Introduction to Modern Cryptography. Benny Chor

Similar documents
Lecture 10: Zero-Knowledge Proofs

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

CPSC 467b: Cryptography and Computer Security

Lecture Notes, Week 10

CPSC 467: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Introduction to Modern Cryptography Lecture 11

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Lecture 38: Secure Multi-party Computation MPC

Introduction to Cryptography Lecture 13

Zero-Knowledge Proofs and Protocols

CPSC 467b: Cryptography and Computer Security

Lecture 15 - Zero Knowledge Proofs

Lecture 14: Secure Multiparty Computation

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

Lecture Notes 20: Zero-Knowledge Proofs

Theory of Computation Chapter 12: Cryptography

Introduction to Modern Cryptography. Benny Chor

Lecture 17: Constructions of Public-Key Encryption

Notes on Zero Knowledge

Lecture 18: Zero-Knowledge Proofs

Commitment Schemes and Zero-Knowledge Protocols (2011)

Lecture 24: Goldreich-Levin Hardcore Predicate. Goldreich-Levin Hardcore Predicate

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

ECS 189A Final Cryptography Spring 2011

Pseudorandom Generators

An Introduction to Probabilistic Encryption

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Introduction to Modern Cryptography. Benny Chor

Zero-Knowledge Against Quantum Attacks

CPSC 467b: Cryptography and Computer Security

ASYMMETRIC ENCRYPTION

Oblivious Evaluation of Multivariate Polynomials. and Applications

Pseudorandom Generators

Lecture 1: Introduction to Public key cryptography

14 Diffie-Hellman Key Agreement

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Lecture 3: Interactive Proofs and Zero-Knowledge

Public-Key Encryption: ElGamal, RSA, Rabin

Foundations of Cryptography

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Great Theoretical Ideas in Computer Science

Lecture 22: RSA Encryption. RSA Encryption

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Fast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract

Lecture 28: Public-key Cryptography. Public-key Cryptography

Simple Math: Cryptography

Lecture 12: Interactive Proofs

1 Recap: Interactive Proofs

Notes on Complexity Theory Last updated: November, Lecture 10

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Zero-Knowledge Proofs 1

Lecture 5. 1 Review (Pairwise Independence and Derandomization)

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lectures 2+3: Provable Security

Computer Science A Cryptography and Data Security. Claude Crépeau

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Notes for Lecture 17

CPSC 467b: Cryptography and Computer Security

Lecture 11: Key Agreement

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Quantum Symmetrically-Private Information Retrieval

Winter 2011 Josh Benaloh Brian LaMacchia

1 Number Theory Basics

Lecture Notes, Week 6

RSA RSA public key cryptosystem

Learning to Impersonate

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

THE CUBIC PUBLIC-KEY TRANSFORMATION*

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Midterm 2. Your Exam Room: Name of Person Sitting on Your Left: Name of Person Sitting on Your Right: Name of Person Sitting in Front of You:

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Discrete Mathematics and Probability Theory Spring 2016 Rao and Walrand Discussion 6A Solution

Lecture 11: Proofs, Games, and Alternation

A Note on Negligible Functions

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 3: Randomness in Computation

An Epistemic Characterization of Zero Knowledge

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 26: Arthur-Merlin Games

Question 1. The Chinese University of Hong Kong, Spring 2018

Pseudorandom Generators

1 Indistinguishability for multiple encryptions

Lecture 7 Limits on inapproximability

March 19: Zero-Knowledge (cont.) and Signatures

CS151 Complexity Theory. Lecture 13 May 15, 2017

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Quantum Simultaneous Contract Signing

Transcription:

Introduction to Modern Cryptography Benny Chor Hard Core Bits Coin Flipping Over the Phone Zero Knowledge Lecture 10 (version 1.1) Tel-Aviv University 18 March 2008. Slightly revised March 19.

Hard Core Bits for One Way Functions Let F : D D be a one-way, one-to-one function. Suppose B : D {0, 1} is an efficiently computable predicate on elements of D. We say that B is a hard core bit for F if it is computationally hard, given F (x), to determine B(x). This task cannot be harder than inverting F. We want to formalize this notion.

Hard Core Bits for One Way Functions (2) We want to formalize this notion. Definition: We say that B is a hard core bit for F if the following holds: There is an efficient (possibly randomized) procedure P, which gets the input z = F (y), for any algorithm A( ) that, on input F (x), outputs B(x), The procedure P can adaptively generate queries z 1 = F (y 1 ), z 2 = F (y 2 ),..., z k = F (y k ), and feed them to A( ). The response to the queries are the bits B(y 1 ), B(y 2 ),..., B(y k ). The running time of P and the number of queries it makes, k, are both polynomial in log D. Last but not least: The procedure P correctly inverts F, namely it outputs y = F 1 (z).

Hard Core Bits for One Way Functions: Intuition If B is a hard core bit for F then the ability to efficiently infer B(x) from F (x) enables to invert F. Any algorithm A( ) that, on input F (x), outputs B(x), enables the inversion of F (x) by employing the procedure P. Thus if F is indeed hard (we assumed it is one-way) then B(x) cannot be computed from F (x). Such hard core bit can serve as the basis for coin tossing over the phone.

Coin Tossing Over the Phone Two non trusting parties wish to toss coins over the phone. The parties do not deviate from the syntax of the protocol. They may try to cheat in different ways, provided the messages they send have the right format. For example, Alice could send the string 00000 whenever the protocol calls for five random bits. (There is no way Bob can convincingly argue she is cheating here.) For a different example, Alice could send a composite number where the protocol calls for a prime number. (This specific attempt is not very smart, since Bob will easily detect it.) For yet a third example, Alice could send a product of three numbers pqr, where the protocol calls for a product of two, pq. (It is not clear if Bob could detect this.) (Anton Shigur, the meanest coin tosser around.)

Coin Tossing Over the Phone: General Scheme Alice chooses an instance of a one-way, one-to-one function F : D D. Let B : D {0, 1} be a hard core predicate for F. Alice starts by sending a description of F and of B to Bob. Alice picks an x D, computes y = F (x) and b = B(x). She sends y to Bob. This is supposed to create a commitment to the value x. Bob send to Alice his guess for B(x), namely a bit c {0, 1}. The bit c could either be the result of a coin flip or the outcome of some efficient algorithm applied by Bob in an attempt to guess B(x). After receiving c, Alice sends x to Bob, who can now compute b = B(x) on his own. If c = b then Bob wins the coin toss. Else (c b) Alice wins.

Specific Examples (Good and Bad) D = Zp, F (x) = g x mod p where p is a prime number, and g is a primitive element in Zp. Let B(x) = Half p (x) (namely 0 if 1 x < (p 1)/2, and 1 if (p 1)/2 x p 1). Good, provided g is a primitive element. D = Zp, F (x) = g x mod p where p is a prime number, the factorization of p 1 is known, and g is a primitive element in Zp. Let B(x) = be the least significant bit of x. Bad. Let D = ZN, F (x) = xe mod N where N = pq, both p and q are prime numbers, and e is relatively prime to (p 1)(q 1). The numbers e and N are sent to Bob, but N s factorization is not given. Let B(x) = the least significant bit of x. Good, provided e is relatively prime to φ(n). Let F : D D be any one-way, one-to-one function, let n be the number of bits of elements in D. Define a new one to one, one way function G : D D D D by G(x, r) = (F (x), r). Define B(x, r) = n i=1 x i r i (mod 2). Good this is the generic hard core bit of Goldreich and Levin, 1989.

Coin Tossing Over the Phone and Hard Core Bits Question: Does it suffice that B is a hard core bit for F in order to guarantee a fair coin toss? Or should the definition be strengthened? In assignment 3 you are asked to think about this problem, and provide an educated answer.

Coin Tossing Over the Phone: Can Alice Cheat? Alice chooses an instance of a one-way, one-to-one function F : D D. Suppose Alice managed to choose a two-to-one function F : D D, but poor Bob could not tell the difference. Furthermore, suppose there are x 0, x 1 D such that F (x 0 ) = F (x 1 ) but B(x 0 ) = 0, B(x 1 ) = 1. In such case, Alice can win the coin toss with certainty. Bob is justified in being worried. But what can he do? He has neither time nor patience to go exhaustively over D and verify that F is one-to-one over it.

Coin Tossing Over the Phone: Can Alice Cheat? Bob is justified in being worried. But what can he do? He has neither time nor patience to go exhaustively over D and verify that F is one-to-one over it. In the specific examples we considered, there is a short proof that F is one-to-one. For example, D = Z N, F (x) = xe mod N where N = pq, both p and q are prime numbers, and e is relatively prime to φ(n). If e is not relatively prime to φ(n), then F (x) = x e mod N is k-to-one for some k 2. This means that for every y ZN in the range of F there are distinct x 1, x 2,..., x k ZN such that F (x 1 ) = F (x 2 ) =... = F (x k ) = y.

Coin Tossing Over the Phone: Calming Down Bob Bob is justified in being worried. But what can he do? He has neither time nor patience to go exhaustively over D and verify that F (x) = x e mod N is one-to-one over it. If F is not one-to-one, then for every y ZN in the range of F there are distinct z 1, z 2,..., z k ZN such that F (z 1 ) = F (z 2 ) =... = F (z k ) = y. Just after receiving the description of F, Bob picks one hundred elements in Z N at random, z 1, z 2,..., z 100. He computes y i = F (z i ) (i = 1,..., 100), and sends y 1, y 2,..., y 100 to Alice. Alice computes F 1 (y 1 ), F 1 (y 2 ),..., F 1 (y 100 ) and sends them to Bob. If for all of them F 1 (y i ) = z i, then Bob is convinced that F is one-to-one. Otherwise, he knows that Alice is cheating, and quits the game.

Some Observations on Verifying F Is One-To-One It was crucial that Bob makes his queries before Alice committed to x by sending F (x) (why?). The protocol for convincing Bob relied on two very specific properties of F (x) = x e mod N. First, we used the fact that this is a trapdoor function and Alice should have the trapdoor information. Second, the k-to-one property is very specific to exponentiation modulo N. In general, we may want to convince a suspicious verifier that a certain claim holds, without giving away any additional information. Leads to zero knowledge proofs (Goldwasser Micaly Rackoff 1985).

Zero Knowledge Proofs Can I convince you that some statement S holds, without giving you any hint about its proof? Not by authority or intimidation! By some proof system, possibly randomized, where If S is false, the probability that I convince you is smaller than ε (a small parameter). If S is true, the probability that I convince you is larger than 1 ε. The text of the conversations, assuming S is true, gives you nothing more you could have generated very similar text on your own. Will now demonstrate this non intuitive notion using two examples: A light one (Ali Baba) and a heavier one (3 coloring).

Zero Knowledge Proofs: Ali Baba s Secret Passage This zero knowledge version of the classic story is due to Quisquater and Guillou. It was taken (with the figures) from Wikipedia. Tectonic activity had created a cave in the shape of a closed circle under a mountain side near Bagdad. The cave forks to two paths, A and B, soon after the entrance. If one follows any of the paths and walks (in the dark!) for an hour, s/he reaches a solid wall and must return the same way s/he came. Rumor has it that the paths actually merge on the two sides of the solid wall, and that there is a secret passage through that wall, which can be opened after chanting a secret password.

Zero Knowledge Proofs: Ali Baba s Secret Passage (2) Ali Baba (in purple) claims he knows the secret password. Babar (in green) is willing to pay him a small fortune for that information (he plans to open a tour the cave startup, and must guarantee a steady, fast flow). First, he want to be convinced that indeed Ali Baba has the secret. Ali Baba suggests the following protocol: He will enter the cave and proceed a few hundred meters along a path he (Ali Baba) picks arbitrarily. Ali Baba is very careful about his own privacy and does not agree to Babar getting close to him at this stage. Babar then comes to the entrance and shouts either "A" or "B" (he picks one option at random).

Zero Knowledge Proofs: Ali Baba s Secret Passage (3) Ali Baba returns to the entrance through the requested path, and Babar, sitting at the fork, can verify that. What is Ali Baba s chance to succeed in case he does not hold the secret password? Exactly 1/2. This by itself is not good enough to convince Babar Ali Baba could just have been lucky in guessing what path Babar is going to call. But if they repeat this experiment for thirty days, and Ali Baba succeeds in each and every one of them, Babar is convinced that Ali Baba knows the secret password.

Zero Knowledge Proofs: Ali Baba s Secret Passage (4) What did Babar learn from this lengthy test? He did learn that, with very high probability, Ali Baba knows the password for the secret passage. But other than that, Babar learns nothing neither a single bit of the password, nor its quadratic residuocity, etc. This is a very simple example of a zero knowledge protocol. In such protocols there are two parties: The prover (Ali Baba in our case) and the verifier (Babar). They do not trust each other, yet engage in a protocol at the end of which the prover should convince the verifier that some statement is true without supplying any additional information. The formal definition takes a simulator that enables the verifier to generate a distribution of convincing conversations by himself. This seemingly contradictory notion was suggested by Goldwasser, Micaly, and Rackoff in 1985. It was met initially with much skepticism, but is now widely accepted.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback