ZeroKnowledge Proofs - PowerPoint PPT Presentation

1 / 43

About This Presentation

Title:

ZeroKnowledge Proofs

Description:

First introduced in 1985 by Goldwasser, Micali and Rachoff, for identification schemes. ... Secret admirer (or criticizing) letter to system admin ... – PowerPoint PPT presentation

Number of Views:73

Avg rating:3.0/5.0

Slides: 44

Provided by: Facul216

Category:

more less

Transcript and Presenter's Notes

Title: ZeroKnowledge Proofs

1
Zero-Knowledge Proofs

And Their Applications in Cryptographic Systems

Sultan Almuhammadi ICS 555
2
Introduction

Zero-knowledge proofs (ZKPs)
To prove the knowledge of a secret without
revealing it.
Special form of interactive proofs (IP) between
two parties prover and verifier.
First introduced in 1985 by Goldwasser, Micali
and Rachoff, for identification schemes.
Have wide ranges of applications in modern
cryptographic systems.

3
Introduction

ZKPs
Iterative run in several rounds
Usually have high cost due to iteration
Cost Measures
Execution-time complexity
Communication cost (of bits exchanged)
Communication latency (delay)

4
From the Literature

A Toy Example of ZKP
To demonstrate all the features of ZKP
Easy to discuss and visualize
Known as Alibabas cave

5
Alibabas Cave

Peggy (the prover) wants to prove her knowledge
of the secret word of the cave to Victor (the
verifier) but without revealing it

6
Alibabas Cave The Proof

Starting at point A
Peggy walks all the way to either point C or
point D
Victor walks to point B
Victor asks Peggy to either
Come out of the left passage (or)
Come out of the right passage
Peggy does that using the secret word if needed
They repeat these steps until Victor is convinced
that Peggy knows the secret word

7
Alibabas Cave About The Proof

Complete if Peggy knows the secret word, she can
complete the proof successfully.
Sound if she does not know the secret, it is
highly unlikely that she passes all the rounds.
Zero-knowledge no matter how many rounds Victor
asks for, he cannot learn the secret.
Repudiatable (Peggy can repudiate the proof) If
Victor video tapes the entire protocol, he cannot
convince others that Peggy knows the secret.
Non-transferable Victor cannot use the proof to
pretend to be the prover to a third party.

8
Alibabas Cave Number of Rounds

How many rounds are needed?
Completeness
If Peggy knows the secret, she always passes.
Soundness
If Peggy does not know the secret, she can pass
with a probability 1/2k where k is the number
of rounds.
Optimal number of rounds k
Minimum k that gives max trust in the proof.
Let S be the domain of the secret.
E.g. S strings of length 4 bits

9
Alibabas Cave Number of Rounds

What is the optimal number of rounds k?
Assume S strings of length 4 bits

Chance to cheat
Optimal k log2 S (the length of the secret
in bits)
1/2
k
S 24 16 There are 16 possible secrets
1/4
1/8
1/16
of Rounds
1
2
3
4
5
0
6
10
Applications of ZKPs

Identification schemes
Multi-media security and digital watermarks
Network privacy and anonymous communication
Digital cash and off-line digital coin systems
Electronic election
Public-key cryptographic systems
Smart cards

11
Identification Schemes

Identification scheme a protocol for two parties
(User and System) by which the User identifies
himself to the System in a secure way, that is, a
third party listening to the conversation cannot
later impersonate the user.

12
Identification Schemes

Why ZKP?
In some applications, it is desirable that the
identity of the specific user is maintained
secret to the system.
E.g. an investor accessing a stock-market
database prefers to hide his identity.
Knowing which user is interested in stock of a
given company is a valuable information.
However, the system must make sure that the user
is legitimate (i.e. a subscriber to the service).

13
Example Identification Scheme

Two modes of identification
Normal-mode The User reveals his identity to the
System.
Private-mode The identity of the user is
maintained secret to the system.

14
Example Identification Scheme

Using ZKP of SAT
Given a boolen formula f, to prove the possession
of the truth-assignment A that satisfies the
formula (i.e. without revealing any information
whatsoever about A itself or why and how it
works).

15
Example Identification Scheme

Each user i is given a boolean formula fi and a
truth-assignment Ai that satisfies fi
To log in to the system in normal-mode
User i proves that fi is satisfiable in
zero-knowledge.
To log in to the system in private-mode
Create ? f1 ? f2 ? ? fn
User i proves that ? is satisfiable in
zero-knowledge.

16
Multi-media Security and Digital Watermarks

Digital Watermark
To resolve ownership of media objects
To ensure theft detection in a court of law
Must survive within a media object
Should not be easily removed by attackers
Why ZKP?
To prove the existence of a mark, without
revealing what that mark is.
Revealing a watermark within an object leads to
subsequent theft by providing attackers with the
information they need to remove or claim the
watermark.

17
Network Privacy and Anonymous Communication

Why ZKP?
To achieve anonymity (like in identification
schemes)
Anonymous Communication
To hide who communicates with whom
The adversary is allowed to see all the
communications but cannot determine the sender
(or the receiver).
Examples of Applications
Crime tip hotline
Secret admirer (or criticizing) letter to system
admin
Allow employees leaking information to the press
from corrupted organizations

18
Digital Cash and Off-line Digital Coin Systems

Why ZKP?
To achieve the privacy of the customer.
Security needs
The bank wants to be able to detect all reuse or
forgery of the digital coins.
The vendor requires the assurance of
authenticity.
The customer wants the privacy of purchases (the
bank cannot track down where the coins are spent,
unless the customer reuses/forges them).
Off-line digital coin system
The purchase protocol does not involve the bank.

19
Electronic Election

Why ZKP?
To ensure the privacy of the voter.
Electronic voting system a set of protocols
which allow voters to cast ballots while a group
of authorities collect the votes and output the
final tally.
Requirements
Security ensure voting restrictions (e.g. voters
can vote to at most one of the given candidates)
Privacy cannot revoke who votes for what

20
Public-Key Cryptographic Systems

Why ZKP?
To set up the scheme and prove it is secure
Setups
Each user has a public key and a private key
encrypted message with some public key needs the
corresponding private key to decrypt it.
it is computationally infeasible to deduce the
private key from the public key.
Examples
RSA scheme
ElGamal scheme

21
Public-Key Cryptographic Systems

Why ZKP?
To set up the scheme
E.g. in RSA, the modulus should consist of two
safe primes ZKPs are used to prove that a given
number is a product of two safe primes without
revealing any information whatsoever about these
safe prime factors

22
Definitions

Negligible function
Zero-knowledge proof
Completeness property
Soundness property

23
Definition Negligible function

f is negligible if for all c gt 0 and sufficiently
large n, f(n) lt n-c
f is nonnegligible if there exists a c gt 0 such
that for all sufficiently large n, f(n) gt n-c
E.g. f(n) 2-n is negligible in n.

24
Definition Zero-knowledge Proof

From its name, it has two parts
Proof
It convinces the verifier with overwhelming
probability that the prover knows the secret.
It is complete and sound (defined later)
Zero-knowledge
It should not reveal any information about the
secret.
The transcript of the dialogue should be
computationally indistinguishable to the
transcript generated by a simulator that
simulates the interaction between the prover and
the verifier.

25
Definition Completeness and Soundness

Zero-knowledge proofs are complete and sound
Completeness property
For any c gt 0 and sufficiently long x ? L,
Probability (V accepts x) gt 1 - x-c
Soundness property
For any c gt 0 and sufficiently long x ? L,
Probability (V accepts x) lt x-c, (i.e.
negligible), even if the prover deviates from the
prescribed protocol.

26
Classical Problems

Discrete Log (DL) Problem
Discrete Log over Elliptic Curve (DL-EC)
Square Root Problem (SQRT)
Equality of Two Discrete Log (DL-AND)
One of Two Discrete Log (DL-OR)
Multiple-Base Representation (MBR)
Graph Isomorphism Problem
Graph 3-Colorability Problem
Hamiltonian Cycle Problem
Satisfiability (SAT) Problem

27
DL Problem

To prove in zero-knowledge the possession of x
such that
gx b (mod n)
Applications
Multi-media security
Identification schemes
Digital cash
Anonymous communication
Electronic election

28
Multiple-Base Representation Problem (MBR)

To prove in zero-knowledge the possession of X
ltx1 , x2, x3, , xtgt, such that
b ?i gi xi (mod n)
Applications
Public-key schemes
Digital cash systems

29
Graph Isomorphism

Given two graphs G1(V1,E1) and G2(V2, E2), to
prove in zero-knowledge the possession of a a
permutation ? from G1 to G2 such that
(u, v) ? E1 iff (? (u), ? (v)) ? E2
Applications
Multi-media security

30
Graph 3-Colorability

Given a graph G(V,E), to prove in zero-knowledge
the possession of a 3-coloring function f such
that for all (u,v) ? E
f(u) ? f(v)
Applications
Digital watermarks
3-colorability is NP-complete
Easy to visualize and discuss

31
Square Root Problem

To prove in zero-knowledge the possession of x
such that
x2 b (mod n)
Applications
Digital watermarks
Public-key schemes
Smart cards

32
Requirements of ZKPs

Completeness If the prover knows the secret, the
verifier accepts the proof with overwhelming
probability.
Soundness If the prover does not know the
secret, it is highly unlikely that the verifier
accepts the proof.
Zero-knowledge The verifier cannot learn the
secret even if he deviates from the protocol.
Repudiatability The prover can repudiate the
proof to a third party.
Non-transferability The verifier cannot pretend
to be the prover to any third party.

33
Examples of ZKPs