The Secret-Key Agreement Problem

The Secret-Key Agreement Problem

• Exchanging messages securely using a private-key cryptosystem requires Alice and Bob possessing the same key (p. 568).

• How can they agree on the same secret key when the channel is insecure?

• This is called the secret-key agreement problem.

• It was solved by Diffie and Hellman (1976) using one-way functions.

The Diffie-Hellman Secret-Key Agreement Protocol

1: Alice and Bob agree on a large prime p and a primitive root g of p; {p and g are public.}

2: Alice chooses a large number a at random;

3: Alice computes α = g^a mod p;

4: Bob chooses a large number b at random;

5: Bob computes β = g^b mod p;

6: Alice sends α to Bob, and Bob sends β to Alice;

7: Alice computes her key β^a mod p;

8: Bob computes his key α^b mod p;

Analysis

• The keys computed by Alice and Bob are identical:

β^a = g^ba = g^ab = α^b mod p.

• To compute the common key from p, g, α, β is known as the Diffie-Hellman problem.

• It is conjectured to be hard.

• If discrete logarithm is easy, then one can solve the Diffie-Hellman problem.

– Because a and b can then be obtained by Eve.

• But the other direction is still open.

A Parallel History

• Diffie and Hellman’s solution to the secret-key

agreement problem led to public-key cryptography.

• At around the same time (or earlier) in Britain, the RSA public-key cryptosystem was invented first before the Diffie-Hellman secret-key agreement scheme was.

– Ellis, Cocks, and Williamson of the Communications Electronics Security Group of the British Government Communications Head Quarters (GCHQ).

Digital Signatures

• Alice wants to send Bob a signed document x.

• The signature must unmistakably identifies the sender.

• Both Alice and Bob have public and private keys e_Alice, e_Bob, d_Alice, d_Bob.

• Assume the cryptosystem satisfies the commutative property E(e, D(d, x)) = D(d, E(e, x)). (9)

– As (x^d)^e = (x^e)^d, the RSA system satisfies it.

– Every cryptosystem guarantees D(d, E(e, x)) = x.

aDiffie and Hellman (1976).

Digital Signatures Based on Public-Key Systems

• Alice signs x as

(x, D(d_Alice, x)).

• Bob receives (x, y) and verifies the signature by checking E(e_Alice, y) = E(e_Alice, D(d_Alice, x)) = x

based on Eq. (9).

• The claim of authenticity is founded on the difficulty of inverting E_Alice without knowing the key d_Alice.

• Warning: If Alice signs anything presented to her, she

Probabilistic Encryption

• A deterministic cryptosystem can be broken if the

plaintext has a distribution that favors the “easy” cases.

• The ability to forge signatures on even a vanishingly small fraction of strings of some length is a security weakness if those strings were the probable ones!

• A scheme may also “leak” partial information.

– Parity of the plaintext, e.g.

• The first solution to the problems of skewed distribution and partial information was based on the QRA.

aGoldwasser and Micali (1982).

Shafi Goldwasser (1958–)

Silvio Micali (1954–)

The Setup

• Bob publishes n = pq, a product of two distinct primes, and a quadratic nonresidue y with Jacobi symbol 1.

• Bob keeps secret the factorization of n.

• Alice wants to send bit string b₁b₂ · · · b_k to Bob.

• Alice encrypts the bits by choosing a random quadratic residue modulo n if b_i is 1 and a random quadratic

nonresidue (with Jacobi symbol 1) otherwise.

• A sequence of residues and nonresidues are sent.

• Knowing the factorization of n, Bob can efficiently test

A Useful Lemma

Lemma 78 Let n = pq be a product of two distinct primes.

Then a number y ∈ Z_n^∗ is a quadratic residue modulo n if and only if (y | p) = (y | q) = 1.

• The “only if” part:

– Let x be a solution to x² = y mod pq.

– Then x² = y mod p and x² = y mod q also hold.

– Hence y is a quadratic modulo p and a quadratic residue modulo q.

The Proof (concluded)

• The “if” part:

– Let a²₁ = y mod p and a²₂ = y mod q.

– Solve

x = a₁ mod p, x = a₂ mod q,

for x with the Chinese remainder theorem.

– As x² = y mod p, x² = y mod q, and gcd(p, q) = 1, we must have x² = y mod pq.

The Jacobi Symbol and Quadratic Residuacity Test

• The Legendre symbol can be used as a test for quadratic residuacity by Lemma 66 (p. 483).

• Lemma 78 (p. 595) says this is not the case with the Jacobi symbol in general.

• Suppose n = pq is a product of two distinct primes.

• A number y ∈ Z_n^∗ with Jacobi symbol (y | pq) = 1 may be a quadratic nonresidue modulo n when

(y | p) = (y | q) = −1, because (y | pq) = (y | p)(y | q).

The Protocol for Alice

1: for i = 1, 2, . . . , k do

2: Pick r ∈ Z_n^∗ randomly;

3: if b_i = 1 then

4: Send r² mod n; {Jacobi symbol is 1.}

5: else

6: Send r²y mod n; {Jacobi symbol is still 1.}

7: end if

8: end for

The Protocol for Bob

1: for i = 1, 2, . . . , k do

2: Receive r;

3: if (r | p) = 1 and (r | q) = 1 then

4: b_i := 1;

5: else

6: b_i := 0;

7: end if

8: end for

Semantic Security

• This encryption scheme is probabilistic.

• There are a large number of different encryptions of a given message.

• One is chosen at random by the sender to represent the message.

• This scheme is both polynomially secure and semantically secure.

What Is a Proof?

• A proof convinces a party of a certain claim.

– “xⁿ + yⁿ 6= zⁿ for all x, y, z ∈ Z⁺ and n > 2.”

– “Graph G is Hamiltonian.”

– “x^p = x mod p for prime p and p 6 |x.”

• In mathematics, a proof is a fixed sequence of theorems.

– Think of it as a written examination.

• We will extend a proof to cover a proof process by which the validity of the assertion is established.

– Recall a job interview or an oral examination.

Prover and Verifier

• There are two parties to a proof.

– The prover (Peggy).

– The verifier (Victor).

• Given an assertion, the prover’s goal is to convince the verifier of its validity (completeness).

• The verifier’s objective is to accept only correct assertions (soundness).

• The verifier usually has an easier job than the prover.

• The setup is very much like the Turing test.^a

Interactive Proof Systems

• An interactive proof for a language L is a sequence of questions and answers between the two parties.

• At the end of the interaction, the verifier decides whether the claim is true or false.

• The verifier must be a probabilistic polynomial-time algorithm.

• The prover runs an exponential-time algorithm.

– If the prover is not more powerful than the verifier, no interaction is needed.

Interactive Proof Systems (concluded)

• The system decides L if the following two conditions hold for any common input x.

– If x ∈ L, then the probability that x is accepted by the verifier is at least 1 − 2^{−| x |}.

– If x 6∈ L, then the probability that x is accepted by the verifier with any prover replacing the original prover is at most 2^{−| x |}.

• Neither the number of rounds nor the lengths of the messages can be more than a polynomial of | x |.

An Interactive Proof

3

3

3

3

3

9

9

9

9

9

IP

• IP is the class of all languages decided by an interactive proof system.

• When x ∈ L, the completeness condition can be modified to require that the verifier accepts with certainty without affecting IP.^b

• Similar things cannot be said of the soundness condition when x 6∈ L.

• Verifier’s coin flips can be public.^c

aGoldwasser, Micali, and Rackoff (1985).

bGoldreich, Mansour, and Sipser (1987).

The Relations of IP with Other Classes

• NP ⊆ IP.

– IP becomes NP when the verifier is deterministic.

• BPP ⊆ IP.

– IP becomes BPP when the verifier ignores the prover’s messages.

• IP actually coincides with PSPACE.^a

aShamir (1990).

Graph Isomorphism

• V₁ = V₂ = {1, 2, . . . , n}.

• Graphs G₁ = (V₁, E₁) and G₂ = (V₂, E₂) are isomorphic if there exists a permutation π on

{1, 2, . . . , n} so that (u, v) ∈ E₁ ⇔ (π(u), π(v)) ∈ E₂.

• The task is to answer if G₁ ∼= G2.

• No known polynomial-time algorithms.

• The problem is in NP (hence IP).

• It is not likely to be NP-complete.^a

graph nonisomorphism

• V₁ = V₂ = {1, 2, . . . , n}.

• Graphs G₁ = (V₁, E₁) and G₂ = (V₂, E₂) are

nonisomorphic if there exist no permutations π on {1, 2, . . . , n} so that (u, v) ∈ E₁ ⇔ (π(u), π(v)) ∈ E₂.

• The task is to answer if G₁ 6∼= G2.

• Again, no known polynomial-time algorithms.

– It is in coNP, but how about NP or BPP?

– It is not likely to be coNP-complete.

• Surprisingly, graph nonisomorphism ∈ IP.^a

aGoldreich, Micali, and Wigderson (1986).

A 2-Round Algorithm

1: Victor selects a random i ∈ { 1, 2 };

2: Victor selects a random permutation π on { 1, 2, . . . , n };

3: Victor applies π on graph G_i to obtain graph H;

4: Victor sends (G1, H) to Peggy;

5: if G₁ ∼= H then

6: Peggy sends j = 1 to Victor;

7: else

8: Peggy sends j = 2 to Victor;

9: end if

10: if j = i then

11: Victor accepts;

12: else

Analysis

• Victor runs in probabilistic polynomial time.

• Suppose G₁ 6∼= G2.

– Peggy is able to tell which G_i is isomorphic to H.

– So Victor always accepts.

• Suppose G₁ ∼= G2.

– No matter which i is picked by Victor, Peggy or any prover sees 2 identical graphs.

– Peggy or any prover with exponential power has only probability one half of guessing i correctly.

– So Victor erroneously accepts with probability 1/2.

• Repeat the algorithm to obtain the desired probabilities.

Knowledge in Proofs

• Suppose I know a satisfying assignment to a satisfiable boolean expression.

• I can convince Alice of this by giving her the assignment.

• But then I give her more knowledge than necessary.

– Alice can claim that she found the assignment!

– Login authentication faces essentially the same issue.

– See

www.wired.com/wired/archive/1.05/atm pr.html for a famous ATM fraud in the U.S.

Knowledge in Proofs (concluded)

• Digital signatures authenticate documents but not individuals.

• They hence do not solve the problem.

• Suppose I always give Alice random bits.

• Alice extracts no knowledge from me by any measure, but I prove nothing.

• Question 1: Can we design a protocol to convince Alice (the knowledge) of a secret without revealing anything extra?

• Question 2: How to define this idea rigorously?

Zero Knowledge Proofs

An interactive proof protocol (P, V ) for language L has the perfect zero-knowledge property if:

• For every verifier V ⁰, there is an algorithm M with expected polynomial running time.

• M on any input x ∈ L generates the same probability distribution as the one that can be observed on the communication channel of (P, V ⁰) on input x.

aGoldwasser, Micali, and Rackoff (1985).

Comments

• Zero knowledge is a property of the prover.

– It is the robustness of the prover against attempts of the verifier to extract knowledge via interaction.

– The verifier may deviate arbitrarily (but in

polynomial time) from the predetermined program.

– A verifier cannot use the transcript of the interaction to convince a third-party of the validity of the claim.

– The proof is hence not transferable.

Comments (continued)

• Whatever a verifier can “learn” from the specified prover P via the communication channel could as well be

computed from the verifier alone.

• The verifier does not learn anything except “x ∈ L.”

• Zero-knowledge proofs yield no knowledge in the sense that they can be constructed by the verifier who believes the statement, and yet these proofs do convince him.

Comments (continued)

• The “paradox” is resolved by noting that it is not the transcript of the conversation that convinces the verifier.

• But the fact that this conversation was held “on line.”

• There is no zero-knowledge requirement when x 6∈ L.

• Computational zero-knowledge proofs are based on complexity assumptions.

– M only needs to generate a distribution that is

computationally indistinguishable from the verifier’s view of the interaction.

Comments (concluded)

• It is known that if one-way functions exist, then

zero-knowledge proofs exist for every problem in NP.^a

• The verifier can be restricted to the honest one (i.e., it follows the protocol).^b

• The coins can be public.^c

aGoldreich, Micali, and Wigderson (1986).

bVadhan (2006).

cVadhan (2006).

Are You Convinced?

• A newspaper commercial for hair-growing products for men.

– A (for all practical purposes) bald man has a full head of hair after 3 months.

• A TV commercial for weight-loss products.

– A (by any reasonable measure) overweight woman loses 10 kilograms in 10 weeks.

Quadratic Residuacity

• Let n be a product of two distinct primes.

• Assume extracting the square root of a quadratic residue modulo n is hard without knowing the factors.

• We next present a zero-knowledge proof for x ∈ Z_n^∗ being a quadratic residue.

Zero-Knowledge Proof of Quadratic Residuacity

1: for m = 1, 2, . . . , log₂ n do

2: Peggy chooses a random v ∈ Z_n^∗ and sends y = v² mod n to Victor;

3: Victor chooses a random bit i and sends it to Peggy;

4: Peggy sends z = uⁱv mod n, where u is a square root of x; {u² ≡ x mod n.}

5: Victor checks if z² ≡ xⁱy mod n;

6: end for

7: Victor accepts x if Line 5 is confirmed every time;

A Useful Corollary

Corollary 79 Let n = pq be a product of two distinct

primes. (1) If x and y are both quadratic residues modulo n, then xy ∈ Z_n^∗ is a quadratic residue modulo n. (2) If x is a quadratic residue modulo n and y is a quadratic nonresidue modulo n, then xy ∈ Z_n^∗ is a quadratic nonresidue modulo n.

• Suppose x and y are both quadratic residues modulo n.

• Let x ≡ a² mod n and y ≡ b² mod n.

• Now xy is a quadratic residue as xy ≡ (ab)² mod n.

The Proof (concluded)

• Suppose x is a quadratic residue modulo n and y is a quadratic nonresidue modulo n.

• By Lemma 78 (p. 595), (x | p) = (x | q) = 1 but, say, (y | p) = −1.

• Now xy is a quadratic nonresidue as (xy | p) = −1, again by Lemma 78 (p. 595).

Analysis

• Suppose x is a quadratic nonresidue.

– Peggy can answer only one of the two possible challenges.

∗ If a is a quadratic residue, then xa is a quadratic nonresidue by Corollary 79 (p. 622).

∗ So xⁱy can be a quadratic residue (see Line 5) only when i = 0.

– So Peggy will be caught in any given round with probability one half.

Analysis (continued)

• Suppose x is a quadratic residue.

– Peggy can answer all challenges.

– So Victor will accept x.

• How about the claim of zero knowledge?

• The transcript between Peggy and Victor when x is a quadratic residue can be generated without Peggy!

– So interaction with Peggy is useless.

• Here is how.

Analysis (continued)

• Suppose x is a quadratic residue.^a

• In each round of interaction with Peggy, the transcript is a triplet (y, i, z).

• We present an efficient Bob that generates (y, i, z) with the same probability without accessing Peggy.

aBy definition, we do not need to consider the other case.

Analysis (concluded)

1: Bob chooses a random z ∈ Z_n^∗;

2: Bob chooses a random bit i;

3: Bob calculates y = z²x⁻ⁱ mod n;

4: Bob writes (y, i, z) into the transcript;

Comments

• Assume x is a quadratic residue.

• In both cases, for (y, i, z), y is a random quadratic residue, i is a random bit, and z is a random number.

• Bob cheats because (y, i, z) is not generated in the same order as in the original transcript.

– Bob picks Victor’s challenge first.

– Bob then picks Peggy’s answer.

– Bob finally patches the transcript.

Comments (concluded)

• So it is not the transcript that convinces Victor, but that conversation with Peggy is held “on line.”

• The same holds even if the transcript was generated by a cheating Victor’s interaction with (honest) Peggy.

• But we skip the details.

Does the Following Work, Too?

1: for m = 1, 2, . . . , log₂ n do

2: Peggy chooses a random v ∈ Z_n^∗ and sends y = v² mod n to Victor;

3: Peggy sends z = uv mod n, where u is a square root of x; {u² ≡ x mod n.}

4: Victor checks if z² ≡ xy mod n;

5: end for

6: Victor accepts x if Line 4 is confirmed every time;

aContributed by Mr. Chih-Duo Hong (R95922079) on December 13, 2006. It is like always choosing i = 1 in the original protocol.

Does the Following Work, Too?

(concluded)

• Suppose x is a quadratic nonresidue.

• But Peggy can mislead Victor into accepting x as a quadratic residue.

• She simply sends y = x and z = x to Victor.

• This pair will satisfy z² ≡ xy mod n by construction.

• The protocol is hence not even an IP protocol!

aContributed by Mr. Chin-Luei Chang (D95922007) on June 16, 2008.