Zero Knowledge
• Two parties:
  • All-powerful prover P
  • Polynomially bounded verifier V
• P wants to prove a statement to V with the following properties:
  • Completeness – an honest verifier is convinced by an honest prover
  • Correctness (soundness) – a dishonest prover can’t convince the verifier of a false statement (except with negligible probability)
  • Zero knowledge – the verifier doesn’t learn anything besides the correctness of the statement
Proving Zero Knowledge
• By simulation
• Every cheating verifier has a simulator that outputs:
  • Perfect zero knowledge – the same distribution as the verifier’s view in the protocol
  • Computational zero knowledge – a distribution indistinguishable from the verifier’s view in the protocol
• Bad example – challenge-response password protocol
• Example – proving knowledge of a discrete log
Commitment
• Two-player protocol
• Alice commits to a value b
  • Binding – Alice can’t change the value after the commitment
  • Concealing – Bob can’t discover b
• Alice can reveal b at some point
• Example – f(x) a one-way permutation, B(x) a hard-core bit for f(x)
  • Commitment – (f(x), b ⊕ B(x))
  • Revealing – x
Commitment (cont.)
• Naor’s scheme – using the indistinguishability property of a PRG G
• Commitment
  • Bob sends a random string r of the same length as G(x)
  • Alice chooses a random x and sends G(x) ⊕ (b · r), i.e. G(x) if b = 0 and G(x) ⊕ r if b = 1
• Revealing – Alice sends x
• Claim – if Bob can find b before Alice reveals it, then Bob can distinguish G(x) from a random string
• Claim – Alice has a low probability of success in cheating (finding y such that G(y) = r ⊕ G(x))
Zero Knowledge for GI
• GI – Graph Isomorphism
  • Two graphs G1, G2 are isomorphic if there is a re-labeling of the nodes of G1 that gives the nodes of G2
• Hard problem
  • No known polynomial algorithm
  • Not known if it is NP-hard
• Prover commits to m graphs H1, …, Hm
• Verifier sends m choices a1, …, am, with ai ∈ {1, 2}
• Prover reveals the isomorphism between Hi and G_ai for every i
SRP
• Client authenticated by a short password
• Motivated by ZK, although not the same
• Server and client agree on p, g and a hash function h
• Server sends a random salt
• Client sends g^a mod p
• Server computes x = h(password, salt), B = g^b + g^x mod p. Server sends B.
• Client computes g^x mod p; both sides compute u = h(B)
• Client computes shared = (B − g^x)^(a + ux) mod p
• Server computes shared = (g^a · g^(xu))^b mod p
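The SRP exchange on this slide, carried through end to end as an added Python example (not code from the slides). It follows the simplified formulas exactly as written (B = g^b + g^x, u = h(B)) rather than the SRP-6 constants; the group (p = 2^127 − 1, g = 3), the hash (SHA-256) and the byte encodings are assumptions chosen for the demo.

```python
import hashlib
import secrets

# Constructed demo parameters, not standard SRP group values:
# p is the Mersenne prime 2^127 - 1 and g = 3 is the base.
P = 2**127 - 1
G = 3

def h(*parts: bytes) -> int:
    """The agreed hash function h, mapped to an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def password_x(password: bytes, salt: bytes) -> int:
    # x = h(password, salt); the server keeps only g^x mod p (the verifier).
    return h(password, salt)

def server_enroll(password: bytes) -> tuple[bytes, int]:
    salt = secrets.token_bytes(16)
    return salt, pow(G, password_x(password, salt), P)

def server_round(verifier: int, A: int) -> tuple[int, int]:
    # B = g^b + g^x mod p is sent to the client; u = h(B) as on the slide.
    b = secrets.randbelow(P - 2) + 1
    B = (pow(G, b, P) + verifier) % P
    u = h(to_bytes(B))
    # shared = (g^a * g^(x*u))^b mod p
    shared = pow(A * pow(verifier, u, P) % P, b, P)
    return B, shared

def client_shared(password: bytes, salt: bytes, a: int, B: int) -> int:
    x = password_x(password, salt)
    u = h(to_bytes(B))
    # shared = (B - g^x)^(a + u*x) mod p; B - g^x is g^b, so both sides
    # end up with g^(b*(a+u*x)) when the password matches.
    base = (B - pow(G, x, P)) % P
    return pow(base, a + u * x, P)

def run_srp(enrolled_pw: bytes, typed_pw: bytes) -> tuple[int, int]:
    """One exchange; returns (server_shared, client_shared)."""
    salt, verifier = server_enroll(enrolled_pw)   # server sends salt
    a = secrets.randbelow(P - 2) + 1
    A = pow(G, a, P)                               # client sends g^a mod p
    B, server_key = server_round(verifier, A)     # server sends B
    return server_key, client_shared(typed_pw, salt, a, B)
```

With a wrong password the client's g^x no longer cancels the server's term, so the two shared values differ and neither side ever saw the password itself.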
Special attacks to conclude
• Fault attack – induce some fault in the operation of the target and hope for good results
  • Examples
    • Original hardware jailbreak of the iPhone
    • Power spike during an access-control run
    • RSA-CRT computation – error in the computation mod p but not mod q
• Side channel attacks – overview
  • Power analysis
  • Simple power analysis of exponentiation