Zero Knowledge


Presentation Transcript


  1. Zero Knowledge
     • Two parties:
       • All-powerful prover P
       • Polynomially bounded verifier V
     • P wants to prove a statement to V with the following properties:
       • Completeness – honest verifier convinced by honest prover
       • Correctness – dishonest prover can’t convince verifier of false statement (except with negligible probability)
       • Zero knowledge – verifier doesn’t learn anything besides the correctness of the statement

  2. Proving Zero Knowledge
     • By simulation
     • Every cheating verifier has a simulator that outputs
       • Perfect zero knowledge – the same distribution as the verifier’s view in the protocol
       • Computational zero knowledge – indistinguishable distribution from the verifier’s view in the protocol
     • Bad example – challenge-response password protocol
     • Example – proving knowledge of discrete log

  3. Commitment
     • Two player protocol
     • Alice commits to a value b
       • Binding – Alice can’t change the value after the commitment
       • Concealing – Bob can’t discover b
     • Alice can reveal b at some point
     • Example – f(x) one-way permutation, B(x) hardcore for f(x)
       • Commitment – $(f(x),\ b \oplus B(x))$
       • Revealing – x

  4. Commitment (cont.)
     • Naor’s scheme – using the indistinguishability property of a PRG G.
     • Commitment
       • Bob sends random string r of length $|G(x)|$.
       • Alice chooses random x and sends $G(x) \oplus b \cdot r$
     • Revealing – Alice sends x
     • Claim – if Bob can find b before Alice reveals it, then Bob can distinguish G(x) from random string
     • Claim – Alice has low probability of success in cheating (finding y such that $G(y) = r \oplus G(x)$)

  5. Zero Knowledge for GI
     • GI – Graph homomorphism
       • Two graphs $G_1$, $G_2$ are homomorphic if there is a re-labeling of the nodes of G that gives the nodes of H
     • Hard problem
       • No known polynomial algorithm
       • Not known if it is NP-hard
     • Prover commits to m graphs $H_1, \dots, H_m$
     • Verifier sends m choices $a_1, \dots, a_m$, $a_i \in \{1, 2\}$
     • Prover reveals homomorphism between $H_i$ and $G_{a_i}$ for every i.

  6. SRP
     • Client authenticated by short password
     • Motivated by ZK, although not the same
     • Server and client agree on p, g and hash function h
     • Server sends random salt
     • Client sends $g^a \bmod p$
     • Server computes $x = h(\text{password}, \text{salt})$, $B = g^b + g^x \bmod p$. Server sends B.
     • Client computes $g^x \bmod p$, both sides compute $u = h(B)$
     • Client computes $\text{shared} = (B - g^x)^{a + ux} \bmod p$
     • Server computes $\text{shared} = (g^a \cdot g^{xu})^b \bmod p$

  7. Special attacks to conclude
     • Fault attack – induce some fault in operation of target and hope for good results
     • Examples
       • Original hardware jailbreak of iPhone
       • Power spike during access control run
       • RSA-CRT computation – error in computation on p, but not on q
     • Side channel attacks – overview
       • Power analysis
       • Simple power analysis of exponentiation
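
The SRP exchange from slide 6, carried through for both sides, as an added example that is not part of the original slides. The parameters `P` and `G`, the use of SHA-256 for h, and the function names are assumptions made for the demo; the group is far too small for real use.

```python
import hashlib
import secrets

# Constructed demo parameters (assumptions, not from the slides).
P = 2**127 - 1  # a Mersenne prime; toy size only
G = 3

def h(*parts: bytes) -> int:
    """Hash function h, instantiated here with SHA-256 (assumption)."""
    d = hashlib.sha256()
    for part in parts:
        # Length-prefix each input so (password, salt) pairs cannot collide.
        d.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(d.digest(), "big")

def int_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def run_exchange(server_password: bytes, client_password: bytes):
    """Run one exchange as on slide 6; return (client_shared, server_shared)."""
    # Server sends a random salt and knows x = h(password, salt).
    salt = secrets.token_bytes(16)
    x_srv = h(server_password, salt)

    # Client sends A = g^a mod p.
    a = secrets.randbelow(P - 2) + 1
    A = pow(G, a, P)

    # Server sends B = g^b + g^x mod p.
    b = secrets.randbelow(P - 2) + 1
    B = (pow(G, b, P) + pow(G, x_srv, P)) % P

    # Both sides compute u = h(B).
    u = h(int_bytes(B))

    # Client: shared = (B - g^x)^(a + u*x) mod p, with x from its own password.
    x_cli = h(client_password, salt)
    client_shared = pow((B - pow(G, x_cli, P)) % P, a + u * x_cli, P)

    # Server: shared = (g^a * g^(x*u))^b mod p.
    server_shared = pow(A * pow(G, x_srv * u, P) % P, b, P)
    return client_shared, server_shared

if __name__ == "__main__":
    c, s = run_exchange(b"correct horse", b"correct horse")
    print("same password  ->", c == s)
    c, s = run_exchange(b"correct horse", b"wrong guess")
    print("wrong password ->", c == s)
```

With the right password both sides reach $g^{b(a+ux)} \bmod p$; with a wrong one the client's subtraction no longer cancels $g^x$, so the two values differ.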
