# Cryptography – Zero-Knowledge Proofs

The goal is to prove a statement without leaking any extra information; for example, for some \(N, x\), prove that \(x\) is a quadratic residue in \(\mathbb{Z}_N^*\). Let \(L \subseteq \Sigma^*\). A zero-knowledge proof system for \(L\) is a pair \((P, V)\) such that:

1. (Complete) For all \(x \in L\), the verifier says "yes" after interacting with the prover.
2. (Sound) For all \(x \notin L\) and for all provers \(P^*\), the verifier says "no" after interacting with \(P^*\) with probability at least \(1/2\).
3. (Perfect zero-knowledge) For all verifiers \(V^*\) there exists a simulator \(S^*\), a randomized polynomial-time algorithm, such that for all \(x \in L\),
\[ \{\mathrm{transcript}((P, V^*)(x))\} = \{S^*(x)\} \]

(equality of distributions). The existence of a simulator implies that if \(x \in L\), then \(V^*\) cannot learn more than the fact that \(x \in L\).

Example: Let \(N = pq\) and \(x \in \mathbb{Z}_N^*\). Suppose we wish to prove that \(x\) is a quadratic residue in \(\mathbb{Z}_N^*\); then let \(x = \alpha^2\) (modulo \(N\)).

• \(P\): \(r \leftarrow \mathbb{Z}_N\), sends \(a = r^2\)
• \(V\): sends \(b \leftarrow \{0,1\}\)
• \(P\): sends \(z = r \alpha^b\)
• \(V\): tests \(z^2 = a x^b\). If so, output "yes"; otherwise output "no"

Completeness of this scheme is immediate. As for soundness: if \(a\) is not a quadratic residue, then the verifier says "no" with probability at least one half (i.e. when \(b = 0\)). If \(a\) is a quadratic residue but \(x\) is not, then the verifier says "no" with probability at least one half (i.e. when \(b = 1\)). Claim: if \(x\) is not a quadratic residue in \(\mathbb{Z}^*_N\), then for all \(P^*\), \(V\) says "no" with probability at least one half. It remains to show that the scheme is perfect zero-knowledge. Let \(V^*\) be some verifier, and suppose \(\mathrm{transcript}((P, V^*)(N, x)) = [a, b, z]\). Then construct a black-box simulator \(S^*\) as follows:

1. Pick a random \(z \leftarrow \mathbb{Z}^*_N\) and a random \(b \leftarrow \{0,1\}\).
2. Set \(a = z^2 / x^b \bmod N\).
3. Run \(V^*(x)\), giving it \(a\) as the first message from the prover.
4. \(V^*\) outputs some \(b'\) in \(\{0,1\}\). If \(b \neq b'\) then go to step 1; otherwise output \([a, b, z]\) as the transcript. This takes two iterations on average.

Claim: \(\{\mathrm{transcript}((P, V^*)(N, x))\} = \{S^*(N, x)\}\) (equality of distributions).
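The three-message protocol above and the rewinding simulator, implemented end to end as an added example (this is not code from the original notes). It assumes a toy modulus built from two small primes, so that the ground truth about quadratic residuosity can be checked with Euler's criterion; at this size nothing is hard, and the function names `honest_prover`, `cheating_prover`, `run_protocol`, `simulator` and `demo` are this example's own. The cheating prover is the standard soundness analysis: it guesses the challenge bit in advance and passes only when the guess is right, so sequential repetition drives its success rate to \(1/2^n\).

```python
"""Toy quadratic-residuosity ZK protocol, sequential repetition and simulator.
Added example; illustration only, since N is tiny and nothing here is hard."""
import random
from math import gcd

# Constructed toy modulus N = p*q (assumption: a real N would be ~2048 bits).
P, Q = 1009, 1013
N = P * Q


def rand_unit(n, rng):
    """Uniform element of Z_n^* (retry until gcd(r, n) == 1)."""
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            return r


def is_qr(x, p, q):
    """Ground truth for the toy only: x is a QR mod pq iff it is a QR mod p and
    mod q (Euler's criterion). The real verifier does not know p, q."""
    return pow(x % p, (p - 1) // 2, p) == 1 and pow(x % q, (q - 1) // 2, q) == 1


def verifier_check(x, a, b, z, n):
    """V's final test: z^2 == a * x^b (mod n)."""
    return pow(z, 2, n) == (a * pow(x, b, n)) % n


def honest_prover(x, alpha, n, rng):
    """P knows alpha with alpha^2 == x. Returns (a, respond) for one round."""
    r = rand_unit(n, rng)
    a = pow(r, 2, n)

    def respond(b):
        return (r * pow(alpha, b, n)) % n  # z = r * alpha^b

    return a, respond


def cheating_prover(x, n, rng):
    """P* knows no root of x. It guesses the challenge g in advance and builds
    a = r^2 / x^g so that z = r passes exactly when V happens to pick b == g."""
    r = rand_unit(n, rng)
    g = rng.randrange(2)
    a = (pow(r, 2, n) * pow(pow(x, g, n), -1, n)) % n

    def respond(b):
        return r  # correct iff b == g

    return a, respond


def run_protocol(x, n, rng, make_round, rounds=1):
    """Sequential repetition: V accepts only if every round passes."""
    for _ in range(rounds):
        a, respond = make_round(rng)
        b = rng.randrange(2)        # V: random challenge bit
        z = respond(b)              # P: response
        if not verifier_check(x, a, b, z, n):
            return False
    return True


def simulator(x, n, verifier_star, rng):
    """Black-box simulator S*: guess b, fabricate (a, z) that pass for that b,
    run V* on a and rewind (retry) if V* answers with a different bit.
    Returns the transcript [a, b, z] and the number of attempts used."""
    attempts = 0
    while True:
        attempts += 1
        z = rand_unit(n, rng)
        b = rng.randrange(2)
        a = (pow(z, 2, n) * pow(pow(x, b, n), -1, n)) % n  # a = z^2 / x^b
        if verifier_star(a) == b:
            return [a, b, z], attempts


def demo(seed=1):
    """Completeness, soundness under repetition, and a simulated transcript."""
    rng = random.Random(seed)
    alpha = rand_unit(N, rng)
    x_qr = pow(alpha, 2, N)                       # a statement in L
    x_nqr = next(v for v in range(2, N) if gcd(v, N) == 1 and not is_qr(v, P, Q))
    honest = lambda r: honest_prover(x_qr, alpha, N, r)
    cheat = lambda r: cheating_prover(x_nqr, N, r)
    complete = all(run_protocol(x_qr, N, rng, honest, rounds=20) for _ in range(50))
    cheat_one = sum(run_protocol(x_nqr, N, rng, cheat, rounds=1) for _ in range(200))
    cheat_ten = sum(run_protocol(x_nqr, N, rng, cheat, rounds=10) for _ in range(200))
    # A V* that derives its challenge from a: the simulator must still match it.
    transcript, attempts = simulator(x_qr, N, lambda a: a % 2, rng)
    return {"x": x_qr, "complete": complete, "cheat_one_round": cheat_one,
            "cheat_ten_rounds": cheat_ten, "transcript": transcript,
            "attempts": attempts}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the honest prover passing every round, the cheating prover passing roughly half of the single-round runs and almost none of the ten-round runs, and a simulated transcript that satisfies \(z^2 = a x^b\) even against a verifier whose challenge depends on \(a\).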

Sketch of proof: \(a\) is uniform among the quadratic residues of \(\mathbb{Z}_N^*\) because \(x\) is a quadratic residue. \(b\) is from the same distribution that \(V^*\) generates given \(a\). \(z\) satisfies \(z^2 = a x^b\) and is from the correct distribution. Soundness can be improved by repeating the protocol sequentially. One might consider repetition in parallel, i.e.:

• \(P\): \(r_1, \ldots, r_n \leftarrow \mathbb{Z}_N\), sends \(a_1 = r_1^2, \ldots, a_n = r_n^2\)
• \(V\): sends \(b_1, \ldots, b_n \leftarrow \{0,1\}\)
• \(P\): sends \(z_1 = r_1 \alpha^{b_1}, \ldots, z_n = r_n \alpha^{b_n}\)
• \(V\): tests \(z_i^2 = a_i x^{b_i}\) for \(i = 1, \ldots, n\). If so, output "yes"; otherwise output "no"

This scheme is complete and sound, but it is not clear how to build a simulator. (We can only guess all the \(b_i\)'s correctly with probability \(1/2^n\).)

Theorem [KG '89]: If \(L\) has a three-round perfect zero-knowledge proof with negligible cheating probability, then \(L \in BPP\). Since quadratic residuosity is believed not to be in BPP, it is therefore also believed that no three-round strongly sound perfect zero-knowledge protocol for quadratic residuosity exists. Hence we introduce a weaker notion of zero knowledge.

Computational ZK: \((P, V)\) is a \((t, \epsilon)\)-zero-knowledge proof system for a language \(L\) if it is

1. Sound
2. Complete
3. Computational ZK: for all verifiers \(V^*\) there exists a simulator \(S^*\) such that for all \(x \in L\), the distribution \(\{\mathrm{transcript}((P, V^*)(x))\}\) is \((t, \epsilon)\)-indistinguishable from \(\{S^*(x)\}\).

Theorem [GMW '87]: If a \((t, \epsilon)\)-bit commitment scheme exists, then all languages in \(NP\) have computational ZK proofs.

Definition (imprecise): A \((t, \epsilon)\)-bit commitment scheme is defined as follows:

1. The committer has a bit \(b \in \{0,1\}\) and sends \(\mathrm{commit}(b) \in \{0,1\}^*\) (a commitment to the bit \(b\)).
2. The committer can open the commitment as \(b'\), and the verifier can check that \(b = b'\).

This scheme should be:

• Binding: an infinitely powerful committer cannot convince the verifier that the commitment is a commitment to \(b' \neq b\).
• Hiding: \(\mathrm{commit}(b)\) reveals no information about \(b\), i.e. for any bit \(b \in \{0,1\}\), \(\{\mathrm{commit}(b), b\}\) is \((t, \epsilon)\)-indistinguishable from \(\{\mathrm{commit}(b), r \mid r \leftarrow \{0,1\}\}\).

Example: one-way permutations imply commitment schemes. Let \(f : \{0,1\}^n \rightarrow \{0,1\}^n\) be a one-way permutation. Choose \(r \leftarrow \{0,1\}^n\) and set \(\mathrm{commit}(b) = [f(r), B(r) \oplus b]\), where \(B\) is a hard-core bit of \(f\).
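The commitment \(\mathrm{commit}(b) = [f(r), B(r) \oplus b]\) from the example above, written out as an added example (not code from the original notes). It assumes a concrete instantiation that the notes leave abstract: \(f\) is modular exponentiation \(r \mapsto g^r \bmod p\), which is a permutation from \(\{0, \ldots, p-2\}\) onto \(\mathbb{Z}_p^*\) when \(g\) generates the group, and \(B\) is the Blum-Micali predicate (which half of the exponent range \(r\) falls in). The prime is a constructed toy value, so the instance is not actually one-way or hiding at this size; what it does show is the structure, and why binding follows from \(f\) being a permutation: each \(f(r)\) has exactly one preimage, so a commitment can be opened to exactly one bit. Names such as `commit`, `open_commitment`, `binding_check` and `demo` are this example's own.

```python
"""Toy bit commitment from a one-way permutation and its hard-core bit.
Added example; the group is tiny, so this is structurally correct only."""
import random

P_MOD = 1019   # constructed small prime; p - 1 = 2 * 509
G = 2          # generator of Z_1019^* (2 is a non-residue since p = 3 mod 8)


def f(r):
    """The 'one-way permutation' f: {0, ..., p-2} -> Z_p^*, r -> g^r mod p."""
    return pow(G, r, P_MOD)


def hard_core_bit(r):
    """Blum-Micali predicate: whether the exponent r lies in the upper half of
    its range (the most significant bit of the discrete log)."""
    return 1 if r >= (P_MOD - 1) // 2 else 0


def commit(b, rng):
    """Return (commitment, opening). The commitment is sent; r is kept secret."""
    r = rng.randrange(P_MOD - 1)
    return (f(r), hard_core_bit(r) ^ b), r


def open_commitment(c, r, b_claimed):
    """Verifier's check when the committer reveals r and claims bit b_claimed."""
    y, masked = c
    return f(r) == y and (hard_core_bit(r) ^ masked) == b_claimed


def is_permutation():
    """Sanity check (feasible only at toy size): f hits every element of Z_p^*."""
    return len({f(r) for r in range(P_MOD - 1)}) == P_MOD - 1


def binding_check(c):
    """Exhaustive search (toy size only): the set of bits an unbounded committer
    could open c to. Because f is a permutation, exactly one r matches y."""
    y, masked = c
    return {hard_core_bit(r) ^ masked for r in range(P_MOD - 1) if f(r) == y}


def demo(seed=7, bit=0):
    """Commit to `bit`, open it honestly, try to open it as the other bit, and
    enumerate every bit the commitment could possibly be opened to."""
    rng = random.Random(seed)
    c, r = commit(bit, rng)
    return {
        "commitment": c,
        "opens_correctly": open_commitment(c, r, bit),
        "opens_to_wrong_bit": open_commitment(c, r, 1 - bit),
        "possible_openings": binding_check(c),
    }


if __name__ == "__main__":
    print(is_permutation(), demo(bit=0), demo(bit=1))
```

`binding_check` is the unbounded-committer view: even with unlimited computation, the only opening consistent with \(f(r)\) is the bit that was committed. Hiding, by contrast, rests on \(B\) being hard-core for \(f\), which cannot be exhibited by a finite test and certainly does not hold for a 10-bit prime.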