Professional Documents
Culture Documents
Cryptography Notes Sapienza
Cryptography Notes Sapienza
Lesson 1 4
1.1 Problems in Cryptography . . . . . . . . . . . . . . . . . . . . . . 4
1.2 One Time Pad (OTP) . . . . . . . . . . . . . . . . . . . . . . . . 5
Lesson 2 7
2.1 Message Authentication . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.1 Message Authentication Code (MAC or Tag) . . . . . . . 7
Lesson 3 9
3.1 Randomness Extraction . . . . . . . . . . . . . . . . . . . . . . . 9
3.1.1 Von Neumann Extractor . . . . . . . . . . . . . . . . . . . 9
Lesson 4 12
4.1 Negligible function . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.2 One-Way Functions . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2.1 Impagliazzo’s Worlds . . . . . . . . . . . . . . . . . . . . . 14
4.3 Computational Indistinguishability . . . . . . . . . . . . . . . . . 15
4.4 Pseudorandom Generators . . . . . . . . . . . . . . . . . . . . . . 17
Lesson 5 18
5.1 Stretching a prg . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.2 Hardcore predicate . . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.3 One Way Permutation . . . . . . . . . . . . . . . . . . . . . . . . 22
Lesson 6 23
6.1 Computationally secure encryption . . . . . . . . . . . . . . . . . 23
6.2 Pseudorandom functions . . . . . . . . . . . . . . . . . . . . . . . 26
6.2.1 Ggm-tree . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Lesson 7 29
7.1 Cpa-security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Lesson 8 36
8.1 Domain extension . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
8.1.1 Electronic Codebook mode . . . . . . . . . . . . . . . . . 36
8.1.2 Cipher block chaining mode (cbc) . . . . . . . . . . . . . 37
8.1.3 Counter mode . . . . . . . . . . . . . . . . . . . . . . . . 37
1
Lesson 9 40
9.1 Message Authentication Codes and unforgeability . . . . . . . . . 40
9.2 Domain extension for mac schemes . . . . . . . . . . . . . . . . . 42
9.2.1 Universal hash functions . . . . . . . . . . . . . . . . . . . 43
9.2.2 Hash function families from finite fields . . . . . . . . . . 46
Lesson 10 48
10.1 Domain extension for prf-based mac schemes . . . . . . . . . . . 48
10.1.1 Hash function families from prfs . . . . . . . . . . . . . . 48
10.1.2 xor-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
10.1.3 cbc-mode mac scheme . . . . . . . . . . . . . . . . . . . 49
10.1.4 XOR MAC . . . . . . . . . . . . . . . . . . . . . . . . . . 49
10.2 Cca-security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
10.3 Authenticated encryption . . . . . . . . . . . . . . . . . . . . . . 52
10.3.1 Combining ske & mac schemes . . . . . . . . . . . . . . . 53
Lesson 11 56
11.1 Authenticated encryption (continued) . . . . . . . . . . . . . . . 56
11.2 Pseudorandom permutations . . . . . . . . . . . . . . . . . . . . 57
11.2.1 Feistel network . . . . . . . . . . . . . . . . . . . . . . . . 57
Lesson 12 60
12.1 Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
12.1.1 Merkle-Damgård construction . . . . . . . . . . . . . . . . 60
12.1.2 Domain extension . . . . . . . . . . . . . . . . . . . . . . 60
12.1.3 Compression functions . . . . . . . . . . . . . . . . . . . . 60
Lesson 13 61
13.1 Number theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
13.2 Standard model assumptions . . . . . . . . . . . . . . . . . . . . 61
Lesson 14 62
14.0.1 Decisional Diffie-Hellman assumption . . . . . . . . . . . 62
14.0.2 Naor-Reingold encryption scheme . . . . . . . . . . . . . . 62
14.1 Public key encryption schemes . . . . . . . . . . . . . . . . . . . 62
Lesson 15 63
15.1 Public key encryption recap . . . . . . . . . . . . . . . . . . . . . 63
15.1.1 Trapdoor permutation . . . . . . . . . . . . . . . . . . . . 64
15.1.2 TDP examples . . . . . . . . . . . . . . . . . . . . . . . . 64
15.2 Textbook RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
15.2.1 Trapdoor Permutation from Factoring . . . . . . . . . . . 66
15.2.2 Rabin’s Trapdoor permutation . . . . . . . . . . . . . . . 67
Lesson 16 70
16.1 Pke schemes over ddh assumption . . . . . . . . . . . . . . . . . 70
16.1.1 El Gamal scheme . . . . . . . . . . . . . . . . . . . . . . . 70
16.1.2 Cramer-Shoup pke scheme . . . . . . . . . . . . . . . . . 73
2
Lesson 17 76
17.1 Construction of a cca-secure pke . . . . . . . . . . . . . . . . . 76
17.1.1 Instantiation of U-HPS (Universal Hash Proof System) . 80
Lesson 18 83
18.1 Digital signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
18.1.1 Public Key Infrastructure . . . . . . . . . . . . . . . . . . 84
Lesson 19 86
19.1 Bilinear Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
19.2 Waters signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Lesson 20 89
20.1 Random Oracle Model (ROM) . . . . . . . . . . . . . . . . . . . 89
20.2 ID Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
20.3 Honest Verifier Zero Knowledge (HVZK) and Special Soundness
(SS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Lesson 21 90
21.1 Full domain hashing . . . . . . . . . . . . . . . . . . . . . . . . . 90
Lesson 22 91
22.1 Examples of ID schemes . . . . . . . . . . . . . . . . . . . . . . . 91
Lesson 23 92
23.1 Bilinear DDH assumption . . . . . . . . . . . . . . . . . . . . . . 92
Lesson 24 93
24.1 CCA proof for ??? . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3
Lesson 1
• K = Key Space
• M = Message Space
• C = Ciphertext Space
• Enc : K × M → C
• Dec : K × C → M
Correctness:
∀m ∈ M, ∀k ∈ K : Dec(k, Enc(k, m)) = m
4
Proof. (I) =⇒ (II)
(III) =⇒ (I)
X
P r[C = c] = P r[C = c ∧ M = m0 ] =
m0
X
= P r[Enc(K, M ) = c ∧ M = m0 ] =
m0
X
= P r[Enc(K, M ) = c|M = m0 ]P r[M = m0 ] =
m0
X
= P r[Enc(K, m0 ) = c]P r[M = m0 ] = (Using III)
m0
X
= P r[Enc(K, m) = c] P r[M = m0 ] =
m0
| {z }
=1
= P r[Enc(K, m) = c] = P r[Enc(K, M ) = c|M = m] =
= P r[C = c|M = m] =⇒ P r[M = m]P r[C = c|M = m] =⇒
| {z }
The proof ends here
but we want (I)
P r[Enc(k, m) = c] = P r[k ⊕ m = c] =
= P r[k = c ⊕ m] = 2−l (because k is uniform)
= P r[Enc(k, m0 ) = c]∀m0
5
Problems:
1. |k| = |m| (the key must have the same length of the message)
2. There must be one different key for each message (One Time).
Otherwise:
c1 = k ⊕ m1 ; c2 = k ⊕ m2 =⇒ c1 ⊕ c2 = m1 ⊕ m2
Not independent! (OTP is malleable1 )
Theorem 3. In any perfectly secret SKE we must have |K| ≥ |M|
=⇒ |M 0 | ≤ |K| ≤ |M |
=⇒ ∃m ∈ M \ M 0
1
NowP r[M = m] =
|M|
By assumption all the c ”creates” M’
z }| {
P r[ M = m}
| {z | C=c ]=∅
m is not inside M0
M
M0 m
another ciphertext which decrypts to a related plaintext. That is, given an encryption c of
a plaintext m, it is possible to generate another valid ciphertext c0 , for a known Enc, Dec,
without necessarily knowing or learning m.
6
Lesson 2
• K is uniform over K
• Tag: K × M → Φ
• Verify: K × M × Φ → {0, 1}
Correctness:
∀m ∈ M, ∀k ∈ K
Verify(k, m, Tag(k, m)) = 1
7
Definition 2. A family of (Hash) functions H = {hs : M → Φ}s∈S is Pairwise Independent
if ∀m, m0 ∈ Ms.tm 6= m0 we have that (hs (m), hs (m0 )) is uniform over Φ2 for
random choice of seed s ∈ S. Meaning that:
∀m, m0 s.t.m 6= m0 , ∀φ, φ0 ∈ Φ
1
P r[hs (m) = φ ∧ hs (m0 ) = φ0 ] =
|Φ|2
Construction: Let p be a prime number.
Define h(a,b) (x) = ax + b mod p now S = Zp2 , M = Φ = Zp = {0, 1, ..., p − 1}
Thus the following group will be defined (Zp , +)
Theorem 4. Above H is Pairwise Independent
Proof.
Fixm, m0 ∈ Zp s.t.m 6= m0 , φ, φ0 ∈ Zp
P r(a,b) [ha,b (m) = φ ∧ ha,b (m0 ) = φ0 ] =
= P r(a,b) [am + b = φ ∧ am0 + b = φ0 ] =
m 1 a φ
= P r(a,b) [ · = ]=
m0 1 b φ0
−1
a m 1 φ
= P r(a,b) [ = · ]=
b m0 1 φ0
1 1
= = 2
|Zp |2 p
Where P r(a,b) denotes the probability over (a,b) random in Zp
Theorem 5. Let M ac(K, m) = hk (m) for H = {hk : M → Φ}k be Pairwise
1
Independent. The Mac is |Φ| -statistical one-time secure.
Proof.
∀m ∈ M, φ ∈ Φ
1
P r[M ac(K, m) = φ] = P rk [hk (m) = φ] =
|Φ|
For any m 6= m0 , φ, φ0 ∈ Φ
1
P r[M ac(K, m) = φ ∧ M ac(K, m0 ) = φ0 ] =
|Φ|2
=⇒ P r[M ac(K, m0 ) = φ0 |M ac(K, m) = φ] =
Pr[M ac(K, m) = φ ∧ M ac(K, m0 ) = φ0 ]
= =
P r[M ac(K, m) = φ]
1 1 1
= 2
/ =
|Φ| |Φ| |Φ|
Theorem 6. Any t-time(ε = 2−λ )-statistical secure MAC has a key of size
(t + 1)λ for any λ > 0.
No proof
8
Lesson 3
1
Suppose to have a biased coin Bs.t.P r[B = 0] = p 6= 2 and
P r[B = 1] = 1 − p.
Can you make it uniform?
Considerations:
• The probability of both cases in 3. is p(p − 1)
• The probability to reach 3. is 2p(p − 1)
• P r[Fail n-times] = (1 − 2p(1 − p))n which is very small
Goal: Let X be a Random Variable, I want to design an Extractor such
that Ext(X) is uniform. PROBLEM: Impossible as stated. What if X is
constant? =⇒ Add the requirement that X has uncertainty (ENTROPY)
Definition 3. MIN-ENTROPY of X (written as H∞ ) is:
9
2. X ≡ Un =⇒ H∞ (x) = n (since X is uniform P r[X = x] = 2−n )
Question: We want Ext : {0, 1}n → {0, 1} working ∀Xs.t.H∞ (X) ≥ k
Claim: Impossible even for k = n − 1
Proof. Let Ext be any candidate extractor, Let b be any binary value s.t.
|Ext− 1(b)| is maximal (Ext− 1 : {0, 1} → {0, 1}n )
2
=⇒ |Ext− 1(b)| ≥ 2n−1 = 22
x=0
x=1
{0, 1}n
Define X to be uniform over Ext− 1(b) so H∞ (x) = n − 1 but Ext(X) = b
CONSTANT.
Definition 4. We say that Ext : {0, 1}d × {0, 1}n → {0, 1}l is a (k, ε)-extractor
(”good”) if ∀xs.t.H∞ (X) ≥ k we have:
10
Definition 5. Statistical Distance: a distance between two random vari-
ables.
Say that X, X 0Pare Random Variables over X .
SD(x, x0 ) = 12 x∈X |P r[X = x] − P r[X 0 = x]|
11
Lesson 4
12
Definition
Let ν : N → [0, 1] be a function. Then it is deemed negligible iff:
1
∀p(λ) ∈ poly(λ) =⇒ ν(λ) ∈ o( )
p(λ)
Exercise 8. Let p(λ), p0 (λ) ∈ poly(λ) and ν(λ), ν 0 (λ) ∈ negl (λ). Then prove
the following:
We need to show that for any c ∈ N, then there is n0 such that ∀n > n0 =⇒
h(n) ≤ n−c .
So, consider an arbitrary c ∈ N. Then, since c + 1 ∈ N, and both f and g
are negligible, there exists nf and ng such that:
∀n ≥ nf =⇒ f (n) ≤ n−(c+1)
∀n ≥ ng =⇒ g(n) ≤ n−(c+1)
13
A Cowf
y x ←$ {0, 1}n
y = f (x)
x0
Output 1 iff f (x0 ) = y
Exercise 9.
1. Show that there exists an inefficient adversary that wins Gameowf with
probability 1
2. Show that there exists an efficient adversary that wins Gameowf with
probability 2−n
One-Way puzzles
A one-way function can be thought as a function which is very efficient in gen-
erating puzzles that are very hard to solve. Furthermore, the person generating
the puzzle can efficiently verify the validity of a solution when one is given.
For a given couple (Pgen , Pver ) of a puzzle generator and a puzzle verifier,
we have:
A Cpuzzle
y
(x, y) ←$ Pgen
x0
Output Pver (x0 , y)
So, we can say that one-way puzzle is a problem in np, because the verifier
enables efficient solution verification, but not in p because finding a solution
from scratch is impractical by definition.
14
The professor can try as hard as possible to create a hard scheme, but
he won’t succeed because Gauss will always be able to efficiently break it
using the verification procedure to compute the solution
• Heuristica: NP problems are hard to solve in the worst case but easy on
average.
The professor, with some effort, can create a game difficult enough, but
Gauss will solve it anyway; here there are some problems that the professor
cannot find a solution to
15
Proof. We want to show that f (x) ≈c f (y). So, let’s suppose this property is
not true.
Assume ∃ ppt f, A and some p0 (λ) ∈ poly(λ) such that
1
|Pr[D0 (f (x)) = 1] − Pr[D0 (f (y)) = 1]| ≥ (4.2)
p0 (λ)
.
A Cf -dist
f (zb ) z0 ←$ X
z1 ←$ Y
b ←$ {0, 1}
b0
Output 1 iff b0 = b
In the game depicted by figure 4.3, the adversary can make use of f , because
it is ppt. Thus, if such a distinguisher exists, then it can be used to distinguish X
from Y , as shown in figure 4.4. So, if A could efficiently distinguish between f (x)
and f (y), then D can efficiently distinguish between x and y. This contradicts
the hypothesis X ≈c Y , which in turn means f (X) ≈c f (Y ).
D A Cdist
zb z0 ←$ X
z1 ←$ Y
f (zb ) b ←$ {0, 1}
b0
b0
Output 1 iff b0 = b
16
4.4 Pseudorandom Generators
A deterministic function G : {0, 1}λ → {0, 1}λ+l(λ) is called a PseudoRandom
Generator, or prg iff:
• G runs in polinomial time
• |G(s)| = λ + l(λ)
• G(Uλ ) ≈c Uλ+l(λ)
A Cprg
x0 ←$ G(Uλ )
xb
x1 ←$ Uλ+l(λ)
b ←$ {0, 1}
b0
Output 1 iff b = b0
17
Lesson 5
b1 b2 bi+1 bl(λ)
To prove that this construct is a valid prg, we will make use of a known
technique for proving many other results, which relies heavily on reductions,
and is called the hybrid argument.
Lemma 2. (Hybrid Argument) Let X = {Xn }, Y = {Yn }, Z = {Zn } : X ≈c
Y ∧ Y ≈c Z. Then X ≈c Z.
Proof. ∀ ppt D, by using the triangle inequality:
| Pr[D(Xn ) = 1] − Pr[D(Zn ) = 1]|
= |(Pr[D(Xn ) = 1] − Pr[D(Yn ) = 1]) + (Pr[D(Yn ) = 1] − Pr[D(Zn ) = 1])|
≤ | Pr[D(Xn ) = 1] − P r[D(Yn ) = 1]| + | Pr[D(Yn ) = 1] − Pr[D(Zn ) = 1]|
≤ negl(n) + negl(n)
= negl(n)
In essence, the hybrid argument proves that computational indistinguisha-
bility is transitive across a “hybrid” game, or by extension more than one. This
property will be very useful in all future proofs.
Theorem 10. If there exists a prg G(λ) with one bit stretch, then there exists
a prg Gl(λ) with polynomial stretch relative to its input length:
G : {0, 1}λ → {0, 1}λ+1 =⇒ ∀l(λ) ∈ polyλ ∃Gl : {0, 1}λ → {0, 1}λ+l(λ)
18
Proof. First off, do observe that, since both G and l are polynomial in λ, then
Gl(λ) , which combines G l-many times is polynomial in λ too. To prove that
Gl(λ) is indeed a prg, we will apply the hybrid argument. The hybrids are
defined as:
• Hλ0 := Gl(λ) (Uλ ), which is the original construct
b1 , ..., bi ←$ {0, 1}
i
• Hλ := si ← {0, 1}λ+i
(bi+1 , ..., bl(λ) , sl(λ) ) := Gl(λ)−i (si )
l(λ)
• Hλ := Uλ+l
Focusing on two subsequent generic hybrids, as shown in figures 5.7 and 5.8,
it can be observed that the only difference between the two resides in how bi+1
is generated: in H i it comes from an instance of G, whereas in H i+1 is chosen
at random. Hλ0 is the starting point where all bits are pseudorandom, which
l(λ)
coincides with the Gl(λ) , and Hλ will generate a totally random string.
So let’s fix a step i in the gradual substitution, and consider the following
function fi :
19
Proof. (Contradiction): This is an alternate proof that, instead of looking for a
function f to model hybrid transitioning, aims for a contradiction.
Suppose Gl is not a prg; then there must be a point in the hybrid chain
Hλ0 ≈c . . . ≈c Hλl where Hλi 6≈c Hλi+1 . Thus there exists a distinguisher D0 able
to tell apart Hλi from Hλi+1 , as shown in figure 5.9:
1
∃i ∈ [0, l], ∃ ppt D0 : |Pr[D0 (Hλi ) = 1] − Pr[D0 (Hλi+l ) = 1]| ≥
poly(λ)
A Ci-dist
Di-dist A Cprg
s ←$ Uλ
za = (b, s) z0 = G(s)
z1 ←$ Uλ+1
a ←$ {0, 1}
(β, b, σ) β ←$ Ui
σ = Gl(λ)−i+1 (s)
a0
a0
Output 1 iff a0 = a
20
5.2 Hardcore predicate
We’ve seen how to reuse a prg in order to obtain an arbitrary length of pseu-
dorandom bits starting from a prg with one bit stretch. How to construct a
1-bit prg?
Consider a typical one-way function f , s.t. f (x) = y.
Question 1. Which bits of the input x are hard to compute given y = f (x)?
Is it always true that, given f , the first bit of f (x) is hard to compute ∀x?
Example 2. Given an OWF f , then f 0 (x) = x0 ||f (x) is a OWF.
Definition 1. A polynomial time function hc : {0, 1}n → {0, 1} is hard core
for a given function f : {0, 1}n → {0, 1}n if, ∀ ppt A:
A Chc(1)
f (x)
x ←$ {0, 1}n
b
Output 1 iff b = hc(x)
A Chc(2)
x ←$ {0, 1}n
(f (x), zb ) z0 = hc(x)
z1 ←$ {0, 1}
b ←$ {0, 1}
b0
Output 1 iff b0 = b
21
Proof. Suppose there exists such a predicate HC. Let f 0 (x) = HC(x)||f (x) for a
given function f . Then HC cannot be a hardcore predicate of f 0 , because any
image obtained by f reveals the predicate image itself. This contradicts the
universailty assumption.
Nevertheless, it has been proven always possible to construct a hardcore
predicate for a owf, given another owf:
Theorem 11 (Goldreich-Levin, ’99). Let f be a owf and consider g(x, r) =
(f (x), r) for r ∈ {0, 1}n . Then g is a owf and:
n
X n
M
h(x, r) =< x, r >= xi ri mod 2 = xi ri
i=1 i=1
Corollary 1. If f : {0, 1}n → {0, 1}n is a OWP, then for g(), h() as in the GL
theorem,
G(s) = (g(s), h(s))
is a PRG.
We are stretching just 1 bit, but we know we can stretch more than one.
22
Lesson 6
A Cind
m0 , m ∈ M
k ←$ K
c b ←$ {0, 1}
c ←$ Enc(k, mb )
b0
Output 1 iff b = b0
23
or, alternatively ∀ ppt A:
|Pr[Gameind ind
Π,A (λ, 0) = 1] − Pr[GameΠ,A (λ, 1) = 1]| ∈ negl (λ)
This last definition is compliant with the three properties exposed before-
hand. In particular, if a scheme is one time secure, then it has each one of
these 3 properties:
• k ←$ {0, 1}λ = K
• Enc(k, m) = G(k) ⊕ m, m ∈ {0, 1}l
• Dec(k, c) = c ⊕ G(k) = m
c̄ = G(k) ⊕ m = c ⊕ m ⊕ m̄ ⇒ c ⊕ c̄ = m ⊕ m̄
and thus, by XORing the result with m̄, obtain the entire unknown message5 .
Nevertheless, this scheme is still one time secure:
Theorem 13. If G is a prg, then Π⊕ is computationally one time secure
Proof. We need to show that, ∀ ppt A:
Gameind ind
Π⊕ ,A (λ, 0) ≈c GameΠ⊕ ,A (λ, 1)
Consider the hybrid game in figure 6.14, where the original encryption rou-
tine is changed to use a random value instead of G(k)6 . Compare with the
24
A Cind
m0 , m1
r ←$ {0, 1}l
c
b ←$ {0, 1}
c = r ⊕ mb
b0
Output 1 iff b0 = b
original one time secure definition in figure 6.13 to observe that it perfectly
matches.
Lemma 3. HybΠ⊕ ,A (λ, 0) ≡ HybΠ⊕ ,A (λ, 1)
Proof. This is true because distribution of c does not depend on b ∈ {0, 1}.
Dind A Cprg
xb x0 ←$ G(Uλ )
x1 ←$ Ul
m0 , m1 b ←$ {0, 1}
c
c = xb ⊕ m0
b0
(
00 0 iff b0 = 0 b00
b = Output 1 iff b00 = b
1 else
25
Do observe that the adversary always encrypts m0 , but this game can be
modified for m1 by switching b00 ’s assignments without loss of generality; the
crucial point is to see if the distinguisher guesses which message the adversary
has encrypted:
• if Dind is wrong, then A can deduce with high probability that the value
given by Cprg is in fact truly random;
• if Dind is right, then A has a sensibly greater probability of having received
a pseudorandom value from Cprg .
Either way, by the existence of Dind , A gains an edge in efficiently breaking
a prg, which is absurd.
Finally, by the two above lemmas, the proof can be concluded by transitivity:
Gameind ind
Π⊕ ,A (λ, 0) ≈c HybΠ⊕ ,A (λ, 0) ≡ HybΠ⊕ ,A (λ, 1) ≈c GameΠ⊕ ,A (λ, 1)
It sholud be noted that such functions occupy too much space, if we were
to memorize it anywhere: supposing all the possible outputs of R have been
generated and stored as an array in memory, its size in bits will be 2n l.
So we look for a kind of function which is “random”, but does not require
to be memorized as a whole map, while still being efficiently computable. This
is where pseudorandomness comes in: a function is deemed pseudorandom (a
prf) when it is (computationally) indistinguishable from a truly random one.
7 this property is also called lazy sampling
26
Usually, prfs come as function families Fk , where k is a key that identifies
a single function inside the family itself8 .
With this in mind, let F = {Fk : {0, 1}n(λ) → {0, 1}l(λ) }k∈{0,1}λ be the
keyed function family that defines a prf. Consider the two games in figure 6.16,
each one involving respectively F and a random function R, where R = {R :
{0, 1}n → {0, 1}l }, also written as R(λ, n, l) is the set of all random functions
from n-bit strings to l-bit strings.
A C A C
x x
z k ←$ {0, 1}λ z R ←$ R(λ, n, l)
b 0 z = Fk (x) b 0 z = R(x)
Exercise 14. Show that no prg is secure against unbounded attackers.
Exercise 15. Show the same as above, but for any prf instead.
8 Those unfamiliar with the “currying” technique may see the key as an additional argument
27
6.2.1 Ggm-tree
In this section, it is described how to construct a prf starting from a given
prg, using a technique devised form Goldreich, Goldwasser and Micali, called
the ggm-tree.
Construction 1. Let G : {0, 1}λ → {0, 1}2λ be a prg such that it doubles the
length of its input, and splits ithe images in halves, effectively returning string
couples:
G(k) = (G0 (k), G1 (k))
Consider the ggm-tree depicted in figure 6.17, which describes how G will
be used to craft a prf. To lighten up the notation, a function composition
Ga (Gb (Gc (k))) will be contracted to Gabc (k). So let F = {Fk : {0, 1}n →
{0, 1}λ } be a family of functions such that:
G0 (k) G1 (k)
G000 (k) G001 (k) G010 (k) G011 (k) G100 (k) G101 (k) G110 (k) G111 (k)
.. .. .. .. .. .. .. ..
. . . . . . . .
An example, with a string value of 001 for r would evaluate as Fk (001) =
G0 (G0 (G1 (k))).
28
Lesson 7
Recall the ggm-tree construct used to define a function family F := {Fk } from
a prg G. From now on we will refer to this function family as Fk , implicitly
stating that k represents a uniform probability distribution. Our wish is that
Fk is indeed a prf.
Theorem 16. If G is a prg, then Fk is a prf.
Proof. Concerning Fk ’s efficiency, one can observe that it involves computing G
a polynomial number of times, and G itself is efficient, thus Fk is indeed easy
to compute.
The rest of the proof, regarding Fk ’s hardness, will proceed by induction
over Fk ’s domain length n, which indirectly defines its ggm-tree’s height.
Base case (n = 1): Fk ’s domain is restricted to {0, 1}, meaning that its
images will be respectively the two halves on a single iteration of G(k), which
are pseudorandom by G’s definition:
A C
r = (r0 , r1...n )
z k ←$ {0, 1}λ
z = Fk (r) = Gr0 (Fk0 (r1...n ))
29
A C
r = (r0 , r1...n )
z R ←$ R(λ, n − 1, λ)
z = H(r) = Gr0 (R(r1...n ))
1
Figure 7.19: HybR,A (λ)
A C
r = (r0 , r1...n )
z R ←$ R(λ, n, λ)
z = R(r)
D A C
k ←$ Uλ
(r0 , r1...n ) R ←$ R(λ, n − 1, λ)
r1...n
z0 = Fk0 (r1...n )
zb
z1 = R(r1...n )
Gr0 (zb )
b ←$ {0, 1}
b0
b0
Output 1 iff b0 = b
Figure 7.21
30
Before tackling the reduction from the last two hybrids, it is best to introduce
another lemma:
Lemma 6. If G : {0, 1}λ → {0, 1}2λ is a PRG, then for any t(λ) ∈ polyλ:
Proof. T0D0 12: Idea: all values are independent and pseudorandom on their
own, hybridize progressively...
Proof. T0D0 13: Bad proof: the idea is to reduce to a distinguishing game for
the previous lemma)
Consider the distinguishing game for H and R in figure 7.22. The random
functions R and R are entirely independant, and G transforms randomness in
pseudorandomness, so this game boils down into distinguishing pseudorandom
values from random ones, which is possible only with negligible probability.
A C
R ←$ R(λ, n, λ)
R ←$ R(λ, n − 1, λ)
(r0 , r1...n )
zb z0 = Gr0 (R(r1...n ))
z1 = R(r)
b ←$ {0, 1}
b0
Output 1 iff b0 = b
31
7.1 Cpa-security
Now it’s time to define a stronger notion of security, which is widely used in cryp-
tology for first assessments on cryptographic schemes. Let Π := (Enc, Dec) be
a ske scheme, and consider the game depicted in figure 7.23. Observe that this
time, the adversary can “query” the challenger for the ciphertexts of any mes-
sages of his choice, with the only reasonable restriction that the query amount
must be polynomially bound by λ. This kind of game/attack is called the Chosen
Plaintext Attack, because of the adversary’s capability of obtaining ciphertexts
from messages. The usual victory conditions found in n-time security games,
which are based on ciphertext distinguishability, apply.
A Ccpa
k ←$ {0, 1}λ
m
c
c ←$ Enc(k, m)
m∗0 , m∗1
c∗ b ←$ {0, 1}
c∗ ←$ Enc(k, m∗b )
m
c
c ←$ Enc(k, m)
b0
Output 1 iff b0 = b
32
Consider the following ske scheme ΠF , with F = {Fk : {0, 1}n → {0, 1}l }
being a prf:
• Enc(k, m) = (c1 , c2 ) = (r, Fk (r) ⊕ m), where k ←$ {0, 1}λ and r ←$ {0, 1}n
• Dec(k, (c1 , c2 )) = Fk (c1 ) ⊕ c2
Observe that the random value r is part of the ciphertext, making it long
n + l bits; also more importantly, the adversary can and will always see r. The
key k though, which gives a flavour to the prf, is still secret.
• r ←$ {0, 1}n
• R ←$ R(λ, n, l)
• c = (r, R(r) ⊕ m), where m is the plaintext to be encrypted
and then the last hybrid Hyb2Π,A will simply output (r1 , r2 ) ←$ Un+l .
Lemma 8. ∀b ∈ {0, 1} =⇒ Hyb0Π,A (λ, b) ≈c Hyb1Π,A (λ, b).
Proof. As usual, the proof is by reduction: suppose there exists a distinguisher
D capable of telling the two hybrids apart; then D can be used to break F’s
property of being a prf. The way to use D is to make it play a cpa-like game,
as shown in figure 7.249 , where the adversary attempting to break F decides
which message to encrypt between m0 and m1 beforehand, and checks whether
D guesses which message has been encrypted. Either way, the adversary can get
a sensible probability gain in guessing if the received values from the challenger
were random, or generated by F. Thus, assuming such D exists, A can efficiently
break F, which is absurd.
9 An observant student may notice a striking similarity with a previously exposed reduction
in figure 6.15
33
D A Cprf
k ←$ {0, 1}λ
m b ←$ {0, 1}
r
r ←$ {0, 1}n
zb z0 ←$ Fk (r)
c z1 ←$ R(r)
c = (r, zb ⊕ m)
m∗0 , m∗1
r∗
r∗ ←$ {0, 1}n
zb∗ z0∗ ←$ Fk (r)
c∗ z1∗ ←$ R(r)
c∗ = (r∗ , zb∗ ⊕ m∗0 )
m
r
r ←$ {0, 1}n
zb z0 ←$ Fk (r)
c z1 ←$ R(r)
c = (r, zb ⊕ m)
b0
(
0 iff b0 = 0 b00
b00 = Output 1 iff b00 = b
1 else
34
Lemma 9. ∀b ∈ {0, 1} =⇒ Hyb1Π,A (λ, b) ≈c Hyb2Π,A (λ, b).
Proof. Firstly, it can be safely assumed that any ciphertext (ri , R(ri ) ⊕ mb )
distributes equivalently with its own sub-value R(ri ), because of R’s true ran-
domness, and independency from mb .
Having said that, the two hybrids apparently distribute uniformly, making
them perfectly equivalent; however there is a caveat: if both games are run and
one value r is queried twice in both runs, then on the second query the adversary
will receive the same image in Hyb1Π,A , but almost certainly a different one in
Hyb2Π,A . This is because the first hybrid uses a function, which is deterministic
by its nature, whereas the image in the second hybrid is picked completely
randomly from the codomain. Nevertheless, this sneaky issue about ”collisions”
can be proven to happen with negligible probability.
Call Repeat this collision event on r between 2 consecutive games. Then:
= Col(Un )
X X
= Pr[r1 = r2 = e]
i6=j e∈{0,1}n
X X
= Pr[r = e]2
i6=j e∈{0,1}n
q n 1
= 2 2n
2 2
q −n
= 2
2
≤ q 2 2−n ∈ negl (λ)
which proves that the Repeat influences negligibly on the two hybrids’
equivalence. Thus Hyb1Π,A (λ, b) ≈c Hyb2Π,A (λ, b)10 .
With the above lemmas, and observing that Hyb2Π,A (λ, 0) ≡ Hyb2Π,A (λ, 1),
we can reach the conclusion that Hyb0Π,A (λ, 0) ≈c Hyb0Π,A (λ, 1), which is what
we wanted to demonstrate.
10 Do note that the hybrids lose their originally supposed perfect equivalence (Hyb1Π,A (λ, b) ≡
Hyb2Π,A (λ, b)) because of the Repeat event. The lemma, though, is still proven.
35
Lesson 8
r r ... r
Fk Fk ... Fk
m1 ⊕ m2 ⊕ ... mt ⊕
c1 c2 ... ct
36
within a single plaintext. It is sufficient to choose an all-0 or all-1 message to
realize that all its blocks would encrypt to the same ciphered block.
m1 m2 ... mt
r ⊕ ⊕ ... ⊕
Pk Pk ... Pk
c0 c1 c2 ... ct
Fk Fk ... Fk
m1 ⊕ m2 ⊕ ... mt ⊕
c0 c1 c2 ... ct
37
This apparently innocuous change to ebc is enough to ensure cpa-security,
at the cost of perfect parallelization.
Theorem 18. Assume Fk is a prf, then the counter-mode block cipher ( ctr)
is cpa-secure for variable length messages11 .
A Ccpa
m = (m1 , . . . , mt )
c = (c0 , c1 , . . . , ct ) r = c0 ←$ {0, 1}n
ci = Fk (r + i − 1) ⊕ mi ∀i
µ0 , µ1
|µ0 | = |µ1 | ∈ M ρ = γ0 ←$ {0, 1}n
γb = (γ0 , γ1 , . . . , γt )
b ←$ {0, 1}
(γb )i = Fk (ρ + i − 1) ⊕ (µb )i ∀i
m = (m1 , . . . , mt )
c = (c0 , c1 , . . . , ct ) r = c0 ←$ {0, 1}n
ci = Fk (r + i − 1) ⊕ mi ∀i
b0
Output 1 iff b0 = b
Define the two hybrid games from the original cpa game as follows:
• Hyb1ctr,A (λ, b): A random function R is chosen uar from R(λ, n, n) at the
beginning of the game, and is used in place of Fk in all block encryptions;
• Hyb2ctr,A (λ, b): The challenger will pick random values from {0, 1}n as
ciphered blocks, disregarding any encryption routine.
38
Proof. Since mi doesn’t affect the distribution of the result at all, for any i,
if R(r∗ ) behaves like a true random extractor, then the two hybrids are indis-
tinguishable in the general case (R(r + i) ⊕ mi ≈ R(r + i)). However, there
is a sneaky issue: if in both games it happens that a given nonce ri is used in
both one query encryption and the challenge mesage encryption at any step,
the subsequent encrypted blocks will be completely random in the second hy-
brid, whereas in the first hybrid the function’s images, albeit random, become
predictable, enabling a cpa.
Nevertheless, it can be proved that these “collisions” happen with negligible
probability within Hyb1ctr,A . Let:
• q = number of encryption queries in a game run
• ti = number of blocks for the i-th query
• τ = number of blocks for the challenge ciphertext
• Overlap event: ∃i, j, ι : ri + j = ρ + ι
The Overlap event exaclty models our problematic scenario. Now it suffices
to show that it occurs negligibly. For simplicity, assume the involved messages
are of same length, that is ti = τ =: t. Denote with Overlapi to be the event
that the i-th query overlaps the challenge sequence as specified above.
Fix some ρ. One can see that Overlapi happens if:
ρ − t + 1 ≤ ri ≤ ρ + t − 1
which means that ri should be chosen at least in a way that:
• the sequence ρ, . . . , ρ + t − 1 comes before the sequence ri , . . . , ri + t − 1,
and they overlap just for the last element ρ + t − 1 = ri or
• the sequence ri , . . . , ri + t − 1 comes before the sequence the sequence
ρ, . . . , ρ + t − 1, and they overlap just for the last element ri + t − 1 = ρ.
Then:
(ρ + t − 1) − (ρ − t + 1) + 1
Pr[Overlapi ] =
2n
2t − 1
=
2n
Xt
Pr[Overlap] ≤ Pr[Overlapi ]
i=1
2
t
≤2 ∈ negl (λ)
2n
which proves that our collision scenario happens with negligible pobability,
thus the two hybrids are indistinguishable.
39
Lesson 9
∀ ppt A =⇒ Pr[Gameufcma
Π,A (λ) = 1] ∈ negl (λ)
A Cufcma
k ←$ K
mi ∈ M
φi
φi = T agk (mi )
(m∗ , φ∗ )
∗
m ∈
/M Output 1 iff T agk (m∗ ) = φ∗
40
Having defined a good notion of security in the mac scheme domain, we
turn our attention to a somewhat trivial scheme, and find out that it is indeed
secure:
Theorem 19. Let Π be a mac scheme such that Tagk = Verifyk = Fk , where
Fk is a prf. Then Π is ufcma-secure.
Proof. The usual proof by randomic hybridization entails. The original game is
identical to the ufcma game, where the tagging function is the prf, whereas
the hybrid game will have it replaced with a truly random function, as shown
in figure 9.30.
A C
R ←$ R(λ, n, l)
mi ∈ M
φi
φi = R(mi )
(m∗ , φ∗ )
m∗ ∈
/M Output 1 iff Tagk (m∗ ) = φ∗
41
Dufcma A Cprf
k ←$ {0, 1}λ
R ←$ R(λ, n, l)
m∈M b ←$ {0, 1}
m
φb φ0 ←$ Fk (r)
φb φ1 ←$ R(r)
(m∗ , φ∗ )
∗
m ∈
/M
m∗
ϕb ϕ0 ←$ Fk (r)
ϕ1 ←$ R(r)
(
0 0 iff ϕb = φ∗ b0
b = Output 1 iff b0 = b
1 else
42
9.2.1 Universal hash functions
A devised solution which has been proven to be secure relies on the following
definition: a function family H which can be used to “shrink” variable length
messages and then composed with a prf:
• assume collisions are hard to find given s ∈ {0, 1}λ publicly, and we have
a collision resistant hashing;
• let s be secret, and assume collisions are hard to find because it is hard to
know how hs works.
Definition 13. A function family H is deemed ε-universal iff:
If ε = 2−n , meaning the collision probability is minimized, then the family
is also called perfectly universal ; in the case where ε ∈ negl (λ) isntead, it is
defined as almost universal (au). Take care abotu telling the difference between
universality and pairwise independence, which states:
Lemma 14. Show that any pairwise independent hash function is perfectly uni-
versal.
Proof. The proof is left as exercise. (should I use Col for solving this? What is
the difference and when I should use Col instead of one-shot-probability?) ASK
FOR SOLVING PROPERLY (Thoughts: when I ask what’s the probability
that, chosen 2 distinct x-es, their hashes are the same on a certain value?,
maybe I have to use one-shot, because one-shot refers to the prob. that the two
inputs collide on a specific value, even if not specified.
Instead, if I consider what’s the prob. that , chosen 2 distinct x-es, their
hashes are the same?, maybe I have to calculate all the possible collisions, be-
cause I want to know if the 2 inputs can collide in general. )
Theorem 20. Assuming F is a prf with n-bit domain and H is au, then
F 0 = F(H) is a prf on (n · t)− bit domain, for t ≥ 1.
43
A C
k ←$ {0, 1}λ
x s ←$ {0, 1}λ
y
y = Fk (hs (x))
A C
R ←$ R(λ, n, l)
x s ←$ {0, 1}λ
y
y = R(hs (x))
A C
R ←$ R(λ, n, l)
x
y
y = R(x)
44
Proof. This proof too will proceed by hybridizing the original game up to the
ideal random one. Consider the three sequences depicted in figures 9.32, 9.33
and 9.34:
Lemma 15.
RealF ,A (λ) ≈c HYBR,A (λ)
Proof. The proof is left as exercise.
Lemma 16.
HYBR,A (λ) ≈c RandR0 ,A (λ)
Proof. Again, collisions come into play there, but in a much sneakier way. Given
two queries with arguments x1 , x2 returning the same image y, the random game
can model two scenarios:
• the arguments are equal, but with negligible probability
• the arguments are distinct
while the hybrid can model three of them:
• the arguments are equal, again with negligible probability
• the arguments are distinct, and so are their hashes
• the arguments are distinct, but not their hashes
We want to show that the collision at hash level is negligible: as long as
they don’t happen, the random function R is run over a sequence of distinct
points, and behaves just as the random game’s function R does. So let bad be
the event:
∃i 6= j ∈ [q] : hs (xi ) = hs (xj )
where q denotes the adversary’s query count. It suffices to show that Pr[Bad] ∈
negl (λ).
Since we don’t care what happens after a collision, we can alternatively
consider a mental experiment where we answer all queries at random, and only
at the end sample s ←$ {0, 1}λ and check ofr collisions: this does not change the
value of Pr(Bad). Now queries are independent of s, and this eases our proof:
Pr[Bad] = Pr[∃xi 6= xj , hs (xi ) = hs (xj )]
s
X
≤ Pr[hs (xi ) = hs (xj )] hs is au by definition
s
i6=j
q
≤ negl (λ) ∈ negl (λ)
2
By ruling out this event, the lemma is proven.
So now we have Real ≈c HYB ≈c Rand
Corollary 1. Let Π = (Tag, Verify) be a variable length message mac scheme
where, given a prf Fk and an au hash funcion family hs , the tagging function
is defined as Fk (hs ). Then Π is ufcma-secure.
45
9.2.2 Hash function families from finite fields
A generic 2n -order finite field has very useful properties: adding two of its
elements is equal to xor-ing their binary representations, while multiplying
them is done modulo 2n . It is possible to define a hash function family that
makes good use of these properties, and is suitable for a ufcma-secure mac
scheme.
Construction 2. Let F = GF (2n ) be a finite field (or “Galois field”) of 2n
elements, and let m = (m1 , . . . , mt ) ∈ Ft and s = (s1 , . . . , st ) ∈ Ft . The desired
hash function family will have this form:
t
X
hs (m) = si mi = hs, mi = qm (s)
i=1
Lemma 17. The above function family hs is almost universal.
Proof. In order for hs to be almost universal, collisions must happen negligibly.
Suppose we have a collision with two distinct messages m and m0 :
t
X t
X
mi si = m0i si
i=1 i=1
Let δi = mi − m0i
and assume, without loss of generality, that δ 6= 0. Then,
by using the previous equation, when a collision happens:
t
X t
X t
X
0= mi si − m0i si = δi si
i=1 i=1 i=1
Since the messages are different from each other, there is at least some i-th
block that contains some of the differences. Assume, without loss of generality,
that some of the differences are contained in the first block (i = 1); the sum can
then be split between the first block itself δ1 s1 and the rest:
t
X t
X
δi si = δ1 s1 + δi si = 0
i=1 i=2
t
X
δ1 s1 = − δi si
i=2
Pt
− i=2 δi si
s1 =
δ1
which means when a collision happens, s1 must be exactly equal to the sum
of the other blocks, which is another element of F. But since every seed is
chosen at random among F, the probability of picking the element s1 satisfying
−1
the above equation is just |F| = 2−n ∈ negl (λ). By repeating this reasoning
for every difference-block, a sum of negligible probabilities is obtained, which is
in turn negligible; therefore the hash function family hs is almost universal.
46
H with Galois fields elements and polynomials
Construction 3. Take F = GF (2n ), a Galois field of 2n elements.
Let m = (m1 , ..., mt ) ∈ Ft and s ←$ Ft . We state that
t
X
hs (m) = si−1 mi
i=1
Exercise 21. Prove that this construction is almost universal.
(possible proof: to be almost universal, looking at the definition, collisions
with m 6= m0 must be negligible.
So consider a collision as above: it must be true that
t
X t
X t
X t
X
mi si−1 = m0i si−1 ⇔ mi si−1 − m0i si−1 = 0 ⇔ qm−m0 (s) = 0
i=1 i=1 i=1 i=1
How can we make a polynomial equal to 0? We have to find the roots of the
polynomial, which we know are at most the grade of the polynomial. So, the
grade of this polynomial is t − 1, and the probability of picking a root from F
as seed of hs (.) is
t−1
P[s = root] = n ∈ negl (λ)
2
)
47
Lesson 10
10.1.2 xor-mode
Assume that we have this function
for each i ∈ [1, t]. But α is one unique random number chosen over 2n possible
candidates, so the collision probability is negligible.
48
10.1.3 cbc-mode mac scheme
This is part of the standard, used in TLS. It’s used with a prf Fs , setting the
starting vector as iv = 0n = c0 and running this prf as part of cbc. The last
block otained by the whole process is the message’s signature:
hs (m) = Fs (mt ⊕ Fs (mt−1 ⊕ Fs (. . . Fs (m2 ⊕ Fs (m1 ⊕ iv)) . . . )))
Lemma 20. XOR mode gives computational AXU (Almost Xor Universal)
Proof. (not proven)
Theorem 23. If F is a PRF and H is computational AXU, then XOR-MAC
is a MAC.
Proof. (not proven)
49
Summary
• E-CBC is secure.
50
10.2 Cca-security
Going back to the encryption realm, a new definition of attack to a ske scheme
will be introduced. Now the adversary can query a decryption oracle, along
with the cpa-related encryption oracle, for polynomially many queries. This
attack is called the Chosen Ciphertext Attack 14 , and schemes that are proven
to be cca-secure are also defined as non-malleable, on the reasoning that an
attacker cannot craft fresh valid ciphertexts from other valid ones.
A Ccca
k ←$ K
m
c r chosen uar
c = Enck (m, r)
c
m
m = Deck (c)
m∗0 , m∗1
c∗b r∗ chosen uar
b ←$ {0, 1}
c∗ = Enck (m∗b , r∗ )
m
c r chosen uar
c = Enck (m, r)
c
m
m = Deck (c)
b0
Output 1 iff b0 = b
Exercise 24. Show that the scheme ΠF defined in theorem 17, while cpa-
secure, is not cca-secure.
Proof. Let m0 and m1 be the messages the adversary sends to the challenger as
the challenge plaintexts; on receiving the ciphertext cb = (r, Fk (r ⊕ mb ) : b ←$
{0, 1}, the adversary crafts another ciphertext with an arbitrary value α:
51
and queries the decryption oracle on it. The latter will decrypt the new cipher-
text and return a plaintext, which can be easily manipulated by the adversary
to reveal exactly which message was encrypted during the challenge:
Therefore, the adversary certainly wins after just one decryption query, prov-
ing the scheme’s vulnerability to cca attacks.
Dec : K ∗ C → M ∪ {⊥}
A Cauth
k ←$ K
m
c r chosen uar
c∈C c = Enck (m, r)
c0
c0 ∈
/C Output 1 iff Deck (c0 ) 6=⊥
Theorem 25. Let Π be a ske scheme. If it is cpa-secure, and has the auth
property, then it is also cca-secure.
Proof. The proof is left as an exercise.
Hint: consider the experiment where Dec(k, c):
52
• else output ⊥
The approach would be to reduce cca to cpa; given Dcca , we can build
D . Dcca will ask decryption queries, but Dcpa can answer just with these
cpa
two properties shown above, so it can reply just if he asked these (c, m) before
to its challenger C.
Of the three options, only the last one is proven to be cca-secure for arbi-
trary scheme choices; the other approaches are not secure “a-priori”, with some
couples proven to be secure by themselves. Notable examples are the Trans-
port Layer Security (tls) protocol, which employs the second strategy, and has
been proven to be secure because of the chosen ecnryption scheme; Secure SHell
(ssh) instead uses the first strategy.
Theorem 26. If an authenticated encryption scheme Π is made by combining
a cpa-secure ske scheme Π1 with a strongly unforgeable mac scheme Π2 in
the Encrypt-then-tag method. Then Π is cpa-secure and auth-secure.
Proof. Assume that Π is not cpa-secure; then an adversary can use the resulting
distinguisher Dcpa to direct a succesful cpa against Π1 , as shown in figure 10.37:
the point is to run the two components of Π separately.
T0D0 16: Professor says that we have to show that Gamecpa (λ, 0) ≈c
Gamecpa (λ, 1) , but why??? Isn’t this proof enough?
53
Dcpa A Ccpa1
k1 ←$ K1
k2 ←$ K2
m
m
c
c ←$ Enck (m)
(c, φ)
φ ←$ T agk (c)
m∗0 , m∗1
m∗0 , m∗1
c∗ b ←$ {0, 1}
(c, φ ) ∗ c∗ ←$ Enck (mb )
φ∗ ←$ T agk (c∗ )
m
m
c
c ←$ Enck (m)
(c, φ)
φ ←$ T agk (c)
b0
b0
Output 1 iff b0 = b
Figure 10.37
54
Proved for the cpa-security property, now we have to prove, in a similar way,
that the auth property must be holded by Π if Π2 is an auth-secure scheme.
55
Lesson 11
with the additional restriction that the tag φ∗ of the forged message must be
“fresh” itself.
Note the small difference in security between ufcma and eufcma.
Theorem 28. Let Π = (Enc, Dec, T ag, V erif y) be an authenticated encryption
scheme, composed by a ske scheme Π1 and a mac scheme Π2 . If Π2 is eufcma,
then Π has the auth property.
Proof. The proof is analogous to the previous proof regarding the scheme’s cpa
security. Suppose that Π has not the auth property; then an adversary can use
the distinguisher Dauth to successfully forge authenticated messages with fresh
signatures against Π2 , as depicted in figure 11.38.
From Aauth perspective, all the couples (ci , φi ) received are made with the
following schema:
ci ∈ Enc(k1 , m ∈ M) ∧ φi ← $Enc(k2 , ci )
Since Aauth wins Gameauth , the challenge couple (c∗, φ∗ ) which breaks
Gameauth will be produced to be decrypted as
56
Dauth A Ceufcma2
m
c
c ←$ Enc(k1 , m)
φ
φ ←$ T ag(k2 , c)
c∈C (c, φ)
φ∈Φ
c∗ ∈
/C (c∗ , φ∗ )
φ∗ ∈
/Φ (c∗ , φ∗ ) Output 1 iff
Verifyk (c∗ , φ∗ ) = 1
T0D0 17: Luby-Rackoff is cited here, but it’s related to both prfs-prps and
the Feistel network analysis
A C
k ←$ {0, 1}λ
x
y
y = Fk (x)
b0
57
A C
P ←$ P(λ, n)
x
y
y = P (x)
b0
Fk
y ⊕
However, this example with additional restrictions will be useful very soon,
so it is reworded as the following lemma:
Lemma 21. For any unbounded adversary making q ∈ poly(λ) queries, the
following games in figure 11.42 are statistically close as long as y1 , . . . , yq are
mutually distinct.
Proof. T0D0 18: Idea: Hybridize over the queries before the challenge, from
PR to random; prove that the stat distance between i and i+1 is negligible
58
A C
x, y
2
ψF,F 0 (x, y)
F, F 0 ←$ R(λ, n, n)
A C
x, y
R(x, y)
R ←$ R(λ, 2n, 2n)
Figure 11.42
Going back to the Feistel networks in general, it should be easy to see that
they can be made of an arbitrary number of rounds, by simply chaining output
with input. The l-th iteration is denoted as:
l
ψΦ (x, y) = ψF (ψF 00 (. . . ψF (l) (x, y) . . .))
where Φ is the sequence of prfs used at each single step. It can be shown
that the rounds neeed to obtain a network that is indeed pseudorandom is just
3; also, the same prf can be used, it is sufficient to change the seed on each
iteration15 :
3
Theorem 29. Let Fi , Fj , Fk be a prf over three seeds. Then ψi,j,k is a prp.
Proof. T0D0 19: Idea: Four total games: original, swap prfs with random
functions, swap the three functions with a single one (use previous lemma),
swap random function with random permutation (avoid bad events generated
by injection property)
59
Lesson 12
12.1 Hashing
12.1.1 Merkle-Damgård construction
12.1.2 Domain extension
12.1.3 Compression functions
60
Lesson 13
61
Lesson 14
62
Lesson 15
A C pke-cca
pk
(pk, sk) ←$ KGen(1λ )
c0
m0
m0 , m1
c b ←$ {0, 1}
c ←$ Enc(pk, mb )
c0
m0
b0
Output 1 iff b0 = b
(Reminder): Encryptions are made like this: Enc(k, m) = (r, Fk (r)⊕m), r '
Unif ({0, 1}λ ).
Every time an encryption is made, a fresh value r is picked UAR.
63
15.1.1 Trapdoor permutation
A TDP(TrapDoor Permutation) is a OWP family structured has these features:
T0D0 20: Apparently, the reduction here is not easy at all. Some hints are
needed to solve this exercise.
• Zn ' Zp × Zq
• Z× × ×
n ' Zp × Zq
Note that the theorem is more general, and holds for any p, q that are co-
prime.
64
How to use this theorem for constructing a PKE scheme:
Reminder (Euler’s theorem):
A C rsa
m0
Output 1 iff m0 = m
Enc(Pk , m) = me (mod n)
Dec(Sk , c) = cd (mod n)
65
Since the output of Enc is deterministic this is not CPA secure! However
it can be used with HARD-CORE Predicate.
Preprocess the message to add randomness:
REVIEW:
2. If m ∈ {0, 1} then I can prove it CPA secure under RSA (just use standard
TDP)
REVIEW:
p−1 (p−1)
Zp∗ = {g 0 , g 1 , g 2 , . . . , g 2 −1 ,g 2 , . . . , g p−2 }
p−1
−1
g 2 inZp∗
z}|{
QRp = {g 0 , g 2 , g 4 , . . . , g p−3 , g 0 , . . .}
|{z}
p−1
g 2 inZp∗
p−1
|QRp | =
2
p−1 p−1 p−1
Moreover, since (g 2 )2 ≡ 1 (mod p) and g 2 cannot be 1 (since g 0 6= g 2 6=
p−1
g p−1 ) but must be one of the p − 1 elements of Zp∗ , then g 2 ≡ −1 (mod p).
66
Now it’s possible to show that f : QRp → QRp is a permutation, and we are
going to show a method to invert it, aka f −1 .
=⇒ x = ±y t+1
But only 1 among the above ±y t+1 is a square, in particular only the positive
one.
Since we have that
p−1 4k + 2
p = k4 + 3 ⇒ = = 2k + 1
2 2
p−1
so 2 is odd.
y = x2 ⇔ y = (g z )2 = g 2z
0
So, y = g z ∈ QRp ⇔ z 0 is even. If z 0 is odd, then y ∈ / QRp .
p−1
Since p−1
2 is odd, then g 2 ∈
6 QR p , and since it is possible to generate all
of the other numbers with odd exponents
p−1 p−1
g odd = g 2 ±even =g 2 g ±even ⇒ −1(g ±even )
f (x) = x2 mod n
We can observe that the image of this function is QRn , a subset of Z∗n .
For Chinese remainder theorem it is possible to state that f maps as
follows
x = (xp , xq ) 7→ (x2p , x2q )
67
since each element of Zn has always two different forms , in Zp and in Zq .
So
y ∈ QRn ⇔ yp ∈ QRp ∧ yq ∈ QRq
As before, the image of f is exactly
QRn = {y : ∃x : y = x2 mod n}
If we try to invert the function f , even without applying the previous inver-
sion algorithm, we easily note that among the 4 possible values
only 1 is a quadratic residue since we said, in the last lemma, that only one
out of −xk , xk is a quadratic residue for k = q, p.
Therefore, we have that the Rabin’s TDP is a permutation in QRn , and that
|Z∗ |
the cardinality of QRn is 4n .
Furthermore, with the following claim we can state that the Rabin cryp-
tosystem is OWF thanks to the hardness of factoring.
Claim 1. Given x, z such that x2 modn ≡ z 2 mod n ≡ y mod n,
x 6= ±z ⇒ we can factor n
Proof. Since f −1 (y) has only one value out of four, x 6= ±z and z ∈ {(xp , xq ), (−xp , −xq )}
, then x ∈ {(xp , −xq ), (−xp , xq )} and
Now assume x + z = (2xp , 0) without loss of generality, since the proof for
the other case is the same.
We have that x + z ≡ 0 mod q and x + z 6≡ 0 mod p.
But then gcd(x + z, n) = q, and we obtain q.
Theorem 32. Squaring mod n (where n is a bloom integer16 ) is a trapdoor
permutation under factoring.
Since we have already shown tha Rabin’s function is a permutation since it
is invertible, we have to show that Rabin’s function is also OWF.
In other words
68
ARabin Af act C(p,q,n)←$Genbloom∧p,q≡3 mod 4
n = pq
n, y x ← $Z∗n
y = x2 mod n
z
f (z) = f (x)
69
Lesson 16
• Compute m̂ = c−sk
1 · c2
Correctness of this scheme follows from some algebric steps:
70
H0 (λ, b) :
A C pke
pk x ←$ Zq
pk = g x
(m0 , m1 ) ∈ G
c = (c1 , c2 ) r ←$ Zq
b ←$ {0, 1}
(c1 , c2 ) = (g r , (g x )r mb )
b0
Output 1 iff b = b0
H1 (λ, b) :
A C pke
pk x ←$ Zq
pk = g x
(m0 , m1 ) ∈ G
c = (c1 , c2 ) r ←$ Zq
z ←$ Zq
(c1 , c2 ) = (g r , g z mb )
b0
Output 1 iff b = b0
=⇒ H0 (λ, 0) ≈c H1 (λ, 1)
71
0
D DDDH CDDH
(X, Y, Z) X = gx , Y = gy
Z = g xr or Z = g z
h=X
(m0 , m1 )
(Y, Zmb )
b0
b0
72
So this is not CCA-Secure!
These properties of the El Gamal scheme can be desirable in some use cases,
where a message must be kept secret to the second party. In fact, there are
some pke schemes which are designed to be fully homomorphic, i.e. they are
homomorphic for any kind of function.
Consider the following use case: a client C has an object x and wants to
apply a function f over it, but it lacks the computational power to execute it.
There is another subject S, which is able to efficiently compute f , so the goal
is to let it compute f (x) but the client wishes to keep x secret from him. This
can be achieved using a fh-pke scheme as follows:
C S
Object: x
Function: f f, c
(pk, sk) ←$ KGen
c ←$ Enc(pk, x)
f (c)
f (x) = Dec(sk, f (c))
However one important consideration must be made: All these useful char-
acteristics expose an inherent malleability of any fully homomorphic scheme:
any attacker can manipulate ciphertexts efficiently, and with some predictable
results. This compromises even cpa security of such schemes.
Proof systems
Let L be a Turing-recognizable language in N P , and a predicate R ∈ X × Y →
{0, 1} such that:
L := {y ∈ Y : ∃x ∈ X R(x, y) = 1}
where x is called a “witness” of y.
In our instance, let y = pq, x = (p, q)
Π = (Setup, Prove, Verif y)
(ω, τ ) ←$ Setup(1λ ), where ω is the Common Reference String, and τ is
the trapdoor.
Additional notes:
• ω is public (= pk)
73
• τ is part of the secret key
• τ = (x, y) : R(x, y) = 1
A B
ω π = Prove(ω, y, x) τ, y 0 ∈ L
(x, y) s.t. R(x, y) = 1 V er(τ, y) = π̃ ∈ P
check if π = π̃
Properties
• (implicit, against malicious Bob) Zero-knowledge: Proof for x can be
simulated without knowing x itself
• (stronger, against malicious ALice) Soundness: It is hard to produce a
valid proof for any y ∈
/L
• honest people Completeness: ∀y ∈ L, ∀(ω, τ ) ←$ Setup(1λ ) :
Prove(ω, x, y) = Verif y(τ, y)
t-universality
Definition 15. Let Π be DV-NIKZ19 .
We say it is t-universal if for any distinct
we have
(ω, V er(τ, y1 ), . . . , V er(τ, yt )) = (ω, v1 , . . . , vt )
where (ω, τ ) ← $Setup(1λ ) and v1 , . . . , vt ← $P where P should be the proofs’
space.
19 Designated verifier non-interactive zero-knowledge
74
Enriching DV-NIKZ
Can we enrich DV-NIKZ with labels l ∈ {0, 1}∗ ?
Then our scheme changes : P rove(ω, (y, l), x) = Π; V er(τ, (y, l)) and , for t-
universality , now we can consider 2 distinct (yi , li ).
R(y, x) = 1
75
Lesson 17
76
• The message space of the second prover is the range of the first prover.
• The message space of the first prover is a multiplicative group
• The message space of the second prover is a polylogarithmic language in
(λ)
Theorem 34. Assuming π1 is 1-universal, π2 is 2-universal and L is Membership-
hard, then the above scheme is cca-secure.
Proof. Five different games will be defined, from Game0Π,A up to Game4Π,A ;
the first game will be an analogous formalization of how the above pke scheme
works. It shall be proven that, for either fixed b in {0, 1}:
Game0Π,A (λ, b) = Game1Π,A (λ, b) ≈C Game2Π,A (λ, b) ≈S Game3Π,A (λ, b) = Game4Π,A (λ, b)
and finally that Game4Π,A (λ, 0) = Game4Π,A (λ, 1), therefore concluding that
Game0Π,A (λ, 0) ≈C Game0Π,A (λ, 1), and proving this scheme is cca-secure.
T0D0 22: Non sono per niente sicuro riguardo all’origine di x ed y, né
tantomeno dove sia definito il sampler per essi
A Cpke-cca
(ω1 , ω2 )
((ω1 , ω2 ), (τ1 , τ2 )) ←$ KGen(1λ )
m0 , m1
(x, y) ←$ Sample1
c = ((y, (π1 · mb )), π2 ) π1 ←$ P rove1 (ω1 , y, x)
b ←$ {0, 1}
π2 ←$ P rove2 (ω2 , (y, (π1 · mb )), x)
b0
Output 1 iff b = b0
Lemma 26.
∀b, G0 (λ, b) ≡ G1 (λ, b)
77
A C1
m0 , m1
(x, y) ←$ Sample1
c = ((y, (π1 · mb )), π2 ) π1 ←$ V erif y1 (τ1 , y)
b ←$ {0, 1}
π2 ←$ V erif y2 (τ2 , (y, (π1 · mb )))
b0
Output 1 iff b = b0
A C2
m0 , m1
(x, y) ←$ Sample1
c = ((y, (π1 · mb )), π2 ) π1 ←$ V erif y1 (τ1 , y)
b ←$ {0, 1}
π2 ←$ V erif y2 (τ2 , (y, (π1 · mb )))
b0
Output 1 iff b = b0
A C3
m0 , m1
(x, y) ←$ Sample1
c = ((y, (π1 · mb )), π2 ) π1 ←$ V erif y1 (τ1 , y)
b ←$ {0, 1}
π2 ←$ V erif y2 (τ2 , (y, (π1 · mb )))
b0
Output 1 iff b = b0
78
A C4
m0 , m1
c = ((y, (π1 · mb )), π2 ) π1 ←$ Im(P rove1 )
b ←$ {0, 1}
π2 ←$ P rove2 (ω2 , (y, (π1 · mb )), x)
b0
Output 1 iff b = b0
Lemma 27.
∀b, G1 (λ, b) ≈c G2 (λ, b)
Proof. Straight forward reduction from membership hardness.
Lemma 28.
∀b, G2 (λ, b) ≈c G3 (λ, b)
T0D0 24: I’m not completely sure the next proof is complete
79
(i) (i)
1. if (y (i) , l(i) ) = (y, l) and Π̃2 = Π2 , it outputs ⊥ if in the decryption
(i) (i)
scheme (Π2 6= Π̃2 ) it outputs ⊥.
20 (i)
2. otherwise (y (i) , l(i) ) 6= (y, l) if y (i) 6∈ L we want that Π2 doesn’t output
exactly V er2 (τ, (y (i) , l(i) )), but it should output ⊥.
EVENT BAD: If we look at the view of A, the only information he knows
is
(ω2 , Π̃2 = V er2 (τ2 , y))
for y 6∈ L.
The value
V er2 (τ2 , (y (i) , x(i) ))
for y (i) ∈ L and (y (i) , l(i) ) 6= (y, l) is random.
So,
P[BAD] = 2−|P2 |
Lemma 29.
∀b, G3 (λ, b) ≡ G4 (λ, b)
Proof. If we look at the view of A, the only information known about τ1 is ω1 ,
since the decryption oracle only computes for y (i) ∈ L
80
• Setup(1λ ): Pick x1 , x2 ← $Zq and define:
ω = h1 = (g1x1 , g2x2 ), τ = (x1 , x2 )
e = cx1 cx2
• V erif y(τ, (c1 , c2 )) output Π 1 2
| {z }
y
z 1 α x1
µ0 (x1 , x2 ) = 1 = ·
z2 r1 r2 α x2
1 α
Since Det = α(r2 − r1 ) 6= 0 the map is injective.
r1 r2 α
• Setup(1λ ):
– Pick x3 , x4 , x5 , x6 ← $Zq and define:
∗ ω = (h2 , h3 , s) = (g1x3 , g2x4 , g1x5 , g2x6 , s) where s is a seed for a
CRH→ H = {Hs }
– Compute β = Hs (c1 , c2 , l) ∈ Zq
e = cx3 +βx5 cx4 +βx6
– Output Π 1 2
Correctness:
Π = hr2 hrβ x3 x4 r x5 x6 r x3 x4 βx5 βx6
3 = (g1 g2 ) (g1 g2 ) = c1 c2 c1 c2 = c1x3 +βx5 c2x4 +βx6 = Π
e
Theorem 36. The above construction define a 2-universal DVNIZK for LDDH
81
Proof. Same goal and procedure as before
- Take any (c1 , c2 ) ∈ / LDDH
- Fix (c1 , c2 , l) 6= (c01 , c02 , l0 ) s.t. (c1 , c2 ), (c01 , c02 ) ∈
/ LDDH which means:
. . . .
IFF:
for construction
z }| {
r2 6= r1 , r20 6= r10 , β 6= β 0 → this last condition is true because we picked Hs
collision resistant.
Otherwise Hs computed on different elements((c1 , c2 , l) and (c01 , c02 , l0 )) will
have to output the same β(= β 0 ).
82
Lesson 18
sk pk
m (m, σ) b
Alice Bob
83
• In a vaguely similar manner to how an attacker could encrypt messages
by itself in the asimmetric scenario, because the public key is known to
everyone, any attacker can verify any signed messages, for free
Nevertheless, proving that a ds scheme is secure is largely defined in the
same way as in the symmetric scenario, with the uf-cma property:
A Cuf-cma
pk
(pk, sk) ←$ KGen(1λ )
m
m∈M
σ
σ ←$ Sign(sk, m)
(m , σ ∗ )
∗
m∗ ∈
/M Output Verify(pk, m∗ , σ ∗ )
84
CA Alice Bob
pkBOB , pkCA
V rf y(pkCA , ”Alice”kpkA , certaA )
85
Lesson 19
• Then output:
– Pk = (params, g1 , g2 , u0 , ..., uk )
86
– Sk = g2a = g ab
Sign(Sk , m):
• Divide the message m of length k in bits and not it as follows: m =
(m[1], ..., m[k])
Qk m[i]
• Now define α(m) = u0 i=1 ui
• Pick r ← Zq and output the signature σ = ( g2a ·α(m)r , g r ) = (σ1 , σ2 )
|{z}
Sk
Vrf(Pk , m, (σ1 , σ2 ))
• Check ê(g, σ1 ) = ê(σ2 , α(m)) = ê(g1 , g2 )
Correctness: ”Just move the exponents”
I can separate the second part for bilinearity
z }| {
ê(g, σ1 ) = ê(g, g2a · α(m)a ) = ê(g, g2a ) · ê(g, α(m)r ) =
a r
ê( g , g2 ) · ê( g , α(m)) = ê(g1 , g2 ) · ê(σ2 , α(m))
|{z} |{z}
g1 σ2
We can say that we are moving the exponents from the ”private domain” to the
”public domain”.
The following describes how the Waters’ challenger constructs the u string.
The main idea is, given k as the message length, to choose each single bit of u
from 1 up to k such that:
k k
β(m) γ(m)
X X
α(m) = g2 g , β(m) = x0 + mi xi , γ(m) = y0 + mi yi
i=1 i=1
k
x + k
P Pk
i=1 mi xi y0 + β(m) γ(m)
Y
α(m) = g2x0 g y0 (g2xi g yi )mi = g2 0 i=1 mi yi
g = g2 g
i=1
87
A Cwds Ccdh
“params”=
(“params”, g a , g b ) = (G, Gt , g, q, ê)
←$ BilGen(1λ )
a, b ←$ Zq
(“params”, g a , g b , u)
Construct u string
m
m∈M
σ
σ = Sign()
(m∗ , σ ∗ )
m∗ ∈
/M
T0D0 29: Partizioni, doppi if.... qui non ci ho capito ’na mazza
σ1 = g2a α(m)r̄
−1
= g2a α(m)r−aβ
β(m) γ(m) r−aβ −1
= g2a (g2 g )
β(m)r−a γ(m)r−γ(m)aβ −1
= g2a g2 g
β(m)r γ(m)r −γ(m)β −1
= g2 g g
88
Lesson 20
20.2 ID Scheme
20.3 Honest Verifier Zero Knowledge (HVZK)
and Special Soundness (SS)
89
Lesson 21
90
Lesson 22
91
Lesson 23
92
Lesson 24
93