Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols

Quadratic Residuosity and Two Distinct Prime Factor ZK

Protocols

By Stephen Hall

ZK Facts

• In a ZK proof if the verifier does not tolerate any errors, the ZK proof is known as an “on-sided-error protocol.”

• A protocol where both the verifier and challenger must tolerate errors is said to have “two-sided-errors” (probably fast and probably correct).

Review: Composite Number

• A composite number is a number N with the following properties

– N > 1

– N is not prime (factors other than N and 1)

Review: Quick Prime Test

• Given a number, check to see if the binary number has a rightmost bit of 1 or 0.

– If it is 0, it is even and divisible by 2.

– If it is 1, check up to N. If there are factors, then you have a non prime number.

• If there exists a factor N, then the other factor will be less than the N.

Quadratic Residue

• If there is an integer x such that x2 q (mod p).

• Example:

– Quadratic Residues of 15 are

– Quadratic Residues for 15 are {0,1,4,6,9,10}

– Numbers p not listed as a q are called quadratic nonresidues

– 0 is always square but is !QNR and !QR

Reference: http://mathworld.wolfram.com/QuadraticResidue.html

1

14

Q

X

0491106446101941

1513121110987654321

Why Quadratic Residue?

• For a composite number N, no algorithm is known to be able to decide quadratic residousity mod N in polynomial time without the factorization of N.

• It is hard to factor N, so you have no way of being able to test all the QR.

• Given a new number B, and P (an odd prime), you can check if B mod P is a quadratic residue in NP Time.– B(P-1)/2 mod P

Reference: http://mathworld.wolfram.com/QuadraticResidue.html

ZK Proof of Quadratic Residuosity

• Good for checking the proper encryption of a nonspecific bit string.

– Actually used in – Goldwasser-Micali Scheme

» Prevents passive adversary attacks

– Identity-based cryptosystems

» signatures

ZK Proof of Quadratic Residuosity Facts

1. Given the factorization of N, xQRN, y2 x % n can be determined efficiently.

2. For any xQNRN, Z*N, there is no square root of x.

3. If xQNRN, x*yQRN yQNRN

• (reference Jacobi Symbols of x,y and x*y)

ZK Proof of Quadratic Residuosity Proof

• The proof is shown via the “completeness” and “soundness” of the protocol.

• Completeness• It is said knowing Fact 1, the completeness is immediate.

– Given the factorization of N, any

» xQRN, y2 x % n,You can compute N efficiently

• Soundness• Verifier sends the commit before the Challenger has chosen a

challenge.

– This makes the Verifier cheating have a soundness error of 1/2.

ZK Proof of Quadratic Residuosity Example

• Take Input

– N, an odd composite integer not the power of a prime.

– xQRN,

• Verifier has a secret

– yZ*N, y2 x % N (quadratic residues for Z*

N)

• Verifier sends to Challenger xQRN.

• “handshaking process loop begins”– Preset amount of times for verification

• Verifier Starts

– Picks uUQRN

– Sends to Challenger a Commit u2 % N

ZK Proof of Quadratic Residuosity Example (Cont)

• Challenger action

– Picks ChallengeU {0,1}

– Sends to Verifier Challenge

• Verifier generates response based on challenge {0,1} and returns to challenger– Response { case (challenge == 0) u

– { case (challenge == 1) (u*y) % N


• Challenger verifies Verifier Response

– Square Response and check against the commit already received.

– Response2 { case (challenge == 0) : Commit { case (challenge == 1) : (Commit*x) % N

• If the response fails, keep repeating a predetermined amount of times. If the Challenger still cannot verify, he quits the protocol.


1

14

Q

X

491106446101941

13121110987654321

QRN = {1,4,6,9,10} QNRN ={2,3,5,7,8,11,12,13,14}

Verifier has a secret y Z*N

Lets choose y = 13

Challenger is given x such that y2 x % N

ZK Proof of Quadratic Residuosity Example (Cont)Verifier Step 1

1

14

Q

X

491106446101941

13121110987654321

QRN = {1,4,6,9,10} QNRN ={2,3,5,7,8,11,12,13,14}

y = 13, x = 4

Verifier picks uUQRN, u = 9

Send commit to challenger. Commit = u2 % N = 6

ZK Proof of Quadratic Residuosity Example (Cont)Challenger Step 1

1

14

Q

X

491106446101941

13121110987654321

QRN = {1,4,6,9,10} QNRN ={2,3,5,7,8,11,12,13,14}

y = 13, x = 4, uUQRN, u = 9, Commit = 6

Challenger picks a challenge = {0,1}

Send challenge to Verifier. Lets pick Challenge = 1

ZK Proof of Quadratic Residuosity Example (Cont)Verifier Step 2

1

14

Q

X

491106446101941

13121110987654321

QRN = {1,4,6,9,10} QNRN ={2,3,5,7,8,11,12,13,14}

y = 13, x = 4, uUQRN, u = 9, Commit = 6, Challenge = 1

Challenge == 1, send response of (u*y)%N to challenger.Response = (9*13)%15 = 12

Note: If the challenge was a 0, the Verifier would send backjust y, but the Challenger does not know that y is sent.

ZK Proof of Quadratic Residuosity Example (Cont)Challenger Step 2

1

14

Q

X

491106446101941

13121110987654321

QRN = {1,4,6,9,10} QNRN ={2,3,5,7,8,11,12,13,14}

y = 13, x = 4, uUQRN, u = 9, Commit = 6, challenge = 1,response = 12

Challenge == 1, verify response2 (Commit*x)%N122 (6*4)%N

122 (6*4) %N , (144%N) (24)%N, 9

Verification passes, “the end” unless there are more iterations of the same steps required.

Legendre Symbol

• Number Theoretic function is +-1 based on if a is a quadratic residue mod p.

• p is an odd prime.• a is a quadratic residue % p.• = (a|p) { 1, a is a quadratic residue % p

{ -1, a is a quadratic nonresidue % p

http://mathworld.wolfram.com/LegendreSymbol.html

=11111111111

95431

= -11111111111

108762

3

6

5

7

9

8

4

9

1

10

35941

54321

Jacobi’s Symbol

• Jacobi’s Symbol is a generalization of the Legendre Symbol that allows non prime numbers p.

• The Jacobi symbol looks just like the Legendre Symbol.– It is used for nonprime numbers p. When a prime p is given, it is assumed

you are using the Legendre Symbol.– When given an odd positive integer (p), you factor it.– You then use modulus on the numerator with each factor.

(2/15)

ZK Proof N has 2 Distinct Prime Factors

• Used to prove an odd composite integer has exactly two prime factors.

• Or, that N is a valid RSA modulus.

ZK Proof N has 2 Distinct Prime Factors Facts

• Given Facts (1-3) of QR,

1. Given the factorization of N, any xQRN, y2 x % n,can be determined efficiently.

2. For any xQNRN, Z*N, there is no square root of x.

3. If xQNRN, • x*yQRN yQNRN

– (reference Jacobi Symbols of x,y and x*y)• we add two more facts

ZK Proof N has 2 Distinct Prime Factors Facts (Cont)

1. If N is an odd composite integer that has two distinct odd prime factors,

JN(1) = {x|xZ*N, (x/n) = 1}

Precisely ½ are quadratic residues (1/2 must be positive Legendre Symbol).

2. If N is not an odd composite number with two distinct primes, not prime, and not a prime power then at most ¼ of JN(1) is quadratic residues.

– If N is a prime power all elements in JN(1) are quadratic residues


• Input N (has two distinct prime factors)

• Verifier Secret: N factors

• Output to Challenger N

• Algorithm

– Challenger checks to make sure N is not a prime or prime power.

– Challenger picks random group m numbers in JN(1) and sends to Prover

– Verifier takes challenger squares {x1,..xk} and proves they know the k elements are in QRN using ZK Quadratic Residuosity.

– If k (count of correct proofs of knowledge) > floor((3/8)m), Challenger accepts Prover’s knowledge.

ZK Proof N has 2 Distinct Prime Factors (Ex)

1

14

Q

X

0491106446101941

1513121110987654321

Challenger verifies N is not a prime or prime power.

Challenger picks random M numbers JN(1) and sends to Verifier

Z*N = {1,2,4,7,8,10,11,13,14}

1 2 3

1 1

1 2 3 4 5

1 4 1 1


1

14

Q

X

0491106446101941

1513121110987654321

Z*N = {1,2,4,7,8,11,13,14}

(1/15) = (1/3)(1/5) = (1)(1) = 1

1 2 3

1 1

1 2 3 4 5

1 4 4 1

(2/15) = (2/3)(2/5) = (-1)(-1) = 1

(4/15) = (4/3)(4/5) = (1/3)(4/5) = (1)(1) = 1

(7/15) = (7/3)(7/5) = (1/3)(2/5) = (1)(-1) = -1

(8/15) = (8/3)(8/5) = (2/3)(3/5) =(-1)(-1)= 1

(11/15) = (11/3)(11/5) = (2/3)(1/5) = (-1)(1) = -1

(13/15) = (13/3)(13/5) = (1/3)(3/5) = (1)(-1) = -1

(14/15) = (14/3)(14/5) = (2/3)(4/5) = (-1)(1) = -1

JN(1) = {1,2,4,8}


1

14

Q

X

0491106446101941

1513121110987654321

Challenger verifies N is not a prime or prime power.

Challenger picks random M numbers JN(1) and sends to Verifier

Z*N = {1,2,4,7,8,10,11,13,14}

JN(1) = {1,2,4,8} Challenger sends mNums={4,8} to the VerifierVerifier and Challenger check knowledge via QR.

If the error/success count is acceptable, challenger acceptsknowledge.


• As you might have noticed, this ZK method is not 100% secure or called “on-sided-error.”

• Errors can and will happen on both sides of the protocol

ZK Proof N has 2 Distinct Prime Factors Proof

• The Challenger might have unknowingly accepted Verifier knowledge by more than 3/8 of the random challenges are picked by the challenger are QR.

• This is known as “BadLuckBob” or in my slides as “BadLuckChallenger.”

ZK Proof N has 2 Distinct Prime Factors Proof

• Completeness

– The Challenger has to accept errors from the Verifier because the Challenger might pick nonresidues. A preset criterion should be developed by the Challenger as an acceptable amount of errors.

– The Law of Large Numbers states, the larger the number of challenges the Challenger picks, the larger the completeness probability will be.

• Basically the more times you run a challenge, the more likely the average probability is to even out.

ZK Proof N has 2 Distinct Prime Factors Proof (Cont)

• Soundness

– Because of the large amount of challenges of the Verifier knowledge, it is extremely unlikely for the Verifier to not be caught cheating. • Again the number of challenges and

acceptable errors is up to the Challenger.

Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols

Documents

Transcript of Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols