ZERO KNOWLEDGE PROOF

Alma Bregaj

oWHAT IS ZERO KNOWLEDGE PROOF?

INFORMALLY, A ZERO-KNOWLEDGE PROOF IS A PROCEDURE THAT

ALLOWS ALICE TO CONVINCE BOB THAT A CERTAIN FACT IS TRUE

WITHOUT GIVING BOB ANY INFORMATION THAT WOULD LET BOB

CONVINCE OTHER PEOPLE THAT THE FACT IS TRUE.

ZERO-KNOWLEDGE (ZK) PROTOCOL IS AN INSTANCE OF INTERACTIVE

PROOF PROTOCOL. AN INTERACTIVE PROOF PROTOCOL IS ONE THAT

AUTHENTICATES A PROVER TO A VERIFIER USING CHALLENGE-

RESPONSE MECHANISM. IN THIS KIND, THE VERIFIER CAN ACCEPT OR

REJECT THE PROVER AT THE END OF THEIR COMMUNICATION.

GOLDWASSER, MICALI, AND RACKOFF FIRST PUT FORWARD THE BASIC

NOTION OF ZERO-KNOWLEDGE PROOF IN 1985.

ABSTRACT EXAMPLE (ALI BABA’S CAVE)Alice is the the prover of the statement and Bob the verifier.

Alice can prove that she knows the word to open the door without

telling it to Bob.

•Bob waits outside the cave as Alice goes in.

•She randomly takes either path A or B.

•Bob enters the cave and shouts the name of the path he wants her

to use to return, either A or B, chosen at random.

•If she relly knows the magic word she will open the door and if

neccesary ,returns along the desired path.

•If she did not know the word the probability is 50% to return along

the desired path.To convince Bob they repeat this trick n-times (n

is large number).

.

APPLICATIONS

Research in zero-knowledge proofs has been motivated by authentication

systems where one party wants to prove its identity to a second party via

some secret information (such as a password) but doesn't want the second

party to learn anything about this secret. This is called a "zero-knowledge

proof of knowledge".

One of the most fascinating uses of zero-knowledge proofs within

cryptographic protocols is to enforce honest behavior while maintaining

privacy. The idea is to force a user to prove, using a zero-knowledge proof,

that its behavior is correct according to the protocol.

ZK protocols are used for many real-time applications like authentication,

e-voting, watermark verification, etc.

PROPERTIES OF ZERO-KNOWLEDGE PROOFS

Completeness: if the statement is true, the honest verifier will be convinced of this fact by an honest prover.

Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.

Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact. This is formalized by showing that every cheating verifier has some simulator that, given only the statement to be proven , can produce a transcript that "looks like" an interaction between the honest prover and the cheating verifier.

ADVANTAGES OF ZERO-KNOWLEDGE PROOFS

Zero knowledge transfer – As the verifier does not learn anything

about prover’s secret s , he cannot impersonate the prover to a third

person. Also the prover cannot cheat the verifier with several iterations of

the protocol.

Efficiency – The computational efficiency of ZK protocol is because of

its interactive proofs nature. The costly computation related to encryption

is avoided.

Degradation – The security of protocol itself does not get degraded

with continuous use as no information about the secret is divulged.

Unsolved mathematical assumptions – ZK protocols are based on

various mathematical problems like discrete logarithms and integer

factorization

ZERO KNOWLEDGE PROTOCOLS

Zero-knowledge protocols, are cryptographic protocols which do not reveal

the information or secret itself during the protocol, or to any

eavesdropper.

Some ZK protocols are:

The Fiat-Shamir protocol is the first practical zero-knowledge protocol

with cryptographic applications and is based on the difficulty of factoring.

A more common variation of the Fiat-Shamir protocol is the Feige-Fiat-

Shamir scheme ,Guillou and Quisquater further improved Fiat-Shamir's

protocol in terms of memory requirements and interaction (the number of

rounds in the protocol).

FIAT-SHAMIR IDENTIFICATION PROTOCOL

FIAT-SHAMIR AUTHENTICATION WITH

ARTIFICIALLY SMALL PARAMETERS

We know: p = 3, q = 7 ⇒ n = 21 is the module.

v = 4

s2 · v ≡ 1 mod 21 ⇒ 16 · 4 ≡ 1 mod 21 ⇒ s2 = 16 ⇒ s = 4 is A’s secret.

Public elements: n = 21, ID, z, v = 4

Normal authentication A knows s = 4, B knows v = 4

A chooses r = 5 and sends x = r2 mod n = 25 mod 21 = 4

If B chooses b = 1, A answers with y = r·s = 5·4 = 20

If B chooses b = 0, A answers with y = 5

In case b = 1, B verifies ≡ x/v (mod n) ⇒ = 400 ≡ 1 ≡ x/v = 4/4 = 1 OK

In case b = 0, B verifies ≡ x (mod n) ⇒ = 25 ≡ 4 ≡ x = 4 OK

(CONTINUED)FIAT-SHAMIR AUTHENTICATION

WITH ARTIFICIALLY SMALL PARAMETERS

Attacker A* doesn’t know s = 4:

Since no roots can be calculated (because p and q are unknown), he must assume what the next b will be.

Assumption b = 1:

B wants to see ≡ x/v. A* will select y and calculate x. He can’t select x due to the square root which he can’t calculate.

So: A* chooses y = 2 and 4 ≡ x/4 ⇒ x = 16 and transmits it.

If b = 1 indeed, then the protocol round is completed successfully.

If b = 0, then B will expect = x. A* can’t calculate that due to root

Assumption b=0:

B expects ≡ x. A must select y and since y = r mod n and x = mod n, he must select r.

Let’s say r = 7. A* sends x = = 49 ≡ 7 mod 21.

If b = 0 indeed, y = r = 7 and = 49 ≡ 7 = x OK.

But if b=1, he would have to calculate y such that ≡ x/v ⇒ ≡ 7/4, which is impossible.

We see that an attacker can only complete a protocol round with a probability of 50%. The protocol requires several rounds till it’s complete, so, with every additional round, the probability of success for an attacker decreases rapidly.

FEIGE-FIAT-SHAMIR IDENTIFICATION

PROTOCOL

FEIGE-FIAT-SHAMIR PROTOCOL WITH

ARTIFICIALLY SMALL PARAMETERS

T selects p=683,q=811 and publishes n=pq=553913

Integers k=3 and t=1 are defied as security parameters.

Alice:

Selects 3 random integers , and 3 bits .

Computes with .

Alice’s public key is (441845,338402,124425,553913) and private key is (157,43215,4646).

Alice selects r=1279,c=1 and compute x=2598 and sends this to Bob.

Bob sends to A the 3-bit vector (0,0,1)

Alice computes and sends to Bob y=r

Bob computes and accepts Alice’s identity since z=+x and z=0.

GUILLOU QUISQUATER PROTOCOL

REAL-TIME APPLICATIONS OF ZERO-

KNOWLEDGE PROOFS

ZK protocols are used for many real-time applications like authentication, e-voting, watermark verification, etc. Here, a few of them are mentioned:

Watermark verification- For watermarking schemes, it is very important to show the presence of watermark in the image without actually revealing it .This prevents any malicious user from removing the watermark and reselling multiple copies of duplicate watermark. Kinoshita Hirotsugu uses zero knowledge interactive proofs based on Digital Signatures to assert ownership on an image.

Sky’s VideoCrypt- Sky’s VideoCryt is an analogue decoding card for satellite Directv descrambler used to authenticate the subscriber’s card. This uses Fiat-Shamir Zero Knowledge Protocol. The subscriber center holds the public key, secret key and the address while the card holds the public key and address. Every few seconds, the center requests all the cards to authenticate themselves. Each card which is valid has the algorithm for some function F(x) in its ROM while the data for F(x) is in EEPROM. As described earlier in Fiat-Shamir protocol, virtually no knowledge is transferred between F(x) and EEPROM

NGSCB -Next Generation Secure Computing Base (NGSCB) is Microsoft’s proposed secure computing environment to use zero knowledge proofing techniques to verify authenticity of services and code.

REFERENCES

A basic intro to VideoCrypt, http://www.heyrick.co.uk/willow/vcrypt.html

Wikipedia,

A Mitropoulos, and H. Meijer, “ Zero-knowledge proofs – a survey”

Gaurav Gain, “ Zero-knowledge proofs: A Survey”

Oren, Y., “ Properties of Zero-knowledge Proofs”.

MarkStamp,“NGSCB”,http://www.cs.sjsu.edu/faculty/stamp/CS165/my_ppt/4b_NGS

CB.ppt

J. -J. Quisquater, L. Gullou, and T Berson, “How to explain zero-knowledge protocols

to a children”

K. Gopalakrishnan, and Nasir Memon, “Protocols for watermark Verification”

www.cs.ecu.edu/~gopal/water.ps

Wenbo Mao, Modern Cryptography theory and practice

Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, “Handbook of Applied

Cryptography”

THANK YOU !