Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.

Published byMarvin Dixon Modified over 8 years ago

Similar presentations

Presentation on theme: "Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof."— Presentation transcript:

1 Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof

2 Fall 2004/Lecture 202 Review Identification (entity authentication) –password –one-time password –challenge-response three kinds of challenges symmetric key as well as asymmetric key based

3 Fall 2004/Lecture 203 Lecture Outline Zero knowledge proof protocols

4 Fall 2004/Lecture 204 Fiat-Shamir ID protocol (ZK Proof of knowledge of square root modulo n) System parameter: n=pq, Public identity:vv = s 2 mod n Private authenticator:s Protocol (repeat t times) 1.A: picks random r in Z n *, sends x=r 2 mod n to B 2.B checks x  0 and sends random c in {0,1} to A 3.A sends y to B, where If c=0, y=r, else y=rs mod n. 4.B accept if y 2  xv c mod n

5 Fall 2004/Lecture 205 Properties Zero-Knowledge Proofs Properties of ZK Proofs: –completeness honest prover who knows the secret convinces the verifier with overwhelming probability –soundness (is a proof of knowledge) no one who doesn’t know the secret can convince the verifier with nonnegligible probability –zero knowledge the proof does not leak any additional information How to formalize soundness and ZK?

6 Fall 2004/Lecture 206 Formalizing the Soundness Property The protocol should be a “proof of knowledge” A knowledge extractor exists –that given a prover who can successfully convince the verifier, can extracts the secret Knowledge extractor for the Fiat-Shamir Protocol –Given an algorithm A that can convince a verifier, –After A has sent x, first challenge it with 0, and receives y 1 such that y 1 2 =x –then reset A to the state after sending x, challenge it with 1 and receives y 2 such that y 2 2 =xv, then compute s=y 1 -1 y 2, we have s 2 =v

7 Fall 2004/Lecture 207 Formalizing ZK property For every possible verifier algorithm, a simulator exists –taking what the verifier knows before the proof, can generate a communication transcript that is indistinguishable from one generated during ZK proofs –honest verifier ZK considers only the verifier algorithm in the protocol Three kinds of indistinguishability –perfect (information theoretic) –statistical –computational

8 Fall 2004/Lecture 208 Fiat-Shamir is honest-verifier ZK The transcript of a protocol run consists of t tuples (x, c, y) such that x is a random QR in Z n * and y 2  xv c mod n Proof that Fiat-Shamir is honest verifier ZK Construct a simulator as follows –Repeat the following: pick random c  {0,1}, if c=0, pick random r and outputs (r 2, 0, r) if c=1, pick random y, and outputs (y 2 v -1, 1, y) The transcript generated by the simulator is from the same prob. distribution

9 Fall 2004/Lecture 209 Fiat-Shamir is ZK Given any possible verifier V, construct a simulator as follows –Repeat the following: pick random c  {0,1}, if c=0, pick random r and send r 2 to V, if V challenges 0, output (r 2, c, r); otherwise reset V if c=1, pick random y, compute x=y 2 v -1, and send x to V, if V challenges 1, output (x, 1, y); otherwise reset V –Observe that r 2 and y 2 v -1 have the same prob. distribution, the success prob. of one round is at least ½

10 Fall 2004/Lecture 2010 Running in Parallel All rounds in Fiat-Shamir can be run in parallel 1.A: picks random r 1,r 2,…,r t in Z n *, sends x 1 =r 1 2, x 2 =r 2 2, …, x t =r t 2 to B 2.B checks the x’s are not 0 and sends t random bit to A 3.A sends y 1,y 2,…,y k to B, ….. 4.B accept if y j 2  x j v cj mod n Is this protocol still a proof of knowledge? Is this protocol still honest verifier ZK? Is this protocol still ZK?

11 Fall 2004/Lecture 2011 Schnorr Id protocol (ZK Proof of Discrete Log) System parameter: p, q, g q | (p-1) and g is an order q element in Z p * Public identity:v Private authenticator:sv = g s mod p Protocol 1.A: picks random r in [1..q], sends x = g r mod p, 2.B: sends random challenge e in [1..2 t ] 3.A: sends y=r+se mod q 4.B: accepts if x = (g y v -e mod p)

12 Fall 2004/Lecture 2012 Security of Schnorr Id protocol probability of forgery: 1/2 t soundness (proof of knowledge): –if A can successfully answer two challenges e1 and e2, i.e., A can output y1 and y2 such that x=g y1 v -e1 =g y2 v -e2 then g y1-y2 =v c1-c2 and thus the secret s=(y1-y2)(c1-c2) -1 mod q ZK property –honest verifier ZK, why? –not ZK if 2 t >log n is used, why?

13 Fall 2004/Lecture 2013 Converting Interactive ZK to Non- interactive ZK The only interactive role played by the verifier is to generate random challenges –challenges not predictable by the prover The same thing can be done using one-way hash functions

14 Fall 2004/Lecture 2014 Interactive ZK Implies Signatures Given a message M, run all rounds in parallel, –generate the commitments all at the same time, let X denote all commitments –replace the random challenge of the verifier by the one-way hash c=h(M||X) –append the response

15 Fall 2004/Lecture 2015 Schnorr Signature Key generation (uses h:{0,1} *  Z q ) Select two primes p and q such that q | p-1 Select 1  a  q-1 Compute y = g a mod p Public key: (p,q, g,y) Private key: a

16 Fall 2004/Lecture 2016 Schnorr Signature Signing message M Select random secret k, 1  k  q-1 Compute r = g k mod p, e = h(M || r) s = ae + k mod q Signature is: (r, s) To verify that (r,s) is the signature of M Compute e = h(M || r) Verify that r = g s y -e mod p

17 Fall 2004/Lecture 2017 Summary ZK identification = ZK proof of knowledge –completeness –soundness (is a proof of knowledge) –zero-knowledge (weaker property: honest verifier ZK) Fiat-Shamir –proof of knowing a square root Schnorr –proof of knowing a discrete log

Download ppt "Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof."

Similar presentations

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Lecture 15 Zero-Knowledge Techniques. Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce,

Lecture 15 Zero-Knowledge Techniques. Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce,
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.
26 th May 20031 Comparative Study on Zero- Knowledge Identification Protocols Konidala M. Divyan International Research Center for Information Security.

26 th May Comparative Study on Zero- Knowledge Identification Protocols Konidala M. Divyan International Research Center for Information Security.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
1 Slides by Roel Apfelbaum & Eti Ezra. Enhanced by Amit Kagan. Adapted from Oded Goldreich’s course lecture notes.

1 Slides by Roel Apfelbaum & Eti Ezra. Enhanced by Amit Kagan. Adapted from Oded Goldreich’s course lecture notes.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

Similar presentations

Ads by Google