Computer
Science

0368.3500

Fall 2007 
T.A.: Ido Ben Eliezer – idobene at post dot tau dot ac dot il
When: Tuesdays, 10:1012:00.
Date 
First meeting. Background. DLOG. ElGamal. Zeroknowledge proofs. 
Jan 22 
Second meeting.



Fab 12 
Submitting first design (Modules, interface, main algorithms). 
Feb 19 
Final design. A short presentation of main algorithms. 
Feb 26 
Design presentation. 
March 11 
submission – first round. 
March 25 
Final submission 
· Prêt à Vote Technical report, Wiki page (2 candidates).  רוזה, יוני, שי, עדי
· Three Ballot and VAV. Ronald L. Rivest, Warren D. Smith PDF  HTML.  עודד, ינון
· A combination of paper voting and cryptographic voting (k candidates).  סמדר, דנה, רביב, רון
· Paillier homomorphic encryption. The original paper.  יובל
· A nice online book with very good number theory background: http://shoup.net/ntb/ · A paper regarding noninteractive ZKP for signatures: Amos Fiat and Adi Shamir , How to prove yourself: practical solutions to identification and signature problems Source · A paper regarding threshold encryption. T. P. Pederson, Threshold cryptosystem without a trusted party
· A NY Times article. 8/1/2008. · Felten's testimony before the Congress, 2007. · Freedom to tinker.
Q1 
Should we describe the ZKP needed in our project? 

Yes. 
Q2 
What is the coverage of the design (e.g. how many pages are expected?) 

The
design should be such that it is clear to us (and to you) what you
are going to do. It should be only a few pages long, but it should
contain, for each part of your project: 
Q3 
How do we know for sure on which elements one may trust (e.g, maybe the public board show a copy of your vote, then later changes it to something else)? 

Actually you don't. You should write in your design a short section describing the trust issue (i.e, what one has to trust so that we know the system works properly). 
Q4 
How do we do a noninteractive ZKP? 

The
method we use is called FiatShamir heuristic (or method) because
it is not proven (see link above). In their paper they presented a
signature protocol which uses it, and on the way,

Q5 
Which hash should we use in practice for the noninteractive ZK signature? 

I dont think it really matters which hash you use. I basically like MD5 (Pseudocode and nice info at http://en.wikipedia.org/wiki/MD5). Also, you can google "md5 implementation" and find it implemented in any language. SHA1 is also good (again, wiki is a good start http://en.wikipedia.org/wiki/SHA1). Moreover, There are many implementations of other methods like in http://www.partow.net/programming/hashfunctions/ You just need to choose and google a little. 
Q6 
Is there an example of a practical use of the FiatShamir paper? 

There are few follow up papers which mention some theoretic problems in this method (like  http://www.mit.edu/~tauman/fiatshamirshort.pdf), but for specific uses (mainly signatures or voting protocols) it is common to use it (like CGF97). 
Q7 
How can we generate a large prime with the respective generator? 

Corrected answer: Finding general large primes and generators is not an easy task, but, finding a specific kinds is an easier problem. Usually we use p = 2q + 1 as our primes (where p,q are primes), and then we can find a generator by: while 1 choose a random number x if x^2 != 1 (mod p) and x^q != 1 (mod p) return x See, for example, slides 56 at: http://www.pinkas.net/teaching/itc/2005/lectures/lecture6.pdf 
Q8 
We have problems finding libraries which support large numbers on the one hand, and UI on the other hand, and can be easily compiled together. 

A few
suggestions: For C/C++ programs, you may want to use the GMP library. Unfortunately, it doesn't compile all that well with MSVC (it is possible, but really it's a lot easier to use on linux/unix systems). To make the UI programming easier, You may use a webbased solution: the UI is programmed in PHP. PHP has modules for GMP and MySQL databases, and it's very easy to learn (especially if you already know C or Java). The only glaring omission is secure random number generation. If you run the webserver on linux, you can bypass that by reading from
/dev/random
or /dev/urandom. You can see an example server at
where there is also a link to the source code. Other suggestions are Crypto++ and MIRACL. You may also search for “big integers” on google. 
Q9 


