Interactive and Zero Knowledge Proofs - PowerPoint PPT Presentation

Slides: 69
Provided by: gaussE
Transcript and Presenter's Notes

1
Interactive and Zero Knowledge Proofs
6
Interactive and Zero Knowledge Proofs
A protocol between two parties in which one party, called the prover, tries to prove a certain fact to the other party, called the verifier. Used for authentication and identification. The fact to prove usually is related to the prover's identity, say the prover's secret key.
The following properties are important:
1. Completeness - the verifier always accepts the proof if the fact is true and both parties follow the protocol.
2. Soundness - the verifier always rejects the proof if the fact is false, as long as the verifier follows the protocol.
3. Zero-Knowledge - the verifier learns nothing else about the fact being proved from the prover that could not be learned without the prover, regardless of following the protocol. The verifier cannot even prove the fact to anyone later.
10
Interactive and Zero Knowledge Proofs
How do you know you have a Zero Knowledge proof?
The verifier can produce a simulation of the transactions even if the prover does not know the fact to be proved. The simulation can be handed to a third party who cannot tell whether the simulation is real or fake.
How can the verifier do that?
The verifier videotapes the transactions and throws out any bad frames, and presto, the rest looks to anyone like a transaction proving the fact.
12
Interactive and Zero Knowledge Proofs
A Round - a commitment message from the prover, a challenge from the verifier, a response to the challenge from the prover.
The protocol may repeat for several rounds. Based on the prover's responses in all the rounds, the verifier decides whether to accept or reject the proof.
15
Interactive and Zero Knowledge Proofs
Example: Ali Baba's Cave
[Figure: the cave, with points P, Q, R and S]
Initially the Prover and Verifier are at the mouth of the cave. Neither can see deep into the cave. From Q a player cannot see either R or S.
The Prover proves it knows the secret words that will open the door at the green line, deep inside the cave, but without telling what they are.
19
Interactive and Zero Knowledge Proofs
Example: Ali Baba's Cave
[Figure: the cave, with points P, Q, R and S]
Round:
Prover's commitment is to visit R or S while the verifier waits at P.
Verifier's challenge is to walk to Q and ask the prover to exit at R or S.
Prover's response is to do as the verifier says.
Many rounds: the verifier is certain the prover does not know, or pretty sure it does.
25
Interactive and Zero Knowledge Proofs
How do we know it is a zero-knowledge proof?
The proof can be performed efficiently by a simulator that has no idea of what the proof is.
The verifier videotapes the movements of the prover and the verifier, assuming the prover does not know the secret words. Some of the rounds show the prover unable to find the correct exit. Those rounds are deleted from the videotape. The result is a sequence of rounds that appear to show the prover does know the secret words.
Hence no knowledge can be extracted from the videotape. There is no knowledge in the recording of the original protocol.
26
Graph Isomorphism Zero Knowledge Proofs
29
Graph Isomorphism Zero Knowledge Proofs
[Figure: two graphs, each with vertices labelled 1 to 5]
It is really hard to determine whether two graphs are isomorphic.
But, if someone hands you a vertex mapping, it is easy to check!!!
31
Graph Isomorphism - Zero Knowledge Proof
[Diagram: Prover and Verifier]
Generate two isomorphic graphs $G_0$ and $G_1$ of n vertices. Publish graphs.
35
Graph Isomorphism - Zero Knowledge Proof
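[Diagram: messages $H$, $e'$ and $\sigma$ exchanged between Prover and Verifier]
Protocol:
Prover: Generate 2nd perm $\pi$, compute $H = \pi(G_e)$, select $e \in \{0,1\}$.
Verifier: Select $e' \in \{0,1\}$, ask to prove $H$ isomorphic to $G_{e'}$.
Prover: Compute $\sigma$:
  $\sigma = \pi$ if $e' = e$
  $\sigma = \pi\varphi^{-1}$ if $e' = 1$ and $e = 0$
  $\sigma = \pi\varphi$ if $e' = 0$ and $e = 1$
Verifier: Checks $\sigma(G_{e'}) = H$.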
39
Graph Isomorphism - Zero Knowledge Proof
[Diagram: Impersonator and Verifier; the Impersonator has no valid reply]
Protocol:
Impersonator: Generate $\pi$, compute $H = \pi(G_e)$, select $e \in \{0,1\}$.
Verifier: Select $e' \in \{0,1\}$, ask to prove $H$ isomorphic to $G_{e'}$.
Impersonator: Cannot compute $\sigma$ if $e' \neq e$, does not know $\varphi$; could have seen a previous $\sigma$ sent by the prover, but with probability 1/2 it would be the wrong one.
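The graph isomorphism round described above, as an added Python example that is not part of the original slides. It assumes graphs are sets of undirected edges on vertices 0..n-1, permutations are tuples with `p[v]` the image of `v`, and `PHI` is the prover's secret isomorphism with G1 = PHI(G0); the sample graph and all names are constructed for illustration.

```python
import random

def apply_perm(p, edges):
    """Relabel each edge {a, b} as {p[a], p[b]}."""
    return frozenset(frozenset((p[a], p[b])) for a, b in edges)

def compose(p, q):
    """The permutation 'p after q': v -> p[q[v]]."""
    return tuple(p[v] for v in q)

def inverse(p):
    return tuple(sorted(range(len(p)), key=p.__getitem__))

class Prover:
    def __init__(self, graphs, n, rng, phi=None):
        self.graphs, self.n, self.rng, self.phi = graphs, n, rng, phi
    def commit(self):
        """Pick e and a fresh pi; return H = pi(G_e)."""
        self.e = self.rng.randrange(2)
        self.pi = tuple(self.rng.sample(range(self.n), self.n))
        return apply_perm(self.pi, self.graphs[self.e])
    def respond(self, e_chal):
        """Return sigma with sigma(G_e') = H, using the secret phi."""
        if e_chal == self.e:
            return self.pi
        if e_chal == 1:                        # e = 0: sigma = pi phi^-1
            return compose(self.pi, inverse(self.phi))
        return compose(self.pi, self.phi)      # e = 1: sigma = pi phi

class Impersonator(Prover):
    def respond(self, e_chal):
        return self.pi            # no phi: this is right only when e' = e

def verify(graphs, H, e_chal, sigma):
    return apply_perm(sigma, graphs[e_chal]) == H

def run(prover, rounds, rng):
    """Verifier's loop: accept only if every round checks out."""
    for _ in range(rounds):
        H = prover.commit()
        e_chal = rng.randrange(2)
        if not verify(prover.graphs, H, e_chal, prover.respond(e_chal)):
            return False
    return True

# Constructed sample: G0 on vertices 0..4 and secret phi with G1 = phi(G0).
G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)])
PHI = (2, 0, 3, 4, 1)
GRAPHS = (G0, apply_perm(PHI, G0))
```

Calling `run(Prover(GRAPHS, 5, rng, PHI), 50, rng)` always accepts, while an `Impersonator` survives each round only when the verifier's challenge happens to equal its own choice of e.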
42
Fiat-Shamir Zero Knowledge Proof
Based on difficulty of computing square roots mod a composite n.
Given two large primes p, q and $n = pq$, computing $\sqrt{x} \bmod n$ is very hard without knowing p, q.
But there exist efficient algorithms for computing square roots modulo a prime number, and therefore $\sqrt{x} \bmod n$ can be computed efficiently if p and q are known.
45
Fiat-Shamir Zero Knowledge Proof
[Diagram: Prover and Trusted Party, with p, q, n, S and V]
$n = pq$
$1 = \gcd(n, S)$, $V = S^2 \bmod n$
50
Fiat-Shamir Zero Knowledge Proof
[Diagram: Prover and Verifier, with S and V; message $a = rS^e \bmod n$]
Prover chooses random r, sends $r^2 \bmod n$.
Verifier chooses 1 or 0 and sends it to prover.
Prover sends $rS^e \bmod n$ to verifier.
Verifier checks $a^2$ against $V^e r^2 \bmod n$.
51
Fiat-Shamir Zero Knowledge Proof
[Diagram: Prover and Verifier, with S and V; message $a = rS^e \bmod n$]
Either $a = r \bmod n$ if $e = 0$, or $a = rS \bmod n$ if $e = 1$.
$V^e r^2 \bmod n = r^2 \bmod n$ if $e = 0$, or $S^2 r^2 \bmod n$ if $e = 1$.
Verifier checks $a^2$ against $V^e r^2 \bmod n$.
If prover knows S, then verifier's test always succeeds. Otherwise it fails half the time.
52
Feige-Fiat-Shamir Zero Knowledge Proof
Based on difficulty of computing square roots mod a composite n.
Given two large primes p, q and $n = pq$, computing $\sqrt{x} \bmod n$ is very hard without knowing p, q.
But there exist efficient algorithms for computing square roots modulo a prime number, and therefore $\sqrt{x} \bmod n$ can be computed efficiently if p and q are known.
58
Feige-Fiat-Shamir Zero Knowledge Proof
$p, q, S$; $n = pq$; $V = S^2 \bmod n$
[Diagram: Prover and Verifier]
Protocol:
Prover: Generate random r, send $x = r^2 \bmod n$.
Verifier: Select $e \in \{0,1\}$, ask to prove it knows $\sqrt{x} \bmod n$.
Prover: Send $y = rS^e \bmod n$.
Verifier: Checks $y^2 = xV^e \bmod n$.
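The commit, challenge and response round above, together with the "edited videotape" simulator from the earlier slides, as an added Python example that is not part of the original slides. The modulus is a constructed toy value and the function names are hypothetical; the cheating prover models the slides' claim that without S the test fails half the time.

```python
import math
import random

N = 10007 * 10009      # constructed toy modulus; real use needs large secret primes

def keygen(n, rng):
    """Secret S with gcd(n, S) = 1 and public V = S^2 mod n."""
    while True:
        S = rng.randrange(2, n)
        if math.gcd(S, n) == 1:
            return S, S * S % n

def check(n, V, x, e, a):
    """Verifier's test: a^2 = V^e * x (mod n), where x = r^2 was the commitment."""
    return a * a % n == pow(V, e, n) * x % n

def honest_round(n, S, rng):
    """Prover who knows S: commit, receive e, respond."""
    r = rng.randrange(1, n)
    x = r * r % n                      # commitment r^2 mod n
    e = rng.randrange(2)               # verifier's challenge
    return x, e, r * pow(S, e, n) % n  # response a = r * S^e mod n

def cheat_round(n, V, rng):
    """Prover without S: guess e, then choose x so that the guess would pass."""
    guess = rng.randrange(2)
    a = rng.randrange(1, n)
    x = a * a * pow(V, -guess, n) % n  # x = a^2 / V^guess (needs Python 3.8+)
    e = rng.randrange(2)               # the real challenge arrives after x is sent
    return x, e, a, guess

def simulate(n, V, rounds, rng):
    """Edit the tape: record cheat rounds, keep only those where e == guess."""
    tape = []
    while len(tape) < rounds:
        x, e, a, guess = cheat_round(n, V, rng)
        if e == guess:
            tape.append((x, e, a))
    return tape

def cheat_success_rate(n, V, trials, rng):
    """Fraction of rounds a prover without S survives (expected about 1/2)."""
    wins = sum(check(n, V, x, e, a)
               for x, e, a, _ in (cheat_round(n, V, rng) for _ in range(trials)))
    return wins / trials
```

Every triple returned by `simulate` passes `check` even though S was never used, which is why a recorded transcript proves nothing to a third party.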
61
Parallel Zero Knowledge Protocols
[Diagram: Prover sends c(1), c(2),...,c(m) to Verifier]
Send m commitments in one message.
But cannot simulate!!! Cannot edit the Tape!!!
Are we screwed???
62
Security Problems
[Diagram: Prover, Verifier, public key, Attacker]
63
Security Problems
[Diagram: Prover, Verifier, public key, Trust Center with Key Dictionary]
64
Security Problems
Even better: need to use the trust center only for key generation.
Trust Center does the following one time:
  Generates primes p, q, and computes $n = pq$
  Publishes n, keeps p, q secret
  Defines and publishes a one-way hash function f
A Prover visits the Trust Center for a Zero-Knowledge ID.
67
Security Problems
At the Trust Center
[Diagram: f, Prover's ID info, Prover's public key v]
Prover's private key $s = \sqrt{v} \bmod n$
Prover's Certified Data
Prover's ID info
68
Security Problems
At the Verifier
[Diagram: f, Prover's ID info, Prover's public key v]
Then run the Zero-Knowledge Authentication Scheme.
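The trust center's key issuance and the verifier's recomputation of v, as an added Python example that is not part of the original slides. Assumptions of this sketch: SHA-256 stands in for the published hash f, the primes are constructed toy values congruent to 3 mod 4, and a retry counter j is appended to the ID info until v is a square, since the slides do not say how v is made to have a square root.

```python
import hashlib

P, Q = 10007, 10039          # constructed toy primes, both = 3 mod 4
N = P * Q                    # published; P and Q stay with the trust center

def f(id_info, j):
    """Stand-in for the published one-way hash f (SHA-256 is an assumption)."""
    digest = hashlib.sha256(f"{id_info}|{j}".encode()).digest()
    return int.from_bytes(digest, "big") % N

def is_square(v, prime):
    return pow(v, (prime - 1) // 2, prime) == 1   # Euler's criterion

def sqrt_mod_n(v):
    """Square root mod N = P*Q, computed from roots modulo each prime factor."""
    sp = pow(v, (P + 1) // 4, P)      # root mod P (valid because P = 3 mod 4)
    sq = pow(v, (Q + 1) // 4, Q)      # root mod Q
    # Chinese remainder theorem: the unique value mod N matching both roots
    return (sp + P * ((sq - sp) * pow(P, -1, Q) % Q)) % N

def issue_id(id_info):
    """Trust center: public key v = f(ID, j), private key s = sqrt(v) mod N."""
    j = 0
    while not (is_square(f(id_info, j), P) and is_square(f(id_info, j), Q)):
        j += 1                        # retry until v is a square mod both primes
    v = f(id_info, j)
    return j, v, sqrt_mod_n(v)

def verifier_public_key(id_info, j):
    """Verifier: recompute v from the ID info alone, with no key dictionary."""
    return f(id_info, j)
```

The verifier needs only the prover's ID info, the counter and the public f and n to obtain v, while producing s requires the factors held by the trust center.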