Lecture Notes on Applied Cryptography
Introduction to Cryptography
Course 15356/15856, Fall 2020
Vipul Goyal
CMU
Acknowledgment
These lecture notes are largely based on scribe notes of the students who took CMU’s “In-
troduction to Cryptography” by Professor Vipul Goyal in 2018 and 2019. The notes were
later edited by the teaching assistant Elisaweta Masserova. We thank all of the students
who contributed to these notes:
If your name is not on the list (and you believe it should be) - please let us know.
The notes are not free of typos by any means and not all the chapters have been care-
fully edited. If you notice anything that should be changed, please get in touch with us.
Vipul Goyal: goyal [at] cs.cmu.edu
Elisaweta Masserova: elisawem [at] cs.cmu.edu
Contents
Introduction
1.1 Classical Symmetric Encryption Schemes
1.1.1 Caesar Cipher
1.1.2 Substitution Ciphers
1.1.3 Vigenère Cipher
1.2 Perfectly Secure Encryption
1.2.1 One-Time Pad
1.3 Shannon's Theorem

One-Way Functions
2.1 Polynomial Time and Probabilistic Polynomial Time Algorithms
2.2 Negligible and Noticeable Functions
2.3 One-way Functions
2.3.1 Strong One-way Functions
2.3.2 Variants
2.3.3 Limitations
2.4 Constructing One-way Functions
2.4.1 Hardness of Factorization and Chebyshev's Theorem
2.4.2 OWF Based on Factorization
2.4.3 Weak OWF Based on Factorization
2.5 Hardcore Predicates
2.5.1 Weak One-to-One One-Way Functions
2.6 Yao's Hardness Amplification* (optional material)

Pseudorandomness
3.1 Pseudorandom Generators (Informal)
3.1.1 Definitions
3.2 Computational Indistinguishability
3.3 Properties of Computational Indistinguishability
3.4 Pseudorandom Ensembles
3.5 Pseudorandom Generators
3.6 Construction of Pseudo-Random Generators
3.6.1 Construction of 1-bit stretch PRG
3.6.2 Construction of poly-stretch PRG
Key Agreement
6.1 Key Exchange Definition
6.2 Diffie-Hellman Key Exchange
6.3 Diffie-Hellman Key Exchange Protocol
6.3.1 Active vs. Passive Adversaries
6.3.2 Key Management Using Trusted Third Party

Digital Signatures
9.1 One-time Signatures
9.2 Signing Longer Messages
9.3 Signing Multiple Messages
9.4 An RSA Based Scheme

Secret Sharing
10.1 Construction of a secret sharing scheme
10.2 t-of-n secret sharing schemes
10.2.1 Shamir's Secret Sharing
10.3 Threshold PKE (t-of-n)
10.3.1 Threshold PKE based on El-Gamal PKE

Blockchains
11.1 Bitcoin History
11.2 Blockchain as a public ledger
11.2.1 Single Miner
11.2.2 Multiple miners
11.2.3 Infanticide
11.3 Cryptocurrency built on public ledger
11.3.1 Creation of Bitcoin
11.3.2 State and transactions
11.3.3 Weak anonymity
11.3.4 Rate control
11.3.5 Mining pools
11.4 Applications built on top of Bitcoin and the Blockchain
11.5 Information Verification on the Blockchain - Merkle trees
11.6 Limitations of Bitcoin
11.7 Types of forks in Bitcoin
11.8 Proof-of-Stake Blockchains
11.8.1 High-level idea
11.8.2 Generating rpk
11.8.3 Posterior Corruptions in Proof-of-Stake Blockchains
11.9 Existing Proposals to Solve POW Scalability Issues
11.9.1 GHOST: Greedy Heaviest Observed Subtree
11.9.2 Inclusive Blockchain Protocols

Zero-Knowledge Proofs
12.1 Introduction
12.2 Formal Definition
12.3 Zero-Knowledge Graph Isomorphism
12.3.1 Graph Isomorphism Problem Definition
12.3.2 Zero-Knowledge for Graph Isomorphism Protocol
12.4 Amplifying Soundness
Introduction
Definition 1. A symmetric key encryption scheme SE = (Gen, Enc, Dec) is defined by the
following three algorithms:
• k ← Gen(κ). The key generation algorithm Gen takes as input a security parameter κ¹ and generates a secret key k. The security parameter κ determines the length of the key; typically, the longer the key, the more secure the scheme.
• c ← Enc(k, m). The encryption algorithm Enc takes as input a key k and a message
m, and outputs a ciphertext c.
¹ Typically we use 1^κ (i.e. κ in unary) as the security parameter to make sure that Gen runs in time polynomial in the size of its input.
• m = Dec(k, c). The decryption algorithm Dec takes as input a key k and a ciphertext
c, and outputs a plaintext message m.
Correctness. The scheme is said to be correct if for all security parameters κ and all messages m the following holds:

Pr[m = Dec(k, c) : k ← Gen(κ), c ← Enc(k, m)] = 1
Remark 1. In the notation above we first specify the statement (m = Dec(k, c)), and then,
after the colon, we specify the condition (k ← Gen(κ), c ← Enc(k, m)). We will use this
notation throughout this manuscript.
We will now take a look at one of the oldest known classical symmetric encryption
schemes: the Caesar cipher.
Remark 2. One way to break the cipher is to test all possible keys (there are only 26 of them) in a brute-force attack: whichever key yields a message that is not gibberish has probably produced the right message. Today's computers make conducting this attack very fast; it is hard to say how effective the cipher was in Caesar's time.
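To make the brute-force attack concrete, here is a minimal Python sketch (restricted to uppercase A-Z; picking out the non-gibberish candidate is left to a human or a dictionary check):

def caesar_decrypt(ciphertext, key):
    # Shift every letter back by `key` positions, wrapping around the alphabet.
    return ''.join(chr((ord(ch) - ord('A') - key) % 26 + ord('A')) for ch in ciphertext)

def brute_force(ciphertext):
    # Only 26 possible keys: try them all and print every candidate plaintext.
    for key in range(26):
        print(key, caesar_decrypt(ciphertext, key))

brute_force("DWWDFN")  # key 3 yields ATTACK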
Remark 3. Sometimes you do not need to be able to decrypt the complete ciphertext. Say
you know that the plaintext message is either “attack” or “defend”. Then, decrypting even
a single letter is enough.
As an example, here is an encryption under the Vigenère cipher with the key COVER, repeated to match the message length:

Plaintext: DEFENCE
Key: COVERCO
Ciphertext: FSAIEES
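A minimal Python sketch of Vigenère encryption that reproduces the example above (uppercase A-Z only):

def vigenere_encrypt(plaintext, key):
    # Add the repeated key to the message, letter by letter, modulo 26.
    out = []
    for i, ch in enumerate(plaintext):
        shift = ord(key[i % len(key)]) - ord('A')
        out.append(chr((ord(ch) - ord('A') + shift) % 26 + ord('A')))
    return ''.join(out)

print(vigenere_encrypt("DEFENCE", "COVER"))  # prints FSAIEES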
Looking at what some famous mathematicians and historical figures had to say about the Vigenère cipher reveals that the concept of security has changed significantly over the years. Author and mathematician Lewis Carroll, known for Alice in Wonderland as well as his mathematical works, proclaimed that the cipher was “unbreakable”. The Scientific American magazine called it “impossible of translation”. However, Charles Babbage, one of the founding fathers of computer science, managed to break it, but did not publish his findings².
Remark 4. One way to break the scheme is the following: Start by guessing the key length l. Then, arrange the letters of the ciphertext in a matrix with l rows, writing the ciphertext column by column, so that row j contains ciphertext positions j, l + j, 2l + j, . . .:

1   l+1   2l+1   . . .
2   l+2   2l+2   . . .
3   l+3   2l+3   . . .
⋮    ⋮     ⋮

Now analyse each row using frequency analysis. This is possible since the letters of a row were all encrypted using the same single-letter key, just as in the Caesar cipher.
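A sketch of this attack in Python; the frequency analysis itself is reduced to a toy heuristic (assume 'E' is the most frequent plaintext letter), which is an assumption of this sketch rather than part of the attack as described:

def rows(ciphertext, key_length):
    # Row j collects the letters that were shifted by the j-th key letter.
    return [ciphertext[j::key_length] for j in range(key_length)]

def best_shift(row):
    # Toy frequency analysis: the most frequent letter in the row
    # probably encrypts 'E', which reveals this row's Caesar shift.
    most_common = max(set(row), key=row.count)
    return (ord(most_common) - ord('E')) % 26

def guess_key(ciphertext, key_length):
    return ''.join(chr(best_shift(r) + ord('A')) for r in rows(ciphertext, key_length))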
The classical ciphers we looked at previously all tried to provide some notion of security,
but have all been broken. This suggests that designing a secure encryption scheme is hard.
However, even defining security is entirely non-trivial. To see why, we take a look at some
intuitive attempts at defining it:
• Attempt 1: Pr[A(c) = m : k ← Gen(·), c ← Enc(k, m)] = 0, where A is some adversary. Note that even if all the adversary does is randomly guess the key, it has a small probability of being correct. Thus, unfortunately, this definition does not work.
• Attempt 2: Pr[A(c) = m : k ← Gen(·), c ← Enc(k, m)] = α, where α is some fixed, very small number (say, α = 1/2^100). Recall the “attack”-“defend” example. If the adversary knows that there are only a few possible options for the plaintext message, it will be able to guess it with a probability higher than α.
• Attempt 3: The scheme hides every character perfectly, meaning the probability of guessing each character is ≤ 1/26. However, since in an English text some letters are more frequent than others, the adversary will be able to guess some characters with higher probability.
The problem is that we are trying to assign some fixed quantity to the probability of
guessing the right message, even though for different messages or message spaces the
“right” probability can be completely different. Thus, we should isolate the definition of
security from any specific message space. Intuitively, having some knowledge about the
message space is fine, as long as the ciphertext does not provide more information about
the message than the adversary had before seeing the ciphertext. Thus, we essentially want
the ciphertext to be independent of the message.
² Note that if the key length of the Vigenère cipher is equal to the text length, and the key is used only once, the cipher becomes a one-time pad over the alphabet and is in fact unbreakable.
Definition 2. (Gen, Enc, Dec) is a perfectly secure encryption scheme if and only if for all pairs of messages (m1, m2) and all ciphertexts c the following holds:

Pr[Enc(k, m1) = c : k ← Gen(·)] = Pr[Enc(k, m2) = c : k ← Gen(·)]
Remark 5. Thus, no matter what message you start with, the distribution of the resulting
ciphertext is the same as for all other messages in the given message space.
Unfortunately, one-time pad has a number of very obvious limitations: what if the
message that we want to encrypt is very long? It would require a transmission of a very
long key. What if we want to encrypt not a single, but multiple messages? Since the key
can only be used once, we would need to transmit multiple keys. These issues prevent us
from using one-time pad in practice.
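For reference, a minimal one-time pad sketch over byte strings (recall that the one-time pad encrypts by XORing the message with a uniformly random key of the same length, used only once):

import secrets

def gen(length):
    return secrets.token_bytes(length)                    # uniformly random key

def enc(key, message):
    return bytes(k ^ m for k, m in zip(key, message))     # c = k XOR m

def dec(key, ciphertext):
    return bytes(k ^ c for k, c in zip(key, ciphertext))  # m = k XOR c

key = gen(6)
assert dec(key, enc(key, b"attack")) == b"attack"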
In 1948, Claude Shannon, who had worked on cryptography for the US government during the war, founded information theory with his paper A Mathematical Theory of Communication. In his 1949 paper Communication Theory of Secrecy Systems, he proved the following fundamental limitation of perfectly secure encryption, known as Shannon's Theorem.
Theorem 2. (Shannon’s Theorem) For all perfectly secure symmetric key encryption
schemes with message space M and key space K, it holds that |K| ≥ |M |, where |K|
(resp. |M |) denotes the size of the key (resp. message) space.
Proof. Assume there exists a perfectly secure encryption scheme (Gen, Enc, Dec) for which |K| < |M|. Pick any ciphertext c such that there exists a message m′′ that encrypts to c using some key from K. Then, decrypt c using every key from K to recover a set of messages S. Note that S is of size at most |K|, because we get at most one message per decryption. Since |K| < |M| by the assumption, there exists a message m′ ∈ M such that m′ ∉ S. Thus,

Pr[Enc(k, m′) = c : k ← Gen(·)] = 0

At the same time, the message m′′ encrypts to c with positive probability, which contradicts the assumption that the scheme is perfectly secure, since perfect security requires these two probabilities to be equal.
Remark 6. Note that for the proof of this theorem we assumed we could decrypt c with every key from K, which can be hard to do in practice for a large enough key space. So, in fact, there could be an encryption scheme that has a smaller key space and is “secure” with respect to some other definition.
One-Way Functions
In the previous chapter, we explored several classical ciphers that attempt to hide infor-
mation in messages. However, only one of them (One-Time Pad) is perfectly secure. We
saw Shannon’s Theorem, which claims that it is impossible to have a perfectly secure sym-
metric key scheme with key space smaller than message space. These results imply that
perfect security might be too hard to achieve in many scenarios. However, it may be pos-
sible to define a weaker notion of security that might still be sufficient in many use cases.
In this chapter, we will discuss security against “reasonable” adversaries.
Intuitively, modern cryptography is based on the assumption that the adversary's computational power is limited (in some “reasonable” way, which we will define later). With respect to encryption, this means that secure schemes should ensure that it is computationally “hard” for the adversary to decrypt a message, while allowing for efficient encryption and decryption for users that have the secret key. To construct such schemes, we will require primitives that possess useful computational hardness properties.
In this chapter we will introduce one such fundamental cryptographic primitive: one-way functions, which are “easy” to compute, but “hard” to invert. Before we can dive in, we need to consider a few helpful definitions.
Definition 3 (PT). An algorithm A, which runs on input x, is called polynomial time (PT) if
there exists a polynomial P (n) such that for all large enough n = |x|, the number of steps
in the computation of A(x) is bounded above by P (|x|).
Consider an algorithm that repeatedly flips a fair coin and halts as soon as the coin comes up heads. Note that this algorithm does not necessarily halt in polynomial time. In fact, it might run for arbitrarily many steps. However, in expectation, the number of steps taken by this algorithm is 2. Therefore, this is a PPT algorithm.
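A quick sketch of this coin-flipping example in Python; the expected number of iterations is Σ_{i≥1} i/2^i = 2, even though no fixed bound holds for every run:

import random

def flip_until_heads():
    # Halts with probability 1/2 in each step, so the expected number
    # of steps is 2, but any particular run may take arbitrarily long.
    steps = 0
    while True:
        steps += 1
        if random.random() < 0.5:   # heads
            return steps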
The next definitions, which we will encounter quite frequently, are those of negligible and noticeable functions:
Definition 6. A function ν(n) is called negligible if for every polynomial P(n), for all large enough n, ν(n) < 1/P(n).
Definition 7. A function f(n) is called noticeable if there exist two polynomials, P(n) and Q(n), such that for all n large enough, 1/P(n) ≤ f(n) ≤ Q(n).
We typically denote noticeable functions as notice(n). The following facts about negli-
gible and noticeable functions are easy to derive:
• f (n) = poly1 (n) · poly2 (n) is a polynomial.
• f (n) = notice1 (n) · notice2 (n) is noticeable.
• f (n) = notice(n) · negl(n) is negligible.
• f (n) = negl1 (n) · negl2 (n) is negligible.
• f (n) = notice1 (n) + notice2 (n) is noticeable.
• f (n) = notice(n) + negl(n) is noticeable.
• f (n) = negl1 (n) + negl2 (n) is negligible.
• f (n) = c · notice(n) is noticeable for constant c.
• f (n) = c · negl(n) is negligible for constant c.
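To illustrate how such facts are derived, consider the third one: fix any polynomial P(n). Since notice(n) ≤ Q(n) for some polynomial Q(n), and negl(n) < 1/(P(n) · Q(n)) for all large enough n (P(n) · Q(n) is itself a polynomial), we get notice(n) · negl(n) ≤ Q(n) · negl(n) < Q(n)/(P(n) · Q(n)) = 1/P(n) for all large enough n, so the product is indeed negligible.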
Definition 8 (OWF). A function f : {0,1}^n → {0,1}^m is a one-way function if the following holds:
1. f can be computed in polynomial time. Equivalently, the computation of f(x) is polynomial time for all x.
2. For all PPT adversaries A, there exists a negligible function negl(n) such that for all large enough n, we have

Pr[f(x) = f(x′) : x ←$ {0,1}^n, x′ ← A(f(x))] ≤ negl(n)
Remark 7. Here f (x) is called the image of x, and x is called the preimage of f (x). We can
easily extend this definition to f : D → R for any domain D and range R. Moreover, we
can either view the domain D as a set from which the input is sampled randomly, or as a
distribution.
There is an important subtlety to this definition: in the second condition, we require
that the probability of any adversary finding any preimage is negligible. It might be tempt-
ing to change the second condition to:
Pr[x = x′ : x ←$ {0,1}^n, x′ ← A(f(x))] ≤ negl(n)
However, this modified definition is not very useful. To see that, consider the function f
such that f (x) = 0 for all x. Then f is an OWF under this definition, but it is intuitively
useless for cryptographic purposes. Therefore, we strengthen condition 2 to the above
definition.
2.3.2 Variants
Technically, the definition provided above refers to strong one-way functions. Additionally, there exist weak one-way functions, which can be quite useful as well:
Definition 9 (Weak OWF). A function f : {0,1}^n → {0,1}^m is a weak one-way function if the following holds:
1. f can be computed in polynomial time. Equivalently, the computation of f(x) is polynomial time for all x.
2. For all PPT adversaries A, there exists a noticeable function notice(n) such that for all large enough n, we have

Pr[f(x) = f(x′) : x ←$ {0,1}^n, x′ ← A(f(x))] ≤ 1 − notice(n).
Intuitively, a weak one-way function should be hard to invert on some noticeable frac-
tion of inputs.
Definition 10. A function f : D → R is an injective one-way function if f is a one-way
function, and f is injective. Injective one-way functions are also called one-to-one one-way
functions.
Remark 8. An injective function (also known as one-to-one function) is a function that
maps distinct elements of its domain to distinct elements of its range.
Definition 11. A function f : D → R is a one-way permutation (OWP) if f is an injective
one-way function, and f is a permutation (i.e. D = R).
2.3.3 Limitations
Unfortunately, one-way functions only satisfy a weak sense of security. They only guaran-
tee that the input to function f is not leaked entirely, but it is still possible that a substantial
amount of information is leaked. In fact, the following statement is true:
Proposition 1. Given a one-way function f : {0,1}^n → {0,1}^n, we can build another one-way function g : {0,1}^{2n} → {0,1}^{2n} such that g leaks half of its input.
Proof. Let || denote concatenation. Consider the following definition of g: given input x1||x2, where |x1| = |x2| = n, output f(x1)||x2. Clearly g leaks the second half of its input, so it suffices for us to argue that g is a one-way function.
Assume for the sake of contradiction that there is an adversary A that inverts g with noticeable probability. We construct an adversary B that inverts f with noticeable probability. Consider the following algorithm:
1 : Given f(x), construct y = f(x)||t, where t is a random string from {0,1}^n.
2 : Run A(y).
3 : If A halts without failing, return the first n bits of A(y)'s output.
4 : Otherwise, return FAIL.
Now it is easy to see that B succeeds as long as A succeeds. Since A has a noticeable probability of success, B has a noticeable probability of success, which implies f is not a one-way function, leading to a contradiction. Therefore g is a one-way function.
We also have the following statement about the existence of one-way functions:
Theorem 3. If P = NP, then one-way functions do not exist.
Proof. Here we present a sketch of the proof. Assume for the sake of contradiction that there exists a one-way function f : D → R. Since f can be computed in polynomial time, the problem of inverting f is in NP: given a candidate preimage, it takes polynomial time to check its validity. Assuming P = NP, a preimage for f can then be found in polynomial time, which means f is not a one-way function, leading to a contradiction.
Consider the following adversary B, given input N:
1 : Run A(N).
2 : If A succeeds and returns x′ ∈ D, then interpret x′ as a set of n² integers and use a primality test to find the first two primes in this set. If found, output the primes.
3 : Else, output FAIL.
Note that we can't analyze the success probability of B using the same methods as in Proposition 2, because the function f now has some probability of outputting FAIL, which means A could receive FAIL as an input. Note that if f output FAIL with noticeable probability, then even a trivial adversary that always returns (0, · · · , 0) would have a noticeable probability of inverting f. Therefore, we prove the following claim:
Claim 1. The probability that f outputs FAIL is negligible.
We used Chebyshev's theorem and the fact that Pr[p is prime] ≤ 1 in the first inequality, and the fact that for x = −1/2 the sequence (1 + x/n)^n is increasing and converges to e^x in the third inequality. Since the product of a polynomial and a negligible function is negligible, and the sum of two negligible functions is negligible, we get that the probability of f outputting FAIL is negligible.
Now let ε = Pr[f(x) = FAIL]. Assuming x ←$ D and x′ ← A(f(x)), we have:

Pr[f(x) = f(x′)] = Pr[f(x) = f(x′) | f(x) = FAIL] · ε + Pr[f(x) = f(x′) | f(x) ≠ FAIL] · (1 − ε)
≥ notice(n).

Since the probability that f outputs FAIL is negligible, and we assume that A inverts f with noticeable probability, A must succeed on non-FAIL inputs with noticeable probability. Thus, Pr[f(x) = f(x′) | f(x) ≠ FAIL] is noticeable. The probability that B succeeds is at least the probability of A succeeding on non-FAIL inputs multiplied by the probability of f not outputting FAIL. The probability of B's success is therefore noticeable (as a product of two noticeable functions), which is a contradiction. We conclude that f is a one-way function.
Proof. From Chebyshev's Theorem, we know that the probability that both p and q are prime is at least (1/(2n))² = 1/(4n²). Now from Construction 1 and Proposition 2, if p, q are both prime, then for any PPT algorithm A, Pr[f(x) = f(x′) : x′ ← A(f(x))] ≤ negl(n). Therefore, for any PPT adversary B we have

Pr[f(x) = f(x′) : x ←$ D, x′ ← B(f(x))]
= Pr[f(x) = f(x′) : x ←$ D, x′ ← B(f(x)) | x = p||q, p, q ∈ Pn] · Pr[p, q ∈ Pn]
+ Pr[f(x) = f(x′) : x ←$ D, x′ ← B(f(x)) | x = p||q, p ∉ Pn ∨ q ∉ Pn] · Pr[p ∉ Pn ∨ q ∉ Pn]
≤ Pr[f(x) = f(x′) : x ←$ D, x′ ← B(f(x)) | x = p||q, p, q ∈ Pn] + Pr[p ∉ Pn ∨ q ∉ Pn]
≤ negl(n) + 1 − 1/(4n²) = 1 − (1/(4n²) − negl(n)).

Since 1/(4n²) is noticeable, we have that f is a weak one-way function.
As we learned in the previous sections, one-way functions guarantee only that the input x to the one-way function is not leaked entirely. Thus, it is entirely possible that substantial amounts of information are leaked. However, since the input is not leaked entirely, it seems likely that there must be at least one bit of the input x that is hard to guess. Thus, the question is whether we can pinpoint such bits of x. More formally: Given f(x), where f : D → R is a one-way function, is there a predicate h such that h(x) is hard to predict? This leads to the following definition:
Definition 12 (Hardcore Predicate). A predicate h : {0,1}^n → {0,1} is a hardcore predicate of f if h can be computed in polynomial time, and for every PPT adversary A,

Pr[A(f(x)) = h(x) : x ←$ {0,1}^n] ≤ 1/2 + negl(n).
It is a natural question to ask if there exists a single hardcore predicate that works for all one-way functions f. However, if there existed such a predicate h, then we could construct a one-way function f′ from a generic one-way function f such that f′(x) = f(x)||h(x). It is easy to check that f′ is a one-way function, and h is not a hardcore predicate for f′ (its value is part of f′(x)). Therefore, we have to be less ambitious when constructing hardcore predicates. Here the problem was that f could depend upon h. In the following, we will choose h at random after f is chosen, to make sure it is independent of f. This leads us to the next theorem:
Definition 13 (Inner Product). Given x, r ∈ {0,1}^n, the inner product of x and r is ⟨r, x⟩ = Σ_i r_i x_i mod 2.
Theorem 5 (Goldreich-Levin Theorem). Given a one-way function f : {0,1}^n → {0,1}^m, sample r at random from {0,1}^n. Then h_r(x) = ⟨r, x⟩ is a hardcore predicate for f with probability 1 − negl(n).
Proof Idea: Here we only present the simplest case of the proof. Assume there exists an adversary A that predicts h_r(x) with probability 1 for all r ∈ {0,1}^n. For i ∈ {1, 2, . . . , n}, let e_i ∈ {0,1}^n be the vector with 1 in the i-th entry and 0 in all other entries. Then we can use A to predict h_{e_i}(x) for all e_i. Since h_{e_i}(x) = ⟨e_i, x⟩ = Σ_{j=1}^n (e_i)_j x_j mod 2 = x_i, computing all h_{e_i}(x) gives us x bit by bit. This contradicts the assumption that f is a one-way function. The proofs of the other cases, where A predicts h_r(x) with probability less than 1 but better than 1/2, are generalizations of this idea and are more complex.
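A toy Python illustration of this simplest case; the perfect predictor `predict` is a hypothetical oracle standing in for the adversary A:

def recover_x(fx, n, predict):
    # Query the (assumed perfect) predictor on the unit vectors e_1, ..., e_n;
    # since <e_i, x> mod 2 = x_i, each answer is one bit of the preimage x.
    bits = []
    for i in range(n):
        e_i = [1 if j == i else 0 for j in range(n)]
        bits.append(predict(fx, e_i))
    return bits

Since this recovers the entire preimage x from f(x), such a perfect predictor cannot exist for a one-way f.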
2.5.1 Weak One-to-One One-Way Functions
Here we show an example of a weak one-to-one one-way function. We will use what we
call a signal string, which is a string used to tag a value with some extra information.
We often concatenate signal strings with output values to provide more information
about the values. Signal strings are useful for creating one-to-one functions.
Construction 4. We construct a function f which takes as input a string x ∈ {0,1}^{2n} and proceeds as follows:
Let x = x1||x2, for x1, x2 ∈ {0,1}^n.
Case 1: If x1 and x2 are both prime, output x1 · x2 || signal string.
Case 2: Else, output x1 || x2 || signal string.
Our signal string specifies whether x1 > x2 and which case of f created the output. It is not important to specify exactly how we encode the signal string; the encoding scheme could range from a compact binary representation (e.g. “10” to specify x1 > x2 and case 1) to a verbose encoding (e.g. “x1 > x2 and we took case 1”, encoded in binary using ASCII). Note that the signal string does not specify the values of x1 or x2.
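A sketch of Construction 4 in Python; the verbose signal-string encoding and the naive trial-division primality test are choices of this sketch, not part of the construction:

def is_prime(v):
    # Naive trial division; a real implementation would use a PPT primality test.
    return v >= 2 and all(v % d for d in range(2, int(v ** 0.5) + 1))

def f(x1, x2):
    # x1, x2 are the two n-bit halves of the input, viewed as integers.
    signal = "x1>x2" if x1 > x2 else "x1<=x2"
    if is_prime(x1) and is_prime(x2):
        return (x1 * x2, signal + " and case 1")   # Case 1
    return (x1, x2, signal + " and case 2")        # Case 2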
Proof. We now show that f is a weak one-way function. By Chebyshev's Theorem, we know that there is a noticeable probability of x1 and x2 both being prime (and the probability of f returning x1 · x2 || signal string is noticeable as well). Say some PPT adversary A is able to invert f, conditioned on x1 and x2 both being prime, with some non-negligible probability. In this case, we can construct a PPT adversary B breaking the factoring assumption as follows: B takes as input an integer N, chooses a bit b at random, and runs A on input “N || x1 > x2 and case 1” if b = 1, and on input “N || x1 ≤ x2 and case 1” if b = 0. Then, B parses A's output as x1||x2 and outputs x1, x2. If A succeeds with probability δ, B succeeds with probability δ as well. Thus, if A has a non-negligible success probability, then B breaks the factoring assumption with a non-negligible probability as well, which is a contradiction. Thus, we have shown that there is a noticeable fraction of inputs that are hard to invert, and so f is a weak one-way function.
f is one-to-one because the input is unambiguously defined (though possibly hard to compute) given the output. The fundamental theorem of arithmetic states that every number has a unique prime factorization. Hence in case 1, N = x1 · x2 forces the input to be either x1||x2 or x2||x1, and the signal string tells us which one of these inputs is the correct one. In case 2, the output contains the input in the clear. The signal string also tells us which case we are in.
Remark 9. Note that f is not a strong one-way function. Regardless of the value of n,

Pr[x1 or x2 is even] = 3/4.

This is a high probability, and in this case (an even number greater than 2 is not prime) we are almost always in case 2, and thus the output contains the input x1||x2 in the clear.
In this section, we show how to create a strong one-way function given a weak one-way
function.
Say we have a weak one-way function f with associated hardness 1 − q. Define a function F as follows:

F(x1, x2, . . . , xN) = f(x1)||f(x2)|| . . . ||f(xN), for N = n/q.
Theorem 6 (Yao’s Hardness Amplification). F is a strong one-way function.
Intuition:
F takes as input a long string interpreted as many strings of length n. F runs f on each
of these smaller strings and concatenates the results together. For an adversary to invert
F , they must invert each of f (x1 ), f (x2 ), ..., f (xN ). If even one of those is hard to invert, F
will be hard to invert.
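A minimal sketch of F in Python, assuming f maps fixed-length byte blocks to byte strings (a hypothetical interface):

def amplified_F(f, xs):
    # F(x1, ..., xN) = f(x1) || f(x2) || ... || f(xN).
    # Inverting F means inverting every block, so a single hard
    # block already makes the whole output hard to invert.
    return b"".join(f(x) for x in xs)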
Proof. Assume for the sake of contradiction that there exists a PPT adversary A which can
invert F with noticeable probability p.
We will construct a PPT adversary B which inverts f with probability greater than 1 − q, which will contradict the assumption that f is a weak one-way function with associated hardness 1 − q.
Idea: Define B, on input y = f(x), as follows:
1 : Choose i ←$ [1, N].
2 : For j ≠ i, generate xj at random.
3 : Invoke A(f(x1)|| . . . ||f(xi−1) || y || f(xi+1)|| . . . ||f(xN)).
4 : On A's response, interpret its result as x′1, . . . , x′N, and return x′i.
Definition 14. BAD = {x | Pr[B inverts f(x) in one iteration, over B's coins] ≤ pq/(2n)}
Claim 3. The fraction of BAD inputs is less than q/2, i.e. Pr over x [x ∈ BAD] < q/2.
Proof. Assume for the sake of contradiction that Pr over x [x ∈ BAD] ≥ q/2. Then

p = Pr[A succeeds in inverting F(x1, x2, . . . , xN)]
= Pr[A succeeds | ∀i : xi ∉ BAD] · Pr[∀i : xi ∉ BAD] + Pr[A succeeds | ∃i : xi ∈ BAD] · Pr[∃i : xi ∈ BAD]
≤ 1 · (1 − q/2)^N + N · Pr[A succeeds | xi ∈ BAD] · 1
≤ (1 − q/2)^{n/q} + (n/q) · (pq/(2n))
= negl(n) + p/2,

so p ≤ 2 · negl(n), which is negligible. This contradicts the assumption that A inverts F with noticeable probability p.
Because good randomness can be hard to come by, we need to find a workaround for generating keys purely through randomness. This forces us to ask the question: “Is it possible to stretch a small random string into a longer random string?” Let us consider a small random string s ←$ {0,1}^n. Is there an algorithm A(s) that deterministically produces another truly random string t such that t ∈ {0,1}^m and m > n?
Intuitively, even if we consider the simple case where m = n + 1, we know that this is not possible, as we will only be able to generate 2^n unique outputs as opposed to the 2^{n+1} unique outputs that a truly random string would have. Pseudorandomness can help us overcome the bottleneck created by the lack of randomness. Intuitively, pseudorandomness is used to generate objects that appear random despite containing only some small amount of randomness.
Informally, a pseudorandom generator (PRG) is a function G : {0, 1}n → {0, 1}m , where
m > n, the input consists of n random bits and the output “looks random” to any prob-
abilistic polynomial time (PPT) algorithm. More formally, “looking random” means that
no PPT adversary can “distinguish” between a string generated by G and a truly random
string. Before we formalize the definition of pseudorandomness and pseudorandom gen-
erators, we need to define some vital concepts.
3.1.1 Definitions
Definition 15 (Uniform Distribution). A distribution X is called the uniform distribution over n-bit strings if for every s ∈ {0,1}^n the following holds:

Pr[x = s : x ←$ X] = 1/2^n
Two distributions X0 and X1 are identical if for every s the following holds:

Pr[x = s : x ←$ X0] = Pr[x = s : x ←$ X1]
First Attempt. The distribution ensembles {X0^n}n and {X1^n}n are “identical to a PPT adversary” if for all s the following holds:

|Pr[x = s : x ←$ X0^n] − Pr[x = s : x ←$ X1^n]| ≤ negl(n)
Remark 10. Now we can see why distribution ensembles (as opposed to single distributions) are important: they give us the parameter n used in asymptotic notions like noticeable and negligible. In the following, we will often simply write X0^n and X1^n (as opposed to {X0^n}n and {X1^n}n).
Unfortunately, this definition is flawed. Let us consider the following distribution ensembles:
• {X0^n}n represents all even numbers of length n.
• {X1^n}n represents all odd numbers of length n.
Let us consider the case where s is even. We know that the total number of n-bit strings is 2^n, and thus the number of elements in each ensemble is 2^{n−1}. Therefore,

Pr[x = s : x ←$ X0^n] = 1/2^{n−1}
Pr[x = s : x ←$ X1^n] = 0

Substituting in the calculations from above:

|Pr[x = s : x ←$ X0^n] − Pr[x = s : x ←$ X1^n]| = 1/2^{n−1}

1/2^{n−1} is a negligible function, which by the definition above means {X0^n}n and {X1^n}n are indistinguishable. However, this definitely should not be the case, as the two distributions are totally different and can easily be distinguished (e.g. by looking at the last bit). Thus, this definition is flawed, so we will need to find an alternate and correct definition.
ε_c ≥ |Pr[A(x) = 0 : x ←$ X0^n] − Pr[A(x) = 0 : x ←$ X1^n]|
Now, let us examine an alternate way to determine whether two distribution ensembles
are computationally indistinguishable.
For a PPT adversary A, its prediction advantage ε_p satisfies

|Pr[A(x) = b : b ←$ {0,1}, x ←$ X_b^n] − 1/2| ≤ ε_p

Definition 21 (Prediction Indistinguishability). We say that the distribution ensembles {X0^n}n and {X1^n}n have prediction indistinguishability if the prediction advantage is negligible.
We can now ask how the notions of prediction indistinguishability and computational indistinguishability are related. Does prediction indistinguishability imply computational indistinguishability, and vice versa?
Lemma 1. If {X0^n}n and {X1^n}n are computationally indistinguishable, then they also have prediction indistinguishability, and vice versa.
Proof. Assume that the distribution ensembles {X0^n}n and {X1^n}n have prediction advantage ε_p. Then for all PPT A:

ε_p ≥ |Pr[A(x) = b : b ←$ {0,1}, x ←$ X_b^n] − 1/2|
= |Pr[A(x) = 0 : x ←$ X0^n] · Pr[b = 0] + Pr[A(x) = 1 : x ←$ X1^n] · Pr[b = 1] − 1/2|
= |(1/2) · Pr[A(x) = 0 : x ←$ X0^n] + (1/2) · Pr[A(x) = 1 : x ←$ X1^n] − 1/2|
= (1/2) · |Pr[A(x) = 0 : x ←$ X0^n] + Pr[A(x) = 1 : x ←$ X1^n] − 1|
= (1/2) · |Pr[A(x) = 0 : x ←$ X0^n] + (1 − Pr[A(x) = 0 : x ←$ X1^n]) − 1|
= (1/2) · |Pr[A(x) = 0 : x ←$ X0^n] − Pr[A(x) = 0 : x ←$ X1^n]|

Here |Pr[A(x) = 0 : x ←$ X0^n] − Pr[A(x) = 0 : x ←$ X1^n]| is the expression for the distinguishing advantage, so we get

ε_p ≥ ε_c / 2,

where ε_c is the distinguishing advantage. If the distribution ensembles have prediction indistinguishability, ε_p is negligible, and thus ε_c is negligible as well. The reverse direction can be shown similarly, beginning with a computational indistinguishability assumption.
In fact, computational indistinguishability is preserved under efficient computation: if {X0^n}n and {X1^n}n are computationally indistinguishable, then so are {A(X0^n)}n and {A(X1^n)}n for any PPT algorithm A.
Proof. Let us assume that the distribution ensembles {X0^n}n and {X1^n}n are computationally indistinguishable and A is a PPT algorithm. Assume there exists a PPT algorithm B that distinguishes {A(X0^n)}n and {A(X1^n)}n with some non-negligible advantage p(n):

|Pr[B(x) = 0 : x ←$ A(X0^n)] − Pr[B(x) = 0 : x ←$ A(X1^n)]| ≥ p(n)

Thus, the PPT algorithm B(A(·)) (the algorithm that works by first executing A on its input, then executing B on the output of A, and finally outputting whatever B outputs) distinguishes {X0^n}n and {X1^n}n with advantage at least p(n), which contradicts the initial assumption that the distribution ensembles are computationally indistinguishable.
Example We will now informally discuss a very intuitive hybrid argument example. Suppose you are a car manufacturer and you can either buy branded car parts or generic car parts for the car. All your lab tests show that branded and generic parts can't be distinguished. But you are worried that when you actually put together all the generic parts, overall the car might break down or the quality will go down noticeably. Can you prove that it's OK to build a full car from generic parts, assuming that each part in isolation is indistinguishable from the branded one?
Intuitively, we can define hybrids where in each hybrid one more part (motor, then brakes, then lights, etc.) is changed from branded to generic. Note that if we can distinguish one hybrid from the next, we can distinguish the branded from the generic version of the specific part by building a car that uses the given challenge part (for example, the motor) and then using the distinguisher for the two hybrids. Thus, any two consecutive hybrids are indistinguishable. Since there are only polynomially many car parts, we can conclude that security holds by the hybrid lemma.
In the context of computational indistinguishability, one question is particularly inter-
esting: can seeing multiple samples help the adversary distinguish between distributions?
Theorem 8. Given two distribution ensembles {X0^n}n and {X1^n}n, if it holds that

|Pr[A(x) = 0 : x ←$ X0^n] − Pr[A(x) = 0 : x ←$ X1^n]| ≤ ε

for every PPT algorithm A, then it holds that

|Pr[A(x1, . . . , xk) = 0 : x1, . . . , xk ←$ X0^n] − Pr[A(x1, . . . , xk) = 0 : x1, . . . , xk ←$ X1^n]| ≤ kε

for every PPT algorithm A as well.
Proof. We begin by defining the following distributions:

H0 = x1, . . . , xk where ∀i, xi ←$ X0^n
H1 = x1, . . . , xk where x1 ←$ X1^n, and x2, . . . , xk ←$ X0^n
· · ·
Hk = x1, . . . , xk where ∀i, xi ←$ X1^n
Now we prove the following lemma about these distributions:
Lemma 3. For all i ∈ {0, . . . , k − 1} the following holds:

|Pr[A(x) = 0 : x ←$ Hi] − Pr[A(x) = 0 : x ←$ Hi+1]| ≤ ε
Proof. Suppose the statement does not hold. Then there is a PPT adversary A that is able to distinguish between some two distributions Hi, Hi+1 with advantage greater than ε. Given this A, we construct a PPT adversary B against the indistinguishability of X0^n, X1^n. B takes as input a challenge u, where u is sampled either from X0^n or from X1^n, and works as follows:
1 : Set x1, . . . , xi ←$ X1^n.
2 : Set xi+1 = u.
3 : Set xi+2, . . . , xk ←$ X0^n.
4 : Let U = x1, . . . , xk.
5 : Run A(U).
6 : Output X0 if A outputs Hi, and output X1 otherwise.
Note that if u comes from X0^n, then U comes from Hi, and if u comes from X1^n, then U comes from Hi+1. Therefore, B succeeds whenever A succeeds, and thus B can distinguish X0^n and X1^n with advantage greater than ε, which leads to a contradiction.
The theorem follows from the lemma above and the Hybrid Lemma (Lemma 2), ap-
plied to H0 , Hk .
This theorem shows that seeing multiple samples does not help the adversary much: when ε is some negligible function negl(n), kε is negligible as well (for any polynomial k).
We are now ready to return to pseudorandomness and provide formal definitions. Intuitively, a distribution ensemble is pseudorandom if it looks like the uniform distribution to any PPT adversary:

{Xn}n =c {U_{l(n)}}
Now, for pseudorandom generators, we intuitively want to not only have the pseudoran-
domness property itself, but we also want the PRG to be efficiently computable and be
able to extend the length of the original string:
Definition 23 (Pseudorandom Generator (PRG)). A pseudorandom generator G : {0,1}^n → {0,1}^{l(n)} is a deterministic algorithm with the following properties:
1. G(x) can be computed in polynomial time (PT) for every x ∈ {0,1}^n
2. l(n) > n
3. {G(x) : x ←$ {0,1}^n} =c {U_{l(n)}}
The stretch of the PRG G is defined as |G(x)| − |x|.
Construction (1-bit stretch PRG). Let f be a one-way permutation with a hardcore predicate h, and define G(s) = f(s) || h(s).
Claim 4. G is a PRG.
Proof. Obviously G runs in polynomial time, and l(n) = n + 1 > n. Therefore we only have to prove {G(s) : s ←$ {0,1}^n} =c U_{n+1}. Define the following distributions:

H0 = {f(s) || h(s) : s ←$ {0,1}^n}
H1 = {f(s) || U1 : s ←$ {0,1}^n}
H2 = U_{n+1}

First, H0 =c H1 by the security of the hardcore predicate h: no PPT adversary can predict h(s) from f(s) with probability noticeably better than 1/2, so the bit h(s) can be replaced by a uniform bit. Next, since f is a permutation, f(s) is uniformly distributed over {0,1}^n:

∀x ∈ {0,1}^n : Pr[f(s) = x : s ←$ {0,1}^n] = 1/2^n.

Since H1 is the concatenation of f(s) with U1, and H2 is uniform, we have

Pr[x = x′ : x′ ←$ H1] = Pr[x = x′ : x′ ←$ H2] = 1/2^{n+1},

which implies H1 = H2. Therefore, by the transitivity of computational indistinguishability, we get H0 =c H2. Hence, G is a PRG.
Construction (poly-stretch PRG). Given a 1-bit stretch PRG G : {0,1}^n → {0,1}^{n+1}, define Gp : {0,1}^n → {0,1}^{l(n)} as follows: on seed s, compute

s0 ← s
s1 || b1 ← G(s0)
s2 || b2 ← G(s1)
· · ·
s_{l(n)} || b_{l(n)} ← G(s_{l(n)−1})

and output b1 || b2 || · · · || b_{l(n)}.
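A sketch of this iteration in Python, where the 1-bit-stretch PRG G is assumed to be given as a function from a tuple of n bits to a tuple of n + 1 bits (the representation is an assumption of the sketch):

def poly_stretch(G, seed, out_len):
    # Each call maps the current state s_i to (s_{i+1}, b_{i+1});
    # the output of Gp is the bit string b_1 ... b_{out_len}.
    state, bits = seed, []
    for _ in range(out_len):
        out = G(state)
        state, b = out[:-1], out[-1]
        bits.append(b)
    return bits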
Claim 5. Gp is a PRG.
Proof. It is obvious that l(n) > n. Since G runs in polynomial time and Gp invokes G l(n) times, Gp also runs in polynomial time. Therefore, we only have to prove

{Gp(s) : s ←$ {0,1}^n} =c {U_{l(n)}}
For 0 ≤ i ≤ l(n), define the hybrid Hi, in which the first i invocations of G are replaced by independent uniform samples:

s0 ← s
s1 || b1 ←$ U_{n+1}
· · ·
si || bi ←$ U_{n+1}
si+1 || bi+1 ← G(si)
· · ·
s_{l(n)} || b_{l(n)} ← G(s_{l(n)−1})
Suppose a PPT adversary A distinguishes Hi−1 and Hi with noticeable advantage. We construct an adversary B that, given a challenge u which is either G(s) for a uniform s or uniform in {0,1}^{n+1}, embeds u as si || bi and computes the remaining steps as in the construction. Consider the resulting output b1 || · · · || b_{l(n)}: if u is from U_{n+1}, then it comes from Hi, and if u is from G, then it comes from Hi−1. Therefore, B succeeds whenever A succeeds, and thus B distinguishes the output of G from U_{n+1} with a noticeable advantage, which leads to a contradiction.
Note that

H0 = {Gp(s) : s ←$ {0,1}^n}.

The claim follows from the lemma above and the Hybrid Lemma (see Lemma 2), applied to H0 and H_{l(n)} = U_{l(n)}.
Recall that the one-time pad (see 1.2.1) requires that the length of the key equals the length of the message. So how can we encrypt a long message with only a short key? The idea is that using a PRG, we can generate a long key from the short one. Since PRGs are deterministic, we only have to transmit the short key, and the recipient of the message will be able to compute the long key from the short one. Thus, we can now encrypt arbitrarily long messages using a short key. However, this approach has the following limitation: the short key can only be used once. As we will see later, pseudorandom functions will allow us to overcome this limitation.
Definition (Pseudorandom Function (PRF)). An efficiently computable keyed function F : {0,1}^n × {0,1}^{m1} → {0,1}^{m2} is a pseudorandom function (PRF) if for every PPT adversary D,

Pr[D wins the guessing game] ≤ 1/2 + negl(n),
where the guessing game is defined as follows:
We have a challenger C and a PPT adversary D.
1. C samples s ←$ {0,1}^n and a bit b ←$ {0,1}.
2. For i = 1, . . . , q (where q is polynomial in n):
a) D chooses xi ∈ {0,1}^{m1} and sends it to C.
b) If b = 0, C replies with F(s, xi). If b = 1, C picks yi ∈ {0,1}^{m2} uniformly at random and sends it to D. If D has already queried xi (i.e. xi = xj for some j < i), then C responds with yj (the same string as the last time).
3. Finally, D outputs a guess for b. If D is correct, then D wins the game.
3.8.1 Construction
Let g : {0,1}^n → {0,1}^{2n} be a PRG, and for s ∈ {0,1}^n, let g0(s) denote the first n bits of g(s) and g1(s) the last n bits of g(s).
Define F : {0,1}^n × {0,1} → {0,1}^n as follows:

F(s, x) = g0(s) if x = 0, and F(s, x) = g1(s) if x = 1.
We will now use recursion to generalize this approach. Specifically, we can define F : {0,1}^n × {0,1}^m → {0,1}^n in the following way: given a seed s ∈ {0,1}^n and an input x ∈ {0,1}^m, define a sequence of n-bit strings:

s0 = s
s1 = g_{x1}(s0)
s2 = g_{x2}(s1)
· · ·
sm = g_{xm}(sm−1)

and output F(s, x) = sm.
(Figure: the binary tree of seeds used to evaluate F, with edges labeled 0 and 1.)
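A sketch of the tree evaluation in Python; for illustration only, g is instantiated with SHA-256 (treating a hash as a length-doubling PRG is an assumption of this sketch, not a proven fact):

import hashlib

def g(s):
    # Toy length-doubling generator: 32-byte seed -> 64 bytes.
    return hashlib.sha256(s + b"0").digest() + hashlib.sha256(s + b"1").digest()

def prf(seed, x_bits):
    # Walk down the tree: take g0 (left half) on bit 0, g1 (right half) on bit 1.
    state = seed
    for bit in x_bits:
        out = g(state)
        state = out[:32] if bit == 0 else out[32:]
    return state   # F(s, x) = s_m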
A naive hybrid argument would switch the (exponentially many) leaves to uniform one by one; even if the distinguishing advantage is negligible at each step, the total could be noticeable. Hence, we need a smarter approach. Since the height of the tree is m + 1 (which is polynomial in n), and the adversary makes polynomially many queries, the number of evaluations of g is polynomial. Intuitively, we will change the responses to all these queries to uniform. However, it turns out that we can't change the responses one by one, because the responses are generated using the same tree. Instead, we will conduct a hybrid over the levels of the tree.
Proposition 5. The function F defined above is a PRF.
Proof. Since g is deterministic, F is deterministic as well. Additionally, F is
polynomial-time in n (we run g, which is assumed to be poly-time, m times, where m is
polynomial in n). Thus, it suffices to check the second condition of the definition of PRF.
As mentioned, we will conduct a hybrid argument to show that F (s, x) is computationally
indistinguishable from uniform random output for every x that the adversary queries, and
this will allow us to conclude that the second condition of the PRF definition is satisfied.
We define the following hybrids:
H0 : Pick the string s0 at level 0 uniformly at random, and calculate all the subsequent si's as above.
Hi : Mark all nodes visited during the evaluation of the adversary's queries, and pick the strings corresponding to the nodes visited by the adversary at level i uniformly at random. Note that the strings corresponding to nodes up to and including level i are random; further down, we calculate all strings using the PRG as defined by the construction above. Note that we do not need to pick the nodes above level i, since they are not used in the evaluation of the queries.
· · ·
Hm : All strings corresponding to the nodes visited during the evaluation of the adversary's queries, from level 0 up to and including level m, are random.

Intuitively, when evaluating an output for some string x in hybrid Hi, we just skip levels 0 through i − 1, pick a random string for the node visited at level i, and continue the evaluation as usual from there. Notice that Hm just picks all outputs uniformly at random. Now, it suffices to show that the outputs of Hi and Hi+1 are computationally indistinguishable.
Lemma 5. When switching from hybrid Hi to hybrid Hi+1, the adversary's winning probability in the guessing game can change by at most a negligible amount.
Proof. Notice that if D's challenger is using Hi, then the challenger generates all nodes up to and including the i-th level uniformly at random, but for the nodes on the (i + 1)-st level, the challenger uses the PRG g, as described above. In contrast, if the challenger is using Hi+1, then the nodes on the (i + 1)-st level are generated uniformly at random as well. We can define a series of hybrids based on the number q of queries the adversary makes as follows:
Hi [0]: Same as Hi .
Hi [1]: For the first query made by D, generate the node v visited during the evaluation
of D’s query on level i + 1 and its sibling uniformly at random, but use g for all
subsequent queries (unless the node v or its sibling is visited multiple times, then
return the previously generated values).
..
.
Hi [q]: For all queries made by D, generate the nodes visited during the evaluation of D's queries on level i + 1, and their siblings, uniformly at random (if a node or its sibling is visited multiple times for different queries of D, the same string is returned each time).
Notice that for j ∈ {0, . . . , q − 1}, Hi [j] =c Hi [j + 1] holds by the security of the PRG g.
Since Hi [0] = Hi and Hi [q] = Hi+1 and q is polynomial, by the hybrid lemma we get that
Hi and Hi+1 are computationally indistinguishable.
Thus, by the hybrid argument, the output of F is computationally indistinguishable
from uniformly-random output, and we are done.
Remark 11. Another option is to apply a PRG to the PRF output to expand its length. This
construction is analyzed in more detail in future chapters.
Fun with Composition
Part 1 – One-Way Functions
Note that f(x) is a OWF (the proof is similar to that of Proposition 1). Thus, we can use f(x) to construct g(x):

g(x) = (x/2)1 || f′((x/2)2) || x1 || f′(x2)   if x is even
g(x) = x2 || f′(x1) || x1 || f′(x2)   if x is odd
Answer: Yes.
Proof. The main idea is: given f(x′), x is still uniform, and vice versa. We will now provide a formal proof. Suppose g is not a OWF. Then there exists a PPT adversary A which inverts g with some non-negligible probability α. Using A, we can design an adversary B that inverts f with the same probability α as follows:
1. Given the challenge f(x), sample x′ ←$ Un and let y = f(x)||f(x′).
2. Since x′ was sampled uniformly from Un, we can claim that x||x′ comes from the distribution expected as input by g, and thus y comes from the same distribution as the one expected by A. Note that we were not able to take this step in Example 1 or 2 because there was no way to compute f2(x) or f(2x).
3. Run x∗ = A(y). Since A succeeds with probability α, g(x∗) = y with probability α. Let x1 denote the first half of some string x, and x2 the second half. If g(x∗) = y, then it holds that g(x∗) = g(x∗1||x∗2) = f(x∗1)||f(x∗2) = y = f(x)||f(x′), and thus in particular f(x∗1) = f(x). Thus, when we output x∗1 as our guess for x, we succeed with the same probability α.
Since B inverts f with non-negligible probability α and thus breaks the security of the OWF f, we have reached a contradiction, and g must therefore indeed be a OWF.
Symmetric Key Encryption
Recall that we already saw an example of a perfectly secure symmetric encryption – the
one-time pad. Although the one-time pad is perfectly secure, it requires that the key has
the same length as the message. In fact, Shannon’s Theorem tells us that any perfectly
secure symmetric key encryption scheme requires a key which is at least as long as the
message. Obviously, this is not very practical. To bypass this limitation, we need to relax
the security definition. We will now provide a formal definition of symmetric key encryp-
tion and its relaxed security notion:
Recall that we had the following definition for perfect security of the encryption scheme: (Gen, Enc, Dec) is a perfectly secure encryption scheme if and only if for all pairs of messages (m0, m1) and all ciphertexts c the following holds:

Pr[Enc(k, m0) = c : k ← Gen(·)] = Pr[Enc(k, m1) = c : k ← Gen(·)]

Equivalently, we could have said that for all pairs of messages (m0, m1) it holds that
{Enc(k, m0) : k ← Gen(·)} = {Enc(k, m1) : k ← Gen(·)}.
We now introduce the following definition for indistinguishability based security of symmetric encryption:

Definition 26 (indistinguishability based security). (Gen, Enc, Dec) is an indistinguishability based secure symmetric encryption scheme if and only if for all pairs of messages (m0, m1) the following holds:

{Enc(k, m0) : k ← Gen(n)} =c {Enc(k, m1) : k ← Gen(n)}
³ Typically we use 1^κ (i.e. κ in unary) as the security parameter to make sure that Gen runs in time polynomial in the size of its input.
The difference between perfect security and indistinguishability based security is that perfect security requires the distributions {Enc(k, m0) : k ← Gen(n)} and {Enc(k, m1) : k ← Gen(n)} to be identical, while indistinguishability based security only requires them to be computationally indistinguishable. We additionally have the following alternative notion:
Definition 27 (indistinguishability based security, alternative). (Gen, Enc, Dec) is an indistinguishability based secure symmetric encryption scheme if and only if for all pairs of messages (m0, m1) and all PPT adversaries A the following holds:

|Pr[A(Enc(k, mb)) = b : k ← Gen(n), b ←$ {0,1}] − 1/2| ≤ negl(n)
While the first notion of indistinguishability based security is inspired by the compu-
tational indistinguishability definition, the second one is inspired by prediction indistin-
guishability.
Claim 6. Both definitions of indistinguishability based security are equivalent.
Proof. The proof is very similar to the proof of equivalence of computational and prediction indistinguishability. In the following, we show one direction:
Let (Gen, Enc, Dec) be a symmetric key encryption scheme with indistinguishability based security as defined in Definition 26. Then, for any n, m0, m1, and PPT adversary A, define:
• p = Pr[A(Enc(k, m0)) = 0 : k ← Gen(n)]
• p′ = Pr[A(Enc(k, m1)) = 0 : k ← Gen(n)]
Since {Enc(k, m0) : k ← Gen(n)} =c {Enc(k, m1) : k ← Gen(n)}, we know that |p − p′| ≤ negl(n). Additionally, 1 − p′ = Pr[A(Enc(k, m1)) = 1 : k ← Gen(n)]. Let q = Pr[A(Enc(k, mb)) = b : k ← Gen(n), b ←$ {0,1}], which is the probability of A outputting the correct bit b. Then, we get the following:

|q − 1/2| = |Pr[A(Enc(k, m0)) = 0 : k ← Gen(n)] · Pr[b = 0] + Pr[A(Enc(k, m1)) = 1 : k ← Gen(n)] · Pr[b = 1] − 1/2|
= |(1/2) · p + (1/2) · (1 − p′) − 1/2|
≤ |(1/2) · p + (1/2) · (1 − p + negl(n)) − 1/2| = |(1/2) · negl(n)|,

which is negligible, as required.
Given a pseudorandom generator PRG : {0,1}^n → {0,1}^{l(n)}, we can define a symmetric key encryption scheme with indistinguishability based security as follows:
• Gen(n): sample a PRG seed k ←$ {0,1}^n.
• Enc(k, m): output c = m ⊕ PRG(k), for m ∈ {0,1}^{l(n)}.
• Dec(k, c): output m = c ⊕ PRG(k).
To see that the scheme is secure, note that by the security of the PRG,

{m0 ⊕ PRG(k) : k ←$ {0,1}^n} =c {m0 ⊕ R : R ←$ {0,1}^{l(n)}},
{m1 ⊕ PRG(k) : k ←$ {0,1}^n} =c {m1 ⊕ R : R ←$ {0,1}^{l(n)}},

and, since the one-time pad is perfectly secure,

{m0 ⊕ R : R ←$ {0,1}^{l(n)}} = {m1 ⊕ R : R ←$ {0,1}^{l(n)}}
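A sketch of this scheme in Python; the counter-mode SHA-256 expansion below is a stand-in for a real PRG, an assumption of this sketch:

import hashlib, secrets

def prg(seed, out_len):
    # Toy PRG stand-in: expand the seed by hashing it with a counter.
    out = b""
    ctr = 0
    while len(out) < out_len:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:out_len]

def gen(n=32):
    return secrets.token_bytes(n)                           # k <-$ {0,1}^n

def enc(k, m):
    return bytes(a ^ b for a, b in zip(m, prg(k, len(m))))  # c = m XOR PRG(k)

def dec(k, c):
    return bytes(a ^ b for a, b in zip(c, prg(k, len(c))))  # m = c XOR PRG(k)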
Note that the previous construction works only for a single message. However, it is pos-
sible to slightly modify this construction to allow for encryption of multiple messages.
Informally, we store a counter ctr which denotes the sum of the lengths of all messages
m1 ...mn that we sent. When we want to encrypt the (n + 1)-st message mn+1 , we xor mn+1
with bits of P RG(k) starting at ctr + 1. After we send the message, we update the counter:
ctr = ctr + |mn+1 |. Note that this doesn’t satisfy the usual definition since an updatable
counter is needed as input to the encryption and decryption algorithms. The kind of en-
cryption that uses such counters (or any other form of state that is updated with each use
of the encryption) is known as stateful.
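A sketch of the stateful variant, reusing a prg helper like the one above (again an assumption of the sketch); sender and receiver must keep their counters in sync:

class StatefulCipher:
    def __init__(self, key, prg):
        self.key, self.prg, self.ctr = key, prg, 0

    def process(self, data):
        # Encryption and decryption are the same operation: XOR with the
        # next len(data) bits of PRG(k), starting right after position ctr.
        pad = self.prg(self.key, self.ctr + len(data))[self.ctr:]
        self.ctr += len(data)
        return bytes(a ^ b for a, b in zip(data, pad))

Both sides advance ctr by the message length after each message, so no pad bytes are ever reused.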
We formally define the security of a multi-message symmetric key encryption scheme
as follows:
Definition 28. (Gen, Enc, Dec) is a multi-message secure symmetric key encryption scheme if for every choice of message vectors (m^1_0, m^2_0, . . . , m^q_0) and (m^1_1, m^2_1, . . . , m^q_1), where q = poly(n), the following holds:

{(Enc(k, m^1_0), . . . , Enc(k, m^q_0)) : k ← Gen(n)} =c {(Enc(k, m^1_1), . . . , Enc(k, m^q_1)) : k ← Gen(n)}
Using this definition, we will now show that a secure multi-message symmetric key en-
cryption scheme cannot be both stateless and deterministic (encryption that is both state-
less and deterministic means that if a plaintext is encrypted multiple times, the same ci-
phertext is generated each time).
Consider the following PRF-based scheme: Enc(k, m) samples a fresh r ←$ {0,1}^{m1} and outputs the ciphertext (r, m ⊕ PRF(k, r)); Dec(k, (r, c)) outputs c ⊕ PRF(k, r). We will now show that (Gen, Enc, Dec) is indistinguishability based secure using a hybrid argument:
Proof. Let M0 = {m^i_0}_{i=1}^q and M1 = {m^i_1}_{i=1}^q be two vectors of size q, where q = poly(n). Let k ←$ {0,1}^n. Then, we construct the following hybrids:

H0 : {(ri, m^i_0 ⊕ PRF(k, ri))}_{i=1}^q
H1 : {(ri, m^i_0 ⊕ RF(ri))}_{i=1}^q, where RF is a truly random function
H2 : {(ri, m^i_0 ⊕ Ri) : Ri ←$ {0,1}^n}_{i=1}^q
H3 : {(ri, m^i_1 ⊕ Ri) : Ri ←$ {0,1}^n}_{i=1}^q
H4 : {(ri, m^i_1 ⊕ RF(ri))}_{i=1}^q, where RF is a truly random function
H5 : {(ri, m^i_1 ⊕ PRF(k, ri))}_{i=1}^q
First, note that H0 =c H1 because of the security guarantee of the PRF: if there exists an adversary A that distinguishes H0 and H1 with some non-negligible probability, then we can construct another adversary B who wins the guessing game in the PRF definition with probability 1/2 + notice(n). Until A provides an output, in each round i the adversary B works by sampling ri, querying ri from its challenger, and using the response Ri to construct the input (ri, m^i_0 ⊕ Ri) for its internal adversary A. Then, B outputs “PRF” if A outputs “H0”, and “RF” otherwise. B wins with the same probability as A, and since we assume that A wins with some non-negligible probability, we reach a contradiction to the security of the given PRF.
Now, note that if all the ri's were different, then H1 and H2 would be identical distributions. However, if there were some ri = rj, then RF(ri) would be the same as RF(rj), while Ri would differ from Rj with very high probability. Thus, an adversary would be able to distinguish H1 and H2 with very high probability if there were a repeated string in the vector.
However, the probability of some ri being equal to some rj for fixed indices i and j is 1/2^{m1}, so the probability of any two ri, rj being equal is bounded above by (q(q − 1)/2) · (1/2^{m1}), which is negligible. Therefore, any PPT adversary can only distinguish between H1 and H2 with negligible probability, so H1 =c H2.
H2 and H3 are identical because the one-time pad is perfectly secure. H3 is indistinguishable from H4 by the same reasoning as used in the proof of indistinguishability of H1 and H2. H4 is indistinguishable from H5 by the same reasoning as used in the proof of indistinguishability of H0 and H1. By the hybrid lemma, we are done.
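A sketch of the scheme analyzed above, with HMAC-SHA256 standing in for the PRF (an assumption of this sketch; messages are limited to 32 bytes here to keep it short):

import hmac, hashlib, secrets

def prf(k, r):
    # PRF stand-in: HMAC-SHA256 keyed with k, evaluated at the point r.
    return hmac.new(k, r, hashlib.sha256).digest()

def enc(k, m):
    # Fresh randomness r for every message; ciphertext is (r, m XOR PRF(k, r)).
    assert len(m) <= 32
    r = secrets.token_bytes(16)
    return r, bytes(a ^ b for a, b in zip(m, prf(k, r)))

def dec(k, ct):
    r, c = ct
    return bytes(a ^ b for a, b in zip(c, prf(k, r)))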
Fun with Hybrids
Part 2 – Encryption Schemes
We now continue with the hybrid lemma application examples. In this chapter, we will
focus on the examples considering encryption schemes. In all the examples below, we will
assume that the encryption schemes used as building blocks in the new construction are
secure.
In the following, Enc(k, m; r) denotes running the Enc algorithm with input (k, m) and
random tape r.
Example 4 Does it hold that Enc(k, m1; r)||Enc′(k′, m1; r′) ≈c Enc(k, m2; r)||Enc′(k′, m2; r′)?
Answer: Yes.
Proof. Consider the following hybrids:
1. H0 : {Enc(k, m1; r)||Enc′(k′, m1; r′)}
2. H1 : {Enc(k, m1; r)||Enc′(k′, m2; r′)}
3. H2 : {Enc(k, m2; r)||Enc′(k′, m2; r′)}
Informally, H0 is computationally indistinguishable from H1 by the indistinguishability based security of Enc′. Similarly, H1 is computationally indistinguishable from H2 by the indistinguishability based security of Enc. Intuitively, we can step from H0 to H1 and from H1 to H2 since the parameters for each encryption in the concatenation are completely independent, so we do not break the requirement that the randomness and the key are chosen uniformly at random. Unlike OWFs, encryption schemes do not require the message to be chosen at random.
Example 5 Does it hold that Enc(k, m1 ; r)||Enc0 (k, m1 , r0 ) ≈c Enc(k, m2 ; r)||Enc0 (k, m2 , r0 )?
Answer: No.
Proof. We now provide intuition for why the claim is not true. Let us try to use the same
hybrid approach as in the previous example:
1. H0 : {Enc(k, m1 ; r)||Enc0 (k, m1 ; r0 )}
2. H1 : {Enc(k, m1 ; r)||Enc0 (k, m2 ; r0 )}
Already, we have made an incorrect step in our hybrid argument: H0 ≉c H1. The reason is that both encryptions Enc and Enc′ use the same key k. It is possible for the two encryptions to each leak some part of k that, when combined, allows an adversary to use k to distinguish between {Enc′(k, m1; r′)} and {Enc′(k, m2; r′)}, which would mean H0 ≉c H1. (For example, suppose Enc leaked the first half of k and only used the second half for security, while Enc′ leaked the second half and used the first half for security.) Hence the hybrid argument breaks down and we cannot continue.
To summarize: given Enc0 (k, m; r), k may no longer be uniform.
Example 6 Does it hold that Enc(k, m1 ; r)||Enc(k, m1 ; r0 ) ≈c Enc(k, m2 ; r)||Enc(k, m2 ; r0 )?
Answer: No in general (it depends on the scheme).
Proof. Looking at the question another way, what it is really asking is if the scheme is
multi-message secure. If it is not, then the hybrid argument fails:
1. H0 : {Enc(k, m1 ; r)||Enc(k, m1 ; r0 )}
2. H1 : {Enc(k, m1 ; r)||Enc(k, m2 ; r0 )}
3. H2 : {Enc(k, m2 ; r)||Enc(k, m2 ; r0 )}
Note that if Enc is multi-message secure, we can claim that H0 is computationally indistinguishable from H1 (and H1 is computationally indistinguishable from H2). If the scheme is not multi-message secure, we cannot make such claims about H0 and H1 (and H1 and H2). Intuitively, if we tried to argue that Enc is insecure whenever H0 and H1 are distinguishable, the reduction would fail: to construct an input to the distinguisher, we would need to know k ourselves (to compute Enc(k, m1; r)).
Example 7 Does it hold that Enc(k, m1 ; r)||Enc0 (k 0 , m1 ; r) ≈c Enc(k, m2 ; r)||Enc0 (k 0 , m2 ; r)?
Answer: No.
Proof. We provide an intuition. Similar to Example 5, the hybrid argument fails here: for an encryption scheme to be secure, the randomness must be sampled uniformly at random, and here it is shared between the two encryptions. An adversary given both encryptions computed with the same randomness may have enough information to distinguish between the distributions of the encryption scheme on m1 vs. m2. Exploring this further:
1. H0 : {Enc(k, m1 ; r)||Enc0 (k 0 , m1 ; r)}
2. H1 : {Enc(k, m1 ; r)||Enc0 (k 0 , m2 ; r)}
At this point, we cannot claim H0 ≈c H1 .
1. Suppose an adversary A exists which can distinguish H0 from H1 with non-
negligible probability. Then we will attempt to build adversary B against Enc0 .
2. Take A’s choices for m1 and m2 and send them to the challenger for B. Receive a ciphertext c which is either Enc′(k′, m1; r) or Enc′(k′, m2; r).
3. In order to use A to win the game against the challenger for B, we need to construct
an input which is indistinguishable from the proposed scheme’s ciphertext. To do
this, we need to compute Enc(k, m1 , r) to prepend to c. However, we cannot do so
since the random choice r is the same for Enc and Enc0 , and we do not know it.
To summarize: given Enc(k, m1; r), r may no longer be uniform.
Facts from Number and Group Theory
In the previous lecture, we introduced the syntax of the symmetric key encryption scheme,
where the same key is used for encryption and decryption procedures. However, it is not
always feasible for the sender and the recipient to share and agree on the same secret
key. In subsequent lectures, we will introduce public-key encryption schemes where the
encryption and decryption keys are different but mathematically related. Such schemes
are based on the assumption that certain problems in number theory are hard. To better
understand such schemes, we need to recap some basic facts from number theory and
group theory.
In the following, we will use the following notation:
• N = set of all natural numbers ({1, 2, 3, . . .})
• R = set of all real numbers (e.g., 5.25)
• Z = set of all integers ({. . . , −2, −1, 0, 1, 2, . . .})
• For integers (a, b), gcd(a, b) denotes the greatest common divisor (the largest number which divides both a and b).
Remark 12. The Greatest Common Divisor (GCD) can be computed in polynomial time using the Extended Euclidean Algorithm (EEA). Additionally, the EEA allows us to compute (x, y) for any (a, b) such that ax + by = gcd(a, b).
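As an illustration, here is a short Python sketch of the EEA and of the modular inverse it yields (function names are ours):

```python
def extended_gcd(a: int, b: int):
    # Returns (g, x, y) with a*x + b*y = g = gcd(a, b).
    if b == 0:
        return a, 1, 0
    g, x, y = extended_gcd(b, a % b)
    # From b*x + (a % b)*y = g and a % b = a - (a//b)*b,
    # we get a*y + b*(x - (a//b)*y) = g.
    return g, y, x - (a // b) * y

g, x, y = extended_gcd(240, 46)
assert g == 2 and 240 * x + 46 * y == g

# Theorem 10 in action: a modular inverse of b mod a when gcd(a, b) = 1.
def mod_inverse(b: int, a: int) -> int:
    g, _, y = extended_gcd(a, b)
    assert g == 1, "b must be relatively prime to a"
    return y % a

assert (7 * mod_inverse(7, 40)) % 40 == 1
```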
Theorem 10. If a, b are relatively prime (i.e., gcd(a, b) = 1) and a > b, then there exists y s.t.
by ≡ 1 mod a
Proof. Using the EEA, we can get x, y such that ax + by = gcd(a, b) = 1. Reducing both sides modulo a, the term ax vanishes, and therefore by ≡ 1 mod a.
5.1 Groups
Informally, the Discrete Log Problem for multiplicative prime-order groups is the problem
that given such a group Gq and an element g x , where g is a generator, we want to try to
find x (x is called the discrete logarithm of g x ). In cryptography (in particular in certain
public-key encryption schemes), it is assumed that for certain groups this problem is hard.
Remark 16. CDH is a stronger assumption than the DLA, since we are assuming something extra compared to the DLA.5 Note that an algorithm solving the Discrete Log problem can also solve the CDH problem: given g^x, g^y, recover y from g^y by computing the discrete log, and then compute g^{xy} = (g^x)^y.
Intuitively, the decisional Diffie-Hellman (DDH) assumption means that given g^x, g^y randomly chosen from Gq, it is hard to distinguish g^{xy} from some random g^r in Gq in probabilistic polynomial time.
Remark 17. DDH is a stronger assumption than CDH: an algorithm solving CDH would break DDH, since given g^x, g^y, g^r it could compute g^{xy} and compare it with g^r.
Key Agreement
In the last chapter, we introduced the decisional Diffie-Hellman assumption. Now we will see that this is indeed a very useful assumption and describe a key exchange protocol that is based on this assumption.
Key exchange is a way for cryptographic keys to be exchanged between two parties over a public channel. This is necessary in symmetric cryptographic schemes like the one-time pad, where the sender and the receiver must agree on a key in order for messages to be encrypted and later decrypted.
More formally, we consider two PPT parties A and B with private randomness rA
and rB , respectively. Parties A and B interact with each other over multiple rounds. Let
n denote the size of the randomness, and π the key exchange protocol. Then, π(rA , rB )
denotes the execution of the protocol π between parties A and B that use randomness
rA and rB . The protocol execution results in a transcript τ , consisting of the sequence of
messages exchanged between A and B. The view of the party A in the protocol is (rA , τ ),
and view of the party B is (rB , τ ). In the end, party A outputs kA = compute key(rA , τ ),
and party B outputs kB = compute key(rB , τ ), where compute key is a PPT algorithm.
Definition 38 (Key Exchange Protocol (KEP)). A key exchange protocol (KEP) must satisfy the following two properties:
1. Correctness: If both parties A and B are honest, kA must be equal to kB:
Pr_{rA,rB}[kA = kB] = 1
Note that if kA = kB, then we can simply denote k = kA = kB.
2. Security: Consider a passive PPT adversary E (an eavesdropper) observing all messages transmitted over the network. The view of E is τ. Denote the length of the key k by κ. Then, the protocol is secure if the following holds:
{k, τ} =c {Uκ, τ}
Alternatively, the protocol is secure if for all PPT E the following holds:
|Pr[E(k, τ) = 1 : rA, rB ←$ Un, τ = π(rA, rB)] − Pr[E(Uκ, τ) = 1 : rA, rB ←$ Un, τ = π(rA, rB)]| ≤ negl(κ).
We are now ready to introduce a classic key exchange protocol designed by Diffie and
Hellman in 1976.
Let Gq be a group where the DDH assumption holds. Let g ∈ Gq be a generator in this
group. The protocol proceeds as follows.
• A picks rA = x ←$ Z∗q as its own private randomness. Then, A sends X = g^x to B.6
• B picks rB = y ←$ Z∗q as its own private randomness. Then, B sends Y = g^y to A.
• A outputs key kA = Y^x, and B outputs key kB = X^y.
6 Remember that g x is computed using the group operation (rather than plain multiplication).
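The following toy Python sketch runs the protocol in a small prime-order group (the parameters p = 2039, q = 1019, g = 4 are our illustrative choices; real deployments use groups of cryptographic size):

```python
import secrets

# Toy parameters: p is a safe prime, q = (p-1)/2 is prime, and g = 2^2
# is a quadratic residue, hence a generator of the order-q subgroup of Z_p^*.
p, q, g = 2039, 1019, 4

x = secrets.randbelow(q - 1) + 1   # A's private randomness rA = x
y = secrets.randbelow(q - 1) + 1   # B's private randomness rB = y

X = pow(g, x, p)                   # A sends X = g^x to B
Y = pow(g, y, p)                   # B sends Y = g^y to A

k_A = pow(Y, x, p)                 # A computes Y^x = g^{xy}
k_B = pow(X, y, p)                 # B computes X^y = g^{xy}
assert k_A == k_B                  # correctness: both derive the same key
```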
Public Key Encryption
As we have seen in the previous chapter, using a symmetric key has some issues: if a party wants to communicate with N other parties, it first needs to agree on a joint key with each communication partner, and then store all N shared keys. Public key cryptography allows us to drop this requirement. Instead of a shared key generated for each conversation, each party has a public key that can be disseminated widely, and a secret key that must be kept private. To send messages to party A, other parties use A’s public key. To decrypt the received messages, A uses its secret key. In the late 1980s and early 1990s, public key encryption was considered too slow and therefore remained a largely theoretical research topic. Now, given faster computers, public key encryption is widely used.
Like symmetric key encryption, public key encryption also consists of three algorithms.
Definition 39 (Public Key Encryption (PKE)). A public key encryption scheme consists of
three algorithms (Gen, Enc, Dec) defined below:
• (pk, sk) ← Gen(κ). The PPT key generation algorithm Gen takes as input a security
parameter κ and generates a public key pk and a secret key sk.
• c ← Enc(pk, m). The PPT encryption algorithm Enc takes as input a public key pk
and a message m, and outputs a ciphertext c.
• m ← Dec(sk, c). The deterministic polynomial time decryption algorithm Dec takes
as input a secret key sk and a ciphertext c, and outputs a plaintext message m.
The public key encryption scheme must satisfy the following requirements:
• Correctness: For all messages m the following holds:
Pr[Dec(sk, Enc(pk, m)) = m : (pk, sk) ← Gen(κ)] = 1
• Security: For every pair of messages (m0, m1), the following holds:
{pk||Enc(pk, m0) : (pk, sk) ← Gen(κ)} =c {pk||Enc(pk, m1) : (pk, sk) ← Gen(κ)}
Alternatively, the security holds if for all pairs of messages (m0, m1) and for all PPT adversaries A the following holds:
|Pr[A(pk, Enc(pk, mb)) = b : (pk, sk) ← Gen(κ), b ←$ {0, 1}] − 1/2| ≤ negl(κ)
As we did for symmetric key encryption, we now provide a formal definition for a multi-
message secure public key encryption scheme.
Definition 40 (Multi-Message Public Key Encryption, security requirement). For every
choice of vectors (m10 , m20 , · · · , mq0 ) and (m11 , m21 , · · · , mq1 ), where q = poly(n), the following
holds:
{pk||{Enc(pk, mi0 )}qi=1 : (pk, sk) ← Gen(n)} =c {pk||{Enc(pk, mi1 )}qi=1 : (pk, sk) ← Gen(n)}
We will now show that for public key encryption, our standard security notion already
implies the multi-message security.
Theorem 18. Every one-time secure PKE (Definition 39) is also multi-time secure.
Proof. We use the hybrid argument. Given two message vectors (m10 , m20 , · · · , mq0 ) and
(m11 , m21 , · · · , mq1 ), we construct hybrids H0 , ..., Hq as follows: let H0 be the set of encryp-
tions of the messages (m10 , m20 , · · · , mq0 ). We slowly (one message at a time) change the set
to encryptions of the messages in the second vector, and eventually arrive at Hq , the set of
encryptions of the messages (m_1^1, m_1^2, · · · , m_1^q):
Hk := {pk||Enc(pk, m_1^1), . . . , Enc(pk, m_1^k), Enc(pk, m_0^{k+1}), . . . , Enc(pk, m_0^q) : (pk, sk) ← Gen(n)}
First, we prove the following claim about any two consecutive hybrids:
Claim 7. If a PKE is one-time secure, then for all k ∈ {1, 2, · · · , q}, Hk−1 =c Hk .
Proof. Assume for the sake of contradiction that there exists some k ∈ {1, 2, · · · , q} such
that Hk−1 is not computationally indistinguishable from Hk . Then, by the definition of
computational indistinguishability, there exists a PPT adversary A who can distinguish
Hk−1 from Hk with a non-negligible probability. Using A, we can construct a PPT ad-
versary B that distinguishes between encryptions of some two messages (m0 , m1 ) with a
non-negligible probability:
• B receives a challenge public key pk.
• B runs A, sends it pk, and receives two sets of messages (m10 , m20 , · · · , mq0 ) and
(m11 , m21 , · · · , mq1 ).
• B sends the k-th messages (m_0^k, m_1^k) to its challenger and receives a challenge c.
• B constructs a vector S of encrypted messages by encrypting the first k − 1 elements from the second vector and the last q − k elements from the first vector. The k-th element is the challenge c. Formally,
S = pk||Enc(pk, m_1^1), . . . , Enc(pk, m_1^{k−1}), c, Enc(pk, m_0^{k+1}), . . . , Enc(pk, m_0^q)
• B sends S to A and outputs whatever A outputs. If c encrypts m_0^k, then S is distributed exactly as Hk−1; if c encrypts m_1^k, then S is distributed exactly as Hk. Hence B distinguishes the encryptions of (m_0^k, m_1^k) with the same non-negligible probability with which A distinguishes Hk−1 from Hk, contradicting the one-time security of the PKE.
Since any two consecutive hybrids are indistinguishable for every choice of message vectors (m_0^1, m_0^2, · · · , m_0^q) and (m_1^1, m_1^2, · · · , m_1^q), the hybrid lemma implies that H0 =c Hq. We have thus shown that if a PKE is single-message secure, then it is also multi-message secure.
We now introduce the ElGamal public key encryption scheme, which is closely related to
the Diffie-Hellman key exchange protocol introduced in the last chapter. We first describe
the idea at a high level:
Recall that in Diffie-Hellman key exchange, given a generator g of a group Gq, two parties A and B each sample a random element rA, rB from Z∗q, and send g^rA (respectively, g^rB) to the other party. In the end, both parties share a common secret key g^{rA·rB} that can be used for encrypting messages between them.
Note that g^rA, g^rB are recorded in the transcript in the clear. Suppose A needs to receive a message from B. Then, A could publish g^rA, and B could send (g^rB, cB) to A, where cB is a message encrypted using g^{rA·rB}. A can first compute g^{rA·rB} in the same way as in Diffie-Hellman key exchange, and then decrypt cB. This is the core idea of the ElGamal encryption scheme.
We now formally describe this encryption scheme, and prove its correctness and secu-
rity.
7.3.1 Construction
Let Gq be a group over which the decisional Diffie-Hellman Assumption holds. Let g ∈ Gq
be a generator. The encryption scheme consists of the following three algorithms:
• Gen(n): sample x ←$ Z∗q and return (pk = g^x, sk = x).
• Enc(pk, m): sample r ←$ Z∗q and return (g^r, pk^r · m).
• Dec(sk, (c1, c2)): return c2 · c1^{−sk}.
Given (pk = g^x, sk = x) ← Gen(n), and any message m ∈ Gq, the correctness of the scheme is shown in the following derivation:
Dec(sk, (g^r, pk^r · m)) = pk^r · m · (g^r)^{−x} = g^{xr} · m · g^{−xr} = m
We now prove that the ElGamal scheme satisfies the public key encryption security definition. Consider the following hybrids:
H0 = {g^x, g^r, g^{xr} · m0 : x, r ←$ Z∗q}
H1 = {g^x, g^r, g^z · m0 : x, r, z ←$ Z∗q}
H2 = {g^x, g^r, g^z : x, r, z ←$ Z∗q}
H3 = {g^x, g^r, g^z · m1 : x, r, z ←$ Z∗q}
H4 = {g^x, g^r, g^{xr} · m1 : x, r ←$ Z∗q}
Here H0 =c H1 and H3 =c H4 follow directly from the DDH assumption, while H1, H2 and H3 are identically distributed, since g^z · m acts as a one-time pad in the group Gq. By the hybrid lemma, H0 =c H4.
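For concreteness, here is a toy Python sketch of the ElGamal algorithms in the same small group as before (the parameters are our illustrative choices, far too small to be secure):

```python
import secrets

# Toy group: quadratic residues modulo the safe prime p = 2q + 1,
# a group of prime order q in which DDH is conjectured to hold.
p, q, g = 2039, 1019, 4

def gen():
    x = secrets.randbelow(q - 1) + 1
    return pow(g, x, p), x                         # (pk = g^x, sk = x)

def enc(pk: int, m: int):
    r = secrets.randbelow(q - 1) + 1
    return pow(g, r, p), (pow(pk, r, p) * m) % p   # (g^r, pk^r * m)

def dec(sk: int, c):
    c1, c2 = c
    # c2 * c1^{-sk} = pk^r * m * g^{-xr} = m
    return (c2 * pow(c1, -sk, p)) % p

pk, sk = gen()
m = pow(g, 77, p)                                  # messages are group elements
assert dec(sk, enc(pk, m)) == m
```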
The RSA encryption scheme is another public key encryption scheme. While ElGamal relies on the decisional Diffie-Hellman assumption, RSA relies on the RSA assumption. We first describe the RSA function and state the RSA assumption.
Definition 41 (RSA function). Let Pn denote the set of prime numbers of length n. We construct the RSA function fN,e as follows:
• Sample p, q ←$ Pn, and set N = p · q.
• Choose e ∈ Z∗φ(N) (i.e., e is relatively prime to φ(N), and 1 ≤ e ≤ φ(N)).
• For x ∈ Z∗N, fN,e(x) = x^e mod N.
In the above definition, N is called the RSA modulus, and φ(N) is Euler’s phi function (φ(N) = |Z∗N| = (p − 1)(q − 1)).
Looking a bit ahead, informally, the RSA assumption states that inverting the RSA function is hard. However, given some additional information, inverting becomes easy. Note that given φ(N), since e is relatively prime to φ(N), the Extended Euclidean algorithm efficiently computes two coefficients x, y ∈ Z such that
ex + φ(N)·y = 1
Taking the above equation modulo φ(N), we get ex ≡ 1 mod φ(N). That is, there always exists d such that ed ≡ 1 mod φ(N). Now, given d as described above and a value fN,e(m) = m^e mod N, we can compute
(m^e)^d = m^{ed} = m^{1+k·φ(N)} = m · (m^{φ(N)})^k ≡ m mod N
The last step follows from Euler’s theorem, which states that for all a and b that are relatively prime, a^{φ(b)} ≡ 1 mod b. Since m ∈ Z∗N, m and N are indeed relatively prime.
We have shown that given d, it becomes easy to invert the RSA function. For this
reason, d is called the trapdoor of the RSA function fN,e .
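The following toy Python sketch illustrates the trapdoor: computing fN,e is easy, and with d the function can be inverted (the primes are our illustrative choices and far too small to be secure):

```python
from math import gcd

# Toy RSA parameters (real moduli are thousands of bits).
p, q = 1009, 1013
N = p * q
phi = (p - 1) * (q - 1)
e = 17
assert gcd(e, phi) == 1

d = pow(e, -1, phi)         # trapdoor: e*d = 1 mod phi(N)

x = 4242                    # an element of Z_N^*
y = pow(x, e, N)            # forward direction: easy
assert pow(y, d, N) == x    # with the trapdoor d, inversion is easy too
```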
3. (Polynomial time) Given i, fi(x) can be computed in polynomial time for all i ∈ In and x ∈ Di.
4. (Hard to invert) For all PPT adversaries A the following holds:
Pr[y = fi(x′) : (i, t) ← G(n), x ←$ Di, y ← fi(x), x′ ← A(i, y)] ≤ negl(n)
5. (Inverts with trapdoor) There exists a PPT algorithm I such that I(t, fi(x)) = x for all i ∈ In and x ∈ Di.
Given such a trapdoor OWP family together with a hardcore predicate hi for fi, we can encrypt single-bit messages as follows:
• Gen(κ): sample ((i, fi, hi), t) and output pk = (i, fi, hi), sk = t.
• Enc(pk, m): sample r ←$ Di and output c = (fi(r), hi(r) ⊕ m).
• Dec(sk, c = (c1, c2)): recover r from c1 using the trapdoor t and the inverting algorithm I, and then output m = c2 ⊕ hi(r).
Notice that this construction is indeed a secure public-key encryption scheme. Correctness follows from the properties of the trapdoor OWP. Now consider the security property. Note that pk = (i, fi, hi). Thus, we need to show that for all (m0, m1) the following holds:
{(i, fi, hi)||(fi(r), hi(r) ⊕ m0) : ((i, fi, hi), t) ← Gen(κ), r ←$ Di}
=c {(i, fi, hi)||(fi(r), hi(r) ⊕ m1) : ((i, fi, hi), t) ← Gen(κ), r ←$ Di}
Consider the following hybrids:
H0 := {(i, fi, hi)||(fi(r), hi(r) ⊕ m0) : ((i, fi, hi), t) ← Gen(κ), r ←$ Di}
H1 := {(i, fi, hi)||(fi(r), b ⊕ m0) : ((i, fi, hi), t) ← Gen(κ), r ←$ Di, b ←$ {0, 1}}
H2 := {(i, fi, hi)||(fi(r), b ⊕ m1) : ((i, fi, hi), t) ← Gen(κ), r ←$ Di, b ←$ {0, 1}}
H3 := {(i, fi, hi)||(fi(r), hi(r) ⊕ m1) : ((i, fi, hi), t) ← Gen(κ), r ←$ Di}
Here H0 =c H1 and H2 =c H3 because hi(r) is computationally indistinguishable from a random bit b even given fi(r) (the hardcore predicate property), and H1 and H2 are identically distributed, since b ⊕ m acts as a one-time pad.
MAC and Hash Functions
Suppose Alice sends Bob a message encrypted with a one-time pad, and Eve knows that the message is “Attack”. Then Eve can flip exactly the right ciphertext bits to change the message to “Defend”:
c′ = c ⊕ “Attack” ⊕ “Defend”
Thus, after intercepting some ciphertext c from Alice, Eve changes it to c′ and sends it to Bob. In this case, although Eve knows nothing about the shared key between Alice and Bob, she can still change the message.
Similarly, in the RSA context, say the message being sent is m. Eve can easily change the message to 2m by multiplying the ciphertext with 2^e mod N:
c′ = c · 2^e mod N = (2m)^e mod N
• Unforgeability: The probability of any PPT adversary A winning the forging game defined below is negligible.
Forging Game
The game is played between a challenger C and an adversary A as follows:
• Sampling: C samples k ← Gen(n).
• Learning: A sends mi to C, and C replies with σi = MAC(k, mi). This step is repeated l(n) times, where l is polynomial in n.
• Guessing: A outputs (m, σ). A wins if m ≠ mi for all i and Verify(k, m, σ) = 1.
Intuitively, the forging game allows an adversary to see polynomially many valid MACs on messages of its choosing. In the end, the adversary needs to generate a new valid (message, MAC) pair.
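As an illustration of the MAC syntax, here is a minimal Python sketch that instantiates MAC heuristically with HMAC-SHA256 (our choice; the notes do not fix a concrete construction here):

```python
import hmac, hashlib, os

def mac_gen(n: int = 32) -> bytes:
    return os.urandom(n)                             # k <- Gen(n)

def mac(k: bytes, m: bytes) -> bytes:
    return hmac.new(k, m, hashlib.sha256).digest()   # sigma = MAC(k, m)

def verify(k: bytes, m: bytes, sigma: bytes) -> bool:
    # Verification recomputes the tag; compare_digest avoids timing leaks.
    return hmac.compare_digest(mac(k, m), sigma)

k = mac_gen()
sigma = mac(k, b"pay Bob 10 dollars")
assert verify(k, b"pay Bob 10 dollars", sigma)
assert not verify(k, b"pay Bob 1000 dollars", sigma)
```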
We now introduce another useful cryptographic primitive - Collision Resistant Hash Functions (CRHFs). Intuitively, hash functions allow one to compress a message and are widely used in multiple cryptographic schemes. First we introduce the so-called universal hash functions:
Definition 45. A set H is a family of Universal Hash Functions if for every x ≠ y the following holds:
Pr[h(x) = h(y) : h ← H] ≤ 1/|R|,
where R is the range of h.
Now we introduce the so-called Collision Resistant Hash Functions:
Definition 46 (Collision Resistant Hash Functions (CRHF)). A family of functions H = {hi : Di → Ri}i∈I is a CRHF family if
• Sampling: There exists a PPT algorithm Gen which outputs i ∈ I such that hi is a uniformly random element of H.
• Easy to evaluate: For all i ∈ I, x ∈ Di, hi(x) can be computed in polynomial time.
• Compressing: For all i ∈ I, |Di| > |Ri|.
• Collision Resistance: For all PPT adversaries A the following holds:
Pr[hi(x) = hi(y) AND x ≠ y : i ← Gen(n), (x, y) ← A(i)] ≤ negl(n)
Intuitively, a CRHF is compressing since |Di| > |Ri|, so there must be several inputs that map to the same output. However, due to the collision resistance property it must be hard for an adversary to find such a collision.
8.2.1 Facts
• Fact 1: No single function h can be collision resistant.
Every hash function necessarily has collisions because of the compression property: since |Di| > |Ri|, the pigeonhole principle guarantees that some inputs will hash to the same output. Collision resistance does not mean that no collisions exist; it only means that they are hard to find. With only one fixed h, there exists a PPT adversary that simply has two inputs with the same output hard-coded in its code description. When we use a family of functions H, an adversary can no longer hard-code a collision pair for every hash function in the family, so finding collisions becomes computationally hard.
• Fact 2: A “sufficiently” compressing CRHF family implies one-way functions.
Proof. Say that for all i ∈ I it holds that |hi(x)| ≤ |x|/2. Then we claim that hi is also a one-way function. Suppose this is not true, and there exists a PPT adversary A who is able to invert hi with noticeable probability. Then we can construct a PPT algorithm B that is able to find collisions with noticeable probability as follows:
1. Sample x.
2. Invoke A on y = hi(x) and get x′.
3. If x ≠ x′, output (x, x′) as a collision.
Thus we have:
Pr[B finds a collision] = Pr[A successfully inverts hi AND x ≠ x′]
= Pr[A successfully inverts hi] · Pr[x ≠ x′]
= notice(n) · (1 − 1/(number of preimages of y))
= notice(n)
Note that the second step holds because the event that A successfully inverts hi is independent of the event that x ≠ x′.
The last step holds because we assume that the length of the CRHF output is at most half the length of the input. Suppose toward contradiction that only some negligible fraction p/|Ri| of outputs have two or more preimages. Denote the set of these outputs by S (its size is p). Then, because the length of the output is at most half the length of the input, the fraction of inputs that map to one of the elements in S is 1 − negl (outputs outside S have a unique preimage, and there are at most |Ri| of them, a negligible fraction of the much larger input space Di). Thus, we can construct an adversary B′ that finds collisions simply by sampling and outputting two input elements x1, x2. The probability that both of these elements map to some elements in S is (1 − negl)^2. Then, the probability that both x1 and x2 map to the same element in S is at least (1 − negl)^2 · (1/p). Since the fraction p/|Ri| is negligible, 1/p is noticeable, and thus (1 − negl)^2 · (1/p) is noticeable as well. Thus, B′ is able to find a collision with noticeable probability, which is a contradiction to the collision resistance property. Therefore, a noticeable fraction of outputs must have two or more preimages, and thus the last step of the equation holds.
Since a CRHF family has the collision resistance property, the probability of B winning must be negligible. Thus, we reach a contradiction, and hi is one-way.
We now provide a construction of a hash function that is based on the discrete logarithm assumption.
Let G be a group with generator g ∈ G and |G| = q, where q is a prime such that p = 2q + 1 is also prime (q is a Sophie Germain prime), and elements of G are represented with log(p) bits. We define the hash function as follows:
• Gen(n): Sample r ← Z∗q, and set h = g^r. Output i = h.
• Evaluate(h, x): Parse x as (x0||x1) (it must hold that x0, x1 ∈ Zq). Output g^{x0}·h^{x1} ∈ G.
Note that in this construction h is sampled uniformly at random from G, and g^{x0}·h^{x1} clearly can be computed in polynomial time. Since g^{x0}·h^{x1} ∈ G, the size of the output is log(p) bits. Since x = x0||x1, where x0, x1 ∈ Zq, the size of the input is 2·log(q) bits. Thus, the construction compresses the input to roughly half of its length.
Now we prove the collision resistance of this construction. Suppose there exists an adversary A who can output x = (x0, x1) and x′ = (x′0, x′1) such that (x0, x1) ≠ (x′0, x′1) AND g^{x0}·h^{x1} = g^{x′0}·h^{x′1} with some noticeable probability. Then, we can construct an adversary B which is able to compute the discrete log of h with noticeable probability as follows:
1. Take h as input.
2. Execute A on h to get x = (x0, x1) and x′ = (x′0, x′1).
3. Compute the discrete log as follows: r = (x0 − x′0)/(x′1 − x1) (mod q).
Intuitively, after executing A, we get x = (x0, x1) and x′ = (x′0, x′1) such that with noticeable probability x ≠ x′ and the following holds:
g^{x0}·h^{x1} = g^{x′0}·h^{x′1}
g^{(x0 + r·x1) mod q} = g^{(x′0 + r·x′1) mod q}
(x0 + r·x1) mod q = (x′0 + r·x′1) mod q
Note that if x1 ≠ x′1, then r = (x0 − x′0)/(x′1 − x1) (mod q) does not involve a division by zero (and if x1 = x′1, the equation above forces x0 = x′0, contradicting x ≠ x′). Thus, since A can find x and x′ with noticeable probability, B can compute the discrete log of h with noticeable probability, which is a contradiction to the discrete logarithm assumption.
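Here is a short Python sketch of this construction in the same toy group as before (the parameters are our illustrative choices):

```python
import secrets

# Toy prime-order group: |G| = q = 1019, p = 2q + 1 = 2039, generator g = 4.
p, q, g = 2039, 1019, 4

def gen() -> int:
    r = secrets.randbelow(q - 1) + 1
    return pow(g, r, p)                # i = h = g^r (the exponent r is discarded)

def evaluate(h: int, x0: int, x1: int) -> int:
    # Input (x0, x1) in Z_q x Z_q, output g^{x0} * h^{x1} in G.
    assert 0 <= x0 < q and 0 <= x1 < q
    return (pow(g, x0, p) * pow(h, x1, p)) % p

h = gen()
digest = evaluate(h, 123, 456)
# Exhibiting (x0, x1) != (x0', x1') with equal digests would reveal the
# discrete log of h, contradicting the discrete logarithm assumption.
```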
There are generally three security goals for authentication methods, including hashes, MACs and digital signatures:
• Integrity: Can the recipient be confident that the message has not been modified?
• Authentication: Can the recipient be confident that the message originates from the
sender?
• Non-repudiation: If the recipient passes the message and the proof to a third party,
can the third party be confident that the message originated from the sender?
It is also important to note that if the recipient and the sender share a secret key, the
message authentication code method we discussed in this chapter can fulfil the first and
second requirements. Unfortunately, it does not achieve non-repudiation. Digital signa-
tures can fulfil all three requirements, but require asymmetric keys to implement. We will
discuss how digital signatures work in the following chapter.
Digital Signatures
A Digital Signature scheme differs from the Message Authentication Code (MAC) introduced in the previous lecture by having a pair of public and secret keys, instead of a single (secret) key. As a consequence, while only the holder of the secret key can generate a valid signature, everyone can use the public key to verify a signature.
We now give the formal definition of a digital signature scheme:
Definition 47 (Digital Signature). A Digital Signature scheme consists of the following three
PPT algorithms:
• (pk, sk) ← Gen(n). The PPT key generation algorithm Gen takes as input a security
parameter n and outputs a public key pk and a secret key sk.
• σ ← Sign(sk, m). The PPT signing algorithm Sign takes as input a secret key sk and a message m, and outputs a signature σ.
• b ← Verify(pk, m, σ). The polynomial time algorithm Verify takes as input a public key pk, a message m, and a signature σ, and outputs “1” if the signature is valid, and “0” otherwise.
A Digital Signature scheme must be correct and secure:
Definition 48 (Correctness of Digital Signature). For all messages m the following holds:
Pr[Verify(pk, m, Sign(sk, m)) = 1 : (pk, sk) ← Gen(n)] = 1
Forging Game The game is played between a challenger C and an adversary A as follows:
• (Keygen): C samples a key pair (pk, sk) ← Gen(n), and sends pk to A.
• (Learning): for 1 ≤ i ≤ l = poly(n), A sends a message mi to C and receives σi =
Sign(sk, mi ).
• (Guessing): A outputs (m, σ) and wins if m 6∈ {m1 , ..., ml }, and V erif y(pk, m, σ) = 1.
Note that in the “Learning” phase of the forging game, the adversary A can choose mi
adaptively, after seeing σj for all j < i.
We first start with a weaker scheme, called One-time Signatures, shown by Diffie and Hellman7 in their famous paper “New Directions in Cryptography”. This scheme is secure if and only if the adversary A queries at most one message in the “Learning” phase of the forging game. This scheme only assumes the existence of One-way Functions (OWF). Let f be a OWF and let k denote the message length.
• Gen(n): for every j ∈ {1, . . . , k} and b ∈ {0, 1}, sample x_b^j ←$ {0, 1}^k and set y_b^j = f(x_b^j). Output sk = {x_b^j}, pk = {y_b^j}.
• Sign(sk, m): selects the random strings in sk according to the bits of m, and outputs the selected strings as the signature σ:
σ = (x_{m[1]}^1, x_{m[2]}^2, . . . , x_{m[k]}^k)
• Verify(pk, m, σ): parse σ = (x^1, . . . , x^k) and output 1 iff f(x^j) = y_{m[j]}^j for all j ∈ {1, . . . , k}.
Theorem 19. The above construction of Gen(·), Sign(·), and Verify(·) satisfies the One-time Signature security notion.
7 they credit it to Leslie Lamport
Proof. Suppose there exists a PPT adversary A that wins the forging game with non-negligible probability ε. We construct B that is able to invert f with non-negligible probability as follows:
• B takes input y, picks at random b ←$ {0, 1}, j ←$ {1, . . . , k}, and sets y_b^j = y. For all other (b′, j′) ≠ (b, j), B samples x_{b′}^{j′} ←$ {0, 1}^k and sets y_{b′}^{j′} = f(x_{b′}^{j′}).
• B uses y_b^j as well as all y_{b′}^{j′} to construct pk, and sends pk to A.
• Upon receiving a query m from A: If m[j] = b, then abort. Otherwise, B creates a valid signature σ following the construction of Sign(·), and sends σ to A.
• Upon receiving m′, σ′ from A: If m′[j] = m[j], then abort. Otherwise, B parses σ′ = (x^1, . . . , x^k), and outputs x^j.
The intuition is that in a lucky event, B creates a valid signature without needing to find x_b^j such that f(x_b^j) = y_b^j = y, while A returns a valid signature that contains such an x_b^j. The probability of B not aborting in step 3 is exactly 1/2, as b is chosen at random. If A succeeds in producing a valid pair m′, σ′ such that m′ ≠ m, then m′ and m differ in at least 1 bit. The probability that m′[j] ≠ m[j] is at least 1/k, as j is chosen at random. Note that these three events are independent. The overall probability of B inverting f on y is
Pr[m[j] ≠ b] · Pr[A succeeds] · Pr[m′[j] ≠ m[j]] ≥ ε/(2k)
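For concreteness, here is a minimal Python sketch of the one-time signature scheme, with SHA-256 heuristically playing the role of the one-way function f; following the hash-then-sign idea of the next section, the sketch signs h(m) so that messages of any length can be handled (both instantiations are our assumptions):

```python
import hashlib, os

K = 256  # number of signed bits

def f(x: bytes) -> bytes:
    # One-way function, instantiated (heuristically) with SHA-256.
    return hashlib.sha256(x).digest()

def gen():
    sk = [[os.urandom(32) for _ in range(K)] for _ in range(2)]   # x_b^j
    pk = [[f(x) for x in row] for row in sk]                      # y_b^j = f(x_b^j)
    return pk, sk

def bits(m: bytes):
    digest = hashlib.sha256(m).digest()   # hash-then-sign for long messages
    return [(digest[j // 8] >> (7 - j % 8)) & 1 for j in range(K)]

def sign(sk, m: bytes):
    return [sk[b][j] for j, b in enumerate(bits(m))]   # reveal x_{m[j]}^j

def verify(pk, m: bytes, sigma) -> bool:
    return all(f(x) == pk[b][j] for (j, b), x in zip(enumerate(bits(m)), sigma))

pk, sk = gen()
sigma = sign(sk, b"one message only!")
assert verify(pk, b"one message only!", sigma)
assert not verify(pk, b"a different message", sigma)
```

Signing a second message with the same key would reveal preimages for both values of some bit position, which is exactly why the scheme is only one-time secure.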
The first weakness of the One-time Signature scheme is that the key sizes are linear in the message size, and also linear in the security parameter. To be able to sign longer messages, we make the additional assumption that Collision Resistant Hash Functions (CRHF) exist.
Given a CRHF family hi : {0, 1}∗ → {0, 1}^k, we construct the following improved algorithms longSign(·) and longVerify(·), which take arbitrary (polynomial in k) size messages:
• Sign(sk, h(m)) ← longSign(sk, m, h)
• Verify(pk, h(m), σ) ← longVerify(pk, m, σ, h)
where Sign(·), Verify(·) are as defined in the One-time Signature scheme, and h is a collision resistant hash function. We omit a detailed proof of its security, and provide a brief sketch instead:
Proof. (sketch) Suppose a PPT algorithm A sees m, σ, pk, and outputs m′, σ′, where m′ ≠ m and longVerify(pk, m′, σ′, h) = 1. Then one of the following happened:
• h(m′) = h(m), and we have found a collision.
• h(m′) ≠ h(m), and we have broken the security of Sign(·).
Here is a simple idea that allows us to extend the One-time Signature scheme for signing multiple messages: as a part of each signature, we also sign the next public key we will use. However, in the original scheme, signing a public key of size k would require a longer key of size at least 2k, assuming the outputs of f are just single bits. For the idea to make sense, we need to assume the existence of a CRHF family hi : {0, 1}∗ → {0, 1}^k as in the previous section. We also need to keep a counter, hence the modified scheme is a stateful one.
We construct the new scheme as follows:
• (pk^1, sk^1) ← Gen(n). (the same as the original.)
• Sign(sk^i, m_i, h, i):
First, generate a new pair of keys (pk^{i+1}, sk^{i+1}) ← Gen(n), and compute m′_i = h(m_i||pk^{i+1}). Next, generate σ_i using sk^i following the original construction (i.e., generate 2k random strings, and select k of them according to the bits of m′_i). Finally, output σ′_i = (σ_1, σ_2, . . . , σ_i, (m_1||pk^2), . . . , (m_i||pk^{i+1})).
• Verify(pk^1, m_i, i, σ′_i):
First, parse σ′_i = (σ_1, . . . , σ_i, (m_1||pk^2), . . . , (m_i||pk^{i+1})). Next, verify σ_j against h(m_j||pk^{j+1}) under pk^j for all j = 1, . . . , i, following the original construction. If all checks pass, then output 1. Otherwise, output 0.
The security of this scheme similarly relies on the security of the CRHF and that of the original scheme. We omit a detailed proof.
Note that the signature size is linear in the number of messages we have signed. Instead of signing the next pk in each signature, and using a chain-like structure to establish security, there exist improved schemes that sign the next 2 pk’s, and use a tree-like structure to establish security. In such schemes, the signature size is only logarithmic in the number of messages we have signed.
The schemes introduced in the previous sections have the advantage of only assuming the existence of a generic OWF and CRHF, but unfortunately suffer from their large overheads. In practice, more efficient constructions are used. One such construction is based on the RSA assumption. We first show an intuitive attempt to construct such a scheme using only the RSA assumption, which unfortunately is not secure. Then, we provide the secure construction.
Definition 52 (RSA Digital Signature, Insecure). The three algorithms Gen(·), Sign(·), Verify(·) are constructed as follows:
• Gen(n): Sample p, q ←$ Pn, where Pn are primes of length n, compute N = pq, and compute e, d ∈ Z∗φ(N) such that ed ≡ 1 mod φ(N). Output (pk = (e, N), sk = (d, N)).
• Sign(sk, m): Output σ = m^d mod N.
• Verify(pk, σ, m): Compare σ^e mod N with m. If they are equal, output 1. Otherwise, output 0.
As mentioned above, this scheme is insecure. A simple attack exploits the homomorphic nature of the RSA function:
Given (m1, σ1 = m1^d mod N) and (m2, σ2 = m2^d mod N), we can easily compute (m = m1·m2, σ = (σ1·σ2) mod N = (m1·m2)^d mod N). Clearly, σ is a valid signature of m.
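The forgery can be demonstrated in a few lines of Python (toy parameters, our illustrative choices):

```python
# Toy textbook-RSA signatures, far too small to be secure.
p, q, e = 1009, 1013, 17
N = p * q
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)

def sign(m: int) -> int:
    return pow(m, d, N)                     # sigma = m^d mod N

def verify(m: int, sigma: int) -> bool:
    return pow(sigma, e, N) == m % N

m1, m2 = 123, 456
s1, s2 = sign(m1), sign(m2)
# The forgery: a valid signature on m1*m2 without ever querying it.
forged = (s1 * s2) % N
assert verify((m1 * m2) % N, forged)
```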
To get around this issue, we require another assumption: the existence of a so-called
Random Oracle H, which behaves like an exponentially large random table. For each
query x, H(x) simply looks up the address x and returns the corresponding random string.
Note that H is deterministic, and H(x) always returns the same string for same x. Now,
we show a secure construction based on the RSA assumption:
Definition 53 (RSA Digital Signature, Secure). The three algorithms Gen(·), Sign(·), Verify(·) are constructed as follows:
• Gen(n): Sample p, q ←$ Pn, compute N = pq, and compute e, d ∈ Z∗φ(N) such that ed ≡ 1 mod φ(N). Output (pk = (e, N), sk = (d, N)).
• Sign(sk, m, H): Output σ = H(m)^d mod N.
• Verify(pk, σ, m, H): Compare σ^e mod N with H(m). If they are equal, output 1. Otherwise, output 0.
Although we omit a full proof of security of the above construction, we illustrate how H prevents the homomorphic attack described above:
Given (m1, σ1 = H(m1)^d mod N) and (m2, σ2 = H(m2)^d mod N), σ = σ1·σ2 = (H(m1)·H(m2))^d is not necessarily equal to H(m1·m2)^d. Hence, in general, σ is not a valid signature of m = m1·m2. In fact, the probability of forging some message m′ with σ (i.e., finding m′ such that H(m′) = H(m1)·H(m2)) is negligible (s denotes the output length of H):
∀m1, m2: Pr[H(m′) = H(m1)·H(m2)] = 1/2^s = negl(s)
Remark 20. A true Random Oracle cannot exist in practice. However, assuming a Random
Oracle enables many efficient and secure constructions. In practice, random oracles are
approximated by carefully designed and tested hash functions, such as SHA-256. This is
called the “Random Oracle Heuristic”.
Another technicality is that H(m) may not be in Z∗N . We can solve this issue by com-
puting H(m||i) for i = 1, 2, ... until H(m||i) is in Z∗N .
How to Share a Secret
Suppose Alice is the CEO of a small company and she would like to scale up the operations
by renting some cloud storage. However, she is wary of storing all of the confidential
data on a single cloud provider. She decides to distribute the data across multiple cloud
providers. Suppose she decides to use 10 different cloud providers. Intuitively, she could
store the first 10% of the data on the first cloud provider, the second 10% on the second
cloud provider and so on. Unfortunately, this is not a very good idea because in this case
every individual cloud provider can still recover 10% of the original data. Is there a way
for Alice to store the data such that no information is leaked?
What Alice is looking for is a cryptographic primitive called a secret sharing scheme. Such
a primitive would allow Alice to compute n shares from a secret s such that no information
about s would be leaked if someone got access to any n − 1 shares. At the same time, the
secret s can be recovered if someone has access to all the n shares. We will now formally
define this primitive.
Definition 54 (n-of-n secret sharing). An n-of-n secret sharing scheme consists of the follow-
ing two algorithms:
1. (s1 , s2 , . . . , sn ) ← Share(s) : The PPT sharing algorithm takes as input a secret s, and
outputs n shares of the secret.
2. s ← Reconstruct(s1 , s2 , . . . , sn ) : The PPT reconstruction algorithm takes as input n
secret shares, and reconstructs the corresponding secret.
Every n-of-n secret sharing scheme must satisfy the following two properties:
1. Correctness: For all secrets s, the following holds:
Pr[Reconstruct(s1, . . . , sn) = s : (s1, . . . , sn) ← Share(s)] = 1
In other words, if the shares are computed using the Share algorithm, then the Reconstruct algorithm must be able to recover the original secret with probability one.
2. Security: For all secrets s, s′, and for all sets I such that I ⊆ {1, . . . , n} and |I| ≤ n − 1, the following holds:
{(si)i∈I : (s1, . . . , sn) ← Share(s)} ≡ {(s′i)i∈I : (s′1, . . . , s′n) ← Share(s′)}
Informally, this means that if an adversary has only up to n − 1 shares, then he has no information about the secret.
We will now construct an n-of-n secret sharing scheme. We define the scheme ⟨Share, Reconstruct⟩ as follows.
• Share(s): For i ∈ {1, . . . , n − 1}, sample si ← U|s| . Set sn ← s ⊕ s1 ⊕ . . . ⊕ sn−1 . Output
(s1 , . . . , sn ).
• Reconstruct(s1 , . . . , sn ): Output s ← s1 ⊕ . . . ⊕ sn .
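A minimal Python sketch of this XOR-based scheme:

```python
import os

def share(s: bytes, n: int):
    # First n-1 shares are uniform; the last is s XOR s_1 XOR ... XOR s_{n-1}.
    shares = [os.urandom(len(s)) for _ in range(n - 1)]
    last = bytes(s)
    for sh in shares:
        last = bytes(a ^ b for a, b in zip(last, sh))
    return shares + [last]

def reconstruct(shares):
    # XOR of all n shares recovers the secret.
    out = bytes(len(shares[0]))
    for sh in shares:
        out = bytes(a ^ b for a, b in zip(out, sh))
    return out

s = b"company secret"
assert reconstruct(share(s, 10)) == s
```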
Correctness: follows from the fact that sn is the XOR of the first n − 1 shares and the
secret s itself.
Security: Let s be a secret. Suppose I ⊆ {1, . . . , n} and |I| = n − 1. Let (Si )i∈I denote the
random variable representing the shares which are the output of Share(s) restricted to the
index set I in the random experiment. Now, we will calculate the probability that these
shares are equal to some particular sequence of shares (si )i∈I . The following probability
calculations hold for any secret s and sequence of shares (si )i∈I . We consider two cases:
Case 1: n ∉ I. Since |I| = n − 1, this means that I = {1, . . . , n − 1}.
The secret sharing schemes that we have seen so far all require that we have access to all
the n shares of the secret if we want to reconstruct the secret. However, suppose that Alice
would like to still be able to reconstruct the secret even if some of the cloud providers are
down, and she can only get a subset of the shares. Is such a scheme possible? We will now
formally define this problem.
Definition 55 (t-of-n secret sharing). A t-of-n secret sharing scheme consists of the following two algorithms:
1. (s1 , s2 , . . . , sn ) ← Share(s) : The PPT sharing algorithm takes as input a secret s, and
outputs n shares of the secret.
2. s ← Reconstruct(I, (si )i∈I ) : The PPT reconstruction algorithm takes as input |I| se-
cret shares, and reconstructs the corresponding secret if |I| ≥ t. Otherwise, the algo-
rithm returns ⊥.
Every t-of-n secret sharing scheme must satisfy the following two properties:
1. Correctness: For all secrets s and all sets I ⊆ {1, . . . n} such that |I| ≥ t, the following
holds:
Pr[Reconstruct(I, (si )i∈I ) = s : (s1 , . . . , sn ) ← Share(s)] = 1
2. Security: For all secrets s, s′, and for all sets I such that I ⊆ {1, . . . , n} and |I| ≤ t − 1, the following holds:
{(si)i∈I : (s1, . . . , sn) ← Share(s)} ≡ {(s′i)i∈I : (s′1, . . . , s′n) ← Share(s′)}
Informally, this means that if an adversary has any t − 1 shares, then they have no information about the secret. On the other hand, any t shares can be used to reconstruct the secret.
How do we construct such a scheme? A natural attempt is to extend the n-of-n secret
sharing scheme that we constructed earlier. The basic idea is to make sure that any t-subset
of the n secrets can be combined to reconstruct s. One way to do this is to use a t-of-t secret
sharing scheme as follows:
• Share(s): For every subset I = {n1, . . . , nt} ⊆ {1, . . . , n} of size t, using the t-of-t sharing algorithm defined in Section 10.1, compute (s^I_{n1}, . . . , s^I_{nt}) ← Share(s). For all i ∈ {1, . . . , n}, set si to be the concatenation of all s^I_i over the subsets I with i ∈ I.
Clearly, any t-subset of shares can be used to reconstruct s because we used the t-of-t secret sharing scheme for every subset. When t is a constant, this scheme takes poly(n) time. However, in the general case, this algorithm runs in exponential time: since (n choose t) ≥ (n/t)^t, when t = n/2, the running time of the algorithm is at least Ω(2^{n/2}). Therefore, this is not an efficient t-of-n secret sharing scheme.
Now, suppose that there is some sequence of shares (si)i∈I such that the above probability is strictly less than 1/p^{t−1}. Then, since every sequence occurs with probability at most 1/p^{t−1}, we have the following:
Σ_{(si)i∈I} Pr[(Si)i∈I = (si)i∈I : (S1, . . . , Sn) ← Share(s)] < Σ_{(si)i∈I} 1/p^{t−1} = p^{t−1} · (1/p^{t−1}) = 1
But the total probability must be equal to 1. Therefore, for all secrets s and for all shares (si)i∈I, we have
Pr[(Si)i∈I = (si)i∈I : (S1, . . . , Sn) ← Share(s)] = 1/p^{t−1}
Therefore, the distribution of any t − 1 shares is uniform and, in particular, independent of the secret s.
Thus, the scheme is secure. Note that we again did not rely on any unproven cryptographic assumptions. In particular, Shamir’s secret sharing scheme works even if P = NP.
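The polynomial-based construction that this proof analyzes, Shamir's scheme (share s as evaluations of a random degree-(t−1) polynomial over Zp with constant term s, and reconstruct by Lagrange interpolation at 0), can be sketched in Python as follows (the prime P and the parameter names are our illustrative choices):

```python
import secrets

P = 2**61 - 1   # a prime larger than any secret we will share

def share(s: int, t: int, n: int):
    # Random degree-(t-1) polynomial with constant term s;
    # party i receives the evaluation (i, f(i)).
    coeffs = [s] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, j, P) for j, c in enumerate(coeffs)) % P)
            for i in range(1, n + 1)]

def reconstruct(shares) -> int:
    # Lagrange interpolation at 0: s = sum_i y_i * l_i(0).
    s = 0
    for i, (xi, yi) in enumerate(shares):
        li = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                li = li * xj % P * pow(xj - xi, -1, P) % P
        s = (s + yi * li) % P
    return s

secret = 123456789
shares = share(secret, t=3, n=5)
assert reconstruct(shares[:3]) == secret      # any 3 shares suffice
assert reconstruct(shares[1:4]) == secret
```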
Remark 21. There also exist variations of t-of-n secret sharing schemes where each party may have a different weight. In this case, if the sum of the weights of the parties in a particular subset exceeds a threshold, then the secret can be recovered. Another variation is one in which some particular subsets are explicitly authorized. In this scenario, there is a monotone boolean function8 that indicates whether the input subset is authorized to reconstruct the secret.
A secret sharing scheme is a one-time process, and this is a limitation: once the secret is reconstructed, it is not a secret anymore. We can generalize this concept to what is known as a threshold PKE. Such a scheme could be used in a situation where Alice decides to distribute the partial secret keys to a group of people in her company. Then, any group of t people would be able to decrypt a ciphertext without revealing their secret key shares. The same partial keys could be reused to decrypt other ciphertexts in the future.
Definition 56 (Threshold PKE). A threshold PKE scheme consists of the following four PPT
algorithms:
• Gen(κ): the generation algorithm takes as input a security parameter κ, and outputs
a public key pk and secret key shares sk1 , . . . skn .
8 A monotone function f is a function such that if A1 ⊆ A2, then f(A1) =⇒ f(A2).
• Enc(pk, m): the encryption algorithm takes as input a public key pk and a message
m, and outputs a ciphertext c.
• P Dec(ski , c): the partial decryption algorithm takes as input a secret key share ski
and a ciphertext c, and outputs a share mi .
• Recover(I, (mi )i∈I ): the recovery algorithm takes as input an index set I and a se-
quence of shares (mi )i∈I . If |I| < t, output ⊥, else output m.
Any threshold PKE scheme must satisfy the following two properties:
1. Correctness: for all messages m, and all sets I ⊆ {1, . . . n} such that |I| = t, the
following holds:
Pr[Recover(I, (mi )i∈I ) = m : (pk, sk1 , . . . skn ) ← Gen, c = Enc(pk, m), mi = P Dec(ski , c)] = 1
2. Security: for all messages m0, m1, and all sets I ⊆ {1, . . . , n} such that |I| ≤ t − 1, the following holds:
{pk, (ski)i∈I, Enc(pk, m0)} =c {pk, (ski)i∈I, Enc(pk, m1)}
We can construct a t-of-n PKE using any regular PKE (Gen, Enc, Dec) and any t-of-n
secret sharing scheme as a black box as follows:
• Gen(κ): Generate (pki , ski ) ← Gen(κ) for 1 ≤ i ≤ n. Set pk = pk1 ||pk2 || . . . ||pkn .
Output (pk, sk1 , . . . , skn ).
• Enc(pk, m): Using the t-of-n sharing scheme, get (s1 , . . . sn ) ← Share(m). Set
ci ← Enc(pki , si ) for all i ∈ {1, . . . n}. Output c = c1 ||c2 || . . . ||cn .
• P Dec(ski , c): Interpret c = t1 ||t2 || . . . ||tn . Output mi ← (Dec(ski , ti )).
• Recover(I, (mi )i∈I ): If |I| ≤ t − 1, output ⊥. Otherwise, we have |I| ≥ t. Output
m ← Reconstruct(I, (mi )i∈I ) using the t-of-n sharing scheme.
• Recover(I, (mi)i∈I): Parse each mi as (c1^{ski}, c2) (note that all c2 are equal). Compute
Π_{i∈I} (c1^{ski})^{li(0)} = g^{r·Σ_{i∈I} ski·li(0)} = g^{rx},
where the li are the Lagrange coefficients for the set I. Compute y ← g^{−rx}. Output m ← c2 · y.
One advantage of this scheme is that during encryption, Alice doesn’t have to change anything: she can simply encrypt using the ElGamal PKE as if she were not using a threshold PKE. Then, at any later point in time, she can compute the shares of the secret key and use the scheme as a threshold PKE.
The idea used in the recovery algorithm is known as interpolation in the exponent.
Blockchains
11.1 Bitcoin History
In 2008, a person under the pseudonym Satoshi Nakamoto published a paper Bitcoin: A Peer-to-Peer Electronic Cash System. Bitcoin software was released in January 2009 and the mining of the Bitcoin cryptocurrency officially started. The genesis block included the “The Times” headline: “Chancellor on brink of second bailout for banks”. The article was about the state of the British financial system following the 2007–2008 financial crisis, and many believe that this is a hint at the purpose of Bitcoin: to create a more stable financial system. Satoshi Nakamoto vanished from the digital space shortly after releasing the code for Bitcoin, and it is unknown who this person (or possibly a group of people) is. The first known commercial transaction using bitcoin happened in 2010 - two pizzas were bought for 10000 bitcoin.
Blockchain can be viewed as a public ledger, where a block is one page of the ledger.
Anyone can write to the ledger, and the ledger is append-only. Data recorded on the ledger
is typically referred to as transactions. The process of finding the next block to append to
the existing ledger is called mining.
Suppose that in this way a new block Bi+1 was mined. Then, the miner can repeat the process to mine the next block Bi+2 by finding ni+2 such that H(hi+2, Ii+2, pk, ni+2) is of the required form. Thus, each block is linked by hash to the previous block, and this way a chain of blocks is formed.
Once other miners mine blocks based on block Bi+1, the old block B′i is discarded. Suppose the miner that mined B′i does not want to lose the mining reward. Then this miner has an incentive not to follow the standard rules for resolving the fork. Instead, that miner can try to keep mining on B′i. If he is lucky enough and mines the next few blocks based on B′i faster than other miners mine blocks on Bi+1, there is a chance that other miners will later switch to the branch that contains the block B′i if it becomes the longest branch. Once that happens, the blocks Bi, Bi+1, and their associated rewards are discarded.
The probability of mining the next block is proportional to the computing power of
the miner. In Bitcoin we assume that more than 50% of computing power is controlled by
honest miners. Honest miners are those that strictly follow the prescribed rules for mining
and validating blocks, while dishonest miners don’t. With this fundamental 50% assump-
tion, the probability that dishonest miners win a fork is less than that of the honest miners.
However, there is still a non-zero probability that the dishonest miners can invalidate any-
thing in the existing blockchain. A rule of thumb is to wait for 1 hour before a transaction
is treated as final.
11.2.3 Infanticide
Some large stakeholders in the Bitcoin network do not want alternative cryptocurrencies to survive (the Bitcoin price would probably decrease if fewer people used Bitcoin). For this reason, miners from the Bitcoin network sometimes perform a 50% attack on newer cryptocurrencies to destroy them. Typically, a large group of Bitcoin miners has a lot of computing power and can thus easily generate longer chains in the newer cryptocurrencies. People eventually lose confidence in the new cryptocurrency. This is called infanticide.
A transaction in Bitcoin has the following form:
Sign_{ski}(pki −−(x coins)−→ pkj)
Essentially, it is a record showing that the public key pki is sending x coins to the public
key pkj . The record is signed by the secret key ski . Since only the holder of the secret
key ski can generate this transaction, the coins associated with pki can only be spent by
its true owner. Other miners check the validity of this transaction. The check includes the
following:
1. Signature is valid.
2. pki has enough coins to send.
The first can be checked directly using the public key pki; the second can be checked against the Bitcoin system state, i.e., the UTxOs. If both checks go through, the miners will add this transaction to their set Ii and try to mine the next block using Ii. Intuitively, the miner who includes this transaction in the next block will get a transaction fee from pki. The holder of pki chooses the fee amount up front, and a higher amount typically results in a better chance of inclusion in the next block.
All miners in the pool mine blocks using this same key (the pool manager’s public key pkm). Once a block is mined, the reward goes to the pool manager, and the manager then distributes the reward to its pool members according to a certain formula. The pool manager also makes sure that all its pool members are indeed contributing to the mining process. This is achieved by having all
pool members submit the so-called proof of partial work:
H(hi, Ii, pkm, n) = 00 · · · 0 XX · · · X, with k − ℓ leading zeros
Here ℓ is set such that it is easy enough for each individual miner to successfully find a nonce that satisfies the partial requirement. Although such a hash does not satisfy the Proof-of-Work requirement for mining the new block, it can show the pool manager that this miner is indeed contributing its computing power. Indeed, note that a partial proof of work is useless to a single miner - as long as ℓ > 0, it does not satisfy the Proof-of-Work requirement that is needed to collect the reward (and even if ℓ = 0, the public key used in the computation is the public key of the manager). The only purpose of such a proof is to show the manager how much effort you are putting in, and the reward that you get is proportional to this effort.
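The nonce search underlying both full and partial proofs of work can be sketched in Python as follows (the encoding of the block contents and the hex-digit difficulty measure are our simplifications):

```python
import hashlib

def hash_attempt(h_prev: str, txs: str, pk: str, nonce: int) -> str:
    data = f"{h_prev}|{txs}|{pk}|{nonce}".encode()
    return hashlib.sha256(data).hexdigest()

def mine(h_prev: str, txs: str, pk: str, zeros: int) -> int:
    # Search for a nonce whose hash starts with the required number of
    # zero hex digits; fewer required zeros = "partial work" for the pool.
    nonce = 0
    while not hash_attempt(h_prev, txs, pk, nonce).startswith("0" * zeros):
        nonce += 1
    return nonce

# A full proof of work (say, 5 zero digits) is far rarer than the partial
# proofs (say, 3 zero digits) that pool members keep submitting.
n = mine("deadbeef", "tx1;tx2", "pool-manager-pk", 3)
print(n, hash_attempt("deadbeef", "tx1;tx2", "pool-manager-pk", n))
```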
There are many applications that can be built on top of Bitcoin and the Blockchain. In this
section, we will enumerate a few examples of such applications:
• Bitcoin scripting language The Bitcoin scripting language enables custom transac-
tions based on certain criteria being met (which could occur in the future). Examples
of potential transactions enabled by the scripting language include:
1. “A will transfer 1 BTC to anyone who publishes the value f^{−1}(y), where f is a hard-to-invert function”. Note that if no one is ever able to satisfy the condition by publishing the value f^{−1}(y), then no one ever gets this 1 BTC, and even A loses it. To prevent such scenarios, a time bound is put on such transactions. So, a more realistic transaction would be: “A will transfer 1 BTC to anyone who publishes the value f^{−1}(y) in the next 7 days, where f is a hard-to-invert function”.
2. "A will transfer 1 BTC to B if B publishes a signed statement that ’B will ship
a TV to A’." Note that the transfer is automatic - if the condition is satisfied, the
transfer can not be stopped by A.
3. "A will transfer 1 BTC to a script being run at a particular address".
Typically, the script at this address will be run by a miner (who will be suitably
rewarded for running the script). Possible use cases for such scripts include
rent-collection, subscriptions, etc. These are examples of the so-called smart
contracts.
• Smart Assets Smart Assets are either a virtual representation of a physical asset, or
some virtual goods, such as an equity share. Examples of smart assets include:
1. Gold-backed cryptocurrency coins
The basic idea is that each coin represents a value of gold (e.g. 1 coin represents
1 gram of gold). The value of gold is stored by a trusted third-party custodian
and can be traded with other coin holders. Such coins can be used in smart
contracts, and the hope is that this approach would reduce volatility in coin
value (since the coins are backed by gold, the value of which is relatively more
stable).
2. Virtual representations of real-world goods
The basic idea is that real-world goods, such as shipping insurance, land
records, etc. are represented as abstract assets (using virtual currency tokens)
on the blockchain. These abstract assets act as a public record of ownership (us-
ing a mechanism similar to that used to represent Bitcoin ownership) and can
be transferred between owners securely and safely.
Recall that each blockchain block contains Ii – the set of transactions. This set can get pretty big, so it seems advantageous to somehow shorten it so that not everyone has to download all transactions whenever only one particular transaction needs to be verified. The first naive idea would be to set Ii to be the hash of all of the transactions. Ii would indeed become shorter. However, verification would still be difficult because we would still need to know all transactions in order to hash them and then verify the signature.
Merkle trees provide a solution to this problem. The key idea behind Merkle trees is to
arrange messages as the leaf nodes of a tree, and then repeatedly hash pairs of nodes, until
there is only one hash left at the root of the tree. Then, this root hash is signed.
Assume m2 is the message whose signature needs to be verified. For verification, we
need the signature, as well as the hashes of the siblings at every level. Referring to Figure 4,
we need the signature σ, as well as the hashes of the siblings at every level, i.e. H(m1 ),
H(H(m3 ), H(m4 )). Using m2 and the hashes of the siblings, we can generate the hash at
the root, H(H(H(m1 ), H(m2 )), H(H(m3 ), H(m4 ))) which can then be verified against the
signature σ using the public key.
Now, note the following:
• By signing the root, all messages are effectively signed.
• Size of the signature is of the order log(n), where n is the number of messages.
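A minimal Python sketch of a Merkle tree with root computation, path extraction, and path verification (assuming, for simplicity, a power-of-two number of leaves):

```python
import hashlib

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def merkle_root(leaves):
    level = [H(m) for m in leaves]
    while len(level) > 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_path(leaves, idx: int):
    # The sibling hashes needed to recompute the root from leaf idx.
    level, path = [H(m) for m in leaves], []
    while len(level) > 1:
        path.append(level[idx ^ 1])          # sibling at this level
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        idx //= 2
    return path

def verify_path(m: bytes, idx: int, path, root: bytes) -> bool:
    h = H(m)
    for sib in path:
        h = H(h + sib) if idx % 2 == 0 else H(sib + h)
        idx //= 2
    return h == root

msgs = [b"m1", b"m2", b"m3", b"m4"]
root = merkle_root(msgs)          # only the root gets signed
path = merkle_path(msgs, 1)       # verify m2 with just two sibling hashes
assert verify_path(b"m2", 1, path, root)
```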
Note that this construction has a very nice feature: a transaction can be verified simply by
downloading all blocks (which are now small since Ii ’s are small), and a single path in the
Merkle tree.
Security. Intuitively, security relies on the collision resistance of the hash function used as well as on the security of the signature scheme used: suppose the adversary substitutes a message m′, say, in place of message m2 as shown in the figure. For the forged message to verify against the signed root, the adversary must, given the new message and the original siblings at every level, produce the same hash at the root. This requires the root hash generated with the new message to be the same as the one generated using the old message, which in turn requires a hash collision somewhere along the path - and this is ruled out by the collision resistance property of the hash function.
Properties.
1. Able to sign many messages as a single block.
2. Enables lightweight verification on low-memory devices such as mobile devices.
Usage in Bitcoin
Merkle trees are used for lightweight verification of transactions in Bitcoin. To verify a transaction in a block, one doesn’t need to download all the transactions in the block. One can instead just download the hashes along a particular branch of the Merkle tree and compute the hashes all the way to the root.
Sometimes, the code of the blockchain needs to be changed. This can be due to, e.g., new features introduced to the blockchain, or fixing some issues. In such cases, the code needs to be permanently changed and a single blockchain splits into multiple forks. We typically distinguish between the following two categories:
1. Soft forks
Soft forks are a backward compatible means of upgrading the software on the nodes of the blockchain. Here, miners that did not upgrade are still able to verify transactions and validate new blocks. However, the blocks that such miners mine will be rejected.
A proof-of-work system is very expensive, since its mining process requires the user to solve hard-to-compute mathematical problems (such as inverting hash functions), and miners solve these problems using their own computers’ computational power. This results in a huge amount of electricity being used. This is true especially in Bitcoin, where the mining difficulty only increases as more miners join the network and mine more Bitcoin. Currently, Bitcoin mining uses about 1/400 of the world’s electricity. Over a year, Bitcoin’s power consumption amounts to roughly the same consumption as Switzerland.
To circumvent these high energy costs, an alternative system called Proof-of-Stake was introduced, first implemented in Peercoin in 2012. In proof-of-stake, the next miner is chosen through a pseudo-random process based on the potential miner’s amount of coin (his “stake”). In contrast, proof-of-work chooses the next miner as the one who first solves the computationally hard problem. Since proof-of-stake chooses the next miner based on his amount of coins rather than computing power, more individuals are incentivized to join the network, leading to more decentralization.
The key quantity in this selection process is the amount of coin that pk owns. The inclusion of a random number prevents new blocks from exclusively being mined by the wealthiest users.
In practice, instead of a single miner, a group of the miners that have the highest probability scores is chosen. This deals with the problem of offline miners.
Here, the random number is based on the sequence of miners who mined the previous blocks. However, to calculate the hash function, a signature must be generated, which can only be done by the miner who holds the corresponding signing key. Thus, intuitively, the random number is hard to predict and this scheme is secure.
One of the limitations of the above idea is that it suffers from posterior corruptions. For instance, say that in Figure 5 when block Bi is published, a set S has the majority of stake. Next, suppose that the set S sells all of their stake in block Bi+1 to someone in exchange for their services. After doing so, S becomes corrupt, creates a fork from node Bi, and publishes a block B′i+1 in which they don’t sell their stake. Therefore, in the fork containing B′i+1, S still has majority stake. The only problem is that this fork isn’t the longest chain at this point in time. But, because S has the majority stake, they will get more opportunities to publish blocks on the forked chain. Thus, they can go on to publish enough blocks so that the forked chain becomes the longest and is accepted by everyone. Hence, S is able to recover the money they already spent. This is similar to double spending in Bitcoin, except that waiting for k more blocks to get published won’t provide a strong enough guarantee that a transaction will remain on the longest chain. This is a non-trivial problem to solve and has complex solutions beyond the scope of this course.
The Bitcoin blockchain was designed such that new blocks are created every ten minutes on
average. Typically, you would wait for a transaction to be about 6 blocks deep to make
sure it really stays on the blockchain, meaning that about an hour is needed before
received Bitcoin can safely be spent.
At first, it seems natural to simply increase the block size to solve the scalability
issues. Unfortunately, if we increase the block size to hold more transactions, the new
larger blocks take longer to propagate, so more miners mine new blocks on outdated views
of the chain in the meantime. This leads to an increased number of forks and conflicts
between blocks, making the network more vulnerable to attacks.
Similarly, if we decrease the (average) time after which a new block is mined,
effectively increasing the rate at which information is added to the blockchain, we will
again increase the number of forks in the chain. This could make it possible for a
malicious miner with less than 50% of the hash power to attack the network.
Problems with GHOST. Unfortunately, GHOST does not solve all issues. In some cases,
miners and mining pools can exploit the protocol to gain larger rewards than their fair
share:
1. Miners better connected to the network can gain rewards larger than their fair share.
2. Using the selfish mining strategy, small miners can deliberately add more forks to
the network by keeping the blocks they create private. This can enable them to build
a private chain with a significant lead over the honest public chain.
SPECTRE
SPECTRE was proposed by Yoad Lewenberg, Yonatan Sompolinsky, and Aviv Zohar in 2016 to
address the throughput vs. security trade-off. The authors describe a DAG (Directed
Acyclic Graph)-based permissionless distributed ledger that aims to maintain high
resilience to attackers while enabling high throughput through the network.
In Bitcoin, each block references (via its hash) only the single previous block, which
yields a chain. SPECTRE allows a block to reference several past blocks, which might
have been created in parallel and may be conflicting. The conflicts might include
double-spending, where A tries to send money to B, and the same money to C, attempting
to defraud the network. However, this approach allows miners to create blocks
concurrently and much more frequently, as the nodes do not need to align their world
views of the graph at the time of block creation.
Bitcoin's longest-chain rule can be viewed as a voting mechanism: when conflicts in the
chain occur, the nodes vote, at the time of the next block's creation, on which block
they choose. This inhibits higher levels of throughput, since throughput cannot be raised
without disrupting the security of the network. SPECTRE employs a voting mechanism in
which the next block can safely vote on a conflicting previous block without the miner
having to align their world view at the time of the next block's creation. Blocks are
thus the voters, and due to the design of SPECTRE, the majority vote becomes irreversible
very quickly. Using the majority vote, one can easily extract all accepted
(non-conflicting) transactions.
Properties of SPECTRE.
Consistency. A transaction is accepted if and only if its block wins the majority vote in
any conflict and all of its inputs are accepted.
Safety. If a transaction is accepted by one node, then it is accepted by all nodes with
very high probability.
Weak Liveness. A transaction without any conflicts is accepted by the main chain in the
DAG very quickly.
Zero-Knowledge Proofs
12.1 INTRODUCTION
A zero-knowledge protocol is an interaction between two parties (say Peggy and Victor) that
allows Peggy to convince Victor that some statement is true without revealing anything
but the veracity of the statement. The critical part about this informal definition is the fact
that Peggy does not reveal any extra knowledge: it would be trivial for Peggy to convince
Victor that she has the knowledge by simply giving it to him. However, the point of a
zero-knowledge protocol is that Victor is convinced that the statement is true but gains no
additional information.
For example, suppose Peggy wishes to prove to Victor that there exists (x1, ..., x6) ∈
{0, 1}^6 such that (x1 ∨ ¬x2 ∨ x3) ∧ (¬x4 ∨ x5 ∨ ¬x6) = 1. This is an instance of the
3-Satisfiability problem. Of course, she could just send the assignment of (x1, ..., x6)
to Victor, but in this case, Victor learns more than just the existence of an assignment,
which is all we want him to learn. While initially this might seem impossible,
zero-knowledge proofs were introduced in Goldwasser, Micali, and Rackoff’s paper "The
Knowledge Complexity of Interactive Proof-Systems". In the following, we will describe a
zero-knowledge protocol for the graph isomorphism problem.
Definition 57. Let L be a language, let x be a statement for which we are trying to prove
x ∈ L, and let w be a witness to x ∈ L. A zero-knowledge protocol (P, V) for L consists
of the following interactive probabilistic polynomial-time stateful algorithms P and V:
• P(x, w, m_i^V): Outputs m_{i+1}^P, where we set m_0^V = ⊥.
• V(x, m_i^P): Outputs m_i^V. At the end of the protocol, V outputs either Accept or
Reject.
which satisfy the following properties:
1. (Completeness) Suppose w is a valid witness for statement x, and the prover P and the
verifier V are honest. Then, V will always output Accept.
2. (Soundness) Suppose x ∉ L. For all PPT provers P* that use such x, if V interacts with
P*, then V will output Reject with probability at least p. We call p the soundness
parameter.
3. (Zero-Knowledge) Suppose x ∈ L. For all PPT verifiers V ∗ , there exists an expected
PPT simulator S such that S(x, V ∗ ) outputs a transcript τsim ≈c τreal where τreal is
the transcript between an honest prover P and V ∗ .
Intuitively, P and V send messages to each other. The i-th message of P is m_i^P and the
i-th message of V is m_i^V. After this interaction, the verifier outputs Accept if it
believes x ∈ L, and Reject otherwise. The sequence of messages exchanged between the
prover and verifier is called the transcript τ.
Completeness guarantees that the verifier believes the prover if x ∈ L and both parties
act honestly. Soundness implies that if x ∉ L, then no dishonest prover can cause V to
output Accept with probability greater than 1 − p. Zero-knowledge implies that no
dishonest verifier will learn anything from the interaction besides the statement itself:
any knowledge in τreal (i.e., any knowledge that V* can learn from it) must also be
present in τsim, since τsim ≈c τreal. Since S does not take w as an input, τsim contains
no information on w. Note that we only guarantee that a simulator exists if x ∈ L.
Given the zero-knowledge property, one might think that the prover could simply run the
simulator when interacting with the verifier. However, note that the simulator has the
code of the verifier and is free to stop and rewind the verifier when creating its
transcript. The prover cannot do this. For example, suppose Peggy wishes to convince Victor that she
can make a fair coin land on heads 100 times in a row. With an interactive protocol, she
might flip the coin, show Victor the result, and then repeat this 100 times. The simulator,
on the other hand, can be thought of as a video recording. The video may show Peggy
flipping 100 heads, but the video could have easily been edited. Peggy could have flipped
the coin many times until she got 100 heads and then deleted the footage of all the flips
that resulted in tails.
So far, we have been talking about computational zero-knowledge proofs. If we require
that the distributions of τsim and τreal be equal, then we have perfect zero-knowledge.
If we require that τsim and τreal be statistically close, then we have statistical
zero-knowledge.
In this section we give an example of a zero-knowledge protocol for the graph
isomorphism problem. The prover knows a permutation π with G1 = π(G0). In each round, the
prover sends G = σ(G0) for a fresh random permutation σ; the verifier replies with a
random bit b; the prover answers with k = σ if b = 0 and k = σ ∘ π^{−1} if b = 1; and the
verifier accepts the round if k maps Gb to G.
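For concreteness, here is a minimal runnable sketch of one round of this protocol, representing graphs as edge sets and permutations as lists (implementation choices of the sketch, not of the notes).

```python
import random

def apply_perm(perm, graph):
    # Apply a vertex permutation to a graph given as a set of edges.
    return {frozenset((perm[u], perm[v])) for e in graph for (u, v) in [tuple(e)]}

def compose(p, q):
    # (p ∘ q)(x) = p(q(x))
    return [p[q[x]] for x in range(len(p))]

def invert(p):
    inv = [0] * len(p)
    for x, y in enumerate(p):
        inv[y] = x
    return inv

def one_round(G0, G1, pi, n) -> bool:
    """One round of the protocol; pi is the witness mapping G0 to G1."""
    sigma = random.sample(range(n), n)        # prover's fresh permutation
    G = apply_perm(sigma, G0)                 # first message: G = sigma(G0)
    b = random.randrange(2)                   # verifier's random challenge
    k = sigma if b == 0 else compose(sigma, invert(pi))
    return apply_perm(k, G0 if b == 0 else G1) == G   # verifier's check

n = 4
G0 = {frozenset(e) for e in [(0, 1), (1, 2), (2, 3)]}
pi = [2, 0, 3, 1]
G1 = apply_perm(pi, G0)
print(all(one_round(G0, G1, pi, n) for _ in range(20)))  # True
```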
Incorrect Simulator
Recall that S only has access to G0, G1 and V*, but not to the witness π. The simulator
works as follows:
1. S generates a random permutation φ and a random bit b′. It sets G = φ(G_b′).
2. S generates a bit b at random.
3. If b = b′, send φ. Otherwise, erase the transcript and repeat from Step 1.
4. Output Accept. Return the transcript.
Note that in the actual protocol, if b = 0, then k = σ defines an isomorphism between G
and G0; when b = 1, k = σ ∘ π^{−1} defines an isomorphism between G and G1. Similarly, in
our simulator, when b′ = b = 0, φ defines an isomorphism between G and G0, and when
b′ = b = 1, φ defines an isomorphism between G and G1. Intuitively, Step 3 of our
simulator is correct.
In the actual protocol, σ is chosen at random, and in our simulator, φ is chosen at
random. Thus, by property 2 above, σ(G0) is indistinguishable from φ(G_b′) (note that a
random permutation of a graph is distributed identically regardless of which of the two
isomorphic graphs it is applied to). Thus, Step 1 in our simulator is correct.
However, Steps 2 and 4 pose a problem. For Step 2, an honest verifier chooses b at
random, which our simulator indeed simulates. However, our simulator must work for
dishonest verifiers, and a dishonest verifier can choose b however it wishes. So we need
to modify our simulator to choose b with the same probability that V* does. Recall that S
takes V* as an input. Therefore, we can simply run V* to get b. Similarly, in Step 4, an
honest verifier would always output Accept if x ∈ L, but a dishonest verifier might not.
Thus, in Step 4, we feed φ to the V* we are running, which will return Accept or Reject.
We then output whatever this V* returns.
Correct Simulator
1. S generates a random permutation φ and a random bit b′. It sets G = φ(G_b′).
2. S runs V* and sends G to V*. V* returns b to S.
3. If b = b′, send φ to the V* we are running. Otherwise, erase the transcript and repeat
from Step 1.
4. V* will return Accept or Reject. Output whichever V* returns and return the
transcript.
Repeating the protocol k times with independent randomness amplifies the soundness:
Pr[V outputs Accept all k times | x ∉ L] ≤ (1 − p)^k
Thus, to achieve a soundness of 1 − ε, we can run the protocol log_{1−p}(ε) times. If any
of these trials outputs Reject, then we know x ∉ L with probability 1.
The completeness of our new repeated protocol follows immediately from the completeness
of the one-round protocol. Note that the protocol must be repeated in its entirety:
suppose that in the graph isomorphism zero-knowledge protocol, we kept the same σ between
runs. Then in some run, V could get b = 0 and learn σ. In another run, it could get b = 1
and learn σ ∘ π^{−1}. Given these two permutations, it would be trivial for the verifier
to calculate π, thus breaking the zero-knowledge property.
Additionally, suppose that our simulator for the repeated protocol were the following:
1.1 S generates a random permutation φ[1] and a random bit b′[1]. It sets G = φ[1](G_b′[1]).
1.2 S runs V* and sends G to V*. V* returns b[1] to S.
1.3 If b[1] = b′[1], send φ[1] to the V* we are running. Otherwise, erase the transcript
and repeat from Step 1.1.
2.1 S generates a random permutation φ[2] and a random bit b′[2]. It sets G = φ[2](G_b′[2]).
2.2 S runs V* and sends G to V*. V* returns b[2] to S.
2.3 If b[2] = b′[2], send φ[2] to the V* we are running. Otherwise, erase the transcript
and repeat from Step 1.1.
...
k.1 S generates a random permutation φ[k] and a random bit b′[k]. It sets G = φ[k](G_b′[k]).
k.2 S runs V* and sends G to V*. V* returns b[k] to S.
k.3 If b[k] = b′[k], send φ[k] to the V* we are running. Otherwise, erase the transcript
and repeat from Step 1.1.
k+1.1 V* will return Accept or Reject. Output whichever V* returns and return the
transcript.
Note that it would take exponential time for this simulator to finish. This is because
the probability of b[i] = b′[i] is 0.5 in every trial i. Thus, the probability of getting
through all the steps in one pass is 2^{−k}. So instead of going all the way back to Step
1.1 whenever a trial fails, the simulator should simply go back to the beginning of that
particular trial. For example, suppose that in Step k.3 the simulator found b[k] ≠ b′[k].
Then instead of going back to Step 1.1, it should simply go back to Step k.1.
There is a subtlety here, however. The algorithm V* is stateful. Therefore, if we restart
a trial, V* can still remember what occurred during the failed trial. To mitigate this,
we use an idea called rewinding: at the beginning of each trial, we save the state of V*.
If we need to restart that trial, we simply restore V* to the saved state.
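As a sketch of what rewinding looks like in code, the following simulator saves V*'s state with copy.deepcopy before each trial and restores it on failure; the honest verifier class is only a stand-in for an arbitrary stateful V*, and apply_perm is as in the earlier sketch.

```python
import copy, random

def apply_perm(perm, graph):
    # As before: apply a vertex permutation to a graph given as an edge set.
    return {frozenset((perm[u], perm[v])) for e in graph for (u, v) in [tuple(e)]}

class HonestVerifier:
    """Stand-in stateful verifier; a dishonest V* could behave arbitrarily."""
    def __init__(self):
        self.seen = []          # state that would survive a naive restart
    def challenge(self, G):
        self.seen.append(G)
        return random.randrange(2)

def simulate(G0, G1, n, k):
    """Simulate k rounds without the witness, rewinding V* on failed trials."""
    V = HonestVerifier()
    transcript = []
    for _ in range(k):
        saved = copy.deepcopy(V)             # save V*'s state
        while True:
            b_guess = random.randrange(2)
            phi = random.sample(range(n), n)
            G = apply_perm(phi, G0 if b_guess == 0 else G1)
            if V.challenge(G) == b_guess:    # guess matched: trial succeeds
                transcript.append((G, b_guess, phi))
                break
            V = copy.deepcopy(saved)         # rewind to the saved state
    return transcript

n = 4
G0 = {frozenset(e) for e in [(0, 1), (1, 2), (2, 3)]}
G1 = apply_perm([2, 0, 3, 1], G0)
print(len(simulate(G0, G1, n, k=10)))        # 10 rounds, ~2 tries per round
```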
In the following, our goal will be to design a zero-knowledge protocol using the graph
3-coloring problem, an NP-complete problem. Because every NP problem can be reduced to
the graph 3-coloring problem, we obtain an entire class of zero-knowledge protocols for
free. Before we provide the construction, we cover commitment schemes, an important
cryptographic primitive which will be used in the zero-knowledge protocol.
12.5.1 Definition
Formally, the protocol is separated into two stages:
1. Commit phase: Given a message m, the committer sends c = Com(m, s) to the receiver,
for some randomness s and a polynomial-time algorithm Com.
2. Decommit phase: The committer sends the pair (m, s); the receiver verifies the pair by
computing Com(m, s) and comparing it with the previously received c. If they are
equal, the receiver accepts; otherwise, the receiver rejects.
A valid commitment scheme must satisfy the following two properties:
1. Hiding: ∀(m0, m1),
{Com(m0, s) : s ← U} ≈c {Com(m1, s) : s ← U}
2. Binding: ∀(m0, s0), (m1, s1) with m0 ≠ m1,
Com(m0, s0) ≠ Com(m1, s1)
Intuitively, the hiding property establishes that the commitment does not leak any
information about the locked message. The binding property then establishes that the
committer cannot produce a fake pair (m′, s′) with m′ ≠ m that still satisfies the
equality check in the decommit phase. Note: it may be possible to find (m, s′) with
s′ ≠ s.
Remark 22. The binding property defined above is also known as perfect binding. A weaker
form is the computationally binding property, which merely establishes that it is very
difficult to find a fake pair (m′, s′) with m′ ≠ m that satisfies the decommitment check.
In these lecture notes, we will only use commitment schemes with the perfect binding
property.
12.5.2 Examples
A natural attempt at constructing a commitment scheme might use encryption protocols,
where the committer sends an encrypted message during the commit phase and later sends
the original message and the key in the decommit phase. However, it is not the case that
all encryption algorithms are valid commitment schemes. For example, consider the
one-time pad: suppose the committer sends c = m ⊕ s. Then it is trivial for the committer
to later present a different pair (m′, s′) such that m ⊕ s = m′ ⊕ s′ and m ≠ m′.
Now consider the commitment scheme Com(m; a, b) = (g^a, g^b, m · g^{ab}) over a group
with generator g in which the DDH assumption holds. Regarding the binding property,
intuitively, note that the first two elements of c give us g^a and g^b, which means that
a and b are fixed. Therefore, g^{ab} is fixed. Thus, m can be uniquely computed from the
third element as (m · g^{ab}) · (g^{ab})^{−1}.
As for the hiding property, starting with the DDH assumption, we have:
{g^a, g^b, g^{ab}} ≈c {g^a, g^b, g^r}
Thus,
{g^a, g^b, m · g^{ab}} ≈c {g^a, g^b, m · g^r}
Since
{g^a, g^b, m · g^r} = {g^a, g^b, g^r},
we get {g^a, g^b, m · g^{ab}} ≈c {g^a, g^b, g^r}. The same holds for any other m′. By the
transitivity of computational indistinguishability, we are done.
Therefore, the proposed scheme is a valid commitment scheme.
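A minimal sketch of this scheme follows, with toy parameters far too small to be secure; the specific group (the order-q subgroup of Z_p^* for p = 2q + 1) and the encoding of messages as integers are assumptions of the sketch.

```python
import random

# Toy parameters: p = 2q + 1 with p, q prime; g = 4 generates the
# order-q subgroup of Z_p^*. (Insecure sizes, for illustration only.)
p, q, g = 2579, 1289, 4

def commit(m: int):
    """Com(m; a, b) = (g^a, g^b, m * g^(ab)) with fresh random a, b."""
    a, b = random.randrange(1, q), random.randrange(1, q)
    c = (pow(g, a, p), pow(g, b, p), m * pow(g, a * b, p) % p)
    return c, (a, b)

def open_commitment(c, m: int, opening) -> bool:
    a, b = opening
    return c == (pow(g, a, p), pow(g, b, p), m * pow(g, a * b, p) % p)

c, opening = commit(42)
print(open_commitment(c, 42, opening))  # True
print(open_commitment(c, 43, opening))  # False: g^a, g^b fix g^(ab), hence m
```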
We now return to designing a zero-knowledge protocol for the graph 3-coloring problem.
12.6.2 Construction
In the zero-knowledge proof for the graph 3-coloring problem, the prover wants to prove
that some graph G is 3-colorable (that is, there exists a witness w that 3-colors G). Of
course, this has to be done without revealing any information about the coloring w; the
prover merely wants to prove that some valid coloring exists. The protocol works as fol-
lows:
1. Given a coloring of G, the prover permutes the colors randomly to obtain a new
(valid) coloring of G. For each vertex vi in G, the prover sends ci = Com(colori , si )
to the verifier, where colori is the (new) coloring of the vertex i and si is a random
string.
2. The verifier selects a random edge (i, j) and asks the prover to decommit the colors
of vi and vj.
3. Upon receiving the decommitments from the prover, if the received decommitments
are valid and the colors are different, the verifier accepts. Otherwise, the verifier
rejects.
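Below is a minimal sketch of one round of this protocol, using a hash-based commitment as a stand-in for the perfectly binding scheme assumed above; the graph and all names are illustrative.

```python
import hashlib, os, random

def commit(value: bytes):
    """Toy hash-based commitment (treated as hiding and binding here)."""
    s = os.urandom(16)
    return hashlib.sha256(value + s).digest(), s

def one_round(edges, coloring) -> bool:
    """One round; `coloring` maps each vertex to a color in {1, 2, 3}."""
    perm = random.sample([1, 2, 3], 3)              # random color permutation
    shuffled = {v: perm[c - 1] for v, c in coloring.items()}
    comms = {v: commit(bytes([c])) for v, c in shuffled.items()}
    i, j = random.choice(edges)                     # verifier's random edge
    # Prover decommits vertices i and j; verifier re-checks the commitments
    # and accepts iff both open correctly and the revealed colors differ.
    ok = all(
        hashlib.sha256(bytes([shuffled[v]]) + comms[v][1]).digest() == comms[v][0]
        for v in (i, j)
    )
    return ok and shuffled[i] != shuffled[j]

edges = [(0, 1), (1, 2), (0, 2), (2, 3)]
coloring = {0: 1, 1: 2, 2: 3, 3: 1}                 # a valid 3-coloring
print(all(one_round(edges, coloring) for _ in range(50)))  # True
```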
Now we show that this is a valid zero-knowledge protocol:
1. Completeness: This follows from the previously established fact 1: permuting the
colors of a valid 3-coloring of a graph still yields a valid 3-coloring. Thus,
regardless of the choice of (i, j), the colors of vi and vj will be different.
2. Soundness: From fact 2, if the graph is not 3-colorable (or the prover provides a
fake coloring), there is at least one edge whose two endpoints have the same color.
Thus, because the verifier chooses an edge at random, and the prover is unable to
change the committed colors due to the binding property of the commitment scheme, the
verifier will reject with probability at least 1/|E|.
3. Zero-Knowledge: This is the most difficult part of the proof, and we prove it below.
To show the zero-knowledge property, we design an EPPT simulator S that has G and the
code of the verifier V*. Let the colors be {1, 2, 3}. Then the simulator S works as
follows:
1. S picks a random edge (i′, j′) and colors k_i′, k_j′ ∈ {1, 2, 3} at random such that
k_i′ ≠ k_j′. S then generates commitments ci for all vertices in G: if i = i′ or
i = j′, S commits according to the protocol; otherwise, S simply commits to zero.
2. S invokes V* and provides it with the commitments for all vertices in G.
3. Upon receiving an edge (i, j) from V*, S does the following: if (i, j) = (i′, j′), S
reveals the colors by decommitting c_i′ and c_j′. Otherwise, S restarts from Step 1.
First, note that S is indeed an EPPT algorithm. This is because S picks i′, j′ at random,
so for any V*, the probability that (i, j) = (i′, j′) is roughly 1/|E|. Therefore, S is
expected to restart roughly |E| times. The rest of the operations run in polynomial time,
so the expected runtime is |E| · poly(n), which is still polynomial. Of course, this
assumes that V* cannot purposefully select (i, j) such that (i, j) ≠ (i′, j′); we briefly
sketch a proof of this below.
Because of the hiding property of the commitment scheme, we are guaranteed that no PPT V*
can tell c_i′ and c_j′ apart from any of the other ck. This means that V* cannot
distinguish i′, j′ from the other vertices given only the commitments ci, so it cannot
query S with a particular (i, j) chosen to forcibly abort S. Formally, if we are given a
V* such that
Pr[(i′, j′) = (i, j)] ≥ 1/|E| + notice(n),
then it is possible to construct a PPT A that breaks the hiding property of the
commitment scheme (and likewise for a noticeable deviation in the other direction). Thus,
S is EPPT. Now we prove that τsim ≈c τreal via a hybrid argument.
• H0: In this hybrid, the algorithm S has a valid witness w and the code of V*. S runs
V*, and in its interaction with V*, S behaves like an honest prover: S commits to the
colors of the vertices using a (permutation of the) witness w, and opens the
commitments ci, cj upon receiving an edge (i, j) from V*. In the end, S outputs its
transcript of the interaction with V*.
• H1: In this hybrid, the algorithm S has a valid witness w and the code of V*. S runs
V*, and in its interaction with V*, S picks random indices i′, j′ and then commits
honestly to the colors of the vertices using a (permutation of the) witness w. When S
receives an edge (i, j) from V*, it restarts (including restarting V*) if
(i, j) ≠ (i′, j′). Otherwise, S outputs its transcript of the (last) interaction with V*.
• H2: In this hybrid, S behaves as in H1, except that for each vertex i such that i ≠ i′
and i ≠ j′, S now commits to zero instead of the actual vertex color.
• H3: In this hybrid, instead of using a valid witness, S now samples two distinct colors
for i′ and j′ and uses them in the commitments c_i′, c_j′ instead of the (permutation
of the) actual colors of vertices i′ and j′. Note that S no longer uses the witness at
all.
First, note that H0 = τreal and H3 = τsim. Next, we see that H0 = H1 because i′, j′ are
chosen at random, and once (i′, j′) equals (i, j), the generated transcript is exactly
the same as the one in H0. H1 ≈c H2 because of the hiding property of the commitment
scheme. Finally, H2 ≈c H3: note that in Step 1 of the protocol, we permute the colors, so
in H3, the distribution of the colors under the commitments c_i′, c_j′ does not change.
Thus, H2 ≈c H3, and therefore H0 ≈c H3 and τsim ≈c τreal.
[Figure: the parallel-repetition protocol between P and V; in the first message, P sends
commitments ci[t] = com(colori[t]) for all vertices i and all repetitions t ∈ [k].]
Above, we constructed a zero-knowledge protocol for the graph 3-coloring problem with
soundness parameter 1/|E|. However, what we actually want is a protocol with soundness
close to 1. One option is to repeat our protocol multiple times sequentially: after
repeating the protocol k times, we achieve a soundness parameter of 1 − (1 − 1/|E|)^k.
However, this improvement comes at a cost. Instead of a 3-round protocol, we now have a
3k-round protocol. For the expression 1 − (1 − 1/|E|)^k to get close to 1 in a graph with
many edges, we would have to use a very large k. Thus, we end up with a rather
inefficient protocol with a very high number of rounds. So the question is how we can
change the protocol to make it more efficient.
Idea: use parallel repetition instead of sequential repetition!
[Figure 7: the one-round protocol obtained via the Fiat-Shamir heuristic; the prover
sends M1 together with M3, where the challenge is computed as M2 = H(M1).]
Note that the natural simulator here is almost exactly the simulator designed for the
sequential version, except that it now considers k instances of the problem in each step.
The problem with this construction is the following: it is not an (expected) PPT
construction. If there are k parallel repetitions, the probability that the simulator
correctly guesses the edge in all of these repetitions is only (1/|E|)^k. Thus, if k is
large, this probability is very small, and the simulator has to go back to Step 1 very
often.
Now, it is possible that for some of the k instances, the simulator guessed the edge
correctly. So one might wonder whether the simulator could "keep" the correctly guessed
edges and only change its guesses where it was wrong. Let us change Step 3 of our
simulator as follows:
3. If for all t it holds that (i′[t], j′[t]) = (i[t], j[t]), the simulator opens all
selected commitments. Otherwise, go to Step 1 and obtain fresh guesses for the
instances where the simulator was wrong.
The hope is that after each iteration, the number of unsuccessful guesses shrinks and
thus eventually becomes zero. However, this logic is incorrect: the verifier might
compute its challenge depending on the prover's entire first message, so there is no
guarantee that all the "correct" guesses remain correct after correcting one "incorrect"
guess. For example, changing the first message of the t-th instance could cause the
verifier's message to change in some instance t′ ≠ t. Thus, this approach also does not
work.
12.7.2 Fiat-Shamir Heuristic
While it is not known whether the protocol defined above is secure, the protocol has been
known for decades, and no one has come up with an attack on it. The general assumption is
that this construction is indeed secure, and it is exactly what is used in the
Fiat-Shamir heuristic we will now introduce.
Observe that PcZK is a public-coin protocol. This means that in the second round, the
verifier essentially just samples and sends a random string to the prover.
Now, if the verifier just sends a random string, we could instead use an "appropriate"
hash function H to do the verifier's job for him. Here, by "appropriate" we mean that the
hash function behaves like a random oracle; this is exactly the assumption of the
so-called random oracle model. In this model, we are able to construct a one-round
protocol, presented in Figure 7.
[Figure: the Zerocoin* bulletin board, a public list of commitments c1 = com(s1, r1),
c2 = com(s2, r2), ..., ci = com(si, ri).]
Note that the prover "knows" that the verifier will send M2 = H(M1), and can therefore
send both M1 and M3 (computed according to M2 = H(M1)) in a single message.
The completeness of this protocol is easy to see. The soundness relies on the fact that
M2 = H(M1) is indeed random. Zero-knowledge can be proven in the random oracle model, but
this is beyond the scope of this course.
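The message flow of this transform is sketched below. Following common practice, the sketch also hashes the statement into the challenge, a slight strengthening of the M2 = H(M1) rule above; the respond and check callbacks are placeholders for the underlying protocol, so the demo only exercises the plumbing and is not itself a sound proof system.

```python
import hashlib

def fs_prove(statement: bytes, m1: bytes, respond):
    """Collapse a 3-round public-coin protocol into a single message.

    The verifier's random string M2 is replaced by H(statement || M1);
    `respond(m2)` is the prover's third-round algorithm computing M3.
    """
    m2 = hashlib.sha256(statement + m1).digest()
    return m1, respond(m2)

def fs_verify(statement: bytes, m1: bytes, m3: bytes, check) -> bool:
    # The verifier recomputes M2 itself and runs the original round-3 check.
    m2 = hashlib.sha256(statement + m1).digest()
    return check(m1, m2, m3)

# Degenerate placeholders, just to show the flow:
respond = lambda m2: m2[:4]
check = lambda m1, m2, m3: m3 == m2[:4]
m1, m3 = fs_prove(b"stmt", b"first-message", respond)
print(fs_verify(b"stmt", m1, m3, check))  # True
```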
12.7.3 NIZKs
Such protocols are known as NIZKs (non-interactive zero-knowledge proofs) in the random
oracle model. NIZKs are very useful: imagine, for example, a blockchain, where you want
to prove some statement to the entire world. You cannot communicate with each party
individually (there are too many of them, and some are possibly not even online at the
moment but will want to verify the statement in the future). In this setting, NIZKs are
really the only option.
As mentioned in the previous lecture, Graph 3-Coloring is an NP-complete problem. Thus,
each problem in NP can be reduced to Graph 3-Coloring, and hence we already have a way to
construct a non-interactive zero-knowledge proof for every such problem. Note that this
may not be the most efficient solution: given some specific problem, it might be better
to design a protocol tailored to it rather than taking the detour through Graph
3-Coloring. Still, the fact that we have a solution for each problem in NP makes the
introduced solution very powerful.
[Figure: the spent-coin list, a public list of revealed serial numbers s1, s5, ..., sj.]
To initially obtain a coin in the Zerocoin* system, a user has to burn a Bitcoin. This
gives him the right to write one entry on the bulletin board. We will now discuss the
most interesting part: how exactly a user (Alice) can send a Zerocoin* ci to another user
(Bob).
Attempt 1
1. Alice sends decommitment of ci (including si and randomness ri ) to Bob.
2. Bob creates cj .
3. Bob broadcasts cj , ci , decommitment of ci .
4. Everyone can verify that si is not on the spent coin list and that ci is a commitment
to si . If so, ci is put on the spent list and cj on the bulletin board.
Now ci has been destroyed and Bob has a new coin cj. Bob can spend cj by sending its
decommitment to another party.
The obvious problem with this approach is that everyone sees the relationship between ci
and cj, and we thus do not get the desired unlinkability property: everyone is able to
track the whole movement of money.
Idea: use zero-knowledge proofs!
Attempt 2
1. Alice sends decommitment of ci (including si and ri ) to Bob.
2. Bob creates cj .
3. Bob broadcasts cj , si (but not ci , ri ) along with the following NIZK statement (de-
noted as σ in the following): ∃ci s.t. ci is a part of the bulletin board and si is the
value inside ci .
4. Everyone can verify that si is not on the spent coin list and that σ is a valid proof. If
so, si is put on the spent list and cj on the bulletin board.
Note that ci is hidden in Attempt 2 (because of the zero-knowledge property of the
proof). Furthermore, note that the statement in Step 3 is indeed an NP statement (it can
be proved by giving a short witness). In our case, we could prove the statement by giving
the witness w = (ci, si, ri), where ri denotes the randomness used in the computation of
ci. The verifier could then check that ci is on the bulletin board and that ci is indeed
a commitment to si with randomness ri.
One possible attack on Attempt 2 is the following: one can easily change (cj, si, σ) to
(c′j, si, σ) after Bob's broadcast in Step 3, as the NIZK σ is completely disconnected
from cj. Thus, an adversary could use si, σ to create a coin c′j for himself (before
everyone puts si on the spent list and cj on the board). One possible solution is to
include cj in the NIZK statement as well. The modified NIZK statement could look as
follows:
• ∃ci s.t. ci is a part of the bulletin board, si is the value inside ci, and cj is a
valid commitment to some string.
This is still an NP statement; the witness consists of the witnesses of each of the two
parts of the AND statement. Now, if one tried to change cj without changing σ, the proof
would no longer be valid. However, there is still a minor problem with Attempt 2: the
NIZK can actually be malleable, so one might be able to change σ so that it accounts for
the change in cj. To get around this issue, one has to use so-called non-malleable
zero-knowledge, which roughly guarantees the following:
• Given a NIZK σ for a statement x, no PPT adversary can construct a proof σ′ for a
related statement x′ (unless this adversary already knows the witness to x′).
For completeness purposes, we give the final version of the protocol.
Attempt 3 (final)
1. Alice sends decommitment of ci (including si and ri ) to Bob.
2. Bob creates cj .
3. Bob broadcasts cj , si along with the following non-malleable NIZK statement: ∃ci s.t.
ci is a part of the bulletin board, si is the value inside ci and cj is a valid commitment
to some string.
4. Everyone can verify that si is not on the spent coin list and that the given proof is
valid. If so, si is put on the spent list and cj on the bulletin board.
Note that this construction has the following nice property: nobody knows that Alice
and Bob are transacting with each other because ci is not revealed.
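The bookkeeping of this final protocol can be sketched as below, with the non-malleable NIZK replaced by a direct witness check (which reveals exactly the link the real NIZK must hide); all names are illustrative.

```python
import hashlib, os

def com(s: bytes, r: bytes) -> bytes:
    return hashlib.sha256(s + r).digest()

class Board:
    """Toy Zerocoin*-style state: a board of commitments and a spent list."""
    def __init__(self):
        self.coins, self.spent = set(), set()

    def mint(self, c: bytes):
        self.coins.add(c)   # in the real system, minting burns a Bitcoin

    def spend(self, s: bytes, c_new: bytes, proof) -> bool:
        # `proof` stands in for the non-malleable NIZK over (board, s, c_new);
        # here it is checked by direct lookup, which is what the NIZK hides.
        if s in self.spent or not proof(self.coins, s, c_new):
            return False
        self.spent.add(s)
        self.coins.add(c_new)
        return True

board = Board()
s_i, r_i = os.urandom(16), os.urandom(16)
board.mint(com(s_i, r_i))                       # Alice's coin c_i
c_j = com(os.urandom(16), os.urandom(16))       # Bob's fresh coin c_j
proof = lambda coins, s, c_new: com(s, r_i) in coins  # stand-in "NIZK"
print(board.spend(s_i, c_j, proof))   # True: s_i revealed, c_j added
print(board.spend(s_i, c_j, proof))   # False: s_i is already spent
```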
Secure Multi-Party Computation
13.1 INTRODUCTION
13.1.1 Applications
There are many applications of Secure Multi-Party Computation.
• Privacy-Preserving Data Mining: It would be beneficial for multiple hospitals to run
data mining on their combined data, but due to regulations like HIPAA, none of the
hospitals can share their data with the others. Here, secure multi-party computation
can be used to run the data mining algorithm on the joint inputs.
• Information Exchange between Intelligence Agencies: Intelligence agencies of allied
countries may wish to share information only if there is some information to be gained
in return. In this case, a secure multi-party computation can be run to verify whether
there is valid information on both sides.
Note. For the remainder of the class we will be focusing on Secure 2-Party Computation (in the
following, 2PC). The formal definition for Secure Multi-Party Computation can be generalized from
the Secure 2-Party Computation.
Recall that in zero-knowledge proofs we had a simulator which could produce a view
indistinguishable from the real view without knowing the witness; thus we were able to
conclude that no knowledge is gained during the execution of the protocol. The current
definition has a similar flavor: we define a simulator which produces a view
indistinguishable from the real view while knowing only f(x1, x2). Thus we conclude that
no knowledge except for f(x1, x2) is gained during the execution of the protocol.
Note that we still need to formally define the inputs that the simulator gets.
First Attempt Consider the following: Si is given as input f(x1, x2) and the code of Pi*.
Unfortunately, this does not work because f(x1, x2) is not defined before the protocol:
if some party is malicious, it can use an input different from x1/x2.
Correct Definition Si is given one-time access to an output oracle, the so-called ideal
functionality F (see Figure 12). Intuitively, this means that the simulator can choose an
input and query the oracle for the corresponding output. The simulator can do so only
once during the execution of the protocol.
Note. This definition is a basic definition of 2PC. It does not capture all the properties such as
correctness etc.
Note. MPC can be defined analogously by having n parties, n inputs and n Simulators.
[Figure 11: oblivious transfer. Alice holds inputs a0, a1 and Bob holds a choice bit b;
at the end, Bob learns ab while Alice learns nothing (⊥).]
We can see that a semi-honest adversary is weaker than a fully malicious adversary; thus,
any protocol which is secure against fully malicious adversaries is also secure against
semi-honest adversaries. As we will see later, there is a way to convert a protocol
secure against semi-honest adversaries into a protocol secure against fully malicious
adversaries using zero-knowledge proofs of honesty.
We will now consider the first example of secure multi-party computation: oblivious
transfer (OT). As shown in Figure 11, two parties participate in the OT setting: Alice
has inputs a0, a1, and Bob has an input bit b. The goal of OT is for Alice to communicate
ab to Bob without gaining any knowledge about the value of b, and without Bob gaining any
knowledge about the value of a_{1−b}.
Note that this scenario can be represented as a generalized MPC in which the functions
learned by the parties differ. The definition of the generalized MPC is the following:
parties P1, P2 hold inputs x1, x2 and wish to compute f1(x1, x2) and f2(x1, x2),
respectively. We say that a protocol π is a secure 2PC for the functions f1(·,·), f2(·,·)
if there exist EPPT simulators S1 and S2 such that the output of each Si, given party
Pi's input and output, is computationally indistinguishable from Pi's view in the real
execution.
[Figure: OT from trapdoor permutations. Alice holds a0, a1; Bob holds b. Bob sets
yb = f(x) for a random x and samples y_{1−b} ← U uniformly at random from the range,
sending (y0, y1) to Alice. Alice replies with c0 = a0 ⊕ h(f^{−1}(y0)) and
c1 = a1 ⊕ h(f^{−1}(y1)); Bob recovers ab = cb ⊕ h(x), while Alice outputs ⊥.]
Now, consider the case where A is corrupt. Then the simulator S1, which has input a0, a1,
works as follows:
• S1 samples (fi, t) and computes the first message honestly.
• S1 samples (y0, y1) uniformly at random from the range of fi.
• S1 uses the trapdoor t to invert y0, y1 and then uses (a0, a1) to compute c0, c1
honestly.
• S1 outputs the recorded transcript τS1.
Lemma 7. The distribution of the output of S1 is computationally indistinguishable from
the real-world transcript.
Proof. Note that τS1 and τreal differ only in yb: B chooses x from the domain of fi and
then computes yb = fi(x), while S1 chooses yb directly from the range of fi. However,
since fi is a permutation, the distribution of yb is the same in both cases. Since the
distributions are identical, the transcripts are indistinguishable.
Note. This protocol is insecure against a fully malicious adversary. For example, A could
choose fi such that it is not a permutation, which may allow it to distinguish between y0
and y1; B could choose y0, y1 such that it knows both preimages.
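A runnable toy version of the protocol in the figure is sketched below, instantiating the trapdoor permutation with textbook RSA at insecure sizes and using a hash-derived bit as a heuristic stand-in for a hardcore predicate; both instantiations are assumptions of the sketch.

```python
import hashlib, random

# Toy RSA trapdoor permutation over Z_N (insecure parameters).
p_, q_ = 1009, 1013
N, e = p_ * q_, 5
d = pow(e, -1, (p_ - 1) * (q_ - 1))            # the trapdoor

f = lambda x: pow(x, e, N)                     # public permutation
f_inv = lambda y: pow(y, d, N)                 # requires the trapdoor
h = lambda x: hashlib.sha256(str(x).encode()).digest()[0] & 1  # "hardcore" bit

def ot(a0: int, a1: int, b: int) -> int:
    """Semi-honest 1-out-of-2 OT for single bits, following the figure."""
    # Bob: y_b = f(x) for random x; y_{1-b} sampled directly from the range,
    # so Bob does not know its preimage.
    x = random.randrange(N)
    y = [0, 0]
    y[b] = f(x)
    y[1 - b] = random.randrange(N)
    # Alice: masks each input bit with a hardcore bit of the preimage.
    c = [a0 ^ h(f_inv(y[0])), a1 ^ h(f_inv(y[1]))]
    # Bob: unmasks only the chosen bit, since he knows x = f^{-1}(y_b).
    return c[b] ^ h(x)

print([ot(0, 1, b) for b in (0, 1)])  # [0, 1]
```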
The GMW compiler is a general conversion technique which converts a protocol secure
against semi-honest adversaries into a protocol secure against fully malicious
adversaries. The basic idea is that at each step, the party sends a zero-knowledge proof
that it computed its messages honestly. Before we introduce the correct compiler, we
briefly discuss a naive, but unfortunately insecure, construction.
Attempt 1
Take any protocol π and convert it as in Figure 13.4.1, where r1 and r2 are the
randomness used by Alice and Bob to execute π. Note that the statement "m1 is consistent
with the values in c1" is in NP, since given the opening of c1 the verification is easy.
[Figure 13.4.1: Attempt 1. Alice (input x1) sends com(x1 || r1, ra); Bob (input x2) sends
com(x2 || r2, rb); the parties then run π, accompanying each message with a
zero-knowledge proof of consistency with these commitments.]
Now suppose A is honest and B is dishonest. Since com(r1, ra) hides r1, B intuitively has
no knowledge of r1 before it generates r2, so r2 is generated independently of r1. Since
r1 is generated by A uniformly at random and is independent of r2, it follows that
r = r1 ⊕ r2 is still uniformly random in this case.
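A sketch of this commit-then-reveal coin flip, with a hash-based commitment standing in for the commitment scheme:

```python
import hashlib, os, secrets

def commit(value: bytes):
    s = os.urandom(16)
    return hashlib.sha256(value + s).digest(), s

def coin_flip(n_bits: int = 128) -> int:
    """Semi-honest sketch: A commits to r1, B replies with r2, A opens."""
    r1 = secrets.randbits(n_bits)                 # A's share
    c, s = commit(r1.to_bytes(16, "big"))         # A sends only c
    r2 = secrets.randbits(n_bits)                 # B picks r2 seeing only c
    # A opens; B verifies the opening before accepting the result.
    assert hashlib.sha256(r1.to_bytes(16, "big") + s).digest() == c
    return r1 ^ r2                                # shared randomness r

print(coin_flip())
```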
Using the idea of the above coin-flipping protocol, we can modify the protocol from our
first attempt and construct a fully working GMW compiler, which takes any oblivious
transfer protocol secure against semi-honest adversaries and converts it into one secure
against malicious adversaries. The compiler is defined as follows (let A's input be ma
and B's input be mb):
1. A generates r1 uniformly at random and sends com(ma || r1, ra) to B. Note that r1 is
neither the randomness used in the commitment scheme nor the entire randomness used by
A in the full new protocol (for example, ra is not part of r1); it is just A's
contribution to the randomness used in the underlying protocol.
2. B generates r1′ uniformly at random and sends r1′ to A.
3. B generates r2 uniformly at random and sends com(mb || r2, rb) to A. Note that r2 is
neither the randomness used in the commitment scheme nor the random tape of B; it is
just a random string used for generating B's randomness.
4. A generates r2′ uniformly at random and sends r2′ to B.
5. A sets its randomness to rA = r1 ⊕ r1′, and B sets its randomness to rB = r2 ⊕ r2′.
6. For any message m_j^A that A sends to B in the original protocol, A sends m_j^A to B,
followed by running a ZKP protocol to prove the following NP statement: m_j^A is
consistent with (1) the transcript so far, and (2) (ma, rA). Note that the transcript
so far also contains messages sent from B to A.
7. For any message m_j^B that B sends to A in the original protocol, B sends m_j^B to A,
followed by running a ZKP protocol to prove the following NP statement: m_j^B is
consistent with (1) the transcript so far, and (2) (mb, rB). Note that the transcript
so far also contains messages sent from A to B.
The intuition is still the same: by leveraging the power of ZKPs, we not only ensure that
both parties learn nothing more than in the original protocol, but also prevent malicious
parties from cheating, thanks to the soundness of the ZKPs. One side note: although this
compiler is correct and can be applied to any OT protocol, it is very inefficient in
practice, since the ZKPs involved require reductions to NP-complete problems.
In the following, we introduce a few notions that generalize the oblivious transfer
problem. Our first 1-out-of-n OT construction works as follows:
1. A samples a trapdoor permutation f with trapdoor t and sends f to B.
2. B samples k ∈ [n] and x from the domain of f. B then sets yk = f(x) and samples each
yi with i ≠ k uniformly at random from the range of f. B then sends (y1, y2, ..., yn)
to A.
3. A computes xi = f^{−1}(yi) using t, then computes zi = h(xi) ⊕ ai for all i and sends
(z1, z2, ..., zn) to B.
4. B obtains ak by computing zk ⊕ h(x) = ak.
Recall that in the previous section we showed how to construct a 1-out-of-n OT based on a
1-out-of-2 construction. Unfortunately, the scheme we defined was not very efficient. Now
we will use a 1-out-of-2 OT in combination with a symmetric encryption scheme to provide
an improved construction. Note that symmetric encryption requires only a very weak
assumption: the existence of a OWF.
Construction Suppose party A has input (a1, a2, ..., an) and party B has input k ∈ [n].
Then the scheme works as follows:
1. Set m = ⌈log n⌉. Generate m pairs of random keys (k_0^1, k_1^1), (k_0^2, k_1^2), ...,
(k_0^m, k_1^m) for the given symmetric encryption scheme. Define sets S1, S2, ..., Sn
such that |Si| = m for all i:
• Denote i as an m-bit string. Let Si contain exactly k_{i[j]}^j for all j ∈ [m],
where i[j] denotes the j-th bit in the binary representation of i. For example, if
m = 3 and i = 2 (010 in binary), then S2 = {k_0^1, k_1^2, k_0^3}. Note that by this
construction, if i ≠ j then Si ≠ Sj, since i and j have different bit-string
representations.
2. A encrypts ai using all keys from the set Si; denote the resulting ciphertext ci. This
is done for all i ∈ [n]. A then sends (c1, c2, ..., cn) to B.
3. A and B execute m instances of the 1-out-of-2 OT protocol. In the i-th execution, A's
input is (k_0^i, k_1^i) and B's input is k[i], the i-th bit of k.
4. After the m executions of the 1-out-of-2 OT protocol, B has exactly the keys used to
encrypt ak. Since these are symmetric encryption keys, B can then decrypt ck.
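The construction can be sketched as below; the m 1-out-of-2 OT executions are modeled by direct key selection (in the real protocol B learns only those m keys), and the symmetric scheme is a toy XOR pad derived from a hash.

```python
import hashlib, math, os

def enc(key: bytes, msg: bytes) -> bytes:
    # Toy one-time symmetric cipher: XOR with a hash-derived pad
    # (self-inverse, so enc doubles as dec).
    pad = hashlib.sha256(key).digest()[: len(msg)]
    return bytes(a ^ b for a, b in zip(msg, pad))

def one_out_of_n(messages: list, k: int) -> bytes:
    n = len(messages)
    m = max(1, math.ceil(math.log2(n)))
    keys = [(os.urandom(16), os.urandom(16)) for _ in range(m)]  # A's pairs

    # A encrypts message i under the m keys selected by the bits of i.
    def wrap(i: int, msg: bytes) -> bytes:
        for j in range(m):
            msg = enc(keys[j][(i >> j) & 1], msg)
        return msg

    ciphertexts = [wrap(i, msg) for i, msg in enumerate(messages)]
    # The j-th 1-out-of-2 OT: B's choice bit is the j-th bit of k.
    received = [keys[j][(k >> j) & 1] for j in range(m)]
    # B decrypts c_k with exactly the keys it received.
    c = ciphertexts[k]
    for j in reversed(range(m)):
        c = enc(received[j], c)
    return c

print(one_out_of_n([b"msg0", b"msg1", b"msg2", b"msg3"], 2))  # b'msg2'
```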
Note that in terms of performance, this construction is much better than the 1-out-of-n
scheme from the previous section. There we had to perform n trapdoor permutation
operations (which are very expensive); now we only need 2m such operations in Step 3,
where m is logarithmic in n. Of course, we also have to account for the cost of the
encryptions, but symmetric encryption is typically much cheaper than trapdoor
permutations, so the protocol above still performs much better.
Note that above, we made significant progress towards Secure 2-Party Computation by
giving solutions for functions that operate on domains of polynomial size. At FOCS '86,
Yao gave a solution for general circuits. This construction was cited as having
contributed to the decision to grant Yao the prestigious Turing Award in the year 2000.
It is, in some sense, a generalization of the construction we presented above. We will
now present Yao's construction.
The following construction applies to boolean circuits that take two inputs x1 and x2 and
compute f (x1 , x2 ). For clarity we restrict ourselves to the case where f (x1 , x2 ) is a single
bit. An example of such a circuit is given by Figure 15. The circuits can be built with any
gates that have two input wires and one output wire.
The high level idea is as follows: the sender will send the encrypted (in some sense)
circuit to the receiver. The receiver will then use Oblivious Transfer to evaluate the circuit
on its input, with the help of the sender. In the following we denote by P1 the sender and
by P2 the receiver:
1. For every wire w in the circuit, the sender P1 generates two random keys
(K_0^w, K_1^w); K_b^w represents the wire w having value b.
2. P2 will eventually need to receive the keys corresponding to the input x1 || x2.
3. P1 creates "gate tables" that enable P2, given the keys for a gate's input wires, to
recover the key for its output wire. Consider a gate with input wires i, j and output
wire ℓ, implementing the functionality g(·, ·).
[Figure 15: An example of a boolean circuit that could be securely evaluated using Yao's
Garbled Circuits; it takes input bits x_{1,0}, ..., x_{1,3} from one party and
x_{2,0}, ..., x_{2,3} from the other and outputs f(x1, x2).]
Given keys K_0^i, K_0^j, P2 can recover K_{g(0,0)}^ℓ; similarly, given keys K_0^i, K_1^j,
P2 can recover K_{g(0,1)}^ℓ, and so on. The natural way to do this is to encrypt
K_{g(b,b′)}^ℓ under K_b^i and K_{b′}^j. Formally, the gate table consists of the four
double encryptions Enc_{K_b^i}(Enc_{K_{b′}^j}(K_{g(b,b′)}^ℓ || 0^λ)) for b, b′ ∈ {0, 1}.
Note that we append a number of zeroes after the key K_{g(b,b′)}^ℓ before encrypting.
This is because when P2 tries to decrypt a row of the gate table, it needs some way to
know whether it succeeded; it can check that the last λ bits of the decryption are zeros,
where λ is the security parameter, which would otherwise happen only with negligible
probability.
Additionally, note that if we were to send the gate table as-is, it would be easy for P2
to tell what bits were being input to the gate simply by looking at which row matched the
zeros. P1 therefore randomly permutes the 4 entries of each table and sends all gate
tables to P2.
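A sketch of garbling and evaluating a single gate along these lines follows, with a toy XOR-pad cipher; the zero-padding check and the row shuffle correspond to the two remarks above.

```python
import os, random
from hashlib import sha256

LAMBDA = 16  # bytes of zero padding used to recognize a correct decryption

def enc(key: bytes, msg: bytes) -> bytes:
    pad = (sha256(key).digest() * 2)[: len(msg)]
    return bytes(a ^ b for a, b in zip(msg, pad))

def garble_gate(g, keys_i, keys_j, keys_out):
    """Build the shuffled 4-row table for a gate with output wire keys."""
    rows = []
    for b in (0, 1):
        for bp in (0, 1):
            inner = keys_out[g(b, bp)] + b"\x00" * LAMBDA
            rows.append(enc(keys_i[b], enc(keys_j[bp], inner)))
    random.shuffle(rows)   # hide which row corresponds to which inputs
    return rows

def eval_gate(table, key_i, key_j) -> bytes:
    # Try every row; the block of zeros identifies the right one.
    for row in table:
        cand = enc(key_j, enc(key_i, row))
        if cand.endswith(b"\x00" * LAMBDA):
            return cand[:-LAMBDA]
    raise ValueError("no row decrypted correctly")

keys_i, keys_j, keys_out = ((os.urandom(16), os.urandom(16)) for _ in range(3))
AND = lambda b, bp: b & bp
table = garble_gate(AND, keys_i, keys_j, keys_out)
print(eval_gate(table, keys_i[1], keys_j[1]) == keys_out[1])  # True
```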
4. Given the keys for the input wires and the gate tables, P2 can compute a key for the
output wire. But P2 wants the output, not the key corresponding to the output.
5. Say wout is the output wire. P1 sends a mapping of keys to bits for wout: more
precisely, P1 sends (K_0^wout, 0) and (K_1^wout, 1), where K_b^wout represents the
output wire having value b. As the protocol executes, P2 will learn one of these keys.
We have described how the circuit gets garbled and how it can then be evaluated given
the input keys. All that remains to be clarified is how P2 acquires the input keys in the first
place. For value x1 , P1 , knowing x1 , can simply send the right keys to P2 directly. The rest
of the keys will be obtained via 1-out-of-2 OT. Recall that we are in the semi-honest setting
(the malicious setting can be solved using the compiler we studied during last lecture). If
we want P1 to also learn the output, then P2 should also send it to P1 at the end.
[Figure: Yao's secure 2PC. P1 constructs the garbled circuit and sends it to P2; the
parties then exchange OT messages through which P2 obtains the keys for its input wires;
finally, P2 recovers the output-wire key K_b^wout and computes f(x1, x2).]
This protocol is highly efficient; in fact, it is one of the most practical approaches to
secure 2PC even today. In the semi-honest setting, it mostly relies on symmetric
encryption. There are optimizations that make it possible to move to the malicious
setting without relying on expensive zero-knowledge techniques. One such optimization is
based on an idea called cut-and-choose: P1 creates a large number of circuits; P2 asks P1
to reveal the secrets of about half of them, chosen at random, to check that P1 generated
them honestly. Then the parties evaluate the remaining circuits, and the value of
f(x1, x2) is determined by a plurality vote over the evaluated circuits. There are also
fairly efficient constructions of OT based on the DDH hardness assumption that are
directly secure against malicious adversaries.
We can also extend this construction to n parties P1, ..., Pn holding inputs
x1, ..., xn, where each pair of parties has a private channel between them. Again, we
only give a solution in the semi-honest setting, and we additionally assume that the
parties do not collude.
1. P1 creates a garbled circuit for f and sends it to Pn;
2. P1 sends the keys corresponding to x1 to Pn;
3. Pn gets the keys corresponding to xn from P1 via 1-out-of-2 OT;
4. For all i with 2 ≤ i ≤ n − 1, Pi gets the keys corresponding to xi from P1 via
1-out-of-2 OT and then forwards these keys to Pn;
5. Pn evaluates the circuit and announces its output f(x1, ..., xn).
Theorem 20. This protocol is secure as long as the parties do not collude with each
other.
Notice that if P1 colludes with Pn, they can recover every other party's input.
Goldreich, Micali and Wigderson (1987) also give a solution that remains secure even if
n − 1 parties collude with each other.
Additional Topics
In this last chapter, we would like to briefly explore the areas of cryptography we haven’t
touched upon yet.
Assume Alice wants to send a message to Bob, but they do not have a shared key. Alice will
first need to securely recover Bob’s public key. We know that key exchange protocols exist,
but they are not secure under Man-In-The-Middle Attacks, and on the internet, it might
be difficult for Alice to know that she’s actually exchanging a key with Bob (e.g. think of
Bob as a website). Certificate Authorities (CA) exist to address this problem. At a high level
they work as follows: Web browsers have the CA’s public key hardcoded. Websites must
go to the CA and get a certificate: a signed statement (from the CA’s private key) that a
given public key (the website’s public key) is the valid public key of the site (identified by
its domain name). That certificate lets the browser check the validity of the public key so
long as the certificate authority remains trustworthy.
Assume a situation involving a client and a server. The client (say, a hospital) wants to up-
load encrypted records (e.g., patient records) to the server (e.g., a cloud provider). Later on,
the client decides it wants to perform computations on records (e.g., compute some statis-
tics to help it do a better job at detecting or treating certain pathologies). Downloading
the entire dataset on hospital servers is cumbersome and somewhat defeats the purpose
of cloud computing. Sending the key to the server so it decrypts the data and performs
the computations is harmful to the privacy of the patients, and in some cases might even
be illegal. Instead, using Fully Homomorphic Encryption, the client can send a function f
to the server and the server can compute and return Enc(f (x)), where x denotes the set
of records. Fully Homomorphic Encryption was first envisioned in the late 70s, but no
solution was available. The problem remained open until Craig Gentry, then one of Dan
Boneh's PhD students at Stanford, gave a scheme based on lattices in 2009.
Note that schemes for simple homomorphisms had been known for a long time. ElGa-
mal encryption is multiplicatively homomorphic. There are also additively homomorphic
schemes. Some schemes are even additively homomorphic and allow one multiplication
computation. Achieving additive and multiplicative homomorphism at the same time is
the key to enabling the computation of any circuit.
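To illustrate the multiplicative homomorphism of ElGamal, here is a toy sketch with insecure parameters: multiplying two ciphertexts componentwise yields an encryption of the product of the plaintexts (messages are assumed to be encoded as group elements).

```python
import random

# Toy group parameters: p = 2q + 1, g = 4 of order q (insecure sizes).
p, q, g = 2579, 1289, 4

def keygen():
    x = random.randrange(1, q)
    return x, pow(g, x, p)           # secret key, public key

def encrypt(pk: int, m: int):
    r = random.randrange(1, q)
    return pow(g, r, p), m * pow(pk, r, p) % p

def decrypt(x: int, ct) -> int:
    c1, c2 = ct
    return c2 * pow(pow(c1, x, p), -1, p) % p

def multiply(ct_a, ct_b):
    # Componentwise product: Enc(m1) * Enc(m2) encrypts m1 * m2.
    return ct_a[0] * ct_b[0] % p, ct_a[1] * ct_b[1] % p

x, pk = keygen()
print(decrypt(x, multiply(encrypt(pk, 6), encrypt(pk, 7))))  # 42
```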
Consider a closed-bid (first-price) auction. The bidders want to keep the values of their
bids private. A natural approach might be to have every participant commit to their bid,
send the commitment to the seller, and then, after the auction closes, reveal their bid.
Note that encryption is clearly not good enough for this use case, because it does not
have any binding property. But commitments may not be good enough either: nothing in the
definition of commitment schemes says it should be impossible for a bidder to intercept
some other bidder's commitment and compute Com(b1 + 1) from Com(b1).
This justifies introducing a new primitive called non-malleable commitments, that
would provide such a guarantee.
Similarly, there are non-malleable encryption schemes and non-malleable Zero Knowl-
edge proof systems (which roughly means that a verifier can’t use a proof from some
prover to prove a related statement).
Program obfuscation is an old problem in computer science. A typical use case is that of
a software vendor who would like to distribute software in such a way that it cannot be
modified or analyzed. Many heuristics have been proposed, but all have eventually been
broken. In fact, in 2001, Barak et al. showed that an ideal definition of software
obfuscation, which they termed Black Box Obfuscation, is impossible to achieve. They
suggested that Indistinguishability Obfuscation, a relaxed definition, might be a more
reasonable goal. In 2013, Garg et al. gave a candidate solution for Indistinguishability
Obfuscation, and the problem has been an important area of cryptographic research in
recent years. All solutions so far have been based on novel assumptions in which the
community's confidence is limited, but one may hope that a satisfactory solution will
appear in the next decade.
The cryptographic schemes we studied in this class were mostly based on keys. But some-
times, where you are physically might be a more important factor. For instance, the US
Army in the Pentagon, near Washington DC, might want to send a message that could
only be read by parties physically located in some US military base in Afghanistan. This is
ADDITIONAL TOPICS 113
a high level description of Position Based Encryption, but one may also think about Posi-
tion Based Signatures, Position Based Key Exchange, or more generally about the area of
Position Based Cryptography. An important problem is that of secure positioning: a prover
is trying to prove his physical coordinates to some verifier, and solutions exist that do not
rely on a trusted third party.
Last but not Least