Zero-Knowledge Proofs And Their Applications in Cryptographic Systems Sultan Almuhammadi ICS 454.


2 Introduction Zero-knowledge proofs (ZKPs) To prove the knowledge of a secret without revealing it. Special form of interactive proofs (IP) between two parties: prover and verifier. First introduced in 1985 by Goldwasser, Micali and Rackoff, for identification schemes. Have a wide range of applications in modern cryptographic systems.

3 Introduction ZKPs Iterative: run in several rounds Usually have high cost due to iteration Cost Measures Execution-time complexity Communication cost (#of bits exchanged) Communication latency (delay)

4 From the Literature A Toy Example of ZKP To demonstrate all the features of ZKP Easy to discuss and visualize Known as: Alibaba’s cave

5 Alibaba’s Cave Peggy (the prover) wants to prove her knowledge of the secret word of the cave to Victor (the verifier) but without revealing it

6 Alibaba’s Cave: The Proof 1. Starting at point A 2. Peggy walks all the way to either point C or point D 3. Victor walks to point B 4. Victor asks Peggy to either: Come out of the left passage (or) Come out of the right passage 5. Peggy does that using the secret word if needed 6. They repeat these steps until Victor is convinced that Peggy knows the secret word

7 Alibaba’s Cave: About The Proof 1. Complete: if Peggy knows the secret word, she can complete the proof successfully. 2. Sound: if she does not know the secret, it is highly unlikely that she passes all the rounds. 3. Zero-knowledge: no matter how many rounds Victor asks for, he cannot learn the secret. 4. Repudiatable: (Peggy can repudiate the proof) If Victor video tapes the entire protocol, he cannot convince others that Peggy knows the secret. 5. Non-transferable: Victor cannot use the proof to pretend to be the prover to a third party.

8 Alibaba’s Cave: Number of Rounds How many rounds are needed? Completeness: If Peggy knows the secret, she always passes. Soundness: If Peggy does not know the secret, she can pass with probability $1/2^k$, where k is the number of rounds. Optimal number of rounds k: Minimum k that gives max trust in the proof. Let S be the domain of the secret. E.g. S = {strings of length 4 bits}

9 Alibaba’s Cave: Number of Rounds What is the optimal number of rounds k? E.g. Assume S = {strings of length 4 bits}. $|S| = 2^4 = 16$. There are 16 possible secrets. Prob (guess the secret) = 1/16. Table: # of Rounds | Prob (pass w/out secret); surviving entries: 0, 1/2, 1/4, 1/8, 1/16, k, 6. Optimal $k = \lceil \log_2 |S| \rceil$ (the length of the secret in bits)

10 Applications of ZKPs Identification schemes Multi-media security and digital watermarks Network privacy and anonymous communication Digital cash and off-line digital coin systems Electronic election Public-key cryptographic systems Smart cards

11 Identification Schemes Identification scheme: a protocol for two parties (User and System) by which the User identifies himself to the System in a secure way, that is, a third party listening to the conversation cannot later impersonate the user.

12 Identification Schemes Why ZKP? In some applications, it is desirable that the identity of the specific user is kept secret from the system. E.g. an investor accessing a stock-market database prefers to hide his identity. Knowing which user is interested in the stock of a given company is valuable information. However, the system must make sure that the user is legitimate (i.e. a subscriber to the service).

13 Multi-media Security and Digital Watermarks Digital Watermark To resolve ownership of media objects To ensure theft detection in a court of law Must survive within a media object Should not be easily removed by attackers Why ZKP? To prove the existence of a mark, without revealing what that mark is. Revealing a watermark within an object leads to subsequent theft by providing attackers with the information they need to remove or claim the watermark.

14 Digital Cash and Off-line Digital Coin Systems Security needs The bank wants to be able to detect all reuse or forgery of the digital coins. The vendor requires the assurance of authenticity. The customer wants the privacy of purchases (the bank cannot track down where the coins are spent, unless the customer reuses/forges them). Off-line digital coin system The purchase protocol does not involve the bank. Why ZKP? To achieve the privacy of the customer.

15 Electronic Election Electronic voting system: a set of protocols which allow voters to cast ballots while a group of authorities collect the votes and output the final tally. Requirements Security: ensure voting restrictions (e.g. voters can vote for at most one of the given candidates) Privacy: cannot reveal who votes for what Why ZKP? To ensure the privacy of the voter.

16 Public-Key Cryptographic Systems Setups Each user has a public key and a private key. A message encrypted with some public key needs the corresponding private key to decrypt it. It is computationally infeasible to deduce the private key from the public key. Examples RSA scheme ElGamal scheme Why ZKP?

17 Public-Key Cryptographic Systems Why ZKP? To set up the scheme and prove it is secure. E.g. in RSA, the modulus should consist of two safe primes; ZKPs are used to prove that a given number is a product of two safe primes without revealing any information whatsoever about these safe prime factors

18 Definitions Negligible function Zero-knowledge proof Completeness property Soundness property

19 Definition: Negligible function f is negligible if for all c > 0 and sufficiently large n, $f(n) < n^{-c}$. f is nonnegligible if there exists a c > 0 such that for all sufficiently large n, $f(n) > n^{-c}$. E.g. $f(n) = 2^{-n}$ is negligible in n.

20 Definition: Zero-knowledge Proof From its name, it has two parts: Proof It convinces the verifier with overwhelming probability that the prover knows the secret. i.e. It is complete and sound Zero-knowledge It should not reveal any information about the secret.

21 Requirements of ZKPs 1. Completeness: If the prover knows the secret, the verifier accepts the proof with overwhelming probability. 2. Soundness: If the prover does not know the secret, it is highly unlikely that the verifier accepts the proof. 3. Zero-knowledge: The verifier cannot learn the secret even if he deviates from the protocol. 4. Repudiatability: The prover can repudiate the proof to a third party. 5. Non-transferability: The verifier cannot pretend to be the prover to any third party.

22 Classical Problems Used in ZKPs Discrete Log (DL) Problem Square Root Problem (SQRT) Graph Isomorphism Problem Satisfiability (SAT) Problem

23 Graph Isomorphism Given two graphs $G_1 = (V_1, E_1)$ and $G_2 = (V_2, E_2)$, to prove in zero-knowledge the possession of a permutation $\pi$ from $G_1$ to $G_2$ such that $(u, v) \in E_1$ iff $(\pi(u), \pi(v)) \in E_2$. Applications: Multi-media security

24 ZKP of Graph Isomorphism
0. Peggy (P) holds $G_1$, $G_2$, $\pi$; Victor (V) holds $G_1$, $G_2$.
1. P generates random $\pi'$.
2. P sends $H = \pi'(G_2)$ to V.
3. V flips a coin c; both parties now hold c.
4. If c = Head, P sends $\pi'$ to V; V checks $H = \pi'(G_2)$.
5. If c = Tail, P sends $\sigma = \pi' \circ \pi$; V checks $H = \sigma(G_1)$.
6. Steps 1-5 are repeated until Victor is convinced that Peggy must know $\pi$ (with probability $1 - 2^{-k}$, for k iterations).
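The graph-isomorphism rounds above, as an added Python example that is not part of the original slides. The names `pi` (Peggy's secret permutation), `pi_prime` (the fresh per-round permutation), the helper functions and the sample graph are all constructed for illustration.

```python
import random

def apply_perm(perm, edges):
    """Relabel an undirected edge set: vertex v becomes perm[v]."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)

def compose(outer, inner):
    """Permutation 'outer o inner': v -> outer[inner[v]]."""
    return [outer[inner[v]] for v in range(len(inner))]

def prover_commit(g2, n, rng):
    """Steps 1-2: pick a fresh random permutation, send H = pi_prime(G2)."""
    pi_prime = list(range(n))
    rng.shuffle(pi_prime)
    return pi_prime, apply_perm(pi_prime, g2)

def prover_respond(pi, pi_prime, coin):
    """Steps 4-5: reveal pi_prime on Head, pi_prime o pi on Tail."""
    return pi_prime if coin == "Head" else compose(pi_prime, pi)

def verifier_check(g1, g2, h, coin, answer):
    """Victor maps G2 (Head) or G1 (Tail) through the answer, compares to H."""
    return h == apply_perm(answer, g2 if coin == "Head" else g1)

def run_proof(g1, g2, pi, rounds, rng=None):
    rng = rng or random.SystemRandom()
    for _ in range(rounds):
        pi_prime, h = prover_commit(g2, len(pi), rng)
        coin = rng.choice(["Head", "Tail"])
        answer = prover_respond(pi, pi_prime, coin)
        if not verifier_check(g1, g2, h, coin, answer):
            return False
    return True

# Constructed sample: a 5-cycle with one chord, and a relabelled copy of it.
G1 = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
PI = [2, 0, 3, 4, 1]                  # Peggy's secret: PI maps G1 onto G2
G2 = apply_perm(PI, G1)

if __name__ == "__main__":
    print("knows PI :", run_proof(G1, G2, PI, 20))
    # A prover holding a wrong permutation is caught on the first Tail round.
    print("wrong map:", run_proof(G1, G2, [0, 1, 2, 3, 4], 20))
```

Each answer on its own is a uniformly random relabelling, which is why a single round tells Victor nothing about `PI`.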

25 Square Root Problem To prove in zero-knowledge the possession of x such that $x^2 = b \pmod n$. Applications: Digital watermarks Public-key schemes

26 ZKP of SQRT: $x^2 = b \pmod n$
0. Peggy (P) holds b, n, x; Victor (V) holds b, n.
1. P generates random r.
2. P sends $s = r^2 \bmod n$ to V.
3. V flips a coin c = H or T; both parties now hold c.
4. If c = H, P sends r to V; V checks $r^2 = s$.
5. If c = T, P sends $m = r \cdot x$; V checks $m^2 = s \cdot b$.
6. Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob $1 - 2^{-k}$, for k iterations).

27 DL Problem To prove in zero-knowledge the possession of x such that $g^x = b \pmod n$. Applications: Multi-media security Identification schemes Digital cash Electronic election

28 ZKP of DL: $b = g^x \pmod n$
0. Peggy (P) holds g, b, n, x; Victor (V) holds g, b, n.
1. Peggy generates random r.
2. P sends $h = g^r \bmod n$ to V.
3. V flips a coin c = H or T; both parties now hold c.
4. If c = H, P sends r to V; V checks $g^r = h$.
5. If c = T, P sends $m = x + r$; V checks $g^m = bh$.
6. Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with prob $1 - 2^{-k}$, for k iterations).
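The iterative discrete-log proof above, as an added Python example that is not part of the original slides; it runs an honest Peggy and a prover without x who must guess Victor's coin, which is where the $2^{-k}$ soundness bound comes from. The prime modulus, the base, the reduction of x + r modulo n - 1 and all function names are assumptions made for the sketch.

```python
import secrets

# Constructed parameters (assumptions, not from the slides): a prime modulus
# and a fixed base. Exponents are reduced mod n - 1 (Fermat's little theorem).
N = 2**127 - 1          # Mersenne prime
G = 3

def keygen():
    x = secrets.randbelow(N - 2) + 1       # Peggy's secret
    return x, pow(G, x, N)                 # (x, b = g^x mod n)

def commit():
    r = secrets.randbelow(N - 1)
    return r, pow(G, r, N)                 # (r, h = g^r mod n)

def respond(x, r, c):
    return r if c == "H" else (x + r) % (N - 1)

def verify(b, h, c, answer):
    lhs = pow(G, answer, N)
    return lhs == h if c == "H" else lhs == (b * h) % N

def honest_run(x, b, rounds):
    for _ in range(rounds):
        r, h = commit()
        c = secrets.choice("HT")
        if not verify(b, h, c, respond(x, r, c)):
            return False
    return True

def cheat_round(b, guess, c):
    """Prover without x prepares for one coin value `guess`; Victor flips c."""
    a = secrets.randbelow(N - 1)
    if guess == "H":
        h = pow(G, a, N)                       # can open h, cannot answer T
    else:
        h = pow(G, a, N) * pow(b, -1, N) % N   # g^a = b*h, cannot answer H
    return verify(b, h, c, a)

def cheat_run(b, rounds):
    return all(cheat_round(b, secrets.choice("HT"), secrets.choice("HT"))
               for _ in range(rounds))

if __name__ == "__main__":
    x, b = keygen()
    print("honest prover, 40 rounds:", honest_run(x, b, 40))
    wins = sum(cheat_run(b, 4) for _ in range(4000))
    print("cheater passes 4 rounds: %.3f (expected 1/16)" % (wins / 4000))
```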

29 One-round ZKPs One-round zero-knowledge proofs Eliminate the iteration costs One-round ZKPs Encapsulate all the requirements of the true ZKP, but in one round.

30 One-round ZKP for Alibaba’s cave example

31 One-Round ZKP of DL: $b = g^x \pmod n$
0. Peggy (P) holds g, b, n, x; Victor (V) holds g, b, n.
1. V generates a random y.
2. V sends $C = g^y \pmod n$.
3. P sends $R = C^x \pmod n$.
4. V verifies that $R = C^x = (g^y)^x = g^{xy} = (g^x)^y = b^y \pmod n$.

32 Time Complexity Iterative ZKP: Let t be the length of the secret x in bits. Each round costs $O(t^2 \log t \log\log t)$. Optimal number of rounds = t. Total: $O(t^3 \log t \log\log t)$. One-round ZKP: $O(t^2 \log t \log\log t)$.

33 Communication Cost Iterative ZKP: Needs 2 messages of size t in each round. Needs one bit for the coin in each round. Optimal number of rounds = t. Exchanges $(2t^2 + t)$ bits total. One-round ZKP: Needs 2 messages of size t each. Exchanges 2t bits total.

34 Communication Latency Let d be the average latency (delay) per message over the network between the two parties

35 Communication Latency Iterative ZKP Needs 2 messages in each round Needs one bit for the coin in each round Latency per round = 3d Optimal number of rounds = t Overall latency = 3td One-round ZKP Needs 2 messages, each takes d Overall latency = 2d

36 Security Issues on 1-R ZKP of DL