英国硕士毕业论文 Investigation of zero knowledge protocols

 

Abstract

The question explored throughout this extended essay is “How are zero knowledge protocols able to ensure information privacy?”

Zero knowledge protocols play an important role in the domain of cryptography. They allow for one party, the verifier, to identify and authenticate another party, the prover. At the end of this process, the verifier has only assessed the validity of the prover’s assertion and leaves with zero knowledge.

The essay begins with a definition of zero knowledge and why they are used in cryptography. In the next section, the terminology associated with zero knowledge are defined. These terms are used for the remainder of the essay. The next five sections deal with the major zero knowledge protocols. Both abstract and concrete examples are explored in order to further one’s understanding of these protocols. The following section deals with proving the existence of Hamiltonian cycles while maintaining zero knowledge. The final section explores a case study of smart cards and how the implementation of zero knowledge protocols can increase their security. The essay concludes by highlighting the significance of the applications of zero knowledge as the demand for information security continues to increase into the future.

Introduction

Zero knowledge proofs show a statement to be true without revealing anything other than the veracity of the statement to be proven. The word “proof” is not used in the traditional mathematical sense (e.g. a proof of the Pythagorean Theorem). Instead, a zero knowledge proof is a protocol in which a series of interactions takes place between two parties, the verifier and the prover.[7] Throughout these interactions, four essential laws must remain unbroken in order to classify the system as zero knowledge.[1] The prover cannot learn anything from the verifier. The prover cannot cheat the verifier. The verifier cannot cheat the prover.[9] The verifier cannot pretend to be the prover to any third party. At the end of the interaction, the verifier has only determined the validity of the prover’s assertion. Thus, the verifier leaves the system with zero knowledge.

Zero knowledge protocols function as useful constructs for analyzing theoretical cryptographic situations, but also function as practical tools for constructing secure security systems. The main incentive for using zero knowledge protocols over more commonly used protocols such as the RSA public-key cryptographic protocol and the symmetric protocol families, lies within its computational requirements. They require anywhere from to of the computing power used by public key protocols. Zero knowledge allows a protocol to be split into an iterative process of many light transactions rather than one “heavy” transaction.[1] For many systems, applying zero knowledge protocols are practical, efficient, and therefore the economical protocol of choice.

In the modern era of online-auctions, e-voting, and internet banking, having a certain paranoia is healthy to ensure the legitimacy and security of information.[2] Certain procedures must be followed to foil malicious individuals’ attempts at acquiring authorized knowledge. Zero knowledge procedures involve a series of proving and verifying between two parties. Because zero knowledge protocols yield nothing beyond the validity of an assertion, they make excellent tools in ensuring information privacy.

Zero knowledge Terminology

Due to its abstract, often metaphorical manifestation in cryptography textbooks, zero knowledge terminology must be understood before it can be used to analyze problems in cryptography.

Though cryptographic protocols are commonly viewed as existing only between two parties, a total of four can exist in some cases. Cryptographers give these parties alliterative titles for convenience. The parties are: Peggy the Prover, Victor the Verifier, Eve the Eavesdropper, and Maggie the Malice. Peggy the Prover makes a claim that she wants to prove to Victor the Verifier without actually revealing the information or secret behind the claim. Victor asks Peggy under a series of questions to assess the validity of Peggy’s claim. Victor does not learn Peggy’s secret and cannot masquerade as Peggy to a third party. Eve the Eavesdropper is listening to Peggy and Victor’s conversation. She tries to replay the conversation to a third party, but is unsuccessful at convincing them of her claim. Maggie the Malice is also listening to the protocol traffic and tries to manipulate the conversation by modifying, destroying, and sending extra messages.[1] These names are widely used throughout cryptography literature and will be used for the remainder of this paper.

The interactions between Peggy and Victor are involve three elements: the secret, the accreditation, and the problem. The secret is a piece of information that Peggy knows. It can be any piece of information that is useful (e.g. password, an algorithm). The accreditation is the system of building confidence with each iteration of the protocol.[1] With each iteration, a successful proof by Peggy increases Victor’s confidence by a power of 2. However, if Peggy is unsuccessful at her proof, Victor’s confidence is reduced to 0 and the entire protocol fails. The problem is Victor’s method of accreditation. His problem asks for one of the multiple solutions to Peggy’s claim. If Peggy does possess the secret, she will always be able to correctly answer Victor’s problem. However, if Peggy does not possess the secret, she will only be able to correctly answer Victor’s problem a fraction of the time (depending on the exact protocol). Thus, Victor is only able to verify that Peggy holds a secret, if she can always solve his problem for enough rounds of his accreditation.

Protocol identification schemes must be both “complete” and “sound” to be classified as being zero knowledge. Complete means that “if the user who tries to identify himself follows the protocol, then the identification is surely successful”.[3] Completeness holds that an honest verifier will always be convinced of a true statement by an honest prover.[6] Soundness means that “nobody can identify himself as somebody else”.[3] Soundness holds that a cheating prover can convince an honest verifier that a false statement is true with a small probability.[9] If a system is both complete and sound, and no additional knowledge is gained by either party, the system can be classified as zero knowledge.

Zero knowledge protocols’ practicality extends only to problems that are of the complexity class NP. NP (nondeterministic polynomial time) complexity means that “There exists a (polynomial in the length of the input) bound on the number of steps in each possible run of the machine”.[5] “If one-way functions exist, any problem in NP has a zero knowledge proof. Thus, Peggy must be limited to polynomial time. If Peggy were any more powerful, it would be trivial to demonstrate her knowledge, as she could already calculate it in every case.[1]

Various levels of zero knowledge exist. There is perfect zero knowledge, statistical zero knowledge, and computational zero knowledge. In perfect zero knowledge, Victor can create a phony list of problem solutions which is statistically identical to Peggy’s list. His list is indistinguishable from Peggy’s, and therefore, he cannot prove that he knows the secret to any third-party.[6] Statistical zero knowledge states that Peggy and Victor’s lists are statistically similar and that their inconsistency is negligible. Computational zero knowledge, also referred to as general zero knowledge, states that Peggy and Victor’s lists are computationally indistinguishable.[5] Although computational zero knowledge is the most common form of zero knowledge, examples perfect zero knowledge and statistical zero knowledge have been found to exist.

Proof of Knowledge

Five major zero knowledge protocols are used, each ensuring information privacy throughout the verification process in its own way. The first (and most concrete) of such protocols is the Proof of Knowledge. It states that “if Peggy has a non-negligible chance of making Victor accept, then Peggy can also compute the secret, from which knowledge is being proved”.[1] The definition of this protocol raises the need to distinguish between two terms that are often misused interchangeably. Knowledge is very different from information. Knowledge is related to computational difficulty of publicly known objects, whereas information relates mainly to objects on which only partial information is known.[4]

Many examples exist for illustrating the Proof of Knowledge. Imagine the following situation. Peggy claims that she can count the leaves of a big maple tree in a few seconds without revealing to Victor her method of calculation and without revealing the number of leaves. To test Peggy’s claim, Victor designs a protocol. When Peggy closes her eyes, Victor either pulls off a leaf or does nothing. Then Peggy opens her eyes and tells Victor what he did.

Determining whether or not this situation is zero knowledge requires the definition of what makes a system zero knowledge.[3] First, the system is complete because if Peggy truly possesses such an ability, she could recognize a difference in the number of leaves because Victor pulled one off. Or, she could compute that the number of leaves has remained unchanged and that Victor has done nothing. The system is also sound because if Peggy doesn’t know the secret, she will still have a chance of guessing the answer to Victor’s problem on the first try. Because this system is both complete and sound, it is zero knowledge. With a few rounds of positive accreditation, Victor should be convinced that Peggy knows the secret. Let us assume that Victor can afford a error in this validation process. After only 40 rounds of accreditation, he is convinced that Peggy knows the secret. If put Peggy under 100 rounds or 100,000 rounds the chance of him making an error is nearly 0. This is modeled by the following equation:

where n is the number of rounds of accreditation. Given enough rounds of accreditation, it would be extremely difficult for a cheating Peggy to fool Victor.

One of the most well known examples of the Proof of Knowledge is Jean-Jacques Quisquater’s “magical cave” allegory. The cave has a magical door deep inside which opens only upon the utterance of a secret word, which Peggy claims to know. Victor will pay $10 million dollars for the secret word, but he must be convinced that Peggy knows the secret word. Peggy cannot simply reveal the word to him, as a dishonest Victor would rescind his monetary offer and leave with the secret and all of his money. Victor and Peggy decide to construct a zero knowledge system so that Peggy can prove to Victor that she knows the secret without actually telling it to Victor.[7] The devise the following scheme [7] :

Victor will wait outside the cave while Peggy enters. She chooses either path A or path B at random while Victor is not looking. Then Victor will enter the cave as far as the fork and announces the path by which he wants Peggy to return. If Peggy knows the secret word, she will be able to return by either path A or path B regardless of which path she chose initially. If Victor announces the same path through which Peggy initially chose to enter, she simply turns around and exits via the same path. If Victor announces the path that Peggy did not choose, she whispers the secret word and returns along the desired path. [7] Thus, the system is complete. If Peggy is lying and does not know the secret word, then she will only be able to return along the correct path if Victor announces the same path that she chose. The probability of this happening is and with multiple rounds of accreditation, Victor should grow increasingly confident about whether or not Peggy truly knows the secret. Thus, the system is sound. Because the system is both complete and sound, it is zero knowledge. Peggy can successfully prove to Victor that she knows the secret word without actually telling him what it is. Therefore, this system is exemplifies the Proof of Knowledge protocol.

Proof of Identity

The next zero knowledge protocol, the Proof of Identity, ensures that nobody can masquerade as Peggy or Victor for any third party.[1] This protocol is used to solve the cryptographic problem of “Mafia man-in-the-middle attacks”, which is often modeled by the Chess Grand master Problem. The malicious user (Maggie the Malice) wants to prove that she is the better than the champion chess player in her city, Bob. She sets up two separate, yet concurrent, online matches with both the local champion and Grandmaster Garry Kasparov. She lets Kasparov move first and relays his move to the other game with Bob. She then relays Bob’s move back to Garry Kasparov. Maggie is acting as the “man-in-the-middle” and has essentially set up a match between Kasparov and Bob, where she has access to both boards in play. Eventually, Maggie will relay Kasparov’s checkmate to Bob and be crowned the new city champ. As expected, Maggie (playing as Bob), will lose to Kasparov. This scenario raises the security issue of the malicious Maggie having access to the intermediate stages of accreditation. Cryptographers have decided that the best countermeasure to this attack would be to impose a time limit for replies, in the hope that there is not enough time for Maggie to relay the communications.[3]

Another way to thwart a man-in-the-middle Maggie is by using a pair of security keys. Suppose Alice and Bob share a secret key, and Alice wants to prove the legitimacy of her identity to Bob. They devise the following scheme. Alice sends Bob her public identity (her name Alice). Bob sends Alice a challenge, ?. Alice encrypts ? and sends back E(?) to Bob. Bob then decrypts E(?) with D(E(?)) and if he obtains ?, he can verify that he is communicating with Alice.[3] This protocol is especially useful in circumventing Eve and Maggie’s attempts at learning the secret. Suppose the secret is:

E(p) = p + 20 and

It follows that:

= p – 20.

Now suppose that Bob sends Alice the challenge ? = 5, and that this message is also heard by Eve and Maggie. Alice performs E(?) and returns 25 to Bob. Upon intercepting the value of E(?), Eva and Maggie can only guess as to what the secret E(?) really is. It is possible that they are fooled into believing E(?) = .When Bob receives 25, he applies D(?) to determine that D(?) = 5. Throughout this process, Eva is prevented from learning the secret, and sending the preliminary public identity helps prevent Maggie from tampering with the accreditation process. Therefore, this process preserves zero knowledge, and demonstrates the protocol of the Proof of Identity.

Feige-Fiat-Shamir Proof of Identity

Cryptographers Uriel Feige, Amos Fiat, and Adi Shamir developed the Feige-Fiat-Shamir Protocol Proof of Identity in 1988.[1] It is the best known zero knowledge proof of identity protocol. The Feige-Fiat-Shamir Proof demonstrates the difficulty of finding square roots of quadratic residues (squares mod n).[10] This protocol is one of the rare examples of being a perfect zero knowledge proof. The proof is split up into two steps, the pre-calculation phase and the identification phase. In the pre-calculation phase, Peggy chooses two random prime numbers (p,q). She keeps these two numbers as her secret. Then, she calls n, the product of p and q. She randomly chooses a number s {1, n-1} that is co-prime to n. Two numbers are co-prime if they do not share any common positive factors other than 1. Peggy then chooses a random number r {1, n-1}. She computes x = (mod n) and sends these values (n, s, and r) to the verifier. This signifies the start of the identification phase. Victor chooses a number B{0,1}. And sends it to Peggy. If B = 0, Peggy sends y, where y = r to the verifier. If B = 1, then Peggy sends y where y = (r s) mod n. Finally, Victor determines whether or not = mod n (where v = (mod n). The Feige-Fiat-Shamir Protocol can be more clearly demonstrated by following an example run[7]:

Let p = 5 and q = 7. Then, n = 35. Peggy secretly chooses s = 16. She calculates v = mod 35 which equals 11. Suppose Victor only requires two rounds of accreditation of the protocol in order to accept Peggy’s claim. Peggy randomly selects r = 10. She sends x = 100 mod 35 = 30 to Victor. Victor randomly selects B = 0 and sends it to Peggy. She returns y = r = 10 to Victor. He verifies that 100 mod 35 = x = 30. In the second round, Peggy randomly selects r = 20. She sends x = 15 to Victor and he randomly selects B = 1, and sends it back to Peggy. She returns y = (16 mod 35 = 5 to Victor. He verifies that 25 = (15 mod 35. After two rounds of successful accreditation, Victor is able to verify Peggy’s claim using the Feige-Fiat-Shamir Proof of Identity.

Guillou-Quisquater Proof of Identity

The Guillou-Quisquater Proof of Identity, invented by Louis Guillou and Jean-Jacques Quisquater is an improvement to the Feige-Fiat-Shamir Proof of Identity.[3] The Feige-Fiat-Shamir Protocol is weak in that it requires multiple iterations between Peggy and Victor and that Peggy needs a large amount of memory. Guillou-Quisquater optimizes this protocol by using longer computations. Take for example the following situation. Peggy wants to authenticate her identity with Victor. She holds a public certificate J and a private certificate S, where S = mod n. Similar to the Feige-Fiat-Shamir Protocol, n is the product of the two primes p and q. The number v is the public key such that the greatest common divisor between n and v is 1. Thus, n and v are said to be co-prime. First, Peggy chooses a random number r. She computes x = (mod n). Peggy sends both x and J (the public certificate) to Victor. He chooses and random number e {1, v} and sends it to Peggy. She computes y = r (mod n) and sends it to Victor. He computes and verifies that the result is equal to x and different from 0. By using this longer procedure of computation, Victor reduces Peggy’s cheating probability. This is modeled by the following equation:

where Pr is the probability of Peggy making an error, are the total possible computations of the protocol, and n is the number of rounds of accreditation. Because , the rounds required for Victor to achieve a certain level of confidence is reduced exponentially. Thus, the Guillou-Quisquater Proof of Identity serves as an improvement to the Feige-Fiat-Shamir Protocol, because it reduces the number of rounds of accreditation by demanding more complex computations by using both a public and a private key.

Schnorr’s Mutual Digital Signature Authentication

Schnorr’s identification and authentication scheme can be used for digital signatures by replacing Victor with a hash function. A digital signature is simply a mathematical scheme to demonstrate the authenticity of a digital document. If Victor is replaced by a cryptographically secure hash function, most zero knowledge protocols can be turned into digital signatures.[1] They are implemented as follows. Peggy creates a number of problems and uses the hash function as a virtual Victor. The inputs of the hash function are just the message and problems presented to Victor. Using these inputs guarantees that neither the message nor the problems can be altered without making the signature void.[1] Also, the output of the hash function is completely random and unpredictable. Thus, Peggy cannot try to change the inputs to the hash in her favor to try and get values which would allow her to cheat. The receiving end of the protocol can calculate the hash function itself and check that Peggy returns the correct solutions in order to determine that the digital signature is valid. Schnorr’s Mutual Digital Signature Authentication is the last of the five prominent zero knowledge protocols.

Hamiltonian Cycles

A Hamiltonian cycle for a graph is the path through the graph that passes every node exactly once.[1] As the size of the graph increases, the difficulty of calculating its Hamiltonian cycle increases as well, and is therefore classified as having NP complexity. The most popular example of a zero knowledge Hamiltonian cycle consists of Peggy, who tries to prove that she knows the Hamiltonian cycle for a certain graph and Victor, who is to determine whether or not Peggy knows the secret to calculating a graph’s Hamiltonian cycle. Peggy gives Victor a permuted version of the original graph. Victor, in return, asks for either a proof that the graph is a permutation or the original graph, or for Peggy to show the Hamiltonian cycle for the permuted graph. Either of these problems can be calculated easily from the original data, but being able to respond to both of these possible requests requires Peggy to truly know the secret (the Hamiltonian cycle of a graph). This protocol can be better illustrated with a concrete example. Consider a fictional city “Orbiville” which recently updated its subway system with its own Hamiltonian path.[2] Suppose Peggy claims to know the Hamiltonian cycle of Orbiville’s subway system illustrated below.

Peggy first permutes the graph a to generate a partial graph b with a new Hamiltonian cycle c. By revealing only the partial graph b, Victor can verify that c visits each station once and exists in the subway system. After multiple rounds of accreditation (with a new permuted graph each time), Victor will be assured of the existence of a Hamiltonian path, without actually knowing the path itself. This system is complete because an honest Peggy will be able to solve Victor’s problem every time. The system is sound because a cheating Peggy will only be able to solve the problem of the time (either the permutation or the path would be incorrect). Because the Hamiltonian cycle system is both complete and sound, it is zero knowledge.

Case Study: Smart Cards

Zero knowledge protocols are often discussed in a theoretical sense and not in a practical sense. However, zero knowledge protocols do have a variety of practical applications. They are used to ensure secure data transactions during identification and authentication. The following case study illustrates how using zero knowledge protocols increases the security of smart cards.[1]

Smart cards, or Integrated Circuit Cards (ICCs) are small pocket sized cards with embedded integrated circuits which are used to process the input and output of data. They are most commonly used as ATM, SIM, health, and National ID cards, but have grown increasingly popular for their ability to store certificates during web browsing.

Since their introduction into the technological market, Smart cards have experienced major breaches in security. They are often encrypted using simple cryptographic techniques, making them easily decrypted by pirates. Pirates have developed efficient techniques to reverse-engineer smart card CPUs and their memories. These techniques include: using nonstandard programming voltages to clear code protection fuses, magnetic scanning of currents throughout the integrated circuits, and acid washing the chip one layer at a time.[1] Fortunately, smart cards are not yet used widely enough to cause any major organized criminal activity. In the future, smart card applications will need public key and zero knowledge protocols and solutions to circumvent such malicious activity.

The first step to solving smart card security issues is to use a light zero knowledge protocol. The protocol should mandate that each round is completed within a very short time limit (so that a Mafia man-in-the-middle attack will fail) and that a dictionary or pre-calculated table based brute force attack is not feasible. Assume that the smart card only has 36 bytes of RAM available to work on the protocol and that some of this space must be reserved for other use. Each key should therefore be about 8 bytes in length. Suppose the intruder has 5 orders of magnitude more processing power than the given system. Even if the brute-force calculation is fast, the combination of a 64 bit key and a time limit would foil even the fastest computers. Although intruders can try and anticipate Feige-Fiat-Shamir protocols with pre-calculated prime number tables before launching their attack, simply changing the system’s public key values periodically would make an intrusion infeasible and would effectively negate any attack. Thus, zero knowledge protocols prove to have practical applications in solving cryptographic problems in current and future technological systems.

Conclusion

Zero knowledge proofs are both fascinating and useful concepts. They are convincing yet return nothing beyond the validity of an claim. Zero knowledge protocols ensure that after reading a proof, the verifier cannot perform any computational tasks the he could not perform before. Thus, the integrity and privacy of information is maintained. Because zero knowledge proofs force malicious parties to act according to a predetermined protocol, they have vast applications in the domain of cryptography. [9] The need to effectively understand and implement zero knowledge protocols is increasing as internet capabilities continue to expand at such a rapid rate. Because zero knowledge protocols are relatively easy to implement, but difficult to foil, they make excellent constructs for solving cryptographic security issues. Although the various zero knowledge protocols will remain the same, they will have unforeseen applications in the years to come.

Works Cited

1. Arronsson, Hannu. “Network Security: Zero Knowledge and Small Systems.” TKK – TML. Helsinki University of Technology. Web. 19 Feb. 2010. <http://www.tml.tkk.fi/Opinnot/Tik-110.501/1995/zeroknowledge.html>.
2. Chazelle, Bernard. “The security of knowing nothing.” Nature 446 (2007). 26 Apr. 2007. Web.
3. Giani, Annarita. “Identification with Zero Knowledge Protocols.” Thesis. University of California Berkeley, 2001. SANS Institute. 2001. Web. 20 Feb. 2010.
4. Goldreich, Oded. Foundations of cryptography basic tools. Cambridge, U.K: Cambridge UP, 2001. Print.
5. Goldreich, Oded. Zero-Knowledge twenty years after its invention. Thesis. Weizmann Institute of Science, 2004. Print.
6. Hoffstein, Jeffrey. An introduction to mathematical cryptography. New York: Springer, 2008. Print.
7. Mohr, Austin. “A Survey of Zero Knowledge Proofs with Applications to Cryptography.” Thesis. Southern Illinois University at Carbondale. Web. <http://www.austinmohr.com/work/files/zkp.pdf>.
8. Pass, Rafael. “Lecture 18: Zero-Knowledge Proofs.” Lecture. Cornell University, Ithaca. 26 Mar. 2009. Web.
9. Rosen, Alon. Concurrent Zero-Knowledge With Additional Background by Oded Goldreich (Information Security and Cryptography). New York: Springer, 2006. Print.
10. Weis, Steve. “Lecture 3: Zero-Knowledge Proofs Continued.” Lecture. Massachusetts Institute of Technology, Cambridge. 12 Feb. 2003. Web.