0% found this document useful (0 votes)
281 views119 pages

Lecture Notes On Applied Cryptography

A good book on cryptography. Includes: Simple ciphers Symmetric cryptography Public key cryptography One way functions MACs And a lot more

Uploaded by

benign hacker
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
281 views119 pages

Lecture Notes On Applied Cryptography

A good book on cryptography. Includes: Simple ciphers Symmetric cryptography Public key cryptography One way functions MACs And a lot more

Uploaded by

benign hacker
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 119

Lecture Notes

on

Introduction to Cryptography
Course 15356/15856, Fall 2020

Vipul Goyal
CMU
Acknowledgment

These lecture notes are largely based on scribe notes of the students who took CMU’s “In-
troduction to Cryptography” by Professor Vipul Goyal in 2018 and 2019. The notes were
later edited by the teaching assistant Elisaweta Masserova. We thank all of the students
who contributed to these notes:

Danniel Yang Elisaweta Masserova


Zhiyang He Macallan Cruff
Maxwell Johnson Huzaifa Abbasi
Jaron Chen Jie Zhou
Ziyi Zhong Edouard Dufour Sans
Jacob Neumann
Logan Snow
Shaoyan Li
Justin Cheng
Yi Zhou
Sahil Hasan
Yan Shen
Rebecca Stevens
Hanjun Li
Hariank Muthakana
Jin Yan
Ke Wang Bhuvan Agrawal
Eipe Koshy Raghav Behl
Walter Tan Nikhil Vanjani
Kartik Chitturi Arushi Bandi
Chuta Sano Yifan Song

If your name is not on the list (and you believe it should be) - please let us know.
The notes are not free of typos by any means and not all the chapters have been care-
fully edited. If you notice anything that should be changed, please get in touch with us.
Vipul Goyal: goyal [at] cs.cmu.edu
Elisaweta Masserova: elisawem [at] cs.cmu.edu

i
Contents

Contents ii

Introduction 2
1.1 Classical Symmetric Encryption Schemes . . . . . . . . . . . . . . . . . . 2
1.1.1 Caesar Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.2 Substitution Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.3 Vigenère Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Perfectly Secure Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2.1 One-Time Pad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Shannon’s Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

One-Way Functions 8
2.1 Polynomial Time and Probabilistic Polynomial Time Algorithms . . . . . 8
2.2 Negligible and Noticeable Functions . . . . . . . . . . . . . . . . . . . . . 9
2.3 One-way Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3.1 Strong One-way Functions . . . . . . . . . . . . . . . . . . . . . . 9
2.3.2 Variants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3.3 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.4 Constructing One-way Functions . . . . . . . . . . . . . . . . . . . . . . . 11
2.4.1 Hardness of Factorization and Chebyshev’s Theorem . . . . . . 11
2.4.2 OWF Based on Factorization . . . . . . . . . . . . . . . . . . . . 12
2.4.3 Weak OWF Based on Factorization . . . . . . . . . . . . . . . . . 13
2.5 Hardcore Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.5.1 Weak One-to-One One-Way Functions . . . . . . . . . . . . . . . 15
2.6 Yao’s Hardness Amplification* (optional material) . . . . . . . . . . . . . 16

Pseudorandomness 18
3.1 Pseudorandom Generators (Informal) . . . . . . . . . . . . . . . . . . . . 18
3.1.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.2 Computational Indistinguishability . . . . . . . . . . . . . . . . . . . . . . 19
3.3 Properties of Computational Indistinguishability . . . . . . . . . . . . . . 21
3.4 Pseudorandom Ensembles . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.5 Pseudorandom Generators . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.6 Construction of Pseudo-Random Generators . . . . . . . . . . . . . . . . 24
3.6.1 Construction of 1-bit stretch PRG . . . . . . . . . . . . . . . . . . 25
3.6.2 Construction of poly-stretch PRG . . . . . . . . . . . . . . . . . . 25

ii
CONTENTS iii

3.7 Application: one-time pad key generation . . . . . . . . . . . . . . . . . . 27


3.8 Pseudorandom Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.8.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.8.2 PRF Application to Encryption . . . . . . . . . . . . . . . . . . . 30

Fun with Composition, Part 1 – One-Way Functions 31

Symmetric Key Encryption 33


4.1 Syntax of Symmetric Key Encryption . . . . . . . . . . . . . . . . . . . . . 33
4.2 One-Time Encryption Using a PRG . . . . . . . . . . . . . . . . . . . . . . 34
4.3 Multi-Message Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.3.1 Multi-Message Encryption using a PRF . . . . . . . . . . . . . . 36

Fun with Hybrids, Part 2 – Encryption Schemes 38

Facts from Number and Group Theory 40


5.1 Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
5.1.1 Basic Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.1.2 Examples of Groups . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.2 Discrete Logarithm Assumption and its Variations . . . . . . . . . . . . . 43
5.2.1 Discrete Log Assumption (DLA) . . . . . . . . . . . . . . . . . . 43
5.2.2 Variations of DLA . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Key Agreement 45
6.1 Key Exchange Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
6.2 Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . 46
6.3 Diffie-Hellman Key Exchange Protocol . . . . . . . . . . . . . . . . . . . . 46
6.3.1 Active vs. Passive Adversaries . . . . . . . . . . . . . . . . . . . 46
6.3.2 Key Management Using Trusted Third Party . . . . . . . . . . . 46

Public Key Encryption 47


7.1 Stateless and Deterministic Public Key Encryption . . . . . . . . . . . . . 48
7.2 Multi-Message Public Key Encryption . . . . . . . . . . . . . . . . . . . . 48
7.3 ElGamal Encryption Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . 50
7.3.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
7.4 RSA Encryption Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
7.4.1 RSA assumption . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
7.4.2 Trapdoor One-way Permutations (Trapdoor OWP) . . . . . . . . 52
7.4.3 RSA Implies Trapdoor OWP . . . . . . . . . . . . . . . . . . . . . 53
7.4.4 From Trapdoor OWP to Public Key Encryption . . . . . . . . . . 53

MAC and Hash Functions 55


8.1 Message Authentication Code . . . . . . . . . . . . . . . . . . . . . . . . . 55
8.1.1 Definition and properties . . . . . . . . . . . . . . . . . . . . . . 55
8.1.2 Construction based on PRF . . . . . . . . . . . . . . . . . . . . . 56
8.2 Collision Resistant Hash Function . . . . . . . . . . . . . . . . . . . . . . 57
8.2.1 Facts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
8.3 Construction based on Discrete Logarithm Assumption . . . . . . . . . . 58
CONTENTS iv

8.3.1 Better compression functions? . . . . . . . . . . . . . . . . . . . . 59


8.4 Further Thoughts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Digital Signatures 60
9.1 One-time Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
9.2 Signing Longer Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
9.3 Signing Multiple Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
9.4 An RSA Based Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Secret Sharing 65
10.1 Construction of a secret sharing scheme . . . . . . . . . . . . . . . . . . . 66
10.2 t-of-n secret sharing schemes . . . . . . . . . . . . . . . . . . . . . . . . . 68
10.2.1 Shamir’s Secret Sharing . . . . . . . . . . . . . . . . . . . . . . . 69
10.3 Threshold PKE (t-of-n) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
10.3.1 Threshold PKE based on El-Gamal PKE . . . . . . . . . . . . . . 71

Blockchains 72
11.1 Bitcoin History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
11.2 Blockchain as a public ledger . . . . . . . . . . . . . . . . . . . . . . . . . 72
11.2.1 Single Miner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
11.2.2 Multiple miners . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
11.2.3 Infanticide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
11.3 Cryptocurrency built on public ledger . . . . . . . . . . . . . . . . . . . . 74
11.3.1 Creation of Bitcoin . . . . . . . . . . . . . . . . . . . . . . . . . . 74
11.3.2 State and transactions . . . . . . . . . . . . . . . . . . . . . . . . 75
11.3.3 Weak anonymity . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
11.3.4 Rate control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
11.3.5 Mining pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
11.4 Applications built on top of Bitcoin and the Blockchain . . . . . . . . . . 76
11.5 Information Verification on the Blockchain - Merkle trees . . . . . . . . . 77
11.6 Limitations of Bitcoin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
11.7 Types of forks in Bitcoin . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
11.8 Proof-of-Stake Blockchains . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
11.8.1 Highlevel idea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
11.8.2 Generating rpk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
11.8.3 Posterior Corruptions in Proof-of-Stake Blockchains . . . . . . . 82
11.9 Existing Proposals to Solve POW Scalability Issues . . . . . . . . . . . . . 82
11.9.1 GHOST: Greedy Heaviest Observed Subtree . . . . . . . . . . . 83
11.9.2 Inclusive Blockchain Protocols . . . . . . . . . . . . . . . . . . . 83

Zero-Knowledge Proofs 85
12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
12.2 Formal Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
12.3 Zero-Knowledge Graph Isomorphism . . . . . . . . . . . . . . . . . . . . 86
12.3.1 Graph Isomorphism Problem Definition . . . . . . . . . . . . . . 86
12.3.2 Zero-Knowledge for Graph Isomorphism Protocol . . . . . . . . 87
12.4 Amplifying Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
CONTENTS 1

12.5 Commitment Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89


12.5.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
12.5.2 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
12.6 Zero-Knowledge for Graph 3-Coloring . . . . . . . . . . . . . . . . . . . . 91
12.6.1 Graph n-Coloring Problem . . . . . . . . . . . . . . . . . . . . . 92
12.6.2 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
12.7 Amplifying Soundness - Part 2 . . . . . . . . . . . . . . . . . . . . . . . . 94
12.7.1 Candidate protocol for Graph 3-Coloring using parallel repetition 94
12.7.2 Fiat-Shamir-Heuristic . . . . . . . . . . . . . . . . . . . . . . . . . 95
12.7.3 NIZKs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
12.7.4 ZK in the Context of Blockchains . . . . . . . . . . . . . . . . . . 96

Secure Multi-Party Computation 99


13.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
13.1.1 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
13.2 Formal Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
13.3 Types of Adversaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
13.4 Oblivious Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
13.4.1 Protocol against Semi-Honest Adversaries . . . . . . . . . . . . 101
13.5 GMW Compiler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
13.6 More General Versions of Oblivious Transfer . . . . . . . . . . . . . . . . 105
13.6.1 1-out-of-n Oblivious Transfer . . . . . . . . . . . . . . . . . . . . 105
13.6.2 1-out-of-n String Oblivious Transfer . . . . . . . . . . . . . . . . 106
13.6.3 General Secure 2PC for Small Input Size . . . . . . . . . . . . . . 106
13.7 Precursor to Yao’s Garbled Circuits . . . . . . . . . . . . . . . . . . . . . . 106
13.8 Yao’s Garbled Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
13.9 Construction for MPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Additional Topics 111


14.1 Public-key Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
14.2 Fully-Hommorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . . 111
14.3 Non-malleable Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . 112
14.4 Attribute Based Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 112
14.5 Program Obfuscation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
14.6 Position Based Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . 112

Last but not Least 114


Introduction
Cryptography studies techniques aimed at securing communication in the presence of
adversaries. While encryption is probably the most prominent example of a crypto-
graphic problem, modern cryptography is much more than that. In this class, we will
learn about pseudorandom number generators, digital signatures, zero-knowledge proofs,
multi-party computation, to name just a few examples.
While the techniques used in current systems are relatively modern, the problems tack-
led by cryptography have been around for thousands of years. In particular, the problem of
encryption was especially appealing to the humankind. Indeed, until recent times “cryp-
tography” was essentially a synonym for “encryption”. The goal of encryption is to allow
parties to communicate securely in the presence of an adversary. Say Alice wants to send
a secret message to Bob. Can she do it so that the eavesdropper Eve who is intercept-
ing communication between Alice and Bob does not get any useful information about the
secret?
Throughout history, many encryption schemes have been proposed. They have been
mainly used in military and warfare. The ones that span from the ancient Roman Republic
to around 50 years ago are considered to be classical encryption schemes, whereas the later
ones we call modern encryption schemes. The classical encryption schemes typically did
not provide any sort of provable security guarantees, they have been used just because
people thought they work (until they were broken). Modern encryption schemes try to
take a different approach by proving the security of the schemer relying on some assump-
tions. In this chapter we will look at some classical encryption schemes. We will start
by looking at the symmetric encryption schemes. In constrast to asymmetric, or public-key
encryption, the encryption- and decryption keys of the symmetric schemes are the same.

1.1 C LASSICAL S YMMETRIC E NCRYPTION S CHEMES

Definition 1. A symmetric key encryption scheme SE = (Gen, Enc, Dec) is defined by the
following three algorithms:
• k ← Gen(κ). The key generation algorithm Gen takes as input a security parameter
κ 1 and generates a secret key k. The security parameter κ determines the length of
the key. Typically, the longer the key, the more secure is the scheme.
• c ← Enc(k, m). The encryption algorithm Enc takes as input a key k and a message
m, and outputs a ciphertext c.
1 Typically we use 1κ as a security parameter to make sure that Gen runs in time polynomial in the size of

the input. For simplicity, we will just write κ.

2
INTRODUCTION 3

• m = Dec(k, c). The decryption algorithm Dec takes as input a key k and a ciphertext
c, and outputs a plaintext message m.
Correctness. The scheme is said to be correct, if for all security parameters κ and all mes-
sages m the following holds:

P r[m = Dec(k, c) : k ← Gen(κ), c ← Enc(k, m)] = 1

Remark 1. In the notation above we first specify the statement (m = Dec(k, c)), and then,
after the colon, we specify the condition (k ← Gen(κ), c ← Enc(k, m)). We will use this
notation throughout this manuscript.

We will now take a look at one of the oldest known classical symmetric encryption
schemes: the Caesar cipher.

1.1.1 Caesar Cipher


Caesar cipher was used by Julius Caesar in the ancient Roman Republic more than 2000
years ago. It was used to encrypt military information passed around in the army. Here’s
what Suetonius, a Roman historian, records in Life of Julius Caesar:
If he had anything confidential to say, he wrote it in cipher, that is, by so chang-
ing the order of the letters of the alphabet, that not a word could be made out. If
anyone wishes to decipher these, and get at their meaning, he must substitute
the fourth letter of the alphabet, namely D, for A, and so with the others.
The Caesar cipher is a specific instance of substitution ciphers which we will define later.
Because of the cipher’s historical origin, we will assume that the message consists of letters,
although it can be extended to a larger message space.
Formally, the Caesar cipher is defined as follows:
• k ← Gen(·). The key generation algorithm outputs the key k, a value from 0 to 25.
• c ← Enc(k, m). The encryption algorithm substitutes each letter of the message m
by a letter k positions further in the alphabet.
• m = Dec(k, c). The decryption algorithm substitutes each letter of the ciphertext c
by a letter k positions earlier in the alphabet.
Example. For key k = 1 and message m = “attack”, we get:
• Enc(1, “attack”) = “buubdl”
• Dec(1, “buubdl”) = “attack”

Remark 2. One way to break the cipher is to test all possible keys (there are only 26 of
them) in a brute-force attack. Whichever results in a message that is not gibberish produces
probably the right message. Today’s computers make conducting this attack very fast, it is
hard to say how effective the cipher was in Caeser’s time.

1.1.2 Substitution Ciphers


In substitution ciphers the key is some mapping P of the alphabet. To produce a ciphertext,
each letter of the message is substituted by another letter as defined by the mapping P .
Note that Caesar cipher is indeed a special case of a substitution cipher.
More formally, substitution ciphers are defined by the following three algorithms:
INTRODUCTION 4

• P ← Gen(·). The key generation algorithm outputs a uniformly generated random


permutation (mapping) P of English letters from a to z.
• c ← Enc(P, m). The encryption algorithm substitutes each letter λ of the message m
with P (λ).
• m ← Enc(P, c). The decryption algorithm substitutes each letter λ of the ciphertext
c with P −1 (λ), where P −1 is the inverse permutation of P .
Note that in the English alphabet there are 26! possible permutations. Thus, a way to
break this scheme is to try all these 26! permutations (brute force attack). However, there
are much better ways to break the scheme:
1. Frequency Analysis: Some letters are more frequent than others. For example, if you
notice that the most frequent letter in the ciphertext is ‘d’, there is a high probability
that it was mapped from ‘e’. Note that for this attack to work, the adversary needs
to have access to a ciphertext that is long enough.
2. Bigrams: Some pairs of letters are more frequent than others. Say we know (e.g.
from the frequence analysis) that ‘t’ maps to ‘d’. Then, if in the ciphertext ‘e’ follows
‘d’ very frequently, there is a high probability that it was mapped from ‘h’.

Remark 3. Sometimes you do not need to be able to decrypt the complete ciphertext. Say
you know that the plaintext message is either “attack” or “defend”. Then, decrypting even
a single letter is enough.

1.1.3 Vigenère Cipher


Vigenère cipher is an extension of Caesar Cipher named after French cryptographer
Blaise de Vigenère. Its main idea is to use a key sequence, instead of a single key as in
the Caeser cipher. More formally:
• s ← Gen(κ). The key generation algorithm outputs a uniformly generated random
string s of length κ.
• c ← Enc(s, m). The encryption algorithm repeats the string s until it has the same
length as the message m. Let mi be the letter at position i of m, and si is the letter at
position i of s. Then, each letter mi is substituted by the letter ki positions further in
the alphabet, where ki corresponds to the position of si in the alphabet.
• m ← Enc(s, c). The decryption algorithm repeats the string s until it has the same
length as the message m. Then, each letter ci is substituted by the letter ki positions
earlier in the alphabet, where ki corresponds to the position of si in the alphabet.
Example.

Plaintext: DEFENCE
Key: COVERCO
Ciphertext: FSAIEES

Looking at what some famous mathematicians and historical figures have to say about
Vigenère Cipher reveals that the concept of security has changed significantly over the
years. Author and mathematician Lewis Carroll, known for Alice in the Wonderland as
INTRODUCTION 5

well as his mathematical works, proclaimed that the cipher was “unbreakable”. The Scien-
tific American magazine called it “impossible of translation”. However, one of the found-
ing fathers of computer science, Charles Babbage, managed to break it, but did not publish
his findings2 .

Remark 4. One way to break the scheme is the following: Start by guessing the key length
l. Then, arrange the letters of the ciphertext in a matrix as follows:

1 l+1 2l + 1 ...
2 l+2 2l + 2 ...
3 l+3 2l + 3 ...
.. .. .. ..
. . . .

and analyse each row using the frequency analysis. Note that it is possible since the
letters of a row were encrypted using a single letter key, just as in the Caesar cipher.

1.2 P ERFECTLY S ECURE E NCRYPTION

The classical ciphers we looked at previously all tried to provide some notion of security,
but have all been broken. This suggests that designing a secure encryption scheme is hard.
However, even defining security is entirely non-trivial. To see why, we take a look at some
intuitive attempts at defining it:
• Attempt 1: P r[A(c) = m : k ← Gen(·), c ← Enc(k, m)] = 0, where A is some
adversary. Now, note that even if all the adversary does it to just randomly guess the
key, it has a small probability of being correct. Thus, unfortunately, this definition
does not work.
• Attempt 2: P r[A(c) = m : k ← Gen(·), c ← Enc(k, m)] = α, where α is some
1
fixed very small number (say, α = 2100 ). Recall the “attack”-“defend” example. If the
adversary knows that there are only a few possible options for the plaintext message,
it will be able to guess it with a probability higher than α.
• The scheme hides every character perfectly, meaning the probability of guessing each
1
character is ≤ 26 . However, since in an english text some letters are more frequent
than others, the adversary will be able to guess some characters with higher proba-
bilities.
The problem is that we are trying to assign some fixed quantity to the probability of
guessing the right message, even though for different messages or message spaces the
“right” probability can be completely different. Thus, we should isolate the definition of
security from any specific message space. Intuitively, having some knowledge about the
message space is fine, as long as the ciphertext does not provide more information about
the message than the adversary had before seeing the ciphertext. Thus, we essentially want
the ciphertext to be independent of the message.
2 Note that if the key length of the Vigenère cipher is equal to the text length, and the key is used only once,

the cipher is indeed unbreakable.


INTRODUCTION 6

Definition 2. (Gen, Enc, Dec) is a perfectly secure encryption scheme if and only if for all
pairs of messages (m1 , m2 ) and all ciphertexts c the following holds:

P r[c = Enc(k1 , m1 ) : k1 ← Gen(·)] = P r[c = Enc(k2 , m2 ) : k2 ← Gen(·)]

Remark 5. Thus, no matter what message you start with, the distribution of the resulting
ciphertext is the same as for all other messages in the given message space.

1.2.1 One-Time Pad


We now discuss a scheme that achieves the above definition of perfect security -
One Time Pad. This scheme is essentially a generalization of the Vigenère Cipher, where
the length of the key is the same as the length of the message and the key is used only
once. In the following, for simplicity, we assume that we are working with a binary al-
phabet. Let ⊕ denote the “exclusive or” of two binary strings. Formally, One Time Pad is
defined as follows:
• s ← Gen(κ). The key generation algorithm outputs a uniformly random binary
string of length κ.
• (s ⊕ m) ← Enc(s, m). The encryption algorithm outputs an exclusive or of the key
and the message string. This key must only be used once.
• (s ⊕ c) ← Dec(s, c). The decryption algorithm outputs an exclusive or of the key and
the ciphertext string.
Theorem 1. One-time pad is a perfect symmetric key encryption scheme.
Proof. For all pairs of messages (m1 , m2 ) and for all c, where |m1 | = |m2 | = |c| =: n, the
following holds:
1
P r[c = Enc(s, m1 ) : s ← Gen(n)] = P r[c = Enc(s, m2 ) : s ← Gen(n)] = ,
2n
since for each c and mi , where i ∈ {1, 2}, there exists exactly one s such that c = Enc(s, mi ):
s = mi ⊕ c.

Unfortunately, one-time pad has a number of very obvious limitations: what if the
message that we want to encrypt is very long? It would require a transmission of a very
long key. What if we want to encrypt not a single, but multiple messages? Since the key
can only be used once, we would need to transmit multiple keys. These issues prevent us
from using one-time pad in practice.

1.3 S HANNON ’ S T HEOREM

In 1948, Claude Shannon, a wartime coding theory researcher for the US government,
invented coding theory with his memorandum A Mathematical Theory of Communication,
and presented his Noisy-Channel Coding Theorem, also known as Shannons’s Theorem.
Theorem 2. (Shannon’s Theorem) For all perfectly secure symmetric key encryption
schemes with message space M and key space K, it holds that |K| ≥ |M |, where |K|
(resp. |M |) denotes the size of the key (resp. message) space.
INTRODUCTION 7

Proof. Assume there exists a perfectly secure encryption scheme (Gen, Enc, Dec) for which
|K| < |M |. Pick any ciphertext c such that there exists a message m00 that encrypts to
c using some key from K. Then, decrypt c using every key from K to recover a set of
messages S. Note that S is of size at most |K|, because we get at most one unique message
per decryption. Since |K| < |M | by the assumption, there exists a message m0 ∈ M such
that m0 6∈ S. Thus,
P r[Enc(k, m0 ) = c : k ← Gen(·)] = 0
At the same time, some message m00 must encrypt to c, which contradicts the assumption
that the scheme is perfectly secure, since

0 = P r[c = Enc(k1 , m0 ) : k1 ← Gen(·)] 6= P r[c = Enc(k2 , m00 ) : k2 ← Gen(·)] > 0

Remark 6. Note that for the proof of this theorem we assumed we could decrypt c with
every key from K, which can be hard to do in practice for a large enough key space. So, in
fact, there could be an encryption scheme that has a smaller key space and is “secure" with
respect to some other definition.
One-Way Functions

In the previous chapter, we explored several classical ciphers that attempt to hide infor-
mation in messages. However, only one of them (One-Time Pad) is perfectly secure. We
saw Shannon’s Theorem, which claims that it is impossible to have a perfectly secure sym-
metric key scheme with key space smaller than message space. These results imply that
perfect security might be too hard to achieve in many scenarios. However, it may be pos-
sible to define a weaker notion of security that might still be sufficient in many use cases.
In this chapter, we will discuss security against “reasonable” adversaries.
Intuitively, modern cryptography is based on the assumption that the adversary’s com-
putational power is limited (in some “reasonable” way, which we will define later). With
respect to encryption, this means that secure schemes should ensure that it is computation-
ally “hard” for the adversary to decrypt a message, while allowing for efficient enc- and
decryption for users that have the secret key. To construct such schemes we will require
primitives that posses useful computational hardness properties.
In this chapter we will introduce one such fundamental cryptographic primitive - one-
way functions, which are “easy” to compute, but “hard” to invert. Before we can dive in,
we need to consider a few helpful definitions.

2.1 P OLYNOMIAL T IME AND P ROBABILISTIC P OLYNOMIAL T IME A LGORITHMS

We now explain what we meant by “reasonable” in the previous paragraph. Typically,


modern cryptographic algorithms consider probabilistic adversaries that run in polynomial
time:

Definition 3 (PT). An algorithm A, which runs on input x, is called polynomial time (PT) if
there exists a polynomial P (n) such that for all large enough n = |x|, the number of steps
in the computation of A(x) is bounded above by P (|x|).

Definition 4 (PPT). An algorithm Ar , which runs on input x and uses randomness r, is


called probabilistic polynomial time (PPT) if there exists a polynomial P (n) such that for all
large enough n = |x|, the number of steps in the computation of Ar (x) is bounded above
by P (|x|).
Definition 5 (EPPT). An algorithm Ar , which runs on input x and uses randomness r, is
called expected probabilistic polynomial time (EPPT) if there exists a polynomial P (n) such
that for all large enough n = |x|, the expected number of steps in the computation of
Ar (x) is bounded above by P (|x|). Generally, all theorems and proofs will hold for EPPT
algorithms as well.

8
ONE-WAY FUNCTIONS 9

Example. Consider the following algorithm A:

1 : At each step, toss a coin.


2 : If it turns out head, return 1.
3 : Otherwise, toss again.

Note that this algorithm does not necessarily halt in polynomial time. In fact, it might
run for arbitrarily many steps. However, in expectation, the number of steps taken by this
algorithm is 2. Therefore, this is a PPT algorithm.

2.2 N EGLIGIBLE AND N OTICEABLE F UNCTIONS

The next definition that we will encounter quite frequently are negligible and noticeable
functions:

Definition 6. A function ν(n) is called negligible if for every polynomial P (n), for all large
1
enough n, ν(n) < P (n) .

We typically denote negligible functions as negl(n). As an example, ν(n) = 21n is a neg-


ligible function since the exponential function 2n grows faster than any polynomial p(n).
In general, we want the probability of an adversary breaking our system to be negligible.

Definition 7. A function f (n) is called noticeable if there exists two polynomials, P (n) and
1
Q(n), such that for all n large enough, P (n) ≤ f (n) ≤ Q(n).

We typically denote noticeable functions as notice(n). The following facts about negli-
gible and noticeable functions are easy to derive:
• f (n) = poly1 (n) · poly2 (n) is a polynomial.
• f (n) = notice1 (n) · notice2 (n) is noticeable.
• f (n) = notice(n) · negl(n) is negligible.
• f (n) = negl1 (n) · negl2 (n) is negligible.
• f (n) = notice1 (n) + notice2 (n) is noticeable.
• f (n) = notice(n) + negl(n) is noticeable.
• f (n) = negl1 (n) + negl2 (n) is negligible.
• f (n) = c · notice(n) is noticeable for constant c.
• f (n) = c · negl(n) is negligible for constant c.

2.3 O NE - WAY F UNCTIONS

2.3.1 Strong One-way Functions


We now present an important definition for this lecture: one-way Functions (OWF). Intu-
itively, we would like a function f (x) such that computing f is “easy" for all x, but invert-
ing f (x) is “hard" for a randomly chosen x. Here "easy" and "hard" refers to computability
in polynomial time. This leads us to the following definition:
ONE-WAY FUNCTIONS 10

Definition 8 (OWF). A function f : {0, 1}n → {0, 1}m is an one-way function if the following
holds:
1. f runs in polynomial time. Equivalently, the computation of f (x) is polynomial time
for all x.
2. For all PPT adversaries A, there exists a negligible function negl(n) such that for all
large enough n, we have
$ $
Pr[f (x) = f (x0 ) : x ←
− {0, 1}n , x0 ←
− A(f (x))] ≤ negl(n)

Remark 7. Here f (x) is called the image of x, and x is called the preimage of f (x). We can
easily extend this definition to f : D → R for any domain D and range R. Moreover, we
can either view the domain D as a set from which the input is sampled randomly, or as a
distribution.
There is an important subtlety to this definition: in the second condition, we require
that the probability of any adversary finding any preimage is negligible. It might be tempt-
ing to change the second condition to:
$ $
Pr[x = x0 : x ←
− {0, 1}n , x0 ←
− A(f (x))] ≤ negl(n)
However, this modified definition is not very useful. To see that, consider the function f
such that f (x) = 0 for all x. Then f is an OWF under this definition, but it is intuitively
useless for cryptographic purposes. Therefore, we strengthen condition 2 to the above
definition.
2.3.2 Variants
Technically, the definition provided above refers to strong one-way functions. Additionally,
there exist weak one-way functions, that can be quite useful as well:
Definition 9 (Weak OWF). A function f : {0, 1}n → {0, 1}m is a weak one-way function if
the following holds:
1. f runs in polynomial time. Equivalently, the computation of f (x) is polynomial time
for all x.
2. For all PPT adversaries A, there exists a noticeable function notice(n) such that for
all large enough n, we have
$ $
Pr[f (x) = f (x0 ) : x ←
− {0, 1}n , x0 ←
− A(f (x))] ≤ 1 − notice(n).

Intuitively, a weak one-way function should be hard to invert on some noticeable frac-
tion of inputs.
Definition 10. A function f : D → R is an injective one-way function if f is a one-way
function, and f is injective. Injective one-way functions are also called one-to-one one-way
functions.
Remark 8. An injective function (also known as one-to-one function) is a function that
maps distinct elements of its domain to distinct elements of its range.
Definition 11. A function f : D → R is a one-way permutation (OWP) if f is an injective
one-way function, and f is a permutation (i.e. D = R).
ONE-WAY FUNCTIONS 11

2.3.3 Limitations
Unfortunately, one-way functions only satisfy a weak sense of security. They only guaran-
tee that the input to function f is not leaked entirely, but it is still possible that a substantial
amount of information is leaked. In fact, the following statement is true:
Proposition 1. Given an one-way function f : {0, 1}n → {0, 1}n , we can build another
one-way function g : {0, 1}2n → {0, 1}2n , such that g leaks half of its input.
Proof. Let k denote concatenation. Consider the following definition of g: given input
x1 kx2 , where |x1 | = |x2 | = n, output f (x1 )kx2 . It suffices for us to argue that g is an
one-way function.
Assume for the sake of contradiction that there is an adversary A that inverts g with a
noticeable probability. We construct an adversary B that inverts f with noticeable proba-
bility. Consider the following algorithm:

1 : Given f (x), construct y = f (x)kt, where t is a random number from {0, 1}n .
2 : Run A(y).
3 : If A halts without failing, return the first n bits of A(y)’s output.
4 : Otherwise, return FAIL.

Now it’s easy to see that B succeeds as long as A succeeds. Since A has noticeable
probability of success, B has noticeable probability of success, which implies f is not an
one-way function, leading to a contradiction. Therefore g is an one-way function.
We also have the following statement about the existence of one-way functions:
Theorem 3. If P = NP, then one-way functions do not exist.
Proof. Here we present a sketch of the proof. Assume for the sake of contradiction that
there exists a one-way function f : D → R. Then, since f can be computed in polynomial
time, inverting f is in NP because given a preimage, it takes polynomial time to check its
validity. Assuming P = NP, finding a preimage for f could be computed in polynomial
time, which means f is not a one-way function, leading to a contradiction.

2.4 C ONSTRUCTING O NE - WAY F UNCTIONS

We will now try to provide concrete constructions of one-way functions. In particular,


we will assume the hardness of certain problems, i.e. they cannot be solved in PPT, and
construct one-way functions based on such assumptions. The first such example would be
the hardness of factorization.

2.4.1 Hardness of Factorization and Chebyshev’s Theorem


Assumption 1 (Factoring Assumption). Define Pn = {p : p is prime and p ≤ 2n } as the set
of all n-bit prime numbers. Then for all PPT algorithms A:
$ $
Pr[A(N ) = (p, q) : p ←
− Pn , q ←
− Pn , N = p · q] ≤ negl(n).

Theorem 4 (Chebyshev’s Theorem). Let p be a n-bit number chosen uniformly at random.


1
Then Pr[p is prime] ≥ 2n .
ONE-WAY FUNCTIONS 12

2.4.2 OWF Based on Factorization


We now propose two one-way function constructions based on the factorization assump-
tion. The first construction we consider is defined for a somewhat contrived input distri-
bution, the second one for uniform inputs.
Construction 1. Consider the following distribution as the input domain D: Sample p, q
from Pn uniformly at random, return x = pkq. Define the function f : D → R that takes in
2n-bit input pkq and output p · q.
Proposition 2. f is a one-way function for D under Assumption 1.
Proof. Assume for the sake of contradiction f is not an one-way function. Then there must
exist PPT adversary A that has a noticeable probability of inverting f . Using A, we’ll build
a PPT algorithm B that breaks the factoring assumption with noticeable probability. B
takes as input a challenge N and will attempt to factor it. Consider the following definition
for B:
1 : Run A(N ), let its output be x = pkq.
2 : If p · q = N , return (p, q).
3 : Otherwise, return FAIL.

Note that here we assume N is a product of 2 primes, as in Assumption 1. It is easy to see


that if A succeeds, then B succeeds as well. Therefore, we have
$
notice(n) ≤ Pr[f (x) = N : x ←
− A(N )] = Pr[B(N ) = (p, q)].

This is a contradiction. Therefore, f is a one-way function.


3
Construction 2. Let D = {0, 1}n and R = {0, 1}2n . Given x ∈ D, f interprets x as a set S
of n2 n-bit integers, and uses deterministic PT primality test to find the first two 2 primes
in S. If f finds p and q, then output p · q. Otherwise, it outputs FAIL.
Proposition 3. f is an one-way function for the uniform distribution under assumption 1.
Proof. Assume for the sake of contradiction that there is a PPT adversary A that inverts f
with noticeable probability. Consider the following PPT algorithm B that gets a challenge
integer N as input and attempts to break the factoring assumption:

1: Run A(N ).
2: If it succeeds and returns x0 ∈ D, then interpret x0 as a set of n2 integers and use primality
test to find the first two primes in this set. If found, output the primes.
3: Else, output FAIL.

Note that we can’t analyze the success probability of B using the same methods in Propo-
sition 2, because the function f now have a probability of outputing FAIL, which means A
could receive FAIL as an input. Note that if f would output FAIL with noticeable proba-
bility, then even a basic adversary that returns (0, · · · , 0) all the time could have noticeable
probability of inverting f . Therefore, we prove the following claim:
Claim 1. The probability that f outputs FAIL is negligible.
ONE-WAY FUNCTIONS 13

Proof. Here we have

Pr[f outputs FAIL] = Pr[There is at most 1 prime in S]


= Pr[There is no prime in S] + Pr[There is exactly 1 prime in S]
1 n2 1 n2 −1
≤ (1 − ) + n2 · (1 − ) ·1
2n 2n
1 n n 1 n n
≤ ((1 − ) ) + 2n2 ((1 − ) )
2n 2n
≤ (e−1/2 )n + 2n2 (e−1/2 )n
= e−n/2 + 2n2 e−n/2 .

We used Chebyshev’s theorem and the fact that Pr[p is prime] ≤ 1 in the first inequality,
and the fact that for x = − 21 the sequence (1 + nx )n is an increasing sequence converging
to ex in the third inequality. Since the product of a polynomial and a negligible function is
negligible, and the sum of two negligible funcitons is negligible, we get that the probability
of f outputting FAIL is negligible.

$ $
− D and x0 ←
Now let  = Pr[f (x) = FAIL]. Assuming x ← − A(f (x)), we have:

Pr[f (x) = f (x0 )] = Pr[f (x) = f (x0 )|f (x) = FAIL] ·  + Pr[f (x) = f (x0 )|f (x) 6= FAIL] · (1 − )
≥ notice(n).

Since the probability that f outputs FAIL is negligible, and we assume that A inverts f with
noticeable probability, A must succeed on non-FAIL inputs with noticeable probability.
Thus, Pr[f (x) = f (x0 )|f (x) 6= FAIL] is noticeable. The probability that B succeeds is at
least the probability of A succeeding on non-FAIL inputs multiplied by the probability of
f not outputting FAIL. The probability of B’s success is therefore noticeable (as a product
of two noticeable functions), which is a contradiction. We conclude that f is a one-way
function.

2.4.3 Weak OWF Based on Factorization


Besides standard one-way functions, we can also construct weak one-way functions for
uniform inputs based on Assumption 1 in a simpler way. Consider the following example:

Construction 3. Define the function f : D → R that takes in a uniform 2n-bit input,


interprets it as a concatenation of two n-bit integers pkq, and outputs p · q.

Proposition 4. f is a weak one-way function under Assumption 1.

Proof. From Chebyshev’s Theorem, we know the probability that both p and q are primes
1 2
is at least ( 2n ) = 4n1 2 . Now from Construction 1 and Proposition 2, if p, q are both prime,
for any PPT algorithm A, Pr[f (x) = f (x0 ) : x0 ← A(f (x))] ≤ negl(n). Therefore, we have
ONE-WAY FUNCTIONS 14

for any PPT algorithm B,

$
Pr[f (x) = f (x0 ) : x ←
− D, x0 ← B(f (x))]
$
= Pr[f (x) = f (x0 ) : x ←
− D, x0 ← B(f (x))|x = pkq, p, q ∈ Pn ] Pr[p, q ∈ Pn ]
$
+ Pr[f (x) = f (x0 ) : x ←
− D, x0 ← B(f (x))|x = pkq, p ∈
/ Pn ∨ q ∈
/ Pn ] Pr[p ∈
/ Pn ∨ q ∈
/ Pn ]
$
≤ Pr[f (x) = f (x0 ) : x ←
− D, x0 ← B(f (x))|x = pkq, p, q ∈ Pn ] + Pr[p ∈
/ Pn ∨ q ∈
/ Pn ]
1 1
≤ negl(n) + 1 − 2 ≤ 1 − ( 2 − negl(n)).
4n 4n
1
Since 4n2 is noticeable, we have that f is a weak one-way function.

2.5 H ARDCORE P REDICATES

As we learned in the previous sections, one-way functions guarantee only that the input x
to the one-way function is not leaked entirely. Thus, it is entirely possible that substantial
amounts of information are leaked. However, since the input is not leaked entirely, it
seems likely that there must be at least one bit of the input x that is hard to guess. Thus,
the question is whether we can pinpoint such bits of x. More formally: Given f (x) where
f : D → R is an one-way function, is there a predicate h such that h(x) is hard to predict?
This leads to the following definition:

Definition 12 (Hardcore Predicate). A predicate h : {0, 1}n → {0, 1} is a hardcore predi-


cate (HCP) for an one-way function f : {0, 1}n → {0, 1}m if
1. h runs in polynomial time.
2. For all PPT adversaries A and for all n large enough,

$ 1
− {0, 1}n ] ≤
Pr[A(f (x)) = h(x) : x ← + negl(n).
2

It is a natural question to ask if there exists a single hardcore predicate that works for
all one-way functions f . However, if there exists such a predicate h, then we can construct
a one-way function f 0 from a generic one-way function f such that f 0 (x) = f (x)kh(x).
It is easy to check that f 0 is a one-way function, and h is not a hardcore predicate for
f 0 . Therefore, we have to be less ambitious when we’re constructing hardcore predicates.
Here the problem was that f could depend upon h. In the following, we will choose h at
random after f is chosen to make sure it is independent of f . This leads us to the next
theorem:
Definition
P 13 (Inner Product). Given x, r ∈ {0, 1}n , the inner product of x and r is hr, xi =
i ri xi mod 2.

Theorem 5 (Goldreich-Levin Theorem). Given a one-way function f : {0, 1}n → {0, 1}m ,
sample r at random from {0, 1}n . Then hr (x) = hr, xi is a hardcore predicate for f with
probability 1 − negl(n).
ONE-WAY FUNCTIONS 15

Proof Idea: Here we only present the simplest case of the proof. Assume there exists
an adversary A that predicts hr (x) with probability 1 for all r ∈ {0, 1}n . Let ei ∈ {0, 1}n be
the vector with 1 in the i-th entry and 0 in all other entries for all Pni ∈ {1, 2, · · · , n}. Then
we can use A to predict hei (x) for all ei . Since hei (x) = hei , xi = j=1 (ei )j xj mod 2 = xi ,
computing all hei (x) gives us x bit by bit. This contradicts the assumption that f is a one-
way function. Proof of the other cases, where A predicts hr (x) with probability less than 1
but better than 21 are generalization of this idea and are more complex.
2.5.1 Weak One-to-One One-Way Functions
Here we show an example of a weak one-to-one one-way function. We will use what we
call a signal string, which is a string used to tag a value with some extra information.
We often concatenate signal strings with output values to provide more information
about the values. Signal strings are useful for creating one-to-one functions.
Construction 4. We construct a function f which takes as input a string x in {0, 1}2n and
proceeds as follows:
Let x = x1 ||x2 , for x1 , x2 ∈ {0, 1}n .
Case 1: If x1 and x2 are primes, output x1 · x2 ||signal string
Case 2: Else, output x1 ||x2 ||signal string
Our signal string specifies whether x1 > x2 and which case of f created the output. It’s
not important to specify how we encode our signal string, but the encoding schema could
range from a compact binary representation (e.g. “10” to specify x1 > x2 and case 1) to
a verbose encoding (e.g. “x1 > x2 and we took case 1”, encoded to binary using ASCII).
Note that the signal string does not specify the values of x1 or x2 .
Proof. We now show that f is a weak one-way function. By Chebyshev’s Theorem, we
know that there is a noticeable probability of x1 and x2 both being prime (and the proba-
bility of f returning x1 · x2 || signal string is noticeable as well). Say some PPT adversary A
is able to invert conditioned on x1 , x2 both being prime with some non-negligible proba-
bility. In this case, we can construct a PPT adversary B breaking the factoring assumption
as follows: B takes as input an integer N , chooses a bit b at random and runs A on input
“N ||x1 > x2 and case 1” if b = 1, and on input “N ||x1 ≤ x2 and case 1’ if b = 0. Then,
B parses A’s output as x1 ||x2 and outputs x1 , x2 . If A succeeds with probability δ, B suc-
ceeds with probability δ as well. Thus, if A has a non-negligible success probability, then
B breaks factoring assumption with a non-negligible probability as well, which is a con-
tradiction. Thus, we have shown that there is a noticeable fraction of inputs that are hard
to invert and so f is a weak one-way function.
f is one-to-one because the input is unambiguously defined (though possibly hard to
compute) given the output. Fundamental theorem of arithmetic states that every number
has unique prime factors. Hence in case 1, N = x1 · x2 forces the input to be either x1 ||x2
or x2 ||x1 . However now the signal string tells us which one of these inputs is the correct
one. In case 2, the output contains the input in clear. The signal string also tells us which
case we are in.
Remark 9. Note that f is not a strong one-way function. Regardless of the value of n,
3
P r[x1 or x2 is even] =
4
ONE-WAY FUNCTIONS 16

This is a high probability and, in this case, we are in case 2 and thus the output contains
the input x1 ||x2 .

2.6 YAO ’ S H ARDNESS A MPLIFICATION * ( OPTIONAL MATERIAL )

In this section, we show how to create a strong one-way function given a weak one-way
function.
Say we have a weak one-way function f with associated hardness 1 − q. Define a
function F as follows:
n
F (x1 , x2 , ..., xN ) = f (x1 )||f (x2 )||...||f (xN ), for N =
q
Theorem 6 (Yao’s Hardness Amplification). F is a strong one-way function.
Intuition:
F takes as input a long string interpreted as many strings of length n. F runs f on each
of these smaller strings and concatenates the results together. For an adversary to invert
F , they must invert each of f (x1 ), f (x2 ), ..., f (xN ). If even one of those is hard to invert, F
will be hard to invert.
Proof. Assume for the sake of contradiction that there exists a PPT adversary A which can
invert F with noticeable probability p.
We will construct a PPT adversary B which inverts f with probability greater than q,
which will contradict the assumption that f is a weak one-way function with associated
hardness q.
Idea: Define B as follows:
$
1 : Choose i ←
− [1, N ].
2 : For j 6= i, generate xj at random.
3 : Invoke A(f (x1 )||...||f (xi−1 )||y||f (xi+1 )||...||f (xN )).
4 : On A’s response, interpret its result as x01 , ..., x0i , ..., x0N , and return x0i .

The probability of B inverting f is noticeable, because A has a noticeable probability


of inverting F . However, a noticeable probability of inverting f is not sufficient; we must
construct an adversary that inverts B with probability greater than q.
Attempt: “Just try again”
Repeat k times: Put y in a random position, choose the other xj ’s at random, and invoke
A, as described in the definition of B above.
A succeeds with probability p, so the probability of failing to invert f (x) should be
(1 − p)k , right?
No! Since y is in every input, each invocation of A is not independent. It is possible that
y is simply hard to invert, so repeated attempts will not increase the chances of inverting
y under f .
Final attempt:
As in our previous attempt, B will rerandomize and reinvoke A. This time, it will
2
repeat this process npq times. We will show that this is sufficient for B to invert f with
probability greater than q.
First, we must introduce a definition:
ONE-WAY FUNCTIONS 17

pq
Definition 14. BAD = {x|P rcoins of B [B inverts f (x) in one iteration] ≤ 2n }

Claim 2. If x 6∈ BAD, B inverts y = f (x) with probability ≥ 1 − negl(n).


Proof.
 pq 
Pr[B not inverting f (x), x 6∈ BAD in one iteration] ≤ 1 −
2n
2
n2  pq  npq
Pr[B not inverting f (x), x 6∈ BAD in iterations] ≤ 1 −
pq 2n
  n2
1
 pq  pq
≤ 1− 2n
2n
  n2
1

e
≤negl(n)

Claim 3. The fraction of BAD inputs is less than 2q , i.e. P rover x [x ∈ BAD] < 2q .
Proof. Assume for the sake of contradiction that P rover x [x ∈ BAD] ≥ 2q .

P r[A succeeds in inverting F (x1 , x2 , ..., xN )] = p =P r[A succeeds |∀i : xi 6∈ BAD] · P r[∀i : xi 6∈ BAD]+
P r[A succeeds |∃i : xi ∈ BAD] · P r[∃i : xi ∈ BAD]
 q N
≤1 · 1 − + N · P r[A succeeds|xi ∈ BAD]
2 
· P r[∃i : xi ∈ BAD]
 q N n pq
≤ 1− + · ·1
2 q 2n
p
p ≤negl(n) +
2
p ≤2 · negl(n) ≤ negl(n)

This is a contradiction to the definition of A, because we know p ≥ notice(n).


So, we get that
q
P r[B fails ] = P r[B fails|x ∈ BAD]P r[x ∈ BAD] + P r[B fails|x 6∈ BAD]P r[x 6∈ BAD] < 1 · + negl(n) · 1
2
and thus Pr[B succeeds] > 1 − 2q − negl(n) > 1 − q. This contradicts the assumption
that f is a weak one-way function which can only be inverted with probability ≤ 1 − q.
Therefore, F is a strong one-way function.
Pseudorandomness
Randomness plays an important role for various schemes in cryptography, as any scheme
requires a uniformly sampled key. Schemes such as encrypting a session key in an SSL
connection or encrypting a hard drive require randomness. Randomness can come from
various input sources, such as mouse movements, key presses, or the temperature of the
computer. However, these sources can only generate a limited amount of randomness,
and this amount is often insufficient for most schemes in cryptography. As intuition
suggests, the longer a key is, the harder it is for an adversary to guess the key, so if there
is insufficient randomness, the key is no longer secure.

Because good randomness can be hard to come by, we need to find a workaround for
generating keys purely through randomness. This forces us to ask the question: “Is it
possible to stretch a small random string into a longer random string?” Let us consider
$
a small random string s ← − {0, 1}n . Is there an algorithm A(s) that deterministically
produces another truly random string t such that t ∈ {0, 1}m and m > n?

Intuitively, even if we consider the simple case where m = n + 1, we know that this is
not possible, as we will only be able to generate 2n unique outputs as opposed to the 2n+1
unique outputs that a truly random string would have. Pseudorandomness can help us
overcome the bottleneck created by the lack of randomness. Intuitively, pseudorandom-
ness is used to generate objects that appear random despite containing only some small
amount of randomness.

3.1 P SEUDORANDOM G ENERATORS (I NFORMAL )

Informally, a pseudorandom generator (PRG) is a function G : {0, 1}n → {0, 1}m , where
m > n, the input consists of n random bits and the output “looks random” to any prob-
abilistic polynomial time (PPT) algorithm. More formally, “looking random” means that
no PPT adversary can “distinguish” between a string generated by G and a truly random
string. Before we formalize the definition of pseudorandomness and pseudorandom gen-
erators, we need to define some vital concepts.

3.1.1 Definitions
Definition 15 (Uniform Distribution)). Distribution X is called a uniform distribution over
an n-bit string if for every s ∈ {0, 1}n the following holds:

$ 1
Pr[x = s : x ←
− X] =
2n
18
PSEUDORANDOMNESS 19

Definition 16 (Identical Distributions). Distributions X0 and X1 are said to be identical


distributions if for every s the following holds:

$ $
Pr[x = s : x ←
− X0 ] = Pr[x = s : x ←
− X1 ]

Definition 17 (Distribution Ensembles). A sequence {X n }n∈N is called a distribution en-


semble (or distribution family) if for each n ∈ N , X n is a distribution over {0, 1}n .

For example, X n can be the distribution of all uniform n-bit strings.

3.2 C OMPUTATIONAL I NDISTINGUISHABILITY

Before discussing pseudorandomness, it is necessary to discuss the notion of computa-


tional indistinguishability. The term “computationally indistinguishablity” formalizes the
notion of two distributions looking “identical to a PPT adversary.”

First Attempt. The distribution ensembles {X0n }n and {X1n }n are “identical to a PPT
adversary” if for all s the following holds:
$ $
− X0n ] − Pr[x = s : x ←
| Pr[x = s : x ← − X1n ]| ≤ negl(n)

Remark 10. Now we can see why the distribution ensembles (as opposed to distributions)
are important: they give us the parameter n used in asymptotic notions like noticeable and
negligible. In the following, we will simply represent them as X0n and X1n (as opposed to
{X0n } and {X1n })

Unfortunately, this definition is flawed. Let us consider the following distribution en-
sembles:
• {X0n }n represents all even numbers of length n.
• {X1n }n represents all odd numbers of length n.
Let us consider the case where s is even. We know that the total number of elements in
both ensembles is 2n , and thus, the number of elements in each ensemble is 2n−1 .

$ 1
− X0n ] =
Pr[x = s : x ←
2n−1
$
− X1n ] = 0
Pr[x = s : x ←
Substituting in the calculations from above:

$ $ 1
− X0n ] − Pr[x = s : x ←
| Pr[x = s : x ← − X1n ]| = ≤ negl(n)
2n−1
1
is a negligible function, which by the definition above means {X0n }n and {X1n }n
2n−1
are indistinguishable. However, this definitely should not be the case, as the two distribu-
tions are totally different and can easily be distinguished. Thus, this definition is flawed,
so we will need to find an alternate and correct definition.
PSEUDORANDOMNESS 20

Definition 18 (Computational Indistinguishability). Two distribution ensembles {X0n }n


and {X1n }n are computationally indistinguishable if for every PPT adversary A,
$ $
− X0n ] − Pr[A(x) = 0 : x ←
| Pr[A(x) = 0 : x ← − X1n ]| ≤ negl(n)
A(x) can be thought of as a guess by A regarding which ensemble x is coming from.
We require this guess to not change as we change the ensemble.

Example. Consider the following uniform distribution ensembles:


• {X0n }n represents all even strings of length n.
• {X1n }n represents all odd strings of length n.
Let us say the PPT adversary A outputs 0 if x is even and 1 if x is odd. We get:
$
− X0n ] = 1
Pr[A(x) = 0 : x ←
$
− X1n ] = 0
Pr[A(x) = 0 : x ←
Using the definition of computational indistinguishability,
$ $
− X0n ] − Pr[A(x) = 0 : x ←
| Pr[A(x) = 0 : x ← − X1n ]| = 1 ≥ negl(n)
Thus, {X0n }n and {X1n }n do not satisfy the definition of computational indistinguisha-
bility, which we intuitively know clearly must be true.
The notion of computational indistinguishability allows us to define the computational
indistinguishability advantage:

Definition 19 (Distinguishing Advantage). The distinguishing advantage for ensembles X0n


and X1n is  if for all PPT A the following holds:

$ $
− X0n ] − Pr[A(x) = 0 : x ←
 ≥ | Pr[A(x) = 0 : x ← − X1n ]|

Now, let us examine an alternate way to determine whether two distribution ensembles
are computationally indistinguishable.

Additionally, we introduce related notions of prediction advantage and prediction in-


distinguishability:

Definition 20 (Prediction Advantage). Distribution ensembles {X0n }n and {X1n }n have


prediction advantage  if for all PPT A the following holds:

$ $ 1
| Pr[A(x) = b : b ← − Xbn ] − | ≤ 
− {0, 1}, x ←
2
Definition 21 (Prediction Indistinguishability). We say that the distribution ensembles
{X0n }n and {X1n }n have prediction indistinguishability if the prediction advantage  is negli-
gible.

We can now ask the question of how the notions of prediction indistinguishability and
computational indistinguishability are related. Does having prediction indistinguisability
imply that there is computational indistinguishability and vice versa?
PSEUDORANDOMNESS 21

Lemma 1. If {X0n }n and {X1n }n are computationally indistinguishable, then they also have
prediction indistinguishability and vice versa.
Proof. Assume that the distribution ensembles {X0n }n and {X1n }n have prediction ad-
vantage p . Then for all PPT A:

$ $ 1
p ≥ | Pr[A(x) = b : b ← − Xbn ] − |
− {0, 1}, x ←
2
$ $ 1
− X0n ] Pr[b = 0] + Pr[A(x) = 1 : x ←
= | Pr[A(x) = 0 : x ← − X1n ] Pr[b = 1] − |
2
1 $ n 1 $ n 1
= | Pr[A(x) = 0 : x ← − X0 ] + Pr[A(x) = 1 : x ← − X1 ] − |
2 2 2
1 $ n $ n
= | Pr[A(x) = 0 : x ← − X0 ] + Pr[A(x) = 1 : x ←− X1 ] − 1|
2
1 $ $
= | Pr[A(x) = 0 : x ← − X0n ] + (1 − Pr[A(x) = 0 : x ←− X1n ]) − 1|
2
1 $ $
= | Pr[A(x) = 0 : x ← − X0n ] + 1 − Pr[A(x) = 0 : x ←− X1n ] − 1|
2
1 $ $
= | Pr[A(x) = 0 : x ← − X0n ] − Pr[A(x) = 0 : x ←
− X1n ]|
2
$ $
− X0n ] − Pr[A(x) = 0 : x ←
| Pr[A(x) = 0 : x ← − X1n ]| is the expression for the distinguishing
advantage, so we get
1
p ≥ c ,
2
where c is the distinguishing advantage. If the distribution ensembles have prediction
indistinguishability, p is negligible, and thus c is negligible as well. The reverse direction
can be shown similarly by beginning with a computational indistinguishability assump-
tion.

Theorem 7. The computational indistinguishability advantage and the prediction advan-


tage are within a factor of 2 of each other.

Now that we understand what computational indistinguishability entails, we can dis-


cuss some of the properties of computational indistinguishability.

3.3 P ROPERTIES OF C OMPUTATIONAL I NDISTINGUISHABILITY

1. Notation: If distribution ensembles {X0n }n and {X1n }n are computationally indistin-


guishable, then we write
{X0n }n =c {X1n }n

2. Closure: If {X0n }n =c {X1n }n , then for every PPT algorithm A,

{A(X0n )}n =c {A(X1n )}n

Proof. Let us assume that the distribution ensembles {X0n }n and {X1n }n are compu-
tationally indistinguishable and A is a PPT algorithm. Assume there exists a PPT
PSEUDORANDOMNESS 22

algorithm B that distinguishes {A(X0n )}n and {A(X1n )}n with some non-negligible
advantage p(n):
$ $
− A(X0n )] − Pr[B(x) = 0 : x ←
| Pr[B(x) = 0 : x ← − A(X1n )]| ≥ p(n)

Rewriting the equation, we get:


$ $
− X0n ] − Pr[B(A(x)) = 0 : x ←
| Pr[B(A(x)) = 0 : x ← − X1n ]| ≥ p(n)

Thus, the PPT algorithm B(A(·)) (algorithm that works by first executing A on its in-
put, then executing B on the output of A, and finally outputting whatever B outputs)
distinguishes {X0n }n and {X1n }n with probability at least p(n), which contradicts the
initial assumption that the distribution ensembles are computationally indistinguish-
able.

3. Transitivity: If the computational indistinguishability advantage between {Xn } and


{Yn } is 1 , and the computational indistinguishability advantage between {Yn } and
{Zn } is 2 , then the computational indistinguishability advantage between {Xn } and
{Zn } is ≤ 1 + 2 .

Proof. Using the triangle inequality,


$ $
 = | Pr[A(x) = 0 : x ←
− Xn ] − Pr[A(x) = 0 : x ←
− Zn ]|
$ $ $ $
= | Pr[A(x) = 0 : x ←
− Xn ] − Pr[A(x) = 0 : x ←
− Yn ] + Pr[A(x) = 0 : x ←
− Yn ] − Pr[A(x) = 0 : x ←
− Zn ]|
$ $ $ $
≤ | Pr[A(x) = 0 : x ←
− Xn ] − Pr[A(x) = 0 : x ←
− Yn ]| + | Pr[A(x) = 0 : x ←
− Yn ] − Pr[A(x) = 0 : x ←
− Zn ]|
≤ 1 + 2

With the knowledge of the properties of computational indistinguishability, we can ex-


amine a useful lemma that is used in many proofs that contain so-called hybrid arguments:
Lemma 2 (Hybrid Lemma). Let X1 , X2 , . . . , Xm be distribution ensembles where
m = poly(n). If there exists a PPT algorithm D that has computational indistinguishabil-
ity advantage  with respect to X1 and Xm , then there exists an i ∈ [1, 2 . . . , m − 1] such

that D distinguishes Xi and Xi+1 with advantage at least m .
Proof. Let i denote the computational indistinguishability advantage between Xi and

Xi+1 . Assume that i ≤ m ∀i. Using the transitivity property,
m−1
X m−1
≤ i ⇒  ≤ 
i=1
m

This cannot be true, which means there exists an i such that i ≥ m.

Example We will now informally discuss a very intuitive hybrid argument example.
Suppose you are a car manufacturer and you can either buy branded car parts or generic
car parts for the car. All your lab tests show that branded and generic parts can’t be dis-
tinguished. But you are worried that when you actually put together all the generic parts,
PSEUDORANDOMNESS 23

overall the car might break down or quality will go down noticeably. Can you prove that
its ok to build a full car from generic parts assuming that each part in isolation is indistin-
guishable from branded?
Intuitively, we can define the hybrids where in each hybrid one more part (motor, then
brakes, then lights etc.) is changed from branded to generic. Note that if we can distinguish
one hybrid from the next, we can distinguish the branded from the generic version of the
specific part by building a car that uses the given challenge part (for example, the motor)
and then using the distinguisher for the two hybrids. Thus, any two consecutive hybrids
are indistinguishable. Since there are only polynomially many car parts, we can conclude
that the security holds by the hybrid lemma.
In the context of computational indistinguishability, one question is particularly inter-
esting: can seeing multiple samples help the adversary distinguish between distributions?
Theorem 8. Given two distribution ensembles {X0n }n and {X1n }n , if it holds that
$ $
| Pr[A(x) = 0 : x ← X0n ] − Pr[A(x) = 0 : x ← X1n ]| ≤ 
for every PPT algorithm A, then it holds that
$ $
| Pr[A(x1 , · · · , xk ) = 0 : x1 , · · · , xk ← X0n ]−Pr[A(x1 , · · · , xk ) = 0 : x1 , · · · , xk ← X1n ]| ≤ k
for every PPT algorithm A as well.
Proof. We begin by defining the following distributions:
$
H0 = x1 , · · · , xk where ∀i, xi ← X0n
$ $
H1 = x1 , · · · , xk where x1 ← X1n , and x2 , · · · , xk ← X0n
···
$
Hk = x1 , · · · , xk where ∀i, xi ← X1n
Now we prove the following lemma about these distributions:
Lemma 3. For all i ∈ [k − 1] holds:
$ $
| Pr[A(x) = 0 : x ← Hi ] − Pr[A(x) = 0 : x ← Hi+1 ]| ≤ 
Proof. Suppose the statement does not hold. Thus, there is a PPT adversary A that is able
to distinguish between some two distributions Hi , Hi+1 with advantage greater than .
Given this A, we construct a PPT adversary B on the indistinguishability of X0n , X1n . B
takes input a challenge u, where u is either sampled from X0n or X1n , and works as follows:

1 : Set xi = u.
$
2 : Set x1 , · · · , xi−1 ← X0n .
$
3 : Set xi+1 , · · · , xk ← X1n .
4 : Let U = x1 , · · · , xk .
5 : Run A(U )
6 : Output X0 if A outputs Hi , and output X1 otherwise.
PSEUDORANDOMNESS 24

Note that if u comes from X0 , then U comes from Hi , and if u comes from X1 , then U comes
from Hi+1 . Therefore, B succeeds whenever A succeeds, and thus B can distinguish X0
and X1 with advantage at least , which leads to contradiction.

The theorem follows from the lemma above and the Hybrid Lemma (Lemma 2), ap-
plied to H0 , Hk .
This theorem shows that sampling multiple samples does not help the adversary much.
Because when  is some negligible function negl(n), so is k.

3.4 P SEUDORANDOM E NSEMBLES

We are now ready to return to discuss pseudorandomness and provide formal definitions.
Intuitively, distribution ensemble is pseudorandom if it looks like a uniform distribution
to any PPT adversary:

Definition 22 (Pseudorandom Ensembles). A distribution ensemble {Xn }n over {0, 1}l(n)


is a pseudorandom ensemble (PRE) if

{Xn }n =c {Ul(n) }

where Ul(n) denotes a uniform distribution over l(n) bits.

3.5 P SEUDORANDOM G ENERATORS

Now, for pseudorandom generators, we intuitively want to not only have the pseudoran-
domness property itself, but we also want the PRG to be efficiently computable and be
able to extend the length of the original string:
Definition 23 (Pseudorandom Generator (PRG)). A pseudorandom generator
G : {0, 1}n → {0, 1}l(n) is a deterministic algorithm with the following properties:
1. G(x) can be computed in polynomial time (PT) for every x ∈ {0, 1}n
2. l(n) > n
$
3. {G(x) : x ← − {0, 1}n } =c {Ul(n) }
The stretch of the PRG G is defined as |G(x)| − |x|.

3.6 C ONSTRUCTION OF P SEUDO -R ANDOM G ENERATORS

We will discuss how pseudo-random generators can be constructed based on OWP. We


have only seen 1-1 OWF so far, but we will see a construction of a OWP later in the class.
PSEUDORANDOMNESS 25

3.6.1 Construction of 1-bit stretch PRG


We start by constructing a 1-bit stretch PRG using the HCP (recall Definition 12). Suppose
f is a one-way permutation of n-bit input, and h is a HCP of f . Construct G : {0, 1}n →
{0, 1}n+1 to be G(s) = f (s) || h(s). Here, l(n) = n + 1.

Claim 4. G is a PRG.
Proof. Obviously G runs in polynomial time and l(n) > n. Therefore we only have to
$
prove {G(s) : s ← {0, 1}n } =c Un+1 . Define the following distributions

$
H0 = {f (s)|| h(s) : s ← {0, 1}n }
$
H1 = {f (s)|| U1 : s ← {0, 1}n }
H2 = Un+1

By definition of HCP, we have


H0 =c H1
n
Now, consider an arbitrary x ∈ {0, 1} . Since f is a one-way permutation,we have

$ 1
∀x ∈ {0, 1}n Pr[f (s) = x : s ← {0, 1}n ] = .
2n
Since H1 is the concatenation of f with U1 , and H2 is uniform, we have

$ $ 1
Pr[x = x0 : x0 ← H1 ] = Pr[x = x0 : x0 ← H2 ] = ,
2n+1
which implies
H1 = H2 .
Therefore, by the transitivity of computational indistinguishability, we get

H0 =c H2 .

Hence, G is a PRG.

3.6.2 Construction of poly-stretch PRG


Given a 1-bit stretch PRG G, we can now construct a poly-stretch PRG
Gp : {0, 1}n → {0, 1}l(n) (l(n) = poly(n)) as follows:
i) Take as input n-bit string s.
ii) Invoke 1-bit stretch PRG G and do the following

s0 ← s
s1 || b1 ← G(s0 )
s2 || b2 ← G(s1 )
···
sl(n) || bl(n) ← G(sl(n)−1 )
PSEUDORANDOMNESS 26

iii) Output b1 || · · · || bl(n) .

Claim 5. Gp is a PRG.

Proof. It is obvious that l(n) > n. Since G runs in polynomial time and Gp invokes G l(n)
times, Gp also runs in polynomial time. Therefore, we only have to prove

$
{Gp (s) : s ← {0, 1}n } =c {Ul(n) }

Define Hi (i ∈ [0, l(n)]) be the distribution generated as follows


i) Take as input n-bit string s.
ii) Do the following

s0 ← s
s1 || b1 ← Un+1
···
si || bi ← Un+1
si+1 || bi+1 ← G(si )
···
sl(n) || bl(n) ← G(sl(n)−1 )

iii) Output b1 || · · · || bl(n) .


First we prove the following lemma.
Lemma 4. For every 0 ≤ i ≤ l(n), we have Hi =c Hi−1
Proof. Assume that the statement is not true. Then, there exists a PPT algorithm A that
can distinguish Hi from Hi−1 with some noticeable advantage δ. Then we can construct a
PPT algorithm B that distinguishes G from Un+1 with the same advantage δ. B takes as
input the challenge u, which is either from Un+1 or from G(·) applied to a random seed,
and works as follows:
1 : Generate b1 , · · · , bi−1 at random.
2 : Set si || bi ← u.
3 : Set sj || bj ← G(sj−1 ) for every j > i.
4 : Run A(b1 || · · · ||bl(n) ).
5 : Output Un+1 if A outputs Hi , and output G otherwise.

Consider b1 || · · · ||bl(n) . If u is from Un+1 , then it comes from Hi , and if u is from G, then
it comes from Hi−1 . Therefore, B succeeds whenever A succeeds and thus B distinguishes
G from Un+1 with a noticeable advantage, which leads to contradiction.
Note that
$
H0 = {Gp (s) : s ← {0, 1}n }.
The claim follows from the lemma above and the Hybrid Lemma (see 2), applied to H0
and Hl(n) = Ul(n) .
PSEUDORANDOMNESS 27

3.7 A PPLICATION : ONE - TIME PAD KEY GENERATION

Recall that the one-time pad (see 1.2.1) requires that the length of key equals the length of
the message. So how can we encrypt a long message with only a short key? The idea is that
using a PRG, we can generate a long key from the short one. Since PRGs are deterministic,
we only have to transmit the short key, and the recipient of the message will be able to
compute the long key using the short one by himself. Thus, now we can encrypt arbitrarily
long messages using a short key. However, this approach has the following limitation: the
short key can only be used once. As we will see later, pseudorandom functions will allow
us to overcome this limitation.

3.8 P SEUDORANDOM F UNCTIONS

Before we discuss pseudorandom functions, we need to understand what a random func-


tion is. Intuitively, it is a function f that maps each unique input to an output chosen
uniformly at random from the output domain (same inputs result in same outputs). It can
be thought of as a large table that maps each input x to an output f (x). If the input consists
of n bits and the output of m bits, such table is of size 2n ·m bits. Clearly, this table becomes
very large very fast and we would like to have a more efficient alternative.
As we have seen, pseudorandom generators (PRGs) provide a way to generate a long
string of bits – which is computationally indistinguishable from a string generated uni-
formly at random – from a shorter string of bits. Now we would like to construct some-
thing even more powerful – something that allows us to generate exponentially many
pseudorandom bits from a short string of bits. However, there is a catch - since our con-
struction should still run in polynomial time, there is no time to even write down such
exponentially long string. Thus, we will settle for random access to this pseudorandom
string:
n m m
Definition 24 (Pseudorandom function). A function F : {0, 1} × {0, 1} 1 → {0, 1} 2 is
called a pseudorandom function (PRF) if it satisfies the following conditions:
n m
• F is deterministic and, for all s ∈ {0, 1} and all x ∈ {0, 1} 1 , F (s, x) can be com-
puted in polynomial time.
• For all PPT algorithms D,

1
Pr [D wins the guessing game] ≤ + negl(n)
2
where the guessing game is defined as follows:
We have a challenger C and a PPT adversary D.
$ n $
1. C samples s ← {0, 1} and a bit b ← {0, 1}.
2. For i = 1, . . . , q (where q is polynomial in n):
m
a) D chooses xi ∈ {0, 1} 1 and sends it to C.
m
b) If b = 0, C replies with F (s, xi ). If b = 1, C picks yi ∈ {0, 1} 2 uniformly at
random and sends it to D. If D has already queried xi (i.e. xi = xj for some
j < i), then C responds with yj (the same string as the last time).
3. Finally, D outputs a guess for b. If D is correct, then D wins the game.
PSEUDORANDOMNESS 28

Essentially, F is a PRF if F is deterministic and poly-time, but no PPT adversary D can,


given polynomially-many queries to F (s, ·) for a uniformly random seed s, distinguish
m m
F (s, ·) from a truly random function FR : {0, 1} 1 → {0, 1} 2 .
We will now give an example of how to construct a PRF, given a PRG.

3.8.1 Construction
n 2n n
Let g : {0, 1} → {0, 1} be a PRG, and for s ∈ {0, 1} , let g0 (s) denote the first n bits of
g(s) and g1 (s) the last n bits of g(s).
n n
Define F : {0, 1} × {0, 1} → {0, 1} as follows:
(
g0 (s) if x = 0
F (s, x) =
g1 (s) if x = 1

We will now use recursion to generalize this approach. Specifically, we can define
n m n n
F : {0, 1} × {0, 1} → {0, 1} in the following way: given a seed s ∈ {0, 1} and an input
m
x ∈ {0, 1} , define a sequence of n-bit strings:

s0 = s
s1 = gx1 (s0 )
s2 = gx2 (s1 )
..
.
sm = gxm (sm−1 )

where xi is the ith bit of x. We then define F (s, x) = sm .


Note that even though this construction provides n-bit output, we can generalize it to
produce a longer output simply by applying a PRG to the output.
We will now show that this construction indeed defines a PRF. Intuitively, we can think
of this procedure as traversing the following binary tree:
s = s0 0
0
1
s1 = g1 (s0 ) 1
s1 = g0 (s0 )

0 0
1 1

s2 = g0 (s1 ) s2 = g1 (s1 ) s2 = g0 (s1 ) s2 = g1 (s1 ) 2


.. .. .. ..
. . . .
We begin at the root node (level 0) and traverse the tree according to the bits of x: if the first
bit is 0, then we go to the left (the node marked s1 = g0 (s0 )); if the first bit is 1, we go to the
right. We proceed in this manner until we get to the bottom of the tree (which is at level
m). Note that the number of leaves is exponential and hence we cannot naively apply the
hybrid argument. This is because if we have an exponential number of hybrids changing
PSEUDORANDOMNESS 29

leaves to uniform one by one, even if the distinguishing advantage is negligible at each
step, it could be noticeable overall. Hence, we need a smarter approach. Since the height
of the tree is m + 1 (which is polynomial in m), the number of queries to g is polynomial.
Intuitively, we will change responses to all these queries to uniform. However, it turns out
that we can’t change responses one by one. This is because responses are generated using
the same tree. Instead, we will conduct a hybrid over the levels of the tree.
Proposition 5. The function F defined above is a PRF.
Proof. Since g is deterministic, F is deterministic as well. Additionally, F is
polynomial-time in n (we run g, which is assumed to be poly-time, m times, where m is
polynomial in n). Thus, it suffices to check the second condition of the definition of PRF.
As mentioned, we will conduct a hybrid argument to show that F (s, x) is computationally
indistinguishable from uniform random output for every x that the adversary queries, and
this will allow us to conclude that the second condition of the PRF definition is satisfied.
We define the following hybrids:
H0 : Pick string s0 on level 0 uniformly at random, and calculate all the subsequent si ’s as
above.
Hi : Mark all nodes visited during the evaluation of adversary’s queries, pick strings cor-
responding to the nodes visited by the adversary on level i uniformly at random.
Note that strings corresponding to nodes up to and including level i are random, fur-
ther down we calculate all si s using the PRG as defined by the construction above.
Note that we do not need to pick nodes that are above level i since they are not used
in the evaluation of the queries.
..
.
Hm : All strings corresponding to the nodes visited during the evaluation of adversary’s
queries for level 0 and up to and including level m are random.
Intuitively, when evaluating an output for some string x in hybrid Hi , we just skip the first
i − 1 levels, pick a random string for the node visited at level i and continue the evaluation
as usual from there. Notice that Hm is just picking all the si uniformly at random. Now, it
just suffices to show that the output of Hi and Hi+1 are computationally indistinguishable.
Lemma 5. The probability in the guessing game can’t change more than by some negligible
amount when switching from hybrid Hi to hybrid Hi+1 .
Proof. Notice that, if an adversary D makes queries in the i/i + 1-th experiment, and D’s
challenger is using Hi , then the challenger generates all nodes up to the ith level uniformly
at random, but for the nodes on the (i + 1)-th level, the challenger uses the PRG g, as
described above. In contrast, if the challenger is using Hi+1 , then the nodes on the (i + 1)-
st level are generated uniformly at random as well. We can define a series of hybrids based
on the number q of the queries the adversary makes as follows:
Hi [0]: Same as Hi .
Hi [1]: For the first query made by D, generate the node v visited during the evaluation
of D’s query on level i + 1 and its sibling uniformly at random, but use g for all
subsequent queries (unless the node v or its sibling is visited multiple times, then
return the previously generated values).
PSEUDORANDOMNESS 30

..
.
Hi [q]: For all queries made by D, generate the nodes visited during the evaluation of D’s
query on level i + 1 and its sibling uniformly at random (if a node or its sibling is
visited multiple times for different queries of D, the same string is returned each
time).
Notice that for j ∈ {0, . . . , q − 1}, Hi [j] =c Hi [j + 1] holds by the security of the PRG g.
Since Hi [0] = Hi and Hi [q] = Hi+1 and q is polynomial, by the hybrid lemma we get that
Hi and Hi+1 are computationally indistinguishable.
Thus, by the hybrid argument, the output of F is computationally indistinguishable
from uniformly-random output, and we are done.

3.8.2 PRF Application to Encryption


We can use pseudorandom functions to ensure secure message communication. For ex-
ample, suppose Alice had a message m she wanted to securely communicate to Bob. First,
they agree on a PRF F and a seed value s. Then, to securely communicate a message m,
Alice does the following:
1. Generate a random x of the appropriate length.
2. Calculate c = F (s, x) ⊕ m, and send the ciphertext (c, x) to Bob.
3. Bob calculates F (s, x) and recovers m = c ⊕ F (s, x).
If m is longer than the length of input F accepts, then Alice can send m in several pieces,
generating a fresh x each time (and each time sending it to Bob).

Remark 11. Another option is to apply a PRG to the PRF output to expand its length. This
construction is analyzed in more detail in future chapters.
Fun with Composition
Part 1 – One-Way Functions

We now consider a few examples focusing on one-way functions.


Example 1 Suppose we have two OWFs f1 and f2 . Let g(x) = f1 (x)||f2 (x). Is g a OWF?
Answer: No.
Proof. Consider the following f1 and f2 :
• Let x = x1 ||x2 and f be a OWF.
• Define f1 (x) = f1 (x1 ||x2 ) = x1 ||f (x2 ) and f2 (x) = f2 (x1 ||x2 ) = x2 ||f (x1 ).
We know that both f1 (x) and f2 (x) are one-way functions (see Proposition 1 for proof).
Thus, we can use f1 (x) and f2 (x) to construct g(x):
g(x) = g(x1 ||x2 ) = f1 (x1 ||x2 )||f2 (x1 ||x2 ) = x1 ||f (x1 )||x2 ||f (x2 )
Clearly, g leaks the entirety of the input x, so it is not a OWF (an adversary can guess the
input x with probability 1 by extracting x1 and x2 from the output).
The intuition behind why g fails the definition for a OWF is because we are given the
outputs of two OWFs applied to x. f1 (x) is hard to invert only if x is uniform. However,
given f2 (x), x is no longer uniform (i.e., easy to tell apart x from a random number). Simi-
lar reasoning holds for f2 (x).
Example 2 Suppose f is a OWF. Let g(x) = f (x)||f (2x). Is g a OWF?
Answer: No.
Proof. Let f 0 (x) be some OWF. Let x1 denote the first half of the bit representation of x,
and x2 the second. Similarly, let ( x2 )1 and ( x2 )2 denote the first and second halves of the bit
representation of the value x2 .
Now consider the following function f (x):
(
( x2 )1 ||f 0 (( x2 )2 ) x even
f (x) =
x2 ||f 0 (x1 ) x odd

Note that f (x) is a OWF (proof similar to that of Proposition 1). Thus, we can use f (x) to
construct g(x): (
( x2 )1 ||f 0 (( x2 )2 )||x1 ||f 0 (x2 ) x even
g(x) =
x2 ||f 0 (x1 )||x1 ||f 0 (x2 ) x odd

31
FUN WITH COMPOSITION, PART 1 – ONE-WAY FUNCTIONS 32

We can design a PPT adversary A against g as follows:


1. Assume x is odd (note that this happens with probability 21 )
2. Then g(x) = f (x)||f (2x) = x2 ||f 0 (x1 )||( 2x 0 2x 0 0
2 )1 ||f (( 2 )2 ) = x2 ||f (x1 )||x1 ||f (x2 ).
3. Output x = x1 ||x2
Note that if the input x is indeed odd, A succeeds with probability 1. Thus, overall A
succeeds with the non-negligible probability 21 . The reason why g does not have the same
security as f is because an adversary against g has access to both f (x) and f (2x). Certain
OWFs for f may leak different information given either f (x) or f (2x), which is sufficient to
construct A to invert g(x) with a non-negligible probability. In other words, given f (x), the
input of f (2x) is not uniformly random, so it is possible that f (2x) will leak information
which combined with f (x) can help to invert f (x).

Example 3 Suppose f is a deterministic OWF. Let g(x||x0 ) = f (x)||f (x0 ). Is g a OWF?

Answer: Yes.
Proof. Main idea is: given f (x0 ), x is still uniform and vice versa. We will now provide a
formal proof. Suppose g is not a OWF. Then there exists a PPT adversary A which inverts
g with some non-negligible probability α. Using A, we can design the adversary B that
inverts f with the same probability α as follows:
$
1. Given the challenge f (x), sample x0 ←
− Un and let y = f (x)||f (x0 ).
2. Since x0 was sampled uniformly from Un , we can claim that x||x0 comes from the
distribution equal to the distribution expected as input by g, and thus y comes from
the same distribution as the one expected by A. Note that we were not able to take
this step in Example 1 or 2 because there was no way to compute f2 (x) or f (2x).
3. Run x∗ = A(y). Since A succeeds with probability α, g(x∗ ) = y with probability α.
Let x1 denote the first half of some string x, and x2 the second half. If g(x∗ ) = y,
then it holds that g(x∗ ) = g(x∗1 ||x∗2 ) = f (x∗1 )||f (x∗2 ) = y = f (x)||f (x0 ), and thus in
particular f (x∗1 ) = f (x). Thus, when we output x∗1 as our guess for x, we succeed
with the same probability α.
Since B inverts f with non-negligible probability α and thus breaks the security of the
OWF f , we have reached a contradiction and g must therefore indeed be a OWF.
Symmetric Key Encryption

Recall that we already saw an example of a perfectly secure symmetric encryption – the
one-time pad. Although the one-time pad is perfectly secure, it requires that the key has
the same length as the message. In fact, Shannon’s Theorem tells us that any perfectly
secure symmetric key encryption scheme requires a key which is at least as long as the
message. Obviously, this is not very practical. To bypass this limitation, we need to relax
the security definition. We will now provide a formal definition of symmetric key encryp-
tion and its relaxed security notion:

4.1 S YNTAX OF S YMMETRIC K EY E NCRYPTION

Definition 25. A symmetric key encryption scheme consists of three algorithms


(Gen, Enc, Dec) defined below:
• k ← Gen(κ). The PPT key generation algorithm Gen takes as input a security param-
eter κ 3 and generates a secret key k.
• c ← Enc(k, m). The PPT encryption algorithm Enc takes as input a key k and a
message m, and outputs a ciphertext c.
• m ← Dec(k, c). The deterministic polynomial time decryption algorithm Dec takes as
input a key k and a ciphertext c, and outputs a plaintext message m.
Additionally, symmetric key encryption must satisfy correctness:
Correctness. The scheme is said to be correct, if for all security parameters κ and all
messages m the following holds:

P r[m = Dec(k, c) : k ← Gen(κ), c ← Enc(k, m)] = 1

Recall that we had the following definition for perfect security of the encryption
scheme: (Gen, Enc, Dec) is a perfectly secure encryption scheme if and only if for all pairs
of messages (m0 , m1 ) and all ciphertexts c the following holds:

P r[c = Enc(k, m0 ) : k ← Gen(·)] = P r[c = Enc(k, m1 ) : k ← Gen(·)]

Equivalently, we could have said that for all pairs of messages (m0 , m1 ) it holds that
{Enc(k, m0 ) : k ← Gen(·)} = {Enc(k, m1 ) : k ← Gen(·)}.
We now introduce the following definition for indistinguishability based security of
symmetric encryption:
3 Typically we use 1κ as a security parameter to make sure that Gen runs in time polynomial in the size of

the input. For simplicity, we will just write κ.

33
SYMMETRIC KEY ENCRYPTION 34

Definition 26 (indistinguishability based security). (Gen, Enc, Dec) is an indistinguisha-


bility based secure symmetric encryption scheme if and only if for all pairs of messages
(m0 , m1 ) the following holds:

{Enc(k, m0 ) : k ← Gen(n)} =c {Enc(k, m1 ) : k ← Gen(n)}

The difference between perfect security and indistinguishable security is that perfect
security requires the distributions of {E(k, m0 ) : k ← G(n)} and {E(k, m1 ) : k ← G(n)}
to be identical, and indistinguishable security only requires them to be computationally
indistinguishable. We additionally have the following alternative notion:
Definition 27 (indistinguishability based security, alternative). (Gen, Enc, Dec) is an in-
distinguishability based secure symmetric encryption scheme if and only if for all pairs of
messages (m0 , m1 ) and all PPT adversaries A the following holds:
1
|P r[A(Enc(k, mb )) = b : k ← Gen(n), b ← {0, 1}] − | ≤ negl(n)
2
While the first notion of indistinguishability based security is inspired by the compu-
tational indistinguishability definition, the second one is inspired by prediction indistin-
guishability.
Claim 6. Both definitions of indistinguishability based security are equivalent.
Proof. The proof is very similar to the proof of equivalence of computational and predic-
tion indistinguishability. In the following, we show one direction:
Let (Gen, Enc, Dec) be a symmetric key encryption scheme with indistinguishable se-
curity as defined in Definition 26. Then, for any n, m0 , m1 , and PPT adversary A, define:
• p = P r[A(Enc(k, m0 )) = 0 : k ← Gen(n)]
• p0 = P r[A(Enc(k, m1 )) = 0 : k ← Gen(n)]
Since {Enc(k, m0 ) : k ← Gen(n)} =c {Enc(k, m1 ) : k ← Gen(n)}, we know that
p − p0 ≤ negl(n). Additionally, 1 − p0 = P r[A(Enc(k, m1 )) = 1 : k ← Gen(n)]. Let
q = P r[A(Enc(k, mb )) = b : k ← Gen(n), b ← {0, 1}], which is the probability of A
outputting the correct bit b. Then, we get the following:
1
|q − | = |P r[A(Enc(k, m0 )) = 0 : k ← Gen(n)]P r[b = 0 : b ← {0, 1}]
2
1
+ P r[A(Enc(k, m1 )) = 1 : k ← Gen(n)]P r[b = 1 : b ← {0, 1}] − |
2
1 1 1 1 1 1
= | · p + · (1 − p0 ) − | ≤ | · p + · (1 − p + negl(n)) − | = |1/2 · negl(n)|
2 2 2 2 2 2

4.2 O NE -T IME E NCRYPTION U SING A PRG

Given a pseudo-random generator F : {0, 1}n → {0, 1}l(n) , we can define a symmetric key
encryption scheme with indistinguishable security as follows:
$
• Gen(n): sample a PRG seed k ← {0, 1}n
SYMMETRIC KEY ENCRYPTION 35

• Enc(k, m), m ∈ {0, 1}l(n) : Output c = m ⊕ P RG(k)


• Dec(k, c): Output m = c ⊕ P RG(k)
It is clear that Gen, Enc, and Dec are all polynomial time algorithms, since PRG(k) is poly-
time by definition, and ⊕ is linear.
Correctness holds because given any m and k, Dec(k, Enc(k, m)) = Dec(k, m ⊕
P RG(k)) = (m ⊕ P RG(k)) ⊕ P RG(k) = m.
We now show that indistinguishable security holds:
Proof. We want to show that for all messages m0 , m1 the following holds:
$ $
{m0 ⊕ P RG(k) : k ← {0, 1}n } =c {m1 ⊕ P RG(k) : k ← {0, 1}n }
First, note that the following holds by the security of PRG:

$ $
{m0 ⊕ P RG(k) : k ← {0, 1}n } =c {m0 ⊕ R : R ← {0, 1}l(n) },
$ $
{m1 ⊕ P RG(k) : k ← {0, 1}n } =c {m1 ⊕ R : R ← {0, 1}l(n) }

Now, note that by perfect security of the one-time pad we have

$ $
{m0 ⊕ R : R ← {0, 1}l(n) } = {m1 ⊕ R : R ← {0, 1}l(n) }

Thus, we get that {Enc(k, m0 ) : k ← Gen(n)} =c {Enc(k, m1 ) : k ← Gen(n)}.

4.3 M ULTI -M ESSAGE E NCRYPTION

Note that the previous construction works only for a single message. However, it is pos-
sible to slightly modify this construction to allow for encryption of multiple messages.
Informally, we store a counter ctr which denotes the sum of the lengths of all messages
m1 ...mn that we sent. When we want to encrypt the (n + 1)-st message mn+1 , we xor mn+1
with bits of P RG(k) starting at ctr + 1. After we send the message, we update the counter:
ctr = ctr + |mn+1 |. Note that this doesn’t satisfy the usual definition since an updatable
counter is needed as input to the encryption and decryption algorithms. The kind of en-
cryption that uses such counters (or any other form of state that is updated with each use
of the encryption) is known as stateful.
We formally define the security of a multi-message symmetric key encryption scheme
as follows:
Definition 28. For every choice of vectors (m10 , m20 ...mq0 ) and (m11 , m21 ...mq1 ), where
q = poly(n), the following holds:

{{Enc(k, mi0 )}qi=1 : k ← Gen(n)} =c {{Enc(k, mi1 )}qi=1 : k ← Gen(n)}

Using this definition, we will now show that a secure multi-message symmetric key en-
cryption scheme cannot be both stateless and deterministic (encryption that is both state-
less and deterministic means that if a plaintext is encrypted multiple times, the same ci-
phertext is generated each time).
SYMMETRIC KEY ENCRYPTION 36

Theorem 9. A multi-message secure symmetric key encryption scheme cannot be both


deterministic and stateless.
Proof. Let (Gen, Enc, Dec) be a multi-message secure symmetric key encryption scheme
that is stateless and deterministic. Consider the following two message vectors: (m00 , m10 ),
where m00 = m10 , and (m01 , m11 ), where m01 6= m11 . Let k ← Gen(n) be chosen at random.
Since Enc is stateless and deterministic, encryption of the vector (m00 , m10 ), where m00 = m10 ,
results in a vector (c00 , c10 ) with two identical ciphertexts (c00 = c10 ) because inputs to Enc are
identical and Enc is deterministic. In contrast, encryption of the vector (m01 , m11 ), where
m01 6= m11 , results in a vector (c01 , c11 ) with two different ciphertexts, since otherwise the
decryptor would not know whether the ciphertext corresponds to m01 or m11 (contradiction
to the correctness property of the encryption scheme).
Thus, a PPT adversary A can use these two message vectors to distinguish the dis-
tributions {{Enc(k, mi0 )}qi=1 : k ← Gen(n)} and {{Enc(k, mi1 )}qi=1 : k ← Gen(n)} with
probability 1, contradicting the security of the given encryption scheme.

4.3.1 Multi-Message Encryption using a PRF


We have shown that stateless non-randomized encryption schemes cannot be multi-
message secure. However, stateless nondeterministic encryption schemes can be multi-
message secure. We will now show an example of such a scheme.
n m m
Given a pseudo-random function F : {0, 1} × {0, 1} 1 → {0, 1} 2 , we constuct an
encryption scheme (Gen, Enc, Dec) as follows:
$
• Gen(n) : Output k ← {0, 1}n
$
• Enc(k, m) : Sample r ← {0, 1}m1 , set c1 = r, compute c2 = m ⊕ P RF (k, r), and
output c = (c1 , c2 ).
• Dec(k, (c1 , c2 )) : Output c2 ⊕ P RF (k, c1 ).
First, note that Gen, Enc, and Dec are all polynomial time algorithms, since PRF and
xor can be computed in polynomial time.
To show correctness, note that the following holds for all messages m and keys k:

(m ⊕ P RF (k, r)) ⊕ P RF (k, r) = m

We will now show that (Gen, Enc, Dec) is indistinguishablility based secure using a
hybrid argument:
Proof. Let M0 = {mi0 }qi=1 and M1 = {mi1 }qi=1 be two vectors of size q, where q = poly(n).
$
Let k ← {0, 1}n . Then, we construct the following hybrids:
H0 : {(ri , mi0 ⊕ P RF (k, ri ))}qi=1
H1 : {(ri , mi0 ⊕ RF (ri ))}qi=1 where RF is a truly random function
$
H2 : {(ri , mi0 ⊕ Ri : Ri ← {0, 1}n )}qi=1
$
H3 : {(ri , mi1 ⊕ Ri : Ri ← {0, 1}n )}qi=1
H4 : {(ri , mi1 ⊕ RF (ri ))}qi=1 where RF is a truly random function
H5 : {(ri , mi1 ⊕ P RF (k, ri ))}qi=1
SYMMETRIC KEY ENCRYPTION 37

First, note that H0 =c H1 because of the security guarantee of the PRF function: if there
exists an adversary A that distinguishes H0 and H1 with some non-negligible probability,
then we can construct another adversary B who can win the guessing game in the PRF
definition with probability 12 + notice(n) . Until A provides an output, in each round i the
adversary B works by sampling ri , querying ri from its challenger and using the response
Ri to construct input (ri , mi0 ⊕ Ri ) to its internal adversary A. Then, B outputs “PRF” if A
outputs “H0 ”, and “RF” otherwise. B wins with the same probability as A, and since we
assume that A wins with some non-negligible probability, we reach a contradiction to the
security of the given PRF.
Now, note that if all the ri s were different, then H1 and H2 would be identical distri-
butions. However, if there was a ri = rj , then RF (ri ) would be the same as RF (rj ), but
at the same time Ri would not be the same as Rj with a very high probability. Thus, an
adversary would be able to distinguish H1 and H2 with very high probability if there was
a vector with a repeated string.
However, the probability of some ri being equal to some rj for fixed indices iand j is
q
1 2
, so the probability of any two ri , rj being equal is bounded by above by which
2m1 2m1
is negligible. Therefore, any PPT adversary can only distinguish between H1 and H2 with
negligible probability, so H1 =c H2 .
H2 and H3 are identical because one-time pad is perfectly secure. H3 is induistinguish-
able from H4 by the same reasoning as used in the proof of indistinguishability of H1 and
H2 . H4 is induistinguishable from H5 by the same reasoning as used in the proof of indis-
tinguishability of H0 and H1 . By the hybrid lemma, we are done.
Fun with Hybrids
Part 2 – Encryption Schemes

We now continue with the hybrid lemma application examples. In this chapter, we will
focus on the examples considering encryption schemes. In all the examples below, we will
assume that the encryption schemes used as building blocks in the new construction are
secure.
In the following, Enc(k, m; r) denotes running the Enc algorithm with input (k, m) and
random tape r.

Example 4 Does it hold that


Enc(k, m1 ; r)||Enc0 (k 0 , m1 ; r0 ) ≈c Enc(k, m2 ; r)||Enc0 (k 0 , m2 ; r0 )?

Answer: Yes.
Proof. Consider the following hybrids:
1. H0 : {Enc(k, m1 ; r)||Enc0 (k 0 , m1 ; r0 )}
2. H1 : {Enc(k, m1 ; r)||Enc0 (k 0 , m2 ; r0 )}
3. H2 : {Enc(k, m2 ; r)||Enc0 (k 0 , m2 ; r0 )}
Informally, H0 is computationally indistinguishable from H1 by the indistinguishability
based security of Enc0 . Similarly, H1 is computationally indistinguishable from H2 by the
indistinguishability based security of Enc. Intuitively, we can step from H0 to H1 and from
H1 to H2 since the parameters for each encryption in the concatenation are completely
independent, so we do not break the requirement that the randomness and key is chosen
uniformly at random. Unlike OWFs, encryption schemes do not require message to be
chosen at random.

Example 5 Does it hold that Enc(k, m1 ; r)||Enc0 (k, m1 , r0 ) ≈c Enc(k, m2 ; r)||Enc0 (k, m2 , r0 )?

Answer: No.
Proof. We now provide intuition for why the claim is not true. Let us try to use the same
hybrid approach as in the previous example:
1. H0 : {Enc(k, m1 ; r)||Enc0 (k, m1 ; r0 )}
2. H1 : {Enc(k, m1 ; r)||Enc0 (k, m2 ; r0 )}

38
FUN WITH HYBRIDS, PART 2 – ENCRYPTION SCHEMES 39

Already, we have made an incorrect step in our hybrid argument: H0 6≈c H1 . The reason
for this is because both encryptions Enc and Enc0 use the same key k. It is possible for
both encryptions to each leak some part of k, that when combined allows an adversary
to use k to distinguish between {Enc0 (k, m1 ; r0 )} and {Enc0 (k, m2 ; r0 )} which would mean
H0 6≈c H1 . (For example, suppose Enc leaked the first half of k and only used the second for
security, and then Enc0 leaked the second half and used the first half for security). Hence
the hybrid argument breaks down and we cannot continue.
To summarize: given Enc0 (k, m; r), k may no longer be uniform.
Example 6 Does it hold that Enc(k, m1 ; r)||Enc(k, m1 ; r0 ) ≈c Enc(k, m2 ; r)||Enc(k, m2 ; r0 )?
Answer: No (depends).
Proof. Looking at the question another way, what it is really asking is if the scheme is
multi-message secure. If it is not, then the hybrid argument fails:
1. H0 : {Enc(k, m1 ; r)||Enc(k, m1 ; r0 )}
2. H1 : {Enc(k, m1 ; r)||Enc(k, m2 ; r0 )}
3. H2 : {Enc(k, m2 ; r)||Enc(k, m2 ; r0 )}
Note that if Enc is multi-message secure, we can claim that H0 is computationally indistin-
guishable from H1 (and H1 is computationally indistinguishable form H2 ). If the scheme
is not multi-message secure, we cannot make such claims about H0 and H1 (and H1 and
H2 ). Intuitively, if we were to try to argue that Enc is not secure if H0 and H1 are distin-
guishable, we would fail since to construct an input to the distinguisher we would need to
know k (to compute Enc(k, m1 ; r)).
Example 7 Does it hold that Enc(k, m1 ; r)||Enc0 (k 0 , m1 ; r) ≈c Enc(k, m2 ; r)||Enc0 (k 0 , m2 ; r)?
Answer: No.
Proof. We provide an intuition. Similar to Example 5, this example fails the hybrid argu-
ment as for an encryption scheme, the randomness must be sampled uniformly at random.
An adversary given both encryptions with the same randomness may have enough infor-
mation to distinguish between the distributions of the encryption scheme on m1 vs m2 .
Exploring this further:
1. H0 : {Enc(k, m1 ; r)||Enc0 (k 0 , m1 ; r)}
2. H1 : {Enc(k, m1 ; r)||Enc0 (k 0 , m2 ; r)}
At this point, we cannot claim H0 ≈c H1 .
1. Suppose an adversary A exists which can distinguish H0 from H1 with non-
negligible probability. Then we will attempt to build adversary B against Enc0 .
2. Take A’s choices for m1 and m2 and send them to the challenger for B. Receive a
ciphertext c which is either Enc0 (k 0 , m1 , r) or Enc0 (k 0 , m2 , r).
3. In order to use A to win the game against the challenger for B, we need to construct
an input which is indistinguishable from the proposed scheme’s ciphertext. To do
this, we need to compute Enc(k, m1 , r) to prepend to c. However, we cannot do so
since the random choice r is the same for Enc and Enc0 , and we do not know it.
To summarize: given Enc(k, m1 ; r), r may not be uniform.
Facts from Number and Group Theory

In the previous lecture, we introduced the syntax of the symmetric key encryption scheme,
where the same key is used for encryption and decryption procedures. However, it is not
always feasible for the sender and the recipient to share and agree on the same secret
key. In subsequent lectures, we will introduce public-key encryption schemes where the
encryption and decryption keys are different but mathematically related. Such schemes
are based on the assumption that certain problems in number theory are hard. To better
understand such schemes, we need to recap some basic facts from number theory and
group theory.
In the following, we will use the following notation:
• N = set of all natural numbers ({1, 2, 3, . . .})
• R = set of all real numbers (e.g., 5.25)
• Z = set of all integers ({−∞, . . . , −1, 0, 1, . . . , +∞})
• For integers (a, b), gcd(a, b) denotes the greatest common divisor (the largest number
which divides both a and b).

Remark 12. The Greatest Common Divisor (GCD) can be computed in polynomial time
using Extended Euclidean Algorithm (EEA). Additionally, the EEA allows us to compute
(x, y) for any (a, b) such that ax + by = gcd(a, b).

Theorem 10. If a, b are relatively prime (i.e., gcd(a, b) = 1) and a > b, then there exists y
s.t.
by = 1 mod a

Proof. Using EEA, we can get x, y such that ax + by = gcd(a, b) = 1. Thus, (ax + by)
mod a = 1 mod a. Therefore, we get by = 1 mod a.

Remark 13. If by = 1 mod a, we say that y is an inverse of b with respect to a.

5.1 G ROUPS

A group is a fundamental object in algebra and is widely used in constructing crypto-


graphic algorithms. For example, the Diffie–Hellman key exchange makes use of finite
cyclic groups. Before delving into cryptographic schemes that utilize groups, let us famil-
iarize ourselves with some basic group theory concepts and see some examples of groups.

40
FACTS FROM NUMBER AND GROUP THEORY 41

5.1.1 Basic Definitions


Definition 29. Let G be a set, and : G × G → G be an operation. A group (G, ) is an
algebraic structure that satisfies the following properties:
1. Closure: If a, b ∈ G, then a b ∈ G.
2. Existence of Identity: ∃e ∈ G such that for all a ∈ G, a e = e a = a.
3. Associativity: ∀a, b, c ∈ G, (a b) c = a (b c).
4. Existence of Inverse: ∀a ∈ G, ∃b ∈ G such that a b = e = b a.
Definition 30. An Abelian group G is a group such that ∀a, b ∈ G, a b = b a.
Definition 31. The order of a group G (denoted as |G|) is the number of elements in G.
5.1.2 Examples of Groups
Now we take a look at some examples of groups. An additive group is a group where the
group operation is an addition of some type.
Example of an Additive Group
(Zn , ) where Zn = {0, 1, . . . , n − 1}, = addition mod n, is an additive group.
Proof.
1. Closure: if a, b ∈ Zn , then a b = (a + b) mod n. Since 0 ≤ (a + b) mod n ≤ n − 1, it
holds that a b ∈ G.
2. Existence of Identity: e = 0.
3. Associativity: This follows from the fact that addition modulo n is associative.
4. Existence of Inverse: Given a ∈ Zn , its inverse is b = n − a. Since 0 ≤ b ≤ n − 1,
b ∈ Zn .

Example of a Multiplicative Group


A multiplicative group is a group where the group operation is a multiplication of some
type.
(Z∗p , ) where p is a prime number, Z∗p = {1, 2, 3, . . . p − 1} 4 , and = multiplication
mod n, is a multiplicative group.
Proof.
1. Closure: Suppose a, b ∈ Z∗p . Since a, b are relatively prime to p, we know that a · b 6=
k · p (note that the left-hand side is not divisible by p, and the right-hand side is).
Since additionally 0 < (a · b) mod p < p, it holds that a · b ∈ Z∗p .
2. Existence of Identity: e = 1.
3. Associativity: This follows from the fact that multiplication modulo n is associative.
4. Existence of Inverse: Given a ∈ Z∗p , we know by Theorem 10 that there exists b such
that a · b = 1 mod p. Note that b = (b − p) mod p. Thus, there exists b such that
a · b = 1 mod p and 1 ≤ b ≤ p − 1.

Remark 14. For (Z∗p , ), the order of the group is p − 1.


4 In general, Z∗n denotes the set of all integers from the set {1, 2, 3, . . . n − 1} relatively prime to n.
FACTS FROM NUMBER AND GROUP THEORY 42

Fundamental Theorem of Arithmetic


The Fundamental Theorem of Arithmetic is also called the Unique Factorization Theorem.
It is important to know this theorem since integer factorization into primes is an important
tool for securing public-key encryption.
Theorem 11 (Fundamental Theorem of Arithmetic). For all integer N > 1, there ex-
ists k > 0 different primes p1 , p2 , . . . , pk , p1 < p2 < . . . < pk , and k positive integers
{e1 , e2 , . . . , ek } such that N can be expressed as
Y
N= pei i ,
i

and moreover, this representation is unique.


Euler’s Phi(Totient) Function
We introduce Euler’s Phi Function (also sometimes called Euler’s Totient Function), de-
noted φ(N ), which is important for defining the RSA encryption scheme.
Definition 32 (Euler’s Phi (Totient) Function). Euler’s phi function of a positive integer N ,
denoted φ(N ), is the number of integers from set {1, 2, . . . N − 1} which are relative prime
to N . We have Y
φ(N ) = piei −1 · (pi − 1),
i
Q ei
where N = i pi .

Example 1 For p prime φ(p) = p0 · p0 · (p − 1) = p − 1.


Example 2 Say N is a product of two primes N = p1 p2 , where p1 6= p2 . Then,
φ(N ) = (p1 − 1)(p2 − 1) = |Z∗N |.

Theorem 12. For all N ≥ 2, φ(N ) = |Z∗N |.


Theorem 13 (Fermat’s Little Theorem). ∀a ∈ Z∗p , ap−1 mod p = 1.
Proof. Suppose a ∈ Z∗p , then a is relatively prime to p. Multiplying each element in Z∗p by a,
we get a set aZ∗p = {a, 2a, · · · , (p − 1)a}. By the laws of modular arithmetic, these elements
are distinct from one another modulo p (if ma = na mod p, then m = n mod p, but we
know that each element in Z∗p is distinct). Therefore, Z∗p = aZ∗p . Thus, if we multiply the
elements in both sets, the resulting products must be equal: 1·2·. . .·(p−1) = a·2a·. . .·(p−1)a
mod p. We can now divide both sides by 1 · 2 · . . . · (p − 1) to get ap−1 mod p = 1.
Theorem 14 (Euler’s Generalization). ∀a ∈ Z∗n , aφ(n) mod n = 1.
Multiplicative Group of Prime Order
Definition 33. A group whose order is prime is called a group of prime order, or prime-order
group.
Multiplicative groups of prime order are extremely important in cryptography. Un-
fortunately, for an integer N > 3, the order of Z∗N (i.e., Euler’s phi function of N ) is not
prime. Therefore, we cannot use multiplicative groups Z∗N and need to find another way
to construct a multiplicative group of prime order.
FACTS FROM NUMBER AND GROUP THEORY 43

Example Construction of a Multiplicative Group of Prime Order Choose p = 2q + 1


where p, q are prime numbers (such p is called a Sophie-Germain prime.) Then,
Gq = {x2 mod p : x ∈ Z∗p } is a multiplicative prime-order group.
Theorem 15. |Gq | = q.
Proof. Note that both x and p − x from Z∗p map to the same element x2 = (p − x)2 mod p of
Gq . Since |Z∗p | = p − 1 = 2q, it holds that |Gq | ≤ q. Suppose x, y are two different elements
in Z∗p and y 6= p − x. Assume x2 = y 2 mod p. This means that (x + y)(x − y) = 0 mod p.
Since p is prime, either x + y or x − y divides p. We know that x + y 6= 0 mod p, so it
must hold that x − y = 0 mod p. Thus, x = y mod p, which contradicts the assumption
that x 6= y. Therefore, we know that x2 6= y 2 mod p. Thus, unless two elements in Gq are
not inverses of each other in Zp , they map to different elements in Gq . Therefore, we have
|Gq | = q.
Generator of a Multiplicative Group
Definition 34. g ∈ G is a generator of the group G if G = {g 1 , g 2 , g 3 , . . . , g |G| }.
Note that g x = g g · · · g (x times).
Remark 15. Suppose g ∈ G is a generator of the group G, then g |G| is the identity element
in G.
Theorem 16. Every non-identity element of a multiplicative prime order group is a gener-
ator.

5.2 D ISCRETE L OGARITHM A SSUMPTION AND ITS VARIATIONS

Informally, the Discrete Log Problem for multiplicative prime-order groups is the problem
that given such a group Gq and an element g x , where g is a generator, we want to try to
find x (x is called the discrete logarithm of g x ). In cryptography (in particular in certain
public-key encryption schemes), it is assumed that for certain groups this problem is hard.

5.2.1 Discrete Log Assumption (DLA)


Definition 35 (Discrete Log Assumption, DLA). Suppose Gq is a prime order multiplica-
tive group, and g ∈ Gq is a generator. Then, for every PPT algorithm A, the following
holds:
$
Pr[A(g x ) = x : x ← Zq ] ≤ negl(q)
Theorem 17. f (x) = g x is a one-way function.

5.2.2 Variations of DLA


Definition 36 (Computational Diffie-Hellman Assumption,CDH). Suppose Gq is a prime
order multiplicative group, and g ∈ Gq is a generator. Then for every PPT algorithm A,
$
Pr[A(g x , g y ) = g xy : x, y ← Zq ] ≤ negl(q)
Intuitively, this means that given g x , g y randomly chosen from Gq , it is hard to compute
xy
g in probabilistic polynomial time.
FACTS FROM NUMBER AND GROUP THEORY 44

Remark 16. CDH is a stronger assumption than DLA, since we are assuming something
extra than in DLA5 . Note that solving the Discrete Log problem means we can also solve
the CDH problem: given g x , g y , just compute y by DLA and we can compute g xy = (g x )y .

Definition 37 (Decisional Diffie-Hellman Assumption). Suppose Gq is a prime order mul-


tiplicative group, and g ∈ Gq is a generator. Then for every PPT algorithm A, the following
two distributions are computationally indistinguishable:
$ $
{(g xy , g x , g y ) : x, y ← Zq } =c {(g r , g x , g y ) : r, x, y ← Zq }

Intuitively, this means that given g x , g y randomly chosen from Gq , it is hard to distin-
guish g xy from some random g r in Gq in probabilistic polynomial time.

Remark 17. DDH is a stronger assumption than CDH: given g x , g y , g r , we can compute
g xy and compare it with g r .

5 Note that in cryptography weaker assumptions are typically more desirable.


Key Agreement

In the last chapter, we introduced the decisional Diffie-Hellman assumption. Now we will
see that this is indeed a very useful assumption and describe a key exchange protocol that
is based on this assumption.

6.1 K EY E XCHANGE D EFINITION

Key exchange is a way for cryptographic keys to be exchanged between two parties over a
public channel. This is necessary in symmetric cryptographic schemes like one-time pad,
where the sender and the receiver must agree on a key in order for the message to be enc-
and later decrypted.
More formally, we consider two PPT parties A and B with private randomness rA
and rB , respectively. Parties A and B interact with each other over multiple rounds. Let
n denote the size of the randomness, and π the key exchange protocol. Then, π(rA , rB )
denotes the execution of the protocol π between parties A and B that use randomness
rA and rB . The protocol execution results in a transcript τ , consisting of the sequence of
messages exchanged between A and B. The view of the party A in the protocol is (rA , τ ),
and view of the party B is (rB , τ ). In the end, party A outputs kA = compute key(rA , τ ),
and party B outputs kB = compute key(rB , τ ), where compute key is a PPT algorithm.
Definition 38 (Key Exchange Protocol (KEP)). A key exchange protocol (KEP) must satisfy
the following two properties:
1. Correctness: If both parties A and B are honest, kA must be equal to kB
P rrA ,rB [kA = kB ] = 1
Note that if kA = kB , then we can simply denote k = kA = kB .
2. Security: Consider a passive PPT adversary E (an eavesdropper) observing all mes-
sages transmitted over the network. The view of E is τ . Denote the length of the key
k by κ. Then, the protocol is secure if the following holds:
{k, τ } =c {Uκ , τ },

Alternatively, the protocol is secure if for all PPT E the following holds:
$ $
|P r[E(k, τ ) = 1 : rA , rB ← Un , τ = π(rA , rB )]−P r[E(Uκ , τ ) = 1 : rA , rB ← Un , τ = π(rA , rB )]| ≤ negl(κ).

Remark 18. An alternative definition where we require k to be indistinguishable from a


uniform group element is also valid.

45
KEY AGREEMENT 46

6.2 D IFFIE -H ELLMAN K EY E XCHANGE

We are now ready to introduce a classic key exchange protocol designed by Diffie and
Hellman in 1976.

6.3 D IFFIE -H ELLMAN K EY E XCHANGE P ROTOCOL

Let Gq be a group where the DDH assumption holds. Let g ∈ Gq be a generator in this
group. The protocol proceeds as follows.
$
− Z∗q as its own private randomness. Then, A sends X = g x to B.6
• A picks rA = x ←
$
− Z∗q as its own private randomness. Then, B sends Y = g y to A.
• B picks rB = y ←
• A outputs key kA = Y x , and B outputs key kB = X y .

Note that this protocol satisfies the definition for KEP:

• It satisfies correctness since kA = Y x = g xy = g yx = X y = kB .


• As for the security, note that the adversary knows g x and g y . If the adversary can
then distinguish g xy from a uniformly random g r with a non-negligible probability,
this directly breaks the DDH assumption.

6.3.1 Active vs. Passive Adversaries


So far, we have only considered passive attackers. In general, however, attackers may
tamper with messages sent over networks. As such, we can categorize attackers into passive
adversaries and active adversaries. Passive adversaries just observe the messages sent over
the network. Active adversaries can modify or drop messages sent by other parties.
Now, one might ask: assuming two parties A and B have never met before, is it possible
to design a protocol that protects against active attackers? The answer is no, and that any
key exchange protocol will fail in such settings. The idea is that if A and B have never met,
there exist no shared secrets, no notion of identity. As such, an attacker E could perform
a man-in-the-middle attack by impersonating A and B: E can engage in a key exchange
separately with A and with B (A will think that it is exchanging keys with B and vice
versa), and then mediate the conversation between the two parties.

6.3.2 Key Management Using Trusted Third Party


In the 90s, people faced the problem of key management. A community with N mem-
bers, generally require O(N 2 ) keys for each member to securely communicate with an-
other member. This problem was later addressed using a trusted central server. Keberos is
one such protocol. Imagine two parties that wish to communicate with each other. In Ker-
beros, they will first each authenticate themselves with a trusted central key distribution
server. Then, instead of trying to directly exchange keys with each other, the parties will
rely on the central server to generate the key and send the key to them.

6 Remember that g x is computed using the group operation (rather than plain multiplication).
Public Key Encryption

As we have seen in the previous chapter, using a symmetric key has some issues: if a party
wants to communicate with N other parties, it first needs to agree on a joint key with
each communication partner, and then store all N shared keys. Public key cryptography
allows to drop this requirement. Instead of a shared key generated for each conversion,
each party has a public key that can be disseminated widely, and a secret key that must be
kept private. To send messages to party A, other parties use A’s public key. To decrypt
the received messages, A uses its secret key. In the late 1980s and early 1990s, public key
encryption was considered too slow and therefore remained a largely theoretical research
topic. Now, given faster computers, public key encryption is widely used.
Like symmetric key encryption, public key encryption also consists three algorithms.

Definition 39 (Public Key Encryption (PKE)). A public key encryption scheme consists of
three algorithms (Gen, Enc, Dec) defined below:
• (pk, sk) ← Gen(κ). The PPT key generation algorithm Gen takes as input a security
parameter κ and generates a public key pk and a secret key sk.
• c ← Enc(pk, m). The PPT encryption algorithm Enc takes as input a public key pk
and a message m, and outputs a ciphertext c.
• m ← Dec(sk, c). The deterministic polynomial time decryption algorithm Dec takes
as input a secret key sk and a ciphertext c, and outputs a plaintext message m.

The public key encryption scheme must satisfy the following requirements:
• Correctness For all messages m the following holds:

P r[Dec(sk, c) = m : (pk, sk) ← Gen(κ), c ← Enc(pk, m)] = 1

• Security For all pairs of messages (m0 , m1 ) the following holds:

{pk||Enc(pk, m0 ) : (pk, sk) ← Gen(κ)} =c {pk||Enc(pk, m1 ) : (pk, sk) ← Gen(κ)}

Alternatively, the security holds if for all pairs of messages (m0 , m1 ) and for all PPT
adversaries A the following holds:

$ 1
|P r[A(pk, Enc(pk, mb )) = b : (pk, sk) ← Gen(κ), b ←
− {0, 1}] − | ≤ negl(n)
2

47
PUBLIC KEY ENCRYPTION 48

7.1 S TATELESS AND D ETERMINISTIC P UBLIC K EY E NCRYPTION

As we have shown in previous chapters, in symmetric key encryption any deterministic


and stateless protocol cannot be secure in a multi-message setting. The same applies for
public key encryption, but in a stronger way. The reasoning is as follows:
• If a symmetric key encryption is deterministic, then an attacker can perform “replay
attacks”. Intuitively, an adversary may notice identical ciphertexts repeated trans-
mitted over the network. Then, the adversary knows that the same message is being
transmitted again (although it may not be able to compute the message).
• In public key encryption, an adversary can perform an even stronger attack. Imag-
ine we have a deterministic public key encryption scheme, two messages m0 , m1
and a ciphertext c which is either m0 or m1 . Then, the attacker could simply run
Enc(pk , m0 ) and Enc(pk , m1 ) to figure out what the original message is.
Thus, we have established that deterministic PKE is unsafe. That being said, there do exist
interesting applications of deterministic PKE. Imagine you have a database containing sen-
sitive entries such as patient medical records which, by law, cannot be uploaded to public
storage systems unencrypted. So, you encrypt the entire database before uploading it to
cloud. Your client, a hospital, wants to run queries on the database to answer questions
like “how many patients have disease X”. However, the search functionality is gone. Since
the database is now encrypted, it is unclear how the hospital can proceed.
However, if the database was encrypted using deterministic PKE, conducting such
search is indeed easy. Indeed, the hospital may encrypt the keyword “disease X” using
the public key and perform simple string matching to count the number of occurrences of
this disease. Note that a non-deterministic PKE scheme will not work in this scenario be-
cause the same key can generate different ciphertexts for the same message over multiple
executions.

7.2 M ULTI -M ESSAGE P UBLIC K EY E NCRYPTION

As we did for symmetric key encryption, we now provide a formal definition for a multi-
message secure public key encryption scheme.
Definition 40 (Multi-Message Public Key Encryption, security requirement). For every
choice of vectors (m10 , m20 , · · · , mq0 ) and (m11 , m21 , · · · , mq1 ), where q = poly(n), the following
holds:

{pk||{Enc(pk, mi0 )}qi=1 : (pk, sk) ← Gen(n)} =c {pk||{Enc(pk, mi1 )}qi=1 : (pk, sk) ← Gen(n)}

We will now show that for public key encryption, our standard security notion already
implies the multi-message security.
Theorem 18. Every one-time secure PKE (Definition 39) is also multi-time secure.
Proof. We use the hybrid argument. Given two message vectors (m10 , m20 , · · · , mq0 ) and
(m11 , m21 , · · · , mq1 ), we construct hybrids H0 , ..., Hq as follows: let H0 be the set of encryp-
tions of the messages (m10 , m20 , · · · , mq0 ). We slowly (one message at a time) change the set
to encryptions of the messages in the second vector, and eventually arrive at Hq , the set of
encryptions of the messages (m11 , m21 , · · · , mq1 ):
PUBLIC KEY ENCRYPTION 49

H0 = {pk||Enc(pk, m10 ), Enc(pk, m20 ), · · · , Enc(pk, mq0 ) : (pk, sk) ← Gen(n)}


H1 = {pk||Enc(pk, m11 ), Enc(pk, m20 ), · · · , Enc(pk, mq0 ) : (pk, sk) ← Gen(n)}
..
.
Hk−1 = {pk||Enc(pk, m11 ), · · · , Enc(pk, mk−1
1 ), Enc(pk, mk0 ), · · · , Enc(pk, mq0 ) : (pk, sk) ← Gen(n)}
Hk = {pk||Enc(pk, m11 ), · · · , Enc(pk, mk1 ), Enc(pk, mk+1
0 ), · · · , Enc(pk, mq0 ) : (pk, sk) ← Gen(n)}
..
.
Hq = {pk||Enc(pk, m11 ), Enc(pk, m21 ), · · · , Enc(pk, mq1 ) : (pk, sk) ← Gen(n)}

First, we prove the following claim about any two consecutive hybrids:
Claim 7. If a PKE is one-time secure, then for all k ∈ {1, 2, · · · , q}, Hk−1 =c Hk .
Proof. Assume for the sake of contradiction that there exists some k ∈ {1, 2, · · · , q} such
that Hk−1 is not computationally indistinguishable from Hk . Then, by the definition of
computational indistinguishability, there exists a PPT adversary A who can distinguish
Hk−1 from Hk with a non-negligible probability. Using A, we can construct a PPT ad-
versary B that distinguishes between encryptions of some two messages (m0 , m1 ) with a
non-negligible probability:
• B receives a challenge public key pk.
• B runs A, sends it pk, and receives two sets of messages (m10 , m20 , · · · , mq0 ) and
(m11 , m21 , · · · , mq1 ).
• B sends the k-th messages (mk0 , mk1 ) to its challenger and receives a challenge c.
• B constructs a vector S of encrypted messages by encrypting the first k − 1 elements
from the first set of messages, and the last q − k elements from the second set of
messages. The k-th element is the challenge c. Formally,

S = {Enc(pk, m10 ), · · · , Enc(pk, mk−1


0 ), c, Enc(pk, mk+1
1 ), · · · , Enc(pk, mq1 )}

• Then, B gives pk||S as input to A.


• If A outputs that S is from set b, then B outputs b.
Note that the only element that differentiates Hk−1 from Hk is the kth element. Thus, if
the challenge ciphertext is the encryption of mk0 , then pk||S is from Hk−1 . Otherwise, pk||S
is from Hk . Thus, B succeeds with the same probability as A. Note that B is PPT because
A is PPT, and the only extra work B does compared to A, is constructing vector S, which
is of polynomial length. Since the existence of attacker B violates the security requirement
of PKE, we reached a contradiction. Note that the difference from SKE is that B was able
to encrypt messages on its own.
Given Claim 1, we can apply the Hybrid Lemma to get
PKE is one-time secure =⇒ H0 =c Hq
PUBLIC KEY ENCRYPTION 50

Since the two hybrids are indistinguishable for any choice of message vectors
(m10 , m20 , · · · , mq0 ) and (m11 , m21 , · · · , mq1 ), we have shown that if a PKE is single-message
secure, then it is also multi-message secure.

7.3 E L G AMAL E NCRYPTION S CHEME

We now introduce the ElGamal public key encryption scheme, which is closely related to
the Diffie-Hellman key exchange protocol introduced in the last chapter. We first describe
the idea at a high level:
Recall that in Diffie-Hellman key exchange, given a generator g of a group Gq , two
parties A and B each sample a random element rA , rB from Z∗q , and send g rA (respectively,
g rB ) to the other party. In the end, both parties share a common secret key g rA ·rB that can
be used for encrypting messages between them.
Note that g rA , g rB are recorded in the transcript in clear. Suppose A needs to receive
a message from B. Then, A could publish g rA , and B could send (g rB , cB ) to A, where
cB is a message encrypted using g rA ·rB . A can first compute g rA ·rB in the same way as in
Diffie-Hellman key exchange, and then decrypt cB . This is the core idea of the ElGamal
encryption scheme.
We now formally describe this encryption scheme, and prove its correctness and secu-
rity.

7.3.1 Construction
Let Gq be a group over which the decisional Diffie-Hellman Assumption holds. Let g ∈ Gq
be a generator. The encryption scheme consists of the following three algorithms:
$
• Gen(n) : sample x ← Z∗q and return (pk = g x , sk = x).
$
• Enc(pk, m) : sample r ← Z∗q and return (g r , pk r · m).
• Dec(sk, (c1 , c2 )) : return c2 c−sk
1 .
Given (pk = g x , sk = x) ← Gen(n), and any message m ∈ Gq , the correctness of the
scheme is shown in the following derivation:

Dec(sk, Enc(pk, m)) = Dec(sk, (g r , pk r m))


= pk r m · g −r·sk
= g x·r m · g −r·x
=m

We now prove that the ElGamal scheme satisfies the public key encryption security defi-
nition.
PUBLIC KEY ENCRYPTION 51

Proof. We define the following hybrid distributions:

$
H0 = {g x , g r , g xr · m0 : x, r ← Z∗q }
$
H1 = {g x , g r , g z · m0 : x, r, z ← Z∗q }
$
H2 = {g x , g r , g z : x, r, z ← Z∗q }
$
H3 = {g x , g r , g z · m1 : x, r, z ← Z∗q }
$
H4 = {g x , g r , g xr · m1 : x, r ← Z∗q }

By the DDH assumption we get H0 =c H1 , and H3 =c H4 . Since g is a generator of Gq and


m0 , m1 ∈ Gq , there exists a, b ∈ Z∗q such that g a = m0 and g b = m1 . That is: g z · m0 = g z+a ,
g z ·m1 = g z+b . Clearly, the distribution of a random sample z from Z∗q , and the distribution
of a random sample plus a fixed element z +a and z +b from Z∗q are exactly the same. Thus,
we get H1 = H2 = H3 . By the Hybrid Lemma, we conclude that H0 =c H4 .
By construction, given any two messages m0 , m1 ∈ Gq , we have
(pk = g x , sk = x) ← Gen(n), and (c01 = g r , c02 = pk r · m0 ) ← Enc(pk, m0 ) for elements
x, r ∈ Z∗q sampled uniformly at random. The distribution pk, c01 , c02 is exactly H0 . Similarly,
with (pk = g x , sk = x) ← Gen(n), and (c11 = g r , c12 = prk · m1 ) ← Enc(pk, m1 ), the distribu-
tion pk, c11 , c12 is exactly H4 . We can now conclude that the ElGammal encryption scheme
satisfies the public key encryption security.

7.4 RSA E NCRYPTION S CHEME

RSA encryption scheme is another public key encryption scheme. While ElGamal relies
on the Decisional Diffie-Hellman assumption, RSA relies on the RSA assumption. We first
describe the RSA function and state the RSA assumption.
Definition 41 (RSA function). Let Pn denote the set of prime numbers of length n. We
construct the RSA function fN,e as follows:
$
• Sample p, q ← Pn , and set N = p · q.
• Choose e ∈ Z∗φ(N ) (i.e. e is relatively prime to φ(N ), and 1 ≤ e ≤ φ(N )).
• For x ∈ Z∗N , fN,e (x) = xe mod N .

In the above definition, N is called the RSA modulus, and φ(N ) is the Euler’s phi func-
tion (φ(N ) = |Z∗N | = (p − 1)(q − 1)).
Looking a bit ahead, informally, the RSA assumption states that inverting an RSA func-
tion is hard. However, given some additional information it becomes easy. Note that given
φ(N ), since e is relatively prime to φ(N ), the Extended Euclidean algorithm efficiently
computes two coefficients x, y ∈ Z such that

ex + φ(N )y = gcd(e, φ(N )) = 1

Taking the above equation in modulo φ(N ), we get ex ≡ 1 mod φ(N ). That is, there
always exists d such that ed ≡ 1 mod φ(N ). Now, given d as described above and
PUBLIC KEY ENCRYPTION 52

fN,e (m) = y = me mod N , one can easily invert it as follows:

yd mod N = med mod N


= med mod φ(N )
mod N
1
=m mod N = m

The second equality follows from Euler’s theorem, which states that for all a and b that

are relatively prime holds aφ(b) ≡ 1 mod b. Since m ∈ ZN , m and N are indeed relatively
prime.
We have shown that given d, it becomes easy to invert the RSA function. For this
reason, d is called the trapdoor of the RSA function fN,e .

7.4.1 RSA assumption


We now give the formal definition of the RSA assumption.
Definition 42 (RSA assumption). For all PPT adversaries A,
$ $ $
Pr[A(y, (e, N )) = x : p, q ← Pn , N = pq, e ← Z∗φ(N ) , x ← Z∗N , y = xe mod N ] ≤ negl(n)

An alternative statement of the above definition is that computing the eth roots in ZN is
hard.
RSA vs. Factoring Assumption
As we discussed above, given φ(N ), an adversary can efficiently compute the trapdoor
d, and then return y d as x. One way to compute φ(N ) is to factor N and then compute
φ(N ) = (p − 1)(q − 1). Thus, for the RSA assumption to hold the Factoring assumption
must hold. However, it is not clear whether this is sufficient or whether there are ways
to compute x that do not involve factorization. It is an open problem whether the RSA
assumption is equivalent to the Factoring assumption.
RSA Encryption – First Attempt
Our ultimate goal is to design a public key encryption scheme using the RSA assumption.
A naive attempt is to use (N, e) as the public key, d as the secret key, Enc((N, e), m) =
fN,e (m) as the encryption algorithm, and Dec(d, c) = cd as the decryption algorithm. Al-
though this naive scheme is clearly correct, it is not secure, since the encryption algorithm
is deterministic. In order to build a secure public key encryption scheme using the RSA
assumption, we need to introduce a new variant of one-way functions.

7.4.2 Trapdoor One-way Permutations (Trapdoor OWP)


Definition 43 (Trapdoor One-way permuation). A collection of functions
Fn = {fi : Di → Ri }i∈In is a family of trapdoor one-way permutations if the following
conditions are satisfied:
1. (Function sampler) There exists a PPT algorithm G(n) that takes as input the security
parameter n and outputs (i, t) where i ∈ In , and t is the trapdoor associated with
fi ∈ Fn .
2. (Input sampler) There exists a PPT algorithm S that takes i as input and outputs a
uniformly random element from Di .
PUBLIC KEY ENCRYPTION 53

3. (Polynomial time) Given i, fi (x) can be computed in polynomial time for all i ∈ In
and x ∈ Di .
4. (Hard to invert) For all PPT adversaries A the following holds:

$
Pr[y = fi (x0 ) : (i, t) ← G(n), x ← Di , y ← fi (x), A(i, y) = x0 ] ≤ negl(n)

5. (Inverts with trapdoor) There exists a PPT algorithm I such that the following holds:

Pr[y = fi (x0 ) : (i, t) ← G(n), x ← Di , y ← fi (x), I(i, y, t) = x0 ] = 1

6. (Permutation) For all i ∈ In , fi is a permutation.


Remark 19. Note that in the above definition, we consider a family of functions instead of
just a single function. The reason is that given a single function f and a trapdoor t, even
though finding the trapdoor information may require exponential time, the adversary may
simply have it inbuilt inside its code. If everything is encrypted with the same trapdoor,
the adversary is then able to recover every message that was ever encrypted. Using a
family of functions prevents this problem.

7.4.3 RSA Implies Trapdoor OWP


We now show that the RSA assumption implies trapdoor one-way permutations.
We construct a trapdoor one-way permutation as follows:
• Function sampler: G(n) samples two prime numbers p, q, and computes N = pq.
$
Then, G samples a random exponent e ← Z∗φ(N ) and computes d such that
ed ≡ 1 mod φ(N ) using the Extended Euclidean algorithm. Finally, G outputs
(i = (N, e), t = d).
• Input Sampler: note that Di = Z∗N . Thus there exists a PPT algorithm to sample a
random element from Di .
• For each i = (N, e), fi (x) = xe mod N .
Note that condition 3 of Definition 43 is satisfied because computing fi (x) is clearly possi-
ble in PPT. Condition 4 follows directly from the RSA assumption. Condition 5 holds since
we can easily construct I as follows: taking ((N, e), y, d) as input, I outputs y d = xed = x
mod N . Finally, notice that because of the existence of the trapdoor fi is one-to-one for

all i ∈ In . Additionally, the input and output space are both ZN . Thus, for all i ∈ In our
construction fi is a permutation.

7.4.4 From Trapdoor OWP to Public Key Encryption


Given a family of trapdoor one-way permutations with the corresponding function sam-
pler algorithm G(·), inverting algorithm I, and an input sampler D, we can construct a
secure public key encryption scheme as follows:
• Gen(n) : runs the function sampler algorithm (i, t) ← G(n), selects the hard-core
predicate hi for fi , and returns (pk = (i, fi , hi ), sk = t).
$
• Enc(pk, m) : for a single bit message m ∈ {0, 1}, samples r ← Di and outputs
c = (fi (r), hi (r) ⊕ m).
PUBLIC KEY ENCRYPTION 54

• Dec(sk, c = (c1 , c2 )) : recovers r from c1 using the trapdoor t and the inverting algo-
rithm I, and then outputs m = c2 ⊕ hi (r).
Notice that this construction is indeed a secure public-key encryption scheme. Correctness
follows from the properties of the trapdoor OWP. Now consider the security property.
Note that pk = (i, fi , hi ). Thus, we need to show that for all (m0 , m1 ) the following holds:

$
{(i, fi , hi )||(fi (r), hi (r) ⊕ m0 ) : ((i, fi , hi ), t) ← Gen(κ), r ← Di }
$
=c {(i, fi , hi )||(fi (r), hi (r) ⊕ m1 ) : ((i, fi , hi ), t) ← Gen(κ), r ← Di }

Consider the following four hybrids:

$
H0 := {(i, fi , hi )||(fi (r), hi (r) ⊕ m0 ) : ((i, fi , hi ), t) ← Gen(κ), r ← Di }
$ $
H1 := {(i, fi , hi )||(fi (r), b ⊕ m0 ) : ((i, fi , hi ), t) ← Gen(κ), r ← Di , b ← {0, 1}}
$ $
H2 := {(i, fi , hi )||(fi (r), b ⊕ m1 ) : ((i, fi , hi ), t) ← Gen(κ), r ← Di , b ← {0, 1}}
$
H3 := {(i, fi , hi )||(fi (r), hi (r) ⊕ m1 ) : ((i, fi , hi ), t) ← Gen(κ), r ← Di }

Informally, by the security of the hard-core predicate, hi (r) is indistinguishable from


$
b ← {0, 1}. Thus, H0 =c H1 . By perfect security of the one-time pad we get H1 = H2 .
Finally, again by the security requirement of the hard-core predicate, we get H2 =c H3 . By
the Hybrid Lemma we get H0 =c H3 .
MAC and Hash Functions
In the previous chapters we mostly considered passive adversaries. Now we would like
to consider a stronger adversary who might want to alter messages passed between the
two parties. Perhaps surprisingly, with some schemes that we have proven secure in the
previous chapters doing so is not that hard.
Say Alice is trying to send message to Bob using a one-time pad, and an adversary Eve
is able to observe the network and intercept messages passed over this network. Assuming
that Alice only sends “Attack" or “Defend" to Bob, Eve can always change the message
from “Attack” to “Defend” and vice versa by

c0 = c ⊕ "Attack" ⊕ "Defend"

Thus, after intercepting some ciphertext c from Alice, Eve changes it to c0 and sends it to
Bob. In this case, although Eve knows nothing about the shared key between Alice and
Bob, she can still change the message.
Similarly, in the RSA context, say the message being sent is m. Eve can easily change
the message to 2m by multiplying the ciphertext with 2e mod N :

c0 = me ∗ 2e mod N = (2m)e mod N

Thus, encryption only guarantees hiding, but not non-tamperability. Obviously, we


would like to make sure that we know the originator of the message that we received and
that this message was not altered. In this chapter we will introduce so-called Message
Authentication Codes (MACs) that provide us with such guarantee.

8.1 M ESSAGE A UTHENTICATION C ODE

8.1.1 Definition and properties


Definition 44 (Message Authentication Code). A Message Authentication Code (MAC)
scheme consists of the following algorithms:
• k ← Gen(n): The PPT algorithm Gen takes a security parameter n as input and
outputs key k.
• σ ← M ac(k, m): The PPT algorithm M AC takes key k and message m as inputs and
output MAC σ.
• V erif y(k, m, σ): The deterministic PT algorithm V erif y takes key k, message m and
MAC σ as inputs and outputs a bit b indicating whether the MAC is correct or not.
A MAC scheme must satisfy the following two properties:

55
MAC AND HASH FUNCTIONS 56

• Correctness: for all messages m, the following holds:

P r[V erif y(k, m, σ) = 1 : k ← Gen(n), σ ← M AC(k, m)] = 1

• Unforgability: Probability of any PPT adversary A wining the forging game defined
below is negligible.
Forging Game
The game is played between a challenger C and an adversary A as follows:
• Sampling: C samples k ← Gen(n).
• Learning: A sends mi to C, C replies with σi = M AC(k, mi ). This step is repeated
l(n) times where l is polynomial in n.
• Guessing: A outputs (m, σ). A wins if for all i, m 6= mi and V erif y(k, m, σ) = 1
Intuitively, a forging game allows an adversary to see polynomially many valid MACs on
the messages of his choosing. In the end, the adversary needs to generate a new valid
(message, MAC) pair.

8.1.2 Construction based on PRF


We will now discuss a MAC construction that is based on PRF:
• Gen(n) : Takes a security parameter n as input and outputs k ← GenP RF (n).
• M AC(k, m) : Takes key k and message m as inputs and outputs σ = P RF (k, m) as a
MAC.
• V erif y(k, m, σ) : Takes key k, message m and MAC σ as inputs and outputs 1 if
σ = P RF (k, m), and 0 otherwise.
Correctness clearly holds. We now prove the security of this scheme.
Proof. Suppose there exists an adversary A who wins the forging game with noticeable
probability δ. Then, we can construct an adversary B who wins the PRF guessing game
with some noticeable advantage as follows:
1. Run A.
2. On input mi from A, B passes it to C. On reply ci from C, B passes ci to A.
3. Once A outputs (m, σ), B queries C with m and matches output with σ. If they match
and m has not been queried before by A, then B guesses “PRF", else B outputs a
random bit.
Note that if C uses the PRF, then the game that A is playing is the forging game and A
wins in this game with some noticeable probability δ. Thus, in this case B wins the game
with a noticeable probability as well. If C uses a truly random function RF (·), then we do
not know how A behaves. However, the probability that A outputs a new (m, σ) such that
σ = RF (m) and m has not been queried before is negligible. Thus, in this case B outputs a
right guess with an overwhelming probability. Therefore, B wins the PRF guessing game
with probability 21 + notice(n).
MAC AND HASH FUNCTIONS 57

8.2 C OLLISION R ESISTANT H ASH F UNCTION

We now introduce another useful cryptographic primitive - Collision Resistant Hash Func-
tions(CRHFs). Intuitively, hash functions allow one to compress a message and are widely
used in multiple cryptographic schemes. First we introduce the so-called universal hash
functions:
Definition 45. A set H is a family of Universal Hash functions if for every x 6= y the follow-
ing holds:
1
P r[h(x) = h(y) : h ← H] ≤ ,
|R|
where R is the range of h.
Now we introduce the so-called Collision Resistant Hash Functions:
Definition 46 (Collision Resistant Hash Functions (CRHF)). A family of functions H =
{hi : Di → Ri }i∈I is a CRHF family if
• Sampling: There exists a PPT algorithm Gen which outputs i ∈ I such that hi is
uniformly random element from H.
• Easy to evaluate: For all i ∈ I, x ∈ Di , hi (x) can be computed in polynomial time.
• Compressing: For all i ∈ I, |Di | > |Ri |.
• Collision Resistance: For all PPT adversaries A the following holds:

P r[x 6= x0 AND hi (x) = hi (x0 ) : i ← Gen(n), (x, x0 ) ← A(i)] ≤ negl(n)

Intuitively, a CRHF is compressing since |Di | > |Ri |, so there must be several inputs
map to the same output. However, due to the collision resistance property it must be hard
for an adversary to find such a collision.

8.2.1 Facts
• Fact 1: No single h can be collision resistant.
Every hash function will necessarily have collisions because of the compression
property: since |Di | > |Ri |, the pigeonhole principle guarantees that some inputs
will hash to the same output. Collision resistance does not mean that no collisions
exist; it only means that they are hard to find. With only one h there exists a PPT
adversary who might have two inputs with the same outputs hard coded in its code
description. When we have a family of functions H, we make it computationally
hard for adversaries to hard-core collision pairs for every hash function.
• Fact 2: A “sufficiently" compressing CRHF family implies one-way functions.
Proof Say for all i ∈ I holds |hi (x)| ≤ |x|
2 . Then we claim that hi is also a one-way
function. Suppose this is not true, and there exists a PPT adversary A who is able to
invert hi with noticeable probability. Then we can construct a PPT algorithm B that
is able to find collisions with noticeable probability as follows:
1. Sample x.
2. Invoke A on y = hi (x) and get x0 .
3. If x 6= x0 , output (x, x0 ) as a collision claim.
MAC AND HASH FUNCTIONS 58

Thus we have:
P R[B finds a collision] = P r[A successfully inverts hi AND x 6= x0 ]
= P r[A successfully inverts hi ] ∗ P r[x 6= x0 ]
1
= P r[A successfully inverts hi ] ∗ (1 − )
number of preimages of y
1
= notice(n) ∗ (1 − )
number of preimages of y
= notice(n)
Note that the second step can be done is because the probability of A to successfully
inverting hi is independent from the probability that x 6= x0 .
The last step can be done because we assume that the length of the CRHF output is
at most half the length of the input. Say there is at most some negligible fraction |Rpi |
of outputs that have two or more preimages. Denote the set of these outputs by S
(its size is p). Then, because the length of the output is at most half the length of the
input, the number of inputs that map to one of the elements in S is 1 − negl. Thus, we
can construct an adversary B 0 finding the collisions that works just by sampling and
outputting two input elements x1 , x2 . The probability that both of these elements
map to some elements in S is (1 − negl)2 . Then, the probability that both x1 and x2
map to the same element in S is (1 − negl)2 · p1 . Since the fraction |Rpi | is negligible,
1 2 1 0
p is noticeable and thus (1 − negl) · p is noticeable as well. Thus, B is able to
find a collision with a noticeable probability, which is a contradiction to the collision-
resistance property. Therefore, there exists a noticeable fraction of outputs that have
two or more inputs and thus the last equation step holds.
Since a CRHF family has the collision resistance property, the probability for B to
win must be negligible. Thus, we find the contradiction and hi is one-way.

8.3 C ONSTRUCTION BASED ON D ISCRETE L OGARITHM A SSUMPTION

We now provide a construction of a hash function that is based on the discrete logarithm
assumption:
Given a group G such that g ∈ G is a generator, and |G| = q where q is a prime number,
we define the hash function as follows:
• Gen(n): Sample r ← Z∗q , and set h = g r . Output i = h.
• Evaluate(h, x): Parse x as (x0 ||x1 ) (it must hold that x0 , x1 ∈ Zq ). Output g x0 hx1 ∈ G.
Note that in this construction h is sampled uniformly at random from G and g x0 hx1 clearly
can be computed in polynomial time. Since g x0 hx1 ∈ G, the size of the output is log(p)
where p = 2q + 1 (p is the Sophie-Germain prime). Since x = x0 ||x1 , where x0 , x1 ∈ Zq , the
size of the input is 2log(q). Thus, the construction compresses the input to roughly half of
its length.
Now we prove the collision resistance of this construction. Suppose there exists
an adversary A who can output x = (x0 , x1 ) and x0 = (x00 , x01 ) such that (x0 , x1 ) 6=
0 0
(x00 , x01 ) AND g x0 hx1 = g x0 hx1 with some noticeable probability. Then, we can construct
adversary B which is able to compute the discrete log of h with a noticeable probability as
follows:
MAC AND HASH FUNCTIONS 59

1. Take h as input.
2. Execute A on h to get x = (x0 , x1 ) and x0 = (x00 , x01 ).
x0 −x00
3. Compute the discrete log as follows: r = x01 −x1 (mod q)
Intuitively, after executing A, we get x = (x0 , x1 ) and x0 = (x00 , x01 ) such that with notice-
able probability x 6= x0 and the following holds:
0 0
g x0 hx1 = g x0 hx1
0 0
g (x0 +rx1 ) mod q = g (x0 +rx1 ) mod q
(x0 + rx1 ) mod q = (x00 + rx01 ) mod q
x −x0
Note that if x1 6= x01 , r = x00 −x10 (mod q) is not a division by zero. Thus, since A can find
1
x and x0 with noticeable probability, B can compute the discrete log of h with noticeable
probability, which is a contradiction to the discrete logarithm assumption.

8.3.1 Better compression functions?


An interesting question is: Can we achieve better compression rates? The answer is yes,
and we can provide a construction similar to the one discussed above:
• Gen(n): Sample r1 , ..., rk ∈ Z∗q , and set hm = g rm for 1 ≤ m ≤ k
• Evaluate((g, h1 , · · · , hk ), x): Parse x as (x0 , x1 , ..., xk ). Output g x0 hx1 1 hx2 2 ...hxkk ∈ G.
Now we get a hash function which input is very long but the output is rather short and
belongs to G.

8.4 F URTHER T HOUGHTS

There are generally three security goals for the authentication methods including Hash,
MAC and digital signature:
• Integrity: Can the recipient be confident that the message has not been modified?
• Authentication: Can the recipient be confident that the message originates from the
sender?
• Non-repudiation: If the recipient passes the message and the proof to a third party,
can the third party be confident that the message originated from the sender?
It is also important to note that if the recipient and the sender share a secret key, the
message authentication code method we discussed in this chapter can fulfil the first and
second requirements. Unfortunately, it does not achieve non-repudiation. Digital signa-
tures can fulfil all three requirements, but require asymmetric keys to implement. We will
discuss how digital signatures work in the following chapter.
Digital Signatures

A Digital Signature scheme differs from the Message Authentication Code (MAC) intro-
duced in the previous lecture by having a pair of public and secrete key, instead of a single
(secrete) key. As a consequence, while only the holder of the secrete key can generate a
valid signature, everyone can use the public key to verify a signature.
We now give the formal definition of a digital signature scheme:
Definition 47 (Digital Signature). A Digital Signature scheme consists of the following three
PPT algorithms:
• (pk, sk) ← Gen(n). The PPT key generation algorithm Gen takes as input a security
parameter n and outputs a public key pk and a secret key sk.
• σ ← Sign(sk, m). The PPT signing algorithm Sign takes as input a secret key sk and
a message mk and outputs a signature σ.
• b ← V erif y(pk, m, σ). The PT algorithm V erif y takes as input a public key pk, a
message mk, and a signature σ, and outputs “1” if the signature is valid, and “0”
otherwise.
A Digital Signature scheme must be correct and secure:
Definition 48 (Correctness of Digital Signature). For all messages m the following holds:

Pr[V erif y(pk, σ, m) = 1 : (pk, sk) ← Gen(n), σ ← Sign(sk, m)] = 1

i.e. The V erif y(·) algorithm always outputs 1 if σ is a valid signature.


Definition 49 (Security of Digital Signature (Unforgeability)). For all PPT adversaries A,
the chances of winning in the following forging game are negligible:

Pr[A wins] ≤ negl(n)

Forging Game The game is played between a challenger C and an adversary A as follows:
• (Keygen): C samples a key pair (pk, sk) ← Gen(n), and sends pk to A.
• (Learning): for 1 ≤ i ≤ l = poly(n), A sends a message mi to C and receives σi =
Sign(sk, mi ).
• (Guessing): A outputs (m, σ) and wins if m 6∈ {m1 , ..., ml }, and V erif y(pk, m, σ) = 1.
Note that in the “Learning” phase of the forging game, the adversary A can choose mi
adaptively, after seeing σj for all j < i.

60
DIGITAL SIGNATURES 61

9.1 O NE - TIME S IGNATURES

We first start with a weaker scheme, called the One-time Signatures shown by Diffie and
Hellman 7 in their famous paper “New Directions in Cryptography”. This scheme is secure
if and only if the adversary A queries at most one message in the “Learning” phase of the
forging game. This scheme only assumes the existence of One-way Functions (OWF).

Definition 50 (Construction of One-time Signatures). Suppose f is a OWF, and a message


m has length k. The one-time signature scheme is constructed by
$
• Gen(n): samples k pairs of random strings x10 , x11 , . . . , xk0 , xk1 ← {0, 1}n , and com-
putes ybi = f (xib ) for all b = {0, 1}, i = 1, . . . , k. The algorithm outputs

y0 = f (x10 ) y02 = f (x20 ) . . . y0k = f (xk0 ) x0 x20 . . . xk0


  1   1 
pk = , sk =
y11 = f (x11 ) y12 = f (x21 ) . . . y1k = f (xk1 ) x11 x21 . . . xk1

• Sign(sk, m): selects the random strings in sk according to the bits of m, and outputs
the selected strings as the signature σ:

σ = (x1m[1] , x2m[2] , . . . , xkm[k] ),

where m[i] denotes the ith bit of m.


• V erif y(pk, m, σ): parse σ as σ = (x1 , ..., xk ), and compare y i = f (xi ) with ym[i]
i
for
all i = 1, . . . , k. If all checks pass, output 1. Otherwise, output 0.
Intuitively, the security of this one-time signature scheme relies on the fact that given
only ybi = f (xib ) in the public key, it’s hard to invert f and find out xib . If an adversary is to
forge a signature for a new message, he needs to invert at least one such string, and thus
break the security of OWF.
To prove the security of this scheme, we first need define the weaker (one-time) security
notion that we want to prove.

Definition 51 (Security of One-time Signatures). A challenger C and an adversary A play


the following forging game:
• (Keygen): C samples a key pair (pk, sk) ← Gen(n), and sends pk to A.
• (Learning): A sends a single message m to C and receives σ = Sign(sk, m).
• (Guessing): A outputs (m0 , σ 0 ) and wins if m 6= m0 , and V erif y(pk, m0 , σ 0 ) = 1.
For all PPT adversaries A, the chance of winning the forging game is negligible:

Pr[A wins] ≤ negl(n)

And we now prove the following theorem.

Theorem 19. The above construction of Gen(·), Sign(·), and V erif y(·) satisfies the One-
time Signature security notion.
7 they credit it to Leslie Lamport
DIGITAL SIGNATURES 62

Proof. Suppose there exists PPT adversary A that wins the forging game with non-
negligible probability . We construct B that is able to invert f with non-negligible proba-
bility as follows:
$ $
• B takes input y, picks at random b ← {0, 1}, j ← {1, . . . , k}, and sets ybj = y. For all
0 $ 0 0
other b0 ∈ {0, 1}, j 0 ∈ {1, . . . , k}, B samples xjb0 ← {0, 1}k , and sets ybj0 = f (xbb0 ).
0
• B uses ybj as well as all ybj0 to construct pk, and sends pk to A.
• Upon receiving a query m from A: If m[j] = b, then abort. Otherwise, B creates a
valid signature σ following the construction of Sign(·), and sends σ to A.
• Upon receiving m0 , σ 0 from A: If m0 [j] = m[j], then abort. Otherwise, B parses
σ 0 = (x1 , . . . , xk ), and outputs xj .
The intuition is that in a lucky event, B creates a valid signature without needing to find
xjb such that f (xjb ) = ybj = y, while A returns a valid signature that contains such an xjb .
The probability of B aborting in step 3 is exactly 21 , as b is chosen at random. If A succeeds
in producing a valid pair m0 , σ 0 such that m0 6= m, then m0 , m differs by at least 1 bit. The
probability that m0 [j] 6= m[j] is at least k1 as j is chosen at random. Note that these three
events are clearly independent. The overall probability of B inverting f on y is

Pr[m[j] 6= b] Pr[A succeeds] Pr[m0 [j] 6= m[j]] =
2k

9.2 S IGNING L ONGER M ESSAGES

The first weakness of the One-time Signature scheme is that the key sizes are linear in the
message sizes, and also linear to the security parameter. To be able to sign longer messages,
we make the additional assumption that Collision Resistant Hash Functions (CRHF) exists.
Given a CRHF family hi : {0, 1}∗ → {0, 1}k , we construct the following improved
algorithms longSign(·), and longV erif y(·), that takes in arbitrary (polynomial in k) size
messages.
• Sign(sk, h(m)) ← longSign(sk, m, h)
• V erif y(pk, h(m), σ) ← longV erif y(pk, m, σ, h)
Where Sign(·), V erif y(·) are as defined in the One-time Signature scheme, and h is a
collision resistant hash function. We omit a detailed proof of its security, and provide a
brief sketch instead:
Proof. (sketch) Suppose a PPT algorithm A sees m, σ, pk, and outputs m0 , σ 0 , where m0 6= m,
and longV erif y(pk, m0 , σ 0 , h) = 1. Then one of the following happened:
• h(m0 ) = h(m), and we have found a collision.
• h(m0 ) 6= h(m), and we have broken the security of Sign(·).
DIGITAL SIGNATURES 63

9.3 S IGNING M ULTIPLE M ESSAGES

Here is a simple idea that allows to extend the One-time Signature scheme for signing
multiple messages: as a part of each signature, we also sign the next public key we will
use. However, in the original scheme, signing a public key of size k would require a longer
key of size at least 2k, assuming the outputs of f are just single bits. For the idea to make
sense, we need to assume the existence of a CRHF family hi : {0, 1}∗ → {0, 1}k as in the
previous section. We also need to keep a counter, hence the modified scheme is a stateful
one.
We construct the new scheme as follows:
• (pk 1 , sk 1 ) ← Gen(n). (the same as original.)
• Sign(sk i , m, h, i):
First, generate a new pair of keys (pk i+1 , sk i+1 ) ← Gen(n), and compute m0i =
h(mi ||pi+1 i
k ). Next, generate σi using sk following the original construction (i.e., gen-
erate 2k random strings, and select k of them according to the bits of m0 ). Finally,
output σi0 = (σ1 , σ2 , . . . , σi , (m1 ||p2k ), . . . , (mi ||pi+1
k ))
• V erif y(pk 1 , mi , i, σi0 ):
First, parse σi0 = (σ1 , . . . , σi , (m1 ||p2k ), . . . , (mi ||pi+1
k ). Next, verify σj and
h(mj ||pk j+1 ) with pk j for all j = 1, . . . , i, following the original construction. If
all checks pass, then output 1. Otherwise, output 0.
The security of this scheme similarly relies on the security of CRHF and that of the original
scheme. We omit a detailed proof.
Note that the signature size is linear in the number of messages we have signed. In-
stead of signing the next pk in each signature, and using a chain-like structure to establish
security, there exists improved schemes that sign the next 2 pk ’s, and use a tree-like struc-
ture to establish security. In such schemes, the signature size is only logarithmic in the
number of message we have signed.

9.4 A N RSA B ASED S CHEME

The schemes introduced in the previous sections have the advantages of only assuming the
existence of a generic OWF and CRHF, but unfortunately suffer from their large overheads.
In practice, more efficient constructions are used. One such construction is bases on the
RSA assumption. We first show an intuitive attempt to construct such a scheme using
only the RSA assumption, that unfortunately is not secure. Then, we provide the secure
construction.
Definition 52 (RSA Digital Signature, Insecure). The three algorithms Gen(·), Sign(·),
V erif y(·) are constructed as follows.
$
• Gen(n): Sample p, q ← Pn , where Pn are primes of length n, compute N = pq, and

compute e, d ∈ Zφ(N ) such that ed ≡ 1 mod φ(N ). Output (pk = (e, N ), sk = (d, N )).

• Sign(sk, m): Output σ = md mod N .


• V erif y(pk, σ, m): Compare σ e mod N with m. If they are equal, output 1. Other-
wise, output 0.
DIGITAL SIGNATURES 64

As mentioned above, this scheme is insecure. A simple attack exploits the homomor-
phic nature of the RSA function:
Given (m1 , σ1 = md1 mod N ) and (m2 , σ2 = md2 mod N ), we can easily compute (m =
m1 m2 , σ = (σ1 σ2 ) mod N = (m1 m2 )d mod N ). Clearly, σ is a valid signature of m.
To get around this issue, we require another assumption: the existence of a so-called
Random Oracle H, which behaves like an exponentially large random table. For each
query x, H(x) simply looks up the address x and returns the corresponding random string.
Note that H is deterministic, and H(x) always returns the same string for same x. Now,
we show a secure construction based on the RSA assumption:
Definition 53 (RSA Digital Signature, Secure). The three algorithms Gen(·), Sign(·),
V erif y(·) are constructed as follows.
$ ∗
• Gen(n): Sample p, q ← Pn , compute N = pq, and compute e, d ∈ Zφ(N ) such that
ed ≡ 1 mod φ(N ). Output (pk = (e, N ), sk = (d, N )).
• Sign(sk, m, H): Output σ = H(m)d mod N .
• V erif y(pk, σ, m, H): Compare σ e mod N with H(m). If they are equal, output 1.
Otherwise, output 0.
Although we omit a full proof of security of the above construction, we illustrate the
use of H for getting around the homomorphic issue in the previous attack:
Given (m1 , σ1 = H(m1 )d mod N ), and (m2 , σ2 = H(m2 )d mod N ), σ = σ1 σ2 =
(H(m1 )H(m2 ))d is not necessarily equal to H(m1 m2 )d . Hence, in general, σ is not a valid
signature of m = m1 m2 . In fact, the probability of forging a message m0 with σ (i.e. finding
m0 such that H(m0 ) = H(m1 )H(m2 )) is negligible (s denotes the output length of H):

1
∀m1 , m2 Pr[H(m3 ) = H(m1 )H(m2 )] = = negl(s)
2s
Remark 20. A true Random Oracle cannot exist in practice. However, assuming a Random
Oracle enables many efficient and secure constructions. In practice, random oracles are
approximated by carefully designed and tested hash functions, such as SHA-256. This is
called the “Random Oracle Heuristic”.
Another technicality is that H(m) may not be in Z∗N . We can solve this issue by com-
puting H(m||i) for i = 1, 2, ... until H(m||i) is in Z∗N .
How to Share a Secret
Suppose Alice is the CEO of a small company and she would like to scale up the operations
by renting some cloud storage. However, she is wary of storing all of the confidential
data on a single cloud provider. She decides to distribute the data across multiple cloud
providers. Suppose she decides to use 10 different cloud providers. Intuitively, she could
store the first 10% of the data on the first cloud provider, the second 10% on the second
cloud provider and so on. Unfortunately, this is not a very good idea because in this case
every individual cloud provider can still recover 10% of the original data. Is there a way
for Alice to store the data such that no information is leaked?
What Alice is looking for is a cryptographic primitive called a secret sharing scheme. Such
a primitive would allow Alice to compute n shares from a secret s such that no information
about s would be leaked if someone got access to any n − 1 shares. At the same time, the
secret s can be recovered if someone has access to all the n shares. We will now formally
define this primitive.
Definition 54 (n-of-n secret sharing). An n-of-n secret sharing scheme consists of the follow-
ing two algorithms:
1. (s1 , s2 , . . . , sn ) ← Share(s) : The PPT sharing algorithm takes as input a secret s, and
outputs n shares of the secret.
2. s ← Reconstruct(s1 , s2 , . . . , sn ) : The PPT reconstruction algorithm takes as input n
secret shares, and reconstructs the corresponding secret.
Every n-of-n secret sharing scheme must satisfy the following two properties:
1. Correctness: For all secrets s, the following holds:

Pr[Reconstruct(s1 , . . . sn ) = s : (s1 , . . . , sn ) ← Share(s)] = 1

In other words, if the shares are computed using the Share algorithm, then the
Reconstruct algorithm must be able to recover the original secret with probability
one.
2. Security: For all secrets s, s0 , and for all sets I such that I ⊆ {1, . . . , n} and |I| ≤ n−1,
the following holds:

{(si )i∈I : (s1 , . . . , sn ) ← Share(s)} ≈c {(si )i∈I : (s1 , . . . , sn ) ← Share(s0 )}

Informally, this means that if an adversary has only up to n − 1 shares, then he has
no information about the secret.

65
SECRET SHARING 66

10.1 C ONSTRUCTION OF A SECRET SHARING SCHEME

We will now construct an n-of-n secret sharing scheme. We define the scheme
hShare, Reconstructi as follows.
• Share(s): For i ∈ {1, . . . , n − 1}, sample si ← U|s| . Set sn ← s ⊕ s1 ⊕ . . . ⊕ sn−1 . Output
(s1 , . . . , sn ).
• Reconstruct(s1 , . . . , sn ): Output s ← s1 ⊕ . . . ⊕ sn .
Correctness: follows from the fact that sn is the XOR of the first n − 1 shares and the
secret s itself.
Security: Let s be a secret. Suppose I ⊆ {1, . . . , n} and |I| = n − 1. Let (Si )i∈I denote the
random variable representing the shares which are the output of Share(s) restricted to the
index set I in the random experiment. Now, we will calculate the probability that these
shares are equal to some particular sequence of shares (si )i∈I . The following probability
calculations hold for any secret s and sequence of shares (si )i∈I . We consider two cases:
Case 1: n ∈
/ I. Since |I| = n − 1, it means that I = {1, . . . , n − 1}.

Pr[(Si )i∈I = (si )i∈I : S1 . . . Sn ← Share(s)]


= Pr[S1 = s1 , S2 = s2 , . . . , Sn−1 = sn−1 : S1 . . . Sn ← Share(s)]
n−1
Y
= Pr[Si = si : S1 . . . Sn ← Share(s)] (Since S1 , . . . , Sn−1 are independent)
i=1
n−1
Y 1
= (Since s1 , . . . , sn−1 are sampled uniformly at random)
i=1
2|s|
1
=
2|s|(n−1)
SECRET SHARING 67

Case 2: n ∈ I. Since |I| = n − 1, ∃k s.t. k ∈


/ I. WLOG suppose k = 1. Then, I = {2, . . . , n}.
Pr[(Si )i∈I = (si )i∈I : S1 . . . Sn ← Share(s)]
= Pr[S2 = s2 , S3 = s3 , . . . , Sn = sn : S1 . . . Sn ← Share(s)]
n−2
Y 1
= · Pr[Sn = sn : S2 = s2 , . . . , Sn−1 = sn−1 , S1 . . . Sn ← Share(s)]
i=1
2|s|
n−2
Y 1
= · Pr[s ⊕ S1 ⊕ . . . ⊕ Sn−1 = sn : S2 = s2 , . . . , Sn−1 = sn−1 , S1 . . . Sn ← Share(s)]
i=1
2|s|
n−2
Y 1
= · Pr[S1 = sn ⊕ s ⊕ S2 ⊕ . . . ⊕ Sn−1 : S2 = s2 , . . . , Sn−1 = sn−1 , S1 . . . Sn ← Share(s)]
i=1
2|s|
n−2
Y 1
= · Pr[S1 = sn ⊕ s ⊕ S2 ⊕ . . . ⊕ Sn−1 : S1 . . . Sn ← Share(s)]
i=1
2|s|
(Since S1 is independent of S2 , . . . , Sn−1 )
n−2
Y 1 1
= ·
i=1
2|s| 2|s|
1
=
2|s|(n−1)
Therefore, for all secrets s, s0 , and all index sets I ⊆ {1, . . . , n} such that |I| = n − 1, the
following holds:
Pr[(Si )i∈I = (si )i∈I : s1 . . . sn ← Share(s)] = Pr[(Si )i∈I = (si )i∈I : s1 . . . sn ← Share(s0 )]
Therefore,
{(si )i∈I : s1 , . . . , sn ← Share(s)} ≡ {(si )i∈I : s1 , . . . , sn ← Share(s0 )}
Note that these two distributions are equivalent and we did not use any unproven
cryptographic assumptions in the construction. In other words, this secret sharing scheme
is secure even if P = NP.
One drawback of this particular scheme is that the length of each share is equal to the
length of the secret itself. Coming back to our motivating example, if Alice wanted to store
a 1 GB file on different cloud providers, she would have to generate n different shares,
each of size 1 GB and upload them to the cloud. Clearly, this is not very useful in practice.
A natural question to ask is the following: Can we do better? Can the length of each share
be strictly less than the size of the secret?
If we want the two distributions to be identical like in the construction above, then the
answer is no. However, we can have such a scheme if we just want the distributions to be
computationally indistinguishable. In the following, we give the outline of such a construc-
tion. Specifically, given a SKE (Gen, Enc, Dec), we show how to build a secret sharing
scheme using the SKE as a black box:
• Share(s): Set k ← Gen(·), c ← Enc(k, s). Then, using the sharing algorithm defined
in Section 10.1, compute (k1 , . . . , kn ) ← Share(k). For i ∈ {1, . . . , n − 1}, set si ← ki .
Set sn ← kn ||c. Output (s1 , . . . , sn ).
SECRET SHARING 68

• Reconstruct(s1 , . . . , sn ): Interpret sn = kn ||c. Then, using the reconstruction algo-


rithm defined in Section 10.1, compute k ← Reconstruct(s1 , . . . , sn−1 , kn ). Output
s ← Dec(k, c).

10.2 t- OF -n SECRET SHARING SCHEMES

The secret sharing schemes that we have seen so far all require that we have access to all
the n shares of the secret if we want to reconstruct the secret. However, suppose that Alice
would like to still be able to reconstruct the secret even if some of the cloud providers are
down, and she can only get a subset of the shares. Is such a scheme possible? We will now
formally define this problem.
Definition 55 (t-of-n secret sharing). An t-of-n secret sharing scheme consists of the following
two algorithms:
1. (s1 , s2 , . . . , sn ) ← Share(s) : The PPT sharing algorithm takes as input a secret s, and
outputs n shares of the secret.
2. s ← Reconstruct(I, (si )i∈I ) : The PPT reconstruction algorithm takes as input |I| se-
cret shares, and reconstructs the corresponding secret if |I| ≥ t. Otherwise, the algo-
rithm returns ⊥.
Every t-of-n secret sharing scheme must satisfy the following two properties:
1. Correctness: For all secrets s and all sets I ⊆ {1, . . . n} such that |I| ≥ t, the following
holds:
Pr[Reconstruct(I, (si )i∈I ) = s : (s1 , . . . , sn ) ← Share(s)] = 1

2. Security: For all secrets s, s0 , and for all sets I such that I ⊆ {1, . . . , n} and |I| ≤ t − 1,
the following holds:

{(si )i∈I : s1 , . . . , sn ← Share(s)} ≈c {(si )i∈I : s1 , . . . , sn ← Share(s0 )}

Informally, this means that if an adversary has any t − 1 shares, then they have no in-
formation about the secret. On the other hand, any t shares can be used to reconstruct
the secret.
How do we construct such a scheme? A natural attempt is to extend the n-of-n secret
sharing scheme that we constructed earlier. The basic idea is to make sure that any t-subset
of the n secrets can be combined to reconstruct s. One way to do this is to use a t-of-t secret
sharing scheme as follows:
• Share(s): For all subsets I = {n1 , . . . , nt } ⊆ {1, . . . , n} of size t, using the t-of-t
sharing algorithm defined in Section 10.1, compute (sIn1 , . . . sInt ) ← Share(s). For
0
all i ∈ {1, . . . , n}, set si to be the concatenation of all sIi s.t. i ∈ I 0 .
Clearly, any t-subset of shares can be used to reconstruct s because we used t-of-t se-
cret sharing scheme for every subset. When t is a constant, this scheme takes poly(n)  time.
However, in the general case, this algorithm runs in exponential time. Since nt ≥ ( nt )t ,
when t = n/2, we can see that the running time of the algorithm is at least Ω(2n/2 ). There-
fore, this is not a valid t-of-n secret sharing scheme.
SECRET SHARING 69

10.2.1 Shamir’s Secret Sharing


Adi Shamir constructed a t-of-n secret sharing scheme in 1979. This scheme relies on some
properties of the polynomials, which we will now recall. We assume that everything is
computed (mod p) where p is prime.
1. Define: A degree d polynomial f (x) = ad xd + ad−1 xd−1 + . . . + a0 with ad 6= 0 can
be defined by choosing d + 1 points. One possibility is for example to simply pick
f (1), f (2), . . . , f (d + 1) ∈ {0, 1, . . . p − 1}.
2. Interpolate: Any t = d + 1 points are enough to compute a degree d polynomial f (x)
for any x. Given {xi , f (xi )}ti=1 , f (x0 ) = `1 (x0 )f (x1 ) +Q`2 (x0 )f (x2 ) + . . . + `t (x0 )f (xt ),
where `j (x) is a Lagrange coefficient given by `j (x) = i6=j xx−x i
j −xi
.
3. No Interpolation (Informal property): Given any t − 1 points, every other point is
“perfectly hidden”.
Shamir’s secret sharing scheme uses the above properties of polynomials to construct
a t-of-n sharing scheme.
• Share(s): Define a polynomial f of degree d = t − 1 as follows: f (0) = s, and
$
f (i) ←
− Fp for i ∈ {1, . . . t − 1}. Now, for i ∈ {1, . . . n}, set si ← f (i).
• Reconstruct(I, (si )i∈I ): If |I| < t, output ⊥. Otherwise we have at least
Pt = d + 1
points and can use these points to reconstruct f (0). Output f (0) = i∈I `i (0)si ,
where i ∈ I.
Correctness: Correctness follows from the interpolation property of polynomials.
Security: Suppose I ⊆ {1, . . . , n} and |I| = t − 1. Let (Si )i∈I denote the random variable
representing the shares which are the output of Share(s) restricted to the index set I in the
random experiment. Now, we will calculate the probability that these shares are equal to
some particular sequence of shares (si )i∈I . The following probability calculations hold for
any secret s and sequence of shares (si )i∈I . In the following, Interpolate(·) takes as input t
shares (points on the polynomial) and a desired index j and outputs the value of the j-th
share.

Pr[(Si )i∈I = (si )i∈I | S1 . . . Sn ← Share(s)]


= Pr[(Si )i∈I = (si )i∈I ∧ (Sj )∀j = Interpolate((i, Si )i∈I , j) | S1 . . . Sn ← Share(s)]
= Pr[(Si )i∈I = (si )i∈I ∧ (Sj )j<t = Interpolate((i, Si )i∈I , j) ∧ (Sj )j≥t = Interpolate((i, Si )i∈I , j) | S1 . . . Sn ← Share(s)]
≤ Pr[(Sj )j<t = Interpolate((i, Si )i∈I ) | S1 . . . Sn ← Share(s)] (Pr[A ∧ B] ≤ Pr[A])
t−1
Y
= Pr[Si = Interpolate((i, Si )i∈I ) | S1 . . . Sn ← Share(s)] (Since S1 , . . . , St−1 are independent)
i=1
t−1
Y 1
= (Since S1 , . . . , St−1 are sampled uniformly randomly)
i=1
p
1
=
pt−1
SECRET SHARING 70

Now, suppose that there is some sequence of shares (si )i∈I such that the above proba-
1
bility is strictly less than pt−1 . Then, we have the following:
X
Pr[(Si )i∈I = (si )i∈I | S1 . . . Sn ← Share(s)]
(si )i∈I
X 1
<
pt−1
(si )i∈I
1
= pt−1
pt−1
=1

But the total probability must be equal to 1. Therefore, for all secrets s and for all shares
(si )i∈I , we have
1
Pr[(Si )i∈I = (si )i∈I | S1 . . . Sn ← Share(s)] =
pt−1
Therefore,

{(si )i∈I : s1 , . . . , sn ← Share(s)} ≡ {(si )i∈I : s1 , . . . , sn ← Share(s0 )}

Thus, the scheme is secure. Note that we again did not assume any unproven crypto-
graphic assumptions. In particular, Shamir’s secret sharing scheme works even if P = NP.
Remark 21. There also exist variations of t-of-n secret sharing schemes where each party
may have a different weight. In this case, if the sum of the weights of the parties in a
particular subset exceeds a threshold, then the secret can be recovered. Another variation
is one in which some particular subsets are explicitly authorized. In this scenario, there is a
monotone boolean function8 that is true when the input subset is authorized to reconstruct
or not.

10.3 T HRESHOLD PKE (t- OF -n)

A secret sharing scheme is a one-time process. However, it has a limitation. Once the
secret is reconstructed, it is not a secret anymore. We can generalize this concept to what
is known as a threshold PKE. Such a scheme could be used in a situation where Alice
decides to distribute the partial secret keys to a group of people in her company. Then,
any group of t people would be able to decrypt the ciphertext without revealing their
secret key shares. The same partial keys could be reused to decrypt other ciphertexts in
the future.
Definition 56 (Threshold PKE). A threshold PKE scheme consists of the following four PPT
algorithms:
• Gen(κ): the generation algorithm takes as input a security parameter κ, and outputs
a public key pk and secret key shares sk1 , . . . skn .
8A monotone function f is a function such that if A1 ⊆ A2 , then f (A1 ) =⇒ f (A2 ).
SECRET SHARING 71

• Enc(pk, m): the encryption algorithm takes as input a public key pk and a message
m, and outputs a ciphertext c.
• P Dec(ski , c): the partial decryption algorithm takes as input a secret key share ski
and a ciphertext c, and outputs a share mi .
• Recover(I, (mi )i∈I ): the recovery algorithm takes as input an index set I and a se-
quence of shares (mi )i∈I . If |I| < t, output ⊥, else output m.
Any threshold PKE scheme must satisfy the following two properties:
1. Correctness: for all messages m, and all sets I ⊆ {1, . . . n} such that |I| = t, the
following holds:

Pr[Recover(I, (mi )i∈I ) = m : (pk, sk1 , . . . skn ) ← Gen, c = Enc(pk, m), mi = P Dec(ski , c)] = 1

2. Security: for all message m0 , m1 , all sets I ⊆ {1, . . . n} such that |I| ≤ t − 1, the
following holds:

{(c, pk, (ski )i∈I ) : (pk, sk1 , . . . skn ) ← Gen, c = Enc(pk, m0 )} ≈c


{(c, pk, (ski )i∈I ) : (pk, sk1 , . . . skn ) ← Gen, c = Enc(pk, m1 )}

We can construct a t-of-n PKE using any regular PKE (Gen, Enc, Dec) and any t-of-n
secret sharing scheme as a black box as follows:
• Gen(κ): Generate (pki , ski ) ← Gen(κ) for 1 ≤ i ≤ n. Set pk = pk1 ||pk2 || . . . ||pkn .
Output (pk, sk1 , . . . , skn ).
• Enc(pk, m): Using the t-of-n sharing scheme, get (s1 , . . . sn ) ← Share(m). Set
ci ← Enc(pki , si ) for all i ∈ {1, . . . n}. Output c = c1 ||c2 || . . . ||cn .
• P Dec(ski , c): Interpret c = t1 ||t2 || . . . ||tn . Output mi ← (Dec(ski , ti )).
• Recover(I, (mi )i∈I ): If |I| ≤ t − 1, output ⊥. Otherwise, we have |I| ≥ t. Output
m ← Reconstruct(I, (mi )i∈I ) using the t-of-n sharing scheme.

10.3.1 Threshold PKE based on El-Gamal PKE


This construction is based on El-Gamal’s PKE. Suppose we have a prime-order multiplica-
tive group G with a generator g. Then, using El-Gamal PKE and Shamir’s secret sharing
scheme, we have the following threshold PKE:
$
• Gen(κ): Sample x ← Z∗q . Set pk ← g x . Set (sk1 . . . skn ) ← Share(x) using Shamir
secret sharing. Output (pk, sk1 . . . skn ).
$
• Enc(pk, m): Sample r ← Z∗q . Output c = (g r , pk r · m).
• P Dec(ski , c): Parse c as (c1 , c2 ). Output mi ← (csk
1 , c2 ).
i

• Recover(I, (mi )i∈AP ): Parse each mi as (ci1 , c2 ) (note that all c2 are equal). Compute
r ski li (0)
i li (0)
= g rx . Compute y ← g −rx . Output m ← c2 y.
Q
i∈I (c1 ) =g i∈I

One advantage of this scheme is that during encryption, Alice doesn’t have to change any-
thing and she can simply encrypt using El-Gamal PKE as if she were not using a threshold
PKE. Then later at any point of time, she can compute the shares of the secret key and use
this as a Threshold PKE.
The idea used in the recovery algorithm is known as interpolation in the exponent. e
Blockchains
11.1 B ITCOIN H ISTORY

In 2008, a person under the pseudonym Satoshi Nakamoto published a paper Bitcoin: A
Peer-to-Peer Electronic Cash System. Bitcoin software was released in January 2009 and the
mining of the Bitcoin cryptocurrentcy officially started. The genesis block included the
“The Times” headline: “Chancellor on brink of second bailout for banks”. The article was
about the state of the British financial system following the 2007–2008 financial crisis, and
many believe that this is a hint to the purpose of Bitcoin: to create a more stable financial
system. Satoshi Nakamoto vanished from the digital space shortly after releasing the code
for Bitcoin, and it is unknown who this person (or possibly a group of people) is. The first
known commercial transaction using bitcoin happened in 2010 - two pizzas were bought
for 10000 bitcoin.

11.2 B LOCKCHAIN AS A PUBLIC LEDGER

Blockchain can be viewed as a public ledger, where a block is one page of the ledger.
Anyone can write to the ledger, and the ledger is append-only. Data recorded on the ledger
is typically referred to as transactions. The process of finding the next block to append to
the existing ledger is called mining.

11.2.1 Single Miner


For simplicity, assume that there is only one miner M , whose public- and secret key
is (pk, sk). Let Ii be the data to be written on the next block (the next page on
the public ledger). B0 represents the genesis block. To find the next block Bi+1 =
(hi+2 , Ii+1 , pk, ni+1 )9 , miner M needs to do the following:
· · · 0} XX · · · X, set hi+2 = H(hi+1 , Ii+1 , pk, ni+1 ).
• Find ni+1 s.t H(hi+1 , Ii+1 , pk, ni+1 ) = |000{z
k
Here ni is referred to as nonce, and k is the parameter that tunes the difficulty of mining
the block. H is a hash function (SHA-256 in Bitcoin). Bi is the i-th block. The data Ii that
the miner wants to include in the new block contains newly generated transactions.
Intuitively, the mining process can be described as the miner trying different nonce val-
ues until the resulting hash satisfies the requirement that the first k bits of the hash output
are 0. The mining requirement is also referred to as Proof-of-Work (PoW) requirement. With
the random oracle assumption, Pr[M successful in a single attempt] is approximately 21k .
Once a nonce that satisfies the mining requirement was found, we say the new block Bi+1
9 Note that hi+1 denotes the hash of the block Bi , it is used in the computation of the block Bi+1 .

72
BLOCKCHAINS 73

was mined. Then, the miner can repeat the process to mine the next block Bi+2 by finding
ni+2 such that H(hi+2 , Ii+2 , pk, ni+2 ) is of the required form. Thus, each block is linked by
hash to the previous block and this way a chain of blocks is formed.

11.2.2 Multiple miners


In the case of multiple miners, miners try to mine new blocks independently. If one miner
is successful in mining the block, it broadcasts the newly found block Bi+1 to the rest of
the miners. Other miners then check that Bi+1 is indeed valid. The check consists of the
following:
• The hash included in Bi+1 satisfies the Proof-of-Work requirement: it starts with k
zeroes, and is a valid hash of hi+1 , transactions Ii+1 , public key pk, and nonce ni+1 .
• The data Ii+1 contains valid transactions.
If the new block is indeed valid, other miners restart to mine Bi+2 based on Bi+1 . However,
with multiple miners, the following issues arise:
Issue 1: blockchain forks
Due to the network delay for block propagation, there may be two independent min-
ers who found two valid blocks roughly at the same time, Bi and Bi0 . This is called a
blockchain fork. Bitcoin adopts the following rules to resolve a fork:
1. Longest chain is the right chain.
2. First received chain is the right chain (to break ties that may arise in rule 1).
When a fork happens as shown in Figure 1, some of the miners receive Bi first, while others
receive Bi0 first. This is totally fine. The first group of miners continues mining the next
block based on Bi , the second group works on Bi0 . Eventually one miner will find the next
block. Suppose this miner is from the group working on Bi (shown in Figure 2). Then, all
miners switch to mine on Bi+1 as the branch represented by Bi+1 is longer than the one
represented by Bi0 now.

Figure 1: Blockchain fork

Issue 2: dishonest miners


As we will discuss later, miners currently receive a certain amount of Bitcoins as a reward
for mining a new block. In the previous example, when all miners switch to mine new
BLOCKCHAINS 74

Figure 2: Resolving forks

blocks based on block Bi+1 , the old block Bi0 is discarded. Suppose the miner that mined
Bi0 does not want to loose the mining reward. Then this miner has the incentive to not
follow the standard rules to resolve fork. Instead, that miner can try to keep mining on Bi0 .
If he is lucky enough and mines the next few blocks based on Bi0 faster than other miners
mine blocks on Bi+1 , there is a chance that other miners will later switch back to the branch
that contains the block Bi0 if it becomes the longest branch. Once that happens, the blocks
Bi , Bi+1 , and their associated reward are discarded.
The probability of mining the next block is proportional to the computing power of
the miner. In Bitcoin we assume that more than 50% of computing power is controlled by
honest miners. Honest miners are those that strictly follow the prescribed rules for mining
and validating blocks, while dishonest miners don’t. With this fundamental 50% assump-
tion, the probability that dishonest miners win a fork is less than that of the honest miners.
However, there is still a non-zero probability that the dishonest miners can invalidate any-
thing in the existing blockchain. A rule of thumb is to wait for 1 hour before a transaction
is treated as final.

11.2.3 Infanticide
Some large stake holders in Bitcoin network do not want alternative cryptocurrencies to
survive (the Bitcoin price would probably decrease if less people would use Bitcoin). For
this reason, miners from the Bitcoin network sometimes perform a 50% attack on newer
cryptocurrencies to destroy them. Typically, a large group of Bitcoin miners has a lot of
computing power and can thus easily generate longer chains in the newer cryptocurren-
cies. People eventually loose confidence in the new cryptocurrency. This is called infanti-
cide.

11.3 C RYPTOCURRENCY BUILT ON PUBLIC LEDGER

11.3.1 Creation of Bitcoin


Bitcoin is created whenever a new block is mined. Reward for mining a new block is
halved every 4 years, and by 2040 no new Bitcoins will be rewarded. Then, the incentive
for the miners will come solely from collecting transaction fees inside a block. This design
favors the early adopters of Bitcoin as it is much harder to gain Bitcoins as time goes. This
is regarded as one of the key reasons that make Bitcoin successful.
BLOCKCHAINS 75

11.3.2 State and transactions


The reward of mining a new block is associated with the public key of the miner. Bitcoin
system tracks how many Bitcoins a public key has. The state that records this information
is called UTxOs, and it can be constructed by scanning the whole blockchain and keeping
track of how many bitcoins each public key has received or sent. Bitcoins can be transferred
from one public key to another. The transactions very roughly are of the following form:

Signski (pki x
−−coins
−−→ pkj )
Essentially, it is a record showing that the public key pki is sending x coins to the public
key pkj . The record is signed by the secret key ski . Since only the holder of the secret
key ski can generate this transaction, the coins associated with pki can only be spent by
its true owner. Other miners check the validity of this transaction. The check includes the
following:
1. Signature is valid.
2. pki has enough coins to send.
The first can be checked directly using the public key pki , the second can be checked
against the Bitcoin system state, ie., the UTxOs. If both checks go through, the miners
will add this transaction to their Ii statement and try to mine the next block using Ii . In-
tuitively, the miner who includes this transaction in the next block will get a transaction
fee from pki . The holder of pki chooses the reward amount up front, and a higher amount
typically results in a better chance of inclusion in the next block.

11.3.3 Weak anonymity


Bitcoin only provides weak anonymity. While people can perform transactions using pub-
lic keys, and their real identities are hidden, the transaction graph itself as shown in Fig-
ure 3 is public and can be accessed by anyone. This graph can provide valuable informa-
tion. For example, if you know that pk2 is owned by Alice, then you can infer that pk3 is
controlled by Bob as you know that in real life Alice and Bob recently have transacted with
each other. The inferred identity may not be perfectly accurate every time, but intuitively
this is still information that you should not be able to gain. There exist alternative cryp-
tocurrencies like Zcash, that are designed to hide the transaction graph. We will give more
details on Zcash when we discuss zero-knowledge proofs.

11.3.4 Rate control


Recall that there exist a parameter k that can tune the difficulty of mining a new block.
Bitcoin sets the mining difficulty such that on average one block is mined every 10 minutes.
As the total computing power of Bitcoin miners increases, the difficulty parameter is also
increased. More specifically, this parameter is automatically adjusted by code rather than
any central authority.

11.3.5 Mining pools


It is quite difficult for individual miners to mine a block. It is even possible that a sin-
gle miner never mines a block. To smooth out mining rewards and make them more
predictable, individual miners can join large mining pools, where a set of miners share
rewards with each other. A mining pool has a pool manager, with a public key pkm . All
BLOCKCHAINS 76

Figure 3: Transaction graph

miners in the pool mine blocks using this same key. Once a block is mined, the reward
goes to the pool manager, and the manager then distributes the reward to its pool mem-
bers according to a certain formula. The pool manager also makes sure that all its pool
members are indeed contributing to the mining process. This is achieved by having all
pool members submit the so-called proof of partial work:

· · · 0} XX · · · X
H(hi , Ii , pkm , n) = |000{z
k−

 is set such that it is easy enough for each individual miner to successfully find a nonce
that satisfies the partial requirement. Also the hash does not satisfy the Proof-of-Work
requirement for mining the new block, it can only show to the pool manager that this
miner is indeed contributing its computing power. Indeed, note that a partial proof of
work is useless to a single miner - as long as  > 0, it does not satisfy the Proof-of-Work
requirement that is needed to collect the reward (and even if  = 0, the public key used in
the computation is the public key of the manager). The only purpose of such proof is to
show to the manager how much effort you are putting in, and the reward that you get is
proportional to this effort.

11.4 A PPLICATIONS BUILT ON TOP OF B ITCOIN AND THE B LOCKCHAIN

There are many applications that can be built on top of Bitcoin and the Blockchain. In this
section, we will enumerate a few examples of such applications:
• Bitcoin scripting language The Bitcoin scripting language enables custom transac-
tions based on certain criteria being met (which could occur in the future). Examples
of potential transactions enabled by the scripting language include:
1. “A will transfer 1 BTC to anyone who publishes the value f −1 (y), where f is a
hard-to-invert function". Note that if no one is ever able to satisfy the condition
by publishing the value f −1 (y), then no one ever gets this 1 BTC and it is even
lost by A. To prevent such scenarios, a time bound is put in the transactions.
So, a more realistic transaction would be -“A will transfer 1 BTC to anyone
who publishes the value f −1 (y) in the next 7 days, where f is a hard-to-invert
function".
BLOCKCHAINS 77

2. "A will transfer 1 BTC to B if B publishes a signed statement that ’B will ship
a TV to A’." Note that the transfer is automatic - if the condition is satisfied, the
transfer can not be stopped by A.
3. "A will transfer 1 BTC to a script being run at a particular address".
Typically, the script at this address will be run by a miner (who will be suitably
rewarded for running the script). Possible use cases for such scripts include
rent-collection, subscriptions, etc. These are examples of the so-called smart
contracts.
• Smart Assets Smart Assets are either a virtual representation of a physical asset, or
some virtual goods, such as an equity share. Examples of smart assets include:
1. Gold-backed cryptocurrency coins
The basic idea is that each coin represents a value of gold (e.g. 1 coin represents
1 gram of gold). The value of gold is stored by a trusted third-party custodian
and can be traded with other coin holders. Such coins can be used in smart
contracts, and the hope is that this approach would reduce volatility in coin
value (since the coins are backed by gold, the value of which is relatively more
stable).
2. Virtual representations of real-world goods
The basic idea is that real-world goods, such as shipping insurance, land
records, etc. are represented as abstract assets (using virtual currency tokens)
on the blockchain. These abstract assets act as a public record of ownership (us-
ing a mechanism similar to that used to represent Bitcoin ownership) and can
be transferred between owners securely and safely.

11.5 I NFORMATION V ERIFICATION ON THE B LOCKCHAIN - M ERKLE TREES

Recall that each blockchain block contains Ii – the set of transactions. This set can get
pretty big, so it seems advantageous to somehow shorten it so that not everyone has to
download all transactions whenever only one particular transaction needs to be verified.
The first naive idea would be to set Ii to be the hash all of the transactions. Ii would indeed
become shorter. However, verification would still be difficult because we would still need
to know all transactions in order to hash them and then verify the signature.
Merkle trees provide a solution to this problem. The key idea behind Merkle trees is to
arrange messages as the leaf nodes of a tree, and then repeatedly hash pairs of nodes, until
there is only one hash left at the root of the tree. Then, this root hash is signed.
Assume m2 is the message whose signature needs to be verified. For verification, we
need the signature, as well as the hashes of the siblings at every level. Referring to Figure 4,
we need the signature σ, as well as the hashes of the siblings at every level, i.e. H(m1 ),
H(H(m3 ), H(m4 )). Using m2 and the hashes of the siblings, we can generate the hash at
the root, H(H(H(m1 ), H(m2 )), H(H(m3 ), H(m4 ))) which can then be verified against the
signature σ using the public key.
Now, note the following:
• By signing the root, all messages are effectively signed.
• Size of the signature is of the order log(n), where n is the number of messages.
BLOCKCHAINS 78

Figure 4: Merkle Trees. Image source: https://en.wikipedia.org/wiki/Merkle_


tree

Note that this construction has a very nice feature: a transaction can be verified simply by
downloading all blocks (which are now small since Ii ’s are small), and a single path in the
Merkle tree.
Security. Intuitively, security relies on the Collision Resistance of the hash functions
used as well as on the security of the signature scheme used: suppose the adversary gen-
erates a message m0 , say, in place of message m2 as shown in the figure. Given this new
message, and the original siblings at every level, the adversary must be able to generate
the same hash at the root. Doing so will require the root hash generated with the new
message to be the same as those generated using the old message, which is ruled out by
the collision resistance property of the hash functions used.
Properties.
1. Able to sign messages as a block.
2. Enables light weight verification on low-memory devices such as mobile devices.

Usage in Bitcoin
Merkle trees are used for lightweight verification of transactions in Bitcoin. To verify a
transactions in a block, one doesn’t need to download all the transactions in the block.
One can instead just download the hashes going down a particular branch of the Merkle
tree and compute the hashes all the way to the root.

11.6 L IMITATIONS OF B ITCOIN

Bitcoins have several limitations including:


1. Transactions are not instantaneous.
BLOCKCHAINS 79

2. Wastage of computational resources.


Bitcoin uses Proof of Work as the mechanism for validation, which consumes a lot
of resources. As a solution, we can use alternate energy-efficient validation mecha-
nisms, such as:
• Proof of Stake: Voting power is proportional to stake amount held by the miner
(as opposed to computation power).
• Proof of Storage: Voting power is proportional to storage.
3. Scalability
Based on the current block sizes and mining rates, Bitcoin can process 7 transactions
per second. In comparison, Visa can process > 5000 transactions per second.
4. Usability (Can be better)
Bitcoin is completely decentralized and while this is great for network security, it
presents a lot of usability issues. In the Fiat Money system, a bank takes care of any
issues arising with one’s bank account, making the system very usable. No such
structure exists in the Bitcoin world, one is responsible for one’s own wallet and
consequentially one’s secret key. No reversals exist as a feature of the network.
5. Anonymity
The Bitcoin network makes all transactions between public keys visible. A user
on the network participates in a transaction by using a public key, a cryptographic
pseudonym. One can track users in a number of ways, from tracking payments to
monitoring one’s IP address related to transactions.
Moreover, here are some further considerations that could be problematic in some scenar-
ios:
Government Intervention and Regulations. Governments remain a big threat to the
future of the Bitcoin network as they have various tools at their disposal to halt the Bitcoin
network. For eg. Due to a reservoir of funds at their disposal, governments can potentially
launch a 51% attack against the Bitcoin network. Governments control the monetary policy
of their respective country, and crytpocurrencies like Bitcoin are a direct threat to that. So,
the adoption and regulation of Bitcoin in most countries is still up in the air.
Quantum Computers. Quantum computers pose a real threat to all Proof-of-Work
blockchains like Ethereum and Bitcoin as they are extremely powerful and can be used to
launch a 51% attack against blockchain networks. The threat is a while away though and
a solution is being thought through.

11.7 T YPES OF FORKS IN B ITCOIN

Sometimes, the code of the blockchain needs to be changed. This can be due to e.g., new
features introduced to the blockchain, or fixing some issues. In such cases, the code need
to be permanently changed and a single blockchain splits into multiple forks. We typically
distinguish between the following two categories:
1. Soft forks
Soft forks are backward compatible means of upgrading software on the nodes of
the blockchain. Here, miners that did not upgrade are still able to verify transactions
and validate new blocks. However, the blocks that such miners mine will be rejected.
BLOCKCHAINS 80

Examples of soft forks 10 include:


• BIP 66: A soft fork on Bitcoin’s signature validation.
• P2SH: A soft fork that enabled multi-signature addresses in Bitcoin’s network.
2. Hard forks
Hard forks are non-backward compatible means of upgrading software on nodes
of the blockchain, where the original and forked chain run different software and
rules, which are not compatible with each other. Blocks mined on one chain are not
compatible with the other chain, and the miners that did not upgrade are not able to
validate new transactions.

Examples of hard forks 11 include:


• Ethereum’s Byzantium: Represents a planned multi-phase upgrade of Ethereum’s
blockchain base to deliver features such as better scalability and integration of
private transactions.
• Monero hard fork: Represents an upgrade to Monero network to implement a
feature called Ring Confidential Transactions (RCT) to improve privacy and se-
curity.

11.8 P ROOF - OF -S TAKE B LOCKCHAINS

A proof of-work system is very expensive, since its mining process requires the user to
solve hard-to-compute mathematical problems (such as inverting hash functions), and
miners solve these problems using their own computer’s computational power. This re-
sults in a huge amount of electricity being used. This is true especially in Bitcoin, where the
mining difficulty only increases as more miners join the network and mine more Bitcoin.
1
Currently, Bitcoin mining uses about 400 of the world’s electricity. Over a year, Bitcoin’s
power consumption amounts to roughly the same consumption as Switzerland.
To circumvent these high energy costs, an alternative system called Proof-of-Stake was
introduced, first implemented in Peercoin in 2012. In proof-of-stake, the next miner is
chosen through a pseudo-random process based on the potential miner’s amount of coin
(his ”stake”). In contrast, proof-of-work chooses the next miner as the one who first solves
the computationally hard problem. Since proof-of-stake chooses the next miner based on
his amount of coins rather than computing power, more individuals are incentivized to
join the network, leading to more decentralization.

11.8.1 Highlevel idea


A Proof-of-Stake protocol assigns a probability score to each miner and then chooses the
miner with the highest score to mine the next block. This score is proportional to the
product:
rpk · cpk
where pk is the public key of the miner, rpk is a randomly generated number for the
miner with the public key pk (different schemes of generation will be defined), and cpk
10 https://masterthecrypto.com/guide-to-forks-hard-fork-soft-fork/
11 https://masterthecrypto.com/guide-to-forks-hard-fork-soft-fork/
BLOCKCHAINS 81

is the amount of coin that pk owns. The inclusion of the random number prevents new
blocks from exclusively being mined by the wealthiest users.
In practice, instead of a single miner, a group of the miners that have the highest prob-
ability scores is chosen. This deals with the problem of offline miners.

11.8.2 Generating rpk


Before we explain how the random parameter rpk is generated, we consider a few straight-
forward, but insecure solutions.
1. Miner with pk chooses rpk
Any adversary can choose a high rpk and guarantee being chosen as the next miner. Thus,
this scheme is insecure.
For the remaining schemes, let H(·) be a deterministic hash function which is used to
generate the miners’ random numbers, rpk .
2. rpk,i+1 = H(Bi , pk)
Let Bi be the i-th and latest block which is not yet mined. B0 is the genesis block. Suppose
that the miner mining Bi has the public key pkm and is dishonest. He can just keep com-
puting H(Bi , pkm ) for different values of Bi and searching for the one Bi that gives a high
rpk for the next block. Thus if you mine a block, you have an unfair advantage in the next
block. Note that miners have some degree of freedom in deciding the block which they
are mining since they can decide which transaction to include. Thus, this scheme is also
insecure.
3. rpk,i+1 = H(i, pk)
Let i be the index of the latest block. Unlike the previous scheme, an adversary can just
choose several public keys and compute their random numbers. Then he can transfer all
his coins to whichever public key gives the highest rpk . This is known as a prediction
attack.
winner
4. rpk,i+1 = H(rpk,i , pk)
Assume that an adversary knows all the public keys currently in the system as well as
winner
rpk,i , which is the random number of the latest block’s winner. He can compute the
random number for each public key for every future block. Then he will transfer funds to
the public key that gives the maximum rpk . This is known as a semi-predictable attack.
Finally, we consider the following proposal:
winner
5. rpk,i+1 = H(sign(rpk,i ), pk)
Assume that when a miner mines Bi , he signs his winning random number, and broadcasts
that signature. Now we distinguish the case where the miner is an honest party from the
case where the miner is an adversarial party and provide an intuitive explanation as to
why this scheme is secure.
If he is an honest party, then the broadcasted signature is unpredictable to an adversary.
Also, the random number is not computable for any public key without knowing this
signature.
Otherwise, if the miner is an adversarial party, then he can compute hash outputs of any
public key. But it is also too late for the adversary to create new public keys and transfer
BLOCKCHAINS 82

funds to the best one. Here, the random number is based on the sequence of miners who
mined the previous blocks. However, to calculate the hash function, the signature must be
generated, which can only be done by the miner who holds the corresponding signature
key. Thus, intuitively, the random number is hard to predict and this scheme is secure.

11.8.3 Posterior Corruptions in Proof-of-Stake Blockchains

Figure 5: Posterior corruptions in PoS blockchains

One of the limitations of the above idea is that it suffers from posterior corruptions.
For instance, say that in Figure 5 when block Bi is published, a set S has majority of stake.
Next, suppose that the set S sells all of their stake in block Bi+1 to someone to avail their
services. After doing so, S becomes corrupt and creates a fork from node Bi and publishes
0 0
a block Bi+1 where they don’t sell all of their stake. Therefore, in the fork containing Bi+1 ,
S still has majority stake. The only problem is that this fork isn’t the longest chain at this
point of time. But, because S has the majority stake, they will get more opportunities to
publish blocks on the forked chain. Thus, they can go on to publish enough blocks so
that the forked chain becomes the longest. Once this happens, the forked chain becomes
longest and accepted by everyone. Hence, S is able to recover the money they already
spent. This is similar to double spending in Bitcoin, except that waiting for k more blocks
to get published won’t provide strong enough guarantee that a transaction will remain on
the longest chain. This is a non-trivial problem to solve and has complex solutions beyond
the scope of this course.

11.9 E XISTING P ROPOSALS TO S OLVE POW S CALABILITY I SSUES

The Bitcoin blockchain was designed such that new blocks are created at an average of
every ten minutes. Typically, you would wait for a transaction to be about 6 blocks deep to
make sure it really stays on the blockchain, meaning that about an hour is needed to spend
the Bitcoin.
At first, it seems natural to simply increase the block size to solve the scalability issues.
Unfortunately, if we increase the block size to hold more transactions, the new larger blocks
take longer to propagate, allowing more miners to compute the new blocks by themselves.
This leads to an increased number of forks and conflicts between blocks, resulting in the
network being more vulnerable to attacks.
BLOCKCHAINS 83

Similarly, if we decrease the (average) time after which a new block is mined, effectively
increasing the rate of information being added to the blockchain, we will again increase
the number of forks in the chain. This could make it easier for a malicious miner to attack
the network with less than 50% hash power.

11.9.1 GHOST: Greedy Heaviest Observed Subtree


The GHOST protocol is an innovation first introduced by Yonatan Sompolinsky and Aviv
Zohar in December 2013 to solve the scalability issue plaguing a lot of the proof of work
based blockchains. The Ethereum blockchain implements a simplified version of GHOST
which only goes down seven levels.
GHOST is a proof-of-work protocol similar to Bitcoin’s, except that the main branch of
the blockchain is chosen differently. Bitcoin follows a longest chain consensus rule, where
the correct chain is the longest chain containing the most amount of total work. GHOST
instead follows the path of the subtree with the most amount of total work, rather than
a chained linked list. The advantage of GHOST over the usual Bitcoin protocol is that
changing the block size doesn’t compromise the security of the network.
GHOST is a recursive algorithm implemented as follows:
Let B0 be the genesis block.
1. Look at all of Bi ’s subtrees, pick the heaviest computation subtree (the one with the
most nodes).
2. If heaviest subtrees have equal weights, pick the one received first.

Problems with GHOST. Unfortunately, GHOST does not solve all issues. In some cases
miners and mining pools can exploit the protocol to gain better rewards than their fair
share:
1. Miners better connected to the network can gain rewards larger than their fair share.
2. Using the selfish mining strategy, small miners can deliberately add more forks to
the network by keeping their blocks created private. This can enable them to create
a private chain with a significant lead over the honest public chain.

11.9.2 Inclusive Blockchain Protocols


Motivation. The problem with present proof of work blockchains like Bitcoin is that the
network security is compromised with high throughput. It’s a trade-off between security
and throughput. We need a protocol where the protocol security imposes no bottleneck to
the throughput of the network. The network will be secure under all throughput parame-
ters and the limitations of the network will be the infrastructure supporting the network.
This will bring more/faster transactions on the main chain.

SPECTRE
Spectre was proposed by Yoad Lewenberg, Yonatan Sompolinsky, and Aviv Zohar in 2016
to solve the throughput vs security trade-off. The authors describe a DAG (Directed
Acyclic Graph)-based permissionless, distributed ledger that aims to maintain high re-
silience to attackers while enabling high throughput through the network.
Bitcoin has a hash function that considers only the previous block to form the next
one, enabling the chain. Spectre allows several past blocks in its hash function which
BLOCKCHAINS 84

might have been created in parallel and be conflicting. The conflicts might include double-
spending, where A tries to send money to B, and the same money to C, trying to bamboozle
the network. However, this approach allows miners to create blocks concurrently and
much more frequently as the nodes do not need to align their world view of the graph at
the time of block creation.
Bitcoin’s longest-chain rule can viewed as a voting mechanism. When conflicts in the
chain occur, the nodes vote at the time of the next block’s creation on which block they
choose. This inhibits higher levels of throughput without disrupting the security of the
network. SPECTRE employs a voting mechanism where the next block can safely vote on
a conflicting previous block without making the miner align their world view at the time of
the next block’s creation. So, blocks are then voters and due to the design of SPECTRE, the
majority vote becomes irreversible very quickly. Using the majority vote one can extract
all accepted (non-conflicted) transactions easily.

The voting process to resolve conflicts is as follows:.


• For a pair of blocks a and b in conflict, determine whether a defeats b (represented as
a < b), or b defeats a (represented as b < a). Here a < b, or a defeats b, means that a
is before in the order of precedence than b.
• Release a set of accepted transactions to the network. Accepted transactions in block
a are the ones which have defeated all conflicts and have all inputs accepted.

Properties of SPECTRE.

Consistency. Transactions are accepted if and only if the block wins the majority vote in a
conflict and if all its inputs are accepted.

Safety. If a transaction is accepted by a node, then it is accepted by all nodes with a very
high probability.

Weak Liveness. A transaction without any conflicts will be accepted by the main chain in
the DAG very quickly.
Zero-Knowledge Proofs

12.1 I NTRODUCTION

A zero-knowledge protocol is an interaction between two parties (say Peggy and Victor) that
allows Peggy to convince Victor that some statement is true without revealing anything
but the veracity of the statement. The critical part about this informal definition is the fact
that Peggy does not reveal any extra knowledge: it would be trivial for Peggy to convince
Victor that she has the knowledge by simply giving it to him. However, the point of a
zero-knowledge protocol is that Victor is convinced that the statement is true but gains no
additional information.
For example, suppose Peggy wishes to prove to Victor that there exists (x1 , . . . , x6 ) ∈
{0, 1}6 such that (x1 ∨¬x2 ∨x3 )∧(¬x4 ∨x5 ∨¬x6 ) = 1. This is an example of a 3-Satisfiability
problem. Of course, she could just send the assignment of (x1 , . . . , x6 ) to Victor but in this
case, Victor learns more than whether there exists an assignment. All we want Victor
to learn is the existence of an assignment. While initially this might seem impossible,
zero-knowledge proofs were introduced in Goldwasser, Micali, and Rackoff’s paper "The
Knowledge Complexity of Interactive Proof-Systems". In the following, we will describe a
zero-knowledge protocol for the graph isomorphism problem.

12.2 F ORMAL D EFINITION

Definition 57. Let L be a language, let x be a statement for which we are trying to prove
x ∈ L, and let w be a witness to x ∈ L. A zero-knowledge protocol (P, V ) for L consists of
the following interactive probabilistic polynomial-time stateful algorithms P and V :
• P (x, w, mVi ): Outputs mP V
i+1 where we set m0 = ⊥.
• V (x, mP V
i ): Outputs mi . At the end of the protocol, V outputs either Accept or
Reject.
which satisfy the following properties:
1. (Completeness) Suppose w is a valid witness for statement x, the prover P , and the
verifier V are honest. Then, V will always output Accept.
/ L. For all PPT provers P ∗ that use such x, if V interacts with
2. (Soundness) Suppose x ∈

P , then V will output Reject with probability at least p. We call p the soundness
parameter.
3. (Zero-Knowledge) Suppose x ∈ L. For all PPT verifiers V ∗ , there exists an expected
PPT simulator S such that S(x, V ∗ ) outputs a transcript τsim ≈c τreal where τreal is
the transcript between an honest prover P and V ∗ .

85
ZERO-KNOWLEDGE PROOFS 86

Intuitively, P and V send messages between each other. The ith message of P is mP i
and the ith message of V is mVi . After this interaction the verifier outputs Accept if it
believes x ∈ L, and Reject otherwise. The sequence of messages exchanged between the
prover and verifier is called the transcript τ .
Completeness guarantees that the verifier believes the prover if x ∈ L and both parties
act honestly. Soundness implies that if x ∈/ L, then no dishonest prover can cause V to out-
put Accept with probability greater than 1 − p. Zero-knowledge implies that no dishonest
verifier will learn anything from the interaction, besides the statement itself. Any knowl-
edge in τreal (i.e. any knowledge that V ∗ can learn from) must also be present in τsim since
τsim ≈c τreal . Since S does not take w as an input, τsim contains no information on w. Note
that we only guarantee that a simulator exists if x ∈ L.
Given the zero-knowledge property, we might believe that the prover could simply run
the simulator when interacting with the verifier. However, note the simulator has the code
of the verifier and it is free to stop and rewind the verifier when creating its transcript.
The prover cannot do this. For example, suppose Peggy wishes to convince Victor that she
can make a fair coin land on heads 100 times in a row. With an interactive protocol, she
might flip the coin, show Victor the result, and then repeat this 100 times. The simulator,
on the other hand, can be thought of as a video recording. The video may show Peggy
flipping 100 heads, but the video could have easily been edited. Peggy could have flipped
the coin many times until she got 100 heads and then deleted the footage of all the flips
that resulted in tails.
So far, we have been talking about the computational zero-knowledge proofs. If we require
that the distribution of τsim and τreal are equal, then we have perfect zero-knowledge. On the
other hand, if we require that τsim and τreal be statistically close, then we have statistical
zero-knowledge.

12.3 Z ERO -K NOWLEDGE G RAPH I SOMORPHISM

In this section we give the example of a zero-knowledge protocol for the graph isomor-
phism problem.

12.3.1 Graph Isomorphism Problem Definition


Two graphs, G0 = (V0 , E0 ) and G1 = (V1 , E1 ) are isomorphic if and only if there exists a
permutation π of V1 such that (i, j) ∈ E0 ⇔ (π(i), π(j)) ∈ E1 . Less formally, two graphs
G0 and G1 are isomorphic if renaming the vertices in G0 gives you G1 and vice versa.
We denote isomorphic graphs as G0 ≈ G1 , and non-isomorphic graphs as G0 6≈ G1 . The
problem of deciding whether two graphs are isomorphic is not known to be in P nor is it
known if it is N P -complete.
Before we go over a zero-knowledge protocol for graph isomorphism, we provide the
following two facts:
1. If G0 6≈ G1 , then for any G such that G ≈ G0 , G 6≈ G1 . Moreover, graph isomorphism
is an equivalence relation, meaning that it is reflexive, symmetric and transitive.
2. Suppose G0 ≈ G1 . Let P be the group of permutations on these graphs. Then

{π(G0 ) : π ← P} = {π(G1 ) : π ← P},


ZERO-KNOWLEDGE PROOFS 87

12.3.2 Zero-Knowledge for Graph Isomorphism Protocol


The following is a ZK-protocol for the graph isomorphism problem. Both parties P and V
share two graphs G0 and G1 . P also has a witness π, which is a permutation of G0 such
that π(G0 ) = G1 .
1. P chooses a random permutation σ ∈ P. It sends G = σ(G0 ) to V .
2. V chooses a random bit b and sends this to P .
3. If b = 0, P sends k = σ to V . Otherwise it sends k = σ ◦ π −1 .
4. V checks if k(Gb ) = G. If so, it outputs Accept. Otherwise, it outputs Reject.
Completeness. Assume that G0 ≈ G1 and π is a valid witness for this. The point of our
protocol is that V selects either G0 or G1 and P must prove that that graph is isomorphic
to G. Since, by construction, G ≈ G0 , we know that G ≈ G1 . If b = 0, then V will receive
k = σ and can easily verify k(Gb ) = σ(G0 ) = G (i.e. G0 ≈ G). If b = 1, then V will receive
k ◦ π −1 and can easily verify k(Gb ) = σ ◦ π −1 (G1 ) = σ(G0 ) = G (i.e. G1 ≈ G). Thus in
either case, it outputs Accept.
Soundness. Suppose G0 6≈ G1 . For all graphs G, G 6≈ G0 or G 6≈ G1 (or G is not
isomorphic to either). If this weren’t true (i.e. G ≈ G0 and G ≈ G1 ) then we would
conclude G0 ≈ G1 . In other words, there exists b0 ∈ {0, 1} such that G 6≈ Gb0 . With
probability 0.5, b = b0 , where b is the random bit that V chose in Step 2 of the protocol. If
b0 = b = 0, then G 6≈ G0 . As specified by the protocol, P ∗ can send some permutation σ 0
to V . Note that if the two graphs are not isomorphic, there exists no permutation σ ∗ such
that G = σ ∗ (G0 ). V will see that σ 0 (Gb ) = σ 0 (G0 ) 6= G and output Reject. Similarly, if
b0 = b = 1, then G 6≈ G1 and when P ∗ sends some permutation σ 00 to V , V will see that
σ 00 (Gb ) = σ 00 (G1 ) 6= G and output Reject.
Thus, whenever b0 = b, V outputs Reject. This occurs with probability 0.5 meaning
that in general, V rejects with probability at least 0.5. Therefore, our protocol is sound with
soundness parameter 0.5.
Zero-Knowledge. To show this property, for any verifier V ∗ , we construct a PPT sim-
ulator S((G0 , G1 ), V ∗ ) that outputs a transcript that is computationally indistinguishable
from the real transcript. Before we show the correct construction, we briefly discuss a naive
incorrect attempt.

Incorrect Simulator
Recall that S only has access to G0 , G1 and V ∗ , but not the witness π. The simulator
works as follows:
1. S generates a random permutation φ and random bit b0 . It sets G = φ(Gb0 ).
2. S generates bit b at random.
3. If b = b0 send φ. Otherwise, erase the transcript and repeat from Step 1.
4. Output Accept. Return the transcript.
Note that in the actual protocol, if b = 0, then k = σ defines an isomorphism between
G and G0 . When b = 1 then k = σ ◦ π −1 defines an isomorphism beteween G and G1 .
Similarly, in our simulator, when b0 = b = 0, φ defines an isomorphism between G and G0 .
When b0 = b = 1, φ describes an isomorphism between G and G1 . Intuitively, Step 3 of our
simulator is correct.
ZERO-KNOWLEDGE PROOFS 88

In the actual protocol σ is chosen randomly and in our simulator φ is chosen randomly.
Thus, by property 2 above, σ(G0 ) is indistinguishable from φ(Gb0 ) (note that for any graph
G0 , G0 ≈ G0 ). Thus, Step 1 in our simulator is correct.
However, Steps 2 and 4 pose a problem. For Step 2, an honest verifier chooses b at
random which our simulator indeed simulates. However, our simulator must work for
dishonest verifiers and a dishonest verifier can choose b however it wishes. So we need
to modify our simulator to choose b with the same prbability that V ∗ does. Recall that S
takes in V ∗ as an input. Therefore, we can simply run V ∗ to get b. Similarly, in Step 4, an
honest verifier would always output Accept if x ∈ L, but a dishonest verifier might not.
Thus in Step 4, we feed φ to the V ∗ we are running which will return Accept or Reject.
We will then output whatever this V ∗ returns.

Correct Simulator
1. S generates a random permutation φ and random bit b0 . It sets G = φ(Gb0 ).
2. S runs V ∗ and sends G to V ∗ . V ∗ returns b to S.
3. If b = b0 send φ to the V ∗ we are running. Otherwise, erase the transcript and repeat
from Step 1.
4. V ∗ will return Accept or Reject. Output whichever V ∗ returns and return the
transcript.

12.4 A MPLIFYING S OUNDNESS

The soundness parameter of a zero-knowledge protocol is essentially the probability that


a dishonest prover can convince the verifier that x ∈ L when in fact it’s not. A soundness
parameter of 1 implies that the verifier always outputs Reject when x ∈ / L. We would
like the soundness of our protocol to be as close to 1 as possible. In this section, we explain
how to amplify a protocol soundness.
Suppose a zero-knowledge protocol has soundness parameter p. If we perform k trials
of the protocol, then the following must hold:

/ L] ≤ (1 − p)k
Pr[V outputs Accept all k times | x ∈

Thus, to achieve a soundness of 1−, we can run the protocol log1−p  times. If any of these
trials output Reject, then we know x ∈ / L with probability 1.
The completeness of our new repeated protocol follows immediately from the com-
pleteness of the one-round protocol. Note that the protocol must be repeated in its entirety.
Suppose that in the graph isomorphism zero-knowledge protocol, we kept the same σ be-
tween runs. Then in some run V could get b = 0 and find σ. In another run, it could get
b = 1 and find σ ◦ π −1 . Given these two permutations, it would be trivial for the verifier to
calculate π, thus breaking the zero-knowledge property.
Additionally, suppose that our simulator for the repeated protocol was as following:
1.1 S generates a random permutation φ[1] and random bit b0 [1]. It sets G = φ[1](Gb0 [1] )
1.2 S runs V ∗ and sends G to V ∗ . V ∗ returns b[1] to S.
1.3 If b[1] = b0 [1], send φ[1] to the V ∗ we are running. Otherwise, erase the transcript and
repeat from Step 1.1.
ZERO-KNOWLEDGE PROOFS 89

2.1 S generates a random permutation φ[2] and random bit b0 [2]. It sets G = φ[2](Gb0 [2] )
2.2 S runs V ∗ and sends G to V ∗ . V ∗ returns b[2] to S.
2.3 If b[2] = b0 [2], send φ[2] to the V ∗ we are running. Otherwise, erase the transcript and
repeat from Step 1.1.
..
.
k.1 S generates a random permutation φ[k] and random bit b0 [k]. It sets G = φ[k](Gb0 [k] )
k.2 S runs V ∗ and sends G to V ∗ . V ∗ returns b[k] to S.
k.3 If b[k] = b0 [k], send φ[k] to the V ∗ we are running. Otherwise, erase the transcript and
repeat from Step 1.1.
k+1.1 V ∗ will return Accept or Reject. Output whichever V ∗ returns and return the
transcript.
Note that it would take exponential time for this simulator to finish. This is because
the probability of b[i] = b0 [i] is 0.5 in every trial i. Thus, the probability of getting through
all the steps is 2−k . So instead of going all the way back to Step 1.1, whenever a trial fails,
the simulator should simply go back to the beginning of that particular trial. For example,
suppose on Step k.3 the simulator found b 6= b0 . Then instead of going back to Step 1.1, it
should simply go back to Step k.1.
There is a subtlety to this, however. The algorithm V ∗ is stateful. Therefore, if we
restart a trial, V ∗ can still remember what occured during that failed trial. To mitigate this,
we use an idea called rewinding. At the beginning of each trial, we save the state of V ∗ . If
we need to restart that trial, we simply restore V ∗ to that saved state.

Z ERO -K NOWLEDGE FOR G RAPH 3-C OLORING

In the following, our goal will be to design a zero-knowledge protocol using the graph
3-coloring problem, an NP complete problem. Because all NP problems can be reduced to
the graph 3-coloring problem, we obtain an entire class of zero-knowledge protocols for
free. Before we provide the construction, we cover commitment schemes, an important
cryptographic primitive which will be used in the zero-knowledge protocol.

12.5 C OMMITMENT S CHEMES

A commitment scheme is a protocol that allows a committer to send a “locked” message,


which the receiver cannot “unlock” by itself. In the future, the committer can provide a
key to “unlock” the message, allowing the receiver to read the message while guaranteeing
that the message that the receiver will obtain is exactly the message that was locked (the
committer cannot lie about the locked message). Intuitively, it is similar to a safe: the
committer puts a message in the safe, and hands the locked safe to a receiver without the
corresponding key. At this point, the receiver cannot read the message but is guaranteed
that the committer cannot change the contents of the message. The committer can then
send the key to open the safe at any point in the future.
ZERO-KNOWLEDGE PROOFS 90

12.5.1 Definition
Formally, the protocol is separated in two stages:
1. Commit phase: Given a message m, the committer sends c = Com(m, s) for some
randomness s and for a PT algorithm Com to the receiver.
2. Decommit phase: The committer sends the pair (m, s), the receiver verifies that the
pair is indeed correct by computing Com(m, s), and comparing it with the previously
received c. If they are equal, the receiver accepts, and otherwise, the receiver rejects.
A valid commitment scheme must satisfy the following two properties:
1. Hiding: ∀(m0 , m1 ),

{Com(m0 , s) : s ← U } =c {Com(m1 , s) : s ← U }

2. Binding: ∀(m0 , m1 ) such that m0 6= m1 and ∀(s0 , s1 ),

Com(m0 , s0 ) 6= Com(m1 , s1 )

Intuitively, the hiding property establishes that the commitment does not leak any infor-
mation about the locked message. The binding property then establishes that the receiver
is guaranteed that the committer cannot send a fake (m0 , s0 ) pair with m 6= m0 and still
satisfy the equality check in the decommitment phase. Note: it may be possible to find
(m, s0 ) with s 6= s0 .
Remark 22. The binding property defined above is also known as perfect binding. A weaker
form of this is the computationally binding property, which merely establishes that it is
very difficult to find a fake (m0 , s0 ) pair with m 6= m0 that satisfies the decommitment re-
quirement. In these lecture notes, we will only use commitment schemes with the perfectly
binding property.

12.5.2 Examples
A natural attempt at constructing a commitment scheme might use encryption protocols
where the committer sends an encrypted message during the commit phase and later sends
the original message and the key in the decommit phase. However, it is not the case that
all encryption algorithms are valid commitment
L schemes. For example, consider one-time
pad: Suppose the committer sends c = m s. Then it is trivial for the committer to send
a different m0 , s0 pair such that m s = m0 s0 and m 6= m0 .
L L

El-Gamal Commitment Scheme


The El-Gamal commitment scheme, which is very similar to the El-Gamal encryption scheme,
relies on the DDH assumption. We are given a group G with order q and generator g ∈ G.
The scheme proceeds as follows:
1. Commit phase: Given a message m ∈ G, the committer generates s = (a, b) with
a, b ∈ Zq , and sends c = (g a , g b , mg ab ) to the receiver.
2. Decommit phase: The committer sends m, (a, b), and the receiver checks if c matches
(g a , g b , mg ab ).
ZERO-KNOWLEDGE PROOFS 91

Regarding the binding property, intuitively, note that the first two elements of c give us
g a , g b , which means that a, b are fixed. Therefore, g ab is fixed. Thus, m can be uniquely
computed as c(g ab )(−1) .
As for the hiding property, starting with the DDH assumption, we have:

{g a , g b , g ab } ≈c {g a , g b , g r }

Thus,
{g a , g b , mg ab } ≈c {g a , g b , mg r }
Since
{g a , g b , mg r } = {g a , g b , g r },
we get {g a , g b , mg ab } ≈c {g a , g b , g r }. The same holds for any other m0 . By the transitivity
of computational indistinguishability, we are done.
Therefore, the proposed scheme is a valid commitment scheme.

Blum Commitment Scheme


The DDH assumption is considered to be a relatively strong assumption. It would be
nice to have a commitment scheme that uses weaker assumptions. In particular, the Blum
commitment scheme only uses 1-1 OWFs:
Suppose we are given a 1-1 OWF f . Then, the commitment scheme works as follows:
1. Commit phase: Given m ∈ {0, 1}, the committerL samples s uniformly at random
from the domain of f and sends c = (f (s), m h(s)) to the receiver, with h being a
hardcore predicate of f .
2. Decommit L phase: The committer sends (m, s) and the receiver verifies that
(f (s), m h(s)) is indeed the same as c.
To show binding, we observe that given the first element of c, which is f (s), s must be
fixed because f is a 1-1 OWF. Thus, Lintuitively h(s) is fixed because h is a deterministic
function. Therefore, given (f (s), m h(s)), m is fixed.
To show hiding, we use the property of hardcore predicates that given
L f (s), h(s) is com-
putationally indistinguishable from a uniformly sampled bit. Thus, m h(s) is effectively
a one-time pad.
Remark 23. The scheme can be easily extended for the multibit case: simply run this
procedure for eachL bit. In more detail, for each bit mi a new si is sampled, and then
ci = (f (si ), mi h(si )) is computed. The committer then sends all of c0i s to the receiver.
During the decommitment L phase, the committer sends all (mi , si ) pairs, and the receiver
verifies that (f (si ), mi h(si )) is indeed the same as ci for all indices i.

12.6 Z ERO -K NOWLEDGE FOR G RAPH 3-C OLORING

We now return to designing a zero-knowledge protocol for the graph 3-coloring problem.
ZERO-KNOWLEDGE PROOFS 92

12.6.1 Graph n-Coloring Problem


In general, the n-coloring problem is an NP-complete problem that asks whether all verti-
cies of a graph can be colored using only n distinct colors, such that no two verticies that
form an edge have the same colors. Although there are polynomial time algorithms to de-
termine whether a graph is 1 and 2 colorable, there are no known algorithms to determine
whether a graph is n colorable for n ≥ 3.
In particular, a graph is 3-colorable if it can be colored using only 3 distinct colors.
There are two important facts that we will use in subsequent sections.
1. Suppose we are given some graph and its 3-coloring. By permuting the colors, we
obtain a new valid 3-coloring. Note that there are 3! = 6 possible permutations.
2. Suppose we are given some graph that is not 3-colorable. In that case, any 3-coloring
must contain at least one edge such that the two verticies that define the edge have
the same colors.

12.6.2 Construction
In the zero-knowledge proof for the graph 3-coloring problem, the prover wants to prove
that some graph G is 3-colorable (that is, there exists a witness w that 3-colors G). Of
course, this has to be done without revealing any information about the coloring w; the
prover merely wants to prove that some valid coloring exists. The protocol works as fol-
lows:
1. Given a coloring of G, the prover permutes the colors randomly to obtain a new
(valid) coloring of G. For each vertex vi in G, the prover sends ci = Com(colori , si )
to the verifier, where colori is the (new) coloring of the vertex i and si is a random
string.
2. Verifier selects a random edge (i, j) and then asks the prover to decommit the colors
on vi and vj .
3. Upon receiving the decommitments from the prover, if the received decommitments
are valid and the colors are different, the verifier accepts. Otherwise, the verifier
rejects.
Now we show that this is a valid zero-knowledge protocol:
1. Completeness: This follows from the previously established fact 1 in that permut-
ing colors in a valid 3-coloring of a graph will still yield a valid 3-coloring. Thus,
regardless of the choice of (i, j), the colors of vi and vj will be different.
2. Soundness: From fact 2, we see that there is at least one edge where the coloring
between two connected vertices will be the same if the graph is not 3-colorable (or if
the prover provides a fake-coloring). Thus, because the verifier chooses an edge at
random, and the prover is not able to change the committed colors due to the binding
property of the commitment scheme, the verifier will reject with probability at least
1
|E| .
3. Zero Knowledge: This is the most difficult part of the proof, and we will prove it
below.
To show the zero-knowledge property, we design an EPPT simulator S that has G and the
code of the verifier V ∗ . Let colors be {1, 2, 3}. Then, the simulator S works as follows:
ZERO-KNOWLEDGE PROOFS 93

1. S picks a random edge (i0 , j 0 ) and colors ki0 , kj 0 ∈ {1, 2, 3} at random such that
ki0 6= kj 0 . S then generates commitments ci for all vertices in G: if i = i0 or i = j 0 , S
commits according to the protocol; else, S simply commits zero.
2. Invoke V ∗ and provide it with the commitments for all vertices in G.
3. Upon receiving an edge (i, j) from V ∗ , S does the following: If (i, j) = (i0 , j 0 ), S
reveals the colors by decommitting ci0 and cj 0 . Otherwise, restart, and goto step 1.
First, note that S is indeed an EPPT algorithm. This is because S picks i0 , j 0 at random, and
so for any V ∗ , the probability that (i, j) = (i0 , j 0 ) is roughly |E|
1
. Therefore, S is expected to
abort roughly |E| times. The rest of the operations are in polynomial time, so the expected
runtime is |E|poly(n), which is still polynomial. Of course, this is assuming that V ∗ cannot
purposefully select i, j such that (i, j) 6= (i0 , j 0 ); we will briefly sketch a proof of this below.
Because of the hiding property of the commitment scheme, we are guaranteed that no
PPT V ∗ can tell apart ci0 and cj 0 from any of the other ck . This means that V ∗ cannot
distinguish i0 , j 0 from any other vertex just from ci for all i, meaning it cannot query S for
a particular i, j to forcibly abort S. Formally, if we are given a V ∗ such that

1
P r[(i0 , j 0 ) = (i, j)] ≥ + notice(n)
|E|

it is possible to construct a PPT A that breaks the hiding property of the commitment
scheme. Thus, S is EPPT. Now, we prove that τsim =c τreal via a hybrid argument.
• H0 : In this hybrid, the algorithm S has a valid witness w and a code of V ∗ . S runs
V ∗ , and in its interaction with V ∗ , S behaves like an honest prover: S commits to the
colors of the vertices using (permutation of) the witness w, and opens commitments
ci , cj upon receiving an edge (i, j) from V ∗ . In the end, S outputs its transcript of the
interaction with V ∗ .
• H1 : In this hybrid, the algorithm S has a valid witness w and a code of V ∗ . S runs
V ∗ , and in its interaction with V ∗ , S picks random indices i0 , j 0 and then commits
honestly to the colors of the vertices using (permutation of) the witness w. When
S receives an edge (i, j) from V ∗ , and it restarts (including restarting V ∗ ) if (i, j) 6=
(i0 , j 0 ). Otherwise, S outputs its transcript of the (last) interaction with V ∗ .
• H2 : In this hybrid, S behaves the same as H1 , except that for each vertex i such that
i 6= i0 and i 6= j 0 , S now commits zero instead of the actual vertex color.
• H3 : In this hybrid, instead of using a valid witness, S now samples two colors for i0
and j 0 such that these two colors are different, and uses these colors in the commit-
ments ci0 , cj 0 instead of the (permutation of the) actual vertex colors of vertices i and
j. Note that S does not use the witness at all anymore.
First, note that H0 = τreal and H3 = τsim . Next, we see that H0 = H1 because i0 , j 0 are
chosen at random and once (i0 , j 0 ) are equal to (i, j), the generated transcript is exactly
the same as the one in H0 . H1 =c H2 because of the hiding property of the commitment
scheme. Finally, H2 =c H3 : note that in Step 1 of the protocol, we permute the colors.
Thus, in H3 , the distribution of colors under the commitments ci0 , cj 0 does not change.
Thus, H2 =c H3 , and therefore H0 =c H3 and τsim =c τreal .
ZERO-KNOWLEDGE PROOFS 94

P V
∀i : ci [1] : =com(colori [1]) ∀i : ci [k] : =com(colori [k])

(i[1], j[1]) ... (i[k], j[k])

open (ci [1], cj [1]) open (ci [k], cj [k])

Figure 6: Protocol PcZK

12.7 A MPLIFYING S OUNDNESS - PART 2

Above, we constructed a zero-knowledge protocol for the graph 3-coloring problem with
1
the soundness parameter |E| . However, what we actually want is to get a protocol with the
soundness property close to 1. To reach this soundness, one option is to repeat the protocol
we have multiple times sequentially. This way, after repeating the protocol k times, we
1 k
achieve a soundness parameter 1 − (1 − |E| ) . However, this improvement comes at a
cost. Now, instead of a 3-round protocol, we actually have a 3k-round protocol. For the
1 k
expression 1 − (1 − |E| ) to get close to 1 in a graph with many edges, we would have
to use a very high k. Thus, we end up with a not very efficient protocol with a very high
number of rounds. So, the question is how we can change the protocol to make it more
efficient.
Idea: use parallel repetition instead of the sequential repetition!

12.7.1 Candidate protocol for Graph 3-Coloring using parallel repetition


In the parallel repetition version of the protocol, instead of computing only one permuta-
tion in the beginning, the prover computes k permutations. In the first round, the prover
commits to these k permutations. Next, the verifier sends k challenges to the prover. Fi-
nally, the prover opens the chosen k commitment pairs and the verifier accepts iff he would
have accepted in each of the k individual cases. The protocol (we will call it PcZK in the
following) is pictured in Figure 6.
We will not discuss the Soundness and the Completeness properties of the protocol.
Rather, we will directly consider the Zero Knowledge property. Interestingly, it is not
trivial to see whether or not this protocol satisfies the Zero Knowledge property. In fact, it
is still an open problem. In the following, we will try to adapt the proof of the ZK property
for the sequential composition and see where this proof fails for the parallel composition.

Attempt to design a simulator.


1. For all t, the simulator makes a guess (i0 [t], j 0 [t]) and commits to two random but
different colors in (ci0 [t], cj 0 [t]). In all other commitments, simulator puts 0.
2. For all t, the simulator gets i[t] and j[t] from V ∗ .
3. If for all t holds that (i0 [t], j 0 [t]) = (i[t], j[t]), the simulator opens all selected commit-
ments. Else, go to step 1.
ZERO-KNOWLEDGE PROOFS 95

P V
M1

M2 = H(M1 )

M3

Figure 7: Protocol PZK-FS

Note that this is almost exactly the simulator designed for the sequential version, except
that now we consider k instances of the problem in each step. The problem with this
construction is the following: it is not a PPT construction. If there are k parallel repetitions,
the probability that the simulator correctly guesses the edge in each of these repetitions is
1 k
only ( |E| ) . Thus, if k is big, this probability is very small and the simulator has to go to
step 1 very often.
Now, it is possible that for some of the k instances, the simulator guessed the edge
correctly. So, one might wonder whether the simulator could “keep" the correctly guessed
edges and only change his guess where he did not guess correctly. Let us change Step 3 of
our protocol as follows:
3. If for all t it holds that (i0 [t], j 0 [t]) = (i[t], j[t]), the simulator opens all selected com-
mitments. Else, go to step 1 and obtain a fresh guess for instances where the simula-
tor was wrong.
The hope with this idea is that after each iteration, the number of unsuccessful guesses will
be reduced and thus eventually become zero. However, this logic is incorrect: the verifier
might be computing his challenge depending on how the prover’s entire message looks
like and thus there is no guarantee that all the “correct" guesses of the prover will remain
correct after correcting one “incorrect" guess. For example, changing the first message in
the t-th iteration could result in verifier message changing in t0 6= t-th session. Thus, this
approach also does not work.

12.7.2 Fiat-Shamir-Heuristic
While it is not known whether or not the protocol we defined above is secure, this protocol
has been known for many decades now and still no one came up with an attack for it. The
general assumption is that this construction is indeed secure, and it is exactly what is used
in the Fiat-Shamir-Heuristic we will now introduce.
Observe that PcZK is a public coin protocol. This means that in the second round the
verifier is essentially simply sampling and sending a random string to the prover.
Now, if the verifier is just sending some random string, we could instead just use an
“appropriate" hash function H to do the verifier’s job for him. Here, by “appropriate" we
mean that the hash function behaves like a random oracle. This is exactly the assumption
of a so-called random oracle model. Now we are able to construct a one-round protocol in
this model. This protocol is presented in Figure 7.
ZERO-KNOWLEDGE PROOFS 96

Bulletin Board

c1 = com(s1 , r1 )
c1 = com(s2 , r2 )
..
.
ci = com(si , ri )

Figure 8: Zerocoin∗ Bulletin Board

Note that the prover “knows" that the verifier will send M2 = H(M1 ) and can just send
both M1 and M3 (according to M2 = H(M1 )) in the first message.
The completeness of this protocol is easy to see. The soundness relies on the fact that
M2 = H(M1 ) is indeed random. Zero-knowledge can be proven in the random oracle
model, but it is beyond the scope of this course.

12.7.3 NIZKs
Such protocols are known as NIZKs (non-interactive zero knowledge) in the random oracle
model. NIZKs are very useful: imagine for example a blockchain, where you want to prove
some statement to the entire world. You can not communicate with each party individually
(there are too many of them, and some are possibly not even online at the moment, but will
want to verify the statement in the future). In this setting, NIZKs are really the only option.
As mentioned in the previous lecture, Graph 3-Coloring is an NP-complete problem.
Thus, each problem in NP can be reduced to Graph 3-Coloring and hence we already have
a way to construct a non-interactive zero-knowledge proof for such problems. Note that
this may not be the most efficient solution - if you are given some problem it might be
better to design a protocol specifically for this problem rather than taking the detour using
the Graph 3-Coloring. Still, the fact that we have a solution for each problem in NP makes
the introduced solution very powerful.

12.7.4 ZK in the Context of Blockchains


We will now see an example of how zero-knowledge proofs can be used in the context of
blockchains. In the following, we will consider a simplified version of the Zerocoin system
(denoted by Zerocoin∗ ). The main goal of this system is to make all the transactions un-
linkable. In Zerocoin∗ , the participants are communicating through a bulletin board. The
idea is that since there are a lot of communication happening at the same time, it is difficult
to notice when some particular participant A is talking to some particular participant B.
We will now look into this in more detail.
In Zerocoin∗ , each coin is a commitment to some serial number si (which is just some
random number) and is depicted on the bulletin board (see Figure 8). The coins can be
spent at most once and there exists a list of the spent coins (see Figure 9). If Alice wants to
send some coin A to Bob, coin A gets destroyed and Bob receives a completely new coin
B.
ZERO-KNOWLEDGE PROOFS 97

Bulletin Board

s1
s5
..
.
sj

Figure 9: Zerocoin∗ spent coins

To initially obtain a coin in the Zerocoin∗ system, a user has to burn a Bitcoin. This
gives him the right to write one entry on the bulletin board. We will now discuss the most
interesting part: how exactly can some user (Alice) send a Zerocoin∗ ci to some other user
(Bob).
Attempt 1
1. Alice sends decommitment of ci (including si and randomness ri ) to Bob.
2. Bob creates cj .
3. Bob broadcasts cj , ci , decommitment of ci .
4. Everyone can verify that si is not on the spent coin list and that ci is a commitment
to si . If so, ci is put on the spent list and cj on the bulletin board.
Now ci has been destroyed and Bob has a new coin cj . Bob can spend cj by sending its
decommitment to another party.
The obvious problem with this approach is that everyone sees the relationship between
ci and cj and we thus do not get the desired unlinkability property – everyone is able to
track the whole movement of money.
Idea: use zero-knowledge proofs!
Attempt 2
1. Alice sends decommitment of ci (including si and ri ) to Bob.
2. Bob creates cj .
3. Bob broadcasts cj , si (but not ci , ri ) along with the following NIZK statement (de-
noted as σ in the following): ∃ci s.t. ci is a part of the bulletin board and si is the
value inside ci .
4. Everyone can verify that si is not on the spent coin list and that σ is a valid proof. If
so, si is put on the spent list and cj on the bulletin board.
Note that ci is hidden in Attempt 2 (because of the zero-knowledge property of the
used proof). Furthermore, note that the statement in Step 3 is indeed an NP statement (can
be proved by giving a short witness). In our case, we could prove the statement by giving
the witness w = (ci , si , ri ), where ri denotes the randomness used in the computation of ci .
The verifier could then check that ci is on the bulletin board and ci is indeed a commitment
to si when using the randomness ri .
One possible attack on Attempt 2 is the following: one can easily change (cj , si , σ) to
(c0j , si , σ) after Bob’s broadcast in Step 3, as the NIZK σ is completely disconnected from cj .
ZERO-KNOWLEDGE PROOFS 98

Thus, an adversary could use si , σ to create a coin c0j for himself (prior to everyone putting
si on the spent list and cj on the board). One possible solution to this problem is to put cj
in the NIZK statement as well. Such modified NIZK could look as following:
• ∃ci s.t. ci is a part of the bulletin board, si is the value inside ci and cj is a valid
commitment to some string.
This is still an NP statement, the witness consists of the witnesses of each of the two
parts of the AND-statement. Now, if one would try to change cj without changing σ, the
proof would not be valid anymore. However, there is still a minor problem with Attempt
2 – the NIZK can actually be malleable, so one might be able to change σ so that it accounts
for the change in cj . To get around this issue, one has to use the so-called non-malleable zero
knowledge, which roughly guarantees the following:
• Given a NIZK σ for a statement x no PPT adversary can construct σ 0 for a related
statement x0 (unless this adversary already knows the witness to x0 ).
For completeness purposes, we give the final version of the protocol.
Attempt 3 (final)
1. Alice sends decommitment of ci (including si and ri ) to Bob.
2. Bob creates cj .
3. Bob broadcasts cj , si along with the following non-malleable NIZK statement: ∃ci s.t.
ci is a part of the bulletin board, si is the value inside ci and cj is a valid commitment
to some string.
4. Everyone can verify that si is not on the spent coin list and that the given proof is
valid. If so, si is put on the spent list and cj on the bulletin board.
Note that this construction has the following nice property: nobody knows that Alice
and Bob are transacting with each other because ci is not revealed.
Secure Multi-Party Computation

13.1 I NTRODUCTION

Intuitively, Secure Multi-Party Computation allows multiple mutually distrusting parties


P1 , P2 , . . . , Pn compute the result of some function f when applied to the inputs of the
parties: f (x1 , x2 , . . . , xn ) (here, xi is the input of party Pi ). This interaction must reveal
nothing except the function result.
Secure multi-party computation was first introduced in 1982 in the paper Protocols for
secure computations, where Yao’s millionaire problem was famously introduced. In this
hypothetical problem, two millionaires, Alice and Bob, want to know who of them is richer,
but they want to do so without revealing their actual wealth.

13.1.1 Applications
There are many applications of Secure Multi-Party Computation.
• Privacy Preserving Data Mining: Privacy Preserving Data Mining is one such ap-
plication. It would be beneficial to have multiple hospitals run data mining on the
combined inputs of their data, but due to regulations like HIPAA, none of the hospi-
tals can share their data with the others. Here, secure multi-party computation can
be used to run the data mining algorithm.
• Information exchange between Intelligence Agencies: Another application could
be between Intelligence agencies of Allied countries to share some information only
if there was some information to be gained in return. In this case a secure multi-party
computation can be run to verify if there is some valid information on both sides.
Note. For the remainder of the class we will be focusing on Secure 2-Party Computation (in the
following, 2PC). The formal definition for Secure Multi-Party Computation can be generalized from
the Secure 2-Party Computation.

13.2 F ORMAL D EFINITION

Consider parties P1 , P2 holding inputs x1 , x2 respectively, and trying to compute f (x1 , x2 ).


We say that a protocol π is a secure 2PC for the function f (·, ·) if there exists an EPPT
simulator S = (S1 , S2 ) such that

{V iew of corrupt Pi∗ in π}=c {Output of Si }

Recall that in Zero-Knowledge proofs we had a simulator which could produce a view
indistinguishable from the real view without knowing the witness. Thus we were able to

99
SECURE MULTI-PARTY COMPUTATION 100

Figure 10: Simulators S1 and S2

conclude that no knowledge has been gained during the execution of the protocol. The
current definition has a similar flavor: we define a simulator which produces a view in-
distinguishable from the real view, knowing only f (x1 , x2 ). Thus we conclude that no
knowledge except for f (x1 , x2 ) has been gained during the execution of the protocol.
Note that we still need to formally define the inputs that the Simulator gets.
First Attempt Consider the following: Si is given as input f (x1 , x2 ) and code of Pi∗ .
Unfortunately, this does not work because f (x1 , x2 ) is not defined before the protocol – if
some party is malicious, it can use an input different from x1 /x2 .
Correct Definition Si is given a one time access to an output Oracle, the so-called ideal
functionality F (see Figure 12). Intuitively, this means that the simulator can choose an
input, and query the oracle to find the corresponding output. The simulator can do so
only once during the execution of the protocol.
Note. This definition is a basic definition of 2PC. It does not capture all the properties such as
correctness etc.

Note. MPC can be defined analogously by having n parties, n inputs and n Simulators.

13.3 T YPES OF A DVERSARIES

Note that there are multiple kinds of adversaries:


• Semi-Honest adversary: such adversaries faithfully follow the protocol instructions,
but analyze transcript in order to gain some secret information. In other words, this
adversary behaves honestly during the execution of the protocol, but is corrupted
afterwards.
• Fully malicious: These adversaries are corrupted throughout the execution of the
protocol. They can deviate from the protocol arbitrarily.
SECURE MULTI-PARTY COMPUTATION 101

Alice Bob
a0 , a1 b

ab

Figure 11: Oblivious Transfer

We can see that semi-honest adversary is weaker than fully malicious adversary, thus
any protocol which is secure against fully malicious adversaries is secure against semi-
honest adversaries. As we will see later there is a way to convert a protocol secure against
semi-honest adversaries to a protocol secure against fully malicious adversaries using
Zero-Knowledge proofs of Honesty.

13.4 O BLIVIOUS T RANSFER

We will now consider the first example of secure multi-party computation: oblivious trans-
fer (OT). As shown in Figure 11, in the OT setting two parties participate: Alice has inputs
a0 , a1 , and Bob has an input bit b. The goal of OT is for Alice to communicate ab to Bob
without gaining any knowledge about the value of b, and without Bob gaining any knowl-
edge about the value of a1−b .
Note that this scenario can be represented as a generalized MPC where the functions
learned by each of the parties differ. The definition of the generalized MPC is the fol-
lowing: Parties P1 , P2 hold inputs x1 , x2 , and wish to compute f1 (x1 , x2 ) and f2 (x1 , x2 ),
respectively. We say that, a protocol π is a secure 2PC for the functions f1 (·, ·), f2 (·, ·) if
there exist EPPT simulators S1 and S2 such that

{V iew of corrupt Pi∗ in π}=c {Output of Si },

where Si is given a one time access to an oracle for fi (·, ·).

13.4.1 Protocol against Semi-Honest Adversaries


We will now discuss an OT protocol that is secure against semi-honest adversaries. Let
the sender A have input bits (a0 , a1 ), and the receiver B have input b Given a family of
trapdoor one-way permutations {fi }, we define the following protocol:
• A samples (fi , t), where t is the trapdoor associated with fi , and sends fi to B.
• B samples x from the domain of fi uniformly at random, computes y0 , y1 s.t. yb =
f (x), and y1−b is a random value chosen from the range of fi . B sends (y0 , y1 ) to A.
• A computes v0 = fi−1 (y0 ) as well as v1 = fi−1 (y1 ) using t, and then computes
c0 = a0 ⊕ h(v0 ) and c1 = a1 ⊕ h(v1 ), and sends the computed values to B.
SECURE MULTI-PARTY COMPUTATION 102

Figure 12: Simulators S1 and S2

Alice Bob
a0 , a1 b

$
yb = f (x), yb ←
−U

a0 ⊕ h(f −1 (y0 ))
ab
a1 ⊕ h(f −1 (y1 ))

Figure 13: Oblivious Transfer Protocol

• B recover ab as cb ⊕ h(fi−1 (yb )) = cb ⊕ h(x).


Security Intuition
Since B does not know trapdoor, B cannot compute the preimage. Since h is a hard-
core predicate, h(f −1 (y1−b )) is a uniform bit to B behaving like a OTP and making a1−b
uniform to B. Since B has the preimage of yb , it can correctly compute ab . From A’s point
of view, y0 , y1 have the same distribution and thus no information can be learned from
them.
SECURE MULTI-PARTY COMPUTATION 103

Formal Proof of Security


First, consider the case where B is corrupt. Then, the simulator S2 that has input b works
as follows:
• S2 samples (fi , t) honestly.
• S2 uses b to compute (y0 , y1 ) as specified by the protocol.
• S2 queries F and gets ab . Then, S2 chooses a1−b at random and computes c0 , c1 based
on ab and a1−b .
• S2 outputs the recorded transcript τS2 .
Lemma 6. Distribution of output of S2 =c real world transcript.
Proof. Note that τS2 and τreal differ only in a1−b . Because h is a hard-core predicate, no ad-
versary is able to predict h(f −1 (y1−b )) with probability noticeably better than 12 . Therefore,
bit a1−b cannot be distinguished from random. Thus, the transcripts are indistinguishable.

Now, consider the case where A is corrupt. Then, the simulator S1 that has input a0 , a1
works as follows:
• S1 samples (fi , t) to compute the first message honestly.
• S1 samples (y0 , y1 ) uniformly at random from the range of fi .
• S1 uses t to invert y0 , y1 and then uses (a0 , a1 ) to compute c0 , c1 honestly.
• S1 outputs the recorded transcript τS1 .
Lemma 7. Distribution of output of S1 =c real world transcript.
Proof. Note that τS1 and τreal differ only in yb . B chooses x from the domain of fi and
then computes yb , while S1 chooses yb directly from the range of fi . However, since fi is
a permutation, the distribution of yb is the same in both cases. Since the same distribution
did not change, we know the transcripts are indistinguishable.

Note. This protocol is insecure against Fully malicious adversary. For example, A could choose
fi such that it is not a permutation and thus it can distinguish between y0 , y1 . B could choose y0 ,
y1 such that it knows both the preimages.

13.5 GMW C OMPILER

The GMW compiler is a general conversion technique which converts a protocol secure
against semi-honest adversaries into a protocol secure against fully malicious adversaries.
The basic idea is that at each step the party sends a zero knowledge proof of honestly
computing the messages. Before we introduce the correct compiler, we briefly discuss a
naive, but unfortunately insecure, construction.
Attempt 1
Take any protocol π and convert it as in Figure 13.4.1, where r1 and r2 are the random-
ness used by Alice and Bob to execute π. Note that the statement “m1 is consistent with
values in c1 " is in NP since given the opening of c1 the verification is easy.
SECURE MULTI-PARTY COMPUTATION 104

Alice Bob
x1 x2
com(x1 ||r1 , ra )

com(x2 ||r2 , rb )

m1 , ZKP: “m1 is consistent


with values in c1 "
m2 , ZKP: “m2 is consistent
with values in c1 & m1 "

···

···

Figure 14: GMW Compiler

Note. After this commitment, π becomes deterministic.


Unfortunately, this attempt fails because r1 and r2 can be bad randomnesses which
could lead to more information to the corresponding parties. For example in the previous
−1
example Bob can choose the randomness for y1−b such that y1−b is already known to Bob.
Attempt 2 – Correct Construction To solve the problem in the previous attempt, we
establish the randomness for both parties in a way that even if one of them is cheating,
both parties are still forced to use the same uniform randomness. First, we define a simple
protocol for the coin flipping problem that allows Alice and Bob to jointly flip a coin over a
telephone:
1. A generates r1 uniformly at random and sends com(r1 , ra ) to B.
2. B generates r2 uniformly at random and sends r2 to A.
3. A sends (r, ra ) to B.
4. A and B both output r = r1 ⊕ r2 as their agreed uniform randomness.
Lemma 8. At the end of this coin flipping protocol, r = r1 ⊕ r2 is uniformly random.
Proof. First, suppose A is dishonest and B is honest. Then there are two cases:
1. A does not generate r1 uniformly. In this case we still have r = r1 ⊕ r2 is uniformly
random, since r2 is independently random with respect to r1 and acts like a one-time
pad.
2. A changes r1 to some other string r10 after it learns r2 sent by B. However, A cannot
do this due to the binding property of the commitment scheme. Since com(r1 , ra )
is bound to r1 , after decommitting, B must have r1 as the string received from A,
otherwise it notices that A is malicious.
SECURE MULTI-PARTY COMPUTATION 105

Now suppose A is honest and B is dishonest. Since com(r1 , ra ) hides r1 , B intuitively has
zero knowledge of r1 before it generates r2 , and it follows that r2 is generated indepen-
dently from r1 . Since r1 is generated by A uniformly at random and is independent with
r2 , it follows that r = r1 ⊕ r2 is still random in this case.
Using the idea of the above coin flipping protocol, we can modify the protocol defined in
our first attempt and construct a fully working GMW compiler which takes any oblivious
transfer protocols that are secure against semi-honest adversaries and converts them into
protocols that are secure against malicious adversaries. This compiler is defined as follows
(let A’s message be ma , and B’s message be mb ):
1. A generates r1 uniformly and sends com(ma ||r1 , ra ) to B. Note that r1 is neither
the randomness used in the commitment scheme nor the entire randomness used by
A in the full new protocol (for example, ra is not part of r1 ). Instead, it is just the
randomness used by A in the underlying protocol.
2. B generates r10 uniformly at random and sends r10 to A.
3. B generates r2 uniformly and sends com(mb ||r2 ) to A. Note that r2 is neither the
randomness used in the commitment scheme, nor the random tape of B. Instead, it
is just a random string used for generating B’s randomness.
4. A generates r20 uniformly and sends r20 to B.
5. A sets its randomness to be rA = r1 ⊕ r10 , B sets its randomness to berB = r2 ⊕ r20 .
6. For any mA j in the transcript that A sends to B in the original protocol, A also sends
mAj to B, followed by running a ZKP protocol to prove the following NP statement:
mAj is consistent with (1) the transcript so far, and (2) (ma , rA ). Note that the tran-
script so far also contains messages sent from B to A.
7. For any mB j in the transcript that B sends to A in the original protocol, B also sends
B
mj to A, followed by running a ZKP protocol to prove the following NP statement:
mBj is consistent with (1) the transcript so far, and (2) (mb , rB ). Note that the tran-
script so far also contains messages sent from A to B.
The intuition is still the same: by leveraging the power of ZKP, we not only ensure both
parties learn nothing more than if we were simply running an oblivious transfer protocol,
but also prevent malicious parties from cheating because of the ZKP’s soundness. One
side note is that although this compiler is correct and can be used for all OT protocols,
it is actually very inefficient since the ZKP involved require reductions to NP-complete
problems.

13.6 M ORE G ENERAL V ERSIONS OF O BLIVIOUS T RANSFER

In the following, we introduce a few notions that generalize the Oblivious Transfer prob-
lem.

13.6.1 1-out-of-n Oblivious Transfer


In this version, instead of only two, the sender now has n items. The 1-out-of-n OT can be
constructed fairly simple based on our previous construction of 1-out-of-2 OT protocol:
1. A samples (f, t) from the trapdoor permutation family Fn and sends f to B.
SECURE MULTI-PARTY COMPUTATION 106

2. B samples k ∈ [n] and x from the domain of f . B then sets yk = f (x) and samples
each yi6=k uniformly at random. B then sends (y1 , y2 , . . . , yn ) to A.
3. A computes xi = f −1 (yi ) using t, and then computes zi = h(xi ) ⊕ ai for all i and
sends (z1 , z2 , . . . , zn ) to B.
4. B can get ak by computing zk ⊕ h(x) = ak .

13.6.2 1-out-of-n String Oblivious Transfer


Ideally, we do not want to restrict ourselves to only being able to send bits, and it turns out
that we can utilize the above 1-out-of-n Oblivious Transfer protocol to construct a 1-out-
of-n string Oblivious Transfer protocol. We assume that |ai | = l for all i, and we denote by
ai [j] the j-th bit of ai . The protocol is defined as follows:
• Run the 1-out-of-n bit OT protocol for l times.
– In the j-th run of the protocol, the input of A will be (a1 [j], a2 [j], . . . , an [j]), and
the input of B is k.
The correctness of this protocol is easy to see: in the j-th run of the 1-out-of-n bit OT
protocol B correctly and securely gets ak [j]. Therefore, after l runs of the above protocol B
will get the whole string ak .

13.6.3 General Secure 2PC for Small Input Size


We can further generalize our OT protocol. In fact, as long as one of the parties has poly-
nomial many inputs, then 1-out-of-n string OT gives a secure 2-party communication pro-
tocol. Suppose that A has input x1 , B has x2 , where x2 ∈ [n], and A and B want to
collaboratively compute a function f (x1 , x2 ). The secure 2-party communication protocol
is defined as follows:
• ∀i, 1 ≤ i ≤ n, A sets ai = f (x1 , i).
• B sets k = x2 .
• A and B run 1-out-of-n string OT. B gets ak = f (x1 , k) = f (x1 , x2 ). If at the end of
the protocol A also wants the result, B can simply send the result back.
Note that the above protocol already solves Yao’s millionaire problem. A millionaire can
only have finite amount of money in his pocket. It can be millions or billions of dollars,
but no matter how much it is, it is still of polynomial size. Hence, we can simply define
f (x1 , x2 ) such that it returns the larger one of x1 and x2 , and run the above protocol to
get f (x1 , x2 ) without revealing how much money the two millionaires have. Note further
that this protocol works even when x1 is of exponential size. As long as B has polynomial
many inputs, the protocol will still run in probabilistic polynomial time.

13.7 P RECURSOR TO YAO ’ S G ARBLED C IRCUITS

Recall that in the previous section we have shown how to construct an 1-out-of-n OT based
on a 1-out-of-2 construction. Unfortunately, the scheme we defined was not very efficient.
Now, we will use a 1-out-of-2 OT in combination with a symmetric encryption scheme to
provide an improved construction. Note that symmetric encryption requires only a very
weak assumption – that of the existence of a OWF.
Construction Suppose party A has input (a1 , a2 , . . . , an ) and party B has input k ∈ [n].
Then, the scheme works as follows:
SECURE MULTI-PARTY COMPUTATION 107

1. Set m = dlog ne. Generate m pairs of random keys (k01 , k11 ), (k02 , k12 ), . . . , (k0m , k1m ) for
the given symmetric encryption scheme. Define sets S1 , S2 , . . . , Sn such that for all i
holds that |Si | = m.
j
• Denote i as an m bit string. Let Si contains exactly ki[j] for all j ∈ [m], where
i[j] denotes the j-th bit in the binary representation of i. For example, if m = 3
and i = 2 (010 in binary), then S2 = {k00 , k11 , k02 }. Note that by this construction,
if i 6= j we must have Si 6= Sj since i and j must have different bit string
representation.
2. A encrypts ai using all keys from set Si , Denote the resulting ciphertext as ci . This is
done for all i ∈ [n]. Then, A then sends (c1 , c2 , . . . , cn ) to B.
3. A and B execute m instances of 1-out-of-2 OT protocol. In the i-th execution of the
protocol, input of A is (k0i , k1i ), and input of B is k[i].
4. After m executions of 1-out-of-2 OT protocol, it is clear that B has all the keys used
to encrypt ak . Since the keys are symmetric encryption keys, B can then decrypt ck
using these keys.
Note that in terms of performance, this construction is much better than the 1-out-of-n
scheme we defined in the previous section. In the previous scheme we had to make n calls
of trapdoor permutation (which are very expensive), but now we only need to make 2m
calls of trapdoor permutation in Step 3, and m is logarithmic in n. Of course, we have to
consider the cost of encrypting, but typically symmetric encryption is much cheaper than
trapdoor permutation, so the protocol above still has a much better performance.
Note that above, we made significant progress towards Secure 2 Party Computation by
giving solutions for functions that operate on domains of polynomial size. At FOCS’86,
Yao gave a solution for general circuits. This construction was cited as having contributed
to the decision to grant Yao the prestigious Turing Award in the year 2000. It is, in some
sense, a generalization of the construction we presented above. We will now present Yao’s
construction.

13.8 YAO ’ S G ARBLED C IRCUITS

The following construction applies to boolean circuits that take two inputs x1 and x2 and
compute f (x1 , x2 ). For clarity we restrict ourselves to the case where f (x1 , x2 ) is a single
bit. An example of such a circuit is given by Figure 15. The circuits can be built with any
gates that have two input wires and one output wire.
The high level idea is as follows: the sender will send the encrypted (in some sense)
circuit to the receiver. The receiver will then use Oblivious Transfer to evaluate the circuit
on its input, with the help of the sender. In the following we denote by P1 the sender and
by P2 the receiver:
1. For every wire w in the circuit, sender P1 will generate two random keys: (K0w , K1w ).
Kbw represents the idea of the wire having value b.
2. P2 will eventually need to receive the keys corresponding to the input x1 ||x2 .
3. P1 will create "gate tables" that enable P2 , given keys for the input wires to the gate, to
recover the key for output wire. Consider a gate that has input wires i, j and output
`, and which implements functionality g(·, ·). Given keys K0i , K0j , P2 can recover
SECURE MULTI-PARTY COMPUTATION 108

x1,0
x1,1

x1,2
x1,3

f (x1 , x2 )
x2,0
x2,1

x2,2
x2,3

Figure 15: An example of a boolean circuit that could be securely evaluted using Yao’s
Garbled Circuits.

`
Kg(0,0) . Similarly given keys for K0i , K1j , P2 can recover Kg(0,1)
`
and so on. The natural
` i j
way to do this is to encrypt the Kg(b,b0 ) under Kb , Kb0 . Formally, the gate table for a

gate (i, j, `) has 4 doubly-encrypted entries:

E(Kbi , E(Kbj0 , Kg(b,b


` 0
0 ) ||0 . . . 0)), ∀b, b ∈ {0, 1}

Note that we actually appended a number of zeroes after the value g(b, b0 ) before
encrypting. This is because when P2 does try to evaluate that gate, it will need some
way to know that it succeeded. This can be done by checking that the λ last bits of
the decryption are zeros, where λ is the security parameter, which would otherwise
happen with negligible probability.
Additionally, note that if we were to send the gate table as such it would be easy for
P2 to tell what bits were being input to the gate by simply looking at the row where
the matching with the zeros happened. P1 will thus have to shuffle the rows. P1 thus
randomly permutes the 4 entries and sends all gate tables to P2 .
4. Given keys for the inputs wires and the gate tables, P2 can compute a key for the
output wire. But P2 wants the output, not the key corresponding to the output.
5. Say wout is the output wire. P1 sends a mapping of keys to bits for wout . More pre-
cisely, P1 sends (K0wout , 0), (K1wout , 1), where Kbwout represents the idea of the output
wire having value b. As the protocol executes P2 will learn one of those values.
We have described how the circuit gets garbled and how it can then be evaluated given
the input keys. All that remains to be clarified is how P2 acquires the input keys in the first
place. For value x1 , P1 , knowing x1 , can simply send the right keys to P2 directly. The rest
of the keys will be obtained via 1-out-of-2 OT. Recall that we are in the semi-honest setting
SECURE MULTI-PARTY COMPUTATION 109

(the malicious setting can be solved using the compiler we studied during last lecture). If
we want P1 to also learn the output, then P2 should also send it to P1 at the end.

Secure 2PC
P1 P2
Construct garbled circuit
Garbled Circuit

Gate table for every gate

Output mapping table

Wire keys for x1

1-out-of-2 OT for each wire w that is an input of P2


Input (K0w , K1w ) Input bw = x2,w

message

message

...

message

message

Recover Kbww

Compute f (x1 , x2 )

This protocol is highly efficient, in fact it is one of the most practical ideas for secure
2PC even to date. In the semi-honest setting it mostly relies on symmetric encryption.
There are optimizations that make it possible to go to the malicious setting without relying
on expensive Zero Knowledge techniques. One such optimization is based on an idea
called Cut-and-Choose. P1 creates a large number of circuits. P2 asks P1 to reveal the secrets
of about half of them chosen at random to check that P1 generated them honestly. Then,
they evaluate the rest of the circuits and P1 bases the value of f (x1 , x2 ) on plurality voting.
There are also fairly efficient constructions for OT based on the DDH hardness assumption
that are directly secure again malicious adversaries.

13.9 C ONSTRUCTION FOR MPC

We now give a construction that enables multiple parties P1 , P2 , . . . , Pn with inputs


x1 , x2 , . . . , xn to compute a function f (x1 , . . . , xn ). Assume any two parties Pi , Pj have
SECURE MULTI-PARTY COMPUTATION 110

a private channel between them. Again we only give a solution in the semi-honest setting,
and we additionally assume that the parties do not collude.
1. P1 creates a garbled circuit for f and sends it to Pn ;
2. P1 sends keys corresponding to x1 to Pn ;
3. Pn gets the keys corresponding to xn from P1 via 1-out-of-2 OT.
4. ∀i such that 2 ≤ i ≤ n − 1, Pi gets the keys corresponding to xi from P1 via 1-out-of-2
OT. Pi then sends these keys to Pn .
5. Pn evaluates the circuit and announces its output f (x1 , . . . , xn ).
Theorem 20. This protocol is secure as long as the parties don’t collude with each other.
Notice that if P1 colludes with Pn they can recover every other party’s input.
Goldreich, Micali and Wigderson (1987) also give a solution that remains secure even
if n − 1 parties collude with each other.
Additional Topics

In this last chapter, we would like to briefly explore the areas of cryptography we haven’t
touched upon yet.

14.1 P UBLIC - KEY I NFRASTRUCTURE

Assume Alice wants to send a message to Bob, but they do not have a shared key. Alice will
first need to securely recover Bob’s public key. We know that key exchange protocols exist,
but they are not secure under Man-In-The-Middle Attacks, and on the internet, it might
be difficult for Alice to know that she’s actually exchanging a key with Bob (e.g. think of
Bob as a website). Certificate Authorities (CA) exist to address this problem. At a high level
they work as follows: Web browsers have the CA’s public key hardcoded. Websites must
go to the CA and get a certificate: a signed statement (from the CA’s private key) that a
given public key (the website’s public key) is the valid public key of the site (identified by
its domain name). That certificate lets the browser check the validity of the public key so
long as the certificate authority remains trustworthy.

14.2 F ULLY-H OMMORPHIC E NCRYPTION

Assume a situation involving a client and a server. The client (say, a hospital) wants to up-
load encrypted records (e.g., patient records) to the server (e.g., a cloud provider). Later on,
the client decides it wants to perform computations on records (e.g., compute some statis-
tics to help it do a better job at detecting or treating certain pathologies). Downloading
the entire dataset on hospital servers is cumbersome and somewhat defeats the purpose
of cloud computing. Sending the key to the server so it decrypts the data and performs
the computations is harmful to the privacy of the patients, and in some cases might even
be illegal. Instead, using Fully Homomorphic Encryption, the client can send a function f
to the server and the server can compute and return Enc(f (x)), where x denotes the set
of records. Fully Homomorphic Encryption was first envisionned in the late 70s, but no
solution was available. The existence of a solution remained unknown until Craig Gentry,
then one of Dan Boneh’s PhD students at Stanford, gave a scheme based on lattices in 2008.
Note that schemes for simple homomorphisms had been known for a long time. ElGa-
mal encryption is multiplicatively homomorphic. There are also additively homomorphic
schemes. Some schemes are even additively homomorphic and allow one multiplication
computation. Achieving additive and multiplicative homomorphism at the same time is
the key to enabling the computation of any circuit.

111
ADDITIONAL TOPICS 112

14.3 N ON - MALLEABLE C RYPTOGRAPHY

Consider a closed bid (first-price) auction. The bidders want to keep the values of their
bids private. A natural thing to do might be to have every participant commit to their bid,
send the commitment to the seller, and then, after the auction closes, reveal their bid. Not
that encryption is clearly not good enough for this use case because it doesn’t have any
binding property. But commitments may not be good enough either: there is nothing in
the definition of commitment schemes that says it shouldn’t be possible for a bidder to
intercept some other bidder’s commitment and to compute Com(b1 + 1) from Com(b1 ).
This justifies introducing a new primitive called non-malleable commitments, that
would provide such a guarantee.
Similarly, there are non-malleable encryption schemes and non-malleable Zero Knowl-
edge proof systems (which roughly means that a verifier can’t use a proof from some
prover to prove a related statement).

14.4 ATTRIBUTE B ASED E NCRYPTION

In many situations, organizations are interested in implementing Access Control on their


data, so that whether one of their members can access the data or not depends on certain
permissions that may or may not be granted to them. Often, this is done using software
checks, but Attribute Based Encryption provides a cryptographic solution. An authority is
charged with distributing keys according to every party’s status within the organization.
The cryptographic primitive ensures that you will only be able to decrypt data you have
been granted access to. This means it’s now theoretically possible to allow parties to down-
load whatever data they want to, because they will not be able to decrypt anything they
are not supposed to see.

14.5 P ROGRAM O BFUSCATION

Program Obfuscation is an old problem in computer science. A typical use case would
be that of a software vendor who would like to distribute software in such a way that it
can’t be modified or analyzed. Many heuristics have been proposed, but all have eventu-
ally been broken. In fact, in 2001, Barak et al. showed that an ideal definition of Software
Obfuscation they termed Black Box Obfuscation was in fact impossible to achieve. They
suggested that Indistinguishibility Obfuscation, a relaxed definition, might be a more rea-
sonable goal. In 2013, Garg et al. gave a candidate solution for Indistinguishibility Ob-
fuscation, and the problem has been an important area of cryptographic research in recent
years. All solutions so far have been based on novel assumptions on which the commu-
nity’s confidence is limited, but one may hope that a satisfactory solution will appear in
the next decade.

14.6 P OSITION B ASED C RYPTOGRAPHY

The cryptographic schemes we studied in this class were mostly based on keys. But some-
times, where you are physically might be a more important factor. For instance, the US
Army in the Pentagon, near Washington DC, might want to send a message that could
only be read by parties physically located in some US military base in Afghanistan. This is
ADDITIONAL TOPICS 113

a high level description of Position Based Encryption, but one may also think about Posi-
tion Based Signatures, Position Based Key Exchange, or more generally about the area of
Position Based Cryptography. An important problem is that of secure positioning: a prover
is trying to prove his physical coordinates to some verifier, and solutions exist that do not
rely on a trusted third party.
Last but not Least

Figure 16: Comic from https://xkcd.com/538/

114

You might also like