Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall
ZK Facts
• In a ZK proof, if the verifier does not tolerate any errors, the ZK proof is known as a "one-sided-error protocol."
• A protocol where both the verifier and challenger must tolerate errors is said to have "two-sided errors" (probably fast and probably correct).
Review: Composite Number
• A composite number is a number N with the following properties:
  • N > 1
  • N is not prime (it has factors other than N and 1)
Review: Quick Prime Test
• Given a number N, check whether the rightmost bit of its binary representation is 1 or 0.
• If it is 0, N is even and divisible by 2.
• If it is 1, check for factors up to √N. If there are factors, then you have a non-prime number.
• If there exists a factor greater than √N, then the other factor will be less than √N.
Quadratic Residue
• q is a quadratic residue mod p if there is an integer x such that x^2 ≡ q (mod p).
• Example: squares mod 15

  x        | 1 | 2 | 3 | 4 | 5  | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15
  x^2 % 15 | 1 | 4 | 9 | 1 | 10 | 6 | 4 | 4 | 6 | 10 | 1  | 9  | 4  | 1  | 0

• Quadratic residues for 15 are {0,1,4,6,9,10}
• Values not appearing as a q are called quadratic nonresidues
• 0 is always a square but is counted as neither a QR nor a QNR
Reference: http://mathworld.wolfram.com/QuadraticResidue.html
Why Quadratic Residue?
• For a composite number N, no algorithm is known that can decide quadratic residuosity mod N in polynomial time without the factorization of N.
• It is hard to factor N, so there is no way to test for all the QRs.
• Given a new number B and P (an odd prime), you can check if B mod P is a quadratic residue in NP time:
  • B is a QR mod P exactly when B^((P-1)/2) ≡ 1 (mod P) (Euler's criterion)
Reference: http://mathworld.wolfram.com/QuadraticResidue.html
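Added example (not from the slides): the quick prime test with the √N bound, the x / x^2 mod 15 table, and the B^((P-1)/2) criterion above, in Python; the function names are mine.

```python
from math import isqrt

def is_prime_trial(n):
    """Quick prime test from the slides: even n > 2 is out at once; otherwise any
    factor above sqrt(n) pairs with one below it, so trial division stops at isqrt(n)."""
    if n < 2:
        return False
    if n % 2 == 0:                  # rightmost binary bit is 0
        return n == 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True

def square_table(n):
    """x -> x^2 mod n for x = 1..n, the X / Q rows of the slide (n = 15)."""
    return {x: x * x % n for x in range(1, n + 1)}

def quadratic_residues(n):
    """Values occurring as squares mod n; 0 appears but is neither QR nor QNR."""
    return set(square_table(n).values())

def euler_criterion(b, p):
    """b^((p-1)/2) mod p for an odd prime p: 1 for a QR, p-1 (i.e. -1) for a QNR,
    0 when p divides b."""
    return pow(b, (p - 1) // 2, p)

def euler_agrees_with_squaring(p):
    """Cross-check the criterion against brute-force squaring for every b in 1..p-1."""
    squares = {x * x % p for x in range(1, p)}
    return all((euler_criterion(b, p) == 1) == (b in squares) for b in range(1, p))
```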
ZK Proof of Quadratic Residuosity
• Good for checking the proper encryption of a nonspecific bit string.
• Actually used in:
  • Goldwasser-Micali scheme
  • Prevents passive adversary attacks
  • Identity-based cryptosystems
  • Signatures
ZK Proof of Quadratic Residuosity Facts
• Fact 1: Given the factorization of N and x ∈ QR_N, a y with y^2 ≡ x (mod N) can be determined efficiently.
• Fact 2: For any x ∈ QNR_N (x ∈ Z*_N), there is no square root of x.
• Fact 3: If x ∈ QNR_N, then x*y ∈ QR_N ⇒ y ∈ QNR_N
  • (reference: Jacobi symbols of x, y and x*y)
ZK Proof of Quadratic Residuosity Proof
• The proof is shown via the "completeness" and "soundness" of the protocol.
• Completeness
  • Knowing Fact 1, completeness is immediate.
  • Given the factorization of N, for any x ∈ QR_N a y with y^2 ≡ x (mod N) can be computed efficiently.
• Soundness
  • The Verifier sends the commit before the Challenger has chosen a challenge.
  • This gives a cheating Verifier a soundness error of 1/2 per round.
ZK Proof of Quadratic Residuosity Example
• Input
  • N, an odd composite integer that is not a power of a prime.
  • x ∈ QR_N
• Verifier has a secret
  • y ∈ Z*_N with y^2 ≡ x (mod N) (y is a square root of x in Z*_N)
• Verifier sends x ∈ QR_N to the Challenger.
• "Handshaking process loop begins"
  • Repeated a preset number of times for verification
• Verifier starts
  • Picks u ∈_U QR_N
  • Sends the Challenger a Commit = u^2 % N
ZK Proof of Quadratic Residuosity Example (Cont)
• Challenger action
  • Picks Challenge ∈_U {0,1}
  • Sends the Challenge to the Verifier
• Verifier generates a response based on the challenge bit {0,1} and returns it to the Challenger
  • Response = u             if challenge == 0
  • Response = (u*y) % N     if challenge == 1
ZK Proof of Quadratic Residuosity Example (Cont)
• Challenger verifies the Verifier's Response
  • Square the Response and check it against the Commit already received.
  • Response^2 ≡ Commit           (mod N)   if challenge == 0
  • Response^2 ≡ (Commit*x) % N   (mod N)   if challenge == 1
• If the response fails, keep repeating a predetermined number of times; if the Challenger still cannot verify, he quits the protocol.
ZK Proof of Quadratic Residuosity Example (Cont)
Squares mod N = 15:

  x        | 1 | 2 | 3 | 4 | 5  | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14
  x^2 % 15 | 1 | 4 | 9 | 1 | 10 | 6 | 4 | 4 | 6 | 10 | 1  | 9  | 4  | 1

QR_N = {1,4,6,9,10}
QNR_N = {2,3,5,7,8,11,12,13,14}
Verifier has a secret y ∈ Z*_N. Let's choose y = 13.
Challenger is given x such that y^2 ≡ x (mod N).
ZK Proof of Quadratic Residuosity Example (Cont): Verifier Step 1
QR_N = {1,4,6,9,10}, QNR_N = {2,3,5,7,8,11,12,13,14}
y = 13, x = 4 (13^2 = 169 ≡ 4 mod 15)
Verifier picks u ∈_U QR_N: u = 9
Send commit to Challenger: Commit = u^2 % N = 81 % 15 = 6
ZK Proof of Quadratic Residuosity Example (Cont): Challenger Step 1
QR_N = {1,4,6,9,10}, QNR_N = {2,3,5,7,8,11,12,13,14}
y = 13, x = 4, u = 9, Commit = 6
Challenger picks a challenge ∈ {0,1} and sends it to the Verifier. Let's pick Challenge = 1.
ZK Proof of Quadratic Residuosity Example (Cont): Verifier Step 2
QR_N = {1,4,6,9,10}, QNR_N = {2,3,5,7,8,11,12,13,14}
y = 13, x = 4, u = 9, Commit = 6, Challenge = 1
Challenge == 1, so send the response (u*y) % N to the Challenger: Response = (9*13) % 15 = 117 % 15 = 12
Note: If the challenge were 0, the Verifier would send back just u (per the response rule above), and y is never revealed to the Challenger.
ZK Proof of Quadratic Residuosity Example (Cont): Challenger Step 2
QR_N = {1,4,6,9,10}, QNR_N = {2,3,5,7,8,11,12,13,14}
y = 13, x = 4, u = 9, Commit = 6, Challenge = 1, Response = 12
Challenge == 1, so verify Response^2 ≡ (Commit*x) % N:
  12^2 ≡ (6*4) % 15
  144 % 15 ≡ 24 % 15
  9 ≡ 9
Verification passes; "the end" unless more iterations of the same steps are required.
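Added example (my code, not from the slides): the commit / challenge / response / check round above as Python functions, run with the slides' values N = 15, y = 13, x = 4, u = 9, plus a cheating prover that shows the 1/2 soundness error. Assumption: the random u is drawn from Z*_N.

```python
import secrets
from math import gcd

def commit(u, n):
    """Verifier's (prover's) commit: u^2 mod n."""
    return u * u % n

def respond(u, y, challenge, n):
    """Honest prover: challenge 0 reveals u, challenge 1 reveals u*y mod n."""
    return u if challenge == 0 else u * y % n

def check(c, x, challenge, response, n):
    """Challenger: response^2 must equal the commit (bit 0) or commit*x (bit 1)."""
    expected = c if challenge == 0 else c * x % n
    return response * response % n == expected

def random_unit(n):
    """Uniform element of Z*_n (assumption: u is drawn from Z*_n)."""
    while True:
        u = secrets.randbelow(n)
        if u and gcd(u, n) == 1:
            return u

def slide_transcript(n=15, x=4, y=13, u=9, challenge=1):
    """The slides' worked round: returns (commit, response, accepted)."""
    c = commit(u, n)
    r = respond(u, y, challenge, n)
    return c, r, check(c, x, challenge, r, n)

def honest_rounds(x, y, n, rounds):
    """Completeness: a prover holding y with y^2 = x (mod n) passes every round."""
    for _ in range(rounds):
        u, b = random_unit(n), secrets.randbelow(2)
        if not check(commit(u, n), x, b, respond(u, y, b, n), n):
            return False
    return True

def cheating_round(x, n, challenge, guess):
    """Soundness: a prover with no root of x must guess the bit before committing.
    Guess 0: commit r^2, answer r, which only satisfies bit 0.
    Guess 1: commit r^2 * x^-1, answer r, so r^2 = commit*x, which only satisfies bit 1.
    The round passes exactly when guess == challenge, i.e. with probability 1/2."""
    r = random_unit(n)
    c = r * r % n if guess == 0 else r * r * pow(x, -1, n) % n
    return check(c, x, challenge, r, n)
```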
Legendre Symbol
Example with p = 11:

  x        | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10
  x^2 % 11 | 1 | 4 | 9 | 5 | 3 | 3 | 5 | 9 | 4 | 1

  Quadratic residues mod 11: {1,3,4,5,9}, so (1|11) = (3|11) = (4|11) = (5|11) = (9|11) = 1
  Quadratic nonresidues mod 11: {2,6,7,8,10}, so (2|11) = (6|11) = (7|11) = (8|11) = (10|11) = -1

• The Legendre symbol is a number-theoretic function equal to ±1 depending on whether a is a quadratic residue mod p.
• p is an odd prime.
• (a|p) = 1 if a is a quadratic residue mod p
• (a|p) = -1 if a is a quadratic nonresidue mod p
http://mathworld.wolfram.com/LegendreSymbol.html
Jacobi's Symbol
• Jacobi's symbol is a generalization of the Legendre symbol that allows non-prime numbers p.
• The Jacobi symbol looks just like the Legendre symbol.
• It is used for non-prime numbers p. When a prime p is given, it is assumed you are using the Legendre symbol.
• When given an odd positive integer p, you factor it.
• You then reduce the numerator modulo each factor and multiply the resulting Legendre symbols: (2/15) = (2/(3*5)) = (2/3)(2/5)
ZK Proof N has 2 Distinct Prime Factors
• Used to prove that an odd composite integer has exactly two prime factors.
• Or, that N is a valid RSA modulus.
ZK Proof N has 2 Distinct Prime Factors Facts
• Given Facts (1-3) of QR:
  • Fact 1: Given the factorization of N and x ∈ QR_N, a y with y^2 ≡ x (mod N) can be determined efficiently.
  • Fact 2: For any x ∈ QNR_N (x ∈ Z*_N), there is no square root of x.
  • Fact 3: If x ∈ QNR_N, then x*y ∈ QR_N ⇒ y ∈ QNR_N
    • (reference: Jacobi symbols of x, y and x*y)
• we add two more facts
ZK Proof N has 2 Distinct Prime Factors Facts (Cont)
• Fact 4: If N is an odd composite integer with two distinct odd prime factors, let J_N(1) = {x | x ∈ Z*_N, (x/N) = 1}. Precisely 1/2 of J_N(1) are quadratic residues (a quadratic residue always has symbol +1, so every QR lies in J_N(1)).
• Fact 5: If N is odd, not prime, not a prime power, and not a composite with exactly two distinct primes, then at most 1/4 of J_N(1) are quadratic residues.
• If N is a prime power, all elements of J_N(1) are quadratic residues.
ZK Proof N has 2 Distinct Prime Factors
• Input: N (has two distinct prime factors)
• Verifier secret: the factors of N
• Output to Challenger: N
• Algorithm
  • Challenger checks to make sure N is not a prime or a prime power.
  • Challenger picks a random group of m numbers in J_N(1) and sends them to the Prover.
  • Verifier takes the Challenger's numbers {x1, ..., xk} and proves that these k elements are in QR_N using ZK Quadratic Residuosity.
  • If k (count of correct proofs of knowledge) > floor((3/8)m), the Challenger accepts the Prover's knowledge.
ZK Proof N has 2 Distinct Prime Factors (Ex)
N = 15 (squares mod 15 as in the table above)
Challenger verifies N is not a prime or a prime power.
Challenger picks random M numbers from J_N(1) and sends them to the Verifier.
Z*_N = {1,2,4,7,8,11,13,14}
ZK Proof N has 2 Distinct Prime Factors (Ex)
Z*_N = {1,2,4,7,8,11,13,14}
(1/15)  = (1/3)(1/5)   = (1)(1)    = 1
(2/15)  = (2/3)(2/5)   = (-1)(-1)  = 1
(4/15)  = (4/3)(4/5)   = (1/3)(4/5) = (1)(1)   = 1
(7/15)  = (7/3)(7/5)   = (1/3)(2/5) = (1)(-1)  = -1
(8/15)  = (8/3)(8/5)   = (2/3)(3/5) = (-1)(-1) = 1
(11/15) = (11/3)(11/5) = (2/3)(1/5) = (-1)(1)  = -1
(13/15) = (13/3)(13/5) = (1/3)(3/5) = (1)(-1)  = -1
(14/15) = (14/3)(14/5) = (2/3)(4/5) = (-1)(1)  = -1
J_N(1) = {1,2,4,8}
ZK Proof N has 2 Distinct Prime Factors (Ex)
Z*_N = {1,2,4,7,8,11,13,14}
J_N(1) = {1,2,4,8}
Challenger sends mNums = {4,8} to the Verifier.
Verifier and Challenger check knowledge via the QR protocol for each number.
If the error/success count is acceptable, the Challenger accepts the knowledge. Here 4 ∈ QR_N but 8 ∉ QR_N, so k = 1 of m = 2 proofs succeed, and 1 > floor((3/8)·2) = 0.
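Added example (my code, not from the slides) covering the Jacobi symbol slide, the J_N(1) computation for N = 15, Facts 4 and 5, and the floor(3m/8) acceptance rule. Assumptions: the challenger uses all of J_N(1) as its m challenges rather than a random sample, and the prover's per-element QR proofs are replaced by a direct square test, which an honest prover who knows the factors can always pass.

```python
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 by quadratic reciprocity; equals the
    Legendre symbol when n is prime, so one routine serves both slides."""
    assert n > 0 and n % 2 == 1
    a, result = a % n, 1
    while a:
        while a % 2 == 0:              # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                    # reciprocity: flip sign iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0     # gcd(a, n) > 1 gives 0

def is_prime_power(n):
    """True for n = p^k with p prime (primes included); the challenger rejects these first."""
    for p in range(2, n + 1):
        if n % p == 0:
            while n % p == 0:
                n //= p
            return n == 1
    return False

def units(n):
    return [x for x in range(1, n) if gcd(x, n) == 1]

def jn1(n):
    """J_N(1): elements of Z*_N with Jacobi symbol +1."""
    return [x for x in units(n) if jacobi(x, n) == 1]

def qr_fraction(n):
    """Share of J_N(1) that are squares: 1/2 for two distinct primes, <= 1/4 for
    three or more, 1 for an odd prime power such as 27 (the slides' Facts 4 and 5)."""
    squares = {x * x % n for x in units(n)}
    j = jn1(n)
    return sum(x in squares for x in j) / len(j)

def accept_two_prime_claim(n):
    """Challenger's rule with all of J_N(1) as the m challenges: accept iff the
    prover can show more than floor(3m/8) of them are quadratic residues."""
    if is_prime_power(n):
        return False
    j = jn1(n)
    squares = {x * x % n for x in units(n)}
    return sum(x in squares for x in j) > (3 * len(j)) // 8
```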
ZK Proof N has 2 Distinct Prime Factors
• As you might have noticed, this ZK method is not 100% secure, i.e. it is not "one-sided-error."
• Errors can and will happen on both sides of the protocol.
ZK Proof N has 2 Distinct Prime Factors Proof
• The Challenger might unknowingly accept the Verifier's knowledge when more than 3/8 of the random challenges picked by the Challenger happen to be QRs.
• This is known as "BadLuckBob," or in my slides as "BadLuckChallenger."
ZK Proof N has 2 Distinct Prime Factors Proof
• Completeness
  • The Challenger has to accept errors from the Verifier because the Challenger might pick nonresidues. A preset criterion should be developed by the Challenger as an acceptable amount of errors.
  • The Law of Large Numbers states that the larger the number of challenges the Challenger picks, the larger the completeness probability will be.
  • Basically, the more times you run a challenge, the more likely the average probability is to even out.
ZK Proof N has 2 Distinct Prime Factors Proof (Cont)
• Soundness
  • Because of the large number of challenges to the Verifier's knowledge, it is extremely unlikely for a cheating Verifier not to be caught.
  • Again, the number of challenges and the acceptable number of errors is up to the Challenger.