1 Basic Number Theory

Transcription

1 ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his course on cryptography and computer security at Stanford (CS255). 1.1 Arithmetic Modulo Primes For a prime p let Z p = {0,1,...p 1}. Elements of Z p can be added modulo p and multiplied modulo p. Fermat s theorem: g p 1 = 1 mod p, for any g 0 mod p. Invertible elements: The inverse of x Z p is an element a satisfying a x = 1 mod p. The inverse of x modulo p is denoted by x 1. All elements x Z p except for x = 0 are invertible. Let Zp be the set of invertible elements in Z p, that is, Zp = {1,2,...,p 1}. Structure of Z p: Z p is a cyclic group. That is, there exists g Z p such that Z p = {1,g,g 2 mod p,g 3 mod p,...,g p 2 mod p}. Such a g is called a generator of Z p. Not every element of Z p is a generator. Order of Group Element: The order of g Z p (denoted ord p(g)) is the smallest positive integer a such that g a = 1 mod p. Lagrange s Theorem: ord p (g) divides p 1, for all g Z p. Computational Considerations: For our cryptographic applications, we are dealing with primes p on the order of 300 digits long (1024 bits). Since p is huge, it cannot be stored in a single register. Elements of Z p are stored in 32-bit or 64-bit long buckets (depending on the processor s chip size). Adding two elements x,y Z p can be done in linear time in the length of p. Multiplying two elements x,y Z p can be done in quadratic time in the length of p. If p is n bits long, more clever (and practical) algorithms work in time O(n 1.7 ) (rather than O(n 2 )). Inverting an element x Zp can be done in quadratic time in the length of p. Elements of Zp can be efficiently inverted using Euclid s algorithm. If gcd(x,p) = 1 then using Euclid s algorithm it is possible to efficiently construct two integers a,b Z such that ax + bp = 1. Reducing this relation modulo p leads to ax = 1 mod p. Hence a = x 1 mod p. 1

2 Using the repeated squaring algorithm, x r mod p can be computed in time (log 2 r)o(n 2 ) where p is n bits long. Note that this algorithm for modular exponentiation takes linear time in the length of r. Discrete Log Problem: Let p be a 1024-bit prime, and let g be a generator of Z p. Given x Z p, find an r such that x = g r mod p. This problem is believed to be hard. Computational Diffie-Hellman Problem: Let p be a 1024-bit prime, and let g be a generator of Z p. Given x,y Z p where x = gr 1 and y = g r 2, find z = g r 1r 2. This problem is believed to be hard. Decision Diffie-Hellman Problem: Let p be a 1024-bit prime, and let g be a generator of Zp. Given an instance of the Computational Diffie- Hellman Problem x,y Zp, and given z which is either the solution to the Computational Diffie-Hellman problem (with probability 1/2) or a random element of Zp (with probability 1/2), try to distinguish which is the case. This problem is not hard: Given g r 1 and g r 2, one can efficiently compute the Legendre Symbol of g r 1r 2, and this can be used to help distinguish g r 1r 2 from random z Zp (details omitted). Large Prime Order Subgroup: The Discrete Log, Computational Diffie- Hellman, and Decision Diffie-Hellman problems are believed to be hard when the order of g is a large prime factor of p 1. Note that g is not a generator of Zp in this case (in fact, we say that g generates a large prime order subgroup of Zp ). 1.2 Arithmetic Modulo Composites Unless otherwise stated, we assume N is the product of two primes of roughly equal size. For a composite N let Z N = {0,1,2,...,N 1}. Elements of Z N can be added and multiplied modulo N. Invertible Elements: The inverse of x Z N is an element y Z N such that x y = 1 mod N. An element x Z N has an inverse if and only if x and N are relatively prime (that is, gcd(x,n) = 1). Let ZN denote the set of invertible elements in Z N. Euler s Phi Function: Let φ(n) denote the number of elements in Z N. When N = pq is the product of two primes, φ(n) = (p 1)(q 1). Euler s Theorem: For any a Z N we have that aφ(n) = 1 mod N. Chinese Remainder Theorem (special case): Let p,q be distinct primes and let N = pq. Given r 1 Z p and r 2 Z q there exists a unique element 2

3 s Z N such that s = r 1 mod p and s = r 2 mod q. Furthermore, s can be computed efficiently. Structure of Z N : The CRT implies that each element s Z N can be viewed as a pair (s 1,s 2 ) where s 1 = s mod p and s 2 = s mod q. The uniqueness guarantee shows that each pair (s 1,s 2 ) Z p Z q corresponds to one element of Z N. The CRT also shows that an element s Z N is invertible if and only if s mod p is invertible in Z p and s mod q is invertible in Z q. This yields an alternative explanation for why φ(n) = (p 1)(q 1) when N is the product of two distinct primes. Computational Considerations: For our cryptographic applications, we are dealing with integers N on the order of 300 digits long (1024 bits). All of the observations about computing in Z p for prime p carry over without change to the setting of computing in Z N. Here is one computational trick that is unique to the setting of Z N for composite N. If the factorization p,q of N is known, then the repeated squaring algorithm for modular exponentiation (mod N) can be speeded up by about a factor of four, by exploiting the Chinese Remainder Theorem (details omitted). RSA Problem: Let e be relatively prime to φ(n). Given N and e, and given y = x e mod N for some x ZN, find x. This is believed to be hard if the factorization of N is unknown, but becomes easy if the factorization of N is known. RSA Trapdoor: Given the factorization p,q of N, it is easy to compute φ(n) = (p 1)(q 1), and then it is easy to compute d = e 1 mod φ(n), and then it is easy to compute y d mod N, which is equal to x (by Euler s Theorem). The factorization p,q (or the value d) is called a trapdoor for the RSA problem. 2 Basic Secret Sharing This section has some basic facts about secret sharing schemes, mostly taken (or adapted) from CRC Handbook of Applied Cryptography (Chapt 12, pp ), Menezes et al. (eds), (t,t) Threshold Secret Sharing: Let S be a secret integer, 0 S m 1. Here is a way to divide S into t shares, such that all of them are 3

4 required in order to recover it: Choose t 1 independent random numbers S i, 0 S i m 1, 1 i t 1. Compute S t = S t 1 i=1 S i mod m. The secret is recovered as S = t i=1 S i mod m. A similar idea works when S is a bitstring of length l: Choose t 1 independent random bitstrings S 1,...,S t 1 of length l. Compute S t = S S 1... S t 1. The secret is recovered as S = S 1... S t. Shamir s (t, n) Threshold Secret Sharing: Let S be a secret integer 0 S m 1. Here is a way to divide S into n shares, such that any t of them are necessary and sufficient to recover it. Let p be an arbitrary prime number greater than m 1 and n. Sharing Phase: Select t 1 random, independent coefficients a 1,...,a t 1, 0 a j p 1. Let f(x) be the following polynomial of degree t 1 over Z p : f(x) = S + t 1 j=1 a jx j. Compute S i = (i,f(i) mod p), 1 i n. Reconstruction Phase: Any subset of t or more shares can be combined to recover the secret. The shares provide t distinct points of the form (i,f(i) mod p), allowing computation of the coefficients a j, 0 j t 1 of f(x) over Z p by Lagrange interpolation (see below). The secret is recovered by noting f(0) = a 0 = S. Lagrange Interpolation: The coefficients of an unknown polynomial f(x) of degree at most t 1, defined by distinct points (x i,y i ), 1 i t, are given by the Lagrange interpolation formulae: f(x) = t i=1 y i 1 j t,j i (x x j )/(x i x j ). Since f(0) = a 0 = S, the shared secret may be expressed as S = t i=1 c i y i mod p, where c i = 1 j t,j i x j(x j x i ) 1 mod p. Note that the c i values are non-secret constants, which for a fixed subset of t shares may be pre-computed. 3 Basic Cryptographic Primitives This section has some information about basic cryptographic primitives, mostly taken (or adapted) from Introduction to Modern Cryptography, Katz and Lindell, Chapman & Hall/CRC, Basic One-Way Primitives negligible: A function f is negligible if for every polynomial p(.) there exists an N such that for all integers n > N it holds that f(n) < 1/p(n). We typically denote an arbitrary negligible function by negl. 4

5 One-Way Function: A function f : {0,1} {0,1} is one-way if the following two conditions hold: 1. (Easy to compute:) There exists a polynomial-time algorithm M f computing f; that is, M f (x) = f(x) for all x. 2. (Hard to invert:) For every probabilistic polynomial-time algorithm A, there exists a negligible function negl such that the the following inverting experiment succeeds with probability at most negl(n): Choose input x {0,1} n ; Compute y = f(x); Give 1 n and y as input to A; The experiment succeeds if A outputs any x such that f(x ) = y. One-Way Function Family: The above definition of one-way function is very convenient in that it considers a single function over an infinite domain and range. However, most candidate one-way functions that we know of do not fit naturally into this framework. Rather, there is typically an algorithm that generates some parameters I which define some function f I ; the requirement is essentially that f I should be one-way with all but negligible probability over choice of I. Exponentiation Modulo a Prime: Let p be any prime, and let g be a generator of Z p. Let f p,g (x) = g x mod p, for x Z p. This family of functions is believed to be one-way (which is closely related to the belief that the Discrete Log problem is hard over Z p when p is a sufficiently large prime). In fact, this is believd to be a family of one-way permutations, since every f p,g is a one-to-one mapping on Z p. SHA: The SHA family includes cryptographically strong hash functions that seem hard to invert in practice. They fall outside of the asymptotic security framework developed here, since the output lengths are fixed. 3.2 Basic Pseudorandom Primitives Pseudorandom generator: Let l(.) be a polynomial and let G be a deterministic polynomial-time algorithm such that for any input s {0,1} n, algorithm G outputs a string of length l(n) (for simplicity, assume G is defined for all positive integers n). We say that G is a pseudorandom generator if the following two conditions hold: 1. (expansion) For every n it holds that l(n) > n. 2. (pseudorandom) For all probabilistic polynomial-time distinguishers D, there exists a negligible function negl such that Pr[D(r) = 1] Pr[D(G(s)) = 1] negl(n), where r is chosen uniformly at random from {0,1} l(n), the 5

6 seed s is chosen uniformly at random from {0,1} n, and the probabilities are taken over the random coins used by D and the choice of r and s. Stated another way, for all p.p.t. algorithms D, for all polynomials p, there exists a positive integer N such that, for all n > N, prob[d(r) = 1] prob[d(g(s)) = 1] < 1/p(n). Pseudorandom function: A keyed function F is a two-input function F : {0,1} {0,1} {0,1}, where the first input is called the key and denoted k, and the second input is just called the input. In general, the key k will be chosen and then fixed, and we will then be interested in the single-input function F k : {0,1} {0,1} defined by F k (x) = F(k,x). For simplicity, we will generally assume that F is length-preserving meaning that the key, input, and output lengths of F are all the same. That is, we assume that the function F is only defined when the key k and the input x have the same length, in which case F k (x) = x = k. Let F : {0,1} {0,1} be an efficiently computable, length-preserving, keyed function. We say that F is a pseudorandom function if for all probabilistic polynomial-time distinguishers D, there exists a negligible function negl such that Pr[D F k(.) (1 n ) = 1] Pr[D f(.) (1 n ) = 1] negl(n), where k is chosen uniformly at random from {0,1} n, and where f is chosen uniformly at random from the set of functions mapping n-bit strings to n-bit strings. [Note that the definition of pseudorandom function] gives D oracle access to the function in question (either F k or f). D is allowed to query the oracle at any point x {0,1} n, in response to which the oracle returns the value of the function evaluated at x. 3.3 Basic Symmetric Key Primitives Message Authentication Codes: A message authentication code (or MAC) is a tuple of probabilistic polynomial-time algorithms (Gen, Mac, Vrfy) such that: 1. The key generation algorithm Gen takes as input the security parameter 1 n and outputs a key k with k n. 2. The tag-generation algorithm Mac takes as input a key k and a message m {0,1}, and outputs a tag t. Since this algorithm may be randomized, we write this as t Mac k (m). 3. The verification algorithm Vrfy takes as input a key k, a message m, and a tag t. It outputs a bit b, with b = 1 meaning valid and b = 0 meaning 6

7 invalid. We assume without loss of generallity that Vrfy is deterministic and so write this as b := Vrfy k (m,t). 4. (Consistency) For every n, every key k output by Gen(1 n ), and every m {0,1}, it holds that Vrfy k (m,mac k (m)) = 1. Security for Message Authentication Codes: A message authentication code (Gen, Mac, Vrfy) is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all probabilistic polynomialtime adversaries A, there exists a negligible function negl such that the following forgery experiment succeeds with probability at most negl(n): 1. A random key k s generated by running Gen(1 n ). 2. The adversary A is given input 1 n and oracle access to Mac k (.). The adversary eventually outputs a pair (m,t). Let Q denote the set of all queries that A asked to its oracle. 3. The experiment succeeds if Vrfy k (m,t) = 1 and m Q. Symmetric Key Encryption: A symmetric key encryption scheme (sometimes called private key or secret key or shared key in the literature), is a tuple of probabilistic polynomial-time algorithms (Gen, Enc, Dec) such that: 1. The key generation algorithm Gen takes as input the security parameter 1 n and outputs a key k; we write this as k Gen(1 n ) (thus emphasizing the fact that Gen is a randomized algorithm). We will assume without loss of generality that any key k output by Gen(1 n ) satisfies k n. 2. The encryption algorithm Enc takes as input a key k and a plaintext message m {0,1}, and outputs a ciphertext c. Since Enc may be randomized, we write this as c Enc k (m). 3. The decryption algorithm Dec takes as input a key k and a ciphertext c and outputs a message m. We assume that Dec is deterministic, and so write this as m := Dec k (c). 4. (Consistency) For every n, every key k output by Gen(1 n ), and every m {0,1}, it holds that Dec k (Enc k (m)) = m. CPA-Security for Symmetric Key Encryption: A symmetric key encryption scheme (Gen, Enc, Dec) has indistinguishable encryptions in the presence of a chosen-plaintext attack (or is CPA-secure) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl 7

8 such that the following distinguishing experiment succeeds with probability at most 1/2 + negl(n): 1. A key k is generated by running Gen(1 n ). 2. The adversary A is given input 1 n and oracle access to Enc k (.), and outputs a pair of messages m 0,m 1 of the same length. 3. A random bit b {0,1} is chosen, and then a ciphertext c Enc k (m b ) is computed and given to A. We call c the challenge ciphertext. 4. The adversary A continues to have oracle access to Enc k (.), and outputs a bit b. 5. The experiment succeeds if b = b. CPA-Secure Symmetric Key Encryption from PRF: If F is a pseudorandom function, then the following symmetric key encryption scheme can be proven to be CPA-secure: Gen(1 n ) outputs a random n-bit key; Enc(k,m) chooses a random n-bit value r and outputs ciphertext (r,f k (r) m); Dec(k,(r,s)) outputs m = F k (r) s. CCA-Security for Symmetric Key Encryption: A stronger security notion for symmetric key encryption is indistinguishability of encryptions in the presence of a chosen-ciphertext attack (or CCA-security). The definition is the same as for CPA-security, except that the adversary A gets oracle access to both Enc k (.) and Dec k (.) in steps 2 and 4 of the distinguishability experiment (although forbidden from using the decryption oracle in step 4 to decrypt the challenge ciphertext itself). CCA-Secure Symmetric Key Encryption from MAC: If (Gen E,Enc,Dec) is a CPA-secure encryption, and if (Gen M,Mac,V rfy) is a secure MAC, then the following symmetric key encryption scheme can be proven to be CCA-secure: Gen (1 n ) runs Gen E (1 n ) and Gen M (1 n ) to get encryption key k 1 and MAC key k 2 ; Enc (k 1,k 2,m) computes c Enc k1 (m) and t MAC k2 (c) and outputs the ciphertext (c,t); Dec (k 1,k 2,c,t) outputs Dec k1 (c) if V rfy k2 (c,t) = 1 and otherwise outputs (reserved null element in the message space). 3.4 Basic Public Key Primitives Key Exchange Protocol: Alice and Bob begin by holding the security parameter 1 n ; they then choose (independent) random coins and run the 8

9 key exchange protocol. At the end of the protocol, Alice and Bob output keys k A,k B {0,1} n, respectively. The basic correctness requirement is that it should always hold that k A = k B (i.e., for all choices of random coins by Alice and Bob). Since we only deal with protocols that satisfy this requirement, we will speak simply of the key k = k A = k B generated by an honest execution of the protocol. Passive Security for Key Exchange: A key exchange protocol is secure in the presence of an eavesdropper if for every probabilistic polynomial-time adversary A there exists a negligible function negl such that the following distinguishing experiment succeeds with probability at most negl(n): 1. Two parties holding 1 n execute the key exchange protocol. This execution results in a transcript trans containing all the messages sent by the parties, and the key k that is output by each of the parties. 2. A random bit b {0,1} is chosen. If b = 0 then choose ˆk {0,1} n uniformly at random, and if b = 1 set ˆk := k. 3. A is given trans and ˆk, and outputs bit b. 4. The experiment succeeds if b = b. Diffie-Hellman Key Exchange: The Diffie-Hellman Key Exchange protocol is secure in the presence of an eavesdropper, under the assumption that the (Large Prime-Order Subgroup) Decision Diffie-Hellman problem is hard. Alice and Bob agree on an element g Z p of order q, for suitably large primes p,q (where q is a divisor of p 1). Alice chooses a random α Z q and sends y = g α mod p. Bob chooses a random β Z q and sends z = gβ mod p. Alice computes k A = z α mod p. Bob computes K B = y β mod p. Public Key Encryption Scheme: A public key encryption scheme is a tuple of probabilistic polynomial-time algorithms (Gen, Enc, Dec) such that: 1. The key generation algorithm Gen takes as input the security parameter 1 n and outputs a pair of keys (pk,sk). We refer to the first of these as the public key and the second as the private key. We assume for convenience that pk and sk each have length at least n, and that n can be determined from pk,sk. 2. The encryption algorithm Enc takes as input a public key pk and a message m from some underlying plaintext space (that may depend on pk). It outputs a ciphertext c, and we write this as c Enc pk (m). 9

10 3. The decryption algorithm Dec takes as input a private key sk and a ciphertext c, and ouutputs a message m or a special symbol denoting failure. We assume without loss of generality that Dec is deterministic, and write this as m := Dec sk (c). 4. (Consistency) There exists a negligible function negl such that for every n, every (pk,sk) output by Gen(1 n ), and every message m in the appropriate underlying plaintext space, it holds that Pr[Dec sk (Enc pk (m)) m] negl(n). CPA Security for Public Key Encryption: A public key encryption scheme (Gen, Enc, Dec) has indistinguishable encryptions under a chosenplaintext attack ( CPA-secure ; sometimes called IND-CPA-secure in the literature) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that the following distinguishing experiment succeeds with probability at most negl(n): a. Gen(1 n ) is run to obtain keys (pk,sk). b. Adversary A is given pk as well as oracle access to Enc pk (.). The adversary outputs a pair of messages m 0,m 1 of the same length. (These messages must be in the plaintext space associated with pk.) c. A random bit b {0,1} is chosen, and then a ciphertext c Enc pk (m b ) is computed and given to A. We call c the challenge ciphertext. d. A continues to have access to Enc pk (.), and outputs bit b. e. The distinguishing experiment succeeds if b = b. ElGamal Public Key Encryption: The ElGamal public key encryption scheme is CPA-secure, under the assumption that the (Large Prime- Order Subgroup) Decision Diffie-Hellman Problem is hard. The keys are pk = (g,g x mod p), sk = x R Z q, where p is a large prime, q is a large prime factor of p 1, and ord p (g) = q. To encrypt a message M (in the subgroup generated by g) under public key (g,y), choose a random r Z q and compute the ciphertext (g r mod p,my r mod p). To decrypt ciphertext (u,v) with secret key x, compute M = v(u 1 ) x mod p. CCA Security for Public Key Encryption: A public key encryption scheme (Gen, Enc, Dec) has indistinguishable encryptions under a chosenciphertext attack ( CCA-secure ; sometimes called IND-CCA2-secure in the literature) if for all probabilistic polynomial-time adversaries A there 10

11 exists a negligible function negl such that the following distinguishing experiment succeeds with probability at most negl(n): a. Gen(1 n ) is run to obtain keys (pk,sk). b. Adversary A is given pk as well as oracle access to Dec sk (.). The adversary outputs a pair of messages m 0,m 1 of the same length. (These messages must be in the plaintext space associated with pk.) c. A random bit b {0,1} is chosen, and then a ciphertext c Enc pk (m b ) is computed and given to A. We call c the challenge ciphertext. d. A continues to interact with Dec sk (.), but may not request decryption of c itself. Finally, A outputs bit b. e. The distinguishing experiment succeeds if b = b. Homomorphic Publc Key Encryption: A public key encryption scheme is homomorphic if there is an easy way to combine ciphertexts to perform some arithmetic operation on the underlying encrypted values. The ElGamal public key encryption scheme is multiplicatively homomorphic : If (u 1,v 1 ) and (u 2,v 2 ) are ElGamal encryptions of M 1 and M 2 (under the same public key), then (u 1 u 2 mod p,v 1 v 2 mod p) is an ElGamal encyrption of M 1 M 2 mod p. Paillier constructed an efficient public key encryption scheme that is additively homomorphic (details omitted). Digital Signature Scheme: A signature scheme is a tuple of three probabilistic polynomial-time algorithms (Gen, Sign, Vrfy) satisfying the following: 1. The key generation algorithm Gen takes as input a security parameter 1 n and outputs a pair of keys (pk, sk). These are called the public key and the private key respectively. We assume for convenience that pk and sk each have length at least n, and that n can be determined from pk,sk. 2. The signing algorithm Sign takes as input a private key sk and a message m {0,1}. It outputs a signature σ, denoted as σ Sign sk (m). 3. The deterministic verification algorithm Vrfy takes as input a public key pk, a message m, and a signature σ. It outputs a bit b, with b = 1 meaning valid and b = 0 meaning invalid. We write this as b := Vrfy pk (m,σ). 4. (Consistency) For every n, every (pk,sk) output by Gen(1 n ), and every m {0,1}, it holds that Vrfy pk (m,sign sk (m)) = 1. 11

12 Signature Scheme Security: A signature scheme (Gen, Sign, Vrfy) is existentially unforgeable under an adaptive chosen-message attack if for all probabilistic polynomial-time adversaries A, there exists a negligible function negl such that the following forging experiment succeeds with probability at most negl(n): 1. Gen(1 n ) is run to obtain keys (pk,sk). 2. Adversary A is given pk and oracle access to Sign sk (.). (This oracle returns a signature Sign sk (m) for any message m of the adversary s choice.) The adversary then outputs (m,σ). Let Q denote the set of messages whose signatures were requested by A during its execution. 3. The forging experiment succeeds if Vrfy pk (m,σ) = 1 and m Q. 4 Other Cryptographic Protocols 4.1 Proofs of Knowledge Schnorr Protocol: At the start of the Schnorr protocol, the Prover holds a pair g,y of elements in Z p where g has large prime order q. The protocol enables the Prover to convince the Verifier that he knows the discrete log of y with respect to the base g, i.e., that g r = y for some r Z q known to the Prover. The Prover chooses random s Z q and sends a = g s to the Prover. The Verifier chooses random c Z q and sends c to the Prover. The Prover sends t = s + cr mod q to the Verifier. The Verifier accepts if g t = ay c. Chaum-Pedersen Protocol: At the start of the Chaum-Pedersen protocol, the Prover holds a tuple (g,x,y,z) of elements in Zp where g has large prime order q. The protocol enables the Prover to convince the Verifier that he knows the discrete log of y with respect to the base g, and the discrete log of z with respect to the base x, and furthermore that these discrete logs are equal. Note that this convinces the Verifier that (g,x,y,z) is a valid DDH-tuple, i.e., that (g,x,y,z) = (g,g r 1,g r 2,g r 1r 2 ) for some r 1,r 2 Z q (where the Prover knows r 2 ). Note that this can also serve as a proof that an ElGamal ciphertext has been decrypted correctly, since (u, v) is an ElGamal encryption of M under pubic key (g,g x ) if and only if (g,g x,u,m 1 v) is a valid DDH-tuple. The Prover chooses random s Z q, and sends (a,b) to the Verifier, where a = g s and b = y s. The Verifier chooses random c Z q and sends c to the 12

13 Prover. The Prover sends t = s + cr 2 mod q to the Verifier. The Verifier accepts if g t = ay c and x t = bz c. Note: For both the Schnorr protocol and the Chaum-Pedersen protocol, if the Prover and Verifier follow the protocol honestly, then the Verifier is convinced of the claim without revealing any additional information to the Verifier. This is called an honest verifier zero-knowledge proof of knowledge. There is a nice tutorial on this topic available at Ivan Damgard s website ( On Σ-protocols ). Here are some key ideas from the security analysis of the Schnorr protocol. From two Schnorr transcripts with the same first message (a,c,t) and (a,c,t ) it is easy to compute the secret exponent r, which suggests that a cheating Prover cannot anticipate more than one challenge successfully without knowing r. If a Schnorr transcript is computed backwards, then it can be shown to be drawn from the same distribution as real transcripts that arise from a real interaction between an honest Prover and honest Verifier: Choose random t Zq, then choose random c Z q, and then compute a = g t y c. This suggests that no information is leaked by the Schnorr protocol to an honest Verifier. 4.2 Oblivious Transfer 1-out-of-2 Oblivious Transfer (1-2-OT): At the start of a 1-2-OT protocol, the sender decides on input messages M 0,M 1 and the receiver decies on an input bit σ {0,1}. Then both parties are assumed to follow the protocol honestly. At the end of the protocol, Receiver learns M σ while learning nothing about M 1 σ, and Sender learns nothing about σ. Here is a very efficient 1-2-OT protocol (Naor-Pinkas, SODA 2001), based on the assumption that the (large prime order subgroup) Decision Diffie- Hellman Problem is hard. It also relies on the security of a pseudorandom generator. The protocol works in a group of large prime order q. Recever chooses random a,b,c Z q, and sends x,y,z 0,z 1, where x = g a, y = g b, z σ = g ab, and z 1 σ = g c. Sender verifies that z 0 z 1. Sender chooses random r 0,s 0,r 1,s 1 Zq, and sends w 0,C 0,w 1,C 1, where w 0 = x s 0 g r 0, k 0 = z s 0 0 yr 0, C 0 = G(k 0 ) M 0, w 1 = x s 1 g r 1, k 1 = z s 1 1 yr 1, and C 1 = G(k 1 ) M 1. Receiver computes M σ = G(k σ ) C σ, where k σ = (w σ ) b. 13

14 Beaver s Pre-Processing Trick: Here is a way to speed up any 1-2-OT protocol in the situation where the Receiver decides on the selection bit σ before the Sender decides on the input messages M 0,M 1. The Sender and Receiver execute the 1-2-OT protocol ahead of time, with the Sender using randomly chosen messages R 0,R 1, and the Receiver using selection bit σ to learn R σ. Later on, after the Sender has decided on the input messages M 0,M 1, the Sender simply sends M 0 R 0 and M 1 R 1. The Receiver can use R σ to recover M σ, but learns nothing about M 1 σ. Extending Oblivious Transfer Efficiently: Here is a very efficient protocol (Ishai et al., Crypto 2003) for reducing m 1-2-OT protocols on l-bit messages to k 1-2-OT protocols on m-bit messages, where m > k (and may be l k as well). The Naor-Pinkas 1-2-OT can then be called k times to achieve many more than k OT s. Sender begins with m pairs (x j,0,x j,1 ) of l-bit strings, 1 j m. Receiver begins with m selection bits r 1,...,r m. Sender chooses random s i {0,1}, 1 i k. Receiver choosses random t i,j {0,1}, 1 i m, 1 j k. Sender and Receiver perform k 1-2-0T protocols on m-bit messages, reversing roles. In the ith 1-2-OT protocol, sender acts as receiver with selection bit s i, while receiver acts as sender with messages t 1i...t mi, and t 1i...t mi r 1...r m. Let Q denote the m by k matrix of values received by sender, where the ith column of Q has the output of the ith 1-2-OT protocol. For 1 i m, sender sends y i,0,y i,1, where y i,0 = x i,0 H(i,q i1...q ik ) and y i,1 = x i,1 H(i,q i1... q ik s 1...s k ). The hash function H : {1,...,m} {0,1} k {0,1} l is modeled as a random oracle in the security analysis. For 1 i m, receiver outputs z i = y i,r H(i,t i1...t ik ). 4.3 Two-Party Secure Computation Yao s Garbled Circuit Protocol: This is a two-party protocol for privately computing a function f(x,y). At the start of the protocol, Alice decides on input x, and Bob decides on input y. Then both parties are assumed to follow the protocol honestly. At the end of the protocol, both parties know the output f(x,y). Neither party can infer anything about the other party s input, beyond what is already revealed through learning the output. See the 2009 J. Cryptology article by Lindell and Pinkas for details on security models and proofs. 14

15 The protocol will use a double-lock symmetric key encryption scheme (E 2,D 2 ), for which two keys are needed to encrypt and decrypt. Here is a simple example of such a scheme, built from a pseudorandom generator G: E 2 K 1,K 2 (M) = R G(K 1 ),M R G(K 2 ). D 2 K 1,K 2 (C 1,C 2 ) = C 1 C 2 G(K 1 ) G(K 2 ). We will assume that messages are formatted before decryption (say prepended with k zeros, where k is a security parameter) so that unsuccessful decryption will be detected with all but negligible probability. Bob begins the protocol by constructing a garbled circuit from a boolean circuit C that computes the function f. For each wire i of the circuit C, Bob randomly chooses two keys: Wi 0 (corresponding to value 0 on that wire when the circuit is evaluated) and Wi 1 (corresponding to value 1). For every gate of C with input wires i,j and output wire k computing boolean function g, Bob computes a garbled gate, consisting of four double-encryptions in randomly permuted order: E 2 Wi 0,W (W g(0,0) j 0 k ), E 2 W 0 i,w 1 j (W g(0,1) k ), E 2 Wi 1,W j 0 (W g(1,0) k ), E 2 Wi 1,W (W g(1,1) j 1 k ). Bob sends to Alice all of the garbled gates. For every output wire i, Bob sends to Alice (i,(0,wi 0),(1,W i 1 )) ( output table ). For every input wire i that corresponds to a bit of Bob s input, Bob sends to Alice (i,w y i i ), where y i is the corresponding bit of Bob s input y. For every input wire i that corresponds to a bit of Alice s input, Bob uses 1-2-OT to send W x i i to Alice, where x i is the corresponding bit of Alice s input x. That is, Bob plays the role of the sender in the 1-2-OT protocol with messages Wi 0,W i 1, and Alice plays the role of the receiver with selection bit x i. Alice now performs the following procedure repeatedly: Choose a gate such that she knows some keys Wi a and Wj b for the gate s input wires i,j. Find the corresponding garbled gate, and attempt to decrypt the four ciphertexts using the keys Wi a,w i b. From the one successful decryption, Alice learns W g(a,b) k, where k is the gate s output wire, and where the gate computes the boolean function g. This procedure maintains the following invariant: Every key learned by Alice corresponds to the value on a wire in the computation of the circuit for the inputs of Bob and Alice. At the end of the procedure, Alice knows one key corresponding to the value on each of the circuit s output wires. Alice can now find the actual output values by looking up those keys in the output 15

16 table sent by Bob. She can then send the actual output values to Bob to end the protocol. One Decryption per Gate: There is a standard method to modify the garbled circuit construction so that Alice only needs to perform one decryption per garbled gate (and message formatting is unnecessary). The idea is to associate a random bit (permutation) p i with each wire i in the circuit. Each wire key Wi a is concatenated with its masked value: Wi a p i a. These concatenated keys replace the wire keys throughout the garbled circuit construction. In particular, for a gate g with input wires i,j and output wire k, and for a,b {0,1}, W g(a,b) k g(a,b) p k is double-encrypted with Wi a a p i and Wj b p j. The entries in a garbled gate no longer need to be randomly permuted, but can rather be given in standard order according to the masked input values (e.g,. (a,b) first if a p i = 0 and b p j = 0, etc.). As soon as Alice knows a key and masked value for each input wire, she can look up the appropriate ciphertext in the garbled gate, and doubledecrypt that one ciphertext to learn a key and masked value for the output wire. The method can be generalized to garbled look-up tables that have many input bits and output bits. See the article on Fairplay [Malkhi et al., Usenix Security 2004] for details. Free-XOR Trick: The free-xor trick is a way to modify the garbled circuit construction so that no communication is needed for any of the xor gates in the circuit. That is, Bob does not need to construct garbled gates for the xor gates in the circuit. The basic idea is for Bob to carefully choose wire keys so that, for every xor gate with input wires i,j and output wire k, Wi a W j b = W k a b for all a,b {0,1}. See the paper by Koleshnikov and Schneider [ICALP 2008] for details. 4.4 Multi-Party Secure Computation BGW/CCD Protocol: This is a protocol for privately computing a function f among n 3 parties connected by a complete network of private channels. For simplicity of presentation, we assume that each party s input is a single element of Z p (where p > n), and that the output is a single element of Z p. The function f can be represented as an arithmetic circuit, with n input wires and one output wire, consisting of the following types of gates: addition gate: If the values on its two incoming wires are a,b Z p, then the value on its outgoing wire is a + b mod p. multiply-by-constant gate: If the value on its one incoming wire is a Z p, 16

17 then the value on its outgoing wire is ac mod p. Note that there are multiplyby-constant gates for every c Z p. multiply gate: If the values on its two incoming wires are a,b Z p, then the value on its outgoing wire is ab mod p. At the start of the protocol, each party i decides on input a i Z p. Then all n parties are assumed to follow the protocol honestly. At the end of the protocol, all parties know the output f(a 1,...,a n ). If n 2t + 1, then no coalition of t parties can infer anything about the other parties inputs beyond what is already revealed through learning the output. See Secure Multiparty Computation Goes Live, Bogetoft et al., Financial Crypto for more details on security models and proofs. The protocol, which exploits nice algebraic properties of Shamir s secret sharing scheme, proceeds as follows: Input Phase: All parties create shares of their inputs using Shamir s (t + 1, n) threshold secret sharing scheme (using the same p that the function f is being computed over), that is, the inputs are shared with degree t polynomials. Each party i sends its jth share to party j, for all i,j [1... n]. Addition Gate: Assume that each party holds valid shares of the values a, b on the incoming wires of an addition gate. Then each party can add its two shares (modulo p) to create a valid share of the value a + b mod p on the outgoing wire. Multiply-by-constant gate: Assume that each party holds valid shares of the value a on the incoming wire of a multiply-by-constant gate (for a fixed known constant c Z p ). Then each party can multiply its share by c (modulo p) to create a valid share of the value ac mod p on the outgoing wire. Multiply gate: Assume that each party holds valid shares of the values a,b on the incoming wires of a multiply gate. Then each party can multiply its two shares (modulo p) to create an *invalid* share of the value ab mod p on the outgoing wire. It is invalid because the n shares lie on a degree 2t polynomial passing through (0,ab mod p), instead of a degree t polynomial. There is also a randomness problem. The parties can participate in a simple oneround protocol to fix these imperfections: Each server shares its invalid share of ab mod p with the other servers. Then each server locally computes a linear combination of the shares of invalid shares that it received, using appropriate Lagrange coefficients for interpolating a degree two polynomial at zero. Output Phase: After all gates are processed, the parties hold valid shares 17

18 of the value on the arithmetic circuit s output wire. The parties perform the Reconstruction Phase of Shamir s secret sharing scheme to recover the output. 18