feat: breaking change (unstable) (#198)

* [PUBLISHER] upload files #175

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryption.md

* [PUBLISHER] upload files #177

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryptio.md

* [PUBLISHER] upload files #178

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #179

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #180

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #181

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #182

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* [PUBLISHER] upload files #183

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #184

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #185

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #186

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* [PUBLISHER] upload files #187

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-19-symmetric-key-encryption.md

* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md

* [PUBLISHER] upload files #188

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-19-symmetric-key-encryption.md

* chore: remove files

* [PUBLISHER] upload files #197

* PUSH NOTE : 수학 공부에 대한 고찰.md

* PUSH NOTE : 09. Lp Functions.md

* PUSH ATTACHMENT : mt-09.png

* PUSH NOTE : 08. Comparison with the Riemann Integral.md

* PUSH ATTACHMENT : mt-08.png

* PUSH NOTE : 04. Measurable Functions.md

* PUSH ATTACHMENT : mt-04.png

* PUSH NOTE : 06. Convergence Theorems.md

* PUSH ATTACHMENT : mt-06.png

* PUSH NOTE : 07. Dominated Convergence Theorem.md

* PUSH ATTACHMENT : mt-07.png

* PUSH NOTE : 05. Lebesgue Integration.md

* PUSH ATTACHMENT : mt-05.png

* PUSH NOTE : 03. Measure Spaces.md

* PUSH ATTACHMENT : mt-03.png

* PUSH NOTE : 02. Construction of Measure.md

* PUSH ATTACHMENT : mt-02.png

* PUSH NOTE : 01. Algebra of Sets and Set Functions.md

* PUSH ATTACHMENT : mt-01.png

* PUSH NOTE : Rules of Inference with Coq.md

* PUSH NOTE : 블로그 이주 이야기.md

* PUSH NOTE : Secure IAM on AWS with Multi-Account Strategy.md

* PUSH ATTACHMENT : separation-by-product.png

* PUSH NOTE : You and Your Research, Richard Hamming.md

* PUSH NOTE : 10. Digital Signatures.md

* PUSH ATTACHMENT : mc-10-dsig-security.png

* PUSH ATTACHMENT : mc-10-schnorr-identification.png

* PUSH NOTE : 9. Public Key Encryption.md

* PUSH ATTACHMENT : mc-09-ss-pke.png

* PUSH NOTE : 8. Number Theory.md

* PUSH NOTE : 7. Key Exchange.md

* PUSH ATTACHMENT : mc-07-dhke.png

* PUSH ATTACHMENT : mc-07-dhke-mitm.png

* PUSH ATTACHMENT : mc-07-merkle-puzzles.png

* PUSH NOTE : 6. Hash Functions.md

* PUSH ATTACHMENT : mc-06-merkle-damgard.png

* PUSH ATTACHMENT : mc-06-davies-meyer.png

* PUSH ATTACHMENT : mc-06-hmac.png

* PUSH NOTE : 5. CCA-Security and Authenticated Encryption.md

* PUSH ATTACHMENT : mc-05-ci.png

* PUSH ATTACHMENT : mc-05-etm-mte.png

* PUSH NOTE : 1. OTP, Stream Ciphers and PRGs.md

* PUSH ATTACHMENT : mc-01-prg-game.png

* PUSH ATTACHMENT : mc-01-ss.png

* PUSH NOTE : 4. Message Authentication Codes.md

* PUSH ATTACHMENT : mc-04-mac.png

* PUSH ATTACHMENT : mc-04-mac-security.png

* PUSH ATTACHMENT : mc-04-cbc-mac.png

* PUSH ATTACHMENT : mc-04-ecbc-mac.png

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH ATTACHMENT : is-03-ecb-encryption.png

* PUSH ATTACHMENT : is-03-cbc-encryption.png

* PUSH ATTACHMENT : is-03-ctr-encryption.png

* PUSH NOTE : 2. PRFs, PRPs and Block Ciphers.md

* PUSH ATTACHMENT : mc-02-block-cipher.png

* PUSH ATTACHMENT : mc-02-feistel-network.png

* PUSH ATTACHMENT : mc-02-des-round.png

* PUSH ATTACHMENT : mc-02-DES.png

* PUSH ATTACHMENT : mc-02-aes-128.png

* PUSH ATTACHMENT : mc-02-2des-mitm.png

* PUSH NOTE : 18. Bootstrapping & CKKS.md

* PUSH NOTE : 17. BGV Scheme.md

* PUSH NOTE : 16. The GMW Protocol.md

* PUSH ATTACHMENT : mc-16-beaver-triple.png

* PUSH NOTE : 15. Garbled Circuits.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* PUSH NOTE : 13. Sigma Protocols.md

* PUSH ATTACHMENT : mc-13-sigma-protocol.png

* PUSH ATTACHMENT : mc-13-okamoto.png

* PUSH ATTACHMENT : mc-13-chaum-pedersen.png

* PUSH ATTACHMENT : mc-13-gq-protocol.png

* PUSH NOTE : 12. Zero-Knowledge Proofs (Introduction).md

* PUSH ATTACHMENT : mc-12-id-protocol.png

* PUSH NOTE : 11. Advanced Topics.md

* PUSH NOTE : 0. Introduction.md

* PUSH NOTE : 02. Symmetric Key Cryptography (1).md

* PUSH NOTE : 09. Transport Layer Security.md

* PUSH ATTACHMENT : is-09-tls-handshake.png

* PUSH NOTE : 08. Public Key Infrastructure.md

* PUSH ATTACHMENT : is-08-certificate-validation.png

* PUSH NOTE : 07. Public Key Cryptography.md

* PUSH NOTE : 06. RSA and ElGamal Encryption.md

* PUSH NOTE : 05. Modular Arithmetic (2).md

* PUSH NOTE : 03. Symmetric Key Cryptography (2).md

* PUSH ATTACHMENT : is-03-feistel-function.png

* PUSH ATTACHMENT : is-03-cfb-encryption.png

* PUSH ATTACHMENT : is-03-ofb-encryption.png

* PUSH NOTE : 04. Modular Arithmetic (1).md

* PUSH NOTE : 01. Security Introduction.md

* PUSH ATTACHMENT : is-01-cryptosystem.png

* PUSH NOTE : Search Time in Hash Tables.md

* PUSH NOTE : 랜덤 PS일지 (1).md

* chore: rearrange articles

* feat: fix paths

* feat: fix all broken links

* feat: title font to palatino
2024-11-13 14:28:45 +09:00
committed by GitHub
parent c9f7af5f3d
commit 23aeb29ad8
78 changed files with 2105 additions and 2030 deletions


@@ -56,7 +56,7 @@ The **soundness** property says that it is infeasible for any prover to make the
> 1. The adversary chooses a statement $y^{\ast} \in \mc{Y}$ and gives it to the challenger.
> 2. The adversary interacts with the verifier $V(y^{\ast})$, where the challenger plays the role of verifier, and the adversary is a possibly *cheating* prover.
>
> The adversary wins if $V(y^{\ast})$ outputs $\texttt{accept}$ but $y^{\ast} \notin L_\mc{R}$. The advantage of $\mc{A}$ with respect to $\Pi$ is denoted $\rm{Adv}_{\rm{Snd}}[\mc{A}, \Pi]$ and defined as the probability that $\mc{A}$ wins the game.
> The adversary wins if $V(y^{\ast})$ outputs $\texttt{accept}$ but $y^{\ast} \notin L _ \mc{R}$. The advantage of $\mc{A}$ with respect to $\Pi$ is denoted $\rm{Adv} _ {\rm{Snd}}[\mc{A}, \Pi]$ and defined as the probability that $\mc{A}$ wins the game.
>
> If the advantage is negligible for all efficient adversaries $\mc{A}$, then $\Pi$ is **sound**.
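Review bot: the edit on this line (and in every hunk below) appears to be a rendering workaround, padding `_` to ` _ ` inside inline `$...$` spans so the markdown engine stops pairing underscores as emphasis, but neither the commit message nor the file records that reason; a one-line note in the commit message (or a comment near the top of the post) explaining why `$L _ \mc{R}$` and `$\rm{Adv} _ {\rm{Snd}}[\mc{A}, \Pi]$` are written with spaces would stop the next editor from "fixing" them back. Since TeX ignores whitespace in math mode, the rendered formulas are unchanged by this hunk.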
@@ -81,7 +81,7 @@ We also require that the challenge space is large, the challenger shouldn't be a
> For every efficient adversary $\mc{A}$,
>
> $$
> \rm{Adv}_{\rm{Snd}}[\mc{A}, \Pi] \leq \frac{1}{N}
> \rm{Adv} _ {\rm{Snd}}[\mc{A}, \Pi] \leq \frac{1}{N}
> $$
>
> where $N$ is the size of the challenge space.
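Review bot: this hunk pads the underscore inside a display block delimited by `$$` on its own lines, where the padding is not needed with kramdown (Jekyll's default), which treats such a block as a math block and does not apply span parsing to its contents; `\rm{Adv} _ {\rm{Snd}}` here is harmless but optional. If the padding is meant to be applied everywhere for consistency, say so once in the commit message; otherwise limiting it to inline `$...$` spans keeps the display formulas readable in source.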
@@ -112,24 +112,24 @@ The Schnorr identification protocol is actually a sigma protocol. Refer to [Schn
> The pair $(P, V)$ is a sigma protocol for the relation $\mc{R} \subset \mc{X} \times \mc{Y}$ where
>
> $$
> \mc{X} = \bb{Z}_q, \quad \mc{Y} = G, \quad \mc{R} = \left\lbrace (\alpha, u) \in \bb{Z}_q \times G : g^\alpha = u \right\rbrace.
> \mc{X} = \bb{Z} _ q, \quad \mc{Y} = G, \quad \mc{R} = \left\lbrace (\alpha, u) \in \bb{Z} _ q \times G : g^\alpha = u \right\rbrace.
> $$
>
> The challenge space $\mc{C}$ is a subset of $\bb{Z}_q$.
> The challenge space $\mc{C}$ is a subset of $\bb{Z} _ q$.
The protocol provides **special soundness**. If $(u_t, c, \alpha_z)$ and $(u_t, c', \alpha_z')$ are two accepting conversations with $c \neq c'$, then we have
The protocol provides **special soundness**. If $(u _ t, c, \alpha _ z)$ and $(u _ t, c', \alpha _ z')$ are two accepting conversations with $c \neq c'$, then we have
$$
g^{\alpha_z} = u_t \cdot u^c, \quad g^{\alpha_z'} = u_t \cdot u^{c'},
g^{\alpha _ z} = u _ t \cdot u^c, \quad g^{\alpha _ z'} = u _ t \cdot u^{c'},
$$
so we have $g^{\alpha_z - \alpha_z'} = u^{c - c'}$. Setting $\alpha^{\ast} = (\alpha_z - \alpha_z') /(c - c')$ satisfies $g^{\alpha^{\ast}} = u$, solving the discrete logarithm and $\alpha^{\ast}$ is a proof.
so we have $g^{\alpha _ z - \alpha _ z'} = u^{c - c'}$. Setting $\alpha^{\ast} = (\alpha _ z - \alpha _ z') /(c - c')$ satisfies $g^{\alpha^{\ast}} = u$, solving the discrete logarithm and $\alpha^{\ast}$ is a proof.
As for HVZK, the simulator chooses $\alpha_z \la \bb{Z}_q$, $c \la \mc{C}$ randomly and sets $u_t = g^{\alpha_z} \cdot u^{-c}$. Then $(u_t, c, \alpha_z)$ will be accepted. *Note that the order doesn't matter.* Also, the distribution is same, since $c$ and $\alpha_z$ are uniform over $\mc{C}$ and $\bb{Z}_q$ and the choice of $c$ and $\alpha_z$ determines $u_t$ uniquely. This is identical to the distribution in the actual protocol.
As for HVZK, the simulator chooses $\alpha _ z \la \bb{Z} _ q$, $c \la \mc{C}$ randomly and sets $u _ t = g^{\alpha _ z} \cdot u^{-c}$. Then $(u _ t, c, \alpha _ z)$ will be accepted. *Note that the order doesn't matter.* Also, the distribution is same, since $c$ and $\alpha _ z$ are uniform over $\mc{C}$ and $\bb{Z} _ q$ and the choice of $c$ and $\alpha _ z$ determines $u _ t$ uniquely. This is identical to the distribution in the actual protocol.
### Dishonest Verifier
In case of dishonest verifiers, $V$ may not follow the protocol. For example, $V$ may choose non-uniform $c \in \mc{C}$ depending on the commitment $u_t$. In this case, the conversation from the actual protocol and the conversation generated by the simulator will have different distributions.
In case of dishonest verifiers, $V$ may not follow the protocol. For example, $V$ may choose non-uniform $c \in \mc{C}$ depending on the commitment $u _ t$. In this case, the conversation from the actual protocol and the conversation generated by the simulator will have different distributions.
We need a different distribution. The simulator must also take the verifier's actions as input, to properly simulate the dishonest verifier.
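Review bot: "We need a different distribution." in the last context line misstates the point; the distribution of real conversations is whatever $V^{\ast}$ induces, and what has to change is the simulator, which must take $V^{\ast}$'s behaviour as input, exactly as the following sentence says. Suggest "We need a different simulator." Also, in the special-soundness argument, the division $(\alpha _ z - \alpha _ z')/(c - c')$ is performed in $\bb{Z} _ q$ and needs $c - c'$ to be invertible, which holds because $c \neq c'$ and $q$ is prime; worth stating, since it is precisely why the challenge space is taken as a subset of $\bb{Z} _ q$.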
@@ -137,8 +137,8 @@ We need a different distribution. The simulator must also take the verifier's ac
The original protocol can be modified so that the challenge space $\mc{C}$ is smaller. Completeness property is obvious, and the soundness error grows, but we can always repeat the protocol.
As for zero knowledge, the simulator $\rm{Sim}_{V^{\ast}}(u)$ generates a verifier's view $(u, c, z)$ as follows.
- Guess $c' \la \mc{C}$. Sample $z' \la \bb{Z}_q$ and set $u' = g^{z'}\cdot u^{-c'}$. Send $u'$ to $V^{\ast}$.
As for zero knowledge, the simulator $\rm{Sim} _ {V^{\ast}}(u)$ generates a verifier's view $(u, c, z)$ as follows.
- Guess $c' \la \mc{C}$. Sample $z' \la \bb{Z} _ q$ and set $u' = g^{z'}\cdot u^{-c'}$. Send $u'$ to $V^{\ast}$.
- If the response from the verifier $V^{\ast}(u')$ is $c$ and $c \neq c'$, restart.
- $c = c'$ holds with probability $1 / \left\lvert \mc{C} \right\lvert$, since $c'$ is uniform.
- Otherwise, output $(u, c, z) = (u', c', z')$.
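Review bot: the simulator restarts until $V^{\ast}$'s challenge matches the guess, so its expected running time is $\left\lvert \mc{C} \right\rvert$ iterations; the hunk states that $c = c'$ happens with probability $1 / \left\lvert \mc{C} \right\rvert$ but never closes the loop by saying that this is why $\mc{C}$ had to be shrunk (to constant size, say), with repetition restoring the soundness error. One sentence after the last bullet would do. Minor: the closing delimiter in `$1 / \left\lvert \mc{C} \right\lvert$` should be `\right\rvert`.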
@@ -155,22 +155,22 @@ But in most cases, it is enough to assume honest verifiers, as we will see soon.
This one is similar to Schnorr protocol. This is used for proving the representation of a group element.
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$, let $h \in G$ be some arbitrary group element, fixed as a system parameter. A **representation** of $u$ relative to $g$ and $h$ is a pair $(\alpha, \beta) \in \bb{Z}_q^2$ such that $g^\alpha h^\beta = u$.
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$, let $h \in G$ be some arbitrary group element, fixed as a system parameter. A **representation** of $u$ relative to $g$ and $h$ is a pair $(\alpha, \beta) \in \bb{Z} _ q^2$ such that $g^\alpha h^\beta = u$.
**Okamoto's protocol** for the relation
$$
\mc{R} = \bigg\lbrace \big( (\alpha, \beta), u \big) \in \bb{Z}_q^2 \times G : g^\alpha h^\beta = u \bigg\rbrace
\mc{R} = \bigg\lbrace \big( (\alpha, \beta), u \big) \in \bb{Z} _ q^2 \times G : g^\alpha h^\beta = u \bigg\rbrace
$$
goes as follows.
![mc-13-okamoto.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-13-okamoto.png)
> 1. $P$ computes random $\alpha_t, \beta_t \la \bb{Z}_q$ and sends commitment $u_t \la g^{\alpha_t}h^{\beta_t}$ to $V$.
> 1. $P$ computes random $\alpha _ t, \beta _ t \la \bb{Z} _ q$ and sends commitment $u _ t \la g^{\alpha _ t}h^{\beta _ t}$ to $V$.
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
> 3. $P$ computes $\alpha_z \la \alpha_t + \alpha c$, $\beta_z \la \beta_t + \beta c$ and sends $(\alpha_z, \beta_z)$ to $V$.
> 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\alpha_z} h^{\beta_z} = u_t \cdot u^c$.
> 3. $P$ computes $\alpha _ z \la \alpha _ t + \alpha c$, $\beta _ z \la \beta _ t + \beta c$ and sends $(\alpha _ z, \beta _ z)$ to $V$.
> 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\alpha _ z} h^{\beta _ z} = u _ t \cdot u^c$.
Completeness is obvious.
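Review bot: the image reference `![mc-13-okamoto.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-13-okamoto.png)` in this hunk's context relies on the post sitting exactly three directories below the site root; since this same PR moves and renames posts ("chore: rearrange articles", "feat: fix all broken links"), a site-root-relative path (prefixed with the site's baseurl, if one is configured) would survive the next move without another link-fixing commit. The Chaum-Pedersen and GQ figures below use the same pattern.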
@@ -182,22 +182,22 @@ Completeness is obvious.
The **Chaum-Pederson protocol** is for convincing a verifier that a given triple is a DH-triple.
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. $(g^\alpha, g^\beta, g^\gamma)$ is a DH-triple if $\gamma = \alpha\beta$. Then, the triple $(u, v, w)$ is a DH-triple if and only if $v = g^\beta$ and $w = u^\beta$ for some $\beta \in \bb{Z}_q$.
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. $(g^\alpha, g^\beta, g^\gamma)$ is a DH-triple if $\gamma = \alpha\beta$. Then, the triple $(u, v, w)$ is a DH-triple if and only if $v = g^\beta$ and $w = u^\beta$ for some $\beta \in \bb{Z} _ q$.
The Chaum-Pederson protocol for the relation
$$
\mc{R} = \bigg\lbrace \big( \beta, (u, v, w) \big) \in \bb{Z}_q \times G^3 : v = g^\beta \land w = u^\beta \bigg\rbrace
\mc{R} = \bigg\lbrace \big( \beta, (u, v, w) \big) \in \bb{Z} _ q \times G^3 : v = g^\beta \land w = u^\beta \bigg\rbrace
$$
goes as follows.
![mc-13-chaum-pedersen.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-13-chaum-pedersen.png)
> 1. $P$ computes random $\beta_t \la \bb{Z}_q$ and sends commitment $v_t \la g^{\beta_t}$, $w_t \la u^{\beta_t}$ to $V$.
> 1. $P$ computes random $\beta _ t \la \bb{Z} _ q$ and sends commitment $v _ t \la g^{\beta _ t}$, $w _ t \la u^{\beta _ t}$ to $V$.
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
> 3. $P$ computes $\beta_z \la \beta_t + \beta c$, and sends it to $V$.
> 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\beta_z} = v_t \cdot v^c$ and $u^{\beta_z} = w_t \cdot w^c$.
> 3. $P$ computes $\beta _ z \la \beta _ t + \beta c$, and sends it to $V$.
> 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\beta _ z} = v _ t \cdot v^c$ and $u^{\beta _ z} = w _ t \cdot w^c$.
Completeness is obvious.
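Review bot: "Chaum-Pederson" in the first context line and in "The Chaum-Pederson protocol for the relation" is misspelled; the figure is `mc-13-chaum-pedersen.png` and the next hunk header says "Chaum-Pedersen", so the prose should read "Chaum-Pedersen" throughout. The hunk already touches the sentence right after the first occurrence, so this is the natural place to fix both.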
@@ -213,22 +213,22 @@ Schnorr, Okamoto, Chaum-Pedersen protocols look similar. They are special cases
### Sigma Protocol for RSA
Let $(n, e)$ be an RSA public key, where $e$ is prime. The **Guillou-Quisquater** (GQ) protocol is used to convince a verifier that he knows an $e$-th root of $y \in \bb{Z}_n^{\ast}$.
Let $(n, e)$ be an RSA public key, where $e$ is prime. The **Guillou-Quisquater** (GQ) protocol is used to convince a verifier that he knows an $e$-th root of $y \in \bb{Z} _ n^{\ast}$.
The Guillou-Quisquater protocol for the relation
$$
\mc{R} = \bigg\lbrace (x, y) \in \big( \bb{Z}_n^{\ast} \big)^2 : x^e = y \bigg\rbrace
\mc{R} = \bigg\lbrace (x, y) \in \big( \bb{Z} _ n^{\ast} \big)^2 : x^e = y \bigg\rbrace
$$
goes as follows.
![mc-13-gq-protocol.png](../../../assets/img/posts/lecture-notes/modern-cryptography/mc-13-gq-protocol.png)
> 1. $P$ computes random $x_t \la \bb{Z}_n^{\ast}$ and sends commitment $y_t \la x_t^e$ to $V$.
> 1. $P$ computes random $x _ t \la \bb{Z} _ n^{\ast}$ and sends commitment $y _ t \la x _ t^e$ to $V$.
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
> 3. $P$ computes $x_z \la x_t \cdot x^c$ and sends it to $V$.
> 4. $V$ outputs $\texttt{accept}$ if and only if $x_z^e = y_t \cdot y^c$.
> 3. $P$ computes $x _ z \la x _ t \cdot x^c$ and sends it to $V$.
> 4. $V$ outputs $\texttt{accept}$ if and only if $x _ z^e = y _ t \cdot y^c$.
Completeness is obvious.
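Review bot: the challenge space $\mc{C}$ is left undefined for the GQ protocol, and here it matters: a knowledge extractor working from $x _ z^e = y _ t \cdot y^c$ and $x _ z'^e = y _ t \cdot y^{c'}$ needs $\gcd(c - c', e) = 1$ to recover an $e$-th root of $y$, which is guaranteed when $\mc{C}$ is a set of non-negative integers below $e$ (for example $\lbrace 0, \ldots, e - 1 \rbrace$) because $e$ is prime; suggest stating that right after the relation. Also, "convince a verifier that he knows an $e$-th root" reads as though the verifier knows the root; "that the prover knows" is clearer.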
@@ -244,29 +244,29 @@ Using the basic sigma protocols, we can build sigma protocols for complex statem
The construction is straightforward, since we can just prove both statements.
Given two sigma protocols $(P_0, V_0)$ for $\mc{R}_0 \subset \mc{X}_0 \times \mc{Y}_0$ and $(P_1, V_1)$ for $\mc{R}_1 \subset \mc{X}_1 \times \mc{Y}_1$, we construct a sigma protocol for the relation $\mc{R}_\rm{AND}$ defined on $(\mc{X}_0 \times \mc{X}_1) \times (\mc{Y}_0 \times \mc{Y}_1)$ as
Given two sigma protocols $(P _ 0, V _ 0)$ for $\mc{R} _ 0 \subset \mc{X} _ 0 \times \mc{Y} _ 0$ and $(P _ 1, V _ 1)$ for $\mc{R} _ 1 \subset \mc{X} _ 1 \times \mc{Y} _ 1$, we construct a sigma protocol for the relation $\mc{R} _ \rm{AND}$ defined on $(\mc{X} _ 0 \times \mc{X} _ 1) \times (\mc{Y} _ 0 \times \mc{Y} _ 1)$ as
$$
\mc{R}_\rm{AND} = \bigg\lbrace \big( (x_0, x_1), (y_0, y_1) \big) : (x_0, y_0) \in \mc{R}_0 \land (x_1, y_1) \in \mc{R}_1 \bigg\rbrace.
\mc{R} _ \rm{AND} = \bigg\lbrace \big( (x _ 0, x _ 1), (y _ 0, y _ 1) \big) : (x _ 0, y _ 0) \in \mc{R} _ 0 \land (x _ 1, y _ 1) \in \mc{R} _ 1 \bigg\rbrace.
$$
Given a pair of statements $(y_0, y_1) \in \mc{Y}_0 \times \mc{Y}_1$, the prover tries to convince the verifier that he knows a proof $(x_0, x_1) \in \mc{X}_0 \times \mc{X}_1$. This is equivalent to proving the AND of both statements.
Given a pair of statements $(y _ 0, y _ 1) \in \mc{Y} _ 0 \times \mc{Y} _ 1$, the prover tries to convince the verifier that he knows a proof $(x _ 0, x _ 1) \in \mc{X} _ 0 \times \mc{X} _ 1$. This is equivalent to proving the AND of both statements.
> 1. $P$ runs $P_i(x_i, y_i)$ to get a commitment $t_i$. $(t_0, t_1)$ is sent to $V$.
> 1. $P$ runs $P _ i(x _ i, y _ i)$ to get a commitment $t _ i$. $(t _ 0, t _ 1)$ is sent to $V$.
> 2. $V$ computes challenge $c \la C$ and sends it to $P$.
> 3. $P$ uses the challenge for both $P_0, P_1$, obtains response $z_0$, $z_1$, which is sent to $V$.
> 4. $V$ outputs $\texttt{accept}$ if and only if $(t_i, c, z_i)$ is an accepting conversation for $y_i$.
> 3. $P$ uses the challenge for both $P _ 0, P _ 1$, obtains response $z _ 0$, $z _ 1$, which is sent to $V$.
> 4. $V$ outputs $\texttt{accept}$ if and only if $(t _ i, c, z _ i)$ is an accepting conversation for $y _ i$.
Completeness is clear.
> **Theorem.** If $(P_0, V_0)$ and $(P_1, V_1)$ provide special soundness and are special HVZK, then the AND protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
> **Theorem.** If $(P _ 0, V _ 0)$ and $(P _ 1, V _ 1)$ provide special soundness and are special HVZK, then the AND protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
*Proof*. For special soundness, let $\rm{Ext}_0$, $\rm{Ext}_1$ be the knowledge extractor for $(P_0, V_0)$ and $(P_1, V_1)$, respectively. Then the knowledge extractor $\rm{Ext}$ for $(P, V)$ can be constructed straightforward. For statements $(y_0, y_1)$, suppose that $\big( (t_0, t_1), c, (z_0, z_1) \big)$ and $\big( (t_0, t_1), c', (z_0', z_1') \big)$ are two accepting conversations. Feed $\big( y_0, (t_0, c, z_0), (t_0, c', z_0') \big)$ to $\rm{Ext}_0$, and feed $\big( y_1, (t_1, c, z_1), (t_1, c', z_1') \big)$ to $\rm{Ext}_1$.
*Proof*. For special soundness, let $\rm{Ext} _ 0$, $\rm{Ext} _ 1$ be the knowledge extractor for $(P _ 0, V _ 0)$ and $(P _ 1, V _ 1)$, respectively. Then the knowledge extractor $\rm{Ext}$ for $(P, V)$ can be constructed straightforward. For statements $(y _ 0, y _ 1)$, suppose that $\big( (t _ 0, t _ 1), c, (z _ 0, z _ 1) \big)$ and $\big( (t _ 0, t _ 1), c', (z _ 0', z _ 1') \big)$ are two accepting conversations. Feed $\big( y _ 0, (t _ 0, c, z _ 0), (t _ 0, c', z _ 0') \big)$ to $\rm{Ext} _ 0$, and feed $\big( y _ 1, (t _ 1, c, z _ 1), (t _ 1, c', z _ 1') \big)$ to $\rm{Ext} _ 1$.
For special HVZK, let $\rm{Sim}_0$ and $\rm{Sim}_1$ be simulators for each protocol. Then the simulator $\rm{Sim}$ for $(P, V)$ is built by using $(t_0, z_0) \la \rm{Sim}_0(y_0, c)$ and $(t_1, z_1) \la \rm{Sim}_1(y_1, c)$. Set
For special HVZK, let $\rm{Sim} _ 0$ and $\rm{Sim} _ 1$ be simulators for each protocol. Then the simulator $\rm{Sim}$ for $(P, V)$ is built by using $(t _ 0, z _ 0) \la \rm{Sim} _ 0(y _ 0, c)$ and $(t _ 1, z _ 1) \la \rm{Sim} _ 1(y _ 1, c)$. Set
$$
\big( (t_0, t_1), (z_0, z_1) \big) \la \rm{Sim}\big( (y_0, y_1), c \big).
\big( (t _ 0, t _ 1), (z _ 0, z _ 1) \big) \la \rm{Sim}\big( (y _ 0, y _ 1), c \big).
$$
We have used the fact that the challenge is used for both protocols.
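Review bot: step 2 draws a single challenge $c$ and feeds it to both $P _ 0$ and $P _ 1$, so the construction silently assumes that $(P _ 0, V _ 0)$ and $(P _ 1, V _ 1)$ share a challenge space (the OR section in the next hunk states this explicitly); add the same assumption here, and write the challenge as `$c \la \mc{C}$` rather than `$c \la C$` in step 2 to match the rest of the note. Minor: "can be constructed straightforward" should be "constructed straightforwardly" (or "is straightforward to construct").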
@@ -275,83 +275,83 @@ We have used the fact that the challenge is used for both protocols.
However, OR-proof construction is difficult. The prover must convince the verifier that either one of the statement is true, but **should not reveal which one is true.**
If the challenge is known in advance, the prover can cheat. We exploit this fact. For the proof of $y_0 \lor y_1$, do the real proof for $y_b$ and cheat for $y_{1-b}$.
If the challenge is known in advance, the prover can cheat. We exploit this fact. For the proof of $y _ 0 \lor y _ 1$, do the real proof for $y _ b$ and cheat for $y _ {1-b}$.
Suppose we are given two sigma protocols $(P_0, V_0)$ for $\mc{R}_0 \subset \mc{X}_0 \times \mc{Y}_0$ and $(P_1, V_1)$ for $\mc{R}_1 \subset \mc{X}_1 \times \mc{Y}_1$. We assume that these both use the same challenge space, and both are special HVZK with simulators $\rm{Sim}_0$ and $\rm{Sim}_1$.
Suppose we are given two sigma protocols $(P _ 0, V _ 0)$ for $\mc{R} _ 0 \subset \mc{X} _ 0 \times \mc{Y} _ 0$ and $(P _ 1, V _ 1)$ for $\mc{R} _ 1 \subset \mc{X} _ 1 \times \mc{Y} _ 1$. We assume that these both use the same challenge space, and both are special HVZK with simulators $\rm{Sim} _ 0$ and $\rm{Sim} _ 1$.
We combine the protocols to form a sigma protocol for the relation $\mc{R}_\rm{OR}$ defined on $\big( \braces{0, 1} \times (\mc{X}_0 \cup \mc{X}_1) \big) \times (\mc{Y}_0\times \mc{Y}_1)$ as
We combine the protocols to form a sigma protocol for the relation $\mc{R} _ \rm{OR}$ defined on $\big( \braces{0, 1} \times (\mc{X} _ 0 \cup \mc{X} _ 1) \big) \times (\mc{Y} _ 0\times \mc{Y} _ 1)$ as
$$
\mc{R}_\rm{OR} = \bigg\lbrace \big( (b, x), (y_0, y_1) \big): (x, y_b) \in \mc{R}_b\bigg\rbrace.
\mc{R} _ \rm{OR} = \bigg\lbrace \big( (b, x), (y _ 0, y _ 1) \big): (x, y _ b) \in \mc{R} _ b\bigg\rbrace.
$$
Here, $b$ denotes the actual statement $y_b$ to prove. For $y_{1-b}$, we cheat.
Here, $b$ denotes the actual statement $y _ b$ to prove. For $y _ {1-b}$, we cheat.
> $P$ is initialized with $\big( (b, x), (y_0, y_1) \big) \in \mc{R}_\rm{OR}$ and $V$ is initialized with $(y_0, y_1) \in \mc{Y}_0 \times \mc{Y}_1$. Let $d = 1 - b$.
> $P$ is initialized with $\big( (b, x), (y _ 0, y _ 1) \big) \in \mc{R} _ \rm{OR}$ and $V$ is initialized with $(y _ 0, y _ 1) \in \mc{Y} _ 0 \times \mc{Y} _ 1$. Let $d = 1 - b$.
>
> 1. $P$ computes $c_d \la \mc{C}$ and $(t_d, z_d) \la \rm{Sim}_d(y_d, c_d)$.
> 2. $P$ runs $P_b(x, y_b)$ to get a real commitment $t_b$ and sends $(t_0, t_1)$ to $V$.
> 1. $P$ computes $c _ d \la \mc{C}$ and $(t _ d, z _ d) \la \rm{Sim} _ d(y _ d, c _ d)$.
> 2. $P$ runs $P _ b(x, y _ b)$ to get a real commitment $t _ b$ and sends $(t _ 0, t _ 1)$ to $V$.
> 3. $V$ computes challenge $c \la C$ and sends it to $P$.
> 4. $P$ computes $c_b \la c \oplus c_d$, feeds it to $P_b(x, y_b)$ obtains a response $z_b$.
> 5. $P$ sends $(c_0, z_0, z_1)$ to $V$.
> 6. $V$ computes $c_1 \la c \oplus c_0$, and outputs $\texttt{accept}$ if and only if $(t_0, c_0, z_0)$ is an accepting conversation for $y_0$ and $(t_1, c_1, z_1)$ is an accepting conversation for $y_1$.
> 4. $P$ computes $c _ b \la c \oplus c _ d$, feeds it to $P _ b(x, y _ b)$ obtains a response $z _ b$.
> 5. $P$ sends $(c _ 0, z _ 0, z _ 1)$ to $V$.
> 6. $V$ computes $c _ 1 \la c \oplus c _ 0$, and outputs $\texttt{accept}$ if and only if $(t _ 0, c _ 0, z _ 0)$ is an accepting conversation for $y _ 0$ and $(t _ 1, c _ 1, z _ 1)$ is an accepting conversation for $y _ 1$.
Step $1$ is the cheating part, where the prover chooses a challenge, and generates a commitment and a response from the simulator.
Completeness follows from the following.
- $c_b = c \oplus c_{1-b}$, so $c_1 = c \oplus c_0$ always holds.
- Both conversations $(t_0, c_0, z_0)$ and $(t_1, c_1, z_1)$ are accepted.
- An actual proof is done for statement $y_b$.
- For statement $y_{1-b}$, the simulator always outputs an accepting conversation.
- $c _ b = c \oplus c _ {1-b}$, so $c _ 1 = c \oplus c _ 0$ always holds.
- Both conversations $(t _ 0, c _ 0, z _ 0)$ and $(t _ 1, c _ 1, z _ 1)$ are accepted.
- An actual proof is done for statement $y _ b$.
- For statement $y _ {1-b}$, the simulator always outputs an accepting conversation.
$c_b = c \oplus c_d$ is random, so $P$ cannot manipulate the challenge. Also, $V$ checks $c_1 = c \oplus c_0$.
$c _ b = c \oplus c _ d$ is random, so $P$ cannot manipulate the challenge. Also, $V$ checks $c _ 1 = c \oplus c _ 0$.
> **Theorem.** If $(P_0, V_0)$ and $(P_1, V_1)$ provide special soundness and are special HVZK, then the OR protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
> **Theorem.** If $(P _ 0, V _ 0)$ and $(P _ 1, V _ 1)$ provide special soundness and are special HVZK, then the OR protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
*Proof*. For special soundness, suppose that $\rm{Ext}_0$ and $\rm{Ext}_1$ are knowledge extractors. Let
*Proof*. For special soundness, suppose that $\rm{Ext} _ 0$ and $\rm{Ext} _ 1$ are knowledge extractors. Let
$$
\big( (t_0, t_1), c, (c_0, z_0, z_1) \big), \qquad \big( (t_0, t_1), c', (c_0', z_0', z_1') \big)
\big( (t _ 0, t _ 1), c, (c _ 0, z _ 0, z _ 1) \big), \qquad \big( (t _ 0, t _ 1), c', (c _ 0', z _ 0', z _ 1') \big)
$$
be two accepting conversations with $c \neq c'$. Define $c_1 = c \oplus c_0$ and $c_1' = c' \oplus c_0'$. Since $c \neq c'$, it must be the case that either $c_0 \neq c_0'$ or $c_1 \neq c_1'$. Now $\rm{Ext}$ will work as follows.
be two accepting conversations with $c \neq c'$. Define $c _ 1 = c \oplus c _ 0$ and $c _ 1' = c' \oplus c _ 0'$. Since $c \neq c'$, it must be the case that either $c _ 0 \neq c _ 0'$ or $c _ 1 \neq c _ 1'$. Now $\rm{Ext}$ will work as follows.
- If $c_0 \neq c_0'$, output $\bigg( 0, \rm{Ext}_0\big( y_0, (t_0, c_0, z_0), (t_0, c_0', z_0') \big) \bigg)$.
- If $c_1 \neq c_1'$, output $\bigg( 1, \rm{Ext}_1\big( y_1, (t_1, c_1, z_1), (t_1, c_1', z_1') \big) \bigg)$.
- If $c _ 0 \neq c _ 0'$, output $\bigg( 0, \rm{Ext} _ 0\big( y _ 0, (t _ 0, c _ 0, z _ 0), (t _ 0, c _ 0', z _ 0') \big) \bigg)$.
- If $c _ 1 \neq c _ 1'$, output $\bigg( 1, \rm{Ext} _ 1\big( y _ 1, (t _ 1, c _ 1, z _ 1), (t _ 1, c _ 1', z _ 1') \big) \bigg)$.
Then $\rm{Ext}$ will extract the knowledge.
For special HVZK, define $c_0 \la \mc{C}$, $c_1 \la c \oplus c_0$. Then run each simulator to get
For special HVZK, define $c _ 0 \la \mc{C}$, $c _ 1 \la c \oplus c _ 0$. Then run each simulator to get
$$
(t_0, z_0) \la \rm{Sim}_0(y_0, c_0), \quad (t_1, z_1) \la \rm{Sim}_1(y_1, c_1).
(t _ 0, z _ 0) \la \rm{Sim} _ 0(y _ 0, c _ 0), \quad (t _ 1, z _ 1) \la \rm{Sim} _ 1(y _ 1, c _ 1).
$$
Then the simulator for $(P, V)$ outputs
$$
\big( (t_0, t_1), (c_0, z_0, z_1) \big) \la \rm{Sim}\big( (y_0, y_1), c \big).
\big( (t _ 0, t _ 1), (c _ 0, z _ 0, z _ 1) \big) \la \rm{Sim}\big( (y _ 0, y _ 1), c \big).
$$
The simulator just simulates for both of the statements and returns the messages as in the protocol. $c_b$ is random, and the remaining values have the same distribution since the original two protocols were special HVZK.
The simulator just simulates for both of the statements and returns the messages as in the protocol. $c _ b$ is random, and the remaining values have the same distribution since the original two protocols were special HVZK.
### Example: OR of Sigma Protocols with Schnorr Protocol
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. The prover wants to convince the verifier that he knows the discrete logarithm of either $h_0$ or $h_1$ in $G$.
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. The prover wants to convince the verifier that he knows the discrete logarithm of either $h _ 0$ or $h _ 1$ in $G$.
Suppose that the prover knows $x_b \in \bb{Z}_q$ such that $g^{x_b} = h_b$.
Suppose that the prover knows $x _ b \in \bb{Z} _ q$ such that $g^{x _ b} = h _ b$.
> 1. Choose $c_{1-b} \la \mc{C}$ and call simulator of $1-b$ to obtain $(u_{1-b}, z_{1-b}) \la \rm{Sim}_{1-b}$.
> 2. $P$ sends two commitments $u_0, u_1$.
> - For $u_b$, choose random $y \la \bb{Z}_q$ and set $u_b = g^y$.
> - For $u_{1-b}$, use the value from the simulator.
> 1. Choose $c _ {1-b} \la \mc{C}$ and call simulator of $1-b$ to obtain $(u _ {1-b}, z _ {1-b}) \la \rm{Sim} _ {1-b}$.
> 2. $P$ sends two commitments $u _ 0, u _ 1$.
> - For $u _ b$, choose random $y \la \bb{Z} _ q$ and set $u _ b = g^y$.
> - For $u _ {1-b}$, use the value from the simulator.
> 3. $V$ sends a single challenge $c \la \mc{C}$.
> 4. Using $c_{1-b}$, split the challenge into $c_0$, $c_1$ so that they satisfy $c_0 \oplus c_1 = c$. Then send $(c_0, c_1, z_0, z_1)$ to $V$.
> - For $z_b$, calculate $z_b \la y + c_b x$.
> - For $z_{1-b}$, use the value from the simulator.
> 5. $V$ checks if $c = c_0 \oplus c_1$. $V$ accepts if and only if $(u_0, c_0, z_0)$ and $(u_1, c_1, z_1)$ are both accepting conversations.
> 4. Using $c _ {1-b}$, split the challenge into $c _ 0$, $c _ 1$ so that they satisfy $c _ 0 \oplus c _ 1 = c$. Then send $(c _ 0, c _ 1, z _ 0, z _ 1)$ to $V$.
> - For $z _ b$, calculate $z _ b \la y + c _ b x$.
> - For $z _ {1-b}$, use the value from the simulator.
> 5. $V$ checks if $c = c _ 0 \oplus c _ 1$. $V$ accepts if and only if $(u _ 0, c _ 0, z _ 0)$ and $(u _ 1, c _ 1, z _ 1)$ are both accepting conversations.
- Since $c, c_{1-b}$ are random, $c_b$ is random. Thus one of the proofs must be valid.
- Since $c, c _ {1-b}$ are random, $c _ b$ is random. Thus one of the proofs must be valid.
### Generalized Constructions
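Review bot: in step 4 the response $z _ b \la y + c _ b x$ uses an $x$ that is never defined in this protocol; the witness introduced above is $x _ b$ with $g^{x _ b} = h _ b$, so both the old and the new line should read $z _ b \la y + c _ b x _ b$. The same step would also be clearer if it said how the split is done, since $c _ {1-b}$ was already fixed in step 1: set $c _ b = c \oplus c _ {1-b}$, which is exactly what makes $c _ b$ uniform in the final bullet. The spacing change itself (`$h_0$` to `$h _ 0$`) is applied consistently across the hunk, and step 3 is rightly left as context since it has no subscripts; the custom macros `\la`, `\bb`, `\mc` and `\rm` are untouched and still depend on the site's MathJax macro definitions.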
@@ -376,7 +376,7 @@ Intuitively, it is hard to create a valid proof of a false statement.
> **Definition.** Let $\Phi = (G, V)$ be a non-interactive proof system for $\mc{R} \subset \mc{X} \times \mc{Y}$ with proof space $\mc{PS}$. An adversary $\mc{A}$ outputs a statement $y^{\ast} \in \mc{Y}$ and a proof $\pi^{\ast} \in \mc{PS}$ to attack $\Phi$.
>
> The adversary wins if $V(y^{\ast}, \pi^{\ast}) = \texttt{accept}$ and $y^{\ast} \notin L_\mc{R}$. The advantage of $\mc{A}$ with respect to $\Phi$ is defined as the probability that $\mc{A}$ wins, and is denoted as $\rm{Adv}_{\rm{niSnd}}[\mc{A}, \Phi]$.
> The adversary wins if $V(y^{\ast}, \pi^{\ast}) = \texttt{accept}$ and $y^{\ast} \notin L _ \mc{R}$. The advantage of $\mc{A}$ with respect to $\Phi$ is defined as the probability that $\mc{A}$ wins, and is denoted as $\rm{Adv} _ {\rm{niSnd}}[\mc{A}, \Phi]$.
>
> If the advantage is negligible for all efficient adversaries $\mc{A}$, $\Phi$ is **sound**.
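Review bot: style: `\rm{Adv} _ {\rm{niSnd}}` relies on the deprecated font switch `\rm` being followed by a braced group, which happens to render in MathJax but is fragile in plain LaTeX; `\mathrm{Adv} _ {\mathrm{niSnd}}` (or `\operatorname{Adv}`) renders the same everywhere. Beyond that the hunk only changes `L_\mc{R}` to `L _ \mc{R}`; the win condition ($V$ accepts and $y^{\ast} \notin L _ \mc{R}$) and the advantage definition are unchanged, so no semantic review is needed here.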
@@ -390,10 +390,10 @@ The basic idea is **using a hash function to derive a challenge**, instead of a
> **Definition.** Let $\Pi = (P, V)$ be a sigma protocol for a relation $\mc{R} \subset \mc{X} \times \mc{Y}$. Suppose that conversations $(t, c, z) \in \mc{T} \times \mc{C} \times \mc{Z}$. Let $H : \mc{Y} \times \mc{T} \rightarrow \mc{C}$ be a hash function.
>
> Define the **Fiat-Shamir non-interactive proof system** $\Pi_\rm{FS} = (G_\rm{FS}, V_\rm{FS})$ with proof space $\mc{PS} = \mc{T} \times \mc{Z}$ as follows.
> Define the **Fiat-Shamir non-interactive proof system** $\Pi _ \rm{FS} = (G _ \rm{FS}, V _ \rm{FS})$ with proof space $\mc{PS} = \mc{T} \times \mc{Z}$ as follows.
>
> - For input $(x, y) \in \mc{R}$, $G_\rm{FS}$ runs $P(x, y)$ to obtain a commitment $t \in \mc{T}$. Then computes the challenge $c = H(y, t)$, which is fed to $P(x, y)$, obtaining a response $z \in \mc{Z}$. $G_\rm{FS}$ outputs $(t, z) \in \mc{T} \times \mc{Z}$.
> - For input $\big( y, (t, z) \big) \in \mc{Y} \times (\mc{T} \times \mc{Z})$, $V_\rm{FS}$ verifies that $(t, c, z)$ is an accepting conversation for $y$, where $c = H(y, t)$.
> - For input $(x, y) \in \mc{R}$, $G _ \rm{FS}$ runs $P(x, y)$ to obtain a commitment $t \in \mc{T}$. Then computes the challenge $c = H(y, t)$, which is fed to $P(x, y)$, obtaining a response $z \in \mc{Z}$. $G _ \rm{FS}$ outputs $(t, z) \in \mc{T} \times \mc{Z}$.
> - For input $\big( y, (t, z) \big) \in \mc{Y} \times (\mc{T} \times \mc{Z})$, $V _ \rm{FS}$ verifies that $(t, c, z)$ is an accepting conversation for $y$, where $c = H(y, t)$.
Any sigma protocol can be converted into a non-interactive proof system. Its completeness is automatically given by the completeness of the sigma protocol.
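Review bot: `\Pi _ \rm{FS}`, `G _ \rm{FS}` and `V _ \rm{FS}` attach the subscript to the font switch `\rm` rather than to `FS`; brace it as `\Pi _ {\rm{FS}}` so the rendering does not depend on how the engine resolves `_` followed by a macro. Documentation: the first bullet's "Then computes the challenge $c = H(y, t)$" has no subject, it should be "$G _ \rm{FS}$ then computes". One thing to keep exactly as written when this file is edited again is the hash input $H(y, t)$: the statement $y$ must stay bound into the challenge, because the soundness argument in the next hunk reasons about the oracle query at $(y^{\ast}, t^{\ast})$ and would not go through if only $t$ were hashed.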
@@ -409,12 +409,12 @@ By modeling the hash function as a random oracle, we can show that:
### Soundness of the Fiat-Shamir Transform
> **Theorem.** Let $\Pi$ be a sigma protocol for a relation $\mc{R} \subset \mc{X} \times \mc{Y}$, and let $\Pi_\rm{FS}$ be the Fiat-Shamir non-interactive proof system derived from $\Pi$ with hash function $H$. If $\Pi$ is sound and $H$ is modeled as a random oracle, then $\Pi_\rm{FS}$ is also sound.
> **Theorem.** Let $\Pi$ be a sigma protocol for a relation $\mc{R} \subset \mc{X} \times \mc{Y}$, and let $\Pi _ \rm{FS}$ be the Fiat-Shamir non-interactive proof system derived from $\Pi$ with hash function $H$. If $\Pi$ is sound and $H$ is modeled as a random oracle, then $\Pi _ \rm{FS}$ is also sound.
>
> Let $\mc{A}$ be a $q$-query adversary attacking the soundness of $\Pi_\rm{FS}$. There exists an adversary $\mc{B}$ attacking the soundness of $\Pi$ such that
> Let $\mc{A}$ be a $q$-query adversary attacking the soundness of $\Pi _ \rm{FS}$. There exists an adversary $\mc{B}$ attacking the soundness of $\Pi$ such that
>
> $$
> \rm{Adv}_{\rm{niSnd^{ro}}}[\mc{A}, \Pi_\rm{FS}] \leq (q + 1) \rm{Adv}_{\rm{Snd}}[\mc{B}, \Pi].
> \rm{Adv} _ {\rm{niSnd^{ro}}}[\mc{A}, \Pi _ \rm{FS}] \leq (q + 1) \rm{Adv} _ {\rm{Snd}}[\mc{B}, \Pi].
> $$
*Proof Idea*. Suppose that $\mc{A}$ produces a valid proof $(t^{\ast}, z^{\ast})$ on a false statement $y^{\ast}$. Without loss of generality, $\mc{A}$ queries the random oracle at $(y^{\ast}, t^{\ast})$ within $q+1$ queries. Then $\mc{B}$ guesses which of the $q+1$ queries is the relevant one. If $\mc{B}$ guesses the correct query, the conversation $(t^{\ast}, c, z^{\ast})$ will be accepted and $\mc{B}$ succeeds. The factor $q+1$ comes from the choice of $\mc{B}$.
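Review bot: the closing sentence of the proof idea, "The factor $q+1$ comes from the choice of $\mc{B}$", does not explain why the count is $q+1$ rather than $q$; suggest stating that $\mc{A}$ makes at most $q$ oracle queries and, if it never queried $(y^{\ast}, t^{\ast})$ itself, the verifier's own evaluation of $H(y^{\ast}, t^{\ast})$ is the extra query, so $\mc{B}$ picks one of $q+1$ candidates uniformly and is right with probability at least $1/(q+1)$, which is the bound stated. As elsewhere in this patch, `\Pi _ \rm{FS}` should brace the subscript (`\Pi _ {\rm{FS}}`), and `\rm{niSnd^{ro}}` places the superscript inside the roman group so "ro" renders upright, which differs from the bare `\rm{niSnd}` used in the definition above; pick one form.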
@@ -452,23 +452,23 @@ $n$ voters are casting a vote, either $0$ or $1$. At the end, all voters learn t
We can use the [multiplicative ElGamal encryption](../2023-10-19-public-key-encryption/#the-elgamal-encryption) scheme in this case. Assume that a trusted vote tallying center generates a key pair, keeps $sk = \alpha$ to itself and publishes $pk = g^\alpha$.
Each voter encrypts the vote $b_i$ and the ciphertext is
Each voter encrypts the vote $b _ i$ and the ciphertext is
$$
(u_i, v_i) = (g^{\beta_i}, h^{\beta_i} \cdot g^{b_i})
(u _ i, v _ i) = (g^{\beta _ i}, h^{\beta _ i} \cdot g^{b _ i})
$$
where $\beta_i \la\bb{Z}_q$. The vote tallying center aggregates all ciphertexts my multiplying everything. No need to decrypt yet. Then
where $\beta _ i \la\bb{Z} _ q$. The vote tallying center aggregates all ciphertexts my multiplying everything. No need to decrypt yet. Then
$$
(u^{\ast}, v^{\ast}) = \left( \prod_{i=1}^n g^{\beta_i}, \prod_{i=1}^n h^{\beta_i} \cdot g^{b_i} \right) = \big( g^{\beta^{\ast}}, h^{\beta^{\ast}} \cdot g^{b^{\ast}} \big),
(u^{\ast}, v^{\ast}) = \left( \prod _ {i=1}^n g^{\beta _ i}, \prod _ {i=1}^n h^{\beta _ i} \cdot g^{b _ i} \right) = \big( g^{\beta^{\ast}}, h^{\beta^{\ast}} \cdot g^{b^{\ast}} \big),
$$
where $\beta^{\ast} = \sum_{i=1}^n \beta_i$ and $b^{\ast} = \sum_{i=1}^n b_i$. Now decrypt $(u^{\ast}, v^{\ast})$ and publish the result $b^{\ast}$.[^4]
where $\beta^{\ast} = \sum _ {i=1}^n \beta _ i$ and $b^{\ast} = \sum _ {i=1}^n b _ i$. Now decrypt $(u^{\ast}, v^{\ast})$ and publish the result $b^{\ast}$.[^4]
Since the ElGamal scheme is semantically secure, the protocol is also secure if all voters follow the protocol. But a dishonest voter can encrypt $b_i = -100$ or some arbitrary value.
Since the ElGamal scheme is semantically secure, the protocol is also secure if all voters follow the protocol. But a dishonest voter can encrypt $b _ i = -100$ or some arbitrary value.
To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](../2023-11-07-sigma-protocols/#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](../2023-11-07-sigma-protocols/#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs.
To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](../2023-11-07-sigma-protocols/#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](../2023-11-07-sigma-protocols/#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b _ i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs.
[^1]: The message flows in a shape that resembles the greek letter $\Sigma$, hence the name *sigma protocol*.
[^2]: A Graduate Course in Applied Cryptography.
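Review bot: $h$ is used in the ciphertext $(u _ i, v _ i) = (g^{\beta _ i}, h^{\beta _ i} \cdot g^{b _ i})$ but the setup only publishes $pk = g^\alpha$; state $h = pk = g^\alpha$ (or write $pk^{\beta _ i}$) so the aggregation and decryption lines are well defined. Related: decrypting $(u^{\ast}, v^{\ast})$ yields $g^{b^{\ast}}$, not $b^{\ast}$, so the text should say how $b^{\ast}$ is recovered (it lies in $0 \le b^{\ast} \le n$, so a search over that range suffices) unless footnote [^4], which is outside this hunk, already covers it. Two typos are carried from the old lines into the new ones: "aggregates all ciphertexts my multiplying" should be "by multiplying", and "either a encryption of $b _ i = 0$ or $1$" should be "an encryption".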