Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.


ZK Facts
In a ZK proof, if the verifier does not tolerate any errors, the ZK proof is known as a “one-sided-error protocol.”
A protocol where both the verifier and challenger must tolerate errors is said to have “two-sided errors” (probably fast and probably correct).

Review: Composite Number
A composite number is a number N with the following properties:
– N > 1
– N is not prime (factors other than N and 1)

Review: Quick Prime Test
Given a number, check whether its binary representation has a rightmost bit of 1 or 0.
– If it is 0, the number is even and divisible by 2.
– If it is 1, check for factors up to √N. If there are factors, then you have a non-prime number. If there exists a factor > √N, then the other factor will be less than √N.

Quadratic Residue
q is a quadratic residue mod p if there is an integer x such that x² ≡ q (mod p).
Example:
– Quadratic residues for 15 are {0,1,4,6,9,10}
– Numbers < p not listed as a q are called quadratic nonresidues
– 0 is always square but is !QNR and !QR

Why Quadratic Residue?
For a composite number N, no algorithm is known that can decide quadratic residuosity mod N in polynomial time without the factorization of N. It is hard to factor N, so you have no way of being able to test all the QR.
Given a new number B and P (an odd prime), you can check if B mod P is a quadratic residue in NP Time.
– B^((P-1)/2) mod P

ZK Proof of Quadratic Residuosity
Good for checking the proper encryption of a nonspecific bit string.
– Actually used in
– Goldwasser-Micali Scheme
  » Prevents passive adversary attacks
– Identity-based cryptosystems
  » signatures

ZK Proof of Quadratic Residuosity Facts
1. Given the factorization of N, for any x ∈ QR_N, a y with y² ≡ x % N can be determined efficiently.
2. For any x ∈ QNR_N in Z*_N, there is no square root of x.
3. If x ∈ QNR_N, x*y ∈ QR_N ⇒ y ∈ QNR_N (reference Jacobi Symbols of x, y and x*y)

ZK Proof of Quadratic Residuosity Proof
The proof is shown via the “completeness” and “soundness” of the protocol.
Completeness
It is said that, knowing Fact 1, the completeness is immediate.
– Given the factorization of N, any
  » x ∈ QR_N, y² ≡ x % N, you can compute N efficiently
Soundness
Verifier sends the commit before the Challenger has chosen a challenge.
– This gives a cheating Verifier a soundness error of 1/2.

ZK Proof of Quadratic Residuosity Example
Take Input
– N, an odd composite integer not the power of a prime.
– x ∈ QR_N, Verifier has a secret
– y ∈ Z*_N, y² ≡ x % N (quadratic residues for Z*_N)
Verifier sends to Challenger x ∈ QR_N.
“handshaking process loop begins”
– Preset amount of times for verification
Verifier Starts
– Picks u ∈_U QR_N
– Sends to Challenger a Commit ← u² % N

ZK Proof of Quadratic Residuosity Example (Cont)
Challenger action
– Picks Challenge ∈_U {0,1}
– Sends to Verifier Challenge
Verifier generates response based on challenge {0,1} and returns to challenger
– Response ←
  » case (challenge == 0): u
  » case (challenge == 1): (u*y) % N

ZK Proof of Quadratic Residuosity Example (Cont)
Challenger verifies Verifier Response
– Square Response and check against the commit already received.
– Response² ≡
  » case (challenge == 0): Commit
  » case (challenge == 1): (Commit*x) % N
If the response fails, keep repeating a predetermined amount of times. If the Challenger still cannot verify, he quits the protocol.

ZK Proof of Quadratic Residuosity Example (Cont)
QR_N = {1,4,6,9,10}
QNR_N = {2,3,5,7,8,11,12,13,14}
Verifier has a secret y ∈ Z*_N
Let's choose y = 13
Challenger is given x such that y² ≡ x % N

ZK Proof of Quadratic Residuosity Example (Cont)
Verifier Step
QR_N = {1,4,6,9,10}, QNR_N = {2,3,5,7,8,11,12,13,14}
y = 13, x = 4
Verifier picks u ∈_U QR_N, u = 9
Send commit to challenger.
Commit = u² % N = 6

ZK Proof of Quadratic Residuosity Example (Cont)
Challenger Step
QR_N = {1,4,6,9,10}, QNR_N = {2,3,5,7,8,11,12,13,14}
y = 13, x = 4, u ∈_U QR_N, u = 9, Commit = 6
Challenger picks a challenge = {0,1}
Send challenge to Verifier.
Let's pick Challenge = 1

ZK Proof of Quadratic Residuosity Example (Cont)
Verifier Step
QR_N = {1,4,6,9,10}, QNR_N = {2,3,5,7,8,11,12,13,14}
y = 13, x = 4, u ∈_U QR_N, u = 9, Commit = 6, Challenge = 1
Challenge == 1, send response of (u*y)%N to challenger.
Response = (9*13)%15 = 12
Note: If the challenge was a 0, the Verifier would send back just y, but the Challenger does not know that y is sent.

ZK Proof of Quadratic Residuosity Example (Cont)
Challenger Step
QR_N = {1,4,6,9,10}, QNR_N = {2,3,5,7,8,11,12,13,14}
y = 13, x = 4, u ∈_U QR_N, u = 9, Commit = 6, challenge = 1, response = 12
Challenge == 1, verify response² ≡ (Commit*x)%N
12² ≡ (6*4)%N, (144%N) ≡ (24)%N, 9 ≡ 9
Verification passes, “the end” unless there are more iterations of the same steps required.
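
The commit / challenge / response rounds walked through above, as an added Python example that is not part of the original slides. It replays the slide's N = 15 values and then shows why the rounds are repeated: a responder who does not know y has to guess the challenge before committing and is caught about half the time per round. The function names and the toy modulus 3233 = 61 * 53 are assumptions, and u is drawn from Z*_N here where the slide writes QR_N.

```python
import secrets
from math import gcd

def rand_unit(N):
    """Uniform element of Z*_N (assumption: the slide writes QR_N for u)."""
    while True:
        u = secrets.randbelow(N - 1) + 1
        if gcd(u, N) == 1:
            return u

def commit(u, N):
    # Secret holder (the slides' "Verifier") commits to u^2 before any challenge.
    return u * u % N

def respond(u, y, challenge, N):
    # Slide rule: u for challenge 0, (u*y) % N for challenge 1.
    return u if challenge == 0 else u * y % N

def check(x, com, challenge, resp, N):
    # The slides' "Challenger" squares the response and compares.
    expected = com if challenge == 0 else com * x % N
    return resp * resp % N == expected

def honest_run(x, y, N, rounds):
    """All rounds pass when the responder really knows y with y^2 = x mod N."""
    for _ in range(rounds):
        u, c = rand_unit(N), secrets.randbelow(2)
        if not check(x, commit(u, N), c, respond(u, y, c, N), N):
            return False
    return True

def guessing_run(x, N, rounds):
    """Responder without y must guess each challenge before committing.
    Returns how many rounds pass before the first wrong guess is caught."""
    x_inv = pow(x, -1, N)
    for passed in range(rounds):
        r, guess = rand_unit(N), secrets.randbelow(2)
        # A commit prepared for one challenge value cannot answer the other.
        com = r * r % N if guess == 0 else r * r * x_inv % N
        if not check(x, com, secrets.randbelow(2), r, N):
            return passed
    return rounds

# Constructed inputs: the slide's N = 15 round, then a toy modulus 61 * 53.
SLIDE = dict(N=15, y=13, x=4, u=9)
TOY_N, TOY_Y = 3233, 1234
TOY_X = TOY_Y * TOY_Y % TOY_N
```

Surviving k rounds by guessing has probability 2^-k, which is the soundness error of 1/2 per round stated on the proof slide.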

Legendre Symbol
Number-theoretic function that is ±1 based on whether a is a quadratic residue mod p, where p is an odd prime.
(a|p) =
  » 1, a is a quadratic residue % p
  » -1, a is a quadratic nonresidue % p

Jacobi’s Symbol
Jacobi’s Symbol is a generalization of the Legendre Symbol that allows non-prime numbers p.
The Jacobi symbol looks just like the Legendre Symbol.
– It is used for nonprime numbers p. When a prime p is given, it is assumed you are using the Legendre Symbol.
– When given an odd positive integer (p), you factor it.
– You then use modulus on the numerator with each factor.
(2/15)

ZK Proof N has 2 Distinct Prime Factors
Used to prove that an odd composite integer has exactly two prime factors, or that N is a valid RSA modulus.

ZK Proof N has 2 Distinct Prime Factors Facts
Given Facts (1-3) of QR,
1. Given the factorization of N, for any x ∈ QR_N, a y with y² ≡ x % N can be determined efficiently.
2. For any x ∈ QNR_N in Z*_N, there is no square root of x.
3. If x ∈ QNR_N, x*y ∈ QR_N ⇒ y ∈ QNR_N
   – (reference Jacobi Symbols of x, y and x*y)
we add two more facts

ZK Proof N has 2 Distinct Prime Factors Facts (Cont)
1. If N is an odd composite integer that has two distinct odd prime factors, then of J_N(1) = {x | x ∈ Z*_N, (x/N) = 1}, precisely ½ are quadratic residues (1/2 must be positive Legendre Symbol).
2. If N is not an odd composite number with two distinct primes, not prime, and not a prime power, then at most ¼ of J_N(1) are quadratic residues.
   – If N is a prime power, all elements in J_N(1) are quadratic residues

ZK Proof N has 2 Distinct Prime Factors
Input: N (has two distinct prime factors)
Verifier Secret: N factors
Output to Challenger: N
Algorithm
– Challenger checks to make sure N is not a prime or prime power.
– Challenger picks a random group of m numbers in J_N(1) and sends them to Prover
– Verifier takes challenger squares {x_1,..x_k} and proves they know the k elements are in QR_N using ZK Quadratic Residuosity.
– If k (count of correct proofs of knowledge) > floor((3/8)m), Challenger accepts Prover’s knowledge.

ZK Proof N has 2 Distinct Prime Factors (Ex)
Challenger verifies N is not a prime or prime power.
Challenger picks random M numbers J_N(1) and sends to Verifier
Z*_N = {1,2,4,7,8,10,11,13,14}

ZK Proof N has 2 Distinct Prime Factors (Ex)
Z*_N = {1,2,4,7,8,11,13,14}
(1/15) = (1/3)(1/5) = (1)(1) = 1
(2/15) = (2/3)(2/5) = (-1)(-1) = 1
(4/15) = (4/3)(4/5) = (1/3)(4/5) = (1)(1) = 1
(7/15) = (7/3)(7/5) = (1/3)(2/5) = (1)(-1) = -1
(8/15) = (8/3)(8/5) = (2/3)(3/5) = (-1)(-1) = 1
(11/15) = (11/3)(11/5) = (2/3)(1/5) = (-1)(1) = -1
(13/15) = (13/3)(13/5) = (1/3)(3/5) = (1)(-1) = -1
(14/15) = (14/3)(14/5) = (2/3)(4/5) = (-1)(1) = -1
J_N(1) = {1,2,4,8}

ZK Proof N has 2 Distinct Prime Factors (Ex)
Challenger verifies N is not a prime or prime power.
Challenger picks random M numbers J_N(1) and sends to Verifier
Z*_N = {1,2,4,7,8,10,11,13,14}
J_N(1) = {1,2,4,8}
Challenger sends m Nums = {4,8} to the Verifier
Verifier and Challenger check knowledge via QR.
If the error/success count is acceptable, challenger accepts knowledge.
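
The Jacobi-symbol table, the ½ versus ¼ facts and the floor((3/8)m) acceptance rule above, as an added Python example that is not part of the original slides. jacobi() is the standard reciprocity-based algorithm, which needs no factorization, while is_qr() stands in for a successful ZK quadratic-residuosity proof by applying Euler's criterion with the secret prime factors. The function names, the seeded sampling and the three-factor modulus 105 are assumptions chosen for illustration.

```python
import random
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:               # pull out factors of 2
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                     # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def is_qr(x, prime_factors):
    """For x coprime to N: x is in QR_N iff Euler's criterion
    x^((p-1)/2) = 1 mod p holds for every prime factor p of N."""
    return all(pow(x, (p - 1) // 2, p) == 1 for p in prime_factors)

def j1(N):
    """J_N(1): elements of Z*_N whose Jacobi symbol is +1."""
    return [x for x in range(1, N) if gcd(x, N) == 1 and jacobi(x, N) == 1]

def qr_fraction(N, prime_factors):
    """Share of J_N(1) that are quadratic residues."""
    members = j1(N)
    return sum(is_qr(x, prime_factors) for x in members) / len(members)

def challenger_accepts(N, prime_factors, m, seed):
    """Slide rule: accept when k > floor((3/8)m) of m random J_N(1)
    elements can be proven to be in QR_N."""
    rng = random.Random(seed)           # seeded only to make the demo repeatable
    picks = rng.choices(j1(N), k=m)
    k = sum(is_qr(x, prime_factors) for x in picks)
    return k > (3 * m) // 8

# Constructed inputs: the slide's N = 15 = 3 * 5 and a three-factor N = 105.
TWO_FACTOR = (15, [3, 5])
THREE_FACTOR = (105, [3, 5, 7])
```

With two prime factors about m/2 of the picks are provable, which clears the 3m/8 bar; with three factors only about m/4 are, so a large enough m separates the two cases.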

ZK Proof N has 2 Distinct Prime Factors
As you might have noticed, this ZK method is not 100% secure and is not a “one-sided-error” protocol. Errors can and will happen on both sides of the protocol.

ZK Proof N has 2 Distinct Prime Factors Proof
The Challenger might unknowingly accept the Verifier's knowledge when more than 3/8 of the random challenges picked by the Challenger are QR. This is known as “BadLuckBob” or in my slides as “BadLuckChallenger.”

ZK Proof N has 2 Distinct Prime Factors Proof
Completeness
– The Challenger has to accept errors from the Verifier because the Challenger might pick nonresidues. A preset criterion should be developed by the Challenger as an acceptable amount of errors.
– The Law of Large Numbers states that the larger the number of challenges the Challenger picks, the larger the completeness probability will be. Basically, the more times you run a challenge, the more likely the average probability is to even out.

ZK Proof N has 2 Distinct Prime Factors Proof (Cont)
Soundness
– Because of the large number of challenges to the Verifier's knowledge, it is extremely unlikely for a cheating Verifier not to be caught. Again, the number of challenges and acceptable errors is up to the Challenger.