J.W. Pope
M.S. – Mathematics
May 2004
A zero knowledge proof is a way that a "prover" can prove possession of a certain piece of information to a "verifier" without revealing it.
This is done by manipulating data provided by the verifier in a way that would be impossible without the secret information in question.
A third party, reviewing the transcript created, cannot be convinced that either prover or verifier knows the secret.
The Cave of the Forty Thieves

• Completeness – A prover who knows the secret information can prove it with probability 1.
• Soundness – The probability that a prover who does not know the secret information can get away with it can be made arbitrarily small.

• Peggy the prover would like to show Vic the verifier that an element  is a member of the subgroup of Zn* generated by , where has order . (i.e., does k =  for some k such that 0 ≤ k ≤ ?)
• Peggy chooses a random j, 0 ≤ j ≤  − 1, and sends Vic j.
• Vic chooses a random i = 0 or 1, and sends it to Peggy.
• Peggy computes j + ik mod , and sends it to Vic.
• Vic checks that j + ik = j ik = ji.
• They then repeat the above steps log₂ n times.
• If Vic's final computation checks

• The last proof works because the problem of solving discrete logarithms is NP-complete (or is believed to be, at any rate).
• It has been shown that all problems in NP have a zero-knowledge proof associated with them.
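
The commit / challenge / response rounds of the subgroup-membership proof, written out as an added example that is not part of the original slides. The names alpha (generator), beta (the element), ell (order of alpha), gamma (Peggy's first message) and h (her response) are this example's own labels, and the toy values are constructed; it also goes one step further and shows why a prover without k passes a round only by guessing the challenge.

```python
import secrets

# Toy parameters constructed for this example (far too small for real use):
# alpha = 2 has order ell = 11 in Z_23*, and beta = alpha^k mod n with secret k = 7.
N, ALPHA, ELL, K = 23, 2, 11, 7
BETA = pow(ALPHA, K, N)

def commit(alpha, ell, n):
    """Peggy: pick random j in [0, ell-1] and send gamma = alpha^j mod n."""
    j = secrets.randbelow(ell)
    return j, pow(alpha, j, n)

def respond(j, i, k, ell):
    """Peggy: answer challenge bit i with h = j + i*k mod ell."""
    return (j + i * k) % ell

def check(alpha, beta, n, gamma, i, h):
    """Vic: accept the round iff alpha^h == gamma * beta^i (mod n)."""
    return pow(alpha, h, n) == (gamma * pow(beta, i, n)) % n

def honest_run(alpha, beta, ell, n, k):
    """Completeness: a prover who knows k passes every one of about log2(n) rounds."""
    for _ in range(n.bit_length()):
        j, gamma = commit(alpha, ell, n)
        i = secrets.randbelow(2)
        if not check(alpha, beta, n, gamma, i, respond(j, i, k, ell)):
            return False
    return True

def guessing_round(alpha, beta, ell, n, guess, challenge):
    """Soundness: without k, the prover can prepare for one guessed challenge only.
    The same construction lets anyone fabricate a valid-looking transcript,
    which is why a transcript convinces no third party."""
    h = secrets.randbelow(ell)
    # Pick gamma so the check holds for the guessed bit: gamma = alpha^h * beta^(-guess).
    gamma = (pow(alpha, h, n) * pow(beta, -guess, n)) % n
    return check(alpha, beta, n, gamma, challenge, h)

if __name__ == "__main__":
    print("honest prover accepted:", honest_run(ALPHA, BETA, ELL, N, K))
    print("guess matches challenge:", guessing_round(ALPHA, BETA, ELL, N, 1, 1))
    print("guess misses challenge:", guessing_round(ALPHA, BETA, ELL, N, 1, 0))
```

A wrong guess fails the round, so each round halves a cheating prover's chance of surviving.
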

• "Flipping a coin down a well"
• "Flipping a coin by telephone"
• A value of 0 or 1 is committed to by the prover by encrypting it with a one-way function, creating a "blob". The verifier can then "unwrap" this blob when it becomes necessary by revealing the key.

• Concealing – The verifier cannot determine the value of the bit from the blob.
• Binding – The prover cannot open the blob as both a zero and a one.

• Let n = pq, where p and q are prime. Let m be a quadratic nonresidue modulo n. The values m and n are public, and the values p and q are known only to Peggy.
• Peggy commits to the bit b by choosing a random x and sending Vic the blob m^b x^2.
• When the time comes for Vic to check the value of the bit, Peggy simply reveals the values b and x.
• Since no known polynomial-time algorithm exists for solving the quadratic residues problem modulo a composite n whose factors are unknown, this scheme is computationally concealing.
• On the other hand, it is perfectly binding, since if it wasn't, m would have to be a quadratic residue, a contradiction.
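
The commitment scheme above as a runnable sketch, added here and not taken from the slides. The primes are constructed toy values, and the function names are this example's own; as a labelled assumption beyond the slide, m is chosen to be a nonresidue modulo both p and q so that its Jacobi symbol is +1 and cannot be used to read the bit off the blob.

```python
import secrets
from math import gcd

# Constructed toy primes; only Peggy knows P and Q. Real moduli are thousands of bits.
P, Q = 499, 547
N = P * Q

def is_qr_mod_prime(a, p):
    """Euler's criterion: a unit a is a square mod odd prime p iff a^((p-1)/2) == 1."""
    return pow(a, (p - 1) // 2, p) == 1

def is_qr(a, p, q):
    """With the factors, residuosity mod n = pq is easy: square mod both primes."""
    return is_qr_mod_prime(a, p) and is_qr_mod_prime(a, q)

def random_unit(n):
    """Random element of Z_n* (coprime to n)."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        if gcd(x, n) == 1:
            return x

def pick_m(p, q):
    """Assumption of this example: m is a nonresidue mod BOTH primes, so its
    Jacobi symbol is +1 and the symbol alone does not expose m^b x^2 as b = 1."""
    while True:
        m = random_unit(p * q)
        if not is_qr_mod_prime(m, p) and not is_qr_mod_prime(m, q):
            return m

def commit(b, m, n):
    """Peggy: blob = m^b * x^2 mod n for a random unit x; she keeps (b, x) secret."""
    x = random_unit(n)
    return (pow(m, b, n) * x * x) % n, x

def verify_opening(blob, b, x, m, n):
    """Vic: recompute the blob from the revealed b and x."""
    return b in (0, 1) and gcd(x, n) == 1 and blob == (pow(m, b, n) * x * x) % n

def committed_bit(blob, p, q):
    """Binding: the blob is a square iff b == 0, so it fixes exactly one bit."""
    return 0 if is_qr(blob, p, q) else 1

if __name__ == "__main__":
    m = pick_m(P, Q)
    blob, x = commit(1, m, N)
    print("opens as 1:", verify_opening(blob, 1, x, m, N))
    print("opens as 0:", verify_opening(blob, 0, x, m, N))
```
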

• Bit commitments are used in zero-knowledge proofs to encode the secret information.
• For example, zero-knowledge proofs based on graph colorations exist. In this case, bit commitment schemes are used to encode the colors.
• Complex zero-knowledge proofs with large numbers of intermediate steps that must be verified also use bit commitment schemes.

• A zero-knowledge proof assumes the prover possesses unlimited computational power.
• It is more practical in some cases to assume that the prover's computational abilities are bounded. In this case, we have a zero-knowledge argument.

Zero-Knowledge Proof:
• Unconditional completeness
• Unconditional soundness
• Computational zero-knowledge
• Unconditionally binding blobs
• Computationally concealing blobs

Zero-Knowledge Argument:
• Unconditional completeness
• Computational soundness
• Perfect zero-knowledge
• Computationally binding blobs
• Unconditionally concealing blobs

• Zero-knowledge proofs can be applied where secret knowledge too sensitive to reveal needs to be verified
  • Key authentication
  • PIN numbers
  • Smart cards

• A zero-knowledge proof is only as good as the secret it is trying to conceal
• Zero-knowledge proofs of identities in particular are problematic
  • The Grandmaster Problem
  • The Mafia Problem
  • etc.

• I am currently working with Dr. Curtis Barefoot in the NMT Mathematics Dept. on methods of applying zero-knowledge proofs to mathematical induction: Can a prover prove a theorem via induction without revealing any of the steps beyond the base case?
• Possible application of methods developed by Camenisch and Michels (or maybe not?)

• Blum, M., "How to Prove a Theorem So No One Else Can Claim It", Proceedings of the International Congress of Mathematicians, Berkeley, California, 1986, pp. 1444-1451
• Camenisch, J., M. Michels, "Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes", Eurocrypt '99, J. Stern, ed., Lecture Notes in Computer Science 1592, pp. 107-122, Springer-Verlag 1999
• Cramer, R., I. Damgård, B. Schoenmakers, "Proofs of Partial Hiding and Simplified Design of Witness Hiding Protocols", Advances in Cryptology – CRYPTO '94, Lecture Notes in Computer Science 839, pp. 174-187, Springer-Verlag, 1994
• De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, "On Monotone Formula Closure of SZK", Proceedings of the 35th Symposium on the Foundations of Computer Science, pp. 454-465, IEEE, 1994
• Feigenbaum, J., "Overview of Interactive Proof Systems and Zero-Knowledge", Contemporary Cryptology, G.J. Simmons, ed., pp. 423-440, IEEE Press 1992
• Quisquater, J.J., L. Guillou, T. Berson, "How to Explain Zero-Knowledge Protocols to Your Children", Advances in Cryptology - CRYPTO '99, Lecture Notes in Computer Science 435, pp. 628-631, 1990
• Schneier, B., Applied Cryptography (2nd edition), Wiley, 1996
• Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995
