Lecture 15 Zero-Knowledge Techniques


Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce, and the contents of Volume 4 of Knuth.”

Victor: “No, you don’t.”

Peggy: “Yes, I do.”

Victor: “Do not!”

Peggy: “Do too!”

Victor: “Prove it!”

Peggy: “All right. I’ll tell you.” She whispers in Victor’s ear.

Victor: “That’s interesting. Now I know it, too. I’m going to tell The Washington Post.”


A few years ago, it was reported that some thieves set up a fake automatic teller machine at a shopping mall. When a person inserted a bank card and typed in an identification number, the machine recorded the information but responded with the message that it could not accept the card. The thieves then made counterfeit bank cards and went to legitimate teller machines and withdrew cash, using the identification numbers they had obtained.


How can this be avoided? There are several situations where someone reveals a secret identification number or password in order to complete a transaction. Anyone who obtains this secret number, plus some (almost public) identification information (for example, the information on a bank card), can masquerade as this person. What is needed is a way to use the secret number without giving any information that can be reused by an eavesdropper. This is where zero-knowledge techniques come in.

Outline

1 Overview of Zero-Knowledge Concepts
2 Fiat-Shamir Identification Protocol
3 Feige-Fiat-Shamir Identification Protocol
4 GQ Identification Protocol
5 Schnorr Identification Protocol

1 Overview of Zero-Knowledge Concepts

1.1 Idea

(Slide shows the cave with entrance A, fork B, and the two passages ending at C and D, separated by the secret door.)


1.1 Idea (Continued)

Peggy knows the secret of the cave. She wants to prove her knowledge to Victor, but she doesn’t want to reveal the magic words. Here’s how she convinces him:

(1) Victor stands at point A.

(2) Peggy walks all the way into the cave, either to point C or point D.

(3) After Peggy has disappeared into the cave, Victor walks to point B.


1.1 Idea (Continued)

(4) Victor shouts to Peggy, asking her either to:

(4.1) come out of the left passage or

(4.2) come out of the right passage.

(5) Peggy complies, using the magic words to open the secret door if she has to.

(6) Peggy and Victor repeat steps (1) through (5) n times.


1.1 Idea (Continued)

Comment.

The technique used in this protocol is called cut and choose, because of its similarity to the classic protocol for dividing anything fairly:

(1) Peggy cuts the thing in half.

(2) Victor chooses one of the halves for himself.

(3) Peggy takes the remaining half.

It is in Peggy’s best interest to divide fairly in step (1), because Victor will choose whichever half he wants in step (2).

1.2 Interactive Proof Systems and Zero-Knowledge Protocols

The ZK protocols to be discussed are instances of interactive proof systems, wherein a prover and verifier exchange multiple messages. The prover’s objective is to convince the verifier of the truth of an assertion, e.g., claimed knowledge of a secret. The verifier either accepts or rejects the proof. The traditional mathematical notion of a proof, however, is altered to an interactive game wherein proofs are probabilistic rather than absolute; a proof in this context need be correct only with bounded probability. For this reason, an interactive proof is sometimes called a proof by protocol.


1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)

Interactive proofs used for identification may be formulated as proofs of knowledge. A possesses some secret s, and attempts to convince B it has knowledge of s by correctly responding to queries (involving publicly known inputs and agreed upon functions) which require knowledge of s to answer. Note that proving knowledge of s differs from proving that such s exists. An interactive proof is said to be a proof of knowledge if it has both the properties of completeness and soundness.

1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)

Definition 1 (completeness property) An interactive proof (protocol) is complete if, given an honest prover and an honest verifier, the protocol succeeds with overwhelming probability (i.e., the verifier accepts the prover’s claim).

Comment. Completeness is viewed as the customary requirement that a protocol functions properly given honest participants. The definition of overwhelming depends on the application, but generally implies that the probability of failure is not of practical significance.


1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)

Definition 2 (soundness property) An interactive proof (protocol) is sound if there exists an expected polynomial-time algorithm M with the following property: if a dishonest prover (impersonating A) can with non-negligible probability successfully execute the protocol with B, then M can be used to extract from this prover knowledge (essentially equivalent to A’s secret) which with overwhelming probability allows successful subsequent protocol executions.


1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)

Since any party capable of impersonating A must know the equivalent of A’s secret knowledge (M can be used to extract it from this party in polynomial time), soundness guarantees that the protocol does indeed provide a proof of knowledge – knowledge equivalent to that being queried is required to succeed. Soundness thus prevents a dishonest prover from convincing an honest verifier.


1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)

Definition 3 (zero-knowledge property) A protocol which is a proof of knowledge has the zero-knowledge property if it is simulatable in the following sense: there exists an expected polynomial-time algorithm (simulator) which can produce, upon input of the assertion(s) to be proven but without interacting with the real prover, transcripts indistinguishable from those resulting from interaction with the real prover.

1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)

Comment. (1) The zero-knowledge property implies that a prover executing the protocol (even when interacting with a malicious verifier) does not release any information (about its secret knowledge, other than that the particular assertion itself is true) not otherwise computable in polynomial time from public information alone. Thus, participation does not increase the chances of subsequent impersonation.

1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)

(2) Consider an observer C who witnesses a zero-knowledge interactive proof (ZKIP) involving a prover A convincing a verifier B (B ≠ C) of some knowledge A has. The “proof” to B does not provide any guarantees to C. (Indeed, A and B might have a prior agreement, conspiring against C, on the challenges to be issued.) Similarly, a recorded ZKIP conveys no guarantees upon playback. This is fundamental to the idea of the zero-knowledge property and the condition that proofs be simulatable by a verifier alone.


1.2 Interactive Proof Systems and Zero-Knowledge Protocols (Continued)

(3) The zero-knowledge property (Definition 3) does not guarantee that a protocol is secure (i.e., that the probability of it being easily defeated is negligible). Similarly, the soundness property (Definition 2) does not guarantee that a protocol is secure. Neither property has much value unless the underlying problem faced by an adversary is computationally hard.

1.3 General Structure of Zero-Knowledge Protocols

A → B: witness
A ← B: challenge
A → B: response

Above illustrates the general structure of a large class of three-move zero-knowledge protocols: The prover claiming to be A selects a random element from a pre-defined set as its secret commitment, and from this computes an associated (public) witness.

1.3 General Structure of Zero-Knowledge Protocols (Continued)

This provides initial randomness for variation from other protocol runs, and essentially defines a set of questions all of which the prover claims to be able to answer, thereby a priori constraining her forthcoming response. By protocol design, only the legitimate party A, with knowledge of A's secret, is truly capable of answering all the questions, and the answer to any one of these provides no information about A's long-term secret. B's subsequent challenge selects one of these questions. A provides its response, which B checks for correctness. The protocol is iterated, if necessary, to improve the bound limiting the probability of successful cheating.

1.4 Zero-Knowledge VS. Asymmetric Protocols

(1) No degradation with usage: protocols proven to have the ZK property do not suffer degradation of security with repeated use, and resist chosen-text attacks. This is perhaps the most appealing practical feature of ZK techniques.

(2) Encryption avoided: many ZK techniques avoid use of explicit encryption algorithms.

(3) Efficiency: while some ZK-based techniques are extremely efficient, protocols which formally have the zero-knowledge property typically have higher communications and/or computational overheads than PK protocols which do not. The computational efficiency of the more practical ZK-based schemes arises from their nature as interactive proofs, rather than their zero-knowledge aspect.


1.4 Zero-Knowledge VS. Asymmetric Protocols (Continued)

(4) Unproven assumptions: many ZK protocols ("proofs of knowledge") themselves rely on the same unproven assumptions as PK techniques (e.g., the intractability of factoring).

(5) ZK-based vs. ZK: although supported by prudent underlying principles, many techniques based on zero-knowledge concepts fall short of formally being zero-knowledge and/or formally sound in practice, due to parameter selection for reasons of efficiency, or for other technical reasons. In fact, many such concepts are asymptotic, and do not apply directly to practical protocols.

2 Fiat-Shamir Identification Protocol

Protocol 1: Fiat-Shamir identification protocol

SUMMARY: A proves knowledge of s to B in t executions of a 3-pass protocol.

(1) One-time setup.

(1.1) A trusted center T selects and publishes an RSA-like modulus n = pq but keeps primes p and q secret.

(1.2) Each claimant A selects a secret s coprime to n, 1 ≤ s ≤ n-1, computes v = s^2 (mod n), and registers v with T as its public key.

(2) Protocol actions. The following steps are iterated t times (sequentially and independently). B accepts the proof if all t rounds succeed.

2 Fiat-Shamir Identification Protocol (Continued)

(2.1) A chooses a random r (the commitment), 1 ≤ r ≤ n-1, and sends (the witness) x = r^2 (mod n) to B.

(2.2) B randomly selects a (challenge) bit e = 0 or e = 1, and sends e to A.

(2.3) A computes and sends to B (the response) y, either y = r (if e = 0) or y = rs (mod n) (if e = 1).

(2.4) B rejects the proof if y = 0, and otherwise accepts upon verifying y^2 ≡ x·v^e (mod n). (Depending on e, y^2 = x or y^2 = xv (mod n), since v = s^2 (mod n). Note that checking for y = 0 precludes the case r = 0.)

2 Fiat-Shamir Identification Protocol (Continued)

A → B: x = r^2 (mod n)
A ← B: e ∈ {0, 1}
A → B: y = r·s^e (mod n)

B: If y ≠ 0 and y^2 ≡ x·v^e (mod n), then B accepts the proof; otherwise, B rejects the proof.

2 Fiat-Shamir Identification Protocol (Continued)

Comment.

(1) Protocol 1 may be explained and informally justified as follows. The challenge (or exam) e requires that A be capable of answering two questions, one of which demonstrates her knowledge of the secret s, and the other an easy question (for honest provers) to prevent cheating. A prover knowing s can answer both questions, but otherwise can at best answer one of the two questions, and so has probability only 1/2 of escaping detection. To decrease the probability of cheating arbitrarily to an acceptably small value 2^(-t) (e.g., t = 20 or t = 40), the protocol is iterated t times, with B accepting A's identity only if all t questions (over t rounds) are successfully answered.

2 Fiat-Shamir Identification Protocol (Continued)

Comment.

(2) The response y = r is independent of A's secret s, while the response y = rs (mod n) also provides no information about s because the random r is unknown to B. Information pairs (x, y) extracted from A could equally well be simulated by a verifier B alone by choosing y randomly, then defining x = y^2 or x = y^2/v (mod n). While this is not the method by which A would construct such pairs, such pairs (x, y) have a probability distribution which is indistinguishable from those A would produce; this establishes the zero-knowledge property. Despite the ability to simulate proofs, B is unable to impersonate A because B cannot predict the real-time challenges.
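To make comments (1) and (2) concrete, here is an added Python implementation of Protocol 1 (example code, not from the lecture): an honest prover, a prover without s that prepares its witness for a guessed challenge and therefore passes a round only when the guess was right, and the verifier-only simulator of comment (2). It reuses the modulus n = 683·811 of Example 1 below and takes s = 157 as a constructed secret.

```python
import secrets

# Constructed parameters: the primes of the lecture's Example 1 (n = 683 * 811 = 553913)
# and s = 157 as A's secret; v = s^2 mod n is the public key registered with T.
N = 683 * 811
S = 157
V = pow(S, 2, N)


def prover_witness(n):
    """(2.1) A picks a random commitment r, 1 <= r <= n-1, and forms the witness x = r^2 mod n."""
    r = secrets.randbelow(n - 1) + 1
    return r, pow(r, 2, n)


def prover_response(n, s, r, e):
    """(2.3) y = r if e = 0, otherwise y = r*s mod n."""
    return r if e == 0 else (r * s) % n


def verifier_check(n, v, x, e, y):
    """(2.4) Reject y = 0 outright (it would let r = 0 pass), else require y^2 = x * v^e mod n."""
    if y == 0:
        return False
    return pow(y, 2, n) == (x * pow(v, e, n)) % n


def honest_round(n, s, v, e):
    """One round with a prover that really knows s; succeeds for either challenge bit."""
    r, x = prover_witness(n)
    return verifier_check(n, v, x, e, prover_response(n, s, r, e))


def honest_proof(n, s, v, t):
    """t sequential rounds with fresh random challenges; B accepts only if all succeed."""
    return all(honest_round(n, s, v, secrets.randbelow(2)) for _ in range(t))


def cheating_round(n, v, e, guess):
    """Comment (1): a prover without s guesses the challenge in advance. It picks y first and
    forms x = y^2 (guess 0) or x = y^2 * v^-1 (guess 1) so that the check passes iff e == guess.
    Each round therefore catches the cheat with probability 1/2, and t rounds with 1 - 2^-t."""
    y = secrets.randbelow(n - 1) + 1
    x = pow(y, 2, n) if guess == 0 else (pow(y, 2, n) * pow(v, -1, n)) % n
    return verifier_check(n, v, x, e, y)


def simulate_transcript(n, v):
    """Comment (2): a verifier alone produces (x, e, y) triples by choosing e and y first and
    defining x = y^2 / v^e mod n. The triple verifies, yet s was never used, which is why a
    real transcript cannot leak anything about s."""
    e = secrets.randbelow(2)
    y = secrets.randbelow(n - 1) + 1
    x = (pow(y, 2, n) * pow(v, -e, n)) % n
    return x, e, y


if __name__ == "__main__":
    print("honest prover, t = 20 rounds accepted:", honest_proof(N, S, V, 20))
    hits = sum(cheating_round(N, V, secrets.randbelow(2), secrets.randbelow(2)) for _ in range(1000))
    print("cheating prover, single-round successes out of 1000:", hits)
    x, e, y = simulate_transcript(N, V)
    print("simulated transcript verifies:", verifier_check(N, V, x, e, y))
```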

3 Feige-Fiat-Shamir Identification Protocol

Protocol 2: Feige-Fiat-Shamir identification protocol

SUMMARY: A proves its identity to B in t executions of a 3-pass protocol.

(1) Selection of system parameters. A trusted center T publishes the common modulus n = pq for all users, with primes p and q such that n is computationally infeasible to factor. Integers k and t are defined as security parameters.

(2) Selection of per-entity secrets. Each entity A does the following.

(2.1) Select k random integers s_1, s_2, ..., s_k in the range 1 ≤ s_i ≤ n-1. (For technical reasons, gcd(s_i, n) = 1 is required, but is almost surely guaranteed as its failure allows factorization of n.)

(2.2) Compute v_i = s_i^(-2) (mod n) for 1 ≤ i ≤ k.

3 Feige-Fiat-Shamir Identification Protocol (Continued)

(2.3) A identifies itself by non-cryptographic means (e.g., photo id) to T, which thereafter registers A's public key (v_1, ..., v_k; n), while only A knows its private key (s_1, ..., s_k) and n. This completes the one-time set-up phase.

(3) Protocol actions. The following steps are executed t times; B accepts A's identity if all t rounds succeed. Assume B has A's authentic public key (v_1, ..., v_k; n).

(3.1) A chooses a random integer r, 1 ≤ r ≤ n-1, computes x = r^2 (mod n), and sends x (the witness) to B.

(3.2) B sends to A (the challenge) a random k-bit vector (e_1, ..., e_k).

(3.3) A computes and sends to B (the response): y = r · Π_{j=1}^{k} s_j^(e_j) (mod n) (the product of r and those s_j specified by the challenge).

(3.4) B computes z = y^2 · Π_{j=1}^{k} v_j^(e_j) (mod n), and verifies that z = x and z ≠ 0. (The latter precludes an adversary succeeding by choosing r = 0.)

3 Feige-Fiat-Shamir Identification Protocol (Continued)

A → B: x = r^2 (mod n)
A ← B: (e_1, ..., e_k), e_i ∈ {0, 1}
A → B: y = r · Π_{j=1}^{k} s_j^(e_j) (mod n)

B: If z = y^2 · Π_{j=1}^{k} v_j^(e_j) ≡ x (mod n) and z ≠ 0, then B accepts the proof; otherwise, B rejects the proof.

3 Feige-Fiat-Shamir Identification Protocol (Continued)

Example 1 (with artificially small parameters)

(1) The trusted center T selects the primes p = 683, q = 811, and publishes n = pq = 553913. Integers k = 3 and t = 1 are defined as security parameters.

(2) Entity A does the following.

(2.1) Selects 3 random integers s_1 = 157, s_2 = 43215, s_3 = 4646.

(2.2) Computes v_1 = 112068, v_2 = 338402, and v_3 = 429490.

(2.3) A's public key is (112068, 338402, 429490; 553913) and private key is (157, 43215, 4646).

(3) (3.1) A chooses r = 1279, computes x = 528015, and sends this to B.

(3.2) B sends to A the 3-bit vector (0, 0, 1).

(3.3) A computes and sends to B y = r · s_3 (mod n) = 403104.

(3.4) B computes z = y^2 · v_3 (mod n) = 528015 and accepts A's identity since z = x and z ≠ 0.
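The following added Python code (example code, not from the lecture) implements Protocol 2 for general k and t and replays Example 1 with its parameters; it also shows why the z ≠ 0 check matters and how a wrong private key is caught.

```python
import secrets

# Parameters of the lecture's Example 1 (artificially small): n = 683 * 811 = 553913, k = 3.
N = 683 * 811
PRIVATE = (157, 43215, 4646)   # s_1, s_2, s_3


def ffs_public_key(n, s):
    """(2.2) v_i = s_i^-2 mod n. pow() raises ValueError if some gcd(s_i, n) != 1."""
    return tuple(pow(s_i, -2, n) for s_i in s)


def ffs_witness(n, r):
    """(3.1) x = r^2 mod n."""
    return pow(r, 2, n)


def ffs_response(n, s, r, e):
    """(3.3) y = r * product of the s_j selected by the challenge bits e_j = 1, mod n."""
    y = r
    for s_j, e_j in zip(s, e):
        if e_j:
            y = y * s_j % n
    return y


def ffs_verify(n, v, x, e, y):
    """(3.4) z = y^2 * product of the selected v_j mod n; accept iff z == x and z != 0.
    Without the z != 0 test a claimant could send x = 0, y = 0 and pass every challenge."""
    z = pow(y, 2, n)
    for v_j, e_j in zip(v, e):
        if e_j:
            z = z * v_j % n
    return z == x and z != 0


def ffs_identify(n, s, v, t, rng=secrets):
    """Protocol 2: t sequential rounds with random commitments and random k-bit challenges."""
    k = len(v)
    for _ in range(t):
        r = rng.randbelow(n - 1) + 1
        x = ffs_witness(n, r)
        e = tuple(rng.randbelow(2) for _ in range(k))   # B's challenge vector
        y = ffs_response(n, s, r, e)
        if not ffs_verify(n, v, x, e, y):
            return False
    return True


def example_1_trace(n=N, s=PRIVATE, r=1279, e=(0, 0, 1)):
    """Replays Example 1 step by step and returns (public key, x, y, accepted)."""
    v = ffs_public_key(n, s)
    x = ffs_witness(n, r)
    y = ffs_response(n, s, r, e)
    return v, x, y, ffs_verify(n, v, x, e, y)


if __name__ == "__main__":
    v, x, y, accepted = example_1_trace()
    print("public key:", v)
    print("witness x =", x, "response y =", y, "accepted:", accepted)
    print("t = 10 random rounds with the right key:", ffs_identify(N, PRIVATE, v, 10))
    print("t = 10 random rounds with a wrong key:", ffs_identify(N, (1, 2, 3), v, 10))
```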

3 Feige-Fiat-Shamir Identification Protocol (Continued)

Comment.

(1) Probability of forgery. Protocol 2 is provably secure against chosen message attack in the following sense: provided that factoring n is difficult, the best attack has a probability 2^(-kt) of successful impersonation.

(2) Security assumption required. The security relies on the difficulty of extracting square roots modulo large composite integers n of unknown factorization. This is equivalent to that of factoring n.

(3) Zero-knowledge and soundness. The protocol is, relative to a trusted server, a (sound) zero-knowledge proof of knowledge provided k = O(log log n) and t = Θ(log n).

3 Feige-Fiat-Shamir Identification Protocol (Continued)

(4) Parameter selection. Choosing k and t such that kt = 20 allows a 1 in a million chance of impersonation, which suffices in the case that an identification attempt requires a personal appearance by a would-be impersonator. Computation, memory, and communication can be traded off; 1 ≤ k ≤ 18 was originally suggested as appropriate. Specific parameter choices might be, for security 2^(-20): k = 5, t = 4; for 2^(-30): k = 6, t = 5.

(5) Security trade-off. Both computation and communication may be reduced by trading off security parameters to yield a single iteration (t = 1), holding the product kt constant and increasing k while decreasing t; however, in this case the protocol is no longer a zero-knowledge proof of knowledge.

3 Feige-Fiat-Shamir Identification Protocol (Continued)

(6) Modification concerns.

(6.1) As an alternative to (1) of Protocol 2, each user may pick its own such modulus n. T is still needed to associate each user with its modulus.

(6.2) The communication complexity can be reduced if A sends B (e.g., 128 bits of) a hash value h(x) instead of x, with B's verification modified accordingly.

(6.3) The parallel version of the protocol, in which each of three messages contains the respective data for all t rounds simultaneously, can be shown to be secure. Such parallel execution (as opposed to sequential iteration) in interactive proofs allows the probability of error (forgery) to be decreased without increasing the number of rounds.

3 Feige-Fiat-Shamir Identification Protocol (Continued)

(6.4) The scheme can be made identity-based as follows. T assigns a distinguished identifying string I_A to each party A (e.g., A's name, address, or other information which a verifier may wish to corroborate). A's public values v_i, 1 ≤ i ≤ k, are then derived by both T and other parties B as v_i = f(I_A, i) using an appropriate function f. Then the trusted center, knowing the factorization of n, computes a square root s_i of each v_i and gives these to A.

3 Feige-Fiat-Shamir Identification Protocol (Continued)

(6.5) The following general technique may be used to convert an identification scheme involving a witness-challenge-response sequence to a signature scheme: replace the random challenge e of the verifier by the one-way hash e = h(x || m) of the concatenation of the witness x and the message m to be signed (h essentially plays the role of the verifier). As this converts an interactive identification scheme to a non-interactive signature scheme, the bitsize of the challenge e must typically be increased to preclude off-line attacks on the hash function.

4 GQ Identification Protocol

Protocol 3: GQ identification protocol

SUMMARY: A proves its identity (via knowledge of s_A) to B in a 3-pass protocol.

(1) Selection of system parameters.

(1.1) An authority T, trusted by all parties with respect to binding identities to public keys, selects secret random RSA-like primes p and q yielding a modulus n = pq. (As for RSA, it must be computationally infeasible to factor n.)

(1.2) T defines a public exponent v ≥ 3 with gcd(v, φ) = 1 where φ = (p-1)(q-1), and computes its private exponent s = v^(-1) (mod φ).

(1.3) System parameters (v, n) are made available (with guaranteed authenticity) for all users.

4 GQ Identification Protocol (Continued)

(2) Selection of per-user parameters.

(2.1) Each entity A is given a unique identity I_A, from which (the redundant identity) J_A = f(I_A), satisfying 1 < J_A < n, is derived using a known redundancy function f. (Assuming that factoring n is difficult implies gcd(J_A, φ) = 1.)

(2.2) T gives to A the secret (accreditation data) s_A = (J_A)^(-s) (mod n).

(3) Protocol actions. A proves its identity to B by t executions of the following; B accepts the identity only if all t executions are successful.

4 GQ Identification Protocol (Continued)

(3.1) A selects a random secret integer r (the commitment), 1 ≤ r ≤ n-1, and computes (the witness) x = r^v (mod n).

(3.2) A sends to B the pair of integers (I_A, x).

(3.3) B selects and sends to A a random integer e (the challenge), 1 ≤ e ≤ v.

(3.4) A computes and sends to B (the response) y = r · s_A^e (mod n).

(3.5) B receives y, constructs J_A from I_A using f (see above), computes z = J_A^e · y^v (mod n), and accepts A's proof of identity if both z = x and z ≠ 0. (The latter precludes an adversary succeeding by choosing r = 0.)

4 GQ Identification Protocol (Continued)

A → B: I_A, x = r^v (mod n)
A ← B: e, where 1 ≤ e ≤ v
A → B: y = r · s_A^e (mod n)

B: If z = J_A^e · y^v ≡ x (mod n) and z ≠ 0, then B accepts the proof; otherwise, B rejects the proof.

4 GQ Identification Protocol (Continued)

Example 2 (with artificially small parameters and t = 1)

(1) (1.1) The authority T selects primes p = 569, q = 739, and computes n = pq = 420491.

(1.2) T computes φ = (p-1)(q-1) = 419184, selects v = 54955, and computes s = v^(-1) mod φ = 233875.

(1.3) System parameters (54955, 420491) are made available for all users.

(2) (2.1) Suppose that A's redundant identity is J_A = 34579.

(2.2) T gives to A the accreditation data s_A = (J_A)^(-s) (mod n) = 403154.

(3) (3.1) A selects r = 65446 and computes x = r^v (mod n) = 89525.

(3.2) A sends to B the pair (I_A, 89525).

(3.3) B sends to A the random challenge e = 38980.

(3.4) A sends y = r · s_A^e (mod n) = 83551 to B.

(3.5) B computes z = J_A^e · y^v (mod n) = 89525 and accepts A's identity since z = x and z ≠ 0.
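Added Python code (example code, not from the lecture) for Protocol 3, replaying Example 2 and adding the challenge-guessing attempt that the comment on forgery probability describes: a claimant without s_A can prepare x for one guessed challenge and passes only when that guess equals the real e. The redundancy function f is not modelled; J_A = 34579 is taken directly, as the example does.

```python
import secrets
from math import gcd

# Parameters of the lecture's Example 2 (artificially small, t = 1): p = 569, q = 739, v = 54955.
P, Q, V = 569, 739, 54955
J_A = 34579      # A's redundant identity J_A = f(I_A); f itself is not modelled here


def gq_setup(p, q, v):
    """(1.1)-(1.2) n = pq, phi = (p-1)(q-1), and T's private exponent s = v^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    if v < 3 or gcd(v, phi) != 1:
        raise ValueError("v must be >= 3 and coprime to phi(n)")
    return n, phi, pow(v, -1, phi)


def gq_accredit(n, s, j):
    """(2.2) s_A = J_A^-s mod n, computed by T (only T knows s)."""
    return pow(j, -s, n)


def gq_witness(n, v, r):
    """(3.1) x = r^v mod n."""
    return pow(r, v, n)


def gq_response(n, s_a, r, e):
    """(3.4) y = r * s_A^e mod n."""
    return r * pow(s_a, e, n) % n


def gq_verify(n, v, j, x, e, y):
    """(3.5) z = J_A^e * y^v mod n; accept iff z == x and z != 0 (z != 0 rejects r = 0)."""
    z = pow(j, e, n) * pow(y, v, n) % n
    return z == x and z != 0


def gq_round(n, v, j, s_a, rng=secrets):
    """One honest execution with random commitment and challenge; t rounds = t calls."""
    r = rng.randbelow(n - 1) + 1
    x = gq_witness(n, v, r)
    e = rng.randbelow(v) + 1          # B's challenge, 1 <= e <= v
    return gq_verify(n, v, j, x, e, gq_response(n, s_a, r, e))


def gq_guess_attempt(n, v, j, e, guess, rng=secrets):
    """Forgery comment (1): without s_A, pick y first and form x = J_A^guess * y^v mod n.
    The verifier's check then passes iff the real challenge e equals the guess, i.e. with
    probability 1/v per execution, which is why the bitlength of v sets the security level."""
    y = rng.randbelow(n - 1) + 1
    x = pow(j, guess, n) * pow(y, v, n) % n
    return gq_verify(n, v, j, x, e, y)


def example_2_trace(r=65446, e=38980):
    """Replays Example 2 and returns (n, phi, s, s_A, x, y, accepted)."""
    n, phi, s = gq_setup(P, Q, V)
    s_a = gq_accredit(n, s, J_A)
    x = gq_witness(n, V, r)
    y = gq_response(n, s_a, r, e)
    return n, phi, s, s_a, x, y, gq_verify(n, V, J_A, x, e, y)


if __name__ == "__main__":
    n, phi, s, s_a, x, y, accepted = example_2_trace()
    print("n =", n, "phi =", phi, "s =", s, "s_A =", s_a)
    print("x =", x, "y =", y, "accepted:", accepted)
    print("guess == e:", gq_guess_attempt(n, V, J_A, 38980, 38980),
          " guess != e:", gq_guess_attempt(n, V, J_A, 38980, 38981))
```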

4 GQ Identification Protocol (Continued)

Comment.

(1) Probability of forgery. In Protocol 3, v determines the security level (cf. Fiat-Shamir where v = 2 but there are many rounds); some values such as v = 2^16 + 1 may offer computational advantages. A fraudulent claimant can defeat the protocol with a 1 in v chance by guessing e correctly a priori (and then forming x = J_A^e · y^v as the verifier would). The recommended bitlength of v thus depends on the environment under which attacks could be mounted.

(2) Security assumption required. Extracting v-th roots modulo the composite integer n (i.e., solving the RSA problem) appears necessary to defeat the protocol; this is no harder than factoring n, and appears computationally intractable without knowing the factors of n.

4 GQ Identification Protocol (Continued)

(3) Soundness. In practice, GQ with t = 1 and a k-bit prime v is often suggested. For generalized parameters (n, v, t), the probability of forgery is v^(-t). If v is constant, then technically for soundness, t must grow asymptotically faster than log log n.

(4) Zero-knowledge property. In opposition to the soundness requirement, for GQ to be zero-knowledge apparently requires tv = O((log n)^c) for constant c, imposing an upper bound on t asymptotically: for v constant, t must be no larger than polynomial in log n.

(5) The purpose of the redundancy function f is to preclude an adversary computing false accreditation data corresponding to a plausible identity.

5 Schnorr Identification Protocol

The security of the Schnorr identification protocol is based on the intractability of the discrete logarithm problem. The design allows pre-computation, reducing the real-time computation for the claimant; it is thus particularly suitable for claimants of limited computational ability. A further important computational efficiency results from the use of a subgroup of order q of the multiplicative group of integers modulo p, where q | (p-1); this also reduces the required number of transmitted bits. The basic idea is that A proves knowledge of a secret a (without revealing it) in a time-variant manner (depending on a challenge e), identifying A through the association of a with the public key v via A's authenticated certificate.

5 Schnorr Identification Protocol (Continued)

Protocol 4: Schnorr identification protocol

SUMMARY: A proves its identity to B in a 3-pass protocol.

(1) Selection of system parameters.

(1.1) A suitable prime p is selected such that p-1 is divisible by another prime q. (Discrete logarithms modulo p must be computationally infeasible.)

(1.2) An element β is chosen, 1 ≤ β ≤ p-1, having multiplicative order q.

(1.3) Each party obtains an authentic copy of the system parameters (p, q, β) and the verification function (public key) of the trusted party T, allowing verification of T's signatures S_T(m) on messages m. (S_T involves a suitable known hash function prior to signing, and may be any signature mechanism.)

5 Schnorr Identification Protocol (Continued)

(1.4) A parameter t (e.g., t ≥ 40), 2^t < q, is chosen (defining a security level 2^t).

(2) Selection of per-user parameters.

(2.1) Each claimant A is given a unique identity I_A.

(2.2) A chooses a private key a, 0 ≤ a ≤ q-1, and computes v = β^(-a) (mod p).

(2.3) A identifies itself by conventional means (e.g., passport) to T, transfers v to T with integrity, and obtains a certificate cert_A = (I_A, v, S_T(I_A, v)) from T binding I_A with v.

5 Schnorr Identification Protocol (Continued)

(3) Protocol actions. A identifies itself to verifier B as follows.

(3.1) A chooses a random r (the commitment), 1 ≤ r ≤ q-1, computes (the witness) x = β^r (mod p), and sends (cert_A, x) to B.

(3.2) B authenticates A's public key v by verifying T's signature on cert_A, then sends to A a (never previously used) random e (the challenge), 1 ≤ e ≤ 2^t.

(3.3) A checks 1 ≤ e ≤ 2^t and sends B (the response) y = ae + r (mod q).

(3.4) B computes z = β^y · v^e (mod p), and accepts A's identity provided z = x.

5 Schnorr Identification Protocol (Continued)

A → B: cert_A, x = β^r (mod p)
A ← B: e, where 1 ≤ e ≤ 2^t < q
A → B: y = ae + r (mod q)

B: If z = β^y · v^e ≡ x (mod p), then B accepts the proof; otherwise, B rejects the proof.

5 Schnorr Identification Protocol (Continued)

Example 3 (with artificially small parameters)

(1) (1.1) The prime p = 48731 is selected, where p-1 is divisible by the prime q = 443.

(1.2) A generator modulo 48731 is 6; β is computed as 6^((p-1)/q) (mod p) = 11444.

(1.3) The system parameters are (48731, 443, 11444).

(1.4) The parameter t = 8 is chosen.

(2) (2.1) A chooses a private key a = 357 and computes v = β^(-a) (mod p) = 7355.

(3) (3.1) A chooses r = 274 and sends x = β^r (mod p) = 37123 to B.

(3.2) B sends to A the random challenge e = 129.

(3.3) A sends B the number y = ae + r (mod q) = 255.

(3.4) B computes z = β^y · v^e (mod p) = 37123 and accepts A's identity since z = x.
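Added Python code (example code, not from the lecture) implementing Protocol 4 with the parameters of Example 3. The witness exponentiation is separated into its own step so that the prover's only on-line work is the multiply-and-add y = ae + r (mod q), and the verifier-side challenge range check of step (3.3) is included.

```python
import secrets

# Parameters of the lecture's Example 3 (artificially small): p = 48731, prime q = 443 divides
# p-1, generator alpha = 6 of the multiplicative group mod p, security parameter t = 8.
P, Q, ALPHA, T = 48731, 443, 6, 8


def schnorr_params(p, q, alpha):
    """(1.1)-(1.2) beta = alpha^((p-1)/q) mod p; with q prime and beta != 1 it has order q."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    beta = pow(alpha, (p - 1) // q, p)
    if beta == 1 or pow(beta, q, p) != 1:
        raise ValueError("alpha does not yield an element of order q")
    return beta


def schnorr_keygen(p, beta, a):
    """(2.2) Public key v = beta^-a mod p for the private key a, 0 <= a <= q-1."""
    return pow(beta, -a, p)


def schnorr_precompute(p, q, beta, rng=secrets):
    """(3.1) Commitment r and witness x = beta^r mod p. Comment (5): this exponentiation can
    be done off-line, before any verifier is contacted."""
    r = rng.randbelow(q - 1) + 1
    return r, pow(beta, r, p)


def schnorr_challenge(t, rng=secrets):
    """(3.2) Fresh random challenge e, 1 <= e <= 2^t (B must never reuse one)."""
    return rng.randbelow(2 ** t) + 1


def schnorr_response(q, t, a, r, e):
    """(3.3) A checks the challenge range, then does its only on-line work: y = a*e + r mod q."""
    if not 1 <= e <= 2 ** t:
        raise ValueError("challenge out of range")
    return (a * e + r) % q


def schnorr_verify(p, beta, v, x, e, y):
    """(3.4) z = beta^y * v^e mod p must equal the witness x."""
    return pow(beta, y, p) * pow(v, e, p) % p == x


def example_3_trace(a=357, r=274, e=129):
    """Replays Example 3 and returns (beta, v, x, y, accepted)."""
    beta = schnorr_params(P, Q, ALPHA)
    v = schnorr_keygen(P, beta, a)
    x = pow(beta, r, P)
    y = schnorr_response(Q, T, a, r, e)
    return beta, v, x, y, schnorr_verify(P, beta, v, x, e, y)


if __name__ == "__main__":
    beta, v, x, y, accepted = example_3_trace()
    print("beta =", beta, "v =", v, "x =", x, "y =", y, "accepted:", accepted)
    # A full random run: off-line witness, on-line response, verifier check.
    r, x = schnorr_precompute(P, Q, beta)
    e = schnorr_challenge(T)
    print("random run accepted:", schnorr_verify(P, beta, v, x, e, schnorr_response(Q, T, 357, r, e)))
```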

5 Schnorr Identification Protocol (Continued)

Comment.

(1) Probability of forgery. In Protocol 4, t must be sufficiently large to make the probability 2^(-t) of correctly guessing the challenge e negligible; larger q may be necessary to preclude time-memory trade-offs, and q ≥ 2^160 is recommended to preclude other off-line discrete log attacks.

(2) Soundness. It can be shown that the protocol is a proof of knowledge of a, i.e., any party completing the protocol as A must be capable of computing a. Informally, the protocol reveals no useful information about a because x is a random number, and y is perturbed by the random number r.

5 Schnorr Identification Protocol (Continued)

(3) Zero-knowledge property. The protocol is not zero-knowledge for large e, because through interaction, B obtains the solution (x, y, e) to the equation x = β^y · v^e (mod p), which B itself might not be able to compute (e.g., if e were chosen to depend on x).

(4) Reducing transmission bandwidth. The number of bits transmitted in the protocol can be reduced by replacing x in the message by t pre-specified bits of x (e.g., the least significant t bits), and having B compare this to the t corresponding bits of z.

(5) Off-line computations. Schnorr identification has the advantage of requiring only a single on-line modular multiplication by the claimant, provided exponentiation may be done as a precomputation.


Thank You!