Digital Signatures Based on Public-Key Systems

Full text

(1)

Is a forged signature the same sort of thing as a genuine signature, or is it a diﬀerent sort of thing?

— Gilbert Ryle (1900–1976), The Concept of Mind (1949)

“Katherine, I gave him the code.

He veriﬁed the code.”

“But did you verify him?”

— The Numbers Station (2013)

(2)

Digital Signatures

a

• Alice wants to send Bob a signed document x.

• The signature must unmistakably identifies the sender.

• Both Alice and Bob have public and private keys eAlice, eBob, dAlice, dBob.

• Every cryptosystem guarantees D(d, E(e, x)) = x.

• Assume the cryptosystem also satisfies the commutative property

E(e, D(d, x)) = D(d, E(e, x)). (15) – E.g., the RSA system satisfies it as (xd)e = (xe)d.

(3)

Digital Signatures Based on Public-Key Systems

• Alice signs x as

(x, D(dAlice, x)).

• Bob receives (x, y) and veriﬁes the signature by checking E(eAlice, y) = E(eAlice, D(dAlice, x)) = x

based on Eq. (15).

• The claim of authenticity is founded on the diﬃculty of inverting EAlice without knowing the key dAlice.

(4)

Probabilistic Encryption

a

• A deterministic cryptosystem can be broken if the

plaintext has a distribution that favors the “easy” cases.

• The ability to forge signatures on even a vanishingly small fraction of strings of some length is a security weakness if those strings were the probable ones!

• A scheme may also “leak” partial information.

– Parity of the plaintext, e.g.

• The ﬁrst solution to the problems of skewed distribution and partial information was based on the QRA.

aGoldwasser and Micali (1982). This paper “laid the framework for modern cryptography” (2013).

(5)

a

(1958–)

aTuring Award (2013).

(6)

a

(1954–)

aTuring Award (2013).

(7)

(8)

A Useful Lemma

Lemma 77 Let n = pq be a product of two distinct primes.

Then a number y ∈ Zn is a quadratic residue modulo n if and only if (y | p) = (y | q) = 1.

• The “only if” part:

– Let x be a solution to x2 = y mod pq.

– Then x2 = y mod p and x2 = y mod q also hold.

– Hence y is a quadratic modulo p and a quadratic residue modulo q.

(9)

The Proof (concluded)

• The “if” part:

– Let a21 = y mod p and a22 = y mod q.

– Solve

x = a1 mod p, x = a2 mod q,

for x with the Chinese remainder theorem.

– As x2 = y mod p, x2 = y mod q, and gcd(p, q) = 1, we must have x2 = y mod pq.

(10)

The Jacobi Symbol and Quadratic Residuacity Test

• The Legendre symbol can be used as a test for quadratic residuacity by Lemma 64 (p. 538).

• Lemma 77 (p. 651) says this is not the case with the Jacobi symbol in general.

• Suppose n = pq is a product of two distinct primes.

• A number y ∈ Zn with Jacobi symbol (y | pq) = 1 is a quadratic nonresidue modulo n when

(y | p) = (y | q) = −1, because (y | pq) = (y | p)(y | q).

(11)

The Setup

• Bob publishes n = pq, a product of two distinct primes, and a quadratic nonresidue y with Jacobi symbol 1.

• Bob keeps secret the factorization of n.

• Alice wants to send bit string b1b2 · · · bk to Bob.

• Alice encrypts the bits by choosing a random quadratic residue modulo n if bi is 1 and a random quadratic

nonresidue (with Jacobi symbol 1) otherwise.

• So a sequence of residues and nonresidues are sent.

• Knowing the factorization of n, Bob can eﬃciently test quadratic residuacity and thus read the message.

(12)

The Protocol for Alice

1: for i = 1, 2, . . . , k do

2: Pick r ∈ Zn randomly;

3: if bi = 1 then

4: Send r2 mod n; {Jacobi symbol is 1.}

5: else

6: Send r2y mod n; {Jacobi symbol is still 1.}

7: end if

8: end for

(13)

The Protocol for Bob

1: for i = 1, 2, . . . , k do

3: if (r | p) = 1 and (r | q) = 1 then

4: bi := 1;

5: else

6: bi := 0;

7: end if

8: end for

(14)

Semantic Security

• This encryption scheme is probabilistic.

• There are a large number of diﬀerent encryptions of a given message.

• One is chosen at random by the sender to represent the message.

– Encryption is a one-to-many mapping.

• This scheme is both polynomially secure and semantically secure.

(15)

What Is a Proof?

a

• A proof convinces a party of a certain claim.

– “xn + yn = zn for all x, y, z ∈ Z+ and n > 2.”

– “Graph G is Hamiltonian.”

– “xp = x mod p for prime p and p  |x.”

• In mathematics, a proof is a ﬁxed sequence of theorems.

– Think of it as a written examination.

• We will extend a proof to cover a proof process by which the validity of the assertion is established.

– Recall a job interview or an oral examination.

a“What then do you call proof?” Henry James (1902), The Wings of the Dove.

(16)

Prover and Verifier

• There are two parties to a proof.

– The prover (Peggy).

– The verifier (Victor).

• Given an assertion, the prover’s goal is to convince the veriﬁer of its validity (completeness).

• The veriﬁer’s objective is to accept only correct assertions (soundness).

• The veriﬁer usually has an easier job than the prover.

• The setup is very much like the Turing test.a

aTuring (1950).

(17)

Interactive Proof Systems

• An interactive proof for a language L is a sequence of questions and answers between the two parties.

• At the end of the interaction, the veriﬁer decides whether the claim is true or false.

• The veriﬁer must be a probabilistic polynomial-time algorithm.

• The prover runs an exponential-time algorithm.a

– If the prover is not more powerful than the veriﬁer, no interaction is needed!

aSee the problem to Note 12.3.7 on p. 296 and Proposition 19.1 on p. 475, both of the textbook, about alternative complexity assumptions without aﬀecting the deﬁnition. Contributed by Mr. Young-San Lin (B97902055) and Mr. Chao-Fu Yang (B97902052) on December 18, 2012.

(18)

Interactive Proof Systems (concluded)

• The system decides L if the following two conditions hold for any common input x.

– If x ∈ L, then the probability that x is accepted by the veriﬁer is at least 1 − 2−| x |.

– If x ∈ L, then the probability that x is accepted by the veriﬁer with any prover replacing the original prover is at most 2−| x |.

• Neither the number of rounds nor the lengths of the messages can be more than a polynomial of | x |.

(19)

!

!

!

!

!

' ' ' ' '

(20)

IP

a

• IP is the class of all languages decided by an interactive proof system.

• When x ∈ L, the completeness condition can be modiﬁed to require that the veriﬁer accept with certainty without aﬀecting IP.b

• Similar things cannot be said of the soundness condition when x ∈ L.

• Veriﬁer’s coin ﬂips can be public.c

aGoldwasser, Micali, & Rackoﬀ (1985).

bGoldreich, Mansour, & Sipser (1987).

cGoldwasser & Sipser (1989).

(21)

The Relations of IP with Other Classes

• NP ⊆ IP.

– IP becomes NP when the veriﬁer is deterministic and there is only one round of interaction.a

• BPP ⊆ IP.

– IP becomes BPP when the veriﬁer ignores the prover’s messages.

• IP = PSPACE.b

aRecall Proposition 36 on p. 312.

bShamir (1990).

(22)

Graph Isomorphism

• V1 = V2 = { 1, 2, . . . , n }.

• Graphs G1 = (V1, E1) and G2 = (V2, E2) are isomorphic if there exists a permutation π on

{ 1, 2, . . . , n } so that (u, v) ∈ E1 ⇔ (π(u), π(v)) ∈ E2.

• No known polynomial-time algorithms.a

• The problem is in NP (hence IP).

• It is not likely to be NP-complete.b

aThe recent bound of Babai (2015) is 2O(logc n) for some constant c.

bSch¨oning (1987).

(23)

graph nonisomorphism

• V1 = V2 = { 1, 2, . . . , n }.

• Graphs G1 = (V1, E1) and G2 = (V2, E2) are

nonisomorphic if there exist no permutations π on { 1, 2, . . . , n } so that (u, v) ∈ E1 ⇔ (π(u), π(v)) ∈ E2.

• Again, no known polynomial-time algorithms.

– It is in coNP, but how about NP or BPP?

– It is not likely to be coNP-complete.a

• Surprisingly, graph nonisomorphism ∈ IP.b

aSch¨oning (1987).

bGoldreich, Micali, & Wigderson (1986).

(24)

A 2-Round Algorithm

1: Victor selects a random i ∈ { 1, 2 };

2: Victor selects a random permutation π on { 1, 2, . . . , n };

3: Victor applies π on graph Gi to obtain graph H;

4: Victor sends (G1, H) to Peggy;

5: if G1 = H then

6: Peggy sends j = 1 to Victor;

7: else

8: Peggy sends j = 2 to Victor;

9: end if

10: if j = i then

11: Victor accepts; {G1 ∼= G2.}

12: else

13: Victor rejects; {G1 = G2.}

14: end if

(25)

Analysis

• Victor runs in probabilistic polynomial time.

• Suppose G1 ∼= G2.

– Peggy is able to tell which Gi is isomorphic to H, so j = i.

– So Victor always accepts.

• Suppose G1 = G2.

– No matter which i is picked by Victor, Peggy or any prover sees 2 identical copies.

– Peggy or any prover with exponential power has only probability one half of guessing i correctly.

– So Victor erroneously accepts with probability 1/2.

• Repeat the algorithm to obtain the desired probabilities.

(26)

Knowledge in Proofs

• Suppose I know a satisfying assignment to a satisﬁable boolean expression.

• I can convince Alice of this by giving her the assignment.

• But then I give her more knowledge than is necessary.

– Alice can claim that she found the assignment!

– Login authentication faces essentially the same issue.

– See

www.wired.com/wired/archive/1.05/atm pr.html for a famous ATM fraud in the U.S.

(27)

Knowledge in Proofs (concluded)

• Suppose I always give Alice random bits.

• Alice extracts no knowledge from me by any measure, but I prove nothing.

• Question 1: Can we design a protocol to convince Alice (the knowledge) of a secret without revealing anything extra?

• Question 2: How to deﬁne this idea rigorously?

(28)

Zero Knowledge Proofs

a

An interactive proof protocol (P, V ) for language L has the perfect zero-knowledge property if:

• For every veriﬁer V , there is an algorithm M with expected polynomial running time.

• M on any input x ∈ L generates the same probability distribution as the one that can be observed on the communication channel of (P, V ) on input x.

aGoldwasser, Micali, & Rackoﬀ (1985).

(29)

• Zero knowledge is a property of the prover.

– It is the robustness of the prover against attempts of the veriﬁer to extract knowledge via interaction.

– The veriﬁer may deviate arbitrarily (but in

polynomial time) from the predetermined program.

– A veriﬁer cannot use the transcript of the interaction to convince a third-party of the validity of the claim.

– The proof is hence not transferable.

(30)

• Whatever a veriﬁer can “learn” from the speciﬁed prover P via the communication channel could as well be

computed from the veriﬁer alone.

• The veriﬁer does not learn anything except “x ∈ L.”

• Zero-knowledge proofs yield no knowledge in the sense that they can be constructed by the veriﬁer who believes the statement, and yet these proofs do convince him.

(31)

• The “paradox” is resolved by noting that it is not the transcript of the conversation that convinces the veriﬁer.

• But the fact that this conversation was held “on line.”

• Computational zero-knowledge proofs are based on complexity assumptions.

– M only needs to generate a distribution that is

computationally indistinguishable from the veriﬁer’s view of the interaction.

(32)

• If one-way functions exist, then zero-knowledge proofs exist for every problem in NP.a

• If one-way functions exist, then zero-knowledge proofs exist for every problem in PSPACE.b

• The veriﬁer can be restricted to the honest one (i.e., it follows the protocol).c

• The coins can be public.d

• The digital money Zcash (2016) is based on zero-knowledge proofs.

aGoldreich, Micali, & Wigderson (1986).

bOstrovsky & Wigderson (1993).

(33)

• Let n be a product of two distinct primes.

• Assume extracting the square root of a quadratic residue modulo n is hard without knowing the factors.

• We next present a zero-knowledge proof for the input x ∈ Zn

(34)

1: for m = 1, 2, . . . , log2 n do

2: Peggy chooses a random v ∈ Zn and sends y = v2 mod n to Victor;

3: Victor chooses a random bit i and sends it to Peggy;

4: Peggy sends z = uiv mod n, where u is a square root of x; {u2 ≡ x mod n.}

5: Victor checks if z2 ≡ xiy mod n;

6: end for

7: Victor accepts x if Line 5 is conﬁrmed every time;

(35)

A Useful Corollary of Lemma 77 (p. 651)

Corollary 78 Let n = pq be a product of two distinct

primes. (1) If x and y are both quadratic residues modulo n, then xy ∈ Zn is a quadratic residue modulo n. (2) If x is a quadratic residue modulo n and y is a quadratic nonresidue modulo n, then xy ∈ Zn is a quadratic nonresidue modulo n.

• Suppose x and y are both quadratic residues modulo n.

• Let x ≡ a2 mod n and y ≡ b2 mod n.

• Now xy is a quadratic residue as xy ≡ (ab)2 mod n.

(36)

The Proof (concluded)

• Suppose x is a quadratic residue modulo n and y is a quadratic nonresidue modulo n.

• By Lemma 77 (p. 651), (x | p) = (x | q) = 1 but, say, (y | p) = −1.

• Now xy is a quadratic nonresidue as (xy | p) = −1, again by Lemma 77 (p. 651).

(37)

Analysis

• Suppose x is a quadratic residue.

– Then x’s square root u can be computed by Peggy.

– Peggy can answer all challenges.

– Now,

z2 

ui2

v2 

u2i

v2 ≡ xiy mod n.

– So Victor will accept x.

(38)

Analysis (continued)

• Suppose x is a quadratic nonresidue.

– Corollary 78 (p. 678) says if a is a quadratic residue, then xa is a quadratic nonresidue.

– As y is a quadratic residue, xiy can be a quadratic residue (see Line 5) only when i = 0.

– Peggy can answer only one of the two possible challenges, when i = 0.a

– So Peggy will be caught in any given round with probability one half.

aLine 5 (z2 ≡ xiy mod n) cannot equate a quadratic residue z2 with a quadratic nonresidue xiy when i = 1.

(39)

Analysis (continued)

• How about the claim of zero knowledge?

• The transcript between Peggy and Victor when x is a quadratic residue can be generated without Peggy!

• Here is how.

• Suppose x is a quadratic residue.a

• In each round of interaction with Peggy, the transcript is a triplet (y, i, z).

• We present an eﬃcient Bob that generates (y, i, z) with the same probability without accessing Peggy’s power.

aThere is no zero-knowledge requirement when x ∈ L.

(40)

Analysis (concluded)

1: Bob chooses a random z ∈ Zn;

2: Bob chooses a random bit i;

3: Bob calculates y = z2x−i mod n;a

4: Bob writes (y, i, z) into the transcript;

aRecall Line 5 on p. 677: Victor checks if z2 ≡ xiy mod n.

(41)

• Assume x is a quadratic residue.

• For (y, i, z), y is a random quadratic residue, i is a random bit, and z is a random number.

• Bob cheats because (y, i, z) is not generated in the same order as in the original transcript.

– Bob picks Peggy’s answer z ﬁrst.

– Bob then picks Victor’s challenge i.

– Bob ﬁnally patches the transcript.

(42)

• So it is not the transcript that convinces Victor, but that conversation with Peggy is held “on line.”

• The same holds even if the transcript was generated by a cheating Victor’s interaction with (honest) Peggy.

• But we skip the details.a

(43)

Zero-Knowledge Proof of 3 Colorability

a

1: for i = 1, 2, . . . , | E |2 do

2: Peggy chooses a random permutation π of the 3-coloring φ;

3: Peggy samples encryption schemes randomly, commitsb them, and sends π(φ(1)), π(φ(2)), . . . , π(φ(| V |)) encrypted to Victor;

4: Victor chooses at random an edge e ∈ E and sends it to Peggy for the coloring of the endpoints of e;

5: if e = (u, v) ∈ E then

6: Peggy reveals the colors π(φ(u)) and π(φ(v)) and “proves”

that they correspond to their encryptions;

7: else

8: Peggy stops;

9: end if

aGoldreich, Micali, & Wigderson (1986).

bContributed by Mr. Ren-Shuo Liu (D98922016) on December 22, 2009.

(44)

10: if the “proof” provided in Line 6 is not valid then 11: Victor rejects and stops;

12: end if

13: if π(φ(u)) = π(φ(v)) or π(φ(u)), π(φ(v)) ∈ { 1, 2, 3 } then 14: Victor rejects and stops;

15: end if 16: end for

17: Victor accepts;

(45)

Analysis

• If the graph is 3-colorable and both Peggy and Victor follow the protocol, then Victor always accepts.

• Suppose the graph is not 3-colorable and Victor follows the protocol.

• Let e be an edge that is not colored legally.

• Victor will pick it with probability 1/m per round, where m = | E |.

• Then however Peggy plays, Victor will reject with probability at least 1/m per round.

(46)

Analysis (concluded)

• So Victor will accept with probability at most

1 − m−1m2

≤ e−m.

• Thus the protocol is a valid IP protocol.

• This protocol yields no knowledge to Victor as all he gets is a bunch of random pairs.

• The proof that the protocol is zero-knowledge to any veriﬁer is intricate.a

aBut no longer necessary because of Vadhan (2006).

(47)

• Each π(φ(i)) is encrypted by a diﬀerent cryptosystem in Line 3.a

– Otherwise, all the colors will be revealed in Line 6.

• Each edge e must be picked randomly.b

– Otherwise, Peggy will know Victor’s game plan and plot accordingly.

aContributed by Ms. Yui-Huei Chang (R96922060) on May 22, 2008

bContributed by Mr. Chang-Rong Hung (R96922028) on May 22, 2008

(48)

Approximability

(49)

All science is dominated by the idea of approximation.

— Bertrand Russell (1872–1970)

(50)

Just because the problem is NP-complete does not mean that you should not try to solve it.

— Stephen Cook (2002)

(51)

Tackling Intractable Problems

• Many important problems are NP-complete or worse.

• Heuristics have been developed to attack them.

• They are approximation algorithms.

• How good are the approximations?

– We are looking for theoretically guaranteed bounds, not “empirical” bounds.

• Are there NP problems that cannot be approximated well (assuming NP = P)?

• Are there NP problems that cannot be approximated at all (assuming NP = P)?

(52)

Some Definitions

• Given an optimization problem, each problem instance x has a set of feasible solutions F (x).

• Each feasible solution s ∈ F (x) has a cost c(s) ∈ Z+. – Here, cost refers to the quality of the feasible

solution, not the time required to obtain it.

– It is our objective function: total distance, number of satisﬁed clauses, cut size, etc.

(53)

Some Definitions (concluded)

• The optimum cost is

opt(x) = min

s∈F (x)c(s) for a minimization problem.

• It is

opt(x) = max

s∈F (x)c(s) for a maximization problem.

(54)

Approximation Algorithms

• Let (polynomial-time) algorithm M on x returns a feasible solution.

• M is an -approximation algorithm, where  ≥ 0, if for all x,

| c(M(x)) − opt(x) |

max(opt(x), c(M (x))) ≤ .

– For a minimization problem,

c(M (x)) − mins∈F (x) c(s)

c(M (x)) ≤ .

– For a maximization problem,

maxs∈F (x) c(s) − c(M (x))

maxs∈F (x) c(s) ≤ . (16)

(55)

Lower and Upper Bounds

• For a minimization problem,

s∈F (x)min c(s) ≤ c(M (x)) ≤ mins∈F (x) c(s) 1 −  .

• For a maximization problem, (1 − ) × max

s∈F (x)c(s) ≤ c(M (x)) ≤ max

s∈F (x)c(s). (17)

(56)

Lower and Upper Bounds (concluded)

•  ranges between 0 (best) and 1 (worst).

• For minimization problems, an -approximation algorithm returns solutions within



opt, opt 1 − 

 .

• For maximization problems, an -approximation algorithm returns solutions within

[ (1 − ) × opt, opt ].

(57)

Approximation Thresholds

• For each NP-complete optimization problem, we shall be interested in determining the smallest  for which there is a polynomial-time -approximation algorithm.

• But sometimes  has no minimum value.

• The approximation threshold is the greatest lower bound of all  ≥ 0 such that there is a polynomial-time

-approximation algorithm.

• By a standard theorem in real analysis, such a threshold exists.a

aBauldry (2009).

(58)

Approximation Thresholds (concluded)

• The approximation threshold of an optimization

problem is anywhere between 0 (approximation to any desired degree) and 1 (no approximation is possible).

• If P = NP, then all optimization problems in NP have an approximation threshold of 0.

• So assume P = NP for the rest of the discussion.

(59)

Approximation Ratio

• -approximation algorithms can also be measured via the approximation ratio:a

c(M (x)) opt(x) .

• For a minimization problem, the approximation ratio is 1 c(M (x))

mins∈F (x) c(s) 1

1 − . (18)

• For a maximization problem, the approximation ratio is 1 −  ≤ c(M (x))

maxs∈F (x) c(s) ≤ 1. (19)

aWilliamson and Shmoys (2011).

(60)

Approximation Ratio (concluded)

• Suppose there is an approximation algorithm that achieves an approximation ratio of θ.

– For a minimization problem, it implies a

(1 − θ−1)-approximation algorithm by Eq. (18).

– For a maximization problem, it implies a

(1 − θ)-approximation algorithm by Eq. (19).

(61)

node cover

• node cover seeks the smallest C ⊆ V in graph

G = (V, E) such that for each edge in E, at least one of its endpoints is in C.

• A heuristic to obtain a good node cover is to iteratively move a node with the highest degree to the cover.

• This turns out to produce an approximation ratio ofa c(M (x))

opt(x) = Θ(log n).

• So it is not an -approximation algorithm for any constant  < 1 according to Eq. (18) on p. 702.

aChv´atal (1979).

(62)

A 0.5-Approximation Algorithm

a

1: C := ∅;

2: while E = ∅ do

3: Delete an arbitrary edge [ u, v ] from E;

4: Add u and v to C; {Add 2 nodes to C each time.}

5: Delete edges incident with u or v from E;

6: end while

7: return C;

aGavril (1974).

(63)

Analysis

• It is easy to see that C is a node cover.

• C contains | C |/2 edges.a

• No two edges of C share a node.b

• Any node cover C must contain at least one node from each of the edges of C.

– If there is an edge in C both of whose ends are outside C, then C will not be a cover.

aThe edges deleted in Line 3.

bIn fact, C as a set of edges is a maximal matching.

(64)

(65)

Analysis (concluded)

• This means that opt(G) ≥ | C |/2.

• The approximation ratio is hence

| C |

opt(G) ≤ 2.

• So we have a 0.5-approximation algorithm.a

• And the approximation threshold is therefore ≤ 0.5.

aRecall p. 703.

(66)

The 0.5 Bound Is Tight for the Algorithm

a

Optimal cover

aContributed by Mr. Jenq-Chung Li (R92922087) on December 20, 2003. Recall that K¨onig’s theorem says the size of a maximum matching

(67)

Remarks

• The approximation threshold is at leasta 1 

10

5 − 21−1

≈ 0.2651.

• The approximation threshold is 0.5 if one assumes the unique games conjecture (ugc).b

• This ratio 0.5 is also the lower bound for any “greedy”

algorithms.c