Presentation is loading. Please wait.

Presentation is loading. Please wait.

Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.

Published byRosamond Parker Modified over 8 years ago

Similar presentations

Presentation on theme: "Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall."— Presentation transcript:

1 Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall

2 ZK Facts In a ZK proof if the verifier does not tolerate any errors, the ZK proof is known as an “on-sided-error protocol.” A protocol where both the verifier and challenger must tolerate errors is said to have “two-sided-errors” (probably fast and probably correct).

3 Review: Composite Number A composite number is a number N with the following properties –N > 1 –N is not prime (factors other than N and 1)

4 Review: Quick Prime Test Given a number, check to see if the binary number has a rightmost bit of 1 or 0. –If it is 0, it is even and divisible by 2. –If it is 1, check up to  N . If there are factors, then you have a non prime number. If there exists a factor  N, then the other factor will be less than the  N.

5 Quadratic Residue If there is an integer x such that x 2  q (mod p). Example: –Quadratic Residues of 15 are –Quadratic Residues for 15 are {0,1,4,6,9,10} –Numbers  p not listed as a q are called quadratic nonresidues –0 is always square but is !QNR and !QR Reference: http://mathworld.wolfram.com/QuadraticResidue.html 1 14 Q X 0491106446 1941 1513121110987654321

6 Why Quadratic Residue? For a composite number N, no algorithm is known to be able to decide quadratic residousity mod N in polynomial time without the factorization of N. It is hard to factor N, so you have no way of being able to test all the QR. Given a new number B, and P (an odd prime), you can check if B mod P is a quadratic residue in NP Time. –B (P-1)/2  mod P Reference: http://mathworld.wolfram.com/QuadraticResidue.html

7 ZK Proof of Quadratic Residuosity Good for checking the proper encryption of a nonspecific bit string. –Actually used in –Goldwasser-Micali Scheme »Prevents passive adversary attacks –Identity-based cryptosystems »signatures

8 ZK Proof of Quadratic Residuosity Facts 1.Given the factorization of N, x  QR N, y 2  x % n can be determined efficiently. 2.For any x  QNR N, Z * N, there is no square root of x. 3.If x  QNR N, x*y  QR N  y  QNR N (reference Jacobi Symbols of x,y and x*y)

9 ZK Proof of Quadratic Residuosity Proof The proof is shown via the “completeness” and “soundness” of the protocol. Completeness It is said knowing Fact 1, the completeness is immediate. –Given the factorization of N, any »x  QR N, y 2  x % n,You can compute N efficiently Soundness Verifier sends the commit before the Challenger has chosen a challenge. –This makes the Verifier cheating have a soundness error of 1/2.

10 ZK Proof of Quadratic Residuosity Example Take Input –N, an odd composite integer not the power of a prime. –x  QR N, Verifier has a secret –y  Z * N, y 2  x % N (quadratic residues for Z * N ) Verifier sends to Challenger x  QR N. “handshaking process loop begins” –Preset amount of times for verification Verifier Starts –Picks u  U  QR N –Sends to Challenger a Commit  u 2 % N

11 ZK Proof of Quadratic Residuosity Example (Cont) Challenger action –Picks Challenge  U {0,1} –Sends to Verifier Challenge Verifier generates response based on challenge {0,1} and returns to challenger –Response  { case (challenge == 0) u – { case (challenge == 1) (u*y) % N

12 ZK Proof of Quadratic Residuosity Example (Cont) Challenger verifies Verifier Response –Square Response and check against the commit already received. –Response 2  { case (challenge == 0) : Commit { case (challenge == 1) : (Commit*x) % N If the response fails, keep repeating a predetermined amount of times. If the Challenger still cannot verify, he quits the protocol.

13 ZK Proof of Quadratic Residuosity Example (Cont) 1 14 Q X 491106446 1941 13121110987654321 QR N = {1,4,6,9,10}QNR N ={2,3,5,7,8,11,12,13,14} Verifier has a secret y  Z * N Lets choose y = 13 Challenger is given x such that y 2  x % N

14 ZK Proof of Quadratic Residuosity Example (Cont) Verifier Step 1 1 14 Q X 491106446 1941 13121110987654321 QR N = {1,4,6,9,10}QNR N ={2,3,5,7,8,11,12,13,14} y = 13, x = 4 Verifier picks u  U  QR N, u = 9 Send commit to challenger. Commit = u 2 % N = 6

15 ZK Proof of Quadratic Residuosity Example (Cont) Challenger Step 1 1 14 Q X 491106446 1941 13121110987654321 QR N = {1,4,6,9,10}QNR N ={2,3,5,7,8,11,12,13,14} y = 13, x = 4, u  U  QR N, u = 9, Commit = 6 Challenger picks a challenge = {0,1} Send challenge to Verifier. Lets pick Challenge = 1

16 ZK Proof of Quadratic Residuosity Example (Cont) Verifier Step 2 1 14 Q X 491106446 1941 13121110987654321 QR N = {1,4,6,9,10}QNR N ={2,3,5,7,8,11,12,13,14} y = 13, x = 4, u  U  QR N, u = 9, Commit = 6, Challenge = 1 Challenge == 1, send response of (u*y)%N to challenger. Response = (9*13)%15 = 12 Note: If the challenge was a 0, the Verifier would send back just y, but the Challenger does not know that y is sent.

17 ZK Proof of Quadratic Residuosity Example (Cont) Challenger Step 2 1 14 Q X 491106446 1941 13121110987654321 QR N = {1,4,6,9,10}QNR N ={2,3,5,7,8,11,12,13,14} y = 13, x = 4, u  U  QR N, u = 9, Commit = 6, challenge = 1, response = 12 Challenge == 1, verify response 2  (Commit*x)%N 12 2  (6*4)%N 12 2  (6*4) %N, (144%N)  (24)%N, 9  Verification passes, “the end” unless there are more iterations of the same steps required.

18 Legendre Symbol Number Theoretic function is +-1 based on if a is a quadratic residue mod p. p is an odd prime. a is a quadratic residue % p. = (a|p)  { 1, a is a quadratic residue % p { -1, a is a quadratic nonresidue % p http://mathworld.wolfram.com/LegendreSymbol.html =111 95431 = -111 108762 3 6 5 7 9 8 4 9 1 35941 54321

19 Jacobi’s Symbol Jacobi’s Symbol is a generalization of the Legendre Symbol that allows non prime numbers p. The Jacobi symbol looks just like the Legendre Symbol. –It is used for nonprime numbers p. When a prime p is given, it is assumed you are using the Legendre Symbol. –When given an odd positive integer (p), you factor it. –You then use modulus on the numerator with each factor. (2/15) 

20 ZK Proof N has 2 Distinct Prime Factors Used to prove an odd composite integer has exactly two prime factors. Or, that N is a valid RSA modulus.

21 ZK Proof N has 2 Distinct Prime Factors Facts Given Facts (1-3) of QR, 1.Given the factorization of N, any x  QR N, y 2  x % n, can be determined efficiently. 2.For any x  QNR N, Z * N, there is no square root of x. 3.If x  QNR N, x*y  QR N  y  QNR N –(reference Jacobi Symbols of x,y and x*y) we add two more facts

22 ZK Proof N has 2 Distinct Prime Factors Facts (Cont) 1.If N is an odd composite integer that has two distinct odd prime factors, J N (1) = {x|x  Z * N, (x/n) = 1} Precisely ½ are quadratic residues (1/2 must be positive Legendre Symbol). 2.If N is not an odd composite number with two distinct primes, not prime, and not a prime power then at most ¼ of J N (1) is quadratic residues. –If N is a prime power all elements in J N (1) are quadratic residues

23 ZK Proof N has 2 Distinct Prime Factors Input N (has two distinct prime factors) Verifier Secret: N factors Output to Challenger N Algorithm –Challenger checks to make sure N is not a prime or prime power. –Challenger picks random group m numbers in J N (1) and sends to Prover –Verifier takes challenger squares {x 1,..x k } and proves they know the k elements are in QR N using ZK Quadratic Residuosity. –If k (count of correct proofs of knowledge) > floor((3/8)m), Challenger accepts Prover’s knowledge.

24 ZK Proof N has 2 Distinct Prime Factors (Ex) 1 14 Q X 0491106446 1941 1513121110987654321 Challenger verifies N is not a prime or prime power. Challenger picks random M numbers J N (1) and sends to Verifier Z * N = {1,2,4,7,8,10,11,13,14} 123 11 12345 1411

25 ZK Proof N has 2 Distinct Prime Factors (Ex) 1 14 Q X 0491106446 1941 1513121110987654321 Z * N = {1,2,4,7,8,11,13,14} (1/15) = (1/3)(1/5) = (1)(1) = 1 123 11 12345 1441 (2/15) = (2/3)(2/5) = (-1)(-1) = 1 (4/15) = (4/3)(4/5) = (1/3)(4/5) = (1)(1) = 1 (7/15) = (7/3)(7/5) = (1/3)(2/5) = (1)(-1) = -1 (8/15) = (8/3)(8/5) = (2/3)(3/5) =(-1)(-1)= 1 (11/15) = (11/3)(11/5) = (2/3)(1/5) = (-1)(1) = -1 (13/15) = (13/3)(13/5) = (1/3)(3/5) = (1)(-1) = -1 (14/15) = (14/3)(14/5) = (2/3)(4/5) = (-1)(1) = -1 J N (1) = {1,2,4,8}

26 ZK Proof N has 2 Distinct Prime Factors (Ex) 1 14 Q X 0491106446 1941 1513121110987654321 Challenger verifies N is not a prime or prime power. Challenger picks random M numbers J N (1) and sends to Verifier Z * N = {1,2,4,7,8,10,11,13,14} J N (1) = {1,2,4,8} Challenger sends m Nums ={4,8} to the Verifier Verifier and Challenger check knowledge via QR. If the error/success count is acceptable, challenger accepts knowledge.

27 ZK Proof N has 2 Distinct Prime Factors As you might have noticed, this ZK method is not 100% secure or called “on-sided-error.” Errors can and will happen on both sides of the protocol

28 ZK Proof N has 2 Distinct Prime Factors Proof The Challenger might have unknowingly accepted Verifier knowledge by more than 3/8 of the random challenges are picked by the challenger are QR. This is known as “BadLuckBob” or in my slides as “BadLuckChallenger.”

29 ZK Proof N has 2 Distinct Prime Factors Proof Completeness –The Challenger has to accept errors from the Verifier because the Challenger might pick nonresidues. A preset criterion should be developed by the Challenger as an acceptable amount of errors. –The Law of Large Numbers states, the larger the number of challenges the Challenger picks, the larger the completeness probability will be. Basically the more times you run a challenge, the more likely the average probability is to even out.

30 ZK Proof N has 2 Distinct Prime Factors Proof (Cont) Soundness –Because of the large amount of challenges of the Verifier knowledge, it is extremely unlikely for the Verifier to not be caught cheating. Again the number of challenges and acceptable errors is up to the Challenger.

Download ppt "Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall."

Similar presentations

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of.

Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Computability and Complexity

Computability and Complexity
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r 175753411947 p q p q p q p and q prime.

Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r p q p q p q p and q prime.
Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.

Introduction to Modern Cryptography Lecture 6 1. Testing Primitive elements in Z p 2. Primality Testing. 3. Integer Multiplication & Factoring as a One.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,

Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
and Factoring Integers (I)

and Factoring Integers (I)
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.

Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
and Factoring Integers

and Factoring Integers
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Similar presentations

Ads by Google