Post on 22-Dec-2015
Zero-Knowledge Proofs
And Their Applications in Cryptographic Systems
ICS 555Cryptography and Data Security
Sultan Almuhammadi
2
Introduction: Zero-knowledge proofs (ZKPs)
To prove the knowledge of a secret without revealing it.
Special form of interactive proofs (IP) between two parties: prover and verifier.
First introduced in 1985 by Goldwasser, Micali and Rackoff, for identification schemes.
Have a wide range of applications in modern cryptographic systems.
3
Introduction: ZKPs
Iterative: run in several rounds
Usually have high cost due to iteration
Cost measures:
Execution-time complexity
Communication cost (# of bits exchanged)
Communication latency (delay)
4
From the Literature: A Toy Example of ZKP
To demonstrate all the features of ZKP
Easy to discuss and visualize
Known as Alibaba’s cave
5
Alibaba’s Cave
Peggy (the prover) wants to prove her knowledge of the secret word of the cave to Victor (the verifier), but without revealing it.
6
Alibaba’s Cave: The Proof
1. Starting at point A
2. Peggy walks all the way to either point C or point D
3. Victor walks to point B
4. Victor asks Peggy to either:
• Come out of the left passage (or)
• Come out of the right passage
5. Peggy does that using the secret word if needed
6. They repeat these steps until Victor is convinced that Peggy knows the secret word
7
Alibaba’s Cave: About The Proof
1. Complete: if Peggy knows the secret word, she can complete the proof successfully.
2. Sound: if she does not know the secret, it is highly unlikely that she passes all the rounds.
3. Zero-knowledge: no matter how many rounds Victor asks for, he cannot learn the secret.
4. Repudiatable (Peggy can repudiate the proof): if Victor videotapes the entire protocol, he cannot convince others that Peggy knows the secret.
5. Non-transferable: Victor cannot use the proof to pretend to be the prover to a third party.
8
Alibaba’s Cave: Number of Rounds
How many rounds are needed?
Completeness: If Peggy knows the secret, she always passes.
Soundness: If Peggy does not know the secret, she can pass with probability 1/2^k, where k is the number of rounds.
Optimal number of rounds k: the minimum k that gives maximum trust in the proof. Let S be the domain of the secret.
E.g. S = {strings of length 4 bits}
9
Alibaba’s Cave: Number of Rounds
What is the optimal number of rounds k? E.g. assume S = {strings of length 4 bits}
[Chart: Prob (pass w/out secret) versus # of rounds k]
k = 1: 1/2
k = 2: 1/4
k = 3: 1/8
k = 4: 1/16
|S| = 2^4 = 16
There are 16 possible secrets
Prob (guess the secret) = 1/16
Optimal k = log2 |S| (the length of the secret in bits)
10
Applications of ZKPs
Identification schemes
Multi-media security and digital watermarks
Network privacy and anonymous communication
Digital cash and off-line digital coin systems
Electronic election
Public-key cryptographic systems
Smart cards
11
Identification Schemes
Identification scheme: a protocol for two parties (User and System) by which the User identifies himself to the System in a secure way, that is, a third party listening to the conversation cannot later impersonate the user.
12
Identification Schemes
Why ZKP? In some applications, it is desirable that the identity of the specific user is kept secret from the system.
E.g. an investor accessing a stock-market database prefers to hide his identity. Knowing which user is interested in the stock of a given company is valuable information.
However, the system must make sure that the user is legitimate (i.e. a subscriber to the service).
13
Example: Identification Scheme
Two modes of identification
Normal-mode: The User reveals his identity to the System.
Private-mode: The identity of the user is kept secret from the system.
14
Example: Identification Scheme
Using ZKP of SAT: Given a boolean formula f, to prove possession of a truth assignment A that satisfies the formula (i.e. without revealing any information whatsoever about A itself or why and how it works).
15
Example: Identification Scheme
Each user i is given a boolean formula f_i and a truth assignment A_i that satisfies f_i.
To log in to the system in normal-mode: User i proves that f_i is satisfiable in zero-knowledge.
To log in to the system in private-mode: Create = f_1 f_2 … f_n. User i proves that is satisfiable in zero-knowledge.
16
Multi-media Security and Digital Watermarks
Digital watermark:
To resolve ownership of media objects
To ensure theft detection in a court of law
Must survive within a media object
Should not be easily removed by attackers
Why ZKP? To prove the existence of a mark without revealing what that mark is. Revealing a watermark within an object leads to subsequent theft by providing attackers with the information they need to remove or claim the watermark.
17
Network Privacy and Anonymous Communication
Why ZKP? To achieve anonymity (as in identification schemes).
Anonymous communication: to hide who communicates with whom. The adversary is allowed to see all the communications but cannot determine the sender (or the receiver).
Examples of applications:
Crime tip hotline
Secret admirer (or criticizing) letter to system admin
Allow employees leaking information to the press from corrupted organizations
18
Digital Cash and Off-line Digital Coin Systems
Why ZKP? To achieve the privacy of the customer.
Security needs:
The bank wants to be able to detect all reuse or forgery of the digital coins.
The vendor requires the assurance of authenticity.
The customer wants the privacy of purchases (the bank cannot track down where the coins are spent, unless the customer reuses/forges them).
Off-line digital coin system: the purchase protocol does not involve the bank.
19
Electronic Election
Why ZKP? To ensure the privacy of the voter.
Electronic voting system: a set of protocols which allow voters to cast ballots while a group of authorities collect the votes and output the final tally.
Requirements:
Security: ensure voting restrictions (e.g. voters can vote for at most one of the given candidates)
Privacy: cannot reveal who votes for what
20
Public-Key Cryptographic Systems
Why ZKP? To set up the scheme and prove it is secure.
Setup:
Each user has a public key and a private key.
A message encrypted with some public key needs the corresponding private key to decrypt it.
It is computationally infeasible to deduce the private key from the public key.
Examples: RSA scheme, ElGamal scheme
21
Public-Key Cryptographic Systems
Why ZKP? To set up the scheme. E.g. in RSA, the modulus should consist of two safe primes; ZKPs are used to prove that a given number is a product of two safe primes without revealing any information whatsoever about these safe prime factors.
23
Definition: Negligible function
f is negligible if for all c > 0 and sufficiently large n, f(n) < n^(-c)
f is nonnegligible if there exists a c > 0 such that for all sufficiently large n, f(n) > n^(-c)
E.g. f(n) = 2^(-n) is negligible in n.
24
Definition: Zero-knowledge Proof
From its name, it has two parts:
Proof: It convinces the verifier with overwhelming probability that the prover knows the secret. It is complete and sound (defined later).
Zero-knowledge: It should not reveal any information about the secret. The transcript of the dialogue should be computationally indistinguishable from the transcript generated by a simulator that simulates the interaction between the prover and the verifier.
25
Definition: Completeness and Soundness
Zero-knowledge proofs are complete and sound:
Completeness property: For any c > 0 and sufficiently long x ∈ L, Probability (V accepts x) > 1 - |x|^(-c)
Soundness property: For any c > 0 and sufficiently long x ∉ L, Probability (V accepts x) < |x|^(-c) (i.e. negligible), even if the prover deviates from the prescribed protocol.
26
Classical Problems
Discrete Log (DL) Problem
Discrete Log over Elliptic Curve (DL-EC)
Square Root Problem (SQRT)
Equality of Two Discrete Logs (DL-AND)
One of Two Discrete Logs (DL-OR)
Multiple-Base Representation (MBR)
Graph Isomorphism Problem
Graph 3-Colorability Problem
Hamiltonian Cycle Problem
Satisfiability (SAT) Problem
27
DL Problem
To prove in zero-knowledge the possession of x such that g^x = b (mod n)
Applications: Multi-media security, Identification schemes, Digital cash, Anonymous communication, Electronic election
28
Graph Isomorphism
Given two graphs G1 = (V1, E1) and G2 = (V2, E2), to prove in zero-knowledge the possession of a permutation π from G1 to G2 such that (u, v) ∈ E1 iff (π(u), π(v)) ∈ E2
Applications: Multi-media security
29
Graph 3-Colorability
Given a graph G = (V, E), to prove in zero-knowledge the possession of a 3-coloring function f such that for all (u, v) ∈ E, f(u) ≠ f(v)
Applications: Digital watermarks
3-colorability is NP-complete; easy to visualize and discuss
30
Square Root Problem
To prove in zero-knowledge the possession of x such that x^2 = b (mod n)
Applications: Digital watermarks, Public-key schemes, Smart cards
31
Requirements of ZKPs
1. Completeness: If the prover knows the secret, the verifier accepts the proof with overwhelming probability.
2. Soundness: If the prover does not know the secret, it is highly unlikely that the verifier accepts the proof.
3. Zero-knowledge: The verifier cannot learn the secret even if he deviates from the protocol.
4. Repudiatability: The prover can repudiate the proof to a third party.
5. Non-transferability: The verifier cannot pretend to be the prover to any third party.
33
Example: ZKP of Graph Isomorphism
0. Peggy (P) knows G1, G2 and π (with G2 = π(G1)); Victor (V) knows G1, G2.
1. P generates a random permutation π'.
2. P sends H = π'(G2) to V.
3. V flips a coin c and sends it to P.
4. If c = Head, P sends π' to V; V checks H = π'(G2).
5. If c = Tail, P sends π' ∘ π to V; V checks H = (π' ∘ π)(G1).
6. Steps 1-5 are repeated until Victor is convinced that Peggy must know π (with probability 1 - 2^(-k), for k iterations).
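The graph-isomorphism protocol above, as an added example in Python (not code from the slides). The two graphs, the secret permutation and the coin flips are constructed here; the cheating prover shows why a single round only halves the chance of fooling Victor, and the composition π' ∘ π is the step that lets Peggy answer Tail without ever revealing π.

```python
import random

# Constructed toy instance: undirected graphs on vertices 0..3, each edge a frozenset {u, v}.
N = 4
G1 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)])
PI = [2, 0, 3, 1]            # Peggy's secret isomorphism: vertex u of G1 -> PI[u] of G2


def apply_perm(perm, edges):
    """Relabel every edge {u, v} as {perm[u], perm[v]}; this is perm(G)."""
    return frozenset(frozenset(perm[w] for w in e) for e in edges)


def compose(outer, inner):
    """(outer o inner)[u] = outer[inner[u]], so applying it to G1 gives outer(inner(G1))."""
    return [outer[inner[u]] for u in range(len(inner))]


G2 = apply_perm(PI, G1)      # public instance; only Peggy knows PI with G2 = PI(G1)


def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return perm


def prover_commit(g2, n, rng):
    """Steps 1-2: choose a fresh random pi' and publish H = pi'(G2)."""
    pi_prime = random_perm(n, rng)
    return pi_prime, apply_perm(pi_prime, g2)


def prover_respond(coin, pi_prime, pi):
    """Steps 4-5: Head reveals pi'; Tail reveals pi' o pi, which maps G1 onto H."""
    return pi_prime if coin == "H" else compose(pi_prime, pi)


def verifier_check(coin, response, h, g1, g2):
    """Victor re-derives H from the revealed permutation and the graph the coin selects."""
    source = g2 if coin == "H" else g1
    return apply_perm(response, source) == h


def run_protocol(g1, g2, pi, n, k, seed=0):
    """k honest rounds; Victor accepts only if every round checks out (completeness)."""
    rng = random.Random(seed)
    for _ in range(k):
        pi_prime, h = prover_commit(g2, n, rng)
        coin = rng.choice("HT")
        if not verifier_check(coin, prover_respond(coin, pi_prime, pi), h, g1, g2):
            return False
    return True


def cheating_round(g1, g2, n, rng):
    """Soundness: a prover who knows no isomorphism must guess the coin before committing.
    Guessing Head it commits pi'(G2), guessing Tail it commits pi'(G1); either way it can
    only answer the coin it guessed, because G1 != G2, so it passes one round with prob 1/2."""
    guess = rng.choice("HT")
    pi_prime = random_perm(n, rng)
    h = apply_perm(pi_prime, g2 if guess == "H" else g1)
    coin = rng.choice("HT")
    return verifier_check(coin, pi_prime, h, g1, g2)


def cheating_success_rate(trials, seed=0):
    rng = random.Random(seed)
    return sum(cheating_round(G1, G2, N, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("honest Peggy, 20 rounds accepted:", run_protocol(G1, G2, PI, N, 20, seed=2015))
    print("cheater passes a single round with rate about", cheating_success_rate(2000, seed=2015))
```

After k rounds the cheater's overall chance is 1/2^k, which is exactly the 1 - 2^(-k) confidence in step 6; what Victor sees in each round is either a random relabelling of G2 or a random relabelling of G1, neither of which depends on π.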
34
Example: ZKP of SQRT: x^2 = b (mod n)
0. Peggy (P) knows b, n, x; Victor (V) knows b, n.
1. P generates random r.
2. P sends s = r^2 mod n to V.
3. V flips a coin c = H or T and sends it to P.
4. If c = H, P sends r to V; V checks r^2 = s (mod n).
5. If c = T, P sends m = r·x to V; V checks m^2 = s·b (mod n).
6. Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with probability 1 - 2^(-k), for k iterations).
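The SQRT protocol above in Python, as an added example rather than code from the slides. The modulus n = 61·53, the secret x and the coin flips are constructed (a real modulus would be hundreds of digits). Beyond the honest run it shows the two sides of the definition slides: a cheating prover that prepares for only one coin value (soundness, 1/2 per round) and a simulator that produces accepting transcripts without x (zero-knowledge, for an honest verifier), using the same trick.

```python
import random
from math import gcd

# Constructed parameters: n = p*q, Peggy's secret root x, public b = x^2 mod n.
P, Q = 61, 53
N = P * Q                    # 3233
X = 1234                     # Peggy's secret
B = pow(X, 2, N)             # public: 13


def random_unit(n, rng):
    """Random r in [1, n) with gcd(r, n) = 1, so r and r*x are invertible mod n."""
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            return r


def prover_commit(n, rng):
    """Steps 1-2: pick random r, send s = r^2 mod n."""
    r = random_unit(n, rng)
    return r, pow(r, 2, n)


def prover_respond(coin, r, x, n):
    """Steps 4-5: Head reveals r; Tail reveals m = r*x mod n."""
    return r if coin == "H" else (r * x) % n


def verifier_check(coin, s, response, b, n):
    """Head: r^2 = s.  Tail: m^2 = r^2 * x^2 = s*b.  Both mod n."""
    expected = s if coin == "H" else (s * b) % n
    return pow(response, 2, n) == expected


def run_protocol(x, b, n, k, seed=0):
    """k rounds with an honest Peggy: accepted whenever she really knows x (completeness)."""
    rng = random.Random(seed)
    for _ in range(k):
        r, s = prover_commit(n, rng)
        coin = rng.choice("HT")
        if not verifier_check(coin, s, prover_respond(coin, r, x, n), b, n):
            return False
    return True


def cheating_round(b, n, rng):
    """Soundness: without x a prover can prepare for one coin only.  Guessing Head it
    commits s = m^2 and reveals m; guessing Tail it picks m first and commits
    s = m^2 * b^-1 mod n, so m^2 = s*b holds although no root of b was ever known."""
    guess = rng.choice("HT")
    m = random_unit(n, rng)
    s = pow(m, 2, n) if guess == "H" else (pow(m, 2, n) * pow(b, -1, n)) % n
    coin = rng.choice("HT")
    return verifier_check(coin, s, m, b, n)


def cheating_success_rate(b, n, trials, seed=0):
    rng = random.Random(seed)
    return sum(cheating_round(b, n, rng) for _ in range(trials)) / trials


def simulate_transcript(b, n, seed=0):
    """Zero-knowledge: a simulator that fixes the coin before the commitment outputs an
    accepting (s, coin, response) distributed like a real transcript with an honest
    verifier: s is a random square of a unit (times b^-1 on Tail), response a random unit."""
    rng = random.Random(seed)
    coin = rng.choice("HT")
    m = random_unit(n, rng)
    s = pow(m, 2, n) if coin == "H" else (pow(m, 2, n) * pow(b, -1, n)) % n
    return s, coin, m


if __name__ == "__main__":
    print("honest Peggy, 24 rounds accepted:", run_protocol(X, B, N, 24, seed=1))
    print("cheater passes one round with rate about", cheating_success_rate(B, N, 2000, seed=3))
    s, c, m = simulate_transcript(B, N, seed=5)
    print("simulated transcript verifies:", verifier_check(c, s, m, B, N))
```

The simulator only works because it may choose the coin before s; the real prover must commit to s first, which is why the order of steps 2 and 3 is what gives the proof its soundness. The `pow(b, -1, n)` call needs Python 3.8 or later.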
35
Example: ZKP of DL: b = g^x (mod n)
0. Peggy (P) knows g, b, n, x; Victor (V) knows g, b, n.
1. Peggy generates random r.
2. P sends h = g^r mod n to V.
3. V flips a coin c = H or T and sends it to P.
4. If c = H, P sends r to V; V checks g^r = h (mod n).
5. If c = T, P sends m = x + r to V; V checks g^m = b·h (mod n).
6. Steps 1-5 are repeated until Victor is convinced that Peggy must know x (with probability 1 - 2^(-k), for k iterations).
36
One-round ZKPs
One-round zero-knowledge proofs eliminate the iteration costs.
One-round ZKPs encapsulate all the requirements of the true ZKP, but in one round.
38
One-Round ZKP of DL: b = g^x (mod n)
0. Peggy (P) knows g, b, n, x; Victor (V) knows g, b, n.
1. V generates a random y.
2. V sends C = g^y (mod n) to P.
3. P sends R = C^x (mod n) to V.
4. V verifies that R = C^x = (g^y)^x = g^(xy) = (g^x)^y = b^y (mod n).
39
Time Complexity
Iterative ZKP: Let t be the length of the secret x in bits. Each round costs O(t^2 log t log log t). Optimal number of rounds = t. Total: O(t^3 log t log log t).
One-round ZKP: O(t^2 log t log log t).
40
Communication Cost
Iterative ZKP: Needs 2 messages of size t in each round. Needs one bit for the coin in each round. Optimal number of rounds = t. Exchanges (2t^2 + t) bits total.
One-round ZKP: Needs 2 messages of size t each. Exchanges 2t bits total.
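Both DL protocols from the slides (the k-round proof and the one-round proof) in Python, with the messages counted as on the communication-cost slide; this is an added example, not the slides' own code. The group (prime p = 1019 with g = 4 of prime order q = 509) and the secret x are constructed. The slides write m = x + r; the example reduces m modulo the order q, which keeps the check g^m = b·h valid and keeps m from growing beyond the size of r.

```python
import random

# Constructed group: p = 2q + 1 with q prime, g of order q, so exponents live in Z_q.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1
X = 123                      # Peggy's secret discrete log
B = pow(G, X, P)             # public: b = g^x mod p


# ---- Iterative ZKP of DL: cut-and-choose, one coin per round ----
def iter_commit(rng):
    """Steps 1-2: random r, send h = g^r."""
    r = rng.randrange(1, Q)
    return r, pow(G, r, P)


def iter_respond(coin, r, x):
    """Steps 4-5: Head reveals r; Tail reveals m = x + r (mod q)."""
    return r if coin == "H" else (x + r) % Q


def iter_check(coin, h, response, b):
    """Head: g^r = h.  Tail: g^m = g^x * g^r = b*h (mod p)."""
    expected = h if coin == "H" else (b * h) % P
    return pow(G, response, P) == expected


def run_iterative(x, b, k, seed=0):
    """Return (accepted, messages, coin_bits): every round carries two messages
    of group-element/exponent size (h and the response) plus one coin bit from V."""
    rng = random.Random(seed)
    messages = coin_bits = 0
    for _ in range(k):
        r, h = iter_commit(rng)
        coin = rng.choice("HT")
        coin_bits += 1
        messages += 2
        if not iter_check(coin, h, iter_respond(coin, r, x), b):
            return False, messages, coin_bits
    return True, messages, coin_bits


# ---- One-round ZKP of DL: V challenges with C = g^y, P answers R = C^x ----
def one_round_challenge(rng):
    """Steps 1-2: V keeps y and sends C = g^y."""
    y = rng.randrange(1, Q)
    return y, pow(G, y, P)


def one_round_respond(c, x):
    """Step 3: R = C^x."""
    return pow(c, x, P)


def one_round_check(r_val, y, b):
    """Step 4: R = C^x = g^(xy) = b^y; V can recompute b^y only because it chose y."""
    return r_val == pow(b, y, P)


def run_one_round(x, b, seed=0):
    """Return (accepted, messages): exactly two messages, C and R."""
    rng = random.Random(seed)
    y, c = one_round_challenge(rng)
    return one_round_check(one_round_respond(c, x), y, b), 2


if __name__ == "__main__":
    t = X.bit_length()                      # optimal k = t rounds for a t-bit secret
    print("iterative (accepted, messages, coin bits):", run_iterative(X, B, t, seed=1))
    print("one-round (accepted, messages):", run_one_round(X, B, seed=1))
```

With k = t rounds the iterative run exchanges 2t messages plus t coin bits, against two messages for the one-round version, matching the (2t^2 + t) versus 2t bit counts above once each message is t bits long. Note that the one-round check depends on Victor knowing y, so C must be generated by Victor as g^y, exactly as step 2 prescribes.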
41
Communication Latency
Let d be the average latency (delay) per message over the network between the two parties