zero knowledge


NOTES – ZERO KNOWLEDGE PROOF
VINAYAK WADHWA
MTECH IS – 1ST SEM
01310100814

Introduction

One of the most important, and at the same time most counterintuitive, primitives for cryptographic protocols is the so-called zero-knowledge proof protocol (of knowledge). Very informally, a zero-knowledge proof protocol allows one party, usually called PROVER, to convince another party, called VERIFIER, that PROVER knows some facts (a secret, a proof of a theorem) without revealing to the VERIFIER ANY information about his knowledge (secret, proof).

A zero-knowledge proof must satisfy three properties:

1. Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.

2. Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.

3. Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact. This is formalized by showing that every cheating verifier has some simulator that, given only the statement to be proved (and no access to the prover), can produce a transcript that "looks like" an interaction between the honest prover and the cheating verifier.


Fiat-Shamir Protocol

Source: Cryptography and network security by B.A. Forouzan

The goal of the Fiat-Shamir protocol is to allow A to prove knowledge of s to B in t executions. This is a probabilistic protocol with a probability of 2^(-t) for an adversary to fool the verifier. Since Fiat-Shamir is run for t = 20 to 40 executions, the probability for an adversary to fool the verifier in all t executions is very small. Fiat-Shamir is a 3-pass protocol that depends on the difficulty of factoring.

One-time setup

1. Trusted center (T) selects an RSA-like modulus n = pq; n is public, p and q are secret.
2. A selects s coprime to n, 1 <= s <= n – 1, computes v = s^2 mod n, and registers v with T; v is public, s is secret.

Protocol

1. A chooses random commitment r, 1 <= r <= n – 1
2. A sends B (1): x = r^2 mod n
3. B sends A (2): random e, e = 0 or e = 1
4. A sends B (3): y = r · s^e mod n

Verification

1. B rejects if y = 0
2. B accepts if y^2 = x · v^e mod n, rejects otherwise
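The setup, three-pass exchange and verification above as a runnable sketch (an added example, not code from the original notes or from Forouzan's book). The function names, the toy modulus built from two Mersenne primes, and the guessing prover used to show the 1/2 per-round soundness error are assumptions of this example.

```python
import secrets
from math import gcd

# Constructed toy modulus from two known Mersenne primes (not a secure size).
N = (2**31 - 1) * (2**61 - 1)

def keygen(n):
    """Setup step 2: secret s coprime to n, public v = s^2 mod n."""
    while True:
        s = secrets.randbelow(n - 1) + 1          # 1 <= s <= n - 1
        if gcd(s, n) == 1:
            return s, pow(s, 2, n)

def commit(n):
    """Protocol steps 1-2: random r, then x = r^2 mod n."""
    r = secrets.randbelow(n - 1) + 1
    return r, pow(r, 2, n)

def respond(r, s, e, n):
    """Protocol step 4: y = r * s^e mod n."""
    return (r * pow(s, e, n)) % n

def verify(x, e, y, v, n):
    """B rejects y = 0 and accepts only if y^2 = x * v^e mod n."""
    return y != 0 and pow(y, 2, n) == (x * pow(v, e, n)) % n

def honest_run(s, v, n, t):
    """t executions with a prover that knows s; True if B accepts all."""
    for _ in range(t):
        r, x = commit(n)
        e = secrets.randbelow(2)                  # B's random challenge
        if not verify(x, e, respond(r, s, e, n), v, n):
            return False
    return True

def guessing_run(v, n, t):
    """Prover without s must guess e before committing: x = r^2 * v^(-guess),
    y = r. A round verifies only when guess == e, so all t pass w.p. 2^-t."""
    for _ in range(t):
        guess = secrets.randbelow(2)
        r = secrets.randbelow(n - 1) + 1
        x = (pow(r, 2, n) * pow(v, -guess, n)) % n
        if not verify(x, secrets.randbelow(2), r, v, n):
            return False
    return True

if __name__ == "__main__":
    s, v = keygen(N)
    print(honest_run(s, v, N, 20), guessing_run(v, N, 20))
```

The same guess-then-commit construction is how a simulator produces accepting transcripts without s, which is the zero-knowledge argument for this protocol.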


Classic Example of Zero-Knowledge Proofs

Ali Baba’s cave

Let’s consider the example of Ali Baba’s Cave. Alice wants to prove to Bob her knowledge of the secret to open the door R-S in the cave without revealing the secret.

Fig 2. Representation of Ali Baba’s Cave

(Source: http://www.rsasecurity.com/rsalabs/faq/2-1-8.html)

It works as follows: Alice enters the tunnel and takes either path R or path S. Bob, standing outside the tunnel (P), is not aware of which one she took. Bob comes to Q and calls Alice out through either R or S. The probability that Alice comes out through the right tunnel is only ½ if she does not know the secret. So Bob can repeat this several times until he is convinced that Alice knows the secret to open the door. In this process, Bob doesn’t learn the secret.

Advantages of Zero-Knowledge Protocols:

• Secured – Not requiring the revelation of one’s secret.
• Simple – Does not involve complex encryption methods.

Disadvantages of Zero-Knowledge Protocols:

• Limited – Secret must be numerical, otherwise a translation is needed.
• Lengthy – There are 2k computations, each computation requires a certain amount of running time.
• Imperfect – The attacker can still intercept the transmission (i.e. messages to the Verifier or the Prover might be modified or destroyed).


Real-Time Applications of Zero-Knowledge Proofs

ZK protocols are used for many real-time applications like authentication, e-voting, watermark verification, etc. Some products like Sky’s VideoCrypt, Microsoft’s NGSCB also use ZK protocols. Here, a few of them are mentioned.

Watermark verification

For watermarking schemes, it is very important to show the presence of a watermark in the image without actually revealing it. This prevents any malicious user from removing the watermark and reselling multiple copies of duplicate watermark. Kinoshita Hirotsugu uses zero-knowledge interactive proofs based on digital signatures to assert ownership of an image.

Sky’s VideoCrypt

Sky’s VideoCrypt is an analogue decoding card for satellite DirecTV descrambler used to authenticate the subscriber’s card. This uses the Fiat-Shamir Zero Knowledge Protocol. The subscriber center holds the public key, secret key and the address, while the card holds the public key and address. Every few seconds, the center requests all the cards to authenticate themselves. Each valid card has the algorithm for some function F(x) in its ROM, while the data for F(x) is in EEPROM. As described earlier in the Fiat-Shamir protocol, virtually no knowledge is transferred between F(x) and EEPROM.

NGSCB

Next Generation Secure Computing Base (NGSCB) is Microsoft’s proposed secure computing environment to use zero-knowledge proof techniques to verify the authenticity of services and code. This authentication is called Attestation, which uses a third party for signature verification. In this way, anonymity of the service is preserved.