mirror of
https://github.com/calofmijuck/blog.git
synced 2025-12-06 14:53:50 +00:00
chore: fix all broken links
This commit is contained in:
@@ -191,7 +191,7 @@ Let $m \in \left\lbrace 0, 1 \right\rbrace^n$ be the message to encrypt. Then ch
|
|||||||
- Encryption: $E(k, m) = k \oplus m$.
|
- Encryption: $E(k, m) = k \oplus m$.
|
||||||
- Decryption: $D(k, c) = k \oplus c$.
|
- Decryption: $D(k, c) = k \oplus c$.
|
||||||
|
|
||||||
This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#one-time-pad-(otp)).
|
This scheme is **provably secure**. See also [one-time pad (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#one-time-pad-(otp)).
|
||||||
|
|
||||||
## Perfect Secrecy
|
## Perfect Secrecy
|
||||||
|
|
||||||
@@ -225,7 +225,7 @@ since for each $m$ and $c$, $k$ is determined uniquely.
|
|||||||
|
|
||||||
*Proof*. Assume not, then we can find some message $m_0 \in \mathcal{M}$ such that $m_0$ is not a decryption of some $c \in \mathcal{C}$. This is because the decryption algorithm $D$ is deterministic and $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$.
|
*Proof*. Assume not, then we can find some message $m_0 \in \mathcal{M}$ such that $m_0$ is not a decryption of some $c \in \mathcal{C}$. This is because the decryption algorithm $D$ is deterministic and $\lvert \mathcal{K} \rvert < \lvert \mathcal{M} \rvert$.
|
||||||
|
|
||||||
For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../modern-cryptography/2023-09-07-otp-stream-cipher-prgs.md#shannon's-theorem).
|
For the proof in detail, check [Shannon's Theorem (Modern Cryptography)](../../modern-cryptography/2023-09-07-otp-stream-cipher-prgs/#shannon's-theorem).
|
||||||
|
|
||||||
### Two-Time Pad is Insecure
|
### Two-Time Pad is Insecure
|
||||||
|
|
||||||
|
|||||||
@@ -140,7 +140,7 @@ This is an inverse problem of exponentiation. The inverse of exponentials is log
|
|||||||
|
|
||||||
Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^*$, since if $g$ is the generator, a solution always exists.
|
Given $y \equiv g^x \pmod p$ for some prime $p$, we want to find $x = \log_g y$. We set $g$ to be a generator of the group $\mathbb{Z}_p$ or $\mathbb{Z}_p^*$, since if $g$ is the generator, a solution always exists.
|
||||||
|
|
||||||
Read more in [discrete logarithm problem (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md#discrete-logarithm-problem-(dl)).
|
Read more in [discrete logarithm problem (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/#discrete-logarithm-problem-(dl)).
|
||||||
|
|
||||||
## ElGamal Encryption
|
## ElGamal Encryption
|
||||||
|
|
||||||
|
|||||||
@@ -15,7 +15,7 @@ date: 2023-10-09
|
|||||||
github_title: 2023-10-09-public-key-cryptography
|
github_title: 2023-10-09-public-key-cryptography
|
||||||
---
|
---
|
||||||
|
|
||||||
In symmetric key cryptography, we have a problem with key sharing and management. More info in the first few paragraphs of [Key Exchange (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md).
|
In symmetric key cryptography, we have a problem with key sharing and management. More info in the first few paragraphs of [Key Exchange (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange).
|
||||||
|
|
||||||
## Public Key Cryptography
|
## Public Key Cryptography
|
||||||
|
|
||||||
@@ -32,7 +32,7 @@ These keys are created to be used in **trapdoor one-way functions**.
|
|||||||
|
|
||||||
A **one-way function** is a function that is easy to compute, but hard to compute the pre-image of any output. Here are some common examples.
|
A **one-way function** is a function that is easy to compute, but hard to compute the pre-image of any output. Here are some common examples.
|
||||||
|
|
||||||
- *Cryptographic hash functions*: [Hash Functions (Modern Cryptography)](../modern-cryptography/2023-09-28-hash-functions.md#collision-resistance).
|
- *Cryptographic hash functions*: [Hash Functions (Modern Cryptography)](../../modern-cryptography/2023-09-28-hash-functions/#collision-resistance).
|
||||||
- *Factoring a large integer*: It is easy to multiply to integers even if they're large, but factoring is very hard.
|
- *Factoring a large integer*: It is easy to multiply to integers even if they're large, but factoring is very hard.
|
||||||
- *Discrete logarithm problem*: It is easy to exponentiate a number, but it is hard to find the discrete logarithm.
|
- *Discrete logarithm problem*: It is easy to exponentiate a number, but it is hard to find the discrete logarithm.
|
||||||
|
|
||||||
@@ -87,7 +87,7 @@ Choose a large prime $p$ and a generator $g$ of $\mathbb{Z}_p^{ * }$. The descri
|
|||||||
> 3. Alice and Bob calculate $g^{xy} \bmod p$ separately.
|
> 3. Alice and Bob calculate $g^{xy} \bmod p$ separately.
|
||||||
> 4. Eve can see $g^x \bmod p$, $g^y \bmod p$ but cannot calculate $g^{xy} \bmod p$.
|
> 4. Eve can see $g^x \bmod p$, $g^y \bmod p$ but cannot calculate $g^{xy} \bmod p$.
|
||||||
|
|
||||||
Refer to [Diffie-Hellman Key Exchange (Modern Cryptography)](../modern-cryptography/2023-10-03-key-exchange.md#diffie-hellman-key-exchange-(dhke)).
|
Refer to [Diffie-Hellman Key Exchange (Modern Cryptography)](../../modern-cryptography/2023-10-03-key-exchange/#diffie-hellman-key-exchange-(dhke)).
|
||||||
|
|
||||||
## Message Integrity
|
## Message Integrity
|
||||||
|
|
||||||
|
|||||||
@@ -62,13 +62,13 @@ You can check if TLS is used on your browser. The address should begin with `htt
|
|||||||
|
|
||||||
## CBC Padding Oracle Attack
|
## CBC Padding Oracle Attack
|
||||||
|
|
||||||
Recall [CBC Mode (Internet Security)](./2023-09-18-symmetric-key-cryptography-2.md#cipher-block-chaining-mode-(cbc)) .
|
Recall [CBC Mode (Internet Security)](../2023-09-18-symmetric-key-cryptography-2/#cipher-block-chaining-mode-(cbc)) .
|
||||||
|
|
||||||
Suppose that each block has $8$ bytes. If the message size is not a multiple of the block size, we pad the message. If we need to pad $b$ bytes, we pad $b$ bytes with $b$, encoded in binary.
|
Suppose that each block has $8$ bytes. If the message size is not a multiple of the block size, we pad the message. If we need to pad $b$ bytes, we pad $b$ bytes with $b$, encoded in binary.
|
||||||
|
|
||||||
If the padding is not valid, the decryption algorithm outputs a *padding error* during the decryption process. The attacker can observe if a padding error has occurred, and use this information to recover the plaintext.
|
If the padding is not valid, the decryption algorithm outputs a *padding error* during the decryption process. The attacker can observe if a padding error has occurred, and use this information to recover the plaintext.
|
||||||
|
|
||||||
To defend this attack, we can use [encrypt-then-MAC (Modern Cryptography)](../modern-cryptography/2023-09-26-cca-security-authenticated-encryption.md#encrypt-then-mac-(etm)), or hide the padding error.
|
To defend this attack, we can use [encrypt-then-MAC (Modern Cryptography)](../../modern-cryptography/2023-09-26-cca-security-authenticated-encryption/#encrypt-then-mac-(etm)), or hide the padding error.
|
||||||
|
|
||||||
### Attack in Detail
|
### Attack in Detail
|
||||||
|
|
||||||
@@ -114,7 +114,7 @@ $$
|
|||||||
|
|
||||||
## Hashed MAC (HMAC)
|
## Hashed MAC (HMAC)
|
||||||
|
|
||||||
Let $H$ be a has function. We defined MAC as $H(k \parallel m)$ where $k$ is a key and $m$ is a message. This MAC is insecure if $H$ has [Merkle-Damgård construction](../modern-cryptography/2023-09-28-hash-functions.md#merkle-damgård-transform), since it is vulnerable to length extension attacks. See [prepending the key in MAC is insecure (Modern Cryptography)](../modern-cryptography/2023-09-28-hash-functions.md#prepending-the-key).
|
Let $H$ be a has function. We defined MAC as $H(k \parallel m)$ where $k$ is a key and $m$ is a message. This MAC is insecure if $H$ has [Merkle-Damgård construction](../../modern-cryptography/2023-09-28-hash-functions/#merkle-damgård-transform), since it is vulnerable to length extension attacks. See [prepending the key in MAC is insecure (Modern Cryptography)](../../modern-cryptography/2023-09-28-hash-functions/#prepending-the-key).
|
||||||
|
|
||||||
Choose a key $k \leftarrow \mathcal{K}$, and set
|
Choose a key $k \leftarrow \mathcal{K}$, and set
|
||||||
|
|
||||||
|
|||||||
@@ -128,7 +128,7 @@ We learned how to encrypt a single block. How do we encrypt longer messages with
|
|||||||
|
|
||||||
There are many ways of processing multiple blocks, this is called the **mode of operation**.
|
There are many ways of processing multiple blocks, this is called the **mode of operation**.
|
||||||
|
|
||||||
Additional explanation available in [Modes of Operations (Internet Security)](../internet-security/2023-09-18-symmetric-key-cryptography-2.md#modes-of-operations).
|
Additional explanation available in [Modes of Operations (Internet Security)](../../internet-security/2023-09-18-symmetric-key-cryptography-2/#modes-of-operations).
|
||||||
|
|
||||||
### Electronic Codebook Mode (ECB)
|
### Electronic Codebook Mode (ECB)
|
||||||
|
|
||||||
|
|||||||
@@ -54,7 +54,7 @@ Now we define a stronger notion of security against **chosen ciphertext attacks*
|
|||||||
|
|
||||||
None of the encryption schemes already seen thus far is CCA secure.
|
None of the encryption schemes already seen thus far is CCA secure.
|
||||||
|
|
||||||
Recall a [CPA secure construction from PRF](./2023-09-19-symmetric-key-encryption.md#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$.
|
Recall a [CPA secure construction from PRF](../2023-09-19-symmetric-key-encryption/#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$.
|
||||||
|
|
||||||
In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure.
|
In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure.
|
||||||
|
|
||||||
|
|||||||
@@ -150,7 +150,7 @@ See Joux's attack.[^2]
|
|||||||
|
|
||||||
Now we only have to build a collision resistant compression function. We can build these functions from either a block cipher, or by using number theoretic primitives.
|
Now we only have to build a collision resistant compression function. We can build these functions from either a block cipher, or by using number theoretic primitives.
|
||||||
|
|
||||||
Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](./2023-10-03-key-exchange.md#collision-resistance-based-on-dl-problem).
|
Number theoretic primitives will be shown after we learn some number theory.[^3] An example is shown in [collision resistance using DL problem (Modern Cryptography)](../2023-10-03-key-exchange/#collision-resistance-based-on-dl-problem).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@@ -195,7 +195,7 @@ We needed a complicated construction for MACs that work on long messages. We mig
|
|||||||
|
|
||||||
Here are a few approaches. Suppose that a compression function $h$ is given and $H$ is a Merkle-Damgård function derived from $h$.
|
Here are a few approaches. Suppose that a compression function $h$ is given and $H$ is a Merkle-Damgård function derived from $h$.
|
||||||
|
|
||||||
Recall that [we can construct a MAC scheme from a PRF](./2023-09-21-macs.md#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme.
|
Recall that [we can construct a MAC scheme from a PRF](../2023-09-21-macs/#mac-constructions-from-prfs), so either we want a secure PRF or a secure MAC scheme.
|
||||||
|
|
||||||
#### Prepending the Key
|
#### Prepending the Key
|
||||||
|
|
||||||
|
|||||||
@@ -69,7 +69,7 @@ Note that $pk$ is sent to the adversary, and adversary can encrypt any message!
|
|||||||
|
|
||||||
For symmetric ciphers, semantic security (one-time) did not guarantee CPA security (many-time). But in public key encryption, semantic security implies CPA security. This is because *the attacker can encrypt any message using the public key*.
|
For symmetric ciphers, semantic security (one-time) did not guarantee CPA security (many-time). But in public key encryption, semantic security implies CPA security. This is because *the attacker can encrypt any message using the public key*.
|
||||||
|
|
||||||
First, we check the definition of CPA security for public key encryption. It is similar to that of symmetric ciphers, compare with [CPA Security for symmetric key encryption (Modern Cryptography)](./2023-09-19-symmetric-key-encryption.md#cpa-security).
|
First, we check the definition of CPA security for public key encryption. It is similar to that of symmetric ciphers, compare with [CPA Security for symmetric key encryption (Modern Cryptography)](../2023-09-19-symmetric-key-encryption/#cpa-security).
|
||||||
|
|
||||||
> **Definition.** For a given public-key encryption scheme $\mc{E} = (G, E, D)$ defined over $(\mc{M}, \mc{C})$ and given an adversary $\mc{A}$, define experiments 0 and 1.
|
> **Definition.** For a given public-key encryption scheme $\mc{E} = (G, E, D)$ defined over $(\mc{M}, \mc{C})$ and given an adversary $\mc{A}$, define experiments 0 and 1.
|
||||||
>
|
>
|
||||||
@@ -141,7 +141,7 @@ $$
|
|||||||
|
|
||||||
## CCA Security for Public Key Encryption
|
## CCA Security for Public Key Encryption
|
||||||
|
|
||||||
We also define CCA security for public key encryption, which models a wide spectrum of real-world attacks. The definition is also very similar to that of symmetric ciphers, compare with [CCA security for symmetric ciphers (Modern Cryptography)](./2023-09-26-cca-security-authenticated-encryption.md#cca-security).
|
We also define CCA security for public key encryption, which models a wide spectrum of real-world attacks. The definition is also very similar to that of symmetric ciphers, compare with [CCA security for symmetric ciphers (Modern Cryptography)](../2023-09-26-cca-security-authenticated-encryption/#cca-security).
|
||||||
|
|
||||||
> **Definition.** Let $\mc{E} = (G, E, D)$ be a public-key encryption scheme over $(\mc{M}, \mc{C})$. Given an adversary $\mc{A}$, define experiments $0$ and $1$.
|
> **Definition.** Let $\mc{E} = (G, E, D)$ be a public-key encryption scheme over $(\mc{M}, \mc{C})$. Given an adversary $\mc{A}$, define experiments $0$ and $1$.
|
||||||
>
|
>
|
||||||
@@ -176,7 +176,7 @@ Similarly, 1CCA security implies CCA security, as in the above theorem. So to sh
|
|||||||
|
|
||||||
### Active Adversaries in Symmetric vs Public Key
|
### Active Adversaries in Symmetric vs Public Key
|
||||||
|
|
||||||
In symmetric key encryption, we studied [authenticated encryption (AE)](./2023-09-26-cca-security-authenticated-encryption.md#authenticated-encryption-(ae)), which required the scheme to be CPA secure and provide ciphertext integrity. In symmetric key settings, AE implied CCA.
|
In symmetric key encryption, we studied [authenticated encryption (AE)](../2023-09-26-cca-security-authenticated-encryption/#authenticated-encryption-(ae)), which required the scheme to be CPA secure and provide ciphertext integrity. In symmetric key settings, AE implied CCA.
|
||||||
|
|
||||||
However in public-key schemes, adversaries can always create new ciphertexts using the public key, which makes the original definition of ciphertext integrity unusable. Thus we directly require CCA security.
|
However in public-key schemes, adversaries can always create new ciphertexts using the public key, which makes the original definition of ciphertext integrity unusable. Thus we directly require CCA security.
|
||||||
|
|
||||||
|
|||||||
@@ -55,7 +55,7 @@ $$
|
|||||||
|
|
||||||
## Secure Digital Signatures
|
## Secure Digital Signatures
|
||||||
|
|
||||||
The definition is similar to the [secure MAC](./2023-09-21-macs.md#secure-mac-unforgeability). The adversary can perform a **chosen message attack**, but cannot create an **existential forgery**.
|
The definition is similar to the [secure MAC](../2023-09-21-macs/#secure-mac-unforgeability). The adversary can perform a **chosen message attack**, but cannot create an **existential forgery**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@@ -97,7 +97,7 @@ Any signature scheme can be made strongly binding by appending a collision resis
|
|||||||
|
|
||||||
## Extending the Message Space
|
## Extending the Message Space
|
||||||
|
|
||||||
We can extend the message space of a secure digital signature scheme, [as we did for MACs](./2023-09-28-hash-functions.md#mac-domain-extension). Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$ and let $H : \mc{M}' \ra \mc{M}$ be a hash function with $\left\lvert \mc{M}' \right\lvert \geq \left\lvert \mc{M} \right\lvert$.
|
We can extend the message space of a secure digital signature scheme, [as we did for MACs](../2023-09-28-hash-functions/#mac-domain-extension). Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$ and let $H : \mc{M}' \ra \mc{M}$ be a hash function with $\left\lvert \mc{M}' \right\lvert \geq \left\lvert \mc{M} \right\lvert$.
|
||||||
|
|
||||||
Define a new signature scheme $\mc{S}' = (G, S', V')$ over $(\mc{M}', \Sigma)$ as
|
Define a new signature scheme $\mc{S}' = (G, S', V')$ over $(\mc{M}', \Sigma)$ as
|
||||||
|
|
||||||
@@ -206,7 +206,7 @@ We must check a few things.
|
|||||||
- We can repeat this many times then the probability of reject is $1 - \frac{1}{q^n} \ra 1$.
|
- We can repeat this many times then the probability of reject is $1 - \frac{1}{q^n} \ra 1$.
|
||||||
- Thus $q$ (the size of the challenge space) must be large.
|
- Thus $q$ (the size of the challenge space) must be large.
|
||||||
- **Zero-knowledge**: $V$ learns no information about $x$ from the conversation.
|
- **Zero-knowledge**: $V$ learns no information about $x$ from the conversation.
|
||||||
- This will be revisited later. See [here](./2023-11-07-sigma-protocols.md#the-schnorr-identification-protocol-revisited).
|
- This will be revisited later. See [here](../2023-11-07-sigma-protocols/#the-schnorr-identification-protocol-revisited).
|
||||||
|
|
||||||
> **Theorem.** The Schnorr identification protocol is secure if the DL problem is hard, and the challenge space $\mc{C}$ is large.
|
> **Theorem.** The Schnorr identification protocol is secure if the DL problem is hard, and the challenge space $\mc{C}$ is large.
|
||||||
|
|
||||||
@@ -239,7 +239,7 @@ Schnorr's scheme was protected by a patent, so NIST opted for a ad-hoc signature
|
|||||||
|
|
||||||
How would you trust public keys? We introduce **digital certificates** for this.
|
How would you trust public keys? We introduce **digital certificates** for this.
|
||||||
|
|
||||||
Read in [public key infrastructure (Internet Security)](../internet-security/2023-10-16-pki.md).
|
Read in [public key infrastructure (Internet Security)](../../internet-security/2023-10-16-pki).
|
||||||
|
|
||||||
[^1]: A Graduate Course in Applied Cryptography
|
[^1]: A Graduate Course in Applied Cryptography
|
||||||
[^2]: By using the [Fiat-Shamir transform](./2023-11-07-sigma-protocols.md#the-fiat-shamir-transform).
|
[^2]: By using the [Fiat-Shamir transform](../2023-11-07-sigma-protocols/#the-fiat-shamir-transform).
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ attachment:
|
|||||||
folder: assets/img/posts/lecture-notes/modern-cryptography
|
folder: assets/img/posts/lecture-notes/modern-cryptography
|
||||||
---
|
---
|
||||||
|
|
||||||
The previous [3-coloring example](./2023-11-02-zkp-intro.md#example-3-coloring) certainly works as a zero knowledge proof, but is quite slow, and requires a lot of interaction. There are efficient protocols for interactive proofs, we will study sigma protocols.
|
The previous [3-coloring example](../2023-11-02-zkp-intro/#example-3-coloring) certainly works as a zero knowledge proof, but is quite slow, and requires a lot of interaction. There are efficient protocols for interactive proofs, we will study sigma protocols.
|
||||||
|
|
||||||
## Sigma Protocols
|
## Sigma Protocols
|
||||||
|
|
||||||
@@ -105,7 +105,7 @@ Also note that **the simulator is free to generate the messages in any convenien
|
|||||||
|
|
||||||
## The Schnorr Identification Protocol Revisited
|
## The Schnorr Identification Protocol Revisited
|
||||||
|
|
||||||
The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](./2023-10-26-digital-signatures.md#the-schnorr-identification-protocol) for the full description.
|
The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](../2023-10-26-digital-signatures/#the-schnorr-identification-protocol) for the full description.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@@ -425,7 +425,7 @@ Omitted. Works...
|
|||||||
|
|
||||||
### The Fiat-Shamir Signature Scheme
|
### The Fiat-Shamir Signature Scheme
|
||||||
|
|
||||||
Now we understand why the [Schnorr signature scheme](./2023-10-26-digital-signatures.md#schnorr-digital-signature-scheme) used hash functions. In general, the Fiat-Shamir transform can be used to convert sigma protocols into signature schemes.
|
Now we understand why the [Schnorr signature scheme](../2023-10-26-digital-signatures/#schnorr-digital-signature-scheme) used hash functions. In general, the Fiat-Shamir transform can be used to convert sigma protocols into signature schemes.
|
||||||
|
|
||||||
We need $3$ building blocks.
|
We need $3$ building blocks.
|
||||||
|
|
||||||
@@ -450,7 +450,7 @@ If an adversary can come up with a forgery, then the underlying sigma protocol i
|
|||||||
|
|
||||||
$n$ voters are casting a vote, either $0$ or $1$. At the end, all voters learn the sum of the votes, but we want to keep the votes secret for each party.
|
$n$ voters are casting a vote, either $0$ or $1$. At the end, all voters learn the sum of the votes, but we want to keep the votes secret for each party.
|
||||||
|
|
||||||
We can use the [multiplicative ElGamal encryption](./2023-10-19-public-key-encryption.md#the-elgamal-encryption) scheme in this case. Assume that a trusted vote tallying center generates a key pair, keeps $sk = \alpha$ to itself and publishes $pk = g^\alpha$.
|
We can use the [multiplicative ElGamal encryption](../2023-10-19-public-key-encryption/#the-elgamal-encryption) scheme in this case. Assume that a trusted vote tallying center generates a key pair, keeps $sk = \alpha$ to itself and publishes $pk = g^\alpha$.
|
||||||
|
|
||||||
Each voter encrypts the vote $b_i$ and the ciphertext is
|
Each voter encrypts the vote $b_i$ and the ciphertext is
|
||||||
|
|
||||||
@@ -468,7 +468,7 @@ where $\beta^{\ast} = \sum_{i=1}^n \beta_i$ and $b^{\ast} = \sum_{i=1}^n b_i$. N
|
|||||||
|
|
||||||
Since the ElGamal scheme is semantically secure, the protocol is also secure if all voters follow the protocol. But a dishonest voter can encrypt $b_i = -100$ or some arbitrary value.
|
Since the ElGamal scheme is semantically secure, the protocol is also secure if all voters follow the protocol. But a dishonest voter can encrypt $b_i = -100$ or some arbitrary value.
|
||||||
|
|
||||||
To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](2023-11-07-sigma-protocols.md#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](2023-11-07-sigma-protocols.md#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs.
|
To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](../2023-11-07-sigma-protocols/#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](../2023-11-07-sigma-protocols/#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs.
|
||||||
|
|
||||||
[^1]: The message flows in a shape that resembles the greek letter $\Sigma$, hence the name *sigma protocol*.
|
[^1]: The message flows in a shape that resembles the greek letter $\Sigma$, hence the name *sigma protocol*.
|
||||||
[^2]: A Graduate Course in Applied Cryptography.
|
[^2]: A Graduate Course in Applied Cryptography.
|
||||||
|
|||||||
@@ -15,7 +15,7 @@ date: 2023-11-14
|
|||||||
github_title: 2023-11-14-garbled-circuits
|
github_title: 2023-11-14-garbled-circuits
|
||||||
---
|
---
|
||||||
|
|
||||||
A simple solution for two party computation would be to use oblivious transfers as noted [here](./2023-11-09-secure-mpc.md#ot-for-computing-14.-secure-multiparty-computation#ot-for-computing-$2$-ary-function-with-finite-domain$-ary-function-with-finite-domain). However, this method is inefficient. We will look at **Yao's protocol**, presented in 1986, for secure two-party computation.
|
A simple solution for two party computation would be to use oblivious transfers as noted [here](../2023-11-09-secure-mpc/#ot-for-computing-14.-secure-multiparty-computation#ot-for-computing-$2$-ary-function-with-finite-domain$-ary-function-with-finite-domain). However, this method is inefficient. We will look at **Yao's protocol**, presented in 1986, for secure two-party computation.
|
||||||
|
|
||||||
The term **garbled circuit** was used by Beaver-Micali-Rogaway (BMR), presenting a multiparty protocol using a similar approach to Yao's protocol.
|
The term **garbled circuit** was used by Beaver-Micali-Rogaway (BMR), presenting a multiparty protocol using a similar approach to Yao's protocol.
|
||||||
|
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ attachment:
|
|||||||
folder: assets/img/posts/lecture-notes/modern-cryptography
|
folder: assets/img/posts/lecture-notes/modern-cryptography
|
||||||
---
|
---
|
||||||
|
|
||||||
There are two types of MPC protocols, **generic** and **specific**. Generic protocols can compute arbitrary functions. [Garbled circuits](./2023-11-14-garbled-circuits.md#garbled-circuits) were generic protocols, since it can be used to compute any boolean circuits. In contrast, the [summation protocol](./2023-11-09-secure-mpc.md#example-secure-summation) is a specific protocol that can only be used to compute a specific function. Note that generic protocols are not necessarily better, since specific protocols are much more efficient.
|
There are two types of MPC protocols, **generic** and **specific**. Generic protocols can compute arbitrary functions. [Garbled circuits](../2023-11-14-garbled-circuits/#garbled-circuits) were generic protocols, since it can be used to compute any boolean circuits. In contrast, the [summation protocol](../2023-11-09-secure-mpc/#example-secure-summation) is a specific protocol that can only be used to compute a specific function. Note that generic protocols are not necessarily better, since specific protocols are much more efficient.
|
||||||
|
|
||||||
## GMW Protocol
|
## GMW Protocol
|
||||||
|
|
||||||
@@ -193,7 +193,7 @@ Also note that $u_i, v_i$ does not reveal any information about $x_i, y_i$. Esse
|
|||||||
|
|
||||||
**Beaver triples are to be used only once!** If $u_1 = a_1 + x_1$ and $u_1' = a_1' + x_1$, then $u_1 + u_1' = a_1 + a_1'$, revealing information about $a_1 + a_1'$.
|
**Beaver triples are to be used only once!** If $u_1 = a_1 + x_1$ and $u_1' = a_1' + x_1$, then $u_1 + u_1' = a_1 + a_1'$, revealing information about $a_1 + a_1'$.
|
||||||
|
|
||||||
Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](2023-11-16-gmw-protocol.md#ot-extension) described below.
|
Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](../2023-11-16-gmw-protocol/#ot-extension) described below.
|
||||||
|
|
||||||
## Comparison of Yao and GMW
|
## Comparison of Yao and GMW
|
||||||
|
|
||||||
@@ -281,7 +281,7 @@ As for the receiver, the values $(x_j^0, x_j^1)$ are masked by a hash function,
|
|||||||
|
|
||||||
The extension technique allows us to run $n$ base OT instances to obtain $m$ OT instances. For each of the $m$ OT transfers, only a few hash operations are required, resulting in very efficient OT.
|
The extension technique allows us to run $n$ base OT instances to obtain $m$ OT instances. For each of the $m$ OT transfers, only a few hash operations are required, resulting in very efficient OT.
|
||||||
|
|
||||||
One may concern that we have to send a lot of information for each of the $n$ OT instances, since we have to send $m$ bit data for each OT. But this of not much concern. For example, if we used [OT based on ElGamal](./2023-11-09-secure-mpc.md#1-out-of-2-ot-construction-from-elgamal-encryption), we can choose primes large enough $> 2^m$ to handle $m$-bit data.
|
One may concern that we have to send a lot of information for each of the $n$ OT instances, since we have to send $m$ bit data for each OT. But this of not much concern. For example, if we used [OT based on ElGamal](../2023-11-09-secure-mpc/#1-out-of-2-ot-construction-from-elgamal-encryption), we can choose primes large enough $> 2^m$ to handle $m$-bit data.
|
||||||
|
|
||||||
Hence, with OT extensions, we can perform millions of OTs efficiently, which can be used especially for computing many Beaver triples during preprocessing.
|
Hence, with OT extensions, we can perform millions of OTs efficiently, which can be used especially for computing many Beaver triples during preprocessing.
|
||||||
|
|
||||||
|
|||||||
@@ -512,7 +512,7 @@ $$
|
|||||||
N^{L+1} \ra N^L \ra \cdots \ra N.
|
N^{L+1} \ra N^L \ra \cdots \ra N.
|
||||||
$$
|
$$
|
||||||
|
|
||||||
When we perform $L$ levels of computation and reach modulus $q_0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](./2023-12-08-bootstrapping-ckks.md#bootstrapping).
|
When we perform $L$ levels of computation and reach modulus $q_0 = N$, we cannot perform any multiplications. We must apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping).
|
||||||
|
|
||||||
Note that without modulus switching, we need $q_L > N^{2^L}$ for $L$ levels of computation, which is very large. Since we want $q$ to be small (for the hardness of the LWE problem), modulus switching is necessary. We now only require $q_L > N^{L+1}$.
|
Note that without modulus switching, we need $q_L > N^{2^L}$ for $L$ levels of computation, which is very large. Since we want $q$ to be small (for the hardness of the LWE problem), modulus switching is necessary. We now only require $q_L > N^{L+1}$.
|
||||||
|
|
||||||
|
|||||||
@@ -117,7 +117,7 @@ Designing an FHE scheme without the circular security assumption is currently an
|
|||||||
|
|
||||||
## CKKS Scheme
|
## CKKS Scheme
|
||||||
|
|
||||||
The [BGV scheme](./2023-11-23-bgv-scheme.md#the-bgv-scheme) operates on $\Z_p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation.
|
The [BGV scheme](../2023-11-23-bgv-scheme/#the-bgv-scheme) operates on $\Z_p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation.
|
||||||
|
|
||||||
### Approximate Computation
|
### Approximate Computation
|
||||||
|
|
||||||
@@ -209,7 +209,7 @@ so the decryption results in $\Delta\inv \cdot (\mu + \mu') \approx m + m'$.
|
|||||||
|
|
||||||
### Multiplication in CKKS
|
### Multiplication in CKKS
|
||||||
|
|
||||||
We also use [tensor products](./2023-11-23-bgv-scheme.md#tensor-product), and their properties.
|
We also use [tensor products](../2023-11-23-bgv-scheme/#tensor-product), and their properties.
|
||||||
|
|
||||||
> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then,
|
> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then,
|
||||||
>
|
>
|
||||||
@@ -244,7 +244,7 @@ We have issues with multiplication, as we did in BGV.
|
|||||||
|
|
||||||
### Dimension Reduction
|
### Dimension Reduction
|
||||||
|
|
||||||
The relinearization procedure is almost the same as in [BGV relinearization](./2023-11-23-bgv-scheme.md#relinearization).
|
The relinearization procedure is almost the same as in [BGV relinearization](../2023-11-23-bgv-scheme/#relinearization).
|
||||||
|
|
||||||
For convenience, let $a_{i, j} = a_i a_j'$.
|
For convenience, let $a_{i, j} = a_i a_j'$.
|
||||||
|
|
||||||
@@ -288,7 +288,7 @@ Note that the proof is identical to that of BGV linearization, except for missin
|
|||||||
|
|
||||||
### Scaling Factor Reduction
|
### Scaling Factor Reduction
|
||||||
|
|
||||||
In BGV, we used modulus switching for [noise reduction](./2023-11-23-bgv-scheme.md#noise-reduction). It was for reducing the error and preserving the message. We also use modulus switching here, but for a different purpose. The message can have small numerical errors, we just want to reduce the scaling factor. This operation is called **rescaling**.
|
In BGV, we used modulus switching for [noise reduction](../2023-11-23-bgv-scheme/#noise-reduction). It was for reducing the error and preserving the message. We also use modulus switching here, but for a different purpose. The message can have small numerical errors, we just want to reduce the scaling factor. This operation is called **rescaling**.
|
||||||
|
|
||||||
Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ such that $b + \span{\bf{a}, \bf{s}} = \mu \pmod q$ and $\mu \approx \Delta^2 \cdot m$, we want to generate a new ciphertext of $m' \approx m$ that has a scaling factor reduced to $\Delta$. This can be done by dividing the ciphertext by $\Delta$ and then rounding it appropriately.
|
Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ such that $b + \span{\bf{a}, \bf{s}} = \mu \pmod q$ and $\mu \approx \Delta^2 \cdot m$, we want to generate a new ciphertext of $m' \approx m$ that has a scaling factor reduced to $\Delta$. This can be done by dividing the ciphertext by $\Delta$ and then rounding it appropriately.
|
||||||
|
|
||||||
@@ -330,7 +330,7 @@ $$
|
|||||||
\Delta^{L+1} \ra \Delta^L \ra \cdots \ra \Delta.
|
\Delta^{L+1} \ra \Delta^L \ra \cdots \ra \Delta.
|
||||||
$$
|
$$
|
||||||
|
|
||||||
When we reach $q_0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](2023-12-08-bootstrapping-ckks.md#bootstrapping) here.
|
When we reach $q_0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping) here.
|
||||||
|
|
||||||
### Multiplication in CKKS (Summary)
|
### Multiplication in CKKS (Summary)
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user