MTAT.07.014 Cryptographic Protocols

Helger Lipmaa

University of Tartu

Last modified: October 21, 2013

Helger Lipmaa (University of Tartu) MTAT.07.014 Cryptographic Protocols MTAT.07.014 1 / 218


Short Syllabus

Protocol: an algorithm that includes communication between 2 or more parties
Cryptographic protocol: a protocol with some security requirements

Goal:
- learn to design secure and efficient cryptographic protocols
- foundations: understand how this is done

Efficiency: different methods of protocol construction

Security: definitions and proofs of security; intuition on how to design secure protocols

At the end of the course, students should be able to
- understand security definitions
- design secure and efficient cryptographic protocols
- prove their security (according to the security definitions)


Example: Study Goal

Goal: design a simple e-voting protocol

Protocol main idea: the voter encrypts her ballot by using cryptosystem X, and signs it by using some standard signature scheme Y

Tasks:
- Construct a protocol secure against a malicious voter and a malicious voting server
- Define what it means for the protocol to be secure
- Prove that it is secure
- Efficiency: choose the right X, Y, etc.


For Muggles...

Many cryptographic protocols are used in the wild
- Widely standardized: SSL/TLS, IPsec, SSH, ...
- Less common: e-voting, Bitcoin, ...

A muggle may expect that we are just going to describe them in this course. Not!
- Just describing = boring; everybody can read an RFC
- Goal: understand why something is secure
- Real protocols are too complex, or not really secure

Pedagogical trick: start from the basics!


Evolution of the Course

Third time (2011, 2012, and now)
- 2011: initial version
- 2012: new topics: elliptic curves, pairings, pairing-based NIZK, lattices. Had 14 lectures out of 16, so there is space for more material
- 2013: new topics: garbled circuits, more lattices, (maybe) multi-party computation, more NIZK. May remove some topics. Removed to supplementary materials: intro to elliptic curves

Vast area. Will focus on aspects that are related to my own research. Emphasis on the area called secure computation


Practice Sessions

Practice sessions given by Prastudy Fauzi, who will have completely free hands
- 50% of the grade is homework
- 2011/2012 homework was mostly about implementing; this year: also proofs and attacks
- To make sure that the main study outcomes (*) are satisfied
  (*): to learn how to construct protocols and prove their security
- Practice sessions also sometimes give supplementary material that is not part of "cryptographic protocols" but is needed as background


Outline
1. Lecture 1: Introduction
2. Lecture 2: Assumptions. Discrete Logarithm, CDH
3. Lecture 3: DDH. Elgamal
4. Lecture 4: Lifted Elgamal. MH Protocols
5. Lecture 5: E-Voting. AH. Paillier
6. Lecture 6: AH with Recursion: Nontrivial CPIR
7. Lecture 7: BDD and Multi-Round


References

Barbulescu, R., Gaudry, P., Joux, A., and Thomé, E. (2013). A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. Technical Report 2013/400, International Association for Cryptologic Research. Available at http://eprint.iacr.org/2013/400.

Cobham, A. (1966). The Recognition Problem for the Set of Perfect Squares. In FOCS 1966, pages 78–87, Berkeley, California. IEEE Computer Society.

Cramer, R., Gennaro, R., and Schoenmakers, B. (1997). A Secure and Optimally Efficient Multi-Authority Election Scheme. In Fumy, W., editor, EUROCRYPT 1997, volume 1233 of LNCS, pages 103–118, Konstanz, Germany. Springer, Heidelberg.

Damgård, I. and Jurik, M. (2001). A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System. In Kim, K., editor, PKC 2001, volume 1992 of LNCS, pages 119–136, Cheju Island, Korea. Springer, Heidelberg.

Damgård, I. B., Jurik, M. J., and Nielsen, J. B. (2010). A Generalization of Paillier's Public-key System with Applications to Electronic Voting. International Journal of Information Security, 9(6):371–385.

Diffie, W. and Hellman, M. E. (1976). New Directions in Cryptography. IEEE Transactions on Information Theory, IT-22:644–654.

Elgamal, T. (1985). A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, 31(4):469–472.

Gentry, C. and Ramzan, Z. (2005). Single-Database Private Information Retrieval with Constant Communication Rate. In Caires, L., Italiano, G. F., Monteiro, L., Palamidessi, C., and Yung, M., editors, ICALP 2005, volume 3580 of LNCS, pages 803–815, Lisboa, Portugal. Springer, Heidelberg.

Goldreich, O. (2001). Foundations of Cryptography: Basic Tools. Cambridge University Press. ISBN 0521791723.

Ishai, Y. and Paskin, A. (2007). Evaluating Branching Programs on Encrypted Data. In Vadhan, S. P., editor, TCC 2007, volume 4392 of LNCS, pages 575–594, Amsterdam, The Netherlands. Springer, Heidelberg.

Joux, A. and Pierrot, C. (2013). The Special Number Field Sieve in F_{p^n}, Application to Pairing-Friendly Constructions. Technical Report 2013/582, International Association for Cryptologic Research. Available at http://eprint.iacr.org/2013/582.

Koblitz, N. (1994). A Course in Number Theory and Cryptography. Number 114 in Graduate Texts in Mathematics. Springer-Verlag, 2nd edition. ISBN 0387942939.

Koblitz, N. (1998). Algebraic Aspects of Cryptography. Springer-Verlag.

Kushilevitz, E. and Ostrovsky, R. (1997). Replication is Not Needed: Single Database, Computationally-Private Information Retrieval. In FOCS 1997, pages 364–373, Miami Beach, Florida. IEEE Computer Society.

Lang, S. (2005). Algebra. Graduate Texts in Mathematics. Springer, 3rd edition.

Lipmaa, H. (2005). An Oblivious Transfer Protocol with Log-Squared Communication. In Zhou, J. and Lopez, J., editors, ISC 2005, volume 3650 of LNCS, pages 314–328, Singapore. Springer, Heidelberg.

Lipmaa, H. (2009). First CPIR Protocol with Data-Dependent Computation. In Lee, D. and Hong, S., editors, ICISC 2009, volume 5984 of LNCS, pages 193–210, Seoul, Korea. Springer, Heidelberg.

Lipmaa, H. and Toft, T. (2013). Secure Equality and Greater-Than Tests with Sublinear Online Complexity. In Fomin, F. V., Kwiatkowska, M., and Peleg, D., editors, ICALP 2013, volume 7966 of LNCS, pages 645–656, Riga, Latvia. Springer, Heidelberg.

Menezes, A., Okamoto, T., and Vanstone, S. (1993). Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field. IEEE Transactions on Information Theory, 39:1639–1646.

Micciancio, D. and Goldwasser, S. (2002). Complexity of Lattice Problems: A Cryptographic Perspective, volume 671 of The Springer International Series in Engineering and Computer Science. Springer.

Paillier, P. (1999). Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In Stern, J., editor, EUROCRYPT 1999, volume 1592 of LNCS, pages 223–238, Prague, Czech Republic. Springer, Heidelberg.

Shor, P. W. (1994). Algorithms for Quantum Computation: Discrete Logarithms and Factoring. In Goldwasser, S., editor, FOCS 1994, pages 124–134, Santa Fe, New Mexico, USA. IEEE Computer Society Press.

Toft, T. (2011). Sub-linear, Secure Comparison with Two Non-colluding Parties. In Catalano, D., Fazio, N., Gennaro, R., and Nicolosi, A., editors, PKC 2011, volume 6571 of LNCS, pages 174–191, Taormina, Italy. Springer, Heidelberg.

Wegener, I. (2000). Branching Programs and Binary Decision Diagrams: Theory and Applications. SIAM Monographs on Discrete Mathematics and Applications. SIAM.

Wegener, I. and Woelfel, P. (2007). New Results on the Complexity of the Middle Bit of Multiplication. Computational Complexity, 16(3):298–323.

Lecture 1: Introduction


Preliminaries

I assume you have seen different primitives:
- Block ciphers, stream ciphers
- Hash functions
- Public-key cryptosystems
- Signature schemes
(Crypto I or an equivalent course...)

For every type of primitive, you have hopefully seen some representatives, a security definition, and sometimes an attack showing that the representatives are not secure

Note: we will not use all mentioned primitives. They were just mentioned since they are "standard"


Goal of Cryptographic Protocols

More and more activities are done online
- Examples (in Estonia): e-voting, digital signatures

Some activities are completely new, or on a completely new scale
- Example: (privacy-preserving) data mining

In all such cases, one should get security/correctness and privacy in the presence of malicious parties


Def. of Cryptographic Protocols

Cryptographic protocol: a two-party or multi-party protocol that achieves its goals and protects privacy even in the presence of realistically malicious parties


Why It May Be Hard: CPIR

Computationally-Private Information Retrieval (CPIR):
- Server has database f = (f_1, ..., f_n), |f_i| = ℓ
- Client has index x ∈ {1, ..., n}
- Client should obtain f_x (and maybe more)
- Server should obtain no new information: nothing about x!

Protocol skeleton (Alice holds x, Bob holds f):
  Alice: (q, state) ← Query(x)
  Alice → Bob: q
  Bob: r ← Reply(f, q)
  Bob → Alice: r
  Alice: f*_x ← Answer(x, r, state)


If no privacy is needed:
- |x| = ⌈log_2 n⌉ bits, |f_x| = ℓ bits
- Total communication: ⌈log_2 n⌉ + ℓ bits
- Very small constant Θ(1) computation on a modern computer

  Alice → Bob: x
  Bob → Alice: f_x
  Alice: f*_x ← f_x

What if privacy is required?


Trivial protocol:
1. server sends f to client
2. client picks f_x

  Alice → Bob: "empty string"
  Bob → Alice: f
  Alice: f*_x ← f_x

Good: clearly private for the client
Bad: ℓn bits, too expensive in practice
Task: improve communication


First non-trivial CPIR introduced in [Kushilevitz and Ostrovsky, 1997]
Communication can be cut down to Θ(log n + ℓ + κ) [Gentry and Ramzan, 2005] or to 2ℓ + Θ(κ log^2 n) [Lipmaa, 2009]
- κ is the security parameter (e.g., key length)

What about computation?
Folk "theorem": since the server does not know which index the client obtains, the server has to "touch" all database elements: Θ(n) computation
- It was thought a few years ago that this is it


[Lipmaa, 2009]:
- Θ(n) server computation can be done in a preprocessing phase (once per database)
- online server computation can be decreased to worst-case O(n / log n) (once per query); considerably less when the database is not random
- Idea: the server represents the database as a more efficient data structure; O(n / log n) comes from the known bounds on this data structure (we will tackle it in a later lecture)

Preprocessing is still Θ(n), as compared to Θ(1) in the non-private case
- It takes Θ(n) time to construct this data structure from the database


Why Often Simpler Than Assumed I

In e-voting, the server receives ciphertexts of individual ballots, and outputs a plaintext tally

Goal: the tally is correct, but the server does not learn anything extra about individual ballots. Sounds impossible?
- CPIR had an inefficient trivial protocol. Can you think of a trivial protocol here?

Can be done if one can do arithmetic on ciphertexts: one server "adds up" the encrypted ballots and a second server decrypts the "sum"
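The idea above, carried out in code as an added example that is not part of the slides. Cryptosystem X is left open on the slide, so the example assumes lifted Elgamal in the order-Q subgroup of Z_P^* (the scheme of Lecture 4 in the outline), with constructed toy parameters P = 2039, Q = 1019, G = 4 and yes/no ballots. One server checks that every ciphertext component lies in the subgroup and multiplies the ballots; a second server holding the secret key decrypts only the product, never an individual ballot. The last lines show what the tasks on the "Study Goal" slide are about: a voter who encrypts -2 instead of 0 or 1 shifts the tally silently, which is why ballots must come with a zero-knowledge proof of validity (slide "Why Often Simpler Than Assumed II").

```python
# Added example, not from the slides: "one server adds up encrypted ballots,
# a second server decrypts the sum" with an assumed cryptosystem X = lifted
# Elgamal in the order-Q subgroup of Z_P^*.  Toy parameters; a deployment uses
# the sizes from the "Instantiation" slides or an elliptic curve group.
import secrets

P, Q, G = 2039, 1019, 4   # P = 2Q + 1 prime; 4 = 2^2 is a square, so ord(4) = Q
assert pow(G, Q, P) == 1

def in_G(h):
    """Subgroup membership: every component of a received ciphertext must pass this."""
    return 1 <= h < P and pow(h, Q, P) == 1

def keygen(sk=None):
    sk = secrets.randbelow(Q - 1) + 1 if sk is None else sk
    return sk, pow(G, sk, P)

def encrypt(pk, m, r=None):
    """Lifted Elgamal: Enc(m; r) = (g^r, pk^r * g^m), with m, r in Z_Q."""
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, r, P), pow(pk, r, P) * pow(G, m % Q, P) % P)

def add_ciphertexts(c1, c2):
    """Componentwise product: Enc(m1; r1) * Enc(m2; r2) = Enc(m1 + m2; r1 + r2)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def decrypt(sk, c, max_m):
    """Recover m from g^m by brute force over 0..max_m (tallies are small).
    Returns None if g^m is not in that range."""
    gm = c[1] * pow(c[0], Q - sk, P) % P   # c[0]^(Q - sk) = c[0]^(-sk) since ord(c[0]) | Q
    acc = 1
    for m in range(max_m + 1):
        if acc == gm:
            return m
        acc = acc * G % P
    return None

def tally_server(ballots):
    """Server 1 (no secret key): validate the components, then 'add up' the ballots."""
    for c in ballots:
        if not (in_G(c[0]) and in_G(c[1])):
            raise ValueError("ciphertext component outside G")
    total = (1, 1)                          # Enc(0; 0)
    for c in ballots:
        total = add_ciphertexts(total, c)
    return total

def decryption_server(sk, encrypted_sum, n_ballots):
    """Server 2 (has sk): decrypts only the sum, never an individual ballot."""
    return decrypt(sk, encrypted_sum, n_ballots)

def run_election(sk, pk, ballots):
    return decryption_server(sk, tally_server(ballots), len(ballots))

if __name__ == "__main__":
    sk, pk = keygen()
    honest = [encrypt(pk, v) for v in (1, 1, 0, 1, 1)]      # yes/no votes, 4 x "yes"
    print("honest tally:", run_election(sk, pk, honest))    # 4
    # A malicious voter encrypts -2 instead of 0 or 1.  Nothing above detects
    # it: the tally silently becomes 2.  Hence the voter must prove in
    # zero-knowledge that the ballot encrypts 0 or 1.
    cheated = honest + [encrypt(pk, -2)]
    print("with one malicious ballot:", run_election(sk, pk, cheated))   # 2
```

The membership test in tally_server is the one practical check this toy keeps: a component outside the order-Q subgroup would make the decryption step's inverse wrong and can leak bits of sk in larger protocols. The m-candidate tally of the "Example 3: E-voting" slide is the same code with one encrypted counter per candidate.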


Why Often Simpler Than Assumed II

In e-voting, the server must prove that its actions were correct, without revealing any extra information. Sounds impossible?

Can be done by using zero-knowledge, and proven secure with simulation-based proofs


Simple Example: Veto

Vetoing: assume Alice and Bob vote on some issue. The decision is taken only if both support it

Privacy: a minimal amount of information about the votes will be leaked
- If Alice votes for, then the result will be equal to Bob's vote ⇒ Bob's privacy cannot be protected
- If Alice votes against, then the result will be "no" independently of Bob's input ⇒ Alice should get no information


Mathematical Formulation: Veto = AND

Assume the private inputs are a, b ∈ {0, 1}. The common output is f(a, b) := a ∧ b

Alice/Bob should not get to know more than can be inferred from her/his private input and f(a, b)

In the general case, every party can have a different private output f_i(x_1, ..., x_n). Then the task is: given private inputs x_i, party i should learn f_i(x_1, ..., x_n) and nothing else


Example 2: Scalar Product

Alice's input: a = (a_1, ..., a_n)
Bob's input: b = (b_1, ..., b_n)
Alice's output: f(a, b) = Σ_{i=1}^{n} a_i · b_i
Bob's output: ⊥ (nothing)

Alice should be convinced that her output is correct


Example 3: E-voting

n voters v_i, m candidates c_j
Simple case: every voter v_i casts a ballot for some candidate c_j, b_i = c_j
Ballots are sent to voting servers, which output the tally: for each j ∈ {1, ..., m}, T_j = |{i ∈ [n] : b_i = c_j}|
- Everybody should learn {T_j : j ∈ {1, ..., m}}
- Nobody should learn anything else
- Voters should be convinced the result is correct


Definitions of Security

Will be postponed: we will first see some natural protocols
- Security definitions are important; we should first have an idea of what we are aiming for
- There are whole books about definitions [Goldreich, 2001]

Semihonest model: parties behave honestly, but are curious
- Security = privacy (in the semihonest model)

Malicious model: parties behave adversarially
- Security = privacy + correctness
- Will study later


Efficient Protocols Based on Algebra

Many efficient protocols are based on algebraic structures
Common example: a finite cyclic group (G, ·) of order q with generator g, where the exponentiation φ: Z_q → G, φ(a) = g^a, is both one-way (hard to invert) and an isomorphism (it maps addition in Z_q to multiplication in G):

  g^0 = 1,  g^{−a} = 1/g^a,  g^a · g^b = g^{a+b}

Using a one-way exponentiation, one can design efficient protocols for many problems.

However, there is a limit, and one often needs even more algebraic structure, e.g., bilinear or multilinear maps


Background in Algebra/Number Theory

The rest of this lecture consists of some background in algebra / number theory that every "working cryptographer" must have

My opinion: everybody who gets a BSc in computer science must also have it (except the part about elliptic curves and quantum computing, maybe)

Some of the background is given in cryptographic (as opposed to algebraic) language
- Standard reference in algebra: [Lang, 2005]
- Books that combine algebra and cryptography: [Koblitz, 1994, Koblitz, 1998], etc.


Reminder: Groups

(G, ∘) is a group if:
- G is a set, ∘: G × G → G is a binary operation
- (associative) g_1 ∘ (g_2 ∘ g_3) = (g_1 ∘ g_2) ∘ g_3
- (unit element) there exists 1 ∈ G such that for all g, 1 ∘ g = g ∘ 1 = g
- (inverse) ∀g ∃g^{−1} ∈ G such that g ∘ g^{−1} = g^{−1} ∘ g = 1

(G, ∘) is abelian if additionally
- (commutative) g_1 ∘ g_2 = g_2 ∘ g_1 for all g_1, g_2

Multiplicative group notation: ·, 1, g^{−1}
Additive group notation: +, 0, −g


Reminder: Cyclic groups

Let (G, ·) be a group
- g^x = g · g · ... · g (x times), for x > 0
- g^{−x} = g^{−1} · g^{−1} · ... · g^{−1} (x times), and g^0 = 1

For g ∈ G, let ⟨g⟩ := {g^x : x ∈ Z}
- g is a generator of ⟨g⟩
- If G = ⟨g⟩ then G is cyclic

Examples:
- (Z, +) is cyclic with generator 1
- (Z_q = {0, 1, ..., q − 1}, +) is cyclic with generator 1


Intuition: if G is cyclic with generator g, then every element of G can be obtained from g via exponentiation

E.g.: for fixed m ∈ G, a generator g, and uniformly random r ∈ Z_q, m · g^r is uniformly random in G
- g^r masks the element m perfectly
- In a cyclic group of prime order q, every g ≠ 1 is a generator, so any g ≠ 1 will do

If g is not a generator (for example because G is not cyclic), g^r only ranges over the subgroup ⟨g⟩ of G generated by g, and m · g^r reveals in which coset of ⟨g⟩ the element m lies


Egyptian Exponentiation Algorithm

Input: integers x, y with y ≥ 1
Output: integer z = x^y

  while y is even do
      x ← x · x
      y ← ⌊y/2⌋
  end
  z ← x
  y ← ⌊y/2⌋
  while y > 0 do
      x ← x · x
      if y is odd then z ← z · x
      y ← ⌊y/2⌋
  end
  return z

Cost: between log_2 y and 2 log_2 y multiplications (⌊log_2 y⌋ squarings plus one multiplication per further set bit of y), 1.5 log_2 y on average. For y = 0 the first loop never terminates, so the caller must handle y = 0 separately.


Brauer’s Algorithm

Similar, but instead of base 2 uses base 2^k (the 2^k-ary method)

1. Precompute a_i ← g^i for i = 0 to 2^k − 1
2. Write x = Σ_i x_i · 2^{ki} with digits 0 ≤ x_i < 2^k; then g^x = Π_i (a_{x_i})^{2^{ki}}, computed from the most significant digit down: k squarings per digit, then one multiplication by a_{x_i} whenever x_i ≠ 0

Takes ≈ log_2 x + log_2 x / log_2 log_2 x multiplications for the optimal value of k

(Proposed by Brauer in 1939)
http://en.wikipedia.org/wiki/Exponentiation_by_squaring
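Both methods, as an added example that is not part of the slides: a Python implementation of the Egyptian (right-to-left binary) method and of Brauer's 2^k-ary method over any group supplied as a multiplication function, returning the number of group multiplications used so that the counts on the two slides can be checked. The toy modulus 2039 and the demo exponents are constructed for the example. Caveat for practitioners: both loops branch on the bits of the exponent, so neither is constant-time; code that exponentiates with a secret uses a fixed-window or ladder variant instead.

```python
# Added example, not from the slides: the right-to-left binary method of the
# "Egyptian Exponentiation" slide and the 2^k-ary method of the "Brauer's
# Algorithm" slide.  `mul` is the group operation, `one` the unit element.
import hashlib

def egyptian_pow(x, y, mul):
    """Return (x^y, multiplications used) for an integer y >= 1.
    Uses floor(log2 y) squarings plus popcount(y) - 1 other multiplications,
    i.e. between log2 y and 2 log2 y in total, as stated on the slide."""
    if y < 1:
        raise ValueError("exponent must be >= 1 (the slide's first loop never ends for y = 0)")
    count = 0
    while y % 2 == 0:              # x <- x^(2^t), y <- y / 2^t for the largest such t
        x, y = mul(x, x), y // 2
        count += 1
    z = x                          # the lowest remaining bit of y is set
    y //= 2
    while y > 0:
        x = mul(x, x)              # x = original^(2^i)
        count += 1
        if y % 2 == 1:
            z = mul(z, x)
            count += 1
        y //= 2
    return z, count

def brauer_pow(g, x, k, mul, one):
    """Return (g^x, multiplications used) for x >= 0 with the 2^k-ary method:
    precompute a_i = g^i for i < 2^k (2^k - 2 multiplications), then process x
    one base-2^k digit at a time from the top: k squarings per digit and one
    multiplication by a_digit whenever the digit is nonzero."""
    count = 0
    table = [one, g]
    for _ in range(2, 2 ** k):
        table.append(mul(table[-1], g))
        count += 1
    digits = []
    while x > 0:
        digits.append(x % 2 ** k)
        x //= 2 ** k
    if not digits:
        return one, count
    digits.reverse()               # most significant digit first; it is nonzero
    z = table[digits[0]]
    for d in digits[1:]:
        for _ in range(k):
            z = mul(z, z)
            count += 1
        if d:
            z = mul(z, table[d])
            count += 1
    return z, count

if __name__ == "__main__":
    p = 2039                                   # toy prime; 4 has order 1019 in Z_p^*
    mul = lambda a, b: a * b % p
    print("4^1019 mod 2039, multiplications:", egyptian_pow(4, 1019, mul))
    # A constructed 256-bit exponent: the squarings are the same for every k,
    # the extra multiplications shrink with k until the table cost dominates.
    e = int.from_bytes(hashlib.sha256(b"demo exponent").digest(), "big")
    for k in range(1, 8):
        print("k =", k, "multiplications:", brauer_pow(4, e, k, mul, 1)[1])
```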


Reminder: Group Order

Element g ∈ G has order q = ord(g) if g^q = 1 and g^i ≠ 1 for 0 < i < q

A finite group G has order ord(G) = |G|, the number of its elements. By Lagrange's theorem max_{g ∈ G} ord(g) divides |G|, with equality exactly when G is cyclic

If G is cyclic of order q, then for every generator g and every h ∈ G there exists a unique i ∈ Z_q such that h = g^i

Note that if q = ord(G), then ∀i: g^i = g^{i mod q}, since g^q = 1 for every g ∈ G


Reminder: Divisibility Etc

For a, b ∈ Z, a | b if there exists c ∈ Z such that b = ca
For a, b ≥ 1, gcd(a, b) is the greatest common divisor of a and b
- gcd(a, b) | a, gcd(a, b) | b
- If c | a and c | b, then c | gcd(a, b) (in particular c ≤ gcd(a, b))
- gcd(a, b) can be computed efficiently by using the Euclidean algorithm

If gcd(a, b) = 1, then a and b are coprime


Cryptographic Groups

Algebraic properties:
- Group properties (associativity etc.) are all useful, but it depends on the concrete context, both for functionality and for efficiency
- Cyclic groups are desirable but not necessary; they give some convenience and efficiency

Efficiency:
- short representations of group elements
- group operations, and testing group membership, should be easy

Security:
- Some problem must be hard
- Typical such assumption: exponentiation should be a one-way function


Instantiation 1 of G

For n > 1, Z_n^* := {i ∈ {1, ..., n − 1} : gcd(n, i) = 1}
Fact: i is invertible in (Z_n, ·) iff gcd(n, i) = 1
(Z_n^*, ·) is a group

ϕ(n) := |Z_n^*| is Euler's totient function. If p is prime, then ϕ(p) = p − 1 and Z_p^* = Z_p \ {0}

Lagrange's theorem: if G is finite and G' ⊆ G is a subgroup, then ord(G') | ord(G)
Cauchy's theorem (a special case of Sylow's theorems): if q is prime and q | |G|, then G has a subgroup of order q. In a cyclic group such as Z_p^* that subgroup is unique


Example

Let p, q be two large primes such that q | (p − 1). Let G be the unique subgroup of Z_p^* of order q. Let g be a generator of G.

Explanation: |Z_p^*| = p − 1, thus there exists a (unique) subgroup G of Z_p^* of order q. In practical instantiations (recommendations as of 2013), log_2 p ≥ 3248 and log_2 q ≥ 256. We need ≥ 3248 bits to represent an element of G. Exponentiation in G takes ≥ 256 multiplications (≈ log_2 q squarings plus a few extra multiplications) by using Brauer's algorithm. (See http://www.keylength.com/en/3/ for recommended "key lengths")
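The instantiation above with toy parameters, as an added example that is not part of the slides: p = 67 and q = 11 (so q | p − 1 with cofactor 6) are constructed for the demo, and the algebra is the same at the sizes quoted on the slide. It shows how a generator of the order-q subgroup is obtained from any element of Z_p^* via the cofactor, the membership test h^q = 1 that a protocol must apply to every group element it receives, that exponents live in Z_q (the "Reminder: Group Order" slide), and the masking claim from the "Reminder: Cyclic groups" slide, including how m · g^r leaks when g is not a generator of G.

```python
# Added example, not from the slides: "Instantiation 1 of G" with toy-sized
# constructed parameters.  The exhaustive loops over Z_q are only possible
# because q is tiny; nothing else depends on the size.
from collections import Counter

def subgroup_generator(p, q, h):
    """Push h in Z_p^* into the unique order-q subgroup via the cofactor (p-1)/q.
    g = h^((p-1)/q) satisfies g^q = h^(p-1) = 1, so ord(g) | q; as q is prime,
    ord(g) = q unless g = 1.  Returns None in that case (pick another h)."""
    assert (p - 1) % q == 0
    g = pow(h, (p - 1) // q, p)
    return None if g == 1 else g

def in_subgroup(h, p, q):
    """Membership test for G: h in {1, ..., p-1} and h^q = 1 (mod p).
    Run this on every group element received from another party."""
    return 1 <= h < p and pow(h, q, p) == 1

def elements(g, p, q):
    """All of G = <g> as a set; has q elements when ord(g) = q."""
    return {pow(g, i, p) for i in range(q)}

def masking_histogram(m, g, p, q):
    """Distribution of m * g^r when r is uniform in Z_q."""
    return Counter(m * pow(g, r, p) % p for r in range(q))

if __name__ == "__main__":
    p, q = 67, 11
    g = subgroup_generator(p, q, 2)            # 2^6 mod 67 = 64, ord(64) = 11
    assert g is not None and in_subgroup(g, p, q)
    print("G =", sorted(elements(g, p, q)))    # 11 elements
    assert pow(g, 1000, p) == pow(g, 1000 % q, p)   # exponents live in Z_q
    m = pow(g, 3, p)
    good = masking_histogram(m, g, p, q)
    print("generator: %d distinct values, hit %s time(s) each" % (len(good), set(good.values())))
    # 66 = -1 mod 67 lies in Z_67^* but not in G: it generates the order-2 subgroup,
    # so m * 66^r takes only two values and reveals m up to sign.
    assert not in_subgroup(p - 1, p, q)
    bad = masking_histogram(m, p - 1, p, q)
    print("non-generator: only %d distinct values: %s" % (len(bad), sorted(bad)))
```

subgroup_generator is also why "let g be a generator of G" is cheap in practice: any h with h^((p−1)/q) ≠ 1 works, and for a random h that fails only with probability 1/q.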


Instantiation 2 of G

The most popular alternative involves elliptic curve groups, where log_2 q = 256 and G can be represented by using ≈ log_2 q bits. Much more efficient than the previous case, though also much more complicated mathematics.

Fine print: the elliptic curve groups must be chosen carefully. For example, in some elliptic curve groups one can efficiently solve the DDH problem (see Lectures 2, 3). But such groups are useful otherwise (hint: bilinear pairings, introduced later).

Lecture 2: Assumptions. Discrete Logarithm, CDH

See also supplementary notes 1 (about elliptic curves) onthe course webpage.


Security Assumptions

In general: unknown how to construct unconditionally secure efficient protocols
- ∃ exceptions: one-time pad, (information-theoretic) multi-party computation, ...

The security of efficient protocols is thus usually based on some assumption
- XY assumption: given inputs X of size κ, outputting Y is f(κ)-difficult

It is not known how to prove such assumptions; that would require major advances in complexity theory
- Thus we just need to trust the underlying assumption


Security Assumptions

One can always construct a new protocol that is secure under a tautological assumption

Assumption: Protocol X is secure
Theorem: Protocol X is secure iff protocol X is secure
Proof: straightforward

However, that would mean that researchers have to spend years of effort trying to cryptanalyze the concrete protocol


Security Assumptions

More reasonable: amortize cryptanalytic costs, reuse assumptions

XY assumption (from year current − 10): given input Z, outputting Y is difficult
Theorem: If XY holds, then protocol Z is secure
Proof: by reduction. Assume Z is insecure. Then show that XY does not hold
Often complicated proofs, esp. when the assumption is very standard/weak, and the protocol is efficient...

There is a tradeoff between efficiency of protocols and standardness of assumptions

If XY is very well known: can trust the protocol is secure, but the protocol may be less efficient
If XY is less well known: trust in security may be not so well-founded, but can design more efficient protocols

Quest of protocol designer: find optimal balance


Protocols: Assumptions vs Efficiency

Common practice in cryptography:

Have a goal (we need e-voting!)
Design a protocol (propose an e-voting protocol)
Prove security based on a well-known assumption
If the assumption is not well-known:

prove it is related to some known assumption

Iterate: try to make it either more efficient or base it on a more standard assumption

The goals may be contradictory: often need a trade-off
“The weakest assumption, under which we can implement task X efficiently”

Weak assumption needed to gain trust in a protocol
We do not need to trust the protocol, but the assumption

Efficiency needed ... for the protocol to be deployed


Standard Assumptions

Discrete logarithm: it is difficult to invert exponentiation in certain groups

Related assumptions: CDH, DDH, different pairing-based assumptions, ...
DDH/some pairing-based assumptions: well-known and usually result in good protocols

Factoring: it is difficult to factor integers
Related assumptions: RSA, Strong-RSA, ...
Strong-RSA: (relatively) well-known and usually results in good protocols

The rest: lattice-based assumptions, ...

This lecture: DL, CDH


Abstracting G

In the following, we will abstract away the concrete group and assume that G is a multiplicative cyclic group of order q (with some hardness assumptions). See the supplementary notes for a short overview of elliptic curves.

This will be needed to understand simple group-based cryptography. Moreover, elliptic curves have pairings (bilinear maps) that are a powerful tool in designing efficient cryptographic protocols.


Reminder: group isomorphisms

Let (G1, +) and (G2, ·) be groups. Function f : G1 → G2 is a group isomorphism, if

f(g1 + g2) = f(g1) · f(g2)
f(0) = 1
f(−g) = f(g)^(−1)


Assumption: Sampleability

Efficient sampleability: it is easy to pick a random element from G

For cyclic groups, follows from isomorphism: sample a ← Z_q (easy) and compute b ← g^a

since a is a random element of Z_q, b is a random element of G


Discrete Logarithm Problem

Let G be a cyclic group of prime order q. Exponentiation: efficiently computable isomorphism f : Z_q → G. Given a generator g, a ↦ g^a =: f(a).

f is an isomorphism:

f(a) · f(b) = g^a g^b = g^(a+b) = f(a + b),
f(0) = g^0 = 1,
f(−a) = g^(−a) = 1/g^a = f(a)^(−1)


Discrete Logarithm Problem

Discrete Logarithm Assumption: f^(−1) is intractable to compute in group G. I.e., given (g, g^a), it is difficult to find a. Or: f : a ↦ g^a is easy to compute but difficult to invert (one-way function)

More precisely: computing a from g^a is inefficient, given a randomly chosen a

g ≠ 1 might be any fixed element of G


Reminder: Basic Complexity Theory

Security parameter: input size κ, say κ ≥ 80

poly(κ) = κ^O(1): polynomial in κ, there exists a polynomial f such that |poly(κ)| ≤ |f(κ)|

negl(κ) = κ^(−ω(1)): negligible in κ, for every polynomial f, |negl(κ)| < |f^(−1)(κ)|

Polynomial-time/“efficient” algorithm: works in time poly(κ)

Probabilistic algorithm: can use a random string

Non-uniform algorithm: there may be a separate algorithm for every input size; construction of the algorithm for a concrete input size can be inefficient, but the algorithm itself will be efficient


DL Assumption, More Formally

Definition
Let G be a cyclic group of prime order q, let κ := ⌈log2 q⌉. Fix a generator g ∈ G. Let

Adv^dl_G(A) := Pr[a ← Z_q : A(g, g^a) = a].

G is a (τ, ε)-DL group if for any non-uniform probabilistic adversary A that works in time ≤ τ, Adv^dl_G(A) ≤ ε.

G is a DL group if it is a (poly(κ), negl(κ))-DL group.

Exercise: show that this probability does not depend on g.


Difficulty of Discrete Logarithm, I

In any group of order n, discrete logarithm can be found in time O(√n) — Giant-Step-Baby-Step and Pohlig-Hellman algorithms. They should be taught in the “Mathematics for Cryptography” course

Discrete logarithm in a group of order n, n non-prime, is not essentially harder than in the subgroup of this group that has order p := smallest prime factor of n. (Also in the MfC course)

Since arithmetic in the last group is more efficient, one never uses non-prime order groups unless they offer some functionality that cannot be achieved by prime order groups


Difficulty of Discrete Logarithm, II

Let G be an order-q subgroup of Z_p^*. Then by using the index calculus algorithm, one can solve discrete logarithm in time O(e^√(2 ln p ln ln p)).

Since discrete logarithm in G can be solved in time O(√q), one usually chooses (in bits) log2 q ≥ 256 and log2 p ≥ 3248. Arithmetic in such groups is very slow:

By using the square-and-multiply algorithm, one exponentiation of a ∈ G by a random element r ∈ Z_q takes on average 1.5 · 256 = 384.0 multiplications of 3248-bit numbers.
Brauer's algorithm: ≈ 256 + log2 256 = 264.0 multiplications


Recent Advances in computing DL

There are a number of very recent advances in computing DL in finite fields

Finite fields are used in elliptic curve cryptography, see supplementary notes

Since the results are really recent, it is yet unknown what influence they will have

Will describe very briefly

Remedy: increase key sizes (in certain cryptographic protocols)

Efficiency of attacks depends on key size
In protocols we assume only that DL/some other problems are hard
Thus: increase in key size is the universal remedy

Remember: key size can change


Given a finite field F_q of order q = p^k, with specific relations between the size of p and k, one can compute DL in F_q faster than known previously [Barbulescu et al., 2013]: for well chosen k, can compute DL in time Θ((log q)^(log log q)) = Θ(κ^(log κ)).

Those fields not relevant (?) in cryptography

[Joux and Pierrot, 2013] (Sep 9, 2013): for k = 12, can somewhat speed up the index calculus attack

Pairing-based cryptosystems with certain curves
E.g.: the most efficient pairing-friendly curves, Barreto-Naehrig curves, use F_(p^12)


On Quantum Computers

Using quantum computers — if they are ever built —, discrete logarithm will be easy in an arbitrary group [Shor, 1994]. Moreover, factoring will be easy

Cf: “Quantum Cryptography” by Dominique Unruh

Thus, quantum-secure cryptosystems have to be based on different primitives, like lattices [Micciancio and Goldwasser, 2002]

We will mostly talk about “conventional” (not quantum-safe!) public-key crypto

Lattice-based crypto: 1 or 2 lectures


Diffie-Hellman Key Exchange Protocol I

Establish common secret key x
Alice (sk_a, pk_b)          Bob (sk_b, pk_a)

Alice and Bob have both secret keys sk_a and sk_b and public keys pk_a and pk_b
Only Alice knows sk_a, while everybody knows pk_a. Same for Bob
Alice and Bob generate a new common secret key x such that only Alice and Bob know it
x is later used to encrypt other messages
All messages are sent on authenticated channels

Alice's/Bob's messages are known to come from Alice/Bob


Diffie-Hellman Key Exchange Protocol II

Fix prime q, s.t. log2 q ≈ 2·κ, and cyclic group G of order q. Let g be a generator of G

2·κ to be secure against small-step-giant-step and Pohlig-Hellman attacks

Alice                                   Bob
sk_a ← Z_q, pk_a ← g^sk_a
                 ---- pk_a ---->
                                        sk_b ← Z_q, pk_b ← g^sk_b
                 <--- pk_b -----
x_a ← pk_b^sk_a                         x_b ← pk_a^sk_b

Clearly x_a = (g^sk_b)^sk_a = g^(sk_a·sk_b) = (g^sk_a)^sk_b = x_b. Thus, Alice and Bob have established a secret key


Security of DH Key Exchange

Goal of adversary (try 1): given (g, g^sk_a, g^sk_b) for random sk_a, sk_b ← Z_q, output x = g^(sk_a·sk_b)

This is not known to be hard under the DL assumption, and thus there is a separate assumption (CDH) for this problem

Computational Diffie-Hellman

In the 1970s, this looked like a tautological assumption: if DH key exchange is secure, then DH key exchange is secure

After 35+ years of cryptanalysis, cryptographers consider CDH to be very standard


CDH Assumption, Formally

Let G be a cyclic group of prime order q, let κ := ⌈log2 q⌉. Fix a generator g ∈ G. Let

Adv^cdh_G(A) := Pr[a, b ← Z_q : A(g, g^a, g^b) = g^ab]

Definition
G is a (τ, ε)-CDH group if for any non-uniform probabilistic adversary A that works in time ≤ τ, Adv^cdh_G(A) ≤ ε.
G is a CDH group if it is a (poly(κ), negl(κ))-CDH group.

As in the case of DL, this probability does not depend on g


Relation between DL and CDH

If CDH is hard, then clearly DL is hard (will prove)

There are some contrived groups where DL is hard but CDH is not

For cryptographically relevant groups, the only known way to break CDH is to break DL


If CDH is hard, then DL is hard

Theorem

Assume G is a (τ, ε)-CDH group. Then it is a (τ − small, ε)-DL group.

Intuition: if we can break DL, then we can recover the secret key of one party, which is sufficient to break the key exchange.

Main idea of the formal proof: A_cdh participates in the CDH “game” with the challenger. Since A_dl can break DL, A_cdh can use “help” from A_dl. Help consists in interacting with A_dl in a conversation that looks like the DL game to A_dl. Thus, A_dl will “break” DL inside that game with probability ε.


If CDH is hard, then DL is hard

Construction of Acdh:

A_cdh(g, g1, g2)
1 Send (g, g1) to A_dl;
2 Obtain a* ← A_dl; /* Secret key of one party */
3 if g1 ≠ g^a* then abort;
4 return g2^a*;


If CDH is hard, then DL is hard

Proof. Assume A_dl is an adversary that can break DL. We construct an adversary A_cdh (see the construction of A_cdh above) who can break CDH.

A_cdh gets as input (g, g1 = g^a, g2 = g^b), where (a, b) have been generated randomly. Her task is to output g^ab.

Analysis. Assume A_dl is successful with probability ε, i.e., with this probability A_cdh outputs g2^a*. Since then g1 = g^a*, a* = a, and g2^a* = g2^a = g^ab. Thus, A_cdh succeeds with probability ε, and works in time t_A_dl + small.

Note that A_cdh aborts with probability 1 − ε. We could also let A_cdh output garbage in this case.

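The DH key exchange and the reduction A_cdh above, as an added example that is not part of the lecture slides. It uses constructed toy parameters (p = 2039 = 2·1019 + 1, q = 1019, g = 2^2 mod p) so that the DL breaker A_dl, whose existence the reduction only assumes, can be realised by exhaustive search; the function names are mine.

```python
import secrets

# Constructed toy parameters (not from the slides): safe prime p = 2q + 1.
P = 2039                     # prime p
Q = 1019                     # prime q dividing p - 1
G = pow(2, (P - 1) // Q, P)  # g = 2^2 mod p generates the order-q subgroup
assert G != 1 and pow(G, Q, P) == 1


def sample_element():
    """Sampleability: a <- Z_q, b <- g^a gives a uniform element of G."""
    return pow(G, secrets.randbelow(Q), P)


def dh_key_exchange():
    """One run of the DHKE from the slides; returns (x_a, x_b)."""
    sk_a = secrets.randbelow(Q)
    pk_a = pow(G, sk_a, P)             # Alice sends pk_a
    sk_b = secrets.randbelow(Q)
    pk_b = pow(G, sk_b, P)             # Bob sends pk_b
    x_a = pow(pk_b, sk_a, P)           # Alice: pk_b^sk_a = g^(sk_a*sk_b)
    x_b = pow(pk_a, sk_b, P)           # Bob:   pk_a^sk_b = g^(sk_a*sk_b)
    return x_a, x_b


def a_dl(g, g1):
    """Toy DL adversary A_dl: exhaustive search over Z_q.  Feasible only
    because q = 1019; in the reduction A_dl is a black box assumed to exist."""
    for a in range(Q):
        if pow(g, a, P) == g1:
            return a
    raise ValueError("g1 is not in <g>")


def a_cdh(g, g1, g2, dl_adversary=a_dl):
    """A_cdh(g, g1, g2) as on the slide:
    1 send (g, g1) to A_dl;  2 obtain a*;
    3 abort (return None) if g1 != g^a*;  4 return g2^a*."""
    a_star = dl_adversary(g, g1)
    if pow(g, a_star, P) != g1:
        return None
    return pow(g2, a_star, P)


def cdh_challenge():
    """CDH challenger: a, b <- Z_q; returns ((g, g^a, g^b), g^ab)."""
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    return (G, pow(G, a, P), pow(G, b, P)), pow(G, a * b, P)


def reduction_success_rate(trials=20):
    """Fraction of CDH challenges A_cdh answers correctly.  With a perfect
    A_dl this is 1, matching 'A_cdh succeeds with probability eps'."""
    wins = 0
    for _ in range(trials):
        (g, g1, g2), answer = cdh_challenge()
        wins += a_cdh(g, g1, g2) == answer
    return wins / trials


def a_dl_useless(g, g1):
    """An A_dl that always answers 0: A_cdh detects the failure in step 3."""
    return 0


if __name__ == "__main__":
    x_a, x_b = dh_key_exchange()
    print("DHKE agrees:", x_a == x_b)
    print("A_cdh success rate with brute-force A_dl:", reduction_success_rate())
    print("A_cdh with failing A_dl aborts:",
          a_cdh(G, pow(G, 5, P), pow(G, 7, P), a_dl_useless) is None)
```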


Study Outcomes

The security of cryptographic protocols is reduced to more basic assumptions

Security of Diffie-Hellman key exchange (intuitive)

Discrete logarithm: basic algebraic assumption
More reasonable: CDH

(For efficiency reasons)

There is a tradeoff between strength of assumptions and efficiency

There can be a sudden advance in solving some of the basic assumptions. However, then it usually just suffices to take a longer key in the final protocol


Lecture 3: DDH. Elgamal

See [Elgamal, 1985] for the original paper on the Elgamal cryptosystem.


Security of DHKE, Try 1

Goal of adversary (try 1): given (g, g^sk_a, g^sk_b) for random sk_a, sk_b ← Z_q, output x ← g^(sk_a·sk_b)

Not sufficient in practice!
Application: x is used to encrypt further messages
It is bad if even one bit of x leaks

Goal: adversary should not get to know anything about x
What does it mean?
not anything: x should look to her completely random


Security of DHKE, Try 2

Goal of adversary (try 2): the adversary should not be able to distinguish (g, g^sk_a, g^sk_b, g^(sk_a·sk_b)) for random sk_a, sk_b ← Z_q, from (g, g^sk_a, g^sk_b, g^z), where z is completely random

Idea: even if we see the key, we have no way to decide whether it is correct or not

DHKE not known to be hard under the CDH assumption

Alternative KE protocols secure under CDH are much slower

... thus a separate assumption for this problem
Decisional Diffie-Hellman
Tautological assumption for DHKE


DDH Assumption, Formally

DDH Game

// Challenger does:
1 β ← {0, 1};
2 (a, b, c) ← Z_q^3;
3 if β = 0 then g4 ← g^ab;
4 else g4 ← g^c;
5 g⃗ ← (g, g^a, g^b, g4);
6 β′ ← A(g⃗);
7 if β′ = β then return 1;
8 else return 0;


DDH Assumption, Formally

Let G be cyclic of prime order q, κ := ⌈log2 q⌉. Fix a generator g ∈ G.

Adv^ddh_G(A) := |2 Pr[DDH game with A returns 1] − 1|.

G is a (τ, ε)-DDH group if for any non-uniform probabilistic adversary A that works in time ≤ τ, Adv^ddh_G(A) ≤ ε.

G is a DDH group ⇔ (poly(κ), negl(κ))-DDH group.



Notes

Question: why |2 Pr[guesses correctly] − 1|?

If A just outputs a random bit β′, she guesses correctly with probability 1/2
Advantage: |2 · 1/2 − 1| = 0

If she guesses always correctly:
Advantage: |2 − 1| = 1

If she guesses always wrongly:
Advantage: |0 − 1| = 1
Then we can build another adversary that reverses the output of A and thus guesses always correctly
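The DDH game and the three kinds of adversary discussed above, as an added example that is not from the slides. The toy parameters p = 2039, q = 1019 are constructed so that a perfect distinguisher can be built by brute-forcing a from g^a; the advantage |2 Pr[game returns 1] − 1| is estimated by repeated play, so the printed values are approximate.

```python
import secrets

# Constructed toy parameters (not from the slides): p = 2q + 1, q prime.
P, Q = 2039, 1019
G = pow(2, (P - 1) // Q, P)   # generator of the order-q subgroup of Z_p^*


def ddh_game(adversary):
    """The DDH game from the slide; returns 1 iff the adversary's bit is right."""
    beta = secrets.randbelow(2)                           # 1: beta <- {0,1}
    a, b, c = (secrets.randbelow(Q) for _ in range(3))    # 2: (a,b,c) <- Z_q^3
    g4 = pow(G, a * b, P) if beta == 0 else pow(G, c, P)  # 3-4: g^ab or g^c
    g_vec = (G, pow(G, a, P), pow(G, b, P), g4)           # 5: the challenge
    beta_prime = adversary(g_vec)                         # 6: A's guess
    return 1 if beta_prime == beta else 0                 # 7-8


def advantage(adversary, trials=400):
    """Empirical Adv^ddh_G(A) = |2 Pr[game returns 1] - 1|."""
    wins = sum(ddh_game(adversary) for _ in range(trials))
    return abs(2 * wins / trials - 1)


def random_guess(g_vec):
    """Ignores the challenge: Pr[correct] = 1/2, advantage ~ 0."""
    return secrets.randbelow(2)


def dlog_distinguisher(g_vec):
    """Perfect distinguisher, only possible because q is tiny: recover a
    from g^a by exhaustive search and test whether g4 == (g^b)^a."""
    g, ga, gb, g4 = g_vec
    a = next(x for x in range(Q) if pow(g, x, P) == ga)
    return 0 if pow(gb, a, P) == g4 else 1


def always_wrong(g_vec):
    """Inverts the perfect distinguisher: Pr[correct] ~ 0, advantage still ~ 1."""
    return 1 - dlog_distinguisher(g_vec)


def reversed_output(adversary):
    """The slide's remedy: reverse A's output, turning always-wrong into always-right."""
    return lambda g_vec: 1 - adversary(g_vec)


if __name__ == "__main__":
    for name, adv in [("random guess", random_guess),
                      ("dlog distinguisher", dlog_distinguisher),
                      ("always wrong", always_wrong),
                      ("always wrong, reversed", reversed_output(always_wrong))]:
        print(f"{name:24s} advantage ~ {advantage(adv):.3f}")
```

The perfect distinguisher is wrong only when the random g^c happens to equal g^ab (probability 1/q), so its estimated advantage is 1 − 2/q rather than exactly 1.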


If DDH is Hard, then CDH is Hard

Straightforward exercise (do it at home)
Idea is clear: if you are able to compute the common key with high probability, you can be sure that it's not random

But try to formalize!


Usefulness of DDH

Trust: DDH is well known (and trusted)
Related to the security of the first public-key protocol, DHKE [Diffie and Hellman, 1976]
Most groups that are believed to be CDH groups are also believed to be DDH groups
Gap groups: believed-to-be CDH groups, DDH weak [Menezes et al., 1993]
Gap groups are widely used in pairing-based crypto

Efficiency/usability:
DH key exchange is secure under DDH
Many known efficient primitives and protocols are secure under DDH

Large fraction of this course: we introduce efficient DDH-based PKCs/protocols


Further Modularization

(Diagram with three layers of boxes: Assumption, Assumption; Primitive, Primitive; Protocol.)


Public-Key Cryptosystem

Definition

PKC is a triple of efficient algorithms Π = (G, E, D), s.t.

κ is the security parameter (e.g., key length)
(sk, pk) ← G(1^κ) is the key generation algorithm
E_pk(m; r) = c is the randomized encryption algorithm
D_sk(c) = m is the decryption algorithm

Correctness: D_sk(E_pk(m; r)) = m for all m, r and (sk, pk) ∈ G(1^κ)

Security goal: confidentiality

Recall: 1^κ = 1...1 (κ times)


Need for Homomorphism

To construct efficient protocols, it would be nice to be able to apply some algebraic operations on plaintexts, without decryption. E.g.:

given E_pk(m1) and E_pk(m2), construct E_pk(m1 + m2)

We will see abundant examples why this is useful
The simplest way:

assume encryption “agrees” with algebraic operations

E.g.: E_pk(m1) · E_pk(m2) = E_pk(m1 · m2)


Multiplicatively Homomorphic PKC

A PKC is multiplicatively homomorphic if:

1 The plaintext set (M, ·) is a multiplicative group, the randomizer set (R, ∘) is a group, and the ciphertext set (C, ·) is a multiplicative group. All three sets depend on κ and may depend on (sk, pk).

2 E_pk(m1; r1) · E_pk(m2; r2) = E_pk(m1 · m2; r1 ∘ r2). Thus, D_sk(E_pk(m1; r1) · E_pk(m2; r2)) = m1 · m2 for every m1, m2, r1, r2.

3 Discrete logarithm problem is hard in group M

Note: we will see in future lectures what happens if (3) does not hold


MH Encryption: Basic Properties

D_sk(E_pk(m1; r1) · E_pk(m2; r2)) = m1 · m2

Computation of the encryption of m1 · m2 does not need knowledge of m1 or m2

For m ∈ M and α ∈ Z_|M|, D_sk(E_pk(m; r)^α) = D_sk(E_pk(m; r) · ... · E_pk(m; r)) = m^α

by definition of exponentiation

Given x and E_pk(g^(f_i)) for i ∈ {0, ..., t}:

E_pk(g^f(x)) = ∏_{i=0}^{t} E_pk(g^(f_i))^(x^i),

where f(X) := Σ_{i=0}^{t} f_i X^i

We write E_pk(m) when the precise value of r is not important


Reminder: One-Time Pad

One-time pad is a symmetric cryptosystem such that:

The key is as long as the plaintext, completely random, and only used once

Encryption: E_K(m) = K ⊕ m

Decryption: D_K(c) = K ⊕ c = K ⊕ (K ⊕ m) = m

One can replace ⊕ with an arbitrary group operation:

Encryption: E_K(m) = K · m
Decryption: D_K(c) = K^(−1) · c = K^(−1) · (K · m) = m

Clearly homomorphic:

(K1 · m1) · (K2 · m2) = (K1 · K2) · (m1 · m2)


Elgamal Encryption: Idea

Intuition:
DHKE's shared key = new OTP key
OTP key has to be new: the sender uses a new sk every time
Encrypt as in OTP
Elgamal ciphertext = ciphertext of OTP + new public key for DHKE

Cor. (from DHKE): Elgamal is secure if DDH holds

Cor. (from OTP): Elgamal is a homomorphic public-key cryptosystem


Elgamal Encryption

Assume a cyclic group G = 〈g〉 of prime order q.

G(1^κ): let sk ← Z_q and pk ← h = g^sk.

Encryption of m ∈ G: generate random r ← Z_q, E_pk(m; r) ← (m h^r, g^r)

Decryption of c = (c1, c2) ∈ G^2: D_sk(c1, c2) ← c1 / c2^sk.

Alice (g, pk = h, m)                    Bob (g, sk)
r ← Z_q
(c1, c2) = (m h^r, g^r)
                 ---- (c1, c2) ---->
                                        m ← c1 / c2^sk

Intuition: r = sk2, h = pk1, g^r = pk2, h^r = pk1^sk2 = pk2^sk1 = g^(r·sk)

Correctness:
D_sk(E_pk(m; r)) = D_sk(m h^r, g^r) = m · h^r / (g^r)^sk = m · (g^sk)^r / (g^sk)^r = m.


Elgamal Encryption is MH

Plaintext group: cyclic group G of order q, where DL is assumed to be hard.
Ciphertext group: G^2 with (g1, g1′) · (g2, g2′) := (g1 g2, g1′ g2′)

E_pk(m1; r1) · E_pk(m2; r2) = (m1 h^r1, g^r1) · (m2 h^r2, g^r2)
= (m1 m2 h^(r1+r2), g^(r1+r2))
= E_pk(m1 · m2; r1 + r2).

Also, if α ∈ Z_q is a known value, one can compute

E_pk(m; r)^α = (m^α h^(αr), g^(αr)) = E_pk(m^α; αr).

Exercise: if G is a group then G^2 is a group
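Elgamal over the order-q subgroup of Z_p^* with the homomorphic operations from this slide, together with the polynomial-in-the-exponent identity E_pk(g^f(x)) = ∏ E_pk(g^(f_i))^(x^i) from the MH properties slide, as an added example that is not from the lecture slides. The parameters p = 2039, q = 1019 are constructed toy values and the function names are mine.

```python
import secrets

# Constructed toy parameters (not from the slides): p = 2q + 1 with q prime.
P, Q = 2039, 1019
G = pow(2, (P - 1) // Q, P)   # generator g of the order-q subgroup G = <g>


def keygen():
    """G(1^k): sk <- Z_q, pk = h = g^sk."""
    sk = secrets.randbelow(Q)
    return sk, pow(G, sk, P)


def encrypt(pk, m, r=None):
    """E_pk(m; r) = (m h^r, g^r) with r <- Z_q unless a value is supplied.
    m must be an element of the subgroup G (a power of g)."""
    if r is None:
        r = secrets.randbelow(Q)
    return (m * pow(pk, r, P) % P, pow(G, r, P))


def decrypt(sk, c):
    """D_sk(c1, c2) = c1 / c2^sk (division via the modular inverse)."""
    c1, c2 = c
    return c1 * pow(pow(c2, sk, P), -1, P) % P


def ct_mul(c, d):
    """Group operation on G^2: (g1, g1') . (g2, g2') = (g1 g2, g1' g2').
    Yields E_pk(m1 m2; r1 + r2) from E_pk(m1; r1) and E_pk(m2; r2)."""
    return (c[0] * d[0] % P, c[1] * d[1] % P)


def ct_pow(c, alpha):
    """E_pk(m; r)^alpha = (m^alpha h^(alpha r), g^(alpha r)) = E_pk(m^alpha; alpha r)."""
    return (pow(c[0], alpha, P), pow(c[1], alpha, P))


def poly_in_exponent(coeff_cts, x):
    """Given ciphertexts E_pk(g^f_i), i = 0..t, and a public x, compute
    E_pk(g^f(x)) = prod_i E_pk(g^f_i)^(x^i) without knowing sk or the f_i."""
    acc = (1, 1)                 # identity of G^2, i.e. E_pk(1; 0)
    for i, ct in enumerate(coeff_cts):
        acc = ct_mul(acc, ct_pow(ct, pow(x, i, Q)))   # exponents live in Z_q
    return acc


def check_poly_in_exponent(sk, pk, coeffs, x):
    """Returns (decrypted result, g^f(x)); the two must be equal."""
    cts = [encrypt(pk, pow(G, f_i, P)) for f_i in coeffs]
    f_x = sum(f_i * pow(x, i, Q) for i, f_i in enumerate(coeffs)) % Q
    return decrypt(sk, poly_in_exponent(cts, x)), pow(G, f_x, P)


if __name__ == "__main__":
    sk, pk = keygen()
    m1, m2 = pow(G, 5, P), pow(G, 9, P)          # plaintexts must lie in G
    print(decrypt(sk, ct_mul(encrypt(pk, m1), encrypt(pk, m2))) == m1 * m2 % P)
    print(decrypt(sk, ct_pow(encrypt(pk, m1), 7)) == pow(m1, 7, P))
    print(check_poly_in_exponent(sk, pk, [3, 1, 4], 5))
```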


IND-CPA Security: Informally

It does not suffice when it is difficult to recover the secret key or the plaintext. In practically all applications, the adversary should not obtain any information about the plaintext — even if she has a lot of preknowledge about it

Recall: same discussion as in the case of DHKE

For example: adversary knows plaintext is yes/no. Has to guess which one is true.

Security notion: (IND-)CPA: indistinguishability under chosen plaintext attacks


CPA Security

Definition

Let $\delta(A) := \Pr[\text{CPA game with } A \text{ returns } 1]$.

Let $\mathrm{Adv}^{cpa}_\Pi(A) := |2\delta(A) - 1|$.

$\Pi$ is $(\tau, \varepsilon)$-CPA secure if no time-$\le \tau$ $A$ has $\mathrm{Adv}^{cpa}_\Pi(A) > \varepsilon$.

CPA game

// Challenger does:

1. $(sk, pk) \leftarrow \mathcal{G}(1^\kappa)$;
2. $(m_0, m_1) \leftarrow A(pk)$;
3. $\beta \leftarrow \{0, 1\}$;
4. $r \leftarrow R$;
5. $c \leftarrow E_{pk}(m_\beta; r)$;
6. $\beta' \leftarrow A(pk, c)$;
7. if $\beta' = \beta$ then return 1;
8. else return 0;


Notes on Definition

IND-CPA security is defined only if $r$ is uniformly random.

Thus: if a protocol uses an IND-CPA secure cryptosystem, we must guarantee that transferred ciphertexts use uniformly random $r$.

Fixing $g$ as a system parameter (permanent) or having it as a part of the public key (temporary) does not matter for security.


Elgamal Is IND-CPA Secure

Theorem

Assume that $G$ is a $(\tau, \varepsilon)$-DDH group. Then Elgamal in $G$ is $(\tau - \mathrm{small}, 2\varepsilon)$-IND-CPA secure.


Proof Intuition

For the proof, we note that:

If $(g_1, g_2, g_3, g_4) = (g, g^a, g^b, g^{ab})$ then $(g_4, g_3) = (1 \cdot g^{ab}, g^b)$ is an encryption of $1$ under public key $pk = g_2 = g^a$.

OTOH, if $(g_1, g_2, g_3, g_4) = (g, g^a, g^b, g^c)$ for random $c$, then $(g_4, g_3) = (g^c, g^b) = (g^{c - ab} g^{ab}, g^b)$ is an encryption of the random plaintext $g^{c - ab}$ under public key $pk = g_2 = g^a$.

Intuition: breaking DDH is tautologically as hard as distinguishing Elgamal encryptions of any fixed plaintext from Elgamal encryptions of a random plaintext.


Elgamal Is IND-CPA Secure: Proof I

Assume that $A$ can break IND-CPA security with probability $2\varepsilon$. Construct the following DDH distinguisher $D$ that breaks DDH with probability $\varepsilon$. (This shows that if DDH is hard, then Elgamal in $G$ is IND-CPA secure.)

Intuition behind $2\varepsilon$:

We get a slight security loss (the reduction is imprecise) since inside the proof we are, with probability $1/2$, dealing with a situation where $A$ has no advantage over a random coin toss.

In practice this means that in Elgamal one might want to use a slightly larger key.


Elgamal Is IND-CPA Secure: Proof II

Main idea of the proof:

$D$ participates in the DDH "game" with the challenger.

Since $A$ can break IND-CPA of Elgamal, $D$ can use "help" from $A$.

The help consists in interacting with $A$ in a conversation that looks like the IND-CPA game to $A$.

Thus, $A$ will "break" IND-CPA of Elgamal inside that game with probability $\varepsilon$.

Very typical cryptographic proof.


Elgamal Is IND-CPA Secure: Proof III

Parties: Challenger, $D$, $A$.

Challenger: $\beta_{ddh} \leftarrow \{0, 1\}$, $g_1 \leftarrow G$, $(a, b, c) \leftarrow \mathbb{Z}_q^3$, $g_2 \leftarrow g_1^a$, $g_3 \leftarrow g_1^b$, $g_4 \leftarrow (\beta_{ddh} = 0)\ ?\ g_1^{ab} : g_1^c$.

Challenger $\to D$: $(g_1, g_2, g_3, g_4)$.

$D \leftrightarrow A$: Message 1, ..., Message $s$ (the simulated IND-CPA game).

$D \to$ Challenger: $\beta'_{ddh}$.

Challenger: $\beta'_{ddh} \stackrel{?}{=} \beta_{ddh}$.


Elgamal Is IND-CPA Secure: Proof IV

Parties: $A$ and $D(g_1, g_2, g_3, g_4)$.

$D$: $g \leftarrow g_1$, $pk \leftarrow g_2$; sends $(g, pk)$ to $A$.

$A$: $(m_0, m_1) \leftarrow A(g, pk)$; sends $(m_0, m_1)$ to $D$.

$D$: $\beta_{cpa} \leftarrow \{0, 1\}$, $(c_1, c_2) \leftarrow (m_{\beta_{cpa}} \cdot g_4, g_3)$; sends $(c_1, c_2)$ to $A$.

$A$: $\beta'_{cpa} \leftarrow A(g, pk, (c_1, c_2))$; sends $\beta'_{cpa}$ to $D$.

$D$: $\beta'_{ddh} \leftarrow (\beta'_{cpa} = \beta_{cpa})\ ?\ 0 : 1$.


Elgamal is IND-CPA Secure: Proof V

$\beta_{ddh} = 0$:
$(g_1, g_2; g_4, g_3) = (g, pk; E_{pk}(1; R))$, so $(m_{\beta_{cpa}} \cdot g_4, g_3) = E_{pk}(m_{\beta_{cpa}}; R)$.
$(c_1, c_2)$ corresponds to what $A$ expects as an input in the IND-CPA game, so $A$ has advantage $\mathrm{Adv}^{cpa}_\Pi(A) = |2 \Pr[\beta'_{cpa} = \beta_{cpa}] - 1|$.

$\beta_{ddh} = 1$:
$(g_1, g_2; g_4, g_3) = (g, pk; E_{pk}(\mathcal{M}; R))$, so $(m_{\beta_{cpa}} \cdot g_4, g_3) = E_{pk}(\mathcal{M}; R)$.
$(c_1, c_2)$ does not depend at all on $m_0$ / $m_1$, so $A$ has advantage $|2 \cdot \frac{1}{2} - 1| = 0$.

In what follows, $E_{pk}(\mathcal{M}; \cdot)$ means $E_{pk}(m; \cdot)$ for a uniformly random $m \leftarrow \mathcal{M}$.


Elgamal is IND-CPA Secure: Proof VI

$$\begin{aligned}
\Pr[\beta'_{ddh} = \beta_{ddh}] &= \Pr[\beta'_{ddh} = \beta_{ddh} \mid \beta_{ddh} = 0] \cdot \underbrace{\Pr[\beta_{ddh} = 0]}_{1/2} + \underbrace{\Pr[\beta'_{ddh} = \beta_{ddh} \mid \beta_{ddh} = 1]}_{1/2} \cdot \underbrace{\Pr[\beta_{ddh} = 1]}_{1/2} \\
&= \Pr[\beta'_{ddh} = \beta_{ddh} \mid \beta_{ddh} = 0] \cdot \frac{1}{2} + \frac{1}{4} .
\end{aligned}$$

Basic probability theory: $\Pr[A] = \Pr[A \mid B] \Pr[B] + \Pr[A \mid \neg B] \Pr[\neg B]$.


Elgamal is IND-CPA Secure: Proof VII

Trivially
$$\Pr[\beta'_{ddh} = \beta_{ddh} \mid \beta_{ddh} = 0] = \Pr[\beta'_{ddh} = 0 \mid \beta_{ddh} = 0] = \Pr[\beta'_{cpa} = \beta_{cpa} \mid \text{IND-CPA game}] =: \varepsilon' .$$

Since $2\varepsilon = \mathrm{Adv}^{cpa}_\Pi(A) = |2\varepsilon' - 1|$, we have
$$\varepsilon' = \begin{cases} \frac{1}{2} + \varepsilon , & \varepsilon' \ge \frac{1}{2} \\ \frac{1}{2} - \varepsilon , & \varepsilon' < \frac{1}{2} \end{cases}$$
and
$$\Pr[\beta_{ddh} = \beta'_{ddh}] = \begin{cases} (\frac{1}{2} + \varepsilon)/2 + \frac{1}{4} = \frac{1}{2} + \frac{\varepsilon}{2} , & \varepsilon' \ge \frac{1}{2} \\ (\frac{1}{2} - \varepsilon)/2 + \frac{1}{4} = \frac{1}{2} - \frac{\varepsilon}{2} , & \varepsilon' < \frac{1}{2} \end{cases}$$

Thus $\mathrm{Adv}^{ddh}_G(D) = |2 \Pr[\beta_{ddh} = \beta'_{ddh}] - 1| = \varepsilon$. QED


Learning Outcomes

DDH security, and understanding why this notion "makes sense"

Modular design of protocols

PKC, homomorphism and its necessity

Elgamal and how it is related to DHKE and OTP

CPA-security

Examples of simple security proofs


Lecture 4: Lifted Elgamal. MH Protocols


Blinding Property

From homomorphism: $E_{pk}(m; r_1) \cdot E_{pk}(1; r_2) = E_{pk}(m; r_1 + r_2)$.

Interpretation: if $r_2$ is uniformly random, then $r_1 + r_2$ is uniformly random.

Corollary: for any $m$ and $r_1$, $E_{pk}(m; r_1 + r_2)$ is a random encryption of $m$, independently of whether $r_1$ is random or not. Useful for getting privacy in protocols.

Example: assume $c = E_{pk}(m; r)$. Then the randomness in $c^b = E_{pk}(m^b; br)$ is related to $r$, and one could try to use $(r, br)$ to recover $b$.


Example Protocol: Asymmetric Veto

Alice $(G, g; a)$ and Bob $(G, g; b)$:

Alice: $(sk, pk) \leftarrow \mathcal{G}(1^\kappa)$, $r_a \leftarrow R$; sends $(pk, c \leftarrow E_{pk}(g^a; r_a))$.

Bob: $r_b \leftarrow \mathbb{Z}_q$, $c' \leftarrow c^b \cdot E_{pk}(1; r_b) = E_{pk}(g^{ab}; b r_a + r_b)$; sends $c'$.

Alice: $m \leftarrow \log_g(D_{sk}(c')) = \log_g(g^{ab}) = ab$.

Correctness: Alice learns $f(a, b) := a \wedge b$, Bob learns nothing. Computing the DL of $g^{ab}$ is easy if $a, b \in \{0, 1\}$.

Privacy: in the semihonest model, Alice learns nothing except $a \wedge b$, if Elgamal is "secure".

We will formally define privacy and prove it in the next lecture.


Remarks

$ab$ leaks something on $b$: if Alice's input is $1$, she'll get to know $b$. But this is the desired functionality. If not desired: implement a different functionality.

The protocol just implements the desired functionality. Functionality (goal): what do we need? Cryptography (tool): design a protocol for the functionality.

a | b | a ∧ b
0 | 0 | 0
0 | 1 | 0
1 | 0 | 0
1 | 1 | 1

We encrypt $g^a$, not $a$: $g^a \in \{g^0, g^1\} = \{1, g\}$.

Semihonest model: Alice creates her message as required but just tries to be nosy.


Lifted MH Encryption

Elgamal is additively homomorphic in the exponents (an alternative interpretation).

Lifted MH encryption: like MH, but the plaintext space is $\mathbb{Z}_q$:
$E^\uparrow_{pk}(x; r) := E_{pk}(g^x; r)$,
$D^\uparrow_{sk}(c) := \log_g D_{sk}(c)$.

Lifted Elgamal: Elgamal in "another domain". Commutative diagram: $\mathbb{Z}_q \xrightarrow{\exp} G \xrightarrow{E_{pk}} G^2$, with $E^\uparrow_{pk}$ the composite map $\mathbb{Z}_q \to G^2$.

Using lifted Elgamal allows us to simplify notation; we also just denote it by $E$.

Next lecture: truly AH cryptosystems, where decryption does not require computing a DL.

The commutative diagram is for illustrative purposes. (It ignores the randomness.)


Lifted Elgamal: Definition

Let $G$ be a cyclic multiplicative group of prime order $q$ with generator $g \in G$.

Key generation $\mathcal{G}$: $sk \leftarrow \mathbb{Z}_q$, $pk \leftarrow h \leftarrow g^{sk}$.

Encryption $E$: $r \leftarrow \mathbb{Z}_q$, $(c_1, c_2) = E_{pk}(m; r) \leftarrow (g^m h^r, g^r)$.

Decryption $D$: $D_{sk}(c_1, c_2) = \log_g(c_1 / c_2^{sk})$.

Alice $(g, h, m)$ and Bob $(g, sk)$:
Alice: $r \leftarrow \mathbb{Z}_q$; sends $(c_1, c_2) = (g^m h^r, g^r)$.
Bob: $m \leftarrow \log_g(c_1 / c_2^{sk})$.

Correctness: $D_{sk}(E_{pk}(m; r)) = \log_g(g^m h^r / (g^r)^{sk}) = \log_g g^m = m$.


Lifted Elgamal: Properties

Additive homomorphism: $E_{pk}(m_1; r_1) \cdot E_{pk}(m_2; r_2) = (g^{m_1 + m_2} h^{r_1 + r_2}, g^{r_1 + r_2}) = E_{pk}(m_1 + m_2; r_1 + r_2)$.

The IND-CPA proof works.

Decryption is efficient only if the plaintext space is small. Say, $|\mathcal{M}| < 2^{40}$.

Thus, not a truly AH cryptosystem.

In the following we use lifted Elgamal explicitly.


2-Message Homomorphic Protocols

$a, b$: anything (e.g., a complex number).

$m_i = m_i(a) \in \mathbb{Z}_q$ depend on $a$.

Reply: computes a linear function of the plaintexts (since we have a homomorphic PKC).

Answer: usually just several decryptions.

Alice $(a)$ and Bob $(b)$:

Alice, $\mathrm{Query}(1^\kappa, a)$: $(sk, pk) \leftarrow \mathcal{G}(1^\kappa)$; for $i \in \{1, \dots, t\}$: $r_i \leftarrow R$, $c_i \leftarrow E_{pk}(m_i; r_i)$; sends $(pk; c_1, \dots, c_t)$.

Bob: $\mathbf{r} \leftarrow \mathrm{Reply}(1^\kappa, b, pk, c_1, \dots, c_t)$; sends $\mathbf{r}$.

Alice: $a \leftarrow \mathrm{Answer}(1^\kappa, a, sk, \mathbf{r})$.

Bob's actions are restricted "linearly". The output has to be small (we need a DL).


Example Protocol: Scalar Product I

Alice's input: $\vec{a} = (a_1, \dots, a_t) \in \mathbb{Z}_q^t$.
Bob's input: $\vec{b} = (b_1, \dots, b_t) \in \mathbb{Z}_q^t$.
Alice's output: $\langle \vec{a}, \vec{b} \rangle = \sum_{i=1}^t a_i b_i \bmod q \in \mathbb{Z}_q$.

Idea of protocol: Bob computes the linear function $(a_1, \dots, a_t) \mapsto \sum b_i a_i$.
More precisely: $(E_{pk}(a_1), \dots, E_{pk}(a_t); \vec{b}) \mapsto E_{pk}(\sum b_i a_i)$.

Decrypting is possible if:
if $a_i, b_i$ are Boolean: $\sum a_i b_i \le t$;
if $0 \le a_i, b_i < 2^d$: $\sum a_i b_i \le t \cdot 2^{2d}$.

E.g.: $d = 8$, $t = 64$: $\sum a_i b_i \le 64 \cdot 2^{16} = 2^{24}$, and the DL takes time $\approx 2^{12}$.


Example Protocol: Scalar Product II

Alice $(a_1, \dots, a_t)$ and Bob $(b_1, \dots, b_t)$:

Alice: $(sk, pk) \leftarrow \mathcal{G}(1^\kappa)$, $(r_1, \dots, r_t) \leftarrow R^t$, $c_i \leftarrow E_{pk}(a_i; r_i)$; sends $(pk, (c_1, \dots, c_t))$.

Bob: $r \leftarrow R$, $c \leftarrow \prod_{i=1}^t c_i^{b_i} \cdot E_{pk}(0; r)$; sends $c$.

Alice: $m \leftarrow D_{sk}(c)$.

Correctness:
$$c = \prod_{i=1}^t c_i^{b_i} \cdot E_{pk}(0; r) = \prod_{i=1}^t E_{pk}(a_i; r_i)^{b_i} \cdot E_{pk}(0; r) = E_{pk}\Big(\sum_{i=1}^t a_i b_i ;\ \cdots + r\Big) .$$

Note: $\mathrm{Answer}(\dots) = D_{sk}(c)$ computes a DL.


Example Protocol: Hamming Distance I

Define $w_h(\vec{a}, \vec{b}) := |\{ i \in \{1, \dots, t\} : a_i \ne b_i \}|$.

Alice's input: $\vec{a} := (a_1, \dots, a_t) \in \mathbb{Z}_2^t$.
Bob's input: $\vec{b} := (b_1, \dots, b_t) \in \mathbb{Z}_2^t$.
Alice's output: $w_h(\vec{a}, \vec{b})$.

Does not look algebraic, but:
$$w_h(\vec{a}, \vec{b}) := \sum_{i=1}^t (a_i \oplus b_i) = \sum_{i=1}^t (b_i + (1 - 2b_i) a_i) ,$$
since
$$b_i + (1 - 2b_i) a_i = \begin{cases} 0 + (1 - 0) a_i = a_i = a_i \oplus 0 , & b_i = 0 , \\ 1 + (1 - 2) a_i = 1 - a_i = a_i \oplus 1 , & b_i = 1 . \end{cases}$$

Linear function! $w_h(\vec{a}, \vec{b}) \le t$, so the DL can be computed efficiently if $t$ is small.


Example Protocol: Hamming Distance II

Alice $(a_1, \dots, a_t)$ and Bob $(b_1, \dots, b_t)$:

Alice: $(sk, pk) \leftarrow \mathcal{G}(1^\kappa)$, $(r_1, \dots, r_t) \leftarrow R^t$, $c_i \leftarrow E_{pk}(a_i; r_i)$; sends $(pk, (c_1, \dots, c_t))$.

Bob: $r \leftarrow R$, $c \leftarrow E_{pk}(\sum_{i=1}^t b_i; r) \cdot \prod_{i=1}^t c_i^{1 - 2b_i}$; sends $c$.

Alice: $m \leftarrow D_{sk}(c)$.

Correctness: $c = E_{pk}(\sum_{i=1}^t (b_i + (1 - 2b_i) a_i); \cdots + r) = E_{pk}(w_h(\vec{a}, \vec{b}); \cdots + r)$.


Example Protocol: (2, 1)-CPIR

Computationally-Private Information Retrieval:

Bob's input: $(f_0, f_1) \in \mathbb{Z}_q^2$.
Alice's input: $x \in \{0, 1\}$.
Alice's output: $f(x) := f_x \in \mathbb{Z}_q$.

Extremely important protocol with many applications.

Does not look algebraic, but: idea of protocol: Bob computes the linear function $x(f_1 - f_0) + f_0 = f_x$.
More precisely, $(E_{pk}(x); (f_0, f_1)) \mapsto E_{pk}(x(f_1 - f_0) + f_0) = E_{pk}(f_x)$.

Decrypting is easy if $f_x$ is small.


Example Protocol: (2, 1)-CPIR

Alice $(G, g; x)$ and Bob $(G, g; (f_0, f_1))$:

Alice: $(sk, pk) \leftarrow \mathcal{G}(1^\kappa)$, $r_a \leftarrow R$; sends $(pk, c \leftarrow E_{pk}(x; r_a))$.

Bob: $r_b \leftarrow \mathbb{Z}_q$, $c' \leftarrow c^{f_1 - f_0} \cdot E_{pk}(f_0; r_b)$; sends $c'$.

Alice: $m \leftarrow D_{sk}(c')$.

Correctness:
$c^{f_1 - f_0} \cdot E_{pk}(f_0; r_b) = E_{pk}(x(f_1 - f_0) + f_0; \cdots + r_b)$.
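The (lifted) Elgamal scheme of the earlier slides ("Elgamal Encryption", "Elgamal Encryption is MH", "Blinding Property", "Lifted Elgamal: Definition" and "Properties") together with the three 2-message protocols just described (scalar product, Hamming distance, (2, 1)-CPIR) as one runnable Python example. This is added example code, not code from the lecture. It assumes a toy safe-prime group p = 10007, q = 5003, g = 4 chosen here (far too small for real use), a brute-force discrete log for lifted decryption, and the function names keygen, encrypt, decrypt_group, dlog, decrypt, hom_add, hom_scale, blind, scalar_product, hamming_distance and cpir, all of which are this example's own. Bob's reply in cpir is also the ciphertext that B builds in the 2MHP reduction later in this lecture.

```python
import secrets

# Toy group, constructed for this example (NOT a secure size): P is a safe
# prime, Q = (P - 1) / 2 is prime, and G = 4 generates the order-Q subgroup
# of quadratic residues modulo P.
P = 10007
Q = 5003
G = 4

def keygen():
    """Key generation G(1^k): sk <- Z_q, pk = h = g^sk."""
    sk = secrets.randbelow(Q)
    return sk, pow(G, sk, P)

def encrypt(pk, m, r=None):
    """Lifted Elgamal E_pk(m; r) = (g^m * h^r, g^r) for m in Z_q; plain
    (multiplicative) Elgamal is the same pair with a group element in place of g^m."""
    if r is None:
        r = secrets.randbelow(Q)      # IND-CPA needs fresh uniform r per ciphertext
    return (pow(G, m % Q, P) * pow(pk, r, P) % P, pow(G, r, P))

def decrypt_group(sk, c):
    """Multiplicative Elgamal decryption D_sk(c1, c2) = c1 / c2^sk, i.e. g^m here."""
    c1, c2 = c
    return c1 * pow(pow(c2, sk, P), -1, P) % P

def dlog(target, bound):
    """Brute-force log_g(target) over [0, bound): only viable for a small b ound."""
    acc = 1
    for m in range(bound):
        if acc == target:
            return m
        acc = acc * G % P
    raise ValueError("plaintext outside [0, bound)")

def decrypt(sk, c, bound=Q):
    """Lifted decryption D^up_sk(c) = log_g D_sk(c): the final step is a DL."""
    return dlog(decrypt_group(sk, c), bound)

def hom_add(c, d):
    """E(m1; r1) * E(m2; r2) = E(m1 + m2; r1 + r2): componentwise product in G^2."""
    return (c[0] * d[0] % P, c[1] * d[1] % P)

def hom_scale(c, alpha):
    """E(m; r)^alpha = E(alpha*m; alpha*r). alpha is reduced mod q, so a negative
    coefficient such as 1 - 2*b_i becomes an inverse in the order-q subgroup."""
    a = alpha % Q
    return (pow(c[0], a, P), pow(c[1], a, P))

def blind(pk, c):
    """Blinding: c * E(0; r2) is a fresh random encryption of the same plaintext."""
    return hom_add(c, encrypt(pk, 0))

def scalar_product(a_vec, b_vec):
    """Alice (a) learns <a, b> mod q; Bob (b) only sees encryptions of the a_i."""
    sk, pk = keygen()                                  # Alice: Query
    cs = [encrypt(pk, a) for a in a_vec]
    c = encrypt(pk, 0)                                 # Bob: Reply = prod c_i^b_i * E(0; r)
    for ci, bi in zip(cs, b_vec):
        c = hom_add(c, hom_scale(ci, bi))
    return decrypt(sk, c)                              # Alice: Answer, one DL

def hamming_distance(a_bits, b_bits):
    """w_h(a, b) = sum_i (b_i + (1 - 2 b_i) a_i), evaluated on Alice's ciphertexts."""
    sk, pk = keygen()
    cs = [encrypt(pk, a) for a in a_bits]
    c = encrypt(pk, sum(b_bits))                       # Bob: E(sum b_i; r) ...
    for ci, bi in zip(cs, b_bits):
        c = hom_add(c, hom_scale(ci, 1 - 2 * bi))      # ... times prod c_i^(1 - 2 b_i)
    return decrypt(sk, c)

def cpir(x, f0, f1):
    """(2,1)-CPIR: Alice (x) learns f_x; Bob computes c^(f1 - f0) * E(f0; r_b).
    The same reply is what B sends to A in the 2MHP reduction (Proof III)."""
    sk, pk = keygen()
    c = encrypt(pk, x)                                 # Alice: E(x; r_a)
    reply = hom_add(hom_scale(c, f1 - f0), encrypt(pk, f0))
    return decrypt(sk, reply)

if __name__ == "__main__":
    sk, pk = keygen()
    assert decrypt(sk, blind(pk, encrypt(pk, 7))) == 7
    print(scalar_product([1, 2, 3], [4, 5, 6]))          # 32
    print(hamming_distance([1, 0, 1, 1], [0, 0, 1, 0]))  # 2
    print(cpir(0, 17, 42), cpir(1, 17, 42))              # 17 42
```

Every reply Bob sends ends with a fresh E(0; r) (or E(f_0; r_b) in CPIR), which is the blinding property at work: the randomness of Alice's query ciphertexts never reaches her back unmasked, so the reply reveals nothing beyond the intended output.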


Remarks

Task of the protocol designer: come up with a good rewording of the task.

Bob's task must be linear; outputs must be small.

The protocol should be secure. Now: security in the semihonest model. Parties are nosy but follow the protocol.

Alice's security: should follow from the PKC's security. Bob's security: the protocol designer must take care of this.

In all example protocols, Alice only receives a random encryption $c = E_{pk}(a)$ of the intended output $a$; $c$ does not give more information than $a$.


2-Message Protocols: CPA-Security

Alice $(a)$ and Bob $(b)$:

Alice: $(\mathbf{q}, \mathrm{state}) \leftarrow \mathrm{Query}(1^\kappa, a)$; sends $\mathbf{q}$.

Bob: $\mathbf{r} \leftarrow \mathrm{Reply}(1^\kappa, b, \mathbf{q})$; sends $\mathbf{r}$.

Alice: $a = \mathrm{Answer}(1^\kappa, a, \mathrm{state}, \mathbf{r})$.

A 2-message protocol is IND-CPA secure if Bob cannot distinguish between $\mathrm{Query}(1^\kappa, a_0)$ and $\mathrm{Query}(1^\kappa, a_1)$.

Similar to IND-CPA of a PKC.


IND-CPA Security of 2-Message Protocols

Assume $\Gamma = (\mathrm{Query}, \mathrm{Reply}, \mathrm{Answer})$. Let $A$ be an efficient adversary.

IND-CPA game for protocols

1. $(a_0, a_1) \leftarrow A(1^\kappa)$;
2. $\beta \leftarrow \{0, 1\}$;
3. $\mathbf{q} \leftarrow \mathrm{Query}(a_\beta)$;
4. $\beta' \leftarrow A(\mathbf{q})$;
5. return $(\beta' = \beta)\ ?\ 1 : 0$;

$\mathrm{Adv}^{cpa}_\Gamma(A) := |2 \cdot \Pr[\text{IND-CPA game returns } 1] - 1|$.

$\Gamma$ is $(\tau, \varepsilon)$-IND-CPA secure if no time-$\le \tau$ $A$ has $\mathrm{Adv}^{cpa}_\Gamma(A) > \varepsilon$.


Theorem: 2MHP are IND-CPA Secure

Theorem

Let $\Pi = (\mathcal{G}, E, D)$ be a PKC. Assume $\Gamma = (\mathrm{Query}, \mathrm{Reply}, \mathrm{Answer})$ is such that during the first round Alice sends to Bob only a new public key of $\Pi$ and $t$ ciphertexts encrypted under this public key. If $\Pi$ is IND-CPA secure, then $\Gamma$ is IND-CPA secure.

Assume $A$ can break $\Gamma$ in time $\tau$ with probability $\varepsilon$. Construct an adversary $B$ that breaks $\Pi$ with the same probability and time $\tau + t \cdot (\tau_{exp} + \tau_E) + \mathrm{small}$ as follows. ($\tau_{exp}$ / $\tau_E$ is the time for one exponentiation / one encryption.)


Proof: 2MHP are IND-CPA Secure I

Parties: Challenger, $B$, $A$.

Challenger: $(sk, pk) \leftarrow \mathcal{G}(1^\kappa)$; sends $pk$ to $B$.

$B \to$ Challenger: $(0, 1)$ (the two challenge plaintexts).

Challenger: $\beta_\Pi \leftarrow \{0, 1\}$, $r \leftarrow R$, $c \leftarrow E_{pk}(\beta_\Pi; r)$; sends $c$ to $B$.

$B \leftrightarrow A$: Message 1, ..., Message $s$ (the IND-CPA game of $\Gamma$).

$B \to$ Challenger: $\beta'_\Pi$.

Challenger: $[\beta'_\Pi \stackrel{?}{=} \beta_\Pi]$.


Proof: 2MHP are IND-CPA Secure II

$B$ has $c = E_{pk}(\beta_\Pi)$ and needs to guess $\beta_\Pi$.

Bob gets inputs $a_0$ and $a_1$ from $A$. To use $A$'s help, $B$ must send $\mathrm{Query}(1^\kappa, a_{\beta_\Pi})$ to $A$ without knowing $\beta_\Pi$.

Recall: $\mathrm{Query}(1^\kappa, a_i) = (pk, \vec{m}_i) := (pk; m_{i1}, \dots, m_{it})$. E.g.: $m_{ij}$ is the $j$th coefficient of the vector $\vec{a}_i$. Thus: $\mathrm{Query}(1^\kappa, a_{\beta_\Pi}) = (pk; m_{\beta_\Pi, 1}, \dots, m_{\beta_\Pi, t})$.

Without privacy: $B$ computes $(\beta_\Pi, (m_{0i}, m_{1i})) \mapsto m_{\beta_\Pi, i}$ for $i \in \{1, \dots, t\}$. Linear function: $m_{\beta_\Pi, i} = (m_{1i} - m_{0i}) \beta_\Pi + m_{0i}$.

With privacy: $B$ computes $(E_{pk}(\beta_\Pi), (m_{0i}, m_{1i})) \mapsto E_{pk}(m_{\beta_\Pi, i})$ for $i \in \{1, \dots, t\}$. This is exactly our protocol for (2, 1)-CPIR! $B$ = Bob in CPIR, $A$ = Alice in CPIR.


Proof: 2MHP are IND-CPA Secure III

Parties: $B(pk; c = E_{pk}(\beta_\Pi))$ and $A(a_0, a_1)$.

$A \to B$: $(a_0, a_1)$.

$B$: for $j \in \{1, \dots, t\}$: compute $m_{0j}, m_{1j}$ as in the protocol; $c_j \leftarrow c^{m_{1j} - m_{0j}} \cdot E_{pk}(m_{0j}; R)$. Sends $(pk; c_1, \dots, c_t)$ to $A$.

$A$: $\beta'_\Gamma \leftarrow A(pk; c_1, \dots, c_t)$; sends $\beta'_\Gamma$ to $B$.

$B$: $\beta'_\Pi \leftarrow \beta'_\Gamma$.


Proof: 2MHP are IND-CPA Secure IV

By the previous discussion, $B$'s input to $\Gamma$ is equal to his honest input corresponding to $a_{\beta_\Pi}$, even if he does not know $\beta_\Pi$.

Since $A$'s input is what $A$ expects, by assumption $A$ is successful with probability $\varepsilon$. Thus
$$\Pr[\beta'_\Pi = \beta_\Pi] = \Pr[\beta'_\Gamma = \beta_\Gamma] ,$$
and thus both algorithms have the same advantage.

$B$'s time is dominated by the execution of $A$, $t$ ciphertext exponentiations, and $t$ encryptions. QED


Conclusions

All 2MH protocols are IND-CPA secure given that the PKC is IND-CPA secure.
Corollary: all Elgamal-based 2MH protocols are IND-CPA secure, if DDH is secure.
No need for individual proofs: just cite this metatheorem.
E.g.: if the PKC is IND-CPA secure, then the Hamming distance protocol is IND-CPA secure.

No significant security loss in $\varepsilon$ or $\tau$.
Surprising: we intuitively expect that since the attacker of $\Gamma$ sees more than 1 ciphertext, he gains more advantage than when seeing just one.

The reduction relies on the homomorphic properties of the PKC.


Learning Outcomes

Elgamal: additively homomorphic cryptosystem (in exponents)

Intuition: which two-message protocols one can build given a MH PKC; some example protocols

CPIR: important protocol

IND-CPA for securities

Formalizing simple security proofs

Somewhat more difficult proofs


Lecture 5. E-Voting. AH. Paillier

One classical paper on e-voting: [Cramer et al., 1997]. Paillier's original paper: [Paillier, 1999].


Other Kind of Hom Protocols

We saw two-message two-party protocols: Alice → Bob → Alice.

Often, either the number of messages or the number of participants is significantly higher. Example: e-voting.

Every voter votes for some candidate. Voting servers collect the ballots... and output the tally. Privacy and correctness. Need > 1 voting server.

Clearly more than 2 parties. Also a different message flow. But the main idea is similar...


Different Hom Protocol: E-Voting

Parties: voters $v_1, \dots, v_V$, Vote collector $(pk)$, Tallier $(sk)$, Output.

Voter $v_i$ $(pk, c_i)$, for $i \in \{1, \dots, V\}$: $C_i \leftarrow E_{pk}(c_i; R)$; sends $C_i$ to the vote collector.

Vote collector: $C \leftarrow E_{pk}(0; R) \cdot \prod_{i=1}^V C_i$; sends $C$ to the tallier.

Tallier: $w \leftarrow (D_{sk}(C) > \frac{V}{2})\ ?\ 1 : 0$; outputs $w$.

Two-candidate election, candidates: $0$ and $1$.
Voter $v_i$, $i \in \{1, \dots, V\}$, votes for $c_i$.
VC/Tallier are two servers; only the tallier knows $sk$.
$D_{sk}(C) = \sum c_i = \#\{ i : c_i = 1 \}$.
CPA-security straightforward.
Note: semihonest model! See [Cramer et al., 1997].


E-Voting: Efficiency

Efficient if the number of voters is small.
Recall: the DL of a number from $\{0, \dots, 2^n - 1\}$ can be found in time $2^{n/2} = \sqrt{2^n}$ (baby-step giant-step, Pohlig-Hellman algorithms).

Viable, say, for $n \le 50$. World population: $< 2^{33}$.

Next: what if $> 2$ candidates?
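The baby-step giant-step algorithm named above, as an added Python example (not from the lecture): it finds $\log_g h$ in a range of size $2^n$ with about $2 \cdot 2^{n/2}$ group multiplications, which is exactly why lifted-Elgamal tallying stays viable only while the tally fits in a small range. The group $p = 10007$, $g = 4$ and the function name bsgs are this example's own choices.

```python
from math import isqrt


def bsgs(g, h, p, bound):
    """Baby-step giant-step: return x in [0, bound) with g^x = h (mod p) using
    about 2*sqrt(bound) multiplications instead of brute force's bound.
    For the e-voting tally, h is the Elgamal-decrypted group element g^t and
    bound = 2^n covers at most 2^n - 1 voters, so the cost is about 2^(n/2)."""
    m = isqrt(bound) + 1              # m^2 > bound, so x = i*m + j covers the range
    baby = {}
    acc = 1
    for j in range(m):                # baby steps: remember g^j -> j
        baby.setdefault(acc, j)
        acc = acc * g % p
    giant = pow(pow(g, m, p), -1, p)  # g^(-m)  (Python 3.8+ modular inverse)
    cur = h % p
    for i in range(m):                # giant steps: h * g^(-i*m) lands on some g^j
        if cur in baby:
            x = i * m + baby[cur]
            if x < bound:
                return x
        cur = cur * giant % p
    raise ValueError("no discrete log below bound")


if __name__ == "__main__":
    p, g = 10007, 4                   # toy group constructed for this example
    print(bsgs(g, pow(g, 1234, p), p, 5003))   # 1234
```

The table holds $m \approx \sqrt{\text{bound}}$ entries, so memory grows with the same $2^{n/2}$ factor as time; the slide's $n \le 50$ bound is about both.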


Multiple Candidate E-Voting

Parties: voters $v_1, \dots, v_V$, Vote collector $(pk)$, Tallier $(sk)$, Output.

Voter $v_i$ $(pk, c_i)$, for $i \in \{1, \dots, V\}$: $C_i \leftarrow E_{pk}((V + 1)^{c_i}; R)$; sends $C_i$ to the vote collector.

Vote collector: $C \leftarrow E_{pk}(0; R) \cdot \prod_{i=1}^V C_i$; sends $C$ to the tallier.

Tallier: $t \leftarrow D_{sk}(C)$; outputs $t$.

Multiple-candidate election, candidates: $0, 1, \dots, \gamma - 1$.
Voter $v_i$, $i \in \{1, \dots, V\}$, votes for $c_i$.
VC/Tallier are two servers; only the tallier knows $sk$.
$D_{sk}(C) = \sum (V + 1)^{c_i} = \sum_{j=0}^{\gamma - 1} (V + 1)^j \cdot \#\{ i : c_i = j \}$.
CPA-security straightforward.
Note: semihonest model! See [Cramer et al., 1997, Damgard and Jurik, 2001].


Multiple-Candidate E-Voting: Example

Example

$c_1 = 0$, $c_2 = 2$, $c_3 = 1$, $c_4 = 1$, $c_5 = 2$. $V = 5$, thus the basis is $V + 1 = 6$. For example, $v_2$ encrypts $6^2$. Thus
$$D_{sk}(C) = 6^0 + 6^2 + 6^1 + 6^1 + 6^2 = 2 \cdot 6^2 + 2 \cdot 6^1 + 6^0 = 221_6 ,$$
from which we see that candidates $1$ and $2$ got $2$ votes each, and candidate $0$ got $1$ vote.

Basis $V + 1$ is chosen to avoid overflows: if all voters vote for $i$, then the sum is $V (V + 1)^i < (V + 1)^{i+1}$.
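The base-$(V+1)$ ballot encoding and tally decoding of the two preceding slides as an added Python example (not the lecture's own code). It works on the plaintext sum that the tallier obtains from $D_{sk}(C)$, so no encryption is involved; encode_ballot, decode_tally, tally and majority are this example's names. Going slightly beyond the slide, the base is a parameter so that the misattribution caused by a base smaller than $V+1$ can be seen directly.

```python
def encode_ballot(candidate, num_voters, base=None):
    """Plaintext voter i encrypts when voting for candidate c_i: (V + 1)^{c_i}."""
    base = base or num_voters + 1
    return base ** candidate


def decode_tally(total, num_voters, num_candidates, base=None):
    """Read the decrypted sum D_sk(C) in base V + 1; digit j = votes for candidate j."""
    base = base or num_voters + 1
    counts = []
    for _ in range(num_candidates):
        total, digit = divmod(total, base)
        counts.append(digit)
    if total != 0:
        raise ValueError("sum does not fit into num_candidates digits")
    return counts


def tally(votes, num_candidates, base=None):
    """What the tallier sees: the plain sum of the ballots (the homomorphic product
    of the ciphertexts decrypts to exactly this) and its per-candidate decoding."""
    V = len(votes)
    total = sum(encode_ballot(c, V, base) for c in votes)
    return total, decode_tally(total, V, num_candidates, base)


def majority(votes):
    """Two-candidate election: w = (D_sk(C) > V/2) ? 1 : 0, where D_sk(C) = sum c_i."""
    return 1 if 2 * sum(votes) > len(votes) else 0


if __name__ == "__main__":
    print(tally([0, 2, 1, 1, 2], 3))      # (85, [1, 2, 2]): 85 is 221 in base 6
    print(tally([0] * 5, 3, base=5))      # base V instead of V + 1: (5, [0, 1, 0]), wrong
```

With base $V$ the five ballots for candidate 0 sum to exactly $V$, which decodes as one vote for candidate 1; base $V+1$ keeps every digit below its carry threshold, which is the overflow argument on the slide.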


Multi-Candidate Elections: Efficiency

Maximum value for the "sum": $\approx (V + 1)^\gamma$.

Assume $V = 2^{19} - 1$ ($\approx 500\,000$), $\gamma = 2^3 = 8$ (usual Estonian parliamentary election, voting for parties).

$(V + 1)^\gamma = 2^{19 \cdot 8} = 2^{152}$.

Computing the DL: intractable, $2^{76}$ steps!

In Estonia, we vote directly for a person, not for a party: 8 candidates.

Consider larger countries...


What Went Wrong?

At the end, one party had to compute DL

By assumption of MH PKC, DL is hard!

MH PKC is mostly useful when the final resultcomes from small set


Additively Homomorphic Cryptosystems

Lifted Elgamal: AH for a small plaintext set.
Real AH: AH with efficient decryption (formally: polynomial-time decryption); an AH PKC with a large plaintext group.

Solution 1: no need to compute a DL.
Recall: $E_{pk}(m_1; r_1) \cdot E_{pk}(m_2; r_2) = E_{pk}(m_1 + m_2; r_1 r_2)$. It is logical to have $g^m$ somewhere: $g^{m_1} \cdot g^{m_2} = g^{m_1 + m_2}$.
Without DL: $E_{pk}(m_1; r_1) + E_{pk}(m_2; r_2) = E_{pk}(m_1 + m_2; r_1 r_2)$.

Solution 2: a group where the DL is easy. Requires some other problem to be hard... Not a trivial task, but doable!

Solution 3: non-algebraic solutions. E.g.: implement group operations based on bit operations.


AH: Options

Solution 1: without DL. Lattice-based cryptosystems: future lectures. Can do both multiplications and additions: FHE. But much more complicated...

Solution 2: computing the DL is easy. Trapdoor DL cryptosystems: this lecture.
Paillier [Paillier, 1999]: $\mathcal{M} = \mathbb{Z}_n$ with $n > 2^{3248}$.
Damgard-Jurik [Damgard and Jurik, 2001]: $\mathcal{M} = \mathbb{Z}_{n^s}$ with $n > 2^{3248}$ and integer $s \ge 1$.

Solution 3: non-algebraic solutions. Garbled circuits.

Unknown how to base AH encryption on DL/DDH: one needs much more complicated assumptions and much more complicated schemes.

Helger Lipmaa (University of Tartu) MTAT.07.014 Cryptographic Protocols MTAT.07.014 133 / 218

Page 134: Background: Factoring Assumption

Let $\ell = \ell(\kappa)$ be a bit length and $A = A_\ell$ a non-uniform adversary. Let $P_\ell$ be the set of all $\ell$-bit primes. Define

$$\mathrm{Adv}^{\mathrm{fact}}_\ell(A) := \Pr[(p, q) \leftarrow P_\ell^2,\ n \leftarrow p \cdot q : A(n) = (p, q)]$$

Factoring $2\ell$-bit RSA moduli is hard if for any non-uniform probabilistic adversary $A = A_\ell$ that works in time $\leq \tau$, $\mathrm{Adv}^{\mathrm{fact}}_\ell(A) \leq \varepsilon$.

Page 135: Background: Factoring Assumption

Fact: the best known factorization algorithm (GNFS) runs in time
$$e^{(\sqrt[3]{64/9} + o(1))(\log n)^{1/3}(\log \log n)^{2/3}},$$
where $n$ is the integer to be factored.

Page 136: Corollaries of Factoring Assumption

Lemma
If factoring is hard, then computing $\varphi(n)$ for a random RSA modulus $n$ is hard.

$\varphi(n) = \varphi(pq) = (p - 1)(q - 1) = pq - p - q + 1$
Given $n = pq$ and $\varphi(n)$, compute $s = n - \varphi(n) + 1 = p + q$
$n = pq = p(s - p) = sp - p^2$, thus $p^2 - sp + n = 0$: a quadratic equation
Recover $p \leftarrow (s \pm \sqrt{s^2 - 4n})/2$
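The recovery step above, as an added worked example that is not part of the lecture: it solves the quadratic with an exact integer square root and verifies the result, and it additionally shows that the Carmichael value $\lambda(n) = \mathrm{lcm}(p-1, q-1)$, which later slides use as Paillier's secret key, gives away the factorization just as $\varphi(n)$ does, because $\varphi(n) = \gcd(p-1, q-1) \cdot \lambda(n)$ is a small even multiple of $\lambda(n)$. The primes and function names are my own constructed choices, far below the sizes the lecture assumes.

```python
from math import gcd, isqrt

# Constructed toy RSA modulus (NOT a secure size; chosen only so the
# recovery arithmetic is visible).  Both factors are Mersenne primes.
P_TOY = 2**61 - 1
Q_TOY = 2**89 - 1
N_TOY = P_TOY * Q_TOY


def lcm(a, b):
    return a // gcd(a, b) * b


def factor_from_phi(n, phi):
    """Recover (p, q) with p <= q from n = pq and phi = (p-1)(q-1).

    s = n - phi + 1 = p + q, and p, q are the roots of X^2 - sX + n = 0.
    Returns None when the discriminant is negative or not a perfect
    square, i.e. when phi is not phi(n)."""
    s = n - phi + 1
    disc = s * s - 4 * n
    if disc < 0:
        return None
    root = isqrt(disc)                      # exact integer square root
    if root * root != disc or (s - root) % 2:
        return None
    p, q = (s - root) // 2, (s + root) // 2
    return (p, q) if p > 1 and p * q == n else None


def factor_from_lambda(n, lam, max_k=2**16):
    """Recover (p, q) from n and lam = lambda(n) = lcm(p-1, q-1).

    Since (p-1)(q-1) = gcd(p-1, q-1) * lcm(p-1, q-1), phi(n) = k * lam
    for a small even k; try k = 2, 4, 6, ... until the quadratic has
    integer roots.  Any value returned is a genuine factorisation because
    factor_from_phi checks p * q == n.  Consequence for Paillier: a leaked
    secret key (lambda, mu) is as good as the factorisation of n."""
    for k in range(2, max_k, 2):
        res = factor_from_phi(n, k * lam)
        if res is not None:
            return res
    return None
```

For the toy modulus $\gcd(p-1, q-1) = 2 \cdot (2^{\gcd(60,88)} - 1) = 30$, so the search succeeds at $k = 30$; for random large primes the gcd is typically tiny as well.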

Page 137: Corollaries of Factoring Assumption

A lot of other things are hard if factoring is hard. Usually: computations in the group $\mathbb{Z}_n^*$, where $n$ is an RSA modulus.

Related to factoring like DDH is related to DL: not known to be as hard, but still believed to be hard.

Page 138: Binomial Theorem and Trapdoor DL

Binomial theorem: $(a + b)^x = \sum_{i=0}^{x} \binom{x}{i} a^i b^{x-i}$

For example:
$$(n + 1)^x = \sum_{i=0}^{x} \binom{x}{i} n^i = 1 + xn + \binom{x}{2} n^2 + \text{higher powers of } n$$

Corollary: $(n + 1)^x \equiv xn + 1 \pmod{n^2}$
A certain DL is easy: remember solution 2!

If $y = (n + 1)^x \bmod n^2$ with $0 \leq x < n$, then $y = xn + 1$ as integers (since $xn + 1 < n^2$)
Thus $x = \log_{n+1} y = (y - 1)/n$
Denote $L(y) := (y - 1)/n$: integer, not modular, division
Thus: $L((n + 1)^x \bmod n^2) = x$ for every $0 \leq x < n$

Page 139: Background: Basic Number Theory

lcm(a, b): least common multiple
  $a \mid \mathrm{lcm}(a, b)$, $b \mid \mathrm{lcm}(a, b)$
  If $a \mid c$ and $b \mid c$, then $\mathrm{lcm}(a, b) \leq c$ (indeed $\mathrm{lcm}(a, b) \mid c$)

$a \cdot b = \gcd(a, b) \cdot \mathrm{lcm}(a, b)$
  Example: $a = 4$, $b = 6$: $\gcd(4, 6) = 2$, $\mathrm{lcm}(4, 6) = 12$, $4 \cdot 6 = 24 = 2 \cdot 12$

Page 140: Background: Carmichael Function

Define the Carmichael function $\lambda(n)$ as follows:
  $\lambda(p^k) = p^{k-1}(p - 1)$ if $p \geq 3$ or $k \leq 2$ ($= \varphi(p^k)$),
  $\lambda(2^k) = 2^{k-2}$ for $k \geq 3$, and
  $\lambda(p_1^{k_1} \cdots p_t^{k_t}) = \mathrm{lcm}(\lambda(p_1^{k_1}), \ldots, \lambda(p_t^{k_t}))$

Theorem (Carmichael Theorem)
For a positive integer $n$, $\lambda(n)$ is the smallest positive integer $m$ such that $a^m \equiv 1 \pmod n$ for every integer $a$ coprime to $n$.
Full proof is 6+ pages.

We could use $\varphi(n)$ instead of $\lambda(n)$, but $\lambda(n)$ is more efficient: it divides $\varphi(n)$, so the exponent is shorter.

Page 141: Paillier's Cryptosystem: Main Idea

Additive cryptosystem with a large plaintext space
Solution 2: DL is easy
Uses the described properties of binomial coefficients
$(1 + n)^m \equiv 1 + mn \pmod{n^2}$ is masked with randomness $r$
  Only the secret key holder can remove $r$
  Similar to Elgamal in this sense
Security is "related" to the hardness of factoring
Devil is in the details...

Page 142: Paillier's Cryptosystem: Key Generation

1. $p, q \leftarrow P_{\geq 1624}$ (random primes of at least 1624 bits);
2. $n \leftarrow p \cdot q$;
3. $\lambda \leftarrow \lambda(n) = \mathrm{lcm}(p - 1, q - 1)$;
4. $\mu \leftarrow \lambda^{-1} \bmod n$;  /* Efficient if $p, q$ are known */
5. $pk = n$;
6. $sk = (\lambda, \mu)$;
7. return $(sk, pk)$;  /* Knowledge of $p, q$ not needed any more */

Page 143: Paillier's Cryptosystem

Encryption of $m \in \mathbb{Z}_n$ with $pk = n$:
1. $r \leftarrow \mathbb{Z}_n^*$;
2. $c \leftarrow (mn + 1) r^n \bmod n^2$;
3. return $c$;

Note: $\mathbb{Z}_n^*$ has order $\varphi(n) = (p - 1)(q - 1)$; the order of any $r \in \mathbb{Z}_n^*$ divides $\lambda(n)$.

Decryption of $c \in \mathbb{Z}_{n^2}^*$ with $sk = (\lambda, \mu)$:
1. $m \leftarrow L(c^\lambda \bmod n^2) \cdot \mu \bmod n$;
2. return $m$;

Correctness (using $(mn + 1)^\lambda \equiv \lambda mn + 1 \pmod{n^2}$, from the binomial theorem):
$$D_{sk}(E_{pk}(m; r)) \equiv D_{sk}((mn + 1) r^n \bmod n^2) \equiv L((\lambda mn + 1) r^{\lambda n} \bmod n^2) \cdot \mu \pmod n$$

Page 144: Correctness of Paillier Decryption

Now,
$$\lambda(n^2) = \lambda(p^2 q^2) = \mathrm{lcm}(\lambda(p^2), \lambda(q^2)) = \mathrm{lcm}(p(p - 1), q(q - 1)) = pq \cdot \mathrm{lcm}(p - 1, q - 1) = \lambda n$$
(the last step uses $p \nmid q - 1$ and $q \nmid p - 1$, which holds for random large primes; in any case $\lambda(n^2) \mid \lambda n$, which is all the argument needs).

By the Carmichael theorem, $r^{\lambda n} \equiv r^{\lambda(n^2)} \equiv 1 \pmod{n^2}$, thus also $r^{\lambda n} \equiv 1 \pmod n$. Thus
$$D_{sk}(E_{pk}(m; r)) \equiv L(\lambda mn + 1) \cdot \mu \equiv \lambda m \cdot \lambda^{-1} \equiv m \pmod n.$$

Page 145: Paillier: Additive Homomorphism

Clearly,
$$E_{pk}(m_1; r_1) \cdot E_{pk}(m_2; r_2) \equiv (n + 1)^{m_1} r_1^n \cdot (n + 1)^{m_2} r_2^n \equiv (n + 1)^{m_1 + m_2} (r_1 r_2)^n \equiv E_{pk}(m_1 + m_2; r_1 \cdot r_2) \pmod{n^2}.$$

Thus the Paillier cryptosystem is additively homomorphic in $\mathcal{M} = \mathbb{Z}_n$.

Page 146: Security of Paillier

$x$ is an $n$-th residue modulo $n^2$ iff there exists $y$ such that $y^n \equiv x \pmod{n^2}$

Definition (Decisional Composite Residuosity Assumption)
Distinguish a random $n$-th residue from a random $n$-th non-residue modulo $n^2$.

Equivalent (with small error): distinguish a random $n$-th residue from a random element of $\mathcal{C} = \mathbb{Z}_{n^2}$.
Fact: if factoring is easy, then DCRA is easy. The opposite is not known.

Page 147: Security of Paillier

Theorem
Assume that DCRA is true. Then Paillier is IND-CPA secure.

Sketch.
Idea: a random encryption of 0 is a random $n$-th residue; a random encryption of a random element of $\mathcal{M}$ is a random element of $\mathcal{C}$. The proof goes along the same lines as the security proof of Elgamal.

Page 148: 2-Message AH Protocols

$a$: anything (e.g., a complex number)
$m_i \in \mathcal{M}$ are functions of $a$: $m_i = m_i(a)$
Except this sentence, this is a copy of a previous slide!

Alice (input $a$):
  // Query($1^\kappa$, $a$):
  $(sk, pk) \leftarrow G(1^\kappa)$; for $i \in \{1, \ldots, t\}$: $r_i \leftarrow \mathcal{R}$, $c_i \leftarrow E_{pk}(m_i; r_i)$
  Alice → Bob: $(pk; c_1, \ldots, c_t)$
Bob (input $b$):
  $\mathbf{r} \leftarrow \mathrm{Reply}(1^\kappa, b, pk, c_1, \ldots, c_t)$
  Bob → Alice: $\mathbf{r}$
Alice:
  $a \leftarrow \mathrm{Answer}(1^\kappa, a, sk, \mathbf{r})$

Page 149: Theorem: 2AHP are IND-CPA Secure

Theorem
Assume $\Gamma = (\mathrm{Query}, \mathrm{Reply}, \mathrm{Answer})$ is such that in the first message Alice only sends a fresh public key and a number of ciphertexts. If the additively homomorphic PKC $\Pi = (G, E, D)$ is IND-CPA secure, then $\Gamma$ is IND-CPA secure.

Proof.
Simple modification of the MH case.

Page 150: Efficiency

While the efficiency of cryptographic protocols is very important, we have not talked about it much (yet).
Several measures:
  Communication complexity
  Computational complexity (of Alice/Bob)
  Round complexity

Up to now all protocols have had 2 rounds:
  Alice → Bob → Alice
  Voter → vote collector → tallier
We will see later protocols with more rounds...

Page 151: HD: Communication Complexity

Alice (input $a_1, \ldots, a_t$):
  $(sk, pk) \leftarrow G(1^\kappa)$, $(r_1, \ldots, r_t) \leftarrow \mathcal{R}^t$, $c_i \leftarrow E_{pk}(a_i; r_i)$
  Alice → Bob: $(pk, (c_1, \ldots, c_t))$
Bob (input $b_1, \ldots, b_t$):
  $r \leftarrow \mathcal{R}$, $c \leftarrow E_{pk}(\sum_{i=1}^t b_i; r) \cdot \prod_{i=1}^t c_i^{1 - 2b_i}$
  Bob → Alice: $c$
Alice:
  $m \leftarrow D_{sk}(c)$

Communication: 1 PK + $t + 1$ ciphertexts

                          Lifted Elgamal     Paillier
Group elements            2t + 3             t + 1.5
Length of 1 g.e. (bits)   256                6496
Comm. (bits)              512(t + 1.5)       6496(t + 1.5)

(Lifted Elgamal: two group elements per ciphertext plus the public key; Paillier: one element of $\mathbb{Z}_{n^2}$ per ciphertext, and the public key $n$ is half as long as a ciphertext.)
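Paillier key generation, encryption and decryption (pages 142 to 144), the additive homomorphism (page 145) and the Hamming-distance protocol above, as an added Python example that is not part of the lecture. The primes are constructed toy values (the lecture assumes primes of at least 1624 bits), `pow(x, -1, n)` is Python 3.8+ modular inversion, and the function names are my own.

```python
import secrets
from math import gcd

# Constructed toy primes (NOT a secure size); see page 142 for real sizes.
P_TOY = 2**61 - 1
Q_TOY = 2**89 - 1


def lcm(a, b):
    return a // gcd(a, b) * b


def L(y, n):
    """Paillier's L function: integer (not modular) division (y - 1) / n."""
    return (y - 1) // n


def paillier_keygen(p, q):
    """pk = n, sk = (lambda, mu) with lambda = lcm(p-1, q-1), mu = lambda^-1 mod n."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)
    return n, (lam, mu)


def paillier_encrypt(n, m, r=None):
    """c = (mn + 1) * r^n mod n^2 with r uniform in Z_n^* (m in Z_n)."""
    n2 = n * n
    if r is None:
        while True:
            r = secrets.randbelow(n)
            if r > 0 and gcd(r, n) == 1:
                break
    return (m * n + 1) * pow(r, n, n2) % n2


def paillier_decrypt(n, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    lam, mu = sk
    return L(pow(c, lam, n * n), n) * mu % n


def homomorphism_check(p, q, m1, m2):
    """Page 145: E(m1) * E(m2) mod n^2 decrypts to m1 + m2 mod n."""
    n, sk = paillier_keygen(p, q)
    c = paillier_encrypt(n, m1) * paillier_encrypt(n, m2) % (n * n)
    return paillier_decrypt(n, sk, c) == (m1 + m2) % n


def hd_query(n, a_bits):
    """Alice's first message: one encryption per bit a_i."""
    return [paillier_encrypt(n, a) for a in a_bits]


def hd_reply(n, cts, b_bits):
    """Bob: c = E(sum b_i) * prod c_i^(1 - 2 b_i).  The exponent is +1 or -1,
    so each factor is c_i itself or its inverse mod n^2 (no exponentiation),
    exactly the 'no exp' row of the cost table on page 155."""
    n2 = n * n
    c = paillier_encrypt(n, sum(b_bits))
    for ci, b in zip(cts, b_bits):
        c = c * (pow(ci, -1, n2) if b else ci) % n2
    return c


def hamming_distance_protocol(p, q, a_bits, b_bits):
    """Run both sides; Alice's output is sum_i (a_i + b_i - 2 a_i b_i) = sum_i (a_i XOR b_i)."""
    n, sk = paillier_keygen(p, q)
    cts = hd_query(n, a_bits)
    return paillier_decrypt(n, sk, hd_reply(n, cts, b_bits))
```

Alice's cost is $t$ encryptions and one decryption; Bob's is one encryption plus at most $t$ inversions and $t$ multiplications, which is why the tables on the following pages charge Bob no exponentiations for the $c_i^{1-2b_i}$ factors.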

Page 152: Elgamal vs Paillier: Computation

$n$: input length
Exp: $\Theta(n^{1 + \log_2 3}) = \Theta(n^{2.58496})$ bit ops
  1 mult $= \Theta(n^{1.58496})$ bit ops by using Karatsuba
  1 exp $\approx n$ mults by using Brauer
  For the sake of simplicity: assume exactly $n^{1 + \log_2 3}$

                   Elgamal                 Paillier
|group element|    256                     6496
Exp                ≈ 256 mults             ≈ 6496 mults
Mult               6561 bit ops (= 3^8)    1.10383 × 10^6 bit ops
DL?                yes                     no

Caveat: an $n$-bit elliptic-curve group operation is more costly than a multiplication in $\mathbb{Z}_{\approx 2^n}$
To really compare the cost of Elgamal and Paillier: need to implement

Page 153: HD: Alice's Computation

(HD protocol as on page 151.)

[Plot: Alice's computation in bit ops (up to $8 \times 10^{11}$) against $t$ from 10 to 60, for lifted Elgamal and Paillier.]

Alice's computation: $t$ encryptions, 1 decryption

                 Lifted Elgamal                         Paillier
In big ops       (3t + 1) exp + 1 DL                    t + 1 exp
In mults         256(3t + 1) + 2^{t/2}                  ≈ 6496(t + 1)
In bit ops       ≈ 6561(768t + 256 + 2^{t/2})           ≈ 7.17046 · 10^9 (1 + t)
Remark           DL time dominates for t > 28           No DL

Page 154: HD: Alice's Computation

[Plot 1: ratio of Paillier cost to lifted-Elgamal cost for Alice against $t$ from 10 to 60 (ratio between 1000 and 4000). Plot 2: the same ratio for $t$ from 55 to 70 (ratio between 0.2 and 1.0).]

Paillier/Elgamal: $\dfrac{7.17046 \cdot 10^9 (1 + t)}{6561(256 + 2^{t/2} + 768t)}$

Initially: the constant term of the denominator dominates
Middle: the linear term $768t$ dominates
End: the term $2^{t/2}$ (the DL) dominates, and the ratio drops below 1

Page 155: Efficiency of HD with Lifted Elgamal

(HD protocol as on page 151.)

[Plot: Paillier cost / Elgamal cost for Bob against $t$ from 0 to 60 (ratio between 1300 and 1400).]

                              Lifted Elgamal                       Paillier
E_pk(sum b_i; r) (exps)       3                                    1
c_i^{1 - 2 b_i}               either c_i or c_i^{-1} (no exp)      same
Everything but E              ≤ t inversions (≈ t mults), t mults  same
Total (mults)                 ≤ 2t + 3 log q = 2t + 768            ≤ 2t + log q = 2t + 6496
Total (bit ops)               13122(384 + t)                       2.20765 · 10^6 (3248 + t)

Graph: Paillier cost/Elgamal cost. Theoretical estimate.

Page 156: Computation: General

Alice:
  Assume Alice needs to decrypt $s$ times, with $n$-bit plaintexts
  Lifted Elgamal: $\approx 3t \log q + s(\log q + 2^{n/2})$ mults
  Paillier: $\approx t \log q + s \log q$ mults
  One Paillier mult costs far more than one lifted Elgamal mult (page 152)
  Inherent lower bound (for fixed $s$, $t$, $n$)
  Goal: design the protocol so that $t$, $s$ and $n$ minimize the total computation

Bob:
  Depends heavily on the protocol
  Goal: design a protocol that minimizes Bob's computation

Page 157: Elgamal or Paillier: Summary

If decrypted values are not too big (DL efficient): use (lifted) Elgamal
If decrypted values are of average size, it depends:
  Alice's ops are 10x faster but Bob's ops are 50x slower: what is more important?
  E.g.: homomorphic e-voting, Alice = voter, Bob = server
If decrypted values are large (DL intractable): use Paillier

Important: implement both, if unsure
Which choice is better in the general context? Security assumption, availability of libraries, ...

Page 158: Learning Outcomes

Homomorphic protocols with more than 2 parties
Simple e-voting
Inefficient decryption of (lifted) Elgamal is sometimes very bad
True additively homomorphic cryptography
Paillier: details
Efficiency: important issues
Elgamal or Paillier: when to use what?

Page 159: Lecture 6. AH with Recursion: Nontrivial CPIR

See:
  Kushilevitz-Ostrovsky square-root $(n, 1)$-CPIR [Kushilevitz and Ostrovsky, 1997],
  Damgård-Jurik cryptosystem [Damgård and Jurik, 2001],
  Lipmaa's $(2, 1)$-CPIR [Lipmaa, 2005],
  Log-squared $(n, 1)$-CPIR [Lipmaa, 2005, Lipmaa, 2009]

Page 160: Recap: 2-Message AH Protocols

$a$: anything (e.g., a complex number)
$a_i = f_i(a) \in \mathcal{M}$ are functions of $a$
Alice's privacy follows from the IND-CPA security of the PKC

Alice (input $a$):
  $(sk, pk) \leftarrow G(1^\kappa)$; for $i \in \{1, \ldots, t\}$: $c_i \leftarrow E_{pk}(a_i; r_i)$
  Alice → Bob: $(pk; c_1, \ldots, c_t)$
Bob (input $b$):
  $\mathbf{r} \leftarrow \mathrm{Reply}(1^\kappa, b, pk, c_1, \ldots, c_t)$
  Bob → Alice: $\mathbf{r}$
Alice:
  $a \leftarrow \mathrm{Answer}(1^\kappa, a, sk, pk, \mathbf{r})$

Page 161: Recap: What Can Be Done with 2MAH

Alice can encrypt arbitrary functions $m_i$ of $a$
  Multi-candidate elections: $(V + 1)^a$
  Hamming distance protocol: $\mathrm{bit}(a, i)$ for each $i$
Bob can compute affine functions of the encrypted values, for some functions $b_i, b'$ of $b$:
$$\prod_i E_{pk}(a_i)^{b_i} \cdot E_{pk}(b') = E_{pk}\Big(\sum_i b_i a_i + b'\Big)$$
Quite limited: most freedom is in choosing $a_i$, $b_i$, $b'$
We saw some simple examples. Can we do more?

Page 162: Composition/Recursion

Programming language:
  primitive operations (+) not so powerful
  compositions: much more powerful
Cryptographic protocols: same
In the case of AH:
  clever self-composition of + might already give interesting results
  sometimes similar to recursion
This lecture: AH + recursion: $\log^2 n$-communication $(n, 1)$-CPIR

Page 163: Recall: (n, 1)-CPIR

Computationally-Private Information Retrieval:
  Bob's input: a database $(f_0, \ldots, f_{n-1})$
  Alice's input: index $x \in \{0, \ldots, n - 1\}$
  Alice's output: $f_x$
  Bob's output: $\bot$ (no output)
Security: IND-CPA security to protect Alice

Page 164: Recall: (2, 1)-CPIR

Alice (input $x \in \{0, 1\}$):
  $(sk, pk) \leftarrow G(1^\kappa)$, $r \leftarrow \mathcal{R}$, $c \leftarrow E_{pk}(x; r)$
  Alice → Bob: $\mathbf{q} \leftarrow (pk, c)$
Bob (input $(f_0, f_1) \in \mathcal{M}^2$):
  $r' \leftarrow \mathcal{R}$, $c' \leftarrow c^{f_1 - f_0} \cdot E_{pk}(f_0; r')$
  Bob → Alice: $\mathbf{r} \leftarrow c'$
Alice:
  $a \leftarrow D_{sk}(c')$

Correctness: $c' = E_{pk}((1 - x) f_0 + x f_1; R)$. But $(1 - x) f_0 + x f_1 = f_x$ for $x \in \{0, 1\}$. Thus $D_{sk}(c') = f_x$.

Page 165: Kushilevitz-Ostrovsky (n, 1)-CPIR

Alice obtains 1 element out of $n$
Uses an AH cryptosystem
Total communication: $\Theta(\sqrt{n}\,\kappa)$

Basic idea:
  execute in parallel many CPIRs on smaller databases
  Alice is interested in only one small CPIR
  Thus: her message in the different CPIRs can be the same; she ignores the other CPIR outputs
Shows that $(n, 1)$-CPIR with $o(n)$ communication is possible

Page 166: KO (n, 1)-CPIR: Basic Idea

Data representation: $n$-element database = $\sqrt{n} \times \sqrt{n}$ matrix $(f_{ij})_{i,j=1}^{\sqrt{n}}$
Alice's output: $f_{xy}$, $x, y \in [\sqrt{n}] = \{1, \ldots, \sqrt{n}\}$
Parallelization and data reuse:
  Execute $\sqrt{n}$ linear-communication $(\sqrt{n}, 1)$-CPIRs in parallel on the $\sqrt{n}$ rows of the matrix
  Retrieve the element only from the $y$-th row
  Only one small CPIR is relevant: share Alice's first message between the $\sqrt{n}$ small CPIRs

Denote: $[P(x)] = 1$ if $P(x)$ is true, and $0$ if $P(x)$ is false
  E.g.: $[x = y]$ is $1$ if $x = y$, and $0$ if $x \neq y$

Page 167: KO (n, 1)-CPIR: Basic Idea

[Figure: Alice's query $\mathbf{q} \leftarrow (E_{pk}([i = 2]))_{i=1}^{5}$ is sent once; Bob answers $\mathbf{q}$ with each of the rows $(f_{1i})_i$, $(f_{2i})_i$, $(f_{3i})_i$, $(f_{4i})_i$, $(f_{5i})_i$; Alice decrypts only the answer for the row she is interested in.]

Page 168: Kushilevitz-Ostrovsky (n, 1)-CPIR

Alice (input $x, y \in [\sqrt{n}]$):
  $(sk, pk) \leftarrow G(1^\kappa)$; $\forall i \in [\sqrt{n}]$: $c_i \leftarrow E^s_{pk}([x = i]; R)$
  Alice → Bob: $\mathbf{q} \leftarrow (pk, c_1, \ldots, c_{\sqrt{n}})$
Bob (input $(f_{ij})_{i,j=1}^{\sqrt{n}}$, $f_{ij} \in \mathcal{M}$):
  $r' \leftarrow \mathcal{R}$; $\forall j \in [\sqrt{n}]$: $c'_j \leftarrow \prod_{i=1}^{\sqrt{n}} c_i^{f_{ij}} \cdot E^s_{pk}(0; R)$
  Bob → Alice: $\mathbf{r} \leftarrow (c'_1, \ldots, c'_{\sqrt{n}})$
Alice:
  $a \leftarrow D^s_{sk}(c'_y)$

Correctness: $c'_j = E^s_{pk}(\sum_i [x = i] f_{ij}; R) = E^s_{pk}(f_{xj}; R)$. Thus $c'_y = E^s_{pk}(f_{xy}; R)$.

Page 169: KO (n, 1)-CPIR: Efficiency

(Protocol as on page 168.)

Alice's computation: $\sqrt{n}$ encryptions, 1 decryption
Bob's computation: $n$ exponentiations, $\sqrt{n}$ encryptions
  First lecture: $\Theta(n)$ "lower bound"
Communication: PK + $2\sqrt{n}$ ciphertexts

Page 170: How to Improve Communication Further?

(Protocol as on page 168.)

Note: Alice only needs $c'_y$. The other elements $c'_j$ are redundant.
Idea:
  Do not transfer the redundant elements
  Use a $(\sqrt{n}, 1)$-CPIR to obtain $c'_y$ from Bob's database $(c'_1, \ldots, c'_{\sqrt{n}})$
  Communication: $\sqrt{n} + \sqrt{n} \;\to\; \sqrt{n} + n^{1/4} + n^{1/4}$
  Use an $(n^{1/4}, 1)$-CPIR to obtain only one of those elements, etc.
NB: devil is in the details. Difficult to optimize.

Page 171: How to Improve Communication Further?

[Figure: Alice's query $\mathbf{q} \leftarrow (E_{pk}([i = 3]))_{i=1}^{3}$ is sent once; Bob computes an answer to $\mathbf{q}$ for each of the nine rows $(f_{1i})_i, \ldots, (f_{9i})_i$; instead of receiving all nine answers, Alice performs another CPIR to get the one she wants.]

Page 172: Length-Flexible AH Cryptosystems

Additively homomorphic
Length-flexible:
  One can encrypt every $m \in \mathbb{Z}$ in a ciphertext of $\leq |m| + f(\kappa)$ bits, where $f$ is a "small" function
  [Damgård and Jurik, 2001]: $|c| < |m| + 2\kappa$
  Ciphertexts of short and long plaintexts have different lengths
Next: Damgård-Jurik and what one can do with it

Page 173: Damgård-Jurik

$G(1^\kappa)$:
  Generate two random large prime numbers $p$ and $q$
  Set $N = pq$
  $pk = N$, $sk = (p, q, \ldots)$
Encryption of $m \in \mathbb{Z}$ with $pk = N$:
  1. let $s$ be minimal such that $m < N^s$
  2. select random $r \leftarrow \mathbb{Z}_N^*$
  3. compute $c \leftarrow (N + 1)^m r^{N^s} \bmod N^{s+1}$
Decryption: can be done efficiently [Damgård and Jurik, 2001, Damgård et al., 2010]
Generalization of Paillier

Page 174: Damgård-Jurik: Optimal Rate

$m \in \mathbb{Z}_{N^s}$, $c \in \mathbb{Z}_{N^{s+1}}$
Thus: $|c|/|m| \approx (s + 1)/s = 1 + 1/s$ and $|c| < |m| + 2\log_2 N$

Optimal rate:
$$\frac{\text{the number of useful bits}}{\text{the number of transferred bits}} = \frac{|m|}{|c|} = 1 - o(1).$$

One of the very few known optimal-rate cryptosystems

Page 175: DJ: Homomorphism And Beyond

Let $\kappa := \lceil \log_2 N \rceil$  // key length

$\forall s \geq 1$: $E^s_{pk}$ encrypts a plaintext of $s \cdot \kappa$ bits to a ciphertext of $(s + 1)\kappa$ bits.
This ciphertext is a plaintext for parameter $s + 1$.

$E^s_{pk}(m_1) E^s_{pk}(m_2) = E^s_{pk}(m_1 + m_2)$, thus also
$$E^{s+1}_{pk}(m_1)^{E^s_{pk}(m_2)} = E^{s+1}_{pk}\big(m_1 \cdot E^s_{pk}(m_2)\big),$$
where $m_1$ and $E^s_{pk}(m_2)$ are $(s + 1)\kappa$ bits long ($m_2$ itself is $s\kappa$ bits) and the resulting ciphertext is $(s + 2)\kappa$ bits long.

Page 176: "Reusing" (2, 1)-CPIR

Alice (input $x \in \{0, 1\}$):
  $(sk, pk) \leftarrow G(1^\kappa)$, $r \leftarrow \mathcal{R}$, $c \leftarrow E^s_{pk}(x; r)$
  Alice → Bob: $\mathbf{q} \leftarrow (pk, c)$
Bob (input $(f_0, f_1) \in \mathcal{M}^2$):
  $r' \leftarrow \mathcal{R}$, $c' \leftarrow c^{f_1 - f_0} \cdot E^s_{pk}(f_0; r')$
  Bob → Alice: $\mathbf{r} \leftarrow c'$
Alice:
  $a \leftarrow D^s_{sk}(c')$

Alice sends $\mathbf{q} = (pk, E^s_{pk}(x))$ to Bob
Bob replies with $\mathbf{r}_{pk}(E^s_{pk}(x), \vec{f}) := E^s_{pk}(f_x)$

Master ideas:
  Reuse Alice's message to execute many small CPIRs
  Instead of sending $\mathbf{r}$ back to Alice, Bob uses it recursively in subsequent CPIR

Page 177: (4, 1)-CPIR: Non-Private version

$x = \sum_i 2^i x_i = 2x_1 + x_0$
Fetch element $f_{2x_1 + x_0} = f_{x_1 x_0}$

[Figure: a binary tree; the root branches on $x_1$ (0 left, 1 right), each child branches on $x_0$, and the leaves are $f_{00}, f_{01}, f_{10}, f_{11}$.]

Page 178: (4, 1)-CPIR: Private version

[Figure: the tree of page 177 with internal nodes $r_2$ (root), $r_0$, $r_1$ and leaves $f_{00}, f_{01}, f_{10}, f_{11}$.]

Alice sends to Bob $c_0 \leftarrow E^s_{pk}(x_0; R)$, $c_1 \leftarrow E^{s+1}_{pk}(x_1; R)$
  $r_0 \leftarrow \mathbf{r}_{pk}(c_0, (f_{00}, f_{01}))$
  $r_1 \leftarrow \mathbf{r}_{pk}(c_0, (f_{10}, f_{11}))$
  $r_2 \leftarrow \mathbf{r}_{pk}(c_1, (r_0, r_1))$
Bob sends to Alice $r_2$

Page 179: (4, 1)-CPIR: Private version

[Figure: as on page 178.]

Alice sends to Bob $c_0 \leftarrow E^s_{pk}(x_0; R)$, $c_1 \leftarrow E^{s+1}_{pk}(x_1; R)$
  $r_0 \leftarrow c_0^{f_{01} - f_{00}} \cdot E^s_{pk}(f_{00}; R) \in \mathbb{Z}_{N^{s+1}}$
  $r_1 \leftarrow c_0^{f_{11} - f_{10}} \cdot E^s_{pk}(f_{10}; R) \in \mathbb{Z}_{N^{s+1}}$
  $r_2 \leftarrow c_1^{r_1 - r_0} \cdot E^{s+1}_{pk}(r_0; R) \in \mathbb{Z}_{N^{s+2}}$
Bob sends to Alice $r_2 \in \mathbb{Z}_{N^{s+2}}$

Page 180: (4, 1)-CPIR: Private version

[Figure: as on page 178.]

Alice sends to Bob $c_0 \leftarrow E^s_{pk}(x_0; R)$, $c_1 \leftarrow E^{s+1}_{pk}(x_1; R)$
  $r_0 = E^s_{pk}(f_{(0, x_0)}; R) \in \mathbb{Z}_{N^{s+1}}$
  $r_1 = E^s_{pk}(f_{(1, x_0)}; R) \in \mathbb{Z}_{N^{s+1}}$
  $r_2 = E^{s+1}_{pk}(E^s_{pk}(f_{(x_1, x_0)}; R); R) \in \mathbb{Z}_{N^{s+2}}$
Bob sends to Alice $r_2 \in \mathbb{Z}_{N^{s+2}}$

Page 181: (8, 1)-CPIR

[Figure: a binary tree of depth 3; the root branches on $x_2$, the next level on $x_1$, the last level on $x_0$; the leaves are $f_{000}, f_{001}, f_{010}, f_{011}, f_{100}, f_{101}, f_{110}, f_{111}$.]

Page 182: MTAT.07.014 Cryptographic Protocols - ut · PDF fileIn Fomin, F. V., Kwiatkowska, M., and Peleg, D., editors, ICALP 2013, volume 7966 of LNCS, pages 645{656, Riga, ... (Crypto I or

Lecture 6. AH with Recursion: Nontrivial CPIR

(8, 1)-CPIR: Private Version

[Figure: the same tree with the encrypted node values: root $r$, children $r_0$ and $r_1$, grandchildren $r_{00}, r_{01}, r_{10}, r_{11}$, each above its pair of leaves $f_{000}, f_{001}, \ldots, f_{110}, f_{111}$.]

1. Alice sends $c_i \gets E^{s+i}_{pk}(x_i; R)$ for $i \in \{0, 1, 2\}$;

2. Bob computes recursively all values $r_i$; /* For example, $r_0 \gets r_{pk}(c_1; (r_{00}, r_{01}))$ */

3. Bob sends back $r \in \mathbb{Z}_{N^{s+3}}$;

$r = E^{s+2}_{pk}(E^{s+1}_{pk}(E^{s}_{pk}(f_{x_2 x_1 x_0})))$


(2m, 1)-CPIR: General Construction

Alice: $x_0, \ldots, x_{m-1} \in \{0, 1\}$. Bob: $(f_0, \ldots, f_{2^m - 1}) \in \mathcal{M}^{2^m}$

Alice: $(sk, pk) \gets G(1^\kappa)$, $r_0, \ldots, r_{m-1} \gets R$, $c_i \gets E^{s+i}_{pk}(x_i; r_i)$

Alice sends $q \gets (pk, c_0, \ldots, c_{m-1})$

Bob: for every node $v$ of the complete binary tree, recursively compute $r_v$ by using (2, 1)-CPIR. Let $r$ correspond to the root node.

Bob sends $r$

Alice: $a \gets D^{s+m-1}_{sk}(D^{s+m-2}_{sk}(\ldots D^{s}_{sk}(r) \ldots))$

See [Lipmaa, 2005, Lipmaa, 2009]
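The (4, 1)- and (8, 1)-CPIR slides and the general $(2^m, 1)$ construction above, as an added Python example; this is not code from the lecture or from the cited papers. It implements the Damgård-Jurik cryptosystem $E^{s}_{pk}$ / $D^{s}_{sk}$ (decryption by the standard "read $m$ off $(1+N)^m$ digit by digit" method), the (2, 1)-CPIR step $r_{pk}(c; (a_0, a_1)) = c^{a_1 - a_0} \cdot E^{s}_{pk}(a_0)$, Bob's tree recursion and Alice's $m$ decryptions, which peel the outermost layer $D^{s+m-1}_{sk}$ first and $D^{s}_{sk}$ last, matching $r = E^{s+2}(E^{s+1}(E^{s}(f)))$ on the (8, 1) slide. The toy primes, the function names and the database values are constructed for illustration only; a real deployment uses primes of the $\kappa/2$-bit size the communication slide assumes.

```python
import math
import secrets


def keygen(p, q):
    """Damgard-Jurik keys: pk = N, sk = (N, lambda). p, q are toy primes here."""
    n = p * q
    return n, (n, math.lcm(p - 1, q - 1))


def rand_unit(n):
    """Random element of Z_N^* (a non-unit r would break decryption)."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r


def enc(pk, s, m):
    """E^s_pk(m; r) = (1+N)^m * r^(N^s) mod N^(s+1); plaintexts live in Z_{N^s}."""
    n, mod = pk, pk ** (s + 1)
    return pow(1 + n, m, mod) * pow(rand_unit(n), n ** s, mod) % mod


def dec(sk, s, c):
    """D^s_sk(c): raise to d (d = 0 mod lambda, d = 1 mod N^s) to strip the
    randomness, then read m off (1+N)^m = 1 + mN + C(m,2)N^2 + ... digit by digit."""
    n, lam = sk
    mod = n ** (s + 1)
    d = lam * pow(lam, -1, n ** s)
    a = pow(c, d, mod)                      # == (1+N)^m mod N^(s+1)
    m = 0                                   # after round j: m mod N^j
    for j in range(1, s + 1):
        t1 = (a % n ** (j + 1) - 1) // n    # m + C(m,2) N + ... + C(m,j) N^(j-1)  mod N^j
        corr = sum(math.comb(m, k) * n ** (k - 1) for k in range(2, j + 1))
        m = (t1 - corr) % n ** j
    return m


def cpir2(pk, s, c, a0, a1):
    """(2,1)-CPIR step r_pk(c; (a0, a1)) at level s: given c = E^s(x) and
    a0, a1 in Z_{N^s}, return E^s(a_x) = c^(a1 - a0) * E^s(a0)."""
    n, mod = pk, pk ** (s + 1)
    return pow(c, (a1 - a0) % n ** s, mod) * enc(pk, s, a0) % mod


def alice_query(pk, s, x_bits):
    """c_i = E^{s+i}_pk(x_i), i = 0..m-1; x_0 is the least significant bit of x."""
    return [enc(pk, s + i, b) for i, b in enumerate(x_bits)]


def bob_answer(pk, s, query, db):
    """Fold the database up the complete binary tree; level i is selected by c_i.
    Level-i node values are level-(s+i-1) ciphertexts, i.e. elements of Z_{N^{s+i}}."""
    nodes = list(db)
    for i, c in enumerate(query):
        nodes = [cpir2(pk, s + i, c, nodes[2 * t], nodes[2 * t + 1])
                 for t in range(len(nodes) // 2)]
    return nodes[0]


def alice_decode(sk, s, m, r):
    """Peel the m layers: r is a level-(s+m-1) ciphertext, so D^{s+m-1} first, D^s last."""
    for i in reversed(range(m)):
        r = dec(sk, s + i, r)
    return r


def run_cpir(p, q, s, db, x):
    """End-to-end (2^m, 1)-CPIR. Returns (db[x], bits Alice sent, bits Bob sent)."""
    m = len(db).bit_length() - 1
    assert 1 << m == len(db) and all(0 <= f < (p * q) ** s for f in db)
    pk, sk = keygen(p, q)
    query = alice_query(pk, s, [(x >> i) & 1 for i in range(m)])
    r = bob_answer(pk, s, query, db)
    a = alice_decode(sk, s, m, r)
    alice_bits = sum((pk ** (s + i + 1)).bit_length() for i in range(m))
    return a, alice_bits, (pk ** (s + m)).bit_length()
```

The two bit counts returned by `run_cpir` are the quantities bounded on the communication slide: Alice's $m$ ciphertexts of $(s+i+1)\kappa$ bits each and Bob's single $(s+m)\kappa$-bit answer.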


(2m, 1)-CPIR: Communication

$\ell$-bit strings, $\kappa$ is the modulus length. For modulus $N = pq$, $|N^s| = s \log N = s\kappa$

$E^{s}_{pk}$ has plaintexts from $\mathbb{Z}_{N^s}$ ($s\kappa$ bits) and ciphertexts from $\mathbb{Z}_{N^{s+1}}$ ($(s+1)\kappa$ bits)

Alice sends $\le m \cdot (s + m)\kappa$ bits

Bob sends $\le (s + m + 1)\kappa$ bits

$s \cdot \kappa \approx \ell$, thus in total $\Theta(\ell m + \kappa m^2)$ bits

In general, replacing $2^m$ with any $n$: $\Theta(\ell \log n + \kappa \log^2 n)$ bits

Can be minimized as a function of $\ell$ [Lipmaa, 2009]: $(1 + o(1))\ell + (1 + o(1))\kappa \log^2 n \cdot \log\log n$

Important in applications where $\ell$ is extremely large. E.g.: a database of movies


(2m, 1)-CPIR: Computation

Alice encrypts $m$ items and performs $m$ decryptions

Efficient: $m$ is logarithmic in the database size

Bob executes (2, 1)-CPIR for every internal node: $2^m - 1$ (linear) nodes, expensive. 1 PKC operation is also expensive! $2^m$ expensive operations

Until 2009: was thought this is the best possible. . . Next time: better computation for $(2^m, 1)$-CPIR; generalization to many other functionalities. . . essentially by employing a suitable data structure (BDD)


Learning Outcomes

General technique: combining AH with recursion

Concrete application: nontrivial CPIR

Damgård-Jurik cryptosystem


Lecture 7. BDD and Multi-Round


secure BDD [Ishai and Paskin, 2007],

sublinear-computation CPIR [Lipmaa, 2009],

multi-round, multiparty computations: too many citations to give


Reminder

AH + recursion: can do certain nontrivial things

$(n, 1)$-CPIR: with decision trees, in one round

This time: trees → arbitrary DAGs

Plus: multi-round


Generalizing

CPIR by itself is interesting, but can we do more? Easy remark:

Let $f : A \to B$ be any function. Define the database $\vec{f}$ by $f_x := f(x) \in B$ for $x \in A$. Database: "truth table" of $f$. Perform $(|A|, 1)$-CPIR to obtain $f_x = f(x)$.

Result: can privately compute any function

Drawback: computation $\Theta(|A|)$. Can we improve on it?

Yes, by using a good data structure, given that $f$ is not random. . .


Binary Decision Diagram

BDD: directed acyclic graph. Every internal node is labeled by some $x_i$. Every terminal is labeled by some $f_j$. Every internal node has a 0-child and a 1-child.

Size of BDD: number of internal nodes

Length of BDD: length of the longest path to a terminal node

[Figure: an example BDD over $x_0$, $x_1$, $x_2$ with terminals 0 and 1; edges are labelled $x_i = 0$ and $x_i = 1$.]


Binary Decision Diagram

Computation process for some assignment of the $x_i$:

Start from the root node. For the current internal node labeled with some $x_i$: if $x_i = 0$, move to the 0-child, otherwise move to the 1-child. If a terminal node labeled by $f_j$ is reached, return $f_j$ as the value.

Time: length of BDD. Space: size of BDD

[Figure: three-node BDD: root $x_2$ with 0-child terminal 1 and 1-child $x_1$; $x_1$ with 0-child $x_0$ and 1-child terminal 0; $x_0$ with 0-child terminal 1 and 1-child terminal 0.]


Example BDD: Comparison

Assume Bob returns 1 if his input $f = 4f_2 + 2f_1 + f_0$ is larger than $x = 4x_2 + 2x_1 + x_0$. While constructing the BDD he already knows $f$, so he can optimize the BDD. Assume for example that $f = 5$; thus Bob returns 1 if $x < 5$, $f(x) := [x < 5]$.

[Figure: BDD for $[x < 5]$: root $x_2$ with 0-child terminal 1 and 1-child $x_1$; $x_1$ with 0-child $x_0$ and 1-child terminal 0; $x_0$ with 0-child terminal 1 and 1-child terminal 0.]


Example BDD: Private Version

Assume Bob returns 1 if his input $f = 4f_2 + 2f_1 + f_0$ is larger than $x = 4x_2 + 2x_1 + x_0$. While constructing the BDD he already knows $f$, so he can optimize the BDD. Assume for example that $f = 5$; thus Bob returns 1 if $x < 5$, $f(x) := [x < 5]$.

[Figure: the same BDD with the node values replaced by ciphertexts: root $r_3$, then $r_2$, then $r_1$, with terminals 1 and 0.]


Example BDD: Threshold

Assume Bob returns 1 if his input $f = 4f_2 + 2f_1 + f_0$ is larger than $x = x_2 + x_1 + x_0$. Assume for example that $f = 2$; thus Bob returns 1 if $x < 2$, $f(x) := [x < 2]$.

[Figure: BDD for the threshold function $[x_2 + x_1 + x_0 < 2]$: root $x_2$, two $x_1$ nodes, $x_0$ nodes below them, and terminals 1 and 0.]

$\mathrm{size}(P) = (m + 1)m/2 = \Theta(m^2)$. Can be done more efficiently for large $m$ [Wegener, 2000]
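The BDD definitions (size, length, evaluation) and the two example BDDs above, as an added Python example that is not part of the lecture. The `BDD` class hash-conses nodes so that equal subgraphs are shared, which is what makes it a DAG rather than a decision tree; `build_less_than` is Bob's optimized BDD for $[x < f]$ with $f$ known, and `build_threshold` is the $[x_2 + \cdots + x_0 < t]$ diagram generalized to $m$ bits, whose size stays within the $(m+1)m/2$ bound on the slide. Variable $x_i$ is bit $i$ of $x$ with $x_0$ the least significant bit, and the root reads $x_{m-1}$, as in the figures; names and sample values are my own.

```python
class BDD:
    """Internal node id ('N', k) -> (var, 0-child, 1-child); terminal ('T', label).
    Nodes are hash-consed, so identical subgraphs are shared (a DAG, not a tree)."""

    def __init__(self):
        self.nodes = {}   # ('N', k) -> (var, child0, child1)
        self._memo = {}   # (var, child0, child1) -> ('N', k)
        self.root = None

    @staticmethod
    def terminal(label):
        return ('T', label)

    def node(self, var, child0, child1):
        if child0 == child1:               # redundant test: no node needed
            return child0
        key = (var, child0, child1)
        if key not in self._memo:
            nid = ('N', len(self.nodes))
            self.nodes[nid] = key
            self._memo[key] = nid
        return self._memo[key]

    def evaluate(self, x):
        """Walk from the root, taking the x_i-child at each node, until a terminal."""
        cur = self.root
        while cur[0] == 'N':
            var, c0, c1 = self.nodes[cur]
            cur = c1 if (x >> var) & 1 else c0
        return cur[1]

    def size(self):
        """Number of internal nodes = PKC operations Bob pays in PrivateBDD."""
        return len(self.nodes)

    def length(self):
        """Longest root-to-terminal path = encryption layers PrivateBDD stacks."""
        depth = {}

        def rec(nid):
            if nid[0] == 'T':
                return 0
            if nid not in depth:
                _, c0, c1 = self.nodes[nid]
                depth[nid] = 1 + max(rec(c0), rec(c1))
            return depth[nid]
        return rec(self.root)


def build_less_than(f, m):
    """BDD for [x < f] over m-bit x with f fixed: one node per bit, MSB read first."""
    bdd = BDD()
    nxt = bdd.terminal(0)                 # all bits equal: x == f, so not less
    for i in range(m):                    # build bottom-up, from the LSB
        if (f >> i) & 1:
            nxt = bdd.node(i, bdd.terminal(1), nxt)   # x_i = 0 < f_i = 1: decided
        else:
            nxt = bdd.node(i, nxt, bdd.terminal(0))   # x_i = 1 > f_i = 0: decided
    bdd.root = nxt
    return bdd


def build_threshold(m, t):
    """BDD for [popcount(x) < t]; state (i, c) = 'about to read x_i, c ones so far'."""
    bdd = BDD()
    memo = {}

    def rec(i, c):
        if c >= t:
            return bdd.terminal(0)
        if c + i + 1 < t:                 # even if all remaining bits are 1 we stay < t
            return bdd.terminal(1)
        if (i, c) not in memo:
            memo[(i, c)] = bdd.node(i, rec(i - 1, c), rec(i - 1, c + 1))
        return memo[(i, c)]
    bdd.root = rec(m - 1, 0)
    return bdd
```

`build_less_than(5, 3)` reproduces the three-node diagram of the comparison slides (size 3, length 3), and `build_threshold(m, t)` never exceeds $(m+1)m/2$ internal nodes because a state $(i, c)$ only exists for $c \le \min(t-1, m-1-i)$.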


PrivateBDD Protocol for Function f

Alice: $x_0, \ldots, x_{m-1} \in \{0, 1\}$. Bob: $P$, an efficient BDD for $f$

Alice: $(sk, pk) \gets G(1^\kappa)$, $r_0, \ldots, r_{m-1} \gets R$, $c_i \gets E^{s + \mathrm{length}(P)}_{pk}(x_i; r_i)$

Alice sends $q \gets (pk, c_0, \ldots, c_{m-1})$

Bob: for every node $v$ of $P$, recursively compute $r_v$ by using (2, 1)-CPIR. Let $r$ correspond to the root node.

Bob sends $r$

Alice: $a \gets D^{s + \mathrm{length}(P)}_{sk}(D^{s + \mathrm{length}(P) - 1}_{sk}(\ldots D^{s}_{sk}(r) \ldots))$


PrivateBDD: Complexity

Let $\kappa$ be the length of the modulus, $m$ the number of Alice's variables, and $\ell$ the bitlength of the terminal node labels

Communication: $\kappa + (m + 1)(\ell + (\mathrm{length}(P) + 2)\kappa)$


PrivateBDD: Complexity

Bob's computation: $\mathrm{size}(P)$ PKC operations. Computation is "efficient" if $\mathrm{size}(P)$ is polynomial.

Fact. A Boolean function has a polynomial-size BDD iff it is computable by a log-space non-uniform Turing machine [Cobham, 1966]

Simply put: practically all "efficient" Boolean functions you ever need. Most probably not P-complete functions like linear programming: http://en.wikipedia.org/wiki/P-complete

If $f$ is not Boolean: can still do it efficiently for many interesting functions; the concrete complexity class is not so well understood

See [Wegener, 2000, Ishai and Paskin, 2007, Lipmaa, 2009]


(n, 1)-CPIR: Recap

Alice's input: $(x_0, \ldots, x_{m-1})$. Bob's input: $\vec{f} = (f_0, \ldots, f_{2^m - 1})$. Alice's output: $f_x$

Reformulate: evaluating the function $f$, $f(x) := f_x$. Design an efficient BDD for fixed $f$, apply PrivateBDD.

Fact: any function $f : \{0, 1\}^m \to \{0, 1\}^\ell$ can be implemented by a BDD of size $2^m \ell / \log_2(2^m \ell)$ [Lipmaa, 2009]

Corollary: $(n, 1)$-CPIR can be implemented in worst-case $\le (n\ell)/\log_2(n\ell)$ public-key operations [Lipmaa, 2009]

Better "than the lower bound" $n$ for small $\ell$


Links about BDD

Also known as branching programs. Used widely in circuit/program verification.

http://en.wikipedia.org/wiki/Binary_decision_diagram

Fun with Binary Decision Diagrams (video lecture by Knuth): http://myvideos.stanford.edu/player/slplayer.aspx?coll=ea60314a-53b3-4be2-8552-dcf190ca0c0b&co=18bcd3a8-965a-4a63-a516-a1ad74af1119&o=true

Verifying programs with BDDs, lecture notes, CMU: http://www.cs.cmu.edu/afs/cs/academic/class/15213-f06/www/lectures/class08-bdd.pdf


Recap

Up to now: 1-round (= 2-message) protocols. Used algebraic properties and beyond. BDD: recursion.

Pure additive homomorphism does not give us much. With recursion (BDD-homomorphism): 2-message protocols for all problems that have a polysize BDD.

However: BDD-protocols are computationally quite expensive


Recap: Inefficiency of BDD

One public-key operation per internal node, i.e. per unit of BDD size

All BDD-s are at least logarithmic in size

[Figure: the comparison BDD again: root $x_3$ with terminal 1 and child $x_2$; $x_2$ with child $x_1$ and terminal 0; $x_1$ with terminals 1 and 0.]

Comparison $x > y$ of two $\ell$-bit numbers takes at least $\ell$ PKC operations


Simple Example: Multiplication

Just 2MAH: impossible. Can only compute affine functions. If we can compute at least one multiplication, we can do quadratic polynomials.

AH + recursion: doable but expensive. Let the inputs be $m$-bit long. Can be done with BDD size $\Omega(m^2/\log m)$. [Wegener and Woelfel, 2007]: the BDD size to compute the middle bit of multiplication is at least $\Omega(m^{3/2}/\log m)$.

The result of the multiplication should stay hidden: $(E(x), E(y)) \to E(xy)$. Can be used recursively inside more complex protocols. Akin to recursive CPIR, but. . . adds more rounds


Interactive Multiplication: Brief Idea

Alice's input: $sk$. Bob's input: $pk$, $E_{pk}(m_1)$, $E_{pk}(m_2)$. Bob's output: $E_{pk}(m_1 m_2)$. Alice's output: none.

Can't send $E_{pk}(m_i)$ to Alice, who knows $sk$

We know: Bob can evaluate the product of $m_1$ and $m_2$ if at most one of them is encrypted

Bob needs to evaluate $m_1 m_2$ where both $m_1$, $m_2$ are encrypted


Interactive Multiplication: Brief Idea

General idea: secret share the inputs $m_i$ between Alice and Bob: $m'_i$ random (Bob can see them), $m_i + m'_i$ random (Alice can see them)

Secret-shared multiplication: $(m_1 + m'_1)(m_2 + m'_2) = m_1 m_2 + m_1 m'_2 + m'_1 m_2 + m'_1 m'_2$

Alice computes $(m_1 + m'_1)(m_2 + m'_2)$ on plaintexts and sends its encryption back to Bob

Knowing $E_{pk}((m_1 + m'_1)(m_2 + m'_2))$, $E_{pk}(m_i)$ and $m'_i$, Bob can compute $E_{pk}(m_1 m_2)$ by using AH


Interactive Multiplication with AH

Alice: $pk, sk$. Bob: $pk$, $c_i = E_{pk}(m_i; r_i)$

Bob: $m'_1, m'_2 \gets \mathcal{M}$, $r_1, r_2 \gets R$, $d_1 \gets c_1 \cdot E_{pk}(m'_1; r_1)$, $d_2 \gets c_2 \cdot E_{pk}(m'_2; r_2)$

Bob sends $(d_1, d_2)$

Alice: let $m''_1 \gets D_{sk}(d_1)$, $m''_2 \gets D_{sk}(d_2)$, $r_a \gets R$, $d_\times \gets E_{pk}(m''_1 m''_2; r_a)$

Alice sends $d_\times$

Bob: $r_b \gets R$, $c_\times \gets d_\times \cdot c_1^{-m'_2} \cdot c_2^{-m'_1} \cdot E_{pk}(-m'_1 m'_2; r_b)$

$c_\times = E_{pk}(m_1 m_2 + m_1 m'_2 + m'_1 m_2 + m'_1 m'_2) \cdot E_{pk}(-m_1 m'_2) \cdot E_{pk}(-m'_1 m_2) \cdot E_{pk}(-m'_1 m'_2; r_b) = E_{pk}(m_1 m_2; \cdots r_b)$
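The interactive multiplication protocol above (Bob masks, Alice multiplies the masked plaintexts and re-encrypts, Bob strips the cross terms with additive homomorphism), as an added Python example; it is not code from the lecture. The additively homomorphic scheme is instantiated with Paillier, i.e. Damgård-Jurik with $s = 1$, written out in a few lines. The toy primes, function names and message values are constructed for illustration.

```python
import math
import secrets


def keygen(p, q):
    """Paillier keys: pk = N, sk = (N, lambda, mu) with mu = lambda^{-1} mod N."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    mu = pow((pow(1 + n, lam, n * n) - 1) // n, -1, n)
    return n, (n, lam, mu)


def enc(n, m):
    """E_pk(m; r) = (1+N)^m * r^N mod N^2 with a fresh r in Z_N^*."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(1 + n, m, n * n) * pow(r, n, n * n) % (n * n)


def dec(sk, c):
    """D_sk(c) = L(c^lambda mod N^2) * mu mod N, where L(u) = (u - 1) / N."""
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def bob_mask(n, c1, c2):
    """Message 1 (Bob): d_i = c_i * E(m'_i) encrypts the share m_i + m'_i mod N."""
    m1p, m2p = secrets.randbelow(n), secrets.randbelow(n)
    d1 = c1 * enc(n, m1p) % (n * n)
    d2 = c2 * enc(n, m2p) % (n * n)
    return (d1, d2), (m1p, m2p)


def alice_multiply(sk, d1, d2):
    """Message 2 (Alice): decrypt the two uniformly random shares, multiply, re-encrypt."""
    n = sk[0]
    m1pp, m2pp = dec(sk, d1), dec(sk, d2)
    return enc(n, m1pp * m2pp % n)


def bob_unmask(n, c1, c2, d_times, masks):
    """Bob: c_x = d_x * c1^{-m'_2} * c2^{-m'_1} * E(-m'_1 m'_2), all on ciphertexts."""
    m1p, m2p = masks
    nn = n * n
    c_times = d_times
    c_times = c_times * pow(c1, (-m2p) % n, nn) % nn   # removes m_1 m'_2
    c_times = c_times * pow(c2, (-m1p) % n, nn) % nn   # removes m'_1 m_2
    c_times = c_times * enc(n, (-m1p * m2p) % n) % nn  # removes m'_1 m'_2, re-randomizes
    return c_times


def run_mult(p, q, m1, m2):
    """Whole 2-message exchange; Alice's sk is used only to check the result."""
    n, sk = keygen(p, q)
    c1, c2 = enc(n, m1), enc(n, m2)
    (d1, d2), masks = bob_mask(n, c1, c2)
    d_times = alice_multiply(sk, d1, d2)
    c_times = bob_unmask(n, c1, c2, d_times, masks)
    return dec(sk, c_times)
```

Bob's work is the 3 encryptions and 2 exponentiations the tradeoff slide counts, Alice's the 2 decryptions and 1 encryption; what Alice sees, $m_i + m'_i \bmod N$ for uniform $m'_i$, is independent of $m_i$.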


Interactive Multiplication: Privacy

Alice's privacy: Bob only sees ciphertexts, thus CPA-secure according to the "metatheorem", given that the cryptosystem is CPA-secure

Bob's privacy: Alice sees completely random values $m_i + m'_i$ and obtains no information


Tradeoff: Rounds vs Computation

Interactive multiplication can be used inside any complex protocol. Can do it many times: Bob obtains iteratively $E_{pk}(f(\vec{x}))$ for a polynomial $f$. #messages increases by 2 per every "sequential" multiplication.

Computation: only 3 encryptions and 2 exponentiations (by Bob) and 2 decryptions and 1 encryption (by Alice)

Corollary: can compute any multivariate polynomial in $\Theta(\#\mathrm{mult})$ computation and (if not parallelized) rounds


More on Rounds vs Computation

Rounds: 2-message protocols are "non-interactive": Alice sends some data to the cloud, the cloud computes some output and forwards it later to Alice. Alice can be offline/lazy. In multi-round protocols, Alice has to participate in computing every multiplication. Every round also takes some time.

Computation: 2-message protocols are often computationally too expensive. Multi-round protocols offer potentially much better computation.

Tradeoff: what is more important in your application?


Multi-Party Computation

$n > 2$ parties $P_1, \ldots, P_n$. Every party has input $x_i$ and output $y_i$. Otherwise security requirements as before.

Secret share all inputs between the parties, so that a coalition of a majority of parties can obtain the secrets, and any smaller coalition obtains no information.

Use secret sharing instead of encryption. Use of encryption is also possible: then the parties share the secret key (can decrypt only if a majority participates).

If secret sharing: can do without computational assumptions, but we have to assume a majority of the parties are honest


Elgamal (2, 2)-Threshold Encryption

$(m, n)$: $n$ parties, any $m$ together can decrypt, any $m - 1$ can't. Will explain $(2, 2)$ for Elgamal. One can generalize to Paillier and to many parties.


Elgamal (2, 2)-Threshold Encryption

$P_i$, $i \in \{1, 2\}$, chooses $sk_i$ and publishes $pk_i = g^{sk_i}$

$sk = \sum sk_i$, $pk = \prod pk_i = g^{\sum sk_i} = g^{sk}$

Encrypt $m$: $E_{pk}(m; r) = (g^m pk^r; g^r)$. Decrypt: (player order not important)

1. $c'_1 := g^{D_{sk_1}(g^m pk^r; g^r)} = g^m pk^r / g^{r \cdot sk_1} = g^m g^{r(sk_1 + sk_2)} / g^{r \cdot sk_1} = g^m g^{r \cdot sk_2} = g^m pk_2^r$

2. $D_{sk_2}(c'_1, g^r) = \log_g(g^m g^{r \cdot sk_2} / g^{r \cdot sk_2}) = m$

Security: $(c'_1, g^r) = E_{pk_2}(m; r)$, thus $P_1$ cannot decrypt without knowing $sk_2$
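The $(2, 2)$-threshold Elgamal decryption above, as an added Python example that is not part of the lecture. It uses lifted Elgamal (message in the exponent, as the slide's $g^m$ suggests) in the order-$Q$ subgroup of $\mathbb{Z}_P^*$ for a constructed toy safe prime $P = 2Q + 1$; a real deployment uses a 2048-bit-class prime or an elliptic-curve group, and lifted Elgamal only decrypts messages small enough to table. The run shows both decryption orders and checks the slide's security remark: $P_1$'s partial result is literally $E_{pk_2}(m; r)$.

```python
import secrets

P = 1019   # constructed toy safe prime, P = 2*Q + 1 (not a real-world size)
Q = 509
G = 4      # a quadratic residue mod P, hence a generator of the order-Q subgroup


def keygen_share():
    """P_i chooses sk_i and publishes pk_i = g^{sk_i}."""
    sk_i = secrets.randbelow(Q - 1) + 1
    return sk_i, pow(G, sk_i, P)


def combine_pk(pk1, pk2):
    """pk = pk_1 * pk_2 = g^{sk_1 + sk_2}; the joint key sk_1 + sk_2 is never materialised."""
    return pk1 * pk2 % P


def enc(pk, m, r=None):
    """Lifted Elgamal: E_pk(m; r) = (g^m pk^r, g^r), message in the exponent."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return pow(G, m, P) * pow(pk, r, P) % P, pow(G, r, P)


def partial_decrypt(sk_i, c):
    """One share's step: (u, v) -> (u / v^{sk_i}, v). Applied with sk_1 to
    E_pk(m; r) this is exactly E_{pk_2}(m; r), still hiding m from P_1."""
    u, v = c
    return u * pow(v, -sk_i, P) % P, v      # negative exponent = modular inverse


def dlog(h):
    """Brute-force log_g(h); acceptable only for this 509-element toy group."""
    for m in range(Q):
        if pow(G, m, P) == h:
            return m
    raise ValueError("h is not in the subgroup generated by g")


def run_threshold(m):
    """Returns (m via P1 then P2, whether c'_1 == E_{pk2}(m; r), m via P2 then P1)."""
    sk1, pk1 = keygen_share()
    sk2, pk2 = keygen_share()
    pk = combine_pk(pk1, pk2)
    r = secrets.randbelow(Q - 1) + 1
    c = enc(pk, m, r)
    c1 = partial_decrypt(sk1, c)              # P_1 acts first ...
    m_a = dlog(partial_decrypt(sk2, c1)[0])   # ... and P_2 finishes
    c2 = partial_decrypt(sk2, c)              # the other order works just as well
    m_b = dlog(partial_decrypt(sk1, c2)[0])
    return m_a, c1 == enc(pk2, m, r), m_b
```

Because $c'_1$ is a fresh-looking encryption under $pk_2$, $P_1$ alone is in exactly the position of an outsider facing a single-key Elgamal ciphertext; the same structure generalizes to $n$ shares by multiplying all $pk_i$.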


Examples: Other Functionalities

Denote: $[[x]]$ = threshold encryption of $x$

Secure polynomial evaluation

Other applications include (not explaining):

Equality test: $[[x]], [[y]] \to [[[x = y]]]$. [Toft, 2011]: first $o(m)$ protocol with $o(|x|)$ PKC ops (recall BDD requires $\Theta(m)$). [Lipmaa and Toft, 2013]: some improvement

Comparison (GT): $[[x]], [[y]] \to [[[x > y]]]$. Easy to construct from EQ [Toft, 2011]

Secure sort: can be constructed by applying $\Theta(n \log n)$ GT operations


Example: Why MULT and EQ

// Nonprivate:

if x = y then
  x ← z;
else
  y ← z;
end

// Private:

[[[x = y]]] ← EQ([[x]], [[y]]);
[[[x ≠ y]]] ← [[1]] − [[[x = y]]];
[[x]] ← [[[x = y]]] · [[z]] + [[[x ≠ y]]] · [[x]];
[[y]] ← [[[x ≠ y]]] · [[z]] + [[[x = y]]] · [[y]];


Example: Vector Scan (Prefix-Sum)

Input: $x_1, \ldots, x_n$ and an associative operator. Output: $y_1, \ldots, y_n$, where $y_i = x_1 \cdots x_{i-1}$

Polynomial evaluation: given a polynomial $f$ and $[[x]]$, compute $[[f(x)]] = \sum f_i [[x^i]]$. $(x, x, \ldots, x) \to (1, x, x^2, \ldots, x^{n-1})$ is a prefix-sum

Straightforward computation: compute $[[y_1]] \gets [[1]]$. For $i \gets 1$ to $n$ do: compute $[[y_i]] \gets [[y_{i-1}]]\,[[x_i]]$. Total: $\Theta(n)$ rounds. Corollary: $[[f(x)]]$ in $\Theta(n)$ rounds

Round reduction idea: parallelize, i.e. execute several multiplications in parallel. #mults: increases by a constant factor. #rounds: decreases from $\Theta(n)$ to $\Theta(\log n)$


Efficient $n = 2^m$ Vector Scan

(1) Upsweep:

$m$ rounds, $2^m - 1 = n - 1$ semigroup operations


Efficient n = 2m-Vector Scan

(2) Downsweep:

$m$ rounds, $2^m - 1 = n - 1$ semigroup operations. See http://http.developer.nvidia.com/GPUGems3/gpugems3_ch39.html
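The upsweep/downsweep scan of the last three slides, as an added Python example that is not code from the lecture or from the linked GPU Gems chapter. It runs the two sweeps over any associative operator with an identity, counts rounds (sets of operations that can run in parallel) and operations, and then uses it for the $(x, x, \ldots, x) \to (1, x, \ldots, x^{n-1})$ prefix product behind polynomial evaluation. The operator is kept non-commutative-safe (left operand before right), which the string test checks; names and sample values are my own.

```python
def exclusive_scan(xs, op, identity):
    """Blelloch scan: y_i = x_1 ... x_{i-1}. Returns (ys, rounds, operations)."""
    n = len(xs)
    m = n.bit_length() - 1
    assert n == 1 << m, "n must be a power of two"
    a = list(xs)
    rounds = ops = 0

    # (1) Upsweep: m rounds, n-1 ops; the last slot of each block gets the block's product.
    for d in range(m):
        step = 1 << (d + 1)
        for i in range(0, n, step):                 # all blocks of one level: one round
            a[i + step - 1] = op(a[i + step // 2 - 1], a[i + step - 1])
            ops += 1
        rounds += 1

    # (2) Downsweep: m rounds, n-1 ops; push prefixes back down the tree.
    a[n - 1] = identity
    for d in reversed(range(m)):
        step = 1 << (d + 1)
        for i in range(0, n, step):
            left, right = i + step // 2 - 1, i + step - 1
            t = a[left]
            a[left] = a[right]                      # left child: prefix before the block
            a[right] = op(a[right], t)              # right child: that prefix, then left half
            ops += 1
        rounds += 1
    return a, rounds, ops


def powers_by_scan(x, n, mod):
    """(x, x, ..., x) -> (1, x, ..., x^{n-1}) mod `mod` in 2 log n rounds of multiplication."""
    ys, rounds, _ = exclusive_scan([x] * n, lambda a, b: a * b % mod, 1)
    return ys, rounds


def eval_poly_by_scan(coeffs, x, mod):
    """f(x) = sum f_i x^i: powers from the scan, then an additive-only combination."""
    powers, rounds = powers_by_scan(x, len(coeffs), mod)
    return sum(f * p for f, p in zip(coeffs, powers)) % mod, rounds
```

With encrypted inputs the multiplications inside `op` would be the interactive multiplications of the earlier slides, so `rounds` is the number of sequential multiplication rounds: $2m = 2\log_2 n$ instead of the $\Theta(n)$ of the straightforward loop, at the cost of $2(n-1)$ rather than $n - 1$ multiplications.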


Learning Outcomes

BDD/branching program: a relatively large class of functionalities can be securely computed in polynomial time in 1 round. Every function $f : \{0, 1\}^m \to \{0, 1\}$ can be securely computed in time $O(2^m/m)$ in 1 round

Everything interesting can be computed in many rounds

Real efficiency still takes considerable effort

In reality, one needs to optimize both rounds and computation. Decide based on the application

NB! You need to know your algorithms and data structures. Crypto often adds a privacy-preserving layer to them


Learning Outcomes (up to now)

We walked from the very basics to ways of constructing quite complex protocols. Common denominator: security in the semihonest model

It is easy to see that most of the previous protocols are insecure if parties do not follow the protocol. Following $n$ lectures: security in the malicious model
