J.W. Pope
M.S. - Mathematics
May 2004
A zero knowledge proof is a way that a "prover" can prove possession of a certain piece of information to a "verifier" without revealing it.
This is done by manipulating data provided by the verifier in a way that would be impossible without the secret information in question.
A third party, reviewing the transcript created, cannot be convinced that either prover or verifier knows the secret.
The Cave of the Forty Thieves
- Completeness - A prover who knows the secret information can prove it with probability 1.
- Soundness - The probability that a prover who does not know the secret information can get away with it can be made arbitrarily small.
- Peggy the prover would like to show Vic the verifier that an element is a member of the subgroup of Zn* generated by , where has order . (i.e., does k = for some k such that 0 k ?)
- Peggy chooses a random j, 0 j - 1, and sends Vic j.
- Vic chooses a random i = 0 or 1, and sends it to Peggy.
- Peggy computes j + ik mod , and sends it to Vic.
- Vic checks that j + ik = j ik = ji.
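The rounds above as an added Python example, not code from the slides; forge() builds an accepting round without the secret, which is why a cheater passes one round half the time and why a transcript convinces no third party. The slide's symbols did not survive, so the names are assumptions: g is the generator, q its order, h = g^k mod n the public element, and the toy parameters are constructed.

```python
import secrets

# Constructed toy parameters (assumptions, far too small for real use):
# G generates the order-Q subgroup of Z_N*, K is Peggy's secret, H = G^K mod N.
N, Q, G, K = 23, 11, 2, 7
H = pow(G, K, N)

def commit(g, q, n):
    """Peggy picks random j in [0, q-1] and sends t = g^j mod n."""
    j = secrets.randbelow(q)
    return j, pow(g, j, n)

def respond(j, i, k, q):
    """Peggy answers challenge bit i with s = j + i*k mod q."""
    return (j + i * k) % q

def verify(g, h, n, t, i, s):
    """Vic accepts iff g^s == t * h^i (mod n)."""
    return pow(g, s, n) == (t * pow(h, i, n)) % n

def honest_run(g, h, k, q, n, rounds):
    """Completeness: a prover who knows k passes every round."""
    for _ in range(rounds):
        j, t = commit(g, q, n)
        i = secrets.randbelow(2)  # Vic's challenge bit
        if not verify(g, h, n, t, i, respond(j, i, k, q)):
            return False
    return True

def forge(g, h, q, n, guess):
    """Without k: pick s first, then solve for t so the check passes for
    challenge == guess only. Needs Python 3.8+ for the modular inverse."""
    s = secrets.randbelow(q)
    t = (pow(g, s, n) * pow(h, -guess, n)) % n
    return t, s

def cheater_survives(g, h, q, n, rounds):
    """Soundness: a cheater must guess each bit before committing, so she
    survives all rounds with probability 2**-rounds."""
    for _ in range(rounds):
        t, s = forge(g, h, q, n, secrets.randbelow(2))
        if not verify(g, h, n, t, secrets.randbelow(2), s):
            return False
    return True

if __name__ == "__main__":
    print("honest prover accepted:", honest_run(G, H, K, Q, N, 40))
    print("cheater accepted:", cheater_survives(G, H, Q, N, 40))
```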
- Computational zero-knowledge
- Unconditionally binding blobs
- Computationally concealing blobs

- Perfect zero-knowledge
- Computationally binding blobs
- Unconditionally concealing blobs
- Zero-knowledge proofs can be applied where secret knowledge too sensitive to reveal needs to be verified
- Key authentication
- PIN numbers
- Smart cards
- A zero-knowledge proof is only as good as the secret it is trying to conceal
- Zero-knowledge proofs of identities in particular are problematic
- The Grandmaster Problem
- The Mafia Problem
- etc.
- I am currently working with Dr. Curtis Barefoot in the NMT Mathematics Dept. on methods of applying zero-knowledge proofs to mathematical induction: Can a prover prove a theorem via induction without revealing any of the steps beyond the base case?
- Possible application of methods developed by Camenisch and Michels (or maybe not?)
- Blum, M., "How to Prove a Theorem So No One Else Can Claim It", Proceedings of the International Congress of Mathematicians, Berkeley, California, 1986, pp. 1444-1451
- Camenisch, J., M. Michels, "Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes", Eurocrypt '99, J. Stern, ed., Lecture Notes in Computer Science 1592, pp. 107-122, Springer-Verlag 1999
- Cramer, R., I. Damgård, B. Schoenmakers, "Proofs of Partial Hiding and Simplified Design of Witness Hiding Protocols", Advances in Cryptology - CRYPTO '94, Lecture Notes in Computer Science 839, pp. 174-187, Springer-Verlag, 1994
- De Santis, A., G. di Crescenzo, G. Persiano, M. Yung, "On Monotone Formula Closure of SZK", Proceedings of the 35th Symposium on the Foundations of Computer Science, pp. 454-465, IEEE, 1994
- Feigenbaum, J., "Overview of Interactive Proof Systems and Zero-Knowledge", Contemporary Cryptology, G.J. Simmons, ed., pp. 423-440, IEEE Press 1992
- Quisquater, J.J., L. Guillou, T. Berson, "How to Explain Zero-Knowledge Protocols to Your Children", Advances in Cryptology - CRYPTO '99, Lecture Notes in Computer Science 435, pp. 628-631, 1990
- Schneier, B., Applied Cryptography (2nd edition), Wiley, 1996
- Stinson, D.R., Cryptography: Theory and Practice, CRC, 1995