1 / 17

Introduction to Zero Knowledge Proofs

Introduction to Zero Knowledge Proofs. Presenter : Mohammad Hossein Rohban. Oded Goldreich. Adi Shamir. Amos Fiat. “Knowledge is related to computational difficulty, whereas information is not”. O. Goldreich. Introduction. Alice and Bob Model Security Requirements and Assumptions

Télécharger la présentation

Introduction to Zero Knowledge Proofs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Introduction to Zero Knowledge Proofs Presenter : Mohammad Hossein Rohban Oded Goldreich Adi Shamir Amos Fiat “Knowledge is related to computational difficulty, whereas information is not”. O. Goldreich Computer Engineering Department

  2. Introduction • Alice and Bob Model • Security Requirements and Assumptions • Motivation to ZK Proofs : • When neither Alice nor Bob trust each other, there are two requirements that must be met: • Bob wants to make sure that an impostor cannot successfully masquerade as Alice. • Alice wants to make sure that her secret remains secure. Computer Engineering Department

  3. Topics of Discussion • Some problems including : • Graph Isomorphism • Ali Baba’s Cave • Discrete Logarithm problem • Hamiltonian cycle • 3-Coloring • Commitment Schemes • Definition of One-Way Functions • Formal Definition of and - Complete classes Computer Engineering Department

  4. Graph Isomorphism • Alice claims to have an isomorphism for G and H and wants to prove it for Bob without giving the permutation  to him. • Characteristics of the problem • Solution : • Alice chooses a random permutation  on n vertices and sends G1 = (G) to Bob and asks him to choose one of the followings : • Send Bob  =  -1 to let Bob check whether (G1) = H • Send Bob  =  -1 to let him check whether (G1) = G • Repeat the protocol p(k) times where p is a polynomial • Probability that Alice had lied and succeeded in convincing Bob is 2 –p(k) which is negligible in k. Computer Engineering Department

  5. Ali Baba’s Cave • Alice claims to know the secret password of the door in the picture and wants to prove it. • Bob asks Alice either to go right or left and stand near the door • Bob then come to where Alice stood and choose a random bit b . If b is 1 then he asks Alice to come from right branch, otherwise asks her to come from left branch. • Repeat the protocol p(k) times, where p is polynomial. • The probability that Alice lied and succeeded in convincing Bob is 2 –p(k)which is negligible in k. Computer Engineering Department

  6. Discrete Logarithm Problem • Alice claims to know the value of x in the equation : gx b (mod n ) • But she does not want to give x to Bob! • Solution : • Alice take a random number r and computes c = gr mod n and sends it to Bob and asks him to choose one of the followings : • Ask Alice to send r and let him check c = g r mod n. • Ask Alice to send d = x + r and let him check whether gd = bc. Computer Engineering Department

  7. Commitment Scheme • Loosely speaking, it means that a party in a protocol is able to choose a value from some finite set and commit to his choice such that he can no longer change his mind. • Hiding Property : Verifier can not get any useful information from Prover until Prover opens it for Verifier. • Binding Property : Prover can not change his mind about what he sent. Computer Engineering Department

  8. Formal Definition • It is a probabilistic polynomial time algorithm  called a generator. It takes an input 1L where L is a security parameter and outputs a description of a function : Commit : {0, 1}L {0, 1}  {0, 1}L • Unconditional Binding/Hiding • Computational Binding/Hiding Computer Engineering Department

  9. One-Way Functions • Informally, functions that are easy to compute but hard to compute their inverse. • More Formally f is one-way if : • f : {0, 1}* {0, 1}* • there exists a polynomial deterministic algorithm to compute it • for every polynomial probabilistic algorithm A, and every polynomial p : Pr (A(U(n), 1n)  f –1 (f (U(n)))) < 1/p(n) Computer Engineering Department

  10. Theorems • If one-way functions exist, then commitment schemes with unconditional binding and computational hiding exist. • Both unconditional binding and hiding are not achievable in any commitment scheme. Computer Engineering Department

  11. Hamiltonian Cycle • Alice has a Hamiltonian cycle on G(V, E) and wants to prove it for Bob. • What is the solution? Computer Engineering Department

  12. 3-Coloring • The teacher gave Alice and Bob a random graph with many vertices. • He asks them to color it with 3 colors. • Alice claims that she has done this task, but does not want to provide coloring to Bob. • What is the solution? Computer Engineering Department

  13. Class Definition • A Language L is in if there exists a boolean relation RL {0, 1}*  {0, 1}*and a polynomial p(k) such that RLcan be recognized in (deterministic) polynomial time and x  L iff there exits a y such that |y| < p(|x|) and (x, y)  RL. • A Language L is - Complete if it is in • and any Language in can be reduced in polynomial time (in input size) to it. • Language L1 can be reduced to language L2 if there exists a function f computable in polynomial time in its input size such that x  L1iff f(x) L2. Computer Engineering Department

  14. Consequences of Definition • If L is in , the proof for x to be in L consists of giving (x, y) in RLand verifying correctness of proof consists of verifying in time p(|x|) whether (x, y) is in RL. • Constructing the proof may be computationally difficult (even with a randomized algorithm), but verifying the proof can be done in polynomial time in length of x. Computer Engineering Department

  15. Other Consequences • Can ZK proofs be constructed for any language in ? • By using standard Karp-reductions to 3-Colorability, the protocol given for this problem can be used to construct ZK proofs for any language in . Computer Engineering Department

  16. References • Lectures on Data Security, Modern Cryptography in Theory and Practice, Ivan Damgård (Ed.), 1999 • Foundations of Cryptography, Oded Goldreich, 1998 • Zero Knowledge twenty years after its invention, Oded Goldreich, 2002 Computer Engineering Department

  17. References for Interested Student • Lecture Notes on Cryptography, Shafi Goldwasser – Mihir Bellare, 2001 • Handouts of Cryptography, Luca Trevisan – David Wagner, U.C. Berkeley, 2002 • Commitment Schemes and Zero Knowledge Protocols, Ivan Damgård Computer Engineering Department

More Related