
Zero-Knowledge Proofs and Fiat-Shamir ID Protocol
Christian Peel
chris.peel@ieee.org

What the #$%!! is a Zero-Knowledge Proof?

Alice wants to prove to Bob that she knows a secret without revealing what it is!

Bob also wants to believe Alice's proof

Solution is probabilistic; Bob can trust Alice's proof with high confidence
A Cave Like Ali Baba's

A cave has a circular shape, with a locked door at the far side, away from the entrance

From "How to Explain Zero-Knowledge Protocols to Your Children", by Quisquater et al.
Alice and Bob in a Cave

Alice wants to prove to Bob that she knows the magic password to a door in a cave

1. Alice randomly takes path A or B, while Bob waits outside
2. Bob yells to Alice to tell her which route to exit by
3. If needed, Alice opens, then re-locks the door. She reliably exits by the path that Bob requests
More on Alice and Bob in a Cave

If Alice doesn't know the password, she will only be able to return by the correct path half of the time, and with multiple tries, Bob will (hopefully) decide that she's a liar

Bob can know that after N successful tries, the probability that Alice is lying is 1/2^N

Feige-Fiat-Shamir Identification Protocol

Feige, Fiat, and Shamir are Israeli computer scientists (what is up with all the Israeli cryptographers?!!)

They got grief from the US Patent office who wanted to keep the technique we describe here a secret, but it blew over quickly :-)

Shamir is the S in RSA

It's the same scenario as the cave, except that instead of a secret password, Alice has some secret numbers s_i that she wants to prove that she has, without revealing the numbers
Background for Following

The notation y = x mod n means y is the remainder after dividing x by n

Given two large primes p, q, and n = pq, it is hard to find sqrt(x) mod n without knowing p or q

Numbers a and b are coprime if the only positive number that divides them both is 1
FFS Initialization

Relies on some trusted person (the maker of the door in the cave, or Mallory to the left)

Chooses two large primes p and q, and creates the product n = pq

Creates a secret s that is coprime to n. Sends this to Alice

Computes v = s^2 mod n. Sends this to Bob
FFS Procedure

1. Alice chooses a random integer r and a sign c (-1 or 1), and computes x = c r^2 mod n. Alice sends x to Bob
2. Bob chooses a from {0,1} and sends a to Alice
3. Alice computes y = r s^a mod n and sends this to Bob
4. Bob checks that y^2 = +/- x v^a mod n

Repeat this with different r, a values until Bob is satisfied
Example from Mohr

p=5, q=7, n=pq=35; Alice picks s = 16, so v = 16^2 mod 35 = 11

First Step

Alice selects r=10, c=1, sends x = 10^2 mod 35 = 30 to Bob

Bob selects e=0 (the challenge bit called a in the procedure above), so y=10, and verifies y*y mod 35 = 30 = x

Second Step

Alice selects r=20, c=1, sends x = 20^2 mod 35 = 15 to Bob

Bob selects e=1, so y = 20*16 mod 35 = 5, and Bob verifies y*y = 25 = x*v mod 35


% Matlab code for Fiat-Shamir (toy sizes: the "large" primes here are below 16)
Nmx = 16;
pv = primes(Nmx);
Np = length(pv);

% Choose two primes p,q and create n=p*q
p = pv(ceil(rand*Np));
q = pv(ceil(rand*Np));
n = p*q;

% Choose s to be coprime to n, i.e. gcd(n,s)=1, by building it from other primes
pv = setdiff(setdiff(pv,p),q);
Ns = length(pv);
ps = pv(ceil(rand*Ns));
qs = pv(ceil(rand*Ns));
s = ps*qs;

if gcd(s,n)~=1
    error('choose better s')
end

% Trent creates v = rem(s^2,n) and sends v to Bob
v = rem(s*s,n);
% Alice creates random integer r and sign c (+1 or -1), and sends x=rem(c*r^2,n) to Bob
r = ceil(rand*Nmx);
c = 2*round(rand)-1;
x = rem(c*r*r,n);
% Bob chooses a from {0,1} and sends it to Alice
a = round(rand);
% Alice computes y = rem(r*s^a,n) and sends it to Bob
y = rem(r*s^a,n);
% Bob checks that y^2 = +/- x*v^a mod n (rem keeps the sign of x, hence the abs)
yy = rem(y*y,n);
xva = rem(x*v^a,n);

if yy ~= abs(xva)
    error('Feige-Fiat-Shamir fails!')
end
Applications

Anonymous currency (Zerocash): Prove that you have a coin, without exposing your (pseudo) identity

Prove that some transaction occurred, without exposing more details than you want

Prove that you have at least N coins in your account, without disclosing the exact balance

Voting: Proof that your vote was recorded accurately, without exposing your identity

Prove that you have a credit score or reputation value of at least N, without disclosing your identity or exact credit score / reputation
Notes

Ethereum: I'll talk more about this in another talk

Interactive proofs described here; Zerocash uses non-interactive proofs

ZKPs have a formal mathematical foundation that I did not go into
References

"Zero Knowledge Twenty Years After Its Introduction", by Oded Goldreich

"How to Explain Zero-Knowledge Protocols to Your Children", by Frenchies

"A Survey of Zero-Knowledge Proofs with Applications to Cryptography", by Austin Mohr

"Alice and Bob" on Wikipedia
