# 英国硕士毕业论文 Investigation of zero knowledge protocols

### Abstract

The question explored throughout this extended essay is “How are zero knowledge protocols able to ensure information privacy?”

Zero knowledge protocols play an important role in the domain of cryptography. They allow for one party, the verifier, to identify and authenticate another party, the prover. At the end of this process, the verifier has only assessed the validity of the prover’s assertion and leaves with zero knowledge.

The essay begins with a definition of zero knowledge and why they are used in cryptography. In the next section, the terminology associated with zero knowledge are defined. These terms are used for the remainder of the essay. The next five sections deal with the major zero knowledge protocols. Both abstract and concrete examples are explored in order to further one’s understanding of these protocols. The following section deals with proving the existence of Hamiltonian cycles while maintaining zero knowledge. The final section explores a case study of smart cards and how the implementation of zero knowledge protocols can increase their security. The essay concludes by highlighting the significance of the applications of zero knowledge as the demand for information security continues to increase into the future.

### Introduction

Zero knowledge proofs show a statement to be true without revealing anything other than the veracity of the statement to be proven. The word “proof” is not used in the traditional mathematical sense (e.g. a proof of the Pythagorean Theorem). Instead, a zero knowledge proof is a protocol in which a series of interactions takes place between two parties, the verifier and the prover.[7] Throughout these interactions, four essential laws must remain unbroken in order to classify the system as zero knowledge.[1] The prover cannot learn anything from the verifier. The prover cannot cheat the verifier. The verifier cannot cheat the prover.[9] The verifier cannot pretend to be the prover to any third party. At the end of the interaction, the verifier has only determined the validity of the prover’s assertion. Thus, the verifier leaves the system with zero knowledge.

Zero knowledge protocols function as useful constructs for analyzing theoretical cryptographic situations, but also function as practical tools for constructing secure security systems. The main incentive for using zero knowledge protocols over more commonly used protocols such as the RSA public-key cryptographic protocol and the symmetric protocol families, lies within its computational requirements. They require anywhere from to of the computing power used by public key protocols. Zero knowledge allows a protocol to be split into an iterative process of many light transactions rather than one “heavy” transaction.[1] For many systems, applying zero knowledge protocols are practical, efficient, and therefore the economical protocol of choice.

In the modern era of online-auctions, e-voting, and internet banking, having a certain paranoia is healthy to ensure the legitimacy and security of information.[2] Certain procedures must be followed to foil malicious individuals’ attempts at acquiring authorized knowledge. Zero knowledge procedures involve a series of proving and verifying between two parties. Because zero knowledge protocols yield nothing beyond the validity of an assertion, they make excellent tools in ensuring information privacy.

### Zero knowledge Terminology

Due to its abstract, often metaphorical manifestation in cryptography textbooks, zero knowledge terminology must be understood before it can be used to analyze problems in cryptography.

Though cryptographic protocols are commonly viewed as existing only between two parties, a total of four can exist in some cases. Cryptographers give these parties alliterative titles for convenience. The parties are: Peggy the Prover, Victor the Verifier, Eve the Eavesdropper, and Maggie the Malice. Peggy the Prover makes a claim that she wants to prove to Victor the Verifier without actually revealing the information or secret behind the claim. Victor asks Peggy under a series of questions to assess the validity of Peggy’s claim. Victor does not learn Peggy’s secret and cannot masquerade as Peggy to a third party. Eve the Eavesdropper is listening to Peggy and Victor’s conversation. She tries to replay the conversation to a third party, but is unsuccessful at convincing them of her claim. Maggie the Malice is also listening to the protocol traffic and tries to manipulate the conversation by modifying, destroying, and sending extra messages.[1] These names are widely used throughout cryptography literature and will be used for the remainder of this paper.

The interactions between Peggy and Victor are involve three elements: the secret, the accreditation, and the problem. The secret is a piece of information that Peggy knows. It can be any piece of information that is useful (e.g. password, an algorithm). The accreditation is the system of building confidence with each iteration of the protocol.[1] With each iteration, a successful proof by Peggy increases Victor’s confidence by a power of 2. However, if Peggy is unsuccessful at her proof, Victor’s confidence is reduced to 0 and the entire protocol fails. The problem is Victor’s method of accreditation. His problem asks for one of the multiple solutions to Peggy’s claim. If Peggy does possess the secret, she will always be able to correctly answer Victor’s problem. However, if Peggy does not possess the secret, she will only be able to correctly answer Victor’s problem a fraction of the time (depending on the exact protocol). Thus, Victor is only able to verify that Peggy holds a secret, if she can always solve his problem for enough rounds of his accreditation.

Protocol identification schemes must be both “complete” and “sound” to be classified as being zero knowledge. Complete means that “if the user who tries to identify himself follows the protocol, then the identification is surely successful”.[3] Completeness holds that an honest verifier will always be convinced of a true statement by an honest prover.[6] Soundness means that “nobody can identify himself as somebody else”.[3] Soundness holds that a cheating prover can convince an honest verifier that a false statement is true with a small probability.[9] If a system is both complete and sound, and no additional knowledge is gained by either party, the system can be classified as zero knowledge.

Zero knowledge protocols’ practicality extends only to problems that are of the complexity class NP. NP (nondeterministic polynomial time) complexity means that “There exists a (polynomial in the length of the input) bound on the number of steps in each possible run of the machine”.[5] “If one-way functions exist, any problem in NP has a zero knowledge proof. Thus, Peggy must be limited to polynomial time. If Peggy were any more powerful, it would be trivial to demonstrate her knowledge, as she could already calculate it in every case.[1]

Various levels of zero knowledge exist. There is perfect zero knowledge, statistical zero knowledge, and computational zero knowledge. In perfect zero knowledge, Victor can create a phony list of problem solutions which is statistically identical to Peggy’s list. His list is indistinguishable from Peggy’s, and therefore, he cannot prove that he knows the secret to any third-party.[6] Statistical zero knowledge states that Peggy and Victor’s lists are statistically similar and that their inconsistency is negligible. Computational zero knowledge, also referred to as general zero knowledge, states that Peggy and Victor’s lists are computationally indistinguishable.[5] Although computational zero knowledge is the most common form of zero knowledge, examples perfect zero knowledge and statistical zero knowledge have been found to exist.