Zero-Knowledge Proofs and Fiat-Shamir ID Protocol Christian Peel [email protected]

Zero Knowledge for Mere Mortals


A mostly non-technical intro to zero-knowledge proofs, including the Fiat-Shamir protocol.

  • What the #$%!! is a Zero-Knowledge Proof?

    Alice wants to prove to Bob that she knows a secret without revealing what it is!

    Bob also wants to believe Alice's proof

    The solution is probabilistic; Bob can trust Alice's proof with high confidence

  • A Cave Like Ali Baba's

    A cave has a circular shape, with a locked door at the far side, away from the entrance

    From "How to explain Zero-Knowledge Proofs to your Children", by Quisquater et al.

  • Alice and Bob in a Cave

    Alice wants to prove to Bob that she knows the magic password to a door in a cave

    1. Alice randomly takes path A or B, while Bob waits outside

    2. Bob yells to Alice to tell her which route to exit by

    3. If needed, Alice opens, then re-locks the door. She reliably exits by the path that Bob requests

  • More on Alice and Bob in a Cave

    If Alice doesn't know the password, she will only be able to return by the correct path half of the time, and with multiple tries, Bob will (hopefully) decide that she's a liar

    Bob can know that after N successful tries, the probability that Alice is lying is 1/2^N

  • Feige-Fiat-Shamir Identification Protocol

    Feige, Fiat, and Shamir are Israeli computer scientists (what is up with all the Israeli cryptographers?!!)

    They got grief from the US Patent Office, who wanted to keep the technique we describe here a secret, but it blew over quickly :-)

    Shamir is the S in RSA

    It's the same scenario as the cave, except that instead of a secret password, Alice has some secret numbers s_i that she wants to prove that she has, without revealing the numbers

  • Background for Following

    The notation y = x mod n means y is the remainder after dividing x by n

    Given two large primes p, q and n = pq, it is hard to find sqrt(x) mod n without knowing p or q

    Numbers a and b are coprime if the only positive number that divides them both is 1

  • FFS Initialization

    Relies on some trusted person (the maker of the door in the cave, or Mallory to the left)

    Chooses two large primes p and q, and creates the product n = pq

    Creates a secret s that is coprime to n. Sends this to Alice

    Computes v = s^2 mod n. Sends this to Bob

  • FFS Procedure

    1. Alice chooses a random integer r and a sign c (-1 or 1), and computes x = c r^2 mod n. Alice sends x to Bob

    2. Bob chooses a from {0, 1} and sends a to Alice

    3. Alice computes y = r s^a mod n and sends this to Bob

    4. Bob checks that y^2 = +/- x v^a mod n

    Repeat this with different r, a values until Bob is satisfied

  • Example from Mohr

    p = 5, q = 7, n = pq = 35; Alice picks s = 16, so v = 11

    First Step

    Alice selects r = 10, c = 1, sends x = 30 to Bob

    Bob selects e = 0, so y = 10, and verifies y*y mod n = 30 (= x)

    Second Step

    Alice selects r = 20, c = 1, sends x = 15 to Bob

    Bob selects e = 1, so y = 5, and Bob verifies y*y mod n = 25 (= x*v mod n)
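The FFS procedure and Mohr's example above, worked through in Python as an added example (not code from the talk): it replays both rounds with n = 35, v = 11, and also plays the role of a prover who does not know s and must guess Bob's challenge bit in advance, which is the same one-bit-per-round argument the cave slides make. The function names and the seeded round simulation are this example's own.

```python
import random
from math import gcd

def ffs_setup(p, q, s):
    """Trusted setup (Mallory/Trent): n = p*q, secret s coprime to n, public v = s^2 mod n."""
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("s must be coprime to n")
    return n, (s * s) % n

def commit(n, r, c=1):
    """Alice's first message x = c * r^2 mod n, with sign c in {-1, +1}."""
    return (c * r * r) % n  # Python's % always yields a value in [0, n), even for c = -1

def respond(n, s, r, a):
    """Alice's answer y = r * s^a mod n to Bob's challenge bit a."""
    return (r * pow(s, a, n)) % n

def verify(n, v, x, a, y):
    """Bob accepts iff y^2 == +/- x * v^a (mod n)."""
    lhs = (y * y) % n
    rhs = (x * pow(v, a, n)) % n
    return lhs == rhs or lhs == (-rhs) % n

def cheat_commit(n, v, r, guess):
    """A prover who does NOT know s bets on Bob's challenge bit in advance:
    guess=0 -> x = r^2, guess=1 -> x = r^2 * v^-1 (v is invertible since gcd(s, n) = 1).
    Either way she later answers y = r, which verifies only if Bob's bit equals her guess."""
    x = (r * r) % n
    return x if guess == 0 else (x * pow(v, -1, n)) % n  # pow(v, -1, n) needs Python 3.8+

def run_rounds(n, v, s, rounds, seed, honest=True):
    """Count the rounds Bob accepts from an honest Alice (knows s) or a cheating one (s unused)."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(rounds):
        r, a = rng.randrange(1, n), rng.randrange(2)
        if honest:
            x, y = commit(n, r, rng.choice((-1, 1))), respond(n, s, r, a)
        else:
            x, y = cheat_commit(n, v, r, rng.randrange(2)), r % n
        accepted += verify(n, v, x, a, y)
    return accepted

if __name__ == "__main__":
    n, v = ffs_setup(5, 7, 16)  # Mohr's toy parameters: n = 35, v = 11
    print(verify(n, v, commit(n, 10), 0, respond(n, 16, 10, 0)))  # round 1: x = 30, y = 10 -> True
    print(verify(n, v, commit(n, 20), 1, respond(n, 16, 20, 1)))  # round 2: x = 15, y = 5 -> True
    print(run_rounds(n, v, 16, 200, 1), run_rounds(n, v, None, 200, 1, honest=False))
```

With a toy modulus like 35 the cheater's acceptance rate comes out somewhat above 1/2, because an r sharing a factor with n can make both sides of the check vanish modulo that factor; the 1/2-per-round bound from the cave slides is what you get with a real-size n.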

  • Matlab code for Fiat-Shamir

    % Matlab code for Fiat-Shamir
    Nmx = 16;
    pv = primes(Nmx);
    Np = length(pv);

    % Choose two large primes p,q and create n=p*q
    p = pv(ceil(rand*Np));
    q = pv(ceil(rand*Np));
    n = p*q;

    % Choose s to be coprime to n, i.e. gcd(n,s)=1
    pv = setdiff(setdiff(pv,p),q);
    Ns = length(pv);
    ps = pv(ceil(rand*Ns));
    qs = pv(ceil(rand*Ns));
    s = ps*qs;
    if gcd(s,n)~=1
      error('chose better s')
    end

    % Trent creates v = rem(s^2,n) and sends v to Bob
    v = rem(s*s,n);

    % Alice creates random integer r, and sign c, and sends x=rem(c*r^2,n) to Bob
    r = ceil(rand*Nmx);
    c = sign(randn);
    x = rem(c*r*r,n);

    % Bob chooses a from (0,1) and sends it to Alice
    a = round(rand);

    % Alice computes y = rem(r*s^a,n) and sends to Bob
    y = rem(r*s^a,n);

    % Bob checks that y^2 = +/- x*v^a rem n
    % (rem keeps the sign of its first argument, so abs absorbs the +/- when c=-1)
    yy = rem(y*y,n);
    xva = rem(x*v^a,n);
    if yy ~= abs(xva)
      error('Feige-Fiat-Shamir fails!')
    end

  • Applications

    Anonymous currency (Zerocash):

    Prove that you have a coin, without exposing your (pseudo) identity

    Prove that some transaction occurred, without exposing more details than you want

    Prove that you have at least N coins in your account, without disclosing the exact balance

    Voting: Proof that your vote was recorded accurately, without exposing your identity

    Prove that you have a credit score or reputation value of at least N, without disclosing your identity or exact credit score / reputation

  • Notes

    Ethereum: I'll talk more about this in another talk

    Interactive proofs described here; Zerocash uses non-interactive proofs

    ZKPs have a formal mathematical foundation that I did not go into

  • References

    "Zero Knowledge Twenty years after its introduction" by Oded Goldreich

    "How to Explain Zero-Knowledge Protocols to Your Children" by Frenchies

    "A Survey of Zero-Knowledge Proofs with Applications to Cryptography" by Austin Mohr

    "Alice and Bob" on Wikipedia