![Page 1: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/1.jpg)
Introduction to Modern Cryptography: Revision1
Giorgos Panagiotakos
Course Organizer: Prof. Aggelos Kiayias
May 18, 2018
1The slides are based on the course notes.
![Page 2: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/2.jpg)
Commitments
Syntax
I b ← Param(1λ);
I (r , c)← Commit(b,M);
I True/False ← Verify(b, c , r ,M)
Security Properties
I Correctness;
I Binding;
I Hiding
Correctness: For every message M:
Pr
[b ← Param(1λ); (r , c)← Commit(b,M) :
Verify(b, c , r ,M) = True
]= 1
![Page 3: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/3.jpg)
Commitments
Syntax
I b ← Param(1λ);
I (r , c)← Commit(b,M);
I True/False ← Verify(b, c , r ,M)
Security Properties
I Correctness;
I Binding;
I Hiding
Correctness: For every message M:
Pr
[b ← Param(1λ); (r , c)← Commit(b,M) :
Verify(b, c , r ,M) = True
]= 1
![Page 4: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/4.jpg)
Commitments
Syntax
I b ← Param(1λ);
I (r , c)← Commit(b,M);
I True/False ← Verify(b, c , r ,M)
Security Properties
I Correctness;
I Binding;
I Hiding
Correctness: For every message M:
Pr
[b ← Param(1λ); (r , c)← Commit(b,M) :
Verify(b, c , r ,M) = True
]= 1
![Page 5: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/5.jpg)
Binding
The committer should not be able to de-commit to a valuedifferent from the one she committed.
Algorithm 1 bindattackA(1λ)
1: Let b ← Param(1λ)2: (c , r1,M1, r2,M2)← A(1λ, b)3: if M1 6= M2 and Ver(b, c , r1,M1) = 1 and Ver(b, c , r2,M2) = 1
then4: return 15: else6: return 07: end if
∀ PPT A : Pr[bindattackA(1λ) = 1] = negl(λ)
![Page 6: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/6.jpg)
Binding
The committer should not be able to de-commit to a valuedifferent from the one she committed.
Algorithm 2 bindattackA(1λ)
1: Let b ← Param(1λ)2: (c , r1,M1, r2,M2)← A(1λ, b)3: if M1 6= M2 and Ver(b, c , r1,M1) = 1 and Ver(b, c , r2,M2) = 1
then4: return 15: else6: return 07: end if
∀ PPT A : Pr[bindattackA(1λ) = 1] = negl(λ)
![Page 7: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/7.jpg)
Hiding
No information is leaked about the message beforede-commitment.
Algorithm 3 hidingattackA(1λ)
1: b ← Param(1λ)2: (aux ,M0,M1)← A1(1λ, b)
3: dR← {0, 1}
4: (r , c)← Commit(b,Md)5: d∗ ← A2(c , b, aux)6: if d∗ = d and M0 6= M1 then7: return 18: else9: return 0
10: end if
∀ PPT A = (A1,A2) : Pr[hidingattackA(1λ) = 1] ≤ 1
2+ negl(λ)
![Page 8: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/8.jpg)
Hiding
No information is leaked about the message beforede-commitment.
Algorithm 4 hidingattackA(1λ)
1: b ← Param(1λ)2: (aux ,M0,M1)← A1(1λ, b)
3: dR← {0, 1}
4: (r , c)← Commit(b,Md)5: d∗ ← A2(c , b, aux)6: if d∗ = d and M0 6= M1 then7: return 18: else9: return 0
10: end if
∀ PPT A = (A1,A2) : Pr[hidingattackA(1λ) = 1] ≤ 1
2+ negl(λ)
![Page 9: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/9.jpg)
Key Exchange
Syntax
For parties A,B:
I transA,B(1λ);
I key(τ)
Security Definition
Let V be some PT predicate such that
δ = Prτ←transA,B(1λ)
[V (key(τ)) = 1]
For any PPT A it holds that:
Prτ←transA,B(1λ)
[A(τ) = V (key(τ)] ≤ max{δ, 1− δ}+ negl(λ)
![Page 10: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/10.jpg)
Key Exchange
Syntax
For parties A,B:
I transA,B(1λ);
I key(τ)
Security Definition
Let V be some PT predicate such that
δ = Prτ←transA,B(1λ)
[V (key(τ)) = 1]
For any PPT A it holds that:
Prτ←transA,B(1λ)
[A(τ) = V (key(τ)] ≤ max{δ, 1− δ}+ negl(λ)
![Page 11: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/11.jpg)
Key Exchange
Syntax
For parties A,B:
I transA,B(1λ);
I key(τ)
Security Definition
Let V be some PT predicate such that
δ = Prτ←transA,B(1λ)
[V (key(τ)) = 1]
For any PPT A it holds that:
Prτ←transA,B(1λ)
[A(τ) = V (key(τ)] ≤ max{δ, 1− δ}+ negl(λ)
![Page 12: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/12.jpg)
Zero Knowledge Proofs
Syntax
For interactive programs 〈P,V 〉:I language L ∈ NP, R polynomial time predicate such that
L = {x : R(x ,w) = 1 for some w}
I outPP,V (x ,w , z)
Security Properties
I Completeness;
I Soundness;
I Zero-Knowledge
Completeness: If x ∈ L and R(x ,w) = 1 for some w , then for allstrings z : Pr[outVP,V (x ,w , z) = 1] ≥ 1− negl(λ)
![Page 13: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/13.jpg)
Zero Knowledge Proofs
Syntax
For interactive programs 〈P,V 〉:I language L ∈ NP, R polynomial time predicate such that
L = {x : R(x ,w) = 1 for some w}
I outPP,V (x ,w , z)
Security Properties
I Completeness;
I Soundness;
I Zero-Knowledge
Completeness: If x ∈ L and R(x ,w) = 1 for some w , then for allstrings z : Pr[outVP,V (x ,w , z) = 1] ≥ 1− negl(λ)
![Page 14: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/14.jpg)
Zero Knowledge Proofs
Syntax
For interactive programs 〈P,V 〉:I language L ∈ NP, R polynomial time predicate such that
L = {x : R(x ,w) = 1 for some w}
I outPP,V (x ,w , z)
Security Properties
I Completeness;
I Soundness;
I Zero-Knowledge
Completeness: If x ∈ L and R(x ,w) = 1 for some w , then for allstrings z : Pr[outVP,V (x ,w , z) = 1] ≥ 1− negl(λ)
![Page 15: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/15.jpg)
Soundness
If the verifier is convinced, then we can efficiently extract a witnessfor x .
DefinitionFor any PPT P∗ and arbitrary x ,w , z let
πx ,w ,z = Pr[outVP∗,V(x ,w , z) = 1].
〈P,V 〉 is sound iff there exists non-negligible s(λ), q(λ) such that∀ PPT P∗, ∃ PPT K such that if
π̃x ,w ,z = Pr[K (x ,w , z) = w ′ : R(x ,w ′) = 1]
then πx ,w ,z ≥ s(λ) implies π̃x ,w ,z ≥ q(λ).
![Page 16: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/16.jpg)
(Statistical) Zero-knowledge
The verifier can simulate the whole transcript on his own.
Definition∀ PPT V∗, ∃ PPT S, such that for all x ,w with R(x ,w) = 1:
∀A|Pr[A(S(x , z)) = 1]− Pr[A(outV∗P,V∗(x ,w , z)]| ≤ ε
![Page 17: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/17.jpg)
Digital Signatures
Syntax
I (vk , sk)← Gen(1λ);
I σ ← Sign(sk ,M);
I True/False ← Verify(vk ,M, σ)
Security Properties
I Correctness;
I Unforgeability
Correctness: For every (vk , sk) ∈ Gen(1λ), every M ∈ {0, 1}∗:
Pr[Verify(vk ,M,Sign(sk ,M)) = True
]= 1
![Page 18: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/18.jpg)
Digital Signatures
Syntax
I (vk , sk)← Gen(1λ);
I σ ← Sign(sk ,M);
I True/False ← Verify(vk ,M, σ)
Security Properties
I Correctness;
I Unforgeability
Correctness: For every (vk , sk) ∈ Gen(1λ), every M ∈ {0, 1}∗:
Pr[Verify(vk ,M,Sign(sk ,M)) = True
]= 1
![Page 19: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/19.jpg)
Digital Signatures
Syntax
I (vk , sk)← Gen(1λ);
I σ ← Sign(sk ,M);
I True/False ← Verify(vk ,M, σ)
Security Properties
I Correctness;
I Unforgeability
Correctness: For every (vk , sk) ∈ Gen(1λ), every M ∈ {0, 1}∗:
Pr[Verify(vk ,M,Sign(sk ,M)) = True
]= 1
![Page 20: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/20.jpg)
Unforgeability (UF-CMA)
ASign(sk, ·)
(m∗, σ∗)
(m∗ 6∈ Q) ∧ (Ver(vk,m∗, σ∗) = True)
vksk
mi
σi
Gen(1λ)
∀ PPT A : Pr[ExpUFA (1λ) = 1] ≤ negl(λ)
![Page 21: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/21.jpg)
Unforgeability (UF-CMA)
ASign(sk, ·)
(m∗, σ∗)
(m∗ 6∈ Q) ∧ (Ver(vk,m∗, σ∗) = True)
vksk
mi
σi
Gen(1λ)
∀ PPT A : Pr[ExpUFA (1λ) = 1] ≤ negl(λ)
![Page 22: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/22.jpg)
Public-key Encryption
Syntax
I (pk, sk)← Gen(1λ);
I c ← Enc(pk,M);
I m← Dec(sk, c)
Security Properties
I Correctness;
I IND-CPA
Correctness: For every (pk, sk) ∈ Gen(1λ), every M ∈ {0, 1}∗:
Pr[Dec(sk,Enc(pk,M)) = M
]= 1
![Page 23: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/23.jpg)
Public-key Encryption
Syntax
I (pk, sk)← Gen(1λ);
I c ← Enc(pk,M);
I m← Dec(sk, c)
Security Properties
I Correctness;
I IND-CPA
Correctness: For every (pk, sk) ∈ Gen(1λ), every M ∈ {0, 1}∗:
Pr[Dec(sk,Enc(pk,M)) = M
]= 1
![Page 24: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/24.jpg)
Public-key Encryption
Syntax
I (pk, sk)← Gen(1λ);
I c ← Enc(pk,M);
I m← Dec(sk, c)
Security Properties
I Correctness;
I IND-CPA
Correctness: For every (pk, sk) ∈ Gen(1λ), every M ∈ {0, 1}∗:
Pr[Dec(sk,Enc(pk,M)) = M
]= 1
![Page 25: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/25.jpg)
IND-CPA
A
m0,m1
b← {0, 1}cb = Encpk(mb)cb
b′
b ?= b′
pk
∀ PPT A : Pr[ExpIND−CPAA (1λ) = 1] ≤ 1/2 + negl(λ)
![Page 26: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/26.jpg)
IND-CPA
A
m0,m1
b← {0, 1}cb = Encpk(mb)cb
b′
b ?= b′
pk
∀ PPT A : Pr[ExpIND−CPAA (1λ) = 1] ≤ 1/2 + negl(λ)
![Page 27: Introduction to Modern Cryptography: Revision=1The slides ... · Introduction to Modern Cryptography: Revision1 Giorgos Panagiotakos Course Organizer: Prof. Aggelos Kiayias May 18,](https://reader035.vdocuments.mx/reader035/viewer/2022070723/5f02072a7e708231d40237f9/html5/thumbnails/27.jpg)
Questions?