I am reading the Real-World Cryptography book and in the chapter on signatures it says:

The best way to understand how signatures work in cryptography is to understand where they come from. For this reason, let’s take a moment to briefly introduce ZKPs and then I’ll get back to signatures.

I find this hard to believe. Did digital signatures actually come from Zero Knowledge Proofs? I thought ZKP were a more recent advancement in Cryptography while digital signatures are older. If that is the case, how could signatures have originated from ZKPs?

Finlay Weber

1 Answer

Did digital signatures actually come from Zero Knowledge Proofs?

You are correct; the original proposals for digital signatures were not based on zero knowledge proofs.

The idea of digital signatures was first presented in New Directions in Cryptography, which proposed using a trapdoor permutation to generate signatures (however, they did not give an example of such a permutation).

The first actual signature algorithm proposed was RSA; that is in fact based on a trapdoor permutation (and not a zero knowledge proof).

Now, a number of signature algorithms are, indeed, based on a noninteractive zero knowledge proof, however that's not how it got started (nor is it universal among signature algorithms, even skipping the example of RSA).

poncho
  • 3
    I wonder about “The first actual signature algorithm proposed was RSA”. Michael O. Rabin proposed “Digitalized Signatures” or is it “Digital Signatures Using Conventional Encryption Algorithms” (not based on integer factorization) in a 3 day workshop held Oct. 1977. Proceedings are “Foundations of Secure Computation”, by Richard A. DeMillo, David P. Dobkin, Anita K. Jones, Richard J. Lipton, Academic Press 1978, ISBN 0-12-210350-5/978-0-12-210350-6. The paper is on pages 155-168. Unfortunately the only version I found floating around stops at p.153. I ordered a paper copy, will arrive in July. – fgrieu Jun 06 '22 at 15:40
  • 3
    @fgrieu: that's news to me - I'm wondering if it was some sort of hash-based signature scheme (typically viewed as being invented by Lamport and made more practical by Merkle). Or, it is something else that has since been broken (and hence forgotten) – poncho Jun 06 '22 at 16:25
  • 3
    I wonder in the same direction. The mysterious paper I refer to is cited by Michael O. Rabin as "Digitalized signature" in his MIT-LCS-TR-212, and in the T.O.C. of Foundations of Secure Computation (January 1978). But there are many other references as “Digital Signatures Using Conventional Encryption Algorithms” October 1977, including on page 153 of “Foundations of Secure Computation”. Anyway, you are right: RSA would still be first, since that's April 1977. Pretty close call. – fgrieu Jun 06 '22 at 17:17
  • RSA is an example of a ZKP algorithm. One can use RSA to provide an interactive ZKP that one knows the factors of a particular number (without revealing anything about the factorization) by decrypting chosen ciphertext encyphered with it. All public-key encryption algorithms are examples of ZKP algorithms. – David Schwartz Jun 07 '22 at 00:18
  • 1
    @DavidSchwartz: volunteering to decrypt chosen ciphertexts is scarcely zero knowledge. More fundamentally, just because something can be used to implement a zero knowledge proof does not mean that something else that thing is used for (signatures in this case) is based on zero knowledge. – poncho Jun 07 '22 at 01:49
  • @poncho It is zero knowledge because it provides no information about the thing you are proving that you know. And you can, for example, require the plaintext in a particular round to start with some particular randomly-chosen prefix (or you refuse to disclose it). So it really is zero knowledge. More broadly, my point is that fundamentally every public key algorithm is also a zero knowledge proof system so it's impossible for ZKP systems to have come after public key systems. – David Schwartz Jun 07 '22 at 16:59
  • @DavidSchwartz I think the point is that RSA was created before the concept of ZKP was conceived (the earliest reference I can find on ZKP is from 1985, much later than RSA). If that is true, RSA couldn't have been based on ZKP even though RSA can be used to create a ZKP system. The concept of Zero-Knowledge in itself probably came before that, but I don't believe one can equate the idea of ZK to ZKP systems. – JensV Jun 07 '22 at 18:01
  • @JensV Do you agree that every public key system is a zero knowledge proof system because you can always prove that you possess the corresponding private key from the public key without revealing any of the private key? And do you agree that not every ZKP system can produce a public key system? (For example, the classic interactive ZK proof system that lets you prove you can tell red apples from green apples without revealing them can't produce a public key system but it is a ZKP system.) This necessarily means that public key systems are a subset of ZKP systems. – David Schwartz Jun 07 '22 at 19:23
  • @DavidSchwartz I agree with the second question, I would rephrase the first question to "can every public/private key system be used to construct a ZKP system" but that's more of a philosophical point. The answer to that appears to be true, but I'm not convinced enough to give a definite answer. Even if both are true, I would still argue that public key crypto overlaps with ZKP instead of saying it's a subset. (1/2) – JensV Jun 07 '22 at 19:35
  • @DavidSchwartz In any case, I don't disagree with a lot you're saying, but my interpretation of the original question is that it's more of a historical question (which came first), where the assertion that public key crypto is a subset of ZKP doesn't conflict with that public key crypto came before the concept/formalization of ZKP – JensV Jun 07 '22 at 19:37
  • 1
    @poncho : received and scanned Michael O. Rabin's Oct. 1977 Digitalized Signatures. I'm still scratching my head about if it's a signature. – fgrieu Jun 29 '22 at 17:17
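
The distinction drawn in the answer above, as an added example that is not part of the original posts or of the book: a signature made by inverting a trapdoor permutation (hash-then-sign RSA) beside one made from a non-interactive proof of knowledge (a Guillou-Quisquater-style identification protocol whose verifier challenge is replaced by a hash). The toy modulus, the exponent and every function name are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Constructed toy key: two Mersenne primes, far too small and structured for real use.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q
E = 2**61 - 1                      # prime public exponent, coprime to phi(N)
D = pow(E, -1, (P - 1) * (Q - 1))  # the trapdoor: needs the factors P and Q

def h(mod, *parts):
    """Hash the parts to an integer below `mod`."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % mod

# 1) Trapdoor-permutation signature: invert x -> x^E mod N on the message hash.
def rsa_sign(msg):
    return pow(h(N, msg), D, N)

def rsa_verify(msg, sig):
    # Anyone can run the permutation forward and compare with the hash.
    return pow(sig, E, N) == h(N, msg)

# 2) Signature from a non-interactive proof of knowledge (GQ style).
#    Secret: b. Public: j = b^E mod N. The signer shows it knows an E-th
#    root of j without revealing it; no factorization of N is used.
def gq_keygen():
    b = secrets.randbelow(N - 2) + 2
    return b, pow(b, E, N)

def gq_sign(msg, b):
    r = secrets.randbelow(N - 2) + 2   # fresh randomness for the commitment
    t = pow(r, E, N)                   # commitment
    c = h(E, t, msg)                   # challenge derived by hashing (Fiat-Shamir)
    s = (r * pow(b, c, N)) % N         # response
    return c, s

def gq_verify(msg, j, sig):
    c, s = sig
    # s^E = t * j^c, so the commitment can be recomputed from public values.
    t = (pow(s, E, N) * pow(j, -c, N)) % N
    return c == h(E, t, msg)
```

The RSA signature is deterministic and can only be produced with `D`, while the GQ signer needs just the root `b` and produces a different signature each time because of the fresh commitment.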