A mostly non-technical intro to zero-knowledge proofs, including the Fiat-Shamir protocol.
Zero-Knowledge Proofs and Fiat-Shamir ID Protocol
Christian Peel
What the #$%!! is a Zero-Knowledge Proof?
Alice wants to prove to Bob that she knows a secret without revealing what it is!
Bob also wants to believe Alice's proof
Solution is probabilistic; Bob can trust Alice's proof with high confidence
A Cave Like Ali Baba's
A cave has a circular shape, with a locked door at the far side, away from the entrance
From "How to explain Zero-Knowledge Proofs to your Children", by Quisquater et al.
Alice and Bob in a Cave
Alice wants to prove to Bob that she knows the magic password to a door in a cave
1. Alice randomly takes path A or B, while Bob waits outside
2. Bob yells to Alice to tell her which route to exit by
3. If needed Alice opens, then re-locks the door. She reliably exits by the path that Bob requests
More on Alice and Bob in a Cave
If Alice doesn't know the password, she will only be able to return by the correct path half of the time, and with multiple tries, Bob will (hopefully) decide that she's a liar
Bob can know that after N successful tries, the probability that Alice is lying is 1/2^N
Feige-Fiat-Shamir Identification Protocol
Feige, Fiat, and Shamir are Israeli computer scientists (what is up with all the Israeli cryptographers?!!)
They got grief from the US Patent office who wanted to keep the technique we describe here a secret, but it blew over quickly :-)
Shamir is the S in RSA
It's the same scenario as the cave, except that instead of a secret password, Alice has some secret numbers s_i that she wants to prove that she has, without revealing the numbers
Background for Following
The notation y = x mod n means y is the remainder after dividing x by n
Given two large primes p,q, and n=pq, then it is hard to find sqrt(x) mod n without knowing p or q
Numbers a and b are coprime if the only positive number that divides them both is 1
FFS Initialization
Relies on some trusted person (the maker of the door in the cave, or Mallory to the left)
Chooses two large primes p and q, and creates the product n=pq
Creates a secret s that is coprime to n. Sends this to Alice
Computes v = s^2 mod n. Sends this to Bob
FFS Procedure
1. Alice chooses a random integer r and a sign c (-1 or 1), and computes x = c*r^2 mod n. Alice sends x to Bob
2. Bob chooses a from {0,1} and sends a to Alice
3. Alice computes y = r*s^a mod n and sends this to Bob
4. Bob checks that y^2 = +/- x*v^a mod n
Repeat this with different r, a values until Bob is satisfied
Example from Mohr
p=5, q=7, n=pq=35; Alice picks s = 16, so v=11
First Step
Alice selects r=10, c=1, sends x=30 to Bob
Bob selects e=0 (the challenge bit, called a above), so y=10, and verifies y*y mod n = 30
Second Step
Alice selects r=20, c=1, sends x = 15 to Bob
Bob selects e=1, so y=5, and Bob verifies y*y mod n = 25
% Matlab code for Fiat-Shamir
Nmx = 16;
pv = primes(Nmx);
Np = length(pv);

% Choose two distinct primes p,q (tiny here, large in practice) and create n=p*q
idx = randperm(Np, 2);
p = pv(idx(1));
q = pv(idx(2));
n = p*q;

% Choose s to be coprime to n, i.e. gcd(n,s)=1
pv = setdiff(setdiff(pv,p),q);
Ns = length(pv);
ps = pv(ceil(rand*Ns));
qs = pv(ceil(rand*Ns));
s = ps*qs;

if gcd(s,n)~=1
    error('chose better s')
end

% Trent creates v = rem(s^2,n) and sends v to Bob
v = rem(s*s,n);

% Alice creates random integer r, and sign c, and sends x=rem(c*r^2,n) to Bob
r = ceil(rand*Nmx);
c = sign(randn);
x = rem(c*r*r,n);

% Bob chooses a from {0,1} and sends it to Alice
a = round(rand);

% Alice computes y = rem(r*s^a,n) and sends to Bob
y = rem(r*s^a,n);

% Bob checks that y^2 = +/- x*v^a rem n
yy = rem(y*y,n);
xva = rem(x*v^a,n);

if yy ~= abs(xva)
    error('Feige-Fiat-Shamir fails!')
end
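The cave's 1/2^N argument carried over to the FFS procedure, as an added Python example that is not part of the original slides: it shows why Bob's bit a must be unpredictable and sent only after x, and why he repeats the round. It uses the toy values n=35, s=16, v=11 from the Mohr example; all function names are assumptions made for this illustration.

```python
import itertools
import math
import secrets

MOD, S, V = 35, 16, 11  # toy values from the Mohr example: n = 5*7, v = s^2 mod n

def rand_unit(n=MOD):
    """Random r in [1, n-1] that is coprime to n."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r

def bob_accepts(x, a, y, v=V, n=MOD):
    """Bob's check from step 4: y^2 = +/- x * v^a (mod n)."""
    lhs = y * y % n
    rhs = x * pow(v, a, n) % n
    return lhs in (rhs, -rhs % n)

def honest_round(a, s=S, n=MOD):
    """Alice knows s: x does not depend on a, so either challenge is answered."""
    r = rand_unit(n)
    x = secrets.choice((-1, 1)) * r * r % n
    y = r * pow(s, a, n) % n
    return bob_accepts(x, a, y)

def cheater_round(a, guess, v=V, n=MOD):
    """Prover without s: has to bet on Bob's bit before committing to x."""
    r = rand_unit(n)
    x = r * r * pow(v, -guess, n) % n  # only verifies with y = r if a == guess
    return bob_accepts(x, a, r)

def surviving_challenges(guesses):
    """Of all 2^N challenge strings, count those a fixed guess string survives."""
    return sum(
        all(cheater_round(a, g) for a, g in zip(challenges, guesses))
        for challenges in itertools.product((0, 1), repeat=len(guesses))
    )

if __name__ == "__main__":
    print("honest, a=0 and a=1:", honest_round(0), honest_round(1))
    print("cheater survives", surviving_challenges((0, 1, 1, 0)), "of", 2 ** 4)
```

The modular inverse via `pow(v, -guess, n)` needs Python 3.8 or later.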
Applications
Anonymous currency (Zerocash): Prove that you have a coin, without exposing your (pseudo) identity
Prove that some transaction occurred, without exposing more details than you want
Prove that you have at least N coins in your account, without disclosing the exact balance
Voting: Proof that your vote was recorded accurately, without exposing your identity
Prove that you have a credit score or reputation value of at least N, without disclosing your identity or exact credit score / reputation
Notes
Ethereum: I'll talk more about this in another talk
Interactive proofs described here; Zerocash uses non-interactive proofs
ZKPs have a formal mathematical foundation that I did not go into
References
"Zero Knowledge Twenty years after its introduction" by Oded Goldreich
"How to Explain Zero-Knowledge Protocols to Your Children" by Frenchies
"A Survey of Zero-Knowledge Proofs with Applications to Cryptography" by Austin Mohr
"Alice and Bob" on Wikipedia