Quadratic Residuosity and Two Distinct Prime Factor ZK

Protocols

By Stephen Hall

ZK Facts

• In a ZK proof if the verifier does not tolerate any errors, the ZK proof is known as an “on-sided-error protocol.”

• A protocol where both the verifier and challenger must tolerate errors is said to have “two-sided-errors” (probably fast and probably correct).

Review: Composite Number

• A composite number is a number N with the following properties

– N > 1

– N is not prime (factors other than N and 1)

Review: Quick Prime Test

• Given a number, check to see if the binary number has a rightmost bit of 1 or 0.

– If it is 0, it is even and divisible by 2.

– If it is 1, check up to N. If there are factors, then you have a non prime number.

• If there exists a factor N, then the other factor will be less than the N.

Quadratic Residue

• If there is an integer x such that x2 q (mod p).

• Example:

– Quadratic Residues of 15 are

– Quadratic Residues for 15 are {0,1,4,6,9,10}

– Numbers p not listed as a q are called quadratic nonresidues

– 0 is always square but is !QNR and !QR

Reference: http://mathworld.wolfram.com/QuadraticResidue.html

1

14

Q

X

0491106446101941

1513121110987654321

Why Quadratic Residue?

• For a composite number N, no algorithm is known to be able to decide quadratic residousity mod N in polynomial time without the factorization of N.

• It is hard to factor N, so you have no way of being able to test all the QR.

• Given a new number B, and P (an odd prime), you can check if B mod P is a quadratic residue in NP Time.– B(P-1)/2 mod P

Reference: http://mathworld.wolfram.com/QuadraticResidue.html

ZK Proof of Quadratic Residuosity

• Good for checking the proper encryption of a nonspecific bit string.

– Actually used in – Goldwasser-Micali Scheme

» Prevents passive adversary attacks

– Identity-based cryptosystems

» signatures

ZK Proof of Quadratic Residuosity Facts

1. Given the factorization of N, xQRN, y2 x % n can be determined efficiently.

2. For any xQNRN, Z*N, there is no square root of x.

3. If xQNRN, x*yQRN yQNRN

• (reference Jacobi Symbols of x,y and x*y)

ZK Proof of Quadratic Residuosity Proof

• The proof is shown via the “completeness” and “soundness” of the protocol.

• Completeness• It is said knowing Fact 1, the completeness is immediate.

– Given the factorization of N, any

» xQRN, y2 x % n,You can compute N efficiently

• Soundness• Verifier sends the commit before the Challenger has chosen a

challenge.

– This makes the Verifier cheating have a soundness error of 1/2.

ZK Proof of Quadratic Residuosity Example

• Take Input

– N, an odd composite integer not the power of a prime.

– xQRN,

• Verifier has a secret

– yZ*N, y2 x % N (quadratic residues for Z*

N)

• Verifier sends to Challenger xQRN.

• “handshaking process loop begins”– Preset amount of times for verification

• Verifier Starts

– Picks uUQRN

– Sends to Challenger a Commit u2 % N

ZK Proof of Quadratic Residuosity Example (Cont)

• Challenger action

– Picks ChallengeU {0,1}

– Sends to Verifier Challenge

• Verifier generates response based on challenge {0,1} and returns to challenger– Response { case (challenge == 0) u

– { case (challenge == 1) (u*y) % N

ZK Proof of Quadratic Residuosity Example (Cont)

• Challenger verifies Verifier Response

– Square Response and check against the commit already received.

– Response2 { case (challenge == 0) : Commit { case (challenge == 1) : (Commit*x) % N

• If the response fails, keep repeating a predetermined amount of times. If the Challenger still cannot verify, he quits the protocol.

ZK Proof of Quadratic Residuosity Example (Cont)

1

14

Q

X

491106446101941

13121110987654321

QRN = {1,4,6,9,10} QNRN ={2,3,5,7,8,11,12,13,14}

Verifier has a secret y Z*N

Lets choose y = 13

Challenger is given x such that y2 x % N

ZK Proof of Quadratic Residuosity Example (Cont)Verifier Step 1

1

14

Q

X

491106446101941

13121110987654321

QRN = {1,4,6,9,10} QNRN ={2,3,5,7,8,11,12,13,14}

y = 13, x = 4

Verifier picks uUQRN, u = 9

Send commit to challenger. Commit = u2 % N = 6

ZK Proof of Quadratic Residuosity Example (Cont)Challenger Step 1

1

14

Q

X

491106446101941

13121110987654321

QRN = {1,4,6,9,10} QNRN ={2,3,5,7,8,11,12,13,14}

y = 13, x = 4, uUQRN, u = 9, Commit = 6

Challenger picks a challenge = {0,1}

Send challenge to Verifier. Lets pick Challenge = 1

ZK Proof of Quadratic Residuosity Example (Cont)Verifier Step 2

1

14

Q

X

491106446101941

13121110987654321

QRN = {1,4,6,9,10} QNRN ={2,3,5,7,8,11,12,13,14}

y = 13, x = 4, uUQRN, u = 9, Commit = 6, Challenge = 1

Challenge == 1, send response of (u*y)%N to challenger.Response = (9*13)%15 = 12

Note: If the challenge was a 0, the Verifier would send backjust y, but the Challenger does not know that y is sent.

ZK Proof of Quadratic Residuosity Example (Cont)Challenger Step 2

1

14

Q

X

491106446101941

13121110987654321

QRN = {1,4,6,9,10} QNRN ={2,3,5,7,8,11,12,13,14}

y = 13, x = 4, uUQRN, u = 9, Commit = 6, challenge = 1,response = 12

Challenge == 1, verify response2 (Commit*x)%N122 (6*4)%N

122 (6*4) %N , (144%N) (24)%N, 9

Verification passes, “the end” unless there are more iterations of the same steps required.

Legendre Symbol

• Number Theoretic function is +-1 based on if a is a quadratic residue mod p.

• p is an odd prime.• a is a quadratic residue % p.• = (a|p) { 1, a is a quadratic residue % p

{ -1, a is a quadratic nonresidue % p

http://mathworld.wolfram.com/LegendreSymbol.html

=11111111111

95431

= -11111111111

108762

3

6

5

7

9

8

4

9

1

10

35941

54321

Jacobi’s Symbol

• Jacobi’s Symbol is a generalization of the Legendre Symbol that allows non prime numbers p.

• The Jacobi symbol looks just like the Legendre Symbol.– It is used for nonprime numbers p. When a prime p is given, it is assumed

you are using the Legendre Symbol.– When given an odd positive integer (p), you factor it.– You then use modulus on the numerator with each factor.

(2/15)

ZK Proof N has 2 Distinct Prime Factors

• Used to prove an odd composite integer has exactly two prime factors.

• Or, that N is a valid RSA modulus.

ZK Proof N has 2 Distinct Prime Factors Facts

• Given Facts (1-3) of QR,

1. Given the factorization of N, any xQRN, y2 x % n,can be determined efficiently.

2. For any xQNRN, Z*N, there is no square root of x.

3. If xQNRN, • x*yQRN yQNRN

– (reference Jacobi Symbols of x,y and x*y)• we add two more facts

ZK Proof N has 2 Distinct Prime Factors Facts (Cont)

1. If N is an odd composite integer that has two distinct odd prime factors,

JN(1) = {x|xZ*N, (x/n) = 1}

Precisely ½ are quadratic residues (1/2 must be positive Legendre Symbol).

2. If N is not an odd composite number with two distinct primes, not prime, and not a prime power then at most ¼ of JN(1) is quadratic residues.

– If N is a prime power all elements in JN(1) are quadratic residues

ZK Proof N has 2 Distinct Prime Factors

• Input N (has two distinct prime factors)

• Verifier Secret: N factors

• Output to Challenger N

• Algorithm

– Challenger checks to make sure N is not a prime or prime power.

– Challenger picks random group m numbers in JN(1) and sends to Prover

– Verifier takes challenger squares {x1,..xk} and proves they know the k elements are in QRN using ZK Quadratic Residuosity.

– If k (count of correct proofs of knowledge) > floor((3/8)m), Challenger accepts Prover’s knowledge.

ZK Proof N has 2 Distinct Prime Factors (Ex)

1

14

Q

X

0491106446101941

1513121110987654321

Challenger verifies N is not a prime or prime power.

Challenger picks random M numbers JN(1) and sends to Verifier

Z*N = {1,2,4,7,8,10,11,13,14}

1 2 3

1 1

1 2 3 4 5

1 4 1 1

ZK Proof N has 2 Distinct Prime Factors (Ex)

1

14

Q

X

0491106446101941

1513121110987654321

Z*N = {1,2,4,7,8,11,13,14}

(1/15) = (1/3)(1/5) = (1)(1) = 1

1 2 3

1 1

1 2 3 4 5

1 4 4 1

(2/15) = (2/3)(2/5) = (-1)(-1) = 1

(4/15) = (4/3)(4/5) = (1/3)(4/5) = (1)(1) = 1

(7/15) = (7/3)(7/5) = (1/3)(2/5) = (1)(-1) = -1

(8/15) = (8/3)(8/5) = (2/3)(3/5) =(-1)(-1)= 1

(11/15) = (11/3)(11/5) = (2/3)(1/5) = (-1)(1) = -1

(13/15) = (13/3)(13/5) = (1/3)(3/5) = (1)(-1) = -1

(14/15) = (14/3)(14/5) = (2/3)(4/5) = (-1)(1) = -1

JN(1) = {1,2,4,8}

ZK Proof N has 2 Distinct Prime Factors (Ex)

1

14

Q

X

0491106446101941

1513121110987654321

Challenger verifies N is not a prime or prime power.

Challenger picks random M numbers JN(1) and sends to Verifier

Z*N = {1,2,4,7,8,10,11,13,14}

JN(1) = {1,2,4,8} Challenger sends mNums={4,8} to the VerifierVerifier and Challenger check knowledge via QR.

If the error/success count is acceptable, challenger acceptsknowledge.

ZK Proof N has 2 Distinct Prime Factors

• As you might have noticed, this ZK method is not 100% secure or called “on-sided-error.”

• Errors can and will happen on both sides of the protocol

ZK Proof N has 2 Distinct Prime Factors Proof

• The Challenger might have unknowingly accepted Verifier knowledge by more than 3/8 of the random challenges are picked by the challenger are QR.

• This is known as “BadLuckBob” or in my slides as “BadLuckChallenger.”

ZK Proof N has 2 Distinct Prime Factors Proof

• Completeness

– The Challenger has to accept errors from the Verifier because the Challenger might pick nonresidues. A preset criterion should be developed by the Challenger as an acceptable amount of errors.

– The Law of Large Numbers states, the larger the number of challenges the Challenger picks, the larger the completeness probability will be.

• Basically the more times you run a challenge, the more likely the average probability is to even out.

ZK Proof N has 2 Distinct Prime Factors Proof (Cont)

• Soundness

– Because of the large amount of challenges of the Verifier knowledge, it is extremely unlikely for the Verifier to not be caught cheating. • Again the number of challenges and

acceptable errors is up to the Challenger.