The Magic of Schnorr and Fiat-Shamir … Meet NI-ZKPs

With Zero-Knowledge Proofs (ZKPs), I can prove I have knowledge of my data, without revealing it. This might related to my password, my…
Photo by the blowup on Unsplash

The Magic of Schnorr and Fiat-Shamir … Meet NI-ZKPs

With Zero-Knowledge Proofs (ZKPs), I can prove I have knowledge of my data, without revealing it. This might relate to my password, my face biometrics, or even any digital data that I want to keep secret. So, let’s take an example of doing with the Schnorr methods and which implement a Fiat-Shamir approach. Our approach will be for Bob to register a secret (such as a password), and then create his own proof whenever required (such as logging into a system). Alice will then prove that he knows the secret, without Bob ever revealing it to her. As Bob generates his own proof, we define this as a Non-Interactive ZKP (NI-ZKP).

For the demo, I will use the Kryptology library for this and prove the knowledge of a text string. The demo is here:

https://asecuritysite.com/kryptology/ecc_zkp?b0=Testing%20123&a0=K256

Registering the secret

If we have a secret X, Bob first takes a hash of this:

X=Hash(x)

Bob then computes a statement (Y) of:

Y=X.G

and where G is the base point on the curve. This statement value can be registered with Alice, and Bob can now prove it with (C,S).

Creating the proof

To create a proof, Bob generates a random value (k) and generates a random point:

R=k.G

Next Bob generates a value of C by taking a hash of the following byte values:

C=H(X||G||Y||R)

S=k+x.G

Bob now passes the statement (Y), C and S to Alice as a proof of the knowledge of x.

Verifying

First Alice computes:

G_S=S.G

and next:

X_C=Y×(−C)

and then recovers R from:

R=G_S+X_C

Alice now can compute:

C′=H(X||G||Y||R)

and which check this against the C. If they are the same, the proof has been verified. This works because:

R=G_S+X_C=S.G+Y×(−C)=(k+x.C).Gk.G.C=k.G

Coding

The outline code is [here]:

For the P256 curve and a message of “Test 123” we get [here]:

Message to prove: Test 123
Curve: P-256
Proof Statement: 038e1abb750975191287dcf7df8d9026cf78ea49763c50d395fe57bc168d973df9
Proof C: cecc95d5efaabeb9f10d924f14696551ba2d53b10c39764cc2bcdc777f903869
Proof S: 5bb571b6e55242b4a5110d164d8785c3677be6b48c2006c50c8317a367acbb8b
ZKP has been proven

Note that the Proof statement is an elliptic curve point in a compressed format. We with we compress the point, by only storing the x-axis value, and whether the y-axis point is odd or even. A compressed point that starts with a “03” is an odd value or “02” for an even value. For a compressed point, we do not need to store the y-axis point, as we can derive this from the x-axis point. A “04” identifies an uncompressed point for sepc256k1 and P256. The values of C and S are scalar values.

Conclusions

So, just to recap. Bob has a secret (x) and registers a statement (Y). Whenever required, Bob then creates his own proof for it and sends C and S to Alice. Alice uses Y, C and S, and proves that Bob still knows x. Magic!