
Zero-Knowledge Proofs

Zero-Knowledge Proofs and Their Applications in Cryptographic Systems. Sultan Almuhammadi, ICS 454. Introduction: zero-knowledge proofs (ZKPs) prove knowledge of a secret without revealing it; they are a special form of interactive proof (IP) between two parties, a prover and a verifier.


Presentation Transcript


  1. Zero-Knowledge Proofs and Their Applications in Cryptographic Systems • Sultan Almuhammadi, ICS 454

  2. Introduction • Zero-knowledge proofs (ZKPs) • To prove the knowledge of a secret without revealing it. • Special form of interactive proofs (IP) between two parties: prover and verifier. • First introduced in 1985 by Goldwasser, Micali and Rackoff; an early application was identification schemes. • Have a wide range of applications in modern cryptographic systems.

  3. Introduction • ZKPs • Iterative: run in several rounds • Usually have high cost due to iteration • Cost Measures • Execution-time complexity • Communication cost (#of bits exchanged) • Communication latency (delay)

  4. From the Literature • A Toy Example of ZKP • To demonstrate all the features of ZKP • Easy to discuss and visualize • Known as: Alibaba’s cave

  5. Alibaba’s Cave Peggy (the prover) wants to prove her knowledge of the secret word of the cave to Victor (the verifier) but without revealing it

  6. Alibaba’s Cave:The Proof • Starting at point A • Peggy walks all the way to either point C or point D • Victor walks to point B • Victor asks Peggy to either: • Come out of the left passage (or) • Come out of the right passage • Peggy does that using the secret word if needed • They repeat these steps until Victor is convinced that Peggy knows the secret word

  7. Alibaba’s Cave: About The Proof • Complete: if Peggy knows the secret word, she can complete the proof successfully. • Sound: if she does not know the secret, it is highly unlikely that she passes all the rounds. • Zero-knowledge: no matter how many rounds Victor asks for, he cannot learn the secret. • Repudiatable (Peggy can repudiate the proof): if Victor videotapes the entire protocol, he cannot convince others that Peggy knows the secret. • Non-transferable: Victor cannot use the proof to pretend to be the prover to a third party.

  8. Alibaba’s Cave: Number of Rounds How many rounds are needed? • Completeness • If Peggy knows the secret, she always passes. • Soundness • If Peggy does not know the secret, she can pass with probability 1/2^k, where k is the number of rounds. • Optimal number of rounds k • Minimum k that gives maximum trust in the proof. • Let S be the domain of the secret, e.g. S = {strings of length 4 bits}.

  9. Alibaba’s Cave: Number of Rounds What is the optimal number of rounds k? • E.g. assume S = {strings of length 4 bits}: |S| = 2^4 = 16, so there are 16 possible secrets and Prob(guess the secret) = 1/16. • Prob(pass without the secret) after k rounds is 1/2^k: 1/2, 1/4, 1/8, 1/16 for k = 1, 2, 3, 4. • Optimal k = log2 |S| (the length of the secret in bits): a cheater can always guess the secret with probability 1/|S|, so once 1/2^k has dropped to 1/|S| further rounds cannot raise Victor's trust any higher. [Chart: Prob(pass without secret) against number of rounds 0 to 6.]

  10. Applications of ZKPs • Identification schemes • Multi-media security and digital watermarks • Network privacy and anonymous communication • Digital cash and off-line digital coin systems • Electronic election • Public-key cryptographic systems • Smart cards

  11. Identification Schemes • Identification scheme: a protocol for two parties (User and System) by which the User identifies himself to the System in a secure way, that is, a third party listening to the conversation cannot later impersonate the user.

  12. Identification Schemes Why ZKP? • In some applications, it is desirable that the identity of the specific user is kept secret from the system. • E.g. an investor accessing a stock-market database prefers to hide his identity. • Knowing which user is interested in the stock of a given company is valuable information. • However, the system must make sure that the user is legitimate (i.e. a subscriber to the service).

  13. Multi-media Security and Digital Watermarks • Digital Watermark • To resolve ownership of media objects • To ensure theft detection in a court of law • Must survive within a media object • Should not be easily removed by attackers • Why ZKP? • To prove the existence of a mark, without revealing what that mark is. • Revealing a watermark within an object leads to subsequent theft by providing attackers with the information they need to remove or claim the watermark.

  14. Digital Cash and Off-line Digital Coin Systems • Security needs • The bank wants to be able to detect all reuse or forgery of the digital coins. • The vendor requires the assurance of authenticity. • The customer wants the privacy of purchases (the bank cannot track down where the coins are spent, unless the customer reuses/forges them). • Off-line digital coin system • The purchase protocol does not involve the bank. • Why ZKP? • To achieve the privacy of the customer.

  15. Electronic Election • Electronic voting system: a set of protocols which allow voters to cast ballots while a group of authorities collect the votes and output the final tally. • Requirements • Security: ensure voting restrictions (e.g. a voter can vote for at most one of the given candidates) • Privacy: cannot reveal who voted for what • Why ZKP? • To ensure the privacy of the voter.

  16. Public-Key Cryptographic Systems • Setups • Each user has a public key and a private key • A message encrypted with some public key needs the corresponding private key to decrypt it. • It is computationally infeasible to deduce the private key from the public key. • Examples • RSA scheme • ElGamal scheme • Why ZKP?

  17. Public-Key Cryptographic Systems • Why ZKP? • To set up the scheme and prove that the setup is well-formed. • E.g. in RSA, when the modulus is required to consist of two safe primes, ZKPs are used to prove that a given number is a product of two safe primes without revealing any information whatsoever about these safe prime factors.

  18. Definitions • Negligible function • Zero-knowledge proof • Completeness property • Soundness property

  19. Definition: Negligible function • f is negligible if for every c > 0 and all sufficiently large n, f(n) < n^{-c}. • f is non-negligible if there exists a c > 0 such that f(n) ≥ n^{-c} for infinitely many n (the stronger "for all sufficiently large n" version is usually called noticeable). • E.g. f(n) = 2^{-n} is negligible in n.

  20. Definition: Zero-knowledge Proof From its name, it has two parts: • Proof • It convinces the verifier with overwhelming probability that the prover knows the secret. • i.e. It is complete and sound • Zero-knowledge • It should not reveal any information about the secret.

  21. Requirements of ZKPs • Completeness: If the prover knows the secret, the verifier accepts the proof with overwhelming probability. • Soundness: If the prover does not know the secret, it is highly unlikely that the verifier accepts the proof. • Zero-knowledge: The verifier cannot learn the secret even if he deviates from the protocol. • Repudiatability: The prover can repudiate the proof to a third party. • Non-transferability: The verifier cannot pretend to be the prover to any third party.

  22. Classical Problems Used in ZKPs • Discrete Log (DL) Problem • Square Root Problem (SQRT) • Graph Isomorphism Problem • Satisfiability (SAT) Problem

  23. Graph Isomorphism • Given two graphs G1 = (V1, E1) and G2 = (V2, E2), to prove in zero-knowledge the possession of a permutation π: V1 → V2 such that (u, v) ∈ E1 iff (π(u), π(v)) ∈ E2 • Applications: • Multi-media security

  24. ZKP of Graph Isomorphism

  25. Square Root Problem • To prove in zero-knowledge the possession of x such that x^2 ≡ b (mod n) • Applications: • Digital watermarks • Public-key schemes

  26. ZKP of SQRT

  27. DL Problem • To prove in zero-knowledge the possession of x such that g^x ≡ b (mod n) • Applications: • Multi-media security • Identification schemes • Digital cash • Electronic election

  28. ZKP of DL: b = g^x (mod n)
  Step  Peggy (P)                          Victor (V)
  0     knows g, b, n, x                   knows g, b, n
  1     generates random r
  2     sends h = g^r mod n to V           receives h
  3                                        flips a coin c = H or T, sends c
  4     if c = H, sends r to V             checks g^r = h
  5     if c = T, sends m = x + r to V     checks g^m = b·h
  6     Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with probability 1 − 2^{-k} after k iterations).
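Slides 6-9 describe the round structure of the proof and slide 28 its discrete-log instance. The Python below is an example added here; it is not part of the original presentation. It runs the slide-28 protocol with every role filled in: an honest prover, a cheating prover who, like Peggy without the word, has to commit to a guess of the coin before it is flipped, and a simulator that forges Victor's videotape without ever holding x. It assumes a toy group (a safe prime p = 2039 with g = 4 of prime order q = 1019) where the slide only writes "mod n", and it reduces exponents mod q so that the response m = x + r carries no information about x. Names such as honest_prover, run_protocol and make_rng are this example's own.

```python
import random

# Toy group parameters, an assumption of this example (the slide only writes "mod n"):
# P is a safe prime, Q = (P - 1) / 2 is prime and G = 4 generates the subgroup of order Q.
# Exponents therefore live in Z_Q, and reducing m = x + r mod Q makes m independent of x.
P = 2039
Q = (P - 1) // 2          # 1019
G = 4
assert pow(G, Q, P) == 1 and G != 1


def make_rng(seed):
    """Deterministic randomness so runs can be reproduced; use secrets/os.urandom in practice."""
    return random.Random(seed)


def keygen(rng):
    """Step 0: Peggy's secret x and the public value b = g^x mod p."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def verifier_check(b, h, c, z):
    """Steps 4-5: for c = 0 ("H") z must open h as g^r; for c = 1 ("T") z = m must give g^m = b*h."""
    expected = h if c == 0 else (b * h) % P
    return pow(G, z, P) == expected


def honest_prover(x):
    """Steps 1, 2, 4 and 5 for a prover who really knows x."""
    def commit(rng):
        r = rng.randrange(Q)
        return r, pow(G, r, P)                 # keep r, send h = g^r mod p

    def respond(r, c):
        return r if c == 0 else (x + r) % Q
    return commit, respond


def cheating_prover(b):
    """Knows only b. Like Peggy without the word, she must pick a side before the coin
    is flipped: guess c, shape h so that the answer for that c verifies, and hope."""
    def commit(rng):
        guess, z = rng.randrange(2), rng.randrange(Q)
        h = pow(G, z, P)
        if guess == 1:
            h = h * pow(b, -1, P) % P          # now g^z = b*h, so m = z would verify
        return (guess, z), h

    def respond(state, c):
        guess, z = state
        return z if c == guess else None       # wrong guess: no valid answer exists
    return commit, respond


def run_protocol(b, prover, k, rng):
    """k repetitions of steps 1-5; Victor's coin comes from rng. True iff every round verifies."""
    commit, respond = prover
    for _ in range(k):
        state, h = commit(rng)
        c = rng.randrange(2)                   # step 3: Victor's coin, drawn after h is fixed
        z = respond(state, c)
        if z is None or not verifier_check(b, h, c, z):
            return False
    return True


def cheating_probability(k):
    """Soundness error after k rounds (slide 8)."""
    return 2.0 ** -k


def optimal_rounds():
    """Slides 9 and 32: k = t, the bit length of the secret, so that surviving every
    coin by luck (2^-k) is no easier than guessing x outright (1/|S| with |S| about 2^t)."""
    return Q.bit_length()


def simulate_transcript(b, k, rng):
    """Zero-knowledge: with no x at all, output (h, c, z) triples distributed exactly like
    real rounds by choosing c before h. A videotape of a real run therefore proves
    nothing to a third party (repudiatability, slide 7)."""
    tape = []
    for _ in range(k):
        c, z = rng.randrange(2), rng.randrange(Q)
        h = pow(G, z, P) if c == 0 else pow(G, z, P) * pow(b, -1, P) % P
        tape.append((h, c, z))
    return tape


def verify_transcript(b, tape):
    return all(verifier_check(b, h, c, z) for h, c, z in tape)


if __name__ == "__main__":
    rng = make_rng(2024)
    x, b = keygen(rng)
    k = optimal_rounds()
    print("rounds:", k, "honest prover accepted:", run_protocol(b, honest_prover(x), k, rng))
    wins = sum(run_protocol(b, cheating_prover(b), 1, make_rng(s)) for s in range(1000))
    print("cheater survives one round:", wins, "of 1000, expected about", cheating_probability(1) * 1000)
    print("forged videotape verifies:", verify_transcript(b, simulate_transcript(b, k, rng)))
```

The cheating prover and the simulator are the same trick seen from two sides: knowing the coin before committing lets anyone produce a verifying round, which is exactly why Victor's coin has to come after h, and why a transcript alone convinces nobody. The one-bit coin follows the slide; deployed sigma protocols usually use a challenge of many bits so that a single round already has negligible soundness error.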

  29. One-round ZKPs • One-round zero-knowledge proofs • Eliminate the iteration costs • One-round ZKPs • Encapsulate all the requirements of the true ZKP, but in one round.

  30. One-round ZKP for Alibaba’s cave example

  31. One-Round ZKP of DL: b = g^x (mod n)
  Step  Peggy (P)                      Victor (V)
  0     knows g, b, n, x               knows g, b, n
  1                                    generates a random y
  2                                    sends C = g^y (mod n) to P
  3     sends R = C^x (mod n) to V
  4                                    verifies that R = C^x = (g^y)^x = g^{xy} = (g^x)^y = b^y (mod n)
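The one-round protocol of slide 31 as an added Python example; this is not code from the original presentation. It assumes a toy group (safe prime p = 2039, g = 4 of prime order q = 1019) in place of the slide's "mod n" and shows the two-message exchange and the step-4 check. Because slide 21 requires zero-knowledge even against a verifier who deviates from the protocol, it also shows what such a verifier obtains: Peggy cannot check that C has the form g^y, so she raises whatever C arrives to the power x. honest_verifier_simulation, make_rng and the other names are this example's own.

```python
import random

# Toy group parameters, an assumption of this example (the slide only writes "mod n"):
# P is a safe prime, Q = (P - 1) / 2 is prime and G = 4 generates the subgroup of order Q.
P = 2039
Q = (P - 1) // 2          # 1019
G = 4
assert pow(G, Q, P) == 1 and G != 1


def make_rng(seed):
    """Deterministic randomness for reproducible runs; use secrets/os.urandom in practice."""
    return random.Random(seed)


def keygen(rng):
    """Step 0: Peggy's secret x and the public value b = g^x mod p."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def victor_challenge(rng):
    """Steps 1-2: Victor draws y, keeps it, and sends C = g^y mod p."""
    y = rng.randrange(1, Q)
    return y, pow(G, y, P)


def peggy_respond(x, C):
    """Step 3: Peggy returns R = C^x mod p. She never sees y and has no way to check
    that C was really formed as g^y, so she exponentiates whatever C arrives."""
    return pow(C, x, P)


def victor_verify(b, y, R):
    """Step 4: R = (g^y)^x = (g^x)^y = b^y mod p."""
    return R == pow(b, y, P)


def one_round_zkp(x, b, rng):
    """The complete exchange: two messages, no coin, no repetition."""
    y, C = victor_challenge(rng)
    R = peggy_respond(x, C)
    return victor_verify(b, y, R)


def honest_verifier_simulation(b, y):
    """A Victor who follows the protocol learns nothing he did not already have: from y
    and the public b he can write down the whole transcript (C, R) himself, without x,
    which is also why he cannot transfer it to a third party."""
    return pow(G, y, P), pow(b, y, P)


if __name__ == "__main__":
    x, b = keygen(make_rng(3))
    print("honest run accepted:", one_round_zkp(x, b, make_rng(1)))
    print("wrong secret accepted:", one_round_zkp((x + 1) % Q, b, make_rng(1)))
    # A deviating Victor: C is not g^y for a y he knows but some other party's public
    # value b2 = g^x2. Peggy's answer b2^x = g^(x*x2) is a Diffie-Hellman value that,
    # under the CDH assumption, nobody without x or x2 could compute, and that no
    # simulator without x can reproduce for a C chosen this way.
    x2, b2 = keygen(make_rng(9))
    print("answer to a verifier-chosen C equals g^(x*x2):", peggy_respond(x, b2) == pow(G, x * x2, P))
```

With an honest Victor the transcript is simulatable from y and b alone, so the proof is repudiatable and non-transferable as slide 21 asks. With a Victor who picks C freely, the answer C^x is not simulatable without x, so the "even if he deviates" part of the zero-knowledge requirement is the property to examine before using this protocol; the iterated protocol of slide 28 never raises a verifier-supplied value to the power x and so does not have this exposure.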

  32. Time Complexity • Iterative ZKP • Let t be the length of the secret x in bits. • Each round costs O(t^2 log t log log t). • Optimal number of rounds = t • Total: O(t^3 log t log log t) • One-round ZKP • O(t^2 log t log log t).

  33. Communication Cost • Iterative ZKP • Needs 2 messages of size t in each round. • Needs one bit for the coin in each round. • Optimal number of rounds = t • Exchanges (2t^2 + t) bits total. • One-round ZKP • Needs 2 messages of size t each. • Exchanges 2t bits total.

  34. Communication Latency • Let d be the average latency (delay) per message over the network between the two parties

  35. Communication Latency • Iterative ZKP • Needs 2 messages in each round • Needs one bit for the coin in each round • Latency per round = 3d • Optimal number of rounds = t • Overall latency = 3td • One-round ZKP • Needs 2 messages, each takes d • Overall latency = 2d

  36. Security Issues on 1-R ZKP of DL
