MTAT.07.014 Cryptographic Protocols
Helger Lipmaa
University of Tartu
Last modified: October 21, 2013
Helger Lipmaa (University of Tartu) MTAT.07.014 Cryptographic Protocols MTAT.07.014 1 / 218
Short Syllabus
Protocol: an algorithm that includes communication between 2 or more parties
Cryptographic protocol: a protocol with some security requirements
Goal:
- learn to design secure and efficient cryptographic protocols
- foundations: understand how this is done
Efficiency: different methods of protocol construction
Security: definitions and proofs of security; intuition on how to design secure protocols
At the end of the course, students should be able to
- understand security definitions
- design secure and efficient cryptographic protocols
- prove their security (according to security definitions)
Example: Study Goal
Goal: design a simple e-voting protocol
Protocol main idea: the prover encrypts her ballot by using cryptosystem X, and signs it by using some standard signature scheme Y
Tasks:
- Construct a protocol secure against a malicious voter and a malicious voting server
- What does it mean for it to be secure (define)
- Prove it is secure
- Efficiency: choose correct X, Y etc
For Muggles...
Many cryptographic protocols are used in the wild
- Widely standardized: SSL/TLS, IPSec, SSH, ...
- Less common: e-voting, bitcoin, ...
A Muggle may expect we are just going to describe them in this course
Not!
- Just describing = boring; everybody can read an RFC
- Goal: understand why something is secure
- Real protocols are too complex or not really secure
Pedagogical trick: start from basics!
Evolution of the Course
Third time (2011, 2012, and now)
- 2011: initial version
- 2012: new topics: elliptic curves, pairings, pairing-based NIZK, lattices. Had 14 lectures out of 16, so there is space for more material
- 2013: new topics: garbled circuits, more lattices, (maybe) multi-party computation, more NIZK. May remove some topics
- Removed to supplementary materials: intro to elliptic curves
Vast area. Will focus on aspects that are related to my own research. Emphasis on the area called secure computation
Practice Sessions
Practice sessions given by Prastudy Fauzi, who will have completely free hands
- 50% of the grade is homework
- 2011/2012 homework was mostly about implementing; this year: also proofs and attacks
- To make sure that the main study outcomes (*) are satisfied
  (*): to learn how to construct protocols and prove their security
Practice sessions also sometimes give supplementary material that is not part of the "cryptographic protocols" but needed as a background
Outline
1 Lecture 1: Introduction
2 Lecture 2: Assumptions. Discrete Logarithm, CDH
3 Lecture 3: DDH. Elgamal
4 Lecture 4: Lifted Elgamal. MH Protocols
5 Lecture 5: E-Voting. AH. Paillier
6 Lecture 6: AH with Recursion: Nontrivial CPIR
7 Lecture 7: BDD and Multi-Round
References I
Barbulescu, R., Gaudry, P., Joux, A., and Thomé, E. (2013). A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. Technical Report 2013/400, International Association for Cryptologic Research. Available at http://eprint.iacr.org/2013/400.
Cobham, A. (1966). The Recognition Problem for the Set of Perfect Squares. In FOCS 1966, pages 78–87, Berkeley, California. IEEE Computer Society.
Cramer, R., Gennaro, R., and Schoenmakers, B. (1997). A Secure and Optimally Efficient Multi-Authority Election Scheme. In Fumy, W., editor, EUROCRYPT 1997, volume 1233 of LNCS, pages 103–118, Konstanz, Germany. Springer, Heidelberg.
Damgård, I. and Jurik, M. (2001). A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System. In Kim, K., editor, PKC 2001, volume 1992 of LNCS, pages 119–136, Cheju Island, Korea. Springer, Heidelberg.
Damgård, I. B., Jurik, M. J., and Nielsen, J. B. (2010). A Generalization of Paillier's Public-key System with Applications to Electronic Voting. International Journal of Information Security, 9(6):371–385.
Diffie, W. and Hellman, M. E. (1976). New Directions in Cryptography. IEEE Transactions on Information Theory, IT-22:644–654.
References II
Elgamal, T. (1985). A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, 31(4):469–472.
Gentry, C. and Ramzan, Z. (2005). Single-Database Private Information Retrieval with Constant Communication Rate. In Caires, L., Italiano, G. F., Monteiro, L., Palamidessi, C., and Yung, M., editors, ICALP 2005, volume 3580 of LNCS, pages 803–815, Lisboa, Portugal. Springer, Heidelberg.
Goldreich, O. (2001). Foundations of Cryptography: Basic Tools. Cambridge University Press. ISBN 0521791723.
Ishai, Y. and Paskin, A. (2007). Evaluating Branching Programs on Encrypted Data. In Vadhan, S. P., editor, TCC 2007, volume 4392 of LNCS, pages 575–594, Amsterdam, The Netherlands. Springer, Heidelberg.
Joux, A. and Pierrot, C. (2013). The Special Number Field Sieve in F_{p^n}, Application to Pairing-Friendly Constructions. Technical Report 2013/582, International Association for Cryptologic Research. Available at http://eprint.iacr.org/2013/582.
References III
Koblitz, N. (1994). A Course in Number Theory and Cryptography. Number 114 in Graduate Texts in Mathematics. Springer-Verlag, 2nd edition. ISBN 0387942939.
Koblitz, N. (1998). Algebraic Aspects of Cryptography. Springer-Verlag.
Kushilevitz, E. and Ostrovsky, R. (1997). Replication is Not Needed: Single Database, Computationally-Private Information Retrieval. In FOCS 1997, pages 364–373, Miami Beach, Florida. IEEE Computer Society.
Lang, S. (2005). Algebra. Graduate Texts in Mathematics. Springer, 3rd edition.
Lipmaa, H. (2005). An Oblivious Transfer Protocol with Log-Squared Communication. In Zhou, J. and Lopez, J., editors, ISC 2005, volume 3650 of LNCS, pages 314–328, Singapore. Springer, Heidelberg.
Lipmaa, H. (2009). First CPIR Protocol with Data-Dependent Computation. In Lee, D. and Hong, S., editors, ICISC 2009, volume 5984 of LNCS, pages 193–210, Seoul, Korea. Springer, Heidelberg.
References IV
Lipmaa, H. and Toft, T. (2013). Secure Equality and Greater-Than Tests with Sublinear Online Complexity. In Fomin, F. V., Kwiatkowska, M., and Peleg, D., editors, ICALP 2013, volume 7966 of LNCS, pages 645–656, Riga, Latvia. Springer, Heidelberg.
Menezes, A., Okamoto, T., and Vanstone, S. (1993). Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field. IEEE Transactions on Information Theory, 39:1639–1646.
Micciancio, D. and Goldwasser, S. (2002). Complexity of Lattice Problems: A Cryptographic Perspective, volume 671 of The Springer International Series in Engineering and Computer Science. Springer.
Paillier, P. (1999). Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In Stern, J., editor, EUROCRYPT 1999, volume 1592 of LNCS, pages 223–238, Prague, Czech Republic. Springer, Heidelberg.
Shor, P. W. (1994). Algorithms for Quantum Computation: Discrete Logarithms and Factoring. In Goldwasser, S., editor, FOCS 1994, pages 124–134, Santa Fe, New Mexico, USA. IEEE Computer Society Press.
References V
Toft, T. (2011). Sub-linear, Secure Comparison with Two Non-colluding Parties. In Catalano, D., Fazio, N., Gennaro, R., and Nicolosi, A., editors, PKC 2011, volume 6571 of LNCS, pages 174–191, Taormina, Italy. Springer, Heidelberg.
Wegener, I. (2000). Branching Programs and Binary Decision Diagrams: Theory and Applications. Monographs on Discrete Mathematics and Applications. Society for Industrial Mathematics.
Wegener, I. and Woelfel, P. (2007). New Results on the Complexity of the Middle Bit of Multiplication. Computational Complexity, 16(3):298–323.
Lecture 1: Introduction
Preliminaries
I assume you have seen different primitives: block ciphers, stream ciphers, hash functions, public-key cryptosystems, signature schemes (Crypto I or an equivalent course...)
For every type of primitive, you have hopefully seen some representatives, a security definition, and sometimes an attack showing that the representatives are not secure
Note: we will not use all mentioned primitives. They were just mentioned since they are "standard"
Goal of Cryptographic Protocols
More and more activities are done online
- Examples (in Estonia): e-voting, digital signatures
Some activities are completely new / on a completely new scale
- Example: (privacy-preserving) data mining
In all such cases, one should get security/correctness and privacy in the presence of malicious parties
Def. of Cryptographic Protocols
Cryptographic protocol: a two/multi-party protocolthat achieves its goals and protects privacy even inthe presence of realistically malicious parties
Why It May Be Hard: CPIR
Computationally-Private Information Retrieval (CPIR):
- Server has database f⃗ = (f_1, ..., f_n), |f_i| = ℓ
- Client has index x ∈ {1, ..., n}
- Client should obtain f_x (and maybe more)
- Server should obtain no new information. Nothing about x!

Protocol template (Alice holds x, Bob holds f⃗):
  Alice: (q, state) ← Query(x)
  Alice → Bob: q
  Bob: r ← Reply(f⃗, q)
  Bob → Alice: r
  Alice: f*_x ← Answer(x, r, state)
Why It May Be Hard: CPIR
If no privacy needed:
- |x| = ⌈log2 n⌉ bits
- |f_x| = ℓ bits
- Total communication: ⌈log2 n⌉ + ℓ bits
- Very small constant Θ(1) computation on a modern computer
What if privacy is required?

Non-private protocol (Alice holds x, Bob holds f⃗):
  Alice → Bob: x
  Bob → Alice: f_x
  Alice: f*_x ← f_x
Why It May Be Hard: CPIR
Trivial protocol:
1 server sends f⃗ to client
2 client picks f_x
Good: clearly private for the client
Bad: ℓn bits, too expensive in practice
Task: improve communication

Trivial protocol (Alice holds x, Bob holds f⃗):
  Alice → Bob: "empty string"
  Bob → Alice: f⃗
  Alice: f*_x ← f_x
Why It May Be Hard: CPIR
First non-trivial CPIR introduced in [Kushilevitz and Ostrovsky, 1997]
Communication can be cut down to Θ(log n + ℓ + κ) [Gentry and Ramzan, 2005] or to 2ℓ + Θ(κ log² n) [Lipmaa, 2009]
- κ is the security parameter (e.g., key length)
What about computation?
Folk "Theorem": since the server does not know which index the client obtains, the server has to "touch" all database elements. Θ(n) computation
It was thought a few years ago that this is it
Why It May Be Hard: CPIR
[Lipmaa, 2009]:
- Θ(n) server computation can be done in a preprocessing phase (once per database),
- online server computation can be decreased to worst-case O(n / log n) (once per query); considerably less when the database is not random
- Idea: server represents the database as a more efficient data structure
- O(n / log n) comes from the known bounds on this data structure
- (We will tackle it in a later lecture)
Preprocessing is still Θ(n) as compared to Θ(1) in the non-private case
- It takes Θ(n) time to construct this data structure from the database
Why Often Simpler Than Assumed I
In e-voting, the server receives ciphertexts of individual ballots, and outputs a plaintext tally
Goal: the tally is correct but the server does not know anything extra about individual ballots
Sounds impossible?
- CPIR had an inefficient trivial protocol. Can you think of a trivial protocol here?
Can be done if one can do arithmetic on ciphertexts:
- one server "adds up" encrypted ballots and a second server decrypts the "sum"
Why Often Simpler Than Assumed II
In e-voting, the server must prove that his actions were correct, without revealing any extra information
Sounds impossible?
Can be done by using zero-knowledge and proven with simulation-based proofs
Simple Example: Veto
Vetoing:
- Assume Alice and Bob vote on some issue
- Decision taken only if both support it
Privacy: a minimal amount of information about the votes will be leaked
- If Alice votes for, then the result will be equal to Bob's vote ⇒ Bob's privacy cannot be protected
- If Alice votes against, then the result will be "no" independently of Bob's input ⇒ Alice should get no information
Mathematical Formulation: Veto = AND
Assume the private inputs are a, b ∈ {0, 1}
The common output is f(a, b) := a ∧ b
Alice/Bob should not get to know more than can be inferred from her/his private input and f(a, b)
In the general case, every party can have a different private output f_i(x_1, ..., x_n)
Then the task is: given private inputs b_i, party i should learn f_i(b_1, ..., b_n) and nothing else
Example 2: Scalar Product
Alice's input: a⃗ = (a_1, ..., a_n)
Bob's input: b⃗ = (b_1, ..., b_n)
Alice's output: f(a⃗, b⃗) = Σ_{i=1}^{n} a_i · b_i
Bob's output: ⊥ (nothing)
Alice should be convinced that her output is correct
Example 3: E-voting
n voters v_i, m candidates c_j
Simple case: every voter v_i casts her ballot for some candidate c_j, b_i = c_j
Ballots are sent to voting servers who output the tally: for each j ∈ {1, ..., m}, T_j = |{i ∈ [n] : b_i = c_j}|
Everybody should learn {T_j : j ∈ {1, ..., m}}
Nobody should learn anything else
Voters should be convinced the result is correct
Definitions of Security
Will be postponed: we will first see some natural protocols
Security definitions are important: we should first have an idea of what we are aiming for
There are whole books about definitions [Goldreich, 2001]
Semihonest model: parties behave honestly, but are curious
- Security = privacy (in the semihonest model)
Malicious model: parties behave adversarially
- Security = privacy + correctness
- Will study later
Efficient Protocols Based on Algebra
Many efficient protocols are based on algebraic structures
Common example: a finite cyclic group (G, ·) where the exponentiation φ : Z_q → G, a ↦ g^a, is both one-way (hard to invert) and an isomorphism (linear map):
  g^0 = 1, g^{−a} = 1/g^a, g^a g^b = g^{a+b}.
Using a one-way exponentiation, one can design efficient protocols for many problems.
However, there is a limit, and one often needs even more algebraic structure
- E.g., bilinear or multilinear maps
Background in Algebra/Number Theory
The rest of this lecture consists of some background in algebra / number theory that every "working cryptographer" must have
My opinion: everybody who gets a BSc in computer science must also have it (except the part about elliptic curves and quantum computing, maybe)
Some of the background is given in cryptographic (as opposed to algebraic) language
Standard reference in algebra: [Lang, 2005]
Books that combine algebra and cryptography: [Koblitz, 1994, Koblitz, 1998] etc
Reminder: Groups
(G, ∘) is a group if:
- G is a set, ∘ : G × G → G is a binary operation
- (associative) g_1 ∘ (g_2 ∘ g_3) = (g_1 ∘ g_2) ∘ g_3
- (unit element) there exists 1 ∈ G, s.t. for all g, 1 ∘ g = g ∘ 1 = g
- (inverse) ∀g ∃g^{−1} ∈ G, s.t. g ∘ g^{−1} = g^{−1} ∘ g = 1
(G, ∘) is abelian if additionally
- (commutative) g_1 ∘ g_2 = g_2 ∘ g_1 for all g_1, g_2
Multiplicative group: ·, 1, g^{−1}
Additive group: +, 0, −g
Reminder: Cyclic groups
Let (G, ∘) be a group
- g^x = g · g · ... · g (x times)
- g^{−x} = g^{−1} · g^{−1} · ... · g^{−1}
For g ∈ G, let ⟨g⟩ := {g^x : x ∈ Z}
- g is a generator of ⟨g⟩
- If G = ⟨g⟩ then G is cyclic
Example:
- (Z, +) is cyclic with generator 1
- (Z_q = {0, 1, ..., q − 1}, +) is cyclic with generator 1
Reminder: Cyclic groups
Intuition: if G is cyclic then an arbitrary element of G can be obtained from an arbitrary other element of G via exponentiation
E.g.: for fixed m, g ≠ 1 and random r, m g^r is random in a cyclic group G
- g^r masks perfectly the element m
If G is not cyclic, g^r belongs to the subgroup of G generated by g
Egyptian Exponentiation Algorithm
input: integers x, y (y ≥ 1; for y = 0 the first loop would never terminate)
output: integer z = x^y

while y is even do
    x ← x · x            /* log2 n to 2 log2 n mult */
    y ← ⌊y/2⌋            /* in average 1.5 log2 n */
end
z ← x
y ← ⌊y/2⌋
while y > 0 do
    x ← x · x
    if y is odd then z ← z · x
    y ← ⌊y/2⌋
end
return z
Brauer’s Algorithm
Similar, but instead of 2 uses basis 2^k
1 for i = 0 to 2^k − 1 do a_i ← g^i;
2 write x = Σ_i x_i · 2^{k i} with digits 0 ≤ x_i < 2^k, and compute g^x ← Π_i a_{x_i}^{2^{k i}};
Takes ≈ log2 x + log2 x / log2 log2 x multiplications for the optimal value of k
(Proposed by Brauer in 1939) http://en.wikipedia.org/wiki/Exponentiation_by_squaring
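The two exponentiation algorithms above, written out in Python with the group multiplications counted, so the cost figures on the slides can be checked on concrete exponents. This is an added example, not code from the lecture; the group is (Z_p^*, ·) for a constructed small prime p, and the `CountingGroup` and `count_mults` helpers are mine.

```python
"""Two exponentiation algorithms from the lecture, instrumented to count
group multiplications: the right-to-left "Egyptian" square-and-multiply
variant and Brauer's 2^k-ary method. Added example, not from the lecture
notes; the group is (Z_p^*, .) for a constructed small prime p."""


class CountingGroup:
    """Multiplicative group Z_p^* that counts every multiplication it performs."""

    def __init__(self, p):
        self.p = p
        self.mults = 0

    def mul(self, a, b):
        self.mults += 1
        return (a * b) % self.p


def egyptian_pow(G, x, y):
    """Return x^y following the slide's algorithm. Requires y >= 1: for y = 0
    the first loop would never terminate, since 0 stays even after halving."""
    assert y >= 1
    while y % 2 == 0:            # strip trailing zero bits: x <- x^2, y <- y/2
        x = G.mul(x, x)
        y //= 2
    z = x                        # lowest remaining bit of y is 1, so z starts at x
    y //= 2
    while y > 0:
        x = G.mul(x, x)          # one squaring per remaining bit
        if y % 2 == 1:
            z = G.mul(z, x)      # one extra multiplication per set bit
        y //= 2
    return z


def brauer_pow(G, g, x, k):
    """Brauer's 2^k-ary method: precompute a_j = g^j for 0 <= j < 2^k, write
    x = sum_i x_i 2^(k i) with digits 0 <= x_i < 2^k, and evaluate
    g^x = prod_i a_{x_i}^(2^(k i)) from the most significant digit down."""
    table = [1]                  # a_0 = 1
    for _ in range(2 ** k - 1):  # a_j = a_{j-1} * g, 2^k - 1 multiplications
        table.append(G.mul(table[-1], g))
    digits = []
    while x > 0:                 # base-2^k digits, least significant first
        digits.append(x % 2 ** k)
        x //= 2 ** k
    if not digits:               # x = 0
        return 1
    z = table[digits[-1]]        # most significant digit is nonzero
    for d in reversed(digits[:-1]):
        for _ in range(k):       # z <- z^(2^k): k squarings
            z = G.mul(z, z)
        if d:                    # a zero digit needs no multiplication
            z = G.mul(z, table[d])
    return z


def count_mults(method, p, g, x, k=4):
    """Run one exponentiation and return (result, multiplications used)."""
    G = CountingGroup(p)
    z = egyptian_pow(G, g, x) if method == "egyptian" else brauer_pow(G, g, x, k)
    return z, G.mults


if __name__ == "__main__":
    p = 1000003                  # constructed prime, toy size
    for x in (1, 2, 12345, 2 ** 20 - 1):
        e, ne = count_mults("egyptian", p, 2, x)
        b, nb = count_mults("brauer", p, 2, x)
        assert e == b == pow(2, x, p)
        print(f"x = {x}: egyptian {ne} mults, brauer (k=4) {nb} mults")
```

For the all-ones exponent 2^20 − 1 the Egyptian variant needs 38 multiplications (19 squarings plus 19 multiplications), while Brauer's method with k = 4 needs 35 (15 for the table, then 4 digits at 5 multiplications each); the table cost is paid once, which is why the 2^k-ary method wins for long exponents.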
Reminder: Group Order
Element g ∈ G has order q = ord(g) if g^q = 1 and g^i ≠ 1 for 0 < i < q
Group G has order q, q = ord(G), if q = max_{g ∈ G} ord(g)
If G is cyclic of order q, then for every generator g and every h ∈ G, there exists a unique i ∈ Z_q such that h = g^i
Note that if q = ord(G), then ∀i : g^i = g^{i mod q}
Reminder: Divisibility Etc
For a, b ∈ Z, a | b if there exists c ∈ Z such that b = ca
For a, b > 1, gcd(a, b) is the greatest common divisor of a and b
- gcd(a, b) | a, gcd(a, b) | b
- If c | a and c | b, then c ≤ gcd(a, b)
gcd(a, b) can be computed efficiently by using the Euclidean Algorithm
If gcd(a, b) = 1, then a and b are coprime
Cryptographic Groups
Algebraic properties:
- Group properties (associativity etc) are all useful, but it depends on the concrete context
- Both for functionality and efficiency
- Cyclic groups are desirable but not necessary: gives some convenience and efficiency
Efficiency:
- short representations of group elements
- group operations, and testing group membership, should be easy
Security:
- Some problem must be hard
- Typical such assumption: exponentiation should be a one-way function
Instantiation 1 of G
For n > 1, Z_n^* := {i ∈ {1, ..., n − 1} : gcd(n, i) = 1}
Fact: i is invertible in (Z_n, ·) iff gcd(n, i) = 1
(Z_n^*, ·) is a group
φ(n) := |Z_n^*| is Euler's totient function
- If p is prime, then φ(p) = p − 1
- Z_p^* = Z_p \ {0}
Lagrange's theorem: If G is finite and G' ⊆ G is a subgroup, then ord(G') | ord(G)
Sylow's theorems: if q is prime and q | |G|, there will always be a (unique) subgroup of G of order q.
Instantiation 1 of G
Example: Let p, q be two large primes s.t. q | (p − 1). Let G be the unique subgroup of Z_p^* of order q. Let g be a generator of G.
Explanation: |Z_p^*| = p − 1, thus there exists a (unique) subgroup G of Z_p^* of order q.
In practical instantiations, log2 p ≥ 3248 and log2 q ≥ 256. We need ≥ 3248 bits to represent an element of G. Exponentiation in G takes ≥ 256 multiplications by using Brauer's algorithm.
(See http://www.keylength.com/en/3/ for recommended "key lengths")
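The construction in the example above, carried out on toy primes so that every claim on the slide (φ(p) = p − 1, Lagrange, existence and uniqueness of the order-q subgroup, the generator having order exactly q) can be verified by exhaustive computation. Added example, not code from the lecture; the primes p = 23, q = 11 are constructed and the helper names are mine. The one piece a protocol implementer keeps at real sizes is `membership_test`: h ∈ G iff h^q = 1.

```python
"""The order-q subgroup of Z_p^* from the slide's example, built and checked
on constructed toy primes. Added example, not from the lecture notes: the
primes here are tiny (the slide asks for log2 p >= 3248, log2 q >= 256),
and the brute-force order computation is only feasible at toy size."""
import math
import random


def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))


def euler_phi(n):
    """phi(n) = |Z_n^*|, computed straight from the definition."""
    return sum(1 for i in range(1, n) if math.gcd(i, n) == 1)


def subgroup_generator(p, q, seed=0):
    """Return a generator g of the unique subgroup of Z_p^* of order q.
    Every h in Z_p^* satisfies h^(p-1) = 1 (Lagrange), so g = h^((p-1)/q)
    satisfies g^q = 1; as q is prime, ord(g) is 1 or q, and g != 1 settles it."""
    assert is_prime(p) and is_prime(q) and (p - 1) % q == 0
    rng = random.Random(seed)
    while True:
        h = rng.randrange(2, p)
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return g


def element_order(g, p):
    """ord(g): smallest i > 0 with g^i = 1 in Z_p^* (brute force)."""
    x, i = g % p, 1
    while x != 1:
        x = (x * g) % p
        i += 1
    return i


def generated_subgroup(g, p):
    """<g> = {g^i : i in Z_ord(g)} as a set."""
    elems, x = set(), 1
    while True:
        elems.add(x)
        x = (x * g) % p
        if x == 1:
            return elems


def order_q_elements(p, q):
    """All x in Z_p^* with x^q = 1. If this equals <g>, the order-q subgroup
    is unique: there is nowhere else such an element could live."""
    return {x for x in range(1, p) if pow(x, q, p) == 1}


def membership_test(h, p, q):
    """Subgroup membership check used by protocols: h in G iff h^q = 1."""
    return 0 < h < p and pow(h, q, p) == 1


if __name__ == "__main__":
    p, q = 23, 11                      # constructed: 23 - 1 = 2 * 11
    g = subgroup_generator(p, q, seed=1)
    assert euler_phi(p) == p - 1 and euler_phi(p) % q == 0   # Lagrange
    assert element_order(g, p) == q
    G = generated_subgroup(g, p)
    assert G == order_q_elements(p, q) and len(G) == q
    print(f"g = {g}, G = {sorted(G)}")
```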
Instantiation 2 of G
The most popular alternative involves elliptic curve groups, where log2 q = 256 and G can be represented by using ≈ log2 q bits. Much more efficient than the previous case, though also much more complicated mathematics.
Fineprint: The elliptic curve groups must be chosen carefully. For example, in some elliptic curve groups, one can efficiently solve the DDH problem (see Lectures 2, 3). But such groups are useful otherwise (hint: bilinear pairings, introduced later).
Lecture 2: Assumptions. Discrete Logarithm, CDH
See also supplementary notes 1 (about elliptic curves) onthe course webpage.
Security Assumptions
In general: unknown how to construct unconditionally secure efficient protocols
- Exceptions exist: one-time pad, multi-party computation, ...
Security of efficient protocols is thus usually based on some assumption
XY Assumption: given inputs X with size κ, outputting Y is f(κ) difficult
It is not known how to prove such assumptions
- Requires major advances in complexity theory
Thus we just need to trust the underlying assumption
Security Assumptions
One can always construct a new protocol that is secure under a tautological assumption
- Assumption: Protocol X is secure
- Theorem: Protocol X is secure iff protocol X is secure
- Proof: straightforward
However, that would mean that researchers have to spend years of effort trying to cryptanalyze the concrete protocol
Security Assumptions
More reasonable: amortize cryptanalytic costs, reuse assumptions
- XY assumption (from year current − 10): given input X, outputting Y is difficult
- Theorem: If XY holds, then protocol Z is secure
- Proof: by reduction. Assume Z is insecure. Then show that XY does not hold
- Often complicated proofs, esp. when the assumption is very standard/weak, and the protocol is efficient...
There is a tradeoff between the efficiency of protocols and the standardness of assumptions
- If XY is very well known: can trust the protocol is secure, but the protocol may be less efficient
- If XY is less well known: trust in security may be not so well-founded, but can design more efficient protocols
Quest of protocol designer: find the optimal balance
Protocols: Assumptions vs Efficiency
Common practice in cryptography:
- Have a goal (we need e-voting!)
- Design a protocol (propose an e-voting protocol)
- Prove security based on a well-known assumption
- If the assumption is not well-known: prove it is related to some known assumption
- Iterate: try to make it either more efficient or base it on a more standard assumption
The goals may be contradictory: often need a trade-off
- "The weakest assumption, under which we can implement task X efficiently"
Weak assumption needed to gain trust in a protocol
- We do not need to trust the protocol, but the assumption
Efficiency needed ... for the protocol to be deployed
Standard Assumptions
Discrete logarithm: it is difficult to invert exponentiation in certain groups
- Related assumptions: CDH, DDH, different pairing-based assumptions, ...
- DDH/some pairing-based assumptions: well-known and usually result in good protocols
Factoring: it is difficult to factor integers
- Related assumptions: RSA, Strong-RSA, ...
- Strong-RSA: (relatively) well-known and usually results in good protocols
The rest: lattice-based assumptions, ...
This lecture: DL, CDH
Abstracting G
In the following, we will abstract away the concrete group and assume that G is a multiplicative cyclic group of order q (with some hardness assumptions).
See the supplementary notes for a short overview of elliptic curves
- This will be needed to understand simple group-based cryptography.
- Moreover, elliptic curves have pairings (bilinear maps) that are a powerful tool in designing efficient cryptographic protocols.
Reminder: group isomorphisms
Let (G_1, +) and (G_2, ·) be groups
Function f : G_1 → G_2 is a group isomorphism if
- f(g_1 + g_2) = f(g_1) · f(g_2)
- f(0) = 1
- f(−g) = f(g)^{−1}
Assumption: Sampleability
Efficient sampleability: it is easy to pick a random element from G
For cyclic groups, follows from the isomorphism: sample a ← Z_q (easy) and compute b ← g^a
- since a is a random element of Z_q, b is a random element of G
Discrete Logarithm Problem
Let G be a cyclic group of prime order q
Exponentiation: an efficiently computable isomorphism f : Z_q → G
- Given a generator g, a ↦ g^a =: f(a).
f is an isomorphism:
- f(a) · f(b) = g^a g^b = g^{a+b} = f(a + b),
- f(0) = g^0 = 1,
- f(−a) = g^{−a} = 1/g^a = f(a)^{−1}
Discrete Logarithm Problem
Discrete Logarithm Assumption: f^{−1} is intractable to compute in group G
- I.e., given (g, g^a), it is difficult to find a.
- Or: f : a ↦ g^a is easy to compute but difficult to invert (one-way function)
More precisely: computing a from g^a is inefficient, given a randomly chosen a
g ≠ 1 might be any fixed element of G
Reminder: Basic Complexity Theory
Security parameter: input size κ, say κ ≥ 80
poly(κ) = κ^{O(1)}: polynomial in κ, i.e., there exists a polynomial f such that |poly(κ)| ≤ |f(κ)|
negl(κ) = κ^{−ω(1)}: negligible in κ, i.e., for every polynomial f, |negl(κ)| < 1/|f(κ)| for all sufficiently large κ
Polynomial-time / "efficient" algorithm: works in time poly(κ)
Probabilistic algorithm: can use a random string
Non-uniform algorithm: there may be a separate algorithm for every input size
- construction of the algorithm for a concrete input size can be inefficient, but the algorithm itself will be efficient
DL Assumption, More Formally
Definition. Let G be a cyclic group of prime order q, let κ := ⌈log2 q⌉. Fix a generator g ∈ G. Let

  Adv^dl_G(A) := Pr[a ← Z_q : A(g, g^a) = a].

G is a (τ, ε)-DL group if for any non-uniform probabilistic adversary A that works in time ≤ τ, Adv^dl_G(A) ≤ ε.
G is a DL group if it is a (poly(κ), negl(κ))-DL group.
Exercise: show that this probability does not depend on g.
Difficulty of Discrete Logarithm, I
In any group of order n, the discrete logarithm can be found in time O(√n): Baby-Step Giant-Step and Pohlig-Hellman algorithms
- They should be taught in the "Mathematics for Cryptography" course
The discrete logarithm in a group of order n, n non-prime, is not essentially harder than in the subgroup of this group that has order p := smallest prime factor of n.
- (Also in the MfC course)
- Since arithmetic in the last group is more efficient, one never uses non-prime order groups unless they offer some functionality that cannot be achieved by prime order groups
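To make the O(√n) bound above concrete, here is Shanks' baby-step giant-step algorithm run on a toy order-q subgroup of Z_p^*, with the group operations counted. This is an added example, not code from the lecture; p = 47, q = 23, g = 2 are constructed parameters (46 = 2 · 23 and 2 is a quadratic residue mod 47, so ord(2) = 23). The point for the defender is the one the slide makes: the work is about 2√n group operations whatever the group, so the order q must be chosen with log2 q ≈ 2κ to push this generic attack to 2^κ.

```python
"""Baby-step giant-step (Shanks) for the discrete logarithm in a cyclic group
of known order n, with the number of group operations counted, to make the
slide's O(sqrt(n)) bound concrete. Added example, not from the lecture notes;
the group is a toy order-q subgroup of Z_p^* with constructed parameters."""
import math


def bsgs(g, h, p, n):
    """Find a in Z_n with g^a = h in Z_p^*, where ord(g) = n.
    Returns (a, group_operations); a is None if h is not in <g>.
    With m = ceil(sqrt(n)) write a = i*m + j, 0 <= i, j < m; then
    h * (g^-m)^i = g^j, so some giant step lands in the baby-step table."""
    m = math.isqrt(n)
    if m * m < n:
        m += 1
    baby, x = {}, 1
    for j in range(m):                  # baby steps: g^0, g^1, ..., g^(m-1)
        baby.setdefault(x, j)
        x = (x * g) % p
    ops = m
    giant = pow(g, (n - m) % n, p)      # g^-m = g^(n-m), since g^n = 1
    y = h % p
    for i in range(m):                  # giant steps: h * g^(-m i)
        if y in baby:
            return (i * m + baby[y]) % n, ops
        y = (y * giant) % p
        ops += 1
    return None, ops


if __name__ == "__main__":
    p, q, g = 47, 23, 2                 # constructed: 46 = 2 * 23, ord(2) = 23 mod 47
    a = 17
    h = pow(g, a, p)
    found, ops = bsgs(g, h, p, q)
    assert found == a
    print(f"log_{g}({h}) = {found} in {ops} group operations (n = {q}, 2*sqrt(n) ~ {2 * math.sqrt(q):.1f})")
```

The memory cost is the same √n table, which is why Pollard's rho is preferred in practice; the time bound is the one that matters for choosing q.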
Difficulty of Discrete Logarithm, II
Let G be an order-q subgroup of Z_p^*. Then by using the index calculus algorithm, one can solve the discrete logarithm in time O(e^{√(2 ln p ln ln p)}).
Since the discrete logarithm in G can be solved in time O(√q), one usually chooses log2 q ≥ 256 and log2 p ≥ 3248.
Arithmetic in such groups is very slow:
- By using the square-and-multiply algorithm, one exponentiation of a ∈ G by a random element r ∈ Z_q takes on average 1.5 · 256 = 384.0 multiplications of 3248-bit numbers.
- Brauer's algorithm: ≈ 256 + log2 256 = 264.0 multiplications
Recent Advances in computing DL
There are a number of very recent advances in computing DL in finite fields
- Finite fields are used in elliptic curve cryptography, see supplementary notes
Since the results are really recent, it is yet unknown what influence they will have
- Will describe very briefly
Remedy: increase key sizes (in certain cryptographic protocols)
- Efficiency of attacks depends on key size
- In protocols we assume only that DL/some other problems are hard
- Thus: increase in key size is the universal remedy
Remember: key size can change
Given a finite field F_q of order q = p^k, with specific relations between the size of p and k, one can compute DL in F_q faster than known previously
- [Barbulescu et al., 2013]: for well chosen k, can compute DL in time Θ((log q)^{log log q}) = Θ(κ^{log κ}).
- Those fields not relevant (?) in cryptography
- [Joux and Pierrot, 2013] (Sep 9, 2013): for k = 12, can somewhat speed up the index calculus attack
- Pairing-based cryptosystems with certain curves. E.g.: the most efficient pairing-friendly curves, Barreto-Naehrig curves, use F_{p^12}
Helger Lipmaa (University of Tartu) MTAT.07.014 Cryptographic Protocols MTAT.07.014 59 / 218
On Quantum Computers
Using quantum computers (if they are ever built), discrete logarithm will be easy in an arbitrary group [Shor, 1994]. Moreover, factoring will be easy.
Cf: "Quantum Cryptography" by Dominique Unruh.
Thus, quantum-secure cryptosystems have to be based on different primitives, like lattices [Micciancio and Goldwasser, 2002].
We will mostly talk about "conventional" (not quantum-safe!) public-key crypto.
Lattice-based crypto: 1 or 2 lectures.
Diffie-Hellman Key Exchange Protocol I
Establish a common secret key x.
Alice $(sk_a, pk_b)$, Bob $(sk_b, pk_a)$.
Alice and Bob both have secret keys $sk_a$ and $sk_b$ and public keys $pk_a$ and $pk_b$. Only Alice knows $sk_a$, while everybody knows $pk_a$. Same for Bob.
Alice and Bob generate a new common secret key x such that only Alice and Bob know it. x is later used to encrypt other messages.
All messages are sent on authenticated channels: Alice's/Bob's messages are known to come from Alice/Bob.
Diffie-Hellman Key Exchange Protocol II
Fix a prime q, s.t. $\log_2 q \approx 2\kappa$, and a cyclic group G of order q. Let g be a generator of G.
($2\kappa$ bits to be secure against the baby-step giant-step and Pohlig-Hellman attacks.)
Alice: $sk_a \leftarrow \mathbb{Z}_q$, $pk_a \leftarrow g^{sk_a}$; sends $pk_a$ to Bob.
Bob: $sk_b \leftarrow \mathbb{Z}_q$, $pk_b \leftarrow g^{sk_b}$; sends $pk_b$ to Alice.
Alice: $x_a \leftarrow pk_b^{sk_a}$. Bob: $x_b \leftarrow pk_a^{sk_b}$.
Clearly $x_a = (g^{sk_b})^{sk_a} = g^{sk_a \cdot sk_b} = (g^{sk_a})^{sk_b} = x_b$. Thus, Alice and Bob have established a secret key.
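The exchange above, as an added Python example that is not part of the lecture notes. The group is a constructed toy Schnorr group (p = 2039, q = 1019, g = 4, so q | p − 1 and g has order q); real parameters need q of at least 256 bits as discussed earlier. Besides the two exponentiations, the code performs the parameter and public-key checks an implementation should do: rejecting a received public key that is not in the order-q subgroup keeps the shared key inside the group the assumptions are stated for.

```python
import secrets

# Constructed toy parameters (not the slides'): p = 2q + 1 with q prime, and g = 4
# generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4


def is_prime(n):
    """Trial division; enough for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def check_params():
    """Sanity checks an implementation should run once on its group parameters."""
    return (is_prime(P) and is_prime(Q) and (P - 1) % Q == 0
            and G != 1 and pow(G, Q, P) == 1)


def in_subgroup(y):
    """True iff y is a non-identity element of the order-q subgroup of Z_p^*."""
    return 1 < y < P and pow(y, Q, P) == 1


def keygen():
    sk = secrets.randbelow(Q - 1) + 1      # sk in [1, q-1]; sk = 0 would give pk = 1
    return sk, pow(G, sk, P)               # pk = g^sk


def shared_key(my_sk, their_pk):
    """x = their_pk^my_sk, after checking the peer's key lies in the intended subgroup."""
    if not in_subgroup(their_pk):
        raise ValueError("public key is not in the order-q subgroup")
    return pow(their_pk, my_sk, P)


def run_exchange():
    """One run of the protocol; returns (x_a, x_b), which must coincide."""
    sk_a, pk_a = keygen()
    sk_b, pk_b = keygen()
    return shared_key(sk_a, pk_b), shared_key(sk_b, pk_a)
```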
Security of DH Key Exchange
Goal of adversary (try 1): given $(g, g^{sk_a}, g^{sk_b})$ for random $sk_a, sk_b \leftarrow \mathbb{Z}_q$, output $x = g^{sk_a \cdot sk_b}$.
This is not known to be hard under the DL assumption, and thus there is a separate assumption (CDH) for this problem: Computational Diffie-Hellman.
In the 1970s, this looked like a tautological assumption: if DH key exchange is secure, then DH key exchange is secure.
After 35+ years of cryptanalysis, cryptographers consider CDH to be very standard.
CDH Assumption, Formally
Let G be a cyclic group of prime order q, let $\kappa := \lceil \log_2 q \rceil$. Fix a generator g of G. Let
$Adv^{cdh}_G(A) := \Pr[a, b \leftarrow \mathbb{Z}_q : A(g, g^a, g^b) = g^{ab}]$.
Definition. G is a (τ, ε)-CDH group if for any non-uniform probabilistic adversary A that works in time ≤ τ, $Adv^{cdh}_G(A) \leq \varepsilon$. G is a CDH group if it is a (poly(κ), negl(κ))-CDH group.
As in the case of DL, this probability does not depend on g.
Relation between DL and CDH
If CDH is hard, then clearly DL is hard (will prove).
There are some contrived groups where DL is hard but CDH is not.
For cryptographically relevant groups, the only known way to break CDH is to break DL.
If CDH is hard, then DL is hard
Theorem. Assume G is an (ε, τ)-CDH group. Then it is an (ε, τ − small)-DL group.
Intuition: if we can break DL, then we can recover the secret key of one party, which is sufficient to break the key exchange.
Main idea of the formal proof: $A_{cdh}$ participates in the CDH "game" with the challenger. Since $A_{dl}$ can break DL, $A_{cdh}$ can use "help" from $A_{dl}$. Help consists in interacting with $A_{dl}$ in a conversation that looks like the DL game to $A_{dl}$. Thus, $A_{dl}$ will "break" DL inside that game with probability ε.
If CDH is hard, then DL is hard
Construction of $A_{cdh}$:
$A_{cdh}(g, g_1, g_2)$
1. Send $(g, g_1)$ to $A_{dl}$;
2. Obtain $a^* \leftarrow A_{dl}$; /* secret key of one party */
3. if $g_1 \neq g^{a^*}$ then abort;
4. return $g_2^{a^*}$.
If CDH is hard, then DL is hard
Proof. Assume $A_{dl}$ is an adversary that can break DL. We construct adversary $A_{cdh}$ (the construction above) who can break CDH.
$A_{cdh}$ gets as input $(g, g_1 = g^a, g_2 = g^b)$, where (a, b) have been generated randomly. Her task is to output $g^{ab}$.
Analysis. Assume $A_{dl}$ is successful with probability ε, i.e., with this probability $A_{cdh}$ outputs $g_2^{a^*}$. Since then $g_1 = g^{a^*}$, $a^* = a$, and $g_2^{a^*} = g_2^{a} = g^{ab}$. Thus, $A_{cdh}$ succeeds with probability ε, and works in time $t_{A_{dl}} + small$.
Note that $A_{cdh}$ aborts with probability 1 − ε. We could also let $A_{cdh}$ output garbage in this case.
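The reduction $A_{cdh}$ above, run in code as an added example (not from the lecture). In the constructed toy group (p = 2039, q = 1019, g = 4) the DL adversary $A_{dl}$ can simply be exhaustive search, which is exactly why such parameters are only for illustration; the structure of $A_{cdh}$ (query the DL oracle, verify its answer, abort otherwise, return $g_2^{a^*}$) is the point, and the `unreliable_dl` oracle shows why step 3 matters.

```python
# Constructed toy Schnorr group (same shape as in the slides, tiny sizes): q | p - 1, g of order q.
P, Q, G = 2039, 1019, 4


def brute_force_dl(g, y):
    """Plays the role of A_dl: returns a with g^a = y by exhaustive search over Z_q.
    Feasible only because q is tiny; it stands in for any DL-breaking adversary."""
    cur = 1
    for a in range(Q):
        if cur == y:
            return a
        cur = cur * g % P
    return None                                  # A_dl failed (probability 1 - eps)


def a_cdh(g, g1, g2, a_dl=brute_force_dl):
    """The slides' A_cdh: ask A_dl for log_g(g1), check the answer, return g2^{a*}."""
    a_star = a_dl(g, g1)                           # steps 1-2: a* <- A_dl(g, g1)
    if a_star is None or pow(g, a_star, P) != g1:  # step 3: abort if A_dl did not succeed
        return None
    return pow(g2, a_star, P)                      # step 4: g2^{a*} = (g^b)^a = g^{ab}


def cdh_instance(a, b):
    """A CDH challenge (g, g^a, g^b) together with its solution g^{ab}, for checking."""
    return (G, pow(G, a, P), pow(G, b, P)), pow(G, a * b, P)


def unreliable_dl(g, y):
    """A DL adversary that answers wrongly; A_cdh must abort rather than output garbage."""
    return (brute_force_dl(g, y) + 1) % Q
```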
Study Outcomes
The security of cryptographic protocols is reduced to more basic assumptions.
Security of Diffie-Hellman key exchange (intuitive).
Discrete logarithm: basic algebraic assumption. More reasonable: CDH (for efficiency reasons).
There is a tradeoff between the strength of assumptions and efficiency.
There can be a sudden advance in solving some of the basic assumptions. However, then it usually just suffices to take a longer key in the final protocol.
Lecture 3: DDH. Elgamal
See [Elgamal, 1985] for the original paper on the Elgamal cryptosystem.
Security of DHKE, Try 1
Goal of adversary (try 1): given $(g, g^{sk_a}, g^{sk_b})$ for random $sk_a, sk_b \leftarrow \mathbb{Z}_q$, output $x \leftarrow g^{sk_a \cdot sk_b}$.
Not sufficient in practice! Application: x is used to encrypt further messages. It is bad if even one bit of x leaks.
Goal: the adversary should not get to know anything about x. What does it mean? "Not anything": x should look to her completely random.
Security of DHKE, Try 2
Goal of adversary (try 2): the adversary should not be able to distinguish $(g, g^{sk_a}, g^{sk_b}, g^{sk_a sk_b})$ for random $sk_a, sk_b \leftarrow \mathbb{Z}_q$ from $(g, g^{sk_a}, g^{sk_b}, g^z)$, where z is completely random.
Idea: even if we see the key, we have no way to decide whether it is correct or not.
DHKE is not known to be secure under the CDH assumption. Alternative KE protocols secure under CDH are much slower.
... thus a separate assumption for this problem: Decisional Diffie-Hellman, the tautological assumption for DHKE.
DDH Assumption, Formally
Let G be cyclic of prime order q, $\kappa := \lceil \log q \rceil$. Fix a generator g of G.
DDH Game // Challenger does:
1. $\beta \leftarrow \{0, 1\}$;
2. $(a, b, c) \leftarrow \mathbb{Z}_q^3$;
3. if β = 0 then $g_4 \leftarrow g^{ab}$;
4. else $g_4 \leftarrow g^c$;
5. $\vec{g} \leftarrow (g, g^a, g^b, g_4)$;
6. $\beta' \leftarrow A(\vec{g})$;
7. if β' = β then return 1;
8. else return 0.
$Adv^{ddh}_G(A) := |2 \Pr[\text{DDH game with } A \text{ returns } 1] - 1|$.
G is a (τ, ε)-DDH group if for any non-uniform probabilistic adversary A that works in time ≤ τ, $Adv^{ddh}_G(A) \leq \varepsilon$.
G is a DDH group ⇔ it is a (poly(κ), negl(κ))-DDH group.
Notes
Question: why |2 Pr[guesses correctly] − 1|?
If A just outputs a random bit β', she guesses correctly with probability 1/2. Advantage: $|2 \cdot \frac{1}{2} - 1| = 0$.
If she always guesses correctly: advantage $|2 - 1| = 1$.
If she always guesses wrongly: advantage $|0 - 1| = 1$. Then we can build another adversary that reverses the output of A and thus always guesses correctly.
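The DDH game and the advantage measure, as an added Python example (not from the lecture). The challenger is the one from the definition; the group is the constructed toy group p = 2039, q = 1019, g = 4. Three adversaries are played against it: a random guesser (advantage ≈ 0), an adversary that solves the DL of $g^a$ by exhaustive search and checks whether $g_4 = (g^b)^a$ (advantage ≈ 1, which is why a group this small gives no security), and the output-flipped version of the latter, illustrating the last note above.

```python
import random

P, Q, G = 2039, 1019, 4   # constructed toy group: q | p - 1, g of order q


def ddh_game(adversary, rng):
    """The challenger from the definition; returns 1 iff the adversary guesses beta."""
    beta = rng.randint(0, 1)
    a, b, c = (rng.randrange(Q) for _ in range(3))
    g4 = pow(G, a * b, P) if beta == 0 else pow(G, c, P)
    gvec = (G, pow(G, a, P), pow(G, b, P), g4)
    return 1 if adversary(gvec, rng) == beta else 0


def advantage(adversary, trials, seed=0):
    """Estimate Adv^ddh_G(A) = |2 Pr[game returns 1] - 1| by repeating the game."""
    rng = random.Random(seed)
    wins = sum(ddh_game(adversary, rng) for _ in range(trials))
    return abs(2 * wins / trials - 1)


def random_guess(gvec, rng):
    """Outputs a random bit: right half the time, advantage 0."""
    return rng.randint(0, 1)


def dl_distinguisher(gvec, rng):
    """Recovers a from g^a by exhaustive search (possible only in this toy group) and
    tests g4 == (g^b)^a.  Wrong only when a random c happens to equal ab mod q."""
    g, ga, gb, g4 = gvec
    cur, a = 1, 0
    while cur != ga:
        cur = cur * g % P
        a += 1
    return 0 if pow(gb, a, P) == g4 else 1


def flipped(adversary):
    """An adversary that reverses another one's output has the same advantage."""
    return lambda gvec, rng: 1 - adversary(gvec, rng)
```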
If DDH is Hard, then CDH is Hard
Straightforward exercise (do it at home). The idea is clear: if you are able to compute the common key with high probability, you can be sure that it's not random.
But try to formalize!
Usefulness of DDH
Trust: DDH is well known (and trusted). Related to the security of the first public-key protocol, DHKE [Diffie and Hellman, 1976]. Most groups that are believed to be CDH groups are also believed to be DDH groups. Gap groups: believed-to-be CDH groups where DDH is weak [Menezes et al., 1993]. Gap groups are widely used in pairing-based crypto.
Efficiency/usability: DH key exchange is secure under DDH. Many known efficient primitives and protocols are secure under DDH.
Large fraction of this course: we introduce efficient DDH-based PKCs/protocols.
Further Modularization
(Diagram: assumptions are used to build primitives, and primitives are used to build the protocol.)
Public-Key Cryptosystem
Definition. A PKC is a triple of efficient algorithms Π = (G, E, D), s.t.
κ is the security parameter (e.g., key length);
$(sk, pk) \leftarrow G(1^\kappa)$ is the key generation algorithm;
$E_{pk}(m; r) = c$ is the randomized encryption algorithm;
$D_{sk}(c) = m$ is the decryption algorithm.
Correctness: $D_{sk}(E_{pk}(m; r)) = m$ for all m, r and $(sk, pk) \in G(1^\kappa)$.
Security goal: confidentiality.
Recall: $1^\kappa = 1 \ldots 1$ (κ times).
Need for Homomorphism
To construct efficient protocols, it would be nice to be able to apply some algebraic operations on plaintexts, without decryption. E.g.: given $E_{pk}(m_1)$ and $E_{pk}(m_2)$, construct $E_{pk}(m_1 + m_2)$.
We will see abundant examples why this is useful.
The simplest way: assume encryption "agrees" with algebraic operations. E.g.: $E_{pk}(m_1) \cdot E_{pk}(m_2) = E_{pk}(m_1 \cdot m_2)$.
Multiplicatively Homomorphic PKC
A PKC is multiplicatively homomorphic if:
1. The plaintext set (M, ·) is a multiplicative group, the randomizer set R is a group, and the ciphertext set (C, ·) is a multiplicative group. All three sets depend on κ and may depend on (sk, pk).
2. $E_{pk}(m_1; r_1) \cdot E_{pk}(m_2; r_2) = E_{pk}(m_1 \cdot m_2; r_1 r_2)$, where $r_1 r_2$ denotes the group operation of R. Thus, $D_{sk}(E_{pk}(m_1; r_1) \cdot E_{pk}(m_2; r_2)) = m_1 \cdot m_2$ for every $m_1, m_2, r_1, r_2$.
3. The discrete logarithm problem is hard in the group M.
Note: we will see in future lectures what happens if (3) does not hold.
MH Encryption: Basic Properties
$D_{sk}(E_{pk}(m_1; r_1) \cdot E_{pk}(m_2; r_2)) = m_1 \cdot m_2$.
Computation of an encryption of $m_1 \cdot m_2$ does not need knowledge of $m_1$ or $m_2$.
For m ∈ M and $\alpha \in \mathbb{Z}_{|M|}$, $D_{sk}(E_{pk}(m; r)^\alpha) = D_{sk}(E_{pk}(m; r) \cdots E_{pk}(m; r)) = m^\alpha$, by definition of exponentiation.
Given x and $E_{pk}(g^{f_i})$ for $i \in \{0, \ldots, t\}$: $E_{pk}(g^{f(x)}) = \prod_{i=0}^t E_{pk}(g^{f_i})^{x^i}$, where $f(X) := \sum_{i=0}^t f_i X^i$.
We write $E_{pk}(m)$ when the precise value of r is not important.
Reminder: One-Time Pad
One-time pad is a symmetric cryptosystem such that:
The key is as long as the plaintext, completely random, and only used once.
Encryption: $E_K(m) = K \oplus m$.
Decryption: $D_K(c) = K \oplus c = K \oplus (K \oplus m) = m$.
One can replace ⊕ with an arbitrary group operation:
Encryption: $E_K(m) = K \cdot m$. Decryption: $D_K(c) = K^{-1} \cdot c = K^{-1} \cdot (K \cdot m) = m$.
Clearly homomorphic: $(K_1 \cdot m_1) \cdot (K_2 \cdot m_2) = (K_1 \cdot K_2) \cdot (m_1 \cdot m_2)$.
Elgamal Encryption: Idea
Intuition: DHKE's shared key = new OTP key. The OTP key has to be new: the sender uses a new sk every time. Encrypt as in OTP. Elgamal ciphertext = ciphertext of OTP + new public key for DHKE.
Cor. (from DHKE): Elgamal is secure if DDH holds.
Cor. (from OTP): Elgamal is a homomorphic public-key cryptosystem.
Elgamal Encryption
Assume a cyclic group $G = \langle g \rangle$ of prime order q.
$G(1^\kappa)$: let $sk \leftarrow \mathbb{Z}_q$ and $pk \leftarrow h = g^{sk}$.
Encryption of m ∈ G: generate random $r \leftarrow \mathbb{Z}_q$; $E_{pk}(m; r) \leftarrow (m h^r, g^r)$.
Decryption of $c = (c_1, c_2) \in G^2$: $D_{sk}(c_1, c_2) \leftarrow c_1 / c_2^{sk}$.
Alice (g, pk = h, m): $r \leftarrow \mathbb{Z}_q$; sends $(c_1, c_2) = (m h^r, g^r)$ to Bob (g, sk), who computes $m \leftarrow c_1 / c_2^{sk}$.
Intuition: $r = sk_2$, $h = pk_1$, $g^r = pk_2$, $h^r = pk_1^{sk_2} = pk_2^{sk_1} = g^{r \cdot sk}$.
Correctness: $D_{sk}(E_{pk}(m; r)) = D_{sk}(m h^r, g^r) = m \cdot h^r / (g^r)^{sk} = m \cdot (g^{sk})^r / (g^{sk})^r = m$.
Elgamal Encryption is MH
Plaintext group: cyclic group G of order q, where DL is assumed to be hard. Ciphertext group: $G^2$ with $(g_1, g_1') \cdot (g_2, g_2') := (g_1 g_2, g_1' g_2')$.
$E_{pk}(m_1; r_1) \cdot E_{pk}(m_2; r_2) = (m_1 h^{r_1}, g^{r_1}) \cdot (m_2 h^{r_2}, g^{r_2}) = (m_1 m_2 h^{r_1 + r_2}, g^{r_1 + r_2}) = E_{pk}(m_1 \cdot m_2; r_1 + r_2)$.
Also, if $\alpha \in \mathbb{Z}_q$ is a known value, one can compute $E_{pk}(m; r)^\alpha = (m^\alpha h^{\alpha r}, g^{\alpha r}) = E_{pk}(m^\alpha; \alpha r)$.
Exercise: if G is a group then $G^2$ is a group.
IND-CPA Security: Informally
It does not suffice when it is difficult to recover the secret key or the plaintext. In practically all applications, the adversary should not obtain any information about the plaintext, even if she has a lot of preknowledge about it.
Recall: same discussion as in the case of DHKE.
For example: the adversary knows the plaintext is yes/no. She has to guess which one is true.
Security notion: (IND-)CPA, indistinguishability under chosen plaintext attacks.
CPA Security
Definition. Let δ(A) := Pr[CPA game with A returns 1]. Let $Adv^{cpa}_\Pi(A) := |2\delta(A) - 1|$.
Π is (τ, ε)-CPA secure if no time-≤ τ A has $Adv^{cpa}_\Pi(A) > \varepsilon$.
CPA game // Challenger does:
1. $(sk, pk) \leftarrow G(1^\kappa)$;
2. $(m_0, m_1) \leftarrow A(pk)$;
3. $\beta \leftarrow \{0, 1\}$;
4. $r \leftarrow R$;
5. $c \leftarrow E_{pk}(m_\beta; r)$;
6. $\beta' \leftarrow A(pk, c)$;
7. if β' = β then return 1;
8. else return 0.
Notes on Definition
IND-CPA security is defined only if r is uniformly random.
Thus: if a protocol uses an IND-CPA secure cryptosystem, we must guarantee that transferred ciphertexts use uniformly random r.
Fixing g as a system parameter (permanent) or having it as a part of the public key (temporary) does not matter for security.
Elgamal Is IND-CPA Secure
Theorem. Assume that G is a (τ, ε)-DDH group. Then Elgamal in G is (τ − small, 2ε)-IND-CPA secure.
Proof Intuition
For the proof, we note that:
If $(g_1, g_2, g_3, g_4) = (g, g^a, g^b, g^{ab})$ then $(g_4, g_3) = (1 \cdot g^{ab}, g^b)$ is an encryption of 1 under public key $pk = g_2 = g^a$.
OTOH, if $(g_1, g_2, g_3, g_4) = (g, g^a, g^b, g^c)$ for random c, then $(g_4, g_3) = (g^c, g^b) = (g^{c - ab} g^{ab}, g^b)$ is an encryption of the random plaintext $g^{c - ab}$ under public key $pk = g_2 = g^a$.
Intuition: breaking DDH is tautologically as hard as distinguishing Elgamal encryptions of any fixed plaintext from Elgamal encryptions of a random plaintext.
Elgamal Is IND-CPA Secure: Proof I
Assume that A can break IND-CPA security with probability 2ε. Construct the next DDH distinguisher D that will break DDH with probability ε. (This shows that if DDH is hard, then Elgamal in G is IND-CPA secure.)
Intuition behind 2ε: we get a slight security loss (the reduction is imprecise) since inside the proof we are with probability 1/2 dealing with a situation where A has no advantage over a random coin toss.
In practice it means that in Elgamal one might want to use a slightly larger key.
Elgamal Is IND-CPA Secure: Proof II
Main idea of the proof:
D participates in the DDH "game" with the challenger.
Since A can break IND-CPA of Elgamal, D can use "help" from A.
Help consists in interacting with A in a conversation that looks like the IND-CPA game to A.
Thus, A will "break" IND-CPA of Elgamal inside that game with probability ε.
Very typical cryptographic proof.
Elgamal Is IND-CPA Secure: Proof III
(Diagram: Challenger, D and A.)
Challenger: $\beta_{ddh} \leftarrow \{0, 1\}$, $g_1 \leftarrow G$, $(a, b, c) \leftarrow \mathbb{Z}_q^3$, $g_2 \leftarrow g_1^a$, $g_3 \leftarrow g_1^b$, $g_4 \leftarrow (\beta_{ddh} = 0)\ ?\ g_1^{ab} : g_1^c$; sends $(g_1, g_2, g_3, g_4)$ to D.
D exchanges messages 1, …, s with A, then outputs $\beta'_{ddh}$ to the challenger, who checks whether $\beta'_{ddh} = \beta_{ddh}$.
Elgamal Is IND-CPA Secure: Proof IV
$D^A(g_1, g_2, g_3, g_4)$:
$g \leftarrow g_1$, $pk \leftarrow g_2$;
$(m_0, m_1) \leftarrow A(g, pk)$;
$\beta_{cpa} \leftarrow \{0, 1\}$, $(c_1, c_2) \leftarrow (m_{\beta_{cpa}} \cdot g_4, g_3)$;
$\beta'_{cpa} \leftarrow A(g, pk, (c_1, c_2))$;
$\beta'_{ddh} \leftarrow (\beta'_{cpa} = \beta_{cpa})\ ?\ 0 : 1$.
Elgamal is IND-CPA Secure: Proof V
$\beta_{ddh} = 0$: $(g_1, g_2; g_4, g_3) = (g, pk; E_{pk}(1; R))$, so $(m_{\beta_{cpa}} \cdot g_4, g_3) = E_{pk}(m_{\beta_{cpa}}; R)$. $(c_1, c_2)$ corresponds to what A expects as an input in the IND-CPA game, so A has advantage $Adv^{cpa}_\Pi(A) = |2 \Pr[\beta'_{cpa} = \beta_{cpa}] - 1|$.
$\beta_{ddh} = 1$: $(g_1, g_2; g_4, g_3) = (g, pk; E_{pk}(M; R))$, so $(m_{\beta_{cpa}} \cdot g_4, g_3) = E_{pk}(M; R)$. $(c_1, c_2)$ does not depend at all on $m_0$ / $m_1$, so A has advantage $|2 \cdot \frac{1}{2} - 1| = 0$.
In what follows, $E_{pk}(M; \cdot)$ means $E_{pk}(m; \cdot)$ for a uniformly random $m \leftarrow M$.
Elgamal is IND-CPA Secure: Proof VI
$\Pr[\beta'_{ddh} = \beta_{ddh}] = \Pr[\beta'_{ddh} = \beta_{ddh} \mid \beta_{ddh} = 0] \cdot \underbrace{\Pr[\beta_{ddh} = 0]}_{1/2} + \underbrace{\Pr[\beta'_{ddh} = \beta_{ddh} \mid \beta_{ddh} = 1]}_{1/2} \cdot \underbrace{\Pr[\beta_{ddh} = 1]}_{1/2} = \Pr[\beta'_{ddh} = \beta_{ddh} \mid \beta_{ddh} = 0] \cdot \frac{1}{2} + \frac{1}{4}$.
Basic probability theory: $\Pr[A] = \Pr[A \mid B] \Pr[B] + \Pr[A \mid \neg B] \Pr[\neg B]$.
Elgamal is IND-CPA Secure: Proof VII
Trivially $\Pr[\beta'_{ddh} = \beta_{ddh} \mid \beta_{ddh} = 0] = \Pr[\beta'_{ddh} = 0 \mid \beta_{ddh} = 0] = \Pr[\beta'_{cpa} = \beta_{cpa} \mid \text{IND-CPA game}] =: \varepsilon'$.
Since $2\varepsilon = Adv^{cpa}_\Pi(A) = |2\varepsilon' - 1|$, we have
$\varepsilon' = \frac{1}{2} + \varepsilon$ if $\varepsilon' \geq \frac{1}{2}$, and $\varepsilon' = \frac{1}{2} - \varepsilon$ if $\varepsilon' < \frac{1}{2}$,
and therefore
$\Pr[\beta_{ddh} = \beta'_{ddh}] = (\frac{1}{2} + \varepsilon)/2 + \frac{1}{4} = \frac{1}{2} + \frac{\varepsilon}{2}$ if $\varepsilon' \geq \frac{1}{2}$, and $\Pr[\beta_{ddh} = \beta'_{ddh}] = (\frac{1}{2} - \varepsilon)/2 + \frac{1}{4} = \frac{1}{2} - \frac{\varepsilon}{2}$ if $\varepsilon' < \frac{1}{2}$.
Thus $Adv^{ddh}_G(D) = |2 \Pr[\beta_{ddh} = \beta'_{ddh}] - 1| = \varepsilon$. QED
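The distinguisher D of Proof IV, run in code as an added example (not from the lecture), in the constructed toy group p = 2039, q = 1019, g = 4. Since no real IND-CPA adversary against Elgamal is available, the adversary A is a deliberately unrealistic one that has been handed the secret key a (it wins the genuine IND-CPA game with advantage 2ε = 1). Running D on it makes the factor-2 loss of Proofs VI and VII visible: on real DDH tuples D is always right, on random tuples A faces a random plaintext and D is right only half the time, so $\Pr[\beta'_{ddh} = \beta_{ddh}] \approx 3/4$ and $Adv^{ddh}_G(D) \approx 1/2 = \varepsilon$.

```python
import random

P, Q, G = 2039, 1019, 4   # constructed toy group: q | p - 1, g of order q


class SecretKeyAdversary:
    """An IND-CPA adversary that (unrealistically) holds sk; it decrypts the challenge.
    Used only to exercise the reduction D, which never looks inside A."""

    def __init__(self, sk, rng):
        self.sk, self.rng = sk, rng

    def choose(self, g, pk):
        self.m0, self.m1 = pow(g, 1, P), pow(g, 2, P)   # two distinct group elements
        return self.m0, self.m1

    def guess(self, g, pk, c):
        m = c[0] * pow(c[1], (-self.sk) % Q, P) % P     # Elgamal decryption c1 / c2^sk
        if m == self.m0:
            return 0
        if m == self.m1:
            return 1
        return self.rng.randint(0, 1)                    # random plaintext: coin toss


def distinguisher(gvec, adversary, rng):
    """D from Proof IV: (g1, g2) serve as (g, pk), (g4, g3) as the challenge ciphertext."""
    g1, g2, g3, g4 = gvec
    g, pk = g1, g2
    m0, m1 = adversary.choose(g, pk)
    beta_cpa = rng.randint(0, 1)
    c = ((m1 if beta_cpa else m0) * g4 % P, g3)
    beta_cpa_guess = adversary.guess(g, pk, c)
    return 0 if beta_cpa_guess == beta_cpa else 1


def ddh_tuple(a, b, c, real):
    """(g, g^a, g^b, g^{ab}) if real, else (g, g^a, g^b, g^c)."""
    return (G, pow(G, a, P), pow(G, b, P), pow(G, a * b if real else c, P))


def check_real_tuple(a, b, seed=0):
    """On a real tuple the simulated ciphertext is a genuine encryption of m_beta under
    pk = g^a, so the sk-holding adversary is always right and D always answers 0."""
    rng = random.Random(seed)
    return distinguisher(ddh_tuple(a, b, 0, True), SecretKeyAdversary(a, rng), rng)


def estimate_success(trials, seed=0):
    """Estimate Pr[beta'_ddh = beta_ddh] for D built on the sk-holding adversary."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        beta_ddh = rng.randint(0, 1)
        a, b, c = (rng.randrange(Q) for _ in range(3))
        adv = SecretKeyAdversary(a, rng)
        guess = distinguisher(ddh_tuple(a, b, c, beta_ddh == 0), adv, rng)
        wins += guess == beta_ddh
    return wins / trials
```

With `estimate_success` close to 3/4, $|2 \cdot \frac{3}{4} - 1| = \frac{1}{2}$ is D's DDH advantage while A's IND-CPA advantage is 1, exactly the relation $2\varepsilon$ versus $\varepsilon$ in the theorem.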
Learning Outcomes
DDH security, and understanding why this notion "makes sense".
Modular design of protocols.
PKC, homomorphism and its necessity.
Elgamal and how it is related to DHKE and OTP.
CPA-security.
Examples of simple security proofs.
Lecture 4: Lifted Elgamal. MH Protocols
Blinding Property
From homomorphism: $E_{pk}(m; r_1) \cdot E_{pk}(1; r_2) = E_{pk}(m; r_1 + r_2)$.
Interpretation: if $r_2$ is uniformly random, then $r_1 + r_2$ is uniformly random.
Corollary: for any m and $r_1$, $E_{pk}(m; r_1 + r_2)$ is a random encryption of m, independently of whether $r_1$ is random or not. Useful for getting privacy in protocols.
Example: assume $c = E_{pk}(m; r)$. Then the randomness in $c^b = E_{pk}(m^b; br)$ is related to r, and one could try to use (r, br) to recover b.
Example Protocol: Asymmetric Veto
Alice (G, g; a) and Bob (G, g; b):
Alice: $(sk, pk) \leftarrow G(1^\kappa)$, $r_a \leftarrow R$; sends $(pk, c \leftarrow E_{pk}(g^a; r_a))$ to Bob.
Bob: $r_b \leftarrow R$; $c' \leftarrow c^b \cdot E_{pk}(1; r_b) = E_{pk}(g^{ab}; b r_a + r_b)$; sends $c'$ to Alice.
Alice: $m \leftarrow \log_g(D_{sk}(c')) = \log_g(g^{ab}) = ab$.
Correctness: Alice learns $f(a, b) := a \wedge b$, Bob learns nothing. Computing the DL of $g^{ab}$ is easy if $a, b \in \{0, 1\}$.
Privacy: in the semihonest model, Alice learns nothing except $a \wedge b$, if Elgamal is "secure".
We will formally define privacy and prove it in the next lecture.
Remarks
ab leaks something on b: if Alice's input is 1, she'll get to know b. But this is the desired functionality. If not desired: implement a different functionality.
The protocol just implements the desired functionality. Functionality (goal): what do we need? Cryptography (tool): design a protocol for the functionality.
a  b  a ∧ b
0  0  0
0  1  0
1  0  0
1  1  1
We encrypt $g^a$, not a: $g^a \in \{g^0, g^1\} = \{1, g\}$.
Semihonest model: Alice creates her message as required but just tries to be nosy.
Lifted MH Encryption
Elgamal = additively homomorphic in exponents (alternative interpretation).
Lifted MH Encryption: like MH, but the plaintext space is $\mathbb{Z}_q$:
$E^\uparrow_{pk}(x; r) := E_{pk}(g^x; r)$,
$D^\uparrow_{pk}(c) := \log_g D_{sk}(c)$.
Lifted Elgamal: Elgamal in "another domain".
(Commutative diagram: $\mathbb{Z}_q \xrightarrow{\exp} G \xrightarrow{E_{pk}} G^2$, with $E^\uparrow_{pk}$ the composite map $\mathbb{Z}_q \to G^2$. The diagram is for illustrative purposes; it ignores the randomness.)
Using lifted Elgamal allows us to simplify notation; we also just denote it by E.
Next lecture: truly AH cryptosystems, where decryption does not require computing a DL.
Lifted Elgamal: Definition
Let G be a cyclic multiplicative group of prime order q, with generator g ∈ G.
Key generation G: $sk \leftarrow \mathbb{Z}_q$, $pk \leftarrow h \leftarrow g^{sk}$.
Encryption E: $r \leftarrow \mathbb{Z}_q$, $(c_1, c_2) = E_{pk}(m; r) \leftarrow (g^m h^r, g^r)$.
Decryption D: $D_{pk}(c_1, c_2) = \log_g(c_1 / c_2^{sk})$.
Alice (g, h, m): $r \leftarrow \mathbb{Z}_q$; sends $(c_1, c_2) = (g^m h^r, g^r)$ to Bob (g, sk), who computes $m \leftarrow \log_g(c_1 / c_2^{sk})$.
Correctness: $D_{pk}(E_{pk}(m; r)) = \log_g(g^m h^r / (g^r)^{sk}) = \log_g g^m = m$.
Lifted Elgamal: Properties
Additive homomorphism: $E_{pk}(m_1; r_1) \cdot E_{pk}(m_2; r_2) = (g^{m_1 + m_2} h^{r_1 + r_2}, g^{r_1 + r_2}) = E_{pk}(m_1 + m_2; r_1 + r_2)$.
The IND-CPA proof works.
Decryption is efficient only if the plaintext space is small, say $|M| < 2^{40}$. Thus, not a truly AH cryptosystem.
In the following we use lifted Elgamal explicitly.
2-Message Homomorphic Protocols
a, b: anything (e.g., a complex number).
$m_i = m_i(a) \in \mathbb{Z}_q$ depend on a.
Reply: computes a linear function of plaintexts (since we have a hom. PKC).
Answer: usually just several decryptions.
Alice (a): // Query($1^\kappa$, a): $(sk, pk) \leftarrow G(1^\kappa)$; for $i \in \{1, \ldots, t\}$: $r_i \leftarrow R$, $c_i \leftarrow E_{pk}(m_i; r_i)$; sends $(pk; c_1, \ldots, c_t)$ to Bob.
Bob (b): $r \leftarrow Reply(1^\kappa, b, pk, c_1, \ldots, c_t)$; sends r to Alice.
Alice: $a \leftarrow Answer(1^\kappa, a, sk, r)$.
Bob's actions are restricted "linearly". The output has to be small (need DL).
Example Protocol: Scalar Product I
Alice's input: $\vec{a} = (a_1, \ldots, a_t) \in \mathbb{Z}_q^t$.
Bob's input: $\vec{b} = (b_1, \ldots, b_t) \in \mathbb{Z}_q^t$.
Alice's output: $\langle \vec{a}, \vec{b} \rangle = \sum_{i=1}^t a_i b_i \bmod q \in \mathbb{Z}_q$.
Idea of protocol: Bob computes the linear function $(a_1, \ldots, a_t) \mapsto \sum b_i a_i$. More precisely: $(E_{pk}(a_1), \ldots, E_{pk}(a_t); \vec{b}) \mapsto E_{pk}(\sum b_i a_i)$.
Decrypting is possible if:
if $a_i, b_i$ are Boolean: $\sum a_i b_i \leq t$;
if $0 \leq a_i, b_i < 2^d$: $\sum a_i b_i \leq t 2^{2d}$.
E.g.: d = 8, t = 64: $\sum a_i b_i \leq 64 \cdot 2^{16} = 2^{24}$; DL takes time ≈ $2^{12}$.
Example Protocol: Scalar Product II
Alice $(a_1, \ldots, a_t)$: $(sk, pk) \leftarrow G(1^\kappa)$, $(r_1, \ldots, r_t) \leftarrow R^t$, $c_i \leftarrow E_{pk}(a_i; r_i)$; sends $(pk, (c_1, \ldots, c_t))$ to Bob.
Bob $(b_1, \ldots, b_t)$: $r \leftarrow R$, $c \leftarrow \prod_{i=1}^t c_i^{b_i} \cdot E_{pk}(0; r)$; sends c to Alice.
Alice: $m \leftarrow D_{sk}(c)$.
Correctness: $c = \prod_{i=1}^t c_i^{b_i} \cdot E_{pk}(0; r) = \prod_{i=1}^t E_{pk}(a_i; r_i)^{b_i} \cdot E_{pk}(0; r) = E_{pk}(\sum_{i=1}^t a_i b_i; \cdots + r)$.
Note: Answer(…) = $D_{sk}(c)$ computes a DL.
Example Protocol: Hamming Distance I
Define $w_h(\vec{a}, \vec{b}) := |\{i \in \{1, \ldots, t\} : a_i \neq b_i\}|$.
Alice's input: $\vec{a} := (a_1, \ldots, a_t) \in \mathbb{Z}_2^t$.
Bob's input: $\vec{b} := (b_1, \ldots, b_t) \in \mathbb{Z}_2^t$.
Alice's output: $w_h(\vec{a}, \vec{b})$.
Does not look algebraic, but: $w_h(\vec{a}, \vec{b}) := \sum_{i=1}^t (a_i \oplus b_i) = \sum_{i=1}^t (b_i + (1 - 2b_i) a_i)$, since
$b_i + (1 - 2b_i) a_i = 0 + (1 - 0) a_i = a_i = a_i \oplus 0$ if $b_i = 0$, and
$b_i + (1 - 2b_i) a_i = 1 + (1 - 2) a_i = 1 - a_i = a_i \oplus 1$ if $b_i = 1$.
Linear function! $w_h(\vec{a}, \vec{b}) \leq t$, so the DL can be computed efficiently if t is small.
Example Protocol: Hamming Distance II
Alice $(a_1, \ldots, a_t)$: $(sk, pk) \leftarrow G(1^\kappa)$, $(r_1, \ldots, r_t) \leftarrow R^t$, $c_i \leftarrow E_{pk}(a_i; r_i)$; sends $(pk, (c_1, \ldots, c_t))$ to Bob.
Bob $(b_1, \ldots, b_t)$: $r \leftarrow R$, $c \leftarrow E_{pk}(\sum_{i=1}^t b_i; r) \cdot \prod_{i=1}^t c_i^{1 - 2b_i}$; sends c to Alice.
Alice: $m \leftarrow D_{sk}(c)$.
Correctness: $c = E_{pk}(\sum_{i=1}^t (b_i + (1 - 2b_i) a_i); \cdots + r) = E_{pk}(w_h(\vec{a}, \vec{b}); \cdots + r)$.
Example Protocol: (2, 1)-CPIR
Computationally-Private Information Retrieval:
Bob's input: $(f_0, f_1) \in \mathbb{Z}_q^2$.
Alice's input: $x \in \{0, 1\}$. Alice's output: $f(x) := f_x \in \mathbb{Z}_q$.
Extremely important protocol, many applications.
Does not look algebraic, but: idea of protocol: Bob computes the linear function $x(f_1 - f_0) + f_0 = f_x$. More precisely, $(E_{pk}(x); (f_0, f_1)) \mapsto E_{pk}(x(f_1 - f_0) + f_0) = E_{pk}(f_x)$.
Decrypting is easy if $f_x$ is small.
Example Protocol: (2, 1)-CPIR
Alice (G, g; x): $(sk, pk) \leftarrow G(1^\kappa)$, $r_a \leftarrow R$; sends $(pk, c \leftarrow E_{pk}(x; r_a))$ to Bob $(G, g; (f_0, f_1))$.
Bob: $r_b \leftarrow R$, $c' \leftarrow c^{f_1 - f_0} \cdot E_{pk}(f_0; r_b)$; sends $c'$ to Alice.
Alice: $m \leftarrow D_{sk}(c')$.
Correctness: $c^{f_1 - f_0} \cdot E_{pk}(f_0; r_b) = E_{pk}(x(f_1 - f_0) + f_0; \cdots + r_b)$.
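Lifted Elgamal and the two-message protocols of this lecture (asymmetric veto, scalar product, Hamming distance and (2, 1)-CPIR) in one added Python example that is not code from the lecture. The group is the constructed toy group p = 2039, q = 1019, g = 4, so all plaintext results must stay below q; decryption uses baby-step giant-step, which recovers a plaintext bounded by B in about $\sqrt{B}$ group operations, and every reply is multiplied by a fresh $E_{pk}(0; r)$ so that its randomness is independent of Alice's (the blinding property). Bob's code in each protocol uses only pk and the ciphertexts, and Alice decrypts a single ciphertext, as the slides require.

```python
import math
import random

# Constructed toy Schnorr group (tiny; not the slides' sizes): q | p - 1, g = 4 of order q.
# Plaintexts live in Z_q, so every result below must be smaller than q = 1019.
P, Q, G = 2039, 1019, 4


def keygen(rng):
    sk = rng.randrange(Q)
    return sk, pow(G, sk, P)


def enc(pk, m, r):
    """Lifted Elgamal: E_pk(m; r) = (g^m h^r, g^r)."""
    return (pow(G, m % Q, P) * pow(pk, r, P) % P, pow(G, r, P))


def ct_mul(c, d):
    """Adds the plaintexts (and the randomizers)."""
    return (c[0] * d[0] % P, c[1] * d[1] % P)


def ct_pow(c, e):
    """Multiplies the plaintext by a known scalar e; e may be negative."""
    e %= Q
    return (pow(c[0], e, P), pow(c[1], e, P))


def bsgs(h, bound):
    """Baby-step giant-step: the m in [0, bound] with g^m = h, in about sqrt(bound) steps."""
    m = math.isqrt(bound) + 1
    baby, cur = {}, 1
    for j in range(m):                 # baby steps: g^0 .. g^{m-1}
        baby.setdefault(cur, j)
        cur = cur * G % P
    step = pow(G, (-m) % Q, P)         # g^{-m}
    gamma = h
    for i in range(m + 1):             # giant steps: h * g^{-im}
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % P
    return None


def dec(sk, c, bound):
    """D_sk(c1, c2) = log_g(c1 / c2^sk); bound is the caller's upper bound on the plaintext."""
    return bsgs(c[0] * pow(c[1], (-sk) % Q, P) % P, bound)


def query(rng, values):
    """Alice's first message: a fresh key pair plus one ciphertext per input value."""
    sk, pk = keygen(rng)
    return sk, pk, [enc(pk, v, rng.randrange(Q)) for v in values]


def scalar_product(a, b, seed=0):
    """<a, b>: Bob computes prod_i c_i^{b_i} * E_pk(0; r)."""
    rng = random.Random(seed)
    sk, pk, cs = query(rng, a)
    reply = enc(pk, 0, rng.randrange(Q))            # blinding factor E_pk(0; r)
    for ci, bi in zip(cs, b):
        reply = ct_mul(reply, ct_pow(ci, bi))
    return dec(sk, reply, len(a) * max(a) * max(b))


def hamming_distance(a, b, seed=0):
    """w_h(a, b) = sum_i (b_i + (1 - 2 b_i) a_i), linear in Alice's bits."""
    rng = random.Random(seed)
    sk, pk, cs = query(rng, a)
    reply = enc(pk, sum(b), rng.randrange(Q))
    for ci, bi in zip(cs, b):
        reply = ct_mul(reply, ct_pow(ci, 1 - 2 * bi))
    return dec(sk, reply, len(a))


def cpir(x, f0, f1, seed=0):
    """(2,1)-CPIR: Bob returns c^{f1 - f0} * E_pk(f0; r) = E_pk(x (f1 - f0) + f0) = E_pk(f_x)."""
    rng = random.Random(seed)
    sk, pk, (c,) = query(rng, [x])
    reply = ct_mul(ct_pow(c, f1 - f0), enc(pk, f0, rng.randrange(Q)))
    return dec(sk, reply, max(f0, f1))


def veto(a, b, seed=0):
    """Asymmetric veto: Alice learns a AND b = a * b, a one-element scalar product."""
    return scalar_product([a], [b], seed)
```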
Remarks
Task of the protocol designer: come up with a good rewording of the task. Bob's task must be linear; outputs must be small.
The protocol should be secure. Now: security in the semihonest model: parties are nosy but follow the protocol.
Alice's security: should follow from the PKC's security. Bob's security: the protocol designer must take care of this.
In all example protocols, Alice only receives a random encryption $c = E_{pk}(a)$ of the intended output a; c does not give more information than a.
2-Message Protocols: CPA-Security
Alice (a): $(q, state) \leftarrow Query(1^\kappa, a)$; sends q to Bob (b).
Bob: $r \leftarrow Reply(1^\kappa, b, q)$; sends r to Alice.
Alice: $a = Answer(1^\kappa, a, state, r)$.
A 2-message protocol is IND-CPA secure if Bob cannot distinguish between $Query(1^\kappa, a_0)$ and $Query(1^\kappa, a_1)$.
Similar to IND-CPA of PKC.
IND-CPA Security of 2-Message Protocols
Assume Γ = (Query, Reply, Answer). Let A be an efficient adversary.
IND-CPA game for protocols:
1. $(a_0, a_1) \leftarrow A(1^\kappa)$;
2. $\beta \leftarrow \{0, 1\}$;
3. $q \leftarrow Query(a_\beta)$;
4. $\beta' \leftarrow A(q)$;
5. return (β' = β) ? 1 : 0.
$Adv^{cpa}_\Gamma(A) := |2 \cdot \Pr[\text{IND-CPA game returns } 1] - 1|$.
Γ is (τ, ε)-IND-CPA secure if no time-≤ τ A has $Adv^{cpa}_\Gamma(A) > \varepsilon$.
Theorem: 2MHP are IND-CPA Secure
Theorem. Let Π = (G, E, D) be a PKC. Assume Γ = (Query, Reply, Answer) is such that during the first round Alice sends to Bob only a new public key of Π and t ciphertexts encrypted by this public key. If Π is IND-CPA secure, then Γ is IND-CPA secure.
Assume A can break Γ with time τ and probability ε. Construct adversary B that breaks Π with the same probability and time $\tau + t \cdot (\tau_{exp} + \tau_E) + small$ as follows. ($\tau_{exp}$/$\tau_E$ is the time for one exp/E.)
Proof: 2MHP are IND-CPA Secure I
(Diagram: Challenger, B and A.)
Challenger: $(sk, pk) \leftarrow G(1^\kappa)$; sends pk to B. B replies with the plaintext pair (0, 1). Challenger: $\beta_\Pi \leftarrow \{0, 1\}$, $r \leftarrow R$, $c \leftarrow E_{pk}(\beta_\Pi; r)$; sends c to B.
B then plays the IND-CPA game of Γ with A (messages 1, …, s), outputs $\beta'_\Pi$, and the challenger checks $[\beta'_\Pi = \beta_\Pi]$.
Proof: 2MHP are IND-CPA Secure II
B has $c = E_{pk}(\beta_\Pi)$, needs to guess $\beta_\Pi$.
B (playing Bob) gets inputs $a_0$ and $a_1$ from A. To use A's help, B must send $Query(1^\kappa, a_{\beta_\Pi})$ to A, without knowing $\beta_\Pi$.
Recall: $Query(1^\kappa, a_i) = (pk, \vec{m}_i) := (pk; m_{i1}, \ldots, m_{it})$. E.g.: $m_{ij}$ is the jth coefficient of vector $\vec{a}_i$. Thus: $Query(1^\kappa, a_{\beta_\Pi}) = (pk; m_{\beta_\Pi, 1}, \ldots, m_{\beta_\Pi, t})$.
Without privacy: B computes $(\beta_\Pi, (m_{0i}, m_{1i})) \mapsto m_{\beta_\Pi, i}$, for $i \in \{1, \ldots, t\}$. Linear function: $m_{\beta_\Pi, i} = (m_{1i} - m_{0i}) \beta_\Pi + m_{0i}$.
With privacy: B computes $(E_{pk}(\beta_\Pi), (m_{0i}, m_{1i})) \mapsto E_{pk}(m_{\beta_\Pi, i})$, for $i \in \{1, \ldots, t\}$. This is exactly our protocol for (2, 1)-CPIR! B = Bob in CPIR, A = Alice in CPIR.
Proof: 2MHP are IND-CPA Secure III
$B(pk; c = E_{pk}(\beta_\Pi))$ interacting with $A(a_0, a_1)$:
A sends $(a_0, a_1)$ to B.
B: for $j \in \{1, \ldots, t\}$: compute $m_{0j}$, $m_{1j}$ as in the protocol; $c_j \leftarrow c^{m_{1j} - m_{0j}} \cdot E_{pk}(m_{0j}; R)$; sends $(pk; c_1, \ldots, c_t)$ to A.
A: $\beta'_\Gamma \leftarrow A(pk; c_1, \ldots, c_t)$; sends $\beta'_\Gamma$ to B.
B: $\beta'_\Pi \leftarrow \beta'_\Gamma$.
Proof: 2MHP are IND-CPA Secure IV
By the previous discussion, B's input to Γ is equal to his honest input corresponding to $a_{\beta_\Pi}$, even if he does not know $\beta_\Pi$. Since A's input = what A expects, by assumption A is successful with probability ε. Thus
$\Pr[\beta'_\Pi = \beta_\Pi] = \Pr[\beta'_\Gamma = \beta_\Gamma]$,
and thus both algorithms have the same advantage. B's time is dominated by the execution of A, t ciphertext exponentiations, and t encryptions. QED
Conclusions
All 2MH protocols are IND-CPA secure given the PKC is IND-CPA secure. Corollary: all Elgamal-based 2MH protocols are IND-CPA secure, if DDH holds. No need for individual proofs: just cite this metatheorem. E.g.: if the PKC is IND-CPA secure, then the Hamming distance protocol is IND-CPA secure.
No significant security loss in ε or τ. Surprising: we intuitively expect that since the attacker of Γ sees more than 1 ciphertext, he gains more advantage than when seeing just one.
The reduction relies on the homomorphic properties of the PKC.
Lecture 4: Lifted Elgamal. MH Protocols
Learning Outcomes
Elgamal: additively homomorphic cryptosystem (inexponents)
Intuition: which two-message protocols one canbuild given a MH PKCSome example protocols
CPIR: important protocol
IND-CPA for securities
Formalizing simple security proofs
Somewhat more difficult proofs
Lecture 5. E-Voting. AH. Paillier
One classical paper on e-voting: [Cramer et al., 1997]
Paillier's original paper: [Paillier, 1999]
Other Kind of Hom Protocols
We saw two-message two-party protocols: Alice → Bob → Alice
Often, either the number of messages or the number of participants is significantly higher
Example: e-voting
  Every voter votes for some candidate
  Voting servers collect the ballots . . . and output the tally
  Privacy and correctness
  Need > 1 voting server
Clearly more than 2 parties
Also a different message flow
But the main idea is similar . . .
Different Hom Protocol: E-Voting
Voter v_1: (pk, c_1)            Vote collector (pk)                   Tallier (sk)                        Output
  C_1 ← E_pk(c_1; R)     →
  . . .
Voter v_i: (pk, c_i)
  C_i ← E_pk(c_i; R)     →
  . . .
Voter v_V: (pk, c_V)
  C_V ← E_pk(c_V; R)     →
                                C ← E_pk(0; R) · ∏_{i=1}^{V} C_i  →  w ← (D_sk(C) > V/2) ? 1 : 0   →   w
Two-candidate election: candidates 0 and 1
Voter v_i, i ∈ 1, ..., V, votes for c_i
VC/Tallier are two servers
Only the tallier knows sk
D_sk(C) = ∑ c_i = #{i : c_i = 1}
CPA-security straightforward
Note: semihonest model! See [Cramer et al., 1997]
E-Voting: Efficiency
Efficient if the number of voters is small
Recall: DL of a number from 0, ..., 2^n − 1 can be found in time 2^{n/2} = √(2^n)
  Baby-step giant-step, Pohlig-Hellman algorithms
  Viable, say, for n ≤ 50
World population: < 2^33
Next: what if > 2 candidates?
Multiple Candidate E-Voting
Voter v_1: (pk, c_1)                  Vote collector (pk)                   Tallier (sk)     Output
  C_1 ← E_pk((V + 1)^{c_1}; R)   →
  . . .
Voter v_i: (pk, c_i)
  C_i ← E_pk((V + 1)^{c_i}; R)   →
  . . .
Voter v_V: (pk, c_V)
  C_V ← E_pk((V + 1)^{c_V}; R)   →
                                      C ← E_pk(0; R) · ∏_{i=1}^{V} C_i  →  t ← D_sk(C)   →   t
Multiple-candidate election: candidates 0, 1, ..., γ − 1
Voter v_i, i ∈ 1, ..., V, votes for c_i
VC/Tallier are two servers
Only the tallier knows sk
D_sk(C) = ∑ (V + 1)^{c_i} = ∑_{j=0}^{γ−1} (V + 1)^j · #{i : c_i = j}
CPA-security straightforward
Note: semihonest model! See [Cramer et al., 1997, Damgard and Jurik, 2001]
Multiple-Candidate E-Voting: Example
Example
c_1 = 0, c_2 = 2, c_3 = 1, c_4 = 1, c_5 = 2. V = 5, thus basis V + 1 = 6. For example, v_2 encrypts 6^2. Thus
D_sk(C) = 6^0 + 6^2 + 6^1 + 6^1 + 6^2 = 2·6^2 + 2·6^1 + 6^0 = 221_6,
from which we see that candidates 1 and 2 got 2 votes, and candidate 0 got 1 vote.
Basis V + 1 is chosen to avoid overflows: if all voters vote for i, then the sum is V(V + 1)^i < (V + 1)^{i+1}.
Multi-Candidate Elections: Efficiency
Maximum value for "sum": ≈ (V + 1)^γ
Assume V = 2^19 − 1 (≈ 500 000), γ = 2^3 = 8 (usual Estonian parliamentary election, voting for parties)
(V + 1)^γ = 2^{19·8} = 2^152
Computing DL: intractable, 2^76 steps!
In Estonia, we vote directly for a person, not for a party: 8 candidates
Consider larger countries . . .
What Went Wrong?
At the end, one party had to compute DL
By assumption of MH PKC, DL is hard!
MH PKC is mostly useful when the final result comes from a small set
Additively Homomorphic Cryptosystems
Lifted Elgamal: AH for a small plaintext set
Real AH: AH with efficient decryption
  formally: polynomial-time decryption
  AH PKC with a large plaintext group
Solution 1: no need to compute DL
  Recall: E_pk(m_1; r_1) · E_pk(m_2; r_2) = E_pk(m_1 + m_2; r_1 r_2)
  Logical to have g^m somewhere: g^{m_1} · g^{m_2} = g^{m_1+m_2}
  Without DL: E_pk(m_1; r_1) + E_pk(m_2; r_2) = E_pk(m_1 + m_2; r_1 r_2)
Solution 2: a group where DL is easy
  Requires some other problem to be hard . . .
  Not a trivial task — but doable!
Solution 3: non-algebraic solutions
  E.g.: implement group operations based on bit operations
AH: Options
Solution 1: without DL
  Lattice-based cryptosystems: future lectures
  Can do both multiplications and additions: FHE
  But much more complicated . . .
Solution 2: computing DL is easy
  Trapdoor DL cryptosystems: this lecture
  Paillier [Paillier, 1999]: M = Z_n with n > 2^3248
  Damgard-Jurik [Damgard and Jurik, 2001]: M = Z_{n^s} with n > 2^3248 and integer s ≥ 1
Solution 3: non-algebraic solutions
  Garbled circuits
Unknown how to base AH encryption on DL/DDH
  need much more complicated assumptions and much more complicated schemes
Background: Factoring Assumption
Let ℓ = ℓ(κ) be a bitlength, A = A_ℓ a non-uniform adversary. Let P_ℓ be the set of all ℓ-bit primes. Define
Adv^fact_ℓ(A) := Pr[(p, q) ← P_ℓ^2, n ← p · q : A(n) = (p, q)]
Factoring 2ℓ-bit RSA moduli is hard if for any non-uniform probabilistic adversary A = A_ℓ that works in time ≤ τ, Adv^fact_ℓ(A) ≤ ε.
Background: Factoring Assumption
Fact: the best known factorization algorithm (GNFS) runs in time
exp((∛(64/9) + o(1)) · (log n)^{1/3} · (log log n)^{2/3}),
where n is the integer to be factored
Corollaries of Factoring Assumption
Lemma
If factoring is hard, then computing ϕ(n) for a random RSA modulus n is hard
ϕ(n) = ϕ(pq) = (p − 1)(q − 1) = pq − p − q + 1
Given n = pq and ϕ(n), compute s = n − ϕ(n) + 1 = p + q
n = pq = p(s − p) = sp − p^2, thus p^2 − sp + n = 0 — a quadratic equation
Recover p ← (s ± √(s^2 − 4n))/2
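As an added worked example (not from the slides), the lemma's recovery of p and q from n and ϕ(n) in Python; the toy modulus below is a constructed value, not one from the lecture:

```python
from math import isqrt


def factor_from_phi(n, phi):
    """Recover (p, q) from an RSA modulus n = pq and phi(n) = (p - 1)(q - 1).

    Follows the lemma above: s = n - phi(n) + 1 = p + q, and p, q are the two
    roots of t^2 - s*t + n = 0, i.e. (s +/- sqrt(s^2 - 4n)) / 2.
    """
    s = n - phi + 1                # p + q
    disc = s * s - 4 * n           # discriminant of the quadratic, equals (p - q)^2
    if disc < 0:
        raise ValueError("phi is not phi(n) for a product of two primes")
    root = isqrt(disc)             # exact integer square root, no floating point
    if root * root != disc:
        raise ValueError("phi is not phi(n) for a product of two primes")
    p, q = (s + root) // 2, (s - root) // 2
    if p * q != n:
        raise ValueError("recovered factors do not multiply to n")
    return p, q                    # p >= q


# Constructed toy modulus; real RSA moduli use primes of >= 1624 bits (see key generation below).
P_DEMO, Q_DEMO = 1013, 1009
N_DEMO = P_DEMO * Q_DEMO
PHI_DEMO = (P_DEMO - 1) * (Q_DEMO - 1)

if __name__ == "__main__":
    print(factor_from_phi(N_DEMO, PHI_DEMO))
```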
Corollaries of Factoring Assumption
A lot of other things are hard if factoring is hard. Usually computations in the group Z*_n, where n is an RSA modulus.
Related to factoring like DDH is related to DL: not known to be as hard, but still believed to be hard.
Binomial Theorem and Trapdoor DL
Binomial theorem: (a + b)^x = ∑_{i=0}^{x} C(x, i) a^i b^{x−i}
For example: (n + 1)^x = ∑_{i=0}^{x} C(x, i) n^i = 1 + xn + C(x, 2) n^2 + higher powers of n
Corollary: (n + 1)^x ≡ xn + 1 (mod n^2)
Certain DL easy: remember solution 2!
If y = (n + 1)^x mod n^2, then y = xn + 1 mod n^2
Thus x = log_{n+1} y = (y − 1)/n mod n^2
Denote L(y) := (y − 1)/n — integer, not modular, division
Thus: L((n + 1)^x mod n^2) = x
Background: Basic Number Theory
lcm(a, b) — least common multiple
  a | lcm(a, b), b | lcm(a, b)
  If a | c and b | c, then lcm(a, b) ≤ c
a · b = gcd(a, b) · lcm(a, b)
  Example: a = 4, b = 6
  gcd(4, 6) = 2, lcm(4, 6) = 12
  4 · 6 = 24 = 2 · 12
Background: Carmichael Function
Define the Carmichael function λ(n) as follows.
  λ(p^k) = p^{k−1}(p − 1) if p ≥ 3 or k ≤ 2 (= ϕ(p^k)),
  λ(2^k) = 2^{k−2} for k ≥ 3, and
  λ(p_1^{k_1} · · · p_t^{k_t}) = lcm(λ(p_1^{k_1}), ..., λ(p_t^{k_t}))
Theorem (Carmichael Theorem)
For a positive integer n, λ(n) is the smallest positive integer m such that a^m ≡ 1 (mod n) for every integer a coprime to n.
Full proof is 6+ pages.
We could use ϕ(n) instead of λ(n), but λ(n) is more efficient.
Paillier’s Cryptosystem: Main Idea
Additive cryptosystem with large plaintext space
Solution 2: DL is easy
Uses the described properties of binomial coefficients
(1 + n)^m = 1 + mn is masked with randomness r
Only the secret key holder can remove r
Similar to Elgamal in this sense
Security is “related” to hardness of factoring
Devil is in the details. . .
Paillier’s Cryptosystem: Key Generation
1  p, q ← P_{≥1624};
2  n ← p · q;
3  λ ← λ(n) = lcm(p − 1, q − 1);
4  µ ← λ^{−1} mod n;  /* Efficient if p, q are known */
5  pk = n;
6  sk = (λ, µ);
7  return (sk, pk);  /* Knowledge of p, q not needed any more */
Paillier’s Cryptosystem
Encryption of m ∈ Z_n with pk = n:
1  r ← Z*_n;
2  c ← (mn + 1) r^n mod n^2;
3  return c;
Note: r has order ϕ(n) = (p − 1)(q − 1).
Decryption of c ∈ Z*_{n^2} with sk = (λ, µ):
1  m ← L(c^λ mod n^2) · µ mod n;
2  return m;
Correctness:
D_sk(E_pk(m; r)) ≡ D_sk((mn + 1) r^n mod n^2) ≡ L((λmn + 1) r^{λn} mod n^2) · µ (mod n)
Correctness of Paillier Decryption
Now,
λ(n^2) = λ(p^2 q^2) = lcm(λ(p^2), λ(q^2)) = lcm(p(p − 1), q(q − 1)) = pq · lcm(p − 1, q − 1) = λn.
By the Carmichael theorem, r^{λn} ≡ r^{λ(n^2)} ≡ 1 mod n^2, thus also r^{λn} ≡ 1 mod n. Thus
D_sk(E_pk(m; r)) ≡ L(λmn + 1) · µ ≡ λm · λ^{−1} ≡ m (mod n).
Paillier: Additive Homomorphism
Clearly,
E_pk(m_1; r_1) · E_pk(m_2; r_2) ≡ (n + 1)^{m_1} r_1^n · (n + 1)^{m_2} r_2^n ≡ (n + 1)^{m_1+m_2} (r_1 r_2)^n ≡ E_pk(m_1 + m_2; r_1 · r_2) (mod n^2).
Thus the Paillier cryptosystem is additively homomorphic in M = Z_n.
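An added Python example, not from the slides, that implements Paillier exactly as in the key-generation, encryption and decryption slides (λ = lcm(p − 1, q − 1), µ, L, E, D and the additive homomorphism) and then uses it for the multi-candidate e-voting tally with basis V + 1 from the e-voting slides; the primes 1009 and 1013 are constructed toy values and the function names are my own:

```python
from math import gcd
import secrets

# Constructed toy primes; the key-generation slide calls for p, q of >= 1624 bits each.
P, Q = 1009, 1013


def keygen(p=P, q=Q):
    """Paillier key generation as on the slide: pk = n, sk = (lambda, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lambda(n) = lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)                           # lambda^{-1} mod n; needs gcd(lambda, n) = 1
    return n, (lam, mu)


def L(y, n):
    """L(y) = (y - 1)/n with integer division: the trapdoor DL to base n + 1 modulo n^2."""
    return (y - 1) // n


def random_unit(n):
    """r <- Z_n^*: a uniformly random element coprime to n."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r


def encrypt(pk, m):
    """c = (mn + 1) r^n mod n^2 for m in Z_n, as on the encryption slide."""
    n = pk
    assert 0 <= m < n, "plaintext must lie in Z_n"
    n2 = n * n
    return (m * n + 1) * pow(random_unit(n), n, n2) % n2


def decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n, as on the decryption slide."""
    n = pk
    lam, mu = sk
    return L(pow(c, lam, n * n), n) * mu % n


def add(pk, c1, c2):
    """Additive homomorphism: E(m1) * E(m2) = E(m1 + m2) (mod n^2)."""
    return c1 * c2 % (pk * pk)


def cast_ballot(pk, V, candidate):
    """Voter v_i encrypts (V + 1)^{c_i}: a single unit in base-(V + 1) digit position c_i."""
    return encrypt(pk, (V + 1) ** candidate)


def tally(pk, sk, V, gamma, ballots):
    """Tallier: C = E(0; R) * prod C_i, t = D(C); the base-(V + 1) digits of t are the counts.

    Returns (t, [votes for candidate 0, ..., votes for candidate gamma - 1]).
    """
    assert (V + 1) ** gamma < pk, "the sum must not wrap around modulo n"
    C = encrypt(pk, 0)                 # fresh E(0; R) rerandomises the product, as on the slide
    for Ci in ballots:
        C = add(pk, C, Ci)
    t = decrypt(pk, sk, C)
    counts, rest = [], t
    for _ in range(gamma):             # digit j of t in base V + 1 = #{i : c_i = j}
        counts.append(rest % (V + 1))
        rest //= (V + 1)
    return t, counts


def run_election(votes, gamma):
    """Runs the whole protocol for the given votes c_i (V = number of voters)."""
    pk, sk = keygen()
    V = len(votes)
    ballots = [cast_ballot(pk, V, c) for c in votes]
    return tally(pk, sk, V, gamma, ballots)


if __name__ == "__main__":
    # The example from the slide: c = (0, 2, 1, 1, 2), V = 5, basis 6, gamma = 3 candidates
    print(run_election([0, 2, 1, 1, 2], 3))
```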
Security of Paillier
x is an n-th residue modulo n^2 iff there exists y such that y^n ≡ x (mod n^2)
Definition
Decisional Composite Residuosity Assumption: distinguish a random n-th residue from a random n-th non-residue modulo n^2.
Equivalent (with small error): distinguish a random n-th residue from a random element of C = Z_{n^2}.
Fact: if factoring is easy, then DCRA is easy. The opposite is not known.
Security of Paillier
Theorem
Assume that DCRA is true. Then Paillier is IND-CPA secure.
Sketch.
Idea: a random encryption of 0 is a random n-th residue; a random encryption of a random element in M is a random element of C. The proof goes along the same lines as the security proof of Elgamal.
2-Message AH Protocols
a — anything (e.g., a complex number)
m_i ∈ M are functions of a: m_i = m_i(a)
Except this sentence, this is a copy of a previous slide!
Alice (a)                                                       Bob (b)
// Query(1^κ, a):
(sk, pk) ← G(1^κ),
For i ∈ 1, ..., t: r_i ← R, c_i ← E_pk(m_i, r_i)
                        →  (pk; c_1, ..., c_t)  →
                                                                r ← Reply(1^κ, b, pk, c_1, ..., c_t)
                        ←  r  ←
a ← Answer(1^κ, a, sk, r)
Theorem: 2AHP are IND-CPA Secure
Theorem
Assume Γ = (Query, Reply, Answer) is such that during the first message, Alice only sends a fresh public key and a number of ciphertexts. If the additively homomorphic PKC Π = (G, E, D) is IND-CPA secure, then Γ is IND-CPA secure.
Proof.
Simple modification of the MH case.
Efficiency
While efficiency of cryptographic protocols is very important, we have not talked about it much (yet)
Several measures:
  Communication complexity
  Computational complexity (of Alice/Bob)
  Round complexity
Up to now all protocols have had 2 rounds
  Alice → Bob → Alice
  Voter → vote collector → tallier
We will see later protocols with more rounds . . .
HD: Communication Complexity
Alice (a_1, ..., a_t)                                           Bob (b_1, ..., b_t)
(sk, pk) ← G(1^κ), (r_1, ..., r_t) ← R^t, c_i ← E_pk(a_i; r_i)
                        →  (pk, (c_1, ..., c_t))  →
                                                                r ← R, c ← E_pk(∑_{i=1}^{t} b_i; r) · ∏_{i=1}^{t} c_i^{1−2b_i}
                        ←  c  ←
m ← D_sk(c)
Comm.: 1 PK + t + 1 ciphertexts
                     Lifted Elgamal     Paillier
Group elements       2t + 3             t + 1.5
Length of 1 g.e.     256                6496
Comm: bits           512(t + 1.5)       6496(t + 1.5)
Elgamal vs Paillier: Computation
n: input length
Exp: Θ(n^{1+log_2 3}) = Θ(n^{2.58496}) bit ops
  1 mult = Θ(n^{1.58496}) bit ops by using Karatsuba
  1 exp ≈ n mults by using Brauer
  For the sake of simplicity: assume n^{1+log_2 3}
                     Elgamal            Paillier
|group element|      256                6496
Exp                  ≈ 256 mult-s       ≈ 6496 mult-s
Mult                 6591 bit ops       1.10383 × 10^6 bit ops
DL?                  yes                no
Caveat: n-bit e.c. * is more costly than * in Z_{≈2^n}
To really compare the cost of Elgamal and Paillier: need to implement
HD: Alice's Computation
[HD protocol diagram as on the previous slide: Alice sends (pk, (c_1, ..., c_t)), Bob replies with c ← E_pk(∑_{i=1}^{t} b_i; r) · ∏_{i=1}^{t} c_i^{1−2b_i}, Alice computes m ← D_sk(c)]
[Plot: t = 10 ... 60 on the x-axis, 2·10^11 ... 8·10^11 on the y-axis]
Alice's comp.: t encryptions, 1 decryption
                 Lifted Elgamal                        Paillier
In big ops       (3t + 1) exp + 1 DL                   t + 1 exp
In mults         256(3t + 1) + 2^{t/2}                 ≈ 6496(t + 1)
In bitops        ≈ 6561(768t + 256 + 2^{t/2})         ≈ 7.17046 · 10^9 (1 + t)
Remark           DL time dominates for t > 28          No DL
HD: Alice’s Computation
[Plot: Paillier/Elgamal ratio for t = 10 ... 60 (y-axis 1000 ... 4000), with an inset for t = 55 ... 70 (y-axis 0.2 ... 1.0)]
Paillier/Elgamal: 7.17046·10^9 (1 + t) / (6561(256 + 2^{t/2} + 768t))
Initially: the constant term x
Middle: the term xt
End: the term x2^{t/2}
Efficiency of HD with Lifted Elgamal
[HD protocol diagram as above: Alice sends (pk, (c_1, ..., c_t)), Bob replies with c ← E_pk(∑_{i=1}^{t} b_i; r) · ∏_{i=1}^{t} c_i^{1−2b_i}, Alice computes m ← D_sk(c)]
[Plot: t = 0 ... 60 on the x-axis, 1300 ... 1400 on the y-axis]
                                Lifted Elgamal                         Paillier
E_pk(∑ b_i; r) (exps)           3                                      1
c_i^{1−2b_i}                    either c_i or c_i^{−1} (no exp)
Everything but E                ≤ t inver-s (≈ t mults), t mult
Total (mults)                   ≤ 2t + 3 log q = 2t + 768              ≤ 2t + log q = 6496 + 2t
Total (ops)                     13122(384 + t)                         2.20765 · 10^6 (3248 + t)
Graph: Paillier cost / Elgamal cost. Theoretical estimate.
Computation: General
Alice:
  Assume Alice needs to decrypt s times, n-bit plaintexts
  Lifted Elgamal: ≈ 3t log q + s(log q + 2^{n/2}) mults
  Paillier: ≈ t log q + s log q mults
  Paillier mult ≫ lifted Elgamal mult
  Inherent lower bound (for fixed s, t, n)
  Goal: design the protocol so that t, s and n minimize the total computation
Bob:
  Depends heavily on the protocol
  Goal: design the protocol that minimizes Bob's computation
Elgamal or Paillier: Summary
If decrypted values are not too big (DL efficient): use (lifted) Elgamal
If decrypted values are of average size, it depends
  Alice's ops are 10x faster but Bob's ops 50x slower — what is more important?
  E.g.: homomorphic e-voting, Alice = voter, Bob = server
If decrypted values are large (DL intractable): use Paillier
Important: implement both, if unsure
Which choice is better in the general context? Security assumption, availability of libraries, . . .
Learning Outcomes
Homomorphic protocols with more than 2 parties
Simple e-voting
Inefficient decryption of (lifted) Elgamal is sometimes very bad
True additively homomorphic cryptography
Paillier: details
Efficiency: Important issues
Elgamal or Paillier: when to use what?
Lecture 6. AH with Recursion: Nontrivial CPIR
See:
Kushilevitz-Ostrovsky square-root (n, 1)-CPIR [Kushilevitz and Ostrovsky, 1997],
Damgard-Jurik cryptosystem [Damgard and Jurik, 2001],
Lipmaa's (2, 1)-CPIR [Lipmaa, 2005],
Log-squared (n, 1)-CPIR [Lipmaa, 2005, Lipmaa, 2009]
Recap: 2-Message AH Protocols
a — anything (e.g., a complex number)
a_i = f_i(a) ∈ M are functions of a
Alice's privacy follows from IND-CPA of the PKC
Alice (a)                                                       Bob (b)
(sk, pk) ← G(1^κ), For i ∈ 1, ..., t: c_i ← E_pk(a_i, r_i)
                        →  (pk; c_1, ..., c_t)  →
                                                                r ← Reply(1^κ, b, pk, c_1, ..., c_t)
                        ←  r  ←
a ← Answer(1^κ, a, sk, pk, r)
Recap: What Can Be Done with 2MAH
Alice can encrypt arbitrary functions m_i of a
  Multi-candidate elections: (V + 1)^a,
  Hamming distance protocol: bit(a, i) : i
Bob can compute affine functions of encrypted values for some functions b_i, b′ of b:
  ∏_i E_pk(a_i)^{b_i} · E_pk(b′) = E_pk(∑_i b_i a_i + b′)
Quite limited: most freedom is in choosing a_i, b_i, b′
We saw some simple examples. Can we do more?
Composition/Recursion
Programming language:
  primitive operations (+) not so powerful
  compositions: much more powerful
Cryptographic protocols: same
In the case of AH:
  clever self-composition of + might already give interesting results
  sometimes similar to recursion
This lecture:
  AH + Recursion: log^2 n-communication (n, 1)-CPIR
Recall: (n, 1)-CPIR
Computationally-Private Information Retrieval:
Bob’s input: a database (f0, . . . , fn−1)
Alice's input: index x ∈ 0, ..., n − 1
Alice's output: f_x.
Bob’s output: ⊥ (no output)
Security: IND-CPA security to protect Alice
Recall: (2, 1)-CPIR
Alice x ∈ {0, 1}                                                Bob (f_0, f_1) ∈ M^2
(sk, pk) ← G(1^κ), r ← R, c ← E_pk(x; r)
                        →  q ← (pk, c)  →
                                                                r′ ← R, c′ ← c^{f_1−f_0} · E_pk(f_0; r′)
                        ←  r ← c′  ←
a ← D_sk(c′)
Correctness: c′ = E_pk((1 − x)f_0 + x f_1; R). But (1 − x)f_0 + x f_1 = f_x for x ∈ {0, 1}. Thus D_sk(c′) = f_x.
Kushilevitz-Ostrovsky (n, 1)-CPIR
Alice obtains 1 element out of n
Uses an AH cryptosystem
Total communication: Θ(√n · κ)
Basic idea:
  execute in parallel many CPIRs to smaller databases
  Alice is interested in only one small CPIR
  Thus: her message in the different CPIRs can be the same; she ignores the other CPIR outputs
Shows that (n, 1)-CPIR with o(n) comm. is possible
KO (n, 1)-CPIR: Basic Idea
Data representation: n-element database = √n × √n matrix (f_ij)_{i,j=1}^{√n}
Alice's output: f_xy, x, y ∈ [√n] = 1, ..., √n
Parallelization and data reuse:
  Execute √n linear-communication (√n, 1)-CPIRs in parallel to the √n rows of the matrix
  Retrieve the element only from the y-th row
  Only one small CPIR relevant: share Alice's first message between the √n small CPIRs
Denote: [P(x)] = 1 if P(x) is true, and 0 if P(x) is false
E.g.: [x = y] is 1 if x = y, and 0 if x ≠ y
KO (n, 1)-CPIR: Basic Idea
[Figure: Alice's query q ← (E_pk([i = 2]))_{i=1}^{5} is sent once; Bob answers q with each row (f_1i)_i, ..., (f_5i)_i; Alice decrypts only the answer for the row she wants]
Kushilevitz-Ostrovsky (n, 1)-CPIR
Alice x, y ∈ [√n]                                               Bob (f_ij)_{i,j=1}^{√n}, f_ij ∈ M
(sk, pk) ← G(1^κ), ∀i ∈ [√n]: c_i ← E^s_pk([x = i]; R)
                        →  q ← (pk, c_1, ..., c_{√n})  →
                                                                r′ ← R, ∀j ∈ [√n]: c′_j ← ∏_{i=1}^{√n} c_i^{f_ij} · E^s_pk(0; R)
                        ←  r ← (c′_1, ..., c′_{√n})  ←
a ← D^s_sk(c′_y)
Correctness: c′_j = E^s_pk(∑_i [x = i] f_ij; R) = E^s_pk(f_xj; R). Thus c′_y = E^s_pk(f_xy; R)
KO (n, 1)-CPIR: Efficiency
[Same protocol as on the previous slide: Alice sends q ← (pk, c_1, ..., c_{√n}) with c_i ← E^s_pk([x = i]; R), Bob replies with c′_j ← ∏_{i=1}^{√n} c_i^{f_ij} · E^s_pk(0; R) for all j, Alice outputs D^s_sk(c′_y)]
Alice's comp.: √n encryptions, 1 decryption
Bob's comp.: n exponentiations, √n encryptions
  First lecture: Θ(n) "lower bound"
Communication: PK + 2√n ciphertexts
How to Improve Communication Further?
[Same protocol as above: Alice sends q ← (pk, c_1, ..., c_{√n}) with c_i ← E^s_pk([x = i]; R), Bob replies with (c′_1, ..., c′_{√n}), Alice outputs D^s_sk(c′_y)]
Note: only c′_y is needed. The other elements c′_j are redundant
Idea:
  Do not transfer the redundant elements
  Use (√n, 1)-CPIR to obtain c′_y from Bob's database (c′_1, ..., c′_{√n})
  √n + √n → √n + n^{1/4} + n^{1/4}
  Use (n^{1/4}, 1)-CPIR to obtain only one of those elements, etc
NB: devil is in the details. Difficult to optimize
How to Improve Communication Further?
[Figure: Alice's query q ← (E_pk([i = 3]))_{i=1}^{3}; Bob's answers to q with the rows (f_1i)_i, ..., (f_9i)_i; Alice performs another CPIR to get the one answer she needs]
Length-Flexible AH Cryptosystems
Additively homomorphic
Length-flexible:
  One can encrypt every m ∈ Z in a ciphertext of ≤ |m| + f(κ) bits, where f is a "small" function
  [Damgard and Jurik, 2001]: |c| < |m| + 2κ
  Ciphertexts of short and long plaintexts have different length
Next: Damgard-Jurik and what one can do with it
Damgard-Jurik
G(1^κ):
  Generate two random large prime numbers p and q
  Set N = pq
  pk = N, sk = (p, q, . . . )
Encryption of m ∈ Z with pk = N:
1  let s be minimal such that m < N^s
2  Select random r ← Z*_N
3  Compute c ← (N + 1)^m r^{N^s} mod N^{s+1}
Decryption: can be done efficiently [Damgard and Jurik, 2001, Damgard et al., 2010]
Generalization of Paillier
Damgard-Jurik: Optimal Rate
m ∈ Z_{N^s}, c ∈ Z_{N^{s+1}}
Thus: |c|/|m| ≈ (s + 1)/s = 1 + 1/s and |c| < |m| + 2 log_2 N
Optimal rate:
  (the number of useful bits) / (the number of transferred bits) = |m|/|c| = 1 − o(1).
One of the very few known optimal-rate cryptosystems
DJ: Homomorphism And Beyond
Let κ := ⌈log_2 N⌉  // key length
∀s ≥ 1: encrypts a plaintext of s · κ bits to a ciphertext of (s + 1)κ bits.
This ciphertext is a plaintext for parameter s + 1
E^s_pk(m_1) · E^s_pk(m_2) = E^s_pk(m_1 + m_2), thus also
E^{s+1}_pk(m_1)^{E^s_pk(m_2)} = E^{s+1}_pk(m_1 · E^s_pk(m_2)),
where m_1 and E^s_pk(m_2) are (s + 1)κ-bit values (m_2 has s · κ bits) and the result is an (s + 2)κ-bit ciphertext.
“Reusing” (2, 1)-CPIR
Alice x ∈ {0, 1}                                                Bob (f_0, f_1) ∈ M^2
(sk, pk) ← G(1^κ), r ← R, c ← E^s_pk(x; r)
                        →  q ← (pk, c)  →
                                                                r′ ← R, c′ ← c^{f_1−f_0} · E^s_pk(f_0; r′)
                        ←  r ← c′  ←
a ← D^s_sk(c′)
Alice sends q = (pk, E^s_pk(x)) to Bob
Bob replies with r_pk(E^s_pk(x), f⃗) := E^s_pk(f_x)
Master ideas:
  Reuse Alice's message to execute many small CPIRs
  Instead of sending r back to Alice, Bob uses it recursively in subsequent CPIRs
(4, 1)-CPIR: Non-Private version
x = ∑ 2^i x_i = 2x_1 + x_0
Fetch element f_{2x_1+x_0} = f_{x_1 x_0}
[Figure: decision tree; the root branches on x_1 (0/1), each child branches on x_0 (0/1), the leaves are f_00, f_01, f_10, f_11]
(4, 1)-CPIR: Private version
[Figure: the same tree, with r_0 and r_1 at the two x_0-nodes and r_2 at the root]
Alice sends to Bob c_0 ← E^s_pk(x_0; R), c_1 ← E^{s+1}_pk(x_1; R)
r_0 ← r_pk(c_0, (f_00, f_01))
r_1 ← r_pk(c_0, (f_10, f_11))
r_2 ← r_pk(c_1, (r_0, r_1))
Bob sends to Alice r_2
(4, 1)-CPIR: Private version
[Figure: the same tree, with r_0 and r_1 at the two x_0-nodes and r_2 at the root]
Alice sends to Bob c_0 ← E^s_pk(x_0; R), c_1 ← E^{s+1}_pk(x_1; R)
r_0 ← c_0^{f_01−f_00} · E^s_pk(f_00; R) ∈ Z_{N^{s+1}}
r_1 ← c_0^{f_11−f_10} · E^s_pk(f_10; R) ∈ Z_{N^{s+1}}
r_2 ← c_1^{r_1−r_0} · E^{s+1}_pk(r_0; R) ∈ Z_{N^{s+2}}
Bob sends to Alice r_2 ∈ Z_{N^{s+2}}
(4, 1)-CPIR: Private version
[Figure: the same tree, with r_0 and r_1 at the two x_0-nodes and r_2 at the root]
Alice sends to Bob c_0 ← E^s_pk(x_0; R), c_1 ← E^{s+1}_pk(x_1; R)
r_0 = E^s_pk(f_{(0,x_0)}; R) ∈ Z_{N^{s+1}}
r_1 = E^s_pk(f_{(1,x_0)}; R) ∈ Z_{N^{s+1}}
r_2 = E^{s+1}_pk(E^s_pk(f_{(x_1,x_0)}; R); R) ∈ Z_{N^{s+2}}
Bob sends to Alice r_2 ∈ Z_{N^{s+2}}
(8, 1)-CPIR
[Figure: depth-3 decision tree; the root branches on x_2, its children on x_1, their children on x_0; the leaves are f_000, f_001, f_010, f_011, f_100, f_101, f_110, f_111]
(8, 1)-CPIR: Private Version
[Figure: the same tree with intermediate replies r_00, r_01, r_10, r_11 at the x_0-nodes, r_0, r_1 at the x_1-nodes, and r at the root]
1  Alice sends c_i ← E^{s+i}_pk(x_i; R) for i ∈ 0, 1, 2;
2  Bob computes recursively all values r_i;  /* For example, r_0 ← r_pk(c_1; (r_00, r_01)) */
3  Bob sends back r ∈ Z_{N^{s+3}};
r = E^{s+2}_pk(E^{s+1}_pk(E^s_pk(f_{x_2 x_1 x_0})))
(2m, 1)-CPIR: General Construction
Alice x_0, ..., x_{m−1} ∈ {0, 1}                                Bob (f_0, ..., f_{2^m−1}) ∈ M^{2^m}
(sk, pk) ← G(1^κ), r_0, ..., r_{m−1} ← R, c_i ← E^{s+i}_pk(x_i; r_i)
                        →  q ← (pk, c_0, ..., c_{m−1})  →
                                                                For every node v of the complete binary tree: recursively compute r_v by using (2, 1)-CPIR. Let r correspond to the root node.
                        ←  r  ←
a ← D^{s+m−1}_sk(D^{s+m−2}_sk(. . . D^s_sk(r) . . . ))
See [Lipmaa, 2005, Lipmaa, 2009]
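An added Python example, not from the slides or the cited papers, of the (2^m, 1)-CPIR above on a toy Damgard-Jurik instance: level-s encryption modulo N^{s+1}, decryption through the easy DL of solution 2 (recovered one base-N digit at a time, which is my own simplification and not the decryption algorithm of [Damgard and Jurik, 2001]), Bob's recursive (2, 1)-CPIR replies c^{f_1−f_0} · E^s(f_0) over the complete binary tree, and Alice's m nested decryptions; the primes and all function names are my own constructions:

```python
from math import gcd
import secrets

# Constructed toy primes; the slides call for N > 2^3248, i.e. primes of >= 1624 bits.
P, Q = 1009, 1013
N = P * Q
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lambda(N) = lcm(p - 1, q - 1): the trapdoor
assert gcd(N, LAM) == 1


def random_unit():
    """r <- Z_N^*."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r


def dj_encrypt(m, s):
    """Level-s Damgard-Jurik encryption: m in Z_{N^s} -> c = (N + 1)^m r^{N^s} mod N^{s+1}."""
    mod = N ** (s + 1)
    assert 0 <= m < N ** s, "plaintext must fit the level"
    return pow(N + 1, m, mod) * pow(random_unit(), N ** s, mod) % mod


def dlog_base_N_plus_1(a, s):
    """Return m < N^s with (N + 1)^m = a (mod N^{s+1}): the 'easy DL' of solution 2.

    Digit by digit in base N: for odd N, (N + 1)^{N^k t} = 1 + t N^{k+1} (mod N^{k+2}),
    so once the k lowest digits of m are divided out, the next digit can be read off.
    """
    mod = N ** (s + 1)
    m = 0
    for k in range(s):
        a_k = a * pow(N + 1, -m, mod) % mod                 # remove the digits already found
        digit = (a_k % N ** (k + 2) - 1) // N ** (k + 1)    # next base-N digit of m
        m += digit * N ** k
    return m


def dj_decrypt(c, s):
    """c^lambda kills the r^{N^s} mask (Carmichael), then invert the easy DL and divide by lambda."""
    mod, ns = N ** (s + 1), N ** s
    return dlog_base_N_plus_1(pow(c, LAM, mod), s) * pow(LAM, -1, ns) % ns


def reply_21(c, f0, f1, s):
    """Bob's (2, 1)-CPIR reply at level s: c^{f1 - f0} * E^s(f0) = E^s(f_x) for c = E^s(x), x in {0, 1}.

    f0, f1 < N^s may themselves be level-(s - 1) ciphertexts. A negative exponent makes
    pow() use the modular inverse of c (Python 3.8+).
    """
    mod = N ** (s + 1)
    return pow(c, f1 - f0, mod) * dj_encrypt(f0, s) % mod


def cpir_query(x, m, s):
    """Alice: bit i of the index x is encrypted at level s + i (the leaves use x_0 at level s)."""
    return [dj_encrypt((x >> i) & 1, s + i) for i in range(m)]


def cpir_reply(cs, f, s):
    """Bob: complete binary tree over f (|f| = 2^m); a node i levels above the leaves selects on c_i."""
    m = len(cs)
    assert len(f) == 2 ** m and all(0 <= v < N ** s for v in f)

    def node(sub, i):
        if i == 0:
            return reply_21(cs[0], sub[0], sub[1], s)
        half = len(sub) // 2
        r0 = node(sub[:half], i - 1)             # subtree for x_i = 0
        r1 = node(sub[half:], i - 1)             # subtree for x_i = 1
        return reply_21(cs[i], r0, r1, s + i)    # r0, r1 in Z_{N^{s+i}} are plaintexts at level s + i

    return node(f, m - 1)


def cpir_answer(r, m, s):
    """Alice: peel the m nested layers, decrypting at levels s + m - 1, ..., s."""
    for i in reversed(range(m)):
        r = dj_decrypt(r, s + i)
    return r


def run_cpir(f, x, s=1):
    """One full (2^m, 1)-CPIR run; returns f[x] as recovered by Alice."""
    m = (len(f) - 1).bit_length()
    r = cpir_reply(cpir_query(x, m, s), f, s)
    return cpir_answer(r, m, s)


def reply_bits(m, s=1):
    """Length of Bob's single reply: the root lives in Z_{N^{s+m}}, about (s + m) * kappa bits."""
    return (N ** (s + m)).bit_length()


if __name__ == "__main__":
    database = [11, 22, 33, 44, 55, 66, 77, 88]   # constructed (8, 1)-CPIR database, m = 3
    print(run_cpir(database, 5), reply_bits(3))
```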
(2m, 1)-CPIR: Communication
ℓ-bit strings, κ is the modulus length.
For modulus N = pq, |N^s| = s log N = sκ
E^s_pk has plaintext from Z_{N^s} (sκ bits) and ciphertext from Z_{N^{s+1}} ((s + 1)κ bits)
Alice sends ≤ m · (s + m)κ bits
Bob sends ≤ (s + m + 1)κ bits
s · κ ≈ ℓ, thus in total Θ(ℓm + κm^2) bits
In general, replacing 2^m with any n: Θ(ℓ log n + κ log^2 n) bits
Can be minimized as a function of ℓ [Lipmaa, 2009]: (1 + o(1))ℓ + (1 + o(1))κ log^2 n · log log n
Important in applications where ℓ is extremely large. E.g.: database of movies
(2m, 1)-CPIR: Computation
Alice encrypts m items and does m-times decryption
  Efficient, m is logarithmic in the database size
Bob executes (2, 1)-CPIR per every internal node
  2^m − 1 (linear) nodes, expensive
  1 PKC operation is also expensive!
  2^m expensive operations
Until 2009: it was thought this is the best possible . . .
Next time:
  Better computation for (2^m, 1)-CPIR
  Generalization to many other functionalities
  . . . essentially by employing a suitable data structure (BDD)
Learning Outcomes
General technique: combining AH with recursion
Concrete application: nontrivial CPIR
Damgard-Jurik cryptosystem
Lecture 7. BDD and Multi-Round
secure BDD [Ishai and Paskin, 2007],
sublinear-computation CPIR [Lipmaa, 2009],
multi-round, multiparty computations: too many citations to give
Reminder
AH + recursion: can do certain nontrivial things
(n, 1) CPIR: with decision trees, one round
This time: trees → arbitrary DAGs
Plus: multi-round
Generalizing
CPIR by itself is interesting, but can we do more?
Easy remark:
  Let f : A → B be any function
  Define database f⃗ by f_x := f(x) ∈ B for x ∈ A
  Database: "truth table" of f
  Perform (|A|, 1)-CPIR to obtain f_x = f(x)
Result: can privately compute any function
Drawback: computation Θ(|A|)
Can we improve on it?
Yes, by using a good data structure, given that f is not random . . .
Binary Decision Diagram
BDD: directed acyclic graph
  Every internal node is labeled by some x_i
  Every terminal is labeled by some f_j
  Every internal node has a 0-child and a 1-child
Size of BDD: number of internal nodes
Length of BDD: length of the longest path to a terminal node
[Figure: example BDD over x_0, x_1, x_2 with edges labeled x_i = 0 / x_i = 1 and terminals 0 and 1]
Binary Decision Diagram
Computation process for some assignment of the x_i:
  Start from the root node
  For the current internal node labeled with some x_i: if x_i = 0, move to the 0-child, otherwise move to the 1-child
  If a terminal node labeled by f_j is reached: return f_j as the value
Time: length of BDD
Space: size of BDD
[Figure: BDD with root x_2 (0-child: terminal 1; 1-child: x_1), node x_1 (1-child: terminal 0; 0-child: x_0), node x_0 (0-child: terminal 1; 1-child: terminal 0)]
Example BDD: Comparison
Assume Bob returns 1 if his input f = 4f_2 + 2f_1 + f_0 is larger than x = 4x_2 + 2x_1 + x_0. While constructing the BDD he already knows f, so he can optimize the BDD. Assume for example that f = 5, thus Bob returns 1 if x < 5, f(x) := [x < 5].
[Figure: BDD for [x < 5]: root x_2 (0-child: terminal 1; 1-child: x_1), node x_1 (1-child: terminal 0; 0-child: x_0), node x_0 (0-child: terminal 1; 1-child: terminal 0)]
Example BDD: Private Version

Same function f(x) := [x < 5] and same BDD. In the private version every internal node v is replaced by the value r_v that Bob computes for it with (2, 1)-CPIR on the values of its two children, so Bob never learns which branch Alice's bits select.

[Figure: the comparison BDD with nodes relabeled r3 (root, children 1 and r2), r2 (children r1 and 0), r1 (children 1 and 0)]
Example BDD: Threshold

Assume Bob returns 1 if his input f = 4f2 + 2f1 + f0 is larger than the Hamming weight x = x2 + x1 + x0 of Alice's input. Assume for example that f = 2; thus Bob returns 1 if x < 2, f(x) := [x < 2].

[Figure: BDD for [x2 + x1 + x0 < 2]: level x2, then x1 nodes, then x0 nodes, terminals 1 and 0; each node corresponds to how many ones have been seen so far]

size(P) = (m + 1)m/2 = Θ(m²). Can be done more efficiently for large m [Wegener, 2000]
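The comparison and threshold BDDs of the last slides, written out as an added example (not code from the lecture). It builds the BDD Bob would use for f(x) = [x < t] when he already knows t, and for the Hamming-weight threshold [x_{m-1} + ... + x_0 < t], for any m and t rather than only the 3-bit case drawn above; `evaluate` is the "computation process" from the earlier slide, `size` counts internal nodes (the number of PKC operations PrivateBDD costs Bob) and `length` the longest path. All function and class names are this example's own.

```python
"""Decision diagrams for the comparison and threshold examples.

Added example, not code from the lecture. Builds reduced BDDs for
[x < t] (t known to the builder) and for [weight(x) < t], evaluates them
and reports size (internal nodes) and length (longest path).
"""
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Node:
    var: int        # index i of the variable x_i tested at this node
    child0: "BDD"   # 0-child
    child1: "BDD"   # 1-child


BDD = Union[int, Node]     # a terminal (label 0 or 1 here) or an internal node


def mk(var: int, c0: BDD, c1: BDD) -> BDD:
    """Standard reduction: a node whose two children agree is redundant."""
    return c0 if c0 == c1 else Node(var, c0, c1)


def evaluate(bdd: BDD, x: int) -> int:
    """Walk from the root; at a node labelled x_i follow bit i of x."""
    while isinstance(bdd, Node):
        bdd = bdd.child1 if (x >> bdd.var) & 1 else bdd.child0
    return bdd


def size(bdd: BDD) -> int:
    """Number of distinct internal nodes (shared subgraphs counted once)."""
    seen = set()

    def walk(b: BDD) -> None:
        if isinstance(b, Node) and b not in seen:
            seen.add(b)
            walk(b.child0)
            walk(b.child1)

    walk(bdd)
    return len(seen)


def length(bdd: BDD) -> int:
    """Longest root-to-terminal path, counted in internal nodes."""
    if not isinstance(bdd, Node):
        return 0
    return 1 + max(length(bdd.child0), length(bdd.child1))


def less_than(t: int, m: int) -> BDD:
    """[x < t] for m-bit x, scanning from the most significant bit.
    Because t is fixed, as soon as x's prefix differs from t's the answer is
    known and the whole remaining subtree collapses to a terminal."""
    if t >= 1 << m:
        return 1                       # every m-bit x is below t

    def build(i: int) -> BDD:          # bits i-1..0 undecided, higher bits equal t's
        if i == 0:
            return 0                   # x == t, so not x < t
        rest = build(i - 1)
        if (t >> (i - 1)) & 1:
            return mk(i - 1, 1, rest)  # x_{i-1} = 0 < 1: decided; = 1: keep comparing
        return mk(i - 1, rest, 0)      # x_{i-1} = 1 > 0: decided; = 0: keep comparing

    return build(m)


def weight_below(t: int, m: int) -> BDD:
    """[x_{m-1} + ... + x_0 < t]. A node is determined by (bits left, ones seen);
    memoising on that pair shares equal subgraphs, which keeps the size
    polynomial instead of a full 2^m tree."""
    memo = {}

    def build(i: int, ones: int) -> BDD:
        if ones >= t:
            return 0                   # already too many ones
        if ones + i < t:
            return 1                   # even all-ones for the rest stays below t
        if (i, ones) not in memo:
            memo[(i, ones)] = mk(i - 1, build(i - 1, ones), build(i - 1, ones + 1))
        return memo[(i, ones)]

    return build(m, 0)


if __name__ == "__main__":
    b = less_than(5, 3)
    print([evaluate(b, x) for x in range(8)], size(b), length(b))
```

`less_than(5, 3)` reproduces the slide's three-node diagram, and `less_than(4, 3)` shows why Bob's knowledge of f matters: [x < 4] reduces to a single node testing x2. The threshold builder stays within the (m + 1)m/2 bound from the slide because states with the same (bits left, ones seen) are shared.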
PrivateBDD Protocol for Function f

Alice: $x_0, \ldots, x_{m-1} \in \{0, 1\}$    Bob: $P$ (efficient BDD for $f$)

Alice: $(sk, pk) \leftarrow G(1^\kappa)$, $r_0, \ldots, r_{m-1} \leftarrow R$, $c_i \leftarrow E^{s+\mathrm{length}(P)}_{pk}(x_i; r_i)$
Alice → Bob: $q \leftarrow (pk, c_0, \ldots, c_{m-1})$
Bob: for every node $v$ of $P$, recursively compute $r_v$ by using (2, 1)-CPIR. Let $r$ correspond to the root node.
Bob → Alice: $r$
Alice: $a \leftarrow D^{s+\mathrm{length}(P)}_{sk}(D^{s+\mathrm{length}(P)-1}_{sk}(\ldots D^{s}_{sk}(r) \ldots))$
PrivateBDD: Complexity

Let κ be the length of the modulus, m the number of Alice's variables, ℓ the bitlength of terminal node labels.
Communication: κ + (m + 1)(ℓ + (length(P) + 2)κ)
Bob's computation: size(P) PKC operations. Computation is "efficient" if size(P) is polynomial.
Fact. A Boolean function has a polynomial-size BDD iff it is computable by a log-space non-uniform Turing machine [Cobham, 1966]
Simply put: practically all "efficient" Boolean functions you ever need. Most probably not P-complete functions like linear programming (http://en.wikipedia.org/wiki/P-complete)
If f is not Boolean: can still do efficiently for many interesting functions; the concrete complexity class is not so well understood
See [Wegener, 2000, Ishai and Paskin, 2007, Lipmaa, 2009]
(n, 1)-CPIR: Recap

Alice's input: (x_0, ..., x_{m−1}), n = 2^m
Bob's input: ~f = (f_0, ..., f_{2^m−1}). Alice's output: f_x
Reformulate: evaluating a function f, f(x) := f_x. Design an efficient BDD for the fixed f, apply PrivateBDD
Fact: any function f : {0, 1}^m → {0, 1}^ℓ can be implemented by a BDD of size 2^m ℓ / log2(2^m ℓ) [Lipmaa, 2009]
Corollary: (n, 1)-CPIR can be implemented in worst case ≤ (nℓ)/log2(nℓ) public-key operations [Lipmaa, 2009]
Better than the "lower bound" n for small ℓ
Links about BDD

Also known as branching programs
Used widely in circuit/program verification
http://en.wikipedia.org/wiki/Binary_decision_diagram
http://myvideos.stanford.edu/player/slplayer.aspx?coll=ea60314a-53b3-4be2-8552-dcf190ca0c0b&co=18bcd3a8-965a-4a63-a516-a1ad74af1119&o=true (Fun with Binary Decision Diagrams, video lecture by Knuth)
http://www.cs.cmu.edu/afs/cs/academic/class/15213-f06/www/lectures/class08-bdd.pdf (Verifying programs with BDDs, lecture notes, CMU)
Recap

Up to now: 1-round (= 2-message) protocols
Used algebraic properties and beyond. BDD: recursion
Pure additive homomorphism does not give us much. With recursion (BDD-homomorphism): 2-message protocols for all problems that have polysize BDD
However: BDD-protocols are computationally quite expensive
Recap: Inefficiency of BDD

One public-key operation per BDD node, size(P) in total
Every BDD is at least logarithmic in size: a function that depends on all m input bits needs a node labeled by each of them, so size ≥ m = log2 of the truth-table size

[Figure: comparison BDD for 3-bit inputs: root x3 with children 1 and x2; x2 with children x1 and 0; x1 with children 1 and 0]

Comparison x > y of two ℓ-bit numbers takes at least ℓ PKC operations
Simple Example: Multiplication

Just 2MAH: impossible. Can only compute affine functions. If we can compute at least one multiplication, we can do quadratic polynomials
AH + recursion: doable but expensive. Let inputs be m bits long. Can be done with BDD size Ω(m²/log m). [Wegener and Woelfel, 2007]: BDD size to compute the middle bit of multiplication is at least Ω(m^{3/2}/log m)
The result of the multiplication should stay hidden: (E(x), E(y)) → E(xy). Can be used recursively inside more complex protocols. Akin to recursive CPIR, but... adds more rounds
Interactive Multiplication: Brief Idea

Alice's input: sk. Bob's input: pk, E_pk(m1), E_pk(m2). Bob's output: E_pk(m1 m2). Alice's output: none
Bob can't send E_pk(m_i) to Alice, who knows sk
We know: Bob can evaluate the product of m1 and m2 if at most one of them is encrypted
Bob needs to evaluate m1 m2 where both m1 and m2 are encrypted
Interactive Multiplication: Brief Idea

General idea: secret share the inputs m_i between Alice and Bob. m'_i random (Bob can see them); m_i + m'_i random (Alice can see them)
Secret-shared multiplication: (m1 + m'1)(m2 + m'2) = m1 m2 + m1 m'2 + m'1 m2 + m'1 m'2
Alice computes (m1 + m'1)(m2 + m'2) on plaintexts and sends its encryption back to Bob
Knowing E_pk((m1 + m'1)(m2 + m'2)), E_pk(m_i) and m'_i, Bob can compute E_pk(m1 m2) by using AH
Interactive Multiplication with AH

Alice: $pk, sk$    Bob: $pk$, $c_i = E_{pk}(m_i; r_i)$ for $i \in \{1, 2\}$

Bob: $m'_1, m'_2 \leftarrow M$, $r_1, r_2 \leftarrow R$, $d_1 \leftarrow c_1 \cdot E_{pk}(m'_1; r_1)$, $d_2 \leftarrow c_2 \cdot E_{pk}(m'_2; r_2)$
Bob → Alice: $(d_1, d_2)$
Alice: $m''_1 \leftarrow D_{sk}(d_1)$, $m''_2 \leftarrow D_{sk}(d_2)$, $r_a \leftarrow R$, $d_\times \leftarrow E_{pk}(m''_1 m''_2; r_a)$
Alice → Bob: $d_\times$
Bob: $r_b \leftarrow R$, $c_\times \leftarrow d_\times \cdot c_1^{-m'_2} \cdot c_2^{-m'_1} \cdot E_{pk}(-m'_1 m'_2; r_b)$

Correctness: $c_\times = E_{pk}(m_1 m_2 + m_1 m'_2 + m'_1 m_2 + m'_1 m'_2) \cdot E_{pk}(-m_1 m'_2) \cdot E_{pk}(-m'_1 m_2) \cdot E_{pk}(-m'_1 m'_2; r_b) = E_{pk}(m_1 m_2; \cdots r_b)$
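The exchange above run end to end, as an added example that is not part of the lecture. It instantiates the protocol on a small textbook Paillier cryptosystem, where E(a)·E(b) = E(a + b) and E(a)^k = E(k·a) mod n² are the only homomorphic operations used, exactly as on the slide. The primes are toy-sized and constructed for the example (real Paillier needs primes of about 1024 bits), and the function names `bob_mask`, `alice_multiply`, `bob_unmask` are this example's own.

```python
"""Interactive multiplication on an additively homomorphic cryptosystem.

Added example, not code from the lecture. Bob holds E(m1), E(m2) under
Alice's key and ends with E(m1 * m2); neither side learns m1, m2 or the
product. Toy Paillier parameters, constructed for the example only.
"""
import secrets
from math import gcd


def keygen(p, q):
    """Paillier with g = n + 1: pk = n, sk = (n, lambda, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    mu = pow(lam, -1, n)          # L(g^lambda mod n^2) = lambda mod n when g = n + 1
    return n, (n, lam, mu)


def encrypt(n, m):
    """E(m; r) = (n + 1)^m r^n mod n^2 with fresh r; negative m is taken mod n."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r and gcd(r, n) == 1:
            break
    return pow(n + 1, m % n, n2) * pow(r, n, n2) % n2


def decrypt(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def add(n, c1, c2):
    """E(a) * E(b) = E(a + b)."""
    return c1 * c2 % (n * n)


def scale(n, c, k):
    """E(a)^k = E(k a); a negative k is the modular inverse, i.e. E(-a)^|k|."""
    return pow(c, k, n * n)


def bob_mask(n, c1, c2):
    """Message 1 (Bob -> Alice): d_i = c_i * E(m'_i) with fresh uniform masks m'_i."""
    m1p, m2p = secrets.randbelow(n), secrets.randbelow(n)
    d1 = add(n, c1, encrypt(n, m1p))
    d2 = add(n, c2, encrypt(n, m2p))
    return (d1, d2), (m1p, m2p)


def alice_multiply(n, sk, d1, d2):
    """Message 2 (Alice -> Bob): decrypt the masked values, multiply in the
    clear, re-encrypt. Alice only ever sees m_i + m'_i, uniform in Z_n."""
    return encrypt(n, decrypt(sk, d1) * decrypt(sk, d2))


def bob_unmask(n, dx, c1, c2, masks):
    """c_x = d_x * c_1^{-m'_2} * c_2^{-m'_1} * E(-m'_1 m'_2): removes the cross terms."""
    m1p, m2p = masks
    cx = add(n, dx, scale(n, c1, -m2p))
    cx = add(n, cx, scale(n, c2, -m1p))
    return add(n, cx, encrypt(n, -m1p * m2p))


def run_protocol(n, sk, m1, m2):
    """Full exchange; returns Bob's output ciphertext and, for checking, its decryption."""
    c1, c2 = encrypt(n, m1), encrypt(n, m2)   # Bob's inputs, encrypted under Alice's pk
    (d1, d2), masks = bob_mask(n, c1, c2)
    dx = alice_multiply(n, sk, d1, d2)
    cx = bob_unmask(n, dx, c1, c2, masks)
    return cx, decrypt(sk, cx)


# Toy parameters (two small primes), constructed for the example only.
PK, SK = keygen(104729, 104723)

if __name__ == "__main__":
    _, prod = run_protocol(PK, SK, 123456, 789)
    print(prod == 123456 * 789)
```

Bob's work is the three encryptions and two exponentiations counted on the later slide; the only decryption happens at Alice, and everything she decrypts is masked by a uniform m'_i.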
Interactive Multiplication: Privacy

Alice's privacy: Bob only sees ciphertexts under Alice's key, thus the protocol is CPA-secure for Alice by the "metatheorem", given that the cryptosystem is CPA-secure
Bob's privacy: Alice sees only m_i + m'_i, which are uniformly random because m'_i is uniform in the plaintext group M, so she obtains no information (in the semihonest model)
Tradeoff: Rounds vs Computation

Interactive multiplication can be used inside any complex protocol. Can do it many times:
Bob obtains iteratively E_pk(f(~x)) for a polynomial f. #messages increases by 2 per every "sequential" multiplication
Computation: only 3 encryptions and 2 exponentiations (by Bob) and 2 decryptions and 1 encryption (by Alice)
Corollary: can compute any multivariate polynomial in Θ(#mult) computation and (if not parallelized) Θ(#mult) rounds
More on Rounds vs Computation

Rounds: 2-message protocols are "non-interactive": Alice sends some data to the cloud, the cloud computes some output and forwards it later to Alice. Alice can be offline/lazy. In multiround protocols, Alice has to participate in computing every multiplication. Every round also takes some time
Computation: 2-message protocols are often computationally too expensive. Multiround protocols offer potentially much better computation
Tradeoff: what is more important in your application?
Multi-Party Computation

n > 2 parties P_1, ..., P_n
Every party has input x_i and output y_i. Otherwise security requirements as before
Secret share all inputs between the parties, so that a coalition of a majority of the parties can obtain the secrets, and any smaller coalition obtains no information
Use secret sharing instead of encryption. Use of encryption is also possible: then the parties share the secret key (can decrypt only if a majority participates)
If secret sharing: can do without computational assumptions, but we have to assume that a majority of the parties are honest
Elgamal (2, 2)-Threshold Encryption

(m, n): n parties, any m together can decrypt, any m − 1 can't
Will explain (2, 2) for Elgamal. One can generalize to Paillier and to many parties
Elgamal (2, 2)-Threshold Encryption

$P_i$, $i \in \{1, 2\}$, chooses $sk_i$ and publishes $pk_i = g^{sk_i}$
$sk = \sum_i sk_i$, $pk = \prod_i pk_i = g^{\sum_i sk_i} = g^{sk}$ (no single party knows $sk$)
Encrypt $m$: $E_{pk}(m; r) = (g^m pk^r, g^r)$
Decrypt (player order not important):
1. $P_1$: $c'_1 := g^{D_{sk_1}(g^m pk^r; g^r)} = g^m pk^r / g^{r \cdot sk_1} = g^m g^{r(sk_1 + sk_2)} / g^{r \cdot sk_1} = g^m g^{r \cdot sk_2} = g^m pk_2^r$
2. $P_2$: $D_{sk_2}(c'_1, g^r) = \log_g(g^m g^{r \cdot sk_2} / g^{r \cdot sk_2}) = m$
Security: $(c'_1, g^r) = E_{pk_2}(m; r)$, thus $P_1$ cannot decrypt without knowing $sk_2$
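The two-step decryption above, as an added example that is not the lecture's code. It uses exponent Elgamal in the order-q subgroup of Z_p^* for a toy safe prime p = 2q + 1 (constructed for the example, nowhere near a secure size), lets the shares be applied in either order, and checks the security remark directly: P1's partial result is exactly E_{pk_2}(m; r). The function names are this example's own.

```python
"""(2, 2)-threshold ElGamal in the exponent.

Added example, not code from the lecture. Each party holds only its own
sk_i; pk = pk_1 * pk_2 = g^{sk_1 + sk_2} and nobody ever holds sk_1 + sk_2.
Group parameters are toy-sized and constructed for the example.
"""
import secrets

P = 1019                  # safe prime: P = 2 * 509 + 1
Q = (P - 1) // 2          # prime order of the subgroup we work in
G = 4                     # a square mod P, so it generates the order-Q subgroup


def keygen():
    """One party's share: sk_i and its public pk_i = g^{sk_i}."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def combine_pk(pk1, pk2):
    """pk = pk_1 * pk_2 = g^{sk_1 + sk_2}."""
    return pk1 * pk2 % P


def encrypt(pk, m, r=None):
    """Exponent ElGamal: E_pk(m; r) = (g^m pk^r, g^r)."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return pow(G, m, P) * pow(pk, r, P) % P, pow(G, r, P)


def partial_decrypt(sk_i, ct):
    """One party's step: (c_1 / c_2^{sk_i}, c_2). After P_1's step the first
    component is g^m pk_2^r, i.e. the pair is still a ciphertext of m under pk_2."""
    c1, c2 = ct
    return c1 * pow(c2, -sk_i, P) % P, c2


def dlog(h, bound):
    """log_g h by brute force; exponent ElGamal only decrypts small messages."""
    for m in range(bound):
        if pow(G, m, P) == h:
            return m
    raise ValueError("message not in range")


def threshold_decrypt(shares, ct, bound=64):
    """Apply every share in the given order (the order does not matter), then
    recover m from g^m."""
    for sk_i in shares:
        ct = partial_decrypt(sk_i, ct)
    return dlog(ct[0], bound)


if __name__ == "__main__":
    sk1, pk1 = keygen()
    sk2, pk2 = keygen()
    pk = combine_pk(pk1, pk2)
    print(threshold_decrypt([sk1, sk2], encrypt(pk, 37)))
```

The brute-force `dlog` is what limits exponent Elgamal to small plaintexts; this is why the slide notes that the same construction is usually carried over to Paillier when full-size messages are needed.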
Examples: Other Functionalities

Denote: [[x]] = threshold encryption of x
Secure polynomial evaluation
Other applications include (not explaining):
Equality test: [[x]], [[y]] → [[[x = y]]]. [Toft, 2011]: first protocol with o(|x|) = o(m) PKC ops (recall BDD requires Θ(m)). [Lipmaa and Toft, 2013]: some improvement
Comparison (GT): [[x]], [[y]] → [[[x > y]]]. Easy to construct from EQ [Toft, 2011]
Secure sort: can be constructed by applying Θ(n log n) GT operations
Example: Why MULT and EQ

// Nonprivate:
if x = y then
    x ← z
else
    y ← z
end

// Private:
[[x = y]] ← EQ([[x]], [[y]])
[[x ≠ y]] ← [[1]] − [[x = y]]
[[x]] ← [[x = y]]·[[z]] + [[x ≠ y]]·[[x]]
[[y]] ← [[x ≠ y]]·[[z]] + [[x = y]]·[[y]]
Example: Vector Scan (Prefix-Sum)

Input: x_1, ..., x_n and an associative operator ∘. Output: y_1, ..., y_n, where y_i = x_1 ∘ ··· ∘ x_{i−1}
Polynomial evaluation: given a polynomial f and [[x]], compute [[f(x)]] = Σ_i f_i [[x^i]]. Computing (x, x, ..., x) → (1, x, x², ..., x^{n−1}) is a prefix-sum with ∘ = multiplication
Straightforward computation: compute [[y_1]] ← [[1]]; for i ← 2 to n do: compute [[y_i]] ← [[y_{i−1}]] ∘ [[x_{i−1}]]. Total: Θ(n) rounds. Corollary: [[f(x)]] in Θ(n) rounds
Round reduction idea: parallelize, execute several multiplications in parallel. #mults increases by a constant factor; #rounds decreases from Θ(n) to Θ(log n)
Efficient n = 2^m-Vector Scan

(1) Upsweep: m rounds, 2^m − 1 = n − 1 semigroup operations
(2) Downsweep: m rounds, 2^m − 1 = n − 1 semigroup operations
See http://http.developer.nvidia.com/GPUGems3/gpugems3_ch39.html
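The upsweep/downsweep schedule above in code, as an added example (not the lecture's code). `scan` computes the exclusive prefix "sum" y_i = x_1 ∘ ··· ∘ x_{i−1} for any associative operator and counts rounds (levels whose operations are mutually independent and so could run as one batch of parallel interactive multiplications) and operations, so the 2m rounds and 2(n − 1) operations of the two slides can be checked; `powers_via_scan` and `eval_poly` are the polynomial-evaluation use from the vector-scan slide. Function names, the modulus and the sample inputs are this example's own and constructed for it.

```python
"""Upsweep/downsweep vector scan with round and operation counting.

Added example, not code from the lecture. Works for any associative
(not necessarily commutative) operator on n = 2^m inputs.
"""
from typing import Callable, List, Tuple, TypeVar

T = TypeVar("T")


def scan(xs: List[T], op: Callable[[T, T], T], identity: T) -> Tuple[List[T], int, int]:
    """Exclusive scan of xs (n = 2^m) under op. Returns (ys, rounds, ops)."""
    n = len(xs)
    assert n > 0 and n & (n - 1) == 0, "n must be a power of two"
    a = list(xs)
    rounds = ops = 0

    # (1) Upsweep: each level combines pairs of blocks, right block <- left o right.
    # Operands are kept in order, so a non-commutative op is handled correctly.
    step = 1
    while step < n:
        for i in range(2 * step - 1, n, 2 * step):
            a[i] = op(a[i - step], a[i])
            ops += 1
        rounds += 1            # all ops of one level are independent: one round
        step *= 2

    # (2) Downsweep: the root holds the identity (nothing precedes x_1); each
    # level hands the parent's prefix to the left child and
    # (prefix o left-block total) to the right child.
    a[n - 1] = identity
    step = n // 2
    while step >= 1:
        for i in range(2 * step - 1, n, 2 * step):
            left_total = a[i - step]
            a[i - step] = a[i]
            a[i] = op(a[i], left_total)
            ops += 1
        rounds += 1
        step //= 2
    return a, rounds, ops


def sequential_scan(xs: List[T], op: Callable[[T, T], T], identity: T) -> List[T]:
    """The straightforward loop from the previous slide: Theta(n) rounds."""
    ys, acc = [], identity
    for x in xs:
        ys.append(acc)
        acc = op(acc, x)
    return ys


def powers_via_scan(x: int, n: int, mod: int) -> Tuple[List[int], int]:
    """(1, x, x^2, ..., x^{n-1}) mod `mod` from n copies of x, plus the round count."""
    ys, rounds, _ = scan([x] * n, lambda a, b: a * b % mod, 1)
    return ys, rounds


def eval_poly(coeffs: List[int], x: int, mod: int) -> int:
    """f(x) = sum_i f_i x^i. In the MPC setting only the scan is interactive:
    multiplying [[x^i]] by a public coefficient f_i and adding are local (AH)."""
    powers, _ = powers_via_scan(x, len(coeffs), mod)
    return sum(f * p for f, p in zip(coeffs, powers)) % mod


if __name__ == "__main__":
    print(scan([1, 2, 3, 4, 5, 6, 7, 8], lambda a, b: a + b, 0))
```

With n = 8 the scan takes 6 rounds and 14 operations against the 7 sequential rounds of the naive loop; the gap is Θ(log n) versus Θ(n) rounds for a constant-factor increase in multiplications, as the slide states.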
Learning Outcomes

BDD/branching program: a relatively large class of functionalities can be securely computed in polynomial time in 1 round. Every function f : {0, 1}^m → {0, 1} can be securely computed in time O(2^m/m) in 1 round
Everything interesting can be computed in many rounds
Real efficiency still takes considerable effort
In reality, one needs to optimize both rounds and computation. Decide based on the application
NB! You need to know your algorithms and data structures. Crypto often adds a privacy-preserving layer to them
Learning Outcomes (up to now)

We walked from the very basics to ways of constructing quite complex protocols. Common denominator: security in the semihonest model
It is easy to see that most of the previous protocols are insecure if parties do not follow the protocol. Following n lectures: security in the malicious model