1 / 26

Zero-Knowledge Proofs Protocol Examples and Applications

Explore Zero-Knowledge Protocols and Proofs in advanced networking protocols, including Graph Isomorphism, Non-Interactive Proofs, and Identity Verification. Learn how Peggy can prove information without revealing secrets.

mlockwood
Download Presentation

Zero-Knowledge Proofs Protocol Examples and Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 5: Advanced Protocols Dulal C. Kar Based on Schneier

  2. Zero-Knowledge Proofs • Peggy wants to prove to Victor that she has a piece of valuable information but she does not want to reveal it to Victor at all • Develop a protocol for this

  3. Basic Idea: Zero-Knowledge Protocol • Refer to fig 5.1, page 102 • Assume, Peggy knows the magic words that can open the secret door between C and D. She wants to prove her knowledge of the cave to Victor without revealing the words • An Analogous Protocol • Victor stands at point A • Peggy walks all the way into the cave, either point C or point D • After Peggy has disappeared into the cave, Victor walks to point B • Victor shouts to Peggy, asking her either to: • Come out of the left passage or • Come out of the right passage • Peggy complies, using the magic words to open the secret door if she has to. • Peggy and Victor repeats steps (1) through (5) n times.

  4. Cut and Choose • Basic Zero-Knowledge Protocol is similar to classic “cut and choose” protocol for dividing anything fairly: • Alice cuts the thing in half • Bob chooses one of the halves for himself • Alice takes the remaining half

  5. Basic Zero-KnowledgeProtocol (cont’d) • Observation • It is impossible for Victor to convince a third party of the proof’s validity • It proves that the protocol is zero-knowledge • Protocol works because there is no way Peggy can repeatedly guess which side Victor will ask her to come out • Chance of fooling Victor by Peggy is 50% in one round, 25% in two rounds, and 1 in 2n in n rounds

  6. Basic Zero-Knowledge Protocol • Assume • Peggy knows some information which is a solution of a hard problem and wants to prove it to Victor without revealing the solution • Protocol • Using her information and a random number, Peggy generates a new problem, isomorphic to the original problem and obtains a solution of the new problem • Peggy commits to the solution using a bit-commitment scheme • Peggy reveals to Victor the new instance • Victor asks Peggy either to: • Prove to him that old and new instances are isomorphic, or • Open the solution she committed to in step (2) and prove that it is a solution to the new instance • Peggy complies • Peggy and Victor repeat steps (1) through (5) n times

  7. Graph Isomorphism • Assume that Peggy knows, graphs G1 and G2 are isomorphic and wants to convince Victor of her knowledge • Protocol • Peggy randomly permutes G1 to produce a graph H, isomorphic to G1. Finding an isomorphism between G1 and H or between H and G2 is just as hard as finding an isomorphism between G1 and G2 • Peggy sends H to Victor • Victor asks Peggy either to: • Prove that H and G1 are isomorphic, or • that H and G2 are isomorphic • Peggy complies. She either: • Proves that H and G1 are isomorphic, without proving that H and G2are isomorphic, or • Proves that H and G2 are isomorphic, without proving that H and G1 are isomorphic • Peggy and Victor repeat steps (1) through (4) n times • Notice, in each round, Victor receives a new random permutation of H, along with an isomorphism between H and either G1or G2

  8. Non-interactive Zero Knowledge Proofs • Carol, a third party, cannot be convinced because she is not involved in interaction • Peggy wants to publish her proof to convince anyone takes time to check • Protocol using one-way hash function • Peggy uses her information and n random numbers to transform the hard problem into n different isomorphic problems. Using information and random numbers, she solves n new hard problems • Peggy commits to solutions of n new hard problems • Peggy uses all commitments as a single input to a one-way hash function and saves first n bits of the output • For each ith new hard problem in turn, she takes ith bit of those n bits and: • If it is a 0, she proves that the old and new problems are isomorphic, or • It is a 1, she opens the solution she committed in step (2) and proves that it is a solution to new problem • Peggy publishes all the commitments from step (2) as well as the solutions in step (4) • Victor or Carol or whoever else is interested, verifies that steps (1) through (5) were executed properly • Important point: Peggy cannot predict the output of the hash function

  9. Zero-Knowledge Proofs of Identity • Real world proofs of identity • Passports, driver’s licenses containing picture, signature or thumbprint • In digital world • One’s private key can be his/her identity • Using a zero-knowledge proof, he/she proves that he/she knows the private key and therefore, proves his/her identity

  10. Abuses of Zero-Knowledge Proofs of Identity • Chess Grandmaster Problem • Alice does not know chess but can defeat a grandmaster • Two grandmasters are in separate room and do not know presence of other • Alice travels back and forth between rooms and copies each grandmaster’s move to play with other • This type of attack can be used against zero-knowledge proofs of identity • While Alice is proving her identity to Mallory, Mallory can simultaneously prove to Bob that he is alive

  11. Abuses of Zero-Knowledge Proofs of Identity (cont’d) • The Mafia Fraud • Alice • Bob (fraud) • Carol (fraud) • Dave • Alice proves her identity to Bob, Bob radios Carol and Carol performs the same protocol with Dave • Multiple Identity Fraud • In some implementations, there is no check when an individual registers a public key • One can have several private keys and therefore, several identities

  12. Blind Signatures • Suppose we want people to sign documents without ever seeing their contents

  13. Completely Blind Signatures • Bob • A Notary Public • Not interested in doc • Protocol • Alice takes the document and multiplies it by a random value called a blinding factor • Alice sends the blinded document to Bob • Bob signs the blinded document • Alice divides out the blinding factor, leaving the original document signed by Bob • Protocol works if the signature function and multiplication are commutative

  14. Properties of Completely Blind Signatures • Bob’s signature on the document is valid. It will convince Bob that he signed the document if shown to him • Bob cannot correlate the signed document with act of signing the document. Even if keeps records of every blind signatures he makes, he cannot determine when he signed any given document

  15. Blind Signatures • Suppose Bob wants to know what he is signing, while still maintaining the useful properties of a blind signature • Heart of the protocol is cut-and-choose technique

  16. Protocol: Blind Signatures (?) • Bob prepares n documents, each using a different cover name • Bob blinds each document with a distinct blinding factor • Bob sends n blinded documents to Alice • Alice chooses n-1 documents at random and asks Bob for their blinding factors • Bob sends Alice the appropriate blinding factors • Alice opens (removes blinding factors) n-1 documents to make sure they are correct • Alice signs the remaining document and sends it to Bob • Bob removes the blinding factor and read his new name “The Crimson Streak.”

  17. Oblivious Transfer • Alice transmits a group of messages to Bob • Bob receives some subset of those messages • Alice does not know which ones Bob receives • Alice has to convince Bob that the bits she sent are part of a group of messages

  18. Oblivious Transfer Protocol • Alice generates two public-key/private-key key pairs. She sends both public keys to Bob. • Bob chooses a DES key and encrypts it with one of Alice’s public key randomly and sends it • Alice decrypts Bob’s key twice, once with each of her private keys. She recovers DES key and meaningless random key • Alice encrypts both of her messages, one with real DES key and other with meaningless random key and sends them to Bob • Bob decrypts each of them with his DES key, one he can read and the other is gibberish to him (Note: Alice does not know which one Bob was able to read) • At end, Alice must give Bob her private keys so that he can verify she did not cheat and she did not send the same message with both keys in step 4

  19. Simultaneous Contract Signingwith an Arbitrator • Alice signs a copy of the contract and sends it to Trent • Bob signs a copy of the contract and sends it to Trent • Trent sends a message to both Alice and Bob indicating that the other has signed the contract • Alice signs two copies of the contract and sends them to Bob • Bob signs both copies and keeps one and sends other to Alice • Alice and Bob both inform Trent • Trent tears up his two copies signed by one only

  20. Simultaneous Contract Signing without Arbitrator (Face-to-face) • Alice signs first letter of her name and passes the contract to Bob • Bob signs first letter of his name and passes the contract to Alice • This continues until both Alice and Bob have signed their entire names • After each party has signed several letters, a judge could probably be convinced that both parties had signed the contract

  21. Simultaneous Contract Signing without an Arbitrator (Not face-to-face) • Alice and Bob agree on a date by which the signing protocol should be completed • Alice and Bob decide on a probability difference. Call Alice’s difference a; call Bob’s difference b. • Alice sends Bob a signed message with p = a • Bob sends Alice a signed message with p = a + b • Let p be probability of the message Alice received in the previous step from Bob. Alice sends Bob a signed message with p’ = p + a or 1, whichever is smaller • Let p be probability of the message Bob received in the previous step from Alice. Bob sends Alice a signed message with p’ = p + b or 1, whichever is smaller • Alice and Bob continue alternating steps (5) and (6) until both have received messages with p = 1 or until the date agreed to in step (1) has passed

  22. Simultaneous Contract Signing without an Arbitrator (Not face-to-face) • As the protocol proceeds, both Alice and Bob agree to be bound to the contract with a greater and greater probability

  23. Simultaneous Contract signing without an Arbitrator (Using Cryptography) • Both Alice and Bob randomly select 2n DES keys, grouped in pairs. • Both Bob and Alice generate n pairs of messages, Li and Ri. Li: left half of the ith signature and Ri: right half of the ith signature. The contract is signed if other party can produce both halves, Li and Ri, of a single signature pair • Both Alice and Bob encrypt their message pairs in each of the DES key pairs, the left message with left key in the pair and the right message with the right key in the pair • Alice and Bob send each other their pile of 2n encrypted messages, making clear which messages are which halves of which pairs

  24. Simultaneous Contract signing without an Arbitrator (Using Cryptography) (cont’d) • Alice and Bob send each other every key pair using the oblivious transfer protocol for each pair. Now both Alice and Bob have one key in each key pair, but neither knows which halves the other has • Both Alice and Bob decrypts the message halves that they can, using keys they received • Alice and Bob send each other the first bits of all 2n DES keys • Alice and Bob repeat step (7) for the second bits of all 2n DES keys, the third bits, and so on, until all the bits of all the DES keys have been transferred • Alice and Bob decrypt the remaining halves of the message pairs and the contract is signed • Alice and Bob exchange the private keys used during the oblivious transfer protocol in step (5) and each verifies that the other did not cheat

  25. Digital Certified Mail • Suppose Alice wants to send a message to Bob, but she does not want him to read it without signing a receipt • Protocol • Alice encrypts her message using a random DES key, and sends the message to Bob • Alice generates n pairs of DES keys. The first key of each pair is generated at random, the second key of each pair is the XOR of the first key and the message encryption key • Alice encrypts a dummy message with each of her 2n keys • Alice sends the whole pile of encrypted messages to Bob, making sure he knows which messages are which halves of which pairs • Bob generates n pairs of random DES keys • Bob generates a pair of messages that indicates a valid receipt. He makes n receipt pairs of “left half” and “right half”, each numbered. A receipt is considered valid, if Alice can produce it from both halves

  26. Digital Certified Mail (cont’d) • Bob encrypts each ith message pair with ith DES key pair, (left with left …) • Bob sends all message pairs to Alice and tells Alice which messages are which halves of which pairs • Alice and Bob send each other every key pair using the oblivious transfer protocol • Both Alice and Bob decrypts the halves they can and make sure that the decrypted messages are valid • Alice and Bob send each other the first bits of all 2n DES keys • Alice and Bob repeat step (11) for the second bits of all 2n DES keys, the third bits, and so on, until all the bits of all the DES keys have been transferred • Alice and Bob decrypt the remaining halves of the message pairs. Alice has a valid receipt from Bob, and Bob can XOR any key pair to get the original message encryption key • Alice and Bob exchange the private keys used during the oblivious transfer protocol and each verifies that the other did not cheat

More Related