Your SlideShare is downloading. ×

Zero knowledge proofsii


Published on

Each grain must hold a charge …

Each grain must hold a charge
When their volume becomes too little, they will no longer be stable & will be influenced by ambient thermal energy
With current technology, this will happen around 130 Gb/in2

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004
  • 2. What is a Zero- Knowledge Proof?
    • A zero-knowledge proof is a way that a “prover” can prove possession of a certain piece of information to a “verifier” without revealing it.
    • This is done by manipulating data provided by the verifier in a way that would be impossible without the secret information in question.
    • A third party, reviewing the transcript created, cannot be convinced that either prover or verifier knows the secret.
  • 3. The Cave of the Forty Thieves
  • 4. The Cave of the Forty Thieves
  • 5. Properties of Zero-Knowledge Proofs
    • Completeness – A prover who knows the secret information can prove it with probability 1.
    • Soundness – The probability that a prover who does not know the secret information can get away with it can be made arbitrarily small.
  • 6. An Example: Hamiltonian Cycles
    • Peggy the prover would like to show Vic the verifier that an element  is a member of the subgroup of Z n * generated by  , where  has order  . (i.e., does  k =  for some k such that 0 ≤ k ≤  ?)
    • Peggy chooses a random j, 0 ≤ j ≤  – 1, and sends Vic  j .
    • Vic chooses a random i = 0 or 1, and sends it to Peggy.
    • Peggy computes j + ik mod  , and sends it to Vic.
    • Vic checks that  j + ik =  j  ik =  j  i .
    • They then repeat the above steps log 2 n times.
    • If Vic’s final computation checks out in each round, he accepts the proof.
  • 7. Complexity Theory
    • The last proof works because the problem of solving discrete logarithms is NP-complete (or is believed to be, at any rate).
    • It has been shown that all problems in NP have a zero-knowledge proof associated with them.
  • 8. Bit Commitments
    • “ Flipping a coin down a well”
    • “ Flipping a coin by telephone”
    • A value of 0 or 1 is committed to by the prover by encrypting it with a one-way function, creating a “blob”. The verifier can then “unwrap” this blob when it becomes necessary by revealing the key.
  • 9. Bit Commitment Properties
    • Concealing – The verifier cannot determine the value of the bit from the blob.
    • Binding – The prover cannot open the blob as both a zero and a one.
  • 10. Bit Commitments: An Example
    • Let n = pq, where p and q are prime. Let m be a quadratic nonresidue modulo n. The values m and n are public, and the values p and q are known only to Peggy.
    • Peggy commits to the bit b by choosing a random x and sending Vic the blob m b x 2 .
    • When the time comes for Vic to check the value of the bit, Peggy simply reveals the values b and x.
    • Since no known polynomial-time algorithm exists for solving the quadratic residues problem modulo a composite n whose factors are unknown, hence this scheme is computationally concealing.
    • On the other hand, it is perfectly binding, since if it wasn’t, m would have to be a quadratic residue, a contradiction.
  • 11. Bit Commitments and Zero-Knowledge
    • Bit commitments are used in zero-knowledge proofs to encode the secret information.
    • For example, zero-knowledge proofs based on graph colorations exist. In this case, bit commitment schemes are used to encode the colors.
    • Complex zero-knowledge proofs with large numbers of intermediate steps that must be verified also use bit commitment schemes.
  • 12. Computational Assumptions
    • A zero-knowledge proof assumes the prover possesses unlimited computational power.
    • It is more practical in some cases to assume that the prover’s computational abilities are bounded. In this case, we have a zero-knowledge argument.
  • 13. Proof vs. Argument
    • Zero-Knowledge Proof:
    • Unconditional completeness
    • Unconditional soundness
    • Computational zero-knowledge
    • Unconditionally binding blobs
    • Computationally concealing blobs
    • Zero-Knowledge Argument:
    • Unconditional completeness
    • Computational soundness
    • Perfect zero-knowledge
    • Computationally binding blobs
    • Unconditionally concealing blobs
  • 14. Applications
    • Zero-knowledge proofs can be applied where secret knowledge too sensitive to reveal needs to be verified
    • Key authentication
    • PIN numbers
    • Smart cards
  • 15. Limitations
    • A zero-knowledge proof is only as good as the secret it is trying to conceal
    • Zero-knowledge proofs of identities in particular are problematic
    • The Grandmaster Problem
    • The Mafia Problem
    • etc.
  • 16. Research
    • I am currently working with Dr. Curtis Barefoot in the NMT Mathematics Dept. on methods of applying zero-knowledge proofs to mathematical induction: Can a prover prove a theorem via induction without revealing any of the steps beyond the base case?
    • Possible application of methods developed by Camenisch and Michels (or maybe not?)
  • 17. References
    • Blum, M., “How to Prove a Theorem So No One Else Can Claim It”, Proceedings of the International Congress of Mathematicians, Berkeley, California, 1986, pp. 1444-1451
    • Camenisch, J., M. Michels, “Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes”, Eurocrypt ’99, J. Stern, ed., Lecture Notes in Computer Science 1592, pp. 107-122, Springer-Verlag 1999
    • Cramer, R., I. Dåmgard, B. Schoenmakers, “Proofs of Partial Hiding and Simplified Design of Witness Hiding Protocols”, Advances in Cryptology – CRYPTO ’94, Lecture Notes in Computer Science 839, pp. 174-187, Springer-Verlag, 1994
    • De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, “On Monotone Formula Closure of SZK”, Proceedings of the 35 th Symposium on the Foundations of Computer Science, pp. 454-465, IEEE, 1994
    • Feigenbaum, J., “Overview of Interactive Proof Systems and Zero-Knowledge”, Contemporary Cryptology, G.J. Simmons, ed., pp. 423-440, IEEE Press 1992
    • Quisquater, J.J., L. Guillou, T. Berson, “How to Explain Zero-Knowledge Protocols to Your Children”, Advances in Cryptology - CRYPTO ’99, Lecture Notes in Computer Science 435, pp. 628-631, 1990
    • Schneier, B., Applied Cryptography (2 nd edition), Wiley, 1996
    • Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995