Homework 3 Solutions


5233/IOC5063 Theory of Cryptology, Fall 2015. Instructor: Prof. Wen-Guey Tzeng. Homework 3 Solutions, 7-Dec-2015. Scribe: Amir Rezapour.

1. Consider an unfair coin with head probability 0.51. Assume that the coin is tossed 1000 times independently.

(a) Compute exactly the probability that at least two thirds of the tosses are heads.

Let $X$ be the number of heads. Then
$$\Pr[X \ge 667] = \sum_{i=667}^{1000} \binom{1000}{i}\, 0.51^{i}\, 0.49^{1000-i} = 7.27354 \times 10^{-24}.$$

(b) Use Chebyshev's inequality to estimate the probability that at least two thirds of the tosses are heads.

Let $S_i$ be the indicator random variable of the event that the $i$-th toss is a head. We have $E(S_i) = 0.51$ and $V(S_i) = 0.51 \cdot 0.49 = 0.2499$. Let $S = \sum_{i=1}^{1000} S_i$. We have $E(S) = np = 510$ and $V(S) = np(1-p) = 249.9$. By Chebyshev's inequality, we have
$$\Pr[S \ge 667] \le \tfrac{1}{2}\Pr[|S - 510| \ge 157] \le \frac{249.9}{2 \cdot 157^2} = 0.0050697633.$$

(c) Use Hoeffding's inequality to estimate the probability that at least two thirds of the tosses are heads.

By Hoeffding's inequality, we have
$$\Pr[S \ge 667] = \Pr[S \ge (0.51 + 0.157) \cdot 1000] \le e^{-2 \cdot 0.157^2 \cdot 1000} = 3.8980 \times 10^{-22}.$$

2. This problem is about a proof of knowledge of $x$ given $(n, y)$, where $n = pq$ is a Blum integer, $\gcd(e, \varphi(n)) = 1$, and $y = x^e \bmod n$.

(a) Give a (basic) zero-knowledge proof system for it. You need to show its completeness, soundness and zero-knowledge formally.

Let $P$ be the prover and $V$ be the verifier. The basic zero-knowledge proof system is as follows.
i. Commitment, $P \to V$: $A = r^e \bmod n$, where $r \in_R \mathbb{Z}_n^*$.
ii. Challenge, $V \to P$: $h \in_R \mathbb{Z}_2$.
iii. Response, $P \to V$: $B = x^h r \bmod n$.
$V$ accepts $P$ if and only if $B^e \equiv y^h A \pmod n$.

Correctness of the zero-knowledge proof system is as follows.

Completeness. If $P$ knows $x$ with $y = x^e \bmod n$, he always convinces $V$ by the protocol.

Soundness. Without knowing $x$ with $y = x^e \bmod n$, a cheating prover $P^*$ can convince $V$ by guessing $V$'s challenge with probability $1/2$ as follows.
i. Choose $h' \in_R \mathbb{Z}_2$ and $B' \in_R \mathbb{Z}_n^*$, and compute $A' = B'^e / y^{h'} \bmod n$.
ii. Interact with $V$: $V(A') = h$.
iii. If $h = h'$, respond $B'$ to convince $V$.
If $P^*$ convinces $V$ with probability more than $1/2$, we can extract the knowledge $x = y^{1/e} \bmod n$ by rewinding $P^*$ to obtain two different accepting transcripts with the same commitment. For two such accepting transcripts $(A, h, B)$ and $(A, h', B')$, we have
$$\begin{cases} B^e \equiv y^h A \pmod n \\ B'^e \equiv y^{h'} A \pmod n \end{cases} \;\Rightarrow\; (B/B')^e \equiv y^{h-h'} \pmod n \;\Rightarrow\; y^{1/e} = (B/B')^{\frac{1}{h-h'}} \bmod n.$$
Since $h - h' = \pm 1$, we can compute $y^{1/e} = (B/B')^{\pm 1} \bmod n$. However, extracting the knowledge $y^{1/e} \bmod n$ implies solving the RSA problem, which contradicts the RSA assumption. Therefore, $P^*$ without the knowledge $x = y^{1/e} \bmod n$ cannot convince $V$ with probability more than $1/2$.

Zero-Knowledge. Define the accepting transcript function
$$tr_{P,V}(x) = \{(A, h, B) \in \mathbb{Z}_n^* \times \mathbb{Z}_2 \times \mathbb{Z}_n^* : B^e \equiv y^h A \pmod n\}.$$
For any accepting transcript $(A, h, B) \in tr_{P,V}(x)$, we have
$$\Pr[tr_{P,V}(x) = (A, h, B)] = \frac{\Pr[V(A) = h]}{\varphi(n)}.$$
On the other hand, we construct the probabilistic polynomial-time simulator $S$ to simulate the accepting transcript $tr_{P,V}(x)$ by $tr_{S,V}(x)$ as follows.
i. Choose $h' \in_R \mathbb{Z}_2$ and $B' \in_R \mathbb{Z}_n^*$, and compute $A' = B'^e / y^{h'} \bmod n$.

ii. Invoke $V(A') = h$.
iii. If $h = h'$, return $(A', h', B')$ as an accepting transcript. Otherwise, repeat from step i.
For any accepting transcript $(A', h', B') \in tr_{S,V}(x)$, we have
$$\Pr[tr_{S,V}(x) = (A', h', B')] = \frac{\Pr[V(A') = h']}{2\,\varphi(n)}.$$
The expected execution time of simulator $S$ is $t_S = 2(t_E + t_V)$, where $t_E$ is the execution time of step i and step iii, and $t_V$ is the execution time of verifier $V$. $S$ runs in polynomial time and the probability distributions of $tr_{P,V}(x)$ and $tr_{S,V}(x)$ are indistinguishable. Therefore, the proof system is zero-knowledge.

(b) How can the cheating probability of the prover be reduced?

The cheating probability of $P^*$ in the basic zero-knowledge proof system is $1/2$. $V$ can reduce the cheating probability to $1/2^k$ by asking $P$ to prove himself $k$ times sequentially, where $k$ is bounded by a polynomial in the security parameter. Let $\mathrm{ZKPoK}(P, V)$ denote the basic zero-knowledge proof system. The enhanced zero-knowledge proof system is as follows:

    for (i = 0; i < k; ++i)
        if (!ZKPoK(P, V)) return false;
    return true;

(c) Give an (efficient) honest-verifier interactive zero-knowledge proof system for it.

Let $P$ be the prover and $V$ be the verifier. The honest-verifier interactive zero-knowledge proof system is as follows.
i. Commitment, $P \to V$: $A = r^e \bmod n$, where $r \in_R \mathbb{Z}_n^*$.
ii. Challenge, $V \to P$: $h \in_R \mathbb{Z}_n$.
iii. Response, $P \to V$: $B = x^h r \bmod n$.
$V$ accepts $P$ if and only if $B^e \equiv y^h A \pmod n$.
The challenge $h$ is chosen randomly from $\mathbb{Z}_n$, although the group size is $\varphi(n)$. Therefore, $P^*$ guesses $h$ with probability at most $1/\varphi(n)$. An honest verifier $V$ chooses $h \in_R \mathbb{Z}_n$ as in the definition of the protocol. Therefore, the simulator $S$ can choose $h$ by himself and simulate in polynomial time without changing the probability distribution of accepting transcripts $tr_{S,V}(x)$.

(d) Design a digital signature scheme based on the above honest-verifier interactive zero-knowledge proof system.
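The $e$-th-root protocol of parts (a) to (c), together with the Fiat-Shamir signature that part (d) derives from it, as an added example that is not part of the homework solution: prover, verifier, the knowledge extractor from two transcripts with $h - h' = \pm 1$, the simulator, and KeyGen/Sign/Verify. The primes 11 and 19, the exponent $e = 7$ and the SHA-256-based hash into $\mathbb{Z}_n$ are constructed toy choices, not parameters from the page.

```python
import secrets
from hashlib import sha256
from math import gcd

p, q = 11, 19                      # constructed toy Blum primes (both are 3 mod 4)
n, phi = p * q, (p - 1) * (q - 1)
e = 7                              # gcd(e, phi(n)) = 1
d = pow(e, -1, phi)                # e^{-1} mod phi(n), used by KeyGen only

def rand_unit():
    """Uniform element of Z_n^* by rejection sampling."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r

# parts (a)/(c): A = r^e, challenge h, B = x^h r, accept iff B^e == y^h A (mod n)
def commit():
    r = rand_unit()
    return r, pow(r, e, n)

def respond(x, r, h):
    return pow(x, h, n) * r % n

def verify(y, A, h, B):
    return pow(B, e, n) == pow(y, h, n) * A % n

def extract(y, A, h1, B1, h2, B2):
    """Two accepting transcripts on the same A with h1 - h2 = +-1 give
    x = (B1/B2)^(1/(h1-h2)) mod n, i.e. the e-th root of y."""
    assert h1 - h2 in (1, -1) and verify(y, A, h1, B1) and verify(y, A, h2, B2)
    ratio = B1 * pow(B2, -1, n) % n
    return ratio if h1 - h2 == 1 else pow(ratio, -1, n)

def simulate(y, h):
    """Simulator: pick B' first, then A' = B'^e / y^h; no x is needed."""
    B = rand_unit()
    return pow(B, e, n) * pow(y, -h, n) % n, h, B

# part (d): Fiat-Shamir turns the part (c) protocol into a signature
def H(*parts):                     # assumed hash of n||e||c||a||m into Z_n
    data = b"|".join(v if isinstance(v, bytes) else str(v).encode() for v in parts)
    return int.from_bytes(sha256(data).digest(), "big") % n

def keygen():
    c = rand_unit()
    return (n, d, pow(c, d, n)), (n, e, c)        # sk = (n, d, k), pk = (n, e, c)

def sign(sk, m):
    _, _, k = sk
    c, r = pow(k, e, n), rand_unit()              # c = k^e because k = c^d
    a = pow(r, e, n)
    h = H(n, e, c, a, m)
    return r * pow(k, h, n) % n, h                # b = r k^h mod n

def verify_sig(pk, m, b, h):
    _, _, c = pk
    a = pow(b, e, n) * pow(c, -h, n) % n          # a = b^e / c^h mod n
    return h == H(n, e, c, a, m)
```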

Fiat-Shamir gives a standard method for converting an interactive zero-knowledge proof system into a digital signature scheme. In doing so, we need to eliminate the communication between prover and verifier. We substitute the challenge step by a collision-resistant hash function that is publicly available to both prover and verifier. Let $H : \{0,1\}^* \to \mathbb{Z}_n$ be such a secure hash function. The digital signature scheme is as follows.
i. $\mathrm{KeyGen}(\pi) = (sk, pk)$: Choose two safe primes $p$ and $q$ of $\pi$ bits, and compute the RSA modulus $n = pq$. Choose $e \in_R \mathbb{Z}_{\varphi(n)}^*$, and compute $d = e^{-1} \bmod \varphi(n)$. Choose $c \in_R \mathbb{Z}_n^*$, and compute $k = c^d \bmod n$. Then $sk = (n, d, k)$ and $pk = (n, e, c)$.
ii. $\mathrm{Sign}(sk, m) = (b, h)$: Compute $a = r^e \bmod n$, $h = H(n \| e \| c \| a \| m)$, and $b = r k^h \bmod n$, where $r \in_R \mathbb{Z}_n^*$.
iii. $\mathrm{Verify}(pk, m, b, h) \in \{0, 1\}$: Compute $a = b^e / c^h \bmod n$. The signature $(m, b, h)$ is valid if and only if $h = H(n \| e \| c \| a \| m)$.

3. Given $(p, g, y, z_1, z_2)$, either $\log_g y = \log_g z_1 \pmod p$ or $\log_g y = \log_g z_2 \pmod p$, but not both.

(a) Assume that $P$ knows $x_1 = \log_g y = \log_g z_1 \pmod p$. Give a zero-knowledge proof $\langle P(x_1), V \rangle$ of this knowledge without revealing which $z_i$ has the same exponent as $y$. Show its completeness, soundness and zero-knowledge.

Let $P$ be the prover and $V$ be the honest verifier. The honest-verifier zero-knowledge proof of knowledge of either $x_1 = \log_g z_1 \bmod p$ or $x_2 = \log_g z_2 \bmod p$ is as follows.
i. Commitment, $P \to V$: $A_1 = g^{r} \bmod p$ and $A_2 = g^{B_2} z_2^{-c_2} \bmod p$, where $(r, B_2, c_2) \in_R (\mathbb{Z}_{p-1})^3$.
ii. Challenge, $V \to P$: $c \in_R \mathbb{Z}_{p-1}$.
iii. Response, $P \to V$: $(c_1, B_1) = (c - c_2,\; c_1 x_1 + r) \bmod (p-1)$ and $(c_2, B_2)$.
$V$ accepts $P$ if and only if
$$c_1 + c_2 \equiv c \pmod{p-1}, \qquad g^{B_1} \equiv z_1^{c_1} A_1 \pmod p, \qquad g^{B_2} \equiv z_2^{c_2} A_2 \pmod p.$$

Correctness of the above honest-verifier zero-knowledge proof system is as follows.

Completeness. If $P$ knows $x_1 = \log_g z_1 \bmod p$, he always convinces $V$ by the above protocol.

Soundness. Without knowing $x_1 = \log_g z_1 \bmod p$ and $x_2 = \log_g z_2 \bmod p$, a cheating prover $P^*$ can convince $V$ by guessing $V$'s challenge with probability $1/(p-1)$ as follows.
i. Choose $(c_1, c_2, B_1, B_2) \in_R (\mathbb{Z}_{p-1})^4$ and compute $A_1 = g^{B_1} z_1^{-c_1} \bmod p$ and $A_2 = g^{B_2} z_2^{-c_2} \bmod p$.
ii. Interact with $V$: $V(A_1, A_2) = c$.

iii. If $c_1 + c_2 = c$, respond $(c_1, c_2, B_1, B_2)$ to convince $V$.
If $P^*$ convinces $V$ with probability more than $1/(p-1)$, there exist commitments for which $P^*$ can convince $V$ on at least two different challenges with the same commitment. For two such accepting transcripts $(A_1, A_2, c, c_1, c_2, B_1, B_2)$ and $(A_1, A_2, c', c_1', c_2', B_1', B_2')$, there is some $i \in \{1, 2\}$ such that $c_i \ne c_i'$ (since $c_1 + c_2 \equiv c \not\equiv c' \equiv c_1' + c_2' \pmod{p-1}$). Therefore, we can extract the knowledge $x_i = \log_g z_i \bmod p$ for some $i \in \{1, 2\}$ as follows:
$$\begin{cases} g^{B_i} \equiv z_i^{c_i} A_i \pmod p \\ g^{B_i'} \equiv z_i^{c_i'} A_i \pmod p \end{cases} \;\Rightarrow\; g^{B_i - B_i'} \equiv z_i^{c_i - c_i'} \pmod p \;\Rightarrow\; z_i \equiv g^{\frac{B_i - B_i'}{c_i - c_i'}} \pmod p \;\Rightarrow\; \log_g z_i = \frac{B_i - B_i'}{c_i - c_i'} \bmod (p-1).$$
However, extracting the knowledge $x_i = \log_g z_i \bmod p$ implies solving the discrete logarithm problem, which contradicts the discrete logarithm assumption. Therefore, $P^*$ without the knowledge $x_1 = \log_g z_1 \bmod p$ and $x_2 = \log_g z_2 \bmod p$ cannot convince $V$ with probability more than $1/(p-1)$.

Zero-Knowledge. Suppose that $V$ is an honest verifier. Define the accepting transcript function
$$tr_{P,V}(x_i) = \{(A_1, A_2, c, c_1, c_2, B_1, B_2) \in (\mathbb{Z}_p^*)^2 \times (\mathbb{Z}_{p-1})^5 : c_1 + c_2 \equiv c \pmod{p-1},\; g^{B_1} \equiv z_1^{c_1} A_1 \pmod p,\; g^{B_2} \equiv z_2^{c_2} A_2 \pmod p\}.$$
For any accepting transcript $(A_1 \in_R \mathbb{Z}_p^*,\; A_2 = g^{B_2} z_2^{-c_2},\; c \in_R \mathbb{Z}_{p-1},\; c_1 = c - c_2,\; c_2 \in_R \mathbb{Z}_{p-1},\; B_1 = c_1 x_1 + r,\; B_2 \in_R \mathbb{Z}_{p-1}) \in tr_{P,V}(x_1)$, we have
$$\Pr[tr_{P,V}(x_1) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$
For any accepting transcript $(A_1 = g^{B_1} z_1^{-c_1},\; A_2 \in_R \mathbb{Z}_p^*,\; c \in_R \mathbb{Z}_{p-1},\; c_1 \in_R \mathbb{Z}_{p-1},\; c_2 = c - c_1,\; B_1 \in_R \mathbb{Z}_{p-1},\; B_2 = c_2 x_2 + r) \in tr_{P,V}(x_2)$, we have
$$\Pr[tr_{P,V}(x_2) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$
Therefore, the zero-knowledge proof systems $\langle P(x_1), V \rangle$ and $\langle P(x_2), V \rangle$ have the same distribution of transcripts. We construct the probabilistic polynomial-time simulator $S$ to simulate the accepting transcript $tr_{P,V}(x_i)$ by $tr_{S,V}(x_i)$ as follows.
i. Choose $(c_1, c_2, B_1, B_2) \in_R (\mathbb{Z}_{p-1})^4$.
ii. Compute $A_1 = g^{B_1} z_1^{-c_1} \bmod p$, $A_2 = g^{B_2} z_2^{-c_2} \bmod p$, and $c = c_1 + c_2 \bmod (p-1)$.
iii. Return $(A_1, A_2, c, c_1, c_2, B_1, B_2)$ as an accepting transcript.
For any accepting transcript $(A_1, A_2, c, c_1, c_2, B_1, B_2) \in tr_{S,V}(x_i)$, we have
$$\Pr[tr_{S,V}(x_i) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$

The expected execution time of simulator $S$ is $t_S \le \mathrm{poly}(k)$, where $k$ is the security parameter. $S$ runs in polynomial time and the probability distributions of $tr_{P,V}(x_i)$ and $tr_{S,V}(x_i)$ are indistinguishable. Therefore, the honest-verifier proof system is zero-knowledge.

(b) Assume that $P$ knows $x_2 = \log_g y = \log_g z_2 \pmod p$. Give a zero-knowledge proof $\langle P(x_2), V \rangle$ of this knowledge without revealing which $z_i$ has the same exponent as $y$.

Let $P$ be the prover and $V$ be the honest verifier. The honest-verifier zero-knowledge proof of knowledge of either $x_1 = \log_g z_1 \bmod p$ or $x_2 = \log_g z_2 \bmod p$ is as follows.
i. Commitment, $P \to V$: $A_1 = g^{B_1} z_1^{-c_1} \bmod p$ and $A_2 = g^{r} \bmod p$, where $(r, B_1, c_1) \in_R (\mathbb{Z}_{p-1})^3$.
ii. Challenge, $V \to P$: $c \in_R \mathbb{Z}_{p-1}$.
iii. Response, $P \to V$: $(c_1, B_1)$ and $(c_2, B_2) = (c - c_1,\; c_2 x_2 + r) \bmod (p-1)$.
$V$ accepts $P$ if and only if
$$c_1 + c_2 \equiv c \pmod{p-1}, \qquad g^{B_1} \equiv z_1^{c_1} A_1 \pmod p, \qquad g^{B_2} \equiv z_2^{c_2} A_2 \pmod p.$$

(c) Show that the distributions of transcripts of $\langle P(x_1), V \rangle$ and $\langle P(x_2), V \rangle$ are identical.

Define the accepting transcript function
$$tr_{P,V}(x_i) = \{(A_1, A_2, c, c_1, c_2, B_1, B_2) \in (\mathbb{Z}_p^*)^2 \times (\mathbb{Z}_{p-1})^5 : c_1 + c_2 \equiv c \pmod{p-1},\; g^{B_1} \equiv z_1^{c_1} A_1 \pmod p,\; g^{B_2} \equiv z_2^{c_2} A_2 \pmod p\}.$$
For any accepting transcript $(A_1 \in_R \mathbb{Z}_p^*,\; A_2 = g^{B_2} / z_2^{c_2},\; c,\; c_1 = c - c_2,\; c_2 \in_R \mathbb{Z}_{p-1},\; B_1 = c_1 x_1 + r,\; B_2 \in_R \mathbb{Z}_{p-1}) \in tr_{P,V}(x_1)$, we have
$$\Pr[tr_{P,V}(x_1) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$
For any accepting transcript $(A_1 = g^{B_1} / z_1^{c_1},\; A_2 \in_R \mathbb{Z}_p^*,\; c,\; c_1 \in_R \mathbb{Z}_{p-1},\; c_2 = c - c_1,\; B_1 \in_R \mathbb{Z}_{p-1},\; B_2 = c_2 x_2 + r) \in tr_{P,V}(x_2)$, we have
$$\Pr[tr_{P,V}(x_2) = (A_1, A_2, c, c_1, c_2, B_1, B_2)] = \frac{1}{(p-1)^4}.$$
Therefore, the zero-knowledge proof systems $\langle P(x_1), V \rangle$ and $\langle P(x_2), V \rangle$ have the same distribution of transcripts.
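The OR-proof of problem 3 in code, as an added example that is not part of the homework solution: one prover routine covers both (a) and (b) by choosing which branch is real, the verifier applies the three acceptance checks, the simulator of 3(a) builds a transcript without any witness, and the extractor recovers $\log_g z_i$ from two transcripts that share their commitments. The group ($p = 23$, $g = 5$) and the `coins` argument that makes a prover run rewindable are constructed assumptions of this example.

```python
import secrets

p, g = 23, 5                  # constructed toy group: 5 is a primitive root mod 23
ORD = p - 1                   # exponents live in Z_{p-1}

def prove(z, x, known, challenge, coins=None):
    """Prover holding x = log_g z[known] (known is 0 or 1). `challenge` plays the
    verifier's choice of c given (A1, A2); `coins` fixes (r, c_other, B_other) so
    the same prover run can be rewound and answered with a second challenge."""
    r, c_o, B_o = coins or [secrets.randbelow(ORD) for _ in range(3)]
    other = 1 - known
    A = [0, 0]
    A[known] = pow(g, r, p)                                    # real branch
    A[other] = pow(g, B_o, p) * pow(z[other], -c_o, p) % p     # simulated branch
    c = challenge(A[0], A[1])
    cs, Bs = [0, 0], [0, 0]
    cs[other], Bs[other] = c_o, B_o
    cs[known] = (c - c_o) % ORD                                # c_known = c - c_other
    Bs[known] = (cs[known] * x + r) % ORD                      # B_known = c_known x + r
    return (A[0], A[1], c, cs[0], cs[1], Bs[0], Bs[1])

def verify(z, t):
    A1, A2, c, c1, c2, B1, B2 = t
    return ((c1 + c2) % ORD == c % ORD
            and pow(g, B1, p) == pow(z[0], c1, p) * A1 % p
            and pow(g, B2, p) == pow(z[1], c2, p) * A2 % p)

def simulate(z):
    """Honest-verifier simulator of 3(a): choose (c1, c2, B1, B2) first."""
    c1, c2, B1, B2 = (secrets.randbelow(ORD) for _ in range(4))
    A1 = pow(g, B1, p) * pow(z[0], -c1, p) % p
    A2 = pow(g, B2, p) * pow(z[1], -c2, p) % p
    return (A1, A2, (c1 + c2) % ORD, c1, c2, B1, B2)

def extract(t, t2):
    """Two accepting transcripts with the same commitments and c != c' differ in
    some c_i; then log_g z_i = (B_i - B_i') / (c_i - c_i') mod (p-1). The division
    needs c_i - c_i' invertible mod p-1 and raises ValueError otherwise."""
    _, _, _, c1, c2, B1, B2 = t
    _, _, _, d1, d2, E1, E2 = t2
    for i, (ci, di, Bi, Ei) in enumerate(((c1, d1, B1, E1), (c2, d2, B2, E2))):
        if ci != di:
            return i, (Bi - Ei) * pow((ci - di) % ORD, -1, ORD) % ORD
    return None
```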

4. We consider the multi-authority secure electronic voting scheme without a trusted center, discussed in class. How does the authority $A_i$ assure $A_j$ that the sent share $s_{i,j} = f_i(x_j)$ is indeed consistent with all other shares sent to the other authorities?

Let $p = kq + 1$ be a large prime, where $q$ is also a large prime, and $G_q = \langle g \rangle$ be a cyclic multiplicative group of order $q$. Suppose that $(A_1, A_2, \ldots, A_n)$ are the $n$ authorities and any $t$-out-of-$n$ authorities can tally votes. Each authority $A_i$ selects $x_i$ and a $(t-1)$-degree polynomial $f_i(x) = \sum_{k=0}^{t-1} b_{i,k} x^k$ with $f_i(0) = x_i$, and publishes $h_i = g^{x_i}$ and $B_{i,k} = g^{b_{i,k}}$ for $0 \le k \le t-1$. Then the public key is $h = \prod_{i=1}^{t} h_i$ and the secret key is $x = \sum_{i=1}^{t} x_i = \sum_{i=1}^{t} f_i(0) = f(0)$, where $f(x) = \sum_{i=1}^{t} f_i(x)$. Each $A_i$ sends $s_{i,j} = f_i(j)$ to $A_j$ via a secure channel. Each $A_j$ checks whether
$$g^{s_{i,j}} \equiv \prod_{k=0}^{t-1} (B_{i,k})^{j^k} \pmod p$$
and computes the share $s_j = \sum_{i=1}^{t} s_{i,j} = \sum_{i=1}^{t} f_i(j) = f(j)$.
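The share-consistency check of problem 4 run end to end, as an added example that is not part of the homework solution: every authority deals a polynomial and publishes $B_{i,k}$, every receiver verifies $g^{s_{i,j}} \equiv \prod_k B_{i,k}^{j^k}$ before summing shares, and $t$ combined shares interpolate to $f(0)$ with $g^{f(0)} = h$. The parameters ($q = 11$, $p = 23$, $g = 2$, $t = 2$, $n = 3$) are constructed toy values, and all $n$ authorities contribute to $h$ here.

```python
import secrets

q, p, g = 11, 23, 2        # constructed: p = 2q + 1 and g = 2 has order q in Z_23^*
t, n = 2, 3                # any t = 2 of the n = 3 authorities can tally

def deal():
    """Authority A_i picks x_i = b_{i,0} and a degree-(t-1) polynomial f_i,
    publishes B_{i,k} = g^{b_{i,k}} and prepares s_{i,j} = f_i(j) for every A_j."""
    coeffs = [secrets.randbelow(q) for _ in range(t)]
    public = [pow(g, b, p) for b in coeffs]                 # h_i is public[0]
    shares = {j: sum(b * pow(j, k, q) for k, b in enumerate(coeffs)) % q
              for j in range(1, n + 1)}
    return coeffs[0], public, shares

def check_share(public, j, s):
    """A_j's consistency test: g^{s_{i,j}} == prod_k B_{i,k}^{j^k} (mod p)."""
    rhs = 1
    for k, B in enumerate(public):
        rhs = rhs * pow(B, pow(j, k, q), p) % p
    return pow(g, s, p) == rhs

def lagrange_at_zero(points):
    """f(0) mod q from t points (j, f(j)) of a degree-(t-1) polynomial."""
    total = 0
    for j, s in points:
        num = den = 1
        for m, _ in points:
            if m != j:
                num, den = num * (-m) % q, den * (j - m) % q
        total = (total + s * num * pow(den, -1, q)) % q
    return total

def run():
    """Full dealing round: returns (x, h, g^x == h), or None on a bad share."""
    dealers = [deal() for _ in range(n)]
    h = 1
    for _, public, _ in dealers:
        h = h * public[0] % p                               # h = prod_i h_i
    combined = {}
    for j in range(1, n + 1):                               # A_j validates all s_{i,j}
        if not all(check_share(pub, j, sh[j]) for _, pub, sh in dealers):
            return None
        combined[j] = sum(sh[j] for _, _, sh in dealers) % q   # s_j = f(j)
    x = lagrange_at_zero(list(combined.items())[:t])        # any t shares give f(0)
    return x, h, pow(g, x, p) == h
```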