英国硕士毕业论文 Investigation of zero knowledge protocols

Proof of Knowledge

Five major zero knowledge protocols are used, each ensuring information privacy throughout the verification process in its own way. The first (and most concrete) of such protocols is the Proof of Knowledge. It states that “if Peggy has a non-negligible chance of making Victor accept, then Peggy can also compute the secret, from which knowledge is being proved”.[1] The definition of this protocol raises the need to distinguish between two terms that are often misused interchangeably. Knowledge is very different from information. Knowledge is related to computational difficulty of publicly known objects, whereas information relates mainly to objects on which only partial information is known.[4]

Many examples exist for illustrating the Proof of Knowledge. Imagine the following situation. Peggy claims that she can count the leaves of a big maple tree in a few seconds without revealing to Victor her method of calculation and without revealing the number of leaves. To test Peggy’s claim, Victor designs a protocol. When Peggy closes her eyes, Victor either pulls off a leaf or does nothing. Then Peggy opens her eyes and tells Victor what he did.

Determining whether or not this situation is zero knowledge requires the definition of what makes a system zero knowledge.[3] First, the system is complete because if Peggy truly possesses such an ability, she could recognize a difference in the number of leaves because Victor pulled one off. Or, she could compute that the number of leaves has remained unchanged and that Victor has done nothing. The system is also sound because if Peggy doesn’t know the secret, she will still have a chance of guessing the answer to Victor’s problem on the first try. Because this system is both complete and sound, it is zero knowledge. With a few rounds of positive accreditation, Victor should be convinced that Peggy knows the secret. Let us assume that Victor can afford a error in this validation process. After only 40 rounds of accreditation, he is convinced that Peggy knows the secret. If put Peggy under 100 rounds or 100,000 rounds the chance of him making an error is nearly 0. This is modeled by the following equation:

where n is the number of rounds of accreditation. Given enough rounds of accreditation, it would be extremely difficult for a cheating Peggy to fool Victor.

One of the most well known examples of the Proof of Knowledge is Jean-Jacques Quisquater’s “magical cave” allegory. The cave has a magical door deep inside which opens only upon the utterance of a secret word, which Peggy claims to know. Victor will pay $10 million dollars for the secret word, but he must be convinced that Peggy knows the secret word. Peggy cannot simply reveal the word to him, as a dishonest Victor would rescind his monetary offer and leave with the secret and all of his money. Victor and Peggy decide to construct a zero knowledge system so that Peggy can prove to Victor that she knows the secret without actually telling it to Victor.[7] The devise the following scheme [7] :

Victor will wait outside the cave while Peggy enters. She chooses either path A or path B at random while Victor is not looking. Then Victor will enter the cave as far as the fork and announces the path by which he wants Peggy to return. If Peggy knows the secret word, she will be able to return by either path A or path B regardless of which path she chose initially. If Victor announces the same path through which Peggy initially chose to enter, she simply turns around and exits via the same path. If Victor announces the path that Peggy did not choose, she whispers the secret word and returns along the desired path. [7] Thus, the system is complete. If Peggy is lying and does not know the secret word, then she will only be able to return along the correct path if Victor announces the same path that she chose. The probability of this happening is and with multiple rounds of accreditation, Victor should grow increasingly confident about whether or not Peggy truly knows the secret. Thus, the system is sound. Because the system is both complete and sound, it is zero knowledge. Peggy can successfully prove to Victor that she knows the secret word without actually telling him what it is. Therefore, this system is exemplifies the Proof of Knowledge protocol.

Proof of Identity

The next zero knowledge protocol, the Proof of Identity, ensures that nobody can masquerade as Peggy or Victor for any third party.[1] This protocol is used to solve the cryptographic problem of “Mafia man-in-the-middle attacks”, which is often modeled by the Chess Grand master Problem. The malicious user (Maggie the Malice) wants to prove that she is the better than the champion chess player in her city, Bob. She sets up two separate, yet concurrent, online matches with both the local champion and Grandmaster Garry Kasparov. She lets Kasparov move first and relays his move to the other game with Bob. She then relays Bob’s move back to Garry Kasparov. Maggie is acting as the “man-in-the-middle” and has essentially set up a match between Kasparov and Bob, where she has access to both boards in play. Eventually, Maggie will relay Kasparov’s checkmate to Bob and be crowned the new city champ. As expected, Maggie (playing as Bob), will lose to Kasparov. This scenario raises the security issue of the malicious Maggie having access to the intermediate stages of accreditation. Cryptographers have decided that the best countermeasure to this attack would be to impose a time limit for replies, in the hope that there is not enough time for Maggie to relay the communications.[3]

Another way to thwart a man-in-the-middle Maggie is by using a pair of security keys. Suppose Alice and Bob share a secret key, and Alice wants to prove the legitimacy of her identity to Bob. They devise the following scheme. Alice sends Bob her public identity (her name Alice). Bob sends Alice a challenge, ?. Alice encrypts ? and sends back E(?) to Bob. Bob then decrypts E(?) with D(E(?)) and if he obtains ?, he can verify that he is communicating with Alice.[3] This protocol is especially useful in circumventing Eve and Maggie’s attempts at learning the secret. Suppose the secret is:

E(p) = p + 20 and

It follows that:

= p – 20.

Now suppose that Bob sends Alice the challenge ? = 5, and that this message is also heard by Eve and Maggie. Alice performs E(?) and returns 25 to Bob. Upon intercepting the value of E(?), Eva and Maggie can only guess as to what the secret E(?) really is. It is possible that they are fooled into believing E(?) = .When Bob receives 25, he applies D(?) to determine that D(?) = 5. Throughout this process, Eva is prevented from learning the secret, and sending the preliminary public identity helps prevent Maggie from tampering with the accreditation process. Therefore, this process preserves zero knowledge, and demonstrates the protocol of the Proof of Identity.

Feige-Fiat-Shamir Proof of Identity

Cryptographers Uriel Feige, Amos Fiat, and Adi Shamir developed the Feige-Fiat-Shamir Protocol Proof of Identity in 1988.[1] It is the best known zero knowledge proof of identity protocol. The Feige-Fiat-Shamir Proof demonstrates the difficulty of finding square roots of quadratic residues (squares mod n).[10] This protocol is one of the rare examples of being a perfect zero knowledge proof. The proof is split up into two steps, the pre-calculation phase and the identification phase. In the pre-calculation phase, Peggy chooses two random prime numbers (p,q). She keeps these two numbers as her secret. Then, she calls n, the product of p and q. She randomly chooses a number s {1, n-1} that is co-prime to n. Two numbers are co-prime if they do not share any common positive factors other than 1. Peggy then chooses a random number r {1, n-1}. She computes x = (mod n) and sends these values (n, s, and r) to the verifier. This signifies the start of the identification phase. Victor chooses a number B{0,1}. And sends it to Peggy. If B = 0, Peggy sends y, where y = r to the verifier. If B = 1, then Peggy sends y where y = (r s) mod n. Finally, Victor determines whether or not = mod n (where v = (mod n). The Feige-Fiat-Shamir Protocol can be more clearly demonstrated by following an example run[7]:

Let p = 5 and q = 7. Then, n = 35. Peggy secretly chooses s = 16. She calculates v = mod 35 which equals 11. Suppose Victor only requires two rounds of accreditation of the protocol in order to accept Peggy’s claim. Peggy randomly selects r = 10. She sends x = 100 mod 35 = 30 to Victor. Victor randomly selects B = 0 and sends it to Peggy. She returns y = r = 10 to Victor. He verifies that 100 mod 35 = x = 30. In the second round, Peggy randomly selects r = 20. She sends x = 15 to Victor and he randomly selects B = 1, and sends it back to Peggy. She returns y = (16 mod 35 = 5 to Victor. He verifies that 25 = (15 mod 35. After two rounds of successful accreditation, Victor is able to verify Peggy’s claim using the Feige-Fiat-Shamir Proof of Identity.