Introduction to Zero Knowledge Proofs
Presenter: Mohammad Hossein Rohban
Oded Goldreich, Adi Shamir, Amos Fiat
“Knowledge is related to computational difficulty, whereas information is not”. O. Goldreich
Computer Engineering Department
Introduction
• Alice and Bob model
• Security requirements and assumptions
• Motivation for ZK proofs:
• When Alice and Bob do not trust each other, two requirements must be met:
• Bob wants to make sure that an impostor cannot successfully masquerade as Alice.
• Alice wants to make sure that her secret remains secure.
Topics of Discussion
• Some problems, including:
• Graph Isomorphism
• Ali Baba’s Cave
• Discrete Logarithm problem
• Hamiltonian cycle
• 3-Coloring
• Commitment schemes
• Definition of one-way functions
• Formal definition of the NP and NP-complete classes
Graph Isomorphism
• Alice claims to know an isomorphism φ between G and H (that is, φ(G) = H) and wants to prove it to Bob without giving him the permutation.
• Characteristics of the problem
• Solution:
• Alice chooses a random permutation π on n vertices, sends G1 = π(G) to Bob and asks him to choose one of the following:
• Send Bob σ = φ ∘ π⁻¹ and let him check whether σ(G1) = H
• Send Bob σ = π⁻¹ and let him check whether σ(G1) = G
• Repeat the protocol p(k) times, where p is a polynomial.
• The probability that Alice lied and still succeeded in convincing Bob is 2^−p(k), which is negligible in k.
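The graph-isomorphism protocol on this slide, written out as a small simulation (added example, not code from the lecture). Graphs, the isomorphism PHI and the verifier's coin flips are constructed sample input; Bob's challenges are passed in as a list so that the run is reproducible, whereas in the real protocol each challenge is a fresh random bit. The cheating prover shows why one round only catches a liar with probability 1/2: it can prepare an answer for one challenge, never for both.

```python
import random

# Undirected graphs are frozensets of edges; each edge is a frozenset of two
# vertices in range(n). All graphs and permutations here are constructed samples.

def apply_perm(perm, edges):
    """Relabel every vertex v of the graph as perm[v]."""
    return frozenset(frozenset(perm[v] for v in e) for e in edges)

def invert(perm):
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv

def compose(outer, inner):
    """(outer o inner)(v) = outer[inner[v]]."""
    return [outer[inner[v]] for v in range(len(inner))]

class HonestProver:
    """Alice knows phi with phi(G) = H."""
    def __init__(self, G, phi):
        self.G, self.phi = G, phi
    def commit(self, rng):
        self.pi = list(range(len(self.phi)))
        rng.shuffle(self.pi)                         # fresh random pi each round
        return apply_perm(self.pi, self.G)           # G1 = pi(G)
    def respond(self, challenge):
        if challenge == 0:
            return invert(self.pi)                   # sigma = pi^-1, so sigma(G1) = G
        return compose(self.phi, invert(self.pi))    # sigma = phi o pi^-1, so sigma(G1) = H

class CheatingProver:
    """Knows no isomorphism. Guesses the challenge in advance and commits to a
    random relabelling of G (guess 0) or of H (guess 1); the other challenge
    would require the isomorphism it does not have."""
    def __init__(self, G, H, guess):
        self.G, self.H, self.guess = G, H, guess
        self.n = len({v for e in G for v in e} | {v for e in H for v in e})
    def commit(self, rng):
        self.pi = list(range(self.n))
        rng.shuffle(self.pi)
        return apply_perm(self.pi, self.G if self.guess == 0 else self.H)
    def respond(self, challenge):
        if challenge != self.guess:
            return None
        return invert(self.pi)

def run_protocol(G, H, prover, challenges, seed=0):
    """Bob's side. `challenges` lists his coin flips: 0 = show sigma(G1) = G,
    1 = show sigma(G1) = H. Returns True only if every round checks out."""
    rng = random.Random(seed)
    for ch in challenges:
        G1 = prover.commit(rng)
        sigma = prover.respond(ch)
        target = G if ch == 0 else H
        if sigma is None or apply_perm(sigma, G1) != target:
            return False
    return True

# Constructed sample: a 4-cycle with one chord, and H = phi(G).
G = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)])
PHI = [2, 0, 3, 1]
H = apply_perm(PHI, G)

if __name__ == "__main__":
    print(run_protocol(G, H, HonestProver(G, PHI), [0, 1, 1, 0, 1, 0]))   # True
    print(run_protocol(G, H, CheatingProver(G, H, 0), [0, 0, 1]))         # False
```

Note that Bob never sees φ itself: in a challenge-0 round he receives only π⁻¹ (a uniformly random permutation), and in a challenge-1 round only φ ∘ π⁻¹, which is again uniformly distributed because π is. The cheater with a fixed guess survives a round exactly when the guess matches Bob's bit, which is where the 2^−p(k) bound on the slide comes from.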
Ali Baba’s Cave
• Alice claims to know the secret password of the door in the picture and wants to prove it.
• Bob asks Alice to go either right or left and stand near the door.
• Bob then comes to where Alice stood and chooses a random bit b. If b is 1 he asks Alice to come out of the right branch, otherwise out of the left branch.
• Repeat the protocol p(k) times, where p is a polynomial.
• The probability that Alice lied and still succeeded in convincing Bob is 2^−p(k), which is negligible in k.
Discrete Logarithm Problem
• Alice claims to know the value of x in the equation g^x ≡ b (mod n)
• But she does not want to give x to Bob!
• Solution:
• Alice takes a random number r, computes c = g^r mod n, sends it to Bob and asks him to choose one of the following:
• Ask Alice to send r and let him check that c = g^r mod n.
• Ask Alice to send d = x + r and let him check whether g^d ≡ b·c (mod n).
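The discrete-logarithm protocol from this slide as a runnable simulation (added example, not code from the lecture). The group parameters are constructed: p = 23 is prime and g = 5 generates the full multiplicative group mod 23, so exponents are reduced modulo p − 1 (the slide writes the modulus as n). Two cheating strategies are included to show that someone who does not know x can still satisfy either single check, but never both, which is why Bob opens only one per round.

```python
import random

# Constructed parameters: 5 is a primitive root mod 23, so the exponent group
# has order 22 and d = x + r is taken modulo 22.
P, G_GEN = 23, 5
ORDER = P - 1

class HonestProver:
    """Alice knows x with g^x = b (mod p)."""
    def __init__(self, x):
        self.x = x
        self.b = pow(G_GEN, x, P)
    def commit(self, rng):
        self.r = rng.randrange(ORDER)
        return pow(G_GEN, self.r, P)               # c = g^r mod p
    def respond(self, challenge):
        if challenge == 0:
            return self.r                          # Bob checks c == g^r
        return (self.x + self.r) % ORDER           # d = x + r; Bob checks g^d == b*c

class CheatingProver:
    """Knows b but not x.
    guess 0: commit honestly to g^r and hope to be asked for r only.
    guess 1: choose d first and set c = g^d * b^-1, so only the b*c check passes."""
    def __init__(self, b, guess):
        self.b, self.guess = b, guess
    def commit(self, rng):
        self.r = rng.randrange(ORDER)
        if self.guess == 0:
            return pow(G_GEN, self.r, P)
        self.d = rng.randrange(ORDER)
        b_inv = pow(self.b, -1, P)                 # modular inverse (Python 3.8+)
        return pow(G_GEN, self.d, P) * b_inv % P
    def respond(self, challenge):
        if challenge != self.guess:
            return None                            # would need x to answer
        return self.r if challenge == 0 else self.d

def run_protocol(b, prover, challenges, seed=0):
    """Bob's side; `challenges` are his coin flips (fresh random bits in practice)."""
    rng = random.Random(seed)
    for ch in challenges:
        c = prover.commit(rng)
        ans = prover.respond(ch)
        if ans is None:
            return False
        if ch == 0 and pow(G_GEN, ans, P) != c:
            return False
        if ch == 1 and pow(G_GEN, ans, P) != b * c % P:
            return False
    return True

SECRET_X = 7
PUBLIC_B = pow(G_GEN, SECRET_X, P)   # 5^7 mod 23 = 17

if __name__ == "__main__":
    print(run_protocol(PUBLIC_B, HonestProver(SECRET_X), [0, 1, 1, 0]))   # True
    print(run_protocol(PUBLIC_B, CheatingProver(PUBLIC_B, 0), [0, 1]))    # False
```

Because r is uniform in the exponent group, d = x + r mod (p − 1) is itself uniform and carries no information about x on its own; only the pair (r, d) from the same round would reveal x = d − r, and the protocol never opens both. A real deployment would use a group of large prime order rather than these toy parameters.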
Commitment Scheme
• Loosely speaking, a commitment scheme lets a party in a protocol choose a value from some finite set and commit to that choice so that he can no longer change his mind.
• Hiding property: the verifier cannot get any useful information from the prover until the prover opens the commitment for him.
• Binding property: the prover cannot change his mind about what he sent.
Formal Definition
• A commitment scheme is a probabilistic polynomial-time algorithm called a generator. It takes as input 1^L, where L is a security parameter, and outputs a description of a function Commit : {0,1}^L × {0,1} → {0,1}^L
• Unconditional binding/hiding
• Computational binding/hiding
One-Way Functions
• Informally, functions that are easy to compute but whose inverses are hard to compute.
• More formally, f is one-way if:
• f : {0,1}* → {0,1}*
• there exists a deterministic polynomial-time algorithm that computes f
• for every probabilistic polynomial-time algorithm A and every polynomial p (for all sufficiently large n): Pr[A(f(U_n), 1^n) ∈ f⁻¹(f(U_n))] < 1/p(n), where U_n is uniformly distributed over {0,1}^n
Theorems
• If one-way functions exist, then commitment schemes with unconditional binding and computational hiding exist.
• Unconditional binding and unconditional hiding cannot both be achieved in the same commitment scheme.
Hamiltonian Cycle
• Alice knows a Hamiltonian cycle in G(V, E) and wants to prove this to Bob.
• What is the solution?
3-Coloring
• The teacher gave Alice and Bob a random graph with many vertices.
• He asks them to color it with 3 colors.
• Alice claims that she has done this task, but does not want to reveal the coloring to Bob.
• What is the solution?
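The following added example (not code from the lecture) serves the Commitment Scheme slides and the 3-Coloring question together: it builds a hash-based commitment and then runs the standard commit-an-edge protocol for 3-Colorability with it. The commitment is SHA-256 over a fresh 16-byte nonce and the colour; treating that as hiding and binding is an assumption about SHA-256, and both properties are computational rather than unconditional. The graph, the colorings and Bob's edge choices are constructed sample input, and `is_proper_coloring` is the polynomial-time relation R_L that a later slide describes for languages in NP.

```python
import hashlib
import random
import secrets

def commit(value, nonce):
    """Commitment H(nonce || value) to a colour in {0,1,2}.
    Assumption: SHA-256 is collision resistant (binding) and, with a fresh
    random nonce, reveals nothing about `value` (hiding)."""
    return hashlib.sha256(nonce + bytes([value])).digest()

def verify_opening(com, value, nonce):
    return commit(value, nonce) == com

def is_proper_coloring(edges, coloring):
    """The NP relation for 3-Colorability: checkable in time linear in |E|."""
    return all(coloring[u] in (0, 1, 2) and coloring[v] in (0, 1, 2)
               and coloring[u] != coloring[v] for u, v in edges)

class ColoringProver:
    """Alice holds a (claimed) 3-coloring and never reveals it as a whole."""
    def __init__(self, coloring):
        self.coloring = coloring
    def commit_round(self, rng):
        self.perm = [0, 1, 2]
        rng.shuffle(self.perm)              # fresh random renaming of the colours
        self.nonces = {v: secrets.token_bytes(16) for v in self.coloring}
        return {v: commit(self.perm[c], self.nonces[v])
                for v, c in self.coloring.items()}
    def open_edge(self, u, v):
        return {w: (self.perm[self.coloring[w]], self.nonces[w]) for w in (u, v)}

def verifier_round(prover, edge, rng):
    """Bob receives all commitments, names one edge, and checks the two openings."""
    u, v = edge
    coms = prover.commit_round(rng)
    opened = prover.open_edge(u, v)
    (cu, nu), (cv, nv) = opened[u], opened[v]
    return (verify_opening(coms[u], cu, nu) and verify_opening(coms[v], cv, nv)
            and cu in (0, 1, 2) and cv in (0, 1, 2) and cu != cv)

def run_protocol(prover, challenges, seed=0):
    """`challenges` is Bob's sequence of edges. He picks each uniformly at random
    in practice, so a coloring with one bad edge survives k rounds with
    probability (1 - 1/|E|)^k; repeating k = |E| * p(k) rounds makes that negligible."""
    rng = random.Random(seed)
    return all(verifier_round(prover, e, rng) for e in challenges)

# Constructed sample graph: two triangles sharing vertex 2.
EDGES = [(0, 1), (1, 2), (2, 0), (2, 3), (3, 4), (4, 2)]
GOOD = {0: 0, 1: 1, 2: 2, 3: 0, 4: 1}
BAD = {**GOOD, 3: 2}                # edge (2, 3) becomes monochromatic

if __name__ == "__main__":
    print(run_protocol(ColoringProver(GOOD), EDGES))                 # True
    print(run_protocol(ColoringProver(BAD), [(0, 1), (2, 3)]))       # False
```

Because the colours are renamed at random in every round, the two values Bob sees are just a uniformly random pair of distinct colours, independent of Alice's actual coloring; that is the zero-knowledge part. Binding is what stops Alice from choosing the two colours after she hears which edge Bob wants to see.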
Class Definition
• A language L is in NP if there exists a boolean relation R_L ⊆ {0,1}* × {0,1}* and a polynomial p such that R_L can be recognized in (deterministic) polynomial time and x ∈ L iff there exists a y with |y| < p(|x|) and (x, y) ∈ R_L.
• A language L is NP-complete if it is in NP and any language in NP can be reduced to it in polynomial time (in the input size).
• Language L1 can be reduced to language L2 if there exists a function f, computable in time polynomial in its input size, such that x ∈ L1 iff f(x) ∈ L2.
Consequences of Definition
• If L is in NP, a proof that x is in L consists of giving a y with (x, y) ∈ R_L, and verifying the proof consists of checking in time p(|x|) whether (x, y) is in R_L.
• Constructing the proof may be computationally difficult (even with a randomized algorithm), but verifying it can be done in time polynomial in the length of x.
Other Consequences
• Can ZK proofs be constructed for every language in NP?
• By using standard Karp reductions to 3-Colorability, the protocol given for that problem can be used to construct ZK proofs for every language in NP.
References
• Lectures on Data Security: Modern Cryptography in Theory and Practice, Ivan Damgård (Ed.), 1999
• Foundations of Cryptography, Oded Goldreich, 1998
• Zero-Knowledge Twenty Years after Its Invention, Oded Goldreich, 2002
References for Interested Students
• Lecture Notes on Cryptography, Shafi Goldwasser and Mihir Bellare, 2001
• Handouts of Cryptography, Luca Trevisan and David Wagner, U.C. Berkeley, 2002
• Commitment Schemes and Zero Knowledge Protocols, Ivan Damgård