



We will consider the following authentication scheme: the user selects a number N = P · Q, the product of two large primes, and a number y = x^2 mod N. The server is given N and y, and to log in the user must prove that she knows x with x^2 = y mod N. Notice the similarity between this and the RSA function: here we are squaring instead of cubing to implement our hard-to-invert function. Indeed, it turns out that computing square roots modulo N is provably as hard as factoring N (as always, this is proved by a reduction. The reduction shows how to use any algorithm for square root extraction as a subroutine to implement a fast algorithm for factoring).
Before we can state the zero-knowledge protocol and establish its properties, we must state a few facts about numbers which are perfect squares modulo N. Let us restrict our attention to numbers 0 ≤ a ≤ N − 1 which are relatively prime to N (i.e. gcd(a, N) = 1; note that if the gcd is not 1 then it must be P or Q, so such a's are rare and lucky choices, since the gcd then reveals a factor of N, and we will not consider them). This set of numbers is denoted Z_N^*. For example, for N = 15, we would consider the numbers Z_15^* = {1, 2, 4, 7, 8, 11, 13, 14}. Among these numbers only 1 and 4 are perfect squares. Each has four square roots, {1, 4, 11, 14} and {2, 7, 8, 13} respectively. The square roots come in pairs, e.g. 13 = −2 mod 15 and 8 = −7 mod 15. In fact, for general N = P · Q, exactly one quarter of the elements of Z_N^* are perfect squares, and every perfect square a mod N has four square roots, which come in two pairs ±x and ±y. Moreover, multiplying a square by a square gives another square, since x^2 · z^2 mod N = (xz)^2 mod N.
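The facts above, and the reduction from factoring to square-root extraction mentioned earlier, can be checked by brute force for tiny N. The following is an added example, not code from the lecture notes: it enumerates Z_N^*, counts the perfect squares and their roots, and implements the standard reduction, which the notes describe but do not spell out: two square roots x, z of the same value with z ≠ ±x satisfy (x − z)(x + z) = 0 mod N with neither factor zero, so gcd(x − z, N) is a proper factor of N. The name `sqrt_oracle` stands for any hypothetical square-root algorithm.

```python
# Added example: quadratic residues in Z_N^* for N = P*Q, and the classical
# reduction "square roots mod N  =>  factoring N". Brute force; tiny N only.
from math import gcd
import random


def units(N):
    """Z_N^*: residues 1..N-1 that are relatively prime to N."""
    return [a for a in range(1, N) if gcd(a, N) == 1]


def squares(N):
    """The perfect squares (quadratic residues) in Z_N^*, sorted."""
    return sorted({x * x % N for x in units(N)})


def square_roots(a, N):
    """All x in Z_N^* with x^2 = a (mod N)."""
    return [x for x in units(N) if x * x % N == a % N]


def factor_from_roots(x, z, N):
    """Given square roots x, z of the same a with z != +-x (mod N):
    x^2 - z^2 = (x - z)(x + z) = 0 (mod N), and neither factor is 0 mod N,
    so gcd(x - z, N) is a nontrivial factor. Returns (p, q) or None."""
    if (x - z) % N == 0 or (x + z) % N == 0:
        return None
    p = gcd(x - z, N)
    return (p, N // p) if 1 < p < N else None


def factor_with_root_oracle(N, sqrt_oracle, rng=random, tries=64):
    """Factor N using ANY square-root extractor as a subroutine: pick a random
    unit x, ask the oracle for a root z of x^2. The oracle cannot tell which of
    the four roots we started from, so z != +-x with probability 1/2 per try."""
    for _ in range(tries):
        x = rng.choice(units(N))
        z = sqrt_oracle(x * x % N)
        found = factor_from_roots(x, z, N)
        if found:
            return found
    return None


if __name__ == "__main__":
    N = 15
    print("Z_15^* =", units(N))                 # [1, 2, 4, 7, 8, 11, 13, 14]
    print("squares =", squares(N))              # [1, 4]  (one quarter of 8)
    for a in squares(N):
        print(a, "has roots", square_roots(a, N))
    # a deterministic "oracle" that always returns the smallest root (assumed)
    oracle = lambda a: min(square_roots(a, N))
    print("factors:", factor_with_root_oracle(N, oracle, random.Random(1)))
```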
The protocol:
The prover knows x : x^2 = y mod N. She wishes to prove to the verifier that she knows such a value x. One round of the protocol consists of three messages:
1. The prover picks a uniformly random r in Z_N^* and sends s = r^2 mod N to the verifier.
2. The verifier issues one of two challenges, chosen at random: challenge I asks for a square root of s mod N; challenge II asks for a square root of sy mod N.
3. The prover answers with u = r mod N (challenge I) or with v = rx mod N (challenge II). The verifier accepts if u^2 = s mod N, respectively v^2 = sy mod N.
Let us prove that this protocol provides a zero-knowledge proof of knowledge of a square root of y mod N. We will show that if the prover does not know a square root of y mod N then the honest verifier will catch her cheating with probability at least 1/2 in a single round. This will establish that the protocol constitutes a proof of knowledge. And we will show that the verifier cannot extract any extra information from the prover no matter how he deviates from the protocol. To do so we will show that for every verifier (no matter how dishonest), there is a simulator that can recreate the verifier's view (his conversation with the prover) without any knowledge of a square root of y mod N. This will establish that the protocol is zero-knowledge.
Knowledge extractor:
If the prover wishes not to be caught cheating, she must be able to answer both possible challenges of the verifier. We will argue that such a prover must know a square root of y mod N. For the purposes of the proof let us assume that there is a hypothetical knowledge extractor who can travel backward in time, and after issuing the first challenge and receiving the answer, the knowledge extractor travels back in time and issues the second challenge on the same s. By our assumption the prover can answer both challenges and therefore the knowledge extractor receives u : u^2 = s mod N and v : v^2 = sy mod N. Now w = v/u mod N is a square root of y mod N, since w^2 = v^2/u^2 = sy/s = y mod N. Thus the knowledge extractor can obtain a square root of y mod N, therefore establishing that the prover must have known a square root of y mod N. It is important to understand that the knowledge extractor is a hypothetical construct. In the actual protocol the prover answers only the one challenge that the verifier issues for a given s, never both. Also note that a dishonest prover can cheat with probability 1/2 in a single round: she guesses the challenge in advance and prepares a commitment she can answer for that challenge alone (s = r^2 for challenge I, or s = r^2/y for challenge II, so that sy = r^2). This probability of cheating can be decreased to 1/2^k by repeating the protocol k times.
The Simulator:
What is the verifier's view of the protocol? Note that we are now assuming that the prover is honest and that the verifier is trying to trick the prover into revealing information beyond her knowledge of some square root of y mod N. Under challenge I the verifier receives a square root of s, where s is a uniformly random perfect square modulo N. Let us show that the number sy mod N whose square root is revealed under challenge II is also a uniformly random perfect square modulo N. To see this first notice that sy is a perfect square, since it is a product of two perfect squares. Also notice that multiplication by y mod N is a permutation of Z_N^*. This is because all the numbers we are working with are relatively prime to N, and therefore we can divide by y mod N to show that if sy = s′y mod N then s = s′ mod N. Thus multiplication by y is a one-to-one mapping from the set of perfect squares to itself, and is therefore a bijection. Thus if we pick s at random among the perfect squares, then sy mod N is also uniformly random among the perfect squares modulo N.
The simulator selects a random r mod N, and with probability 1/2 sends the verifier r^2 mod N and with probability 1/2 sends the verifier r^2/y mod N. If the verifier issues challenge I, then in the first case the simulator responds with r mod N and otherwise rewinds the simulation and starts again. If the verifier issues challenge II, then in the second case the simulator responds with r mod N (since (r^2/y) · y = r^2), and otherwise it rewinds the simulation and starts again. By the argument above, r^2 and r^2/y are both uniformly random perfect squares, so the verifier, however dishonest, cannot tell from the message he receives which case the simulator is in; his challenge is therefore independent of the simulator's choice, and it follows that each attempt satisfies the verifier with probability at least 1/2, so the simulation terminates after an expected two attempts. The verifier's view is accurately recreated by the simulator, since it just consists of a uniformly random perfect square modulo N, followed by the verifier's own challenge, followed by a response from the prover consisting of a square root of the number that challenge asks about.
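Putting the protocol, the cheating prover, the knowledge extractor and the simulator side by side makes the rewinding argument concrete. The following is an added example and not code from the lecture notes; it uses a deliberately tiny modulus (N = 101 · 103) and Python's non-cryptographic `random` so that it runs instantly, whereas a real deployment needs primes of at least 1024 bits and a CSPRNG. The class names and the `verifier_strategy` callback are this example's own naming. Note that the simulator is literally the cheating prover plus rewinding: the same trick that lets a cheater pass with probability 1/2 lets the simulator produce perfect transcripts with no knowledge of x.

```python
# Added example: square-root identification protocol, cheating prover,
# rewinding knowledge extractor and simulator. Toy parameters only.
import random
from math import gcd


def keygen(P, Q, rng):
    """User picks N = P*Q and a secret x in Z_N^*; registers (N, y = x^2 mod N)."""
    N = P * Q
    while True:
        x = rng.randrange(2, N)
        if gcd(x, N) == 1:
            return N, x, x * x % N


def random_unit(N, rng):
    while True:
        r = rng.randrange(1, N)
        if gcd(r, N) == 1:
            return r


class HonestProver:
    """Knows x with x^2 = y (mod N)."""
    def __init__(self, N, x, rng):
        self.N, self.x, self.rng = N, x, rng

    def commit(self):                      # message 1: s = r^2 mod N
        self.r = random_unit(self.N, self.rng)
        return self.r * self.r % self.N

    def respond(self, challenge):          # message 3: root of s, or of s*y
        return self.r if challenge == 1 else self.r * self.x % self.N


class CheatingProver:
    """Knows only the public (N, y). Guesses the challenge in advance and
    prepares a commitment it can answer for that challenge alone."""
    def __init__(self, N, y, rng):
        self.N, self.y, self.rng = N, y, rng

    def commit(self):
        self.guess = self.rng.choice((1, 2))
        self.r = random_unit(self.N, self.rng)
        s = self.r * self.r % self.N
        # for challenge 2 send s = r^2 / y, so that s*y = r^2 has the known root r
        return s if self.guess == 1 else s * pow(self.y, -1, self.N) % self.N

    def respond(self, challenge):
        return self.r if challenge == self.guess else None   # wrong guess: stuck


def verifier_accepts(N, y, s, challenge, answer):
    """Accept iff answer^2 = s (challenge 1) or answer^2 = s*y (challenge 2)."""
    if answer is None:
        return False
    target = s if challenge == 1 else s * y % N
    return answer * answer % N == target


def run_rounds(N, y, prover, rng, k=40):
    """Honest verifier: k rounds with random challenges. A prover who can
    answer only one challenge per commitment survives with probability 1/2^k."""
    for _ in range(k):
        s = prover.commit()
        c = rng.choice((1, 2))
        if not verifier_accepts(N, y, s, c, prover.respond(c)):
            return False
    return True


def extract(N, y, prover):
    """Knowledge extractor: 'rewind' by asking BOTH challenges on one commitment.
    From u^2 = s and v^2 = s*y, w = v/u satisfies w^2 = y. Returns w, or None
    if the prover cannot answer both (then it proved nothing)."""
    s = prover.commit()
    u, v = prover.respond(1), prover.respond(2)
    if u is None or v is None:
        return None
    w = v * pow(u, -1, N) % N
    return w if w * w % N == y else None


def simulate(N, y, verifier_strategy, rng):
    """Simulator for an arbitrary (possibly dishonest) verifier, given as a
    function from the first message s to a challenge. Knows no root of y:
    commit like the cheater, and if the verifier's challenge matches the
    guess emit the transcript, otherwise rewind and retry."""
    cheater = CheatingProver(N, y, rng)
    while True:
        s = cheater.commit()
        c = verifier_strategy(s)
        answer = cheater.respond(c)
        if answer is not None:
            return s, c, answer


if __name__ == "__main__":
    rng = random.Random(2024)
    N, x, y = keygen(101, 103, rng)
    print("honest prover accepted:", run_rounds(N, y, HonestProver(N, x, rng), rng))
    print("cheater accepted:      ", run_rounds(N, y, CheatingProver(N, y, rng), rng))
    print("extracted root ok:     ", extract(N, y, HonestProver(N, x, rng)) is not None)
    s, c, a = simulate(N, y, lambda s: 2 if s % 2 else 1, rng)   # a biased verifier
    print("simulated transcript verifies:", verifier_accepts(N, y, s, c, a))
```

The extractor never has access to x: it only calls `commit` and `respond`, exactly as a verifier would, and the rewinding is modelled by calling `respond` twice on one commitment. Likewise `simulate` is handed the verifier's strategy as a black box, which is what "for every verifier" means in the zero-knowledge argument.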
Multi-party Protocols:
In a multi-party protocol, we have n players, each with an input, who jointly wish to compute some function of these inputs. For example, in an election protocol with two candidates, candidate 0 and candidate 1, each player has a single bit which represents his vote, and the protocol must compute the majority of all these n bits. Ideally at the end of the protocol, each player knows only the answer (which is the majority bit) and his own vote, and no further information is leaked during the protocol. We will consider three different models in which such a protocol can be implemented.
Before we do so, let us consider another example of a multi-party protocol: the millionaires' problem. Suppose that n millionaires meet at a party and they wish to know who is the wealthiest. However, none of the players wishes to reveal any information about their net worth. Ideally we would like a protocol at the end of which each player learns who is the wealthiest, without learning any further information about the other players, i.e. at the end of the protocol each player knows her own net worth, and the identity of the wealthiest player, and nothing more.
A model in which it is easy to design such multi-party protocols is the trusted party model. For example, an election protocol can be implemented by having each party reveal their vote to the trusted party, who then computes the majority answer and broadcasts the result to all n players. Similarly, in the millionaires' problem, each party could reveal their net worth to the trusted party, who then figures out which one is the wealthiest and broadcasts the answer.