You are on page 1of 16

ZERO KNOWLEDGE PROOF

Alma Bregaj
oWHAT IS ZERO KNOWLEDGE PROOF?
INFORMALLY, A ZERO-KNOWLEDGE PROOF IS A PROCEDURE THAT
ALLOWS ALICE TO CONVINCE BOB THAT A CERTAIN FACT IS TRUE
WITHOUT GIVING BOB ANY INFORMATION THAT WOULD LET BOB
CONVINCE OTHER PEOPLE THAT THE FACT IS TRUE.

ZERO-KNOWLEDGE (ZK) PROTOCOL IS AN INSTANCE OF INTERACTIVE


PROOF PROTOCOL. AN INTERACTIVE PROOF PROTOCOL IS ONE THAT
AUTHENTICATES A PROVER TO A VERIFIER USING CHALLENGE-
RESPONSE MECHANISM. IN THIS KIND, THE VERIFIER CAN ACCEPT OR
REJECT THE PROVER AT THE END OF THEIR COMMUNICATION.

GOLDWASSER, MICALI, AND RACKOFF FIRST PUT FORWARD THE BASIC


NOTION OF ZERO-KNOWLEDGE PROOF IN 1985.
ABSTRACT EXAMPLE (ALI BABA’S CAVE)
Alice is the the prover of the statement and Bob the verifier.

Alice can prove that she knows the word to open the door without
telling it to Bob.

•Bob waits outside the cave as Alice goes in.

•She randomly takes either path A or B.

•Bob enters the cave and shouts the name of the path he wants her
to use to return, either A or B, chosen at random.

•If she relly knows the magic word she will open the door and if
.
neccesary ,returns along the desired path.

•If she did not know the word the probability is 50% to return along
the desired path.To convince Bob they repeat this trick n-times (n
is large number).
APPLICATIONS
 Research in zero-knowledge proofs has been motivated by authentication
systems where one party wants to prove its identity to a second party via
some secret information (such as a password) but doesn't want the second
party to learn anything about this secret. This is called a "zero-knowledge
proof of knowledge".

 One of the most fascinating uses of zero-knowledge proofs within


cryptographic protocols is to enforce honest behavior while maintaining
privacy. The idea is to force a user to prove, using a zero-knowledge proof,
that its behavior is correct according to the protocol.

 ZK protocols are used for many real-time applications like authentication,


e-voting, watermark verification, etc.
PROPERTIES OF ZERO-KNOWLEDGE PROOFS

 Completeness: if the statement is true, the honest verifier will be


convinced of this fact by an honest prover.

 Soundness: if the statement is false, no cheating prover can convince


the honest verifier that it is true, except with some small probability.

 Zero-knowledge: if the statement is true, no cheating verifier learns


anything other than this fact. This is formalized by showing that every
cheating verifier has some simulator that, given only the statement to be
proven , can produce a transcript that "looks like" an interaction between
the honest prover and the cheating verifier.
ADVANTAGES OF ZERO-KNOWLEDGE PROOFS

 Zero knowledge transfer – As the verifier does not learn anything


about prover’s secret s , he cannot impersonate the prover to a third
person. Also the prover cannot cheat the verifier with several iterations of
the protocol.

 Efficiency – The computational efficiency of ZK protocol is because of


its interactive proofs nature. The costly computation related to encryption
is avoided.

 Degradation – The security of protocol itself does not get degraded


with continuous use as no information about the secret is divulged.

 Unsolved mathematical assumptions – ZK protocols are based on


various mathematical problems like discrete logarithms and integer
factorization
ZERO KNOWLEDGE PROTOCOLS

 Zero-knowledge protocols, are cryptographic protocols which do not reveal


the information or secret itself during the protocol, or to any
eavesdropper.

 Some ZK protocols are:


 The Fiat-Shamir protocol is the first practical zero-knowledge protocol
with cryptographic applications and is based on the difficulty of factoring.
 A more common variation of the Fiat-Shamir protocol is the Feige-Fiat-
Shamir scheme ,Guillou and Quisquater further improved Fiat-Shamir's
protocol in terms of memory requirements and interaction (the number of
rounds in the protocol).
FIAT-SHAMIR IDENTIFICATION PROTOCOL
FIAT-SHAMIR AUTHENTICATION WITH
ARTIFICIALLY SMALL PARAMETERS
 We know:
 p = 3, q = 7 ⇒ n = 21 is the module.
 v=4
 s2 · v ≡ 1 mod 21 ⇒ 16 · 4 ≡ 1 mod 21 ⇒ s2 = 16 ⇒ s = 4 is
A’s secret.
 Public elements: n = 21, ID, z, v = 4

 Normal authentication
 A knows s = 4, B knows v = 4
 A chooses r = 5 and sends x = r2 mod n = 25 mod 21 = 4
 If B chooses b = 1, A answers with y = r·s = 5·4 = 20
 If B chooses b = 0, A answers with y = 5
 In case b = 1, B verifies ≡ x/v (mod n) ⇒ = 400 ≡ 1 ≡ x/v =
4/4 = 1 OK
 In case b = 0, B verifies ≡ x (mod n) ⇒ = 25 ≡ 4 ≡ x = 4 OK
(CONTINUED)FIAT-SHAMIR AUTHENTICATION
WITH ARTIFICIALLY SMALL PARAMETERS
 Attacker A* doesn’t know s = 4:
 Since no roots can be calculated (because p and q are unknown), he must
assume what the next b will be.
 Assumption b = 1:
 B wants to see ≡ x/v. A* will select y and calculate x. He can’t select x due
to the square root which he can’t calculate.
 So: A* chooses y = 2 and 4 ≡ x/4 ⇒ x = 16 and transmits it.
 If b = 1 indeed, then the protocol round is completed successfully.
 If b = 0, then B will expect = x. A* can’t calculate that due to root
 Assumption b=0:
 B expects ≡ x. A must select y and since y = r mod n and x = mod n, he
must select r.
 Let’s say r = 7. A* sends x = = 49 ≡ 7 mod 21.
 If b = 0 indeed, y = r = 7 and = 49 ≡ 7 = x OK.
 But if b=1, he would have to calculate y such that ≡ x/v ⇒ ≡ 7/4, which is
impossible.

 We see that an attacker can only complete a protocol round with a


probability of 50%. The protocol requires several rounds till it’s
complete, so, with every additional round, the probability of
success for an attacker decreases rapidly.
FEIGE-FIAT-SHAMIR IDENTIFICATION
PROTOCOL
FEIGE-FIAT-SHAMIR PROTOCOL WITH
ARTIFICIALLY SMALL PARAMETERS
 T selects p=683,q=811 and publishes n=pq=553913
 Integers k=3 and t=1 are defied as security
parameters.
 Alice:
 Selects 3 random integers , and 3 bits .
 Computes with .
 Alice’s public key is (441845,338402,124425,553913) and
private key is (157,43215,4646).
 Alice selects r=1279,c=1 and compute x=2598 and
sends this to Bob.
 Bob sends to A the 3-bit vector (0,0,1)
 Alice computes and sends to Bob y=r
 Bob computes and accepts Alice’s identity since z=+x
and z=0.
GUILLOU QUISQUATER PROTOCOL
REAL-TIME APPLICATIONS OF ZERO-
KNOWLEDGE PROOFS

 ZK protocols are used for many real-time applications like authentication, e-


voting, watermark verification, etc. Here, a few of them are mentioned:

 Watermark verification- For watermarking schemes, it is very important to


show the presence of watermark in the image without actually revealing it
.This prevents any malicious user from removing the watermark and reselling
multiple copies of duplicate watermark. Kinoshita Hirotsugu uses zero
knowledge interactive proofs based on Digital Signatures to assert ownership
on an image.

 Sky’s VideoCrypt- Sky’s VideoCryt is an analogue decoding card for satellite


Directv descrambler used to authenticate the subscriber’s card. This uses Fiat-
Shamir Zero Knowledge Protocol. The subscriber center holds the public key,
secret key and the address while the card holds the public key and address.
Every few seconds, the center requests all the cards to authenticate
themselves. Each card which is valid has the algorithm for some function F(x)
in its ROM while the data for F(x) is in EEPROM. As described earlier in Fiat-
Shamir protocol, virtually no knowledge is transferred between F(x) and
EEPROM

 NGSCB -Next Generation Secure Computing Base (NGSCB) is Microsoft’s


proposed secure computing environment to use zero knowledge proofing
techniques to verify authenticity of services and code.
REFERENCES

 A basic intro to VideoCrypt, http://www.heyrick.co.uk/willow/vcrypt.html


 Wikipedia,
 A Mitropoulos, and H. Meijer, “ Zero-knowledge proofs – a survey”
 Gaurav Gain, “ Zero-knowledge proofs: A Survey”
 Oren, Y., “ Properties of Zero-knowledge Proofs”.
 MarkStamp,“NGSCB”,http://www.cs.sjsu.edu/faculty/stamp/CS165/my_ppt/4b_NGS
CB.ppt
 J. -J. Quisquater, L. Gullou, and T Berson, “How to explain zero-knowledge protocols
to a children”
 K. Gopalakrishnan, and Nasir Memon, “Protocols for watermark Verification”
www.cs.ecu.edu/~gopal/water.ps
 Wenbo Mao, Modern Cryptography theory and practice
 Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, “Handbook of Applied
Cryptography”
THANK YOU !