Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal

Zero Knowledge Proofs Introduction Properties of ZKP Advantages of ZKP Examples Fiat-Shamir Identification Protocol Real-Time Applications

Zero Knowledge Proofs(ZKP) Goldwasser, Micali, and Rackoff, ZKP instance of Interactive Proof System Interactive Proof Systems –Challenge-Response Authentication –Prover and Verifier –Verifier Accepts or Rejects the Prover

ZKP Zero knowledge Transfer between the Prover and the Verifier The verifier accepts or rejects the proof after multiple challenges and responses Probabilistic Proof Protocol Overcomes Problems with Password Based Authentication

Properties of ZKP Completeness –Succeeds with high probability for a true assertion given an honest verifier and an honest prover. Soundness –Fails for any other false assertion, given a dishonest prover and an honest verifier

Advantages of ZKP As name Suggests – Zero Knowledge Transfer Computational Efficiency – No Encryption No Degradation of the protocol Based on problems like discrete logarithms and integer factorization

Classic Example Ali Baba’s Cave Alice has to convince Bob She knows the secret to open the cave door without telling the secret (“Open Sesame”). (source:

Fiat-Shamir Identification Protocol 3 Message Protocol Alice A, the Prover and Bob B, the Verifier A  B: x = r 2 mod n A  B: e  { 0,1} A  B: y = r * s e mod n is y 2 = x * v e ? A random modulus n, product of two large prime numbers p and q generated by a trusted party and made public Prover chooses secret s relatively prime to n prover computes v = s 2 mod n, where v is the public key

Fiat-Shamir Identification Protocol Alice chooses a random number r (1  r  n-1) Sends to Bob x = r 2 mod n – commitment Bob randomly sends either a 0 or a 1 ( e  { 0,1}) as his challenge Depending on the challenge from Bob, Alice computes the response as y = r if e = 0 or otherwise y = r*s mod n Bob accepts the response upon checking y 2  x * v e mod n

After many iterations, with a very high probability Bob can verify Alice’s identity Alice’s response does not reveal the secret s (with y = r or y = r* s mod n) An intruder can prove Alice’s identity without knowing the secret, if he knows Bob’s challenge in advance: –Generate random r –If expected challenge is 1, send x = r 2 /v mod n as commitment, and y = r as response –If expected challenge is 0, send x = r mod n as commitment Probability that any Intruder impersonating the prover can send the right response is only ½ Probability reduced as iterations are increased Important - Alice should not repeat r Fiat-Shamir Identification Protocol

Applications Watermark Verification –Show the presence of watermark without revealing information about it –prevents from removing the watermark and reselling multiple duplicate copies Others – e-voting, e-cash etc.

Products Sky’s VideoCrypt –Analogue decoding card for satellite DirecTV descrambler used to authenticate the subscriber’s card –Uses Fiat-Shamir Zero Knowledge Protocol NGSCB – New Generation Secure Computing Base –Zero Knowledge for code attestations

References [1] Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, Handbook of Applied Cryptography. [2] Ross Anderson, Security Engineering [3] Wenbo Mao, Modern Cryptography theory and practice [4] Don Coppersmith (Ed.), Advances in Cryptology- CRYPTO ’ 95 Lecture Notes in Computer Science. [5] [6] Oded Goldreich, Silvio Micali and Avi Wigderson, “ Proofs that yield nothing but their validity and a methodology of cryptographic protocol design”. [7] Oren, Y., “ Properties of Zero-knowledge Proofs”. [8] A Mitropoulos, and H. Meijer, “ Zero-knowledge proofs – a survey”.