Computer
Science
|
0368.3500
|
Fall 2007 |
T.A.: Ido Ben Eliezer – idobene at post dot tau dot ac dot il
When: Tuesdays, 10:10-12:00.
Date |
First meeting. Background. DLOG. ElGamal. Zero-knowledge proofs. |
Jan 22 |
Second meeting.
|
|
|
Fab 12 |
Submitting first design (Modules, interface, main algorithms). |
Feb 19 |
Final design. A short presentation of main algorithms. |
Feb 26 |
Design presentation. |
March 11 |
submission – first round. |
March 25 |
Final submission |
· Prêt à Vote Technical report, Wiki page (2 candidates). - רוזה, יוני, שי, עדי
· Three Ballot and VAV. Ronald L. Rivest, Warren D. Smith PDF | HTML. - עודד, ינון
· A combination of paper voting and cryptographic voting (k candidates). - סמדר, דנה, רביב, רון
· Paillier homomorphic encryption. The original paper. - יובל
· A nice online book with very good number theory background: http://shoup.net/ntb/ · A paper regarding non-interactive ZKP for signatures: Amos Fiat and Adi Shamir , How to prove yourself: practical solutions to identification and signature problems Source · A paper regarding threshold encryption. T. P. Pederson, Threshold cryptosystem without a trusted party
· A NY Times article. 8/1/2008. · Felten's testimony before the Congress, 2007. · Freedom to tinker.
Q1 |
Should we describe the ZKP needed in our project? |
|
Yes. |
Q2 |
What is the coverage of the design (e.g. how many pages are expected?) |
|
The
design should be such that it is clear to us (and to you) what you
are going to do. It should be only a few pages long, but it should
contain, for each part of your project: |
Q3 |
How do we know for sure on which elements one may trust (e.g, maybe the public board show a copy of your vote, then later changes it to something else)? |
|
Actually you don't. You should write in your design a short section describing the trust issue (i.e, what one has to trust so that we know the system works properly). |
Q4 |
How do we do a non-interactive ZKP? |
|
The
method we use is called Fiat-Shamir heuristic (or method) because
it is not proven (see link above). In their paper they presented a
signature protocol which uses it, and on the way,
|
Q5 |
Which hash should we use in practice for the non-interactive ZK signature? |
|
I dont think it really matters which hash you use. I basically like MD5 (Pseudocode and nice info at http://en.wikipedia.org/wiki/MD5). Also, you can google "md5 implementation" and find it implemented in any language. SHA-1 is also good (again, wiki is a good start http://en.wikipedia.org/wiki/SHA-1). Moreover, There are many implementations of other methods like in http://www.partow.net/programming/hashfunctions/ You just need to choose and google a little. |
Q6 |
Is there an example of a practical use of the Fiat-Shamir paper? |
|
There are few follow up papers which mention some theoretic problems in this method (like - http://www.mit.edu/~tauman/fiatshamirshort.pdf), but for specific uses (mainly signatures or voting protocols) it is common to use it (like CGF97). |
Q7 |
How can we generate a large prime with the respective generator? |
|
Corrected answer: Finding general large primes and generators is not an easy task, but, finding a specific kinds is an easier problem. Usually we use p = 2q + 1 as our primes (where p,q are primes), and then we can find a generator by: while 1 choose a random number x if x^2 != 1 (mod p) and x^q != 1 (mod p) return x See, for example, slides 5-6 at: http://www.pinkas.net/teaching/itc/2005/lectures/lecture6.pdf |
Q8 |
We have problems finding libraries which support large numbers on the one hand, and UI on the other hand, and can be easily compiled together. |
|
A few
suggestions: For C/C++ programs, you may want to use the GMP library. Unfortunately, it doesn't compile all that well with MSVC (it is possible, but really it's a lot easier to use on linux/unix systems). To make the UI programming easier, You may use a web-based solution: the UI is programmed in PHP. PHP has modules for GMP and MySQL databases, and it's very easy to learn (especially if you already know C or Java). The only glaring omission is secure random number generation. If you run the webserver on linux, you can bypass that by reading from
/dev/random
or /dev/urandom. You can see an example server at
where there is also a link to the source code. Other suggestions are Crypto++ and MIRACL. You may also search for “big integers” on google. |
Q9 |
|
|
|