Trng i hc Dn lp Hi Phng B MN CNG NGH THNG TIN

Chng minh khng tit l thng tin ( Zero-knowledge proofs)

Ging vin: KS Trn Ngc Thi Sinh vin thc hin: Nguyn Th Tn L Quang c
Nhm 26: Nguyn Th Tn v L Quang c_CT702

Tng quan:
Chng minh khng tit l thng tin l g? Gii thiu nhng s chng minh tng tc nh ngha Chng minh khng tit l thng tin. Cc thuc tnh ca chng minh khng tit l thng tin. ng dng ca Chng minh khng tit l thng tin:
Giao thc xc minh Feige-Fiat-Shamir. Giao thc xc minh Schnorrs.

Kt lun.
Nhm 26: Nguyn Th Tn v L Quang c_CT702 2

Zero Knowledge Proof l g?

V d n gin:
Hang ng ca Ali Baba.

Alice mun chng minh cho Bob l anh ta bit cch m cnh ca b mt gia R v S.
Bob i ti P Alice i ti R hoc S Bob i ti Q v bo Alice i ti t ca khc ca hang ng. Nu Alice bit c b mt th ln no anh ta cng xut hin t ca ng ca hang.

Image from RSA Labs [1] http://www.rsasecurity.com/rsalabs/node.asp?id=2178

Bob lp li nhiu ln cho n khi anh ta tin rng Alice c th m cnh ca b mt.
3

Nhm 26: Nguyn Th Tn v L Quang c_CT702

Gii thiu v s chng minh tng tc:

Prover (P) th chng minh mt vi s tht kim chng. Verifier (V) chp nhn hoc bc b s chng minh ca Prover. Chng minh s thuyt phc Verifier v mt s khng nh no :
Chng minh rng anh ta bit mt gi tr b mt s.

Vi party khc trong giao thc c cp di y:

1. 2. 3. Nhn mt thng ip t mt party khc Thc hin mt s tnh ton ring. Gi thng ip cho mt party khc.
Nhm 26: Nguyn Th Tn v L Quang c_CT702

Lp t ln qu trnh .
4

Interactive Proof Protocol

Cc u vo ph bin

Gi tr ngu nhin S thch thc

Cc u vo Ph bin

P Prover

V Verifier

S tr li

Lp li t ln

Prover and verifier chia s cc u vo ph bin (Cc hm hoc gi tr) Giao thc tr v Accept cho mi tr li c chp nhn bi Verifier. Ngc li, Giao thc tr v Reject
Nhm 26: Nguyn Th Tn v L Quang c_CT702 5

Cc thuc tnh ca S chng minh tng tc:

S hon thnh:
Verifier chp nhn s chng minh nu s kim chng l True. Gi nh: cc Party tun theo Giao thc.

Tnh vng chc:

Nu thc t l FALSE, Verifier s t chi s chng minh Gi nh: cc Party tun theo Giao thc.
Nhm 26: Nguyn Th Tn v L Quang c_CT702 6

S chng minh tng tc Tnh vng chc v s hon thnh:

S hon thnh:

Prob[(P,V)(x) = Accept | x L]
Tnh vng chc: Prob[(P,V)(x) = Accept | x L] Vi: (,1] [0,)

L l nhn cc gi tr {0,1} (P,V) l mt giao thc chng minh tng tc bao gm P v V

Nhm 26: Nguyn Th Tn v L Quang c_CT702 7

Chnh minh khng tit l thng tin:

Cc trng hp ca chng minh tng tc vi cc thuc tnh ko theo:
S hon thnh Cc nh l ng c th chng minh. Tnh bn vng Cc nh l sai khng c kh nng chng minh. Khng c thng tin ring no ca Prover c tit l vi Verifier thuc tnh khng cng khai ca zero-knowledge.
Nhm 26: Nguyn Th Tn v L Quang c_CT702 8

Thuc tnh Zero Knowledge:

Mt bn ghi c chn ca cc thng ip a ra kt qa t giao thc thc thi Mt simulator l mt gii thut thi gian a thc pht hin cc bn ghi sai(khng c prover) c xc thc l chnh xc.
Random1,Challenge1,Response1,Random2,Challenge2,Respo nse2, , Randomm,Challengem,Responsem

S chng minh tng tc c thuc tnh zero knowledge nu mt simulator tn ti cho chng minh.
Nhm 26: Nguyn Th Tn v L Quang c_CT702 9

Random1,Challenge1,Response1,Random2,Challenge2,Response2, , Randomm,Challengem,Responsem

Lc xc minh:

Quy nh cch thc chng minh bn l ai:

a ra cho bn mt gi tr b mt m khng bc l n. Chng minh tnh xc minh Feige-Fiat-Shamir Giao thc xc minh Schnorrs.

Gi thuyt zero knowledge c s dng cho tt c PKIs( Public-key infrastructurec s h tng kha cng khai)
Bn khng c tit l kha ring ca mnh Tuy nhin phn ln PKIs ch l mt qu trnh n.
Nhm 26: Nguyn Th Tn v L Quang c_CT702 10

Giao thc xc minh Feige-Fiat-Shamir

Mt chng thc ng tin cy c cng b l tr tuyt i ca n tc l tch ca 2 primes ln nht
Cc s nguyn t ca mu 4r+3 (Blum nguyn) Ch nhng kt qu tin cy c xc nhn.

Vi l Prover v B Verifier

Nhm 26: Nguyn Th Tn v L Quang c_CT702

11

Giao thc xc minh Feige-Fiat-Shamir

chng minh n xc minh vi B, giao thc sau y c thc thi

Nhm 26: Nguyn Th Tn v L Quang c_CT702

12

Giao thc xc minh Schnorrs

Hai s nguyn t p v q nh l q|p-1
Thng thng |p| = 1024 v |q| = 160

g bng orderp(g) = q y bng y = g-a (mod p)

Alice chn mt gi tr a sao cho a < q

Kha dng chung ca Alice l (p, q, q, y) c chng nhn bi CA.

Nhm 26: Nguyn Th Tn v L Quang c_CT702 13

Giao thc xc minh ca Schnorr

Bob bit Alice c mt vi aZq vi y g-a (mod p) chng minh cho Bob, cc bc sau c lp log2log2p ln

1. Alice chn k uZq v tnh gk (mod p) m c ta gi cho Bob 2. Bob chn x u {0,1}log2log2p v gi cho Alice 3. Alice tnh y = k + ax (mod q) 4. Bob kim tra gk (mod p) gxgy
Nhm 26: Nguyn Th Tn v L Quang c_CT702 14

Nhn xt:
Trng hp c bit ca chng minh tng tc. Zero knowledge proofs cung cp mt cch chng minh tri thc cho mt ai m khng thay i bt c kin thc b sung cho ngi
C th c dng chng minh s xc minh. Gi thuyt c bn c dung trong tt c PKIs
Nhm 26: Nguyn Th Tn v L Quang c_CT702 15

References
O. Goldreich. Foundations of Cryptography: Basic Tools. USA: Cambridge Press, 2001. D. R. Stinson. Cryptography: Theory and Practice (1st edition). Boca Raton: CRC Press, 1995. W. Mao. Modern Cryptography: Theory and Practice. New Jersey: Prentice Hall, 2003. A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. Boca Raton: CRC Press, 1996. L. Guillou, and J.J. Quisquater. How to Explain Zero-Knowledge Protocols to Your Children. Advances in Cryptology, CRYPTO 1989. G. Simari. A Primer on Zero Knowledge Protocols. http://cs.uns.edu.ar/~gis/publications/zkp-simari2002.pdf M. Tompa. Zero knowledge interactive proofs of knowledge (a digest). Proceedings of the 2nd conference on Theoretical aspects of reasoning about knowledge, 1988. U. Feige, A. Fiat, and A. Shamir. Zero-knowledge proofs of identity. ACM Special Interest Group on Algorithms and Computation Theory (SIGACT), 1987. RSA Laboratories, What are interactive proofs and zero-knowledge proofs? http://www.rsasecurity.com/rsalabs/node.asp?id=2178

Nhm 26: Nguyn Th Tn v L Quang c_CT702

16

Question ???
Tri thc phi n thng qua hnh ng; bn khng th c s th nghim no m khng c tng; v c rt bng th nghim. ~ Sophocles