Cryptographic protocols 2015, Lecture 1 Introduction


1 Cryptographic protocols 2015, Lecture 1 Introduction
Helger Lipmaa University of Tartu, Estonia

2 Short syllabus
Protocol: any computation that includes more than one participant
Cryptographic protocol: protocol that must work even if the parties do not trust each other
Examples: e-voting, privacy-preserving data mining, e-cash (Bitcoin, ...), TLS, ...

3 Short syllabus
Mantra: each cryptographic protocol must be designed with a security-first approach
For this one needs to understand: what security is; how to construct secure protocols; how to construct secure and efficient protocols
Very much depends on the application, but there are clear principles on security and a lot of ongoing research on efficiency

4 Goal of the course
Basic understanding of cryptographic protocol design: general principles, and many concrete examples
Basic understanding of how to check the security of existing protocols, and maybe design something new
Remember the mantra: security first. Hence definitions of security are very important

5 History of the course
Started to teach in 2011
MSc level course, each autumn (up to now)
15-16 lectures
Each year something new: there are changes, since this is my own active research area!

6 This time
Plan to give 16 lectures (2014 was 14 lectures)
I will use corrected/improved slides from 2014
Two new lectures: garbled circuits, multi-party computation

7 This time
Practice sessions given by Prastudy Fauzi (free hands)
Grade: 50% exam, 50% homeworks
Homeworks: coding + theory (constructing protocols, attacking protocols, proving security)
Exam: theory

8 Lecture 1: introduction

9 Protocol
[Diagram: Alice holds input a, Bob holds input b; they run a protocol; Alice outputs A(a,b), Bob outputs B(a,b)]
Easy if both are honest!

10 Protocol
[Same diagram: inputs a, b; outputs A(a,b), B(a,b)]
Alice: "I do not trust Bob!" Bob: "I do not trust Alice!"

11 Quiz: what can go wrong?
[Same diagram: inputs a, b; outputs A(a,b), B(a,b)]
Inputs can be leaked
Outputs can be wrong

12 Protocol in the "ideal world"
[Diagram: Alice sends a and Bob sends b to a trusted third party (a bank, the president, the police, ...); the trusted third party returns A(a,b) to Alice and B(a,b) to Bob]

13 Protocol in the "real world"
[Diagram: no trusted third party; Alice (input a) and Bob (input b) exchange messages M₁(a), M₂(b, M₁), ..., Mr(a, M₁, ..., Mr-1), and then output A(a,b) and B(a,b)]
Goal: security should be the same as (or similar to) what can be achieved in the ideal world

14 Example: CPIR ("information retrieval")
[Diagram: Bob holds a database f = (f₁, ..., fn) with fᵢ ∈ {0, 1}ᴸ; Alice holds an index x ∈ {1, ..., n}; Alice sends x, Bob replies with fₓ, and Alice outputs fₓ]

15 CPIR without privacy
Computation: Alice and Bob perform none
Communication: Alice sends log n bits, Bob sends L bits
Messages: 1 by Alice, 1 by Bob

16 Example: CPIR. Computationally-private information retrieval: ideal model
[Diagram: Alice (x ∈ {1, ..., n}) sends x and Bob (f = (f₁, ..., fn), fᵢ ∈ {0, 1}ᴸ) sends f to a trusted third party; the trusted third party returns fₓ to Alice, who outputs fₓ]

17 CPIR: ideal model
Computation: Alice, Bob, TTP perform none
Communication: Alice sends log n bits, Bob sends Ln bits (an exponential blowup from log n), TTP sends L bits
Messages: 1 by Alice, 1 by Bob, 1 by TTP

18 Why real CPIR is hard
Bob should get no information about the index x
Hence: Bob should do an "equal amount of computation" with each fᵢ
So at least n (potentially complicated) computational steps
Non-cryptographic protocol: no computation, and communication ≈ log n bits
Ideal model: no computation, comm. ≈ Ln bits
"Computational blow-up" from "no" to n
Comp. blowup matters: many databases have n ≥ 2³² (4 GB)
There exist "real" CPIR protocols with almost optimal communication log n + L + "small"
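The two non-cryptographic baselines from slides 15 to 17, written out as explicit message exchanges, as an added example that is not part of the lecture material. Each run returns Alice's output, the bits each party sent, and what Bob got to see, so the trade-off the slides describe (Bob learns x, or Bob ships all Ln bits and learns nothing) is visible in the returned values. The database contents, the record length L = 8 and the size n = 16 are constructed choices.

```python
"""Added example (not the lecture's code): the CPIR protocol without privacy
(slide 15) and the ideal-model CPIR with a trusted third party (slides 16-17),
written as explicit message exchanges so that the communication cost and what
Bob gets to see can be compared.  Database contents are constructed."""
import math

L = 8                                    # record length in bits (constructed choice)
N = 16                                   # n = 16 records, so log n = 4 bits
# Constructed database f = (f_1, ..., f_n); each f_i is one byte = L bits
DATABASE = [bytes([(i * 37) % 256]) for i in range(1, N + 1)]


def index_bits(n):
    """Bits Alice needs to name an index x in {1, ..., n}: ceil(log2 n)."""
    return math.ceil(math.log2(n))


def cpir_without_privacy(db, x):
    """Alice sends x in the clear, Bob answers with f_x.
    Returns (Alice's output, bits sent by Alice, bits sent by Bob, Bob's view)."""
    n = len(db)
    message_1 = x                         # Alice -> Bob: the index itself (log n bits)
    bob_view = {"index": message_1}       # Bob learns exactly which record was asked for
    message_2 = db[message_1 - 1]         # Bob -> Alice: f_x (L bits)
    return message_2, index_bits(n), L, bob_view


def cpir_ideal_model(db, x):
    """Alice hands x and Bob hands the whole f to a trusted third party, which
    returns f_x to Alice only.  Returns (Alice's output, bits per sender, Bob's view)."""
    n = len(db)
    message_1 = x                         # Alice -> TTP: log n bits
    message_2 = list(db)                  # Bob -> TTP: all n records, L*n bits

    def trusted_third_party(index, database):
        return database[index - 1]        # only the TTP sees both inputs

    message_3 = trusted_third_party(message_1, message_2)   # TTP -> Alice: L bits
    communication = {"alice": index_bits(n), "bob": L * n, "ttp": L}
    bob_view = {}                         # Bob sends f and receives nothing about x
    return message_3, communication, bob_view


def bob_blowup(n):
    """Factor by which Bob's Ln bits in the ideal model exceed Alice's log n bits."""
    return (L * n) / index_bits(n)


if __name__ == "__main__":
    print(cpir_without_privacy(DATABASE, 5))
    print(cpir_ideal_model(DATABASE, 5))
    print(bob_blowup(N))
```

In the first protocol Bob's view contains x, which is exactly the leak the ideal model rules out; in the second Bob's view is empty but his message is n times longer than the record Alice wanted. A real CPIR protocol has to close that gap without reintroducing the leak, which is what the slides mean by the computational blow-up from "no" to n.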

19 CPIR: hardness
For a long time it was conjectured that n "complicated" operations is the actual lower bound
[Lipmaa 2009]: not exactly
Bob can do n "cheap" operations off-line (before the protocol starts)
"On-line" work is ≈ n / log n "complicated" operations, and even less if the database is well-structured

20 How is security achieved?
"Map" every function F computed by Alice/Bob to a cryptographically secure version
Takes a long, long time to research every possible F!
Easier to do when we consider F as consisting of simple constituent parts and handle the parts separately

21 Arithmetic circuits
[Diagram: a circuit of + and · gates over the inputs 2, y, z]
Standard computation model
Inputs are variables or constants
Every node multiplies or adds its inputs
Output of the circuit: the top value
We consider arithmetic modulo some large prime q; otherwise the top element can grow too long

22 Arithmetic circuits
Gate implements a function f: ℤq² → ℤq
Circuit implements a function C: ℤqⁿ → ℤq
[Diagram: the same circuit over inputs 2, y, z]

23 Arithmetic circuits
Fix values of the input gates
Each wire w obtains recursively a value V[w] ∈ ℤq
Circuit outputs the value of the output wire V[output]
[Diagram: the same circuit over inputs 2, y, z]

24 Arithmetic circuits
(Same text; the diagram now shows the input wire values 2, 2, 3, 2)

25 Arithmetic circuits
(Same text; the diagram now also shows the first-level gate values 4, 5, 6)

26 Arithmetic circuits
(Same text; the diagram now also shows the second-level gate values 10, 30)

27 Arithmetic circuits
[Diagram: the fully evaluated circuit, output wire value 40]
Let wᵢ(m) be the value of wᵢ, given input assignment m
Thus for m = (3,2), C(m) = 40
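An evaluator for arithmetic circuits in the sense of slides 21 to 27, as an added example (not code from the lecture). The slides only show the diagram, so the exact wiring below is an assumption reconstructed from the wire values they display (inputs 2, 2, 3, 2, then 4, 5, 6, then 10, 30, then 40); the assignment y = 2, z = 3 reproduces those values, and the small modulus q = 7 is a constructed choice to show where the reduction modulo q happens.

```python
"""Arithmetic circuit evaluator over the integers or over Z_q.
Added example, not from the slides.  The circuit wiring is an assumption
reconstructed from the wire values the slides show."""


class Circuit:
    """Gates are tuples evaluated in order, each later gate referring to earlier
    gate indices:  ('const', value), ('in', name), ('add', i, j), ('mul', i, j).
    The last gate is the output wire."""

    def __init__(self, gates, q=None):
        self.gates = gates
        self.q = q          # None: plain integer arithmetic; otherwise reduce mod q

    def evaluate(self, assignment):
        """Compute V[w] for every wire w, in topological order, and return the
        list of all wire values; V[output] is the last entry."""
        V = []
        for gate in self.gates:
            kind = gate[0]
            if kind == "const":
                v = gate[1]
            elif kind == "in":
                v = assignment[gate[1]]
            elif kind == "add":
                v = V[gate[1]] + V[gate[2]]
            elif kind == "mul":
                v = V[gate[1]] * V[gate[2]]
            else:
                raise ValueError(f"unknown gate {gate!r}")
            if self.q is not None:
                v %= self.q        # keep every wire inside Z_q, so values never grow
            V.append(v)
        return V

    def __call__(self, assignment):
        return self.evaluate(assignment)[-1]      # C(m) = V[output]


# Assumed wiring: constant 2, variables y and z, three + gates and two · gates.
SLIDE_CIRCUIT = [
    ("const", 2),       # wire 0: 2
    ("in", "y"),        # wire 1: y
    ("in", "z"),        # wire 2: z
    ("add", 0, 1),      # wire 3: 2 + y
    ("add", 1, 2),      # wire 4: y + z
    ("mul", 1, 2),      # wire 5: y · z
    ("add", 3, 5),      # wire 6: (2 + y) + y·z
    ("mul", 4, 5),      # wire 7: (y + z) · (y·z)
    ("add", 6, 7),      # wire 8: output
]


def wire_values(y, z):
    """All V[w] over the integers for the assignment (y, z)."""
    return Circuit(SLIDE_CIRCUIT).evaluate({"y": y, "z": z})


def evaluate_over_integers(y, z):
    return Circuit(SLIDE_CIRCUIT)({"y": y, "z": z})


def evaluate_mod_q(y, z, q):
    return Circuit(SLIDE_CIRCUIT, q)({"y": y, "z": z})


if __name__ == "__main__":
    print(wire_values(2, 3))               # [2, 2, 3, 4, 5, 6, 10, 30, 40]
    print(evaluate_mod_q(2, 3, 7))         # 40 mod 7 = 5
    print(evaluate_over_integers(10**6, 10**6))   # grows to ~10^18 without a modulus
```

Reducing every wire modulo q gives the same answer as reducing only the final output, which is the property that lets the later slides replace + and · by their "cryptographic" versions gate by gate.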

28 Universality of arithmetic circuits
Fact: everything useful can be computed by arithmetic circuits
In particular, it can be computed efficiently

29 Achieving security
We need to map F to a cryptographic version
First, we decompose F as an arithmetic circuit ... and then map · and + to "cryptographic" versions ⊙ and ⊕
One also usually needs to "decode" the answer of the cryptographic version
For the original circuit C, let Enc(C) be the cryptographic version, and let Dec be the decoder, s.t. Dec(Enc(C)(m)) = C(m)
Will explain later (the mapping depends a lot on the concrete situation!)

30 Sensible mappings
It'd be nice if this mapping "made sense"
In particular: D₁(m) = D₂(m) iff Dec(Enc(D₁)(m)) = Dec(Enc(D₂)(m))
Example: (a + b) · c = a · c + b · c. Thus we need (a ⊕ b) ⊙ c = (a ⊙ c) ⊕ (b ⊙ c)
I.e., the crypto protocol returns the same value independently of how we compute the function
For simplicity, assume Dec(x) = x
Quiz: which other relations have to be satisfied?

31 Welcome to algebra
Both ℤ and ℤq, for prime q, are rings
Ring: a set with well-defined operations + and · that satisfy certain requirements
Thus also the encoded values with ⊕ and ⊙ have to be members of (another) ring
For those who do not remember (or never knew), we will now explain some simple algebra

32 Group
A group G is a set with an operation · that satisfies:
(associativity) for each a, b, c ∈ G, (a · b) · c = a · (b · c)
(existence of unit element) there exists 1 ∈ G such that for each a ∈ G, 1 · a = a · 1 = a
(existence of inverse) for each a ∈ G, there exists a⁻¹ ∈ G such that a · a⁻¹ = a⁻¹ · a = 1

33 Examples
(ℤ, +) // unit element = 0, inverse element of a = -a
(ℤn, +), n integer
(ℤ × ℤ = {(a, b): a, b ∈ ℤ}, +), with (a, b) + (c, d) = (a + c, b + d)

34 Quiz
Recall: ℤn = {0, ..., n - 1}
Quiz: is ℤn a group w.r.t. ·?
Answer: no. 0 is never invertible: 0 · a = 0 ≠ 1

35 Example about ℤn
Consider ℤ₄ = {0, 1, 2, 3}
For example, 1 · 1 = 1, 3 · 3 = 9 ≡ 1 (mod 4)
Thus 1 and 3 are invertible, but 0 and 2 are not
This means ℤ₄* := {1, 3} consists of the invertible elements
Since ℤ₄* ⊂ ℤ₄, ℤ₄* is a group

36 Reminder: gcd
For positive integers a, b, and c, gcd(a, b) = c iff
(c divides both a and b) c | a, c | b
(it is the greatest to do so) if d | a and d | b then d ≤ c
Example: gcd(9, 6) = 3
a and b are coprime iff gcd(a, b) = 1. Example: gcd(4, 7) = 1
a is prime iff gcd(a, b) = 1 for each positive integer b ≠ a
The greatest common divisor gcd can be computed by using the Euclidean algorithm

37 More about ℤn
Recall ℤ₄* = {1, 3}. Thus ℤ₄* = {a ∈ ℤ₄: gcd(a, 4) = 1}
Lemma. In general, ℤn* = {a ∈ ℤn: gcd(a, n) = 1} is the set of invertible elements modulo n
Proof: Let b = gcd(a, n). If b = 1, then one can use the Extended Euclidean Algorithm to find integers c and k such that ca + kn = 1, and thus ca ≡ 1 (mod n). If b ≠ 1, then a = a₁b and n = n₁b for some integers a₁ and n₁. For any c, ca ≡ ca₁b (mod n₁b), and thus ca = ca₁b + kn₁b = b(ca₁ + kn₁) for some integer k. But then b | ca. Since b does not divide 1, ca ≠ 1
(Proof not explained in the lecture, but try to grok it)

38 Additive/multiplicative notation
We established that (ℤq, +) is a group and (ℤq*, ·) is a group
Unless we work with integer / rational / real / complex numbers, it does not matter how we denote the group operations, but there are some well-established conventions
Additive notation: group operation +, unit element 0, and the inverse element of a is -a
Multiplicative notation: group operation ·, unit element 1, and the inverse element of a is a⁻¹

39 Last words about ℤn
Euler's totient function: φ(n) := |ℤn*|
For example φ(4) = 2
For prime q, φ(q) = q - 1
Fact. If p and q are primes, then φ(pq) = (p - 1)(q - 1)
A lot of "classical" crypto is done in ℤn, so the given facts are very useful
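The gcd, the lemma about ℤn* and Euler's totient from slides 36, 37 and 39, carried out in code as an added example (not the lecture's own). The Extended Euclidean Algorithm produces the coefficients c and k from the lemma's proof, so an inverse modulo n is obtained exactly the way the proof says; a brute-force search for inverses is included only to confirm the lemma on small n. The primality check is written over 2 ≤ b < a, which is my reading of the slide's condition.

```python
"""Added example, not from the lecture: invertible elements of Z_n via gcd,
the Extended Euclidean Algorithm, and Euler's totient function."""


def gcd(a, b):
    """Euclidean algorithm: repeatedly replace (a, b) by (b, a mod b)."""
    while b:
        a, b = b, a % b
    return a


def extended_gcd(a, b):
    """Return (g, c, k) with c*a + k*b = g = gcd(a, b)."""
    old_r, r = a, b
    old_c, c = 1, 0
    old_k, k = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_c, c = c, old_c - q * c
        old_k, k = k, old_k - q * k
    return old_r, old_c, old_k


def inverse_mod(a, n):
    """a^-1 in Z_n, or None when gcd(a, n) != 1 (the lemma on slide 37).
    From c*a + k*n = 1 it follows that c*a = 1 (mod n)."""
    g, c, _k = extended_gcd(a % n, n)
    if g != 1:
        return None
    return c % n


def units(n):
    """Z_n^* = {a in Z_n : gcd(a, n) = 1}."""
    return [a for a in range(n) if gcd(a, n) == 1]


def units_by_brute_force(n):
    """Elements of Z_n that actually have a multiplicative inverse, found by search."""
    return [a for a in range(n) if any((a * b) % n == 1 for b in range(n))]


def is_closed_under_multiplication(n):
    """Slide 35: Z_n^* is closed under ·, so it is a group."""
    U = units(n)
    return all((a * b) % n in U for a in U for b in U)


def totient(n):
    """phi(n) := |Z_n^*|."""
    return len(units(n))


def is_prime(a):
    """a is prime iff gcd(a, b) = 1 for every 2 <= b < a (reading of slide 36)."""
    return a > 1 and all(gcd(a, b) == 1 for b in range(2, a))


if __name__ == "__main__":
    print(units(4), totient(4))             # [1, 3] 2
    print(inverse_mod(3, 4), inverse_mod(2, 4))   # 3 None
    print(totient(7), totient(3 * 5), (3 - 1) * (5 - 1))   # 6 8 8
```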

40 Exponentiation
Let G be a multiplicative group
Define gˢ := g · g · ... · g (s factors); this is exponentiation
Also g⁰ = 1, and g⁻ˢ = (g⁻¹)ˢ

41 Facts about groups
For a group G, its order ord(G) = |G|
For g ∈ G, let its order ord(g) = the smallest positive s ∈ ℤ such that gˢ = 1
ord(g) is well defined for finite groups: gˢ can take up to |G| different values. If gˢ = gᵗ and s > t then gˢ⁻ᵗ = 1, and thus ord(g) ≤ s - t

42 Facts about groups
For g ∈ G, <g> = {h ∈ G: ∃s such that h = gˢ} = {gˢ: s ∈ ℤ}
<g> is the group generated by g; g is a generator of <g>
The (smallest) s is the discrete logarithm of h on basis g
G is cyclic iff for some g ∈ G, G = <g>
In a cyclic group, every element has a unique discrete logarithm on basis a generator g

43 Subgroup
A subset H of G is a subgroup of G iff it is closed with respect to the group operations:
1 ∈ H
For all a ∈ H, a⁻¹ ∈ H
For all a, b ∈ H: ab ∈ H
Fact. For each g ∈ G, <g> is a subgroup of G

44 Basic facts about subgroups
Fact 1 (Lagrange). If H is a subgroup of G, then ord(H) | ord(G). => for each g ∈ G, ord(g) | ord(G).
Fact 2 (Cauchy). Given a prime q | ord(G), there exists an element g ∈ G of order q.
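Element orders, generated subgroups, discrete logarithms and the Lagrange and Cauchy facts of slides 40 to 44, checked in the concrete group (ℤn*, ·), as an added example that is not part of the lecture. The discrete logarithm is found by exhaustive search, which is fine for the toy moduli used here and is precisely what becomes infeasible in the "good groups" the next lecture announces.

```python
"""Added example, not from the lecture: orders, generators and subgroup facts
in the multiplicative group Z_n^*, checked by direct computation."""
from math import gcd


def units(n):
    """Z_n^* as a list."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def power_mod(g, s, n):
    """g^s mod n by square-and-multiply (g^s := g · g · ... · g, slide 40)."""
    result, base = 1, g % n
    while s > 0:
        if s & 1:
            result = result * base % n
        base = base * base % n
        s >>= 1
    return result


def element_order(g, n):
    """ord(g): the smallest positive s with g^s = 1 (slide 41)."""
    if gcd(g, n) != 1:
        raise ValueError(f"{g} is not in Z_{n}^*")
    s, h = 1, g % n
    while h != 1:
        h = h * g % n
        s += 1
    return s


def generated_subgroup(g, n):
    """<g> = {g^s : s in Z}, as a sorted list (slide 42)."""
    return sorted(power_mod(g, s, n) for s in range(element_order(g, n)))


def discrete_log(h, g, n):
    """Smallest s >= 0 with g^s = h, or None if h is not in <g> (brute force)."""
    for s in range(element_order(g, n)):
        if power_mod(g, s, n) == h:
            return s
    return None


def generators(n):
    """Elements g with <g> = Z_n^*."""
    G = units(n)
    return [g for g in G if element_order(g, n) == len(G)]


def is_cyclic(n):
    return len(generators(n)) > 0


def lagrange_holds(n):
    """Fact 1: ord(g) divides ord(G) for every g in G."""
    G = units(n)
    return all(len(G) % element_order(g, n) == 0 for g in G)


def cauchy_witnesses(n):
    """Fact 2: for every prime q dividing ord(G), some element has order q.
    Returns {q: g} with one witness per such prime."""
    G = units(n)
    order = len(G)
    primes = [q for q in range(2, order + 1)
              if order % q == 0 and all(q % d for d in range(2, q))]
    return {q: next(g for g in G if element_order(g, n) == q) for q in primes}


if __name__ == "__main__":
    print(generators(7), is_cyclic(7))       # [3, 5] True
    print(generated_subgroup(2, 7))          # [1, 2, 4], a subgroup of order 3 | 6
    print(generators(8), is_cyclic(8))       # [] False: every element of Z_8^* has order 2
    print(cauchy_witnesses(7))               # {2: 6, 3: 2}
```

ℤ₈* is the instructive case: it satisfies Lagrange and Cauchy like every finite group, yet no element generates it, so it is not cyclic and discrete logarithms on a single basis do not cover the whole group.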

45 Commutativity
An Abelian group G is a group that also has the following property: (commutativity) for all a, b ∈ G, ab = ba
Most groups in crypto are commutative: ℤ, ℤn, ...
Example of a non-commutative group: the group of permutations of ℤn for n > 2

46 Abstraction
In the next lecture, we talk about two possible cryptographically interesting instantiations of groups
However, after that we just abstract the details away and assume that we have a finite (mostly) cyclic group

47 Ring
A ring is a set R with two operations, + and ·, that satisfy the following requirements:
(R, +) is an (additive) group
(R, ·) is a monoid: it is associative and has a unit element 1, but not every element is required to have an inverse
Distributivity: a(b + c) = ab + ac, and (a + b)c = ac + bc

48 Examples of rings
(ℤ, ·, +)
(ℤn, ·, +)
All univariate polynomials f(x) = f₀ + f₁x + ... + fd xᵈ with coefficients from either ℤ or ℤn
etc., etc.
In all rings we encounter, both · and + are commutative
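The polynomial ring ℤn[x] from slide 48, implemented as an added example (not the lecture's code) so that the ring requirements of slide 47 can be checked on concrete elements: (R, +) is a group, (R, ·) is a monoid with unit 1, both distributive laws hold, and · does not give every element an inverse. Polynomials are lists of coefficients, lowest degree first; the sample elements and moduli are constructed.

```python
"""Added example, not from the lecture: univariate polynomials over Z_n as a
ring, with the ring axioms of slide 47 verified on sample elements.
A polynomial is a list of coefficients, lowest degree first: [f0, f1, ..., fd]."""
from itertools import product


def normalize(p, n):
    """Reduce coefficients mod n and drop leading zeros (so [] is the zero polynomial)."""
    p = [c % n for c in p]
    while p and p[-1] == 0:
        p.pop()
    return p


def poly_add(p, q, n):
    size = max(len(p), len(q))
    p = p + [0] * (size - len(p))
    q = q + [0] * (size - len(q))
    return normalize([a + b for a, b in zip(p, q)], n)


def poly_neg(p, n):
    """Additive inverse: (R, +) is a group."""
    return normalize([-c for c in p], n)


def poly_mul(p, q, n):
    """Convolution of coefficient lists, then reduction mod n."""
    if not p or not q:
        return []
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return normalize(out, n)


ZERO, ONE = [], [1]


def check_ring_axioms(samples, n):
    """Check the slide-47 requirements on every triple drawn from `samples`."""
    for a in samples:
        a = normalize(a, n)
        if poly_add(a, ZERO, n) != a or poly_add(a, poly_neg(a, n), n) != ZERO:
            return False                                     # (R, +) group
        if poly_mul(a, ONE, n) != a or poly_mul(ONE, a, n) != a:
            return False                                     # unit element of ·
        for b in samples:
            for c in samples:
                if poly_add(poly_add(a, b, n), c, n) != poly_add(a, poly_add(b, c, n), n):
                    return False                             # + associative
                if poly_mul(poly_mul(a, b, n), c, n) != poly_mul(a, poly_mul(b, c, n), n):
                    return False                             # · associative
                lhs = poly_mul(a, poly_add(b, c, n), n)
                rhs = poly_add(poly_mul(a, b, n), poly_mul(a, c, n), n)
                if lhs != rhs:
                    return False                             # a(b + c) = ab + ac
                lhs = poly_mul(poly_add(a, b, n), c, n)
                rhs = poly_add(poly_mul(a, c, n), poly_mul(b, c, n), n)
                if lhs != rhs:
                    return False                             # (a + b)c = ac + bc
    return True


def has_inverse(p, n, max_degree=2):
    """Search for q of degree <= max_degree with p·q = 1 in Z_n[x]."""
    for coeffs in product(range(n), repeat=max_degree + 1):
        if poly_mul(p, list(coeffs), n) == ONE:
            return True
    return False


# Constructed sample elements of Z_5[x]: 0, 1, 2 + 3x, x, 4 + x^2
SAMPLES = [[], [1], [2, 3], [0, 1], [4, 0, 1]]

if __name__ == "__main__":
    print(check_ring_axioms(SAMPLES, 5))     # True
    print(has_inverse([3], 5))               # True: 3 · 2 = 6 = 1 (mod 5)
    print(has_inverse([1, 1], 5))            # False: 1 + x has no inverse
    print(has_inverse([1, 2], 4))            # True: (1 + 2x)^2 = 1 + 4x + 4x^2 = 1 (mod 4)
```

The last line is the edge case worth remembering when n is not prime: in ℤ₄[x] the polynomial 1 + 2x is its own inverse because 4 ≡ 0, so the set of invertible elements depends on the coefficient ring, not only on the degree.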

49 Crypto in rings/groups
Crypto in groups is much less useful than in rings
Basic reason: we can only compute additions (and multiplications with scalars), so we can only implement affine functions / degree-1 polynomials f(x) = ax + b
However, group-based crypto is much better known, so we mostly talk about this ... and it actually allows us to do a lot of things

50 Next lecture
Assumptions, reductions
More about exponentiation
"Good groups" and the discrete logarithm

