Zero Knowledge Proofs
Sam Goto
This is an interactive explanation of the protocol described here.
Alice wants to prove that it knows x = such that g ^ x mod p = y without revealing to Bob the value of x, having agreed ahead of time on a large prime number p = , a primitive root g = and an integer y = .
The way they accomplish that is by:
Alicegenerates a random numberr= and commits to it by computingC=g ^ r mod p=^mod==Cand sending it toBob.Bobasks forw=(x + r) mod (p - 1)with the samerthat was committed toCAlicecomputesw=(x + r) mod (p - 1)= (+) mod (- 1)==wand sends it toBob.Bobknows that:a ^ x * a ^ y = a ^ (x + y)(arithmetic),a ^ x mod p = a ^ (x mod (p - 1)) mod p(fermat's little theorem)y = g ^ x mod p(definition)
- So
y * C mod p=g ^ x * g ^ r mod p=g ^ (x + r) mod p=g ^ ((x + r) mod (p - 1))=g ^ w mod p. Bobcomputesy * C mod p=*mod=andg ^ w mod p=^mod=- And if these numbers match,
Bobknows thatAliceknowsxunlessAlicewasn't cheating.
Bobis suspicious that if Alice picks a specificr=z= and responded withC=g ^ (z / y) mod p=^ (/) mod==Candw=z==w, then- Then
Bobwould compute=y * C mod p=y * g ^ (z / y) mod p=g ^ z mod p=withoutAliceknowing whatxis.
Bobalso knows that:- To prove that
Alicechose a randomr, Bob would have to ask for it, so that it can check ifg ^ r mod p=Cmatches what he got. - But, if
Bobasks for both(x + r) mod (p - 1)andr, then that reveals toBobwhatxis.
- To prove that
- So,
BobasksAlicerepeatedly until it is confident thatAliceisn't cheating- Commit and send me a
Cand - I'll ask you one of the following requests after you commit to a
C:- Send me
r(without revealing mex) so that I can check if you didn't cheat at constructingC=g ^ (z / y) mod pbut rather usedg ^ r mod p=Cthat I got. - Send me
w(without revealing mer), so that I can check ify * C mod p=g ^ w mod pwith theCthat I got.
- Send me
- Commit and send me a
- Every time
Bobrepeats this process, he gets exponentially confident thatAlice(a) isn't cheating and (b) knows the value ofx.