Zero-Knowledge Prof’s 101 ENCORE – Only Highschool Math
Zero-Knowledge Prof’s 101 ENCORE – Only Highschool Math
Thursday 1F
Convener: Kazue Sako
Notes-taker(s): Christian Lundkvist
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Suppose we have publicly known integers g, p, where p is large(~ 2^256), g < p. (p is often a prime)
Define f(x) = g^x mod p
We use the fact that given f(x) it is computationally infeasible to compute x (“Discrete logarithm problem”)
For modular arithmetic (i.e. the “mod p“ above), see https://en.wikipedia.org/wiki/Modular_arithmetic
(All operations are modulo p here)
Alice gives y = f(x) to Bob, he holds on to y. Alice has the secret number x and wants to prove to Bob that she knows x such that y = f(x) without revealing x.
Alice can prove to Bob that she knows x through the following protocol:Alice creates random number r
Alice gives u = g^r mod p to Bob Bob sends a random number e \in {0, 1} to Alice
If e=0 Alice defines v = u
If e=1 Alice defines v = g^(r+x) mod p
Alice sends v to Bob
Bob verifies by checking:
if e=0 check that v = u
if e=1 check that v = u * y (=u * f(x) = g^r * g^x = g^(r+x))
If Alice knows x she can always give the right response v. If Alice doesn’t know x she has probability 1/2 of giving the correct value (if Bob sends e=0).
Now if we do this 10 times the probability of Alice sends the right thing without knowing x is 1/2^10 (around 1 in a million).Why is the choice e=0 relevant (it’s unrelated to x)?
Suppose Bob always gives e=1 and Alice knows this. She can then cheat by providing
u = g^r / y mod p
to Bob, and when Bob sends e=1 Alice can respond by sending v = g^r mod p. Bob will compute u * y = g^r/y * y = g^r mod p = v so Bob’s check will always succeed even though Alice didn’t know x. This is why Bob needs to also send e=0.
Generalize a bit:
Alice generates r, defines u = g^r mod p, send u to Bob
Bob sends e, Alice sends back v = g^(r + e*x) mod p Bob verifies by checking that v = u * y^e(same as above in the case e \in {0,1})
Now, instead of e \in {0, 1}, let e be a random number in the interval [0, p-1] and do the same thing:
Alice generates r, defines u = g^r mod p, send u to Bob
Bob sends e, Alice sends back v = g^(r + e*x) mod p Bob verifies by checking that v = u * y^e
Now you only have to do one step in the interactive proof, and the probability of Alice generating a successful number v without knowing x is around 1/2^256
This is still an interactive proof, can we make the proof non-interactive?
Instead of Bob randomly choosing e, we can automatically generate a “random” response value e by hashing u:
e = Hash(u)
Now Alice can create a non-interactive zk-proof v:
Randomly generate r Define u = g^r mod p define e = Hash(u) v = g^(r + e * x) mod p Bob verifies the proof by checking that: v = u * y^e
If we only do this an attacker can replay Alices proof u, so Alice could add something like a nonce value to e, i.e. use e = Hash(u || nonce) ) where || means concatenation of byte strings. This way you can protect against replay attacks.
We now see that at this point we’ve actually designed a general signature scheme, by using an arbitrary message instead of the nonce above.This signature scheme would be defined as follows:Alice has a private key x, and generates a public key y = f(x) = g^y mod p.
To sign a message M with the private key x Alice does Randomly generate r Define u = g^r mod p define e = Hash(u || M) v = g^(r + e * x) mod p
The signature is defined as the pair (u, v).
To verify the signature on M using Alice’s public key y Bob computes e = Hash(u || M) and checks that v = u * y^e.This is very close to the Schnorr signature scheme: https://en.wikipedia.org/wiki/Schnorr_signature
Also instead of using modular arithmetic directly we often use more specific group arithmetic (such as elliptic curve arithmetic in elliptic curve cryptography).