Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics


Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics
F. Prost, Frederic.Prost@ens-lyon.fr, Ecole Normale Supérieure de Lyon, July 2015

Introduction
Very powerful tool for cryptographers. At the heart of the privacy issue. Often misunderstood (the name is too well chosen). Origin in interactive proof systems: a prover tries to convince a verifier, through discussion, that he knows that some formula is true, beyond reasonable doubt. Interactive proofs, two approaches: Soundness (original problem): the prover tries to trick the verifier. What if you don't trust the verifier? ⇒ information leakage, e.g. Unix password storage. Thus we look for an interactive proof that convinces a verifier of the validity of an assertion but brings no information to the verifier.

Plan
1 Zero-Knowledge proofs intuitively
2 Knowledge complexity [Goldwasser et al., 1985]: Interactive Proofs; Knowledge Complexity Classes; Interactive Proof for Nonresidue Membership is in KC(0); Extension to all NP-languages
3 ZKP applications: Credentials; Group Signature; Anonymous Blacklisting
4 Conclusion

Zero-Knowledge proofs intuitively: How to explain ZKP to your children [Quisquater et al., 1989]
How to prove that you know something without revealing the something? Ali Baba and the magic cave.

Zero-Knowledge proofs intuitively: ZKP Quick Analysis
Based on a cut-and-choose approach. One can tune the reliability of the ZKP by: a more complicated cave (several tunnels); more repetitions of the challenge. Interactions can be done in parallel to accelerate the process. The proof of knowledge cannot be transmitted to others (it is easy to cheat).

Knowledge Complexity
The raw problem is to communicate a proof. Proofs are here probabilistic in nature ⇒ on an n-bit input we may erroneously be convinced of the correctness with small probability 1/2^n, and convinced with very high probability 1 − 1/2^n. Proofs are interactive: a kind of challenge-response scheme, as we have seen in cryptographic approaches. ZKP address this question: how much knowledge should be communicated for proving a theorem T? Knowledge complexity is a measure of the amount of additional knowledge (apart from the fact that the theorem is true) contained in proofs. Here theorems are membership in a language: typically, is x ∈ L?

Interactive Proofs: The NP Case and Interactive Turing Machines
An NP proof system consists of two communicating Turing machines: A, the prover, is exponential-time; B, the verifier, is polynomial-time. A and B are deterministic and interact together: on input x belonging to an NP language L, A computes y (polynomially bounded in the length of x; it is the certificate) and writes it down on a tape that B can read. B checks that f_L(y) = x, where f_L is a polynomial-time computable function relative to L (it checks the certificate, e.g. a Hamiltonian path). This only captures a particular way to communicate proofs: only proofs that can be written down in a book.

Interactive Proofs: Interactive Turing Machines
Here we deal with proofs that can be explained to a class. The proof is interactive because it can take advantage of the reactions of the people in the class (only answer the questions asked). What are the intuitive requirements for a theorem-proving procedure? 1 It is possible to prove a true statement. 2 It is impossible to prove a false statement. 3 Communicating the proof should be efficient: it does not matter how long the prover must compute to find the proof, but the computation required by the verifier should be easy.

Interactive Proofs: Interactive Turing Machines (figure)

Interactive Proofs: Interactive Proof-Systems
Definition (Interactive Proof System). Let L ⊆ {0, 1}*, and (A, B) an interactive pair of TMs. (A, B) is an interactive proof-system for L if A (the prover) has infinite power, B (the verifier) is polynomial-time, and they satisfy: 1 For x ∈ L, B halts and accepts with probability at least 1 − 1/n^k for each k and sufficiently large n. 2 For x ∉ L and any ITM A', running (A', B), B accepts with probability at most 1/n^k for each k and sufficiently large n. Remarks: n is the size of the input. Probabilities are taken only over B's random tape.

Interactive Proofs: Interactive Proof-System example
Let Z*_m be the set of integers in 1, ..., m relatively prime to m. a ∈ Z*_m is a quadratic residue modulo m if a = x^2 mod m for some x ∈ Z*_m; otherwise it is a quadratic nonresidue. L = {(m, x) | x ∈ Z*_m is a quadratic nonresidue}. L ∈ NP: the prover factors m and sends the factorization to the verifier (quadratic residuosity is easy to decide when the modulus is prime). But what about an interactive proof?

Interactive Proofs: Interactive Proof for Nonresidue Membership
Question: is (m, x) ∈ L? The verifier chooses n = |m| random members of Z*_m: {r_1, r_2, ..., r_n}. For each i, B flips a coin: heads: he computes t_i = r_i^2 mod m; tails: he computes t_i = x r_i^2 mod m. B sends {t_1, t_2, ..., t_n} to A. A, not restricted in computational power, finds which of the t_i are quadratic residues and tells B the results. If the information is correct, B accepts.

Interactive Proofs: Interactive Proof for Nonresidue Membership: correctness
Why is it correct? 1 If (m, x) ∈ L then A correctly predicts all n coin tosses of B, who will accept. 2 If (m, x) ∉ L, the t_i are random quadratic residues and the prover still responds correctly with probability 1/2^n, since A has probability exactly 1/2 of guessing each toss correctly.

Knowledge Complexity Classes
Communication is a tool for transferring/exchanging knowledge. 1 Knowledge is a notion relative to a specific model of computation. 2 One studies and gains knowledge about available objects. Here the participant trying to increase its knowledge is polynomially bounded. The intuitive idea is that knowledge has been transmitted if, within the limitation of its computational power, the verifier can distinguish between probability distributions.

Knowledge Complexity Classes: Distinguishers
For each x ∈ I of size n, let Π_x be a probability distribution over n^c-bit strings. Π = {Π_x | x ∈ I} is an I-c-ensemble. A distinguisher is a probabilistic polynomial-time algorithm D that, on an input string s, outputs a bit b. Let Π_1 = {Π_{1,x} | x ∈ I} and Π_2 = {Π_{2,x} | x ∈ I} be two I-c-ensembles. Let p^D_{x,i} (i ∈ {1, 2}) be the probability that D outputs 1 on input a |x|^c-bit string randomly selected according to Π_{i,x}. Π_1 and Π_2 are at most p-distinguishable, for p : N → [0, 1], if for all distinguishers D, |p^D_{x,1} − p^D_{x,2}| < p(|x|) + 1/|x|^k for all k and sufficiently long x. 0-distinguishability is when the two ensembles are equal with respect to any polynomial-time computation.

Knowledge Complexity Classes: Knowledge computable from Communication
Knowledge vs Information: if A sends B an n-bit random number, it is n bits of information but 0 knowledge (B could have chosen n random bits by himself). Let us write M[.] = {M[x]}_{x ∈ I} for the set of possible outputs of a probabilistic Turing machine M on input x ∈ I. Similarly, (A, B)[.] is the ensemble associated to an interactive pair of Turing machines (A, B). Definition. Let (A, B) be an interactive pair of Turing machines and I the set of inputs. Let B be polynomial-time and f : N → N be non-decreasing. A communicates at most f(n) bits of knowledge to B if there is a probabilistic polynomial-time machine M such that the I-ensembles M[.] and (A, B)[.] are at most 1 − 1/2^f(n) distinguishable. A communicates at most f(n) bits of knowledge if for all polynomial-time bounded ITMs B, A communicates at most f(n) bits of knowledge to B.

Knowledge Complexity Classes: Discussion
Assume a crime x has occurred. B is a reporter and A a police officer. A tries not to communicate too much knowledge. Should B call A to know more about x? ⇒ Not if B can, with high probability, produce by himself the same conversation about this specific x that he might have with A. ⇒ If B can generate an honest conversation only with probability 1/4, it means that A tells him something he doesn't know (2 bits of information). ⇒ If B has probability 1/2^100 of generating an honest conversation, then A tells a lot of information and B should definitely call!

Knowldege Complexity Classes Knowledge Complexity of a Language How much knowledge have to communicate to provide the proof of theorem T? = Enough to check that T is true but normally more. In the case of quadratic residues if one provides the square root of a, x it is enough. But it contains more information than the fact that a is a quadratic residue! What is going to be measured is the additional knowledge that a prover gives to the verfier. Definition Let L be a language possessing an interactive proof-systeme (A, B), let f : N N be non decreasing. L has knowledge complexity f ()n if, when restricting the inputs of (A, B) to the strings in L, A communicates at most f (n) bits of knowledge. It is written L KC(f (n)).. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 4 - Zero Knowledge July Proofs 2015 Mathematics 21 / 45

Knowledge Complexity Classes: Knowledge Complexity of a Language, Informal Discussion
This definition is made for yes-instances. If x ∈ L, the verifier is convinced of that. The verifier possesses the text of the entire computation. This text has been used to check that x ∈ L but does not contain more than f(n) bits of additional knowledge. Indeed there is a guarantee that we can generate such texts with a probability distribution that is (1 − 1/2^f(n))-indistinguishable from the real texts. If L ∈ KC(0), then for B (with respect to polynomial-time computation) the text is irrelevant for any purpose other than checking that x ∈ L.

Plan
1. Zero-Knowledge proofs intuitively
2. Knowledge complexity [Goldwasser et al., 1985]
   - Interactive Proofs
   - Knowledge Complexity Classes
   - Interactive Proof for Nonresidue Membership is in KC(0)
   - Extension to all NP-languages
3. ZKP applications
   - Credentials
   - Group Signature
   - Anonymous Blacklisting
4. Conclusion

Interactive Proof for Nonresidue Membership is in KC(0): ZKP for Nonresidue Membership
Q_m(y) = 0 if y is a quadratic residue mod m, and 1 otherwise.
L = {(y, m) | Q_m(y) = 1}.
We look for a ZKP to prove that L ∈ KC(0).
Q_m is easy to compute if m is prime, or equivalently if the factorization of m into prime factors is known. It relies on results from number theory (beyond the scope of this lecture).

Interactive Proof for Nonresidue Membership is in KC(0): Interactive program for Non-quadratic residue
Input: (y, m) ∈ L and n = log_2 m.
1. B chooses r_0 ∈ Z_m^* and a random bit C_x. If C_x = 0 then x = r_0^2 mod m, else x = y·r_0^2 mod m. B sends x to A. B chooses two sets
   T = {t_1, ..., t_n | t_i = r_i^2 mod m}
   S = {t_{n+1}, ..., t_{2n} | t_i = y·r_i^2 mod m}
   and sends T ∪ S, shuffled, to A.
2. A chooses Z ⊆ (T ∪ S) of size n and sends it to B.
3. For all z ∈ Z, B sends r to A such that z = r^2 mod m or z = y·r^2 mod m. Suppose that the sizes of T − Z and S − Z differ by d. B chooses d elements t_{i_1}, ..., t_{i_d} in the larger set and sends their respective r_{i_j}. B sets
   X = T − Z − {t_{i_1}, ..., t_{i_d}}
   Y = S − Z − {t_{i_1}, ..., t_{i_d}}
   If x = r_0^2 mod m then B forms
   X' = {r_0·r_i | t_i ∈ X} (A compares each square with x·t_i mod m)
   Y' = {y·r_0·r_i | t_i ∈ Y} (A compares each square with y·x·t_i mod m)
   If x = y·r_0^2 mod m then
   X' = {y·r_0·r_i | t_i ∈ X} (A compares each square with y·x·t_i mod m)
   Y' = {r_0·r_i | t_i ∈ Y} (A compares each square with x·t_i mod m)
   B sends X' ∪ Y' in random order to A.
4. A checks for all w ∈ X' ∪ Y' that either w^2 = x·t_i mod m or w^2 = y·x·t_i mod m for some t_i ∈ X ∪ Y, and that |X ∪ Y| > n/3. If not, B is trying to cheat. Otherwise A sends B the value v = Q_m(x).
5. If v ≠ C_x, B halts, detecting cheating; otherwise B iterates until n iterations have been completed (in this case B accepts (y, m) ∈ L).
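The five steps above, run end to end in Python as an added example (this is not code from the slides). It assumes the constructed toy primes 1009 and 1013 (far too small for real use) with y = 33 as the non-residue; the prover decides Q_m with Euler's criterion because it knows the factorisation, and each root w is derived from r_0, r_i and y so that w² is x·t_i or y·x·t_i. The names protocol, Qm, opens and demo are this example's own. Besides the honest run, the simulation shows what the checks are for: a prover that cannot decide residuosity is rejected, a residue y cannot be proved to be in L, and a verifier that sends an x it cannot open is caught at step 4 before the prover answers, so B cannot use A as a residuosity oracle.

```python
import random
from math import gcd

def legendre(a, p):
    """Euler's criterion for an odd prime p: 1 (square mod p), -1 (non-square), 0 (p | a)."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def Qm(a, p, q):
    """Q_m(a) of the slide for m = p*q: 0 if a is a quadratic residue mod m, 1 otherwise.
    It needs the factorisation of m, which is what the prover A knows and B does not."""
    return 0 if legendre(a, p) == 1 and legendre(a, q) == 1 else 1

def unit(rng, m):
    """Random element of Z_m^* (coprime to m)."""
    while True:
        r = rng.randrange(2, m)
        if gcd(r, m) == 1:
            return r

def opens(z, r, flag, y, m):
    """Does r open value z?  flag 0 means z = r^2, flag 1 means z = y*r^2 (mod m)."""
    return z == (r * r % m if flag == 0 else y * r * r % m)

def protocol(y, m, prover, rounds, rng, bad_verifier=False):
    """Run the slide's protocol on input (y, m).  prover(x) is A's answer v (an honest A
    returns Q_m(x)).  Returns 'accept', 'reject' (B caught a wrong v) or 'verifier_cheats'
    (A caught B sending an x that B cannot show was built as r0^2 or y*r0^2)."""
    n = m.bit_length()                               # n = log2 m
    for _ in range(rounds):
        # Step 1: B picks r0 and a secret bit c, x = r0^2 or y*r0^2, and 2n auxiliary
        # values: T (squares, flag 0) and S (y times squares, flag 1), shuffled together.
        r0, c = unit(rng, m), rng.randrange(2)
        x = r0 * r0 % m if c == 0 else y * r0 * r0 % m
        if bad_verifier:                             # B tries to use A as a residuosity oracle
            x = unit(rng, m)
        rs = [unit(rng, m) for _ in range(2 * n)]
        items = [(rs[i] * rs[i] % m, rs[i], 0) for i in range(n)] + \
                [(y * rs[i] * rs[i] % m, rs[i], 1) for i in range(n, 2 * n)]
        rng.shuffle(items)
        # Step 2: A asks B to open a random half Z of the 2n values.
        Z = set(rng.sample(range(2 * n), n))
        # Step 3: B opens Z, then opens d more from the larger of T\Z, S\Z so that |X| = |Y|.
        for i in Z:
            if not opens(*items[i], y, m):
                return "verifier_cheats"
        rest = [it for i, it in enumerate(items) if i not in Z]
        X = [it for it in rest if it[2] == 0]
        Y = [it for it in rest if it[2] == 1]
        big, d = (X, len(X) - len(Y)) if len(X) >= len(Y) else (Y, len(Y) - len(X))
        for it in big[:d]:
            if not opens(*it, y, m):
                return "verifier_cheats"
        del big[:d]
        # For every unopened t_i, B sends a root w with w^2 = x*t_i or w^2 = y*x*t_i.
        # With x = r0^2: t_i in T -> w = r0*r_i, t_i in S -> w = y*r0*r_i.
        # With x = y*r0^2: w = y*r0*r_i in both cases.  Shuffling hides which is which.
        ws = [r0 * r % m if (c == 0 and flag == 0) else y * r0 * r % m
              for (_, r, flag) in X + Y]
        ts = [t for (t, _, _) in X + Y]
        rng.shuffle(ws)
        # Step 4: A checks every root and that enough values stayed unopened (|X u Y| > n/3).
        if 3 * len(ws) <= n:
            return "verifier_cheats"
        for w in ws:
            w2 = w * w % m
            if not any(w2 == x * t % m or w2 == y * x * t % m for t in ts):
                return "verifier_cheats"
        v = prover(x)
        # Step 5: a prover who can really decide residuosity always answers v = c.
        if v != c:
            return "reject"
    return "accept"

# Constructed toy parameters, far too small for real use.
P_TOY, Q_TOY = 1009, 1013
M_TOY = P_TOY * Q_TOY
Y_NONRES = 33          # a non-square mod 1009 and mod 1013, so (33, M_TOY) is in L
Y_RES = 4              # 4 = 2^2 is a square, so (4, M_TOY) is not in L

def demo(rounds=30):
    rng = random.Random(2015)
    honest = lambda x: Qm(x, P_TOY, Q_TOY)           # A knows the factorisation
    guess = random.Random(1)
    guessing = lambda x: guess.randrange(2)          # A without the factorisation
    return {
        "honest prover, y non-residue": protocol(Y_NONRES, M_TOY, honest, rounds, rng),
        "honest prover, y residue": protocol(Y_RES, M_TOY, honest, rounds, rng),
        "guessing prover": protocol(Y_NONRES, M_TOY, guessing, rounds, rng),
        "verifier probes an arbitrary x": protocol(Y_NONRES, M_TOY, honest, rounds, rng, True),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case + ":", outcome)
```

A guessing prover is wrong in each round with probability 1/2, so after n rounds it survives with probability 2^-n; this is the soundness side. The |X ∪ Y| > n/3 test matters because a verifier who let almost everything be opened could pick the few remaining t_i so that the roots say nothing about how x was built.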


Extension to all NP-languages: ZKP for any NP-language
Thanks to the magic of NP-completeness one just needs to find a ZKP for an NP-complete problem!
Provided that one-way functions exist, any S ∈ NP has a zero-knowledge interactive proof.
Problem of graph three-colouring: given G = (V, E), is there φ : V → {1, 2, 3} such that for all (v_1, v_2) ∈ E, φ(v_1) ≠ φ(v_2)?
Repeat t = 4·|E| times:
1. The prover selects a permutation π on {1, 2, 3} and commits to π(φ(i)) for every vertex i.
2. The verifier selects e = (v_i, v_j) ∈ E.
3. The prover decommits the values for i and j sent at step one.
4. The verifier checks that the decommitment is correct and that the decommitted values are different.
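The four steps above as an added Python example (not from the slides). It assumes a SHA-256 hash commitment with a 16-byte random nonce as the commitment scheme (the slide fixes none), a constructed 7-edge graph, and the names three_colouring_proof, verify_round and simulated_view, which are this example's own. It also shows the zero-knowledge side of the argument: simulated_view builds a verifier's view of one round, commitments included, without any colouring at all.

```python
import hashlib
import random

def commit(value, nonce):
    """Hash commitment (assumed scheme; the slide fixes none): hiding because the 16-byte
    nonce is random, binding because finding another (value, nonce) pair with the same
    SHA-256 digest is infeasible."""
    return hashlib.sha256(nonce + bytes([value])).hexdigest()

def verify_round(commitments, edge, opened):
    """Verifier's step 4: both openings match their commitments and the colours differ."""
    i, j = edge
    for v in (i, j):
        colour, nonce = opened[v]
        if colour not in (1, 2, 3) or commit(colour, nonce) != commitments[v]:
            return False
    return opened[i][0] != opened[j][0]

def three_colouring_proof(vertices, edges, colouring, rng, rounds=None):
    """The slide's protocol: the prover holds colouring (vertex -> {1,2,3}), the verifier
    holds only the graph.  Returns True iff the verifier accepts every round (t = 4|E|)."""
    rounds = rounds or 4 * len(edges)
    for _ in range(rounds):
        # Step 1: prover picks a random permutation pi of the colours and commits to
        # pi(phi(i)) for every vertex i with a fresh nonce.
        pi = [1, 2, 3]
        rng.shuffle(pi)
        perm = {1: pi[0], 2: pi[1], 3: pi[2]}
        shown = {v: perm[colouring[v]] for v in vertices}
        nonces = {v: rng.randbytes(16) for v in vertices}
        commitments = {v: commit(shown[v], nonces[v]) for v in vertices}
        # Step 2: verifier picks an edge.  Step 3: prover opens only its two endpoints.
        edge = rng.choice(edges)
        opened = {v: (shown[v], nonces[v]) for v in edge}
        if not verify_round(commitments, edge, opened):
            return False
    return True

def simulated_view(vertices, edges, rng):
    """Why this is zero-knowledge: a simulator that guesses the verifier's edge in advance
    produces (commitments, edge, openings) distributed like a real round without knowing
    any colouring: two random distinct colours on the edge, commitments to garbage elsewhere."""
    edge = rng.choice(edges)
    i, j = edge
    colours = {v: rng.choice((1, 2, 3)) for v in vertices}
    colours[j] = rng.choice([c for c in (1, 2, 3) if c != colours[i]])
    nonces = {v: rng.randbytes(16) for v in vertices}
    commitments = {v: commit(colours[v], nonces[v]) for v in vertices}
    return commitments, edge, {v: (colours[v], nonces[v]) for v in edge}

# Constructed toy instance: a 5-cycle with two chords, 3-colourable.
VERTICES = [0, 1, 2, 3, 4]
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2), (1, 3)]
GOOD_COLOURING = {0: 1, 1: 2, 2: 3, 3: 1, 4: 2}
BAD_COLOURING = {0: 1, 1: 2, 2: 3, 3: 1, 4: 1}     # edges (3,4) and (4,0) are monochromatic

def demo():
    return {
        "honest prover, valid colouring": three_colouring_proof(
            VERTICES, EDGES, GOOD_COLOURING, random.Random(1)),
        # a cheating prover survives a round only if the verifier misses every bad edge
        "cheating prover, 400 rounds": three_colouring_proof(
            VERTICES, EDGES, BAD_COLOURING, random.Random(2), rounds=400),
        "simulated view verifies": verify_round(
            *simulated_view(VERTICES, EDGES, random.Random(3))),
    }
```

A prover with one monochromatic edge escapes a single round with probability 1 − 1/|E|, which is why the slide repeats 4·|E| times: the remaining cheating probability is about e^-4, and more rounds push it down geometrically. The fresh permutation π in every round is what stops the verifier from combining openings across rounds into the real colouring.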


ZKP applications, Credentials: Credential proofs
Sending login plus password exposes one to replay attacks.
One way to avoid the problem is to use a scheme with randomization and challenge/response.
It remains the case that the server knows who has logged in.
One of the features of ZKPs is that they are non-transferable (non-transmissible). From this point of view, ZKPs allow one to simulate physical keys: you can prove that you have the credentials without showing them, just as no one knows whether a physical key has been used or not.

ZKP applications, Credentials: Proof of Identity Based on Graph Isomorphisms
Alice wants to prove her identity by showing that she knows a Hamiltonian path of a big graph G (easy to build) without revealing the path.
Finding a Hamiltonian path is NP-complete.
The interactive ZKP plays like this:
- Alice produces a graph H isomorphic to G.
- Alice commits to H using a commitment scheme.
- Bob chooses one question among:
  1. Prove the graph isomorphism between G and H.
  2. Prove the Hamiltonian path in H.
- Alice complies with the question asked: first she reveals H, then:
  1. gives the isomorphism.
  2. gives the list of vertices making the Hamiltonian circuit.

ZKP applications, Credentials: Interactive Proofs of Knowledge [Feige et al., 1988]
Goldwasser's definition of interactive proofs of membership is based on language recognition: is x ∈ L true?
⇒ There is one bit of information leaked!
Feige, Fiat and Shamir give a more subtle definition: one may prove that one knows whether or not x ∈ L without revealing whether x ∈ L or x ∉ L.
Suppose that A wants to prove that he has settled Goldbach's conjecture. A wants to convince B without giving him the proof or a counterexample.

ZKP applications, Credentials: Feige-Fiat-Shamir Proof of Identity: Setup
- A trusted authority (TA) chooses n = pq such that n = 4r + 3 for some prime numbers p, q and some number r, and publishes it.
- Alice will prove to Bob that she knows whether a certain number is a quadratic residue or a quadratic non-residue modulo n.
- Alice chooses k random numbers S_1, ..., S_k in Z_n.
- Alice computes I_j, for j ∈ {1..k}, as ±(1/S_j^2) mod n.
- Alice publishes I_1, ..., I_k and keeps S_1, ..., S_k secret.

ZKP applications, Credentials: Feige-Fiat-Shamir Proof of Identity: Check
Repeat as many times as needed (t times):
1. Alice picks a random R and sends X = ±R^2 mod n.
2. Bob sends a random boolean vector (E_1, ..., E_k).
3. Alice sends Y = R · ∏_{E_j = 1} S_j mod n.
4. Bob checks that X = ±Y^2 · ∏_{E_j = 1} I_j mod n.
Good values for zero-knowledge: k = O(log log n), t = O(log n).


ZKP applications, Group Signature: Group Signature [Chaum and van Heyst, 1991, Bellare et al., 2003]
Originally [Chaum and van Heyst, 1991]. A group of participants has one manager and one public key gpk. Each member i of the group has a signing key with which it can produce a signature relative to gpk. The manager has a secret key gmsk with which, given a signature σ, it can extract the identity of the member who created σ (traceability); this is impossible for others (anonymity).
Security discussion: ZKP is only used in some subprotocols. The problem is to know what exactly the attack model is and how adversarial success is defined. Can the attacker see previous signatures? Can he have external information ruling out potential signers? Can he call the group manager? etc.


ZKP applications, Anonymous Blacklisting: Anonymous Blacklisting [Henry and Goldberg, 2011]
The problem raised by anonymous communications (as with Tor) can be the abusers: there is no way for service providers to make anonymous users accountable for their actions. Anonymous blacklisting systems (or anonymous revocation systems) cope with this problem, that is, they make it possible to revoke the access of any user who misbehaves without revealing their identity. There is a large literature on the subject. The protocols are complex and rely heavily on blind signatures and ZKP.
⇒ Same problem as with group signatures: hard to be convinced that it makes a fool-proof security certification.


Conclusion
Knowledge complexity is different from information content, computational complexity or algorithmic complexity. The terms can be misleading. Take care of the precise context and the precise list of hypotheses used when one talks about ZKP.
ZKP is a very powerful tool to prove some privacy properties.