# ZKP of password

* We want Peggy to generate a ZK proof of knowledge of password and publish this proof. 
* Victor issues a challenge tied to the ZKP of password to Peggy.
* Peggy now proves that she still knows the committed password.

Many ways exist to solve the above, but one commonly used method is the "non-interactive random oracle access" for ZKP defined as the Fiat-Shamir heuristic. The process relies on the discrete log problem that is easy for Peggy to prove, but computationally non efficient for Eve to prove, and efficient for Victor to verify. The method is as follows (all operations are done in mod p):

1. Victor and Peggy agree on a generator $g$ and a prime number $p$.
2. Peggy picks a password and uses a cryptographic hashing algorithm $H()$ to generate a digest of her password.
3. Peggy does: $x=\texttt{int(H(password))}$
4. Peggy sends: $y = g^x \mod p$
5. When Peggy wants to log on, she generates a random value $v \leftarrow \texttt{rand()}$ and computes $t = g^v \mod p$
6. Victor sends Peggy a challenge $c \leftarrow \texttt{rand()}$ 
7. Peggy computes $r = v - c \times t \mod p$ and sends $r$ to Victor
8. Victor computes $g^ry^c \mod p$ and checks if it equals $t$.

This works because:

* Peggy cannot generate $(y,t,r)$ without knowing $(x,v,c)$
* Victor sends a public challenge $c$
* Eve cannot generate $(y,r)$ as she does not know $x$ and cannot solve discrete log efficiently
* Since $g^r y^c = g^{v-cx}(g^{x})^c = g^v = t$, assuming $\mod p$, Victor can verify that Peggy indeed knows $x$

In [1]:
from Crypto.Util import number
from Crypto.Hash import SHA256

In [2]:
g, p = 3, pow(2,19)-1
password = "Thisisabadpassword"
x = SHA256.new(bytes(password, 'utf-8'))
x = int(x.hexdigest(), 16)
y = pow(g, x, p) # Peggy sends this to Victor

# To authenticate, Peggy generates t = g ** v and sends this as auth request to Victor
v = number.getRandomNBitInteger(64)
t = pow(g, v, p)

# Victor generates c and sends c to Peggy, who returns r = v - c*x. 
c = number.getRandomNBitInteger(64) # Public
r = v - c * x # Peggy computes and makes public

# Victor computes
verify = (pow(g, r, p) * pow(y, c , p)) % p
verify == t

True

## DF ZKP of knowing secret $x$

Alice will prove she knows $x$, without revealing $x$.

* Alice and Bob agree on two bases for their calculations $(g,h)$ and a prime $(n)$
* Bob sends Alice a random number, $r$
* Alice generates her own random number, $r_1$

$
c_1 = g^x h^{r_1} \\
r_2 = r - xr_1 \\
c_2 = c_1^x h^{r_2} \mod n \\
$

Alice sends Bob $c_2$. Bob tests if $c_2 == g ^{x^2} h^r \mod n$. The above works because:

* If Alice does not have a specific number in mind, she cannot generate both $g^x$ and $xr_1$.
* Alice hides $x$ with $r_1$.
* For Bob to find $g^x$ he must solve discrete log prob.
* Note that $c_1^x h^{r_2} \mod n = (g^x h^{r_1})^x h^{r - xr_1} \mod n$ 
* Which gives $g^{x^2} h^{xr_1} \cdot h^{r - xr_1} \mod n = g^{x^2}h^r \mod n$

In [5]:
import libnum
import random

In [6]:
def c2(c_1, x, h, r_2, n):
    if r_2 > 0:
        return pow(c_1, x, n) * libnum.invmod(pow(h, -r_2, n), n) % n
    else:
        return pow(c_1, x, n) * pow(h, r_2, n) % n

In [7]:
# We first agree on generators and modulus
g,h,n = 3,5,pow(2,19)-1

In [8]:
# Alice picks a number x, gets a random r from Bob, generates her own random r_1
x = 2
r = random.getrandbits(16)
r_1 = random.getrandbits(16)

# Alice computes c_1 and c_2
c_1 = pow(g, x, n) * pow(h, r_1, n) % n
r_2 = (r - x * r_1)
c_2 = c2(c_1, x, h, r_2, n)

#Alice sends c_2 and g^(x^2)h^r to Bob, who compares
c_2 == pow(g, x * x, n) * pow(h, r, n) % n # true IFF Alice had a number in mind.

True