
Zero knowledge proofsii


Each grain must hold a charge
When their volume becomes too little, they will no longer be stable & will be influenced by ambient thermal energy
With current technology, this will happen around 130 Gb/in²


1. Zero-Knowledge Proofs
   J.W. Pope, M.S. – Mathematics, May 2004
2. What is a Zero-Knowledge Proof?
   • A zero-knowledge proof is a way that a “prover” can prove possession of a certain piece of information to a “verifier” without revealing it.
   • This is done by manipulating data provided by the verifier in a way that would be impossible without the secret information in question.
   • A third party, reviewing the transcript created, cannot be convinced that either prover or verifier knows the secret.
3. The Cave of the Forty Thieves
4. The Cave of the Forty Thieves
5. Properties of Zero-Knowledge Proofs
   • Completeness – A prover who knows the secret information can prove it with probability 1.
   • Soundness – The probability that a prover who does not know the secret information can get away with it can be made arbitrarily small.
6. An Example: Hamiltonian Cycles
   • Peggy the prover would like to show Vic the verifier that an element $\beta$ is a member of the subgroup of $\mathbb{Z}_n^*$ generated by $\alpha$, where $\alpha$ has order $\lambda$ (i.e., does $\alpha^k = \beta$ for some $k$ such that $0 \le k \le \lambda$?).
   • Peggy chooses a random $j$, $0 \le j \le \lambda - 1$, and sends Vic $\alpha^j$.
   • Vic chooses a random $i = 0$ or $1$, and sends it to Peggy.
   • Peggy computes $j + ik \bmod \lambda$, and sends it to Vic.
   • Vic checks that $\alpha^{j+ik} = \alpha^j \alpha^{ik} = \alpha^j \beta^i$.
   • They then repeat the above steps $\log_2 n$ times.
   • If Vic’s final computation checks out in each round, he accepts the proof.
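The subgroup-membership protocol of slide 6, together with the soundness property of slide 5, as an added Python example (not part of the original slides). The toy modulus, the names `Peggy`, `Cheater`, `vic_check`, `run_proof` and `gamma` (the value sent first) are assumptions made for illustration; the generator, target element and order are called `ALPHA`, `beta` and `LAM`.

```python
import math
import secrets

# Constructed toy parameters, far too small for real use:
# n = 23 * 47 and alpha = 2, which has order 253 in Z_n^*.
N, ALPHA, LAM = 1081, 2, 253

class Peggy:
    """Honest prover: knows k with ALPHA**k == beta (mod N)."""
    def __init__(self, k):
        self.k = k
    def commit(self):
        self.j = secrets.randbelow(LAM)          # random j, 0 <= j <= LAM - 1
        return pow(ALPHA, self.j, N)             # sends alpha^j
    def respond(self, i):
        return (self.j + i * self.k) % LAM       # sends j + ik mod LAM

class Cheater:
    """Does not know k; bets on Vic's bit before committing."""
    def __init__(self, beta):
        self.beta = beta
    def commit(self):
        self.guess = secrets.randbelow(2)
        self.h = secrets.randbelow(LAM)
        # alpha^h * beta^(-guess): passes Vic's check only if i == guess
        return pow(ALPHA, self.h, N) * pow(self.beta, -self.guess, N) % N
    def respond(self, i):
        return self.h

def vic_check(beta, gamma, i, h):
    """Vic's test: alpha^h == gamma * beta^i, with gamma the value sent first."""
    return pow(ALPHA, h, N) == gamma * pow(beta, i, N) % N

def run_proof(prover, beta, rounds=None):
    """Repeat commit / challenge / response; default is ceil(log2 n) rounds."""
    rounds = rounds or math.ceil(math.log2(N))
    for _ in range(rounds):
        gamma = prover.commit()
        i = secrets.randbelow(2)                 # Vic's random bit
        if not vic_check(beta, gamma, i, prover.respond(i)):
            return False
    return True

if __name__ == "__main__":
    beta = pow(ALPHA, 101, N)                    # constructed secret k = 101
    print("honest prover accepted:", run_proof(Peggy(101), beta))
    wins = sum(run_proof(Cheater(beta), beta, rounds=1) for _ in range(2000))
    print("cheater passes one round about half the time:", wins / 2000)
```

The cheater's trick only works when the challenge bit is known before committing, which is also why a recorded transcript convinces no third party: anyone can produce one by choosing the bits first.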
7. Complexity Theory
   • The last proof works because the problem of solving discrete logarithms is NP-complete (or is believed to be, at any rate).
   • It has been shown that all problems in NP have a zero-knowledge proof associated with them.
8. Bit Commitments
   • “Flipping a coin down a well”
   • “Flipping a coin by telephone”
   • A value of 0 or 1 is committed to by the prover by encrypting it with a one-way function, creating a “blob”. The verifier can then “unwrap” this blob when it becomes necessary by revealing the key.
9. Bit Commitment Properties
   • Concealing – The verifier cannot determine the value of the bit from the blob.
   • Binding – The prover cannot open the blob as both a zero and a one.
10. Bit Commitments: An Example
   • Let $n = pq$, where $p$ and $q$ are prime. Let $m$ be a quadratic nonresidue modulo $n$. The values $m$ and $n$ are public, and the values $p$ and $q$ are known only to Peggy.
   • Peggy commits to the bit $b$ by choosing a random $x$ and sending Vic the blob $m^b x^2$.
   • When the time comes for Vic to check the value of the bit, Peggy simply reveals the values $b$ and $x$.
   • Since no known polynomial-time algorithm exists for solving the quadratic residues problem modulo a composite $n$ whose factors are unknown, this scheme is computationally concealing.
   • On the other hand, it is perfectly binding, since if it weren’t, $m$ would have to be a quadratic residue, a contradiction.
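The quadratic-residue bit commitment of slide 10, as an added Python example (not part of the original slides). The toy primes, the choice of `M` as a nonresidue modulo both primes, and the function names are assumptions made for illustration; the blob is reduced modulo `N`.

```python
import math
import secrets

# Constructed toy parameters, far too small for real use.
P, Q = 23, 47          # Peggy's secret primes
N = P * Q              # public modulus
M = 5                  # public; a nonresidue modulo both P and Q (assumed here)

def is_square(a, prime):
    """Euler's criterion: a is a nonzero square modulo an odd prime."""
    return pow(a, (prime - 1) // 2, prime) == 1

def commit(b):
    """Peggy: return (blob, x) with blob = M^b * x^2 mod N for a random unit x."""
    while True:
        x = secrets.randbelow(N - 1) + 1
        if math.gcd(x, N) == 1:
            return pow(M, b, N) * x * x % N, x

def verify_opening(blob, b, x):
    """Vic: recompute the blob from the revealed b and x."""
    return b in (0, 1) and math.gcd(x, N) == 1 and blob == pow(M, b, N) * x * x % N

def bit_from_factors(blob):
    """Only someone holding P and Q can read the bit: squares encode 0."""
    return 0 if is_square(blob, P) and is_square(blob, Q) else 1

def blob_sets():
    """Enumerate every possible blob for b = 0 and b = 1 (toy modulus only)."""
    units = [x for x in range(1, N) if math.gcd(x, N) == 1]
    zeros = {x * x % N for x in units}
    ones = {M * x * x % N for x in units}
    return zeros, ones

if __name__ == "__main__":
    zeros, ones = blob_sets()
    print("blobs that open both ways:", len(zeros & ones))   # binding
    blob, x = commit(1)
    print("opens as 1:", verify_opening(blob, 1, x), "as 0:", verify_opening(blob, 0, x))
```

The two blob sets never intersect, which is the binding property; `bit_from_factors` shows that concealment rests entirely on the factorization of `N` staying unknown to whoever holds the blob.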
11. Bit Commitments and Zero-Knowledge
   • Bit commitments are used in zero-knowledge proofs to encode the secret information.
   • For example, zero-knowledge proofs based on graph colorations exist. In this case, bit commitment schemes are used to encode the colors.
   • Complex zero-knowledge proofs with large numbers of intermediate steps that must be verified also use bit commitment schemes.
12. Computational Assumptions
   • A zero-knowledge proof assumes the prover possesses unlimited computational power.
   • It is more practical in some cases to assume that the prover’s computational abilities are bounded. In this case, we have a zero-knowledge argument.
13. Proof vs. Argument
   • Zero-Knowledge Proof:
      • Unconditional completeness
      • Unconditional soundness
      • Computational zero-knowledge
      • Unconditionally binding blobs
      • Computationally concealing blobs
   • Zero-Knowledge Argument:
      • Unconditional completeness
      • Computational soundness
      • Perfect zero-knowledge
      • Computationally binding blobs
      • Unconditionally concealing blobs
14. Applications
   • Zero-knowledge proofs can be applied where secret knowledge too sensitive to reveal needs to be verified
      • Key authentication
      • PIN numbers
      • Smart cards
15. Limitations
   • A zero-knowledge proof is only as good as the secret it is trying to conceal
   • Zero-knowledge proofs of identities in particular are problematic
      • The Grandmaster Problem
      • The Mafia Problem
      • etc.
16. Research
   • I am currently working with Dr. Curtis Barefoot in the NMT Mathematics Dept. on methods of applying zero-knowledge proofs to mathematical induction: Can a prover prove a theorem via induction without revealing any of the steps beyond the base case?
   • Possible application of methods developed by Camenisch and Michels (or maybe not?)
17. References
   • Blum, M., “How to Prove a Theorem So No One Else Can Claim It”, Proceedings of the International Congress of Mathematicians, Berkeley, California, 1986, pp. 1444-1451
   • Camenisch, J., M. Michels, “Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes”, Eurocrypt ’99, J. Stern, ed., Lecture Notes in Computer Science 1592, pp. 107-122, Springer-Verlag, 1999
   • Cramer, R., I. Damgård, B. Schoenmakers, “Proofs of Partial Hiding and Simplified Design of Witness Hiding Protocols”, Advances in Cryptology – CRYPTO ’94, Lecture Notes in Computer Science 839, pp. 174-187, Springer-Verlag, 1994
   • De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, “On Monotone Formula Closure of SZK”, Proceedings of the 35th Symposium on the Foundations of Computer Science, pp. 454-465, IEEE, 1994
   • Feigenbaum, J., “Overview of Interactive Proof Systems and Zero-Knowledge”, Contemporary Cryptology, G.J. Simmons, ed., pp. 423-440, IEEE Press, 1992
   • Quisquater, J.J., L. Guillou, T. Berson, “How to Explain Zero-Knowledge Protocols to Your Children”, Advances in Cryptology – CRYPTO ’99, Lecture Notes in Computer Science 435, pp. 628-631, 1990
   • Schneier, B., Applied Cryptography (2nd edition), Wiley, 1996
   • Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995