Upcoming SlideShare
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Standard text messaging rates apply

Zero knowledge proofsii

390

Published on

Each grain must hold a charge …

Each grain must hold a charge
When their volume becomes too little, they will no longer be stable & will be influenced by ambient thermal energy
With current technology, this will happen around 130 Gb/in2

0 Likes
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

• Be the first to like this

Views
Total Views
390
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
18
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript

• 1. Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004
• 2. What is a Zero- Knowledge Proof?
• A zero-knowledge proof is a way that a “prover” can prove possession of a certain piece of information to a “verifier” without revealing it.
• This is done by manipulating data provided by the verifier in a way that would be impossible without the secret information in question.
• A third party, reviewing the transcript created, cannot be convinced that either prover or verifier knows the secret.
• 3. The Cave of the Forty Thieves
• 4. The Cave of the Forty Thieves
• 5. Properties of Zero-Knowledge Proofs
• Completeness – A prover who knows the secret information can prove it with probability 1.
• Soundness – The probability that a prover who does not know the secret information can get away with it can be made arbitrarily small.
• 6. An Example: Hamiltonian Cycles
• Peggy the prover would like to show Vic the verifier that an element  is a member of the subgroup of Z n * generated by  , where  has order  . (i.e., does  k =  for some k such that 0 ≤ k ≤  ?)
• Peggy chooses a random j, 0 ≤ j ≤  – 1, and sends Vic  j .
• Vic chooses a random i = 0 or 1, and sends it to Peggy.
• Peggy computes j + ik mod  , and sends it to Vic.
• Vic checks that  j + ik =  j  ik =  j  i .
• They then repeat the above steps log 2 n times.
• If Vic’s final computation checks out in each round, he accepts the proof.
• 7. Complexity Theory
• The last proof works because the problem of solving discrete logarithms is NP-complete (or is believed to be, at any rate).
• It has been shown that all problems in NP have a zero-knowledge proof associated with them.
• 8. Bit Commitments
• “ Flipping a coin down a well”
• “ Flipping a coin by telephone”
• A value of 0 or 1 is committed to by the prover by encrypting it with a one-way function, creating a “blob”. The verifier can then “unwrap” this blob when it becomes necessary by revealing the key.
• 9. Bit Commitment Properties
• Concealing – The verifier cannot determine the value of the bit from the blob.
• Binding – The prover cannot open the blob as both a zero and a one.
• 10. Bit Commitments: An Example
• Let n = pq, where p and q are prime. Let m be a quadratic nonresidue modulo n. The values m and n are public, and the values p and q are known only to Peggy.
• Peggy commits to the bit b by choosing a random x and sending Vic the blob m b x 2 .
• When the time comes for Vic to check the value of the bit, Peggy simply reveals the values b and x.
• Since no known polynomial-time algorithm exists for solving the quadratic residues problem modulo a composite n whose factors are unknown, hence this scheme is computationally concealing.
• On the other hand, it is perfectly binding, since if it wasn’t, m would have to be a quadratic residue, a contradiction.
• 11. Bit Commitments and Zero-Knowledge
• Bit commitments are used in zero-knowledge proofs to encode the secret information.
• For example, zero-knowledge proofs based on graph colorations exist. In this case, bit commitment schemes are used to encode the colors.
• Complex zero-knowledge proofs with large numbers of intermediate steps that must be verified also use bit commitment schemes.
• 12. Computational Assumptions
• A zero-knowledge proof assumes the prover possesses unlimited computational power.
• It is more practical in some cases to assume that the prover’s computational abilities are bounded. In this case, we have a zero-knowledge argument.
• 13. Proof vs. Argument
• Zero-Knowledge Proof:
• Unconditional completeness
• Unconditional soundness
• Computational zero-knowledge
• Unconditionally binding blobs
• Computationally concealing blobs
• Zero-Knowledge Argument:
• Unconditional completeness
• Computational soundness
• Perfect zero-knowledge
• Computationally binding blobs
• Unconditionally concealing blobs
• 14. Applications
• Zero-knowledge proofs can be applied where secret knowledge too sensitive to reveal needs to be verified
• Key authentication
• PIN numbers
• Smart cards
• 15. Limitations
• A zero-knowledge proof is only as good as the secret it is trying to conceal
• Zero-knowledge proofs of identities in particular are problematic
• The Grandmaster Problem
• The Mafia Problem
• etc.
• 16. Research
• I am currently working with Dr. Curtis Barefoot in the NMT Mathematics Dept. on methods of applying zero-knowledge proofs to mathematical induction: Can a prover prove a theorem via induction without revealing any of the steps beyond the base case?
• Possible application of methods developed by Camenisch and Michels (or maybe not?)
• 17. References
• Blum, M., “How to Prove a Theorem So No One Else Can Claim It”, Proceedings of the International Congress of Mathematicians, Berkeley, California, 1986, pp. 1444-1451
• Camenisch, J., M. Michels, “Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes”, Eurocrypt ’99, J. Stern, ed., Lecture Notes in Computer Science 1592, pp. 107-122, Springer-Verlag 1999
• Cramer, R., I. Dåmgard, B. Schoenmakers, “Proofs of Partial Hiding and Simplified Design of Witness Hiding Protocols”, Advances in Cryptology – CRYPTO ’94, Lecture Notes in Computer Science 839, pp. 174-187, Springer-Verlag, 1994
• De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, “On Monotone Formula Closure of SZK”, Proceedings of the 35 th Symposium on the Foundations of Computer Science, pp. 454-465, IEEE, 1994
• Feigenbaum, J., “Overview of Interactive Proof Systems and Zero-Knowledge”, Contemporary Cryptology, G.J. Simmons, ed., pp. 423-440, IEEE Press 1992
• Quisquater, J.J., L. Guillou, T. Berson, “How to Explain Zero-Knowledge Protocols to Your Children”, Advances in Cryptology - CRYPTO ’99, Lecture Notes in Computer Science 435, pp. 628-631, 1990
• Schneier, B., Applied Cryptography (2 nd edition), Wiley, 1996
• Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995