Complexity Theory and Cryptography, or the Power of Zero-Knowledge

Jörg Rothe
Institut für Informatik

"Computer Science is not about computers, any more than astronomy is about telescopes."
Edsger Dijkstra

Outline
• A Bit of Complexity Theory
• A Bit of Cryptography
• Zero-Knowledge Protocols

Secret-Key Exchange
[Figure labels: Erich, Insecure Channel]
Alice and Bob want to agree upon a joint secret key via an insecure channel on which Erich is an eavesdropper.

One-Way Functions
A one-way function is:
• Easy to compute, but
• Hard to invert.
Examples of one-way functions:
• Modular Exponentiation: $k \mapsto g^k \bmod n$, $0 < k < n$.
  The inverse function is called the Discrete Logarithm.
• Modular Squaring: $k \mapsto k^2 \bmod n$, $0 < k < n$.
  The inverse function is Computing Square Roots modulo n.

Authentication
[Figure labels: Erich, Insecure Channel, Protocol]
Question: How can Alice prove her identity beyond any doubt?
Answer: By proving that she knows her personal secret!
Ideal: Bob knows Alice's secret neither before nor after she proves her identity.

Zero-Knowledge Protocols

Zero-Knowledge
"There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things we know we don't know. But, there are also unknown unknowns. These are things we don't know we don't know."
Don Rumsfeld
How can one prove that someone does not know something?
How can one prove to know a secret without conveying any information about it?

Zero-Knowledge Protocols
Alice's Secret: Number code that opens the magical door.
[Figure labels: Lobby, Left Door, Right Door, Magical Door]
Protocol
• Alice walks through the left or right door.
• Bob yells either "Left!" or "Right!"
• Alice walks through the desired door; if necessary she uses her secret.

What is Zero-Knowledge?
Zero-Knowledge Property: Simulator M can (without knowing the secret) generate a simulated protocol, which cannot be distinguished from the original protocol.
That is: Since the simulator M doesn't put any information into the simulated protocol, Erich cannot get any information out of the original protocol.
In the example of the magical door:
• Bob video-tapes the original protocol.
• Simulator M generates an identical video tape by deleting the "bad" scenes.

Fiat-Shamir Protocol
Alice's Key Generation:
• picks large primes p and q
• publishes $n = pq$
• chooses her "secret" s
• publishes $v = s^2 \bmod n$
Protocol
Alice:
• randomly picks r
• computes $x = r^2 \bmod n$ and sends x
Bob:
• randomly picks a bit b and sends b
Alice:
• computes $y = r s^b \bmod n$ and sends y
Bob:
• checks whether or not $y^2 = x v^b \bmod n$

Analysis of Fiat-Shamir
The protocol works, since
$y^2 = (r s^b)^2 = r^2 s^{2b} = r^2 v^b = x v^b \bmod n$
The protocol is correct, since the cheating probability is:
• at most ½ per round: Erich can answer only one of the questions 'b=0' and 'b=1', since $y_0^2 = x$ and $y_1^2 = xv$ imply $(y_1 / y_0)^2 = v$. Hence, $y_1 / y_0$ is a square root of v modulo n.
• at least ½ per round: Erich guesses the bit b and prepares his answer by $x = r^2 v^{-b} \bmod n$ and $y = r$.
• exactly $(½)^t$ after t rounds. For t = 20, the chance of cheating is less than 1 to 1 000 000.

Fiat-Shamir is Zero-Knowledge
Simulator M knows:
• the public $n = pq$, but neither p nor q
• the public $v = s^2 \bmod n$, but not the "secret" s
Simulated Protocol
M:
• randomly picks a bit c
• randomly picks a number r
• computes $x = r^2 v^{-c} \bmod n$ and sends x
Bob:
• randomly picks a bit b and sends b
M:
• if $b = c$, then $y = r$; sends y
• if $b \neq c$, delete and repeat
Bob:
• accepts

Application of Zero-Knowledge
Practice:
• The Fiat-Shamir protocol can be used to decode Pay-TV.
• Because Fiat-Shamir:
  • is a public-key protocol,
  • is more efficient than most other public-key protocols,
  • can be implemented on a chip card.
Theory:
• Interactive proof systems: IP = PSPACE.
• Every problem in NP is zero-knowledge (under reasonable assumptions).

Epilogue
"Computer Science is not only about computers...
... but also about how to make TV sets not function."

Zero-Knowledge
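
The Fiat-Shamir rounds, Erich's guessing strategy and the simulator M from the slides above, as an added Python example that is not part of the original slides. The function names and the toy primes are assumptions made for illustration; a real modulus would be thousands of bits long.

```python
import secrets
from math import gcd

# Constructed toy parameters (assumed for this example, far too small for real use).
P, Q = 1000003, 1000033
N = P * Q

def keygen(n=N):
    """Alice: choose a secret s coprime to n and publish v = s^2 mod n."""
    while True:
        s = secrets.randbelow(n - 2) + 2
        if gcd(s, n) == 1:
            return s, pow(s, 2, n)

def verify(x, b, y, v, n=N):
    """Bob's check: y^2 == x * v^b (mod n)."""
    return pow(y, 2, n) == (x * pow(v, b, n)) % n

def honest_round(s, v, n=N):
    """One round run with the real secret; returns the transcript (x, b, y)."""
    r = secrets.randbelow(n - 1) + 1
    x = pow(r, 2, n)              # Alice's commitment
    b = secrets.randbelow(2)      # Bob's challenge bit
    y = (r * pow(s, b, n)) % n    # Alice's response
    return x, b, y

def cheat_round(v, n=N):
    """Erich without s: guess b in advance, send x = r^2 v^-guess, answer y = r."""
    r = secrets.randbelow(n - 1) + 1
    guess = secrets.randbelow(2)
    x = (pow(r, 2, n) * pow(v, -guess, n)) % n   # modular inverse needs Python 3.8+
    b = secrets.randbelow(2)      # Bob's actual challenge
    return verify(x, b, r, v, n)  # passes only when guess == b

def simulate_round(v, n=N):
    """Simulator M: same preparation as Erich, but rounds with b != c are deleted."""
    while True:
        c = secrets.randbelow(2)
        r = secrets.randbelow(n - 1) + 1
        x = (pow(r, 2, n) * pow(v, -c, n)) % n
        b = secrets.randbelow(2)  # the verifier's bit
        if b == c:
            return x, b, r        # kept scene: a transcript Bob accepts
```

Every transcript returned by `simulate_round` passes `verify` even though the simulator never sees s, while `cheat_round` succeeds in about half of its attempts, matching the ½ per-round bound.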