TransWikia.com

ZKP for product of two primes

Cryptography Asked by yacovm on October 24, 2021

I’m struggling to understand the intuition of the zero knowledge-ness of this proof from the following paper.

The proof is a 2 round where the verifier asks the prover to extract square roots of quadratic residues.

I’ve read the HVZK proof (shown in the picture below) and I agree that you can produce a transcript that distributes like a normal proof, however I still can’t get over the simple fact that:

  • Without the witness (factorization) you can’t extract a square root modulo $N$.
  • When the proof is turned into a NIZK via the Fiat-Shamir transformation, the prover records square roots in their raw form inside the proof, so the verifier learns square roots of numbers in the group which it could not compute on its own before.

Isn’t that a "knowledge" leak? Why can this proof be turned into a NIZK?

Many thanks in advance.

enter image description here

2 Answers

so the verifier learns square roots of numbers in the group which it could not compute on its own before.

With Fiat-Shamir transform, these roots will be of random numbers. And the learner could easily compute those by sampling random $x$ and computing $x^2$ (modulo $N$). This distribution is not distinguishable from $(sqrt{x},x)$ pairs that would be given in the protocol.

Answered by Fractalice on October 24, 2021

I'm guessing:

"HVZK" stands for "honest-verifier zero knowledge", right? Your objection is that a dishonest verifier can choose a random $x_i$, compute $rho_iequiv x_i^2mod N$, and then when they get $sigma_i$ from the prover, there is a $1/4$ chance that $gcd(sigma_i-x_i,N)$ is a non-trivial factor. But an honest verifier should generate random $rho_i$.

This should be secure, based on the following: Suppose $A$ is an algorithm that can factor $N$ given random $rho_i$ and $sigma_i$ such that $sigma_i^2equiv rho_imod N$. Then we can factor any $N$ with $A$ by picking a random $sigma_i$, computing $rho_iequivsigma_i^2mod N$, and sending $rho_i$ and $sigma_i$ to $A$.

It seems intuitively true that the Fiat-Shamir tansform should be able to turn HVZKs into NIZKs (probably with some extra conditions). An HVZK could fail because a dishonest verifier can send a "dangerous" challenge which reveals information, but a Fiat-Shamir forces the challenges to be random. As long as such dangerous challenges are sufficiently rare, then the Fiat-Shamir transform should produce a NIZK.

Answered by Sam Jaques on October 24, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP