ie400 course document ie400 course document, Summaries of Engineering

Typology: Summaries

2025/2026

Uploaded on 03/07/2026

emine-fidan
Abdullah Talayhan - 26.11.2025
CS470/519
Introduction to Applied Cryptography
Week10b
Zero Knowledge Proofs

(cont'd)

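A Sigma Protocol is a specific type of interactive protocol (3-move) between a prover $P(x, w)$ and a verifier $V(x)$:

1. $P \to V$: $a$
2. $V \to P$: $c$, where $c \xleftarrow{\$} R$
3. $P \to V$: $z$

It has the following properties:

- Completeness
- Special Soundness (Knowledge Soundness)
- Honest Verifier Zero-Knowledge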

Completeness

A Sigma Protocol is complete if, given an honest execution of the protocol $(a, c, z)$ between $P(x, w)$ and $V(x)$ with $c \xleftarrow{\$} R$, we have $V(x, a, c, z) = 1$.

If the prover is honest, then it should be able to convince the verifier.

Honest Verifier Zero Knowledge

A Sigma Protocol is HVZK (Honest Verifier Zero Knowledge) if we can build a polynomial time simulator $\mathcal{S}$ that outputs $(a, c, z)$ without knowing $w$ such that $V(x, a, c, z) = 1$ and $(a, c, z)$ is indistinguishable from a valid protocol execution between $P(x, w)$ and $V(x)$ with $c \xleftarrow{\$} R$.

If we can create $(a, c, z)$ that looks like an honest transcript without knowing $w$, and if $(a, c, z)$ is accepted by the verifier, then the verifier doesn't learn anything about $w$.

Example - Schnorr DLOG proof

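Claim: I know $w$ such that $y = g^w \bmod p$.

Statement $x : (g, q, p, y)$
Witness $w$

1. $P(x, w)$: $r \xleftarrow{\$} \mathbb{Z}_q^*$, $a \leftarrow g^r$; sends $a$
2. $V(x)$: $c \xleftarrow{\$} \mathbb{Z}_q^*$; sends $c$
3. $P(x, w)$: $z \leftarrow r + c \cdot w$; sends $z$
4. $V(x)$: checks $g^z \stackrel{?}{=} a \cdot y^c$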

Schnorr DLOG proof - Special Soundness

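Claim: I know $w$ such that $y = g^w \bmod p$.

Statement $x : (g, q, p, y)$
Witness $w$

1. $P(x, w)$: $r \xleftarrow{\$} \mathbb{Z}_q^*$, $a \leftarrow g^r$; sends $a$
2. $V(x)$: $c \xleftarrow{\$} \mathbb{Z}_q^*$; sends $c$
3. $P(x, w)$: $z \leftarrow r + c \cdot w$; sends $z$
4. $V(x)$: checks $g^z \stackrel{?}{=} a \cdot y^c$

Given two valid transcripts $(a, c, z)$ and $(a, c', z')$:

$$g^{z} = a \cdot y^{c}, \qquad g^{z'} = a \cdot y^{c'}$$

$$g^{z - z'} = y^{c - c'}$$

$$g^{(z - z')/(c - c')} = y$$

Extractor: $\mathcal{E}(x, a, c, z, c', z') : w = (z - z') \cdot (c - c')^{-1} \bmod q$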

Schnorr DLOG proof - HVZK

Claim: I know $w$ such that $y = g^w \bmod p$.

Statement $x : (g, q, p, y)$
Witness $w$

1. $S(x)$: $z, c \xleftarrow{\$} \mathbb{Z}_q^*$, $a \leftarrow g^{z} \cdot y^{-c}$; outputs $(a, c, z)$
2. $V(x)$: checks $g^z \stackrel{?}{=} a \cdot y^c$

Notice that $S$ doesn't know $w$.

Distribution of $(a, c, z)$ = (random group element, random exponent, random exponent)

We are able to construct $(a, c, z)$ that is indistinguishable from a valid protocol execution.
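The three Schnorr properties above (completeness, special soundness, HVZK) in one runnable sketch. This is an added example, not part of the original slides; the toy parameters p = 2039, q = 1019, g = 4 and all function names are constructed for illustration, and z is reduced mod q, which the slides leave implicit.

```python
import secrets

# Constructed toy parameters (far too small for real use): p = 2q + 1, g has order q.
P, Q, G = 2039, 1019, 4

def rand_exp():
    """Sample uniformly from Z_q^* = {1, ..., q-1}."""
    return 1 + secrets.randbelow(Q - 1)

def commit():
    r = rand_exp()
    return r, pow(G, r, P)                      # a <- g^r

def respond(r, c, w):
    return (r + c * w) % Q                      # z <- r + c*w (exponents live mod q)

def verify(y, a, c, z):
    return pow(G, z, P) == (a * pow(y, c, P)) % P   # g^z ?= a * y^c

def extract(c1, z1, c2, z2):
    """Special soundness: two accepting transcripts sharing a (c1 != c2) yield w."""
    return ((z1 - z2) * pow((c1 - c2) % Q, -1, Q)) % Q

def simulate(y):
    """HVZK simulator: choose c, z first, then solve for a. Never uses w."""
    c, z = rand_exp(), rand_exp()
    a = (pow(G, z, P) * pow(y, -c, P)) % P      # a <- g^z * y^(-c)
    return a, c, z

def demo():
    w = rand_exp()                              # witness
    y = pow(G, w, P)                            # statement: y = g^w mod p
    r, a = commit()
    c1, c2 = rand_exp(), rand_exp()
    while c2 == c1:                             # extractor needs distinct challenges
        c2 = rand_exp()
    z1, z2 = respond(r, c1, w), respond(r, c2, w)
    honest_ok = verify(y, a, c1, z1) and verify(y, a, c2, z2)
    recovered = extract(c1, z1, c2, z2)
    sim_ok = verify(y, *simulate(y))
    return w, honest_ok, recovered, sim_ok

if __name__ == "__main__":
    w, honest_ok, recovered, sim_ok = demo()
    print(f"honest accepted={honest_ok} extracted==w: {recovered == w} simulated accepted={sim_ok}")
```

The `extract` step is also why an honest prover must draw a fresh $r$ for every run: answering two different challenges for the same $a$ hands $w$ to anyone who sees both transcripts.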

Non-interactive Schnorr DLOG proof

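Claim: I know $w$ such that $y = g^w \bmod p$.

Statement $x : (g, q, p, y)$
Witness $w$

Interactive:

1. $P(x, w)$: $r \xleftarrow{\$} \mathbb{Z}_q^*$, $a \leftarrow g^r$; sends $a$
2. $V(x)$: $c \xleftarrow{\$} \mathbb{Z}_q^*$; sends $c$
3. $P(x, w)$: $z \leftarrow r + c \cdot w$; sends $z$
4. $V(x)$: checks $g^z \stackrel{?}{=} a \cdot y^c$

Non-interactive:

1. $P(x, w)$: $r \xleftarrow{\$} \mathbb{Z}_q^*$, $a \leftarrow g^r$, $c \leftarrow H(a, g, q, p, y)$, $z \leftarrow r + c \cdot w$; sends $a, z$
2. $V(x)$: $c \leftarrow H(a, g, q, p, y)$; checks $g^z \stackrel{?}{=} a \cdot y^c$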

From Non-interactive Sigma Protocol to a Signature

Schnorr Signature

Claim: I know $w$ such that $y = g^w \bmod p$.

Statement $x : (g, q, p, y)$
Witness $w$

$\mathsf{Schnorr.Sign}(x, sk, m)$:

1. $r \xleftarrow{\$} \mathbb{Z}_q^*$
2. $a \leftarrow g^r$
3. $c \leftarrow H(a, g, q, p, y, m)$
4. $z \leftarrow r + c \cdot sk$
5. $\sigma = (a, z)$

$\mathsf{Schnorr.Verify}(x, m)$:

1. $c \leftarrow H(a, g, q, p, y, m)$
2. Check $g^z \stackrel{?}{=} a \cdot y^c$

Intuition: This is a signature because someone who knows the private key approves $m$.

Chaum-Pedersen DLEQ proof

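Claim: I know $w$ such that $y = g^w \bmod p$, $t = h^w \bmod p$.

Statement $x : (g, h, q, p, y, t)$
Witness $w$

1. $P(x, w)$: $r \xleftarrow{\$} \mathbb{Z}_q^*$, $a_g \leftarrow g^r$, $a_h \leftarrow h^r$; sends $a_g, a_h$
2. $V(x)$: $c \xleftarrow{\$} \mathbb{Z}_q^*$; sends $c$
3. $P(x, w)$: $z \leftarrow r + c \cdot w$; sends $z$
4. $V(x)$: checks $g^z \stackrel{?}{=} a_g \cdot y^c$ and $h^z \stackrel{?}{=} a_h \cdot t^c$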

Chaum-Pedersen DLEQ proof - Completeness

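Claim: I know $w$ such that $y = g^w \bmod p$, $t = h^w \bmod p$.

Statement $x : (g, h, q, p, y, t)$
Witness $w$

1. $P(x, w)$: $r \xleftarrow{\$} \mathbb{Z}_q^*$, $a_g \leftarrow g^r$, $a_h \leftarrow h^r$; sends $a_g, a_h$
2. $V(x)$: $c \xleftarrow{\$} \mathbb{Z}_q^*$; sends $c$
3. $P(x, w)$: $z \leftarrow r + c \cdot w$; sends $z$
4. $V(x)$: checks $g^z \stackrel{?}{=} a_g \cdot y^c$ and $h^z \stackrel{?}{=} a_h \cdot t^c$

First check:

$$g^{z} \stackrel{?}{=} a_g \cdot y^{c}$$

$$g^{r + c \cdot w} \stackrel{?}{=} g^{r} \cdot (g^{w})^{c}$$

$$g^{r + c \cdot w} = g^{r + c \cdot w}$$

Second check:

$$h^{z} \stackrel{?}{=} a_h \cdot t^{c}$$

$$h^{r + c \cdot w} \stackrel{?}{=} h^{r} \cdot (h^{w})^{c}$$

$$h^{r + c \cdot w} = h^{r + c \cdot w}$$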

Chaum-Pedersen DLEQ proof - HVZK

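Claim: I know $w$ such that $y = g^w \bmod p$, $t = h^w \bmod p$.

Statement $x : (g, h, q, p, y, t)$
Witness $w$

1. $S(x)$: $c, z \xleftarrow{\$} \mathbb{Z}_q^*$, $a_g \leftarrow g^{z} \cdot y^{-c}$, $a_h \leftarrow h^{z} \cdot t^{-c}$; outputs $(a_g, a_h, c, z)$
2. $V(x)$: checks $g^z \stackrel{?}{=} a_g \cdot y^c$ and $h^z \stackrel{?}{=} a_h \cdot t^c$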

Pedersen Commitment proof

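Claim: I know $(w, s)$ such that $\mathsf{com} = g^{w} \cdot h^{s} \bmod p$.

Statement $x : (g, h, q, p, \mathsf{com})$
Witness $w, s$

1. $P(x, w)$: $r_1, r_2 \xleftarrow{\$} \mathbb{Z}_q^*$, $a \leftarrow g^{r_1} \cdot h^{r_2}$; sends $a$
2. $V(x)$: $c \xleftarrow{\$} \mathbb{Z}_q^*$; sends $c$
3. $P(x, w)$: $z_1 \leftarrow r_1 + c \cdot w$, $z_2 \leftarrow r_2 + c \cdot s$; sends $z_1, z_2$
4. $V(x)$: checks $g^{z_1} \cdot h^{z_2} = a \cdot \mathsf{com}^{c}$

I know the opening value $(w, s)$ for the commitment $\mathsf{com}$.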