Zero Knowledge. Two parties: all-powerful prover P and polynomially bounded verifier V. P wants to prove a statement to V with the following properties:


1 Zero Knowledge
- Two parties:
  - All-powerful prover P
  - Polynomially bounded verifier V
- P wants to prove a statement to V with the following properties:
  - Completeness – honest verifier convinced by honest prover
  - Correctness – dishonest prover can’t convince verifier of false statement (except with negligible probability)
  - Zero knowledge – verifier doesn’t learn anything besides the correctness of the statement

2 Proving Zero Knowledge
- By simulation
  - Every cheating verifier has a simulator that outputs
    - Perfect zero knowledge – the same distribution as the verifier’s view in the protocol
    - Computational zero knowledge – indistinguishable distribution from the verifier’s view in the protocol
- Bad example – challenge-response password protocol
- Example – proving knowledge of discrete log

3 Commitment
- Two player protocol
- Alice commits to a value b
  - Binding – Alice can’t change the value after the commitment
  - Concealing – Bob can’t discover b
  - Alice can reveal b at some point
- Example – f(x) one-way permutation, B(x) hardcore for f(x)
  - Commitment – (f(x), b ⊕ B(x))
  - Revealing – x

4 Commitment (cont.)
- Naor’s scheme – using the indistinguishability property of a PRG G.
  - Commitment – Bob sends random string r of length G(x). Alice chooses random x and sends G(x) ⊕ br
  - Revealing – Alice sends x
- Claim – if Bob can find b before Alice reveals it, then Bob can distinguish G(x) from random string
- Claim – Alice has low probability of success in cheating (finding y such that G(y) = r ⊕ G(x))

5 Zero Knowledge for GI
- GI – Graph homomorphism
- Two graphs G_1, G_2 are homomorphic if there is a re-labeling of the nodes of G that gives the nodes of H
- Hard problem
  - No known polynomial algorithm
  - Not known if it is NP-hard
- Prover commits to m graphs H_1,…,H_m
- Verifier sends m choices a_1,…,a_m, a_i ∈ {1,2}
- Prover reveals homomorphism between H_i and G_{a_i} for every i.

6 SRP
- Client authenticated by short password
- Motivated by ZK, although not the same
- Server and client agree on p, g and hash function h
- Server sends random salt
- Client sends g^a mod p
- Server computes x = h(password, salt), B = g^b + g^x mod p. Server sends B.
- Client computes g^x mod p, both sides compute u = h(B)
- Client computes shared = (B − g^x)^(a+ux) mod p
- Server computes shared = (g^a g^(xu))^b mod p
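The SRP message flow from slide 6, run end to end so both sides' values can be compared. This is an added example, not code from the presentation; the group parameters P and G, the use of SHA-256 for h, and the names srp_exchange, h and to_bytes are assumptions made for illustration.

```python
import hashlib
import secrets

# Assumptions (not from the slides): toy group parameters and SHA-256 as h.
# Real deployments use a large safe-prime group.
P = 2**127 - 1  # Mersenne prime, small enough to read, too small for real use
G = 3

def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def h(*parts: bytes) -> int:
    """The agreed hash function h, returned as an integer."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

def srp_exchange(client_password: bytes, server_password: bytes):
    """Run the slide's message flow once; return (client_shared, server_shared)."""
    salt = secrets.token_bytes(16)             # server -> client: random salt
    a = secrets.randbelow(P - 2) + 1           # client's ephemeral secret
    A = pow(G, a, P)                           # client -> server: g^a mod p

    b = secrets.randbelow(P - 2) + 1           # server's ephemeral secret
    x_srv = h(server_password, salt)           # x = h(password, salt)
    B = (pow(G, b, P) + pow(G, x_srv, P)) % P  # server -> client: g^b + g^x mod p
    u = h(to_bytes(B))                         # both sides: u = h(B)

    # Client: strip g^x off B, leaving g^b, then raise to a + u*x.
    x_cli = h(client_password, salt)
    client_shared = pow((B - pow(G, x_cli, P)) % P, a + u * x_cli, P)

    # Server: (g^a * g^(x*u))^b = g^(b*(a + u*x)), the same value.
    server_shared = pow(A * pow(G, x_srv * u, P) % P, b, P)
    return client_shared, server_shared

if __name__ == "__main__":
    ok = srp_exchange(b"correct horse", b"correct horse")
    bad = srp_exchange(b"wrong guess", b"correct horse")
    print("matching password :", ok[0] == ok[1])
    print("wrong password    :", bad[0] == bad[1])
```

With a wrong password the client cannot cancel g^x out of B, so its value diverges from the server's. Only the salt, g^a mod p and B cross the wire.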

7 Special attacks to conclude
- Fault attack – induce some fault in operation of target and hope for good results
- Examples
  - Original hardware jailbreak of iPhone
  - Power spike during access control run
  - RSA-CRT computation – error in computation on p, but not on q
- Side channel attacks – overview
- Power analysis
  - Simple power analysis of exponentiation

