├── src ├── PRF.jpg ├── prg.jpg ├── tree.jpg ├── feistel1.png ├── feistel2.png ├── header.tex ├── lec18 - Proofs of Knowledge.tex ├── lec15 - Zero Knowledge and Interactive Proofs.tex ├── lec12 - Chosen-Ciphertext Attacks and Digital Signatures.tex ├── lec08 - Pseudorandom Functions.tex ├── lec13 - Many-Time Digital Signatures.tex ├── lec14 - Random Oracles and Signatures.tex ├── lec04 - Number Theory and OWFs.tex ├── lec06 - PRG Expansion and Blum-Micali.tex ├── lec09 - Pseudorandom Permutations and Symmetric Encryption.tex ├── lec20 - Secure Two-Party Computation.tex ├── lec16 - Zero-Knowledge Proofs.tex └── lec05 - Indistinguishability and Pseudorandomness.tex ├── lec18 - Proofs of Knowledge.pdf ├── lec02 - Computational Hardness.pdf ├── lec04 - Number Theory and OWFs.pdf ├── lec08 - Pseudorandom Functions.pdf ├── lec10 - Asymmetric Encryption.pdf ├── lec11 - Message Authentication.pdf ├── lec16 - Zero-Knowledge Proofs.pdf ├── lec17 - Zero Knowledge for NP.pdf ├── lec21 - Identity-Based Encryption.pdf ├── lec01 - Overview and Perfect Secrecy.pdf ├── lec06 - PRG Expansion and Blum-Micali.pdf ├── lec13 - Many-Time Digital Signatures.pdf ├── lec14 - Random Oracles and Signatures.pdf ├── lec20 - Secure Two-Party Computation.pdf ├── lec15 - Zero Knowledge and Interactive Proofs.pdf ├── .gitignore ├── lec05 - Indistinguishability and Pseudorandomness.pdf ├── lec03 - One-Way Functions and Hardness Amplification.pdf ├── lec12 - Chosen-Ciphertext Attacks and Digital Signatures.pdf ├── lec09 - Pseudorandom Permutations and Symmetric Encryption.pdf ├── README └── .github └── workflows └── build-latex.yml /src/PRF.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/src/PRF.jpg -------------------------------------------------------------------------------- /src/prg.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/src/prg.jpg -------------------------------------------------------------------------------- /src/tree.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/src/tree.jpg -------------------------------------------------------------------------------- /src/feistel1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/src/feistel1.png -------------------------------------------------------------------------------- /src/feistel2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/src/feistel2.png -------------------------------------------------------------------------------- /lec18 - Proofs of Knowledge.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec18 - Proofs of Knowledge.pdf -------------------------------------------------------------------------------- /lec02 - Computational Hardness.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec02 - Computational Hardness.pdf -------------------------------------------------------------------------------- /lec04 - Number Theory 
and OWFs.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec04 - Number Theory and OWFs.pdf -------------------------------------------------------------------------------- /lec08 - Pseudorandom Functions.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec08 - Pseudorandom Functions.pdf -------------------------------------------------------------------------------- /lec10 - Asymmetric Encryption.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec10 - Asymmetric Encryption.pdf -------------------------------------------------------------------------------- /lec11 - Message Authentication.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec11 - Message Authentication.pdf -------------------------------------------------------------------------------- /lec16 - Zero-Knowledge Proofs.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec16 - Zero-Knowledge Proofs.pdf -------------------------------------------------------------------------------- /lec17 - Zero Knowledge for NP.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec17 - Zero Knowledge for NP.pdf -------------------------------------------------------------------------------- /lec21 - Identity-Based Encryption.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec21 - Identity-Based Encryption.pdf -------------------------------------------------------------------------------- /lec01 - Overview and Perfect Secrecy.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec01 - Overview and Perfect Secrecy.pdf -------------------------------------------------------------------------------- /lec06 - PRG Expansion and Blum-Micali.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec06 - PRG Expansion and Blum-Micali.pdf -------------------------------------------------------------------------------- /lec13 - Many-Time Digital Signatures.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec13 - Many-Time Digital Signatures.pdf -------------------------------------------------------------------------------- /lec14 - Random Oracles and Signatures.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec14 - Random Oracles and Signatures.pdf -------------------------------------------------------------------------------- /lec20 - Secure Two-Party Computation.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec20 - Secure Two-Party Computation.pdf -------------------------------------------------------------------------------- /lec15 - Zero Knowledge and Interactive Proofs.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec15 - Zero Knowledge and Interactive Proofs.pdf -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | **/*.aux 2 | **/*.pdf 3 | **/*.pdfsync 4 | **/*.log 5 | **/*.out 6 | **/*.gz 7 | **/*.rel 8 | **/*.thm 9 | **/*.xsim 10 | **/*.fls 11 | **/*.fdb_latexmk -------------------------------------------------------------------------------- /lec05 - Indistinguishability and Pseudorandomness.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec05 - Indistinguishability and Pseudorandomness.pdf -------------------------------------------------------------------------------- /lec03 - One-Way Functions and Hardness Amplification.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec03 - One-Way Functions and Hardness Amplification.pdf -------------------------------------------------------------------------------- /lec12 - Chosen-Ciphertext Attacks and Digital Signatures.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec12 - Chosen-Ciphertext Attacks and Digital Signatures.pdf -------------------------------------------------------------------------------- /lec09 - Pseudorandom Permutations and Symmetric Encryption.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cpeikert/TheoryOfCryptography/HEAD/lec09 - Pseudorandom Permutations and Symmetric Encryption.pdf -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | These are lecture notes from my graduate-level Theory of Cryptography 2 | course taught at Georgia Tech and University of Michigan. 3 | 4 | Feedback (or even better, pull requests) welcome! 5 | -------------------------------------------------------------------------------- /.github/workflows/build-latex.yml: -------------------------------------------------------------------------------- 1 | name: Compile LaTeX and Upload PDFs 2 | 3 | on: [push] 4 | 5 | jobs: 6 | build_latex: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - name: Set up Git repository 10 | uses: actions/checkout@v3 11 | with: 12 | fetch-depth: 0 13 | 14 | - name: Compile LaTeX documents 15 | uses: xu-cheng/latex-action@v2 16 | with: 17 | working_directory: "src/" 18 | root_file: "lec*.tex" 19 | glob_root_file: true 20 | 21 | - name: Move PDF files and commit them 22 | run: | 23 | mv src/*.pdf . 
24 | git config --local user.email "test@github.com" 25 | git config --local user.name "GitHub Action [bot]" 26 | git add -f "*.pdf" 27 | git commit -m "auto-update PDF files" 28 | 29 | - name: Push changes 30 | uses: ad-m/github-push-action@master 31 | with: 32 | github_token: ${{ secrets.GITHUB_TOKEN }} 33 | force: true -------------------------------------------------------------------------------- /src/header.tex: -------------------------------------------------------------------------------- 1 | \usepackage{fullpage} 2 | \usepackage{newtxtext} 3 | \usepackage{microtype} 4 | \usepackage[T1]{fontenc} 5 | 6 | \usepackage{hyperref} 7 | \hypersetup{hypertexnames=false,breaklinks=true,colorlinks=true,linkcolor=blue,filecolor=blue,citecolor=blue,urlcolor=blue} 8 | 9 | \usepackage{mathtools} 10 | % show equation numbers only for referenced equations 11 | \mathtoolsset{showonlyrefs} 12 | 13 | \usepackage{amsfonts,amssymb} 14 | \usepackage[amsmath,amsthm,thmmarks,hyperref]{ntheorem} 15 | \usepackage{thmtools} 16 | 17 | \usepackage{zref-clever} 18 | \zcsetup{ 19 | cap=true, % capitalize types 20 | nameinlink, 21 | } 22 | % for migration from cleveref 23 | \newcommand{\cref}[1]{\zcref{#1}} 24 | \newcommand{\Cref}[1]{\zcref[S]{#1}} 25 | 26 | %%% BLACKBOARD SYMBOLS 27 | 28 | \newcommand{\C}{\ensuremath{\mathbb{C}}} 29 | \newcommand{\D}{\ensuremath{\mathbb{D}}} 30 | \newcommand{\F}{\ensuremath{\mathbb{F}}} 31 | \newcommand{\G}{\ensuremath{\mathbb{G}}} 32 | \newcommand{\J}{\ensuremath{\mathbb{J}}} 33 | \newcommand{\N}{\ensuremath{\mathbb{N}}} 34 | \newcommand{\Q}{\ensuremath{\mathbb{Q}}} 35 | \newcommand{\R}{\ensuremath{\mathbb{R}}} 36 | \newcommand{\T}{\ensuremath{\mathbb{T}}} 37 | \newcommand{\Z}{\ensuremath{\mathbb{Z}}} 38 | \newcommand{\QR}{\ensuremath{\mathbb{QR}}} 39 | 40 | \newcommand{\Zt}{\ensuremath{\Z_t}} 41 | \newcommand{\Zp}{\ensuremath{\Z_p}} 42 | \newcommand{\Zq}{\ensuremath{\Z_q}} 43 | \newcommand{\ZN}{\ensuremath{\Z_N}} 44 | \newcommand{\Zps}{\ensuremath{\Z_p^*}} 45 | \newcommand{\ZNs}{\ensuremath{\Z_N^*}} 46 | \newcommand{\JN}{\ensuremath{\J_N}} 47 | \newcommand{\QRN}{\ensuremath{\QR_{N}}} 48 | \newcommand{\QRp}{\ensuremath{\QR_{p}}} 49 | 50 | %%% THEOREM COMMANDS 51 | 52 | \declaretheorem[numberwithin=section]{theorem} 53 | 54 | \declaretheorem[sibling=theorem,style=plain] 55 | {lemma,corollary,proposition,claim,fact} 56 | 57 | \declaretheorem[sibling=theorem,style=definition] 58 | {definition,conjecture,construction,assumption,protocol} 59 | 60 | \declaretheorem[sibling=theorem,style=remark] 61 | {remark,example,note} 62 | 63 | % teach zref-clever these names 64 | 65 | \zcRefTypeSetup{claim}{Name-sg=Claim,Name-pl=Claims,name-sg=claim,name-pl=claims} 66 | \zcRefTypeSetup{fact}{Name-sg=Fact,Name-pl=Facts,name-sg=fact,name-pl=facts} 67 | \zcRefTypeSetup{maintheorem}{Name-sg=Main Theorem,Name-pl=Main 68 | Theorems,name-sg=main theorem,name-pl=main theorems} 69 | \zcRefTypeSetup{conjecture}{Name-sg=Conjecture,Name-pl=Conjectures,name-sg=conjecture,name-pl=conjectures} 70 | \zcRefTypeSetup{construction}{Name-sg=Construction,Name-pl=Constructions,name-sg=construction,name-pl=constructions} 71 | \zcRefTypeSetup{assumption}{Name-sg=Assumption,Name-pl=Assumptions,name-sg=assumption,name-pl=assumptions} 72 | \zcRefTypeSetup{protocol}{Name-sg=Protocol,Name-pl=Protocols,name-sg=protocol,name-pl=protocols} 73 | \zcRefTypeSetup{question}{Name-sg=Question,Name-pl=Questions,name-sg=question,name-pl=questions} 74 | 75 | % equation numbering style 76 | \numberwithin{equation}{section} 77 | 78 | %%% 
GENERAL COMPUTING 79 | 80 | \newcommand{\bit}{\ensuremath{\set{0,1}}} 81 | \newcommand{\pmone}{\ensuremath{\set{-1,1}}} 82 | 83 | % asymptotics 84 | \DeclareMathOperator{\poly}{poly} 85 | \DeclareMathOperator{\polylog}{polylog} 86 | \DeclareMathOperator{\negl}{negl} 87 | \newcommand{\Otil}{\ensuremath{\tilde{O}}} 88 | 89 | % probability/distribution stuff 90 | \DeclareMathOperator*{\E}{E} 91 | \DeclareMathOperator*{\Var}{Var} 92 | 93 | % sets in calligraphic type 94 | \newcommand{\calD}{\ensuremath{\mathcal{D}}} 95 | \newcommand{\calF}{\ensuremath{\mathcal{F}}} 96 | \newcommand{\calG}{\ensuremath{\mathcal{G}}} 97 | \newcommand{\calH}{\ensuremath{\mathcal{H}}} 98 | \newcommand{\calX}{\ensuremath{\mathcal{X}}} 99 | \newcommand{\calY}{\ensuremath{\mathcal{Y}}} 100 | 101 | % types of indistinguishability 102 | \newcommand{\compind}{\ensuremath{\stackrel{c}{\approx}}} 103 | \newcommand{\statind}{\ensuremath{\stackrel{s}{\approx}}} 104 | \newcommand{\perfind}{\ensuremath{\equiv}} 105 | 106 | % font for general-purpose algorithms 107 | \newcommand{\algo}[1]{\ensuremath{\mathsf{#1}}} 108 | % font for general-purpose computational problems 109 | \newcommand{\problem}[1]{\ensuremath{\mathsf{#1}}} 110 | % font for complexity classes 111 | \newcommand{\class}[1]{\ensuremath{\mathsf{#1}}} 112 | 113 | % complexity classes and languages 114 | \renewcommand{\P}{\class{P}} 115 | \newcommand{\BPP}{\class{BPP}} 116 | \newcommand{\NP}{\class{NP}} 117 | \newcommand{\coNP}{\class{coNP}} 118 | \newcommand{\AM}{\class{AM}} 119 | \newcommand{\coAM}{\class{coAM}} 120 | \newcommand{\IP}{\class{IP}} 121 | 122 | %%% "LEFT-RIGHT" PAIRS OF SYMBOLS 123 | 124 | 125 | % inner product 126 | \DeclarePairedDelimiter\inner{\langle}{\rangle} 127 | % absolute value 128 | \DeclarePairedDelimiter\abs{\lvert}{\rvert} 129 | % a set 130 | \DeclarePairedDelimiter\set{\{}{\}} 131 | % parens 132 | \DeclarePairedDelimiter\parens{(}{)} 133 | % tuple, alias for parens 134 | \DeclarePairedDelimiter\tuple{(}{)} 135 | % square brackets 136 | \DeclarePairedDelimiter\bracks{[}{]} 137 | % rounding off 138 | \DeclarePairedDelimiter\round{\lfloor}{\rceil} 139 | % floor function 140 | \DeclarePairedDelimiter\floor{\lfloor}{\rfloor} 141 | % ceiling function 142 | \DeclarePairedDelimiter\ceil{\lceil}{\rceil} 143 | % length of some vector, element 144 | \DeclarePairedDelimiter\length{\lVert}{\rVert} 145 | % "lifting" of a residue class 146 | \DeclarePairedDelimiter\lift{\llbracket}{\rrbracket} 147 | \DeclarePairedDelimiter\len{\lvert}{\rvert} 148 | 149 | %%% CRYPTO-RELATED NOTATION 150 | 151 | % KEYS AND RELATED 152 | 153 | \newcommand{\key}[1]{\ensuremath{#1}} 154 | 155 | \newcommand{\pk}{\key{pk}} 156 | \newcommand{\vk}{\key{vk}} 157 | \newcommand{\sk}{\key{sk}} 158 | \newcommand{\mpk}{\key{mpk}} 159 | \newcommand{\msk}{\key{msk}} 160 | \newcommand{\fk}{\key{fk}} 161 | \newcommand{\id}{id} 162 | \newcommand{\keyspace}{\ensuremath{\mathcal{K}}} 163 | \newcommand{\msgspace}{\ensuremath{\mathcal{M}}} 164 | \newcommand{\ctspace}{\ensuremath{\mathcal{C}}} 165 | \newcommand{\tagspace}{\ensuremath{\mathcal{T}}} 166 | \newcommand{\idspace}{\ensuremath{\mathcal{ID}}} 167 | 168 | \newcommand{\concat}{\ensuremath{\|}} 169 | 170 | % GAMES 171 | 172 | % advantage 173 | \newcommand{\advan}{\ensuremath{\mathbf{Adv}}} 174 | 175 | % different attack models 176 | \newcommand{\attack}[1]{\ensuremath{\text{#1}}} 177 | 178 | \newcommand{\atk}{\attack{atk}} % dummy attack 179 | \newcommand{\indcpa}{\attack{ind-cpa}} 180 | \newcommand{\indcca}{\attack{ind-cca}} 181 | 
\newcommand{\anocpa}{\attack{ano-cpa}} % anonymous 182 | \newcommand{\anocca}{\attack{ano-cca}} 183 | \newcommand{\euacma}{\attack{eu-acma}} % forgery: adaptive chosen-message 184 | \newcommand{\euscma}{\attack{eu-scma}} % forgery: static chosen-message 185 | \newcommand{\suacma}{\attack{su-acma}} % strongly unforgeable 186 | 187 | % ADVERSARIES 188 | \newcommand{\attacker}[1]{\ensuremath{\mathcal{#1}}} 189 | 190 | \newcommand{\Adv}{\attacker{A}} 191 | \newcommand{\AdvA}{\attacker{A}} 192 | \newcommand{\AdvB}{\attacker{B}} 193 | \newcommand{\Dist}{\attacker{D}} 194 | \newcommand{\Sim}{\attacker{S}} 195 | \newcommand{\Ora}{\attacker{O}} 196 | \newcommand{\Inv}{\attacker{I}} 197 | \newcommand{\For}{\attacker{F}} 198 | 199 | % CRYPTO SCHEMES 200 | 201 | \newcommand{\scheme}[1]{\ensuremath{\text{#1}}} 202 | 203 | % pseudorandom stuff 204 | \newcommand{\prg}{\algo{PRG}} 205 | \newcommand{\prf}{\algo{PRF}} 206 | \newcommand{\prp}{\algo{PRP}} 207 | 208 | % symmetric-key cryptosystem 209 | \newcommand{\skc}{\scheme{SKC}} 210 | \newcommand{\skcgen}{\algo{Gen}} 211 | \newcommand{\skcenc}{\algo{Enc}} 212 | \newcommand{\skcdec}{\algo{Dec}} 213 | 214 | % public-key cryptosystem 215 | \newcommand{\pkc}{\scheme{PKC}} 216 | \newcommand{\pkcgen}{\algo{Gen}} 217 | \newcommand{\pkcenc}{\algo{Enc}} % can also use \kemenc and \kemdec 218 | \newcommand{\pkcdec}{\algo{Dec}} 219 | 220 | % digital signatures 221 | \newcommand{\sig}{\scheme{SIG}} 222 | \newcommand{\siggen}{\algo{Gen}} 223 | \newcommand{\sigsign}{\algo{Sign}} 224 | \newcommand{\sigver}{\algo{Ver}} 225 | 226 | % message authentication code 227 | \newcommand{\mac}{\scheme{MAC}} 228 | \newcommand{\macgen}{\algo{Gen}} 229 | \newcommand{\mactag}{\algo{Tag}} 230 | \newcommand{\macver}{\algo{Ver}} 231 | 232 | % key-encapsulation mechanism 233 | \newcommand{\kem}{\scheme{KEM}} 234 | \newcommand{\kemgen}{\algo{Gen}} 235 | \newcommand{\kemenc}{\algo{Encaps}} 236 | \newcommand{\kemdec}{\algo{Decaps}} 237 | 238 | % identity-based encryption 239 | \newcommand{\ibe}{\scheme{IBE}} 240 | \newcommand{\ibesetup}{\algo{Setup}} 241 | \newcommand{\ibeext}{\algo{Ext}} 242 | \newcommand{\ibeenc}{\algo{Enc}} 243 | \newcommand{\ibedec}{\algo{Dec}} 244 | 245 | % hierarchical IBE (as key encapsulation) 246 | \newcommand{\hibe}{\scheme{HIBE}} 247 | \newcommand{\hibesetup}{\algo{Setup}} 248 | \newcommand{\hibeext}{\algo{Extract}} 249 | \newcommand{\hibeenc}{\algo{Encaps}} 250 | \newcommand{\hibedec}{\algo{Decaps}} 251 | 252 | % binary tree encryption (as key encapsulation) 253 | \newcommand{\bte}{\scheme{BTE}} 254 | \newcommand{\btesetup}{\algo{Setup}} 255 | \newcommand{\bteext}{\algo{Extract}} 256 | \newcommand{\bteenc}{\algo{Encaps}} 257 | \newcommand{\btedec}{\algo{Decaps}} 258 | 259 | % trapdoor functions 260 | \newcommand{\tdf}{\scheme{TDF}} 261 | \newcommand{\tdfgen}{\algo{Gen}} 262 | \newcommand{\tdfeval}{\algo{Eval}} 263 | \newcommand{\tdfinv}{\algo{Invert}} 264 | \newcommand{\tdfver}{\algo{Ver}} 265 | 266 | %%% PROTOCOLS 267 | 268 | \newcommand{\out}{\text{out}} 269 | \newcommand{\view}{\text{view}} 270 | 271 | %%% COMMANDS FOR LECTURES/HOMEWORKS 272 | 273 | \RequirePackage{fancyhdr} 274 | 275 | \newcommand{\lecheader}{% 276 | \chead{\large \textbf{Lecture \lecturenum\\\lecturetopic}} 277 | 278 | \lhead{\small 279 | \textbf{\href{https://github.com/cpeikert/TheoryOfCryptography}{Theory 280 | of Cryptography}}\\} 281 | 282 | \rhead{\small \textbf{Instructor: 283 | \href{http://www.eecs.umich.edu/~cpeikert/}{Chris Peikert}\\Scribe: 284 | \scribename}} 285 | 286 | 
\setlength{\headheight}{20pt} 287 | \setlength{\headsep}{16pt} 288 | } 289 | 290 | 291 | %%% xsim settings 292 | 293 | \RequirePackage{xsim} 294 | \RequirePackage{needspace} 295 | 296 | \DeclareExerciseEnvironmentTemplate{QRef}{% 297 | \par\addvspace{\baselineskip} 298 | \Needspace*{2\baselineskip} 299 | \noindent 300 | \hyperref[ans:\GetExerciseProperty{ID}]{\textbf{\XSIMmixedcase{\GetExerciseName}~\GetExerciseProperty{counter}.}} 301 | \label{ques:\GetExerciseProperty{ID}} 302 | }{\par\addvspace{\baselineskip}} 303 | 304 | \DeclareExerciseEnvironmentTemplate{ARef}{% 305 | \Needspace*{2\baselineskip} 306 | \noindent 307 | \hyperref[ques:\GetExerciseProperty{ID}]{\textbf{\XSIMmixedcase{\GetExerciseParameter{exercise-name}}~\GetExerciseProperty{counter}.}} 308 | \label{ans:\GetExerciseProperty{ID}} 309 | \GetExerciseBody{exercise} 310 | \par \medskip \noindent 311 | \textbf{\XSIMmixedcase{\GetExerciseName}.} 312 | }{\par\addvspace{\baselineskip}} 313 | 314 | \DeclareExerciseHeadingTemplate{simple}{% 315 | \section*{\XSIMmixedcase{\GetExerciseParameter{solution-name}s}} 316 | } 317 | 318 | \DeclareExerciseType{question}{% 319 | exercise-env = question, 320 | solution-env = answer, 321 | exercise-name = Question, 322 | solution-name = Answer, 323 | exercise-template = QRef, 324 | solution-template = ARef, 325 | } 326 | 327 | \xsimsetup{% 328 | path = {questions}, 329 | file-extension = {aux}, 330 | print-solutions/headings-template=simple, 331 | exercise/template=runin 332 | } 333 | 334 | \loadxsimstyle{layouts} 335 | 336 | \AtEndDocument{\pagebreak\printsolutions} 337 | -------------------------------------------------------------------------------- /src/lec18 - Proofs of Knowledge.tex: -------------------------------------------------------------------------------- 1 | \documentclass[11pt]{article} 2 | 3 | \input{header} 4 | 5 | % VARIABLES 6 | 7 | \newcommand{\lecturenum}{18} 8 | \newcommand{\lecturetopic}{Proofs of Knowledge} 9 | \newcommand{\scribename}{Joel Odom} 10 | 11 | % END OF VARIABLES 12 | 13 | \lecheader 14 | 15 | \pagestyle{plain} % default: no special header 16 | 17 | \begin{document} 18 | 19 | \thispagestyle{fancy} % first page should have special header 20 | 21 | % LECTURE MATERIAL STARTS HERE 22 | 23 | \section{Proofs of Knowledge} 24 | \label{sec:pok} 25 | 26 | Up to this point we have studied zero-knowledge proofs that are 27 | capable of proving whether a statement is ``true'' or ``false,'' i.e., 28 | whether a statement lies in or out of a language. Sometimes, though, 29 | the notion of membership in a language does not capture the claim that 30 | the prover wants to demonstrate. For example, if the statement is 31 | true, might it be that \emph{anyone} can give an acceptable proof? 32 | The definition of an interactive proof doesn't give us much insight 33 | into this question; it only says that \emph{false} theorems can't be 34 | proved (even by an unbounded prover). Here we will see that it is 35 | sometimes useful to have a \emph{proof of knowledge}, in which a 36 | prover convinces a verifier that the prover ``knows why'' a statement 37 | is true. 38 | 39 | Take, for example, the application we considered at the end of the 40 | last lecture. Alice wanted to convince Bob, in zero knowledge, that 41 | she is a CIA agent --- or more precisely, that the CIA has signed the 42 | message ``Alice is a CIA agent'' under its public key. (ZK is useful 43 | here because it would make the proof nontransferable by Bob.) How can 44 | we go about proving this in ZK? 
If Alice just reveals the signature, 45 | that conveys knowledge to Bob that he could not have simulated himself 46 | (and is transferable). If Alice proves merely that there 47 | \emph{exists} a valid signature (under the CIA's public key) of the 48 | message ``Alice is a CIA agent,'' this doesn't necessarily prove 49 | anything meaningful, because by the completeness of the signature 50 | scheme, there exists a signature for \emph{every} message! What Alice 51 | really wants to prove is that she \emph{knows} a valid signature of 52 | the appropriate message. 53 | 54 | \subsection{Example Protocol} 55 | \label{sec:example-protocol} 56 | 57 | What we want to capture is not only the truth of a proposition ($x \in 58 | L$), but also that the prover ``possesses'' a suitable witness to this 59 | fact. We demonstrate this concept by an example protocol which proves 60 | knowledge of a discrete logarithm in a cyclic group. 61 | 62 | \begin{protocol} 63 | \label{prot:dlog} 64 | Let $G = \langle g \rangle$ be a cyclic group of known order $q$ 65 | with known generator $g$, and let $x \in G$ be an arbitrary group 66 | element having discrete logarithm $w = \log_{g}(x)$. The common 67 | input to $P$ and $V$ is $x$, and $P$ is additionally given $w$. 68 | \begin{enumerate} 69 | 70 | \item $P(x,w)$ selects a random $r \gets \Zq$ and sends $z = g^{r}$ 71 | to $V$. 72 | 73 | \item $V(x)$ sends a random challenge bit $b \in \bit$ to $P$. (Here 74 | $V$ is challenging the prover to reply with the discrete log of $z$, 75 | or of $z \cdot x$.) 76 | 77 | \item $P$ responds with $a = r + b \cdot w \in \Zq$. 78 | 79 | \item $V$ accepts if $g^{a} = z \cdot x^{b}$. 80 | 81 | \end{enumerate} 82 | Schematically, 83 | 84 | \begin{center} 85 | \begin{tabular}{ccc} 86 | $P(x,w = \log_{g}(x))$ & & $V(x)$ \\ \\ 87 | $r \gets \Zq$ & $\underrightarrow{\quad z = g^{r} \quad}$ & \\ 88 | & & $b \gets \bit$ \\ 89 | & $\underleftarrow{\quad b \quad}$ & \\ 90 | & & \\ 91 | & $\underrightarrow{\quad a = r + b w \quad}$ & accept iff 92 | $g^{a}=z\cdot x^{b}$ 93 | \end{tabular} 94 | \end{center} 95 | \end{protocol} 96 | 97 | Is the protocol \emph{complete}? Yes: if $P$ and $V$ act as 98 | described, then $g^{a} = g^{r + bw} = g^{r} \cdot (g^{w})^{b} = z 99 | \cdot x^{b}$. Is the protocol \emph{zero-knowledge}? Let $V^{*}$ be 100 | a (possibly malicious) nuppt verifier. We define a simulator 101 | $\Sim^{V^{*}}(x)$: 102 | \begin{enumerate} 103 | 104 | \item Choose a random bit $b \gets \bit$ and a uniformly random $a 105 | \gets \Zq$. (This $a$ will play the role of the prover's final 106 | message.) 107 | 108 | \item Send $z = g^{a} / x^{b}$ to $V^{*}$ (run with fresh random 109 | coins) and get back a challenge bit $b^{*}$. (If $V^{*}$ responds 110 | with a malformed message or aborts, just output the view so far.) 111 | 112 | \item If $b^{*} = b$, complete the view using $a$ as the prover's last 113 | message, otherwise rewind $V^{*}$ and repeat the simulation (up to 114 | $n$ total iterations). 115 | \end{enumerate} 116 | It is relatively easy to show that $\Sim$ reproduces $V^{*}$'s view, 117 | up to negligible statistical distance. (Briefly, this is because the 118 | value $z$ calculated by $\Sim$ is uniform in $G$ and statistically 119 | independent of its bit 120 | $b$, so $b^{*} = b$ with probability $1/2$.) 121 | 122 | Is the protocol \emph{sound}? Note that \emph{every} $x \in G$ has a 123 | discrete logarithm, so the notion of soundness is not particularly meaningful here!
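
For concreteness, here is a tiny worked run of \cref{prot:dlog}, illustrating completeness; the parameters are toy-sized choices made purely for illustration, and are of course far too small for any security.

\begin{example}
\label{ex:dlog-toy}
Take $G = \langle 2 \rangle \leq \Z_{23}^{*}$, a group of prime order $q = 11$ with generator $g = 2$, and let $w = 7$, so $x = g^{w} = 2^{7} = 13 \pmod{23}$. Suppose the prover uses randomness $r = 3$, sending $z = 2^{3} = 8$. On challenge $b = 0$ it replies $a = 3$, and the verifier checks $2^{3} = 8 = z$. On challenge $b = 1$ it replies $a = r + w = 10 \in \Z_{11}$, and the verifier checks $2^{10} = 12 = 8 \cdot 13 = z \cdot x \pmod{23}$.
\end{example}
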
A separate question is whether the protocol gives 124 | evidence that the prover possesses \emph{knowledge} of the discrete 125 | logarithm of $x$. An informal inspection of the protocol seems to 126 | indicate that it does: if the prover can answer both challenges, then 127 | it is prepared to reply with both $\log_{g}(z)$ and $\log_{g}(z \cdot 128 | x) = \log_{g}(z) + \log_{g}(x)$, whose difference is exactly 129 | $\log_{g}(x)$. But we need to formalize some notions before we can 130 | come to any definite conclusion. 131 | 132 | \subsection{Definition of an $\NP$-Relation} 133 | \label{sec:def-pok} 134 | 135 | \begin{definition} 136 | \label{def:NP-relation} 137 | An \emph{$\NP$-relation} $R \subseteq \bit^{*} \times \bit^{*}$ is 138 | given by a deterministic algorithm $W(\cdot,\cdot)$ that runs in 139 | time polynomial in the length of its first input. The relation 140 | is \[ R = \set{(x,w) : W(x,w) \text{ accepts}}. \] The associated 141 | $\NP$-language is $L_{R} = \set{x : \exists\; w \text{ such that } 142 | W(x,w) \text{ accepts}}$. The witness set for an $x \in \bit^{*}$ 143 | is $R(x) = \set{w : W(x,w) = 1}$. 144 | \end{definition} 145 | 146 | That is, the $\NP$-relation $R$ is just the set of theorem-witness 147 | pairs $(x,w)$ that are accepted by the verifier $W$. It is easily 148 | seen that the language $L_{R}$ associated with the relation is an 149 | $\NP$ language. 150 | 151 | \begin{example} 152 | \label{ex:dlog-relation} 153 | For the discrete logarithm problem in $G$, the natural relation 154 | is \[ R = \set{(x \in G, w \in \Zq) : g^{w} = x}. \] 155 | \end{example} 156 | 157 | \subsection{Definition of a Proof of Knowledge} 158 | \label{sec:defin-proof-knowl} 159 | 160 | We can now define a proof of knowledge for a relation $R$. The 161 | definition captures the intuition that from \emph{any} (possibly 162 | cheating) prover $P^{*}$ that is able to convince the verifier with 163 | good enough probability on a statement $x \in L_{R}$, there is a way 164 | to extract a valid witness for $x$ from $P^{*}$ with a related (not 165 | too small) probability. 166 | 167 | \begin{definition} 168 | \label{def:pok} 169 | An interactive proof system $(P,V)$ is a \emph{proof of knowledge} 170 | with \emph{knowledge error} $\kappa \in [0,1]$ for an $\NP$-relation 171 | $R$ if there exists an nuppt oracle machine $K^{\cdot}$ (the 172 | \emph{knowledge extractor}) such that for any $x \in L_{R}$, and for 173 | any (possibly unbounded) $P^{*}$ for which $p^{*}_{x} = 174 | \Pr[\out_{V}[P^{*} \leftrightarrow V(x)] = 1] > \kappa$, we have \[ 175 | \Pr[K^{P^{*}}(x) \in R(x)] \geq \poly(p^{*}_{x} - \kappa). \] 176 | \end{definition} 177 | 178 | In words, the probability that the knowledge extractor $K$ finds a 179 | valid witness for $x$ using its access to prover $P^{*}$ is at least 180 | polynomially related to the probability $p^{*}_{x}$ that $P^{*}$ 181 | convinces the honest verifier on $x$, less some knowledge error. 182 | 183 | \begin{remark} 184 | \label{rem:pok} 185 | A number of remarks on this definition are appropriate. 186 | 187 | \begin{enumerate} 188 | 189 | \item We don't make any restriction on the kind of prover $P^{*}$ 190 | under consideration: it could be unbounded and/or malicious. 191 | 192 | \item The definition is \emph{per instance} $x$: if $P^{*}$ 193 | convinces $V$ that a \emph{particular} $x$ is true, then it should 194 | know a witness for \emph{that} $x$.
195 | 196 | \item Notice that in the discrete logarithm protocol above, there is 197 | a trivial cheating prover that convinces the verifier with 198 | probability $\frac{1}{2}$. (This is the prover that prepares an 199 | answer for a known $b$ and succeeds only if the verifier issues 200 | $b$ as its challenge bit.) There is no hope of extracting any 201 | witness from this prover, without just solving the discrete log 202 | problem directly. Just as with soundness error, the knowledge 203 | error $\kappa$ captures the ``threshold'' probability with which a 204 | cheating prover $P^{*}$ must convince the verifier before it can 205 | be said to know a valid witness. 206 | 207 | \item Because the relation $R$ is efficiently checkable, we can run 208 | $K^{P^{*}}$ many times and output any valid witness for $x$ that 209 | is found in any execution. The expected running time of this is 210 | $1/\poly(p^{*}_{x} - \kappa)$. If $p^{*}_{x}-\kappa$ is at least 211 | inverse-polynomial in the security parameter, then a witness is 212 | extracted in expected polynomial time. 213 | 214 | \item The definition is not formally related to soundness (i.e., 215 | neither property necessarily implies the other). However, notice 216 | that the definition only applies to $x \in L_{R}$, because 217 | otherwise the set $R(x)$ is empty and therefore $K$ could never 218 | output a valid witness. 219 | \end{enumerate} 220 | \end{remark} 221 | 222 | \subsection{Knowledge Extractor for Discrete Log Protocol} 223 | \label{sec:knowl-extr-discr} 224 | 225 | \begin{theorem} 226 | \cref{prot:dlog} is a proof of knowledge for the discrete 227 | logarithm relation, with knowledge error $\kappa = 1/2$. 228 | \end{theorem} 229 | 230 | \begin{proof} 231 | We construct a knowledge extractor $K^{P^{*}}(x)$ that works as 232 | follows: 233 | \begin{enumerate} 234 | \item Run $P^{*}$ and receive a message $z \in G$ from $P^{*}$. 235 | \item Send challenge bit $b = 0$ to $P^{*}$ and receive an answer 236 | $a_{0}$.\label{item:chall-zero} 237 | \item Rewind $P^{*}$ to its state before \cref{item:chall-zero}. 238 | Send challenge bit $b = 1$ to $P^{*}$, and receive an answer 239 | $a_{1}$. 240 | \item Output $a_{1} - a_{0}$. 241 | \end{enumerate} 242 | 243 | Note that \emph{if} $a_{0}$ and $a_{1}$ are both correct answers to 244 | the respective challenges on $z$, then $a_{1} - a_{0} = \log_{g}(z 245 | \cdot x) - \log_{g}(z) = \log_{g}(x)$, so the knowledge extractor's 246 | output is a correct witness for $x$. 247 | 248 | Suppose that $\Pr[\out_{V}[P^{*} \leftrightarrow V(x)] = 1] = 1/2 + 249 | \alpha$ for some positive $\alpha$ (otherwise, we have nothing to 250 | prove). We claim that \[ \Pr[a_{0} \text{ and } a_{1} \text{ 251 | correct}] \geq \alpha^{3}/2 = \poly(\alpha), \] as required by 252 | \cref{def:pok}. 253 | 254 | To prove the claim, define \[ p_{z} = \Pr[P^{*} \text{ convinces } 255 | V(x) \mid P^{*} \text{ outputs $z$ in the first message}]. \] By an 256 | averaging argument (Markov's inequality), we have $\Pr_{z \gets 257 | P^{*}}[p_{z} \geq \tfrac{1}{2} + \tfrac{\alpha}{2}] \geq 258 | \frac{\alpha}{2}$. 259 | 260 | Now consider any such ``good'' $z$, where $p_{z} \geq \tfrac12 + 261 | \tfrac{\alpha}{2}$. Define \[ p_{z, b} = \Pr[P^{*} \text{ convinces 262 | } V(x) \mid z \text{, challenge $b$}]. \] Because $p_{z} = (p_{z,0} 263 | + p_{z,1})/2$ and both $p_{z,0}, p_{z,1} \leq 1$, we have both 264 | $p_{z, 0}, p_{z, 1} \geq \alpha$ (indeed, $p_{z,b} \geq 2 p_{z} - p_{z,1-b} \geq (1 + \alpha) - 1 = \alpha$ for each $b$).
The events that $P^{*}$ returns a 265 | valid $a_{0}$ (respectively, $a_{1}$) \emph{conditioned} on $z$ and 266 | challenge $b=0$ (resp., $b=1$) are \emph{independent}, so both occur 267 | with probability at least $\alpha^{2}$. All together then, the 268 | probability that $K$ outputs $\log_{g}(x)$ is at least 269 | $\alpha^{3}/2$, as claimed. 270 | 271 | \end{proof} 272 | 273 | \end{document} 274 | 275 | %%% Local Variables: 276 | %%% mode: latex 277 | %%% TeX-master: t 278 | %%% End: 279 | -------------------------------------------------------------------------------- /src/lec15 - Zero Knowledge and Interactive Proofs.tex: -------------------------------------------------------------------------------- 1 | \documentclass[11pt]{article} 2 | 3 | \input{header} 4 | 5 | % VARIABLES 6 | 7 | \newcommand{\lecturenum}{15} 8 | \newcommand{\lecturetopic}{Zero Knowledge, Interactive Proofs} 9 | \newcommand{\scribename}{Abhinav Shantanam} 10 | 11 | % END OF VARIABLES 12 | 13 | \lecheader 14 | 15 | \pagestyle{plain} % default: no special header 16 | 17 | \begin{document} 18 | 19 | \thispagestyle{fancy} % first page should have special header 20 | 21 | % LECTURE MATERIAL STARTS HERE 22 | 23 | \section{Zero Knowledge} 24 | \label{sec:zero-knowledge} 25 | 26 | \subsection{Warm-Up: Zero Information} 27 | \label{sec:warm-up-zero-inf} 28 | 29 | When does a random variable $Y$ reveal \emph{no information} about 30 | another random variable $X$? In probability theory, the answer to 31 | this question is: when $X$ and $Y$ are \emph{independent}. One 32 | equivalent form of independence is that for \emph{any} fixed value of 33 | $X$, the conditional distribution of $Y$ (given $X$) is always just 34 | some certain distribution $D_{Y}$. 35 | 36 | Observe that perfect secrecy can be seen in this light: a shared-key 37 | encryption scheme is perfectly secure if (and only if) for any message 38 | $m \in \msgspace$, the distribution of the ciphertext $c \in \ctspace$ 39 | (over the choice of $k \gets \skcgen$) is the same: some fixed 40 | distribution $D'$ over $\ctspace$. 41 | 42 | \subsection{Zero \emph{Computational} Knowledge} 43 | \label{sec:zero-comp-knowl} 44 | 45 | What is the \emph{computational} analogue of revealing no information? 46 | When working with bounded computation, we speak of \emph{knowledge} 47 | instead of information. This is because even though a value $Y$ might 48 | reveal \emph{all} the information in $X$, that information might not 49 | be accessible to a bounded algorithm. For example, for a one-way 50 | permutation $f$ with hard-core predicate $h$, the value $f(x)$ reveals 51 | all the information in $x$, but it gives no \emph{knowledge} about 52 | $h(x)$, because $h(x)$ ``looks like'' a uniformly random bit. Seen 53 | another way: up to computational indistinguishability, $h(x)$ ``might 54 | as well have been'' produced by an \emph{efficient algorithm that is 55 | not given $x$ at all!} (That is, the algorithm that just outputs a 56 | uniformly random bit.) 57 | 58 | Let us see a concrete example of this kind of definition for 59 | shared-key encryption. Informally, it says that a ciphertext of a 60 | message $m$ might as well be produced by an efficient algorithm (a 61 | simulator) that is not given the message. (Note the syntactic 62 | similarity to the information-theoretic statements above.) 
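
For a concrete instance (a minimal example added here for illustration, using the familiar one-time pad over $\msgspace = \bit^{n}$, which satisfies the definition below with equality of distributions rather than mere indistinguishability): the simulator $\Sim(1^{n})$ that simply outputs a uniformly random string $c \gets \bit^{n}$ perfectly mimics an honest ciphertext, since for every $m \in \bit^{n}$, \[ \set{k \gets \bit^{n} : k \oplus m} \equiv \set{\Sim(1^{n})}. \]
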
63 | 64 | \begin{definition} 65 | \label{def:zk-skc} 66 | A shared-key cryptosystem $\skc$ for message space $\msgspace$ is 67 | \emph{zero-knowledge} if there exists an nuppt \emph{simulator} 68 | $\Sim$ such that for all $m \in \msgspace$, \[ \set{k \gets 69 | \skcgen(1^{n}) : \skcenc_{k}(m)} \compind \set{\Sim(1^{n})}. \] 70 | \end{definition} 71 | 72 | Recall our simplest definition of security for shared-key encryption, 73 | one-time indistinguishability, which says that for all $m_{0}, m_{1} 74 | \in \msgspace$, \[ \set{k \gets \skcgen : \skcenc_{k}(m_{0})} \compind 75 | \set{k \gets \skcgen : \skcenc_{k}(m_{1})}. \] 76 | 77 | \begin{theorem} 78 | \label{thm:zk-iff-indist} 79 | A shared-key cryptosystem $\skc$ is one-time indistinguishable if 80 | and only if it is zero-knowledge. 81 | \end{theorem} 82 | 83 | \begin{proof} 84 | If $\skc$ is zero-knowledge, let $\Sim$ be the simulator guaranteed 85 | by \cref{def:zk-skc}. Then by hypothesis, for all $m_{0}, 86 | m_{1} \in \mathcal{M}$, 87 | \[ \set{k \gets \skcgen(1^{n}): \skcenc_{k}(m_0)} \compind 88 | \set{\Sim(1^{n})} \compind \set{k \gets \skcgen(1^{n}) : 89 | \skcenc_{k}(m_1)}. \] One-time indistinguishability follows by the 90 | hybrid lemma. 91 | 92 | If $\skc$ is one-time indistinguishable, let $m' \in \msgspace$ 93 | denote some arbitrary message, and define $\Sim(1^{n})$ to choose $k 94 | \gets \skcgen(1^{n})$ and output $c \gets \skcenc_{k}(m')$. Then by 95 | one-time indistinguishability, for any $m \in \msgspace$ we have 96 | \[ \set{k \gets \skcgen(1^{n}): \skcenc_{k}(m)} \compind \set{k 97 | \gets \skcgen(1^{n}) : \skcenc_{k}(m')} \equiv 98 | \set{\Sim(1^{n})}. \] 99 | \end{proof} 100 | 101 | \subsection{Why Zero Knowledge?} 102 | \label{sec:why-zero-knowledge} 103 | 104 | What do we gain from zero-knowledge/simulation-style security 105 | definitions? So far, not much other than a new perspective. However, 106 | this new perspective is very powerful: it can capture, in a unified 107 | way, many of the disparate security definitions we have seen so far 108 | (e.g., for pseudorandom generators/functions, signatures, etc.). Even 109 | more importantly, this perspective will allow us to give meaningful 110 | security definitions for protocols in which the adversary may be an 111 | \emph{active participant}. By ``active'' we mean not just that the 112 | adversary can make queries to the scheme (e.g., chosen-message or 113 | chosen-ciphertext attacks), but that it instead \emph{plays the role} 114 | of one of the scheme's algorithms (possibly in a malicious way). 115 | 116 | \section{Interactive Proofs} 117 | \label{sec:interactive-proofs} 118 | 119 | \subsection{Motivation} 120 | \label{sec:motivation} 121 | 122 | What is a (mathematical) proof? Two of the most common answers 123 | include: 124 | \begin{enumerate} 125 | \item A sequence of sound logical deductions, starting from a set of 126 | axioms and/or hypotheses, that concludes in a theorem? 127 | \item An argument that convinces the peer community? 128 | \end{enumerate} 129 | 130 | A ``classical'' proof (in the mold of the first answer above) is a 131 | \emph{static} object, which can be easily checked by applying 132 | mechanical rules. In contrast, many proofs in mathematics have 133 | required a lot of effort to find --- much more effort than it takes to 134 | verify them. Intuitively, then, a classical proof may reveal more 135 | than zero knowledge to the party verifying it, in that the verifier 136 | may not have been able to generate the proof itself. 
137 | 138 | In practice, many proofs are partially ``interactive:'' a prover 139 | asserts a theorem, and a verifier (e.g., the peer community) asks 140 | questions of the prover until it is satisfied that the theorem is 141 | correct. It turns out that this style of proof in some cases appears 142 | to be qualitatively \emph{more powerful} than a static, classical 143 | proof. 144 | 145 | Consider the following example ``theorem:'' Coke and Pepsi are 146 | different soft drinks. To prove this claim, it might not suffice to 147 | give different recipes for the two drinks. First, how does one check 148 | that a given recipe corresponds to the claimed drink? And even if one 149 | could, how can one be sure that two different recipes don't end up 150 | producing the same end product (e.g., by a different sequence of 151 | chemical reactions)? 152 | 153 | On the other hand, consider the following interactive ``proof'' for 154 | establishing the theorem: the verifier secretly buys either a bottle 155 | of Coke or Pepsi at random, pours it into a glass, and asks the prover 156 | to identify the drink (by looking at it, tasting it, or whatever else the 157 | prover requires to decide). The prover and verifier may repeat the 158 | exercise multiple times (with a fresh random choice of drink each 159 | time). If the theorem is indeed true (Coke and Pepsi are different), 160 | then a sufficiently talented prover can always identify correctly. 161 | However, if the theorem is false (Coke and Pepsi are exactly the 162 | same), then the prover would have only a $1/2$ chance of guessing 163 | successfully in each iteration. Therefore, if the prover succeeds in 164 | every iteration, the verifier can conclude --- with very high but not 165 | complete confidence --- that the theorem is true. 166 | 167 | \subsection{Formalization} 168 | \label{sec:formalization} 169 | 170 | Let $P$ and $V$ denote ``interactive'' algorithms, which take inputs 171 | and random coins as usual, but also (informally speaking) can pass 172 | messages to each other. Only one machine at a time performs ``work;'' 173 | when it passes a message to the other, the other machine starts 174 | working. We denote their joint execution on their respective inputs 175 | by $P(\cdot) \leftrightarrow V(\cdot)$. The notation 176 | $\out_{V}[\cdot]$ denotes the output of $V$ in the specified 177 | interaction. A \emph{language} $L$ is just a subset of $\bit^{*}$, 178 | whose elements we often call ``theorems.'' 179 | 180 | \begin{definition} 181 | \label{def:ips} 182 | An \emph{interactive proof system} (with \emph{soundness error} $s 183 | \in [0,1]$) for a language $L \subseteq \bit^{*}$ is a pair of 184 | algorithms: a (possibly computationally unbounded) prover $P$, and a 185 | ppt verifier $V$, with the following properties: 186 | \begin{enumerate} 187 | \item \emph{Completeness} (``the specified prover convinces the 188 | specified verifier of a true statement''): For all $x \in L$, 189 | $\out_{V}[ P(x) \leftrightarrow V(x) ] = 1$, with probability $1$. 190 | \item \emph{Soundness} (``\emph{no} possibly cheating prover can 191 | convince the specified verifier of a false statement''): For every 192 | computationally unbounded $P^*$ and all $x \not\in L$, 193 | \[ \Pr\left[ \out_{V}[ P^{*}(x) \leftrightarrow V(x) ] = 1 \right] 194 | \leq s.
\] 195 | \end{enumerate} 196 | \end{definition} 197 | 198 | \begin{remark} 199 | \label{rem:ips} 200 | Some notes on the above definition: 201 | \begin{itemize} 202 | \item Completeness is a property of the specified (``honest'') 203 | prover and verifier algorithms, and says nothing about security. 204 | Soundness protects the verifier: as long as it runs its specified 205 | $V$ algorithm, a cheating prover --- \emph{no matter how it might 206 | arbitrarily deviate from the protocol!} --- will not be able to 207 | convince it of a false theorem (with probability greater than 208 | $s$). 209 | \item We could relax the completeness condition to require 210 | $\out_{V}[ P(x) \leftrightarrow V(x) ] = 1$ with probability at 211 | least $1-c > s$ for some $c$ called the \emph{completeness} error. 212 | Every proof system we'll see in this course will have 213 | \emph{perfect} completeness, i.e., $c=0$. 214 | \item If we allow the probabilistic verifier machine and the 215 | all-powerful prover to interact for a polynomial number of rounds, 216 | we get the class of problems called $\IP$. In 1992, Adi Shamir proved 217 | one of the central results of complexity theory: $\IP = \class{PSPACE}$, 218 | the class of problems solvable by an ordinary deterministic Turing 219 | machine using polynomial space (and unbounded time). 220 | \end{itemize} 221 | \end{remark} 222 | 223 | \subsection{Interactive Proof for Graph Nonisomorphism} 224 | \label{sec:inter-proof-graph} 225 | 226 | A formal analogue of the Coke-versus-Pepsi question is the \emph{graph 227 | nonisomorphism} problem, defined below. 228 | 229 | \newcommand{\gni}{\problem{GNI}} 230 | 231 | A graph $G = (V,E)$ consists of a finite set $V$ of vertices, and an 232 | edge set $E \subseteq V \times V$ (where $(v_{0}, v_{1}) \in E$ means 233 | that there is an edge between vertices $v_{0}$ and $v_{1}$). Without 234 | loss of generality, we often say that the vertex set is $[n] = \set{1, 235 | \ldots, n}$ for some nonnegative integer $n$. 236 | 237 | \begin{definition} 238 | Two graphs $G_{0} = (V_{0}, E_{0})$ and $G_{1} = (V_{1}, E_{1})$ are 239 | \emph{isomorphic}, written $G_{0} \equiv G_{1}$, if there exists a 240 | bijection $\rho \colon V_{0} \to V_{1}$ such that $(v_{0}, v_{1}) 241 | \in E_{0}$ if and only if $(\rho(v_{0}), \rho(v_{1})) \in E_{1}$. 242 | \end{definition} 243 | 244 | \begin{definition} 245 | \label{def:gni} 246 | The \emph{graph nonisomorphism language} $\gni$ is defined as \[ 247 | \gni = \set{(G_{0}, G_{1}) : G_{0}, G_{1} \text{ are graphs such 248 | that } G_{0} \not\equiv G_{1}}. \] 249 | \end{definition} 250 | 251 | To date, it is unknown whether there exists an efficient algorithm 252 | that decides the graph (non)isomorphism language (though there 253 | \emph{are} efficient algorithms that decide it for a broad class of 254 | special cases). It is not even known if $\gni$ is in $\NP$, i.e., if 255 | membership in $\gni$ can be efficiently verified given a 256 | (polynomial-length) static proof. However, we are able to give a very 257 | simple \emph{interactive} proof for $\gni$. 258 | 259 | \begin{protocol} 260 | We define the following verifier and prover algorithms for $\gni$, 261 | which interact as follows: 262 | \begin{enumerate} 263 | \item $V(G_{0}, G_{1})$: Choose $b \gets \bit$ and a uniformly 264 | random permutation $\pi$ of $V_{b}$ (the vertex set of $G_{b}$). 265 | Send the permuted graph $H = \pi(G_{b})$ to the prover.
(Intuitively, the verifier is challenging 266 | the prover to identify 267 | which of the original two graphs $H$ is isomorphic to.) 268 | \item $P(G_{0}, G_{1})$: Upon receiving a graph $H$ from the 269 | verifier, find (perhaps using a large amount of computation) a $b' 270 | \in \bit$ such that $H$ is isomorphic to $G_{b'}$. Send $b'$ to 271 | the verifier. (Note that if $G_{0}$ and $G_{1}$ are not 272 | isomorphic, then there is at most one valid $b'$.) 273 | \item $V(G_{0}, G_{1})$: If $b' = b$, accept; otherwise, reject. 274 | \end{enumerate} 275 | \end{protocol} 276 | 277 | \begin{theorem} 278 | The algorithm pair $(P,V)$ described above forms an interactive 279 | proof system for $\gni$, with soundness error $1/2$. 280 | \end{theorem} 281 | 282 | \begin{proof} 283 | First we show completeness. Let $(G_{0}, G_{1}) \in \gni$, i.e., 284 | $G_0$ and $G_1$ are not isomorphic. Then no graph can be isomorphic 285 | to both $G_0$ and $G_1$. It follows that for any $H$ generated by 286 | (honest) $V$ with random choice $b$, the bit $b'$ computed by the 287 | prover always equals the $b$ chosen by the verifier, and $V$ always 288 | accepts. 289 | 290 | Now we show soundness. If $(G_0, G_{1}) \not\in \gni$, i.e., 291 | $G_{0}$ and $G_1$ are isomorphic, then uniformly random 292 | permutations of $G_{0}$ and of $G_{1}$ are identically distributed. 293 | More precisely, suppose that $G_{1} = \pi(G_{0})$ for some 294 | permutation $\pi$. Then for any permutation $\rho$, we have 295 | $\rho(G_{1}) = (\rho \circ \pi)(G_{0})$. In particular, if $\rho$ 296 | is a uniformly random permutation, then $\rho \circ \pi$ is also 297 | uniformly random, hence $\rho(G_{0})$ and $(\rho \circ \pi)(G_{0}) = \rho(G_{1})$ 298 | are identically distributed. Therefore, the graph $H$ sent by the 299 | verifier is statistically independent of its internal bit $b$, and 300 | for any prover reply $b'$, the probability that $b' = b$ is exactly 301 | $1/2$, as desired. 302 | \end{proof} 303 | 304 | \end{document} 305 | 306 | %%% Local Variables: 307 | %%% mode: latex 308 | %%% TeX-master: t 309 | %%% End: 310 | -------------------------------------------------------------------------------- /src/lec12 - Chosen-Ciphertext Attacks and Digital Signatures.tex: -------------------------------------------------------------------------------- 1 | \documentclass[11pt]{article} 2 | 3 | \input{header} 4 | 5 | % VARIABLES 6 | 7 | \newcommand{\lecturenum}{12} 8 | \newcommand{\lecturetopic}{CCA, Digital Signatures} 9 | \newcommand{\scribename}{Rajiv Iyer} 10 | 11 | % END OF VARIABLES 12 | 13 | \lecheader 14 | 15 | \pagestyle{plain} % default: no special header 16 | 17 | \begin{document} 18 | 19 | \thispagestyle{fancy} % first page should have special header 20 | 21 | % LECTURE MATERIAL STARTS HERE 22 | 23 | \section{Chosen-Ciphertext Attacks} 24 | \label{sec:chos-ciph-attacks} 25 | 26 | \subsection{Motivation} 27 | \label{sec:cca-motivation} 28 | 29 | In the preceding lectures, our notion of security for encryption was 30 | constrained to work against so-called \emph{passive} adversaries. 31 | Such adversaries are permitted to see the ciphertexts for messages of 32 | their choice, and (in the public-key setting) to generate ciphertexts 33 | on their own. However, the adversary never gets to see the 34 | \emph{decryptions} of any messages. For some applications, we will 35 | need a stronger definition in which the adversary gets (limited) 36 | access to the decryption machinery as well.
37 | 38 | To establish the motivation for this stricter definition, imagine an 39 | auction scenario, where Alice and Eve are bidders for some item that 40 | Bob has for sale. Alice is the honest participant, while Eve is the 41 | malicious adversary who tries to outbid Alice by the smallest amount 42 | possible. Consider how it might work: 43 | \begin{itemize} 44 | \item Alice encrypts her bid $b_{A}$ under a key $k$, and sends the 45 | resulting ciphertext $c$ to Bob. 46 | \item Eve intercepts the ciphertext $c$ and modifies some bit(s), 47 | dispatching the modified ciphertext $c'$ to Bob. To Bob, $c'$ looks 48 | like a ciphertext and is treated as such. Bob decrypts Alice's and 49 | Eve's ciphertexts, yielding bids $b_{A}$ and $b_{E}$, and decides who 50 | has bid the highest. 51 | \item To the highest bidder, Bob sends a message to the effect of 52 | ``Congratulations, you won with a bid of $b$!'' where $b = b_A$ or 53 | $b=b_E$, whichever is larger. 54 | \end{itemize} 55 | 56 | What if the encryption scheme used in this scenario allows Eve to 57 | modify the ciphertext $c$ so that the result $c'$ encrypts a message 58 | that is related (in a predictable way) to $b_{A}$, \emph{even though 59 | Eve does not know what $b_{A}$ is}? For example, what if Eve can 60 | increase the underlying bid by $1$? Then she will always win the 61 | auction with the lowest possible bid, \emph{and} she will learn the 62 | value of Alice's bid! 63 | 64 | It turns out that many encryption schemes are ``malleable'' in the 65 | above-described way. For example, consider our PRF-based scheme, 66 | where $c = (r , f_{k}(r) \oplus m)$. Flipping any bit of the second 67 | component causes the same bit in the underlying message to flip (as the calculation at the end of this subsection makes precise). So 68 | if Alice's bid happened to be even, Eve can increment it by $1$ by 69 | flipping the least significant bit. (If Eve suspects that Alice's 70 | bid is odd, she can flip other bits to increase it by $1$ or more.) 71 | %In the public-key setting, textbook RSA is similarly vulnerable: given 72 | %Alice's ciphertext $c = b_{A}^{e} \bmod N$, Eve can (for example) 73 | %double Alice's bid with $2^{e} \cdot c = (2b_{A})^{e} \bmod N$. 74 | 75 | The example illustrates some fine points: 76 | \begin{itemize} 77 | \item Eve is \emph{generating} ciphertexts of her own, not just seeing 78 | ciphertexts that come from an encryption oracle. She is mounting a 79 | so-called ``chosen-ciphertext attack'' on the scheme. 80 | \item Bob is taking some action based on the result of 81 | $\skcdec_{k}(c)$. In this case, when Bob sends his congratulations 82 | message, he is even acting as a \emph{decryption oracle}! 83 | \end{itemize} 84 | 85 | These issues are not just philosophical curiosities. PKCS\#1 is a 86 | family of public-key cryptographic standards implemented by web 87 | servers and browsers, smart cards, etc. In 1998, Bleichenbacher 88 | demonstrated a ``chosen-ciphertext'' attack against the PKCS\#1 89 | standard, which queried the decryption device (e.g., an SSL-equipped 90 | web server) on a large number of specially crafted ciphertexts, which 91 | gradually revealed information to the attacker. In practical terms, 92 | this meant that an SSL session key could be exposed in a reasonable 93 | amount of time, perhaps a day or less. (PKCS\#1 has since been 94 | updated with a ``chosen-ciphertext-secure'' protocol that withstands 95 | such attacks.)
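
To make the malleability of the PRF-based scheme completely precise, here is the one-line calculation (stated in the scheme's own notation): writing $c = (r, s)$ with $s = f_{k}(r) \oplus m$, for \emph{any} mask $\Delta$ of Eve's choosing, the modified ciphertext $c' = (r, s \oplus \Delta)$ satisfies \[ \skcdec_{k}(c') = f_{k}(r) \oplus (s \oplus \Delta) = m \oplus \Delta, \] so Eve can flip any chosen subset of the message bits without ever learning $m$ itself.
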
96 | 97 | \subsection{Definition} 98 | \label{sec:cca-definition} 99 | 100 | We seek a very conservative definition that ensures security 101 | \emph{even if the attacker is given access to a decryption oracle}. 102 | Of course, the attacker can learn the underlying message of any 103 | ciphertext simply by querying its decryption oracle, so how can we 104 | hope to achieve any meaningful notion of secrecy? The answer is that 105 | we slightly weaken the decryption oracle (in one of a couple of 106 | possible ways) to prevent the adversary from querying it on the 107 | challenge ciphertext. 108 | 109 | \begin{definition} 110 | \label{def:skc-cca} 111 | We say that $\skc$ is secure under \emph{chosen-ciphertext attack} 112 | (IND-CCA-secure) if the following tuple of oracles is 113 | indistinguishable for $b=0,1$: 114 | \[ \langle k \gets \skcgen : \skcenc_{k}(\cdot), 115 | \algo{D}_{k}(\cdot), \algo{C}_{k}^{b}(\cdot, \cdot) \rangle, \] 116 | where $\algo{C}_{k}(m_{0},m_{1})$ is the usual challenge oracle that 117 | outputs $c^{*} = \skcenc_{k}(m_{b})$ and terminates, and 118 | $\algo{D}_{k}(c)$ is an oracle that outputs $\bot$ if $c = c^{*}$ 119 | (the challenge ciphertext), else it outputs $\skcdec_{k}(c)$. 120 | 121 | We say that $\skc$ is IND-CCA1-secure (or secure under ``lunchtime'' 122 | attacks) if the above holds where $\algo{D}_{k}$ is a decryption 123 | oracle that answers queries \emph{before} $\algo{C}_{k}$ is invoked, 124 | then terminates (i.e., it does not answer queries after the 125 | challenge ciphertext $c^{*}$ has been produced). 126 | \end{definition} 127 | 128 | (``Lunchtime'' security is weaker than full IND-CCA security. The 129 | name refers to the following whimsical scenario: Eve breaks into Bob's 130 | office while Bob is out to lunch, thus temporarily gaining access to 131 | his decryption machinery. She wants to formulate a sequence of 132 | queries so that later on, when Bob comes back from lunch and she no 133 | longer has a decryption oracle, she can violate the secrecy of 134 | encrypted messages sent to/from Bob.) 135 | 136 | \subsection{Achieving CCA Security} 137 | \label{sec:achi-cca-secur} 138 | 139 | Our PRF-based scheme is not CCA-secure, as it is vulnerable to the 140 | bit-flipping attack described above. 141 | 142 | To design a CCA-secure scheme, we wish to use the notion of 143 | \emph{invalid ciphertexts}, i.e., we allow the decryption algorithm 144 | $\skcdec_{k}(\cdot)$ to output $\bot$ on ciphertexts that don't look 145 | ``well-formed.'' The intuition is to design the scheme so that the 146 | only way an adversary can obtain a well-formed ciphertext is by 147 | directly querying the encryption oracle. This way, it already 148 | ``knows'' the underlying message, hence the decryption oracle is 149 | ``useless!'' (This is just the intuition for how we think about 150 | designing a CCA-secure scheme.) 151 | 152 | It can be shown that in the shared-key setting, combining a message 153 | authentication code ($\mac$) with an IND-CPA-secure encryption scheme in the right way 154 | yields Authenticated Encryption (AE), a concept from last lecture. 155 | Moreover, it can be proved that any AE 156 | scheme is, in fact, IND-CCA-secure. (You will prove these facts in 157 | your homework.) 158 | 159 | \begin{question} 160 | Can textbook RSA ciphertexts be manipulated with predictable 161 | consequences to the underlying plaintexts (similar to the PRF-based 162 | scheme)?
Recall that RSA encryption takes a plaintext \(m \in \Z_n\)
  (where \(n = pq\) for primes \(p\), \(q\)) and returns
  \(m^e \bmod n\).
\end{question}

\begin{answer}
  Yes.  Multiplying a ciphertext that encrypts a message \(m\) by
  \(x^e\) yields a ciphertext that encrypts \(m \cdot x\):
  \[ \pkcenc(m) \cdot x^e \equiv m^e \cdot x^e \equiv (mx)^e \equiv
  \pkcenc(mx) .
  \]
\end{answer}

\begin{question}
  How does the ``bit-flipping'' trick for our PRF-based encryption
  scheme violate our precise definition of CCA security?
\end{question}

\begin{answer}
  Let \(m\) be any \((n-1)\)-bit string.  The attacker queries
  \(c^* \gets C_k^b(1 \concat m, 0 \concat m)\), then forms \(c'\)
  from \(c^*\) by flipping the first bit of its second component,
  queries the decryption oracle on \(c'\), and outputs the first bit
  of the resulting plaintext.  Note that \(c' \neq c^*\), so the
  decryption oracle does not output \(\bot\).  By the
  ``bit-flipping'' trick, \(D_k(c')\) equals \(D_k(c^*)\) with its
  first bit flipped, so the attacker outputs \(0\) if \(c^*\) is an
  encryption of \(1 \concat m\), and \(1\) otherwise.
\end{answer}

\section{Digital Signatures}
\label{sec:digital-signatures}

We now switch back to message authentication itself.  Just as with
encryption, a natural question is whether the tagging algorithm
$\mactag$ and verification algorithm $\macver$ must use the
\emph{same} key, or could they be \emph{asymmetric}?  That is, is it
possible for verification to be performed by anyone (using a public
verification key), while signing can be performed by only one party?

Digital signatures are the asymmetric analogue of $\mac$s.  For
messages sent over an insecure channel, a properly implemented digital
signature gives the receiver reason to believe the message was sent by
the claimed sender.

\subsection{Model}
\label{sec:model}

Very similarly to a $\mac$, a digital signature scheme $\sig$ is a
triple of algorithms:

\begin{itemize}
\item $\siggen$: outputs a (public) verification key $\vk$ and a
  (secret) signing key $\sk$.
\item $\sigsign_{\sk}(m) = \sigsign(\sk,m)$: given a message $m \in
  \msgspace$, outputs a signature $\sigma$.
\item $\sigver_{\vk}(m,\sigma) = \sigver(\vk,m,\sigma)$: given a
  message $m$ and signature $\sigma$, either accepts or rejects.
\end{itemize}

\subsection{Definition}
\label{sec:uf-cma-definition}

We seek a security definition in which the adversary (forger) may see
signatures for messages that it selects arbitrarily (hence
\emph{chosen-message attack}, or CMA), but still cannot forge a
signature for any other message.  Therefore, we give the adversary
oracle access to $\sigsign_{\sk}(\cdot)$.  Moreover, the forger should
explicitly be given the verification key $\vk$, because it is public
information.
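In pseudocode, the attack game that the definition below formalizes
looks roughly as follows (a schematic Python sketch; the
\texttt{gen}/\texttt{sign}/\texttt{verify} interface and the forger
are hypothetical stand-ins, not part of any particular scheme):

\begin{verbatim}
def uf_cma_experiment(scheme, forger, n):
    # The forger gets vk and a signing oracle, and wins by producing
    # a valid signature on a message it never queried (standard
    # unforgeability).
    vk, sk = scheme.gen(n)
    queried = []

    def sign_oracle(m):
        queried.append(m)
        return scheme.sign(sk, m)

    m_forged, sig = forger(vk, sign_oracle)
    return scheme.verify(vk, m_forged, sig) and m_forged not in queried
\end{verbatim}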
\begin{definition}
  \label{def:uf-cma-sig}
  We say that $\sig$ is \emph{(strongly) unforgeable under
    chosen-message attack} (UF-CMA-secure) if for every nuppt $\For$,
  \[ \advan_{\sig}(\For) := \Pr_{(\vk,\sk) \gets \siggen}
  \bracks*{\For^{\sigsign_{\sk}(\cdot)}(\vk) \text{ succeeds}} \leq
  \negl(n), \] where ``succeeds'' means that $\For$ outputs $(m',
  \sigma')$ such that $\sigver_{\vk}(m', \sigma')$ accepts, and either
  \begin{itemize}
  \item \emph{Standard} unforgeability: $m'$ differs from all queries
    $m_{i}$ to the $\sigsign$ oracle;
  \item \emph{Strong} unforgeability: $(m', \sigma')$ differs from all
    query/response pairs $(m_{i}, \sigma_{i})$ of the $\sigsign$
    oracle.
  \end{itemize}
\end{definition}

As with a $\mac$, the definition of \emph{strong} unforgeability
corresponds to a looser notion of success, implying a stricter
definition of security.

\subsection{A (Failed) Proposal}
\label{sec:failed-proposal}

We sketch out a scheme with the view of making it UF-CMA-secure, but
which we will show fails to live up to the definition.  The scheme is
based on a family of trapdoor one-way permutations.  Recall that a TDP
family is a family $\calF = \set{f_{s} : D_{s} \to D_{s}}$ of one-way
permutations, where the function sampler $\algo{S}$ outputs, along
with $f_{s} \gets \calF$, a \emph{trapdoor} $t$ that makes it easy to
compute $f_{s}^{-1}$.  The intuition is that the signer can use the
trapdoor to compute a signature by inverting $f_{s}$ on the message,
which the verifier can check by computing $f_{s}$ in the ``forward''
direction.

Formally, we define the following triple of algorithms:
\begin{itemize}
\item $\siggen$: choose $(s,t) \gets \algo{S}$.  Output $\vk = s$ and
  $\sk = t$.
\item $\sigsign_{t}(m \in D_{s})$: output $\sigma = f_{s}^{-1}(m)$.
\item $\sigver_{s}(m, \sigma)$: accept if $f_{s}(\sigma) = m$,
  otherwise reject.
\end{itemize}

The scheme is correct by inspection.  And $f_{s}$ is ``hard to
invert'' by assumption, so why isn't the scheme secure according to
\cref{def:uf-cma-sig}?  The key point is that $f_{s}$ is
hard to invert on a \emph{random} value $y \in D_{s}$, but a forger
gets to \emph{choose} the message on which it inverts $f_{s}$!  In
fact, observe that there is a trivial attack on the above scheme
(which doesn't even make use of a signing oracle): given $\vk = s$,
choose some $\sigma \in D_{s}$, let $m = f_{s}(\sigma)$, and output
$(m,\sigma)$ as a forgery.  Clearly, $\sigver_{s}$ accepts this pair!

Designing a truly UF-CMA-secure signature scheme is quite tricky, and
involves several steps.  We will see how to do so in the next lecture.

\end{document}

\subsection{A One-Time Signature}
\label{sec:one-time-signature}

We suggest a ``one-time''-secure signature scheme based on one-way
functions.  We constrain the $\sigsign_{\sk}(\cdot)$ oracle to be
able to answer \emph{only one} query.  We describe the construction,
based on an OWF $f$ over a message space $M = \bit^{n}$, as the
following triple of algorithms:

\begin{itemize}
\item $\siggen$ works as follows:
  \begin{itemize}
  \item For $i \in [n]$ and $b \in \bit$, choose $X_{i}^{b}
    \gets \bit^{n}$ and let $Y_{i}^{b} = f(X_{i}^{b})$.
  \item Let $\sk = \set{X_{i}^{b}}$ and $\vk = \set{Y_{i}^{b}}$.
  \end{itemize}
\item $\sigsign(\sk, m \in \bit^{n})$ outputs $\sigma =
  (X_{i}^{m_{i}})$, where $\sigma$ is a tuple in $\set{\bit^{n}}^{n}$.
\item $\sigver(\vk, m, \sigma)$ checks that $f(\sigma_{i}) =
  Y_{i}^{m_{i}}$ for all $i \in [n]$.
\end{itemize}

The completeness is evident on inspection.  Also, for any forgery $(m'
, \sigma')$ there must exist an $i$ such that $m_{i}' \neq m_{i}$
(where $m$ was the query).  If $\sigma'$ verifies, then $\sigma_{i}'
\in f^{-1}(Y_{i}^{m_{i}'})$; that is, the forger has inverted $f$ on a
value for which no preimage was ever revealed, contradicting the
one-wayness of $f$.

\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End:
--------------------------------------------------------------------------------
/src/lec08 - Pseudorandom Functions.tex:
--------------------------------------------------------------------------------
\documentclass[11pt]{article}

\input{header}

\usepackage{graphicx}
\usepackage{algorithm,algorithmic}

% VARIABLES

\newcommand{\lecturenum}{8}
\newcommand{\lecturetopic}{Pseudorandom Functions}
\newcommand{\scribename}{Indranil Banerjee}

% END OF VARIABLES

\lecheader

\pagestyle{plain} % default: no special header

\begin{document}

\thispagestyle{fancy} % first page should have special header

% LECTURE MATERIAL STARTS HERE

\section{Recap: Pseudorandom Generators}
\label{sec:recap:-pseud-gener}

\begin{enumerate}
\item It is possible to construct a hard-core predicate for any
  one-way function.  Let $f: \{0,1\}^{*} \rightarrow \{0,1\}^{*}$ be
  any one-way function (or permutation).  We define $f'(r,x) =
  (r,f(x))$ for $\len{r} = \len{x}$.  Then $f'$ is also a one-way
  function (or permutation, respectively), and $h(r,x) = \inner{r,x}
  \bmod 2$ is a hard-core predicate for $f'$.
\item A pseudorandom generator exists under the assumption that a
  one-way permutation exists.  Formally, if $f$ is a OWP and $h$ is a
  hard-core predicate for $f$, then $G(s) = (f(s), h(s))$ is a PRG
  with output length $\ell(n) = n+1$.
\item If there exists a PRG $G(s) = (f(s), h(s))$ with output length
  $\ell(n) = n+1$, then
  \[ G'(s) = (h(s), h(f(s)), h(f^{(2)}(s)), \ldots, h(f^{(m-1)}(s))) \]
  is a PRG of output length $m$ for any $m = \poly(\abs{s})$.
\end{enumerate}

While it is well known that the existence of a PRG implies that a OWF
must exist, is the converse also true?  That is, does the existence of
a one-way function also imply that a pseudorandom generator must
exist?  In fact, this turns out to be true as well.  Hastad,
Impagliazzo, Levin, and Luby (HILL) established in 1989 that a PRG can
be constructed from any OWF.  Their construction is much more
complicated than the one for OWPs, because it must address the issue
that the OWF $f$ may be very ``unstructured,'' and thus the
distribution of $f(x)$ may be very different from uniform, even when
$x$ is uniform.
The HILL PRG construction utilizes a random seed of length $n^{10}$
for a OWF of input length $n$.  The details of the construction are
beyond the scope of this class.

\section{Pseudorandom Functions}
\label{sec:pseud-funct}

\subsection{Preliminary Concepts}
\label{sec:preliminary-concepts}

Having already developed a precise definition for a pseudorandom
\emph{string} of bits, a natural extension is to ask: what would a
random \emph{function} look like?

A function from $\bit^{n}$ to $\bit$ is given by specifying an output
bit for every one of its inputs, of which there are $2^{n}$.
Therefore, the set of \emph{all} functions from $\bit^{n}$ to $\bit$
contains exactly $2^{2^{n}}$ functions; a ``random function'' (with
this domain and range) is a uniformly random choice from this set.
Such a function can also be viewed as a uniformly random $2^{n}$-bit
string, which simply lists all the function's outputs.  However,
stated this way, it is impossible to even look at the entire string
efficiently (in $\poly(n)$ time).  Therefore, we define a model in
which we give \emph{oracle} access to a function.

Writing $\Adv^{f}$ signifies that $\Adv$ has query access to $f$,
i.e., $\Adv$ can (adaptively) query the oracle on any input $x$ and
receive the output $f(x)$.  However, $\Adv$ only has a
``\emph{black-box}'' (input/output) view of $f$, without any knowledge
of how the function $f$ is evaluated.

\begin{definition}[Oracle indistinguishability]
  Let $\Ora = \{O_{n}\}$ and $\Ora'=\{O'_{n}\}$ be ensembles of
  probability distributions over functions from
  $\bit^{\ell_{1}(n)}$ to $\bit^{\ell_{2}(n)}$, for some
  $\ell_{1}(n), \ell_{2}(n) = \poly(n)$.  We say that $\Ora \compind
  \Ora'$ if, for all nuppt distinguishers $\Dist$,
  \[ \advan_{\Ora,\Ora'}(\Dist) :=
  \abs*{\Pr_{f \gets O_{n}}[\Dist^{f}(1^n) = 1] - \Pr_{f \gets
      O'_{n}}[\Dist^{f}(1^n) = 1]} = \negl(n). \]
\end{definition}

Naturally, we say that $\Ora = \{O_{n}\}$ is \emph{pseudorandom} if \[
\Ora \compind \set*{U\parens*{\bit^{\ell_{1}(n)} \to
    \bit^{\ell_{2}(n)}}}, \] i.e., if no efficient adversary can
distinguish (given only oracle access) between a function sampled
according to $O_n$, and a uniformly random function, with more than
negligible advantage.

\begin{definition}[PRF Family]
  A family $\set*{f_{s}: \bit^{\ell_{1}(n)} \rightarrow
    \bit^{\ell_2(n)}}_{s \in \bit^{n}}$ is a \emph{pseudorandom
    function family} if it is:
  \begin{itemize}
  \item \emph{Efficiently computable}: there exists a deterministic
    polynomial-time algorithm $F$ such that $F(s,x) = f_{s}(x)$ for
    all $s \in \bit^{n}$ and $x \in \bit^{\ell_{1}(n)}$.
  \item \emph{Pseudorandom}: $\set*{U(\set{f_{s}})}$ is
    pseudorandom.
  \end{itemize}
\end{definition}

Having developed a precise definition of a pseudorandom family of
functions, the natural question arises: does such a primitive even
exist?  And under what assumptions?

Notice that if $\ell_{1}(n) = O(\log n)$, all the output values of a
function $f : \bit^{\ell_{1}(n)} \to \bit^{\ell_{2}(n)}$ can be
written down as a string of exactly $2^{\ell_{1}(n)} \cdot \ell_{2}(n)
= \poly(n)$ bits.  Moreover, all the function values can be queried in
polynomial time, given oracle access.  Therefore, a PRF family with
$O(\log n)$-length input may be seen as a PRG, and vice-versa.  But do
there exist PRF families with longer input lengths --- say, $n$?

\begin{question}
  Let \(\set{f_s}\) be a pseudorandom function family.  Is the family
  \(\set{g_s}\) where \(g_s(x) = f_s(x) \concat 0\) also pseudorandom?
\end{question}

\begin{answer}
  No.  Intuitively, the output of \(g_s\) always ends in a 0,
  something which occurs only half the time in truly uniformly random
  strings.  Concretely, an adversary simply chooses an arbitrary
  string \(m\), queries its oracle on \(m\), and returns \(1\) if the
  output ends in \(0\), and \(0\) otherwise.  When its oracle is
  \(g_s\), the adversary always outputs \(1\), and when its oracle is
  a uniformly random function, it returns \(1\) with probability
  \(\frac{1}{2}\).  Hence, the adversary has a non-negligible
  advantage of \(\frac{1}{2}\).
\end{answer}

\subsection{Constructing PRFs}
\label{sec:constructing-prfs}

\begin{theorem}
  \label{thm:prg-implies-prf}
  If a pseudorandom generator exists (i.e., if a one-way function
  exists), then a pseudorandom function family exists for any
  $\ell_{1}(n), \ell_{2}(n) = \poly(n)$.
\end{theorem}

At first glance, this theorem may seem completely absurd.  The number
of functions in the family $\set{f_{s}}$ with a seed length $\len{s} =
n$ is at most $2^n$, whereas the total number of functions overall
(even with just one-bit outputs) is at least $2^{2^{n}}$.  Therefore,
our function family is $\approx 2^{-2^{n}}$-sparse, i.e., the family
$\set{f_s}$ makes up only a \emph{doubly exponentially} small subset
of the entire space of functions.

\begin{proof}[Proof of \cref{thm:prg-implies-prf}]
  For simplicity, we prove the theorem for $\ell_{1}(n) = \ell_{2}(n)
  = n$; extending to other values is straightforward.

  Our objective is to ``stretch'' an $n$-bit uniformly random string
  to produce an exponential (at least $2^{n}$) number of
  ``random-looking'' strings.  Assume without loss of generality that
  $G$ is a PRG with output length $\ell(n) = 2n$.  The basic idea is
  to view the output of $G$ as two length-$n$ pseudorandom strings,
  which can be used recursively as inputs to $G$ to generate an
  exponential number of strings.

  Formally, view $G$ as a pair of length-preserving functions $G_{0}$,
  $G_{1}$ (i.e., $\len{G_{0}(s)} = \len{G_{1}(s)} = \len{s}$), where
  \[ G(s) = G_{0}(s) \mid G_{1}(s). \] The idea behind the PRF
  construction is that the function $f_{s}(x)$ computes a path,
  specified by the bits of $x$ starting from the root seed $s$, as
  shown below:
  \begin{center}
    \includegraphics[width=.6\linewidth]{PRF.jpg}
  \end{center}

  Formally, we define the function $f_{s}(\cdot)$ as
  \[ f_{s}(x) = G_{x_{n}}(\cdots G_{x_{2}}(G_{x_{1}}(s)) \cdots). \]
  Why might we expect $f_{s}$ to ``look random,'' for a uniformly
  random (secret) seed $s$?  Intuitively, $G_{0}(s)$ and $G_{1}(s)$
  ``look like'' independent uniform $n$-bit strings, and we might
  expect this pseudorandomness to propagate downward through the
  layers of the tree.  Let us try to prove this rigorously.

  \emph{Attempt 1}: Design a sequence of hybrid experiments where each
  leaf of the tree is successively replaced by its ``ideal'' form,
  i.e., with a uniform $n$-bit string.  Clearly, the $0$th hybrid
  corresponds to the ``real'' tree construction, and the $2^{n}$th
  corresponds to a truly random function.  However, this approach is
  flawed, as it requires $2^n$ hybrid steps.  (As an exercise, show
  that the hybrid lemma is \emph{false}, in general, for an
  exponential number of hybrid steps.)

  \emph{Attempt 2:} Successively replace each \emph{layer} of the tree
  with ideal uniform, independent entries (all at once).  Thus,
  $H_{0}$ corresponds to the real tree construction, and $H_{n}$
  corresponds to a truly random function.  Note that we now have only
  $n$ hybrid steps.

  More formally, we describe hybrid distributions defining (a
  distribution over functions) $f$ as follows:
  \begin{itemize}
  \item $H_{0}$ is the real tree construction, with a uniformly random
    root $s$, and $f(x) = G_{x_{n}}(\cdots G_{x_{1}}(s) \cdots)$.
  \item For $i \in [n]$, $H_{i}$ is the tree construction, but using
    uniformly random seeds across the $i$th layer of the tree.
    Formally, $f(x) = G_{x_{n}}(\cdots G_{x_{i+1}}(s_{x_{1} \cdots
      x_{i}}) \cdots)$, where the seeds $s_{y}$ are uniformly random
    and independent for each $y \in \bit^{i}$.
  \end{itemize}

  As a warm-up, we first show that $H_{0} \compind H_{1}$ (in the
  sense of oracle indistinguishability) assuming that $G$ is a PRG.
  To prove this, we need to construct a simulator $\Sim$ that emulates
  one of $H_{0}$ or $H_{1}$ (as oracles), depending on whether its
  input is $G(U_{n})$ or $U_{2n}$.  That is, the simulator should use
  its input to answer arbitrary queries.  The simulator $\Sim$ works
  as follows: given $(z_{0}, z_{1}) \in \bit^{2n}$, it answers each
  query $x$ by returning $G_{x_{n}}(\cdots G_{x_{2}}(z_{x_{1}})\cdots
  )$.

  It is easy to check that the simulator emulates the desired hybrids.
  First, if $(z_{0}, z_{1}) = (G_{0}(s), G_{1}(s))$ for $s \gets
  U_{n}$, then $\Sim(z_{0}, z_{1})$ answers each query $x \in
  \bit^{n}$ as
  \[ G_{x_{n}}(\cdots G_{x_{2}}(G_{x_{1}}(s)) \cdots ) = f_{s}(x), \]
  exactly as in $H_{0}$.  Similarly, if $(z_0, z_1) \gets (U_n,
  U_n)$, then $\Sim$ answers each query exactly as in $H_{1}$.  Now
  because $G(U_{n}) \compind U_{2n}$ and $\Sim$ is efficient, by the
  composition lemma we conclude that $H_0 \compind H_1$.

  Unfortunately, this approach does not scale well to the deeper
  layers of the tree, because the simulator $\Sim$ would need to take
  an exponential number of input strings.  However, we can make two
  observations:
  \begin{itemize}
  \item In $H_{i}$, all the subtrees growing from the $i$th level are
    \emph{symmetric}, i.e., they are identically distributed and
    independent.
  \item The polynomial-time distinguisher $\Dist$ attacking the PRF
    can make only a \emph{polynomial} number of queries to its oracle.
  \end{itemize}
  The key point is that the simulator then only needs to simulate
  $q(n) = \poly(n)$ subtrees in order to answer all the queries of the
  distinguisher correctly.

  For the hybrids $H_{i-1}$ and $H_{i}$, \cref{alg:simulator}
  defines a simulator that takes $q(n) = \poly(n)$ pairs of $n$-bit
  strings.

  \renewcommand{\algorithmicrequire}{\textbf{Input:}}

  \begin{algorithm}
    \caption{Simulator $\Sim_{i}$ for emulating either $H_{i-1}$ or $H_{i}$.}
    \label{alg:simulator}
    \begin{algorithmic}[1]
      \REQUIRE $(z^1_0, z^1_1), \ldots , (z^q_0, z^q_1) \in \bit^{2n}$
      for some large enough $q(n) = \poly(n)$
      \STATE $j \gets 1$
      \WHILE{there is a query $x \in \bit^{n}$ to answer}
      \IF{prefix $x_{1} \cdots x_{i}$ is not yet associated with an index}
      \STATE associate $j$ with $x_{1} \cdots x_{i}$
      \STATE $j \gets j+1$
      \ENDIF
      \STATE look up the index $k$ associated with prefix $x_{1} \cdots
      x_{i}$
      \STATE answer $G_{x_{n}}(\cdots G_{x_{i+1}}(z^{k}_{x_{i}})
      \cdots)$
      \ENDWHILE
    \end{algorithmic}
  \end{algorithm}

  We analyze the behavior of $\Sim_{i}$.  Suppose that the
  distinguisher $\Dist$ (making queries to $\Sim_{i}$) makes at most
  $q$ queries, so the counter $j$ never ``overflows.''  Now, if the
  pairs $(z^{j}_{0}, z^{j}_{1}) \gets G(U^{j}_{n})$ are independent
  pseudorandom strings, then $\Sim_{i}$ answers each query $x$ by
  $G_{x_{n}}(\cdots G_{x_{i+1}}(G_{x_{i}}(U^{k}_{n})) \cdots)$, for a
  distinct $k$ associated uniquely with the $i$-bit prefix of $x$.  By
  construction, $\Sim_{i}$ therefore emulates $H_{i-1}$ exactly.
  Similarly, if the $(z^{j}_{0}, z^{j}_{1}) \gets U^j_{2n}$ are
  uniformly random and independent, then $\Sim_{i}$ simulates
  $H_{i}$.

  At this point, we would like to conclude that $H_{i-1} \compind
  H_{i}$, but can we?  To do so using the hybrid lemma, we would need
  to show that the two types of inputs to $\Sim_{i}$ (namely, a
  sequence of $q = \poly(n)$ \emph{independent pairs} $(z_{0}, z_{1})$
  each drawn from either $G(U_{n})$ or $U_{2n}$) are
  indistinguishable.  This can be shown via a straightforward hybrid
  argument, using the hypothesis that $G$ is a PRG, and is left as an
  exercise.
\end{proof}

\subsection{Consequences for (Un)Learnability}
\label{sec:cons-learning}

A family of functions is said to be \emph{learnable} if any member of
the family can be reconstructed efficiently (i.e., as code), given
oracle access to the function.  In this sense, a PRF family is
\emph{completely unlearnable}, in that no efficient adversary can
determine \emph{anything} about the values of the function (given
oracle access) on any of the unqueried points.  As a consequence, if a
class of functions is expressive enough to ``contain'' a PRF family,
then this class is unlearnable.  E.g., under standard assumptions, the
class $\class{NC}^{1}$ can implement PRFs, hence it is unlearnable.
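Returning to the tree construction of \cref{thm:prg-implies-prf},
here is a minimal Python sketch of evaluating $f_{s}(x)$ by walking
the tree; SHA-256 is used only as a stand-in for a length-doubling
PRG $G$ (the theorem, of course, requires a provably secure $G$):

\begin{verbatim}
import hashlib

def G(s):
    # Stand-in length-doubling "PRG": 32-byte seed -> (G_0(s), G_1(s)).
    return (hashlib.sha256(s + b"\x00").digest(),
            hashlib.sha256(s + b"\x01").digest())

def f(s, x_bits):
    # Walk the tree: at level i, take the half selected by bit x_i.
    v = s
    for b in x_bits:
        v = G(v)[b]
    return v

key = b"\x00" * 32                  # the (secret) root seed s
print(f(key, [1, 0, 1, 1]).hex())   # evaluate on the 4-bit input 1011
\end{verbatim}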
\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End:
--------------------------------------------------------------------------------
/src/lec13 - Many-Time Digital Signatures.tex:
--------------------------------------------------------------------------------
\documentclass[11pt]{article}

\input{header}

% VARIABLES

\newcommand{\lecturenum}{13}
\newcommand{\lecturetopic}{Many-Time Signatures}
\newcommand{\scribename}{Anand Louis}

% END OF VARIABLES

\lecheader

\pagestyle{plain} % default: no special header

\begin{document}

\thispagestyle{fancy} % first page should have special header

% LECTURE MATERIAL STARTS HERE

\section{One-Time Signatures}
\label{sec:one-time-signatures}

We recall the definition of unforgeability under chosen-message attack
for a signature scheme, which requires that for all nuppt $\For$,
\[ \Pr_{(\vk,\sk) \gets \siggen} \left[ \For^{\sigsign_{\sk}(\cdot)}(\vk)
  \text{ forges} \right] \leq \negl(n). \]

Constructing a scheme that satisfies such a strong security notion is
very involved, so we start with an easier goal: unforgeability under a
\emph{one-time} chosen-message attack (uf-1cma).  The definition is
syntactically identical to the one above, but $\For$ is restricted to
make (at most) one query to its signing oracle.

\newcommand{\ots}{\scheme{OTS}}

Here we describe \emph{Lamport's one-time signature scheme} $\ots$ for
messages of length $\ell = \poly(n)$, which is based on a one-way
function $f$:
\begin{itemize}
\item $\siggen$: for $i \in [\ell]$, $b \in \bit$, choose independent
  $x^{i,b} \gets \bit^n$ and let $y^{i,b} = f(x^{i,b})$.  Output
  signing key $\sk = \set{x^{i,b}}$ and verification key $\vk =
  \set{y^{i,b}}$.

  Visually, we can represent the keys as tables:

  \renewcommand{\arraystretch}{1.2}
  $\sk = $ \begin{tabular}{|c|c|c|c|}
    \hline
    $x^{1,0}$ & $x^{2,0}$ & $\cdots$ & $x^{\ell,0}$ \\ \hline
    $x^{1,1}$ & $x^{2,1}$ & $\cdots$ & $x^{\ell,1}$ \\ \hline
  \end{tabular}
  \qquad $\vk = $
  \begin{tabular}{|c|c|c|c|}
    \hline
    $y^{1,0}$ & $y^{2,0}$ & $\cdots$ & $y^{\ell,0}$ \\ \hline
    $y^{1,1}$ & $y^{2,1}$ & $\cdots$ & $y^{\ell,1}$ \\ \hline
  \end{tabular}

\item $\sigsign(\sk, m \in \bit^{\ell})$ reveals
  $\sigma=(x^{1,m_1},x^{2,m_2},\ldots,x^{\ell,m_{\ell}})$.  That is,
  for each bit of the message it reveals one of the two preimages
  (either $x^{i,0}$ or $x^{i,1}$), as determined by the message bit.

\item $\sigver(\vk,m,\sigma)$ accepts if $y^{i,m_i} = f(\sigma_i)$ for
  all $i \in [\ell]$.
\end{itemize}

\noindent Correctness is by inspection.

\begin{question}
  Verify that this scheme is indeed only one-time (at most).
  That is, show that if $\For$ is allowed to make two calls to the
  signing oracle, a forgery can be produced.
\end{question}

\begin{answer}
  The key thing to notice is that when a message is signed, half of
  the secret key is revealed.  For example, if the oracle is queried
  on~$0^{\ell}$, then the entire first row of the secret key is
  revealed.  Similarly, querying~$1^{\ell}$ reveals the second row.
  As such, an attacker that is allowed two oracle queries can simply
  query~$0^{\ell}$ and~$1^{\ell}$ to reveal the entire secret key.
  From there, a valid signature can be produced for any message.
\end{answer}

\begin{theorem}%
  \label{thm:ots-1cma}
  Lamport's OTS is unforgeable under a one-time chosen-message attack
  (uf-1cma-secure), assuming that~$f$ is a OWF\@.
\end{theorem}

\begin{proof}
  The idea is to give a reduction that uses a hypothetical forger
  $\For$ to break the one-wayness of~$f$.  More precisely, we design
  a simulator $\Sim$ which, given $y = f(x)$ for a uniformly random
  (but unknown) $x \gets \bit^{n}$, uses $\For$ to find an $x' \in
  f^{-1}(y)$ with non-negligible advantage.  The simulator will do
  this by ``plugging'' its given value of $y$ into a random cell of
  the verification key $\vk$ (and constructing the rest of $\vk$ as
  usual), and ``hoping'' that it will be able to answer $\For$'s
  signing query while also extracting a preimage $x' \in f^{-1}(y)$
  from the resulting forgery.

  More formally, the simulator $\Sim^{\For}(y)$ works as follows.
  Given input $y$, it chooses $i^* \gets [\ell]$ and $b^* \gets \bit$,
  and lets $y^{i^*,b^*} = y$.  For all other indices, it picks
  $x^{i,b} \gets \bit^n$ and lets $y^{i,b} = f(x^{i,b})$.  It gives
  $\vk = \set{y^{i,b}}$ to $\For$.  (We note that $\vk$ is properly
  distributed as in the real scheme, and that conditioned on the value
  of $\vk$, the indices $(i^*,b^*)$ are still uniformly random.)

  Next, $\For$ is allowed at most one query to its signing oracle,
  which $\Sim$ must emulate.  If $\For$ queries its signing oracle on
  a message $m \in \bit^{\ell}$, then $\Sim$ does the following:
  \begin{itemize}
  \item If $m_{i^*} = b^*$, then $\Sim$ quits (outputs $\bot$), as it
    does not know an inverse of $y^{i^{*},b^{*}} = y$.
  \item Otherwise, $\Sim$ returns $\sigma = (x^{1,m_{1}}, \ldots,
    x^{\ell,m_{\ell}})$ as required.
  \end{itemize}

  Finally, $\For$ outputs a forgery $(m', \sigma')$.  If $m'_{i^{*}} =
  b^{*}$, then $\Sim$ outputs $\sigma'_{i^{*}}$; otherwise it quits
  (outputs $\bot$).  Note that if $m'_{i^{*}} = b^{*}$ and
  $\sigma'$ is a valid signature for $m'$, then $\sigma'_{i^{*}}
  \in f^{-1}(y^{i^*,b^*} = y)$, as desired.

  We now analyze $\Sim^{\For}$.  Clearly it is nuppt, hence
  $\advan_{f}(\Sim^{\For})$ must be negligible.  By the following
  claim, $\advan_{\ots}(\For)$ must therefore be negligible as well,
  as desired.

  \begin{claim}
    $\advan_{f}(\Sim^{\For}) \geq \frac{1}{2\ell} \cdot
    \advan_{\ots}(\For)$.
  \end{claim}

  We prove the claim: first, since $b^* \in \bit$ remains uniform
  (even given $\vk$), $\Pr[b^* \neq m_{i^*}] = \frac{1}{2}$, so
  $\Sim$ is able to answer the signature query with probability $1/2$.
  Next, conditioned on a successful query phase, the index $i^{*} \in
  [\ell]$ is still uniformly random.  Thus, for any $m' \neq m$ output
  by $\For$, \[ \Pr[m'_{i^*} = b^{*} \mid b^* \neq m_{i^{*}} ] \geq
  \frac{1}{\ell}, \] because $m'$ and $m$ must differ in at least one
  position.
Finally, conditioned on $m'_{i^{*}} = b^{*} \neq 148 | m_{i^{*}}$ (which occurs with probability at least $1/2\ell$ as 149 | argued above), the simulator outputs a valid preimage of $y$ exactly 150 | when $\For$ outputs a valid forgery for $m'$. This completes the 151 | proof. 152 | \end{proof} 153 | 154 | \begin{question} 155 | Notice that the proof above showed \emph{standard} unforgeability, not \emph{strong} unforgeability. 156 | Is the scheme strongly unforgeable? 157 | \end{question} 158 | 159 | \begin{answer} 160 | Not necessarily. 161 | In particular, it is not strongly unforgeable if, given one preimage (under~$f$) of a value~$y$, it is easy to find another preimage. 162 | For example, suppose that~$f$ ignores the first bit of its input, i.e., $f(0x)=f(1x)$ for all~$x$. 163 | Then a forger can simply flip the first bit of any component $x^{i,b}$ of any valid signature~$\sigma$ for any message~$m$, to produce a different valid signature for the same message. 164 | \end{answer} 165 | 166 | \section{From One-Time to Many-Time} 167 | \label{sec:many-time-signatures} 168 | 169 | As you showed above, Lamport's scheme is only one-time. Still, we 170 | might imagine a way to obtain a many-time signature by choosing a 171 | ``fresh'' one-time signature key with each signed message, and 172 | authenticating it along with the message. However, this cannot work 173 | on its own, because the verification key $\vk$ in the one-time 174 | signature is much \emph{longer} than the messages it can sign (about 175 | $2 \ell n$ bits, for a length-preserving function $f$, versus $\ell$ 176 | bits). 177 | 178 | We will now see a way to overcome this problem by ``compressing'' the 179 | fresh verification key using a special kind of hash function. 180 | 181 | \subsection{Collision-Resistant Hash Functions} 182 | \label{sec:coll-resist-hash} 183 | 184 | We want a function that ``compresses'' its input, but for which it is 185 | hard to find two inputs that hash to the same output. This does not 186 | make much sense for a single \emph{fixed} function, because a 187 | non-uniform adversary can simply have two colliding inputs 188 | ``hard-wired'' into it. But it does make sense for a function chosen 189 | at random from a family. We also want the function (i.e., its 190 | description) to be \emph{public}, so that it can be run and checked by 191 | anyone. This means that the adversary should be given the description 192 | of the function, rather than just an oracle to it. 193 | 194 | \begin{definition} 195 | A family of hash functions $\set{h_s \colon D \to R}$ (where 196 | $\abs{R} < \abs{D}$) is \emph{collision-resistant} if for all nuppt 197 | $\Adv$, 198 | \[ \Pr_{h \gets \{ h_s \}} [\Adv(s) \text{ outputs distinct } x, x' 199 | \text{ such that } h(x) = h(x')] \leq \negl(n). \] 200 | \end{definition} 201 | 202 | \begin{example}[Based on discrete logarithm] 203 | Consider the family $\set{h_{p,g,y} \colon \Zp^{*} \times \bit \to 204 | \Zp^{*}}$ for prime $p$, generator $g$ of $\Z_p^*$, and $y \in 205 | \Z_p^*$: 206 | \[h_{p,g,y}(x,b) = y^b g^x \bmod p. \] 207 | \end{example} 208 | 209 | A function from this family shrinks its input by $1$ bit. To get 210 | additional compression, we can simply iterate the function by feeding 211 | its output (plus an additional bit) back to itself repeatedly. It is 212 | easy to check that a collision in the basic function can always be 213 | extracted from any collision in the iterated function (even if the 214 | colliding strings have different lengths). 
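Concretely, the basic function and its bit-by-bit iteration can be
sketched in Python as follows (the parameters are tiny toy values for
illustration only; a real instantiation needs a large prime $p$):

\begin{verbatim}
# h_{p,g,y}(x, b) = y^b * g^x mod p, and its iteration.
p, g, y = 1019, 2, 5       # toy parameters; 2 generates Z_1019^*

def h(x, b):
    return (pow(y, b) * pow(g, x, p)) % p

def h_iter(state, bits):
    # Repeatedly feed the current state back in, absorbing one more
    # input bit per application of the basic function.
    for b in bits:
        state = h(state, b)
    return state

print(h_iter(7, [1, 0, 1, 1, 0]))
\end{verbatim}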
\begin{claim}
  Under the discrete log assumption (i.e., that computing
  $\log_{g}(y)$ is hard), the family $\set{h_{p,g,y}}$ is a
  collision-resistant hash family.
\end{claim}

\begin{proof}
  We will construct a reduction $\Sim(p,g,y)$ that uses a
  collision-finder for $\set{h_{p,g,y}}$ to compute $\log_{g}(y)$,
  i.e., to find the exponent $z$ such that $y = g^z \bmod p$.  The
  reduction $\Sim$ simply asks for a collision $(x,b), (x',b')$ in
  $h_{p,g,y}$, and returns $(x-x') \bmod (p-1)$.  We claim that $\Sim$
  succeeds whenever the collision is valid.  To see why, observe that
  we cannot have $b = b'$: then $y^{b} g^{x} = y^{b} g^{x'} \in
  \Zp^{*}$ would imply $g^{x} = g^{x'}$ by cancellation, hence $x =
  x'$ (because $g$ has order $p-1$), contradicting the distinctness of
  the colliding inputs.  Therefore, $b \neq b'$; without loss of
  generality, assume $b = 0$ and $b' = 1$.  Then $g^x = y g^{x'}
  \Rightarrow y = g^{x - x'}$, and $(x-x') \bmod (p-1) =
  \log_{g}(y)$, as desired.
\end{proof}

\begin{example}[Based on subset-sum]
  Let $N= 2^{n}$, and for a vector $a=(a_1,a_2,\ldots, a_{2n}) \in
  \Z_N^{2n}$, define $h_a \colon \bit^{2n} \to \Z_N$ as $h_a(x) = \sum_i
  x_i a_i \bmod N$.  Finding distinct $x,x' \in \bit^{2n}$ such that
  $h_{a}(x) = h_{a}(x')$ implies finding $z = x-x' \in \{0, \pm 1
  \}^{2n}$ such that $\sum_i a_i z_i = 0 \bmod N$.  This is widely
  believed to be hard for a \emph{uniformly random} $a$.  (Moreover,
  there is some strong and surprising evidence of hardness based on
  lattice problems, which we may return to later in the course.)  Also
  note that the function already compresses its input by a factor of
  $2$; moreover, the input length can be made even larger (say,
  $100n$) without making collisions significantly easier to find.
\end{example}

\subsection{Improved OTS}

Using a collision-resistant hash family $\set{h_{s} : \bit^{\ell'} \to
  \bit^{\ell}}$, we can now define a slightly modified $\ots'$ that
uses $\ots$ to sign messages of length $\ell' > \ell$:

\begin{itemize}
\item $\siggen$: choose $h \gets \set{h_s}$ and $(\vk,\sk) \gets
  \ots.\siggen$.  Output $\vk' = (\vk, h)$ and $\sk' = (\sk,h)$.
\item $\sigsign_{(\sk,h)}(m \in \bit^{\ell'})$: output $\sigma \gets
  \ots.\sigsign_{\sk}(h(m))$.
\item $\sigver_{(\vk,h)}(m,\sigma)$: output
  $\ots.\sigver_{\vk}(h(m),\sigma)$.
\end{itemize}

Correctness is apparent.  The unforgeability of this scheme (under a
one-time chosen-message attack) follows directly from the fact that to
produce a valid forgery, $\For$ must either find a collision in $h$ or
break $\ots$, both of which are hard.

\subsection{Chaining Signatures}
\label{sec:chaining-signatures}

We will now see how to use a CRHF and the concept of \emph{chaining}
one-time signatures to obtain a secure many-time signature scheme.
The main idea is to generate a \emph{fresh} key pair along with each
signed message, and to authenticate it along with the message.  The
next message is signed with the key generated with the prior message
(and a new key pair is generated and authenticated along with it,
etc.).  Notice, however, that the signer must keep \emph{state} to
know which key to use and what to include in a given signature.
Assume we have a secure one-time signature scheme $\ots$, which we
assume can sign messages that are as long as a verification key $\vk$
of $\ots$, plus $\ell$.  The full many-time signature scheme signs
messages of length $\ell$, and works as follows:

\begin{itemize}
\item $\siggen$:
  \begin{itemize}
  \item generate $(\sk_1,\vk_1) \gets \ots.\siggen$
  \item output $\sk = \sk_1$ and $\vk = \vk_1$
  \end{itemize}

\item $\sigsign(\sk_i,m_i)$ (for $i=1,2, \ldots$)
  \begin{itemize}
  \item generate a fresh $(\sk_{i+1}, \vk_{i+1}) \gets \ots.\siggen$
  \item let $\sigma_i = \ots.\sigsign_{\sk_{i}}(m_i \concat \vk_{i+1})$
  \item output $(\vk_{i+1}, \sigma_{i}, m_{i}; \ldots; \vk_{2},
    \sigma_1, m_1; \vk_1)$

    (The signature is the entire authentication chain; the message
    $m_{i}$ itself appears in the chain.)
  \end{itemize}

\item $\sigver_{\vk}(\vk_{i+1}, \sigma_i,m_i; \ldots; \vk_{2},
  \sigma_1, m_1; \vk_1)$
  \begin{itemize}
  \item accept if $\vk_{1} = \vk$ and
    $\ots.\sigver_{\vk_{j}}(m_j \concat \vk_{j+1}, \sigma_{j})$
    accepts for all $j \in [i]$; otherwise, reject.
  \end{itemize}
\end{itemize}

Notice that not only does the signer keep state, but the signature
size increases \emph{linearly} with the number of signatures ever
generated by the signer.  (The verification time also increases
linearly, but at least the verifier does not need to keep any state.)
It can be shown that this signature scheme is uf-cma-secure.  The
intuition is that a forgery must somewhere ``break off'' from the
chain produced by the legitimate signer, and hence is a forgery
against one of the $\vk_{i}$, which is hard to produce due to the
uf-1cma security of $\ots$.  A formal proof is relatively routine.

\subsection{Improvements}
\label{sec:improvements}

One way to improve the above many-message scheme is to authenticate
\emph{two} new verification keys instead of one at each step.  This
new construction builds, in a depth-first manner, a binary tree of
depth $n$, where each node in the tree is associated with one key pair
$(\sk,\vk)$.  Such a digital signature algorithm can perform up to
$2^n$ signatures, with a signature size that grows only linearly in
$n$.

\begin{center}
  \includegraphics[scale = 0.35]{tree}
\end{center}

At any point in time, the signer maintains a special node, which it
calls the \emph{current node}.  To sign a message $m$, if the current
node is at a depth less than $n$ in the tree, the signer generates and
stores $2$ more key pairs and sets them as the children of the current
node.  It uses the signing key in the current node to sign the message
together with the two new verification keys, and updates the current
node to be its left child.  Otherwise (i.e., if the current node is
already at depth $n$), the signer uses the current node to sign the
message and updates the current node to be the successor in the
preorder traversal of the tree.

Here the signer need only include a transcript of all the previously
signed messages \emph{down the path from the root to the current
  node}.  In addition, the signer need only keep state containing the
keys along the path to the current node, and their siblings.
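Returning to the basic chain construction above, the following Python
sketch combines Lamport's scheme with hash-then-sign (SHA-256 standing
in for both the OWF and the CRHF) and the linear chain; all interfaces
and encodings here are illustrative choices, not part of the formal
scheme:

\begin{verbatim}
import hashlib, os

H = lambda d: hashlib.sha256(d).digest()   # stand-in OWF and CRHF
ELL = 256                                  # bit length of hashed messages

def ots_gen():
    sk = [[os.urandom(32) for _ in range(ELL)] for _ in (0, 1)]
    vk = [[H(x) for x in row] for row in sk]
    return sk, vk

def bits(d):                               # 32-byte digest -> 256 bits
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(ELL)]

def ots_sign(sk, msg):                     # hash-then-sign (OTS')
    return [sk[b][i] for i, b in enumerate(bits(H(msg)))]

def ots_verify(vk, msg, sig):
    return all(H(sig[i]) == vk[b][i] for i, b in enumerate(bits(H(msg))))

def vk_bytes(vk):                          # serialize vk for m || vk
    return b"".join(b"".join(row) for row in vk)

class ChainSigner:
    def __init__(self):
        self.sk, self.root_vk = ots_gen()  # vk_1 is the public key
        self.chain = []                    # (vk_{j+1}, sigma_j, m_j)

    def sign(self, m):
        sk_next, vk_next = ots_gen()       # fresh key pair per message
        sigma = ots_sign(self.sk, m + vk_bytes(vk_next))
        self.chain.append((vk_next, sigma, m))
        self.sk = sk_next
        return list(self.chain)            # the chain is the signature

def chain_verify(root_vk, chain):
    vk = root_vk
    for vk_next, sigma, m in chain:
        if not ots_verify(vk, m + vk_bytes(vk_next), sigma):
            return False
        vk = vk_next
    return True

signer = ChainSigner()
signer.sign(b"first message")
sig = signer.sign(b"second message")
assert chain_verify(signer.root_vk, sig)
\end{verbatim}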
355 | 356 | Moreover, we can make the scheme entirely \emph{stateless} by viewing 357 | the tree as \emph{implicitly} fully determined by a PRF $f_{k}$. That 358 | is, in order to generate the key pair at a certain node, the signer 359 | computes $f_{k}$ on a corresponding input, and uses the result as the 360 | random coins for $\ots.\siggen$. Because $f_{k}$ always returns the 361 | same output on the same input, the signer can consistently regenerate 362 | any desired node as needed. To sign a message, the signer then just 363 | signs relative to a randomly chosen leaf node. With high probability, 364 | no leaf is ever used more than once, so (intuitively, at least) the 365 | scheme is secure. A full proof is rather involved, but not especially 366 | difficult. 367 | 368 | \end{document} 369 | 370 | %%% Local Variables: 371 | %%% mode: latex 372 | %%% TeX-master: t 373 | %%% End: 374 | -------------------------------------------------------------------------------- /src/lec14 - Random Oracles and Signatures.tex: -------------------------------------------------------------------------------- 1 | \documentclass[11pt]{article} 2 | 3 | \input{header} 4 | 5 | \usepackage[noend]{algorithmic} 6 | \usepackage{algorithm} 7 | 8 | % VARIABLES 9 | 10 | \newcommand{\lecturenum}{14} 11 | \newcommand{\lecturetopic}{Random Oracle Signatures} 12 | \newcommand{\scribename}{Steven Ehrlich} 13 | 14 | % END OF VARIABLES 15 | 16 | \lecheader 17 | 18 | \pagestyle{plain} % default: no special header 19 | 20 | \begin{document} 21 | 22 | \thispagestyle{fancy} % first page should have special header 23 | 24 | % LECTURE MATERIAL STARTS HERE 25 | 26 | \section{Recap and Looking Ahead} 27 | \label{sec:recap-looking-ahead} 28 | 29 | Previously we demonstrated a signature scheme that was derived from 30 | any one-way function, plus a collision-resistant hash family; this 31 | latter assumption can be replaced with a slightly weaker primitive 32 | that also follows from one-way functions. This means that even though 33 | they are a ``public-key'' object, signature schemes exist in 34 | minicrypt. 35 | 36 | Unfortunately our scheme was quite inefficient. Now we'll consider an 37 | alternative signature scheme that is efficient and simpler to analyse. 38 | To do this, we'll rely on stronger assumptions: we will rest our 39 | scheme on trapdoor permutations instead of just OWFs, and the security 40 | analysis will be in an \emph{idealized} setting called the Random 41 | Oracle Model. 42 | 43 | \section{Random Oracle Model} 44 | \label{sec:random-oracle-model} 45 | 46 | A random oracle is a ``public truly random function:'' 47 | \begin{itemize} 48 | \item Anyone can query it as a ``black box.'' 49 | \item It gives a \emph{consistent}, \emph{uniform}, and 50 | \emph{independent} random output for each distinct input. 51 | \end{itemize} 52 | 53 | Is a random oracle substantially different from a PRF? On the 54 | surface, no: a PRF can be queried, and gives consistent outputs that 55 | appear uniformly random and independent. However, the point of having 56 | a random oracle is for it to be \emph{public}. If the seed of a PRF 57 | is revealed, then it loses all its security guarantees. 
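In proofs and experiments, a random oracle is typically realized by
\emph{lazy sampling}: sample a fresh uniform output the first time
each input is queried, and answer consistently thereafter.  A minimal
Python sketch (the 256-bit output length is an arbitrary choice):

\begin{verbatim}
import os

class RandomOracle:
    # Lazy-sampled random oracle H : {0,1}^* -> {0,1}^256.
    def __init__(self):
        self.table = {}

    def query(self, x: bytes) -> bytes:
        if x not in self.table:             # first query on x:
            self.table[x] = os.urandom(32)  # fresh uniform output
        return self.table[x]                # consistent thereafter

H = RandomOracle()
assert H.query(b"hello") == H.query(b"hello")
\end{verbatim}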
58 | 59 | \subsection{Methodology} 60 | \label{sec:ro-methodology} 61 | 62 | \href{http://cseweb.ucsd.edu/users/mihir/papers/ro.html}{Bellare and 63 | Rogaway} introduced a methodology for using random oracles in 64 | cryptography: 65 | \begin{enumerate} 66 | \item Design a scheme in the RO model: all algorithms (of the scheme, 67 | and the adversary) have ``black-box'' access to the oracle. 68 | \item Analyze/prove security (in the RO model) by giving a security 69 | reduction. 70 | \item \emph{Instantiate} the oracle with a ``sufficiently crazy'' 71 | public hash function (such as SHA-1), and hope that this does not 72 | introduce any security vulnerabilities in the scheme. 73 | \end{enumerate} 74 | 75 | \subsection{Advantages and Caveats} 76 | \label{sec:advantages-caveats} 77 | 78 | Why does having a random oracle help? In the RO model, security is 79 | often easier to prove, even for very simple and efficient schemes. 80 | Generally speaking, this is because the simulator/security reduction 81 | has some extra flexibility: it gets to provide the view of the oracle 82 | to the adversary. This not only allows the simulator to know what 83 | queries the adversary makes, but also to `control' (or `program') the 84 | oracle outputs that the adversary sees. We shall see both of these 85 | properties used in the security proof below. 86 | 87 | However, there is (sometimes heated) dispute over the value of a 88 | security proof in the random oracle model. The difficulty lies with 89 | the \emph{instantiation} step. Because its code is fixed and public, 90 | a given hash function is \emph{not} a black box, nor does it give 91 | uniformly random and independent outputs. In fact, 92 | \href{http://arxiv.org/abs/cs.CR/0010019}{Canetti, Goldreich, and 93 | Halevi} showed that there exists (under standard assumptions) a 94 | signature scheme that is secure in the random oracle model, but which 95 | becomes \emph{trivially breakable} with \emph{any} public 96 | instantiation of the oracle! In this sense, the random oracle 97 | methodology does \emph{not} yield secure schemes in general. However, 98 | the problematic CGH signature scheme is very contrived, and would 99 | never be proposed for practice. Most signature schemes used in the 100 | real world are much more ``natural,'' and don't seem to have obvious 101 | (or even non-obvious) flaws when instantiated with strong hash 102 | functions. 103 | 104 | \section{A Signature Scheme in the RO Model} 105 | \label{sec:signature-scheme-ro} 106 | 107 | \href{https://github.com/cpeikert/TheoryOfCryptography/blob/master/lec10 - Asymmetric Encryption.pdf}{Recall 108 | the definition of a trapdoor permutation family:} it is a set 109 | $\set{f_{s} \colon D_{s} \to D_{s}}$ of permutations where $f_{s}$ is 110 | easy to invert with knowledge of the trapdoor (which is generated 111 | along with the index $s$), and otherwise hard to invert on uniformly 112 | random values $y \in D_{s}$. The RSA and Rabin function families are 113 | plausible trapdoor permutation candidates. 114 | 115 | \href{https://github.com/cpeikert/TheoryOfCryptography/blob/master/lec12 - Chosen-Ciphertext Attacks and Digital Signatures.pdf}{Previously}, 116 | we attempted to design a secure signature scheme based on trapdoor 117 | permutations. 
Our old scheme was simple: the public verification key
was a function $f_{s}$, the secret signing key was its trapdoor (also
produced by the function sampler $\algo{S}$), and the signature for a
message $m \in D_{s}$ was $f_{s}^{-1}(m)$.  Unfortunately, this
succumbs to a trivial attack: first pick some signature $\sigma \in
D_{s}$, then set $m=f_s(\sigma)$.  Then $(m,\sigma)$ is clearly a
valid message/signature pair.

Fortunately, we can resurrect this scheme in the random oracle model,
with a small change: we first \emph{hash} the message using the
oracle, then invert the hash.  The following scheme $\sig$, often
called \emph{full-domain hash}, uses a trapdoor permutation family
$\set{f_{s}}$ (where the domain of every $f_{s}$ is $\bit^{n}$, for
convenience) and a function $H : \bit^{*} \to \bit^{n}$, modelled as a
random oracle.
\begin{itemize}
\item $\siggen^{H}$: choose $(s,t) \gets \algo{S}$ and output $\vk=s$,
  $\sk=t$.
\item $\sigsign^{H}_{t}(m \in \bit^{*})$: output $\sigma =
  f_s^{-1}\parens*{H(m)}$.
\item $\sigver^{H}_{s}(m,\sigma \in \bit^{n})$: accept if
  $f_s(\sigma)=H(m)$, otherwise reject.
\end{itemize}

Despite the similarity to our previous signature scheme, we cannot
apply the same kind of attack: after choosing $\sigma \in \bit^{n}$,
we would then have to find a message $m$ such that $H(m) =
f_{s}(\sigma)$.  Because $H$ is a random oracle, this could only be
done by brute-force search, which would take about $2^{n}$ attempts.

Of course, just because \emph{this} attack is thwarted does not mean
that our scheme is secure.  Happily, we can prove security in the
idealized model.

\begin{theorem}
  \label{thm:fdh-uf-cma}
  The $\sig$ scheme described above is strongly unforgeable under
  chosen-message attack (in the RO model), assuming that $\set{f_{s}}$
  is a TDP family.
\end{theorem}

\begin{proof}
  First note that for any oracle $H$, every message $m$ has exactly
  one signature, so to prove strong unforgeability it suffices to
  prove standard unforgeability.

  We want to design a simulator algorithm $\Sim(s,y)$ that uses a
  hypothetical forger $\For$ to find $x = f_{s}^{-1}(y)$, given $s$
  generated by $\algo{S}$ and uniformly random $y \gets \bit^{n}$.
  (Note that $y = f_{s}(x) \in \bit^{n}$ is uniformly random because
  $x \gets \bit^{n}$ is, and because $f_{s}$ is a permutation.)  The
  basic idea is that $\Sim$ will answer the random oracle queries
  (``program the oracle'') so that it knows the preimages (under
  $f_{s}$) of all but one of them, which it answers with its challenge
  value $y$.  This allows the simulator to answer signing queries for
  all but one message, which it hopes is the message that $\For$ will
  forge; in that case, the forged signature is exactly
  $f_{s}^{-1}(y)$, as desired.

  We now proceed in more detail.  Without loss of generality, we may
  make some simplifying assumptions about $\For$.  In particular, we
  assume that:
  \begin{itemize}
  \item \emph{$\For$ makes at most $q=\poly(n)$ queries to $H$.}
    Because $\For$ runs in polynomial time, it can't make more than
    $\poly(n)$ queries, no matter what its execution path is.
\item \emph{$\For$ always outputs some (possibly invalid) forgery
    $(m^{*}, \sigma^{*})$.}  We can always ``wrap'' $\For$ in a
    program that outputs an arbitrary ``junk'' forgery if $\For$
    fails to.
  \item \emph{$\For$ always queries $H(m)$ (or $H(m^{*})$) before
      querying $\sigsign(m)$ (or outputting its forgery
      $(m^*,\sigma^*)$, respectively).}  We can wrap $\For$ in another
    algorithm that inserts the needed queries, and ignores the
    results.
  \item \emph{$\For$ never repeats any query to $H$.}  We can always
    wrap $\For$ in another algorithm that watches all of $\For$'s
    queries, and stores all query/response pairs in a table.  Before
    forwarding each query to the random oracle, it first checks its
    table and returns the answer if it is already known.  (We note
    that we can enforce this condition on either the forger's end, or
    in the simulator's responses, with the same effect.)
  \end{itemize}

  The forger $\For$ expects to perform a chosen-message attack against
  the scheme, which means that $\Sim$ must provide it with access to:
  \begin{enumerate}
  \item a verification key $\vk$;
  \item a signing oracle $\sigsign_{\sk}(\cdot)$;
  \item a random oracle $H$.
  \end{enumerate}

  Our simulator $\Sim(s,y)$ works as follows: it first chooses $i^*
  \gets [q]$ uniformly at random; this is a ``guess'' as to which
  query to $H$ will correspond to the message in the eventual forgery.
  It then invokes $\For$ on $\vk = s$, and simulates the oracles $H$
  and $\sigsign(\cdot)$ as follows:

  \begin{algorithm}
    \caption{Simulation of $H(\cdot)$.}
    \begin{algorithmic}[1]
      \STATE On $\For$'s $i$th query $m_{i} \in \bit^{*}$,
      \IF {$i=i^*$}
      \STATE Store $(\bot, y, m_{i^{*}})$ in an internal table.
      \RETURN $y_{i^*}=y$ to $\For$
      \ELSE
      \STATE Choose $x_i\gets \bit^n$
      \STATE Let $y_i=f_s(x_i)$
      \STATE Store $(x_i,y_i,m_i)$ in the internal table.
      \RETURN $y_i$ to $\For$
      \ENDIF
    \end{algorithmic}
  \end{algorithm}

  \begin{algorithm}
    \caption{Simulation of $\sigsign(\cdot)$.}
    \begin{algorithmic}[1]
      \STATE On a query $m \in \bit^{*}$, look up $(x,y,m)$ in the
      internal table.
      \COMMENT{Such an entry exists because $\For$ always queries $H(m)$ before
        querying $\sigsign(m)$.}
      \IF {$x\neq \bot$}
      \RETURN $x$ to $\For$
      \ELSE
      \STATE Abort the simulation and fail.
      \ENDIF
    \end{algorithmic}
  \end{algorithm}

  Finally, when $\For$ outputs its purported forgery $(m^*,\sigma^*)$,
  check that $m^*=m_{i^*}$.  If so, $\Sim$ outputs $\sigma^*$;
  otherwise, it fails.

  We shall analyze the simulation in the claims below; by
  \cref{lem:adv-Sim}, we conclude that the existence of a
  forger of non-negligible advantage implies that we have a
  non-negligible advantage in inverting the trapdoor permutation, as
  desired.
\end{proof}

\begin{question}[ID=oracle-sim]
  Justify that the \(H(\cdot)\) constructed by \(\Sim\) actually
  behaves as a random oracle from the point of view of \(\For\).
\end{question}

\begin{answer}
  First, clearly \(H\) returns the same result when queried on the
  same input, thanks to the internal table.  When \(i \neq i^*\), the
  string returned by \(H\) is uniformly random, as expected.  When
  \(i = i^*\), \(y\) is returned.  Recall that in the trapdoor
  permutation game, \(y = f_s(x)\) for an \(x\) that is chosen
  uniformly at random.  Since \(x\) is uniformly random and \(f_s\) is
  a permutation, \(y\) is uniformly random as well.
\end{answer}

\subsection{Analysis}

\begin{lemma}
  \label{lem:adv-Sim}
  For the above simulation strategy,
  \[ \advan_{\scheme{TDP}}(\Sim) = \frac{1}{q} \cdot \advan_{\sig}(\For). \]
\end{lemma}

\noindent This fact follows from two claims:

\begin{claim}
  Conditioned on not failing, $\Sim(s,y)$ simulates the chosen-message
  attack perfectly, and hence outputs $f_{s}^{-1}(y)$ with probability
  $\advan_{\sig}(\For)$.
\end{claim}

\begin{proof}
  We first note that $\vk=s$ is distributed precisely as in $\sig$,
  because $\Sim$ is playing the TDP inversion game.  As you saw in
  \cref{ques:oracle-sim}, $\Sim$ simulates \(H\) perfectly.  Lastly,
  because $\Sim$ did not fail, it answered every signing query with
  its unique valid signature.

  Now $\Sim$ does not fail exactly when $m^{*}$ is $\For$'s $i^{*}$th
  query to $H$, where $(m^{*}, \sigma^{*})$ is $\For$'s output
  forgery.  Observe that in this case, $\sigma^*$ is a valid signature
  if and only if $\sigma^*=f_{s}^{-1}(y)$.  Because $\Sim$ simulates
  the chosen-message attack perfectly, $\For$ outputs such a
  $\sigma^{*}$ with probability $\advan_{\sig}(\For)$, as desired.
\end{proof}

\begin{claim}
  The probability of $\Sim$ not failing equals $1/q$.
\end{claim}

\begin{proof}
  By assumption, $\For$ must query $H$ on $m^{*}$ before outputting
  its forgery $(m^{*}, \sigma^{*})$.  By construction of $\Sim$, it
  does not fail exactly when $m^{*}$ is the $i^*$th query to $H$.
  Moreover, we claim that $m^{*}$ is the $i^{*}$th query to $H$ with
  probability exactly $1/q$.  This is because we can imagine an
  alternative experiment in which \emph{every} query to $\sigsign$ is
  answered correctly, and $i^{*}$ is chosen uniformly; in such an
  experiment, $i^{*}$ is independent of $\For$'s view, and hence
  $m^{*}$ is the $i^{*}$th query with probability $1/q$.
\end{proof}

\section{Variants}
\label{sec:variants}

Notice the factor of $\frac{1}{q}$ in the advantage of the simulator.
The reduction (from breaking the TDP to breaking the signature scheme)
is ``loose'' in the sense that the simulator's probability of
inverting is much less than the forger's probability of forging.  For
concrete security, this might mean that we need to use a large
security parameter for our TDP in order to achieve a small enough
forging probability for our signature scheme.  Also notice that $q$ is
the number of \emph{hash} queries, not signing queries.  In practice,
the number of times an attacker can compute the hash function is
probably much larger than the number of signatures to which it has
access.

People have tried to improve the ``quality'' of the reduction in a
number of ways.
One notable way, due to 336 | \href{http://www.cs.umd.edu/~jkatz/papers/CCCS03_sigs.pdf}{Katz and 337 | Wang}, is to use ``claw-free'' pairs of TDPs; these are analogous to 338 | collision-resistant hash functions. In a claw-free family, the 339 | function sampler generates two functions $f_{s_{0}}$ and $f_{s_{1}}$, 340 | and the security property is that it should be hard to find a pair of 341 | (not necessarily distinct) inputs $x_{0}, x_{1} \in \bit^{n}$ such 342 | that $f_{s_{0}}(x_{0}) = f_{s_{1}}(x_{1})$. As usual, there are 343 | trapdoors that make it easy to invert the functions. (The connection 344 | to collision resistance is the following: define $f(b,x) = 345 | f_{s_{b}}(x)$. Then $f$ maps $n+1$ bits to $n$ bits, and a collision 346 | in $f$ immediately gives us a claw in $f_{s_{0}}, f_{s_{1}}$; the 347 | values of $b$ must be different because the functions $f_{s_{b}}$ are 348 | permutations.) 349 | 350 | We can tweak the signature scheme so that the public verification key 351 | consists of two functions $f_{s_{0}}, f_{s_{1}}$, and the signing 352 | algorithm on message $m$ chooses one of the functions at random and 353 | inverts it on $H(m)$.\footnote{If the forger queries the signing 354 | oracle on the same message more than once, the signer should invert 355 | the same function every time; this can be enforced by keeping state 356 | or using a PRF. Without this condition, it is easy to see that the 357 | signer will eventually give away a claw!} In the security proof, 358 | the simulator is attempting to find a claw in $f_{s_{0}}, f_{s_{1}}$. 359 | When simulating the random oracle on each new message $m_{i}$, it 360 | \emph{always} chooses a fresh $x_{i}$ and applies one of the two 361 | functions (chosen at random) to compute and return $y_{i}$. If the 362 | forger later queries the signing oracle on $m_{i}$, the simulator can 363 | always reply with a properly distributed signature. (But it only 364 | knows \emph{one} valid signature, which is why the real scheme must 365 | also give away only one distinct signature for each message.) 366 | Finally, when the forger outputs a forgery, half of the time it will 367 | end up forging using the same function that the simulator used (so we 368 | fail), and the other half of the time it finds a preimage under the 369 | other function, yielding a claw. So the simulator's advantage is 370 | \emph{half} that of the forger, which is a drastic improvement! 371 | 372 | \end{document} 373 | 374 | %%% Local Variables: 375 | %%% mode: latex 376 | %%% TeX-master: t 377 | %%% End: 378 | -------------------------------------------------------------------------------- /src/lec04 - Number Theory and OWFs.tex: -------------------------------------------------------------------------------- 1 | \documentclass[11pt]{article} 2 | 3 | \input{header} 4 | 5 | \usepackage{algorithm,algorithmic} 6 | 7 | % VARIABLES 8 | 9 | \newcommand{\lecturenum}{4} 10 | \newcommand{\lecturetopic}{Number Theory, OWF Variants} 11 | \newcommand{\scribename}{Shiva Kintali} 12 | 13 | % END OF VARIABLES 14 | 15 | \lecheader 16 | 17 | \pagestyle{plain} % default: no special header 18 | 19 | \begin{document} 20 | 21 | \thispagestyle{fancy} % first page should have special header 22 | 23 | % LECTURE MATERIAL STARTS HERE 24 | 25 | Today we will see some concrete one-way function candidates that arise 26 | from number theory, and abstract out some of their other special 27 | properties that will be useful when we proceed to investigate 28 | pseudorandomness. 
29 | 
30 | \section{Collections of OWFs}
31 | \label{sec:coll-owfs-vari}
32 | 
33 | Our generic definition of a one-way function is concise, and very
34 | useful for complexity-theoretic crypto. However, it tends not to be
35 | as appropriate for the kinds of hard functions that we use in
36 | ``real-life'' crypto; below we give a more flexible definition. (In
37 | your homework, you will show that the generic OWF definition is
38 | equivalent to this one.)
39 | 
40 | \begin{definition}
41 | \label{def:collection-owfs}
42 | A \emph{collection of one-way functions} is a family $F = \set{
43 | f_{s} \colon D_{s} \to R_{s} }_{s \in S}$ satisfying the following
44 | conditions:
45 | \begin{enumerate}
46 | \item \emph{Easy to sample a function:} there is a PPT algorithm
47 | $\algo{S}$ such that $\algo{S}(1^{n})$ outputs some $s \in S$
48 | (according to some arbitrary distribution).
49 | \item \emph{Easy to sample from domain:} there is a PPT algorithm
50 | $\algo{D}$ such that $\algo{D}(s)$ outputs some $x \in D_{s}$
51 | (according to some arbitrary distribution).
52 | \item \emph{Easy to evaluate function:} there is a deterministic
53 | polynomial-time algorithm $\algo{F}$ for which
54 | $\algo{F}(s,x)=f_{s}(x)$ for all $s \in S$, $x \in D_{s}$.
55 | \item \emph{Hard to invert:} for any non-uniform PPT algorithm
56 | $\Inv$, \[ \Pr_{s \gets \algo{S}(1^n), x \gets \algo{D}(s)}
57 | \bracks*{\Inv(s,f_{s}(x)) \in f_{s}^{-1}(f_{s}(x))} = \negl(n). \]
58 | \end{enumerate}
59 | \end{definition}
60 | 
61 | For example, the subset-sum function $f_{\text{ss}}$ is more naturally
62 | defined as a collection, as follows. Let $S_{n} = (\Z_{N})^{n}$ where
63 | $N=2^{n}$, and let the full index set $S = \cup_{n=1}^{\infty} S_{n}$.
64 | Define the domain $D_{\vec{a}} = \bit^{n}$ and the range $R_{\vec{a}}
65 | = \Z_{N}$, for all $\vec{a} = (a_{1}, \ldots, a_{n}) \in S_{n}$. The
66 | corresponding function is defined as \[ f_{\vec{a}}(x) =
67 | \sum_{i=1}^{n} a_{i} \cdot x_{i} \bmod N. \] The algorithms $\algo{S}$
68 | (function sampler), $\algo{D}$ (domain sampler), and $\algo{F}$
69 | (function evaluator) are all straightforward.
70 | 
71 | In the remainder of the lecture, we will see other examples of OWF
72 | collections (some with other special properties) that arise from
73 | number theory.
74 | 
75 | \section{Number Theory Background}
76 | \label{sec:numb-theory-backgr}
77 | 
78 | \begin{definition}
79 | \label{def:gcd}
80 | For positive integers $a,b \in \N$, their \emph{greatest common
81 | divisor} $d = \gcd(a,b)$ is the largest integer $d$ such that $d
82 | \mid a$ and $d \mid b$.
83 | \end{definition}
84 | 
85 | As a consequence of \cref{alg:exteuclid} below, there always
86 | exist integers $x,y \in \Z$ such that $ax + by = \gcd(a,b)$. We say
87 | that $a$ and $b$ are \emph{co-prime} (or \emph{relatively prime}) if
88 | $\gcd(a,b) = 1$; in this case $ax + by = 1$, i.e., $ax = 1 \bmod b$.
89 | From this, $x$ is the multiplicative inverse of $a$ modulo $b$, and
90 | likewise $y$ is the multiplicative inverse of $b$ modulo $a$. The
91 | following deterministic algorithm shows that $\gcd(a,b)$ (and
92 | additionally, the integers $x$ and $y$) can be computed efficiently.
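As a quick executable companion to the pseudocode in \cref{alg:exteuclid} below, the same recursion can be transcribed into a few lines of Python. (This sketch and its function name are ours, added purely for illustration.)

\begin{verbatim}
def ext_euclid(a, b):
    # Returns (x, y) with a*x + b*y == gcd(a, b), for a >= b > 0.
    if a % b == 0:           # b divides a, so gcd(a, b) = b
        return (0, 1)
    q, r = divmod(a, b)      # a = b*q + r with 0 < r < b
    x, y = ext_euclid(b, r)  # b*x + r*y == gcd(b, r) == gcd(a, b)
    return (y, x - q * y)

# Example: gcd(240, 46) = 2, and indeed 240*(-9) + 46*47 == 2.
assert ext_euclid(240, 46) == (-9, 47)
\end{verbatim}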
93 | 94 | \newcommand{\exteuclid}{\algo{ExtendedEuclid}} 95 | \renewcommand{\algorithmicrequire}{\textbf{Input:}} 96 | \renewcommand{\algorithmicensure}{\textbf{Output:}} 97 | 98 | \begin{algorithm} 99 | \caption{Algorithm $\exteuclid(a,b)$ for computing the greatest 100 | common divisor of $a$ and $b$.} 101 | \label{alg:exteuclid} 102 | 103 | \begin{algorithmic}[1] 104 | \REQUIRE Positive integers $a \geq b > 0$. 105 | 106 | \ENSURE $(x,y) \in \Z^{2}$ such that $ax + by = \gcd(a,b)$. 107 | 108 | \IF {$b \mid a$} 109 | \RETURN $(0,1)$ 110 | \ELSE 111 | \STATE Let $a = b \cdot q + r$ for $r \in \set{1, \ldots, b-1}$ 112 | \STATE $(x',y') \gets \exteuclid(b,r)$ 113 | \RETURN $(y', x' - q \cdot y')$ 114 | \ENDIF 115 | \end{algorithmic} 116 | \end{algorithm} 117 | 118 | \begin{theorem} 119 | \label{thm:exteuclid} 120 | $\exteuclid$ is correct and runs in polynomial time in the 121 | \emph{lengths} of $a$ and $b$, i.e., in $poly(\log a + \log b)$ 122 | time. 123 | \end{theorem} 124 | 125 | \begin{proof} 126 | For correctness, we argue by induction on the second argument $b$. 127 | Clearly the algorithm is correct when $b=1$. If $b \mid a$, then 128 | $\gcd(a,b) = b$, hence $\exteuclid$ correctly returns $(0,1)$. If 129 | $b \nmid a$ then by the inductive hypothesis (using $b > r$), the 130 | recursive call correctly returns $(x',y')$ such that $bx' + ry' = 131 | \gcd(b,r)$. It can be checked that $\gcd(a,b) = \gcd(b,r)$, because 132 | any common divisor of $a$ and $b$ is also a divisor of $r$. 133 | Finally, observe that \[ \gcd(b,r) = bx' + ry' = bx' + (a - b \cdot 134 | q)y' = ay' + (x' - q \cdot y')b. \] Hence $\exteuclid$ correctly 135 | returns $(y', x' - q \cdot y')$. 136 | 137 | For the running time, observe that all the basic operations (not 138 | including the recursive call) can be implemented in polynomial 139 | time. The following claim establishes the overall efficiency. 140 | 141 | \begin{claim} 142 | For $2^{n} > a \geq b > 0$, $\exteuclid$ makes at most $2n$ 143 | recursive calls. 144 | \end{claim} 145 | 146 | We use induction. The claim is true when $a < 2^{1}$. Suppose the 147 | claim is true for all $a < 2^n$, and suppose $a < 2^{n+1}$. Two 148 | cases arise: 149 | \begin{itemize} 150 | \item If $b < 2^n$, the first recursive call is on $(b, r)$. 151 | Since $b < 2^n$, by the inductive hypothesis we make at most 152 | $2n$ more recursive calls. Hence the total number of recursive 153 | calls is at most $1 + 2n < 2(n+1)$. 154 | \item If $b \geq 2^n$, i.e., $2^{n+1} > a \geq b \geq 2^n$, we have 155 | $a = b \cdot 1 + r$ for $r = a-b < 2^n < b$. The first recursive 156 | call is on $(b \geq 2^n, r < 2^n)$. In turn, its recursive call 157 | uses $r < 2^n$ as its first parameter. By the inductive 158 | hypothesis, the number of recursive calls following the second one 159 | is at most $2n$. Hence the total number of recursive calls is at 160 | most $2 + 2n \leq 2(n+1)$. 161 | \end{itemize} 162 | \end{proof} 163 | 164 | \noindent We frequently work with the ring $(\ZN, +, \cdot)$ of 165 | integers modulo a positive integer $N$. 166 | 167 | \begin{lemma}[Chinese remainder theorem, special case] 168 | Let $N = p \cdot q$ for distinct primes $p,q$. The ring $\Z_N$ is 169 | isomorphic to the product ring $\Zp \times \Zq$, via the isomorphism 170 | $h(x) = (x \bmod p, x \bmod q)$. 171 | \end{lemma} 172 | 173 | \noindent A few remarks about the above lemma: 174 | \begin{itemize} 175 | \item In the product ring $\Zp \times \Zq$, addition and 176 | multiplication are coordinate-wise. 
\item Clearly the isomorphism $h$ is efficiently computable. Less
178 | obvious is that it is also efficiently \emph{invertible}. Suppose
179 | we know some elements $c_{p}, c_{q} \in \ZN$ such that
180 | $h(c_{p}) = (1,0)$ and $h(c_{q}) = (0,1)$; such a pair is sometimes
181 | called a \emph{CRT basis}. Then given $(x,y) \in \Zp \times \Zq$,
182 | it is easy to see that
183 | $h^{-1}(x,y) = \bar{x} \cdot c_{p} + \bar{y} \cdot c_{q}$, where
184 | $\bar{x}, \bar{y} \in \ZN$ are any elements such that
185 | $\bar{x} = x \pmod{p}$ and $\bar{y} = y \pmod{q}$. (For example, we
186 | could take the ``smallest'' elements in~$\ZN$ that have the required
187 | residues modulo~$p$ and~$q$, respectively.)
188 | \end{itemize}
189 | 
190 | \begin{question}
191 | For the CRT isomorphism on $\Z_{15}$, verify that the following
192 | example equations hold: $h(7 \cdot 9) = h(7) \cdot h(9)$ and
193 | $h(6 + 11) = h(6) + h(11)$.
194 | \end{question}
195 | 
196 | \begin{answer}
197 | Note that $15$ is the product of two primes, $3$ and $5$, so
198 | \(\Z_{15} \cong \Z_3 \times \Z_5\).
199 | 
200 | First, we consider \(h(7 \cdot 9)\). We have
201 | \(7 \cdot 9 = 3 \pmod{15}\) and
202 | \(h(3) = (3 \bmod 3, 3 \bmod 5) = (0, 3)\). Next,
203 | \(h(7) = (7 \bmod{3}, 7 \bmod{5}) = (1,2)\) and
204 | \(h(9) = (9 \bmod{3}, 9 \bmod 5) = (0, 4)\). Finally, we multiply
205 | the pairs elementwise, recalling that the first elements of each
206 | pair are from~\(\Z_3\) and the second elements are from~\(\Z_5\). We
207 | see that \((1,2) \cdot (0,4) = (0 \bmod 3, 8 \bmod 5) = (0,3)\), as
208 | expected.
209 | 
210 | Now we consider \(h(6 + 11)\). We have \(6 + 11 = 2 \pmod{15}\) and
211 | \(h(2) = (2 \bmod 3, 2 \bmod 5) = (2,2)\). Next,
212 | \(h(6) = (6 \bmod{3}, 6 \bmod{5}) = (0,1)\) and
213 | \(h(11) = (11 \bmod{3}, 11 \bmod{5}) = (2,1)\). Finally, adding the
214 | pairs elementwise (and reducing modulo the appropriate moduli)
215 | yields \((0,1) + (2,1) = (2,2)\), as expected.
216 | \end{answer}
217 | 
218 | \begin{question}
219 | Show that \(h^{-1}(x,y) = \bar{x} \cdot c_p + \bar{y} \cdot c_q\),
220 | as claimed above.
221 | \end{question}
222 | 
223 | \begin{answer}
224 | We use the CRT isomorphism several times:
225 | \begin{align*}
226 | (x,y) &= (x, 0) + (0, y) \\
227 | &= h(\bar{x}) \cdot (1,0) + h(\bar{y}) \cdot (0,1) \\
228 | &= h(\bar{x}) \cdot h(c_p) + h(\bar{y}) \cdot h(c_q) \\
229 | &= h(\bar{x} \cdot c_p + \bar{y} \cdot c_q),
230 | \end{align*}
231 | and the result follows by applying the bijection~$h^{-1}$ to both
232 | sides.
233 | \end{answer}
234 | 
235 | \begin{question}
236 | Show how to compute $c_{p}, c_{q}$ efficiently (hint: use
237 | $\exteuclid$ on $p,q$).
238 | \end{question}
239 | 
240 | \begin{answer}
241 | Because $p,q$ are distinct primes, their gcd is 1, so
242 | $\exteuclid(p,q)$ returns integers $a,b \in \Z$ such that
243 | $a \cdot p + b \cdot q = 1$. We claim that
244 | $c_{p} = b \cdot q \bmod{N}$ and $c_{q} = a \cdot p \bmod{N}$. To
245 | see this, observe that $b \cdot q = 1 - a \cdot p = 1 \pmod{p}$
246 | (because~$a$ is an integer) and $b \cdot q = 0 \pmod{q}$
247 | (because~$b$ is an integer), so $h(b \cdot q) = (1,0)$, as needed. A
248 | similar calculation shows that $h(a \cdot p) = (0,1)$.
249 | \end{answer}
250 | 
251 | \begin{definition}
252 | The multiplicative group $\ZN^{*} := \set{ x \in \Z_N : x \text{
253 | is invertible mod $N$, i.e., } \gcd(x,N) = 1 }$.
254 | \end{definition}
255 | 
256 | \noindent Here are some useful facts about the multiplicative group
257 | $\ZN^{*}$:
258 | \begin{itemize}
259 | \item For a prime $p$, $\Zp^{*} = \set{1, \ldots, p-1}$.
260 | \item When $N=pq$ for distinct primes $p,q$, we have $\Z^{*}_N \cong
261 | \Zp^{*} \times \Zq^{*}$.
262 | \end{itemize}
263 | 
264 | \begin{definition}
265 | For $N \in \Z^+$, Euler's \emph{totient function} $\varphi(N)$ is
266 | defined to be $\abs{\ZN^{*}}$, i.e., the number of positive integers
267 | $a \leq N$ that are relatively prime to $N$.
268 | \end{definition}
269 | 
270 | \noindent Here are some useful facts about the totient function:
271 | \begin{itemize}
272 | \item For a prime $p$, we have $\varphi(p) = p - 1$.
273 | \item For a prime $p$ and positive integer $a$, we have $\varphi(p^a)
274 | = (p-1) p^{a-1} = p^a - p^{a-1}$.
275 | \item If $\gcd(a,b) = 1$, then $\varphi(a \cdot b) = \varphi(a) \cdot
276 | \varphi(b)$.
277 | \end{itemize}
278 | 
279 | \begin{definition}
280 | The subgroup of \emph{quadratic residues} is defined as \[ \QRN^{*}
281 | = \set{y \in \ZN^{*} : \exists\; x \in \ZN^{*} \text{ s.t. } y = x^2
282 | \bmod N} \subseteq \ZN^{*}. \]
283 | \end{definition}
284 | 
285 | \noindent Here are some useful facts about $\QRN^{*}$:
286 | \begin{itemize}
287 | \item For an odd prime $p$, $\abs{\QRp^{*}} = \frac{p-1}{2}$, because
288 | $x \mapsto x^{2}$ is $2$-to-$1$ over $\Zp^{*}$. (Exercise: prove
289 | this.)
290 | 
291 | \item When $N = pq$ for distinct odd primes $p,q$, we have $\QRN^{*}
292 | \cong \QRp^{*} \times \QR_{q}^{*}$, hence $\abs{\QRN^{*}} =
293 | \frac{p-1}{2} \cdot \frac{q-1}{2}$.
294 | 
295 | \item For an odd prime $p$, we have $-1 \in \QRp^{*}$ if and only if
296 | $p = 1 \bmod 4$.
297 | \end{itemize}
298 | 
325 | \section{Factoring-Related Functions}
326 | \label{sec:fact-related}
327 | 
328 | We can abstract out a modulus generation algorithm $\algo{S}$, which
329 | given the security parameter $1^{n}$ outputs the product $N$ of two
330 | primes $p,q$. For example, $\algo{S}$ might choose $p$ and $q$ to be
331 | uniformly random and independent $n$-bit primes.
332 | 
333 | \emph{Rabin's function} $f_{N} \colon \ZN^{*} \to \QRN^{*}$ is defined
334 | as follows: \[ f_{N}(x) = x^{2} \bmod N. \] Precisely defining the
335 | collection according to \cref{def:collection-owfs} is a
336 | simple exercise.
Note that $f_{N}$ is $4$-to-$1$, because each $y \in 337 | \QRN^{*}$ has two square roots modulo $p$, and two modulo $q$. 338 | 339 | \begin{theorem} 340 | \label{thm:rabin-owf-factor} 341 | If factoring is hard (with respect to $\algo{S}$), then the Rabin 342 | collection (with function generator $\algo{S}$) is one-way. 343 | \end{theorem} 344 | 345 | To prove the theorem, we will rely on the following essential number-theoretic fact. 346 | 347 | \begin{claim} 348 | \label{claim:roots-factor} 349 | Let $N = pq$ be the product of distinct odd primes. 350 | Given any $x_{1}, x_{2} \in \ZN^{*}$ such that $x_{1}^{2} = x_{2}^{2} \bmod N$ but $x_{1} \neq \pm x_{2} \bmod N$, the factors of $N$ can be computed efficiently. 351 | \end{claim} 352 | 353 | \begin{proof} 354 | We have $x_{1}^{2} = x_{2}^{2} \bmod p$ and $x_{1}^{2} = x_{2}^{2} 355 | \bmod q$, which implies $x_{1} = \pm x_{2} \bmod p$ and $x_{1} = 356 | \pm x_{2} \bmod q$. But we cannot have both $+$ or both $-$, by 357 | assumption. Wlog, we have $x_{1} = + x_{2} \bmod p$ and $x_{1} = 358 | - x_{2} \bmod q$. Then $p \mid (x_{1}-x_{2})$ but $q \nmid 359 | (x_{1}-x_{2})$, otherwise we'd have $q \mid (2x_{2}) \Rightarrow q 360 | \mid x_{2} \Rightarrow x_{2} \not\in \ZN^{*}$. Then 361 | $\gcd(x_{1}-x_{2},N) = p$, which we can compute efficiently. 362 | \end{proof} 363 | 364 | \begin{proof}[Proof of \cref{thm:rabin-owf-factor}] 365 | First, as already discussed it is easy to generate a function, 366 | sample its domain, and evaluate the function. 367 | 368 | We prove one-wayness by contrapositive, via a reduction. 369 | Assuming we have an inverter for the Rabin function, the idea is to choose our own $x_{1} \in \ZN^{*}$ and invoke the inverter on $y = f_{N}(x_{1}) = x_{1}^{2} \bmod N$. 370 | The square root $x_{2}$ it returns will be $\neq \pm x_{1}$, with probability $1/2$. 371 | In such a case, we get the prime factorization of $N$ by \cref{claim:roots-factor}. 372 | We now proceed more formally. 373 | 374 | Assume a non-uniform PPT inverter $\Inv$ violating the one-wayness 375 | of the Rabin collection, i.e., \[ \Pr_{N \gets \algo{S}(1^{n}), x 376 | \gets \ZN^{*}}[\Inv(N, y = x^{2} \bmod N) \in \sqrt{y} \bmod N] = 377 | \delta(n) \] is non-negligible. 378 | 379 | Our factoring algorithm $\Adv(N)$ works as follows: first, generate 380 | a uniform $x_{1} \gets \ZN^{*}$. Let $y = x_{1}^{2} \bmod N$ and 381 | let $x_{2} \gets \Inv(N, y)$. If $x_{2}^{2} = y \bmod N$ but $x_{1} 382 | \neq \pm x_{2} \bmod N$, then compute the factorization of $N$ by 383 | \cref{claim:roots-factor}. 384 | 385 | We now analyze the reduction. First, $N$ and $y$ are distributed as 386 | expected, so $\Inv$ outputs $x_{2}$ such that $x_{2}^{2} = y \bmod 387 | N$ with probability $\delta$. Conditioned on the fixed value of 388 | $y$, there are four possible values for $x_{1}$, each equally likely 389 | by construction. So we have $x_{2}^{2} = y \bmod N$ and $x_{2} \neq 390 | \pm x_{1} \bmod N$ with prob $\delta/2$, which is non-negligible by 391 | assumption. 392 | \end{proof} 393 | 394 | Suppose $p,q = 3 \bmod 4$. Then $-1$ is not a square modulo $p$ 395 | (respectively, $q$). So for any $x \in \Zp^{*}$ (resp., $\Zq^{*}$), 396 | exactly one of $\pm x$ is a square modulo $p$ (resp., $q$). From this 397 | it can be seen that if we restrict the Rabin function to have domain 398 | $\QRN^{*}$, i.e., $f_{N} \colon \QRN^{*} \to \QRN^{*}$, it becomes a 399 | \emph{permutation} (bijection). 
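To see \cref{claim:roots-factor} in action, here is a tiny numerical illustration in Python. (The sketch is ours; the toy numbers are chosen only for readability, whereas real moduli are of course enormous.)

\begin{verbatim}
from math import gcd

p, q = 11, 19
N = p * q                  # N = 209

x1, x2 = 79, 35            # 79^2 = 35^2 = 180 (mod 209)
assert (x1 * x1) % N == (x2 * x2) % N
assert x2 % N != x1 and (-x2) % N != x1   # x1 != +-x2 (mod N)

# The difference of the two roots shares exactly one prime with N.
assert gcd(x1 - x2, N) == p
\end{verbatim}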
400 | 
401 | \begin{question}
402 | Our proof that $f_{N}$ is one-way used
403 | (quite essentially) the fact that $f_{N}$ is $4$-to-$1$. Now that we
404 | have changed its domain to make $f_{N}$ a permutation, is the proof
405 | still valid?
406 | \end{question}
407 | \begin{definition}[One-Way Permutation]
408 | A collection $F = \set{f_{s} \colon D_{s} \to D_{s}}_{s \in S}$ is a
409 | collection of \emph{one-way permutations} if it is a collection of
410 | one-way functions $f_{s}$ under the \emph{uniform} distribution over
411 | $D_{s}$, and each $f_{s}$ is a \emph{permutation} of $D_{s}$ (i.e.,
412 | a bijection).
413 | \end{definition}
414 | 
415 | \end{document}
416 | 
417 | %%% Local Variables:
418 | %%% mode: latex
419 | %%% TeX-master: t
420 | %%% End:
421 | 
--------------------------------------------------------------------------------
/src/lec06 - PRG Expansion and Blum-Micali.tex:
--------------------------------------------------------------------------------
1 | \documentclass[11pt]{article}
2 | 
3 | \input{header}
4 | 
5 | \usepackage{algorithm,algorithmic}
6 | \usepackage{graphicx}
7 | 
8 | % VARIABLES
9 | 
10 | \newcommand{\lecturenum}{6}
11 | \newcommand{\lecturetopic}{PRG Expansion, Blum-Micali}
12 | \newcommand{\scribename}{Alessio Guerrieri}
13 | 
14 | % END OF VARIABLES
15 | 
16 | \lecheader
17 | 
18 | \pagestyle{plain} % default: no special header
19 | 
20 | \begin{document}
21 | 
22 | \thispagestyle{fancy} % first page should have special header
23 | 
24 | % LECTURE MATERIAL STARTS HERE
25 | 
26 | \section{Expanding a PRG}
27 | \label{sec:expanding-prg}
28 | 
29 | In the last lecture we saw the definition of a Pseudorandom Generator
30 | (PRG) as a deterministic function that, given a seed of size $n$,
31 | outputs a pseudorandom string of length $\ell(n)$. We can ask the
32 | following question: how big can $\ell(n)$ be? Is there any limit on
33 | how much pseudorandom data we can generate starting from a seed of a
34 | certain size? We will find out that if we can get a PRG with even
35 | \emph{one bit} of expansion (i.e., $\ell(n) = n+1$), then we can get a
36 | PRG with \emph{any} polynomial output length.
37 | 
38 | \begin{theorem}
39 | \label{thm:prg-expansion}
40 | Suppose that there exists a PRG $G$ with output of length
41 | $\ell(n)=n+1$. Then for any $t(n)=\poly(n)$ (where $t(n) > n$),
42 | there exists a PRG $G_t$ with output length $t(n)$.
43 | \end{theorem}
44 | 
45 | \begin{remark}
46 | The size of the set $\set{G_{t}(s) : s \in \bit^{n}}$ is at most
47 | $2^n$ (because $G_{t}$ is deterministic), while the number of
48 | possible $t(n)$-bit strings is $|\bit^{t(n)}| = 2^{t(n)}$. The
49 | fraction of $t(n)$-bit strings that could actually be output by the PRG
50 | is at most $2^n/2^{t(n)}= 2^{n-t(n)}$, which is absurdly small when
51 | $t(n) \geq 2n$ (and even smaller when $t(n) = n^{10}$, say).
52 | \end{remark}
53 | 
54 | \begin{proof}
55 | We will construct $G_t(s)$ from $G$. Our construction will apply
56 | the function $G(\cdot)$ $t(n)$ times, outputting one new bit at each
57 | step and reusing the other $n$ bits of the previous step's output as
58 | a seed. See the following picture for intuition about the
59 | construction.
60 | 
61 | \begin{figure}[h!]
62 | \centering
63 | \includegraphics[]{./prg.jpg}
64 | \end{figure}
65 | 
66 | Formally, $G_t$ is defined as follows (note that it always applies
67 | $G$ to strings of the same length, $n$ bits):
68 | \begin{algorithm}[h]
69 | \caption{$G_t(s)$}
70 | \begin{algorithmic}
71 | \IF{$t = 0$} \RETURN $\varepsilon$ (the empty string)
72 | \ELSE \STATE let $(x|b)=G(s)$, where $x \in \bit^{n}$, $b \in \bit$
73 | \RETURN $b|G_{t-1}(x)$
74 | \ENDIF
75 | \end{algorithmic}
76 | \end{algorithm}
77 | 
78 | By construction, $|G_t(s)|=t$. We want to show that $G_t$ is a PRG.
79 | The function clearly runs in polynomial time (each call to $G$ can
80 | be resolved in polynomial time and we only use a polynomial number
81 | of steps), so what's left is to prove that $\set{G_t(U_n)} \compind
82 | \set{U_{t(n)}}$. We need to be careful: we already know that $G$ is
83 | a PRG, but in our construction we are giving a \emph{pseudorandom}
84 | seed to $G$, instead of a truly random seed. We will see that this
85 | fact will not affect the pseudorandomness of $G_t$. Intuitively,
86 | because no efficient algorithm can tell a pseudorandom seed apart
87 | from a random string, in particular neither can $G$.
88 | 
89 | To prove that $G_t$ is a PRG we will define a set of ``hybrid
90 | experiments.'' We will build a sequence of distributions, where the
91 | first is equal to our ``real'' construction $G_t(U_{n})$, the last
92 | is equal to the ``ideal'' truly uniform distribution $U_{t(n)}$, and
93 | each consecutive pair of distributions is computationally
94 | indistinguishable. By the hybrid lemma, we conclude that
95 | $\set{G_t(U_{n})}$ and $\set{U_{t(n)}}$ are computationally
96 | indistinguishable and that $G_t$ is a PRG, thus proving the theorem.
97 | 
98 | To give some intuition about how we design the hybrid experiments,
99 | we imagine that instead of invoking the first $G$ on $n$ uniform
100 | bits, what if we replaced its output with $n+1$ truly uniform bits?
101 | Intuitively, these two cases should not be distinguishable, because
102 | $G$ is a PRG. And then what if we replaced the first two
103 | invocations of $G$, and so on? Eventually, we would end up with $t
104 | = t(n)$ truly uniform output bits, as desired.
105 | 
106 | Formally, the hybrid experiments are defined as follows:
107 | \begin{itemize}
108 | \item $H_0 = G_t(U_n)$
109 | \item $H_1 = U_1 | G_{t-1}(U_n)$
110 | \item In general, $H_i = U_i | G_{t-i}(U_n)$ for $i \in \set{0} \cup
111 | [t]$
112 | \item $H_t = U_{t}$
113 | \end{itemize}
114 | 
115 | We now show that for all $i \in [t]$, $H_{i-1} \compind H_{i}$. We
116 | will do this by using the simulation/composition lemma, and the fact
117 | that $G$ is a PRG. For each $i$, we design a PPT ``simulator''
118 | algorithm $\Sim_i$ such that $\Sim_i(G(U_n))=H_{i-1}$, and
119 | $\Sim_i(U_{n+1})=H_i$. Since we know that $G(U_n) \compind U_{n+1}$
120 | from the fact that $G$ is a PRG, the composition lemma implies that
121 | $H_{i-1} \compind H_i$.
122 | 
123 | We define $\Sim_i$ as follows:
124 | \begin{algorithm}[h]
125 | \caption{$\Sim_i(y \in \bit^{n+1})$}
126 | \begin{algorithmic}
127 | \STATE parse $y$ as $(x|b)$ for $x \in \bit^{n}$, $b \in \bit$
128 | \RETURN $U_{i-1} | b | G_{t-i}(x)$
129 | \end{algorithmic}
130 | \end{algorithm}
131 | 
132 | This algorithm clearly runs in polynomial time. We need to check
133 | that it maps $G(U_n)$ to $H_{i-1}$, and $U_{n+1}$ to $H_i$.
First
134 | suppose that the input of $\Sim_i$ comes from $U_{n+1}$:
135 | \[ \Sim_i(U_{n+1})= U_{i-1} | b | G_{t-i}(x) = U_{i-1} | U_1 |
136 | G_{t-i}(U_n)=U_i | G_{t-i}(U_n) = H_i. \] Now suppose that the input
137 | comes from $G(U_n)$. By the definition of $G_t$, we can see the
138 | following:
139 | \[ \Sim_i(G(U_n)) = U_{i-1} | b | G_{t-i}(x) = U_{i-1} |
140 | G_{t-i+1}(U_n)=H_{i-1}. \]
141 | This completes the proof.
142 | \end{proof}
143 | 
144 | \noindent To recap, our proof of \cref{thm:prg-expansion} took
145 | the following path:
146 | \begin{itemize}
147 | \item We defined a construction: the actual PRG $G_t$ having a
148 | pseudorandom output of polynomial length.
149 | \item We defined the sequence of hybrid (``imaginary'') experiments.
150 | In each step, we replaced \emph{one} ``real'' invocation of a crypto
151 | primitive ($G(U_{n})$) with its ``ideal'' counterpart ($U_{n+1}$).
152 | \item We proved that consecutive pairs of hybrids are computationally
153 | indistinguishable, using the composition lemma and the security
154 | properties of the underlying primitives (i.e., that $G$ is a PRG).
155 | \begin{itemize}
156 | \item To apply the composition lemma, we defined a
157 | ``simulator'' (reduction) for each pair of adjacent hybrids and
158 | analyzed its behavior.
159 | \end{itemize}
160 | \end{itemize}
161 | 
162 | \section{Obtaining a PRG}
163 | \label{sec:obtaining-prg}
164 | 
165 | Thanks to \cref{thm:prg-expansion}, we know that all we need is
166 | to obtain a PRG with one extra bit of output. We describe a
167 | number-theoretic construction, due to Blum and Micali, of such an
168 | object.
169 | 
170 | \subsection{Number Theory Background}
171 | \label{sec:background}
172 | 
173 | \begin{theorem}[Euler's theorem]
174 | \label{thm:euler-thm}
175 | Let $G$ be a finite abelian (i.e., commutative) multiplicative
176 | group. For every $a \in G$, we have $a^{\abs{G}} = 1$.
177 | \end{theorem}
178 | 
179 | \begin{proof}
180 | Consider the set $A = a \cdot G = \set{ ax\; :\; x \in G}$. Because
181 | $G$ is a group, $a$ is invertible, and we have $A = G$. Taking
182 | products over all elements in $A = G$, we have \[ \prod_{x \in G}
183 | (ax) = \prod_{x \in G} x. \] Because $G$ is commutative, the LHS is
184 | $a^{\abs{G}} \cdot \prod_{x \in G} x$, and we can multiply by the
185 | inverse of the RHS to obtain $a^{\abs{G}} = 1$.
186 | \end{proof}
187 | 
188 | 
189 | When $G = \Zp^{*}$ for a prime $p$, we have $\abs{\Zp^{*}} =
190 | \varphi(p) = p-1$, so we obtain the following corollary:
191 | 
192 | \begin{corollary}[Fermat's ``little'' theorem]
193 | Let $p$ be a prime. For any $a \in \Zp^{*}$, we have $a^{p-1} = 1
194 | \bmod p$.
195 | \end{corollary}
196 | 
197 | The following structural theorem will be very useful. (Its proof is
198 | elementary but rather tedious, so we won't go through it today.)
199 | 
200 | \begin{theorem}
201 | \label{thm:Zps-cyclic}
202 | Let $p$ be a prime. The multiplicative group $\Zp^{*}$ is
203 | \emph{cyclic}, i.e., there exists some \emph{generator}
204 | $g \in \Zp^{*}$ such that
205 | $\Zp^{*} = \langle g \rangle := \set{g^{1}, g^{2}, \ldots,
206 | g^{p-1}=g^{0}=1}$. (Equivalently, we can write the group as
207 | $\Zp^{*} = \set{g^{0}, g^{1}, \ldots, g^{p-2}}$.)
208 | \end{theorem}
209 | 
210 | \begin{question}
211 | Suppose there is a ``black box'' \(\algo{B}\) that outputs a
212 | uniformly random element of \(\Z_{p-1}\) for some known prime
213 | \(p\).
Show that there exists an algorithm that, using~\(\algo{B}\)
214 | as its only source of randomness, samples a uniformly random element
215 | of \(\Z_p^*\).
216 | \end{question}
217 | 
218 | \begin{answer}
219 | By \cref{thm:Zps-cyclic}, there exists a generator~\(g\)
220 | of~\(\Zp^{*}\). So, there exists an algorithm \(\algo{A}\) that
221 | simply samples \(i \gets \algo{B}\) and returns \(g^{i}\). By
222 | \cref{thm:Zps-cyclic}, we know that
223 | \(\inner{g} = \set{g^0, \ldots, g^{p-2}} = \Z_p^*\), and since
224 | \(\abs{\Z_p^*} = p - 1\), it must be the case that for each
225 | \(x \in \Z_p^*\), there exists a \emph{unique} \(i \in \Z_{p-1}\)
226 | such that \(x = g^i\). Hence,
227 | \(\Pr[\algo{A} \text{ outputs } x] = \Pr[\algo{B} \text{ outputs } i] =
228 | 1/(p-1)\), as needed.
229 | \end{answer}
230 | 
231 | \subsection{Discrete Logarithm Problem and One-Way Function}
232 | \label{sec:dlp-owf}
233 | 
234 | \Cref{thm:Zps-cyclic} leads naturally to the so-called
235 | \emph{discrete logarithm problem}, which is: given $y \in \Zp^{*}$
236 | (and prime $p$ and generator $g$ of $\Zp^{*}$), find $\log_{g} y$,
237 | i.e., the $x \in \set{1, \ldots, p-1}$ for which $y = g^{x} \bmod p$.
238 | This problem is believed to be infeasible for large values of $p$.
239 | 
240 | \begin{conjecture}[Discrete logarithm assumption]
241 | Let $\algo{S}(1^{n})$ be a PPT algorithm that outputs some prime $p$
242 | and generator $g$ of $\Zp^{*}$. For every non-uniform PPT algorithm
243 | $\Adv$, \[ \Pr_{(p,g) \gets \algo{S}(1^{n}), y \gets \Zp^{*}}
244 | [\Adv(p,g,y) = \log_{g} y] = \negl(n). \]
245 | \end{conjecture}
246 | 
247 | We would like to design a collection of OWFs based on the discrete
248 | logarithm assumption. The collection is made up of the functions
249 | $f_{p,g} \colon \set{1, \ldots, p-1} \to \Zp^{*}$ (for prime $p$ and
250 | generator $g$ of $\Zp^{*}$), defined as
251 | \[ f_{p,g}(x) = g^{x} \bmod p. \] Moreover, these functions are even
252 | \emph{permutations} if we identify $\set{1, \ldots, p-1}$ with
253 | $\Zp^{*}$ in the natural way.
254 | 
255 | It is a tautology that the collection is one-way under the discrete
256 | logarithm assumption. It is also clear that we can efficiently sample
257 | from the domain of $f_{p,g}$. But we still need to check that
258 | $f_{p,g}$ can be evaluated efficiently, and that $(p,g)$ can be
259 | generated efficiently.
260 | 
261 | For the first, we use the standard ``repeated squaring'' technique for
262 | exponentiation, which requires $O(\len{x})$ multiplications modulo
263 | $p$. The solution to the second issue is not entirely
264 | straightforward. Given only the prime $p$, it is unknown (in general)
265 | how to find a generator $g$ of $\Zp^{*}$ efficiently. However, given
266 | the \emph{factorization} of $p-1$, which can be generated along with
267 | $p$, it is possible: every element in $\Zp^{*}$ has order dividing
268 | $p-1$, so $g$ is a generator if and only if $g^{(p-1)/q} \neq 1 \bmod
269 | p$ for every prime divisor $q$ of $p-1$. The number of non-generators
270 | is at most the sum of $(p-1)/q$ over all prime divisors $q$ of $p-1$,
271 | so the density of generators is typically large enough. An often-used
272 | special case is $p = 2q+1$ for prime $q$, for which there are
273 | $\varphi(p-1) = q-1$ generators. However, it is not even known whether
274 | there exist infinitely many primes of this form (such $q$ are called
275 | ``Sophie Germain'' primes)! (Empirically, though, they are abundant.)
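The generator test just described is easy to run in practice, given the prime factorization of $p-1$. The following Python sketch is our own illustration, using a toy safe prime:

\begin{verbatim}
def is_generator(g, p, prime_factors):
    # g generates Z_p^* iff g^((p-1)/q) != 1 (mod p)
    # for every prime q dividing p - 1.
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors)

# Toy safe prime: p = 2*q + 1 with q = 11, so p - 1 = 2 * 11.
p = 23
assert is_generator(5, p, [2, 11])       # 5 generates Z_23^*
assert not is_generator(2, p, [2, 11])   # 2 has order 11, not 22
\end{verbatim}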
276 | 
277 | %% TODO: think of a question for the end of this section
278 | 
279 | \subsection{Blum-Micali PRG}
280 | \label{sec:blum-micali-prg}
281 | 
282 | We now present a PRG that uses the ideas presented in the previous
283 | section. From \cref{sec:expanding-prg} we know that if we have
284 | a PRG that is able to generate one extra bit of randomness, we can
285 | generate a polynomial number of pseudorandom bits. Our goal will be
286 | the following: we want to construct a PRG $G_{p,g} \colon \Zp^* \to
287 | \Zp^* \times \bit$.\footnote{To be pedantic, $G_{p,g}$ is a
288 | ``collection'' of PRGs, where the input seed comes from a set that
289 | depends on the function index $(p,g)$. It is easy to check that our
290 | construction from \cref{sec:expanding-prg} is compatible with
291 | this collection $G_{p,g}$.}
292 | 
293 | Our solution is a function with the following form: \[ G_{p,g}(x) =
294 | (f_{p,g}(x), h(x)), \quad \text{where } f_{p,g}(x) = g^{x} \bmod p. \]
295 | Note that $f_{p,g}$ is the modular exponentiation function (which is
296 | one-way under the discrete log assumption), while $h \colon \Zp^{*}
297 | \to \bit$ is some function (yet to be defined) that provides the
298 | additional bit.
299 | 
300 | Looking at the function, we can make the following observation: if $x
301 | \in \Zp^{*}$ is chosen uniformly at random, then also $f_{p,g}(x)$ is
302 | uniform (because $f_{p,g}$ is a permutation). We still need to choose
303 | the function $h$, keeping in mind what we want from the function:
304 | $h(x)$ should ``look like a random bit,'' \emph{even given
305 | $f_{p,g}(x)$}. That is, $h(x)$ should compute ``something about
306 | $x$'' that $f$ hides \emph{completely}.
307 | 
308 | We can think of many possible candidates for $h$: apply the xor
309 | function to all the bits of $x$; take the least significant bit of $x$
310 | (though you will show that this \emph{does not} meet our
311 | requirements!); take the ``most significant bit'' of $x$ (more
312 | precisely, test if $x>\frac{p-1}{2}$); etc.
313 | 
314 | Let's formalize the security property we want from~$h$. Informally, we
315 | want it to be the case that no efficient algorithm, given $f(x)$,
316 | should be able to guess $h(x)$ with probability much better than
317 | the~$\frac{1}{2}$ that is achievable by random guessing.
318 | 
319 | \begin{definition}[Hardcore predicate]
320 | \label{def:hard-core-pred}
321 | A predicate $h \colon \bit^* \to \bit$ is \emph{hard-core} for~$f$
322 | if for all non-uniform PPT algorithms $\Adv$,
323 | \[ \advan_{f,h}(\Adv) := \Pr_{x}[\Adv(f(x))=h(x)] - \frac12 =
324 | \negl(n). \]
325 | \end{definition}
326 | 
327 | Next time, we will show that under the discrete log assumption, the
328 | ``most significant bit'' predicate $h(x) = [x > \frac{p-1}{2}]$ is
329 | hard-core for $f_{p,g}$.
330 | 
331 | \begin{question}
332 | Prove that if $h$ is hard-core for a one-way permutation
333 | $f \colon D \to D$, then
334 | \[ (f(x),h(x)) \compind (U(D),U_1) \equiv (f(x),b), \] where
335 | $x \gets D$ and $b \gets \bit$ are independent. This means that
336 | $G(x)=(f(x),h(x)) \in D \times \bit$ is a PRG that expands by one
337 | bit. \emph{Hint:} give a reduction that converts any distinguisher
338 | for the above two distributions into a predictor of~$h(x)$
339 | given~$f(x)$.
340 | \end{question}
341 | 
342 | \begin{answer}
343 | We prove this by reduction. Let~$\calD$ be an nuPPT algorithm that
344 | seeks to distinguish $(f(x),h(x))$ from $(f(x), b)$, where
345 | $x \gets D, b \gets \bit$ are independent.
We construct an nuPPT 345 | predictor~$\AdvA$ against the hard-core predicate~$h$ for~$f$, which 346 | uses~$\calD$ as a black box and has the same advantage. The key idea 347 | is that~$\AdvA$, given some $y=f(x)$ for unknown~$x$, will simply 348 | guess a candidate value~$b$ for the hard-core bit~$h(x)$, and 349 | invoke~$\calD(y,b)$ to get some indication of whether this guess is 350 | correct. Since~$\calD$ may not be a perfect distinguisher, its 351 | answer may not always be ``correct,'' so it requires some care to 352 | analyze this reduction. 353 | 354 | Formally, we define the predictor~$\AdvA$ to work as follows: given 355 | input $y \in D$, choose a uniformly random bit $b \gets \bit$ and 356 | invoke $\calD(y,b)$. If~$\calD$ accepts (i.e., outputs 1), then 357 | output~$b$ as the prediction for $h(f^{-1}(y))$; otherwise, output 358 | $\overline{b}$ as the prediction. Clearly, $\AdvA$ is nuPPT. 359 | 360 | We now relate $\AdvA$'s advantage in the prediction game to 361 | $\calD$'s advantage in the distinguishing game. First, observe that 362 | $\AdvA$'s advantage is 363 | \begin{align*} 364 | \advan(\AdvA) 365 | &= \Pr_{x \gets D}[\AdvA(f(x))=h(x)] - 1/2 \\ 366 | &= \frac12 \parens*{\Pr_{x \gets D}[\calD(f(x),h(x))=1] + \Pr_{x 367 | \gets D}[\calD(f(x),\overline{h(x)})=0] - 1} \\ 368 | &= \frac12 \parens*{\Pr_{x \gets D}[\calD(f(x),h(x))=1] - \Pr_{x 369 | \gets D}[\calD(f(x),\overline{h(x)})=1]}, 370 | \end{align*} 371 | because~$\AdvA(f(x))$ outputs the correct bit~$h(x)$ if~$\AdvA$ 372 | chooses $b=h(x)$ and $\calD(f(x),b)$ accepts, or if~$\AdvA$ chooses 373 | $b=\overline{h(x)}$ and $\calD(f(x),b)$ rejects. These events are 374 | disjoint, so we can add their probabilities, and~$b$ is uniform and 375 | independent of~$x$, leading to the $1/2$ factor. 376 | 377 | Now let 378 | \begin{align*} 379 | p_{U} 380 | &= \Pr_{x \gets D, b \gets \bit}[\calD(f(x),b) = 1] \\ 381 | &= \frac12 \parens*{\Pr_{x \gets D}[\calD(f(x),h(x)) = 1] + 382 | \Pr_{x \gets D}[\calD(f(x), \overline{h(x)}) = 1]}, 383 | \end{align*} 384 | because each of $b=h(x)$ and $b=\overline{h(x)}$ occur with 385 | probability $1/2$. Similarly, define 386 | \[ p_{G} = \Pr_{x \gets D}[\calD(f(x), h(x))=1]. \] By definition, 387 | $\calD$'s advantage is 388 | \begin{align*} 389 | \advan(\calD) = p_{G}-p_{U} 390 | &= \frac12 \parens*{\Pr_{x \gets D}[\calD(f(x), 391 | h(x))=1] - \Pr_{x \gets D}[\calD(f(x),\overline{h(x)})=1]} \\ 392 | &= \advan(\AdvA). 393 | \end{align*} 394 | Since $\AdvA$'s advantage is negligible by the hypothesis that~$h$ 395 | is hard-core for~$f$, so is $\calD$'s advantage, as desired. 
396 | \end{answer} 397 | 398 | \end{document} 399 | 400 | %%% Local Variables: 401 | %%% mode: latex 402 | %%% TeX-master: t 403 | %%% End: 404 | -------------------------------------------------------------------------------- /src/lec09 - Pseudorandom Permutations and Symmetric Encryption.tex: -------------------------------------------------------------------------------- 1 | \documentclass[11pt]{article} 2 | 3 | \input{header} 4 | 5 | \usepackage{graphicx} 6 | 7 | % VARIABLES 8 | 9 | \newcommand{\lecturenum}{9} 10 | \newcommand{\lecturetopic}{PRPs, Symmetric Encryption} 11 | \newcommand{\scribename}{Pushkar Tripathi} 12 | 13 | % END OF VARIABLES 14 | 15 | \lecheader 16 | 17 | \pagestyle{plain} % default: no special header 18 | 19 | \begin{document} 20 | 21 | \thispagestyle{fancy} % first page should have special header 22 | 23 | % LECTURE MATERIAL STARTS HERE 24 | 25 | \section{Pseudorandom Permutations} 26 | \label{sec:pseud-perm} 27 | 28 | In the first part of this lecture we will discuss pseudorandom 29 | \emph{permutations}. A function $f \colon \bit^n \to \bit^n$ is said 30 | to be a permutation if and only if it is a bijection. Note that the 31 | PRFs considered in the previous lecture may not be permutations. 32 | (Exercise: construct a secure PRF family where the functions are 33 | \emph{not} permutations.) 34 | 35 | \subsection{Definition} 36 | \label{sec:definition} 37 | 38 | \begin{definition}[Pseudorandom permutation] 39 | \label{def:prp} 40 | A family of permutations $\set{f_s \colon \bit^{n} \to \bit^{n}}$ is 41 | a \emph{strong PRP family} (also known as ``block cipher'') if it 42 | is: 43 | \begin{itemize} 44 | \item \emph{Efficiently computable}: there is a deterministic 45 | polynomial-time algorithm $F$ such that $F(s,x) = f_s(x)$ for all 46 | choices of seed $s$ and input $x \in \bit^{n}$. 47 | \item \emph{Pseudorandom}: For every n.u.p.p.t.~$\Adv$, 48 | \[ \abs*{ \Pr_{f \gets \set{f_{s}} } \left[ \Adv^{f,f^{-1}} 49 | (1^n) = 1 \right] - \Pr_{F \gets \mathcal{P}(\bit^n)} \left[ 50 | \mathcal A^{F,F^{-1}} (1^n) = 1 \right] } = \negl(n). \] Here 51 | $\mathcal{P}(\bit^n)$ is the set of \emph{all} permutations from 52 | $\bit^n$ to $\bit^n$, and $\Adv^{f,f^{-1}}$ denotes that the 53 | algorithm $\Adv$ has oracle access to both the function $f$ and 54 | its inverse. 55 | 56 | Written more succinctly using oracle indistinguishability, \[ 57 | \left\langle f \gets \set{f_{s}} : f, f^{-1} \right\rangle 58 | \compind \left\langle F \gets \mathcal{P}(\bit^{n}) : F, F^{-1} 59 | \right\rangle. \] 60 | \end{itemize} 61 | 62 | We say that the family is a \emph{weak} PRP family if it is 63 | pseudorandom in the forward direction, i.e., if the pseudorandomness 64 | condition holds when the adversary is given oracle access to only 65 | $f$ (or $F$), and not their inverses. 66 | \end{definition} 67 | 68 | \subsection{Feistel Construction} 69 | \label{sec:feistel-construction} 70 | 71 | Perhaps surprisingly, a PRP family can be obtained from any PRF family 72 | (even though the functions in the PRF family may not themselves be 73 | permutations!). To accomplish this, we first show a way to obtain a 74 | permutation from \emph{any} (length-preserving) function $f$; this 75 | process is called a \emph{Feistel round}, after its inventor. (One 76 | can think of $f$ as being drawn from a PRF family, though the Feistel 77 | construction makes no complexity assumption on $f$.) 
78 | 
79 | \begin{definition}
80 | \label{def:feistel-round}
81 | For a function $f \colon \bit^{n} \to \bit^{n}$, the Feistel
82 | function $D_f \colon \bit^{2n} \to \bit^{2n}$ is defined
83 | as follows:
84 | \[ D_f(L, R) = (R,L \oplus f(R) ). \]
85 | \end{definition}
86 | 
87 | \Cref{fig:feistel_1_pic} gives a pictorial representation of
88 | this construction.
89 | 
90 | \begin{figure}[h]
91 | \centering
92 | \includegraphics[width=0.20\textwidth]{feistel1.png}
93 | \caption{The Feistel transformation.}
94 | \label{fig:feistel_1_pic}
95 | \end{figure}
96 | 
97 | \begin{question}
98 | \(D_f\) is a bijection. What is its inverse?
99 | \end{question}
100 | 
101 | \begin{answer}
102 | Writing $(L', R') = D_f(L,R) = (R, L \oplus f(R))$, we have
103 | $L = f(L') \oplus R'$ and $R = L'$. Formally, we can write
104 | $D_{f}^{-1} = \rho \circ D_f \circ \rho$, where $\rho(L,R) = (R,L)$.
105 | \end{answer}
106 | 
107 | However, $D_{f}$ by itself does \emph{not} define a PRP. This is
108 | because $\textsc{Left}( D_f(L,R) ) = R$ for any $L,R$, which is rarely
109 | the case for a truly random permutation. But what happens if we
110 | use \emph{two} Feistel rounds, each with a (possibly different) round
111 | function (see \cref{fig:feistel_2_pic})?
112 | 
113 | \begin{figure}[h]
114 | \centering
115 | \includegraphics[width=0.20\textwidth]{feistel2.png}
116 | \caption{Two rounds of the Feistel transformation.}
117 | \label{fig:feistel_2_pic}
118 | \end{figure}
119 | 
120 | Unfortunately, two Feistel rounds also do not yield a PRP family.
121 | Consider arbitrary $L_1, L_2, R \in \bit^n$ with $L_{1} \neq L_{2}$,
122 | and any round functions $f, g \colon \bit^n \to \bit^n$. We have
123 | $\textsc{Left}(D_g( D_f(L_1,R) )) = \textsc{Right}( D_f(L_1,R) )$
124 | $= L_1\oplus f(R)$ and $\textsc{Left}(D_g( D_f(L_2,R) )) = $
125 | $\textsc{Right}( D_f(L_2,R) )= L_2\oplus f(R)$. Taking the
126 | exclusive-or of both equations, we get
127 | \begin{align*}
128 | \textsc{Left}(D_g( D_f(L_1,R) ) \oplus D_g( D_f(L_2,R) )) &=
129 | \textsc{Left}(D_g( D_f(L_1,R) ))\oplus\textsc{Left}(D_g( D_f(L_2,R) ))\\
130 | &= (L_1\oplus f(R)) \oplus (L_2\oplus f(R))\\
131 | &= L_1 \oplus L_2.
132 | \end{align*}
133 | On the other
134 | hand, for a truly random permutation $\mathcal P$, $\mathcal P(L_1,R)
135 | \oplus \mathcal P(L_2, R)$ is the exclusive-or of two distinct random
136 | strings and $\textsc{Left}(\mathcal P(L_1,R)
137 | \oplus \mathcal P(L_2, R))$ would equal $L_1\oplus L_2$ with only
138 | negligible probability.
139 | 
140 | Fortunately, all is not lost: we have the following theorem of Luby
141 | and Rackoff.
142 | 
143 | \begin{theorem}[Luby-Rackoff Theorem]
144 | \label{thm:luby-rackoff}
145 | Three rounds of the Feistel construction, each with a round function
146 | drawn independently from a PRF family, yields a \emph{weak} PRP
147 | family. Moreover, four rounds yields a \emph{strong} PRP family.
148 | \end{theorem}
149 | 
150 | \subsection{Historical Notes}
151 | \label{sec:historical-notes}
152 | 
153 | The Data Encryption Standard (DES) from 1977 is a Feistel
154 | construction, but with dependent and only ``weakly'' pseudorandom
155 | round functions. The Feistel idea predates any rigorous definitions
156 | or analysis. A large fraction of fast block ciphers use a Feistel
157 | network, though more recently designers have started using other
158 | structures. For example, the Advanced Encryption Standard (AES) is
159 | not based on a Feistel network.
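To make the round structure concrete, here is a minimal Python sketch (ours, purely illustrative) of a multi-round Feistel network on integer-encoded halves, together with its inverse. Note that it is a permutation no matter what the round functions are:

\begin{verbatim}
def feistel(L, R, round_fns):
    # One Feistel round per function: (L, R) -> (R, L xor f(R)).
    for f in round_fns:
        L, R = R, L ^ f(R)
    return (L, R)

def feistel_inv(L, R, round_fns):
    # Undo the rounds in reverse order.
    for f in reversed(round_fns):
        L, R = R ^ f(L), L
    return (L, R)

# Three arbitrary (non-bijective!) round functions on 8-bit halves:
fns = [lambda x: (x * 17 + 3) % 256,
       lambda x: x ^ 0xA5,
       lambda x: (x * x + 1) % 256]
assert feistel_inv(*feistel(7, 200, fns), fns) == (7, 200)
\end{verbatim}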
160 | 161 | \section{Security for Shared-Key Encryption} 162 | \label{sec:security-shared-key} 163 | 164 | We now take the first steps towards building a secure shared-key 165 | (symmetric) encryption system. Before we proceed, recall the model 166 | for a shared-key cryptosystem, which is represented by a triple of 167 | algorithms $(\skcgen, \skcenc,\skcdec)$, where 168 | \begin{itemize} 169 | \item $\skcgen$ is a randomized algorithm that takes no input (aside 170 | from the implicit security parameter $1^{n}$), and outputs a key $k$ 171 | in some (finite) set $\keyspace$. 172 | \item $\skcenc_k(m) = \skcenc(k,m)$ takes a key $k \in \keyspace$ and 173 | message $m \in \msgspace$, and outputs a ciphertext $c \in 174 | \ctspace$. 175 | \item $\skcdec_k(c) = \skcdec(k, c)$ takes a key $k \in \keyspace$ and 176 | ciphertext $c \in \ctspace$, and outputs a message $m \in 177 | \msgspace$. 178 | \end{itemize} 179 | 180 | Also recall the definition of perfect secrecy. 181 | 182 | \begin{definition} 183 | A shared-key encryption scheme $(\skcgen, \skcenc, \skcdec)$ with 184 | message space $\msgspace$ and ciphertext space $\ctspace$ is 185 | \textit{perfectly secret} if for all $m_0, m_1 \in \msgspace$ and 186 | all $\bar{c} \in \ctspace$, 187 | \[ \Pr_{k \gets Gen} \left[ \skcenc_k(m_0) = \bar{c} \right] = 188 | \Pr_{k \gets Gen} \left[ \skcenc_k(m_1) = \bar{c} \right]. \] That 189 | is, the distributions of $\skcenc_{k}(m_{0})$ and 190 | $\skcenc_{k}(m_{1})$ are \emph{identical}, over the choice of the 191 | key $k \gets \skcgen$. 192 | \end{definition} 193 | 194 | \subsection{A Computational Analogue of Perfect Secrecy} 195 | \label{sec:comp-anal-perf} 196 | 197 | The definition of perfect secrecy suggests a natural analogue for the 198 | computational setting. 199 | 200 | \begin{definition}[Single-message indistinguishability] 201 | \label{def:single-msg-indist} 202 | An encryption scheme satisfies \emph{single-message 203 | indistinguishability} if for all messages $m_0,m_1 \in \msgspace$, 204 | \[ \left\{ k \gets \skcgen : \skcenc_k(m_0) \right\} \compind 205 | \left\{ k \gets \skcgen : \skcenc_k(m_1) \right\}. \] 206 | \end{definition} 207 | 208 | The following lemma follows immediately. 209 | 210 | \begin{lemma} 211 | \label{lem:pseudorand-one_msg_secure} 212 | For a symmetric encryption scheme $\skc$, if $\set{k \gets \skcgen : 213 | \skcenc_k(m)}$ is pseudorandom over $\ctspace$ for every $m \in 214 | \msgspace$, then the scheme is single-message indistinguishable. 215 | \end{lemma} 216 | 217 | \begin{proof} 218 | Fix any two messages $m_0, m_1 \in \msgspace$. Using the definition 219 | of pseudorandomness, we have 220 | \[ \left\{ \skcenc_k(m_0) \right\} \compind \left\{ U(\ctspace) 221 | \right\} \compind \left\{ \skcenc_k(m_1) \right\}. \] By the 222 | \emph{hybrid lemma} we have $ \left\{ \skcenc_k(m_0) \right\} 223 | \compind \left\{ \skcenc_k(m_1) \right\}$, as desired. 224 | \end{proof} 225 | 226 | Now we describe a symmetric encryption scheme, and use 227 | \cref{lem:pseudorand-one_msg_secure} to prove its one-message 228 | security. Let $\keyspace = \bit^n$ be the keyspace, and let 229 | $\msgspace = \bit^{\ell(n)}$ be the message space, where $\ell(n)$ is 230 | a polynomial in $n$. Let $G$ be a PRG with output length $\ell(n)$. 231 | The following algorithms specify the encryption scheme. 232 | \begin{itemize} 233 | \item $\skcgen$ outputs a uniformly random $k \gets \bit^{n}$. 234 | \item $\skcenc_k(m) = \skcenc(k,m)$ outputs $c = m \oplus G(k)$. 
235 | \item $\skcdec_k(c) = \skcdec(k, c)$ outputs $m = c \oplus G(k)$.
236 | \end{itemize}
237 | 
238 | \begin{claim}
239 | For any $m \in \bit^{\ell(n)}$, the distribution of ciphertexts
240 | $\left\{ k \gets \skcgen : \skcenc_k(m) \right\}$ produced by the
241 | above scheme is pseudorandom.
242 | \end{claim}
243 | 
244 | \begin{proof}
245 | \begin{align}
246 | \left\{ k \gets \skcgen : \skcenc_k(m) \right\} &\equiv
247 | \left\{ k \gets \bit^{n} : m \oplus G(k) \right\} \label{eq:scheme} \\
248 | &\compind \left\{ x \gets U_{\ell(n)} : m \oplus x
249 | \right\} \label{eq:prg} \\
250 | &\equiv \left\{ U_{\ell(n)} \right\}. \label{eq:prob}
251 | \end{align}
252 | \Cref{eq:scheme} is by definition of the scheme. \Cref{eq:prg} is
253 | true because $G$ is a PRG, and by a trivial
254 | simulation. \Cref{eq:prob} is by basic probability.
255 | \end{proof}
256 | 
257 | Note that the scheme constructed above is good for encrypting only
258 | \emph{one} message; it would fail completely if we encrypt two
259 | different messages using the same key. For example, consider $m_0,
260 | m_1 \in \msgspace$ that are encrypted using the above scheme with the
261 | same key $k \in \keyspace$. Then we have $\skcenc_k(m_0) = m_0 \oplus
262 | G(k)$ and $\skcenc_k(m_1) = m_1 \oplus G(k)$. Taking the exclusive-or
263 | of these two ciphertexts, we get $m_0 \oplus m_1$. In many cases
264 | (such as when the two messages are English prose), this is enough
265 | information to recover the two messages completely!
266 | 
267 | A possible way to counter the problem is to encrypt every message with
268 | a different key. But this would require the two communicating parties
269 | to have a large set of secret keys agreed upon in advance.
270 | Alternatively, we
271 | might modify the encryption algorithm to append to its message a fresh
272 | key that would be used to encrypt the subsequent message (note that
273 | this is possible because the messages are longer than the key,
274 | which is something we could not achieve with perfect secrecy).
275 | But this method also suffers from a drawback: the encryption and
276 | decryption algorithms are \emph{stateful}. If even a single message
277 | fails to reach the receiver, it might cause the entire scheme to
278 | fall out of sync.
279 | 
280 | More fundamentally, though, before thinking about ways to securely
281 | encrypt multiple messages, we first need a \emph{definition} of
282 | security that captures this intended mode of usage.
283 | 
284 | \subsection{Multiple-Message Indistinguishability}
285 | \label{sec:mult-mess-indist}
286 | 
287 | \begin{definition}[Multi-message indistinguishability]
288 | \label{def:multi-msg-indist}
289 | An encryption scheme is multi-message indistinguishable if for all
290 | $q=\poly(n)$ and all message tuples $\left( m_1, \ldots, m_q
291 | \right) \in \msgspace^q$ and $\left( m'_1, \ldots, m'_q \right)
292 | \in \msgspace^q$, we have
293 | \[ \left( \skcenc_k(m_1), \ldots, \skcenc_k(m_q)
294 | \right) \compind \left( \skcenc_k(m'_1), \ldots,
295 | \skcenc_k(m'_q) \right), \] where both experiments are over $k
296 | \gets \skcgen$ and any randomness of $\skcenc$.
297 | \end{definition}
298 | 
299 | \begin{question}
300 | This definition may seem problematic. Identify the problem in the
301 | following ``proof'' that multiple-message indistinguishability is
302 | impossible and determine what, if anything, it actually proves.
303 | 
304 | \medskip\noindent \emph{``Proof.''} Let
305 | \((\skcgen, \skcenc, \skcdec)\) be any encryption scheme with
306 | multiple-message indistinguishability and let \(m_0 \neq m_1\) be
307 | two messages. Consider a distinguisher which on input \((c_0, c_1)\)
308 | returns 1 if \(c_0 = c_1\) and 0 otherwise. This distinguisher
309 | successfully distinguishes between a world in which
310 | \((c_0, c_1) = (\skcenc_k(m_0), \skcenc_k(m_0))\) and a world in
311 | which \((c_0, c_1) = (\skcenc_k(m_0), \skcenc_k(m_1))\) with
312 | probability 1, since \(\skcenc_k(m_0) = \skcenc_k(m_0)\) and
313 | \(\skcenc_k(m_0) \neq \skcenc_k(m_1)\). Hence,
314 | \((\skcgen, \skcenc, \skcdec)\) does not have multiple-message
315 | indistinguishability.
316 | \end{question}
317 | 
318 | \begin{answer}
319 | The problem with this proof is that it assumes that \(\skcenc\) is
320 | \emph{deterministic}. In other words, it assumes that two distinct
321 | encryptions of \(m_0\) will yield the same ciphertext. However,
322 | nothing in our definition of \(\skcenc\) requires this. Indeed, what
323 | this proof actually shows is that in order to have
324 | multiple-message indistinguishability, \(\skcenc\) cannot be
325 | deterministic: it must be either \emph{randomized} or
326 | \emph{stateful}.
327 | \end{answer}
328 | 
329 | Unfortunately, we are still not done. In order to make our definition
330 | completely watertight, we need to capture some additional (realistic)
331 | power of the adversary: that it may be able to influence the choice of
332 | messages that are encrypted. Specifically, the adversary may have the
333 | power to \emph{adaptively} choose these encrypted messages, based on
334 | its view of the prior ciphertexts.
335 | 
336 | \subsection{Indistinguishability under (Adaptive) Chosen-Plaintext Attack}
337 | \label{sec:indist-under-chos}
338 | 
339 | The above considerations prompt us to adopt
340 | \textit{indistinguishability under (adaptive) chosen-plaintext attack
341 | (IND-CPA)} as our notion of security. Before giving a precise
342 | definition of security, we list some of the aspects that the
343 | definition should capture.
344 | 
345 | \begin{itemize}
346 | \item We allow the adversary $\Adv$ to \emph{adaptively} query the
347 | encryption oracle, based on the ciphertexts it has already seen.
348 | \item We still want indistinguishability between the encryptions of
349 | two messages (also chosen by $\Adv$).
350 | \end{itemize}
351 | 
352 | Now we present a formal definition satisfying the above goals.
353 | 
354 | \begin{definition}[IND-CPA security]
355 | \label{def:ind-cpa}
356 | An encryption scheme is said to be IND-CPA secure if the following
357 | pairs of oracles are computationally indistinguishable:
358 | \[ \left\langle k \gets \skcgen : C^0_k(\cdot, \cdot) \right\rangle
359 | \compind \left\langle k \gets \skcgen : C^1_k(\cdot, \cdot)
360 | \right\rangle. \] Here $C^{b}_{k}(m_{0}, m_{1})$, called the
361 | \emph{challenge oracle}, simply runs $\skcenc_{k}(m_{b})$ and
362 | outputs the result, using fresh randomness (or keeping any state)
363 | with each invocation.
364 | \end{definition}
365 | 
366 | Observe that the only difference between the two oracles is in the bit
367 | $b$ used by the challenger, i.e., which message is encrypted to
368 | produce the challenge ciphertext. Also observe that given access to
369 | either $C^{b}_{k}(\cdot,\cdot)$, we have implicit access to
370 | $\skcenc_{k}(\cdot)$ just by querying $C^{b}_{k}$ on two equal
371 | messages.
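In code form, the above definition can also be phrased as an equivalent bit-guessing experiment. The following Python sketch is our own schematic, not part of the formal definition; \texttt{Gen} and \texttt{Enc} stand for an arbitrary scheme's algorithms:

\begin{verbatim}
import secrets

def ind_cpa_experiment(Gen, Enc, adversary):
    # Returns True iff the adversary guesses the challenge bit b.
    k = Gen()
    b = secrets.randbits(1)
    # Challenge oracle: encrypts m_b with fresh randomness each call.
    def challenge(m0, m1):
        return Enc(k, (m0, m1)[b])
    return adversary(challenge) == b   # adaptive oracle access
\end{verbatim}

In this formulation, IND-CPA security requires that every efficient adversary win the experiment with probability at most $\frac12 + \negl(n)$.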
372 | 
373 | \begin{question}
374 | Show that IND-CPA security implies multi-message security, but the
375 | converse is false. \textit{Hint:}~Define a ``pathological'' scheme
376 | that gives away its secret key via a certain sequence of adaptive
377 | queries.
378 | \end{question}
379 | 
380 | We now describe a PRF-based encryption scheme enjoying IND-CPA
381 | security. Define $\keyspace = \msgspace = \bit^{n}$ for the
382 | encryption scheme, and assume that $\set{f_{k} \colon \bit^{n} \to
383 | \bit^{n}}_{k \in \bit^{n}}$ is a PRF family.
384 | \begin{itemize}
385 | \item $\skcgen$: output $k \gets \bit^n$.
386 | \item $\skcenc_k(m)$: choose $r \gets U_n$ and output $(r, f_k(r)
387 | \oplus m)$ as the ciphertext.
388 | \item $\skcdec_k(r,c)$: output $f_k(r) \oplus c$ as the decrypted
389 | message.
390 | \end{itemize}
391 | 
392 | It is easy to observe that the scheme is correct,
393 | i.e., $\skcdec_k(\skcenc_k (m)) = f_k(r) \oplus f_k(r) \oplus m =
394 | m$. In the next lecture we will prove that this scheme is IND-CPA
395 | secure.
396 | 
397 | \begin{question}
398 | IND-CPA security ensures that the encryptions of any two messages
399 | are indistinguishable (by a polynomial-time bounded adversary);
400 | however, when thinking about a security definition it is also
401 | important to consider what is \emph{not} hidden by the scheme. What
402 | information about the message is not guaranteed to be hidden by the
403 | definition of IND-CPA security?
404 | \end{question}
405 | 
406 | \begin{answer}
407 | Answers may vary, but what springs most readily to mind is the
408 | length of the message itself. Consider the ciphertexts produced by
409 | the construction above, which are of the form \((r, f_k(r) \oplus m)\)
410 | where \(r \gets U_n\). An adversary need only count the number of bits
411 | in the second component in order to determine the length of the message.
412 | \end{answer}
413 | 
414 | \end{document}
415 | 
416 | %%% Local Variables:
417 | %%% mode: latex
418 | %%% TeX-master: t
419 | %%% End:
420 | 
--------------------------------------------------------------------------------
/src/lec20 - Secure Two-Party Computation.tex:
--------------------------------------------------------------------------------
1 | \documentclass[11pt]{article}
2 | 
3 | \input{header}
4 | 
5 | % VARIABLES
6 | 
7 | \newcommand{\lecturenum}{20}
8 | \newcommand{\lecturetopic}{Secure 2-Party Computation}
9 | \newcommand{\scribename}{Anand Louis}
10 | 
11 | % END OF VARIABLES
12 | 
13 | \lecheader
14 | 
15 | \pagestyle{plain} % default: no special header
16 | 
17 | \begin{document}
18 | 
19 | \thispagestyle{fancy} % first page should have special header
20 | 
21 | % LECTURE MATERIAL STARTS HERE
22 | 
23 | \section{Introduction}
24 | 
25 | Consider the {\em Billionaire's Problem}: {\em Larry} and {\em Sergey}
26 | are both wealthy men. They want to design a protocol to find out
27 | whose net worth is higher, without having to reveal their net worths
28 | to each other. Since they are business partners, they trust each
29 | other to follow the protocol truthfully (i.e., to use their true worth
30 | as inputs and to follow the protocol instructions faithfully), but
31 | they still do not want the protocol to reveal more about their net
32 | worths than is absolutely necessary. Can this be achieved? More
33 | fundamentally, how do we define the notion of security for this goal?
34 | 
35 | Note that ``total'' privacy cannot be achieved, as they will each
36 | learn something new about the other's wealth, namely, whether it is
37 | greater or less than his own. In some special cases, Larry can infer
38 | Sergey's net worth \emph{entirely} from just this single piece of
39 | knowledge. For example, if Larry's net worth is \$1 and Sergey's net
40 | worth is \$0, then when Larry learns that Sergey's worth is less than
41 | his own, he can infer that Sergey's net worth is exactly \$0 (we
42 | ignore the possibility of Sergey being in debt). However, this
43 | leakage of knowledge is \emph{inherent in the task they are carrying
44 | out for these values}, and therefore should not be
45 | considered a deficiency of any particular protocol they might use.
46 | 
47 | Alternatively, Larry might start with some prior knowledge about
48 | Sergey's wealth that might enable him to infer Sergey's exact net
49 | worth from just knowing whose net worth is higher. For example, if
50 | Larry knows that Sergey's net worth is either \$4 billion or \$5
51 | billion, and his own worth is \$4.5 billion, then learning who is
52 | wealthier immediately reveals Sergey's net worth to Larry. This also
53 | should not be considered a violation of our security goal.
54 | 
55 | In both of these examples, we must be content to let Larry learn
56 | whatever he can infer from the final result (i.e., who is wealthier)
57 | --- \emph{but we want him to learn nothing more than that}! So in
58 | defining security, we will aim to restrict the ``\emph{relative
59 | knowledge}'' revealed by a protocol, versus what is learned from the
60 | outcome alone. Similarly to the setting of zero knowledge, we will do
61 | so using the notion of an efficient simulator that is given only the
62 | input and output of the party, and must simulate the entire view of
63 | that party in the protocol.
64 | 
65 | \section{Secure Two-Party Computation}
66 | \label{sec:2pc}
67 | 
68 | Here we formalize a model and security definition for the informal
69 | goals described above.
70 | 
71 | \subsection{Model}
72 | \label{sec:model}
73 | 
74 | We will consider a very simplified model that does not capture many
75 | real-world concerns, but is still rich enough to make the problem
76 | interesting and non-trivial.
77 | 
78 | \begin{enumerate}
79 | \item There are two parties (more formally, two ppt algorithms) $P_1$
80 | and $P_2$, who have inputs $x_1$ and $x_2$ respectively, and wish to
81 | evaluate a public polynomial time-computable function
82 | $f(\cdot,\cdot)$ on those inputs. For example, in the billionaire's
83 | problem, $f(x_{1}, x_{2}) = [x_{1} > x_{2}]$.
84 | 
85 | Without loss of generality, we may assume that $f$ is a
86 | \emph{deterministic} function that outputs a \emph{single} value
87 | that is given to both parties. If we wish for $P_{1}$ and $P_{2}$
88 | to receive the outputs of two possibly different deterministic
89 | functions $f_{1}(\cdot, \cdot)$, $f_{2}(\cdot,\cdot)$
90 | (respectively), this can be emulated using a single function
91 | $f'((x_1,r_1),(x_2,r_2)) = (f_1(x_1,x_2) \oplus r_1 \| f_2(x_1,x_2)
92 | \oplus r_2 )$, where each $P_{i}$ augments its own input $x_{i}$ by
93 | a uniformly random string $r_{i}$ of appropriate length. Since
94 | $r_1$ and $r_2$ are chosen uniformly at random and are independent
95 | of everything else, the output $f_{1}(x_{1}, x_{2})$ is perfectly
96 | hidden from $P_{2}$, as is $f_{2}(x_{1}, x_{2})$ from $P_{1}$.
97 | 98 | We can also evaluate a \emph{randomized} function $f$ by emulating 99 | it with a deterministic function (showing how to do this is one of 100 | your homework problems). However, security becomes quite a bit 101 | subtler to define in this case; see below. 102 | 103 | \item We assume that the parties are {\em semi-honest}, often called 104 | ``honest but curious.'' That is, they run the protocol exactly as 105 | specified (no deviations, malicious or otherwise), but may try to 106 | learn as much as possible about the input of the other party from 107 | their views of the protocol. Hence, we want the view of each party 108 | not to leak more knowledge than necessary. 109 | 110 | \item As usual, the view of a party $P_i$ in an interaction with the 111 | other party on their inputs $x_{1}, x_{2}$, denoted 112 | $\view_{P_{i}}[P_{1}(x_{1}) \leftrightarrow P_{2}(x_{2})]$, consists 113 | of its input $x_i$, the random coins $r_{P_i}$ used by $P_{i}$, and 114 | all the messages received from the other party. The final output of 115 | $P_{i}$ is denoted $\out_{P_{i}}[P_{1}(x_{1}) \leftrightarrow 116 | P_{2}(x_{2})]$. 117 | \end{enumerate} 118 | 119 | \subsection{Security Definition} 120 | \label{sec:security-definition} 121 | 122 | \begin{definition} 123 | \label{def:two-party} 124 | A pair of ppt machines $(P_1,P_2)$ is a secure 2-party protocol (for 125 | static, semi-honest adversaries) for a deterministic polynomial 126 | time-computable function $f(\cdot,\cdot)$ if the following 127 | properties hold: 128 | \begin{enumerate} 129 | \item \emph{Completeness}: for all $i \in \set{1,2}$ and all $x_1, 130 | x_2 \in \bit^{*}$, we have (with probability $1$): \[ 131 | \out_{P_{i}}[P_{1}(x_{1}) \leftrightarrow P_{2}(x_{2})] = 132 | f(x_1,x_2). \] 133 | 134 | \item \emph{Privacy}: there exist nuppt simulators $\Sim_1, \Sim_2$ 135 | such that for all $x_{1}, x_{2} \in \bit^{*}$ and all $i \in 136 | \set{1,2}$, \[ \view_{P_{i}}[P_{1}(x_{1}) \leftrightarrow 137 | P_{2}(x_{2})] \compind \Sim_{i}(x_{i}, f(x_{1}, x_{2})). \] 138 | \end{enumerate} 139 | \end{definition} 140 | 141 | A few remarks are in order. First, privacy is \emph{per-instance}: 142 | the only knowledge leaked to a party by the protocol on inputs $x_{1}, 143 | x_{2}$ is whatever can be inferred (efficiently) from the party's own 144 | input and the value of $f(x_{1}, x_{2})$. For example, if the inputs 145 | are such that $f(x_{1}, x_{2})$ reveals nothing at all, then the 146 | execution of the protocol on those inputs should also reveal nothing; 147 | conversely, if the output reveals everything about both parties' 148 | inputs, then the protocol is allowed to leak everything as well. 149 | Second, any ``prior knowledge'' that the parties have about each 150 | others' inputs is captured by the non-uniformity of the simulator (and 151 | implicit distinguisher) in the definition of privacy. 152 | 153 | \subsection{Definition for Randomized Functions} 154 | \label{sec:defin-rand-funct} 155 | 156 | \Cref{def:two-party} is relatively straightforward due to 157 | the simplicities of our model, in particular, the deterministic nature 158 | of $f$. We briefly discuss some of the issues that arise in defining 159 | security for randomized functions. First, how should completeness be 160 | defined? It no longer makes sense to demand that $\out_{P_{1}} = 161 | f(x_{1}, x_{2})$, since we now have a random variable $f(x_{1}, x_{2}; 162 | r)$ over the choice of $r$ (which neither party should be able to 163 | influence). 
Instead, we want that both $\out_{P_{1}}$ and
164 | $\out_{P_{2}}$ in a \emph{single} execution of the protocol are
165 | \emph{simultaneously} distributed as $f(x_{1}, x_{2}; r)$ for
166 | \emph{the same} random $r$. This is so that the protocol between
167 | $P_{1}$ and $P_{2}$ has the effect of emulating a single, consistent
168 | randomized evaluation of $f$. Formally, we want that for all $x_{1},
169 | x_{2}$, \[ (\out_{P_{1}}, \out_{P_{2}})[P_{1}(x_{1}) \leftrightarrow
170 | P_{2}(x_{2})] \compind (f(x_{1}, x_{2}; r), f(x_{1}, x_{2}; r)), \]
171 | where $r$ is uniformly random and the same in both appearances of $f$.
172 | 
173 | The next natural question is how to define \emph{privacy} against a
174 | semi-honest party. Again, simultaneity of the respective views of
175 | $P_{1}$ and $P_{2}$ is an important issue, and is even more subtle to
176 | get right. It turns out that the proper way of addressing all these
177 | concerns is to define correctness and privacy \emph{all together} by
178 | comparing two \emph{joint} distributions: the ``real world''
179 | distribution of the parties' outputs and the semi-honest party's view,
180 | versus the ``ideal world'' distribution of the function output and
181 | simulated view (again, for a \emph{single} randomized evaluation of
182 | $f$). Formally, we require that there exist nuppt simulators
183 | $\Sim_{1}$, $\Sim_{2}$ such that for all $x_{1}, x_{2}$ and all $i \in
184 | \set{1,2}$, \[ (\out_{P_{1}}, \out_{P_{2}},\view_{P_i})[P_1(x_1)
185 | \leftrightarrow P_2(x_2)] \compind (f(x_{1}, x_{2}; r),
186 | f(x_1,x_2;r),\Sim_i(x_i,f(x_1,x_2;r))). \] Note that the above condition
187 | automatically implies the correctness condition above, so it is the
188 | only one needed to prove security.
189 | 
190 | \subsection{Secure Protocol for Addition}
191 | \label{sec:secure-prot-addit}
192 | 
193 | As a brief test case, we consider a contrived protocol for evaluating
194 | the addition function $f(x_{1}, x_{2}) = x_{1} + x_{2}$.
195 | 
196 | \begin{center}
197 | \begin{tabular}{ccc}
198 | $P_1(x_1)$ & & $P_2(x_2)$ \\
199 | & $\underrightarrow{\quad x_1 \quad}$ & \\
200 | & $\underleftarrow{\quad x_2 \quad}$ & \\
201 | \text{output} $x_1 + x_2$ & & \text{output} $x_1 + x_2$
202 | \end{tabular}
203 | \end{center}
204 | 
205 | Clearly the protocol is complete. For privacy, since $P_1$ is
206 | entitled to know the value of $x_1 + x_2$, and also already knows
207 | $x_1$, he can trivially infer the value of $x_2$. Formally, we can
208 | give a simulator $\Sim_{1}(x_{1}, s = f(x_{1}, x_{2}) = x_{1}+x_{2})$
209 | that just outputs the view consisting of input $x_{1}$, empty
210 | randomness, and a single message $s-x_{1}$ coming from $P_{2}$.
211 | Clearly, this view is identical to $P_{1}$'s view in the real
212 | protocol.
213 | 
214 | \section{Secure Protocol for Arbitrary Circuits}
215 | \label{sec:secure-prot-circuits}
216 | 
217 | We now describe a protocol, originally described by Yao, for
218 | evaluating an \emph{arbitrary} function $f$ represented as a boolean
219 | (logical) circuit. We describe the basic idea for just a single logic
220 | gate, and then outline how it generalizes to arbitrary circuits.
221 | 
222 | Let $g : \bit \times \bit \to \bit$ be an arbitrary logic gate on two
223 | input bits (e.g., the NAND function). Party $P_1$ holds the first
224 | input bit $x_1 \in \bit$ and party $P_2$ holds the second input bit
225 | $x_2 \in \bit$. Together they wish to compute $g(x_1,x_2)$ securely,
226 | in the sense of \cref{def:two-party}.
227 | 
228 | At a high level, the protocol works like this:
229 | \begin{center}
230 | \begin{tabular}{ccc}
231 | $P_1(x_1)$ & & $P_2(x_2)$ \\
232 | & $\underrightarrow{\quad \text{``garbled'' gate $g$} \quad}$ & \\
233 | & $\underrightarrow{\quad \text{``garbled'' input $x_{1}$} \quad}$ & \\
234 | & \fbox{$\underrightarrow{\quad \text{oblivious transfer of
235 | ``garbled'' input $x_{2}$} \quad}$} & \\
236 | & & compute garbled output \\
237 | & $\underrightarrow{\quad \text{``dictionary'' for garbled outputs}
238 | \quad}$ &
239 | \\
240 | & & look up actual value $g(x_{1}, x_{2})$ \\
241 | & $\underleftarrow{\quad g(x_{1}, x_{2}) \quad}$ & \\
242 | output $g(x_1,x_2)$ & & output $g(x_1,x_2)$
243 | \end{tabular}
244 | \end{center}
245 | 
246 | For intuition, the crucial points for security are:
247 | \begin{itemize}
248 | \item $P_{2}$ never sees $x_{1}$ in an ``ungarbled'' form, so
249 | $P_{2}$ learns nothing about $x_{1}$.
250 | \item By the security of the ``oblivious transfer'' sub-protocol
251 | (described below), $P_{1}$ learns nothing about $x_{2}$.
252 | \item Using the garbled inputs $x_{1}$, $x_{2}$ with the garbled gate,
253 | $P_{2}$ can ``obliviously'' compute the garbled output for
254 | \emph{only} the correct value of $g(x_{1}, x_{2})$.
255 | \end{itemize}
256 | 
257 | Concretely, these ideas are implemented using basic symmetric-key
258 | encryption. The idea is the following: each ``wire'' of the gate (the
259 | two inputs and one output) is associated with a pair of random
260 | symmetric encryption keys, chosen by $P_{1}$; the two keys correspond
261 | to the two possible ``values'' (0 or 1) that the wire can take. For
262 | $i= 1,2$, let $k^i_0, k^i_1$ be the keys corresponding to the input
263 | wire $x_{i}$, and let $k^{o}_0, k^o_1$ be the keys corresponding to
264 | the output wire. The ``garbled gate'' that $P_1$ sends to $P_2$ is
265 | a table of four doubly encrypted values, presented in a \emph{random}
266 | order:
267 | 
268 | \begin{center}
269 | \begin{tabular}{|c|}
270 | \hline
271 | $\skcenc_{k^1_0}(\skcenc_{k^2_0}(k^o_{g(0,0)}))$ \\
272 | $\skcenc_{k^1_0}(\skcenc_{k^2_1}(k^o_{g(0,1)}))$ \\
273 | $\skcenc_{k^1_1}(\skcenc_{k^2_0}(k^o_{g(1,0)}))$ \\
274 | $\skcenc_{k^1_1}(\skcenc_{k^2_1}(k^o_{g(1,1)}))$ \\ \hline
275 | \end{tabular}
276 | \end{center}
277 | 
278 | Observe that if $P_{2}$ knows (say) $k^{1}_{0}$ and $k^{2}_{1}$, i.e.,
279 | the keys corresponding to inputs $x_{1}=0$ and $x_{2} = 1$, then
280 | $P_{2}$ can decrypt $k^{o}_{g(0,1)}$, the key corresponding to the
281 | output value of the gate, \emph{but none of the other entries!} (Note
282 | that this requires the encryption scheme to satisfy some simple
283 | properties, such as the ability to detect when a ciphertext has
284 | decrypted successfully. These properties are easy to obtain.) The
285 | random order of the table prevents $P_{2}$ from learning the
286 | ``meaning'' of the keys that it knows; otherwise, this information
287 | would be leaked by which of the table entries decrypt properly. In
288 | conclusion, knowing exactly one key for each input wire allows $P_{2}$
289 | to learn exactly one key (the correct one) for the output wire,
290 | without learning the meanings of any of the keys.
291 | 
292 | The only remaining question is how $P_{2}$ obtains the right keys for
293 | the input wires. For $x_{1}$, this is easy: $P_1$ just sends $P_2$
294 | the key $k^{1}_{x_{1}}$ corresponding to its input bit $x_{1}$. Note
295 | that $P_2$ learns nothing about $x_1$ from this.
Next, $P_1$ and
296 | $P_2$ run an ``oblivious transfer'' protocol (described in the next
297 | subsection) which allows $P_2$ to learn $k^{2}_{x_{2}}$, and
298 | \emph{only} $k^{2}_{x_{2}}$, without revealing anything about the
299 | value of $x_{2}$ to $P_{1}$.
300 | 
301 | Finally, $P_{1}$ tells $P_{2}$ the ``meanings'' of the two possible
302 | output keys $k^{o}_{0}, k^{o}_{1}$, which reveals to $P_{2}$ the value
303 | of $g(x_{1}, x_{2})$. Then $P_{2}$ sends this value to $P_{1}$ as
304 | well (recall that both parties are semi-honest, so neither will lie).
305 | 
306 | For more complex circuits $f$, the protocol generalizes in a
307 | straightforward manner: $P_{1}$ chooses two keys for every wire in the
308 | circuit, and constructs a garbled table for each gate, using the
309 | appropriate keys for the input and output wires. $P_{2}$ can compute
310 | the garbled gates iteratively, while remaining oblivious to the
311 | meanings of the intermediate wires. Then $P_{1}$ finally reveals the
312 | meanings of just the output wires.
313 | 
314 | A proof of security for this construction is beyond the scope of this
315 | lecture, but contains no surprises; see the paper by Lindell and
316 | Pinkas for a full rigorous proof. The key point is that a simulator
317 | can construct garbled gates that \emph{always} result in the same key
318 | being decrypted (irrespective of which input keys were used), thus
319 | allowing the simulator to ``force'' $P_{2}$ to output the correct
320 | value $f(x_{1}, x_{2})$. Security of the symmetric encryption scheme
321 | prevents $P_{2}$ from detecting these malformed garbled gates, since
322 | $P_{2}$ can only decrypt one entry from each gate.
323 | 
324 | \section{Oblivious Transfer}
325 | \label{sec:oblivious-transfer}
326 | 
327 | We conclude by describing how to perform an oblivious transfer between
328 | the two parties. We will consider the specific form of oblivious
329 | transfer that is required to complete our protocol: $P_1$ is holding
330 | two bits $b_0,b_1$ and wants to transfer \emph{exactly one} of them to
331 | $P_2$, according to $P_{2}$'s choice bit $\sigma = x_{2}$, while
332 | itself learning nothing about which one was received. (To transfer
333 | entire keys $k_{0}, k_{1} \in \bit^{n}$, the parties can just run the
334 | protocol $n$ times, using the same choice bit $\sigma$ and the
335 | corresponding pairs of bits from $k_{0}, k_{1}$.)
336 | 
337 | Our protocol relies on a family of trapdoor permutations $\set{f_{s}
338 | \colon \bit^{n} \to \bit^{n}}$ with hard-core predicate $h \colon
339 | \bit^{n} \to \bit$.
340 | 
341 | \begin{center}
342 | \begin{tabular}{ccc}
343 | $P_1(b_0,b_1)$ & & $P_2(\sigma)$ \\
344 | choose $(f_s, f_{s}^{-1})$ & & \\
345 | & $\underrightarrow{\quad f_s \quad}$ & \\
346 | & & $v_{\sigma} \gets \bit^{n}$ \\
347 | & & $w_{\sigma} = f_{s}(v_{\sigma})$ \\
348 | & & $w_{1-\sigma} \gets \bit^{n}$ \\
349 | & $\underleftarrow{\quad w_{0}, w_{1} \quad}$ & \\
350 | let $v_{0} = f_{s}^{-1}(w_{0})$, $v_{1} = f_{s}^{-1}(w_{1})$ &
351 | & \\
352 | & $\underrightarrow{\quad c_{0} = h(v_{0}) \oplus b_{0}, c_{1} =
353 | h(v_{1}) \oplus b_{1} \quad}$ & \\
354 | & & output $h(v_{\sigma}) \oplus c_{\sigma}$
355 | \end{tabular}
356 | \end{center}
357 | 
358 | In words, $P_1$ picks a random function $f_s$ (with trapdoor) from the
359 | family and sends it to $P_2$. Then $P_2$ chooses uniformly random
360 | $w_{0}, w_{1} \in \bit^{n}$ so that it knows the preimage of
361 | \emph{only} $w_{\sigma}$, and sends these to $P_{1}$.
(Observe that
362 | this reveals no information about $\sigma$ to $P_{1}$ because $w_{0},
363 | w_{1}$ are uniform and independent.) Next, $P_{1}$ encrypts its two
364 | bits $b_{0}, b_{1}$ using the hard-core predicate $h$ on the preimages
365 | of $w_{0}, w_{1}$, respectively. Finally $P_{2}$, knowing the
366 | preimage $v_{\sigma}$ of $w_{\sigma}$, can decrypt $b_{\sigma}$, but
367 | it learns nothing about $b_{1-\sigma}$ due to the hardness of~$h$.
368 | Note that the protocol crucially relies on the fact that $P_{2}$ is
369 | semi-honest; otherwise, it could choose $w_{0}, w_{1}$ so that it knew
370 | both preimages. (A full, formal proof of security for this protocol
371 | is not too hard, and is a worthwhile exercise.)
372 | 
373 | \end{document}
374 | 
375 | %%% Local Variables:
376 | %%% mode: latex
377 | %%% TeX-master: t
378 | %%% End:
379 | 
--------------------------------------------------------------------------------
/src/lec16 - Zero-Knowledge Proofs.tex:
--------------------------------------------------------------------------------
1 | \documentclass[11pt]{article}
2 | 
3 | \input{header}
4 | 
5 | \usepackage{algorithmic}
6 | 
7 | % VARIABLES
8 | 
9 | \newcommand{\lecturenum}{16}
10 | \newcommand{\lecturetopic}{Zero-Knowledge Proofs}
11 | \newcommand{\scribename}{Alessio Guerrieri}
12 | 
13 | % END OF VARIABLES
14 | 
15 | \lecheader
16 | 
17 | \pagestyle{plain} % default: no special header
18 | 
19 | \begin{document}
20 | 
21 | \thispagestyle{fancy} % first page should have special header
22 | 
23 | % LECTURE MATERIAL STARTS HERE
24 | 
25 | \section{Recap: Interactive Proofs}
26 | \label{sec:recap:IP}
27 | 
28 | \begin{definition}
29 | \label{def:ips}
30 | An \emph{interactive proof system} with \emph{soundness error} $s
31 | \in [0,1]$ for a language $L \subseteq \bit^{*}$ is a pair of
32 | algorithms: a (possibly computationally unbounded) prover $P$, and a
33 | ppt verifier $V$, having the following properties:
34 | \begin{enumerate}
35 | \item \emph{Completeness} (``the specified prover convinces the
36 | specified verifier of a true statement''): for all $x \in L$,
37 | $\out_{V}[ P(x) \leftrightarrow V(x) ] = 1$, with probability $1$.
38 | \item \emph{Soundness} (``\emph{no} possibly cheating prover can
39 | convince the specified verifier of a false statement''): for all
40 | $x \notin L$ and every prover $P^{*}$, \[ \Pr\left[ \out_{V}[ P^{*}(x) \leftrightarrow V(x) ] = 1 \right]
41 | \leq s. \]
42 | \end{enumerate}
43 | \end{definition}
44 | 
45 | \newcommand{\gni}{\problem{GNI}}
46 | 
47 | Last time we studied an interactive proof for the graph nonisomorphism
48 | problem ($\gni$). Remember the definition: $ \gni=\set{(G_0,G_1) :
49 | G_0 \not\equiv G_1}$, where $G_0 \equiv G_1$ if there exists a
50 | bijection $\pi \colon V_0 \to V_1$ such that $(v_0,v_1) \in E_0$ if and
51 | only if $(\pi(v_0),\pi(v_1)) \in E_1$. The protocol is as follows:
52 | 
53 | \begin{center}
54 | \begin{tabular}{ccc}
55 | $P(G_{0}, G_{1})$ & & $V(G_{0},G_{1})$ \\ \\
56 | & & $b \gets \bit$\\
57 | && choose random permutation $\pi$ on $G_{b}$'s vertices \\
58 | &$\underleftarrow{H=\pi(G_b)}$ & \\
59 | find $b'$ such that $H\equiv G_{b'}$ &&\\
60 | & $\underrightarrow{\qquad b' \qquad}$ &\\
61 | && accept iff $b=b'$
62 | \end{tabular}
63 | \end{center}
64 | 
65 | We already proved that this protocol is complete (if the graphs are not
66 | isomorphic, then the unbounded prover always convinces the verifier)
67 | and that the protocol is sound (if the graphs are isomorphic, then the
68 | best any prover can do is to convince the verifier with one-half
69 | probability).
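To fix ideas, here is a minimal Python sketch of one round of this
interaction. The graph representation (edges as two-element
\texttt{frozenset}s over vertices $0, \ldots, n-1$) and the
brute-force search standing in for the unbounded prover are
illustrative assumptions only, feasible just for tiny graphs.

\begin{verbatim}
import random
from itertools import permutations

def apply_perm(edges, pi):
    # Relabel each edge {u, v} as {pi[u], pi[v]}.
    return {frozenset(pi[v] for v in e) for e in edges}

def isomorphic(g, h, n):
    # Brute force over all n! relabelings: the unbounded prover's power.
    return any(apply_perm(g, pi) == h for pi in permutations(range(n)))

def gni_round(g0, g1, n):
    b = random.randrange(2)           # verifier's secret bit
    pi = random.sample(range(n), n)   # verifier's random permutation
    h = apply_perm((g0, g1)[b], pi)   # challenge graph H = pi(G_b)
    b_prime = 0 if isomorphic(g0, h, n) else 1  # prover's answer b'
    return b == b_prime               # verifier accepts iff b' = b
\end{verbatim}

When $G_0 \not\equiv G_1$, the prover's answer is always correct and
the verifier always accepts; when $G_0 \equiv G_1$, the answer is
independent of $b$, so each round accepts with probability exactly
$1/2$, matching the claims above.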
70 | 
71 | \section{Zero-Knowledge Proofs}
72 | \label{sec:zero-knowl-proofs}
73 | 
74 | Notice a curious property of the above protocol: the prover just
75 | replies with $b' = b$, the verifier's own random bit. Intuitively,
76 | therefore, $V$ doesn't seem to get anything from its interaction with
77 | $P$ that it ``doesn't already know itself'' --- aside from the fact
78 | that the theorem is true (because the prover gives a convincing
79 | proof). Properly formalized, this property is called ``zero
80 | knowledge.''
81 | 
82 | \subsection{Honest-Verifier Zero-Knowledge}
83 | \label{sec:honest-verifier-zero}
84 | 
85 | \begin{definition}
86 | \label{def:hvzk}
87 | An interactive proof system $(P,V)$ for a language $L$ is said to be
88 | \emph{honest-verifier zero-knowledge} if there exists an nuppt
89 | simulator $\Sim$ such that for all $x \in L$, \[ \view_{V}[ P(x)
90 | \leftrightarrow V(x) ] \statind \Sim(x), \] where $\view_{V}$ is the
91 | ``view'' of the verifier in the interaction, consisting of its input
92 | $x$, its random coins $r_V$, and the sequence of the prover's
93 | messages.
94 | \end{definition}
95 | 
96 | The idea behind the definition is that given an $x \in L$, it is
97 | possible to simulate everything the (honest) verifier ``sees'' in the
98 | interaction \emph{without the help of the unbounded prover}. Said
99 | another way, anything revealed by the prover in the interaction could
100 | have been generated by a simulator that knows nothing more than the
101 | verifier itself.
102 | 
103 | Let us take a closer look at the definition of $\view_V$. The
104 | verifier's ``view'' is the tuple of all its various inputs throughout
105 | the execution of the protocol. These are precisely its input $x$, its
106 | random coins, and the prover's messages. Observe that given these
107 | values, the messages that $V$ sends to $P$ can be generated
108 | deterministically, so we do not need to include them in the view.
109 | 
110 | \begin{lemma}
111 | \label{lem:gni-hvzk}
112 | The above protocol for the $\gni$ problem is honest-verifier
113 | zero-knowledge.
114 | \end{lemma}
115 | 
116 | \begin{proof}
117 | To prove this lemma we define a ppt simulator $\Sim$ that is able to
118 | generate a transcript that is indistinguishable from (actually,
119 | identical to) the view of $V$. The simulator $\Sim(G_{0}, G_{1})$
120 | works as follows: first, choose $b \gets \bit$ and a random
121 | permutation $\pi$ on $G_{b}$'s vertices. Then, output the view $(x
122 | = (G_{0}, G_{1}), r_V=(b,\pi), b' = b)$.
123 | 
124 | We show that when $(G_0,G_1) \in \gni$, we have that $\Sim(G_0,G_1)
125 | \equiv \view_V[P(x)\leftrightarrow V(x)]$. The random coins
126 | $(b,\pi)$ are distributed identically to $V$'s random coins. And
127 | since we are assuming that $(G_0,G_1) \in \gni$, the prover always
128 | answers with the message $b'=b$. This completes the proof.
129 | \end{proof}
130 | 
131 | \subsection{Full Zero-Knowledge}
132 | \label{sec:full-zero-knowledge}
133 | 
134 | The above definition says that the verifier gains no knowledge from
135 | the interaction, as long as it runs the prescribed algorithm $V$. But
136 | what if the verifier tries to gain some knowledge from its interaction
137 | with the prover by \emph{deviating} from the prescribed protocol? We
138 | should consider an arbitrary (but efficient) \emph{cheating} verifier
139 | $V^{*}$, and show that its view can be efficiently simulated as well.
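Before formalizing this, it is instructive to see just how simple the
\emph{honest-verifier} simulator really is. The following Python
sketch mirrors the proof of \cref{lem:gni-hvzk}, using the same toy
graph representation as in the earlier sketch; it outputs a view
$(x, r_V, b')$ without ever testing isomorphism.

\begin{verbatim}
import random

def hv_simulator(g0, g1, n):
    # Simulate the honest verifier's view: input, coins, prover message.
    b = random.randrange(2)           # the coin the verifier would flip
    pi = random.sample(range(n), n)   # the permutation it would choose
    # On a true statement the prover always answers b' = b, so the
    # simulated prover message is just b itself.
    return ((g0, g1), (b, pi), b)
\end{verbatim}

Against a \emph{cheating} verifier, this simple strategy no longer
suffices, as the following definition and discussion make precise.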
140 | 
141 | \begin{definition}
142 | \label{def:zk}
143 | An interactive proof system $(P,V)$ for a language $L$ is
144 | \emph{zero-knowledge} if for every nuppt $V^{*}$ there exists an
145 | nuppt simulator $\Sim$ such that for all $x \in L$, \[ \view_{V^{*}}[
146 | P(x) \leftrightarrow V^{*}(x) ] \statind \Sim(x). \]
147 | \end{definition}
148 | 
149 | Does our protocol for $\gni$ enjoy full zero-knowledge? Let's try to
150 | create a simulator $\Sim$. Since $V^{*}$ is arbitrary, we do not know
151 | how $V^*$ will construct its first message (the graph $H$), so the
152 | only thing $\Sim$ seems to be able to do is to choose random coins
153 | $r_{V^*}$ and run $V^*$ using those random coins to get a message $H$.
154 | This $H$ can be anything (it might not even be a graph at all!). If
155 | it's a malformed message, then $\Sim$ can do exactly what the honest
156 | prover $P$ would do: abort. But what if $H$ is a valid message? Note
157 | that $\Sim$ can't hope to determine the correct graph just by
158 | ``inspecting'' the random coins $r_{V^{*}}$, because we have no idea
159 | how $V^{*}$ generates $H$ from its random coins. So how can $\Sim$
160 | know if $H$ is isomorphic to $G_0$ or $G_1$, without solving the graph
161 | isomorphism problem?
162 | 
163 | The problem here is that the protocol in fact \emph{may not be}
164 | zero-knowledge. Notice that in this protocol, the prover is acting as
165 | an \emph{isomorphism oracle}, and $V^*$ might be able to exploit the
166 | prover to get some extra knowledge that it didn't have before.
167 | Suppose for example that $V^*$ has $H$ hardcoded into it, and wants to
168 | know if $H \equiv G_0$ or $H \equiv G_1$ (or neither). Then $V^*$ can
169 | simply send $H$ to the prover, and from the answer $V^*$ will learn
170 | that $H\equiv G_{b'}$, or that $H$ is isomorphic to neither of $G_0,
171 | G_1$ (if the prover happens to abort).
172 | 
173 | \section{Graph Isomorphism}
174 | \label{sec:graph-isomorphism}
175 | 
176 | \newcommand{\gi}{\problem{GI}}
177 | \newcommand{\iso}{\text{iso}}
178 | 
179 | It is possible to give a zero-knowledge proof for graph
180 | nonisomorphism, but the protocol and proof are quite involved (the
181 | solution effectively forces $V^{*}$ itself to prove that $H$ is indeed
182 | isomorphic to one of $G_{0}$ or $G_{1}$, which effectively eliminates
183 | the problem we identified above). Instead, let's look at a different
184 | problem for which we will be able to give a simple zero-knowledge
185 | proof. We define the \emph{graph isomorphism} problem $\gi =
186 | \set{(G_{0}, G_{1}) : G_{0} \equiv G_{1}}$. This problem is just the
187 | complement of the $\gni$ problem. Can we create a zero-knowledge
188 | interactive proof system for this problem? Before just giving the
189 | solution, let's develop some intuition for how it might work.
190 | 
191 | Suppose that a spelunker wants to prove that a certain cave contains a
192 | ``loop,'' but without giving any other knowledge about the structure
193 | of the cave. A solution might be the following: the verifier stays at
194 | any point of the claimed loop, and the prover moves to some hidden
195 | part of the loop. When the prover announces that he is ready, the
196 | verifier will choose one of the two directions and will challenge the
197 | prover to come to him from that direction.
If the prover knows the
198 | loop, he will be able to find a way to the verifier, while if there is
199 | no loop the prover will be able to walk to the verifier from only one
200 | direction and will succeed only half of the time.
201 | 
202 | We will use this basic idea for the $\gi$ problem. The prover will
203 | generate a random graph $H$ isomorphic to the two graphs, and the
204 | verifier will challenge it to give a permutation proving that $H$ is
205 | isomorphic to $G_b$, for $b$ chosen at random. Let $\iso(G)$ denote
206 | the set of all graphs isomorphic to a graph $G$.
207 | 
208 | \begin{center}
209 | \begin{tabular}{ccc}
210 | $P(G_0,G_1)$ & & $V(G_0, G_1)$ \\ \\
211 | Choose random $H \gets \iso(G_0) = \iso(G_{1})$ & & \\
212 | & $\underrightarrow{\quad H \quad }$ & \\
213 | && Choose $b \gets \bit$\\
214 | & $\underleftarrow{\quad b \quad}$ & \\
215 | Choose \emph{random} perm. $\rho$ s.t.~$H=\rho(G_b)$&& \\
216 | & $\underrightarrow{\quad \rho \quad}$ & \\
217 | && Accept iff $H=\rho(G_b)$
218 | \end{tabular}
219 | \end{center}
220 | 
221 | Implicitly, $V$ should check that $\rho$ really is a legal permutation
222 | on $G_{b}$'s vertices, and reject if it is not; this is important for
223 | soundness. Note also that it is very important that when replying to
224 | the challenge bit $b$, the honest prover $P$ chooses a \emph{random}
225 | permutation $\rho$ such that $H = \rho(G_{b})$, and not just (for
226 | example) the first one it encounters (since there may be more than
227 | one). This will turn out to be crucial for the proof of
228 | zero-knowledge (\cref{claim:statind-conditional} below).
229 | 
230 | \begin{theorem}
231 | \label{thm:gi-zkp}
232 | The above protocol for the $\gi$ problem is a zero-knowledge
233 | interactive proof system.
234 | \end{theorem}
235 | 
236 | \begin{proof}
237 | First we show completeness: if $G_0 \equiv G_1$, then $G_0 \equiv H
238 | \equiv G_1$ and $P$ can always find an appropriate $\rho$ such that
239 | $V$ accepts.
240 | 
241 | Next we show soundness, and calculate the probability that $V$
242 | accepts when $G_0 \not\equiv G_1$ while interacting with some
243 | arbitrary $P^{*}$. For any $H$ output by $P^{*}$, we have that $H
244 | \equiv G_{b'}$ for at most one $b'$. The verifier chooses $b \in
245 | \bit$ at random, and if $b\neq b'$ then there is \emph{no} reply
246 | which will make $V$ accept. We can conclude that the soundness
247 | error is at most $\frac{1}{2}$.
248 | 
249 | Now we prove that the protocol is zero-knowledge. To do this, let
250 | $V^{*}$ be an arbitrary nuppt algorithm. Unlike in our above proof
251 | of \emph{honest-verifier} zero-knowledge for the $\gni$ problem, we
252 | do not know how $V^{*}$ will choose its challenge bit $b$ --- it
253 | might introduce some bias, or choose $b$ to depend on the prover's
254 | initial message $H$ in some bizarre way. Our simulator $\Sim$ will
255 | work by preparing a message $H$ so that it knows how to answer
256 | \emph{just one} of $V^{*}$'s possible challenges. If $V^{*}$
257 | happens to make that challenge, the simulator answers and outputs
258 | the view; otherwise, it tries again from scratch by re-running
259 | (``rewinding'') the verifier with fresh new choices until it
260 | succeeds.
261 | 
262 | More formally, $\Sim(G_{0},G_{1})$ works as follows:
263 | \begin{algorithmic}
264 | \REPEAT
265 | 
266 | \STATE Choose a random permutation $\rho$ and $b \gets \bit$
267 | 
268 | \STATE Let $H= \rho(G_b)$
269 | 
270 | \STATE Run $V^*(G_{0}, G_{1})$ with fresh random coins $r_{V^*}$,
271 | and send $H$ as the prover's first message to $V^{*}$
272 | 
273 | \STATE Receive a bit $b^{*}$ from $V^*$ (or if $V^{*}$ sends a
274 | malformed message, just output the view so far)
275 | 
276 | \UNTIL{$b^{*}=b$, or we've looped more than $n$ times}
277 | 
278 | \RETURN $(x = (G_{0}, G_{1}), r_{V^*}, H, \rho)$
279 | \end{algorithmic}
280 | 
281 | We now need to show that for any $x = (G_{0},G_{1}) \in \gi$,
282 | \[ \view_{V^{*}} [ P(x) \leftrightarrow V^{*}(x) ] \statind
283 | \Sim(x). \] This follows by
284 | \cref{claim:statind-conditional,claim:output-iteration} below,
285 | because conditioned on $\Sim$ succeeding in some iteration, its
286 | output is identically distributed with the view of $V^{*}$, and it
287 | fails in all $n$ iterations with probability at most $2^{-n}$.
288 | \end{proof}
289 | 
290 | \begin{claim}
291 | \label{claim:statind-conditional}
292 | For any $x = (G_{0},G_{1}) \in \gi$, conditioned on $\Sim(x)$
293 | succeeding in a particular iteration, its output is identically
294 | distributed with $\view_{V^{*}}[ P(x) \leftrightarrow V^{*}(x) ]$.
295 | \end{claim}
296 | 
297 | \begin{claim}
298 | \label{claim:output-iteration}
299 | For any $x = (G_{0},G_{1}) \in \gi$, the probability that $\Sim(x)$
300 | succeeds in any particular iteration is at least $1/2$.
301 | \end{claim}
302 | 
303 | \begin{proof}[Proof of \cref{claim:statind-conditional}]
304 | The output of $\Sim$ is $((G_{0}, G_{1}), r_{V^*},H,\rho)$. By
305 | construction, $r_{V^*}$ is uniform. Since we choose $\rho$
306 | uniformly at random, we get that $H$ is uniform in
307 | $\iso(G_0)=\iso(G_1)$. Furthermore, conditioned on $H$ and bit $b$,
308 | $\rho$ is a \emph{uniformly random} permutation such that
309 | $H=\rho(G_b)$. This is exactly the prover's distribution. (This is
310 | where we have used the fact that the prover returns a random $\rho$
311 | such that $H = \rho(G_{b})$.)
312 | \end{proof}
313 | 
314 | \begin{proof}[Proof of \cref{claim:output-iteration}]
315 | Because $G_0 \equiv G_1$, the graph $H=\rho(G_{b})$ constructed by
316 | the simulator is uniform in $\iso(G_{0}) = \iso(G_{1})$, and
317 | simulator $\Sim$'s bit $b$ is statistically independent of $H$.
318 | Thus, for any challenge bit $b^{*}$ output by $V^*$, we have that
319 | $\Pr[b^{*}=b] = 1/2$.
320 | \end{proof}
321 | 
322 | \section{Enhancements}
323 | \label{sec:enhancements}
324 | 
325 | A few observations on these results:
326 | \begin{enumerate}
327 | \item \emph{Efficient provers.} The definition of an interactive
328 | proof allows the prover to be unbounded, but how could we hope to
329 | \emph{use} such a prover in practice? To be applicable in the real
330 | world, we would like the prover to be \emph{efficient}. Of course,
331 | if the prover is given just the same inputs as the verifier, then it
332 | can't accomplish anything that the verifier can't accomplish itself.
333 | But in many proof systems, the prover can be made efficient by
334 | giving it an \emph{extra} input to help it do its job. (This input
335 | might represent some extra knowledge that the prover may have generated
336 | in connection with the theorem, and would like to keep secret.)
For
337 | example, in the $\gi$ proof we can give the prover an isomorphism
338 | $\sigma$ such that $G_{0} = \sigma(G_{1})$, and the prover can
339 | choose $H = \pi(G_{0})$ for a uniformly random permutation $\pi$.
340 | Then if $V$ asks for an isomorphism between $H$ and $G_0$, the
341 | prover answers $\pi$; if $V$ asks for an isomorphism between $H$ and
342 | $G_1$, the prover answers $(\pi \circ \sigma)$.
343 | 
344 | An application of zero-knowledge is to identification: a prover who
345 | knows an isomorphism between the graphs (because he constructed
346 | them, for example) can give a convincing proof. Due to the
347 | zero-knowledge property, after seeing some proofs, nobody can
348 | impersonate the prover with an advantage greater than if they hadn't
349 | seen any proofs at all. (To argue this more formally requires the
350 | notion of a \emph{proof of knowledge}, which intuitively says that
351 | not only is the theorem true, but that any (possibly cheating)
352 | prover capable of giving a convincing proof must ``know a reason why''
353 | (i.e., a witness). We will investigate proofs of knowledge in more
354 | detail later.)
355 | 
356 | \item \emph{Improved soundness error.} Our soundness error is still
357 | $1/2$, which is quite bad. One obvious way to improve the error is
358 | to repeat $N$ \emph{independent} iterations of the proof, and accept
359 | if every iteration is acceptable. It is not too hard to show that
360 | the soundness error then becomes $2^{-N}$. Furthermore, it can be
361 | shown (though it is not trivial!) that the zero-knowledge property
362 | is also preserved under such sequential repetition. A downside is
363 | that this approach is not very efficient in the number of rounds.
364 | 
365 | Another approach is to run $N$ copies of the proof in
366 | \emph{parallel}, and accept if all iterations are acceptable. This
367 | is clearly more round-efficient, and also reduces the soundness
368 | error to $2^{-N}$ just as with sequential repetition. However, this
369 | parallel protocol scheme may \emph{not} preserve the zero-knowledge
370 | property! To see why, notice that when we proved that the $\gi$
371 | protocol is zero-knowledge, we created a simulator that had to
372 | ``predict'' the challenge bit chosen by the cheating verifier
373 | $V^{*}$. To create a simulator for this parallel protocol, it seems
374 | that we would need to guess all $N$ challenge bits at once ---
375 | otherwise, the simulator would not be able to output a full
376 | accepting transcript for the entire protocol. (Recall that $V^{*}$
377 | can choose its $N$ challenge bits in any arbitrary way, perhaps
378 | depending on all $N$ of the prover's initial messages.) In the
379 | sequential approach, a simulator can guess each bit one by one
380 | (without having to ``rewind'' all the way to the start of the
381 | protocol), but in the parallel case all the bits need to be guessed
382 | in one step, which would succeed with only $2^{-N}$ probability.
383 | This would translate to a simulation running time that is
384 | exponential in $N$.
385 | 
386 | Note that nothing in the above argument rules out a more clever
387 | simulation strategy, so we are \emph{not} saying that the parallel
388 | protocol is \emph{definitely not} zero-knowledge. All we are saying
389 | is that its status is unknown, and a valid proof of the
390 | zero-knowledge property seems hard to obtain.
391 | \end{enumerate}
392 | 
393 | \end{document}
394 | 
395 | %%% Local Variables:
396 | %%% mode: latex
397 | %%% TeX-master: t
398 | %%% End:
399 | 
--------------------------------------------------------------------------------
/src/lec05 - Indistinguishability and Pseudorandomness.tex:
--------------------------------------------------------------------------------
1 | \documentclass[11pt]{article}
2 | 
3 | \input{header}
4 | 
5 | \usepackage{algorithm,algorithmic}
6 | 
7 | % VARIABLES
8 | 
9 | \newcommand{\lecturenum}{5}
10 | \newcommand{\lecturetopic}{Indistinguishability, Pseudorandomness}
11 | \newcommand{\scribename}{Abhinav Shantanam}
12 | 
13 | % END OF VARIABLES
14 | 
15 | \lecheader
16 | 
17 | \pagestyle{plain} % default: no special header
18 | 
19 | \begin{document}
20 | 
21 | \thispagestyle{fancy} % first page should have special header
22 | 
23 | % LECTURE MATERIAL STARTS HERE
24 | 
25 | \section{Indistinguishability}
26 | \label{sec:indistinguishability}
27 | 
28 | We'll now start a major unit on \emph{indistinguishability} and
29 | \emph{pseudorandomness}. These concepts are a cornerstone of modern
30 | cryptography, underlying several foundational applications such as
31 | pseudorandom generators, secure encryption, ``commitment'' schemes,
32 | and much more.
33 | 
34 | For example, our most immediate application of indistinguishability
35 | will be to construct cryptographically strong \emph{pseudorandom bit
36 | generators}. These are algorithms that produce many
37 | ``random-looking'' bits, while using very little ``true'' randomness.
38 | (In particular, the bits they output will necessarily be ``very far''
39 | from truly random, in a statistical sense.) One easy-to-imagine
40 | application would be to use the pseudorandom bit stream as a one-time
41 | encryption pad, which would allow the shared secret key to be much
42 | smaller than the message. But what does it \emph{mean} for a string
43 | of bits to be ``random-looking''? And how can we be confident that
44 | using such bits does not introduce any unforeseen weaknesses in our
45 | system?
46 | 
47 | More generally, the motivating question for our study is:
48 | \begin{center}
49 | When can two (possibly different) objects be considered
50 | \emph{effectively the same}?
51 | \end{center}
52 | The answer:
53 | \begin{center}
54 | \emph{When they can't be told apart!}
55 | \end{center}
56 | Though seemingly glib, this answer encapsulates a very powerful
57 | mindset that will serve us well as we go forward.
58 | 
59 | \subsection{Statistical Indistinguishability}
60 | \label{sec:stat-indist}
61 | 
62 | We use probability theory to model (in)distinguishability. If two
63 | distributions are identical, then they certainly should be considered
64 | indistinguishable. We relax this condition to define
65 | \emph{statistical} indistinguishability, for when the
66 | \emph{statistical distance} between the two distributions is
67 | negligible. The statistical distance between two distributions $X$
68 | and $Y$ over a domain $\Omega$ is defined as\footnote{For a set~$S$ of
69 | real numbers, its \emph{supremum} $\sup(S)$ is the least upper bound
70 | of the elements of~$S$. The supremum can be thought of as a
71 | generalization of the maximum element to (infinite) sets where no
72 | such element may exist. For example, there is no maximum element of
73 | the set $[0,1) \subseteq \R$, but the supremum is 1 since it is the
74 | smallest real number that is larger than every element of
75 | $[0,1)$.
When~$S$ is finite, the supremum is simply the maximum.} 76 | \[ \Delta(X,Y) := \sup_{A \subseteq \Omega} \abs{X(A) - Y(A)}, \] 77 | where $X(A) = \sum_{w \in A} \Pr[X=w]$ is the probability that a draw 78 | from~$X$ lands in~$A$, and likewise for~$Y(A)$. We can 79 | view~$A \subseteq \Omega$ as a statistical ``test'' that has some 80 | probability of ``passing'' when given an element drawn from~$X$, or 81 | from~$Y$; the statistical distance is essentially the maximum 82 | difference between these two probabilities, taken over all tests. 83 | Note that $A$ and $\bar{A}$ are effectively the same test, since 84 | \[ \abs{X(\bar{A})-Y(\bar{A})} = \abs{1-X(A)-(1-Y(A))} = 85 | \abs{Y(A)-X(A)} = \abs{X(A)-Y(A)}. \] 86 | 87 | \begin{lemma} 88 | \label{lem:stat-dist} 89 | For distributions $X,Y$ over a finite domain $\Omega$, 90 | \[ \Delta(X,Y) = \frac12 \sum_{w \in \Omega} \abs{X(w) - Y(w)}. \] 91 | \end{lemma} 92 | 93 | \begin{proof} 94 | Let the test $A = \set{w \in \Omega\; :\; X(w) > Y(w)}$. This makes 95 | $X(A) - Y(A)$ as large as possible, so 96 | $\Delta(X,Y) = X(A)-Y(A) = \sum_{w \in A} \abs{X(w)-Y(w)}$. As 97 | noted above, we also have 98 | $\Delta(X,Y) = Y(\bar{A})-X(\bar{A}) = \sum_{w \in \bar{A}} 99 | \abs{X(w)-Y(w)}$. Summing the two equations, we have 100 | $2\Delta(X,Y) = \sum_{w \in \Omega} \abs{X(w)-Y(w)}$, as desired. 101 | \end{proof} 102 | 103 | Statistical distance is very robust, which enhances its usefulness. 104 | Using \cref{lem:stat-dist}, the following facts are 105 | straightforward to prove. 106 | 107 | \begin{lemma} 108 | \label{lem:ipl} 109 | Let $f$ be a function (or more generally, randomized procedure) on 110 | the domain of $X,Y$. Then $\Delta(f(X), f(Y)) \leq \Delta(X,Y)$. 111 | \end{lemma} 112 | In other words, statistical distance cannot be increased by the 113 | application of any (randomized) procedure. 114 | 115 | \begin{lemma} 116 | Statistical distance is a metric; in particular, it satisfies the 117 | following three properties: 118 | \begin{itemize} 119 | \item Identity of indiscernibles: $\Delta(X,Y) = 0 \iff X = Y$ 120 | \item Symmetry: $\Delta(X,Y) = \Delta(Y,X)$ 121 | \item Subadditivity (triangle inequality): 122 | $\Delta(X,Z) \leq \Delta(X,Y) + \Delta(Y, Z)$ 123 | \end{itemize} 124 | \end{lemma} 125 | 126 | \begin{question} 127 | Justify why it is the case that $\Delta(X,Y) = 0 \iff X = Y$. 128 | \end{question} 129 | 130 | \begin{answer} 131 | In the forward direction, because $\Delta(X,Y) = 0$ and all the 132 | terms in the sum from \cref{lem:stat-dist} are non-negative, 133 | we have that $\abs{X(w) - Y(w)} = 0$ for all $w \in \Omega$, i.e., 134 | $X(w) = Y(w)$. Hence, $X = Y$. In the other direction, if $X = Y$, 135 | then by definition $X(A) - Y(A) = 0$ for all $A$, so 136 | $\Delta(X,Y) = \sup(\set{0}) = 0$. 137 | \end{answer} 138 | 139 | Statistical distance lets us say when two (sequences of) distributions 140 | are ``essentially the same,'' in an asymptotic sense. 141 | 142 | \begin{definition} 143 | \label{def:stat-ind} 144 | Let $\calX = \set{X_{n}}_{n \in \N}$ and 145 | $\calY = \set{Y_{n}}_{n \in \N}$ be sequences of probability 146 | distributions, called \emph{ensembles}. We say that $\calX$ and 147 | $\calY$ are \emph{statistically indistinguishable}, written 148 | $\calX \statind \calY$, if \[ \Delta(X_{n}, Y_{n}) = \negl(n). 
\]
149 | \end{definition}
150 | 
151 | \begin{example}
152 | Let $X_{n}$ be the uniform distribution over $\bit^{n}$, and let
153 | $Y_{n}$ be the uniform distribution over the nonzero strings
154 | $\bit^{n} \backslash \set{0^{n}}$. An optimal test $A$ is the
155 | singleton set $A = \set{0^{n}}$, yielding
156 | $\Delta(X_{n}, Y_{n}) = 2^{-n} = \negl(n)$, so
157 | $\calX \statind \calY$. (This can also be seen by calculating the
158 | summation in \cref{lem:stat-dist}.) The analysis extends
159 | similarly to any $Y_{n}$ that leaves out a $\negl(n)$ fraction of
160 | $\bit^{n}$. From this we can say that such ensembles $\calY$ are
161 | ``essentially uniform,'' or \emph{statistically pseudorandom}.
162 | \end{example}
163 | 
164 | Can a statistically pseudorandom generator exist? This
165 | depends on the definition of ``generator'' (which we give below), but
166 | for any meaningful definition of the term, it isn't possible! This
167 | can be shown by explicitly demonstrating an appropriate subset (or
168 | test) that distinguishes strings output by the generator from
169 | uniformly random ones; see \cref{ques:3} below.
170 | 
171 | \subsection{Computational Indistinguishability}
172 | \label{sec:comp-indist}
173 | 
174 | We can define a natural analogue of statistical distance in the
175 | computational setting, where the ``test'' is implemented by an
176 | \emph{efficient algorithm}. Namely, for distributions $X$ and $Y$ and
177 | an algorithm $\Adv$ (possibly randomized), define $\Adv$'s
178 | \emph{distinguishing advantage} between $X$ and $Y$ as
179 | \[ \advan_{X,Y}(\Adv) = \abs*{\Pr[\Adv(X)=1] - \Pr[\Adv(Y)=1]}. \]
180 | (The output of $\Adv$ can be arbitrary, but we interpret $1$ as a
181 | special output indicating that the test implemented by $\Adv$ is
182 | ``satisfied,'' and any other output as ``not satisfied.'') We extend
183 | this to ensembles $\calX$ and $\calY$, making
184 | $\advan_{\calX,\calY}(\Adv)$ a function of $n \in \N$.
185 | 
186 | \begin{definition}
187 | \label{def:comp-ind}
188 | Let $\calX = \set{X_{n}}$ and $\calY = \set{Y_{n}}$ be ensembles,
189 | where $X_{n}$ and $Y_{n}$ are distributions over $\bit^{l(n)}$ for
190 | $l(n) = \poly(n)$. We say that $\calX$ and $\calY$ are
191 | \emph{computationally indistinguishable}, written
192 | $\calX \compind \calY$, if $\advan_{\calX,\calY}(\Adv) = \negl(n)$
193 | for all non-uniform PPT algorithms $\Adv$. We say that $\calX$ is
194 | (computationally) \emph{pseudorandom} if
195 | $\calX \compind \set{U_{l(n)}}$, the ensemble of uniform
196 | distributions over $\bit^{l(n)}$.
197 | \end{definition}
198 | 
199 | The basic facts about statistical distance also carry over to computational indistinguishability, where we restrict all functions/tests to be \emph{efficient}.
200 | We call the analogue of \cref{lem:ipl} the \emph{composition lemma}, because it involves the composition of an applied procedure and a distinguisher.
201 | We call the analogue of the triangle inequality the \emph{hybrid lemma}, because (as we will see soon) we usually invoke it on a sequence of ``hybrid'' distributions that interpolate step-by-step between two distributions we ultimately care about.
202 | 
203 | \begin{lemma}[Composition lemma]
204 | \label{lem:composition}
205 | Let $\calX = \set{X_{n}}$ and $\calY = \set{Y_{n}}$ be ensembles, $\Sim$ be any non-uniform PPT algorithm, and $\calX' = \set{X'_{n} = \Sim(X_{n})}$ and $\calY' = \set{Y'_{n} = \Sim(Y_{n})}$.
206 | Then for any non-uniform PPT algorithm~$\Dist'$, we have that $\advan_{\calX',\calY'}(\Dist') = \advan_{\calX,\calY}(\Dist' \circ \Sim)$.
207 | In particular, if $\calX \compind \calY$, then $\calX' \compind \calY'$.
208 | \end{lemma}
209 | 
210 | \begin{proof}
211 | Consider the composed algorithm $\Dist = \Dist' \circ \Sim$, i.e., on input~$x$, it runs $\Dist'(\Sim(x))$ and outputs the same answer.
212 | By construction, we have that
213 | \[
214 | \begin{aligned}
215 | \advan_{\calX',\calY'}(\Dist')
216 | &= \abs{\Pr[\Dist'(X'_{n})=1] - \Pr[\Dist'(Y'_{n})=1]} \\
217 | &= \abs{\Pr[\Dist'(\Sim(X_{n}))=1] - \Pr[\Dist'(\Sim(Y_{n}))=1]} \\
218 | &= \advan_{\calX,\calY}(\Dist) ,
219 | \end{aligned}
220 | \]
221 | as claimed.
222 | In particular, if $\calX \compind \calY$, then because~$\Dist$ is non-uniform PPT by construction, the right-hand side is $\negl(n)$, hence so is the left-hand side.
223 | \end{proof}
224 | 
225 | \begin{lemma}[Hybrid lemma]
226 | \label{lem:hybrid}
227 | Let $X^{i}$ for $i \in \set{0, 1, \ldots, m}$ be distributions for some positive integer~$m$.
228 | Then for \emph{any} algorithm~$\Dist$ (regardless of efficiency),
229 | \[ \advan_{X^{0},X^{m}}(\Dist) \leq \sum_{i \in [m]} \advan_{X^{i-1}, X^{i}}(\Dist) .
230 | \]
231 | In particular, let $\calX^{i} = \set{X^{i}_{n}}$ for $i \in \set{0, 1, \ldots, m}$ be ensembles, where~$m$ is a constant independent of~$n$.
232 | If $\calX^{i-1} \compind \calX^{i}$ for every $i \in [m]$, then $\calX^{0} \compind \calX^{m}$.
233 | \end{lemma}
234 | 
235 | \begin{proof}
236 | For each~$i$, let $p_{i} = \Pr[\Dist(X^{i}) = 1]$.
237 | By the triangle inequality, we can write $\Dist$'s advantage as
238 | \[ \advan_{X^{0}, X^{m}}(\Dist) = \abs{p_{0} - p_{m}} \leq \sum_{i \in [m]} \abs{p_{i-1} - p_{i}} = \sum_{i \in [m]} \advan_{X^{i-1},X^{i}}(\Dist) .
239 | \]
240 | 
241 | Now consider the ensembles $\calX^{i}$, and restrict to non-uniform PPT~$\Dist$.
242 | By assumption, each $\advan_{\calX^{i-1}, \calX^{i}}(\Dist) = \nu_{i}(n)$, where $\nu_{i}(n)$ is a negligible function that may be \emph{different for each $i \in [m]$}.
243 | Fortunately, the sum of any \emph{constant} number of negligible functions is indeed negligible: letting $\nu(n) = \sum_{i} \nu_{i}(n)$, we need to show that for all $c > 0$, there exists some constant~$n_{0}$ such that $\nu(n) \leq n^{-c}$ for all $n \geq n_{0}$.
244 | We know that for each $i \in [m]$, there is a constant~$n_{i}$ such that $\nu_{i}(n) \leq n^{-(c+1)} \leq n^{-c}/m$ for all $n \geq n_{i}$ (the second inequality holds for all $n \geq m$, which we may fold into the choice of~$n_{i}$).
245 | Letting $n_{0} = \max_{i \in [m]} n_{i}$ be the largest of these---which is a constant (independent of~$n$) because~$m$ is constant---it follows that $\nu(n) \leq n^{-c}$ for all $n \geq n_{0}$, as desired.
246 | \end{proof}
247 | 
248 | \begin{remark}
249 | In the proof of the lemma, we used the triangle inequality on the quantities $\advan_{X^{i-1},X^{i}}(\Dist)$ to conclude something about $\advan_{X^{0},X^{m}}(\Dist)$.
250 | Syntactically this is unremarkable, but observe closely what we have done: even though $\Dist$'s ``goal in life'' is to distinguish between~$X^{0}$ and~$X^{m}$, by referring to the quantities $\advan_{X^{i-1},X^{i}}(\Dist)$, we are implicitly considering how $\Dist$ behaves on \emph{all} the hybrid distributions~$X^{i}$---even ones on which $\Dist$ was never ``designed'' to run!
251 | Yet because~$\Dist$ is ``just an algorithm,'' we can run it and use it for whatever purposes we like.
252 | The hybrid lemma says that in order for~$\Dist$ to distinguish (with non-negligible advantage) between the ensembles~$\calX^{0}$ and~$\calX^{m}$, it must also distinguish between~$\calX^{i}$ and~$\calX^{i+1}$ for some $i$, which is impossible by hypothesis. 253 | \end{remark} 254 | 255 | Importantly, the asymptotic part of \cref{lem:hybrid} considers only a \emph{constant} number of hybrid ensembles, because it critically relies on the fact that the sum of a constant number of negligible functions is negligible. 256 | However, in many applications we will need to consider a number of hybrid distributions that \emph{grows with the security parameter}~$n$. 257 | This is considerably more subtle: first, since the distributions in an ensemble are themselves indexed by~$n$, it is not so clear how to meaningfully define a number of ensembles that varies with~$n$. 258 | Second, it turns out that the sum of $\poly(n)$-many \emph{different} negligible functions may be non-negligible!\footnote{Consider the sequence of functions $\nu_{i}$ for $i \in \N$, where $\nu_{i}(n) = 1$ if $n=i$, and $\nu_{i}(n)=0$ otherwise. 259 | Then each individual~$\nu_{i}$ is negligible, because $\nu_{i}(n) = 0$ for all $n > n_{0} := i$. 260 | However, defining $\nu(n) = \sum_{i=1}^{n} \nu_{i}(n)$ as the sum of the first~$n$ functions in the sequence, we have that $\nu(n) = 1$ for all~$n$, which is clearly not negligible. 261 | The proof of \cref{lem:hybrid} fails here because the~$n_{0}$ defined therein is not a constant, but instead depends on~$n$.} 262 | 263 | The following corollary side-steps the first issue by considering ensembles for only the ``endpoint'' distributions, not the intermediate hybrids, and deals with the second issue by requiring that each advantage term be bounded by the \emph{same} negligible function. 264 | This will indeed be the case in all the applications we consider, because all such terms will arise from applying the composition lemma (\cref{lem:composition}) for the \emph{same pair} of indistinguishable ``source'' ensembles $\calX,\calY$, with the \emph{same (composed) distinguisher} $\Dist = \Dist' \circ \Sim$. 265 | (Or, slightly more generally, a constant number of indistinguishable pairs, with one composed distinguisher for each.) 266 | 267 | \begin{corollary} 268 | \label{cor:hybrid-poly} 269 | Let $\calX = \set{X_{n}}$ and $\calY = \set{Y_{n}}$ be ensembles, and $H^{i}_{n}$ be ``hybrid'' distributions for $i \in \set{0, \ldots, m}$ where $m=\poly(n)$ may vary with~$n$, and where $H^{0}_{n} = X_{n}$ and $H^{m}_{n} = Y_{n}$. 270 | If $\advan_{H_{n}^{i-1},H_{n}^{i}}(\Dist) \leq \nu(n)$ for all $i \in [m]$ and a \emph{single} negligible function $\nu(n) = \negl(n)$, then $\advan_{\calX,\calY}(\Dist) = \negl(n)$ as well. 271 | \end{corollary} 272 | 273 | \begin{proof} 274 | This follows immediately from (the first part of) \cref{lem:hybrid} and the fact that $m \cdot \nu(n) = \negl(n)$, because $m = \poly(n)$. 275 | \end{proof} 276 | 277 | \section{Pseudorandom Generators} 278 | \label{sec:prgs} 279 | 280 | \begin{definition} 281 | \label{def:prg} 282 | A \emph{deterministic} function $G : \bit^{*} \to \bit^{*}$ is a 283 | \emph{pseudorandom generator} (PRG) with output length $\ell(n) > n$ 284 | if: 285 | \begin{itemize} 286 | \item $G$ can be computed by a polynomial-time algorithm, 287 | \item $\len{G(x)} = \ell(\len{x}) > \len{x}$ for all 288 | $x \in \bit^{*}$, and 289 | \item the ensemble $\set{G(U_{n})}$ is (computationally) 290 | pseudorandom. 
\begin{question}
Let \(G\) be a PRG.
Is \(H(x) := \overline{G(x)}\), the bitwise complement of \(G(x)\), \emph{necessarily} a PRG as well?
\emph{Hint:} think about the composition lemma.
\end{question}

\begin{answer}
Yes.
The intuition here is that if \(G(x)\) looks random, then its complement \(\overline{G(x)}\) should look like the complement of a uniformly random string, which itself is uniformly random.

The formal proof is a straightforward application of the composition lemma.
Since \(G\) is a PRG, we have \(G(U_n) \compind U_{\ell(n)}\), where $\ell(n)$ is $G$'s expansion.
Consider the efficient algorithm \(\Sim(x) := \overline{x}\).
Observe that \(H(x) = \overline{G(x)} = \Sim(G(x))\) for any~$x$.
By the composition lemma, we have
\[ H(U_{n}) = \Sim(G(U_n)) \compind \Sim(U_{\ell(n)}) \equiv U_{\ell(n)}, \]
where the last equivalence holds because complementation is a bijection on $\bit^{\ell(n)}$, and any bijective function applied to the uniform distribution yields the uniform distribution.
Thus, \(H(U_n) \compind U_{\ell(n)}\), as needed.
\end{answer}

\begin{question}
Prove (or at least sketch a proof) that a \emph{statistically} pseudorandom generator cannot exist.
\emph{Hint:} think about the sizes of $G(\bit^n)$ and $\bit^{\ell(n)}$, and define an appropriate statistical test (i.e., subset of $\bit^{\ell(n)}$).
\end{question}

\begin{answer}
Since $G$ has $n$-bit seeds (of which there are $2^n$), there are at most $2^n$ possible outputs of $G$ (which reside in $\bit^{\ell(n)}$).
However, $\bit^{\ell(n)}$ is significantly larger than this; it has $2^{\ell(n)} \geq 2^{n+1}$ elements, making it at least twice as big as the image of \(G\).
Informally, we can think of our statistical test as checking whether or not its given string is in the image of $G$.
When the string is an output of~$G$, the check always succeeds; when the string is uniformly random, there is a significant (at least $1/2$) probability that the check fails.

More formally, and in the language of statistical indistinguishability: let $A = G(\bit^n) \subseteq \bit^{\ell(n)}$ be the image of $G$, as suggested above.
Because~$G$ is deterministic, we have $\abs{A} \leq 2^{n}$.
Then
\[
\begin{aligned}
\abs{G(U_n)(A) - U_{\ell(n)}(A)}
&= \abs{1 - U_{\ell(n)}(A)} \\
&= 1 - \abs{A} \cdot 2^{-\ell(n)} \\
&\geq 1 - 2^{n-\ell(n)} \\
&\geq 1 - 2^{-1} = 1/2,
\end{aligned}
\]
which is (very much) non-negligible.
Since we have demonstrated a particular~$A$ for which $\abs{G(U_n)(A) - U_{\ell(n)}(A)} \geq 1/2$, the supremum over all possible~$A$ cannot be smaller, so $\Delta(G(U_n), U_{\ell(n)}) \geq 1/2$.
\end{answer}
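
This statistical test is simple to express as code, and doing so highlights why it poses no computational threat.
A minimal Python sketch (ours; \texttt{prg} is any candidate generator, such as the stand-in above): it enumerates all seeds, so it takes time about $2^{n}$---a statistical distinguisher, but nowhere near an efficient one.

\begin{verbatim}
def in_image_test(candidate: bytes, prg, seed_bytes: int) -> int:
    # The test for the set A = G({0,1}^n): output 1 iff the
    # candidate string lies in the image of the generator.
    # Enumerating all 2^(8*seed_bytes) seeds takes exponential time.
    for s in range(2 ** (8 * seed_bytes)):
        seed = s.to_bytes(seed_bytes, "big")
        if prg(seed, len(candidate)) == candidate:
            return 1  # in the image: always the case for G's outputs
    return 0          # outside the image
\end{verbatim}

On inputs drawn from $G(U_{n})$ this test always outputs~$1$, while on uniform inputs it outputs~$1$ with probability at most $2^{n-\ell(n)} \leq 1/2$, matching the calculation above.
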
\subsection{Expansion of a PRG}
\label{sec:properties}

From the definition, it is easy to see that the ``weakest'' PRG we could ask for would be one that stretches its input by just 1 bit, i.e., $\ell(n) = n+1$.
Is there an upper limit on how much a PRG can stretch?
The following theorem says that there is (effectively) \emph{no limit}: if you can stretch by even just 1 bit, then you can stretch by essentially any (polynomial) amount!

\begin{theorem}
\label{thm:expansion}
Suppose there exists a PRG $G$ with expansion $\ell(n)=n+1$.
Then for any polynomial $t(n) = \poly(n)$ with $t(n) > n$, there exists a PRG $G_t \colon \bit^n \to \bit^{t(n)}$.
\end{theorem}

\noindent
We will prove this theorem in the next lecture.

\begin{remark}
This theorem says something extremely strong.
Observe that the image $\set{G_{t}(s) : s \in \bit^{n}}$ of $G_t$ is an extremely small fraction---at most $2^{n-t(n)}$---of its range set $\bit^{t(n)}$.
Yet no computationally bounded algorithm can distinguish $G_{t}(s)$, for a uniformly random seed~$s$, from a truly random string over the whole space!
\end{remark}

\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: