Dive into the world of Zero Knowledge Proofs, their applications, and key protocols like Feige-Fiat-Shamir and Schnorr’s Identification. Explore the concepts of completeness, soundness, and the zero knowledge property in interactive proofs.
Zero Knowledge Proofs Matthew Pouliotte Anthony Pringle Cryptography November 22, 2005 “A proof is whatever convinces me.” ~ Shimon Even
Presentation Overview • What is a Zero Knowledge Proof? • Introduction to Interactive Proofs • Definition of Zero Knowledge Proofs • Properties of Zero Knowledge Proofs • Applications of Zero Knowledge Proofs • Feige-Fiat-Shamir Proof of Identity • Schnorr’s Identification Protocol • Conclusion
What is a Zero Knowledge Proof? • Classic Example: • Ali Baba’s Cave • Alice wants to prove to Bob that she knows how to open the secret door between R and S. • Bob goes to P • Alice goes to R or S • Bob goes to Q and tells Alice to come from one side or the other of the cave • If Alice knows the secret, she can appear from the correct side of the cave every time • Bob repeats this as many times as needed until he believes Alice knows how to open the secret door • Image from RSA Labs [1] http://www.rsasecurity.com/rsalabs/node.asp?id=2178
Introduction to Interactive Proofs • Prover (P) tries to prove some fact to a verifier • Verifier (V) either accepts or rejects the prover’s proof • To prove is to convince the verifier of some assertion • Prove that you know a secret value s • Each party in the protocol does the following: • receive a message from the other party • perform a private computation • send a message to the other party • Repeats t number of rounds
Interactive Proof Protocol • [Diagram: Prover (P) and Verifier (V), each holding the Common Inputs, exchange Random Value, Challenge, Response; repeats t number of rounds] • Prover and verifier share common inputs (functions or values) • The protocol yields Accept if every Response is accepted by the Verifier • Otherwise, the protocol yields Reject
Properties of Interactive Proofs • Completeness • The verifier accepts the proof if the assertion is true • Assumption: the parties follow the protocol • Soundness • if the fact is false, the verifier rejects the proof • Assumption: the parties follow the protocol
Interactive Proofs – Soundness and Completeness • Completeness: Prob[(P,V)(x) = Accept | x ∈ L] ≥ ε • Soundness: Prob[(¬P,V)(x) = Accept | x ∉ L] ≤ δ • Where: ε ∈ (½,1], δ ∈ [0,½) • L is a language over {0,1}* • (P,V) is an Interactive Proof Protocol involving P and V
Zero Knowledge Proofs • Instances of interactive proofs with the following properties: • Completeness – true theorems are provable • Soundness – false theorems are not provable • No information about the prover’s private input is revealed to the verifier – implication of the zero-knowledge property
Zero Knowledge Property • A transcript is the collection of messages resulting from the protocol execution: Random_1, Challenge_1, Response_1, Random_2, Challenge_2, Response_2, … , Random_m, Challenge_m, Response_m • A simulator is a polynomial-time algorithm that generates false transcripts (without the prover) which are identical to the genuine ones: Random_1, Challenge_1, Response_1, Random_2, Challenge_2, Response_2, … , Random_m, Challenge_m, Response_m • An interactive proof has the zero knowledge property if a simulator exists for the proof
Identification Schemes • Provide a way to demonstrate who you are • Show you know a secret value without revealing it • Feige-Fiat-Shamir Proof of Identity • Schnorr’s Identification Protocol • The zero knowledge premise is used in all PKIs • You do not reveal your private key • Most PKIs are single round though
Feige-Fiat-Shamir Proof of Identity • A trusted certifier publishes a modulus n which is the product of two large primes • Primes of the form 4r+3 (Blum integers) • Only purpose of trusted certifier • Where Ā is the prover and B is the verifier
Feige-Fiat-Shamir Proof of Identity • For Ā to prove its identity to B, the following protocol is executed
Schnorr’s Identification Protocol • Two primes p and q such that $q \mid p-1$ • Usually |p| = 1024 and |q| = 160 • A g such that $\mathrm{ord}_p(g) = q$ • A y such that $y = g^{-a} \pmod p$ • Alice chooses a such that a < q • Alice’s public key is (p, q, g, y), which is certified by a CA
Schnorr’s Identification Protocol • Bob knows Alice knows some $a \in \mathbb{Z}_q$ such that $y \equiv g^{-a} \pmod p$ • To prove this to Bob, the following steps are repeated $\log_2 \log_2 p$ times • Alice picks $k \in_U \mathbb{Z}_q$ and computes $g^k \pmod p$, which she sends to Bob • Bob picks $x \in_U \{0,1\}^{\log_2 \log_2 p}$ and sends it to Alice • Alice computes the response $r = k + ax \pmod q$ and sends it to Bob • Bob checks $g^k \equiv g^r y^x \pmod p$
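Added example (not part of the original slides): the Schnorr rounds above run end to end, together with a simulator of the kind the Zero Knowledge Property slide describes, which produces accepting transcripts from the public key alone. The function names, the toy parameters p = 2267, q = 103, g = 354 and the 3-bit challenge are assumptions made for illustration; the response is named r to keep it apart from the public value y.

```python
import secrets

# Constructed toy parameters (far too small for real use): q divides p - 1
# and g has order q modulo p. The slides' sizes are |p| = 1024, |q| = 160.
P, Q, G = 2267, 103, 354          # 2266 = 2 * 11 * 103, 354 = 2^22 mod 2267
CHALLENGE_BITS = 3                # stands in for log2(log2 p); 10 when |p| = 1024

def keygen():
    """Alice's secret a < q and public value y = g^(-a) mod p."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, Q - a, P)    # g^(q-a) = g^(-a) because g has order q

def commit():
    """Alice picks k uniformly from Z_q and sends g^k mod p."""
    k = secrets.randbelow(Q)
    return k, pow(G, k, P)

def challenge():
    """Bob picks x uniformly from {0,1}^CHALLENGE_BITS."""
    return secrets.randbits(CHALLENGE_BITS)

def respond(a, k, x):
    """Alice's response r = k + a*x mod q."""
    return (k + a * x) % Q

def verify(y, c, x, r):
    """Bob accepts the round iff g^k == g^r * y^x (mod p)."""
    return c == pow(G, r, P) * pow(y, x, P) % P

def honest_run(a, y, rounds=CHALLENGE_BITS):
    """Full protocol: accept only if every round's response verifies."""
    for _ in range(rounds):
        k, c = commit()
        x = challenge()
        if not verify(y, c, x, respond(a, k, x)):
            return False
    return True

def simulate_round(y):
    """Simulator: builds an accepting (commit, challenge, response) triple
    from the public key alone by choosing x and r before the commitment."""
    x, r = challenge(), secrets.randbelow(Q)
    return pow(G, r, P) * pow(y, x, P) % P, x, r

if __name__ == "__main__":
    a, y = keygen()
    print("honest prover accepted:", honest_run(a, y))
    print("simulated round verifies:", verify(y, *simulate_round(y)))
```

The simulator works only because it fixes the challenge before the commitment; in a live run Bob sends x after seeing g^k, which is why a recorded transcript convinces no third party.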
Conclusions • Special case of interactive proofs • Zero knowledge proofs offer a way to prove knowledge to someone without transferring any additional knowledge to that person • Can be used to prove identity • Basic premise used in all PKIs
References • O. Goldreich. Foundations of Cryptography: Basic Tools. USA: Cambridge Press, 2001. • D. R. Stinson. Cryptography: Theory and Practice (1st edition). Boca Raton: CRC Press, 1995. • W. Mao. Modern Cryptography: Theory and Practice. New Jersey: Prentice Hall, 2003. • A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. Boca Raton: CRC Press, 1996. • L. Guillou, and J.J. Quisquater. “How to Explain Zero-Knowledge Protocols to Your Children”. Advances in Cryptology, CRYPTO 1989. • G. Simari. “A Primer on Zero Knowledge Protocols”. http://cs.uns.edu.ar/~gis/publications/zkp-simari2002.pdf • M. Tompa. “Zero knowledge interactive proofs of knowledge (a digest)”. Proceedings of the 2nd conference on Theoretical aspects of reasoning about knowledge, 1988. • U. Feige, A. Fiat, and A. Shamir. “Zero-knowledge proofs of identity”. ACM Special Interest Group on Algorithms and Computation Theory (SIGACT), 1987. • RSA Laboratories, “What are interactive proofs and zero-knowledge proofs?” http://www.rsasecurity.com/rsalabs/node.asp?id=2178
- Questions??? “Knowledge must come through action; you can have no test which is not fanciful, save by trial.” ~ Sophocles