Zero-Knowledge Proofs And Their Applications in Cryptographic Systems Sultan Almuhammadi ICS 454

2 Introduction Zero-knowledge proofs (ZKPs) To prove the knowledge of a secret without revealing it. Special form of interactive proofs (IP) between two parties: prover and verifier. First introduced in 1985 by Goldwasser, Micali and Rachoff, for identification schemes. Have wide ranges of applications in modern cryptographic systems.

3 Introduction ZKPs Iterative: run in several rounds Usually have high cost due to iteration Cost Measures Execution-time complexity Communication cost (#of bits exchanged) Communication latency (delay)

4 From the Literature A Toy Example of ZKP To demonstrate all the features of ZKP Easy to discuss and visualize Known as: Alibaba’s cave

5 Alibaba’s Cave Peggy (the prover) wants to prove her knowledge of the secret word of the cave to Victor (the verifier) but without revealing it

6 Alibaba’s Cave: The Proof 1. Starting at point A 2. Peggy walks all the way to either point C or point D 3. Victor walks to point B 4. Victor asks Peggy to either: Come out of the left passage (or) Come out of the right passage 5. Peggy does that using the secret word if needed 6. They repeat these steps until Victor is convinced that Peggy knows the secret word

7 Alibaba’s Cave: About The Proof 1. Complete: if Peggy knows the secret word, she can complete the proof successfully. 2. Sound: if she does not know the secret, it is highly unlikely that she passes all the rounds. 3. Zero-knowledge: no matter how many rounds Victor asks for, he cannot learn the secret. 4. Repudiatable: (Peggy can repudiate the proof) If Victor video tapes the entire protocol, he cannot convince others that Peggy knows the secret. 5. Non-transferable: Victor cannot use the proof to pretend to be the prover to a third party.

8 Alibaba’s Cave: Number of Rounds How many rounds are needed? Completeness If Peggy knows the secret, she always passes. Soundness If Peggy does not know the secret, she can pass with a probability = 1/2 k where k is the number of rounds. Optimal number of rounds k Minimum k that gives max trust in the proof. Let S be the domain of the secret. E.g. S = {strings of length 4 bits}

9 Alibaba’s Cave: Number of Rounds What is the optimal number of rounds k? E.g. Assume S = {strings of length 4 bits} # of Rounds Prob (pass w/out secret) 0 1/2 1/4 1/8 1/16 |S| = 2 4 = 16 There are 16 possible secrets Prob (guess the secret) = 1/16 k 6 Optimal k =  log 2 |S|  (the length of the secret in bits)

10 Applications of ZKPs Identification schemes Multi-media security and digital watermarks Network privacy and anonymous communication Digital cash and off-line digital coin systems Electronic election Public-key cryptographic systems Smart cards

11 Identification Schemes Identification scheme: a protocol for two parties (User and System) by which the User identifies himself to the System in a secure way, that is, a third party listening to the conversation cannot later impersonate the user.

12 Identification Schemes Why ZKP? In some applications, it is desirable that the identity of the specific user is maintained secret to the system. E.g. an investor accessing a stock-market database prefers to hide his identity. Knowing which user is interested in stock of a given company is a valuable information. However, the system must make sure that the user is legitimate (i.e. a subscriber to the service).

13 Multi-media Security and Digital Watermarks Digital Watermark To resolve ownership of media objects To ensure theft detection in a court of law Must survive within a media object Should not be easily removed by attackers Why ZKP? To prove the existence of a mark, without revealing what that mark is. Revealing a watermark within an object leads to subsequent theft by providing attackers with the information they need to remove or claim the watermark.

14 Digital Cash and Off-line Digital Coin Systems Security needs The bank wants to be able to detect all reuse or forgery of the digital coins. The vendor requires the assurance of authenticity. The customer wants the privacy of purchases (the bank cannot track down where the coins are spent, unless the customer reuses/forges them). Off-line digital coin system The purchase protocol does not involve the bank. Why ZKP? To achieve the privacy of the customer.

15 Electronic Election Electronic voting system: a set of protocols which allow voters to cast ballots while a group of authorities collect the votes and output the final tally. Requirements Security: ensure voting restrictions (e.g. voters can vote to at most one of the given candidates) Privacy: cannot revoke who votes for what Why ZKP? To ensure the privacy of the voter.

16 Public-Key Cryptographic Systems Setups Each user has a public key and a private key encrypted message with some public key needs the corresponding private key to decrypt it. it is computationally infeasible to deduce the private key from the public key. Examples RSA scheme ElGamal scheme Why ZKP?

17 Public-Key Cryptographic Systems Why ZKP? To set up the scheme and prove it is secure. E.g. in RSA, the modulus should consist of two safe primes; ZKPs are used to prove that a given number is a product of two safe primes without revealing any information whatsoever about these safe prime factors

18 Definitions Negligible function Zero-knowledge proof Completeness property Soundness property

19 Definition: Negligible function f is negligible if for all c > 0 and sufficiently large n, f(n) < n -c f is nonnegligible if there exists a c > 0 such that for all sufficiently large n, f(n) > n -c E.g. f(n) = 2 -n is negligible in n.

20 Definition: Zero-knowledge Proof From its name, it has two parts: Proof It convinces the verifier with overwhelming probability that the prover knows the secret. i.e. It is complete and sound Zero-knowledge It should not reveal any information about the secret.

21 Requirements of ZKPs 1. Completeness: If the prover knows the secret, the verifier accepts the proof with overwhelming probability. 2. Soundness: If the prover does not know the secret, it is highly unlikely that the verifier accepts the proof. 3. Zero-knowledge: The verifier cannot learn the secret even if he deviates from the protocol. 4. Repudiatability: The prover can repudiate the proof to a third party. 5. Non-transferability: The verifier cannot pretend to be the prover to any third party.

22 Classical Problems Used in ZKPs Discrete Log (DL) Problem Square Root Problem (SQRT) Graph Isomorphism Problem Satisfiability (SAT) Problem

23 Graph Isomorphism Given two graphs G 1 =(V 1,E 1 ) and G 2 =(V 2, E 2 ), to prove in zero-knowledge the possession of a permutation  from G 1 to G 2 such that (u, v)  E 1 iff (  (u),  (v))  E 2 Applications: Multi-media security

24 ZKP of Graph Isomorphism Peggy (P)Victor (V) 0 G1, G2,  G1, G2 1 P generates random  ’ ’’ 2 P sends H =  ’(G2) to V HH 3V flips a coin ccc 4 If c = Head, P sends  ’ to V  ’, check H =  ’(G2) 5If c = Tail, P sends  =  ’o  , check H =  (G1) 6 Steps 1-5 are repeated until Victor is convinced that Peggy must know  (with probability 1-2 -k, for k iterations).

25 Square Root Problem To prove in zero-knowledge the possession of x such that x 2 = b (mod n) Applications: Digital watermarks Public-key schemes

26 ZKP of SQRT x 2 = b (mod n) Peggy (P)Victor (V) 0b, n, xb, n 1P generates random rr 2P sends s = r 2 mod n to Vss 3V flips a coin c = H or Tcc 4If c = H, P sends r to Vr, check r 2 = s 5If c = T, P sends m = r.xm, check m 2 = s.b 6Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2 -k, for k iterations).

27 DL Problem To prove in zero-knowledge the possession of x such that g x = b (mod n) Applications: Multi-media security Identification schemes Digital cash Electronic election

28 ZKP of DL b = g x (mod n) hhP sends h = g r mod n to V2 rPeggy generates random r1 ccV flips a coin c = H or T3 r, check g r = hIf c = H, P sends r to V4 m, check g m = bhmIf c = T, P sends m = x + r5 Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob 1-2 -k, for k iterations). 6 Victor (V)Peggy (P) g, b, ng, b, n, x0

29 One-round ZKPs One-round zero-knowledge proofs Eliminate the iteration costs One-round ZKPs Encapsulate all the requirements of the true ZKP, but in one round.

30 One-round ZKP for Alibaba’s cave example

31 One-Round ZKP of DL b = g x (mod n) yV generates a random y1 C= g y CV sends C = g y (mod n)2 RR= C x P sends R = C x (mod n)3 V verifies that R = C x = (g y ) x = g xy = (g x ) y = b y (mod n) 4 Victor (V)Peggy (P) g, b, ng, b, n, x0

32 Time Complexity Iterative ZKP Let t be the length of the secret x in bits. Each round costs O(t 2 log t log log t) Optimal number of rounds = t O(t 3 log t log log t) One-round ZKP O(t 2 log t log log t).

33 Communication Cost Iterative ZKP Needs 2 messages of size t in each round. Needs one bit for the coin in each round. Optimal number of rounds = t Exchanges (2t 2 + t) bits total. One-round ZKP Needs 2 messages of size t each. Exchanges 2t bits total.

34 Communication Latency Let d be the average latency (delay) per message over the network between the two parties

35 Communication Latency Iterative ZKP Needs 2 messages in each round Needs one bit for the coin in each round Latency per round = 3d Optimal number of rounds = t Overall latency = 3td One-round ZKP Needs 2 messages, each takes d Overall latency = 2d

36 Security Issues on 1-R ZKP of DL