The Recycle Bin

A repository of comments, code, and opinions.

Zero-Knowledge Proofs

leave a comment »

I think I’m going to make Sundays “Learn About Cryptology Day”.  Here’s the first installment: Zero-Knowledge Proofs.  ZKP is an interactive process in which one party can prove that they know a secret without revealing any information about that secret.  In doing this, a ZKP must satisfy three criteria:

  1. Must be complete in the sense that if a person follows the protocol and passes then they have successfully proved that they are honest (within reasonable probability)
  2. Must be sound such that a dishonest party cannot fool anyone (within reasonable probability)
  3. Must be zero-knowledge meaning it cannot reveal any information about the secret, thus a dishonest party cannot learn anything while faking the process.

Cave Example

To demonstrate a hypothetical system I need to introduce some characters.  ZKPs are usually a two party systems, there is a prover (Peggy) whose goal is to convince a verifier (Victor) something.  In this example, Peggy will know a secret that opens a door in a cave.  The cave is circular and there is a door on the far end that blocks the path.

150px-Zkip_alibaba0 Victor would like to purchase this password from Peggy, but he  doesn’t want to give her any money until he is convinced that she knows the password.  Peggy is not about to tell him anything about the password since that would devalue it.  Together, they devise a system that will convince Victor that Peggy knows the password but satisfy Peggy’s need to secrecy.

Peggy enters the cave by selecting a path, A or B, at random.  Victor does not know which direction she chose.  Once Peggy is beyond the bend, Victor enters the front of the cave, picks a direction, A or B, and shouts it to Peggy.  She must exit the cave in this direction.  If she has to pass the door to do this, then she must unlock the door with the password.  There is a probability of 0.5 that Victor will chose the path that Peggy entered and she can simply turn around an leave.  This at first might seem like it ruins the whole procedure, but consider the probability of Peggy successfully anticipating Victor’s request say, 100 times (0.5^100 = 7.8×10^-31).  The chances of this happening are sufficiently low to be considered within reasonable probability.  The protocol is shown below (images from Wikipedia)

150px-Zkip_alibaba1 150px-Zkip_alibaba2 150px-Zkip_alibaba3

NP Problems

A more realistic implementation of ZKP is done with NP-complete problems.  NP-complete problems are a set of problems that are computationally difficult to solve, but easy to verify given then question and the solution.  They are a subset of NP (Non-deterministic Polynomial time) class problems.  A common implementation of ZKP with an NP-complete problem is to use Isomorphic graph transformations and Hamiltonian cycles.  Given a graph G, a Hamiltonian cycle is a path around G that visits each vertex exactly once and returns to the starting vertex.  There are many different cycles for each graph, provided the graph has a cycle to begin with.  In this example, Peggy knows a graph G, and a Hamiltonian cycleVictor knows the graph, but not the cycle.  Peggy aims to convince Victor that she knows the cycle without revealing anything about it.

  1. Peggy creates an isomorphic graph of G, call it H, and sends it to Victor. 
  2. Victor now asks Peggy to do one of two things:  show that H is isomorphic to G, or give a Hamiltonian cycle to H.  By revealing the cycle of H Peggy proves that she knows the cycle of G, because it is trivial to transform the cycle of G to that of H if G and H are isomorphic. 
  3. If Victor asked Peggy to show that H is isomorphic to G then she must provide the vertex translations needed to transform H into G.
  4. If Victor asked Peggy for a Hamiltonian cycle for H then she transforms the cycle that she has for G and sends it to Victor.  This reveals nothing about the cycle of G since Victor won’t have the vertex translations and doesn’t know exactly how H is isomorphic to G.

This problem is exactly the same as cave, with a probability of 0.5 that Peggy will be able to fool Victor at each step.  Any NP-complete problem can be adapted and used in a ZKP, provided there hasn’t been a break through that allows NP-complete problems to be solved efficiently (P=NP).  The security of these systems rely on the number of times the system is repeated, each time making it more and more difficult for Peggy to continue to fool Victor. 

There are many adaptations of ZKP, including a non-interactive version, and research is ongoing trying to find ways to incorporate these into authentication systems and the Internet. Post questions in the comments section below.


Written by Nathan

April 6, 2008 at 6:27 pm

Posted in Cryptography

Tagged with ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: