Original article by Phan Duong Hieu.
…
From the relatively abstract principles ZKP, we will consider a specific proof and from there explicitly build an digital signature scheme. All we need is a finite set with multiplication so that from a element we can calculate all the other elements. To be more specific, we are working on a finite set , it is generated by an element and therefore the set will have the form . Then is called the degree of and is called a cyclic group. To ensure the security of cryptosystems, we must work with groups of very high degree ( is about ).
Then the following problem is considered very difficult to solve for current computers: Let and be a random element in , the requirement is to find that satisfies . If we try from to , we will find the answer, but this test will take billions of years (when is as large as ).
Image by Christopher Lee
I can easily generate an element by randomly choosing a secret and calculating . Then if is made public, only I will know , and you will not know because finding is solving the discrete logarithm problem. How can I prove to you that I know the secret that corresponds to ? The simplest way is for me to give to you to check whether is equal to or not. This method completely convinces you that I know the secret, but the price to pay is that I lose secret. I don’t want you to know but you’re still convinced by me that I know . Proving that I know but after proving that you still do not know anything about , that is a ZKP.
Proving knowledge of without revealing is quite simple. The prover (called ) gives and claims to know such that . The goal is that the verifier (called ), holding , needs to be convinced that knows but himself will still not know anything about after being convinced. The proof process is as follows:
- Step 1: generates a random number between and and then gives the element .
- Step 2: chooses a random number between and and gives it to .
- Step 3: gives the number as the remainder when dividing by .
- Step 4: checks and is convinced that knows if and only if .
The main idea in the proof is to require to give a representation of follows and , with the exponent of in that representation being chosen by . That is, needs to find so that . We see, if we know then already knows the representation of follows and therefore the representation of follows and can only be reduced to the representation of follows .
’s task then is extremely simple and just needs to calculate as the remainder when dividing by . Without knowing , “seems” to be independent compare to and ‘s task would be impossible. More specifically, below we will explain why needs to know the secret to answer a random question of and why is convinced that knows but still knows nothing about :
- must know to answer a random choice of . First of all, we see that, with the same value in step 1, only needs to give two answers for two different challenges of in step 2 means that must know (because then and the value is easily calculated). Therefore, the fact that with a random choice of of that gives the correct answer completely convinces that must know the answer on many different values of , and therefore must be known.
- Why doesn’t know anything about after the dialogue? The interesting point is that only needs to give an answer to a choice of . In response to a test value , receives no information about . The reason is that after dialogue with , all has is the set that satisfies the equation .
However, without having to converse with , can simulate that much information by choosing at random and then calculating . The distribution of the values is then exactly the same as if received through exchange with or not doesn’t provide any additional information for so doesn’t know anything more about the secret through dialogue with , even though is completely convinced that knows .
So we end up with a ZKP. From there we can build an digital signature scheme.
The purpose of an digital signature scheme is how we can sign a document - represented as a numeric value - so that no one can fake our signature, but everyone can check it. That signature is mine. The problem seems a bit similar to a ZKP but the basic difference is that digital signatures do not go through interactive Q&A, while ZKP necessarily goes through interaction.
Looking back at the ZKP above, the key point is that only knows after having chosen . This is easily achieved interactively, since only gives to after receiving . If can choose after knowing then can easily create a proof without knowing by choosing at random and then taking . Therefore, in a non-interactive context, the key is to ensure that is chosen before . The natural idea is that the value should be calculated as a function of . This can be achieved in the signature by forcing , with the function being a stochastic function, i.e. whatever the input the output is an unpredictable random value and from a corresponding input (in reality the function is hash functions like SHA3, MD5…). The fact that the value depends on also ensures that the proof is generated on the document but not some other document.
Taking the original interaction proof above and replacing the dialogue between and with the work of the signer, we have the following digital signature scheme, proposed by Schnorr:
- Step 1: The signer chooses the private key and publishes the public key . The purpose is to send a document and need to sign on it. The signer generates a random number between 1 and and then calculates .
- Step 2: The signer calculates .
- Step 3: The signer calculates as the remainder when dividing by and places the signature on document as .
- Step 4: On the document and the signature , the checker calculates and checks whether is equal to or not. If equal, accept the signature on document , otherwise reject.
If the function is sufficiently random, we cannot choose before because giving the value of the function first and then finding satisfies is as difficult as “find a needle in a haystack”. Furthermore, the fact that the value of depends on ensures that it is the signature on document and not on some other document.
In cryptography, the Schnorr digital signature we considered above is the basis for many digital signature standards used in practice (including the digital signature standard DSA - Digital signature algorithm).
Going from the vague (proving interaction without revealing knowledge - ZKP) to then applying it to do something specific (digital signature) is really interesting! What is too obvious may only have finite value, what is mysterious may have unlimited potential value.