Introduction to Modern Cryptography, Sharif University, Spring 2015. Data and Network Security Lab, Department of Computer Engineering, Sharif University of Technology.

[Slide 1/31] Simulation-based Definitions
Introduction to Modern Cryptography, Sharif University, Spring 2015
Data and Network Security Lab, Department of Computer Engineering, Sharif University of Technology
Author & Instructor: Mohammad Sadeq Dousti

[Slide 2/31] Copyright Notice
- These slides are licensed under Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0.
- Basically, this license allows others to use the slides verbatim, and even to modify them and incorporate them into their own work, as long as:
  1. They credit the original author(s);
  2. Their work is used non-commercially;
  3. They license their work under CC BY-NC-SA 4.0.
- For further information, please consult: sa/4.0/legalcode

[Slide 3/31] Outline
- Simulation-based vs. game-based definitions
  o Semantic security
- Zero-knowledge (ZK) proofs
  o Interactive protocols
  o Interactive proof systems (IPS)
  o ZK proofs

[Slide 4/31] Simulation-based vs. Game-based Definitions

[Slide 5/31] Remember: A slide from the beginning of the course
- Security definitions ("semantics") are usually stated in one of two flavors:
  o Game-based
  o Simulation-based
- Game-based definitions were discussed in the first half of this course.
- We turn to simulation-based definitions in the second half of the course.

[Slide 6/31] Game-based definitions: A template
- The security model describes the abilities of the adversary.
- A game (experiment) is defined based on these abilities.
- The advantage of the adversary in the game is then defined.
- Security definition: the scheme is secure if the advantage of every PPT adversary is negligible.

[Slide 7/31] Example: IND-CPA security for private-key encryption
- Threat model: the adversary can eavesdrop on the encryption of a single message. (Strictly, this single-message setting is indistinguishability in the presence of an eavesdropper; full IND-CPA additionally gives the adversary an encryption oracle. Everything below applies to both.)
- The model lets the adversary narrow the message space to two messages of her choice.
  o The two messages must be of equal length.
  o The length of the message cannot be hidden by a scheme that encrypts messages of arbitrary length.
  o Proof: Exercise 3.2 of [KL14, p. 102].
- The adversary has no knowledge whatsoever about the key.

[Slide 8/31] Example: IND-CPA security for private-key encryption [KL14, p. 54]
- Game: the adversary outputs two equal-length messages m0 and m1; a key is generated and a bit b is chosen uniformly at random; the adversary receives the encryption of m_b under that key and outputs a guess b'. The game outputs 1 iff b' = b.
- Advantage: the probability that the game outputs 1, minus 1/2 (an adversary that guesses at random has advantage 0).
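Added example (not from the slides): the game on this slide, run exactly in Python for an 8-bit XOR cipher. Keys and messages are so small that the adversary's advantage is computed by enumerating every key and both values of b instead of being estimated by sampling. Two key generators are compared: a correct one (a one-time pad over 8 bits) and a constructed faulty one whose top key bit is always zero. The names keygen_otp, keygen_weak, TopBitAdversary, eav_advantage and best_advantage are this example's own, not notation from the course or from [KL14].

```python
from collections import Counter
from fractions import Fraction

MSG_BITS = 8  # fixed message length, so the two chosen messages always have equal length


def keygen_otp():
    """Correct KeyGen: every 8-bit key with equal probability (a one-time pad)."""
    return range(1 << MSG_BITS)


def keygen_weak():
    """Constructed faulty KeyGen: the top key bit is always 0, so the top bit
    of the plaintext shows through Enc."""
    return range(1 << (MSG_BITS - 1))


def enc_xor(k, m):
    """Enc_k(m) = k XOR m."""
    return k ^ m


class TopBitAdversary:
    """A concrete adversary for the game: it picks two equal-length messages
    that differ only in the top bit and guesses b from the top bit of the
    challenge ciphertext."""

    def choose(self):
        return 0x00, 0x80

    def guess(self, c):
        return c >> (MSG_BITS - 1)


def eav_advantage(keyspace, enc, adversary):
    """Exact Pr[game outputs 1] - 1/2.

    The game: the adversary outputs (m0, m1); a key k and a bit b are chosen
    uniformly; the adversary receives enc(k, m_b) and outputs a guess b'; the
    game outputs 1 iff b' == b. Enumerating every (k, b) gives the exact value."""
    m0, m1 = adversary.choose()
    keys = list(keyspace)
    wins = 0
    for b, m in enumerate((m0, m1)):
        for k in keys:
            if adversary.guess(enc(k, m)) == b:
                wins += 1
    return Fraction(wins, 2 * len(keys)) - Fraction(1, 2)


def best_advantage(keyspace, enc, m0, m1):
    """Largest advantage *any* adversary can reach once (m0, m1) is fixed:
    half the statistical distance between Enc_K(m0) and Enc_K(m1), attained by
    guessing the b under which the observed ciphertext is the likelier one."""
    keys = list(keyspace)
    d0 = Counter(enc(k, m0) for k in keys)
    d1 = Counter(enc(k, m1) for k in keys)
    total_variation = sum(
        abs(Fraction(d0[c] - d1[c], len(keys))) for c in set(d0) | set(d1))
    return Fraction(total_variation, 4)


if __name__ == "__main__":
    adv = TopBitAdversary()
    print("OTP, top-bit adversary        :", eav_advantage(keygen_otp(), enc_xor, adv))
    print("weak KeyGen, top-bit adversary:", eav_advantage(keygen_weak(), enc_xor, adv))
    print("weak KeyGen, best for (00, 80):", best_advantage(keygen_weak(), enc_xor, 0x00, 0x80))
    print("weak KeyGen, best for (00, 01):", best_advantage(keygen_weak(), enc_xor, 0x00, 0x01))
```

Against the one-time pad every adversary has advantage exactly 0. Against the faulty generator the top-bit adversary reaches 1/2 for the pair (0x00, 0x80), while the best possible advantage for the pair (0x00, 0x01) is 0: it is the adversary's freedom to choose the two messages that gives the game-based definition its bite.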

[Slide 9/31] Simulation-based definitions: Motivation
- In defining secure encryption, we arrived at the following intuition: a PPT adversary, given the ciphertext, should not learn anything about the plaintext.
- Equivalently: any information about the plaintext that a PPT adversary can extract given the ciphertext can also be extracted without the ciphertext.
- This notion is called "semantic security."
- How do we formalize semantic security? With a simulation-based definition!

[Slide 10/31] Simulation-based definitions: A template
- Two security models are defined:
  o A real model: describes the abilities of the adversary in the real world.
  o An ideal model: describes the abilities of the adversary in a highly idealized world, where the adversary can do almost nothing. Here the scheme is trivially secure.
- A game is defined for each of the two models.
- The advantage of the adversary in each game is defined.
- Security definition: the scheme Π is secure if for every PPT adversary in the real model there exists a PPT adversary in the ideal model whose advantage differs from the real adversary's by at most a negligible amount.
- The ideal-model adversary is often called the simulator, as it must simulate the actions of the real-model adversary in the ideal world.

[Slide 11/31] Example: Semantic security for private-key encryption
- In each game, the advantage of the (real or ideal) adversary is defined as the probability that the game outputs 1.
- Samp(·) models a distribution over the message space.
- h models the adversary's a priori information about m.
- f models any information about m that might leak.

[Slide 12/31] Example: Semantic security for private-key encryption
- A private-key encryption scheme (E, D) is semantically secure in the presence of an eavesdropper if for every PPT (real) adversary there exists a PPT (ideal) adversary such that, for every PPT algorithm Samp, all polynomial-time computable functions f and h, every positive polynomial p and all sufficiently large n, the probability that the real adversary outputs f(m) given the ciphertext and h(m) exceeds the probability that the ideal adversary outputs f(m) given only the length of m and h(m) by less than 1/p(n).
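Added example (not from the slides) of the two games just defined, computed exactly in Python for an 8-bit XOR cipher with a correct key generator and a constructed faulty one (top key bit always zero). Samp is the uniform distribution on 8-bit messages, h(m) is the parity of m and f(m) is its top bit. The ideal adversary is built the way the standard equivalence proof builds it: it uses its own coins as a fresh key, encrypts the all-zero message of length |m|, and runs the real adversary on that ciphertext and h(m). The names real_success, ideal_success, simulator_for, keygen_weak and adversary_topbit are assumptions of this example.

```python
from fractions import Fraction

MSG_BITS = 8  # every message has this length, which the ideal adversary is told


def keygen_otp():
    """Correct KeyGen: uniform 8-bit key (a one-time pad)."""
    return range(1 << MSG_BITS)


def keygen_weak():
    """Constructed faulty KeyGen: top key bit always 0, so Enc leaks the top bit of m."""
    return range(1 << (MSG_BITS - 1))


def enc_xor(k, m):
    """Enc_k(m) = k XOR m."""
    return k ^ m


def samp():
    """Samp: the uniform distribution on 8-bit messages."""
    return range(1 << MSG_BITS)


def h_parity(m):
    """h(m): a priori information handed to both the real and the ideal adversary."""
    return m & 1


def f_topbit(m):
    """f(m): the information about m that the adversary tries to output."""
    return m >> (MSG_BITS - 1)


def real_success(keyspace, enc, adversary):
    """Real game: Pr[ A(Enc_k(m), h(m)) = f(m) ] over m <- Samp, k <- KeyGen (exact)."""
    keys = list(keyspace)
    msgs = list(samp())
    wins = sum(adversary(enc(k, m), h_parity(m)) == f_topbit(m)
               for m in msgs for k in keys)
    return Fraction(wins, len(msgs) * len(keys))


def ideal_success(coinspace, ideal_adversary):
    """Ideal game: Pr[ A'(|m|, h(m)) = f(m) ] over m <- Samp and the coins rho
    of A'. No ciphertext is ever seen, only the message length and h(m)."""
    coins = list(coinspace)
    msgs = list(samp())
    wins = sum(ideal_adversary(MSG_BITS, h_parity(m), rho) == f_topbit(m)
               for m in msgs for rho in coins)
    return Fraction(wins, len(msgs) * len(coins))


def simulator_for(adversary, enc):
    """The ideal adversary of the standard reduction: treat the coins rho as a
    fresh key, encrypt the all-zero message of the given length, and run the
    real adversary on that ciphertext together with h(m)."""
    def ideal_adversary(length, hm, rho):
        zero_message = 0  # 0^length; every message here is MSG_BITS long
        return adversary(enc(rho, zero_message), hm)
    return ideal_adversary


def adversary_topbit(c, hm):
    """Real adversary: outputs the top bit of the ciphertext as its guess of f(m)."""
    return c >> (MSG_BITS - 1)


def gap(keyspace):
    """Real success minus ideal success for adversary_topbit and its simulator,
    when KeyGen is `keyspace` (the simulator's coins are drawn from the same set)."""
    real = real_success(keyspace, enc_xor, adversary_topbit)
    ideal = ideal_success(keyspace, simulator_for(adversary_topbit, enc_xor))
    return real - ideal


if __name__ == "__main__":
    print("one-time pad : real - ideal =", gap(keygen_otp()))
    print("weak KeyGen  : real - ideal =", gap(keygen_weak()))
```

For the one-time pad the real and ideal success probabilities coincide (gap 0), so this simulator is perfect. For the faulty generator the real adversary recovers f(m) every time, while the ideal adversary, seeing only |m| and the parity of m, is right half the time: a gap of 1/2 that no polynomial p can make negligible, so the scheme is not semantically secure.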

[Slide 13/31] Semantic security: How many quantifiers?
- Written succinctly, the definition has 8 quantifiers: for every adversary; there exists a simulator; for every Samp, f, h and p; there exists a threshold N; for every n ≥ N.
- Try to internalize:
  o why each quantifier is needed;
  o why the quantifiers are ordered as above.

[Slide 14/31] A bit more explanation
- Semantic security was the first definition proposed for secure encryption.
  o This is natural, as semantic security closely mimics Shannon's perfect secrecy, but with respect to PPT adversaries.
- In general, simulation-based definitions are considerably stronger than game-based ones.
  o Therefore, any semantically secure encryption scheme is IND-CPA as well.
- Secure encryption, however, is an exception to this strict hierarchy.
  o It is proven that any IND-CPA encryption scheme is semantically secure, too [KL14], so for encryption the two definitions are equivalent.
- When working with secure encryption:
  o Semantic security is the more natural description of the goal.
  o IND-CPA is easier to work with in proofs and reductions.

[Slide 15/31] Zero-Knowledge (ZK)

[Slide 16/31] The idea behind ZK
- In many cryptographic situations it is desirable to prove a fact without revealing any further knowledge.
- Example:
  o In some cryptographic protocol, party P must choose a random Blum integer n (a product of two distinct primes, each congruent to 3 mod 4), yet keep the factors of n secret.
  o The other party V is unsure whether P acted honestly.
  o P should prove to V that n is indeed a Blum integer, without revealing any knowledge about the factors of n.
  o A zero-knowledge proof is the solution!
- ZK was invented by Goldwasser, Micali, and Rackoff (GMR).
- The ZK definition is simulation-based.

[Slide 17/31] A word on the notion of proofs
- GMR generalized the notion of a proof.
- Classically, a proof is the same thing as an NP witness.
  o To prove a statement, you supply a short witness that can be verified in time polynomial in the size of the statement.
- GMR proofs differ from classical proofs in two respects:
  o Interactivity: the prover (P) and the verifier (V) interact for a number of rounds.
  o Probabilism: both parties may toss coins. At the end of the interaction the verifier should be convinced with high probability (recall completeness and soundness).
- Both interactivity and probabilism are crucial for ZK.

[Slide 18/31] GMR model for ZK
- GMR introduced the notion of interactive Turing machines (ITMs).
- An ITM is a probabilistic Turing machine endowed with one read-only (RO) and one write-only (WO) communication tape.
- An interactive protocol is a pair of ITMs, coupled as follows:
  o The ITMs share the input tape. Moreover, the RO communication tape of one ITM is the WO communication tape of the other, and vice versa.
  o The ITMs take turns computing.
  o A turn ends when the active machine writes a message on its WO tape.
  o If one ITM halts, the other ITM is activated for a last turn.

[Slide 19/31] A pair of ITMs
Figure: P and V side by side. Each has its own random tape (read) and work tape (read/write); both read the common input tape; the WO communication tape of P is the RO communication tape of V, and the WO tape of V is the RO tape of P.

[Slide 20/31] Notation
- Prover P has unlimited computational power.
- Verifier V is PPT.
- The common input is x ∈ {0,1}*.
- P intends to prove to V that x belongs to some language L.
- At the end of the interaction, V halts in either an accepting or a rejecting state.
  o {V, P}(x) = 1 if V accepts.
  o {V, P}(x) = 0 if V rejects.

[Slide 21/31] Interactive proofs

[Slide 22/31] Example: Graph isomorphism
- Two graphs G0 and G1 are isomorphic if some permutation of the vertices of G0 turns it into G1.
- No PPT algorithm is known to decide whether two graphs are isomorphic.
- Figure: two drawings of isomorphic graphs with the isomorphism marked [Wikipedia, user Chris Martin].

[Slide 23/31] Interactive proof for graph isomorphism

[Slide 24/31] ZK: Informal definition
- Informally, an interactive protocol (V, P)(x) is ZK for x ∈ L if anything that any verifier V* sees during the protocol can be computed without the help of P.
- Whatever V* sees during the protocol is called the view of V*:
  o the common input x;
  o the random tape of V* (r);
  o the RO communication tape of V* (the incoming messages from P).
- The view of V* is a random variable (over the coins of P and V*) that depends on x.

[Slide 25/31] ZK: Real and ideal models
- The real world is modeled as a pair of ITMs (P, V*) with access to the common input x.
- The ideal world is modeled by a probabilistic (expected) polynomial-time algorithm S (the simulator) with access to the common input x.
  o S cannot interact with P.
- As simple as that!
  o The models are so simple that they are usually folded directly into the security definition of ZK.

[Slide 26/31] ZK: Real and ideal games
- In each game a distinguisher D is given either the view of V* (real game) or the output of S (ideal game); the advantage in each game is the probability that D outputs 1.
- An interactive protocol (P, V) is ZK on L if for every PPT adversary V* there exists a probabilistic (expected) polynomial-time algorithm S such that, for every PPT distinguisher D, every positive polynomial q and all sufficiently long x ∈ L, the two advantages differ by less than 1/q(|x|).
- Like other simulation-based definitions, S may depend on the adversary V*.

[Slide 27/31] Simulating the IPS for GI
- The view of V* consists of:
  o the common input x = (G0, G1);
  o a random tape (r);
  o the messages received from the prover: (H, f) or (H, ⊥).
- How can the simulator succeed?!
  o The simulator may depend on V*.
  o It can run the code of V* internally (as a subroutine).
  o It can rewind V* and re-run it on various inputs.

[Slide 28/31] Simulating the IPS for GI (Cont'd)
Assignment:
  (1) Prove that S runs in expected polynomial time.
  (2) Prove that the output of S and the view of V* are identically distributed.
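The protocol of slide 23 and the simulator of slides 27 and 28 survive in the transcript only as their titles and the shape of the view. The following Python is an added example (not the slides' code) of the standard GMR proof for graph isomorphism and of its rewinding simulator. Graphs on vertices 0..n-1 are frozensets of 2-element frozensets; a permutation pi is a tuple with pi[v] the image of vertex v. A verifier is modelled as a function of (H, r), where r is its random tape, so the simulator can rewind it simply by calling it again with the same r. The instance G0, G1, STAR is constructed, adaptive_verifier is a constructed V* whose challenge depends on H, and all names are this example's own.

```python
import random


def edge(u, v):
    return frozenset((u, v))

def apply_perm(pi, graph):
    """pi(G): relabel every vertex v of G as pi[v]."""
    return frozenset(frozenset(pi[v] for v in e) for e in graph)

def random_perm(n, rng):
    pi = list(range(n))
    rng.shuffle(pi)
    return tuple(pi)

def compose(pi, sigma):
    """pi o sigma: v -> pi[sigma[v]]."""
    return tuple(pi[sigma[v]] for v in range(len(pi)))

class Prover:
    """Honest P: knows the witness pi with G1 == pi(G0)."""
    def __init__(self, n, g0, g1, pi, rng):
        assert apply_perm(pi, g0) == g1
        self.n, self.g0, self.g1, self.pi, self.rng = n, g0, g1, pi, rng

    def commit(self):
        # Message 1: H = sigma(G1) for a fresh uniform sigma.
        self.sigma = random_perm(self.n, self.rng)
        return apply_perm(self.sigma, self.g1)

    def respond(self, b):
        # Message 3: an f with H == f(G_b).  As H = sigma(pi(G0)),
        # f = sigma for b == 1 and f = sigma o pi for b == 0.
        if b == 1:
            return self.sigma
        if b == 0:
            return compose(self.sigma, self.pi)
        return None  # malformed challenge from V*: answer with ⊥

class CheatingProver(Prover):
    """P* without a witness (G0, G1 need not be isomorphic): it can only
    open H as a copy of G0, so it is caught whenever V asks for b == 1."""
    def __init__(self, n, g0, g1, rng):
        self.n, self.g0, self.g1, self.rng = n, g0, g1, rng

    def commit(self):
        self.sigma = random_perm(self.n, self.rng)
        return apply_perm(self.sigma, self.g0)

    def respond(self, b):
        return self.sigma if b == 0 else None

def honest_verifier(h, r):
    """V's challenge is a bit of its random tape r; H is ignored."""
    return r & 1

def adaptive_verifier(h, r):
    """Constructed V*: the challenge depends on H (its edge count) and on r."""
    return (len(h) + r) & 1

def accepts(g0, g1, h, b, f):
    return f is not None and apply_perm(f, (g0, g1)[b]) == h

def run_protocol(prover, verifier, g0, g1, rounds, rng):
    """Sequential executions; returns (all accepted?, views). A view is
    (r, H, f): V's random tape plus the two messages received from P."""
    views, all_ok = [], True
    for _ in range(rounds):
        r = rng.getrandbits(32)  # V's random tape for this execution
        h = prover.commit()
        b = verifier(h, r)
        f = prover.respond(b)
        all_ok = all_ok and accepts(g0, g1, h, b, f)
        views.append((r, h, f))
    return all_ok, views

def simulate(n, g0, g1, verifier, rng):
    """Simulator S for V*: a view built with no prover and no witness.
    Guess b', send H = f(G_b') for uniform f, run V*'s code on (H, r); on a
    wrong guess rewind (same r) and retry, so 2 tries are expected.  Since
    G0 and G1 are isomorphic, H is uniform over their isomorphism class
    whatever b' is, exactly like the real prover's H."""
    r = rng.getrandbits(32)  # V*'s random tape, fixed once and reused
    tries = 0
    while True:
        tries += 1
        b_guess = rng.randrange(2)
        f = random_perm(n, rng)
        h = apply_perm(f, (g0, g1)[b_guess])
        b = verifier(h, r)
        if b not in (0, 1):  # V* sends garbage: the real P would answer ⊥
            return (r, h, None), tries
        if b == b_guess:
            return (r, h, f), tries

# Constructed instance: G1 is the path 0-1-2-3 relabelled by PI; STAR has a
# different degree sequence, so it is not isomorphic to the path.
G0 = frozenset({edge(0, 1), edge(1, 2), edge(2, 3)})
PI = (2, 0, 3, 1)
G1 = apply_perm(PI, G0)
STAR = frozenset({edge(0, 1), edge(0, 2), edge(0, 3)})

def demo(seed=2015):
    """Completeness, soundness and simulation on the instance above."""
    rng = random.Random(seed)
    honest_ok, _ = run_protocol(Prover(4, G0, G1, PI, rng), adaptive_verifier, G0, G1, 20, rng)
    cheat_ok, _ = run_protocol(CheatingProver(4, G0, STAR, rng), honest_verifier, G0, STAR, 40, rng)
    (r, h, f), tries = simulate(4, G0, G1, adaptive_verifier, rng)
    return {"honest_accepted": honest_ok, "cheater_accepted": cheat_ok,
            "simulated_view_accepted": accepts(G0, G1, h, adaptive_verifier(h, r), f),
            "simulator_tries": tries}

if __name__ == "__main__":
    print(demo())
```

The honest prover is always accepted; the cheating prover on the non-isomorphic pair survives a round only when the challenge happens to be 0, so 40 rounds reject it with overwhelming probability; and the simulator, which never touches PI, produces a view that V* itself would accept. The two assignment items correspond to the two comments in simulate: each try succeeds with probability 1/2 independently of V*'s behaviour (expected polynomial time), and the simulated (H, f) has the same distribution as the real one because f is a uniform isomorphism whichever graph it is applied to.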

[Slide 29/31] Two theorems
- THEOREM 1: Anything provable can be proven in zero-knowledge (assuming one-way functions exist).
  o In other words, every IPS can be rewritten as an IPS with the ZK property.
  o In particular, any NP statement has a ZK proof.
- THEOREM 2: Interaction and randomness are essential for ZK proofs of non-trivial languages, i.e. languages outside BPP [GO94, GK96].
  o However, non-interactive ZK (NIZK) becomes possible if the model is changed, e.g. by giving both parties a common random string [FLS99].

[Slide 30/31] Some observations

[Slide 31/31] References
- [FLS99] U. Feige, D. Lapidot, and A. Shamir. Multiple Noninteractive Zero Knowledge Proofs Under General Assumptions. SIAM J. Comput., 1999.
- [GK96] O. Goldreich and H. Krawczyk. On the Composition of Zero-Knowledge Proof Systems. SIAM J. Comput., 1996.
- [GO94] O. Goldreich and Y. Oren. Definitions and Properties of Zero-Knowledge Proof Systems. J. Cryptology, 1994.
- [Gol01] O. Goldreich. Foundations of Cryptography, Volume 1: Basic Tools. Cambridge University Press, 2001.
- [Gol04] O. Goldreich. Foundations of Cryptography, Volume 2: Basic Applications. Cambridge University Press, 2004.
- [KL14] J. Katz and Y. Lindell. Introduction to Modern Cryptography: Principles and Protocols, 2nd Edition. CRC Press, 2014.