The Secret-Key Agreement Problem
• Exchanging messages securely using a private-key cryptosystem requires Alice and Bob possessing the same key (p. 568).
• How can they agree on the same secret key when the channel is insecure?
• This is called the secret-key agreement problem.
• It was solved by Diffie and Hellman (1976) using one-way functions.
The Diffie-Hellman Secret-Key Agreement Protocol
1: Alice and Bob agree on a large prime p and a primitive root g of p; {p and g are public.}
2: Alice chooses a large number a at random;
3: Alice computes α = ga mod p;
4: Bob chooses a large number b at random;
5: Bob computes β = gb mod p;
6: Alice sends α to Bob, and Bob sends β to Alice;
7: Alice computes her key βa mod p;
8: Bob computes his key αb mod p;
Analysis
• The keys computed by Alice and Bob are identical:
βa = gba = gab = αb mod p.
• To compute the common key from p, g, α, β is known as the Diffie-Hellman problem.
• It is conjectured to be hard.
• If discrete logarithm is easy, then one can solve the Diffie-Hellman problem.
– Because a and b can then be obtained by Eve.
• But the other direction is still open.
A Parallel History
• Diffie and Hellman’s solution to the secret-key
agreement problem led to public-key cryptography.
• At around the same time (or earlier) in Britain, the RSA public-key cryptosystem was invented first before the Diffie-Hellman secret-key agreement scheme was.
– Ellis, Cocks, and Williamson of the Communications Electronics Security Group of the British Government Communications Head Quarters (GCHQ).
Digital Signatures
a• Alice wants to send Bob a signed document x.
• The signature must unmistakably identifies the sender.
• Both Alice and Bob have public and private keys eAlice, eBob, dAlice, dBob.
• Assume the cryptosystem satisfies the commutative property E(e, D(d, x)) = D(d, E(e, x)). (9)
– As (xd)e = (xe)d, the RSA system satisfies it.
– Every cryptosystem guarantees D(d, E(e, x)) = x.
aDiffie and Hellman (1976).
Digital Signatures Based on Public-Key Systems
• Alice signs x as
(x, D(dAlice, x)).
• Bob receives (x, y) and verifies the signature by checking E(eAlice, y) = E(eAlice, D(dAlice, x)) = x
based on Eq. (9).
• The claim of authenticity is founded on the difficulty of inverting EAlice without knowing the key dAlice.
• Warning: If Alice signs anything presented to her, she
Probabilistic Encryption
a• A deterministic cryptosystem can be broken if the
plaintext has a distribution that favors the “easy” cases.
• The ability to forge signatures on even a vanishingly small fraction of strings of some length is a security weakness if those strings were the probable ones!
• A scheme may also “leak” partial information.
– Parity of the plaintext, e.g.
• The first solution to the problems of skewed distribution and partial information was based on the QRA.
aGoldwasser and Micali (1982).
Shafi Goldwasser (1958–)
Silvio Micali (1954–)
The Setup
• Bob publishes n = pq, a product of two distinct primes, and a quadratic nonresidue y with Jacobi symbol 1.
• Bob keeps secret the factorization of n.
• Alice wants to send bit string b1b2 · · · bk to Bob.
• Alice encrypts the bits by choosing a random quadratic residue modulo n if bi is 1 and a random quadratic
nonresidue (with Jacobi symbol 1) otherwise.
• A sequence of residues and nonresidues are sent.
• Knowing the factorization of n, Bob can efficiently test
A Useful Lemma
Lemma 78 Let n = pq be a product of two distinct primes.
Then a number y ∈ Zn∗ is a quadratic residue modulo n if and only if (y | p) = (y | q) = 1.
• The “only if” part:
– Let x be a solution to x2 = y mod pq.
– Then x2 = y mod p and x2 = y mod q also hold.
– Hence y is a quadratic modulo p and a quadratic residue modulo q.
The Proof (concluded)
• The “if” part:
– Let a21 = y mod p and a22 = y mod q.
– Solve
x = a1 mod p, x = a2 mod q,
for x with the Chinese remainder theorem.
– As x2 = y mod p, x2 = y mod q, and gcd(p, q) = 1, we must have x2 = y mod pq.
The Jacobi Symbol and Quadratic Residuacity Test
• The Legendre symbol can be used as a test for quadratic residuacity by Lemma 66 (p. 483).
• Lemma 78 (p. 595) says this is not the case with the Jacobi symbol in general.
• Suppose n = pq is a product of two distinct primes.
• A number y ∈ Zn∗ with Jacobi symbol (y | pq) = 1 may be a quadratic nonresidue modulo n when
(y | p) = (y | q) = −1, because (y | pq) = (y | p)(y | q).
The Protocol for Alice
1: for i = 1, 2, . . . , k do
2: Pick r ∈ Zn∗ randomly;
3: if bi = 1 then
4: Send r2 mod n; {Jacobi symbol is 1.}
5: else
6: Send r2y mod n; {Jacobi symbol is still 1.}
7: end if
8: end for
The Protocol for Bob
1: for i = 1, 2, . . . , k do
2: Receive r;
3: if (r | p) = 1 and (r | q) = 1 then
4: bi := 1;
5: else
6: bi := 0;
7: end if
8: end for
Semantic Security
• This encryption scheme is probabilistic.
• There are a large number of different encryptions of a given message.
• One is chosen at random by the sender to represent the message.
• This scheme is both polynomially secure and semantically secure.
What Is a Proof?
• A proof convinces a party of a certain claim.
– “xn + yn 6= zn for all x, y, z ∈ Z+ and n > 2.”
– “Graph G is Hamiltonian.”
– “xp = x mod p for prime p and p 6 |x.”
• In mathematics, a proof is a fixed sequence of theorems.
– Think of it as a written examination.
• We will extend a proof to cover a proof process by which the validity of the assertion is established.
– Recall a job interview or an oral examination.
Prover and Verifier
• There are two parties to a proof.
– The prover (Peggy).
– The verifier (Victor).
• Given an assertion, the prover’s goal is to convince the verifier of its validity (completeness).
• The verifier’s objective is to accept only correct assertions (soundness).
• The verifier usually has an easier job than the prover.
• The setup is very much like the Turing test.a
Interactive Proof Systems
• An interactive proof for a language L is a sequence of questions and answers between the two parties.
• At the end of the interaction, the verifier decides whether the claim is true or false.
• The verifier must be a probabilistic polynomial-time algorithm.
• The prover runs an exponential-time algorithm.
– If the prover is not more powerful than the verifier, no interaction is needed.
Interactive Proof Systems (concluded)
• The system decides L if the following two conditions hold for any common input x.
– If x ∈ L, then the probability that x is accepted by the verifier is at least 1 − 2−| x |.
– If x 6∈ L, then the probability that x is accepted by the verifier with any prover replacing the original prover is at most 2−| x |.
• Neither the number of rounds nor the lengths of the messages can be more than a polynomial of | x |.
An Interactive Proof
3
3
3
3
3
9
9
9
9
9
IP
a• IP is the class of all languages decided by an interactive proof system.
• When x ∈ L, the completeness condition can be modified to require that the verifier accepts with certainty without affecting IP.b
• Similar things cannot be said of the soundness condition when x 6∈ L.
• Verifier’s coin flips can be public.c
aGoldwasser, Micali, and Rackoff (1985).
bGoldreich, Mansour, and Sipser (1987).
The Relations of IP with Other Classes
• NP ⊆ IP.
– IP becomes NP when the verifier is deterministic.
• BPP ⊆ IP.
– IP becomes BPP when the verifier ignores the prover’s messages.
• IP actually coincides with PSPACE.a
aShamir (1990).
Graph Isomorphism
• V1 = V2 = {1, 2, . . . , n}.
• Graphs G1 = (V1, E1) and G2 = (V2, E2) are isomorphic if there exists a permutation π on
{1, 2, . . . , n} so that (u, v) ∈ E1 ⇔ (π(u), π(v)) ∈ E2.
• The task is to answer if G1 ∼= G2.
• No known polynomial-time algorithms.
• The problem is in NP (hence IP).
• It is not likely to be NP-complete.a
graph nonisomorphism
• V1 = V2 = {1, 2, . . . , n}.
• Graphs G1 = (V1, E1) and G2 = (V2, E2) are
nonisomorphic if there exist no permutations π on {1, 2, . . . , n} so that (u, v) ∈ E1 ⇔ (π(u), π(v)) ∈ E2.
• The task is to answer if G1 6∼= G2.
• Again, no known polynomial-time algorithms.
– It is in coNP, but how about NP or BPP?
– It is not likely to be coNP-complete.
• Surprisingly, graph nonisomorphism ∈ IP.a
aGoldreich, Micali, and Wigderson (1986).
A 2-Round Algorithm
1: Victor selects a random i ∈ { 1, 2 };
2: Victor selects a random permutation π on { 1, 2, . . . , n };
3: Victor applies π on graph Gi to obtain graph H;
4: Victor sends (G1, H) to Peggy;
5: if G1 ∼= H then
6: Peggy sends j = 1 to Victor;
7: else
8: Peggy sends j = 2 to Victor;
9: end if
10: if j = i then
11: Victor accepts;
12: else
Analysis
• Victor runs in probabilistic polynomial time.
• Suppose G1 6∼= G2.
– Peggy is able to tell which Gi is isomorphic to H.
– So Victor always accepts.
• Suppose G1 ∼= G2.
– No matter which i is picked by Victor, Peggy or any prover sees 2 identical graphs.
– Peggy or any prover with exponential power has only probability one half of guessing i correctly.
– So Victor erroneously accepts with probability 1/2.
• Repeat the algorithm to obtain the desired probabilities.
Knowledge in Proofs
• Suppose I know a satisfying assignment to a satisfiable boolean expression.
• I can convince Alice of this by giving her the assignment.
• But then I give her more knowledge than necessary.
– Alice can claim that she found the assignment!
– Login authentication faces essentially the same issue.
– See
www.wired.com/wired/archive/1.05/atm pr.html for a famous ATM fraud in the U.S.
Knowledge in Proofs (concluded)
• Digital signatures authenticate documents but not individuals.
• They hence do not solve the problem.
• Suppose I always give Alice random bits.
• Alice extracts no knowledge from me by any measure, but I prove nothing.
• Question 1: Can we design a protocol to convince Alice (the knowledge) of a secret without revealing anything extra?
• Question 2: How to define this idea rigorously?
Zero Knowledge Proofs
aAn interactive proof protocol (P, V ) for language L has the perfect zero-knowledge property if:
• For every verifier V 0, there is an algorithm M with expected polynomial running time.
• M on any input x ∈ L generates the same probability distribution as the one that can be observed on the communication channel of (P, V 0) on input x.
aGoldwasser, Micali, and Rackoff (1985).
Comments
• Zero knowledge is a property of the prover.
– It is the robustness of the prover against attempts of the verifier to extract knowledge via interaction.
– The verifier may deviate arbitrarily (but in
polynomial time) from the predetermined program.
– A verifier cannot use the transcript of the interaction to convince a third-party of the validity of the claim.
– The proof is hence not transferable.
Comments (continued)
• Whatever a verifier can “learn” from the specified prover P via the communication channel could as well be
computed from the verifier alone.
• The verifier does not learn anything except “x ∈ L.”
• Zero-knowledge proofs yield no knowledge in the sense that they can be constructed by the verifier who believes the statement, and yet these proofs do convince him.
Comments (continued)
• The “paradox” is resolved by noting that it is not the transcript of the conversation that convinces the verifier.
• But the fact that this conversation was held “on line.”
• There is no zero-knowledge requirement when x 6∈ L.
• Computational zero-knowledge proofs are based on complexity assumptions.
– M only needs to generate a distribution that is
computationally indistinguishable from the verifier’s view of the interaction.
Comments (concluded)
• It is known that if one-way functions exist, then
zero-knowledge proofs exist for every problem in NP.a
• The verifier can be restricted to the honest one (i.e., it follows the protocol).b
• The coins can be public.c
aGoldreich, Micali, and Wigderson (1986).
bVadhan (2006).
cVadhan (2006).
Are You Convinced?
• A newspaper commercial for hair-growing products for men.
– A (for all practical purposes) bald man has a full head of hair after 3 months.
• A TV commercial for weight-loss products.
– A (by any reasonable measure) overweight woman loses 10 kilograms in 10 weeks.
Quadratic Residuacity
• Let n be a product of two distinct primes.
• Assume extracting the square root of a quadratic residue modulo n is hard without knowing the factors.
• We next present a zero-knowledge proof for x ∈ Zn∗ being a quadratic residue.
Zero-Knowledge Proof of Quadratic Residuacity
1: for m = 1, 2, . . . , log2 n do
2: Peggy chooses a random v ∈ Zn∗ and sends y = v2 mod n to Victor;
3: Victor chooses a random bit i and sends it to Peggy;
4: Peggy sends z = uiv mod n, where u is a square root of x; {u2 ≡ x mod n.}
5: Victor checks if z2 ≡ xiy mod n;
6: end for
7: Victor accepts x if Line 5 is confirmed every time;
A Useful Corollary
Corollary 79 Let n = pq be a product of two distinct
primes. (1) If x and y are both quadratic residues modulo n, then xy ∈ Zn∗ is a quadratic residue modulo n. (2) If x is a quadratic residue modulo n and y is a quadratic nonresidue modulo n, then xy ∈ Zn∗ is a quadratic nonresidue modulo n.
• Suppose x and y are both quadratic residues modulo n.
• Let x ≡ a2 mod n and y ≡ b2 mod n.
• Now xy is a quadratic residue as xy ≡ (ab)2 mod n.
The Proof (concluded)
• Suppose x is a quadratic residue modulo n and y is a quadratic nonresidue modulo n.
• By Lemma 78 (p. 595), (x | p) = (x | q) = 1 but, say, (y | p) = −1.
• Now xy is a quadratic nonresidue as (xy | p) = −1, again by Lemma 78 (p. 595).
Analysis
• Suppose x is a quadratic nonresidue.
– Peggy can answer only one of the two possible challenges.
∗ If a is a quadratic residue, then xa is a quadratic nonresidue by Corollary 79 (p. 622).
∗ So xiy can be a quadratic residue (see Line 5) only when i = 0.
– So Peggy will be caught in any given round with probability one half.
Analysis (continued)
• Suppose x is a quadratic residue.
– Peggy can answer all challenges.
– So Victor will accept x.
• How about the claim of zero knowledge?
• The transcript between Peggy and Victor when x is a quadratic residue can be generated without Peggy!
– So interaction with Peggy is useless.
• Here is how.
Analysis (continued)
• Suppose x is a quadratic residue.a
• In each round of interaction with Peggy, the transcript is a triplet (y, i, z).
• We present an efficient Bob that generates (y, i, z) with the same probability without accessing Peggy.
aBy definition, we do not need to consider the other case.
Analysis (concluded)
1: Bob chooses a random z ∈ Zn∗;
2: Bob chooses a random bit i;
3: Bob calculates y = z2x−i mod n;
4: Bob writes (y, i, z) into the transcript;
Comments
• Assume x is a quadratic residue.
• In both cases, for (y, i, z), y is a random quadratic residue, i is a random bit, and z is a random number.
• Bob cheats because (y, i, z) is not generated in the same order as in the original transcript.
– Bob picks Victor’s challenge first.
– Bob then picks Peggy’s answer.
– Bob finally patches the transcript.
Comments (concluded)
• So it is not the transcript that convinces Victor, but that conversation with Peggy is held “on line.”
• The same holds even if the transcript was generated by a cheating Victor’s interaction with (honest) Peggy.
• But we skip the details.
Does the Following Work, Too?
a1: for m = 1, 2, . . . , log2 n do
2: Peggy chooses a random v ∈ Zn∗ and sends y = v2 mod n to Victor;
3: Peggy sends z = uv mod n, where u is a square root of x; {u2 ≡ x mod n.}
4: Victor checks if z2 ≡ xy mod n;
5: end for
6: Victor accepts x if Line 4 is confirmed every time;
aContributed by Mr. Chih-Duo Hong (R95922079) on December 13, 2006. It is like always choosing i = 1 in the original protocol.
Does the Following Work, Too?
a(concluded)
• Suppose x is a quadratic nonresidue.
• But Peggy can mislead Victor into accepting x as a quadratic residue.
• She simply sends y = x and z = x to Victor.
• This pair will satisfy z2 ≡ xy mod n by construction.
• The protocol is hence not even an IP protocol!
aContributed by Mr. Chin-Luei Chang (D95922007) on June 16, 2008.