Concurrency and Zero-Knowledge Protocols
Amit Sahai, MIT Laboratory for Computer Science


Page 1

Concurrency and Zero-Knowledge Protocols

Amit Sahai
MIT Laboratory for Computer Science

Page 2

Zero-knowledge Proofs [GMR85]

• One party (“the prover”) convinces another party (“the verifier”) that some assertion is true.

• The verifier learns nothing except that the assertion is true!

Page 3

Zero-knowledge Proofs (cont.)

Vast applicability throughout Cryptography:

• Identification / Authentication Protocols: [GMR, FS, …] Prove knowledge without revealing it.

• “Next Generation” Protocols: [GMW]

• Key Escrow [M, MS, VvT, …]

• Electronic Elections [C, CF, C, OO, …]

• Anonymous Credentials [C, CvH, LRSW, …]

• Dealerless Poker [GMW, BCR, C, …]

Page 4

Assumptions

Almost all previous research assumes:

• Sequential communication

• At most 2 parties communicating at any given time

• Mutually aware, cooperating parties

[Figure: Prover ↔ Verifier]

Page 5

The Internet

[Figure: network diagram with Ebay and Yahoo]

Page 6

The Internet

• Concurrent, interleaved communication

• Mutually unaware parties, acting locally

[Figure: network diagram with Ebay and Yahoo]

Page 7

Challenge: Global Coordinated Attack

[Figure: network diagram with Yahoo]

Page 8

Global Coordinated Attack

[Figure: network diagram with Yahoo]

Page 9

Our Context: Zero Knowledge

[Figure: Prover, Honest Verifier, and Corrupted Verifiers trying to extract the Prover’s secrets.]

Page 10

The Goal

Extend the theory of Zero-Knowledge Protocols to provide security in the Internet setting.

• [Dwork, Naor, Sahai -- STOC ‘98]

• [Dwork, Sahai -- Crypto ‘98]

+ Ongoing work

Page 11

Outline

1. Zero Knowledge: Definitions and example

2. What goes wrong

3. How to fix it

Page 12

Interactive Proof System

[Figure: Prover and Verifier exchange messages v1, p1, v2, …, pk; the Verifier ends with accept/reject]

Interactive protocol where Prover tries to convince probabilistic Verifier that assertion x is true.

• When x is true, Verifier always accepts.

• When x is false, Verifier accepts only with negligible prob., no matter what strategy Prover uses.

Page 13

(Ordinary) Zero-Knowledge [GMR]

[Figure: the same exchange v1, p1, v2, …, pk, accept/reject]

When assertion is true, can simulate interaction with any Verifier, w/o access to Prover.

Formally, for every verifier, there is a probabilistic efficient simulator such that, when given a true assertion, the simulator’s output is computationally indistinguishable from the Verifier’s actual view of the interaction with the Prover.

Page 14

Zero Knowledge [GMR]

[Figure: a “?” between two transcripts v1, p1, v2, …, pk, accept/reject: the real interaction and the simulated one]

Page 15

Concurrent Zero Knowledge

[Figure: verifiers V1, V2, …, Vn with their messages interleaved, e.g. 1 2 1 2 … 1 2 3 4 … 3 4 3 4]

When assertion is true, can simulate interaction with any Adversary, w/o access to Prover.

Formally, for every Adversary, there is a probabilistic efficient simulator such that, when given a true assertion, the simulator’s output is computationally indistinguishable from the Adversary’s actual view of the interaction with the Prover.

Page 16

Deniable Message Authentication

[Figure: Monica, Linda, Bill]

Page 17

Example: Zero-Knowledge Proofs for NP

Page 18

Cryptographic Commitment

• Public Key Encryption Scheme (PK, SK)

• Assume E_PK is always one-to-one.

• To commit to a string x, I send y = E_PK(x; r).

• To open the commitment, I reveal (x, r).

• Commitment is secret.

• Because E_PK is 1:1, can’t change my mind about x.

Page 19

The Power of NP

• NP is very useful cryptographically, e.g.:

• Say y = E_PK(x; r) and y′ = E_PK′(x′; r′).

• “y and y′ are encryptions of the same message” is in NP!

• Say f is efficiently computable.

• “y′ is the encryption of f applied to the decryption of y” is in NP.

• If we could prove NP statements in ZK, ...

Page 20

NP-Completeness

• Amazing thing about NP:

• There are languages complete for NP!

• e.g. Graph 3-Colorability

Page 21

NP-Completeness (cont.)

• y = E_PK(x; r) and y′ = E_PK′(x; r′)

“y and y′ are encryptions of the same message” → (reduction) → an instance of Graph 3-Colorability

Page 22

ZK Proof for Graph 3-Colorability

• Input: Graph G = (V = {1, …, n}, E).

• Prover Knows: 3-coloring c: V → {R, B, G}.

• First, Prover picks random permutation π: {R, B, G} → {R, B, G}, and applies π to c:

Page 23

ZK Proof (cont.)

Prover → Verifier: Commit(π(c(1))), …, Commit(π(c(n)))

Verifier → Prover: e = (i, j) ∈_R E

Prover → Verifier: Reveal π(c(i)) and π(c(j))

Verifier accepts if π(c(i)) ≠ π(c(j)).

Page 24

ZK Proof (cont.)

[Figure: the protocol illustrated on a graph]

Page 25

Related Work

• Large body of work on Concurrent Security:

• Focus: Integrity/Consistency of System State

• Locking and preventing Deadlock, Starvation

• Preventing inconsistent data reads

• Synchronizing databases

• Our Focus: Completely Different

• Not state, but preventing information leakage from protocol abuse.

Page 26

Problem: Coordinated Attacks

[Figure: network diagram with Yahoo]

Page 27

Problem: Coordinated Attacks

[Figure: network diagram with Yahoo]

Page 28

Problem: Coordinated Attacks

[Figure: network diagram with Ebay and Yahoo]

Page 29

Problem: Coordinated Attacks

[Figure: network diagram with Yahoo]

Page 30

The Internet

[Figure: network diagram with Ebay and Yahoo]

Page 31

Modern Cryptography: Zero-Knowledge Proofs

Amit Sahai, MIT

Page 32

Cryptography

• Encryption, Digital Signatures, etc.

• Protocols!

• Identification, Authentication...

• Electronic Elections

• Pseudonym Systems

• ...

• Today’s focus: Zero-Knowledge Proofs!

Page 33

Proofs

• What is a proof?

Lemma 1: blah blah blah.

Proof: blah blah blah

Lemma 2: blah blah.

Proof: blah blah blah

blah blah blah

blah blah blah! QED.

© Microsoft Proof Wizard™.

Page 34

Proofs

• What is a proof to a computer?

• Verify(assertion, Proof) = accept

• Verify(assertion, Proof) = reject

• What kinds of assertions + proofs can computers verify?

Page 35

Example: Satisfiability

• Consider assertions of the form:

• “Formula is satisfiable”

• e.g. (x1 ? x2) ? (x2 ? x3), where the connectives did not survive extraction

• Proof = Satisfying Assignment

• x1 = true, x2 = false, x3 = true

• Verify(formula, (a1, a2, a3)):

• Plug a1, a2, a3 into the formula.

• Accept if the formula becomes true.

Page 36

NP

• NP = assertion “types” (aka languages) with proofs that are:

• efficiently computer-verifiable

• of reasonable length

• Very rich class.

• e.g. Satisfiability ∈ NP

• Not the end of the story!

Page 37

Probabilistic Proofs

• Must a proof be totally convincing?

• Alternative:

• If proof correct, Verifier accepts always

• If proof wrong, Verifier rejects with high prob.

Page 38

Interactive Proofs

• Prover and Verifier talk back and forth.

• Prover tries to convince Verifier that assertion is true.

• If assertion is false, Prover fails with high prob.

• Now, Proof is a Protocol.

Page 39

Interactive Proof System

[Figure: Prover and Verifier exchange messages v1, p1, v2, …, pk; the Verifier ends with accept/reject]

Interactive protocol where Prover tries to convince probabilistic Verifier that x is true.

• When x is true, Verifier accepts always.

• When x is false, Verifier rejects w.p. (1 − 2^−100) no matter what strategy Prover uses.

Page 40

Interactive Proof System

[Figure: Prover and Verifier exchange messages v1, p1, v2, …, pk; the Verifier ends with accept/reject]

Interactive protocol where Prover tries to convince probabilistic Verifier that x is true.

• When x is true, Verifier accepts always.

• When x is false, Verifier rejects w.p. (1 − 2^−100) no matter what strategy Prover uses.

[Overlay on the probability: 1/2]

Page 41

Zero Knowledge

• Prover convinces Verifier, but...

• Verifier learns nothing except that assertion is true!

• What does that mean??

Page 42

Defining Zero Knowledge

• Natural Suggestion:

• Verifier should not be able to prove assertion to anyone else.

• …what if Verifier already knew how to prove assertion?

• ...maybe Verifier learned something else...

Page 43

Magic Tricks

• Magic tricks are like zero-knowledge proofs:

• Good magic tricks reveal nothing about how they work.

• What makes a magic trick good?

Page 44

A Magic Trick

• Two balls: Purple and Red, otherwise identical

• Blindfolded Magician

• You give a random ball to magician

Page 45

A Magic Trick (cont.)

• Magician tells you the color!

• Magician proves he can distinguish balls blindfolded.

• You learn nothing except this.

[Figure] Magician: “Abracadabra, Goobedy goo! It is Red!” You: “Wow! He’s so cool!”

Page 46

A Magic Trick (cont.)

• You knew exactly what magician was going to do.

• And he did it!

• Since you knew to begin with, you could not have learned anything new!

[Figure] Magician: “It’s Red!” You: “I knew he would say that.”

Page 47

Zero Knowledge

• Idea for definition:

• Verifier “knows” what is going to happen.

• CS-speak: Verifier can simulate it herself!

[Figure: “Abracadabra, Goobedy goo! It is Red!”, labelled Simulation]

Page 48

Zero-Knowledge Proof

[Figure: messages v1, p1, v2, …, pk, accept/reject]

When assertion is true, Verifier can simulate her view of the interaction on her own.

Formally, there is a probabilistic poly-time simulator such that, when given a true assertion, the simulator’s output is computationally indistinguishable from the Verifier’s actual view of the interaction with the Prover.

Note: ZK for honest verifier only.

Page 49

Zero Knowledge Proof

[Figure: a “?” between two transcripts v1, p1, v2, …, pk, accept/reject: the real interaction and the simulated one]

Page 50

Dishonest Verifiers

[Figure] “Ha ha!”

Page 51

Zero-Knowledge Proof

[Figure: messages v1, p1, v2, …, pk, accept/reject]

When assertion is true, any Verifier can simulate her view of the interaction on her own.

Formally, for every verifier, there is a probabilistic poly-time simulator such that, when given a true assertion, the simulator’s output is computationally indistinguishable from the Verifier’s actual view of the interaction with the Prover.

Page 52

Zero-Knowledge Proofs for NP

Page 53

Another Magic Trick

• Magician asks you to think of either

• “Apple” or

• “Banana”

• Magician then gives you a sealed box.

Page 54

Mind Reading

• You tell Magician what you were thinking.

[Figure] You: “I was thinking of a banana.”

Page 55

Mind Reading (cont.)

• Magician tells you to open box, and read piece of paper in box.

• Magician proves he can predict what you will say.

[Figure] Paper: “Banana”. You: “How did he do that!!”

Page 56

Mind Reading (cont.)

• Again, you knew what was going to happen. Zero-Knowledge

[Figure: “I was thinking of a banana.” / “Banana”, labelled Simulation]

Page 57

Mind Reading (cont.)

• But why was it convincing?

• Because Magician committed to his guess before you told him.

Page 58

Cryptographic Commitment

• Public Key Encryption Scheme (PK, SK)

• Assume E_PK is always one-to-one.

• To commit to a string x, I send y = E_PK(x; r).

• To open the commitment, I reveal (x, r).

• Commitment is secret.

• Because E_PK is 1:1, can’t change my mind about x.

Page 59

The Power of NP

• NP is very useful cryptographically, e.g.:

• Say y = E_PK(x; r) and y′ = E_PK′(x′; r′).

• “y and y′ are encryptions of the same message” is in NP!

• Say f is efficiently computable.

• “y′ is the encryption of f applied to the decryption of y” is in NP.

• If we could prove NP statements in ZK, ...

Page 60

NP-Completeness

• Amazing thing about NP:

• There are languages complete for NP!

• e.g. Graph 3-Colorability

Page 61

NP-Completeness (cont.)

• y = E_PK(x; r) and y′ = E_PK′(x; r′)

“y and y′ are encryptions of the same message” → (reduction) → an instance of Graph 3-Colorability

Page 62

ZK Proof for Graph 3-Colorability

• Input: Graph G = (V = {1, …, n}, E).

• Prover Knows: 3-coloring c: V → {R, B, G}.

• First, Prover picks random permutation π: {R, B, G} → {R, B, G}, and applies π to c:

Page 63

ZK Proof (cont.)

Prover → Verifier: Commit(π(c(1))), …, Commit(π(c(n)))

Verifier → Prover: e = (i, j) ∈_R E

Prover → Verifier: Reveal π(c(i)) and π(c(j))

Verifier accepts if π(c(i)) ≠ π(c(j)).

Page 64

ZK Proof (cont.)

[Figure: the protocol illustrated on a graph]

Page 65

ZK Proof: Analysis

• Suppose Graph is NOT 3-colorable.

• Then there is at least one edge where the colors are equal.

Verifier catches this with prob. ≥ 1/m (m = |E|).

• Repeat protocol 100m times; Verifier catches with prob. ≥ (1 − 2^−100).

Page 66

ZK Proof: Analysis (cont.)

• Why Zero-Knowledge? Verifier knows what will happen.

• Simulator:

• Pick e = (i, j) ∈_R E

• Pick random different colors a, b.

• Commit to arbitrary values for all vertices except i and j.

• For i and j, commit to a, b.

• Imitate rest of protocol.
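The commitment scheme of Page 58, the 3-coloring protocol of Pages 62–63 and the soundness analysis and honest-verifier simulator of Pages 65–66, carried through as one runnable piece. This is an added Python example, not code from the slides: the commitment y = E_PK(x; r) is replaced by SHA-256 over a fresh random 16-byte r followed by x (an assumption made so the example needs no public-key library; it hides x because r is random and binds x by collision resistance), the graphs and colorings are constructed sample inputs, and every function name (`run_protocol`, `simulate_round`, `monochromatic_edges`, …) is ours.

```python
import hashlib
import os
import random

COLORS = ("R", "B", "G")

# Constructed YES instance: a 5-cycle plus the chord (1,3); m = |E| = 6.
VERTICES = (1, 2, 3, 4, 5)
EDGES = ((1, 2), (2, 3), (3, 4), (4, 5), (5, 1), (1, 3))
COLORING = {1: "R", 2: "B", 3: "G", 4: "R", 5: "B"}   # prover's witness c: V -> {R,B,G}

# Constructed NO instance: K4 is not 3-colorable, so whatever a cheating prover
# commits to has at least one edge whose endpoints share a color.
K4_EDGES = ((1, 2), (1, 3), (1, 4), (2, 3), (2, 4), (3, 4))
CHEAT_COLORING = {1: "R", 2: "B", 3: "G", 4: "R"}


def commit(x: str) -> tuple[str, bytes]:
    """Stand-in for y = E_PK(x; r): SHA-256(r || x) with a fresh random r
    (assumption: a hash commitment replaces the 1:1 public-key encryption)."""
    r = os.urandom(16)
    return hashlib.sha256(r + x.encode()).hexdigest(), r


def opens_to(y: str, x: str, r: bytes) -> bool:
    """The opening (x, r) is valid iff it recomputes the commitment y."""
    return hashlib.sha256(r + x.encode()).hexdigest() == y


def commit_assignment(assignment: dict) -> tuple[dict, dict]:
    """Commit to one color per vertex; returns (commitments, openings)."""
    commitments, openings = {}, {}
    for v, color in assignment.items():
        commitments[v], r = commit(color)
        openings[v] = (color, r)
    return commitments, openings


def prover_commit_round(coloring: dict, rng: random.Random) -> tuple[dict, dict]:
    """Page 62: pick a random permutation pi of {R,B,G}, commit to pi(c(v)) for every v."""
    pi = dict(zip(COLORS, rng.sample(COLORS, 3)))
    return commit_assignment({v: pi[c] for v, c in coloring.items()})


def verifier_check(commitments: dict, edge: tuple, revealed: dict) -> bool:
    """Page 63: accept iff both openings are valid and pi(c(i)) != pi(c(j))."""
    i, j = edge
    (ci, ri), (cj, rj) = revealed[i], revealed[j]
    if not (opens_to(commitments[i], ci, ri) and opens_to(commitments[j], cj, rj)):
        return False
    return ci in COLORS and cj in COLORS and ci != cj


def run_protocol(edges: tuple, coloring: dict, rounds: int, seed: int) -> bool:
    """Sequential repetitions of the 3-message protocol; True iff every round accepts."""
    rng = random.Random(seed)
    for _ in range(rounds):
        commitments, openings = prover_commit_round(coloring, rng)  # Prover -> Verifier
        edge = rng.choice(edges)                                    # Verifier -> Prover: e in_R E
        revealed = {v: openings[v] for v in edge}                   # Prover -> Verifier: two openings
        if not verifier_check(commitments, edge, revealed):
            return False
    return True


def monochromatic_edges(edges: tuple, assignment: dict) -> int:
    """Page 65: a non-3-colorable graph forces at least one such edge, so a
    single round catches a cheating prover with probability >= 1/m."""
    return sum(1 for i, j in edges if assignment[i] == assignment[j])


def simulate_round(vertices: tuple, edges: tuple, seed: int) -> tuple[dict, tuple, dict]:
    """Page 66 simulator for the honest verifier, run without any coloring:
    choose the edge first, put two distinct random colors on its endpoints and
    commit to arbitrary (invalid) values everywhere else."""
    rng = random.Random(seed)
    edge = rng.choice(edges)
    a, b = rng.sample(COLORS, 2)
    fake = {v: "R" for v in vertices}          # arbitrary values, not a valid coloring
    fake[edge[0]], fake[edge[1]] = a, b
    commitments, openings = commit_assignment(fake)
    return commitments, edge, {v: openings[v] for v in edge}


def simulated_view_accepts(vertices: tuple, edges: tuple, seed: int) -> bool:
    """The simulated transcript passes exactly the check a real transcript passes."""
    return verifier_check(*simulate_round(vertices, edges, seed))


if __name__ == "__main__":
    print("honest prover, 100*m rounds  :", run_protocol(EDGES, COLORING, 600, seed=7))
    print("bad edges in the K4 attempt  :", monochromatic_edges(K4_EDGES, CHEAT_COLORING))
    print("cheating prover, 100*m rounds:", run_protocol(K4_EDGES, CHEAT_COLORING, 600, seed=7))
    print("simulated view accepted      :", simulated_view_accepts(VERTICES, EDGES, seed=7))
```

The only difference between `run_protocol` and `simulate_round` is the one Page 69 points at: the real prover commits to a valid coloring, the simulator to an invalid one, and the verifier cannot tell because the unopened commitments hide their contents. The K4 run shows the soundness side: the cheating prover survives a round only when the random edge misses its monochromatic edge, which 100m repetitions make overwhelmingly unlikely.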

Page 67

Simulator

[Figure]

Page 68

ZK Proof (Simulated)

[Figure]

Page 69

ZK Proof: Analysis (cont.)

• Only difference between real & simulated:

• In real life, commitments are to a valid coloring.

• In the simulator, commitments are to an invalid coloring.

• But commitments are secret, by security of the encryption scheme.

Simulator output and real life are computationally indistinguishable.

Page 70

ZK Proof: Analysis (cont.)

• This is a proof of ZK for Honest Verifier.

• Same protocol is ZK for Dishonest Verifiers.

• Proof: same idea, more technical.

• Not surprising...

• Verifier’s only job: pick a random edge.

Page 71

ZK Proof in a nutshell

[Figure]

Page 72

Consequences

Page 73

Identification

• Most basic application of ZK: Identification.

• To prove identity, just prove in ZK that some graph is 3-colorable.

• The 3-coloring is like a password.

• Even the computer you are logging on to will never find out your password!

Idea used to make signatures too.

Page 74

Bigger Picture

• Anonymity:

• Anonymous Credentials

• Pseudonyms (www.zeroknowledge.com)

• e-cash

• Fair exchange

• Distributed Encryption, Signatures

• General Multi-Party Computation

• Mental Poker

Page 75

Mental Poker

• Want to play poker totally in your mind?

• No physical cards.

• No trusted dealer.

• Main Problem: How to deal cards fairly?

Page 76

Mental Poker (cont.)

• Basic idea: Each player shuffles the deck by picking a random permutation π_i.

• Player i gets card π_1(π_2(…(π_n(i))…)).

• No player can control his card.

• Might as well pick random π_i.

• Shuffle is random + hidden.

• But how does player i get the proper card?

Page 77

Mental Poker (cont.)

• Player i wants card π_1(π_2(…(π_n(i))…))

• Player i asks for π_n(i), π_{n−1}(π_n(i)), ...

• Say Player i needs π_k(x):

• Use “Oblivious Transfer”:

• Player i finds out π_k(x) for one value x.

• Player k does not learn x.

• Uses ZK as a subroutine.

Page 78

Mental Poker (cont.)

• Problem: Player k may not give the correct π_k(x).

• Solution:

• Every player k commits at the beginning to π_k(1), …, π_k(52)

• Player k proves in ZK that it gave the correct value for π_k(x)

Page 79

Mental Poker (cont.)

• Problem: Player i may not ask for the correct x.

• Solution:

• Player i proves in ZK that it is asking for the correct x each time.

Each player gets proper random cards at the end of the “dealing” phase.

Page 80

Mental Poker (cont.)

• At end of game, if Player i reveals card:

• Player n opens commitment to π_n(i)

• Player n−1 opens commitment to π_{n−1}(π_n(i))

• ...

• Player 1 opens commitment to π_1(π_2(…(π_n(i))…))

• All players verify.

Page 81

Any Mental Game

• Using these techniques, can actually play any mental game!

• For any efficient function f, n players with secret inputs x1, ..., xn can:

• Learn y = f(x1, ..., xn) s.t.

• No players learn anything except y.

• In particular, x1, ..., xn still secret.

• e.g. Two people can figure out who has the bigger salary, without revealing the salary!

Page 82

Conclusions

• Zero Knowledge Proofs

• Simple, beautiful idea.

• Fundamental to Cryptography

• Can prove all NP statements in ZK (assuming one-way functions exist)

• Have a great vacation!

Page 83

Mental Poker (cont.)

• Player i needs π_k(x).

• Use “Oblivious Transfer”:

• Player k commits to π_k(1), …, π_k(n) (at start)

• “Player i gets π_k(x) without Player k finding out x”

• Player i proves in ZK that it only got 1 value.

• Player k proves in ZK that the value is consistent with its commitment.

Page 84

ZK Proof (cont.)

[Figure: Prover ↔ Verifier]

Page 85

ZK Proof (cont.)

[Figure: Prover ↔ Verifier]

Page 86

ZK Proof (cont.)

[Figure: Prover ↔ Verifier]

Page 87

ZK Proof (cont.)

[Figure: Prover ↔ Verifier]

Page 88

Example: GRAPH ISOMORPHISM [GMW86]

Input: Graphs G0, G1.

YES: G0 ≅ G1.  NO: G0 ≇ G1.

Prover → Verifier:
1. Let H be a random isomorphic copy of G0.

Verifier → Prover:
2. Flip coin ∈_R {0, 1}.

Prover → Verifier:
3. Let σ be a (random) isomorphism between G_coin and H.

Verifier:
4. Accept if σ maps G_coin to H.

Claim: Protocol is an (honest verifier) SZK proof.
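The four steps of the Page 88 protocol, plus the honest-verifier simulator that justifies the SZK claim, as an added Python example (not code from the slides or from [GMW86]). Graphs are sets of 2-element edge sets, permutations are dicts, and the 5-vertex graphs, the secret isomorphism `SECRET_PHI` and all function names are constructed assumptions of this example.

```python
import random

N = 5  # number of vertices in the constructed sample graphs


def apply_perm(graph: frozenset, perm: dict) -> frozenset:
    """Relabel every edge {u, v} of `graph` as {perm[u], perm[v]}."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)


def random_perm(rng: random.Random) -> dict:
    """A uniformly random permutation of {0, ..., N-1}."""
    targets = list(range(N))
    rng.shuffle(targets)
    return dict(enumerate(targets))


def compose(outer: dict, inner: dict) -> dict:
    """(outer ∘ inner)(v) = outer[inner[v]]."""
    return {v: outer[inner[v]] for v in inner}


def invert(perm: dict) -> dict:
    return {w: v for v, w in perm.items()}


# Constructed YES instance: G0 is a 5-cycle and G1 = phi(G0) for the prover's secret phi.
G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)])
SECRET_PHI = {0: 2, 1: 4, 2: 1, 3: 3, 4: 0}
G1 = apply_perm(G0, SECRET_PHI)
# Constructed NO instance: a 4-cycle with a pendant vertex has a degree-1 vertex,
# so it is not isomorphic to the 5-cycle even though it has the same number of edges.
G_NOT = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 0), (0, 4)])


def prover_step1(g0: frozenset, rng: random.Random) -> tuple[frozenset, dict]:
    """1. Prover: H = tau(G0) for a fresh random tau, which stays private."""
    tau = random_perm(rng)
    return apply_perm(g0, tau), tau


def prover_step3(coin: int, tau: dict, phi: dict) -> dict:
    """3. Prover: sigma with sigma(G_coin) = H. For coin = 0 that is tau itself;
    for coin = 1 it is tau ∘ phi^{-1}, because G0 = phi^{-1}(G1)."""
    return tau if coin == 0 else compose(tau, invert(phi))


def verifier_step4(graphs: tuple, coin: int, sigma: dict, h: frozenset) -> bool:
    """4. Verifier accepts iff sigma maps G_coin onto H."""
    return apply_perm(graphs[coin], sigma) == h


def run_protocol(graphs: tuple, phi: dict, rounds: int, seed: int) -> bool:
    """Repeat the protocol; True iff the verifier accepts every round. On a NO
    instance the prover's sigma is wrong whenever coin = 1, so each round
    catches it with probability 1/2."""
    rng = random.Random(seed)
    for _ in range(rounds):
        h, tau = prover_step1(graphs[0], rng)
        coin = rng.randrange(2)                       # 2. Verifier flips a coin
        if not verifier_step4(graphs, coin, prover_step3(coin, tau, phi), h):
            return False
    return True


def simulate_round(graphs: tuple, seed: int) -> tuple[frozenset, int, dict]:
    """Honest-verifier simulator, run without any isomorphism: pick the coin
    first, then a random sigma, and set H = sigma(G_coin). On a YES instance
    the view (H, coin, sigma) has exactly the real distribution."""
    rng = random.Random(seed)
    coin = rng.randrange(2)
    sigma = random_perm(rng)
    return apply_perm(graphs[coin], sigma), coin, sigma


def simulated_view_accepts(graphs: tuple, seed: int) -> bool:
    h, coin, sigma = simulate_round(graphs, seed)
    return verifier_step4(graphs, coin, sigma, h)


if __name__ == "__main__":
    print("YES instance, 40 rounds:", run_protocol((G0, G1), SECRET_PHI, 40, seed=3))
    print("NO instance, 40 rounds :", run_protocol((G0, G_NOT), SECRET_PHI, 40, seed=3))
    print("simulated view accepts :", simulated_view_accepts((G0, G1), seed=3))
```

The simulator never uses `SECRET_PHI`, which is the whole point: everything the honest verifier sees can be produced without the witness, so the transcript carries no knowledge about the isomorphism.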

Page 89

Mind Reading

[Figure] “I love you.”

• Two balls: Purple and Red, otherwise identical

• Blindfolded Magician

• You give a random ball to magician

Page 90

A Magic Trick (cont.)

• You knew exactly what magician was going to do.

• He did it!

• Since you knew to begin with, you could not have learned anything new!

[Figure] Magician: “It’s Red!” You: “I knew he would say that.”

Page 91

A Magic Trick

[Figure]

Page 92

Interactive Proof System

[Figure: Prover and Verifier exchange messages v1, p1, v2, …, pk; the Verifier ends with accept/reject]

Interactive protocol where Prover tries to convince probabilistic Verifier that x is true.

• When x is true, Verifier accepts always.

• When x is false, Verifier rejects w.p. 1/2 no matter what strategy Prover uses.

Page 93

Philosophy

[Figure: a System Designer for a Hospital asking: “Is my random number generator secure?” “Will my protocols work securely together?” “Is it secure vs. attack A?” “Is it secure vs. attack B?”]

Page 94

Holy Grail

• Guarantee: Nobody can break the system in 100 years.

• Unfortunately, we don’t know how to prove such theorems.

Need to make assumptions.

Page 95

One Approach...

[Figure] Cryptosystem XYZ (Patent Pending). “It’s so complicated! It must be secure!”

Page 96

One Approach… (cont.)

[Figure] Cryptosystem XYZ Broken 2 Days After Release!

Page 97

Examples

• PKCS #1 (Encryption Standard).

• DVD Encryption

• Digital Cellular Phone Encryption (GSM)

• …

• Lesson: Intuition often fails to hold for cryptography. Must be cautious!

Page 98

Assumptions

• Some assumptions have held up over the years.

• e.g. problems believed to be hard:

• Discrete Logarithm: Given y = g^x (mod p), find x.

• RSA: Given y = x^e (mod N = pq), find x.

Key: Red = Secret, Blue = Known

Page 99

Security

[Figure: Cryptographic Primitives built on Assumptions: RSA, Discrete Log]

“My encryption scheme is secure against CPA if RSA is hard to invert.”

Page 100

Better Security

[Figure: Cryptographic Primitives built on Assumptions: RSA, Discrete Log, One Way Functions, Lattice Problems, ...]

Page 101

Better Security

[Figure: Cryptographic Primitives built on Assumptions: RSA, Discrete Log, One Way Functions, Lattice Problems, ...]

“My signature scheme is secure against CMA if One-Way Functions exist…”

“One-Way Functions exist if either RSA is hard, or Discrete Log is hard, or …”

Page 102

Philosophy

Cryptography: Systematically address as many concerns as we can.

[Figure: “Will my protocols work securely together?” “Is it secure vs. attack A?” “Is it secure vs. attack B?” “Is my random number generator secure?”]

Page 103

Randomness: Why?

• Example: Public-Key Encryption

• Deterministic Encryption?

• Two possible messages:

• “Attack!”

• “Retreat!”

Completely insecure!

Need Randomization.

• Many other examples throughout Crypto.

Page 104

Randomness

• True randomness hard to come by.

• Can get a source with moderate entropy.

• Mouse/Keyboard movements

• Radioactive decay

• Refine a few truly random bits.

• Need many more!

Need to generate Pseudo-Random bits from a few truly random bits.

Page 105

Pseudo-Random Generator (PRG)

[Figure: Truly Random Seed → Pseudo-Random Generator (a deterministic procedure) → lots of pseudo-random bits]

Page 106

Pseudo-Random?

• What are “good” pseudo-random bits?

• Statistical tests?

• Linear Congruential Generator (a, b, m, y0): y_n = a·y_{n−1} + b (mod m) passes lots of tests.

• Insecure in practice!

• Need a definition that guarantees security.

Page 107

A.I. Turing Test

[Figure]

Page 108

Cryptographic Turing Test

[Figure: a “?” choosing between Our System and a Perfectly Secure System]

Page 109

Def. for PRG

[Figure: a “?” choosing between Truly Random Bits and PRG(Random Seed)]
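Why the Page 106 generator fails the Page 109 definition, as an added Python example (not code from the slides): an efficient distinguisher that is handed a run of words and must say whether they came from the LCG or from truly random bits. It knows the modulus m but neither a, b nor the seed, and still wins, so the “?” of Page 109 is easy to resolve. The prime modulus, the multiplier and increment and the function names are constructed assumptions of this example.

```python
import secrets

# Constructed parameters: a prime modulus, so non-zero differences are invertible mod M.
M = 2**31 - 1
A, B = 48271, 12345


def lcg(a: int, b: int, m: int, y0: int, n: int) -> list:
    """Page 106: Linear Congruential Generator y_n = a*y_{n-1} + b (mod m),
    returning the first n outputs after the seed y0."""
    out, y = [], y0
    for _ in range(n):
        y = (a * y + b) % m
        out.append(y)
    return out


def distinguisher(words: list, m: int) -> int:
    """Efficient test in the sense of Page 109: output 1 ("this is the PRG") if
    an affine recurrence fitted to the first three words predicts all the rest,
    else 0 ("this looks truly random"). Knows m but not a, b or the seed."""
    y0, y1, y2 = words[:3]
    d = (y1 - y0) % m
    if d == 0:
        return 0                              # cannot fit a; probability ~1/m
    a = (y2 - y1) * pow(d, -1, m) % m         # from y2 - y1 = a*(y1 - y0) (mod m)
    b = (y1 - a * y0) % m
    return int(all((a * prev + b) % m == cur for prev, cur in zip(words[2:], words[3:])))


def random_words(m: int, n: int) -> list:
    """Truly random words: the other input the '?' of Page 109 must be told apart from."""
    return [secrets.randbelow(m) for _ in range(n)]


def advantage(trials: int, n: int) -> float:
    """Pr[D(LCG output) = 1] - Pr[D(random) = 1]. A generator meeting the PRG
    definition would keep this negligible; here it is essentially 1."""
    on_lcg = sum(distinguisher(lcg(A, B, M, secrets.randbelow(M), n), M) for _ in range(trials))
    on_random = sum(distinguisher(random_words(M, n), M) for _ in range(trials))
    return (on_lcg - on_random) / trials


if __name__ == "__main__":
    print("D on LCG output :", distinguisher(lcg(A, B, M, 42, 10), M))
    print("D on random     :", distinguisher(random_words(M, 10), M))
    print("advantage       :", advantage(50, 10))
```

Passing statistical tests says nothing here: the distinguisher is not a statistical test but a specific efficient algorithm that exploits the structure of the generator, which is exactly the kind of adversary the definition quantifies over.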

Page 110

Is it good enough?

• Consider an Encryption Scheme, secure if it uses truly random bits.

• Can we use Encryption w/ PRG?

• Consider any poly-time attacker s.t.:

• Breaks Encryption w/ PRG

• Fails vs. Encryption w/ true random bits

Encryption + Attacker = Distinguisher for PRG.

Contradiction.

Page 111

Reductions and Security

• Want: Assumption ⇒ Security

• How to prove? Use the Contrapositive: Successful Attack ⇒ Break Assumption

Must Give a Reduction!