Interactive Proofs and Zero-Knowledge Identification Schemes, Slides of Cryptography and System Security

Download Interactive Proofs and Zero-Knowledge Identification Schemes and more Slides Cryptography and System Security in PDF only on Docsity!

Interactive and Zero

Knowledge Proofs

2

Identification Schemes

Peggy: Can you let me in please?

Vera: Who are you?

Peggy: I’m Peggy.

Vera: What’s your password?

Peggy: None of your beeswax

Vera: Get lost...

4

Completeness and

Soundness

For Interactive Proof System to work, Peggy should usually be able to prove her knowledge while impostor Pernicia ( P* ) should usually fail.

Completeness: When possessor of secret P interacts, prob. of V accepting ≥ ⅔

Soundness: When non-possessor of secret P* interacts, prob. of V accepting ≤ ⅓

5

Password Identification

Scheme

1. P : Sends password x
2. V : Checks x against stored password y. ACCEPTs iff x == y Transcript diagram: CLAIM: System is Complete and Sound. ISSUES

If Eve sees transcript, can successfully pretend to be Peggy

If Villain V* replaces V , can pretend as well x P transcript action

7

PKE for Identification

First attempt to fix: use secret key to decrypt encrypted messages, thus not revealing secret key. First round omitted as Peggy does nothing. Peggy proves that she knows sk : V accepts iff m==m’. CLAIM: System is Complete and Sound. ISSUE: V* tricks P into decrypting ciphertext c with unknown plaintext. c = E ( m,pk) m’ = D ( c,sk) V : random message m P

8

Secrecy = Transcript

Indistinguishability

If information is leaked, true transcripts inherently distinguishable from Simon’s ( S ) simulations ignorant of P ’s secret:

Password Scheme Leakage: Peggy: Simon:

PKE Scheme Leakage: Peggy: Simon: andromeda P ^%$!@%$!* S c* m’ = D ( c*,sk) V * P c * m’’ ( c* ) V * S

10

Removing Information

Leaks: Fiat-Shamir

Simplified version of Fiat-Shamir:

Public Information: n - a product of discarded equal-length distinct primes p, q 3 (mod 4) and y - a quadratic residue mod n

Peggy’s secret: x - a square root of y mod n

Protocol defined by:

Victor ACCEPTs iff

P : r ∈ V : P

U Z ∗ n

b ∈ U { 0 , 1 }

s = r

2

mod n b t = rx

b

mod n

t

2

≡ n sy

b

11

Proof that Simple Fiat-

Shamir is a ZKIP

1. Prove that protocol defines Interactive Proof: i.e. Sound and Complete
2. Prove that protocol reveals zero knowledge. Simon defined by: Simon is a Las-Vegas algorithm.

b r

S : guesses generates: V* S : Starts over if Else: sends above message

r ∈ U Z

∗ n b ′ ∈ U { 0 , 1 }

b != b

′

s = r

2

/ y

b ′

mod n

13

Complexity Theorems

1. (^) Shamir proved: IP = PSPACE
2. (^) If one-way functions exist: CZK = IP COR: With the aid of a one-way function, any interactive proof system can be converted to a computational zero-knowledge proof system.

CZK : computational zero knowledge lang’s

IP : interactive proof languages

PSPACE : polynomial space languages

Recall NP PSPACE