1 / 13

Zero Knowledge Proofs

Zero Knowledge Proofs. By Subha Rajagopalan Jaisheela Kandagal. Zero Knowledge Proofs . Introduction Properties of ZKP Advantages of ZKP Examples Fiat-Shamir Identification Protocol Real-Time Applications. Zero Knowledge Proofs (ZKP). Goldwasser, Micali, and Rackoff, 1985.

zona
Télécharger la présentation

Zero Knowledge Proofs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal

  2. Zero Knowledge Proofs • Introduction • Properties of ZKP • Advantages of ZKP • Examples • Fiat-Shamir Identification Protocol • Real-Time Applications

  3. Zero Knowledge Proofs (ZKP) • Goldwasser, Micali, and Rackoff, 1985. • ZKP instance of Interactive Proof System • Interactive Proof Systems • Challenge-Response Authentication • Prover and Verifier • Verifier Accepts or Rejects the Prover

  4. ZKP • Zero knowledge Transfer between the Prover and the Verifier • The verifier accepts or rejects the proof after multiple challenges and responses • Probabilistic Proof Protocol • Overcomes Problems with Password Based Authentication

  5. Properties of ZKP • Completeness • Succeeds with high probability for a true assertion given an honest verifier and an honest prover. • Soundness • Fails for any other false assertion, given a dishonest prover and an honest verifier

  6. Advantages of ZKP • As name Suggests – Zero Knowledge Transfer • Computational Efficiency – No Encryption • No Degradation of the protocol • Based on problems like discrete logarithms and integer factorization

  7. Classic Example • Ali Baba’s Cave Alice has to convince Bob She knows the secret to open the cave door without telling the secret (“Open Sesame”). (source: http://www.rsasecurity.com/rsalabs/faq/2-1-8.html)

  8. Fiat-Shamir Identification Protocol • 3 Message Protocol • Alice A, the Prover and Bob B, the Verifier A  B : x = r2 mod n A  B : e  { 0,1} A  B : y = r * se mod n is y2 = x * ve ? • A random modulus n, product of two large prime numbers p and q generated by a trusted party and made public • Prover chooses secret s relatively prime to n • prover computes v = s2 mod n, where v is the public key

  9. Fiat-Shamir Identification Protocol • Alice chooses a random number r (1  r  n-1) • Sends to Bob x = r2 mod n – commitment • Bob randomly sends either a 0 or a 1 ( e  { 0,1}) as his challenge • Depending on the challenge from Bob, Alice computes the response as y = r if e = 0 or otherwise y = r*s mod n • Bob accepts the response upon checking y2  x * ve mod n

  10. Fiat-Shamir Identification Protocol • After many iterations, with a very high probability Bob can verify Alice’s identity • Alice’s response does not reveal the secret s (with y = r or y = r* s mod n) • An intruder can prove Alice’s identity without knowing the secret, if he knows Bob’s challenge in advance: • Generate random r • If expected challenge is 1, send x = r2/v mod n as commitment, and y = r as response • If expected challenge is 0, send x = r mod n as commitment • Probability that any Intruder impersonating the prover can send the right response is only ½ • Probability reduced as iterations are increased • Important - Alice should not repeat r

  11. Applications • Watermark Verification • Show the presence of watermark without revealing information about it • prevents from removing the watermark and reselling multiple duplicate copies • Others – e-voting, e-cash etc.

  12. Products • Sky’s VideoCrypt • Analogue decoding card for satellite DirecTV descrambler used to authenticate the subscriber’s card • Uses Fiat-Shamir Zero Knowledge Protocol • NGSCB – New Generation Secure Computing Base • Zero Knowledge for code attestations

  13. References [1] Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, Handbook of Applied Cryptography. [2] Ross Anderson, Security Engineering [3] Wenbo Mao, Modern Cryptography theory and practice [4] Don Coppersmith (Ed.), Advances in Cryptology- CRYPTO ’95 Lecture Notes in Computer Science. [5] www.rsa.com [6] Oded Goldreich, Silvio Micali and Avi Wigderson, “ Proofs that yield nothing but their validity and a methodology of cryptographic protocol design”. [7] Oren, Y., “ Properties of Zero-knowledge Proofs”. [8] A Mitropoulos, and H. Meijer, “ Zero-knowledge proofs – a survey”.

More Related