Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols
By Stephen Hall
ZK Facts
• In a ZK proof, if the verifier does not tolerate any errors, the ZK proof is known as a “one-sided-error protocol.”
• A protocol where both the verifier and challenger must tolerate errors is said to have “two-sided-errors” (probably fast and probably correct).
Review: Composite Number
• A composite number is a number N with the following properties
– N > 1
– N is not prime (factors other than N and 1)
Review: Quick Prime Test
• Given a number, check to see if the binary number has a rightmost bit of 1 or 0.
– If it is 0, it is even and divisible by 2.
– If it is 1, check for factors up to √N. If there are factors, then you have a non-prime number.
• If there exists a factor greater than √N, then the other factor will be less than √N.
Quadratic Residue
• q is a quadratic residue mod p if there is an integer x such that x² ≡ q (mod p).
• Example:
– Quadratic Residues for 15 are {0,1,4,6,9,10}
– Numbers p not listed as a q are called quadratic nonresidues
– 0 is always square but is !QNR and !QR
Reference: http://mathworld.wolfram.com/QuadraticResidue.html
X:  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
Q:  1  4  9  1 10  6  4  4  6 10  1  9  4  1  0
Why Quadratic Residue?
• For a composite number N, no algorithm is known to be able to decide quadratic residuosity mod N in polynomial time without the factorization of N.
• It is hard to factor N, so you have no way of being able to test all the QR.
• Given a new number B, and P (an odd prime), you can check if B mod P is a quadratic residue in NP Time.
– B^((P-1)/2) mod P
Reference: http://mathworld.wolfram.com/QuadraticResidue.html
ZK Proof of Quadratic Residuosity
• Good for checking the proper encryption of a nonspecific bit string.
– Actually used in:
– Goldwasser-Micali Scheme
» Prevents passive adversary attacks
– Identity-based cryptosystems
» signatures
ZK Proof of Quadratic Residuosity Facts
1. Given the factorization of N, for any x ∈ QR_N, y with y² ≡ x % N can be determined efficiently.
2. For any x ∈ QNR_N in Z*_N, there is no square root of x.
3. If x ∈ QNR_N, x*y ∈ QR_N ⇒ y ∈ QNR_N
• (reference Jacobi Symbols of x,y and x*y)
ZK Proof of Quadratic Residuosity Proof
• The proof is shown via the “completeness” and “soundness” of the protocol.
• Completeness
– It is said knowing Fact 1, the completeness is immediate.
– Given the factorization of N, for any
» x ∈ QR_N, y² ≡ x % N, you can compute N efficiently
• Soundness
– Verifier sends the commit before the Challenger has chosen a challenge.
– This gives a cheating Verifier a soundness error of 1/2.
ZK Proof of Quadratic Residuosity Example
• Take Input
– N, an odd composite integer not the power of a prime.
– x ∈ QR_N
• Verifier has a secret
– y ∈ Z*_N, y² ≡ x % N (quadratic residues for Z*_N)
• Verifier sends to Challenger x ∈ QR_N.
• “handshaking process loop begins”
– Preset amount of times for verification
• Verifier Starts
– Picks u ∈_U QR_N
– Sends to Challenger a Commit = u² % N
ZK Proof of Quadratic Residuosity Example (Cont)
• Challenger action
– Picks Challenge ∈_U {0,1}
– Sends to Verifier Challenge
• Verifier generates response based on challenge {0,1} and returns to challenger
– Response = u, case (challenge == 0)
– Response = (u*y) % N, case (challenge == 1)
ZK Proof of Quadratic Residuosity Example (Cont)
• Challenger verifies Verifier Response
– Square Response and check against the commit already received.
– Response² ≡ Commit, case (challenge == 0)
– Response² ≡ (Commit*x) % N, case (challenge == 1)
• If the response fails, keep repeating a predetermined amount of times. If the Challenger still cannot verify, he quits the protocol.
ZK Proof of Quadratic Residuosity Example (Cont)
X:  1  2  3  4  5  6  7  8  9 10 11 12 13 14
Q:  1  4  9  1 10  6  4  4  6 10  1  9  4  1
QR_N = {1,4,6,9,10}, QNR_N = {2,3,5,7,8,11,12,13,14}
Verifier has a secret y ∈ Z*_N
Let's choose y = 13
Challenger is given x such that y² ≡ x % N
ZK Proof of Quadratic Residuosity Example (Cont): Verifier Step 1
QR_N = {1,4,6,9,10}, QNR_N = {2,3,5,7,8,11,12,13,14}
y = 13, x = 4
Verifier picks u ∈_U QR_N, u = 9
Send commit to challenger. Commit = u² % N = 6
ZK Proof of Quadratic Residuosity Example (Cont): Challenger Step 1
QR_N = {1,4,6,9,10}, QNR_N = {2,3,5,7,8,11,12,13,14}
y = 13, x = 4, u ∈_U QR_N, u = 9, Commit = 6
Challenger picks a challenge from {0,1}
Send challenge to Verifier. Let's pick Challenge = 1
ZK Proof of Quadratic Residuosity Example (Cont): Verifier Step 2
QR_N = {1,4,6,9,10}, QNR_N = {2,3,5,7,8,11,12,13,14}
y = 13, x = 4, u ∈_U QR_N, u = 9, Commit = 6, Challenge = 1
Challenge == 1, send response of (u*y) % N to challenger.
Response = (9*13) % 15 = 12
Note: If the challenge was a 0, the Verifier would send back just y, but the Challenger does not know that y is sent.
ZK Proof of Quadratic Residuosity Example (Cont): Challenger Step 2
QR_N = {1,4,6,9,10}, QNR_N = {2,3,5,7,8,11,12,13,14}
y = 13, x = 4, u ∈_U QR_N, u = 9, Commit = 6, challenge = 1, response = 12
Challenge == 1, verify response² ≡ (Commit*x) % N
12² ≡ (6*4) % N, (144 % N) ≡ (24 % N) ≡ 9
Verification passes, “the end” unless there are more iterations of the same steps required.
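The rounds walked through above, as runnable code. This is an added example, not part of the original slides; the function names are illustrative, and the roles follow the slides' naming (the "Verifier" holds the secret y, the "Challenger" checks). It also shows why the Challenger repeats rounds: a side that does not know y can only prepare a commit that fits one of the two challenge values.

```python
import secrets
from math import gcd

def random_square(N):
    """u drawn from QR_N: square a random unit of Z*_N."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return pow(r, 2, N)

def commit(u, N):
    return pow(u, 2, N)                      # Commit = u^2 % N

def respond(u, y, challenge, N):
    return u % N if challenge == 0 else (u * y) % N

def check(x, commit_value, challenge, response, N):
    # Challenger's test: Response^2 against Commit or (Commit*x) % N
    expected = commit_value if challenge == 0 else (commit_value * x) % N
    return pow(response, 2, N) == expected

def run_rounds(N, x, y, rounds):
    """Honest run with the real y: every round must pass (completeness)."""
    for _ in range(rounds):
        u = random_square(N)
        c = commit(u, N)
        challenge = secrets.randbelow(2)
        if not check(x, c, challenge, respond(u, y, challenge, N), N):
            return False
    return True

def guessing_outcomes(N, x, guess, r):
    """A side without y fixes its commit for one guessed challenge value.
    Returns [passes if challenge == 0, passes if challenge == 1]."""
    r2 = pow(r, 2, N)
    c = r2 if guess == 0 else (r2 * pow(x, -1, N)) % N
    return [check(x, c, challenge, r, N) for challenge in (0, 1)]

if __name__ == "__main__":
    N, x, y, u = 15, 4, 13, 9                # the slides' toy values
    c = commit(u, N)
    resp = respond(u, y, 1, N)
    print(c, resp, check(x, c, 1, resp, N))
    print(run_rounds(N, x, y, 20))
    print(guessing_outcomes(N, x, 1, 7))     # r = 7 is a constructed value
```

Each round a guessing side survives with probability 1/2, so k rounds leave it a 1/2^k chance of passing all of them.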
Legendre Symbol
• A number-theoretic function whose value is ±1 depending on whether a is a quadratic residue mod p.
• p is an odd prime.
• a is a quadratic residue % p.
• (a|p) = 1 if a is a quadratic residue % p
• (a|p) = -1 if a is a quadratic nonresidue % p
http://mathworld.wolfram.com/LegendreSymbol.html
Example (p = 11):
(1/11) = (3/11) = (4/11) = (5/11) = (9/11) = 1
(2/11) = (6/11) = (7/11) = (8/11) = (10/11) = -1
X:  1  2  3  4  5  6  7  8  9 10
Q:  1  4  9  5  3  3  5  9  4  1
Jacobi’s Symbol
• Jacobi’s Symbol is a generalization of the Legendre Symbol that allows non prime numbers p.
• The Jacobi symbol looks just like the Legendre Symbol.
– It is used for nonprime numbers p. When a prime p is given, it is assumed you are using the Legendre Symbol.
– When given an odd positive integer (p), you factor it.
– You then use modulus on the numerator with each factor.
(2/15)
ZK Proof N has 2 Distinct Prime Factors
• Used to prove an odd composite integer has exactly two prime factors.
• Or, that N is a valid RSA modulus.
ZK Proof N has 2 Distinct Prime Factors Facts
• Given Facts (1-3) of QR,
1. Given the factorization of N, for any x ∈ QR_N, y with y² ≡ x % N can be determined efficiently.
2. For any x ∈ QNR_N in Z*_N, there is no square root of x.
3. If x ∈ QNR_N, x*y ∈ QR_N ⇒ y ∈ QNR_N
– (reference Jacobi Symbols of x, y and x*y)
• we add two more facts
ZK Proof N has 2 Distinct Prime Factors Facts (Cont)
1. If N is an odd composite integer that has two distinct odd prime factors, then in
J_N(1) = {x | x ∈ Z*_N, (x/N) = 1}
precisely ½ of the elements are quadratic residues (1/2 must be positive Legendre Symbol).
2. If N is not an odd composite number with two distinct primes, not prime, and not a prime power then at most ¼ of J_N(1) are quadratic residues.
– If N is a prime power all elements in J_N(1) are quadratic residues
ZK Proof N has 2 Distinct Prime Factors
• Input N (has two distinct prime factors)
• Verifier Secret: N factors
• Output to Challenger N
• Algorithm
– Challenger checks to make sure N is not a prime or prime power.
– Challenger picks a random group of m numbers in J_N(1) and sends them to Prover
– Verifier takes the Challenger's squares {x1,...,xk} and proves they know the k elements are in QR_N using ZK Quadratic Residuosity.
– If k (count of correct proofs of knowledge) > floor((3/8)m), Challenger accepts Prover’s knowledge.
ZK Proof N has 2 Distinct Prime Factors (Ex)
Challenger verifies N is not a prime or prime power.
Challenger picks random M numbers from J_N(1) and sends to Verifier
Z*_N = {1,2,4,7,8,10,11,13,14}
ZK Proof N has 2 Distinct Prime Factors (Ex)
Z*_N = {1,2,4,7,8,11,13,14}
Squares mod 3 (X: 1 2 → Q: 1 1) and mod 5 (X: 1 2 3 4 → Q: 1 4 4 1)
(1/15) = (1/3)(1/5) = (1)(1) = 1
(2/15) = (2/3)(2/5) = (-1)(-1) = 1
(4/15) = (4/3)(4/5) = (1/3)(4/5) = (1)(1) = 1
(7/15) = (7/3)(7/5) = (1/3)(2/5) = (1)(-1) = -1
(8/15) = (8/3)(8/5) = (2/3)(3/5) = (-1)(-1) = 1
(11/15) = (11/3)(11/5) = (2/3)(1/5) = (-1)(1) = -1
(13/15) = (13/3)(13/5) = (1/3)(3/5) = (1)(-1) = -1
(14/15) = (14/3)(14/5) = (2/3)(4/5) = (-1)(1) = -1
J_N(1) = {1,2,4,8}
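The Jacobi symbols above can be computed without factoring N, which is what lets the Challenger pick elements of J_N(1) on its own. The following is an added example, not part of the original slides: it uses the standard reciprocity-based algorithm (a different method from the per-factor evaluation shown above), and the function names and the second modulus 105 = 3*5*7 are illustrative choices. Quadratic residues are counted inside Z*_N here, as in the definition of J_N(1).

```python
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    sign = 1
    while a:
        while a % 2 == 0:            # (2/n) = -1 exactly when n % 8 is 3 or 5
            a //= 2
            if n % 8 in (3, 5):
                sign = -sign
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            sign = -sign
        a %= n
    return sign if n == 1 else 0     # 0 when gcd(a, n) > 1

def units(N):
    return [x for x in range(1, N) if gcd(x, N) == 1]

def j_plus(N):
    """J_N(1): units of Z*_N whose Jacobi symbol is +1."""
    return [x for x in units(N) if jacobi(x, N) == 1]

def squares(N):
    """Quadratic residues inside Z*_N, found by brute force (toy sizes only)."""
    return sorted({x * x % N for x in units(N)})

def qr_share(N):
    """Fraction of J_N(1) that is a quadratic residue, as (count, total)."""
    return len(squares(N)), len(j_plus(N))

def euler_legendre(b, p):
    """Legendre symbol via B^((P-1)/2) mod P for an odd prime p."""
    return 1 if pow(b, (p - 1) // 2, p) == 1 else -1

if __name__ == "__main__":
    print(j_plus(15), squares(15), qr_share(15))    # two prime factors
    print(qr_share(105))                            # three prime factors
    print([b for b in range(1, 11) if jacobi(b, 11) == 1])
```

For N = 15 the share is 1/2 and for N = 105 it is 1/4; the floor((3/8)m) acceptance threshold sits between those two values.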
ZK Proof N has 2 Distinct Prime Factors (Ex)
Challenger verifies N is not a prime or prime power.
Challenger picks random M numbers from J_N(1) and sends to Verifier
Z*_N = {1,2,4,7,8,10,11,13,14}
J_N(1) = {1,2,4,8}
Challenger sends mNums = {4,8} to the Verifier
Verifier and Challenger check knowledge via QR.
If the error/success count is acceptable, challenger accepts knowledge.
ZK Proof N has 2 Distinct Prime Factors
• As you might have noticed, this ZK method is not 100% secure or called “one-sided-error.”
• Errors can and will happen on both sides of the protocol
ZK Proof N has 2 Distinct Prime Factors Proof
• The Challenger might unknowingly accept the Verifier's knowledge because more than 3/8 of the random challenges picked by the Challenger are QR.
• This is known as “BadLuckBob” or in my slides as “BadLuckChallenger.”
ZK Proof N has 2 Distinct Prime Factors Proof
• Completeness
– The Challenger has to accept errors from the Verifier because the Challenger might pick nonresidues. A preset criterion should be developed by the Challenger as an acceptable amount of errors.
– The Law of Large Numbers states, the larger the number of challenges the Challenger picks, the larger the completeness probability will be.
• Basically the more times you run a challenge, the more likely the average probability is to even out.
ZK Proof N has 2 Distinct Prime Factors Proof (Cont)
• Soundness
– Because of the large number of challenges to the Verifier's knowledge, it is extremely unlikely for the Verifier to not be caught cheating.
• Again the number of challenges and acceptable errors is up to the Challenger.