Cryptographic Protocols: Lecture Slides

1/210

Lecture SlidesCryptographic Protocols

Version 1.6January 30, 2021

Berry SchoenmakersDepartment of Mathematics and Computer Science,

Technical University of Eindhoven,P.O. Box 513, 5600 MB Eindhoven, The Netherlands.

[email protected]@tue.nl

Cryptographic Protocols (2DMI00)www.win.tue.nl/˜berry/2DMI00/

Spring 2021

mailto:[email protected]

mailto:[email protected]

https://www.win.tue.nl/~berry/2DMI00/

2/210

Preface

Course Plan

Lecture notes consist of eight chapters:1 Introduction2 Key Exchange Protocols3 Commitment Schemes4 Identification Protocols5 Zero-Knowledge Proofs6 Threshold Cryptography7 Secure Multiparty Computation8 Blind Signatures

Chapters 1–2 are covered in 5 to 6 lectures.Chapters 3–5 are covered in 5 to 6 lectures.Chapters 6–8 are covered in 2 to 3 lectures.

https://www.win.tue.nl/~berry/CryptographicProtocols/LectureNotes.pdf

https://www.win.tue.nl/~berry/CryptographicProtocols/LectureNotes.pdf#page=7








3/210

Preface

Course Grading 2DMI00

2DMI00 course: 5 ECTS

Written exam (closed book): 80%

MPyC programming assignment: 20%

Requirement: passing grade at least 5.5 for written exam.

Appendix B Rating of Exercises tells you which exercises are at exam level.

https://www.win.tue.nl/~berry/CryptographicProtocols/Exams2004-present.pdf

https://github.com/lschoe/mpyc

4/210

Preface

Motivating Example: Secret Santa

Web server (acting as trusted party) generates randompermutation π of {1, 2, . . . , n} without fixed points (so π(i) 6= i).Web server sends π(i) to party Pi in private.

Cheating web server couldpick an arbitrary function for π (e.g., with π(1) = π(2))influence who picks whotell others who picked who...

Q: How to do this by means of a cryptographic protocol—no trusted party?A: Use a secure multiparty computation protocol!

5/210

Preface

Electronic Voting Using Verifiable Mixes

6/210

Preface

Zero-knowledge Proof in Your Laptop?Direct Anonymous Attestation

Advanced NoninteractiveZero-Knowledge proof,effectively a Group Signature

To prove thatPC/laptop is authentic(signing key belongs togenuine “trusted computer”)but without giving away itsidentity

7/210

Preface

Zero-knowledge Proof in Your Cryptocurrencies?

Enhance privacy properties of cryptocurrencies.

By hiding transaction details such as payer’s identity or amount.

Monero based on CryptoNote.CryptoNote white paper includes 1-out-of-m Σ-proof (Exercise 5.4.3) to hidethe payer’s identity among ad hoc groups of m potential payers. Σ-proof usedfor one-time ring signatures, or, rather, list signatures.

Building on Zerocoin, Zcash employs a type of zero-knowledge proofs knownas zk-SNARKs.

Also related: Bulletproofs. See Exercise 5.3.2 for a Σ-protocol for rangeproofs (or, interval proofs).

https://en.wikipedia.org/wiki/Monero_(cryptocurrency)

https://en.wikipedia.org/wiki/CryptoNote

https://cryptonote.org/whitepaper.pdf#page=9

https://en.wikipedia.org/wiki/Zerocoin_protocol

https://en.wikipedia.org/wiki/Zcash

https://web.stanford.edu/~buenz/pubs/bulletproofs.pdf

8/210

Preface

Secure Multiparty Computation Unleashed!

In four 2018 Gartner Hype Cycle reports, see unboundtech.com.

To implement blockchains like Cardano.Blockchains and cryptocurrencies utilize wealth of cryptographic protocols(implemented as open-source software, written in high-level programminglanguages, using advanced cryptography libraries, running on fast PCs/servers).

https://www.unboundtech.com/unbound-listed-5-gartner-hype-cycle-reports-2nd-year-row/

https://cardanodocs.com/cardano/differences/

9/210

Preface

Crypto 1.0: Caesar Cipher

Rotate the alphabet by a fixed offset

10/210

Preface

Crypto 1.0

Crypto 1.0 concerns- encryption and authentication of data,- during communication and storage/retrieval

Crypto 1.0 primitives:Symmetric (secret key):

Stream/block ciphersMessage authentication codes

Asymmetric (public key):Public-key encryptionDigital signaturesKey-exchange protocols

Keyless:Cryptographic hash functions

11/210

Preface

Crypto 2.0

Crypto 2.0 additionally concerns- computing with encrypted data,- partial information release of data,- hiding identity of data owners or any link with them.

Crypto 2.0 primitives:homomorphic encryption Rivest-Adleman-Dertouzos 1978, Gentry 2009

secret sharing Blakley 1979, Shamir 1979

blind signatures Chaum 1982

oblivious transfer M. Rabin 1981, Even-Goldreich-Lempel 1985

zero-knowledge proofs Goldwasser-Micali-Rackoff 1985, Goldreich-Micali-Wigderson 1986

secure two/multi-party computation Yao 1982–1986, GMW 1987, BGW 1988, CCD 1988

functional encryption Sahai-Waters 2005, Boneh-Sahai-Waters 2011, GKPVZ 2013

indistinguishability obfuscation Garg-Gentry-Halevi-Raykova-Sahai-Waters 2013, GMMSSZ 2016

12/210

Preface

Crypto 1.0 vs Crypto 2.0

Crypto 1.0 encryption and authentication:protect against malicious outsiders

attacks on storage or communication media

can be achieved using symmetric cryptovery high performance

Crypto 2.0 primitives additionally:protect against malicious or corrupt insiders

attacks by your protocol “partners”

uses more powerful cryptographic primitives, essentially asymmetric cryptomuch harder to do efficiently

13/210

Contents

1 Introduction

1.1 Terminology

1.2 Preliminaries1.2.1 Number Theory1.2.2 Group Theory1.2.3 Probability Theory1.2.4 Complexity Theory

1.3 Assumptions1.3.1 Discrete Log and Diffie-Hellman Assumptions1.3.2 Indistinguishability1.3.3 Random Self-Reducibility1.3.4 Random Oracle Model

14/210

Contents

2 Key Exchange Protocols

2.1 Diffie-Hellman Key Exchange2.1.1 Basic Protocol2.1.2 Passive Attacks2.1.3 A Practical Variant2.1.4 Aside: ElGamal Encryption

2.2 Authenticated Key Exchange2.2.1 Man-in-the-Middle Attacks2.2.2 A Protocol Using Digital Signatures2.2.3 A Protocol Using Password-Based Encryption

15/210

Contents

3 Commitment Schemes

3.1 Definitions

3.2 Examples3.2.1 Using a Cryptographic Hash Function3.2.2 Using a Discrete Log Setting3.2.3 Impossibility Result

3.3 Homomorphic Commitments

16/210

Contents

4 Identification Protocols

4.1 Definitions

4.2 Password-Based Schemes4.3 One-Way Hash Chains

4.4 Basic Challenge-Response Protocols4.4.1 Using Symmetric Encryption4.4.2 Using Symmetric Authentication4.4.3 Using Asymmetric Encryption4.4.4 Using Asymmetric Authentication4.5 Zero-Knowledge Identification Protocols4.5.1 Schnorr Zero-Knowledge Protocol4.5.2 Schnorr Protocol4.5.3 Guillou-Quisquater Protocol4.6 Witness Hiding Identification Protocols4.6.1 Okamoto Protocol

17/210

Contents

5 Zero-Knowledge Proofs

5.1 Σ-Protocols

5.2 Composition of Σ-Protocols5.2.1 Parallel Composition5.2.2 AND-Composition5.2.3 EQ-Composition5.2.4 OR-Composition5.2.5 NEQ-Composition

5.3 Miscellaneous Constructions

5.4 Noninteractive Σ-Proofs5.4.1 Digital Signatures from Σ-Protocols5.4.2 Proofs of Validity5.4.3 Group Signatures

18/210

Contents

6 Threshold Cryptography

6.1 Secret Sharing6.1.1 Shamir Threshold Scheme

6.2 Verifiable Secret Sharing6.2.1 Feldman VSS6.2.2 Pedersen VSS

6.3 Threshold Cryptosystems6.3.1 Threshold ElGamal Cryptosystem

19/210

Contents

7 Secure Multiparty Computation

7.1 Electronic Voting

7.2 Based on Threshold Homomorphic Cryptosystems

7.3 Based on Oblivious Transfer

20/210

Contents

8 Blind Signatures

8.1 Definitions

8.2 Chaum Blind Signature Scheme

8.3 Blind Signatures from Σ-Protocols

21/210

Contents

Appendices

A Fundamental Lemma of Cryptology

B Rating of Exercises

C Spell Check

22/210

1 Introduction

1.1 Terminology1.2 Preliminaries1.3 Assumptions

Cryptology = Cryptography + Cryptanalysis

Field of cryptology is divided into two mutually dependent fields:Cryptography: design of (mathematical) schemes related to information security

which resist cryptanalysis.Cryptanalysis: study of (mathematical) techniques for attacking cryptographic

schemes.

IACRInternational Association for Cryptologic Researchwww.iacr.org

IACR employs e-voting since 2010! See www.iacr.org/elections. (Underlyingcryptographic voting scheme is covered in Section 7.1.)

www.iacr.org

https://www.iacr.org/elections/

23/210

1 Introduction


Cryptographic Algorithms/Protocols/Schemes

Definition 1.1Cryptographic Algorithm: well-defined transformation, which on a given input

value produces an output value, achieving certain securityobjectives.

Cryptographic Protocol: distributed algorithm describing precisely the interactionsbetween two or more entities, achieving certain security objectives.

Cryptographic Scheme: suite of related cryptographic algorithms andcryptographic protocols, achieving certain security objectives.

ExampleDigital signature schemes consist of three cryptographic algorithms:

key generationsignature generationsignature verification

24/210

1 Introduction


Communication Model

Entities in a cryptographic scheme are connected by communication channels.

Entities can be persons, organizations, devices, etc.In cryptography, one often speaks of parties.

Entities interact in a cryptographic protocol by exchanging messagesover specific communication channels.

Communication model describes mix of available channels:point-to-point channelbroadcast channelprivate channel (secure channel)public channel (insecure channel)bulletin board (similar to blockchain)

25/210

1 Introduction


Adversaries and Attacks

Adversary = coalition of attacker and/orcorrupt entities of cryptographic scheme.

Attacker: outsiderCorrupt entities: insiders.

Definition 1.2Passive Attack: adversary does not interfere with execution of

algorithms/protocols. Passive adversary eavesdrops oncommunication between entities, and records all information,including all private information of corrupt entities.

Active attack: adversary may—in addition—interfere with communicationwithin cryptographic scheme by deleting, injecting, or modifyingmessages; moreover, adversary may have corrupt entities deviatefrom prescribed behavior in arbitrary ways.

26/210

1 Introduction


Attacks

Example (Passive Attacks)Eavesdropping on communication (by outsiders).Collecting data within a system (by insiders).Perform cryptanalysis on all acquired data.

Example (Active Attacks)Man-in-the-middle attacks (“grandmaster chess attack”).Injection/deletion/modification of messages.Initiate/terminate protocol executions.Masquerading/spoofing attacks.Replay attacks.Reflection attacks.

27/210

1 Introduction


1.2.1 Number Theory1.2.2 Group Theory1.2.3 Probability Theory1.2.4 Complexity Theory

Basic Number Theoretic Notions

For positive integer n:

Zn = Z/nZ = {0, 1, . . . , n − 1} “set of integers modulo n”

Z∗n = {x ∈ Zn : gcd(x , n) = 1} “integers with multiplicative inverse mod n”

φ(n) = |Z∗n | = n∏

p|n(1− 1/p) “Euler’s phi function”

Hence, φ(n) can be computed efficiently given the prime divisors of n.

Useful fact: nφ(n) =

∏p|n

pp − 1 = O(log log n)

Exercise 1.2.1Prove the elementary bound n/φ(n) = O(log n), using that the number of distinctprime factors ω(n) of n is O(log n), and that the ith smallest prime factor of n isat least i + 1 for i = 1, 2, . . . , ω(n).

28/210

1 Introduction



More Advanced: A Generalization of Euler’s Phi Function

The (order-2) Schemmel totient function:

φ2(n) = |{x ∈ Zn : gcd(x , n) = gcd(x + 1, n) = 1}|

For n even, φ2(n) = 0. For n odd, φ2(n) = n∏

p|n(1− 2/p).Useful fact: n

φ2(n) =∏p|n

pp − 2 = O((log log n)2)

Exercise 1.2.2For n odd, prove the elementary bound n/φ2(n) = O(log2 n), using again thatω(n) = O(log n) and that the ith smallest prime factor of n is now at least i + 2for i = 1, 2, . . . , ω(n).

Schemmel totient function shows up in the analysis of a variant of the decisionDiffie-Helmann problem (see Exercise 1.3.5(b)).

29/210

1 Introduction



Discrete Log SettingCyclic group of order n with generator g :

Gn = 〈g〉 = {1, g , g2, g3, . . . , gn−1}, gn = 1

x = logg h: discrete log of h ∈ Gn is unique x ∈ Zn such that h = gx .

Example 1.3 (Groups Z∗p , F∗q )

Integers modulo prime p: Gn = Z∗p cyclic group of order n = p − 1.Multiplicative group of order-q finite field: Gn = F∗q cyclic, order n = q − 1.

Example 1.4 (Prime order subgroups of Z∗p , F∗q )

Gn = 〈g〉, with g an element of prime order p′ in Z∗p , or in F∗q .Then Gn is a cyclic group of prime order n = p′.

Example 1.5 (Group E(Fq) of Fq-rational points on an elliptic curve E)E(Fq) isomorphic to Zn1 × Zn2 , hence not necessarily cyclic.Take Gn = E(Fq) if n1 = 1; otherwise, take a cyclic subgroup of E(Fq) for Gn.

30/210

1 Introduction



Convenient Notation: 〈g〉∗

Definition (Set of all generators of 〈g〉)〈g〉∗ = {gx : x ∈ Z∗n}

Clearly: |〈g〉∗| = φ(n).

Exercise 1.2.3Show that for any h ∈ 〈g〉, the following conditions are equivalent:

(i) h ∈ 〈g〉∗,(ii) ord(h) = ord(g),(iii) 〈h〉 = 〈g〉,(iv) 〈h〉∗ = 〈g〉∗.

Exercise 1.2.4(a) Show alogh b = blogh a for any a, b ∈ 〈g〉 and h ∈ 〈g〉∗. (b) For a, b ∈ 〈g〉, definea ∗ b = alogg b as the Diffie-Hellman (DH) product of a and b. Show that(〈g〉∗, ∗) is an abelian group.

31/210

1 Introduction



NotationDiscrete random variables X ,Y ,Z , . . . with a finite range V .

Probability distribution of X : (i) 0 ≤ Pr[X = v ] ≤ 1 for all v ∈ V ,(ii)

∑v∈V Pr[X = v ] = 1,

X ∈R V: random variable X distributed uniformly on V , Pr[X = v ] = 1/|V |.

Example (Random bits)X ∈R {0, 1} denotes a uniformly random bit. Let Y = 1− X .

X 6= Y , in fact Pr[X = Y ] = 0,Pr[X = 0] = Pr[Y = 0] = 1/2, andPr[X = 1] = Pr[Y = 1] = 1/2.

Example (Probability distributions)

{u : u ∈R {0, 1}} = {0 7→ 12 , 1 7→

12} = {1− u : u ∈R {0, 1}}

{t + u : t, u ∈R {0, 1}} = {0 7→ 14 , 1 7→

12 , 2 7→

14}

{tu : t, u ∈R {0, 1}} = {0 7→ 34 , 1 7→

14}

32/210

1 Introduction



Statistical Distance

Definition 1.6The statistical distance ∆(X ; Y ) between random variables X and Y is defined as

∆(X ; Y ) = 12∑v∈V

∣∣Pr[X = v ]− Pr[Y = v ]∣∣,

where V denotes the set of possible values for X and Y .

Statistical distance is a bounded metric in the following sense.

Proposition 1.7For random variables X ,Y ,Z:

(i) 0 ≤ ∆(X ; Y ) ≤ 1, “nonnegativity” and “boundedness”(ii) ∆(X ; Y ) = 0 ⇔ ∀v∈V Pr[X = v ] = Pr[Y = v ], “identical distributions”(iii) ∆(X ; Y ) = 1 ⇔ ∀v∈V Pr[X = v ] Pr[Y = v ] = 0, “disjoint distributions”(iv) ∆(X ; Y ) = ∆(Y ; X), “symmetry”(v) ∆(X ; Z) ≤ ∆(X ; Y ) + ∆(Y ; Z). “triangle inequality”

33/210

1 Introduction



House Edge (Advantage) in French Roulette

0 5 10 15 20 25 30 35

0.005

0.010

0.015

0.020

0.025

∆(X ; Y ) = 137 ≈ 0.027 for

{X ∈R {1, . . . , 36}Y ∈R {0, . . . , 36}

34/210

1 Introduction



Statistical Distance: Equivalent Characterizations

Proposition 1.8For random variables X and Y , ∆(X ; Y ) is equal to each of:

(i)∑

v∈V + Pr[X = v ]− Pr[Y = v ] with V + = {v∈V : Pr[X=v ]>Pr[Y =v ]},(ii)

∑v∈V Pr[X = v ] .− Pr[Y = v ] with x .− y = max(x − y , 0),

(iii) 1−∑

v∈V min(Pr[X = v ],Pr[Y = v ]),(iv) maxW⊆V

∣∣Pr[X ∈W ]− Pr[Y ∈W ]∣∣.

Exercise 1.2.5(a) Prove Proposition 1.7. (b) Prove Proposition 1.8.

Exercise 1.2.6Prove that ∆(f (X); f (Y )) ≤ ∆(X ; Y ) for any function f defined on V .

35/210

1 Introduction



Statistical Distance: More Exercises

Exercise 1.2.7For n, d ≥ 1, consider distributions X and Y given by

X = {u : u ∈R {0, . . . , n − 1},Y = {u + d : u ∈R {0, . . . , n − 1}}.

Compute ∆(X ; Y ), assuming d ≤ n. Also, what is ∆(X ; Y ) if d > n?

Exercise 1.2.8For n ≥ 1, consider distributions X ,Y ,Z given by

X = {u : u ∈R {0, . . . , n − 1}}Y = {2u : u ∈R {0, . . . , n − 1}}Z = {2u + 1 : u ∈R {0, . . . , n − 1}}.

Show that ∆(Y ; Z) = 1. Show that ∆(X ; Y ) = ∆(X ; Z) = 1/2 for even n, andalso determine ∆(X ; Y ) and ∆(X ; Z) for odd n.

36/210

1 Introduction




Exercise 1.2.9For n ≥ 1, let X ∈R Zn and Y ∈R Z∗n . (a) Determine ∆(X ; Y ). (b) Show that∆(X + Y ; XY ) = 0, where addition and multiplication are done modulo n.

Exercise 1.2.10For n prime, let h and M0 be arbitrary, fixed elements of Gn = 〈g〉, h 6= 1.Consider distributions X, Y , and Z given by

X = {(A,B) : A ∈R 〈g〉,B ∈R 〈g〉},Y = {(gu, huM) : u ∈R Zn,M ∈R 〈g〉},Z = {(gu, huM0) : u ∈R Zn}.

Show that ∆(X ; Y ) = 0 and that ∆(Y ; Z) = 1− 1/n. Show also that∆(X ; Z) = 1− 1/n, using triangle inequalities.

37/210

1 Introduction




Exercise 1.2.11For n ≥ d ≥ 1, let random variable X take on values in {0, . . . , d−1}, and letU∈R {0, . . ., n−1}. Show ∆(U; X+U)≤(d−1)/n, and that this bound is tight.

The result of this exercise implies that ∆(U; X + U) vanishes if d � n: forn = d2k , we get ∆(U; X + U) ≤ (d − 1)/n < 2−k , which approaches 0exponentially fast.

This leads to a kind of one-time pad encryption with integers, with X asplaintext, U as one-time pad, and C = X + U as ciphertext.

Near-perfect secrecy is achieved, as the mutual information I(X ; C) betweenplaintext/ciphertext vanishes for d � n. See the next exercise.

38/210

1 Introduction




Exercise 1.2.12See Exercise 1.2.11. Let I(X ; C) = H(X)− H(X |C), where C = X + U and

H(X) = −d−1∑w=0

Pr[X = w ] log2 Pr[X = w ],

H(X |C) = −d+n−2∑

v=0

Pr[C = v ]d−1∑w=0

Pr[X = w | C = v ] log2 Pr[X = w | C = v ].

are the (Shannon) entropy of X and the conditional entropy of X given C, resp.Show that I(X ; C) ≤ H(X) (d − 1)/n.

Exercise 1.2.13Prove that ∆(X ; Y ) = 1− |S ∩ T |/max(|S|, |T |) for X ∈R S and Y ∈R T .

39/210

1 Introduction



Complexity Classes P vs NP

P: deterministic Polynomial time “easy to solve”NP: Nondeterministic Polynomial time “easy to check”

Clearly: P ⊆ NP

Long-standing conjecture: P 6= NP

$1,000,000 Millennium Prize Problemof the Clay Mathematics Institute

NP

NP-intermediate 6= ∅(R. Ladner, 1975)

P

NP-complete

Problems in P: easy, e.g., Sorting, Primality, ...NP-intermediate problems: DL, Factoring, Graph Isomorphism (all conjectured!)NP-complete problems: hardest in NP, e.g., 3SAT, Hamiltonian Circuit, ...(NP-hard problems: ≥ NP-complete, e.g., Traveling Salesman, ...)

40/210

1 Introduction



Worst-Case vs Average-Case Complexity

NP-complete problems: hard in the worst case.

Over all problem instances of a given size.

But potentially easy in the average case!!

Uniformly random problem instances of a given size may be easy.(Chances of hitting the worst case may be negligible.)

41/210

1 Introduction



Probabilistic Turing Machines

Church’s thesis: “Turing machines are powerful enoughto describe any kind of algorithm”

Turing machine: finite control part plus an infinite data tape.

Three important types of Turing machines:Deterministic: unique successor configuration.Nondeterministic: one of several possible successor configurations.Probabilistic: one of several possible successor configurations,

chosen uniformly at random.

Probabilistic Turing machines ⇔ probabilistic/randomized algorithms(deterministic Turing machines extended with random tape)

42/210

1 Introduction



Complexity Class BPP

Complexity class BPP: problems solved with Bounded-errorby Probabilistic Polynomial time (p.p.t.) Turing machines

For every YES-instance: Pr[“accept”] ≥ 2/3For every NO-instance: Pr[“accept”] ≤ 1/3

Probability over all internal random choices (random tapes).

Clearly: P ⊆ BPPConjectured: P = BPP

Thus, BPP class of “easy” (efficiently solvable) problems.

Note: relation of BPP versus NP not known.

43/210

1 Introduction


1.3.1 Discrete Log and Diffie-Hellman Assumptions1.3.2 Indistinguishability1.3.3 Random Self-Reducibility1.3.4 Random Oracle Model

Discrete Log and Diffie-Hellman Assumptions

Definition 1.9 (Discrete Logarithm (DL) assumption)For group 〈g〉, hard to compute x given random group element g x .

Definition 1.10 ((Computational) Diffie-Hellman (DH) assumption)For group 〈g〉, hard to compute gxy given random group elements g x , g y .

Definition 1.11 (Decisional Diffie-Hellman (DDH) assumption)For group 〈g〉, hard to distinguish g xy from random group element g z

given random group elements gx , g y .

Evidently: DDH assumption ⇒ DH assumption ⇒ DL assumption.

44/210

1 Introduction



Negligible Function

Definition 1.12Nonnegative function f : N→ R is negligible if for every γ ∈ N there exists ak0 ∈ N such that for all k ≥ k0, f (k) ≤ 1/kγ .

ExampleNegligible:

1/2k = 2−k “exponentially fast to 0”

1/2√

k = 2−√

k “sub-exponentially fast to 0”1/k log k = k− log k “quasi-polynomially fast to 0”

Not negligible:1/k = k−1 “linearly fast to 0”1/k2 = k−2 “quadratically fast to 0”1/k100 = k−100 “polynomially fast to 0”

45/210

1 Introduction



Indistinguishability

Definition 1.13Let X = {Xi} and Y = {Yi} be two families of random variables.Then X and Y are:

(i) perfectly indistinguishable if ∆(Xi ; Yi ) = 0(ii) statistically indistinguishable if ∆(Xi ; Yi ) is negligible(iii) computationally indistinguishable if ∆(D(Xi ); D(Yi )) is negligible for all

p.p.t. Boolean distinguishers D

Advantage AdvD(Xi ,Yi ) =∣∣Pr[D(Xi ) = 1]− Pr[D(Yi ) = 1]

∣∣Exercise 1.3.1Show AdvD(Xi ,Yi ) = ∆(D(Xi ); D(Yi )) for any Boolean distinguisher D.

Exercise 1.3.2Show that computational indistinguishability is implied by statisticalindistinguishability. Hint: use Proposition 1.8(iv), cf. Exercise 1.2.6.

46/210

1 Introduction



Boolean Distinguisher D

Xi oYi o

o{

1 “I guess Xi”0 “I guess Yi”

Distinguisher samples from fixed (but unknown) “source”, either Xi or Yi .

For computational indistinguishability, distinguisher should failusing any p.p.t. statistical test.

47/210

1 Introduction



DDH Assumption (Definition 1.11)

X〈g〉 = {(g x , g y , gxy ) : x , y ∈R Zn} “DH triples”Y〈g〉 = {(g x , g y , g z ) : x , y , z ∈R Zn, z 6= xy} “non-DH triples”

DDH assumption: X〈g〉 and Y〈g〉 are computationally indistinguishable.Also possible to take:

Y ′〈g〉 = {(g x , gy , g z ) : x , y , z ∈R Zn} “random triples”

∆(Y ; Y ′) = 12

(∑x,y,z∈Zn

∣∣Pr[Y = (gx , gy , g z )]− Pr[Y ′ = (g x , gy , g z )]∣∣)

= 12

(∑x,y,z∈Zn,z 6=xy

∣∣Pr[Y = (gx , gy , g z )]− Pr[Y ′ = (gx , gy , g z )]∣∣

+∑

x,y,z∈Zn,z=xy

∣∣Pr[Y = (gx , gy , g z )]− Pr[Y ′ = (g x , g y , g z )]∣∣)

= 12

((n3 − n2)

∣∣ 1n3−n2 − 1

n3

∣∣+ n2∣∣0− 1

n3

∣∣)= 1/n.

Since n is exponentially large in security parameter,statistical distance of 1/n is negligible.

48/210

1 Introduction



DDH Assumption

X = {(gx , gy , gxy ) : x , y ∈R Zn}Y = {(gx , gy , g z ) : x , y , z ∈R Zn, z 6= xy}.

∆(X ; Y ) = 12

(∑x,y,z∈Zn

∣∣Pr[X = (gx , gy , g z )]− Pr[Y = (g x , g y , g z )]∣∣)

= 12

(∑x,y,z∈Zn,z=xy

∣∣Pr[X = (gx , g y , g z )]− Pr[Y = (g x , g y , g z )]∣∣

+∑

x,y,z∈Zn,z 6=xy

∣∣Pr[X = (gx , gy , g z )]− Pr[Y = (gx , gy , g z )]∣∣)

= 12

(n2∣∣ 1

n2 − 0∣∣+ (n3 − n2)

∣∣0− 1n3−n2

∣∣)= 1.

∆(X ; Y ) = 1 not surprising, since X and Y are disjoint!Triangle inequality: ∆(X ; Y ′) ≥ ∆(X ; Y )−∆(Y ; Y ′) = 1− 1/n.

Exercise 1.3.3Check that actually ∆(X ; Y ′) = 1− 1/n.

49/210

1 Introduction



Random Self-Reducibility

Definition 1.14Problem is (perfectly) random self-reducible if any instance I can be solved bythese three steps:

1 Transform instance I into uniformly random instance I ′.2 Solve instance I ′.3 Extract solution for I from solution for I ′.

Only steps 1 and 3 are required to run in polynomial time.

Commonly random self-reducible:DL/DH/DDH problems for fixed DL setting 〈g〉.RSA-based problems for fixed RSA modulus N.

Likely to be not random self-reducible:Factoring integers of fixed bit length.Any NP-complete problem.

50/210

1 Introduction



Reduction to Average Case

Proposition 1.15 (Informal)Any random self-reducible problem that is hard in the worst case is also hard onthe average.

Proof (sketch).Suppose random self-reducible problem is easy on the average.Then any problem instance can be solved easily:

1 Transform given instance into a uniformly random instance.2 Solve it (easy because it’s the average case).3 Extract solution to original problem.

Note that the algorithm in the proof itself is probabilistic.

51/210

1 Introduction



Random Self-Reducible Discrete Log Problems

We consider a fixed group 〈g〉 of any order n ≥ 1.

Definition (DL, DH, DDH problems)DL Compute x, given g x with x ∈ Zn.DH Compute gxy , given g x , gy with x , y ∈ Zn.

DDH Distinguish g xy from g z , given g x , gy with x , y , z ∈ Zn, z − xy ∈ Z∗n .

For n prime, DDH problem corresponds to distinguishing (disjoint) distributions

X〈g〉 = {(gx , gy , gxy ) : x , y ∈R Zn}Y〈g〉 = {(gx , gy , g z ) : x , y , z ∈R Zn, z 6= xy}

Proposition 1.16DL, DH, and DDH problems are random self-reducible.

52/210

1 Introduction



Proof (DL, DH problems are random self-reducible).Given any DL problem instance h = g x with x ∈ Zn:

1 Transform h into uniformly random instance h′ = hgu with u ∈R Zn.2 Solve instance h′ yielding x ′ = logg h′.3 Extract solution as x = logg h = x ′ − u mod n.

Given any DH problem instance I = (g x , g y ) with x , y ∈ Zn:1 Transform I into I ′ = (g x′ , g y′) = (gx g t , gy gu) with t, u ∈R Zn.2 Solve instance I ′ yielding gx′y′ = g (x+t)(y+u) = gxy+xu+ty+tu.3 Extract solution as g xy = gx′y′/((g x )u(g y )tg tu).

Note: I ′ = (g x′ , g y′) is distributed uniformly on 〈g〉 × 〈g〉.

53/210

1 Introduction



Proof (DDH problem is random self-reducible).Given any DDH problem instance I = (gx , gy , g z ) with x , y , z ∈ Zn:

1 Transform I into I ′ = (gxs+t , gy+u, g zs+xsu+yt+tu), with s ∈R Z∗n , t, u ∈R Zn.2 Solve instance I ′ yielding bit b′.3 Output b = b′.

Since s ∈ Z∗n , I ′ = (gx′ , gy′ , g z′) satisfies z ′ = x ′y ′ iff I satisfies z = xy :

z ′ − x ′y ′ = zs + xsu + yt + tu − (xs + t)(y + u) = (z − xy)s.

If z = xy , triple I ′ is uniform among all triples (g x′ , gy′ , gx′y′): for v ,w ∈ Zn

Pr[x ′ = v , y ′ = w , z ′ = vw ] = 1n2 .

If z − xy ∈ Z∗n , s, t, u determined by s = (z ′−x ′y ′)/(z−xy), t = x ′−xs,u = y ′−y , hence I ′ uniform among all (g x′ , g y′ , g z′) with z ′ − x ′y ′ ∈ Z∗n :

Pr[x ′ = v , y ′ = w , z ′ = r ] = Pr[s = r−vwz−xy , t = v−xs, u = w−y ] = 1

φ(n)n2 ,

for any r , v ,w ∈ Zn with r − vw ∈ Z∗n :

54/210

1 Introduction



Random Self-Reducible DL Variants

Definition (DL∗, DH∗, DH∗∗, DDH∗, DDH∗∗ problems)DL∗ Compute x, given g x with x ∈ Z∗n .DH∗ Compute gxy , given g x , g y with x ∈ Z∗n and y ∈ Zn.DH∗∗ Compute gxy , given g x , g y with x , y ∈ Z∗n .

DDH∗ Distinguish gxy from g z , given g x , gy with x∈Z∗n , y , z ∈ Zn, z−xy ∈ Z∗n .DDH∗∗ Distinguish gxy from g z , given g x , gy with x , y , z ∈ Z∗n , z − xy ∈ Z∗n .

Example 1.17 (DL∗ problem is random self-reducible)Given any instance h = g x with x ∈ Z∗n :

1 Transform h into a uniformly random instance h′ = hu with u ∈R Z∗n .2 Solve instance h′ yielding x ′ = logg h′.3 Extract solution as x = logg h = x ′/u mod n.

Note: h′ is distributed uniformly on 〈g〉∗.

55/210

1 Introduction



Example (cont.)Alternatively, use transformation for DL problem in proof of Proposition 1.15.

Given any instance h = g x with x ∈ Z∗n :1 Transform h into uniformly random h′ = hgu, u ∈R Zn until ord(h′) = n.2 Solve instance h′ yielding x ′ = logg h′.3 Extract solution as x = logg h = x ′ − u mod n.

Condition ord(h′) = n ensures h′ ∈ 〈g〉∗ in step 2, cf. Exercise 1.2.3.In fact, h′ is distributed uniformly on 〈g〉∗ as required.

Test ord(h′) = n can be evaluated efficiently, given prime factorization of n.Expected running time of step 1 polynomial in size of n: on averagen/φ(n) = O(log log n) uniformly random h′ ∈ 〈g〉 needed to find one h′ ∈ 〈g〉∗.

Note: if n is prime, ord(h′) = n is equivalent to h′ 6= 1.

56/210

1 Introduction



Exercises

Exercise 1.3.4Show (a) DH∗ problem, and (b) DH∗∗ problem are both random self-reducible.

Exercise 1.3.5Show (a) DDH∗ problem is random self-reducible, and (b) given primefactorization of n, DDH∗∗ problem is random self-reducible. Hints: for both partsuse three random numbers for transformation in step 1, s, t ∈R Z∗n and u ∈R Zn;for part (b), also test for invalid inputs, cf. end of Example 1.17.

57/210

1 Introduction



Exercises

Exercise 1.3.6Show that these problems are random self-reducible for group 〈g〉 of order n:

(a) given gx with x ∈ Zn, compute g x2;

(b) given gx with x ∈ Z∗n , compute g1/x ;(c) given gx , g y with x , y ∈ Z∗n , compute g x/y ;(d) given gx , g y with x ∈ Zn, y ∈ Z∗n , compute g x/y ;(e) given gx with x ∈ Z∗n , compute g x3

;(f) given gx , g x2

with x ∈ Zn, compute g x3;

(g) given gx , g y with x , y ∈ Zn, compute g (x+y)2;

(h) given gx , g y with x , y ∈ Zn, x − y ∈ Z∗n , compute g1/(x−y).

58/210

1 Introduction



Exercises

Exercise 1.3.7Let N = pq be an RSA modulus, that is, p and q are large, distinct primes of bitlength k, for some integer k. Let e satisfy gcd(e, φ(N)) = 1, whereφ(N) = (p − 1)(q − 1). The RSA problem is to compute x = y 1/e mod N giveny ∈ Z∗N . Show that the RSA problem is random self-reducible.

Exercise 1.3.8Let N be an RSA modulus, as in the previous exercise. LetJN = {y ∈ Z∗N : (y/N) = 1}, the set of all integers in Z∗N with Jacobi symbol 1.The Quadratic Residuosity (QR) problem is to decide whether a given y ∈ JN is aquadratic residue modulo N or not, that is, whether y ∈ QRN , whereQRN = {y ∈ Z∗N : ∃x∈Z∗N

y = x 2 mod N}. Show that the QR problem is randomself-reducible.

59/210

1 Introduction



Cryptographic Hash Functions

Definition 1.18

Function H : {0, 1}∗ → {0, 1}k is a cryptographic hash function, if H(x) is easyto compute for any x , and one or more of the following properties hold:

preimage resistance (one-wayness):given y , hard to find preimage x such that H(x) = y .2nd-preimage resistance (weak collision resistance):given x , hard to find 2nd-preimage x ′ 6= x such that H(x ′) = H(x).collision resistance (strong collision resistance):hard to find collision (x , x ′) with x 6= x ′ such that H(x) = H(x ′).

Well-known examples: MD5, SHA-1, SHA-256.

Collisions for MD5, SHA-0, SHA-1 and some other “old” hash functions:CryptographicHash-Collisions.nb

https://www.win.tue.nl/~berry/CryptographicProtocols/CryptographicHash-Collisions.nb

60/210

1 Introduction



Random Oracle Model

View cryptographic hash function H : {0, 1}∗ → {0, 1}k as a random oracle.

Random oracle H: random function of type {0, 1}∗ → {0, 1}k .

We only use a finite portion S of H as follows.Initially, S = ∅.Upon a query x :

if x 6∈ S, set H(x) ∈R {0, 1}k and S ← S ∪ {x};return H(x).

Then:(i) H is a function: same input value, same output value;(ii) H is random: for different input values, output values are distributed

uniformly at random (and mutually independent).

61/210

1 Introduction



Random Oracle Model

Ultimately, use of random oracle model is heuristic!

Concrete hash function such as SHA-256 is not a random function—not at all!1

Practical upshot: protocol proved secure in random oracle model can only bebroken if the attacker uses specific properties of hash function H.

1Protocols do exist that can be proved secure in the random oracle model, but are insecure whenused with some concrete hash function. Yet, these “counterexamples” are not realistic. See alsoExercise 5.4.1.

62/210

1 Introduction



Random Oracle Model

Proposition 1.19

Let H be a cryptographic hash function, viewed as a random oracle.Let (unlimitedly powerful) adversary E make at most t hash queries.(iii) Let E output (x , x ′). Then Pr[x 6= x ′,H(x) = H(x ′)] ≤ t2/2k .

Proof. W.l.o.g. assume that all hash queries are distinct.

(iii) Write m = 2k and assume t <√

m. For hash queries x1, . . . , xt , probability ofat least one collision is:

1−m(m − 1)(m − 2) · · · (m − t + 1)/mt

= 1− (1− 1/m)(1− 2/m) · · · (1− (t − 1)/m)≤ 1− e−2/me−4/m · · · e−2(t−1)/m 1−x≥e−2x for 0≤x≤3/4

= 1− e−t(t−1)/m

≤ 1− (1− t(t − 1)/m) ex≥1+x for x∈R

= t(t − 1)/m≤ t2/m.

63/210

1 Introduction



Birthday Paradox

Exercise 1.3.9See the proof of Proposition 1.19(iii). Show that the upper bound for theprobability of finding at least one collision is almost tight by showing that thisprobability is bounded below by 1

4 t(t − 1)/m, for t <√

m.

Exact collision probability as function of t:

Among group of 23 people, prob. 50% that two share same birthday!At t = 2

√m = 2

√2k almost surely (prob. ≈ 1) a collision.

64/210

1 Introduction



Further Requirements for Cryptographic Hash Functions

Any deviation from what statistically holds for random functions should be:absent,unlikely, orin any case, infeasible to exploit.

Example (Partial preimage resistance (or, local one-wayness))Given y , hard to find (partial) information about any preimage x s.t. H(x) = y .

Exercise 1.3.10Let H be a preimage resistant hash function. Show that partial preimageresistance is strictly stronger than preimage resistance, by constructing a preimageresistant hash function H ′ (from H) which is not partial preimage resistant.

65/210

1 Introduction



Exercises

Exercise 1.3.11Suppose one demands of a hash function H that it is hard to find a pair of bitstrings (x , x ′) satisfying H(x)=H(x ′), where s denotes the bitwise complement ofbit string s. Analyze the probability that an adversary E making at most t hashqueries finds such a pair, where H is viewed as a random oracle.

Exercise 1.3.12Let y = H2(x), where x ∈ {0, 1}∗. Let E be an adversary that, given y only,makes t hash queries on distinct inputs x1, . . . , xt ∈ {0, 1}k . ViewH : {0, 1}∗ → {0, 1}k as a random oracle to show that E finds a preimage of ywith probability exactly equal to ε(2− ε), with ε = t/2k . Also, argue why there isno contradiction with Proposition 1.19(i) even though ε(2− ε) ≥ ε.

66/210


2.1 Diffie-Hellman Key Exchange2.2 Authenticated Key Exchange

2.1.1 Basic Protocol2.1.2 Passive Attacks2.1.3 A Practical Variant2.1.4 Aside: ElGamal Encryption

Diffie-Hellman Key Exchange (1976)

Discrete Log setting: finite cyclic group 〈g〉 of order n.

Party A Party B

xA ∈R Z∗n xB ∈R Z∗nhA ← gxA hB ← gxB

−−−−−hA−−−−−−−→

←−−−−−hB−−−−−−−

KAB ← hxAB KBA ← hxB

A

Key K = KAB = KBA is a shared key for A and B, meaning that:(i) K is the same for A and B(ii) K is private, only known to A and B(iii) K is actually equal to gxAxB (with contributions from both parties)

Often, key K is subsequently used as a session key.How “secure” is this protocol?

67/210




Exercise

Exercise 2.1.1Explain what happens if the secret exponents xA and xB are chosen from Zninstead of Z∗n . Confirm your findings by computing the statistical distance∆(K ; K ′), where K = g xAxB with xA, xB ∈R Z∗n and K ′ = gx′Ax′B withx ′A, x ′B ∈R Zn.

68/210




Security against Passive Attacks

Passive attacker E eavesdrops on communication,gets hA = gxA and hB = g xB .E knows the DL setting in use.Thus, E may try to compute xA = logg hA.

But, success would contradict the DL assumption (Definition 1.9).

Similarly, computation of xB = logg hB cannot be successful.

Can we make this line of reasoning rigorous?

69/210




Security Proof by Reduction

Reduction:If attacker E can find K from hA and hB,then we can use E to solve the DL problem.

Given an instance of the DL problem: h = gx .How to use E to find x = logg h?

Attempt at reduction:1 put hA = h2 put hB = gx′ with x ′ ∈R Z∗n3 let E perform its attack4 upon success, E outputs g xx′ .5 ... ?

How to find x from g xx′? Even knowing x ′.

Way out: introduce DH assumption (Definition 1.10).

70/210




Enough Security?Under DH assumption, attacker E cannot find key K given hA and hB. But,suppose K is used to encrypt 1-bit message M ∈ {0, 1}: ciphertext C = gMK .

Example 2.1

Let 〈g〉 = Z∗p , with p′ = (p − 1)/2 prime. Then Z∗p = QRp ∪ QRp with

QRp = {1, g2, . . . , g2p′−2} quadratic residues mod pQRp = {g , g3, . . . , g2p′−1} quadratic nonresidues mod p

hA hB KQRp QRp QRp 25%QRp QRp QRp 25%QRp QRp QRp 25%QRp QRp QRp 25%

Assume M ∈R {0, 1}.Given C = gMK .

Guess: M̂ ={

0, if C ∈ QRp ,

1, if C ∈ QRp .

Pr[M̂ = M] = 3/4 (check this!)Even worse: M can be recovered deterministically from the quadratic residuosity ofhA, hB, and C . See Exercise 2.1.5.

71/210




Choice for Prime Order Groups

DDH assumption (Definition 1.11) to exclude any leakage of partial information.

Exercise 2.1.2Argue that the DDH assumption is false when n contains a small prime factor.

Simple way to exclude small prime factors: let n be sufficiently large prime.

Additional benefit: Zn is a field!

72/210




Security under DDH Assumption

Balanced function f : 〈g〉 → {0, 1}, if a priori Pr[f (u) = 0] = Pr[f (u) = 1] = 1/2for u ∈R 〈g〉.Suppose E predicts f (K) better than guessing at random:

Pr[E(hA, hB) = f (K)] > 1/2 + ε, for nonnegligible ε

Given E , define distinguisher D for DDH:

D(gx , gy , g z ) :={

1, if E(gx , gy ) = f (g z ),0, if E(gx , gy ) 6= f (g z ).

On DH-triples:

Pr[D(hA, hB,K) = 1]= Pr[E(hA, hB) = f (K)]> 1/2 + ε

On random triples:

Pr[D(hA, hB, g z ) = 1]= Pr[E(hA, hB) = f (g z )]

“f is balanced”= 1/2

Advantage of D exceeds ε. Contradicts DDH assumption.

73/210




Exercise

Exercise 2.1.3Extend the above analysis to the case that the a priori probabilities are given byPr[f (u) = 0] = p0 and Pr[f (u) = 1] = p1 = 1− p0.

74/210




Hashed DH Key Exchange

Cryptographic hash function H : 〈g〉 → {0, 1}k .

Party A Party B

xA ∈R Z∗n xB ∈R Z∗nhA ← gxA hB ← g xB

−−−−−hA−−−−−−−→

←−−−−−hB−−−−−−−

KAB ← H(hxAB ) KBA ← H(hxB

A )

K = H(g xAxB ) is a k-bit approximately uniformly random key.Assuming n� 2k (e.g., n ≈ 2256 and k = 128).

75/210




Security Proof

Balanced function f : {0, 1}k → {0, 1}, if a prioriPr[f (u) = 0] = Pr[f (u) = 1] = 1/2 for u ∈R {0, 1}k .Intuition is to consider “lucky” event L: “E queries H on input g xAxB”If ¬L, then E has no advantage over guessing at random:

Pr[E(hA, hB) = f (K) | ¬L] = 1/2

If L, then E might be successful, so use trivial upper bound:

Pr[E(hA, hB) = f (K) | L] ≤ 1

Hence:

Pr[E(hA, hB) = f (K)]= Pr[E(hA, hB) = f (K) | L] Pr[L] + Pr[E(hA, hB) = f (K) | ¬L] Pr[¬L]≤ Pr[L] + Pr[E(hA, hB) = f (K) | ¬L] Pr[¬L]= Pr[L] + 1

2 (1− Pr[L])= 1

2 + 12 Pr[L].

76/210




Security Proof: Bounding Pr[L]

Event L: during attack, E queries H on input g xAxB .

We show that Pr[L] is negligible under the DH assumption.

Define p.p.t. algorithm E ′, using p.p.t. E as a subroutine:1 take hA and hB as inputs;2 run E on these inputs, while recording all H queries made by E ;3 return an H query (made by E) at random.

Let t denote total number of H queries. Then:

Pr[E ′(hA, hB) = gxAxB ] = Pr[L]/t⇔ Pr[L] = t Pr[E ′(hA, hB) = g xAxB ].

E is p.p.t. ⇒ t is polynomialDH assumption ⇒ Pr[E ′(hA, hB) = g xAxB ] is negligible

Hence, Pr[L] is negligible.

77/210




Exercise

Exercise 2.1.4Extend the above analysis to the case that the a priori probabilities are given byPr[f (u) = 0] = p0 and Pr[f (u) = 1] = p1 = 1− p0.

78/210




ElGamal Encryption

ElGamal cryptosystem, for security parameter kKey generation. Pick group 〈g〉 of order n at random among “size” k groups.

Pick private key x ∈R Z∗n . Set public key as h = gx .Encryption. Given plaintext M ∈ 〈g〉 and public key h. The ciphertext is the

pair (gu, huM), where u ∈R Zn.Decryption. Given ciphertext (A,B), the plaintext is recovered as M = B/Ax ,

using private key x .

Semantically secure under DDH assumption: ciphertext leaks no information.

ElGamal encryption ' Diffie-Hellman Key Exchange plus transfer of M

Party A Party BxA ∈R Z∗n xB ∈R Zn

hA ← gxA−−−−−

hA−−−−−−−→ KBA ← hxB

A

KAB ← hxAB ←−−−−−

hB−−−−−−− hB ← g xB

M ← cB/KAB ←−−−−−cB−−−−−− cB ← KBAM

79/210




Exercise

Exercise 2.1.5Show how to break the ElGamal cryptosystem for 〈g〉 = Z∗p , with p = 2p′ + 1,p, p′ both prime. Focus on the case that M ∈ {1, g}, and show how to recover M.

80/210




Practical ElGamal Encryption

Practical ElGamal cryptosystem, using cryptographic hash H : 〈g〉 → {0, 1}k

Key generation. As above.Encryption. Given plaintext M ∈ {0, 1}k and public key h. The ciphertext is

the pair (gu,H(hu)⊕M), where u ∈R Zn.Decryption. Given ciphertext (A,B), the plaintext is recovered as

M = H(Ax )⊕ B, using private key x .

Semantically secure under DH assumption, in Random Oracle model.

Connection with Hashed DH Key Exchange

Party A Party BxA ∈R Z∗n xB ∈R Zn

hA ← g xA−−−−−

hA−−−−−−−→ KBA ← hxB

A

KAB ← hxAB ←−−−−−

hB−−−−−−− hB ← g xB

M ← H(KAB)⊕ cB ←−−−−−cB−−−−−− cB ← H(KBA)⊕M

81/210



2.2.1 Man-in-the-Middle Attacks2.2.2 A Protocol Using Digital Signatures2.2.3 A Protocol Using Password-Based Encryption

Man-in-the-Middle Attacks

Active attacker may impersonate your protocol partner.

Classic man-in-the-middle attack

Party A Attacker E Party BxA ∈R Z∗n x ′A, x ′B ∈R Z∗n xB ∈R Z∗nhA ← gxA h′A, h′B ← gx′A , gx′B hB ← gxB

−−−hA−−−−−→ −−−

h′A−−−−−→

←−−−h′B−−−−− ←−−−

hB−−−−−

KAE ← h′BxA KAE ,KEB ← hx′B

A , hx′AB KEB ← h′A

xB

Man-in-the-middle E :session key KAE with Asession key KEB with Baccess to all traffic in clear between A and B; can also modify things.

82/210




Man-in-the-Middle Attacks

Arbitrary man-in-the-middle attacks

Party A Attacker E Party BxA ∈R Z∗n xB ∈R Z∗nhA ← gxA h′A, h′B ← . . . , . . . hB ← gxB

−−−hA−−−−−→ −−−

h′A−−−−−→

←−−−h′B−−−−− ←−−−

hB−−−−−

KAE ← h′BxA KEB ← h′A

xB

h′A h′B KAE KEBAttack 0 1 1 1 1Attack 1 g g g xA gxB

Attack 2 g x′A g x′B g xAx′B g x′AxB

Attack 3 hAgu hB g xAxB g (xA+u)xB

Attack 4 1/hA 1/hB g−xAxB g−xAxB

83/210




Signature-Based Authenticated Key Exchange

(pkA, skA) key pair of party A(pkB, skB) key pair of party BS signature generation algorithmV signature verification algorithm

Party A Party BxA ∈R Z∗n xB ∈R Z∗nhA ← g xA hB ← gxB

sA ← SskA(hA,B) −−hA, sA−−−−−−→

←−−hB, sB−−−−−− sB ← SskB (hA, hB,A)

VpkB (sB, (hA, hB,A))? VpkA(sA, (hA,B))?KAB ← hxA

B KBA ← hxBA

Secure under DDH assumption, assuming digital signature scheme is secure(against adaptive chosen-message attack).Use of digital signatures is somewhat costly.

84/210




Password-Based Authenticated Key Exchangew ∈ {0, 1}∗ password known to A and B onlyE ,D : {0, 1}∗ × 〈g〉 → 〈g〉 symmetric encryption/decryption algorithms

Party A Party BxA ∈R Z∗n xB ∈R Z∗nhA ← g xA hB ← gxB

cA ← Ew (hA) cB ← Ew (hB)

−−−−cA−−−−−−→

←−−−−cB−−−−−

KAB ← (Dw (cB))xA KBA ← (Dw (cA))xB

Then KAB = KBA = gxAxB .Passive attacker sees Ew (hA) and Ew (hB). No information on w , since hA andhB are random and unknown to the attacker. But, use of K in ensuing sessionmay reveal information on K , hence on w .Active attacker may try w ′ by sending Ew′(hA) on behalf of A. When sessionsucceeds, w ′ is correct. Best attacker can do is trying passwords one at a time.No off-line dictionary attack.

85/210




Figure 2.1 (Three-pass encryption?)

Party A Protocol I Party BxA ∈R Z∗n

hA ← MxA−−−

hA−−−−−→ xB ∈R Z∗n

←−−−hAB−−−−−− hAB ← hxB

A

hB ← h1/xAAB −−−

hB−−−−−→M′ ← h1/xB

B

Party A Protocol II Party BbA ∈R {0, 1}cA ← b ⊕ bA −−−

cA−−−−−→ bB ∈R {0, 1}

←−−−cAB−−−−−− cAB ← cA ⊕ bB

cB ← cAB ⊕ bA−−−−cB−−−−−→ b′ ← cB ⊕ bB

Exercise 2.2.1Consider protocols I and II for sending plaintexts M ∈ 〈g〉∗ and b ∈ {0, 1} securelyfrom A to B over an insecure channel. The object of both protocols is that theplaintexts remain completely hidden from other parties than A and B, and thatthe plaintexts cannot be modified by other parties than A or B.Verify that M′ = M and b′ = b if A and B follow protocols I and II, resp. Next,determine for protocol I whether it is secure against passive attacks, and whetherit is secure against active attacks. If secure, describe the relevant computationalassumption (if any); if insecure, show an attack. Do the same for protocol II.

86/210


3.1 Definitions3.2 Examples


Commitments

Party A Party B

Commit phase :

Put message incommitment.Keep key.

−−−−−−−−−−−−−→Commitmentstored for later.

Reveal phase :

−−−−−−−−−−−−→Check messagein commitment.

87/210




Coin Flipping by Telephone

Mutually random bit?

Party A Party BbA ∈R {0, 1} −−−−−

bA−−−−−−−→

←−−−−−bB−−−−−−− bB ∈R {0, 1}

b ← bA ⊕ bB b ← bA ⊕ bB

Protocol flaw:

Party B can set bB = bA ⊕ b∗ for bit value b∗ of its liking.

Insider attack! By your protocol partner.

88/210




Coin Flipping by Telephone

Use commitments.

Mutually random bit!

Party A Party BbA ∈R {0, 1} −

“commit to bA”−−−−−−−−−−−−−→

←−−−−−−bB−−−−−−−− bB ∈R {0, 1}

−−“reveal bA”−−−−−−−−−−→

b ← bA ⊕ bB b ← bA ⊕ bB

If A or B is honest, bit b is distributed uniformly at random, provided:commitment hides bA from party Bcommitment binds party A to bA (no change possible).

89/210




Asymmetric functionality.

Definition 3.1 (Commitment schemes)

Let commit : {0, 1}k × {0, 1}∗ → {0, 1}∗ be a deterministic polynomial timealgorithm. Noninteractive commitment scheme between sender and receiver:Commit Phase. Protocol in which sender commits to x ∈ {0, 1}∗ by computing

C = commit(u, x) with u ∈R {0, 1}k , and sending C to receiver.Receiver stores C for later use.

Reveal Phase. Protocol in which sender opens commitment C = commit(u, x) bysending u and x to receiver. Receiver computes commit(u, x) andverifies equality to C .

Security for sender: commit(u, x) should not leak information on x .Let X = {commit(u, 0) : u ∈R {0, 1}k}, Y = {commit(u, 1) : u ∈R {0, 1}k}.Computationally hiding. X and Y computationally indistinguishable.Information-theoretically hiding. X and Y statistically indistinguishable.Security for receiver: commit(u, x) can be opened in one way only.Computationally binding. Adversary restricted to p.p.t. algorithm.Information-theoretically binding. Adversary unlimitedly powerful.

90/210




3.2.1 Using a Cryptographic Hash Function3.2.2 Using a Discrete Log Setting3.2.3 Impossibility Result

Given cryptographic hash function H.

Hash-based bit commitment scheme

commit0(u, x) = H(u ‖ x), u ∈R {0, 1}k

Computationally binding:Implied by collision resistance:H(u ‖ x) = H(u′ ‖ 1− x) is a collision.Hence, also binding in the random oracle model.

Computationally hiding:Preimage resistance necessary but not sufficient:H(u ‖ x) might leak partial information on input u, x(See also Exercise 1.3.10 on partial preimage resistance.)Hiding in the random oracle model:H(u ‖ x) is uniformly random and independent of x

91/210





Two Complementary SchemesDL setting: generators g , h such that nobody knows logg h.

Pedersen’s bit commitment scheme

commit1(u, x) = guhx , u ∈R Zn

Computationally binding under DL assumption:

commit1(u, x) = commit1(u′, 1− x)⇔ guhx = gu′h1−x ⇔ logg h = u − u′

1− 2xInformation-theoretically hiding: guhx is statistically independent of x .

ElGamal-based bit commitment scheme

commit2(u, x) = (gu, hu+x ), u ∈R Zn

Information-theoretically binding:

commit2(u, x) = commit2(u′, 1− x)⇔ (gu, hu+x ) = (gu′ , hu′+1−x )⇔ false

Computationally hiding under DDH assumption (DL assumption not sufficient).

92/210





Exercises

Exercise 3.2.1Analyze the security properties of commit1 and commit2 for the case that x ∈ Zn.

Exercise 3.2.2What happens if the receiver knows logg h in scheme commit1? Same question forscheme commit2.

Exercise 3.2.3Discuss the security of the following commitment scheme for values x ∈ 〈g〉:

commit(u, x) = gux ,

where u ∈R Zn. Is it binding? Is it hiding?

93/210





binding hidingcommit0(u, x) = H(u ‖ x) computational computationalcommit1(u, x) = guhx computational information-theoreticcommit2(u, x) = (gu , hu+x ) information-theoretic computationalcommit3(u, x) = impossible information-theoretic information-theoretic

Consider any bit commitment scheme commit3.

Assume commit3 is information-theoretically binding.

Then no u, u′ exist s.t. commit3(u, 0) = commit3(u′, 1),otherwise an unlimitedly powerful sender would find u, u′(by exhausting the finite set of possibilities).

But, if the sender commits to 0, say, using C = commit3(u, 0) for some u, anunlimitedly powerful receiver notices that no u′ exists s.t. C = commit3(u′, 1)(by exhausting the finite set of possibilities).

Hence the receiver knows that the committed value must be 0.

So, commit3 is not information-theoretically hiding.

94/210




Homomorphic Commitments

Recall: homomorphic mapping preserves algebraic structure.

Example (Pedersen’s commitment scheme)commit1(u, x) = guhx , u ∈R Zn and x ∈ Zn is additively homomorphic:

commit1(u, x) commit1(u′, x ′) = commit1(u + u′, x + x ′).

Multiplication on the left-hand side is in 〈g〉.Additions on the right-hand side are in Zn; x + x ′ is sum of committed values.

Exercise 3.3.1 (see Exercise 1.3.8)Quadratic Residuosity (QR) assumption states that QR problem is hard.Let y ∈ JN denote a quadratic nonresidue modulo N. Consider the following bitcommitment scheme:

commit(u, x) = u2y x mod N,

where u ∈R Z∗N and x ∈ {0, 1}. In what sense is the scheme binding? In whatsense is the scheme hiding? In what sense is the scheme homomorphic?

95/210

4 Identification Protocols4.1 Definitions


4.4 Basic Challenge-Response Protocols4.5 Zero-Knowledge Identification Protocols4.6 Witness Hiding Identification Protocols

Identification protocol: two-party protocol to let verifier V get convincedthat prover P is as claimed.

Examples: secure login, secured room.

Identification protocols may be based on (combinations of):What you are. Biometrics, such as fingerprints, iris scans, etc.What you have. Smart cards, SIM cards, or similar hardware tokens.What you know. Passwords, PIN codes, secret keys.

Our focus: purely cryptographic identification protocols, using secret keys.

Identification 6= message authenticationIdentification 6= digital signaturesIdentification 6= authenticated key exchange

96/210




Identification Scheme

Registration protocol: once to set up a shared secret key or a public key pair.Identification protocol: many runs, should withstand impersonation attacks

Passive attacks: eavesdropping, key only

Active attacks: guessing, cheating verifier, man-in-the-middle

Cheating verifier impersonation attack1 Attacker runs protocol (many times) as cheating V∗ with honest P;2 attacker runs protocol as cheating P∗ with honest V.

97/210




Password: usually a human-memorable string x .

Registration (over secure channel)

Prover P Verifier V−−−−−

x−−−−−−→ store x

Identification

Prover P Verifier V−−−−−

x−−−−−−→ check x

No security against eavesdropping attacks.

98/210




Lamport’s Identification SchemeHash chain with xi+1 = H(xi ) for cryptographic hash function H:

x0H−→ x1

H−→ x2H−→ . . .

H−→ x`−2H−→ x`−1

H−→ x`

Registration (over secure channel)

Prover P Verifier Vx0 ∈R {0, 1}k

x` ← H`(x0) −−−−−x`−−−−−−→ v ← x`

Identification, ith run (i = 1, . . . , `)

Prover P Verifier Vx`−i ← H`−i (x0) −−−−

x`−i−−−−−−−→ v ?= H(x`−i )

v ← x`−i

Value v stored by verifier is not secret (but should be authentic).Key-only attack: in random oracle model.Eavesdropping attack: infeasible as x`−i does not help attacker insucceeding in subsequent runs of identification protocol.

99/210




Ultra Long Hash Chains

Hash chain of length ` allows for ` runs of identification protocol.Suppose smart card must support maximum of ` = 232 runs.Direct computation of H`−i (x0) impedes fast identification.

Remark 4.1 (Pebbling algorithms)

Prover space timestoring only x0 O(1) O(`)storing all of x0, . . . , x`−i O(`) O(1)pebbling O(log `) O(log `)

Each pebble stores one value xi of the hash chain.Initial positions of pebbles •, for ` = 16:• · · · · · · · • · · · • · • • ·

Operations on pebbles:clone to create new pebble at same positionmove one position to the right (using one application of H)

See www.win.tue.nl/˜berry/pebbling/ for optimal pebbling (incl. sample code).

https://www.win.tue.nl/~berry/pebbling/

100/210




Pebbling Algorithm VisualizationSimple pebbling at speed 1, e.g., for ` = 16:

x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 output1 • • • • • x152 • • • • x143 • ↘• • ↘• • ↘• x134 • ↘• • ↘• • x125 • ↘• • • ↘• x116 • ↘• • • x107 • • ↘• • ↘• x98 • • ↘• • x89 • • • ↘• x7

10 • • • x611 • ↘• • ↘• x512 • ↘• • x413 • • ↘• x314 • • x215 • ↘• x116 • x0

101/210




Pebbling Algorithm VisualizationSpace-efficient pebbling at speed 2, e.g., for ` = 16:

x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 output1 • • • • • x152 • • • • x143 • • • ↘• x134 • • • • x125 • • • ↘• x116 • • • • x107 • • • ↘• x98 • • • • x89 • • • ↘• x7

10 • • • x611 • • ↘• x512 • • • x413 • • ↘• x314 • • x215 • ↘• x116 • x0

102/210




4.4.1 Using Symmetric Encryption4.4.2 Using Symmetric Authentication4.4.3 Using Asymmetric Encryption4.4.4 Using Asymmetric Authentication

Figure 4.1 (Four basic challenge-response protocols)

Prover Verifierc ∈R {0, 1}k

←−−−c−−−

r ← EK (c)−−−

r−−−→

c ?= DK (r)(a)


←−−−c−−−

r ← H(K‖c)−−−

r−−−→

r ?= H(K‖c)(b)

Prover VerifierM ∈R {0, 1}k

←−−−c−−− c ← Epk (M)

r ← Dsk (c)−−−

r−−−→

r ?= M(c)


←−−−c−−−

r ← Ssk (c)−−−

r−−−→

Vpk (r , c)?(d)

103/210





Basic challenge-response protocol (a)


←−−c−−

r ← EK (c)−−

r−−→

c ?= DK (r)

Exercise 4.4.1Consider the alternative protocol in which the verifier challenges the prover withc = EK (M), where M ∈R {0, 1}k , and for which the prover is supposed to produceresponse r = M. Discuss eavesdropping attacks and cheating verifier attacks forthis protocol.

104/210





Basic challenge-response protocol (b)


←−−c−−

r ← H(K ‖ c)−−

r−−→

r ?= H(K ‖ c)

105/210





Basic challenge-response protocol (c)

Prover VerifierM ∈R {0, 1}k

c ← Epk (M)←−−

c−−

r ← Dsk (c)−−

r−−→

r ?= M

106/210





Basic challenge-response protocol (d)

Prover Verifier

c ∈R {0, 1}k

←−−c−−

r ← Ssk (c)−−

r−−→

Vpk (r , c)?

107/210




4.5.1 Schnorr Zero-Knowledge Protocol4.5.2 Schnorr Protocol4.5.3 Guillou-Quisquater Protocol

Where’s Waldo?

Find in

Click this PowerPoint slide show.

https://www.win.tue.nl/~berry/CryptographicProtocols/ZK-Waldo-NP.pps

108/210





Zero-knowledge Identification SchemeRegistration. P generates public key pair, keeps private key to itself, and gives

public key to V.Identification. P engages in zero-knowledge proof to convince V of knowledge of

private key.

Soundness property (security for V): cheating P∗ not knowing private key doesnot succeed in convincing V.

Zero-knowledge property (security for P): cheating V∗ does not learn anythinguseful about private key from interacting with P.

109/210





Discrete log setting 〈g〉.Prover registered public key h, and knows private key x satisfying h = gx .

Figure 4.2 (Schnorr’s zero-knowledge protocol)

Prover Verifier(x = logg h)

u ∈R Zn

a← gu−−−−−−

a−−−−−−→

c ∈R {0, 1}←−−−−−−

c−−−−−−

r ←n

{u, if c = 0u + x , if c = 1 −−−−−−

r−−−−−−→

g r ?={

a, if c = 0ah, if c = 1

110/210





Soundness

SoundnessOnly prover P knowing private key x = logg h succeeds.

Without knowledge of x , cheating prover P∗ can do one of the following:Either, prepare for c = 0 by setting a = gu and using response r = u.Or, prepare for c = 1 by setting a = gu/h and using response r = u.

Verification g r = ahc holds in both cases.

50% success probability for P∗

But P∗ cannot do better than 50%!

111/210





Soundness

Suppose P∗ can answer both challenges c = 0 and c = 1 correctly,after sending announcement a to V.

Hence P∗ can compute responses r0 and r1 such that:

g r0 = a, g r1 = ah.

This impliesh = g r1−r0 .

But then P∗ actually knows x , since x = r1 − r0 mod n holds!

In other words, private key x can be extracted from two correct responses r0 andr1 to two different challenges c = 0 and c = 1 for the same announcement a.

112/210





Zero-Knowledge

Cheating verifier V∗ may run protocol (polynomially) many times with P,to obtain conversations (a; c; r).

Simulation paradigmV∗ can efficiently generate (simulate) these conversations on its own,given only public key h—and no access to prover P who knows x = logg h.

Identification protocol is zero-knowledge if simulator S exists which, given publickey h, generates conversations indistinguishable from conversations of real protocolruns between P and V∗.

Usually, simulator S is using V∗ only as a rewindable black-box.(I.e., usually, no need for S to know how V∗ operates internally.)

113/210





Simulation Paradigm

P V∗

x

h

SV∗ V∗

h

h

V∗ cannot distinguish between protocol with P and protocol with SV∗

⇒ protocol is zero-knowledge w.r.t. private key x

114/210





Simulation of Schnorr’s Protocol

Real conversationsInput: private key xOutput: conversation (a; c; r)

1 u ∈R Zn

2 a← gu

3 c ∈R {0, 1}4 r ←n u + cx5 output (a; c; r)

Simulated conversationsInput: public key hOutput: conversation (a; c; r)

1 c ∈R {0, 1}2 r ∈R Zn

3 a← g r h−c

4 output (a; c; r)

All real and simulated conversations (a; c; r) are accepting, as g r = ahc holds.

115/210





Why Are These Distributions Identical?

Consider fixed key pair (h; x).

For fixed c, 1-to-1 correspondence between u = logg a in real conversations and rin simulated conversations, as r = u + cx holds in both cases.

Each accepting conversation (a; c; r) occurs with probability 12n in both cases.

More precisely, let (A; C ; R) be any accepting conversation, hence gR = AhC .For simulated conversations:

Pr[(a; c; r) = (A; C ; R)] = Pr[a = A, c = C , r = R]

= Pr[g r h−c = gR h−C , c = C , r = R]= Pr[c = C , r = R]= Pr[c = C ] Pr[r = R]= 1

21n = 1

2n

116/210





Passive Impersonation Attacks

Security against passive impersonation attacks extends to any eavesdropper.

Remark 4.2Honest-verifier zero-knowledge reduces any passive impersonation attack to akey-only attack: eavesdropping conversations does not yield anything aboutprover’s private key beyond what can be deduced from corresponding public key.

Eavesdropped conversations (a; c; r) for honest runs of Schnorr’s protocol can besimulated as well given public key h only.

But, eavesdropper may learn something new!From a single conversation (a; c; r) with c 6= 0,eavesdropper may recover prover’s public key as h = (g r/a)1/c

(thus, potentially establishing prover’s identity).

117/210





Simulation of Schnorr’s Protocol

Recall V∗ is p.p.t. algorithm (Turing machine).Rewinding V∗: going back to a previous configuration(configuration = state + tape contents + position of read/write heads).

Real conversationsInput: private key xOutput: conversation (a; c; r)

1 u ∈R Zn

2 a← gu

3 send a to V∗

4 receive c ∈ {0, 1} from V∗

5 r ←n u + cx6 output (a; c; r)

Simulated conversationsInput: public key hOutput: conversation (a; c; r)

1 c ∈R {0, 1}2 r ∈R Zn

3 a← g r h−c

4 send a to V∗

5 receive c ′ ∈ {0, 1} from V∗

6 if c 6= c ′ rewind V∗ to point prior toreceiving a and go to step 1

7 output (a; c; r)Sequential iterations can be simulated as well.Cheating probability 1/2k for k iterations.

118/210





Figure 4.3 (Schnorr’s identification protocol)


u ∈R Zn

a← gu−−−−−−

a−−−−−−→

←−−−−−−c−−−−−− c ∈R Zn

r ←n u + cx −−−−−−r−−−−−−→ g r ?= ahc

Soundness: cheating probability down to 1/|Zn| = 1/n.Zero-knowledge: only for honest verifier V.Identical distributions of real/simulated conversations:

{(a; c; r) : u, c ∈R Zn; a← gu; r ←n u + cx},{(a; c; r) : c, r ∈R Zn; a← g r h−c}.

119/210





RSA setting: RSA modulus N, public exponent large prime e.Prover registered public key y , and knows private key x s.t. y = x e mod N.

Figure 4.4 (Guillou-Quisquater’s identification protocol)

Prover Verifier(x = y 1/e mod N)

u ∈R Z∗Na←N ue

−−−−−−a−−−−−−→

←−−−−−−c−−−−−− c ∈R Ze

r ←N ux c−−−−−−

r−−−−−−→ r e ?=N ay c

Soundness: cheating probability 1/|Ze | = 1/e.Zero-knowledge: only for honest verifier V.Identical distributions of real/simulated conversations:

{(a; c; r) : u ∈R Z∗N ; c ∈R Ze ; a←N ue ; r ←N ux c},{(a; c; r) : c ∈R Ze ; r ∈R Z∗N ; a←N r ey−c}.

120/210





Soundness of Guillou-Quisquater’s Protocol

Assume prover able to produce accepting (a; c; r), (a; c ′; r ′), with c 6= c ′.Then (modulo N):

r e = ay c , r ′e = ay c′

⇒ (r/r ′)e = y c−c′

1st attempt: rewrite as y = (r/r ′)e/(c−c′).But inversion of c − c ′ modulo φ(N) cannot be computed efficiently, as φ(N) isnot known. Moreover, inverse of c − c ′ modulo φ(N) need not even exist.

2nd attempt: gcd(e, c − c ′) = 1, since e is prime and c, c ′ ∈ Ze , c 6= c ′.Extended Euclidean algorithm yields s, t ∈ Z satisfying se + t(c − c ′) = 1.Raise both sides to power t:

(r/r ′)te = y t(c−c′) = y 1−se

⇒ y = (y s(r/r ′)t)e

Private key x ←N y s(r/r ′)t thus known to prover.

121/210





Identity-Based Identification Scheme

Remark 4.3Prover does not need to know factorization of N.Therefore, users may share same modulus N.

Identity-based identification scheme: public keys determined by users’ identities.

Set user A’s public key as yA = H(IDA), where IDA may consist of user’s nameand/or email address.

Trusted third party T required to compute private key of each user.Only T needs to know factorization of N: to compute user A’s private key asxA = H(IDA)1/e mod N.

Advantage: public keys need not be certified by a digital signature from T .Disadvantage: T knows private key of every user; problem may be alleviated bydistributing role of T between many parties, using threshold cryptography.

122/210




4.6.1 Okamoto Protocol

Witness Hiding vs Zero-Knowledge

Schnorr’s identification protocol:1 iteration with c ∈R Zn: efficient, but only honest-verifier zero-knowledgek iterations with c ∈R {0, 1}: zero-knowledge, but not efficient

Witness hiding protocols: strike a balance between security and efficiency.

Identification protocol is witness hiding if cheating verifier is not able to obtainthe complete prover’s private key.

Witness hiding protocol is not necessarily zero-knowledge:cheating verifier may be able to extract some partial information on private key,but not sufficient for successful impersonation of the prover.

123/210





Private key (x1, x2) satisfies h = g x11 gx2

2 for public key h.

Figure 4.5 (Okamoto’s identification protocol)

Prover Verifier(h = gx1

1 gx22 )

u1, u2 ∈R Zn

a← gu11 gu2

2 −−−−−−a−−−−−−→

c ∈R Zn

←−−−−−−c−−−−−−

r1 ←n u1 + cx1

r2 ←n u2 + cx2 −−−−r1, r2−−−−−−−→

g r11 g r2

2?= ahc

Assume logg1 g2 not known to anybody (cf. Pedersen commitments).Okamoto’s protocol is witness hiding:

cheating verifier V∗ cannot find “witness” (x1, x2).

Note: not excluded that V∗ can find partial information on (x1, x2) !

124/210





Witness Indistinguishability

Px1,x2 V∗

x

h

Px′1,x′2 V∗

x ′

h

V∗ cannot distinguish between protocol with Px1,x2 and protocol with Px′1,x′2

⇒ protocol is witness indistinguishable

125/210





Witness Indistinguishability of Okamoto’s ProtocolConsider conversation (a; c; r1, r2) between Px1,x2 and V∗, where a = gu1

1 gu22 .

Let (x ′1, x ′2) be any witness satisfying h = gx′11 gx′2

2 .Then unique u′1, u′2 exist that yield same conversation (a; c; r1, r2) for Px′1,x

′2:

u′1, u′2 ←n u1 + c(x1 − x ′1), u2 + c(x2 − x ′2)

Indeed:

a′ = gu′11 gu′2

2 = gu11 gu2

2 (g x11 gx2

2 )c/(g x′11 gx′2

2 )c = ar ′1 = u′1 + cx ′1 = u1 + c(x1 − x ′1) + cx ′1 = r1

r ′2 = u′2 + cx ′2 = u2 + c(x2 − x ′2) + cx ′2 = r2

Perfect witness indistinguishability as conversations with Px1,x2 and conversationswith Px′1,x

′2

are distributed identically:

{(a; c; r1, r2) : u1, u2 ∈R Zn; a← gu11 gu2

2 ; c ← V∗(a); r1, r2 ←n u1 + cx1, u2 + cx2}

{(a; c; r1, r2) : u′1, u′2 ∈R Zn; a← gu′11 gu′2

2 ; c ← V∗(a); r1, r2 ←n u′1 + cx ′1, u′2 + cx ′2}

126/210





Witness Hidingness of Okamoto’s Protocol

Proposition (Okamoto’s protocol is witness hiding)Under DL assumption, no p.p.t. verifier is able to extract a prover’s private key.

Proof.Suppose V∗ finds (x ′1, x ′2) by running protocol with Px1,x2 .Witness indistinguishability implies Pr[(x ′1, x ′2) = (x1, x2)] = 1/n.

Define p.p.t. algorithm E as Px1,x2 and V∗ combined: Px1,x2 V∗x

h

Then E computes with probability 1− 1n two pairs (x1, x2) 6= (x ′1, x ′2) satisfying

h = gx11 gx2

2 , h = g x′11 gx′2

2 .

But this implies: g2 = g (x′1−x1)/(x′2−x2)1 , hence E computes logg1 g2, in

contradiction with DL assumption.

127/210





Witness Hidingness of Okamoto’s Protocol

Px1,0 V∗x1

hP0,x2 V∗

x2

h

V∗ cannot distinguish between protocol with Px1,0 and protocol with P0,x2

⇒ protocol is witness indistinguishable

Remark 4.4There are n possible witnesses (x1, x2) for a given public key h = g x1

1 gx22 in

Okamoto’s protocol. Interestingly, the protocol remains witness hiding even if thenumber of possible witnesses used by P is limited to just two. E.g., if either x1 = 0or x2 = 0 (hence either h = gx1

1 or h = gx22 ), the same analysis applies, except that

the probability for two different witnesses is now bounded below by 1/2.

128/210


5.1 Σ-Protocols5.2 Composition of Σ-Protocols5.3 Miscellaneous Constructions

5.4 Noninteractive Σ-Proofs

Zero-Knowledge Proofs for NP-Statements

Schnorr identification protocol is zero-knowledge proof for statement

“I know private key x for public key h = g x ”

Corresponding relation: R = {(h; x) : h = gx} ⊆ 〈g〉 × Zn

NP-statement: “I know witness w satisfying (v ; w) ∈ R”

R = {(v ; w)} ⊆ V ×W : easy to check binary relationv ∈ V : common input to prover and verifierw ∈W s.t. (v ; w) ∈ R: witness, private input to prover

LR = {v ∈ V : ∃w∈W (v ; w) ∈ R}: NP-language corresponding to relation R

129/210




Σ-Protocols

Σ-protocol well-chosen abstraction of many protocols incl. identificationprotocols by Schnorr, Guillou-Quisquater, Okamoto.

Many variations of Σ-protocols exists in today’s literature.

Not to mention this one:

https://en.wikipedia.org/wiki/The_Sigma_Protocol

130/210




Figure 5.1 (Σ-protocol for relation R (p.p.t. algorithms α, ρ, p.t. predicate ϕ))

Prover P Verifier V((v ; w) ∈ R, random tape uP) (v ∈ V )

a← α(v ; w ; uP) −announcement a−−−−−−−−−−−−−→

←−−−challenge c−−−−−−−−−−− c ∈R C

r ← ρ(v ; w ; c; uP) −−−response r−−−−−−−−−−→ ϕ(v ; a; c; r)?

Definition 5.1Σ-protocol for relation R is a protocol of the above form satisfying:Completeness. If P and V follow the protocol, then V always accepts.Special soundness. Efficient extractor E : given v ∈ V and acceptingconversations (a; c; r) and (a; c ′; r ′), c 6= c ′, output witness w with (v ; w) ∈ R.Special honest-verifier zero-knowledge. Efficient simulator S: given v ∈ LR andchallenge c, output conversations (a; c; r) with same probability distribution asconversations between honest P and V on common input v and challenge c, whereP uses any witness w with (v ; w) ∈ R.For v ∈ V \LR , S outputs arbitrary accepting conversations with challenge c.

131/210




Plain vs Special Honest Verifier Zero-Knowledge

plain honest-verifier zero-knowledge:no input c for simulator Ssimulator is free to output conversation with any challenge c

special honest-verifier zero-knowledge:input c for simulator Ssimulator must output conversation for challenge c

special honest-verifier zero-knowledge ⇒ plain honest-verifier zero-knowledge

But special honest-verifier zero-knowledge is not much stronger.

132/210




From Plain to Special Honest Verifier Zero-Knowledge

Without loss of generality, let (C ,+) be an additive finite group.

Figure 5.2 (Transformed Σ-protocol for relation R)

Prover P Verifier V((v ; w) ∈ R, random tape uP) (v ∈ V )

a← α(v ; w ; uP)cP ∈R C −−−−

a, cP−−−−−−−→

←−−−−−cV−−−−−− cV ∈R C

r ← ρ(v ; w ; cP + cV ; uP) −−−−−−r−−−−−−→ ϕ(v ; a; cP + cV ; r)?

Proposition 5.2The transformed protocol in Figure 5.2 is a Σ-protocol for relation R, providedthat the original protocol as given in Figure 5.1 satisfies completeness, specialsoundness, and plain honest-verifier zero-knowledgeness.

133/210




Proposition 5.3 (Schnorr’s protocol)The protocol in Figure 4.3 is a Σ-protocol for relation {(h; x) : h = g x}.

Proof.Completeness. g r = gu+cx = gu(gx )c = ahc .Special soundness. For accepting (a; c; r), (a; c ′; r ′), c 6= c ′:

g r = ahc , g r′ = ahc′ ⇒ g r−r′ = hc−c′ ⇔ h = gr−r′c−c′ .

Witness x extracted as x ←n (r − r ′)/(c − c ′) satisfies h = gx .Special honest-verifier zero-knowledgeness. For challenge c, distributions forconversations with honest verifier and simulated conversations are resp.:

{(a; c; r) : u ∈R Zn; a← gu; r ←n u + cx},{(a; c; r) : r ∈R Zn; a← g r h−c}.

Identical distributions: each conversation occurs with probability 1/n.

134/210




Figure 5.3 (Insecure variant of Schnorr’s protocol)


u ∈R Z∗na← gu

−−−−−−a−−−−−−→

c ∈R Zn

←−−−−−−c−−−−−−

r ←n cu + x−−−−−−

r−−−−−−→

g r ?= ac h

Exercise 5.1.1To see that honest-verifier zero-knowledge does not imply zero-knowledge againstarbitrarily cheating verifiers, consider the protocol in Figure 5.3. Show that theprotocol is complete, special sound, and honest-verifier zero-knowledge. Also,show that the protocol is completely insecure against a cheating verifier.

135/210




Exercise 5.1.2The protocol in Figure 5.3 avoids the value u = 0, but this is not essential. Showthat the protocol remains complete, special sound, and honest-verifierzero-knowledge (and insecure against a cheating verifier) if one uses u ∈R Zninstead of u ∈R Z∗n , by exhibiting a slightly more involved simulation.

Remark 5.4By applying the transformation of Proposition 5.2 to the protocol in Figure 5.3, weobtain a Σ-protocol which is completely insecure against a cheating verifier.

136/210




5.2.1 Parallel Composition5.2.2 AND-Composition5.2.3 EQ-Composition5.2.4 OR-Composition5.2.5 NEQ-Composition

Five Forms of Composition

Parallel composition maintains Σ-protocol propertiesAND-composition prove knowledge of two witnessesEQ-composition prove equality of witnessesOR-composition prove knowledge of 1-out-of-2 witnesses, not revealing whichNEQ-composition prove inequality of witnesses

All illustrated for Schnorr’s Σ-protocol.

137/210





Figure 5.4 (Parallel composition of Schnorr’s protocol)

Prover Verifier(x = logg h)u1, u2 ∈R Zn

a1 ← gu1

a2 ← gu2−−−−

a1, a2−−−−−−−→

c1, c2 ∈R Zn

←−−−−c1, c2−−−−−−−

r1 ←n u1 + c1xr2 ←n u2 + c2x −−−−

r1, r2−−−−−−−→

g r1 ?= a1hc1

g r2 ?= a2hc2

138/210





Proposition 5.5 (Parallel composition)The protocol in Figure 5.4 is a Σ-protocol for relation

{(h; x) : h = gx}

Proof.Special honest-verifier zero-knowledgeness. Given challenge (c1, c2), distribu-tions of real conversations and simulated conversations are:

{(a1, a2; c1, c2; r1, r2) : u1, u2 ∈R Zn; a1 ← gu1 ; a2 ← gu2 ;r1 ←n u1 + c1x ; r2 ←n u2 + c2x}

{(a1, a2; c1, c2; r1, r2) : r1, r2 ∈R Zn; a1 ← g r1 h−c1 ; a2 ← g r2 h−c2}

Identical distributions: each conversation occurs with probability 1/n2.

139/210





AND-CompositionGiven Σ-protocols for relations R1 and R2, construct Σ-protocol for relation:

R1 ∧ R2 := {(v1, v2; w1,w2) : (v1; w1) ∈ R1, (v2; w2) ∈ R2}

So, run Σ-protocols for relations R1 and R2 in parallel?

Fails! See Exercise 5.2.1.

Run Σ-protocols for relations R1 and R2 in parallel, using common challenge c.

140/210





Figure 5.5 (AND-composition of Schnorr’s protocol)

Prover Verifier(x1 = logg h1, x2 = logg h2)

u1, u2 ∈R Zna1 ← gu1

a2 ← gu2−−−−

a1, a2−−−−−−−→

c ∈R Zn

←−−−−−−c−−−−−−

r1 ←n u1 + cx1

r2 ←n u2 + cx2 −−−−r1, r2−−−−−−−→

g r1 ?= a1hc1

g r2 ?= a2hc2

141/210





Proposition 5.6 (AND-composition)The protocol in Figure 5.5 is a Σ-protocol for relation

{(h1, h2; x1, x2) : h1 = gx1 , h2 = g x2}.

Proof.Special honest-verifier zero-knowledgeness. Given challenge c, distribution ofreal conversations and simulated conversations are:

{(a1, a2; c; r1, r2) : u1, u2 ∈R Zn; a1 ← gu1 ; a2 ← gu2 ;r1 ←n u1 + cx1; r2 ←n u2 + cx2}

{(a1, a2; c; r1, r2) : r1, r2 ∈R Zn; a1 ← g r1 h−c1 ; a2 ← g r2 h−c

2 }

Identical distributions: each conversation occurs with probability 1/n2.

142/210





Exercise

Exercise 5.2.1By considering the special soundness property, explain why running the SchnorrΣ-protocol (see Figure 4.3) in parallel for h1 and h2 does not yield a Σ-protocol forrelation {(h1, h2; x1, x2) : h1 = gx1 , h2 = gx2}. Hint: consider a prover who knowsx1 = logg h1 but does not know x2 = logg h2.

143/210





Figure 5.6 (Alternative to AND-composition of Schnorr’s protocol?)

Prover Verifier(x1 = logg h1, x2 = logg h2)

u ∈R Zn

a← gu−−−−−−

a−−−−−−→

←−−−−−−c−−−−−− c ∈R Zn

r ←n u + cx1 + c2x2 −−−−−−r−−−−−−→ g r ?= ahc

1hc22

Exercise 5.2.2Consider the protocol in Figure 5.6 for relation {(h1, h2; x1, x2) : h1=g x1 , h2=gx2}.(i) Show that the protocol is complete and special honest-verifier zero-knowledge.(ii) Why does special soundness not hold for this protocol? Hint: consider proverwho knows x1 = logg h1 but does not know x2 = logg h2. (iii) Show that soundnessholds in this sense: for any (h1, h2) ∈ 〈g〉 × 〈g〉, given three acceptingconversations (a; c; r), (a; c ′; r ′), (a; c ′′; r ′′) with c 6= c ′, c 6= c ′′, c ′ 6= c ′′ one canefficiently compute witness (x1, x2) satisfying h1 = g x1 and h2 = gx2 .

144/210





EQ-CompositionGiven Σ-protocol for relation R, construct Σ-protocol for relation:

{(v1, v2; w) : (v1; w) ∈ R, (v2; w) ∈ R}

Special case of AND-composition, with common witness w for v1 and v2.

Use AND-composition, but prover uses same random tape uP (see Figure 5.1) inboth cases.

Run two instances of Σ-protocol for R in parallel, usingcommon randomness uP , common challenge c and common response r .

145/210





Figure 5.7 (EQ-composition of Schnorr’s protocol)

Prover Verifier(x = logg1 h1 = logg2 h2)

u ∈R Zna1 ← gu

1

a2 ← gu2 −−−−

a1, a2−−−−−−−→

c ∈R Zn

←−−−−−−c−−−−−−

r ←n u + cx−−−−−−

r−−−−−−→

g r1

?= a1hc1

g r2

?= a2hc2

146/210





Proposition 5.7 (EQ-composition)The protocol in Figure 5.7 is a Σ-protocol for relation

{(g1, h1, g2, h2; x) : h1 = gx1 , h2 = g x

2 }.

Proof.Special honest-verifier zero-knowledgeness. Given challenge c, distribution ofreal conversations and simulated conversations are:

{(a1, a2; c; r) : u ∈R Zn; a1 ← gu1 ; a2 ← gu

2 ; r ←n u + cx}{(a1, a2; c; r) : r ∈R Zn; a1 ← g r

1 h−c1 ; a2 ← g r

2 h−c2 }

Identical distributions provided logg1 h1 = logg2 h2, cf. Definition 5.1; furthermore,if logg1 h1 6= logg2 h2, simulated conversations are accepting, as required.

147/210





OR-CompositionGiven Σ-protocols for relations R1 and R2, construct Σ-protocol for relation:

R1 ∨ R2 = {(v1, v2; w1,w2) : (v1; w1) ∈ R1 ∨ (v2; w2) ∈ R2}

Suppose prover knows w1 with (v1; w1) ∈ R1 (but no w2 with (v2; w2) ∈ R2).

Prover can run Σ-protocol for R1 but not for R2.

Verifier lets prover “cheat” by allowing prover to use simulation for R2.

Prover allowed to split challenge c into “challenges” c1, c2 satisfying c1 + c2 = c.

148/210





Figure 5.8 (OR-composition of Schnorr’s protocol)

Prover Verifier

(using x1 = logg h1) (using x2 = logg h2)c2, r2, u1 ∈R Zn c1, r1, u2 ∈R Zn

a1 ← gu1 a1 ← g r1 h−c11

a2 ← g r2 h−c22 a2 ← gu2

−−−a1, a2−−−−−−→

c ∈R Zn

←−−−−c−−−−

c1 ←n c−c2 c2 ←n c−c1

r1 ←n u1 + c1x1 r2 ←n u2 + c2x2 −c1, c2, r1, r2−−−−−−−−−→ c1 + c2

?=n cg r1 ?= a1hc1

1

g r2 ?= a2hc22

149/210





Proposition 5.8 (OR-composition)The protocol in Figure 5.8 is a Σ-protocol for relation

{(h1, h2; x1, x2) : h1 = g x1 ∨ h2 = gx2}.

Proof.Special soundness. Given accepting conversations (a1, a2; c; c1, c2, r1, r2) and(a1, a2; c ′; c ′1, c ′2, r ′1, r ′2), c 6= c ′. Then c = c1 + c2 6= c ′1 + c ′2 = c ′ implies c1 6= c ′1and/or c2 6= c ′2.

g r1 = a1hc11 , g r2 = a2hc2

2 , g r′1 = a1hc′11 , g r′2 = a2hc′2

2

⇒ g r1−r′1 = hc1−c′11 , g r2−r′2 = hc2−c′2

2

If c1 6= c ′1, set x1 ←n (r1 − r ′1)/(c1 − c ′1);otherwise c2 6= c ′2, and set x2 ←n (r2 − r ′2)/(c2 − c ′2).Witness (x1, x2) satisfies h1 = g x1 ∨ h2 = g x2 .

150/210





Remark (Witness indistinguishability of OR-composition)Real conversations in case prover uses x1:

{(a1, a2; c; c1, c2, r1, r2) : u1, c2, r2 ∈R Zn; a1 ← gu1 ; a2 ← g r2 h−c22 ;

c1 ←n c − c2; r1 ←n u1 + c1x1}

Real conversations in case prover uses x2:

{(a1, a2; c; c1, c2, r1, r2) : u2, c1, r1 ∈R Zn; a1 ← g r1 h−c11 ; a2 ← gu2 ;

c2 ←n c − c1; r2 ←n u2 + c2x2}

Identical distributions (both identical to distribution of simulated conversations).Protocol is witness indistinguishable (also witness hiding under DL assumption).

Exercise 5.2.3 (OR-composition slightly optimized)See Figure 5.8. The prover may omit sending c2, in which case the verifier mustreplace test c1 + c2

?=n c by assignment c2 ←n c − c1. (Thus, prover always omitssending c2 independent of whether it knows x1 and/or x2.) Prove that theresulting protocol is a Σ-protocol for the same relation as before.

151/210





NEQ-CompositionGiven Σ-protocol for relation R, construct Σ-protocol for relation:

{(v1, v2; w1,w2) : (v1; w1) ∈ R, (v2; w2) ∈ R,w1 6= w2}

AND-composition proves knowledge of w1 and w2. How to prove w1 6= w2?

For Schnorr’s protocol, with public keys g1, h1 and g2, h2,use AND-composition to prove knowledge of x1 = logg1 h1 and x2 = logg2 h2.

Since x1 6= x2, multiplicative inverse of x1 − x2 modulo n is defined. Hence,

h1h2 = gx11 g x2

2 = (g1g2)x1 g x2−x12

impliesg2 = (g1g2)x1/(x1−x2)(h1h2)1/(x2−x1). (5.1)

Use instance of Okamoto’s protocol with public key g2, generators g1g2 and h1h2,witnesses x1/(x1 − x2) and 1/(x2 − x1).

152/210





Figure 5.9 (NEQ-composition of Schnorr’s protocol)

Prover Verifier(x1 = logg1 h1, x2 = logg2 h2)

u1, u2, u3, u4 ∈R Zna1 ← gu1

1a2 ← gu2

2a3 ← (g1g2)u3 (h1h2)u4

−−−a1, a2, a3−−−−−−−−−→

c ∈R Zn

←−−−−−−c−−−−−−

r1 ←n u1 + cx1r2 ←n u2 + cx2

r3 ←n u3 + cx1/(x1 − x2)r4 ←n u4 + c/(x2 − x1) −−

r1, r2, r3, r4−−−−−−−−−→ g r1

1?= a1hc

1

g r22

?= a2hc2

(g1g2)r3 (h1h2)r4 ?= a3g c2

153/210





Proposition 5.9 (NEQ-composition)The protocol in Figure 5.9 is a Σ-protocol for relation

{(g1, h1, g2, h2; x1, x2) : h1 = gx11 , h2 = gx2

2 , x1 6= x2},

assuming logg1 g2 is unknown.

Proof.Special soundness. Given (a1, a2, a3; c; r1, r2, r3, r4), (a1, a2, a3; c ′; r ′1, r ′2, r ′3, r ′4) bothaccepting, c 6= c ′. As for AND-composition, witness (x1, x2) is extracted as x1 ←n(r ′1 − r1)/(c ′ − c) and x2 ←n (r ′2 − r2)/(c ′ − c).Moreover,

g2 = (g1g2)(r3−r′3 )/(c−c′)(h1h2)(r4−r′4 )/(c−c′).

Suppose x1 = x2. Then g2 = (g1g2)α for known α 6= 0, 1 (as g1, g2 6= 1), henceg2 = gα/(1−α)

1 , contradicting that logg1 g2 is unknown. Therefore x1 6= x2.

154/210




Example 5.10Σ-protocol needed for relation R:

R = {(A,B; x , y , z) : A = gx hy ∧ B = gxy h(1−x)z ∧ x ∈ {0, 1}}.

Distinguish cases x = 0 and x = 1 for given (A,B; x , y , z) ∈ R.If x = 0, then A = hy ∧ B = hz ; if x = 1, then A = ghy ∧ B = gy .For relation R, apply OR-composition to:

R0 = {(A,B; y , z) : A = hy ∧ B = hz},R1 = {(A,B; y) : A = ghy ∧ B = gy}.

For relation R0, apply AND-composition to:

R0A = {(A; y) : A = hy}, R0B = {(B; z) : B = hz}.

For relation R1, apply EQ-composition to:

R1A = {(A; y) : A/g = hy}, R1B = {(B; y) : B = g y}.

R0A, R0B , R1A, R1B are instances of (slight variations of) Schnorr’s protocol.

155/210




Figure 5.10 (Σ-protocol for {(A,B; x ,y ,z):A=gx hy ∧ B=gxy h(1−x)z ∧ x∈{0, 1}})

Prover Verifier(case x = 0) (case x = 1)u0A, u0B ∈R Zn u1 ∈R Zna0A ← hu0A a1A ← hu1

a0B ← hu0B a1B ← gu1

c1, r1 ∈R Zn c0, r0A, r0B ∈R Zna1A ← hr1 (A/g)−c1 a0A ← hr0A A−c0

a1B ← g r1 B−c1 a0B ← hr0B B−c0−a0A, a0B , a1A, a1B−−−−−−−−−−−−−→

c0 ←n c − c1 c1 ←n c − c0 ←−−−−−−c−−−−−− c ∈R Zn

r0A ←n u0A + c0y r1 ←n u1 + c1yr0B ←n u0B + c0z −

c0, c1, r0A, r0B , r1−−−−−−−−−−−−→ c0 + c1

?=n chr0A ?= a0AAc0

hr0B ?= a0BBc0

hr1 ?= a1A(A/g)c1

g r1 ?= a1BBc1

156/210




Exercises

Exercise 5.3.1Prove that the protocol of Figure 5.10 is a Σ-protocol for relation R, as defined inExample 5.10.

157/210




Exercise 5.3.2 (logg h unknown to anyone)Design (and prove so!) Σ-protocol for {(B; x , y) : B = g x hy , ψ(x , y)}, where:

(a) ψ(x , y) ≡ true;(b) ψ(x , y) ≡ x = y;(c) ψ(x , y) ≡ αx + βy = γ for given α ∈ Z∗n , β, γ ∈ Zn;(d) ψ(x , y) ≡ x ∈ {0, 1};(e) ψ(x , y) ≡ x ∈ {0, 1, . . . , 2` − 1}, fixed integer `, 1 ≤ ` ≤ blog2 nc;(f) ψ(x , y) ≡ x 6= 0;(g) ψ(x , y) ≡ x 6= y;(h) ψ(x , y) ≡ αx + βy 6= γ for given α ∈ Z∗n , β, γ ∈ Zn;(i) ψ(x , y) ≡ xy = 1;(j) ψ(x , y) ≡ ∃χ∈Zn x = χ2;(k) ψ(x , y) ≡ x2 = y2.

Hints: (a) use Okamoto’s protocol; (b) eliminate variable y using x = y; (c) eliminate variable x using given equation; (d) use OR-composition

cf. Example 5.10; (e) consider binary representation of x and use ` instances of protocol of part (d); (f) use instance of Okamoto’s protocol by

isolating g in equation B = gx hy , cf. Eq. (5.1); (g) and (h) are generalizations of part (f); (i) isolate g in equation for By and use

EQ-composition with equation for B; (j) use AND-composition and EQ-composition; (k) eliminate one variable and use OR-composition.

158/210




Figure 5.11 (Alternative to Okamoto’s protocol?)

Prover Verifier(h = g x1

1 gx22 )

u1, u2 ∈R Zn

a1 ← gu11 ; a2 ← gu2

2 −−−−a1, a2−−−−−−−→

r1 ←n u1 + cx1 ←−−−−−−c−−−−−− c ∈R Zn

r2 ←n u2 + cx2 −−−−r1, r2−−−−−−−→ g r1

1 g r22

?= a1a2hc

Exercise 5.3.3See Figure 4.5. Is Figure 5.11 a Σ-protocol for {(h; x1, x2) : h = g x1

1 gx22 }?

Exercise 5.3.4 (logg h unknown to anyone)

Design Σ-protocols (and prove correctness) for relations:(a) {(A,B; x , y , z) : A = gx hy ,B = g1/x hz , x 6= 0};(b) {(A1,A2,B; x1, x2, y1, y2, z) : A1 = gx1 hy1 ,A2 = gx2 hy2 ,B = g x1x2 hz}.

159/210





For Boolean variables v1, . . . , v`, consider instance of 3SAT problem, given byBoolean formula Φ consisting of m clauses, which each consist of 3 literals:

Φ = (l1,1 ∨ l1,2 ∨ l1,3) ∧ · · · ∧ (lm,1 ∨ lm,2 ∨ lm,3).

Each literal is of the form li,j = vk or li,j = v k = 1− vk (negation of vk ),1 ≤ k ≤ `. Construct a Σ-protocol (incl. correctness proof) for relation:

R ′3SAT = {(Φ,B1, . . . ,B`; x1, y1, . . . , x`, y`) : Φ(x1, . . . , x`),∀`k=1Bk = gxk hyk , xk ∈ {0, 1} }.

Exercise 5.3.6 (see previous exercise)Σ-protocol for R ′3SAT actually proves knowledge of witnesses to open thecommitments B1, . . . ,B`. Construct a more efficient way for proving that Φ issatisfiable, by considering instead relation:

R3SAT = {(Φ; x1, . . . , x`) : Φ(x1, . . . , x`)}.

160/210





Design two alternative Σ-protocols (and prove correctness) for relation

Rneq0 = {(A,B; x , y , z) : A = g x hy ,B = gxn−1hz}.

(i) By applying OR-composition distinguishing cases x = 0 and x 6= 0 for the firstprotocol.(ii) By applying an appropriate form of EQ-composition for exponent x for thesecond protocol (not using OR-composition at all).The Σ-protocols you are looking for both have announcements consisting of four〈g〉-elements each, but the response for (i) will comprise six Zn-elements (usingthe optimization of Exercise 5.2.3), whereas (ii) can be done with a responsecomprising four Zn-elements only.

161/210




5.4.1 Digital Signatures from Σ-Protocols5.4.2 Proofs of Validity5.4.3 Group Signatures

Schnorr SignaturesCryptographic hash function H.

Fiat-Shamir heuristicTransform identification scheme into digital signature scheme by “computingchallenge as hash of prover’s announcement and message to be signed.”

For Schnorr’s protocol (Figure 4.3): put c ← H(a; M).

Example (Schnorr signature scheme)Key generation. Key pair (h; x) with private key x ∈R Zn, public key h← g x .Signature generation. On input of message M, private key x , set

u ∈R Zn; a← gu; c ← H(a; M); r ←n u + cx .

Signature on M is pair (c, r).Signature verification. On input of message M, pair (c, r), public key h, accept

(c, r) as signature on M iff c = H(g r h−c ; M).

Schnorr signatures secure in random oracle model: challenge c is unpredictable.

162/210





Figure 5.12 (Parametrized insecure variant of Schnorr’s protocol)

Prover Verifieru ∈R Z∗n ; a← gu

−−−−−−a−−−−−−→

←−−−−−−c−−−−−− c ∈R Zn

r ←n (c − F (a))u + x −−−−−−r−−−−−−→ g r ?= ac−F (a)h

Exercise 5.4.1To see that Fiat-Shamir heuristic does not necessarily lead to secure signatureschemes, consider the protocol in Figure 5.12. Function F : 〈g〉 → Zn can be yourfavorite hash function; for simplicity assumed that F maps into Zn. Note thatfunction F (w) = 0 for w ∈ 〈g〉 yields the protocol of Exercise 5.1.1.

(i) Show that the protocol is complete, special sound, and honest-verifierzero-knowledge (for any function F : 〈g〉 → Zn).

(ii) What happens if we generate the challenge as c ← F (a) to obtain anoninteractive version of the protocol? That is, what happens if weinstantiate the random oracle with H = F .

163/210





Proofs of Validity

Fiat-Shamir heuristic can be applied to any Σ-protocol.Result: noninteractive Σ-proof.

Definition 5.11Let H be a cryptographic hash function. For any Σ-protocol as in Figure 5.1, a(noninteractive) Σ-proof for relation R is defined in terms of two algorithms.Proof generation. Given (v ; w) ∈ R, a Σ-proof is a pair (a; r), where

a = α(v ; w ; uP) and r = ρ(v ; w ; H(a; v); uP).Proof verification. For v ∈ V , (a; r) is accepted as Σ-proof if and only if

ϕ(v ; a; H(a; v); r) holds.

Σ-proof consists of announcement a and response r .

Typically, size of Σ-proof reduced by replacing announcement a by challenge c.

164/210





Example 5.12 (Proof of validity)Turn solution to Exercise 5.3.2(d) into Σ-proof.Let B = gx hy where x ∈ {0, 1}, y ∈ Zn is prover’s witness. Write x = 1− x .Proof generation. ux , rx , cx ∈R Zn; ax ← hux ; ax ← hrx (B/gx )−cx ;

c ← H(a0, a1; B); cx ←n c − cx ; rx ←n ux + cx y .Output (c0, c1, r0, r1) as proof.

Proof verification. On input of proof (c0, c1, r0, r1) for commitment B, acceptproof iff c0 + c1 =n H(hr0 B−c0 , hr1 (B/g)−c1 ; B).

B needed in input to H to fix “context”: otherwise proofs can be forged!

Exercise 5.4.2Show how to forge a Σ-proof (c0, c1, r0, r1) for a commitment B if proofverification is changed into c0 + c1 =n H(hr0 B−c0 , hr1 (B/g)−c1 ) by making asuitable choice for B. Hint: B can be set after c = H(a0, a1) is computed.

165/210





Anonymous Signatures: Group Signatures

P0P1

P2

...

Pm

Group manager: P0Group members: P1, . . . ,Pm

Any group member Pi can signon behalf of the group.Actual signer remainsanonymous.Anonymity is revocable: groupmanager can prove which groupmember produced a givensignature.

Group public key: hParty Pi ’s private key: xi

166/210





Definition 5.13 (Group signature scheme)Four components, involving group manager P0, group members P1, . . . ,Pm.Key generation. Protocol between P0,P1, . . . ,Pm for generating public key h for

the group, private key x0 for group manager P0 and private key xifor each group member Pi , 1 ≤ i ≤ m.

Signature generation. Algorithm that on input of message M, public key h of thegroup, private key xi of group member Pi , outputs signature S.

Signature verification. Algorithm that on input of message M, public key h of thegroup, signature S, tests if S is valid group signature on M w.r.t.public key h.

Signature opening. Algorithm that on input of message M, public key h of thegroup, valid signature S, private key x0 of group manager, outputsidentity of group member who generated S.

167/210





Simple Construction

Party Pi holds a discrete log key pair (hi ; xi ) with hi = gxi .

To sign a message, apply the Fiat-Shamir heuristic to Σ-protocol for provingknowledge of 1-out-of-m private keys x1, . . . , xm.

Exercise 5.4.3Construct Σ-protocol for relation

Rm = {(h1, . . . , hm; x) : ∃mi=1hi = gx}

by generalizing OR-composition, and show it is indeed a Σ-protocol.

For revocability, include an encryption of the actual key pair used.

168/210





Example (ElGamal-based group signatures)Pi includes ElGamal encryption of hi under P0’s public key in group signature.Key generation. Each Pi picks private key xi ∈R Zn. Public key of group is

(h0, h1, . . . , hm) with hi = g xi .Signature generation. Group member Pi computes (A,B) = (gu, hu

0 hi ) withu ∈R Zn, and Σ-proof for R ′m showing (A,B) encrypts one ofh1, . . . , hm for which Pi knows private key:

R ′m = {(A,B, h0, h1, . . . , hm; u, x) : A = gu,B = hu0 g x ,∃m

i=1hi = gx}.

Signature verification. Σ-proof contained in group signature is verified.Signature opening. Group manager P0 decrypts ElGamal encryption (A,B)

contained in group signature and proves validity: P0 outputsd = Ax0 and Σ-proof for x0 = logg h0 = logA d .Anyone may now compute B/d , which will match the public keyof the group member who produced the signature.

169/210





Exercise

Exercise 5.4.4Give a Σ-protocol for relation R ′m and prove its correctness, in each of thefollowing cases: (i) m = 1, (ii) m = 2, and (iii) arbitrary m ≥ 1.

170/210


6.1 Secret Sharing6.2 Verifiable Secret Sharing

6.3 Threshold Cryptosystems

5-Way Latch

1-out-of-5 threshold scheme

5 padlocks “in series”:

opening any 1 padlockwill open gate.

171/210




Threshold cryptography (group-oriented cryptography)Techniques to distribute cryptographic schemes between multiple parties.

Examples:Safe-deposit box requires use of two keys, one kept by the owner of the boxand one kept by the bank.Control of nuclear weapons in Russia involves a 2-out-of-3 accessmechanism, where the three parties are the President, the Defense Ministerand the Defense Ministry (Time Magazine, May 4, 1992, p.13).Distributing power to issue digital signatures (e.g., issuance of rootcertificates in public key infrastructures).

Group signature ≈ 1-out-of-m threshold signature.

Distributing power to decrypt messages (key escrow, key recovery).Electronic voting: distributing power to decrypt votes.

172/210



6.3 Threshold Cryptosystems6.1.1 Shamir Threshold Scheme

Example 6.1 (See also Mathematica notebook d3.nb.)RSA cryptosystem, public exponent e = 3, modulus N = pq, gcd(e, φ(N)) = 1.Two persons split private key d = 1/e mod φ(N) into most-significant half andleast-significant half. How secure?Since 0 < d < φ(N), 3d = 1 + lφ(N) holds either for l = 1 or l = 2. Since p andq not divisible by 3, φ(N) 6≡ 2 (mod 3), hence l ≡ 2 (mod 3). Thus l = 2.Approximation d̂ =

⌊1+2(N−2

√N+1)

3

⌋for d = 1+2φ(N)

3 .

Approximation error: d̂ − d =⌊ 2

3 (p + q − 2√

N)⌋

. Since p + q > 2√

N (use(√p −√q)2 > 0):

0 ≤ d̂ − d <√

N,

as p and q of equal bit length.Thus, most-significant half of d matches most-significant half of d̂ .Person receiving least-significant half of d is able to construct all of d ’s bits!

https://www.win.tue.nl/~berry/CryptographicProtocols/d3.nb

173/210




Splitting the Bit

Breaking bit string into pieces not a secure way to share a secret.And, how do we “split the bit”?

Critical step: use additional randomness.

Splitting secret bit s ∈ {0, 1} into shares s1, s2 ∈ {0, 1}To split s into s1, s2: pick u ∈R {0, 1}, set s1 = s ⊕ u and s2 = u.To recover s from s1, s2: compute s1 ⊕ s2 = s ⊕ u ⊕ u = s.

Neither s1 nor s2 on its own reveals any information on s.

Exercise 6.1.1Suppose u is uniformly distributed. Show that s1 and s2 are also uniformlydistributed, irrespective of the distribution of s.

174/210




Visual Secret Sharing (Naor & Shamir, Eurocrypt 1994)

175/210




Definition 6.2 (Secret sharing scheme)Two protocols, involving dealer D and participants P1, . . . ,Pm.

Distribution. Protocol in which dealer D shares secret s such that eachparticipant Pi obtains share si , 1 ≤ i ≤ m.

Reconstruction. Protocol in which secret s is recovered by pooling shares si ,i ∈ Q, of any qualified set of participants Q ⊆ {P1, . . . ,Pm}.

Security requirements for secret sharing scheme:(i) any qualified set of participants can determine s by pooling their shares,(ii) any nonqualified set of participants cannot find any information on s when

pooling their shares.

176/210




Polynomials over Finite Field Zp

straight line (mod 97) parabola (mod 97)

Mathematically, same behavior as polynomials over R:Polynomial of degree d > 0 has at most d roots.Polynomial of degree d is uniquely determined by d + 1 points.

177/210




Threshold Secret Sharing Scheme

Participants P1, . . . ,Pm.Threshold t, 0 ≤ t < m.

(t,m)-threshold access structure:

Γ = {Q ⊆ {P1, . . . ,Pm} : |Q| > t}.

Also referred to as a t+1-out-of-m (threshold) access structure.

Perfect (t,m)-threshold secret sharing scheme:Any group of t + 1 participants is able to recover the secret.No group of t or less participants can do so:

t or less participants no information on the secret.

178/210




Shamir’s (t,m)-threshold schemeFor secret s ∈ Zp .

Distribution. Dealer picks random polynomial a(X) ∈R Zp[X ] of degree ≤ tsatisfying a(0) = s, and sends share si = a(i) to participant Pi , fori = 1, . . . ,m.

Reconstruction. Any set Q of t + 1 participants may recover secret s from theirshares by Lagrange interpolation:a

s =∑i∈Q

siλQ,i , with λQ,i =∏

j∈Q\{i}

jj − i .

aNote: i ∈ Q shorthand for Pi ∈ Q.

Example ((1, 5)-threshold scheme)Distribution. Let a(X) = s + uX with u ∈R Zp . Send share si = a(i) to Pi .

Reconstruction. Any pair Pi ,Pj recovers secret as s = (isj − jsi )/(i − j).

179/210




6.2.1 Feldman VSS6.2.2 Pedersen VSS

Secret sharing schemes resists passive attacks only.

Verifiable secret sharing (VSS)VSS scheme resists (combinations of) two types of active attacks:

Dealer sending incorrect shares to some/all participants during distribution.Participants submitting incorrect shares during reconstruction.

Shamir’s scheme is not a VSS scheme:During distribution, no guarantee shares si correspond to single polynomiala(X) of degree ≤ t.During reconstruction, no guarantee share si provided by Pi is correct.

Nothing prevents Pi from using s̃i ∈R Zp instead; reconstructed value s̃ will beuseless, and if only Pi is cheating, Pi finds value of s using the other t correctshares.

180/210





Discrete log setting 〈g〉.

Feldman’s (t,m)-threshold VSS schemeFor secret s ∈ Zn.

Distribution. Dealer chooses random polynomial (u0 = s):

a(X) = u0 + u1X + · · ·+ utX t , u1, . . . , ut ∈R Zn.

Dealer sends shares si = a(i) to Pi in private, for i = 1, . . . ,m,and broadcasts commitments Bj = guj , 0 ≤ j ≤ t. Upon receipt ofshare si , Pi checks:

g si =t∏

j=0

B i jj . (6.1)

Reconstruction. Share si contributed by Pi checked using Eq. (6.1). Secrets = a(0) recovered as in Shamir’s scheme from t + 1 valid shares.

Commitments Bj define unique polynomial with coefficients logg Bj .

181/210





Security of Feldman VSS

No more than t cheating participants, t < m/2.1. Dealer and participants bound to unique polynomial by Eq. (6.1).2. Secret s hidden even given B0 = g s ,B1 = gu1 , . . . ,Bt = gut .Reduction proof: given instance of DL problem h successful collusion ofparticipants P∗1 , . . . ,P∗t would compute logg h. As follows.Dealer sets B0 = h, s1, . . . , st ∈R Zn, and Bj for j = 1, . . . , t such that Eq. (6.1)holds for P∗1 , . . . ,P∗t , without knowing s = logg h:

Bj =t∏

k=1

(g sk /h)γj,k , (6.2)

where

(γj,k ) =

1 1 · · · 12 22 · · · 2t

......

...t t2 · · · tt

−1

Shares for Pt+1, . . . ,Pm are irrelevant.

182/210





Simulation View

D P∗1 , . . . ,P∗t

s

S P∗1 , . . . ,P∗t

P∗1 , . . . ,P∗t cannot distinguish between protocol with D and protocol with S⇒ protocol is “zero-knowledge” w.r.t. secret s

183/210





Exercises

Exercise 6.2.1Verify that Eq. (6.1) holds for 1 ≤ i ≤ t if B0 = h and Bj , 1 ≤ j ≤ t, are definedby (6.2).

Exercise 6.2.2The special case of an m-out-of-m threshold scheme for secrets s ∈ Zn can besolved simply by setting the shares as follows: choose si ∈R Zn for i = 2, . . . ,mand set s1 = (s −

∑mi=2 si ) mod n. Extend this basic secret sharing scheme to a

Feldman VSS scheme, and provide a security analysis of the resulting VSS scheme.

Note: m-out-of-m threshold scheme same as an (m − 1,m)-threshold scheme.

184/210





Discrete log setting 〈g〉, h ∈R 〈g〉 such that logg h not known.

Pedersen’s (t,m)-threshold VSS schemeFor secret s ∈ Zn.

Distribution. Dealer chooses random polynomials a(X), b(X) with u0 = s:

a(X) = u0 + u1X + · · ·+ utX t , u1, . . . , ut ∈R Znb(X) = v0 + v1X + · · ·+ vtX t , v0, . . . , vt ∈R Zn

Dealer sends shares si = (a(i), b(i)) to Pi in private, andbroadcasts commitments Cj = guj hvj , 0 ≤ j ≤ t.Upon receipt of si = (si1, si2), Pi checks:

g si1 hsi2 =t∏

j=0

C i jj . (6.3)

Reconstruction. Share si contributed by Pi checked using Eq. (6.3). Secrets = a(0) recovered as in Shamir’s scheme from t + 1 valid shares.

185/210





Security of Pedersen VSS

1. Dealer and participants bound to unique polynomial by Eq. (6.3).Under DL assumption!

Cf. Pedersen commitments are computationally binding.

2. Secret s hidden information-theoretically,even given commitments C0,C1, . . . ,Ct .

Cf. Pedersen commitments are information-theoretically hiding.

Exercise 6.2.3See Exercise 6.2.2. This time extend the basic m-out-of-m scheme, where sharessi1 ∈R Zn for i = 2, . . . ,m and s11 = (s −

∑mi=2 si1) mod n, to a Pedersen VSS

scheme, and provide a security analysis of the resulting VSS scheme.

186/210




Definition 6.3 ((t,m)-threshold cryptosystem)Three components involving parties P1, . . . ,Pm.Distributed key generation. Protocol between P1, . . . ,Pm for generating public key

h such that Pi obtains private share xi (of private key xcorresponding to h) and public verification key hi , 1 ≤ i ≤ m.The protocol depends on t.

Encryption. Algorithm that on input of plaintext M, public key h, outputsciphertext C of M under public key h.

Threshold decryption. Protocol between t + 1 parties Pi0 , . . . ,Pit that on input ofciphertext C , private shares xi0 , . . . , xit , verification keyshi0 , . . . , hit , outputs plaintext M.

Exercise 6.3.1See Section 2.1.4. Assuming honest behavior of parties P1, . . . ,Pm, design anm-out-of-m threshold ElGamal cryptosystem with public key h =

∏mi=1 hi , where

xi ∈ Zn is the private share of Pi and hi = gxi is the corresponding verification key,1 ≤ i ≤ m. Discuss its security against passive attacks.

187/210




Distributed key generation protocol1 Each Pi picks random polynomial ai (X) ∈ Zn[X ] of degree ≤ t, and

broadcasts commitment to g si , where si = ai (0).

2 Each Pi opens its commitment to g si . Public key h is set as h = g∑m

i=1si .

3 Each Pi , 1 ≤ i ≤ m, runs instance of Feldman’s VSS scheme, using si ∈ Zn assecret value. Pi plays the role of dealer, and P1, . . . ,Pm play the role ofparticipants. (Hence, Pi plays a double role.)

4 Let sij denote the share of si as sent by party Pi to party Pj , for 1 ≤ i , j ≤ m.Each party Pi sums all its received shares sji to obtain its share xi =

∑mj=1 sji

of the private key x . The verification key of party Pi is defined as hi = gxi .

Note that sji = aj (i). Since a(X) =∑m

i=1 ai (X), it follows that xi = a(i).

Nobody knows x !

188/210




Threshold decryption protocolLet C = (A,B) be an ElGamal ciphertext for public key h.

1 Each Pi takes A as input and uses its share xi to produce di = Axi along witha Σ-proof for xi = logg hi = logA di (using EQ-composition, cf. Figure 5.7).

2 Let Q be a set of t + 1 parties who produced valid di values. Then plaintextM can be recovered by evaluating:

B/∏i∈Q

dλQ,ii = B/Ax = M,

where λQ,i =∏

j∈Q\{i}j

j−i denote Lagrange coefficients as in Shamir’sscheme.

189/210


7.1 Electronic Voting7.2 Based on Threshold Homomorphic Cryptosystems


YES/NO referendum is secure multiparty computation for function

f (x1, . . . , xm) = x1 + · · ·+ xm, for votes x1, . . . , xm ∈ {0, 1}.

Inputs x1, . . . , xm are private.Output x1 + · · ·+ xm is public.

Security requirements:Eligibility: only eligible voters can cast vote, at most one vote.Privacy: assured against any reasonably sized coalition of parties (notincluding the voter herself).Universal Verifiability: anyone can check that the election is fair, i.e.,published final tally is computed fairly from ballots that were correctly cast.Robustness: faulty behavior (benign or malicious) of any reasonably sizedcoalition of participants can be tolerated (e.g., cheating voter can be detectedand discarded).

190/210




Threshold Homomorphic ElGamal Cryptosystem

Threshold ElGamal cryptosystem with Zn as plaintext space instead of 〈g〉.

Homomorphic ElGamal encryptionFor plaintext M ∈ Zn and public key h, ciphertext is defined as

(A,B) = (gu, hugM), u ∈R Zn.

In other words: M ∈ Zn is encoded as gM ∈ 〈g〉.

(Additive) homomorphic property

Product of encryptions (A,B), (A′,B′) of plaintexts M,M′, respectively, isencryption of sum of plaintexts M + M′:

(A,B) ∗ (A′,B′) = (AA′,BB′) = (gu+u′ , hu+u′gM+M′).

191/210




Electronic voting schemeKey generation. Talliers T1, . . . , Tm run DKG protocol of (t,m)-threshold ElGamal

cryptosystem. Let h denote resulting public key.Voting. Voter Vi casts vote vi ∈ {0, 1} ' {“no”, “yes”} by broadcasting a

ballot consisting of ElGamal encryption (Ai ,Bi ) = (gui , hui gvi ),ui ∈R Zn, and noninteractive Σ-proof that (Ai ,Bi ) is correctlyformed.

Tallying. Talliers decrypt (A,B) =∏m′

i=1(Ai ,Bi ) to obtain g∑m′

i=1vi , from

which∑m′

i=1 vi is easily determined using 0 ≤∑m′

i=1 vi ≤ m′.

If all (Ai ,Bi ) are correctly formed, homomorphic property yields

(A,B) = (gu, hug∑m′

i=1vi ) for some u ∈ Zn, ensuring validity of final tally.

Exercise 7.1.1Construct a Σ-protocol (and prove its correctness) for proving that (Ai ,Bi ) iscorrectly formed, and turn it into a Σ-proof (see Section 5.4.2 for a similar case).

192/210




Exercise 7.1.2 (boardroom election scheme)Voter Vi has a public key hi = gxi , where xi ∈R Zn is Vi ’s private key. LetHi = hm

∏i−1j=1 hj , for 1 ≤ i ≤ m.

First, voter Vm publishes the following encryption of its vote vm ∈ {0, 1}:

(Am,Bm) = (gum ,Humm g vm ), um ∈R Zn.

Next, for i = m − 1, . . . , 1 (in this order), voter Vi publishes the followingencryption of its vote vi ∈ {0, 1}:

(Ai ,Bi ) = (Ai+1gui ,Bi+1A−xii+1 Hui

i g vi ), ui ∈R Zn.

Finally, voter Vm publishes logg B1A−xm1 .

Let ti =∑m

j=i vj , for 1 ≤ i ≤ m. (i) Prove by induction on i that (Ai ,Bi ) isElGamal encryption of g ti under public key Hi . Hence, Vm publishes

∑mj=1 vj at

the end of the protocol. (ii) Show how Vm,V1, . . . ,Vi−1 for any i, 2 ≤ i ≤ m, arejointly able to decrypt (Ai ,Bi ), hence able to determine intermediate electionresult ti . (iii) Describe the relations to be proved in each protocol step to showthat the voter’s output is formed correctly.

193/210




Matching without Embarrassments

Alice’s rule separator Bob’s rule

for “yes” for “no” for “yes” for “no”Suppose Alice thinks “yes” separator Suppose Bob thinks “yes”

Alice and Bob make a random cut:

and open the cards ...

194/210




Five-Card Trick (Bert den Boer, Eurocrypt 1989)

MATCH

yes yesNO MATCH

yes no

no yes

no no“NO MATCH” cases are indistinguishable!If you put “no” you don’t find out the other’s preference.

195/210




Tom Verhoeff turned the 5-card trick into a wonderful 3D printable smiley design:

Check out TNO’s cool MPC animation demoing the 3D smiley!

Figure 7.1 (Matching without embarrassments)

x y xy0 0 01 0 00 1 01 1 1

∼=

Alice Bob match?no no -yes no -no yes -yes yes ♥

https://www.win.tue.nl/~wstomv/publications/liber-AMiCorum-arjeh-bijdrage-van-tom-verhoeff.pdf

https://www.win.tue.nl/~wstomv/publications/liber-AMiCorum-arjeh-bijdrage-van-tom-verhoeff.pdf

https://youtu.be/JnmESTrsQbg

196/210




A and B set up (1, 2)-threshold homomorphic ElGamal with public key h.

Secure multiplication: private inputs x , y , public output xy

Party A Party B(x ∈ {0, 1}) (y ∈ {0, 1})

u ∈R ZnA← gu

B ← hug x−−−−−−

(A,B)−−−−−−−−−−→ v ∈R Zn

C ← g v Ay

←−−−−−−(C ,D)−−−−−−−−−− D ← hv By

←−jointly decrypt−−−−−−−−−−−−

(C ,D)−−−−−→

output xy output xy

Note: (C ,D) = (g v+uy , hv+uy g xy ).

197/210




Let X = (−1)x and Y = (−1)y .Encryptions E(X), E(Y ) common input to parties A and B.

Secure multiplication: input E(X), E(Y ), output E(XY )

Party A Party Bu ∈R {1,−1}

−−−−E(Xu),E(Yu)−−−−−−−−−−−−−−→ v ∈R {1,−1}

←−−−E(Xuv),E(Yuv)−−−−−−−−−−−−−−−

←−jointly decrypt−−−−−−−−−−−−

E(Xuv)−−−−−−→

output E(Yuv)Xuv output E(Yuv)Xuv

Note:E(Yuv)Xuv = E(YuvXuv) = E(XYu2v 2) = E(XY ).Xuv as decrypted during protocol is statistically independent of X :

from A’s point of view: A does not know v ∈R {1,−1}from B’s point of view: B does not know u ∈R {1,−1}

198/210




“Raw” OT

Figure 7.2 (Rabin OT protocol)

Sender Receiver(b ∈ {0, 1})

←−−−−−−−−−−−−−−−−−−−−−−−−→

output b or ⊥

Both cases probability 50%.Receiver knows whether it gets b or ⊥.Sender does not know whether bit b was transferred successfully or not.

Strange functionality of OT sufficiently powerful to construct secure computationfor any computable function: OT is complete for secure computation.

199/210




1-out-of-2 OT

Sender holds two data bits x0, x1, receiver holds one selection bit s.Functionality: OT (x0, x1; s) = xs .

Figure 7.3 ((2

1

)-OT protocol)

Sender Receiver(x0, x1 ∈ {0, 1}) (s ∈ {0, 1})

u ∈R Znhs ← gu

h1−s ← h/gu

←−−−−−h0, h1−−−−−−−−−

u0, u1 ∈R Zn(A0,B0)← (gu0 , hu0

0 g x0 )(A1,B1)← (gu1 , hu1

1 g x1 )−(A0,B0), (A1,B1)−−−−−−−−−−−−−→

xs ← logg (Bs/Aus )

200/210




Property: OT (0, x ; y) = xy

Secure multiplication: private inputs x , y , public output xy

Party A Party B(x ∈ {0, 1}) (y ∈ {0, 1})

u ∈R Znhy ← gu

h1−y ← h/gu

←−−−−−h0, h1−−−−−−−−−

u0, u1 ∈R Zn(A0,B0)← (gu0 , hu0

0 )(A1,B1)← (gu1 , hu1

1 gx )−(A0,B0), (A1,B1)−−−−−−−−−−−−−→

xy ← logg (By/Auy )

←−−−−−−xy−−−−−−−

output xy output xy

Note: xy = logg (By/Auy ) = xy .

201/210




A and B hold (1, 2)-threshold secret shares of bits x , y , cf. Exercise 6.1.1.

Secure multiplication: input x = xa ⊕ xb,y = ya ⊕ yb, output xy = za ⊕ zb

Party A Party B(xa, ya ∈ {0, 1}) (xb, yb ∈ {0, 1})

ua ∈R {0, 1} ub ∈R {0, 1}

−OT (ua, xa ⊕ ua; yb)−−−−−−−−−−−−−−−→

←−OT (ub, xb ⊕ ub; ya)−−−−−−−−−−−−−−−

va ← OT (ub, xb ⊕ ub; ya) vb ← OT (ua, xa ⊕ ua; yb)za ← xaya ⊕ ua ⊕ va zb ← xbyb ⊕ ub ⊕ vb

Property: OT (x0, x1; s) = xs = x0(1− s)⊕ x1s.Therefore: va = ub ⊕ xbya and vb = ua ⊕ xayb.

So z = za ⊕ zb = xy follows from:{

za = xaya ⊕ ua ⊕ ub ⊕ xbyazb = xbyb ⊕ ub ⊕ ua ⊕ xayb

Shares za, zb uniform and independent of other values due to ub, ua, resp.

202/210

8 Blind Signatures

8.1 Definitions8.2 Chaum Blind Signature Scheme


Definition 8.1 (Blind signature scheme)Key generation. Algorithm that on input of security parameter k, generates key

pair (sk, pk) consisting of private key sk and public key pk.Signature generation. Two-party protocol between signer S and receiver R with

public key pk as common input. Private input of S is private keysk, and private input of R is message M. At the end of theprotocol, R obtains signature S on M as private output.

Signature verification. Algorithm that on input of message M, public key pk, andsignature S, determines whether S is a valid signature on M w.r.t.public key pk.

unforgeabilityunlinkability

203/210

8 Blind Signatures



Chaum’s Blind SignaturesRSA setting: RSA modulus N, public exponent e.

Figure 8.1 (Chaum’s blind signature protocol)

Signer Receiver(d = 1/e mod φ(N))

u ∈R Z∗Ny ←N H(M)ue

←−−−−−−y−−−−−−−

x ←N yd

−−−−−−x−−−−−−−→

S ←N x/uSe ?=N H(M)

Receiver obtains RSA signature S on message M:

Se = (x/u)e = (y 1/e/u)e = y/ue = H(M) mod N

Perfect unlinkability: (x , y) is uniformly random, independent of (M, S).

204/210

8 Blind Signatures



Figure 8.2 (Schnorr-based blind signature protocol)

Signer Receiver(x = logg h)

u ∈R Zn

a← gu−−−−−−

a−−−−−−→ s, t ∈R Zn

a′ ← ag sh−t

c ′ ← H(a′; M)←−−−−−−

c−−−−−− c ←n c ′ − t

r ←n u + cx−−−−−−

r−−−−−−→

r ′ ←n r + sg r′ ?= a′hc′

Receiver obtains Schnorr signature S = (c ′, r ′) on message M:

c ′ = H(a′; M) = H(ag sh−t ; M) = H(g r+sh−c−t ; M) = H(g r′h−c′ ; M).

Perfect unlinkability: (c, r) is uniformly random, independent of (c ′, r ′).

205/210

8 Blind Signatures



Exercises

Exercise 8.2.1Consider Chaum’s blind signature protocol (Figure 8.1) for a fixed message M.Show that the pair (x , y) is distributed uniformly random by proving that

Pr[(x , y) = (x0, y0)] = 1/φ(N)

for any x0, y0 ∈ Z∗N satisfying y0 = x e0 mod N.

Exercise 8.3.1Consider the Schnorr-based blind signature protocol (Figure 8.2) for a fixedmessage M. Show that the triples (a, c, r), (a′, c ′, r ′) are distributed uniformlyrandom and independent of each other by proving that

Pr[(a; c; r) = (a0; c0; r0) ∧ (a′; c ′; r ′) = (a′0; c ′0; r ′0)] = 1/n3

for any (a0; c0; r0), (a′0; c ′0; r ′0) s.t. g r0 = a0hc0 , c ′0 = H(a′0; M), and g r′0 = a′0hc′0 .

206/210

Appendices

A Fundamental Lemma of CryptologyB Rating of Exercises

C Spell Check

Proposition (“Fundamental Lemma of Cryptology”)Let G be a group of order n. Let a ∈ G be any random variable and b ∈R G. Thenwe have:

Pr[ab = v ] = Pr[ba = v ] = 1n , for all values v ∈ G.

Proof.Pr[ab = v ]

=∑

w∈G Pr[ab = v , b = w ] “split on value of b”=

∑w∈G Pr[aw = v , b = w ] “substitute b = w”

=∑

w∈G Pr[aw = v ] Pr[b = w ] “a and b independent”=

∑w∈G Pr[aw = v ]/n “b uniform on G”

=∑

w∈G Pr[a = vw−1]/n “multiply with w−1 from the right”=

∑w′∈G Pr[a = w ′]/n “one-to-one map w ′ = vw−1”

= 1/n. “random variable a ∈ G”

Same proof for Pr[ba = v ], but using multiplication with w−1 from the left.

207/210

Appendices


C Spell Check

Proposition (“Corollary of Fundamental Lemma of Cryptology”)Let G be a group of order n. Let a ∈ G be any random variable and b ∈R G.Then a and ab are statistically independent, and so are a and ba.

Proof.For any values u, v ∈ G:

Pr[a = u, ab = v ]= Pr[a = u, vb = v ] “substitute a = v”= Pr[a = u, b = u−1v ] “multiply with u−1 from the left”= Pr[a = u] Pr[b = u−1v ] “a and b independent”= Pr[a = u]/n “b uniform on G”= Pr[a = u] Pr[ab = v ]. “Fundamental Lemma of Cryptology”

Same proof for a and ba, but using multiplication with u−1 from the right.

208/210

Appendices


C Spell Check

Fundamental Lemma of Cryptology

Lemma even holds for quasigroups, using right division / and left division \, resp.Latin square property for Cayley (multiplication) table of quasigroups.No associativity, commutativity, identity element required for quasigroups.

G Examples of uniform ab or ba with a ∈ G and b ∈R G{0, 1}k - Shannon’s perfect secrecy of one-time pad: C = M ⊕ K

- perfect secret sharing of bit s: share s1 = s ⊕ u〈g〉 - additive RSR of DL problem: h′ = h gu

- perfect hiding Pedersen commitment: C = guhx

- special HVZK of Schnorr protocol: a = g r h−c

〈g〉∗ - multiplicative RSR of DL∗ problem: h′ = hu = h ∗ gu

(DH-product ∗, see Exercise 1.2.4)Z∗N - special HVZK of GQ protocol: a = r ey−c mod N

- RSR of RSA problem: y ′ = yue mod N- perfect unlinkability of Chaum’s blind signatures: y = H(M)ue mod N

Also, recognizable in random reencryption of ElGamal ciphertexts, and so on!

https://en.wikipedia.org/wiki/Quasigroup

209/210

Appendices


C Spell Check

Rating of Exercises

Chapter 1: 1.2.1∗, 1.2.2∗∗, 1.2.3, 1.2.4(a),(b)∗, 1.2.5(a),(b)(i)–(iii)(iv)∗,1.2.6∗, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11∗, 1.2.12∗, 1.2.13,1.3.1, 1.3.2∗, 1.3.3, 1.3.4, 1.3.5(a)∗,(b)∗∗, 1.3.6, 1.3.7, 1.3.8∗,1.3.9∗, 1.3.10, 1.3.11∗, 1.3.12∗

Chapter 2: 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.1Chapter 3: 3.2.1, 3.2.2, 3.2.3, 3.3.1∗Chapter 4: 4.4.1Chapter 5: 5.1.1∗, 5.1.2∗∗, 5.2.1, 5.2.2, 5.2.3, 5.3.1, 5.3.2(a)–(i),(j)∗,(k),

5.3.3, 5.3.4, 5.3.5∗, 5.3.6∗, 5.3.7(i),(ii)∗∗, 5.4.1, 5.4.2, 5.4.3,5.4.4

Chapter 6: 6.2.1∗, 6.2.2, 6.2.3, 6.3.1Chapter 7: 7.1.1, 7.1.2Chapter 8: 8.2.1, 8.3.1No star: regular exercisesOne star *: bit beyond exam level, sometimes bit beyond course scope,

maybe involving somewhat more advanced mathematicsTwo stars **: more advanced mathematics, possibly towards research

level problems—but still very relevant to the course

210/210

Appendices


C Spell Check

Spell Check

authentication authentificationciphertext cipher textcryptanalysis cryptoanalysis, crypto analysiscryptosystem crypto systemidentification indentificationplaintext plain text

Cryptographic Protocols: Lecture Slides

Documents

Transcript of Cryptographic Protocols: Lecture Slides