Introductory Zero-Knowledge Proof
and its Extension to Boolean-Proof
Hiroaki ANADA
Dept. of Pure Mathematics, University of Calcutta
18 Dec 2015
1. Introductory Protocol of Zero-Knowledge Proof
Thief-Cop Protocol
(a variant of [0])
[0] “How to Explain Zero-Knowledge Protocols to Your Children”
Quisquater and Guillou, http://pages.cs.wisc.edu/~mkowalcz/628.pdf
Long, long ago, Thief was chased by Cop
• Went into a cave
• Two paths
• Door...
• Cop lost Thief..
• Thief used a magic word(!) to open & go through
The other day, Thief was chased by Cop
• Went into a cave
• Two paths
• Door...
• Cop lost Thief..
• Thief used a magic word(!) to open & go through
One day, finally Thief was caught by Cop
• Cop asked Thief for the magic word,
• but he refused…
• So, Cop asked:
“Prove that you know the magic word”
Prove that you know the magic word
• “Choose one path, Left or Right while I am away”
• Maybe, Thief chooses Left / Right at random
• “When “Left!”, come back from “Left””
• “When “Right!”, come back from “Right””
Cop: “Left” w. prob. 1/2
“Right” w. remain. prob. 1/2
Thief-Cop Protocol
• “Choose one path, Left or Right while I am away”
• “When “Left!”, come back from “Left””
• “When “Right!”, come back from “Right””
• By using the magic word, Thief always succeeds
“COMPLETE”
Thief-Cop Protocol
• “Choose one path, Left / Right while I am away”
• “When “Left!”, come back from “Left””
• “When “Right!”, come back from “Right””
• Suppose Thief does not know.
After k trials, Thief succeeds only with neg. prob. = (1/2)^k → 0 (k → ∞)
“SOUND”
Thief-Cop Protocol
• “Choose one path, Left / Right while I am away”
• “When “Left!”, come back from “Left””
• “When “Right!”, come back from “Right””
• Cop gets no info. on the magic word
“ZERO-KNOWLEDGE”
Thief-Cop protocol: Summary
1. COMPLETE
2. SOUND
3. ZERO-KNOWLEDGE
Under Three Properties, Protocol of Zero-Knowledge Proof
[Figure: Cop calls “Left!” or “Right!” with prob. 1/2 each; iteration...]
2. Fiat-Shamir Protocol of Zero-Knowledge Proof
Fiat-Shamir protocol
•2
Prover: : Verifier
�
� ∈� ℤ/�ℤ ≔ �2mod�
∈� {1,0}
If = 1, �: = ��mod�else = 0, � ≔ �mod� If �2 = � , then accept
else reject
� (�,�)
Repeat (k-times iteration)
�: “∃�, � = �2”
Fiat-Shamir protocol is COMPLETE
• If
Therefore, 2 2 2 2 1
• else , then
Therefore, 2 2 0
• In Both cases 2
� always accepts
COMPLETE
Fiat-Shamir protocol is SOUND
• Suppose ∀ 2
• Then ∀ PPT P∗:
• Pr[�2 ≠ �] = 1/2
• When iterated for k times,
Pr[�2 ≠ � for k times] = (1/2)^k → 0 (k → ∞)
Wrong statements are not accepted with non-neg. prob.
SOUND
Fiat-Shamir protocol is ZERO-KNOWLEDGE
• For ∀ PPT V∗, ∃ S: Simulator:
� �2 3
If V∗
Return
else Try again
S generates the transcript without the witness as if REAL
ZERO-KNOWLEDGE
On average two trials, because the challenge is ONLY 1 bit
V∗’s view is indistinguishable from S’s output ☺
Fiat-Shamir protocol is PROOF OF KNOWLEDGE
• For ∀ PPT P∗ s.t. P∗ makes V accept, ∃ E: PPT, Extractor:
E(�,�):
P∗(�, �)
� ≔89
8:, Return �
E returns the witness (employing P∗) with non-neg. prob.
PROOF OF KNOWLEDGE
�$ =�,�>
$
=�
= �
= 1�,
= 0�>
Rewind P∗
Fiat-Shamir protocol: Summary
1. COMPLETE
2. SOUND
3. ZERO-KNOWLEDGE
4. PROOF OF KNOWLEDGE
Under Four Properties, Protocol of Zero-Knowledge Proof of Knowledge
�
� ∈� ℤ/�ℤ ∶= �2
∈� {1,0} If = 1, �: = �� else = 0, �: = �
If �2 = �
then accept else reject
� (�,�)
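The four properties summarized above, worked through in code. This is an added Python example, not code from the slides: it runs the Fiat-Shamir rounds on a constructed toy modulus n = 1009·1013 with secret w = 12345 (both assumptions, far too small for real use), shows completeness, shows that a prover without w can only guess the 1-bit challenge in advance (the same (1/2)^k bound as Thief guessing Left/Right), builds the simulator's transcript without w, and extracts w by rewinding the prover to the same commitment and asking the other challenge.

```python
import math
import random

# Toy Fiat-Shamir identification parameters, constructed for illustration only:
# n = p*q is far too small for real use (real moduli are 2048+ bits).
N = 1009 * 1013
W = 12345                  # prover's secret: a square root of Y modulo N
Y = pow(W, 2, N)           # public statement: "I know w with w^2 = Y (mod N)"


def make_rng(seed):
    """Seeded randomness so that runs are reproducible."""
    return random.Random(seed)


def random_unit(n, rng):
    """Random element of (Z/nZ)*, so that modular inverses always exist."""
    while True:
        r = rng.randrange(2, n)
        if math.gcd(r, n) == 1:
            return r


def prover_commit(n, rng):
    """Step 1: prover picks random r and sends x = r^2 (mod n); r is kept."""
    r = random_unit(n, rng)
    return r, pow(r, 2, n)


def prover_respond(n, w, r, c):
    """Step 3: z = r if c == 0, z = r*w if c == 1 (mod n)."""
    return (r * pow(w, c, n)) % n


def verify(n, y, x, c, z):
    """Verifier's check: z^2 == x * y^c (mod n)."""
    return pow(z, 2, n) == (x * pow(y, c, n)) % n


def run_honest(n, w, y, rounds, rng):
    """Completeness: an honest prover passes every one of `rounds` rounds."""
    for _ in range(rounds):
        r, x = prover_commit(n, rng)
        c = rng.randrange(2)                       # verifier's 1-bit challenge
        if not verify(n, y, x, c, prover_respond(n, w, r, c)):
            return False
    return True


def cheating_round(n, y, guess, c, rng):
    """Soundness: a prover without w must guess the challenge before committing
    (like Thief guessing Left/Right). guess 0: honest x = r^2, z = r, which
    passes iff c == 0. guess 1: choose z first, send x = z^2 / y, answer z,
    which passes iff c == 1. Returns whether the verifier accepts."""
    if guess == 0:
        z, x = prover_commit(n, rng)
    else:
        z = random_unit(n, rng)
        x = (pow(z, 2, n) * pow(y, -1, n)) % n
    return verify(n, y, x, c, z)


def cheating_success_rate(n, y, rounds, trials, rng):
    """Fraction of trials in which a guessing prover survives `rounds` rounds;
    the exact probability is (1/2)^rounds, which vanishes as rounds grow."""
    wins = 0
    for _ in range(trials):
        if all(cheating_round(n, y, rng.randrange(2), rng.randrange(2), rng)
               for _ in range(rounds)):
            wins += 1
    return wins / trials


def simulate(n, y, c, rng):
    """Zero-knowledge: an accepting transcript (x, c, z) made without w, by
    choosing z first and solving x = z^2 * y^(-c) (mod n)."""
    z = random_unit(n, rng)
    x = (pow(z, 2, n) * pow(y, -c, n)) % n
    return x, c, z


def extract(n, y, x, z0, z1):
    """Proof of knowledge: accepting answers to the same x for c = 0 and c = 1
    give z0^2 = x and z1^2 = x*y, so z1/z0 is a square root of y."""
    assert verify(n, y, x, 0, z0) and verify(n, y, x, 1, z1)
    return (z1 * pow(z0, -1, n)) % n


def rewind_and_extract(n, w, y, rng):
    """The extractor runs the prover, rewinds it to the same commitment x
    (same r), and asks the other challenge."""
    r, x = prover_commit(n, rng)
    z0 = prover_respond(n, w, r, 0)                # first run, challenge 0
    z1 = prover_respond(n, w, r, 1)                # rewound run, challenge 1
    return extract(n, y, x, z0, z1)
```

Note how the simulator and the cheating prover are the same trick seen from two sides: choosing z before x is what lets the simulator produce a transcript with no witness, and it is also all a cheater can do, which is why a single round only gives 1/2 and the protocol needs the k-times repetition.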
3. Guillou-Quisquater Protocol of Zero-Knowledge Proof
No need of the k-times repetition
Guillou-Quisquater protocol
• �∗ H
Prover: : Verifier
�
� ∈� ℤ/�ℤ ≔ �I
∈� {0,1}^L
� ≔ ��3
If �I = � , then accept
else reject
� (�, I, �)
�: “∃�, � = �H”
(No Repeat)
Without the witness, P∗ succeeds ONLY WITH neg. prob. = (1/2)^L
not 1 bit, but L bits
Guillou-Quisquater protocol is COMPLETE
I H H H3 3
always accepts
COMPLETE
Guillou-Quisquater protocol is SOUND
• Suppose ∀ H
• Then ∀ PPT P∗:
• Pr[�I ≠ �] = (1/2)^L → 0 (L → ∞)
Wrong statements are not accepted with non-neg. prob.
SOUND
Guillou-Quisquater protocol is Honest-Verifier ZERO-KNOWLEDGE
• For ∀ PPT V, honest, ∃ S: Simulator
�J
�∗ H 3
Return
S generates the transcript without the witness as if REAL
HONEST-VERIFIER ZERO-KNOWLEDGE
S: the same dist. as Honest Verifier V
V’s view is indistinguishable from S’s output ☺
Guillou-Quisquater protocol is PROOF OF KNOWLEDGE
• For ∀ PPT P∗ s.t. P∗ makes V accept with non-neg. prob., ∃ E: PPT, Extractor
E(�, �)
P∗(�, �)
� ≔8
8M
,/(3N3O), Return �
E returns the witness (employing P∗) with non-neg. prob.
PROOF OF KNOWLEDGE
�H =�
�′
H
= �
�
′�′
Rewind P∗
∈� {0,1}^L
′ ∈� {0,1}^L
Guillou-Quisquater protocol: Summary
1. COMPLETE
2. SOUND
3. HONEST-VERIFIER ZERO-KNOWLEDGE
4. PROOF OF KNOWLEDGE
Under Four Properties, Protocol of Honest-Verifier Zero-Knowledge Proof of Knowledge
�
� ∈� ℤ/�ℤ ∗
∶= �I
∈� {0,1}^L
�:= ��
If �I = �
accept; else reject
� (�, I, �)
Abstraction of Guillou-Quisquater
• GQ-protocol = (Σ1, Σ2, Σ3, Σvrfy) is:
HV-ZKPOK
with Extractor & Simulator: Σext, Σsim
�
← Σ2(a)
� ← Σ3(�, �, , )
If Σvrfy(�,�; , , �) = 1, then accept; else reject
� �
← Σ1(�, �)
Summary: “Σ-protocol”
• Σ-protocol = (Σ1, Σ2, Σ3, Σvrfy) is:
HV-ZKPOK
with Extractor & Simulator: Σext, Σsim
: statement
: witness
�
← Σ2(a)
� ← Σ3(�, �, , )
If Σvrfy(�,�; , , �) = 1, then accept; else reject
� �
← Σ1(�, �)
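The Guillou-Quisquater protocol written as the Σ-protocol (Σ1, Σ2, Σ3, Σvrfy) with Σsim and Σext, as an added Python example that is not code from the slides. It assumes a constructed toy modulus n = 1009·1013, the prime exponent e = 65537, L = 16 challenge bits (so that 2^L < e) and secret w = 4242; all of these are illustration values, far too small for real use. The extractor is the standard one for GQ: two accepting transcripts on the same commitment with different challenges give (z/z')^e = y^(c-c'), and since e is prime and |c-c'| < e, an extended-Euclid combination recovers w without any repetition.

```python
import math
import random

# Toy GQ parameters, constructed for illustration (far too small for real use).
N = 1009 * 1013            # RSA-type modulus n
E = 65537                  # prime exponent e; Σext below relies on e being prime
L = 16                     # challenge bits; 2^L < E so that 0 < |c - c'| < E
W = 4242                   # prover's secret: an e-th root of Y modulo N
Y = pow(W, E, N)           # public statement: "I know w with w^e = Y (mod N)"


def make_rng(seed):
    return random.Random(seed)


def random_unit(n, rng):
    """Random element of (Z/nZ)*, so modular inverses exist."""
    while True:
        r = rng.randrange(2, n)
        if math.gcd(r, n) == 1:
            return r


def sigma1(n, e, rng):
    """Σ1: commitment a = r^e; the prover keeps r as its state."""
    r = random_unit(n, rng)
    return r, pow(r, e, n)


def sigma2(rng):
    """Σ2: the honest verifier's L-bit challenge."""
    return rng.randrange(1 << L)


def sigma3(n, w, r, c):
    """Σ3: response z = r * w^c."""
    return (r * pow(w, c, n)) % n


def sigma_vrfy(n, e, y, a, c, z):
    """Σvrfy: accept iff z^e == a * y^c."""
    return pow(z, e, n) == (a * pow(y, c, n)) % n


def sigma_sim(n, e, y, c, rng):
    """Σsim: an accepting (a, c, z) for a chosen c, without the witness:
    pick z first and solve a = z^e * y^(-c)."""
    z = random_unit(n, rng)
    return (pow(z, e, n) * pow(y, -c, n)) % n, c, z


def egcd(a, b):
    """Extended Euclid on non-negative ints: (g, s, t) with s*a + t*b == g."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def sigma_ext(n, e, y, a, c1, z1, c2, z2):
    """Σext: two accepting transcripts on the same a with c1 != c2 give
    (z1/z2)^e = y^(c1-c2). Since e is prime and 0 < |c1-c2| < e, there are
    alpha, beta with alpha*e + beta*(c1-c2) = 1, and then
    w = y^alpha * (z1/z2)^beta satisfies w^e = y^(alpha*e + beta*(c1-c2)) = y."""
    assert c1 != c2
    assert sigma_vrfy(n, e, y, a, c1, z1) and sigma_vrfy(n, e, y, a, c2, z2)
    d = c1 - c2
    g, alpha, beta = egcd(e, abs(d))
    assert g == 1
    if d < 0:
        beta = -beta                     # keep alpha*e + beta*d == 1
    q = (z1 * pow(z2, -1, n)) % n
    return (pow(y, alpha, n) * pow(q, beta, n)) % n


def run_gq(n, e, y, w, rng, c=None):
    """One honest run; `c` can be fixed for testing, otherwise Σ2 draws it."""
    r, a = sigma1(n, e, rng)
    if c is None:
        c = sigma2(rng)
    return sigma_vrfy(n, e, y, a, c, sigma3(n, w, r, c))


def rewind_and_extract(n, e, y, w, rng):
    """Run the prover, rewind to the same a, and pose a different challenge."""
    r, a = sigma1(n, e, rng)
    c1 = sigma2(rng)
    c2 = sigma2(rng)
    while c2 == c1:
        c2 = sigma2(rng)
    return sigma_ext(n, e, y, a, c1, sigma3(n, w, r, c1), c2, sigma3(n, w, r, c2))
```

With these toy parameters gcd(e, φ(n)) = 1, so e-th roots modulo n are unique and Σext returns exactly w; a challenge space of L bits is what replaces the k-times repetition of Fiat-Shamir, since a prover without w now has to guess all L bits at once.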
4. Boolean-proof
“Expressive” Proof-Technique
What is AND-proof?
• Run two Σ-protocols = (Σ1, Σ2, Σ3, Σvrfy) in parallel with a single challenge
(�1, �2) (�1, �2)
1, 2
1, �1, 2, �2
1 ← Σ1(�1, �1)
2 ← Σ1(�2, �2)
← Σ2(a)
�1 ← Σ3(�1, �1, 1, )
�2 ← Σ3(�2, �2, 2, )
ΣVrfy(�1, 1, 1, h1) ∧ ΣVrfy(�2, 2, 2, h2)
Two statements, Two witnesses
AND-proof: both 1 and 2
: AND-proof protocol
Proving Knowledge of both 1 and 2 for a single AND-formula 1 ∧ 2
HV-ZKPOK
[Figure: AND tree with leaves 1 and 2, both checked]
What is OR-proof?
• Divide the challenge, using Σsim
(�1, �2) �1
1, 2
1, �1, 2, �2
1 ← Σ1(�1, �1)
2 ← Σ2(a), (2, �2) ← Σsim(�2, 2)
← Σ2(a)
1 := ⊕ 2
�1 ← Σ3(�1, �1, 1, 1)
ΣVrfy(�1, 1, 1, h1) ∧ ΣVrfy(�2, 2, 2, h2)
Commitment
Two statements, One witness
OR-proof: either 1 or 2 or both
: OR-proof protocol [1][2]
Proving Knowledge of either 1 or 2 or both for a single OR-formula 1 ∨ 2
HV-ZKPOK & WI
[Figure: OR tree with leaves 1 and 2; leaf 1 checked]
[1] “Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols”
Cramer, Damgård, Schoenmakers, CRYPTO’94
[2] “On Sigma Protocols”
Damgård, survey: http://www.cs.au.dk/~ivan/Sigma.pdf
WI: witness indistinguishable;
“Which one was used, (�1, −) or (−, �2)?”
“Indistinguishable” ☺
What is Boolean-proof? [1][3][4]
• Boolean formula: v1 ∧ ((v2 ∧ v3) ∨ v4)
Proving Knowledge of witnesses for a Boolean formula
HV-ZKPOK & WI
[Figure: formula tree ∧(v1, ∨(∧(v2, v3), v4)); leaves 1 and 4 checked, so the root is satisfied]
[1] “Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols”
Cramer, Damgård, Schoenmakers, CRYPTO’94
[3] “Generalized Secret Sharing and Monotone Functions”
Benaloh and Leichter, CRYPTO’88
[4] “Attribute-Based Signatures without Pairings via the Fiat-Shamir Paradigm”
Anada, Arita and Sakurai, AsiaPKC2014
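The AND-proof, the OR-proof and the Boolean-proof above are three instances of one construction, and this added Python example (not code from the slides or from [1][3][4]) carries it through for the general monotone formula, with the slides' formula v1 ∧ ((v2 ∧ v3) ∨ v4) as the worked case. The verifier's challenge is pushed down the formula tree exactly as on the two slides: under an AND node every child must answer the node's own challenge, under an OR node the children's challenges XOR to the node's (c1 := c ⊕ c2), so a subtree the prover cannot prove gets its challenge chosen in advance and is simulated with Σsim, while a satisfied branch answers for real. The leaf protocol is the same toy GQ instance as in the GQ example (constructed n = 1009·1013, e = 65537, 16-bit challenges, constructed witnesses), reproduced here so the block runs on its own; having the verifier recompute the root challenge from the leaf challenges, instead of receiving the shares explicitly, is a design choice of this example.

```python
import random
from functools import reduce
from operator import xor

# Toy GQ leaf Σ-protocol (same interface as the GQ example above), constructed
# for illustration and far too small for real use.
N, E, L = 1009 * 1013, 65537, 16          # modulus, prime exponent, challenge bits

def gq_commit(rng):                       # Σ1: (state r, a = r^e)
    r = rng.randrange(1, N)
    return r, pow(r, E, N)
def gq_respond(w, r, c):                  # Σ3: z = r * w^c
    return (r * pow(w, c, N)) % N
def gq_verify(y, a, c, z):                # Σvrfy: z^e == a * y^c
    return pow(z, E, N) == (a * pow(y, c, N)) % N
def gq_sim(y, c, rng):                    # Σsim: (a, z) accepting for a chosen c
    z = rng.randrange(1, N)
    return (pow(z, E, N) * pow(y, -c, N)) % N, z

# A monotone formula: an int leaf (statement index) or ("AND"|"OR", *children).
FORMULA = ("AND", 1, ("OR", ("AND", 2, 3), 4))      # v1 ∧ ((v2 ∧ v3) ∨ v4)

def satisfied(node, known):               # do the known leaves satisfy this subtree?
    if isinstance(node, int):
        return node in known
    op, kids = node[0], node[1:]
    return (all if op == "AND" else any)(satisfied(k, known) for k in kids)

def commit(node, ys, known, rng, fixed=None):
    # `fixed`: challenge an unprovable subtree must answer, so it is simulated now;
    # None: the subtree is satisfied and answers the real challenge in respond().
    if isinstance(node, int):
        if fixed is None:
            r, a = gq_commit(rng)
            return {node: a}, ("real", r)
        a, z = gq_sim(ys[node], fixed, rng)
        return {node: a}, ("sim", fixed, z)
    op, kids = node[0], node[1:]
    comms, states, shares, real = {}, [], {}, None
    if op == "OR":
        # Children XOR to the node's challenge (c1 := c ⊕ c2 on the OR slide):
        # one satisfied child stays real, every other child gets its share now.
        if fixed is None:
            real = next(i for i, k in enumerate(kids) if satisfied(k, known))
        for i in range(len(kids)):
            if i != real:
                last = fixed is not None and i == len(kids) - 1
                shares[i] = fixed ^ reduce(xor, shares.values(), 0) if last else rng.randrange(1 << L)
    for i, k in enumerate(kids):
        # AND: every child answers the node's own challenge, fixed or real.
        sub = fixed if op == "AND" else (None if i == real else shares[i])
        cm, st = commit(k, ys, known, rng, sub)
        comms.update(cm)
        states.append(st)
    return comms, (op, states, real, shares)

def respond(node, ws, state, c):
    # Push challenge c down the tree; returns {leaf: (c_leaf, z_leaf)}.
    if isinstance(node, int):
        if state[0] == "real":
            return {node: (c, gq_respond(ws[node], state[1], c))}
        assert c == state[1]                # simulated leaf: c was fixed in advance
        return {node: (c, state[2])}
    op, states, real, shares = state
    out = {}
    for i, (k, st) in enumerate(zip(node[1:], states)):
        if op == "AND":
            c_i = c
        elif i == real:
            c_i = c ^ reduce(xor, shares.values(), 0)   # real child absorbs the rest
        else:
            c_i = shares[i]
        out.update(respond(k, ws, st, c_i))
    return out

def implied_challenge(node, resp):
    # Verifier: recompute a node's challenge from the leaf challenges
    # (AND children must agree, OR children XOR); None if inconsistent.
    if isinstance(node, int):
        return resp[node][0]
    cs = [implied_challenge(k, resp) for k in node[1:]]
    if None in cs:
        return None
    if node[0] == "AND":
        return cs[0] if all(x == cs[0] for x in cs) else None
    return reduce(xor, cs, 0)

def verify(formula, ys, comms, c, resp):
    leaves_ok = all(gq_verify(ys[i], comms[i], ci, zi) for i, (ci, zi) in resp.items())
    return leaves_ok and implied_challenge(formula, resp) == c

def run_boolean_proof(formula, ys, ws, seed):
    # One interaction; `ws` holds only the witnesses the prover knows.
    # Returns (accepted, commitments, challenge, responses).
    rng = random.Random(seed)
    known = set(ws)
    if not satisfied(formula, known):
        return False, None, None, None
    comms, state = commit(formula, ys, known, rng)
    c = rng.randrange(1 << L)                        # verifier's challenge
    resp = respond(formula, ws, state, c)
    return verify(formula, ys, comms, c, resp), comms, c, resp

ALL_W = {1: 4242, 2: 5151, 3: 6161, 4: 7171}     # constructed e-th roots
YS = {i: pow(w, E, N) for i, w in ALL_W.items()}  # the prover is given only some
```

Handing the prover only {1, 4} reproduces the slide's checked leaves: v1 answers for real, v4 answers for real, and the unprovable ∧(v2, v3) branch receives a share chosen before the challenge and is simulated. A prover holding {2, 3, 4} but not v1 cannot even start, because the AND at the root leaves no share to fix in advance, which is exactly the soundness the Benaloh-Leichter sharing of [3] gives this composition.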
Wrap Up
1. Thief-Cop Protocol
2. Fiat-Shamir Protocol
3. Guillou-Quisquater Protocol
4. Boolean-Proof protocol
References
[0] “How to Explain Zero-Knowledge Protocols to Your Children”
Quisquater and Guillou, http://pages.cs.wisc.edu/~mkowalcz/628.pdf
[1] “Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols”
Cramer, Damgård, Schoenmakers, CRYPTO’94
[2] “On Sigma Protocols”
Damgård, survey paper: http://www.cs.au.dk/~ivan/Sigma.pdf
[3] “Generalized Secret Sharing and Monotone Functions”
Benaloh and Leichter, CRYPTO’88
[4] “Attribute-Based Signatures without Pairings via the Fiat-Shamir Paradigm”
Anada, Arita and Sakurai, AsiaPKC2014
Thanks