ITIS 6200/8200 Chap 5 Dr. Weichao Wang
Zero knowledge proof How can you convince another party that you know a secret without telling him the secret? The basic example: walk through the cave
General procedure of zero knowledge proof: Alice generates a new problem based on the original one, and the two problems are isomorphic. This is a very tricky part, Bob should not find a easy method to transfer back to the original problem. Alice commit the solution to the new problem to Bob with a bit commitment protocol Bob can challenge Alice with one of the questions Prove the two problems are isomorphic Or show me the solution to the new problem The procedure repeats until Bob is satisfied.
Example of zero-knowledge proof Graph isomorphic problem Why Alice needs to generate new graph every time?
Non-interactive zero-knowledge proof Use a one-way hash function to replace the challenger Alice generates n versions of the hard problem and commits the solutions on the network Alice uses the committed solutions as sources and calculates a hash value. The first n bits will be used as challenges Alice publishes the solution to each of the n challenges
Non-interactive zero-knowledge proof However, such proof requires much more rounds (or challenges) Why, let’s say 10 round. Malicious node takes a wild guess, he has 1023/1024 chance of failure. After 400 times, he has 1/3 chance to succeed. Remember, Alice can do all these offline. For non-interactive approaches, you need much more rounds.
Blind signature Two kinds of blind signature: Not disclose any information Signer knows most of the information, but not all They have different usage Completely blind signature Some encryption methods satisfy E(x1 * x2) = E(x1) * E(x2) Alice sends msg * E_pub(random) Bob signs: E_pri(msg * E_pub(random)) = E_pri(msg) * E_pri E_pub (random) = E_pri(msg) * random Alice divides out random number Unless Bob can guess the random number, he cannot find out what he signs
Another blind signature Bob roughly knows the content, but not all details Alice gives Bob the commitment of 1000 similar messages Bob randomly challenges 999 If everything looks fine, Bob signs the last one Example of the secret agent Can Alice cheat? Bob only challenges a subset: a even better solution
Oblivious transfer Alice has a group of messages and Bob will get a subset of them. But Alice does not know which of the messages Bob gets. Approach using commutative encryption A new approach Alice has two messages and Bob will receive one, but Alice does not know which one.
Oblivious transfer Alice generates two public/private key pairs and gives both public keys to Bob Bob generates a symmetric key K, and randomly selects one public key to encrypt and sends back to Alice Alice does not know which private key to use. So she decrypts with both, gets K and K’ She uses K to encrypt one message and K’ to encrypt the other At the very end, both sides need to reveal the keys to show they do not cheat (what Alice can do, what Bob can do)
Oblivious transfer Can Alice cheat: encrypt the same message with two different keys Can Bob cheat: Bob cannot figure out K’ if he does not know the other private key