Protocols to do seemingly impossible
1
CHAPTER 10: Protocols to do seemingly impossible
A protocol is an algorithm two (or more) parties have to follow to perform a
communication/cooperation.
A cryptographical protocol is a protocol to achieve secure communication during some goal oriented
cooperation.
In this  chapter we deal with a variety of cryptographical protocols that allow to solve seemingly
unsolvable problems.
We present several cryptographic protocols for such basic cryptographic primitives as bit
commitment and oblivious transfer.
Of special importance are zero-knowledge protocols we discuss in second half of this chapter.
IV054

2
Protocols to do seemingly impossible
COIN-FLIPPING BY PHONE PROTOCOLS-EXAMPLE
Coin-flipping by telephone: Alice and Bob got divorced and they do not trust each other any longer.
They want to decide, communicating by phone only, who gets the car.
IV054
Protocol 1 Alice sends Bob messages head and tail encrypted by a one-way function f. Bob guesses
which one of them is encryption of head. Alice tells Bob whether his guess was correct. If Bob does
not believe her,  Alice  sends f to Bob.
Protocol 2 Alice chooses two large primes p,q, sends Bob n = pq and keeps p, q secret.
Bob chooses a random number y Î {1,…, n / 2},  sends Alice x = y2 mod n and tells Alice: if you
will guess y correctly, car is yours.
Alice computes four square roots (x1, n - x1) and (x2, n - x2) of x.
Let
 x1‘ = min(x1, n - x1), x2‘ = min(x2, n - x2).
Since y Î {1,…,n / 2}, either y = x1' or y = x2'.
Alice then guesses whether y = x1' or y = x2' and tells Bob her choice (for example by reporting
the position and value of the leftmost bit in which x1' and x2' differ).
Bob tells Alice whether her guess was correct.
(Later, if necessary, Alice reveals p and q, and Bob reveals y.)

3
Protocols to do seemingly impossible
COIN TOSSING
•In any coin tossing protocol both parties should influence outcome and should accept  the outcome.
Both outcomes should have the same probability.
•Requirements for a coin tossing protocol are sometimes generalized as follows:
–The outcome of the protocol is an element from the set {0, 1, reject}
–If both parties behave correctly, the outcome should be from the set {0, 1}
–If it is not the case that both parties behave correctly, the outcome should be reject
Problem: In some coin tossing protocols one party can find out the outcome sooner than second party
and in such a case can disrupt the protocol  to produce reject. A way out is to require that in
case of correct behavior no outcome should have probability > 1/2.
IV054

>

4
Protocols to do seemingly impossible
COIN TOSSING  USING  ONE-WAY FUNCTION f
Protocol:
           _      Alice chooses a one-way function f and informs Bob     about  the definition
domain of f.
–Bob chooses randomly r1 , r2 from dom(f) and sends them to Alice
–Alice sends to Bob one of the values f(r1) or f(r2)
–Bob announces Alice his guess which of the two values he received
–Alice announces Bob whether his guess was correct (0) or not (1)
–If one needs to verify correctness, Alice should send to Bob specification of f
The protocol is computationally secure. Indeed, to cheat, Alice should be able to find, for
randomly chosen r1, r2 such a one-way function f that f(r1) = f(r2).
1.
IV054

>

5
Protocols to do seemingly impossible
BIT COMMITMENT PROTOCOLS (BCP)
Basic ideas and solutions I
In a bit commitment protocol Alice chooses a bit b and gets committed to b, in the following sense:
Bob has no way of knowing which commitment  Alice has made, and Alice has no way of changing her
commitment once she has made it; say after Bob announces his guess as to what Alice has chosen.
An example of a “pre-computer era'' bit commitment protocol is that Alice writes her commitment on
a paper, locks it in a box, sends the box to Bob and, later, in the opening phase, she sends also
the key to Bob.
IV054
Complexity era solution I. Alice chooses a one-way function f and an even (odd) x if she wants to
commit herself to 0 (1) and sends to Bob f(x) and f.
Problem: Alice may know an even x1 and an odd x2 such that f(x1) = f(x2).
Complexity era solution II. Alice chooses a one-way function f, two random x1, x2 and a bit b she
wishes to commit to, and sends to Bob (f (x1, x2, b), x1) - a commitment.
When times comes for Alice to reveal her bit she sends to Bob f and the triple (x1, x2, b).

6
Protocols to do seemingly impossible
BIT COMMITMENT SCHEMES I
The basis of bit commitment protocols are bit commitment schemes:
A bit commitment scheme is a mapping f: {0,1} x X ® Y, where X and Y are finite sets.
A commitment to a b Î {0,1}, or an encryption of b,  is any value (called  a blow)  f(b, x), x Î X.
Each bit commitment protocol has  two phases:
Commitment phase: The sender sends a bit b he wants to commit to, in an encrypted form, to the
receiver.
Opening phase: If required, the senders sends to the receiver additional information that enables
the receiver to get b.
.
IV054

>

7
Protocols to do seemingly impossible
BIT COMMITMENT SCHEMES II
Each bit commitment scheme should have three properties:
Hiding (privacy): For no b Î {0,1} and no x Î X, it is feasible for Bob  to determine b from B =
f(b, x).
Binding: Alice can “open'' her commitment b, by revealing (opening)  x and b such that B = f(b, x),
but she  should not be able to open a commitment (blow) B as both 0 and 1.
Correctness: If both, the sender and the receiver, follow the protocol, then the receiver will
always learn (recover) the committed value b.

>

8
Protocols to do seemingly impossible
Bit Commitment with One-Way Function
Commitment phase:
–Alice and Bob choose a oneway function f
–Bob sends a randomly chosen r1 to Alice
–Alice chooses random r2 and her committed bit b and sends to Bob f (r1 , r2 , b).
Opening phase:
–Alice sends to Bob r2 and b
–Bob computes f (r1 , r2 , b) and compares with the value he has already received.
•
IV054

>

9
Protocols to do seemingly impossible
Hash functions and commitments
A commitment to a data w, without revealing w, using a hash function h, can be done as follows:
Commitment phase:  To commit to a w choose a random r and make public   h(wr).
Opening phase:   reveal r and w.
For this application the hash function h has to be one-way: from h(wr) it should be unfeasible to
determine wr

>

10
Protocols to do seemingly impossible
Bit commitment scheme II. p is a large Blum prime, X = {0,1,…, p-1} = Y,     is a primitive element
of Zp*.
where
Binding property of this bit commitment scheme follows from the fact that in the case of discrete
logarithms modulo Blum primes there is no effective way to determine second least significant bit
(SLB) of the discrete logarithm.
TWO SPECIAL BIT COMMITMENT SCHEMES
Bit commitment scheme I. Let p, q be large primes, n = pq, m Î QNR(n),            X = Y =  Zn*. Let
n,m be public.
Commitment: f(b, x) = m bx 2 mod n for a random x from X.
Since computation of quadratic residues is in general infeasible, this bit commitment scheme is
hiding.
Since m Î QNR(n), there are no x1, x2 such that mx12 = x22 mod n and therefore  the scheme is
binding.
IV054

11
Protocols to do seemingly impossible
MAKING COIN TOSSING FROM BIT COMMITMENT
Each bit commitment  scheme can be used to solve coin tossing problem as follows:
1. Alice tosses a coin, and commits itself to its outcome bA
(say heads = 0, tails = 1)     and sends the commitment to Bob.
IV054
2. Bob also tosses a coin and sends the outcome bB to Alice.
3. Alice opens her commitment.
4. Both Alice and Bob compute b = bA Ĺ bB.
Observe that if at least one of the parties follows the protocol, that is it tosses a random coin,
the outcome is indeed a random bit.
Note:  Observe that after step 2 Alice knows what will be the outcome, but Bob not. So Alice can
disrupt the protocol if the outcome is to be not good for her. This is  a weak
point of this protocol.

12
Protocols to do seemingly impossible
BASIC TYPES of HIDING and BINDING
IV054
 If the hiding or the binding property of a commitment protocol depends on the complexity of a
computational problem, we speak about computational hiding and computational binding.
In case, the binding or the hiding property does not depend on the complexity of a computational
problem, we speak about unconditional hiding or unconditional binding.

13
Protocols to do seemingly impossible
A commitment scheme based on discret logarithm
Alice wants to commit herself to an m Î {0,…,q - 1}.
Scheme setting:
Bob randomly chooses primes p and q such that
q | (p - 1).
Bob chooses random generators                 of the subgroup G of order q Î Zn*.
Bob sends p, q, g and v to Alice.
Commitment phase:
To commit to an m Î {0,…,q - 1}, Alice chooses a random r Î {0,…,q - 1}, and sends c= g rv m to
Bob.
Opening phase:
Alice sends r and m to Bob who then verifies whether c = g rv m.
IV054

14
Protocols to do seemingly impossible
COMMENTS
• If Alice, committed to an m, could open her commitment as           , then

                                           and therefore
Hence, Alice could compute lg g v of a randomly chosen element v ÎG, what contradicts the
assumption that computation of discrete logarithms in G is infeasible.
IV054
• Since g and v are generators of G, then g r is a uniformly chosen random element in G, perfectly
hiding v m and m in g rv m, as in the encryption with ONE-TIME PAD cryptosystem.

15
Protocols to do seemingly impossible
BIT COMMITMENT using ENCRYPTIONS
Commit phase:
1.Bob generates a random string r and sends it to Alice
2.Alice commit herself to a bit b using a key k through  an encryption
Ek(rb)
     and sends it to Bob.
Opening phase:
1.Alice sends the key k to Bob.
2.Bob decrypts the message to learn b and to verify r.
3.
Comment: without Bob’s random string r Alice could find a different key l
such that ek(b)=el(¬b).

>

16
Protocols to do seemingly impossible
COMMITMENTS and ELECTRONIC VOTING
Let com(r, m) = g rv m denote commitment to m in the commitment scheme based on discrete logarithm.
If r 1, r 2, m 1, m 2 Î {0,…,q - 1}, then
com(r 1, m 1) × com(r 2, m 2) = com(r 1 + r 2, m 1 + m 2).
Commitment schemes with such a property are called homomorphic commitment schemes.
Homomorphic schemes can be use to cast yes-no votes of n voters V 1,…, V n, by the trusted
authority TA for whom e T and d T are ElGamal encryption and decryption algorithms.
Each voter V i chooses his vote m i Î {0,1}, a random r I Î {0,…, q - 1} and computes his voting
commitment c I = com(r i, m i). Then V i makes c i public and sends e T(g ri) to TA and TA
computes
where                  and makes public g r.
Now, anybody can compute the result s of voting from publicly known c i and g r since
with
s can now be derived from v s by computing v 1, v 2, v 3,… and comparing with v s if the number of
voters is not too large.
IV054

17
Protocols to do seemingly impossible
Trust in cryptographic protocols
IV054
In any interaction between people, there is a certain level of risk,
trust, and expected behaviour, that is implicit in the interchanges.
People may behave properly for a variety of reasons: fear from
prosecution, desire to act in unethical manner due to social
influences, and so on.
However, in cryptographic protocols trust has to be kept to the lowest
possible level.
In any cryptographic protocol, if there is an absence of a mechanism
for verifying, say autencity, one must assume, as default, that other
participants can be dishonest (if for no other reason than for self-
preservation).

>

18
Protocols to do seemingly impossible
OBLIVIOUS TRANSFER (OT) PROBLEM
Story: Alice knows a secret and wants to send secret to Bob in such a way that he gets secret with
probability 1/2, and he knows whether he got secret, but Alice has no idea whether he received
secret. (Or Alice has several secrets and Bob wants to buy one of them but he does not want that
Alice knows which one he bought.)
IV054
Oblivious transfer problem: Design a protocol for sending a message from Alice to Bob in such a way
that Bob receives the message with probability 1/2 and “garbage'' with the probability 1/2.
Moreover, Bob knows whether he got the message or garbage, but Alice has no idea which one he got.
An Oblivious transfer protocol:
(1) Alice chooses two large primes p and q and sends n = pq to Bob.
(2) Bob chooses a random number x and sends y = x 2 mod n to Alice.
(3) Alice computes four square roots ± x 1, ± x 2 of y (mod n) and sends one of them to Bob. (She
can do it, but has no idea which of them is x.)
(4) Bob checks whether the number he got is congruent to x. If yes, he has received no new
information. Otherwise, Bob has two different square roots modulo n and can factor n. Alice has no
way of knowing whether this is the case.

19
Protocols to do seemingly impossible
1-OUT-OF-2 oblivious transfer problem
The 1-out-of-2 oblivious transfer problem: Alice sends two messages to Bob in such a way that Bob
can choose which of the messages he receives (but he cannot choose  both), but Alice cannot learn
Bob’s decision.
A generalization of 1-out-of-2 oblivious transfer problem is two-party oblivious
circuit evaluation problem:
Alice has a secret i and Bob has a secret j and they both know  some function f.
At the end of protocol the following conditions should hold:
1.Bob knows the value f(i,j), but he does not learn anything about i.
2.Alice learns nothing about j and nothing about f(i,j).
3.
Note: The 1-out-of-2 oblivious transfer problem is the instance of the oblivious circuit evaluation
problem for i=(b0,b1), f(i,j)=bj.
1.

>

Protocols to do seemingly impossible
20
1-out-2 oblivious transfer box
1-out-of-two oblivious transfer can be imagine as a box with three inputs and one output.
INPUTS: Alice inputs:   x0  and x1;                                                    ………….Bob
inputs a bit c
OUTPUT: Bob gets as the output: xc

21
Protocols to do seemingly impossible
Implementation of oblivious transfer
IV054
  • Alice generates two key pairs for a PKC P and sends their public keys to Bob.
  • Bob chooses a to-be random secret key k for a SKC S, encrypts it by one of Alice’s public keys
and sends it to Alice.
  • Alice uses her two secret keys to decrypt the message she received. One of outcome is garbage
g, another one is k, but she does not know which one.
  • Alice encrypts her two secret messages, one with k, another with g and sends them to Bob.
  • Bob uses S with k to decrypt both messages he got and one of the attempts is successful. Alice
has no idea which one.

>

22
Protocols to do seemingly impossible
Power of Oblivious Transfers
•C. Crépeau (1988) showed that both versions of oblivious transfer are equivalent  a protocol for
each version can be realized using any protocol for the other version, using a cryptographic
reduction
•Original definition of the oblivious transfer is due to J. Halpern and M. O. Rabin (1983);
1-out-of-2 olivious transfer suggested S. Even, O. Goldreich and A. Lempel in 1985.
•J. Kilian (1988) showed that oblivious transfers are very powerful protocols that allow secure
computation of the value f(x, y) of any binary function f , where x is a secret value known only by
Alice, and y is a secret value known only by Bob, in such a way that it holds:
–Both, Alice and Bob, learn f(x, y)
–Alice learns about y only so much she can learn from x and f(x, y)
–Bob learns about x only so much he can learn from y and    f(x, y)
1.
IV054

>

Protocols to do seemingly impossible
23
BIT COMMITMENT from 1-out-2 oblivious transfer
Using 1-out-of-2 oblivious transfer box (OT-box) one can design bit commitment:
COMMITMENT PHASE:
1.Alice selects a random bit r and her commitment bit b;
2. Alice inputs x0 = r and  x1  =r  xor b into the OT-box.
3. Alice sends a message to Bob telling him it is his turn.
4. Bob selects a random bit c, inputs c into the OT-box and records the output xc.
OPENING PHASE:
1.Alice sends r and b to Bob.
2.Bob checks to see if xc =r xor bc

24
Protocols to do seemingly impossible
Mental poker playing by phone - two players
Basic requirements:
•  All hands (sets of 5 cards) are equally likely.
•  The hands of Alice and Bob are disjoint.
•  Both players know their own hand but not that of the opponent.
•  Each player can detect eventual cheating of the other player.
A commutative cryptosystem is used with all functions kept secret.
Players agree on numbers w 1,…,w 52 as the names of 52 cards.
IV054
Protocol:
(1) Bob shuffles cards, encrypts them with e B, and tells e B (w 1),…, e B (w 52), in a randomly
chosen order, to Alice.
(2) Alice chooses five of the items e B (w i) as Bob's hands and tells them Bob.
(3) Alice chooses another five of e B (w i), encrypt them with e A and sends to Bob.
(4) Bob applies d B to five values e A (e B (w i)) he got from Alice and sends e A (w i) to Alice
as Alice's hands.
Remarque: The cryptosystem that is used cannot be public-key in the normal sense. Otherwise Alice
could compute e B (w i) and deal with the cards accordingly - a good hand for B but slightly better
for herself.

25
Protocols to do seemingly impossible
Mental poker with three players
1. Alice encrypts 52 cards w 1,…,w 52 with e A and sends them in a random order to Bob.
IV054
2. Bob, who cannot read the cards, chooses 5 of them, randomly. He encrypts them with e B, and
sends e B (e A (w i)) to Alice and the remaining 47 encrypted cards e A (w i) to Carol.
3. Carol, who cannot read any of the messages, chooses five at random, encrypts them with her key
and sends Alice e C (e A (w_i)).
4. Alice, who cannot read encrypted messages from Bob and Carol, decrypt them with her key and
sends back to the senders,
five d A (e B (e A (w i))) = e B (w i) to Bob,
five d A (e C (e A (w i))) = e C (w i) to Carol.
5. Bob and Carol decrypt the messages to learn their hands.
6. Carol chooses randomly 5 other messages e A (w i) from the remaining 42 and sends them to Alice.
7. Alice decrypt messages to learn her hands.
Additional cards can be dealt with in a similar manner. If either Bob or Carol wants a card, they
take an encrypted message e A (w i) and go through the protocol with Alice. If Alice wants a card,
whoever currently has the deck sends her a card.

Protocols to do seemingly impossible
26
Zero-knowledge proof protocols
To the most important primitives for cryptographic protocols, and at the same time  very
counterintuitive primitives,  belong so-called zero-knowledge proof protocols (of knowledge).
Very informally, a zero-knowledge proof protocol allows one party, usually called PROVER, to
convince another party, called VERIFIER, that PROVER knows some fact (a secret, a proof of a
theorem,...) without revealing to the VERIFIER ANY information about his knowledge (secret,
proof,...).
In the rest of this chapter we present and illustrate very basic ideas of zero-knowledge proof
protocols and their importance for cryptography.
Zero-knowledge proof protocols are a special type of so-called interactive proof systems.
By a theorem we  understand in the following a claim that a specific object has a specific
property. For example, that a specific graph is 3-collorable.
IV054

27
Protocols to do seemingly impossible
Illustrative example
(A cave with a door opening on a secret word)
Alice knows a secret word opening the door in cave. How  can she convince Bob about it without
revealing this secret word?
IV054
01

Protocols to do seemingly impossible
28
ZERO-KNOWLEDGE PROOFS
Informally speaking, an interactive proof systems has the property of being zero-knowledge if the
Verifier, that interacts with the honest Prover of the system, learns nothing from the interaction
beyond the validity of the statement being proved.
There are several variants of zero-knowledge protocols that differ in the specific way the notion
of learning nothing is formalized.
In each variant it is viewed that a particular Verifier learns nothing if there exists a polynomial
time simulator whose output is indistinguishable from the output of the Verifier  after interacting
with the Prover on any possible instant of the problem.
The different variants of zero-knowledge proof systems concern the strength of this
distinguishability. In particular, perfect or statistical zero-knowledge refer to the situation
where the simulator’s output and the Verifier’s output are indistinguishable in an information
theoretic sense.
Computational zero-knowledge refer to the case there is  no polynomial time
distinguishability.

29
Protocols to do seemingly impossible
INTERACTIVE PROOF PROTOCOLS
In an interactive proof system there are two parties
• An (all powerful) Prover, often called Peggy (a randomized algorithm that uses a private random
number generator);
•
• A (little (polynomially)  powerful) Verifier, often called Vic (a polynomial time randomized
algorithm that uses a private random number generator).
•
Prover knows some secret, or a knowledge, or a fact about a specific object, and wishes to convince
Vic, through a communication with him, that he has the above knowledge.
IV054
For example, both Prover and Verifier posses an input x and Prover wants to convince Verifier that
x has a certain Property and that Prover knows how to proof that.
The interactive proof system consists of several rounds. In each round Prover and Verifier
alternatively do the following.
1. Receive a message from the other party.
2. Perform a (private) computation.
3. Send a message to the  other party.
4.
Communication starts usually by a challenge of Verifier and a response of Prover.
At the end, Verifier either accepts or rejects Prover's attempts to convince Verifier.

30
Protocols to do seemingly impossible
Example - GRAPH NON-ISOMORPHISM
A simple interactive proof protocol exists  for a computationally very hard           graph
non-isomorphism problem.
Input: Two graphs G 1 and G 2, with the set of nodes {1,…,n }
Protocol: Repeat n times the following steps:
1. Vic chooses  randomly an integer i Î {1,2} and a permutation p of {1,…,n }. Vic then  computes
the image H of G i under permutation p and sends H to Peggy.
2.
2. Peggy determines the value j such that G J is isomorphic to H, and sends j to Vic.
3.
3. Vic checks to see if i = j.
Vic accepts Peggy's proof if i = j in each of  n rounds.
IV054
Completeness: If G 1 is not isomorphic to G 2, then probability that Vic accepts is clearly 1.
Soundness: If G 1 is  isomorphic to G 2, then Peggy can deceive Vic if and only if she correctly
guesses n times the i Vic choosed randomly. Probability that this happens is 2 -n.
Observe  that Vic's computations can be performed in polynomial time (with respect to the size of
graphs).

31
Protocols to do seemingly impossible
INTERACTIVE PROOF SYSTEMS
An interactive proof protocol is said to be an interactive proof system for a secret/knowledge or a
decision problem P if the following properties are satisfied.
Assume that  Prover and Verifier posses an input x (or Prover has secret knowledge) and Prover
wants to convince Verifier that x has a certain properties and that Prover knows how to proof that
(or that Prover knows the secret).
(Knowledge) Completeness: If x is a yes-instance of P, or Peggy knows the secret, then Vic always
accepts Peggy's “proof'' for sure.
(Knowledge) Soundness: If x is a no-instance of P, or Peggy does not know the secret,  then Vic
accepts Peggy's “proof'' only with very small probability.
IV054
CHEATING
• If the Prover and the Verifier of an interactive proof system fully follow the protocol they are
called honest Prover and honest Verifier.
•
• A Prover who does not know secret or proof and tries to convince the Verifier is called cheating
Prover.
•
• A Verifier who does not follow the behaviour specified in the protocol is called a cheating
verifier.

32
Protocols to do seemingly impossible
Zero-knowledge proof protocols informally
Very informally An interactive “proof protocol’’ at which a Prover tries to convince a Verifier
about the truth of a statement, or about possession of a knowledge, is called “zero-knowledge”
protocol if the Verifier does not learn from communication anything more except that the statement
is true or that Prover has  knowledge (secret) she claims to have.
IV054
Example The proof n = 670592745 = 12345 ´ 54321 is not a zero-knowledge proof that n is not a
prime.
Informally A zero-knowledge proof is an interactive proof protocol that provides highly convincing
evidence that a statement is true or that Prover has certain knowledge (of a secret) and that
Prover knows a (standard) proof of it while providing not a single bit of information about the
proof (knowledge or secret). (In particular, Verifier who got convinced about the correctnes of a
statement cannot convince the third person about that.)
More formally A zero-knowledge proof of a theorem T is an interactive two party protocol, in which
Prover is able to convince Verifier who follows the same protocol, by the overhelming statistical
evidence, that T is true, if T is indeed true, but no Prover is not able to convince Verifier that
T is true, if this is not so. In additions, during interactions, Prover does not reveal to Verifier
any other information, except whether T is true or not. Consequently, whatever Verifier can do
after he gets convinced, he can do just believing that T is true.
Similar arguments hold for the case Prover posseses a secret.

33
Protocols to do seemingly impossible
AGE DIFFERENCE FINDING PROTOCOLS
Alice and Bob wants to find out who is older without disclosing any other information about their
age.
The following protocol is based on a public-key cryptosystem, in which it is  assumed that neither
Bob nor Alice are older than 100 years.
Protocol Age of Bob: j, age of Alice: i.
1. Bob choose a random x, computes k = e A(x) and sends Alice s = k - j.
IV054
2. Alice first computes the numbers y u = d A(s + u);1 Ł u Ł 100, then chooses a large random prime
p and computes numbers
z u = y u mod p, 1 Ł u Ł 100         (*)
and verifies that for all u ą v
       |z u - z v | ł 2 and z u ą 0       (**)
(If this it not the case, Alice choose a new p, repeats computations in (*) and checks (**) again.)
Finally, Alice sends Bob the following sequence (order is important).
z 1,…,z i,   z i+1 + 1,…,z 100 + 1,   p
z'1,…,z'i,   z'i+1,…,z'100
3. Bob checks whether j-th number in the above sequence is congruent to x modulo p. If yes, Bob
knows that i ł j, otherwise i < j.
i ł j Þ z'J = zJ ş yJ= dA(k) ş x (mod p)
i < j Þ z'J = zJ + 1 ş yJ = dA(k) ş x (mod p)

34
Protocols to do seemingly impossible
3-COLORABILITY of GRAPHS
With the following protocol Peggy can convince Vic that a particular graph G, known to both of
them, is 3-colorable and that Peggy knows such a coloring, without revealing to Vic any information
how such coloring looks.
1 red e 1  e 1(red) = y 1
2 green e 2  e 2(green) = y 2
3 blue e 3  e 3(blue) = y 3
4 red e 4  e 4(red) = y 4
5 blue e 5  e 5(blue) = y 5
6 green e 6  e 6(green) = y 6
(a) (b)
Protocol: Peggy colors the graph G = (V, E ) with colors (red, blue, green) and she performs with
Vic |E| 2- times the following interactions, where v 1,…,v n are nodes of V.
1. Peggy choose a random permutation of colors, recolors G, and encrypts, for i = 1,2,…,n, the
color c i of node v i by an encryption procedure e i - for each i different.
•
Peggy then removes colors from nodes, labels the i-th node of G with cryptotext y i = e i(c i), and
designs Table (b).
Peggy finally shows Vic the graph with nodes labeled by cryptotexts.
IV054
02
2. Vic chooses an edge and asks Peggy to show him coloring of the corresponding nodes.
3. Peggy shows Vic entries of the table corresponding to the nodes of the chosen edge.
4. Vic performs encryptions to verify that nodes really have colors as shown.

35
Protocols to do seemingly impossible
Zero-knowledge proofs and cryptographic protocols
The fact that for a big class of statements there are zero-knowledge proofs can be used to design
secure cryptographic protocols. (All languages in NP have zero-knowledge proofs.)
A cryptographic protocol can be seen as a set of interactive programs to be executed by
non-trusting parties.
Each party keeps secret a local input.
The protocol specifies the actions parties should take, depending on their local secrets and
previous messages exchanged.
The main problem in this setting is how can a party verify that the other parties have really
followed the protocol?
The way out: a party A can convince a party B that the transmitted message was completed according
to the protocol without revealing its secrets .
IV054
An idea how to design a reliable protocol
1. Design a protocol under the assumption that all parties follow the protocol.
2.
2. Transform protocol, using known methods how to make zero-knowledge proofs out of normal ones,
into a protocol in which communication is based on zero-knowledge proofs, preserves both
correctness and privacy  and works even if some parties display an adversary behavior.

36
Protocols to do seemingly impossible
Zero-knowledge proof for quadratic residua
Input: An integer n = pq, where  p, q are primes and x Î QR(n).
Protocol: Repeat lg n times the following steps:
1. Peggy chooses a random v Î Z n* and sends to Vic
y = v 2 mod n.
2. Vic sends to Peggy a random i Î {0,1}.
3. Peggy computes a square root u of x and sends to Vic
z = u iv mod n.
4. Vic checks whether
z 2 ş x i y mod n.
Vic accepts Peggy's proof that x is QR if he succeeds in  point 4 in each of lg n rounds.
IV054
Completeness is straightforward:
Soundness If x is not a quadratic residue, then Peggy can answer only one of two possible
challenges (only if i = 0), because in such a case y is a quadratic residue if and only if xy is
not a quadratic residue.This means that Peggy will be caught in any given round of the protocol
with probability 1/2 .
The overall probability that prover deceives Vic is therefore 2 -lg n = 1/n.

37
Protocols to do seemingly impossible
Zero-knowledge proof for graph isomorphism
Input: Two graphs G 1 and G 2 with the set of nodes {1,…,n }.
Repeat the following steps n times:
1. Peggy chooses a random permutation p of {1,…,n } and computes H to be the image of G 1 under the
permutation p, and sends H to Vic.
IV054
2. Vic chooses randomly i Î {1,2} and sends it to Peggy. {This way Vic asks for isomorphism between
H and G i.}
3. Peggy creates a permutation r of {1,…,n } such that r specifies isomorphism between H and G
i and Peggy sends r to Vic.
{If i =1 Peggy takes r = p; if i = 2 Peggy takes r = s o p, where s is a fixed isomorphic mapping
of nodes of G 2 to G 1.}
4. Vic checks whether H provides the  isomorphism between G i and H.
Vic accepts Peggy's “proof” if H is the image of G i in each of the n rounds.
Completeness. It is obvious that if G 1 and G 2 are isomorphic then Vic accepts with probability 1.
Soundness: If graphs G 1 and G 2 are not isomorphic, then Peggy can deceive Vic only if she is able
to guess in each round the i Vic chooses and then sends as H the graph G i. However, the
probability that this happens is 2 -n.
Observe that Vic can perform all computations in polynomial time.However, why is this proof a
zero-knowledge proof?

38
Protocols to do seemingly impossible
Why is the last “proof” a “zero-knowledge proof”?
Because  Vic gets convinced, by the overwhelming statistical evidence, that graphs G 1 and G 2 are
isomorphic, but he does not get any information (“knowledge”) that would help him to create
isomorphism between G 1 and G 2.
In each round of the proof Vic see isomorphism between H (a random isomorphic copy of G 1) and G
1 or G 2, (but not between both of them)!
However, Vic can create such random copies H of the graphs by himself and therefore it seems very
unlikely that this can help Vic to find an isomorphism between G 1 and G 2.
Information that Vic can receive during the protocol, called transcript, contains:
• The graphs G 1 and G 2.
• All messages i transmitted during communications by Peggy and Vic.
• Random numbers r used by Peggy and Vic to generate their outputs.
Transcript has therefore the form
T = ((G 1, G 2); (H 1, i 1, r 1),…,(H n, i n, r n)).
The essential point, which is the basis for the formal definition of zero-knowledge proof, is that
Vic can forge transcript, without participating in the interactive proof, that look like “real
transcripts”, if graphs are isomorphic, by means of the following forging algorithm called
simulator.
IV054

>

39
Protocols to do seemingly impossible
SIMULATOR
A simulator for the previous graph isomorphism protocol.
• T = (G 1, G 2),
• for j = 1 to n do
IV054
   - Chose randomly ii Î {1,2}.
   - Chose ri to be a random permutation of {1,…,n }.
   - Compute Hi to be the image of G iJ under rJ;
   - Concatenate (HJ, iJ,  rJ) at the end of T.

40
Protocols to do seemingly impossible
CONSEQUENCES and FORMAL DEFINITION
The fact that a simulator can forge transcripts has several important consequences.
• Anything Vic can compute using the information obtained from the transcript can be computed using
only a forged transcript and therefore participation in such a communication does not increase Vic
capability  to perform any computation.
• Participation in such a proof does not allow Vic to prove isomorphism of G 1 and G 2.
• Vic cannot convince someone else that G 1 and G 2 are isomorphic by showing the transcript
because it is indistinguishable from a forged one.
IV054
Formal definition what does it mean that a forged transcript “looks like'' a real one:
Definition Suppose that we have an interactive proof system for a decision problem P and a
polynomial time simulator S.
Denote by G(x) the set of all possible transcripts that could be produced during the interactive
proof communication for a yes-instance x.
Denote F(x) the set of all possible forged transcripts produced by the simulator  S.
For any transcript T Î G(x), let p G (T) denote the probability that T is the transcript produced
during the interactive proof. Similarly, for T Î F(x), let p F(T) denote the probability that T is
the  transcript produced by S.
G(x) = F(x) and, for any T Î G(x),  p G (T) = p F(T) , then we say that the interactive proof
system is a zero-knowledge proof system.

41
Protocols to do seemingly impossible
Proof for graph isomorphism protocol
Theorem The interactive proof system for Graph isomorphism is a perfect zero-knowledge proof if Vic
follows protocol.
Proof Let G 1 and G 2 be isomorphic. A transcript (real or forged) contains triplets (HJ, iJ, rJ).
The set R of such triplets contains 2n! elements (because each pair i, r uniquely determines H and
there are n! permutation r.
In each round of the simulator each triplet occurs with the same probability, that is all triplets
have probability
Let us now try to determine probability that a triplet (H, i, r) occurs at a j-th round of the
interactive proof.
i is clearly chosen with the same probability. Concerning r this is either randomly chosen
permutation p or a composition p with a fixed permutation. Hence all triplets (H, i, r) have the
same probability
The next question is whether the above graph isomorphism protocol is zero-knowledge also if Vic
does not follow fully the  protocol.
IV054

42
Protocols to do seemingly impossible
The case Vic does not follow protocol
It is usually much more difficult to show that an interactive proof system is zero-knowledge even
if Vic does not follow the protocol.
In the case of graph isomorphism protocol the only way Vic can deviate from the protocol is that i
he does not choose in a completely random way.
The way around this difficulty is to prove that, no matter how a “cheating” Vic deviates from the
protocol, there exists a polynomial-time simulator that will produce forged transcripts that “look
like” the transcript T of the communication produced by Peggy and (the cheating) Vic during the
interactive proof.
As before, the term “looks like'' is formalized by requiring that two probability distributions are
the same.
IV054
Definition Suppose that we have an interactive proof system for a decision problem P.
Let V* be any polynomial time probabilistic algorithm that a (possibly cheating) Verifier uses to
generate his challenges.

43
Protocols to do seemingly impossible
The case Vic does not follow protocol
Denote  by G(V*, x) the set of all possible transcripts that could be produced as a result of Peggy
and  V* carrying out the interactive proof with a yes-instance x of P.
Suppose that for every such V* there exists an expected polynomial time probabilistic algorithm S*
= S*(V*) (the simulator) which will produce a forged transcript.
Denote by F(V*, x) the set of possible forged transcripts.
For any transcript T Î G(V*, x), let p G,V*(T) denote the probability that T is the transcript
produced by V* taking part in the interactive proof.
Similarly, for T Î F(x), let p F,V* (T) denote the probability that T is the (forged) transcript
produced by S*.
If G(V*, x) = F(V*, x) and for any T Î G(V*, x), p F,V* (T) = p G,V*(T), then the interactive proof
system is said to be a perfect zero-knowledge protocol.
IV054

44
Protocols to do seemingly impossible
ADDITIONS

• It can be proved that the graph isomorphism protocol is zero-knowledge even in the case Vic
cheats.
IV054
• If, in an interactive proof system, the probability distributions specified by the protocols with
Vic and with simulator are the same, then we speak about perfect zero-knowledge proof system.
• If, in an interactive proof system, the probability distributions specified by the protocols with
Vic and with simulator are computationally indistinguishable in polynomial time , then we speak
about computationally zero-knowledge proof system.