Comment by tooltower 4 days ago
Are we sure that the base reveals nothing about the factors if n is composite? I have never seen a proof of that.
Usually, zero knowledge proofs also require a prover who knows the answer (the factors in this case). This is just a primality test that can be performed locally.
On a related note, I've often wondered what each congruence in the quadratic seive reveals. Once you have enough of them you can factor the number, but what does a partial set of congruences reveal?
Its a matrix problem, so each row could be reducing the degrees of freedom of something. But what? And in what space?
If:
a^2 = b^2 (mod m)
Then:
a^2 - b^2 = 0 (mod m)
(a + b)(a - b) = 0 (mod m)
So, (a + b) must be a multiple of one of the factors of m. And (a - b) must be a multiple of the other factor of m.
> I've often wondered what each congruence in the quadratic seive reveals.
Each congruence reveals that the sum of the bases (a plus b) contains a factor of m. And the difference of the bases (a minus b) contains another factor of m.
The only thing you have to watch out for is the trivial case when one of the factors you find through this method is "1" and the other factor is "m". That case isn't very helpful.
It's not that each congruence gives you new information. You only have to find one single non-trivial congruence. But the other (trivial) congruences you find along the way only reveal that 1*m=m, which you already knew.
> It's not that each congruence gives you new information
So it's not that each congruence gives you N bits of information, and you want kN bits in total. It's more like each congruence has a 1/k chance of giving you the full kN bits.
But in some information theory sense those are the same! Or concretely, if you were testing a large quantity of numbers in parallel, you would get information from each congruence.
My understanding is that there is a difference between the concept of a Zero-Knowledge Proof (ZKP), and then the applications that such a thing is possible.
In the example given, I can prove that N is composite without revealing anything (well, almost anything) about the factors. But in practice we want to use a ZKP to show that I have specific knowledge without revealing the knowledge itself.
For example:
You can give me a graph, and I can claim that I can three-colour it. You may doubt this, but there is a process by which I can ... to any desired level of confidence ... demonstrate that I have a colouring, without revealing what the colouring is. I colour the vertices RGB, map those colours randomly to ABC, and cover all the vertices. You choose any edge, and I reveal the "colours" (from ABC) of the endpoints. If I really can colour the graph then I will always be able to reveal two different colours. If I can't colour the graph then as we do this more and more, eventually I will fail.
So you are right, but the message of the post is, I think, still useful and relevant.
Suppose the graph admits only 4+ colorings, but when attempting a 3-coloring it's possible for only one edge to be misaligned. Then (A) you need O(n_edges) calls to the oracle to gain any confidence about the 3-colorability of a 3-colorable graph (else you might be easily duped by the one misaligned edge), and (B) in so doing, you learn almost all of the structure of the graph (since you have way more random calls than there are edges).
Restating, not only is the ZK algorithm slow, but by the time you have confidence in the ZK proof you also have additional knowledge about the structure whose properties you're proving.
In the version I'm discussing, both parties already know the graph, so your point (B) seems irrelevant. The interrogator needs to know the graph in order to specify an edge (and to know that they've done so), so I'm not sure of the precise version you are thinking of.
Put point (A) is relevant ... certainly each call only provides a small amount of additional confidence, so a lot of calls might be required. Even so, the system seems sound to me, and I'd appreciate any details of ways in which it is not.
See also my comment here: https://news.ycombinator.com/item?id=46121137
That gives more detail of the setup, and how it can be implemented digitally.
The key insight is that Colin can show you a red-green-blue coloring of the graph, and flip the whole graph secretly, so it's blue-red-green instead when you look at an individual section, but really the graph is yellow-pink-orange colored. Even after showing you all the intersections of the graph individually in the red green blue coloring to satisfy that he can 3-color it, you still have no idea what is yellow pink or orange on his copy of the graph.
I can certainly explain it more, a question of "better" is debatable!
Here's the process:
(A) You give me a graph to 3-colour;
(B) I claim I can 3-colour it;
(C) You demand that I prove it;
(D) I colour it with colours ABC and cover the vertices;
(E) You point at an edge;
(F) I reveal the colours of the vertices at the ends of the edge;
(G) If I have coloured the graph then the colours revealed will always be different;
(H) We repeat this process with a permutation of the colours between each trial;
(I) If I'm lying then eventually you'll pick an edge where either the vertices are not coloured, or the have the same colour.
(J) This process reveals nothing about the colouring, but proves (to some level of confidence) that I'm telling the truth.
So ... what's unclear?
Instructions on how to email me are in my profile if you prefer ...
Ah, I see. This is not an example of a ZKP, because you are relying on a third party who has full knowledge of the coloring, which is wherever you have drawn your coloring.
No, that is not the case. The process does not rely on a third party.
Person A provides person B with the graph.
Person B claims to have coloured it.
Person A demands that they prove it.
Person B hides the colouring
Repeatedly:
* Person A points at an edge
* Person B reveals that the endpoints are differently coloured
* Person B re-hides the colouring and permutes the colours
If person B does not have a colouring, with probability 1 this process will fail and person A will know that person B does not have a colouring.
But if person B does have a colouring then each step will succeed, and by repeating the process person A can achieve any desired degree of confidence that person B must, indeed, have a colouring.
This process can be made digital rather than physical, and no third party need be involved. As a sketch of one step:
* Person B colours the graph
* For each vertex, person B generates a long random string, pre-pends the colour, applies a cryptographically strong hash function to that, and sends the result to A. This "Fixes and hides" the colouring
* Person A asked for two "colours" to be revealed
* Person B provide the associated "colour and random string"s, the pre-images of the requested hashes
* Person A checks the hashes and now knows the colours of those two vertices.
Should I write this up "properly"? It's already discussed elsewhere on the 'net.
We also don't technically have proofs for some of the computational hardness assumptions that popular "real" ZK proof constructions rely on!
This might feel different because those assumptions were chosen in part because people had studied them and they certainly seem to be right, whereas perhaps here nobody has really studied this particular random number theory topic one way or the other.
But in some sense, there isn't a proof that regular ZK proof methods are actually completely zero-knowledge (against a computationally bounded adversary).
That's a very good question. It all depends on how you pick the witness b: there is a procedure that definitely is not zero-knowledge: say, if prover uses his knowledge of factorization to construct an explicit b that betrays that factorization.
For example, if n = p1*p2*...*pk is square-free and not a Carmichael number, then by Korselt's criterion there exists a pi such that pi-1 does not divide n-1 (this also implies that pi>2). Use the Chinese Remainder Theorem to produce b such that b=1 (mod pj) for all j!=i, and b (mod pi) is a generator of (Z/piZ)^*. Then b is a Fermat witness: gcd(b, n) = 1 (because b is non-zero modulo every prime factor) and b^(n-1) != 1 (mod n) because b^(n-1) != 1 (mod pi) (as pi-1 does not divide n-1).
However, b "betrays" the prime factorization of n, since gcd(b-1, n)>1 (by construction b-1 is divisible by all pj with j!=i, but not divisible by pi>2), and thus gcd(b-1, n) is a non-trivial factor of n. (I assumed square-free above but if pi^ei (ei>=2) divides n, then b=1+pi^(ei-1) (mod pi^ei), b=1 (mod pj^ej) (j!=i) also would have worked.)
On the other hand, it is also known that for non-Carmichael numbers at least half of the bases b with gcd(b, n) = 1 are Fermat witnesses. So if you pick b uniformly at random, the verifier does not gain any new information from seeing b: they could have sampled such a witness themselves by running the same random test. Put another way, the Fermat test itself is an OK ingredient, but a prover who chooses b in a factorization-dependent way can absolutely leak the factors - the final protocol won't be ZK.