COS433/Math

 473:  
Cryptography
Mark  Zhandry
Princeton  University
Spring  2018
Secret  Sharing
Vault  should  only  open  if  both  Alice  and  Bob  are  present
Vault  should  only  open  if  Alice,  Bob,  and  Charlie  are  all  present
Vault  should  only  open  if  any  two  of  
Alice,  Bob,  and  Charlie  are  present
(Threshold)  Secret  Sharing
Syntax:
Share(k,t,n) outputs  (sh1,…,shn)
Recon( (shi) i∈S ) outputs  k’

Correctness:  ∀S s.t. |S|≥t

If  (shi) i=1,…,n ß Share(k,t,n), then
Pr[Recon( (shi) i∈S ) = k] = 1
(Threshold)  Secret  Sharing
Security:
For  any  S, |S|<t,  given  (shi) i∈S , should  be  
impossible  to  recover  k

(shi) i∈S: (shi) i=1,…,n ß Share(k0,t,n)

≈
(shi) i∈S: (shi) i=1,…,n ß Share(k1,t,n)
n-­‐out-­‐of-­‐n Secret  Sharing
Share  secret  k so  that  can  only  reconstruct  k if  all  n
users  get  together

Ideas?
Shamir  Secret  Sharing
Let  p be  a  prime > n, ≥#(k)

Share(k,t,n):
• Choose  a  random  polynomial  P of  degree  t-1
where  P(0) = k
• shi = P(i)

Recon( (shi) i∈S ): use  shares  to  interpolate  P, then  

evaluate  on  0
Shamir  Secret  Sharing
Correctness:
• t input/outputs  (shares)  are  enough  to  interpolate  
a  degree  t-1 polynomial

Security:
• Given  just  t-1 inputs/outputs,  P(0) is  equally  likely  
to  be  any  value
Multiparty  Computation
 Multiparty  Computation

b
a
f(a,b,c)
f(a,b,c)

c f(a,b,c)
Multiparty  Computation
Observation  1:  Shamir  secret  sharing  is  additively  
homomorphic:

Given  shares  sh1 of  x1 and  sh2 of  x2,  r×sh1+s×sh2 is  

a  share  of  r×x1+s×x2
• sh1 = P1(i), sh2 = P2(i), so  
r×sh1+s×sh2 = (r×P1+s×P2)(i)
• r×P1+s×P2 has  same  degree
MPC  for  linear  f

Secret  share  a

b
a

c
MPC  for  linear  f

Secret  share  b

b
a

c
MPC  for  linear  f

Secret  share  c b
a

c
MPC  for  linear  f

Locally  compute  
shares  of  f(a,b,c)
b
a

c
MPC  for  linear  f

Broadcast  shares,  
then  reconstruct
b
a

c
MPC  for  General  f
Observation  2:  Shamir  Secret  Sharing  is  sort  of  
multiplicatively  homomorphic

Given  shares  sh1 of  x1 and  sh2 of  x2,  sh1×sh2 is  a  

share  of  x1×x2,  but  with  a  different  threshold
• sh1 = P1(i), sh2 = P2(i), so  
sh1×sh2 = (P1×P2)(i)
• P1×P2 has  degree  2d

Idea:  can  do  multiplications  locally,  and  then  some  

additional  interaction  to  get  degree  back  to  d
 MPC  for  General  f
To  maintain  correctness,  need  threshold  to  stay  at  most  n
• But  multiplying  doubles  threshold,  so  need  t≤n/2
• This  means  scheme  broken  if  adversary  corrupts  n/2  
users.
• Known  to  be  optimal  for  “information-­‐theoretic”  MPC

Using  crypto  (e.g.  one-­‐way  functions),  can  get  threshold  

all  the  way  up  to  n
MPC  for  Malicious  Adversaries
So  far,  everything  assumes  players  act  honestly,  and  
just  want  to  learn  each  other’s  inputs

But  what  if  honest  players  deviate  from  protocol?

Idea:  use  ZK  proofs  to  prove  that  you  followed  

protocol  without  revealing  your  inputs
Cryptocurrency
Features  of  Physical  Cash
Essentially  anonymous

Hard  to  counterfeit

Easy  to  verify

Limitations  of  Physical  Cash
Cannot  be  used  online
• Instead,  need  to  involve  banks
• Banks  see  all  transactions
• Merchants  can  also  track  you

Requires  central  government  to  issue

• Ok  for  most  people,  but  maybe  you  don’t  trust  the  
government
Digital  Cash
Currency  is  now  1s  and  0s

Crypto  can  make  digital  currency  easy  to  verify,  hard  

to  mint

Major  challenge:  prevent  double  spending

(Also  decentralizing  minting  process)
✘
 Solution:  Public  Ledger
Bank  transfers  $$  to  Alice

Each  bill  has  unique  serial  number

 Solution:  Public  Ledger
Bank  transfers  $$  to  Alice

Alice  transfers  $$  to  Bob

 Solution:  Public  Ledger
Bank  transfers  $$  to  Alice

Alice  transfers  $$  to  Bob

✘
Solution:  Public  Ledger
Bank  maintain  ledger?
• But  then  bank  must  be  involved  in  every  
transaction
• How  does  bank  prevent  malicious  Bob  from  
claiming  Alice  transferred  money  to  him?

Anonymity  also  lost,  since  all  transactions  public

 Solution:  Use  Signatures
pkBank transfers  $$  to  pkA,  σ1 σ1 = Sign(skBank, “pkBank transfers  $$  to  pkA”)

pkBank pkA
 Solution:  Use  Signatures
pkBank transfers  $$  to  pkA,  σ1 σ2 = Sign(skA,  “pkA transfers  $$  to  pkB”)

pkA transfers  $$  to  pkB,  σ2

pkB
pkBank pkA
Solution:  Use  Signatures
By  using  public  key  as  identity,  transactions  not  
immediately  traced  to  individual
• Though  can  still  trace  sequences  of  transactions

By  signing,  prevents  Bob  from  claiming  Alice  gave  

him  money  when  she  didn’t
Decentralized  Currency
Removing  the  bank  is  hard:
• How  is  ledger  maintained?
• How  to  prevent  ledger  from  being  tampered  with
• Who  mints  new  currency?
• How  do  we  limit  supply?
Proofs  of  Work
Prove  that  some  amount  of  computation  has  been  
performed

Ex:
• Let  H be  a  hash  function  (modeled  as  a  RO)
• An  input  x such  that  H(x) = 0t ***** is  a  “proof”  
that  you  computed  approximately  2t hashes
Proofs  of  Work  and  Cryptocurrency

Idea:  currency  is  a  proof  of  work

• Limits  supply  of  money,  so  keeps  inflation  in  check
• Now,  anyone  can  mint  new  money
Blockchain
Immutable  public  ledger

Block:
pkA transfers  $$  to  pkB,  σ1

h1 τ1

Hashes  to  0t ****

 Blockchain
Immutable  public  ledger

Block:
pkE transfers  $$0 to  pkF,  σ0 pkA transfers  $$1 to  pkB,  σ1 pkC transfers  $$2 to  pkD,  σ2
H H
h0 τ0 h1 τ1 h2 τ2

Hashes  to  0t ****

Blockchain
By  making  each  block  a  proof  of  work,  hard  to  
modify  blockchain

So  proofs  of  work  used  to:

• Mint  new  money
• Add  transactions  to  blockchain

Why  would  anyone  go  through  the  effort  of  adding  

transactions  to  the  blockchain?
Blockchain
Idea:  combine  minting  and  adding  blocks

Block:
pkA transfers  $$1 to  pkB,  σ1

h1 τ1
pkM mined  $$M

Hashes  to  0t ****

Double  Spending

pkA transfers  $$1 to  pkB,  σ1

pkA transfers  $$1 to  pkC,  σ2

What  if  Alice  now  claims  
this  is  the  blockchain?
Double  Spending
To  prevent  double  spending,  everyone  always  uses  
longest  chain  as  the  blockchain

If  Alice  tries  to  double  spend,  she  will  need  to  create  
a  separate  chain  that  is  as  long  as  the  main  chain
• As  long  as  she  has  <<50%  of  computing  power  of  
mining  power,  will  not  be  possible
Beyond  COS  433
Elliptic  Curves
y2 = a x 3 + b x 2 + c x + d
Group  Law  on  ECs

P
Q
P+Q
ECs  for  Crypto
Consider  EC  over  finite  field

Set  of  solutions  form  a  group

Dlog in  group  appears  hard

• Given  aP = (P+P+…+P),  find  a
• Can  use  in  crypto  applications
Bilinear  Maps
On  some  Elliptic  curves,  additional  useful  structure

Map  e:G×GàG2
• e(ga ,gb) = e(g,g) ab
3-­‐party  Key  Exchange

a ga gb b

gc

c
Shared  key  =  e(g,g) abc
Bilinear  Maps
Extremely  powerful  tool,  many  applications  beyond  
those  in  COS  433
• 3  party  non-­‐interactive key  exchange
• Identity-­‐based  encryption
• Broadcast  encryption
Multilinear  Maps
Map  e:GnàG2
• e(ga ,gb, …) = e(g,g,…) ab…

Many  more  applications  that  bilinear  maps:

• n+1  party  non-­‐interactive  key  exchange
• Obfuscation
•…

Unfortunately,  don’t  know  how  to  construct  from  

elliptic  curves
• Recently,  constructions  based  on  other  math
Lattices
 Lattices

Basis:
• Linearly  independent
• Every  point  in  lattice  is  integer  
combination  of  basis  vectors
Lattices
Hard  problems  in  lattices:
• Given  a  basis,  find  the  shortest  vector  in  the  lattice
• Given  a  basis  an  a  point  not  in  the  lattice,  find  the  
closest  lattice  point

Can  base  much  crypto  on  approximation  versions  of  

these  problems
• Basically  everything  we’ve  seen  in  COS433,  then  some
Fully  Homomorphic  Encryption
In  homework,  you  saw  additively/multiplicatively  
homomorphic  encryption:
Enc(pk, x) + Enc(pk, y) = Enc(pk, x+y)
OR
Enc(pk, x) × Enc(pk, y) = Enc(pk, x×y)

What  if  you  could  do  both  simultaneously?

• Arbitrary  computations  on  encrypted  data
Delegation

Doesn’t  want  Amazon  to  learn  sensitive  data

Delegation

Now,  Alice  wants  Amazon  to  run  

expensive  computation  on  data
Delegation

Homomorphic  evaluation
Quantum  Computing
Computers  that  take  advantage  of  quantum  physics

Turns  out,  good  at  solving  certain  problems

• Dlog in  any  group  (ℤp*,  ECs)
• Factor  integers

Also  can  speed  up  brute  force  search:

• Invert  OWF  in  time  2n/2
• Find  collisions  in  time  2n/3
Quantum  Computing
To  protect  against  quantum  attacks,  must:
• Must  increase  key  size
• 256  bits  for  one-­‐way  functions
• 384  bits  for  collision  resistance
• Must  not  use  DDH/Factoring
• Lattices  instead

Quantum  computers  still  at  least  a  few  years  away,  

but  coming
Final  Exam  Details
Slightly  longer  than  homework,  but  slightly  shorter  
questions

Pick  any  48  hour  period  during  the  dates  May  16  –
May  21
• Will  send  out  more  comprehensive  instructions

Individual,  but  open  notes/slides/internet…

Example  exam  on  course  webpage

Reminders
HW  8  Due  May  8

Project  3  Due  Dean’s  date

No  more  Monday  OH  – Mark’s  OH  by  appointment