ZKP for product of two primes
Cryptography Asked by yacovm on October 24, 2021
I’m struggling to understand the intuition of the zero knowledge-ness of this proof from the following paper.
The proof is a 2 round where the verifier asks the prover to extract square roots of quadratic residues.
I’ve read the HVZK proof (shown in the picture below) and I agree that you can produce a transcript that distributes like a normal proof, however I still can’t get over the simple fact that:
- Without the witness (factorization) you can’t extract a square root modulo $N$.
- When the proof is turned into a NIZK via the Fiat-Shamir transformation, the prover records square roots in their raw form inside the proof, so the verifier learns square roots of numbers in the group which it could not compute on its own before.
Isn’t that a "knowledge" leak? Why can this proof be turned into a NIZK?
Many thanks in advance.
2 Answers
so the verifier learns square roots of numbers in the group which it could not compute on its own before.
With Fiat-Shamir transform, these roots will be of random numbers. And the learner could easily compute those by sampling random $x$ and computing $x^2$ (modulo $N$). This distribution is not distinguishable from $(sqrt{x},x)$ pairs that would be given in the protocol.
Answered by Fractalice on October 24, 2021
I'm guessing:
"HVZK" stands for "honest-verifier zero knowledge", right? Your objection is that a dishonest verifier can choose a random $x_i$, compute $rho_iequiv x_i^2mod N$, and then when they get $sigma_i$ from the prover, there is a $1/4$ chance that $gcd(sigma_i-x_i,N)$ is a non-trivial factor. But an honest verifier should generate random $rho_i$.
This should be secure, based on the following: Suppose $A$ is an algorithm that can factor $N$ given random $rho_i$ and $sigma_i$ such that $sigma_i^2equiv rho_imod N$. Then we can factor any $N$ with $A$ by picking a random $sigma_i$, computing $rho_iequivsigma_i^2mod N$, and sending $rho_i$ and $sigma_i$ to $A$.
It seems intuitively true that the Fiat-Shamir tansform should be able to turn HVZKs into NIZKs (probably with some extra conditions). An HVZK could fail because a dishonest verifier can send a "dangerous" challenge which reveals information, but a Fiat-Shamir forces the challenges to be random. As long as such dangerous challenges are sufficiently rare, then the Fiat-Shamir transform should produce a NIZK.
Answered by Sam Jaques on October 24, 2021
Add your own answers!
Ask a Question
Get help from others!
Recent Answers
- Joshua Engel on Why fry rice before boiling?
- Jon Church on Why fry rice before boiling?
- Lex on Does Google Analytics track 404 page responses as valid page views?
- haakon.io on Why fry rice before boiling?
- Peter Machado on Why fry rice before boiling?
Recent Questions
- How can I transform graph image into a tikzpicture LaTeX code?
- How Do I Get The Ifruit App Off Of Gta 5 / Grand Theft Auto 5
- Iv’e designed a space elevator using a series of lasers. do you know anybody i could submit the designs too that could manufacture the concept and put it to use
- Need help finding a book. Female OP protagonist, magic
- Why is the WWF pending games (“Your turn”) area replaced w/ a column of “Bonus & Reward”gift boxes?