sen-material: handouts/ho99-zkp.tex@0697622fb181 (annotated)

283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	1	\documentclass{article}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	2	\usepackage{../style}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	3
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	4	\begin{document}
495 f5172bb6cf45 updated Christian Urban <urbanc@in.tum.de> parents: 436 diff changeset	5	\fnote{\copyright{} Christian Urban, King's College London, 2014, 2015}
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	6
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	7	\section*{Handout 6 (Zero-Knowledge Proofs)}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	8
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	9	Zero-knowledge proofs (short ZKP) solve a paradoxical puzzle:
288 fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	10	How to convince somebody else that one knows a secret, without
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	11	revealing what the secret actually is? This sounds like a
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	12	problem the Mad Hatter from Alice in Wonderland would occupy
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	13	himself with, but actually there some serious and not so
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	14	serious applications of it. For example, if you solve
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	15	crosswords with your friend, say Bob, you might want to
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	16	convince him that you found a solution for one question, but
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	17	of course you do not want to reveal the solution, as this
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	18	might give Bob an advantage somewhere else in the crossword.
296 428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	19
288 fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	20	So how to convince Bob that you know the answer (or a secret)?
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	21	One way would be to come up with the following protocol:
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	22	Suppose the answer is \textit{folio}. Then look up the
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	23	definition of \textit{folio} in a dictionary. Say you find:
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	24
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	25	\begin{quote}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	26	``an \textit{individual} leaf of paper or parchment, either
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	27	loose as one of a series or forming part of a bound volume,
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	28	which is numbered on the recto or front side only.''
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	29	\end{quote}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	30
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	31	\noindent
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	32	Take the first non-small word\footnote{Let's say the, a, an,
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	33	or, and \ldots fall into the category of small words.} in this definition,
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	34	in this case \textit{individual}, and look up the definition
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	35	of this word, say
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	36
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	37	\begin{quote}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	38	``a single \textit{human} being as distinct from a group''
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	39	\end{quote}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	40
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	41	\noindent
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	42	In this definition take the second non-small word, that
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	43	is \textit{human}, and again look up the definition of this
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	44	word. This will yield
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	45
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	46	\begin{quote}
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	47	``relating to or \textit{characteristic} of humankind''
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	48	\end{quote}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	49
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	50	\noindent
370 ddac52c0014c updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 366 diff changeset	51	You could go on looking up the definition of the third
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	52	non-small word in this definition and so on. But let us assume
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	53	you agreed with Bob to stop after three iterations with the
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	54	third non-article word in the last definition, that is
290 045e6ea00132 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 289 diff changeset	55	\textit{or}. Now, instead of sending to Bob the solution
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	56	\textit{folio}, you send to him \textit{characteristic}.
288 fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	57
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	58	How can Bob verify that you know the solution? Well, once he
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	59	solved it himself, he can use the dictionary and follow the
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	60	same ``trail'' as you did. If the final word agrees with what
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	61	you had sent him, he must infer you knew the solution earlier
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	62	than him. This protocol works like a one-way hash function
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	63	because \textit{characteristic} does not give any hint as to
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	64	what was the first word was. I leave you to think why this
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	65	protocol avoids small words?
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	66
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	67	After Bob found his solution and verified that according to
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	68	the protocol it ``maps'' also to \textit{characteristic}, can
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	69	he be entirely sure no cheating is going on? Not with 100\%
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	70	certainty. It could have been possible that he was given
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	71	\textit{characteristic} as the word, but it derived from a
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	72	different word. This might seem very unlikely, but at least
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	73	theoretical it is a possibility. Protocols based on
288 fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	74	zero-knowledge proofs will produce a similar result---they
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	75	give an answer that might be erroneous in a very small number
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	76	of cases. The point is to iterate them long enough so that the
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	77	theoretical possibility of cheating is negligibly small.
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	78
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	79	By the way, the authors of the paper ``Dismantling Megamos
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	80	Crypto: Wirelessly Lockpicking a Vehicle Immobilizer'' who
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	81	were barred from publishing their results used also a hash to
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	82	prove they did the work and (presumably) managed to get into
288 fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	83	cars without a key; see Figure~\ref{paper}. This is very
370 ddac52c0014c updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 366 diff changeset	84	similar to the method above about crosswords: They like to
ddac52c0014c updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 366 diff changeset	85	prove that they did the work, but not giving out the
ddac52c0014c updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 366 diff changeset	86	``solution''. But this also shows what the problem with such a
ddac52c0014c updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 366 diff changeset	87	method is: yes, we can hide the secret temporarily, but if
ddac52c0014c updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 366 diff changeset	88	somebody else wants to verify it, then the secret has to be
ddac52c0014c updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 366 diff changeset	89	made public. Bob needs to know that \textit{folio} is the
ddac52c0014c updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 366 diff changeset	90	solution before he can verify the claim of Alice that she had
ddac52c0014c updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 366 diff changeset	91	the solution first. Similarly with the car-crypto paper: we
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	92	needed to wait until September 2015 when the authors were
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	93	finally able to publish their findings in order to verify the
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	94	hash. Zero-knowledge proofs, in contrast, can be immediately
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	95	checked, even if the secret is not public yet and perhaps
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	96	never will be.
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	97
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	98	\begin{figure}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	99	\begin{center}
288 fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	100	\addtolength{\fboxsep}{4mm}
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	101	\fbox{\includegraphics[scale=0.4]{../pics/Dismantling_Megamos_Crypto.png}}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	102	\end{center}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	103	\caption{The authors of this paper used a hash in order to prove
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	104	later that they have managed to break into cars.\label{paper}}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	105	\end{figure}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	106
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	107
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	108	\subsubsection*{ZKP: An Illustrative Example}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	109
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	110	The idea behind zero-knowledge proofs is not very obvious and
288 fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	111	will surely take some time for you to digest. Therefore let us
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	112	start with a simple illustrative example. The example will not
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	113	be perfect, but hopefully explain the gist of the idea. The
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	114	example is called Alibaba's cave, which graphically looks as
296 428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	115	follows:\footnote{The example is taken from an
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	116	article titled ``How to Explain Zero-Knowledge Protocols
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	117	to Your Children'' available from
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	118	\url{http://pages.cs.wisc.edu/~mkowalcz/628.pdf}.}
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	119
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	120	\begin{center}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	121	\begin{tabular}{c@{\hspace{8mm}}c@{\hspace{8mm}}c}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	122	\includegraphics[scale=0.1]{../pics/alibaba1.png} &
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	123	\includegraphics[scale=0.1]{../pics/alibaba2.png} &
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	124	\includegraphics[scale=0.1]{../pics/alibaba3.png} \\
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	125	Step 1 & Step 2 & Step 3
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	126	\end{tabular}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	127	\end{center}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	128
290 045e6ea00132 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 289 diff changeset	129	\noindent Let us take a closer look at the picture in Step 1:
045e6ea00132 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 289 diff changeset	130	The cave has a tunnel which forks at some point. Both forks
045e6ea00132 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 289 diff changeset	131	are connected in a loop. At the deep end of the loop is a
045e6ea00132 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 289 diff changeset	132	magic wand. The point of the magic wand is that Alice knows
045e6ea00132 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 289 diff changeset	133	the secret word for how to open it. She wants to keep the word
288 fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	134	secret, but wants to convince Bob that she knows it.
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	135
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	136	One way of course would be to let Bob follow her, but then he
296 428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	137	would also find out the secret. So this does not work. To find
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	138	a solution, let us first fix the rules: At the beginning Alice
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	139	and Bob are outside the cave. Alice goes in alone and takes
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	140	either tunnel labelled $A$ in the picture, or the other tunnel
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	141	labelled $B$. She waits at the magic wand for the instructions
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	142	from Bob, who also goes into the gave and observes what
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	143	happens at the fork. He has no knowledge which tunnel Alice
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	144	took and calls out (in Step 2) that she should emerge from tunnel
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	145	$A$, for example. If she knows the secret for opening the
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	146	wand, this will not be a problem for Alice. If she was already
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	147	in the $A$-segment of the tunnel, then she just comes back. If
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	148	she was in the $B$-segment of the tunnel she will say the magic
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	149	word and goes through the wand to emerge from $A$ as requested
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	150	by Bob.
288 fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	151
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	152	Let us have a look at the case where Alice cheats, that is not
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	153	knows the secret. She would still go into the cave and use,
fd4bf1a2d38d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 283 diff changeset	154	for example the $B$-segment of the tunnel. If now Bob says she
294 5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	155	should emerge from $B$, she is lucky. But if he says she
290 045e6ea00132 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 289 diff changeset	156	should emerge from $A$ then Alice is in trouble: Bob will find
294 5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	157	out she does not actually know the secret. So in order to fool
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	158	Bob she needs to anticipate his call, and already go into the
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	159	corresponding tunnel. This of course also does not work, since
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	160	Bob can make any call he wants. Consequently in order to find
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	161	out whether Alice cheats, Bob just needs to repeat this
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	162	protocol many times. Each time Alice has a chance of
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	163	$\frac{1}{2}$ to be lucky or being found out. Iterating this
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	164	$n$ times means she must be right every time and when
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	165	cheating: the probability for this is $\frac{1}{2}^n$, number
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	166	that for already relatively small $n$, say 10, is incredibly
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	167	small.
294 5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	168
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	169
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	170	There are some interesting observations we can make about
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	171	Alibaba's cave and the ZKP protocol between Alice and Bob:
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	172
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	173	\begin{itemize}
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	174	\item {\bf Completeness} If Alice knows the secret, Bob
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	175	accepts Alice ``proof'' for sure. There is no error
297 530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	176	possible in that Bob thinks Alice cheats when she
294 5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	177	actually knows the secret.
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	178	\item {\bf Soundness} If Alice does not know the secret,
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	179	Bob accepts her ``proof'' with a very small probability.
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	180	If, as in the example above, the probability of being
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	181	able to hide cheating is $\frac{1}{2}$ in each round
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	182	it will be $\frac{1}{2}^n$ after $n$-rounds, which even
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	183	for small $n$ say $> 10$ is very small indeed.
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	184	\item {\bf Zero-Knowledge} Even if Bob accepts
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	185	the proof by Alice, he cannot convince anybody else.
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	186	\end{itemize}
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	187
296 428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	188	\noindent The last property is the most interesting one.
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	189	Assume Alice has convinced Bob that she knows the secret and
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	190	Bob filmed the whole protocol with a camera. Can he use the
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	191	video to convince anybody else? After a moment of thought, you
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	192	will agree that this is not the case. Alice and Bob might have
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	193	just made it all up and colluded by Bob telling Alice
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	194	beforehand which tunnel he will call. In this way it appears
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	195	as if all iterations of the protocol were successful, but they
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	196	prove nothing. If another person wants to find out whether
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	197	Alice knows the secret, he or she would have to conduct the
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	198	protocol again. This is actually the formal definition of a
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	199	zero-knowledge proof: an independent observer cannot
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	200	distinguish between a real protocol (where Alice knows the
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	201	secret) and a fake one (where Bob and Alice colluded).
294 5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	202
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	203
289 71f52ad510c2 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 288 diff changeset	204	\subsubsection*{Using an Graph-Isomorphism Problem for ZKPs}
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	205
294 5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	206	Now the question is how can we translate Alibaba's cave into a
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	207	computer science solution? It turns out we need an NP problem
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	208	for that. The main feature of an NP problem is that it is
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	209	computational very hard to generate a solution, but it is very
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	210	easy to check whether a given solution indeed solves the
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	211	problem at hand.\footnote{The question whether $P = NP$ or not,
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	212	we leave to others to speculate about.}
5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	213
295 81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	214	One NP problem is the \emph{graph isomorphism problem}. It
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	215	essentially determines whether the following two graphs, say
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	216	$G_1$ and $G_2$, can be moved and stretched so that they look
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	217	exactly the same.
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	218
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	219	\begin{center}
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	220	\begin{tabular}{c@{\hspace{8mm}}c@{\hspace{8mm}}c}
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	221	$G_1$ & $G_2$\\
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	222	\raisebox{-13mm}{\includegraphics[scale=0.4]{../pics/simple.png}} &
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	223	\raisebox{-13mm}{\includegraphics[scale=0.4]{../pics/simple-b.png}}&
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	224
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	225	\footnotesize
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	226	\begin{tabular}{rl}
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	227	Graph $G_1$ & Graph $G_2$\\
419 667a39dda86e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 370 diff changeset	228	a & 1\\
667a39dda86e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 370 diff changeset	229	b & 6\\
667a39dda86e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 370 diff changeset	230	c & 8\\
667a39dda86e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 370 diff changeset	231	d & 3\\
667a39dda86e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 370 diff changeset	232	g & 5\\
667a39dda86e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 370 diff changeset	233	h & 2\\
667a39dda86e updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 370 diff changeset	234	i & 4\\
295 81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	235	j & 7\\
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	236	\end{tabular}
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	237	\end{tabular}
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	238	\end{center}
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	239
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	240	\noindent The table on the right gives a mapping of the nodes
296 428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	241	of the first graph to the nodes of the second. With this
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	242	mapping we can check: node $a$ is connected in $G_1$ with $g$,
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	243	$h$ and $i$. Node $a$ maps to node $1$ in $G_2$, which is
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	244	connected to $2$, $4$ and $5$, which again correspond via the
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	245	mapping to $h$, $i$ and $g$ respectively. Let us write
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	246	$\sigma$ for such a table and let us write
295 81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	247
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	248	\[G_1 = \sigma(G_2)\]
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	249
296 428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	250	\noindent for two isomorphic graphs ($\sigma$ being the
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	251	isomorphism). It is actually very easy to construct two
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	252	isomorphic graphs: Start with an arbitrary graph, re-label the
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	253	nodes consistently. Alice will need to do this frequently
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	254	for the protocol below. In order to be useful, we therefore
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	255	would need to consider substantially larger graphs, like
428952dd7053 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 295 diff changeset	256	with thousand nodes.
295 81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	257
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	258	Now the secret which Alice tries to hide is the knowledge of
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	259	such an isomorphism $\sigma$ between two such graphs. But she
81a08931ecb4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 294 diff changeset	260	can convince Bob whether she knows such an isomorphism for two
297 530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	261	graphs, say $G_1$ and $G_2$, using the same idea as in the
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	262	example with Alibaba's cave. For this Alice and Bob must
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	263	follow the following protocol:
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	264
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	265	\begin{enumerate}
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	266	\item Alice generates an isomorphic graph $H$ which she sends
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	267	to Bob (in each iteration she needs to generate a
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	268	different $H$).
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	269	\item
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	270	After receiving $H$, Bob asks Alice either for an
297 530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	271	isomorphism between $G_1$ and $H$, or $G_2$ and $H$.
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	272	\item Alice and Bob repeat this procedure $n$ times.
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	273	\end{enumerate}
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	274
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	275	\noindent In Step 1 it is important that Alice always
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	276	generates a fresh isomorphic graph. I let you think what
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	277	would happen if Alice sends out twice the same graph $H$.
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	278
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	279	As said before, this is relatively easy to generate by
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	280	consistently relabelling nodes. If she started from $G_1$,
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	281	Alice will have generated
297 530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	282
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	283	\begin{equation}
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	284	H = \sigma'(G_1)\label{hiso}
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	285	\end{equation}
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	286
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	287	\noindent where $\sigma'$ is the isomorphism between $H$ and
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	288	$G_1$. But she could equally have started from $G_2$. In the
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	289	case where $G_1$ and $G_2$ are isomorphic, if $H$ is
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	290	isomorphic with $G_1$, it will also be isomorphic with
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	291	$G_2$, and vice versa.
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	292
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	293	After generating $H$, Alice sends it to Bob. The important
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	294	point is that she needs to ``commit'' to this $H$, therefore
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	295	this kind of zero-knowledge protocols are called
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	296	\emph{commitment protocols}. Only after receiving $H$, Bob
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	297	will make up his mind about which isomorphism he asks
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	298	for---whether between $H$ and $G_1$ or $H$ and $G_2$. For this
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	299	he could flip a coin, since the choice should be as
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	300	unpredictable for Alice as possible. Once Alice receives the
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	301	request, she has to produce an isomorphism. If she generated
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	302	$H$ as shown in \eqref{hiso} and is asked for an isomorphism
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	303	between $H$ and $G_1$, she just sends $\sigma'$. If she had
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	304	been asked for an isomorphism between $H$ and $G_2$, she just
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	305	has to compose her secret isomorphism $\sigma$ and $\sigma'$.
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	306	The main point for the protocol is that even knowing the
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	307	isomorphism between $H$ and $G_1$ or $H$ and $G_2$, will not
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	308	make the task easier to find the isomorphism between $G_1$ and
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	309	$G_2$, which is the secret Alice tries to protect.
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	310
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	311	In order to make it crystal clear how this protocol proceeds,
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	312	let us give a version using our more formal notation for
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	313	protocols:
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	314
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	315	\begin{center}
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	316	\begin{tabular}{lrl}
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	317	0) & $A \to B:$ & $G_1$ and $G_2$\\
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	318	1a) & $A \to B:$ & $H_1$ \\
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	319	1b) & $B \to A:$ & produce isomorphism $G_1 \leftrightarrow H_1$?
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	320	\quad(or $G_2 \leftrightarrow H_1$)\\
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	321	1c) & $A \to B:$ & requested isomorphism\\
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	322	2a) & $A \to B:$ & $H_2$\\
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	323	2b) & $B \to A:$ & produce isomorphism $G_1 \leftrightarrow H_2$?
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	324	\quad(or $G_2 \leftrightarrow H_2$)\\
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	325	2c) & $A \to B:$ & requested isomorphism\\
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	326	& \ldots\\
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	327	\end{tabular}
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	328	\end{center}
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	329
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	330	\noindent As can be seen the protocol runs for some
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	331	agreed number of iterations. The $H_i$ Alice needs to
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	332	produce, need to be all distinct. I hope you now know
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	333	why?
297 530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	334
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	335	It is also crucial that in each iteration, Alice first sends
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	336	$H_i$ and then Bob can decide which isomorphism he wants:
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	337	either $G_1 \leftrightarrow H_i$ or $G_2 \leftrightarrow H_i$.
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	338	If somehow Alice can find out before she committed to $H_i$,
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	339	she can cheat. For this assume Alice does \emph{not} know an
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	340	isomorphism between $G_1$ and $G_2$. If she knows which
370 ddac52c0014c updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 366 diff changeset	341	isomorphism Bob will ask for she can craft $H$ in such a way
297 530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	342	that it is isomorphism with either $G_1$ or $G_2$ (but it
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	343	cannot with both). Then in each case she would send Bob
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	344	a correct answer and he would come to the conclusion that
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	345	all is well. I let you also answer the question whether
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	346	such a protocol run between Alice and Bob would convince
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	347	a third person, say Pete.
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	348
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	349	Since the interactive nature of the above PKZ protocol and the
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	350	correct ordering of the messages is so important for the
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	351	``correctness'' of the protocol, it might look surprising that
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	352	the same goal can also me achieved in a completely offline
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	353	manner. By this I mean Alice can publish all data at once, and
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	354	then at a later time, Bob can inspect the data and come to the
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	355	conclusion whether or not Alice knows the secret (again
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	356	without actually learning about the secret). For this
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	357	Alice has to do the following:
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	358
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	359	\begin{enumerate}
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	360	\item Alice generates $n$ isomorphic graphs
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	361	$H_{1..n}$ (they need to be all distinct)
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	362	\item she feeds the $H_{1..n}$ into a hashing function
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	363	(for example encoded as as matrix)
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	364	\item she takes the first $n$ bits of the output of the hashing
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	365	function:
297 530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	366	whenever the output is $0$, she shows an isomorphism
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	367	with $G_1$; for $1$ she shows an isomorphism
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	368	with $G_2$
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	369	\end{enumerate}
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	370
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	371	\noindent The reason why this works and achieves the same
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	372	goal as the interactive variant is that Alice has no
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	373	control over the hashing function. It would be
297 530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	374	computationally just too hard to assemble a set of
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	375	$H_{1..n}$ such that she can force where $0$s and $1$s
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	376	in the hash values are such that it would pass an external
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	377	test. The point is that Alice can publish all this data
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	378	on the comfort of her own web-page, for example, and
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	379	in this way convince everybody who bothers to check.
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	380
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	381	The virtue of the use of graphs and isomorphism for a
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	382	zero-knowledge protocol is that the idea why it works
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	383	are relatively straightforward. The disadvantage is
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	384	that encoding any secret into a graph-isomorphism, while
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	385	possible, is awkward. The good news is that in fact
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	386	any NP problem can be used as part of a ZKP protocol.
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	387
294 5e8ffb58bdaa updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 290 diff changeset	388
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	389	\subsubsection*{Using Modular Logarithms for ZKP Protocols}
290 045e6ea00132 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 289 diff changeset	390
366 34a8f73b2c94 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 357 diff changeset	391	While information can be encoded into graph isomorphisms, it
34a8f73b2c94 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 357 diff changeset	392	is not the most convenient carrier of information. Clearly it
34a8f73b2c94 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 357 diff changeset	393	is much easier to encode information into numbers. Let us look
34a8f73b2c94 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 357 diff changeset	394	at zero-knowledge proofs that use numbers as secrets. For this
34a8f73b2c94 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 357 diff changeset	395	the underlying NP-problem is to calculate discrete logarithms.
34a8f73b2c94 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 357 diff changeset	396	It can be used by choosing public numbers $A$, $B$, $p$, and
34a8f73b2c94 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 357 diff changeset	397	private $x$ such that
297 530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	398
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	399	\begin{center}
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	400	$A^x \equiv B\; mod\; p$
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	401	\end{center}
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	402
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	403	\noindent holds. The secret Alice tries to keep secret is $x$.
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	404	The point of the modular logarithm is that it is very hard
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	405	from the public data to calculate $x$ (for large primes).
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	406	Now the protocol proceeds in three stages:
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	407
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	408	\begin{itemize}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	409	\item {\bf Commitment Stage}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	410	\begin{enumerate}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	411	\item Alice generates $z$ random numbers $r_1, \ldots, r_z$,
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	412	all less than $p - 1$. Alice then sends Bob for all
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	413	$i = 1,\ldots, z$:
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	414	\[ h_i = A^{r_i}\; mod\; p\]
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	415	\item Bob generates $z$ random bits, say $b_1,\ldots, b_z$. He can do this
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	416	by flipping $z$ times a coin, for example.
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	417	\item For each bit $b_i$, Alice sends Bob an $s_i$ where
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	418
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	419	\begin{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	420	\begin{tabular}{ll}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	421	if $b_i = 0$: & $s_i = r_i$\\
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	422	if $b_i = 1$: & $s_i = (r_i - r_j) \;mod\; (p -1)$\\
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	423	\end{tabular}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	424	\end{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	425
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	426	where $r_j$ is the lowest $j$ where $b_j = 1$.
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	427
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	428	\end{enumerate}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	429	\end{itemize}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	430
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	431	\noindent For understanding the last step, let $z$ be just 4.
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	432	We have four random values $r_i$ chosen by Alice and four
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	433	random bits $b_i$ chosen subsequently by Bob, for example
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	434
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	435	\begin{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	436	\begin{tabular}{lcccc}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	437	$r_i$:\; & 4 & 9 & 1 & 3\\
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	438	$b_i$:\; & 0 & 1 & 0 & 1\\
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	439	& & $\uparrow$ \\
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	440	& & $j$
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	441	\end{tabular}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	442	\end{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	443
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	444	\noindent The highlighted column is the lowest where $b_i =
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	445	1$ (counted from the left). That means $r_j = 9$. The reason
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	446	for letting Alice choose the random numbers $r_1, \ldots, r_z$
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	447	will become clear shortly. Next is the confirmation
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	448	phase where Bob essentially checks whether Alice has sent
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	449	him ``correct'' $s_i$ and $h_i$.
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	450
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	451	\begin{itemize}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	452	\item {\bf Confirmation Stage}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	453	\begin{enumerate}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	454	\item For each $b_i$ Bob checks whether $s_i$
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	455	conform to the protocol
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	456
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	457	\begin{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	458	\begin{tabular}{ll}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	459	if $b_i = 0$: & $A^{s_i} \stackrel{?}{\equiv} h_i\;mod\;p$\\
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	460	if $b_i = 1$: & $A^{s_i} \stackrel{?}{\equiv} h_i * h_j^{-1} \;mod\; p$\\
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	461	\end{tabular}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	462	\end{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	463	\end{enumerate}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	464	\end{itemize}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	465
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	466	\noindent To understand the case for $b_i = 1$, you have
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	467	to do the following calculation:
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	468
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	469	\begin{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	470	\begin{tabular}{r@{\hspace{1mm}}c@{\hspace{1mm}}l}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	471	$A^{s_i}$ & $=$ & $A^{r_i - r_j}$\\
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	472	& $=$ & $A^{r_i} * A^{-r_j}$\\
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	473	& $=$ & $h_{r_i} * h_{r_j}^{-1}\;mod\;p$
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	474	\end{tabular}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	475	\end{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	476
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	477	\noindent What is interesting that so far nothing has been
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	478	sent about $x$, which is the secret Alice has. Also notice
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	479	that Bob does not know $r_j$. He received
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	480
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	481	\begin{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	482	$r_j - r_j$, $r_m - r_j$, \ldots, $r_p - r_j \;mod \;p - 1$
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	483	\end{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	484
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	485	\noindent whenever his corresponding bits were $1$. So Bob
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	486	does not know $r_j$ and also does not know any $r_i$ where the
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	487	bit was $1$. Information about the $x$ is sent in the next
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	488	stage (obviously not revealing $x$).
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	489
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	490	\begin{itemize}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	491	\item {\bf Proving Stage}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	492
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	493	\begin{enumerate}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	494	\item Alice proves she knows $x$, the discrete log of $B$,
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	495	by sending
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	496
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	497	\begin{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	498	$s_{z+1} = x - r_j\;mod\;p-1$
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	499	\end{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	500
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	501	\item Bob confirms
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	502
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	503	\begin{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	504	$A^{s_{z+1}} \stackrel{?}{\equiv} B * h_j^{-1} \;mod \; p$
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	505	\end{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	506	\end{enumerate}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	507	\end{itemize}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	508
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	509	\noindent To understand the last step, you have to do the trick
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	510	again that
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	511
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	512	\[A^{s_{z+1}} = A^{x-r_j} = \ldots
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	513	\]
297 530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	514
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	515	\noindent
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	516	which I leave to you.
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	517
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	518	Now the question is how can Alice cheat? In order to cheat she
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	519	has to coordinate what she sends as $h_i$ in step 1 and $s_i$
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	520	in step 3 of the commitment stage, and also what to send as
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	521	$s_{z+1}$ in the proving stage. For the latter of course
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	522	Alice does not know $x$, so she just chooses some random
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	523	number for $s_{z+1}$ and calculates
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	524
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	525	\[A^{s_{z+1}}\]
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	526
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	527	\noindent
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	528	and then solves the equation
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	529
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	530	\[A^{s_{z+1}} \equiv B * y \;mod\;p\]
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	531
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	532	\noindent for $y$. This is easy since no logarithm needs to be
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	533	computed. If Alice can guess the $j$ where the first 1 will
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	534	appear in Bob's bit vector, then she sends the inverse of $y$
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	535	as $h_j$ and 0 as $s_j$. However, notice that when she
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	536	calculates a solution for $y$ she does not know $r_j$. For this she
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	537	would need to calculate the modular logarithm
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	538
436 8bf6704fc991 update Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 435 diff changeset	539	\[y \equiv A^{r_j}\;mod\;p\]
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	540
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	541	\noindent which is hard (see step 1 in the commitment stage).
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	542
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	543	Having settled on what $h_j$ should be, now what should Alice
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	544	send as the other $h_i$ and other $s_i$? If the $b_i$ happens
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	545	to be a 1, then the $h_i$ and other $s_i$ need to satisfy the
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	546	test
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	547
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	548	\[A^{s_i} \stackrel{?}{\equiv} h_i * h_j^{-1} \;mod\; p\]
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	549
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	550	\noindent where she has already settled on the value of
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	551	$h_j^{-1}$. Lets say she choses $s_i$ at random, then she just
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	552	needs to solve
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	553
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	554	\[A^{s_i} \equiv z * h_j^{-1} \;mod\; p\]
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	555
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	556	\noindent for $z$. Again that is easy, but it does not allow
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	557	us to know $r_i$, because then we would again need to solve
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	558	a modular logarithm problem. Let us call an $h_i$ which was
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	559	solved the easy way as \emph{bogus}. Alice has to produce
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	560	bogus $h_i$ for all bits that are going to be $1$ in advance!
435 4603e6bb80c8 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 424 diff changeset	561	This means she has to guess all the bits correctly. (Yes?
4603e6bb80c8 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 424 diff changeset	562	I let you think about this.)
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	563
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	564	Let us see what happens if she guesses wrongly: Suppose the
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	565	bit $b_i = 1$ where she thought she will get a 0. Then she has
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	566	already sent an $h_i$ and $h_j$ and now must find an $s_i$
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	567	such that
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	568
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	569	\[A^{s_i} \equiv h_i * h_j^{-1} \;mod\; p\]
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	570
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	571	\noindent holds. For this remember in calculating $h_i$, she
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	572	just chose a random $s_i$. Now she has to send a genuine one.
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	573	But this is of course too hard. If she knew the genuine $r_i$
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	574	and $r_j$ for $h_i$ and $h_j$, it would be easy (in this case
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	575	$s_i = r_i - r_j$). But she does not. So she will be found
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	576	out. If $b_i = 0$, but she thought she will get a 1, then
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	577	she has to send a $s_i$ which satisfies
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	578
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	579	\[A^{s_i} \equiv h_i\;mod\;p\]
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	580
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	581	\noindent Again she does not know $r_i$. So it is a too hard
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	582	task and she will be found out again.
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	583
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	584	To sum up, in order for Alice to successfully cheat Bob, she
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	585	needs to guess \emph{all} bits correctly. She has only a
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	586	$\frac{1}{2^z}$ chance of doing this.
290 045e6ea00132 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 289 diff changeset	587
357 5b91f5ad2772 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 297 diff changeset	588	\subsubsection*{Further Reading}
5b91f5ad2772 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 297 diff changeset	589
5b91f5ad2772 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 297 diff changeset	590	Make sure you understand what NP problems
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	591	are.\footnote{\url{http://en.wikipedia.org/wiki/NP_(complexity)}}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	592	They are the building blocks for zero-knowledge proofs.
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	593	Zero-Knowldege proofs are not yet widely used in production
423 11b46fa92a85 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 422 diff changeset	594	systems, but it is slowly gaining ground. One area of application
11b46fa92a85 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 422 diff changeset	595	where they pop up is crypto currencies (for example Zerocoins
11b46fa92a85 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 422 diff changeset	596	or how to make sure a Bitcoin exchange is solvent without
11b46fa92a85 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 422 diff changeset	597	revealing its assets).
422 abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	598
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	599	If you want to brush up on the modular logarithm problem,
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	600	the Khan Academy has a nice video:
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	601
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	602	\begin{center}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	603	\url{https://www.khanacademy.org/video/discrete-logarithm-problem}
abe178b3197e finished ZKP protocols Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 419 diff changeset	604	\end{center}
290 045e6ea00132 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 289 diff changeset	605
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	606	\end{document}
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	607
370 ddac52c0014c updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 366 diff changeset	608	http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html
ddac52c0014c updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 366 diff changeset	609
297 530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	610	http://btravers.weebly.com/uploads/6/7/2/9/6729909/zero_knowledge_technique.pdf
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	611	http://zk-ssh.cms.ac/docs/Zero_Knowledge_Prinzipien.pdf
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	612	http://www.wisdom.weizmann.ac.il/~oded/PS/zk-tut02v4.ps
530b98bcc36f updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 296 diff changeset	613
366 34a8f73b2c94 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 357 diff changeset	614	socialist millionares problem
34a8f73b2c94 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 357 diff changeset	615	http://en.wikipedia.org/wiki/Socialist_millionaire
34a8f73b2c94 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 357 diff changeset	616	http://twistedoakstudios.com/blog/Post3724_explain-it-like-im-five-the-socialist-millionaire-problem-and-secure-multi-party-computation
34a8f73b2c94 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 357 diff changeset	617
34a8f73b2c94 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 357 diff changeset	618
283 40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	619	%%% Local Variables:
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	620	%%% mode: latex
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	621	%%% TeX-master: t
40511897fcc4 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	622	%%% End:

author	cu
	Tue, 03 Oct 2017 22:43:03 +0100
changeset 545	0697622fb181
parent 523	7a6e8f603e08
permissions	-rw-r--r--