5pm (submit via Grade scope. Friday. and monitor Piazza. will. try. knowledge. nothing than The fact that the statement is true

Transcription

1 Yt Pove At CS 355 Lectue 4 ( 4111 Poblem set 1 due Fidy t Poblem set 2 will be posted Fidy 5pm (submit vi Gde scope No fice hous Thusdy / Fidy will ty nd mito Pizz Pevious lectue intoduced noti intective pos nd Zeo Intective po whee pooe cvinces veifie Tht some sttement X is tue Zeo fomlized po ( hve lso computed itself by unning evels moe o po nothing thn fct tht sttement is tue by defining noti simulto nything veifie could hve lened fom executi it could simulto Zeo fo 3 gph coloing enoditesnue FIIIHIIIGIYEII diffeent nodes 0 cn be coloed such 11 g Logistics vetices Let V denote set 2 Let 4 V {0/12} be Recp Pye colo in G nd let E denote set edges in G coloing functi commit Choose ndom pemutti / f {01/2} to pemuted colos veifie ndomness Committee t#y epet commits to ( v gph coloing To ( v R F IEI Times mplify soundness veifie s FtohnEglYlYuo@chedokntidtowIHYYI single ndy edge nthyndistint # vlid to openings Cu cv espectively ( unde n Cfess Follows by inspecti Sounded G is not 3 coloble n poe did not commit To vlid 3 coloing lest 1 edge must be bd so veifie ctches cheting YIEI ech iteti 11 ' s te succeeds IEI itetis t most

2 Cstuct simulto fo veifie V* s follows? looks indistinguishble fom view in el Owise tnegkx 1 Simulto commits To ndol colo fo evey vetex in G by hiding popety s 2 Simulto invokes V * committed vlues V* queies 3 fo n edge ( v whee simulto committed To distinct simulto succeeds so fte 0 ( XIEI simulto colos epetitis n simulto Those s opens 213 outputs IEI vlid Tnscipts ( up simulto ewinds V * to ound beginning simulto outputs simulted Tnscipts fo ech ound simulted tnscipt ech ound is Computtilly indistinguishble fom el in ech ound Tnscipt ( by hiding scheme popety _y Zenge Pos E s ( Sigm s In Thie Npeltk mny cses wnt stge popety ctully specificlly should know w1y sttement is tue Fo instnce cside following lnguge { HE 61 I Xekq hg } I gooupdq e 6 geneto In This cse ll sttements in G e Tue ( ie ctined in L discete log n element he G Questi Wht does it men to quntity fom knows witness Note this definiti L G R ( h cceptully stge popety know something? [ GMR 85 ] is ble to cvince n hest veifie Tht it knows something implicitly defines n NP elti R x 1 E hg E 6 but cn still cside noti Thn po membeship poving n it should be possible to extct Tht Deft An intective po system ( PV is po fo n extcto E Such tht fo ny if e exists n efficient Is x nd p* ; po pmeteized by specific ny pope R ( s opposed to lnguge L P[w EP*( x RK w L ] zpkp* moe genelly could be polynomilly } smlle v ( L ] e eo elti Tivil Po sends witness in cle to veifie In most pplictis dditilly equie is stictly Note stge popety Thn soundness if hs eo E it lso hs soundness eo E ( ie dishest cvinces n hest veifie flse sttement t most E

3 Send h Let czjt We n ssume g he G whee hs ode pime q pove it knows X such Tht h lie PWingdiscetelogtochnobpotocco Suppose po wnts To veifie pee demsttes discete log h bse g uehg! # e z +cx 7 veify tht g Uli Completeness if Z tcx n gtcx ggex uli HestVeifieZeoKnowkdg build simulto s follows (fmili sttegy un in evese input lg h 1 2 smple smple 3 set u Z I C ± goup f unifomly ndom gl?my9tdydotnf Men chosen so tht element z is unifomly since ndom he elti stisfied by ( vlid po lgsimuktedetlitt?iidpentiiyfndintibnotiedt veifie Questi Wht goes wg Above simulti no lge To get genel if c is not chosen unifomly t ndom? woks ( since cnnot smple z fist tht veifie fist equie cduit to Its ( using sttisticlly hiding Knowledge Suppose P* is ( possibly mlicious Tht cvinces hest veifie fo ssume simplicity P* succeeds 1 cstuct n extcto s follows Run Rewind P* to obtin n initil 4 to P* cz messge U eplies espse P* so its intenl stte is sme s it ws t end Step 1 # to P* zz be espse P* Zi send no 4 Compute nd output X ( Z zz ( c ct ' e 2g Since P* succeeds 1 nd extcto pefectly simultes hest veifie's behvio 1 both ( it C Z nd ( u cz Zz e both ' u Tnscipts This ccepting nd g mens tht h ' gn2 f gz' +9 2t9 X ( z zz ( c E ovewhelming citcz Thus extcto succeeds ovedid

4 Yq bsed No Pinkos Veifie ( Beh Shoup Lemm 192 P* succeeds Tnscipts t lest E2 E n need To ely Rewinding Lemm to gue tht extcto obtins two ccepting extcto Intuitively succeeds so el veifie by focing to ns multiple s ( vi extct secet by cnnot intecting ewinding Hove el veifie cnnot ewind Identifictipotoeolfomdiscetelogsuppose client wnts To unticte To seve Gol dvesies ( secuity ginst dvesy sees ctents seve nd cn intect ctive Cn diectly build such scheme fom Schno 's client ( x client 's secet ( cedentil seve ( g hg V Public veificti key bitily client is pecisely 3 ound Schno po discete by Coectness This follows fom completeness Schno 's Potocol ( Active secuity follows fom popety nd Intuitively sys tht ny client tht successfully untictes must know secet X Zeo sys tht intectis hest client lie ( fo ctive secuity equie Tht do not evel nything povides genel thn just bout X HVZK Moe view E genel s ( Sigm s ( x g hg Veifie & + C X Potocols This stuctue ( (ndom sting public veifie hs no ~ secet idomness ( Athu coin Melin pos Popeties 1 Completeness espse flow esembles I 2 Hest Zeo Knowledge clled E espse e ( s Sigm s 3 Po Knowledge Mny Vints Schno s cn be used To pove sttements like Comm discete log X such Tht h g? nd hzgix ( useful fo veifible ndom functi building DDH Tuple lg u v w is DDH tuple nmely Tht gd vgp nd wg P fo xpe Useful fo poving eltis El Gml ciphe texts leg pticul El Gml ciphe text encypts tht Useful block in cstuctis DDH building Reduces +0 poving comm oblivious tnsfe ( OT s discete log ( u g v w is DDH tuple if nd ly ei 0 o 1 ( moe detils next lectue if e is n X such Tht g nd wu

5 Since Cn Pee g 27 veifie + E Sh_wingththg ndhegi t z ttx check tht g hit nd g? Uihz Completeness nd HVZK follows s in Schno 's Knowledge Two scenios / ndomness Uses incsistent ( ie n z cn + u g Jhigtth ly X t succeed U g nd Uzgz2 whee t most Yq z + Xzt (if veifie ccepts tuzge nzgz 2 This mens tht ( d tlxz # k n ove choice hest veifie 's itz e is t most 1 tee whee This elti holds t is unifom ove veifie ccepts t most Yq 2 succeeds toy ( x n it must use csistent build extcto just s in Schno 's Knowledge eo lge by dditive Yq tem ( fom bove nlysis E s Nettle nint#e s nd signtues