Security in Computing (3rd Edition)


CS 161 Computer Security Fall 2005 Joseph/Tygar/Vazirani/Wagner Notes 18

We will consider the following authentication scheme: the user selects a number $N = P \cdot Q$, the product of two large primes, and a number $y = x^2 \bmod N$. The server is given $N$ and $y$, and to log in the user must prove that she knows $x$ such that $x^2 = y \bmod N$. Notice the similarity between this and the RSA function: here we are squaring instead of cubing to implement our hard-to-invert function. Indeed, it turns out that computing square roots modulo $N$ is provably as hard as factoring $N$ (as always, this is proved by a reduction. The reduction shows how to use any algorithm for square root extraction as a subroutine to implement a fast algorithm for factoring).

Before we can state the zero-knowledge protocol and establish its properties, we must state a few facts about numbers which are perfect squares modulo $N$. Let us restrict our attention to numbers $0 \le a \le N - 1$ which are relatively prime to $N$ (i.e. $\gcd(a, N) = 1$; note that if the gcd is not 1 then it must be $P$ or $Q$, so such $a$'s are rare and lucky choices that we will not consider). This set of numbers is denoted $Z^*_N$. For example, for $N = 15$, we would consider the numbers $Z^*_{15} = \{1, 2, 4, 7, 8, 11, 13, 14\}$. Among these numbers only 1 and 4 are perfect squares. Each has four square roots, $\{1, 4, 11, 14\}$ and $\{2, 7, 8, 13\}$ respectively. The square roots come in pairs, e.g. $13 = -2 \bmod 15$ and $8 = -7 \bmod 15$. In fact, for general $N = P \cdot Q$, exactly one quarter of the elements of $Z^*_N$ are perfect squares, and every perfect square $a \bmod N$ has four square roots $\pm x$ and $\pm y$. Moreover, multiplying a square by a square gives another square, since $x^2 \cdot z^2 \bmod N = (xz)^2 \bmod N$.

The protocol: The prover knows $x$ such that $x^2 = y \bmod N$. She wishes to prove to the verifier that she knows such a value $x$.

1. The prover picks a random value $r \bmod N$, computes $s = r^2 \bmod N$, and sends $s$ to the verifier.
2. The verifier randomly selects one of the following two challenges:
   I) He asks the prover to send him $\sqrt{s} \bmod N$.
   II) He asks the prover to send him $\sqrt{sy} \bmod N$.
3. The prover sends either $r$ or $rx \bmod N$, depending upon the challenge.
4. The verifier checks that the received number, when squared, satisfies the challenge.

Let us prove that this protocol provides a zero-knowledge proof of knowledge of a square root of $y \bmod N$. We will show that if the prover does not know a square root of $y \bmod N$, then the honest verifier will catch her cheating with probability at least $1/2$. This will establish that the protocol constitutes a proof of knowledge.
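The four protocol steps as an added Python example (not part of the original notes), run against both an honest prover and a prover who knows only $y$, the case the soundness claim covers. The toy modulus, the secret `X`, and the names `Prover`, `Guesser`, `verify` and `accepted_rounds` are assumptions made for illustration.

```python
import math
import secrets

# Constructed toy parameters; real use needs large secret primes P and Q.
N = 1009 * 1013
X = 123456                 # prover's secret
Y = pow(X, 2, N)           # public: y = x^2 mod N

def rand_unit(n):          # random element of Z*_n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r

class Prover:
    """Honest prover: knows x."""
    def __init__(self, n, x):
        self.n, self.x = n, x
    def commit(self):
        self.r = rand_unit(self.n)
        return pow(self.r, 2, self.n)              # step 1: s = r^2 mod N
    def respond(self, c):                          # step 3: r or r*x mod N
        return self.r if c == 0 else self.r * self.x % self.n

class Guesser:
    """Knows only y; must guess the challenge before committing."""
    def __init__(self, n, y):
        self.n, self.y = n, y
    def commit(self):
        self.guess, self.t = secrets.randbelow(2), rand_unit(self.n)
        s = pow(self.t, 2, self.n)
        if self.guess == 1:                        # make s*y = t^2 mod N
            s = s * pow(self.y, -1, self.n) % self.n
        return s
    def respond(self, c):
        return self.t                              # valid only if c == guess

def verify(n, y, s, c, z):
    """Step 4: z^2 must equal s (challenge I) or s*y (challenge II)."""
    return pow(z, 2, n) == (s if c == 0 else s * y % n)

def accepted_rounds(party, n, y, rounds):
    """Run the protocol `rounds` times; count how often the verifier accepts."""
    ok = 0
    for _ in range(rounds):
        s = party.commit()
        c = secrets.randbelow(2)                   # step 2: random challenge
        ok += verify(n, y, s, c, party.respond(c))
    return ok
```

The honest prover is accepted in every round, while the `Guesser` is accepted only in the rounds where its guess matches the challenge, so repeating the protocol $k$ times leaves it a $2^{-k}$ chance of passing all of them.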