How to Explain Zero-Knowledge Protocols to Your Children

Paper Presentation by J. Chu

SC700 A2 Internet Information Protocols

3/20/2001

Background

1. The Fact: Identifications and passwords are essential parts of a secured system, in which they prevent unauthorized access to private materials.

2. The Problem: Passwords are assigned to authorized personnel and are meant to be kept secret. But ironically, one often has to give out his/her password during authentication. That’s not very safe!

3. The Solution: Zero-Knowledge Protocol!

Introduction

1. Zero-Knowledge Protocols allow one party to access a secured area without that party having to give out any private or secret information.

2. Examples of Zero-Knowledge Protocols:
   a. Bizcard
   b. Fiat-Shamir Protocol
   c. Guillou-Quisquater’s Analogy

The Bizcard Example

Imagine the following scenario:

Bob: “Let me in! I have access to this area!”

Alice: “Oh really? What is the secret password?”

Bob: “I can’t tell you my password; it’s a secret.”

Alice: “That’s too bad. Because you cannot get in without telling me your secret password.”

There must be a better solution…

The Bizcard Example Continues

The Zero-Knowledge Protocol:

Assume that the password is a positive integer.

Equipment: A deck of cards

1. While Alice is looking away, Bob counts from the top of the deck until he reaches the card that corresponds to the password. Bob then makes a unique mark on one side of that card, turns over all the cards in the deck (without changing their order) and hands the deck to Alice.

2. Now Bob is looking away. Alice also counts from the top of the deck until she reaches the card that corresponds to the password. Alice then makes a unique mark on the other side of that card. To conceal the secret, Alice shuffles the deck.

3. If the shuffled deck contains one card having distinct marks on both its sides, then it is possible that both Bob and Alice know the password. Therefore, Bob is able to prove his knowledge of the password without revealing it to Alice.

The Bizcard Example Continues

The Zero-Knowledge Protocol Phase II:

However, Alice is not convinced that Bob actually knows the password, because the protocol is not perfect: Bob might have guessed the password!

Since the password, $s$, is a positive integer, it has to be limited by a range, $z$, such that $1 \le s \le z$. If Bob doesn’t actually know the password, he could have guessed it anyway with a probability of $1/z$.

The Solution: Alice can request Bob to perform the exact same experiment $k$ times so that the probability of Bob correctly guessing the password every time is reduced to $(1/z)^k$.

When $(1/z)^k$ is small enough, that is, when the probability of Bob actually knowing the password is high enough, Alice may grant Bob access to his account without worrying that he might be an imposter.

To Make a Short Story Even Shorter…

“I can’t tell you my secret, but I can prove to you that I know the secret.”

The Actors

1. The Prover (Bob): Bob has to prove that he knows some kind of secret (such as a password to a restricted area) but he doesn’t want to share it with anyone, not even the Verifier.

2. The Verifier (Alice): Alice has to verify whether Bob knows the secret or not. She can perform a series of experiments with Bob until she is ~100% certain whether Bob is authorized (or not).

3. The Malice (Oscar): Simply put, the bad guy who tries to cheat the security system.

Properties of Zero-Knowledge Protocols

1. Completeness: The Verifier will always accept a proof from the Prover, given that they both follow the correct protocol.

2. Soundness: The Verifier will not accept any “incorrect” proof from the Prover, given that the Verifier follows the correct protocol.

3. Zero-Knowledge: During the whole “proving” process, the Verifier will learn nothing about the Prover’s secret, nor will she be able to prove that secret to any other party.

The Fiat-Shamir Protocol

Fact: It is easier to compute $x^2$ than $x^{1/2}$.

• Arithmetic is done modulo $n = pq$, where $p$ and $q$ are primes.

• Bob (the Prover) chooses a number $s$ in $Z_n$. He keeps $s$ (the private key) secret but publishes $v = s^2 \bmod n$ (the public key).

• During authentication, Bob randomly chooses a number $r$ in $Z_n$ and sends $x = r^2 \bmod n$ to Alice (the Verifier).

• After receiving $x$, Alice randomly chooses a number $e$, where $e$ is in $\{0, 1\}$, and sends it to Bob.

• After receiving $e$, Bob sends $y = r s^e$ to Alice.

• Alice now checks whether $y^2 \bmod n = x v^e \bmod n$. If yes, Bob has passed the test. Alice might request Bob to perform the experiment as many times as she desires until she’s certain of Bob’s authority. Throughout the entire process, Alice only needs to work with the publicly known numbers $x$, $e$ and $v$, and will learn nothing about the secret $s$.

The Fiat-Shamir Protocol Continues

Security Analysis:

• Assuming that Oscar (the Malice) is listening to the entire transmission between Alice and Bob, he will not be able to learn anything about Bob’s secret, since the secret itself is never revealed or transmitted.

• The fact that $r$ is random prevents Oscar from recognizing any patterns between the values of $y_i$, where $i$ represents the $i$th transmission.

• The fact that it is difficult to determine the square root of $x$ increases the level of security of the protocol.

• With Alice performing the experiment $k$ times, it is almost impossible for Oscar to impersonate Bob, given the fact that Oscar himself does not know the secret $s$. Since Oscar has a 50% chance of passing Alice’s test each time, the probability of Oscar passing all $k$ tests will be $(1/2)^k$.
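An added example (not part of the original presentation) of the Fiat-Shamir rounds and the security analysis above: an honest Bob always passes Alice's check, while Oscar, who has to guess e before he commits to x, passes a single round only about half the time and so fails a k-round session with probability 1 - (1/2)^k. The toy modulus and all function names are assumptions made for illustration.

```python
import math
import secrets

# Constructed toy modulus (assumption); real use needs a far larger n with secret factors.
N = (2**31 - 1) * (2**61 - 1)

def rand_unit(n):
    """Random element of Z_n that is invertible modulo n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r

def keygen(n):
    s = rand_unit(n)                  # private key s
    return s, pow(s, 2, n)            # public key v = s^2 mod n

def verify(n, v, x, e, y):
    """Alice's check: y^2 mod n == x * v^e mod n."""
    return pow(y, 2, n) == (x * pow(v, e, n)) % n

def honest_round(n, s, v):
    r = rand_unit(n)
    x = pow(r, 2, n)                  # Bob commits to x = r^2 mod n
    e = secrets.randbelow(2)          # Alice's challenge bit
    y = (r * pow(s, e, n)) % n        # Bob answers y = r * s^e
    return verify(n, v, x, e, y)

def cheating_round(n, v):
    """Oscar lacks s, so he must guess e before he commits to x."""
    guess = secrets.randbelow(2)
    r = rand_unit(n)
    # guess 0: x = r^2; guess 1: x = r^2 * v^-1. Either way y = r fits the guess.
    x = (pow(r, 2, n) * pow(v, -guess, n)) % n
    e = secrets.randbelow(2)          # Alice's real challenge
    return verify(n, v, x, e, r)      # holds only when e == guess

def pass_rate(round_fn, trials):
    return sum(round_fn() for _ in range(trials)) / trials

def session_accepts(round_fn, k):
    """Alice grants access only if all k rounds pass."""
    return all(round_fn() for _ in range(k))

if __name__ == "__main__":
    s, v = keygen(N)
    print("honest Bob :", pass_rate(lambda: honest_round(N, s, v), 1000))
    print("Oscar      :", pass_rate(lambda: cheating_round(N, v), 1000))
    print("Oscar, k=20:", session_accepts(lambda: cheating_round(N, v), 20))
```

The modular inverse via `pow(v, -1, n)` requires Python 3.8 or later.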

Guillou-Quisquater’s Analogy

How is it possible to explain the concepts of Zero-Knowledge Protocols to young children?

The Analogy of Ali Baba’s Cave

[Figure: diagram of the cave with points A, B and C]

Guillou-Quisquater’s Analogy Continues

[Figure: diagram of the cave with points A, B and C]

Quick Review:

Ali Baba had discovered the secret of this strange cave, in which the password “open sesame” makes the secret wall between point B and point C vanish, creating a loop. Without knowledge of the password, one would see dead ends at both B and C.

Years later, the cave was discovered and Mick Ali, a researcher, was able to acquire the secret password of the cave. To prove his great discovery, Mick Ali invited a television network to make a documentary of the cave. Mick Ali did not wish to share his secret password, however, so he set up a scenario in which he would go to either point B or C, and a reporter would randomly request Mick Ali to go to point A via either the left or the right passage. Knowing the secret of the cave, Mick Ali had no trouble passing the reporter’s test, thereby proving that he knows the password without having to reveal it.

However, a fake version of the documentary had been made. It involved an Ali look-alike performing the same experiment. But without the knowledge of the secret, the actor can only succeed 50% of the time. However, after editing the film, no one in the world can tell the difference between the real and the fake version.

Guillou-Quisquater’s Analogy Continues

Points of the Analogy:

• By performing a series of verification experiments, it is possible to prove that you know a certain secret without sharing it with anyone.

• Zero-Knowledge Protocols help prevent leaks of any secret information by not directly requesting the secret itself during verification.

• Zero-Knowledge Protocols won’t care if you actually know the password or not, as long as you can prove that you know it.

• Faking the proof of knowing the secret is possible, but it has a low probability of success.

Real-World Applications

1. Network Authentications

2. Smart Cards

3. Key Exchanges

4. Digital Signatures

Pros and Cons

Advantages of Zero-Knowledge Protocols:

• Secured – Does not require the revelation of one’s secret.

• Simple – Does not involve complex encryption methods.

Disadvantages of Zero-Knowledge Protocols:

• Limited – The secret must be numerical; otherwise a translation is needed.

• Lengthy – There are 2k computations, and each computation requires a certain amount of running time.

• Imperfect – The Malice can still intercept the transmission (i.e. messages to the Verifier or the Prover might be modified or destroyed).

References

H. A. Aronsson, “Zero Knowledge Protocols and Small Systems”, http://www.tml.hut.fi/Opinnot/Tik-110.501/1995/zeroknowledge.html, 1995.

H. L. Marko, “Authentication Protocols Lecture Notes”, http://www.cs.cmu.edu/afs/cs/academic/class/15827-f98/www/Slides/lecture3, 1998.

“Integrity Science – The Source for Knowledge-based Authentication”, http://www.integritysciences.com, 1996-2000.

J.J. Quisquater and L. Guillou, “How to explain zero-knowledge protocols to your children”, Lecture Notes in Computer Science, 435 (1990), 628-631.