Zero Knowledge Proofs - PowerPoint PPT Presentation

1
Zero Knowledge Proofs
  • Matthew Pouliotte
  • Anthony Pringle
  • Cryptography
  • November 22, 2005
  • "A proof is whatever convinces me." ~ Shimon Even

2
Presentation Overview
  • What is a Zero Knowledge Proof?
  • Introduction to Interactive Proofs
  • Definition Zero Knowledge Proofs
  • Properties of Zero Knowledge Proofs
  • Applications of Zero Knowledge Proofs
  • Feige-Fiat-Shamir Proof of Identity
  • Schnorr's Identification Protocol
  • Conclusion

3
What is a Zero Knowledge Proof?
  • Classic Example
  • Ali Baba's Cave
  • Alice wants to prove to Bob that she knows how to
    open the secret door between R and S.
  • Bob goes to P
  • Alice goes to R or S
  • Bob goes to Q and tells Alice to come from one
    side or the other of the cave
  • If Alice knows the secret, she can appear from
    the correct side of the cave every time
  • Bob repeats as many times as needed until he believes
    Alice knows how to open the secret door

Image from RSA Labs [1]: http://www.rsasecurity.com/rsalabs/node.asp?id=2178

4
Introduction to Interactive Proofs
  • Prover (P) tries to prove some fact to a verifier
  • Verifier (V) either accepts or rejects the
    prover's proof
  • To prove is to convince the verifier of some
    assertion
  • Prove that you know a secret value s
  • Each party in the protocol does the following:
    • receives a message from the other party
    • performs a private computation
    • sends a message to the other party
  • Repeats for t rounds

5
Interactive Proof Protocol
[Diagram: P (Prover) and V (Verifier), each holding the Common Inputs, exchange three messages: Random Value, Challenge, Response. Repeats for t rounds.]
  • Prover and verifier share common inputs
    (functions or values)
  • The protocol yields Accept if every Response is
    accepted by the Verifier
  • Otherwise, the protocol yields Reject

6
Properties of Interactive Proofs
  • Completeness
    • The verifier accepts the proof if the assertion
      is true
    • Assumption: the parties follow the protocol
  • Soundness
    • If the fact is false, the verifier rejects the
      proof
    • Assumption: the parties follow the protocol

7
Interactive Proofs: Soundness and Completeness
  • Completeness
    • Prob[(P,V)(x) = Accept | x ∈ L] ≥ ε
  • Soundness
    • Prob[(P,V)(x) = Accept | x ∉ L] ≤ δ
  • Where
    • ε ∈ (½, 1] and δ ∈ [0, ½)
    • L is a language over {0,1}*
    • (P,V) is an Interactive Proof Protocol involving
      P and V

8
Zero Knowledge Proofs
  • Instances of interactive proofs with the
    following properties:
    • Completeness: true theorems are provable
    • Soundness: false theorems are not provable
    • No information about the prover's private input
      is revealed to the verifier (an implication of the
      zero-knowledge property)

9
Zero Knowledge Property
  • A transcript is the collection of messages
    resulting from the protocol execution
    • Random_1, Challenge_1, Response_1, Random_2, Challenge_2,
      Response_2, …, Random_m, Challenge_m, Response_m
  • A simulator is a polynomial-time algorithm that
    generates false transcripts (without the prover)
    which are identical to the genuine ones.
    • Random_1, Challenge_1, Response_1, Random_2, Challenge_2,
      Response_2, …, Random_m, Challenge_m, Response_m
  • An interactive proof has the zero knowledge
    property if a simulator exists for the proof

10
Identification Schemes
  • Provide a way to demonstrate who you are
  • Show you know a secret value without revealing it
  • Feige-Fiat-Shamir Proof of Identity
  • Schnorr's Identification Protocol
  • The zero knowledge premise is used in all PKIs
  • You do not reveal your private key
  • Most PKIs are single round though

11
Feige-Fiat-Shamir Proof of Identity
  • A trusted certifier publishes a modulus n which
    is the product of two large primes
  • Primes of the form 4r + 3 (making n a Blum integer)
  • Only purpose of trusted certifier
  • Where A is the prover and B is the verifier

12
Feige-Fiat-Shamir Proof of Identity
  • For A to prove its identity to B, the following
    protocol is executed

13
Schnorr's Identification Protocol
  • Two primes p and q such that q | p - 1
  • Usually |p| = 1024 and |q| = 160 (bit lengths)
  • A g such that ord_p(g) = q
  • A y such that y = g^(-a) (mod p)
  • Alice chooses a such that a < q
  • Alice's public key (p, q, g, y), which is
    certified by a CA

14
Schnorr's Identification Protocol
  • Bob knows Alice knows some a ∈ Z_q such that
    y = g^(-a) (mod p)
  • To prove this to Bob, the following steps are
    repeated log2 log2 p times:
    • Alice picks k ∈_U Z_q and computes g^k (mod p), which
      she sends to Bob
    • Bob picks x ∈_U {0,1}^(log2 log2 p) and sends it to Alice
    • Alice computes Response = k + ax (mod q)
    • Bob checks that g^k ≡ g^Response · y^x (mod p)
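
The following is an added example, not part of the original presentation: one round of the Schnorr protocol above with y = g^(-a) (mod p), next to a simulator of the kind described on the Zero Knowledge Property slide and a prover who does not know a. The parameters p = 23, q = 11, g = 2 and all function names are constructed for illustration and are far too small for real use.

```python
import secrets

# Constructed toy parameters: q | p - 1 and ord_p(g) = q. Not secure sizes.
P, Q, G = 23, 11, 2
T_BITS = 2  # challenge length in bits; the slides use log2(log2(p))

def keygen():
    a = secrets.randbelow(Q - 1) + 1        # secret a with 1 <= a < q
    y = pow(G, Q - a, P)                    # y = g^(-a) mod p, since g has order q
    return a, y

def commit():
    k = secrets.randbelow(Q)                # k chosen uniformly from Z_q
    return k, pow(G, k, P)                  # commitment g^k mod p

def challenge():
    return secrets.randbelow(1 << T_BITS)   # x uniform in {0,1}^T_BITS

def respond(a, k, x):
    return (k + a * x) % Q                  # response = k + a*x mod q

def verify(y, commitment, x, response):
    # Bob's check: g^k == g^response * y^x (mod p)
    return commitment == (pow(G, response, P) * pow(y, x, P)) % P

def honest_round(a, y):
    k, c = commit()
    x = challenge()
    return c, x, respond(a, k, x)

def simulate_round(y):
    """Simulator: builds an accepting transcript from the public key alone
    by choosing challenge and response first, then solving for the commitment."""
    x = challenge()
    r = secrets.randbelow(Q)
    c = (pow(G, r, P) * pow(y, x, P)) % P
    return c, x, r

def cheat_round(y, guess):
    """Prover without a: commits for one guessed challenge, then has to
    answer whatever challenge the verifier actually sends."""
    r = secrets.randbelow(Q)
    c = (pow(G, r, P) * pow(y, guess, P)) % P
    x = challenge()
    return verify(y, c, x, r), x == guess
```

The simulated transcripts verify without the secret, which is why a transcript proves nothing to a third party; the cheating prover passes a round only when the challenge matches the guess, so repeating rounds drives the success probability down.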

15
Conclusions
  • Special case of interactive proofs
  • Zero knowledge proofs offer a way to prove
    knowledge to someone without transferring any
    additional knowledge to that person
  • Can be used to prove identity
  • Basic premise used in all PKIs

16
References
  • O. Goldreich. Foundations of Cryptography: Basic
    Tools. USA: Cambridge Press, 2001.
  • D. R. Stinson. Cryptography: Theory and Practice
    (1st edition). Boca Raton: CRC Press, 1995.
  • W. Mao. Modern Cryptography: Theory and Practice.
    New Jersey: Prentice Hall, 2003.
  • A. Menezes, P. van Oorschot, and S. Vanstone.
    Handbook of Applied Cryptography. Boca Raton: CRC
    Press, 1996.
  • L. Guillou, and J.J. Quisquater. How to Explain
    Zero-Knowledge Protocols to Your Children.
    Advances in Cryptology, CRYPTO 1989.
  • G. Simari. A Primer on Zero Knowledge
    Protocols. http://cs.uns.edu.ar/gis/publications/zkp-simari2002.pdf
  • M. Tompa. Zero knowledge interactive proofs of
    knowledge (a digest). Proceedings of the 2nd
    conference on Theoretical aspects of reasoning
    about knowledge, 1988.
  • U. Feige, A. Fiat, and A. Shamir. Zero-knowledge
    proofs of identity. ACM Special Interest Group
    on Algorithms and Computation Theory (SIGACT),
    1987.
  • RSA Laboratories, What are interactive proofs
    and zero-knowledge proofs? http://www.rsasecurity.com/rsalabs/node.asp?id=2178

17
Questions???
  • "Knowledge must come through action; you can have
    no test which is not fanciful, save by trial." ~ Sophocles