Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

19.3 Exercises

Consider the diagram of tunnels in Figure 19.2. Suppose each of the four doors to the central chamber is locked so that a key is needed to enter, but no key is needed to exit. Peggy claims she has the key to one of the doors. Devise a zero-knowledge protocol in which Peggy proves to Victor that she can enter the central chamber. Victor should obtain no knowledge of which door Peggy can unlock.

Figure 19.2 Diagram for Exercise 1

Figure 19.2 Full Alternative Text
Suppose $p$ $p$ is a large prime, $α$ $α$ is a primitive root, and $β \equiv α^{a} (m o d p)$ $β \equiv α^{a} (m o d p)$ . The numbers $p, α, β$ $p, α, β$ are public. Peggy wants to prove to Victor that she knows $a$ $a$ without revealing it. They do the following:
1. Peggy chooses a random number $r (m o d p - 1)$ $r (m o d p - 1)$ .
2. Peggy computes $h_{1} \equiv α^{r} (m o d p)$ $h_{1} \equiv α^{r} (m o d p)$ and $h_{2} \equiv α^{a - r} (m o d p)$ $h_{2} \equiv α^{a - r} (m o d p)$ and sends $h_{1}, h_{2}$ $h_{1}, h_{2}$ to Victor.
3. Victor chooses $i = 1$ $i = 1$ or $i = 2$ $i = 2$ and asks Peggy to send either $r_{1} = r$ $r_{1} = r$ or $r_{2} = a - r (m o d p - 1) .$ $r_{2} = a - r (m o d p - 1) .$
4. Victor checks that $h_{1} h_{2} \equiv β (m o d p)$ $h_{1} h_{2} \equiv β (m o d p)$ and that $h_{i} \equiv α^{r_{i}} (m o d p)$ $h_{i} \equiv α^{r_{i}} (m o d p)$ .
They repeat this procedure $t$ $t$ times, for some specified $t$ $t$ .
1. Suppose Peggy does not know $a$ $a$ . Why will she usually be unable to produce numbers that convince Victor?
2. If Peggy does not know $a$ $a$ , what is the probability that Peggy can convince Victor that she knows $a$ $a$ ?
3. Suppose naive Nelson tries a variant. He wants to convince Victor that he knows $a$ $a$ , so he chooses a random $r$ $r$ as before, but does not send $h_{1}, h_{2}$ $h_{1}, h_{2}$ . Victor asks for $r_{i}$ $r_{i}$ and Nelson sends it. They do this several times. Why is Victor not convinced of anything? What is the essential difference between Nelson’s scheme and Peggy’s scheme that causes this?
Naive Nelson thinks he understands zero-knowledge protocols. He wants to prove to Victor that he knows the factorization of $n$ $n$ (which equals $p q$ $p q$ for two large primes $p$ $p$ and $q$ $q$ ) without revealing this factorization to Victor or anyone else. Nelson devises the following procedure: Victor chooses a random integer $x$ $x$ mod $n$ $n$ , computes $y \equiv x^{2} (m o d n)$ $y \equiv x^{2} (m o d n)$ , and sends $y$ $y$ to Nelson. Nelson computes a square root $s$ $s$ of $y$ $y$ mod $n$ $n$ and sends $s$ $s$ to Victor. Victor checks that $s^{2} \equiv y (m o d n)$ $s^{2} \equiv y (m o d n)$ . Victor repeats this 20 times.
1. Describe how Nelson computes $s$ $s$ . You may assume that $p$ $p$ and $q$ $q$ are $\equiv 3 (m o d 4)$ $\equiv 3 (m o d 4)$ (see Section 3.9).
2. Explain how Victor can use this procedure to have a high probability of finding the factorization of $n$ $n$ . (Therefore, this is not a zero-knowledge protocol.)
3. Suppose Eve is eavesdropping and hears the values of each $y$ $y$ and $s$ $s$ . Is it likely that Eve obtains any useful information? (Assume no value of $y$ $y$ repeats.)
Exercise 2 gave a zero-knowledge proof that Peggy knows a discrete logarithm. Here is another method. Suppose $p$ $p$ is a large prime, $α$ $α$ is a primitive root, and $β \equiv α^{a} (m o d p)$ $β \equiv α^{a} (m o d p)$ . The numbers $p, α, β$ $p, α, β$ are public. Peggy wants to prove to Victor that she knows $a$ $a$ without revealing it. They do the following:
1. Peggy chooses a random integer $k$ $k$ with $1 \leq k < p - 1$ $1 \leq k < p - 1$ , computes $γ \equiv α^{k} (m o d p)$ $γ \equiv α^{k} (m o d p)$ , and sends $γ$ $γ$ to Victor.
2. Victor chooses a random integer $r$ $r$ with $1 \leq r < p - 1$ $1 \leq r < p - 1$ and sends $r$ $r$ to Peggy.
3. Peggy computes $y \equiv k - a r (m o d p - 1)$ $y \equiv k - a r (m o d p - 1)$ and sends $y$ $y$ to Victor.
4. Victor checks whether $γ \equiv α^{y} β^{r} (m o d p)$ $γ \equiv α^{y} β^{r} (m o d p)$ . If so, he believes that Peggy knows $a$ $a$ .
1. Show that the verification equation holds if the procedure is followed correctly.
2. Does Victor obtain any information that will allow him to compute $a$ $a$ ?
3. Suppose Eve finds out the values of $γ$ $γ$ , $r$ $r$ , and $y$ $y$ . Will she be able to determine $a$ $a$ ?
4. Suppose Peggy repeats the procedure with the same value of $k$ $k$ , but Victor uses different values $r_{1}$ $r_{1}$ and $r_{2}$ $r_{2}$ . How can Eve, who has listened to all communications between Victor and Peggy, determine $a$ $a$ ?
The preceding procedure is the basis for the Schnorr identification scheme. Victor could be a bank and $a$ $a$ could be Peggy’s personal identification number. The bank stores $β$ $β$ , and Peggy must prove she knows $a$ $a$ to access her account. Alternatively, Victor could be a central computer and Peggy could be logging on to the computer through nonsecure telephone lines. Peggy’s password is $a$ $a$ , and the central computer stores $β$ $β$ .

In the Schnorr scheme, $p$ $p$ is usually chosen so that $p - 1$ $p - 1$ has a large prime factor $q$ $q$ , and $α$ $α$ , instead of being a primitive root, is taken to satisfy $α^{q} \equiv 1 (m o d p)$ $α^{q} \equiv 1 (m o d p)$ . The congruence defining $y$ $y$ is then taken mod $q$ $q$ . Moreover, $r$ $r$ is taken to satisfy $1 \leq r \leq 2^{t}$ $1 \leq r \leq 2^{t}$ for some $t$ $t$ , for example, $t = 40$ $t = 40$ .
Peggy claims that she knows an RSA plaintext. That is, $n, e, c$ $n, e, c$ are public and Peggy claims that she knows $m$ $m$ such that $m^{e} \equiv c (m o d n)$ $m^{e} \equiv c (m o d n)$ . She wants to prove this to Victor using a zero-knowledge protocol. Peggy and Victor perform the following steps:
1. Peggy chooses a random integer $r_{1}$ $r_{1}$ and computes $r_{2} \equiv m \cdot r_{1}^{- 1} (m o d n)$ $r_{2} \equiv m \cdot r_{1}^{- 1} (m o d n)$ (assume that $gcd (r_{1}, n) = 1$ $gcd (r_{1}, n) = 1$ .)
2. Peggy computes $x_{1} \equiv r_{1}^{e} (m o d n)$ $x_{1} \equiv r_{1}^{e} (m o d n)$ and $x_{2} \equiv r_{2}^{e} (m o d n)$ $x_{2} \equiv r_{2}^{e} (m o d n)$ and sends $x_{1}, x_{2}$ $x_{1}, x_{2}$ to Victor.
3. Victor checks that $x_{1} x_{2} \equiv c (m o d n)$ $x_{1} x_{2} \equiv c (m o d n)$ .
Give the remaining steps of the protocol. Victor should be at least 99% convinced that Peggy is not lying.
1. Suppose that $p$ $p$ is a large prime, and $g, h \equiv 0 (mod p)$ $g, h \equiv 0 (mod p)$ . Peggy wants to prove to Victor, using a zero-knowledge protocol, that she knows a value of $x$ $x$ with $g^{x} \equiv h (m o d p)$ $g^{x} \equiv h (m o d p)$ . Peggy and Victor do the following:
  1. Peggy chooses three random integers $r_{1}, r_{2}, r_{3}$ $r_{1}, r_{2}, r_{3}$ with $r_{1} + r_{2} + r_{3} \equiv x (m o d p - 1)$ $r_{1} + r_{2} + r_{3} \equiv x (m o d p - 1)$ .
  2. Peggy computes $h_{i} \equiv g^{r_{i}}$ $h_{i} \equiv g^{r_{i}}$ , for $i = 1, 2, 3$ $i = 1, 2, 3$ and sends $h_{1}, h_{2}, h_{3}$ $h_{1}, h_{2}, h_{3}$ to Victor.
  3. Victor checks that $h_{1} h_{2} h_{3} \equiv h (m o d n)$ $h_{1} h_{2} h_{3} \equiv h (m o d n)$ .
  Design the remaining steps of this protocol so that Victor is at least 99% convinced that Peggy is not lying. (Note: There are two ways for Victor to proceed in Step 4. One has a higher probability of catching Peggy, if she is cheating, than the other.)
2. Give a reasonable method for Peggy to choose the three random numbers such that $r_{1} + r_{2} + r_{3} =\equiv x (m o d p - 1)$ $r_{1} + r_{2} + r_{3} =\equiv x (m o d p - 1)$ . (A method that doesn’t work is “Choose three random numbers and see if their sum is $x$ $x$ . If not, try again.)
Suppose that $n$ $n$ is the product of two large primes, and that $s$ $s$ is given. Peggy wants to prove to Victor, using a zero-knowledge protocol, that she knows a value of $x$ $x$ with $x^{2} \equiv s (m o d n)$ $x^{2} \equiv s (m o d n)$ . Peggy and Victor do the following:
1. Peggy chooses three random integers $r_{1}, r_{2}, r_{3}$ $r_{1}, r_{2}, r_{3}$ with $r_{1} r_{2} r_{3} \equiv x (m o d n)$ $r_{1} r_{2} r_{3} \equiv x (m o d n)$ .
2. Peggy computes $x_{i} \equiv r_{i}^{2}$ $x_{i} \equiv r_{i}^{2}$ , for $i = 1, 2, 3$ $i = 1, 2, 3$ and sends $x_{1}, x_{2}, x_{3}$ $x_{1}, x_{2}, x_{3}$ to Victor.
3. Victor checks that $x_{1} x_{2} x_{3} \equiv s (m o d n)$ $x_{1} x_{2} x_{3} \equiv s (m o d n)$ .
1. Design the remaining steps of this protocol so that Victor is at least 99% convinced that Peggy is not lying. (Note: There are two ways for Victor to proceed in Step 4. One has a higher probability of catching Peggy, if she is cheating, than the other.)
2. Give a reasonable method for Peggy to choose the three random numbers such that $r_{1} r_{2} r_{3} =\equiv x (m o d n)$ $r_{1} r_{2} r_{3} =\equiv x (m o d n)$ . (A method that doesn’t work is “Choose three random numbers and see if their product is $x$ $x$ . If not, try again.”)
Peggy claims that she knows an RSA plaintext. That is, $n, e, c$ $n, e, c$ are public and Peggy claims that she knows $m$ $m$ such that $m^{e} \equiv c (m o d n)$ $m^{e} \equiv c (m o d n)$ . Devise a zero-knowledge protocol similar to that used in Exercises 6 and 7 for Peggy to convince Victor that she knows $m$ $m$ .

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for 19.3 Exercises

Create new playlist

Sign In

Sign Up

Table of Contents for
19.3 Exercises