Zero-Knowledge Proofs


Zero-Knowledge Proofs And Their Applications in Cryptographic Systems ICS 555 Cryptography and Data Security Sultan Almuhammadi

Introduction
- Zero-knowledge proofs (ZKPs): to prove the knowledge of a secret without revealing it.
- Special form of interactive proofs (IP) between two parties: prover and verifier.
- Have a wide range of applications in modern cryptographic systems.

Introduction
- ZKPs
  - Iterative: run in several rounds
  - Usually have high cost due to iteration
- Cost measures
  - Execution-time complexity
  - Communication cost (# of bits exchanged)
  - Communication latency (delay)

From the Literature
- A toy example of ZKP: “How to explain ZKP to your children”
- Known as: Alibaba’s cave
- To demonstrate all the features of ZKP
- Easy to discuss and visualize

Alibaba’s Cave
Peggy (the prover) wants to prove her knowledge of the secret word of the cave to Victor (the verifier), but without revealing it.

Alibaba’s Cave: The Proof
- Starting at point A, Peggy walks all the way to either point C or point D.
- Victor walks to point B.
- Victor asks Peggy to either come out of the left passage or come out of the right passage.
- Peggy does that, using the secret word if needed.
- They repeat these steps until Victor is convinced that Peggy knows the secret word.

Alibaba’s Cave: About The Proof
- Complete: if Peggy knows the secret word, she can complete the proof successfully.
- Sound: if she does not know the secret, it is highly unlikely that she passes all the rounds.
- Zero-knowledge: no matter how many rounds Victor asks for, he cannot learn the secret.
- Repudiatable (Peggy can repudiate the proof): if Victor videotapes the entire protocol, he cannot convince others that Peggy knows the secret.
- Non-transferable: Victor cannot use the proof to pretend to be the prover to a third party.

Alibaba’s Cave: Number of Rounds
How many rounds are needed?
- Completeness: if Peggy knows the secret, she always passes.
- Soundness: if Peggy does not know the secret, she can pass with probability $1/2^k$, where k is the number of rounds.
- Optimal number of rounds k
  - Minimum k that gives max trust in the proof.
  - k is optimal if the (k+1)st round is redundant.
  - Let S be the domain of the secret. E.g. S = {strings of length 4 bits}

Alibaba’s Cave: Number of Rounds
What is the optimal number of rounds k?
- E.g. assume S = {strings of length 4 bits}
  - $|S| = 2^4 = 16$: there are 16 possible secrets
  - Prob (guess the secret) = 1/16
- Optimal $k = \log_2 |S|$ (the length of the secret in bits)
[Figure: Prob (pass w/out secret) plotted against # of rounds k]

Applications of ZKPs
- Identification schemes
- Multi-media security and digital watermarks
- Network privacy and anonymous communication
- Digital cash and off-line digital coin systems
- Electronic election and e-voting
- Public-key cryptographic systems
- Smart cards

Identification Schemes
Identification scheme: a protocol for two parties (User and System) by which the User identifies himself to the System in a secure way, that is, a third party listening to the conversation cannot later impersonate the user.

Identification Schemes: Why ZKP?
- In some applications, it is desirable that the identity of the specific user is kept secret from the system.
- E.g. an investor accessing a stock-market database prefers to hide his identity. Knowing which user is interested in the stock of a given company is valuable information.
- However, the system must make sure that the user is legitimate (i.e. a subscriber to the service).

Example: Identification Scheme
Two modes of identification:
- Normal-mode: the User reveals his identity to the System.
- Private-mode: the identity of the user is kept secret from the System.

Example: Identification Scheme Using ZKP of SAT
Given a boolean formula f, to prove the possession of the truth-assignment A that satisfies the formula (i.e. without revealing any information whatsoever about A itself or why and how it works).

Example: Identification Scheme Each user i is given a boolean formula fi and a truth-assignment Ai that satisfies fi To log in to the system in normal-mode: User i proves that fi is satisfiable in zero-knowledge. To log in to the system in private-mode: Create  = f1  f2  …  fn User i proves that  is satisfiable in zero-knowledge.

Multi-media Security and Digital Watermarks
- Digital watermarks
  - To resolve ownership of media objects
  - To ensure theft detection in a court of law
  - Must survive within a media object
  - Should not be easily removed by attackers
- Why ZKP?
  - To prove the existence of a mark, without revealing what that mark is.
  - Revealing a watermark within an object leads to subsequent theft by providing attackers with the information they need to remove or claim the watermark.

Network Privacy and Anonymous Communication
- Why ZKP? To achieve anonymity (like in identification schemes)
- Anonymous communication
  - To hide who communicates with whom
  - The adversary is allowed to see all the communications but cannot determine the sender (or the receiver).
- Examples of applications
  - Crime tip hotline
  - Secret admirer (or criticizing) letter to system admin
  - Allowing employees of corrupted organizations to leak information to the press

Digital Cash and Off-line Digital Coin Systems
- Why ZKP? To achieve the privacy of the customer.
- Security needs
  - The bank wants to be able to detect all reuse or forgery of the digital coins.
  - The vendor requires the assurance of authenticity.
  - The customer wants the privacy of purchases (the bank cannot track down where the coins are spent, unless the customer reuses/forges them).
- Off-line digital coin system: the purchase protocol does not involve the bank.

Electronic Election (e-voting)
- Why ZKP? To ensure the privacy of the voter.
- Electronic voting system: a set of protocols which allow voters to cast ballots while a group of authorities collect the votes and output the final tally.
- Requirements
  - Security: ensure voting restrictions (e.g. voters can vote for at most one of the given candidates)
  - Privacy: cannot reveal who votes for what

Public-Key Cryptographic Systems
- Why ZKP? To set up the scheme and prove it is secure.
- Setup
  - Each user has a public key and a private key.
  - A message encrypted with some public key needs the corresponding private key to decrypt it.
  - It is computationally infeasible to deduce the private key from the public key.
- Examples
  - RSA scheme
  - ElGamal scheme

Public-Key Cryptographic Systems
- Why ZKP? To set up the scheme.
- E.g. in RSA, the modulus should consist of two safe primes; ZKPs are used to prove that a given number is a product of two safe primes without revealing any information whatsoever about these safe prime factors.

Definitions
- Negligible function
- Zero-knowledge proof
- Completeness property
- Soundness property

Definition: Negligible function
- f is negligible if for all c > 0 and sufficiently large n, $f(n) < n^{-c}$.
- f is nonnegligible if there exists a c > 0 such that for all sufficiently large n, $f(n) > n^{-c}$.
- E.g. $f(n) = 2^{-n}$ is negligible in n.

Definition: Zero-knowledge Proof
From its name, it has two parts:
- Proof
  - It convinces the verifier with overwhelming probability that the prover knows the secret.
  - It is complete and sound (defined later).
- Zero-knowledge
  - It should not reveal any information about the secret.
  - The transcript of the dialogue should be computationally indistinguishable from the transcript generated by a simulator that simulates the interaction between the prover and the verifier.

Definition: Completeness and Soundness
Zero-knowledge proofs are complete and sound:
- Completeness property: for any c > 0 and sufficiently long $x \in L$, Probability (V accepts x) $> 1 - |x|^{-c}$.
- Soundness property: for any c > 0 and sufficiently long $x \notin L$, Probability (V accepts x) $< |x|^{-c}$ (i.e. negligible), even if the prover deviates from the prescribed protocol.

Classical Problems
- Discrete Log (DL) Problem
- Square Root Problem (SQRT)
- Graph Isomorphism Problem
- Graph 3-Colorability Problem
- Satisfiability (SAT) Problem

DL Problem
To prove in zero-knowledge the possession of x such that $g^x = b \pmod{n}$.
Applications:
- Multi-media security
- Identification schemes
- Digital cash
- Anonymous communication
- Electronic election

(u, v)  E1 iff ( (u),  (v))  E2 Graph Isomorphism Given two graphs G1=(V1,E1) and G2=(V2, E2), to prove in zero-knowledge the possession of a permutation  from G1 to G2 such that (u, v)  E1 iff ( (u),  (v))  E2 Applications: Multi-media security NB

Graph 3-Colorability
Given a graph G=(V,E), to prove in zero-knowledge the possession of a 3-coloring function f such that $f(u) \neq f(v)$ for all $(u,v) \in E$.
- Applications: digital watermarks
- 3-colorability is NP-complete
- Easy to visualize and discuss

Square Root Problem
To prove in zero-knowledge the possession of x such that $x^2 = b \pmod{n}$.
Applications:
- Digital watermarks
- Public-key schemes
- Smart cards

Requirements of ZKPs
- Completeness: if the prover knows the secret, the verifier accepts the proof with overwhelming probability.
- Soundness: if the prover does not know the secret, it is highly unlikely that the verifier accepts the proof.
- Zero-knowledge: the verifier cannot learn the secret even if he deviates from the protocol.
- Repudiatability: the prover can repudiate the proof to a third party.
- Non-transferability: the verifier cannot pretend to be the prover to any third party.

Examples of ZKPs
- ZKP of Graph Isomorphism Problem
- ZKP of SQRT problem
- ZKP of D-Log problem

Example: ZKP of Graph Isomorphism Peggy (P) Victor (V) G1, G2,  G1, G2 1 P generates random ’ ’ 2 P sends H = ’(G2) to V H 3 V flips a coin c c 4 If c = Head, P sends ’ to V ’, check H = ’(G2) 5 If c = Tail, P sends  = ’o  , check H = (G1) 6 Steps 1-5 are repeated until Victor is convinced that Peggy must know  (with probability 1-2-k, for k iterations). NB

Example: ZKP of SQRT, $x^2 = b \pmod{n}$
Peggy (P) holds b, n, x. Victor (V) holds b, n.
1. P generates random r.
2. P sends $s = r^2 \bmod n$ to V.
3. V flips a coin c = H or T and sends c to P.
4. If c = H, P sends r to V; V checks $r^2 = s$.
5. If c = T, P sends $m = r \cdot x$ to V; V checks $m^2 = s \cdot b$.
6. Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob $1 - 2^{-k}$, for k iterations).

Example: ZKP of DL, $b = g^x \pmod{n}$
Peggy (P) holds g, b, n, x. Victor (V) holds g, b, n.
1. Peggy generates random r.
2. P sends $h = g^r \bmod n$ to V.
3. V flips a coin c = H or T and sends c to P.
4. If c = H, P sends r to V; V checks $g^r = h$.
5. If c = T, P sends $m = x + r$ to V; V checks $g^m = bh$.
6. Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob $1 - 2^{-k}$, for k iterations).
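
The DL protocol above, run end to end as an added example (not part of the original slides): an honest Peggy always passes, while a prover without x passes k rounds only with probability about 2^-k. The toy parameters P, Q, G, all function names, and the reduction of m modulo the group order are assumptions of this sketch.

```python
import secrets

# Constructed toy parameters (assumptions, far too small for real use):
# P = 2*Q + 1 with P, Q prime; G generates the subgroup of order Q mod P.
P, Q, G = 2039, 1019, 4

def honest_prover(x):
    """Peggy, who knows x with b = G^x mod P."""
    r = secrets.randbelow(Q)                    # step 1: random r
    h = pow(G, r, P)                            # step 2: h = g^r mod n
    # Steps 4/5. The slide sends m = x + r; reducing it mod the group
    # order Q is an assumption added here so that m does not leak x.
    return h, lambda c: r if c == "H" else (x + r) % Q

def cheating_prover(b):
    """Prover without x: guesses Victor's coin and shapes h to fit the guess."""
    m = secrets.randbelow(Q)
    if secrets.choice("HT") == "H":
        h = pow(G, m, P)                        # passes only if c = H
    else:
        h = pow(G, m, P) * pow(b, -1, P) % P    # g^m = b*h, passes only if c = T
    return h, lambda c: m

def verify_round(b, h, c, answer):
    """Victor's check for one round."""
    if c == "H":
        return pow(G, answer, P) == h           # check g^r = h
    return pow(G, answer, P) == b * h % P       # check g^m = b*h

def run_proof(b, make_prover, k):
    """Run k rounds; Victor accepts only if every round verifies."""
    for _ in range(k):
        h, respond = make_prover()
        c = secrets.choice("HT")                # step 3: Victor's coin
        if not verify_round(b, h, c, respond(c)):
            return False
    return True

def cheat_success_rate(b, k, trials=4000):
    """Fraction of k-round proofs a prover without x gets accepted."""
    wins = sum(run_proof(b, lambda: cheating_prover(b), k) for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    x = 777                                     # constructed secret
    b = pow(G, x, P)
    print(run_proof(b, lambda: honest_prover(x), 20))
    print([cheat_success_rate(b, k) for k in (1, 2, 3)])
```

The guessing strategy in cheating_prover is also how a simulator produces valid-looking transcripts without x, which is why a recorded run of the protocol convinces no third party.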