Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.

Published byBarry Patrick Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge."— Presentation transcript:

1 slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge

2 slide 2 Commitment uTemporarily hide a value, but ensure that it cannot be changed later Example: sealed bid at an auction u1 st stage: commit Sender electronically “locks” a message in a box and sends the box to the Receiver u2 nd stage: reveal Sender proves to the Receiver that a certain message is contained in the box

3 slide 3 Properties of Commitment Schemes uCommitment must be hiding At the end of the 1 st stage, no adversarial receiver learns information about the committed value If receiver is probabilistic polynomial-time, then computationally hiding; if receiver has unlimited computational power, then perfectly hiding uCommitment must be binding At the end of the 2 nd stage, there is only one value that an adversarial sender can successfully “reveal” Perfectly binding vs. computationally binding uCan a scheme be perfectly hiding and binding?

4 slide 4 Discrete Logarithm Problem uIntuitively: given g x mod p where p is a large prime, it is “difficult” to learn x Difficult = there is no known polynomial-time algorithm ug is a generator of a multiplicative group Z p * Fermat’s Little Theorem –For any integer a and any prime p, a p-1 =1 mod p. g 0, g 1 … g p-2 mod p is a sequence of distinct numbers, in which every integer between 1 and p-1 occurs once –For any number y  [1.. p-1],  x s.t. g x = y mod p If g q =1 for some q>0, then g is a generator of Z q, an order-q subgroup of Z p *

5 slide 5 Pedersen Commitment Scheme uSetup: receiver chooses… Large primes p and q such that q divides p-1 Generator g of the order-q subgroup of Z p * Random secret a from Z q h=g a mod p –Values p,q,g,h are public, a is secret uCommit: to commit to some x  Z q, sender chooses random r  Z q and sends c=g x h r mod p to receiver This is simply g x (g a ) r =g x+ar mod p uReveal: to open the commitment, sender reveals x and r, receiver verifies that c=g x h r mod p

6 slide 6 Security of Pedersen Commitments uPerfectly hiding Given commitment c, every value x is equally likely to be the value commited in c Given x, r and any x’, exists r’ such that g x h r = g x’ h r’ r’ = (x-x’)a -1 + r mod q (but must know a to compute r’) uComputationally binding If sender can find different x and x’ both of which open commitment c=g x h r, then he can solve discrete log –Suppose sender knows x,r,x’,r’ s.t. g x h r = g x’ h r’ mod p –Because h=g a mod p, this means x+ar = x’+ar’ mod q –Sender can compute a as (x’-x)(r-r’) -1 –But this means sender computed discrete logarithm of h!

7 slide 7 Zero-Knowledge Proofs uAn interactive proof system involves a prover and a verifier uIdea: the prover proves a statement to the verifier without revealing anything except the fact that the statement is true Zero-knowledge proof of knowledge (ZKPK): prover convinces verifier that he knows a secret without revealing the secret uIdeal functionality Is this true? Yes!

8 slide 8 Properties of ZKPK uCompleteness If both prover and verifier are honest, protocol succeeds with overwhelming probability uSoundness No one who does not know the secret can convince the verifier with nonnegligible probability –Intuition: the protocol should not enable prover to prove a false statement uZero knowledge The proof does not leak any information

9 slide 9 Zero-Knowledge Property uThe proof does not leak any information uThere exists a simulator that, taking what the verifier knows before the protocol starts, produces a fake “transcript” of protocol messages that is indistinguishable from actual protocol messages Because all messages can be simulated from verifier’s initial knowledge, verifier does not learn anything that he didn’t know before Indistinguishability: perfect, statistical, or computational uHonest-verifier ZK only considers verifiers that follow the protocol

10 slide 10 Soundness Property uNo one who does not know the secret can convince the verifier with nonnegligible probability uLet A be any prover who convinces the verifier… u…there must exist a knowledge extractor algorithm that, given A, extracts the secret from A Intuition: if there existed some prover A who manages to convince the verifier that he knows the secret without actually knowing it, then no algorithm could possibly extract the secret from this A

11 slide 11 Schnorr’s Id Protocol uSystem parameters Prime p and q such that q divides p-1 g is a generator of an order-q subgroup of Z p * P V Knows t Knows s such that t=g s mod p Wants to prove this fact to V x = g r mod p c y = r+sc Verifies x= g y t -c mod p Chooses random r in [1..q] Chooses random c in [1..2 n ] = g r+sc (g s ) -c mod p = g r mod p P proves that he knows discrete log of t without revealing its value

12 slide 12 Cheating Sender uProver can cheat if he can guess c in advance Guess c, set x=g y t -c for random y in 1 st message What is the probability of guessing c? P V x = g r mod p c y Verifies x= g y t -c mod p Chooses random r in [1..q] Chooses random c in [1..2 n ] x=g y t -c P proves that he “knows” discrete log of t even though he does not know s

13 slide 13 Schnorr’s Id Protocol Is Sound uGiven P who successfully passes the protocol, extract s such that t=g s mod p Idea: run P twice as a subroutine PExt x y 1 such that x=g y 1 t -c 1 Chooses random c 1 in [1..2 n ] c1c1 Knows t y 2 such that x=g y 2 t -c 2 Chooses random c 2 in [1..2 n ] c2c2 “rewind” P Compute s=(y 1 -y 2 )(c 1 -c 2 ) -1 g y 1 t -c 1 = g y 2 t -c 2 implies g y 1 -y 2 = t c 1 -c 2 Therefore, g y 1 -y 2 (c 1 -c 2 ) -1 =t

14 slide 14 Schnorr’s Id Protocol Is HVZK V x c Pick random c in [1..2 n ] uSimulator produces a transcript which is indistinguishable from the real transcript y such that x=g y t -c Real transcript g y t -c c Pick random c and y y Sim Simulated transcript Does not know s such that t=g s mod p (why?) P These transcripts are indistinguishable … but only if c in the real protocol is indeed random (verifier must run the protocol honestly) Schnorr’s ID protocol is honest-verifier zero-knowledge

15 slide 15 Pick some c (may depend on x) Schnorr’s Id Protocol Is Not ZK V x c uSchnorr’s ID protocol is not zero-knowledge for malicious verifier if challenge c is large y such that x=g y t -c P Triple (x,c,y) is a solution to the equation x=g y t -c Verifier may not be able to come up with such a triple on his own. Therefore, he learned something from the protocol (protocol is not zero-knowledge!)

Download ppt "Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge."

Similar presentations

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart

Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart
SECURITY AND VERIFICATION

SECURITY AND VERIFICATION
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Lecture 15 Zero-Knowledge Techniques. Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce,

Lecture 15 Zero-Knowledge Techniques. Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce,
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
Protocols to do seemingly impossible 1 CHAPTER 10: Protocols to do seemingly impossible A protocol is an algorithm two (or more) parties have to follow.

Protocols to do seemingly impossible 1 CHAPTER 10: Protocols to do seemingly impossible A protocol is an algorithm two (or more) parties have to follow.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.
May, 2011 Algorithmic Game Theory Workshop May, 2011 Algorithmic Game Theory Workshop Michael O. Rabin Harvard University Hebrew University Algorithmic.

May, 2011 Algorithmic Game Theory Workshop May, 2011 Algorithmic Game Theory Workshop Michael O. Rabin Harvard University Hebrew University Algorithmic.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
1 Slides by Roel Apfelbaum & Eti Ezra. Enhanced by Amit Kagan. Adapted from Oded Goldreich’s course lecture notes.

1 Slides by Roel Apfelbaum & Eti Ezra. Enhanced by Amit Kagan. Adapted from Oded Goldreich’s course lecture notes.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Similar presentations

Ads by Google