Cryptography Asked by yacovm on October 24, 2021
I’m struggling to understand the intuition of the zero knowledge-ness of this proof from the following paper.
The proof is a 2 round where the verifier asks the prover to extract square roots of quadratic residues.
I’ve read the HVZK proof (shown in the picture below) and I agree that you can produce a transcript that distributes like a normal proof, however I still can’t get over the simple fact that:
Isn’t that a "knowledge" leak? Why can this proof be turned into a NIZK?
Many thanks in advance.
so the verifier learns square roots of numbers in the group which it could not compute on its own before.
With Fiat-Shamir transform, these roots will be of random numbers. And the learner could easily compute those by sampling random $x$ and computing $x^2$ (modulo $N$). This distribution is not distinguishable from $(sqrt{x},x)$ pairs that would be given in the protocol.
Answered by Fractalice on October 24, 2021
I'm guessing:
"HVZK" stands for "honest-verifier zero knowledge", right? Your objection is that a dishonest verifier can choose a random $x_i$, compute $rho_iequiv x_i^2mod N$, and then when they get $sigma_i$ from the prover, there is a $1/4$ chance that $gcd(sigma_i-x_i,N)$ is a non-trivial factor. But an honest verifier should generate random $rho_i$.
This should be secure, based on the following: Suppose $A$ is an algorithm that can factor $N$ given random $rho_i$ and $sigma_i$ such that $sigma_i^2equiv rho_imod N$. Then we can factor any $N$ with $A$ by picking a random $sigma_i$, computing $rho_iequivsigma_i^2mod N$, and sending $rho_i$ and $sigma_i$ to $A$.
It seems intuitively true that the Fiat-Shamir tansform should be able to turn HVZKs into NIZKs (probably with some extra conditions). An HVZK could fail because a dishonest verifier can send a "dangerous" challenge which reveals information, but a Fiat-Shamir forces the challenges to be random. As long as such dangerous challenges are sufficiently rare, then the Fiat-Shamir transform should produce a NIZK.
Answered by Sam Jaques on October 24, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP