Zero-Knowledge Proofs for Finite Field Arithmetic or: Can Zero-Knowledge be for Free?

1997 ◽  
Vol 4 (27) ◽  
Author(s):  
Ronald Cramer ◽  
Ivan B. Damgård

We present zero-knowledge proofs and arguments for arithmetic circuits over finite prime fields, namely given a circuit, show in zero-knowledge that inputs can be selected leading to a given output. For a field GF(q), where q is an n-bit prime, a circuit of size O(n), and error probability 2^−n, our protocols require communication of O(n^2) bits. This is the same worst-case complexity as the trivial (non zero-knowledge) interactive proof where the prover just reveals the input values. If the circuit involves n multiplications, the best previously known methods would in general require communication of Omega(n^3 log n) bits.

Variations of the technique behind these protocols lead to other interesting applications. We first look at the Boolean Circuit Satisfiability problem and give zero-knowledge proofs and arguments for a circuit of size n and error probability 2^−n in which there is an interactive preprocessing phase requiring communication of O(n^2) bits. In this phase, the statement to be proved later need not be known. Later the prover can non-interactively prove any circuit he wants, i.e. by sending only one message, of size O(n) bits.

As a second application, we show that Shamir's (Shen's) interactive proof system for the (IP-complete) QBF problem can be transformed into a zero-knowledge proof system with the same asymptotic communication complexity and number of rounds. The security of our protocols can be based on any one-way group homomorphism with a particular set of properties. We give examples of special assumptions sufficient for this, including: the RSA assumption, hardness of discrete log in a prime order group, and polynomial security of Diffie-Hellman encryption. We note that the constants involved in our asymptotic complexities are small enough for our protocols to be practical with realistic choices of parameters.

1996 ◽  
Vol 3 (7) ◽  
Author(s):  
Ivan B. Damgård ◽  
Ronald Cramer

We present a zero-knowledge proof system [19] for any NP language L, which allows showing that x in L with error probability less than 2^−k using communication corresponding to O(|x|^c) + k bit commitments, where c is a constant depending only on L. The proof can be based on any bit commitment scheme with a particular set of properties. We suggest an efficient implementation based on factoring.

We also present a 4-move perfect zero-knowledge interactive argument for any NP-language L. On input x in L, the communication complexity is O(|x|^c) max(k, l) bits, where l is the security parameter for the prover. Again, the protocol can be based on any bit commitment scheme with a particular set of properties. We suggest efficient implementations based on discrete logarithms or factoring.

We present an application of our techniques to multiparty computations, allowing for example t committed oblivious transfers with error probability 2^−k to be done simultaneously using O(t+k) commitments. Results for general computations follow from this.

As a function of the security parameters, our protocols have the smallest known asymptotic communication complexity among general proofs or arguments for NP. Moreover, the constants involved are small enough for the protocols to be practical in a realistic situation: both protocols are based on a Boolean formula Phi containing and-, or- and not-operators which verifies an NP-witness of membership in L. Let n be the number of times this formula reads an input variable. Then the communication complexity of the protocols when using our concrete commitment schemes can be more precisely stated as at most 4n + k + 1 commitments for the interactive proof and at most 5nl + 5l bits for the argument (assuming k <= l). Thus, if we use k = n, the number of commitments required for the proof is linear in n. Both protocols are also proofs of knowledge of an NP-witness of membership in the language involved.


2001 ◽  
Vol 12 (04) ◽  
pp. 517-531
Author(s):  
OLEG VERBITSKY

The Parallel Repetition Theorem says that n-fold parallel execution of a two-prover one-round interactive proof system reduces the error probability exponentially in n. The bound on the error probability of the parallelized system depends on the error probability and the answer size of the single proof system. It is still unknown whether the theorem holds true with a bound depending only on the query size. Such a bound may be preferable whenever the query size is considerably smaller than the answer size, which is indeed the case in some cryptographic protocols. A bound of this kind is only known in the case that the queries to the provers are independent. The present paper extends this result to some cases of strong correlation between queries. In particular, a query-based variant of the Parallel Repetition Theorem is proven when the graph of dependence between queries to the provers is a tree and, in a somewhat weaker form, when this graph is a cycle.


2016 ◽  
Vol 224 (1) ◽  
pp. 93-167 ◽  
Author(s):  
JAY TAYLOR

Let $\mathbf{G}$ be a connected reductive algebraic group over an algebraic closure $\overline{\mathbb{F}_{p}}$ of the finite field of prime order $p$ and let $F:\mathbf{G}\rightarrow \mathbf{G}$ be a Frobenius endomorphism with $G=\mathbf{G}^{F}$ the corresponding $\mathbb{F}_{q}$-rational structure. One of the strongest links we have between the representation theory of $G$ and the geometry of the unipotent conjugacy classes of $\mathbf{G}$ is a formula, due to Lusztig (Adv. Math. 94(2) (1992), 139–179), which decomposes Kawanaka’s Generalized Gelfand–Graev Representations (GGGRs) in terms of characteristic functions of intersection cohomology complexes defined on the closure of a unipotent class. Unfortunately, the formula given in Lusztig (Adv. Math. 94(2) (1992), 139–179) is only valid under the assumption that $p$ is large enough. In this article, we show that Lusztig’s formula for GGGRs holds under the much milder assumption that $p$ is an acceptable prime for $\mathbf{G}$ ($p$ very good is sufficient but not necessary). As an application we show that every irreducible character of $G$, respectively, character sheaf of $\mathbf{G}$, has a unique wave front set, respectively, unipotent support, whenever $p$ is good for $\mathbf{G}$.


2019 ◽  
Vol 18 (09) ◽  
pp. 1950172 ◽  
Author(s):  
Nafaa Chbili

In a recent paper, we studied the interaction between the automorphism group of a graph and its Tutte polynomial. More precisely, we proved that certain symmetries of graphs are clearly reflected by their Tutte polynomials. The purpose of this paper is to extend this study to other graph polynomials. In particular, we prove that if a graph [Formula: see text] has a symmetry of prime order [Formula: see text], then its characteristic polynomial, with coefficients in the finite field [Formula: see text], is determined by the characteristic polynomial of its quotient graph [Formula: see text]. Similar results are also proved for some generalization of the Tutte polynomial.


Author(s):  
Nicholas M. Katz

This introductory chapter sets out the book's focus, namely equidistribution results over larger and larger finite extensions of a given finite field. Emanuel Kowalski drew attention to the interest of having equidistribution results over, for example, prime fields 𝔽p, that become better and better as p grows. This question is addressed in Chapter 28, where the problem is to make effective the estimates, already given in the equicharacteristic setting of larger and larger extensions of a given finite field. Chapter 29 points out some open questions about “the situation over ℤ” and gives some illustrative examples. The chapter concludes by pointing out two potential ambiguities of notation.


Author(s):  
Kannan Balasubramanian ◽  
Mala K.

Zero knowledge protocols provide a way of proving that a statement is true without revealing anything other than the correctness of the claim. They have practical applications in cryptography: while some applications exist only at the specification level, a line of research has produced real-world applications. Zero knowledge protocols, also referred to as zero knowledge proofs, are a type of protocol in which one party, called the prover, tries to convince the other party, called the verifier, that a given statement is true. Sometimes the statement is that the prover possesses a particular piece of information; this special case is called a zero-knowledge proof of knowledge. Formally, a zero-knowledge proof is a type of interactive proof.
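The multiplication gate at the heart of the arithmetic-circuit proofs in the Cramer-Damgård abstract above, and the prover/verifier roles described in this paragraph, as an added example that is not the code of either paper: Pedersen commitments in a prime-order group (the discrete-log setting the first abstract lists among its assumptions) and the standard three-move sigma protocol showing that com(c) hides a·b given com(a) and com(b). The toy group p = 2039, q = 1019, g = 4, h = 9 is this example's own assumption; the soundness error is 1/q per run, so a real instance needs a large q or many repetitions, as in the abstract's 2^−n error bound. The simulator shows the zero-knowledge side: an accepting transcript for a known challenge needs no witness at all.

```python
"""Pedersen commitments over a prime-order group, and a three-move
zero-knowledge proof that a committed value is the product of two other
committed values (one multiplication gate of an arithmetic circuit)."""
import secrets

# Toy group, an assumption of this demo: p = 2039 = 2*1019 + 1 is a safe prime,
# g = 2^2 and h = 3^2 are squares mod p, hence generators of the subgroup of
# prime order q = 1019.  log_g(h) must be unknown to the prover for the
# commitment to be binding; in a real deployment use a 2048-bit group.
P, Q, G, H = 2039, 1019, 4, 9


def commit(v, r):
    """Pedersen commitment g^v h^r: hiding (r random) and homomorphic,
    commit(v1, r1) * commit(v2, r2) == commit(v1 + v2, r1 + r2)."""
    return pow(G, v % Q, P) * pow(H, r % Q, P) % P


def mul_announce(B, a, ra, rb, rc):
    """Prover, move 1.  Masks the witness a with a fresh random d:
    m1 = com(d), m2 = B^d h^s2 (a commitment to d*b with randomness d*rb + s2)."""
    d, s1, s2 = (secrets.randbelow(Q) for _ in range(3))
    m1 = commit(d, s1)
    m2 = pow(B, d, P) * pow(H, s2, P) % P
    return (m1, m2), (a, ra, rb, rc, d, s1, s2)


def mul_respond(state, e):
    """Prover, move 3: linear responses to the verifier's challenge e."""
    a, ra, rb, rc, d, s1, s2 = state
    return ((d + e * a) % Q, (s1 + e * ra) % Q, (s2 + e * (rc - a * rb)) % Q)


def mul_verify(A, B, C, announce, e, resp):
    """Verifier: both checks hold for every e iff C commits to a*b.  A prover
    who committed to a different product passes only if g^e == 1, i.e. never
    for 1 <= e < q (probability 1/q over a uniformly random challenge)."""
    m1, m2 = announce
    z, z1, z2 = resp
    return (commit(z, z1) == m1 * pow(A, e, P) % P
            and pow(B, z, P) * pow(H, z2, P) % P == m2 * pow(C, e, P) % P)


def mul_simulate(A, B, C, e):
    """Honest-verifier zero-knowledge: given the challenge in advance, an
    accepting transcript is produced without knowing a, b or the randomness.
    (pow with a negative exponent and a modulus needs Python 3.8+.)"""
    z, z1, z2 = (secrets.randbelow(Q) for _ in range(3))
    m1 = commit(z, z1) * pow(A, -e, P) % P
    m2 = pow(B, z, P) * pow(H, z2, P) * pow(C, -e, P) % P
    return (m1, m2), (z, z1, z2)


def run_gate(a, b):
    """Run the protocol for one gate c = a*b mod q.  Returns the triple
    (honest prover accepted, prover with wrong product accepted,
     simulated transcript accepted)."""
    c = a * b % Q
    ra, rb, rc = (secrets.randbelow(Q) for _ in range(3))
    A, B, C = commit(a, ra), commit(b, rb), commit(c, rc)
    e = 1 + secrets.randbelow(Q - 1)          # verifier's challenge, never 0

    ann, state = mul_announce(B, a, ra, rb, rc)
    honest = mul_verify(A, B, C, ann, e, mul_respond(state, e))

    C_bad = commit((c + 1) % Q, rc)           # claims a*b + 1 instead of a*b
    ann, state = mul_announce(B, a, ra, rb, rc)
    cheat = mul_verify(A, B, C_bad, ann, e, mul_respond(state, e))

    sim_ann, sim_resp = mul_simulate(A, B, C, e)
    simulated = mul_verify(A, B, C, sim_ann, e, sim_resp)
    return honest, cheat, simulated


if __name__ == "__main__":
    print(run_gate(3, 7))      # (True, False, True)
```

A full circuit proof commits to every wire and runs this gate proof (and the cheaper homomorphic check for addition gates) for each gate, which is where the O(n^2)-bit communication for n multiplications in the abstract comes from; replacing the interactive challenge with a hash of the announcements (Fiat-Shamir) makes the proof a single message.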


2019 ◽  
Vol 29 (4) ◽  
pp. 487-518 ◽  
Author(s):  
Ulrich Berger ◽  
Alison Jones ◽  
Monika Seisenberger

This article outlines a proof-theoretic approach to developing correct and terminating monadic parsers. Using modified realizability, we extract formally verified and terminating programs from formal proofs. By extracting both primitive parsers and parser combinators, it is ensured that all complex parsers built from these are also correct, complete and terminating for any input. We demonstrate the viability of our approach by means of two case studies: we extract (i) a small arithmetic calculator and (ii) a non-deterministic natural language parser. The work is being carried out in the interactive proof system Minlog.


Author(s):  
J. BOURGAIN ◽  
M. Z. GARAEV

Let F_p be the field of prime order p and F_p^* its multiplicative group. In this paper we obtain a variant of sum-product estimates which in particular implies the bound for any subset A ⊂ F_p with 1 < |A| < p^{12/23}. Then we apply our estimate to obtain explicit bounds for some exponential sums in F_p. We show that for any subsets X, Y, Z ⊂ F_p^* and any complex numbers α_x, β_y, γ_z with |α_x| ≤ 1, |β_y| ≤ 1, |γ_z| ≤ 1, the following bound holds: We apply this bound further to show that if H is a subgroup of F_p^* with |H| > p^{1/4}, then Finally we show that if g is a generator of F_p^* then for any M < p the number of solutions of the equation is less than $M^{3-1/24+o(1)}\Bigl(1+(M^2/p)^{1/24}\Bigr)$. This implies that if p^{1/2} < M < p, then


Author(s):  
Anatoliy V. Bessalov

A method is proposed for finding cryptographically strong elliptic curves in Edwards form (with parameter d a non-square in the field) over extension fields of small characteristic p ≠ 2, 3. For these curves the point addition law is complete, so they are called complete Edwards curves. In the first stage we find, over the small prime fields F_5 and F_7, the parameters d of complete Edwards curves of minimum order. For both curves we obtain the same value d = 3, which is a non-square in both fields. Next, using recurrence formulae, we compute for both curves the orders 4n (where n is odd) over the extension fields with prime extension degree m within the range of known cryptographic standards (field modulus of the same bit length, 200 ... 600 bits). The computed values n are tested for primality, and the extensions m that give a pseudoprime curve order 4n with prime n are selected; this gives the curve the highest resistance to solving the discrete logarithm problem. As a result, over fields of characteristic p = 5 we obtain two curves, with extension degrees m = 181 and m = 277, and over fields of characteristic p = 7 one curve, with m = 127; for each the corresponding large prime n is determined. The next stage is the computation of the other system parameters of cryptosystems based on complete Edwards curves over fields of characteristic 5 and 7. The arithmetic of the extension fields is based on irreducible primitive polynomials P(z) of degree m. Tables of such polynomials P(z) were found and constructed (10 different polynomials for each value of m, for each of the characteristics p = 5 and p = 7). For each polynomial the coordinates of a random point P on the curve are computed by the developed method; the possible order of this point is 4n, 2n or n. Doubling this point twice gives the coordinates of 30 different generators G = 4P of prime order n for the cryptosystems. The result is a set of parameters that satisfy the standard cryptographic requirements and can be recommended for designing cryptosystems.
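The procedure in this abstract, as an added runnable example that is not the author's code: check that d is a non-square, count the curve over the base field, carry the order to F_{p^m} with the trace recurrence, test n = #E/4 for primality, and use the complete addition law (with 4P to kill the cofactor). It uses the parameters the abstract names, p in {5, 7} and d = 3; the exhaustive base-field point count and the fixed-base Miller-Rabin test are this example's own choices, and the scalar multiplication is shown over the base field only (the extension-field arithmetic with the polynomials P(z) is not reproduced here).

```python
"""Complete Edwards curves x^2 + y^2 = 1 + d x^2 y^2 over F_p, and the
recurrence that gives their order over the extension field F_{p^m}."""


def is_nonsquare(d, p):
    """Euler's criterion for odd p; d a non-square makes the addition law complete."""
    return d % p != 0 and pow(d % p, (p - 1) // 2, p) == p - 1


def ed_add(pt1, pt2, p, d):
    """Complete Edwards addition over F_p.  With d a non-square, 1 +/- d*x1*x2*y1*y2
    is never 0, so there are no exceptional cases and no branch on the inputs."""
    x1, y1 = pt1
    x2, y2 = pt2
    k = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + y1 * x2) * pow(1 + k, -1, p) % p
    y3 = (y1 * y2 - x1 * x2) * pow(1 - k, -1, p) % p
    return x3, y3


def ed_mul(n, pt, p, d):
    """Double-and-add scalar multiplication; (0, 1) is the neutral element."""
    acc, base = (0, 1), pt
    while n:
        if n & 1:
            acc = ed_add(acc, base, p, d)
        base = ed_add(base, base, p, d)
        n >>= 1
    return acc


def curve_points(p, d):
    """All affine points over the base field F_p, by exhaustive O(p^2) search
    (only sensible for the tiny base fields used here)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (x * x + y * y - 1 - d * x * x * y * y) % p == 0]


def order_over_extension(p, t, m):
    """#E(F_{p^m}) = p^m + 1 - s_m, where s_k = alpha^k + beta^k for the roots
    alpha, beta of T^2 - t*T + p and t = p + 1 - #E(F_p) is the trace.
    s_k satisfies s_k = t*s_{k-1} - p*s_{k-2} with s_0 = 2, s_1 = t."""
    s_prev, s = 2, t
    for _ in range(m - 1):
        s_prev, s = s, t * s - p * s_prev
    return p ** m + 1 - s


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin: deterministic for n < 3.3e24 with these bases, and a strong
    probable-prime test for the hundreds-of-bits values n met below."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def cryptographic_degrees(p, d, m_range):
    """Prime extension degrees m in m_range for which #E(F_{p^m}) = 4n with n prime,
    returned as (m, n) pairs.  4 always divides the order because E(F_p) is a subgroup."""
    t = p + 1 - len(curve_points(p, d))
    found = []
    for m in m_range:
        if not is_probable_prime(m):
            continue
        order = order_over_extension(p, t, m)
        if order % 4 == 0 and is_probable_prime(order // 4):
            found.append((m, order // 4))
    return found


if __name__ == "__main__":
    for p in (5, 7):
        print(p, is_nonsquare(3, p), len(curve_points(p, 3)),
              cryptographic_degrees(p, 3, range(2, 300)))
```

Over F_5 and F_7 the curve with d = 3 has only the four points of order dividing 4, so every point P satisfies 4P = (0, 1); over an extension with order 4n the same multiplication by 4 removes that cofactor and leaves a generator of prime order n, which is the G = 4P step of the abstract.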

