
Zero knowledge proofsii


Each grain must hold a charge
When their volume becomes too little, they will no longer be stable & will be influenced by ambient thermal energy
With current technology, this will happen around 130 Gb/in²


  1. Zero-Knowledge Proofs. J.W. Pope, M.S. – Mathematics, May 2004
  2. What is a Zero-Knowledge Proof?
     • A zero-knowledge proof is a way that a “prover” can prove possession of a certain piece of information to a “verifier” without revealing it.
     • This is done by manipulating data provided by the verifier in a way that would be impossible without the secret information in question.
     • A third party, reviewing the transcript created, cannot be convinced that either prover or verifier knows the secret.
  3. The Cave of the Forty Thieves
  4. The Cave of the Forty Thieves
  5. Properties of Zero-Knowledge Proofs
     • Completeness – A prover who knows the secret information can prove it with probability 1.
     • Soundness – The probability that a prover who does not know the secret information can get away with it can be made arbitrarily small.
  6. An Example: Hamiltonian Cycles
     • Peggy the prover would like to show Vic the verifier that an element  is a member of the subgroup of Z_n^* generated by  , where  has order  . (i.e., does  k =  for some k such that 0 ≤ k ≤  ?)
     • Peggy chooses a random j, 0 ≤ j ≤  – 1, and sends Vic  j .
     • Vic chooses a random i = 0 or 1, and sends it to Peggy.
     • Peggy computes j + ik mod  , and sends it to Vic.
     • Vic checks that  j + ik =  j  ik =  j  i .
     • They then repeat the above steps log_2 n times.
     • If Vic’s final computation checks out in each round, he accepts the proof.
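The rounds on slide 6, run as code (an added example, not part of the original slides). The slide's symbols did not survive extraction, so the names ALPHA (the generator), ELL (its order), BETA (the element), gamma, the toy parameters and all function names are assumptions; `guessing_round` shows why a prover without k passes each round only half the time.

```python
import random  # fixed seeds for a repeatable demo; real code would use `secrets`

# Constructed toy parameters (assumptions; far too small for real use).
N = 107                    # modulus n; 107 = 2*53 + 1 is prime
ALPHA = 4                  # generates the order-53 subgroup of squares mod 107
ELL = 53                   # order of ALPHA
K = 29                     # Peggy's secret exponent k
BETA = pow(ALPHA, K, N)    # public element claimed to lie in <ALPHA>
ROUNDS = N.bit_length()    # log2(n) rounded up = 7

def verify(gamma, i, h):
    """Vic's check: ALPHA^h == gamma * BETA^i (mod n)."""
    return pow(ALPHA, h, N) == gamma * pow(BETA, i, N) % N

def honest_round(rng):
    """One round with a prover who knows k."""
    j = rng.randrange(ELL)            # Peggy picks j in 0..ELL-1
    gamma = pow(ALPHA, j, N)          # Peggy -> Vic
    i = rng.randrange(2)              # Vic -> Peggy: challenge bit
    h = (j + i * K) % ELL             # Peggy -> Vic
    return verify(gamma, i, h)

def guessing_round(rng):
    """One round with a prover who lacks k and must guess Vic's bit first."""
    guess = rng.randrange(2)
    h = rng.randrange(ELL)
    # gamma is built backwards from h, so it only fits the case i == guess.
    gamma = pow(ALPHA, h, N) * pow(BETA, -guess, N) % N
    i = rng.randrange(2)              # Vic's real challenge
    return verify(gamma, i, h)

def acceptance_rate(round_fn, rounds, trials, seed=0):
    """Fraction of full proofs (every round must pass) that Vic accepts."""
    rng = random.Random(seed)
    accepted = sum(all(round_fn(rng) for _ in range(rounds))
                   for _ in range(trials))
    return accepted / trials

if __name__ == "__main__":
    print("honest prover      :", acceptance_rate(honest_round, ROUNDS, 2000))
    print("guessing, 1 round  :", acceptance_rate(guessing_round, 1, 2000))
    print("guessing, 7 rounds :", acceptance_rate(guessing_round, ROUNDS, 2000))
```

The backwards construction in `guessing_round` is also how a transcript can be produced without k, which is why a recorded transcript convinces no third party.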
  7. Complexity Theory
     • The last proof works because the problem of solving discrete logarithms is NP-complete (or is believed to be, at any rate).
     • It has been shown that all problems in NP have a zero-knowledge proof associated with them.
  8. Bit Commitments
     • “Flipping a coin down a well”
     • “Flipping a coin by telephone”
     • A value of 0 or 1 is committed to by the prover by encrypting it with a one-way function, creating a “blob”. The verifier can then “unwrap” this blob when it becomes necessary by revealing the key.
  9. Bit Commitment Properties
     • Concealing – The verifier cannot determine the value of the bit from the blob.
     • Binding – The prover cannot open the blob as both a zero and a one.
  10. Bit Commitments: An Example
     • Let n = pq, where p and q are prime. Let m be a quadratic nonresidue modulo n. The values m and n are public, and the values p and q are known only to Peggy.
     • Peggy commits to the bit b by choosing a random x and sending Vic the blob m^b x^2.
     • When the time comes for Vic to check the value of the bit, Peggy simply reveals the values b and x.
     • Since no known polynomial-time algorithm exists for solving the quadratic residues problem modulo a composite n whose factors are unknown, this scheme is computationally concealing.
     • On the other hand, it is perfectly binding, since if it weren’t, m would have to be a quadratic residue, a contradiction.
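The commitment on slide 10 as runnable code (an added example, not part of the original slides). The toy primes, both values of m and all function names are assumptions; choosing m with Jacobi symbol +1 is a refinement the slide does not state, shown here against an m with symbol -1 that lets Vic read the bit without knowing the factors.

```python
import math
import random

# Constructed toy parameters (assumptions; real moduli are thousands of bits).
P, Q = 23, 47        # known only to Peggy
N = P * Q            # public
M = 5                # public; nonresidue mod both P and Q, Jacobi symbol +1
M_WEAK = 7           # nonresidue mod N, but Jacobi symbol -1

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; needs no factorisation of n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def commit(b, x, m=M):
    """Peggy's blob m^b * x^2 mod n for bit b and a random unit x."""
    return pow(m, b, N) * pow(x, 2, N) % N

def open_blob(blob, b, x, m=M):
    """Vic's check once Peggy reveals b and x."""
    return b in (0, 1) and math.gcd(x, N) == 1 and commit(b, x, m) == blob

def is_residue(a):
    """Euler's criterion mod P and mod Q; only someone with the factors can run it."""
    return pow(a, (P - 1) // 2, P) == 1 and pow(a, (Q - 1) // 2, Q) == 1

def random_unit(rng):
    while True:
        x = rng.randrange(2, N)
        if math.gcd(x, N) == 1:
            return x

def jacobi_leak(m, rng, trials=2000):
    """Fraction of committed bits Vic recovers from the Jacobi symbol alone."""
    hits = 0
    for _ in range(trials):
        b = rng.randrange(2)
        guess = 0 if jacobi(commit(b, random_unit(rng), m), N) == 1 else 1
        hits += guess == b
    return hits / trials
```

With `M` the leak rate stays near one half (a coin flip), while with `M_WEAK` it is 1.0; `is_residue` shows binding, since every blob for b = 0 is a residue and every blob for b = 1 is not.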
  11. Bit Commitments and Zero-Knowledge
     • Bit commitments are used in zero-knowledge proofs to encode the secret information.
     • For example, zero-knowledge proofs based on graph colorations exist. In this case, bit commitment schemes are used to encode the colors.
     • Complex zero-knowledge proofs with large numbers of intermediate steps that must be verified also use bit commitment schemes.
  12. Computational Assumptions
     • A zero-knowledge proof assumes the prover possesses unlimited computational power.
     • It is more practical in some cases to assume that the prover’s computational abilities are bounded. In this case, we have a zero-knowledge argument.
  13. Proof vs. Argument
     • Zero-Knowledge Proof:
         • Unconditional completeness
         • Unconditional soundness
         • Computational zero-knowledge
         • Unconditionally binding blobs
         • Computationally concealing blobs
     • Zero-Knowledge Argument:
         • Unconditional completeness
         • Computational soundness
         • Perfect zero-knowledge
         • Computationally binding blobs
         • Unconditionally concealing blobs
  14. Applications
     • Zero-knowledge proofs can be applied where secret knowledge too sensitive to reveal needs to be verified
     • Key authentication
     • PIN numbers
     • Smart cards
  15. Limitations
     • A zero-knowledge proof is only as good as the secret it is trying to conceal
     • Zero-knowledge proofs of identities in particular are problematic
     • The Grandmaster Problem
     • The Mafia Problem
     • etc.
  16. Research
     • I am currently working with Dr. Curtis Barefoot in the NMT Mathematics Dept. on methods of applying zero-knowledge proofs to mathematical induction: Can a prover prove a theorem via induction without revealing any of the steps beyond the base case?
     • Possible application of methods developed by Camenisch and Michels (or maybe not?)
  17. References
     • Blum, M., “How to Prove a Theorem So No One Else Can Claim It”, Proceedings of the International Congress of Mathematicians, Berkeley, California, 1986, pp. 1444-1451
     • Camenisch, J., M. Michels, “Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes”, Eurocrypt ’99, J. Stern, ed., Lecture Notes in Computer Science 1592, pp. 107-122, Springer-Verlag, 1999
     • Cramer, R., I. Damgård, B. Schoenmakers, “Proofs of Partial Hiding and Simplified Design of Witness Hiding Protocols”, Advances in Cryptology – CRYPTO ’94, Lecture Notes in Computer Science 839, pp. 174-187, Springer-Verlag, 1994
     • De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, “On Monotone Formula Closure of SZK”, Proceedings of the 35th Symposium on the Foundations of Computer Science, pp. 454-465, IEEE, 1994
     • Feigenbaum, J., “Overview of Interactive Proof Systems and Zero-Knowledge”, Contemporary Cryptology, G.J. Simmons, ed., pp. 423-440, IEEE Press, 1992
     • Quisquater, J.J., L. Guillou, T. Berson, “How to Explain Zero-Knowledge Protocols to Your Children”, Advances in Cryptology - CRYPTO ’99, Lecture Notes in Computer Science 435, pp. 628-631, 1990
     • Schneier, B., Applied Cryptography (2nd edition), Wiley, 1996
     • Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995