References Zero Knowledge Proofs on Wikipedia, Zero Knowledge - - PowerPoint PPT Presentation


Zero Knowledge Protocols

Jim Royer

Introduction to Cryptography

November 6, 2018


References

• Zero Knowledge Proofs on Wikipedia, https://en.wikipedia.org/wiki/Zero-knowledge_proof

• Zero Knowledge Proofs: An Illustrated Primer by M. Green.
  Part I: https://blog.cryptographyengineering.com/2014/11/27/zero-knowledge-proofs-illustrated-primer/
  Part II: https://blog.cryptographyengineering.com/2017/01/21/zero-knowledge-proofs-an-illustrated-primer-part-2/

• A Gentle Introduction to Zero-Knowledge Proofs with Applications to Cryptography by A. Mohr, http://www.austinmohr.com/work/files/zkp.pdf

Zero Knowledge Proofs, the Parties

Interactive Proof Systems
• Prover ≡ Pat: very smart, not to be trusted.
• Verifier ≡ Vanna: average smart, has a fair coin.

Pat’s Goals: Wants to prove to Vanna that he knows a solution to an instance of some yes/no problem. (He may be lying.) But he does not want to give the solution away.

Vanna’s Goals: If Pat is truthful, she wants to be convinced. If Pat is lying, she wants to catch him (with high probability).

Zero Knowledge Proofs, the Framework

Challenge–Response Protocol
• Start: Pat claims x is a yes-instance.
• Completeness: If x is a yes-instance, then Vanna will always accept Pat’s proof.
• Soundness: If x is a no-instance, then Prob[Vanna accepts] is small.
• Zero Knowledge: Not yet.

Example: The Cave of Ali Baba, Setup

The Cave. There is a cave that splits into two passages (A and B) that meet again on either side of a magic door that opens if you speak the magic word.

Pat and Vanna. Pat wants to convince Vanna that he knows the magic word. But Pat doesn’t want Vanna to learn the word (at least, not for free).

Example: The Cave of Ali Baba, Protocol

P and V agree to the following protocol (which is repeated n times):

1. Pat enters the cave, chooses A or B, and takes that passage to the magic door.
2. Vanna enters the cave, walks to the A/B split, and calls out a passage (A or B).
3. Pat exits the passage that Vanna called out (using the magic word if he needs to switch passages).
4. Vanna verifies that Pat exits the correct passage.

Example: The Cave of Ali Baba, Analysis

Completeness
• If Pat knows the magic word, he can always meet Vanna’s challenge.

Soundness
• Suppose Pat doesn’t know the magic word.
• To meet a challenge, Pat needs to guess Vanna’s choice.
• Suppose Vanna flips a fair coin to choose.
• Prob[Pat meets a challenge] = 1/2.
• Prob[Pat meets n challenges] = 1/2^n.

Recall: Zero Knowledge Proofs

• Pat (the prover): very smart, not trusted.
• Vanna (the verifier): average smart, has a fair coin.

Pat’s Goals: Wants to prove to Vanna that he knows a solution to an instance of some yes/no problem without giving away the secret. (He may be lying.)

Vanna’s Goals: If Pat is truthful, she wants to be convinced. If Pat is lying, she wants to catch him (with high probability).

Challenge–Response Protocol
• Start: Pat claims x is a yes-instance.
• Completeness: If x really is a yes-instance, then Vanna will accept Pat’s proof.
• Soundness: If x really is a no-instance, then Prob[Vanna accepts] is small.
• Zero Knowledge: Not yet.

Example: Graph Nonisomorphism

Problem: Graph Isomorphism
Given: G1 = (V1, E1) and G2 = (V2, E2) where V1 = V2 = { 1, . . . , n } for some n.
Question: ∃π : V1 → V2 (1-1, onto) ∋ { u, v } ∈ E1 ⟺ { π(u), π(v) } ∈ E2?

Problem: Graph Nonisomorphism
Given: G1 = (V1, E1) and G2 = (V2, E2) as above.
Question: ∄π : V1 → V2 (1-1, onto) as above?

[Figure: three example graphs G1, G2 and G3 on the vertices 1, 2, 3, 4.]

Aside: The Complexity of Graph Isomorphism

Theorem 1 (Babai 2017). Graph Isomorphism is solvable in quasipolynomial time, i.e., time O(2^((log2 s)^k)) for some k > 0, where s is the size of the graphs. See https://www.quantamagazine.org/graph-isomorphism-vanquished-again-20170114/

A Protocol for Graph Nonisomorphism

Input: G1, G2. Pat claims G1 ≇ G2.
Repeat n times:
  Vanna: Flips her coin to determine (i) a random i ∈ { 1, 2 } and (ii) π, a random permutation of { 1, . . . , n }. (Private.) Computes H = π(Gi) and sends H to Pat. (* The challenge *)
  Pat: Determines a j ∈ { 1, 2 } with Gj isomorphic to H. Sends j to Vanna.
  Vanna: Checks whether i = j. If i ≠ j, REJECTS.
End repeat.
Vanna ACCEPTS.

Completeness: If Pat is truthful, Pat can always meet Vanna’s challenges.
Soundness: If Pat is lying (so G1 ≅ G2): Prob[Pat meets one challenge] = 1/2. Prob[Pat meets n challenges] = 1/2^n.

Perfect Zero Knowledge Proofs: Back to the Cave

• Same setup as IP, but Pat wants proofs to reveal nothing about the secret.

A Faked Protocol Run: Vanna does her coin flips ahead of time and tells Pat. Then Pat can meet all challenges without knowing the magic word.

Suppose an observer knows everything Vanna does and sees except her flips of coins.
Q: Can an observer tell the difference between
• a true protocol run vs.
• a faked protocol run?
If not, perfect and fake runs carry the same info.

Perfect Zero Knowledge Proofs

• Same setup as IP, except Pat wants proofs to reveal no info on the secret.

A Perfect Zero-Knowledge Proof for Graph Isomorphism
Input: G1 = ({ 1, . . . , n }, E1) and G2 = ({ 1, . . . , n }, E2). Pat claims G1 ≅ G2.
// If correct, let σ : G2 ≅ G1. So σ(G2) = G1.
Repeat n times:
  Pat: Chooses a random permutation π of { 1, . . . , n }. Computes H = π(G1) and sends H to Vanna.
  Vanna: Chooses a random i ∈ { 1, 2 } and sends i to Pat.
  Pat: If i = 1 then Pat sets ρ ← π. // So H = ρ(G1).
       Else Pat sets ρ ← π ∘ σ. // So H = ρ(G2).
       Sends ρ to Vanna.
  Vanna: Checks that H = ρ(Gi). If not, REJECT.
End repeat.
Vanna ACCEPTS.

Completeness, Soundness, ZK: On board.


Notes on Completeness, Soundness and ZK:

Completeness:
• Suppose Pat tells the truth. Thus G1 ≅ G2.
• ∴ No matter if i = 1 or 2, H = ρ(Gi).

Soundness:
• Suppose Pat lies. Thus G1 ≇ G2.
• Pat cannot predict whether i = 1 or i = 2.
• ∴ He has a 50% chance of being wrong (and caught!)
• (1/2)^n → 0 fast!

ZK: . . .

Towards Formalizing ZKP, I

Transcript: T = [(G1, G2), (H1, i1, ρ1), . . . , (Hn, in, ρn)], i.e., (G1, G2) and all messages between Pat and Vanna.

A forgery algorithm for the Graph Isomorphism Protocol for G1 and G2:
  n ← the number of vertices of G1 (and G2)
  T ← [(G1, G2)]
  For j ← 1 to n do:
    Choose a random ij ∈ { 1, 2 } and ρj, a random permutation of { 1, . . . , n }.
    Compute Hj = ρj(Gij) and set T ← T || [(Hj, ij, ρj)]. (|| = string concat.)
  Return T

Informally, no one can tell a forged transcript from the real thing. Formally ...
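The graph-isomorphism protocol and the forgery algorithm above, simulated in Python. This is an added example, not code from the slides: the instance (a path G1, G2 = τ(G1) with σ = τ⁻¹, and a star G3 that is not isomorphic to G1), the function names and the cheating prover that always answers ρ = π are constructed for it. Beyond the slides, it enumerates every (π, i) pair and every (i, ρ) pair to show that honest rounds and forged rounds produce the same 2·n! triples (H, i, ρ), each exactly once, which is the counting argument behind Theorem 3 later in the deck.

```python
"""Graph-isomorphism perfect ZK protocol and its forgery algorithm, as an
added example. Vertices are 0..n-1, a graph is a frozenset of 2-element
frozensets (edges), and a permutation is a tuple perm with perm[v] the image
of v. The instance in demo_instance() is constructed for this demo."""
import random
from collections import Counter
from itertools import permutations


def apply_perm(perm, graph):
    """Relabel every edge {u, v} as {perm[u], perm[v]}."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)


def inverse(perm):
    inv = [0] * len(perm)
    for v, w in enumerate(perm):
        inv[w] = v
    return tuple(inv)


def compose(outer, inner):
    """(outer ∘ inner)(v) = outer[inner[v]]."""
    return tuple(outer[inner[v]] for v in range(len(inner)))


def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return tuple(perm)


def prover_answer(pi, sigma, i):
    """rho = pi when i == 1 (H = rho(G1)); rho = pi ∘ sigma when i == 2 (H = rho(G2))."""
    return pi if i == 1 else compose(pi, sigma)


def verifier_check(g1, g2, h, i, rho):
    """Vanna's test: H = rho(G_i)."""
    return h == apply_perm(rho, g1 if i == 1 else g2)


def run_protocol(g1, g2, sigma, n, rounds, seed, honest=True):
    """The protocol for `rounds` rounds. An honest Pat knows sigma with
    sigma(G2) = G1; a cheating Pat (honest=False) has no sigma and answers rho = pi."""
    rng = random.Random(seed)
    for _ in range(rounds):
        pi = random_perm(n, rng)
        h = apply_perm(pi, g1)                      # Pat's commitment H = pi(G1)
        i = rng.choice((1, 2))                      # Vanna's coin
        rho = prover_answer(pi, sigma, i) if honest else pi
        if not verifier_check(g1, g2, h, i, rho):
            return False                            # REJECT
    return True                                     # ACCEPT


def honest_round_distribution(g1, g2, sigma, n):
    """Every (pi, i) is equally likely, so this Counter is the exact
    distribution of one honest round's triple (H, i, rho)."""
    return Counter((apply_perm(pi, g1), i, prover_answer(pi, sigma, i))
                   for pi in permutations(range(n)) for i in (1, 2))


def forged_round_distribution(g1, g2, n):
    """The forgery picks (i, rho) first and sets H = rho(G_i); again exact."""
    return Counter((apply_perm(rho, g1 if i == 1 else g2), i, rho)
                   for rho in permutations(range(n)) for i in (1, 2))


def demo_instance():
    """Constructed instance: G1 is the path 0-1-2-3, G2 = tau(G1), sigma = tau^-1
    (so sigma(G2) = G1), and G3 is a star, which is not isomorphic to G1."""
    g1 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])
    tau = (2, 0, 3, 1)
    g2 = apply_perm(tau, g1)
    g3 = frozenset(frozenset(e) for e in [(0, 1), (0, 2), (0, 3)])
    return g1, g2, inverse(tau), g3


if __name__ == "__main__":
    g1, g2, sigma, g3 = demo_instance()
    print("honest run accepted:", run_protocol(g1, g2, sigma, 4, 20, seed=0))
    print("cheating run accepted:", run_protocol(g1, g3, None, 4, 40, seed=1, honest=False))
    print("same distribution:",
          honest_round_distribution(g1, g2, sigma, 4) == forged_round_distribution(g1, g2, 4))
```

The cheating prover is caught the first time Vanna's coin lands on 2, because π(G1) is never a relabelling of the non-isomorphic G3; the distribution check is what makes the forged transcript a perfect simulation rather than merely a plausible one.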


Towards Formalizing ZKP, II

Definition 2 (Goldwasser, Micali, and Rackoff — Cook). Suppose we have an interactive protocol for a problem Π, and a polytime simulation S to produce forgeries. For x ∈ the yes-instances of Π, define:
  True(x) = set of all possible legal transcripts for x.
  Forged(x) = set of all possible forgeries from S for x.
  ProbTrue(T, x) = Prob[T ∈ True(x)].
  ProbForged(T, x) = Prob[T ∈ Forged(x)].
The interactive protocol is said to be perfect zero knowledge for Vanna when:
  (∀x, T)[ True(x) = Forged(x) & ProbTrue(T, x) = ProbForged(T, x) ].

Towards Formalizing ZKP, III

Theorem 3. The I.P. for Graph Isomorphism is Perfect Zero-Knowledge. (Proof on board.)

What if Vanna cheats? Can she learn something? No! Vanna is just another observer.

Open Problem: Is the Graph Nonisomorphism Protocol Perfect Zero-Knowledge?
If you loosen Definition 2 a bit (e.g., by permitting the verifier to make an error with small probability), the answer is yes.


Notes: Proof of Theorem 3.
Suppose G1 ≅ G2 and n = number of vertices. A valid triple (H, i, ρ) is:
• ρ, a permutation of { 1, . . . , n }
• i ∈ { 1, 2 }
• H = ρ(Gi)
Let R be the set of valid triples. |R| = (poss. for i) × (poss. for ρ) = 2 · n!.
In the forging algorithm, in each round each valid triple appears with equal probability: 1/(2 · n!).
In the real transcript — the same probabilities!!
So: 1/(2 · n!) = ProbTrue(T) = ProbForged(T).

Quadratic Residues: Legendre & Jacobi Symbols

Definition 4.
(a) Let QRn =def { y² mod n : y ∈ (Z − { 0 }) }. [Copy defs on board]
(b) The Legendre symbol: For prime p and a ∈ Z, let
    (a/p) =def  0, if a ≡ 0 (mod p);
                1, if a ≢ 0 (mod p) & (∃x)[x² ≡ a (mod p)];
               −1, otherwise.
(c) The Jacobi symbol: For n = p1^e1 · · · pk^ek (where each pi is prime),
    (a/n) =def ∏_{i=1}^{k} (a/pi)^ei.

N.B. The standard (but antique) notation (a/n) has nothing to do with the fraction a/n.


Notes: References:
• Chapter 9 in Andrews
• https://en.wikipedia.org/wiki/Quadratic_residue
• https://en.wikipedia.org/wiki/Legendre_symbol
• https://en.wikipedia.org/wiki/Jacobi_symbol
• https://exploringnumbertheory.wordpress.com/tables-of-contents/ (see the Legendre- and Jacobi-Symbols sections)

Quadratic Residues: Jacobi Symbols When n = p · q

Suppose n = p · q (p & q primes, p ≠ q) and a ∈ (Z − { 0 }). Then
    (a/n) =  1, if (a/p) = (a/q);
            −1, otherwise.

For each a ∈ Z:
    a ∈ QRn ⟺ a ∈ QR(p) & a ∈ QR(q)   (⋆)
            ⟺ (a/p) = (a/q) = 1.
(⋆) We showed this before.

Definition 5. Suppose n = p · q as above and (a/p) = (a/q) = −1. We call such an a a pseudo-residue mod n.


Notes: Suppose p and q are distinct primes.
Claim. x² ≡ y (mod p · q) ⟺ x² ≡ y (mod p) & x² ≡ y (mod q).
Proof. (⟹) x² ≡ y (mod p · q) ⟺ (x² − y) = k · p · q for some k. So clearly p | (x² − y) and q | (x² − y), i.e., y ∈ QRp and y ∈ QRq.
(⟸) This direction follows from: Exercise: Show that if p | z and q | z, then (p · q) | z.

Example: Quadratic Residues When n = p · q
a ∈ QR35 ⟺ a ∈ QR5 & a ∈ QR7.
QR5 = { 1, 4 }, QR7 = { 1, 2, 4 }, QR35 = { 1, 4, 9, 11, 16, 29 }.
   1 ≡ 1 (mod 5),   1 ≡ 1 (mod 7)
  16 ≡ 1 (mod 5),  16 ≡ 2 (mod 7)
  11 ≡ 1 (mod 5),  11 ≡ 4 (mod 7)
  29 ≡ 4 (mod 5),  29 ≡ 1 (mod 7)
   9 ≡ 4 (mod 5),   9 ≡ 2 (mod 7)
   4 ≡ 4 (mod 5),   4 ≡ 4 (mod 7)

Jacobi Symbols: Some Basic Facts, I

Theorem 6 (See Andrews, Chapter 9). Suppose n is odd and gcd(a, n) = 1 = gcd(b, n).
(a) (a/n) = ((a mod n)/n).
(b) (ab/n) = (a/n)(b/n).
(c) (−1/n) = (−1)^((n−1)/2), and, of course, (1/n) = 1.
(d) (2/n) = +1, if n ≡ 1 or 7 (mod 8);
            −1, if n ≡ 3 or 5 (mod 8).
(e) Gauss’s law of quadratic reciprocity (aka, Jacobi’s reciprocity law): For m positive and odd,
    (m/n) = −(n/m), if m ≡ n ≡ 3 (mod 4);
            +(n/m), otherwise.

⋆ The theorem lets us compute (a/n) reasonably fast for odd n.

Computing (a/n) for odd n

-- (jacobi a n) = the Jacobi symbol of a and n, where n is odd.
-- Follows Theorem 6: reduce a mod n, pull out factors of 2, then reciprocity.
jacobi :: (Integral a) => a -> a -> a
jacobi 0 _ = 0
jacobi _ n | even n = error "n is supposed to be odd"
jacobi 1 _ = 1
jacobi (-1) n = if odd (div (n-1) 2) then (-1) else 1
jacobi 2 n = if i==3 || i==5 then (-1) else 1 where i = mod n 8
jacobi m n
  | m < 0 || m > n = jacobi (mod m n) n                -- (a): reduce mod n
  | m == n = 0                                          -- gcd(m,n) = n > 1
  | even m = (jacobi 2 n) * (jacobi (m `div` 2) n)      -- (b) and (d)
  | (mod m 4)==3 && (mod n 4)==3 = -(jacobi n m)        -- (e), sign flips
  | otherwise = jacobi n m                              -- (e)
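A Python version of the same computation, added here and not from the slides. It follows Theorem 6 the way the Haskell does and checks itself against the Legendre symbol computed by Euler's criterion (a^((p−1)/2) mod p). It also splits Z*35 into the residues QR35 = { 1, 4, 9, 11, 16, 29 } from the earlier example, the pseudo-residues of Definition 5 and the rest, and tests the product rules of Proposition 7 on them. The function names and the modulus 35 are choices made for this example.

```python
"""Jacobi symbol via Theorem 6 (a)-(e), checked against Euler's criterion,
plus the residue / pseudo-residue split for n = 35. Added example; not the
slides' Haskell. jacobi(a, n) stands for the symbol (a/n)."""
from math import gcd


def legendre(a, p):
    """(a/p) for an odd prime p by Euler's criterion: a^((p-1)/2) mod p is 0, 1 or p-1."""
    e = pow(a, (p - 1) // 2, p)
    return -1 if e == p - 1 else e


def jacobi(a, n):
    """(a/n) for odd n > 0 using Theorem 6: reduce mod n (rule a), pull out
    factors of 2 with rules (b) and (d), swap by reciprocity (e), repeat."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:             # (2b/n) = (2/n)(b/n); (2/n) = -1 iff n = 3, 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                   # reciprocity: (a/n) = +-(n/a)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n                        # rule (a)
    return result if n == 1 else 0    # gcd(a, n) > 1 gives 0 (outside Theorem 6)


def classify(n, p, q):
    """Split the units of Z_n (n = p*q) into quadratic residues, pseudo-residues
    ((a/p) = (a/q) = -1, Definition 5) and the rest, which have Jacobi symbol -1."""
    qr, pseudo, other = set(), set(), set()
    for a in range(1, n):
        if gcd(a, n) != 1:
            continue
        lp, lq = legendre(a, p), legendre(a, q)
        if lp == lq == 1:
            qr.add(a)
        elif lp == lq == -1:
            pseudo.add(a)
        else:
            other.add(a)
    return qr, pseudo, other


def brute_force_qr(n):
    """{ y^2 mod n : y a unit mod n }, the definition rather than the symbols."""
    return {y * y % n for y in range(1, n) if gcd(y, n) == 1}


def check_product_rule(n, p, q):
    """Proposition 7: QR*QR and pseudo*pseudo land in QR; QR*pseudo lands in pseudo."""
    qr, pseudo, _ = classify(n, p, q)
    return (all(a * b % n in qr for a in qr for b in qr)
            and all(a * b % n in qr for a in pseudo for b in pseudo)
            and all(a * b % n in pseudo for a in qr for b in pseudo))


if __name__ == "__main__":
    qr, pseudo, other = classify(35, 5, 7)
    print("QR35       :", sorted(qr))
    print("pseudo     :", sorted(pseudo))
    print("Jacobi -1  :", sorted(other))
    print("Prop. 7 ok :", check_product_rule(35, 5, 7))
```

Note the last line of jacobi: Theorem 6 assumes gcd(a, n) = 1, and the function returns 0 outside that case, which is also the value the Jacobi symbol takes there. The pseudo-residues are exactly the trap behind the Quadratic Residue Problem: every element of both QR35 and the pseudo-residue set has (a/35) = 1, so the public symbol cannot separate them.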


Jacobi Symbols: Basic Facts, II

Proposition 7. Suppose p and q are distinct odd primes and n = p · q.
    QRn  = { a ∈ Z : (a/p) = (a/q) = 1 } = the quadratic residues.
    QR̄n = { a ∈ Z : (a/p) = (a/q) = −1 } = the pseudo-residues (QR with an overbar).
Then, for a, b ∈ Z we have:
    a ∈ QRn  & b ∈ QRn  ⟹ a · b ∈ QRn
    a ∈ QRn  & b ∈ QR̄n ⟹ a · b ∈ QR̄n
    a ∈ QR̄n & b ∈ QRn  ⟹ a · b ∈ QR̄n
    a ∈ QR̄n & b ∈ QR̄n ⟹ a · b ∈ QRn
Proof on board. Recall Theorem 6(b): (ab/n) = (a/n)(b/n) when n is odd.


Notes: Proof of Proposition 7:
• By Theorem 6(b): (ab/m) = (a/m) · (b/m).
Sample cases:
CASE: a ∈ QR̄n & b ∈ QRn. Then (a/p) = (a/q) = −1 and (b/p) = (b/q) = 1.
  So (ab/p) = (a/p)(b/p) = −1 = (a/q)(b/q) = (ab/q), hence ab ∈ QR̄n.
CASE: a ∈ QR̄n & b ∈ QR̄n. Then (a/p) = (a/q) = (b/p) = (b/q) = −1.
  So (ab/p) = (a/p)(b/p) = 1 = (a/q)(b/q) = (ab/q), hence ab ∈ QRn.

The Quadratic Residue Problem

FACT: Suppose n = p · q, where p and q are distinct odd primes. Then (a/n) = 1 does NOT imply a ∈ QRn, because we could have (a/p) = (a/q) = −1.

The Quadratic Residue Problem (QRP)
Given: p and q distinct odd primes and x ∈ Z*pq with (x/pq) = 1.
Question: Is x ∈ QRpq?

An Interactive Proof System for the QRP

Input: n and x ∈ Z*n. // n = p · q, where p and q are distinct odd primes.
Pat claims x ∈ QRn. // If Pat is truthful, let u² = x (mod n).
Repeat ⌊log2 n⌋ times. (⌊log2 n⌋ ≈ the number of bits in n’s binary rep.)
  Pat: Chooses a random v ∈ Z*n. Computes y = v² mod n. Sends y to Vanna.
  Vanna: Chooses a random i ∈ { 0, 1 }. Sends i to Pat.
  Pat: Computes and sends to Vanna: z = u^i · v mod n.
       Note: z² = u^(2i) · v² = xy, if i = 1; y, if i = 0.
  Vanna: Checks whether z² = x^i · y mod n and REJECTS if not.
End Repeat.
Vanna ACCEPTS if she hasn’t rejected yet.

Soundness: Easy. Completeness: Easy. ZK: See next slide.

Perfect Zero Knowledge for the QRP

A transcript looks like: [x, (y1, i1, z1), . . . , (yk, ik, zk)].
In an honest transcript we have that:
  y is the square of a random v ∈ Z*n.
  i is a random element of { 0, 1 }.
  z = u^i · v.
In a forgery, we can:
  Pick i and z at random. Set y = z² · (x^i)^(−1) (mod n).
  When i = 0: y ≡ z² (mod n).
  When i = 1: y ≡ z² · x^(−1) (mod n). So, xy ≡ z² (mod n).
The probability distributions work out to be the same in the honest and forged cases.
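The QRP proof system and the forgery above, run in Python on the toy modulus n = 7 · 11 = 77. This is an added example, not the slides' code; the primes, the square root u = 10 of x = 23 and the function names are constructed for it. Besides running the honest rounds and checking that forged rounds pass Vanna's test, it enumerates every (v, i) and every (z, i) choice to confirm the slide's last sentence: the honest and forged triples (y, i, z) have identical distributions.

```python
"""Interactive proof for the Quadratic Residue Problem and its forged
transcripts, as an added example (not the slides' code). n = 7*11 = 77 is a
constructed toy modulus, small enough to enumerate every round exactly."""
import random
from collections import Counter
from math import gcd

P, Q = 7, 11
N = P * Q


def units(n=N):
    """Z_n^*: the residues coprime to n."""
    return [v for v in range(1, n) if gcd(v, n) == 1]


def honest_round(x, u, rng, n=N):
    """Pat knows u with u^2 = x (mod n). One round: commit y, get coin i, answer z."""
    v = rng.choice(units(n))
    y = v * v % n                    # y = v^2
    i = rng.choice((0, 1))           # Vanna's coin
    z = pow(u, i, n) * v % n         # z = u^i * v
    return y, i, z


def verify_round(x, y, i, z, n=N):
    """Vanna's check: z^2 = x^i * y (mod n)."""
    return z * z % n == pow(x, i, n) * y % n


def run_protocol(x, u, seed, n=N):
    """floor(log2 n) rounds; True iff Vanna accepts every round."""
    rng = random.Random(seed)
    rounds = n.bit_length() - 1
    return all(verify_round(x, *honest_round(x, u, rng, n), n) for _ in range(rounds))


def forged_round(x, rng, n=N):
    """No u needed: pick i and z first, then y = z^2 * (x^i)^-1 (mod n)."""
    i = rng.choice((0, 1))
    z = rng.choice(units(n))
    y = z * z * pow(pow(x, i, n), -1, n) % n
    return y, i, z


def forged_transcript(x, seed, n=N):
    rng = random.Random(seed)
    return [forged_round(x, rng, n) for _ in range(n.bit_length() - 1)]


def transcript_verifies(x, transcript, n=N):
    """A forged transcript passes every one of Vanna's checks."""
    return all(verify_round(x, y, i, z, n) for y, i, z in transcript)


def honest_distribution(x, u, n=N):
    """Exact distribution of an honest round: each (v, i) pair once."""
    return Counter((v * v % n, i, pow(u, i, n) * v % n)
                   for v in units(n) for i in (0, 1))


def forged_distribution(x, n=N):
    """Exact distribution of a forged round: each (z, i) pair once."""
    return Counter((z * z * pow(pow(x, i, n), -1, n) % n, i, z)
                   for z in units(n) for i in (0, 1))


if __name__ == "__main__":
    x, u = 23, 10                    # 10^2 = 100 = 23 (mod 77)
    print("honest run accepted:", run_protocol(x, u, seed=0))
    print("forgery verifies   :", transcript_verifies(x, forged_transcript(x, seed=1)))
    print("same distribution  :", honest_distribution(x, u) == forged_distribution(x))
```

The map v ↦ z = u^i · v is a bijection on Z*n for each i, which is why the two Counters agree triple for triple; a prover without u can only answer the i = 0 challenge, so each round catches him with probability 1/2, as with the cave.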


Less-Than-Perfect Zero Knowledge

The definition of a perfect zero knowledge protocol has the requirement:
  (∀ transcripts T) (∀ problem instances x)
    the probability that T is a legal transcript for x
    = the probability that T is a forged (by the simulator) transcript for x.
That “=” limits the applicability of perfect zero knowledge.

We want to define a notion of computational zero knowledge by replacing the “=” in perfect zero-knowledge with “computationally hard to tell apart within reasonable resources.” To pin down a precise meaning for “computationally hard to tell apart,” we first consider pseudo-random generators, which should be “computationally hard to tell apart” from a true random source.

Pseudo-Random Generation, Again

a few random bits ⇒ PRG ⇒ many pseudo-random bits

What is “Random”?
• unpredictable: no computable betting procedure
• typical: passes all computable statistical tests
• patternless: no computable compression technique

Definition 8 (Pseudo-Random Bit Generator (PRBG)). Suppose p is a polynomial with x < p(x) for all x. A (k, p(k))-PRBG is a polytime f such that f : (Z2)^k → (Z2)^p(k) for all k. (We usually write ℓ for p(k).) y = f(s): y = PR-bit string, s = seed.

PRG Examples

Linear Congruential Generator: Easy, insecure
  Suppose m ≥ 2, a, b ∈ Z*m, k = ⌊log2 m⌋, and ℓ ∋ k < ℓ ≤ m − 1.
  s0 ∈ Zm
  s(i+1) = (a · si + b) mod m
  f(s0) = (z1, . . . , zℓ), where zi = si mod 2
  Example: m = 31 / a = 3 / b = 5 / k = 5 / ℓ = 10

The RSA-Based Generator: Harder, secure(?)
  Suppose p, q are two distinct k/2-bit primes, n = p · q, and b ∈ Z*ϕ(n).
  s0 ∈ Zn
  s(i+1) = si^b mod n
  f(s0) = (z1, . . . , zℓ), where zi = si mod 2

What Is a Secure PRG?

GOALS: Fast, secure.
IDEA: The bits produced by the PRG should look random to an “ordinary opponent.”

Definition 9. Suppose: p0 and p1 are two probability distributions on Z2^ℓ and ε > 0. A : Z2^ℓ → { 0, 1 } is computed by an O(poly(ℓ))-time algorithm. Define:
    E_A(pj) =def Σ_{z ∈ Z2^ℓ} pj(z) · Prob[A(z) = 1 | z], where j = 0, 1.
A is an ε-distinguisher of p0 and p1 ⟺ |E_A(p0) − E_A(p1)| ≥ ε.
p0 and p1 are ε-indistinguishable ⟺ there is no ε-distinguisher for them.

PRGs and Distributions

distributions on seeds ⟹ distributions on pseudo-random sequences

Suppose f is a (k, ℓ)-PRBG.
  p0 is the uniform distribution on { 0, 1 }^ℓ. (Each seq. has prob. 2^(−ℓ).)
  p1 is the distr. on { 0, 1 }^ℓ induced by f and the unif. distr. on { 0, 1 }^k:
    roughly 2^k many sequences, each with probability 2^(−k) (some collisions likely);
    roughly 2^ℓ − 2^k (= 2^ℓ(1 − 1/2^(ℓ−k))) many seqs., each with prob. 0.
This is very nonuniform, but still might be ε-indist. for “small” ε.

Suppose f always produces seqs. in which exactly half the bits are 1.
    A(z) = 1, if exactly 1/2 of the bits in z are 1;
           0, otherwise.
◮ E_A(p0) = C(ℓ, ℓ/2) · 2^(−ℓ) → 0 as ℓ → ∞.
◮ E_A(p1) = 1 → 1 as ℓ → ∞.
∴ p0 & p1 are ε-distinguishable for large ℓ.

Next Bit Predictors and Effective Gambling, I

Definition 10. Suppose f is a (k, ℓ)-PRBG and f(s0) = (z1, . . . , zℓ). Bi(z1, . . . , z(i−1)) = a guess at zi. (s0 unknown / Bi may be probabilistic.) We say that Bi is an ε-next bit predictor iff Bi can correctly predict the i-th bit from z1, . . . , z(i−1) with prob. ≥ 1/2 + ε.

Theorem 11. Suppose f is a (k, ℓ)-PRBG. Then: A probabilistic algorithm Bi is an ε-next bit predictor for f if and only if
    Σ_{z1 . . . z(i−1)} p1(z1 . . . z(i−1)) · Prob[ zi = Bi(z1 . . . z(i−1)) | z1 . . . z(i−1) ] ≥ 1/2 + ε.
Proof: Just unpack the definition.

Next Bit Predictors and Effective Gambling, II

Example 12. Recall the example linear congruential generator from before:
• f(s0) = (z1, . . . , z10) where s(i+1) = (3 · si + 5) mod 31 and zi = si mod 2.
• For i = 1, . . . , 9, Bi(z1, . . . , z(i−1)) = 1 − z(i−1).
It turns out that Bi is a 9/62-next bit predictor for f. ∴ Correct with probability ≥ 20/31!!!!

Theorem 13. Suppose Bi is an ε-next bit predictor for a (k, ℓ)-PRBG f, p0 and p1 are as before, and A ≡ λz1 . . . zℓ [if (Bi(z1 . . . z(i−1)) = zi) then 1 else 0]. Then: A is an ε-distinguisher of p0 and p1.
Proof: Not too hard.

Theorem 14. Suppose A is an ε-distinguisher of p0 and p1 (as before). Then: for some i ∈ { 1, . . . , ℓ − 1 }, there is an ε/2-next bit pred. Bi for f.
Proof: Harder.


Notes: Haskell for Example 12.

-- a linear congr. PRG: an infinite list of the output bits s mod 2
pseq a b p s = (s `mod` 2) : (pseq a b p ((a*s+b) `mod` p))

-- a linear congr. PRG with some parameters plugged in
pseq' s = pseq 3 5 31 s

-- gather stats on the "opposite-bit test": the fraction of adjacent output
-- bits that differ, i.e. how often B_i = 1 - z_(i-1) is right.
-- Call it on a finite prefix, e.g. stat (take 1000 (pseq' 7)).
stat :: [Integer] -> Double
stat sq = fromIntegral success / fromIntegral total
  where pairs   = zip sq (tail sq)
        success = length [(y,z) | (y,z) <- pairs, y /= z]
        total   = length pairs
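The same experiment in Python, added here and not part of the slides: the LCG of Example 12, the predictor Bi, and two ways of measuring it. predictor_success averages over all 31 seeds as Definition 10 requires and reproduces the 20/31 (so ε = 9/62); opposite_bit_stat is the Haskell stat on one long run. The two differ slightly because the seed 13 is a fixed point of s ↦ 3s + 5 mod 31, the one seed on which the predictor fails and which a run started anywhere else never visits. The function names are this example's own.

```python
"""Example 12 worked numerically: the LCG s_{i+1} = (3*s_i + 5) mod 31 with
z_i = s_i mod 2, and the opposite-bit predictor B_i(z_1..z_{i-1}) = 1 - z_{i-1}.
Added example, not the slides' Haskell."""
from fractions import Fraction


def lcg_bits(a, b, m, s0, length):
    """Output bits z_1..z_length of the linear congruential PRBG f(s0)."""
    bits, s = [], s0
    for _ in range(length):
        s = (a * s + b) % m          # s_{i+1} = (a*s_i + b) mod m
        bits.append(s % 2)           # z_i = s_i mod 2
    return bits


def opposite_bit_predictor(prev_bits):
    """B_i(z_1, ..., z_{i-1}) = 1 - z_{i-1}: bet that the next bit flips."""
    return 1 - prev_bits[-1]


def predictor_success(a, b, m, i, length=10):
    """Exact Prob[B_i(z_1..z_{i-1}) = z_i] with the seed s0 uniform on Z_m
    (Definition 10), for 2 <= i <= length."""
    hits = 0
    for s0 in range(m):
        z = lcg_bits(a, b, m, s0, length)
        hits += opposite_bit_predictor(z[:i - 1]) == z[i - 1]
    return Fraction(hits, m)


def predictor_advantage(a, b, m, i):
    """The epsilon for which B_i is an epsilon-next-bit predictor: success - 1/2.
    By Theorem 13 this is also the gap |E_A(p1) - E_A(p0)| of the distinguisher
    A(z) = [B_i(z_1..z_{i-1}) == z_i], because E_A(p0) = 1/2 on uniform bits."""
    return predictor_success(a, b, m, i) - Fraction(1, 2)


def opposite_bit_stat(bits):
    """Fraction of adjacent output bits that differ (what the Haskell `stat` measures)."""
    pairs = list(zip(bits, bits[1:]))
    return Fraction(sum(y != z for y, z in pairs), len(pairs))


def fixed_points(a, b, m):
    """Seeds with s_{i+1} = s_i; a run started elsewhere never visits them."""
    return [s for s in range(m) if (a * s + b) % m == s]


if __name__ == "__main__":
    print("Prob[B_2 right], s0 uniform:", predictor_success(3, 5, 31, 2))   # 20/31
    print("advantage epsilon          :", predictor_advantage(3, 5, 31, 2))  # 9/62
    print("stat on a 3001-bit run     :", opposite_bit_stat(lcg_bits(3, 5, 31, 7, 3001)))
    print("fixed points               :", fixed_points(3, 5, 31))
```

Because multiplication by 3 has order 30 modulo 31, every non-fixed seed cycles through the same 30 states, so a long run measures 20/30 = 2/3 rather than 20/31; either way the generator fails the next-bit test badly, which is the point of the example.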

Quadratic Residue Facts, Restated

QR(m) = { x² mod m : x ∈ Z*m } = the quadratic residues mod m.

Legendre symbol, p prime:
    (a/p) =  0, if a ≡ 0 (mod p);
             1, if a ∈ QR(p);
            −1, otherwise.
Jacobi symbol, n = p · q:
    (a/n) =  0, if gcd(a, n) ≠ 1;
             1, if (a/p) = (a/q);
            −1, otherwise.

a ∈ QRn iff (a/p) = (a/q) = 1.
QR̄n =def { z ∈ Z*n − QRn : (z/n) = 1 } = { z ∈ Z*n : (z/p) = (z/q) = −1 }.

a ∈ QRn,  b ∈ QRn  ⟹ (a · b mod n) ∈ QRn.
a ∈ QRn,  b ∈ QR̄n ⟹ (a · b mod n) ∈ QR̄n.
a ∈ QR̄n, b ∈ QRn  ⟹ (a · b mod n) ∈ QR̄n.
a ∈ QR̄n, b ∈ QR̄n ⟹ (a · b mod n) ∈ QRn.

The Quadratic Residue Problem (No known polytime algorithm)
Given p and q prime, n = p · q, and z ∈ Z*n ∋ (z/n) = 1.
Q: Is z ∈ QRn?

The Blum-Blum-Shub Generator

Setup: p and q, two distinct k/2-bit primes with p ≡ q ≡ 3 (mod 4). n = p · q. (k = log2 n)

The BBS Generator: s0 ∈ QRn, a seed. For i = 1, . . . , ℓ, set:
  (a) si = s(i−1)² mod n
  (b) zi = si mod 2
Define f(s0) = (z1 . . . zℓ).

Theorem 15 (The Security Theorem). If (k, ℓ)-BBS can be ε-distinguished from ℓ random bits for some ε > 0, then there is a good probabilistic polytime algorithm for the Quadratic Residues Problem. (The existence of such an algorithm is believed unlikely.)

A Problem with (Naïve) Deterministic Encryption

Suppose you want to send a message x ∈ { 0, 1 } by a PKCS.
  Alice: When x = 0: Computes and sends y0 = eB(0).
  Bob: Receives y0 and computes dB(y0) = 0.
  Alice: When x = 1: Computes and sends y1 = eB(1).
  Bob: Receives y1 and computes dB(y1) = 1.
  Eve: Computes y0 = eB(0) & y1 = eB(1) and knows everything.

Probabilistic Encryption: dk(ek(x, r)) = x, where x is a message and r is a randomizer. ek(x, r) conveys “no information” about x.

Probabilistic Encryption

Definition 16. A probabilistic PKC consists of P = plaintexts, K = keys, C = ciphertexts, R = randomizers, and ∀k ∈ K: ek : P × R → C and dk : C → P such that:
  For all x ∈ P, r ∈ R, dk(ek(x, r)) = x.
  For all x, x′ ∈ P, r ∈ R: x ≠ x′ ⟹ ek(x, r) ≠ ek(x′, r).

Definition 17. An ε-security parameter RPKC is one ∋ for all x, x′ ∈ P with x ≠ x′ and all r ∈ R, p(k,x) and p(k,x′) are ε-indistinguishable, where: ∀k ∈ K ∀x ∈ P, p(k,x)(y) =def Prob[y = dk(ek(x, r)) | given x and k ].

∴ To Eve an encryption of x looks like an encryption of x′.

The Goldwasser and Micali RPKC

Setup: p and q, distinct odd primes (p and q private). n = p · q and a ∈ QR̄n (n and a public).
P = { 0, 1 }. C = R = Z*n. K = { (n, p, q, a) : . . . }.
ek(x, r) = a^x · r² (mod n).
dk(y) = 0, if y ∈ QRn;
        1, if y ∈ QR̄n. (How to compute???)
a^x · r² (mod n) is sometimes called a blob.

Recall: (y/p) = (y^((p−1)/2) mod p) = 1 ⟺ y ∈ QR(p).

The Blum-Goldwasser RPKC, I

Setup: p and q: distinct primes, k/2 bits, and ≡ 3 (mod 4). (Private) n = p · q. (Public)

Alice: Wants to send Bob x ∈ Z2^ℓ. (Knows n, but not p or q.)
  Chooses a random s0 ∈ QRn: seed.
  For i = 1, . . . , ℓ + 1, computes:
    si = s(i−1)² mod n  // ≡ (s0)^(2^i) (mod n)
    zi = si mod 2
  Sends (x ⊗ (z1 . . . zℓ), s(ℓ+1)).

Bob: Receives (y, s(ℓ+1)). (Knows p and q.)
  Computes s0 from s(ℓ+1). How??
  Computes x = y ⊗ (z1 . . . zℓ).

The Blum-Goldwasser RPKC, II

Definition 18. The principal square root of x ∈ QRn is the y ∈ QRn with x ≡ y² (mod n).

Facts: Each s(i−1) is the principal square root of si mod n.
Suppose x ∈ QRn. (So x ∈ QRp and x ∈ QRq.)
  The square roots (mod p) of x are ±x^((p+1)/4) mod p.
  Since x ∈ QRp, (x^((p+1)/4) / p) = (x/p)^((p+1)/4) = (1)^((p+1)/4) = 1.
  ∴ x^((p+1)/4) mod p is the principal square root of x mod p.
  Similarly, x^((q+1)/4) is the principal square root of x mod q.
More ...

Blum-Goldwasser, III

So for x ∈ QRn:
  Mod p: x^((p+1)/4) is the principal square root of x.
  Mod q: x^((q+1)/4) is the principal square root of x.
Let:
  a1 = ((p+1)/4)^(ℓ+1) mod (p − 1),   b1 = s(ℓ+1)^a1 mod p
  a2 = ((q+1)/4)^(ℓ+1) mod (q − 1),   b2 = s(ℓ+1)^a2 mod q
Then: s0 ≡ b1 (mod p), s0 ≡ b2 (mod q). (Why?) So we can compute s0 by the CRT.
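BBS and Blum-Goldwasser on a toy modulus, as an added example (not the slides' code). p = 7 and q = 11 are constructed primes ≡ 3 (mod 4), the slide's ⊗ is implemented as bitwise exclusive-or, and recover_seed computes a1, b1, a2, b2 and the CRT step exactly as on this slide; the function names are this example's own. The recovery depends on s0 ∈ QRn: the principal-root argument of the previous slide needs s0 to be a residue mod p and mod q, which is why the seed is drawn as the square of a random unit.

```python
"""Blum-Blum-Shub keystream and Blum-Goldwasser encryption/decryption on the
constructed modulus n = 7*11. Added example, not the slides' code. Bob
recovers the seed s_0 from s_{l+1} with the (p+1)/4 exponents and the CRT."""
import random
from math import gcd

P, Q = 7, 11                     # both 3 mod 4
N = P * Q


def bbs_bits(s0, length, n=N):
    """BBS: s_i = s_{i-1}^2 mod n, z_i = s_i mod 2.  Returns (z_1..z_length, s_{length+1})."""
    s, bits = s0, []
    for _ in range(length):
        s = s * s % n
        bits.append(s % 2)
    return bits, s * s % n       # s_{l+1}, sent along with the ciphertext


def quadratic_residues(n=N):
    """All s0 a sender may pick: squares of units mod n."""
    return sorted({r * r % n for r in range(1, n) if gcd(r, n) == 1})


def random_qr(rng, n=N):
    return rng.choice(quadratic_residues(n))


def crt(b1, p, b2, q):
    """The unique s mod p*q with s = b1 (mod p) and s = b2 (mod q)."""
    return (b1 * q * pow(q, -1, p) + b2 * p * pow(p, -1, q)) % (p * q)


def recover_seed(s_last, length, p=P, q=Q):
    """Undo length+1 squarings. Mod p the principal root of x is x^((p+1)/4),
    so a1 = ((p+1)/4)^(l+1) mod (p-1) and b1 = s_{l+1}^a1 mod p; same mod q."""
    a1 = pow((p + 1) // 4, length + 1, p - 1)
    a2 = pow((q + 1) // 4, length + 1, q - 1)
    b1 = pow(s_last, a1, p)
    b2 = pow(s_last, a2, q)
    return crt(b1, p, b2, q)


def encrypt(bits, seed, n=N):
    """Alice: x XOR (z_1..z_l), plus s_{l+1}; she knows only n."""
    rng = random.Random(seed)
    s0 = random_qr(rng, n)
    z, s_last = bbs_bits(s0, len(bits), n)
    return [x ^ zi for x, zi in zip(bits, z)], s_last


def decrypt(cipher, s_last, p=P, q=Q):
    """Bob: recover s0 with p and q, regenerate the keystream, XOR it off."""
    s0 = recover_seed(s_last, len(cipher), p, q)
    z, _ = bbs_bits(s0, len(cipher), p * q)
    return [y ^ zi for y, zi in zip(cipher, z)]


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    cipher, s_last = encrypt(msg, seed=3)
    print("ciphertext:", cipher, "s_{l+1} =", s_last)
    print("decrypted :", decrypt(cipher, s_last))
```

Anyone holding only n can square forward but cannot take the principal root backward; the exponent (p+1)/4 is exactly the secret that factoring n would reveal.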


Bit Commitment: Using the Blum-Goldwasser RPKC

f : { 0, 1 } × X → Y, Y = Blobs.
Concealing: Vanna cannot feasibly determine b from f(b, x).
Binding: Pat can open the blob revealing x, but cannot open a blob as both 0 and 1.

Setup: p, q primes, n = p · q, m ∈ QR̄n.
Commit: Pat chooses b ∈ { 0, 1 } and x ∈ Z*n. Computes y = f(b, x) = (m^b · x² mod n). Sends y to Vanna.
Reveal: Pat sends b and x to Vanna. Vanna checks that y = m^b · x² mod n.
CLAIM: This satisfies the concealing and binding properties. (Proof on board.)


Notes: Concealing: Given c ∈ QRn ∪ QR̄n, deciding whether c ∈ QRn is equivalent to factoring n. Binding: Suppose y = m^0 · x² = m^1 · z². Then m = (x · z^(−1))². So m ∈ QRn, contradiction. Problem: How to initially convince Vanna that m ∈ QR̄n?
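Goldwasser–Micali encryption and the bit commitment above in Python, added here (not the slides' code) on the constructed modulus n = 7 · 11. Both use the same blob, a^x · r² for encryption and m^b · x² for commitment, with the pseudo-residue found by Euler's criterion. The private primes are used only for decryption and for the binding check, which searches for two openings of one blob and finds none when m is a pseudo-residue but does find them when m is a square. Function names are this example's own.

```python
"""Goldwasser-Micali encryption and the quadratic-residue bit commitment on
the constructed toy modulus n = 7*11. Added example, not the slides' code."""
import random
from math import gcd

P, Q = 7, 11
N = P * Q


def euler(a, p):
    """Legendre symbol (a/p) via a^((p-1)/2) mod p."""
    e = pow(a, (p - 1) // 2, p)
    return -1 if e == p - 1 else e


def is_qr(y, p=P, q=Q):
    """y in QR_n  <=>  (y/p) = (y/q) = 1; needs the factorization of n."""
    return euler(y, p) == 1 and euler(y, q) == 1


def find_pseudo_residue(p=P, q=Q):
    """Smallest a with (a/p) = (a/q) = -1: Jacobi symbol 1, yet not a square."""
    return next(a for a in range(2, p * q) if euler(a, p) == euler(a, q) == -1)


def units(n=N):
    return [r for r in range(1, n) if gcd(r, n) == 1]


def gm_encrypt(bit, a, rng, n=N):
    """e_k(x, r) = a^x * r^2 mod n with a fresh randomizer r per bit."""
    r = rng.choice(units(n))
    return pow(a, bit, n) * r * r % n


def gm_decrypt(y, p=P, q=Q):
    """d_k(y) = 0 if y is a residue, 1 if y is a pseudo-residue."""
    return 0 if is_qr(y, p, q) else 1


def gm_encrypt_bits(bits, a, seed, n=N):
    rng = random.Random(seed)
    return [gm_encrypt(b, a, rng, n) for b in bits]


def gm_decrypt_bits(cipher, p=P, q=Q):
    return [gm_decrypt(y, p, q) for y in cipher]


def ciphertext_spread(bit, a, trials, seed, n=N):
    """How many distinct ciphertexts one plaintext bit gets: Eve cannot tabulate e(0) and e(1)."""
    rng = random.Random(seed)
    return len({gm_encrypt(bit, a, rng, n) for _ in range(trials)})


def commit(bit, m, x, n=N):
    """Blob y = f(b, x) = m^b * x^2 mod n."""
    return pow(m, bit, n) * x * x % n


def open_commitment(blob, bit, x, m, n=N):
    """Vanna's check on reveal."""
    return blob == commit(bit, m, x, n)


def double_openings(m, n=N):
    """Binding check: all (x, z) with m*x^2 = z^2 mod n, i.e. a blob that opens
    as 1 with x and as 0 with z. Empty iff m is not a square mod n."""
    return [(x, z) for x in units(n) for z in units(n)
            if commit(1, m, x, n) == commit(0, m, z, n)]


if __name__ == "__main__":
    a = find_pseudo_residue()
    print("public pseudo-residue a =", a)
    c = gm_encrypt_bits([1, 0, 1, 1, 0], a, seed=0)
    print("ciphertext:", c, "-> plaintext:", gm_decrypt_bits(c))
    print("double openings with m = a:", double_openings(a))
    print("double openings with m = 4:", double_openings(4)[:3], "...")
```

With m = 4 (a square) a blob can be opened both ways, for instance x = 1 and z = 2 give 4 · 1² = 2², which is the contradiction the binding proof derives; choosing m outside QRn is therefore not optional, and it is the very fact Vanna cannot check on her own.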


Bit-Commitment: Using the Second-lowest Bit

Suppose p ≡ 3 (mod 4) and Z*p has a hard discrete log problem. Suppose α is a primitive element of Z*p.

Recall: SLB(x) =def 0, if x ≡ 0, 1 (mod 4);
                    1, if x ≡ 2, 3 (mod 4).
Recall: When p ≡ 3 (mod 4), computing the SLB of a discrete log is as hard as computing the discrete log itself.
FACT: SLB(x) ≠ SLB(p − x), since p ≡ 3 (mod 4).

So define, for b ∈ { 0, 1 } and random x ∈ Z*(p−1):
    f(b, x) = α^x mod p,       if SLB(x) = b;
              α^(p−x) mod p,   if SLB(x) ≠ b.
So f(b, x) = α^y and SLB(y) = b. Binding? Concealing?


Notes: Concealing: The second-lowest bit problem is equivalent to discrete log. Binding: By the definition of f, SLB(dlogα(f(b, x))) = b. So there is no x′ such that f(1 − b, x′) = f(b, x).

Computational Zero Knowledge Proofs

The Graph Three-Colorability Problem
Given: G = ({ 1, . . . , n }, E).
Question: Is there a three-coloring of G? I.e., ∃g : { 1, . . . , n } → { blue, green, red } ∋ (∀{ u, v } ∈ E)[ g(u) ≠ g(v) ]?

[Figure: a three-colorable graph (left) and a graph that is not three-colorable (right).]

A ZKP for Graph Three-coloring

Assume a trit-commitment scheme f : { 1, 2, 3 } × X → Y. (Trit =def base-3 digit.)
Input: G = ({ 1, . . . , n }, E). // m = |E|
Pat claims G is three-colorable. // ϕ = Pat’s private coloring function
Repeat m² times:
  Pat: Chooses π, a random permutation of 1, 2, 3. For i = 1, . . . , n: ci = π(ϕ(i)); random ri ∈ X; Ri = f(ci, ri), a blob. Sends (R1, . . . , Rn) to Vanna.
  Vanna: Chooses a random { u, v } ∈ E and sends it to Pat.
  Pat: Sends cu, ru, cv, rv to Vanna.
  Vanna: Checks that cu ≠ cv and Ru = f(cu, ru) and Rv = f(cv, rv). If this fails, REJECT.
End repeat.
Vanna ACCEPTS if we get this far.
Example on board.

Analysis of the ZKP for Three-coloring

Completeness: Clear.
Soundness: Suppose G is not three-colorable.
  ∴ In any coloring, ∃{ u, v } ∈ E ∋ u and v have the same color.
  Vanna’s chance of choosing this edge in a given round is 1/m.
  ∴ The probability of Pat fooling Vanna in all m² rounds is:
      lim_{m→∞} (1 − 1/m)^(m²) → 0.   (proof sketch on board)
  ∴ Soundness.
What about ZK?


Notes: From calculus: lim_{n→∞} (1 + x/n)^n = e^x. So it is no surprise that
    lim_{m→∞} (1 + (−1)/m)^(m·m) ≈ lim_{m→∞} (1/e)^m = 0.
(The idea for a proof—not a proof!! For a proof you need to break out the εs and δs.)

Zero Knowledge

perfect: identical distributions
computational: ε-indistinguishable distributions

A Forging Algorithm for Three-Coloring
Input: G = ({ 1, . . . , n }, E). // m = |E|
T ← [G]
For k = 1, . . . , m² do:
  Choose a random { u, v } ∈ E and c, d, and e random distinct colors.
  For i = 1, . . . , n, choose a random ri ∈ X.
  Set Ru = f(c, ru), Rv = f(d, rv), and Rj = f(e, rj) for each j ∈ ({ 1, . . . , n } − { u, v }).
  T ← T ++ [(R1 . . . Rn, u, v, c, d, ru, rv)]
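The three-coloring protocol and the forging algorithm above, run in Python as an added example (not the slides' code). The slides assume an abstract trit-commitment f : { 1, 2, 3 } × X → Y; here f(c, r) = SHA-256(c || r) with a random 16-byte r stands in for it, an assumption made for this demo rather than anything the slides specify. The graphs, the colorings, and the function names are constructed for the example. It also enumerates the six permutations π to show that the pair (cu, cv) Vanna sees in an honest round is uniform over the six ordered pairs of distinct colors, which is what the forgery samples directly.

```python
"""ZKP for graph three-coloring and its forging algorithm. Added example;
f(c, r) = SHA-256(c || r) is a stand-in commitment, not the slides' scheme.
Vertices are 0..n-1; a coloring is a dict vertex -> color in {1, 2, 3}."""
import hashlib
import random
from collections import Counter
from itertools import permutations


def commit(trit, r):
    """Stand-in trit commitment (assumed hiding and binding for SHA-256)."""
    return hashlib.sha256(bytes([trit]) + r).hexdigest()


def fresh_r(rng):
    return rng.getrandbits(128).to_bytes(16, "big")


def prover_commitments(coloring, rng):
    """Pat relabels phi by a random permutation pi of {1,2,3} and commits to every vertex."""
    p = [1, 2, 3]
    rng.shuffle(p)
    pi = {1: p[0], 2: p[1], 3: p[2]}
    colors = {v: pi[c] for v, c in coloring.items()}
    rands = {v: fresh_r(rng) for v in coloring}
    blobs = {v: commit(colors[v], rands[v]) for v in coloring}
    return blobs, colors, rands


def verifier_check(blobs, u, v, cu, ru, cv, rv):
    """Vanna: the endpoints differ and both openings match the blobs."""
    return cu != cv and blobs[u] == commit(cu, ru) and blobs[v] == commit(cv, rv)


def run_protocol(edges, coloring, seed):
    """m^2 rounds; Pat uses `coloring` whether or not it is a proper 3-coloring."""
    rng = random.Random(seed)
    for _ in range(len(edges) ** 2):
        blobs, colors, rands = prover_commitments(coloring, rng)
        u, v = rng.choice(edges)
        if not verifier_check(blobs, u, v, colors[u], rands[u], colors[v], rands[v]):
            return False
    return True


def forge_transcript(n, edges, seed):
    """Simulator: choose the challenged edge first, give its endpoints two
    distinct random colors and every other vertex the third; no coloring needed."""
    rng = random.Random(seed)
    transcript = []
    for _ in range(len(edges) ** 2):
        u, v = rng.choice(edges)
        c, d, e = rng.sample([1, 2, 3], 3)
        rands = {i: fresh_r(rng) for i in range(n)}
        color = {i: (c if i == u else d if i == v else e) for i in range(n)}
        blobs = {i: commit(color[i], rands[i]) for i in range(n)}
        transcript.append((blobs, u, v, c, d, rands[u], rands[v]))
    return transcript


def transcript_verifies(transcript):
    """A forged transcript passes every one of Vanna's checks."""
    return all(verifier_check(b, u, v, c, ru, d, rv) for b, u, v, c, d, ru, rv in transcript)


def honest_reveal_distribution(coloring, u, v):
    """Over the 6 permutations pi, the revealed pair (c_u, c_v) of an honest
    round: uniform on the 6 ordered pairs of distinct colors."""
    return Counter((p[coloring[u] - 1], p[coloring[v] - 1]) for p in permutations([1, 2, 3]))


def demo_graphs():
    """Constructed: a triangle with a pendant vertex (3-colorable) and K4 (not).
    The K4 'coloring' has two monochromatic edges, (0,1) and (2,3)."""
    g = [(0, 1), (1, 2), (0, 2), (2, 3)]
    good = {0: 1, 1: 2, 2: 3, 3: 1}
    k4 = [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)]
    bad = {0: 1, 1: 1, 2: 2, 3: 2}
    return g, good, k4, bad


if __name__ == "__main__":
    g, good, k4, bad = demo_graphs()
    print("honest prover accepted :", run_protocol(g, good, seed=0))
    print("K4 cheater accepted    :", run_protocol(k4, bad, seed=1))
    print("forgery verifies       :", transcript_verifies(forge_transcript(4, g, seed=2)))
    print("revealed pairs, honest :", dict(honest_reveal_distribution(good, 0, 1)))
```

What the forgery cannot reproduce exactly is the unopened blobs, which hide consistent colors in the real run and an arbitrary third color in the forged one; telling the two apart means breaking the commitment, which is why this protocol is computational rather than perfect zero knowledge.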


Analysis Continued

Claim The probability distributions of the protocol and the forgery are ǫ-indistinguishable. proof

  • mitted

Corollary 19. All NP-complete problems have ZKPs. Proof. Since Three-colorability is NP-complete and since all NP-complete problems are interreducible if you have a ZKP for one, you have ZKPs for them all. NP-completeness ref: https://en.wikipedia.org/wiki/NP-completeness


Aside: Is There a Limit to What IP Can Do?

IP = { decision problems provable by an IP protocol }
PSpace = { decision problems computable in poly-space }
Theorem 20 (Shamir 1992). IP = PSpace. (And this can be zero knowledge.)
Proof. Based on earlier results by C. Lund, L. Fortnow, H. Karloff, and N. Nisan. See: http://en.wikipedia.org/wiki/IP_(complexity). For more information on PSpace see: http://en.wikipedia.org/wiki/PSPACE and http://en.wikipedia.org/wiki/PSPACE-complete


A ZKP Application: Oblivious Transfer

An oblivious transfer channel from Pat to Vanna: a scheme for Pat to send Vanna two encrypted packets ∋
1. Vanna can decipher and read exactly one of these.
2. Pat does not know which of the two Vanna can read.
3. Pat and Vanna are certain of 1 and 2.


Oblivious Transfer: Preliminaries

Fix F_q, a large finite field.
F_2^n ≅ n-tuples of binary bits; + ≅ exclusive-or.
b, a primitive element of F_q ∋ (b^x, b^y) → b^{x·y} is hard (the DH-assumption).
ψ: F_q → F_2^n, 1–1, ∋ ψ is easy to compute and invert, and (1/2)|F_2^n| ≤ |F_q| ≤ |F_2^n|.
messages = length-n binary strings
c ∈ F_q^* (supplied by the TA) ∋ neither Pat nor Vanna knows dlog_b(c).


Oblivious Transfer: Setup

Setup for Vanna
Chooses x at random from {1, ..., q − 2} and i at random from {1, 2}. (Private)
Sets β_i = b^x and β_{3−i} = c · b^{−x}. Publishes (β_1, β_2).
Note c · b^{−x} = b^{x′} for some x′. So, dlog_b(c) = (x′ + x) mod (q − 1). (Why?)
∴ Vanna knows x = dlog_b(β_i), but she doesn't know x′ = dlog_b(β_{3−i}), because otherwise she would know dlog_b(c).


Oblivious Transfer: The Protocol

Pat wants to send m_1 and m_2 to Vanna ∋ she can open only one.

Pat
Checks that β_1 · β_2 = c. ∴ Pat knows Vanna doesn't know both dlog_b(β_1) and dlog_b(β_2).
Chooses y_1, y_2 at random from {1, ..., q − 2}. (Private)
Sends to Vanna:
◮ b^{y_1} ∈ F_q^*
◮ α_1 = m_1 ⊕ ψ(β_1^{y_1})
◮ b^{y_2} ∈ F_q^*
◮ α_2 = m_2 ⊕ ψ(β_2^{y_2})

Vanna
As Vanna knows b^{y_i} and x, she can compute (b^{y_i})^x = β_i^{y_i} (in F_q). Then she computes:
α_i ⊕ ψ(β_i^{y_i}) = (m_i ⊕ ψ(β_i^{y_i})) ⊕ ψ(β_i^{y_i}) = m_i ⊕ (ψ(β_i^{y_i}) ⊕ ψ(β_i^{y_i})) = m_i.


Oblivious Transfer: Notes

Recall: An oblivious transfer channel from Pat to Vanna is a scheme for Pat to send Vanna two encrypted packets ∋
1. Vanna can decipher and read exactly one of these.
2. Pat does not know which of the two Vanna can read.
3. Pat and Vanna are certain of 1 and 2.

The key assumption is that Vanna does not know dlog_b(c). If Vanna wanted to find out m_{3−i}, then she would have to find out β_{3−i}^{y_{3−i}} = b^{x′·y_{3−i}}. But knowing x′, she would know dlog_b(c). Since Pat checks, he knows that Vanna does not know both dlog_b(β_1) and dlog_b(β_2). There is no way for Pat to distinguish which of β_1 and β_2 corresponds to b^x and which to c/b^x.
∴ Pat and Vanna are confident of 1 and 2.
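The whole exchange of slides 50–53, Vanna's setup, Pat's check and masking, and Vanna's opening, as an added Python example (not the lecturer's code). The parameters are my assumptions: q = 2^31 − 1 with primitive root b = 7, messages of n = 31 bits, ψ the identity on integers below 2^31, and the TA's c derived from a fixed string so that nobody knows dlog_b(c).

```python
import hashlib
import secrets

# Constructed toy parameters (not from the slides): q = 2^31 - 1 is prime and
# b = 7 is a primitive root mod q, so messages are n = 31-bit strings, and
# psi : F_q -> F_2^n is just the identity on integers below 2^31.
Q = 2**31 - 1
B = 7
# The TA's c: derived from a fixed string, so neither party knows dlog_b(c).
C = int.from_bytes(hashlib.sha256(b"TA constant for c").digest(), "big") % (Q - 1) + 1

def psi(z):
    """psi(z) as a 31-bit string, represented by the integer z itself."""
    return z

def vanna_setup(i):
    """Vanna picks x and the slot i she will be able to open; publishes (beta_1, beta_2)."""
    x = secrets.randbelow(Q - 2) + 1                           # x in {1, ..., q-2}
    beta = {i: pow(B, x, Q), 3 - i: C * pow(B, -x, Q) % Q}    # beta_{3-i} = c * b^{-x}
    return x, (beta[1], beta[2])

def pat_send(m1, m2, betas):
    """Pat checks beta_1 * beta_2 = c, then masks m_j with psi(beta_j^{y_j})."""
    beta1, beta2 = betas
    if beta1 * beta2 % Q != C:
        raise ValueError("beta_1 * beta_2 != c: Vanna could know both dlogs")
    packets = []
    for m, beta in ((m1, beta1), (m2, beta2)):
        y = secrets.randbelow(Q - 2) + 1                       # y_j in {1, ..., q-2}, private
        packets.append((pow(B, y, Q), m ^ psi(pow(beta, y, Q))))   # (b^{y_j}, alpha_j)
    return packets

def vanna_open(i, x, packets):
    """Vanna: (b^{y_i})^x = beta_i^{y_i}, so alpha_i xor psi(beta_i^{y_i}) = m_i."""
    b_y, alpha = packets[i - 1]
    return alpha ^ psi(pow(b_y, x, Q))

def run_ot(m1, m2, i):
    """Whole exchange; Vanna ends up with m_i, and opening the other slot gives garbage."""
    x, betas = vanna_setup(i)
    return vanna_open(i, x, pat_send(m1, m2, betas))
```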


A Noninteractive Proof of Factorization via OT

Characters: Pat / Vanna / TA
Situation: Pat claims to know how to factor n into primes p and q. Vanna wants to know whether to believe Pat's claim.
Setup: Vanna sends Pat a long sequence of OT public keys.
Facts: y has a square root mod (p · q) iff y has exactly four distinct square roots: x, −x, x′, −x′. Computing an arbitrary square root mod p · q is equivalent to knowing how to factor n.


The OT Factoring Protocol: A Round

T.A.: Chooses x at random from {1, ..., n − 1}. (Private) Computes y = x² mod n. Sends y to Pat and Vanna.
Pat: Finds the four square roots of y mod n: ±x, ±x′. Chooses x_0 at random from {x, −x, x′, −x′} and r at random from {1, ..., n − 1}. Computes:
  s = r² mod n
  m_1 = r
  m_2 = (x_0 · r) mod n
Sends s to Vanna and sends (m_1, m_2) to Vanna by OT. (So Vanna can choose to know one of m_1 and m_2, but not the other.)
Vanna: If she chose m_1, then checks that (m_1)² = s (mod n). If she chose m_2, then checks that (m_2)² = y · s (mod n). If the test fails, then Pat is caught lying. If Pat is telling the truth, then (m_2)² = (x_0 · r)² = x_0² · r² = y · s (mod n).

If after k rounds Vanna has not caught Pat lying, then Prob[Pat is telling the truth] ≥ 1 − 2^{−k}. Challenge: Argue the above is zero knowledge.


The Feige-Fiat-Shamir Identification Scheme

Setup
n = p · q, p and q prime. Private to T.A.: p, q.
s_1, ..., s_k ∈ Z_n^*; v_1, ..., v_k ∋ v_i = (s_i)^{−2} mod n and (§§).
Private to Pat + TA: s_1, ..., s_k. Public: n, v_1, ..., v_k.
Pat is prob. ptime powerful.
(§§) card{ v_1^{b_1} · v_2^{b_2} · ... · v_k^{b_k} : b_1, ..., b_k ∈ {0, 1} } = 2^k

Pat's Claim: He knows s_1, ..., s_k.

Round (Q: What is the purpose of r below?)
Pat: Chooses r at random from Z_n^*; computes x = r² mod n; sends x to Vanna.
Vanna: Chooses b_1, ..., b_k at random from {0, 1} and sends them to Pat. (Challenge: What is the sq. rt. of x · v_1^{−b_1} · ... · v_k^{−b_k}?)
Pat: Computes y = r · s_1^{b_1} · ... · s_k^{b_k} (mod n) and sends y to Vanna.
Vanna: Checks that x = y² · v_1^{b_1} · ... · v_k^{b_k} (mod n). If not, REJECT.

CLAIM: This is (a) Complete, (b) Sound, and (c) ZK. proof on board


Notes: Completeness. Suppose Pat is telling the truth. So y = r · s_1^{b_1} · ... · s_k^{b_k} (mod n) and
y² · v_1^{b_1} · ... · v_k^{b_k} ≡ r² · (s_1^{b_1})² · ... · (s_k^{b_k})² · v_1^{b_1} · ... · v_k^{b_k}
  ≡ r² · v_1^{−b_1} · ... · v_k^{−b_k} · v_1^{b_1} · ... · v_k^{b_k}
  ≡ r² ≡ x (mod n)


Notes: Soundness. Suppose Pat is lying. By (§§), card{ x · v_1^{−b_1} · ... · v_k^{−b_k} (mod n) : b_1, ..., b_k ∈ {0, 1} } = 2^k. So Pat has a 1 in 2^k chance of guessing correctly.
Q: Why is (§§) needed?
ZK: Another probability calculation.
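The round on slide 56 together with the completeness and soundness notes, as an added Python example (not the lecturer's code). The modulus (two small primes) and k = 8 are my assumptions; the TA redraws the s_i until (§§) holds, and cheating_round shows why (§§) matters: a Pat without the s_i who guesses Vanna's bits in advance passes exactly when the guess is right, so once per 2^k rounds.

```python
import secrets
from itertools import product
from math import gcd

# Constructed toy parameters (not from the slides): two small primes and k = 8.
P, Q, K = 10007, 10009, 8
N = P * Q

def rand_unit():
    """A random element of Z_n^*."""
    while True:
        a = secrets.randbelow(N - 1) + 1
        if gcd(a, N) == 1:
            return a

def prod_pow(base, bits):
    """prod_i base[i]^bits[i] mod n; used for the s_i (Pat) and the v_i (Vanna)."""
    acc = 1
    for b, bit in zip(base, bits):
        if bit:
            acc = acc * b % N
    return acc

def ta_setup(k=K):
    """TA: s_i in Z_n^*, v_i = s_i^{-2} mod n, redrawn until (§§) holds."""
    while True:
        s = [rand_unit() for _ in range(k)]
        v = [pow(si * si % N, -1, N) for si in s]
        if len({prod_pow(v, bits) for bits in product((0, 1), repeat=k)}) == 2**k:
            return s, v                                   # (§§): all 2^k products distinct

def honest_round(s, v):
    """Pat knows the s_i; returns True when Vanna's check passes."""
    r = rand_unit()
    x = r * r % N                                         # Pat: x = r^2
    bits = [secrets.randbelow(2) for _ in v]              # Vanna: b_1, ..., b_k
    y = r * prod_pow(s, bits) % N                         # Pat: y = r * prod s_i^{b_i}
    return y * y * prod_pow(v, bits) % N == x             # Vanna: x == y^2 * prod v_i^{b_i}

def cheating_round(v, guess):
    """Pat without the s_i: guess the bits, pick y, and set x = y^2 * prod v_i^{g_i}.
    Returns (check passed, guess was right); by (§§) the two always agree."""
    y = rand_unit()
    x = y * y * prod_pow(v, guess) % N
    bits = [secrets.randbelow(2) for _ in v]
    return y * y * prod_pow(v, bits) % N == x, list(bits) == list(guess)
```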

The ID Scheme

The T.A.
I = Pat's name, birthday, ...
H = a public hash function
For j = 1, 2, ..., m do: // m ≈ 4 · k
  Check if H(I||j) has a square root mod n. If so, make H(I||j) one of the v_i's.
Make I, n, j_1, ..., j_k public. // v_i = H(I||j_i)
Send Pat s_1, ..., s_k. // Goes into Pat's smart card
Throw away p and q. // Each person gets a different p and q.
Pat: Submits his smart card to an Autoteller (Vanna).
Vanna: Downloads Pat's I, n, j_1, ..., j_k. Goes through several rounds of the ZK protocol. If she accepts, she lets Pat withdraw money.
Eve: Can watch the whole exchange, but learns nothing about s_1, ..., s_k.


BONUS: Identity-Based Encryption

  • What if you could use your name or email address as your public key?
  • Identity-Based Encryption schemes let you do this.
  • These schemes require a trusted third party (the Private Key Generator (PKG)).
  • Cocks came up with a quadratic-residue-based ID-based encryption scheme.


Clifford Cocks

In 1973, while working for UK’s GCHQ (the British equivalent to the NSA), he invented what we call the RSA algorithm. This work was declassified in 1997. Rivest, Shamir, and Adleman independently invented RSA in 1977 and published in 1978.


Cocks's Scheme, 1

Setup by the PKG
1. Pick two primes, p and q, with p ≡ q ≡ 3 (mod 4). (Private)
2. Let n = p · q and let h: {0, 1}* → Z_n be a secure hash function. (Public)
messages = {−1, 1}; ciphertexts = Z_n.

User ID asks PKG for a private key. The PKG:
1. From ID, computes (using h) an a with Jacobi symbol (a/n) = 1 and an r with either r² = a or r² = −a. (We'll assume r² = a.)
2. Sends r to ID.

Bob wants to send m ∈ {−1, 1} to ID
Picks t at random from (Z_n − {0}) with m = (t/n) and sends s = t + a · t^{−1} (mod n) to ID.

ID wants to decipher s
ID computes m′ = ((s + 2r)/n).

Claim: m = m′. Note: t(1 + r · t^{−1})² = t + 2r + r² · t^{−1} = (t + a · t^{−1}) + 2r = s + 2r. So, m′ = ((s + 2r)/n) = (t/n) = m.


Cocks's Scheme, 2

Security: Breaking the scheme is equivalent to solving the quadratic residuosity problem.
Efficiency: Time is not so bad. Space is quite bad: 1 bit takes 1024 bits to encode.

For more: https://en.wikipedia.org/wiki/Cocks_IBE_scheme#Security
