Consider the diagram of tunnels in Figure 19.2. Suppose each of the four doors to the central chamber is locked so that a key is needed to enter, but no key is needed to exit. Peggy claims she has the key to one of the doors. Devise a zero-knowledge protocol in which Peggy proves to Victor that she can enter the central chamber. Victor should obtain no knowledge of which door Peggy can unlock.
Suppose is a large prime, is a primitive root, and . The numbers are public. Peggy wants to prove to Victor that she knows without revealing it. They do the following:
Peggy chooses a random number .
Peggy computes and and sends to Victor.
Victor chooses or and asks Peggy to send either or
Victor checks that and that .
They repeat this procedure times, for some specified .
Suppose Peggy does not know . Why will she usually be unable to produce numbers that convince Victor?
If Peggy does not know , what is the probability that Peggy can convince Victor that she knows ?
Suppose naive Nelson tries a variant. He wants to convince Victor that he knows , so he chooses a random as before, but does not send . Victor asks for and Nelson sends it. They do this several times. Why is Victor not convinced of anything? What is the essential difference between Nelson’s scheme and Peggy’s scheme that causes this?
Naive Nelson thinks he understands zero-knowledge protocols. He wants to prove to Victor that he knows the factorization of (which equals for two large primes and ) without revealing this factorization to Victor or anyone else. Nelson devises the following procedure: Victor chooses a random integer mod , computes , and sends to Nelson. Nelson computes a square root of mod and sends to Victor. Victor checks that . Victor repeats this 20 times.
Describe how Nelson computes . You may assume that and are (see Section 3.9).
Explain how Victor can use this procedure to have a high probability of finding the factorization of . (Therefore, this is not a zero-knowledge protocol.)
Suppose Eve is eavesdropping and hears the values of each and . Is it likely that Eve obtains any useful information? (Assume no value of repeats.)
Exercise 2 gave a zero-knowledge proof that Peggy knows a discrete logarithm. Here is another method. Suppose is a large prime, is a primitive root, and . The numbers are public. Peggy wants to prove to Victor that she knows without revealing it. They do the following:
Peggy chooses a random integer with , computes , and sends to Victor.
Victor chooses a random integer with and sends to Peggy.
Peggy computes and sends to Victor.
Victor checks whether . If so, he believes that Peggy knows .
Show that the verification equation holds if the procedure is followed correctly.
Does Victor obtain any information that will allow him to compute ?
Suppose Eve finds out the values of , , and . Will she be able to determine ?
Suppose Peggy repeats the procedure with the same value of , but Victor uses different values and . How can Eve, who has listened to all communications between Victor and Peggy, determine ?
The preceding procedure is the basis for the Schnorr identification scheme. Victor could be a bank and could be Peggy’s personal identification number. The bank stores , and Peggy must prove she knows to access her account. Alternatively, Victor could be a central computer and Peggy could be logging on to the computer through nonsecure telephone lines. Peggy’s password is , and the central computer stores .
In the Schnorr scheme, is usually chosen so that has a large prime factor , and , instead of being a primitive root, is taken to satisfy . The congruence defining is then taken mod . Moreover, is taken to satisfy for some , for example, .
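One round of the Schnorr identification scheme in the prime-order subgroup setting described above, written as an added example and not taken from the textbook. The page's own symbols did not survive extraction, so the names (`P`, `Q`, `G`, `a`, `k`, `r`, `y`), the response form `y = k - a*r mod Q`, and the toy parameters are assumptions; `recover_secret` shows why one commitment nonce must never be answered for two different challenges.

```python
import secrets

# Constructed toy parameters (assumed, far too small for real use).
P = 2267                      # prime modulus; P - 1 = 2 * 11 * 103
Q = 103                       # prime factor of P - 1
G = pow(2, (P - 1) // Q, P)   # element of order Q, so G**Q % P == 1
T = 6                         # challenge bound 2**T must stay below Q here

def keygen():
    """Peggy's secret a and the public value stored by Victor."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)

def commit():
    """Fresh nonce k and the commitment sent to Victor."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)

def challenge():
    """Victor's random challenge r with 1 <= r <= 2**T."""
    return secrets.randbelow(2 ** T) + 1

def respond(a, k, r):
    """Peggy's response; the congruence is taken mod Q."""
    return (k - a * r) % Q

def verify(pub, gamma, r, y):
    """Victor accepts iff gamma == G**y * pub**r (mod P)."""
    return gamma == (pow(G, y, P) * pow(pub, r, P)) % P

def recover_secret(r1, y1, r2, y2):
    """Same nonce, two challenges: y2 - y1 = a*(r1 - r2) mod Q."""
    return ((y2 - y1) * pow(r1 - r2, -1, Q)) % Q

def demo():
    a, pub = keygen()
    k, gamma = commit()
    r = challenge()
    honest = verify(pub, gamma, r, respond(a, k, r))
    # A prover answering with a different secret fails the check.
    wrong = verify(pub, gamma, r, respond((a % (Q - 1)) + 1, k, r))
    return honest, wrong

if __name__ == "__main__":
    print(demo())
```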
Peggy claims that she knows an RSA plaintext. That is, are public and Peggy claims that she knows such that . She wants to prove this to Victor using a zero-knowledge protocol. Peggy and Victor perform the following steps:
Peggy chooses a random integer and computes (assume that .)
Peggy computes and and sends to Victor.
Victor checks that .
Give the remaining steps of the protocol. Victor should be at least 99% convinced that Peggy is not lying.
Suppose that is a large prime, and . Peggy wants to prove to Victor, using a zero-knowledge protocol, that she knows a value of with . Peggy and Victor do the following:
Peggy chooses three random integers with .
Peggy computes , for and sends to Victor.
Victor checks that .
Design the remaining steps of this protocol so that Victor is at least 99% convinced that Peggy is not lying. (Note: There are two ways for Victor to proceed in Step 4. One has a higher probability of catching Peggy, if she is cheating, than the other.)
Give a reasonable method for Peggy to choose the three random numbers such that . (A method that doesn’t work is “Choose three random numbers and see if their sum is . If not, try again.”)
Suppose that is the product of two large primes, and that is given. Peggy wants to prove to Victor, using a zero-knowledge protocol, that she knows a value of with . Peggy and Victor do the following:
Peggy chooses three random integers with .
Peggy computes , for and sends to Victor.
Victor checks that .
Design the remaining steps of this protocol so that Victor is at least 99% convinced that Peggy is not lying. (Note: There are two ways for Victor to proceed in Step 4. One has a higher probability of catching Peggy, if she is cheating, than the other.)
Give a reasonable method for Peggy to choose the three random numbers such that . (A method that doesn’t work is “Choose three random numbers and see if their product is . If not, try again.”)
Peggy claims that she knows an RSA plaintext. That is, are public and Peggy claims that she knows such that . Devise a zero-knowledge protocol similar to that used in Exercises 6 and 7 for Peggy to convince Victor that she knows .