Zero-knowledge proof

Zero-knowledge proof

In cryptography, a zero-knowledge proof or zero-knowledge protocol is an interactive method for one party to prove to another that a (usually mathematical) statement is true, without revealing anything other than the veracity of the statement.

A zero-knowledge proof must satisfy three properties:
# Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.
# Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.
# Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact. This is formalized by showing that every cheating verifier has some "simulator" that, given only the statement to be proven (and no access to the prover), can produce a transcript that "looks like" an interaction between the honest prover and the cheating verifier.

The first two of these are properties of more general interactive proof systems. The third is what makes the proof zero-knowledge.

Research in zero-knowledge proofs has been motivated by authentication systems where one party wants to prove its identity to a second party via some secret information (such as a password) but doesn't want the second party to learn anything about this secret. This is called a "zero-knowledge proof of knowledge". However, a password is typically too small or insufficiently random to be used in many schemes for zero-knowledge proofs of knowledge. A zero-knowledge password proof is a special kind of zero-knowledge proof of knowledge that addresses the limited size of passwords.

Zero-knowledge proofs are not proofs in the mathematical sense of the term because there is some small probability, the "soundness error", that a cheating prover will be able to convince the verifier of a false statement. In other words, they are probabilistic rather than deterministic. However, there are techniques to decrease the soundness error to negligibly small values.

One of the most fascinating uses of zero-knowledge proofs within cryptographic protocols is to enforce honest behavior while maintaining privacy. Roughly, the idea is to force a user to prove, using a zero-knowledge proof, that its behavior is correct according to the protocol. Because of soundness, we know that the user must really act honestly in order to be able to provide a valid proof. Because of zero knowledge, we know that the user does not compromise the privacy of its secrets in the process of providing the proof. This application of zero-knowledge proofs was first used in the ground-breaking paper of Goldreich, Micali, and Wigderson on secure multiparty computation.


There is a well-known story presenting some of the ideas of zero-knowledge proofs, first published by Jean-Jacques Quisquater and others in their paper "How to Explain Zero-Knowledge Protocols to Your Children". [Jean-Jacques Quisquater, Louis C. Guillou, Thomas A. Berson. How to Explain Zero-Knowledge Protocols to Your Children. "Advances in Cryptology - CRYPTO '89: Proceedings", v.435, p.628-631, 1990. [ pdf] ] It is common practice to label the two parties in a zero-knowledge proof as Peggy (the prover of the statement) and Victor (the verifier of the statement). Sometimes P and V are known instead as Pat and Vanna.

In this story, Peggy has uncovered the secret word used to open a magic door in a cave. The cave is shaped like a circle, with the entrance in one side and the magic door blocking the opposite side. Victor says he'll pay her for the secret, but not until he's sure that she really knows it. Peggy says she'll tell him the secret, but not until she receives the money. They devise a scheme by which Peggy can prove that she knows the word without telling it to Victor.

First, Victor waits outside the cave as Peggy goes in. We label the left and right paths from the entrance A and B. She randomly takes either path A or B. Then, Victor enters the cave and shouts the name of the path he wants her to use to return, either A or B, chosen at random. Providing she really does know the magic word, this is easy: she opens the door, if necessary, and returns along the desired path. Note that Victor does not know which path she has gone down.

However, suppose she did not know the word. Then, she would only be able to return by the named path if Victor were to give the name of the same path that she had entered by. Since Victor would choose A or B at random, she would have a 50% chance of guessing correctly. If they were to repeat this trick many times, say 20 times in a row, her chance of successfully anticipating all of Victor's requests would become vanishingly small.

Thus, if Peggy reliably appears at the exit Victor names, he can conclude that she is very likely to know the secret word.

Another example

We can extend these ideas to a more realistic cryptography application. In this scenario, Peggy knows a Hamiltonian cycle for a large graph, "G". Victor knows "G" but not the cycle (e.g., Peggy has generated "G" and revealed it to him.) Peggy will prove that she knows the cycle without revealing it. A Hamiltonian cycle in a graph is just one way to implement a zero knowledge proof; in fact any NP-complete problem can be used, as well as some other difficult problems such as factoring. [] However, Peggy does not want to simply reveal the Hamiltonian cycle or any other information to Victor; she wishes to keep the cycle secret (perhaps Victor is interested in buying it but wants verification first, or maybe Peggy is the only one who knows this information and is proving her identity to Victor).

To show that Peggy knows this Hamiltonian cycle, she and Victor play several rounds of a game.

* At the beginning of each round, Peggy creates "H", an isomorphic graph to "G". Since it is trivial to translate a Hamiltonian cycle between isomorphic graphs with known isomorphism, if Peggy knows a Hamiltonian cycle for "G" she also must know one for "H".
* Peggy commits to "H". She could do so by using a cryptographic commitment scheme. Alternatively, she could number the vertices of "H", then for each edge of "H" write a small piece of paper containing the two vertices of the edge and then put these pieces of paper upside down on a table. The purpose of this commitment is that Peggy is not able to change "H" while at the same time Victor has no information about "H".
*Victor then randomly chooses one of two questions to ask Peggy. He can either ask her to show the isomorphism between "H" and "G" (see graph isomorphism problem), or he can ask her to show a Hamiltonian cycle in "H".
*If Peggy is asked to show that the two graphs are isomorphic, she first uncovers all of "H" (e.g. by turning all pieces of papers that she put on the table) and then provides the vertex translations that map "G" to "H". Victor can verify that they are indeed isomorphic.
*If Peggy is asked to prove that she knows a Hamiltonian cycle in "H", she translates her Hamiltonian cycle in "G" onto "H" and only uncovers the edges on the Hamiltonian cycle. This is enough for Victor to check that "H" does indeed contain a Hamiltonian cycle.

During each round, Peggy does not know which question she will be asked until after giving Victor "H". Therefore, in order to be able to answer both, "H" must be isomorphic to "G" and she must have a Hamiltonian cycle in "H". Because only someone who knows a Hamiltonian cycle in "G" would always be able to answer both questions, Victor (after a sufficient number of rounds) becomes convinced that Peggy does know this information.

However, Peggy's answers do not reveal the original Hamiltonian cycle in "G". Each round, Victor will learn only "H"'s isomorphism to "G" or a Hamiltonian cycle in "H". He would need both answers for a single "H" to discover the cycle in "G", so the information remains unknown as long as Peggy can generate a unique "H" every round. Because of the nature of the isomorphic graph and Hamiltonian cycle problems (namely, that there is no known efficient algorithm for solving them in general), Victor gains no information about the Hamiltonian cycle in "G" from the information revealed in each round.

If Peggy does not know the information, she can guess which question Victor will ask and generate either a graph isomorphic to "G" or a Hamiltonian cycle for an unrelated graph, but since she does not know a Hamiltonian cycle for "G" she cannot do both. With this guesswork, her chance of fooling Victor is 2n, where n is the number of rounds. For all realistic purposes, it is infeasibly difficult to defeat a zero knowledge proof with a reasonable number of rounds in this way.

Variants of zero-knowledge

Different variants of zero-knowledge can be defined by formalizing the intuitive concept of what is meant by 'the output of the simulator "looks like" the execution of the real prove protocol' in different ways:

* We speak of "perfect zero-knowledge" if the distributions produced by the simulator and the proof protocol are distributed exactly the same. This is for instance the case in the first example above.

* "Statistical zero-knowledge" means that the distributions are not necessarily exactly the same, but they are statistical close, meaning that their statistical difference is a negligible function.

* We speak of "computational zero-knowledge" if no efficient algorithm can distinguish the two distributions.

History and results

Zero-knowledge proofs were first conceived in 1985 by Shafi Goldwasser, et al., in a draft of "The knowledge complexity of interactive proof-systems". [ Shafi Goldwasser, Silvio Micali, and Charles Rackoff. [ The knowledge complexity of interactive proof-systems] . "Proceedings of 17th Symposium on the Theory of Computation", Providence, Rhode Island. 1985. Draft. [ Extended abstract] ] While this landmark paper did not invent interactive proof systems, it did invent the IP hierarchy of interactive proof systems ("see interactive proof system") and conceived the concept of "knowledge complexity", a measurement of the amount of knowledge about the proof transferred from the prover to the verifier. They also gave the first zero-knowledge proof for a concrete problem, that of deciding quadratic nonresidues mod "m". In their own words:

Of particular interest is the case where this additional knowledge is essentially 0 and we show that [it] is possible to interactively prove that a number is quadratic non residue mod "m" releasing 0 additional knowledge. This is surprising as no efficient algorithm for deciding quadratic residuosity mod "m" is known when "m"’s factorization is not given. Moreover, all known "NP" proofs for this problem exhibit the prime factorization of "m". This indicates that adding interaction to the proving process, may decrease the amount of knowledge that must be communicated in order to prove a theorem.

The quadratic nonresidue problem has both an NP and a co-NP algorithm, and so lies in the intersection of NP and co-NP. This was also true of several other problems for which zero-knowledge proofs were subsequently discovered, such as an unpublished proof system by Oded Goldreich verifying that a two-prime modulus is not a Blum integer [ Oded Goldreich. A zero-knowledge proof that a two-prime moduli is not a Blum integer. Unpublished manuscript. 1985.] .

Oded Goldreich, et al., took this one step further, showing that, assuming the existence of unbreakable encryption, one can create a zero-knowledge proof system for the NP-complete graph coloring problem with three colors. Since every problem in NP can be efficiently reduced to this problem, this means that, under this assumption, all problems in NP have zero-knowledge proofs [Oded Goldreich, Silvio Micali, Avi Wigderson. [ Proofs that yield nothing but their validity] . "Journal of the ACM", volume 38, issue 3, p.690-728. July 1991.] . The reason for the assumption is that, as in the above example, their protocols require encryption. A commonly cited sufficient condition for the existence of unbreakable encryption is the existence of one-way functions, but it is conceivable that some physical means might also achieve it.

On top of this, they also showed that the graph nonisomorphism problem, the complement of the graph isomorphism problem, has a zero-knowledge proof. This problem is in co-NP, but is not currently known to be in either NP or any practical class. More generally, Goldreich, Goldwasser et al. would go on to show that, also assuming unbreakable encryption, there are zero-knowledge proofs for "all" problems in IP=PSPACE, or in other words, anything that can be proved by an interactive proof system can be proved with zero knowledge [Michael Ben-Or, Oded Goldreich, Shafi Goldwasser, Johan Hastad, Joe Kilian, Silvio Micali, and Phillip Rogaway. Everything provable is provable in zero-knowledge. S. Goldwasser, editor. In "Advances in Cryptology--CRYPTO '88", volume 403 of "Lecture Notes in Computer Science", p.37-56. Springer-Verlag, 1990, 21-25. August 1988.] .

Not liking to make unnecessary assumptions, many theorists sought a way to eliminate the necessity of one way functions. One way this was done was with "multi-prover interactive proof systems" (see interactive proof system), which have multiple independent provers instead of only one, allowing the verifier to "cross-examine" the provers in isolation to avoid being misled. It can be shown that, without any intractability assumptions, all languages in NP have zero-knowledge proofs in such a system [M. Ben-or, Shafi Goldwasser, J. Kilian, and A. Wigderson. [ Multi prover interactive proofs: How to remove intractability assumptions] . "Proceedings of the 20th ACM Symposium on Theory of Computing", p.113-121. 1988.]

It turns out that in an Internet-like setting, where multiple protocols may be executed concurrently, building zero-knowledge proofs is more challenging. The line of research investigating concurrent zero-knowledge proofs was initiated by the work of Dwork, Naor, and Sahai [ Cynthia Dwork, Moni Naor, and Amit Sahai. Concurrent Zero Knowledge. "Journal of the ACM (JACM)", v.51 n.6, p.851-898, November 2004.] . One particular development along these lines has been the development of witness-indistinguishable proof protocols. The property of witness-indistinguishability is related to that of zero-knowledge, yet witness-indistinguishable protocols do not suffer from the same problems of concurrent execution. [Uriel Feige and Adi Shamir. Witness Indistinguishable and Witness Hiding Protocols. "ACM Symposium on Theory of Computing (STOC)", 1990]

Another variant of zero-knowledge proofs are non-interactive zero-knowledge proofs. Blum, Feldman, and Micali [Manuel Blum, Paul Feldman, and Silvio Micali. Non-Interactive Zero-Knowledge and Its Applications. Proceedings of the twentieth annual ACM symposium on Theory of computing (STOC 1988). 103-112. 1988] showed that a common random string shared between the prover and the verifier is enough to achieve computational zero-knowledge without requiring interaction.


ee also

* Cryptographic protocol
* Feige-Fiat-Shamir Identification Scheme
* Topics in cryptography
* Zero-knowledge password proof
* The Montreal company formerly known as Zero-Knowledge Systems is now Radialpoint

External links

* [ Applied Kid Cryptography] – A simple explanation of zero-knowledge proofs using Where's Waldo? as an example
* [ How to construct zero-knowledge proof systems for NP]
* [ An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products]
* [ A tutorial by Oded Goldreich on zero knowledge proofs]
* [ Salil Vadhan's phd thesis on statistical zero knowledge]

Wikimedia Foundation. 2010.