Cryptography. Primitives and Protocols. Aggelos Kiayias

Transcription

1 P1 P2 P3 E E E IV C1 C2 C3 Aggelos Kiayias Cyptogaphy Pimitives and Potocols Based on notes by G. Panagiotakos, S. Pehlivanoglu, J. Todd, K. Samai, T. Zachaias and H.S. Zhou

2 CONTENTS 1 Contents 1 Intoduction Flipping a Coin ove a Telephone Oveview of Cyptogaphy Mathematical Review Algeba and Numbe Theoy Discete Pobability Conditional Pobability Random Vaiables Tails of Pobability Distibutions Statistical Distance Statistical Tests Pobabilistic Algoithms Constucting Commitment Schemes Syntax of a commitment scheme Secuity Popeties Implementation Poof of secuity Symmetic Cyptosystems Classical ciphes The Data Encyption Standad (DES) The Advanced Encyption Standad (AES) Modes of Opeation 29 6 Diffie-Hellman Key Exchange Potocol The Diffie-Hellman Potocol Related Numbe-Theoetical Poblems Goup Geneatos The Decisional Diffie-Hellman Assumption Modeling Secuity against Passive Advesaies Suitable Goup Geneatos fo the DDH Assumption Modified Diffie-Hellman Potocol Stonge Advesaies Digital Signatues Tapdoo One-Way-Functions Collision Resistant Hash Functions Random Oacles Digital Signatues The RSA Function: The eth Powe Map on Z n RSA Digital Signatues Zeo-Knowledge Poofs Examples of Zeo-Knowledge Poofs Thee Basic Popeties The Schno Potocol Non-Inteactive Zeo-Knowledge Poofs

3 CONTENTS Honest-Veifie Zeo-Knowledge fo all NP The Conjunction of Two Zeo-Knowledge Poofs The Disjunction of Two Zeo-Knowledge Poofs Public-Key Encyption AON-CPA Secuity IND-CPA Secuity ElGamal Encyption Stuctuing Secuity Poofs as Sequences of Games Game Basics The Fist Game-Playing Lemma The Second Game-Playing Lemma The Thid Game-Playing Lemma PRPs vesus PRFs The Came-Shoup Cyptosystem Step 1: Poving IND-CPA Secuity The Two-Geneato ElGamal Public-Key Cyptosystem Step 2: The IND-CCA1 Vesion, Lunch-Time Attacks The CCA1-CS Public-Key Cyptosystem Step 3: The IND-CCA2 Vesion The CS Public-Key Cyptosystem Pivacy Pimitives Blind Signatues Mix-Seves Distibuting Tust Secet shaing Shami s Secet Shaing Scheme Distibuting Decyption Capabilities Publicly Veifiable Secet Shaing Distibuting the Deale Boadcast Encyption Complete Binay Tees Elliptic Cuve Cyptogaphy Elliptic Cuves Bilinea Maps Bilinea Diffie-Hellman Assumption One-Round, 3-Pat Key Ageement Scheme Identity-Based Encyption Simulation Based Secuity The 2DH Key Exchange Potocol The 2mDH Key Exchange Potocol

4 CONTENTS 3 18 Pivate Infomation Retieval Infomation Theoetic PIR Computational PIR An instantiation of a XOR-homomophic asymmetic encyption scheme The bitcoin potocol The q-bounded synchonous setting The coe lemma

5 4 1 Intoduction To begin discussing the basic popeties of cyptogaphy and illustate the cuent state of the discipline we will conside a basic poblem of tust elated to coin tossing. 1.1 Flipping a Coin ove a Telephone Suppose Alice and Bob ae talking on the phone, debating whee they should go fo the evening. They agee to toss a coin to see who decides whee they go. If Alice and Bob wee in the same physical location, they could easily flip a coin and both could veify the esult. Since they want to do this ove the phone, they need a pocedue that enables both paties to veify the outcome and ensues that the outcome is unbiased. To undestand the solution, it is helpful to think conceptually how the poblem can be solved using a box. Alice tosses he coin and places it in the box. This foces Alice to be consistent and pevents he fom changing the esult. Hee the box constitutes a commitment mechanism. Although Bob still needs to open the box and check the outcome, by employing the box, both paties no longe need to be physically pesent simultaneously to toss a coin. What can be the digital equivalent of a box? Let us conside the following. Suppose thee is a pe-ageed upon mapping f that sends each of 0 and 1 to a set of objects at andom. The mapping f will play the ole of the box. To detemine the outcome of the coin toss, 1. Alice flips a coin and eceives a {0, 1}. She computes f(a). 2. Alice sends y = f(a) to Bob. 3. Bob flips a coin and eceives b {0, 1}. He sends b to Alice. 4. If a = b, Alice calls Heads; othewise Alice calls Tails. 5. Alice discloses the value of a and Bob veifies that y is a valid commitment to a. 6. Bob checks if a = b and confims the esult of Heads o Tails. In ode fo this potocol to effectively solve the poblem, f must satisfy the following popeties: 1. The hiding popety ensues f does not eveal any infomation about a. 2. The binding popety equies that it be impossible fo Alice to alte the value committed to y = f(a) and still convince Bob of the validity of the commitment. If both paties follow the potocol faithfully, the pobability distibution of Heads and Tails is unifom fo both playes; moeove, both paties each the same conclusion. Let us now examine what happens if a playe deviates fom the faithful execution of the potocol. Possible scenaios in which the secuity of the potocol may be affected include: 1. Afte obtaining b in Step 3, Alice substitutes a fo a such that y = f(a ). 2. Bob ties to guess a afte eceiving y and selects b accodingly. 3. One o both of the playes toss thei coin in a biased manne such that the pobability of Heads o Tails is no longe 1/2. If f is chosen accodingly, y is committing to a cetain a so the binding popety pohibits Alice fom cheating in the fist scenaio. Similaly, in the second instance Bob should not be able to effectively guess a because of the hiding popety. The last scenaio equies some calculation to detemine whethe o not diffeent pobabilities of a and b affect the pobability distibution of the playes chances. We have fou possibilities.

6 1.2 Oveview of Cyptogaphy 5 1. Alice selects a = 0 with pobability α, Bob selects b = 0 with pobability β, and the output is Heads; 2. Alice selects a = 0 with pobability α, Bob selects b = 1 with pobability 1 β, and the output is Tails; 3. Alice selects a = 1 with pobability 1 α, Bob selects b = 0 with pobability β, and the output is Tails; 4. Alice selects a = 1 with pobability 1 α, Bob selects b = 1 with pobability 1 β, and the output is Heads. Then Pob[Heads] = αβ + (1 α)(1 β) = 1 α β + 2αβ. If both playes ae dishonest, the potocol will not necessaily function coectly. If one of the paties is honest, so α o β = 1/2, then Pob[Heads] = 1/2. Based on the above, we may be able to ague that the potocol is secue against malicious behavio in the following sense: no matte the behavio of a malicious paty, assuming that the potocol is executed in its entiety, a unifomly distibuted pobability will be guaanteed to an honest paty. 1.2 Oveview of Cyptogaphy The pevious example illustates the eseach pocess of moden cyptogaphy which can be epitomized as follows. 1. Identify impotant poblems in need of cyptogaphic solutions. These ae typically poblems of tust between two o moe paties. As a ule of thumb, if the poblem can be solved by intoducing a tusted thid paty that is connected to all the paticipants then the poblem can be solved cyptogaphically. Fo instance, we will see that the coin tossing is an impotant poblem that accepts a cyptogaphic solution and has numeous applications in constucting secue systems. Obseve that it can be easily solved by employing a tusted thid paty that will flip a coin and announce it to both Alice and Bob. 2. Fomally defining secuity and coectness fo all involved paties. This some times is called the secuity model o theat model. It entails a fomal definition of what the advesay is allowed to do and what is the objective it has. 3. Specify what esouces ae available to the paties that ae engaged in the potocol. Fo instance in the solution above fo coin flipping it was assumed that Alice and Bob both have a coin and they can flip to poduce local andomness. 4. Design a candidate solution that is in the fom of a potocol o algoithm and syntactically is consistent with the poblem. 5. Detemine a set of assumptions that ae needed as peconditions fo the solution to satisfy the secuity model. In the above desciption we made two assumptions that wee infomally stated about the function f, the binding and hiding popeties. 6. Finally, povide a poof of secuity and coectness so as to convince that the system satisfies the secuity and coectness specifications as defined in the fomal secuity model. In shot, we will focus on the goals, designs, pimitives, models, and poofs associated with cyptogaphy. The fomal, o povable-secuity appoach to the study of cyptogaphy povides mathematical poofs that an advesay s objective is eithe impossible o violates an undelying assumption in a model. An effective solution should satisfy the secuity model as extensively as possible with the weakest possible assumptions. The povable-secuity paadigm typically entails two things:

7 6 1. Constucting a fomal secuity model and defining what it means fo a given cyptogaphic design to be secue; and 2. Demonstating that the existence of an advesay capable of efficiently beaking the design s secuity is eithe impossible in the model o it can be tansfomed into an algoithm solving a computationally had poblem, i.e., a poblem that we assume infeasible to be solved. The second item points to an aea of inteest fo us called computational complexity. This discipline aims to answe questions such as How many steps ae necessay to solve a poblem? o How much space is equied to find a solution to a poblem? One of the objectives of computational complexity is to calculate the time equied to find a solution to a poblem. Fo example, one of the fundamental open poblems in compute science and mathematics elates to the classes P and NP. P is the set of poblems that can be solved in polynomial-time and NP is the set of poblems fo which a candidate solution can be veified in polynomial-time. Although significant effot has been devoted to undestanding the elationship between these two classes, it is still unknown if P NP. It is known howeve, that many poofs of secuity would imply P NP. In ode to undestand this, obseve the N P -natue of cyptogaphy; namely that secet keys play the ole of the candidate solutions in a suitable N P poblem. Unfotunately, the fact that P N P is not helpful in cyptogaphic secuity poofs. Such applications ask fo aveage hadness; that is, a andom instance of a poblem should be computationally had, while N P poblems may be had only in the wost-case. An impotant tool that assists in the classification of computational poblems is the concept of eduction. Suppose thee ae two poblems A and B and an algoithm α that solves A with oacle access to B, witten α B. We can appopiately define a pe-ode 1 ove all poblems so A B if and only if thee is an algoithm α whee α B solves A. This is a eduction. Intuitively, A B implies that A cannot be substantially hade than B. Say, A is a well-known had poblem, such as the factoing poblem o the discete logaithm poblem (that we will define in the sequel), and B coesponds to beaking the secuity of ou cyptogaphic constuction. If A is acceptably had and we can poduce a eduction as is specified above, we can assume ou constuction is povably secue. Despite the fact that eductions povide little eal poof of secuity, they ae acceptable given ou geneal inability to constuct a lowe bound on the difficulty of computational poblems. 2 Mathematical Review Hee we give a quick eview of algeba, numbe theoy, and pobability. Futhe eviews will be povided as necessay in subsequent sections Algeba and Numbe Theoy Goups Definition A goup (G, ) is a set G togethe with a binay opeation satisfying the following conditions: G is closed unde : fo all g, h G, g h G; The opeation is associative: fo all g, h, l G, g (h l) = (g h) l G; G contains an identity element e such that g e = e g = g fo all g G; 1 A pe-ode is a eflexive, tansitive elation. 2 Fo moe mathematical eview, see [1].

8 2.1 Algeba and Numbe Theoy 7 G is closed unde invesion: fo all g G, thee exists g 1 G such that g g 1 = g 1 g = e. Fomally, a goup is denoted by an odeed pai (G, ). We will wite G when is undestood. Definition A goup G is called Abelian if fo all g, h G, g h = h g. Theoem If G is an Abelian goup unde, then G contains exactly one identity element and evey element of G has a unique invese. Definition In a finite goup G, the ode of G is the size o numbe of elements in the goup, denoted #G o G. Definition Fo a goup G and g G, define the ode of g to be the smallest positive intege i such that g i = e, o equivalently, g g g = e. We denote the ode of g by od(g). }{{} i times Theoem (Lagange). In a finite goup, the ode of any element divides the size of the goup. Definition If thee is some element g G such that od(g) = #G, then g geneates G and we call G a cyclic goup. We wite G = g. Example. Conside Z 5 = Z 5 {0}. This is a cyclic goup unde multiplication modulo 5. Ou goal is to find g Z 5 such that od(g) = #Z 5 = 4 and theefoe g = Z 5. Clealy 1 Z 5, so let us ty 2: mod 5, mod 5, mod 5, mod 5, and mod 5. Since 2 = {1, 2, 3, 4} and 2 has ode 4, 2 geneatos Z 5. It is possible fo multiple elements to geneate the goup, so let us now ty 3. By Lagange, od(3) 4. Fom ou pevious calculations, mod 5, so od(2 3 ) = od(3). Then 3 od(3) 2 3od(3) 1 mod 5 and 3od(3) od(2) mod 4. Since 3 and 4 ae elatively pime, od(3) = 4. Thus 3 is anothe geneato of Z 5. By the same agument, we can show 4 is not a geneato. Fom the above, mod 5, so od(2 2 ) = od(4). We know that 2 (the exponent in 2 2 ) divides 4, theefoe gcd(2, 4) divides 4. Moeove, od(4) = 4/ gcd(2, 4) = 2. This implies # 4 = 2, so 4 is not a geneato: 4 = {1, 4}. Rings and Fields Definition A (commutative) ing R is a set togethe with two binay opeations + and such that (R, +) is an Abelian goup; The opeation is associative: ( s) t = (s t) fo all, s, t R; The distibutive law holds in R: (s + t) = s + t and ( + s) t = t + s t fo all, s, t R; The opeation commutes: s = s fo all, s R; and R contains an identity if thee is an element 1 R such that 1 = 1 = fo all R. Simply put, a commutative ing is an Abelian goup without inveses. Not all ings contain 1, so the last condition is not absolute. Example. Z is a ing unde the usual addition and multiplication. Example. Z n is a ing unde addition and multiplication modulo n.

9 2.1 Algeba and Numbe Theoy 8 Definition A field F is a set togethe with two binay opeations + and such that (F, +) is an Abelian goup with identity 0; (F {0}, ) is an Abelian goup with identity 1 and the distibutive law holds. Example. Q, R, and C ae all fields unde the usual addition and multiplication. Example. Fo any pime p, Z p is a field unde addition and multiplication modulo p. Definition Let p be a pime. Then Z p is a finite field, denoted F p. Chinese Remainde Theoem Definition We denote conguence elationships ove the integes by a b mod n if and only if n (a b). Theoem (Chinese Remainde Theoem). Let m 1,..., m k be paiwise elatively pime positive integes and let c 1,..., c k be abitay integes. Then thee exists an intege x such that x c i mod m i fo all i = 1,..., k. Moeove, any intege x is also a solution to these conguences if and only if x x mod M whee M = m i fo i = 1,..., k. Poof. Let M = m i fo i = 1,..., k. Define m i = M/m i. All the m i s ae paiwise elatively pime, so gcd(m i, m i ) = 1 fo all i. Let u i = (m i ) 1 mod m i and w i = m i u i. By constuction then, w i 1 mod m i and w i 0 mod m j when i j. This gives us w i δ ij mod m j whee { 1, if i = j δ ij = 0, if i j. Letting x = w i c i fo i = 1,..., k, we see as desied. x k δ ij c i c j mod m j Remak. The Chinese Remainde Theoem implies the goup isomophism j=1 Z n = Z p e Z p em m, given by a mod n (a mod p e1 1,..., a mod pem m ), whee n = p e1 1 pem m pimes p i. fo integes e i and distinct Example. Histoically, the Chinese used this theoem to count soldies. Afte a battle, the soldies would line up in ows of (fo example) thee, then in ows of five, and then in ows of seven. By counting the emaining soldies afte each fomation, the commandes could quickly detemine the total numbe of men and theefoe detemine thei losses. Say thee ae fewe than 100 soldies. Afte lining up 3 soldies in each ow, 1 soldie emains. Afte standing 5 in a ow, 2 soldies emain, and afte standing 7 in a ow, 6 emain. We want to calculate the exact numbe of soldies.

10 2.2 Discete Pobability 9 Let x epesent the total. Then x 1 mod 3 x 2 mod 5 x 6 mod 7. We compute M = = 105, and m 1 = 35, m 2 = 21, m 3 = 15. Computing inveses now, we have u 1 = mod 3 u 2 = mod 5 u 3 = mod 7 Then w 1 = 70, w 2 = 21, w 3 = 15, making x = w 1 c 1 + w 2 c 2 + w 3 c 3 = 70(1) + 21(2) + 15(6) 97 mod 105. Thus thee ae 97 soldies. 2.2 Discete Pobability Definition A discete pobability distibution D ove a set [D] is specified as Pob D [u] [0, 1] fo all u [D] u D Pob D[u] = 1. The set [D] is called the suppot of D. Example (Succeeding by Repetition). Conside an expeiment whee the pobability of success is p. Suppose the expeiment is epeated n times; we want to bound the pobability that all n tials fail. Since each tial is independent of the next, the pobability of n failues is (1 p) n. Recall that 1 x e x fo all x. By letting x = p and aising both sides to the nth powe, we obtain the uppe bound (1 p) n e pn. Then Pob[At least 1 success] = 1 Pob[All fail] 1 e pn. If p is fixed, the pobability that all tials fail dops exponentially accoding to the numbe of epetitions n. Example (Balls and Boxes). Conside an expeiment with n boxes and k balls, each of a diffeent colo. Each ball is thown into a box at andom. We define a collision to be the event that 2 diffeent coloed balls land in the same box. We want to calculate the pobability of a collision. In a situation like this, it is often easie to calculate the pobability of the complementay event: Pob D [No collision] = n(n 1) (n k + 1) n k = Using again the fact that 1 x e x fo all x, we have k 1 j=0 ( ) n j = n k 1 j=1 Since Pob[Collision] = 1 Pob[No collision], ( 1 j ) k 1 n j=1 Pob D [Collision] 1 e k(k 1)/2n. k 1 j=0 ( n j n e j/n = e k(k 1)/2n. ).

11 2.3 Conditional Pobability 10 Example (The Bithday Paadox). The Bithday Paadox is a classic poblem utilizing the pevious scheme. We want to know how many people must be in a oom fo thee to be at least a 50% chance that two people have the same bithday (a collision). Let n = 365 and assume that people s bithdays ae unifomly distibuted ove the days of the yea. If we want Pob D [Collision] 1/2, then 1 e k(k 1)/2n 1 2 e k(k 1)/2n 1 2 e k(k 1)/2n 2 k(k 1) ln 2 2n k 2 2n ln 2 k 2n ln 2 So if thee ae moe than 23 people in a oom, thee is ove a 50% chance that two people shae the same bithday. This seems a bit counteintuitive; hence the name paadox. Example (Binomial Distibution). A binomial tial is an expeiment with only two possible outcomes: success and failue. Let [D] = {0, 1,..., n} and the pobability of one success be p, then the binomial distibution is the pobability of u successes in a sequence of n independent tials: ( ) n Pob D [u] = p u (1 p) n u. u Definition A subset A [D] denotes an event. The pobability of A is Pob D [A] = u A Pob D [u]. It is also possible to pove vaious statements about set theoetical opeations defined between events, such as unions and intesections. Fo example, if A, B [D], we have Pob D [A B] = Pob D [A] + Pob D [B] Pob D [A B]. This is called the inclusion-exclusion pincipal. 2.3 Conditional Pobability Definition Let A and B be two events. The pobability of A occuing, given that B has aleady occued is called a conditional pobability. This is given by Pob D [A B] = Pob D[A B]. Pob D [B] The following theoem is useful fo computing conditional pobabilities. Theoem (Bayes). Fo two events A and B, Pob D [B A] = Pob D[A B] Pob D [B]. Pob D [A] Moeove, if D 1,..., D n is a patition of disjoint events of [D] such that [D] = D i fo 1 i n, then fo any events A and B, Pob D [B A] = Pob D [A B] Pob D [B] n i=1 Pob D[A D i ] Pob D [D i ].

12 2.4 Random Vaiables 11 Let B denote the complement of an event: B = [D] \ B. Bayes theoem suggests Pob D [B A] = Pob D [A B] Pob D [B] Pob D [A B] Pob D [B] + Pob D [A B] Pob D [B]. Example. Hee we see an application of Bayes Theoem. Let D be a pobability distibution ove a given population and let the event S coespond to the subset of the population sick with a cetain disease. Suppose thee is a medical test that checks fo the disease and define T to be the event that an individual selected fom the population tests positive. The pevalence of the disease is Pob D [S] = 1%, the chances of a successful test ae Pob D [T S] = 99%, and the pobability of an inaccuate test is Pob D [T S] = 5%. We want to find the pobability that a cetain individual is sick, given that the test esult is positive. A common mistake is to claim that the pobability is 99%- the success ate of the test. This is false because it fails to take into account that we aleady know the peson tested positive. Using Bayes theoem, we can account fo this infomation and compute Pob D [T S] Pob D [S] Pob D [S T] = Pob D [T S] Pob D [S] + Pob D [T S] Pob D [S] (0.99)(0.01) = (0.99)(0.01) + (0.05)(1 0.01) = 1 6. This might seem uneasonable, but because the disease is so uncommon, a positive test is moe likely to occu fom an inaccuate test than fom the actual sickness. 2.4 Random Vaiables Definition Fo a pobability distibution D, we define a andom vaiable X to be a function X : [D] R. Fo any x R, we use the notation Pob[X = x] = Pob D [u]. X(u)=x We say that a andom vaiable X is distibuted accoding to D if X : [D] [D] is the identity function. We denote this by Pob[X = x] = Pob D [u]. X D X(u)=x Definition Fo any pobability distibution D with andom vaiable X, its expectation is E[X] = x R xpob[x = x]. Definition The vaiance of a discete andom vaiable X measues the spead, o vaiability of a distibution. It is defined by Va[X] = E[X 2 ] E[X] 2.

13 2.5 Tails of Pobability Distibutions Tails of Pobability Distibutions When analyzing andom pocedues, we often want to estimate the bounds on the tails of a pobability distibution. The tem tails efes to the extemities of the gaphical epesentation of a pobability distibution, whee the distibution deviates fom the mean. The following theoems will be helpful. Theoem (Makov s Inequality). Let X be a andom vaiable that takes only nonnegative eal values. Then fo any t > 0, Pob[X t] E[X]. t Theoem (Chebyshev s Inequality). Let X be a andom vaiable. Fo any t > 0 we have Pob[ X E(X) t] Va[X] t 2. Theoem (Chenoff s Bound). Let X 1,..., X n be independent andom vaiables taking values in {0, 1} with Pob[X i = 1] = p i. Then [ n ] [ n ] ( Pob X i (1 δ)µ e µδ2 /2 e δ ) µ and Pob X i (1 + δ)µ (1 + δ) 1+δ i=1 whee µ = p i and δ (0, 1]. Hee µ is the expectation and (1 δ)µ and (1 + δ)µ ae the tails. Example (Guessing with a Majoity). Suppose thee is an oacle that answes questions with Yes o No, and answes questions coectly with pobability 1/2 + α. Say we ask the oacle n questions and let X i be a andom vaiable accoding to { 1, oacle answes the i th quey coectly X i = 0, othewise. If we define a failue as eceiving fewe coect answes than incoect answes, the pobability of failing is [ [ Pob[Failue] = Pob # of coect answes n ] n ] = Pob X i n. 2 2 i=1 Hee we apply Chenoff s bound by setting n/2 = (1 δ)µ. Then [ n ] Pob X i (1 δ)µ e µδ2 /2. (1) i=1 Noting that µ = (1/2 + α)n, we can solve fo δ. n = (1 δ)µ 2 n = (1 δ) 2 δ = α 1/2 + α ( α i=1 ) n To estimate the pobability of a failue, we substitute this value of δ into (1). Pob[Failue] e α2 n/(1+2α).

14 2.6 Statistical Distance 13 This implies that if the oacle has bias α, we can typically expose the bias afte a sufficient numbe of epetitions n. Because of this, the pobability of failing dops exponentially depending on the degee of the bias and the numbe of tials. If we want the pobability of failing to fall below some ε, we can find a suitable lowe bound on n. e α2 n/(1+2α) < ε α 2 n (1 + 2α) < ln(ε) n > α 2 (1 + 2α) ln ( ) 1 ε So by taking n lage enough, we can guaantee that the pobability of failing is sufficiently low. 2.6 Statistical Distance Definition Let X and Y be andom vaiables distibuted accoding to D 1 and D 2 espectively and let V = X([D 1 ]) Y ([D 2 ]). We define the statistical distance by [X, Y ] = 1 2 Pob [X = u] Pob [Y = u] X D 1 Y D 2. u V Figue 1 illustates the statistical distance between two andom vaiables X and Y. The dotted cuve epesents the distibution of X ove D 1 and the black cuve coesponds to Y ove D 2. By definition, the sum of the pobabilities ove the suppot set is 1, so the aea below each cuve is 1. Half the sum of the shaded aeas epesents the statistical distance between X and Y. Because the stiped aea equals the gay aea, dividing the total shaded aea by 2 effectively establishes one of the two maked aeas as the statistical distance. [D 2] [D ] 1 Figue 1: Two pobability distibutions ove diffeent suppot sets [D 1 ] and [D 2 ]. egions distinguish the statistical distance between the andom vaiables. The shaded Execise: Show that fo any two suppot sets [D 1 ] and [D 2 ], the stiped aea equals the gay aea, so the statistical distance is equal to one of the two aeas. Definition Let ε > 0, then two andom vaiables X and Y ae said to be ε-close if [X, Y ] ε. Example. Let D 1 be the unifom distibution ove [0, A) whee 2 n A < 2 n+1 and let D 2 be the unifom distibution ove [0, 2 n ). We want to calculate the statistical distance of D 1 and D 2.

15 2.7 Statistical Tests 14 Since D 1 is unifom ove [0, A), we have Pob D1 [u] = 1/A fo all u [0, A). Similaly, we can extend D 2 ove the sample space [0, A) by defining { 1/2 n, u [0, 2 n ) Pob D2 [u] = 0, u [2 n, A). Suppose X and Y ae andom vaiables distibuted accoding to D 1 and D 2 espectively whee [D 1 ] = [D 2 ] = [0, A). Then [X, Y ] = 1 2 Pob [X = u] Pob [X = u] X D 1 X D 2 u [0,A) = A 1 2 n + 1 A 0 u [0,2 n ) u [2 n,a) = 1 ( n 1 ) + 1 A A u [0,2 n ) u [2 n,a) = 1 (( n 1 ) 2 n + 1 ) A A (A 2n ) = A 2n A. Letting d = A 2 n, we have [X, Y ] = d/(d + 2 n ). When A is elatively close to 2 n, [X, Y ] appoximates 0. Fo example, if d = 2 n/2 so that A = 2 n/2 + 2 n, the statistical distance dops exponentially: d d + 2 n = 2n/2 2 n/2 + 2 = 1 n n/2 2 n/2. Definition A function f is negligible if fo all c R thee exists n 0 N such that f(n) 1/n c fo all n n 0. Definition A (pobability) ensemble is a collection of distibutions D = {D n } n N. We now take the collection X ove an ensemble D to mean a collection of andom vaiables ove D n D. As an abuse of notation howeve, we will still efe to the collection X as a andom vaiable. Definition Let X and Y be andom vaiables ove ensembles D and D. We say D and D ae statistically indistinguishable if [X, Y ] is a negligible function in n. It needs to be stessed that [X, Y ] 0 fo two ensembles does not imply that the ensembles ae indistinguishable. Statistical indistinguishability implies that the statistical distance, when viewed as a function of n, should be smalle than any polynomial function of n fo sufficiently lage values of n. 2.7 Statistical Tests Definition A statistical test A fo an ensemble D = {D n } n N is an algoithm that takes input elements fom D n and outputs values in {0, 1} fo each n N. Theoem Conside the statistical test A as a function of n and let X and Y be andom vaiables following the ensembles D 1 and D 2 espectively. Define A [X, Y ] = Pob [A(X) = 1] Pob [A(Y ) = 1] X D 1 Y D 2

16 2.7 Statistical Tests 15 to be the statistical distance with espect to the test A. Then fo all A, [X, Y ] A [X, Y ] and thee exists some A such that [X, Y ] = A [X, Y ]. The fist pat of the theoem is agued as follows. Fo any A, A [X, Y ] = Pob D1 [a] Pob D2 [a] Pob D1 [a] Pob D2 [a] = df N 1 a A n a A n whee A n = {a D n : A(a) = 1}. Now conside the statistical test A that opeates exactly as A but flips the answe. It is immediate that A [X, Y ] = A [X, Y ] based on the definition of A [, ]. Based on a simila easoning as above we have that A [X, Y ] = A [X, Y ] a A n Pob D1 [a] Pob D2 [a] = df N 2 whee A n is the complement of A n in D n. Now we obseve that N 1 + N 2 = Pob D1 [a] Pob D2 [a] + Pob D1 [a] Pob D2 [a] a A n a A n = Pob D1 [a] Pob D2 [a] a D n = 2 [X, Y ]. Due to A [X, Y ] = A [X, Y ] and the fact that A [X, Y ] + A [X, Y ] 2 [X, Y ] the esult follows. Regading the second pat of the theoem, we define a distinguishe A as follows: { A 1, Pob D1 [a] Pob D2 [a] (a) = 0, othewise, it follows easily that [X, Y ] = A [X, Y ]. Indeed, fo A n = {a D n : A (a) = 1} D n, A [X, Y ] = Pob D1 [a] Pob D2 [a] = (Pob D1 [a] Pob D2 [a]) a A n a A n fom which the esult follows immediately. To visualize how [X, Y ] = A [X, Y ] fo this distinguishe, we etun to Figue 1. The stiped aea denotes whee Pob D1 [u] Pob D2 [u], which we have aleady seen is exactly the statistical distance. a A n Example. Conside the two pobability distibutions D 1 and D 2 whee b 1 b 0 D 1 D ε ε Let X and Y be andom vaiables following D 1 and D 2. The statistical distance is [X, Y ] = 1 ( (0.25 ε) ( ε) ) = ε. 2

17 2.8 Pobabilistic Algoithms 16 Take a set of statistical tests A 1,..., A 5 that distinguish the pevious pobability distibutions. Suppose we ae given two bits b 0 and b 1. Test A 1 outputs b 1. By the pevious infomation, it is clea that A1 [X, Y ] = ( ε) ( ) = ε. Test A 2 outputs b 0, so then A2 [X, Y ] = ( ) ( ) = 0. If Test A 3 outputs b 0 +b 1 mod 2, also denoted by the exclusive-o opeato b 0 b 1, its statistical distance is given by A3 [X, Y ] = ( ε) ( ) = ε. Test A 4 outputs b 0 b 1, so A4 [X, Y ] = ( ε) ( ) = ε. And finally, if Test A 5 outputs b 0 b 1, its statistical distance is A5 [X, Y ] = = 0. Based on this infomation, we can detemine that A 1, A 3, and A 4 ae good tests with espect to D 1 and D 2 because thei espective statistical distances ae pecisely [X, Y ]. Likewise, tests A 2 and A 5 ae consideed bad because they both have statistical distance Pobabilistic Algoithms Algoithms may use the additional instuction x {0, 1} fo a andom vaiable X unifom ove D = {0, 1}. Such algoithms ae called pobabilistic algoithms and we say that they flip coins. Fo any pobabilistic algoithm, the set of possible outputs fom the suppot set of a pobability distibution. In paticula, if a {0, 1} is a possible output fo a pobabilistic algoithm A with input x, we define Pob[A(x) = a] = # {b {0, 1}n : A flips b and outputs a} 2 n, whee n denotes the numbe of coin flips pefomed by A fo a given x. Depending on the specifications of the algoithm, detemining n can be cumbesome. We may assume without loss of geneality howeve, that a pobabilistic algoithm A makes the same numbe coin flips fo all inputs of the same length. This estiction does not affect the computational powe of ou undelying pobabilistic algoithm model. Example. Conside the following algoithm. Call it A 1. 1: Input 1 n 2: select x 0,, x n 1 {0, 1} 3: if n 1 2 i x i 2 n 1 i=0 4: then output 1 5: else output 0 Since 1 is a possible output, Pob[A 1 (1 n ) = 1] = # {b {0, 1}n : A flips b and outputs 1} 2 n = 2n 1 2 n = 1 2. Example. Call the following algoithm A 2. 1: Input 1 n 2: epeat n times 3: x {0, 1} 4: if x = 1, output 1 and halt 5: output Fail Then we have the following pobabilities Pob[A 2 (1 n ) = Fail] = 1 2 n Pob[A 2 (1 n ) = 1] = n.

18 17 Let A be a n-bit numbe. We call the left-most bit in the binay expansion of A the most significant bit. To avoid tivialities, we equie that the most significant bit of A be 1. Below ae thee pobabilistic algoithms that attempt to sample the unifom ove [0, A). To measue the quality of a sample, one must compute the statistical distance between the sample s output distibution and the unifom distibution ove the set {0, 1, 2,..., A 1}. Execise: Conside the following set of samples. Investigate the output pobability distibutions of each to detemine which has the most unifom distibution. Sample 1: 1: n := log 2 A 2: choose: x 0, x 1,..., x n 1 {0, 1} 3: y := n 1 i=0 2i x i 4: output y mod A Sample 2: 1: choose: x 0, x 1,..., x A 1 {0, 1} 2: y := A 1 i=0 x i 3: output y Sample 3: 1: n := log 2 A 2: epeat 3: choose: x 0, x 1,..., x n 1 {0, 1} 4: y := n 1 i=0 2i x i 5: if y < A output y and halt 6: else epeat 3 Constucting Commitment Schemes We now tun ou attention to the constuction of the fist cyptogaphic pimitive that we mentioned in the context of coin flipping. 3.1 Syntax of a commitment scheme Let λ be the secuity paamete; we can think of this value as the key length. Abstactly the commitment scheme can be divided in two stages: The commit stage and the open stage. Alice is the committe (o sende) and Bob is the eceive (o veifie). The commitment scheme may o may not be paameteized by a public paamete poduced by an algoithm Gen. We will focus on non-inteactive commitment schemes (i.e., schemes that equie no inteaction beyond a single message). The algoithms involved in a commitment scheme ae given below. Paamete geneation. A tusted execution of Paam(1 λ ) is ensued and the output b is povided to both paties. Note that in case Paam is deteministic a tusted execution of b can be tivially ensued by both paties by essentially epeating the computation wheneve b is needed. Commit Stage 1. Alice selects he message M and commits to it by calculating (, c) Commit(b, M) 2. Alice sends c to Bob Open Stage 4. Alice sends the decommitment infomation and the message M to Bob 5. Bob uns the veification algoithm to ensue the opening of Alice is appopiate. { 1 accept Veify(b, c,, M) = 0 eject

19 3.2 Secuity Popeties Secuity Popeties We next define the two secuity popeties of the commitment scheme. We conside fist the case that the paametes ae geneated by a tusted paty. Coectness: Fo evey message M we equie that: If b Paam(1 λ ) and (, c) Commit(b, M), then Veify(b, c,, M) = 1, whee b, c, ae chosen andomly. Binding: Intuitively, this popety equies that Alice should not be in position to change he message afte sending he commitment. Moe fomally let A be an algoithm that can commit two diffeent messages M 1, M 2 to the same commitment c, that is Algoithm 1 bindattack A (1 λ ) 1: Let b Paam(1 λ ) 2: (c, 1, M 1, 2, M 2 ) A(b) 3: if Veify(b, c, 1, M 1 ) = 1 and Veify(b, c, 2, M 2 ) = 1 and M 1 M 2 then 4: etun 1 5: else 6: etun 0 7: end if We equie that fo evey PPT A the following holds: Pob[bindattack A (1 λ ) = 1] = negl(1 λ ) Stengthening of the above attack allows the advesay to specify the commitment paamete b. In this case we modify lines 1-2 above so that (b, c, 1, M 1, 2, M 2 ) A(1 λ ). In this case we will say that we have a non-inteactive commitment scheme that satisfies hiding with advesaial paametes. Hiding: The sececy of Alice s message is peseved, meaning that Bob cannot extact any infomation about Alice s message Algoithm 2 hidingattack B (1 λ ) 1: b Paam(1 λ ) 2: Let (aux, M 0, M 1 ) B 1 (1 λ ) 3: d R {0, 1} 4: (, c) Commit(b, M d ) 5: d B 2 (c, aux) 6: if d = d and M 0 M 1 then 7: etun 1 8: else 9: etun 0 10: end if We equie that fo evey pai of PPT algoithms B = (B 1, B 2 ) Pob[hidingattack B (1 λ ) = 1] negl(1λ )

20 3.3 Implementation 19 As befoe stengthening of the above attack allows the advesay to specify the commitment paamete b. In this case we modify lines 1-2 above so that (b, aux, M 0, M 1 ) B 1 (1 λ ). In this case we will say that we have a non-inteactive commitment scheme that satisfies binding with advesaial paametes. 3.3 Implementation Now that we have specified what a commitment scheme is, it is time to see a way to implement it. We will descibe Pedesen s potocol using the discete logaithm assumption and pove its secuity. Befoe pesenting the potocol s desciption, we will fist define the Discete Logaithm Poblem. Suppose we have the goup sample that poduces the desciption of a goup G and of a cyclic subgoup of ode m within G called GGen. In this section we will conside only modula goups ove a pime numbe p; the desciption of G can be just the numbe p. We futhe conside only the case that m is a pime numbe. Based on this we define the following algoithm that samples discete-logaithm paametes. 1. p, m, g GGen(1 λ ) 2. t R Z m 3. h g t Fo an algoithm A, we say that it solves the Discete Log Poblem, if Pob[A(p, m, g, h) = t] is not negligible. Based on the above we can now define the DLog assumption, accoding to which: We now descibe Pedesen s potocol. PPT A Pob[A(p, m, g, h) = t] = negl(λ) 1. GGen(1 λ ), outputs (p, m, g) such that p is pime, g Z p, m = ode(g) (that is g m = 1), m is pime m = λ bits, m p 1 and h = g t, whee t R Z m. 2. Alice checks that p and m ae pimes, that m p 1 and that g m = h m = 1. She selects R Z m and he message M Z m. She commits to he message: c = g h M and sends he commitment. If any of the checks fails she outputs Bad paametes. 3. At the Opening/Veification stage, Alice sends the evelation and he message M and Bob veifies using the condition: if c = g h M then 1 else Poof of secuity The afoementioned potocol is secue, i.e. the Binding and Hiding popeties hold. Suppose that the Binding popety does not hold. Then thee exists an algoithm A, that is successful in the binding attack descibed ealie. We will use this advesay, to constuct an algoithm that beaks the discete-logaithm assumption and theefoe end up in a contadiction.

21 3.3 Implementation 20 The fact that A can pefom a successful binding attack, means that it can find two pais ( 1, m 1 ) and ( 2, m 2 ) such that } c = g 1 h m1 g 1 h m1 = g 2 h m2 c = g 2 h m2 which means that g 1 2 = h m2 m1 Using the extended Euclidean Algoithm it is easy to find k Z m such that k(m 2 m 1 ) = 1, which means that g (1 2)k = h and ( 1 2 )k = log g h mod m But this contadicts ou initial DLog assumption and theefoe we can conclude, that such an advesay does not exist and ou potocol peseves the binding popety. We will now show that the hiding popety holds even with advesaial paametes. Fo this let us define a function f : Z m Z m g Z m such that f(, M) = c The above defined function f is sujective and bijective 3 fo a fixed 4 M Z m. It suffices to show that fo 1, 2 R Zm and two messages M 1, M 2 the following holds: o equivalently that [f( 1, M 1 ), f( 2, M 2 )] = 0 [f(, M), U] = 0, whee U is the unifom distibution on Z m, which would evidently mean that c does not povide any infomation about M. Let z g, i.e. z = g l, whee l Z m. Then we have that: Which poves that Pob[g(, M) = z] = Pob[g h M = g l ] = Pob[g = g l h M = Pob[g = g l M ] = Pob[ = l M] = 1 m [f(, M), U] = 0, The emaining of the poof now goes in two steps: fist we modify line 4 of the hidingattack B (1 λ ) so that c is selected at andom fom g. Fo this modified attack game hidingattack B (1 λ ) it will hold that: 3 onto: Obseve that f(, M) = g h M = g (g t ) M = g +tm. So fo a Z m we have that thee exists an, such that f(, M) = a 1-1: Suppose thee exist 1 and 2 such that f( 1, M) = f( 2, M) Then we have that f( 1, M) = f( 2, M) g 1+T = g 2+T fo a T = tm 1 + T 2 + T mod m 1 2 mod m Obseve that we have used all the conditions, that Alice checks when she eceives the paametes fom Bob. 4 Obseve that if we allow M to vay, bijectivity beaks (take fo example (5, 0) and (2, 1) in Z 7 with g = 3)

22 21 Pob[hidingattack B (1 λ ) = 1] = Pob[hidingattack B (1 λ ) = 1] Futhemoe, if W b is the event d = b M 0 M 1, in the attack game hidingattack B (1 λ ) we have Pob[hidingattack B (1 λ ) = 1] = Pob[W 0 d = 0]Pob[d = 0] + Pob[W 1 d = 1]Pob[d = 1] We obseve that the andom vaiable d is independent fom W 0 and W 1 and thus Pob[hidingattack B (1 λ ) = 1] = (Pob[W 0 ] + Pob[W 1 ]) 1 2 = 1 2 This completes the poof. We note that in ode to achieve secuity against advesaial paametes the checks pefomed by Alice ae essential. Indeed if the advesay chooses paametes such that ode(h) = 2m (fo example h = ζg t and ζ such that ode(ζ) = 2 in Z p ), then by eceiving Alice s commitment c, he just needs to do the following in ode to compute one bit of M : { c m = (g ) m (h M ) m = (h m ) M = ζ M 1, M even = ζ, M odd This would constitute a hiding attack against a potocol that does not check that the ode of h is indeed m. The above show that the test h m = 1 is essential fo the hiding popety with advesaial paametes. What about the othe tests that Alice pefoms? can you find attacks if they ae omitted? 4 Symmetic Cyptosystems Although we will not discuss symmetic cyptosystems in class, hee we povide seveal inteesting examples, many of which ae of impotant histoical significance. In a symmetic cyptosystem, both ends of a communication channel shae a common secet key. This key is necessay fo both the encyption and decyption of messages. Definition A symmetic cyptosystem is composed of the the following elements: A plaintext message space M A ciphetext message space C A key space K An efficient encyption algoithm E : K M C An efficient decyption algoithm D : K C M An efficient key geneation algoithm G : N K In addition to the above, a symmetic cyptosystem must satisfy the coectness popety: Fo all m M and k K, D(k, E(k, m)) = m.

23 4.1 Classical ciphes Classical ciphes Substitution Ciphes One of the most basic symmetic cyptosystems is the substitution ciphe. In a substitution ciphe, the encyption algoithm eplaces each message m M with a coesponding ciphetext c C. Fo a given key, the substitution function is a mapping π : M C and the decyption algoithm pefoms the invese substitution π 1 : C M. Example (Affine Ciphe). Message Spaces: M, C = Z N Key Space: (a, b) Z N Z N with gcd(a, N) = 1 Encyption Algoithm: E((a, b), m) = am + b mod N Substitution ciphes, and in paticula affine ciphes have been used fo thousands of yeas. One famous affine ciphe, known as the Caesa ciphe o the shift ciphe was used by the Roman empeo Julius Caesa in about 50 BC. In the Caesa ciphe, a = 1 and b = 3, so afte assigning each lette of the alphabet to a numbe, the ciphe shifts each lette to the ight by 3 (mod 24). In moden times, such a technique cannot withstand fequency statistical analysis attacks. Due to the small numbe of liteate people at that time howeve, the method sufficed. Substitution ciphes in Z N can be viewed as pemutations on the set {0, 1,..., N 1}. Pehaps the simplest way to encode the English alphabet is to use Z 26, whee each lette is identified with a unique intege modulo 26. The key space is 26!. Unfotunately, this type of ciphe is vey vulneable to fequency statistical analysis attacks. Polyalphabetic Ciphes In a polyalphabetic ciphe, a plaintext element is epeated and substituted into diffeent ciphetext elements. Example (Vigenèe Ciphe). Key: gold Plaintext Message: poceed Encyption Algoithm: Chaacte-wise addition modulo 26 Decyption Algoithm: Chaacte-wise subtaction modulo 26 To encode poceed, p o c e e d g o l d g o l v f z f k s o Polyalphabetic ciphes povide moe secuity against fequency statistical analysis attacks than the pevious monoalphabetic ciphes. The polyalphabetic ciphe s main weakness lies instead in the epetitive use of the same key.

24 4.2 The Data Encyption Standad (DES) 23 Venam Ciphe and the One-Time Pad Gilbet Venam, an enginee fo Bell Labs poposed this ciphe in Message Spaces: M, C = {0, 1} n Key Space: K = {0, 1} n Encyption Algoithm: E(k, m) = k m Decyption Algoithm: D(k, c) = k c This ciphe encodes and decodes each element chaacte by chaacte using a peviously detemined, andomly geneated key. Since the key is neve eused o epeated, it became known as the one-time pad. The encyption and decyption algoithms ae identical, but the popeties of the exclusive-o (XOR) opeato guaantee that the coectness popety is satisfied. This cyptosystem is povably secue in the infomation-theoetical sense. Its main dawback lies in the fact that the key must be at least the length of the oiginal message. Tansposition Ciphes A tansposition ciphe eaanges the positions of each chaacte accoding to a pemutation π. The decyption algoithm ecoves the oiginal message by applying the invese pemutation π 1. Example (Tansposition Ciphe). Key: π = (2143) Plaintext Message: code Ciphetext Message: oced In this example, the invese pemutation π 1 is the same as the encyption pemutation. 4.2 The Data Encyption Standad (DES) The Data Encyption Standad (DES) is an algoithm that takes messages of a fixed length and divides them into blocks. The encyption and decyption opeations act on these blocks and etun outputs of the same length. The system is deteministic and consideed to be a polyalphabetic substitution ciphe. The plaintext and ciphetext message spaces ae 64-bit stings M, C = {0, 1} 64 and the key space is a 56-bit sting K = {0, 1} 56. To encode a message using DES, fist divide the message into the 32-bit left and ight sub-blocks L 0 and R 0. Take an initial pemutation IP to be a fixed pemutation, independent of the encyption key k. Then 1. (L 0, R 0 ) IP (input) 2. Take an S-box function f : {0, 1} 48 {0, 1} 32 {0, 1} 32 (we will fomally define f late in the section) and 48-bit sting keys k 1, k 2,..., k 16 deived fom the 56-bit key k. Repeat the following opeations 16 times: L i = R i 1 R i = L i 1 f(k i, R i 1 ) 3. Output IP 1 (R 16, L 16 ) The decyption algoithm follows in a simila fashion, with the key schedule evesed.

25 4.2 The Data Encyption Standad (DES) 24 Feistel Ciphe Hee we show that the iteative opeations above satisfy the coectness popeties fo the DES cyptosystem. Steps 1-3 ae collectively known as a Feistel ciphe. Let X L and X R epesent the left and ight 32-bit substings of the input. Mathematically, this ciphe is based on a ound function F k : {0, 1} 64 {0, 1} 64 given by F k (X) = X R X L f(k, X R ). Recall that the concatenation opeation has the lowest pecedence in opeations. In ode to expess DES as a Feistel ciphe, we fist define a tansposition function, T (X) = X R X L. It should be clea fom the above stuctue that the encyption opeation can be descibed by IP 1 T F k16 F k2 F k1 IP (X), whee denotes the usual function composition. Similaly, the decyption opeation of DES can be viewed as IP F k1 F k2 F k16 T IP 1 (X). Lemma Let F be the set of all functions F : {0, 1} 64 {0, 1} 64. It follows that fo all m > 0 and F 1, F 2,..., F m F, F 1 F 2 F m T F m F 2 F 1 (X) = T (X). Poof. We pove this by inducting on the numbe of functions m. When m = 1, we have one function F in F, so F T F (X) = F T (X R X L f(k, X R )) = F (X L f(k, X R ) X R ) = X R X L f(k, X R ) f(k, X R ) = X R X L = T (X). Assume the conclusion holds tue fo i functions in F: fo any F 1, F 2,..., F i F, it holds that F 1 F 2 F }{{} i T F i F 2 F 1 (X) = T (X). }{{} i functions i functions Suppose we have an opeation with i + 1 functions: F 1 F 2 F i F i+1 T F i+1 F i F 2 F 1 (X). Note that we inset the new function next to T because of the indexing, but we ae not inducting on the index; we ae inducting on the numbe of functions in the sequence. Using ou inductive hypothesis, ou expession educes to ou base case: F 1 F 2 F i F i+1 T F i+1 F i F 2 F 1 (X) = F 1 T F 1 (X) = T (X). }{{}}{{} i functions i functions Theoem The DES cyptosystem satisfies the coectness popety.