5233/IOC5063 Theory of Cryptology, Fall 2015
Instructor: Prof. Wen-Guey Tzeng
Homework 3 Solutions, 7-Dec-2015
Scribe: Amir Rezapour

1. Consider an unfair coin with head probability 0.51. Assume that the coin is tossed 1000 times independently.

(a) Compute exactly the probability that at least two thirds of the tosses are heads.

$$\Pr[X \ge 667] = \sum_{i=667}^{1000} \binom{1000}{i}\, 0.51^{i}\, 0.49^{1000-i} = 7.27354 \times 10^{-24}.$$

(b) Use Chebyshev's inequality to estimate the probability that at least two thirds of the tosses are heads.

Let $S_i$ be the indicator random variable of the event that the $i$-th toss is a head. We have $E(S_i) = 0.51$ and $V(S_i) = 0.51 \cdot 0.49 = 0.2499$. Let $S = \sum_{i=1}^{1000} S_i$. We have $E(S) = np = 510$ and $V(S) = np(1-p) = 249.9$. By Chebyshev's inequality, we have

$$\Pr[S \ge 667] \le \tfrac{1}{2}\Pr[|S - 510| \ge 157] \le \frac{1}{2}\cdot\frac{249.9}{157^2} = 0.0050697633.$$

(c) Use Hoeffding's inequality to estimate the probability that at least two thirds of the tosses are heads.

By Hoeffding's inequality, we have

$$\Pr[S \ge 667] = \Pr[S \ge (0.51 + 0.157)\cdot 1000] \le e^{-2 \cdot 0.157^2 \cdot 1000} = 3.8980 \times 10^{-22}.$$

2. This problem is about a proof of knowledge of $x$ for a given $(n, y)$, where $n = pq$ is a Blum integer, $\gcd(e, \varphi(n)) = 1$, and $y = x^e \bmod n$.
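Returning to Problem 1: the following Python program, added here as an example and not part of the original solutions, computes the exact binomial tail, the Chebyshev estimate (with the same halving step used above) and the Hoeffding bound for the general case of $n$ tosses with head probability $p$ and threshold $k$, so the three values of Problem 1 can be compared directly. The function names are this example's own.

```python
from math import comb, exp


def exact_tail(n, p, k):
    """Pr[X >= k] for X ~ Binomial(n, p), summed term by term (Problem 1(a))."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def chebyshev_tail(n, p, k):
    """Estimate of Problem 1(b): Pr[X >= k] <= (1/2) * Var(X) / (k - E[X])^2."""
    mean = n * p
    var = n * p * (1 - p)
    return 0.5 * var / (k - mean) ** 2


def hoeffding_tail(n, p, k):
    """Hoeffding bound of Problem 1(c): Pr[X >= (p + eps) n] <= exp(-2 eps^2 n)."""
    eps = k / n - p
    return exp(-2 * eps**2 * n)


def problem1():
    """Problem 1's parameters: 1000 tosses, head probability 0.51, at least 667 heads."""
    n, p, k = 1000, 0.51, 667
    return exact_tail(n, p, k), chebyshev_tail(n, p, k), hoeffding_tail(n, p, k)


if __name__ == "__main__":
    exact, cheb, hoeff = problem1()
    print(f"exact     = {exact:.6g}")
    print(f"Chebyshev = {cheb:.6g}")
    print(f"Hoeffding = {hoeff:.6g}")
```

Running it shows the expected ordering: the exact tail is far below the Hoeffding bound, which is in turn far below the Chebyshev estimate, because Chebyshev uses only the variance while Hoeffding exploits the bounded, independent summands.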
(a) Give a (basic) zero-knowledge proof system for it. You need to show its completeness, soundness and zero-knowledge formally.

Let P be the prover and V be the verifier. The basic zero-knowledge proof system is as follows.

i. Commitment, P → V: $A = r^e \bmod n$, where $r \in_R \mathbb{Z}_n^*$.
ii. Challenge, V → P: $h \in_R \mathbb{Z}_2$.
iii. Response, P → V: $B = x^h r \bmod n$.

V accepts P if and only if $B^e \equiv y^h A \pmod n$.

Correctness of the zero-knowledge proof system is as follows.

Completeness. If P knows $x$ with $y = x^e \bmod n$, he always convinces V by the protocol.

Soundness. Without knowing $x$, P can convince V with probability 1/2 by guessing V's challenge as follows.
i. Choose $h' \in_R \mathbb{Z}_2$ and $B' \in_R \mathbb{Z}_n^*$, and compute $A' = B'^e / y^{h'} \bmod n$.
ii. Interact with V: $V(A') = h$.
iii. If $h = h'$, respond $B'$ to convince V.

If P convinces V with probability more than 1/2, we can extract the knowledge $x = y^{1/e} \bmod n$ by rewinding P to obtain two different accepting transcripts with the same commitment. For two such accepting transcripts $(A, h, B)$ and $(A, h', B')$ with $h \ne h'$, we have

$$\begin{cases} B^e \equiv y^h A \pmod n \\ B'^e \equiv y^{h'} A \pmod n \end{cases} \;\Rightarrow\; (B/B')^e \equiv y^{h-h'} \pmod n \;\Rightarrow\; y^{1/e} = (B/B')^{1/(h-h')} \bmod n.$$

Since $h - h' = \pm 1$, we can compute $y^{1/e} = (B/B')^{h-h'} \bmod n$. However, extracting $x = y^{1/e} \bmod n$ means solving the RSA problem, which contradicts the RSA assumption. Therefore, P without the knowledge $x = y^{1/e} \bmod n$ cannot convince V with probability more than 1/2.

Zero-Knowledge. Define the set of accepting transcripts
$$\mathrm{tr}_{P,V}(x) = \{(A, h, B) \in \mathbb{Z}_n^* \times \mathbb{Z}_2 \times \mathbb{Z}_n^* \mid B^e \equiv y^h A \pmod n\}.$$
For any accepting transcript $(A, h, B) \in \mathrm{tr}_{P,V}(x)$, we have
$$\Pr[\mathrm{tr}_{P,V}(x) = (A, h, B)] = \frac{\Pr[V(A) = h]}{\varphi(n)}.$$
On the other hand, we construct a probabilistic polynomial-time simulator S that simulates the accepting transcripts $\mathrm{tr}_{P,V}(x)$ by $\mathrm{tr}_{S,V}(x)$ as follows.
i. Choose $h' \in_R \mathbb{Z}_2$ and $B' \in_R \mathbb{Z}_n^*$, and compute $A' = B'^e / y^{h'} \bmod n$.
ii. Invoke V: $V(A') = h$.
iii. If $h = h'$, return $(A', h, B')$ as an accepting transcript. Otherwise, repeat from step i.

For any accepting transcript $(A', h, B') \in \mathrm{tr}_{S,V}(x)$, we have
$$\Pr[\mathrm{tr}_{S,V}(x) = (A', h, B')] = \frac{\Pr[V(A') = h]}{2\varphi(n)}.$$
The expected execution time of the simulator S is $t_S = 2(t_E + t_V)$, where $t_E$ is the execution time of steps i and iii, and $t_V$ is the execution time of the verifier V. Thus S runs in polynomial time, and the probability distributions of $\mathrm{tr}_{P,V}(x)$ and $\mathrm{tr}_{S,V}(x)$ are indistinguishable. Therefore, the proof system is zero-knowledge.

(b) How to reduce the cheating probability of the prover?

The cheating probability of P in the basic zero-knowledge proof system is 1/2. V can reduce it to $1/2^k$ by asking P to prove himself $k$ times sequentially, where $k$ is bounded by a polynomial in the security parameter. Let ZKPoK(P, V) denote the basic zero-knowledge proof system. The enhanced zero-knowledge proof system is as follows:

    for (i = 0; i < k; ++i)
        if (!ZKPoK(P, V)) return false;
    return true;

(c) Give an (efficient) honest-verifier interactive zero-knowledge proof system for it.

Let P be the prover and V be the verifier. The honest-verifier interactive zero-knowledge proof system is as follows.

i. Commitment, P → V: $A = r^e \bmod n$, where $r \in_R \mathbb{Z}_n^*$.
ii. Challenge, V → P: $h \in_R \mathbb{Z}_n$.
iii. Response, P → V: $B = x^h r \bmod n$.

V accepts P if and only if $B^e \equiv y^h A \pmod n$.

The challenge $h$ is chosen uniformly from $\mathbb{Z}_n$, although the group order is $\varphi(n)$; therefore P guesses $h$ with probability at most $1/\varphi(n)$. An honest verifier V chooses $h \in_R \mathbb{Z}_n$ as the protocol prescribes. Therefore, the simulator S can choose $h$ himself and simulate in polynomial time without changing the probability distribution of the accepting transcripts $\mathrm{tr}_{S,V}(x)$.

(d) Design a digital signature scheme based on the above honest-verifier interactive zero-knowledge proof system.
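Before the answer to (d), the following Python program, an added example that is not part of the original solutions, implements the proof system of (a) and (c) with constructed toy parameters ($n = 11 \cdot 23 = 253$, $e = 3$, far too small for real use), the guessing prover and the rewinding extractor from the soundness argument, the $k$-fold repetition of (b), and the hash-based signature that (d) asks for (the verifier's challenge replaced by SHA-256 reduced into $\mathbb{Z}_n$, which stands in for $H$). Setting `challenge_space` to 2 gives the basic system of (a) and setting it to $n$ gives the efficient system of (c). The function names, the `|`-separated encoding of the hash input and the seed are this example's own choices.

```python
import hashlib
import random
from math import gcd

# Constructed toy parameters, far too small for real use: n = 11 * 23 = 253 is a
# Blum integer (11 = 23 = 3 mod 4), phi(n) = 220, and e = 3 is coprime to phi(n).
N, PHI, E = 11 * 23, 10 * 22, 3

def inv(a, m):
    return pow(a, -1, m)

def rand_unit(rng):
    """Uniform element of Z_n^*."""
    while True:
        r = rng.randrange(1, N)
        if gcd(r, N) == 1:
            return r

# The proof system of (a) and (c): challenge_space = 2 gives (a), challenge_space = N gives (c).
def commit(rng):
    r = rand_unit(rng)
    return r, pow(r, E, N)                          # step i: A = r^e mod n

def respond(x, r, h):
    return pow(x, h, N) * r % N                     # step iii: B = x^h r mod n

def verify(y, A, h, B):
    return pow(B, E, N) == pow(y, h, N) * A % N     # accept iff B^e = y^h A (mod n)

def honest_run(x, y, rng, challenge_space=2):
    r, A = commit(rng)
    h = rng.randrange(challenge_space)              # step ii: the honest verifier's challenge
    return verify(y, A, h, respond(x, r, h))

def cheating_success_rate(y, rng, trials, challenge_space=2):
    """Soundness argument: a prover without x guesses h', picks B' and sets A' = B'^e / y^h'.
    Returns the fraction of accepted runs: about 1/2 in (a), about 1/n in (c)."""
    hits = 0
    for _ in range(trials):
        h_guess, B = rng.randrange(challenge_space), rand_unit(rng)
        A = pow(B, E, N) * inv(pow(y, h_guess, N), N) % N
        h = rng.randrange(challenge_space)
        if h == h_guess and verify(y, A, h, B):
            hits += 1
    return hits / trials

def extract(h1, B1, h2, B2):
    """Rewinding: two accepting transcripts with the same A and binary h1 != h2 give y^{1/e} = (B1/B2)^{h1-h2}."""
    ratio = B1 * inv(B2, N) % N
    return ratio if h1 - h2 == 1 else inv(ratio, N)

def sequential_proof(x, y, rng, k):
    """Part (b): k sequential rounds of the basic system; cheating probability 2^-k."""
    return all(honest_run(x, y, rng) for _ in range(k))

# Part (d): a public hash replaces the verifier's challenge.
def H(n, e, c, a, m):
    """Stand-in for H: SHA-256 over a '|'-separated encoding, reduced into Z_n."""
    data = f"{n}|{e}|{c}|{a}|".encode() + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def keygen(rng):
    d = inv(E, PHI)                                  # d = e^-1 mod phi(n)
    c = rand_unit(rng)
    return (N, d, pow(c, d, N)), (N, E, c)           # sk = (n, d, k = c^d), pk = (n, e, c)

def sign(sk, pk, m, rng):
    n, _, k = sk
    _, e, c = pk
    r = rand_unit(rng)
    a = pow(r, e, n)
    h = H(n, e, c, a, m)
    return r * pow(k, h, n) % n, h                   # (b, h)

def verify_sig(pk, m, sig):
    n, e, c = pk
    b, h = sig
    a = pow(b, e, n) * inv(pow(c, h, n), n) % n      # a = b^e / c^h mod n
    return h == H(n, e, c, a, m)

def demo(seed=2015):
    """Exercise every piece once with a fixed seed; x = 5 is the constructed witness."""
    rng = random.Random(seed)
    x = 5
    y = pow(x, E, N)
    sk, pk = keygen(rng)
    return {
        "honest_binary": honest_run(x, y, rng),
        "honest_big": honest_run(x, y, rng, N),
        "cheat_rate_binary": cheating_success_rate(y, rng, 2000),
        "cheat_rate_big": cheating_success_rate(y, rng, 2000, N),
        "sequential_20": sequential_proof(x, y, rng, 20),
        "signature_valid": verify_sig(pk, b"ballot", sign(sk, pk, b"ballot", rng)),
    }

if __name__ == "__main__":
    print(demo())
```

The measured acceptance rate of the guessing prover drops from about 1/2 with a binary challenge to about $1/n$ once the challenge ranges over $\mathbb{Z}_n$, which is the point of (c); `extract` shows why a prover that answers both challenges for one commitment must know $x$. Note that in `sign` the secret $d$ is used only at key generation (to form $k = c^d$), exactly as in the scheme described below.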
Fiat-Shamir gives a standard method for converting an interactive zero-knowledge proof system into a digital signature scheme. To do so, we need to eliminate the communication between prover and verifier: we replace the challenge step by a collision-resistant hash function that is publicly available to both prover and verifier. Let $H: \{0,1\}^* \to \mathbb{Z}_n$ be such a secure hash function. The digital signature scheme is as follows.

i. KeyGen($\pi$) = (sk, pk): Choose two safe primes $p$ and $q$ of $\pi$ bits and compute the RSA modulus $n = pq$. Choose $e \in_R \mathbb{Z}_{\varphi(n)}^*$ and compute $d = e^{-1} \bmod \varphi(n)$. Choose $c \in_R \mathbb{Z}_n^*$ and compute $k = c^d \bmod n$. Then sk = $(n, d, k)$ and pk = $(n, e, c)$.
ii. Sign(sk, m) = $(b, h)$: Compute $a = r^e \bmod n$, $h = H(n \| e \| c \| a \| m)$, and $b = r k^h \bmod n$, where $r \in_R \mathbb{Z}_n^*$.
iii. Verify(pk, m, b, h) ∈ {0, 1}: Compute $a = b^e / c^h \bmod n$. The signature $(b, h)$ on $m$ is valid if and only if $h = H(n \| e \| c \| a \| m)$.

3. Given $(p, g, y, z_1, z_2)$, either $\log_g y = \log_g z_1 \pmod p$ or $\log_g y = \log_g z_2 \pmod p$, but not both.

(a) Assume that P knows $x_1 = \log_g y = \log_g z_1 \pmod p$. Give a zero-knowledge proof ⟨P($x_1$), V⟩ of this knowledge without revealing which $z_i$ has the same exponent as $y$. Show its completeness, soundness and zero-knowledge.

Let P be the prover and V be the honest verifier. The honest-verifier zero-knowledge proof of knowledge of either $x_1 = \log_g z_1 \bmod p$ or $x_2 = \log_g z_2 \bmod p$ is as follows.

i. Commitment, P → V:
$$A_1 = g^{r} \bmod p, \qquad A_2 = g^{B_2} z_2^{-c_2} \bmod p, \quad \text{where } (r, B_2, c_2) \in_R (\mathbb{Z}_{p-1})^3.$$
ii. Challenge, V → P: $c \in_R \mathbb{Z}_{p-1}$.
iii. Response, P → V:
$$(c_1, B_1) = (c - c_2,\; c_1 x_1 + r) \bmod (p-1), \qquad (c_2, B_2).$$

V accepts P if and only if
$$c_1 + c_2 \equiv c \pmod{p-1}, \qquad g^{B_1} \equiv z_1^{c_1} A_1 \pmod p, \qquad g^{B_2} \equiv z_2^{c_2} A_2 \pmod p.$$

Correctness of the above honest-verifier zero-knowledge proof system is as follows.

Completeness. If P knows $x_1 = \log_g z_1 \bmod p$, he always convinces V by the above protocol.

Soundness. Without knowing $x_1 = \log_g z_1 \bmod p$ or $x_2 = \log_g z_2 \bmod p$, P can convince V with probability $1/(p-1)$ by guessing V's challenge as follows.
i. Choose $(c_1, c_2, B_1, B_2) \in_R (\mathbb{Z}_{p-1})^4$ and compute $A_1 = g^{B_1} z_1^{-c_1} \bmod p$ and $A_2 = g^{B_2} z_2^{-c_2} \bmod p$.
ii. Interact with V: $V(A_1, A_2) = c$.
iii. If $c_1 + c_2 = c$, respond $(c_1, c_2, B_1, B_2)$ to convince V.

If P convinces V with probability more than $1/(p-1)$, there exist commitments for which P can convince V on at least two different challenges. For two such accepting transcripts $(A_1, A_2, c, c_1, c_2, B_1, B_2)$ and $(A_1, A_2, c', c_1', c_2', B_1', B_2')$ with $c \ne c'$, there is some $i \in \{1, 2\}$ such that $c_i \ne c_i'$ (since $c_1 + c_2 \equiv c \not\equiv c' \equiv c_1' + c_2' \pmod{p-1}$). Therefore, we can extract the knowledge $x_i = \log_g z_i \bmod p$ for some $i \in \{1, 2\}$ as follows:
$$\begin{cases} g^{B_i} \equiv z_i^{c_i} A_i \pmod p \\ g^{B_i'} \equiv z_i^{c_i'} A_i \pmod p \end{cases} \;\Rightarrow\; g^{B_i - B_i'} \equiv z_i^{c_i - c_i'} \pmod p \;\Rightarrow\; g^{\frac{B_i - B_i'}{c_i - c_i'}} \equiv z_i \pmod p \;\Rightarrow\; \log_g z_i = \frac{B_i - B_i'}{c_i - c_i'} \bmod (p-1).$$
However, extracting $x_i = \log_g z_i \bmod p$ means solving the discrete logarithm problem, which contradicts the discrete logarithm assumption. Therefore, P without the knowledge of $x_1 = \log_g z_1 \bmod p$ or $x_2 = \log_g z_2 \bmod p$ cannot convince V with probability more than $1/(p-1)$.

Zero-Knowledge. Suppose that V is an honest verifier. Define the set of accepting transcripts
$$\mathrm{tr}_{P,V}(x_i) = \{(A_1, A_2, c, c_1, c_2, B_1, B_2) \in (\mathbb{Z}_p^*)^2 \times (\mathbb{Z}_{p-1})^5 \mid c_1 + c_2 \equiv c \pmod{p-1},\; g^{B_1} \equiv z_1^{c_1} A_1 \pmod p,\; g^{B_2} \equiv z_2^{c_2} A_2 \pmod p\}.$$
For any accepting transcript $(A_1 \in_R \mathbb{Z}_p^*,\; A_2 = g^{B_2} z_2^{-c_2},\; c \in_R \mathbb{Z}_{p-1},\; c_1 = c - c_2,\; c_2 \in_R \mathbb{Z}_{p-1},\; B_1 = c_1 x_1 + r,\; B_2 \in_R \mathbb{Z}_{p-1}) \in \mathrm{tr}_{P,V}(x_1)$, we have
$$\Pr[\mathrm{tr}_{P,V}(x_1) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$
For any accepting transcript $(A_1 = g^{B_1} z_1^{-c_1},\; A_2 \in_R \mathbb{Z}_p^*,\; c \in_R \mathbb{Z}_{p-1},\; c_1 \in_R \mathbb{Z}_{p-1},\; c_2 = c - c_1,\; B_1 \in_R \mathbb{Z}_{p-1},\; B_2 = c_2 x_2 + r) \in \mathrm{tr}_{P,V}(x_2)$, we have
$$\Pr[\mathrm{tr}_{P,V}(x_2) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$
Therefore, the zero-knowledge proof systems ⟨P($x_1$), V⟩ and ⟨P($x_2$), V⟩ have the same distribution of transcripts. We construct a probabilistic polynomial-time simulator S that simulates the accepting transcripts $\mathrm{tr}_{P,V}(x_i)$ by $\mathrm{tr}_{S,V}(x_i)$ as follows.
i. Choose $(c_1, c_2, B_1, B_2) \in_R (\mathbb{Z}_{p-1})^4$.
ii. Compute $A_1 = g^{B_1} z_1^{-c_1} \bmod p$, $A_2 = g^{B_2} z_2^{-c_2} \bmod p$, and $c = c_1 + c_2 \bmod (p-1)$.
iii. Return $(A_1, A_2, c, c_1, c_2, B_1, B_2)$ as an accepting transcript.
For any accepting transcript $(A_1, A_2, c, c_1, c_2, B_1, B_2) \in \mathrm{tr}_{S,V}(x_i)$, we have
$$\Pr[\mathrm{tr}_{S,V}(x_i) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$
The expected execution time of the simulator S is $t_S \le \mathrm{poly}(k)$, where $k$ is the security parameter. Thus S runs in polynomial time, and the probability distributions of $\mathrm{tr}_{P,V}(x_i)$ and $\mathrm{tr}_{S,V}(x_i)$ are indistinguishable. Therefore, the honest-verifier proof system is zero-knowledge.

(b) Assume that P knows $x_2 = \log_g y = \log_g z_2 \pmod p$. Give a zero-knowledge proof ⟨P($x_2$), V⟩ of this knowledge without revealing which $z_i$ has the same exponent as $y$.

Let P be the prover and V be the honest verifier. The honest-verifier zero-knowledge proof of knowledge of either $x_1 = \log_g z_1 \bmod p$ or $x_2 = \log_g z_2 \bmod p$ is as follows.

i. Commitment, P → V:
$$A_1 = g^{B_1} z_1^{-c_1} \bmod p, \qquad A_2 = g^{r} \bmod p, \quad \text{where } (r, B_1, c_1) \in_R (\mathbb{Z}_{p-1})^3.$$
ii. Challenge, V → P: $c \in_R \mathbb{Z}_{p-1}$.
iii. Response, P → V:
$$(c_1, B_1), \qquad (c_2, B_2) = (c - c_1,\; c_2 x_2 + r) \bmod (p-1).$$

V accepts P if and only if
$$c_1 + c_2 \equiv c \pmod{p-1}, \qquad g^{B_1} \equiv z_1^{c_1} A_1 \pmod p, \qquad g^{B_2} \equiv z_2^{c_2} A_2 \pmod p.$$

(c) Show that the distributions of transcripts of ⟨P($x_1$), V⟩ and ⟨P($x_2$), V⟩ are identical.

Define the set of accepting transcripts
$$\mathrm{tr}_{P,V}(x_i) = \{(A_1, A_2, c, c_1, c_2, B_1, B_2) \in (\mathbb{Z}_p^*)^2 \times (\mathbb{Z}_{p-1})^5 \mid c_1 + c_2 \equiv c \pmod{p-1},\; g^{B_1} \equiv z_1^{c_1} A_1 \pmod p,\; g^{B_2} \equiv z_2^{c_2} A_2 \pmod p\}.$$
For any accepting transcript $(A_1 \in_R \mathbb{Z}_p^*,\; A_2 = g^{B_2} z_2^{-c_2},\; c \in_R \mathbb{Z}_{p-1},\; c_1 = c - c_2,\; c_2 \in_R \mathbb{Z}_{p-1},\; B_1 = c_1 x_1 + r,\; B_2 \in_R \mathbb{Z}_{p-1}) \in \mathrm{tr}_{P,V}(x_1)$, we have
$$\Pr[\mathrm{tr}_{P,V}(x_1) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$
For any accepting transcript $(A_1 = g^{B_1} z_1^{-c_1},\; A_2 \in_R \mathbb{Z}_p^*,\; c \in_R \mathbb{Z}_{p-1},\; c_1 \in_R \mathbb{Z}_{p-1},\; c_2 = c - c_1,\; B_1 \in_R \mathbb{Z}_{p-1},\; B_2 = c_2 x_2 + r) \in \mathrm{tr}_{P,V}(x_2)$, we have
$$\Pr[\mathrm{tr}_{P,V}(x_2) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$
Therefore, the zero-knowledge proof systems ⟨P($x_1$), V⟩ and ⟨P($x_2$), V⟩ have the same distribution of transcripts.
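The following Python program is an added example, not part of the original solutions: it implements the OR-proof of 3(a) and 3(b) as one prover routine parametrised by which discrete logarithm is known, together with the verifier's three checks, the honest-verifier simulator, and the extractor from the soundness argument. It uses a constructed toy group ($p = 23$, $g = 5$, exponents in $\mathbb{Z}_{22}$) and constructed witnesses $x_1 = 7$, $x_2 = 13$; the function names and the `demo` driver are this example's own.

```python
import random

# Constructed toy group, not secure: p = 23 and g = 5 generates Z_23^*, so exponents live in Z_22.
P, G = 23, 5
ORD = P - 1

def inv(a, m):
    return pow(a, -1, m)

def commit(known, z, rng):
    """Step i for a prover who knows x_known = log_g z[known] (known = 1 is part (a), 2 is part (b)).
    The known branch gets a real commitment g^r; the other branch is simulated in advance."""
    other = 2 if known == 1 else 1
    r = rng.randrange(ORD)
    c_other, B_other = rng.randrange(ORD), rng.randrange(ORD)
    A = {known: pow(G, r, P),
         other: pow(G, B_other, P) * inv(pow(z[other], c_other, P), P) % P}
    state = {"known": known, "other": other, "r": r, "c_other": c_other, "B_other": B_other}
    return (A[1], A[2]), state

def respond(state, x, c):
    """Step iii: c_known = c - c_other so that c_1 + c_2 = c, and B_known = c_known x + r."""
    c_known = (c - state["c_other"]) % ORD
    B_known = (c_known * x + state["r"]) % ORD
    cs = {state["known"]: c_known, state["other"]: state["c_other"]}
    Bs = {state["known"]: B_known, state["other"]: state["B_other"]}
    return (cs[1], cs[2], Bs[1], Bs[2])

def verify(z, A, c, resp):
    """V's checks: c_1 + c_2 = c, g^{B_1} = z_1^{c_1} A_1 and g^{B_2} = z_2^{c_2} A_2 (mod p)."""
    c1, c2, B1, B2 = resp
    return ((c1 + c2) % ORD == c % ORD
            and pow(G, B1, P) == pow(z[1], c1, P) * A[0] % P
            and pow(G, B2, P) == pow(z[2], c2, P) * A[1] % P)

def simulate(z, rng):
    """Honest-verifier simulator: pick (c_1, c_2, B_1, B_2) first, derive both commitments and c."""
    c1, c2, B1, B2 = (rng.randrange(ORD) for _ in range(4))
    A1 = pow(G, B1, P) * inv(pow(z[1], c1, P), P) % P
    A2 = pow(G, B2, P) * inv(pow(z[2], c2, P), P) % P
    return (A1, A2), (c1 + c2) % ORD, (c1, c2, B1, B2)

def extract(z, resp, resp_prime):
    """Soundness: two accepting responses to one commitment and different challenges disagree in
    some c_i; when c_i - c_i' is invertible mod p-1 this yields log_g z_i = (B_i - B_i')/(c_i - c_i')."""
    for i in (1, 2):
        ci, Bi = resp[i - 1], resp[i + 1]
        ci_p, Bi_p = resp_prime[i - 1], resp_prime[i + 1]
        if ci == ci_p:
            continue
        try:
            x = (Bi - Bi_p) * inv((ci - ci_p) % ORD, ORD) % ORD
        except ValueError:            # c_i - c_i' has no inverse modulo p - 1
            continue
        if pow(G, x, P) == z[i]:
            return i, x
    return None

def demo(seed=7):
    """Run (a), (b), the simulator and the extractor on the constructed witnesses x1 = 7, x2 = 13."""
    rng = random.Random(seed)
    x = {1: 7, 2: 13}
    z = {i: pow(G, x[i], P) for i in (1, 2)}
    results = {}
    for known in (1, 2):
        A, st = commit(known, z, rng)
        c = rng.randrange(ORD)
        results[f"accept_{known}"] = verify(z, A, c, respond(st, x[known], c))
        # rewind: same commitment, challenges 3 and 0 (their difference 3 is invertible mod 22)
        results[f"extract_{known}"] = extract(z, respond(st, x[known], 3), respond(st, x[known], 0))
    A, c, resp = simulate(z, rng)
    results["simulated_accepts"] = verify(z, A, c, resp)
    return results

if __name__ == "__main__":
    print(demo())
```

Both provers and the simulator produce transcripts that pass the same three checks, and the verifier sees only $(A_1, A_2, c, c_1, c_2, B_1, B_2)$, with every component uniform in its range, which is the concrete content of the "same distribution" claim in (c). The extractor recovers $x_1 = 7$ when run against the (a)-prover and $x_2 = 13$ against the (b)-prover, so the extracted index also reveals which branch was real, which is exactly why a single commitment must never be answered for two challenges.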
4. We consider the multi-authority secure electronic voting scheme without a trusted center, discussed in class. How does the authority $A_i$ assure $A_j$ that the sent share $s_{i,j} = f_i(x_j)$ is indeed consistent with all the other shares sent to the other authorities?

Let $p = kq + 1$ be a large prime, where $q$ is also a large prime, and let $G_q = \langle g \rangle$ be a cyclic multiplicative group of order $q$. Suppose that $(A_1, A_2, \ldots, A_n)$ are the $n$ authorities and that any $t$-out-of-$n$ authorities can tally the votes. Each authority $A_i$ selects $x_i$ and a degree-$(t-1)$ polynomial $f_i(x) = \sum_{k=0}^{t-1} b_{i,k} x^k$ with $f_i(0) = x_i$, and publishes $h_i = g^{x_i}$ and $B_{i,k} = g^{b_{i,k}}$ for $0 \le k \le t-1$. Then the public key is $h = \prod_{i=1}^{t} h_i$ and the secret key is $x = \sum_{i=1}^{t} x_i = \sum_{i=1}^{t} f_i(0) = f(0)$, where $f(x) = \sum_{i=1}^{t} f_i(x)$. Each $A_i$ sends $s_{i,j} = f_i(j)$ to $A_j$ via a secure channel. Each $A_j$ checks whether
$$g^{s_{i,j}} \equiv \prod_{k=0}^{t-1} (B_{i,k})^{j^k} \pmod p,$$
and computes its share $s_j = \sum_{i=1}^{t} s_{i,j} = \sum_{i=1}^{t} f_i(j) = f(j)$.
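The share check above is Feldman's verifiable secret sharing applied by every authority to every share it receives. The following Python program, an added example and not part of the original solutions, runs the whole exchange for general $n$ and $t$ over a constructed toy group ($q = 11$, $p = 2q + 1 = 23$, $g = 2$ of order $q$): each authority deals a polynomial, publishes its $B_{i,k}$, and every $A_j$ verifies $g^{s_{i,j}} = \prod_k B_{i,k}^{j^k}$ before adding $s_{i,j}$ into $s_j$. It also shows that the accepted shares fit together (any $t$ of the $s_j$ interpolate to $x$, and $\prod_i h_i = g^x$) and that a corrupted share fails the check. Function names and the seed are this example's own.

```python
import random
from functools import reduce

# Constructed toy parameters, not secure: q = 11, p = 2q + 1 = 23, and g = 2 has order q in Z_23^*.
Q = 11
P = 2 * Q + 1
G = 2

def poly_eval(coeffs, x):
    """f(x) = sum_k b_k x^k over Z_q; coeffs[0] is the authority's own secret x_i."""
    return sum(b * pow(x, k, Q) for k, b in enumerate(coeffs)) % Q

def dealer_setup(t, rng):
    """Authority A_i picks a degree-(t-1) polynomial and publishes B_{i,k} = g^{b_{i,k}}."""
    coeffs = [rng.randrange(Q) for _ in range(t)]
    commitments = [pow(G, b, P) for b in coeffs]
    return coeffs, commitments

def share_is_consistent(s, j, commitments):
    """A_j's check on a share from A_i: g^{s_{i,j}} == prod_k B_{i,k}^{j^k} (mod p)."""
    expected = 1
    for k, Bk in enumerate(commitments):
        expected = expected * pow(Bk, pow(j, k, Q), P) % P   # exponents reduce mod q (order of g)
    return pow(G, s, P) == expected

def lagrange_at_zero(points):
    """Interpolate f(0) over Z_q from t points (j, f(j)); used only to show the shares fit together."""
    total = 0
    for j, fj in points:
        num = den = 1
        for m, _ in points:
            if m != j:
                num = num * m % Q
                den = den * (m - j) % Q
        total = (total + fj * num * pow(den, -1, Q)) % Q
    return total

def run_dkg(n, t, seed=1):
    """All n authorities deal shares to each other; every received share is checked before use."""
    rng = random.Random(seed)
    polys, commits = zip(*(dealer_setup(t, rng) for _ in range(n)))
    shares = {j: [poly_eval(polys[i], j) for i in range(n)] for j in range(1, n + 1)}
    all_ok = all(share_is_consistent(shares[j][i], j, commits[i])
                 for j in shares for i in range(n))
    s = {j: sum(shares[j]) % Q for j in shares}               # s_j = sum_i f_i(j) = f(j)
    x = sum(poly[0] for poly in polys) % Q                     # secret key x = sum_i x_i
    h = reduce(lambda acc, c: acc * c[0] % P, commits, 1)      # public key h = prod_i g^{x_i}
    return {
        "all_shares_consistent": all_ok,
        "public_key_matches": h == pow(G, x, P),
        "reconstructed": lagrange_at_zero([(j, s[j]) for j in list(s)[:t]]),
        "secret": x,
        # a share from A_1 to A_2 altered in transit is caught by the same check
        "tampered_rejected": not share_is_consistent((shares[2][0] + 1) % Q, 2, commits[0]),
    }

if __name__ == "__main__":
    print(run_dkg(n=4, t=3))
```

The check works because $B_{i,k}$ commits $A_i$ to its polynomial before any share is sent: a share that passes the check is the value of that committed polynomial at $j$, so shares accepted by different authorities are automatically values of the same $f_i$. The reconstruction in `run_dkg` is only a demonstration that the accepted shares are consistent; in the voting scheme the authorities never pool their $s_j$ to recover $x$.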