6.875/18.425J Cryptography and Cryptanalysis April 20, 2005
Handout 11: Problem Set #6
This problem set is due on: May 3, 2005.
Problem 1 Perfectly Hiding Commitment
Definition:
A two-round perfectly-hiding commitment scheme is a triple of efficient algorithms
(GEN, COM, VER) satisfying the following properties.
Correctness: For all security parameters k and inputs α,
$$\Pr[\, g \leftarrow \mathrm{GEN}(1^k);\ (c, d) \leftarrow \mathrm{COM}(g, \alpha) : \mathrm{VER}(g, c, d, \alpha) = \mathrm{TRUE} \,] = 1$$
Binding: For all k, and for any probabilistic polynomial-time cheating committer $C^*$:
$$\Pr[\, g \leftarrow \mathrm{GEN}(1^k);\ (c, d_1, d_2, \alpha_1, \alpha_2) \leftarrow C^*(g) : \mathrm{VER}(g, c, d_1, \alpha_1) = \mathrm{VER}(g, c, d_2, \alpha_2) = \mathrm{TRUE} \wedge \alpha_1 \neq \alpha_2 \,] < \mathrm{negligible}(k)$$
Perfect Hiding: For all k, and all inputs α and β, the following distributions are identical:
$$\{\, g \leftarrow \mathrm{GEN}(1^k);\ (c, d) \leftarrow \mathrm{COM}(g, \alpha) : (g, c) \,\} = \{\, g \leftarrow \mathrm{GEN}(1^k);\ (c, d) \leftarrow \mathrm{COM}(g, \beta) : (g, c) \,\}$$
Protocol:
Consider the following two-round protocol for committing to a k-bit value, α. The
algorithm GEN randomly selects (p, g, h) subject only to the following conditions: (1)
p is a (k + 1)-bit prime number and (2) g and h are generators of $\mathbb{Z}_p^*$. The algorithm
COM on input (p, g, h) and α selects a random $t \in \mathbb{Z}_p^*$ and outputs the commitment
message $c = g^t h^\alpha \bmod p$ and the decommitment message t. The algorithm VER on
input (p, g, h), c, t and α outputs TRUE if and only if $c = g^t h^\alpha \pmod{p}$.
Prove: the above protocol is, in fact, a perfectly-hiding commitment scheme.
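The scheme above at toy size, as an added Python example that is not part of the original handout: it enumerates every t to compute the exact distribution of c for a given α, and brute-forces log_g h to show why the binding property is stated only for polynomial-time committers. The function names, the trial-division primality check and the small k are assumptions made for illustration.

```python
# Added illustration (toy sizes, hypothetical helper names); not from the handout.
import secrets
from collections import Counter

def prime_factors(n):
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    return fs | ({n} if n > 1 else set())

def is_generator(x, p):
    # x generates Z_p^* iff x^((p-1)/q) != 1 for every prime q dividing p-1
    return all(pow(x, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def gen(k):
    # Toy GEN: random (k+1)-bit prime p, then two random generators of Z_p^*
    while True:
        p = secrets.randbits(k) | (1 << k)        # top bit set: exactly k+1 bits
        if prime_factors(p) == {p}:               # trial-division primality
            break
    def rand_gen():
        while True:
            x = 1 + secrets.randbelow(p - 1)
            if is_generator(x, p):
                return x
    return p, rand_gen(), rand_gen()

def com(params, alpha):
    p, g, h = params
    t = 1 + secrets.randbelow(p - 1)              # t uniform in {1, ..., p-1}
    return pow(g, t, p) * pow(h, alpha, p) % p, t

def ver(params, c, t, alpha):
    p, g, h = params
    return c == pow(g, t, p) * pow(h, alpha, p) % p

def commitment_distribution(params, alpha):
    # Exact distribution of c for a fixed alpha: enumerate every choice of t
    p, g, h = params
    return Counter(pow(g, t, p) * pow(h, alpha, p) % p for t in range(1, p))

def equivocate(params, t, alpha, new_alpha):
    # Unbounded committer: brute-force x = log_g(h), then shift t so that
    # g^t' h^new_alpha = g^t h^alpha (exponents live mod p-1)
    p, g, h = params
    x = next(e for e in range(1, p) if pow(g, e, p) == h)
    return (t + x * (alpha - new_alpha)) % (p - 1) or p - 1
```

For k = 8 the enumeration in `commitment_distribution` covers at most 510 values of t; the brute-force search in `equivocate` is exactly the step that becomes infeasible at real parameter sizes.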
Problem 2 Zero-Knowledge in Parallel
Let (GEN, COM, VER) be a perfectly hiding commitment scheme. Here we provide a
five-round proof system for ISO¹ with negligible soundness error.
1. The prover selects $g \leftarrow \mathrm{GEN}(1^k)$ and sends g to the verifier.
2. The verifier chooses a k-bit random string r, selects $(c, d) \leftarrow \mathrm{COM}(g, r)$ and sends
c to the prover.
3. The prover randomly selects k graphs $C_1, \ldots, C_k$ such that each $C_i$ is isomorphic to
G and sends $C_1, \ldots, C_k$ to the verifier.
4. The verifier sends d and r to the prover.
5. If r = VER(g, c, d) then for each graph $C_i$ the prover sends the verifier a random
isomorphism mapping G to $C_i$ if the i-th bit of r is 0 and a random isomorphism
mapping H to $C_i$ if the i-th bit of r is 1.
Prove: the above protocol is, in fact, a zero-knowledge proof system for ISO.
Problem 3 Hiding and Binding
Prove or Disprove: There exists a bit commitment scheme which is both perfectly
hiding and perfectly binding.
Note: A perfectly hiding commitment scheme is defined in Problem 1. A commitment
scheme is perfectly binding if the binding condition holds with respect to all cheating
committers (as opposed to only those running in probabilistic polynomial time). Encryption
is an example of a perfectly binding commitment scheme.
Problem 4 Proofs of Knowledge
Let L be a language in NP and for x ∈ L let $W_x$ be the set of NP-witnesses for x.
Informally, (P, V) is a ZK proof of knowledge for L if on common input x, P convinces
V that he knows an element of $W_x$ and yet interacting with P provides V
with no knowledge other than that x ∈ L. (In particular, V learns nothing about which
element of $W_x$ the prover knows!)
Provide a formal definition of a zero-knowledge proof of knowledge and explain why your
definition captures the informal notion above.
¹ The language of all pairs of graphs (G, H) such that G is isomorphic to H.