Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004
What is a Zero- Knowledge Proof? A zero-knowledge proof is a way that a “prover” can prove possession of a certain piece of information to a “verifier” without revealing it. This is done by manipulating data provided by the verifier in a way that would be impossible without the secret information in question. A third party, reviewing the transcript created, cannot be convinced that either prover or verifier knows the secret.
The Cave of the Forty Thieves
Properties of Zero-Knowledge Proofs Completeness – A prover who knows the secret information can prove it with probability 1. Completeness – A prover who knows the secret information can prove it with probability 1. Soundness – The probability that a prover who does not know the secret information can get away with it can be made arbitrarily small. Soundness – The probability that a prover who does not know the secret information can get away with it can be made arbitrarily small.
An Example: Hamiltonian Cycles Peggy the prover would like to show Vic the verifier that an element is a member of the subgroup of Z n * generated by , where has order. (i.e., does k = for some k such that 0 ≤ k ≤ ?) Peggy the prover would like to show Vic the verifier that an element is a member of the subgroup of Z n * generated by , where has order. (i.e., does k = for some k such that 0 ≤ k ≤ ?) Peggy chooses a random j, 0 ≤ j ≤ – 1, and sends Vic j. Peggy chooses a random j, 0 ≤ j ≤ – 1, and sends Vic j. Vic chooses a random i = 0 or 1, and sends it to Peggy. Vic chooses a random i = 0 or 1, and sends it to Peggy. Peggy computes j + ik mod, and sends it to Vic. Peggy computes j + ik mod, and sends it to Vic. Vic checks that j + ik = j ik = j i. Vic checks that j + ik = j ik = j i. They then repeat the above steps log 2 n times. They then repeat the above steps log 2 n times. If Vic’s final computation checks out in each round, he accepts the proof. If Vic’s final computation checks out in each round, he accepts the proof.
Complexity Theory The last proof works because the problem of solving discrete logarithms is NP-complete (or is believed to be, at any rate). The last proof works because the problem of solving discrete logarithms is NP-complete (or is believed to be, at any rate). It has been shown that all problems in NP have a zero-knowledge proof associated with them. It has been shown that all problems in NP have a zero-knowledge proof associated with them.
Bit Commitments “Flipping a coin down a well” “Flipping a coin down a well” “Flipping a coin by telephone” “Flipping a coin by telephone” A value of 0 or 1 is committed to by the prover by encrypting it with a one-way function, creating a “blob”. The verifier can then “unwrap” this blob when it becomes necessary by revealing the key. A value of 0 or 1 is committed to by the prover by encrypting it with a one-way function, creating a “blob”. The verifier can then “unwrap” this blob when it becomes necessary by revealing the key.
Bit Commitment Properties Concealing – The verifier cannot determine the value of the bit from the blob. Concealing – The verifier cannot determine the value of the bit from the blob. Binding – The prover cannot open the blob as both a zero and a one. Binding – The prover cannot open the blob as both a zero and a one.
Bit Commitments: An Example Let n = pq, where p and q are prime. Let m be a quadratic nonresidue modulo n. The values m and n are public, and the values p and q are known only to Peggy. Let n = pq, where p and q are prime. Let m be a quadratic nonresidue modulo n. The values m and n are public, and the values p and q are known only to Peggy. Peggy commits to the bit b by choosing a random x and sending Vic the blob m b x 2. Peggy commits to the bit b by choosing a random x and sending Vic the blob m b x 2. When the time comes for Vic to check the value of the bit, Peggy simply reveals the values b and x. When the time comes for Vic to check the value of the bit, Peggy simply reveals the values b and x. Since no known polynomial-time algorithm exists for solving the quadratic residues problem modulo a composite n whose factors are unknown, hence this scheme is computationally concealing. Since no known polynomial-time algorithm exists for solving the quadratic residues problem modulo a composite n whose factors are unknown, hence this scheme is computationally concealing. On the other hand, it is perfectly binding, since if it wasn’t, m would have to be a quadratic residue, a contradiction. On the other hand, it is perfectly binding, since if it wasn’t, m would have to be a quadratic residue, a contradiction.
Bit Commitments and Zero- Knowledge Bit commitments are used in zero-knowledge proofs to encode the secret information. Bit commitments are used in zero-knowledge proofs to encode the secret information. For example, zero-knowledge proofs based on graph colorations exist. In this case, bit commitment schemes are used to encode the colors. For example, zero-knowledge proofs based on graph colorations exist. In this case, bit commitment schemes are used to encode the colors. Complex zero-knowledge proofs with large numbers of intermediate steps that must be verified also use bit commitment schemes. Complex zero-knowledge proofs with large numbers of intermediate steps that must be verified also use bit commitment schemes.
Computational Assumptions A zero-knowledge proof assumes the prover possesses unlimited computational power. A zero-knowledge proof assumes the prover possesses unlimited computational power. It is more practical in some cases to assume that the prover’s computational abilities are bounded. In this case, we have a zero-knowledge argument. It is more practical in some cases to assume that the prover’s computational abilities are bounded. In this case, we have a zero-knowledge argument.
Proof vs. Argument Zero-Knowledge Proof: Unconditional completeness Unconditional completeness Unconditional soundness Unconditional soundness Computational zero- knowledge Computational zero- knowledge Unconditionally binding blobs Unconditionally binding blobs Computationally concealing blobs Computationally concealing blobs Zero-Knowledge Argument: Unconditional completeness Computational soundness Perfect zero-knowledge Computationally binding blobs Unconditionally concealing blobs
Applications Zero-knowledge proofs can be applied where secret knowledge too sensitive to reveal needs to be verified Zero-knowledge proofs can be applied where secret knowledge too sensitive to reveal needs to be verified Key authentication Key authentication PIN numbers PIN numbers Smart cards Smart cards
Limitations A zero-knowledge proof is only as good as the secret it is trying to conceal A zero-knowledge proof is only as good as the secret it is trying to conceal Zero-knowledge proofs of identities in particular are problematic Zero-knowledge proofs of identities in particular are problematic The Grandmaster Problem The Grandmaster Problem The Mafia Problem The Mafia Problem etc. etc.
Research I am currently working with Dr. Curtis Barefoot in the NMT Mathematics Dept. on methods of applying zero- knowledge proofs to mathematical induction: Can a prover prove a theorem via induction without revealing any of the steps beyond the base case? I am currently working with Dr. Curtis Barefoot in the NMT Mathematics Dept. on methods of applying zero- knowledge proofs to mathematical induction: Can a prover prove a theorem via induction without revealing any of the steps beyond the base case? Possible application of methods developed by Camenisch and Michels (or maybe not?) Possible application of methods developed by Camenisch and Michels (or maybe not?)
References Blum, M., “How to Prove a Theorem So No One Else Can Claim It”, Proceedings of the International Congress of Mathematicians, Berkeley, California, 1986, pp Blum, M., “How to Prove a Theorem So No One Else Can Claim It”, Proceedings of the International Congress of Mathematicians, Berkeley, California, 1986, pp Camenisch, J., M. Michels, “Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes”, Eurocrypt ’99, J. Stern, ed., Lecture Notes in Computer Science 1592, pp , Springer-Verlag 1999 Camenisch, J., M. Michels, “Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes”, Eurocrypt ’99, J. Stern, ed., Lecture Notes in Computer Science 1592, pp , Springer-Verlag 1999 Cramer, R., I. Dåmgard, B. Schoenmakers, “Proofs of Partial Hiding and Simplified Design of Witness Hiding Protocols”, Advances in Cryptology – CRYPTO ’94, Lecture Notes in Computer Science 839, pp , Springer-Verlag, 1994 Cramer, R., I. Dåmgard, B. Schoenmakers, “Proofs of Partial Hiding and Simplified Design of Witness Hiding Protocols”, Advances in Cryptology – CRYPTO ’94, Lecture Notes in Computer Science 839, pp , Springer-Verlag, 1994 De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, “On Monotone Formula Closure of SZK”, Proceedings of the 35 th Symposium on the Foundations of Computer Science, pp , IEEE, 1994 De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, “On Monotone Formula Closure of SZK”, Proceedings of the 35 th Symposium on the Foundations of Computer Science, pp , IEEE, 1994 Feigenbaum, J., “Overview of Interactive Proof Systems and Zero-Knowledge”, Contemporary Cryptology, G.J. Simmons, ed., pp , IEEE Press 1992 Feigenbaum, J., “Overview of Interactive Proof Systems and Zero-Knowledge”, Contemporary Cryptology, G.J. Simmons, ed., pp , IEEE Press 1992 Quisquater, J.J., L. Guillou, T. Berson, “How to Explain Zero-Knowledge Protocols to Your Children”, Advances in Cryptology - CRYPTO ’99, Lecture Notes in Computer Science 435, pp , 1990 Quisquater, J.J., L. Guillou, T. Berson, “How to Explain Zero-Knowledge Protocols to Your Children”, Advances in Cryptology - CRYPTO ’99, Lecture Notes in Computer Science 435, pp , 1990 Schneier, B., Applied Cryptography (2 nd edition), Wiley, 1996 Schneier, B., Applied Cryptography (2 nd edition), Wiley, 1996 Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995 Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995