NOTES ZERO KNOWLEDGE PROOF

VINAYAK WADHWA
MTECH IS 1ST SEM
01310100814
Introduction
One of the most important, and at the same time very
counterintuitive, primitives for cryptographic protocols are so called
zero-knowledge proof protocols (of knowledge).
Very informally, a zero-knowledge proof protocol allows one party,
usually called PROVER, to convince another party, called VERIFIER,
that PROVER knows some facts (a secret, a proof of a theorem)
without revealing to the VERIFIER ANY information about his
knowledge (secret, proof).
A zero-knowledge proof must satisfy three properties:
1 Completeness: if the statement is true, the honest verifier
(that is, one following the protocol properly) will be convinced
of this fact by an honest prover.
2 Soundness: if the statement is false, no cheating prover can
convince the honest verifier that it is true, except with some
small probability.
3 Zero-knowledge: if the statement is true, no cheating
verifier learns anything other than this fact. This is formalized
by showing that every cheating verifier has some simulator
that, given only the statement to be proved (and no access to
the prover), can produce a transcript that "looks like" an
interaction between the honest prover and the cheating
verifier.

Fiat-Shamir Protocol

Source: Cryptography and network security by B.A. Forouzan

The goal of the Fiat-Shamir protocol is to allow A to prove knowledge
of s to B in t executions. This is a probabilistic protocol with a
probability of 2-t for an adversary to fool the verifier. Since FiatShamir is run for t = 20 to 40 executions, the probability for an
adversary to fool the verifier for all executions of t is very small.
Fiat-Shamir is a 3 pass protocol that depends on the difficulty of
factoring.
One time setup
1. Trusted center (T) selects RSA-like modulus n=pq, n public, p
and q secret
2. A selects s coprime to n, 1 <= s <= n 1, computes v = s2
mod n, and registers v with T, v public,
s secret
Protocol
1. A chooses random commitment r, 1 <= r <= n 1
2. A sends B (1): x = r2 mod n
3. B sends A (2): random e, e = 0 or e = 1
4. A sends B (3): y = r se mod n
Verification
1. B rejects if y = 0
2. B accepts if y2 = x ve mod n, rejects otherwise

Classic Example of Zero-Knowledge Proofs

Ali Babas cave
Lets consider an example of Ali Babas Cave. Alice wants to prove to
Bob her knowledge of the secret to open the door R-S in the cave
without revealing the secret.

Fig 2. Representation of Ali Babas Cave

(Source: http://www.rsasecurity.com/rsalabs/faq/2-1-8.html)
They work as follows:
Alice enters the tunnel and takes the path either R or S. Bob is not
aware of this, standing outside the tunnel (P). Bob comes to Q and
calls out Alice through either R or S. The probability that Alice comes
out through the right tunnel is only , if she does not know the
secret. So bob can repeat this several times until he is convinced
that Alice knows the secret to open the door. In this process, Bob
doesnt learn the secret.

Advantages of Zero-Knowledge Protocols:

Secured Not requiring the revelation of ones secret.

Simple Does not involve complex encryption methods.

Disadvantages of Zero-Knowledge Protocols:

Limited Secret must be numerical, otherwise a translation is

needed.
Lengthy There are 2k computations, each computation
requires a certain amount of running time.

Imperfect The attacker can still intercept the transmission

(i.e. messages to the Verifier or the Prover might be modified
or destroyed).

Real-Time Applications of Zero-Knowledge Proofs

ZK protocols are used for many real-time applications like
authentication, e-voting, watermark verification, etc. Some products
like Skys VideoCrypt, Microsofts NGSCB also use ZK protocols.
Here, a few of them are mentioned.
Watermark verification
For watermarking schemes, it is very important to show the
presence of watermark in the image without actually revealing it
.This prevents any malicious user from removing the watermark and
reselling multiple copies of duplicate watermark. Kinoshita Hirotsugu
uses zero knowledge interactive proofs based on Digital Signatures
to assert ownership on an image.
Skys VideoCrypt
Skys VideoCryt is an analogue decoding card for satellite Directv
descrambler used to authenticate the subscribers card. This uses
Fiat-Shamir Zero Knowledge Protocol. The subscriber center holds
the public key, secret key and the address while the card holds the
public key and address. Every few seconds, the center requests all
the cards to authenticate themselves. Each card which is valid has
the algorithm for some function F(x) in its ROM while the data for
F(x) is in EEPROM. As described earlier in Fiat-Shamir protocol,
virtually no knowledge is transferred between F(x) and EEPROM.
NGSCB
Next Generation Secure Computing Base (NGSCB) is Microsofts
proposed secure computing environment to use zero knowledge
proofing techniques to verify authenticity of services and code. This
authentication is called Attestation which uses third party for
signature verification. By this way, anonymity of the service is
preserved.