Modern Cryptography: Theory and Practice
By Wenbo Mao, Hewlett-Packard Company
Publisher: Prentice Hall PTR
Pub Date: July 25, 2003
ISBN: 0-13-066943-1
Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.

[...] result: [...]

Theorem 18.1 [...] where [...] is the class of all languages whose membership questions can be answered by IP protocols.

Moreover, from our study in §4.4.1 we know that the completeness (respectively, soundness) probability bound can be enlarged (resp., reduced) to arbitrarily close to 1 (resp., 0) by sequentially and independently repeating (P, V) polynomially many times (in the size of the common input) and by V taking a "majority election" to reach an acceptance/rejection decision.

Now let us review all the notions introduced so far by looking at a concrete example of an IP protocol: Prot 18.1.
Protocol 18.1: An Interactive Proof Protocol for Subgroup Membership
(* see Remark 18.1 regarding the name of this protocol *)

COMMON INPUT:
i. f: a one-way function over [...] satisfying the homomorphic condition [...];
ii. X = f(z) for some z [...];

PRIVATE INPUT of Alice: z < n;

OUTPUT TO Bob: Membership X ∈ <f(1)>, i.e., X is generated by f(1).

Repeat the following steps m times:
1. Alice picks k ∈U [...], computes Commit ← f(k) and sends Commit to Bob;
2. Bob picks Challenge ∈U {0, 1} and sends it to Alice;
3. She sends Response to Bob;
4. Bob checks [...]; he rejects and aborts the protocol if the checking shows error.
Bob accepts.

Example 18.1. In Prot 18.1, Alice is a prover and Bob is a verifier.
The common input to (Alice, Bob) is X = f(z) where f is a one-way and homomorphic function over [...] stated in Prot 18.1. The membership claim made by Alice is that [...]. This is in fact the subgroup membership X ∈ <f(1)> since X = f(1)^z (see Remark 18.1 for a general condition for this problem to be hard for Bob). Alice's private input is z, the pre-image of X under the one-way and homomorphic function f. In the protocol the two parties interact m times and produce the following proof transcript:

[...]

The protocol outputs Accept if every check conducted by Bob passes, and Reject otherwise.

Completeness. This protocol is complete. That is, if Alice does have the pre-image z in her possession and follows the protocol instructions, then Bob will always accept. Indeed, the completeness probability expression (18.2.2) is met with probability 1, since Alice's response always satisfies Bob's verification step for either case of his random choice of Challenge ∈U {0, 1}.

Soundness. This protocol is sound. We need to find the soundness probability d. Bob's checking step (Step 4) depends on his random choice of Challenge, which takes place after Alice has sent Commit. Consistent passing of Bob's verification shows him the following two cases:

Case Challenge = 0: Bob sees that Alice knows pre-image(Commit);
Case Challenge = 1: Bob sees [...]

Since Alice cannot anticipate Bob's random choice of the challenge bit after she has sent out the commitment, in the case Challenge = 1 she should also know pre-image(Commit) and hence should know pre-image(X) too. If Alice does not know pre-image(X), then she has to cheat by guessing the random challenge bit before sending out the commitment. In her cheating "proof," the commitment can be computed as follows: choosing Response ∈U [...] at random; guessing Challenge; [...]. Clearly, in this cheating "proof," Bob has 1/2 odds of rejecting each iteration of the interaction. Therefore, we have d = 1/2 as the soundness error probability (i.e., the probability of Alice surviving with a successful cheat). If m iterations result in no rejection, then the probability of Alice's successful cheating is bounded by 2^-m. Bob will be sufficiently confident that Alice cannot survive with a successful cheat if m is sufficiently large, i.e., 2^-m is sufficiently small. For example, m = 100 provides a sufficiently high confidence for Bob to prevent Alice's cheating. Therefore, Alice's proof is valid upon Bob's acceptance.
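To make the completeness and soundness argument above concrete, here is an added Python example; it is not code from the book. It instantiates Prot 18.1 with f(x) = g^x mod p over a constructed small prime-order group (the special case that §18.3.1.1 later uses; real parameters are far larger than these toy values), runs an honest Alice who holds z, and runs the cheating "proof" exactly as described: choose Response and guess the challenge bit first, then forge a Commit that fits the guess. It goes slightly beyond the text by estimating the cheater's survival rate for several values of m next to the 2^-m bound. The names honest_run, cheating_run, cheating_success_rate and soundness_bound and the parameters P, N, G are my own assumptions.

```python
import random

# Constructed toy parameters (an assumption of this example, not the book's values):
# f(x) = G^x mod P with G of prime order N, so f(1) = G and f(x) = f(1)^x as in
# Remark 18.1. Real parameters are far larger (the chapter quotes |p| = 1024,
# |q| = 160); these are small only so the run finishes instantly.
P = 1019                       # prime, P - 1 = 2 * 509
N = 509                        # prime order of <G>; exponents live in Z_N
G = pow(2, (P - 1) // N, P)    # element of order N in Z_P^*, i.e. f(1)


def f(x):
    """The one-way, homomorphic function of Prot 18.1: f(x) = f(1)^x (mod P)."""
    return pow(G, x % N, P)


def bob_check(X, commit, challenge, response):
    """Bob's verification: f(Response) == Commit * X^Challenge (mod P).
    With Response = k + z*Challenge this holds because f is homomorphic."""
    return f(response) == commit * pow(X, challenge, P) % P


def honest_run(z, X, m, rng):
    """m iterations with an Alice who holds z = pre-image(X); returns Bob's decision."""
    for _ in range(m):
        k = rng.randrange(N)                  # Alice: k uniform in Z_N
        commit = f(k)                         # Commit = f(k), sent first
        challenge = rng.randrange(2)          # Bob: challenge bit, chosen after Commit
        response = (k + z * challenge) % N    # Alice: Response = k + z*Challenge (mod N)
        if not bob_check(X, commit, challenge, response):
            return False
    return True


def cheating_run(X, m, rng):
    """m iterations with an Alice who does NOT know pre-image(X). She follows the
    cheating "proof" of the soundness argument: pick Response and guess the
    challenge bit first, then forge a Commit that fits that guess."""
    for _ in range(m):
        response = rng.randrange(N)           # chosen at random
        guess = rng.randrange(2)              # guessed Challenge
        commit = f(response) * pow(X, -guess, P) % P   # check passes iff guess is right
        challenge = rng.randrange(2)          # Bob's actual, independent choice
        if not bob_check(X, commit, challenge, response):
            return False                      # wrong guess: Bob rejects this iteration
    return True


def honest_accept_rate(m, trials, seed=0):
    """Fraction of honest runs Bob accepts (completeness: always 1.0)."""
    rng = random.Random(seed)
    z = rng.randrange(1, N)
    X = f(z)
    return sum(honest_run(z, X, m, rng) for _ in range(trials)) / trials


def cheating_success_rate(m, trials, seed=0):
    """Monte Carlo estimate of a cheating Alice surviving all m iterations."""
    rng = random.Random(seed)
    z = rng.randrange(1, N)                   # a pre-image exists, but the cheater never uses it
    X = f(z)
    return sum(cheating_run(X, m, rng) for _ in range(trials)) / trials


def soundness_bound(m):
    """The text's bound: d = 1/2 per iteration, so 2^-m over m independent iterations."""
    return 2.0 ** -m


if __name__ == "__main__":
    print("honest Alice accepted (m = 100):", honest_accept_rate(100, 20))
    for m in (1, 2, 5, 10):
        print(f"m = {m:2d}: cheater survives {cheating_success_rate(m, 4000):.4f},"
              f" bound {soundness_bound(m):.4f}")
```

The cheater's forged Commit passes Bob's check only when Bob's bit equals her guess, so the measured survival rate tracks 2^-m; the one thing the code enforces that the prose only states is ordering: Commit is fixed before the challenge is drawn, which is what makes the guess a guess.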
Later (in §18.3.1 and Example 18.2) we shall further investigate a property of perfect zero-knowledge-ness: if the function f is indeed one-way, then Bob, as a polynomially bounded verifier, cannot find any information about Alice's private input.

Remark 18.1: By homomorphism, f(x) = f(1)^x for all x. Therefore Prot 18.1 is also (in fact, more often) called a protocol for Alice to prove her possession of the discrete logarithm of X to the base f(1). We have chosen to name the protocol "subgroup membership proof" because the membership problem is a more general one tackled by IP protocols. When using this (more general and appropriate) name, we should emphasize the general case of ord[f(1)] being a proper and secret divisor of n, i.e., the general case where f(1) does not generate a group of n elements. In this general case, Bob cannot directly verify the subgroup membership without Alice's help.

Remark 18.1 actually states that deciding subgroup membership is in general a hard problem. We should provide some further elaboration on the difficulty. Notice that although the set [...] is a cyclic group (since it is generated by f(1), see §5.2.3), Bob cannot easily decide [...]. He will need to factor n down to individual primes in order to answer this question (i.e., to see if f(1) is a primitive root or an n-th root of 1, see Definition 5.11 in §5.4.4). Only for the case #L_n = n can Bob answer YES to the subgroup membership problem in Prot 18.1 without actually running the protocol with Alice (since then f(1) must generate all n elements in L_n). The difficulty of the subgroup membership decision then rests on that of factoring an n of large magnitude. Therefore, for Prot 18.1 to tackle the subgroup membership problem, the integer n must be a sufficiently large composite. For this reason, we stipulate log n as the security parameter for Prot 18.1. In §18.3.1.1 we will see a special case of common input parameter setting which will degeneralize Prot 18.1 into the special case for proving possession of a discrete logarithm.

18.2.3 A Complexity Theoretic Result

The material to be given here (in the scope of §18.2.3) may be skipped without causing any trouble for understanding the other notions of ZK protocols to be introduced in the rest of this chapter.

We now derive a fact in the theory of computational complexity. The fact is stated in (4.5.1). In Chapter 4 we were not able to provide evidence for this fact. Now we are.
In applied cryptography, we shall only be interested in IP protocols which answer membership questions for a subclass of languages of [...]. For any L in the subclass, the membership question has the following two characterizations:

i. It is not known whether there exists a polynomial-time (in |x|) algorithm, deterministic or probabilistic, to answer the question. Otherwise, there is no role for P to play in (P, V) since V alone can answer the question.

ii. The question can be answered by a polynomial-time (in |x|) algorithm if the algorithm has a witness for the question in its possession.

Recall our classification of the complexity class [...] (§4.5): we can see that (i) and (ii) characterize the class [...]. Precisely, they characterize NP problems which have sparse witnesses. Since [...] (Definition 18.1), we have [...]. Therefore for any language [...], there exists an IP protocol (P, V) for L, that is, for any x ∈ L, (P, V)(x) = Accept terminates in time polynomial in |x|.

In fact, this property has been demonstrated in a constructive manner by several authors. They construct ZK (IP) protocols for some NPC languages (4.5.1), e.g., Graph 3-Colourability by Goldreich, Micali and Wigderson [124], and Boolean Expression Satisfiability by Chaum [71]. Once a ZK protocol (P, V) for an NPC language L has been constructed, it is clear that membership y ∈ L' for L' being an arbitrary NP language can be proved in ZK in the following two steps:

1. P reduces y ∈ L' to x ∈ L where L is an NPC language (e.g., x is an instance of Graph 3-Colourability or one of Boolean Expression Satisfiability). Since P knows y ∈ L', this reduction transformation can be performed by P in time polynomial in the size of y. P encrypts the transformation and sends the ciphertext to V.

2. P conducts a ZK proof for V to verify the correct encryption of the polynomial reduction transformation. We shall provide a convincing explanation in §18.4.2 that a ZK proof of correct encryption of a string can be easily done if the encryption is in the Goldwasser-Micali probabilistic encryption scheme (Alg 14.1).

Clearly, these two steps combined with the concrete ZK protocol construction for proving membership x ∈ L do constitute a valid ZK proof for y ∈ L'.
Notice that the method does not put any restriction on the NP language L' other than its membership in [...]. Also clearly, such a general proof method for membership in an arbitrary NP language cannot be efficient enough for practical use. In §18.6 we shall stipulate that a practically efficient ZK (and IP) protocol should have the number of interactions bounded by a linear function in a security parameter. A general proof method can hardly have its number of interactions bounded by a linear polynomial, since at the moment we do not know any linear reduction method to transform an NP problem to an NPC one. Any known reduction is a polynomial of a very high degree. That is why we say that ZK proof for membership in an arbitrary NP language is only a theoretic result, albeit an important one. It provides constructive evidence for [...]. Equation [...] is an open question in the theory of computational complexity.

18.3 Zero-knowledge Properties

Let us now consider the case of Question I (in §18.1) being answered ideally: (P, V) is a ZK protocol, that is, zero amount or no information whatsoever about P's private input is disclosed to a dishonest verifier (or to V) after an execution of the protocol, except the validity of P's claim. In order for (P, V) to achieve this quality, we must restrict the computational power of V (and of a dishonest verifier) so that it is bounded by a polynomial in the size of the common input. Clearly, without this restriction we needn't talk about zero knowledge since a V of unbounded computational resource can help itself to find P's private input hidden behind the common input. In the several sections to follow we shall identify several qualities of ZK-ness: perfect ZK (§18.3.1), honest-verifier ZK (§18.3.2), computational ZK (§18.3.3), and statistical ZK (§18.3.4).

18.3.1 Perfect Zero-knowledge

Let (P, V) be an IP protocol for a language L. For any x ∈ L, a proof run (P, V)(x) not only outputs Accept, but also produces a proof transcript which interleaves the prover's transcript and the verifier's transcript. The elements in the proof transcript are random variables of all input values including the random input to (P, V). Clearly, should (P, V)(x) disclose any information about P's private input, then it can only be the case that it is the proof transcript that has been responsible for the information leakage.
However, if the random variables in the proof transcript are uniformly random in their respective probability spaces and are independent of the common input, then it is quite senseless to allege that they can be responsible for any information leakage. We can consider that in such a situation (i.e., when the proof transcript is uniformly random and independent of the common input), the prover speaks to the verifier in a language which contains no redundancy, or contains the highest possible entropy (see Properties of Entropy in §3.7.1). Therefore, no matter how clever (or how powerful) the verifier may be, it cannot learn anything conveyed by this language, even if it spends a very, very long time trying to learn the language! Now let us show that Prot 18.1 is perfect ZK.

Example 18.2. Review Prot 18.1. A proof transcript produced from a proof run of (Alice, Bob)(X) is

[...]

where (for i = 1, 2, ..., m):

Commit_i = f(k_i) with k_i ∈U [...]; clearly, since Alice chooses uniform k_i, Commit_i must also be uniform in the range space of the function f and is independent of the common input X;

Challenge_i ∈ {0, 1}; Bob should pick the challenge bit uniformly, but we needn't demand him to do so, see Response below;

Response_i = k_i + z · Challenge_i (mod n); clearly, due to the uniformity of k_i, Response_i must be uniform in [...] for either case of Challenge_i ∈ {0, 1} (even if Challenge_i is non-uniform) and is independent of the common input X.

Therefore the data sent from Alice in a run of Prot 18.1 are uniform. They can tell Bob no information whatsoever about Alice's private input. This protocol is a perfect ZK protocol.

From this example we also see that the elements in Alice's transcript are uniform regardless of how Bob chooses his random challenge bits. In other words, Bob can have no strategy to influence the distribution of Alice's transcript. Therefore, Prot 18.1 is perfect ZK even if Bob is dishonest.

For a perfect ZK protocol, we do not have to run the protocol in order to obtain a proof transcript. Such a transcript (which is merely a string) can be produced via random coin flipping in time polynomial in the length of the transcript. Definition 18.2 captures this important notion of perfect ZK-ness.
Definition 18.2: An IP protocol (P, V) for L is said to be perfect zero-knowledge if for any x ∈ L, a proof transcript of (P, V)(x) can be produced by a polynomial-time (in the size of the input) algorithm [...](x) with the same probability distributions.

Conventionally, the efficient algorithm [...] is named a simulator for a ZK protocol, which produces a simulation of a proof transcript. However, in the case of (P, V) being perfect ZK, we do not want to name [...] a simulator. It is exactly an equator.

18.3.1.1 Schnorr's Identification Protocol

In Prot 18.1, Bob uses bit challenges. This results in a large soundness error probability value d = 1/2. Therefore the protocol has to be repeated m times in order to reduce the error probability to 2^-m. Typically, m = 100 is required to achieve a high confidence against Alice's cheating. The necessity for a large number of interactions means poor performance both in communication and in computation.

Under certain conditions for setting the security parameter in the common input, it is possible to reduce the soundness error probability value and hence to reduce the number of interactions. The condition is: the verifier Bob should know the factorization of n. The reason why this condition is needed will be revealed in §18.6.1. A special case for Bob knowing the factorization of n is n being a prime number. Let us now see a concrete protocol using this case of parameter setting. The protocol is Schnorr's Identification Protocol, which was proposed by Schnorr [256] for a real-world (smartcard-based) identification application.

Schnorr's Identification Protocol is a special case of Prot 18.1 where the function f(x) is realized by g^-x (mod p) in the finite field F_p where the subgroup <g> is of a prime order q | p – 1. It is easy to see that g^-x (mod p) is homomorphic. Moreover, for sufficiently large primes p and q, e.g., |p| = 1024, |q| = 160, g^-x (mod p) is also one-way due to the DL assumption (Assumption 8.2 in §8.4). In this parameter setting, Schnorr's Identification Protocol, which we specify in Prot 18.2, permits Bob to use slightly enlarged challenges of up to log2 log2 p bits.

Remark 18.2: With the prime q | p – 1 given publicly, Schnorr's Identification Protocol is no longer one for answering a subgroup membership question. Now Bob alone can answer the question y ∈ <g> without Alice's help by checking: y^q ≡ g^q ≡ 1 (mod p).
Therefore, Schnorr's Identification Protocol is for proving a more specific problem: Alice has in her possession the discrete logarithm of y to the base g, as her cryptographic credential.

Now let us investigate the security properties of Schnorr's Identification Protocol.

Protocol 18.2: Schnorr's Identification Protocol

COMMON INPUT:
p, q: two primes satisfying q | p – 1; (* typical size setting: |p| = 1024, |q| = 160 *)
g: ord_p(g) = q;
y: y = g^-a (mod p);
(* the tuple (p, q, g, y) is Alice's public-key material, certified by a CA *)

PRIVATE INPUT of Alice: a < q;

OUTPUT TO Bob: Alice knows some a such that y ≡ g^-a (mod p).

Repeat the following steps log2 log2 p times:
1. Alice picks k ∈U [...] and computes Commit ← g^k (mod p); she sends Commit to Bob;
2. Bob picks Challenge ∈U {0, 1}^(log2 log2 p); he sends Challenge to Alice;
3. Alice computes Response ← k + a · Challenge (mod q); she sends Response to Bob;
4. Bob checks Commit ≡ g^Response · y^Challenge (mod p); he rejects and aborts if the checking shows error.
Bob accepts.

(* Bob's computation of g^Response · y^Challenge (mod p) should apply Alg 15.2, so the cost is similar to computing a single modular exponentiation *)

18.3.1.2 Security Properties of Schnorr's Identification Protocol

Completeness. Trivially preserved. In fact, completeness probability 1 can be obtained. This is left for the reader as an exercise (Exercise 18.7).

Soundness. Suppose Alice is a cheater, i.e., she does not have the correct discrete logarithm value. For the Commit she sent in an iteration, Bob, after picking Challenge ∈U {0, 1}^(log2 log2 p), is waiting for

Response = log_g[Commit · y^Challenge (mod p)] (mod q).

This equation shows that, for fixed Commit and y, there will be log2 p distinct values for Response which correspond to the log2 p distinct values for Challenge, respectively. Given the small magnitude of log2 p, the best strategy for computing the correct response from Commit · y^Challenge (mod p) is to guess Challenge before fixing Commit, as follows:
1. picking Response ∈U [...];
2. guessing Challenge ∈U {0, 1}^(log2 log2 p);
3. computing Commit ← g^Response · y^Challenge (mod p).
Clearly, the probability of a correct guess is 1/log2 p per iteration, that is, we have found d = 1/log2 p as the soundness error probability for a single round of message interactions.
The reduced soundness error probability for a single round of message exchange in Schnorr's Identification Protocol means improved performance over that of Prot 18.1. This is because, where Prot 18.1 runs m iterations to achieve a negligibly small soundness error probability d = 2^-m, Schnorr's Identification Protocol only needs

[...]

rounds of iterations while maintaining the soundness error probability unchanged from that of Prot 18.1 using m rounds of interactions. For p ≈ 2^1024 and m = 100, we have [...] = 100/10 = 10. That is, the enlarged challenge reduces the number of interactions from that of Prot 18.1 by 10-fold while keeping the same low soundness error probability.

Perfect ZK-ness. For common input y, we can construct a polynomial-time (in |p|) equator [...](y) as follows:
1. [...] initializes Transcript as an empty string;
2. For i = 1, 2, ..., log2 log2 p:
   a. picks Response_i ∈U <g>;
   b. picks Challenge_i ∈U {0, 1}^(log2 log2 p);
   c. computes Commit_i ← g^(Response_i) · y^(Challenge_i) (mod p);
   d. Transcript ← Transcript || Commit_i, Challenge_i, Response_i.
Clearly, Transcript can be produced in polynomial time, and the elements in it have distributions which are the same as those in a real proof transcript.

From our analysis of Schnorr's Identification Protocol we see that enlarging the challenge size reduces the number of interactions while maintaining the soundness error probability unchanged. Then why have we confined the size enlargement to the rather strange and small value log2 log2 p? Enlarging the challenge size not only improves performance (a positive result); in §18.3.2 we will further see that this also has a negative consequence. Be careful, size matters!

18.3.2 Honest-Verifier Zero-knowledge

At first glance at Schnorr's Identification Protocol, it is not very clear why we have restricted the size of the challenge bits to the case |Challenge| = log2 log2 p. It seems that if we use |Challenge| = log2 p, then the protocol will become even more efficient: it only needs one interaction to achieve the same low soundness probability (d ≈ 1/p) against Alice cheating. Moreover, it seems that the equator can be constructed in the same way for Schnorr's Identification Protocol; again, [...] now only needs one single "loop" to produce Transcript which [...]
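The following Python example is added here; it is neither the book's code nor Schnorr's. It implements Prot 18.2 with constructed toy parameters (P = 1019, Q = 509, an order-Q element G; the chapter's real sizes are |p| = 1024, |q| = 160) and the equator of §18.3.1.2 as listed above. It demonstrates three things the text states: Bob's check accepts honest transcripts; the equator produces transcripts that pass the same check without ever seeing a; and, for each fixed challenge value, the set of transcripts honest Alice can produce (one per k) is exactly the set the equator can produce (one per Response), both uniform over Q triples, which is what "the same probability distributions" of Definition 18.2 means here. rounds_needed reproduces the 100/10 = 10 calculation for p ≈ 2^1024. The function names, challenge_bits (which rounds log2 log2 p down to whole bits, giving 3 for the toy p) and the parameters are my own assumptions.

```python
import math
import random

# Constructed toy parameters (an assumption of this example, not the book's values;
# the chapter's typical setting is |p| = 1024, |q| = 160). Small values let the
# exact support comparison below enumerate all Q transcripts for each challenge.
P = 1019                       # prime
Q = 509                        # prime with Q | P - 1
G = pow(2, (P - 1) // Q, P)    # element of order Q in Z_P^*, so ord_P(G) = Q


def challenge_bits(p):
    """|Challenge| = log2 log2 p, rounded down to a whole number of bits."""
    return int(math.log2(math.log2(p)))


def keygen(rng):
    """Alice's private a < Q and her public y = g^(-a) (mod P)."""
    a = rng.randrange(1, Q)
    return a, pow(G, -a, P)


def bob_verifies(y, commit, challenge, response):
    """Step 4 of Prot 18.2: Commit == g^Response * y^Challenge (mod P)."""
    return commit == pow(G, response, P) * pow(y, challenge, P) % P


def real_round(a, y, t, rng):
    """One iteration of Prot 18.2 between honest Alice (holding a) and Bob (t-bit challenge)."""
    k = rng.randrange(Q)                 # Alice: k uniform mod Q
    commit = pow(G, k, P)                # Commit = g^k, sent before the challenge
    challenge = rng.getrandbits(t)       # Bob: uniform t-bit challenge
    response = (k + a * challenge) % Q   # Alice: Response = k + a * Challenge (mod Q)
    return commit, challenge, response


def equator(y, t, rounds, rng):
    """The equator of 18.3.1.2: builds a transcript from y alone, without a.
    Response and Challenge are drawn first; Commit is then solved for."""
    transcript = []
    for _ in range(rounds):
        response = rng.randrange(Q)
        challenge = rng.getrandbits(t)
        commit = pow(G, response, P) * pow(y, challenge, P) % P
        transcript.append((commit, challenge, response))
    return transcript


def real_support(a, y, challenge):
    """Every triple honest Alice can emit for a fixed challenge: one per k, all equally likely."""
    return frozenset((pow(G, k, P), challenge, (k + a * challenge) % Q) for k in range(Q))


def simulated_support(y, challenge):
    """Every triple the equator can emit for that challenge: one per Response, all equally likely."""
    return frozenset((pow(G, r, P) * pow(y, challenge, P) % P, challenge, r) for r in range(Q))


def perfect_zk_check(seed=0):
    """True when honest and simulated transcripts both pass Bob's check and, for every
    challenge value, the real and simulated distributions coincide (same uniform support)."""
    rng = random.Random(seed)
    a, y = keygen(rng)
    t = challenge_bits(P)
    honest_ok = all(bob_verifies(y, *real_round(a, y, t, rng)) for _ in range(50))
    simulated_ok = all(bob_verifies(y, *triple) for triple in equator(y, t, 50, rng))
    same_distribution = all(
        real_support(a, y, c) == simulated_support(y, c) and len(real_support(a, y, c)) == Q
        for c in range(2 ** t))
    return honest_ok and simulated_ok and same_distribution


def rounds_needed(p, m):
    """Rounds of Prot 18.2 giving the 2^-m soundness error of m rounds of Prot 18.1."""
    return math.ceil(m / challenge_bits(p))


if __name__ == "__main__":
    print("challenge bits for the toy p:", challenge_bits(P))
    print("perfect ZK check:", perfect_zk_check(seed=1))
    print("rounds for p ~ 2^1024, m = 100:", rounds_needed(2 ** 1024, 100))
```

The support comparison is the exact form of the argument in the text: for a fixed challenge, the real Response k + a·Challenge is a bijection of the uniform k, and Commit is then determined by (Response, Challenge, y), so the two procedures draw from the same uniform set, and a transcript alone gives Bob nothing that he could not have produced himself.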
... input their own randomness in the agreement of N; however, we shall omit the details for doing this. They can similarly agree on a random element a < N so that gcd(a, N) = 1. Since N is large and random, with an overwhelming probability N has a large prime factor p unknown to both P and V, and moreover, p – ...

... $N^2)$ and $y \in_U [0, N^2)$ are computationally indistinguishable for z < N. From Equation 18.3.4 we have ... Following Definition 4.15 (in §4.7), Response ...

... to Fact 2, even unbounded, $QNR_N$, and hence has to guess Bob's random ...

Completeness and Perfect Zero-knowledge-ness

The completeness property is immediate from Fact 1.

Protocol 18.3: A Perfect Zero-knowledge Proof Protocol for Quadratic Residuosity

COMMON INPUT: N: a large and odd composite integer which is ...

... according to our "rule of thumb"), then we will have (100) ≈ 0.993 (so BadLuckAlice occurs with probability 1 – (100) ≈ 0.007) and $\delta(100) \approx 0.0052$ (probability for BadLuckAlice). These error probability bounds are far from satisfactory since the two "bad luck" events are too probable (i.e., the probabilities for both ...
... following two cases:

i. the equation was constructed by Alice using her private input, and hence Alice discloses the fact that she has been in interaction with, and fooled by, [...], or

ii. [...] has successfully broken the pseudo-random function prf of the large output ...

... Thus, with probability at least (N – 1)/N, Response in both transcripts are larger than z and are both uniform. They cannot be differentiated by any distinguisher even if it runs forever! Conceptually, statistical ZK and computational ZK have no essential difference. Nevertheless, since the former is a more ...

... being an odd composite number.

18.4.2.1 ZK Proof of Quadratic Residuosity

Let N be a large and odd composite integer which has at least two distinct odd prime factors. In §6.5 we have studied quadratic residues modulo an integer and learned the following number-theoretic facts: ...

... protocol.

Example 18.3 Let (Alice, [...]) be a variation of Prot 18.1 using the one-way and homomorphic function f(x) constructed in §18.3.3.1, i.e., f(x) is defined in (18.3.3). Now that Alice no longer knows $n = \mathrm{ord}_N(a)$, she can no longer sample random numbers in [...] with the uniform distribution. In order for Alice to ...
... does not cheat, then the verifier will always accept a proof. Using the terminology for error probability characterization for randomized algorithms which we have studied in §4.4, we can say that all these protocols have one-sided error in the Monte Carlo subclass (i.e., in the "always fast and probably correct" subclass, see §4.4.3) ...

... p being prime and i being an integer, then all elements in $J_N(1)$ are quadratic residues. Fortunately, a prime power can be factored easily (review the hints in Exercises 8.7 and 8.8). Prot 18.4 allows Alice to conduct a perfect ZK proof of membership in E2_Prime. Let us now investigate the security properties of Prot 18.4. ...

... Equation is an open question in the theory of computational complexity. ...

... the verifier picks a truly random challenge, then the proof transcript can be equated efficiently. ...

... pre-image(Commit); Case Challenge = 1: Bob sees ...