calofmijuck/blog
1
0
Fork 0
mirror of https://github.com/calofmijuck/blog.git synced 2025-12-06 22:53:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

[PUBLISHER] upload files #157

Browse Source 
* PUSH NOTE : 9. Public Key Encryption.md

* PUSH NOTE : 8. Number Theory.md

* PUSH NOTE : 7. Key Exchange.md

* PUSH NOTE : 6. Hash Functions.md

* PUSH NOTE : 5. CCA-Security and Authenticated Encryption.md

* PUSH NOTE : 4. Message Authentication Codes.md

* PUSH NOTE : 3. Symmetric Key Encryption.md

* PUSH NOTE : 2. PRFs, PRPs and Block Ciphers.md

* PUSH NOTE : 18. Bootstrapping & CKKS.md

* PUSH NOTE : 17. BGV Scheme.md

* PUSH NOTE : 16. The GMW Protocol.md

* PUSH NOTE : 15. Garbled Circuits.md

* PUSH NOTE : 14. Secure Multiparty Computation.md

* PUSH NOTE : 13. Sigma Protocols.md

* PUSH NOTE : 12. Zero-Knowledge Proofs (Introduction).md

* PUSH NOTE : 11. Advanced Topics.md

* PUSH NOTE : 10. Digital Signatures.md

* PUSH NOTE : 0. Introduction.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-05-introduction.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-12-prfs-prps-block-ciphers.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-19-symmetric-key-encryption.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-21-macs.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-26-cca-security-authenticated-encryption.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-28-hash-functions.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-03-key-exchange.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-05-number-theory.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-19-public-key-encryption.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-26-digital-signatures.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-10-31-advanced-topics.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-11-02-zkp-intro.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-11-07-sigma-protocols.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-11-09-secure-mpc.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-11-14-garbled-circuits.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-11-16-gmw-protocol.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-11-23-bgv-scheme.md

* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-12-08-bootstrapping-ckks.md
This commit is contained in:
Sungchan Yi
2024-11-12 20:41:08 +09:00
committed by GitHub
parent d55c927a9d
commit 68fcbab46c
18 changed files with 51 additions and 495 deletions
Download Patch File Download Diff File Expand all files Collapse all files

128
_posts/lecture-notes/modern-cryptography/2023-09-05-introduction.md Normal file
View File

@@ -0,0 +1,128 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- security
- cryptography
title: 0. Introduction
date: 2023-09-05
github_title: 2023-09-05-introduction
---
## Classical Cryptography
> The "art" of writing or solving codes - Oxford
- *Art* focusing on ensuring private communication between two parties.
- Two parties share secret information in advance. (symmetric key encryption)
## Symmetric Ciphers
Some notations first:
- $\mathcal{M}$ is the plaintext space (messages)
- $\mathcal{K}$ is the key space
- $\mathcal{C}$ is the ciphertext space
- $E: \mathcal{K} \times \mathcal{M} \rightarrow \mathcal{C}$ is the encryption algorithm (sometimes $\mathsf{Enc}_k$)
- $D:\mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M}$ is the decryption algorithm (sometimes $\mathsf{Dec}_k$)
In a **symmetric cipher**, a key $k \in \mathcal{K}$ is used both for encryption and decryption, giving the following correctness requirement.
$$\forall k \in \mathcal{K},\, \forall m \in \mathcal{M},\, D(k, E(k, m)) = m$$
### Caesar Cipher (ROT)
Let $\Sigma$ be the set of lowercase english alphabets.
- $\mathcal{M} = \mathcal{C} = \Sigma^\ast$, where $\Sigma^\ast$ is the [Kleene star](https://en.wikipedia.org/wiki/Kleene_star).
- $\mathcal{K} = \mathbb{Z}_{26}$ (Caesar used $3 \in \mathcal{K}$)
- $E(k, x) = x + k \pmod{26}$ for each letter $x$ of $m \in \mathcal{M}$.
- $D(k, y) = y - k \pmod{26}$ for each letter $y$ of $c \in \mathcal{C}$.
This scheme is not safe since we can try all $26$ keys and find the sentence that makes sense.
#### An Improved Attack Method
Guessing the key and checking the plaintext is hard to automate, since computers don't know what sentences make sense.[^1] In some cases, the message may be invalid in normal English, while the plaintext characters follow the same distribution.
Let $p_i \in [0, 1]$ be the frequency of the $i$-th letter in normal English text. Then it is known that
$$ \sum_{i=0}^{25} p_i^2 \approx 0.065$$
Now, let $q_i \in [0, 1]$ be the frequency of the $i$-th letter in the given ciphertext. For the key $k \in \mathcal{K}$, $p_i \approx q_{i+k}$ for all $i$, since the $i$-th letter is mapped to the $(i + k)$-th letter. (Addition is done modulo $26$). So for each index $j \in [0, 25]$, we compute
$$\sum_{i=0}^{25} p_i q_{i+j}$$
and choose $j$ that gives the closest value to $0.065$.
### Substitution Cipher
Let $\Sigma$ be the set of lowercase english alphabets.
- $\mathcal{M} = \mathcal{C} = \Sigma^\ast$
- $\mathcal{K}$ is the set of all permutations on $\Sigma$.
- $E(k, x) = k(x)$ for each letter $x$ of $m \in \mathcal{M}$.
- $D(k, y) = k^{-1}(y)$ for each letter $y$ of $c \in \mathcal{C}$.
Note that $\lvert \mathcal{K} \rvert = 26! \approx 10^{26.6} \approx 2^{88.4}$, so it is a bit hard to try all cases. To attack this scheme, we use **frequency analysis** on the ciphertext. The frequency of letters in the ciphertext will be similar to the actual distribution of letters in the English language.[^2] For example, if $\texttt{w}$ appears the most in the ciphertext, we can guess that this would have been an $\texttt{e}$.
Also, we could try $n$-letter frequency analysis. For $2$, $3$-letter frequency analysis, we can easily spot prepositions that are used very often, such as $\texttt{the}$. Sometimes, we can guess words from the context. If the message is a letter or an email, the message will probably start with a greeting.
### Vigenère Cipher
A stronger version of Caesar cipher, where the key is a string of length $n$.
- [Wikipedia](https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher)
We can guess the key length $n$, and perform frequency analysis on every $mn$-th letter ($m \in \mathbb{N}$) of the ciphertext. If $n$ is very large, we won't have enough letters to perform frequency analysis.
## Modern Cryptography
> **Cryptography** is the practice and study of techniques for secure communication in the presence of adversarial behavior.[^3]
- Modern cryptography developed into more of a science.
- Schemes are developed and analyzed rigorously and systematically.
- Goal is to give a rigorous proof that some scheme is secure.
- Formally define concepts and make appropriate assumptions.
- Covers much broader scope than just encryption/decryption.
- Data integrity, authentication, zero-knowledge proofs, etc.
### Principles of Modern Cryptography
#### Formal Definitions
For the proper design and analysis of cryptographic primitives, we must formally define what security is. Through a formal definition, we can understand what threats are possible and how much security is desired. Also, definitions enable us to evaluate and analyze the schemes, according to the definitions.
#### Precise Assumptions
Proofs of security are built on precise assumptions, such as the questions in computational complexity theory. For example, many proofs require that $\mathcal{P} ≠ \mathcal{NP}$. We must make such assumptions explicit and precise, so that we can validate the assumptions and compare them. This allows us to modularize the assumptions, which enables us to replace any assumptions if they turn out to be false in the future.
#### Proof of Security
We must provide rigorous proof that the scheme is indeed secure under the assumptions made. With a rigorous proof, we can be sure that some scheme is secure.
### Goals
- **Data privacy**: Messages should be read only by the sender and the receiver.
- **Data integrity**: Messages should not be modified by any adversaries.
- **Data authenticity**: Messages should really be from the sender.
## Advanced Cryptography
- Cryptography beyond encryption and signatures, that also protect the computation itself, not just data.
- Several techniques such as
- Zero-knowledge proofs
- Secure multi-party computation
- Homomorphic encryption
- Differential privacy
We need advanced cryptography since our private information is being used in return for services, such as maps, health services. These data should be protected!
[^1]: The computer can look up a dictionary to check if some English word exists. Or maybe LLMs can do the job...
[^2]: We assume that this distribution is already known.
[^3]: Rivest, Ronald L. (1990). "Cryptography". In J. Van Leeuwen (ed.). Handbook of Theoretical Computer Science. Vol. 1. Elsevier.

301
_posts/lecture-notes/modern-cryptography/2023-09-12-prfs-prps-block-ciphers.md Normal file
View File

@@ -0,0 +1,301 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 2. PRFs, PRPs and Block Ciphers
date: 2023-09-12
github_title: 2023-09-12-prfs-prps-block-ciphers
image:
path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-02-block-cipher.png
attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography
---
## Pseudorandom Functions (PRF)
> **Definition.** A **pseudorandom function** $F$ over $(\mathcal{K}, X, Y)$ is an efficiently computable algorithm $F : \mathcal{K} \times X \rightarrow Y$.
We consider a *keyed function* $F : \mathcal{K} \times X \rightarrow Y$ where $\mathcal{K}$ denotes the key space. For $k \in \mathcal{K}$, $F_k(x) := F(k, x)$ is a function from $X$ to $Y$. Thus each key $k$ induces a distribution on functions $X \rightarrow Y$.
Note that $\left\lvert \mathcal{F}[X, Y] \right\lvert = \left\lvert Y \right\lvert^{\left\lvert X \right\lvert}$, but the number of PRFs is at most $\left\lvert K \right\lvert$. In practice, $\left\lvert K \right\lvert$ is very small compared to $\left\lvert Y \right\lvert^{\left\lvert X \right\lvert}$. So PRFs are chosen from a smaller space, but they should behave in the same way a (truly) random function does.
Let $\mathcal{F}[X, Y]$ denote the set of all functions from $X$ to $Y$. A PRF $F$ would be **secure** if it is **indistinguishable from a random function in $\mathcal{F}[X, Y]$**. This notion is formalized as a security game.
> **Definition.** Let $F$ be a PRF defined over $(\mathcal{K}, X, Y)$. For an adversary $\mathcal{A}$, define two experiments 0 and 1.
>
> **Experiment $b$**.
> 1. The challenger selects $f \in \mathcal{F}[X, Y]$ as follows
> - If $b = 0$, choose $k \leftarrow \mathcal{K}$ and set $f = F_k = F(k, \cdot)$.
> - If $b = 1$, choose $f \leftarrow \mathcal{F}[X, Y]$.
> 2. The adversary sends a sequence of queries to the challenger.
> - For $i = 1, \dots, q$, send $x_i \in X$ and receive $y_i = f(x_i) \in Y$.
> 3. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
>
> Let $W_b$ be the event that $\mathcal{A}$ outputs 1 in experiment $b$. Then the **PRF-advantage** of $\mathcal{A}$ with respect to $F$ is defined as
>
> $$
> \mathrm{Adv}_{\mathrm{PRF}}^q[\mathcal{A}, F] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert.
> $$
>
> A PRF $F$ is **secure** if $\mathrm{Adv}_{\mathrm{PRF}}^q[\mathcal{A}, F]$ is negligible for any efficient $\mathcal{A}$.
In experiment $0$ above, the challenger returns $y_i = f(x_i)$. To answer the query $x_i$, the challenger would have to keep a lookup table for a random function $f \in \mathcal{F}[X, Y]$. Since $X$ and $Y$ are very large in practice, it is nearly impossible to create and manage such lookup tables.[^1] As a workaround, we can choose $y_i$ uniformly on each query $x_i$, assuming that $x_i$ wasn't queried before. This is possible since for any different inputs $x_i, x_j \in X$, $f(x_i)$ and $f(x_j)$ are random and independent.
Also, there are two ways that the adversary can query the challenger. The first method is the **adaptive** method, where the adversary queries each $x_i$ one by one. In this method, the adversary can *adaptively* choose the next query $x_{i+1}$ after receiving the result from the challenger.
The second method is querying all $x_i$ at once. We will consider the first method, since the adaptive method assumes greater attack power on the adversary.
### OTP as a PRF
As an example, consider the one-time pad function $F(k, x) = k \oplus x$. This function satisfies the definitions of PRFs, but it is not a secure PRF. Consider an adversary $\mathcal{A}$ that outputs $1$ if and only if $y_1 \oplus y_2 = x_1 \oplus x_2$. In experiment $0$, $\mathcal{A}$ will always output $1$, but in experiment $1$, $\mathcal{A}$ will output $1$ with probability $2^{-n}$. Thus the advantage is $1 - 2^{-n}$, which is not negligible.
### PRFs and PRGs
It is easy to construct PRGs from PRFs. We can simply evaluate $F$ on some distinct inputs. For example, given a seed $s$, we evaluate $F_s$ and obtain
$$
G(s) = F_s(1) \parallel F_s(2) \parallel \cdots \parallel F_s(n)
$$
for any $n \in \mathbb{N}$.[^2] In fact, we can show that $G$ is secure PRG if $F$ is a secure PRF.
> **Theorem.** If $F$ is a secure length preserving PRF, then $G$ in the above definition is a secure PRG.
*Proof*. Suppose that $\mathcal{A}$ is an efficient PRG adversary against $G$. We construct an efficient $n$-query PRF adversary $\mathcal{B}$, that queries the challenger at $1, \dots, n$ and receives $f(1), \dots, f(n)$. $\mathcal{B}$ passes $f(1) \parallel \cdots \parallel f(n)$ to $\mathcal{A}$, and $\mathcal{B}$ outputs the output of $\mathcal{A}$. Then we see that $\mathrm{Adv}_{\mathrm{PRG}}[\mathcal{A}, G] = \mathrm{Adv}_{\mathrm{PRF}}[\mathcal{B}, F]$. So if $F$ is secure, then $G$ is secure.
As for the converse, a PRG $G$ gives a PRF $F$ with small input length. If $G : \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^{n 2^m}$, we can define a PRF $F : \left\lbrace 0, 1 \right\rbrace^n \times \left\lbrace 0, 1 \right\rbrace^m \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ as follows: for a seed $s \in \left\lbrace 0, 1 \right\rbrace^n$, consider $G(s)$ as a $2^m \times n$ table and set $F(s, i)$ as the $i$-th row of $G(s)$.[^3] If $G$ is a secure PRG, then PRF $F$ is also secure.
## Pseudorandom Permutations (PRP)
> **Definition.** A **pseudorandom permutation** $E$ over $(\mathcal{K}, X)$ is an efficiently computable algorithm $E : \mathcal{K} \times X \rightarrow X$ that has an efficient inversion algorithm $D$ such that $D(k, E(k, x)) =x$.
Permutations defined on a set $X$ are bijections on $X$, so a PRP $E(k, \cdot)$ is one-to-one for all $k \in \mathcal{K}$, and also has an inverse function.
Similarly, a PRP $E$ is **secure** if it is **indistinguishable from a random permutation on $X$**. Let $\mathcal{P}[X]$ denote the set of all permutations on $X$.
> **Definition.** Let $E$ be a PRP defined over $(\mathcal{K}, X)$. For an adversary $\mathcal{A}$, define two experiments $0$ and $1$.
>
> **Experiment $b$**.
> 1. The challenger selects $f \in \mathcal{P}[X]$ as follows
> - If $b = 0$, choose $k \leftarrow \mathcal{K}$ and set $f = E_k = E(k, \cdot)$.
> - If $b = 1$, choose $f \leftarrow \mathcal{P}[X]$.
> 2. The adversary sends a sequence of queries to the challenger.
> - For $i = 1, \dots, q$, send $x_i \in X$ and receive $y_i = f(x_i) \in Y$.
> 3. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
>
> Let $W_b$ be the event that $\mathcal{A}$ outputs 1 in experiment $b$. Then the **PRP-advantage** of $\mathcal{A}$ with respect to $E$ is defined as
>
> $$
> \mathrm{Adv}_{\mathrm{PRP}}^q[\mathcal{A}, E] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert.
> $$
>
> A PRP $E$ is **secure** if $\mathrm{Adv}_{\mathrm{PRP}}^q[\mathcal{A}, E]$ is negligible for any efficient $\mathcal{A}$.
### PRF Switching Lemma
Suppose that $\left\lvert X \right\lvert$ is sufficiently large. Then for $q$ queries of any adversary $\mathcal{A}$, it is highly probable that $f(x_i)$ are all distinct, regardless of whether $f$ is a PRF or a PRP. Thus we have the following property of PRPs.
> **Lemma.** If $E: \mathcal{K} \times X \rightarrow X$ is a secure PRP and $\left\lvert X \right\lvert$ is sufficiently large, then $E$ is also a secure PRF.
>
> For any $q$-query adversary $\mathcal{A}$,
>
> $$
> \left\lvert \mathrm{Adv}_{\mathrm{PRF}}[\mathcal{A}, E] - \mathrm{Adv}_{\mathrm{PRP}}[\mathcal{A}, E] \right\lvert \leq \frac{q^2}{2\left\lvert X \right\lvert}.
> $$
This is a matter of *collisions* of $f(x_i)$, so we use the facts from the birthday problem.
*Proof*. Appendix A.4.
## Block Ciphers
A **block cipher** is actually a different name for PRPs. Since a PRP $E$ is a keyed function, applying $E(k, x)$ is in fact encryption, and applying its inverse is decryption.
![mc-02-block-cipher.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-block-cipher.png)
Block ciphers commonly have the following form.
- A key $k$ is chosen uniformly from $\left\lbrace 0, 1 \right\rbrace^s$.
- The key $k$ goes through *key expansion* and generates $k_1, \dots, k_n$. These are called **round keys**, where $n$ is the number of rounds.
- The plaintext goes through $n$ rounds, where in each round, a round function and the round key is applied to the input.
- After $n$ rounds, the ciphertext is obtained.
## Data Encryption Standard (DES)
### Brief History
- 1972: NIST calls for a block cipher standard (proposal).
- 1974: Horst Feistel (IBM) designs *Lucifer*, which evolves into DES.
- 1976: DES is standardized and widely implemented.
- 1997: DES is broken by exhaustive search.
- 2001: DES is replaced by AES.
### Feistel Network
Since block ciphers are PRPs, we have to build an invertible function. Suppose we are given **any** functions $F_1, \dots, F_d : \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$. Can we build an **invertible** function $F : \left\lbrace 0, 1 \right\rbrace^{2n} \rightarrow \left\lbrace 0, 1 \right\rbrace^{2n}$?
![mc-02-feistel-network.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-feistel-network.png)
It turns out the answer is yes. Given an $2n$-bit long input, $L_0$ and $R_0$ denote the left and right halves ($n$ bits) of the input, respectively. Define
$$
L_i = R_{i-1}, \qquad R_i = F_i(R_{i-1}) \oplus L_{i-1}
$$
for $i = 1, \dots, d$. Then we can restore $L_0$ and $R_0$ from $L_d$ and $R_d$ by applying the same operations in **reverse order**. It is easy to see that $R_{i-1}$ can be restored from $L_i$. As for $L_{i-1}$, we need a swap. Observe that
$$
F_i(L_i) \oplus R_i = F_i(R_{i-1}) \oplus (F_i(R_{i-1}) \oplus L_{i-1}) = L_{i-1}.
$$
Note that we did not require $F_i$ to be invertible. We can build invertible functions from arbitrary functions! These are called **Feistel networks**.
> **Theorem.** (Luby-Rackoff'85) If $F : K \times \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ is a secure PRF, then the $3$-round Feistel using the functions $F_i= F(k_i, \cdot)$ is a secure PRP.
In DES, the function $F_i$ is the DES round function.
![mc-02-des-round.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-des-round.png)
The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using $E$. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a permutation $P$ at the end, resulting in $32$ bit data.
### DES Algorithm
DES uses $56$ bit keys that generate $16$ rounds keys. The diagram below shows that DES has 16-round Feistel networks.
![mc-02-DES.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-DES.png)
The input goes through initial/final permutation, which are inverses of each other. These have no cryptographic significance, and just for engineering.
## Advanced Encryption Standard (AES)
DES is not secure, since key space and block length is too small. Thankfully, we have a replacement called the **advanced encryption standard** (AES).
![mc-02-aes-128.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-aes-128.png)
- DES key only had $56$ bits, so DES was broken in the 1990s
- NIST standardized AES in 2001, based on Rijndael cipher
- AES has $3$ different key lengths: $128$, $192$, $256$
- Different number of rounds for different key lengths
- $10$, $12$, $14$ rounds respectively
- Input data block is $128$ bits, so viewed as $4\times 4$ table of bytes
- This table is called the **current state**.
Each round consists of the following:
- **SubBytes**: byte substitution, 1 S-box on every byte
- **ShiftRows**: permutes bytes between groups and columns
- **MixColumns**: mix columns by using matrix multiplication in $\mathrm{GF}(2^8)$.
- **AddRoundKey**: XOR with round key
### Modules
#### SubBytes
- A simple substitution of each byte using $16 \times 16$ lookup table.
- Each byte is split into two $4$ bit *nibbles*
- Left half is used as row index
- Right half is used as column index
#### ShiftRows
- A circular bytes shift for each row, so it is a permutation
- $i$-th row is shifted $i$ times to the left. ($i = 0, 1, 2, 3$)
#### MixColumns
- For each column, each byte is replaced by a value
- The value depends on all 4 bytes of the column
- Each column is processed separately
- Thus effectively, it is a matrix multiplication (Hill cipher)
#### AddRoundKey
- XOR the input with $128$ bits of the round key
- The round key is different for each round
These 4 modules are all invertible!
## Attacks on Block Ciphers
### DES S-box
For DES, the S-box is the non-linear part. If the S-box is linear, then the entire DES cipher would be linear.
Specifically, there would be a fixed binary matrix $B _ 1 \in \mathbb{Z} _ 2^{64 \times 64}$ and $B _ 2 \in \mathbb{Z} _ 2^{64 \times (48 \times 16)}$ such that
$$
\mathrm{DES}(k, m) = B_1 m \oplus B_2 \mathbf{k}
$$
where $\mathbf{k} \in \mathbb{Z}_2^{48 \times 16}$ is a vector of round keys.
Then we can attack DES with the same idea as OTP. If $c_i = B_1 m_i \oplus B_2 \mathbf{k}$, then $c_1 \oplus c_2 = B_1 (m_1 \oplus m_2)$.
Choosing the S-boxes at random results in a insecure block cipher, with high probability.
### Strengthening Ciphers Against Exhaustive Search
For DES (and AES-128), it is known that *three pairs of plaintext, ciphertext blocks* are enough to ensure that there is a *unique* key mapping the given plaintext to the ciphertext, with high probability. We assume here that we are given plaintext, ciphertext block pairs.
If we were to find the key by brute force, DES is easy. We can strengthen the DES algorithm by using **nested ciphers**. The tradeoff here is that these are slower than the original DES.
> Define
> - (**2DES**) $2E: \mathcal{K}^2 \times \mathcal{M} \rightarrow \mathcal{M}$ as $2E((k_1, k_2), m) = E(k_1, E(k_2, m))$.
> - (**3DES**) $3E: \mathcal{K}^3 \times \mathcal{M} \rightarrow \mathcal{M}$ as $3E((k_1, k_2, k_3), m) = E(k_1, D(k_2, E(k_3, m)))$.[^4]
Then the key space has increased (exponentially). As for 2DES, the key space is now $2^{112}$, so maybe nested ciphers increase the level of security.
#### $2E$ is Insecure: Meet in the Middle
Unfortunately, 2DES is only secure as DES, with the attack strategy called **meet in the middle**. The idea is that if $c = E(k_1, E(k_2, m))$, then $D(k_1, c) = E(k_2, m)$.
![mc-02-2des-mitm.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-02-2des-mitm.png)
Since we have the plaintext and the ciphertext, we first build a table of $(k, E(k_2, m))$ over $k_2 \in \mathcal{K}$ and sort by $E(k_2, m)$. Next, we check if $D(k_1, c)$ is in the table for all $k_1 \in \mathcal{K}$.
The complexity of this attack is shown as follows:
- Space complexity: We must store $\left\lvert \mathcal{K} \right\lvert$ entries with approximately $\log \left\lvert \mathcal{M} \right\lvert$ bits. Thus we need $\left\lvert \mathcal{K} \right\lvert \log \left\lvert \mathcal{M} \right\lvert$ bits in total.
- Time complexity: We run $E$ for $\left\lvert \mathcal{K} \right\lvert$ times and sorting takes $\left\lvert \mathcal{K} \right\lvert \log \left\lvert \mathcal{K} \right\lvert$. Searching the decrypted messages will also take $\left\lvert \mathcal{K} \right\lvert \log \left\lvert \mathcal{K} \right\lvert$.[^5]
Considering DES, $\left\lvert \mathcal{K} \right\lvert = 2^{56}$ and $\left\lvert \mathcal{M} \right\lvert = 2^{64}$, the search space for the key is far less than $2^{112}$. Moreover, one would need a huge amount of memory to perform this attack, but time and space can be traded off.
3DES can be attacked in a similar manner, so the search space for the key is less than $2^{168}$, around $2^{112}$. It is currently infeasible to brute force this, so 3DES is used in practice.
The above argument can be generalized for any scheme $(E, D)$. Thus, the $2E$ construction is not secure.
#### $EX$ Construction and DESX
There is another method called the **$EX$ construction** for block cipher $(E, D)$ defined over $(\mathcal{K}, \mathcal{X})$. The $EX$ construction uses a new block cipher defined as follows. Intuitively, it can be thought of as applying OTP before and after encryption.
> Let $k_1 \in \mathcal{K}$ and $k_2, k_3 \in \mathcal{X}$.
> - Encryption: $EX\left((k_1, k_2, k_3), m\right) = E(k_1, m \oplus k_2) \oplus k_3$.
> - Decryption: $DX((k_1, k_2, k_3), c) = D(k_1, c \oplus k_3) \oplus k_2$.
Then the new cipher $(EX, DX)$ has a key space $\mathcal{K} \times \mathcal{X}^2$, which is much larger than $\mathcal{K}$. Specifically for DESX, the key length would be $56 + 2 \times 64 = 184$ bits.
As a side note, using $E(k_1, m) \oplus k_2$ or $E(k_1, m \oplus k_2)$ does not improve security, since it can be attacked with meet in the middle method. Similarly, DESX also has $184$ bit key space, but actual search space is about $56 + 64 = 120$ bits.
### Attacks on AES
The best known attack on AES is almost a brute force attack.
- AES-128 requires $2^{126.1}$ evaluations of AES.[^6]
- AES-192 requires $2^{189.74}$ evaluations of AES.
- AES-256 requires $2^{254.42}$ evaluations of AES.
These are about $4$ times better than exhaustive search, so they have little impact on the security of AES.
There are also attacks with quantum computers, which uses an algorithm that can recover the key in time $\mathcal{O}(\sqrt{\left\lvert \mathcal{K} \right\lvert})$.[^7] We might need to use AES-256 when quantum computers are widely used.
[^1]: The size of the lookup table is at least $\left\lvert X \right\lvert \log \left\lvert Y \right\lvert$ bits. The table should have at least $\left\lvert X \right\lvert$ rows, and each row must contain $\log \left\lvert Y \right\lvert$ bits of information.
[^2]: This method is even *parallelizable*!
[^3]: Note that $m$ has to be $\mathcal{O}(\log n)$ for $F$ to be efficient.
[^4]: We could also encrypt $3$ times.
[^5]: The running times of $E$ and $D$ were not considered here.
[^6]: A. Bogdanov, D. Khovratovich, and C. Rechberger. Biclique cryptanalysis of the full AES. In ASIACRYPT 2011, pages 344371. 2011.
[^7]: L. K. Grover. A fast quantum mechanical algorithm for database search. In Proceedings of the twenty-eighth annual ACM symposium on Theory of computing, pages 212219. ACM, 1996.

245
_posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryption.md Normal file
View File

@@ -0,0 +1,245 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 3. Symmetric Key Encryption
date: 2023-09-19
github_title: 2023-09-19-symmetric-key-encryption
---
## CPA Security
Secret keys are hard to manage and it would be efficient if we could use the same key multiple times. So we need a stronger notion of security, that the adversary is given several ciphertexts under the same key but the scheme is still secure.
We strengthen the adversary's power, and assume that the adversary can obtain encryptions of any plaintext. This attack model is called **chosen plaintext attack** (CPA).
This notion can be formalized as a security game. The difference here is that we must guarantee security for multiple encryptions.
> **Definition.** For a given cipher $\mathcal{E} = (E, D)$ defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$ and given an adversary $\mathcal{A}$, define experiments 0 and 1.
>
> **Experiment $b$.**
> 1. The challenger fixes a key $k \leftarrow \mathcal{K}$.
> 2. The adversary submits a sequence of queries to the challenger:
> - The $i$-th query is a pair of messages $m_{i, 0}, m_{i, 1} \in \mathcal{M}$ of the same length.
> 3. The challenger computes $c_i = E(k, m_{i, b})$ and sends $c_i$ to the adversary.
> 4. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
>
> Let $W_b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the **CPA advantage with respect to $\mathcal{E}$** is defined as
>
> $$
> \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{A}, \mathcal{E}] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert
> $$
>
> If the CPA advantage is negligible for all efficient adversaries $\mathcal{A}$, then the cipher $\mathcal{E}$ is **semantically secure against chosen plaintext attack**, or simply **CPA secure**.
The above security game is indeed a *chosen* plaintext attack since if the attacker sends two identical messages $(m, m)$ as a query, it can surely obtain an encryption of $m$.
The assumption that the adversary can choose any message of its choice may seem too strong, but there are cases in the real world. Also, cryptographers use strong models to show proof of security even for strong attackers.
### Deterministic Cipher is not CPA Secure
Suppose that $E$ is deterministic. Then we can construct an adversary that breaks CPA security. For example, the adversary can send $(m_0, m_1)$ and $(m_0, m_2)$. Then if $b = 0$, the received ciphertext would be same, so the adversary can output $0$ and win the CPA security game.
Therefore, for *indistinguishability under chosen plaintext attack* (IND-CPA), encryption must produce different outputs even for the same plaintext.
Another corollary is that PRPs are deterministic, so PRPs are not CPA secure.
## Nonce-based Encryption
Since deterministic cipher is not CPA secure, we need non-deterministic encryption. There are two ways to construct such encryptions.
In **probabilistic** (randomized) encryption, encrypting the same message twice gives difference ciphertexts with high probability.
The second method is **stateful** encryption, where both algorithms $E$ and $D$ maintain some state that changes with each invocation of the algorithm. A typical example of stateful encryption is **nonce-based encryption**.
A **nonce** is a value that changes from message to message, such as a counter or a random value. Both encryption and decryption algorithm take the nonce as an additional input, so that the resulting ciphertext will be different for the same plaintext. Thus, it is natural that we require all nonces to be *distinct*.
The syntax for nonce-based encryption is $c = E(k, m, n)$ where $n \in \mathcal{N}$ is the nonce, and the algorithm $E$ is required to be deterministic. Similarly, nonce-based decryption becomes $m = D(k, c, n)$. The nonce that was used to encrypt $m$ should be used for decrypting $c$.
We also formalize security for nonce-based encryption. It is basically the same as CPA security definition. The difference is that the adversary chooses a nonce for each query, with the constraint that they should be unique for every query.
> **Definition.** For a given **nonce-based** cipher $\mathcal{E} = (E, D)$ defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C}, \mathcal{N})$ and given an adversary $\mathcal{A}$, define experiments 0 and 1.
>
> **Experiment $b$**.
> 1. The challenger fixes a key $k \leftarrow \mathcal{K}$.
> 2. The adversary submits a sequence of queries to the challenger.
> - The $i$-th query is a pair of messages $m_{i, 0}, m_{i, 1} \in \mathcal{M}$ of the same length, and a nonce $n_i \in \mathcal{N} \setminus \left\lbrace n_1, \dots, n_{i-1} \right\rbrace$.
> - Nonces should be unique.
> 3. The challenger computes $c_i = E(k, m_{i, b}, n_i)$ and sends $c_i$ to the adversary.
> 4. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
>
> Let $W_b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the **CPA advantage with respect to $\mathcal{E}$** is defined as
>
> $$
> \mathrm{Adv}_{\mathrm{nCPA}}[\mathcal{A}, \mathcal{E}] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert
> $$
>
> If the CPA advantage is negligible for all efficient adversaries $\mathcal{A}$, then the nonce-based cipher $\mathcal{E}$ is **semantically secure against chosen plaintext attack**, or simply **CPA secure**.
### Secure Construction from PRF
Suppose we want to construct a secure encryption scheme from a pseudorandom function. A simple approach would be to use $E(k, m) = F(k, m)$, but this would result in deterministic encryption, which is not CPA-secure.
Therefore, we need randomized encryption. We achieve randomness by drawing a random value $r \leftarrow \left\lbrace 0, 1 \right\rbrace^n$ and evaluate $F(k, r)$ and then XOR it with the plaintext.
Here is the construction in detail.
> Let $F : \mathcal{K} \times \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ be a PRF.
> - Encryption $E : \mathcal{K} \times \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^{2n}$
> - Sample $r \leftarrow \left\lbrace 0, 1 \right\rbrace^n$ and return $c = (r, F(k, r) \oplus m)$.
> - Decryption $D : \mathcal{K} \times \left\lbrace 0, 1 \right\rbrace^{2n} \rightarrow \left\lbrace 0, 1 \right\rbrace^n$
> - Extract $(r, s)$ from $c$ and output $m = F(k, r) \oplus s$.
A few notes:
- Since we have randomized encryption,
- $E$ is a one-to-many function.
- $D$ is a many-to-one function.
- The above construction maps $n$ bit messages to $2n$ bit messages.
- The ciphertext is $2$ times longer than the plaintext.
- We call this the **expansion ratio**.
- If the value $F(k, r)$ is duplicated in the above construction, then this scheme is insecure, just like in the one-time pad.
- Thus the probability of duplication must be negligible.
Since the duplication probability is negligible, we have the following theorem.
> **Theorem.** Let $F$ be a secure PRF. Then $(E, D)$ in the above construction is CPA-secure.
*Proof*. Check the proof of Theorem 3.29.[^1]
#### Notes on the Proof
There is a common proof template for constructions based on PRFs.
1. Consider a hypothetical version of the construction, where the PRF is replaced by a truly random function.
2. Argue that the adversary learns almost nothing. i.e, replacing with a random function only has a negligible effect on the adversary.
3. Now that we have a random function, the remaining argument proceeds with probabilistic analysis, etc.
## Modes of Operation
We learned how to encrypt a single block. How do we encrypt longer messages with a block cipher $E : \left\lbrace 0, 1 \right\rbrace^s \times \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$?
There are many ways of processing multiple blocks, this is called the **mode of operation**.
Additional explanation available in [Modes of Operations (Internet Security)](../../Lecture%20Notes/Internet%20Security/2023-09-18-symmetric-key-cryptography-2.md#modes-of-operations).
### Electronic Codebook Mode (ECB)
![is-03-ecb-encryption.png](../../../assets/img/posts/is-03-ecb-encryption.png)
- ECB mode encrypts each block with the same key.
- Blocks are independent of each other.
- ECB is deterministic, so not CPA-secure.
### Ciphertext Block Chain Mode (CBC)
![is-03-cbc-encryption.png](../../../assets/img/posts/is-03-cbc-encryption.png)
Let $X = \left\lbrace 0, 1 \right\rbrace^n$ and $E : \mathcal{K} \times X \rightarrow X$ be a **PRP**.
- In CBC mode, a random **initial vector** (IV) is chosen and outputs the ciphertext.
- Expansion ratio is $\frac{n+1}{n}$ where $n$ is the number of blocks.
- If the message size is not a multiple of the block size, we need **padding**.
There is a security proof for CBC mode.
> **Theorem.** Let $E : \mathcal{K} \times X \rightarrow X$ be a secure PRP. Then CBC mode encryption $E : \mathcal{K} \times X^L \rightarrow X^{L+1}$ is CPA-secure for any $L > 0$.
>
> For any $q$-query adversary $\mathcal{A}$, there exists a PRP adversary $\mathcal{B}$ such that
>
> $$
> \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{A}, E] \leq 2 \cdot \mathrm{Adv}_{\mathrm{PRP}}[\mathcal{B}, E] + \frac{2q^2L^2}{\left\lvert X \right\lvert}.
> $$
*Proof*. See Theorem 5.4.[^2]
From the above theorem, note that CBC is only secure as long as $q^2L^2 \ll \left\lvert X \right\lvert$.
Also, CBC mode is not secure if the adversary can predict the IV of the next message. Proceed as follows:
> 1. Query the challenger for an encryption of $m_0$ and $m_1$.
> 2. Receive $\mathrm{IV}_0, E(k, \mathrm{IV}_0 \oplus m_0)$ and $\mathrm{IV}_1, E(k, \mathrm{IV}_1 \oplus m_1)$.
> 3. Predict the next IV as $\mathrm{IV}_2$, and set the new query pair as
>
> $$
> m_0' = \mathrm{IV}_2 \oplus \mathrm{IV}_0 \oplus m_0, \quad m_1' = \mathrm{IV}_2 \oplus \mathrm{IV}_1 \oplus m_1
> $$
>
> and send it to the challenger.
> 4. In experiment $b$, the adversary will receive $E(k, \mathrm{IV}_b \oplus m_b)$. Compare this with the result of the query from (2). The adversary wins with advantage $1$.
(More on this to be added)
#### Nonce-based CBC Mode
We can also use a **unique** nonce to generate the IV. Specifically,
$$
\mathrm{IV} = E(k_1, n)
$$
where $k_1$ is the new key and $n$ is a nonce. The ciphertext starts with $n$ instead of the $\mathrm{IV}$.
Note that if $k_1$ is the same as the key used for encrypting messages, then this scheme is insecure. See Exercise 5.14.[^2]
### Counter Mode (CTR)
![is-03-ctr-encryption.png](../../../assets/img/posts/is-03-ctr-encryption.png)
Let $F : \mathcal{K} \times X \rightarrow X$ be a secure **PRF**.
- CTR mode also chooses a random IV and increments the IV for every encrypted block.
- IVs should not be reused.
- CTR mode is parallelizable, so it is very efficient.
- If a part of the message changes, only that part has to be recalculated.
There is also a security proof for CTR mode.
> **Theorem.** If $F : \mathcal{K} \times X \rightarrow X$ is a secure PRF, then CTR mode encryption $E : \mathcal{K} \times X^L \rightarrow X^{L+1}$ is CPA-secure.
>
> For any $q$-query adversary $\mathcal{A}$ against $E$, there exists a PRF adversary $\mathcal{B}$ such that
>
> $$
> \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{A}, E] \leq 2\cdot\mathrm{Adv}_{\mathrm{PRF}}[\mathcal{B}, F] + \frac{4q^2L}{\left\lvert X \right\lvert}.
> $$
*Proof.* Refer to Theorem 5.3.[^2]
From the above theorem, we see that CTR mode is only secure for $q^2L \ll \left\lvert X \right\lvert$. This is a better bound than CBC.
#### Nonce-based CTR Mode
We can also use a nonce and a counter to generate the IV. Since it is important to keep IVs distinct, set
$$
\mathrm{IV} = (n, ctr) \in \left\lbrace 0, 1 \right\rbrace^{64} \times \left\lbrace 0, 1 \right\rbrace^{64}
$$
where $ctr$ starts at $0$ for every message and $n \in \mathcal{N}$ is chosen randomly as a nonce.
### Comparison of CTR and CBC
CTR is a lot better in general, but CBC is widely implemented.
|-|CBC|CTR|
|:-:|:-:|:-:|
|Primitive|PRP|PRF|
|Parallelizable|No|Yes|
|Security|$q^2L^2 \ll \left\lvert X \right\lvert$|$q^2L \ll \left\lvert X \right\lvert$|
|Dummy Padding|Yes|No|
|1-byte Message|$16 \times$ expansion|No expansion|
- PRP is a PRF, so PRF is a weaker condition.
- The difference of $q^2L^2$ and $q^2L$ comes from the probability that consecutive IVs overlap, and also the birthday paradox.
- CBC needs dummy padding block, but this can be avoided using *ciphertext stealing*. (See Exercise 5.16.[^2])
- CTR mode does not require padding by construction.
[^1]: Introduction to Modern Cryptography
[^2]: A Graduate Course in Applied Cryptography

271
_posts/lecture-notes/modern-cryptography/2023-09-21-macs.md Normal file
View File

@@ -0,0 +1,271 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 4. Message Authentication Codes
date: 2023-09-21
github_title: 2023-09-21-macs
image:
path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-04-mac-security.png
attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography
---
Message authentication codes (MAC) were designed to provide message integrity. Bob receives a message from Alice and wants to know if this message was not modified during transmission. For MACs, the message itself does not have to be secret. For example, when we download a file the file itself does not have to be protected, but we need a way to verify that the file was not modified.
Note that MAC is different from error correcting codes (ECC). ECC fixes accidental errors. For example, the Ethernet protocol uses CRC32, which is *keyless*. Keyless integrity mechanisms are designed to detect and fix random transmission errors, and the adversary can easily modify the data since there is no key and the algorithm is publicly known.
On the other hand, MAC fixes data that is tampered in purpose. We will also require a key so that the adversary cannot easily modify the message. We assume that the secret key is shared between two parties, in advance.
## Message Authentication Code
![mc-04-mac.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-mac.png)
> **Definition.** A **MAC** system $\Pi = (S, V)$ defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$ is a pair of efficient algorithms $S$ and $V$ where $S$ is a **signing algorithm** and $V$ is a **verification algorithm**.
>
> - $S : \mathcal{K} \times \mathcal{M} \rightarrow \mathcal{T}$ is a probabilistic algorithm that outputs $t \leftarrow S(k, m)$ for some key $k \in \mathcal{K}$ and message $m \in \mathcal{M}$. The output $t$ is called a **tag**, and $\mathcal{T}$ is the tag space.
> - $V: \mathcal{K} \times \mathcal{M} \times \mathcal{T} \rightarrow \left\lbrace 0, 1 \right\rbrace$ is a deterministic algorithm that computes $V(k, m, t)$ and outputs $1$ ($\texttt{accept}$) or $0$ ($\texttt{reject}$) .
> - It is required that $V(k, m, S(k, m)) = 1$.
When $V$ accepts $(m, t)$, then $t$ is called a **valid tag**. Since $(m, t)$ is the transmitted data, we want $t$ to be short as possible.
### Canonical Verification
$V$ can be replaced with an invocation of $S$ if *$S$ is deterministic*. The receiver can recompute the tag and check equality.
$$
V(k, m, t) = 1 \iff t = S(k, m)
$$
This is called **canonical verification**. All real-world MACs use canonical verification.
## Secure MAC: Unforgeability
In the security definition of MACs, we allow the attacker to request tags for arbitrary messages of its choice, called **chosen-message attacks**. This assumption will allow the attacker to collect a bunch of valid $(m, t)$ pairs. In this setting, we require the attacker to forge a **new** valid message-tag pair, which is different from what the attacker has. Also, it is not required that the forged message $m$ have any meaning. This is called **existential forgery**. A MAC system is secure if an existential forgery is almost impossible. Note that we are giving the adversary much power in the definition, to be conservative.
- Attacker is given $t_i \leftarrow S(k, m_i)$ for $m_1, \dots, m_q$ of his choice.
- Attacker has a *signing oracle*.
- Attacker's goal is **existential forgery**.
- **MAC**: generate a *new* valid message-tag pair $(m, t)$ such that $V(k, m, t) = 1$ and $m \notin \left\lbrace m_1, \dots, m_q \right\rbrace$.
- **Strong MAC**: generate a *new* valid message-tag pair $(m, t)$ $V(k, m, t) = 1$ and $(m, t) \notin \left\lbrace (m_1, t_1), \dots, (m_q, t_q) \right\rbrace$.
For strong MACs, the attacker only has to change the tag for the attack to succeed.
![mc-04-mac-security.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-mac-security.png)
> **Definition.** Let $\Pi = (S, V)$ be a MAC system defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
>
> 1. The challenger picks a random $k \leftarrow \mathcal{K}$.
> 2. $\mathcal{A}$ queries the challenger $q$ times.
> - The $i$-th signing query is a message $m_i$, and receives $t_i \leftarrow S(k, m_i)$.
> 3. $\mathcal{A}$ outputs a new forged pair $(m, t)$ that is not among the queried pairs.
> - $m \notin \left\lbrace m_1, \dots,m_q \right\rbrace$
> - $(m, t) \notin \left\lbrace (m_1, t_1), \dots, (m_q, t_q) \right\rbrace$ (for strong MAC)
>
> $\mathcal{A}$ wins if $(m, t)$ is a valid pair under $k$. Let this event be $W$. The **MAC advantage** with respect to $\Pi$ is defined as
>
> $$
> \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{A}, \Pi] = \Pr[W]
> $$
>
> and a MAC $\Pi$ is secure if the advantage is negligible for any efficient $\mathcal{A}$. In this case, we say that $\Pi$ is **existentially unforgeable under a chosen message attack**.
If a MAC is secure, the attacker learns almost nothing from the $q$ queries. i.e, the tags for the previous $q$ messages gives no useful information for producing a tag for some other message $m$, even in cases where messages are almost identical.
### MAC Security with Verification Queries
The above definition can be modified to include **verification queries**, where the adversary $\mathcal{A}$ queries $(m_j, t_j) \in \mathcal{M} \times \mathcal{T}$ and the challenger responds with $V(k, m_j, t_j)$. $\mathcal{A}$ wins if any verification query is returned with $1$ ($\texttt{accept}$).
It can be shown that for **strong MACs**, these two definitions are equivalent. See Theorem 6.1.[^1] For (just) MACs, these are not equivalent. See Exercise 6.7.[^1]
Since these two definition are equivalent, security proofs are easier when we use the definition without verification queries.
## Notes on the Security Definition
### Replay Attacks
The definition requires that the adversary generate a **new** message-tag pair. In the real world, there are **replay attacks** that send the same message multiple times. For example, intercepting a bank transaction message and sending it several times can be critical. Replay attacks should be handled differently, by using sequence numbers in messages or by appending a timestamp.
### Secure MAC with Canonical Verification
**A secure MAC with canonical verification is strongly secure**, since $S$ is deterministic, so for every message $m \in \mathcal{M}$, there is a *unique* tag $t \in \mathcal{T}$. Thus it is impossible to only modify the tag.
## MAC Constructions from PRFs
Block ciphers were actually PRPs, but we have a large message space, so by the **PRF switching lemma**, we can use block ciphers as PRFs and construct other systems!
> Let $F : \mathcal{K} \times X \rightarrow Y$ be a PRF. Define a MAC scheme $\Pi = (S, V)$ over $(\mathcal{K}, X, Y)$ as
> - $S(k, m) = F(k, m)$
> - $V(k, m, t) = 1$ if $t = F(k, m)$ and $0$ otherwise.
This MAC is **derived from $F$**, and is deterministic. This scheme is secure as long as $\left\lvert Y \right\lvert$ is sufficiently large. This is necessary since if $\left\lvert Y \right\lvert$ is small, then an adversary can randomly guess the tag with non-negligible probability.
> **Theorem.** Let $F : \mathcal{K} \times X \rightarrow Y$ be a secure PRF. If $\left\lvert Y \right\lvert$ is sufficiently large, then $\Pi$ is a secure MAC.
>
> For every efficient MAC adversary $\mathcal{A}$ against $\Pi$, there exists an efficient PRF adversary $\mathcal{B}$ such that
>
> $$
> \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{A}, \Pi] \leq \mathrm{Adv}_{\mathrm{PRF}}[\mathcal{B}, F] + \frac{1}{\left\lvert Y \right\lvert}.
> $$
*Proof*. See Theorem 6.2.[^1]
The above construction uses a PRF, so it is restricted to messages of fixed size. We also need a MAC for longer messages.
## MAC Constructions for Fixed Length Messages
### CBC-MAC
![mc-04-cbc-mac.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-cbc-mac.png)
> **Definition.** For any message $m = (m_0, m_1, \dots, m_{l-1}) \in \left\lbrace 0, 1 \right\rbrace^{nl}$, let $F_k := F(k, \cdot)$.
>
> $$
> S_\mathrm{CBC}(m) = F_k(F_k(\cdots F_k(F_k(m_0) \oplus m_1) \oplus \cdots) \oplus m_{l-1}).
> $$
$S_\mathrm{CBC}$ is similar to CBC mode encryption, but there is no intermediate output, and the IV is fixed as $0^n$.
> **Theorem.** If $F : \mathcal{K} \times \left\lbrace 0, 1 \right\rbrace^n \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ is a secure PRF, then **for a fixed $l$**, CBC-MAC is secure for messages $\mathcal{M} = \left\lbrace 0, 1 \right\rbrace^{nl}$.
The following modifications show some of the ways that CBC-MAC could become insecure.
#### Using Shorter Messages is Insecure (Extension Attack)
For any messages *shorter than* $nl$, CBC-MAC is not secure. So the length of the messages should be fixed in advance by the sender and the receiver.
To see this, consider the following **extension attack**.
1. Pick an arbitrary $m_0 \in \left\lbrace 0, 1 \right\rbrace^n$.
2. Request the tag $t = F(k, m_0)$.
3. Set $m_1 = t \oplus m_0$ and output $(m_0, m_1) \in \left\lbrace 0, 1 \right\rbrace^{2n}$ and $t$ as the tag.
Then the verification works since
$$
S_\mathrm{CBC}(k, (m_0, t\oplus m_0)) = F(k, F(k, m_0) \oplus (t \oplus m_0)) = F(k, m_0) = t.
$$
#### Random IV is Insecure
If we use random IV instead of $0^n$, CBC-MAC is insecure. Suppose a random IV was chosen from $\left\lbrace 0, 1 \right\rbrace^n$ and the final output was $(\mathrm{IV}, t)$. Then the following attack is possible.
1. Pick an arbitrary $m \in \left\lbrace 0, 1 \right\rbrace^n$.
2. Request the tag $(\mathrm{IV}, t)$. ($t = F(k, m)$)
3. Send $m' = \mathrm{IV} \oplus m$ and tag $(\mathrm{IV}, t)$.
Then the verification works since
$$
S_\mathrm{CBC}(k, \mathrm{IV} \oplus m) = F(k, (\mathrm{IV} \oplus m) \oplus \mathrm{IV}) = F(k, m) = t.
$$
#### Disclosing Intermediate Values is Insecure
If CBC-MAC outputs all intermediate values of $F(k, \cdot)$, then CBC-MAC is insecure. Consider the following attack.
1. Pick an arbitrary $(m_0, m_1) \in \left\lbrace 0, 1 \right\rbrace^{2n}$.
2. Request the computed values $(t_0, t)$, where $t_0 = F(k, m_0)$ and $t = F(k, m_1 \oplus t_0)$.
3. Send $(m_0, m_0 \oplus t_0) \in \left\lbrace 0, 1 \right\rbrace^{2n}$ and tag $t_0$.
Then the verification works since
$$
S_\mathrm{CBC}(k, (m_0, m_0 \oplus t_0)) = F(k, F(k, m_0) \oplus (m_0 \oplus t_0)) = F(k, m_0) = t_0.
$$
The lesson is that *cryptographic constructions should be implemented exactly as it was specified, without any unproven variations*.
## CBC-MAC for Messages of Arbitrary Length
We can extend CBC-MAC for arbitrary length messages. First, assume that all messages have lengths divisible by $n$.
### Length Prepending
We can prepend the length of message $\left\lvert m \right\lvert$, encoded as an $n$-bit string. The computation of CBC-MAC is the same. It can be shown that this MAC scheme is secure.
However, this cannot be used if the length of the message is not known in advance. Also, only *prepending* works since *appending* the length is not secure. See Exercise 6.8.[^1]
> **Proposition.** Appending the length of the message in CBC-MAC is insecure.
*Proof*. Let $n$ be the length of a block. Query $m_1, m_2, m_1 \parallel n \parallel m_3$ and receive $3$ tags, $t_1 = E_k(E_k(m_1) \oplus n)$, $t_2 = E_k(E_k(m_2) \oplus n)$, $t_3 = E_k(E_k(t_1 \oplus m_3) \oplus 3n)$.
Now forge a message-tag pair $(m_2 \parallel n \parallel (m_3 \oplus t_1 \oplus t_2), t_3)$. Then the tag is
$$
E_k(E_k(\overbrace{E_k(E_k(m_2) \oplus n)}^{t_2} \oplus m_3 \oplus t_1 \oplus t_2) \oplus 3n) = E_k(E_k(t_1 \oplus m_3) \oplus 3n)
$$
which equals $t_3$. Note that the same logic works if the length is *anywhere* in the message, except for the beginning.
### Encrypt Last Block (ECBC-MAC)
Since CBC-MAC is vulnerable to extension attacks, we encrypt the last block again. Choose a second key $k' \in \mathcal{K}$ to encrypt the tag, so $t' = F(k', t)$. This method is called **encrypt-last-block CBC-MAC** (ECBC-MAC).
ECBC-MAC doesn't require us to know the message length in advance, but it is relatively expensive in practice, since a block cipher has to be initialized with a new key.
![mc-04-ecbc-mac.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-04-ecbc-mac.png)
> **Theorem.** Let $F : \mathcal{K} \times X \rightarrow X$ be a secure PRF. Then for any $l \geq 0$, $F_\mathrm{ECBC} : \mathcal{K}^2 \times X^{\leq l} \rightarrow X$ is a secure PRF.
>
> For any efficient $q$-query PRF adversary $\mathcal{A}$ against $F_\mathrm{ECBC}$, there exists an efficient PRF adversary $\mathcal{B}$ such that
>
> $$
> \mathrm{Adv}_{\mathrm{PRF}}[\mathcal{A}, F_\mathrm{ECBC}] \leq \mathrm{Adv}_{\mathrm{PRF}}[\mathcal{B}, F] + \frac{2q^2l^2}{\left\lvert X \right\lvert}.
> $$
>
> [^2]
Thus ECBC-MAC is secure as long as $ql \ll \sqrt{\left\lvert X \right\lvert}$.
#### Extendable PRF
> **Definition.** Let $PF$ be a PRF defined over $(\mathcal{K}, X^{\leq l}, Y)$. $PF$ is **extendable** if for all $k \in \mathcal{K}$, $x, y \in X^{\leq l}$ and $a \in X$,
>
> $$
> PF(k, x) = PF(k, y) \implies PF(k, x \parallel a) = PF(k, y \parallel a).
> $$
It is easy to see that (E)CBC is an extendable PRF.
#### Attacking ECBC with $\sqrt{\left\lvert X \right\lvert}$ Messages
1. Make $q = \sqrt{\left\lvert X \right\lvert}$ queries using random messages $m_i \in X$ and obtain $t_i = F_\mathrm{ECBC}(k, m_i)$.
2. With a high probability, there is a collision $t_i = t_j$ for $i \neq j$.
3. Query for $m_i \parallel m$ and receive the tag $t$.
4. Return a forged pair $(m_j \parallel m, t)$.
This works because ECBC is an extendable PRF. $t$ also works as a valid tag for $m_j \parallel m$.
So ECBC becomes insecure after signing $\sqrt{\left\lvert X \right\lvert}$ messages.
### Bit-wise PRF Using Block-wise PRF
Now we construct a bitwise PRF, that enables us to sign messages of arbitrary length. We pad the messages so that they can be signed block-wise.
Specifically, pad with $1000\dots0$. If the message length is already a multiple of $n$, then add a dummy block and pad with $1000\dots0$. It is easy to see that this padding is injective, so using this padding gives us a secure PRF for bit-wise operations.
### Other Constructions
- CMAC (OMAC)
- Simplified version of ECBC-MAC
- Uses only one key
- NIST standard
- **Parallelizable MAC** (PMAC)
- Uses two keys.
- Better than ECBC, since it is parallelizable.
- Each message block is XORed with a easy-to-compute function, then it is encrypted.
- All encrypted blocks are XORed, and finally encrypted again.
- PMAC is incremental: the tag can be easily updated when a message block changes.
- Hash-MAC (HMAC)
[^1]: A Graduate Course in Applied Cryptography
[^2]: Need to check if this is correct. Check Theorem 6.6.[^1]

208
_posts/lecture-notes/modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md Normal file
View File

@@ -0,0 +1,208 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 5. CCA-Security and Authenticated Encryption
date: 2023-09-26
github_title: 2023-09-26-cca-security-authenticated-encryption
image:
path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-05-ci.png
attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography
---
Previously, we focused on semantic security against **passive adversaries**, that only eavesdrop on the ciphertext. But in the real world, there are **active adversaries** that interfere with the communication, or even modify them.
We need to develop security notions for these cases. For example, suppose a sender encrypts a message $m$ and sends $c$. The attacker can read $c$ and generate another ciphertext $c'$, which will be decrypted by the receiver. If the decrypted message does not match $m$, this is a violation of message integrity.
Also, there are cases where some information about $m$ is leaked when the attacker learns about $m'$, from the behavior of the receiver. Such an attack exists in the real world called *padding oracle attacks*, where the attacker can completely recover the original message of any ciphertext just from the behavior of the server.
## CCA Security
Now we define a stronger notion of security against **chosen ciphertext attacks**, where the adversary can also obtain the decryption of any ciphertext it wants. As always, the notion is formalized as a security game.
> **Definition.** Let $\mathcal{E} = (E, D)$ be a cipher over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. Given an adversary $\mathcal{A}$, define experiments $0$ and $1$.
>
> **Experiment $b$.**
> 1. The challenger fixes a key $k \leftarrow \mathcal{K}$.
> 2. $\mathcal{A}$ makes a series of queries to the challenger, which is one of the following two types.
> - *Encryption*: Send $m_i$ and receive $c'_i = E(k, m_i)$.
> - *Decryption*: Send $c_i$ and receive $m'_i = D(k, c_i)$.
> - Note that $\mathcal{A}$ is not allowed to make a decryption query for any $c_i'$.
> 3. $\mathcal{A}$ outputs a pair of messages $(m_0^ * , m_1^*)$.
> 4. The challenger generates $c^* \leftarrow E(k, m_b^*)$ and gives it to $\mathcal{A}$.
> 5. $\mathcal{A}$ is allowed to keep making queries, but not allowed to make a decryption query for $c^*$.
> 6. The adversary computes and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
>
> Let $W_b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. Then the **CCA advantage with respect to $\mathcal{E}$** is defined as
>
> $$
> \mathrm{Adv}_{\mathrm{CCA}}[\mathcal{A}, \mathcal{E}] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert.
> $$
>
> If the CCA advantage is negligible for all efficient adversaries $\mathcal{A}$, then $\mathcal{E}$ is **semantically secure against a chosen ciphertext attack**, or simply **CCA secure**.
### CCA is a Strong Notion
None of the encryption schemes already seen thus far is CCA secure.
Recall a [CPA secure construction from PRF](./2023-09-19-symmetric-key-encryption.md#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$.
In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure.
We need a way to prevent manipulation of ciphertexts and provide ciphertext integrity.
### Example: Modifying Data Encrypted in CBC Mode
Suppose that there is a proxy server in the middle, that forwards the message to some destination included in the message. The messages begin with $\texttt{dest = N}$ where $\texttt{N}$ is the destination port.
An adversary at destination 25 wants to receive the message sent to destination $80$. This can be done by modifying the destination to $\texttt{25}$.
Suppose we used CBC mode encryption. Then the first block of the ciphertext would contain the IV, the next block would contain $E(k, \mathrm{IV} \oplus m_0)$.
The adversary can generate a new ciphertext $c'$ without knowing the actual key. Set the new IV as $\mathrm{IV}' =\mathrm{IV} \oplus m^ *$ where $m^ *$ contains a payload that can change $\texttt{80}$ to $\texttt{25}$. (This can be calculated)
Then the decryption works as normal,
$$
D(k, c_0) \oplus \mathrm{IV}' = (m_0 \oplus \mathrm{IV}) \oplus \mathrm{IV}' = m_0 \oplus m^*.
$$
The destination of the original message has been changed, even though the adversary had no information of the key.
## Ciphertext Integrity (CI)
The attacker shouldn't be able to create a new ciphertext that decrypts properly.
In this case, we fix the decryption algorithm so that $D : \mathcal{K} \times \mathcal{C} \rightarrow \mathcal{M} \cup \left\lbrace \bot \right\rbrace$, where $\bot$ means that the ciphertext was rejected.
![mc-05-ci.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-05-ci.png)
> **Definition.** Let $\mathcal{E} = (E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. Given an adversary $\mathcal{A}$, the security game goes as follows.
>
> 1. The challenger picks a random $k \leftarrow \mathcal{K}$.
> 2. $\mathcal{A}$ queries the challenger $q$ times.
> - The $i$-th query is a message $m_i$, and receives $c_i \leftarrow E(k, m_i)$.
> 3. $\mathcal{A}$ outputs a candidate ciphertext $c \in \mathcal{C}$ that is not among the ciphertexts it was given by querying.
>
> $\mathcal{A}$ wins if $c$ is a valid ciphertext under $k$. i.e, $D(k, c) \neq \bot$.
>
> The **CI advantage** with respect to $\mathcal{E}$ $\mathrm{Adv}_{\mathrm{CI}}[\mathcal{A}, \mathcal{E}]$ is defined as the probability that $\mathcal{A}$ wins the game. If the advantage is negligible for any efficient $\mathcal{A}$, we say that $\mathcal{E}$ provides **ciphertext integrity**. (CI)
If a scheme provides ciphertext integrity, then it will almost surely receive $\bot$ for some randomly generated ciphertext, and also for a valid ciphertext that was changed a little bit.
Previously seen schemes also do not provide ciphertext integrity.
As a bad example, randomized CBC mode does not provide ciphertext integrity, since decryption never outputs $\bot$.
## Authenticated Encryption (AE)
The goal of this definition is to provide *privacy* and *integrity* from a single primitive.
> **Definition.** A cipher $\mathcal{E} = (E, D)$ provides **authenticated encryption**, or is **AE-secure** if it is CPA secure and provides ciphertext integrity.
Thus, if we use a cipher that is AE secure, the adversary cannot distinguish encryption of real messages from encryption of random messages. Also, ciphertexts cannot be forged, so ciphertexts not encrypted by he sender will not be accepted.
However, AE secure schemes are vulnerable to replay attacks. These attacks should be handled in a different way.
### AE Implies CCA Security
This theorem enables us to use AE secure schemes as a CCA secure scheme.
> **Theorem.** Let $\mathcal{E} = (E, D)$ be a cipher. If $\mathcal{E}$ is AE-secure, then it is CCA-secure.
>
> For any efficient $q$-query CCA adversary $\mathcal{A}$, there exists efficient adversaries $\mathcal{B} _ \mathrm{CPA}$ and $\mathcal{B} _ \mathrm{CI}$ such that
>
> $$
> \mathrm{Adv}_{\mathrm{CCA}}[\mathcal{A}, \mathcal{E}] \leq \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{B}_\mathrm{CPA}, \mathcal{E}] + 2q \cdot \mathrm{Adv}_{\mathrm{CI}}[\mathcal{B}_\mathrm{CI}, \mathcal{E}].
> $$
*Proof*. Check Theorem 9.1.[^1]
Intuitively, $\mathcal{A}$ is a CCA adversary, so it will make both encryption and decryption queries. Since $\mathcal{E}$ is AE secure, all of its decryption queries will return $\bot$, and by definition of CI, the adversary will learn nothing from the decryption queries. So if we remove the decryption queries, the CCA game becomes a CPA game. But $\mathcal{E}$ is also CPA secure, so $\mathcal{A}$ cannot win with non-negligible probability.
Note that the converse is not true. There are constructions that are CCA secure but not AE secure. Check Exercise 9.12.[^1]
Also, if a cipher is CCA secure and provides *plaintext* integrity, it is AE secure. Check Exercise 9.15.[^1]
Most natural constructions of CCA secure schemes satisfy AE, so we don't need to worry to much.
## AE Constructions by Generic Composition
We want to combine CPA secure scheme and strongly secure MAC to get AE. Rather than focusing on the internal structure of the scheme, we want a general method to compose these two secure schemes so that we can get a AE secure scheme. We will see 3 examples.
![mc-05-etm-mte.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-05-etm-mte.png)
### Encrypt-and-MAC (E&M)
In **Encrypt-and-MAC**, encryption and authentication is done in parallel.
> Given a message $m$, the sender outputs $(c, t)$ where
>
> $$
> c \leftarrow E(k_1, m), \quad t \leftarrow S(k_2, m).
> $$
This approach does not provide AE. In general, the tag may leak some information about the original message. This is because MACs do not care about the privacy of messages.
As a counterexample, consider a strongly secure MAC where the first bit of the tag is always equal to the first bit of the message.[^2]
### MAC-then-Encrypt (MtE)
In **MAC-then-Encrypt**, the tag is computed and the message-tag pair is encrypted.
> Given a message $m$, the sender outputs $c$ where
>
> $$
> t \leftarrow S(k_2, m), \quad c \leftarrow E(k_1, m\parallel t).
> $$
>
> Decryption is done by $(m, t) \leftarrow D(k_1, c)$ and then verifying the tag with $V(k_2, m, t)$.
This is not secure either. It is known that the attacker can decrypt all traffic using a chosen ciphertext attack. (padding oracle attacks) Check Section 9.4.2.[^1]
### Encrypt-then-MAC (EtM)
In **Encrypt-then-MAC**, the encrypted message is signed, and is known to be secure in general.
> Given a message $m$, the sender outputs $(c, t)$ where
>
> $$
> c \leftarrow E(k_1, m), \quad t \leftarrow S(k_2, c).
> $$
>
> Decryption is done by returning $D(k_1, c)$ only if verification $V(k_2, c, t)$ succeeds.
> **Theorem.** Let $\mathcal{E} = (E, D)$ be a cipher and let $\Pi = (S, V)$ be a MAC system. If $\mathcal{E}$ is CPA secure cipher and $\Pi$ is a strongly secure MAC, then $\mathcal{E}_\mathrm{EtM}$ is AE secure.
>
> For every efficient CI adversary $\mathcal{A} _ \mathrm{CI}$ attacking $\mathcal{E} _ \mathrm{EtM}$, there exists an efficient MAC adversary $\mathcal{B} _ \mathrm{MAC}$ attacking $\Pi$ such that
>
> $$
> \mathrm{Adv}_{\mathrm{CI}}[\mathcal{A}_\mathrm{CI}, \mathcal{E}_\mathrm{EtM}] = \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{B}_\mathrm{MAC}, \Pi].
> $$
>
> For every efficient CPA adversary $\mathcal{A} _ \mathrm{CPA}$ attacking $\mathcal{E} _ \mathrm{EtM}$, there exists an efficient CPA adversary $\mathcal{B} _ \mathrm{MAC}$ attacking $\mathcal{E}$ such that
>
> $$
> \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{A}_\mathrm{CPA}, \mathcal{E}_\mathrm{EtM}] = \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{B}_\mathrm{CPA}, \mathcal{E}].
> $$
*Proof*. See Theorem 9.2.[^1]
**Remark.** In the definition of strongly secure MACs, forging a new tag with the same ciphertext is admitted as a successful attack. Considering EtM construction, the attacker could construct a new valid tag and win the CI game if it was not for the *strongly* secure MAC definition.
#### Common Mistakes in EtM Implementation
- Do not use the same key for $\mathcal{E}$ and $\Pi$. The security proof above relies on the fact that the two keys $k_1, k_2 \in \mathcal{K}$ were chosen independently. See Exercise 9.8.[^1]
- MAC must be applied to the full ciphertext. For example, if IV is not protected by the MAC, the attacker can create a new valid ciphertext by changing the IV.
[^1]: A Graduate Course in Applied Cryptography
[^2]: Since we are looking for a general construction, it suffices to show a counterexample.

262
_posts/lecture-notes/modern-cryptography/2023-09-28-hash-functions.md Normal file
View File

@@ -0,0 +1,262 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 6. Hash Functions
date: 2023-09-28
github_title: 2023-09-28-hash-functions
image:
path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-06-merkle-damgard.png
attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography
---
Hash functions are functions that take some input an compress them to produce an output of fixed size, usually just called *hash* or *digest*. A desired property of hash function is **collision resistance**.
Hash functions are also used in hash table data structures, and for data structures, it isn't a huge problem if there is a collision. Although the search time may be affected, there are ways to handle conflicting hashes for each data structure.
But *cryptographic hash functions* are different. They should *avoid* collisions, since some adversary will attack in order to find collisions and break the system. Thus cryptographic hash functions are much harder to design.
## Collision Resistance
Intuitively, a function $H$ is collision resistant if it is computationally infeasible to find a collision for $H$. Formally, this can be defined also in the form of a security game.
> **Definition.** Let $H$ be a hash function defined over $(\mathcal{M}, \mathcal{T})$. Given an adversary $\mathcal{A}$, the adversary outputs two messages $m_0, m_1 \in \mathcal{M}$.
>
> $\mathcal{A}$ wins the game if $H(m_0) = H(m_1)$ and $m_0 \neq m_1$. The **advantage** of $\mathcal{A}$ with respect to $H$ is defined as the probability that $\mathcal{A}$ wins the game.
>
> $$
> \mathrm{Adv}_{\mathrm{CR}}[\mathcal{A}, H] = \Pr[H(m_0) = H(m_1) \wedge m_0 \neq m_1].
> $$
>
> If the advantage is negligible for any efficient adversary $\mathcal{A}$, then the hash function $H$ is **collision resistant**.
With a collision resistant hash function, we can do many things. For example, password hashing is a very common example. Instead of storing the plaintext password, the plaintext is hashed, and the hash is stored. One of the reasons for doing this is for privacy. Even the developers who can access the database shouldn't be able to obtain the plaintext password, and the plaintext password will be safe even if the database is leaked.
When the user logins, the password user entered will be hashed to compare with the stored hash in the server. It is obvious that we need collision resistant hashes, since if not, a malicious user can login using the collision.
Another desirable property would be the **one-wayness** of $H$, that it should be hard to find the preimage of any hash. It can be shown that collision resistance implies one-wayness.[^1]
## MAC Domain Extension
One possible use of hash function is for extending the domain of MACs. A MAC scheme is usually defined for a fixed block size, so for longer messages, we need other constructions. This is where hash functions can come in.
Let $\Pi = (S, V)$ be a MAC scheme defined over $(\mathcal{K}, \mathcal{M}, \mathcal{T})$, and let $H : \mathcal{M}' \rightarrow \mathcal{M}$ be a hash function, where $\mathcal{M}'$ is usually larger than $\mathcal{M}$. A naive way to construct a MAC would be to apply the hash first to compress the message and then sign it. It turns out that this new construction is a secure MAC if $\Pi$ is secure and $H$ is collision resistant.
> **Theorem.** Let $\Pi' = (S', V')$ be a MAC defined over $(\mathcal{K}, \mathcal{M}', \mathcal{T})$. Let
>
> $$
> S'(k, m) = S(k, H(m)), \quad V'(k, m, t) = V(k, H(m), t).
> $$
>
> If $\Pi$ is a secure MAC and $H$ is collision resistant, then $\Pi'$ is a secure MAC.
>
> For any efficient adversary $\mathcal{A}$ attacking $\Pi'$, there exist a MAC adversary $\mathcal{B} _ \mathrm{MAC}$ attacking $\Pi$ and an adversary $\mathcal{B} _ \mathrm{CR}$ attacking $H$ such that
>
> $$
> \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{A}, \Pi'] \leq \mathrm{Adv}_{\mathrm{MAC}}[\mathcal{B}_\mathrm{MAC}, \Pi] + \mathrm{Adv}_{\mathrm{CR}}[\mathcal{B}_\mathrm{CR}, H].
> $$
*Proof*. See Theorem 8.1.[^2]
Intuitively, suppose that the MAC scheme $\Pi'$ is insecure. During the MAC security game, $\mathcal{A}$ can either find or not find a collision for $H$. If $\mathcal{A}$ found a collision, $H$ is not collision resistant. If $\mathcal{A}$ didn't find a collision, then $\Pi$ must be broken. Thus we have a contradiction.
But in reality, this construction is not used very often. We need a *secure* MAC *and* a *collision resistant* hash function, so it is hard to implement.
## Attacks on Hash Functions
There are specific attacks that exploit the internal mechanism of some specific hash function, but we only cover generic attacks that work for any given hash function.
A very simple attack would be the brute force attack. If the hash is $n$ bits, then the attacker can hash $2^n+1$ arbitrary messages to get a collision, by the pigeonhole principle. But usually $n$ is large enough that performing this computation is infeasible.
### Birthday Attacks
Actually, the attacker doesn't have to hash that many messages. This is because of the birthday paradox.
Let $N$ be the size of the hash space. (If the hash is $n$ bits, then $N = 2^n$)
> 1. Sample $s$ uniform random messages $m_1, \dots, m_s \in \mathcal{M}$.
> 2. Compute $x_i \leftarrow H(m_i)$.
> 3. Find and output a collision if it exists.
> **Lemma.** The above algorithm will output a collision with probability at least $1/2$ when $s \geq 1.2\sqrt{N}$.
*Proof*. We show that the probability of no collisions is less than $1/2$. The probability that there is no collision is
$$
\prod_{i=1}^{s-1}\left( 1-\frac{i}{N} \right) \leq \prod_{i=1}^{s-1} \exp\left( -\frac{i}{N} \right) = \exp\left( -\frac{s(s-1)}{2N} \right).
$$
So solving $\exp\left( -s(s-1)/2N \right) < 1/2$ for $s$ gives approximately $s \geq \sqrt{(2\log2)N} \approx 1.17 \sqrt{N}$.
In the above proof, we assume that $H$ is uniform. But in reality, $H$ might be biased, but it can be shown that collision probability is minimized when $H$ is uniform, so the above argument holds.
Note that birthday attacks can be done entirely *offline*. The adversary doesn't have to interact with any users of the system, so adversaries can invest huge computing resources to find a collision, without anybody noticing. Thus, offline attacks are considered more dangerous than *online* attacks that require many interactions.
## Merkle-Damgård Transform
Now we want to construct collision resistant hash functions that work for arbitrary input length. Thanks to the **Merkle-Damgård transform**, we can start from a collision resistant hash function that works for short messages.
The Merkle-Damgård transform gives as a way to extend our input domain of the hash function by iterating the function.
![mc-06-merkle-damgard.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-merkle-damgard.png)
> **Definition.** Let $h : \left\lbrace 0, 1 \right\rbrace^n \times \left\lbrace 0, 1 \right\rbrace^l \rightarrow \left\lbrace 0, 1 \right\rbrace^n$ be a hash function. The **Merkle-Damgård function derived from $h$** is a function $H$ that works as follows.
>
> 1. Given an input $m \in \left\lbrace 0, 1 \right\rbrace^{\leq L}$, pad $m$ so that the length of $m$ is a multiple of $l$.
> - The padding block $\mathrm{PB}$ must contain an encoding of the input message length. i.e, it is of the form $100\dots00\parallel\left\lvert m \right\lvert$.
> 2. Then partition the input into $l$-bit blocks so that $m' = m_1 \parallel m_2 \parallel \cdots \parallel m_s$.
> 3. Set $t_0 \leftarrow \mathrm{IV} \in \left\lbrace 0, 1 \right\rbrace^n$.
> 4. For $i = 1, \dots, s$, calculate $t_i \leftarrow h(t_{i-1}, m_i)$.
> 5. Return $t_s$.
- The function $h$ is called the **compression function**.
- The $t_i$ values are called **chaining values**.
- Note that because of the padding block can be at most $l$-bits, the maximum message length is $2^l$, but usually $l = 64$, so it is enough.
- $\mathrm{IV}$ is fixed to some value, and is usually set to some complicated string.
- We included the length of the message in the padding. This will be used in the security proof.
The Merkle-Damgård construction is secure.
> **Theorem.** If $h$ is a collision resistant hash function, then so is $H$.
*Proof*. We show by contradiction. Suppose that an adversary $\mathcal{A}$ of $H$ found a collision for $H$. Let $H(m) = H(m')$ for $m \neq m'$. Now we construct an adversary $\mathcal{B}$ of $h$. $\mathcal{B}$ will examine $m$ and $m'$ and work its way backwards.
Suppose that $m = m_1\cdots m_u$ and $m' = m_1'\cdots m_v'$. Let the chaining values be $t_i = h(t_{i-1},m_i)$ and $t_i' = h(t_{i-1}', m_i')$. Then since $H(m) = H(m')$, the very last iteration should give the same output.
$$
h(t_{u-1},m_u) = h(t_{v-1}', m_v').
$$
Suppose that $t_{u-1} \neq t_{v-1}'$ and $m_u \neq m_v'$. Then this is a collision for $h$, so $\mathcal{B}$ returns this collision, and we are done. So suppose otherwise. Then $t_{u-1} = t_{v-1}'$ and $m_u = m_v'$. But because the last block contains the padding, the padding values must be the same, which means that the length of these two messages must have been the same, so $u = v$.
Now we have $t_{u-1} = t_{u-1}'$, which implies $h(t_{u-2}, m_{u-1}) = h(t_{u-2}', m_{u-1}')$. We can now repeat the same process until the first block. If $\mathcal{B}$ did not find any collision then it means that $m_i = m_i'$ for all $i$, so $m = m'$. This is a contradiction, so $\mathcal{B}$ must have found a collision.
By the above argument, we see that $\mathrm{Adv} _ {\mathrm{CR}}[\mathcal{A}, H] = \mathrm{Adv} _ {\mathrm{CR}}[\mathcal{B}, h]$.
### Attacking Merkle-Damgård Hash Functions
See Joux's attack.[^2]
## Davies-Meyer Compression Functions
Now we only have to build a collision resistant compression function. We can build these functions from either a block cipher, or by using number theoretic primitives.
Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](./2023-10-03-key-exchange.md#collision-resistance-based-on-dl-problem).
![mc-06-davies-meyer.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-davies-meyer.png)
> **Definition.** Let $\mathcal{E} = (E, D)$ be a block cipher over $(\mathcal{K}, X, X)$ where $X = \left\lbrace 0, 1 \right\rbrace^n$. The **Davies-Meyer compression function derived from $E$** maps inputs in $X \times \mathcal{K}$ to outputs in $X$, defined as follows.
>
> $$
> h(x, y) = E(y, x) \oplus x.
> $$
> **Theorem.** Suppose $\mathcal{E}$ is an ideal cipher.[^4] Then finding a collision for $h$ takes $\mathcal{O}(2^{n/2})$ evaluations of $(E, D)$.
*Proof*. Check Theorem 8.4.[^2]
Due to the birthday attack, we see that this bound is the best possible.
There are other constructions of $h$ using the block cipher. But some of them are totally insecure. These are some insecure functions.
$$
h_1(x, y) = E(y, x) \oplus y, \quad h_2(x, y) = E(x, x \oplus y) \oplus x.
$$
Also, just using $E(y, x)$ is insecure.
## Secure Hash Algorithm (SHA)
This is a family of hash functions published by NIST.
- 1993: SHA0
- 1995: SHA1
- 2001: **SHA2-256** and **SHA2-512** (most widely used)
- 2015: SHA3-256 and SHA3-512
There are known attacks for SHA0 and SHA1, so use at least SHA2.
SHA1 and SHA2 uses Merkle-Damgård and Davies-Meyer compression function. But if we use just AES, then the block size is $128$ bits, meaning that birthday attacks take $\mathcal{O}(2^{64})$, which is a bit small. So SHA2 uses a different block cipher called SHACAL-2 that uses $256$ bit blocks.
## HMAC
We needed a complicated construction for MACs that work on long messages. We might be able to use the collision resistance of hash functions and build a MAC with it.
### Some Approaches
Here are a few approaches. Suppose that a compression function $h$ is given and $H$ is a Merkle-Damgård function derived from $h$.
Recall that [we can construct a MAC scheme from a PRF](./2023-09-21-macs.md#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme.
#### Prepending the Key
Define $S(k, m) = H(k \parallel m)$. This is insecure by length extension attacks. Given $H(k \parallel m)$, one can compute $H(k \parallel m \parallel m')$ for any $m'$, resulting in forgery.
#### Appending the Key
Define $S(k, m) = H(m \parallel k)$. This is vulnerable to an offline attack on $h$. If there is a collision on $h$, then $h(\mathrm{IV}, m) = h(\mathrm{IV}, m')$ for some $m \neq m'$. Then $S(k, m) = S(k, m')$ which results in forgery.
#### Envelope Method
Define $S(k, m) = H(k \parallel M \parallel k)$. This can be proven to be a secure PRF under reasonable assumptions. See Exercise 8.17.[^2]
#### Two-Key Nest
Define $S((k_1,k_2), m) = H(k_2 \parallel H(k_1 \parallel m))$. This can also be proven to be a secure PRF under reasonable assumptions. See Section 8.7.1.[^2]
This can be thought of as blocking the length extension attack from prepending the key method.
### HMAC Definition
![mc-06-hmac.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-06-hmac.png)
This is a variant of the two-key nest, but the difference is that the keys $k_1', k_2'$ are not independent. Choose a key $k \leftarrow \mathcal{K}$, and set
$$
k_1 = k \oplus \texttt{ipad}, \quad k_2 = k\oplus \texttt{opad}
$$
where $\texttt{ipad} = \texttt{0x363636}...$ and $\texttt{opad} = \texttt{0x5C5C5C}...$. Then
$$
\mathrm{HMAC}(k, m) = H(k_2 \parallel H(k_1 \parallel m)).
$$
The security proof given for two-key nest does not apply here, since $k_1$ and $k_2$ are not independent. With stronger assumptions on $h$, then we almost get an optimal security bound.
## The Random Oracle Model
### Motivation
Some constructions using cryptographic hash functions cannot be proven secure only using the collision resistance assumption.
A conservative way to solve this problem would be to construct schemes that can be proven secure, using reasonable assumptions about the hash function. But it may be hard to find such schemes and they may be less efficient than existing approaches that haven't been formally proven. On the other hand, it is unacceptable to use a cryptosystem without a security proof, even though attackers have been unsuccessful.
Introducing an *idealized model* offers a middle ground to this. The model is not real, and reality is far from ideal. But as long as the model is *reasonable*, proofs under the idealized model is better than nothing. Proof with idealized model lets us understand the scheme better.
### Random Oracle Model
The **random oracle model** is a model that treats a cryptographic hash function as a truly random function. In this model, there is a public, random function $H$, that can be evaluated *only* by querying the oracle.
The random oracle model also provides a formal method that can be used to design and validate cryptosystems using the following approach.
1. Design a scheme and prove that it is secure in the random oracle model.
2. During implementation, replace the random oracle with a cryptographic hash function.
We hope that the cryptographic hash function used in step 2 is good enough to mimic a random oracle. Then the proof of security in the random oracle model would be still valid in the real world.
But there are schemes that can be proven insecure when instantiated with hash functions, even if they were proven secure in the random oracle model. Also, any hash function cannot behave like a random oracle/function. So a security proof in the random oracle model suggests that some scheme has no internal design flaws, but it is not enough to claim security of the scheme in the real world.
[^1]: There is a subtle detail here, refer to [this question](https://crypto.stackexchange.com/questions/17924/does-collision-resistance-imply-or-not-second-preimage-resistance) on cryptography SE.
[^2]: A Graduate Course in Applied Cryptography
[^3]: These are rarely used since they rely on prime numbers, and prime numbers are expensive. Also block ciphers are blazingly fast compared to computing integers.
[^4]: We treat the block cipher as a family of random permutations. i.e, for each $k \in \mathcal{K}$, $E(k, \cdot)$ is a random permutation.

245
_posts/lecture-notes/modern-cryptography/2023-10-03-key-exchange.md Normal file
View File

@@ -0,0 +1,245 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 7. Key Exchange
date: 2023-10-03
github_title: 2023-10-03-key-exchange
image:
path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-07-dhke.png
attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography
---
In symmetric key encryption, we assumed that the two parties already share the same key. We will see how this can be done.
In symmetric key settings, a user has to agree and store every key for every other user, so if there are $N$ users in the system, $\mathcal{O}(N^2)$ keys are to be stored in the system. But these keys are secret information, so they have to be handled with care. With so many keys, it is hard to store and manage them securely.
Distributing a key requires a lot of care. The two parties need a secure channel beforehand, or have to meet physically in person to safely exchange keys. But for open systems, physical meetings cannot be arranged and users are not aware of each other before communicating.
In summary, symmetric key cryptography has at least three problems.
1. It is hard to distribute keys securely.
2. It is hard to storing and managing many secret keys securely.
3. Symmetric key cryptography cannot be applied to open systems.
Problems 1 and 2 can be solved partially using **trusted third parties** (TTP), but such TTPs become a single point of failure, and is usually used only in a single organization.
## Diffie-Hellman Key Exchange (DHKE)
We need a method to share a secret key. For now, assume that the adversary only eavesdrops, and does not tamper with the message.
### Generic Description and Requirements
**Diffie-Hellman key exchange** protocol allows two parties to generate a shared secret key, without establishing a physical meeting. Here is a generic description of the protocol.
> We have two functions $E(\cdot)$ and $F(\cdot, \cdot)$.
> 1. Alice chooses a random secret $\alpha$ and computes $E(\alpha)$.
> 2. Bob chooses a random secret $\beta$ and computes $E(\beta)$.
> 3. Alice and Bob exchange $E(\alpha), E(\beta)$ over an *insecure channel*.
> 4. Using the given information, Alice and Bob both compute a shared key $F(\alpha, \beta)$.
Alice only knows $\alpha, E(\beta)$, and Bob only knows $\beta, E(\alpha)$. With the given information for each party, they compute $F(\alpha, \beta)$ and use it as a shared key. Also, since Alice and Bob are currently exchanging keys, $E(\alpha)$ and $E(\beta)$ are sent over an insecure channel. Then the eavesdropper can see $E(\alpha), E(\beta)$.
Overall, for this protocol to be secure, $E$ and $F$ should at least satisfy the following.
- $E$ is easy to compute.
- Given $\alpha$ and $E(\beta)$, it is easy to compute $F(\alpha, \beta)$.
- Given $E(\alpha)$ and $\beta$, it is easy to compute $F(\alpha, \beta)$.
- Given $E(\alpha)$ and $E(\beta)$, it is **hard** to compute $F(\alpha, \beta)$.
- $E$ must be a one way function.
The first three conditions are for the communicating parties, and is sort of a correctness condition that Alice and Bob can agree on the same key efficiently. The last two conditions are a security condition. It should be hard for the eavesdropping adversary to compute the secret, and that it must be hard to recover $x$ from the value of $E(x)$. Otherwise, the adversary will find $\alpha$ or $\beta$ and compute $F(\alpha, \beta)$.
To implement the above protocol, we need two functions $E$ and $F$ that satisfy the above properties. We rely on the hardness of number theoretic problems to implement this.
### DHKE Protocol in Detail
Let $p$ be a large prime, and let $q$ be another large prime dividing $p - 1$. We typically use very large random primes, $p$ is about $2048$ bits long, and $q$ is about $256$ bits long.
All arithmetic will be done in $\mathbb{Z}_p$. We also consider $\mathbb{Z} _ p^ *$ , the **unit group** of $\mathbb{Z} _ p$. Since $\mathbb{Z} _ p$ is a field, $\mathbb{Z} _ p^ * = \mathbb{Z} _ p \setminus \left\lbrace 0 \right\rbrace$, meaning that $\mathbb{Z} _ p^ *$ has order $p-1$.
Since $q$ is a prime dividing $p - 1$, $\mathbb{Z}_p^*$ has an element $g$ of order $q$.[^1] Let
$$
G = \left\langle g \right\rangle = \left\lbrace 1, g, g^2, \dots, g^{q-1} \right\rbrace \leq \mathbb{Z}_p^*.
$$
We assume that the description of $p$, $q$ and $g$ are generated at the setup and shared by all parties. Now the actual protocol goes like this.
![mc-07-dhke.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-dhke.png)
> 1. Alice chooses $\alpha \leftarrow \mathbb{Z}_q$ and computes $g^\alpha$.
> 2. Bob chooses $\beta \leftarrow \mathbb{Z}_q$ and computes $g^\beta$.
> 3. Alice and Bob exchange $g^\alpha$ and $g^\beta$ over an insecure channel.
> 4. Using $\alpha$ and $g^\beta$, Alice computes $g^{\alpha\beta}$.
> 5. Using $\beta$ and $g^\alpha$, Bob computes $g^{\alpha\beta}$.
> 6. The secret key shared by Alice and Bob is $g^{\alpha\beta}$.
It works!
### Security of the DHKE Protocol
The protocol is secure if and only if the following holds.
> Let $\alpha, \beta \leftarrow \mathbb{Z}_q$. Given $g^\alpha, g^\beta \in G$, it is hard to compute $g^{\alpha\beta} \in G$.
This is called the **computational Diffie-Hellman assumption**. As we will see below, this is not as strong as the discrete logarithm assumption. But in the real world, CDH assumption is reasonable enough for groups where the DL assumption holds.
## Discrete Logarithm and Related Assumptions
We have used $E(x) = g^x$ in the above implementation. This function is called the **discrete exponentiation function**. This function is actually a *group isomorphism*, so it has an inverse function called the **discrete logarithm function**. The name comes from the fact that if $u = g^x$, then it can be written as '$x = \log_g u$'.
We required that $E$ must be a one-way function for the protocol to work. So it must be hard to compute the discrete logarithm function. There are some problems related to the discrete logarithm, which are used as assumptions in the security proof. They are formalized as a security game, as usual.
$G = \left\langle g \right\rangle \leq \mathbb{Z} _ p^{ * }$ will be a *cyclic group* of order $q$ and $g$ is given as a generator. Note that $g$ and $q$ are also given to the adversary.
### Discrete Logarithm Problem (DL)
> **Definition.** Let $\mathcal{A}$ be a given adversary.
>
> 1. The challenger chooses $\alpha \leftarrow \mathbb{Z}_q$ and sends $u = g^\alpha$ to the adversary.
> 2. The adversary calculates and outputs some $\alpha' \in \mathbb{Z}_q$.
>
> We define the **advantage in solving the discrete logarithm problem for $G$** as
>
> $$
> \mathrm{Adv}_{\mathrm{DL}}[\mathcal{A}, G] = \Pr[\alpha = \alpha'].
> $$
>
> We say that the **discrete logarithm (DL) assumption** holds for $G$ if for any efficient adversary $\mathcal{A}$, $\mathrm{Adv}_{\mathrm{DL}}[\mathcal{A}, G]$ is negligible.
So if we assume the DL assumption, it means that DL problem is **hard**. i.e, no efficient adversary can effectively solve the DL problem for $G$.
### Computational Diffie-Hellman Problem (CDH)
> **Definition.** Let $\mathcal{A}$ be a given adversary.
>
> 1. The challenger chooses $\alpha, \beta \leftarrow \mathbb{Z}_q$ and sends $g^\alpha, g^\beta$ to the adversary.
> 2. The adversary calculates and outputs some $w \in G$.
>
> We define the **advantage in solving the computational Diffie-Hellman problem for $G$** as
>
> $$
> \mathrm{Adv}_{\mathrm{CDH}}[\mathcal{A}, G] = \Pr[w = g^{\alpha\beta}].
> $$
>
> We say that the **computational Diffie-Hellman (CDH) assumption** holds for $G$ if for any efficient adversary $\mathcal{A}$, $\mathrm{Adv}_{\mathrm{CDH}}[\mathcal{A}, G]$ is negligible.
An interesting property here is that given $(g^\alpha, g^\beta)$, it is hard to determine if $w$ is a solution to the problem. ($w \overset{?}{=} g^{\alpha\beta}$)
### Decisional Diffie-Hellman Problem (DDH)
Since recognizing a solution to the CDH problem is hard, we have another assumption that it is hard to distinguish a solution to the CDH problem and a random element from $G$.
> **Definition.** Let $\mathcal{A}$ be a given adversary. We define two experiments 0 and 1.
>
> **Experiment $b$**.
> 1. The challenger chooses $\alpha, \beta, \gamma \leftarrow \mathbb{Z}_q$ and computes the following.
>
> $$
> u = g^\alpha, \quad v = g^\beta, \quad w_0 = g^{\alpha\beta}, \quad w_1 = g^\gamma.
> $$
>
> 2. The challenger sends the triple $(u, v, w_b)$ to the adversary.
> 3. The adversary calculates and outputs a bit $b' \in \left\lbrace 0, 1 \right\rbrace$.
>
> Let $W_b$ be the event that $\mathcal{A}$ outputs $1$ in experiment $b$. We define the **advantage in solving the decisional Diffie-Hellman problem for $G$** as
>
> $$
> \mathrm{Adv}_{\mathrm{DDH}}[\mathcal{A}, G] = \left\lvert \Pr[W_0] - \Pr[W_1] \right\lvert.
> $$
>
> We say that the **decisional Diffie-Hellman (DDH) assumption** holds for $G$ if for any efficient adversary $\mathcal{A}$, $\mathrm{Adv}_{\mathrm{DDH}}[\mathcal{A}, G]$ is negligible.
For $\alpha, \beta, \gamma \in \mathbb{Z}_q$, the triple $(g^\alpha, g^\beta, g^\gamma)$ is called a **DH-triple** if $\gamma = \alpha\beta$. So the assumption is saying that no efficient adversary can distinguish DH-triples from non DH-triples.
### Relations Between Problems
It is easy to see that the following holds.
> In the order of hardness, DL problem $\gt$ CDH problem $\gt$ DDH problem.
If an adversary can solve the DL problem, it can solve CDH and DDH, so DL problem is harder. It is known that strict inequality holds.
If we assume that an easier problem is hard, we have a strong assumption. That is, it is easier to be broken in the future, because we assumed too much.
> DDH assumption $\implies$ CDH assumption $\implies$ DL assumption
Suppose we used the DDH assumption in the proof. If the DDH assumption turns out to be false, proofs using the CDH or DL assumption remain valid.
If we used the DL assumption and it turns out to be false, there will be an efficient algorithm solving the DL problem. Then CDH, DDH problems can also be solved, so proofs using the DDH or CDH assumption will be invalidated. Thus DL assumption is the weakest assumption, since breaking DL will break both CDH and DDH.
## Multi-Party Diffie-Hellman
Suppose we want something like a secret group chat, where there are $N$ ($\geq 3$) people and they need to generate a shared secret key. It is known that $N$-party Diffie-Hellman is possible in $N-1$ rounds. Here's how it goes. The indices are all in modulo $N$.
Each party $i$ chooses $\alpha _ i \leftarrow \mathbb{Z} _ q$, and computes $g^{\alpha _ i}$. The parties communicate in a circular form, and passes the computed value to the $(i+1)$-th party. In the next round, the $i$-th party receives $g^{\alpha _ {i-1}}$ and computes $g^{\alpha _ {i-1}\alpha _ i}$ and passes it to the next party. After $N-1$ rounds, all parties have the shared key $g^{\alpha _ 1\cdots\alpha _ N}$.
Taking $\mathcal{O}(N)$ steps is impractical in the real world, due to many communications that the above algorithm requires. Researchers are looking for methods to generate a shared key in a single round. It has been solved for $N=3$ using bilinear pairings, but for $N \geq 4$ it is an open problem.
## Attacking Anonymous Diffie-Hellman Protocol
We assumed that the adversary only eavesdrops, but if the adversary carries out active attacks, then DHKE is not enough. The major problem is the lack of **authentication**. Alice and Bob are exchanging keys, but they both cannot be sure that there are in fact communicating with the other. An attacker can intercept messages and impersonate Alice or Bob. This attack is called a **man in the middle attack**, and this attack works on any key exchange protocol that lacks authentication.
![mc-07-dhke-mitm.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-dhke-mitm.png)
The adversary will impersonate Bob when communicating with Alice, and will do the same for Bob by pretending to be Alice. The values of $\alpha, \beta$ that Alice and Bob chose are not leaked, but the adversary can decrypt anything in the middle and obtain the plaintext.
## Collision Resistance Based on DL Problem
Suppose that the DL problem is hard on the group $G = \left\langle g \right\rangle$, with prime order $q$. Choose an element $h \in G$, and define a hash function $H : \mathbb{Z}_q \times \mathbb{Z}_q \rightarrow G$ as
$$
H(\alpha, \beta) = g^\alpha h^\beta.
$$
If an adversary were to find a collision, then $H(\alpha, \beta) = H(\alpha', \beta')$, which implies $g^\alpha h^\beta = g^{\alpha'}h^{\beta'}$, thus $h = g^{(\alpha - \alpha') / (\beta' - \beta)}$, calculating the discrete logarithm.
Thus under the DL assumption, the hash function $H$ is collision resistant.
## Merkle Puzzles (1974)
Before Diffie-Hellman, Merkle proposed an idea for secure key exchange protocol using symmetric key cryptography.
The idea was to use *puzzles*, which are problems that can be solved with some effort.
![mc-07-merkle-puzzles.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-07-merkle-puzzles.png)
> Let $\mathcal{E} = (E, D)$ be a block cipher defined over $(\mathcal{K}, \mathcal{M})$.
> 1. Alice chooses random pairs $(k_i, s_i) \leftarrow \mathcal{K} \times \mathcal{M}$ for $i = 1, \dots, L$.
> 2. Alice constructs $L$ puzzles, defined as a triple $(E(k_i, s_i), E(k_i, i), E(k_i, 0))$.
> 3. Alice randomly shuffles these puzzles and sends them to Bob.
> 4. Bob picks a random puzzle $(c_1, c_2, c_3)$ and solves the puzzle by **brute force**, trying all $k \in \mathcal{K}$ until some $D(k, c_3) = 0$ is found.
> - If Bob finds two different keys, he indicates Alice that the protocol failed and they start over.
> 5. Bob computes $l = D(k, c_2)$ and $s = D(k, c_1)$, sends $l$ to Alice.
> 6. Alice will locate the $l$-th puzzle and set $s = s_l$.
If successful, Alice and Bob can agree on a secret message $s \in \mathcal{M}$. It can be seen that Alice has to do $\mathcal{O}(L)$, Bob has to do $\mathcal{O}(\left\lvert \mathcal{K} \right\lvert)$ amount of work.
For block ciphers, we commonly set $\mathcal{K}$ large enough so that brute force attacks are infeasible. So for Merkle puzzles, we reduce the key space. For example, if we were to use AES-128 as $\mathcal{E}$, then we can set the first $96$ bits of the key as $0$. Then the search space would be reduced to $2^{32}$, which is feasible for Bob.
Now consider the adversary who obtains all puzzles $P_i$ and the value $l$. To obtain the secret message $s_l$, adversary has to locate the puzzle $P_l$. But since the puzzles are in random order, the adversary has to solve all puzzles until he finds $P_l$. Thus, the adversary must spend time $\mathcal{O}(L\left\lvert \mathcal{K} \right\lvert)$ to obtain $s$. So we have a quadratic gap here.
### Performance Issues
Suppose we set $L \approx \left\lvert \mathcal{K} \right\lvert$. Then first of all, Alice has to create that many puzzles and send all of them to Bob.
Next, the adversary must spend time $\mathcal{O}(L^2)$, but this doesn't satisfy our definitions of security, since the adversary has advantage about $1/L^2$ with constant work, which is non-negligible. Also, $L$ must be large enough in practice, which raises the first problem again.
### Impossibility Results
It is unknown whether we can get a better gap (than quadratic) using a general symmetric cipher. A partial result was given that quadratic gap is the best possible if we only use block ciphers.[^2]
To get exponential gaps, we need number theory.
[^1]: By Cauchy's theorem, or use the fact that $\mathbb{Z}_p^*$ is commutative. Finite commutative groups have a subgroup of every order that divides the order of the group.
[^2]: R. Impagliazzo and S. Rudich. Limits on the provable consequences of one-way permutations. In Proceedings of the Symposium on Theory of Computing (STOC), pages 4461, 1989.

257
_posts/lecture-notes/modern-cryptography/2023-10-05-number-theory.md Normal file
View File

@@ -0,0 +1,257 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- number-theory
- security
title: 8. Number Theory
date: 2023-10-05
github_title: 2023-10-05-number-theory
---
## Background
### Number Theory
Let $n$ be a positive integer and let $p$ be prime.
> **Notation.** Let $\mathbb{Z}$ denote the set of integers. We will write $\mathbb{Z}_n = \left\lbrace 0, 1, \dots, n - 1 \right\rbrace$.
> **Definition.** Let $x, y \in \mathbb{Z}$. $\gcd(x, y)$ is the **greatest common divisor** of $x, y$. $x$ and $y$ are relatively prime if $\gcd(x, y) = 1$.
> **Definition.** The **multiplicative inverse** of $x \in \mathbb{Z}_n$ is an element $y \in \mathbb{Z}_n$ such that $xy = 1$ in $\mathbb{Z}_n$.
> **Lemma.** $x \in \mathbb{Z}_n$ has a multiplicative inverse if and only if $\gcd(x, n) = 1$.
> **Definition.** $\mathbb{Z}_n^\ast$ is the set of invertible elements in $\mathbb{Z}_n$. i.e, $\mathbb{Z}_n^\ast = \left\lbrace x \in \mathbb{Z}_n : \gcd(x, n) = 1 \right\rbrace$.
> **Lemma.** (Extended Euclidean Algorithm) For $x, y \in \mathbb{Z}$, there exists $a, b \in \mathbb{Z}$ such that $ax + by = \gcd(x, y)$.
### Group Theory
> **Definition.** A **group** is a set $G$ with a binary operation $* : G \times G \rightarrow G$, satisfying the following properties.
>
> - $(\mathsf{G1})$ (Associative) $(a * b) * c = a * (b * c)$ for all $a, b, c \in G$.
> - $(\mathsf{G2})$ (Identity) $\exists e \in G$ such that for all $a\in G$, $e * a = a * e = a$.
> - $(\mathsf{G3})$ (Inverse) For each $a \in G$, $\exists x \in G$ such that $a * x = x * a = e$. In this case, $x = a^{-1}$.
> **Definition.** A group is **commutative** if $a * b = b * a$ for all $a, b \in G$.
> **Definition.** The **order** of a group is the number of elements in $G$, denoted as $\left\lvert G \right\lvert$.
> **Definition.** A set $H \subseteq G$ is a **subgroup** of $G$ if $H$ is itself a group under the operation of $G$. We write $H \leq G$.
> **Theorem.** (Lagrange) Let $G$ be a finite group and $H \leq G$. Then $\left\lvert H \right\lvert \mid \left\lvert G \right\lvert$.
*Proof*. All left cosets of $H$ have the same number of elements. A bijection between any two coset can be constructed. Cosets partition $G$, so $\left\lvert G \right\lvert$ is equal to the number of left cosets multiplied by $\left\lvert H \right\lvert$.
Let $G$ be a group.
> **Definition.** Let $g \in G$. The set $\left\langle g \right\rangle = \left\lbrace g^n : n \in \mathbb{Z} \right\rbrace$ is called the **cyclic subgroup generated by $g$**. The **order** of $g$ is the number of elements in $\left\langle g \right\rangle$, denoted as $\left\lvert g \right\lvert$.
> **Definition.** $G$ is **cyclic** if there exists $g \in G$ such that $G = \left\langle g \right\rangle$.
> **Theorem.** $\mathbb{Z}_p^\ast$ is cyclic.
*Proof*. $\mathbb{Z}_p$ is a finite field, so $\mathbb{Z}_p^\ast = \mathbb{Z}_p \setminus \left\lbrace 0 \right\rbrace$ is cyclic.
> **Theorem.** If $G$ is a finite group, then $g^{\left\lvert G \right\lvert} = 1$ for all $g \in G$. i.e, $\left\lvert g \right\lvert \mid \left\lvert G \right\lvert$.
*Proof*. Consider $\left\langle g \right\rangle \leq G$, then the result follows from Lagrange's theorem.
> **Corollary.** (Fermat's Little Theorem) If $x \in \mathbb{Z}_p^\ast$, $x^{p-1} = 1$.
*Proof*. $\mathbb{Z}_p^\ast$ has $p-1$ elements.
> **Corollary.** (Euler's Generalization) If $x \in \mathbb{Z}_n^\ast$, $x^{\phi(n)} = 1$.
*Proof*. $\mathbb{Z}_n^\ast$ has $\phi(n)$ elements, where $\phi(n)$ is the Euler's totient function.
---
Schemes such as Diffie-Hellman rely on the hardness of the DLP. So, *how hard is it*? How does one compute the discrete logarithm?
There are group-specific algorithms that exploit the algebraic features of the group, but we only cover generic algorithms, that works on any cyclic group. A trivial example would be the exhaustive search, where if $\left\lvert G \right\lvert = n$ and given a generator $g \in G$, find the discrete logarithm of $h \in G$ by computing $g^i$ for all $i = 1, \dots, n - 1$. Obviously, it has running time $\mathcal{O}(n)$. We can do better than this.
## Baby Step Giant Step Method (BSGS)
Let $G = \left\langle g \right\rangle$, where $g \in G$ has order $q$. $q$ need not be prime for this method. We are given $u = g^\alpha$, $g$, and $q$. Our task is to find $\alpha \in \mathbb{Z}_q$.
Set $m = \left\lceil \sqrt{q} \right\rceil$. $\alpha$ is currently unknown, but by the division algorithm, there exists integers $i,j$ such that $\alpha = i \cdot m + j$ and $0\leq i, j < m$. Then $u = g^\alpha = g^{i\cdot m + j} = g^{im} \cdot g^j$. Therefore,
$$
u(g^{-m})^i = g^j.
$$
Now, we compute the values of $g^j$ for $j = 0, 1,\dots, m - 1$ and keep a table of $(j, g^j)$ pairs. Next, compute $g^{-m}$ and for each $i$, compute $u(g^{-m})^{i}$ and check if this value is in the table. If a value is found, then we found $(i, j)$ such that $i \cdot m + j = \alpha$.
We see that this algorithm takes $2\sqrt{q}$ group operations on $G$ in the worst case, so the time complexity is $\mathcal{O}(\sqrt{q})$. However, to store the values of $(j, g^j)$ pairs, a lot of memory is required. The table must be large enough to contain $\sqrt{q}$ group elements, so the space complexity is also $\mathcal{O}(\sqrt{q})$.
To get around this, we can build a smaller table by choosing a smaller $m$. But then $0 \leq j < m$ but $i$ must be checked for around $q/m$ values.
There is actually an algorithm using constant space. **Pollard's Rho** algorithm takes $\mathcal{O}(\sqrt{q})$ times and $\mathcal{O}(1)$ space.
## Groups of Composite Order
In Diffie-Hellman, we only used large primes. There is a reason for using groups with prime order. We study what would happen if we used composite numbers.
Let $G$ be a cyclic group of composite order $n$. First, we start with a simple case.
### Prime Power Case: Order $n = q^e$
Let $G = \left\langle g \right\rangle$ be a cyclic group of order $q^e$.[^1] ($q > 1$, $e \geq 1$) We are given $g,q, e$ and $u = g^\alpha$ and we will find $\alpha$. ($0 \leq \alpha < q^e)$
For each $f = 0, \dots, e$, define $g_f = g^{(q^f)}$. Then
$$
(g_f)^{(q^{e-f})} = g^{(q^f) \cdot (q^{e-f})} = g^{(q^e)} = 1.
$$
So $g_f$ generates a cyclic subgroup of order $q^{e-f}$. In particular, $g_{e-1}$ generates a cyclic subgroup of order $q$. Using this fact, we will reduce the given problem into a discrete logarithm problem on a group having smaller order $q$.
We proceed with recursion on $e$. If $e = 1$, then $\alpha \in \mathbb{Z}_q$, so we have nothing to do. Suppose $e > 1$. Choose $f$ so that $1 \leq f \leq e-1$. We can write $\alpha = i\cdot q^f + j$, where $0 \leq i < q^{e-f}$ and $0 \leq j < g^f$. Then
$$
u = g^\alpha = g^{i \cdot q^f + j} = (g_f)^i \cdot g^j.
$$
Since $g_f$ has order $q^{e-f}$, exponentiate both sides by $q^{e-f}$ to get
$$
u^{(q^{e-f})} = (g_f)^{q^{e-f} \cdot i} \cdot g^{q^{e-f} \cdot j} = (g_{e-f})^j.
$$
Now the problem has been reduced to a discrete logarithm problem with base $g_{e-f}$, which has order $q^f$. We can compute $j$ using algorithms for discrete logarithms.
After finding $j$, we have
$$
u/g^j = (g_f)^i
$$
which is also a discrete logarithm problem with base $g_f$, which has order $q^{e-f}$. We can compute $i$ that satisfies this equation. Finally, we can compute $\alpha = i \cdot q^f + j$. We have reduced a discrete logarithm problem into two smaller discrete logarithm problems.
To get the best running time, choose $f \approx e/2$. Let $T(e)$ be the running time, then
$$
T(e) = 2T\left( \frac{e}{2} \right) + \mathcal{O}(e\log q).
$$
The $\mathcal{O}(e\log q)$ term comes from exponentiating both sides by $q^{e-f}$. Solving this recurrence gives
$$
T(e) = \mathcal{O}(e \cdot T_{\mathrm{base}} + e\log e \log q),
$$
where $T_\mathrm{base}$ is the complexity of the algorithm for the base case $e = 1$. $T_\mathrm{base}$ is usually the dominant term, since the best known algorithm takes $\mathcal{O}(\sqrt{q})$.
Thus, computing the discrete logarithm in $G$ is only as hard as computing it in the subgroup of prime order.
### General Case: Pohlig-Hellman Algorithm
Let $G = \left\langle g \right\rangle$ be a cyclic group of order $n = q_1^{e_1}\cdots q_r^{e_r}$, where the factorization of $n$ into distinct primes $q_i$ is given. We want to find $\alpha$ such that $g^\alpha = u$.
For $i = 1, \dots, r$, define $q_i^\ast = n / q_i^{e_i}$. Then $u^{q_i^\ast} = (g^{q_i^\ast})^\alpha$, where $g^{q_i^\ast}$ will have order $q_i^{e_i}$ in $G$. Now compute $\alpha_i$ using the algorithm for the prime power case.
Then for all $i$, we have $\alpha \equiv \alpha_i \pmod{q_i^{e_i}}$. We can now use the Chinese remainder theorem to recover $\alpha$. Let $q_r$ be the largest prime, then the running time is bounded by
$$
\sum_{i=1}^r \mathcal{O}(e_i T(q_i) + e_i \log e_i \log q_i) = \mathcal{O}(T(q_r) \log n + \log n \log \log n)
$$
group operations. Thus, we can conclude the following.
> The difficulty of computing discrete logarithms in a cyclic group of order $n$ is determined by the size of the largest prime factor.
### Consequences
- For a group with order $n = 2^k$, the Pohlig-Hellman algorithm will easily compute the discrete logarithm, since the largest prime factor is $2$. The DL assumption is false for this group.
- For primes of the form $p = 2^k + 1$, the group $\mathbb{Z}_p^\ast$ has order $2^k$, so the DL assumption is also false for these primes.
- In general, $G$ must have at least one large prime factor for the DL assumption to be true.
- By the Pohlig-Hellman algorithm, discrete logarithms in groups of composite order is a little harder than groups of prime order. So we often use a prime order group.
## Information Leakage in Groups of Composite Order
Let $G = \left\langle g \right\rangle$ be a cyclic group of composite order $n$. We suppose that $n = n_1n_2$, where $n_1$ is a small prime factor.
By the Pohlig-Hellman algorithm, the adversary can compute $\alpha_1 \equiv \alpha \pmod {n_1}$ by computing the discrete logarithm of $u^{n_2}$ with base $g^{n_2}$.
Consider $n_1 = 2$. Then the adversary knows whether $\alpha$ is even or not.
> **Lemma.** $\alpha$ is even if and only if $u^{n/2} = 1$.
*Proof*. If $\alpha$ is even, then $u^{n/2} = g^{\alpha n/2} = (g^{\alpha/2})^n = 1$, since the group has order $n$. Conversely, if $u^{n/2} = g^{\alpha n/2} = 1$, then the order of $g$ must divide $\alpha n/2$, so $n \mid (\alpha n /2)$ and $\alpha$ is even.
This lemma can be used to break the DDH assumption.
> **Lemma.** Given $u = g^\alpha$ and $v = g^\beta$, $\alpha\beta \in \mathbb{Z}_n$ is even if and only if $u^{n/2} = 1$ or $v^{n/2} = 1$.
*Proof*. $\alpha\beta$ is even if and only if either $\alpha$ or $\beta$ is even. By the above lemma, this is equivalent to $u^{n/2} = 1$ or $v^{n/2} = 1$.
Now we describe an attack for the DDH problem.
> 1. The adversary is given $(g^\alpha, g^\beta, g^\gamma)$.
> 2. The adversary computes the parity of $\gamma$ and $\alpha\beta$ and compares them.
> 3. The adversary outputs $\texttt{accept}$ if the parities match, otherwise output $\texttt{reject}$.
If $\gamma$ was chosen uniformly, then the adversary wins with probability $1/2$. But if $\gamma = \alpha\beta$, the adversary always wins, so the adversary has DDH advantage $1/2$.
The above process can be generalized to any groups with small prime factor. See Exercise 16.2[^2] Thus, this is another reason we use groups of prime order.
- DDH assumption does not hold in $\mathbb{Z}_p^\ast$, since its order $p-1$ is always even.
- Instead, we use a prime order subgroup of $\mathbb{Z}_p^\ast$ or prime order elliptic curve group.
## Summary of Discrete Logarithm Algorithms
|Name|Time Complexity|Space Complexity|
|:-:|:-:|:-:|
|BSGS|$\mathcal{O}(\sqrt{q})$|$\mathcal{O}(\sqrt{q})$|
|Pohlig-Hellman|$\mathcal{O}(\sqrt{q_\mathrm{max}}$|$\mathcal{O}(1)$|
|Pollard's Rho|$\mathcal{O}(\sqrt{q})$|$\mathcal{O}(1)$|
- In generic groups, solving the DLP requires $\Omega(\sqrt{q})$ operations.
- By *generic groups*, we mean that only group operations and equality checks are allowed. Algebraic properties are not used.
- Thus, we use a large prime $q$ such that $\sqrt{q}$ is large enough.
## Candidates of Discrete Logarithm Groups
We need groups of order prime, and we cannot use $\mathbb{Z}_p^\ast$ as itself. We have two candidates.
- Use a subgroup of $\mathbb{Z}_p^\ast$ having prime order $q$ such that $q \mid (p-1)$ as in Diffie-Hellman.
- Elliptic curve group modulo $p$.
### Reduced Residue Class $\mathbb{Z}_p^\ast$
There are many specific algorithms for discrete logarithms on $\mathbb{Z}_p^\ast$.
- Index-calculus
- Elliptic-curve method
- Special number-field sieve (SNFS)
- **General number-field sieve** (GNFS)
GNFS running time is dominated by the term $\exp(\sqrt[3]{\ln p})$. If we let $p$ to be an $n$-bit prime, then the complexity is $\exp(\sqrt[3]{n})$. Suppose that GNFS runs in time $T$ for prime $p$. Since $\sqrt[3]{2} \approx 1.26$, doubling the number of bits will increase the running time of GNFS to $T^{1,26}$.
Compare this with symmetric ciphers such as AES, where doubling the key size squares the amount of work required.[^3] NIST and Lenstra recommends the size of primes that gives a similar level of security to that of symmetric ciphers.
|Symmetric key length|Size of prime (NIST)|Size of prime (Lenstra)|
|:-:|:-:|:-:|
|80|1024|1329|
|128|3072|4440|
|256|15360|26268|
All sizes are in bits. Thus we need a very large prime, for example $p > 2^{2048}$, for security these days.
### Elliptic Curve Group over $\mathbb{Z}_p$
Currently, the best-known attacks are generic attacks, so we can use much smaller parameters than $\mathbb{Z}_p^\ast$. Often the groups have sizes about $2^{256}$, $2^{384}$, $2^{512}$.
[^1]: We didn't require $q$ to be prime!
[^2]: A Graduate Course in Applied Cryptography
[^3]: Recall that the best known attack was only 4 times faster than brute-force search.

245
_posts/lecture-notes/modern-cryptography/2023-10-26-digital-signatures.md Normal file
View File

@@ -0,0 +1,245 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 10. Digital Signatures
date: 2023-10-26
github_title: 2023-10-26-digital-signatures
image:
path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-10-dsig-security.png
attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography
---
## Digital Signatures
> **Definition.** A **signature scheme** $\mc{S} = (G, S, V)$ is a triple of efficient algorithms, where $G$ is a **key generation** algorithm, $S$ is a **signing** algorithm, and $V$ is a **verification** algorithm.
>
> - A probabilistic algorithm $G$ outputs a pair $(pk, sk)$, where $sk$ is called a secret **signing key**, and $pk$ is a public **verification key**.
> - Given $sk$ and a message $m$, a probabilistic algorithm $S$ outputs a **signature** $\sigma \la S(sk, m)$.
> - $V$ is a deterministic algorithm that outputs either $\texttt{{accept}}$ or $\texttt{reject}$ for $V(pk, m, \sigma)$.
The correctness property requires that all signatures generated by $S$ is always accepted by $V$. For all $(pk, sk) \la G$ and $m \in \mc{M}$,
$$
\Pr[V(pk, m, S(sk, m)) = \texttt{{accept}}] = 1.
$$
### Properties of Digital Signatures
- Digital signatures can be verified by anyone, whereas MACs can be verified by the parties sharing the same key.
- No need to share a key for digital signatures.
- **Non-repudiation**: cannot deny having created the signature.
- Signatures can only be created by people having the secret key.
- In cases where the secret key is leaked, then we don't have non-repudiation.
- In MACs, the secret key is shared by two parties, so we don't have non-repudiation.
- Must trust the identity of the public key.
- How do you trust that this public key is Alice's?
- We need **public key infrastructure** (PKI).
### Applications
- Electronic document signing
- HTTPS/TLS certificates
- Software installation
- Authenticated email (DKIM)
- Bitcoins
## Secure Digital Signatures
The definition is similar to the [secure MAC](./2023-09-21-macs.md#secure-mac-unforgeability). The adversary can perform a **chosen message attack**, but cannot create an **existential forgery**.
![mc-10-dsig-security.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-dsig-security.png)
> **Definition.** Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$. Given an adversary $\mc{A}$, the game goes as follows.
>
> 1. The challenger generates $(pk, sk) \la G()$ and sends $pk$ to $\mc{A}$.
> 2. $\mc{A}$ makes a series of *signing queries* to the challenger.
> - Each query is a message $m_i \in \mc{M}$, the challenger responds with $\sigma_i \la S(sk, m_i)$.
> 3. $\mc{A}$ computes and outputs a candidate forgery pair $(m, \sigma) \in \mc{M} \times \Sigma$.
> - $m \notin \left\lbrace m_1, \dots, m_q \right\rbrace$.
> - $(m, \sigma) \notin \left\lbrace (m_1, \sigma_1), \dots, (m_q, \sigma_q) \right\rbrace$. (strong)
>
> $\mc{A}$ wins if $V(pk, m, \sigma) = \texttt{accept}$, let this event be $W$. The advantage of $\mc{A}$ with respect to $\mc{S}$ is defined as
>
> $$
> \rm{Adv}_{\rm{SIG}}[\mc{A}, \mc{S}] = \Pr[W].
> $$
>
> If the advantage is negligible for all efficient adversaries $\mc{A}$, the signature scheme $S$ is (strongly) **secure**. $\mc{S}$ is **existentially unforgeable under a chosen message attack**.
- We do not make verification queries, since the adversary can always check any signature.
- The normal definition of security is sufficient. Secure signature schemes can be converted into strongly secure signature schemes. See Exercise 14.10.[^1]
### Message Confusion
Two different messages $m, m'$ can produce the same signature $\sigma$. In this case, the scheme is vulnerable to **message confusion**. See Exercise 13.3.[^1]
In common implementations, we consider $m$, $m'$ both to be valid. But there may be situations that this is undesirable. For those cases, a signature is would be a *binding commitment* to the message, and there will be no confusion.
### Signer Confusion
Suppose that $(m, \sigma)$ is a valid pair with $pk$, i.e, $V(pk, m, \sigma) = \texttt{accept}$. But an attacker can generate $pk'$ different from $pk$ such that $V(pk', m, \sigma) = \tt{accept}$. In this cases, we have **signer confusion** since both can claim to have signed $m$. See Exercise 13.4.[^1]
### Strongly Binding Signatures
**Strongly binding signatures** prevent both message confusion and signer confusion.
Any signature scheme can be made strongly binding by appending a collision resistant hash of $(pk, m)$ to the signature. See Exercise 13.5.[^1]
## Extending the Message Space
We can extend the message space of a secure digital signature scheme, [as we did for MACs](./2023-09-28-hash-functions.md#mac-domain-extension). Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$ and let $H : \mc{M}' \ra \mc{M}$ be a hash function with $\left\lvert \mc{M}' \right\lvert \geq \left\lvert \mc{M} \right\lvert$.
Define a new signature scheme $\mc{S}' = (G, S', V')$ over $(\mc{M}', \Sigma)$ as
$$
S'(sk, m) = S(sk, H(m)), \qquad V'(pk, m, \sigma) = V(pk, H(m), \sigma).
$$
This is often called the **hash-and-sign paradigm**, and the new signature scheme is also secure.
> **Theorem.** Suppose that $\mc{S}$ is a secure signature scheme and $H$ is a collision resistant hash function. Then $\mc{S}'$ is a secure signature.
>
> If $\mc{A}$ is an adversary attacking $\mc{S}'$, then there exist an adversary $\mc{B}_\mc{S}$ attacking $\mc{S}$ and an adversary $\mc{B}_H$ attacking $H$ such that
>
> $$
> \rm{Adv}_{\rm{SIG}}[A, \mc{S}'] \leq \rm{Adv}_{\rm{SIG}}[\mc{B}_\mc{S}, \mc{S}] + \rm{Adv}_{\rm{CR}}[\mc{B}_H, H].
> $$
*Proof*. The proof is identical to the theorem for MACs.
## Digital Signature Constructions
We can build secure signature schemes from hash functions, trapdoor permutations, or from discrete logarithms.
### Textbook RSA Signatures
This is the signature scheme based on the textbook RSA. It is also insecure.
- Key generation: $pk = (N, e)$ and $sk = (N, d)$ are chosen to satisfy $d = e^{-1} \bmod \phi(N)$ for $N = pq$.
- Sign: $S(sk, m) = m^d \bmod N$.
- Verify: $V(pk, m, \sigma)$ returns $\texttt{accept}$ if and only if $\sigma^e = m \bmod N$.
Here are some possible attacks.
- No message attack
- Just return $(\sigma^e, \sigma)$ for some $\sigma$. Then it passes verification.
- Attack using the homomorphic property.
- Suppose we want to forge a message $m$.
- Pick $m_1 \in \Z_N^{\ast}$ and set $m_2 = m\cdot m_1^{-1} \bmod N$.
- Query signatures for both messages and multiply the responses.
- $\sigma = \sigma_1 \cdot \sigma_2 = m_1^e \cdot m^e \cdot m_1^{-e} = m^e \bmod N$.
- Then $(m, \sigma)$ is a valid pair.
Because of the second attack, the textbook RSA signature is **universally forgeable**. This property is used to create **blind signatures**, where the signer creates a signature without any knowledge about the message. See Exercise 13.15.[^1]
### RSA Full Domain Hash Signature Scheme
Given a hash function $H : \mc{M} \ra \mc{Y}$, the **RSA full domain hash** signature scheme $\mc{S}_\rm{RSA-FDH}$ is defined as follows.
- Key generation: $pk = (N, e)$ and $sk = (N, d)$ are chosen to satisfy $d = e^{-1} \bmod \phi(N)$ for $N = pq$.
- Sign: $S(sk, m) = H(m)^d \bmod N$.
- Verify: $V(pk, m, \sigma)$ returns $\texttt{accept}$ if and only if $\sigma^d = H(m) \bmod N$.
This scheme is now secure.
> **Theorem.** If the hash function $H$ is modeled as a random oracle, and the RSA assumptions holds, then $\mc{S}_\rm{RSA-FDH}$ is a secure signature scheme.
>
> For any $q$-query adversary $\mc{A}$ against hashed RSA, there exists an adversary $\mc{B}$ solving the RSA problem such that
>
> $$
> \rm{Adv}_{\rm{SIG}}[\mc{A}, \mc{S}_\rm{RSA-FDH}] \leq q \cdot \rm{Adv}_{\rm{RSA}}[\mc{B}].
> $$
### Full Domain Hash Signature Scheme
The following is a description of a **full domain hash** scheme $\mc{S}_\rm{FDH}$, constructed from trapdoor permutation scheme $\mc{T} = (G, F, I)$.
- Key generation: $(pk, sk) \la G()$.
- Sign: $S(sk, m)$ returns $\sigma \la I(sk, H(m))$.
- Verify: $V(pk, m, \sigma)$ returns $\texttt{accept}$ if and only if $F(pk, \sigma) = H(m)$.
This scheme $\mc{S}_\rm{FDH} = (G, S, V)$ is secure if $\mc{T}$ is a **one-way trapdoor permutation** and $H$ is a random oracle.
> **Theorem.** Let $\mc{T} = (G,F,I)$ be a one-way trapdoor permutation defined over $\mc{X}$. Let $H : \mc{M} \ra \mc{X}$ be a hash function, modeled as a random oracle. Then the derived FDH signature scheme $\mc{S}_\rm{FDH}$ is a secure signature scheme.
*Proof*. See Theorem 13.3.[^1]
## Schnorr Digital Signature Scheme
This one uses discrete logarithms.
### The Schnorr Identification Protocol
This scheme is originally from the **Schnorr identification protocol**.
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. We consider an interaction between two parties, prover $P$ and a verifier $V$. The prover has a secret $\alpha \in \Z_q$ and the verification key is $u = g^\alpha$. **$P$ wants to convince $V$ that he knows $\alpha$, but does not want to reveal $\alpha$**.
![mc-10-schnorr-identification.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-schnorr-identification.png)
The protocol $\mc{I}_\rm{sch} = (G, P, V)$ works as follows.
> 1. A **secret key** $\alpha \la \Z_q$ and **verification key** $u \la g^\alpha$ is generated. The prover $P$ has $\alpha$ and the verifier $V$ has $u$.
> 2. $P$ computes a random $\alpha_t \la \Z_q$, and sends $u_t \la g^{\alpha_t}$ to $V$.
> 3. $V$ chooses a random $c \la \Z_q$ and sends it to $P$.
> 4. $P$ computes $\alpha_z \la \alpha_t + \alpha c \in \Z_q$ and sends it to $V$.
> 5. $V$ checks if $g^{\alpha_z} = u_t \cdot u^c$. Accept if and only if it is equal.
- $u_t$ is the **commitment** sent to the verifier.
- $c$ is the **challenge** sent to the prover.
- If $P$ can predict the challenge, $P$ can choose $\alpha_t$ and $\alpha_z$ so that verifier accepts it.
- $\alpha_z$ is the **response** sent to the verifier.
We must check a few things.
- **Correctness**: If $P$ has the correct $\alpha$, then $g^{\alpha_z} = g^{\alpha_t} \cdot (g^\alpha)^c = u_t \cdot u^c$.
- **Soundness**: If $P$ does not have the correct $\alpha$, it is reject with probability $1 - \frac{1}{q}$.
- We can repeat this many times then the probability of reject is $1 - \frac{1}{q^n} \ra 1$.
- Thus $q$ (the size of the challenge space) must be large.
- **Zero-knowledge**: $V$ learns no information about $x$ from the conversation.
- This will be revisited later. See [here](./2023-11-07-sigma-protocols.md#the-schnorr-identification-protocol-revisited).
> **Theorem.** The Schnorr identification protocol is secure if the DL problem is hard, and the challenge space $\mc{C}$ is large.
### Schnorr Digital Signature Scheme
We *transform* the above protocol to a signature scheme.[^2] We need a hash function $H : \mc{M} \times G \ra \mc{C}$, modeled as a random oracle. The protocol originally involves interaction between two parties, but a signature is computed by a single party. Intuitively, $H$ will play the role of the verifier.
The **Schnorr signature scheme** $\mc{S}_\rm{sch} = (G, S, V)$ is defined as follows.
- Key generation: a **secret key** $sk = \alpha \la \Z_q$ and **public key** $pk = u \la g^\alpha$ is generated.
- Sign: $S(sk, m)$ outputs $\sigma = (u_t, \alpha_z)$ where
- Choose random $\alpha_t \la \Z_q$ and set $u_t \la g^{\alpha_t}$.
- **Compute $c \la H(m, u_t)$** and set $\alpha_z \la \alpha_t + \alpha c$.
- Verify: $V(pk, m, \sigma)$ outputs $\texttt{accept}$ if and only if $g^{\alpha_z} = u_t \cdot u^c$.
- $c \la H(m, u_t)$ can be computed and $u$ is known.
Since $H$ is being modeled as a random oracle, the signer cannot predict the value of the challenge $c$. Also, $c$ must take both $m$ and $u_t$ as input, since without $m$, the signature is not related to $m$ (the signature has no $m$ term inside it). On the other hand, without $u_t$, then the scheme is insecure since the Schnorr identification protocol is HVZK. See Exercise 19.12.[^1]
> **Theorem.** If $H$ is modeled as a random oracle and Schnorr's identification protocol is secure, then Schnorr's signature scheme is also secure.
*Proof*. See Theorem 19.7.[^1]
Note that $\alpha \la \Z_q$ must be chosen randomly every time.
## Digital Signature Algorithm
Schnorr's scheme was protected by a patent, so NIST opted for a ad-hoc signature scheme based on a prime order subgroup of $\Z_p^{\ast}$. This algorithm eventually became the **Digital Signature Algorithm** (DSA). The standard was updated to support elliptic curve groups over a finite field, resulting in **ECDSA**.
## Public Key Infrastructure
How would you trust public keys? We introduce **digital certificates** for this.
Read in [public key infrastructure (Internet Security)](../../Lecture%20Notes/Internet%20Security/2023-10-16-pki.md).
[^1]: A Graduate Course in Applied Cryptography
[^2]: By using the [Fiat-Shamir transform](./2023-11-07-sigma-protocols.md#the-fiat-shamir-transform).

222
_posts/lecture-notes/modern-cryptography/2023-10-31-advanced-topics.md Normal file
View File

@@ -0,0 +1,222 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 11. Advanced Topics
date: 2023-10-31
github_title: 2023-10-31-advanced-topics
---
## Ciphertext Indistinguishability
- By **Shafi Goldwasser** and **Silvio Micali**
- Turing Award in 2012
An adversary should not be able to...
- **(Semantic Security)** gain any partial information about a secret.
- **(Ciphertext Indistinguishability)** distinguish pairs of ciphertexts based on the chosen messages.
They showed that
- These two definitions are equivalent under chosen-plaintext attack.
- Encryption schemes must be randomized.
> **Definition.** A symmetric key encryption scheme $E$ is **semantically secure** if for any efficient adversary $\mc{A}$, there exists an efficient $\mc{A}'$ such that for any efficiently computable functions $f$ and $h$,
>
> $$
> \bigg\lvert \Pr\left[ \mc{A}\big( E(k, m), h(m) \big) = f(m) \right] - \Pr\left[ \mc{A}'\big( h(m) \big) = f(m) \right] \bigg\lvert
> $$
>
> is negligible.
## Commitment Schemes
A commitment scheme is for committing a value, and opening it later. The committed value cannot be forged.
> **Definition.** A **commitment scheme** for a finite message space $\mc{M}$ is a pair of efficient algorithms $\mc{C} = (C, V)$ satisfying the following.
>
> - For a message $m \in \mc{M}$ to be committed, $(c, o) \la C(m)$, where $c$ is the **commitment string**, and $o$ is an **opening string**.
> - $V$ is a deterministic algorithm that $V(m, c, o)$ is either $\texttt{accept}$ or $\texttt{reject}$.
> - **Correctness**: for all $m \in \mc{M}$, if $(c, o) \la C(m)$ then $V(m, c, o) = \texttt{accept}$.
Suppose Alice wants to commit a message $m$. She computes $(c, o) \la C(m)$, and sends the commitment string $c$ to Bob, and keeps the opening string $o$ to herself. After some time, Alice sends the opening string $o$ to open the commitment, then Bob will verify the commitment by computing $V(m, c, o)$.
### Secure Commitment Schemes
The scheme must satisfy the following properties. First, the commitment must open to a single message. This is called the **binding** property. Next, the commitment must not reveal any information about the message. This is called the **hiding** property.
> **Definition.** A commitment scheme $\mc{C} = (C, V)$ is **binding** if for every efficient adversary $\mc{A}$ that outputs a $5$-tuple $(c, m_1, o_1, m_2, o_2)$, the probability
>
> $$
> \Pr[m_1 \neq m_2 \land V(m_1, c, o_1) = V(m_2, c, o_2) = \texttt{{accept}}]
> $$
>
> is negligible.
The hiding property is defined as a security game.
> **Definition.** Let $\mc{C} = (C, V)$ be a commitment scheme. Given an adversary $\mc{A}$, define two experiments.
>
> **Experiment $b$**.
> 1. $\mc{A}$ sends $m_0, m_1 \in \mc{M}$ to the challenger.
> 2. The challenger computes $(c, o) \la C(m_b)$ and sends $c$ to $\mc{A}$.
> 3. $\mc{A}$ computes and outputs $b' \in \braces{0, 1}$.
>
> Let $W_b$ be the event that $\mc{A}$ outputs $1$ in experiment $b$. The **advantage** of $\mc{A}$ with respect to $\mc{C}$ is defined as
>
> $$
> \Adv{\mc{A}, \mc{C}} = \abs{\Pr[W_0] - \Pr[W_1]}.
> $$
>
> If the advantage is negligible for all efficient adversaries $\mc{A}$, then the commitment scheme $\mc{C}$ has the **hiding** property.
Next, the definition of secure commitment schemes.
> **Definition.** A commitment scheme $\mc{C} = (C, V)$ is **secure** if it is both hiding and binding.
### Non-binding Encryption Schemes
A semantically secure cipher does not always yield a secure commitment scheme. One might be tempted to use a secure cipher $(E, D)$ as follows.
- For $m \in \mc{M}$, choose $k \la \mc{K}$ and set $\big( E(k, m), k \big) \la C(m)$.
- $V(m, c, k)$ accepts if and only if $D(k, c) = m$.
However, it may be feasible to find another $k' \in \mc{K}'$ such that $D(k, c) \neq D(k', c)$. As an example, consider the one-time pad. It is easy for the committer to manipulate the message. $c = m \oplus k$, so later set $k' = k \oplus m \oplus m'$ as the opening string, then $c \oplus k' = m'$, resulting in a different message.
## Constructions of Commitment Schemes
### Commitment from Secure PRGs
To commit a bit, we can use a secure PRG. The following is due to Naor.
> Let $G : \mc{S} \ra \mc{R}$ be a secure PRG where $\left\lvert \mc{R} \right\lvert \geq \left\lvert \mc{S} \right\lvert^3$ and $\mc{R} = \braces{0, 1}^n$. Suppose that Bob wants to commit a bit $b_0 \in \braces{0, 1}$.
>
> 1. Alice chooses a random $r \in \mc{R}$ and sends it to Bob.
> 2. Bob chooses a random $s \in \mc{S}$ and computes $c \la C(s, r, b_0)$, where
>
> $$
> C(s, r, b_0) = \begin{cases} G(s) & (b_0 = 0) \\ G(s) \oplus r & (b_0 = 1). \end{cases}
> $$
>
> Then Bob outputs $(c, s)$ as the commitment and the opening string.
> 3. During opening, Bob sends $(b_0, s)$ to Alice.
> 4. Alice accepts if and only if $C(s, r, b_0) = c$.
Correctness is obvious, since Alice recomputes $C(s, r, b_0)$.
The hiding property follows since $G(s)$ and $G(s) \oplus r$ are indistinguishable if $G$ is a secure PRG.
The binding property follows if $1 / \left\lvert \mc{S} \right\lvert$ is negligible. For Bob to open $c$ as both $0$ and $1$, he must find two seeds $s_0, s_1 \in \mc{S}$ such that $c = G(s_0) = G(s_1) \oplus r$. Then $r = G(s_0) \oplus G(s_1)$. There are at most $\left\lvert \mc{S} \right\lvert^2$ possible $r \in \mc{R}$ values that this can happen. The probability that Alice chooses such $r$ is
$$
\left\lvert \mc{S} \right\lvert^2 / \left\lvert \mc{R} \right\lvert \leq \left\lvert \mc{S} \right\lvert^2 / \left\lvert \mc{S} \right\lvert^3 = 1 / \left\lvert \mc{S} \right\lvert
$$
by assumption.
The downside of the above protocol is that it has to be interactive.
#### Coin Flipping Protocol
A bit commitment scheme can be used for a **coin flipping protocol**. Suppose that Alice and Bob are flipping coins, when they are physically distant from each other.
> 1. Bob chooses a random bit $b_0 \la \braces{0, 1}$.
> 2. Execute the commitment protocol.
> - Alice obtains a commitment string $c$ of $b_0$.
> - Bob keeps an opening string $o$.
> 3. Alice chooses a random bit $b_1 \la \braces{0, 1}$, and sends it to Bob.
> 4. Bob reveals $b_0$ and $s$ to Alice, she verifies that $c$ is valid.
> 5. The final outcome is $b = b_0 \oplus b_1$.
After step $2$, Alice has no information about $b_0$ because of the hiding property. Her choice of $b_1$ is unbiased, and cannot affect the final outcome. Next, in step $4$, $b_0$ cannot be manipulated by the binding property.
Thus, $b_0$ and $b_1$ are both random, so $b$ is either $0$ or $1$ each with probability $1/2$.[^1]
### Commitment Scheme from Hashing
> Let $H : \mc{X} \ra \mc{Y}$ be a collision resistant hash function, where $\mc{X} = \mc{M} \times \mc{R}$. $\mc{M}$ is the message space, and $\mc{R}$ is a finite nonce space. For $m \in \mc{M}$, the derived commitment scheme $\mc{C}_H = (C, V)$ is defined as follows.
>
> - $C(m)$: choose random $o \la \mc{R}$, set $c = H(m, o)$ and output $(c, o)$.
> - $V(m, c, o)$: output $\texttt{accept}$ if and only if $c = H(m, o)$.
Correctness is obvious.
The binding property follows since $H$ is collision resistant. If it is easy to find a $5$-tuple $(c, m_1, o_1, m_2, o_2)$ such that $c = H(m_1, o_1) = H(m_2, o_2)$, $H$ is not collision resistant.
The hiding property follows if $H$ is modeled as a random oracle, or has a property called **input hiding**. For adversarially chosen $m_1, m_2 \in \mc{M}$ and random $o \la \mc{R}$, the distributions of $H(m_1, o)$ and $H(m_2, o)$ are computationally indistinguishable.
Additionally, this scheme is **non-malleable** if $H$ is modeled as a random oracle and $\mc{Y}$ is sufficiently large.[^2]
### Commitment Scheme from Discrete Logarithms
> Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. Let $h$ be chosen randomly from $G$.
>
> - $C(m)$: choose random $o \la \mathbb{Z}_q$ and $c \la g^m h^o$ and return $(c, o)$.
> - $V(m, c, o)$: output $\texttt{accept}$ if and only if $c = g^m h^o$.
Correctness is obvious.
The binding property follows from the DL assumption. If an adversary finds $m_1, m_2$, $o_1, o_2$ such that $c = g^{m_1} h^{o_1} = g^{m_2} h^{o_2}$, then $h = g^{(m_2 - m_1)/(o_1 - o_2)}$, solving the discrete logarithm problem for $h$.
The hiding property follows since $h$ is uniform in $G$ and $o$ is also uniform in $\mathbb{Z}_q$. Then $g^m h^o$ is uniform in $G$, not revealing any information.
## Post Quantum Cryptography
Quantum computers use **qubits** and **quantum gates** for computation. A **qubit** is a *quantum bit*, a **superposition** of two states $\ket{0}$ and $\ket{1}$.
$$
\ket{\psi} = \alpha \ket{0} + \beta \ket{1}
$$
where $\alpha, \beta \in \mathbb{C}$ and $\left\lvert \alpha \right\lvert^2 + \left\lvert \beta \right\lvert^2 = 1$. The quantum gates are usually orthogonal matrices.
The *superposition* may give the false impression that a quantum computer tries all possible solutions in parallel, but the actual magic comes from **complex amplitudes**.
Quantum computers use **quantum interference**, carefully choreograph computations so that wrong answers *cancel out* their amplitudes, while correct answers combine. This process increases the probability of measuring correct results. Naturally, only a few special problems allow this choreograph.
A scheme is **post-quantum secure** if it is secure against an adversary who has access to a quantum computer. Post-quantum cryptography is about classical algorithms that are believed to withstand quantum attacks.
AES is probably safe, since it still takes $\mc{O}(2^{n/2})$ to solve it. (Grover's algorithm) Also, lattice-based cryptography is another candidate.
## Shor's Algorithm
But factorization and discrete logarithms are not safe. The core idea is that a quantum computer is very good at detecting periodicity. This is done by using the **quantum Fourier transform** (QFT).
### Quantum Factorization
Let $n \in \mathbb{Z}$ and $0\neq g \in \mathbb{Z}_n$. Let $\gamma_g : \mathbb{Z} \ra \mathbb{Z}_n$ be defined as $\gamma_g(\alpha) = g^\alpha$. This function is periodic, since $g^{\phi(n)} = 1$ by Euler's generalization. Also, the order of $g$ will certainly divide the period.
Thus, find a period $p$, and let $t$ be the smallest positive integer such that $g^{p/2^t} \neq 1$. Then $\gcd(n, g^{p/2^t} - 1)$ is a non-trivial factor of $n$ with probability about $1/2$ over the choice of $g$. See Exercise 16.10.[^3]
Shor's algorithm factors $n$ in $\mc{O}(\log^3 n)$ time. RSA is not a secure one-way trapdoor function for quantum computers.
### Quantum Discrete Logarithms
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. Let $u = g^\alpha$. Consider the function $f : \mathbb{Z}^2 \ra G$ defined as
$$
f(\gamma, \delta) = g^\gamma \cdot u^\delta.
$$
The period of this function is $(\alpha, -1)$, since for all $(\gamma, \delta) \in \mathbb{Z}^2$,
$$
f(\gamma + \alpha, \delta - 1) = g^{\gamma} \cdot g^\alpha \cdot u^\delta \cdot u^{-1} = g^\gamma \cdot u^\delta = f(\gamma, \delta).
$$
This period can be found in $\mc{O}(\log^3 q)$ time. The DL assumption is false for quantum computers.
(Detailed explanation to be added...)
[^1]: There is one caveat. Bob gets to know the final result before Alice. If the outcome is not what he desired, he could abort the protocol in some way, like sending an invalid $c$, and go over the whole process again.
[^2]: A commitment scheme is **malleable** if a commitment $c = (c_1, c_2)$ of a message $m$ can be transformed into a commitment $c' = (c_1, c_2 + \delta)$ of a message $m + \delta$.
[^3]: A Graduate Course in Applied Cryptography.

113
_posts/lecture-notes/modern-cryptography/2023-11-02-zkp-intro.md Normal file
View File

@@ -0,0 +1,113 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 12. Zero-Knowledge Proof (Introduction)
date: 2023-11-02
github_title: 2023-11-02-zkp-intro
image:
path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-12-id-protocol.png
attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography
---
- In 1980s, the notion of *zero knowledge* was proposed by Shafi Goldwasser, Silvio micali and Charles Rackoff.
- **Interactive proof systems**: a **prover** tries to convince the **verifier** that some statement is true, by exchanging messages.
- What if the prover is trying to trick the verifier?
- What if the verifier is an adversary that tries to obtain more information?
- These proof systems are harder to build in the digital world.
- This is because it is easy to copy data in the digital world.
## Identification Protocol
![mc-12-id-protocol.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-12-id-protocol.png)
> **Definition.** An **identification protocol** is a triple of algorithms $\mc{I} = (G, P, V)$ satisfying the following.
>
> - $G$ is a probabilistic **key generation** algorithm that outputs $(vk, sk) \leftarrow G()$. $vk$ is the **verification key** and $sk$ is the **secret key**.
> - $P$ is an interactive protocol algorithm called the **prover**, which takes the secret key $sk$ as an input.
> - $V$ is an interactive protocol algorithm called the **verifier**, which takes the verification key $vk$ as an input and outputs $\texttt{accept}$ or $\texttt{reject}$.
>
> For all possible outputs $(vk, sk)$ of $G$, at the end of the interaction between $P(sk)$ and $V(vk)$, $V$ outputs $\texttt{accept}$ with probability $1$.
### Password Authentication
A client is trying to log in, must prove its identity to the server. But the client cannot trust the server (verifier), so the client must prove itself without revealing the secret. The password is the secret in this case. The login is a *proof* that the client is who it claims to be. What should be the verification key? Setting $vk = sk$ certainly works, but the server learns the password, so this should not be used.
Instead, we could set $vk = H(sk)$ by using a hash function $H$. Then the client sends the password, server computes the hash and checks if it is equal. This method still reveals the plaintext password to the server.
## Example: 3-Coloring
Suppose we are given a graph $G = (V, E)$, which we want to color the vertices with at most $3$ colors, so that no two adjacent vertices have the same color. This is an NP-complete problem.
Bob has a graph $G$ and he is trying to $3$-color the graph. Alice shows up and claims that there is a way to $3$-color $G$. If the coloring is valid, Bob is willing to buy the solution, but he cannot trust Alice. Bob won't pay until he is convinced that Alice has a solution, and Alice won't give the solution until she receives the money. How can Alice and Bob settle this problem?
### Protocol
> 1. Bob gives Alice the graph $G = (V, E)$.
> 2. Alice shuffles the colors and colors the graph. The coloring is hidden to Bob.
> 3. Bob randomly picks a single edge $(u, v) \in E$ of this graph.
> 4. Alice reveals the colors of $u$ and $v$.
- If $u$ and $v$ have the same color, Alice is lying to Bob.
- If they have different colors, Alice *might be* telling the truth.
- What if Alice just sends two random colors in step $4$?
- We can use **commitment schemes** so that Alice cannot manipulate the colors after Bob's query.
- Specifically, send the colors of each $v$ using a commitment scheme.
- For Bob's query $(u, v)$, send the opening strings of $u$ and $v$.
- What if Alice doesn't have a solution, but Bob picks an edge with different colors just by luck?
- We can repeat the protocol many times.
- For each protocol instance, an invalid solution can pass with probability $p = \frac{1}{\abs{E}}$.
- Repeat this many times, then $p^n \rightarrow 0$, so invalid solutions will pass with negligible probability.
- Does Bob's query reveal anything about the solution?
- No, Alice randomizes colors for every protocol instance.
- Need formal definition and proof for this.[^1]
## Zero Knowledge Proof (ZKP)
We need three properties for a **zero-knowledge proof** (ZKP).
- (**Completeness**) If the statement is true, an honest verifier must accept the fact by an honest prover.
- (**Soundness**) If the statement is false, no cheating prover can convince an honest verifier, except with some small probability.
- (**Zero Knowledge**) If the statement is true, no verifier (including honest and cheating) learns anything other than the truth of the statement. The statement does not reveal anything about the prover's secret.
We define these formally.
> **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be a relation. A statement $y \in \mc{Y}$ is **true** if $(x, y) \in \mc{R}$ for some $x \in \mc{X}$. The set of true statements
>
> $$
> L_\mc{R} = \braces{y \in \mc{Y} : \exists x \in \mc{X},\; (x, y) \in \mc{R}}
> $$
>
> is called the **language** defined by $\mc{R}$.
> **Definition.** A **zero-knowledge proof** is a protocol between a prover $P(x, y)$ and a verifier $V(x)$. At the end of the protocol, the verifier either accepts or rejects.
In the above definition, $y$ is the statement to prove, and $x$ is the proof of that statement, which the prover wants to hide. The prover and the verifier exchanges messages for the protocol, and this collection of interactions is called the **view** (or conversation, transcript).
> **Definition.**
>
> - (**Completeness**) If $(x, y) \in R$, then an honest verifier accepts with very high probability.
> - (**Soundness**) If $y \notin L$, an honest verifier accepts with a negligible probability.
But how do we define *zero knowledge*? What is *knowledge*? If the verifier learns something, the verifier obtains something that he couldn't have computed without interacting with the prover. Thus, we define zero knowledge as the following.
> **Definition.** We say that a protocol is **honest verifier zero knowledge** (HVZK) if there exists an efficient algorithm $\rm{Sim}$ (simulator) on input $x$ such that the output distribution of $\rm{Sim}(x)$ is indistinguishable from the distribution of the verifier's view.
>
> $$
> \rm{Sim}(x) \approx \rm{View}_V[P(x, y) \lra V(x)]
> $$
For every verifier $V^{\ast}$, possibly dishonest, there exists a simulator $\rm{Sim}$ such that $\rm{Sim}(x)$ is indistinguishable from the verifier's view $\rm{View}_{V^{\ast}}[P(x, y) \leftrightarrow V^{\ast}(x)]$.
If the proof is *zero knowledge*, the adversary can simulate conversations on his own without knowing the secret. Meaning that the adversary learns nothing from the conversation.
[^1]: How to give a formal proof for HVZK...?

476
_posts/lecture-notes/modern-cryptography/2023-11-07-sigma-protocols.md Normal file
View File

@@ -0,0 +1,476 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 13. Sigma Protocols
date: 2023-11-07
github_title: 2023-11-07-sigma-protocols
image:
path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-13-sigma-protocol.png
attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography
---
The previous [3-coloring example](./2023-11-02-zkp-intro.md#example-3-coloring) certainly works as a zero knowledge proof, but is quite slow, and requires a lot of interaction. There are efficient protocols for interactive proofs, we will study sigma protocols.
## Sigma Protocols
### Definition
> **Definition.** An **effective relation** is a binary relation $\mc{R} \subset \mc{X} \times \mc{Y}$, where $\mc{X}$, $\mc{Y}$, $\mc{R}$ are efficiently recognizable finite sets. Elements of $\mc{Y}$ are called **statements**. If $(x, y) \in \mc{R}$, then $x$ is called a **witness for** $y$.
![mc-13-sigma-protocol.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-sigma-protocol.png)
> **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be an effective relation. A **sigma protocol** for $\mc{R}$ is a pair of algorithms $(P, V)$ satisfying the following.
>
> - The **prover** $P$ is an interactive protocol algorithm, which takes $(x, y) \in \mc{R}$ as input.
> - The **verifier** $V$ is an interactive protocol algorithm, which takes $y \in \mc{Y}$ as input, and outputs $\texttt{accept}$ or $\texttt{reject}$.
>
> The interaction goes as follows.[^1]
>
> 1. $P$ computes a **commitment** message $t$ and sends it to $V$.
> 2. $V$ chooses a random **challenge** $c \la \mc{C}$ from a **challenge space** and sends it to $P$.
> 3. $P$ computes a **response** $z$ and sends it to $V$.
> 4. $V$ outputs either $\texttt{accept}$ or $\texttt{reject}$, computed strictly as a function of the statement $y$ and the **conversation** $(t, c, z)$.
>
> For all $(x, y) \in \mc{R}$, at the end of the interaction between $P(x, y)$ and $V(y)$, $V(y)$ always outputs $\texttt{accept}$.
- The verifier is deterministic except for choosing a random challenge $c \la \mc{C}$.
- If the output is $\texttt{accept}$, then the conversation $(t, c, z)$ is an **accepting conversation for** $y$.
- In most cases, the challenge space has to be super-poly. We say that the protocol has a **large challenge space**.
## Soundness
The **soundness** property says that it is infeasible for any prover to make the verifier accept a statement that is false.
> **Definition.** Let $\Pi = (P, V)$ be a sigma protocol for $\mc{R} \subset \mc{X}\times \mc{Y}$. For a given adversary $\mc{A}$, the security game goes as follows.
>
> 1. The adversary chooses a statement $y^{\ast} \in \mc{Y}$ and gives it to the challenger.
> 2. The adversary interacts with the verifier $V(y^{\ast})$, where the challenger plays the role of verifier, and the adversary is a possibly *cheating* prover.
>
> The adversary wins if $V(y^{\ast})$ outputs $\texttt{accept}$ but $y^{\ast} \notin L_\mc{R}$. The advantage of $\mc{A}$ with respect to $\Pi$ is denoted $\rm{Adv}_{\rm{Snd}}[\mc{A}, \Pi]$ and defined as the probability that $\mc{A}$ wins the game.
>
> If the advantage is negligible for all efficient adversaries $\mc{A}$, then $\Pi$ is **sound**.
### Special Soundness
For sigma protocols, it suffices to require **special soundness**.
> **Definition.** Let $(P, V)$ be a sigma protocol for $\mc{R} \subset \mc{X} \times \mc{Y}$. $(P, V)$ provides **special soundness** if there is an efficient deterministic algorithm $\rm{Ext}$, called a **knowledge extractor** with the following property.
>
> Given a statement $y \in \mc{Y}$ and two accepting conversations $(t, c, z)$ and $(t, c', z')$ with $c \neq c'$, $\rm{Ext}$ outputs a **witness** (proof) $x \in \mc{X}$ such that $(x, y) \in \mc{R}$.
The extractor efficiently finds a proof $x$ for $y \in \mc{Y}$. This means, if a possibly cheating prover $P^{\ast}$ makes $V$ accept $y$ with non-negligible probability, then $P^{\ast}$ must have known a proof $x$ for $y$. **Thus $P^{\ast}$ isn't actually a dishonest prover, he already has a proof.**
Note that the commitment $t$ is the same for the two accepting conversations. The challenge $c$ and $c'$ are chosen after the commitment, so if the prover can come up with $z$ and $z'$ so that $(t, c, z)$ and $(t, c', z')$ are accepting conversations for $y$, then the prover must have known $x$.
We also require that the challenge space is large, the challenger shouldn't be accepted by luck.
### Special Soundness $\implies$ Soundness
> **Theorem.** Let $\Pi$ be a sigma protocol with a large challenge space. If $\Pi$ provides special soundness, then $\Pi$ is sound.
>
> For every efficient adversary $\mc{A}$,
>
> $$
> \rm{Adv}_{\rm{Snd}}[\mc{A}, \Pi] \leq \frac{1}{N}
> $$
>
> where $N$ is the size of the challenge space.
*Proof*. Suppose that $\mc{A}$ chooses a false statement $y^{\ast}$ and a commitment $t^{\ast}$. It suffices to show that there exists at most one challenge $c$ such that $(t^{\ast}, c, z)$ is an accepting conversation for some response $z$.
If there were two such challenges $c, c'$, then there would be two accepting conversations for $y^{\ast}$, which are $(t^{\ast}, c, z)$ and $(t^{\ast}, c', z')$. Now by special soundness, there exists a witness $x$ for $y^{\ast}$, which is a contradiction.
## Special Honest Verifier Zero Knowledge
The conversation between $P$ and $V$ must not reveal anything.
> **Definition.** Let $(P, V)$ be a sigma protocol for $\mc{R} \subset \mc{X} \times \mc{Y}$. $(P, V)$ is **special honest verifier zero knowledge** (special HVZK) if there exists an efficient probabilistic algorithm $\rm{Sim}$ (**simulator**) that satisfies the following.
>
> - For all inputs $(y, c) \in \mc{Y} \times \mc{C}$, $\rm{Sim}(y, c)$ outputs a pair $(t, z)$ such that $(t, c, z)$ is always an accepting conversation for $y$.
> - For all $(x, y) \in \mc{R}$, let $c \la \mc{C}$ and $(t, z) \la \rm{Sim}(y, c)$. Then $(t, c, z)$ has the same distribution as the conversation between $P(x, y)$ and $V(y)$.
The difference is that the simulator takes an additional input $c$. Also, the simulator produces an accepting conversation even if the statement $y$ does not have a proof.
Also note that **the simulator is free to generate the messages in any convenient order**.
## The Schnorr Identification Protocol Revisited
The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](./2023-10-26-digital-signatures.md#the-schnorr-identification-protocol) for the full description.
![mc-10-schnorr-identification.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-schnorr-identification.png)
> The pair $(P, V)$ is a sigma protocol for the relation $\mc{R} \subset \mc{X} \times \mc{Y}$ where
>
> $$
> \mc{X} = \bb{Z}_q, \quad \mc{Y} = G, \quad \mc{R} = \left\lbrace (\alpha, u) \in \bb{Z}_q \times G : g^\alpha = u \right\rbrace.
> $$
>
> The challenge space $\mc{C}$ is a subset of $\bb{Z}_q$.
The protocol provides **special soundness**. If $(u_t, c, \alpha_z)$ and $(u_t, c', \alpha_z')$ are two accepting conversations with $c \neq c'$, then we have
$$
g^{\alpha_z} = u_t \cdot u^c, \quad g^{\alpha_z'} = u_t \cdot u^{c'},
$$
so we have $g^{\alpha_z - \alpha_z'} = u^{c - c'}$. Setting $\alpha^{\ast} = (\alpha_z - \alpha_z') /(c - c')$ satisfies $g^{\alpha^{\ast}} = u$, solving the discrete logarithm and $\alpha^{\ast}$ is a proof.
As for HVZK, the simulator chooses $\alpha_z \la \bb{Z}_q$, $c \la \mc{C}$ randomly and sets $u_t = g^{\alpha_z} \cdot u^{-c}$. Then $(u_t, c, \alpha_z)$ will be accepted. *Note that the order doesn't matter.* Also, the distribution is same, since $c$ and $\alpha_z$ are uniform over $\mc{C}$ and $\bb{Z}_q$ and the choice of $c$ and $\alpha_z$ determines $u_t$ uniquely. This is identical to the distribution in the actual protocol.
### Dishonest Verifier
In case of dishonest verifiers, $V$ may not follow the protocol. For example, $V$ may choose non-uniform $c \in \mc{C}$ depending on the commitment $u_t$. In this case, the conversation from the actual protocol and the conversation generated by the simulator will have different distributions.
We need a different distribution. The simulator must also take the verifier's actions as input, to properly simulate the dishonest verifier.
### Modified Schnorr Protocol
The original protocol can be modified so that the challenge space $\mc{C}$ is smaller. Completeness property is obvious, and the soundness error grows, but we can always repeat the protocol.
As for zero knowledge, the simulator $\rm{Sim}_{V^{\ast}}(u)$ generates a verifier's view $(u, c, z)$ as follows.
- Guess $c' \la \mc{C}$. Sample $z' \la \bb{Z}_q$ and set $u' = g^{z'}\cdot u^{-c'}$. Send $u'$ to $V^{\ast}$.
- If the response from the verifier $V^{\ast}(u')$ is $c$ and $c \neq c'$, restart.
- $c = c'$ holds with probability $1 / \left\lvert \mc{C} \right\lvert$, since $c'$ is uniform.
- Otherwise, output $(u, c, z) = (u', c', z')$.
Sending $u'$ to $V^{\ast}$ is possible because the simulator also takes the actions of $V^{\ast}$ as input. The final output conversation has distribution identical to the real protocol execution.
Overall, this modified protocol works for dishonest verifiers, at the cost of efficiency because of the increased soundness error. We have a security-efficiency tradeoff.
But in most cases, it is enough to assume honest verifiers, as we will see soon.
## Other Sigma Protocol Examples
### Okamoto's Protocol
This one is similar to Schnorr protocol. This is used for proving the representation of a group element.
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$, let $h \in G$ be some arbitrary group element, fixed as a system parameter. A **representation** of $u$ relative to $g$ and $h$ is a pair $(\alpha, \beta) \in \bb{Z}_q^2$ such that $g^\alpha h^\beta = u$.
**Okamoto's protocol** for the relation
$$
\mc{R} = \bigg\lbrace \big( (\alpha, \beta), u \big) \in \bb{Z}_q^2 \times G : g^\alpha h^\beta = u \bigg\rbrace
$$
goes as follows.
![mc-13-okamoto.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-okamoto.png)
> 1. $P$ computes random $\alpha_t, \beta_t \la \bb{Z}_q$ and sends commitment $u_t \la g^{\alpha_t}h^{\beta_t}$ to $V$.
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
> 3. $P$ computes $\alpha_z \la \alpha_t + \alpha c$, $\beta_z \la \beta_t + \beta c$ and sends $(\alpha_z, \beta_z)$ to $V$.
> 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\alpha_z} h^{\beta_z} = u_t \cdot u^c$.
Completeness is obvious.
> **Theorem**. Okamoto's protocol provides special soundness and is special HVZK.
*Proof*. Very similar to the proof of Schnorr. Refer to Theorem 19.9.[^2]
### The Chaum-Pedersen Protocol for DH-Triples
The **Chaum-Pederson protocol** is for convincing a verifier that a given triple is a DH-triple.
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. $(g^\alpha, g^\beta, g^\gamma)$ is a DH-triple if $\gamma = \alpha\beta$. Then, the triple $(u, v, w)$ is a DH-triple if and only if $v = g^\beta$ and $w = u^\beta$ for some $\beta \in \bb{Z}_q$.
The Chaum-Pederson protocol for the relation
$$
\mc{R} = \bigg\lbrace \big( \beta, (u, v, w) \big) \in \bb{Z}_q \times G^3 : v = g^\beta \land w = u^\beta \bigg\rbrace
$$
goes as follows.
![mc-13-chaum-pedersen.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-chaum-pedersen.png)
> 1. $P$ computes random $\beta_t \la \bb{Z}_q$ and sends commitment $v_t \la g^{\beta_t}$, $w_t \la u^{\beta_t}$ to $V$.
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
> 3. $P$ computes $\beta_z \la \beta_t + \beta c$, and sends it to $V$.
> 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\beta_z} = v_t \cdot v^c$ and $u^{\beta_z} = w_t \cdot w^c$.
Completeness is obvious.
> **Theorem.** The Chaum-Pedersen protocol provides special soundness and is special HVZK.
*Proof*. Also similar. See Theorem 19.10.[^2]
This can be used to prove that an ElGamal ciphertext $c = (u, v) = (g^k, h^k \cdot m)$ is an encryption of $m$ with public key $h = g^\alpha$, without revealing the private key or the ephemeral key $k$. If $(g^k, h^k \cdot m)$ is a valid ciphertext, then $(h, u, vm^{-1}) = (g^\alpha, g^k, g^{\alpha k})$ is a valid DH-triple.
### Sigma Protocol for Arbitrary Linear Relations
Schnorr, Okamoto, Chaum-Pedersen protocols look similar. They are special cases of a generic sigma protocol for proving a linear relation among group elements. Read more in Section 19.5.3.[^2]
### Sigma Protocol for RSA
Let $(n, e)$ be an RSA public key, where $e$ is prime. The **Guillou-Quisquater** (GQ) protocol is used to convince a verifier that he knows an $e$-th root of $y \in \bb{Z}_n^{\ast}$.
The Guillou-Quisquater protocol for the relation
$$
\mc{R} = \bigg\lbrace (x, y) \in \big( \bb{Z}_n^{\ast} \big)^2 : x^e = y \bigg\rbrace
$$
goes as follows.
![mc-13-gq-protocol.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-gq-protocol.png)
> 1. $P$ computes random $x_t \la \bb{Z}_n^{\ast}$ and sends commitment $y_t \la x_t^e$ to $V$.
> 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
> 3. $P$ computes $x_z \la x_t \cdot x^c$ and sends it to $V$.
> 4. $V$ outputs $\texttt{accept}$ if and only if $x_z^e = y_t \cdot y^c$.
Completeness is obvious.
> **Theorem.** The GQ protocol provides special soundness and is special HVZK.
*Proof*. Also similar. See Theorem 19.13.[^2]
## Combining Sigma Protocols
Using the basic sigma protocols, we can build sigma protocols for complex statements.
### AND-Proof Construction
The construction is straightforward, since we can just prove both statements.
Given two sigma protocols $(P_0, V_0)$ for $\mc{R}_0 \subset \mc{X}_0 \times \mc{Y}_0$ and $(P_1, V_1)$ for $\mc{R}_1 \subset \mc{X}_1 \times \mc{Y}_1$, we construct a sigma protocol for the relation $\mc{R}_\rm{AND}$ defined on $(\mc{X}_0 \times \mc{X}_1) \times (\mc{Y}_0 \times \mc{Y}_1)$ as
$$
\mc{R}_\rm{AND} = \bigg\lbrace \big( (x_0, x_1), (y_0, y_1) \big) : (x_0, y_0) \in \mc{R}_0 \land (x_1, y_1) \in \mc{R}_1 \bigg\rbrace.
$$
Given a pair of statements $(y_0, y_1) \in \mc{Y}_0 \times \mc{Y}_1$, the prover tries to convince the verifier that he knows a proof $(x_0, x_1) \in \mc{X}_0 \times \mc{X}_1$. This is equivalent to proving the AND of both statements.
> 1. $P$ runs $P_i(x_i, y_i)$ to get a commitment $t_i$. $(t_0, t_1)$ is sent to $V$.
> 2. $V$ computes challenge $c \la C$ and sends it to $P$.
> 3. $P$ uses the challenge for both $P_0, P_1$, obtains response $z_0$, $z_1$, which is sent to $V$.
> 4. $V$ outputs $\texttt{accept}$ if and only if $(t_i, c, z_i)$ is an accepting conversation for $y_i$.
Completeness is clear.
> **Theorem.** If $(P_0, V_0)$ and $(P_1, V_1)$ provide special soundness and are special HVZK, then the AND protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
*Proof*. For special soundness, let $\rm{Ext}_0$, $\rm{Ext}_1$ be the knowledge extractor for $(P_0, V_0)$ and $(P_1, V_1)$, respectively. Then the knowledge extractor $\rm{Ext}$ for $(P, V)$ can be constructed straightforward. For statements $(y_0, y_1)$, suppose that $\big( (t_0, t_1), c, (z_0, z_1) \big)$ and $\big( (t_0, t_1), c', (z_0', z_1') \big)$ are two accepting conversations. Feed $\big( y_0, (t_0, c, z_0), (t_0, c', z_0') \big)$ to $\rm{Ext}_0$, and feed $\big( y_1, (t_1, c, z_1), (t_1, c', z_1') \big)$ to $\rm{Ext}_1$.
For special HVZK, let $\rm{Sim}_0$ and $\rm{Sim}_1$ be simulators for each protocol. Then the simulator $\rm{Sim}$ for $(P, V)$ is built by using $(t_0, z_0) \la \rm{Sim}_0(y_0, c)$ and $(t_1, z_1) \la \rm{Sim}_1(y_1, c)$. Set
$$
\big( (t_0, t_1), (z_0, z_1) \big) \la \rm{Sim}\big( (y_0, y_1), c \big).
$$
We have used the fact that the challenge is used for both protocols.
### OR-Proof Construction
However, OR-proof construction is difficult. The prover must convince the verifier that either one of the statement is true, but **should not reveal which one is true.**
If the challenge is known in advance, the prover can cheat. We exploit this fact. For the proof of $y_0 \lor y_1$, do the real proof for $y_b$ and cheat for $y_{1-b}$.
Suppose we are given two sigma protocols $(P_0, V_0)$ for $\mc{R}_0 \subset \mc{X}_0 \times \mc{Y}_0$ and $(P_1, V_1)$ for $\mc{R}_1 \subset \mc{X}_1 \times \mc{Y}_1$. We assume that these both use the same challenge space, and both are special HVZK with simulators $\rm{Sim}_0$ and $\rm{Sim}_1$.
We combine the protocols to form a sigma protocol for the relation $\mc{R}_\rm{OR}$ defined on $\big( \braces{0, 1} \times (\mc{X}_0 \cup \mc{X}_1) \big) \times (\mc{Y}_0\times \mc{Y}_1)$ as
$$
\mc{R}_\rm{OR} = \bigg\lbrace \big( (b, x), (y_0, y_1) \big): (x, y_b) \in \mc{R}_b\bigg\rbrace.
$$
Here, $b$ denotes the actual statement $y_b$ to prove. For $y_{1-b}$, we cheat.
> $P$ is initialized with $\big( (b, x), (y_0, y_1) \big) \in \mc{R}_\rm{OR}$ and $V$ is initialized with $(y_0, y_1) \in \mc{Y}_0 \times \mc{Y}_1$. Let $d = 1 - b$.
>
> 1. $P$ computes $c_d \la \mc{C}$ and $(t_d, z_d) \la \rm{Sim}_d(y_d, c_d)$.
> 2. $P$ runs $P_b(x, y_b)$ to get a real commitment $t_b$ and sends $(t_0, t_1)$ to $V$.
> 3. $V$ computes challenge $c \la C$ and sends it to $P$.
> 4. $P$ computes $c_b \la c \oplus c_d$, feeds it to $P_b(x, y_b)$ obtains a response $z_b$.
> 5. $P$ sends $(c_0, z_0, z_1)$ to $V$.
> 6. $V$ computes $c_1 \la c \oplus c_0$, and outputs $\texttt{accept}$ if and only if $(t_0, c_0, z_0)$ is an accepting conversation for $y_0$ and $(t_1, c_1, z_1)$ is an accepting conversation for $y_1$.
Step $1$ is the cheating part, where the prover chooses a challenge, and generates a commitment and a response from the simulator.
Completeness follows from the following.
- $c_b = c \oplus c_{1-b}$, so $c_1 = c \oplus c_0$ always holds.
- Both conversations $(t_0, c_0, z_0)$ and $(t_1, c_1, z_1)$ are accepted.
- An actual proof is done for statement $y_b$.
- For statement $y_{1-b}$, the simulator always outputs an accepting conversation.
$c_b = c \oplus c_d$ is random, so $P$ cannot manipulate the challenge. Also, $V$ checks $c_1 = c \oplus c_0$.
> **Theorem.** If $(P_0, V_0)$ and $(P_1, V_1)$ provide special soundness and are special HVZK, then the OR protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
*Proof*. For special soundness, suppose that $\rm{Ext}_0$ and $\rm{Ext}_1$ are knowledge extractors. Let
$$
\big( (t_0, t_1), c, (c_0, z_0, z_1) \big), \qquad \big( (t_0, t_1), c', (c_0', z_0', z_1') \big)
$$
be two accepting conversations with $c \neq c'$. Define $c_1 = c \oplus c_0$ and $c_1' = c' \oplus c_0'$. Since $c \neq c'$, it must be the case that either $c_0 \neq c_0'$ or $c_1 \neq c_1'$. Now $\rm{Ext}$ will work as follows.
- If $c_0 \neq c_0'$, output $\bigg( 0, \rm{Ext}_0\big( y_0, (t_0, c_0, z_0), (t_0, c_0', z_0') \big) \bigg)$.
- If $c_1 \neq c_1'$, output $\bigg( 1, \rm{Ext}_1\big( y_1, (t_1, c_1, z_1), (t_1, c_1', z_1') \big) \bigg)$.
Then $\rm{Ext}$ will extract the knowledge.
For special HVZK, define $c_0 \la \mc{C}$, $c_1 \la c \oplus c_0$. Then run each simulator to get
$$
(t_0, z_0) \la \rm{Sim}_0(y_0, c_0), \quad (t_1, z_1) \la \rm{Sim}_1(y_1, c_1).
$$
Then the simulator for $(P, V)$ outputs
$$
\big( (t_0, t_1), (c_0, z_0, z_1) \big) \la \rm{Sim}\big( (y_0, y_1), c \big).
$$
The simulator just simulates for both of the statements and returns the messages as in the protocol. $c_b$ is random, and the remaining values have the same distribution since the original two protocols were special HVZK.
### Example: OR of Sigma Protocols with Schnorr Protocol
Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. The prover wants to convince the verifier that he knows the discrete logarithm of either $h_0$ or $h_1$ in $G$.
Suppose that the prover knows $x_b \in \bb{Z}_q$ such that $g^{x_b} = h_b$.
> 1. Choose $c_{1-b} \la \mc{C}$ and call simulator of $1-b$ to obtain $(u_{1-b}, z_{1-b}) \la \rm{Sim}_{1-b}$.
> 2. $P$ sends two commitments $u_0, u_1$.
> - For $u_b$, choose random $y \la \bb{Z}_q$ and set $u_b = g^y$.
> - For $u_{1-b}$, use the value from the simulator.
> 3. $V$ sends a single challenge $c \la \mc{C}$.
> 4. Using $c_{1-b}$, split the challenge into $c_0$, $c_1$ so that they satisfy $c_0 \oplus c_1 = c$. Then send $(c_0, c_1, z_0, z_1)$ to $V$.
> - For $z_b$, calculate $z_b \la y + c_b x$.
> - For $z_{1-b}$, use the value from the simulator.
> 5. $V$ checks if $c = c_0 \oplus c_1$. $V$ accepts if and only if $(u_0, c_0, z_0)$ and $(u_1, c_1, z_1)$ are both accepting conversations.
- Since $c, c_{1-b}$ are random, $c_b$ is random. Thus one of the proofs must be valid.
### Generalized Constructions
See Exercise 19.26 and 19.28.[^2]
## Non-interactive Proof Systems
Sigma protocols are interactive proof systems, but we can convert them into **non-interactive proof systems** using the **Fiat-Shamir transform**.
First, the definition of non-interactive proof systems.
> **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be an effective relation. A **non-interactive proof system** for $\mc{R}$ is a pair of algorithms $(G, V)$ satisfying the following.
>
> - $G$ is an efficient probabilistic algorithm that generates the proof as $\pi \la G(x, y)$ for $(x, y) \in \mc{R}$. $\pi$ belongs to some proof space $\mc{PS}$.
> - $V$ is an efficient deterministic algorithm that verifies the proof as $V(y, \pi)$ where $y \in \mc{Y}$ and $\pi \in \mc{PS}$. $V$ outputs either $\texttt{accept}$ or $\texttt{reject}$. If $V$ outputs $\texttt{accept}$, $\pi$ is a **valid proof** for $y$.
>
> For all $(x, y) \in \mc{R}$, the output of $G(x, y)$ must be a valid proof for $y$.
### Non-interactive Soundness
Intuitively, it is hard to create a valid proof of a false statement.
> **Definition.** Let $\Phi = (G, V)$ be a non-interactive proof system for $\mc{R} \subset \mc{X} \times \mc{Y}$ with proof space $\mc{PS}$. An adversary $\mc{A}$ outputs a statement $y^{\ast} \in \mc{Y}$ and a proof $\pi^{\ast} \in \mc{PS}$ to attack $\Phi$.
>
> The adversary wins if $V(y^{\ast}, \pi^{\ast}) = \texttt{accept}$ and $y^{\ast} \notin L_\mc{R}$. The advantage of $\mc{A}$ with respect to $\Phi$ is defined as the probability that $\mc{A}$ wins, and is denoted as $\rm{Adv}_{\rm{niSnd}}[\mc{A}, \Phi]$.
>
> If the advantage is negligible for all efficient adversaries $\mc{A}$, $\Phi$ is **sound**.
### Non-interactive Zero Knowledge
Omitted.
## The Fiat-Shamir Transform
The basic idea is **using a hash function to derive a challenge**, instead of a verifier. Now the only job of the verifier is checking the proof, requiring no interaction for the proof.
> **Definition.** Let $\Pi = (P, V)$ be a sigma protocol for a relation $\mc{R} \subset \mc{X} \times \mc{Y}$. Suppose that conversations $(t, c, z) \in \mc{T} \times \mc{C} \times \mc{Z}$. Let $H : \mc{Y} \times \mc{T} \rightarrow \mc{C}$ be a hash function.
>
> Define the **Fiat-Shamir non-interactive proof system** $\Pi_\rm{FS} = (G_\rm{FS}, V_\rm{FS})$ with proof space $\mc{PS} = \mc{T} \times \mc{Z}$ as follows.
>
> - For input $(x, y) \in \mc{R}$, $G_\rm{FS}$ runs $P(x, y)$ to obtain a commitment $t \in \mc{T}$. Then computes the challenge $c = H(y, t)$, which is fed to $P(x, y)$, obtaining a response $z \in \mc{Z}$. $G_\rm{FS}$ outputs $(t, z) \in \mc{T} \times \mc{Z}$.
> - For input $\big( y, (t, z) \big) \in \mc{Y} \times (\mc{T} \times \mc{Z})$, $V_\rm{FS}$ verifies that $(t, c, z)$ is an accepting conversation for $y$, where $c = H(y, t)$.
Any sigma protocol can be converted into a non-interactive proof system. Its completeness is automatically given by the completeness of the sigma protocol.
By modeling the hash function as a random oracle, we can show that:
- If the sigma protocol is sound, then so is the non-interactive proof system.[^3]
- If the sigma protocol is special HVZK, then running the non-interactive proof system does not reveal any information about the secret.
### Implications
- No interactions are required, resulting in efficient protocols with lower round complexity.
- No need to consider dishonest verifiers, since prover chooses the challenge. The verifier only verifies.
- In distributed systems, a single proof can be used multiple times.
### Soundness of the Fiat-Shamir Transform
> **Theorem.** Let $\Pi$ be a sigma protocol for a relation $\mc{R} \subset \mc{X} \times \mc{Y}$, and let $\Pi_\rm{FS}$ be the Fiat-Shamir non-interactive proof system derived from $\Pi$ with hash function $H$. If $\Pi$ is sound and $H$ is modeled as a random oracle, then $\Pi_\rm{FS}$ is also sound.
>
> Let $\mc{A}$ be a $q$-query adversary attacking the soundness of $\Pi_\rm{FS}$. There exists an adversary $\mc{B}$ attacking the soundness of $\Pi$ such that
>
> $$
> \rm{Adv}_{\rm{niSnd^{ro}}}[\mc{A}, \Pi_\rm{FS}] \leq (q + 1) \rm{Adv}_{\rm{Snd}}[\mc{B}, \Pi].
> $$
*Proof Idea*. Suppose that $\mc{A}$ produces a valid proof $(t^{\ast}, z^{\ast})$ on a false statement $y^{\ast}$. Without loss of generality, $\mc{A}$ queries the random oracle at $(y^{\ast}, t^{\ast})$ within $q+1$ queries. Then $\mc{B}$ guesses which of the $q+1$ queries is the relevant one. If $\mc{B}$ guesses the correct query, the conversation $(t^{\ast}, c, z^{\ast})$ will be accepted and $\mc{B}$ succeeds. The factor $q+1$ comes from the choice of $\mc{B}$.
### Zero Knowledge of the Fiat-Shamir Transform
Omitted. Works...
### The Fiat-Shamir Signature Scheme
Now we understand why the [Schnorr signature scheme](./2023-10-26-digital-signatures.md#schnorr-digital-signature-scheme) used hash functions. In general, the Fiat-Shamir transform can be used to convert sigma protocols into signature schemes.
We need $3$ building blocks.
- A sigma protocol $(P, V)$ with conversations of the form $(t, c, z)$.
- A key generation algorithm $G$ for $\mc{R}$, that outputs $pk = y$, $sk = (x, y) \in \mc{R}$.
- A hash function $H : \mc{M} \times \mc{T} \rightarrow \mc{C}$, modeled as a random oracle.
> **Definition.** The **Fiat-Shamir signature scheme** derived from $G$ and $(P, V)$ works as follows.
>
> - Key generation: invoke $G$ so that $(pk, sk) \la G()$.
> - $pk = y \in \mc{Y}$ and $sk = (x, y) \in \mc{R}$.
> - Sign: for message $m \in \mc{M}$
> 1. Start the prover $P(x, y)$ and obtain the commitment $t \in \mc{T}$.
> 2. Compute the challenge $c \la H(m, t)$.
> 3. $c$ is fed to the prover, which outputs a response $z$.
> 4. Output the signature $\sigma = (t, z) \in \mc{T} \times \mc{Z}$.
> - Verify: with the public key $pk = y$, compute $c \la H(m, t)$ and check that $(t, c, z)$ is an accepting conversation for $y$ using $V(y)$.
If an adversary can come up with a forgery, then the underlying sigma protocol is not secure.
### Example: Voting Protocol
$n$ voters are casting a vote, either $0$ or $1$. At the end, all voters learn the sum of the votes, but we want to keep the votes secret for each party.
We can use the [multiplicative ElGamal encryption](./2023-10-19-public-key-encryption.md#the-elgamal-encryption) scheme in this case. Assume that a trusted vote tallying center generates a key pair, keeps $sk = \alpha$ to itself and publishes $pk = g^\alpha$.
Each voter encrypts the vote $b_i$ and the ciphertext is
$$
(u_i, v_i) = (g^{\beta_i}, h^{\beta_i} \cdot g^{b_i})
$$
where $\beta_i \la\bb{Z}_q$. The vote tallying center aggregates all ciphertexts my multiplying everything. No need to decrypt yet. Then
$$
(u^{\ast}, v^{\ast}) = \left( \prod_{i=1}^n g^{\beta_i}, \prod_{i=1}^n h^{\beta_i} \cdot g^{b_i} \right) = \big( g^{\beta^{\ast}}, h^{\beta^{\ast}} \cdot g^{b^{\ast}} \big),
$$
where $\beta^{\ast} = \sum_{i=1}^n \beta_i$ and $b^{\ast} = \sum_{i=1}^n b_i$. Now decrypt $(u^{\ast}, v^{\ast})$ and publish the result $b^{\ast}$.[^4]
Since the ElGamal scheme is semantically secure, the protocol is also secure if all voters follow the protocol. But a dishonest voter can encrypt $b_i = -100$ or some arbitrary value.
To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](2023-11-07-sigma-protocols.md#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](2023-11-07-sigma-protocols.md#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs.
[^1]: The message flows in a shape that resembles the greek letter $\Sigma$, hence the name *sigma protocol*.
[^2]: A Graduate Course in Applied Cryptography.
[^3]: The challenge is chosen after the commitment, making it random.
[^4]: To find $b^{\ast}$, one has to solve the discrete logarithm, but for realistic $n$, we can brute force this.

188
_posts/lecture-notes/modern-cryptography/2023-11-09-secure-mpc.md Normal file
View File

@@ -0,0 +1,188 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 14. Secure Multiparty Computation
date: 2023-11-09
github_title: 2023-11-09-secure-mpc
---
## Secure Multiparty Computation (MPC)
Suppose we have a function $f$ that takes $n$ inputs and produces $m$ outputs.
$$
(y_1, \dots, y_m) = f(x_1, \dots, x_n).
$$
$N$ parties $P_1, \dots, P_N$ are trying to evaluate this function with a protocol. Each $x_i$ is submitted by one of the parties, and each output $y_j$ will be given to one or more parties.
In **secure multiparty computation** (MPC), we wish to achieve some security functionalities.
- **Privacy**: no party learns anything about any other party's inputs, except for the information in the output.
- **Soundness**: honest parties compute correct outputs.
- **Input independence**: all parties must choose their inputs independently of other parties' inputs.
Security must hold even if there is any adversarial behavior in the party.
### Example: Secure Summation
Suppose we have $n$ parties $P_1, \dots, P_n$ with private values $x_1, \dots, x_n$. We would like to *securely* compute the sum $s = x_1 + \cdots + x_n$.
> 1. Choose $M$ large enough so that $M > s$.
> 2. $P_1$ samples $r \la \Z_M$ and computes $s_1 = r + x_1 \pmod M$ and sends it to $P_2$.
> 3. In the same manner, $P_i$ computes $s_i = s_{i-1} + x_i \pmod M$ and sends it to $P_{i+1}$.
> 4. As the final step, $s_n$ is returned to $P_1$, where he outputs $s = s_n - r \pmod M$.
This protocol seems secure since $r$ is a random noise added to the actual partial sum. But the security actually depends on how we model adversarial behavior.
Consider the case where parties $P_2$ and $P_4$ team up (collusion). These two can share information between them. They have the following:
- $P_2$ has $s_1$, $s_2$, $x_2$.
- $P_4$ has $s_3$, $s_4$, $x_4$.
Using $s_2$ and $s_3$, they can compute $x_3 = s_3 - s_2$ and obtain the input of $P_3$. This violates privacy. Similarly, if $P_i$ and $P_j$ team up, the can compute the partial sum
$$
s_{j - 1} - s_{i} = x_{i+1} + \cdots + x_{j-1}
$$
which leaks information about the inputs of $P_{i+1}, \dots, P_{j-1}$.
## Modeling Adversaries for Multiparty Computation
The adversary can decide not to follow the protocol and perform arbitrarily.
- **Semi-honest** adversaries follows the protocol and tries to learn more information by inspecting the communication.
- **Malicious** adversaries can behave in any way, unknown to us.
Semi-honest adversaries are similar to *passive* adversaries, whereas malicious adversaries are similar to *active* adversaries.
We can also model the **corruption strategy**. Some parties can turn into an adversary during the protocol.
- In **static** corruptions, the set of adversarial parties is fixed throughout the execution.
- In **adaptive** corruptions, the adversary corrupts parties during the execution, based on the information gained from the protocol execution.
We can decide how much computational power to give to the adversary. For *computational security*, an adversary must be efficient, only polynomial time strategies are allowed. For *information-theoretic security*, an adversary has unbounded computational power.
We will only consider **semi-honest** adversaries with **static** corruptions.
## Defining Security for Multiparty Computation
The idea is the following.
> An attack on the protocol in the **real world** is equivalent to some attack on the protocol in an **ideal world** in which no damage can be done.
In the **ideal world**, we use a trusted party to implement a protocol. All parties, both honest and corrupted, submit their input to the trusted party. Since the trusted party is not corrupted, the protocol is safe.
In the **real world**, there is no trusted party and parties must communicate with each other using a protocol.
Thus, a secure protocol must provide security in the real world that is equivalent to that in the ideal world. The definition is saying the following: **there is no possible attack in the ideal world, so there is no possible attack in the real world**. This kind of definition implies privacy, soundness and input independence.
> For every efficient adversary $\mc{A}$ in the real world, there exists an *equivalent* efficient adversary $\mc{S}$ (usually called a **simulator**) in the ideal world.
### Semi-Honest & Static Corruption
- The *view* of a party consists of its input, random tape and the list of messages obtained from the protocol.
- The view of an adversary is the union of views of corrupted parties.
- If an adversary learned anything from the protocol, it must be efficiently computable from its view.
- If a protocol is secure, it must be possible in the ideal world to generate something indistinguishable from the real world adversary's view.
- In the ideal world, the adversary's view consists of inputs/outputs to and from the trusted party.
- An adversary in the ideal world must be able to generate a view equivalent to the real world view. We call this ideal world adversary a **simulator**.
- If we show the existence of a simulator, a real world adversary's ability is the same as an adversary in the ideal world.
> **Definition.** Let $\mc{A}$ be the set of parties that are corrupted, and let $\rm{Sim}$ be a simulator algorithm.
> - $\rm{Real}(\mc{A}; x_1, \dots, x_n)$: each party $P_i$ runs the protocol with private input $x_i$. Let $V_i$ be the final view of $P_i$. Output $\braces{V_i : i \in \mc{A}}$.
> - $\rm{Ideal}_\rm{Sim}(x_1, \dots, x_n)$: output $\rm{Sim}(\mc{A}; \braces{(x_i, y_i) : i \in \mc{A}})$.
>
> A protocol is **secure against semi-honest adversaries** if there exists a simulator such that for every subset of corrupted parties $\mc{A}$, its views in the real and ideal worlds are indistinguishable.
## Oblivious Transfer (OT)
This is a building block for building any MPC.
Suppose that the sender has data $m_1, \dots, m_n \in \mc{M}$, and the receiver has an index $i \in \braces{1, \dots, n}$. The sender wants to send exactly one message and hide others. Also, the receiver wants to hide which message he received.
This problem is called 1-out-of-$n$ **oblivious transfer** (OT).
### 1-out-of-2 OT Construction from ElGamal Encryption
We show an example of 1-out-of-2 OT using the ElGamal encryptions scheme. We use a variant where a hash function is used in encryption.
It is known that $k$-out-of-$n$ OT is constructible from 1-out-of-2 OTs.
> Suppose that the sender Alice has messages $x_0, x_1 \in \braces{0, 1}\conj$, and the receiver Bob has a choice $\sigma \in \braces{0, 1}$.
>
> 1. Bob chooses $sk = \alpha \la \Z_q$ and computes $h = g^\alpha$, and chooses $h' \la G$.
> 2. Bob sets $pk_\sigma = h$ and $pk_{1-\sigma} = h'$ and sends $(pk_0, pk_1)$ to Alice.
> 3. Alice encrypts each $x_i$ using $pk_i$, obtains two ciphertexts.
> - $\beta_0, \beta_1 \la \Z_q$.
> - $c_0 = \big( g^{\beta_0}, H(pk_0^{\beta_0}) \oplus x_0 \big)$, $c_1 = \big( g^{\beta_1}, H(pk_1^{\beta_1}) \oplus x_1 \big)$.
> 4. Alice sends $(c_0, c_1)$ to Bob.
> 5. Bob decrypts $c_\sigma$ with $sk$ to get $x_\sigma$.
Correctness is obvious.
Alice's view contains the following: $x_0, x_1, pk_0, pk_1, c_0, c_1$. Among these, $pk_0, pk_1$ are the received values from Bob. But these are random group elements, so she learns nothing about $\sigma$. The simulator can choose two random group elements to simulate Alice.
Bob's view contains the following: $\sigma, \alpha, g^\alpha, h', c_0, c_1, x_\sigma$. He only knows one private key, so he only learns $x_\sigma$, under the DL assumption. (He doesn't have the discrete logarithm for $h'$) The simulator must simulate $c_0, c_1$, so it encrypts $x_\sigma$ with $pk_\sigma$, and as for $x_{1-\sigma}$, a random message is encrypted with $pk_{1-\sigma}$. This works because the encryption scheme is semantically secure, meaning that it doesn't reveal any information about the underlying message.
The above works for **semi-honest** parties. To prevent malicious behavior, we fix the protocol a bit.
> 1. Alice sends a random $w \la G$ first.
> 2. Bob must choose $h$ and $h'$ so that $hh' = w$. $h$ is chosen the same way, and $h' = wh\inv$ is computed.
>
> The remaining steps are the same, except that Alice checks if $pk_0 \cdot pk_1 = w$.
Bob must choose $h, h'$ such that $hh' = w$. If not, Bob can choose $\alpha' \la \Z_q$ and set $h' = g^{\alpha'}$, enabling him to decrypt both $c_0, c_1$, revealing $x_0, x_1$. Under the DL assumption, Bob cannot find the discrete logarithm of $h'$, which prevents malicious behavior.
### 1-out-of-$n$ OT Construction from ElGamal Encryption
Let $m_1, \dots, m_n \in \mc{M}$ be the messages to send, and let $i$ be an index. We will use ElGamal encryption on a cyclic group $G = \span{g}$ of prime order, with a hash function and a semantically secure symmetric cipher $(E_S, D_S)$.
> 1. Alice chooses $\beta \la \Z_q$, computes $v \la g^\beta$ and sends $v$ to Bob.
> 2. Bob chooses $\alpha \la \Z_q$, computes $u \la g^\alpha v^{-i}$ and sends $u$ to Alice.
> 3. For $j = 1, \dots, n$, Alice computes the following.
> - Compute $u_j \la u \cdot v^j = g^\alpha v^{j-i}$ as the public key for the $j$-th message.
> - Encrypt $m_j$ as $(g^\beta, c_j)$, where $c_j \la E_S\big( H(g^\beta, u_j^\beta), m_j \big)$.
> 4. Alice sends $(c_1, \dots, c_n)$ to Bob.
> 5. Bob decrypts $c_i$ as follows.
> - Compute symmetric key $k \la H(v, v^\alpha)$ where $v = g^\beta$ from step $1$.
> - $m_i \la D_S(k, c_i)$.
Note that all ciphertexts $c_j$ were created from the same ephemeral key $\beta \in \Z_q$.
For correctness, we check that Bob indeed receives $m_i$ from the above protocol. Check that $u_i = u\cdot v^i = g^\alpha v^0 = g^\alpha$, then $u_i^\beta = g^{\alpha\beta} = v^\alpha$. Since $c_i = E_S\big( H(g^\beta, u_i^\beta), m_i \big) = E_S\big( H(v, v^\alpha), m_i \big)$, the decryption gives $m_i$.
Now is this oblivious? All that Alice sees is $u = g^\alpha v^{-i}$ from Bob. Since $\alpha \la \Z_q$, $u$ is uniformly distributed over elements of $G$. Alice learns no information about $i$.
As for Bob, we need the **CDH assumption**. Suppose that Bob can query $H$ on two different ciphertexts $c_{j_1}, c_{j_2}$. Then he knows
$$
u_{j_1}^\beta/u_{j_2}^\beta = v^{\beta(j_1 - j_2)},
$$
and by raising both to the $(j_1 - j_2)\inv$ power (inverse in $\Z_q$), he can compute $v^\beta = g^{\beta^2}$. Thus, Bob has computed $g^{\beta^2}$ from $g^\beta$, and this breaks the CDH assumption.[^1] Thus Bob cannot query $H$ on two points, and is unable to decrypt two ciphertexts. He only learns $m_i$.
### OT for Computing $2$-ary Function with Finite Domain
We can use an OT for computing a $2$-ary function with finite domain.
Let $f : X_1 \times X_2 \ra Y$ be a deterministic function with $X_1$, $X_2$ both finite. There are two parties $P_1, P_2$ with inputs $x_1, x_2$, and they want to compute $f(x_1, x_2)$ without revealing their input.
Then we can use $1$-out-of-$\abs{X_2}$ OT to securely compute $f(x_1, x_2)$. Without loss of generality, suppose that $P_1$ is the sender.
$P_1$ computes $y_x =f(x_1, x)$ for all $x \in X_2$, resulting in $\abs{X_2}$ messages. Then $P_1$ performs 1-out-of-$\abs{X_2}$ OT with $P_2$. The value of $x_2$ will be used as the choice of $P_2$, which will be oblivious to $P_1$.[^2]
This method is inefficient, so we have better methods!
[^1]: Given $g^\alpha, g^\beta$, compute $g^{\alpha + \beta}$. Then compute $g^{\alpha^2}, g^{\beta^2}, g^{(\alpha+\beta)^2}$, and obtain $g^{2\alpha\beta}$. Exponentiate by $2\inv \in \Z_q$ to find $g^{\alpha\beta}$.
[^2]: Can $P_1$ learn the value of $x_2$ from the final output $y_{x_2} = f(x_1, x_2)$?

157
_posts/lecture-notes/modern-cryptography/2023-11-14-garbled-circuits.md Normal file
View File

@@ -0,0 +1,157 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 15. Garbled Circuits
date: 2023-11-14
github_title: 2023-11-14-garbled-circuits
---
A simple solution for two party computation would be to use oblivious transfers as noted [here](./2023-11-09-secure-mpc.md#ot-for-computing-14.-secure-multiparty-computation#ot-for-computing-$2$-ary-function-with-finite-domain$-ary-function-with-finite-domain). However, this method is inefficient. We will look at **Yao's protocol**, presented in 1986, for secure two-party computation.
The term **garbled circuit** was used by Beaver-Micali-Rogaway (BMR), presenting a multiparty protocol using a similar approach to Yao's protocol.
## Yao's Protocol
This protocol is for **general secure two party computation**. By general, it means that the protocol can securely compute any functionality. The protocol works on boolean circuits using AND/OR gates, which can be extended to arbitrary circuits, such as addition, multiplication, etc. This protocol takes **constant number of rounds**, and is secure for semi-honest parties.
A plain circuit would be evaluated by giving raw values $0/1$ to the input wires. These inputs will be evaluated through the gates, and the output is fed to another gate, and so on. But for *secure computation*, we require that **no party learns the values of any internal wires**.
**Yao's protocol** is a compiler which transforms a circuit so that all information is hidden except for the final output.
## Garbled Circuits
A **garbled circuit** is an *encrypted circuit*, with a pair of keys for each wire. For each gate, a key is given for each of the input wires. Using the keys, it is possible to compute the key of the gate output, but nothing else can be learned. For this process, we will use **oblivious transfer**.
### Constructing a Garbled Circuit
The garbler first encrypts the circuit. First, assign two keys, called **garbled values**, to each wire of the circuit.
Suppose we have an AND gate, where $C = \rm{AND}(A, B)$. For the wire $A$, the garbler assigns $A_0, A_1$, each for representing the bit $0$ and $1$. Note that this mapping is known only to the garbler. Similar process is done for wires $B$ and $C$.
Then we have the following garbled values, as in columns 1 to 3. Now, encrypt the values of $C$ with a semantically secure scheme $E$, and obtain the $4$th column. Then, permute the rows in random order so that it is indistinguishable.
|$A$|$B$|$C$|$C = \rm{AND}(A, B)$|
|:-:|:-:|:-:|:-:|
|$A_0$|$B_0$|$C_0$|$E(A_0 \parallel B_0, C_0)$|
|$A_0$|$B_1$|$C_0$|$E(A_0 \parallel B_1, C_0)$|
|$A_1$|$B_0$|$C_0$|$E(A_1 \parallel B_0, C_0)$|
|$A_1$|$B_1$|$C_1$|$E(A_1 \parallel B_1, C_1)$|
For evaluation, the **last column** will be given to the other party as the representation of the **garbled gate**. The inputs will be given as $A_x$ and $B_y$, but the evaluator will have no idea about the actual value of $x$ and $y$, hiding the actual input value. Although he doesn't know the underlying bit values, the evaluator is able to compute $C_z$ where $z = x \land y$. Similarly, the evaluator will not know whether $z$ is $0$ or $1$, hiding the output or intermediate values.
The above *garbling* process is done for all gates. For the last output gate, the garbler keeps a **output translation table** to himself, that maps $0$ to $C_0$ and $1$ to $C_1$. This is used for recovering the bit, when the evaluation is done and the evaluator sends the final garbled value.
> In summary, given a boolean circuit,
> 1. Assign garbled values to all wires in the circuit.
> 2. Construct garbled gates using the garbled values.
Note that the evaluator learns nothing during the evaluation.
### Evaluating a Garbled Circuit
There is a slight problem here. In some encryption schemes, a ciphertext can be decrypted by an incorrect key. If the above encryptions are in arbitrary order, how does the evaluator know if he decrypted the correct one?
One method is to add **redundant zeros** to the $C_k$. Then the last column would contain $E\big( A_i \pll B_j, C_k \pll 0^n \big)$. Then when the evaluator decrypts these ciphertexts, the probability of getting redundant zeros with an incorrect key would be negligible. But with this method, all four ciphertexts have to be decrypted in the worst case.
Another method is adding a bit to signal which ciphertext to decrypt. This method is called **point-and-permute**. The garbler chooses a random bit $b_A$ for each wire $A$. Then when drawing $A_0, A_1$, set the first bit (MSB) to $b_A$ and $1 - b_A$, respectively. Next, the ciphertexts are sorted in the order of $b_A$ and $b_B$. Then the evaluator can exploit this information during evaluation.
For example, if the evaluator has $X$ and $Y$ such that $\rm{MSB}(X) = 0$ and $\rm{MSB}(Y) = 1$, then choose the second ($01$ in binary) ciphertext entry to decrypt.
This method does not reduce security, since the bits $b_A$, $b_B$ are random. Also, now the evaluator doesn't have to decrypt all four ciphertexts, reducing the evaluation load.
## Protocol Description
> Suppose we have garbler Alice and evaluator Bob.
>
> 1. Alice garbles the circuit, generating garbled values and gates.
> 2. Garbled gate tables and the garbled values of Alice's inputs are sent to Bob.
> 3. For Bob's input wire $B$, Alice and Bob run an 1-out-of-2 OT protocol.
> - Alice provides $B_0$ and $B_1$ to the OT.
> - Bob inputs his input bit $b$ to the OT, and Bob now has $B_b$.
> 4. Bob has garbled values for all input wires, so evaluates the circuit.
> 5. Bob sends the final garbled output to Alice.
> 6. Alices uses the output translation table to recover the final result bit.
Note that OT can be done in *parallel*, reducing the round complexity.
### Why is OT Necessary?
Suppose Alice gave both $B_0$ and $B_1$ to Bob. Bob doesn't know which one represents $0$ or $1$, but he can just run the evaluation for both inputs.
Suppose we have a $2$-input AND gate $C = \rm{AND}(A, B)$. Bob already has $A_x$ from Alice, so he evaluates for both $B_0$ and $B_1$, obtaining $C_{x\land 0}$ and $C_{x \land 1}$. If these are the same, Bob learns that $x = 0$. If different, $x = 1$.
So we need an OT to make sure that Bob only learns one of the garbled values.
### Performance
- We need about $2$ to $4$ rounds.
- Depends on the implementation of the OT.
- Need additional rounds if the final output should be sent to a party.
- Anyways, takes constant number of rounds.
- Need $m$ oblivious transfers, where $m$ is the number of inputs of Bob.
- These can be carried out in parallel.
- Suppose that there are $N$ gates.[^1]
- $8N$ symmetric encryptions are required to build a garbled circuit.
- $2N$ decryptions are required to compute the circuit.
- We need to communicate the data of $\mc{O}(N)$ gates.
## Summary of Yao's Protocol
Let $f$ be a given public function that Alice and Bob want to compute, in circuit representation. Let $(x_1, \dots, x_n)$ and $(y_1, \dots, y_m)$ be inputs provided by Alice and Bob, respectively.
Alice generates a garbled circuit $G(f)$ by assigning garbled values for each wire. Then gives Bob $G(f)$ and the garbled values of her inputs. Then Alice and Bob run several OTs in parallel for the garbled values of Bob's inputs.
Bob computes $G(f)$ and obtains a key of $f(x_1, \dots, x_n, y_1, \dots, y_m)$, which is sent to Alice and Alice recovers the final result.
## Proof of Security (Semi-honest)
We show that if the underlying OT is secure, then Yao's protocol is secure. If both parties are honest or corrupted, there is nothing to show, so we only show for the cases where one party is corrupted.
### Alice is Corrupted
Alice's view only consists of the messages it receives during the oblivious transfers. Since the OT is secure, OT will have its own simulator $\mc{S}$ for the sender of the OT. To simulate Alice, we can use the same simulator $\mc{S}$.
In the OT-hybrid model, we assume an ideal OT. In this case, Alice receives no messages during the oblivious transfers. Then to simulate Alice, an empty transcript will be sufficient.
### Bob is Corrupted
This case is harder to show. The simulator must construct a fake garbled circuit that is indistinguishable to the real one. But the simulator doesn't know the inputs of Alice, so it cannot generate a real circuit.
Bob's view contains his inputs $(y_1, \dots, y_m)$ and the final output $z = (z_1, \dots, z_k)$. Thus, the simulator generates a fake garbled circuit that **always** outputs $z$. To do this, the garbled values for the wires can be chosen randomly, and use them for encryption keys. But the encrypted message is fixed to the (intermediate) output. For instance, make the gate table consists of $E\big( A_i \pll B_j, C_0 \big)$ for fixed $C_0$. In this way, the simulator can control the values of output wires and get $z$ for the final output.
The output translation tables can be generated using this method. An entry of the table would be $(z_i, C_0)$ where $C_0$ is the garbled value used for generating the gate table. As for $1-z_i$, any random garbled value can be used.
Lastly for communicating garbled values, Alice's input wires can be set to any two garbled values of the wire. Bob's input wires should be simulated by the simulator of the OT, which will result in any one of the two values on the wire.
## The BMR Protocol
This is a multiparty variant of Yao's protocol.
For each wire of the circuit, two random *super-seeds* (garbled values) are used. Each party generates a seed, and the super-seed of the wire is the concatenation of all seeds generated by the parties.
For example, for input wire $A$, let
$$
A_0 = a_0^1 \pll \cdots \pll a_0^n, \quad A_1 = a_1^1 \pll \cdots \pll a_1^n,
$$
where $a_0^k, a_1^k$ are seeds generated by party $P_k$.
Then for garbling gates, the super-seeds of the output wire is encrypted by the super-seeds of the input wires. As an example, suppose that we use $A_b = a_b^1 \pll \cdots \pll a_b^n$ to encrypt an output value $B$. Then we could use a secure PRG $G$ and set
$$
B \oplus G(a_b^1) \oplus \cdots \oplus G(a_b^n)
$$
as the garbled value.
[^1]: Why???

290
_posts/lecture-notes/modern-cryptography/2023-11-16-gmw-protocol.md Normal file
View File

@@ -0,0 +1,290 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 16. The GMW Protocol
date: 2023-11-16
github_title: 2023-11-16-gmw-protocol
image:
path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-16-beaver-triple.png
attachment:
folder: assets/img/posts/Lecture Notes/Modern Cryptography
---
There are two types of MPC protocols, **generic** and **specific**. Generic protocols can compute arbitrary functions. [Garbled circuits](./2023-11-14-garbled-circuits.md#garbled-circuits) were generic protocols, since it can be used to compute any boolean circuits. In contrast, the [summation protocol](./2023-11-09-secure-mpc.md#example-secure-summation) is a specific protocol that can only be used to compute a specific function. Note that generic protocols are not necessarily better, since specific protocols are much more efficient.
## GMW Protocol
The **Goldreich-Micali-Wigderson** (GMW) **protocol** is a designed for evaluating boolean circuits. In particular, it can be used for XOR and AND gates, which corresponds to addition and multiplication in $\Z_2$. Thus, the protocol can be generalized for evaluating arbitrary arithmetic circuits.
We assume semi-honest adversaries and static corruption. The GMW protocol is known to be secure against any number of corrupted parties. We also assume that any two parties have private channels for communication.
The idea is **secret sharing**, where each party shares its input with other parties. The actual input is not revealed, and after the computation, each party holds a *share* of the final result.
The protocol can be broken down into $3$ phases.
- **Input phase**: each party shares its input with the other parties.
- **Evaluation phase**: each party computes gate by gate, using the shared values.
- **Output phase**: each party publishes their output.
### Input Phase
Suppose that we have $n$ parties $P_1, \dots, P_n$ with inputs $x_1, \dots, x_n \in \braces{0, 1}$. The inputs are bits but they can be generalized to inputs over $\Z_q$ where $q$ is prime.
> Each party $P_i$ shares its input with other parties as follows.
>
> 1. Choose random $r_{i, j} \la \braces{0, 1}$ for all $j \neq i$ and send $r_{i, j}$ to $P_j$.
> 2. Set $r_{i, i} = x_i + \sum_{i \neq j} r_{i, j}$.
Then we see that $x_i = \sum_{j = 1}^n r_{i, j}$. Each party has a **share** of $x_i$, which is $r_{i, j}$. We have a notation for this,
$$
[x_i] = (r_{i, 1}, \dots, r_{i, n}).
$$
It means that $r_{i, 1}, \dots, r_{i, n}$ are shares of $x_i$.
After this phase, each party $P_j$ has $n$ shares $r_{1, j}, \dots, r_{n,j}$, where each is a share of $x_i$.
### Evaluation Phase
Now, each party computes each gate using the shares received from other parties. We describe how the XOR and AND gate are computed.
#### Evaluating XOR Gates
Suppose we want to compute a share of $c = a + b$. Then, since
$$
[c] = [a] + [b],
$$
each party can simply add all the input shares.
If $y = x_1 + \cdots + x_n$, then party $P_j$ will compute $y_j = \sum_{i=1}^n r_{i, j}$, which is a share of $y$, $[y] = (y_1, \dots, y_n)$. It can be checked that
$$
y = \sum_{j=1}^n y_j = \sum_{j=1}^n \sum_{i=1}^n r_{i, j}.
$$
#### Evaluating AND Gates
AND gates are not as simple as XOR gates. If $c = ab$,
$$
c = \paren{\sum_{i=1}^n a_i} \paren{\sum_{j=1}^n b_j} = \sum_{i=1}^n a_ib_i + \sum_{1 \leq i < j \leq n} (a_ib_j + a_j b_i).
$$
The first term can be computed internally by each party. The problem is the second term. $P_i$ doesn't know the values of $a_j$ and $b_j$. Therefore, we need some kind of interaction between $P_i$ and $P_j$, but no information should be revealed. We can use an OT for this.
> For every pair of parties $(P_i, P_j)$, perform the following.
>
> 1. $P_i$ chooses a random bit $s_{i, j}$ and computes all possible values of $a_ib_j + a_jb_i + s_{i, j}$. These values are used in the OT.
> 2. $P_i$ and $P_j$ run a $1$-out-of-$4$ OT.
> 3. $P_i$ keeps $s_{i, j}$ and $P_j$ receives $a_ib_j + a_jb_i + s_{i, j}$.
- If $a_ib_j + a_jb_i$ is exposed to any party, it reveals information about other party's share.
- These are bits, so $P_i$ and $P_j$ get to keep a share of $a_ib_j + a_jb_i$. If these aren't bits, then $s_{i, j} - a_ib_j - a_jb_i$ must be computed for inputs to the OT.
- Since $a_j, b_j \in \braces{0, 1}$, it is possible to compute all possible values, and use them in the OT. $(a_j, b_j)$ will be used as the choice of $P_j$.
### Output Phase
After evaluation, each party has a share of the final output, so the share is sent to the parties that will learn the output. These shares can be summed to obtain the final output value.
### Performance
Addition is easy, but multiplication gates require $n \choose 2$ OTs. Thus the protocol requires a communication round among the parties for every multiplication gate. Also, the multiplication gates on the same level can be processed in parallel.
Overall, the round complexity is $\mc{O}(d)$, where $d$ is the depth of the circuit, including only the multiplication gates.
A shallow circuit is better for GMW protocols. However, shallow circuits may end up using more gates depending on the function.
## Security Proof
We show the case when there are $n-1$ corrupted parties.[^1] Let $P_i$ be the honest party and assume that all others are corrupted. We will construct a simulator.
Let $(x_1, \dots, x_n)$ be inputs to the function, and let $[y] = (y_1, \dots, y_n)$ be output shares. The adversary's view contains $y$, and all $x_j$, $y_j$ values except for $x_i$ and $y_i$.
To simulate the input phase, choose random shares to be communicated, both for $P_i \ra P_j$ and $P_j \ra P_i$. The shares were chosen randomly, so they are indistinguishable to the real protocol execution.
For the evaluation phase, XOR gates can be computed internally, so we only consider AND gates.
- When $P_j$ is the receiver, choose a random bit as the value learned from the OT. Since the OT contains possible values of $a_ib_j + a_jb_i + s_{i, j}$ and they are random, the random bit is equivalent.
- When $P_j$ is the sender, choose $s_{i, j}$ randomly and compute all $4$ possible values following the protocol.
Lastly, for the output phase, the simulator has to simulate the message $y_i$ from $P_i$. Since the final output $y$ is known and $y_j$ ($j \neq i$) is known, $y_i$ can be computed from the simulator.
We see that the distribution of the values inside the simulator is identical to the view in the real protocol execution.
## Beaver Triples
**Beaver triple sharing** is an offline optimization method for multiplication (AND) gates in the GMW protocol. Before actual computation, Beaver triples can be shared to speed up multiplication gates, reducing the running time in the online phase. Note that the overall complexity is the same.
> **Definition.** A **Beaver triple** is a triple $(x, y, z)$ such that $z = xy$.
### Beaver Triple Sharing
When Beaver triples are shared, $[x] = (x_1, x_2)$ and $[y] = (y_1, y_2)$ are chosen so that
$$
\tag{$\ast$}
z = z_1 + z _2 = (x_1 + x_2)(y_1 + y_2) = x_1y_1 + x_1y_2 + x_2y_1 + x_2y_2.
$$
> 1. Each party $P_i$ chooses random bits $x_i, y_i$. Now they must generate $z_1, z_2$ so that the values satisfy equation $(\ast)$ above.
> 2. $P_1$ chooses a random bit $s$ and computes all $4$ possible values of $s + x_1y_2 + x_2y_1$.
> 3. $P_1$ and $P_2$ run a $1$-out-of-$4$ OT.
> 4. $P_1$ keeps $z_1 = s + x_1y_1$, $P_2$ keeps $z_2 = (s + x_1y_2 + x_2y_1) + x_2y_2$.
Indeed, $z_1, z_2$ are shares of $z$.[^2] See also Exercise 23.5.[^3]
### Evaluating AND Gates with Beaver Triples
Now, in the actual computation of AND gates, proceed as follows.
![mc-16-beaver-triple.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-16-beaver-triple.png)
> Each $P_i$ has a share of inputs $a_i, b_i$ and a Beaver triple $(x_i, y_i, z_i)$.
> 1. Each $P_i$ computes $u_i = a_i + x_i$, $v_i = b_i + y_i$.
> 2. $P_i$ shares $u_i, v_i$ to $P_{3-i}$ and receives $u_{3-i}, v_{3-i}$ from $P_{3-i}$.
> 3. Each party now can compute $u = u_1 + u_2$, $v = v_1 + v_2$.
> 4. $P_1$ computes $c_1 = uv + uy_1 + vx_1 + z_1$, $P_2$ computes $c_2 = uy_2 + vx_2 + z_2$.
Note that
$$
\begin{aligned}
c = c_1 + c_2 &= uv + u(y_1 + y_2) + v(x_1 + x_2) + (z_1 + z_2) \\
&= uv + uy + vx + xy \qquad (\because z = xy) \\
&= u(v + y) + x(v + y) \\
&= (u + x)(v + y) = ab
\end{aligned}
$$
The last equality comes from the fact that $u = a + x$ and $v = b+y$ from step $1$. The equation was derived from the following observation.
$$
c = ab = (a + x)(b + y) - x(b + y) - y(a + x) + xy.
$$
Substitute $u = a +x$ and $v = b + y$, since $z = xy$, we have
$$
c = uv - xv - yu + z.
$$
Thus
$$
[c] = uv - [x]v - [y]u + [z],
$$
and $uv$ is public, so any party can include it in its share.
Also note that $u_i, v_i$ does not reveal any information about $x_i, y_i$. Essentially, they are *one-time pad* encryptions of $x_i$ and $y_i$ since $a_i, b_i$ were chosen randomly. No need for OTs during actual computation.
### Reusing Beaver Triples?
**Beaver triples are to be used only once!** If $u_1 = a_1 + x_1$ and $u_1' = a_1' + x_1$, then $u_1 + u_1' = a_1 + a_1'$, revealing information about $a_1 + a_1'$.
Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](2023-11-16-gmw-protocol.md#ot-extension) described below.
## Comparison of Yao and GMW
|Protocol|Yao|GMW|
|:-:|:-:|:-:|
|Metaphor|Apple: bite-by-bite|Orange: peel and eat|
|Pros|Constant round complexity|Circuit evaluation is simple|
|Cons|Requires symmetric cipher in the online phase|High overhead in AND gates|
|Good In|High latency networks|Low latency networks|
|Round Complexity|$\mc{O}(1)$|Depends on circuit depth. $n$ OTs per AND gates per party.|
Yao's protocol computes gates bite-by-bite, whereas GMW protocol is peel-and-eat. Most of the effort is required in the preprocessing phase, by sharing many Beaver triples, but the evaluation phase is easy.
## OT Extension
Both Yao's and GMW protocol use OTs. Depending on the computation, one may end up performing thousands of OTs, which can be inefficient.
There is a technique called **OT extension**, that allows us to obtain many OT instances from a small number of OT instances. OT extension only uses small number of base OTs, and uses symmetric cipher to extend it to many OTs.
### Protocol Description
This protocol will extend $n$ OTs to $m$ OTs, where $m \gg n$.
- Sender has inputs $\paren{x_i^0, x_i^1}$ for $i = 1, \dots, m$.
- Receiver has choice vector $\sigma = (\sigma_1, \dots, \sigma_m) \in \braces{0, 1}^m$.
- After the protocol, the receiver will get $x_i^{\sigma_i}$ for $i = 1, \dots, m$.
> **First phase.**
>
> 1. The receiver samples $n$ random strings $T_1, \dots, T_n \la \braces{0, 1}^m$ of length $m$.
> 2. The receiver prepares pairs $\paren{T_i, T_i \oplus \sigma}$ for $i = 1, \dots, n$ and plays *sender in base OT*.
> 3. The sender chooses random $s = (s_1, \dots, s_n) \in \braces{0, 1}^n$.
> 4. The sender plays *receiver in base OT* with input $s_i$ for $i = 1, \dots, n$.
In the first phase, the roles are temporarily switched.
- The receiver chose $n$ random $m$-bit vectors, now has a $m\times n$ bit matrix $T$.
- For the $i$-th base OT, the receiver inputs $T_i$ or $T_i \oplus \sigma$. Therefore, if $s_i = 0$, the sender gets $T_i$. If $s_i = 1$, then sender gets $T_i \oplus \sigma$.
- Suppose that the sender gets $Q_i \in \braces{0, 1}^m$ in the $i$-th base OT. The sender will also have a $m \times n$ bit matrix $Q$.
$$
Q_i = \begin{cases} T_i & (s_i = 0) \\
T_i \oplus \sigma & (s_i = 1).
\end{cases}
$$
**Now consider each row separately!** Let $A[k]$ be the $k$-th row of matrix $A$.
If $\sigma_j = 0$, the XOR operation in $T_i \oplus \sigma$ has no effect on the $j$-th element (row), so the $j$-th element of $T_i \oplus \sigma$ and $T_i$ are the same. Thus, we have $Q[j] = T[j]$.
On the other hand, suppose that $\sigma_j = 1$ and consider each element of $Q[j]$. The $i$-th element is the $j$-th element of $Q_i$. If $s_i = 0$, then $Q_i = T_i$, so the $j$-th element (row) is the same as the $j$-th element of $T_i$. If $s_i = 1$, then $Q_i = T_i \oplus \sigma$, so the $j$-th element is flipped. Thus, $Q[j] = T[j] \oplus s$.
$$
Q[j] = \begin{cases} T[j] & (\sigma_j = 0) \\
T[j] \oplus s & (\sigma_j = 1).
\end{cases}
$$
> **Second phase.** To perform the $j$-th transfer $(j = 1, \dots, m)$,
>
> 1. The sender sends $y_j^0 = H(j, Q[j]) \oplus x_j^0$ and $y_j^1 = H(j, Q[j] \oplus s) \oplus x_j^1$.
> 2. The receiver computes $H(j, T[j]) \oplus y_j^{\sigma_j}$.
If $\sigma_j = 0$, then the sender gets
$$
H(j, T[j]) \oplus y_j^0 = H(j, T[j]) \oplus H(j, Q[j]) \oplus x_j^0 = x_j^0.
$$
If $\sigma_j = 1$,
$$
H(j, T[j]) \oplus y_j^1 = H(j, T[j]) \oplus H(j, Q[j] \oplus s) \oplus x_j^1 = x_j^1.
$$
We have just shown correctness.
### Security Proof of OT Extension
Intuitively, the sender receives either $T_i$ or $T_i \oplus \sigma$. But $T_i$ are chosen randomly, so it hides $\sigma$, revealing no information.
As for the receiver, the values $(x_j^0, x_j^1)$ are masked by a hash function, namely $H(j, Q[j])$ and $H(j, Q[j] \oplus s)$. The receiver can compute $H(j, T[j])$, which equals *only one of them* but since receiver has no information about $s$, prohibiting the receiver from computing the other mask.
### Performance of OT Extension
The extension technique allows us to run $n$ base OT instances to obtain $m$ OT instances. For each of the $m$ OT transfers, only a few hash operations are required, resulting in very efficient OT.
One may concern that we have to send a lot of information for each of the $n$ OT instances, since we have to send $m$ bit data for each OT. But this of not much concern. For example, if we used [OT based on ElGamal](./2023-11-09-secure-mpc.md#1-out-of-2-ot-construction-from-elgamal-encryption), we can choose primes large enough $> 2^m$ to handle $m$-bit data.
Hence, with OT extensions, we can perform millions of OTs efficiently, which can be used especially for computing many Beaver triples during preprocessing.
[^1]: Intuitively, it may seem that proving security for $n-1$ corrupted parties would be the hardest. However, security for $n-1$ corrupted parties does not imply security for $n-2$ corrupted parties, in general.
[^2]: There is a variant of sharing Beaver triples, where a dealer generates all $x_i, y_i, z_i$ and gives them to each party.
[^3]: A Graduate Course in Applied Cryptography.

563
_posts/lecture-notes/modern-cryptography/2023-11-23-bgv-scheme.md Normal file
View File

@@ -0,0 +1,563 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 17. BGV Scheme
date: 2023-11-23
github_title: 2023-11-23-bgv-scheme
---
## Homomorphisms
> **Definition.** Let $(X, \ast), (Y, \ast')$ be sets equipped with binary operations $\ast$, $\ast'$. A map $\varphi : X \ra Y$ is said to be a **homomorphism** if
>
> $$
> \varphi(a \ast b) = \varphi(a) \ast' \varphi(b)
> $$
>
> for all $a, b \in X$.
A homomorphism *sort of* preserves the structure between two sets.[^1]
We will mainly consider **additive homomorphisms** where
$$
\varphi(a + b) = \varphi(a) + \varphi(b),
$$
and **multiplicative homomorphisms** where
$$
\varphi(ab) = \varphi(a)\varphi(b).
$$
## Homomorphic Encryption
> **Definition.** A **homomorphic encryption scheme** defined over $\mc{M}$ consists of an encryption algorithm $E$ and a decryption algorithm $D$ such that
>
> $$
> D\big( E(x) + E(y) \big) = x + y
> $$
>
> or
>
> $$
> D\big( E(x) \cdot E(y) \big) = x \cdot y.
> $$
The **decryption $D$ is a homomorphism**. From ciphertexts of $x$ and $y$, this scheme can compute the ciphertext of $x + y$ or $x \cdot y$.
There are mainly $3$ categories of homomorphic encryption.
- **Partial** Homomorphic Encryption
- These schemes can evaluate *some* functions on encrypted data.
- Textbook RSA had a *homomorphic property*.
- **Somewhat** Homomorphic Encryption (SHE)
- Both addition and multiplication are supported.
- But there is a limit on the number of operations.
- **Fully** Homomorphic Encryption (FHE)
- Any function can be evaluated on encrypted data.
- There is a method called *bootstrapping* that compiles SHE into FHE.
### A Warm-up Scheme
This is a sample scheme, which is insecure.
> Choose parameters $n$ and $q$ as security parameters.
>
> 1. Set secret key $\bf{s} = (s_1, \dots, s_n) \in \Z^n$.
> 2. For message $m \in \Z_q$, encrypt it as follows.
> - Randomly choose $\bf{a} = (a_1, \dots, a_n) \la \Z_q^n$.
> - Compute $b = -\span{\bf{a}, \bf{s}} + m \pmod q$.
> - Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$.
> 3. To decrypt $\bf{c}$, compute $m = b + \span{\bf{a}, \bf{s}} \pmod q$.
Correctness is trivial. Also, this encryption algorithm has the *additive homomorphism* property. If $b_1, b_2$ are encryptions of $m_1, m_2$, then
$$
b_1 = -\span{\bf{a}_1, \bf{s}} + m_1, \quad b_2 = -\span{\bf{a}_2, \bf{s}} + m_2
$$
in $\Z_q$. Thus,
$$
b_1 + b_2 = -\span{\bf{a}_1 + \bf{a}_2, \bf{s}} + m_1 + m_2.
$$
Decrypting the ciphertext $(b_1 + b_2, \bf{a}_1 + \bf{a}_2)$ will surely give $m_1 + m_2$.
But this scheme is not secure. After $n$ queries, the plaintext-ciphertext pairs can be transformed into a linear system of equations
$$
\bf{b} = -A \bf{s} + \bf{m},
$$
where $\bf{a}_i$ are in the rows of $A$. This system can be solved for $\bf{s}$ with non-negligible probability.[^2]
## Lattice Cryptography
Recall that schemes like RSA and ElGamal rely on the hardness of computational problems. The hardness of those problems make the schemes secure. There are other (known to be) *hard* problems using **lattices**, and recent homomorphic encryption schemes use **lattice-based** cryptography.
> **Definition.** For $\bf{b}_i \in \Z^n$ for $i = 1, \dots, n$, let $B = \braces{\bf{b}_1, \dots, \bf{b}_n}$ be a basis. The set
>
> $$
> L = \braces{\sum_{i=1}^n a_i\bf{b}_i : a_i \in \Z}
> $$
>
> is called a **lattice**. The set $B$ is a basis over $L$.
It is essentially a linear combination of basis elements, with *integer coefficients*.
### Bounded Distance Decoding Problem (BDD)
Let $L$ be a lattice with basis $B$. Given
$$
\bf{t} = B\bf{u} + \bf{e} \notin L
$$
for a small error $\bf{e}$, the problem is to find the closest lattice point $B\bf{u} \in L$.
It is known that all (including quantum) algorithms for solving BDD have costs $2^{\Omega(n)}$.
This problem is easy when we have a *short* basis, where the angles between vectors are closer to $\pi/2$. For example, given $\bf{t}$, find $a_i \in \R$ such that
$$
\bf{t} = a_1 \bf{b}_1 + \cdots a_n \bf{b}_n
$$
and return $B\bf{u}$ as
$$
B\bf{u} = \sum_{i=1}^n \lfloor a_i \rceil \bf{b}_i.
$$
Then this $B\bf{u} \in L$ is pretty close to $\bf{t} \notin L$.
## Learning with Errors Problem (LWE)
This is the problem we will mainly use for homomorphic schemes.
Let $\rm{LWE}_{n, q, \sigma}(\bf{s})$ denote the LWE distribution, where
- $n$ is the number of dimensions,
- $q$ is the modulus,
- $\sigma$ is the standard deviation of error.
Also $D_\sigma$ denotes the discrete gaussian distribution with standard deviation $\sigma$.
> Let $\bf{s} = (s_1, \dots, s_n) \in \Z_q^n$ be a secret.
>
> - Sample $\bf{a} = (a_1, \dots, a_n) \la \Z_q^n$ and $e \la D_\sigma$.
> - Compute $b = \span{\bf{a}, \bf{s}} + e \pmod q$.
> - Output $(b, \bf{a}) \in \Z_q^{n+1}$.
>
> This is called a **LWE instance**.
### Search LWE Problem
> Given many samples from $\rm{LWE}_{n, q, \sigma}(\bf{s})$, find $\bf{s}$.
### Decisional LWE Problem (DLWE)
> Distinguish two distributions $\rm{LWE}_{n, q, \sigma}(\bf{s})$ and $U(\Z_q^{n+1})$.
It is known that the two versions of LWE problem are **equivalent** when $q$ is a prime bounded by some polynomial in $n$.
LWE problem can be turned into **assumptions**, just like the DL and RSA problems. As in DL and RSA, the LWE problem is not hard for any parameters $n, q$. The problem is harder if $n$ is large and $q$ is small.
## The BGV Scheme
**BGV scheme** is by Brakerski-Gentry-Vaikuntanathan (2012). The scheme is defined over the finite field $\Z_p$ and can perform arithmetic in $\Z_p$.
> Choose security parameters $n$, $q$ and $\sigma$. It is important that $q$ is chosen as an **odd** integer.
>
> **Key Generation**
> - Set secret key $\bf{s} = (s_1, \dots, s_n) \in \Z^n$.
>
> **Encryption**
> - Sample $\bf{a} \la \Z_q^n$ and $e \la D_\sigma$.
> - Compute $b = -\span{\bf{a}, \bf{s}} + m + 2e \pmod q$.
> - Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$.
>
> **Decryption**
> - Compute $r = b + \span{\bf{a}, \bf{s}} \pmod q$.
> - Output $m = r \pmod 2$.
Here, it can be seen that
$$
r = m + 2e \pmod q.
$$
For correctness, $e \ll q$, and
$$
\abs{r} = \abs{m + 2e} < \frac{1}{2}q.
$$
Under the LWE assumption, it can be proven that the scheme is semantically secure, i.e,
$$
E(\bf{s}, 0) \approx_c E(\bf{s}, 1).
$$
### Addition in BGV
Addition is easy!
> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \braces{0, 1}$. Then, $\bf{c}_\rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
*Proof*. Decrypt $\bf{c}_\rm{add} = (b + b', \bf{a} + \bf{a}')$. If
$$
r = b + \span{\bf{a}, \bf{s}} = m + 2e \pmod q
$$
and
$$
r' = b' + \span{\bf{a}', \bf{s}} = m' + 2e' \pmod q,
$$
then we have
$$
r_\rm{add} = b + b' + \span{\bf{a} + \bf{a}', \bf{s}} = r + r' = m + m' + 2(e + e') \pmod q.
$$
If $\abs{r + r'} < q/2$, then $m + m' = r_\rm{add} \pmod 2$.
### Multiplication in BGV
#### Tensor Product
For multiplication, we need **tensor products**.
> **Definition.** Let $\bf{a} = (a_1, \dots, a_n)^\top, \bf{b} = (b_1, \dots, b_n)^\top$ be vectors. Then the **tensor product** $\bf{a} \otimes \bf{b}$ is a vector with $n^2$ dimensions such that
>
> $$
> \bf{a} \otimes \bf{b} = \big( a_i \cdot b_j \big)_{1 \leq i, j \leq n}.
> $$
We will use the following property.
> **Lemma.** Let $\bf{a}, \bf{b}, \bf{c}, \bf{d}$ be $n$-dimensional vectors. Then,
>
> $$
> \span{\bf{a}, \bf{b}} \cdot \span{\bf{c}, \bf{d}} = \span{\bf{a} \otimes \bf{c}, \bf{b} \otimes \bf{d}}.
> $$
*Proof*. Denote the components as $a_i, b_i, c_i, d_i$.
$$
\begin{aligned}
\span{\bf{a} \otimes \bf{c}, \bf{b} \otimes \bf{d}} &= \sum_{i=1}^n\sum_{j=1}^n a_ic_j \cdot b_id_j \\
&= \paren{\sum_{i=1}^n a_ib_i} \paren{\sum_{j=1}^n c_j d_j} = \span{\bf{a}, \bf{b}} \cdot \span{\bf{c}, \bf{d}}.
\end{aligned}
$$
#### Multiplication
Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \braces{0, 1}$. Since
$$
r = b + \span{\bf{a}, \bf{s}} = m + 2e \pmod q
$$
and
$$
r' = b' + \span{\bf{a}', \bf{s}} = m' + 2e' \pmod q,
$$
we have that
$$
r_\rm{mul} = rr' = (m + 2e)(m' + 2e') = mm' + 2e\conj \pmod q.
$$
So $mm' = r_\rm{mul} \pmod 2$ if $e\conj$ is small.
However, to compute $r_\rm{mul} = rr'$ from the ciphertext,
$$
\begin{aligned}
r_\rm{mul} &= rr' = (b + \span{\bf{a}, \bf{s}})(b' + \span{\bf{a}', \bf{s}}) \\
&= bb' + \span{b\bf{a}' + b' \bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'}.
\end{aligned}
$$
Thus we define $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, then this can be decrypted with $(1, \bf{s}, \bf{s} \otimes \bf{s})$ by the above equation.
> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m'$. Then,
>
> $$
> \bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')
> $$
>
> is an encryption of $mm'$ with $(1, \bf{s}, \bf{s} \otimes \bf{s})$.
Not so simple as addition, we need $\bf{s} \otimes \bf{s}$.
#### Problems with Multiplication
The multiplication described above has two major problems.
- The dimension of the ciphertext has increased to $n^2$.
- At this rate, multiplications get inefficient very fast.
- The *noise* $e\conj$ grows too fast.
- For correctness, $e\conj$ must be small compared to $q$, but it grows exponentially.
- We can only perform $\mc{O}(\log q)$ multiplications.
### Dimension Reduction
First, we reduce the ciphertext dimension. In the ciphertext $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{a} \otimes \bf{a}'$ is causing the problem, since it must be decrypted with $\bf{s} \otimes \bf{s}'$.
Observe that the following dot product is calculated during decryption.
$$
\tag{1} \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} = \sum_{i = 1}^n \sum_{j=1}^n a_i a_j' s_i s_j.
$$
The above expression has $n^2$ terms, so they have to be manipulated. The idea is to switch these terms as encryptions of $\bf{s}$, instead of $\bf{s} \otimes \bf{s}'$.
Thus we use encryptions of $s_is_j$ by $\bf{s}$. If we have ciphertexts of $s_is_j$, we can calculate the expression in $(1)$ since this scheme is *homomorphic*. Then the ciphertext can be decrypted only with $\bf{s}$, as usual. This process is called **relinearization**, and the ciphertexts of $s_i s_j$ are called **relinearization keys**.
#### First Attempt
> **Relinearization Keys**: for $1 \leq i, j \leq n$, perform the following.
> - Sample $\bf{u}_{i, j} \la \Z_q^{n}$ and $e_{i, j} \la D_\sigma$.
> - Compute $v_{i, j} = -\span{\bf{u}_{i, j}, \bf{s}} + s_i s_j + 2e_{i, j} \pmod q$.
> - Output $\bf{w}_{i, j} = (v_{i, j}, \bf{u}_{i, j})$.
>
> **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$ and $\bf{w}_{i, j}$ for $1 \leq i, j \leq n$, output the following.
>
> $$
> \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \bf{w}_{i, j} \pmod q.
> $$
Note that the addition $+$ is the addition of two $(n+1)$-dimensional vectors. By plugging in $\bf{w}_{i, j} = (v_{i, j}, \bf{u}_{i, j})$, we actually have
$$
b_\rm{mul}^\ast = bb' + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' v_{i, j}
$$
and
$$
\bf{a}_\rm{mul}^\ast = b\bf{a}' + b'\bf{a} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \bf{u}_{i, j}.
$$
Now we check correctness. $\bf{c}_\rm{mul}^\ast$ should decrypt to $mm'$ with only $\bf{s}$.
$$
\begin{aligned}
b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' v_{i, j} + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \span{\bf{u}_{i, j}, \bf{s}} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \paren{v_{i, j} + \span{\bf{u}_{i, j}, \bf{s}}}.
\end{aligned}
$$
Since $v_{i, j} + \span{\bf{u}_{i, j}, \bf{s}} = s_i s_j + 2e_{i, j} \pmod q$, the above expression further reduces to
$$
\begin{aligned}
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i=1}^n \sum_{j=1}^n a_i a_j' \paren{s_i s_j + 2e_{i, j}} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} + 2\sum_{i=1}^n\sum_{j=1}^n a_i a_j' e_{i, j} \\
&= rr' + 2e\conj \pmod q,
\end{aligned}
$$
and we have an encryption of $mm'$.
However, we require that
$$
e\conj = \sum_{i=1}^n \sum_{j=1}^n a_i a_j' e_{i, j} \ll q
$$
for correctness. It is highly unlikely that this relation holds, since $a_i a_j'$ will be large. They are random elements of $\Z_q$ after all, so the size is about $\mc{O}(n^2 q)$.
#### Relinearization
We use a method to make $a_i a_j'$ smaller. The idea is to use the binary representation.
Let $a[k] \in \braces{0, 1}$ denote the $k$-th least significant bit of $a \in \Z_q$. Then we can write
$$
a = \sum_{0\leq k<l} 2^k \cdot a[k]
$$
where $l = \ceil{\log q}$. Then we have
$$
a_i a_j' s_i s_j = \sum_{0\leq k <l} (a_i a_j')[k] \cdot 2^k s_i s_j,
$$
so instead of encryptions of $s_i s_j$, we use encryptions of $2^k s_i s_j$.
For convenience, let $a_{i, j} = a_i a_j'$. Now we have triple indices including $k$.
> **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following.
> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and $e_{i, j, k} \la D_\sigma$.
> - Compute $v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q$.
> - Output $\bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k})$.
>
> **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w}_{i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
>
> $$
> \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n \sum_{k=0}^{\ceil{\log q}} a_{i, j}[k] \bf{w}_{i, j, k} \pmod q.
> $$
Correctness can be checked similarly. The bounds for summations are omitted for brevity. They range from $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$.
$$
\begin{aligned}
b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i, j, k} a_{i, j}[k] \cdot v_{i, j, k} + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \cdot \span{\bf{u}_{i, j, k}, \bf{s}} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \paren{v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}}}.
\end{aligned}
$$
Since $v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}} = 2^k \cdot s_i s_j + 2e_{i, j, k} \pmod q$, the above expression further reduces to
$$
\begin{aligned}
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \paren{2^k \cdot s_i s_j + 2e_{i, j, k}} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j} a_{i, j}s_i s_j + 2\sum_{i, j, k} a_{i, j}[k] \cdot e_{i, j, k} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} + 2e\conj \\
&= rr' + 2e\conj \pmod q,
\end{aligned}
$$
and we have an encryption of $mm'$. In this case,
$$
e\conj = 2\sum_{i=1}^n\sum_{j=1}^n \sum_{k=0}^{\ceil{\log q}} a_{i, j}[k] \cdot e_{i, j, k}
$$
is small enough to use, since $a_{i, j}[k] \in \braces{0, 1}$. The size is about $\mc{O}(n^2 \log q)$, which is a lot smaller than $q$ for practical uses. We have reduced $n^2 q$ to $n^2 \log q$ with this method.
### Noise Reduction
Now we handle the noise growth. For correctness, we required that
$$
\abs{r} = \abs{m + 2e} < \frac{1}{2}q.
$$
But for multiplication, $\abs{r_\rm{mul}} = \abs{rr' + 2e\conj}$, so the noise grows very fast. If the initial noise size was $N$, then after $L$ levels of multiplication, the noise is now $N^{2^L}$.[^3] To reduce noise, we use **modulus switching**.
Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$, we reduce the modulus to $q' < q$ which results in a smaller noise $e'$. This can be done by scaling $\bf{c}$ by $q'/q$ and rounding it.
> **Modulus Switching**: let $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ be given.
>
> - Find $b'$ closest to $b \cdot (q' /q)$ such that $b' = b \pmod 2$.
> - Find $a_i'$ closest to $a_i \cdot (q'/q)$ such that $a_i' = a_i \pmod 2$.
> - Output $\bf{c}' = (b', \bf{a}') \in \Z_{q'}^{n+1}$.
In summary, $\bf{c}' \approx \bf{c} \cdot (q'/q)$, and $\bf{c}' = \bf{c} \pmod 2$ component-wise.
We check if the noise has been reduced, and decryption results in the same message $m$. Decryption of $\bf{c}'$ is done by $r' = b' + \span{\bf{a}', \bf{s}} \pmod{q'}$, so we must prove that $r' \approx r \cdot (q'/q)$ and $r' = r \pmod 2$. Then the noise is scaled down by $q'/q$ and the message is preserved.
Let $k \in \Z$ such that $b + \span{\bf{a}, \bf{s}} = r + kq$. By the choice of $b'$ and $a_i'$,
$$
b' = b \cdot (q'/q) + \epsilon_0, \quad a_i' = a_i \cdot (q'/q) + \epsilon_i
$$
for $\epsilon_i \in\braces{0, 1}$. Then
$$
\begin{aligned}
b' + \span{\bf{a}', \bf{s}} &= b' + \sum_{i=1}^n a_i's_i \\
&= b \cdot (q'/q) + \epsilon_0 + \sum_{i=1}^n \paren{a_i \cdot (q'/q) + \epsilon_i} s_i \\
&= (q'/q) \paren{b + \sum_{i=1}^n a_i s_i} + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i \\
&= (q'/q) \cdot (r + kq) + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i \\
&= r \cdot (q'/q) + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i + kq'.
\end{aligned}
$$
We additionally assume that $\bf{s} \in \Z_2^n$, then the error term is bounded by $n+1$, and $n \ll q$.[^4] Set
$$
r' = r \cdot (q'/q) + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i,
$$
then we have $r' \approx r \cdot (q'/q)$.
Next, $b + \span{\bf{a}, \bf{s}} = b' + \span{\bf{a}', \bf{s}} \pmod 2$ component-wise. Then
$$
r + kq = b + \span{\bf{a}, \bf{s}} = b' + \span{\bf{a}', \bf{s}} = r' + kq' \pmod 2.
$$
Since $q, q'$ are odd, $r = r' \pmod 2$.
### Modulus Chain
Let the initial noise be $\abs{r} \approx N$. Set the maximal level $L$ for multiplication, and set $q_{L} = N^{L+1}$. Then after each multiplication, switch the modulus to $q_{k-1} = q_k/N$ using the above method.
Multiplication increases the noise to $N^2$, and then modulus switching decreases the noise back to $N$, allowing further computation.
So we have a modulus chain,
$$
N^{L+1} \ra N^L \ra \cdots \ra N.
$$
When we perform $L$ levels of computation and reach modulus $q_0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](./2023-12-08-bootstrapping-ckks.md#bootstrapping).
Note that without modulus switching, we need $q_L > N^{2^L}$ for $L$ levels of computation, which is very large. Since we want $q$ to be small (for the hardness of the LWE problem), modulus switching is necessary. We now only require $q_L > N^{L+1}$.
### Multiplication in BGV (Summary)
- Set up a modulus chain $q_k = N^{k+1}$ for $k = 0, \dots, L$.
- Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z_{q_k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z_{q_k}^{n+1}$ with modulus $q_k$ and noise $N$.
- (**Tensor Product**) $\bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q_k}$.
- Now we have $n^2$ dimensions and noise $N^2$.
- (**Relinearization**)
- Back to $n$ dimensions and noise $N^2$.
- (**Modulus Switching**)
- Modulus is switched to $q_{k-1}$ and noise is back to $N$.
## BGV Generalizations and Optimizations
### From $\Z_2$ to $\Z_p$
The above description is for messages $m \in \braces{0, 1} = \Z_2$. This can be extend to any finite field $\Z_p$. Replace $2$ with $p$ in the scheme. Then encryption of $m \in \Z_p$ is done as
$$
b = -\span{\bf{a}, \bf{s}} + m + pe \pmod q,
$$
and we have $r = b + \span{\bf{a}, \bf{s}} = m + pe$, $m = r \pmod p$.
### Packing Technique
Based on the Ring LWE problem, plaintext space can be extended from $\Z_p$ to $\Z_p^n$ by using **polynomials**.
With this technique, the number of linearization keys is reduced from $n^2 \log q$ to $\mc{O}(1)$.
## Security and Performance of BGV
- Security depends on $n$ and $q$.
- $(n, \log q) = (2^{10}, 30), (2^{13}, 240), (2^{16}, 960)$.
- $q$ is much larger than $n$.
- We want $n$ small and $q$ large enough to be correct.
- BGV is a **somewhat** homomorphic encryption.
- The number of multiplications is limited.
- Multiplication is expensive, especially linearization.
- Parallelization is effective for optimization, since multiplication is basically performing the same operations on different data.
[^1]: A homomorphism is a *confused name changer*. It can map different elements to the same name.
[^2]: The columns $\bf{a}_i$ are chosen random, so $A$ is invertible with high probability.
[^3]: Noise: $N \ra N^2 \ra N^4 \ra \cdots \ra N^{2^L}$.
[^4]: This is how $\bf{s}$ is chosen in practice.

348
_posts/lecture-notes/modern-cryptography/2023-12-08-bootstrapping-ckks.md Normal file
View File

@@ -0,0 +1,348 @@
---
share: true
toc: true
math: true
categories:
- Lecture Notes
- Modern Cryptography
path: _posts/lecture-notes/modern-cryptography
tags:
- lecture-note
- cryptography
- security
title: 18. Bootstrapping & CKKS
date: 2023-12-08
github_title: 2023-12-08-bootstrapping-ckks
---
## Bootstrapping
Recall that BGV has a limit on the number of operations, so it cannot evaluate a circuit with a large depth. This was because of the growing noise, so we need a way to remove the noise.
An easy answer is decrypting the ciphertext and encrypting it again, but we want to do it without using the secret key.
**Bootstrapping** is a method to convert SHE into FHE.
### Key Idea
The main idea is to *homomorphically evaluate the decryption circuit over encrypted $\bf{s}$*.
Let $\bf{c}$ be an encryption of $m \in \braces{0, 1}$, at the lowest level $0$. (Cannot perform multiplications anymore) The decryption algorithm, with a secret $\bf{s}$ fixed, is a function of $\bf{c}$.
Change the perspective and view it as a function of $\bf{s}$.
$$
f(\bf{s}) = D(\bf{s}, \bf{c}) : \braces{0, 1}^n \ra \braces{0, 1}
$$
Then $f(\bf{s}) = m$.
Let $\bf{s}' \in \braces{0, 1}^n$ be a new secret key. Generate the **bootstrapping keys**
$$
BK = \braces{\bf{k}_i}_{i=1}^n, \qquad \bf{k}_i = E(\bf{s}', s_i).
$$
Then by the homomorphic property of $f$,
$$
f(\bf{k_1}, \bf{k}_2, \dots, \bf{k}_n) = f\big( E(\bf{s}', s_1), \dots, E(\bf{s}', s_n) \big) = E\big( \bf{s}', f(s_1, \dots, s_n) \big) = E(\bf{s}', m).
$$
#### Example with BGV
Technically, the expression $f(\bf{k_1}, \bf{k}_2, \dots, \bf{k}_n)$ doesn't make sense, but it works. Consider a message $m$ encrypted with secret $\bf{s}$ in the BGV scheme.
$$
\bf{c} = (b, \bf{a}), \quad b = -\span{\bf{a}, \bf{s}} + m + 2e \pmod q.
$$
The decryption is $r = b + \span{\bf{a}, \bf{s}} \pmod q$, and then taking the least significant bit. Consider it as a function
$$
f(\bf{s}) = b + \span{\bf{a}, \bf{s}} = b + \sum_{i=1}^n a_is_i.
$$
For a new key $\bf{s}' = (s_1', \dots, s_n')$, generate bootstrapping keys $\bf{k}_i = E(\bf{s}', s_i)$ and plugging it in forcefully gives
$$
\begin{aligned}
f(\bf{k}_1, \dots, \bf{k}_n) &= b + \sum_{i=1}^n a_i E(\bf{s}', s_i) = b + \sum_{i=1}^n E(\bf{s}', a_is_i) \\
&=b + E\paren{\bf{s}', \sum_{i=1}^n a_is_i} = b + E\paren{\bf{s}', \span{\bf{a}, \bf{s}}}.
\end{aligned}
$$
Since an encryption of $\span{\bf{a}, \bf{s}}$ with $\bf{s}'$ is $-\span{\bf{a}', \bf{s}'} + \span{\bf{a}, \bf{s}} + 2e' \pmod q$, the above equation equals
$$
\begin{aligned}
b' &=b -\span{\bf{a}', \bf{s}'} + \span{\bf{a}, \bf{s}} + 2e' \\
&= -\span{\bf{a}', \bf{s}'} + m + 2(e + e') \pmod q.
\end{aligned}
$$
Indeed, decrypting $b'$ will give $m$. So we have $E(\bf{s}', m)$ from $f(\bf{k}_1, \dots, \bf{k}_n)$.[^1]
### Bootstrapping Procedure
> Given an encryption $\bf{c}$ of $m$ at level $0$, perform the following procedure.
>
> **Bootstrapping Key Generation**
> - Choose a new secret key $\bf{s}' \in \braces{0, 1}^n$.
> - Generate *bootstrapping key* $BK = \braces{\bf{k}_i}_{i=1}^n$ where $\bf{k}_i = E(\bf{s}', s_i)$.
>
> **Bootstrapping**
> - Generate a circuit representation $f : \braces{0, 1}^n \ra \braces{0, 1}$ of the decryption function $D(\cdot, \bf{c})$.
> - Compute and output $\bf{c}' = f(\bf{k}_1, \dots, \bf{k}_n)$.
The bootstrapping procedure returns an encryption of $m$ under $\bf{s}'$, as shown above. The key idea here is that $\bf{k}_i$ are *fresh* ciphertexts at level $L$. Even though a few levels are consumed during the evaluation of $f$, the resulting ciphertext $\bf{c}'$ is not at level $0$ anymore, allowing us to do more computation.
> Suppose that the homomorphic evaluation of $f$ requires depth $d$, consuming $d$ levels. Then we say that the BGV scheme is **bootstrappable** if $d < L$. The output ciphertext $\bf{c}'$ will have level $l = L - d > 0$, which we call **remaining level**.
Thus, we need to set $L$ large enough in the BGV scheme so that it is bootstrappable. But larger $L$ results in larger $q$, reducing the security of the scheme. This is another reason we must use **modulus switching**. Without it, we wouldn't have been able to set $L$ large enough for bootstrapping.
### Fully Homomorphic Encryption
Thus, if BGV is bootstrappable, then we can apply bootstrapping on the ciphertext whenever its level reaches $0$. Now we can evaluate *any* circuit of finite depth.
There is a slight catch here. For every bootstrapping procedure, we need a bootstrapping key. This must be generated by the owner of the original secret. As a result, lots of secret keys are required to homomorphically evaluate a circuit.
$$
\bf{s} \ra \bf{s}' \ra \bf{s}'' \ra \cdots
$$
Currently, we set $\bf{s}' = \bf{s}$ and make the chain **circular**, so the bootstrapping keys are $E(\bf{s}, s_i)$. $\bf{s}$ is being encrypted by itself. We wonder if this is secure, but there is no known proof for this. This is used as an assumption called the **circular security assumption**.
Designing an FHE scheme without the circular security assumption is currently an open problem.
## CKKS Scheme
The [BGV scheme](./2023-11-23-bgv-scheme.md#the-bgv-scheme) operates on $\Z_p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation.
### Approximate Computation
Computers use floating point representations for real numbers.
$$
2.9979 \times 10^8
$$
Here, $2.9979$ is the **significand**, $10$ is the base and $8$ is the exponent. We also call $10^8$ the **scaling factor**.
Floating point operations involve **rounding**, but rounding is not easy in homomorphic encryption. Using the BGV scheme on $\Z_p$, there are $2$ methods to do this.
- Bit-wise Encryption
- $32$-bit integer results in $32$ ciphertexts.
- Binary multiplier circuits can be used for multiplication.
- Rounding is easy if done this way.
- But this is *extremely* inefficient. Huge number of gates are required, consumes a lot of levels.
- Integer Encryption
- To encrypt the significant, use a modulus large enough, such as $p > 2^{32}$.
- For multiplication, use $p > 2^{64}$.
- But rounding is hard in $\Z_p$.
So our wish is to design an HE scheme that natively supports rounding operation!
### CKKS Description
In the LWE problem, error was added for security. This can be exploited, since computing floating points allows some rounding errors.
> Let $n, q, \sigma$ be parameters for LWE and set a scaling factor $\Delta > 0$.
>
> **Key Generation**
> - A secret key is chosen as $\bf{s} = (s_1, \dots, s_n) \in \braces{0, 1}^n$, with its linearization gadget.
>
> **Encryption**: message $m \in \R$.
> - Randomly sample $\bf{a} = (a_1, \dots, a_n) \la \Z_q^n$ and $e \la D_\sigma$.
> - Compute $b = -\span{\bf{a}, \bf{s}} + \round{\Delta \cdot m} + e \pmod q$.
> - Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$.
>
> **Decryption**
> - Compute $\mu = b + \span{\bf{a}, \bf{s}} \pmod q$.
> - Output $m' = \Delta\inv \cdot \mu \in \R$.
Note that the decrypted output is $m'$, which is **not equal to $m$**. We have
$$
\mu = \round{\Delta \cdot m} + e
$$
if $\mu$ is small. (ex. $\abs{\mu} < q/2$) But $m' = \Delta\inv \cdot \mu \neq m$. The traditional *correctness* does not apply here, since $D(\bf{s}, \bf{c}) \neq m$.
Instead, CKKS is an **approximate encryption**. The exact $m$ is not recovered, but we get an approximation $m'$ with bounded error,
$$
\abs{m - m'} \leq \frac{1}{\Delta} (0.5 + \abs{e}).
$$
This is okay, since small numerical errors are allowed in floating-point operations. Also, it can be seen from this inequality that $\Delta$ is sort of a *precision*.
Also, CKKS is secure under the LWE assumption.
## Operations on Ciphertexts in CKKS
The overall process is similar to that of BGV, with some additional changes.
Remember that if $\bf{c} = (b, \bf{a})$ is an encryption of $m \in \R$, then
$$
\mu = b + \span{\bf{a}, \bf{s}} \pmod q, \quad \mu \approx \Delta \cdot m.
$$
### Addition in CKKS
> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then, $\bf{c}_\rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
*Proof*. Decrypt $\bf{c}_\rm{add} = (b + b', \bf{a} + \bf{a}')$.
$$
\mu_\rm{add} = \mu + \mu' = (b + b') + \span{\bf{a} + \bf{a}', \bf{s}} \pmod q.
$$
If $\abs{\mu + \mu'} < q/2$, then
$$
\mu_\rm{add} = \mu + \mu' = \Delta \cdot (m + m'),
$$
so the decryption results in $\Delta\inv \cdot (\mu + \mu') \approx m + m'$.
### Multiplication in CKKS
We also use [tensor products](./2023-11-23-bgv-scheme.md#tensor-product), and their properties.
> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then,
>
> $$
> \bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')
> $$
>
> is an encryption of $mm'$ with $(1, \bf{s}, \bf{s} \otimes \bf{s})$.
*Proof*. It can be checked that
$$
\begin{aligned}
\mu_\rm{mul} &= \mu\mu' = (b + \span{\bf{a}, \bf{s}})(b' + \span{\bf{a}', \bf{s}}) \\
&= bb' + \span{b\bf{a}' + b' \bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} \pmod q
\end{aligned}
$$
if $\abs{\mu\mu'} < q/2$. Then
$$
\mu_\rm{mul} = \mu\mu' \approx (\Delta \cdot m) \cdot (\Delta \cdot m') = \Delta^2 \cdot mm'.
$$
So $mm' \approx \Delta^{-2} \cdot \mu_\rm{mul}$.
We have issues with multiplication, as we did in BGV.
- The dimension of the ciphertext has increased to $n^2$.
- The scaling factor has increased to $\Delta^2$.
- A larger scaling factor means more significant digits to calculate.
### Dimension Reduction
The relinearization procedure is almost the same as in [BGV relinearization](./2023-11-23-bgv-scheme.md#relinearization).
For convenience, let $a_{i, j} = a_i a_j'$.
> **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following.
> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and $e_{i, j, k} \la D_\sigma$.
> - Compute $v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + e_{i, j, k} \pmod q$.
> - Output $\bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k})$.
>
> **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w}_{i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
>
> $$
> \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n \sum_{k=0}^{\ceil{\log q}} a_{i, j}[k] \bf{w}_{i, j, k} \pmod q.
> $$
Correctness can be checked. The bounds for summations are omitted for brevity. They range from $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$.
$$
\begin{aligned}
b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i, j, k} a_{i, j}[k] \cdot v_{i, j, k} + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \cdot \span{\bf{u}_{i, j, k}, \bf{s}} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \cdot \paren{v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}}} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \paren{2^k \cdot s_is_j + e_{i, j, k}} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j} a_{i, j}s_i s_j + \sum_{i, j, k} a_{i, j}[k] \cdot e_{i, j, k} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}} + e\conj \\
&= \mu_\rm{mul} + e\conj\pmod q.
\end{aligned}
$$
Since
$$
e\conj = \sum_{i, j, k} a_{i, j}[k] \cdot e_{i, j, k} \ll q,
$$
we have
$$
\mu_\rm{mul}^\ast = \mu_\rm{mul} + e\conj \approx \mu\mu' \approx \Delta^2 \cdot mm'.
$$
Note that the proof is identical to that of BGV linearization, except for missing constant factor $2$ in the error.
### Scaling Factor Reduction
In BGV, we used modulus switching for [noise reduction](./2023-11-23-bgv-scheme.md#noise-reduction). It was for reducing the error and preserving the message. We also use modulus switching here, but for a different purpose. The message can have small numerical errors, we just want to reduce the scaling factor. This operation is called **rescaling**.
Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ such that $b + \span{\bf{a}, \bf{s}} = \mu \pmod q$ and $\mu \approx \Delta^2 \cdot m$, we want to generate a new ciphertext of $m' \approx m$ that has a scaling factor reduced to $\Delta$. This can be done by dividing the ciphertext by $\Delta$ and then rounding it appropriately.
> **Modulus Switching**: let $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ be given.
>
> - Let $q' = \Delta \inv \cdot q$.[^2]
> - Output $\bf{c}' = \round{\Delta\inv \cdot \bf{c}} \in \Z_{q'}^{n+1}$.
Note that the modulus has been switched to $q'$. Constant multiplication and rounding is done component-wise on $\bf{c}$.
We check that $\bf{c}'$ has scaling factor $\Delta$. We know that $\mu' = b' + \span{\bf{a}', \bf{s}} \pmod{q'}$.
Let $k \in \Z$ such that $b + \span{\bf{a}, \bf{s}} = \mu + kq$. By the choice of $b'$ and $\bf{a}'$, we have
$$
b' = \Delta\inv \cdot b + \epsilon_0, \quad a_i' = \Delta\inv \cdot a_i + \epsilon_i
$$
for some $\epsilon_i$ such that $\abs{\epsilon_i} \leq 0.5$. So we have
$$
\begin{aligned}
\mu' &= \Delta\inv \cdot \paren{b + \sum_{i=1}^n a_i s_i} + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i \\
&= \Delta\inv \cdot (\mu + kq) + \epsilon \approx \Delta \inv \cdot (\Delta^2 \cdot m) + kq' = \Delta \cdot m \pmod{q'},
\end{aligned}
$$
since $\epsilon = \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i$ is small.
### Modulus Chain
Using modulus switching, we can set $q_L = \Delta^{L+1}$ where $L$ is the maximal level for multiplication. After each multiplication, the modulus is switched to $q_{k-1} = q_k / \Delta$.
Multiplication increases the scaling factor to $\Delta^2$, and then rescaling operation reduces the scaling factor back to $\Delta$.
So we have a modulus chain,
$$
\Delta^{L+1} \ra \Delta^L \ra \cdots \ra \Delta.
$$
When we reach $q_0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](2023-12-08-bootstrapping-ckks.md#bootstrapping) here.
### Multiplication in CKKS (Summary)
- Set up a modulus chain $q_k = \Delta^{k+1}$ for $k = 0, \dots, L$.
- Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z_{q_k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z_{q_k}^{n+1}$ with modulus $q_k$ and **scaling factor** $\Delta$.
- (**Tensor Product**) $\bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q_k}$.
- Now we have $n^2$ dimensions and scaling factor $\Delta^2$.
- (**Relinearization**)
- Back to $n$ dimensions and scaling factor $\Delta^2$.
- (**Modulus Switching**; **Rescaling**)
- Modulus is switched to $q_{k-1}$ and scaling factor is back to $\Delta$.
[^1]: The noise hasn't gone away since we didn't *fully evaluate* the decryption circuit, which takes the remainders from dividing by $q$ and $2$.
[^2]: No rounding...?