(Most of this exercise is a review exercise on some of the notions we have encountered before.)
Common input: Graph \(G=(V,E)\) on \(n\) vertices.
Alice (Prover) private input: A function \(f:V\rightarrow \{1,2,3\}\) such that \(f(i)\neq f(j)\) for every \(\{i,j\}\in E\).
Bob’s decision: Bob accepts the proof iff \(f'(i),f'(j)\) as sent by Alice are two distinct numbers in \(\{1,2,3\}\) and the strings she sent satisfy the equations \(y_i = PRG(w_i)+f'(i)z +(f'(i) \mod\; 3)z' (\mod 2)\) and \(y_j = PRG(w_j)+f'(j)z +(f'(j) \mod\; 3)z' (\mod 2)\)
Prove that this system is a zero knowledge proof system for the 3 coloring problem by showing the following:
(Completeness, 10 points): Prove that if Alice and Bob are given inputs as above and both follow the protocol then Bob will accept the proof with probability \(1\).
(Soundness, 15 points): Prove that if there exists no 3-coloring for \(G\) (i.e., for every coloring of \(G\)’s vertices in \(\{1,2,3\}\) there is some edge \(\{i,j\}\) such that both \(i\) and \(j\) receive the same color), then with probability at least \(1/(10n^2)\) Bob will reject the proof. (This probability can be amplified to more than \(1-2^{-k}\) by \(100kn^2\) repetitions).
(Zero knowledge, 25 points) Prove that for every polynomial-time strategy \(B^*\) used by Bob, there exists an efficient algorithm \(S^*\), so that for every 3-colorable graph \(G\) and coloring \(f\), the output of \(S^*(G)\) is computationally indistinguishabl from the transcript \(B^*\) observes after interacting with the honest strategy of Alice on public input \(G\) and private input \(x\). (For partial credit of 15 points, prove only honest verifier zero knowledge : that the above holds when \(B^*\) is the honest strategy of Bob.)
KL 11.17 (20 points)
KL 12.14 (10 points)
KL 13.17 (15 points)
For starters, you can assume for partial credit the following claim: with probability at least \(1/100\), if we pick a random \(a\in {\mathbb{Z}}^*_m\) then \(a\) will have an even order and \(a^{r/2} \neq -1 (\mod m)\). Using the claim you can reduce factoring to order finding in a similar way to how we reduced factoring to finding square roots. For full credit, prove the claim by first proving using the chinese remainder theorem that for every \(a\), the order of \(a\) modulo \(m\) is the least common multiple of the order of \(a\) modulo \(P\) and the order of \(a\) modulo \(q\), and then use the fact that for every group \(G\), if \(G' \neq G\) is a subgroup of \(G\) then \(|G|/|G'| \geq 2\).↩