Summary
Today we show that the graph isomorphism protocol we defined last time is indeed a zero-knowledge protocol. Then we discuss the quadratic residuosity problem modulo a composite, and define a protocol for proving quadratic residuosity. (We shall prove that the protocol is zero knowledge next time.)
1. The Graph Isomorphism Protocol
Last time we considered the following protocol for the graph isomorphism protocol.
- Verifier’s input: two graphs
,
;
- Prover’s input:
and permutation
such that
; the prover wants to convince the verifier that the graphs are isomorphic
- The prover picks a random permutation
and sends the graph
- The verifier picks at random
and sends
to the prover
- The prover sends back
if
, and
otherwise
- The verifier cheks that the permutation
received at the previous round is such that
, and accepts if so.
In order to prove that this protocol is zero knowledge, we to show the existence of an efficient simulator.
Theorem 1 For every verifier algorithm
of complexity
there is a simulator algorithm
of expected complexity
such that, for every two isomorphic graphs
, and for every isomorphism
between them, the distributions of transcripts
and
are identical.
2. The Quadratic Residuosity Problem
We review some basic facts about quadratic residuosity modulo a composite.
If is the product of two distinct odd primes, and
is the set of all numbers in
having no common factor with
, then we have the following easy consequences of the Chinese remainder theorem:
-
has
elements, and is a group with respect to multiplications;
- If
is a quadratic residue, and is an element of
, then it has exactly 4 square roots in
- Precisely
elements of
are quadratic residues
- Knowing the factorization of
, there is an efficient algorithm to check if a given
is a quadratic residue and, if so, to find a square root.
It is, however, believed to be hard to find square roots and to check residuosity modulo if the factorization of
is not known.
Indeed, we can show that from any algorithm that is able to find square roots efficiently mod we can derive an algorithm that factors
efficiently
3. The Quadratic Residuosity Protocol
We consider the following protocol for proving quadratic residuosity.
- Verifier’s input: an integer
(product of two unknown odd primes) and a integer
;
- Prover’s input:
and a square root
such that
.
- The prover picks a random
and sends
to the verifier
- The verifier picks at random
and sends
to the prover
- The prover sends back
if
or
if
- The verifier cheks that
if
or that
if
, and accepts if so.
We show that:
- If
is a quadratic residue, the prover is given a square root
, and the parties follow the protocol, then the verifier accepts with probability 1;
- If
is not a quadratic residue, then for every cheating prover strategy
, the verifier rejects with probability
.
Next time we shall prove that the protocol is zero knowledge.