

Prof. Salil Vadhan, Computer Science, Cryptography, Harvard, Exercises
Typology: Exercises


Assigned: Dec 14, 2006 Due: Jan 8, 2007 (1:10 PM)
Justify all of your answers. See the syllabus for collaboration and lateness policies. You can submit by email to ciocan@eecs (please include source files) or by hardcopy to Carol Harlow in MD 343.
Problem 1. (1-out-of-k Oblivious Transfer)
Problem 2. (Proving Inequality of Encrypted Messages) When we covered homomorphic encryption in class (Lecture Notes 15), we saw various techniques for proving various properties of encrypted messages (such as equality) without revealing any additional information about the messages. With a bit more work, these can be made into genuine zero-knowledge proofs (currently, the proofs reveal information about the randomization used in the encryption process). Here you will see a zero-knowledge protocol for proving inequality of encrypted messages.
Consider a public-key encryption scheme $(G, E, D)$ with the property that ciphertexts can be efficiently re-randomized. That is, there is a probabilistic polynomial-time algorithm $T$ such that given any valid public key $pk$ and a ciphertext $c = E_{pk}(m; r)$ for some message $m$ and randomness $r$, $T(pk, c)$ outputs a random encryption of $m$ with respect to $pk$. That is, $T(pk, c) \equiv E_{pk}(m; R)$ for uniformly random $R$. The homomorphic encryption schemes described in class (e.g. El Gamal, Paillier) both have this property. Assume for simplicity that it is also easy to recognize valid public keys and valid ciphertexts. (This holds for El Gamal.)
Interactive proof $(P, V)$
Common input: $(pk, c_0, c_1)$
Prover’s private input: $sk$ corresponding to $pk$
(a) $V$: Choose $b \stackrel{R}{\leftarrow} \{0, 1\}$, let $c \stackrel{R}{\leftarrow} T(c_b)$, and send $c$ to $P$.
(b) $P$: Let $m = D_{sk}(c)$. If $m = m_0$, let $g = 0$, else let $g = 1$. Send $g$ to $V$.
(c) $V$: Accept iff $g = b$.
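
A simulation of the interactive proof above, added here as an illustration and not part of the original problem set. It instantiates (G, E, D) with El Gamal over a toy group; the parameters, the function names, and the reading of m_0 as D_sk(c_0) are assumptions.

```python
import secrets

# Toy parameters (constructed for illustration, far too small for real use):
# safe prime P = 2*Q + 1, and G = 4 generates the order-Q subgroup of squares.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = 1 + secrets.randbelow(Q - 1)
    return pow(G, sk, P), sk                 # (pk, sk)

def encrypt(pk, m, r=None):
    """El Gamal: E_pk(m; r) = (G^r, m * pk^r); m must lie in the subgroup."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P), m * pow(pk, r, P) % P

def decrypt(sk, c):
    a, b = c
    return b * pow(a, Q - sk, P) % P         # a^(Q-sk) = a^(-sk) in the subgroup

def rerandomize(pk, c):
    """T(pk, c): multiply by a fresh encryption of 1, giving E_pk(m; r + s)."""
    a, b = c
    s = secrets.randbelow(Q)
    return a * pow(G, s, P) % P, b * pow(pk, s, P) % P

def run_round(pk, sk, c0, c1):
    """One execution of (P, V); returns True iff V accepts."""
    b = secrets.randbelow(2)                 # (a) V picks b and re-randomizes c_b
    c = rerandomize(pk, (c0, c1)[b])
    m0 = decrypt(sk, c0)                     # (b) P compares D_sk(c) with m_0
    g = 0 if decrypt(sk, c) == m0 else 1
    return g == b                            # (c) V accepts iff g = b

def accept_rate(m0, m1, rounds=2000):
    pk, sk = keygen()
    c0, c1 = encrypt(pk, m0), encrypt(pk, m1)
    return sum(run_round(pk, sk, c0, c1) for _ in range(rounds)) / rounds

if __name__ == "__main__":
    ma, mb = pow(G, 5, P), pow(G, 7, P)      # two distinct subgroup elements
    print("m0 != m1:", accept_rate(ma, mb))  # honest prover always convinces V
    print("m0 == m1:", accept_rate(ma, ma))  # g is independent of b: about 1/2
```

When the two plaintexts are equal, the re-randomized ciphertext carries no information about b, so the prover's answer matches b only about half the time.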
Problem 3. (Public-Key Identification Schemes) On Problem Set 6, you showed how to construct a protocol that allows a user to identify herself to a server, provided the user and the server share a secret key $k$. Here you will see how zero-knowledge proofs can be used to construct public-key identification schemes, where the user has a secret key $sk$ and publishes a public key $pk$. The server only needs to know the public key of the user to verify the user’s identity. For security, we require that an adversary who is given the public key $pk$ and engages in polynomially many executions of the identification protocol with the user still cannot successfully impersonate the user, except with negligible probability.
Here is a construction of such a public-key identification scheme based on the zero-knowledge proof for Quadratic Residuosity given in class. On security parameter $n$, the user generates her keys by picking two random $n$-bit primes $p_1, p_2$, computing $N = p_1 \cdot p_2$, choosing $q \stackrel{R}{\leftarrow} \mathbb{Z}_N^*$, computing $x = q^2 \bmod N$, and setting $pk = (N, x)$ and $sk = (N, q)$. A single execution of the identification protocol between the user $U$ and a server $S$ proceeds as follows.