Lecture 24
Continue on zero-knowledge proof
Let X=(G_0,G_1) and y=\sigma, a permutation with \sigma(G_0)=G_1.
P picks a random permutation \Pi and sets H=\Pi(G_0).
P sends H to V.
V sends a random b\in\{0,1\} to P.
P sends \phi=\Pi if b=0 and \phi=\Pi\sigma^{-1} if b=1.
V outputs accept if \phi(G_b)=H and reject otherwise.
Message transfer protocol
The message transfer protocol is defined as follows.
Construct a simulator S(x,z) based on V^*(x,z).
Pick b'\gets\{0,1\}.
\Pi\gets \mathbb{P}_n and H\gets \Pi(G_{b'}).
If V^* sends b=b', we send \Pi and output V^*'s output.
Otherwise, we start over: go back to the beginning state. Do this until n successive accepts.
Zero-knowledge definition (Cont.)
In the zero-knowledge definition, we need the simulator S to have expected running time polynomial in n.
Expected two trials for each "success"
2*n running time (one interaction)
\{Out_{V^*}[S(x,z)\leftrightarrow V^*(x,z)]\}=\{Out_{V^*}[P(x,y)\leftrightarrow V^*(x,z)]\}
If G_0 and G_1 are indistinguishable, H_s=\Pi(G_{b'}) has the same distribution as H_p=\Pi(G_0). (A random permutation of G_1 is a random permutation of G_0.)
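The protocol and the rewinding simulator above, as an added Python sketch (not from the lecture): graphs are edge sets on 6 vertices, and the cheating verifier `cheat_v`, which derives b from H, is a constructed stand-in for V^*. The simulator never sees \sigma, yet its transcripts pass the same check, at about two trials per accepted round.

```python
import random

def apply(perm, graph):
    """Relabel each edge {u, v} as {perm[u], perm[v]}."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in graph)

def rand_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return p

def verify(G0, G1, H, b, phi):
    """V's check: phi must map G_b onto the committed graph H."""
    return apply(phi, (G0, G1)[b]) == H

def prover_round(G0, G1, sigma, challenge, rng):
    """Honest P, who knows sigma with sigma(G0) = G1."""
    n = len(sigma)
    pi = rand_perm(n, rng)
    H = apply(pi, G0)
    b = challenge(H)
    inv = {sigma[v]: v for v in range(n)}            # sigma^{-1}
    phi = pi if b == 0 else [pi[inv[v]] for v in range(n)]
    return H, b, phi

def simulate_round(G0, G1, n, challenge, rng):
    """S without sigma: guess b', commit to Pi(G_{b'}), rewind on a miss."""
    trials = 0
    while True:
        trials += 1
        guess = rng.randrange(2)
        pi = rand_perm(n, rng)
        H = apply(pi, (G0, G1)[guess])
        b = challenge(H)
        if b == guess:                               # V* asked what we prepared for
            return (H, b, pi), trials

def demo(rounds=200, seed=1):
    rng = random.Random(seed)
    edges = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (0, 2)]  # constructed sample graph
    G0 = frozenset(frozenset(e) for e in edges)
    sigma = rand_perm(6, rng)
    G1 = apply(sigma, G0)
    cheat_v = lambda H: sum(min(e) for e in H) % 2   # V* chooses b as a function of H
    real_ok = all(verify(G0, G1, *prover_round(G0, G1, sigma, cheat_v, rng))
                  for _ in range(rounds))
    sims = [simulate_round(G0, G1, 6, cheat_v, rng) for _ in range(rounds)]
    sim_ok = all(verify(G0, G1, *t) for t, _ in sims)
    return real_ok, sim_ok, sum(k for _, k in sims) / rounds

if __name__ == "__main__":
    print(demo())
```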
Review
Assumptions used in cryptography (this course)
Diffie-Hellman assumption
The Diffie-Hellman assumption is that the following problem is hard.
\text{Given } g,g^a,g^b\text{, it is hard to compute } g^{ab}.
More formally,
Let p be a randomly sampled safe prime.
Denote the set of safe primes as \tilde{\Pi}_n=\{p\in \Pi_n:q=\frac{p-1}{2}\in \Pi_{n-1}\}
Then
P\left[p\gets \tilde{\Pi}_n;a\gets\mathbb{Z}_p^*;g=a^2\neq 1;x\gets \mathbb{Z}_q;y=g^x\mod p:\mathcal{A}(y)=x\right]\leq \varepsilon(n)
p\gets \tilde{\Pi}_n;a\gets\mathbb{Z}_p^*;g=a^2\neq 1 is the function condition when we do the encryption on cyclic groups.
Discrete logarithm assumption
If Diffie-Hellman assumption holds, then discrete logarithm assumption holds.
This is a corollary of the Diffie-Hellman assumption; it is stated as follows.
This is a collection of one-way functions:
p\gets \tilde\Pi_n(\textup{ safe primes }), p=2q+1
a\gets \mathbb{Z}_p^*;g=a^2(\textup{ make sure }g\neq 1)
f_{g,p}(x)=g^x\mod p
f:\mathbb{Z}_q\to \mathbb{Z}^*_p
RSA assumption
The RSA assumption is that it is hard to factorize a product of two large primes (there is no polynomial-time algorithm for factoring the product of two large primes with n bits).
Let e be the exponent.
P[p,q\gets \Pi_n;N\gets p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;y\gets \mathbb{N}_n;x\gets \mathcal{A}(N,e,y):x^e=y\mod N]<\varepsilon(n)
Factoring assumption
If RSA assumption holds, then factoring assumption holds.
The only way to efficiently factorize the product of primes is to iterate over all the primes.
Fancy product of these assumptions
Trapdoor permutation
RSA assumption \implies Trapdoor permutation exists.
Idea: f:D\to R is a one-way permutation.
y\gets R.
- Finding x such that f(x)=y is hard.
- With some secret info about f, finding x is easy.
\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I}
- \forall i, f_i is a permutation.
- (i,t)\gets Gen(1^n) is efficient. (i\in I paired with t), t is the "trapdoor info".
- \forall i, D_i can be sampled efficiently.
- \forall i,\forall x, f_i(x) can be computed in polynomial time.
- P[(i,t)\gets Gen(1^n);y\gets R_i:f_i(\mathcal{A}(1^n,i,y))=y]<\varepsilon(n) (note: \mathcal{A} is not given t)
- (trapdoor) There is a p.p.t. B such that given i,y,t, B always finds x such that f_i(x)=y. t is the "trapdoor info".
There is one bit of trapdoor info that without it, finding x is hard.
Collision-resistant hash function
If discrete logarithm assumption holds, then collision-resistant hash function exists.
Let h: \{0, 1\}^{n+1} \to \{0, 1\}^n be a CRHF.
Based on the discrete log assumption, we can construct a CRHF H: \{0, 1\}^{n+1} \to \{0, 1\}^n as follows:
Gen(1^n):(g,p,y)
p\in \tilde{\Pi}_n(p=2q+1)
g is a generator for the group of squares \mod p (G_q)
y is a random element in G_q
h_{g,p,y}(x,b)=y^bg^x\mod p, y^bg^x\mod p \in \{0,1\}^n
g^x\mod p if b=0, y\cdot g^x\mod p if b=1.
Under the discrete log assumption, H is a CRHF.
- It is easy to sample (g,p,y)
- It is easy to compute
- Compressing by 1 bit
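Why H is collision resistant under the discrete log assumption, as an added Python example (not from the lecture): any collision must pair a b=0 input with a b=1 input, and from it \log_g y falls out directly. The safe prime p=2039 and all function names are constructed for the demo; the collision is found by exhaustive search, which works only at this toy size.

```python
import random

def is_prime(m):
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))

def gen(rng, p=2039):
    """Toy Gen(1^n): p = 2q+1 (constructed small safe prime), g = a^2 != 1, y in G_q."""
    q = (p - 1) // 2
    assert is_prime(p) and is_prime(q), "p must be a safe prime"
    g = 1
    while g == 1:                        # make sure g != 1
        g = pow(rng.randrange(1, p), 2, p)
    y = pow(g, rng.randrange(1, q), p)   # the exponent is discarded, not stored
    return g, p, q, y

def h(params, x, b):
    """h_{g,p,y}(x, b) = y^b * g^x mod p, for x in Z_q and b in {0, 1}."""
    g, p, q, y = params
    return pow(y, b, p) * pow(g, x, p) % p

def find_collision(params):
    """Exhaustive search over Z_q; feasible only because q is tiny here."""
    q = params[2]
    table = {h(params, x, 0): x for x in range(q)}
    for x1 in range(1, q):
        v = h(params, x1, 1)
        if v in table:
            return (table[v], 0), (x1, 1)
    return None

def dlog_from_collision(params, c0, c1):
    """Reduction: a collision h(x0, b0) = h(x1, b1) reveals log_g(y)."""
    g, p, q, y = params
    (x0, b0), (x1, b1) = c0, c1
    assert c0 != c1 and h(params, x0, b0) == h(params, x1, b1)
    if b0 == b1:
        raise ValueError("g^x0 = g^x1 with x0 != x1 in Z_q cannot happen")
    if b0 == 1:                          # order the pair so that b0 = 0, b1 = 1
        x0, x1 = x1, x0
    return (x0 - x1) % q                 # g^x0 = y * g^x1  =>  y = g^(x0 - x1)

def demo(seed=7):
    params = gen(random.Random(seed))
    c0, c1 = find_collision(params)
    d = dlog_from_collision(params, c0, c1)
    g, p, q, y = params
    return c0 != c1, pow(g, d, p) == y

if __name__ == "__main__":
    print(demo())
```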
One-way permutation
If trapdoor permutation exists, then one-way permutation exists.
A one-way permutation is a function that is one-way and returns a permutation of the input.
One-way function
If one-way permutation exists, then one-way function exists.
One-way function is a class of functions that are easy to compute but hard to invert.
Weak one-way function
A weak one-way function is
f:\{0,1\}^n\to \{0,1\}^*
- \exists a P.P.T. that computes f(x), \forall x\in\{0,1\}^n
- \forall a adversaries, \exists \varepsilon(n), \forall n.
P[x\gets \{0,1\}^n;y=f(x):f(a(y,1^n))=y]<1-\frac{1}{p(n)}
The probability of success should not be too close to 1
Strong one-way function
If weak one-way function exists, then strong one-way function exists.
A strong one-way function is
f:\{0,1\}^n\to \{0,1\}^* (n\to \infty)
There is a negligible function \varepsilon (n) such that for any adversary a (n.u.p.p.t)
P[x\gets\{0,1\}^n;y=f(x):f(a(y))=y,a(y)=x']\leq\varepsilon(n)
Probability of guessing correct message is negligible
Hard-core bits
Strong one-way function \iff hard-core bits exist.
A hard-core bit is a bit that is hard to predict given the output of a one-way function.
Pseudorandom generator
If one-way permutation exists, then pseudorandom generator exists.
We can also use pseudorandom generator to construct one-way function.
And hard-core bits can be used to construct pseudorandom generator.
Pseudorandom function
If pseudorandom generator exists, then pseudorandom function exists.
A pseudorandom function is a function that is indistinguishable from a true random function.
Multi-message secure private-key encryption
If pseudorandom function exists, then multi-message secure private-key encryption exists.
A multi-message secure private-key encryption is a function that is secure against an adversary who can see multiple messages.
Single message secure private-key encryption
If multi-message secure private-key encryption exists, then single message secure private-key encryption exists.
Message-authentication code
If pseudorandom function exists, then message-authentication code exists.
Public-key encryption
If Diffie-Hellman assumption holds, and Trapdoor permutation exists, then public-key encryption exists.
Digital signature
One-time secure digital signature
Fixed-length one-time secure digital signature
If one-way function exists, then fixed-length one-time secure digital signature exists.