Zero-Knowledge Proof and
Cryptographic Commitment
Unit-4
Interactive Proof Systems
• Traditionally, a proof of a statement is a static
string that anyone can check for correctness
– Follows axioms and deduction rules.
• Generalizing proof systems to be interactive
– A proof system involves an algorithm for a prover and
an algorithm for a verifier that exchange messages.
– A proof system can be probabilistic: the verifier may
accept a false statement, but only with small (negligible)
probability
Zero Knowledge Proofs
• A protocol involving a prover and a verifier that
enables the prover to convince the verifier of a
statement without revealing any other information
– E.g., proving that a number n is the product of two
primes
– Proving that one knows p, q such that n = pq
– Proving that one knows x such that g^x mod p = y
Two Kinds of Zero-Knowledge Proofs
• ZK proof of a statement
– convincing the verifier that a statement is true without
yielding any other information
– example of a statement, a propositional formula is
satisfiable
• ZK proof of knowledge
– convincing the verifier that one knows a secret, e.g.,
one knows the discrete logarithm log_g(y), i.e., an x with g^x = y
Fiat-Shamir Protocol for Proving
Quadratic Residues
• Statement: x is a QR modulo n
• Prover knows w such that w^2 = x (mod n)
• Repeat the following one-round protocol t times;
the verifier accepts only if every round passes
• One-round Protocol:
– P to V: y = r^2 mod n, where r is chosen at random
– V to P: b ∈ {0,1}, chosen at random
– P to V: z = r·w^b mod n, i.e., z = r if b = 0, z = rw if b = 1
– V verifies: z^2 = y·x^b (mod n), i.e., z^2 = y if b = 0, z^2 = yx if b = 1
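The protocol above as an added example in Python (not code from the original slides): an honest prover that knows w, a witness-less prover that guesses the challenge bit before committing, the verifier's check, and a t-round run. The modulus n = 11·13, the witness w = 17 and x = w^2 mod n = 3 are constructed toy values and are not secure; a real instance needs an n of RSA size. The cheat_rate function measures how often the guessing prover is accepted, which is the 2^-t soundness error discussed on the following slides.

```python
import random
from math import gcd

# Constructed toy parameters (NOT secure): n = 11 * 13, witness w = 17,
# statement x = w^2 mod n = 3.  Real deployments use an n of 2048+ bits.
N = 11 * 13
W = 17
X = W * W % N


def rand_unit(rng, n):
    """Uniform element of Z_n^* (invertible residues), by rejection sampling."""
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            return r


class HonestProver:
    """Knows a square root w of x and follows the protocol."""
    def __init__(self, n, x, w, rng):
        assert w * w % n == x
        self.n, self.x, self.w, self.rng = n, x, w, rng

    def commit(self):
        self.r = rand_unit(self.rng, self.n)
        return self.r * self.r % self.n                    # y = r^2 mod n

    def respond(self, b):
        return self.r * pow(self.w, b, self.n) % self.n    # z = r * w^b mod n


class GuessingProver:
    """Knows only x.  Guesses the challenge g before committing: the
    commitment is built so that z answers challenge g, and nothing else."""
    def __init__(self, n, x, rng):
        self.n, self.x, self.rng = n, x, rng

    def commit(self):
        self.g = self.rng.randrange(2)
        self.z = rand_unit(self.rng, self.n)
        # g=0: y = z^2 (answers b=0);  g=1: y = z^2 * x^-1 (answers b=1)
        return self.z * self.z * pow(self.x, -self.g, self.n) % self.n

    def respond(self, b):
        return self.z            # verifies only when b == self.g


def verify_round(n, x, y, b, z):
    """Verifier's check: y must be a unit and z^2 = y * x^b (mod n)."""
    return gcd(y, n) == 1 and z * z % n == y * pow(x, b, n) % n


def run_protocol(prover, n, x, t, rng):
    """t sequential commit/challenge/respond rounds; accept iff all pass."""
    for _ in range(t):
        y = prover.commit()
        b = rng.randrange(2)            # honest verifier: uniform challenge
        z = prover.respond(b)
        if not verify_round(n, x, y, b, z):
            return False
    return True


def honest_accepts(t, seed=0):
    rng = random.Random(seed)
    return run_protocol(HonestProver(N, X, W, rng), N, X, t, rng)


def cheat_rate(t, trials=2000, seed=1):
    """Fraction of runs in which the witness-less prover is accepted; about 2^-t."""
    rng = random.Random(seed)
    wins = sum(run_protocol(GuessingProver(N, X, rng), N, X, t, rng)
               for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("honest accepted:", honest_accepts(20))
    for t in (1, 4, 10):
        print(f"t={t:2d}: cheater accepted in {cheat_rate(t):.4f} of runs "
              f"(2^-t = {2 ** -t:.4f})")
```

The guessing prover is exactly the cheating strategy a predictable challenge enables: it never needs w, only the ability to choose z before y. Python 3.8+ is assumed for pow(x, -1, n).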
Observations on the Protocol
• Multiple rounds
• Each round consists of 3 steps
– Commit; challenge; respond
• If the challenge can be predicted before committing, then
cheating is possible (choose z first and set y = z^2·x^-b).
– Hence a transcript cannot convince a third party (even
one watching the interaction online): the same transcript
could have been produced without the secret
– Essence of why it is ZK
• If the prover responds to more than one challenge for the
same commitment, then the secret is revealed.
– Essence of why this proves knowledge of the secret
Properties of Interactive Zero-
Knowledge Proofs of Knowledge
• Completeness
– Given honest prover and honest verifier, the protocol
succeeds with overwhelming probability
• Soundness
– A prover who does not know the secret (or for whom the
statement is false) convinces the verifier only with
negligible probability
• Zero knowledge
– the proof does not leak any additional information
Analysis of the Fiat-Shamir
protocol
• Completeness: when the prover knows w with w^2 = x and both parties
follow the protocol, every round's verification succeeds
• Soundness: if x is not a QR, the verifier will not be fooled.
– Need to show that no matter what the prover does, the verifier's
check fails with some probability (1/2 per round in this protocol)
– Assume x is not a QR, and V receives y
• Case 1: y is a QR. Then yx is not a QR (otherwise x itself would be
a QR), so when b = 1 the check z^2 = yx fails.
• Case 2: y is a QNR. Then when b = 0 the check z^2 = y fails.
• Either way the round is rejected with probability 1/2, so the
proof is rejected with probability at least 1 - 2^-t over t rounds.
Formalizing the ZK property
• A protocol is ZK if a simulator exists
– Taking only what the verifier knows before the proof, it can
generate a communication transcript that is indistinguishable
from one generated during a real run of the proof
• Intuition: one observes the communication transcript. If what
one sees could have been generated by oneself, one has not
learned any new knowledge in the process.
• Three kinds of indistinguishability
– Perfect (information theoretic): identical distributions
– Statistical: negligible statistical distance
– Computational: no efficient distinguisher
Honest Verifier ZK vs. Standard
ZK
• Honest Verifier ZK means that a simulator exists
for the Verifier algorithm V given in the protocol.
• Standard ZK requires that a simulator exists for
any (possibly dishonest) algorithm V* that can play the
role of the verifier in the protocol.
Fiat-Shamir is honest-verifier ZK
• The transcript of one round consists of
– (n, x, y, b, z) satisfying z^2 = y·x^b (mod n)
– The bit b generated by the honest verifier V is uniform and
independent of the other values
• Construct a simulator for one round as follows
– Given (x, n)
– Pick b ∈ {0,1} uniformly at random
– If b = 0, pick a random z and set y = z^2 mod n
– If b = 1, pick a random z and set y = z^2·x^-1 mod n
– Output (n, x, y, b, z)
• The transcript generated by the simulator has the same
probability distribution as a protocol run: in a real run
z = r·w^b is uniformly distributed just like the simulator's z,
and y is determined from (z, b) by the same relation in both
Fiat-Shamir is ZK
• Given any possible verifier V*, a simulator works as
follows:
1. Given (x, n) where x is a QR; let T = (x, n)
2. Repeat steps 3 to 7 for each round
3. Randomly choose b ∈ {0,1}
4. When b = 0, choose random z, set y = z^2 mod n
5. When b = 1, choose random z, set y = z^2·x^-1 mod n
6. Invoke V* to get b' = V*(T, y); if b' ≠ b, rewind V* to
before it saw y and go to step 3
7. Append (n, x, y, b, z) to T
• Observe that both z^2 and z^2·x^-1 are random QRs with the
same probability distribution, so y reveals nothing about b and
V*'s choice b' matches b with probability 1/2: an expected two
tries per round, so the simulator runs in expected polynomial time
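An added Python example serving both the honest-verifier slide and this one (not code from the original slides). The first part enumerates every one-round transcript the real protocol can produce and every transcript the simulator can produce, on the toy modulus n = 11·13 with w = 17 and x = 3 (constructed values, not secure), and checks that the two multisets are identical, which is the perfect-indistinguishability claim. The second part is the rewinding simulator for an arbitrary V*, here a constructed biased_vstar whose challenge depends on y and on the history T; the simulator guesses b, asks V*, and retries on a mismatch.

```python
from collections import Counter
from math import gcd
import random

# Constructed toy parameters (not secure): n = 11*13, w = 17, x = w^2 mod n = 3.
N, W = 11 * 13, 17
X = W * W % N
UNITS = [u for u in range(1, N) if gcd(u, N) == 1]      # Z_n^*, 120 elements


def real_transcripts(n, x, w):
    """Every one-round transcript (y, b, z) an honest P and honest V can produce,
    one entry per choice of (r, b): the protocol's exact distribution."""
    return Counter((r * r % n, b, r * pow(w, b, n) % n)
                   for r in UNITS for b in (0, 1))


def simulated_transcripts(n, x):
    """Every transcript the honest-verifier simulator can produce from x alone:
    pick b and z, set y = z^2 * x^-b.  One entry per choice of (z, b)."""
    return Counter((z * z * pow(x, -b, n) % n, b, z)
                   for z in UNITS for b in (0, 1))


def simulate_round(n, x, b, rng):
    """One simulated round for an already-chosen challenge b (no witness)."""
    z = rng.choice(UNITS)
    y = z * z * pow(x, -b, n) % n
    return y, z


def simulate_against(vstar, n, x, t, rng, max_tries=10_000):
    """Simulator for an arbitrary verifier V*: guess b, build (y, z), ask V*
    for its challenge b' = V*(T, y), and rewind (retry) whenever b' != b.
    Returns (list of (y, b, z) rounds, number of tries)."""
    T, tries = [], 0
    while len(T) < t:
        if tries >= max_tries:
            return None, tries
        tries += 1
        b = rng.randrange(2)
        y, z = simulate_round(n, x, b, rng)
        if vstar(T, y) != b:
            continue                 # rewind V* to before it saw y; try again
        T.append((y, b, z))
    return T, tries


def biased_vstar(T, y):
    """A constructed dishonest verifier: its challenge depends on y and on
    how many rounds it has already seen."""
    return (y + len(T)) % 2


def verifies(T, n, x):
    """The verifier's relation z^2 = y * x^b (mod n) holds in every round."""
    return all(z * z % n == y * pow(x, b, n) % n for y, b, z in T)


def run_simulator(t, seed=0, vstar=biased_vstar):
    return simulate_against(vstar, N, X, t, random.Random(seed))


if __name__ == "__main__":
    print("distributions identical:",
          real_transcripts(N, X, W) == simulated_transcripts(N, X))
    T, tries = run_simulator(8)
    print(f"simulated 8 rounds against biased V* in {tries} tries; "
          f"all rounds verify: {verifies(T, N, X)}")
```

The distribution check works because z = r·w^b is a bijection on Z_n^* for each fixed b, so each real transcript corresponds to exactly one simulated one. Against biased_vstar about two tries per round are needed, as the slide predicts. Python 3.8+ is assumed for pow(x, -b, n).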
Zero Knowledge Proof of
Knowledge
• A ZKP protocol is a proof of knowledge if it
satisfies a stronger soundness property:
– The prover must know a witness for the statement
• Soundness property: if a prover A can convince the
verifier, then a knowledge extractor exists
– a polynomial-time algorithm that, given (black-box,
rewindable) access to A, can output the secret
• The Fiat-Shamir protocol is also a proof of
knowledge.
Knowledge Extractor for the QR
Protocol
• If A can convince V that x is a QR with probability
significantly above 1/2, then for some y that A outputs, A can
pass when challenged with both 0 and 1.
• Knowledge extractor
– Given an algorithm A that can convince a verifier,
– After A has sent y, first challenge it with 0 and receive z1
such that z1^2 = y
– Then reset A to the state right after sending y, challenge it with 1
and receive z2 such that z2^2 = xy; then compute s = z1^-1·z2, and we
have s^2 = z1^-2·z2^2 = y^-1·xy = x
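The extractor above as an added Python example (not code from the original slides), which also illustrates the earlier observation that answering two challenges on one commitment gives away the secret. The prover is treated as a black box: the extractor runs it to obtain y, snapshots its state with copy.deepcopy, obtains z1 for challenge 0, rewinds to the snapshot, obtains z2 for challenge 1, and computes s = z1^-1·z2. The Prover class, the modulus n = 11·13, w = 17 and x = 3 are constructed toy values, not secure.

```python
import copy
import random
from math import gcd

# Constructed toy parameters (not secure): n = 11*13, w = 17, x = w^2 mod n = 3.
N, W = 11 * 13, 17
X = W * W % N


class Prover:
    """A prover that convinces the verifier.  The extractor only runs it,
    snapshots its state and rewinds; it never reads self.w directly."""
    def __init__(self, n, x, w, seed):
        self.n, self.x, self.w = n, x, w
        self.rng = random.Random(seed)

    def commit(self):
        while True:                                   # r uniform in Z_n^*
            self.r = self.rng.randrange(1, self.n)
            if gcd(self.r, self.n) == 1:
                break
        return self.r * self.r % self.n               # y = r^2 mod n

    def respond(self, b):
        return self.r * pow(self.w, b, self.n) % self.n   # z = r * w^b mod n


def extract(prover, n, x):
    """Knowledge extractor: get y, answer challenge 0, rewind the prover to
    its state right after sending y, answer challenge 1, and combine:
    z1^2 = y and z2^2 = x*y  =>  (z1^-1 * z2)^2 = x."""
    y = prover.commit()
    snapshot = copy.deepcopy(prover)     # prover state right after sending y
    z1 = prover.respond(0)
    z2 = snapshot.respond(1)             # the rewound prover gets challenge 1
    if z1 * z1 % n != y or z2 * z2 % n != x * y % n:
        raise ValueError("prover failed a challenge; nothing to extract")
    if gcd(z1, n) != 1:
        # cannot happen for a unit y; a nontrivial gcd would reveal a factor of n
        raise ValueError("z1 is not invertible mod n")
    s = pow(z1, -1, n) * z2 % n
    assert s * s % n == x
    return s


def demo(seed=0):
    """Extract a square root of X from a fresh prover; returns s with s^2 = X."""
    return extract(Prover(N, X, W, seed), N, X)


if __name__ == "__main__":
    s = demo()
    print(f"extracted s = {s}, s^2 mod n = {s * s % N} (x = {X})")
```

For this honest prover z1 = r and z2 = r·w, so the extracted s is w itself; for an arbitrary convincing prover the guarantee is only that s^2 = x, which is all a witness needs. Python 3.8+ is assumed for pow(z1, -1, n).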
Running in Parallel
• All rounds of Fiat-Shamir can be run in parallel
1. Prover: picks random r1, r2, ..., rt, sends y1 = r1^2, y2 = r2^2, ..., yt = rt^2 (mod n)
2. Verifier checks that the y's are not 0 and sends t random bits b1, ..., bt
3. Prover sends z1, z2, ..., zt, where zj = rj·w^(bj) mod n
4. Verifier accepts iff zj^2 = yj·x^(bj) (mod n) for every j
• This protocol is still a proof of knowledge.
• This protocol is still honest-verifier ZK.
• It is unknown whether this protocol is ZK or not!
– Consider the V* that chooses b1, ..., bt to be the first t bits of
H(y1, y2, ..., yt), where H is a cryptographic hash function.
• The above method for generating an indistinguishable transcript no longer
works: the simulator must fix all t bits before V* sees the y's, and
V*'s challenge matches them with probability only 2^-t, so the
rewinding strategy needs about 2^t tries.
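The parallel protocol and the hash-choosing V* as an added Python example (not code from the original slides). parallel_prove and parallel_verify are the four steps above; hash_challenge is the V* that derives b1..bt from SHA-256 of the y's; parallel_simulate applies the sequential simulator's strategy (guess all bits, build matching y's, ask V*) and counts attempts, which grow like 2^t. The modulus n = 11·13, w = 17, x = 3 and the choice of SHA-256 for H are constructed assumptions; an honest verifier would send its own random bits instead of hash_challenge.

```python
import hashlib
import random
from math import gcd

# Constructed toy parameters (not secure): n = 11*13, w = 17, x = w^2 mod n = 3.
N, W = 11 * 13, 17
X = W * W % N
UNITS = [u for u in range(1, N) if gcd(u, N) == 1]      # Z_n^*


def hash_challenge(ys, t):
    """V*'s challenge: the first t bits of H(y_1, ..., y_t), H = SHA-256."""
    digest = hashlib.sha256(",".join(map(str, ys)).encode()).digest()
    bits = int.from_bytes(digest, "big")
    return [(bits >> (255 - i)) & 1 for i in range(t)]


def parallel_prove(n, x, w, t, rng, challenge):
    """Parallel Fiat-Shamir: all y_j first, then all b_j, then all z_j.
    `challenge` stands in for the verifier's second message."""
    rs = [rng.choice(UNITS) for _ in range(t)]
    ys = [r * r % n for r in rs]
    bs = challenge(ys, t)
    zs = [r * pow(w, b, n) % n for r, b in zip(rs, bs)]
    return ys, bs, zs


def parallel_verify(n, x, ys, bs, zs):
    """Step 4: every y_j a unit (in particular nonzero) and z_j^2 = y_j * x^b_j."""
    return all(gcd(y, n) == 1 and z * z % n == y * pow(x, b, n) % n
               for y, b, z in zip(ys, bs, zs))


def parallel_simulate(n, x, t, rng, challenge, max_attempts):
    """The sequential simulator's strategy on the parallel protocol: guess all
    t bits, build (y_j, z_j) that answer them, then ask V* for its bits.
    Against hash_challenge each attempt succeeds with probability 2^-t."""
    for attempt in range(1, max_attempts + 1):
        bs = [rng.randrange(2) for _ in range(t)]
        zs = [rng.choice(UNITS) for _ in range(t)]
        ys = [z * z * pow(x, -b, n) % n for z, b in zip(zs, bs)]
        if challenge(ys, t) == bs:
            return (ys, bs, zs), attempt
    return None, max_attempts


def honest_run(t, seed=0):
    """Honest prover against the hash-choosing V*; always accepted."""
    rng = random.Random(seed)
    ys, bs, zs = parallel_prove(N, X, W, t, rng, hash_challenge)
    return parallel_verify(N, X, ys, bs, zs)


def simulator_attempts(t, seed=0, max_attempts=1 << 12):
    """Returns (simulated transcript or None, attempts used)."""
    return parallel_simulate(N, X, t, random.Random(seed),
                             hash_challenge, max_attempts)


if __name__ == "__main__":
    print("honest prover accepted by hash-V*:", honest_run(16))
    for t in (2, 4, 8, 12):
        out, attempts = simulator_attempts(t, max_attempts=1 << 16)
        print(f"t={t:2d}: simulator {'succeeded' if out else 'gave up'} "
              f"after {attempts} attempts (expect ~2^t = {2 ** t})")
```

The honest prover is unaffected, since it answers whatever bits it receives, but the simulator can no longer choose the y's after learning the challenge; whether some other simulation strategy exists is exactly the open question on the slide. Python 3.8+ is assumed for pow(x, -b, n).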