crash course on cryptography jesper buus nielsen ssorc 2008

Crash Course on Cryptography

Jesper Buus Nielsen

SSoRC 2008

Preliminaries

• Security parameter k– Specifies the security level, e.g. the key length of cryptosystems

and signature scheme• Probabilistic poly-time (PPT) algorithm

– Runs in time polynomial in k on all inputs and is allowed to flip random coins

• Zp = {0, …, p-1}– Group of residues modulo p

• N = {1, 2, 3, …}• R = the real numbers• e: N R is called negligible if for all cN there exists k’

such that |e(k)|<1/kc for all k>k’– Goes to 0 faster then any inverse polynomial

One-way Functions

• Key generator: K←gen(k) • For each key K a function fK: XY• Inverting game for an algorithm A:

– Sample random key K ← gen(k)– Sample uniformly random element xR X– Compute y = fK(x)– Compute x’ = A(K,y)

• f is called one-way if one can compute fK(x) in PPT and Pr[y = fK(x’)] is negligible in k for all PPT A

Discrete Logarithm Problem

• gen(k) (p,g)– Random k-bit prime p=2q+1 where q prime– g an element of Zp of order q

• f: {0,1,…,q-1}Zp • f(a) = ga mod p• Discrete logarithm (DL) problem:

– Given y = ga mod p (and p,g) compute a – Is believed to be hard, i.e., f is believed to be

a one-way function

Computational Indistinguishability

• Distribution ensemble X = {Xk}kN

– One random variable Xk for each value of the security parameter k

• We call X = {Xk}kN and Y = {Yk}kN computationally indistinguishable if

Pr[B(Xk)=1] - Pr[B(Yk)=1] is negligible for all PPT B

B

a=0: s←X

a=1: s←Ys

d

B cannot guess a with probability more than

negligibly better that ½

Decisional Diffie-Hellman Assumption

• p=2q+1 as for DL problem

• g,h: random elements of order q in Zp

• X: sample random r {0,1,…,q-1} and let X = (g,gr,hr)

• Y: sample random r,s {0,1,…,q-1} and let Y = (g,gr,hs)

• The DDH assumption is that these X and Y are computationally indistinguishable

Public-Key Encryption

• Key generator: (pk,sk) ← gen(k)– pk: public key , sk: secret key

• Encryption: C = Epk(m;r) for randomness r• Decryption: m = Dsk(C)• Indistinguishability game for algorithm A:

– Sample random (pk,sk) ← gen(k)– Run A on pk to produce messages (m0,m1)– Compute Cb←Epk(mb;r) for uniformly random r – Run A on Cb to produce a bit c

• We call the cryptosystem chosen plaintext attack (CPA) secure if Pr[c=1|b=1] - Pr[c=1|b=0] is negligible for all PPT A

A

(m0,m1)

pk

Epk(mb)

c

A cannot guess b with probability more than

negligibly better that ½

ElGamal Encryption

• pk = (p,g,h) as for DDH assumption• sk = x such that h = gx mod p• Messages m are from the group generated by h

• Epk(m;r) = (A, B) = (gr, mhr) mod p

• Dsk(A,B) = A-xB mod p= (gr)-x mhr mod p= (gx)-rhr m mod p= h-rhr m mod p= m

A Reduction Proof

• We prove CPA security of ElGamal assuming the DDH assumption

• We take any PPT A attacking ElGamal• We show how to massage it into a PPT B which

attacks the DDH assumptions with half the success rate of A

• Since the success rate of B is negligible under the DDH assumption, it follows that the success rate of A is negligible under the DDH assumption

B

a=0: (p,g,h,gr,hr)

a=1: (p,g,h,gr,hs)(p,g,h,G,H)

d

Pr[d=1|a=0]-Pr[d=1|a=1]

A

B uses A as sub-routine

(m0,m1)

(p,g,h)

(G,mbH)

bR{0,1}

cd=bc

= Pr[d=1|a=0] - ½

Pr[d=1|a=0] = ½Pr[c=1|a=0,b=0] + ½Pr[c=0|a=0,b=1] = ½Pr[A(E(m0))=1] + ½Pr[A(E(m1))=0]) = ½Pr[A(E(m0))=1] - ½Pr[A(E(m1))=1] + ½

Pr[d=1|a=0]-Pr[d=1|a=1] = ½(Pr[A(E(m0))=1] - Pr[A(E(m1))=1])

Half the success rate of A

The success rate of B

Coin-Flip

• Alice and Bob wants to flip a random bit c– Alice should be sure c is uniformly random even if

Bob cheats and vice versa

• Alice: Send uniformly random a to Bob• Bob: Send uniformly random b to Alice• Both: Let c = ab = a+b mod 2

– Idea is that a+b mod 2 is uniform no matter how b is chosen, as long as Alice picks a uniformly

– Bob can, however, cheat by waiting to see a and then pick b=c’-a mod 2 for his preferred choice c’ of c

Commitment Scheme

• Key generator: K ← gen(k)• Commitment to message m:

C = commitK(m;r) for randomness r• Binding: Computationally hard or impossible to

compute (m,r) and (m’,r’) with m≠m’ and commitK(m;r)=commitK(m’;r’) even given K

• Hiding: commitK(m0) and commitK(m1) are computationally of perfectly indistinguishable even given K

• CPA secure public-key encryption directly gives a perfect binding, computationally hiding commitment scheme

Commitment Scheme

• Computationally binding, perfect hiding• K=(p,g,h) , where h=gx mod p as for DL

– The committer does not know x

• commitK(m;r) = gmhr mod p

• Perfect hiding: – hr mod p is uniform in the group spanned by h– gx mod p is an element of this group– Therefore gxhr mod p is just a uniformly random

element of this group, which leaks no information

Computationally Binding

• commitK(m;r) = gmhr mod p , p=2q+1 , g,h ord q• Assume that some PPT A with high probability

can compute commitK(m;r) = commitK(m’;r’) for m’≠m. Then– gmhr = gm’hr’ (mod p)– gm-m’ = hr’-r (mod p)– g = h(r’-r)(m-m’)-1 mod q (mod p)– g = hx (mod p)

for x = (r’-r)(m-m’)-1 mod q

• This contradicts the DL assumption that no PPT A can compute such an x with high probability

Coin-Flip

• Alice: – Pick uniformly random a– Sample a random key K for a commitment scheme– Compute C=commitK(a;r) for uniformly random r– Send C to Bob

• Bob: Send uniformly random b to Alice• Alice: Send (a,r) to Bob who checks that C=commitK(a;r) • Both: Let c = ab = a+b mod 2• If the commitment is computationally hiding, then Bob

must pick b without knowing a• If it is perfect binding Alice cannot change her mind on a

after seeing b

Zero-Knowledge Proofs of Knowledge

• A prover P proves knowledge of a secret s to a verifier V

• P leaks no information about s

• Yet V accepts only if P knows s

ZK PoK of DL

• We look at a discrete logarithm (DL) example

• P and V both know p,g,h for DL problem • P knows s such that h=gs mod p• P wants to convince V that she knows x

but does not want to show x to V• If V trusts P she can just ask P to tell her

whether P knows x, but V must accept the proof even if P cheats (is corrupted)

ZK PoK of DL

• Completeness:– If P is honest then the proof must accept– Follows from: heH = (gs)egr = gse+r = gz

P: p,g,h,s , h=gs V: p,g,h

H=gr for random r HPick random eZq

z=se+r mod qe

zAccept if: heH=gz

challenge

response

ZK PoK of DL

• Soundness:– If P* makes the protocol accept with non-negligible

probability then P* know s – Should hold even for corrupted P*, i.e., no matter how

the prover’s messages are computed– “Knows” is defined to mean that P* could compute s

in polynomial time



z=se+r mod qe

zAccept if: heH=gz

???

???

P*: p,g,h

ZK PoK of DL

• All we know is that heH=gz

• But, since P* is a program we can record its state after it sent H and try running it on a new challenge e’ and hope to get a new good reply z’ for which he’H=gz’

• We can keep trying until both proofs accept

P*: p,g,h V: p,g,h

??? HPick random eZq

???e

zAccept if: heH=gz

Pick random e’Zq

???e’

z’Accept if: he’H=gz’

ZK PoK of DL

• We showed that P* can compute H, z, z’ s.t. heH=gz and he’H=gz’

– It can be seen that h=gx for x=(z-z’)(e-e’)-1 mod q• This gives a method, known as the extractor,

which computes the secret given access to some P* which makes the proof accept

P*: p,g,h V: p,g,h


???e

zAccept if: heH=gz

Pick random e’Zq

???e’


ZK PoK of DL

• The expected running time of the extractor must be polynomial in k and 1/p, where p is the probability that P* makes the verifier accept– This in particular gives an expected PPT algorithm for

computing the secret if p=1/kc

• In the above case the time is about poly(k)(1/p)2

P*: p,g,h V: p,g,h


???e

zAccept if: heH=gz

Pick random e’Zq

???e’


ZK PoK of DL

• Zero-knowledge:– Not even a corrupted verifier V* gets to know

any new information during the protocol– I.e., everything V* sees she could have

computed herself in poly-time• In the above case: H, e, z



z=se+r mod qe

zAccept if: heH=gz

???

V*: p,g,h

ZK PoK of DL

• Honest Verifier ZK:– Same as before, but only for honest V– We give the argument for an honest verifier only– Above this just means that V picks e uniformly at

random

P: p,g,h,s , h=gs V*: p,g,h


z=se+r mod qe

zH,e,z: heH=gz

ZK PoK of DL

• Here is how V* could compute (H,e,z) herself:– Pick e,zZq uniformly at random

– Let H=gz(he)-1 mod p– Then heH=gz mod p and (H,e,z) has the same

distribution as in the protocol (i.e., perfect ZK)

P: p,g,h,s , h=gs V*: p,g,h


z=se+r mod qe

zH,e,z: heH=gz

The method which computes the view of verifier without

the secret is called the simulator

By letting V only send 0,1 challenges the system becomes fully ZK (as opposed to honest

verifier ZK)

Possibility of ZK PoK

• Everything that can be proved can be proved in ZK with at most a polynomial blowup in running time

Person-in-the-Middle Attacks

• Non-malleable protocols:– Prevent that values in one execution of the

protocol can be misused in other executions of the protocol

– Non-trivial to construct, but possible

P: s V

H

e

z

H

e

zM

I M know s!

Prove it!I P know s!

Prove it!

M knows sNo!

Person-in-the-Middle Attacks

• Non-malleable protocols:– Non-trivial to construct, but possible– Must let the values sent by the prover depend

on the identity of the prover, e.g. her public key

P: s V

H

e

z

H

e

zM

I M know s!

Prove it!I P know s!

Prove it!

M knows sNo!

Threshold Secret Sharing

• Dealer D has a secret sZp

• Splits in shares (s1,…,sn)

• Gives si to party Pi

– And only Pi

• t-security:– Any t shares leak no information on s– Any t+1 shares allow to compute s

s1 s2 s3

P1 P2 P3D

s?

n=3, t=1


• Can be done for any n and any t<n• Pick uniformly random a1,…,atZp

• Let f(x) = s + a1X1 + a2X2 + … + atXt mod p• Let s1=f(1), …, sn=f(n)• Reconstruction: Given t+1 shares on a

polynomial f(X) of degree at most t one can compute f(X) by interpolation and then f(0)

• Privacy: Given only t points any possible secret s=f(0) acts as point number t+1, so there is exactly one polynomial which makes s possible


• Will show two example:

• n=3 and t=1– f(X) = a+a1X (a line)

• n=3 and t=2– f(X) = a+a1X+a2X2 (a parabola)

P1 P2 P3

Secret Sharing, t=1

5

6

7

4

s=7 f(X)=7-X

Security, t=1

5

3

7

1

4

6

3

P1 P2 P3

Reconstruction, t=1

5

P1 P2 P3

6

7

4

Security, t=2P1 P2 P3

1

3

1

3

-2

-5

Reconstruction, t=2P1 P2 P3

1

3 3

9

Secure Multiparty Computation

• n parties P1, …, Pn • Each party Pi has some secret inputs s• The parties want to learn some function y=F(s1,

…,sm) of their inputs• Secure MPC allows to compute y without

leaking any other information• t-security: Any set of t colluding parties learn

only y (and their own secret inputs) by taking part in the protocol– Formalized by requiring that everything else they

receive in the protocol can be computed from these values in PPT, as for ZK

Examples

• Many interesting tasks can be phrased as a secure MPC of an appropriate function, e.g.:

• Yes/no election:– Each Pi has an input vi{0,1}

– F(v1,…,vn) = ∑vi or F(v1,…,vn) = (∑vi >?n/2)

• Vickrey auction:– Each Pi has an input biN

– F(b1,…,bn) = (i,bj)

• i is the index of Pi with highest bid bi

• bj is the 2nd highest bid

Possibility of Secure MPC

• It is possible to t securely compute any function F among n parties as long as t<n/2

• The running time of the protocol is polynomial in the time to compute F (insecurely)

• Will sketch an approach based on secret sharing

MPC via Secret Sharing

• The first step is to write the function to be computed as an arithmetic circuit over Zp for a prime p>n– Need p>n to do secret sharing, as each party

needs its own point

• Can be done via well-known techniques– Would typically be handled by a compiler

Computing with Shared Values

• Input phase:– Each Pi secret shares each of its inputs s with degree

t and sends the shares to the other parties over secure channels

• Secure as long as at most t of the other parties collude

• Computation phase:– Now the parties securely compute the circuit by

iteratively computing t-sharings of additions and multiplications of other t-shared values

• Done without leaking the shared intermediary values

• Reconstruction phase: – In the end the desired results are reconstructed

• All parties send their share of the result to the other parties

Addition

3

5

7

1

4

56

2

1

0

-1

3

P1 P2 P3

Two secrets s=1 and t=2 secret shared using f(X)=1+2X and g(X)=2-X

Now s+t=3 is secret shared usingh(X)=3+X

(note: h(X)=f(X)+g(X))

All parties add their two sharesNo communication Perfect Security

Multiplication

2

3

4

1

6 6

44

3

2

1

4

Multiplication makes the degree of the sharing polynomial go up:

f(X) = 1 + Xg(X) = 4 - X

h(X) = f(X)g(X) = 4 + 3X - X2

P1 P2 P3

Degree Reduction

6 6

44

P1 P2 P3

3

2

1

4

Idea is now to securely generate at degree-t sharing of the value

shared by the degree-2t sharing and use that sharing as input to the rest of

the secure computation

Degree Reduction

6 6

44

P1 P2 P3

3

1

3

-5

1

3

0

-1

-2

1

3

5

9

1. By magic a uniformly random2t-sharing is dealt• No party knows anything but

its own share2. Along with a uniformly random

t-sharing of the same value as the 2t-sharing

The parties subtract the random 2t-sharing from the troublesome

one, make their shares public and compute the shared secret

(reconstruction is possible as 2t<n)

They now know the distance betweenthe troublesome 2t-sharing and the random 2t-sharing (on the y-axis)They all add this number to their

share of the random t-sharing

3

2

1

4

This gives a t-sharing of the same secret as the troublesome 2t-sharingSecure as only uniformly random

points were revealed

The Missing Piece

• Each Pi picks a uniformly random ri and deals both a t-sharing and a 2t-sharing of ri

• The parties sum their shares of the t-sharings, giving them a t-sharing of r=∑ri

• The parties sum their shares of the 2t-sharings, which gives them a 2t-sharing of r=∑ri

• Each party which uses a random sharing is guaranteed that the sums of the sharings are going to be uniformly random and unknown to all other parties

Active Security

• So far we only have passive security, i.e., against parties that follow the protocol but of which t might pool their view to learn more

• We often need active security, i.e., security against up to t parties which might deviate from the protocol in some evil coordinated manner

Forcing Honest Behavior (1/2)

• We can transform the passive secure protocol into an active secure one using a generic technique

• Use commitments to commit all parties to their secret inputs and all received values

• Uses ZK proofs to let the parties show that all shares they send are correctly computed from the values committed to

• The commitments are hiding and the proofs are ZK, so no new information is leaked

Forcing Honest Behavior (2/2)

• First all parties send commitments to their inputs to the other parties and give non-malleable zero-knowledge proof of knowledge of the committed values– Including commitments to the random values they are going to

use when sharing

• Whenever Pi should send a secret message m to Pj (in the passive protocol) it does:– Compute C=commit(m;r) for uniformly random r– Send (m,r) securely to Pj

– Send C to all other parties along with a ZK PoK of (m,r) for which C=commit(m;r) and for which m was computed as it should from the other values to which Pi is committed

• Maintains that all parties are committed to all internal values at all times, and that they are correct

Independence of Inputs

Non-malleability guarantees that it is not possible to “copy”

another party’s input commitment

Example: Sharing

• Passive secure protocol:– Pick uniformly random a1,…,atZp

– Let f(x) = s + a1X1 + a2X2 + … + atXt mod p– Securely send si=f(i) to Pi

• Active secure protocol (additional steps):– Send S = commit(s;r) to all parties– Send Aj = commit(ai;rj) for j=1,…,t to all parties– Send Sj = commit(si;uj) for i=1,…,n to all parties

• And send (si,ui) to Pi

– For each i=1,…,n prove in ZK to all parties that S contains a value s and Si contains a value si and A1,…,At contain values a1,…,at such

si = s + a1i1 + a2i2 + … + atit mod p

Example: Addition

• Passive secure protocol:– Pj has a share sj of s and a share tj of t

– Pj computes the share uj = sj+tj mod p of u=s+t mod p

• Active secure protocol (additional steps):– All parties know a commitment Sj to sj and a

commitment Tj to tj and Pj knows the openings

– Pj sends Ui = commit(ui;v) to all parties

– Pj proves in ZK to all parties that Sj contains a value sj and Tj contains a value tj and Uj contains a value uj such that uj = sj+tj mod p

Example: Opening

• Passive secure protocol:– Each Pj has a share yj of the output y – Pj sends yj to all other parties who reconstruct

y from the shares

• Active secure protocol (additional steps):– All parties know a commitment Yj to yj

– Pj proves in ZK to all parties that yj is what was committed to by Yj

– Since there are n-tt+1 honest parties all parties will receive at least t+1 good shares

Handling Errors (1/2)

• Now the only power of a corrupted party Pi is to refuse to send the required (m,r) to some Pj – A failed proof corresponds to not sending

• If this happens, then Pj sends a complaint message to all parties and Pi must then send (m,r) to all parties and prove that it is correct– Secure to reveal m as one of the parties are corrupted

• If Pi fails to do so, then all parties now know that Pi is corrupted

Handling Errors (2/2)

• Detection of a corrupted Pi can be handled in several ways:– Restart the computation without the cheating

party – All intermediary values can be shared at all

steps, and if a party refuses, then all her previously shared values are reconstructed and the other servers compute the withheld value themselves

Definition of Security (1/3)

• Security is defined by requiring that whatever t corrupted parties can obtain by attacking the protocol they could obtain by attacking an ideal world implementation


• The ideal world:– Each Pi securely sends its input xi to a

perfectly trusted party called the ideal functionality (IF)

– The IF computes y=F(x1,…,xn) and sends y to all parties

• In the ideal world the only power of corrupted parties is to send alternative inputs xi’ and that they see the output y


• Active t-security:– For any set of t PPT corrupted parties for the

real world there exists t PPT corrupted parties for the ideal world such that the outputs of the parties in the ideal world is computationally indistinguishable from the outputs of the parties in the real world

• This implies that in the real world any t corrupted parties only have inevitable powers, like giving alternative inputs

Sketch of Security Proof

• Our protocol is proved secure via a simulation proof:– For any t corrupted parties attacking the protocol we

show how we can simulate the attack in the ideal world

– We compute values xi’ which corresponds to the inputs the corrupted parties use in the protocol and input these to the IF which returns the result y

– Given only y and xi’ we then simulate the values that the corrupted parties would have seen in the protocol, show them these values, and output whatever values they output in the end

We run the corrupted parties to see their commitments to their inputs and

use the non-malleable proof of knowledge to extract the committed

values xi’Possible as the corrupted parties see

only t shares of sharings sent by honest parties, so these shares can be simulated by shares of a random value

Consensus Broadcast (1/3)

• During the active secure MPC protocol we several times asked a party to send a value V to all other parties

• A corrupted party can, however, cheat and send different V to different parties– Can be used to break the protocol

• A protocol ensuring that even a cheating party sends the same message to all parties is called a consensus broadcast protocol


• Input: The sender has some message m

• Output: Each Pi outputs some mi

• Validity: If the sender is honest, then all honest parties output mi=m

• Agreement: Two honest parties always output the same mi

– No matter which other parties are corrupted


• Consensus broadcast can be implemented for any t<n corrupted parties if the parties are able to sign and verify messages

• Example for n=3,t=1:– P1 signs m and send it to P2 and P3

– P2 and P3 relay the message from P1 to the other party

– P2 and P3 output m if they saw a signature on m and no signature on another value

Simultaneous Broadcast

• In a simultaneous broadcast all Pi broadcast a message mi at the same time

• No Pi can pick mi to depend on the message mj of another party

• Can be implemented in Internet like networks if and only if t<n/2

Possibility of Secure MPC (1/4)

• We showed above:

• If t<n/2 and the corrupted parties are restricted to poly-time computation then secure MPC is possible– Need that the corrupted parties are restricted

to poly-time so they cannot break the commitments and the signatures used by the broadcast protocol


• If t<n/3 and we assume that the parties are connected by perfectly secure channels, then perfectly secure MPC is possible– No information is leaked to t parties– The result is correct with probability 1– Tolerates corrupted parties with unbounded

computing power


• If t<n/2 and we assume that the parties are connected by perfectly secure channels and have a perfectly reliable broadcast channel, then statistically secure MPC is possible– Negligible information is leaked to t parties– The result is correct except with negligible

probability– Tolerates corrupted parties with unbounded

computing power


• If tn/2 then secure MPC of all functions is not possible

• It is, however, possible to get unfair secure MPC which tolerates poly-time corrupted parties

• In an unfair protocol the corrupted parties can cheat such that they learn the result and the honest parties do not

Unfair Coin-Flip

• An example of an unfair protocol is our coin-flip protocol, where Alice learns the result first and then can just stop:

• Alice: – Pick uniformly random a– Sample a random key K for a commitment scheme– Compute C=commitK(a;r) – Send C to Bob

• Bob: Send uniformly random b to Alice• Alice: Send (a,r) to Bob who checks that

C=commitK(a;r) • Both: Let c=ab

Fair coin-flip is provablyimpossible between two parties given only normal

point-to-point communication

Unfair MPC

• From the impossibility of fair coin-flip for two parties (n=2, t=1) it follows that fair coin-flip is impossible for any n when t=n/2

• From this it follows that many (most?) functions cannot be implemented fairly when t=n/2

• Since e.g. simultaneous broadcast easily allows to implement fair coin-flip we can conclude that simultaneous broadcast is impossible when t=n/2

Crash Course on Cryptography

Jesper Buus Nielsen

SSoRC 2008

crash course on cryptography jesper buus nielsen ssorc 2008

Documents

b h b r

g x r h r

h r h r

x b mod p

g r x mh r mod p

ppt b b

g random

g x mod p messages