Cryptographic protocols 2015, Lecture 1 Introduction


Cryptographic protocols 2015, Lecture 1: Introduction. Helger Lipmaa, University of Tartu, Estonia

Short syllabus
- Protocol: any computation that includes more than one participant
- Cryptographic protocol: protocol that must work even if the parties do not trust each other
- Examples: e-voting, privacy-preserving data mining (Sharemind @Cybernetica), e-cash (Bitcoin, ...), ..., TLS, ...

Short syllabus
- Mantra: each cryptographic protocol must be designed with a security-first approach
- For this one needs to understand: what security is; how to construct secure protocols; how to construct secure and efficient protocols
- Very much depends on the application, but there are clear principles on security and a lot of ongoing research on efficiency

Goal of the course
- Basic understanding of cryptographic protocol design: general principles, and many concrete examples
- Basic understanding of how to check the security of existing protocols, and maybe design something new
- Remember the mantra: security first. Hence definitions of security are very important

History of the course
- Started to teach in 2011
- MSc level course, each autumn (up to now)
- 15-16 lectures
- Each year something new: there are changes
- My own active research area!

This time
- Plan to give 16 lectures (2014 was 14 lectures)
- I will use corrected/improved slides from 2014
- Two new lectures: garbled circuits, multi-party computation

This time
- Practice sessions given by Prastudy Fauzi (free hands)
- Grade: 50% exam, 50% homeworks
- Homeworks: coding + theory (constructing, attacking protocols, proving security)
- Exam: theory

Lecture 1: introduction

Protocol
- Easy if both are honest!
- [Figure: Alice with input a and Bob with input b run the protocol; Alice outputs A(a,b) and Bob outputs B(a,b)]

Protocol
- "I do not trust Bob!" "I do not trust Alice!"
- [Figure: the same diagram; inputs a and b, outputs A(a,b) and B(a,b)]

Quiz: what can go wrong?
- Inputs can be leaked
- Outputs can be wrong
- [Figure: the same diagram]

Protocol in "ideal world"
- Trusted third party: bank, president, police, ...
- [Figure: Alice sends a and Bob sends b to the trusted third party, who returns A(a,b) to Alice and B(a,b) to Bob]

Protocol in "real world"
- [Figure: no trusted third party; Alice and Bob exchange messages M₁(a), M₂(b, M₁), ..., Mᵣ(a, M₁, ..., Mᵣ₋₁) and output A(a,b) and B(a,b)]
- Goal: security should be the same as (similar to) what can be achieved in the ideal world

Example: CPIR
- "information retrieval"
- [Figure: Bob holds a database f = (f₁, ..., fn), fᵢ ∈ {0, 1}ᴸ; Alice holds an index x ∈ {1, ..., n}; Alice sends x, Bob replies with fₓ, and Alice outputs fₓ]

CPIR without privacy
- Computation: Alice and Bob perform none
- Communication: Alice sends log n bits, Bob sends L bits
- Messages: 1 by Alice, 1 by Bob

Example: CPIR
- Computationally-private information retrieval: ideal model
- [Figure: f = (f₁, ..., fn), fᵢ ∈ {0, 1}ᴸ, x ∈ {1, ..., n}; Alice sends x and Bob sends f to the trusted third party, who returns fₓ to Alice]

CPIR: ideal model
- Computation: Alice, Bob, TTP perform none
- Communication: Alice sends log n bits, Bob sends Ln bits, TTP sends L bits
- Messages: 1 by Alice, 1 by Bob, 1 by TTP
- Exponential blowup from log n (in Bob's communication)

Why real CPIR is hard
- Bob should get no information about the index x
- Hence: Bob should do an "equal amount of computation" with each fᵢ
- So at least n (potentially complicated) computational steps
- Non-cryptographic protocol: no computation, and communication ≈ log n bits
- Ideal model: no computation, communication ≈ Ln bits
- "Computational blow-up" from "no" to n
- Computational blowup matters: many databases have n ≥ 2³² (4 GB)
- There exist "real" CPIR protocols with almost optimal communication log n + L + "small"

CPIR: hardness
- For a long time it was conjectured that n "complicated" operations is the actual lower bound
- [Lipmaa 2009]: not exactly
- Bob can do n "cheap" operations off-line (before the protocol starts)
- "On-line" work is ≈ n / log n "complicated" operations, and even less if the database is well-structured

How is security achieved?
- "Map" every function F computed by Alice/Bob to a cryptographically secure version
- Takes a long, long time to research every possible F!
- Easier to do when we consider F as consisting of simple constituent parts and handle the parts separately

Arithmetic circuits
- Standard computation model
- Inputs are variables or constants
- Every node multiplies or adds its inputs
- Output of circuit: top value
- We consider arithmetic modulo some large prime q; otherwise the top element can grow too long
- [Figure: example circuit with inputs y, z and constant 2, built from + and · gates]

Arithmetic circuits
- A gate implements a function f: ℤq² → ℤq
- A circuit implements a function C: ℤqⁿ → ℤq
- [Figure: the same example circuit]

Arithmetic circuits
- Fix values of input gates
- Each wire w obtains recursively a value V[w] ∈ ℤq
- Circuit outputs the value of the output wire V[output]
- [Figure: the example circuit evaluated bottom-up with y = 3, z = 2: the input wires take values 2 (the constant), 3, 2; the three lowest gates evaluate to 6, 5, 4; the next two gates to 10 and 30; the output gate to 40]
- Let wᵢ(m) be the value of wᵢ, given input assignment m
- Thus for m = (3, 2), C(m) = 40
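An added example (not code from the lecture) of evaluating an arithmetic circuit wire by wire in ℤq. The slide only shows the circuit as a picture, so the gate list below is a constructed circuit chosen to reproduce the slide's wire values (6, 5, 4; 10, 30; 40) for m = (y, z) = (3, 2); the prime q = 2⁶¹ - 1 is likewise an assumed choice.

```python
# Added example, not from the slides: an arithmetic-circuit evaluator over Z_q.
# CIRCUIT is a constructed circuit whose wiring reproduces the slide's values
# for y = 3, z = 2; the real slide circuit is only given as a picture.
Q = 2**61 - 1  # an assumed "large prime q"

# Gate kinds: ("const", c) | ("input", name) | ("add", i, j) | ("mul", i, j),
# where i, j index earlier gates (the list is in topological order).
CIRCUIT = [
    ("const", 2),      # w0 = 2
    ("input", "y"),    # w1 = y
    ("input", "z"),    # w2 = z
    ("mul", 0, 1),     # w3 = 2 * y
    ("add", 1, 2),     # w4 = y + z
    ("add", 2, 0),     # w5 = z + 2
    ("add", 3, 5),     # w6 = w3 + w5
    ("mul", 3, 4),     # w7 = w3 * w4
    ("add", 6, 7),     # w8 = w6 + w7, the output wire
]

def evaluate(circuit, m, q=Q):
    """Return the list V of wire values V[w] in Z_q; the last entry is V[output]."""
    V = []
    for gate in circuit:
        kind = gate[0]
        if kind == "const":
            V.append(gate[1] % q)
        elif kind == "input":
            V.append(m[gate[1]] % q)
        elif kind == "add":
            V.append((V[gate[1]] + V[gate[2]]) % q)
        elif kind == "mul":
            V.append((V[gate[1]] * V[gate[2]]) % q)
        else:
            raise ValueError(f"unknown gate kind {kind!r}")
    return V

def C(m, q=Q):
    """The function C: Z_q^n -> Z_q implemented by CIRCUIT."""
    return evaluate(CIRCUIT, m, q)[-1]

if __name__ == "__main__":
    print(evaluate(CIRCUIT, {"y": 3, "z": 2}))  # [2, 3, 2, 6, 5, 4, 10, 30, 40]
    print(C({"y": 3, "z": 2}))                   # 40
    # Reducing mod q keeps every wire inside Z_q however deep the circuit is.
    print(C({"y": 3, "z": 2}, q=7))              # 40 mod 7 = 5
```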

Universality of arithmetic circuits
- Fact: everything useful can be computed by arithmetic circuits
- In particular, it can be computed efficiently

Achieving security
- We need to map F to a cryptographic version
- First, we decompose F as an arithmetic circuit ... and then map · and + to "cryptographic" versions ⊙ and ⊕
- One also usually needs to "decode" the answer of the cryptographic version
- For the original circuit C, let Enc(C) be the cryptographic version, and let Dec be the decoder, s.t. Dec(Enc(C)(m)) = C(m)
- Will explain later (the mapping depends a lot on the concrete situation!)

Sensible mappings
- It'd be nice if this mapping "made sense"
- In particular: D₁(m) = D₂(m) iff Dec(Enc(D₁)(m)) = Dec(Enc(D₂)(m))
- Example: (a + b) · c = a · c + b · c
- Thus we need (a ⊕ b) ⊙ c = (a ⊙ c) ⊕ (b ⊙ c)
- I.e., the crypto protocol returns the same value, independently of how we compute the function
- For simplicity, assume Dec(x) = x
- Quiz: which other relations have to be satisfied?

Welcome to algebra
- Both ℤ and ℤq, for prime q, are rings
- Ring: a set with well-defined operations + and · that satisfy certain requirements
- Thus also the encoded values with ⊕ and ⊙ have to be members of (another) ring
- For those who do not remember (or never knew), we will now explain some simple algebra

Group
- A group G is a set with an operation · that satisfies:
- (associativity) for each a, b, c ∈ G, (a · b) · c = a · (b · c)
- (existence of unit element) there exists 1 ∈ G such that for each a ∈ G, 1 · a = a · 1 = a
- (existence of inverse) for each a ∈ G, there exists a⁻¹ ∈ G such that a · a⁻¹ = a⁻¹ · a = 1

Examples
- (ℤ, +) // unit element = 0, inverse element of a = -a
- (ℤn, +), n integer
- (ℤ × ℤ = {(a, b): a, b ∈ ℤ}, +), (a, b) + (c, d) = (a + c, b + d)

Quiz
- Recall: ℤn = {0, ..., n - 1}
- Quiz: is ℤn a group w.r.t. ·?
- Answer: no. 0 is never invertible, since 0 · a = 0 ≠ 1

Example about ℤn
- Consider ℤ₄ = {0, 1, 2, 3}
- For example, 1 · 1 = 1, 3 · 3 = 9 ≡ 1 (mod 4)
- Thus 1 and 3 are invertible, but 0 and 2 are not
- This means ℤ₄* := {1, 3} consists of the invertible elements
- ℤ₄* ⊂ ℤ₄, and ℤ₄* is a group w.r.t. ·

Reminder: gcd (greatest common divisor)
- For positive integers a, b, and c, gcd(a, b) = c iff (c divides both a and b) c | a, c | b, and (it is the greatest to do so) if d | a and d | b then d ≤ c
- Example: gcd(9, 6) = 3
- a and b are coprime iff gcd(a, b) = 1. Example: gcd(4, 7) = 1
- a is prime iff gcd(a, b) = 1 for each positive integer b ≠ a
- gcd can be computed by using the Euclidean algorithm

More about ℤn
- Recall ℤ₄* = {1, 3}. Thus ℤ₄* = {a ∈ ℤ₄: gcd(a, 4) = 1}
- Lemma. In general, ℤn* = {a ∈ ℤn: gcd(a, n) = 1} is the set of invertible elements modulo n
- Proof: Let b = gcd(a, n). If b = 1, then one can use the Extended Euclidean Algorithm to find integers c and k such that ca + kn = 1, and thus ca ≡ 1 (mod n)
- If b ≠ 1 then a = a₁b and n = n₁b for some integers a₁ and n₁. For any c, ca ≡ ca₁b (mod n₁b) and thus ca = ca₁b + kn₁b = b(ca₁ + kn₁) for some integer k. But then b | ca. Since b does not divide 1, ca ≠ 1
- (Proof not explained in the lecture, but try to grok)

Additive/multiplicative notation
- We established that (ℤq, +) is a group and (ℤq*, ·) is a group
- Unless we work with integer / rational / real / complex numbers, it does not matter how we denote the group operations, but there are some well-established conventions
- Additive notation: group operation +, unit element 0, and the inverse element of a is -a
- Multiplicative notation: group operation ·, unit element 1, and the inverse element of a is a⁻¹

Last words about ℤn
- Euler's totient function: φ(n) := |ℤn*|
- For example φ(4) = 2
- For prime q, φ(q) = q - 1
- Fact. If p and q are primes, then φ(pq) = (p - 1)(q - 1)
- A lot of "classical" crypto is done in ℤn, so the given facts are very useful
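An added example (not code from the lecture) that makes the ℤn* lemma, the Extended Euclidean Algorithm and Euler's totient concrete: it computes ℤn* directly from the definition (elements with a multiplicative inverse), compares it with {a : gcd(a, n) = 1}, finds inverses via the ca + kn = 1 identity from the proof, and checks φ(4) = 2 and φ(pq) = (p - 1)(q - 1) on small constructed values.

```python
# Added example, not from the slides: Z_n*, the Extended Euclidean Algorithm and phi(n).
from math import gcd

def egcd(a, b):
    """Extended Euclidean algorithm: return (g, c, k) with g = gcd(a, b) = c*a + k*b."""
    c0, k0, c1, k1 = 1, 0, 0, 1          # invariant: c0*a0 + k0*b0 = a, c1*a0 + k1*b0 = b
    while b:
        quot, a, b = a // b, b, a % b
        c0, c1 = c1, c0 - quot * c1
        k0, k1 = k1, k0 - quot * k1
    return a, c0, k0

def inverse_mod(a, n):
    """c with c*a = 1 (mod n) from ca + kn = 1, or None when gcd(a, n) != 1."""
    g, c, _ = egcd(a % n, n)
    return c % n if g == 1 else None

def units(n):
    """Z_n* by definition: elements of Z_n that have a multiplicative inverse mod n."""
    return {a for a in range(n) if any((a * b) % n == 1 for b in range(n))}

def coprimes(n):
    """The set {a in Z_n : gcd(a, n) = 1} from the lemma."""
    return {a for a in range(n) if gcd(a, n) == 1}

def phi(n):
    """Euler's totient function phi(n) := |Z_n*|."""
    return len(coprimes(n))

if __name__ == "__main__":
    print(units(4), coprimes(4))        # {1, 3} {1, 3}
    print(inverse_mod(3, 4))            # 3, since 3*3 = 9 = 1 (mod 4)
    print(inverse_mod(2, 4))            # None: gcd(2, 4) = 2 divides 2c for every c
    print(all(units(n) == coprimes(n) for n in range(2, 60)))  # the lemma, checked
    print(phi(4), phi(7), phi(3 * 5))   # 2 6 8, and 8 = (3 - 1) * (5 - 1)
```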

Exponentiation
- Let G be a multiplicative group
- Define gˢ := g · g · ... · g (s factors) = exponentiation
- Also g⁰ = 1, and g⁻ˢ = (g⁻¹)ˢ

Facts about groups
- For a group G, its order ord(G) = |G|
- For g ∈ G, let its order ord(g) = smallest positive s ∈ ℤ such that gˢ = 1
- ord(g) is well defined for finite groups: gˢ can take up to |G| different values. If gˢ = gᵗ and s > t then gˢ⁻ᵗ = 1, and thus ord(g) ≤ s - t

Facts about groups
- For g ∈ G, <g> = {h ∈ G: ∃s such that h = gˢ} = {gˢ: s ∈ ℤ}
- <g> is the group generated by g; g is a generator of <g>
- The (smallest) s is the discrete logarithm of h on basis g
- G is cyclic iff for some g ∈ G, G = <g>
- In a cyclic group, every element has a unique discrete logarithm on basis a generator g

Subgroup
- A subset H of G is a subgroup of G iff it is closed with respect to the group operations: 1 ∈ H; for all a ∈ H, a⁻¹ ∈ H; for all a, b ∈ H, ab ∈ H
- Fact. For each g ∈ G, <g> is a subgroup of G

Basic facts about subgroups
- Fact 1 (Lagrange). If H is a subgroup of G, then ord(H) | ord(G). => for each g ∈ G, ord(g) | ord(G).
- Fact 2 (Cauchy). Given a prime q | ord(G), there exists an element g ∈ G of order q.
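An added example (not code from the lecture) that checks the group facts of the last four slides by brute force in the multiplicative group ℤp* for the small constructed prime p = 23, where ord(G) = 22 = 2 · 11: element orders, the generated subgroup <g> with the subgroup closure test, discrete logarithms on basis a generator, Lagrange (ord(g) | 22) and Cauchy (elements of order 2 and 11 exist).

```python
# Added example, not from the slides: orders, <g>, discrete logs, Lagrange and Cauchy
# checked by brute force in Z_23* (p = 23 is a constructed, toy-sized choice).
P = 23
G = list(range(1, P))                    # Z_23* = {1, ..., 22}, ord(G) = 22

def order(g, p=P):
    """ord(g): smallest positive s with g^s = 1; well defined because the group is finite."""
    s, h = 1, g % p
    while h != 1:
        h = (h * g) % p
        s += 1
    return s

def generated(g, p=P):
    """<g> = {g^s : s in Z}; in a finite group the exponents 0 .. ord(g)-1 already cover it."""
    return {pow(g, s, p) for s in range(order(g, p))}

def dlog(h, g, p=P):
    """Discrete logarithm of h on basis g: the smallest s with g^s = h (brute force)."""
    for s in range(order(g, p)):
        if pow(g, s, p) == h:
            return s
    return None                          # h is not in <g>

def is_subgroup(H, p=P):
    """The closure test from the slide: 1 in H, inverses in H, products in H."""
    return (1 in H and all(pow(a, p - 2, p) in H for a in H)   # a^(p-2) = a^-1 (Fermat)
            and all((a * b) % p in H for a in H for b in H))

def generators(p=P):
    """Elements g with <g> = G; Z_p* is cyclic, so there are phi(p - 1) of them."""
    return [g for g in range(1, p) if order(g, p) == p - 1]

def elements_of_order(q, p=P):
    """All g with ord(g) = q; Cauchy promises at least one for each prime q | ord(G)."""
    return [g for g in range(1, p) if order(g, p) == q]

if __name__ == "__main__":
    for g in (1, 2, 5, 22):              # Lagrange: ord(g) divides ord(G) = 22 for every g
        print(g, order(g), 22 % order(g) == 0, is_subgroup(generated(g)))
    print(generators())                  # 10 generators, since phi(22) = 10
    print(dlog(8, 5))                    # 6, since 5^6 = 8 (mod 23)
    print(elements_of_order(2), elements_of_order(11))   # [22] and ten elements
```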

Commutativity
- An Abelian group G is a group that also has the following property: (commutativity) for all a, b ∈ G, ab = ba
- Most groups in crypto are commutative: ℤ, ℤn, ...
- Example of a non-commutative group: the group of permutations of ℤn for n > 2

Abstraction
- In the next lecture, we talk about two possible cryptographically interesting instantiations of groups
- However, after that we just abstract the details away and assume that we have a finite (mostly) cyclic group

Ring
- A ring is a set R with two operations, + and ·, that satisfy the following requirements:
- (R, +) is an (additive) group
- (R, ·) is a monoid: it is associative and has a unit element 1, but not every element is required to have an inverse
- distributivity: a(b + c) = ab + ac, and (a + b)c = ac + bc

Examples of rings
- (ℤ, ·, +)
- (ℤn, ·, +)
- All univariate polynomials f(x) = f₀ + f₁x + ... + fd xᵈ with coefficients from either ℤ or ℤn
- etc, etc
- In all rings we encounter, both · and + are commutative

Crypto in rings/groups
- Crypto in groups is much less useful than in rings
- Basic reason: we can only compute additions (and multiplications with scalars), so we can only implement affine functions / degree-1 polynomials f(x) = ax + b
- However, group-based crypto is much better known, so we mostly talk about this
- ... and it actually allows one to do a lot of things
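An added example (not code from the lecture) that ties the "sensible mapping" slide to this one: values are encoded as Enc(x) = gˣ in a cyclic group, so ⊕ is the group operation and ⊙ is available only when one operand is a public scalar. The distributivity check (a ⊕ b) ⊙ c = (a ⊙ c) ⊕ (b ⊙ c) holds after decoding, and every affine function f(x) = ax + b can be evaluated on encodings, but there is no ⊙ of two encoded values. The prime p = 23 and generator g = 5 are constructed toy parameters, and exponentiation is a plain illustration of the homomorphic idea, not a secure scheme.

```python
# Added example, not from the slides: a toy "cryptographic version" of + and scalar *.
# Enc(x) = g^x in Z_23* with the constructed generator g = 5 (order 22); exponents, and
# therefore the decoded values, live in the ring Z_22.
P, G = 23, 5
N = P - 1                          # order of g, so Enc(x) only depends on x mod N

def enc(x):
    """Enc(x) = g^x mod p."""
    return pow(G, x % N, P)

def dec(c):
    """Dec: the discrete logarithm of c on basis g (brute force, fine for a toy group)."""
    for s in range(N):
        if pow(G, s, P) == c:
            return s
    raise ValueError("value is not in <g>")

def oplus(c1, c2):
    """Encoded addition: g^a * g^b = g^(a + b)."""
    return (c1 * c2) % P

def scalar(c, k):
    """Encoded multiplication by a public scalar k: (g^a)^k = g^(k * a)."""
    return pow(c, k, P)

def sensible(a, b, c):
    """(a (+) b) (*) c == (a (*) c) (+) (b (*) c) after decoding, as the slide requires."""
    left = scalar(oplus(enc(a), enc(b)), c)
    right = oplus(scalar(enc(a), c), scalar(enc(b), c))
    return dec(left) == dec(right) == ((a + b) * c) % N

def affine(a, x, b):
    """f(x) = a x + b computed on Enc(x) only; a and b are public scalars/constants."""
    return dec(oplus(scalar(enc(x), a), enc(b)))

if __name__ == "__main__":
    print(all(sensible(a, b, c) for a in range(N) for b in range(N) for c in range(N)))
    print(affine(3, 7, 4))         # 3*7 + 4 = 25 = 3 (mod 22)
    # Given only enc(a) and enc(b) there is no operation yielding enc(a * b):
    # that is the "only affine functions" limitation of group-based crypto.
```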

Next lecture
- Assumptions, reductions
- More about exponentiation
- "Good groups" and discrete logarithm