
http://cseweb.ucsd.edu/users/bsy/ZKP.html

Abstractly, a zero-knowledge proof is an interactive proof with a prover and a verifier, where the prover convinces the verifier of a statement (with high probability) without revealing any information about how to go about proving that statement. Hopefully the following example will make it all clear.

First, our assumptions. We're going to do arithmetic modulo n, where n = pq, and p and q are primes. Factoring n is assumed to be intractable. Rabin showed in [RabinFunc] that finding square roots modulo n is equivalent to factoring n. That is, if you have an algorithm that can find a square root of a number modulo n, then you can use that algorithm to factor n.

Our zero-knowledge proof will consist of rounds of interaction which show that the prover knows a square root of a published number, where we do not reveal any new information about the square root. It is known that there exists a square root to this number (public knowledge), i.e., it is a quadratic residue. The factors of the modulus n may be entirely secret. (U. Feige et al. show a refinement in [FFS] which allows the published number to be a non-quadratic residue of a particular form as well, thus revealing less information; in either case, runs of the protocol itself reveal no new information.)

The prover, P, publishes the quadratic residue v for which P claims to know a root s. When P wishes to prove its knowledge of s to the verifier, V, P runs several rounds of interaction. In each round, P chooses a new random number r and sends x = r^2 mod n to V. Now, V chooses a random bit b, and sends it to P. P replies with y = r s^b. To verify P's claim, V computes y^2 and compares it with x v^b.

Now, let's do the analysis. The first claim is that only P can successfully complete the protocol for both possible values of b. This is clear, since knowing y_0 = r when b = 0 and y_1 = r s when b = 1 means you also know s, since y_1/y_0 = s.
The second claim is that an impostor P' who does not actually know s can succeed with a probability of exactly 1/2 each round: to see this, notice that if P' guesses correctly that b = 0, then it can just follow the protocol and succeed; on the other hand, if P' guesses that b = 1, P' can generate x by choosing a random number t and setting x = t^2 / v. The response is y = t.

The third claim is that no new information is released. To see this, consider what an eavesdropper E hears. In the case of the random bit b = 0, E sees a random number r and its square x; in the case of b = 1, E sees the numbers rs and x = (rs)^2 / v. These are numbers that the eavesdropper could have generated in a closet. More precisely, a simulator S can run both sides of the protocol, and by using advance information as to the value of the random bit (the model is a poly-time TM with an auxiliary input tape of random bits), S can simulate the protocol without knowledge of s.

Each round of the proof shows that there is a 1/2 chance that a prover P'' (we don't know whether P'' is P or P') might not actually know s. Iterating 20 times gives a probability of less than 2^-20 or .0000009536 that P'' does not actually know s.

Such zero-knowledge proofs can be used for authentication -- the value of v can be generated from a randomly chosen s, and v is widely published as the public authentication "puzzle". A successful zero-knowledge proof showing knowledge of s authenticates identity. In [StrongboxIn25th], Doug Tygar and I show how to obtain superexponential scaling in security modulo the factorization assumption, run the protocol in constant rounds while retaining the zero-knowledge property, and simultaneously perform key exchange.

Note that using only a zero-knowledge proof of identity over a communication channel such as that provided by TCP/IP does not suffice to provide a secure communication channel: an attacker who has access to a link in the Internet through which your packets all cross may wait until the authentication protocol completes, and then hijack your connection. Furthermore, doing the obvious protocol piggy-backing to run zero-knowledge authentication at the same time as, say, anonymous Diffie-Hellman key exchange is subject to message tampering -- an attacker may substitute her/his own Diffie-Hellman values in your packets, using your zero-knowledge authentication as a subroutine. Care must be taken when composing two cryptographic protocols to ensure that the needed security properties are retained.
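The round described above, with the honest prover, the guessing impostor P' of the second claim, and the simulator S of the third claim, as an added Python example (not code from Yee's page). The primes p, q and the secret s are toy values chosen here so it runs offline; a real modulus must be large enough that factoring is intractable.

```python
import secrets

# Toy modulus, constructed for illustration only: a real n = p*q must be
# large enough that factoring it (and so finding square roots) is intractable.
P, Q = 10007, 10009
N = P * Q

def publish(s: int) -> int:
    """Prover's public quadratic residue v = s^2 mod n for the secret root s (gcd(s, n) = 1)."""
    assert s % P and s % Q, "s must be coprime to n"
    return pow(s, 2, N)

def honest_commit() -> tuple:
    """P picks a fresh random r and sends x = r^2 mod n.  Returns (r, x)."""
    r = secrets.randbelow(N - 2) + 2
    return r, pow(r, 2, N)

def honest_respond(s: int, r: int, b: int) -> int:
    """P answers the challenge bit b with y = r * s^b mod n."""
    return (r * pow(s, b, N)) % N

def verify(v: int, x: int, b: int, y: int) -> bool:
    """V accepts the round iff y^2 == x * v^b (mod n)."""
    return pow(y, 2, N) == (x * pow(v, b, N)) % N

def cheat_commit(v: int, guess: int) -> tuple:
    """P' (who does not know s) bets on the challenge bit in advance.  For guess 0 it
    sends x = t^2 like P; for guess 1 it sends x = t^2 / v.  Either way it answers
    y = t, so the round passes exactly when guess == b.  Returns (t, x)."""
    t = secrets.randbelow(N - 2) + 2
    x = pow(t, 2, N)
    if guess == 1:
        x = (x * pow(v, -1, N)) % N
    return t, x

def simulate_transcript(v: int, b: int) -> tuple:
    """The simulator S of the third claim: knowing b ahead of time it produces an
    accepting transcript (x, b, y) without s, which is why rounds leak nothing."""
    y, x = cheat_commit(v, b)
    return x, b, y

def honest_rounds(s: int, v: int, rounds: int) -> int:
    """Runs `rounds` rounds between honest P and V; returns how many V accepted."""
    accepted = 0
    for _ in range(rounds):
        r, x = honest_commit()
        b = secrets.randbits(1)             # V's random challenge bit
        accepted += verify(v, x, b, honest_respond(s, r, b))
    return accepted
```

Because the verifier's bit is chosen after x is fixed, a cheating P' passes a round only when its guess matches b, which is the 1/2 per-round bound the text states.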

http://www.wisdom.weizmann.ac.il/~oded/zk-tut02.html

Zero-Knowledge proofs are fascinating and extremely useful constructs. Their fascinating nature is due to their seemingly contradictory definition; zero-knowledge proofs are both convincing and yet yield nothing beyond the validity of the assertion being proven. Their applicability in the domain of cryptography is vast; they are typically used to force malicious parties to behave according to a predetermined protocol. In addition to their direct applicability in Cryptography, zero-knowledge proofs serve as a good benchmark for the study of various problems regarding cryptographic protocols (e.g., "secure composition of protocols" and the "use of the adversary's program within the proof of security").

In this tutorial we will present the basic definitions and results regarding zero-knowledge as well as some recent developments regarding this notion.

The Basics

Loosely speaking, zero-knowledge proofs are proofs that yield nothing beyond the validity of the assertion. That is, a verifier obtaining such a proof only gains conviction in the validity of the assertion. This is formulated by saying that anything that is feasibly computable from a zero-knowledge proof is also feasibly computable from the (valid) assertion itself (by a so-called simulator). Variants on the basic definition include:

- Consideration of auxiliary inputs.
- Universal and black-box simulations.
- Restricting attention to honest verifiers.
- The level of similarity required of the simulation.

It is well-known that zero-knowledge proofs exist for any NP-set, provided that one-way functions exist. This result is a powerful tool in the design of cryptographic protocols, because it makes it possible to force parties to behave according to a predetermined protocol (i.e., the protocol requires parties to provide zero-knowledge proofs of the correctness of their secret-based actions, without revealing these secrets).
Advanced Topics

We focus on two basic problems regarding zero-knowledge, which actually arise also with respect to the security of other cryptographic primitives. The first question refers to the preservation of security (i.e., zero-knowledge in our case) under various types of composition operations. We survey the known results regarding sequential, parallel and concurrent execution of (arbitrary and/or specific) zero-knowledge protocols. The main facts are:

- Zero-knowledge (w.r.t. auxiliary inputs) is closed under sequential composition.
- In general, zero-knowledge is not closed under parallel composition. Yet, some zero-knowledge proofs (for NP) preserve their security when many copies are executed in parallel. Furthermore, some of these protocols use a constant number of rounds.
- Some zero-knowledge proofs (for NP) preserve their security when many copies are executed concurrently, but such a result is not known for constant-round protocols.

The second basic question regarding zero-knowledge refers to the usage of the adversary's program within the proof of security (i.e., demonstration of the zero-knowledge property). For 15 years, all known proofs of security used the adversary's program as a black-box (i.e., a universal simulator was presented using the adversary's program as an oracle). Furthermore, it was believed that there is no advantage in having access to the code of the adversary's program. Consequently it was conjectured that negative results regarding black-box simulation represent an inherent limitation of zero-knowledge. This belief has been refuted recently by a zero-knowledge argument (for NP) that has important properties that are unachievable by black-box simulation.

Other topics treated in the full version of the tutorial (but not in its oral presentation) include proofs of knowledge, Non-Interactive Zero-Knowledge proofs, Statistical Zero-Knowledge, Knowledge Complexity, and the resettability of a party's random-tape.

Material Available On-Line

A preliminary version, July 2002. Revised October 2002, December 2002, March 2004, March 2010,
