Cryptography - SJTUyuxi/teaching... · Synopsis 1. Computationally Secure Encryption 2....

Cryptography

Modern cryptography was born in 1970’s when computationally easy-to-verify but‘hard-to-solve’ problems were discovered.

Computational Complexity, by Fu Yuxi Cryptography 1 / 75

Cryptography is closely related to some advanced topics in computational complexity.


Synopsis

1. Computationally Secure Encryption

2. Pseudorandom Generator

3. Pseudorandom Function

4. One-Way Function

5. Zero Knowledge Proof

6. Remark


Computationally Secure Encryption


An encryption scheme is a pair (E, D) of algorithms such that

Dk(Ek(x)) = x

for all key k and plaintext x . Obviously Ek is one-one for every k .


Shannon’s Perfect Secrecy

(E, D) is perfectly secret if for every pair x , x ′ ∈ {0, 1}m, the distributions EUn(x) andEUn(x ′) are identical.

I n is the key length.

I Un is the uniform distribution over {0, 1}n.


One Time Pad Encryption Scheme, Vernan 1917

Encryption:

I Plaintext x ∈ {0, 1}n.

I Generate a key k ∈R {0, 1}n, encrypt x by x ⊕ k .

Decryption:

I Ciphertext y ∈ {0, 1}n.

I The plaintext is recovered by y ⊕ k .

If a key k is used twice, useful information can be derived.


One Time Pad Encryption Scheme

Fact. The one time pad encryption scheme is perfectly secure.

It is crucial that the key is as long as the message.


Shannon Theorem. Suppose (E, D) is an encryption scheme. If n < m, then thereexist x , x ′ such that EUn(x) and EUn(x ′) differ.

Proof.A proof can be read off from the proof of Lemma.

I Perfectly secret encryption scheme is not a practical scenario.

I Modern cryptography offers a solution.


Negligible Functions

A function ε : N→ [0, 1] is negligible if

∀c .∃N.∀n ≥ N.ε(n) <1

nc.

In other words ε is negligible if it tends to 0 faster than 1p(n) for every polynomial p(n).

I Events with negligible probability can be practically ignored.

I ε is not negligible if ∃c . ε(n) ≥ 1nc for infinitely many n.


Computationally Secure Encryption Scheme

An encryption scheme (E, D) for keys of length n and messages of length m iscomputationally secure if for every P-time PTM A there is a negligible functionε : N→ [0, 1] such that∣∣∣∣Prk∈R{0,1}n,x∈R{0,1}m [A(Ek(x)) = (i , b) ∧ xi = b]− 1

2

∣∣∣∣ ≤ ε(n).


Is there a computationally secure encryption scheme? The answer is conditional.


Lemma. Suppose P = NP. Let (E, D) be a P-time encryption scheme with key shorterthan message. A P-time algorithm A exists such that for every message length m,there is a pair x0, x1 ∈ {0, 1}m satisfying

Prb∈R{0,1},k∈R{0,1}n [A(Ek(xb)) = b] ≥ 3/4

where n is the key length and n<m.

1. Let S be defined as follows:

y ∈ S iff ∃k .y = Ek(x0), where x0 = 0m.

2. If P = NP then S is P-time decidable by some algorithm A.

I A(x) = 0 iff x ∈ S .

3. Let Dx = distribution EUn(x). Then Pr[A(Dx0)=0] = 1.


If Pr[Dx∈S ] > 12 for all x then one would have

1

2< Prx [Pr[Dx∈S ]] = Prk [Prx [Ek(x)∈S ]] ≤ 1

2,

where ≤ holds because |S | ≤ 2n ≤ 2m−1 by the definition of S and Ek is injective.

It follows that Pr[Dx1∈S ] ≤ 12 for some x1 ∈ {0, 1}m. According to the definition of A,

one has Pr[A(Dx1)=0] ≤ 12 . Hence

Prb,k [A(Ek(xb))=b] =1

2Pr[A(Dx0)=0] +

1

2Pr[A(Dx1)=1]

=1

2+

1

2Pr[A(Dx1)=1]

≥ 3

4.


P 6= NP is necessary for modern cryptography. We do not know if it is sufficient.


Pseudorandom Generator


Modern cryptography addresses the long key issue by studying how to generate longkeys from short ones.

I An observer cannot detect efficiently any useful difference between apseudorandom key and a truly random key.


What is a pseudorandom string? How do we characterize pseudorandom strings?

I For modern cryptography it suffices that encrypted messages are distributed in away that looks random to all efficient observers.


Pseudorandom Generator

Let G : {0, 1}∗ → {0, 1}∗ and ` : N→ N be P-time computable such that `(n) > n forall n and |G (x)| = `(|x |) for all x ∈ {0, 1}∗.

G is a computationally secure pseudorandom generator of stretch `(n) if, for everyP-time PTM A, there exists a negligible function ε : N→ [0, 1] such that∣∣Pr[A(G (Un)) = 1]− Pr[A(U`(n)) = 1]

∣∣ ≤ ε(n).

1. Yao. Theory and Applications of Trapdoor Functions. FOCS 1982.


A pseudorandom generator says nothing about how it is constructed.


Unpredictability

Let G : {0, 1}∗ → {0, 1}∗ be P-time computable with stretch `(n), where ` : N→ N isP-time computable such that ∀n.`(n) > n.

We say that G is unpredictable if for every P-time PTM B there is a negligible functionε : N→ [0, 1] such that∣∣∣∣Prx∈R{0,1}n,y=G(x),i∈R[`(n)][B(1n, y1, . . . , yi−1) = yi ]−

1

2

∣∣∣∣ ≤ ε(n).

1. M. Blum, S. Micali. How to Generate Cryptographically Strong Sequences of Pseudorandom Bits. FOCS 1982.


Unpredictability ⇐ Pseudorandomness

Suppose G is a pseudorandom generator. If it is not unpredictable then there is some csuch that ∣∣∣∣Prx∈R{0,1}n,y=G(x),i∈R[`(n)][B(1n, y1, . . . , yi−1) = yi ]−

1

2

∣∣∣∣ ≥ 1

nc

holds for a P-time PTM B for infinitely many n. Some i exists such that∣∣∣∣Prx∈R{0,1}n,y=G(x)[B(1n, y1, . . . , yi−1) = yi ]−1

2

∣∣∣∣ ≥ 1

nc`(n)

for infinitely many n. It follows from Pr[B(U`(n)) = 1] = 12 that

Pr[B(G (Un)) = 1]− Pr[B(U`(n)) = 1] ≥ 1

nc`(n)

for infinitely many n, which is a contradiction.


Unpredictability ⇒ Pseudorandomness

Theorem (Yao, 1982). If G is unpredictable, then it is a pseudorandom generator.

1. Yao. Theory and Applications of Trapdoor Functions. FOCS 1982.



Let ` : N→ N be P-time computable such that `(n) ≥ n.Let G : {0, 1}∗ → {0, 1}∗ be P-time computable unpredictable function with stretch `.

Suppose G is not a pseudorandom generator. Then there is some constant c and someP-time PTM A such that, wlog,

Pr[A(G (Un)) = 1]− Pr[A(U`(n)) = 1] ≥ 1

nc

for infinitely many n.



For i ≤ `(n), the hybrid distribution Di is defined as follows:

1. choose x ∈R {0, 1}n and compute y = G (x);

2. output y1, . . . , yi , zi+1, . . . , z`(n) with zi+1, . . . , z`(n) ∈R {0, 1}.

We notice that D0 = U`(n) and D`(n) = G (Un).

Let pi = Pr[A(Di ) = 1]. By assumption for infinitely many n,

p`(n) − p0 = (p`(n) − p`(n)−1) + (p`(n)−1 − p`(n)−2) + . . .+ (p1 − p0) ≥ 1

nc.



Algorithm B asserts that everything A says is correct.

I Input 1n, i ∈ [`(n)] and y1, . . . , yi−1.

1. randomly generate zi , . . . , z`(n);2. compute a = A(y1, . . . , yi−1, zi , . . . , z`(n));3. output zi if a = 1 and 1− zi if a = 0.

We are done if we can prove the following inequality

Prx∈R{0,1}n,y=G(x),i∈R[`(n)][B(1n, y1, . . . , yi−1) = yi ]−1

2≥ 1

nc`(n),

which can be derived if the following holds for every i ∈ [`(n)]:

Prx∈R{0,1}n,y=G(x)[B(1n, y1, . . . , yi−1) = yi ] =1

2+ (pi − pi−1).



B predicts yi correctly if a = 1 ∧ zi = yi or a = 0 ∧ zi = 1− yi . This event happenswith probability

1

2Prx,y=G(x)[a = 1|zi = yi ] +

1

2

(1− Prx,y=G(x)[a = 1|zi = 1− yi ]

).

Now Prx∈R{0,1}n,y=G(x)[a = 1|zi = yi ] = pi . On the other hand,

pi−1 = Pr[A(Di−1) = 1]

= Pr[a = 1|zi = yi ]/2 + Pr[a = 1|zi = 1− yi ]/2

= pi/2 + Pr[a = 1|zi = 1− yi ]/2. (1)

We get Pr[a = 1|zi = 1− yi ] = 2pi−1 − pi from (1).


Theorem Given a pseudorandom generator with stretch nc , one can design acomputationally secure encryption scheme (E, D) using n-length keys for nc -lengthmessages.

Given a random key of length n, generate a key of length nc using the pseudorandomgenerator, and then apply the one-time pad encryption scheme.


Application: Derandomization

If pseudorandom generator exists, then we can construct subexponential deterministicalgorithms for problems in BPP.

I This is the derandomization of BPP.

The basic idea:

I Let L be decided by an nd -time PTM P with bounded error.

I For every small ε let c be such that 0 < dc < ε < 1.

I Apply to all strings of length ndc the pseudorandom generator with stretch nc and

then execute P by following the choices prescribed by the produced pseudorandomstrings of length nd .

I The algorithm runs in time O(2nε)


Pseudorandom Function


Let Fn denote the set of all functions of type {0, 1}n → {0, 1}n.

1. Generally n2n bits are necessary to specify a function in Fn.

2. Consequently its computation is not efficient.

We look for an efficient subset Gn of Fn that appears random.

1. Every element of Gn is specified by n bits.

2. Every element of Gn is P-time computable.

3. Yet no P-time PTM can detect noticeable difference between a random elementof Gn and a random element of Fn.

I There are 2n2n elements in Fn.

I There are only 2n elements in Gn.


Pseudorandom functions are pseudorandom generators with exponential stretch.

I A pseudofunction is a blackbox, a distinguisher can only ask for the values of thefunction at a small number of inputs.


Pseudorandom Function

Let {fk}k∈{0,1}∗ be a family of functions such that

I fk : {0, 1}|k| → {0, 1}|k| for every k ∈ {0, 1}∗, and

I fk(x) is P-time computable from k , x .

The family {fk}k∈{0,1}∗ is pseudorandom if for every P-time probabilistic OTM A thereis a negligible function ε : N→ [0, 1] such that for all n,∣∣∣Prk∈R{0,1}n [Afk (1n) = 1]− Prg∈RFn [Ag (1n) = 1]

∣∣∣ ≤ ε(n).

A needs no input. The string 1n marks the input length.


Pseudorandom Generator ⇐ Pseudorandom Function

Suppose {fk}k∈{0,1}∗ is a pseudorandom family of functions. It follows from definition

I that for every polynomial `(n), the map G defined by

k ∈ {0, 1}n 7→ fk(1), . . . , fk(`(n)) ∈ {0, 1}n`(n)

is a pseudorandom generator.


Goldreich-Goldwasser-Micali Theorem.

Suppose that there exists a pseudorandom generator G with stretch `(n) = 2n. Thenthere exists a pseudorandom function family.

1. O. Goldreich, S. Goldwasser, S. Micali. How to Construct Random Functions. FOCS 1984.


Pseudorandom Generator ⇒ Pseudorandom Function

Let G be a pseudorandom generator with stretch 2n.

I G0(x) is the first n bits of G (x);

I G1(x) is the last n bits of G (x).

For each seed k ∈ {0, 1}n the function fk is defined by

fk(x) = Gxn(Gxn−1(. . .Gx1(k) . . .)).

We will prove that {fk}k∈{0,1}∗ is a pseudorandom function family.


x1= 0 x

1 = 1

x2=0 x

2 =1 x2

=0 x

2 =1

......

......

......

......

k

G0(k) G1(k)

G0(G0(k)) G1(G0(k)) G0(G1(k)) G1(G1(k))

Figure: The Algorithm that Calculates fk(x).



Let A be a T -time PTM that distinguishes {fk}k∈{0,1}n and Fn. Ie. some c exists suchthat the following inequality holds for infinitely many n,

Prg∈RFn [Ag (1n) = 1]− Prk∈R{0,1}n [Afk (1n) = 1] ≥ 1

nc.

We construct a P-time PTM B that distinguishes U2n and G (Un) with 1nT ·

1nc bias.

I Define a random implementation O of the oracles fUn in terms of G .

1. generate a seed k ∈R {0, 1}n randomly;2. run the algorithm that calculates fk on all queries.

I We then modify O to get {Oi}i≤nT using hybrid approach.



For i ≤ nT the random oracle Oi is defined as follows:

1. In the first i-th steps generate children randomly.

2. After the first i-steps generate children pseudo-randomly using G .

3. The random answers must be consistent!

Clearly O0 is O, and OnT is a random function.

Let pi = Pr[AOi (1n) = 1]. Observe that

I p0 = Prk∈R{0,1}n [Afk (1n) = 1] and pnT = Prg∈RFn [Ag (1n) = 1].

By assumption pnT − p0 ≥ 1nc .


Algorithm B.

1. Input k ∈ {0, 1}2n.

2. Generate i ∈R [nT ].

3. Run AOi (1n), with the modification of Oi that in the i-th invocation the twochildren are the first respectively the last n bits of k.

The following can be easily verified.

I If k ∈R U2n, then B’s output is distributed as AOi (1n).

I If k ∈R G (Un), then B’s output is distributed as AOi−1(1n).

Using hybrid argument, Pr[B(U2n) = 1]− Pr[B(G (Un)) = 1] is

∑i∈[nT ]

Pr[AOi (1n) = 1]

nT−∑

i∈[nT ]

Pr[AOi−1 (1n) = 1]

nT=

pnTnT− p0

nT≥ 1

nT· 1

nc.


Application: One Key for Many Messages

By Goldreich-Goldwasser-Micali Theorem and Yao’s Theorem, the string

fk(r1)fk(r2)fk(r3) . . . fk(r`(k))

is unpredictable.

1. Alice encrypts a message x ∈ {0, 1}n by choosing r ∈R {0, 1}n and sends(r , fk(r)⊕ x) to Bob, where k ∈ {0, 1}n is the key.

2. Bob receives (r , y) and calculates fk(r)⊕ y to recover x .


Application: Message Authentication Code

For the same reason the following protocol is secure.

1. Alice sends x to Bob.

2. Bob sends (x , fk(x)) to Alice.

3. Alice receives (x , y) and checks if y = fk(x) to verify that the message has notbeen corrupted.


Application: Lower Bound for Machine Learning

In machine learning the goal is to learn a function f from a sequence of examples(r1, f (r1)), . . . , (rk , f (rk)).

I The existence of pseudorandom function implies that even if f is P-timecomputable, there is no way to learn it in P-time.


One-Way Function


Suppose G : {0, 1}∗ → {0, 1}∗ is a pseudorandom generator.

For every P-time PTM A there must be a negligible function ε : N→ [0, 1] such thatthe following holds for every n,

Prx∈R{0,1}n [A(1n,G (x)) = x ′ ∧ G (x ′) = G (x)] ≤ ε(n).


One-Way Function

A P-time function f : {0, 1}∗ → {0, 1}∗ is a one-way function if for every P-time PTMA there is a negligible function ε : N→ [0, 1] such that for every n,

Prx∈R{0,1}n,y=f (x)[A(1n, y) = x ′ ∧ f (x ′) = y ] ≤ ε(n).


Let f : {0, 1}∗ → {0, 1}∗ be a P-time computable function such that ∀x .|x | ≤ |f (x)|.I If P = NP then {(l , u, y) | ∃x .f (x) = y ∧ l ≤ x ≤ u} ∈ P.

I By divide-and-conquer one can compute f −1 in P-time.

The existence of one way function implies P 6= NP.


Integer multiplication is believed to be one-way.


Theorem. If one-way permutations exist, then for every c ∈ N, there exists apseudorandom generator with stretch S(n) = nc .

1. Q. Yao. Theory and Applications of Trapdoor Functions. FOCS 1982.

Theorem. If one-way functions exist, then for every c ∈ N, there exists apseudorandom generator with stretch S(n) = nc .

1. J. Hastad, R. Impagliazzo, L. Levin and M. Luby. A Pseudorandom Generator from any One-way Function. SIAM Journal on Computing,28:1364-1396, 1999.


The crucial step is to obtain a pseudorandom generator that extends input by one bit.

I If f is a one-way permutation, then G (x , r) = f (x), r , x � r is a pseudorandomgenerator. Intuitively r is random, f (x) is pseudorandom, and the (2n+1)-th bitcannot be predicted with probability noticeably larger than 1/2.

We shall prove Theorem using Goldreich-Levin Theorem.


Goldreich-Levin Theorem. Suppose f : {0, 1}∗ → {0, 1}∗ is a one-way permutation.Then for every P-time PTM A there is a negligible function ε : N→ [0, 1] such that∣∣∣∣Prx ,r∈R{0,1}n [A(f (x), r) = x � r ]− 1

2

∣∣∣∣ ≤ ε(n),

where x � r =∑n

i=1 xi ri (mod 2).

1. O. Goldreich, L. Levin. A Hard-Core Predicate for All One-Way Functions. STOC 1989.

We call x � r the hard core bit of the function xr 7→ f (x)r .


Scenario:

I We know f (x) and that A(f (x), r) approximates x � r to some extent.

I We hope to recover x .

1. If A(f (x), r) = x � r for all r , then it is easy to recover x by the following algorithm:

I Run A(f (x), e1), . . . , A(f (x), en).

I Paste the resulting n bits to get x .


2. Suppose Prr∈R{0,1}n [A(f (x), r) = x � r ] ≥ 0.9.

Now x � r is uniformly distributed if r is uniformly distributed. So by union bound

Prr∈R{0,1}n [(A(f (x), r) 6= x � r) ∨ (A(f (x), r ⊕ e i ) 6= x � (r ⊕ e i ))] ≤ 0.2.

The equality (x � r)⊕ (x � (r ⊕ e i )) = x � (r ⊕ r ⊕ e i ) = x � e i = xi implies that

Prr∈R{0,1}n [A(f (x), r)⊕ A(f (x), r ⊕ e i ) = xi ] ≥ 0.8, (2)

which can be amplified to 1− 1/10n by majority vote.

I If we decrease 0.9 to 0.75, then 0.8 goes down to 0.5, rendering the lower boundin (2) utterly useless.


Algorithm B: The input is y = f (x).

1. m := 200n.

2. Choose r1, . . . , rm ∈R {0, 1}n.

3. For i from 1 to n do

3.1 z1 := A(f (x), r1), z ′1 := A(f (x), r1 ⊕ e i ),. . . ,zm := A(f (x), rm), z ′m := A(f (x), rm ⊕ e i ).

3.2 guess that xi is the majority value of {zj ⊕ z ′j }j∈[m].


Analysis of B:

1. Let the indicator random variable Zj be defined by

Zj(rj) =

{1, if A(f (x), r j) = x � r j and A(y , r j ⊕ e i ) = x � (r j ⊕ e i ),0, otherwise.

2. Clearly Z1, . . . ,Zm are independent. Let Z = Z1 + . . .+ Zm.

3. E[Zj ] ≥ 0.8 and E[Z ] ≥ 0.8m.

4. Pr[|Z−E[Z ]| ≥ 0.3m] ≤ 1/(0.3√m)2 by Chebychev inequality.

5. It follows from m = 200n that Pr[Z ≤ 0.5m] ≤ 1/10n.

I Chebychev inequality: Pr[|Z−E[Z ]| ≥ k

√Var(Z )

]≤ 1/k2.

I Var(Z ) =∑m

j=1 Var(Zj) ≤ m since Var(Zj) ≤ 1 for all j .


3. Suppose there are constant c ∈ N and P-time PTM A such that

Prx ,r∈R{0,1}n [A(f (x), r) = x � r ]− 1

2≥ 1

nc

for infinitely many n. There is at least a 12nc fragment of x ’s, the good x ’s, such that

Prr∈R{0,1}n [A(f (x), r) = x � r ]− 1

2≥ 1

2nc

for infinitely many n.

Lemma. Suppose a1, a2, . . . , an ∈ [0, 1] and ρ = (∑

i∈[n] ai )/n. There is at least ρ2

fraction of ai ’s such that ai ≥ ρ2 .


The point is that we cannot afford to applying A twice for probabilistic reason.

Instead of calculating A(f (x), r1), . . . , A(f (x), rm), we guess x � r1, . . . , x � rm.Because we are guessing the values of these expressions, we do not need to know x .

I Choose randomly distinct seeds s1, . . . , sk ∈R {0, 1}n.

I {⊕

R}R⊆{s1,...,sk} are random and pairwise independent.

I {x �⊕

R}R⊆{s1,...,sk} are completely determined by x � s1, . . . , x � sk .

We can afford exhaustive guessing if k = logm.


Algorithm C: The input is y = f (x).

1. Input y ∈ {0, 1}n. Think of y as f (x) for some x .

2. m := 10n2c+1;

3. k := log(m);

4. Generate s1, . . . , sk ∈R {0, 1}n;

5. Let R1, . . . ,Rm be subsets of {s1, . . . , sk} in a canonical way;

6. For each guess w ∈ {0, 1}k do

6.1 for each i ∈ [n] do

6.1.1 x � s1 := w1, . . . , x � sk := wk ;

z1 :=⊕

t∈R1

(x � s t

), . . . , zm :=

⊕t∈Rm

(x � s t

);

z ′1 := A(y ,⊕

R1 ⊕ e i), . . . , z ′m := A

(y ,⊕

Rm ⊕ e i);

6.1.2 guess that xi is the majority value of {zj ⊕ z ′j }j∈[m].

6.2 x := x1 . . . xn;

6.3 if f (x) = y , output x and halt.


Analysis of C:

1. Let the indicator random variable Zj be defined by

Zj(rj) =

{1, if A(y , r j ⊕ e i ) = x � (r j ⊕ e i ),0, otherwise.

2. Z1, . . . ,Zm are pairwise independent and E[Zj ] ≥ 1/2 + 1/nc .

3. Hence E[Z ] ≥ m/2 + m/nc , where Z = Z1 + . . .+ Zm.

4. Using Var(Z ) =∑m

j=1 Var(Zj) ≤ m, we derive

Pr[|Z−E[Z ]| ≥ m/nc ] ≤ Pr[|Z−E[Z ]| ≥√m

nc

√Var(Z )]

≤ n2c

m=

n2c

10n2c+1=

1

10n.

5. Now Pr[Z ≤ m/2] ≤ 110n follows from 3 and 4.


Theorem. Let f be a one-way permutation. The function mapping x , r ∈ {0, 1}n onto

r , f nc(x)� r , f n

c−1(x)� r , . . . , f 1(x)� r

is a pseudorandom generator of stretch n + nc for every c ∈ N.

Let A be a P-time PTM such that for x , r ∈R {0, 1}n and i ∈R [nc ],

Pr[A(r , f nc

(x)� r , f nc−1(x)� r , . . . , f i+1(x)� r) = f i (x)� r ]− 1

2≥ 1

nd

for some d ∈ N and infinitely many n.

continued on the next slide.


B(y , r), where y , r ∈ {0, 1}n, is designed as follows:

1. Generate i ∈R [nc ];

2. Output A(r , f nc−i (y)� r , . . . , f 1(y)� r , y � r).

The probability that B(f (x), r) outputs x � r is the same as

Pr[A(r , f nc

(x)� r , f nc−1(x)� r , . . . , f i+1(x)� r) = f i (x)� r ].

Hence

Prx,r∈R{0,1}n [B(f (x), r) = x � r ]− 1

2≥ 1

nd,

contradicting to Goldreich-Levin Theorem.

Since f is a permutation r , f nc−i (x)� r , . . . , f 1(x)� r , x � r is the same distribution

as r , f nc(x)� r , . . . , f i+1(x)� r , f i (x)� r .


one-way function ⇔ pseudorandom generator ⇔ unpredictability


Application: Tossing Coin Over Phone

Suppose A and B want to toss a coin over phone. We can apply the following protocol.

1. A chooses x , r ∈R {0, 1}n and sends (fn(x), r) to B, where fn is a one-way permutationknown to both parties.

2. B chooses b ∈R {0, 1} and sends it to A.

3. A sends x to B.

4. A and B agree to use b ⊕ (x � r).

A cannot manipulate the result because it cannot change x .

B cannot manipulate the result because it did not know x .

A can make sure that the result is random as long as x is.

B can make sure that the result is random as long as b is.


Zero Knowledge Proof


In an interactive proof for an NP problem, say GI, a certificate usually reveals morethan the mere fact that a statement is true.


It turns out that it is possible to design an interactive proof system such that a verifierdoes not learn anything from interaction apart from the fact that a statement is true.

I In the following definition, Perfect Zero Knowledge requires that no matter what averifier learns after participating a proof for a statement x , it could have derivedthe same thing by itself without participating in any interaction.

1. S. Goldwasser, S. Micali and C. Rackoff The Knowledge Complexity of Interactive Proof Systems. STOC, 186-208, 1985.


Zero Knowledge Proof of NP Language

Suppose L ∈ NP and M is a P-time TM such that x ∈ L if and only if

∃u ∈ {0, 1}p(|x |).M(x , u) = 1

for some polynomial p.


Zero Knowledge Proof of NP Language

A pair P,V of interactive P-time PTM’s is called a zero knowledge proof for L if theyenjoy the following properties.

I Completeness. If M(x , u) = 1, then Pr[outV(P(x , u),V(x))] ≥ 23 .

I Soundness. If x /∈ L, then Pr[outV(P∗(x , u),V(x))] ≤ 13 for all P∗ and u.

I Perfect Zero Knowledge. For every P-time interactive PTM V∗ there is anexpected P-time PTM S∗, called a simulator, such that for every x ∈ L and acertificate u for x ∈ L, the following holds:

outV∗(P(x , u),V∗(x)) ≡ S∗(x),

meaning that the two random variables are identical even though S∗ does nothave any access to u.


The idea of simulation to demonstrate security is central to many aspects ofcryptography.


Zero Knowledge Proof for Graph Isomorphism

Public Input: G0,G1 with n vertices.

P knows: A permutation π ∈ [n]→ [n] such that G1 = π(G0).

P sends H = π′(G1) with a random permutation π′ ∈R [n]→ [n].

V sends a random bit b ∈R {0, 1}.

P sends π′′ =

{π′, if b = 1,π′π, if b = 0.

V checks if H = π′′(Gb).

If G0 ' G1, V accepts with probability one.

If G0 6' G1, V rejects with probability 12 .


Zero Knowledge Proof for Graph Isomorphism

Let V∗ be some verifier’s strategy.

I If G0 ' G1, then P’s first message has the same distribution as the message sentby the following simulator S∗:

I Generate b′ ∈R {0, 1} and π′ ∈R [n]→ [n];

I Send H = π′(Gb′) to V∗;I Get some b from V∗;I If b = b′ then send π′ to V∗ and output whatever V∗ outputs, otherwise restart S∗.

I The key point is that H reveals nothing about b′ if G0 ' G1.

If V∗ runs in P-time, then S∗ runs in expected P-time.


Secure Multiparty Computation

Ten people working in a firm want to calculate their average salaries without revealingthe salary of any of them.


Remark


Cryptography on weaker assumption (say P 6= NP) ?


Modern cryptography is founded on something not provable.


Cryptography - SJTUyuxi/teaching... · Synopsis 1. Computationally Secure Encryption 2....

Documents

Transcript of Cryptography - SJTUyuxi/teaching... · Synopsis 1. Computationally Secure Encryption 2....