The Mad Hatter sets up what he believes is a zero-knowledge protocol. The integer n is the product of two large primes p and q and he wants to prove to the March Hare that he knows the factorization of n without revealing to anyone the actual factors $p$, $q$. He devises the following procedure:
March Hare chooses a random integer $x \pmod n$, computes $y \equiv x^2 \pmod n$, and sends $y$ to Mad Hatter. Mad Hatter then computes the square roots $z_i$ of $y$ modulo $n$ and sends $z = \min(z_i)$ to March Hare who verifies that $z^2 \equiv y \pmod n$. The Hatter offers to repeat this $10$ times with different values of $y$.
Should the March Hare be convinced that the Hatter knows $p$ and $q$?
My guess: yesIs March Hare able to use all this information to factor $n$? (In which cases this isn’t a zero knowledge procedure at all).
My guess: no- The Knave of Hearts, who eavesdropped the entire sequence, recovers all ten values of $\{y_i,z_i\}$. Can he use this to obtain any information about $p$ and $q$?
My guess: no
Does this look right?
Unless $x$ happens to be a multiple of $p$ or $q$, the number $y=x^2$ has four square roots modulo $pq$, namely the solutions for $z$ of the Chinese remainder systems $$ z \equiv \pm x \pmod p \\ z \equiv \pm x \pmod q $$ for each of the four combinations of $\pm$.
If the March Hare chooses $x$s at random, there's a pretty good chance that the response he gets back in at least one of the ten tries is not one of $x$ or $pq-x$. He then knows a $z$ that differs from his $x$ by some multiple of either $p$ or $q$, and therefore $\gcd(z-x,pq)$ will be one of the factors.
However, since the Hatter promises the numerically smallest square root, the Hare can do better than choosing $x$ completely at random. In fact, if he chooses $x$ between $\frac{n-\sqrt n}2$ and $\frac{n+\sqrt n}2$, then he can be certain that the $z$ he gets back will be useful to him (why?), and he only needs to ask a single question.
Does any of this help the Knave, though?