
Zero-Knowledge Proofs

Nikhil Balaji
Department of Electronics and
Communication Engineering
NITK Surathkal
20th February 2008
Overview
• Some theory and motivation
– What is a proof?
– What is knowledge?
– Interactive proofs
– Zero knowledge proofs
– Cryptography and computational complexity
• Applications: Fiat-Shamir identification
• Summary
What is a Proof?
• In mathematics: a fixed sequence of
statements flowing logically
• In real life, proofs have a much wider
meaning
• Not a fixed object, but rather a process by
which validity is established
– E.g. cross-examination of a witness
What is knowledge?
• Tough question…
• But in ZKP we define a gain of
knowledge with respect to
computational ability
• Bob gains knowledge after interacting
with Alice if:
– He can easily compute something that
was hard for him earlier (since Alice
let him know how to do it!)
Where’s Waldo?
So, what is it anyway?
• Communication among mutually
distrusting parties
• To show possession of a secret to
another party without giving away the
secret
A challenge and a solution
Interactive Proofs
• Prover (P) tries to prove some fact to a verifier
• Verifier (V) either accepts or rejects the prover’s
proof
• To prove is to convince the verifier of some assertion
– Prove that you know a secret value s
• Each party in the protocol does the following:
1. receive a message from the other party
2. perform a private computation
3. send a message to the other party
• Repeated for t rounds
Zero knowledge Proofs
• Instances of interactive proofs with the
following properties:
– Completeness – true theorems are provable
– Soundness – false theorems are not
provable
– No information about the prover’s private
input (the secret) is revealed to the verifier:
this is the zero-knowledge property
Cryptography before
computational complexity
Secret communication,
assuming shared information
which no one else has
What do we want to do?
Modern Cryptography
The basic conflict between:
• Secrecy / Privacy
• Resilience / Fault Tolerance

Task             Implemented with
Encryption       Code books
Identification   Driver license
Money transfer   Notes, checks
Public bids      Sealed envelopes
What are we assuming?
Axiom 1: Agents are computationally limited.

Consequence 1: Only tasks having efficient
algorithms can be performed.
Easy and Hard Problems
asymptotic complexity of functions
Multiplication                       Factoring
mult(23,67) = 1541                   factor(1541) = (23,67)
grade school algorithm:              best known algorithm:
n^2 steps on n-digit inputs          exp(n) steps on n digits
EASY                                 HARD?
Can be performed quickly             We don’t know!
for huge integers                    We’ll assume it.
Axiom 2: Factoring is hard!

Axiom 1: Agents are computationally limited
Axiom 2: Factoring is hard

Easy:       (p, q) → pq
Impossible: pq → (p, q)

Theorem: Axioms ⇒ digital
One-way functions
Axiom 1: Agents are computationally limited
Axiom 2’: There exist one-way functions E

Easy:       x → E(x)
Impossible: E(x) → x

Example: E(p,q) = pq, i.e. E is multiplication
We have other E’s

Nature’s one-way functions: the 2nd law of
Thermodynamics
Applications
• Zero-knowledge proofs can be applied
where secret knowledge too sensitive to
reveal needs to be verified
• Key authentication
• PIN numbers
• Smart cards
Identification
• Alice is identified by some secret she
alone is known to possess - e.g. a
password
• Problems
– The authenticator must be trusted
– If the secret is sniffed or given to an untrusted
party, that party can impersonate Alice
• Use zero knowledge!
Fiat-Shamir Identification
One time setup:
• Trusted center publishes the modulus n = pq,
but keeps p and q secret
• Alice selects a secret prime s coprime
to n, computes v = s^2 mod n, and registers
v with the trusted center as her public
key
Fiat-Shamir Identification

Protocol messages (Alice picks a fresh random r each round):
A → B: x = r^2 mod n
B → A: e from {0, 1}
A → B: y = r·s^e mod n

If e = 0, then the response y = r is
independent of the secret s.

If e = 1, then information pairs
(x, y) can be simulated by
choosing y randomly, and
setting x = y^2 mod n.
Summary
Practically every cryptographic task can
be performed securely & privately,
assuming that players are computationally
bounded and factoring is hard.

- Computational complexity is essential!
- Hard problems can be useful!
- The theory predated (& enabled) the
Internet
References
• http://en.wikipedia.org/wiki/Zero-knowledge_proof
• Oded Goldreich, Silvio Micali, Avi Wigderson.
Proofs that yield nothing but their validity. Journal
of the ACM, volume 38, issue 3, pp. 690-728, July
1991.
• “Applied Kid Cryptography”: Moni Naor, Yael Naor,
Omer Reingold, Weizmann Institute, Israel
• “The digital envelope - a crash course in modern
cryptography”: Avi Wigderson, IAS Princeton.
(http://www.math.ias.edu/~avi/TALKS/)
Thank You
