




















Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
ie400 course document ie400 course document
Typology: Summaries
1 / 28
This page cannot be seen from the preview
Don't miss anything!





















Abdullah Talayhan - 26.11.
P(x, w) V(x)
A Sigma Protocol is a specific type of interactive protocol (3-move) with the following properties: Completeness Special Soundness (Knowledge Soundness) Honest Verifier Zero-Knowledge
$
V(x)
A Sigma Protocol is complete if given an honest execution of the protocol (a, c, z). V(x, a, c, z) = 1
$
If the prover is honest, then it should be able to convince the verifier. P(x, w)
V(x)
A Sigma Protocol is HVZK (Honest Verifier Zero Knowledge) if we can build a polynomial time simulator that outputs without knowing such that and is indistinguishable from a valid protocol execution. ๐ฎ (a, c, z) w V(x, a, c, z) = 1 (a, c, z)
$
P(x, w) If we can create that looks like an honest transcript without knowing and if is accepted by the verifier. Then the verifier doesnโt learn anything about (a, c, z) w (a, c, z) w.
I know w such that y = g w mod p Witness w Statement x : (g, q, p, y) r $ โ โค* q a โ g r
$
q
z โ r + c โ w
z ?
c P(x, w) (^) V(x)
10 I know w such that y = g w mod p Statement x : (g, q, p, y) Witness w P(x, w) r $ โ โค* q a โ g
$
q
z โ r + c โ w
z ?
c V(x) g z = a โ y c g zโzโฒ = y cโcโฒ g (zโzโฒ)/(cโcโฒ) g = y zโฒ = a โ y cโฒ โฐ(x, a, c, z, cโฒ, zโฒ) : w = (z โ zโฒ) โ (c โ cโฒ) โ 1 mod q Valid (a, c, z) and (a, cโฒ, zโฒ)
I know w such that y = g w mod p Statement x : (g, q, p, y) Witness w S(x) z, c $ โ โค* q a โ g z โ y โc
z ?
c V(x) Notice that S doesnโt know w. Distribution of (a, c, z) = (random group element, random exponent, random exponent) We are able to construct (a, c, z) that is indistinguishable from a valid protocol execution.
I know w such that y = g w mod p Witness w Statement x : (g, q, p, y) P(x, w) r $ โ โค* q a โ g r
$
q
z ?
c V(x) P(x, w) r $ โ โค* q a โ g r
z โ r + c โ w
z ?
c V(x)
From Non-interactive Sigma Protocol to a Signature Schnorr Signature 14 I know w such that y = g w mod p Witness w Statement x : (g, q, p, y) ๐ฒ๐ผ๐๐๐๐๐. ๐ฒ๐๐๐(x, sk, m) r $ โ โค* q a โ g r
z โ r + c โ sk
z ?
c ๐ฒ๐ผ๐๐๐๐๐. ๐ต๐พ๐๐๐ฟ๐(x, m)
Intuition: This is a signature because someone who knows the private key approves m.
I know w such that y = g w mod p, t = h w mod p Statement x : (g, h, q, p, y, t) Witness w P(x, w) r $ โ โค* q a g โ g
$
q
z โ r + c โ w
z ?
g
c V(x) a h โ h r
z ?
h
c
17 I know w such that y = g w mod p, t = h w mod p Statement x : (g, h, q, p, y, z) Witness w P(x, w) r $ โ โค* q a g โ g
$
q
z โ r + c โ w
z ?
g
c V(x) a h โ h r
z ?
h
g c z? = a g โ y c g r+cโ w? = g r โ (g w ) c g r+cโ w = g r+cโ w h z? = a h โ t c h r+cโ w ? = h r โ (h w ) c h r+cโ w = h r+cโ w
I know w such that y = g w mod p, t = h w mod p Statement x : (g, h, q, p, y, t) Witness w S(x) c, z $ โ โค* q a g โ g z โ y โc
g
h
z ?
g
c V(x) a h โ h z โ t โc
z ?
h
c
I know (w, s) such that ๐ผ๐๐ = g w โ h s mod p Statement x : (g, h, q, p, ๐ผ๐๐) Witness w, s P(x, w) r 1 , r 2 $ โ โค* q a โ g r 1 โ h r
$
q
1
2 z 1 โ r 1