Zero Knowledge Proofs: Interactive Proof Systems and Graph Isomorphism, Study notes of Computer Science

These notes cover zero knowledge proofs, focusing on interactive proof systems and the graph isomorphism problem. They include an illustration of the concept using a cave door example, a protocol for graph non-isomorphism, and a discussion of formalizing zero knowledge proofs. The notes also touch on the quadratic residue problem and its relation to the Blum-Blum-Shub generator.

ZERO KNOWLEDGE PROTOCOLS

CIS 400/628, Spring 2005

Introduction to Cryptography

This is based on Chapter 12 of Trappe and Washington & Chapters 12 and 13 of “Cryptography: Theory & Practice/1e” by D. Stinson

ZERO KNOWLEDGE PROOFS, I

Interactive Proof Systems

Prover ≡ Pat — very smart, not to be trusted

Verifier ≡ Vanna — average smart, has a fair coin

Pat

Wants to prove to Vanna that he knows a solution to

an instance of some yes/no problem.

But he does not want to give the solution away.

Vanna

If Pat is truthful, she wants to be convinced.

If Pat is lying, she wants to catch him (with high probability).

AN ILLUSTRATION

Pat claims he knows the password to open the cave door.

- Vanna waits at A.
- Pat enters the cave and goes to C or D.
- Vanna enters the cave to B and flips a coin. She calls out C or D based on the coin flip.
- Pat comes out the tunnel Vanna names.
- Repeat until Vanna is satisfied.
- Pat has a $2^{-n}$ probability of fooling Vanna over $n$ trials.

Vanna can videotape the whole thing and still learn nothing!

AN EXAMPLE INTERACTIVE PROOF

Problem: Graph Isomorphism

Given: $G_1 = (V_1, E_1)$ and $G_2 = (V_2, E_2)$ where $V_1 = V_2 = \{1, \ldots, n\}$ for some $n$.

Question: $\exists\, \pi : V_1 \xrightarrow{\text{1-1, onto}} V_2$ such that $\{u, v\} \in E_1 \iff \{\pi(u), \pi(v)\} \in E_2$?

Problem: Graph Non-isomorphism

Given: $G_1 = (V_1, E_1)$ and $G_2 = (V_2, E_2)$ as above.

Question: $\nexists\, \pi : V_1 \xrightarrow{\text{1-1, onto}} V_2$ as above?

[Figure: three example graphs $G_1$, $G_2$, $G_3$; the drawings are not recoverable from the text.]

PERFECT ZERO KNOWLEDGE PROOFS

Same set up as IP. But Pat does not want to reveal any details of the proof.

A Perfect Zero-Knowledge Proof for Graph Isomorphism.

Input: $G_1 = (\{1, \ldots, n\}, E_1)$ and $G_2 = (\{1, \ldots, n\}, E_2)$. Pat claims $G_1 \cong G_2$. If correct, let $\sigma : G_1 \cong G_2$ be the isomorphism.

Repeat $n$ times:
  Pat chooses a random permutation $\pi$ of $\{1, \ldots, n\}$, computes $H = \pi(G_1)$ and sends $H$ to Vanna.
  Vanna chooses $i \in_R \{1, 2\}$ and sends $i$ to Pat.
  Pat: if $i = 1$ then Pat sets $\rho := \pi$, so $H = \rho(G_1)$; else Pat sets $\rho := \pi \circ \sigma$, so $H = \rho(G_2)$. Pat sends $\rho$ to Vanna.
  Vanna checks that $H = \rho(G_i)$. If not, REJECT.
End repeat

Vanna ACCEPTS.

Completeness, Soundness, ZK: On board

TOWARDS FORMALIZING ZKP, I

Transcript:

- $(G_1, G_2)$
- all messages between Pat and Vanna
- Vanna's random numbers

$T = [(G_1, G_2), (H_1, i_1, \rho_1), \ldots, (H_n, i_n, \rho_n)]$

A forgery algorithm for the G.I. Protocol (vertex set $\{1, \ldots, n\}$)

Set $T := [(G_1, G_2)]$
For $j := 1$ to $n$ do:
  Choose $i_j \in_R \{1, 2\}$
  Choose $\rho_j$, a random permutation of $\{1, \ldots, n\}$
  Compute $H_j = \rho_j(G_{i_j})$
  $T := T \mathbin{++} [(H_j, i_j, \rho_j)]$
Return $T$

Informally, no one can tell a forged transcript from the real thing. Formally...
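The protocol and the forgery algorithm above, run on a constructed instance. This is an added example, not code from the course or from Stinson: graphs are edge sets on vertices $\{1, \ldots, n\}$, permutations are dicts, and I take $\sigma$ in the direction $\sigma(G_2) = G_1$ so that $\rho = \pi \circ \sigma$ satisfies $H = \rho(G_2)$ exactly as the protocol states. The block also adds a cheating Pat who has no isomorphism (he guesses Vanna's coin ahead of time), which is the soundness argument in code; the fourth sample graph, the seed value and the function names are mine.

```python
# Added example (not from the course notes or Stinson): the perfect ZK proof
# for Graph Isomorphism run between an honest Pat and Vanna, the transcript
# forgery (simulator) algorithm, and a cheating Pat who has no isomorphism.
# Graphs are (vertex list, frozenset of frozenset edges); permutations are dicts.
import random


def make_graph(n, edge_list):
    """Graph on vertices {1, ..., n} with undirected edges given as pairs."""
    return list(range(1, n + 1)), frozenset(frozenset(e) for e in edge_list)


def apply_perm(perm, edges):
    """Image pi(G) of an edge set under the vertex relabelling `perm`."""
    return frozenset(frozenset(perm[v] for v in e) for e in edges)


def random_perm(vertices, rng):
    """A uniformly random permutation of the vertex set, as a dict."""
    shuffled = list(vertices)
    rng.shuffle(shuffled)
    return dict(zip(vertices, shuffled))


def compose(outer, inner):
    """(outer o inner)(v) = outer(inner(v))."""
    return {v: outer[inner[v]] for v in inner}


def run_protocol(G1, G2, sigma, rounds, rng):
    """Honest Pat knows sigma with sigma(G2) = G1 (so pi o sigma maps G2 to H).
    Returns (Vanna accepts?, transcript T)."""
    V, E1 = G1
    _, E2 = G2
    T = [(E1, E2)]
    for _ in range(rounds):
        pi = random_perm(V, rng)
        H = apply_perm(pi, E1)                       # Pat commits to H = pi(G1)
        i = rng.choice((1, 2))                       # Vanna's coin
        rho = pi if i == 1 else compose(pi, sigma)   # Pat opens H as rho(G_i)
        if apply_perm(rho, E1 if i == 1 else E2) != H:
            return False, T                          # Vanna REJECTs
        T.append((H, i, rho))
    return True, T


def forge_transcript(G1, G2, rounds, rng):
    """The forgery algorithm: pick i_j and rho_j first, then set H_j = rho_j(G_{i_j}).
    Needs no isomorphism, yet every entry passes Vanna's check."""
    V, E1 = G1
    _, E2 = G2
    T = [(E1, E2)]
    for _ in range(rounds):
        i = rng.choice((1, 2))
        rho = random_perm(V, rng)
        H = apply_perm(rho, E1 if i == 1 else E2)
        T.append((H, i, rho))
    return T


def transcript_is_valid(T):
    """Vanna's per-round check replayed over a transcript (real or forged)."""
    E1, E2 = T[0]
    return all(apply_perm(rho, E1 if i == 1 else E2) == H for H, i, rho in T[1:])


def cheating_prover(G1, G2, rounds, rng):
    """Pat with no isomorphism guesses Vanna's coin b and commits H = pi(G_b).
    He can open only when i == b, so each round catches him with probability 1/2.
    Returns (accepted?, rounds survived)."""
    V, E1 = G1
    _, E2 = G2
    for r in range(rounds):
        b = rng.choice((1, 2))
        pi = random_perm(V, rng)
        H = apply_perm(pi, E1 if b == 1 else E2)
        i = rng.choice((1, 2))
        if apply_perm(pi, E1 if i == 1 else E2) != H:
            return False, r
    return True, rounds


# Constructed instance: G1 and G2 are both 4-cycles, G3 is a star (not isomorphic).
G1 = make_graph(4, [(1, 2), (2, 3), (3, 4), (4, 1)])
G2 = make_graph(4, [(1, 3), (3, 2), (2, 4), (4, 1)])
G3 = make_graph(4, [(1, 2), (1, 3), (1, 4)])
SIGMA = {1: 1, 2: 3, 3: 2, 4: 4}   # sigma(G2) == G1


def demo(seed=2005, rounds=10):
    """One honest run, two forgeries (one for a non-isomorphic pair) and a cheater."""
    rng = random.Random(seed)
    ok, real = run_protocol(G1, G2, SIGMA, rounds, rng)
    fake = forge_transcript(G1, G2, rounds, rng)
    fake_noniso = forge_transcript(G1, G3, rounds, rng)
    cheat_ok, _ = cheating_prover(G1, G3, 30, rng)
    return {"honest": ok, "real_valid": transcript_is_valid(real),
            "rounds": len(real) - 1, "forged_valid": transcript_is_valid(fake),
            "forged_noniso_valid": transcript_is_valid(fake_noniso),
            "cheater": cheat_ok}


if __name__ == "__main__":
    print(demo())
```

The point of `forged_noniso_valid` is that the forgery checks out even for $G_1$ and $G_3$, which are not isomorphic: a valid-looking transcript is therefore no evidence at all, which is exactly why Vanna's videotape leaks nothing.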

QUADRATIC RESIDUES

Legendre symbol. For prime $p$ and $a \in \mathbb{Z}_p$,
$$\left(\frac{a}{p}\right) =_{\text{def}} \begin{cases} 0, & \text{if } a \notin \mathbb{Z}_p^*; \\ 1, & \text{if } (\exists b \in \mathbb{Z}_p^*)[\, a \equiv b^2 \pmod p \,]; \\ -1, & \text{otherwise.} \end{cases}$$

Jacobi symbol. For $n = p_1^{e_1} \cdots p_k^{e_k}$ and $a \in \mathbb{Z}_n$,
$$\left(\frac{a}{n}\right) =_{\text{def}} \prod_{i=1}^{k} \left(\frac{a}{p_i}\right)^{e_i}.$$

When $n = p \cdot q$,
$$\left(\frac{a}{n}\right) = \begin{cases} 0, & \text{if } a \notin \mathbb{Z}_n^*; \\ 1, & \text{if } \left(\frac{a}{p}\right) = \left(\frac{a}{q}\right); \\ -1, & \text{otherwise.} \end{cases}$$

Let $QR(n) =_{\text{def}} \{\, y^2 \bmod n : y \in \mathbb{Z}_n^* \,\}$.

The Quadratic Residue Problem. Given: $n = p \cdot q$ with $p$ and $q$ prime, and $x \in \mathbb{Z}_n^*$ with $\left(\frac{x}{n}\right) = 1$.

Question: Is $x \in QR(n)$?

AN INTERACTIVE PROOF SYSTEM FOR QR

Input: $n$ and $x \in \mathbb{Z}_n^*$ (Pat claims $x \in QR(n)$).

Repeat $\lfloor \log_2 n \rfloor$ times:
  Pat chooses $v \in_R \mathbb{Z}_n^*$, computes $y = v^2 \bmod n$ and sends $y$ to Vanna.
  Vanna chooses $i \in_R \{0, 1\}$ and sends $i$ to Pat.
  Pat computes $z = u^i v \bmod n$, where $u$ is a square root of $x$.
  Note: $z^2 = u^{2i} v^2 = \begin{cases} xy, & \text{if } i = 1; \\ y, & \text{if } i = 0. \end{cases}$
  Vanna checks whether $z^2 \equiv x^i y \pmod n$ and REJECTS if not.
End repeat

Vanna ACCEPTS.

Proof of soundness, completeness, & ZK on board
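The QR protocol above in code, as an added example that is not part of the notes: an honest Pat who knows $u$, Vanna's check, a transcript simulator that chooses $z$ first and sets $y = z^2 x^{-i}$, and a cheating Pat who runs that simulator on a guessed coin and so survives each round with probability $1/2$. The modulus $n = 7 \cdot 11 = 77$, the witness $u = 4$, the pseudo-square $x = 6$ used for the cheater and the function names are all my choices; `pow(x, -1, n)` needs Python 3.8 or later.

```python
# Added example (constructed; not from the notes): the interactive proof that
# x is a quadratic residue mod n = p*q, its transcript simulator, and a
# cheating prover who lacks a square root of x. Small modulus n = 7 * 11 = 77.
import random
from math import gcd


def floor_log2(n):
    """Number of rounds the protocol uses: floor(log2 n)."""
    return n.bit_length() - 1


def random_unit(n, rng):
    """Uniform v in Z_n^*."""
    while True:
        v = rng.randrange(1, n)
        if gcd(v, n) == 1:
            return v


def verifier_check(n, x, y, i, z):
    """Vanna's test: z^2 == x^i * y (mod n)."""
    return z * z % n == pow(x, i, n) * y % n


def run_qr_proof(n, x, u, rng, rounds=None):
    """Honest Pat knows u with u^2 = x mod n. Returns (accepted?, transcript)."""
    assert u * u % n == x % n
    rounds = floor_log2(n) if rounds is None else rounds
    T = []
    for _ in range(rounds):
        v = random_unit(n, rng)
        y = v * v % n                      # Pat's commitment
        i = rng.choice((0, 1))             # Vanna's coin
        z = pow(u, i, n) * v % n           # z = u^i v
        if not verifier_check(n, x, y, i, z):
            return False, T
        T.append((y, i, z))
    return True, T


def simulate_round(n, x, i, rng):
    """Transcript forgery for a known challenge i: choose z first, then
    y = z^2 * x^(-i) mod n, so (y, i, z) passes Vanna's check without u."""
    z = random_unit(n, rng)
    y = z * z * pow(x, -1, n) % n if i else z * z % n
    return y, i, z


def forge_qr_transcript(n, x, rounds, rng):
    """Forged transcript with fresh random coins, as in the G.I. forgery."""
    return [simulate_round(n, x, rng.choice((0, 1)), rng) for _ in range(rounds)]


def cheating_prover(n, x, rounds, rng):
    """Pat without a square root guesses Vanna's coin b, runs the simulator for b,
    and is caught whenever i != b (probability 1/2 per round)."""
    for r in range(rounds):
        b = rng.choice((0, 1))
        y, _, z = simulate_round(n, x, b, rng)
        i = rng.choice((0, 1))
        if not verifier_check(n, x, y, i, z):
            return False, r
    return True, rounds


def demo(seed=2005):
    rng = random.Random(seed)
    n, u = 77, 4
    x = u * u % n                           # x = 16 is a residue; Pat knows u
    ok, T = run_qr_proof(n, x, u, rng)
    fake = forge_qr_transcript(n, x, len(T), rng)
    # x = 6 has Jacobi symbol 1 mod 77 but is a non-square mod 7 and mod 11
    cheat_ok, _ = cheating_prover(n, 6, 30, rng)
    return {"accepted": ok, "rounds": len(T),
            "forged_valid": all(verifier_check(n, x, y, i, z) for y, i, z in fake),
            "cheater_accepted": cheat_ok}


if __name__ == "__main__":
    print(demo())
```

Note that the simulator never touches $u$, and that the cheater is caught only because he cannot answer both challenges for the same $y$: if he could, the two answers $z_0, z_1$ would give $z_1 z_0^{-1}$ as a square root of $x$, which is the soundness argument the notes leave to the board.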

PRG EXAMPLES

Linear Congruential Generator (easy, insecure)

Suppose $m \ge 2$, $a, b \in \mathbb{Z}_m^*$, $k = \lfloor \log_2 m \rfloor$ such that $k < \ell \le m - 1$.

$s_0 \in \mathbb{Z}_m$, $s_{i+1} = (a \cdot s_i + b) \bmod m$

$f(s_0) = (z_1, \ldots, z_\ell)$, $z_i = s_i \bmod 2$

Example: $m = 31$, $a = 3$, $b = 5$, $k = 5$, $\ell = 10$

The RSA Based Generator (harder, secure?)

Suppose $p, q$ are two $k/2$-bit primes, $n = p \cdot q$, $b \in \mathbb{Z}_{\varphi(n)}^*$.

$s_0 \in \mathbb{Z}_n$, $s_{i+1} = s_i^{\,b} \bmod n$

$f(s_0) = (z_1, \ldots, z_\ell)$, $z_i = s_i \bmod 2$

WHAT IS A SECURE PRG?

GOALS: fast, secure

IDEA: The bits produced by the PRG should look random to an ordinary opponent.

DEFINITION. Suppose:

- $p_0$ and $p_1$ are two probability distributions on $\mathbb{Z}_2^\ell$
- $A : \mathbb{Z}_2^\ell \to \{0, 1\}$, computed by a polytime (in $\ell$) algorithm
- $\epsilon > 0$
- For $j = 0, 1$, define $E_A(p_j) = \sum_{\vec{z} \in \mathbb{Z}_2^\ell} p_j(\vec{z}) \cdot \mathrm{Prob}[A(\vec{z}) = 1 \mid \vec{z}]$
- $A$ is an $\epsilon$-distinguisher of $p_0$ and $p_1$ iff $|E_A(p_0) - E_A(p_1)| \ge \epsilon$.
- $p_0$ and $p_1$ are $\epsilon$-indistinguishable iff $\nexists$ an $\epsilon$-distinguisher for them.

NEXT BIT PREDICTORS AND EFFECTIVE GAMBLING

DEFINITION

Suppose $f$ is a $(k, \ell)$-PRBG and $f(s_0) = (z_1, \ldots, z_\ell)$.

$B_i(z_1, \ldots, z_{i-1})$ = a guess at $z_i$ ($s_0$ unknown).

$B_i$ is an $\epsilon$-next bit predictor iff $B_i$ can correctly predict the $i$-th bit from $z_1, \ldots, z_{i-1}$ with probability $\ge \frac{1}{2} + \epsilon$.

THEOREM

Suppose $f$ is a $(k, \ell)$-PRBG. Then the probabilistic algorithm $B_i$ is an $\epsilon$-next bit predictor for $f$ iff
$$\sum_{z_1 \ldots z_{i-1}} p_1(z_1 \ldots z_{i-1}) \cdot \mathrm{Prob}[\, z_i = B_i(z_1 \ldots z_{i-1}) \mid z_1 \ldots z_{i-1} \,] \ge \frac{1}{2} + \epsilon.$$

Proof: Just unpack the definition.

NEXT BIT PREDICTORS AND EFFECTIVE GAMBLING, II

EXAMPLE

Recall the linear congruential generator $f$ from before. For $i = 1, \ldots, 9$, let $B_i(z_1, \ldots, z_{i-1}) = 1 - z_{i-1}$. It turns out that $B_i$ is a $\frac{9}{62}$-next bit predictor for $f$.

$\therefore$ Correct with probability $\frac{20}{31}$.

THEOREM. Suppose $B_i$ is an $\epsilon$-next bit predictor for a $(k, \ell)$-PRBG $f$, $p_0$ and $p_1$ are as before, and $A$ is as below.

Algorithm for $A(z_1 \ldots z_\ell)$: If $B_i(z_1 \ldots z_{i-1}) = z_i$ then return 1, else return 0.

Then $A$ is an $\epsilon$-distinguisher of $p_0$ and $p_1$.

Proof: Not too hard.

THEOREM. Suppose $A$ is an $\epsilon$-distinguisher of $p_0$ and $p_1$ (as before). Then for some $i \in \{1, \ldots, \ell - 1\}$ there is an $\epsilon/\ell$-next bit predictor $B_i$ for $f$.

Proof: Harder (see Stinson, 1e, pp. 368-370).
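The LCG example and the predictor-to-distinguisher theorem above, worked exactly by enumeration. This is an added example, not code from the notes: it builds $f$ with the parameters $m = 31$, $a = 3$, $b = 5$, $\ell = 10$ from the PRG EXAMPLES section, the predictor $B_i = 1 - z_{i-1}$, and the algorithm $A$ of the theorem, then computes $E_A(p_1)$ over all 31 seeds and $E_A(p_0)$ over all $2^{10}$ uniform strings with exact fractions. Function names and the choice of evaluating at a fixed position $i \ge 2$ are mine.

```python
# Added example (constructed from the parameters in the notes, not the notes'
# own code): the linear congruential generator with m = 31, a = 3, b = 5,
# l = 10, the next-bit predictor B_i = 1 - z_{i-1}, and the distinguisher A
# built from it, with exact probabilities computed by enumeration.
from fractions import Fraction
from itertools import product

M, A_MULT, B_ADD, ELL = 31, 3, 5, 10


def lcg_bits(s0, m=M, a=A_MULT, b=B_ADD, ell=ELL):
    """f(s0) = (z_1, ..., z_ell) with s_{i+1} = (a*s_i + b) mod m, z_i = s_i mod 2."""
    s, out = s0, []
    for _ in range(ell):
        s = (a * s + b) % m
        out.append(s % 2)
    return tuple(out)


def next_bit_predictor(prev_bits):
    """B_i(z_1, ..., z_{i-1}) = 1 - z_{i-1}: guesses that the output bit flips."""
    return 1 - prev_bits[-1]


def distinguisher(z, i):
    """A(z_1 ... z_ell) = 1 iff B_i predicted z_i correctly (i >= 2, 1-based)."""
    return 1 if next_bit_predictor(z[:i - 1]) == z[i - 1] else 0


def expectation_lcg(i):
    """E_A(p_1): A over the LCG output distribution (uniform seed s0 in Z_m)."""
    return Fraction(sum(distinguisher(lcg_bits(s0), i) for s0 in range(M)), M)


def expectation_uniform(i):
    """E_A(p_0): A over uniformly random ell-bit strings."""
    hits = sum(distinguisher(z, i) for z in product((0, 1), repeat=ELL))
    return Fraction(hits, 2 ** ELL)


def predictor_success(i):
    """Probability (over s0) that B_i predicts z_i; epsilon is this minus 1/2."""
    return expectation_lcg(i)


def advantage(i):
    """|E_A(p_0) - E_A(p_1)|: A is an epsilon-distinguisher for this epsilon."""
    return abs(expectation_lcg(i) - expectation_uniform(i))


if __name__ == "__main__":
    for i in (2, 5, 10):
        print(f"i={i}: B_i correct w.p. {predictor_success(i)}, advantage {advantage(i)}")
```

Because $s \mapsto 3s + 5 \bmod 31$ is a bijection of $\mathbb{Z}_{31}$, the state $s_{i-1}$ is uniform whenever $s_0$ is, so the success probability is the same $20/31$ at every position and the advantage $9/62$ is the $\epsilon$ of the example.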

THE BLUM-BLUM-SHUB GENERATOR, I

The Quadratic Residue Problem. Given $p$ and $q$ prime, $n = p \cdot q$, and $z \in \mathbb{Z}_n^*$ such that $\left(\frac{z}{n}\right) = 1$.

Question: Is $z \in QR(n)$ (or is $z \notin QR(n)$)?

- There is no known polytime algorithm for the QR Problem.
- If we could factor $n = pq$, then we can easily compute $\left(\frac{z}{p}\right)$ (or similarly, $\left(\frac{z}{q}\right)$).
- So we can test if $z \in QR(n)$ by seeing if $\left(\frac{z}{q}\right) = 1$.

Observation: There doesn't seem to be any easier way of solving the QR problem than to factor $n$.
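The symbols from the QUADRATIC RESIDUES section and the observation just above, as an added example that is not part of the notes: the Legendre symbol by Euler's criterion, the Jacobi symbol by quadratic reciprocity (so it can be computed without factoring $n$), a brute-force $QR(n)$, and the factor-based test for the QR problem. With $n = 77$ it also lists the instances the problem is actually about, the units with $\left(\frac{z}{n}\right) = 1$, and splits them into residues and pseudo-squares. The modulus and function names are mine.

```python
# Added example (not from the notes or Stinson): the Legendre and Jacobi
# symbols as defined above, a brute-force QR(n), and the observation that
# knowing the factors of n = p*q decides the QR problem. n = 77 throughout.
from math import gcd


def legendre(a, p):
    """(a/p) for an odd prime p, via Euler's criterion a^((p-1)/2) mod p."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def jacobi(a, n):
    """(a/n) for odd n > 0, computed by quadratic reciprocity without factoring n."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:          # pull out factors of 2: (2/n) = -1 iff n = 3,5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # reciprocity: flip sign iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # n > 1 here means gcd(a, n) > 1


def qr_set(n):
    """QR(n) = { y^2 mod n : y in Z_n^* } by brute force (small n only)."""
    return {y * y % n for y in range(1, n) if gcd(y, n) == 1}


def is_qr_given_factors(z, p, q):
    """With p and q known, z in QR(pq) iff (z/p) = (z/q) = 1."""
    return legendre(z, p) == 1 and legendre(z, q) == 1


def classify(z, p, q):
    """Sort z in Z_n into the cases the symbols distinguish."""
    n = p * q
    if gcd(z, n) != 1:
        return "not a unit"
    if is_qr_given_factors(z, p, q):
        return "residue"
    return "pseudo-square" if jacobi(z, n) == 1 else "non-residue"


def symbols_consistent(p, q):
    """Check (a/n) = (a/p)(a/q) for every a in Z_n, n = p*q."""
    n = p * q
    return all(jacobi(a, n) == legendre(a, p) * legendre(a, q) for a in range(n))


def qr_problem_instances(p, q):
    """The hard instances: units with Jacobi symbol 1, split into QR and non-QR."""
    n = p * q
    squares = qr_set(n)
    hard = [z for z in range(1, n) if gcd(z, n) == 1 and jacobi(z, n) == 1]
    return (sorted(z for z in hard if z in squares),
            sorted(z for z in hard if z not in squares))


if __name__ == "__main__":
    print("QR(77) =", sorted(qr_set(77)))
    print("residues / pseudo-squares:", qr_problem_instances(7, 11))
    print({z: classify(z, 7, 11) for z in (2, 6, 7, 16)})
```

The Jacobi symbol is public information (anyone can compute it from $n$ alone), which is why the problem is only posed for $\left(\frac{z}{n}\right) = 1$: half of those 30 units mod 77 are squares and half are not, and without $p$ and $q$ the symbol gives no way to tell them apart.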

THE BLUM-BLUM-SHUB GENERATOR, II

SETUP

- $p$ and $q$, two distinct $k/2$-bit primes with $p \equiv q \equiv 3 \pmod 4$.
- $n = p \cdot q$.

The BBS Generator

- $s_0 \in QR(n)$, a seed
- For $i = 1, \ldots, \ell$, set: (a) $s_i = s_{i-1}^2 \bmod n$; (b) $z_i = s_i \bmod 2$
- Define $f(s_0) = (z_1 \ldots z_\ell)$

Security Theorem. IF the $(k, \ell)$-BBS generator can be $\epsilon$-distinguished from random bits, THEN there is a good probabilistic polytime algorithm for the Quadratic Residues problem. (Not known, but believed unlikely.)
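The BBS generator above on a constructed toy modulus, as an added example that is not part of the notes: it enforces the setup conditions ($p \equiv q \equiv 3 \pmod 4$, seed in $QR(n)$, checked with Euler's criterion since the factors are known to whoever sets up the generator) and includes a check of why the congruence condition matters: squaring must be a permutation of $QR(n)$ so the state sequence stays in $QR(n)$ and does not collapse. The primes $7, 11$ (and $5, 7$ as the bad setup), the seed and the function names are my choices.

```python
# Added example (constructed; not from the notes): the BBS generator with
# p = 7, q = 11 (both 3 mod 4) and a check of why that congruence condition
# matters: squaring must permute QR(n) so the state never leaves QR(n).
from math import gcd


def is_unit(a, n):
    return gcd(a, n) == 1


def in_qr_given_factors(s, p, q):
    """Euler's criterion on each factor: s in QR(pq) iff s is a square mod p and mod q."""
    return pow(s, (p - 1) // 2, p) == 1 and pow(s, (q - 1) // 2, q) == 1


def bbs_bits(p, q, s0, ell):
    """f(s0) = (z_1 ... z_ell): s_i = s_{i-1}^2 mod n, z_i = s_i mod 2.
    Refuses the setups the notes exclude (p or q not 3 mod 4, seed outside QR(n))."""
    if p % 4 != 3 or q % 4 != 3 or p == q:
        raise ValueError("p and q must be distinct primes congruent to 3 mod 4")
    n = p * q
    if not (is_unit(s0, n) and in_qr_given_factors(s0, p, q)):
        raise ValueError("seed must lie in QR(n)")
    s, out = s0, []
    for _ in range(ell):
        s = s * s % n
        out.append(s % 2)
    return tuple(out)


def seed_from(r, p, q):
    """A convenient way to land in QR(n): square any unit r mod n."""
    n = p * q
    assert is_unit(r, n)
    return r * r % n


def qr_set(n):
    """QR(n) by brute force (small n only)."""
    return {y * y % n for y in range(1, n) if gcd(y, n) == 1}


def squaring_permutes_qr(p, q):
    """True iff s -> s^2 mod n is a bijection on QR(n); holds when p = q = 3 mod 4."""
    n = p * q
    squares = qr_set(n)
    return {s * s % n for s in squares} == squares


def setup_is_valid(p, q, s0):
    """Boolean form of the checks bbs_bits raises on."""
    try:
        bbs_bits(p, q, s0, 1)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    p, q = 7, 11
    s0 = seed_from(3, p, q)
    print("s0 =", s0, "bits:", bbs_bits(p, q, s0, 8))
    print("squaring permutes QR(77):", squaring_permutes_qr(7, 11))
    print("squaring permutes QR(35):", squaring_permutes_qr(5, 7))
```

With $n = 77$ the state cycles after four steps, which is the expected behaviour of a toy modulus; the security theorem speaks about $k$-bit $n$ where $k$ is large enough that factoring is infeasible.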