13 serious applications of it. For example, if you solve |
13 serious applications of it. For example, if you solve |
14 crosswords with your friend, say Bob, you might want to |
14 crosswords with your friend, say Bob, you might want to |
15 convince him that you found a solution for one question, but |
15 convince him that you found a solution for one question, but |
16 of course you do not want to reveal the solution, as this |
16 of course you do not want to reveal the solution, as this |
17 might give Bob an advantage somewhere else in the crossword. |
17 might give Bob an advantage somewhere else in the crossword. |
|
18 |
18 So how to convince Bob that you know the answer (or a secret)? |
19 So how to convince Bob that you know the answer (or a secret)? |
19 One way would be to come up with the following protocol: |
20 One way would be to come up with the following protocol: |
20 Suppose the answer is \textit{folio}. Then look up the |
21 Suppose the answer is \textit{folio}. Then look up the |
21 definition of \textit{folio} in a dictionary. Say you find: |
22 definition of \textit{folio} in a dictionary. Say you find: |
22 |
23 |
90 to verify the hash. This might happen at some point, but |
91 to verify the hash. This might happen at some point, but |
91 equally it might never happen (what for example happens if the |
92 equally it might never happen (what for example happens if the |
92 authors lose their copy of the paper because of a disk |
93 authors lose their copy of the paper because of a disk |
93 failure?). Zero-knowledge proofs, in contrast, can be |
94 failure?). Zero-knowledge proofs, in contrast, can be |
94 immediately checked, even if the secret is not public yet |
95 immediately checked, even if the secret is not public yet |
95 and never will be. |
96 and perhaps never will be. |
96 |
97 |
97 \begin{figure} |
98 \begin{figure} |
98 \begin{center} |
99 \begin{center} |
99 \addtolength{\fboxsep}{4mm} |
100 \addtolength{\fboxsep}{4mm} |
100 \fbox{\includegraphics[scale=0.4]{../pics/Dismantling_Megamos_Crypto.png}} |
101 \fbox{\includegraphics[scale=0.4]{../pics/Dismantling_Megamos_Crypto.png}} |
109 The idea behind zero-knowledge proofs is not very obvious and |
110 The idea behind zero-knowledge proofs is not very obvious and |
110 will surely take some time for you to digest. Therefore let us |
111 will surely take some time for you to digest. Therefore let us |
111 start with a simple illustrative example. The example will not |
112 start with a simple illustrative example. The example will not |
112 be perfect, but hopefully explain the gist of the idea. The |
113 be perfect, but hopefully explain the gist of the idea. The |
113 example is called Alibaba's cave, which graphically looks as |
114 example is called Alibaba's cave, which graphically looks as |
114 follows: |
115 follows:\footnote{The example is taken from an |
|
116 article titled ``How to Explain Zero-Knowledge Protocols |
|
117 to Your Children'' available from |
|
118 \url{http://pages.cs.wisc.edu/~mkowalcz/628.pdf}.} |
115 |
119 |
116 \begin{center} |
120 \begin{center} |
117 \begin{tabular}{c@{\hspace{8mm}}c@{\hspace{8mm}}c} |
121 \begin{tabular}{c@{\hspace{8mm}}c@{\hspace{8mm}}c} |
118 \includegraphics[scale=0.1]{../pics/alibaba1.png} & |
122 \includegraphics[scale=0.1]{../pics/alibaba1.png} & |
119 \includegraphics[scale=0.1]{../pics/alibaba2.png} & |
123 \includegraphics[scale=0.1]{../pics/alibaba2.png} & |
128 magic wand. The point of the magic wand is that Alice knows |
132 magic wand. The point of the magic wand is that Alice knows |
129 the secret word for how to open it. She wants to keep the word |
133 the secret word for how to open it. She wants to keep the word |
130 secret, but wants to convince Bob that she knows it. |
134 secret, but wants to convince Bob that she knows it. |
131 |
135 |
132 One way of course would be to let Bob follow her, but then he |
136 One way of course would be to let Bob follow her, but then he |
133 would also find out the secret. This does not work. So let us |
137 would also find out the secret. So this does not work. To find |
134 first fix the rules: At the beginning Alice and Bob are |
138 a solution, let us first fix the rules: At the beginning Alice |
135 outside the cave. Alice goes in alone and takes either tunnel |
139 and Bob are outside the cave. Alice goes in alone and takes |
136 labelled $A$ in the picture, or the other one labelled $B$. |
140 either tunnel labelled $A$ in the picture, or the other tunnel |
137 She waits at the magic wand for the instructions from Bob, who |
141 labelled $B$. She waits at the magic wand for the instructions |
138 also goes into the gave and observes what happens at the fork. |
142 from Bob, who also goes into the gave and observes what |
139 He has no knowledge which tunnel Alice took and calls out |
143 happens at the fork. He has no knowledge which tunnel Alice |
140 (Step 2) that she should emerge from tunnel $A$, for example. |
144 took and calls out (in Step 2) that she should emerge from tunnel |
141 If she knows the secret for opening the wand, this will not be |
145 $A$, for example. If she knows the secret for opening the |
142 a problem for Alice. If she was already in the A-segment of |
146 wand, this will not be a problem for Alice. If she was already |
143 the tunnel, then she just comes back. If she was in the |
147 in the $A$-segment of the tunnel, then she just comes back. If |
144 B-segment of the tunnel she will say the magic work and goes |
148 she was in the $B$-segment of the tunnel she will say the magic |
145 through the wand to emerge from $A$ as requested by Bob. |
149 word and goes through the wand to emerge from $A$ as requested |
|
150 by Bob. |
146 |
151 |
147 Let us have a look at the case where Alice cheats, that is not |
152 Let us have a look at the case where Alice cheats, that is not |
148 knows the secret. She would still go into the cave and use, |
153 knows the secret. She would still go into the cave and use, |
149 for example the $B$-segment of the tunnel. If now Bob says she |
154 for example the $B$-segment of the tunnel. If now Bob says she |
150 should emerge from $B$, she is lucky. But if he says she |
155 should emerge from $B$, she is lucky. But if he says she |
151 should emerge from $A$ then Alice is in trouble: Bob will find |
156 should emerge from $A$ then Alice is in trouble: Bob will find |
152 out she does not actually know the secret. So in order to fool |
157 out she does not actually know the secret. So in order to fool |
153 Bob she needs to anticipate his call, and already go into the |
158 Bob she needs to anticipate his call, and already go into the |
154 corresponding tunnel. This of course also does not work. So |
159 corresponding tunnel. This of course also does not work. |
155 in order to find out whether Alice cheats, Bob just needs to |
160 Consequently in order to find out whether Alice cheats, Bob |
156 repeat this protocol many times. Each time Alice has a chance |
161 just needs to repeat this protocol many times. Each time Alice |
157 of $\frac{1}{2}$ to be lucky or being found out. Iterating |
162 has a chance of $\frac{1}{2}$ to be lucky or being found out. |
158 this $n$ means she must be right every time and the |
163 Iterating this $n$ times means she must be right every time |
159 probability for this is $\frac{1}{2}^n$. |
164 and when cheating the probability for this is $\frac{1}{2}^n$. |
160 |
165 |
161 |
166 |
162 There are some interesting observations we can make about |
167 There are some interesting observations we can make about |
163 Alibaba's cave and the ZKP protocol between Alice and Bob: |
168 Alibaba's cave and the ZKP protocol between Alice and Bob: |
164 |
169 |
175 for small $n$ say $> 10$ is very small indeed. |
180 for small $n$ say $> 10$ is very small indeed. |
176 \item {\bf Zero-Knowledge} Even if Bob accepts |
181 \item {\bf Zero-Knowledge} Even if Bob accepts |
177 the proof by Alice, he cannot convince anybody else. |
182 the proof by Alice, he cannot convince anybody else. |
178 \end{itemize} |
183 \end{itemize} |
179 |
184 |
180 \noindent The last property is the most interesting. Assume |
185 \noindent The last property is the most interesting one. |
181 Alice has convinced Bob that she knows the secret and Bob |
186 Assume Alice has convinced Bob that she knows the secret and |
182 filmed the whole protocol with a camera. Can he use the video |
187 Bob filmed the whole protocol with a camera. Can he use the |
183 to convince anybody else. After a moment thought you will |
188 video to convince anybody else? After a moment of thought, you |
184 agree that this is not the case. Alice and Bob might have just |
189 will agree that this is not the case. Alice and Bob might have |
185 made is all up and colluded by Bob telling Alice beforehand |
190 just made it all up and colluded by Bob telling Alice |
186 which tunnel he will call. In this way it appears as if all |
191 beforehand which tunnel he will call. In this way it appears |
187 iterations of the protocol were successful, but they prove |
192 as if all iterations of the protocol were successful, but they |
188 nothing. If another person wants to find out whether Alice |
193 prove nothing. If another person wants to find out whether |
189 knows the secret, he or she would have to conduct the protocol |
194 Alice knows the secret, he or she would have to conduct the |
190 again. This is actually the definition of a zero-knowledge |
195 protocol again. This is actually the formal definition of a |
191 proof: an independent observer cannot distinguish between |
196 zero-knowledge proof: an independent observer cannot |
192 a real protocol (where Alice knows the secret) and a fake |
197 distinguish between a real protocol (where Alice knows the |
193 one (where Bob and Alice colluded). |
198 secret) and a fake one (where Bob and Alice colluded). |
194 |
199 |
195 |
200 |
196 \subsubsection*{Using an Graph-Isomorphism Problem for ZKPs} |
201 \subsubsection*{Using an Graph-Isomorphism Problem for ZKPs} |
197 |
202 |
198 Now the question is how can we translate Alibaba's cave into a |
203 Now the question is how can we translate Alibaba's cave into a |
228 \end{tabular} |
233 \end{tabular} |
229 \end{tabular} |
234 \end{tabular} |
230 \end{center} |
235 \end{center} |
231 |
236 |
232 \noindent The table on the right gives a mapping of the nodes |
237 \noindent The table on the right gives a mapping of the nodes |
233 of the first graph to the nodes of the second. With this we |
238 of the first graph to the nodes of the second. With this |
234 can check: node $a$ is connected in $G_1$ with $g$, $h$ and |
239 mapping we can check: node $a$ is connected in $G_1$ with $g$, |
235 $i$. Node $a$ maps to node $1$ in $G_2$, which is connected to |
240 $h$ and $i$. Node $a$ maps to node $1$ in $G_2$, which is |
236 $2$, $4$ and $5$, which again correspond via the mapping. Let |
241 connected to $2$, $4$ and $5$, which again correspond via the |
237 us write $\sigma$ for such a table and let us write |
242 mapping to $h$, $i$ and $g$ respectively. Let us write |
|
243 $\sigma$ for such a table and let us write |
238 |
244 |
239 \[G_1 = \sigma(G_2)\] |
245 \[G_1 = \sigma(G_2)\] |
240 |
246 |
241 \noindent for two isomorphic graphs. It is actually very |
247 \noindent for two isomorphic graphs ($\sigma$ being the |
242 easy to construct two isomorphic graphs: Start with an |
248 isomorphism). It is actually very easy to construct two |
243 arbitrary graph, re-label the nodes consistently. What |
249 isomorphic graphs: Start with an arbitrary graph, re-label the |
244 Alice need for the protocol below is to generate such |
250 nodes consistently. Alice will need to do this frequently |
245 isomorphic graphs. |
251 for the protocol below. In order to be useful, we therefore |
|
252 would need to consider substantially larger graphs, like |
|
253 with thousand nodes. |
246 |
254 |
247 Now the secret which Alice tries to hide is the knowledge of |
255 Now the secret which Alice tries to hide is the knowledge of |
248 such an isomorphism $\sigma$ between two such graphs. But she |
256 such an isomorphism $\sigma$ between two such graphs. But she |
249 can convince Bob whether she knows such an isomorphism for two |
257 can convince Bob whether she knows such an isomorphism for two |
250 graphs. |
258 graphs using the same idea as in the example with Alibaba's |
|
259 cave. |
251 |
260 |
252 \subsubsection*{Using Modular Arithmetic for ZKP Protocols} |
261 \subsubsection*{Using Modular Arithmetic for ZKP Protocols} |
253 |
262 |
254 |
263 |
255 |
264 |