
EDIT: At a high level I am trying to create a scheme where Alice can prove to Bob that some external site has a certain piece of data (say her bank account has balance > X). She does not want to give Bob access to her account, but wants to prove that her bank website returns a certain result without showing it... basically I'm trying to build a system to authenticate and verify data from arbitrary HTTPS servers to someone that should not be granted access to the actual account or contents. I've come up with the following scheme:

$Alice$ requests some data over HTTPS from Google ($G$), she encrypts her cipher parameters $s$ using $G$'s public key $P_g$ and sends $P_g(s)$ to $G$. $G$ encrypts the returned data $d$ with the cipher $C$, using parameters $s$ returning $C(d,s)$ to $Alice$. Let's assume $d$ is just some number $x$.

$Alice$ then sends $Bob$ her cipher parameters encrypted with Google's public key, $P_g(s)$, and $C(d,s)$. Now $Bob$ can send $P_g(s)$ to $G$ and confirm that $G$ indeed returns $C(d,s)$. This can be done without $Bob$ knowing $s$.

Now $Alice$ would like to provide a proof to $Bob$ that $d=x$. For demonstration's sake, let's assume that $C$ is RC4.

It seems like this could be done with zero knowledge proofs? Basically RC4 is a function being applied to a value and $Alice$ knows the exact structure of the function.

Can someone guide me towards how I would implement it for the above algorithms (RC4)?

user491880
    Consider writing a simpler question that states your objective without being prescriptive about a particular approach. You may find that there is a much easier way to achieve your objective without adhering to your partially proposed solution. – knaccc Sep 09 '22 at 17:52
  • I edited the question to be clearer about my end goals – user491880 Sep 10 '22 at 00:12
  • So you want to be able to prove to Bob that Alice is able to generate $f(x)$ where $f$ is a function provided by some server, and $x$ is some input Alice has provided? In other words you want to prove $f(x)$ was generated using an $x$ that Alice and Bob know, without revealing $f$ to Bob? Would this accurately describe your question? – James Sep 10 '22 at 03:17
  • Basically yes. Let's say x is Alice's bank balance. Alice is fine with Bob requesting the encrypted contents of her bank account from her bank website -- so she sends Bob TLS parameters encrypted by the bank's public key. Now that Bob has the cipher text sent by the bank, how can Alice prove the cipher text contains the number x? – user491880 Sep 10 '22 at 04:47
  • In an ideal world, the bank would just provide a signed message that says "Alice's bank balance is n dollars at timestamp t", and Alice could just share that signed message with other people. But, if the bank does not provide that functionality, I think you're asking whether you can use the traffic that occurred during your HTTPS session with the bank's web site to prove that the bank advised you of a certain balance? – knaccc Sep 10 '22 at 05:19
  • That's exactly right... since Bob can send $P_g(s)$ to $G$ he can get the same cipher text Alice has. Alice can provide a zero knowledge proof to Bob regarding the cipher text without revealing the full contents of the cipher text. This schema would authenticate Alice's balance. – user491880 Sep 10 '22 at 12:18
  • You can't prove the server sent you something, because there is no mechanism to prevent the client from producing ciphertext that looks like it was encrypted using the server's TLS transmit key. – knaccc Sep 10 '22 at 12:58
  • This is why Alice sends $P_g(s)$ to Bob. Bob doesn't have to trust that Alice received it from the server, he can request it himself. Let's say the URL is "https://bank.com/account/alice" ... Bob already knows the account belongs to Alice from the URL. Alice wants to hide the contents from Bob. Bob wants to authenticate that Alice's content came from the server and contains a certain value. Does that make sense? – user491880 Sep 10 '22 at 13:45
  • I am finding it very hard to follow. Are you saying that Bob will partially impersonate Alice somehow in order to talk to "bank.com/account/alice", at which point Bob will receive back encrypted data that Bob can't decrypt himself. Then Bob, with Alice's help, can then verify that the encrypted data Bob received from the bank will partially decrypt in certain places to values that Alice needs Bob to see? What method are you using to enable Bob to initiate a TLS connection to the bank that allows him to retrieve information in encrypted form that normally only Alice can retrieve? – knaccc Sep 10 '22 at 14:59
  • That is exactly right! ... In essence Bob acts as a VPN for Alice, but when the TLS handshake happens Alice sends Bob the cipher parameters encrypted with the bank's public key ($P_g(s)$). This enables Bob to initiate the TLS connection. For purposes of demonstration we assume there is no authentication on the bank site, but you can imagine Alice sending Bob back ciphered auth data as well (as one would with a VPN). – user491880 Sep 10 '22 at 15:58
  • What I'm looking for is something like https://github.com/Sobuno/ZKBoo for HTTPS encryption (AES, RC4 etc.) – user491880 Sep 10 '22 at 16:27
  • I think there is still a vulnerability there, because if Alice can do a man-in-the-middle attack between Bob and the server, Alice can alter the ciphertext to say whatever she wants it to. If it's acceptable to ignore that threat vector, perhaps someone else reading this thread may have some useful suggestions. – knaccc Sep 10 '22 at 17:13
  • I don't think that is correct ... Bob is the man in the middle ... he sees the encrypted traffic going to Alice and Alice's encrypted cipher parameters. He only sees cipher text. – user491880 Sep 10 '22 at 17:41
  • I know that Alice is intentionally sending her traffic through Bob. However, Bob can't know for sure that Alice isn't also able to additionally position herself between Bob and the server, e.g. by installing malware in any router between Bob and the server. That's the whole point of certificate authorities - to ensure that you really are talking to a server without anyone interfering. – knaccc Sep 10 '22 at 18:18
  • Yes, we can assume that threat vector is out of scope, but I do see what you mean. – user491880 Sep 12 '22 at 16:36
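As an added example (not part of the question or of any comment above), the Python below makes two things in the thread concrete: the exact relation a zero-knowledge proof of "$C(d,s)$ decrypts to $x$ under RC4" would have to cover (the witness is $s$, the public inputs are the claimed plaintext and the ciphertext), and knaccc's caveat that a stream-cipher ciphertext is malleable, so a proof over the ciphertext alone does not bind it to what the server sent unless Bob obtained that ciphertext from $G$ over a path Alice cannot tamper with. The RC4 implementation is the standard KSA/PRGA; the key and balance strings are constructed for illustration.

```python
# Added example: RC4 as the function whose structure Alice knows, the
# statement a ZK proof would have to cover, and why the ciphertext by itself
# is not evidence of what the server returned. Not code from the question.

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """C(d, s) in the question: plaintext XOR RC4 keystream (encrypt == decrypt)."""
    return bytes(a ^ k for a, k in zip(data, rc4_keystream(key, len(data))))


def relation_holds(s: bytes, x: bytes, c: bytes) -> bool:
    """The relation R(s; x, c) a ZK proof system (e.g. an MPC-in-the-head scheme
    like ZKBoo) would evaluate as a circuit: Alice knows s such that RC4(s) XOR x == c.
    Here it is evaluated in the clear to make the witness and public inputs explicit."""
    return rc4(s, x) == c


def forge_ciphertext(c: bytes, d_real: bytes, d_claimed: bytes) -> bytes:
    """Stream-cipher malleability (the caveat from the comments): anyone who knows
    the real plaintext under c can turn it into a valid ciphertext for any other
    plaintext of the same length, without ever learning s.  If Bob accepted a
    ciphertext that passed through Alice's hands, a correct ZK proof over it
    would verify for the forged value."""
    assert len(c) == len(d_real) == len(d_claimed)
    return bytes(ci ^ a ^ b for ci, a, b in zip(c, d_real, d_claimed))


def demo() -> dict:
    """Walk through the honest case and the malleability case; values are constructed."""
    s = b"constructed-session-key"        # Alice's cipher parameters (hypothetical)
    d_real = b"balance=0000100"           # what G actually returned (constructed)
    d_claimed = b"balance=9999999"        # what a dishonest Alice would like to claim
    c = rc4(s, d_real)                    # C(d, s) as Bob would fetch it from G himself
    c_forged = forge_ciphertext(c, d_real, d_claimed)
    return {
        "honest_proof_verifies": relation_holds(s, d_real, c),
        "wrong_value_rejected": relation_holds(s, d_claimed, c),
        "forged_ciphertext_verifies": relation_holds(s, d_claimed, c_forged),
        "forged_differs_from_real": c_forged != c,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The third result is the point of the last few comments: the relation is satisfied by the forged ciphertext just as well as by the real one, so the scheme's security rests entirely on Bob receiving $C(d,s)$ from $G$ directly (the step in the question where Bob sends $P_g(s)$ to $G$ himself) and on Alice not being able to interpose herself on that path.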

0 Answers