
Witness Indistinguishability and Hiding

Feige and Shamir propose two alternative privacy criteria: witness indistinguishability and witness hiding [88]. Both notions are weaker than zero-knowledge, yet they suffice for several practical applications. Moreover, they have the advantage over zero knowledge that they are preserved under parallel composition, provided that the prover is probabilistic polynomial-time.

A variation of witness indistinguishability, due to Goldreich, is witness independence [108]. Roughly speaking, an interactive proof of knowledge for an NP relation is witness-indistinguishable (resp. witness-independent) if the verifier's view of the interaction with the prover is computationally independent (resp. statistically independent) of the private input of the prover. Intuitively, this means that the verifier cannot tell which witness the prover is using, even if the verifier knows all the witnesses.

Definition 2.7.1 (Witness Indistinguishability/Independence). Let $(P, V)$ be a proof of knowledge for an NP relation $R$. We say that $(P, V)$ is witness-indistinguishable for $R$ if for every probabilistic polynomial-time verifier $V^*$, all sufficiently long $x \in L_R$, any two sequences $W = \{w_x\}_{x \in L_R}$ and $W' = \{w'_x\}_{x \in L_R}$ such that $w_x, w'_x \in R(x)$, and all auxiliary inputs $z \in \{0,1\}^*$, the following two ensembles are computationally indistinguishable:

• $\{\langle P(w_x), V^*(z)\rangle(x)\}_{x \in L_R}$

• $\{\langle P(w'_x), V^*(z)\rangle(x)\}_{x \in L_R}$

We say that $(P, V)$ is witness-independent for $R$ if, for every such $V^*$, $x$, $z$, $w_x$ and $w'_x$, the random variables $\langle P(w_x), V^*(z)\rangle(x)$ and $\langle P(w'_x), V^*(z)\rangle(x)$ are identically distributed.

An alternative but equivalent definition requires the two views of $V^*$, rather than its two outputs, to be computationally indistinguishable (or identically distributed).

Feige and Shamir prove that witness indistinguishability is preserved under polynomial composition of protocols [88]. Furthermore, any zero-knowledge (resp. perfect zero-knowledge) protocol is witness-indistinguishable (resp. witness-independent). On the other hand, witness indistinguishability does not imply zero knowledge. In particular, any proof system for instances having only a single witness is trivially witness-indistinguishable, but need not be zero-knowledge.

Intuitively, a proof of knowledge for an NP relation is witness-hiding if interacting with the prover does not help a (dishonest) verifier find a witness for the common input that it did not already know at the beginning of the protocol. Because every NP language has instances for which finding a witness is easy, we must consider the task of finding witnesses for specially selected hard instances. Before defining witness-hiding proofs, we therefore need the notion of a distribution of hard instances.

Definition 2.7.2 (Distribution of Hard Instances). Let $R$ be an NP relation and $L_R$ the language defined by $R$. Let $X = \{X_n\}_{n \in \mathbb{N}}$ be a probability ensemble such that $X_n$ ranges over $L_R \cap \{0,1\}^n$. We say that $X$ is hard for $R$ if for every probabilistic polynomial-time (witness-finding) algorithm $F$, every polynomial $Q$, all sufficiently large $n$, and all $z \in \{0,1\}^{\mathrm{poly}(n)}$,

$$\Pr[F(X_n, z) \in R(X_n)] < \frac{1}{Q(n)}.$$

Definition 2.7.3 (Witness Hiding). Let $(P, V)$ be a proof of knowledge for an NP relation $R$, and let $X = \{X_n\}_{n \in \mathbb{N}}$ be a hard-instance ensemble for $R$. We say that $(P, V)$ is witness-hiding for the relation $R$ under the instance ensemble $X$ if for every probabilistic polynomial-time algorithm $V^*$, every polynomial $Q$, all sufficiently large $n$, and all $z \in \{0,1\}^*$,

$$\Pr[\langle P(W_n), V^*(z)\rangle(X_n) \in R(X_n)] < \frac{1}{Q(n)},$$

where $W_n$ is arbitrarily distributed over $R(X_n)$.

Witness hiding guarantees only that witnesses are not disclosed completely; in contrast to zero knowledge, partial information about the witness may leak. For example, a digital signature cannot be zero-knowledge (or deniable zero-knowledge in the random oracle model), but it can be witness-hiding (e.g., fail-stop signatures [119, 217]).

A witness-indistinguishable proof is not necessarily witness-hiding. For example, any proof system for instances having only a single witness is trivially witness-indistinguishable, but it may not be witness-hiding. However, as shown in [88], if each instance has at least two computationally independent witnesses, then a witness-indistinguishable proof of knowledge is also witness-hiding.

Elementary Cryptographic Tools

This chapter presents several elementary cryptographic tools that can be used as building blocks for complex cryptographic applications. These tools include encryption schemes, signature schemes, and basic cryptographic protocols. There are numerous books devoted to the theory and practice of cryptography; we refer the reader to [33, 73, 108, 157, 202, 210, 214].

3.1 Public-Key Encryption Schemes

Encryption schemes allow one party to send messages to another party securely. To deliver data confidentially, the sender applies an encryption function to a message (called plaintext) to obtain ciphertext, which is then sent. Only the intended receiver is able to retrieve the original plaintext from the ciphertext through the corresponding decryption function.

Encryption schemes can be divided into two types: secret-key (or symmetric) schemes and public-key (or asymmetric) schemes. In a secret-key scheme, the same key is used for encryption and decryption. Hence, when two parties want to communicate securely with a symmetric encryption scheme, they must exchange a secret key in advance. In a public-key scheme, different keys are used for encryption and decryption. The public key used for encryption can be published, while the secret key used for decryption must be kept secret.

Work on public-key encryption schemes begins with Diffie and Hellman's paper "New Directions in Cryptography" [78] in 1976. They invent public-key cryptography and propose a concrete scheme for obtaining a common secret key over an insecure channel. They also put forth the notion of a trapdoor one-way function: a function that is easy to compute but hard to invert unless a trapdoor is known. In 1978, Rivest, Shamir, and Adleman propose the RSA scheme, whose security depends on the intractability of factoring large integers [195]. They are the first to present a concrete realization of a trapdoor one-way function. In 1984, ElGamal discovers another scheme, based on the Diffie-Hellman problem [84, 85].

A public-key encryption scheme is a triple of algorithms $(\mathrm{gen}, \mathrm{enc}, \mathrm{dec})$.

• Key generation algorithm gen: a probabilistic polynomial-time algorithm $\mathrm{gen}(1^k) = (sk, pk)$, where $1^k$ is the security parameter and $sk$, $pk$ are a pair of secret and public keys, each of size $O(k^a)$ for some constant $a \in \mathbb{N}$.

• Encryption algorithm enc: an algorithm, often probabilistic, $\mathrm{enc}(pk, m) = c$, where $m$ is a message in the message space $M$ and $c$ is the corresponding ciphertext in the ciphertext space $C$.

• Decryption algorithm dec: a deterministic algorithm $\mathrm{dec}(sk, c) = m$ satisfying $\mathrm{dec}(sk, \mathrm{enc}(pk, m)) = m$ for every $m \in M$, where $(sk, pk)$ is a key pair output by gen.

If the algorithm enc is probabilistic, the encryption scheme is called probabilistic. A deterministic enc cannot meet the indistinguishability notion defined below: an adversary who knows the public key simply re-encrypts the candidate messages and compares the results with the challenge ciphertext.

Often we would like to say how secure an encryption scheme is. One way to define secure encryption is to consider separately the goals of encryption and the possible attack models of adversaries; a particular goal and an attack model are then combined to obtain the desired definition.

In the literature two different goals have been considered: indistinguishability of encryptions (IND) [111] and non-malleability (NM) [81]. IND is also called polynomial security. IND requires that it be infeasible for an adversary to distinguish between the ciphertexts of any two messages, even if the adversary chose the two messages itself. In terms of protecting the encrypted data, the most basic goal is privacy, which requires that an adversary should not be able to learn any useful information about the plaintext from the ciphertext. Semantic security captures privacy in the most direct way: whatever can be efficiently computed about a message given the ciphertext can be computed without the ciphertext [111]. Assume that an adversary $A$ consists of two sub-algorithms $A_1$ and $A_2$, where $A_1$ may output some state information $s$ that is passed to $A_2$. We make polynomial security and semantic security precise in the following definitions.

Definition 3.1.1 (Polynomial Security). A public-key encryption scheme $(\mathrm{gen}, \mathrm{enc}, \mathrm{dec})$ is polynomially secure if for every probabilistic polynomial-time adversary $A = (A_1, A_2)$, every positive polynomial $P$, and all sufficiently large $k$, it holds that

$$\Pr\big[b' = b : (sk, pk) \leftarrow \mathrm{gen}(1^k),\ (s, m_0, m_1) \leftarrow A_1(pk) \text{ with } |m_0| = |m_1|,\ b \leftarrow \{0,1\},\ c \leftarrow \mathrm{enc}(pk, m_b),\ b' \leftarrow A_2(s, m_0, m_1, pk, c)\big] < \frac{1}{2} + \frac{1}{P(k)}.$$

The $1/2$ term is necessary: $A_2$ can always guess $b$ by a coin flip, so the requirement is that no adversary does noticeably better than guessing.

Definition 3.1.2 (Semantic Security). Let $M$ be a distribution over a message space and let $R$ be any polynomially bounded relation that is recognizable in probabilistic polynomial time. A public-key encryption scheme $(\mathrm{gen}, \mathrm{enc}, \mathrm{dec})$ is semantically secure if for every probabilistic polynomial-time adversary $A = (A_1, A_2)$ there is a probabilistic polynomial-time simulator $S$ such that for every positive polynomial $P$ and all sufficiently large $k$,

$$|p_0(k) - p_1(k)| < \frac{1}{P(k)},$$

where

$$p_0(k) = \Pr\big[R(m, z) : (sk, pk) \leftarrow \mathrm{gen}(1^k),\ (s, M, R) \leftarrow A_1(pk) \text{ where } |m_0| = |m_1| \text{ for all } m_0, m_1 \in M,\ m \leftarrow M,\ c \leftarrow \mathrm{enc}(pk, m),\ z \leftarrow A_2(s, M, R, pk, c)\big],$$

$$p_1(k) = \Pr\big[R(m, z) : (sk, pk) \leftarrow \mathrm{gen}(1^k),\ (s, M, R) \leftarrow A_1(pk) \text{ where } |m_0| = |m_1| \text{ for all } m_0, m_1 \in M,\ m \leftarrow M,\ z \leftarrow S(s, M, R, pk)\big].$$

Here $A_1$ chooses the message distribution $M$ (over messages of equal length) and the relation $R$; $A_2$ sees the ciphertext, whereas the simulator $S$ must do as well without it.

It can be proved that a cryptosystem $(\mathrm{gen}, \mathrm{enc}, \mathrm{dec})$ is semantically secure if and only if it is polynomially secure [111, 162]. Because semantic security is subtle and not easy to work with, IND is usually used when one analyzes the security of encryption schemes.

A second goal, NM, requires that an adversary given a challenge ciphertext be unable to produce a different ciphertext such that the plaintexts underlying the two ciphertexts are "meaningfully related." This is made precise as follows.

Definition 3.1.3 (Non-Malleability). Let $M$ be a distribution over a message space and let $R$ be any polynomially bounded relation that is recognizable in probabilistic polynomial time. A public-key encryption scheme $(\mathrm{gen}, \mathrm{enc}, \mathrm{dec})$ is non-malleable if for every probabilistic polynomial-time adversary $A = (A_1, A_2)$ there is a probabilistic polynomial-time simulator $S$ such that for every positive polynomial $P$ and all sufficiently large $k$,

$$|p_0(k) - p_1(k)| < \frac{1}{P(k)},$$

where

$$p_0(k) = \Pr\big[R(m, \mathrm{dec}(sk, z)) \wedge z \neq c : (sk, pk) \leftarrow \mathrm{gen}(1^k),\ (s, M, R) \leftarrow A_1(pk) \text{ where } |m_0| = |m_1| \text{ for all } m_0, m_1 \in M,\ m \leftarrow M,\ c \leftarrow \mathrm{enc}(pk, m),\ z \leftarrow A_2(s, M, R, pk, c)\big],$$

$$p_1(k) = \Pr\big[R(m, \mathrm{dec}(sk, z)) : (sk, pk) \leftarrow \mathrm{gen}(1^k),\ (s, M, R) \leftarrow A_1(pk) \text{ where } |m_0| = |m_1| \text{ for all } m_0, m_1 \in M,\ m \leftarrow M,\ z \leftarrow S(s, M, R, pk)\big].$$

The condition $z \neq c$ excludes the trivial "attack" of returning the challenge ciphertext itself, which is related to $m$ by equality.

The adversaries may be passive or active. A passive adversary is a probabilistic polynomial-time algorithm that is given pairs of plaintexts and ciphertexts. An active adversary is a probabilistic polynomial-time algorithm that accesses the encryption algorithm, or even a decryption oracle, adaptively. Both goals (IND and NM) can be considered under three active attacks: chosen-plaintext attack (CPA), non-adaptive chosen-ciphertext attack (CCA1) [171], and adaptive chosen-ciphertext attack (CCA2) [191]. Under CPA the adversary can obtain the ciphertext of any plaintext; since the encryption key is public, every public-key encryption scheme must withstand this attack. Under CCA1 the adversary has access to a decryption oracle only before it is given the challenge ciphertext; in other words, its decryption queries cannot depend on the challenge ciphertext. Under CCA2 the adversary keeps access to the decryption oracle even after obtaining the challenge ciphertext, with the single restriction that it may not ask the oracle to decrypt the challenge ciphertext itself. A public-key encryption scheme is more secure if it withstands more capable adversaries.

One can combine the goals with the attack models to get six basic notions of security: IND-CPA [111], IND-CCA1 [171], IND-CCA2 [191], NM-CPA, NM-CCA1, and NM-CCA2 [81, 82].

3.1.1 The Diffie-Hellman Key Agreement

Suppose Alice and Bob wish to use a symmetric encryption system to keep their communication over an insecure channel secret. Initially, Alice and Bob must agree on a secret key. The Diffie-Hellman key-agreement system [78] enables Alice and Bob to use their insecure channel for this key agreement. The protocol is a milestone in public-key cryptography.

The Diffie-Hellman protocol works as follows. Alice and Bob wish to agree on a common secret key. First, they agree on a large prime $p$ and a primitive root $g$ modulo $p$ with $2 \le g \le p-2$; both $p$ and $g$ may be publicly known. Alice chooses an integer $a \in \mathbb{Z}_{p-1}$ at random, computes $A = g^a \bmod p$, sends $A$ to Bob, and keeps the exponent $a$ secret. Bob chooses an integer $b \in \mathbb{Z}_{p-1}$ at random, computes $B = g^b \bmod p$, sends $B$ to Alice, and keeps his exponent $b$ secret. To obtain the common secret key, Alice computes $B^a \bmod p = g^{ab} \bmod p$ and Bob computes $A^b \bmod p = g^{ab} \bmod p$. The common key is $g^{ab} \bmod p$; hence Alice and Bob can carry out the agreement over an insecure channel.

The security of the scheme is based on the Diffie-Hellman assumption; it is this scheme that gives the assumption its name. More generally, a secure and efficient Diffie-Hellman key agreement can be implemented in any cyclic group in which the Diffie-Hellman problem is hard and the group operation can be computed efficiently. Note that the protocol as described authenticates neither party: an attacker who controls the channel can run one exchange with Alice and a separate one with Bob and then relay and read all traffic, so in practice the messages $A$ and $B$ must be authenticated.

3.1.2 The RSA Encryption Scheme

The encryption scheme is proposed by Rivest, Shamir, and Adleman [195]. It is the first concrete realization of a trapdoor one-way function, as introduced by Diffie and Hellman [78].

This encryption scheme works as follows. Assume Alice wants to send a message $0 \le m < n$ to Bob.

• Key generation: $\mathrm{gen}(1^k) = ((n, d), (n, e))$.

Bob picks two large primes $p$ and $q$ randomly and independently and computes $n = pq$. He also chooses an integer $e$ such that $1 < e < (p-1)(q-1)$ and $\gcd(e, (p-1)(q-1)) = 1$. Then Bob computes an integer $d$ such that $1 < d < (p-1)(q-1)$ and $de \equiv 1 \pmod{(p-1)(q-1)}$; because $\gcd(e, (p-1)(q-1)) = 1$, such a $d$ exists. Bob's public key is $(n, e)$ and his secret key is $(n, d)$.

• Encryption: $\mathrm{enc}(m, (n, e)) = c$.

Alice encrypts the plaintext $m$ by computing $c = m^e \bmod n$. The ciphertext is $c$.

• Decryption: $\mathrm{dec}(c, (n, d)) = m$.

Bob recovers the plaintext as $m = c^d \bmod n$.

The security of RSA is related to the intractability of factoring integers; however, it is not known whether breaking RSA is as difficult as factoring. It has been shown, though, that computing $d$ from the public key $(n, e)$ is as difficult as finding the prime factors $p$ and $q$ of $n$. If $e = 2$, the scheme is called the Rabin encryption scheme [189]. With $e = 2$ decryption is no longer a single exponentiation: $c$ has four square roots modulo $n$, obtained from its roots modulo $p$ and $q$, and the receiver needs redundancy in $m$ to select the right one.

In contrast with RSA, breaking the Rabin encryption scheme efficiently can be shown to be equivalent to factoring integers efficiently. The same equivalence cuts both ways: a Rabin decryption oracle returns square roots modulo $n$, and an attacker who can query it on ciphertexts of its choice can factor $n$, so textbook Rabin is not secure against chosen-ciphertext attacks.
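The following Python is an added example, not the thesis's code. It implements textbook RSA and Rabin as described in this section and carries out the two reductions the text states: recovering the factors of $n$ from $(n, e, d)$, and factoring $n$ with a Rabin decryption oracle. All function names are ours. The demo primes are constructed: the Mersenne primes $2^{89}-1$ and $2^{107}-1$, chosen only because they are known primes, so the example needs no prime generator; a real key uses random primes of at least 1024 bits, never primes of a special form. `pow(e, -1, phi)` needs Python 3.8 or later.

```python
# Added example (not the thesis's code): textbook RSA and Rabin, Section 3.1.2,
# with the two reductions the text states. Demo primes are constructed Mersenne
# primes, used only because they are known primes; real keys use random primes.
import random
from math import gcd

_rng = random.SystemRandom()
P_DEMO, Q_DEMO = (1 << 89) - 1, (1 << 107) - 1


def rsa_keygen(p, q, e=65537):
    """gen: ((n, d), (n, e)), requiring gcd(e, (p-1)(q-1)) = 1 as in the text."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (p * q, pow(e, -1, phi)), (p * q, e)      # pow(e, -1, phi): Python 3.8+


def rsa_encrypt(m, pk):
    n, e = pk
    return pow(m, e, n)


def rsa_decrypt(c, sk):
    n, d = sk
    return pow(c, d, n)


def _split(n, factor):
    """Return the two factors of n in increasing order."""
    return (factor, n // factor) if factor < n // factor else (n // factor, factor)


def factor_from_d(n, e, d, tries=64):
    """Recover (p, q) from (n, e, d). e*d - 1 is a multiple of the order of every
    a in Z_n^*, so walking a^t, a^(2t), ... with e*d - 1 = 2^s * t reaches a square
    root of 1 other than +-1 with probability >= 1/2 per random a; gcd then splits n."""
    k = e * d - 1
    s = (k & -k).bit_length() - 1
    t = k >> s
    for _ in range(tries):
        x = pow(_rng.randrange(2, n - 1), t, n)
        if x in (1, n - 1):
            continue
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:                 # x^2 = 1 with x != +-1
                return _split(n, gcd(x - 1, n))
            if y == n - 1:
                break
            x = y
    raise RuntimeError("no factor found; increase tries")


def rabin_decrypt_oracle(c, p, q):
    """Rabin (e = 2) decryption for p = q = 3 (mod 4): c^((p+1)/4) is a square root
    of c mod p; the CRT glues the roots mod p and mod q into one root mod n. A real
    receiver must pick one of the four roots using redundancy in the plaintext."""
    n = p * q
    rp, rq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def factor_with_rabin_oracle(n, oracle, tries=64):
    """Chosen-ciphertext attack: ask for a root y of x^2 for random x. With
    probability 1/2 the returned root is neither x nor -x, and gcd(x - y, n)
    is a prime factor. This is the 'breaking Rabin = factoring' direction."""
    for _ in range(tries):
        x = _rng.randrange(2, n - 1)
        if gcd(x, n) != 1:             # astronomically unlikely, but also a factor
            return _split(n, gcd(x, n))
        y = oracle(pow(x, 2, n))
        if y not in (x, n - x):
            return _split(n, gcd(x - y, n))
    raise RuntimeError("no factor found; increase tries")
```

Both attacks are randomized: each try succeeds with probability at least 1/2, so 64 tries fail only with probability about $2^{-64}$. The oracle's choice of root is deterministic in $c$ but independent of which of the four roots the attacker started from, which is exactly why the attacker's root differs from the oracle's half the time.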

3.1.3 The ElGamal Encryption Scheme

The encryption scheme is proposed by ElGamal [84, 85]. It can be seen as a special application of the Diffie-Hellman key-agreement protocol.

The encryption scheme works as follows. Assume Alice wants to send a message $m \in \{0, 1, \dots, p-1\}$ to Bob.

• Key generation: $\mathrm{gen}(1^k) = ((g, p, \alpha), (g, p, \beta))$.

Bob picks a prime $p$ and a primitive root $g$ modulo $p$. He also chooses a random exponent $\alpha \in \{0, \dots, p-2\}$ and computes $\beta = g^\alpha \bmod p$. Bob's public key is $(g, p, \beta)$ and his secret key is $(g, p, \alpha)$.

• Encryption: $\mathrm{enc}(m, (g, p, \beta)) = (c_1, c_2)$.

Alice chooses a random exponent $r \in \{1, \dots, p-2\}$ and computes $c_1 = g^r \bmod p$ and $c_2 = \beta^r m \bmod p$. The ciphertext is $(c_1, c_2)$.

• Decryption: $\mathrm{dec}((c_1, c_2), (g, p, \alpha)) = m$.

Bob recovers the plaintext as $m = c_1^{-\alpha} c_2 \bmod p$.

The ElGamal encryption scheme is a probabilistic encryption scheme [111]. In addition, it can be proved that the semantic security of ElGamal encryption is equivalent to the decision Diffie-Hellman problem in the underlying group [216]. Note that in $\mathbb{Z}_p^*$ with a primitive root $g$, as described above, the decision Diffie-Hellman problem is easy: the Legendre symbols of $c_1$ and $\beta$ determine the Legendre symbol of $\beta^r$, so $(c_2 \mid p)$ reveals whether $m$ is a quadratic residue. Implementations therefore work in a prime-order subgroup, typically the subgroup of quadratic residues for a safe prime $p = 2q+1$, and map messages into that subgroup.
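The following Python is an added example, ours and not the thesis's code, serving Section 3.1.1, Section 3.1.3 and Definition 3.1.1 together. It generates a safe prime $p = 2q+1$ with a Miller-Rabin helper (an assumption of the example; the text only says "a large prime"), runs the Diffie-Hellman exchange, implements ElGamal exactly as written above with a primitive root, and then plays the indistinguishability experiment of Definition 3.1.1 against it with an adversary that reads the Legendre symbol of the plaintext off the ciphertext and wins every time. The last three functions are the usual fix: the generator $h = g^2$ of the order-$q$ subgroup and messages $1 \le m \le q$ mapped into it, after which the same leak function learns nothing. Secret exponents are drawn from $\{1, \dots, p-2\}$ rather than all of $\mathbb{Z}_{p-1}$ to exclude the trivial exponent 0. A 128-bit $p$ keeps the run quick; real parameters are 2048 bits or more.

```python
# Added example (ours, not the thesis's code): Diffie-Hellman (3.1.1) and ElGamal
# (3.1.3) over a safe prime p = 2q + 1, the experiment of Definition 3.1.1 against
# textbook ElGamal with a primitive root, and the order-q subgroup fix.
import random

_rng = random.SystemRandom()

def is_probable_prime(n, rounds=32):
    """Miller-Rabin (assumed helper; fine for a demo, not a primality proof)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits):
    """(p, q) with q prime, p = 2q + 1 prime and p exactly `bits` bits long."""
    while True:
        q = _rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

def primitive_root(p, q):
    """Smallest g of order 2q = p - 1: g is neither +-1 nor of order q, so g^q = -1."""
    return next(g for g in range(2, p - 1) if pow(g, q, p) != 1)

def legendre(x, p):
    """Euler's criterion: +1 if x is a quadratic residue mod p, -1 otherwise."""
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1

def dh_exchange(p, g):
    """Section 3.1.1; returns (Alice's key, Bob's key), both equal to g^(ab) mod p."""
    a, b = _rng.randrange(1, p - 1), _rng.randrange(1, p - 1)   # kept secret
    big_a, big_b = pow(g, a, p), pow(g, b, p)                   # A and B cross the wire
    return pow(big_b, a, p), pow(big_a, b, p)

def eg_keygen(p, g):
    alpha = _rng.randrange(1, p - 1)
    return (g, p, alpha), (g, p, pow(g, alpha, p))              # (sk, pk)

def eg_encrypt(pk, m):
    g, p, beta = pk
    r = _rng.randrange(1, p - 1)
    return pow(g, r, p), (pow(beta, r, p) * m) % p              # (c1, c2)

def eg_decrypt(sk, ct):
    g, p, alpha = sk
    return (pow(ct[0], p - 1 - alpha, p) * ct[1]) % p           # c1^(-alpha) * c2

def legendre_of_plaintext(pk, ct):
    """Anyone can compute (m|p): (c2|p) = (beta^r|p)(m|p), and beta^r is a
    non-residue exactly when both beta and c1 = g^r are non-residues."""
    g, p, beta = pk
    sign = -1 if legendre(beta, p) == -1 and legendre(ct[0], p) == -1 else 1
    return legendre(ct[1], p) * sign

def ind_game(keygen, encrypt, a1, a2, trials=20):
    """Definition 3.1.1 as an experiment; returns the adversary's success rate."""
    wins = 0
    for _ in range(trials):
        pk = keygen()[1]
        s, m0, m1 = a1(pk)
        b = _rng.randrange(2)
        wins += a2(s, m0, m1, pk, encrypt(pk, (m0, m1)[b])) == b
    return wins / trials

def leaky_a1(pk):
    """m0 = g^2 is a residue; m1 = g is a non-residue when g is a primitive root."""
    return None, pow(pk[0], 2, pk[1]), pk[0]

def leaky_a2(s, m0, m1, pk, ct):
    return 0 if legendre_of_plaintext(pk, ct) == legendre(m0, pk[1]) else 1

# The fix: generate the order-q subgroup of residues with h = g^2 and map messages
# 1 <= m <= q into it (p = 3 mod 4, so exactly one of m and p - m is a residue).
def subgroup_keygen(p, g):
    return eg_keygen(p, pow(g, 2, p))

def subgroup_encrypt(pk, m):
    return eg_encrypt(pk, m if legendre(m, pk[1]) == 1 else pk[1] - m)

def subgroup_decrypt(sk, ct):
    g, p, alpha = sk
    q = (p - 1) // 2
    if pow(ct[0], q, p) != 1:                     # reject c1 outside the subgroup
        raise ValueError("c1 is not in the order-q subgroup")
    x = eg_decrypt(sk, ct)
    return x if x <= q else p - x
```

Against the textbook scheme `ind_game` returns exactly 1.0: the adversary's advantage is $1/2$, far above the $1/P(k)$ allowed by Definition 3.1.1, even though it never touches the secret key. In the subgroup variant every $c_1$, $\beta$ and $c_2$ is a quadratic residue, so `legendre_of_plaintext` always returns 1 and the same adversary is reduced to guessing. The membership check in `subgroup_decrypt` is the corresponding receiver-side hygiene: a $c_1$ outside the subgroup would let a chosen-ciphertext attacker learn $\alpha \bmod 2$ from the decryption.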