CS 161
Computer Security
Fall 2005
Joseph/Tygar/Vazirani/Wagner
Notes 18
We will consider the following authentication scheme: the user selects a number $N = P \cdot Q$, the product of two large primes, and a number $y = x^2 \bmod N$. The server is given $N$, $y$, and to log in the user must prove that she knows $x$ such that $x^2 = y \bmod N$. Notice the similarity between this and the RSA function: here we are squaring instead of cubing to implement our hard-to-invert function. Indeed, it turns out that computing square roots modulo $N$ is provably as hard as factoring $N$ (as always, this is proved by a reduction. The reduction shows how to use any algorithm for square root extraction as a subroutine to implement a fast algorithm for factoring).
Before we can state the zero-knowledge protocol and establish its properties, we must state a few facts about numbers which are perfect squares modulo $N$. Let us restrict our attention to numbers $0 \le a \le N - 1$ which are relatively prime to $N$ (i.e. $\gcd(a, N) = 1$; note that if the gcd is not 1 then it must be $P$ or $Q$, so such $a$'s are rare and lucky choices that we will not consider). This set of numbers is denoted $Z_N^*$. For example, for $N = 15$, we would consider the numbers $Z_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$. Among these numbers only 1 and 4 are perfect squares. Each has four square roots, $\{1, 4, 11, 14\}$ and $\{2, 7, 8, 13\}$ respectively. The square roots come in pairs, e.g. $13 = -2 \bmod 15$ and $8 = -7 \bmod 15$. In fact, for general $N = P \cdot Q$, exactly one quarter of the elements of $Z_N^*$ are perfect squares, and every perfect square $a \bmod N$ has four square roots $\pm x$ and $\pm y$. Moreover, multiplying a square by a square gives another square, since $x^2 \cdot z^2 \bmod N = (xz)^2 \bmod N$.
The protocol: The prover knows $x$ such that $x^2 = y \bmod N$. She wishes to prove to the verifier that she knows such a value $x$.
1. The prover picks a random value $r \bmod N$, computes $s = r^2 \bmod N$, and sends $s$ to the verifier.
2. The verifier randomly selects one of the following two challenges: I) He asks the prover to send him $\sqrt{s} \bmod N$. II) He asks the prover to send him $\sqrt{sy} \bmod N$.
3. The prover sends either $r$ or $rx \bmod N$, depending upon the challenge.
4. The verifier checks that the received number, when squared, satisfies the challenge.
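The four steps above, simulated end to end as an added Python example (not code from the original notes): an honest prover who knows $x$, a verifier flipping the challenge coin, and a prover who does not know $x$ and can therefore prepare a commitment $s$ for only one of the two challenges. The toy parameters $N = 15$, $x = 2$, $y = 4$ are the values from the notes; the function names are assumptions of this example.

```python
import random
from math import gcd

# Constructed toy parameters from the notes: N = 3 * 5, secret x = 2, public y = x^2 mod N.
N, X, Y = 15, 2, 4

def random_unit(n):
    """Random element of Z_n^*, i.e. relatively prime to n."""
    while True:
        a = random.randrange(1, n)
        if gcd(a, n) == 1:
            return a

def honest_commit(x, n):
    """Step 1: prover picks r and sends s = r^2 mod n. Returns (secret r, public s)."""
    r = random_unit(n)
    return r, (r * r) % n

def honest_respond(r, x, challenge, n):
    """Step 3: challenge 0 asks for sqrt(s) -> r; challenge 1 asks for sqrt(sy) -> rx."""
    return r if challenge == 0 else (r * x) % n

def verifier_check(s, y, challenge, response, n):
    """Step 4: square the response; it must equal s (challenge 0) or s*y (challenge 1)."""
    target = s if challenge == 0 else (s * y) % n
    return (response * response) % n == target

def cheating_commit(y, n, guess):
    """A prover without x can prepare s for one challenge only:
    guess 0: s = t^2, so t answers challenge 0;
    guess 1: s = t^2 * y^-1, so s*y = t^2 and t answers challenge 1."""
    t = random_unit(n)
    s = (t * t) % n if guess == 0 else (t * t * pow(y, -1, n)) % n
    return t, s

def run_round(cheat=False):
    """One round of the protocol; True if the verifier accepts."""
    if cheat:
        t, s = cheating_commit(Y, N, random.randrange(2))
        challenge = random.randrange(2)   # step 2: verifier's coin, independent of the guess
        response = t                      # the cheater's only prepared answer
    else:
        r, s = honest_commit(X, N)
        challenge = random.randrange(2)
        response = honest_respond(r, X, challenge, N)
    return verifier_check(s, Y, challenge, response, N)

def acceptance_rate(rounds, cheat=False):
    """Fraction of rounds accepted: 1.0 for the honest prover, about 1/2 for the cheater."""
    return sum(run_round(cheat) for _ in range(rounds)) / rounds
```

Repeating the round $k$ times drives the cheater's acceptance rate to about $2^{-k}$, while the honest prover is accepted every time.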
Let us prove that this protocol provides a zero-knowledge proof of knowledge of a square root of $y \bmod N$. We will show that if the prover does not know a square root of $y \bmod N$, then the honest verifier will catch her cheating with probability at least $1/2$. This will establish that the protocol constitutes a proof of knowledge. And we will show that the verifier cannot extract any extra information from the prover no matter how he