zero knowledge proofs l.
Skip this Video
Loading SlideShow in 5 Seconds..
Zero-Knowledge Proofs PowerPoint Presentation
Download Presentation
Zero-Knowledge Proofs

Loading in 2 Seconds...

play fullscreen
1 / 17

Zero-Knowledge Proofs - PowerPoint PPT Presentation

  • Uploaded on

Zero-Knowledge Proofs. J.W. Pope M.S. – Mathematics May 2004. What is a Zero- Knowledge Proof?. A zero-knowledge proof is a way that a “prover” can prove possession of a certain piece of information to a “verifier” without revealing it.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Zero-Knowledge Proofs' - ganesa

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
zero knowledge proofs

Zero-Knowledge Proofs

J.W. Pope

M.S. – Mathematics

May 2004

what is a zero knowledge proof
What is a Zero- Knowledge Proof?

A zero-knowledge proof is a way that a “prover” can prove possession of a certain piece of information to a “verifier” without revealing it.

This is done by manipulating data provided by the verifier in a way that would be impossible without the secret information in question.

A third party, reviewing the transcript created, cannot be convinced that either prover or verifier knows the secret.

properties of zero knowledge proofs
Properties of Zero-Knowledge Proofs
  • Completeness – A prover who knows the secret information can prove it with probability 1.
  • Soundness – The probability that a prover who does not know the secret information can get away with it can be made arbitrarily small.
an example hamiltonian cycles
An Example: Hamiltonian Cycles
  • Peggy the prover would like to show Vic the verifier that an element b is a member of the subgroup of Zn* generated by a, where a has order l. (i.e., does ak = b for some k such that 0 ≤ k ≤ l?)
  • Peggy chooses a random j, 0 ≤ j ≤ l – 1, and sends Vic aj.
  • Vic chooses a random i = 0 or 1, and sends it to Peggy.
  • Peggy computes j + ik mod l, and sends it to Vic.
  • Vic checks that aj + ik = ajaik = ajbi.
  • They then repeat the above steps log2n times.
  • If Vic’s final computation checks out in each round, he accepts the proof.
complexity theory
Complexity Theory
  • The last proof works because the problem of solving discrete logarithms is NP-complete (or is believed to be, at any rate).
  • It has been shown that all problems in NP have a zero-knowledge proof associated with them.
bit commitments
Bit Commitments
  • “Flipping a coin down a well”
  • “Flipping a coin by telephone”
  • A value of 0 or 1 is committed to by the prover by encrypting it with a one-way function, creating a “blob”. The verifier can then “unwrap” this blob when it becomes necessary by revealing the key.
bit commitment properties
Bit Commitment Properties
  • Concealing – The verifier cannot determine the value of the bit from the blob.
  • Binding – The prover cannot open the blob as both a zero and a one.
bit commitments an example
Bit Commitments: An Example
  • Let n = pq, where p and q are prime. Let m be a quadratic nonresidue modulo n. The values m and n are public, and the values p and q are known only to Peggy.
  • Peggy commits to the bit b by choosing a random x and sending Vic the blob mbx2.
  • When the time comes for Vic to check the value of the bit, Peggy simply reveals the values b and x.
  • Since no known polynomial-time algorithm exists for solving the quadratic residues problem modulo a composite n whose factors are unknown, hence this scheme is computationally concealing.
  • On the other hand, it is perfectly binding, since if it wasn’t, m would have to be a quadratic residue, a contradiction.
bit commitments and zero knowledge
Bit Commitments and Zero-Knowledge
  • Bit commitments are used in zero-knowledge proofs to encode the secret information.
  • For example, zero-knowledge proofs based on graph colorations exist. In this case, bit commitment schemes are used to encode the colors.
  • Complex zero-knowledge proofs with large numbers of intermediate steps that must be verified also use bit commitment schemes.
computational assumptions
Computational Assumptions
  • A zero-knowledge proof assumes the prover possesses unlimited computational power.
  • It is more practical in some cases to assume that the prover’s computational abilities are bounded. In this case, we have a zero-knowledge argument.
proof vs argument
Zero-Knowledge Proof:

Unconditional completeness

Unconditional soundness

Computational zero-knowledge

Unconditionally binding blobs

Computationally concealing blobs

Zero-Knowledge Argument:

Unconditional completeness

Computational soundness

Perfect zero-knowledge

Computationally binding blobs

Unconditionally concealing blobs

Proof vs. Argument
  • Zero-knowledge proofs can be applied where secret knowledge too sensitive to reveal needs to be verified
  • Key authentication
  • PIN numbers
  • Smart cards
  • A zero-knowledge proof is only as good as the secret it is trying to conceal
  • Zero-knowledge proofs of identities in particular are problematic
  • The Grandmaster Problem
  • The Mafia Problem
  • etc.
  • I am currently working with Dr. Curtis Barefoot in the NMT Mathematics Dept. on methods of applying zero-knowledge proofs to mathematical induction: Can a prover prove a theorem via induction without revealing any of the steps beyond the base case?
  • Possible application of methods developed by Camenisch and Michels (or maybe not?)
  • Blum, M., “How to Prove a Theorem So No One Else Can Claim It”, Proceedings of the International Congress of Mathematicians, Berkeley, California, 1986, pp. 1444-1451
  • Camenisch, J., M. Michels, “Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes”, Eurocrypt ’99, J. Stern, ed., Lecture Notes in Computer Science 1592, pp. 107-122, Springer-Verlag 1999
  • Cramer, R., I. Dåmgard, B. Schoenmakers, “Proofs of Partial Hiding and Simplified Design of Witness Hiding Protocols”, Advances in Cryptology – CRYPTO ’94, Lecture Notes in Computer Science 839, pp. 174-187, Springer-Verlag, 1994
  • De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, “On Monotone Formula Closure of SZK”, Proceedings of the 35th Symposium on the Foundations of Computer Science, pp. 454-465, IEEE, 1994
  • Feigenbaum, J., “Overview of Interactive Proof Systems and Zero-Knowledge”, Contemporary Cryptology, G.J. Simmons, ed., pp. 423-440, IEEE Press 1992
  • Quisquater, J.J., L. Guillou, T. Berson, “How to Explain Zero-Knowledge Protocols to Your Children”, Advances in Cryptology - CRYPTO ’99, Lecture Notes in Computer Science 435, pp. 628-631, 1990
  • Schneier, B., Applied Cryptography (2nd edition), Wiley, 1996
  • Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995