Zero Knowledge Proofs

By
Subha Rajagopalan
Jaisheela Kandagal
 Zero Knowledge Proofs

• Introduction
• Properties of ZKP
• Advantages of ZKP
• Examples
• Fiat-Shamir Identification Protocol
• Real-Time Applications
 Zero Knowledge Proofs (ZKP)

• Goldwasser, Micali, and Rackoff, 1985.

• ZKP instance of Interactive Proof System
• Interactive Proof Systems
– Challenge-Response Authentication
– Prover and Verifier
– Verifier Accepts or Rejects the Prover
 ZKP

• Zero knowledge Transfer between the Prover and

the Verifier
• The verifier accepts or rejects the proof after
multiple challenges and responses
• Probabilistic Proof Protocol
• Overcomes Problems with Password Based
Authentication
 Properties of ZKP

• Completeness
– Succeeds with high probability for a true
assertion given an honest verifier and an honest
prover.

• Soundness
– Fails for any other false assertion, given a
dishonest prover and an honest verifier
 Advantages of ZKP

• As name Suggests – Zero Knowledge Transfer

• Computational Efficiency – No Encryption
• No Degradation of the protocol
• Based on problems like discrete logarithms and
integer factorization
 Classic Example

• Ali Baba’s Cave

Alice has to convince Bob She knows the secret to
open the cave door without telling the secret
(“Open Sesame”).

(source: http://www.rsasecurity.com/rsalabs/faq/2-1-8.html)
 Fiat-Shamir Identification Protocol
• 3 Message Protocol
• Alice A, the Prover and Bob B, the Verifier
A  B : x = r2 mod n
A  B : e  { 0,1}
A  B : y = r * se mod n is y2 = x * ve ?
• A random modulus n, product of two large prime numbers p and q generated by a trusted party
and made public
• Prover chooses secret s relatively prime to n
• prover computes v = s2 mod n, where v is the public key

 
 Fiat-Shamir Identification Protocol

• Alice chooses a random number r (1  r  n-1)

• Sends to Bob x = r2 mod n – commitment
• Bob randomly sends either a 0 or a 1 ( e  { 0,1})
as his challenge
• Depending on the challenge from Bob, Alice
computes the response as y = r if e = 0 or
otherwise y = r*s mod n
• Bob accepts the response upon checking y2  x * ve
mod n
 Fiat-Shamir Identification Protocol
• After many iterations, with a very high probability Bob can verify Alice’s
identity
• Alice’s response does not reveal the secret s (with y = r or y = r* s mod n)
• An intruder can prove Alice’s identity without knowing the secret, if he
knows Bob’s challenge in advance:
– Generate random r
– If expected challenge is 1, send x = r2/v mod n as commitment, and y
= r as response
– If expected challenge is 0, send x = r mod n as commitment
• Probability that any Intruder impersonating the prover can send the right
response is only ½
• Probability reduced as iterations are increased
• Important - Alice should not repeat r
 Applications

• Watermark Verification
– Show the presence of watermark without
revealing information about it
– prevents from removing the watermark and
reselling multiple duplicate copies
• Others – e-voting, e-cash etc.
 Products

• Sky’s VideoCrypt
– Analogue decoding card for satellite DirecTV
descrambler used to authenticate the
subscriber’s card
– Uses Fiat-Shamir Zero Knowledge Protocol
• NGSCB – New Generation Secure Computing
Base
– Zero Knowledge for code attestations
 References
[1] Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone,
Handbook of Applied Cryptography.
[2] Ross Anderson, Security Engineering
[3] Wenbo Mao, Modern Cryptography theory and practice
[4] Don Coppersmith (Ed.), Advances in Cryptology- CRYPTO ’95
Lecture Notes in Computer Science.
[5] www.rsa.com
[6] Oded Goldreich, Silvio Micali and Avi Wigderson, “ Proofs that
yield nothing but their validity and a methodology of
cryptographic protocol design”.
[7] Oren, Y., “ Properties of Zero-knowledge Proofs”.
[8] A Mitropoulos, and H. Meijer, “ Zero-knowledge proofs – a
survey”.