### The Secret-Key Agreement Problem

*•* Exchanging messages securely using a private-key
cryptosystem requires Alice and Bob possessing the
same key (p. 568).

*•* How can they agree on the same secret key when the
channel is insecure?

*•* This is called the secret-key agreement problem.

*•* It was solved by Diffie and Hellman (1976) using
one-way functions.

### The Diffie-Hellman Secret-Key Agreement Protocol

1: *Alice and Bob agree on a large prime p and a primitive*
*root g of p; {p and g are public.}*

2: *Alice chooses a large number a at random;*

3: *Alice computes α = g*^{a}*mod p;*

4: *Bob chooses a large number b at random;*

5: *Bob computes β = g*^{b}*mod p;*

6: *Alice sends α to Bob, and Bob sends β to Alice;*

7: *Alice computes her key β*^{a}*mod p;*

8: *Bob computes his key α*^{b}*mod p;*

### Analysis

*•* The keys computed by Alice and Bob are identical:

*β*^{a}*= g*^{ba}*= g*^{ab}*= α*^{b}*mod p.*

*•* *To compute the common key from p, g, α, β is known as*
the Diffie-Hellman problem.

*•* It is conjectured to be hard.

*•* If discrete logarithm is easy, then one can solve the
Diffie-Hellman problem.

– *Because a and b can then be obtained by Eve.*

*•* But the other direction is still open.

### A Parallel History

*•* Diffie and Hellman’s solution to the secret-key

agreement problem led to public-key cryptography.

*•* At around the same time (or earlier) in Britain, the
RSA public-key cryptosystem was invented first before
the Diffie-Hellman secret-key agreement scheme was.

– Ellis, Cocks, and Williamson of the Communications Electronics Security Group of the British Government Communications Head Quarters (GCHQ).

### Digital Signatures

^{a}

*•* *Alice wants to send Bob a signed document x.*

*•* The signature must unmistakably identifies the sender.

*•* Both Alice and Bob have public and private keys
*e*_{Alice}*, e*_{Bob}*, d*_{Alice}*, d*_{Bob}*.*

*•* Assume the cryptosystem satisfies the commutative property
*E(e, D(d, x)) = D(d, E(e, x)).* (9)

– *As (x** ^{d}*)

^{e}*= (x*

*)*

^{e}*, the RSA system satisfies it.*

^{d}– *Every cryptosystem guarantees D(d, E(e, x)) = x.*

aDiffie and Hellman (1976).

### Digital Signatures Based on Public-Key Systems

*•* *Alice signs x as*

*(x, D(d*_{Alice}*, x)).*

*•* *Bob receives (x, y) and verifies the signature by checking*
*E(e*_{Alice}*, y) = E(e*_{Alice}*, D(d*_{Alice}*, x)) = x*

based on Eq. (9).

*•* The claim of authenticity is founded on the difficulty of
*inverting E*_{Alice} *without knowing the key d*_{Alice}.

*•* Warning: If Alice signs anything presented to her, she

### Probabilistic Encryption

^{a}

*•* A deterministic cryptosystem can be broken if the

plaintext has a distribution that favors the “easy” cases.

*•* The ability to forge signatures on even a vanishingly
small fraction of strings of some length is a security
weakness if those strings were the probable ones!

*•* *A scheme may also “leak” partial information.*

– Parity of the plaintext, e.g.

*•* The first solution to the problems of skewed distribution
and partial information was based on the QRA.

aGoldwasser and Micali (1982).

### Shafi Goldwasser (1958–)

### Silvio Micali (1954–)

### The Setup

*•* *Bob publishes n = pq, a product of two distinct primes,*
*and a quadratic nonresidue y with Jacobi symbol 1.*

*•* *Bob keeps secret the factorization of n.*

*•* *Alice wants to send bit string b*_{1}*b*_{2} *· · · b** _{k}* to Bob.

*•* Alice encrypts the bits by choosing a random quadratic
*residue modulo n if b** _{i}* is 1 and a random quadratic

nonresidue (with Jacobi symbol 1) otherwise.

*•* A sequence of residues and nonresidues are sent.

*•* *Knowing the factorization of n, Bob can efficiently test*

### A Useful Lemma

Lemma 78 *Let n = pq be a product of two distinct primes.*

*Then a number y ∈ Z*_{n}^{∗}*is a quadratic residue modulo n if*
*and only if (y | p) = (y | q) = 1.*

*•* The “only if” part:

– *Let x be a solution to x*^{2} *= y mod pq.*

– *Then x*^{2} *= y mod p and x*^{2} *= y mod q also hold.*

– *Hence y is a quadratic modulo p and a quadratic*
*residue modulo q.*

### The Proof (concluded)

*•* The “if” part:

– *Let a*^{2}_{1} *= y mod p and a*^{2}_{2} *= y mod q.*

– Solve

*x = a*_{1} *mod p,*
*x = a*_{2} *mod q,*

*for x with the Chinese remainder theorem.*

– *As x*^{2} *= y mod p, x*^{2} *= y mod q, and gcd(p, q) = 1,*
*we must have x*^{2} *= y mod pq.*

### The Jacobi Symbol and Quadratic Residuacity Test

*•* The Legendre symbol can be used as a test for quadratic
residuacity by Lemma 66 (p. 483).

*•* Lemma 78 (p. 595) says this is not the case with the
Jacobi symbol in general.

*•* *Suppose n = pq is a product of two distinct primes.*

*•* *A number y ∈ Z*_{n}^{∗}*with Jacobi symbol (y | pq) = 1 may*
*be a quadratic nonresidue modulo n when*

*(y | p) = (y | q) = −1,*
*because (y | pq) = (y | p)(y | q).*

### The Protocol for Alice

1: *for i = 1, 2, . . . , k do*

2: *Pick r ∈ Z*_{n}* ^{∗}* randomly;

3: *if b** _{i}* = 1 then

4: *Send r*^{2} *mod n; {Jacobi symbol is 1.}*

5: else

6: *Send r*^{2}*y mod n; {Jacobi symbol is still 1.}*

7: end if

8: end for

### The Protocol for Bob

1: *for i = 1, 2, . . . , k do*

2: *Receive r;*

3: *if (r | p) = 1 and (r | q) = 1 then*

4: *b** _{i}* := 1;

5: else

6: *b** _{i}* := 0;

7: end if

8: end for

### Semantic Security

*•* This encryption scheme is probabilistic.

*•* There are a large number of different encryptions of a
given message.

*•* One is chosen at random by the sender to represent the
message.

*•* This scheme is both polynomially secure and
semantically secure.

### What Is a Proof?

*•* A proof convinces a party of a certain claim.

– *“x*^{n}*+ y*^{n}*6= z*^{n}*for all x, y, z ∈ Z*^{+} *and n > 2.”*

– *“Graph G is Hamiltonian.”*

– *“x*^{p}*= x mod p for prime p and p 6 |x.”*

*•* In mathematics, a proof is a fixed sequence of theorems.

– Think of it as a written examination.

*•* *We will extend a proof to cover a proof process by which*
the validity of the assertion is established.

– Recall a job interview or an oral examination.

### Prover and Verifier

*•* There are two parties to a proof.

– The prover (Peggy).

– The verifier (Victor).

*•* Given an assertion, the prover’s goal is to convince the
verifier of its validity (completeness).

*•* The verifier’s objective is to accept only correct
assertions (soundness).

*•* The verifier usually has an easier job than the prover.

*•* The setup is very much like the Turing test.^{a}

### Interactive Proof Systems

*•* *An interactive proof for a language L is a sequence of*
questions and answers between the two parties.

*•* At the end of the interaction, the verifier decides
whether the claim is true or false.

*•* The verifier must be a probabilistic polynomial-time
algorithm.

*•* The prover runs an exponential-time algorithm.

– If the prover is not more powerful than the verifier, no interaction is needed.

### Interactive Proof Systems (concluded)

*•* *The system decides L if the following two conditions*
*hold for any common input x.*

– *If x ∈ L, then the probability that x is accepted by*
*the verifier is at least 1 − 2** ^{−| x |}*.

– *If x 6∈ L, then the probability that x is accepted by*
*the verifier with any prover replacing the original*
prover is at most 2* ^{−| x |}*.

*•* Neither the number of rounds nor the lengths of the
*messages can be more than a polynomial of | x |.*

### An Interactive Proof

3

3

3

3

3

9

9

9

9

9

### IP

^{a}

*•* IP is the class of all languages decided by an interactive
proof system.

*•* *When x ∈ L, the completeness condition can be*
modified to require that the verifier accepts with
certainty without affecting IP.^{b}

*•* Similar things cannot be said of the soundness condition
*when x 6∈ L.*

*•* Verifier’s coin flips can be public.^{c}

aGoldwasser, Micali, and Rackoff (1985).

bGoldreich, Mansour, and Sipser (1987).

### The Relations of IP with Other Classes

*•* *NP ⊆ IP.*

– IP becomes NP when the verifier is deterministic.

*•* *BPP ⊆ IP.*

– IP becomes BPP when the verifier ignores the prover’s messages.

*•* IP actually coincides with PSPACE.^{a}

aShamir (1990).

### Graph Isomorphism

*•* *V*_{1} *= V*_{2} *= {1, 2, . . . , n}.*

*•* *Graphs G*_{1} *= (V*_{1}*, E*_{1}*) and G*_{2} *= (V*_{2}*, E*_{2}) are
*isomorphic if there exists a permutation π on*

*{1, 2, . . . , n} so that (u, v) ∈ E*_{1} *⇔ (π(u), π(v)) ∈ E*_{2}.

*•* *The task is to answer if G*_{1} *∼= G*2.

*•* No known polynomial-time algorithms.

*•* The problem is in NP (hence IP).

*•* It is not likely to be NP-complete.^{a}

### graph nonisomorphism

*•* *V*_{1} *= V*_{2} *= {1, 2, . . . , n}.*

*•* *Graphs G*_{1} *= (V*_{1}*, E*_{1}*) and G*_{2} *= (V*_{2}*, E*_{2}) are

*nonisomorphic if there exist no permutations π on*
*{1, 2, . . . , n} so that (u, v) ∈ E*_{1} *⇔ (π(u), π(v)) ∈ E*_{2}.

*•* *The task is to answer if G*_{1} *6∼= G*2.

*•* Again, no known polynomial-time algorithms.

– It is in coNP, but how about NP or BPP?

– It is not likely to be coNP-complete.

*•* *Surprisingly, graph nonisomorphism ∈ IP.*^{a}

aGoldreich, Micali, and Wigderson (1986).

### A 2-Round Algorithm

1: *Victor selects a random i ∈ { 1, 2 };*

2: *Victor selects a random permutation π on { 1, 2, . . . , n };*

3: *Victor applies π on graph G*_{i}*to obtain graph H;*

4: *Victor sends (G*1*, H) to Peggy;*

5: *if G*_{1} *∼**= H then*

6: *Peggy sends j = 1 to Victor;*

7: else

8: *Peggy sends j = 2 to Victor;*

9: end if

10: *if j = i then*

11: Victor accepts;

12: else

### Analysis

*•* Victor runs in probabilistic polynomial time.

*•* *Suppose G*_{1} *6∼**= G*2.

– *Peggy is able to tell which G*_{i}*is isomorphic to H.*

– So Victor always accepts.

*•* *Suppose G*_{1} *∼**= G*2.

– *No matter which i is picked by Victor, Peggy or any*
prover sees 2 identical graphs.

– Peggy or any prover with exponential power has only
*probability one half of guessing i correctly.*

– *So Victor erroneously accepts with probability 1/2.*

*•* Repeat the algorithm to obtain the desired probabilities.

### Knowledge in Proofs

*•* Suppose I know a satisfying assignment to a satisfiable
boolean expression.

*•* I can convince Alice of this by giving her the assignment.

*•* But then I give her more knowledge than necessary.

– Alice can claim that she found the assignment!

– Login authentication faces essentially the same issue.

– See

www.wired.com/wired/archive/1.05/atm pr.html for a famous ATM fraud in the U.S.

### Knowledge in Proofs (concluded)

*•* *Digital signatures authenticate documents but not*
*individuals.*

*•* They hence do not solve the problem.

*•* Suppose I always give Alice random bits.

*•* Alice extracts no knowledge from me by any measure,
but I prove nothing.

*•* Question 1: Can we design a protocol to convince Alice
(the knowledge) of a secret without revealing anything
extra?

*•* Question 2: How to define this idea rigorously?

### Zero Knowledge Proofs

^{a}

*An interactive proof protocol (P, V ) for language L has the*
perfect zero-knowledge property if:

*•* *For every verifier V* ^{0}*, there is an algorithm M with*
expected polynomial running time.

*•* *M on any input x ∈ L generates the same probability*
distribution as the one that can be observed on the
*communication channel of (P, V* ^{0}*) on input x.*

aGoldwasser, Micali, and Rackoff (1985).

### Comments

*•* Zero knowledge is a property of the prover.

– It is the robustness of the prover against attempts of the verifier to extract knowledge via interaction.

– The verifier may deviate arbitrarily (but in

polynomial time) from the predetermined program.

– A verifier cannot use the transcript of the interaction to convince a third-party of the validity of the claim.

– The proof is hence not transferable.

### Comments (continued)

*•* Whatever a verifier can “learn” from the specified prover
*P via the communication channel could as well be*

computed from the verifier alone.

*•* *The verifier does not learn anything except “x ∈ L.”*

*•* Zero-knowledge proofs yield no knowledge in the sense
that they can be constructed by the verifier who believes
the statement, and yet these proofs do convince him.

### Comments (continued)

*•* The “paradox” is resolved by noting that it is not the
transcript of the conversation that convinces the verifier.

*•* But the fact that this conversation was held “on line.”

*•* *There is no zero-knowledge requirement when x 6∈ L.*

*•* *Computational zero-knowledge proofs are based on*
complexity assumptions.

– *M only needs to generate a distribution that is*

computationally indistinguishable from the verifier’s view of the interaction.

### Comments (concluded)

*•* It is known that if one-way functions exist, then

zero-knowledge proofs exist for every problem in NP.^{a}

*•* The verifier can be restricted to the honest one (i.e., it
follows the protocol).^{b}

*•* The coins can be public.^{c}

aGoldreich, Micali, and Wigderson (1986).

bVadhan (2006).

cVadhan (2006).

### Are You Convinced?

*•* A newspaper commercial for hair-growing products for
men.

– A (for all practical purposes) bald man has a full head of hair after 3 months.

*•* A TV commercial for weight-loss products.

– A (by any reasonable measure) overweight woman loses 10 kilograms in 10 weeks.

### Quadratic Residuacity

*•* *Let n be a product of two distinct primes.*

*•* Assume extracting the square root of a quadratic residue
*modulo n is hard without knowing the factors.*

*•* *We next present a zero-knowledge proof for x ∈ Z*_{n}* ^{∗}*
being a quadratic residue.

### Zero-Knowledge Proof of Quadratic Residuacity

1: *for m = 1, 2, . . . , log*_{2} *n do*

2: *Peggy chooses a random v ∈ Z*_{n}* ^{∗}* and sends

*y = v*

^{2}

*mod n to Victor;*

3: *Victor chooses a random bit i and sends it to Peggy;*

4: *Peggy sends z = u*^{i}*v mod n, where u is a square root*
*of x; {u*^{2} *≡ x mod n.}*

5: *Victor checks if z*^{2} *≡ x*^{i}*y mod n;*

6: end for

7: *Victor accepts x if Line 5 is confirmed every time;*

### A Useful Corollary

Corollary 79 *Let n = pq be a product of two distinct*

*primes. (1) If x and y are both quadratic residues modulo n,*
*then xy ∈ Z*_{n}^{∗}*is a quadratic residue modulo n. (2) If x is a*
*quadratic residue modulo n and y is a quadratic nonresidue*
*modulo n, then xy ∈ Z*_{n}^{∗}*is a quadratic nonresidue modulo n.*

*•* *Suppose x and y are both quadratic residues modulo n.*

*•* *Let x ≡ a*^{2} *mod n and y ≡ b*^{2} *mod n.*

*•* *Now xy is a quadratic residue as xy ≡ (ab)*^{2} *mod n.*

### The Proof (concluded)

*•* *Suppose x is a quadratic residue modulo n and y is a*
*quadratic nonresidue modulo n.*

*•* *By Lemma 78 (p. 595), (x | p) = (x | q) = 1 but, say,*
*(y | p) = −1.*

*•* *Now xy is a quadratic nonresidue as (xy | p) = −1, again*
by Lemma 78 (p. 595).

### Analysis

*•* *Suppose x is a quadratic nonresidue.*

– Peggy can answer only one of the two possible challenges.

*∗* *If a is a quadratic residue, then xa is a quadratic*
nonresidue by Corollary 79 (p. 622).

*∗* *So x*^{i}*y can be a quadratic residue (see Line 5) only*
*when i = 0.*

– So Peggy will be caught in any given round with probability one half.

### Analysis (continued)

*•* *Suppose x is a quadratic residue.*

– Peggy can answer all challenges.

– *So Victor will accept x.*

*•* How about the claim of zero knowledge?

*•* *The transcript between Peggy and Victor when x is a*
quadratic residue can be generated without Peggy!

– So interaction with Peggy is useless.

*•* Here is how.

### Analysis (continued)

*•* *Suppose x is a quadratic residue.*^{a}

*•* In each round of interaction with Peggy, the transcript is
*a triplet (y, i, z).*

*•* *We present an efficient Bob that generates (y, i, z) with*
*the same probability without accessing Peggy.*

aBy definition, we do not need to consider the other case.

### Analysis (concluded)

1: *Bob chooses a random z ∈ Z*_{n}* ^{∗}*;

2: *Bob chooses a random bit i;*

3: *Bob calculates y = z*^{2}*x*^{−i}*mod n;*

4: *Bob writes (y, i, z) into the transcript;*

### Comments

*•* *Assume x is a quadratic residue.*

*•* *In both cases, for (y, i, z), y is a random quadratic*
*residue, i is a random bit, and z is a random number.*

*•* *Bob cheats because (y, i, z) is not generated in the same*
order as in the original transcript.

– Bob picks Victor’s challenge first.

– Bob then picks Peggy’s answer.

– Bob finally patches the transcript.

### Comments (concluded)

*•* So it is not the transcript that convinces Victor, but
that conversation with Peggy is held “on line.”

*•* The same holds even if the transcript was generated by
a cheating Victor’s interaction with (honest) Peggy.

*•* But we skip the details.

### Does the Following Work, Too?

^{a}

1: *for m = 1, 2, . . . , log*_{2} *n do*

2: *Peggy chooses a random v ∈ Z*_{n}* ^{∗}* and sends

*y = v*

^{2}

*mod n to Victor;*

3: *Peggy sends z = uv mod n, where u is a square root of*
*x; {u*^{2} *≡ x mod n.}*

4: *Victor checks if z*^{2} *≡ xy mod n;*

5: end for

6: *Victor accepts x if Line 4 is confirmed every time;*

aContributed by Mr. Chih-Duo Hong (R95922079) on December 13,
*2006. It is like always choosing i = 1 in the original protocol.*

### Does the Following Work, Too?

^{a}

### (concluded)

*•* *Suppose x is a quadratic nonresidue.*

*•* *But Peggy can mislead Victor into accepting x as a*
quadratic residue.

*•* *She simply sends y = x and z = x to Victor.*

*•* *This pair will satisfy z*^{2} *≡ xy mod n by construction.*

*•* The protocol is hence not even an IP protocol!

aContributed by Mr. Chin-Luei Chang (D95922007) on June 16, 2008.