1/210
Lecture Slides: Cryptographic Protocols
Version 1.6, January 30, 2021
Berry Schoenmakers, Department of Mathematics and Computer Science,
Technical University of Eindhoven, P.O. Box 513, 5600 MB Eindhoven, The Netherlands.
[email protected]@tue.nl
Cryptographic Protocols (2DMI00), www.win.tue.nl/~berry/2DMI00/
Spring 2021
Preface
Course Plan
Lecture notes consist of eight chapters:
1 Introduction
2 Key Exchange Protocols
3 Commitment Schemes
4 Identification Protocols
5 Zero-Knowledge Proofs
6 Threshold Cryptography
7 Secure Multiparty Computation
8 Blind Signatures

Chapters 1–2 are covered in 5 to 6 lectures. Chapters 3–5 are covered in 5 to 6 lectures. Chapters 6–8 are covered in 2 to 3 lectures.
Course Grading 2DMI00
2DMI00 course: 5 ECTS
Written exam (closed book): 80%
MPyC programming assignment: 20%
Requirement: passing grade at least 5.5 for written exam.
Appendix B Rating of Exercises tells you which exercises are at exam level.
Motivating Example: Secret Santa
Web server (acting as trusted party) generates random permutation π of {1, 2, ..., n} without fixed points (so π(i) ≠ i). Web server sends π(i) to party P_i in private.
Cheating web server could:
- pick an arbitrary function for π (e.g., with π(1) = π(2)),
- influence who picks who,
- tell others who picked who,
- ...
Q: How to do this by means of a cryptographic protocol, without a trusted party?
A: Use a secure multiparty computation protocol!
Electronic Voting Using Verifiable Mixes
Zero-knowledge Proof in Your Laptop? Direct Anonymous Attestation
Advanced noninteractive zero-knowledge proof, effectively a group signature.
To prove that PC/laptop is authentic (signing key belongs to genuine “trusted computer”) but without giving away its identity.
Zero-knowledge Proof in Your Cryptocurrencies?
Enhance privacy properties of cryptocurrencies.
By hiding transaction details such as payer’s identity or amount.
Monero based on CryptoNote. CryptoNote white paper includes 1-out-of-m Σ-proof (Exercise 5.4.3) to hide the payer’s identity among ad hoc groups of m potential payers. Σ-proof used for one-time ring signatures, or, rather, list signatures.
Building on Zerocoin, Zcash employs a type of zero-knowledge proofs known as zk-SNARKs.
Also related: Bulletproofs. See Exercise 5.3.2 for a Σ-protocol for range proofs (or, interval proofs).
Secure Multiparty Computation Unleashed!
In four 2018 Gartner Hype Cycle reports, see unboundtech.com.
To implement blockchains like Cardano. Blockchains and cryptocurrencies utilize a wealth of cryptographic protocols (implemented as open-source software, written in high-level programming languages, using advanced cryptography libraries, running on fast PCs/servers).
Crypto 1.0: Caesar Cipher
Rotate the alphabet by a fixed offset
Crypto 1.0
Crypto 1.0 concerns
- encryption and authentication of data,
- during communication and storage/retrieval.
Crypto 1.0 primitives:
Symmetric (secret key):
- Stream/block ciphers
- Message authentication codes
Asymmetric (public key):
- Public-key encryption
- Digital signatures
- Key-exchange protocols
Keyless:
- Cryptographic hash functions
Crypto 2.0
Crypto 2.0 additionally concerns
- computing with encrypted data,
- partial information release of data,
- hiding identity of data owners or any link with them.
Crypto 2.0 primitives:
- homomorphic encryption: Rivest-Adleman-Dertouzos 1978, Gentry 2009
- secret sharing: Blakley 1979, Shamir 1979
- blind signatures: Chaum 1982
- oblivious transfer: M. Rabin 1981, Even-Goldreich-Lempel 1985
- zero-knowledge proofs: Goldwasser-Micali-Rackoff 1985, Goldreich-Micali-Wigderson 1986
- secure two/multi-party computation: Yao 1982–1986, GMW 1987, BGW 1988, CCD 1988
- functional encryption: Sahai-Waters 2005, Boneh-Sahai-Waters 2011, GKPVZ 2013
- indistinguishability obfuscation: Garg-Gentry-Halevi-Raykova-Sahai-Waters 2013, GMMSSZ 2016
Crypto 1.0 vs Crypto 2.0
Crypto 1.0 encryption and authentication:
- protect against malicious outsiders
- attacks on storage or communication media
- can be achieved using symmetric crypto
- very high performance
Crypto 2.0 primitives additionally:
- protect against malicious or corrupt insiders
- attacks by your protocol “partners”
- uses more powerful cryptographic primitives, essentially asymmetric crypto
- much harder to do efficiently
Contents
1 Introduction
1.1 Terminology
1.2 Preliminaries
1.2.1 Number Theory
1.2.2 Group Theory
1.2.3 Probability Theory
1.2.4 Complexity Theory
1.3 Assumptions
1.3.1 Discrete Log and Diffie-Hellman Assumptions
1.3.2 Indistinguishability
1.3.3 Random Self-Reducibility
1.3.4 Random Oracle Model
2 Key Exchange Protocols
2.1 Diffie-Hellman Key Exchange
2.1.1 Basic Protocol
2.1.2 Passive Attacks
2.1.3 A Practical Variant
2.1.4 Aside: ElGamal Encryption
2.2 Authenticated Key Exchange
2.2.1 Man-in-the-Middle Attacks
2.2.2 A Protocol Using Digital Signatures
2.2.3 A Protocol Using Password-Based Encryption
3 Commitment Schemes
3.1 Definitions
3.2 Examples
3.2.1 Using a Cryptographic Hash Function
3.2.2 Using a Discrete Log Setting
3.2.3 Impossibility Result
3.3 Homomorphic Commitments
4 Identification Protocols
4.1 Definitions
4.2 Password-Based Schemes
4.3 One-Way Hash Chains
4.4 Basic Challenge-Response Protocols
4.4.1 Using Symmetric Encryption
4.4.2 Using Symmetric Authentication
4.4.3 Using Asymmetric Encryption
4.4.4 Using Asymmetric Authentication
4.5 Zero-Knowledge Identification Protocols
4.5.1 Schnorr Zero-Knowledge Protocol
4.5.2 Schnorr Protocol
4.5.3 Guillou-Quisquater Protocol
4.6 Witness Hiding Identification Protocols
4.6.1 Okamoto Protocol
5 Zero-Knowledge Proofs
5.1 Σ-Protocols
5.2 Composition of Σ-Protocols
5.2.1 Parallel Composition
5.2.2 AND-Composition
5.2.3 EQ-Composition
5.2.4 OR-Composition
5.2.5 NEQ-Composition
5.3 Miscellaneous Constructions
5.4 Noninteractive Σ-Proofs
5.4.1 Digital Signatures from Σ-Protocols
5.4.2 Proofs of Validity
5.4.3 Group Signatures
6 Threshold Cryptography
6.1 Secret Sharing
6.1.1 Shamir Threshold Scheme
6.2 Verifiable Secret Sharing
6.2.1 Feldman VSS
6.2.2 Pedersen VSS
6.3 Threshold Cryptosystems
6.3.1 Threshold ElGamal Cryptosystem
7 Secure Multiparty Computation
7.1 Electronic Voting
7.2 Based on Threshold Homomorphic Cryptosystems
7.3 Based on Oblivious Transfer
8 Blind Signatures
8.1 Definitions
8.2 Chaum Blind Signature Scheme
8.3 Blind Signatures from Σ-Protocols
Appendices
A Fundamental Lemma of Cryptology
B Rating of Exercises
C Spell Check
1 Introduction
1.1 Terminology
1.2 Preliminaries
1.3 Assumptions
Cryptology = Cryptography + Cryptanalysis
Field of cryptology is divided into two mutually dependent fields:
Cryptography: design of (mathematical) schemes related to information security which resist cryptanalysis.
Cryptanalysis: study of (mathematical) techniques for attacking cryptographic schemes.
IACR: International Association for Cryptologic Research, www.iacr.org
IACR employs e-voting since 2010! See www.iacr.org/elections. (Underlying cryptographic voting scheme is covered in Section 7.1.)
Cryptographic Algorithms/Protocols/Schemes
Definition 1.1
Cryptographic Algorithm: well-defined transformation, which on a given input value produces an output value, achieving certain security objectives.
Cryptographic Protocol: distributed algorithm describing precisely the interactions between two or more entities, achieving certain security objectives.
Cryptographic Scheme: suite of related cryptographic algorithms and cryptographic protocols, achieving certain security objectives.
Example
Digital signature schemes consist of three cryptographic algorithms:
- key generation
- signature generation
- signature verification
Communication Model
Entities in a cryptographic scheme are connected by communication channels.
Entities can be persons, organizations, devices, etc. In cryptography, one often speaks of parties.
Entities interact in a cryptographic protocol by exchanging messages over specific communication channels.
Communication model describes mix of available channels:
- point-to-point channel
- broadcast channel
- private channel (secure channel)
- public channel (insecure channel)
- bulletin board (similar to blockchain)
Adversaries and Attacks
Adversary = coalition of attacker and/or corrupt entities of cryptographic scheme.
Attacker: outsider. Corrupt entities: insiders.
Definition 1.2
Passive Attack: adversary does not interfere with execution of algorithms/protocols. Passive adversary eavesdrops on communication between entities, and records all information, including all private information of corrupt entities.
Active attack: adversary may—in addition—interfere with communication within cryptographic scheme by deleting, injecting, or modifying messages; moreover, adversary may have corrupt entities deviate from prescribed behavior in arbitrary ways.
Attacks
Example (Passive Attacks)
- Eavesdropping on communication (by outsiders).
- Collecting data within a system (by insiders).
- Perform cryptanalysis on all acquired data.
Example (Active Attacks)
- Man-in-the-middle attacks (“grandmaster chess attack”).
- Injection/deletion/modification of messages.
- Initiate/terminate protocol executions.
- Masquerading/spoofing attacks.
- Replay attacks.
- Reflection attacks.
1.2 Preliminaries: 1.2.1 Number Theory, 1.2.2 Group Theory, 1.2.3 Probability Theory, 1.2.4 Complexity Theory
Basic Number Theoretic Notions
For positive integer n:
$\mathbb{Z}_n = \mathbb{Z}/n\mathbb{Z} = \{0, 1, \ldots, n-1\}$ “set of integers modulo n”
$\mathbb{Z}_n^* = \{x \in \mathbb{Z}_n : \gcd(x, n) = 1\}$ “integers with multiplicative inverse mod n”
$\varphi(n) = |\mathbb{Z}_n^*| = n \prod_{p \mid n} (1 - 1/p)$ “Euler’s phi function”
Hence, φ(n) can be computed efficiently given the prime divisors of n.
Useful fact: $n/\varphi(n) = \prod_{p \mid n} \frac{p}{p-1} = O(\log \log n)$
Exercise 1.2.1
Prove the elementary bound $n/\varphi(n) = O(\log n)$, using that the number of distinct prime factors $\omega(n)$ of n is $O(\log n)$, and that the i-th smallest prime factor of n is at least $i + 1$ for $i = 1, 2, \ldots, \omega(n)$.
More Advanced: A Generalization of Euler’s Phi Function
The (order-2) Schemmel totient function:
$\varphi_2(n) = |\{x \in \mathbb{Z}_n : \gcd(x, n) = \gcd(x + 1, n) = 1\}|$
For n even, $\varphi_2(n) = 0$. For n odd, $\varphi_2(n) = n \prod_{p \mid n} (1 - 2/p)$.
Useful fact: $n/\varphi_2(n) = \prod_{p \mid n} \frac{p}{p-2} = O((\log \log n)^2)$
Exercise 1.2.2
For n odd, prove the elementary bound $n/\varphi_2(n) = O(\log^2 n)$, using again that $\omega(n) = O(\log n)$ and that the i-th smallest prime factor of n is now at least $i + 2$ for $i = 1, 2, \ldots, \omega(n)$.
Schemmel totient function shows up in the analysis of a variant of the decision Diffie-Hellman problem (see Exercise 1.3.5(b)).
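As an added example (mine, not from the slides), the following Python computes φ(n) and φ₂(n) directly from their definitions and checks them against the product formulas above for all small n; the helper names are my own.

```python
from math import gcd


def prime_divisors(n: int) -> list:
    """Distinct prime divisors of n by trial division (fine for the small n used here)."""
    ps, p, m = [], 2, n
    while p * p <= m:
        if m % p == 0:
            ps.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        ps.append(m)
    return ps


def phi(n: int) -> int:
    """Euler's phi by definition: |{x in Z_n : gcd(x, n) = 1}|."""
    return sum(1 for x in range(n) if gcd(x, n) == 1)


def phi_formula(n: int) -> int:
    """n * prod_{p | n} (1 - 1/p), kept exact in integers as (n / p) * (p - 1) per prime."""
    r = n
    for p in prime_divisors(n):
        r = r // p * (p - 1)
    return r


def phi2(n: int) -> int:
    """Order-2 Schemmel totient by definition: |{x in Z_n : gcd(x, n) = gcd(x + 1, n) = 1}|."""
    return sum(1 for x in range(n) if gcd(x, n) == 1 and gcd(x + 1, n) == 1)


def phi2_formula(n: int) -> int:
    """n * prod_{p | n} (1 - 2/p); the factor for p = 2 is 0, so the value is 0 for even n."""
    r = n
    for p in prime_divisors(n):
        r = r // p * (p - 2)
    return r


def formulas_agree(limit: int) -> bool:
    """Definition and product formula coincide for every n = 1, ..., limit."""
    return all(phi(n) == phi_formula(n) and phi2(n) == phi2_formula(n)
               for n in range(1, limit + 1))
```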
Discrete Log Setting
Cyclic group of order n with generator g:
$G_n = \langle g \rangle = \{1, g, g^2, g^3, \ldots, g^{n-1}\}$, $g^n = 1$
$x = \log_g h$: discrete log of $h \in G_n$ is unique $x \in \mathbb{Z}_n$ such that $h = g^x$.
Example 1.3 (Groups $\mathbb{Z}_p^*$, $\mathbb{F}_q^*$)
Integers modulo prime p: $G_n = \mathbb{Z}_p^*$ cyclic group of order $n = p - 1$.
Multiplicative group of order-q finite field: $G_n = \mathbb{F}_q^*$ cyclic, order $n = q - 1$.
Example 1.4 (Prime order subgroups of $\mathbb{Z}_p^*$, $\mathbb{F}_q^*$)
$G_n = \langle g \rangle$, with g an element of prime order $p'$ in $\mathbb{Z}_p^*$, or in $\mathbb{F}_q^*$. Then $G_n$ is a cyclic group of prime order $n = p'$.
Example 1.5 (Group $E(\mathbb{F}_q)$ of $\mathbb{F}_q$-rational points on an elliptic curve E)
$E(\mathbb{F}_q)$ isomorphic to $\mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2}$, hence not necessarily cyclic. Take $G_n = E(\mathbb{F}_q)$ if $n_1 = 1$; otherwise, take a cyclic subgroup of $E(\mathbb{F}_q)$ for $G_n$.
Convenient Notation: $\langle g \rangle^*$
Definition (Set of all generators of $\langle g \rangle$)
$\langle g \rangle^* = \{g^x : x \in \mathbb{Z}_n^*\}$
Clearly: $|\langle g \rangle^*| = \varphi(n)$.
Exercise 1.2.3
Show that for any $h \in \langle g \rangle$, the following conditions are equivalent:
(i) $h \in \langle g \rangle^*$, (ii) $\mathrm{ord}(h) = \mathrm{ord}(g)$, (iii) $\langle h \rangle = \langle g \rangle$, (iv) $\langle h \rangle^* = \langle g \rangle^*$.
Exercise 1.2.4
(a) Show $a^{\log_h b} = b^{\log_h a}$ for any $a, b \in \langle g \rangle$ and $h \in \langle g \rangle^*$. (b) For $a, b \in \langle g \rangle$, define $a * b = a^{\log_g b}$ as the Diffie-Hellman (DH) product of a and b. Show that $(\langle g \rangle^*, *)$ is an abelian group.
Notation
Discrete random variables $X, Y, Z, \ldots$ with a finite range V.
Probability distribution of X: (i) $0 \le \Pr[X = v] \le 1$ for all $v \in V$, (ii) $\sum_{v \in V} \Pr[X = v] = 1$.
$X \in_R V$: random variable X distributed uniformly on V, $\Pr[X = v] = 1/|V|$.
Example (Random bits)
$X \in_R \{0, 1\}$ denotes a uniformly random bit. Let $Y = 1 - X$.
$X \ne Y$, in fact $\Pr[X = Y] = 0$, $\Pr[X = 0] = \Pr[Y = 0] = 1/2$, and $\Pr[X = 1] = \Pr[Y = 1] = 1/2$.
Example (Probability distributions)
$\{u : u \in_R \{0, 1\}\} = \{0 \mapsto \tfrac12, 1 \mapsto \tfrac12\} = \{1 - u : u \in_R \{0, 1\}\}$
$\{t + u : t, u \in_R \{0, 1\}\} = \{0 \mapsto \tfrac14, 1 \mapsto \tfrac12, 2 \mapsto \tfrac14\}$
$\{tu : t, u \in_R \{0, 1\}\} = \{0 \mapsto \tfrac34, 1 \mapsto \tfrac14\}$
Statistical Distance
Definition 1.6
The statistical distance $\Delta(X; Y)$ between random variables X and Y is defined as
$$\Delta(X; Y) = \frac12 \sum_{v \in V} \bigl|\Pr[X = v] - \Pr[Y = v]\bigr|,$$
where V denotes the set of possible values for X and Y.
Statistical distance is a bounded metric in the following sense.
Proposition 1.7
For random variables X, Y, Z:
(i) $0 \le \Delta(X; Y) \le 1$, “nonnegativity” and “boundedness”
(ii) $\Delta(X; Y) = 0 \Leftrightarrow \forall v \in V\ \Pr[X = v] = \Pr[Y = v]$, “identical distributions”
(iii) $\Delta(X; Y) = 1 \Leftrightarrow \forall v \in V\ \Pr[X = v] \Pr[Y = v] = 0$, “disjoint distributions”
(iv) $\Delta(X; Y) = \Delta(Y; X)$, “symmetry”
(v) $\Delta(X; Z) \le \Delta(X; Y) + \Delta(Y; Z)$. “triangle inequality”
House Edge (Advantage) in French Roulette
[Figure: plot with horizontal axis 0 to 35 and vertical axis 0.005 to 0.025.]
$\Delta(X; Y) = \frac{1}{37} \approx 0.027$ for $X \in_R \{1, \ldots, 36\}$, $Y \in_R \{0, \ldots, 36\}$.
Statistical Distance: Equivalent Characterizations
Proposition 1.8
For random variables X and Y, $\Delta(X; Y)$ is equal to each of:
(i) $\sum_{v \in V^+} \bigl(\Pr[X = v] - \Pr[Y = v]\bigr)$ with $V^+ = \{v \in V : \Pr[X = v] > \Pr[Y = v]\}$,
(ii) $\sum_{v \in V} \bigl(\Pr[X = v] \mathbin{\dot{-}} \Pr[Y = v]\bigr)$ with $x \mathbin{\dot{-}} y = \max(x - y, 0)$,
(iii) $1 - \sum_{v \in V} \min(\Pr[X = v], \Pr[Y = v])$,
(iv) $\max_{W \subseteq V} \bigl|\Pr[X \in W] - \Pr[Y \in W]\bigr|$.
Exercise 1.2.5
(a) Prove Proposition 1.7. (b) Prove Proposition 1.8.
Exercise 1.2.6
Prove that $\Delta(f(X); f(Y)) \le \Delta(X; Y)$ for any function f defined on V.
Statistical Distance: More Exercises
Exercise 1.2.7
For $n, d \ge 1$, consider distributions X and Y given by
$X = \{u : u \in_R \{0, \ldots, n-1\}\}$, $Y = \{u + d : u \in_R \{0, \ldots, n-1\}\}$.
Compute $\Delta(X; Y)$, assuming $d \le n$. Also, what is $\Delta(X; Y)$ if $d > n$?
Exercise 1.2.8
For $n \ge 1$, consider distributions X, Y, Z given by
$X = \{u : u \in_R \{0, \ldots, n-1\}\}$, $Y = \{2u : u \in_R \{0, \ldots, n-1\}\}$, $Z = \{2u + 1 : u \in_R \{0, \ldots, n-1\}\}$.
Show that $\Delta(Y; Z) = 1$. Show that $\Delta(X; Y) = \Delta(X; Z) = 1/2$ for even n, and also determine $\Delta(X; Y)$ and $\Delta(X; Z)$ for odd n.
Statistical Distance: More Exercises
Exercise 1.2.9
For $n \ge 1$, let $X \in_R \mathbb{Z}_n$ and $Y \in_R \mathbb{Z}_n^*$. (a) Determine $\Delta(X; Y)$. (b) Show that $\Delta(X + Y; XY) = 0$, where addition and multiplication are done modulo n.
Exercise 1.2.10
For n prime, let h and $M_0$ be arbitrary, fixed elements of $G_n = \langle g \rangle$, $h \ne 1$. Consider distributions X, Y, and Z given by
$X = \{(A, B) : A \in_R \langle g \rangle, B \in_R \langle g \rangle\}$, $Y = \{(g^u, h^u M) : u \in_R \mathbb{Z}_n, M \in_R \langle g \rangle\}$, $Z = \{(g^u, h^u M_0) : u \in_R \mathbb{Z}_n\}$.
Show that $\Delta(X; Y) = 0$ and that $\Delta(Y; Z) = 1 - 1/n$. Show also that $\Delta(X; Z) = 1 - 1/n$, using triangle inequalities.
Statistical Distance: More Exercises
Exercise 1.2.11
For $n \ge d \ge 1$, let random variable X take on values in $\{0, \ldots, d-1\}$, and let $U \in_R \{0, \ldots, n-1\}$. Show $\Delta(U; X + U) \le (d-1)/n$, and that this bound is tight.
The result of this exercise implies that $\Delta(U; X + U)$ vanishes if $d \ll n$: for $n = d\,2^k$, we get $\Delta(U; X + U) \le (d-1)/n < 2^{-k}$, which approaches 0 exponentially fast.
This leads to a kind of one-time pad encryption with integers, with X as plaintext, U as one-time pad, and $C = X + U$ as ciphertext.
Near-perfect secrecy is achieved, as the mutual information $I(X; C)$ between plaintext/ciphertext vanishes for $d \ll n$. See the next exercise.
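The following Python is an added example (not from the slides) that evaluates Definition 1.6 and three of the equivalent forms of Proposition 1.8 exactly with rationals, then applies them to the roulette example and to the integer one-time pad of Exercise 1.2.11; the function names are my own.

```python
from collections import Counter
from fractions import Fraction
from itertools import combinations


def dist_of(outcomes):
    """Distribution of a random variable listed by its equally likely outcomes, so that
    {f(u) : u in_R S} is dist_of([f(u) for u in S]); repeated values merge into one mass."""
    n = len(outcomes)
    return {v: Fraction(k, n) for v, k in Counter(outcomes).items()}


def support(X, Y):
    """Range V shared by X and Y (values with zero probability contribute nothing)."""
    return set(X) | set(Y)


def sd_definition(X, Y):
    """Definition 1.6: (1/2) * sum_v |Pr[X = v] - Pr[Y = v]|."""
    return Fraction(1, 2) * sum(abs(X.get(v, 0) - Y.get(v, 0)) for v in support(X, Y))


def sd_positive_part(X, Y):
    """Proposition 1.8(i): sum over V+ = {v : Pr[X = v] > Pr[Y = v]} of the difference."""
    return sum(X.get(v, 0) - Y.get(v, 0) for v in support(X, Y) if X.get(v, 0) > Y.get(v, 0))


def sd_min_form(X, Y):
    """Proposition 1.8(iii): 1 - sum_v min(Pr[X = v], Pr[Y = v])."""
    return 1 - sum(min(X.get(v, 0), Y.get(v, 0)) for v in support(X, Y))


def sd_max_event(X, Y):
    """Proposition 1.8(iv): max over all events W of |Pr[X in W] - Pr[Y in W]|, by brute
    force over the 2^|V| subsets, so only sensible for a small range V."""
    V = sorted(support(X, Y))
    best = Fraction(0)
    for r in range(len(V) + 1):
        for W in combinations(V, r):
            best = max(best, abs(sum(X.get(v, 0) for v in W) - sum(Y.get(v, 0) for v in W)))
    return best


def roulette_house_edge():
    """The slide's example: X in_R {1, ..., 36} versus Y in_R {0, ..., 36}; expected 1/37."""
    return sd_definition(dist_of(range(1, 37)), dist_of(range(0, 37)))


def pad_ciphertext(n, X):
    """Distribution of C = X + U for U in_R {0, ..., n-1} independent of X (Exercise 1.2.11):
    each mass Pr[X = w] is spread evenly over the n shifts w, w + 1, ..., w + n - 1."""
    C = {}
    for w, pw in X.items():
        for u in range(n):
            C[w + u] = C.get(w + u, 0) + pw / n
    return C


def pad_distance(n, X):
    """Delta(U; X + U), to be compared with the bound (d - 1)/n for X on {0, ..., d-1}.
    The bound is attained when X is the constant d - 1."""
    return sd_definition(dist_of(range(n)), pad_ciphertext(n, X))
```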
Statistical Distance: More Exercises
Exercise 1.2.12
See Exercise 1.2.11. Let $I(X; C) = H(X) - H(X \mid C)$, where $C = X + U$ and
$$H(X) = -\sum_{w=0}^{d-1} \Pr[X = w] \log_2 \Pr[X = w],$$
$$H(X \mid C) = -\sum_{v=0}^{d+n-2} \Pr[C = v] \sum_{w=0}^{d-1} \Pr[X = w \mid C = v] \log_2 \Pr[X = w \mid C = v]$$
are the (Shannon) entropy of X and the conditional entropy of X given C, resp. Show that $I(X; C) \le H(X)\,(d-1)/n$.
Exercise 1.2.13
Prove that $\Delta(X; Y) = 1 - |S \cap T| / \max(|S|, |T|)$ for $X \in_R S$ and $Y \in_R T$.
Complexity Classes P vs NP
P: deterministic Polynomial time “easy to solve”
NP: Nondeterministic Polynomial time “easy to check”
Clearly: P ⊆ NP
Long-standing conjecture: P ≠ NP
$1,000,000 Millennium Prize Problem of the Clay Mathematics Institute
[Figure: P inside NP, with the NP-complete problems and the NP-intermediate problems marked inside NP; NP-intermediate ≠ ∅ (R. Ladner, 1975).]
Problems in P: easy, e.g., Sorting, Primality, ...
NP-intermediate problems: DL, Factoring, Graph Isomorphism (all conjectured!)
NP-complete problems: hardest in NP, e.g., 3SAT, Hamiltonian Circuit, ...
(NP-hard problems: ≥ NP-complete, e.g., Traveling Salesman, ...)
Worst-Case vs Average-Case Complexity
NP-complete problems: hard in the worst case.
Over all problem instances of a given size.
But potentially easy in the average case!!
Uniformly random problem instances of a given size may be easy.(Chances of hitting the worst case may be negligible.)
Probabilistic Turing Machines
Church’s thesis: “Turing machines are powerful enoughto describe any kind of algorithm”
Turing machine: finite control part plus an infinite data tape.
Three important types of Turing machines:
- Deterministic: unique successor configuration.
- Nondeterministic: one of several possible successor configurations.
- Probabilistic: one of several possible successor configurations, chosen uniformly at random.
Probabilistic Turing machines ⇔ probabilistic/randomized algorithms (deterministic Turing machines extended with random tape)
Complexity Class BPP
Complexity class BPP: problems solved with Bounded-error by Probabilistic Polynomial time (p.p.t.) Turing machines
For every YES-instance: Pr[“accept”] ≥ 2/3
For every NO-instance: Pr[“accept”] ≤ 1/3
Probability over all internal random choices (random tapes).
Clearly: P ⊆ BPP
Conjectured: P = BPP
Thus, BPP is the class of “easy” (efficiently solvable) problems.
Note: relation of BPP versus NP not known.
1.3 Assumptions: 1.3.1 Discrete Log and Diffie-Hellman Assumptions, 1.3.2 Indistinguishability, 1.3.3 Random Self-Reducibility, 1.3.4 Random Oracle Model
Discrete Log and Diffie-Hellman Assumptions
Definition 1.9 (Discrete Logarithm (DL) assumption)
For group $\langle g \rangle$, hard to compute x given random group element $g^x$.
Definition 1.10 ((Computational) Diffie-Hellman (DH) assumption)
For group $\langle g \rangle$, hard to compute $g^{xy}$ given random group elements $g^x, g^y$.
Definition 1.11 (Decisional Diffie-Hellman (DDH) assumption)
For group $\langle g \rangle$, hard to distinguish $g^{xy}$ from random group element $g^z$ given random group elements $g^x, g^y$.
Evidently: DDH assumption ⇒ DH assumption ⇒ DL assumption.
Negligible Function
Definition 1.12
Nonnegative function $f : \mathbb{N} \to \mathbb{R}$ is negligible if for every $\gamma \in \mathbb{N}$ there exists a $k_0 \in \mathbb{N}$ such that for all $k \ge k_0$, $f(k) \le 1/k^\gamma$.
Example
Negligible:
$1/2^k = 2^{-k}$ “exponentially fast to 0”
$1/2^{\sqrt{k}} = 2^{-\sqrt{k}}$ “sub-exponentially fast to 0”
$1/k^{\log k} = k^{-\log k}$ “quasi-polynomially fast to 0”
Not negligible:
$1/k = k^{-1}$ “linearly fast to 0”
$1/k^2 = k^{-2}$ “quadratically fast to 0”
$1/k^{100} = k^{-100}$ “polynomially fast to 0”
Indistinguishability
Definition 1.13
Let $X = \{X_i\}$ and $Y = \{Y_i\}$ be two families of random variables. Then X and Y are:
(i) perfectly indistinguishable if $\Delta(X_i; Y_i) = 0$
(ii) statistically indistinguishable if $\Delta(X_i; Y_i)$ is negligible
(iii) computationally indistinguishable if $\Delta(D(X_i); D(Y_i))$ is negligible for all p.p.t. Boolean distinguishers D
Advantage $\mathrm{Adv}_D(X_i, Y_i) = \bigl|\Pr[D(X_i) = 1] - \Pr[D(Y_i) = 1]\bigr|$
Exercise 1.3.1
Show $\mathrm{Adv}_D(X_i, Y_i) = \Delta(D(X_i); D(Y_i))$ for any Boolean distinguisher D.
Exercise 1.3.2
Show that computational indistinguishability is implied by statistical indistinguishability. Hint: use Proposition 1.8(iv), cf. Exercise 1.2.6.
Boolean Distinguisher D
[Figure: distinguisher D receives samples from either $X_i$ or $Y_i$ and outputs a bit: 1 “I guess $X_i$”, 0 “I guess $Y_i$”.]
Distinguisher samples from fixed (but unknown) “source”, either Xi or Yi .
For computational indistinguishability, distinguisher should failusing any p.p.t. statistical test.
DDH Assumption (Definition 1.11)
$X_{\langle g \rangle} = \{(g^x, g^y, g^{xy}) : x, y \in_R \mathbb{Z}_n\}$ “DH triples”
$Y_{\langle g \rangle} = \{(g^x, g^y, g^z) : x, y, z \in_R \mathbb{Z}_n, z \ne xy\}$ “non-DH triples”
DDH assumption: $X_{\langle g \rangle}$ and $Y_{\langle g \rangle}$ are computationally indistinguishable.
Also possible to take:
$Y'_{\langle g \rangle} = \{(g^x, g^y, g^z) : x, y, z \in_R \mathbb{Z}_n\}$ “random triples”
$$\begin{aligned}
\Delta(Y; Y') &= \frac12 \Bigl( \sum_{x,y,z \in \mathbb{Z}_n} \bigl|\Pr[Y = (g^x, g^y, g^z)] - \Pr[Y' = (g^x, g^y, g^z)]\bigr| \Bigr) \\
&= \frac12 \Bigl( \sum_{x,y,z \in \mathbb{Z}_n,\, z \ne xy} \bigl|\Pr[Y = (g^x, g^y, g^z)] - \Pr[Y' = (g^x, g^y, g^z)]\bigr| \\
&\qquad + \sum_{x,y,z \in \mathbb{Z}_n,\, z = xy} \bigl|\Pr[Y = (g^x, g^y, g^z)] - \Pr[Y' = (g^x, g^y, g^z)]\bigr| \Bigr) \\
&= \frac12 \Bigl( (n^3 - n^2) \Bigl|\frac{1}{n^3 - n^2} - \frac{1}{n^3}\Bigr| + n^2 \Bigl|0 - \frac{1}{n^3}\Bigr| \Bigr) = 1/n.
\end{aligned}$$
Since n is exponentially large in security parameter, statistical distance of 1/n is negligible.
DDH Assumption
$X = \{(g^x, g^y, g^{xy}) : x, y \in_R \mathbb{Z}_n\}$, $Y = \{(g^x, g^y, g^z) : x, y, z \in_R \mathbb{Z}_n, z \ne xy\}$.
$$\begin{aligned}
\Delta(X; Y) &= \frac12 \Bigl( \sum_{x,y,z \in \mathbb{Z}_n} \bigl|\Pr[X = (g^x, g^y, g^z)] - \Pr[Y = (g^x, g^y, g^z)]\bigr| \Bigr) \\
&= \frac12 \Bigl( \sum_{x,y,z \in \mathbb{Z}_n,\, z = xy} \bigl|\Pr[X = (g^x, g^y, g^z)] - \Pr[Y = (g^x, g^y, g^z)]\bigr| \\
&\qquad + \sum_{x,y,z \in \mathbb{Z}_n,\, z \ne xy} \bigl|\Pr[X = (g^x, g^y, g^z)] - \Pr[Y = (g^x, g^y, g^z)]\bigr| \Bigr) \\
&= \frac12 \Bigl( n^2 \Bigl|\frac{1}{n^2} - 0\Bigr| + (n^3 - n^2) \Bigl|0 - \frac{1}{n^3 - n^2}\Bigr| \Bigr) = 1.
\end{aligned}$$
$\Delta(X; Y) = 1$ not surprising, since X and Y are disjoint!
Triangle inequality: $\Delta(X; Y') \ge \Delta(X; Y) - \Delta(Y; Y') = 1 - 1/n$.
Exercise 1.3.3
Check that actually $\Delta(X; Y') = 1 - 1/n$.
Random Self-Reducibility
Definition 1.14
Problem is (perfectly) random self-reducible if any instance I can be solved by these three steps:
1 Transform instance I into uniformly random instance I′.
2 Solve instance I′.
3 Extract solution for I from solution for I′.
Only steps 1 and 3 are required to run in polynomial time.
Commonly random self-reducible:
- DL/DH/DDH problems for fixed DL setting ⟨g⟩.
- RSA-based problems for fixed RSA modulus N.
Likely to be not random self-reducible:
- Factoring integers of fixed bit length.
- Any NP-complete problem.
Reduction to Average Case
Proposition 1.15 (Informal)
Any random self-reducible problem that is hard in the worst case is also hard on the average.
Proof (sketch).
Suppose random self-reducible problem is easy on the average. Then any problem instance can be solved easily:
1 Transform given instance into a uniformly random instance.
2 Solve it (easy because it’s the average case).
3 Extract solution to original problem.
Note that the algorithm in the proof itself is probabilistic.
Random Self-Reducible Discrete Log Problems
We consider a fixed group $\langle g \rangle$ of any order $n \ge 1$.
Definition (DL, DH, DDH problems)
DL: Compute x, given $g^x$ with $x \in \mathbb{Z}_n$.
DH: Compute $g^{xy}$, given $g^x, g^y$ with $x, y \in \mathbb{Z}_n$.
DDH: Distinguish $g^{xy}$ from $g^z$, given $g^x, g^y$ with $x, y, z \in \mathbb{Z}_n$, $z - xy \in \mathbb{Z}_n^*$.
For n prime, DDH problem corresponds to distinguishing (disjoint) distributions
$X_{\langle g \rangle} = \{(g^x, g^y, g^{xy}) : x, y \in_R \mathbb{Z}_n\}$, $Y_{\langle g \rangle} = \{(g^x, g^y, g^z) : x, y, z \in_R \mathbb{Z}_n, z \ne xy\}$
Proposition 1.16
DL, DH, and DDH problems are random self-reducible.
Proof (DL, DH problems are random self-reducible).
Given any DL problem instance $h = g^x$ with $x \in \mathbb{Z}_n$:
1 Transform h into uniformly random instance $h' = h g^u$ with $u \in_R \mathbb{Z}_n$.
2 Solve instance $h'$ yielding $x' = \log_g h'$.
3 Extract solution as $x = \log_g h = x' - u \bmod n$.
Given any DH problem instance $I = (g^x, g^y)$ with $x, y \in \mathbb{Z}_n$:
1 Transform I into $I' = (g^{x'}, g^{y'}) = (g^x g^t, g^y g^u)$ with $t, u \in_R \mathbb{Z}_n$.
2 Solve instance $I'$ yielding $g^{x'y'} = g^{(x+t)(y+u)} = g^{xy + xu + ty + tu}$.
3 Extract solution as $g^{xy} = g^{x'y'} / \bigl((g^x)^u (g^y)^t g^{tu}\bigr)$.
Note: $I' = (g^{x'}, g^{y'})$ is distributed uniformly on $\langle g \rangle \times \langle g \rangle$.
Proof (DDH problem is random self-reducible).
Given any DDH problem instance $I = (g^x, g^y, g^z)$ with $x, y, z \in \mathbb{Z}_n$:
1 Transform I into $I' = (g^{xs+t}, g^{y+u}, g^{zs+xsu+yt+tu})$, with $s \in_R \mathbb{Z}_n^*$, $t, u \in_R \mathbb{Z}_n$.
2 Solve instance $I'$ yielding bit $b'$.
3 Output $b = b'$.
Since $s \in \mathbb{Z}_n^*$, $I' = (g^{x'}, g^{y'}, g^{z'})$ satisfies $z' = x'y'$ iff I satisfies $z = xy$:
$$z' - x'y' = zs + xsu + yt + tu - (xs + t)(y + u) = (z - xy)s.$$
If $z = xy$, triple $I'$ is uniform among all triples $(g^{x'}, g^{y'}, g^{x'y'})$: for $v, w \in \mathbb{Z}_n$
$$\Pr[x' = v, y' = w, z' = vw] = \frac{1}{n^2}.$$
If $z - xy \in \mathbb{Z}_n^*$, then s, t, u are determined by $s = (z' - x'y')/(z - xy)$, $t = x' - xs$, $u = y' - y$, hence $I'$ is uniform among all $(g^{x'}, g^{y'}, g^{z'})$ with $z' - x'y' \in \mathbb{Z}_n^*$:
$$\Pr[x' = v, y' = w, z' = r] = \Pr\Bigl[s = \frac{r - vw}{z - xy},\ t = v - xs,\ u = w - y\Bigr] = \frac{1}{\varphi(n)\, n^2},$$
for any $r, v, w \in \mathbb{Z}_n$ with $r - vw \in \mathbb{Z}_n^*$.
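As an added example (not part of the slides), the Python below carries out the three steps of the DL, DH and DDH reductions from the two proofs above in a toy group of prime order n = 53, where an exhaustive search stands in for the "solve instance I′" step that the reductions treat as a black box; the constants, oracle and function names are mine.

```python
import random
from collections import Counter

# Constructed toy discrete-log setting: p = 2q + 1 with q = 53 prime, and g = 4 (a square
# mod p) generates the subgroup of order n = q in Z_p^*, so Z_n^* = {1, ..., n - 1}.
P, N, G = 107, 53, 4


def mul(a, b):
    return a * b % P


def inv(a):
    return pow(a, -1, P)


def dlog_oracle(h):
    """Stand-in for step 2 ('solve instance h''): exhaustive search, which only works
    because the group has 53 elements. The reductions never look inside this function."""
    for x in range(N):
        if pow(G, x, P) == h:
            return x
    raise ValueError("h not in <g>")


def dh_oracle(gx, gy):
    """Stand-in DH solver for step 2: returns g^{xy} given g^x, g^y."""
    return pow(gy, dlog_oracle(gx), P)


def dl_self_reduce(h):
    """Proposition 1.16, DL part: h = g^x -> h' = h g^u (uniform in <g>), solve h', x = x' - u."""
    u = random.randrange(N)                    # u in_R Z_n
    h_prime = mul(h, pow(G, u, P))             # step 1
    x_prime = dlog_oracle(h_prime)             # step 2
    return (x_prime - u) % N                   # step 3


def dh_self_reduce(gx, gy):
    """Proposition 1.16, DH part: (g^x, g^y) -> (g^{x+t}, g^{y+u}); the oracle returns
    g^{(x+t)(y+u)}, from which (g^x)^u (g^y)^t g^{tu} is divided out."""
    t, u = random.randrange(N), random.randrange(N)
    gx_p = mul(gx, pow(G, t, P))
    gy_p = mul(gy, pow(G, u, P))
    gxy_p = dh_oracle(gx_p, gy_p)
    correction = mul(mul(pow(gx, u, P), pow(gy, t, P)), pow(G, t * u, P))
    return mul(gxy_p, inv(correction))


def ddh_rerandomize(gx, gy, gz, s, t, u):
    """Step 1 of the DDH proof, computed from the group elements alone:
    (g^x, g^y, g^z) -> (g^{xs+t}, g^{y+u}, g^{zs+xsu+yt+tu}), s in Z_n^*, t, u in Z_n."""
    gx_p = mul(pow(gx, s, P), pow(G, t, P))
    gy_p = mul(gy, pow(G, u, P))
    gz_p = mul(mul(pow(gz, s, P), pow(gx, s * u, P)), mul(pow(gy, t, P), pow(G, t * u, P)))
    return gx_p, gy_p, gz_p


def is_dh_triple(gx, gy, gz):
    """Decides z = xy with the toy oracle; used only to check that the rerandomized
    instance is a DH triple exactly when the original one is."""
    return gz == dh_oracle(gx, gy)


def rerandomization_counts(x, y, z):
    """Exponent-level view of the DDH transform: how often each (x', y', z') arises as
    (s, t, u) ranges over Z_n^* x Z_n x Z_n. For z - xy in Z_n^*, every triple with
    z' - x'y' in Z_n^* occurs exactly once, matching Pr = 1/(phi(n) n^2) in the proof."""
    counts = Counter()
    for s in range(1, N):
        for t in range(N):
            for u in range(N):
                counts[((x * s + t) % N, (y + u) % N,
                        (z * s + x * s * u + y * t + t * u) % N)] += 1
    return counts
```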
Random Self-Reducible DL Variants
Definition (DL*, DH*, DH**, DDH*, DDH** problems)
DL*: Compute x, given $g^x$ with $x \in \mathbb{Z}_n^*$.
DH*: Compute $g^{xy}$, given $g^x, g^y$ with $x \in \mathbb{Z}_n^*$ and $y \in \mathbb{Z}_n$.
DH**: Compute $g^{xy}$, given $g^x, g^y$ with $x, y \in \mathbb{Z}_n^*$.
DDH*: Distinguish $g^{xy}$ from $g^z$, given $g^x, g^y$ with $x \in \mathbb{Z}_n^*$, $y, z \in \mathbb{Z}_n$, $z - xy \in \mathbb{Z}_n^*$.
DDH**: Distinguish $g^{xy}$ from $g^z$, given $g^x, g^y$ with $x, y, z \in \mathbb{Z}_n^*$, $z - xy \in \mathbb{Z}_n^*$.
Example 1.17 (DL* problem is random self-reducible)
Given any instance $h = g^x$ with $x \in \mathbb{Z}_n^*$:
1 Transform h into a uniformly random instance $h' = h^u$ with $u \in_R \mathbb{Z}_n^*$.
2 Solve instance $h'$ yielding $x' = \log_g h'$.
3 Extract solution as $x = \log_g h = x'/u \bmod n$.
Note: $h'$ is distributed uniformly on $\langle g \rangle^*$.
Example (cont.)
Alternatively, use transformation for DL problem in proof of Proposition 1.15.
Given any instance $h = g^x$ with $x \in \mathbb{Z}_n^*$:
1 Transform h into uniformly random $h' = h g^u$, $u \in_R \mathbb{Z}_n$, until $\mathrm{ord}(h') = n$.
2 Solve instance $h'$ yielding $x' = \log_g h'$.
3 Extract solution as $x = \log_g h = x' - u \bmod n$.
Condition $\mathrm{ord}(h') = n$ ensures $h' \in \langle g \rangle^*$ in step 2, cf. Exercise 1.2.3. In fact, $h'$ is distributed uniformly on $\langle g \rangle^*$ as required.
Test $\mathrm{ord}(h') = n$ can be evaluated efficiently, given prime factorization of n. Expected running time of step 1 polynomial in size of n: on average $n/\varphi(n) = O(\log \log n)$ uniformly random $h' \in \langle g \rangle$ needed to find one $h' \in \langle g \rangle^*$.
Note: if n is prime, $\mathrm{ord}(h') = n$ is equivalent to $h' \ne 1$.
Exercises
Exercise 1.3.4
Show (a) DH* problem, and (b) DH** problem are both random self-reducible.
Exercise 1.3.5
Show (a) DDH* problem is random self-reducible, and (b) given prime factorization of n, DDH** problem is random self-reducible. Hints: for both parts use three random numbers for transformation in step 1, $s, t \in_R \mathbb{Z}_n^*$ and $u \in_R \mathbb{Z}_n$; for part (b), also test for invalid inputs, cf. end of Example 1.17.
Exercises
Exercise 1.3.6
Show that these problems are random self-reducible for group $\langle g \rangle$ of order n:
(a) given $g^x$ with $x \in \mathbb{Z}_n$, compute $g^{x^2}$;
(b) given $g^x$ with $x \in \mathbb{Z}_n^*$, compute $g^{1/x}$;
(c) given $g^x, g^y$ with $x, y \in \mathbb{Z}_n^*$, compute $g^{x/y}$;
(d) given $g^x, g^y$ with $x \in \mathbb{Z}_n$, $y \in \mathbb{Z}_n^*$, compute $g^{x/y}$;
(e) given $g^x$ with $x \in \mathbb{Z}_n^*$, compute $g^{x^3}$;
(f) given $g^x, g^{x^2}$ with $x \in \mathbb{Z}_n$, compute $g^{x^3}$;
(g) given $g^x, g^y$ with $x, y \in \mathbb{Z}_n$, compute $g^{(x+y)^2}$;
(h) given $g^x, g^y$ with $x, y \in \mathbb{Z}_n$, $x - y \in \mathbb{Z}_n^*$, compute $g^{1/(x-y)}$.
Exercises
Exercise 1.3.7
Let N = pq be an RSA modulus, that is, p and q are large, distinct primes of bit length k, for some integer k. Let e satisfy gcd(e, φ(N)) = 1, where φ(N) = (p − 1)(q − 1). The RSA problem is to compute x = y^{1/e} mod N given y ∈ Z_N^*. Show that the RSA problem is random self-reducible.
Exercise 1.3.8
Let N be an RSA modulus, as in the previous exercise. Let J_N = {y ∈ Z_N^* : (y/N) = 1}, the set of all integers in Z_N^* with Jacobi symbol 1. The Quadratic Residuosity (QR) problem is to decide whether a given y ∈ J_N is a quadratic residue modulo N or not, that is, whether y ∈ QR_N, where QR_N = {y ∈ Z_N^* : ∃ x ∈ Z_N^* with y = x^2 mod N}. Show that the QR problem is random self-reducible.
59/210
Cryptographic Hash Functions
Definition 1.18
Function H : {0, 1}^* → {0, 1}^k is a cryptographic hash function if H(x) is easy to compute for any x, and one or more of the following properties hold:
preimage resistance (one-wayness): given y, hard to find a preimage x such that H(x) = y.
2nd-preimage resistance (weak collision resistance): given x, hard to find a 2nd preimage x′ ≠ x such that H(x′) = H(x).
collision resistance (strong collision resistance): hard to find a collision (x, x′) with x ≠ x′ such that H(x) = H(x′).
Well-known examples: MD5, SHA-1, SHA-256.
Collisions for MD5, SHA-0, SHA-1 and some other “old” hash functions: CryptographicHash-Collisions.nb
60/210
Random Oracle Model
View cryptographic hash function H : {0, 1}^* → {0, 1}^k as a random oracle.
Random oracle H: random function of type {0, 1}^* → {0, 1}^k.
We only use a finite portion S of H, as follows. Initially, S = ∅. Upon a query x:
  if x ∉ S, set H(x) ∈R {0, 1}^k and S ← S ∪ {x};
  return H(x).
Then:
(i) H is a function: same input value, same output value;
(ii) H is random: for different input values, output values are distributed uniformly at random (and mutually independent).
61/210
Random Oracle Model
Ultimately, use of the random oracle model is heuristic!
A concrete hash function such as SHA-256 is not a random function—not at all!¹
Practical upshot: a protocol proved secure in the random oracle model can only be broken if the attacker uses specific properties of the hash function H.
¹ Protocols do exist that can be proved secure in the random oracle model, but are insecure when used with some concrete hash function. Yet, these “counterexamples” are not realistic. See also Exercise 5.4.1.
62/210
Random Oracle Model
Proposition 1.19
Let H be a cryptographic hash function, viewed as a random oracle. Let (unlimitedly powerful) adversary E make at most t hash queries.
(iii) Let E output (x, x′). Then Pr[x ≠ x′, H(x) = H(x′)] ≤ t^2/2^k.
Proof. W.l.o.g. assume that all hash queries are distinct.
(iii) Write m = 2^k and assume t < √m. For hash queries x_1, …, x_t, the probability of at least one collision is:
  1 − m(m − 1)(m − 2) ··· (m − t + 1)/m^t
  = 1 − (1 − 1/m)(1 − 2/m) ··· (1 − (t − 1)/m)
  ≤ 1 − e^{−2/m} e^{−4/m} ··· e^{−2(t−1)/m}        [using 1 − x ≥ e^{−2x} for 0 ≤ x ≤ 3/4]
  = 1 − e^{−t(t−1)/m}
  ≤ 1 − (1 − t(t − 1)/m)                             [using e^x ≥ 1 + x for x ∈ R]
  = t(t − 1)/m ≤ t^2/m.
63/210
Birthday Paradox
Exercise 1.3.9
See the proof of Proposition 1.19(iii). Show that the upper bound for the probability of finding at least one collision is almost tight, by showing that this probability is bounded below by (1/4) t(t − 1)/m, for t < √m.
Exact collision probability as a function of t:
Among a group of 23 people, prob. 50% that two share the same birthday!
At t = 2√m = 2√(2^k) almost surely (prob. ≈ 1) a collision.
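The lazily sampled random oracle of the previous slides and the collision probability of Proposition 1.19(iii) and Exercise 1.3.9, as an added example (not code from the lecture notes). The exact probability is the first line of the proof, and the two bounds are the ones stated on the slides; the oracle experiment is a constructed one.

```python
import math
import secrets


class RandomOracle:
    """Lazily sampled random oracle H : {0,1}^* -> {0,1}^k, as on the slide:
    S starts empty; on a query x not yet in S, H(x) is drawn uniformly from
    {0,1}^k and x is added to S; repeated queries return the stored value."""

    def __init__(self, k):
        self.k = k
        self.table = {}  # the finite portion S of H seen so far

    def query(self, x: bytes) -> int:
        if x not in self.table:
            self.table[x] = secrets.randbits(self.k)
        return self.table[x]


def exact_collision_probability(m, t):
    """Pr[at least one collision among t distinct queries] for a random function
    with m = 2^k outputs: 1 - m(m-1)...(m-t+1)/m^t (first line of the proof)."""
    no_collision = 1.0
    for i in range(t):
        no_collision *= (m - i) / m
    return 1.0 - no_collision


def birthday_bounds(m, t):
    """Lower bound t(t-1)/(4m) (Exercise 1.3.9) and upper bound t^2/m
    (Proposition 1.19(iii)); both are stated for t < sqrt(m)."""
    assert t * t < m, "bounds only claimed for t < sqrt(m)"
    return t * (t - 1) / (4 * m), t * t / m


def bounds_hold(m, t):
    """Sanity check that the exact probability sits between the two bounds."""
    lo, hi = birthday_bounds(m, t)
    return lo <= exact_collision_probability(m, t) <= hi


def find_collision(oracle, t):
    """Constructed experiment: query t distinct inputs 0, 1, ..., t-1 and return
    the colliding pair of inputs, or None. With t > 2^k a collision is certain."""
    seen = {}
    for i in range(t):
        y = oracle.query(i.to_bytes(8, "big"))
        if y in seen:
            return seen[y], i
        seen[y] = i
    return None
```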
64/210
Further Requirements for Cryptographic Hash Functions
Any deviation from what statistically holds for random functions should be: absent, unlikely, or in any case infeasible to exploit.
Example (Partial preimage resistance (or, local one-wayness))
Given y, hard to find (partial) information about any preimage x s.t. H(x) = y.
Exercise 1.3.10
Let H be a preimage resistant hash function. Show that partial preimage resistance is strictly stronger than preimage resistance, by constructing a preimage resistant hash function H′ (from H) which is not partial preimage resistant.
65/210
Exercises
Exercise 1.3.11
Suppose one demands of a hash function H that it is hard to find a pair of bit strings (x, x′) satisfying H(x) = ¬H(x′), where ¬s denotes the bitwise complement of bit string s. Analyze the probability that an adversary E making at most t hash queries finds such a pair, where H is viewed as a random oracle.
Exercise 1.3.12
Let y = H^2(x), where x ∈ {0, 1}^*. Let E be an adversary that, given y only, makes t hash queries on distinct inputs x_1, …, x_t ∈ {0, 1}^k. View H : {0, 1}^* → {0, 1}^k as a random oracle to show that E finds a preimage of y with probability exactly equal to ε(2 − ε), with ε = t/2^k. Also, argue why there is no contradiction with Proposition 1.19(i) even though ε(2 − ε) ≥ ε.
66/210
2 Key Exchange Protocols
2.1 Diffie-Hellman Key Exchange · 2.2 Authenticated Key Exchange
2.1.1 Basic Protocol · 2.1.2 Passive Attacks · 2.1.3 A Practical Variant · 2.1.4 Aside: ElGamal Encryption
Diffie-Hellman Key Exchange (1976)
Discrete Log setting: finite cyclic group 〈g〉 of order n.

Party A                                  Party B
x_A ∈R Z_n^*                             x_B ∈R Z_n^*
h_A ← g^{x_A}                            h_B ← g^{x_B}
               ───── h_A ─────→
               ←──── h_B ─────
K_AB ← h_B^{x_A}                         K_BA ← h_A^{x_B}

Key K = K_AB = K_BA is a shared key for A and B, meaning that:
(i) K is the same for A and B
(ii) K is private, only known to A and B
(iii) K is actually equal to g^{x_A x_B} (with contributions from both parties)
Often, key K is subsequently used as a session key.
How “secure” is this protocol?
67/210
Exercise
Exercise 2.1.1
Explain what happens if the secret exponents x_A and x_B are chosen from Z_n instead of Z_n^*. Confirm your findings by computing the statistical distance ∆(K; K′), where K = g^{x_A x_B} with x_A, x_B ∈R Z_n^* and K′ = g^{x′_A x′_B} with x′_A, x′_B ∈R Z_n.
68/210
Security against Passive Attacks
Passive attacker E eavesdrops on the communication and gets h_A = g^{x_A} and h_B = g^{x_B}. E knows the DL setting in use. Thus, E may try to compute x_A = log_g h_A.
But, success would contradict the DL assumption (Definition 1.9).
Similarly, computation of x_B = log_g h_B cannot be successful.
Can we make this line of reasoning rigorous?
69/210
Security Proof by Reduction
Reduction: if attacker E can find K from h_A and h_B, then we can use E to solve the DL problem.
Given an instance of the DL problem: h = g^x. How to use E to find x = log_g h?
Attempt at reduction:
1. put h_A = h
2. put h_B = g^{x′} with x′ ∈R Z_n^*
3. let E perform its attack
4. upon success, E outputs g^{x x′}
5. ... ?
How to find x from g^{x x′}? Even knowing x′.
Way out: introduce the DH assumption (Definition 1.10).
70/210
Enough Security?
Under the DH assumption, attacker E cannot find key K given h_A and h_B. But, suppose K is used to encrypt a 1-bit message M ∈ {0, 1}: ciphertext C = g^M K.
Example 2.1
Let 〈g〉 = Z_p^*, with p′ = (p − 1)/2 prime. Then Z_p^* = QR_p ∪ NQR_p (NQR_p is written with a bar over QR_p in the notes) with
  QR_p = {1, g^2, …, g^{2p′−2}}   quadratic residues mod p
  NQR_p = {g, g^3, …, g^{2p′−1}}  quadratic nonresidues mod p

  h_A      h_B      K
  QR_p     QR_p     QR_p     25%
  QR_p     NQR_p    QR_p     25%
  NQR_p    QR_p     QR_p     25%
  NQR_p    NQR_p    NQR_p    25%

Assume M ∈R {0, 1}. Given C = g^M K.
Guess: M̂ = 0 if C ∈ QR_p, and M̂ = 1 if C ∈ NQR_p.
Pr[M̂ = M] = 3/4 (check this!)
Even worse: M can be recovered deterministically from the quadratic residuosity of h_A, h_B, and C. See Exercise 2.1.5.
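Example 2.1 and the deterministic recovery of Exercise 2.1.5 run on a constructed toy safe prime, next to the prime-order remedy of the next slide. This is an added example, not code from the lecture notes; the parameters p′ = 1019, p = 2039 and the generator search are assumptions made here for the sake of an exhaustive check.

```python
import math
import secrets

# Constructed toy parameters: p' = 1019 and p = 2p' + 1 = 2039 are both prime, so
# Z_p^* is cyclic of order n = p - 1 = 2p'. Far too small for real use; a real
# deployment takes a 2048-bit p or a prime-order elliptic-curve group.
P_PRIME = 1019
P = 2 * P_PRIME + 1


def is_qr(a):
    """Euler's criterion: a is a quadratic residue mod p iff a^{p'} = 1 (mod p)."""
    return pow(a, P_PRIME, P) == 1


# Smallest quadratic nonresidue; it generates all of Z_p^* (order 2p'), as in Example 2.1.
G = next(g for g in range(2, P) if not is_qr(g))


def keygen(g, n):
    """One party's DH step: x in_R Z_n^*, public value h = g^x."""
    while True:
        x = secrets.randbelow(n)
        if math.gcd(x, n) == 1:
            return x, pow(g, x, P)


def dh_session(g, n):
    """A full exchange: returns the transcript (h_A, h_B) and the key K = g^{x_A x_B}."""
    x_a, h_a = keygen(g, n)
    x_b, h_b = keygen(g, n)
    k = pow(h_b, x_a, P)
    assert k == pow(h_a, x_b, P)
    return h_a, h_b, k


def encrypt_bit(m, k, g=G):
    """The slide's 1-bit encryption C = g^M K."""
    return pow(g, m, P) * k % P


def recover_bit(h_a, h_b, c):
    """Passive attacker's deterministic recovery of M in <g> = Z_p^* (Exercise 2.1.5).
    Residuosity is a homomorphism Z_p^* -> {+1, -1} and g is a nonresidue, so g^x is a
    residue iff x is even; hence K = g^{x_A x_B} is a residue iff h_A or h_B is, and
    C = g^M K has the residuosity of K exactly when M = 0."""
    k_is_qr = is_qr(h_a) or is_qr(h_b)
    return 0 if is_qr(c) == k_is_qr else 1


def leak_demo(trials=200):
    """Returns (correct recoveries, trials) for the Z_p^* setting: all of them."""
    hits = 0
    for _ in range(trials):
        m = secrets.randbelow(2)
        h_a, h_b, k = dh_session(G, P - 1)
        hits += recover_bit(h_a, h_b, encrypt_bit(m, k)) == m
    return hits, trials


# Remedy (next slide): work in the prime-order subgroup QR_p = <g^2> of order p'.
G2 = pow(G, 2, P)


def attacker_view_in_subgroup(m):
    """Same experiment inside QR_p: h_A, h_B and C are residues whatever M is, so the
    residuosity test tells the eavesdropper nothing (returns their three QR flags)."""
    h_a, h_b, k = dh_session(G2, P_PRIME)
    c = encrypt_bit(m, k, G2)
    return is_qr(h_a), is_qr(h_b), is_qr(c)
```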
71/210
Choice for Prime Order Groups
DDH assumption (Definition 1.11) to exclude any leakage of partial information.
Exercise 2.1.2Argue that the DDH assumption is false when n contains a small prime factor.
Simple way to exclude small prime factors: let n be sufficiently large prime.
Additional benefit: Zn is a field!
72/210
Security under DDH Assumption
Balanced function f : 〈g〉 → {0, 1}, if a priori Pr[f(u) = 0] = Pr[f(u) = 1] = 1/2 for u ∈R 〈g〉.
Suppose E predicts f(K) better than guessing at random:
  Pr[E(h_A, h_B) = f(K)] > 1/2 + ε, for nonnegligible ε.
Given E, define distinguisher D for DDH:
  D(g^x, g^y, g^z) := 1 if E(g^x, g^y) = f(g^z), and 0 if E(g^x, g^y) ≠ f(g^z).
On DH-triples:
  Pr[D(h_A, h_B, K) = 1] = Pr[E(h_A, h_B) = f(K)] > 1/2 + ε
On random triples:
  Pr[D(h_A, h_B, g^z) = 1] = Pr[E(h_A, h_B) = f(g^z)] = 1/2      (“f is balanced”)
Advantage of D exceeds ε. Contradicts the DDH assumption.
73/210
Exercise
Exercise 2.1.3
Extend the above analysis to the case that the a priori probabilities are given by Pr[f(u) = 0] = p_0 and Pr[f(u) = 1] = p_1 = 1 − p_0.
74/210
Hashed DH Key Exchange
Cryptographic hash function H : 〈g〉 → {0, 1}^k.

Party A                                  Party B
x_A ∈R Z_n^*                             x_B ∈R Z_n^*
h_A ← g^{x_A}                            h_B ← g^{x_B}
               ───── h_A ─────→
               ←──── h_B ─────
K_AB ← H(h_B^{x_A})                      K_BA ← H(h_A^{x_B})

K = H(g^{x_A x_B}) is a k-bit approximately uniformly random key.
Assuming n ≫ 2^k (e.g., n ≈ 2^256 and k = 128).
75/210
Security Proof
Balanced function f : {0, 1}^k → {0, 1}, if a priori Pr[f(u) = 0] = Pr[f(u) = 1] = 1/2 for u ∈R {0, 1}^k.
Intuition is to consider the “lucky” event L: “E queries H on input g^{x_A x_B}”.
If ¬L, then E has no advantage over guessing at random:
  Pr[E(h_A, h_B) = f(K) | ¬L] = 1/2
If L, then E might be successful, so use the trivial upper bound:
  Pr[E(h_A, h_B) = f(K) | L] ≤ 1
Hence:
  Pr[E(h_A, h_B) = f(K)]
  = Pr[E(h_A, h_B) = f(K) | L] Pr[L] + Pr[E(h_A, h_B) = f(K) | ¬L] Pr[¬L]
  ≤ Pr[L] + Pr[E(h_A, h_B) = f(K) | ¬L] Pr[¬L]
  = Pr[L] + (1/2)(1 − Pr[L])
  = 1/2 + (1/2) Pr[L].
76/210
Security Proof: Bounding Pr[L]
Event L: during the attack, E queries H on input g^{x_A x_B}.
We show that Pr[L] is negligible under the DH assumption.
Define p.p.t. algorithm E′, using p.p.t. E as a subroutine:
1. take h_A and h_B as inputs;
2. run E on these inputs, while recording all H queries made by E;
3. return an H query (made by E) at random.
Let t denote the total number of H queries. Then:
  Pr[E′(h_A, h_B) = g^{x_A x_B}] = Pr[L]/t  ⇔  Pr[L] = t · Pr[E′(h_A, h_B) = g^{x_A x_B}].
E is p.p.t. ⇒ t is polynomial
DH assumption ⇒ Pr[E′(h_A, h_B) = g^{x_A x_B}] is negligible
Hence, Pr[L] is negligible.
77/210
Exercise
Exercise 2.1.4
Extend the above analysis to the case that the a priori probabilities are given by Pr[f(u) = 0] = p_0 and Pr[f(u) = 1] = p_1 = 1 − p_0.
78/210
ElGamal Encryption
ElGamal cryptosystem, for security parameter k
Key generation. Pick group 〈g〉 of order n at random among “size” k groups. Pick private key x ∈R Z_n^*. Set public key as h = g^x.
Encryption. Given plaintext M ∈ 〈g〉 and public key h. The ciphertext is the pair (g^u, h^u M), where u ∈R Z_n.
Decryption. Given ciphertext (A, B), the plaintext is recovered as M = B/A^x, using private key x.
Semantically secure under the DDH assumption: ciphertext leaks no information.
ElGamal encryption ≃ Diffie-Hellman Key Exchange plus transfer of M

Party A                                          Party B
x_A ∈R Z_n^*                                     x_B ∈R Z_n
h_A ← g^{x_A}        ───── h_A ─────→            K_BA ← h_A^{x_B}
K_AB ← h_B^{x_A}     ←──── h_B ─────             h_B ← g^{x_B}
M ← c_B/K_AB         ←──── c_B ─────             c_B ← K_BA · M
79/210
Exercise
Exercise 2.1.5
Show how to break the ElGamal cryptosystem for 〈g〉 = Z_p^*, with p = 2p′ + 1, p, p′ both prime. Focus on the case that M ∈ {1, g}, and show how to recover M.
80/210
Practical ElGamal Encryption
Practical ElGamal cryptosystem, using cryptographic hash H : 〈g〉 → {0, 1}^k
Key generation. As above.
Encryption. Given plaintext M ∈ {0, 1}^k and public key h. The ciphertext is the pair (g^u, H(h^u) ⊕ M), where u ∈R Z_n.
Decryption. Given ciphertext (A, B), the plaintext is recovered as M = H(A^x) ⊕ B, using private key x.
Semantically secure under the DH assumption, in the Random Oracle model.
Connection with Hashed DH Key Exchange

Party A                                          Party B
x_A ∈R Z_n^*                                     x_B ∈R Z_n
h_A ← g^{x_A}        ───── h_A ─────→            K_BA ← h_A^{x_B}
K_AB ← h_B^{x_A}     ←──── h_B ─────             h_B ← g^{x_B}
M ← H(K_AB) ⊕ c_B    ←──── c_B ─────             c_B ← H(K_BA) ⊕ M
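The practical ElGamal cryptosystem and its connection with hashed DH key exchange, as an added example (not code from the lecture notes). It assumes a constructed toy prime-order group (p = 2039, n = 1019, g = 4) and instantiates H with SHA-256 over a fixed-width encoding of the group element; the membership check on the ciphertext component is an added defensive step.

```python
import hashlib
import secrets

# Constructed toy DL setting: p = 2039 = 2*1019 + 1 is a safe prime and G = 4 = 2^2 is a
# quadratic residue != 1, hence a generator of the subgroup QR_p of prime order n = 1019.
# Far too small for real use; a deployment takes a 2048-bit p or an elliptic curve.
P, N, G = 2039, 1019, 4
K_BYTES = 32  # k = 256: H outputs 256 bits (SHA-256)


def H(a):
    """H : <g> -> {0,1}^k, instantiated as SHA-256 over a fixed-width encoding of a."""
    return hashlib.sha256(a.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def keygen():
    """Private key x in_R Z_n^* (n prime, so any nonzero x); public key h = g^x."""
    x = 1 + secrets.randbelow(N - 1)
    return x, pow(G, x, P)


def in_group(a):
    """Membership test for <g>: 0 < a < p and a^n = 1. Rejects values outside the
    prime-order subgroup before the private key is applied to them."""
    return 0 < a < P and pow(a, N, P) == 1


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(h, m):
    """Practical ElGamal: (g^u, H(h^u) xor M) with u in_R Z_n and M a k-bit string."""
    assert len(m) == K_BYTES and in_group(h)
    u = secrets.randbelow(N)
    return pow(G, u, P), xor(H(pow(h, u, P)), m)


def decrypt(x, ct):
    """M = H(A^x) xor B for ciphertext (A, B)."""
    a, b = ct
    if not in_group(a) or len(b) != K_BYTES:
        raise ValueError("malformed ciphertext")
    return xor(H(pow(a, x, P)), b)


def hashed_dh_keys(x_a, x_b):
    """The slide's connection: with B's randomness u = x_B the ciphertext pad is the
    hashed DH key K = H(g^{x_A x_B}); returns (keys agree?, K_AB)."""
    h_a, h_b = pow(G, x_a, P), pow(G, x_b, P)
    k_ab = H(pow(h_b, x_a, P))
    k_ba = H(pow(h_a, x_b, P))
    return k_ab == k_ba, k_ab


def roundtrip(m):
    """Fresh key pair, encrypt, decrypt; returns the recovered plaintext."""
    x, h = keygen()
    return decrypt(x, encrypt(h, m))
```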
81/210
2 Key Exchange Protocols
2.1 Diffie-Hellman Key Exchange · 2.2 Authenticated Key Exchange
2.2.1 Man-in-the-Middle Attacks · 2.2.2 A Protocol Using Digital Signatures · 2.2.3 A Protocol Using Password-Based Encryption
Man-in-the-Middle Attacks
Active attacker may impersonate your protocol partner.
Classic man-in-the-middle attack
Party A                  Attacker E                               Party B
x_A ∈R Z_n^*             x′_A, x′_B ∈R Z_n^*                      x_B ∈R Z_n^*
h_A ← g^{x_A}            h′_A, h′_B ← g^{x′_A}, g^{x′_B}           h_B ← g^{x_B}
         ─── h_A ───→                    ─── h′_A ───→
         ←── h′_B ───                    ←── h_B ───
K_AE ← h′_B^{x_A}        K_AE, K_EB ← h_A^{x′_B}, h_B^{x′_A}       K_EB ← h′_A^{x_B}

Man-in-the-middle E: session key K_AE with A, session key K_EB with B, access to all traffic in clear between A and B; can also modify things.
82/210
Man-in-the-Middle Attacks
Arbitrary man-in-the-middle attacks
Party A                  Attacker E                               Party B
x_A ∈R Z_n^*                                                      x_B ∈R Z_n^*
h_A ← g^{x_A}            h′_A, h′_B ← …, …                         h_B ← g^{x_B}
         ─── h_A ───→                    ─── h′_A ───→
         ←── h′_B ───                    ←── h_B ───
K_AE ← h′_B^{x_A}                                                 K_EB ← h′_A^{x_B}

           h′_A         h′_B         K_AE              K_EB
Attack 0   1            1            1                 1
Attack 1   g            g            g^{x_A}           g^{x_B}
Attack 2   g^{x′_A}     g^{x′_B}     g^{x_A x′_B}      g^{x′_A x_B}
Attack 3   h_A g^u      h_B          g^{x_A x_B}       g^{(x_A+u) x_B}
Attack 4   1/h_A        1/h_B        g^{−x_A x_B}      g^{−x_A x_B}
83/210
Signature-Based Authenticated Key Exchange
(pk_A, sk_A) key pair of party A
(pk_B, sk_B) key pair of party B
S signature generation algorithm
V signature verification algorithm

Party A                                              Party B
x_A ∈R Z_n^*                                         x_B ∈R Z_n^*
h_A ← g^{x_A}                                        h_B ← g^{x_B}
s_A ← S_{sk_A}(h_A, B)      ───── h_A, s_A ─────→
                            ←──── h_B, s_B ─────     s_B ← S_{sk_B}(h_A, h_B, A)
V_{pk_B}(s_B, (h_A, h_B, A))?                        V_{pk_A}(s_A, (h_A, B))?
K_AB ← h_B^{x_A}                                     K_BA ← h_A^{x_B}

Secure under the DDH assumption, assuming the digital signature scheme is secure (against adaptive chosen-message attack).
Use of digital signatures is somewhat costly.
84/210
Password-Based Authenticated Key Exchange
w ∈ {0, 1}^* password known to A and B only
E, D : {0, 1}^* × 〈g〉 → 〈g〉 symmetric encryption/decryption algorithms

Party A                                  Party B
x_A ∈R Z_n^*                             x_B ∈R Z_n^*
h_A ← g^{x_A}                            h_B ← g^{x_B}
c_A ← E_w(h_A)                           c_B ← E_w(h_B)
               ───── c_A ─────→
               ←──── c_B ─────
K_AB ← (D_w(c_B))^{x_A}                  K_BA ← (D_w(c_A))^{x_B}

Then K_AB = K_BA = g^{x_A x_B}.
Passive attacker sees E_w(h_A) and E_w(h_B). No information on w, since h_A and h_B are random and unknown to the attacker. But, use of K in the ensuing session may reveal information on K, hence on w.
Active attacker may try w′ by sending E_{w′}(h_A) on behalf of A. When the session succeeds, w′ is correct. The best the attacker can do is try passwords one at a time. No off-line dictionary attack.
85/210
Figure 2.1 (Three-pass encryption?)
Party A                  Protocol I                  Party B
x_A ∈R Z_n^*
h_A ← M^{x_A}            ───── h_A ─────→            x_B ∈R Z_n^*
                         ←──── h_AB ─────            h_AB ← h_A^{x_B}
h_B ← h_AB^{1/x_A}       ───── h_B ─────→            M′ ← h_B^{1/x_B}

Party A                  Protocol II                 Party B
b_A ∈R {0, 1}
c_A ← b ⊕ b_A            ───── c_A ─────→            b_B ∈R {0, 1}
                         ←──── c_AB ─────            c_AB ← c_A ⊕ b_B
c_B ← c_AB ⊕ b_A         ───── c_B ─────→            b′ ← c_B ⊕ b_B

Exercise 2.2.1
Consider protocols I and II for sending plaintexts M ∈ 〈g〉^* and b ∈ {0, 1} securely from A to B over an insecure channel. The object of both protocols is that the plaintexts remain completely hidden from parties other than A and B, and that the plaintexts cannot be modified by parties other than A or B.
Verify that M′ = M and b′ = b if A and B follow protocols I and II, resp. Next, determine for protocol I whether it is secure against passive attacks, and whether it is secure against active attacks. If secure, describe the relevant computational assumption (if any); if insecure, show an attack. Do the same for protocol II.
86/210
3 Commitment Schemes
3.1 Definitions · 3.2 Examples · 3.3 Homomorphic Commitments
Commitments
Party A                                              Party B
Commit phase:
Put message in commitment. Keep key.   ────────────→   Commitment stored for later.
Reveal phase:
                                        ────────────→   Check message in commitment.
87/210
Coin Flipping by Telephone
Mutually random bit?
Party A                                  Party B
b_A ∈R {0, 1}      ───── b_A ─────→
                   ←──── b_B ─────       b_B ∈R {0, 1}
b ← b_A ⊕ b_B                            b ← b_A ⊕ b_B

Protocol flaw:
Party B can set b_B = b_A ⊕ b^* for a bit value b^* of its liking.
Insider attack! By your protocol partner.
88/210
Coin Flipping by Telephone
Use commitments.
Mutually random bit!
Party A                                        Party B
b_A ∈R {0, 1}      ──── “commit to b_A” ────→
                   ←──────── b_B ────────      b_B ∈R {0, 1}
                   ──── “reveal b_A” ─────→
b ← b_A ⊕ b_B                                  b ← b_A ⊕ b_B

If A or B is honest, bit b is distributed uniformly at random, provided:
the commitment hides b_A from party B;
the commitment binds party A to b_A (no change possible).
89/210
Asymmetric functionality.
Definition 3.1 (Commitment schemes)
Let commit : {0, 1}^k × {0, 1}^* → {0, 1}^* be a deterministic polynomial time algorithm. Noninteractive commitment scheme between sender and receiver:
Commit Phase. Protocol in which the sender commits to x ∈ {0, 1}^* by computing C = commit(u, x) with u ∈R {0, 1}^k, and sending C to the receiver. The receiver stores C for later use.
Reveal Phase. Protocol in which the sender opens commitment C = commit(u, x) by sending u and x to the receiver. The receiver computes commit(u, x) and verifies equality to C.
Security for sender: commit(u, x) should not leak information on x.
Let X = {commit(u, 0) : u ∈R {0, 1}^k}, Y = {commit(u, 1) : u ∈R {0, 1}^k}.
Computationally hiding: X and Y computationally indistinguishable.
Information-theoretically hiding: X and Y statistically indistinguishable.
Security for receiver: commit(u, x) can be opened in one way only.
Computationally binding: adversary restricted to p.p.t. algorithm.
Information-theoretically binding: adversary unlimitedly powerful.
90/210
3 Commitment Schemes
3.1 Definitions · 3.2 Examples · 3.3 Homomorphic Commitments
3.2.1 Using a Cryptographic Hash Function · 3.2.2 Using a Discrete Log Setting · 3.2.3 Impossibility Result
Given cryptographic hash function H.
Hash-based bit commitment scheme
commit0(u, x) = H(u ‖ x), u ∈R {0, 1}^k
Computationally binding:
Implied by collision resistance: H(u ‖ x) = H(u′ ‖ 1 − x) is a collision.
Hence, also binding in the random oracle model.
Computationally hiding:
Preimage resistance necessary but not sufficient: H(u ‖ x) might leak partial information on input u, x (see also Exercise 1.3.10 on partial preimage resistance).
Hiding in the random oracle model: H(u ‖ x) is uniformly random and independent of x.
91/210
Two Complementary Schemes
DL setting: generators g, h such that nobody knows log_g h.
Pedersen’s bit commitment scheme
  commit1(u, x) = g^u h^x, u ∈R Z_n
Computationally binding under the DL assumption:
  commit1(u, x) = commit1(u′, 1 − x) ⇔ g^u h^x = g^{u′} h^{1−x} ⇔ log_g h = (u − u′)/(1 − 2x)
Information-theoretically hiding: g^u h^x is statistically independent of x.
ElGamal-based bit commitment scheme
  commit2(u, x) = (g^u, h^{u+x}), u ∈R Z_n
Information-theoretically binding:
  commit2(u, x) = commit2(u′, 1 − x) ⇔ (g^u, h^{u+x}) = (g^{u′}, h^{u′+1−x}) ⇔ false
Computationally hiding under the DDH assumption (DL assumption not sufficient).
92/210
Exercises
Exercise 3.2.1
Analyze the security properties of commit1 and commit2 for the case that x ∈ Z_n.
Exercise 3.2.2
What happens if the receiver knows log_g h in scheme commit1? Same question for scheme commit2.
Exercise 3.2.3
Discuss the security of the following commitment scheme for values x ∈ 〈g〉:
  commit(u, x) = g^u x,
where u ∈R Z_n. Is it binding? Is it hiding?
93/210
                                      binding                  hiding
commit0(u, x) = H(u ‖ x)              computational            computational
commit1(u, x) = g^u h^x               computational            information-theoretic
commit2(u, x) = (g^u, h^{u+x})        information-theoretic    computational
commit3(u, x) = impossible            information-theoretic    information-theoretic

Consider any bit commitment scheme commit3.
Assume commit3 is information-theoretically binding.
Then no u, u′ exist s.t. commit3(u, 0) = commit3(u′, 1), otherwise an unlimitedly powerful sender would find u, u′ (by exhausting the finite set of possibilities).
But, if the sender commits to 0, say, using C = commit3(u, 0) for some u, an unlimitedly powerful receiver notices that no u′ exists s.t. C = commit3(u′, 1) (by exhausting the finite set of possibilities).
Hence the receiver knows that the committed value must be 0.
So, commit3 is not information-theoretically hiding.
94/210
Homomorphic Commitments
Recall: homomorphic mapping preserves algebraic structure.
Example (Pedersen’s commitment scheme)
commit1(u, x) = g^u h^x, u ∈R Z_n and x ∈ Z_n, is additively homomorphic:
  commit1(u, x) · commit1(u′, x′) = commit1(u + u′, x + x′).
Multiplication on the left-hand side is in 〈g〉. Additions on the right-hand side are in Z_n; x + x′ is the sum of the committed values.
Exercise 3.3.1 (see Exercise 1.3.8)
The Quadratic Residuosity (QR) assumption states that the QR problem is hard. Let y ∈ J_N denote a quadratic nonresidue modulo N. Consider the following bit commitment scheme:
  commit(u, x) = u^2 y^x mod N,
where u ∈R Z_N^* and x ∈ {0, 1}. In what sense is the scheme binding? In what sense is the scheme hiding? In what sense is the scheme homomorphic?
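Pedersen’s scheme commit1 with the homomorphic property above, the binding argument of Section 3.2.2 (two openings give log_g h), and the coin-flipping-by-telephone protocol of Section 3.1 run on top of it, as an added example (not code from the lecture notes). It assumes a constructed toy prime-order group (p = 2039, n = 1019, g = 4); the trapdoor t = log_g h is kept only to check the reduction and to show why the receiver must not know it (Exercise 3.2.2).

```python
import secrets

# Constructed toy group: p = 2039 is a safe prime and G = 4 generates the subgroup
# QR_p of prime order N = 1019. Far too small for real use.
P, N, G = 2039, 1019, 4


def setup(trapdoor=None):
    """Second generator h = g^t. In a real setup nobody may know t (e.g. h is derived
    by hashing to the group); here t is returned only to exercise the reduction."""
    t = 1 + secrets.randbelow(N - 1) if trapdoor is None else trapdoor
    return pow(G, t, P), t


def commit(h, x, u=None):
    """Pedersen: commit1(u, x) = g^u h^x with u in_R Z_n, x in Z_n. Returns (C, u)."""
    u = secrets.randbelow(N) if u is None else u
    return pow(G, u, P) * pow(h, x % N, P) % P, u


def verify(h, c, u, x):
    """Reveal phase: the receiver recomputes commit(u, x) and compares it with C."""
    return c == pow(G, u % N, P) * pow(h, x % N, P) % P


def add(c1, c2):
    """Homomorphism: commit1(u, x) * commit1(u', x') = commit1(u + u', x + x')."""
    return c1 * c2 % P


def extract_dlog(u1, x1, u2, x2):
    """Binding reduction: two openings (u, x) != (u', x') of one C give
    g^{u-u'} = h^{x'-x}, hence log_g h = (u - u') / (x' - x) mod n."""
    return (u1 - u2) * pow((x2 - x1) % N, -1, N) % N


def equivocate(t, u, x, x_new):
    """What a sender knowing t = log_g h can do: open C = g^u h^x as x_new with
    u_new = u + t (x - x_new). This is exactly why nobody may know log_g h."""
    return (u + t * (x - x_new)) % N


def coin_flip(h):
    """Coin flipping by telephone: A commits to b_A, B sends b_B without having seen
    b_A, A reveals, B checks the opening; both output b = b_A xor b_B."""
    b_a = secrets.randbelow(2)
    c, u = commit(h, b_a)           # A -> B: "commit to b_A"
    b_b = secrets.randbelow(2)      # B -> A: b_B
    if not verify(h, c, u, b_a):    # A -> B: "reveal b_A"; B verifies
        raise ValueError("opening rejected")
    return b_a ^ b_b
```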
95/210
4 Identification Protocols
4.1 Definitions · 4.2 Password-Based Schemes · 4.3 One-Way Hash Chains · 4.4 Basic Challenge-Response Protocols · 4.5 Zero-Knowledge Identification Protocols · 4.6 Witness Hiding Identification Protocols
Identification protocol: two-party protocol to let verifier V get convinced that prover P is as claimed.
Examples: secure login, secured room.
Identification protocols may be based on (combinations of):
What you are. Biometrics, such as fingerprints, iris scans, etc.
What you have. Smart cards, SIM cards, or similar hardware tokens.
What you know. Passwords, PIN codes, secret keys.
Our focus: purely cryptographic identification protocols, using secret keys.
Identification ≠ message authentication
Identification ≠ digital signatures
Identification ≠ authenticated key exchange
96/210
Identification Scheme
Registration protocol: once, to set up a shared secret key or a public key pair.
Identification protocol: many runs, should withstand impersonation attacks.
Passive attacks: eavesdropping, key only
Active attacks: guessing, cheating verifier, man-in-the-middle
Cheating verifier impersonation attack
1. Attacker runs the protocol (many times) as cheating V^* with honest P;
2. attacker runs the protocol as cheating P^* with honest V.
97/210
Password: usually a human-memorable string x.
Registration (over secure channel)
Prover P                       Verifier V
           ───── x ─────→      store x
Identification
Prover P                       Verifier V
           ───── x ─────→      check x
No security against eavesdropping attacks.
98/210
Lamport’s Identification Scheme
Hash chain with x_{i+1} = H(x_i) for cryptographic hash function H:
  x_0 ─H→ x_1 ─H→ x_2 ─H→ … ─H→ x_{ℓ−2} ─H→ x_{ℓ−1} ─H→ x_ℓ
Registration (over secure channel)
Prover P                                  Verifier V
x_0 ∈R {0, 1}^k
x_ℓ ← H^ℓ(x_0)          ───── x_ℓ ─────→  v ← x_ℓ
Identification, i-th run (i = 1, …, ℓ)
Prover P                                  Verifier V
x_{ℓ−i} ← H^{ℓ−i}(x_0)  ──── x_{ℓ−i} ───→  v ?= H(x_{ℓ−i})
                                          v ← x_{ℓ−i}
Value v stored by the verifier is not secret (but should be authentic).
Key-only attack: in random oracle model.
Eavesdropping attack: infeasible, as x_{ℓ−i} does not help the attacker in succeeding in subsequent runs of the identification protocol.
99/210
Ultra Long Hash Chains
A hash chain of length ℓ allows for ℓ runs of the identification protocol.
Suppose a smart card must support a maximum of ℓ = 2^32 runs.
Direct computation of H^{ℓ−i}(x_0) impedes fast identification.
Remark 4.1 (Pebbling algorithms)

Prover                               space       time
storing only x_0                     O(1)        O(ℓ)
storing all of x_0, …, x_{ℓ−i}       O(ℓ)        O(1)
pebbling                             O(log ℓ)    O(log ℓ)

Each pebble stores one value x_i of the hash chain.
Initial positions of pebbles •, for ℓ = 16: • · · · · · · · • · · · • · • • ·
Operations on pebbles:
clone: create a new pebble at the same position;
move: one position to the right (using one application of H).
See www.win.tue.nl/˜berry/pebbling/ for optimal pebbling (incl. sample code).
100/210
Pebbling Algorithm Visualization
Simple pebbling at speed 1, e.g., for ℓ = 16:
[table: pebble positions on x_0 … x_15 at each of the 16 steps, with the output column x_15, x_14, …, x_0; the pebble layout did not survive extraction]
101/210
Pebbling Algorithm Visualization
Space-efficient pebbling at speed 2, e.g., for ℓ = 16:
[table: pebble positions on x_0 … x_15 at each of the 16 steps, with the output column x_15, x_14, …, x_0; the pebble layout did not survive extraction]
102/210
4 Identification Protocols
4.1 Definitions · 4.2 Password-Based Schemes · 4.3 One-Way Hash Chains · 4.4 Basic Challenge-Response Protocols · 4.5 Zero-Knowledge Identification Protocols · 4.6 Witness Hiding Identification Protocols
4.4.1 Using Symmetric Encryption · 4.4.2 Using Symmetric Authentication · 4.4.3 Using Asymmetric Encryption · 4.4.4 Using Asymmetric Authentication
Figure 4.1 (Four basic challenge-response protocols)
(a)  Prover                        Verifier
                                   c ∈R {0, 1}^k
                    ←──── c ────
     r ← E_K(c)     ──── r ────→
                                   c ?= D_K(r)

(b)  Prover                        Verifier
                                   c ∈R {0, 1}^k
                    ←──── c ────
     r ← H(K ‖ c)   ──── r ────→
                                   r ?= H(K ‖ c)

(c)  Prover                        Verifier
                                   M ∈R {0, 1}^k
                    ←──── c ────   c ← E_pk(M)
     r ← D_sk(c)    ──── r ────→
                                   r ?= M

(d)  Prover                        Verifier
                                   c ∈R {0, 1}^k
                    ←──── c ────
     r ← S_sk(c)    ──── r ────→
                                   V_pk(r, c)?
103/210
Basic challenge-response protocol (a)
Prover                        Verifier
                              c ∈R {0, 1}^k
               ←──── c ────
r ← E_K(c)     ──── r ────→
                              c ?= D_K(r)

Exercise 4.4.1
Consider the alternative protocol in which the verifier challenges the prover with c = E_K(M), where M ∈R {0, 1}^k, and for which the prover is supposed to produce response r = M. Discuss eavesdropping attacks and cheating verifier attacks for this protocol.
104/210
Basic challenge-response protocol (b)

  Prover                      Verifier
                  ◀── c ──    c ∈_R {0,1}^k
  r ← H(K ‖ c)    ── r ──▶    r ?= H(K ‖ c)
Basic challenge-response protocol (c)

  Prover                      Verifier
                              M ∈_R {0,1}^k
                  ◀── c ──    c ← E_pk(M)
  r ← D_sk(c)     ── r ──▶    r ?= M
Basic challenge-response protocol (d)

  Prover                      Verifier
                  ◀── c ──    c ∈_R {0,1}^k
  r ← S_sk(c)     ── r ──▶    V_pk(r, c)?
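The following is an added example, not code from the lecture notes: a runnable version of protocol (b), with H(K ‖ c) instantiated as HMAC-SHA256 (an instantiation chosen here, not prescribed by the slides). The key K and the challenge length are constructed for this example. Besides the honest run it exercises the two attacks a practitioner checks for: replaying an eavesdropped conversation (c, r), and answering a fresh challenge without K. The verifier only accepts a response to a challenge it generated itself and has not yet consumed, so a recorded (c, r) is worthless later.

```python
import hmac
import hashlib
import secrets

# Toy long-term shared key K, constructed for this example (in practice a
# randomly generated key provisioned out of band).
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
CHALLENGE_BYTES = 16  # k = 128-bit challenges


def prover_response(key: bytes, c: bytes) -> bytes:
    """Protocol (b): r = H(K || c), here HMAC-SHA256 keyed with K."""
    return hmac.new(key, c, hashlib.sha256).digest()


class Verifier:
    """Verifier for protocol (b): issues fresh random challenges and accepts a
    response only for a challenge it issued itself and has not consumed yet."""

    def __init__(self, key: bytes, rng=secrets.token_bytes):
        self.key = key
        self.rng = rng
        self.outstanding = set()  # challenges sent but not yet answered

    def challenge(self) -> bytes:
        c = self.rng(CHALLENGE_BYTES)
        self.outstanding.add(c)
        return c

    def verify(self, c: bytes, r: bytes) -> bool:
        if c not in self.outstanding:  # unknown or already used challenge
            return False
        self.outstanding.discard(c)    # each challenge is single use
        expected = hmac.new(self.key, c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, r)  # constant-time comparison


def honest_run(v: Verifier) -> bool:
    c = v.challenge()
    r = prover_response(K, c)
    return v.verify(c, r)


def replay_attack(v: Verifier) -> bool:
    """Eavesdropper records one conversation (c, r) and replays it later."""
    c = v.challenge()
    r = prover_response(K, c)
    assert v.verify(c, r)  # the genuine run is accepted
    return v.verify(c, r)  # the replay is rejected: returns False


def guessing_attack(v: Verifier) -> bool:
    """Impersonator without K answers a fresh challenge with a random string."""
    c = v.challenge()
    return v.verify(c, secrets.token_bytes(32))
```

Note that the verifier keeps no long-lived state beyond the set of outstanding challenges; the freshness of c is what makes eavesdropped conversations useless, so a verifier that reused challenges (or accepted challenges it never issued) would lose exactly that guarantee.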
4.5 Zero-Knowledge Identification Protocols
  4.5.1 Schnorr Zero-Knowledge Protocol
  4.5.2 Schnorr Protocol
  4.5.3 Guillou-Quisquater Protocol

Where's Waldo?
(Illustration of zero-knowledge: convince someone that you have found Waldo without revealing where he is. The original slide links to a PowerPoint slide show.)
Zero-knowledge Identification Scheme

Registration. P generates a public key pair, keeps the private key to itself, and gives the public key to V.
Identification. P engages in a zero-knowledge proof to convince V of knowledge of the private key.

Soundness property (security for V): cheating P* not knowing the private key does not succeed in convincing V.
Zero-knowledge property (security for P): cheating V* does not learn anything useful about the private key from interacting with P.
Discrete log setting ⟨g⟩ (group of prime order n generated by g).
Prover registered public key h, and knows private key x satisfying h = g^x.

Figure 4.2 (Schnorr's zero-knowledge protocol)

  Prover (x = log_g h)                         Verifier
  u ∈_R Z_n; a ← g^u
                              ── a ──▶
                              ◀── c ──         c ∈_R {0, 1}
  r ←_n u       (if c = 0)
  r ←_n u + x   (if c = 1)
                              ── r ──▶         g^r ?= a    (if c = 0)
                                               g^r ?= ah   (if c = 1)
Soundness

Only prover P knowing private key x = log_g h succeeds.

Without knowledge of x, cheating prover P* can do one of the following:
  Either, prepare for c = 0 by setting a = g^u and using response r = u.
  Or, prepare for c = 1 by setting a = g^u / h and using response r = u.
Verification g^r = a h^c holds in both cases.

50% success probability for P*.
But P* cannot do better than 50%!
Soundness

Suppose P* can answer both challenges c = 0 and c = 1 correctly, after sending announcement a to V.
Hence P* can compute responses r0 and r1 such that:
  g^{r0} = a,   g^{r1} = ah.
This implies
  h = g^{r1 − r0}.
But then P* actually knows x, since x = r1 − r0 mod n holds!

In other words, private key x can be extracted from two correct responses r0 and r1 to two different challenges c = 0 and c = 1 for the same announcement a.
Zero-Knowledge
Cheating verifier V∗ may run protocol (polynomially) many times with P,to obtain conversations (a; c; r).
Simulation paradigmV∗ can efficiently generate (simulate) these conversations on its own,given only public key h—and no access to prover P who knows x = logg h.
Identification protocol is zero-knowledge if simulator S exists which, given publickey h, generates conversations indistinguishable from conversations of real protocolruns between P and V∗.
Usually, simulator S is using V∗ only as a rewindable black-box.(I.e., usually, no need for S to know how V∗ operates internally.)
Simulation Paradigm

[Diagram: left, prover P (inputs x and h) interacting with V* (input h); right, simulator S^{V*} (input h only) interacting with V* (input h).]

V* cannot distinguish between protocol with P and protocol with S^{V*}
⇒ protocol is zero-knowledge w.r.t. private key x
Simulation of Schnorr's Protocol

Real conversations
Input: private key x
Output: conversation (a; c; r)
  1  u ∈_R Z_n
  2  a ← g^u
  3  c ∈_R {0, 1}
  4  r ←_n u + cx
  5  output (a; c; r)

Simulated conversations
Input: public key h
Output: conversation (a; c; r)
  1  c ∈_R {0, 1}
  2  r ∈_R Z_n
  3  a ← g^r h^{−c}
  4  output (a; c; r)

All real and simulated conversations (a; c; r) are accepting, as g^r = a h^c holds.
Why Are These Distributions Identical?

Consider fixed key pair (h; x).

For fixed c, 1-to-1 correspondence between u = log_g a in real conversations and r in simulated conversations, as r = u + cx holds in both cases.

Each accepting conversation (a; c; r) occurs with probability 1/(2n) in both cases.

More precisely, let (A; C; R) be any accepting conversation, hence g^R = A h^C. For simulated conversations:
  Pr[(a; c; r) = (A; C; R)] = Pr[a = A, c = C, r = R]
                            = Pr[g^r h^{−c} = g^R h^{−C}, c = C, r = R]
                            = Pr[c = C, r = R]
                            = Pr[c = C] · Pr[r = R]
                            = (1/2) · (1/n) = 1/(2n).
Passive Impersonation Attacks

Security against passive impersonation attacks extends to any eavesdropper.

Remark 4.2
Honest-verifier zero-knowledge reduces any passive impersonation attack to a key-only attack: eavesdropping conversations does not yield anything about the prover's private key beyond what can be deduced from the corresponding public key.

Eavesdropped conversations (a; c; r) for honest runs of Schnorr's protocol can be simulated as well given public key h only.

But, eavesdropper may learn something new!
From a single conversation (a; c; r) with c ≠ 0, eavesdropper may recover prover's public key as h = (g^r / a)^{1/c}
(thus, potentially establishing prover's identity).
Simulation of Schnorr's Protocol

Recall V* is a p.p.t. algorithm (Turing machine).
Rewinding V*: going back to a previous configuration (configuration = state + tape contents + position of read/write heads).

Real conversations
Input: private key x
Output: conversation (a; c; r)
  1  u ∈_R Z_n
  2  a ← g^u
  3  send a to V*
  4  receive c ∈ {0, 1} from V*
  5  r ←_n u + cx
  6  output (a; c; r)

Simulated conversations
Input: public key h
Output: conversation (a; c; r)
  1  c ∈_R {0, 1}
  2  r ∈_R Z_n
  3  a ← g^r h^{−c}
  4  send a to V*
  5  receive c′ ∈ {0, 1} from V*
  6  if c ≠ c′, rewind V* to the point prior to receiving a and go to step 1
  7  output (a; c; r)

Sequential iterations can be simulated as well.
Cheating probability 1/2^k for k iterations.
Figure 4.3 (Schnorr's identification protocol)

  Prover (x = log_g h)                         Verifier
  u ∈_R Z_n; a ← g^u
                              ── a ──▶
                              ◀── c ──         c ∈_R Z_n
  r ←_n u + cx
                              ── r ──▶         g^r ?= a h^c

Soundness: cheating probability down to 1/|Z_n| = 1/n.
Zero-knowledge: only for honest verifier V.
Identical distributions of real/simulated conversations:
  {(a; c; r) : u, c ∈_R Z_n; a ← g^u; r ←_n u + cx},
  {(a; c; r) : c, r ∈_R Z_n; a ← g^r h^{−c}}.
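The following is an added example, not code from the lecture notes. It implements Schnorr's protocol for both challenge spaces discussed above ({0,1} in Figure 4.2 and Z_n in Figure 4.3) in a toy group constructed for this example: p = 2039 = 2·1019 + 1, n = 1019, and g = 4 generating the order-n subgroup of Z_p^* (a real deployment uses a ~256-bit prime-order group; the arithmetic is identical). Besides honest prover and verifier it contains the one-shot cheating prover of the soundness slide (prepares for a guessed challenge, succeeds with probability 1/|C|), the extractor that recovers x from two accepting conversations with the same announcement, the honest-verifier simulator, and the eavesdropper's recovery of h from one conversation with c ≠ 0.

```python
import secrets

# Toy discrete-log setting, constructed for this example (not from the slides).
p, n, g = 2039, 1019, 4   # p = 2n + 1, n prime, g = 4 has order n in Z_p^*


def keygen(rng=secrets.randbelow):
    x = rng(n)                       # private key x in Z_n
    return pow(g, x, p), x           # (h, x) with h = g^x


def prover_announce(rng=secrets.randbelow):
    u = rng(n)
    return pow(g, u, p), u           # (a, u) with a = g^u


def prover_respond(u, x, c):
    return (u + c * x) % n           # r = u + c x mod n


def verify(h, a, c, r):
    return pow(g, r, p) == a * pow(h, c, p) % p


def cheating_prover(h, guess, rng=secrets.randbelow):
    """Prover without x prepares for one challenge value `guess`:
    a = g^u h^{-guess}, response r = u; verification passes iff c = guess."""
    u = rng(n)
    a = pow(g, u, p) * pow(h, -guess, p) % p
    return a, u


def extract(a, c1, r1, c2, r2):
    """Special soundness: two accepting conversations with the same a and
    c1 != c2 give x = (r1 - r2) / (c1 - c2) mod n."""
    return (r1 - r2) * pow((c1 - c2) % n, -1, n) % n


def simulate(h, c, rng=secrets.randbelow):
    """Honest-verifier simulator: choose r first, then solve for a."""
    r = rng(n)
    a = pow(g, r, p) * pow(h, -c, p) % p
    return a, c, r


def eavesdropper_recovers_h(a, c, r):
    """From a single conversation with c != 0: h = (g^r / a)^{1/c}."""
    base = pow(g, r, p) * pow(a, -1, p) % p
    return pow(base, pow(c, -1, n), p)


def cheating_success_rate(h, challenge_size, trials=2000):
    """Empirical success of the one-shot cheating prover against uniform
    challenges in {0, ..., challenge_size - 1}: about 1 / challenge_size."""
    wins = 0
    for _ in range(trials):
        guess = secrets.randbelow(challenge_size)
        a, u = cheating_prover(h, guess)
        c = secrets.randbelow(challenge_size)
        wins += verify(h, a, c, u)
    return wins / trials
```

`cheating_success_rate(h, 2)` lands near 0.5 and `cheating_success_rate(h, n)` near 1/n, which is the whole difference between Figures 4.2 and 4.3 in one number; `extract` is exactly the step that shows a prover answering two distinct challenges for one announcement must know x.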
RSA setting: RSA modulus N, public exponent e a large prime.
Prover registered public key y, and knows private key x s.t. y = x^e mod N.

Figure 4.4 (Guillou-Quisquater's identification protocol)

  Prover (x = y^{1/e} mod N)                   Verifier
  u ∈_R Z_N^*; a ←_N u^e
                              ── a ──▶
                              ◀── c ──         c ∈_R Z_e
  r ←_N u x^c
                              ── r ──▶         r^e ?=_N a y^c

Soundness: cheating probability 1/|Z_e| = 1/e.
Zero-knowledge: only for honest verifier V.
Identical distributions of real/simulated conversations:
  {(a; c; r) : u ∈_R Z_N^*; c ∈_R Z_e; a ←_N u^e; r ←_N u x^c},
  {(a; c; r) : c ∈_R Z_e; r ∈_R Z_N^*; a ←_N r^e y^{−c}}.
Soundness of Guillou-Quisquater's Protocol

Assume prover able to produce accepting (a; c; r), (a; c′; r′), with c ≠ c′. Then (modulo N):
  r^e = a y^c,   r′^e = a y^{c′}
  ⇒ (r/r′)^e = y^{c − c′}

1st attempt: rewrite as y = (r/r′)^{e/(c − c′)}.
But inversion of c − c′ modulo φ(N) cannot be computed efficiently, as φ(N) is not known. Moreover, the inverse of c − c′ modulo φ(N) need not even exist.

2nd attempt: gcd(e, c − c′) = 1, since e is prime and c, c′ ∈ Z_e, c ≠ c′.
Extended Euclidean algorithm yields s, t ∈ Z satisfying se + t(c − c′) = 1.
Raise both sides to power t:
  (r/r′)^{te} = y^{t(c − c′)} = y^{1 − se}
  ⇒ y = (y^s (r/r′)^t)^e

Private key x ←_N y^s (r/r′)^t thus known to prover.
Identity-Based Identification Scheme

Remark 4.3
Prover does not need to know the factorization of N. Therefore, users may share the same modulus N.

Identity-based identification scheme: public keys determined by users' identities.

Set user A's public key as y_A = H(ID_A), where ID_A may consist of the user's name and/or email address.

Trusted third party T required to compute the private key of each user.
Only T needs to know the factorization of N: to compute user A's private key as x_A = H(ID_A)^{1/e} mod N.

Advantage: public keys need not be certified by a digital signature from T.
Disadvantage: T knows the private key of every user; problem may be alleviated by distributing the role of T between many parties, using threshold cryptography.
4.6.1 Okamoto Protocol
Witness Hiding vs Zero-Knowledge

Schnorr's identification protocol:
  1 iteration with c ∈_R Z_n: efficient, but only honest-verifier zero-knowledge
  k iterations with c ∈_R {0, 1}: zero-knowledge, but not efficient

Witness hiding protocols: strike a balance between security and efficiency.

Identification protocol is witness hiding if a cheating verifier is not able to obtain the prover's complete private key.

Witness hiding protocol is not necessarily zero-knowledge: cheating verifier may be able to extract some partial information on the private key, but not sufficient for successful impersonation of the prover.
Private key (x1, x2) satisfies h = g1^{x1} g2^{x2} for public key h.

Figure 4.5 (Okamoto's identification protocol)

  Prover (h = g1^{x1} g2^{x2})                 Verifier
  u1, u2 ∈_R Z_n; a ← g1^{u1} g2^{u2}
                              ── a ──▶
                              ◀── c ──         c ∈_R Z_n
  r1 ←_n u1 + c x1
  r2 ←_n u2 + c x2
                           ── r1, r2 ──▶       g1^{r1} g2^{r2} ?= a h^c

Assume log_{g1} g2 not known to anybody (cf. Pedersen commitments).
Okamoto's protocol is witness hiding: cheating verifier V* cannot find "witness" (x1, x2).

Note: not excluded that V* can find partial information on (x1, x2)!
Witness Indistinguishability

[Diagram: left, prover P_{x1,x2} (inputs witness x = (x1, x2) and h) interacting with V* (input h); right, prover P_{x′1,x′2} (inputs witness x′ = (x′1, x′2) and h) interacting with V* (input h).]

V* cannot distinguish between protocol with P_{x1,x2} and protocol with P_{x′1,x′2}
⇒ protocol is witness indistinguishable
Witness Indistinguishability of Okamoto's Protocol

Consider conversation (a; c; r1, r2) between P_{x1,x2} and V*, where a = g1^{u1} g2^{u2}.
Let (x′1, x′2) be any witness satisfying h = g1^{x′1} g2^{x′2}.
Then unique u′1, u′2 exist that yield the same conversation (a; c; r1, r2) for P_{x′1,x′2}:
  u′1, u′2 ←_n u1 + c(x1 − x′1), u2 + c(x2 − x′2)

Indeed:
  a′ = g1^{u′1} g2^{u′2} = g1^{u1} g2^{u2} (g1^{x1} g2^{x2})^c / (g1^{x′1} g2^{x′2})^c = a
  r′1 = u′1 + c x′1 = u1 + c(x1 − x′1) + c x′1 = r1
  r′2 = u′2 + c x′2 = u2 + c(x2 − x′2) + c x′2 = r2

Perfect witness indistinguishability as conversations with P_{x1,x2} and conversations with P_{x′1,x′2} are distributed identically:
  {(a; c; r1, r2) : u1, u2 ∈_R Z_n; a ← g1^{u1} g2^{u2}; c ← V*(a); r1, r2 ←_n u1 + c x1, u2 + c x2}
  {(a; c; r1, r2) : u′1, u′2 ∈_R Z_n; a ← g1^{u′1} g2^{u′2}; c ← V*(a); r1, r2 ←_n u′1 + c x′1, u′2 + c x′2}
Witness Hidingness of Okamoto's Protocol

Proposition (Okamoto's protocol is witness hiding)
Under the DL assumption, no p.p.t. verifier is able to extract a prover's private key.

Proof.
Suppose V* finds (x′1, x′2) by running the protocol with P_{x1,x2}.
Witness indistinguishability implies Pr[(x′1, x′2) = (x1, x2)] = 1/n.

Define p.p.t. algorithm E as P_{x1,x2} and V* combined (E runs P_{x1,x2} on input x, h against V* on input h).

Then E computes with probability 1 − 1/n two pairs (x1, x2) ≠ (x′1, x′2) satisfying
  h = g1^{x1} g2^{x2},   h = g1^{x′1} g2^{x′2}.

But this implies g1^{x1 − x′1} = g2^{x′2 − x2}, with x2 ≠ x′2 (otherwise x1 = x′1 as well), hence
  g2 = g1^{(x1 − x′1)/(x′2 − x2)},
so E computes log_{g1} g2, in contradiction with the DL assumption.
Witness Hidingness of Okamoto's Protocol

[Diagram: left, prover P_{x1,0} (inputs x1 and h) interacting with V* (input h); right, prover P_{0,x2} (inputs x2 and h) interacting with V* (input h).]

V* cannot distinguish between protocol with P_{x1,0} and protocol with P_{0,x2}
⇒ protocol is witness indistinguishable

Remark 4.4
There are n possible witnesses (x1, x2) for a given public key h = g1^{x1} g2^{x2} in Okamoto's protocol. Interestingly, the protocol remains witness hiding even if the number of possible witnesses used by P is limited to just two. E.g., if either x1 = 0 or x2 = 0 (hence either h = g1^{x1} or h = g2^{x2}), the same analysis applies, except that the probability for two different witnesses is now bounded below by 1/2.
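The following is an added example, not code from the lecture notes. It implements Okamoto's protocol (Figure 4.5) in the same toy group as before (p = 2039, n = 1019, g1 = 4, constructed for this example) and makes the two arguments above concrete. To play the role of the reduction, the example generates λ = log_{g1} g2 itself (λ = 577 here); in a real setup nobody knows this value. `matching_randomness` is the substitution u′1, u′2 ←_n u1 + c(x1 − x′1), u2 + c(x2 − x′2) of the witness-indistinguishability slide, and `break_dl_from_two_witnesses` is the last step of the witness-hiding proof.

```python
import secrets

# Toy discrete-log setting, constructed for this example (not from the slides).
p, n, g1 = 2039, 1019, 4
# Second generator g2 = g1^LAMBDA. LAMBDA is generated here only so that the
# example can play the role of the reduction E; in a real setup nobody knows it
# (e.g., g2 is derived by hashing, cf. Pedersen commitments).
LAMBDA = 577
g2 = pow(g1, LAMBDA, p)


def public_key(x1, x2):
    return pow(g1, x1, p) * pow(g2, x2, p) % p      # h = g1^x1 g2^x2


def announce(u1, u2):
    return pow(g1, u1, p) * pow(g2, u2, p) % p      # a = g1^u1 g2^u2


def respond(u1, u2, x1, x2, c):
    return (u1 + c * x1) % n, (u2 + c * x2) % n     # r1, r2


def verify(h, a, c, r1, r2):
    lhs = pow(g1, r1, p) * pow(g2, r2, p) % p
    return lhs == a * pow(h, c, p) % p              # g1^r1 g2^r2 = a h^c


def transcript(x1, x2, u1, u2, c):
    """Conversation (a; c; r1, r2) of prover P_{x1,x2} with randomness u1, u2."""
    a = announce(u1, u2)
    r1, r2 = respond(u1, u2, x1, x2, c)
    return a, c, r1, r2


def other_witness(x1, x2, x2_prime):
    """Any x2' gives another witness for the same h (needs LAMBDA, i.e. this is
    what the reduction, not a real party, can do): x1' = x1 + LAMBDA (x2 - x2')."""
    return (x1 + LAMBDA * (x2 - x2_prime)) % n, x2_prime


def matching_randomness(u1, u2, c, x1, x2, x1p, x2p):
    """u1', u2' for which P_{x1',x2'} produces exactly the same conversation."""
    return (u1 + c * (x1 - x1p)) % n, (u2 + c * (x2 - x2p)) % n


def break_dl_from_two_witnesses(x1, x2, x1p, x2p):
    """Two distinct witnesses for one h give log_{g1} g2 = (x1 - x1')/(x2' - x2)."""
    assert x2 != x2p, "distinct witnesses for the same h differ in x2"
    return (x1 - x1p) * pow((x2p - x2) % n, -1, n) % n
```

The test below checks the two facts the slides rely on: the same transcript is produced by two different witnesses with suitably shifted randomness, so V* learns nothing about which witness P holds, and any party that ends up with two witnesses has solved the discrete logarithm of g2 to base g1.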
5 Zero-Knowledge Proofs
5.1 Σ-Protocols
5.2 Composition of Σ-Protocols
5.3 Miscellaneous Constructions
5.4 Noninteractive Σ-Proofs
Zero-Knowledge Proofs for NP-Statements

Schnorr identification protocol is a zero-knowledge proof for the statement
  "I know private key x for public key h = g^x"
Corresponding relation: R = {(h; x) : h = g^x} ⊆ ⟨g⟩ × Z_n

NP-statement: "I know witness w satisfying (v; w) ∈ R"

R = {(v; w)} ⊆ V × W: easy-to-check binary relation
v ∈ V: common input to prover and verifier
w ∈ W s.t. (v; w) ∈ R: witness, private input to prover

L_R = {v ∈ V : ∃ w ∈ W, (v; w) ∈ R}: NP-language corresponding to relation R
Σ-Protocols
Σ-protocol: a well-chosen abstraction of many protocols, incl. the identification protocols by Schnorr, Guillou-Quisquater, and Okamoto.

Many variations of Σ-protocols exist in today's literature.
Figure 5.1 (Σ-protocol for relation R (p.p.t. algorithms α, ρ, p.t. predicate ϕ))

  Prover P ((v; w) ∈ R, random tape u_P)              Verifier V (v ∈ V)
  a ← α(v; w; u_P)
                          ── announcement a ──▶
                          ◀── challenge c ──            c ∈_R C
  r ← ρ(v; w; c; u_P)
                          ── response r ──▶             ϕ(v; a; c; r)?

Definition 5.1
Σ-protocol for relation R is a protocol of the above form satisfying:
Completeness. If P and V follow the protocol, then V always accepts.
Special soundness. Efficient extractor E: given v ∈ V and accepting conversations (a; c; r) and (a; c′; r′), c ≠ c′, output witness w with (v; w) ∈ R.
Special honest-verifier zero-knowledge. Efficient simulator S: given v ∈ L_R and challenge c, output conversations (a; c; r) with the same probability distribution as conversations between honest P and V on common input v and challenge c, where P uses any witness w with (v; w) ∈ R. For v ∈ V \ L_R, S outputs arbitrary accepting conversations with challenge c.
Plain vs Special Honest Verifier Zero-Knowledge
plain honest-verifier zero-knowledge:
  no input c for simulator S
  simulator is free to output a conversation with any challenge c

special honest-verifier zero-knowledge:
  input c for simulator S
  simulator must output a conversation for challenge c
special honest-verifier zero-knowledge ⇒ plain honest-verifier zero-knowledge
But special honest-verifier zero-knowledge is not much stronger.
From Plain to Special Honest Verifier Zero-Knowledge

Without loss of generality, let (C, +) be an additive finite group.

Figure 5.2 (Transformed Σ-protocol for relation R)

  Prover P ((v; w) ∈ R, random tape u_P)              Verifier V (v ∈ V)
  a ← α(v; w; u_P); c_P ∈_R C
                          ── a, c_P ──▶
                          ◀── c_V ──                    c_V ∈_R C
  r ← ρ(v; w; c_P + c_V; u_P)
                          ── r ──▶                      ϕ(v; a; c_P + c_V; r)?

Proposition 5.2
The transformed protocol in Figure 5.2 is a Σ-protocol for relation R, provided that the original protocol as given in Figure 5.1 satisfies completeness, special soundness, and plain honest-verifier zero-knowledgeness.
Proposition 5.3 (Schnorr's protocol)
The protocol in Figure 4.3 is a Σ-protocol for relation {(h; x) : h = g^x}.

Proof.
Completeness. g^r = g^{u + cx} = g^u (g^x)^c = a h^c.
Special soundness. For accepting (a; c; r), (a; c′; r′), c ≠ c′:
  g^r = a h^c,  g^{r′} = a h^{c′}  ⇒  g^{r − r′} = h^{c − c′}  ⇔  h = g^{(r − r′)/(c − c′)}.
Witness x extracted as x ←_n (r − r′)/(c − c′) satisfies h = g^x.
Special honest-verifier zero-knowledgeness. For challenge c, the distributions of conversations with an honest verifier and of simulated conversations are resp.:
  {(a; c; r) : u ∈_R Z_n; a ← g^u; r ←_n u + cx},
  {(a; c; r) : r ∈_R Z_n; a ← g^r h^{−c}}.
Identical distributions: each conversation occurs with probability 1/n.
Figure 5.3 (Insecure variant of Schnorr's protocol)

  Prover (x = log_g h)                         Verifier
  u ∈_R Z_n^*; a ← g^u
                              ── a ──▶
                              ◀── c ──         c ∈_R Z_n
  r ←_n cu + x
                              ── r ──▶         g^r ?= a^c h

Exercise 5.1.1
To see that honest-verifier zero-knowledge does not imply zero-knowledge against arbitrarily cheating verifiers, consider the protocol in Figure 5.3. Show that the protocol is complete, special sound, and honest-verifier zero-knowledge. Also, show that the protocol is completely insecure against a cheating verifier.
Exercise 5.1.2
The protocol in Figure 5.3 avoids the value u = 0, but this is not essential. Show that the protocol remains complete, special sound, and honest-verifier zero-knowledge (and insecure against a cheating verifier) if one uses u ∈_R Z_n instead of u ∈_R Z_n^*, by exhibiting a slightly more involved simulation.

Remark 5.4
By applying the transformation of Proposition 5.2 to the protocol in Figure 5.3, we obtain a Σ-protocol which is completely insecure against a cheating verifier.
5.2 Composition of Σ-Protocols
  5.2.1 Parallel Composition
  5.2.2 AND-Composition
  5.2.3 EQ-Composition
  5.2.4 OR-Composition
  5.2.5 NEQ-Composition
Five Forms of Composition
Parallel composition: maintains Σ-protocol properties
AND-composition: prove knowledge of two witnesses
EQ-composition: prove equality of witnesses
OR-composition: prove knowledge of 1-out-of-2 witnesses, not revealing which
NEQ-composition: prove inequality of witnesses
All illustrated for Schnorr’s Σ-protocol.
Figure 5.4 (Parallel composition of Schnorr's protocol)

  Prover (x = log_g h)                         Verifier
  u1, u2 ∈_R Z_n
  a1 ← g^{u1}; a2 ← g^{u2}
                           ── a1, a2 ──▶
                           ◀── c1, c2 ──       c1, c2 ∈_R Z_n
  r1 ←_n u1 + c1 x
  r2 ←_n u2 + c2 x
                           ── r1, r2 ──▶       g^{r1} ?= a1 h^{c1}
                                               g^{r2} ?= a2 h^{c2}
Proposition 5.5 (Parallel composition)
The protocol in Figure 5.4 is a Σ-protocol for relation {(h; x) : h = g^x}.

Proof.
Special honest-verifier zero-knowledgeness. Given challenge (c1, c2), the distributions of real conversations and simulated conversations are:
  {(a1, a2; c1, c2; r1, r2) : u1, u2 ∈_R Z_n; a1 ← g^{u1}; a2 ← g^{u2}; r1 ←_n u1 + c1 x; r2 ←_n u2 + c2 x}
  {(a1, a2; c1, c2; r1, r2) : r1, r2 ∈_R Z_n; a1 ← g^{r1} h^{−c1}; a2 ← g^{r2} h^{−c2}}
Identical distributions: each conversation occurs with probability 1/n².
AND-Composition
Given Σ-protocols for relations R1 and R2, construct a Σ-protocol for relation:
  R1 ∧ R2 := {(v1, v2; w1, w2) : (v1; w1) ∈ R1, (v2; w2) ∈ R2}

So, run Σ-protocols for relations R1 and R2 in parallel?
Fails! See Exercise 5.2.1.

Run Σ-protocols for relations R1 and R2 in parallel, using a common challenge c.
Figure 5.5 (AND-composition of Schnorr's protocol)

  Prover (x1 = log_g h1, x2 = log_g h2)        Verifier
  u1, u2 ∈_R Z_n
  a1 ← g^{u1}; a2 ← g^{u2}
                           ── a1, a2 ──▶
                           ◀── c ──            c ∈_R Z_n
  r1 ←_n u1 + c x1
  r2 ←_n u2 + c x2
                           ── r1, r2 ──▶       g^{r1} ?= a1 h1^c
                                               g^{r2} ?= a2 h2^c
Proposition 5.6 (AND-composition)
The protocol in Figure 5.5 is a Σ-protocol for relation {(h1, h2; x1, x2) : h1 = g^{x1}, h2 = g^{x2}}.

Proof.
Special honest-verifier zero-knowledgeness. Given challenge c, the distributions of real conversations and simulated conversations are:
  {(a1, a2; c; r1, r2) : u1, u2 ∈_R Z_n; a1 ← g^{u1}; a2 ← g^{u2}; r1 ←_n u1 + c x1; r2 ←_n u2 + c x2}
  {(a1, a2; c; r1, r2) : r1, r2 ∈_R Z_n; a1 ← g^{r1} h1^{−c}; a2 ← g^{r2} h2^{−c}}
Identical distributions: each conversation occurs with probability 1/n².
Exercise 5.2.1
By considering the special soundness property, explain why running the Schnorr Σ-protocol (see Figure 4.3) in parallel for h1 and h2 does not yield a Σ-protocol for relation {(h1, h2; x1, x2) : h1 = g^{x1}, h2 = g^{x2}}. Hint: consider a prover who knows x1 = log_g h1 but does not know x2 = log_g h2.
Figure 5.6 (Alternative to AND-composition of Schnorr's protocol?)

  Prover (x1 = log_g h1, x2 = log_g h2)        Verifier
  u ∈_R Z_n; a ← g^u
                              ── a ──▶
                              ◀── c ──         c ∈_R Z_n
  r ←_n u + c x1 + c² x2
                              ── r ──▶         g^r ?= a h1^c h2^{c²}

Exercise 5.2.2
Consider the protocol in Figure 5.6 for relation {(h1, h2; x1, x2) : h1 = g^{x1}, h2 = g^{x2}}. (i) Show that the protocol is complete and special honest-verifier zero-knowledge. (ii) Why does special soundness not hold for this protocol? Hint: consider a prover who knows x1 = log_g h1 but does not know x2 = log_g h2. (iii) Show that soundness holds in this sense: for any (h1, h2) ∈ ⟨g⟩ × ⟨g⟩, given three accepting conversations (a; c; r), (a; c′; r′), (a; c″; r″) with c ≠ c′, c ≠ c″, c′ ≠ c″ one can efficiently compute a witness (x1, x2) satisfying h1 = g^{x1} and h2 = g^{x2}.
EQ-Composition
Given a Σ-protocol for relation R, construct a Σ-protocol for relation:
  {(v1, v2; w) : (v1; w) ∈ R, (v2; w) ∈ R}

Special case of AND-composition, with common witness w for v1 and v2.

Use AND-composition, but the prover uses the same random tape u_P (see Figure 5.1) in both cases.

Run two instances of the Σ-protocol for R in parallel, using common randomness u_P, common challenge c and common response r.
Figure 5.7 (EQ-composition of Schnorr's protocol)

  Prover (x = log_{g1} h1 = log_{g2} h2)       Verifier
  u ∈_R Z_n
  a1 ← g1^u; a2 ← g2^u
                           ── a1, a2 ──▶
                           ◀── c ──            c ∈_R Z_n
  r ←_n u + cx
                              ── r ──▶         g1^r ?= a1 h1^c
                                               g2^r ?= a2 h2^c
Proposition 5.7 (EQ-composition)
The protocol in Figure 5.7 is a Σ-protocol for relation {(g1, h1, g2, h2; x) : h1 = g1^x, h2 = g2^x}.

Proof.
Special honest-verifier zero-knowledgeness. Given challenge c, the distributions of real conversations and simulated conversations are:
  {(a1, a2; c; r) : u ∈_R Z_n; a1 ← g1^u; a2 ← g2^u; r ←_n u + cx}
  {(a1, a2; c; r) : r ∈_R Z_n; a1 ← g1^r h1^{−c}; a2 ← g2^r h2^{−c}}
Identical distributions provided log_{g1} h1 = log_{g2} h2, cf. Definition 5.1; furthermore, if log_{g1} h1 ≠ log_{g2} h2, simulated conversations are accepting, as required.
OR-Composition
Given Σ-protocols for relations R1 and R2, construct a Σ-protocol for relation:
  R1 ∨ R2 = {(v1, v2; w1, w2) : (v1; w1) ∈ R1 ∨ (v2; w2) ∈ R2}

Suppose the prover knows w1 with (v1; w1) ∈ R1 (but no w2 with (v2; w2) ∈ R2).
Prover can run the Σ-protocol for R1 but not for R2.
Verifier lets the prover "cheat" by allowing the prover to use the simulation for R2.
Prover allowed to split challenge c into "challenges" c1, c2 satisfying c1 + c2 = c.
Figure 5.8 (OR-composition of Schnorr's protocol)

  Prover (using x1 = log_g h1)      Prover (using x2 = log_g h2)      Verifier
  c2, r2, u1 ∈_R Z_n                c1, r1, u2 ∈_R Z_n
  a1 ← g^{u1}                       a1 ← g^{r1} h1^{−c1}
  a2 ← g^{r2} h2^{−c2}              a2 ← g^{u2}
                              ── a1, a2 ──▶
                              ◀── c ──                                c ∈_R Z_n
  c1 ←_n c − c2                     c2 ←_n c − c1
  r1 ←_n u1 + c1 x1                 r2 ←_n u2 + c2 x2
                              ── c1, c2, r1, r2 ──▶                   c1 + c2 ?=_n c
                                                                      g^{r1} ?= a1 h1^{c1}
                                                                      g^{r2} ?= a2 h2^{c2}
Proposition 5.8 (OR-composition)
The protocol in Figure 5.8 is a Σ-protocol for relation
{(h1, h2; x1, x2) : h1 = g^x1 ∨ h2 = g^x2}.
Proof.
Special soundness. Given accepting conversations (a1, a2; c; c1, c2, r1, r2) and (a1, a2; c′; c′1, c′2, r′1, r′2), c ≠ c′. Then c = c1 + c2 ≠ c′1 + c′2 = c′ implies c1 ≠ c′1 and/or c2 ≠ c′2.
g^r1 = a1 h1^c1, g^r2 = a2 h2^c2, g^r′1 = a1 h1^c′1, g^r′2 = a2 h2^c′2
⇒ g^(r1 − r′1) = h1^(c1 − c′1), g^(r2 − r′2) = h2^(c2 − c′2)
If c1 ≠ c′1, set x1 ←n (r1 − r′1)/(c1 − c′1); otherwise c2 ≠ c′2, and set x2 ←n (r2 − r′2)/(c2 − c′2). Witness (x1, x2) satisfies h1 = g^x1 ∨ h2 = g^x2.
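Figure 5.8 and the extractor of Proposition 5.8, as an added Python example (not part of the lecture notes). The group parameters are a constructed toy setting: P = 2^127 − 1, Q = 77158673929 (a prime factor of P − 1) and G a generator of the order-Q subgroup; they are far too small for real use. The prover's second branch is simulated exactly as in the figure, and `extract` recovers the witness from two accepting conversations with the same announcement.

```python
import secrets

# Toy discrete-log setting, constructed for this example (far too small for real use):
# P is the Mersenne prime 2^127 - 1, Q = 77158673929 is a prime factor of P - 1
# (P - 1 = 2 * (2^63 - 1) * (2^63 + 1)), and G generates the subgroup <g> of order Q.
P = 2**127 - 1
Q = 77158673929
G = pow(3, (P - 1) // Q, P)

def rand_zn():
    return secrets.randbelow(Q)

def or_announce(h1, h2, x, known):
    """Prover's first move (Figure 5.8): run Schnorr for the branch whose private
    key x is known (known = 1 or 2) and simulate the other branch with a
    self-chosen challenge/response pair.  Returns (a1, a2) and the prover state."""
    u = rand_zn()                          # nonce for the real branch
    c_sim, r_sim = rand_zn(), rand_zn()    # simulated challenge and response
    if known == 1:
        a1 = pow(G, u, P)
        a2 = pow(G, r_sim, P) * pow(h2, -c_sim, P) % P   # a2 <- g^r2 h2^-c2
    else:
        a2 = pow(G, u, P)
        a1 = pow(G, r_sim, P) * pow(h1, -c_sim, P) % P   # a1 <- g^r1 h1^-c1
    return (a1, a2), (x, known, u, c_sim, r_sim)

def or_respond(state, c):
    """Prover's response to challenge c: split c so that c1 + c2 = c (mod Q)."""
    x, known, u, c_sim, r_sim = state
    c_real = (c - c_sim) % Q
    r_real = (u + c_real * x) % Q
    if known == 1:
        return (c_real, c_sim, r_real, r_sim)   # (c1, c2, r1, r2)
    return (c_sim, c_real, r_sim, r_real)

def or_verify(h1, h2, ann, c, resp):
    """Verifier's three checks from Figure 5.8."""
    a1, a2 = ann
    c1, c2, r1, r2 = resp
    return ((c1 + c2) % Q == c % Q
            and pow(G, r1, P) == a1 * pow(h1, c1, P) % P
            and pow(G, r2, P) == a2 * pow(h2, c2, P) % P)

def extract(resp, resp2):
    """Special soundness (Proposition 5.8): two accepting responses to the same
    announcement under challenges c != c' yield a witness for branch 1 or 2."""
    c1, c2, r1, r2 = resp
    d1, d2, s1, s2 = resp2
    if c1 != d1:
        return 1, (r1 - s1) * pow(c1 - d1, -1, Q) % Q
    return 2, (r2 - s2) * pow(c2 - d2, -1, Q) % Q

def run_protocol(h1, h2, x, known):
    """One honest execution with a random verifier challenge; True iff accepted."""
    ann, state = or_announce(h1, h2, x, known)
    c = rand_zn()
    resp = or_respond(state, c)
    return or_verify(h1, h2, ann, c, resp)

if __name__ == "__main__":
    x1 = rand_zn()
    h1 = pow(G, x1, P)
    h2 = pow(G, rand_zn(), P)          # the prover does not use log_g h2
    print("accepted:", run_protocol(h1, h2, x1, 1))
```

Either branch can be the known one: `run_protocol(h2, h1, x1, 2)` proves knowledge of the second key with the same verifier code, which is what witness indistinguishability requires.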
Remark (Witness indistinguishability of OR-composition)
Real conversations in case prover uses x1:
{(a1, a2; c; c1, c2, r1, r2) : u1, c2, r2 ∈R Zn; a1 ← g^u1; a2 ← g^r2 h2^(−c2); c1 ←n c − c2; r1 ←n u1 + c1 x1}
Real conversations in case prover uses x2:
{(a1, a2; c; c1, c2, r1, r2) : u2, c1, r1 ∈R Zn; a1 ← g^r1 h1^(−c1); a2 ← g^u2; c2 ←n c − c1; r2 ←n u2 + c2 x2}
Identical distributions (both identical to distribution of simulated conversations). Protocol is witness indistinguishable (also witness hiding under DL assumption).
Exercise 5.2.3 (OR-composition slightly optimized)
See Figure 5.8. The prover may omit sending c2, in which case the verifier must replace test c1 + c2 ?=n c by assignment c2 ←n c − c1. (Thus, prover always omits sending c2 independent of whether it knows x1 and/or x2.) Prove that the resulting protocol is a Σ-protocol for the same relation as before.
NEQ-Composition
Given Σ-protocol for relation R, construct Σ-protocol for relation:
{(v1, v2; w1, w2) : (v1; w1) ∈ R, (v2; w2) ∈ R, w1 ≠ w2}
AND-composition proves knowledge of w1 and w2. How to prove w1 ≠ w2?
For Schnorr's protocol, with public keys g1, h1 and g2, h2, use AND-composition to prove knowledge of x1 = log_g1 h1 and x2 = log_g2 h2.
Since x1 ≠ x2, multiplicative inverse of x1 − x2 modulo n is defined. Hence,
h1 h2 = g1^x1 g2^x2 = (g1 g2)^x1 g2^(x2 − x1)
implies
g2 = (g1 g2)^(x1/(x1 − x2)) (h1 h2)^(1/(x2 − x1)). (5.1)
Use instance of Okamoto's protocol with public key g2, generators g1 g2 and h1 h2, witnesses x1/(x1 − x2) and 1/(x2 − x1).
Figure 5.9 (NEQ-composition of Schnorr's protocol)
Prover (x1 = log_g1 h1, x2 = log_g2 h2):
  u1, u2, u3, u4 ∈R Zn
  a1 ← g1^u1; a2 ← g2^u2; a3 ← (g1 g2)^u3 (h1 h2)^u4
Prover → Verifier: a1, a2, a3
Verifier: c ∈R Zn
Verifier → Prover: c
Prover: r1 ←n u1 + c x1; r2 ←n u2 + c x2; r3 ←n u3 + c x1/(x1 − x2); r4 ←n u4 + c/(x2 − x1)
Prover → Verifier: r1, r2, r3, r4
Verifier checks: g1^r1 ?= a1 h1^c; g2^r2 ?= a2 h2^c; (g1 g2)^r3 (h1 h2)^r4 ?= a3 g2^c
Proposition 5.9 (NEQ-composition)
The protocol in Figure 5.9 is a Σ-protocol for relation
{(g1, h1, g2, h2; x1, x2) : h1 = g1^x1, h2 = g2^x2, x1 ≠ x2},
assuming log_g1 g2 is unknown.
Proof.
Special soundness. Given (a1, a2, a3; c; r1, r2, r3, r4), (a1, a2, a3; c′; r′1, r′2, r′3, r′4) both accepting, c ≠ c′. As for AND-composition, witness (x1, x2) is extracted as x1 ←n (r′1 − r1)/(c′ − c) and x2 ←n (r′2 − r2)/(c′ − c). Moreover,
g2 = (g1 g2)^((r3 − r′3)/(c − c′)) (h1 h2)^((r4 − r′4)/(c − c′)).
Suppose x1 = x2. Then g2 = (g1 g2)^α for known α ≠ 0, 1 (as g1, g2 ≠ 1), hence g2 = g1^(α/(1 − α)), contradicting that log_g1 g2 is unknown. Therefore x1 ≠ x2.
Example 5.10
Σ-protocol needed for relation R:
R = {(A, B; x, y, z) : A = g^x h^y ∧ B = g^(xy) h^((1−x)z) ∧ x ∈ {0, 1}}.
Distinguish cases x = 0 and x = 1 for given (A, B; x, y, z) ∈ R. If x = 0, then A = h^y ∧ B = h^z; if x = 1, then A = g h^y ∧ B = g^y. For relation R, apply OR-composition to:
R0 = {(A, B; y, z) : A = h^y ∧ B = h^z}, R1 = {(A, B; y) : A = g h^y ∧ B = g^y}.
For relation R0, apply AND-composition to:
R0A = {(A; y) : A = h^y}, R0B = {(B; z) : B = h^z}.
For relation R1, apply EQ-composition to:
R1A = {(A; y) : A/g = h^y}, R1B = {(B; y) : B = g^y}.
R0A, R0B, R1A, R1B are instances of (slight variations of) Schnorr's protocol.
Figure 5.10 (Σ-protocol for {(A, B; x, y, z) : A = g^x h^y ∧ B = g^(xy) h^((1−x)z) ∧ x ∈ {0, 1}})
Prover (case x = 0):
  u0A, u0B ∈R Zn; a0A ← h^u0A; a0B ← h^u0B
  c1, r1 ∈R Zn; a1A ← h^r1 (A/g)^(−c1); a1B ← g^r1 B^(−c1)
Prover (case x = 1):
  u1 ∈R Zn; a1A ← h^u1; a1B ← g^u1
  c0, r0A, r0B ∈R Zn; a0A ← h^r0A A^(−c0); a0B ← h^r0B B^(−c0)
Prover → Verifier: a0A, a0B, a1A, a1B
Verifier: c ∈R Zn
Verifier → Prover: c
Prover (case x = 0): c0 ←n c − c1; r0A ←n u0A + c0 y; r0B ←n u0B + c0 z
Prover (case x = 1): c1 ←n c − c0; r1 ←n u1 + c1 y
Prover → Verifier: c0, c1, r0A, r0B, r1
Verifier checks: c0 + c1 ?=n c; h^r0A ?= a0A A^c0; h^r0B ?= a0B B^c0; h^r1 ?= a1A (A/g)^c1; g^r1 ?= a1B B^c1
Exercises
Exercise 5.3.1
Prove that the protocol of Figure 5.10 is a Σ-protocol for relation R, as defined in Example 5.10.
Exercise 5.3.2 (log_g h unknown to anyone)
Design (and prove so!) Σ-protocol for {(B; x, y) : B = g^x h^y, ψ(x, y)}, where:
(a) ψ(x, y) ≡ true;
(b) ψ(x, y) ≡ x = y;
(c) ψ(x, y) ≡ αx + βy = γ for given α ∈ Z*n, β, γ ∈ Zn;
(d) ψ(x, y) ≡ x ∈ {0, 1};
(e) ψ(x, y) ≡ x ∈ {0, 1, . . . , 2^ℓ − 1}, fixed integer ℓ, 1 ≤ ℓ ≤ ⌊log2 n⌋;
(f) ψ(x, y) ≡ x ≠ 0;
(g) ψ(x, y) ≡ x ≠ y;
(h) ψ(x, y) ≡ αx + βy ≠ γ for given α ∈ Z*n, β, γ ∈ Zn;
(i) ψ(x, y) ≡ xy = 1;
(j) ψ(x, y) ≡ ∃χ ∈ Zn: x = χ^2;
(k) ψ(x, y) ≡ x^2 = y^2.
Hints: (a) use Okamoto's protocol; (b) eliminate variable y using x = y; (c) eliminate variable x using given equation; (d) use OR-composition, cf. Example 5.10; (e) consider binary representation of x and use ℓ instances of protocol of part (d); (f) use instance of Okamoto's protocol by isolating g in equation B = g^x h^y, cf. Eq. (5.1); (g) and (h) are generalizations of part (f); (i) isolate g in equation for B^y and use EQ-composition with equation for B; (j) use AND-composition and EQ-composition; (k) eliminate one variable and use OR-composition.
Figure 5.11 (Alternative to Okamoto's protocol?)
Prover (h = g1^x1 g2^x2):
  u1, u2 ∈R Zn; a1 ← g1^u1; a2 ← g2^u2
Prover → Verifier: a1, a2
Verifier: c ∈R Zn
Verifier → Prover: c
Prover: r1 ←n u1 + c x1; r2 ←n u2 + c x2
Prover → Verifier: r1, r2
Verifier checks: g1^r1 g2^r2 ?= a1 a2 h^c
Exercise 5.3.3
See Figure 4.5. Is Figure 5.11 a Σ-protocol for {(h; x1, x2) : h = g1^x1 g2^x2}?
Exercise 5.3.4 (log_g h unknown to anyone)
Design Σ-protocols (and prove correctness) for relations:
(a) {(A, B; x, y, z) : A = g^x h^y, B = g^(1/x) h^z, x ≠ 0};
(b) {(A1, A2, B; x1, x2, y1, y2, z) : A1 = g^x1 h^y1, A2 = g^x2 h^y2, B = g^(x1 x2) h^z}.
Exercise 5.3.5 (log_g h unknown to anyone)
For Boolean variables v1, . . . , vℓ, consider instance of 3SAT problem, given by Boolean formula Φ consisting of m clauses, which each consist of 3 literals:
Φ = (l_1,1 ∨ l_1,2 ∨ l_1,3) ∧ · · · ∧ (l_m,1 ∨ l_m,2 ∨ l_m,3).
Each literal is of the form l_i,j = v_k or l_i,j = ¬v_k = 1 − v_k (negation of v_k), 1 ≤ k ≤ ℓ. Construct a Σ-protocol (incl. correctness proof) for relation:
R′3SAT = {(Φ, B1, . . . , Bℓ; x1, y1, . . . , xℓ, yℓ) : Φ(x1, . . . , xℓ), ∀k, 1 ≤ k ≤ ℓ: Bk = g^xk h^yk, xk ∈ {0, 1}}.
Exercise 5.3.6 (see previous exercise)
Σ-protocol for R′3SAT actually proves knowledge of witnesses to open the commitments B1, . . . , Bℓ. Construct a more efficient way for proving that Φ is satisfiable, by considering instead relation:
R3SAT = {(Φ; x1, . . . , xℓ) : Φ(x1, . . . , xℓ)}.
Exercise 5.3.7 (log_g h unknown to anyone)
Design two alternative Σ-protocols (and prove correctness) for relation
Rneq0 = {(A, B; x, y, z) : A = g^x h^y, B = g^(x^(n−1)) h^z}.
(i) By applying OR-composition distinguishing cases x = 0 and x ≠ 0 for the first protocol.
(ii) By applying an appropriate form of EQ-composition for exponent x for the second protocol (not using OR-composition at all).
The Σ-protocols you are looking for both have announcements consisting of four ⟨g⟩-elements each, but the response for (i) will comprise six Zn-elements (using the optimization of Exercise 5.2.3), whereas (ii) can be done with a response comprising four Zn-elements only.
5.4.1 Digital Signatures from Σ-Protocols / 5.4.2 Proofs of Validity / 5.4.3 Group Signatures
Schnorr Signatures
Cryptographic hash function H.
Fiat-Shamir heuristic
Transform identification scheme into digital signature scheme by "computing challenge as hash of prover's announcement and message to be signed."
For Schnorr's protocol (Figure 4.3): put c ← H(a; M).
Example (Schnorr signature scheme)
Key generation. Key pair (h; x) with private key x ∈R Zn, public key h ← g^x.
Signature generation. On input of message M, private key x, set
u ∈R Zn; a ← g^u; c ← H(a; M); r ←n u + cx.
Signature on M is pair (c, r).
Signature verification. On input of message M, pair (c, r), public key h, accept (c, r) as signature on M iff c = H(g^r h^(−c); M).
Schnorr signatures secure in random oracle model: challenge c is unpredictable.
Figure 5.12 (Parametrized insecure variant of Schnorr's protocol)
Prover: u ∈R Z*n; a ← g^u
Prover → Verifier: a
Verifier: c ∈R Zn
Verifier → Prover: c
Prover: r ←n (c − F(a)) u + x
Prover → Verifier: r
Verifier checks: g^r ?= a^(c − F(a)) h
Exercise 5.4.1
To see that Fiat-Shamir heuristic does not necessarily lead to secure signature schemes, consider the protocol in Figure 5.12. Function F : ⟨g⟩ → Zn can be your favorite hash function; for simplicity assumed that F maps into Zn. Note that function F(w) = 0 for w ∈ ⟨g⟩ yields the protocol of Exercise 5.1.1.
(i) Show that the protocol is complete, special sound, and honest-verifier zero-knowledge (for any function F : ⟨g⟩ → Zn).
(ii) What happens if we generate the challenge as c ← F(a) to obtain a noninteractive version of the protocol? That is, what happens if we instantiate the random oracle with H = F.
Proofs of Validity
Fiat-Shamir heuristic can be applied to any Σ-protocol. Result: noninteractive Σ-proof.
Definition 5.11
Let H be a cryptographic hash function. For any Σ-protocol as in Figure 5.1, a (noninteractive) Σ-proof for relation R is defined in terms of two algorithms.
Proof generation. Given (v; w) ∈ R, a Σ-proof is a pair (a; r), where a = α(v; w; uP) and r = ρ(v; w; H(a; v); uP).
Proof verification. For v ∈ V, (a; r) is accepted as Σ-proof if and only if ϕ(v; a; H(a; v); r) holds.
Σ-proof consists of announcement a and response r.
Typically, size of Σ-proof reduced by replacing announcement a by challenge c.
Example 5.12 (Proof of validity)
Turn solution to Exercise 5.3.2(d) into Σ-proof.
Let B = g^x h^y where x ∈ {0, 1}, y ∈ Zn is prover's witness. Write x̄ = 1 − x.
Proof generation. u_x, r_x̄, c_x̄ ∈R Zn; a_x ← h^u_x; a_x̄ ← h^r_x̄ (B/g^x̄)^(−c_x̄); c ← H(a0, a1; B); c_x ←n c − c_x̄; r_x ←n u_x + c_x y. Output (c0, c1, r0, r1) as proof.
Proof verification. On input of proof (c0, c1, r0, r1) for commitment B, accept proof iff c0 + c1 =n H(h^r0 B^(−c0), h^r1 (B/g)^(−c1); B).
B needed in input to H to fix "context": otherwise proofs can be forged!
Exercise 5.4.2
Show how to forge a Σ-proof (c0, c1, r0, r1) for a commitment B if proof verification is changed into c0 + c1 =n H(h^r0 B^(−c0), h^r1 (B/g)^(−c1)) by making a suitable choice for B. Hint: B can be set after c = H(a0, a1) is computed.
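The Fiat-Shamir heuristic from both preceding slides, as an added Python example that is not part of the lecture notes: the Schnorr signature scheme with c ← H(a; M), and the proof of validity of Example 5.12 for a commitment B = g^x h^y with x ∈ {0, 1}, where B is hashed in as context. The group is a constructed toy setting (P = 2^127 − 1, Q = 77158673929, generators G and H_GEN with log_G H_GEN assumed unknown) and `hash_to_zn` is a SHA-256 stand-in for the random oracle; neither is suitable for real use.

```python
import hashlib
import secrets

# Toy discrete-log setting, constructed for this example (far too small for real use):
# P = 2^127 - 1 is prime, Q = 77158673929 is a prime factor of P - 1, G generates the
# subgroup of order Q, and H_GEN is a second generator whose log_G nobody is assumed to know.
P = 2**127 - 1
Q = 77158673929
G = pow(3, (P - 1) // Q, P)
H_GEN = pow(5, (P - 1) // Q, P)

def rand_zn():
    return secrets.randbelow(Q)

def hash_to_zn(*parts):
    """Random-oracle stand-in H: SHA-256 over length-prefixed encodings of all
    inputs, reduced into Z_Q (toy; the bias of the reduction is ignored here)."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % Q

# --- Schnorr signatures: Fiat-Shamir applied to Figure 4.3, c <- H(a; M) --------
def schnorr_keygen():
    x = rand_zn()
    return pow(G, x, P), x          # (h; x)

def schnorr_sign(x, msg):
    u = rand_zn()
    a = pow(G, u, P)
    c = hash_to_zn(a, msg)
    return c, (u + c * x) % Q       # signature (c, r)

def schnorr_verify(h, msg, sig):
    c, r = sig
    if not (0 <= c < Q and 0 <= r < Q):      # reject malformed signatures outright
        return False
    a = pow(G, r, P) * pow(h, -c, P) % P     # a = g^r h^-c
    return c == hash_to_zn(a, msg)

# --- Proof of validity (Example 5.12): B = g^x h^y with x in {0, 1} -----------
def commit(x, y):
    return pow(G, x, P) * pow(H_GEN, y, P) % P

def prove_bit(B, x, y):
    """Fiat-Shamir OR-proof that B commits to 0 or 1.  Branch x is proved for
    real, branch xbar = 1 - x is simulated; B is hashed in as context."""
    xb = 1 - x
    u, r_sim, c_sim = rand_zn(), rand_zn(), rand_zn()
    a = [0, 0]
    a[x] = pow(H_GEN, u, P)                                       # real announcement
    base = B * pow(G, -xb, P) % P                                 # B / g^xbar
    a[xb] = pow(H_GEN, r_sim, P) * pow(base, -c_sim, P) % P       # simulated announcement
    c = hash_to_zn(a[0], a[1], B)                                 # c <- H(a0, a1; B)
    cs, rs = [0, 0], [0, 0]
    cs[x], cs[xb] = (c - c_sim) % Q, c_sim
    rs[x], rs[xb] = (u + cs[x] * y) % Q, r_sim
    return cs[0], cs[1], rs[0], rs[1]

def verify_bit(B, proof):
    """Accept iff c0 + c1 = H(h^r0 B^-c0, h^r1 (B/g)^-c1; B) (mod Q)."""
    c0, c1, r0, r1 = proof
    a0 = pow(H_GEN, r0, P) * pow(B, -c0, P) % P
    a1 = pow(H_GEN, r1, P) * pow(B * pow(G, -1, P) % P, -c1, P) % P
    return (c0 + c1) % Q == hash_to_zn(a0, a1, B)
```

Because B enters the hash, a proof made for one commitment does not verify against another; the verifier recomputes both announcements from the response alone, so the proof is only the four Z_Q elements of the slide.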
Anonymous Signatures: Group Signatures
(Figure: group manager P0 with group members P1, P2, . . . , Pm.)
Group manager: P0. Group members: P1, . . . , Pm.
Any group member Pi can sign on behalf of the group. Actual signer remains anonymous. Anonymity is revocable: group manager can prove which group member produced a given signature.
Group public key: h. Party Pi's private key: xi.
Definition 5.13 (Group signature scheme)
Four components, involving group manager P0, group members P1, . . . , Pm.
Key generation. Protocol between P0, P1, . . . , Pm for generating public key h for the group, private key x0 for group manager P0 and private key xi for each group member Pi, 1 ≤ i ≤ m.
Signature generation. Algorithm that on input of message M, public key h of the group, private key xi of group member Pi, outputs signature S.
Signature verification. Algorithm that on input of message M, public key h of the group, signature S, tests if S is valid group signature on M w.r.t. public key h.
Signature opening. Algorithm that on input of message M, public key h of the group, valid signature S, private key x0 of group manager, outputs identity of group member who generated S.
Simple Construction
Party Pi holds a discrete log key pair (hi; xi) with hi = g^xi.
To sign a message, apply the Fiat-Shamir heuristic to Σ-protocol for proving knowledge of 1-out-of-m private keys x1, . . . , xm.
Exercise 5.4.3
Construct Σ-protocol for relation
Rm = {(h1, . . . , hm; x) : ∃i, 1 ≤ i ≤ m: hi = g^x}
by generalizing OR-composition, and show it is indeed a Σ-protocol.
For revocability, include an encryption of the actual key pair used.
Example (ElGamal-based group signatures)
Pi includes ElGamal encryption of hi under P0's public key in group signature.
Key generation. Each Pi picks private key xi ∈R Zn. Public key of group is (h0, h1, . . . , hm) with hi = g^xi.
Signature generation. Group member Pi computes (A, B) = (g^u, h0^u hi) with u ∈R Zn, and Σ-proof for R′m showing (A, B) encrypts one of h1, . . . , hm for which Pi knows private key:
R′m = {(A, B, h0, h1, . . . , hm; u, x) : A = g^u, B = h0^u g^x, ∃i, 1 ≤ i ≤ m: hi = g^x}.
Signature verification. Σ-proof contained in group signature is verified.
Signature opening. Group manager P0 decrypts ElGamal encryption (A, B) contained in group signature and proves validity: P0 outputs d = A^x0 and Σ-proof for x0 = log_g h0 = log_A d. Anyone may now compute B/d, which will match the public key of the group member who produced the signature.
Exercise
Exercise 5.4.4
Give a Σ-protocol for relation R′m and prove its correctness, in each of the following cases: (i) m = 1, (ii) m = 2, and (iii) arbitrary m ≥ 1.
6 Threshold Cryptography
6.1 Secret Sharing / 6.2 Verifiable Secret Sharing / 6.3 Threshold Cryptosystems
5-Way Latch
1-out-of-5 threshold scheme
5 padlocks "in series": opening any 1 padlock will open gate.
Threshold cryptography (group-oriented cryptography)
Techniques to distribute cryptographic schemes between multiple parties.
Examples:
Safe-deposit box requires use of two keys, one kept by the owner of the box and one kept by the bank.
Control of nuclear weapons in Russia involves a 2-out-of-3 access mechanism, where the three parties are the President, the Defense Minister and the Defense Ministry (Time Magazine, May 4, 1992, p.13).
Distributing power to issue digital signatures (e.g., issuance of root certificates in public key infrastructures).
Group signature ≈ 1-out-of-m threshold signature.
Distributing power to decrypt messages (key escrow, key recovery).
Electronic voting: distributing power to decrypt votes.
6.1.1 Shamir Threshold Scheme
Example 6.1 (See also Mathematica notebook d3.nb.)
RSA cryptosystem, public exponent e = 3, modulus N = pq, gcd(e, φ(N)) = 1. Two persons split private key d = 1/e mod φ(N) into most-significant half and least-significant half. How secure?
Since 0 < d < φ(N), 3d = 1 + lφ(N) holds either for l = 1 or l = 2. Since p and q not divisible by 3, φ(N) ≢ 2 (mod 3), hence l ≡ 2 (mod 3). Thus l = 2.
Approximation d̂ = ⌊(1 + 2(N − 2√N + 1))/3⌋ for d = (1 + 2φ(N))/3.
Approximation error: d̂ − d = ⌊(2/3)(p + q − 2√N)⌋. Since p + q > 2√N (use (√p − √q)^2 > 0):
0 ≤ d̂ − d < √N,
as p and q of equal bit length.
Thus, most-significant half of d matches most-significant half of d̂. Person receiving least-significant half of d is able to construct all of d's bits!
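Example 6.1 worked through in Python, as an added example that is not part of the lecture notes. The RSA parameters are constructed toy primes (1019 and 1031, both ≡ 2 mod 3 so that gcd(3, φ(N)) = 1); `isqrt(N)` stands in for √N, and the split position `half_bits` is chosen so that 2^half_bits exceeds √N and hence the approximation error, which is what lets the holder of the low half recombine it with the top bits of d̂.

```python
from math import isqrt

# Toy RSA parameters, constructed for this example (not secure): two primes of
# equal bit length, both = 2 (mod 3), so that gcd(3, phi(N)) = 1 as in Example 6.1.
TOY_P, TOY_Q = 1019, 1031
E = 3

def private_exponent(p, q):
    """d = 1/e mod phi(N) for e = 3."""
    return pow(E, -1, (p - 1) * (q - 1))

def approximate_d(N):
    """d_hat of Example 6.1: since 3d = 1 + 2 phi(N) and phi(N) = N - (p + q) + 1,
    replacing p + q by its lower bound 2 sqrt(N) gives an over-estimate of d that
    depends on the public modulus only.  isqrt(N) stands in for sqrt(N)."""
    s = isqrt(N)
    return (1 + 2 * (N - 2 * s + 1)) // 3

def half_bits(N):
    """Bit position at which d is split: 2^half_bits > sqrt(N) > d_hat - d."""
    return (N.bit_length() + 1) // 2

def low_half(d, N):
    """What the holder of the least-significant half of d receives."""
    return d & ((1 << half_bits(N)) - 1)

def recover_d(N, low):
    """Combine d_hat's top bits with the received low half.  Because
    0 <= d_hat - d < 2^half_bits, the top half of d_hat is either the top half
    of d or one more; the latter case shows up as a candidate exceeding d_hat."""
    k = half_bits(N)
    d_hat = approximate_d(N)
    cand = ((d_hat >> k) << k) | low
    if cand > d_hat:
        cand -= 1 << k
    return cand

if __name__ == "__main__":
    N = TOY_P * TOY_Q
    d = private_exponent(TOY_P, TOY_Q)
    print("d =", d, "d_hat =", approximate_d(N), "recovered:", recover_d(N, low_half(d, N)) == d)
```

The lesson of the slide is the "Splitting the Bit" point that follows: cutting a secret into bit-string pieces is not secret sharing, because public information (here N) already pins down the top half.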
Splitting the Bit
Breaking bit string into pieces not a secure way to share a secret. And, how do we "split the bit"?
Critical step: use additional randomness.
Splitting secret bit s ∈ {0, 1} into shares s1, s2 ∈ {0, 1}
To split s into s1, s2: pick u ∈R {0, 1}, set s1 = s ⊕ u and s2 = u.
To recover s from s1, s2: compute s1 ⊕ s2 = s ⊕ u ⊕ u = s.
Neither s1 nor s2 on its own reveals any information on s.
Exercise 6.1.1
Suppose u is uniformly distributed. Show that s1 and s2 are also uniformly distributed, irrespective of the distribution of s.
Visual Secret Sharing (Naor & Shamir, Eurocrypt 1994)
Definition 6.2 (Secret sharing scheme)
Two protocols, involving dealer D and participants P1, . . . , Pm.
Distribution. Protocol in which dealer D shares secret s such that each participant Pi obtains share si, 1 ≤ i ≤ m.
Reconstruction. Protocol in which secret s is recovered by pooling shares si, i ∈ Q, of any qualified set of participants Q ⊆ {P1, . . . , Pm}.
Security requirements for secret sharing scheme:
(i) any qualified set of participants can determine s by pooling their shares,
(ii) any nonqualified set of participants cannot find any information on s when pooling their shares.
Polynomials over Finite Field Zp
(Figure: plots of a straight line (mod 97) and a parabola (mod 97).)
Mathematically, same behavior as polynomials over R:
Polynomial of degree d > 0 has at most d roots.
Polynomial of degree d is uniquely determined by d + 1 points.
Threshold Secret Sharing Scheme
Participants P1, . . . , Pm. Threshold t, 0 ≤ t < m.
(t, m)-threshold access structure:
Γ = {Q ⊆ {P1, . . . , Pm} : |Q| > t}.
Also referred to as a (t+1)-out-of-m (threshold) access structure.
Perfect (t, m)-threshold secret sharing scheme:
Any group of t + 1 participants is able to recover the secret.
No group of t or less participants can do so: t or less participants get no information on the secret.
Shamir's (t, m)-threshold scheme
For secret s ∈ Zp.
Distribution. Dealer picks random polynomial a(X) ∈R Zp[X] of degree ≤ t satisfying a(0) = s, and sends share si = a(i) to participant Pi, for i = 1, . . . , m.
Reconstruction. Any set Q of t + 1 participants may recover secret s from their shares by Lagrange interpolation:ᵃ
s = ∑_{i∈Q} si λ_{Q,i}, with λ_{Q,i} = ∏_{j∈Q\{i}} j/(j − i).
ᵃ Note: i ∈ Q shorthand for Pi ∈ Q.
Example ((1, 5)-threshold scheme)
Distribution. Let a(X) = s + uX with u ∈R Zp. Send share si = a(i) to Pi.
Reconstruction. Any pair Pi, Pj recovers secret as s = (i sj − j si)/(i − j).
6.2.1 Feldman VSS / 6.2.2 Pedersen VSS
Secret sharing schemes resist passive attacks only.
Verifiable secret sharing (VSS)
VSS scheme resists (combinations of) two types of active attacks:
Dealer sending incorrect shares to some/all participants during distribution.
Participants submitting incorrect shares during reconstruction.
Shamir's scheme is not a VSS scheme:
During distribution, no guarantee shares si correspond to single polynomial a(X) of degree ≤ t.
During reconstruction, no guarantee share si provided by Pi is correct.
Nothing prevents Pi from using s̃i ∈R Zp instead; reconstructed value s̃ will be useless, and if only Pi is cheating, Pi finds value of s using the other t correct shares.
Discrete log setting ⟨g⟩.
Feldman's (t, m)-threshold VSS scheme
For secret s ∈ Zn.
Distribution. Dealer chooses random polynomial (u0 = s):
a(X) = u0 + u1 X + · · · + ut X^t, u1, . . . , ut ∈R Zn.
Dealer sends shares si = a(i) to Pi in private, for i = 1, . . . , m, and broadcasts commitments Bj = g^uj, 0 ≤ j ≤ t. Upon receipt of share si, Pi checks:
g^si = ∏_{j=0}^{t} Bj^(i^j). (6.1)
Reconstruction. Share si contributed by Pi checked using Eq. (6.1). Secret s = a(0) recovered as in Shamir's scheme from t + 1 valid shares.
Commitments Bj define unique polynomial with coefficients log_g Bj.
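Shamir's (t, m)-threshold scheme of Section 6.1.1 together with Feldman's VSS extension above, as an added Python example that is not part of the lecture notes. Sharing and Lagrange reconstruction work in Z_Q; the Feldman commitments B_j = g^{u_j} and check (6.1) live in a constructed toy group (P = 2^127 − 1, Q = 77158673929, G of order Q), far too small for real use. `feldman_reconstruct` shows the point of VSS: a corrupted share fails Eq. (6.1) and is discarded instead of silently producing a wrong secret.

```python
import secrets

# Toy discrete-log setting, constructed for this example (far too small for real use).
P = 2**127 - 1
Q = 77158673929            # prime order of <g>; shares and polynomials live in Z_Q
G = pow(3, (P - 1) // Q, P)

def share(secret, t, m):
    """Shamir distribution: random polynomial a(X) of degree <= t with a(0) = secret;
    share s_i = a(i) for i = 1..m.  Returns (coefficients, {i: s_i})."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t)]
    shares = {i: sum(u * pow(i, j, Q) for j, u in enumerate(coeffs)) % Q
              for i in range(1, m + 1)}
    return coeffs, shares

def lagrange_coeff(i, qualified):
    """lambda_{Q,i} = prod_{j in Q, j != i} j / (j - i)  (mod Q)."""
    lam = 1
    for j in qualified:
        if j != i:
            lam = lam * j * pow(j - i, -1, Q) % Q
    return lam

def reconstruct(shares):
    """Shamir reconstruction s = sum_i s_i lambda_{Q,i} from t+1 (or more) shares."""
    qualified = list(shares)
    return sum(s * lagrange_coeff(i, qualified) for i, s in shares.items()) % Q

def feldman_commitments(coeffs):
    """Dealer broadcasts B_j = g^{u_j} for every coefficient u_j of a(X)."""
    return [pow(G, u, P) for u in coeffs]

def feldman_check(i, s_i, commitments):
    """Eq. (6.1): g^{s_i} == prod_j B_j^{i^j}; exponents reduce mod Q as g has order Q."""
    rhs = 1
    for j, B in enumerate(commitments):
        rhs = rhs * pow(B, pow(i, j, Q), P) % P
    return pow(G, s_i, P) == rhs

def feldman_reconstruct(shares, commitments, t):
    """Reconstruction with verification: drop shares failing Eq. (6.1), then
    interpolate from t+1 valid ones.  Returns None if fewer than t+1 are valid."""
    valid = {i: s for i, s in shares.items() if feldman_check(i, s, commitments)}
    if len(valid) < t + 1:
        return None
    return reconstruct(dict(list(valid.items())[: t + 1]))

if __name__ == "__main__":
    coeffs, shares = share(424242, 2, 5)          # (2,5)-threshold: any 3 of 5 recover
    B = feldman_commitments(coeffs)
    shares[3] = (shares[3] + 1) % Q               # P3 submits a corrupted share
    print(feldman_reconstruct(shares, B, 2))      # 424242, P3's share was discarded
```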
Security of Feldman VSS
No more than t cheating participants, t < m/2.
1. Dealer and participants bound to unique polynomial by Eq. (6.1).
2. Secret s hidden even given B0 = g^s, B1 = g^u1, . . . , Bt = g^ut.
Reduction proof: given instance h of DL problem, a successful collusion of participants P*1, . . . , P*t would compute log_g h, as follows.
Dealer sets B0 = h, s1, . . . , st ∈R Zn, and Bj for j = 1, . . . , t such that Eq. (6.1) holds for P*1, . . . , P*t, without knowing s = log_g h:
Bj = ∏_{k=1}^{t} (g^sk / h)^(γ_{j,k}), (6.2)
where (γ_{j,k}) = V^(−1) for the t × t matrix V with entries V_{i,j} = i^j:
V = [ 1 1 · · · 1 ; 2 2^2 · · · 2^t ; . . . ; t t^2 · · · t^t ].
Shares for Pt+1, . . . , Pm are irrelevant.
Simulation View
(Figure: dealer D holding secret s interacting with P*1, . . . , P*t, versus simulator S interacting with P*1, . . . , P*t.)
P*1, . . . , P*t cannot distinguish between protocol with D and protocol with S ⇒ protocol is "zero-knowledge" w.r.t. secret s
Exercises
Exercise 6.2.1
Verify that Eq. (6.1) holds for 1 ≤ i ≤ t if B0 = h and Bj, 1 ≤ j ≤ t, are defined by (6.2).
Exercise 6.2.2
The special case of an m-out-of-m threshold scheme for secrets s ∈ Zn can be solved simply by setting the shares as follows: choose si ∈R Zn for i = 2, . . . , m and set s1 = (s − ∑_{i=2}^{m} si) mod n. Extend this basic secret sharing scheme to a Feldman VSS scheme, and provide a security analysis of the resulting VSS scheme.
Note: m-out-of-m threshold scheme same as an (m − 1, m)-threshold scheme.
Discrete log setting ⟨g⟩, h ∈R ⟨g⟩ such that log_g h not known.
Pedersen's (t, m)-threshold VSS scheme
For secret s ∈ Zn.
Distribution. Dealer chooses random polynomials a(X), b(X) with u0 = s:
a(X) = u0 + u1 X + · · · + ut X^t, u1, . . . , ut ∈R Zn
b(X) = v0 + v1 X + · · · + vt X^t, v0, . . . , vt ∈R Zn
Dealer sends shares si = (a(i), b(i)) to Pi in private, and broadcasts commitments Cj = g^uj h^vj, 0 ≤ j ≤ t. Upon receipt of si = (si1, si2), Pi checks:
g^si1 h^si2 = ∏_{j=0}^{t} Cj^(i^j). (6.3)
Reconstruction. Share si contributed by Pi checked using Eq. (6.3). Secret s = a(0) recovered as in Shamir's scheme from t + 1 valid shares.
Security of Pedersen VSS
1. Dealer and participants bound to unique polynomial by Eq. (6.3). Under DL assumption!
Cf. Pedersen commitments are computationally binding.
2. Secret s hidden information-theoretically, even given commitments C0, C1, . . . , Ct.
Cf. Pedersen commitments are information-theoretically hiding.
Exercise 6.2.3
See Exercise 6.2.2. This time extend the basic m-out-of-m scheme, where shares si1 ∈R Zn for i = 2, . . . , m and s11 = (s − ∑_{i=2}^{m} si1) mod n, to a Pedersen VSS scheme, and provide a security analysis of the resulting VSS scheme.
6.3.1 Threshold ElGamal Cryptosystem
Definition 6.3 ((t, m)-threshold cryptosystem)
Three components involving parties P1, . . . , Pm.
Distributed key generation. Protocol between P1, . . . , Pm for generating public key h such that Pi obtains private share xi (of private key x corresponding to h) and public verification key hi, 1 ≤ i ≤ m. The protocol depends on t.
Encryption. Algorithm that on input of plaintext M, public key h, outputs ciphertext C of M under public key h.
Threshold decryption. Protocol between t + 1 parties Pi0, . . . , Pit that on input of ciphertext C, private shares xi0, . . . , xit, verification keys hi0, . . . , hit, outputs plaintext M.
Exercise 6.3.1
See Section 2.1.4. Assuming honest behavior of parties P1, . . . , Pm, design an m-out-of-m threshold ElGamal cryptosystem with public key h = ∏_{i=1}^{m} hi, where xi ∈ Zn is the private share of Pi and hi = g^xi is the corresponding verification key, 1 ≤ i ≤ m. Discuss its security against passive attacks.
Distributed key generation protocol
1 Each Pi picks random polynomial ai(X) ∈ Zn[X] of degree ≤ t, and broadcasts commitment to g^si, where si = ai(0).
2 Each Pi opens its commitment to g^si. Public key h is set as h = g^(∑_{i=1}^{m} si).
3 Each Pi, 1 ≤ i ≤ m, runs instance of Feldman's VSS scheme, using si ∈ Zn as secret value. Pi plays the role of dealer, and P1, . . . , Pm play the role of participants. (Hence, Pi plays a double role.)
4 Let sij denote the share of si as sent by party Pi to party Pj, for 1 ≤ i, j ≤ m. Each party Pi sums all its received shares sji to obtain its share xi = ∑_{j=1}^{m} sji of the private key x. The verification key of party Pi is defined as hi = g^xi.
Note that sji = aj(i). Since a(X) = ∑_{i=1}^{m} ai(X), it follows that xi = a(i).
Nobody knows x!
Threshold decryption protocol
Let C = (A, B) be an ElGamal ciphertext for public key h.
1 Each Pi takes A as input and uses its share xi to produce di = A^xi along with a Σ-proof for xi = log_g hi = log_A di (using EQ-composition, cf. Figure 5.7).
2 Let Q be a set of t + 1 parties who produced valid di values. Then plaintext M can be recovered by evaluating:
B / ∏_{i∈Q} di^(λ_{Q,i}) = B / A^x = M,
where λ_{Q,i} = ∏_{j∈Q\{i}} j/(j − i) denote Lagrange coefficients as in Shamir's scheme.
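The distributed key generation and threshold decryption protocols of this section, as an added Python example that is not part of the lecture notes. Parties are assumed honest during key generation, so step 1's commitments and the Feldman checks of step 3 are omitted (an assumption of this example); the decryption step does include each party's Σ-proof of log_g hi = log_A di, made noninteractive with a SHA-256 stand-in for H, so that invalid contributions are rejected. The group is a constructed toy setting (P = 2^127 − 1, Q = 77158673929), far too small for real use.

```python
import hashlib
import secrets

# Toy discrete-log setting, constructed for this example (far too small for real use).
P = 2**127 - 1
Q = 77158673929
G = pow(3, (P - 1) // Q, P)

def rand_zn():
    return secrets.randbelow(Q)

def poly_eval(coeffs, x):
    return sum(u * pow(x, j, Q) for j, u in enumerate(coeffs)) % Q

def lagrange_coeff(i, qualified):
    """lambda_{Q,i} = prod_{j in Q, j != i} j / (j - i)  (mod Q)."""
    lam = 1
    for j in qualified:
        if j != i:
            lam = lam * j * pow(j - i, -1, Q) % Q
    return lam

def distributed_keygen(t, m):
    """DKG with honest parties (commitments and Feldman checks omitted): each P_i
    picks a_i(X) of degree <= t and shares s_i = a_i(0); P_i's key share is
    x_i = sum_j a_j(i) = a(i), and h = g^{sum_i s_i} = g^x with x = a(0)."""
    polys = [[rand_zn() for _ in range(t + 1)] for _ in range(m)]
    h = 1
    for a in polys:
        h = h * pow(G, a[0], P) % P
    x_shares = {i: sum(poly_eval(a, i) for a in polys) % Q for i in range(1, m + 1)}
    ver_keys = {i: pow(G, x, P) for i, x in x_shares.items()}     # h_i = g^{x_i}
    return h, x_shares, ver_keys

def encrypt(h, M):
    """ElGamal for a plaintext M in <g>."""
    u = rand_zn()
    return pow(G, u, P), pow(h, u, P) * M % P

def hash_to_zn(*parts):
    """Random-oracle stand-in for the Fiat-Shamir challenge (toy)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def decrypt_share(A, x_i, h_i):
    """P_i outputs d_i = A^{x_i} plus a noninteractive EQ-proof (cf. Figure 5.7)
    that log_g h_i = log_A d_i; others can check d_i without learning x_i."""
    d_i = pow(A, x_i, P)
    w = rand_zn()
    a1, a2 = pow(G, w, P), pow(A, w, P)
    c = hash_to_zn(A, d_i, h_i, a1, a2)
    return d_i, (c, (w + c * x_i) % Q)

def verify_share(A, d_i, h_i, proof):
    c, r = proof
    a1 = pow(G, r, P) * pow(h_i, -c, P) % P
    a2 = pow(A, r, P) * pow(d_i, -c, P) % P
    return c == hash_to_zn(A, d_i, h_i, a1, a2)

def threshold_decrypt(ciphertext, contributions, ver_keys, t):
    """contributions = {i: (d_i, proof)}.  With t+1 valid d_i values,
    M = B / prod_i d_i^{lambda_{Q,i}} = B / A^x.  None if too few are valid."""
    A, B = ciphertext
    valid = [i for i, (d, pr) in contributions.items() if verify_share(A, d, ver_keys[i], pr)]
    if len(valid) < t + 1:
        return None
    qualified = valid[: t + 1]
    denom = 1
    for i in qualified:
        denom = denom * pow(contributions[i][0], lagrange_coeff(i, qualified), P) % P
    return B * pow(denom, -1, P) % P

if __name__ == "__main__":
    h, xs, hs = distributed_keygen(1, 3)                 # (1,3)-threshold: any 2 of 3 decrypt
    M = pow(G, 777, P)
    ct = encrypt(h, M)
    contrib = {i: decrypt_share(ct[0], xs[i], hs[i]) for i in (1, 3)}
    print(threshold_decrypt(ct, contrib, hs, 1) == M)    # True
```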
7 Secure Multiparty Computation
7.1 Electronic Voting / 7.2 Based on Threshold Homomorphic Cryptosystems / 7.3 Based on Oblivious Transfer
YES/NO referendum is secure multiparty computation for function
f(x1, . . . , xm) = x1 + · · · + xm, for votes x1, . . . , xm ∈ {0, 1}.
Inputs x1, . . . , xm are private. Output x1 + · · · + xm is public.
Security requirements:
Eligibility: only eligible voters can cast vote, at most one vote.
Privacy: assured against any reasonably sized coalition of parties (not including the voter herself).
Universal Verifiability: anyone can check that the election is fair, i.e., published final tally is computed fairly from ballots that were correctly cast.
Robustness: faulty behavior (benign or malicious) of any reasonably sized coalition of participants can be tolerated (e.g., cheating voter can be detected and discarded).
Threshold Homomorphic ElGamal Cryptosystem
Threshold ElGamal cryptosystem with Zn as plaintext space instead of ⟨g⟩.
Homomorphic ElGamal encryption
For plaintext M ∈ Zn and public key h, ciphertext is defined as
(A, B) = (g^u, h^u g^M), u ∈R Zn.
In other words: M ∈ Zn is encoded as g^M ∈ ⟨g⟩.
(Additive) homomorphic property
Product of encryptions (A, B), (A′, B′) of plaintexts M, M′, respectively, is encryption of sum of plaintexts M + M′:
(A, B) ∗ (A′, B′) = (A A′, B B′) = (g^(u+u′), h^(u+u′) g^(M+M′)).
Electronic voting scheme
Key generation. Talliers T1, . . . , Tm run DKG protocol of (t, m)-threshold ElGamal cryptosystem. Let h denote resulting public key.
Voting. Voter Vi casts vote vi ∈ {0, 1} ≃ {"no", "yes"} by broadcasting a ballot consisting of ElGamal encryption (Ai, Bi) = (g^ui, h^ui g^vi), ui ∈R Zn, and noninteractive Σ-proof that (Ai, Bi) is correctly formed.
Tallying. Talliers decrypt (A, B) = ∏_{i=1}^{m′} (Ai, Bi) to obtain g^(∑_{i=1}^{m′} vi), from which ∑_{i=1}^{m′} vi is easily determined using 0 ≤ ∑_{i=1}^{m′} vi ≤ m′.
If all (Ai, Bi) are correctly formed, homomorphic property yields
(A, B) = (g^u, h^u g^(∑_{i=1}^{m′} vi)) for some u ∈ Zn, ensuring validity of final tally.
Exercise 7.1.1
Construct a Σ-protocol (and prove its correctness) for proving that (Ai, Bi) is correctly formed, and turn it into a Σ-proof (see Section 5.4.2 for a similar case).
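The tallying step of the voting scheme, as an added Python example that is not part of the lecture notes: ballots are homomorphic ElGamal encryptions of 0 or 1, the tally is the product of all ballots, and the decrypted value g^(∑ vi) is decoded by trying the m′ + 1 possible sums. Two simplifications are assumptions of this example: the talliers' threshold decryption is replaced by a single decryption key x, and the ballot validity proofs of Exercise 7.1.1 are left out. The group is a constructed toy setting (P = 2^127 − 1, Q = 77158673929), far too small for real use.

```python
import secrets

# Toy discrete-log setting, constructed for this example (far too small for real use).
P = 2**127 - 1
Q = 77158673929
G = pow(3, (P - 1) // Q, P)

def rand_zn():
    return secrets.randbelow(Q)

def encrypt_vote(h, v):
    """Homomorphic ElGamal ballot (A, B) = (g^u, h^u g^v) for a vote v in {0, 1}."""
    u = rand_zn()
    return pow(G, u, P), pow(h, u, P) * pow(G, v, P) % P

def combine(ballots):
    """Componentwise product of all ballots: an encryption of the sum of the votes."""
    A, B = 1, 1
    for a, b in ballots:
        A, B = A * a % P, B * b % P
    return A, B

def decrypt_exponent(x, ciphertext, max_value):
    """Decrypt (A, B) to g^M = B / A^x and recover M by trying 0..max_value.
    For a tally max_value is the number of ballots, so the search is cheap.
    Returns None if the plaintext exponent is outside that range."""
    A, B = ciphertext
    gM = B * pow(pow(A, x, P), -1, P) % P
    acc = 1
    for M in range(max_value + 1):
        if acc == gM:
            return M
        acc = acc * G % P
    return None

def tally(x, h, votes):
    """Encrypt every vote, multiply the ballots, decrypt once to get the sum.
    The single key x stands in for the talliers' threshold decryption (assumption)."""
    ballots = [encrypt_vote(h, v) for v in votes]
    return decrypt_exponent(x, combine(ballots), len(votes))

if __name__ == "__main__":
    x = rand_zn()
    h = pow(G, x, P)
    print(tally(x, h, [1, 0, 1, 1, 0]))     # 3
```

Nothing in `combine` needs the key or the individual votes; anyone can recompute the product of the published ballots, which is the universal-verifiability property the slide asks for.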
Exercise 7.1.2 (boardroom election scheme)
Voter Vi has a public key hi = g^xi, where xi ∈R Zn is Vi's private key. Let Hi = hm ∏_{j=1}^{i−1} hj, for 1 ≤ i ≤ m.
First, voter Vm publishes the following encryption of its vote vm ∈ {0, 1}:
(Am, Bm) = (g^um, Hm^um g^vm), um ∈R Zn.
Next, for i = m − 1, . . . , 1 (in this order), voter Vi publishes the following encryption of its vote vi ∈ {0, 1}:
(Ai, Bi) = (Ai+1 g^ui, Bi+1 Ai+1^(−xi) Hi^ui g^vi), ui ∈R Zn.
Finally, voter Vm publishes log_g B1 A1^(−xm).
Let ti = ∑_{j=i}^{m} vj, for 1 ≤ i ≤ m. (i) Prove by induction on i that (Ai, Bi) is ElGamal encryption of g^ti under public key Hi. Hence, Vm publishes ∑_{j=1}^{m} vj at the end of the protocol. (ii) Show how Vm, V1, . . . , Vi−1 for any i, 2 ≤ i ≤ m, are jointly able to decrypt (Ai, Bi), hence able to determine intermediate election result ti. (iii) Describe the relations to be proved in each protocol step to show that the voter's output is formed correctly.
193/210
Matching without Embarrassments
[Figure: card layouts] Alice's rule: card arrangement for “yes” and for “no”; a separator card; Bob's rule: card arrangement for “yes” and for “no”.
Suppose Alice thinks “yes” and suppose Bob thinks “yes”.
Alice and Bob make a random cut, and open the cards ...
194/210
Five-Card Trick (Bert den Boer, Eurocrypt 1989)
MATCH: yes, yes
NO MATCH: yes, no / no, yes / no, no
“NO MATCH” cases are indistinguishable!
If you put “no” you don't find out the other's preference.
195/210
Tom Verhoeff turned the 5-card trick into a wonderful 3D printable smiley design:
Check out TNO’s cool MPC animation demoing the 3D smiley!
Figure 7.1 (Matching without embarrassments)
x y | xy
0 0 | 0
1 0 | 0
0 1 | 0
1 1 | 1
≅
Alice Bob | match?
no  no   | -
yes no   | -
no  yes  | -
yes yes  | ♥
196/210
A and B set up (1, 2)-threshold homomorphic ElGamal with public key h.
Secure multiplication: private inputs x , y , public output xy
Party A ($x \in \{0,1\}$) / Party B ($y \in \{0,1\}$)
A: $u \in_R \mathbb{Z}_n$, $A \leftarrow g^u$, $B \leftarrow h^u g^x$; sends $(A,B)$ to B.
B: $v \in_R \mathbb{Z}_n$, $C \leftarrow g^v A^y$, $D \leftarrow h^v B^y$; sends $(C,D)$ to A.
A and B jointly decrypt $(C,D)$.
A outputs $xy$; B outputs $xy$.
Note: $(C,D) = (g^{v+uy}, h^{v+uy} g^{xy})$.
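The protocol above as an added, runnable example (not code from the lecture notes), over a constructed toy group of prime order q = 509 in Z_1019^*: the (1,2)-threshold key is modelled as additive shares x_a + x_b of log_g h, so "jointly decrypt" means both parties contribute a decryption share C^{x_i}.

```python
import random

# Constructed toy group (not from the notes): p = 2q+1, g = 4 of prime order q.
P, Q, G = 1019, 509, 4

def setup():
    """(1,2)-threshold ElGamal: A and B hold additive shares xa, xb of log_g h."""
    xa, xb = random.randrange(Q), random.randrange(Q)
    return xa, xb, pow(G, (xa + xb) % Q, P)

def party_a_encrypt(h, x):
    """A: (A,B) = (g^u, h^u g^x) with fresh u."""
    u = random.randrange(Q)
    return (pow(G, u, P), pow(h, u, P) * pow(G, x, P) % P)

def party_b_multiply(h, ct, y):
    """B: raise (A,B) to y and re-randomise: (C,D) = (g^v A^y, h^v B^y).

    The factor g^v / h^v matters: without it C = A^y would reveal y to A."""
    a, b = ct
    v = random.randrange(Q)
    return (pow(G, v, P) * pow(a, y, P) % P, pow(h, v, P) * pow(b, y, P) % P)

def decryption_share(x_share, ct):
    """Each key-share holder publishes C^{x_i}; the product is C^{xa+xb} = h^{v+uy}."""
    return pow(ct[0], x_share, P)

def combine(ct, shares):
    """D / prod C^{x_i} = g^{xy}; map g^0 = 1 and g^1 = G back to the bit."""
    d = ct[1]
    for s in shares:
        d = d * pow(s, -1, P) % P
    return {1: 0, G: 1}[d]

def secure_and(x, y):
    """Whole protocol run; both parties learn only the public output xy."""
    xa, xb, h = setup()
    ct = party_a_encrypt(h, x)
    cd = party_b_multiply(h, ct, y)
    return combine(cd, [decryption_share(xa, cd), decryption_share(xb, cd)])
```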
197/210
Let $X = (-1)^x$ and $Y = (-1)^y$. Encryptions $E(X), E(Y)$ are common input to parties A and B.
Secure multiplication: input $E(X), E(Y)$, output $E(XY)$
Party A / Party B
A: $u \in_R \{1,-1\}$; sends $E(Xu), E(Yu)$ to B.
B: $v \in_R \{1,-1\}$; sends $E(Xuv), E(Yuv)$ to A.
A and B jointly decrypt $E(Xuv)$.
A outputs $E(Yuv)^{Xuv}$; B outputs $E(Yuv)^{Xuv}$.
Note: $E(Yuv)^{Xuv} = E(Yuv \cdot Xuv) = E(XY u^2 v^2) = E(XY)$.
$Xuv$ as decrypted during the protocol is statistically independent of $X$:
from A's point of view: A does not know $v \in_R \{1,-1\}$;
from B's point of view: B does not know $u \in_R \{1,-1\}$.
198/210
“Raw” OT
Figure 7.2 (Rabin OT protocol)
Sender ($b \in \{0,1\}$) ⟷ Receiver
Receiver outputs $b$ or $\bot$.
Both cases have probability 50%.
Receiver knows whether it gets $b$ or $\bot$.
Sender does not know whether bit $b$ was transferred successfully or not.
Strange functionality of OT sufficiently powerful to construct secure computationfor any computable function: OT is complete for secure computation.
199/210
1-out-of-2 OT
Sender holds two data bits $x_0, x_1$, receiver holds one selection bit $s$.
Functionality: $OT(x_0, x_1; s) = x_s$.
Figure 7.3 ($\binom{2}{1}$-OT protocol)
Sender ($x_0, x_1 \in \{0,1\}$) / Receiver ($s \in \{0,1\}$)
Receiver: $u \in_R \mathbb{Z}_n$, $h_s \leftarrow g^u$, $h_{1-s} \leftarrow h/g^u$; sends $h_0, h_1$ to Sender.
Sender: $u_0, u_1 \in_R \mathbb{Z}_n$, $(A_0, B_0) \leftarrow (g^{u_0}, h_0^{u_0} g^{x_0})$, $(A_1, B_1) \leftarrow (g^{u_1}, h_1^{u_1} g^{x_1})$; sends $(A_0,B_0), (A_1,B_1)$ to Receiver.
Receiver: $x_s \leftarrow \log_g (B_s / A_s^u)$.
200/210
Property: $OT(0, x; y) = xy$
Secure multiplication: private inputs $x, y$, public output $xy$
Party A ($x \in \{0,1\}$) / Party B ($y \in \{0,1\}$)
B: $u \in_R \mathbb{Z}_n$, $h_y \leftarrow g^u$, $h_{1-y} \leftarrow h/g^u$; sends $h_0, h_1$ to A.
A: $u_0, u_1 \in_R \mathbb{Z}_n$, $(A_0, B_0) \leftarrow (g^{u_0}, h_0^{u_0})$, $(A_1, B_1) \leftarrow (g^{u_1}, h_1^{u_1} g^{x})$; sends $(A_0,B_0), (A_1,B_1)$ to B.
B: $xy \leftarrow \log_g (B_y / A_y^u)$; sends $xy$ to A.
A outputs $xy$; B outputs $xy$.
Note: $x_y = \log_g (B_y / A_y^u) = xy$, since the sender's data bits are $x_0 = 0$ and $x_1 = x$.
201/210
A and B hold (1,2)-threshold secret shares of bits $x, y$, cf. Exercise 6.1.1.
Secure multiplication: input $x = x_a \oplus x_b$, $y = y_a \oplus y_b$, output $xy = z_a \oplus z_b$
Party A ($x_a, y_a \in \{0,1\}$) / Party B ($x_b, y_b \in \{0,1\}$)
A: $u_a \in_R \{0,1\}$. B: $u_b \in_R \{0,1\}$.
A → B: $OT(u_a, x_a \oplus u_a; y_b)$, with A as sender and B as receiver.
B → A: $OT(u_b, x_b \oplus u_b; y_a)$, with B as sender and A as receiver.
A: $v_a \leftarrow OT(u_b, x_b \oplus u_b; y_a)$, $z_a \leftarrow x_a y_a \oplus u_a \oplus v_a$.
B: $v_b \leftarrow OT(u_a, x_a \oplus u_a; y_b)$, $z_b \leftarrow x_b y_b \oplus u_b \oplus v_b$.
Property: $OT(x_0, x_1; s) = x_s = x_0 (1 - s) \oplus x_1 s$.
Therefore: $v_a = u_b \oplus x_b y_a$ and $v_b = u_a \oplus x_a y_b$.
So $z = z_a \oplus z_b = xy$ follows from:
$z_a = x_a y_a \oplus u_a \oplus u_b \oplus x_b y_a$
$z_b = x_b y_b \oplus u_b \oplus u_a \oplus x_a y_b$
Shares $z_a, z_b$ are uniform and independent of the other values due to $u_b, u_a$, resp.
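An added, runnable example (not code from the lecture notes) that serves the $\binom{2}{1}$-OT protocol of Figure 7.3, the property $OT(0, x; y) = xy$, and the share-based multiplication just described: the OT runs over a constructed toy group of prime order q = 509 in Z_1019^* with a fixed element H whose discrete log is assumed unknown to the receiver, and the multiplication calls it twice as the figure does.

```python
import random

# Constructed toy group (not from the notes): p = 2q+1, g = 4 of prime order q.
P, Q, G = 1019, 509, 4
H = 9   # fixed element of <g>; assumption: receiver does not know log_g H

def ot_receiver_keys(s):
    """Receiver (selection bit s): h_s = g^u, h_{1-s} = H / g^u (Figure 7.3)."""
    u = random.randrange(1, Q)
    hs = pow(G, u, P)
    other = H * pow(hs, -1, P) % P         # secret key of h_{1-s} would be log_g H - u
    return u, ((hs, other) if s == 0 else (other, hs))

def ot_sender(x0, x1, h0, h1):
    """Sender: encrypt g^{x_i} under h_i; only h_s has a key known to the receiver."""
    out = []
    for xi, hi in ((x0, h0), (x1, h1)):
        ui = random.randrange(Q)
        out.append((pow(G, ui, P), pow(hi, ui, P) * pow(G, xi, P) % P))
    return out

def ot_receiver_open(u, s, cts):
    """Receiver: x_s = log_g(B_s / A_s^u); plaintext is known to be a bit."""
    a, b = cts[s]
    gm = b * pow(a, -u, P) % P
    return {1: 0, G: 1}[gm]                 # g^0 = 1, g^1 = G

def OT(x0, x1, s):
    """Whole OT(x0, x1; s) exchange in one call; returns x_s."""
    u, (h0, h1) = ot_receiver_keys(s)
    return ot_receiver_open(u, s, ot_sender(x0, x1, h0, h1))

def shared_and(xa, ya, xb, yb):
    """Secure multiplication of XOR-shared bits x = xa^xb, y = ya^yb."""
    ua, ub = random.randrange(2), random.randrange(2)
    vb = OT(ua, xa ^ ua, yb)   # A sender, B receiver: vb = ua ^ (xa & yb)
    va = OT(ub, xb ^ ub, ya)   # B sender, A receiver: va = ub ^ (xb & ya)
    za = (xa & ya) ^ ua ^ va
    zb = (xb & yb) ^ ub ^ vb
    return za, zb              # za ^ zb == x & y
```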
202/210
8 Blind Signatures
8.1 Definitions
8.2 Chaum Blind Signature Scheme
8.3 Blind Signatures from Σ-Protocols
Definition 8.1 (Blind signature scheme)
Key generation. Algorithm that on input of security parameter $k$, generates key pair $(sk, pk)$ consisting of private key $sk$ and public key $pk$.
Signature generation. Two-party protocol between signer S and receiver R with public key $pk$ as common input. Private input of S is private key $sk$, and private input of R is message $M$. At the end of the protocol, R obtains signature $S$ on $M$ as private output.
Signature verification. Algorithm that on input of message $M$, public key $pk$, and signature $S$, determines whether $S$ is a valid signature on $M$ w.r.t. public key $pk$.
unforgeability
unlinkability
203/210
Chaum's Blind Signatures
RSA setting: RSA modulus $N$, public exponent $e$.
Figure 8.1 (Chaum's blind signature protocol)
Signer ($d = 1/e \bmod \varphi(N)$) / Receiver
Receiver: $u \in_R \mathbb{Z}_N^*$, $y \leftarrow_N H(M) u^e$; sends $y$ to Signer.
Signer: $x \leftarrow_N y^d$; sends $x$ to Receiver.
Receiver: $S \leftarrow_N x/u$; checks $S^e \overset{?}{=}_N H(M)$.
Receiver obtains RSA signature $S$ on message $M$:
$S^e = (x/u)^e = (y^{1/e}/u)^e = y/u^e = H(M) \bmod N$
Perfect unlinkability: $(x, y)$ is uniformly random, independent of $(M, S)$.
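Figure 8.1 as an added, runnable example (not code from the lecture notes) with a constructed toy RSA key N = 61·53, e = 17 and H taken as SHA-256 reduced mod N: the three protocol messages are separate functions so the signer only ever sees the blinded value y.

```python
import hashlib
import math
import random

# Constructed toy RSA key (not from the notes): N = 61*53, e = 17, d = 1/e mod phi(N).
N, E = 3233, 17
D = pow(E, -1, (61 - 1) * (53 - 1))

def H(msg):
    """Hash the message into Z_N (full-domain style: SHA-256 reduced mod N)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def blind(msg):
    """Receiver: u in Z_N^*, y = H(M) u^e mod N; u is kept private."""
    while True:
        u = random.randrange(1, N)
        if math.gcd(u, N) == 1:
            break
    return u, H(msg) * pow(u, E, N) % N

def sign_blinded(y):
    """Signer: x = y^d mod N, learning nothing about M (y is uniform in Z_N^*)."""
    return pow(y, D, N)

def unblind(x, u):
    """Receiver: S = x / u mod N."""
    return x * pow(u, -1, N) % N

def verify(msg, sig):
    """Ordinary RSA verification: S^e = H(M) mod N."""
    return pow(sig, E, N) == H(msg)

def chaum_blind_signature(msg):
    """Whole protocol run from the receiver's side."""
    u, y = blind(msg)
    return unblind(sign_blinded(y), u)
```

The resulting S equals the plain RSA signature H(M)^d mod N, which is what makes the signer's view (x, y) useless for linking S to the session.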
204/210
Figure 8.2 (Schnorr-based blind signature protocol)
Signer ($x = \log_g h$) / Receiver
Signer: $u \in_R \mathbb{Z}_n$, $a \leftarrow g^u$; sends $a$ to Receiver.
Receiver: $s, t \in_R \mathbb{Z}_n$, $a' \leftarrow a g^s h^{-t}$, $c' \leftarrow H(a'; M)$, $c \leftarrow_n c' - t$; sends $c$ to Signer.
Signer: $r \leftarrow_n u + cx$; sends $r$ to Receiver.
Receiver: $r' \leftarrow_n r + s$; checks $g^{r'} \overset{?}{=} a' h^{c'}$.
Receiver obtains Schnorr signature $S = (c', r')$ on message $M$:
$c' = H(a'; M) = H(a g^s h^{-t}; M) = H(g^{r+s} h^{-c-t}; M) = H(g^{r'} h^{-c'}; M)$.
Perfect unlinkability: $(c, r)$ is uniformly random, independent of $(c', r')$.
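Figure 8.2 as an added, runnable example (not code from the lecture notes), over a constructed toy group of prime order q = 509 in Z_1019^* with H(a; M) taken as SHA-256 of the encoded pair reduced mod q; the receiver's check $g^{r'} = a' h^{c'}$ is enforced before the signature is released.

```python
import hashlib
import random

# Constructed toy group (not from the notes): p = 2q+1 with q prime, g = 4 of order q.
P, Q, G = 1019, 509, 4

def H(a, msg):
    """Hash of (a; M) into Z_q: SHA-256 of the encoded pair, reduced mod q."""
    return int.from_bytes(hashlib.sha256(a.to_bytes(2, "big") + msg).digest(), "big") % Q

def signer_commit(x):
    """Signer: u in Z_q, a = g^u; keeps u, sends a."""
    u = random.randrange(Q)
    return u, pow(G, u, P)

def receiver_blind(h, a, msg):
    """Receiver: a' = a g^s h^{-t}, c' = H(a'; M), c = c' - t; keeps (s, t, a', c')."""
    s, t = random.randrange(Q), random.randrange(Q)
    a1 = a * pow(G, s, P) * pow(h, -t, P) % P
    c1 = H(a1, msg)
    return (s, t, a1, c1), (c1 - t) % Q

def signer_respond(x, u, c):
    """Signer: r = u + c x mod q (an ordinary Schnorr response on challenge c)."""
    return (u + c * x) % Q

def receiver_unblind(h, state, r):
    """Receiver: r' = r + s and check g^{r'} = a' h^{c'} before accepting."""
    s, t, a1, c1 = state
    r1 = (r + s) % Q
    if pow(G, r1, P) != a1 * pow(h, c1, P) % P:
        raise ValueError("signer response does not verify")
    return c1, r1

def verify(h, msg, sig):
    """Schnorr verification: recompute a' = g^{r'} h^{-c'} and check H(a'; M) = c'."""
    c1, r1 = sig
    a1 = pow(G, r1, P) * pow(h, -c1, P) % P
    return H(a1, msg) == c1

def blind_sign(x, h, msg):
    """Whole protocol run: the signer only ever sees (a, c, r)."""
    u, a = signer_commit(x)
    state, c = receiver_blind(h, a, msg)
    return receiver_unblind(h, state, signer_respond(x, u, c))
```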
205/210
Exercises
Exercise 8.2.1
Consider Chaum's blind signature protocol (Figure 8.1) for a fixed message $M$. Show that the pair $(x, y)$ is distributed uniformly at random by proving that
$\Pr[(x, y) = (x_0, y_0)] = 1/\varphi(N)$
for any $x_0, y_0 \in \mathbb{Z}_N^*$ satisfying $y_0 = x_0^e \bmod N$.
Exercise 8.3.1
Consider the Schnorr-based blind signature protocol (Figure 8.2) for a fixed message $M$. Show that the triples $(a, c, r)$, $(a', c', r')$ are distributed uniformly at random and independent of each other by proving that
$\Pr[(a; c; r) = (a_0; c_0; r_0) \wedge (a'; c'; r') = (a'_0; c'_0; r'_0)] = 1/n^3$
for any $(a_0; c_0; r_0), (a'_0; c'_0; r'_0)$ s.t. $g^{r_0} = a_0 h^{c_0}$, $c'_0 = H(a'_0; M)$, and $g^{r'_0} = a'_0 h^{c'_0}$.
206/210
Appendices
A Fundamental Lemma of Cryptology
B Rating of Exercises
C Spell Check
Proposition (“Fundamental Lemma of Cryptology”)
Let $G$ be a group of order $n$. Let $a \in G$ be any random variable and $b \in_R G$. Then we have:
$\Pr[ab = v] = \Pr[ba = v] = \frac{1}{n}$, for all values $v \in G$.
Proof.
$\Pr[ab = v]$
$= \sum_{w \in G} \Pr[ab = v, b = w]$ “split on value of $b$”
$= \sum_{w \in G} \Pr[aw = v, b = w]$ “substitute $b = w$”
$= \sum_{w \in G} \Pr[aw = v] \Pr[b = w]$ “$a$ and $b$ independent”
$= \sum_{w \in G} \Pr[aw = v]/n$ “$b$ uniform on $G$”
$= \sum_{w \in G} \Pr[a = v w^{-1}]/n$ “multiply with $w^{-1}$ from the right”
$= \sum_{w' \in G} \Pr[a = w']/n$ “one-to-one map $w' = v w^{-1}$”
$= 1/n$. “random variable $a \in G$”
Same proof for Pr[ba = v ], but using multiplication with w−1 from the left.
207/210
Proposition (“Corollary of Fundamental Lemma of Cryptology”)
Let $G$ be a group of order $n$. Let $a \in G$ be any random variable and $b \in_R G$. Then $a$ and $ab$ are statistically independent, and so are $a$ and $ba$.
Proof.
For any values $u, v \in G$:
$\Pr[a = u, ab = v]$
$= \Pr[a = u, ub = v]$ “substitute $a = u$”
$= \Pr[a = u, b = u^{-1} v]$ “multiply with $u^{-1}$ from the left”
$= \Pr[a = u] \Pr[b = u^{-1} v]$ “$a$ and $b$ independent”
$= \Pr[a = u]/n$ “$b$ uniform on $G$”
$= \Pr[a = u] \Pr[ab = v]$. “Fundamental Lemma of Cryptology”
Same proof for a and ba, but using multiplication with u−1 from the right.
208/210
Fundamental Lemma of Cryptology
Lemma even holds for quasigroups, using right division / and left division \, resp.
Latin square property for Cayley (multiplication) table of quasigroups.
No associativity, commutativity, identity element required for quasigroups.
$G$ | Examples of uniform $ab$ or $ba$ with $a \in G$ and $b \in_R G$
$\{0,1\}^k$ | Shannon's perfect secrecy of one-time pad: $C = M \oplus K$
| perfect secret sharing of bit $s$: share $s_1 = s \oplus u$
$\langle g \rangle$ | additive RSR of DL problem: $h' = h g^u$
| perfect hiding Pedersen commitment: $C = g^u h^x$
| special HVZK of Schnorr protocol: $a = g^r h^{-c}$
$\langle g \rangle^*$ | multiplicative RSR of DL$^*$ problem: $h' = h^u = h * g^u$ (DH-product $*$, see Exercise 1.2.4)
$\mathbb{Z}_N^*$ | special HVZK of GQ protocol: $a = r^e y^{-c} \bmod N$
| RSR of RSA problem: $y' = y u^e \bmod N$
| perfect unlinkability of Chaum's blind signatures: $y = H(M) u^e \bmod N$
Also recognizable in random reencryption of ElGamal ciphertexts, and so on!
209/210
Rating of Exercises
Chapter 1: 1.2.1∗, 1.2.2∗∗, 1.2.3, 1.2.4(a),(b)∗, 1.2.5(a),(b)(i)–(iii)(iv)∗, 1.2.6∗, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11∗, 1.2.12∗, 1.2.13, 1.3.1, 1.3.2∗, 1.3.3, 1.3.4, 1.3.5(a)∗,(b)∗∗, 1.3.6, 1.3.7, 1.3.8∗, 1.3.9∗, 1.3.10, 1.3.11∗, 1.3.12∗
Chapter 2: 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.1
Chapter 3: 3.2.1, 3.2.2, 3.2.3, 3.3.1∗
Chapter 4: 4.4.1
Chapter 5: 5.1.1∗, 5.1.2∗∗, 5.2.1, 5.2.2, 5.2.3, 5.3.1, 5.3.2(a)–(i),(j)∗,(k), 5.3.3, 5.3.4, 5.3.5∗, 5.3.6∗, 5.3.7(i),(ii)∗∗, 5.4.1, 5.4.2, 5.4.3, 5.4.4
Chapter 6: 6.2.1∗, 6.2.2, 6.2.3, 6.3.1
Chapter 7: 7.1.1, 7.1.2
Chapter 8: 8.2.1, 8.3.1
No star: regular exercises
One star *: bit beyond exam level, sometimes bit beyond course scope, maybe involving somewhat more advanced mathematics
Two stars **: more advanced mathematics, possibly towards research level problems—but still very relevant to the course
210/210
Spell Check
Preferred spelling | Avoid
authentication | authentification
ciphertext | cipher text
cryptanalysis | cryptoanalysis, crypto analysis
cryptosystem | crypto system
identification | indentification
plaintext | plain text