Zero-knowledge proof

A zero-knowledge proof (also knowledgeable clear evidence ) or zero-knowledge protocol (also knowledgeable free protocol ) is a protocol in the field of cryptography. In a zero-knowledge protocol, two parties ( the prover and the verifier ) communicate with each other. The prover convinces the verifier with a certain probability that he knows a secret, without using the information about the secret itself known.

A known method is the fig - Fiat -Shamir protocol.

Properties

Zero - knowledge protocols are used, inter alia, authentication. In practice, they are rarely used because they, as a rule, for a sufficient level of safety a high level of interaction that is the exchange of many messages require. The authentication protocols used and standardized in practical applications are based instead on digital signatures. However, there are also constructions that certain zero-knowledge transfer protocols in non-interactive variants.

Zero - knowledge protocols are an extension of interactive proof systems dar. to the terms completeness and reliability of interactive proof systems still takes the zero-knowledge property, which ensures that the verifier obtains no information about the secret.

In a zero-knowledge protocol should always be shown that an input of a formal language belongs. For this, a zero-knowledge protocol must meet three conditions:

Classic

Peggy wants to prove Victor that she has secret knowledge ( may open a door in a cave ) without opening the door before his eyes (and thus him and third shows how to open the door ).

Viktor is at 4 and sees Peggy go into the cave. He does not know if Peggy goes to 1 or 2. Then Viktor goes to 3 and asks Peggy that it comes on a determination of which side of the cave. Depending on whether Peggy is on the right side, she has to open the red door or not. Can Peggy open the door, they can always come forth to the information required by Viktor page. Can they do not open the door, it will appear in 50 % of cases on the wrong side.

Peggy comes after n trials each time required by Viktor side of the cave, Viktor can go out with a probability of the fact that Peggy knows the secret of the door, but no new knowledge has gained over the door, for example, whether these can only be opened from one side.

Observed a third party, which looks Viktor, he is not convinced that Peggy knows the secret of the door, as Victor and Peggy may have agreed which side Victor will require in each of the passages.

Historical zero-knowledge proof

In the 16th century proved Nicolo Tartaglia to be third degree held by the solution formula for equations by calculating the zeros. He had the solution formula itself does not publish because he was able to calculate the zeros and thus it could be concluded that he had to be in possession of a solution path.

Note: This is not a real zero-knowledge method, because the verifier obtains new knowledge: the solution of a cubic equation. Strictly speaking, should not happen.

Example of a zero-knowledge protocol

A zero-knowledge authentication between two instances can take place using the Graphenisomorphieproblems. This requires the prover initially once a public key pair are created:

• The prover generates a very large graphs.
• Numbered in order with a permutation randomly and uniformly selected. The resulting graph is so.
• The couple will be published, the permutation keeps secret.

Suppose a person, called " verifier " would like to check the identity of, ie determine whether in fact in possession of the corresponding private key to the public key. Then, this fact can be proved using the following zero-knowledge protocol, without revealing the private key of the verifier or a third person:

We now consider the three necessary conditions for a zero-knowledge protocol:

• The above protocol is clearly completely as being constructed so that it satisfies the equation required.
• A dishonest prover or a third person, who wants to spend as can convince the verifier only with a probability of 0.5 ( by proper rates in the value in the first step ) without knowledge. If the protocol is repeated sufficiently often, and assuming that the provision of out is hard, the protocol is so reliable.
• The communication between the prover and verifier in a round (step 1 to 4) is of the form. Then produces a random and uniform and simulator, and thus calculates the graph, the resulting probability distribution is identical to the distribution, which is implied by the real protocol entities. Consequently, no secret knowledge (in this case the permutation ) to be transferred ( Zero - Knowledge ).