Study of Quadratic Residuosity in Cryptography: Interactive & Zero-Knowledge Proofs, Study notes of Cryptography and System Security

Lecture notes from CS 120/E-177: Introduction to Cryptography (Salil Vadhan and Alon Rosen) on interactive proofs and zero-knowledge proofs. The motivation is to transform protocols secure against honest-but-curious adversaries into ones secure against malicious adversaries by having each party prove that it follows the protocol without leaking its input. The notes define classical (NP) proofs and interactive proofs, introduce zero-knowledge proofs, in which the verifier learns nothing beyond the truth of the statement, and present a cut-and-choose interactive proof for quadratic residuosity. Recommended readings are included.

Typology: Study notes

2010/2011

Uploaded on 11/02/2011


CS 120/ E-177: Introduction to Cryptography

Salil Vadhan and Alon Rosen Dec. 12, 2006

Lecture Notes 20:

Zero-Knowledge Proofs

Recommended Reading.

  • Vadhan, Interactive & Zero-Knowledge Proofs, from IAS/PCMI Summer School on Computational Complexity, Secs 1.1, 1.2, 2.1, 2.2.
  • Goldreich, Chapter 4 (up to 4.4)

1 Interactive Proofs

Motivation: transforming protocols secure against honest-but-curious adversaries into ones secure against malicious adversaries.

  • Have parties `prove' that they are following the protocol.
  • How can this be done without leaking information (e.g. their input)?

1.1 Classical Proofs

Definition 1 An NP proof system for membership in a language L is an algorithm V such that

  1. (Completeness) If x ∈ L, then there exists proof s.t. V(x, proof) = accept.
  2. (Soundness) If x ∉ L, then for all proof*, V(x, proof*) = reject.
  3. (Efficiency) V(x, proof) runs in time poly(|x|).
    • NP proofs inherently provide more knowledge than x ∈ L: after checking, the verifier holds the witness itself.

1.2 Interactive Proofs

  • Two new ingredients: interaction and randomization. Instead of having the proof be a static object, we have a dynamic prover who interacts with the verifier. The verifier V is probabilistic and is allowed a small error probability.
  • Interactive (2-party) protocol: A pair of algorithms (A, B) mapping input, history, and coin tosses to the next message, e.g. m_1 = A(x; r_A), m_2 = B(x, m_1; r_B), m_3 = A(x, m_1, m_2; r_A), ...

Definition 2 An interactive proof for a language L is an interactive protocol (P, V) such that

  1. (Completeness) If x ∈ L, then V accepts in (P, V)(x) with probability at least 2/3.
  2. (Soundness) If x ∉ L, then for all P*, V accepts in (P*, V)(x) with probability at most 1/3.
  3. (Efficiency) The total computation time of V and total communication in (P, V)(x) is at most poly(|x|).
  • Efficiency of the honest prover P:
    • Complexity theory: allow P to be computationally unbounded, and study the power of interactive proofs (IP) as compared to classical proofs (NP).
    • Cryptography: restrict to L ∈ NP, require P to be polynomial time given an NP proof (a witness), and hope for additional properties not possible with NP proofs (namely, zero knowledge).

  • Error probabilities can be made exponentially small by repetition as usual.

1.3 Quadratic Residuosity

  • L = {(N, x) : x ∈ QR(N )}.
  • How can we prove that x ∈ QR(N ) without revealing a square root of x?
  • Idea: cut and choose

    • x ∈ QR(N) ⇔ ∃y ∈ Z_N^* such that y ∈ QR(N) ∧ xy ∈ QR(N).
    • The prover `cuts' by choosing a random y; the verifier `chooses' which of the two statements (y ∈ QR(N) or xy ∈ QR(N)) should be proven.

Proof system for Quadratic Residuosity, on common input (N, x):

  1. P: Let q be such that x = q^2 mod N (the prover's private input).
  2. P: Choose r ←_R Z_N^*. Send y = r^2 mod N.
  3. V: Choose and send b ←_R {0, 1}.
  4. P: If b = 0, let s = r. If b = 1, let s = qr mod N. Send s to V.
  5. V: If b = 0, accept if s^2 ≡ y (mod N). If b = 1, accept if s^2 ≡ xy (mod N).
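The following is an added worked example in Python, not code from the lecture notes. It runs the five-step protocol above with an honest prover, a cheating prover that knows no square root and simply guesses b in advance (so it survives one round with probability 1/2), and sequential repetition, which is how the error is driven down as Section 1.2 notes. It also contrasts the classical NP proof of Section 1.1, where the certificate is the square root q itself. The modulus N = 77 = 7 * 11, the residue x = 25 = 5^2 and the non-residue x = 3 are constructed toy values; the class and function names are this example's own. One caveat the code makes explicit: if the verifier checks only the congruences in step 5, a prover sending y = 0 and s = 0 passes both branches, so the verifier here additionally requires s ∈ Z_N^* (equivalently, it could require y ∈ Z_N^*).

```python
# Added example (not from the lecture notes): cut-and-choose interactive
# proof for quadratic residuosity, common input (N, x).
import secrets
from math import gcd


def random_unit(N):
    """Uniform element of Z_N^* by rejection sampling (the notes' r <-_R Z_N^*)."""
    while True:
        r = secrets.randbelow(N - 1) + 1          # 1 .. N-1
        if gcd(r, N) == 1:
            return r


def is_qr_bruteforce(N, x):
    """Ground truth for the toy modulus only: is x a square of a unit mod N?
    Infeasible for a real N, which is exactly why a proof is needed."""
    return any(pow(q, 2, N) == x % N for q in range(1, N) if gcd(q, N) == 1)


def np_verify(N, x, q):
    """Classical NP proof (Definition 1): the certificate is a square root q.
    Accepting tells V more than 'x in QR(N)': V now holds q itself."""
    return gcd(q, N) == 1 and pow(q, 2, N) == x % N


class HonestProver:
    """Knows q with x = q^2 mod N and follows steps 1, 2 and 4 exactly."""
    def __init__(self, N, x, q):
        assert pow(q, 2, N) == x % N
        self.N, self.x, self.q = N, x, q

    def commit(self):
        self.r = random_unit(self.N)
        return self.r * self.r % self.N                         # y = r^2 mod N

    def respond(self, b):
        return self.r if b == 0 else self.q * self.r % self.N   # s = r or q*r


class CheatingProver:
    """Knows no square root of x (x may have none). It guesses the challenge
    before committing and shapes y so that only the guessed branch passes."""
    def __init__(self, N, x, guesses=None):
        self.N, self.x = N, x
        self.guesses = list(guesses) if guesses is not None else None

    def commit(self):
        self.guess = self.guesses.pop(0) if self.guesses else secrets.randbelow(2)
        self.s = random_unit(self.N)
        if self.guess == 0:
            return self.s * self.s % self.N                       # s^2 = y
        return self.s * self.s * pow(self.x, -1, self.N) % self.N  # s^2 = x*y

    def respond(self, b):
        return self.s                                             # passes iff b == guess


class DegenerateProver:
    """Sends y = 0 and s = 0; the bare congruences of step 5 accept this."""
    def commit(self):
        return 0

    def respond(self, b):
        return 0


def verifier_check(N, x, y, b, s, require_unit=True):
    """Step 5. `require_unit` is the extra check that rules out y = s = 0."""
    if require_unit and gcd(s, N) != 1:
        return False
    target = y % N if b == 0 else x * y % N
    return pow(s, 2, N) == target


def run_protocol(N, x, prover, rounds, coins=None, require_unit=True):
    """Sequential repetition: V accepts iff every round accepts.
    `coins` fixes V's challenges for reproducible runs; default is random."""
    for i in range(rounds):
        y = prover.commit()
        b = secrets.randbelow(2) if coins is None else coins[i]
        s = prover.respond(b)
        if not verifier_check(N, x, y, b, s, require_unit):
            return False
    return True


def cheating_success_rate(N, x, rounds, trials):
    """Empirical acceptance rate of CheatingProver; expect about 2^-rounds."""
    wins = sum(run_protocol(N, x, CheatingProver(N, x), rounds) for _ in range(trials))
    return wins / trials


# Constructed toy instance: N = 77 = 7 * 11; x = 25 = 5^2 is a residue,
# x = 3 is not (3 is not a square mod 7).
N, X_RES, Q, X_NON = 77, 25, 5, 3

if __name__ == "__main__":
    print("NP proof reveals the root q =", Q, "->", np_verify(N, X_RES, Q))
    print("honest prover, 20 rounds:", run_protocol(N, X_RES, HonestProver(N, X_RES, Q), 20))
    print("cheating prover, 1 round:", cheating_success_rate(N, X_NON, 1, 2000))
    print("cheating prover, 20 rounds:", cheating_success_rate(N, X_NON, 20, 200))
    print("y = s = 0, bare step 5:", run_protocol(N, X_NON, DegenerateProver(), 5, require_unit=False))
    print("y = s = 0, with unit check:", run_protocol(N, X_NON, DegenerateProver(), 5))
```

The cheating prover shows why soundness error is exactly 1/2 per round: it can prepare a y that answers either challenge, but not both, and must fix its choice before seeing b; reordering the messages (b before y) would let it answer every challenge. Running 20 rounds brings its acceptance probability to 2^-20, matching the "repetition as usual" remark.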

Proposition 3 Above is an interactive proof for Quadratic Residuosity.

Proof: