Zero--Knowledge

Zero
Proofs
J.W. Pope
M.S. – Mathematics
May 2004
 What is a Zero-
Zero- Knowledge Proof?
A zero
zero- -knowledge proof is a way that a “prover”
can prove possession of a certain piece of
information to a “verifier” without revealing it.
This is done by manipulating data provided by
the verifier in a way that would be impossible
without the secret information in question.
A third party, reviewing the transcript created,
cannot be convinced that either prover or
verifier knows the secret.
The Cave of the Forty Thieves
The Cave of the Forty Thieves
Properties of Zero-
Zero-Knowledge Proofs
 Completeness – A prover who knows the secret
information can prove it with probability 1.
 Soundness – The probability that a prover who
does not know the secret information can get
away with it can be made arbitrarily small.
 Identification
 Alice is identified by some secret she alone is
known to possess - e.g. a password
 Problems
 The authenticator must be trusted
 If secret sniffed or given to untrusted party, can
impersonate
 Use zero knowledge!
 Fiat--Shamir Identification
Fiat
One time setup:
 Trusted center published modulus n=pq
n=pq,, but
keeps p and q secret
 Alice selects a secret prime s comprime to n,
computes v=s2 mod n, and registers v with the
trusted center as its public key
 Fiat--Shamir Identification
Fiat

Protocol messages:
A  B: x = r2 mod n
B  A: e from {0, 1}
A  B: y = rs mod n
e
 Fiat--Shamir Identification
Fiat

Protocol messages:
A  B: x = r mod
2 y=r isn
If e=0, then the response
independent of
secret s

B  A: e from {0, 1}
A  B: y = rs mod n
e
 Fiat--Shamir Identification
Fiat

Protocol messages:
A  B: x = r2 mod n
B  A: e from {0, 1}
A  B: y = rs mod n
e

If e=1, then information pairs (x, y) can be

simulated by choosing y randomly, and
setting x=y2 /v mod n
 Another Example
 Peggy the prover would like to show Vic the verifier that an
element b is a member of the subgroup of Zn* generated by a,
where a has order l. (i.e., does ak = b for some k such that 0 ≤ k
≤ l?)
 Peggy chooses a random j, 0 ≤ j ≤ l – 1, and sends Vic aj.
 Vic chooses a random i = 0 or 1, and sends it to Peggy.
 Peggy computes j + ik mod l, and sends it to Vic.
 Vic checks that aj + ik = ajaik = ajbi.
 They then repeat the above steps log2n times.
 If Vic’s final computation checks out in each round, he accepts
the proof.
 Complexity Theory
 The last proof works because the problem of
solving discrete logarithms is NP-
NP-complete (or is
believed to be, at any rate).
 It has been shown that all problems in NP have
a zero-
zero-knowledge proof associated with them.
 Bit Commitments
 “Flipping a coin down a well”
 “Flipping a coin by telephone”
 A value of 0 or 1 is committed to by the prover
by encrypting it with a one-
one-way function,
creating a “blob”. The verifier can then
“unwrap” this blob when it becomes necessary
by revealing the key.
 Bit Commitment Properties
 Concealing – The verifier cannot determine the
value of the bit from the blob.
 Binding – The prover cannot open the blob as
both a zero and a one.
 Bit Commitments: An Example
 Let n = pq, where p and q are prime. Let m be a quadratic
nonresidue modulo n. The values m and n are public, and the
values p and q are known only to Peggy.
 Peggy commits to the bit b by choosing a random x and sending
Vic the blob mbx2.
 When the time comes for Vic to check the value of the bit,
Peggy simply reveals the values b and x.
 Since no known polynomial-
polynomial-time algorithm exists for solving the
quadratic residues problem modulo a composite n whose factors
are unknown, hence this scheme is computationally concealing.
 On the other hand, it is perfectly binding, since if it wasn’t, m
would have to be a quadratic residue, a contradiction.
 Bit Commitments and Zero-
Zero-
Knowledge
 Bit commitments are used in zero-
zero-knowledge
proofs to encode the secret information.
 For example, zero-
zero-knowledge proofs based on
graph colorations exist. In this case, bit
commitment schemes are used to encode the
colors.
 Complex zero-
zero-knowledge proofs with large
numbers of intermediate steps that must be
verified also use bit commitment schemes.
 Computational Assumptions
 A zero-
zero-knowledge proof assumes the prover
possesses unlimited computational power.
 It is more practical in some cases to assume that
the prover’s computational abilities are bounded.
In this case, we have a zero-
zero-knowledge
argument.
 Proof vs. Argument
Zero-Knowledge Proof:
Zero- Zero-Knowledge Argument:
Zero-
 Unconditional completeness  Unconditional completeness

 Unconditional soundness  Computational soundness

 Computational zero-
zero-  Perfect zero-
zero-knowledge
knowledge  Computationally binding
 Unconditionally binding blobs
blobs  Unconditionally concealing
 Computationally concealing blobs
blobs
 Applications
 Zero-knowledge proofs can be applied where
Zero-
secret knowledge too sensitive to reveal needs to
be verified
 Key authentication
 PIN numbers
 Smart cards
 Limitations
 A zero-
zero-knowledge proof
is only as good as the
secret it is trying to
conceal
 Zero--knowledge proofs
Zero
of identities in particular
are problematic
 The Grandmaster
Problem
 The Mafia Problem
 etc.
 Research
 I am currently working with Dr. Curtis Barefoot in the
NMT Mathematics Dept. on methods of applying zero-zero-
knowledge proofs to mathematical induction: Can a
prover prove a theorem via induction without revealing
any of the steps beyond the base case?
 Possible application of methods developed by
Camenisch and Michels (or maybe not?)
 References
 Blum, M., “How to Prove a Theorem So No One Else Can Claim It”, Proceedings of the
International Congress of Mathematicians, Berkeley, California, 1986, pp. 1444-
1444-1451
 Camenisch, J., M. Michels, “Proving in Zero-
Zero-Knowledge that a Number is the Product of Two
Safe Primes”, Eurocrypt ’99, J. Stern, ed., Lecture Notes in Computer Science 1592, pp. 107-
107-122,
Springer--Verlag 1999
Springer
 Cramer, R., I. Dåmgard, B. Schoenmakers, “Proofs of Partial Hiding and Simplified Design of
Witness Hiding Protocols”, Advances in Cryptology – CRYPTO ’94, Lecture Notes in Computer
Science 839, pp. 174-
174-187, Springer
Springer--Verlag, 1994
 De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, “On Monotone Formula Closure of SZK”,
Proceedings of the 35th Symposium on the Foundations of Computer Science, pp. 454-454-465,
IEEE, 1994
 Feigenbaum, J., “Overview of Interactive Proof Systems and Zero-
Zero-Knowledge”, Contemporary
Cryptology, G.J. Simmons, ed., pp. 423-
423-440, IEEE Press 1992
 Quisquater, J.J., L. Guillou, T. Berson, “How to Explain Zero-
Zero-Knowledge Protocols to Your
Children”, Advances in Cryptology - CRYPTO ’99, Lecture Notes in Computer Science 435, pp.
628--631, 1990
628
 Schneier, B., Applied Cryptography (2nd edition), Wiley, 1996
 Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995