
UK master's thesis: Investigation of zero knowledge protocols

Guillou-Quisquater Proof of Identity

The Guillou-Quisquater Proof of Identity, invented by Louis Guillou and Jean-Jacques Quisquater, is an improvement to the Feige-Fiat-Shamir Proof of Identity.[3] The Feige-Fiat-Shamir Protocol is weak in that it requires multiple iterations between Peggy and Victor and that Peggy needs a large amount of memory. Guillou-Quisquater optimizes this protocol by using longer computations. Take for example the following situation. Peggy wants to authenticate her identity with Victor. She holds a public certificate J and a private certificate S, where S = mod n. Similar to the Feige-Fiat-Shamir Protocol, n is the product of the two primes p and q. The number v is the public key, chosen such that the greatest common divisor of n and v is 1. Thus, n and v are said to be co-prime. First, Peggy chooses a random number r. She computes x = (mod n). Peggy sends both x and J (the public certificate) to Victor. He chooses a random number e {1, v} and sends it to Peggy. She computes y = r (mod n) and sends it to Victor. He computes and verifies that the result is equal to x and different from 0. By using this longer procedure of computation, Victor reduces Peggy's cheating probability. This is modeled by the following equation:

where Pr is the probability of Peggy making an error, are the total possible computations of the protocol, and n is the number of rounds of accreditation. Because , the number of rounds required for Victor to achieve a certain level of confidence is reduced exponentially. Thus, the Guillou-Quisquater Proof of Identity serves as an improvement to the Feige-Fiat-Shamir Protocol, because it reduces the number of rounds of accreditation by demanding more complex computations that use both a public and a private key.
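The following Python script is an added worked example of the round just described; it is not code from the thesis. The exponents in the thesis's formulas did not survive on this page, so the script assumes the standard Guillou-Quisquater relation J · S^v ≡ 1 (mod n), with x = r^v mod n, y = r · S^e mod n and Victor's check J^e · y^v ≡ x (mod n), x ≠ 0. The toy parameters (p = 61, q = 53, v = 17, J = 65) are constructed for illustration and far too small for real use. It also shows why a single round only bounds cheating to 1/v: a prover without S can prepare for one guessed challenge and passes exactly when Victor happens to pick it.

```python
import secrets

# Constructed toy parameters (far too small for real use; a real n is ~2048 bits).
# Assumption: the standard Guillou-Quisquater relation J * S^v == 1 (mod n)
# links the public certificate J to the private certificate S.
P, Q = 61, 53
N = P * Q                  # n = 3233, product of two primes
PHI = (P - 1) * (Q - 1)    # 3120, needed only by the issuer
V = 17                     # public exponent v, coprime to both n and phi(n)
J = 65                     # Peggy's public certificate, coprime to n


def keygen(j, n, v, phi):
    """Issuer step: derive S with J * S^v == 1 (mod n).

    This needs d = v^-1 mod phi(n), i.e. the factorisation of n, which is
    why only the issuer can mint private certificates."""
    d = pow(v, -1, phi)
    j_inv = pow(j, -1, n)
    return pow(j_inv, d, n)


def prover_commit(n, v):
    """Round step 1: Peggy picks a random r and sends x = r^v mod n."""
    r = 1 + secrets.randbelow(n - 1)
    return r, pow(r, v, n)


def verifier_challenge(v):
    """Round step 2: Victor picks e from {1, ..., v}."""
    return 1 + secrets.randbelow(v)


def prover_respond(r, s, e, n):
    """Round step 3: Peggy answers y = r * S^e mod n."""
    return (r * pow(s, e, n)) % n


def verifier_check(x, y, e, j, n, v):
    """Victor accepts iff J^e * y^v == x (mod n) and x != 0.
    For honest Peggy, J^e * y^v = r^v * (J * S^v)^e = r^v = x."""
    return x != 0 and (pow(j, e, n) * pow(y, v, n)) % n == x


def honest_round(s, e, n=N, v=V, j=J):
    """One full round with the real private certificate s and challenge e."""
    r, x = prover_commit(n, v)
    y = prover_respond(r, s, e, n)
    return verifier_check(x, y, e, j, n, v)


def cheating_round(guess, e, n=N, v=V, j=J):
    """A prover without S can prepare for only one guessed challenge: choose
    y first and back-compute x = J^guess * y^v, so Victor's check passes
    exactly when his actual challenge e equals the guess (probability 1/v)."""
    y = 1 + secrets.randbelow(n - 1)
    x = (pow(j, guess, n) * pow(y, v, n)) % n
    return verifier_check(x, y, e, j, n, v)


def run_protocol(s, rounds, n=N, v=V, j=J):
    """Victor repeats the round; every one must pass."""
    return all(honest_round(s, verifier_challenge(v), n, v, j) for _ in range(rounds))


if __name__ == "__main__":
    S = keygen(J, N, V, PHI)
    print("J * S^v mod n =", (J * pow(S, V, N)) % N)   # 1
    print("honest Peggy, 10 rounds:", run_protocol(S, 10))
```

Because a cheater's per-round success is 1/v rather than the 1/2 of a Feige-Fiat-Shamir round, Victor needs far fewer rounds for the same confidence, which is the trade-off of computation for rounds that the section describes.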

Schnorr’s Mutual Digital Signature Authentication

Schnorr’s identification and authentication scheme can be used for digital signatures by replacing Victor with a hash function. A digital signature is simply a mathematical scheme to demonstrate the authenticity of a digital document. If Victor is replaced by a cryptographically secure hash function, most zero knowledge protocols can be turned into digital signatures.[1] They are implemented as follows. Peggy creates a number of problems and uses the hash function as a virtual Victor. The inputs of the hash function are just the message and problems presented to Victor. Using these inputs guarantees that neither the message nor the problems can be altered without making the signature void.[1] Also, the output of the hash function is completely random and unpredictable. Thus, Peggy cannot try to change the inputs to the hash in her favor to try and get values which would allow her to cheat. The receiving end of the protocol can calculate the hash function itself and check that Peggy returns the correct solutions in order to determine that the digital signature is valid. Schnorr’s Mutual Digital Signature Authentication is the last of the five prominent zero knowledge protocols.
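As an added example (not code from the thesis), the script below turns Schnorr's identification protocol into a signature exactly as the paragraph describes: the commitment r and the message are fed to SHA-256, and the hash output plays Victor's role as the challenge. The group parameters (p = 1019, q = 509, g = 4) are constructed toy values chosen here for readability; the page names no concrete group, and real deployments use much larger parameters.

```python
import hashlib
import secrets

# Constructed toy group (not secure at this size): P = 2*Q + 1, and G = 4 has
# prime order Q in Z_P^*. These values are an assumption of this example.
P, Q, G = 1019, 509, 4


def challenge(r, message, q=Q):
    """The 'virtual Victor': the challenge is a hash of the commitment r and
    the message, so neither can be altered without changing c."""
    data = r.to_bytes(4, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def keygen(p=P, q=Q, g=G):
    """Private key x, public key y = g^x mod p."""
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def sign(x, message, p=P, q=Q, g=G):
    """Schnorr signature: commitment r = g^k, hashed challenge c, response s = k + x*c."""
    k = 1 + secrets.randbelow(q - 1)        # fresh nonce per signature; reuse leaks x
    r = pow(g, k, p)
    c = challenge(r, message, q)
    s = (k + x * c) % q
    return r, s


def verify(y, message, signature, p=P, q=Q, g=G):
    """Anyone can replay Victor's check: g^s must equal r * y^c mod p,
    because g^s = g^k * g^(x*c) = r * y^c for an honest signer."""
    r, s = signature
    if not (0 < r < p and 0 <= s < q):
        return False
    c = challenge(r, message, q)
    return pow(g, s, p) == (r * pow(y, c, p)) % p


if __name__ == "__main__":
    x, y = keygen()
    sig = sign(x, b"transfer 10 to Bob")
    print("valid:", verify(y, b"transfer 10 to Bob", sig))
    print("tampered message:", verify(y, b"transfer 99 to Bob", sig))
```

The receiver recomputes the hash itself, so any change to the message or to the commitment changes c and the equation g^s = r · y^c no longer holds, which is the "signature void" property the paragraph relies on.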

Hamiltonian Cycles

A Hamiltonian cycle for a graph is a path through the graph that visits every node exactly once.[1] As the size of the graph increases, the difficulty of calculating its Hamiltonian cycle increases as well, and the problem is therefore classified as having NP complexity. The most popular example of a zero knowledge Hamiltonian cycle consists of Peggy, who tries to prove that she knows the Hamiltonian cycle for a certain graph, and Victor, who is to determine whether or not Peggy knows the secret to calculating a graph's Hamiltonian cycle. Peggy gives Victor a permuted version of the original graph. Victor, in return, asks either for a proof that the graph is a permutation of the original graph, or for Peggy to show the Hamiltonian cycle for the permuted graph. Either of these problems can be calculated easily from the original data, but being able to respond to both of these possible requests requires Peggy to truly know the secret (the Hamiltonian cycle of a graph). This protocol can be better illustrated with a concrete example. Consider a fictional city "Orbiville" which recently updated its subway system with its own Hamiltonian path.[2] Suppose Peggy claims to know the Hamiltonian cycle of Orbiville's subway system illustrated below.

Peggy first permutes the graph a to generate a partial graph b with a new Hamiltonian cycle c. Because only the partial graph b is revealed, Victor can verify that c visits each station once and that its edges exist in the subway system, without learning the original cycle. After multiple rounds of accreditation (with a new permuted graph each time), Victor will be assured of the existence of a Hamiltonian path, without actually knowing the path itself. This system is complete because an honest Peggy will be able to solve Victor's problem every time. The system is sound because a cheating Peggy will only be able to solve the problem of the time (either the permutation or the path would be incorrect). Because the Hamiltonian cycle system is both complete and sound, it is zero knowledge.
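The two previous paragraphs describe the Hamiltonian cycle protocol; the script below is an added example of it, not code from the thesis or from the Orbiville figure, which is not reproduced here. It assumes a constructed five-station map and uses per-cell hash commitments to the relabelled adjacency matrix (the standard way to let Peggy open only the cycle's edges in one branch and the whole relabelling in the other), which the page leaves implicit. Victor's two requests and the checks he runs for each are implemented, and the test shows that a prover with a wrong cycle still satisfies the "permutation" request but fails the "show the cycle" request.

```python
import hashlib
import secrets

# Constructed toy subway map: 5 stations, undirected lines between them.
# Secret: stations 0-1-2-3-4-0 form a Hamiltonian cycle; line (0, 2) is a distractor.
STATIONS = 5
LINES = {(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)}
SECRET_CYCLE = [0, 1, 2, 3, 4]
_rng = secrets.SystemRandom()


def adjacency(n, edges):
    m = [[0] * n for _ in range(n)]
    for a, b in edges:
        m[a][b] = m[b][a] = 1
    return m


def relabel(edges, perm):
    """Apply the permutation perm (old station -> new station) to every line."""
    return {(perm[a], perm[b]) for a, b in edges}


def commit(bit):
    """Hash commitment to one adjacency-matrix cell; the random salt hides the bit."""
    salt = secrets.token_bytes(16)
    return hashlib.sha256(salt + bytes([bit])).digest(), salt


def opens(com, salt, bit):
    return hashlib.sha256(salt + bytes([bit])).digest() == com


def prover_commit(n, edges, cycle):
    """Step 1: Peggy sends commitments to every cell of a randomly relabelled map."""
    perm = list(range(n))
    _rng.shuffle(perm)
    matrix = adjacency(n, relabel(edges, perm))
    coms = [[commit(matrix[i][j]) for j in range(n)] for i in range(n)]
    state = {"perm": perm, "matrix": matrix, "coms": coms,
             "cycle": [perm[v] for v in cycle]}
    public = [[c for c, _ in row] for row in coms]
    return state, public


def prover_respond(state, challenge):
    """Step 3: answer exactly one of Victor's two possible requests."""
    n = len(state["matrix"])
    if challenge == 0:   # "prove this is a relabelling of the real map"
        return {"perm": state["perm"],
                "openings": [[(state["coms"][i][j][1], state["matrix"][i][j])
                              for j in range(n)] for i in range(n)]}
    cyc = state["cycle"]  # "show me the cycle in the relabelled map"
    return {"edges": [(cyc[k], cyc[(k + 1) % n], state["coms"][cyc[k]][cyc[(k + 1) % n]][1])
                      for k in range(n)]}


def verifier_check(n, edges, commitments, challenge, response):
    """Victor's check for the challenge he chose."""
    if challenge == 0:
        perm = response["perm"]
        if sorted(perm) != list(range(n)):
            return False
        expected = adjacency(n, relabel(edges, perm))
        for i in range(n):
            for j in range(n):
                salt, bit = response["openings"][i][j]
                if bit != expected[i][j] or not opens(commitments[i][j], salt, bit):
                    return False
        return True
    ce = response["edges"]
    if len(ce) != n or sorted(a for a, _, _ in ce) != list(range(n)):
        return False                                   # must touch every station once
    if any(ce[k][1] != ce[(k + 1) % n][0] for k in range(n)):
        return False                                   # edges must chain into one loop
    # every claimed edge must open to a real line (bit 1) in the committed map
    return all(opens(commitments[a][b], salt, 1) for a, b, salt in ce)


if __name__ == "__main__":
    state, public = prover_commit(STATIONS, LINES, SECRET_CYCLE)
    ch = _rng.randrange(2)   # Victor's coin flip
    print("challenge", ch, "accepted:",
          verifier_check(STATIONS, LINES, public, ch, prover_respond(state, ch)))
```

In a real run Peggy answers only the one challenge Victor picks per commitment; the test opens both branches of the same commitment only to show that an honest prover could answer either, whereas a prover with a bogus cycle can prepare for one branch but not the other.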

Case Study: Smart Cards

Zero knowledge protocols are often discussed in a theoretical sense and not in a practical sense. However, zero knowledge protocols do have a variety of practical applications. They are used to ensure secure data transactions during identification and authentication. The following case study illustrates how using zero knowledge protocols increases the security of smart cards.[1]

Smart cards, or Integrated Circuit Cards (ICCs), are small, pocket-sized cards with embedded integrated circuits which are used to process the input and output of data. They are most commonly used as ATM, SIM, health, and National ID cards, but have grown increasingly popular for their ability to store certificates during web browsing.

Since their introduction into the technological market, smart cards have experienced major breaches in security. They are often encrypted using simple cryptographic techniques, making them easily decrypted by pirates. Pirates have developed efficient techniques to reverse-engineer smart card CPUs and their memories. These techniques include using nonstandard programming voltages to clear code protection fuses, magnetic scanning of currents throughout the integrated circuits, and acid washing the chip one layer at a time.[1] Fortunately, smart cards are not yet used widely enough to cause any major organized criminal activity. In the future, smart card applications will need public key and zero knowledge protocols and solutions to circumvent such malicious activity.

The first step to solving smart card security issues is to use a light zero knowledge protocol. The protocol should mandate that each round is completed within a very short time limit (so that a Mafia man-in-the-middle attack will fail) and that a dictionary-based or precomputed-table-based brute-force attack is not feasible. Assume that the smart card only has 36 bytes of RAM available to work on the protocol and that some of this space must be reserved for other use. Each key should therefore be about 8 bytes in length. Suppose the intruder has 5 orders of magnitude more processing power than the given system. Even if the brute-force calculation is fast, the combination of a 64 bit key and a time limit would foil even the fastest computers. Although intruders can try to anticipate Feige-Fiat-Shamir protocols with precomputed prime number tables before launching their attack, simply changing the system's public key values periodically would make an intrusion infeasible and would effectively negate any attack. Thus, zero knowledge protocols prove to have practical applications in solving cryptographic problems in current and future technological systems.

Conclusion

Zero knowledge proofs are both fascinating and useful concepts. They are convincing yet return nothing beyond the validity of a claim. Zero knowledge protocols ensure that after reading a proof, the verifier cannot perform any computational tasks that he could not perform before. Thus, the integrity and privacy of information is maintained. Because zero knowledge proofs force malicious parties to act according to a predetermined protocol, they have vast applications in the domain of cryptography.[9] The need to effectively understand and implement zero knowledge protocols is increasing as internet capabilities continue to expand at such a rapid rate. Because zero knowledge protocols are relatively easy to implement, but difficult to foil, they make excellent constructs for solving cryptographic security issues. Although the various zero knowledge protocols will remain the same, they will have unforeseen applications in the years to come.

Works Cited

  1. Arronsson, Hannu. “Network Security: Zero Knowledge and Small Systems.” TKK – TML. Helsinki University of Technology. Web. 19 Feb. 2010. <http://www.tml.tkk.fi/Opinnot/Tik-110.501/1995/zeroknowledge.html>.
  2. Chazelle, Bernard. “The security of knowing nothing.” Nature 446 (2007). 26 Apr. 2007. Web.
  3. Giani, Annarita. “Identification with Zero Knowledge Protocols.” Thesis. University of California Berkeley, 2001. SANS Institute. 2001. Web. 20 Feb. 2010.
  4. Goldreich, Oded. Foundations of cryptography basic tools. Cambridge, U.K: Cambridge UP, 2001. Print.
  5. Goldreich, Oded. Zero-Knowledge twenty years after its invention. Thesis. Weizmann Institute of Science, 2004. Print.
  6. Hoffstein, Jeffrey. An introduction to mathematical cryptography. New York: Springer, 2008. Print.
  7. Mohr, Austin. “A Survey of Zero Knowledge Proofs with Applications to Cryptography.” Thesis. Southern Illinois University at Carbondale. Web. <http://www.austinmohr.com/work/files/zkp.pdf>.
  8. Pass, Rafael. “Lecture 18: Zero-Knowledge Proofs.” Lecture. Cornell University, Ithaca. 26 Mar. 2009. Web.
  9. Rosen, Alon. Concurrent Zero-Knowledge With Additional Background by Oded Goldreich (Information Security and Cryptography). New York: Springer, 2006. Print.
  10. Weis, Steve. “Lecture 3: Zero-Knowledge Proofs Continued.” Lecture. Massachusetts Institute of Technology, Cambridge. 12 Feb. 2003. Web.