2

Is it possible to construct a zero knowledge proof that one encrypted number is larger (or not) than another encrypted number without releasing the values of either numbers?

e-sushi
  • 17,891
  • 12
  • 83
  • 229
B T
  • 194
  • 1
  • 8
  • Is the encryption public-key? If yes, does the prover know the private key or the randomness used for encryption? –  Sep 23 '14 at 00:25
  • use orderpreserving encryption ? – sashank Sep 23 '14 at 00:42
  • I don't care what encryption is used, as long as the values aren't knowable by any but the holder of the value. – B T Sep 23 '14 at 01:06
  • @BT : $:$ In that case, you need a statistically binding commitment to the key. $;;;;$ –  Sep 23 '14 at 01:20
  • Do you need to compare each number in a pair only once, or multiple times? – Henrick Hellström Sep 23 '14 at 02:03
  • I'm interested in all kinds of solutions. If you know one or know a piece to the puzzle, please write an answer! – B T Sep 23 '14 at 02:04
  • You need to specify if the person trying to prove this statement was, e.g., also the person that encrypted the values? Or what other additional information this person has, that might help her prove the statement.

    If, for example, the person trying to generate the proof only knows the ciphertexts, then generating such a proof would most likely break the encryption scheme.

     – Guut Boy Sep 23 '14 at 14:18
  • Similar to Yao's Millionaires' Problem, except here it's one party knowing both values instead of two parties wanting to compare their values. – CodesInChaos Sep 23 '14 at 15:42
  • @CodesInChaos can you please make that an answer instead of a comment. Yao's Millionaires' problem is actually exactly what i'm looking for. – B T Sep 23 '14 at 22:30

2 Answers2

4

Yes, it is possible. Actually, any statement in NP can be proven in zero knowledge. This means that if something can be proven by releasing some information, it is possible to prove the same without releasing any information, i.e. in zero knowledge.

abacabadabacaba
  • 436
  • 1
  • 3
  • 8
  • Very interesting. The article you link to looks like its for-pay only. What is an NP language? Is there somewhere I can read about them that is more understandable than the wikipedia page? – B T Sep 23 '14 at 04:30
  • @BT I replaced the link with a free one. I think the wikipedia article on NP is sufficiently understandable. – abacabadabacaba Sep 23 '14 at 04:39
  • Thanks for the answer, if you know, I'd be very curious to see an explanation of how this could be done specifically – B T Sep 23 '14 at 22:28
2

An efficient proof of "more or equal" statement about integers committed is possible starting from Lagrange 4-squares theorem as follows:

  1. use a group of a hidden order (that is, unknown to proving party), like RSA;
  2. find four integers such that sum of their squares is the difference of original numbers committed;
  3. commit that four numbers and send all commitments to verifying party;
  4. prove knowledge of two original numbers and 4 "witness" numbers with a Schnorr-like protocol.

Low probability (like inverse challenge space) of protocol soundness error in a single run is the major difference from general proof for any NP statement.

"Proving knowledge" above holds for a protocol of argument type, on condition that proving party cant find logarithm and cant find order of the group used.

Protocol above is a generalization into proving polynomial identities of degree larger that linear in challenge, doable with Schwartz-Zippel lemma.

Vadym Fedyukovych
  • 2,267
  • 13
  • 19