zkp seminar
TRANSCRIPT
-
7/29/2019 ZKP Seminar
1/80
Zero Knowledge Proofs
Comp 4109
Bill Ewanick
March 31, 2011
-
7/29/2019 ZKP Seminar
2/80
Zero Knowledge Proofs (ZKP)
An interactive method for one party to provethat a statement is true
-
7/29/2019 ZKP Seminar
3/80
Zero Knowledge Proofs
An interactive method for one party to provethat a statement is true
This is done without revealing anythingother than the statement is true
-
7/29/2019 ZKP Seminar
4/80
Zero Knowledge Proofs
An interactive method for one party to provethat a statement is true
This is done without revealing anythingother than the statement is true
Quick Example:Prove to the prof that you deserve an A+
without taking the exam.
-
7/29/2019 ZKP Seminar
5/80
Quick History
ZKPs were first conceived in 1985 by ShafiGoldwasser, Silvio Micali, and CharlesRackoff in the draft paper:
The Knowledge Complexity of InteractiveProof-Systems
They also gave the first zero-knowledge
proof for a concrete problem, that ofdeciding quadratic nonresidues mod m.
-
7/29/2019 ZKP Seminar
6/80
ZKP: So Easy a Child Can Get It
Jean-Jacques Quisquater published apaper entitled
How to Explain Zero-Knowledge Protocolsto Your Children
which contains several simple examples ofZKPs.
-
7/29/2019 ZKP Seminar
7/80
Peggy and Victor
Instead of Alice and Bob, we have
Peggy, the prover
Victor, the verifier
-
7/29/2019 ZKP Seminar
8/80
Simple Example
-
7/29/2019 ZKP Seminar
9/80
Simple Example
-
7/29/2019 ZKP Seminar
10/80
Simple Example
-
7/29/2019 ZKP Seminar
11/80
Real Definition
A Zero Knowledge Proof must satisfy threeproperties.
-
7/29/2019 ZKP Seminar
12/80
Real Definition
1)Completeness:
If the statement is true, the honest verifier(who follows the protocol properly) will be
convinced of this fact by an honest prover.
-
7/29/2019 ZKP Seminar
13/80
Real Definition
1)Completeness
2)Soundness:
If the statement is false, no cheating provercan convince the honest verifier that it istrue, except with some small probability.
-
7/29/2019 ZKP Seminar
14/80
Soundness Property in Detail
An interactive proof is soundif there existsan expected polynomial-time algorithm Mwith the following property:
-
7/29/2019 ZKP Seminar
15/80
Soundness Property in Detail
An interactive proof is soundif there existsan expected polynomial-time algorithm Mwith the following property:
if a dishonest prover can with non-negligibleprobability successfully execute the proof,then M can be used to extract from theprover knowledge which withoverwhelming probability allowssuccessful subsequent proof executions.
-
7/29/2019 ZKP Seminar
16/80
Soundness
Alternate explanation:
The prover's secret, s, together with publicdata satisfies some polynomial-timepredicate can be extracted, allowingsuccessful execution of subsequentprotocol instances.
-
7/29/2019 ZKP Seminar
17/80
What Does It Mean?
A proof is sound if it is not possible for adishonest prover to convince an honestverifier, due to the honest prover's secret
knowledge. This says nothing about the ease of
acquiring the prover's secret knowledge.
-
7/29/2019 ZKP Seminar
18/80
Real Definition
1)Completeness
2)Soundness
These two properties constitute a moregeneral Interactive Proof System.
The last attribute is needed to for the proofto be zero-knowledge.
-
7/29/2019 ZKP Seminar
19/80
Real Definition
1)Completeness
2)Soundness
3)Zero-Knowledge If the statement is true, no cheating verifier
learns anything other than this fact.
-
7/29/2019 ZKP Seminar
20/80
In Depth Zero-Knowledge
A protocol which is a proof of knowledgehas the zero-knowledge property if it issimulatable in the following sense:
-
7/29/2019 ZKP Seminar
21/80
In Depth Zero-Knowledge
There exists an expected polynomial-timealgorithm (simulator) which can produce,upon input of the assertions to be proven
but without interacting with the realprover, transcripts indistinguishable fromthose resulting from interaction with thereal prover.
-
7/29/2019 ZKP Seminar
22/80
Real Definition
1)Completeness
2)Soundness
3)Zero-Knowledge
-
7/29/2019 ZKP Seminar
23/80
Computational Vs. Perfect ZK
A protocol is computationallyzero-knowledge if an observer restricted toprobabilistic polynomial-time tests cannot
distinguish real from simulated transcripts.
-
7/29/2019 ZKP Seminar
24/80
Computational Vs. Perfect ZK
A protocol isperfectlyzero-knowledge if theprobability distributions of the transcriptsare identical.
-
7/29/2019 ZKP Seminar
25/80
ZK Property and SoundnessVs. Security
Neither the Zero-Knowledge property northe Soundess property guarantee that aprotocol is secure (ie. The probability of it
being easily defeated is negligible)
-
7/29/2019 ZKP Seminar
26/80
ZK Property and SoundnessVs. Security
These two properties have little valueunless the underlying problem faced byan opponent is computationally hard.
-
7/29/2019 ZKP Seminar
27/80
More Realistic Example
Based off the Fiat-Shamir identificationprotocol, which is beyond the scope ofthis talk.
Peggy is going to prove that she knows asecret numbers to Victor withoutrevealing what s is.
-
7/29/2019 ZKP Seminar
28/80
One-Time Setup
Let T be a trusted third party.
-
7/29/2019 ZKP Seminar
29/80
One-Time Setup
Let T be a trusted third party.
T selects and publishes an RSA-likemodulus n = pq, but keeps p and q secret.
-
7/29/2019 ZKP Seminar
30/80
One-Time Setup
Let T be a trusted third party.
T selects and publishes an RSA-likemodulus n = pq, but keeps p and q secret.
Peggy selects a secret s coprime to n, suchthat 1 s n-1.
-
7/29/2019 ZKP Seminar
31/80
One-Time Setup
Let T be a trusted third party.
T selects and publishes an RSA-likemodulus n = pq, but keeps p and q secret.
Peggy selects a secret s coprime to n, suchthat 1 s n-1.
Peggy computes v = s2 mod n.
-
7/29/2019 ZKP Seminar
32/80
One-Time Setup
Let T be a trusted third party.
T selects and publishes an RSA-likemodulus n = pq, but keeps p and q secret.
Peggy selects a secret s coprime to n, suchthat 1 s n-1.
Peggy computes v = s2 mod n.
Peggy registers v with T as her public key.
-
7/29/2019 ZKP Seminar
33/80
Protocol Messages
Each of the trounds has three messageswith the following form:
Peggy Victor: x = r2 mod n
Victor Peggy: e {0, 1}
Peggy Victor: y = r se mod n
The variables e and r will be explained inthe next few slides.
-
7/29/2019 ZKP Seminar
34/80
Protocol Actions
The following steps are iterated ttimes,sequentially and independently.
Victor accepts the proof that Peggy knows s
if all trounds succeed.
-
7/29/2019 ZKP Seminar
35/80
Protocol Actions
1)Peggy chooses a random numberrsuch that1 r n-1 and sends x = r2 mod n to Victor.
-
7/29/2019 ZKP Seminar
36/80
Protocol Actions
1)Peggy chooses a random numberrsuch that1 r n-1 and sends x = r2 mod n to Victor.
2)Victor randomly selects a challenge bite = 0 ore = 1, and sends e to Peggy.
-
7/29/2019 ZKP Seminar
37/80
Protocol Actions
1)Peggy chooses a random numberrsuch that1 r n-1 and sends x = r2 mod n to Victor.
2)Victor randomly selects a challenge bite = 0 ore = 1, and sends e to Peggy.
3)Peggy computes and sends to Victor
y = r se mod n.
-
7/29/2019 ZKP Seminar
38/80
Protocol Actions
1)Peggy chooses a random numberrsuch that1 r n-1 and sends x = r2 mod n to Victor.
2)Victor randomly selects a challenge bite = 0 ore = 1, and sends e to Peggy.
3)Peggy computes and sends to Victor
y = r se mod n.
Either y = r (ife = 0), or y = rs mod n (if e = 1)
-
7/29/2019 ZKP Seminar
39/80
Protocol Actions
1)Peggy chooses a random numberrsuch that1 r n-1 and sends x = r2 mod n to Victor.
2)Victor randomly selects a challenge bite = 0 ore = 1, and sends e to Peggy.
3)Peggy computes and sends to Victor
y = r se mod n.
Either y = r (ife = 0), or y = rs mod n (if e = 1)
4)Victor rejects the proof if y = 0, and otherwiseaccepts upon verifying y2 x ve (mod n)
-
7/29/2019 ZKP Seminar
40/80
Protocol Actions
The previous steps are iterated ttimes,sequentially and independently.
Victor accepts the proof that Peggy knows s
if all trounds succeed.
-
7/29/2019 ZKP Seminar
41/80
Justifications
The challenge e requires that Peggy beable to answer two questions.
-
7/29/2019 ZKP Seminar
42/80
Justifications
The challenge e requires that Peggy beable to answer two questions.
One question demonstrates her knowledge
of the secret s.
-
7/29/2019 ZKP Seminar
43/80
Justifications
The challenge e requires that Peggy beable to answer two questions.
One question demonstrates her knowledge
of the secret s. The other question is an easy one (for
honest provers) to prevent cheating.
-
7/29/2019 ZKP Seminar
44/80
Justifications
An opponent impersonating Peggy might tryto cheat in the following way:
-
7/29/2019 ZKP Seminar
45/80
Justifications
An opponent impersonating Peggy might tryto cheat in the following way:
By choosing any rand setting x = r2/v, the
imposter could answer the challenge e=1with a 'correct' answer.
f
-
7/29/2019 ZKP Seminar
46/80
Justifications
An opponent impersonating Peggy might tryto cheat in the following way:
By choosing any rand setting x = r2/v,
instead of r2 mod n, the imposter couldanswer the challenge e=1 'correctly'.
However, they would still be unable to
answer the challenge e=0.
J tifi ti
-
7/29/2019 ZKP Seminar
47/80
Justifications
An opponent impersonating Peggy might tryto cheat in the following way:
By choosing any rand setting x = r2/v,
instead of r2 mod n, the imposter couldanswer the challenge e=1 'correctly'.
However, they would still be unable to
answer the challenge e=0. This is due to the required knowledge of a
square root ofxmod n, ie.
E l
-
7/29/2019 ZKP Seminar
48/80
Example
Cheating Peggy sets x = r2/v
E l
-
7/29/2019 ZKP Seminar
49/80
Example
Cheating Peggy sets x = r2/v
Victor requests y = rs
E l
-
7/29/2019 ZKP Seminar
50/80
Example
Cheating Peggy sets x = r2/v
Victor requests y = rs
Cheating Peggy sends y = r
E l
-
7/29/2019 ZKP Seminar
51/80
Example
Cheating Peggy sets x = r2/v
Victor requests y = rs
Cheating Peggy sends y = r
Victor attempts to verify - y2 x ve
x ve r2/v v r2 y2 (mod n)
Example
-
7/29/2019 ZKP Seminar
52/80
Example
Cheating Peggy sets x = r2/v
Victor requests y = rs
Cheating Peggy sends y = r
Victor attempts to verify - y2 x ve
x ve r2/v v r2 y2 (mod n)
Victor believes Peggy knows s
Example
-
7/29/2019 ZKP Seminar
53/80
Example
If Cheating Peggy sends x = r2/v, Victorexpects her to send x = r2
Example
-
7/29/2019 ZKP Seminar
54/80
Example
If Cheating Peggy sends x = r2/v, Victorexpects her to send x = r2
If Victor asks for y = r, he'll try to compute
x y2 r2/v y2 r/v y
Example
-
7/29/2019 ZKP Seminar
55/80
Example
If Cheating Peggy sends x = r2/v, Victorexpects her to send x = r2
If Victor asks for y = r, he'll try to compute
x y2 r2/v y2 r/v y
This fails, so Victor knows Peggy ischeating.
Chance of Detection
-
7/29/2019 ZKP Seminar
56/80
Chance of Detection
An opponent who doesn't know s can onlyanswer one of the two challenges.
This gives a probability of of escaping
detection. We execute the protocol ttimes to reduce
the likelihood of cheating to 2-t.
Zero Knowledge Property
-
7/29/2019 ZKP Seminar
57/80
Zero Knowledge Property
In the previous example, Peggy reveals sheknows s, but not any information about s.
Zero Knowledge Property
-
7/29/2019 ZKP Seminar
58/80
Zero Knowledge Property
In the previous example, Peggy reveals sheknows s, but not any information about s.
The response y = ris totally independent
from s.
Zero Knowledge Property
-
7/29/2019 ZKP Seminar
59/80
Zero Knowledge Property
In the previous example, Peggy reveals sheknows s, but not any information about s.
The response y = ris totally independent
from s. The response y = rs mod n also provides no
information about s because the random ris unknown to Victor.
Zero Knowledge Property
-
7/29/2019 ZKP Seminar
60/80
Zero Knowledge Property
Information pairs (x, y) extracted fromPeggy could be simulated by Victor aloneby choosing y randomly, then defining
x = y
2
or y
2
/v mod n.
Zero Knowledge Property
-
7/29/2019 ZKP Seminar
61/80
Zero Knowledge Property
Information pairs (x, y) extracted fromPeggy could be simulated by Victor aloneby choosing y randomly, then defining
x = y
2
or y
2
/v mod n. Peggy wouldn't create pairs this way, but
they have a probability distributionindistinguishable from the ones Peggy
would create.
Zero Knowledge Property
-
7/29/2019 ZKP Seminar
62/80
Zero Knowledge Property
Information pairs (x, y) extracted fromPeggy could be simulated by Victor aloneby choosing y randomly, then defining
x = y
2
or y
2
/v mod n. Peggy wouldn't create pairs this way, but
they have a probability distributionindistinguishable from the ones Peggy
would create. This establishes the Zero-Knowledge
Property.
Example With Numbers
-
7/29/2019 ZKP Seminar
63/80
Example With Numbers
Here is the previous example with numbers.
Let p = 5, q = 7. Then, n = pq = 35.
Peggy secretly chooses s = 16, which is
coprime to n. She publishesv = s2 mod n = 11 to T.
Example With Numbers
-
7/29/2019 ZKP Seminar
64/80
Example With Numbers
We'll assume Victor only needs 2successful tests to be proven.
Example With Numbers
-
7/29/2019 ZKP Seminar
65/80
Example With Numbers
We'll assume Victor only needs 2successful tests to be proven.
Peggy randomly selects r = 10. She sends
x = r2
mod n = 102
mod 35 = 30to Victor.
Example With Numbers
-
7/29/2019 ZKP Seminar
66/80
Example With Numbers
We'll assume Victor only needs 2successful tests to be proven.
Peggy randomly selects r = 10. She sends
x = r2
mod n = 102
mod 35 = 30to Victor. Victor randomly selects e = 0, sends to
Peggy.
Example With Numbers
-
7/29/2019 ZKP Seminar
67/80
Example With Numbers
Recall the challenge formula:
y = r se mod n
Example With Numbers
-
7/29/2019 ZKP Seminar
68/80
p
Recall the challenge formula:
y = r se mod n
Since e = 0, Peggy computes y = r = 10,
and sends it to Victor.
Example With Numbers
-
7/29/2019 ZKP Seminar
69/80
p
Recall the challenge formula:
y = r se mod n
Since e = 0, Peggy computes y = r = 10,
and sends it to Victor.
Victor verifies that y2 = 102 30 (mod 35)
Example With Numbers
-
7/29/2019 ZKP Seminar
70/80
p
Recall the challenge formula:
y = r se mod n
Since e = 0, Peggy computes y = r = 10,
and sends it to Victor.
Victor verifies that y2 = 102 30 (mod 35)
First challenge successfully proven.
Second Challenge
-
7/29/2019 ZKP Seminar
71/80
g
Peggy randomly selects r = 20. She sendsx = r2 mod n = 202 mod 35 = 15 to Victor.
Second Challenge
-
7/29/2019 ZKP Seminar
72/80
g
Peggy randomly selects r = 20. She sendsx = r2 mod n = 202 mod 35 = 15 to Victor.
Victor randomly sends e = 1 to Peggy.
Second Challenge
-
7/29/2019 ZKP Seminar
73/80
g
Peggy randomly selects r = 20. She sendsx = r2 mod n = 202 mod 35 = 15 to Victor.
Victor randomly sends e = 1 to Peggy.
Peggy computes y = r se mod n, or
y = 20 16 mod 35 = 5, sends to Victor.
Second Challenge
-
7/29/2019 ZKP Seminar
74/80
Peggy randomly selects r = 20. She sendsx = r2 mod n = 202 mod 35 = 15 to Victor.
Victor randomly sends e = 1 to Peggy.
Peggy computes y = r se mod n, or
y = 20 16 mod 35 = 5, sends to Victor.
Victor verifies that y2 = 25 1511 (mod 35)
End of Challenges
-
7/29/2019 ZKP Seminar
75/80
Peggy successfully completed t = 2 rounds,so Victor accepts.
Use in Cryptography
-
7/29/2019 ZKP Seminar
76/80
Very useful in authentication schemes.
Blocks eavesdroppers from discoveringsecret information.
Able to enforce honest behavior whilemaintaining privacy.
Use in Cryptography
-
7/29/2019 ZKP Seminar
77/80
Other problems used include:
Graph Isomorphism
Graph Three-Colorability
Every NP-Complete Problem Fiat-Shamir Identification Protocl is not
normally implemented in moderncryptosystem.
However, it is the basis of existing zero-knowledge entity authentication schemes.
ZKP and NP Completeness
-
7/29/2019 ZKP Seminar
78/80
The original ZKP on quadratic nonresidue,along with the graph coloring problem, areall NP-Complete.
Since every problem in NP can be reducedto every other one, there is a ZKP for allproblems in NP.
References
-
7/29/2019 ZKP Seminar
79/80
Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of AppliedCryptography. 5th Ed. CRC Press, 2001.
Jean-Jacques Quisquater, Louis C. Guillou, Thomas A. Berson. How to Explain Zero-KnowledgeProtocols to Your Children (http://pages.cs.wisc.edu/~mkowalcz/628.pdf). Advances inCryptology - CRYPTO 89: Proceedings, v.435 p.628-631, 1990.
Austin Mohr, A Survey of Zero-Knowledge Proofs with Applications to Cryptography.http://www.austinmohr.com/work/files/zkp.pdf
Zero-knowledge proof. Wikipedia, The Free Encyclopedia.
Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The Knowledge Complexity of InteractiveProof Systems. 1989. http://crypto.cs.mcgill.ca/~crepeau/COMP647/2007/TOPIC02/GMR89.pdf
Quiz
-
7/29/2019 ZKP Seminar
80/80
1) Who authored the paper How to Explain Zero-KnowledgeProtocols to Your Children?
2) What three properties must a Zero-Knowledge Proof satisfy?
3) What does it mean for a protocol to beperfectlyzero-
knowledge?4) Instead of Alice and Bob, what names are traditionally used in
Zero-Knowledge Proofs?
5) When were Zero-Knowledge Proofs first conceived?
Bonus) Name one of the authors from that paper.