** Summary **

Today we show that the graph isomorphism protocol we defined last time is indeed a zero-knowledge protocol. Then we discuss the *quadratic residuosity problem* modulo a composite, and define a protocol for proving quadratic residuosity. (We shall prove that the protocol is zero knowledge next time.)

**1. The Graph Isomorphism Protocol **

Last time we considered the following protocol for the graph isomorphism protocol.

- Verifier’s input: two graphs , ;
- Prover’s input: and permutation such that ; the prover wants to convince the verifier that the graphs are isomorphic
- The prover picks a random permutation and sends the graph
- The verifier picks at random and sends to the prover
- The prover sends back if , and otherwise
- The verifier cheks that the permutation received at the previous round is such that , and accepts if so.

In order to prove that this protocol is zero knowledge, we to show the existence of an efficient simulator.

Theorem 1For every verifier algorithm of complexity there is a simulator algorithm of expected complexity such that, for every two isomorphic graphs , and for every isomorphism between them, the distributions of transcriptsand

are identical.

**2. The Quadratic Residuosity Problem **

We review some basic facts about quadratic residuosity modulo a composite.

If is the product of two distinct odd primes, and is the set of all numbers in having no common factor with , then we have the following easy consequences of the Chinese remainder theorem:

- has elements, and is a group with respect to multiplications;
- If is a quadratic residue, and is an element of , then it has exactly 4 square roots in
- Precisely elements of are quadratic residues
- Knowing the factorization of , there is an efficient algorithm to check if a given is a quadratic residue and, if so, to find a square root.

It is, however, believed to be hard to find square roots and to check residuosity modulo if the factorization of is not known.

Indeed, we can show that from any algorithm that is able to find square roots efficiently mod we can derive an algorithm that factors efficiently

**3. The Quadratic Residuosity Protocol **

We consider the following protocol for proving quadratic residuosity.

- Verifier’s input: an integer (product of two unknown odd primes) and a integer ;
- Prover’s input: and a square root such that .
- The prover picks a random and sends to the verifier
- The verifier picks at random and sends to the prover
- The prover sends back if or if
- The verifier cheks that if or that if , and accepts if so.

We show that:

- If is a quadratic residue, the prover is given a square root , and the parties follow the protocol, then the verifier accepts with probability 1;
- If is not a quadratic residue, then for every cheating prover strategy , the verifier rejects with probability .

Next time we shall prove that the protocol is zero knowledge.