CS 161
Computer Security
Fall 2005
Joseph/Tygar/Vazirani/Wagner
Notes 18
We will consider the following authentication scheme: the user selects a number $N = P \cdot Q$, the product of two large primes, and a number $y = x^2 \bmod N$. The server is given $N$, $y$, and to log in the user must prove that she knows $x$ with $x^2 = y \bmod N$. Notice the similarity between this and the RSA function: here we are squaring instead of cubing to implement our hard-to-invert function. Indeed, it turns out that computing square roots modulo $N$ is provably as hard as factoring $N$ (as always, this is proved by a reduction. The reduction shows how to use any algorithm for square root extraction as a subroutine to implement a fast algorithm for factoring).
Before we can state the zero-knowledge protocol and establish its properties, we must state a few facts about numbers which are perfect squares modulo $N$. Let us restrict our attention to numbers $0 \le a \le N - 1$ which are relatively prime to $N$ (i.e. $\gcd(a, N) = 1$; note that if the gcd is not 1 then it must be $P$ or $Q$, so such $a$'s are rare and lucky choices that we will not consider). This set of numbers is denoted $Z_N^*$. For example, for $N = 15$, we would consider the numbers $Z_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$. Among these numbers only 1 and 4 are perfect squares. Each has four square roots, $\{1, 4, 11, 14\}$ and $\{2, 7, 8, 13\}$ respectively. The square roots come in pairs, e.g. $13 = -2 \bmod 15$ and $8 = -7 \bmod 15$. In fact, for general $N = P \cdot Q$, exactly one quarter of the elements of $Z_N^*$ are perfect squares and every perfect square $a \bmod N$ has four square roots $\pm x$ and $\pm y$. Moreover, multiplying a square by a square gives another square, since $x^2 \cdot z^2 \bmod N = (xz)^2 \bmod N$.
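The facts above can be checked by exhaustive enumeration for any small $N = P \cdot Q$. The following Python script is an added example (it is not part of the original notes): it lists $Z_N^*$, groups the elements by their square, and asserts that squares make up one quarter of the group, that every square has four roots forming two $\pm$ pairs, and that the squares are closed under multiplication. The primes passed to `check_square_facts` are the caller's choice; $N = 15$ reproduces the table in the text.

```python
from math import gcd
from itertools import product


def z_star(n):
    """The multiplicative group Z_N^*: residues in [0, N-1] coprime to N."""
    return [a for a in range(n) if gcd(a, n) == 1]


def square_roots(n):
    """Map each perfect square a in Z_N^* to the sorted list of its roots in Z_N^*."""
    roots = {}
    for x in z_star(n):
        roots.setdefault(x * x % n, []).append(x)
    return {a: sorted(r) for a, r in roots.items()}


def check_square_facts(p, q):
    """Verify, by enumeration for N = p*q (p, q distinct odd primes), that:
    - exactly one quarter of Z_N^* consists of perfect squares,
    - every square has exactly four roots, which come in +/- pairs,
    - the product of two squares is again a square.
    Returns a summary dict so callers can inspect the numbers."""
    n = p * q
    group = z_star(n)
    roots = square_roots(n)
    squares = set(roots)
    assert 4 * len(squares) == len(group), "squares are not one quarter of Z_N^*"
    for a, r in roots.items():
        assert len(r) == 4, f"{a} does not have four square roots mod {n}"
        for x in r:
            assert (-x) % n in r, f"root {x} of {a} has no partner -x"
    for a, b in product(squares, repeat=2):
        assert a * b % n in squares, f"{a}*{b} mod {n} is not a square"
    return {"N": n, "group_size": len(group),
            "num_squares": len(squares), "roots": roots}


if __name__ == "__main__":
    # N = 15, the worked example from the notes
    summary = check_square_facts(3, 5)
    print("Z_15^* =", z_star(15))
    for a, r in summary["roots"].items():
        print(f"square {a} has roots {r}")
    # a slightly larger modulus, same structure
    print(check_square_facts(7, 11)["num_squares"], "squares mod 77")
```

The `(-x) % n in r` check is the "roots come in pairs" statement; `4 * len(squares) == len(group)` is the "one quarter" statement, which holds for distinct odd primes because exactly half the residues are squares modulo each prime factor.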
The protocol:
The prover knows $x$ with $x^2 = y \bmod N$. She wishes to prove to the verifier that she knows such a value $x$.
1. The prover picks a random value $r \bmod N$ and computes $s = r^2 \bmod N$ and sends $s$ to the verifier.
2. The verifier randomly selects one of the following two challenges: I) He asks the prover to send him $\sqrt{s} \bmod N$. II) He asks the prover to send him $\sqrt{sy} \bmod N$.
3. The prover sends either $r$ or $rx \bmod N$ depending upon the challenge.
4. The verifier checks that the received number when squared satisfies the challenge.
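The four steps above, run end to end, as an added example in Python (this is illustrative code, not code from the notes). It includes an honest prover, the verifier's check, and two things the soundness and zero-knowledge arguments rely on: a prover who does not know $x$ and can only prepare for one of the two challenges in advance, so she passes a round with probability $1/2$; and a simulator that produces accepting transcripts without $x$ by choosing the challenge before the commitment. The primes `P`, `Q` are constructed toy values chosen so that the script runs instantly; they are far too small for real use.

```python
import random
from math import gcd

# Constructed toy parameters (assumption: small primes for a fast demo).
P, Q = 1009, 1013
N = P * Q


def random_unit(n, rng):
    """Uniform element of Z_N^* (the notes restrict attention to these)."""
    while True:
        a = rng.randrange(1, n)
        if gcd(a, n) == 1:
            return a


def keygen(n, rng):
    """User picks secret x and publishes y = x^2 mod N."""
    x = random_unit(n, rng)
    return x, x * x % n


class HonestProver:
    def __init__(self, x, n, rng):
        self.x, self.n, self.rng = x, n, rng

    def commit(self):
        self.r = random_unit(self.n, self.rng)
        return self.r * self.r % self.n               # step 1: s = r^2 mod N

    def respond(self, challenge):
        # step 3: challenge 0 -> sqrt(s) = r ; challenge 1 -> sqrt(s*y) = r*x
        return self.r if challenge == 0 else self.r * self.x % self.n


class CheatingProver:
    """Knows y but no square root of y. She guesses the challenge before
    committing: for guess 0 she sends s = r^2 (answer r); for guess 1 she sends
    s = r^2 * y^-1 so that s*y = r^2 (answer r). No single s lets her answer
    both challenges, so she is caught whenever the guess is wrong."""
    def __init__(self, y, n, rng):
        self.y_inv, self.n, self.rng = pow(y, -1, n), n, rng

    def commit(self):
        self.r = random_unit(self.n, self.rng)
        self.guess = self.rng.randrange(2)
        s = self.r * self.r % self.n
        return s if self.guess == 0 else s * self.y_inv % self.n

    def respond(self, challenge):
        return self.r                                  # valid only if challenge == guess


def verify_round(prover, y, n, rng):
    """Steps 1-4 from the verifier's side; True if the answer squares to the target."""
    s = prover.commit()
    challenge = rng.randrange(2)                       # step 2: I) sqrt(s) or II) sqrt(s*y)
    answer = prover.respond(challenge)
    target = s if challenge == 0 else s * y % n
    return answer * answer % n == target               # step 4


def run_protocol(prover, y, n, rounds, rng):
    """Run independent rounds; returns how many the verifier accepted."""
    return sum(verify_round(prover, y, n, rng) for _ in range(rounds))


def simulate_transcript(y, n, rng):
    """Produce an accepting (s, challenge, answer) triple without knowing x:
    pick the challenge and the answer first, then derive the commitment."""
    challenge = rng.randrange(2)
    answer = random_unit(n, rng)
    a2 = answer * answer % n
    s = a2 if challenge == 0 else a2 * pow(y, -1, n) % n
    return s, challenge, answer


if __name__ == "__main__":
    rng = random.Random(2005)
    x, y = keygen(N, rng)
    print("honest prover accepted:", run_protocol(HonestProver(x, N, rng), y, N, 20, rng), "/ 20")
    print("cheating prover accepted:", run_protocol(CheatingProver(y, N, rng), y, N, 1000, rng), "/ 1000")
    s, c, a = simulate_transcript(y, N, rng)
    print("simulated transcript verifies:", a * a % N == (s if c == 0 else s * y % N))
```

Each round halves the cheater's chance, so a verifier wanting error $2^{-k}$ runs $k$ rounds. The simulator's output has the same distribution as a real transcript (uniform unit `answer`, uniform `challenge`, `s` determined by them), which is the sense in which the verifier learns nothing about $x$ beyond what he could have produced himself.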
Let us prove that this protocol provides a zero-knowledge proof of knowledge of a square root of $y \bmod N$. We will show that if the prover does not know a square root of $y \bmod N$ then the honest verifier will catch her cheating with probability at least $1/2$. This will establish that the protocol constitutes a proof of knowledge. And we will show that the verifier cannot extract any extra information from the prover no matter how he