Score:0

How to Run the Public Key Protocol for a Zero-Knowledge Proof of Identity?

vn flag

In the paper Zero-Knowledge Proofs of Identity (by Feige, Fiat, and Shamir) a ZK protocol is described that leverages quadratic residues. Section 3 describes an "Efficient Identification Scheme," but (to my understanding) the PK algorithm seems to be broken (in the "does not work" sense, not in terms of "poor security").

The key generation protocol is (steps 1-3 are quoted from the paper, using the same notation as the paper):

Setup: Let $n$ be a Blum integer (the product of two primes, $p$ and $q$, where both $p$ and $q$ are congruent to 3 mod 4). Let $Z_n$ denote the ring of residues under the mod operation.

  1. Choose $k$ random numbers $S_1, ..., S_k$ in $Z_n$.
  2. Choose each $I_j$ (randomly and independently) as $\pm 1 / S_j^2$ (mod n).
  3. Publish $I = I_1, ..., I_k$ and keep $S = S_1, ..., S_k$ secret.

Without the notation, to get the public key we need to compute the square of each secret $S_j$ and then find either the modular inverse of this square, or $(n-1)$ times the this inverse. (I.E. $S_j^2 \cdot I_j = 1 (\text{mod}n)$ or $S_j^2 \cdot I_j = -1 (\text{mod}n)$).

The issue is that in Step 2, $Z_n$ is not a field which means that $I_j$ is not guaranteed to exist. Namely, any $g \in Z_n$ will not have an inverse if either $p | g$ or $q | g$. For a very large $n$ this is unlikely to happen, but it's easy to prove that it always happens.

Proof of existence: without loss of generality, let $p < q$. Then $p^2 \in Z_n$. Because $\text{gcd}(p^2, n) = p > 1$, we see that $p^2$ has no inverse in $Z_n$.

Small example: when $n = 21$, none of the members of this set have an inverse in $Z_n$ $\{0, 3, 6, 7, 9, 12, 14, 15, 18\}$. Some of them are valid candidates to result in an impossible $I_j$ (as above, is $S_j = 3$ then $S^2_j = 9$).

What are you supposed to do if you get one of these "broken" numbers? Draw again? For large $n$ the probability is small (it's easy to compute the number of "broken" numbers in $Z_n$ as $1 + (p-1) + (q-1) = p+q-1$, which vanishes in $pq$ for large $p$ and $q$) but at least in test implementations with small $n$ (like $n = 21$) it breaks any code trying to get that inverse.

sa flag
TMM
Anything that breaks with probability 1/N is not really anything to worry about - running into such a number is as likely as guessing a random prime and finding that it factors N. So the protocol failing is about as likely as guessing the secret key through pure luck in one guess.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.