Zero Knowledge Proofs

1
Zero Knowledge Proofs
Chongkyung Kil
Slides are revised from class materials by
Vivek Haldar, Matthew Pouliotte, and Anthony
Pringle.
Security Reading Group Sep 8, 2006
2
Overview

• Some theory and motivation
• What is a proof?
• What is knowledge?
• Interactive proofs
• Zero knowledge proofs
• ZKP and NP languages
• Applications
• Brainstorming

3
Motivation

• Two millionaire problem
• Alice and Bob are two millionaires who want to
  find out which is richer without revealing the
  amount of their wealth (money!!!)
• Need verifiable communication among mutually
  distrusting parties

4
Key Point

• To show possession of a secret to another party
  without giving away the secret

5
Ali Babas Cave

• Alice wants to prove to Bob that she knows how to
  open the secret door between A and B.
• Alice and Bob go to cave
• Alice goes to A or B
• Bob tells Alice to come from A or B
• If Alice knows the secret, she can appear from
  the correct side of the cave every time
• Bob repeats as many times until he believe Alice
  knows to open the secret door
• How about Trudy?

6
What is proof?

• In mathematics a fixed sequence of statements
  flowing logically
• In real life proofs have a much wider meaning
• Not fixed, but rather a process by which validity
  is established
• E.g. cross-examination of a witness

7
What is knowledge?

• Tough question
• But, in ZKP, we define a gain of knowledge
• With respect to computational ability
• Bob gains knowledge after interacting with Alice
  if
• He can easily compute something that was tough
  for him earlier (Since Alice let him know the way
  of doing it!)

8
Introduction to Interactive Proofs

• Prover (P) tries to prove some fact to a verifier
• Verifier (V) either accepts or rejects the
  provers proof
• To prove is to convince the verifier of some
  assertion
• Prove that you know a secret value s
• Each party in the protocol does the following
• receive a message from the other party
• perform a private computation
• send a message to the other party
• Repeats t number of rounds

9
Interactive Proof Protocol
P Prover
V Verifier
Common Inputs
Common Inputs
Random Value
Challenge
Response
Repeats t number of rounds

• Prover and verifier share common inputs
  (functions or values)
• The protocol yields Accept if every Response is
  accepted by the Verifier
• Otherwise, the protocol yields Reject

10
Properties of Interactive Proofs

• Completeness
• If the statement is true, the honest verifier
  will be convinced of this fact by an honest
  prover.
• Soundness
• If the statement is false, no cheating prover can
  convince the honest verifier that it is true,
  except with some small probability.

11
Properties of Interactive Proofs (Cont.)

• Completeness
• Prob(P,V)(x) Accept x Î L e
• Soundness
• Prob(P,V)(x) Accept x Ï L d
• Where
• e Î (½,1 d Î 0,½)
• L is a language over 0,1
• (P,V) is an Interactive Proof Protocol involving
  P and V

12
Zero Knowledge Proofs

• Instances of interactive proofs with the
  following properties
• Completeness true theorems are provable
• Soundness false theorems are not provable
• No information about the provers private input
  (secret) is revealed to the verifier implication
  of the zero-knowledge property

13
Zero Knowledge Property

• A transcript is the collection of messages
  resulting from the protocol execution
• Random1,Challenge1,Response1,Random2,Challenge2,Re
  sponse2, , Randomm,Challengem,Responsem
• A simulator is a polynomial-time algorithm that
  generates false transcripts without the prover
  which are identical to the genuine.
• Random1,Challenge1,Response1,Random2,Challenge2,Re
  sponse2, , Randomm,Challengem,Responsem
• An interactive proof has the zero knowledge
  property if a simulator exists for the proof

14
ZKP and NP

• So how we design a simulator for ZKP?

15
ZKP and NP

• Big News!
• Every language in NP has a zero knowledge proof!
• What is NP?

16
Theory of Computation 101

• NP Nondeterministically Polynomial
• A problem is said to be NP if we can find a
  nodeterminsitic Turing machine that can solve the
  problem in a polynomial number of
  nondeterministic moves
• It takes exponential time to prove/find a
  solution, but it takes polynomial time to verify
  the correctness of a candidate solution.

17
Theory of Computation 101
NP search tree

Solution!

Mostly dead ends
Hard to find a solution by just searching the
tree!
18
Theory of Computation 101
NP search tree
But if you just tell me the path in the search
tree that led to a solution, I can check it
easily!

Solution!

Mostly dead ends
19
Theory of Computation 101

• Known NP Problems
• Hamilton cycle for a large graph
• Graph coloring
• Quadratic nonresidue
• Circuit satisfiability
• Vertex-cover
• Knapsack
• Subset-sum

20
ZKP Example Hamiltonian cycle
P Alice
V Bob
Common Inputs
Common Inputs G(secret)
H (isomorphic to G)
Challenge Show the isomorphism between H and
G? Show a Hamilton cycle in H?
Response Vertex translations H.Cycle onto H
verify
Repeats t number of rounds
Accept / Reject
Alice never reveal the secret G
21
Graph Isomorphism
G
H
Tada! f(a) 1 f(b) 6 f(c) 8 f(d) 3 f(g)
5 f(h) 2 f(i) 4 f(j) 7
22
ZKP Applications

• Mainly used in the identification
• Fiat-Shamir Identification Protocol
• Quadratic nonresidues mod m
• Similar to PKI
• Schnorrs Identification Protocol
• Zero-knowledge password proof (ZKPP)
• Still in draft IEEE P1363.2 Password-Based
  Public-Key Cryptography
• Also used in other area
• Direct Anonymous Attestation

23
Conclusions, But Not the end of the talk

• Special case of interactive proofs
• Zero knowledge proofs offer a way to prove
  knowledge to someone without transferring any
  additional knowledge to that person
• Can be used to prove identity
• Basic premise used in all PKIs

24
Brainstorming

• Develop a lightweight ZKP for software
  attestation (Program Integrity) for embedded
  systems.

25
Brainstorming (Cont.)

• Here is the problem
• Embedded Systems/Devices are everywhere
• Handheld devices (telcomm, PDAs, palmtops), smart
  sensors and actuators (military and industry)
• Games and entertainment
• Smart cars, homes/buildings
• Embedded medical devices
• Ad hoc networks of sensors and actuators
• Soon they will be connected and integrated for
  easy maintenance and efficiency

26
Brainstorming (Cont.)

• Remote Attestation is critical
• To trust who they are (identification)
• To trust their report (from sensors)
• To make sure they are not compromised (platform
  integrity)
• To make sure they have right applications

???
2
2
1
1? 2? 3?
1
1
1
2
3
3
Base Station
27
Brainstorming (Cont.)

• Current approaches
• Local attestation techniques
• SWATT use pseudo-random memory address walk
• PIONEER use verifiable code (checksum hash)
• BIND use annotation sand-box hw-based crypto
  computation
• TCG proposed direct anonymous attestation (DAA),
  2004
• Use TPM with a ZKP
• Too much computation modular computation
• Remote Software-based attestation by Yongdae Kim
  et al. (2005)
• A sensor hides the key somewhere in the image
• Verifier sends a encrypted verification code
• Prover sends back the hash of the image according
  to the code

28
Brainstorming (Cont.)

• Current approaches
• Attestation pool by Maurizio Colleluori, 2006
• A device store a set of keys
• Require key server with good key management
• PIV (Program Integrity Verification) by Kang G
  Shin, 2006
• Use mobile agent (maybe another sensor) as
  verifier
• Verifier can be the single point of failure (DoS)
• Semantic attestation
• Does not depend on the binary image verification
• Attest the partys applications behavior
• Property attestation
• Attest the partys security requirements or
  capabilities
• Use property certificates

29
Brainstorming (Cont.)

• Now your turn or my turn
• To answer the question
• Can we find a more efficient ZKP for remote
  attestation for embedded systems?
• Or can we find a better solution for remote
  attestation?

30
Brainstorming (Cont.)

• Lets forget about the cryptographic computation
• Trust negotiation (Dr. Ting Yu and Keith Irwin)

31
Questions?

• Thank you!

32
Fiat-Shamir Identification

• One time setup
• Trusted center published modulus npq, but keeps
  p and q secret
• Alice selects a secret prime s comprime to n,
  computes vs2 mod n, and registers v with the
  trusted center as its public key

33
Fiat-Shamir Identification

• Protocol messages
• A ? B x r2 mod n
• B ? A e from 0, 1
• A ? B y rse mod n

If e1, then information pairs (x, y) can be
simulated by choosing y randomly, and setting
xy2 mod n
If e0, then the response yr is independent of
secret s