zkp seminar

7/29/2019 ZKP Seminar

1/80

Zero Knowledge Proofs

Comp 4109

Bill Ewanick

March 31, 2011


2/80

Zero Knowledge Proofs (ZKP)

An interactive method for one party to provethat a statement is true


3/80



This is done without revealing anythingother than the statement is true


4/80



This is done without revealing anythingother than the statement is true

Quick Example:Prove to the prof that you deserve an A+

without taking the exam.


5/80

Quick History

ZKPs were first conceived in 1985 by ShafiGoldwasser, Silvio Micali, and CharlesRackoff in the draft paper:

The Knowledge Complexity of InteractiveProof-Systems

They also gave the first zero-knowledge

proof for a concrete problem, that ofdeciding quadratic nonresidues mod m.


6/80

ZKP: So Easy a Child Can Get It

Jean-Jacques Quisquater published apaper entitled

How to Explain Zero-Knowledge Protocolsto Your Children

which contains several simple examples ofZKPs.


7/80

Peggy and Victor

Instead of Alice and Bob, we have

Peggy, the prover

Victor, the verifier


8/80

Simple Example


9/80

Simple Example


10/80

Simple Example


11/80

Real Definition

A Zero Knowledge Proof must satisfy threeproperties.


12/80

Real Definition

1)Completeness:

If the statement is true, the honest verifier(who follows the protocol properly) will be

convinced of this fact by an honest prover.


13/80

Real Definition

1)Completeness

2)Soundness:

If the statement is false, no cheating provercan convince the honest verifier that it istrue, except with some small probability.


14/80

Soundness Property in Detail

An interactive proof is soundif there existsan expected polynomial-time algorithm Mwith the following property:


15/80

Soundness Property in Detail

An interactive proof is soundif there existsan expected polynomial-time algorithm Mwith the following property:

if a dishonest prover can with non-negligibleprobability successfully execute the proof,then M can be used to extract from theprover knowledge which withoverwhelming probability allowssuccessful subsequent proof executions.


16/80

Soundness

Alternate explanation:

The prover's secret, s, together with publicdata satisfies some polynomial-timepredicate can be extracted, allowingsuccessful execution of subsequentprotocol instances.


17/80

What Does It Mean?

A proof is sound if it is not possible for adishonest prover to convince an honestverifier, due to the honest prover's secret

knowledge. This says nothing about the ease of

acquiring the prover's secret knowledge.


18/80

Real Definition

1)Completeness

2)Soundness

These two properties constitute a moregeneral Interactive Proof System.

The last attribute is needed to for the proofto be zero-knowledge.


19/80

Real Definition

1)Completeness

2)Soundness

3)Zero-Knowledge If the statement is true, no cheating verifier

learns anything other than this fact.


20/80

In Depth Zero-Knowledge

A protocol which is a proof of knowledgehas the zero-knowledge property if it issimulatable in the following sense:


21/80

In Depth Zero-Knowledge

There exists an expected polynomial-timealgorithm (simulator) which can produce,upon input of the assertions to be proven

but without interacting with the realprover, transcripts indistinguishable fromthose resulting from interaction with thereal prover.


22/80

Real Definition

1)Completeness

2)Soundness

3)Zero-Knowledge


23/80

Computational Vs. Perfect ZK

A protocol is computationallyzero-knowledge if an observer restricted toprobabilistic polynomial-time tests cannot

distinguish real from simulated transcripts.


24/80

Computational Vs. Perfect ZK

A protocol isperfectlyzero-knowledge if theprobability distributions of the transcriptsare identical.


25/80

ZK Property and SoundnessVs. Security

Neither the Zero-Knowledge property northe Soundess property guarantee that aprotocol is secure (ie. The probability of it

being easily defeated is negligible)


26/80

ZK Property and SoundnessVs. Security

These two properties have little valueunless the underlying problem faced byan opponent is computationally hard.


27/80

More Realistic Example

Based off the Fiat-Shamir identificationprotocol, which is beyond the scope ofthis talk.

Peggy is going to prove that she knows asecret numbers to Victor withoutrevealing what s is.


28/80

One-Time Setup

Let T be a trusted third party.


29/80

One-Time Setup


T selects and publishes an RSA-likemodulus n = pq, but keeps p and q secret.


30/80

One-Time Setup



Peggy selects a secret s coprime to n, suchthat 1 s n-1.


31/80

One-Time Setup




Peggy computes v = s2 mod n.


32/80

One-Time Setup




Peggy computes v = s2 mod n.

Peggy registers v with T as her public key.


33/80

Protocol Messages

Each of the trounds has three messageswith the following form:

Peggy Victor: x = r2 mod n

Victor Peggy: e {0, 1}

Peggy Victor: y = r se mod n

The variables e and r will be explained inthe next few slides.


34/80

Protocol Actions

The following steps are iterated ttimes,sequentially and independently.

Victor accepts the proof that Peggy knows s

if all trounds succeed.


35/80

Protocol Actions

1)Peggy chooses a random numberrsuch that1 r n-1 and sends x = r2 mod n to Victor.


36/80

Protocol Actions


2)Victor randomly selects a challenge bite = 0 ore = 1, and sends e to Peggy.


37/80

Protocol Actions



3)Peggy computes and sends to Victor

y = r se mod n.


38/80

Protocol Actions




y = r se mod n.

Either y = r (ife = 0), or y = rs mod n (if e = 1)


39/80

Protocol Actions




y = r se mod n.

Either y = r (ife = 0), or y = rs mod n (if e = 1)

4)Victor rejects the proof if y = 0, and otherwiseaccepts upon verifying y2 x ve (mod n)


40/80

Protocol Actions

The previous steps are iterated ttimes,sequentially and independently.

Victor accepts the proof that Peggy knows s

if all trounds succeed.


41/80

Justifications

The challenge e requires that Peggy beable to answer two questions.


42/80

Justifications


One question demonstrates her knowledge

of the secret s.


43/80

Justifications


One question demonstrates her knowledge

of the secret s. The other question is an easy one (for

honest provers) to prevent cheating.


44/80

Justifications

An opponent impersonating Peggy might tryto cheat in the following way:


45/80

Justifications


By choosing any rand setting x = r2/v, the

imposter could answer the challenge e=1with a 'correct' answer.

f


46/80

Justifications


By choosing any rand setting x = r2/v,

instead of r2 mod n, the imposter couldanswer the challenge e=1 'correctly'.

However, they would still be unable to

answer the challenge e=0.

J tifi ti


47/80

Justifications


By choosing any rand setting x = r2/v,

instead of r2 mod n, the imposter couldanswer the challenge e=1 'correctly'.

However, they would still be unable to

answer the challenge e=0. This is due to the required knowledge of a

square root ofxmod n, ie.

E l


48/80

Example

Cheating Peggy sets x = r2/v

E l


49/80

Example


Victor requests y = rs

E l


50/80

Example



Cheating Peggy sends y = r

E l


51/80

Example




Victor attempts to verify - y2 x ve

x ve r2/v v r2 y2 (mod n)

Example


52/80

Example




Victor attempts to verify - y2 x ve

x ve r2/v v r2 y2 (mod n)

Victor believes Peggy knows s

Example


53/80

Example

If Cheating Peggy sends x = r2/v, Victorexpects her to send x = r2

Example


54/80

Example


If Victor asks for y = r, he'll try to compute

x y2 r2/v y2 r/v y

Example


55/80

Example


If Victor asks for y = r, he'll try to compute

x y2 r2/v y2 r/v y

This fails, so Victor knows Peggy ischeating.

Chance of Detection


56/80

Chance of Detection

An opponent who doesn't know s can onlyanswer one of the two challenges.

This gives a probability of of escaping

detection. We execute the protocol ttimes to reduce

the likelihood of cheating to 2-t.

Zero Knowledge Property


57/80


In the previous example, Peggy reveals sheknows s, but not any information about s.



58/80



The response y = ris totally independent

from s.



59/80



The response y = ris totally independent

from s. The response y = rs mod n also provides no

information about s because the random ris unknown to Victor.



60/80


Information pairs (x, y) extracted fromPeggy could be simulated by Victor aloneby choosing y randomly, then defining

x = y

2

or y

2

/v mod n.



61/80



x = y

2

or y

2

/v mod n. Peggy wouldn't create pairs this way, but

they have a probability distributionindistinguishable from the ones Peggy

would create.



62/80



x = y

2

or y

2

/v mod n. Peggy wouldn't create pairs this way, but

they have a probability distributionindistinguishable from the ones Peggy

would create. This establishes the Zero-Knowledge

Property.

Example With Numbers


63/80


Here is the previous example with numbers.

Let p = 5, q = 7. Then, n = pq = 35.

Peggy secretly chooses s = 16, which is

coprime to n. She publishesv = s2 mod n = 11 to T.



64/80


We'll assume Victor only needs 2successful tests to be proven.



65/80



Peggy randomly selects r = 10. She sends

x = r2

mod n = 102

mod 35 = 30to Victor.



66/80



Peggy randomly selects r = 10. She sends

x = r2

mod n = 102

mod 35 = 30to Victor. Victor randomly selects e = 0, sends to

Peggy.



67/80


Recall the challenge formula:

y = r se mod n



68/80

p


y = r se mod n

Since e = 0, Peggy computes y = r = 10,

and sends it to Victor.



69/80

p


y = r se mod n



Victor verifies that y2 = 102 30 (mod 35)



70/80

p


y = r se mod n




First challenge successfully proven.

Second Challenge


71/80

g

Peggy randomly selects r = 20. She sendsx = r2 mod n = 202 mod 35 = 15 to Victor.

Second Challenge


72/80

g


Victor randomly sends e = 1 to Peggy.

Second Challenge


73/80

g



Peggy computes y = r se mod n, or

y = 20 16 mod 35 = 5, sends to Victor.

Second Challenge


74/80



Peggy computes y = r se mod n, or

y = 20 16 mod 35 = 5, sends to Victor.


End of Challenges


75/80

Peggy successfully completed t = 2 rounds,so Victor accepts.

Use in Cryptography


76/80

Very useful in authentication schemes.

Blocks eavesdroppers from discoveringsecret information.

Able to enforce honest behavior whilemaintaining privacy.

Use in Cryptography


77/80

Other problems used include:

Graph Isomorphism

Graph Three-Colorability

Every NP-Complete Problem Fiat-Shamir Identification Protocl is not

normally implemented in moderncryptosystem.

However, it is the basis of existing zero-knowledge entity authentication schemes.

ZKP and NP Completeness


78/80

The original ZKP on quadratic nonresidue,along with the graph coloring problem, areall NP-Complete.

Since every problem in NP can be reducedto every other one, there is a ZKP for allproblems in NP.

References


79/80

Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of AppliedCryptography. 5th Ed. CRC Press, 2001.

Jean-Jacques Quisquater, Louis C. Guillou, Thomas A. Berson. How to Explain Zero-KnowledgeProtocols to Your Children (http://pages.cs.wisc.edu/~mkowalcz/628.pdf). Advances inCryptology - CRYPTO 89: Proceedings, v.435 p.628-631, 1990.

Austin Mohr, A Survey of Zero-Knowledge Proofs with Applications to Cryptography.http://www.austinmohr.com/work/files/zkp.pdf

Zero-knowledge proof. Wikipedia, The Free Encyclopedia.

Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The Knowledge Complexity of InteractiveProof Systems. 1989. http://crypto.cs.mcgill.ca/~crepeau/COMP647/2007/TOPIC02/GMR89.pdf

Quiz


80/80

1) Who authored the paper How to Explain Zero-KnowledgeProtocols to Your Children?

2) What three properties must a Zero-Knowledge Proof satisfy?

3) What does it mean for a protocol to beperfectlyzero-

knowledge?4) Instead of Alice and Bob, what names are traditionally used in

Zero-Knowledge Proofs?

5) When were Zero-Knowledge Proofs first conceived?

Bonus) Name one of the authors from that paper.

zkp seminar

Documents