Zero-Knowledge Proofs And Their Applications in Cryptographic Systems Sultan Almuhammadi ICS 454

Mar 15, 2016

Page 1: Zero-Knowledge Proofs

Zero-Knowledge Proofs and Their Applications in Cryptographic Systems

Sultan Almuhammadi
ICS 454

Page 2: Zero-Knowledge Proofs

Introduction

Zero-knowledge proofs (ZKPs)
• To prove the knowledge of a secret without revealing it.
• Special form of interactive proofs (IP) between two parties: prover and verifier.
• First introduced in 1985 by Goldwasser, Micali and Rackoff, for identification schemes.
• Have a wide range of applications in modern cryptographic systems.

Page 3: Zero-Knowledge Proofs

Introduction

ZKPs
• Iterative: run in several rounds
• Usually have high cost due to iteration

Cost Measures
• Execution-time complexity
• Communication cost (# of bits exchanged)
• Communication latency (delay)

Page 4: Zero-Knowledge Proofs

From the Literature

A Toy Example of ZKP
• To demonstrate all the features of ZKP
• Easy to discuss and visualize
• Known as: Alibaba’s cave

Page 5: Zero-Knowledge Proofs

Alibaba’s Cave

Peggy (the prover) wants to prove her knowledge of the secret word of the cave to Victor (the verifier) but without revealing it

Page 6: Zero-Knowledge Proofs

Alibaba’s Cave: The Proof

1. Starting at point A
2. Peggy walks all the way to either point C or point D
3. Victor walks to point B
4. Victor asks Peggy to either:
   • Come out of the left passage (or)
   • Come out of the right passage
5. Peggy does that using the secret word if needed
6. They repeat these steps until Victor is convinced that Peggy knows the secret word

Page 7: Zero-Knowledge Proofs

Alibaba’s Cave: About The Proof

1. Complete: if Peggy knows the secret word, she can complete the proof successfully.

2. Sound: if she does not know the secret, it is highly unlikely that she passes all the rounds.

3. Zero-knowledge: no matter how many rounds Victor asks for, he cannot learn the secret.

4. Repudiatable: (Peggy can repudiate the proof) If Victor video tapes the entire protocol, he cannot convince others that Peggy knows the secret.

5. Non-transferable: Victor cannot use the proof to pretend to be the prover to a third party.

Page 8: Zero-Knowledge Proofs

Alibaba’s Cave: Number of Rounds

How many rounds are needed?
• Completeness: If Peggy knows the secret, she always passes.
• Soundness: If Peggy does not know the secret, she can pass with a probability = $1/2^k$, where $k$ is the number of rounds.

Optimal number of rounds $k$
• Minimum $k$ that gives max trust in the proof.
• Let $S$ be the domain of the secret. E.g. $S$ = {strings of length 4 bits}

Page 9: Zero-Knowledge Proofs

Alibaba’s Cave: Number of Rounds

What is the optimal number of rounds $k$?
E.g. assume $S$ = {strings of length 4 bits}

[Figure: Prob (pass w/out secret) plotted against # of rounds k]

• $|S| = 2^4 = 16$: there are 16 possible secrets
• Prob (guess the secret) = 1/16

Optimal $k = \log_2 |S|$ (the length of the secret in bits)

Page 10: Zero-Knowledge Proofs

Applications of ZKPs

• Identification schemes
• Multi-media security and digital watermarks
• Network privacy and anonymous communication
• Digital cash and off-line digital coin systems
• Electronic election
• Public-key cryptographic systems
• Smart cards

Page 11: Zero-Knowledge Proofs

Identification Schemes

Identification scheme: a protocol for two parties (User and System) by which the User identifies himself to the System in a secure way, that is, a third party listening to the conversation cannot later impersonate the user.

Page 12: Zero-Knowledge Proofs

Identification Schemes

Why ZKP?
• In some applications, it is desirable that the identity of the specific user is kept secret from the system.
  • E.g. an investor accessing a stock-market database prefers to hide his identity.
  • Knowing which user is interested in the stock of a given company is valuable information.
• However, the system must make sure that the user is legitimate (i.e. a subscriber to the service).

Page 13: Zero-Knowledge Proofs

Multi-media Security and Digital Watermarks

Digital Watermark
• To resolve ownership of media objects
• To ensure theft detection in a court of law
• Must survive within a media object
• Should not be easily removed by attackers

Why ZKP?
• To prove the existence of a mark, without revealing what that mark is.
• Revealing a watermark within an object leads to subsequent theft by providing attackers with the information they need to remove or claim the watermark.

Page 14: Zero-Knowledge Proofs

Digital Cash and Off-line Digital Coin Systems

Security needs
• The bank wants to be able to detect all reuse or forgery of the digital coins.
• The vendor requires the assurance of authenticity.
• The customer wants the privacy of purchases (the bank cannot track down where the coins are spent, unless the customer reuses/forges them).

Off-line digital coin system
• The purchase protocol does not involve the bank.

Why ZKP?
• To achieve the privacy of the customer.

Page 15: Zero-Knowledge Proofs

Electronic Election

Electronic voting system: a set of protocols which allow voters to cast ballots while a group of authorities collect the votes and output the final tally.

Requirements
• Security: ensure voting restrictions (e.g. voters can vote for at most one of the given candidates)
• Privacy: cannot reveal who votes for what

Why ZKP?
• To ensure the privacy of the voter.

Page 16: Zero-Knowledge Proofs

Public-Key Cryptographic Systems

Setups
• Each user has a public key and a private key.
• A message encrypted with some public key needs the corresponding private key to decrypt it.
• It is computationally infeasible to deduce the private key from the public key.

Examples
• RSA scheme
• ElGamal scheme

Why ZKP?

Page 17: Zero-Knowledge Proofs

Public-Key Cryptographic Systems

Why ZKP?
• To set up the scheme and prove it is secure.
• E.g. in RSA, the modulus should consist of two safe primes; ZKPs are used to prove that a given number is a product of two safe primes without revealing any information whatsoever about these safe prime factors.

Page 18: Zero-Knowledge Proofs

Definitions

• Negligible function
• Zero-knowledge proof
• Completeness property
• Soundness property

Page 19: Zero-Knowledge Proofs

Definition: Negligible function

• $f$ is negligible if for all $c > 0$ and sufficiently large $n$, $f(n) < n^{-c}$
• $f$ is nonnegligible if there exists a $c > 0$ such that for all sufficiently large $n$, $f(n) > n^{-c}$
• E.g. $f(n) = 2^{-n}$ is negligible in $n$.

Page 20: Zero-Knowledge Proofs

Definition: Zero-knowledge Proof

From its name, it has two parts:
• Proof: It convinces the verifier with overwhelming probability that the prover knows the secret, i.e. it is complete and sound.
• Zero-knowledge: It should not reveal any information about the secret.

Page 21: Zero-Knowledge Proofs

Requirements of ZKPs

1. Completeness: If the prover knows the secret, the verifier accepts the proof with overwhelming probability.

2. Soundness: If the prover does not know the secret, it is highly unlikely that the verifier accepts the proof.

3. Zero-knowledge: The verifier cannot learn the secret even if he deviates from the protocol.

4. Repudiatability: The prover can repudiate the proof to a third party.

5. Non-transferability: The verifier cannot pretend to be the prover to any third party.

Page 22: Zero-Knowledge Proofs

Classical Problems Used in ZKPs

• Discrete Log (DL) Problem
• Square Root Problem (SQRT)
• Graph Isomorphism Problem
• Satisfiability (SAT) Problem

Page 23: Zero-Knowledge Proofs

Graph Isomorphism

Given two graphs G1 = (V1, E1) and G2 = (V2, E2), to prove in zero-knowledge the possession of a permutation from G1 to G2 such that
(u, v) E1 iff ( (u), (v)) E2

Applications:
• Multi-media security

Page 24: Zero-Knowledge Proofs

ZKP of Graph Isomorphism

Step | Action | Peggy (P) | Victor (V)
0 | | G1, G2, | G1, G2
1 | P generates random ’ | ’ |
2 | P sends H = ’(G2) to V | H | H
3 | V flips a coin c | c | c
4 | If c = Head, P sends ’ to V | | ’, check H = ’(G2)
5 | If c = Tail, P sends = ’o | | , check H = (G1)
6 | Steps 1-5 are repeated until Victor is convinced that Peggy must know (with probability $1 - 2^{-k}$, for $k$ iterations). | |

Page 25: Zero-Knowledge Proofs

Square Root Problem

To prove in zero-knowledge the possession of $x$ such that $x^2 = b \pmod{n}$

Applications:
• Digital watermarks
• Public-key schemes

Page 26: Zero-Knowledge Proofs

ZKP of SQRT: $x^2 = b \pmod{n}$

Step | Action | Peggy (P) | Victor (V)
0 | | b, n, x | b, n
1 | P generates random r | r |
2 | P sends $s = r^2 \bmod n$ to V | s | s
3 | V flips a coin c = H or T | c | c
4 | If c = H, P sends r to V | | r, check $r^2 = s$
5 | If c = T, P sends $m = r \cdot x$ | | m, check $m^2 = s \cdot b$
6 | Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob $1 - 2^{-k}$, for $k$ iterations). | |

Page 27: Zero-Knowledge Proofs

DL Problem

To prove in zero-knowledge the possession of $x$ such that $g^x = b \pmod{n}$

Applications:
• Multi-media security
• Identification schemes
• Digital cash
• Electronic election

Page 28: Zero-Knowledge Proofs

ZKP of DL: $b = g^x \pmod{n}$

Step | Action | Peggy (P) | Victor (V)
0 | | g, b, n, x | g, b, n
1 | Peggy generates random r | r |
2 | P sends $h = g^r \bmod n$ to V | h | h
3 | V flips a coin c = H or T | c | c
4 | If c = H, P sends r to V | | r, check $g^r = h$
5 | If c = T, P sends m = x + r | m | m, check $g^m = bh$
6 | Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob $1 - 2^{-k}$, for $k$ iterations). | |
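
The iterative DL protocol above can be exercised end to end to see completeness, the 1/2 per-round soundness error, and why a recorded transcript proves nothing to a third party. This Python sketch is an added example, not code from the original slides; the toy parameters (n = 2039, g = 4, q = 1019), all function names, and the reduction of m modulo q (the order of g) are assumptions made for illustration.

```python
import secrets

# Constructed toy parameters (assumptions, far too small for real use):
# n = 2039 is a safe prime and g = 4 has prime order q = 1019 mod n.
N, Q, G = 2039, 1019, 4

def commit():
    """Steps 1-2: Peggy picks random r and sends h = g^r mod n."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, N)

def respond(x, r, c):
    """Steps 4-5: reveal r on H, or m = x + r on T (reduced mod q here)."""
    return r if c == "H" else (x + r) % Q

def verify(b, h, c, answer):
    """Victor's check: g^r = h on H, g^m = b*h on T."""
    expected = h if c == "H" else (b * h) % N
    return pow(G, answer, N) == expected

def honest_round(x, b, c):
    r, h = commit()
    return verify(b, h, c, respond(x, r, c))

def simulate_round(b, c):
    """Build an accepting (h, c, answer) WITHOUT x by choosing h after c.
    Anyone can produce such transcripts, which is why a recording of the
    protocol convinces no third party (repudiatability)."""
    answer = secrets.randbelow(Q)
    h = pow(G, answer, N)
    if c == "T":
        h = (h * pow(b, -1, N)) % N      # h = g^m / b, so g^m = b*h
    return h, c, answer

def cheat_round(b, guess, c):
    """A prover without x must fix h before seeing c: she prepares for
    `guess` and passes only when Victor's coin matches it."""
    h, _, answer = simulate_round(b, guess)
    return verify(b, h, c, answer)

def cheat_success_rate(b, k, trials=2000):
    """Fraction of k-round proofs a coin-guessing prover survives (~2^-k)."""
    wins = 0
    for _ in range(trials):
        wins += all(cheat_round(b, secrets.choice("HT"), secrets.choice("HT"))
                    for _ in range(k))
    return wins / trials
```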

Page 29: Zero-Knowledge Proofs

One-round ZKPs

One-round zero-knowledge proofs
• Eliminate the iteration costs

One-round ZKPs
• Encapsulate all the requirements of the true ZKP, but in one round.

Page 30: Zero-Knowledge Proofs

One-round ZKP for Alibaba’s cave example

Page 31: Zero-Knowledge Proofs

One-Round ZKP of DL: $b = g^x \pmod{n}$

Step | Action | Peggy (P) | Victor (V)
0 | | g, b, n, x | g, b, n
1 | V generates a random y | | y
2 | V sends $C = g^y \pmod{n}$ | C | $C = g^y$
3 | P sends $R = C^x \pmod{n}$ | $R = C^x$ | R
4 | V verifies that $R = C^x = (g^y)^x = g^{xy} = (g^x)^y = b^y \pmod{n}$ | |
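
The one-round exchange above, with both parties' messages, as an added Python example that is not part of the original slides. The toy parameters (n = 2039, g = 4 of prime order q = 1019) and all function names are assumptions; the last function shows that an honest Victor, who knows y, could have computed R = b^y on his own.

```python
import secrets

# Constructed toy parameters (assumptions, far too small for real use):
# n = 2039 is a safe prime and g = 4 has prime order q = 1019 mod n.
N, Q, G = 2039, 1019, 4

def victor_challenge():
    """Steps 1-2: Victor picks a nonzero random y and sends C = g^y mod n."""
    y = 1 + secrets.randbelow(Q - 1)
    return y, pow(G, y, N)

def peggy_response(x, C):
    """Step 3: Peggy sends R = C^x mod n."""
    return pow(C, x, N)

def victor_accepts(b, y, R):
    """Step 4: accept iff R = b^y, because C^x = g^(xy) = (g^x)^y = b^y."""
    return R == pow(b, y, N)

def run_proof(b, prover_exponent):
    """One full exchange; returns (accepted, (C, R)) so the two messages
    that cross the wire can be inspected."""
    y, C = victor_challenge()
    R = peggy_response(prover_exponent, C)
    return victor_accepts(b, y, R), (C, R)

def victor_alone(b):
    """Victor builds the same (C, R) pair without Peggy: knowing y he
    computes R = b^y himself, so an honest run tells him nothing new."""
    y, C = victor_challenge()
    return C, pow(b, y, N)
```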

Page 32: Zero-Knowledge Proofs

Time Complexity

Iterative ZKP
• Let $t$ be the length of the secret $x$ in bits.
• Each round costs $O(t^2 \log t \log\log t)$
• Optimal number of rounds = $t$
• $O(t^3 \log t \log\log t)$

One-round ZKP
• $O(t^2 \log t \log\log t)$

Page 33: Zero-Knowledge Proofs

Communication Cost

Iterative ZKP
• Needs 2 messages of size $t$ in each round.
• Needs one bit for the coin in each round.
• Optimal number of rounds = $t$
• Exchanges $(2t^2 + t)$ bits total.

One-round ZKP
• Needs 2 messages of size $t$ each.
• Exchanges $2t$ bits total.

Page 34: Zero-Knowledge Proofs

Communication Latency

Let $d$ be the average latency (delay) per message over the network between the two parties

Page 35: Zero-Knowledge Proofs

Communication Latency

Iterative ZKP
• Needs 2 messages in each round
• Needs one bit for the coin in each round
• Latency per round = $3d$
• Optimal number of rounds = $t$
• Overall latency = $3td$

One-round ZKP
• Needs 2 messages, each takes $d$
• Overall latency = $2d$

Page 36: Zero-Knowledge Proofs

Security Issues on 1-R ZKP of DL