Post on 25-Sep-2020
Complexity Theory — Part 5: Interactions and protocols
Dusko Pavlovic
RHUL, Spring 2012
Outline
- Introduction
- Interactive Proof Systems
- Cryptography and protocols
- Multi-Party Computation
Time to close the door
. . . and study interactions
Questions
- What can computers compute through interaction? → Interactive Proof Systems
- What can each computer compute from interaction? → Cryptography and Protocols
- Separate private from public computation. → Secure (Multi-Party) Computation
Interactive Proof System (IPS)
Definition
An Interactive Proof System (IPS) consists of
- two sets of words: questions $Q \subseteq \Sigma^*$, where $\{0,1\} \subseteq Q$, and answers $A \subseteq \Sigma^*$;
- two functions: the verifier $v : A \times (Q \times A)^* \to Q$ and the prover $p : (A \times Q)^* \to A$.
Interactive Proof System (IPS)
Interaction
A $k$-round interaction of an IPS is a function $\langle v, p\rangle^k_Q : A \to \{0,1\}$ defined as the composite
$$A \xrightarrow{\langle \mathrm{id}, v\rangle} A \times Q \xrightarrow{\langle \mathrm{id}, p\rangle} A \times Q \times A \xrightarrow{\langle \mathrm{id}, v\rangle} (A \times Q)^2 \xrightarrow{\langle \mathrm{id}, p\rangle} A \times (Q \times A)^2 \xrightarrow{\langle \mathrm{id}, v\rangle} (A \times Q)^3 \xrightarrow{\langle \mathrm{id}, p\rangle} \cdots \xrightarrow{\langle \mathrm{id}, v\rangle} (A \times Q)^i \xrightarrow{\langle \mathrm{id}, p\rangle} A \times (Q \times A)^i \xrightarrow{v} \{0,1\}$$
where $2i < k$: the verifier's questions and the prover's answers alternate, and the verifier's last output is the verdict in $\{0,1\} \subseteq Q$.
Interactive Proof System (IPS)
Computation
- $v$ is computationally limited: deterministic (implemented by a DPT, a deterministic polynomial-time machine) or probabilistic (implemented by a PPT, a probabilistic polynomial-time machine).
- $p$ is computationally unlimited.
Interactively recognized languages
Deterministic Interactive Proofs
$$\mathrm{DDec}(V,P,f,\omega) \iff \Big(\langle V,P\rangle^{f(|\omega|)}_Q(\omega) \neq 0 \implies \omega \in L\Big) \wedge \Big(\omega \in L \implies \langle V,P\rangle^{f(|\omega|)}_Q(\omega) = 1\Big)$$
Interactively recognized languages
Deterministic Interactive Proofs
$$\mathrm{DIP}(f(n)) = \big\{\, L \subseteq A \;\big|\; \exists \langle V,P\rangle \in \mathrm{DIPS}.\ \forall \omega \in A.\ \mathrm{DDec}(V,P,f,\omega) \,\big\}$$
Interactively recognized languages
Deterministic Interactive Proofs
$$\mathrm{DIP} = \bigcup_{c=0}^{\infty} \mathrm{DIP}(n^c)$$
Interactively recognized languages
(Probabilistic) Interactive Proofs
$$\mathrm{PDec}(V,P,f,\omega) \iff \Big(\Pr\big(\langle V,P\rangle^{f(|\omega|)}_Q(\omega) = 1\big) > \tfrac{1}{3} \implies \omega \in L\Big) \wedge \Big(\omega \in L \implies \Pr\big(\langle V,P\rangle^{f(|\omega|)}_Q(\omega) = 1\big) \geq \tfrac{2}{3}\Big)$$
Interactively recognized languages
(Probabilistic) Interactive Proofs
$$\mathrm{IP}(f(n)) = \big\{\, L \subseteq A \;\big|\; \exists \langle V,P\rangle \in \mathrm{IPS}.\ \forall \omega \in A.\ \mathrm{PDec}(V,P,f,\omega) \,\big\}$$
Interactively recognized languages
(Probabilistic) Interactive Proofs
$$\mathrm{IP} = \bigcup_{c=0}^{\infty} \mathrm{IP}(n^c)$$
Interactively recognized languages
Proposition 1
DIP = NP
Interactively recognized languages
Proposition 2
IP = PSPACE
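An added example, not part of the slides: the $k$-round interaction $\langle v, p\rangle^k_Q$ defined above, run as code on the classical graph non-isomorphism protocol. `GNIVerifier`, `honest_prover`, `interact` and the four-vertex graphs `C4`, `C4_RELABELLED`, `P4` are all constructed for this illustration. The verifier is probabilistic and polynomial-time (it only relabels a graph and compares bits); the prover is given unlimited power, here a brute-force isomorphism test. When $G_0 \not\cong G_1$ the honest prover is always right, so the verifier accepts with probability 1; when $G_0 \cong G_1$ the question has the same distribution for $b = 0$ and $b = 1$, so no prover does better than $1/2$ per round, and $k$ rounds push the acceptance probability to $2^{-k}$, under the $1/3$ threshold of PDec. A statement of the form "these graphs are not isomorphic" thus gets an interactive proof with a probabilistic verifier, although no short deterministic certificate for it is known.

```python
import itertools
import random

def graph(n, edges):
    """An undirected graph on vertices 0..n-1 as (n, frozenset of 2-sets)."""
    return (n, frozenset(frozenset(e) for e in edges))

def permute(g, perm):
    """Relabel vertex u of g as perm[u]."""
    n, edges = g
    return (n, frozenset(frozenset(perm[u] for u in e) for e in edges))

def isomorphic(g, h):
    """Brute-force isomorphism test over all vertex permutations: the
    'computationally unlimited' step that only the prover may perform."""
    n, _ = g
    return h[0] == n and any(permute(g, p) == h for p in itertools.permutations(range(n)))

class GNIVerifier:
    """PPT verifier v for graph non-isomorphism. Each question is a random
    relabelling of G_b for a secret coin b; the verifier remembers its coins."""
    def __init__(self, rng):
        self.rng = rng
        self.coins = []

    def question(self, omega, transcript):
        g0, g1 = omega
        b = self.rng.randrange(2)
        perm = list(range(g0[0]))
        self.rng.shuffle(perm)
        self.coins.append(b)
        return permute((g0, g1)[b], perm)

    def decide(self, transcript):
        # final output in {0,1}: accept iff every answer named the secret coin
        return int(all(a == b for (_, a), b in zip(transcript, self.coins)))

def honest_prover(omega, question):
    """Unbounded prover p: says which of G0, G1 the question was relabelled from.
    When G0 and G1 are isomorphic its answer cannot depend on the coin."""
    g0, _ = omega
    return 0 if isomorphic(g0, question) else 1

def interact(verifier, prover, rounds, omega):
    """<v,p>^k_Q(omega): k alternations of verifier question and prover answer,
    then the verifier's verdict."""
    transcript = []
    for _ in range(rounds):
        q = verifier.question(omega, transcript)
        a = prover(omega, q)
        transcript.append((q, a))
    return verifier.decide(transcript)

def acceptance_rate(g0, g1, rounds, trials, seed=0):
    """Fraction of independent runs in which the verifier accepts."""
    rng = random.Random(seed)
    accepted = sum(interact(GNIVerifier(rng), honest_prover, rounds, (g0, g1))
                   for _ in range(trials))
    return accepted / trials

# Constructed inputs: a 4-cycle, the same cycle relabelled, and a 4-vertex path.
C4 = graph(4, [(0, 1), (1, 2), (2, 3), (3, 0)])
C4_RELABELLED = graph(4, [(0, 2), (2, 1), (1, 3), (3, 0)])
P4 = graph(4, [(0, 1), (1, 2), (2, 3)])

if __name__ == "__main__":
    print("G0 not iso G1, 3 rounds:", acceptance_rate(C4, P4, 3, 100))            # 1.0
    print("G0 iso G1, 1 round:     ", acceptance_rate(C4, C4_RELABELLED, 1, 400))  # about 1/2
    print("G0 iso G1, 4 rounds:    ", acceptance_rate(C4, C4_RELABELLED, 4, 400))  # about 1/16
```

The prover's brute force is the only expensive step, which is the division of labour the definition prescribes: the verifier's work is polynomial, the prover's is not bounded.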
Outline
- Introduction
- Interactive Proof Systems
- Cryptography and protocols: Cryptosystem, RSA, Secrecy, El Gamal
- Multi-Party Computation
Idea
Computational hardness can be used to control information flows:
- to prevent information flows: secrecy
- to enable information flows: authenticity
Example: Mental poker
Problem
- Alice and Bob want to play poker.
- They do not have cards.
- How can they deal imaginary cards without seeing them?
Example: Mental poker
Solution
- Suppose each $X \in \{\text{Alice}, \text{Bob}\}$ has a trapdoor function $f_X = \langle e_X, d_X, t_X\rangle$, i.e. one such that
$$d_X(e_X(x), t_X) = x \qquad\text{and}\qquad \Pr\big(x \leftarrow h(e_X(x), u) \;\big|\; x, u \leftarrow \{0,1\}^n\big) \approx 0$$
for every feasible $h$: with the trapdoor $t_X$ inversion is easy, without it (with a random $u$ in its place) it is infeasible.
Crypto system
Definition
Given the types
- $M$ of plaintexts,
- $C$ of cyphertexts,
- $K$ of keys,
. . . a crypto-system is a triple of PPTs:
- key generation $\gamma = \langle \gamma_e, \gamma_d\rangle : \mathbb{N} \to K \times K$,
- encryption $e : K \times M \to C$, and
- decryption $d : K \times C \to M$,
such that. . .
. . . $\langle e, d, \gamma_d\rangle$ is a trapdoor function:
- unique decryption:
$$\Pr\big(x \leftarrow d(k_d, e(k_e, x)) \;\big|\; x \leftarrow M,\ \langle k_e, k_d\rangle \leftarrow \gamma(n)\big) \approx 1$$
- trapdoor encryption: for every PPT $h$
$$\Pr\big(x \leftarrow h(u, e(k_e, x)) \;\big|\; x \leftarrow M,\ u \leftarrow K,\ \langle k_e, k_d\rangle \leftarrow \gamma(n)\big) \approx 0$$
Example: RSA
- $M = C = \mathbb{Z}_n$, where $n = pq$ with $p, q$ prime
- $K = \mathbb{Z}_{\varphi(n)}$, where $\varphi(n) = \#\{k < n \mid \gcd(n,k) = 1\}$
- $\gamma_e = e$ (public key)
- $\gamma_d = e^{-1} \bmod \varphi(n)$ (private key)
- $e(e, m) = m^e \bmod n$
- $d(d, c) = c^d \bmod n$
Example: RSA
Idea of public key cryptography
- $\gamma_e$ is publicly announced, so everyone can encrypt;
- $\gamma_d$ is kept secret, so only those who have it can decrypt.
It is important that $\gamma_d$ cannot be derived from $\gamma_e$.
Example: RSA
History of public key cryptography
- Whit Diffie and Marty Hellman proposed computational hardness as a new foundation for cryptography in 1976.
- Ron Rivest, Adi Shamir and Len Adleman (RSA) implemented that idea using exponentiation in 1978.
- The RSA patent became the base of a very profitable company. All involved became rich and famous.
Example: RSA
History of public key cryptography
- In December 1997, the British Government Communications Headquarters (GCHQ) released five papers.
- James Ellis' paper "The possibility of non-secret encryption" (1970) proposed computational hardness as a foundation for cryptography.
- Clifford Cocks' paper "A note on non-secret encryption" (1973) implemented that idea using exponentiation.
Example: RSA
History of public key cryptography
- James Ellis retired in 1986 and died in November 1997.
- Clifford Cocks became the Chief Mathematician at GCHQ in 2007.
- Public key cryptography was critical in arms treaty control as of 1986, but was not deployed earlier.
Example: RSA
- Take $p = 11$ and $q = 17$. Hence $n = pq = 187$, and $\varphi(n) = (11-1)(17-1) = 160$.
- Take $\gamma_e = e = 3$. Then $\gamma_d = d = 3^{-1} \bmod 160 = 107$, since $3 \cdot 107 = 321 = 2 \cdot 160 + 1$.
- Encoding letters as $A = 0, B = 1, \ldots$, so that $p = 15$ and $J = 9$:
- $e(3, p) = J$ because $e(3, 15) = 15^3 = 3375 = 9 \bmod 187$;
- $d(107, J) = p$ because $d(107, 9) = 9^{107} = 15 \bmod 187$.
Example: RSA
Homework
Prove that Euler's totient function
$$\varphi : \mathbb{N} \to \mathbb{N}, \qquad n \mapsto \#\{k < n \mid \gcd(n,k) = 1\}$$
has the following properties:
- $\varphi(p^k) = (p-1)\,p^{k-1}$ if $p$ is prime,
- $\varphi(mn) = \varphi(m) \cdot \varphi(n)$ if $\gcd(m,n) = 1$.
Derive a general formula to compute $\varphi(n)$.
Example: RSA
. . . is a crypto system because
- unique decryption holds by
$$ed = 1 \bmod \varphi(n) \implies (m^e)^d = m \bmod n$$
- trapdoor encryption holds since for every $A$
$$\forall m.\ A(m^e) = m \bmod n \implies \forall c.\ A(c) = c^d \bmod n$$
where $ed = 1 \bmod \varphi(n)$.
Example: RSA
To prove that RSA satisfies these requirements, we need some basic arithmetic.
Refresher in arithmetic
Definition
Let $(G, \cdot, 1)$ be a finite group and $g \in G$. We define
$$\mathrm{ord}(G) = \#G \ \text{(the number of elements)}, \qquad \mathrm{ord}(g) = \#\langle g\rangle = \min\{\lambda \mid g^\lambda = 1\}$$
Theorem 3 (Lagrange)
For every $g \in G$ holds $\mathrm{ord}(g) \mid \mathrm{ord}(G)$.
Refresher in arithmetic
Definition
The multiplicative group of invertible elements of $\mathbb{Z}_n$ is
$$\mathbb{Z}_n^* = \{x \in \mathbb{Z}_n \mid \exists y.\ xy = 1 \bmod n\}$$
Lemma 4
$k \in \mathbb{Z}_n$ is invertible iff it is mutually prime with $n$, i.e.
$$k \in \mathbb{Z}_n^* \iff \gcd(n,k) = 1$$
Hence $\mathrm{ord}(\mathbb{Z}_n^*) = \#\{k < n \mid \gcd(n,k) = 1\} = \varphi(n)$.
Refresher in arithmetic
Corollary 5 (Euler)
For every invertible $k \in \mathbb{Z}_n^*$ holds
$$k^{\varphi(n)} = 1 \bmod n$$
Proof.
By the Theorem, $\mathrm{ord}(k) \mid \mathrm{ord}(\mathbb{Z}_n^*)$. By the Lemma, $\mathrm{ord}(\mathbb{Z}_n^*) = \varphi(n)$. Hence $k^{\varphi(n)} = \big(k^{\mathrm{ord}(k)}\big)^{\varphi(n)/\mathrm{ord}(k)} = 1$. ∎
RSA unique decryption
Conclusion
Hence the unique decryption property of RSA:
$$ed = 1 \bmod \varphi(n) \iff \exists \lambda.\ ed = 1 + \lambda\varphi(n) \implies m^{ed} = m^{1+\lambda\varphi(n)} = m \bmod n$$
Euler's corollary gives the last step for $m \in \mathbb{Z}_n^*$. For the remaining $m$ (the multiples of $p$ or $q$) the same identity holds because it holds modulo $p$ and modulo $q$ separately, by Fermat's little theorem and $(p-1) \mid \varphi(n)$, $(q-1) \mid \varphi(n)$; since $n = pq$ is squarefree, this is enough.
RSA Assumption
RSA Problem
- input: $n = pq \in \mathbb{N}$ where $p$ and $q$ are prime; $c \in \mathbb{Z}_n^*$, i.e. $\gcd(c,n) = 1$; $e \in \mathbb{Z}_{\varphi(n)}^*$, i.e. $\gcd(e, p-1) = \gcd(e, q-1) = 1$
- output: $m = \sqrt[e]{c} \bmod n$, i.e. $m^e = c \bmod n$
RSA Assumption
There is no feasible algorithm solving the RSA Problem.
RSA trapdoor encryption
Conclusion
Hence the trapdoor encryption property of RSA:
$$\forall m.\ A(m^e) = m \bmod n \implies \forall c.\ A(c) = c^d \bmod n$$
where $ed = 1 \bmod \varphi(n)$.
RSA trapdoor encryption
Remark
The RSA problem can be solved by finding $d = e^{-1} \bmod \varphi(n)$, i.e. by finding $d, \lambda$ such that $de + \lambda\varphi(n) = 1$ (the extended Euclidean algorithm).
But computing $\varphi(n)$ requires factoring $n$, and is in fact equivalent to it: from $n$ and $\varphi(n) = (p-1)(q-1)$ one gets $p + q = n - \varphi(n) + 1$, so $p$ and $q$ are the roots of $x^2 - (p+q)\,x + n$.
It is believed that factoring is not feasible: if $n$ has only large factors, they are hard to find.
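An added worked version, not from the slides, of the toy RSA example above (p = 11, q = 17, e = 3), of the unique-decryption argument, and of this remark. All function names are mine. `rsa_keygen` finds $d = e^{-1} \bmod \varphi(n)$ with the extended Euclidean step of the remark; `decrypts_everything` checks unique decryption over all of $\mathbb{Z}_{187}$, including the multiples of 11 and 17 that Euler's corollary does not cover directly; `factor_from_phi` shows the other direction of the remark, that anyone who learns $\varphi(n)$ has factored $n$.

```python
import math

def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def inverse(a, m):
    """a^-1 mod m; this is how d = e^-1 mod phi(n) is found from e and phi(n)."""
    g, s, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} is not invertible modulo {m}")
    return s % m

def rsa_keygen(p, q, e):
    """gamma(p, q, e) = (gamma_e, gamma_d): public (n, e), private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, inverse(e, phi))

def rsa_enc(pub, m):
    n, e = pub
    return pow(m, e, n)          # e(e, m) = m^e mod n

def rsa_dec(priv, c):
    n, d = priv
    return pow(c, d, n)          # d(d, c) = c^d mod n

def decrypts_everything(pub, priv):
    """Unique decryption for *all* m in Z_n, including the multiples of p and q
    that Euler's theorem does not cover directly (the CRT argument above)."""
    n = pub[0]
    return all(rsa_dec(priv, rsa_enc(pub, m)) == m for m in range(n))

def euler_holds(n, phi):
    """k^phi(n) = 1 mod n for every k coprime to n (Corollary 5)."""
    return all(pow(k, phi, n) == 1 for k in range(1, n) if math.gcd(k, n) == 1)

def factor_from_phi(n, phi):
    """Knowing phi(n) is as good as factoring: p + q = n - phi(n) + 1, so p and q
    are the roots of x^2 - (p+q) x + n."""
    s = n - phi + 1
    disc = s * s - 4 * n
    r = math.isqrt(disc)
    if r * r != disc:
        raise ValueError("phi is not the totient of a product of two primes")
    return (s - r) // 2, (s + r) // 2

def letter(i):
    """The slide's encoding A=0, B=1, ...: 15 is P, 9 is J."""
    return chr(ord("A") + i)

if __name__ == "__main__":
    pub, priv = rsa_keygen(11, 17, 3)      # ((187, 3), (187, 107))
    c = rsa_enc(pub, 15)                   # 15^3 = 3375 = 9 mod 187
    print(pub, priv, letter(15), "->", c, letter(c), "->", rsa_dec(priv, c))
    print(factor_from_phi(187, 160))       # (11, 17)
```

The toy modulus is of course breakable by trial division in a microsecond; the point of `factor_from_phi` is that the same arithmetic works at any size, so a leaked $\varphi(n)$ (or a leaked $d$, from which $\varphi(n)$ is recoverable) is a leaked private key.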
Notions of secrecy
Definition
Given the types
- $M$ of plaintexts, $C$ of cyphertexts, $K$ of keys, and $R$ of random seeds,
. . . a probabilistic crypto-system is a triple of algorithms:
- key generation $\langle \gamma_e, \gamma_d\rangle : R \to K \times K$,
- encryption $e : R \times K \times M \to C$, and
- decryption $d : K \times C \to M$,
. . . that together provide
- unique decryption: $d(\gamma_d, e(\gamma_e, m)) = m$
- secrecy (Shannon: unconditional, "perfect security"):
$$\Pr\big(m \leftarrow M \;\big|\; c \leftarrow e(\gamma, m)\big) = \Pr\big(m \leftarrow M\big) \qquad \text{(IT-SEC)}$$
. . . or, alternatively, secrecy in the computational sense:
$$\Pr\big(m \leftarrow A(c) \;\big|\; c \leftarrow e(\gamma, m)\big) \approx \Pr\big(m \leftarrow A(0)\big) \qquad \text{(COM-SEC)}$$
for every PPT $A : C \to M$.
. . . or indistinguishability in the information-theoretic sense:
$$\Pr\big(b \leftarrow \{0,1\} \;\big|\; m_0, m_1 \leftarrow M,\ c \leftarrow e(\gamma, m_b)\big) = \Pr\big(b \leftarrow \{0,1\} \;\big|\; m_0, m_1 \leftarrow M\big) = \tfrac{1}{2} \qquad \text{(IT-IND)}$$
. . . or indistinguishability in the computational sense:
$$\Pr\big(b \leftarrow A(m_0, m_1, c) \;\big|\; m_0, m_1 \leftarrow M,\ c \leftarrow e(m_b)\big) \approx \Pr\big(b \leftarrow A(m_0, m_1, 0) \;\big|\; m_0, m_1 \leftarrow M\big) \approx \tfrac{1}{2} \qquad \text{(COM-IND)}$$
for any feasible probabilistic $A : M \times M \times C \to \{0,1\}$ (with $\gamma_e$ and the seed implicit).
. . . or secrecy under chosen plaintext attack (Goldwasser-Micali: "semantic security"):
$$\Pr\big(b \leftarrow A_1(m_0, m_1, c) \;\big|\; m_0, m_1 \leftarrow A_0,\ c \leftarrow e(m_b)\big) \approx \tfrac{1}{2} \qquad \text{(IND-CPA)}$$
for any feasible probabilistic algorithm $A = \langle A_0, A_1\rangle$, where $A_0$ chooses the two plaintexts and $A_1$ guesses which of them was encrypted.
. . . or secrecy under chosen cyphertext attack:
$$\Pr\big(b \leftarrow A_2(c_0, m, m_0, m_1, c) \;\big|\; c_0 \leftarrow A_0,\ m \leftarrow d(c_0),\ m_0, m_1 \leftarrow A_1(c_0, m),\ c \leftarrow e(m_b)\big) \approx \tfrac{1}{2} \qquad \text{(IND-CCA)}$$
for any feasible probabilistic algorithm $A = \langle A_0, A_1, A_2\rangle$: the attacker gets a cyphertext $c_0$ of its choice decrypted before it sees the challenge $c$.
. . . or secrecy under adaptive chosen cyphertext attack:
$$\Pr\big(b \leftarrow A_3(c_0, m, m_0, m_1, c, c_1, \tilde m) \;\big|\; c_0 \leftarrow A_0,\ m \leftarrow d(c_0),\ m_0, m_1 \leftarrow A_1(c_0, m),\ c \leftarrow e(m_b),\ c_1 \leftarrow A_2(c_0, m, m_0, m_1, c),\ c_1 \neq c,\ \tilde m \leftarrow d(c_1)\big) \approx \tfrac{1}{2} \qquad \text{(IND-CCA2)}$$
for any feasible probabilistic algorithm $A = \langle A_0, A_1, A_2, A_3\rangle$: the attacker may additionally have a cyphertext $c_1 \neq c$ of its choice decrypted after seeing the challenge.
Taxonomy of secrecy properties
(Diagram on the slide relating the notions IT-SEC, IT-IND, COM-SEC, COM-IND, IND-CPA, IND-CCA (also written IND-CCA1) and IND-CCA2.)
Example: El Gamal
Fix a finite field $F$ and $g \in F^*$.
- $M = R = F$, $C = F^* \times F$, $K = F^* \times F^*$
- $\gamma_e(a) = g^a$, $\gamma_d(a) = a$
- $e(r, k, m) = \langle g^r,\ k^r \cdot m\rangle$
- $d(k, \langle c_1, c_2\rangle) = \dfrac{c_2}{c_1^{\,k}}$
Unique decryption
$$d(\gamma_d(a), e(r, \gamma_e(a), m)) = d(a, e(r, g^a, m)) = d\big(a, \langle g^r, (g^a)^r \cdot m\rangle\big) = \frac{g^{ar} \cdot m}{(g^r)^a} = m$$
Security of El Gamal
Computational Diffie-Hellman Assumption (CDH)
There is no feasible probabilistic algorithm $\mathrm{CDH} : F^2 \to F$ such that for all $a, b \in F$ holds with a high probability
$$\mathrm{CDH}(g^a, g^b) = g^{ab}$$
Decision Diffie-Hellman Assumption (DDH)
There is no feasible probabilistic algorithm $\mathrm{DDH} : F^3 \to \{0,1\}$ such that for all $a, b \in F$ holds with a probability $> \tfrac{1}{2}$
$$\mathrm{DDH}(x, y, z) = \begin{cases} 1 & \text{if } \exists u, v.\ x = g^u \wedge y = g^v \wedge z = g^{uv} \\ 0 & \text{otherwise}\end{cases}$$
Security of El Gamal
Proposition 6
El Gamal satisfies (IND-CPA) if and only if (DDH) holds. El Gamal does not satisfy (IND-CCA).
Security of El Gamal
Proof of (DDH) ⟹ (IND-CPA)
Suppose ¬(IND-CPA). This means that there is a feasible probabilistic algorithm $A = \langle A_0, A_1\rangle$ which
- generates $m_0, m_1 \leftarrow A_0(k)$, and then
- guesses $b \leftarrow A_1(k, m_0, m_1, c_b)$ with a probability $> \tfrac{1}{2}$,
- where $c_b = e(s, k, m_b)$ for $b \leftarrow \{0,1\}$.
We construct the algorithm $\mathrm{DDH} : F^3 \to \{0,1\}$ to decide whether a triple $\langle x, y, z\rangle$ is of the form $\langle g^u, g^v, g^{uv}\rangle$ for some $u, v \in F$.
Security of El Gamal
Proof (continued)
If the private key is $\gamma_d = u$, then El Gamal encrypts
$$e(v, g^u, m) = \langle g^v, g^{uv} \cdot m\rangle$$
This means that
$$\mathrm{DDH}(x, y, z) = 1 \iff \forall m.\ e(\log_g y, x, m) = \langle y, z \cdot m\rangle$$
But ¬(IND-CPA) says that $A = \langle A_0, A_1\rangle$ can decide the right-hand side, so that $m_0, m_1 \leftarrow A_0(x)$ gives
$$\mathrm{DDH}(x, y, z) = \begin{cases} 1 & \text{if } A_1(x, m_0, m_1, \langle y, z \cdot m_0\rangle) = 0 \text{ and } A_1(x, m_0, m_1, \langle y, z \cdot m_1\rangle) = 1 \\ 0 & \text{otherwise}\end{cases}$$
Security of El Gamal
Proof of ¬(DDH) ⟹ ¬(IND-CPA)
Suppose ¬(DDH). This means that there is a feasible decision algorithm DDH.
Then the attacker $A_1$ can be constructed by setting
$$A_1(k, m_0, m_1, \langle c_0, c_1\rangle) = \begin{cases} 1 & \text{if } \mathrm{DDH}(k, c_0, c_1/m_1) \\ 0 & \text{if } \mathrm{DDH}(k, c_0, c_1/m_0) \\ \bot & \text{otherwise}\end{cases}$$
since for the encrypted $m_b$ the quotient $c_1/m_b = k^r = g^{ar}$ is exactly the Diffie-Hellman value of $k = g^a$ and $c_0 = g^r$.
Security of El Gamal
Proof of ¬(IND-CCA)
Given a cyphertext $\langle c_0, c_1\rangle$, the (IND-CCA)-attacker requests a decryption of the cyphertext $\langle \tilde c_0, \tilde c_1\rangle$ where
$$\tilde c_0 = c_0 \cdot g^{\tilde r}, \qquad \tilde c_1 = c_1 \cdot k^{\tilde r} \cdot \tilde m$$
where $\tilde r$ and $\tilde m$ are arbitrary, different from 0 and 1.
Security of El Gamal
Proof of ¬(IND-CCA)
The decryption algorithm will return
$$d(a, \langle \tilde c_0, \tilde c_1\rangle) = \frac{\tilde c_1}{\tilde c_0^{\,a}} = \frac{c_1 \cdot g^{a\tilde r} \cdot \tilde m}{c_0^{\,a} \cdot g^{a\tilde r}} = \frac{g^{ar} m \cdot g^{a\tilde r} \tilde m}{g^{ar} \cdot g^{a\tilde r}} = m \cdot \tilde m$$
which the attacker can divide by $\tilde m$ to extract $m$. Since $\langle \tilde c_0, \tilde c_1\rangle \neq \langle c_0, c_1\rangle$, the one restriction of the game does not block the query. The query depends on the challenge, so this is the adaptive game (IND-CCA2) defined above; the attack works because El Gamal cyphertexts are malleable: without the key one can re-randomize them and multiply the hidden plaintext by a known factor.
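An added example, not from the slides, that runs the three proofs above over a constructed toy field $F = \mathbb{Z}_{467}$ with $g = 2$ (467 is prime and 2 generates $\mathbb{Z}_{467}^*$). It contains El Gamal key generation, encryption and decryption as defined above; the IND-CPA attacker $A_1$ of the ¬(DDH) ⟹ ¬(IND-CPA) proof, played against a stand-in DDH oracle that simply brute-forces the discrete logarithm (feasible only because the field is tiny, which is exactly what the DDH assumption rules out for real groups); and the malleability attack of the ¬(IND-CCA) proof, with a decryption oracle that refuses only the challenge itself. All names are mine; the attacker's fixed plaintexts 5 and 7 and the maul values $\tilde r = 3$, $\tilde m = 11$ are arbitrary choices. In practice one works in a prime-order subgroup rather than all of $F^*$, which does not affect the attacks shown.

```python
import random

# Constructed toy parameters: F = Z_467 (467 is prime), g = 2 generates F^*.
# Real deployments use a large prime-order group; this size only lets the reductions run.
P = 467
G = 2

def elgamal_keygen(rng):
    """gamma(a) = (gamma_e, gamma_d) = (g^a, a)."""
    a = rng.randrange(1, P - 1)
    return pow(G, a, P), a

def elgamal_enc(k, m, r):
    """e(r, k, m) = <g^r, k^r * m>."""
    return pow(G, r, P), pow(k, r, P) * m % P

def elgamal_dec(a, c):
    """d(a, <c1, c2>) = c2 / c1^a."""
    c1, c2 = c
    return c2 * pow(pow(c1, a, P), -1, P) % P

def ddh_oracle(x, y, z):
    """Stands in for the hypothetical feasible DDH algorithm of the proof by
    brute-forcing u = log_g(x): fine for P = 467, infeasible in a real group."""
    u = next(u for u in range(P - 1) if pow(G, u, P) == x)
    return z == pow(y, u, P)

def cpa_attacker_guess(k, m0, m1, c):
    """A1 of the not-DDH => not-IND-CPA proof: which m_b makes <k, c1, c2/m_b> a DH triple?"""
    c1, c2 = c
    if ddh_oracle(k, c1, c2 * pow(m1, -1, P) % P):
        return 1
    if ddh_oracle(k, c1, c2 * pow(m0, -1, P) % P):
        return 0
    return None   # cannot happen for an honestly formed cyphertext

def ind_cpa_win_rate(trials, seed=0):
    """IND-CPA game: A0 fixes m0 != m1, the challenger encrypts m_b, A1 guesses b."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        k, _ = elgamal_keygen(rng)
        m0, m1 = 5, 7                           # A0's choice: any two distinct plaintexts
        b = rng.randrange(2)
        c = elgamal_enc(k, (m0, m1)[b], rng.randrange(1, P - 1))
        wins += cpa_attacker_guess(k, m0, m1, c) == b
    return wins / trials

def cca_attack(k, challenge, decrypt_oracle, r_tilde=3, m_tilde=11):
    """The not-IND-CCA proof: maul <c1, c2> into <c1 g^r~, c2 k^r~ m~>, which
    decrypts to m * m~, then divide m~ out."""
    c1, c2 = challenge
    mauled = (c1 * pow(G, r_tilde, P) % P, c2 * pow(k, r_tilde, P) * m_tilde % P)
    return decrypt_oracle(mauled) * pow(m_tilde, -1, P) % P

def run_cca_attack(m, seed=0):
    """Encrypt m under a fresh key and let the attacker recover it through the oracle."""
    rng = random.Random(seed)
    k, a = elgamal_keygen(rng)
    challenge = elgamal_enc(k, m % P, rng.randrange(1, P - 1))

    def decrypt_oracle(c):
        # the game's only rule: the challenge itself is never decrypted
        if c == challenge:
            raise ValueError("decryption of the challenge cyphertext is not allowed")
        return elgamal_dec(a, c)

    return cca_attack(k, challenge, decrypt_oracle)

def roundtrip_ok(m, seed=0):
    """Unique decryption: d(a, e(r, g^a, m)) = m."""
    rng = random.Random(seed)
    k, a = elgamal_keygen(rng)
    return elgamal_dec(a, elgamal_enc(k, m % P, rng.randrange(1, P - 1))) == m % P

if __name__ == "__main__":
    print("IND-CPA attacker with a DDH oracle wins:", ind_cpa_win_rate(20))   # 1.0
    print("CCA attacker recovers 42 as:", run_cca_attack(42))                # 42
```

The CCA attacker never touches the private key $a$; it only exploits the homomorphic structure $\langle c_1, c_2\rangle \cdot \langle g^{\tilde r}, k^{\tilde r}\tilde m\rangle$ of the cyphertext space, which is why schemes meant for IND-CCA2 wrap El Gamal in an integrity check rather than use it bare.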
Multi-Party Computation (MPC)
Problem
Alice and Bob want to evaluate a function
$$f : \{0,1\}^{\ell(a)} \times \{0,1\}^{\ell(b)} \to \{0,1\}$$
while satisfying
- fairness: both get $f(x, y)$;
- correctness: neither accepts a false value;
- privacy: whatever can be learned from participating in the protocol can be learned from the output and one's own private value.
Multi-Party Computation (MPC)
Example: Match making
Alice and Bob want to find out whether they agree.
- Alice has a bit $a$.
- Bob has a bit $b$.
- They need to evaluate $f(a, b) = a \cdot b$ (i.e. the conjunction $a \wedge b$).
Multi-Party Computation (MPC)
Definition
An MPC protocol for $f$ is secure if no PPT attacker can obtain from it more information than from an oracle (i.e. Trusted Third Party) computation of $f$.
Application: Implementing games
- state = hands of cards: (im)perfect information
- type = preferences: (in)complete information
Oblivious Transfer Protocol (OT) (diagram on the slide)
Match Making by Oblivious Transfer
Proposition 7
The Match Making protocol can be implemented using Oblivious Transfer.
Match Making by Oblivious Transfer
Proof.
The 1-out-of-2 oblivious transfer $\mathrm{OT}(b_0, b_1, s) = (1 \oplus s)\,b_0 \oplus s\,b_1$ delivers $b_s$ to the receiver holding the selection bit $s$ and nothing else, and then
$$a \cdot b = \mathrm{OT}(0, a, b)$$
with Alice as the sender offering $\langle b_0, b_1\rangle = \langle 0, a\rangle$ and Bob as the receiver selecting with $s = b$. ∎
Oblivious String Comparison (diagram on the slide)
Rabin's Oblivious Transfer (Rabin-OT)
- Alice has a bit $b$.
- Bob receives $b$ with probability $\tfrac{1}{2}$, and nothing with probability $\tfrac{1}{2}$.
- Alice does not know whether Bob has received $b$.
Rabin’s Oblivious Transfer (Rabin-OT)
Proposition 8
OT and Rabin-OT are equivalent.
Rabin's Oblivious Transfer (Rabin-OT)
Proof of OT ⟹ Rabin-OT
- Alice randomly selects $b_0, b_1$ such that $b_0 \oplus b_1 = b$.
- Bob randomly selects $s$.
- They compute $\mathrm{OT}(b_0, b_1, s)$, so Bob obtains $b_s$.
- Alice randomly selects $t$ and sends $\langle t, b_t\rangle$.
- If $t \neq s$, then Bob has $b_0 \oplus b_1 = b$.
- If $t = s$, then Bob does not know $b$.
- Alice does not know whether Bob knows $b$.
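An added example, not from the slides, for the two OT constructions above: match making as $a \cdot b = \mathrm{OT}(0, a, b)$ (Proposition 7) and the OT ⟹ Rabin-OT reduction just given. `ot` models an ideal 1-out-of-2 oblivious transfer as a trusted function; a real OT protocol would replace it. The other names are mine. Making Alice's and Bob's coins explicit lets the code check the claims of the proof exhaustively over all eight coin assignments: Bob's output, when he has one, is always the right bit; he obtains it in exactly half of the runs; and Alice's view does not depend on Bob's selection bit $s$, so she cannot tell whether the transfer succeeded.

```python
import itertools
import random

def ot(b0, b1, s):
    """Ideal 1-out-of-2 oblivious transfer, as on the slide:
    OT(b0, b1, s) = (1 xor s) b0 xor s b1 = b_s.
    The receiver learns only b_s; the sender learns nothing about s."""
    return ((1 ^ s) & b0) ^ (s & b1)

def match_making(a, b):
    """a and b = OT(0, a, b): Alice offers the pair (0, a), Bob selects with b."""
    return ot(0, a, b)

def match_making_correct():
    """Exhaustive check of a*b = OT(0, a, b) over all four inputs."""
    return all(match_making(a, b) == (a & b)
               for a, b in itertools.product((0, 1), repeat=2))

def rabin_ot_from_ot(b, b0, s, t):
    """One run of the OT => Rabin-OT reduction with every coin explicit:
    b0 is Alice's first share (b1 = b0 xor b), s is Bob's OT selection bit,
    t is the index Alice reveals. Returns (Bob's output or None, Alice's view)."""
    b1 = b0 ^ b
    b_s = ot(b0, b1, s)            # Bob receives one share obliviously
    b_t = (b0, b1)[t]              # Alice sends <t, b_t> in the clear
    alice_view = (b0, b1, t)       # s never reaches Alice
    if t != s:
        return b_s ^ b_t, alice_view    # Bob holds both shares: b0 xor b1 = b
    return None, alice_view             # Bob holds one share twice: b stays hidden

def rabin_ot_exhaustive(b):
    """Over all 8 coin assignments: every delivered bit equals b, and the
    fraction of runs in which Bob learns b is exactly 1/2."""
    delivered = 0
    for b0, s, t in itertools.product((0, 1), repeat=3):
        out, _ = rabin_ot_from_ot(b, b0, s, t)
        if out is not None:
            if out != b:
                raise AssertionError("Bob reconstructed the wrong bit")
            delivered += 1
    return delivered / 8

def alice_view_independent_of_s(b):
    """Alice sees the same transcript whether Bob chose s = 0 or s = 1."""
    return all(rabin_ot_from_ot(b, b0, 0, t)[1] == rabin_ot_from_ot(b, b0, 1, t)[1]
               for b0, t in itertools.product((0, 1), repeat=2))

def rabin_ot(b, rng):
    """A randomized run, as Alice and Bob would actually execute it."""
    return rabin_ot_from_ot(b, rng.randrange(2), rng.randrange(2), rng.randrange(2))[0]

if __name__ == "__main__":
    rng = random.Random(0)
    print("match making correct:", match_making_correct())              # True
    print("Bob learns b in fraction:", rabin_ot_exhaustive(1))          # 0.5
    print("ten random runs:", [rabin_ot(1, rng) for _ in range(10)])    # mix of 1 and None
```

The reduction inherits its security from the ideal `ot`: the only thing Bob ever receives about the share he did not select is nothing, and the only thing Alice ever receives is nothing at all.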
Rabin's Oblivious Transfer (Rabin-OT)
Proof of Rabin-OT ⟹ OT (diagram on the slide)
How to implement Rabin-OT
- Alice and Bob agree to use an encoding $\mathrm{ENCODE}(x, y)$ where $t$ is a trapdoor iff it divides $y$.
- Alice picks large primes $p, q$ and sends to Bob $\mathrm{ENCODE}(b, n)$ where $n = pq$.
- Bob picks $x \in \mathbb{Z}_n^*$ and sends $x^2 \bmod n$.
- Alice picks $i \in \{0,1,2,3\}$ and sends $z_i$, where $z_0^2 \equiv z_1^2 \equiv z_2^2 \equiv z_3^2 \equiv x^2 \pmod n$ are the four square roots, which she can compute because she knows $p$ and $q$.
- If $z_i \not\equiv \pm x \pmod n$, then Bob can factor $n$ (as $\gcd(x - z_i, n)$), invert $\mathrm{ENCODE}(b, n)$, and get $b$.
- If $z_i \equiv \pm x \pmod n$, then Bob cannot factor $n$ and does not know $b$.
- Alice does not know $x$ and has no idea whether Bob got $b$.
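An added example, not from the slides, of the square-root step of this implementation, with constructed Blum-integer parameters ($p, q \equiv 3 \pmod 4$, which makes Alice's square roots a single exponentiation per prime plus the Chinese remainder theorem). `four_roots` is Alice's trapdoor computation; `bob_factor` is Bob's $\gcd(x - z_i, n)$ step. The slide's $\mathrm{ENCODE}(b, n)$ is not implemented: the code stops at whether Bob has obtained the factorization, which is what lets him invert it. `factoring_fraction` checks over every $x \in \mathbb{Z}_n^*$ and every $i$ that exactly half of the rounds give Bob the factors, and that the factors he finds are always correct. All names are mine.

```python
import math
import random

def sqrt_mod_prime_3mod4(a, p):
    """A square root of the quadratic residue a modulo a prime p = 3 mod 4:
    a^((p+1)/4), since (a^((p+1)/4))^2 = a * a^((p-1)/2) = a."""
    return pow(a, (p + 1) // 4, p)

def crt(rp, p, rq, q):
    """The residue mod pq that is rp mod p and rq mod q."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def four_roots(y, p, q):
    """Alice's trapdoor step: with p and q she finds all four z with z^2 = y mod pq."""
    rp, rq = sqrt_mod_prime_3mod4(y, p), sqrt_mod_prime_3mod4(y, q)
    return sorted({crt(sp * rp, p, sq * rq, q) for sp in (1, -1) for sq in (1, -1)})

def bob_factor(n, x, z):
    """Bob's step. If z^2 = x^2 but z is not ±x mod n, then n divides (x-z)(x+z)
    while dividing neither factor, so gcd(x - z, n) is p or q."""
    if z in (x % n, (-x) % n):
        return None
    d = math.gcd(x - z, n)
    return None if d in (1, n) else (min(d, n // d), max(d, n // d))

def rabin_ot_round(p, q, x, i):
    """One round with Bob's secret x and Alice's index i: Bob sends x^2,
    Alice answers the i-th root, Bob tries to factor."""
    n = p * q
    return bob_factor(n, x, four_roots(pow(x, 2, n), p, q)[i])

def factoring_fraction(p, q):
    """Exhaustive over all x in Z_n^* and all i: exactly half of the rounds let
    Bob factor n (and so read b), and every factorization found is right."""
    n, hits, total = p * q, 0, 0
    for x in range(1, n):
        if math.gcd(x, n) != 1:
            continue
        for i in range(4):
            f = rabin_ot_round(p, q, x, i)
            total += 1
            if f is not None:
                if f != (min(p, q), max(p, q)):
                    raise AssertionError("wrong factorization")
                hits += 1
    return hits / total

def rabin_ot_random(p, q, rng):
    """One randomized round as Alice and Bob would actually run it."""
    n = p * q
    x = rng.randrange(1, n)
    while math.gcd(x, n) != 1:
        x = rng.randrange(1, n)
    return rabin_ot_round(p, q, x, rng.randrange(4))

if __name__ == "__main__":
    # Constructed toy primes, both 3 mod 4.
    print(four_roots(49, 11, 19))                     # the four roots of 49 mod 209, including 7 and 202
    print(factoring_fraction(11, 19))                 # 0.5
    print(rabin_ot_random(103, 107, random.Random(0)))  # (103, 107) or None
```

Alice's answer depends only on $x^2$, so her view is the same whether she happened to return $\pm x$ or one of the other two roots; that is where her obliviousness comes from.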
How to implement any protocol
Proposition 9
Any MPC problem can be solved using OT (or Rabin-OT). I.e., fair, correct and private evaluation of any function $f : \{0,1\}^{\ell(a)} \times \{0,1\}^{\ell(b)} \to \{0,1\}$ can be reduced to OT.
How to implement any protocol
- Alice and Bob jointly evaluate a boolean circuit for $f$.
- They share the inputs of all gates: each wire value is split into two random bits, one held by each party, whose XOR is the value.
- Neither of them knows the inputs of the internal gates in the circuit.
- They reveal their shares of the output wire to get the output.
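An added example, not from the slides, of this procedure on a small circuit: the oblivious string comparison $\mathrm{eq}(a, b) = \bigwedge_i \neg(a_i \oplus b_i)$ (the subject of the figure-only slide above), evaluated on XOR shares. XOR and NOT gates are local; each AND gate costs two calls to the ideal 1-out-of-2 OT `ot`, one per cross term, masked with fresh random bits so that neither party learns the other's shares. Only the two shares of the output wire are ever revealed. `check_all` verifies correctness over every pair of $n$-bit strings. All names are mine; this is the standard GMW-style construction, not code from the slides.

```python
import itertools
import random

def ot(b0, b1, s):
    """Ideal 1-out-of-2 OT (the same primitive as on the match-making slide)."""
    return ((1 ^ s) & b0) ^ (s & b1)

def share(bit, rng):
    """XOR-share a bit as (r, r xor bit): each share alone is a uniformly random bit."""
    r = rng.randrange(2)
    return r, r ^ bit

def xor_gate(xa, ya, xb, yb):
    """Alice holds (xa, ya), Bob holds (xb, yb). Shares of x xor y need no interaction."""
    return xa ^ ya, xb ^ yb

def not_gate(xa, xb):
    """Shares of not x: one party flips her share."""
    return xa ^ 1, xb

def and_gate(xa, ya, xb, yb, rng):
    """Shares of x and y, using
        x y = xa ya  xor  xa yb  xor  xb ya  xor  xb yb.
    Each cross term is obtained with one OT, masked by a fresh random bit,
    so neither party learns anything about the other's shares."""
    u = rng.randrange(2)                 # Alice's mask
    bob_cross = ot(u, u ^ xa, yb)        # Bob receives u xor xa*yb
    v = rng.randrange(2)                 # Bob's mask
    alice_cross = ot(v, v ^ xb, ya)      # Alice receives v xor xb*ya
    za = (xa & ya) ^ u ^ alice_cross
    zb = (xb & yb) ^ v ^ bob_cross
    return za, zb

def and_gate_correct(seed=0):
    """Exhaustive check that the output shares xor to (x and y)."""
    rng = random.Random(seed)
    for xa, ya, xb, yb in itertools.product((0, 1), repeat=4):
        za, zb = and_gate(xa, ya, xb, yb, rng)
        if za ^ zb != (xa ^ xb) & (ya ^ yb):
            return False
    return True

def oblivious_equality(a_bits, b_bits, rng):
    """Alice's string a and Bob's string b are compared through the circuit
    eq = AND_i NOT(a_i xor b_i), evaluated gate by gate on shares."""
    # input sharing: each party shares her own bits and hands one share to the other
    a_sh = [share(bit, rng) for bit in a_bits]   # (Alice's share, Bob's share)
    b_sh = [share(bit, rng) for bit in b_bits]
    acc_a, acc_b = 1, 0                          # shares of the constant 1
    for (aa, ab), (ba, bb) in zip(a_sh, b_sh):
        xa, xb = xor_gate(aa, ba, ab, bb)        # a_i xor b_i
        ea, eb = not_gate(xa, xb)                # a_i == b_i
        acc_a, acc_b = and_gate(acc_a, ea, acc_b, eb, rng)
    return acc_a ^ acc_b                         # reveal and combine the output shares

def check_all(n_bits, seed=0):
    """Correctness over every pair of n-bit strings."""
    rng = random.Random(seed)
    for a in itertools.product((0, 1), repeat=n_bits):
        for b in itertools.product((0, 1), repeat=n_bits):
            if oblivious_equality(a, b, rng) != int(a == b):
                return False
    return True

if __name__ == "__main__":
    rng = random.Random(0)
    print(oblivious_equality((1, 0, 1), (1, 0, 1), rng))   # 1
    print(oblivious_equality((1, 0, 1), (1, 1, 1), rng))   # 0
    print(check_all(3))                                     # True
```

Every internal wire exists only as two random-looking shares, one per party, which is the "neither of them knows the inputs of the internal gates" property; the cost is two OTs per AND gate and none for XOR or NOT.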