*Scribed by Alexandra Constantin*

** Summary **

Today we show that the graph isomorphism protocol we defined last time is indeed a zero-knowledge protocol. Then we discuss the *quadratic residuosity problem* modulo a composite, and define a protocol for proving quadratic residuosity. (We shall prove that the protocol is zero knowledge next time.)

**1. The Graph Isomorphism Protocol **

Last time we considered the following protocol for the graph isomorphism problem.

- Verifier’s input: two graphs , ;
- Prover’s input: and permutation such that ; the prover wants to convince the verifier that the graphs are isomorphic
- The prover picks a random permutation and sends the graph
- The verifier picks at random and sends to the prover
- The prover sends back if , and otherwise
- The verifier cheks that the permutation received at the previous round is such that , and accepts if so.

In order to prove that this protocol is zero knowledge, we have to show the existence of an efficient simulator.

Theorem 1 (Honest-Verifier Zero Knowledge)There exists an efficient simulator algorithm such that, for every two isomorphic graphs , and for every isomorphism between them, the distributions of transcriptsand

are identical, where is the prover algorithm and is the verifier algorithm in the above protocol.

*Proof:*

Algorithm on input is described as follows:

- Input: graphs ,
- pick uniformly at random ,
- output the transcript:
- 1. prover sends
- 2. verifier sends
- 3. prover sends

At the first step, in the original protocol we have a random permutation of , while in the simulation we have either a random permutation of or a random permutation of ; a random permutation of , however, is distributed as , where is uniformly distributed and is fixed. This is the same as a random permutation of , because composing a fixed permutation with a random permutation produces a random permutation.

The second step, both in the simulation and in the original protocol, is a random bit , selected independently of the graph sent in the first round. This is true in the simulation too, because the distribution of conditioned on is, by the above reasoning, identical to the distribution of conditioned on .

Finally, the third step is, both in the protocol and in the simulation, a distribution uniformly distributed among those establishing an isomorphism between and .

To establish that the protocol satisfies the general zero knowledge protocol, we need to be able to simulate cheating verifiers as well.

Theorem 2 (General Zero Knowledge)For every verifier algorithm of complexity there is a simulator algorithm of expected complexity such that, for every two isomorphic graphs , and for every isomorphism between them, the distributions of transcriptsand

are identical.

*Proof:*

Algorithm on input is described as follows:

Input ,

- 1. pick uniformly at random ,
- let be the second-round message of given input , , first message
- if , abort the simulation and go to 1.
- else output the transcript
- prover sends
- verifier sends
- prover sends

As in the proof of Theorem 1, has the same distribution in the protocol and in the simulation.

The important observation is that depends only on and on the input graphs, and hence is statistically independent of . Hence, and so, on average, we only need two attempts to generate a transcript (taking overall average time at most ). Finally, conditioned on outputting a transcript, is distributed equally in the protocol and in the simulation, is the answer of , and at the last round is uniformly distributed among permutations establishing an isomorphism between and .

**2. The Quadratic Residuosity Problem **

We review some basic facts about quadratic residuosity modulo a composite.

If is the product of two distinct odd primes, and is the set of all numbers in having no common factor with , then we have the following easy consequences of the Chinese remainder theorem:

- has elements, and is a group with respect to multiplication;
*Proof:*Consider the mapping ; it is a bijection because of the Chinese remainder theorem. (We will abuse notation and write .) The elements of are precisely those which are mapped into pairs such that and , so there are precisely elements in .

If , , and , then ; note that if then are all non-zero, and so and are both non-zero and .

If we consider any and we denote , then .

Therefore, is a group with respect to multiplication.

- If is a quadratic residue, and is an element of , then it has exactly 4 square roots in
*Proof:*If is a quadratic residue, and is an element of , then:

.

Define and and consider the following four numbers:

.

.

Therefore, are distinct square roots of , so has 4 square roots.

- Precisely elements of are quadratic residues
*Proof:*According to the previous results, has elements, and each quadratic residue in has exactly 4 square roots. Therefore, elements of are quadratic residues.

- Knowing the factorization of , there is an efficient algorithm to check if a given is a quadratic residue and, if so, to find a square root.

It is, however, believed to be hard to find square roots and to check residuosity modulo if the factorization of is not known.

Indeed, we can show that from any algorithm that is able to find square roots efficiently mod we can derive an algorithm that factors efficiently.

Theorem 3If there exists an algorithm of running time that finds quadratic residues modulo with probability , then there exists an algorithm of running time that factors with probability .

*Proof:* Suppose that, for a quadratic residue , we can find two square roots such that . Then , then . Therefore, . So either or contains as a factor, the other contains as a factor.

The algorithm is described as follows:

Given

- pick
- if has common factors with , return
- if
- mod
- if mod return

WIth probability over the choice of , the algorithm finds a square root of . Now the behavior of the algorithm is independent of how we selected , that is which of the four square roots of we selected as our . Hence, there is probability that, conditioned on the algorithm finding a square root of , the square root satisfies , where is the element we selected to generate .

**3. The Quadratic Residuosity Protocol **

We consider the following protocol for proving quadratic residuosity.

- Verifier’s input: an integer (product of two unknown odd primes) and a integer ;
- Prover’s input: and a square root such that .
- The prover picks a random and sends to the verifier
- The verifier picks at random and sends to the prover
- The prover sends back if or if
- The verifier cheks that if or that if , and accepts if so.

We show that:

- If is a quadratic residue, the prover is given a square root , and the parties follow the protocol, then the verifier accepts with probability 1;
- If is not a quadratic residue, then for every cheating prover strategy , the verifier rejects with probability .

*Proof:*

Suppose is not a quadratic residue. Then it is not possible that both and are quadratic residues. If and , then , meaning that is also a perfect square.

With probability , the verifier rejects no matter what the Prover’s strategy is.

Next time we shall prove that the protocol is zero knowledge.