Zero Knowledge Proofs
Matthew Pouliotte
Anthony Pringle
Cryptography
November 22, 2005
“A proof is whatever convinces me.” - Shimon Even

2 Presentation Overview
What is a Zero Knowledge Proof?
Introduction to Interactive Proofs
Definition
Zero Knowledge Proofs
Properties of Zero Knowledge Proofs
Applications of Zero Knowledge Proofs
  - Feige-Fiat-Shamir Proof of Identity
  - Schnorr’s Identification Protocol
Conclusion

3 What is a Zero Knowledge Proof?
Classic Example:
  - Ali Baba’s Cave
Alice wants to prove to Bob that she knows how to open the secret door between R and S.
  - Bob goes to P
  - Alice goes to R or S
  - Bob goes to Q and tells Alice to come from one side or the other of the cave
  - If Alice knows the secret, she can appear from the correct side of the cave every time
Bob repeats this as many times as needed until he believes Alice knows how to open the secret door
Image from RSA Labs [1]

4 Introduction to Interactive Proofs
Prover (P) tries to prove some fact to a verifier
Verifier (V) either accepts or rejects the prover’s proof
To prove is to convince the verifier of some assertion
  - Prove that you know a secret value s
Each party in the protocol does the following:
1. Receive a message from the other party
2. Perform a private computation
3. Send a message to the other party
Repeats for t rounds

5 Interactive Proof Protocol
Prover and verifier share common inputs (functions or values)
The protocol yields Accept if every Response is accepted by the Verifier
Otherwise, the protocol yields Reject
[Diagram: Prover (P) and Verifier (V), each holding the Common Inputs, exchange the messages Random Value, Challenge and Response; repeats for t rounds]

6 Properties of Interactive Proofs
Completeness
  - The verifier accepts the proof if the assertion is true
  - Assumption: the parties follow the protocol
Soundness
  - If the fact is false, the verifier rejects the proof
  - Assumption: the parties follow the protocol

7 Interactive Proofs – Soundness and Completeness
Completeness: Prob[(P, V)(x) = Accept | x ∈ L] ≥ ε
Soundness: Prob[(¬P, V)(x) = Accept | x ∉ L] ≤ δ
Where:
  - ε ∈ (½, 1]
  - δ ∈ [0, ½)
  - L is a language over {0,1}*
  - (P, V) is an Interactive Proof Protocol involving P and V

8 Zero Knowledge Proofs
Instances of interactive proofs with the following properties:
  - Completeness – true theorems are provable
  - Soundness – false theorems are not provable
  - No information about the prover’s private input is revealed to the verifier – implication of the zero-knowledge property

9 Zero Knowledge Property
A transcript is the collection of messages resulting from the protocol execution
  Random_1, Challenge_1, Response_1, Random_2, Challenge_2, Response_2, …, Random_m, Challenge_m, Response_m
A simulator is a polynomial-time algorithm that generates false transcripts (without the prover) that are identical to the genuine ones
  Random_1, Challenge_1, Response_1, Random_2, Challenge_2, Response_2, …, Random_m, Challenge_m, Response_m
An interactive proof has the zero knowledge property if a simulator exists for the proof

10 Identification Schemes
Provide a way to demonstrate who you are
  - Show you know a secret value without revealing it
  - Feige-Fiat-Shamir Proof of Identity
  - Schnorr’s Identification Protocol
The zero knowledge premise is used in all PKIs
  - You do not reveal your private key
  - Most PKIs are single round though

11 Feige-Fiat-Shamir Proof of Identity
A trusted certifier publishes a modulus n which is the product of two large primes
  - Primes of the form 4r+3 (Blum integers)
  - Only purpose of trusted certifier
Where Ā is the prover and B is the verifier

12 Feige-Fiat-Shamir Proof of Identity For Ā to prove its identity to B, the following protocol is executed

13 Schnorr’s Identification Protocol
Two primes p and q such that q | p − 1
  - Usually |p| = 1024 and |q| = 160
A g such that ord_p(g) = q
A y such that y = g^(−a) (mod p)
  - Alice chooses a such that a < q
Alice’s public key is (p, q, g, y), which is certified by a CA

14 Schnorr’s Identification Protocol
Bob knows Alice knows some a ∈ Z_q such that y ≡ g^(−a) (mod p)
To prove this to Bob, the following steps are repeated log₂ log₂ p times:
1. Alice picks k ∈_U Z_q and computes g^k (mod p), which she sends to Bob
2. Bob picks x ∈_U {0,1}^(log₂ log₂ p) and sends it to Alice
3. Alice computes y = k + ax (mod q)
4. Bob checks g^k ≡ g^y · y^x (mod p), where the exponent y is Alice’s response from step 3 and the base y is her public key
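
The Schnorr rounds above, together with the simulator idea from the Zero Knowledge Property slide, as an added example that is not part of the original presentation. The toy parameters and all function names are constructed for illustration; the response is called s here because the slide reuses y, and the check is written as g^k ≡ g^s · y^x (mod p), the form that follows from y = g^(−a).

```python
import secrets

# Constructed toy parameters (far too small for real use): q divides p - 1.
P, Q = 2267, 103
G = pow(2, (P - 1) // Q, P)           # order q: q is prime and G != 1
T = P.bit_length().bit_length() - 1   # ~ log2(log2(p)): challenge bits per round

def keygen():
    a = secrets.randbelow(Q - 1) + 1  # private key, 0 < a < q
    return a, pow(G, -a, P)           # public key y = g^(-a) mod p

def verify(y, c, x, s):
    # Step 4: the commitment must equal g^s * y^x mod p.
    return c == pow(G, s, P) * pow(y, x, P) % P

def honest_round(a):
    k = secrets.randbelow(Q)          # step 1: k uniform in Z_q
    c = pow(G, k, P)                  #         commitment g^k mod p
    x = secrets.randbelow(2 ** T)     # step 2: verifier's T-bit challenge
    s = (k + a * x) % Q               # step 3: response
    return c, x, s

def forge(y, x):
    # Without a: pick the response first, then solve for the commitment.
    s = secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, x, P) % P, s

def simulated_round(y):
    # Simulator: it chooses the challenge itself, so the transcript verifies.
    x = secrets.randbelow(2 ** T)
    c, s = forge(y, x)
    return c, x, s

def cheating_round(y):
    # Impostor: must commit before seeing x, so it can only guess x.
    c, s = forge(y, secrets.randbelow(2 ** T))
    x = secrets.randbelow(2 ** T)     # verifier's independent challenge
    return c, x, s

def acceptance_rate(y, make_round, trials=4000):
    return sum(verify(y, *make_round()) for _ in range(trials)) / trials

if __name__ == "__main__":
    a, y = keygen()
    print("honest   ", acceptance_rate(y, lambda: honest_round(a)))
    print("simulated", acceptance_rate(y, lambda: simulated_round(y)))
    print("cheating ", acceptance_rate(y, lambda: cheating_round(y)), "vs", 2 ** -T)
```

With these toy values T = 3, so honest and simulated rounds always verify while an impostor passes a single round only when its guess matches the challenge, about one time in eight.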

15 Conclusions
Special case of interactive proofs
Zero knowledge proofs offer a way to prove knowledge to someone without transferring any additional knowledge to that person
  - Can be used to prove identity
  - Basic premise used in all PKIs

16 References
O. Goldreich. Foundations of Cryptography: Basic Tools. USA: Cambridge Press, 2001.
D. R. Stinson. Cryptography: Theory and Practice (1st edition). Boca Raton: CRC Press, 1995.
W. Mao. Modern Cryptography: Theory and Practice. New Jersey: Prentice Hall, 2003.
A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. Boca Raton: CRC Press, 1996.
L. Guillou and J.J. Quisquater. “How to Explain Zero-Knowledge Protocols to Your Children”. Advances in Cryptology, CRYPTO 1989.
G. Simari. “A Primer on Zero Knowledge Protocols”.
M. Tompa. “Zero knowledge interactive proofs of knowledge (a digest)”. Proceedings of the 2nd conference on Theoretical aspects of reasoning about knowledge, 1988.
U. Feige, A. Fiat, and A. Shamir. “Zero-knowledge proofs of identity”. ACM Special Interest Group on Algorithms and Computation Theory (SIGACT), 1987.
RSA Laboratories. “What are interactive proofs and zero-knowledge proofs?”

17 Questions???
“Knowledge must come through action; you can have no test which is not fanciful, save by trial.” - Sophocles

