Zero-Knowledge Arguments and Public-Key ... - Semantic Scholar

Zero-Knowledge Arguments and Public-Key Cryptography1 Alfredo De Santis2

Giovanni Di Crescenzo 3

Giuseppe Persiano 4

This work has been partially supported by Ministero dell'Universita e della Ricerca Scienti ca e Tecnologica (M.U.R.S.T.) and by Consiglio Nazionale delle Ricerche (C.N.R.). 2 Dipartimento di Informatica ed Applicazioni { R.M. Capocelli, Universita di Salerno, 84081 Baronissi (SA), Italy. Part of this work was done while the author was visiting IBM Research Division, T. J. Watson Research Ctr, Yorktown Heights, NY 10598. 3 Dipartimento di Informatica ed Applicazioni { R.M. Capocelli, Universita di Salerno, 84081 Baronissi (SA), Italy. 4 Dipartimento di Matematica, Universita di Catania, Catania, Italy. Part of this work was done while the author was at Aiken Computation Laboratory, Harvard University, Cambridge, MA, USA supported by NSF grant # NSF-CCR-90-07677. Current address: Dipartimento di Informatica ed Applicazioni { R.M. Capocelli, Universita di Salerno, 84081 Baronissi (SA), Italy. 1

Running head: Zero-Knowledge Arguments for NP

Contact author for proofs:

Giuseppe Persiano Dipartimento di Informatica ed Appl. Universita di Salerno 84081 Baronissi (SA) ITALY e-mail: [email protected]

1

Abstract In this work we consider the Die-Hellman Public-key model in which an additional short random string is shared by all users. This, which we call Public-Key Public-Randomness (PKPR) model, is very powerful as we show that it supports simple non-interactive implementations of important cryptographic primitives. We give a non-interactive implementation of Oblivious Transfer in the PKPR model. Our implementation is secure against receivers with unlimited computational power. Building on this result, we show that all languages in NP have Perfect Zero-Knowledge Arguments in the PKPR model.

1 Introduction In Private-Key Cryptography interaction is an essential resource. If two parties want to communicate secretly, they have to meet and agree on a common secret key. The need to establish a common key, before any communication could take place, severely limits the usefulness of this paradigm. Nonetheless it had been considered necessary for any form of secret communication. The Public-Key model, introduced by Die and Hellman [23], suggests an elegant and ecient way to eliminate the need for preliminary secure interaction which is essential in Private-Key Cryptography. Each party A publishes in a public le his encryption key and keeps secret his decryption key. Once the public le has been established, each user can receive and send any number of encrypted messages on a public channel from and to any other user that has access to the public le. The security of this scheme rests upon the very natural assumption that only limited computational resources are available to each user and to a potential eavesdropper. The introduction of complexity-theoretic considerations in Cryptography caused much excitement and made possible protocols never thought of before. Most notably, the Oblivious Transfer protocol of Rabin (see [35]) and the Zero-Knowledge Proof System of [34] and [30]. Oblivious transfer is a protocol for two parties called the sender, who has a bit b, and the receiver. At the end of the protocol either the receiver learns the bit b or he gains no information about b, with each of the two possibilities being equally probable. On his part, the sender has no information about which of the two events has occurred. Surprisingly, oblivious transfer is sucient for more complex and sophisticated cryptographic protocols such as secret key exchange and secure circuit evaluation [37]. A zero-knowledge proof is a two-party protocol, too. Here, a non trusted prover wants to convince a veri er of the validity of a certain input statement without releasing any additional knowledge. It has been proved that all NP statements can be proven in a zero-knowledge fashion. The need of reducing the communication complexity of basic cryptographic primitives has lately emerged as a major research area. In fact, all of the new protocols made possible by the complexity-based approach to Cryptography have been implemented relying heavily on the possibility of communication between the parties involved. This is somewhat in contrast with the main motivation of the introduction of Complexity into Cryptography as a mean to reduce communication in the basic primitive of secure message-sending. Oblivious Transfer and Zero Knowledge have enjoyed dierent fortunes in this respect. In fact, recently, the study of models where non-interactive zero-knowledge proofs are possible has received much attention (see, e.g. [7] and [8]) while the same cannot be said for Oblivious Transfer. Bellare and Micali [2] have been the only ones to consider a non-interactive implementation of Oblivious Transfer in a public-key setting. They propose an implementation of Oblivious Transfer based on the discrete log assumption that is secure with respect to an all-powerful sender and a probabilistic polynomial-time receiver. In this paper we give the dual result based on a dierent complexity assumption. Before going any further a distinction is in order. In the design of zero-knowledge proofs, we have to take into account that both the prover and the veri er might deviate from the assigned protocol. A 1

dishonest prover might try to cheat the veri er into accepting a false statement; while a dishonest veri er might try to gain more knowledge than the mere fact that the statement in question is true. Dierent

avors of zero-knowledge are obtained depending on the computational power that dishonest parties are given. A computational zero-knowledge proof is secure against an in nitely powerful dishonest prover and is zero-knowledge with respect to polynomial-time veri ers. In other words, no prover (no matter how powerful) can convince the veri er with non negligible probability that a false statement is true while the proof may not be secure if the veri er is not restricted to probabilistic polynomial-time. For example, in the zero-knowledge proof for 3COL of [30], a veri er that is able to invert the speci c one-way function employed by the prover can compute the 3-coloring used in the proof. On the other hand, a statistical zero-knowledge proof is secure against an in nitely powerful veri er. Unfortunately, no statistical zero-knowledge proof for an NP-complete language is known and there is strong evidence suggesting that NP-complete languages do not possess statistical zero-knowledge proofs [28, 9]. A zero-knowledge argument [11] is a protocol secure only against provers bounded to probabilistic polynomial-time computations. That is, a prover with enough power could cheat the veri er. But what do we gain in doing this? Surprisingly, it turns out that all NP languages have interactive statistical zero-knowledge arguments [11]; that is, we are able to trade the prover's increased safety by decreasing the veri er's security. Despite the fact that the soundness is guaranteed only with respect to probabilistic polynomial-time provers, arguments can be used in cryptographic applications as in this case all parties are probabilistic polynomial-time machines and thus we don't have to worry against all-powerful adversaries. Another important practical aspect of the notion of argument is the following. Both for proofs and arguments if the computational assumption on which they are based turns out to be ill-founded the corresponding party can cheat the other (either get more knowledge or convince the other of a false theorem). However, while for proofs this attack can be carried o-line, for arguments it has to be performed on-line. That is, in an argument, a prover can cheat the veri er only if it breaks the computational assumption before or during the protocol and not after. Instead, the attack to extract more knowledge from a computational zero-knowledge proof can be performed even after the proof has been completed. Until now, the study of non-interactive zero-knowledge has almost exclusively considered computational zero-knowledge proofs for NP (see [7, 26, 19]). Damgard [17] gave a potential solution based on the discrete log assumption to the problem of constructing statistical zero-knowledge arguments in the shared-string model for an NP-complete language. The soundness of the proposed construction is based on the existence of \suciently random-looking" hash functions. No construction of these functions based on a natural complexity assumption is known. A protocol for statistical zero-knowledge argument for NP requiring a constant number of rounds is due to Brassard, Crepeau, and Yung [13].

Summary of the results. We consider the Die-Hellman model in which a short random string is shared

by all users. We call this model the Public-Key Public-Randomness Model (PKPR Model). The set up of the PKPR Model does not require any preprocessing stage: each user chooses and validates by himself 2

his own public and private keys without interacting with the other users. That is, no trusted center or distributed fault-tolerant computation (in the sense of [31, 3, 15]) is ever invoked to protect against possible \cheating" by users who select their own public keys. Even though interaction is never allowed, the PKPR Model is very powerful as we show that important cryptographic primitives have simple non-interactive implementations in this model. The PKPR model is inspired by the model presented in [2]. We give a completely non-interactive implementation of Oblivious Transfer in the PKPR model. This is the rst non-interactive implementation of Oblivious Transfer that does not require a trusted center or some distributed fault-tolerant computation and is secure against receivers with unlimited computing power. Our implementation is essentially optimal. Indeed, a result of Ostrovsky and Yung [40] shows that it is not possible to achieve a non-interactive Oblivious Transfer from scratch. We give the rst implementation of non-interactive nature for Perfect Zero-Knowledge Arguments for all NP-languages. Our result uses our non-interactive implementation of Oblivious Transfer. However, we would like to point out at this point that, for some subtle technical reasons, the simple replacing of interaction with Oblivious Transfer does not work in this context. Indeed some extra non trivial ideas are needed in order to obtain zero-knowledge arguments. Unlike previous implementations of non-interactive statistical zero knowledge with a common random string, our implementation is very simple and, most notably, allows any number of provers to be active. No statistical zero-knowledge proof with this property is known (not even the ones for speci c number-theoretic languages of [7]). Our results are based on the well known and widely used Quadratic Residuosity Assumption, and they demonstrate the added value of short Public Randomness in the context of Public-Key Cryptography.

2 Background and Notations 2.1 Basic de nitions. We denote by N the set of natural numbers. If n 2 N, by 1n we denote the concatenation of n 1's. We identify a binary string  with the integer x whose binary representation (with possible leading zeroes) is . By the expression jxj we denote the length of x if x is a string, the length of the binary string representing x if x is an integer, or the absolute value of x if x is a real number. By the expression x  y we denote the concatenation of x and y, if x and y are strings, or the composition of x and y, if they are permutations. We say that a function f(
) is negligible if for all constants c there exists an integer nc such that for all integers n > nc it holds that f(n) < n?c .

Algorithms and probability spaces. An algorithm is a Turing machine. An ecient algorithm is a

probabilistic Turing machine running in expected polynomial time. A sequence of probabilistic Turing machines fTn gnN is an ecient non-uniform algorithm if there exists a positive constant c such that, for all suciently large n, Tn halts in expected nc steps and the size of its program is at most nc . 3

If A(
) is a probabilistic algorithm, then for any input x, the notation A(x) refers to the probability space that assigns to the string  the probability that A, on input x, outputs . Instead, the notation A(c; x) refers to the output of A when run on input x and using c as coin tosses. If S is a probability space, then \x S" denotes the algorithm which assigns to x an element randomly selected according to S. If F is a nite set, then the notation \x F" denotes the algorithm which assigns to x an element selected according to the probability space whose sample space is F and uniform probability distribution on the sample points. If S is a probability space over strings, then by PrS () we denote the probability assigned by S to the string . If p(
;
;


) is a predicate, the notation Pr(x S; y T; ::: : p(x; y;


)) denotes the probability that p(x; y;


) will be true after the ordered execution of the algorithms x S; y T; :::. The notation fx S; y T;


: (x; y;


)g denotes the probability space over f(x; y;


)g generated by the ordered execution of the algorithms x S; y T;


.

2.2 Number Theory By Zx we denote the multiplicative group of the positive integers less than x and relatively prime to x. An element y 2 Zx is a quadratic residue modulo x i there is a w 2 Zx such that w2  y mod x. If this is not the case we call y a quadratic non residue modulo x. We de ne the quadratic residuosity predicate as  0 if y is a quadratic residue modulo x and QRx (y) = 1 otherwise. For p prime, the problem of deciding quadratic residuosity coincides with the problem of computing the Legendre symbol. In fact, for p prime and y 2 Zp , the Legendre symbol (yjp) of y modulo p is de ned as  +1 if y is a quadratic residue modulo p and (yjp) = ?1 otherwise; and can be computed in polynomial time by using Euler's criterion. Namely, (yjp)  y(p?1)=2 mod p: Euler's criterion and the following fact give an ecient algorithm for deciding quadratic residuosity modulo integers of known factorization. Fact 1. (see for instance [39]) y is a quadratic residue modulo x if and only if y is a quadratic residue modulo each of the prime divisors of x. In case the factorization is not known, some hints about the quadratic residuosity can be given by the Jacobi symbol de ned as (yjx) = ki=1 (yjpi )hi ; where x = ki=1 phi i and the pi's are prime and the hi 's are positive integers. Surprisingly, the Jacobi symbol can be computed in polynomial time even if the factorization of x is not given. 4

Now, if (yjx) = ?1, then y is certainly a quadratic non residue modulo x. However, no ecient algorithm is known for deciding quadratic residuosity if the Jacobi symbol is +1. In this case, the fastest way known consists of rst factoring x and then compute QRx (y). We use it in this paper with respect to the following special moduli. We denote by Zx+1 the set of integers y 2 Zx such that (yjx) = +1 and by QRx and NQR x the sets of quadratic residues modulo x and quadratic non residues modulo x with Jacobi symbol +1.

Blum integers. An integer x is a Blum integer if and only if x = pk qk , where p and q are dierent primes both  3 mod 4 and k1 and k2 are odd integers. By BL we denote the set of Blum integers and by 1

2

BL(n) the subset of Blum integers product of two primes (i.e., k1 = k2 = 1) congruent to 3 modulo 4 both of length n. Blum integers were introduced in Cryptography by [4]. There exists an ecient algorithm that, on input 1n, outputs the factorization of a randomly selected x 2 BL(n). The algorithm randomly generates integers of length n congruent to 3 mod 4 until two primes are found (the primality is tested using the algorithm of Adleman and Huang [1]) and x is set equal to their product. By the density of primes congruent to 3 mod 4 (de la Valle Poussin's extension of the prime number theorem [41]), the expected number of integers of length n tested until two primes congruent to 3 mod 4 are found is polynomial in n. Fact 2. Let x be a Blum integer and let y1 ; y2 2 Zx . Then, QRx(y1 y2 mod x) = QRx (y1 )  QRx(y2 ); where  denotes the logical exclusive or. Moreover, if x is a Blum integer, ?1 is a quadratic non residue with Jacobi symbol +1 modulo x. This property makes the selection of a random element of NQRx very easy: just pick r 2 Zx at random and output ?r2 mod x. The class of Blum integers product of two primes of the same length constitutes the hardest input for any known ecient factoring algorithm and this justi es the following

Quadratic Residuosity Assumption (QRA): For each ecient non uniform algorithm Q = fQng, all constants d, and all suciently large n, 



Pr x BL(n); y Zx+1 : Qn (x; y) = QRx (y) < 1=2 + n?d : That is, no ecient algorithm can guess the value of the quadratic residuosity predicate substantially better than by random guessing. This assumption has been used for the rst time by [33] and is now widely used in Cryptography. For instance, the proof system for 3SAT of [7] is based on it.

An encryption scheme based on quadratic residuosity. In their seminal paper [33], Goldwasser

and Micali introduced a public-key encryption scheme whose security is based on the quadratic residuosity assumption. The public key of user B contains a random integer xB product of two primes of the same length and yB , a quadratic non residue modulo xB with Jacobi symbol +1. B's secret key consists of the 5

prime factors of xB . To secretly send B an l-bit message m = m1


ml , a user A encrypts each bit mi by computing ci = yBmi ri2 mod xB , where ri is a randomly chosen element of ZxB . It is easily seen that ci is a quadratic residue if and only if mi = 0. This observation gives a very simple decryption algorithm: compute the quadratic residuosity of the ci 's he has received (this can be done in polynomial-time as xB 's factorization is known to B). What makes decryption possible in this scheme is the fact that yB is a quadratic non residue. In fact, should yB be a quadratic residue, then, independently of the value of mi , each ci is a randomly chosen quadratic residue, and therefore B has absolutely no information to recover the bits mi 's. This property will be used in the construction of our Oblivious Transfer protocol. In what follows, we will denote by GM E(x; y; m) the algorithm that returns a random encryption of m computed using the pair (x; y) and by GM D(p; q; c) the algorithm that returns the decryption of the ciphertext c computed using x's prime factors p and q.

3 Oblivious Transfer Oblivious Transfer has been introduced by Rabin (see [35]), who gave an implementation (for honest players) based on the diculty of factoring. Oblivious Transfer is a protocol for two parties: the Sender who has a string s, and the Receiver. Each of the following two events is equally likely to occur at the end of the protocol.  The Receiver learns the string s.  The Receiver does not get any information about s. Moreover, at the end of the protocol, the Sender does not know whether the Receiver got s or not. The wide applicability of the Oblivious Transfer was recognized since the early days of modern Cryptography; the paper by Blum [5] is an example of how Oblivious Transfer can be used to implement several other protocols. A dierent avor of Oblivious Transfer, the 1-out-of-2 Oblivious Transfer was later introduced by Even, Goldreich, and Lempel [24]. Here, the sender has two strings s0 and s1 . Each of the following two events is equally likely to occur at the end of a 1-out-of-2 Oblivious Transfer:  The Receiver learns the string s0 , and does not get any information about s1 .  The Receiver learns the string s1 , and does not get any information about s0 . The sender has no information on which string the receiver gets. It is clear that 1-out-of-2 Oblivious Transfer can be used to implement an Oblivious Transfer. Crepeau [16] established their equivalence in the interactive setting. In this paper we will consider the 1-out-of-2 Oblivious Transfer and will denote the 1-out-of-2 Oblivious Transfer by OT. The rest of this section is organized as follows. In Section 3.1 we formally de ne what we mean by PKPR Oblivious Transfer and in Section 3.2 we give an implementation of PKPR Oblivious Transfer based on the Quadratic Residuosity Assumption.

6

3.1 PKPR Oblivious Transfer. A PKPR Oblivious Transfer (PKPR OT, in short) is a quadruple of algorithms (Key Generator, Verify, Send, Receive). We call A and B the sender and the receiver, respectively, and assume the existence of a random string  that can be read by both parties. The mechanics of a PKPR OT is the following. B constructs two channels Ch0; Ch1, a validation Val and a secret key Key using algorithm Key Generator and publishes Ch0 ; Ch1; Val. Also, Key Generator returns a bit b that denotes which of the two channels is open (see the meaningfulness condition in the de nition below). We will refer to a pair of channels along with its validation as a public le for OT. Now, suppose that A has two strings (s0 ; s1 ) that he wants to obliviously transfer to B. First, A veri es B's public le by checking that Verify(; Ch0; Ch1 ; Val)=VALID. If the public le has been constructed by Key Generator, then this test is passed with very high probability (see the veri ability condition below). Then A computes and sends B the two messages msg 0 = Send(Ch0; s0 ) and msg 1 = Send(Ch1 ; s1). To retrieve one of the two strings, B computes Receive(Key; msg b ) (see the meaningfulness condition below). Moreover, there is no way for B to construct a public le that has a non negligible probability of being declared valid by Verify and that allows B to obtain information on both strings sent by A (see the 1-out-of-2 condition below). On the other hand, A has no way of guessing better than at random which of the two channels is open (see the obliviousness condition below). De nition 1. A PKPR OT is a quadruple of algorithms (Key Generator, Verify, Send, Receive), where Key Generator and Send are ecient and Verify and Receive are deterministic polynomial time, such that 1. Meaningfulness. For all constants c; d, all suciently large n, and all strings s0 ; s1 2 f0; 1gnc , 

Pr  f0; 1gn;(Ch0; Ch1; Key; Val; b) Key Generator();



msg0 Send(Ch0 ; s0 ); msg1 Send(Ch1 ; s1); b Receive(Key; msgb ) : b = sb > 1 ? n?d :

2. Veri ability. For all constants d > 0 and all suciently large n, 



Pr  f0; 1gn; (Ch0; Ch1; Key; Val; b) Key Generator() : Verify(; Ch0; Ch1; Val) = VALID > 1?n?d : 3. 1-out-of-2. For all algorithms Receive0 and Key Generator0, all constants c and d, all suciently large n, and all strings s0 ; s1 ; s2; s3 2 f0; 1gnc such that s0 6= s1 and s2 6= s3 , 

Pr  f0; 1gn; r0 fs0; s1 g; r1 fs2; s3g; (Ch0; Ch1; Val) Key Generator0();

msg0 Send(Ch0 ; r0); msg1 Send(Ch1; r1); (t0 ; t1)  Receive0(msg0; msg1; Ch0; Ch1; ) : Verify(; Ch0; Ch1; Val) = VALID ^ (t0; t1) = (r0; r1)  1=2 + n?d :

4. Obliviousness. For all ecient algorithms Adv, all constants d, and all suciently large n,

Pr( f0; 1gn; (Ch0; Ch1; Key; Val; b) Key Generator(); ~b Adv(; Ch0 ; Ch1; V al) : ~b = b) < 1=2+n?d : Remark. The 1-out-of-2 condition is inspired by the notion of security of [33]. Here, we do not let

Key Generator0 and Receive0 receive the strings s0 ; s1 ; s2; s3 as inputs. However, as Key Generator0 and

7

Receive0 are in nitely powerful and since we quantify over all algorithms, this is without loss of generality. Similarly, the algorithm Key Generator0 does not give any Key in output, as the algorithm Receive0 can be

in nitely powerful and thus compute Key by himself. Also notice that the strings s0 ; s1 ; s2; s3 are chosen independently from the random string . A stronger condition is obtained by letting an adversary choose the strings s0 ; s1 ; s2; s3 after seeing the string . We remark that our proposed solution satis es also this more stringent requirement.

3.2 Implementing Oblivious Transfer in the PKPR Model. We show how to implement a (non-interactive) Oblivious Transfer in the PKPR setting. For our construction we need a non-interactive perfect zero-knowledge proof system for a particular number-theoretic language. In [7] a non-interactive perfect zero-knowledge proof system for quadratic non residuosity modulo Regular (2) integers was given. An integer is Regular (2) if it has exactly two distinct odd prime divisors and is not a perfect square (see [7]). Combining this proof system with the one for the language of Blum integers presented in [18], we can construct a non-interactive perfect zero-knowledge proof system (A,B) for the language of pairs (x; y), where x is a Blum integer and y is a quadratic non residue modulo x. (A,B) for moduli of length n needs a reference string of n3 bits. Moreover, the program of the prover A can be performed in probabilistic polynomial time provided that x's factorization is available. The proof is obtained in a direct manner, that is without making use of reduction to 3SAT and, most importantly, the same string  can be used by any number of users to certify their own public-key entry. Following are the formal descriptions of the Key Generator algorithm and the Verify algorithm needed to initialize the public le and the Send and Receive algorithms to actually perform the OT.

Algorithm Key Generator() Input: An n3-bit reference string . 1. Construct channels and secret key. Randomly select two n-bit primes p; q  3 mod 4 and set x = pq. Randomly select z 2 Zx+1 and y 2 NQRx . 2. Construct validation. Run the algorithm A on input (x; y) using the reference string  and obtaining Proof as output. 3. Set Ch0 = (x; zy mod x), Ch1 = (x; z), Val = (Proof ; y), Key = (p; q), and b = QRx (z).

Output:(Ch0; Ch1; Key; Val; b).

8

Algorithm Verify(; Ch0; Ch1; Val) Input: An n3 -bit reference string  and a public key consisting of two channels Ch0 = (x0 ; v0), Ch1 = (x1 ; v1) and a validation Val = (y; Proof ). 1. Verify that x0 = x1, that v0 = v1y mod x0 and that y; v0 2 Zx+1 . 2. Run the algorithm B on input (x0; y), the reference string , and the string Proof . 0

Output: If all checks are successfully passed then output VALID else NONVALID.

Algorithm Send(Ch; s) Input: A channel Ch = (x; v) and a binary string s. Output: msg = GM E(x; v; s).

Algorithm Receive(Key; msg ) Input: A key Key = (p; q) and a message msg . Output: s =GM D(msg ; p; q).

Theorem 1. Under the QRA, the above quadruple of algorithms (Key Generator, Verify, Send, Receive) is a PKPR Oblivious Transfer.

Proof: First of all, the above algorithms run in polynomial time. Notice that, in the algorithms Key Generator and Receive, x's factorization is known.

Now we prove that properties 1-4 of a PKPR Oblivious Transfer also hold. Meaningfulness. Now, as y is a quadratic non residue then, by Fact 2, exactly one of z and zy mod x is a quadratic non residue and thus, by the properties of the encryption scheme, the corresponding string si will be read by the receiver. Veri ability. If the channels are constructed by Key Generator, then x is a Blum integer, z has Jacobi symbol +1 modulo x and y is a quadratic non residue modulo x. Thus it follows from the completeness of (A,B) that Verify will output VALID with overwhelming probability. 1-out-of-2. Suppose that there exists an algorithm that violates the 1-out-of-2 condition. Two cases need to be considered. If y is a quadratic non residue modulo x and x is a Blum integer, then, by Fact 2, one of z and zy is a quadratic residue modulo x. Thus, for the properties of the encryption scheme GM E, no information about the string encrypted with a quadratic residue can be obtained from its encryption. 9

Suppose now that y is a quadratic residue modulo x or that x is not a Blum integer. In this case, for the soundness of the proof system (A,B), it follows that with very high probability the algorithm Verify will output NONVALID. Obliviousness. We prove that the existence of an ecient algorithm Adv which, for some d > 0 and in nitely many n, violates the obliviousness condition contradicts the QRA. As (A,B) is a non-interactive perfect zero-knowledge proof system, there exists an ecient simulator algorithm S for (A,B). On input a pair (x; y), where x is a Blum integer and y is a quadratic non residue modulo x, S generates a pair (,Proof) where  is a random string of n3 bits and Proof has the same distribution of A's output on input  and (x; y). We exhibit an algorithm Q(
;
) that decides quadratic residuosity using Adv and S as subroutines. Algorithm Q(x; z). Input: x 2 BL(n); z 2 Zx+1

Construct Channels and Validation Randomly choose y in NQRx .

Run algorithm S on input (x; y) obtaining as output a pair (; Proof ). Set Ch0 = (x; zy mod x), Ch1 = (x; z) and Val = (Proof ; y), b = Adv(; Ch0; Ch1; Val). Output: b. Let us now compute Pr(x BL(n); z Zx+1 :Q(x; z)=QRx (z)). Suppose that QRx(z) = 1. Then, any string sent using Ch1 will be received; that is b = 1. As Adv guesses b with probability at least 1=2 + n?d , in this case Q is successful with the same probability. The same reasoning applies to the case QRx (z) = 0. Therefore, for in nitely many n,

Pr(x BL(n); z Zx+1 : Q(x; z) = QRx (z))  1=2 + n?d that contradicts the Quadratic Residuosity Assumption.

Dependent Oblivious Transfers.

The same pair of channels Ch0 ; Ch1 can be used to perform many OT's. However, these OT's will not be independent as the outcome of one of them determines the outcome of all of them. This is useful when we want that only one of two strings is received and not even one single bit of the other is leaked. If j independent OT's are desired, it is enough to have j independently chosen zB 2 Zx+1 in B's public key. B The problem of obtaining j independent OT's using the same public key (whose size does not depend on j) has its own interest and is currently open (see also the Extensions and Open Problems section at the end).

General Oblivious Transfer. 10

It is possible to generalize 1-out-of-2 OT to k-out-of-m OT. This is a protocol where A transfers to B k out of m strings s0 ; s1 ; :::; sm?1, in such a way that (1) B gets no information on the other m ? k strings, and (2) A does not know which k strings B received. Our protocol can be easily modi ed to implement a k-out-of-m OT. User B randomly chooses a Blum integer x, and z0 ;


; zm?1 2 Zx+1 , such that exactly k integers zi out of m are quadratic non residues. Then, B writes in his public le (x; z0 ;


; zm?1 ; ValB ), where Val is a proof that x is a Blum integer and that exactly k integers zi are quadratic non residues modulo x and keeps secret x's factorization. The proof Val can be given in Non-Interactive Perfect Zero Knowledge using the proof system for the language T(k; m) of tuples (x; z0;


; zm?1 ) such that x is a Blum integer and at least k si 's are quadratic non residues of [18]. To prove that exactly k of z0 ;


; zm?1 are quadratic non residues it is enough to prove that the tuple (x; z0;


; zm?1 ) belongs to T(k; m) and that the tuple (x; ?z0;


; ?zm?1 ) belongs to T(m ? k; m). To k-out-of-m obliviously transfer s0 ; s1 ; :::; sm?1, user A computes and sends B a random permutation  of them, and the encryptions GM E(x; zi ; s(i) ), i = 0; :::; m ? 1. Notice that if A does not permute the si 's, then we have a protocol for k-out-m disclosure in which the receiver \secretly" chooses which k-out-of-m secrets he will receive (de ned in [12]).

4 Zero-Knowledge Arguments in the PKPR model In this section, we formally de ne the concept of a PKPR Statistical Zero-Knowledge Argument. In the next section we show that PKPR Statistical Zero-Knowledge Arguments for all NP languages are possible under the Quadratic Residuosity Assumption. We start by describing the computational model for the prover and the veri er. We model the prover by a probabilistic polynomial-time Turing machine, Prover, with six tapes: a readonly input tape, a read-only auxiliary tape, a read-only reference tape, a read-only communication tape, a write-only communication tape, and a read/write work tape. By saying Proof Prover(; PK; x; w), we mean that the machine Prover, reading  on the reference tape, PK on the read-only communication tape, x on the input tape, and w on the auxiliary tape, writes Proof on the write-only communication tape. We model the veri er, Verifier, as a pair of algorithms (Verifier1 ,Verifier2 ). Verifier1 is a probabilistic Turing machine with four tapes: a read-only reference tape, a write-only communication tape, a write-only private key tape, and a read/write work tape. Verifier2 is a deterministic Turing machine with six tapes: a read-only reference tape, a read-only input tape, a read-only communication tape, a read-only private key tape, a write-only output tape, and a read/write work tape. By saying (PK,SK) Verifier1 () we mean that the machine Verifier1, after running with  on the reference tape, writes PK on the communication tape and (PK,SK) on the private key tape. Verifier2 (; x; Proof ; PK; SK) denotes the output of Verifier2 when given  on the reference tape, x on the input tape, (PK,SK) on the private key tape, and Proof on the communication tape. (Prover,Verifier) constitutes a PKPR pair if Prover, Verifier1 and Verifier2 share the reference tape; Prover and Verifier2 share the input tape; Prover's read-only communication tape is 11

Verifier1's write-only communication tape; Prover's write-only communication tape is Verifier2's read-only communication tape; and Verifier1 and Verifier2 share the private key tape. The interaction of a PKPR pair can be divided in two phases. In the rst phase, Verifier1 uses the

string  of the reference tape to compute his public and secret keys (PK,SK) and writes PK on his public communication tape and (PK,SK) on the private key tape. In the second phase, a pair (x; w) is selected, x is written on Prover's public input tape and w on Prover's auxiliary tape. Prover rst checks that PK (which has been written on his read-only communication tape by Verifier1 ) has been constructed properly and then writes a message Proof on his public communication tape. Algorithm Verifier2 reads Proof from his communication tape, x from his public input tape, and (PK,SK) from his private communication tape and computes its output. Before proceeding any further we recall the de nition of NP. De nition 2. A language L belongs to the class NP i there exists a constant c and a polynomial-time predicate RL such that x 2 L , 9w such that jwj  jxjc and RL (x; w) = 1:

For L 2 NP, the set WITL is de ned as the set of all the pairs (x; w) such that RL (x; w) = 1 and jwj  jxjc. Moreover, if (x; w) 2 WITL then we say that w is a witness for x. Next we formalize the concept of a PKPR Statistical Zero-Knowledge Argument. Informally, a PKPR pair is a PKPR Statistical Zero-Knowledge Argument for a language L if whenever x 2 L is given on the input tape and a witness w for x is provided on the auxiliary tape to the prover, then the veri er accepts with very high probability. On the other hand, if x 62 L then, regardless of the content of the auxiliary tape, no ecient prover can make the veri er accept with some non-negligible probability. Moreover, everything that the veri er sees can be reproduced by an ecient simulator S that can use Verifier as a subroutine. De nition 3. A PKPR pair (Prover, Verifier) is a PKPR Statistical Zero-Knowledge Argument for the language L if there exists a constant a such that 1. Completeness. For all (x; w) 2 WITL, for all constants d and all suciently long x, ?

Pr  f0; 1gjxja; (PK; SK) Verifier1 (); Proof Prover(; PK; x; w) : Verifier2 (; x; Proof ; PK; SK) = 1) > 1 ? jxj?d: 2. Soundness. For all ecient non-uniform algorithms Adv= fAdvn gn2N such that Advn on input a reference string  of length na and a public key PK outputs pairs (x; Proof ), with x 62 L and jxj = n,

Pr? f0; 1gna; (PK; SK) Verifier1(); (x; Proof ) Advn (; PK) : Verifier2 (; x; Proof ; PK; SK) = 1) < 2=3:

12

3. Statistical Zero Knowledge. Let V (
;
) be any probabilistic polynomial-time algorithm and d be any constant such that V stops after at most nd steps whenever its second input is of length n. Then, there exists a pair of ecient algorithms SV = (S0 ; S1 ) such that, for all constants d and all suciently long (x; w) 2 WIT ; L

X

2f0;1g





PrSV (x) () ? PrView V (x;w)() < jxj?d ;

where View V (x; w) and SV (x) denote the probability distributions View V (x; w) = f f0; 1gjxja; R f0; 1gjxjd; (PK; SK) V (R; ; x); Proof

Prover(; PK; x; w) : (R; ; PK; Proof )g

and SV (x) = f(; aux ) S0(1jxj ); R f0; 1gjxjd ; (PK; SK) V (R; ; x); Proof S1(; aux ; PK; x) : (R; ; PK; Proof )g: Notice that in soundness we require the probability of cheating to be smaller than 2=3. If a smaller probability of cheating is desired then the proof can be repeated using independently constructed public les. In the zero knowledge condition we let the view of the veri er include also his own random coin tosses. The stronger notion of perfect zero knowledge is obtained by requiring that the two probability distributions SV (x) and View V (x; w) are equal for all (x; w) 2 WITL .

5 Zero-Knowledge Arguments for all NP languages in the PKPR model In this section we show how to obtain PKPR Statistical Zero-Knowledge Arguments for all NP languages. For our construction we need a bit commitment scheme and a non-interactive zero-knowledge proof of knowledge that work also in the PKPR model.

Bit Commitment in the PKPR Model.

A bit-commitment protocol is a fundamental 2-party cryptographic protocol. It allows one party A to commit to a bit b by computing a commitment COM. Later, A can decommit the bit b by giving a decommitment key DEC. Any other party B that reads the string COM can not successfully guess b with probability better than 1=2. However, after receiving DEC and b, B can verify that b is the bit A has originally committed to. If B is restricted to be ecient, a bit commitment scheme can be implemented as follows: A chooses a secure encryption scheme (in the sense of [33]) and commits to a bit by encrypting it. To decommit b, A simply shows the random bits used for the encryption. 13

For our construction we actually need a bit-commitment scheme in which no limits are imposed on B's computing power. Thus the above would not work as B might be able to break the encryption. Instead, we use the unconditionally secure blobs of [10] for the commitment of A to B. B publishes in his public le a random integer xB 2 BL(n), sB a random quadratic residue modulo xB , and a non-interactive zeroknowledge proof that xB and sB are of the prescribed form (this is computed using the proof system of [18]). To commit to a bit b, A performs the procedure: (1) randomly select r 2 ZxB ; (2) compute u = sBb r2 mod xB . The commitment COM consists of u. If A wants to decommit the bit b committed by u, he reveals DEC=r that must be a square root of usB?b mod xB . It is clear that B, by just looking at u, cannot gure out whether A knows a root of u or usB?1 mod xB . On the other hand, if A could compute a square root of both u and usB?1 mod xB (so to decommit COM both as a 0 and as a 1) then he could compute a square root of sB as well. This implies that A can extract square roots of random squares and thus he can decide quadratic residuosity. Notice that the same pair (xB ; sB ) can be used to perform any number of bit commitments to B. Thus, we can commit to a string by committing to each bit individually. In what follows, we denote by BC the algorithm that commits to a bit. More precisely, BC receives as input a bit b, a Blum integer x, and s, a quadratic residue modulo x, and returns the pair (r; u) of decommitment and commitment keys. Instead, by VC we denote the algorithm that veri es the validity of a decommitment. That is, VC receives as input (x; s; u; r; b) and outputs 1 if and only if sb r2 = u mod x.

Non-Interactive Zero-Knowledge Proofs of Knowledge.

A Zero-Knowledge Proof of Knowledge is a protocol between two polynomial-time parties, a prover and a veri er. The prover wants to convince the veri er in zero knowledge that he knows the proof of a given theorem. This is dierent from Zero-Knowledge Proofs of Membership in which the prover convinces the veri er that the theorem holds. The concept of Zero-Knowledge Proofs of Knowledge has been informally introduced in [27] and [34] and then formalized in [25] for the interactive model, and in [21] for the noninteractive shared-string model of [7]. Moreover, [21] also proved that if public-key cryptosystems of a particular kind exist then all NP languages have non-interactive zero-knowledge proofs of knowledge in the shared-string model.

PKPR Statistical Zero-Knowledge Arguments for Hamiltonian Graphs. We give a PKPR Statistical Zero-Knowledge Argument (Prover ,Verifier) for the language HAM of Hamiltonian graphs. The graph G is Hamiltonian if it contains a Hamiltonian cycle, that is, a permutation  = h(1);


; (n)i of the vertices such that, f1; ng and fi; i+1g, for 1  i  n ? 1, are edges of G. Since HAM is NP-complete (see [29]), we obtain PKPR Statistical Zero-Knowledge Arguments for all languages in NP.

The basic idea.

Our construction is based on the oblivious transfer of the previous section and the bit commitment described above. The intuitive idea is to replace the interaction in an interactive zero-knowledge proof system with oblivious transfer (this technique has been used by [38]). More precisely, we consider the proof system of 14

Blum for Hamiltonian graphs [6]. Here, the prover commits to an isomorphic copy of the input graph and the veri er can choose between two challenges: either asks to open the commitment and thus verify that it is indeed an isomorphic copy of the input graph; or asks to show a Hamiltonian cycle in the committed graph by opening the commitments relative to the edges in the cycle. Such a protocol seems to be easily adapted to a non-interactive setting provided that oblivious transfer and bit commitment are possible. In fact, the veri er need not to ask which challenge he wants to propose but instead the prover will obliviously transfer the decommitment keys for both the challenges. Because of the properties of oblivious transfer, the veri er will receive exactly one of the two sets of decommitments and the prover does not know which one will be received. Thus it seems that both soundness and zero knowledge should hold.

Zero Knowledge and Soundness: two subtle points.

However, things are a little more complicated and both zero knowledge and soundness require some more thoughts. Let us consider zero knowledge rst. To prove the zero-knowledge property, for each possible veri er, we have to exhibit a simulator whose output has a distribution very close to what is seen by the veri er which includes also his random coin tosses. The rst thing that comes to mind is to use the well-known trial-and-error strategy. That is, the simulator is prepared to meet exactly one challenge of the two; if the veri er asks for the other challenge then he will start again until he is successful. In the interactive setting, the simulator knows which challenge has been requested by the veri er and whether the veri er has been satis ed by each of the challenges. In our case, the simulator does not know which challenge has been requested as the choice is implicitly made by the setting of the oblivious transfers channel made by the veri er. The only feedback he receives from the veri er is an ACCEPT/REJECT message which does not help much. Moreover, remember that the simulator has to output the coin tosses of the veri er and that we have to exhibit a simulator for each possible veri er. We circumvent this problem by having the veri er include in the public le a non-interactive zero-knowledge proof of knowledge that he knows the factorization of the modulus x for the oblivious transfer. In this way, the simulator can extract such knowledge and thus know for each channel what will be read by the veri er and prepare the commitments accordingly. A similar problem arises for the soundness. A formal proof of the soundness requires that we exhibit an algorithm Q that receives in input a Blum integer x and a randomly chosen element z of Zx+1 and decides the quadratic residuosity of z modulo x by using a fraudlent prover (that is a prover that succeeds in cheating the veri er) as subroutine. The simplest thing would be to use the x and z to set up an oblivious transfer channel. But then, as we do not know x's factorization, we can not read the oblivious channel and thus gain nothing from doing this. What we do instead is to have the veri er establish two oblivious transfer channels with two dierent moduli; moreover, we require that the corresponding z's have the same quadratic residuosity modulo their respective moduli. In this way, algorithm Q sets up one channel using a randomly chosen modulus x with known factorization and the other using the modulus x and, as we shall see, by reading the channel relative to x it can gain information on the quadratic residuosity of z. 15

An informal description of the protocol.

We rst describe how the public le is constructed and then show how the proof is actually performed. Construction of public le. The public le contains three public les: two are for oblivious transfer and

one for bit commitment. Verifier1 randomly chooses six primes p1; q1; p2; q2; p3; q3  3 mod 4 of the same length and sets x1 = p1q1, x2 = p2 q2, x3 = p3 q3. Next, Verifier1 randomly chooses s, a quadratic residue modulo x3; y1 , a random quadratic non residue modulo x1 ; y2 , a random quadratic non residue modulo x2; and z1 ; z2 , elements of Zx+1 ; Zx+1 respectively. Thus, the public le is composed of the two public les for the oblivious transfer ((x1 ; y1z1 mod x1); (x1; z1); (1 ; y1)) and ((x2 ; y2z2 mod x2 ); (x2; z2); (2 ; y2)) (1 and 2 are proofs of correctness); the public le for bit commitment (x3; s; 3 ) (3 is the proof of correctness); 4 , the non-interactive zero-knowledge proof that z1 and z2 have the same quadratic residuosity modulo x1 and x2 respectively; and by 5 and 6 , the zero-knowledge proofs of knowledge of the factorization of x1 and x2, respectively. The private key SK consists of the factorizations of x1 and x2. 1

2

Proving that G is Hamiltonian. On input a Hamiltonian graph G and a Hamiltonian cycle  for G,

Prover proceeds as follows. First, he randomly selects a permutation  of the vertices of G and computes

G^ = (G). Then, using s and x3, he computes a bit-by-bit commitment of the adjacency matrix of Gb and sends them to the veri er. Let  be the concatenation of the decommitment keys of the adjacency matrix of Gb and let be the concatenation of the decommitment keys of the entries of the adjacency b Finally Prover obliviously transfers matrix of Gb that correspond to edges in the Hamiltonian cycle of G. the pair (; ) by sending  using the channels (x1 ; y1z1 mod x1) and (x2; y2 z2 mod x2) and using the channels (x1 ; z1) and (x2; z2 ). Verifier2 checks that he receives the same string  on both channels and b or  is formed by that either  is formed by proper decommitment keys of the adjacency matrix of G; proper decommitment keys of the entries of the adjacency matrix of Gb which correspond to the edges of a Hamiltonian cycle. For constructing our pair (Prover,Verifier), we will use three proof systems (A,B), (C,D) and (F,H) as subroutines. (A,B) is a non-interactive perfect zero-knowledge proof system for the language of pairs (x; y) such that x is a Blum integer and y is a quadratic non residue modulo x ([7, 18]). (F,H) is instead a non-interactive zero-knowledge proof of knowledge of factorization. In [21], it is proved that the quadratic residuosity assumption is sucient for the existence of (F,H). Notice that (F,H) is computational zero-knowledge but this will be enough to obtain statistical zero-knowledge arguments. (C,D) is a noninteractive perfect zero-knowledge proof system for the language EQUAL of quadruples (x1; x2; z1; z2 ) such that x1 ; x2 are Blum integers and QRx (z1 ) = QRx (z2 ). In [18], the authors have presented a noninteractive perfect zero-knowledge proof system for the language OR of quadruples (x1 ; x2; y1; y2) where at least one of y1 and y2 is a quadratic non residue modulo its respective modulus. The proof system (C,D) is constructed by observing that a quadruple (x1 ; x2; z1; z2) belongs to EQUAL if and only if both quadruples (x1; x2; ?z1 mod x1 ; z2) and (x1; x2; z1; ?z2 mod x2 ) belong to OR. 2

1

A formal description of a PKPR Statistical Zero-Knowledge Argument can be found in gures 2, 3, 4. Here 16

by a; c; and f we denote the constants such that the proof systems (A,B), (C,D), and (F,H) on inputs of size n use strings of length at most na ; nc; nf . Now we can prove the following theorem.

Theorem 2. Under the QRA, the above pair (Prover,Verifier) is a PKPR Statistical Zero-Knowledge Argument for the language of Hamiltonian graphs.

Proof: We shall prove that the pair (Prover,Verifier) meets the requirements of De nition 3. First of all, the above algorithms run in polynomial time. In fact, algorithms Verifier1 and Verifier2 use

x1, x2, and x3 's factorization to run in polynomial time the algorithms A, C and F, and to decide the quadratic residuosity of integers z1 ; z2 modulo respectively x1 and x2 . Algorithm Prover is trivially seen to be executed in polynomial time. Completeness. Suppose that G 2 HAM and consider the algorithm Verifier2 . Obviously, 1 is always equal to 2 (see step 4 of Prover's program). Moreover, if z1 is a quadratic non residue modulo x1 then the string 1 is always of the right form (1 is actually the string  computed by Prover at step 3 of its program). On the other hand, if z1 is a quadratic residue modulo x1 then, by Fact 2, y1 z1 mod x1 is a quadratic non residue modulo x1 (remember that y1 is a quadratic non residue). Thus, in this case 1 is equal to the string computed by Prover at step 3 of its program and thus also in this case Verifier2 accepts. Soundness.

Soundness requires that no ecient non uniform algorithm Adv has probability of cheating greater than 2=3. We actually prove that no ecient non uniform algorithm has probability of cheating signi cantly better than 1=2. Suppose, for sake of contradiction, that there exists a constant c > 0 and an ecient non uniform algorithm Adv that, for in nitely many n, on input a string  of length 3na + nc + 2nf and a public le PK, outputs a pair G; Proof with G 62 HAM that is accepted by Verifier2 with probability greater than 1=2+ n?c : Then, we exhibit an algorithm Q(
;
) that, using Adv as subroutine, on input a randomly chosen x 2 BL(n) and a randomly chosen element z 2 Zx+1 computes QRx (z) with probability no smaller than 1=2+1=8nc , for in nitely many n. Let us now informally describe algorithm Q. A formal description can be found in Figure 5 where we denote by T1 ; T2 , and T3 the ecient simulators for (A,B), (C,D), and (F,H), respectively. In order to use Adv, Q has to construct a public key PK for Adv. PK will include, among other things, the two public les for OT that we denote by PK1 and PK2 , and are built by Q in the following way. A bit b is chosen at random and PK1+b is set equal to ((x; yz mod x); (x; z); (; y)), where y is randomly chosen quadratic non residue modulo x and  is the output of the simulator for the proof system (A,B) on input (x; y). On the other hand, PK2?b is set equal to ((x; y z mod x); (x; z); ( ; y)) where x 2 BL(n) is chosen randomly along with its factorization, z is a random element of Zx+1 , y is randomly chosen quadratic non residue modulo x and  is a proof, computed using algorithm A, that y is a quadratic non residue modulo x. After receiving Proof from Adv, Q runs the algorithm Receive on the pair of messages corresponding to 17

the public le PK2?b (the one for which Q knows the factorization of the modulus). Thus, Q knows which string would have been received by a veri er in both oblivious transfers (in fact the two strings have to be sent in the same order by Adv in the two oblivious transfers, otherwise the veri er rejects). After running the algorithm Receive, two events can occur: (a) Q receives a meaningful string (i.e., the b or for the bits of a Hamiltonian cycle) in concatenation of the decommitment keys either for the bits of G, which case it outputs QRx (z ) as a guess for QRx (z) (see steps 6 and 7 of Q's program); (b) Q receives an arbitrarily constructed and meaningless string in which case it outputs 1 ? QRx (z ) as a guess for QRx (z) (see step 8 of Q's program). Now, in order to compute the probability of the two events, we distinguish two cases.

Case 1. QRx (z1 ) = QRx (z2 ). 2

1

If the public le PK were constructed exactly as Adv sees it when trying to deceive the veri er, then we could conclude that the probability that Q reads something meaningful, and thus gives the correct answer, is at least the probability that Adv makes the veri er accept that is at least 1=2 + n?c . However, in this case, PK does not have the same distribution even though the only dierence between the public le PK constructed by Q and a real public le seen by Adv is in the strings relative to the proof of knowledge of x's factorization; that is, depending on the random bit b, either (5 ; 1) or (6 ; 2) have a dierent distribution (remember (A,B) and (C,D) are perfect zero-knowledge proof systems). Observe, though, that (F,H) is a zero-knowledge proof system and that T3 is a simulator for (F,H). This implies that the distribution of the public le constructed by Q is indistinguishable to ecient algorithms from the distribution of the \real" public le. This implies that Q's output is indistinguishable from the output of the algorithm which feeds Adv with a public le PK with the right distribution. In fact, were this not the case, we would construct an algorithm to distinguish the output of the simulator T3 from the real view, contradicting the zero-knowledgeness of (F,H). Because of the discussion above, we conclude that in this case Q computes QRx (z) correctly with probability at least 1=2 + 1=2nc, for in nitely many n.

Case 2. QRx (z1 ) 6= QRx (z2 ). 2

1

Assume that QRx (z1 ) = 0 (the other case is similar). If b = 0 then Q knows the factorization of x2 and thus can read the string encrypted using z2 . On the other hand, if b = 1 then Q knows the factorization of x1 and thus can read the string  encrypted using y1 z1 mod x1. As G 62 HAM, at least one of  and must be a meaningless string. Thus the probability that Q reads a meaningful string (and thus guesses QRx (z) incorrectly) is not greater than the probability that Adv guesses the bit b. If PK had the same distribution of a real public le then this probability would be 1=2. Notice, however, that the public le PK constructed by Q diers form the \real" public le only for the proof of knowledge of x1+b's factorization, the proof that z1 and z2 have the same quadratic residuosity and the relative reference strings. Therefore, for the zero-knowledgeness of (C,D) and (F,H) it follows that the probability that Adv guesses the bit b (and thus whether Q knows the factorization of x1 or of x2) is smaller than 1=2 + 1=4nc (actually it is smaller than 1=2 + n?d for all constants d). 1

18

By observing that each case has probability 1=2 of occurring then we conclude that, for in nitely many n,

Pr(x BL(n); z Zx+1 : Q(x; z) = QRx(z))  1=2 + 1=8nc; which contradicts the Quadratic Residuosity Assumption. Zero Knowledge.

As (F,H) is a proof system of knowledge for the factorization, there exists a pair (Ext 0 ; Ext 1) of ecient extractor algorithms with the following properties. Ext 0 receives as input 1n and gives in output two strings:  and aux. The string  is nf -bit long and its distribution, taken over the coin tosses of Ext 0, is statistically close to the uniform distribution. Ext 1 receives as input , aux, an integer x and a proof  of knowledge computed by a prover and outputs either the factorization of x (in which case we say that he had success) or NIL. The probability of success of Ext 1, taken over the coin tosses of Ext 0 ; Ext 1 and of the prover, is exponentially close to the probability that the prover convinces the veri er. To prove the zero-knowledge property, for each veri er V , we show an ecient simulator SV such that, for G 2 HAM, the probability space SV (G) is statistically close to the view of V . The algorithm SV uses Ext0 and Ext1 as subroutines. S consists of two algorithms S0 and S1 that operate as follows. S0 chooses the strings 1 ; 2 ; 3; ; 2 at random and runs the algorithm Ext0 to generate the string 1 and aux. Then it sets  equal to the concatenation of 1 ; 2 ; 3; ; 1 ; and 2 and feeds the veri er with  to obtain a public key PK = (((x1; y1 z1 mod x1); (x1; y1 ); (y1 ; 1)); ((x2; y2 z2 mod x2); (x2; y2 ); (y2; 2)); (x3 ; s; 3); 4; 5; 6 ): Then, by running Ext1 on input 1 , x1 , aux, and 5 , S0 computes x1 's factorization and QRx (z1 ). In this way it knows which of the two strings that will be obliviously transferred the veri er will read, and S1 will prepare them accordingly. A formal description of SV is in Figure 6. We notice that S0 stops in expected polynomial time. In fact, because of the soundness property of (F,H), the probability that the veri er does not reject the proof and the extractor does not succeed in extracting the factorization is negligible. Thus with overwhelming probability Phase I is performed just once. Moreover, S1 's program can be executed in probabilistic polynomial-time once the factorization of x1 is known. We prove now that the two probability spaces SV (G) and View V (G) are statistically close; that is, they satisfy the zero knowledge requirement. In our analysis we distinguish two cases depending on whether the public le PK provided by V has been properly constructed or not. Let us examine rst the case when V constructs PK correctly. By the properties of (F,H) the string 1 is statistically close to a random string and thus so is . Moreover, the uij 's computed by SV are all random quadratic residues modulo x3 just as in the output of the legitimate prover. Let us now look at the pair (msg 1 ; msg 2) (the same reasoning holds for the pair (msg 3 ; msg 4 )). In the view of the veri er the pair consists of two components: one is an encryption computed using a quadratic non residue modulo x1; the other is just a sequence of random quadratic residues modulo x1. Exactly the same happens in the output of SV . Moreover the component that is not made of random quadratic residues encrypts meaningful information in both distributions; 1

19

that is, either the decommitment keys relative to the edges of a random Hamiltonian cycle in Gb or the b decommitment keys of all edges in Gb along with a random isomorphism from G to G. Let us now consider the case when PK is not properly constructed. Then two cases are possible: SV realizes that at step 3 of Phase I (in which case the output of SV coincides with the view of the veri er) or SV does not realize it. In this second case we cannot say that SV 's output is identical to the view of the veri er but this does not compromise the statistical zero-knowledge property as this case occurs with a negligible probability (thanks to the soundness of the proof systems used).

6 Extensions and Open Problems A more general result. The proof system that we have presented heavily uses the properties of the

PKPR OT that we have presented in Section 3. However, we would like to remark that our construction of zero-knowledge arguments can be based on any PKPR OT for which it is possible to give a non interactive zero-knowledge proof of knowledge of the secret key and to prove that two pairs of channels are identical (i.e, either for both pairs the rst channel can be read or for both pairs the second channel can be read). Perfect zero-knowledge. We have just described a statistical zero-knowledge argument for HAM. This system is not perfect zero-knowledge as the following two cases are never simulated by SV . The rst case is when the veri er constructs the public le improperly but S0 does not notice it. For example, a veri er might choose s as a quadratic non residue modulo x3 and still have a positive (though negligible) probability that S0 does not notice it. Then, the commitment of the graph Gb has a quadratic non residue modulo x3 for each entry 1 and a quadratic residue modulo x3 for each entry 0. This is dierent from what S1 constructs in the case z1 is a quadratic non residue (see step 1.2 of S1 's program). The situation is made more complicated by the fact that S0 has no way of knowing whether the public le is correctly constructed or not. This problem can be resolved by having the veri er give a zero-knowledge proof of knowledge of the factorization of the three moduli used in the construction. This way, S0 can use the extractor of the proof system of knowledge and check directly whether the public le is constructed properly. In case it is not and it does not detect this by running the appropriate veri ers at step 3, it runs an O(n!) exaustive algorithm for nding a Hamiltonian cycle in the input graph G and then runs the prover's algorithm. To keep the expected running time of the simulator polynomial, we make sure that the probability that the veri er succeeds in cheating without getting caught is smaller than 1=n!. This is achieved by repeating the proofs of correctness with suciently many (but still no more than polynomial) independent random strings. A second reason for which the output of SV is not exactly the same as the view of the veri er is due to the following fact. It is possible that, even though the prover is convinced by the proofs of knowledge, the extractor fails to extract the factorizations of the moduli employed. In this case, which again has negligible probability of occurring, the simulator runs an exaustive algorithm for nding a Hamiltonian cycle in the input graph G. As above, we repeat the proof of correctness with suciently many random strings so to keep the probability of cheating smaller than 1=n!. 20

We summarize the above discussion in the following theorem. Theorem 3. Under the QRA, all languages in NP have PKPR perfect zero-knowledge arguments.

Multiple independent provers and large theorems. For sake of ease of exposition, our de nition

of zero-knowledge arguments only considers the case of a single prover which proves a single theorem (of length bounded by the length of the random string) to a single veri er. However we would like to remark that, as it can be easily veri ed by the reader, our proof system can handle any number of provers and any number of veri ers. Moreover, statistical zero-knowledge arguments for any theorem of length polynomial in the length of the reference string can be given.

Open problems. The obvious open problem suggested by our work is to reduce the complexity assumption

needed for Oblivious Transfer and Zero-Knowledge Arguments. Also of great interest, it would be to design a protocol for Oblivious Transfer that allows any polynomial number (in the length of the public le) number of independent oblivious transfers. The lack of independence in the oblivious transfer is a source of potential problems. In fact, the soundness of the system might be compromised if the veri er reveals whether he rejected or accepted a proof. This is similar to the problem of chosen ciphertext attack for cryptosystems.

Acknowledgments We are very grateful to Moti Yung for encouragement and helpful discussions. We thank Joe Kilian for his comments and useful suggestions. The third author would like to thank Michael Rabin for his constant support.

References [1] L. Adleman and M. A. Huang, Primality Testing and Abelian Varieties Over Finite Fields, Lecture Notes in Mathematics, vol. 1512, Springer Verlag. [2] M. Bellare and S. Micali, Non-Interactive Oblivious Transfer and Applications, in \Advances in Cryptology - CRYPTO 89," Ed. G. Brassard, vol. 435 of \Lecture Notes in Computer Science," SpringerVerlag, pp. 547{557. [3] M. Ben-Or, S. Goldwasser, and A. Wigderson, Completeness Theorems for Non-Cryptographic FaultTolerant Distributed Computations, Proceedings of the 20th Annual ACM Symposium on Theory of Computing, 1988, pp. 1{10. [4] M. Blum, Coin Flipping by Telephone, IEEE COMPCON 1982, pp. 133{137. [5] M. Blum, Three Applications of the Oblivious Transfer, Unpublished manuscript. [6] M. Blum, How to Prove a Theorem So No One Else Can Claim It, Proceedings of the International Congress of Mathematicians, Berkeley, California, 1986, pp. 1444{1451. 21

[7] M. Blum, A. De Santis, S. Micali, and G. Persiano, Non-Interactive Zero Knowledge, SIAM Journal on Computing, vol. 20 (1991), no. 6, pp. 1084{1118. [8] M. Blum, P. Feldman, and S. Micali, Non-Interactive Zero-Knowledge Proof Systems and Applications, Proceedings of the 20th Annual ACM Symposium on Theory of Computing, 1988, pp. 364{383. [9] R. Boppana, J. Hastad, and S. Zachos, Does co-NP have Short Interactive Proofs?, Information Processing Letters, vol. 25 (1987), pp. 127{132. [10] G. Brassard and C. Crepeau, Non-transitive Transfer of Con dence: A Perfect Zero-Knowledge Interactive Protocol for SAT and Beyond, Proceedings of the 27th IEEE Symposium on Foundations of Computer Science, 1986, pp. 188{195. [11] G. Brassard, C. Crepeau, and D. Chaum, Minimum Disclosure Proofs of Knowledge, Journal of Computer and System Sciences, vol. 37, no. 2, October 1988, pp. 156{189. [12] G. Brassard, C. Crepeau, and J.-M. Robert, Information Theoretic Reductions among Disclosure Problems, Proceedings of the 27th IEEE Symposium on Foundations of Computer Science, 1986, pp. 168{173. [13] G. Brassard, C. Crepeau, and M. Yung, Perfect Zero-Knowledge Computationally Convincing Proofs for NP in Constant Rounds, Theoretical Computer Science, vol. 84 (1991), n. 1, pp. 23-52. [14] D. Chaum, Demonstrating that a Public Predicate can be Satis ed Without Revealing any Information About How, in \Advances in Cryptology { CRYPTO 86," vol. 263 of \Lecture Notes in Computer Science," Springer Verlag, pp. 195{199. [15] D. Chaum, C. Crepeau, and I. Damgard, Multiparty Unconditionally Secure Protocols, Proceedings of the 20th Annual ACM Symposium on Theory of Computing, 1988, pp. 11{19. [16] C. Crepeau, Equivalence Between Two Flavors of Oblivious Transfer, in \Advances in Cryptology { CRYPTO 87," vol. 293 of \Lecture Notes in Computer Science," Springer Verlag, pp. 350{354. [17] I. Damgard, Non-interactive Circuit Based Proofs and Non-Interactive Perfect Zero-Knowledge with Preprocessing, in \Advances in Cryptology - EUROCRYPT 92," Ed. R. Rueppel, vol. 658 of \Lecture Notes in Computer Science," Springer-Verlag, pp. 341{355. [18] A. De Santis, G. Di Crescenzo, and G. Persiano, The Knowledge Complexity of Quadratic Residuosity Languages, Theoretical Computer Science, to appear. [19] A. De Santis, S. Micali, and G. Persiano, Non-Interactive Zero-Knowledge Proof Systems, in \Advances in Cryptology { CRYPTO 87," vol. 293 of \Lecture Notes in Computer Science," Springer Verlag, pp. 52{72.

22

[20] A. De Santis, S. Micali, and G. Persiano, Non-Interactive Zero-Knowledge Proof-Systems with Preprocessing, in \Advances in Cryptology - CRYPTO 88," Ed. S. Goldwasser, vol. 403 of \Lecture Notes in Computer Science," Springer-Verlag, pp. 269{282. [21] A. De Santis and G. Persiano, Zero-Knowledge Proofs of Knowledge Without Interaction, Proceedings of the 33rd Annual IEEE Symposium on Foundations of Computer Science, 1992, pp. 427{436. [22] A. De Santis and M. Yung, Cryptographic Applications of the Non-Interactive Metaproof and Manyprover Systems, in \Advances in Cryptology - CRYPTO 90," vol. 537 of \Lecture Notes in Computer Science," Springer-Verlag, pp. 366-377. [23] W. Die and M. E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, vol. IT-22 (1976), no. 6, pp. 644{654. [24] S. Even, O. Goldreich, and A. Lempel, A Randomized Protocol for Signing Contracts, Communications of the ACM, vol. 28, 1985, pp. 637{647. [25] U. Feige, A. Fiat, and A. Shamir, Zero-knowledge Proofs of Identity, Journal of Cryptology, vol. 1, 1988, pp. 77{94. Preliminary version in Proceedings of the 19th Annual ACM Symposium on Theory of Computing, 1987, pp. 210{217. [26] U. Feige, D. Lapidot, and A. Shamir, Multiple Non-Interactive Zero-Knowledge Proofs Based on a Single Random String, Proceedings of 22nd Annual Symposium on Theory of Computing, 1990, pp. 308{317. [27] M. Fischer, S. Micali, and C. Racko, A Secure Protocol for the Oblivious Transfer, Eurocrypt 1984. [28] L. Fortnow, The complexity of perfect zero-knowledge. Advances in Computing Research 5: Randomness and Computation, Micali, S., editor, JAI Press, 1989, pp. 327{343. Preliminary version in Proceedings of the 19th Annual ACM Symposium on Theory of Computing, 1987, pp. 204{209 (see discussion in [32]). [29] M. Garey and D. Johnson, Computers and Intractability: a Guide to the Theory of NP-Completeness, W. H. Freeman & Co., New York, 1979. [30] O. Goldreich, S. Micali, and A. Wigderson, Proofs that Yield Nothing but their Validity or All Languages in NP Have Zero-Knowledge Proof Systems, Journal of the ACM, vol. 38 (1991), n. 1, pp. 691{729. [31] O. Goldreich, S. Micali, and A. Wigderson, How to Play Any Mental Game, Proceedings of the 19th Annual ACM Symposium on Theory of Computing, 1987, pp. 218{229.

23

[32] O. Goldreich, R. Ostrovsky, and E. Petrank, Computational Complexity and Knowledge Complexity, Proceedings of the 26th Annual ACM Symposium on Theory of Computing, 1994, pp. 534{543. [33] S. Goldwasser and S. Micali, Probabilistic Encryption, Journal of Computer and System Sciences, vol. 28 (1984), n. 2, pp. 270{299. [34] S. Goldwasser, S. Micali, and C. Racko, The Knowledge Complexity of Interactive Proof-Systems, SIAM Journal on Computing, vol. 18 (1989), n. 1. [35] J. Halpern and M. O. Rabin, A Logic to Reason about Likelihood, Proceedings of the 15th Annual Symposium on Theory of Computing, 1983, pp. 310{319. [36] R. Impagliazzo and M. Yung, Direct Minimum Knowledge Computations, in \Advances in Cryptology { CRYPTO 87," vol. 293 of \Lecture Notes in Computer Science," Springer Verlag pp. 40{51. [37] J. Kilian, Founding Cryptography on Oblivious Transfer, Proceedings of the 20th Annual ACM Symposium on Theory of Computing, 1988, pp. 20{31. [38] J. Kilian, S. Micali, and R. Ostrovsky, Minimum-Resource Zero-Knowledge Proofs, Proceedings of the 30th IEEE Symposium on Foundation of Computer Science, 1989, pp. 474{479. [39] I. Niven and H. S. Zuckerman, An Introduction to the Theory of Numbers, John Wiley and Sons, 1960, New York. [40] R. Ostrovsky, R. Venkatesan, and M. Yung, Fair Games Against an All-Powerful Adversary, in Sequences II: Methods in Communication, Security and Computer Science, R. Capocelli, A. De Santis, and U. Vaccaro Eds., Springer-Verlag, 1993, pp. 418{429. [41] D. Shanks, Solved and Unsolved Problems in Number Theory, Chelsea, New York, 1976.

24

σ

R

Reference Tape

R

Work Tape

R x

R

w

R

R/W

Input Tape

Auxiliary Tape Verifier1

R R

PK

W

Communication Tape

W

Prover

(PK,SK) Proof

W R/W

Private Key

Communication Tape

R Work Tape

W R

Verifier2

R/W

Work Tape

Figure 1: A PKPR Pair

25

0/1 Output Tape

Algorithm Verifier1 () Input: A (3na +nc +2nf )-bit reference string  = 1  2  3    1  2, where j1j = j2 j = j3j = na , j j = nc and j1j = j2 j = nf . 1. Select public and secret keys. Randomly select six n-bit primes p1; q1; p2; q2; p3; q3  3 mod 4 and set x1 = p1q1, x2 = p2q2 and x3 = p3 q3. Randomly select z1 2 Zx+1 and z2 2 Zx+1 such that QRx (z1 ) = QRx (z2 ). Randomly select y1 , a quadratic non residue modulo x1 . Randomly select y2 , a quadratic non residue modulo x2 . Randomly select s, a quadratic residue modulo x3. 2. Prove that x1 and x2 are Blum integers and that y1 ; y2 are quadratic non residues modulo x1 and x2, respectively. Run the algorithm A on input (x1; y1 ) and (p1 ; q1) using 1 as reference string and obtaining 1 as output. Run the algorithm A on input (x2; y2 ) and (p2 ; q2) using 2 as reference string and obtaining 2 as output. 3. Prove that x3 is a Blum integer and s is a quadratic residue modulo x3. Run the algorithm A on input (x3; ?s mod x3) and (p3 ; q3) using 3 as reference string and obtaining 3 as output. 4. Prove that QRx (z1 ) = QRx (z2 ). Run the algorithm C on input (x1; x2; z1 ; z2) and (p1; q1; p2; q2) using  as reference string and obtaining 4 as output. 5. Prove the knowledge of x1 and x2 's factorizations. Run the algorithm F on input x1 and (p1 ; q1) using 1 as reference string obtaining 5 as output. Run the algorithm F on input x2 and (p2 ; q2) using 2 as reference string and obtaining 6 as output. 6. Set PK=(((x1 ; y1 z1 mod x1); (x1; z1 ); (1; y1 )); ((x2; y2z2 mod x2); (x2; z2); (2 ; y2)); (x3; s; 3 ); 4; 5; 6) and SK=(p1 ; q1; p2; q2). 1

1

2

1

2

Output: (PK,SK). Figure 2: The algorithm Verifier1.

26

2

Algorithm Prover(; PK; G; )

Input:  A (3na + nc + 2nf )-bit reference string  = 1  2  3    1  2 , where j1 j = j2 j = j3j = na , j j = nc and j1 j = j2j = nf .  A public le PK= (((x1 ; y1z1 ); (x1; z1 ); (1; y1 )); ((x2; y2z2 ); (x2; z2 ); (2; y2 )); (x3; s; 3); 4; 5 ; 6).  An adjacency matrix G = fgij g, with gij 2 f0; 1g for 1  i; j  n.  A Hamiltonian cycle  = h(1);


; (n)i. Phase I: \Veri cation of public le." Run the algorithm B on input (x1 ; y1) and 1 using 1 as reference string; run the algorithm B on input (x2; y2 ) and 2 using 2 as reference string; run the algorithm B on input (x3; ?s mod x3) and 3 using 3 as reference string; run the algorithm D on input (x1 ; x2; z1; z2) and 4 using  as reference string; run the algorithm G on input x1 and 5 using 1 as reference string; run the algorithm G on input x2 and 6 using 2 as reference string. If any of the veri cation fails then HALT. Phase II: \Proving that G 2 HAM." 1. (Compute a graph Gb isomorphic to G) Randomly choose a permutation  of f1;


; ng. Compute Gb = fg^ij g, where g^ij = g i ; j . ( )

( )

b 2. (Compute the commitments for G) For 1  i; j  n, compute (rij ; uij ) BC(^gij ; x3; s); 3. (Prepare strings for Oblivious Transfer.) Let =   ; set  =   r  r 


 rn n? rnn and =  r 


 r n? n  r n . 4. (Obliviously transfer twice the pair (; )) Run the algorithm Send on input ((x1 ; y1z1 mod x1 ); ) obtaining as output msg1 . Run the algorithm Send on input ((x1 ; z1); ) obtaining as output msg2 . Run the algorithm Send on input ((x2 ; y2z2 mod x2 ); ) obtaining as output msg3 . Run the algorithm Send on input ((x2 ; z2); ) obtaining as output msg4 . 11

12

(

1)

(1) (2)

Output:(fuijg,msg1, msg2 , msg3 , msg4). Figure 3: The algorithm Prover.

27

(

1) ( )

( ) (1)

Algorithm Verifier2 (G; msg 1 ; msg 2 ; msg 3 ; msg 4; PK; SK)

Input:  A (3na + nc + 2nf )-bit reference string  = 1  2  3    1  2 , where j1 j = j2 j = j3j = na , j j = nc and j1 j = j2j = nf .  A public le PK= (((x1 ; y1z1 ); (x1; z1 ); (1; y1 )); ((x2; y2z2 ); (x2; z2 ); (2; y2 )); (x3; s; 3), 4; 5 ; 6).

 A secret le SK= ((p1 ; q1); (p2 ; q2)).  An adjacency matrix G = fgij g, with gij 2 f0; 1g for 1  i; j  n.  Commitments fuij g and four strings msg1 , msg2 , msg3 , msg4. 1. Run the algorithm Receive on input ((x1 ; y1z1 mod x1); (p1 ; q1); msg 1), ((x1 ; z1); (p1; q1); msg 2 ), ((x2; y2 z2 mod x2); (p2; q2); msg 3 ), and ((x2 ; z2); (p2; q2); msg 4 ); verify to have received the same string  in two executions. 2. If QRx (z1 ) = 1 then write  as   r11 


 rnn; verify that  is a permutation of f1; : : :; ng; let G~ = (G) and let fg~ij g be its adjacency matrix; for 1  i; j  n, verify that VC(x3 ; s; uij ; rij ; g~ij ) = 1. 3. If QRx (z1 ) = 0 then write  as  t1 


 tn ; verify that is a permutation of f1; : : :; ng; for j = 1; : : :; n ? 1, verify that ( (j); (j + 1)) is an edge of G by checking that VC(x3 ; s; u j ; j ; tj ; 1) = 1. verify that ( (n); (1)) is an edge of G by checking that VC(x3; s; u n ; ; tn; 1) = 1; 1

1

( )

( )

If all the veri cations are successfull then Output: 1 else Output: 0. Figure 4: The algorithm Verifier2.

28

(1)

( +1)

Algorithm Q(x; z). Input: x 2 BL(n), z 2 Zx+1 . 1. Randomly select y 2 NQRx . Run the simulator T1 on input (x; y) thus obtaining (1 ; 1). Randomly select two n-bit primes p; q  3 mod 4 and set x = pq. Randomly select z 2 Zx+1 and y 2 NQR x . Randomly choose a na -bit string 2 and run algorithm A on input 2 and (x; y) thus obtaining a string 2. Randomly select two n-bit primes p3; q3  3 mod 4 and set x3 = p3 q3. Randomly choose a na -bit string 3 and run algorithm A on input 3 and (x3; ?s mod x3) thus obtaining a string 3. Run the simulator T3 on input x thus obtaining 1 and 5 . Randomly choose a nf -bit string 2 and run algorithm F on input 2 , x, and (p; q) thus obtaining a string 6 . 2. Toss a fair coin and let b 2 f0; 1g be its outcome. Set xb = x; zb = z and x1?b = x; z1?b = z. Run the simulator T2 on input (x0 ; x1; z0; z1) thus obtaining  and 4. 3. Set pk0 = ((x; yz mod x); (x; z); (y; 1)), pk1 = ((x; y z mod x); (x; z); (y; 2)). Set PK=(pkb ; pk1?b; (x3; s; 3); 4 ; 5+b; 6?b). Set  =  b   ?b  3     b   ?b . 4. Run the algorithm Adv on input (, PK) thus obtaining (G; Proof ). Write Proof as Proof = (fuij g; msg1; msg2 ; msg3 ; msg4 ). 5. Run the algorithm Receive on input ((x; y z mod x); (p; q); msg3?2b) ((x; z); (p; q); msg4?2b) obtaining as output 1; 2; b or one of 1 6. If one of 1 and 2 is the concatenation of the decommitment keys for the bits of G, and 2 is the concatenation of the decommitment keys for the bits of a Hamiltonian cycle then Output: QRx (z) else Output: 1 ? QRx (z). 1+

2

1+

2

Figure 5: The algorithm Q

29

The simulator S.

Input: A graph G 2 HAM, whose adjacency matrix is fgij g, with gij 2 f0; 1g for 1  i; j  n. Phase I: Algorithm S0 : \Extraction of x1's factorization." 0. Choose a random tape R for V . 1. Run the algorithm Ext0 obtaining (; aux ) as output. 2. Run the algorithm V using  as input, and obtaining PK= (((x1; y1 z1 mod x1); (x1; y1 ); (y1 ; 1))((x2 ; y2z2 mod x2 ); (x2; y2); (y2 ; 2)); (x3; s; 3); 4 ; 5; 6) as output. 3. Check the correctness of the proofs provided together with PK by running the appropriate veri cation algorithms. If any of the veri cations fails then Output: (R; ; PK) and STOP. 4. Run the algorithm Ext1 using aux,  and 5 as input, and obtaining x1's factorization as output. If Ext1 fails then goto 0. Phase II: Algorithm S1: \Simulation of the proof that G 2 HAM." 1. If QRx (z1 ) = 1 then 1.1 Randomly choose a permutation  of f1; : : :; ng; compute Gb = fg^ij g, where g^ij = g(i);(j ). 1.2 For i = 1; : : :; n, for j = 1; : : :; n, set (rij ; uij ) BC(^gij ; x3; s). 1.3 Set  =   r11  r12 


 rn(n?1)  rnn and = 0 


 0; 2. If QRx (z1 ) = 0 then 2.1 For i = 1; : : :; n, for j = 1; : : :; n, set (rij ; uij ) BC(1; x3; s). 2.2 Randomly choose a permutation  of f1;


; ng. Set  = 0 


 0 and =   r(1)(2) 


 r(n?1)(n)  r(n)(1). 3. Run the algorithm Send on input ((x1 ; y1z1 mod x1 ); ) obtaining as output msg1 . Run the algorithm Send on input ((x1 ; z1); ) obtaining as output msg2 . Run the algorithm Send on input ((x2 ; y2z2 mod x2 ); ) obtaining as output msg3 . Run the algorithm Send on input ((x2 ; z2); ) obtaining as output msg4 . Output: (R,,fuijg; msg 1, msg2, msg3, msg4). 1

1

Figure 6: The simulator S 30