Lecturer: Moni Naor Weizmann Institute of Science

1 Lecturer: Moni Naor, Weizmann Institute of Science
Cryptography and Privacy Preserving Operations. Lecture 3: one of us is malicious. Lecturer: Moni Naor, Weizmann Institute of Science. (Speaker note: give the handouts; see the course web page.)

2 Commitments
Define. Construct. Applications: coin-flipping, zero-knowledge.

3 String Commitment Protocols
Sender: input X ∈ {0,1}^n. Receiver. Two phases: Commit and Reveal. At the end of the protocol the Receiver obtains X and decides whether it is valid or not.

4 Commitment Protocol
Commit phase: Sender (holding X) → Receiver; the Sender is bound to X. Reveal phase: Sender sends X → Receiver; the Receiver can verify that X was the value in the box.

5 Following Commit Phase
The Receiver should not have gained any information about X. Information theoretic? Computational? The Sender should be bound to X: either no two different and valid openings exist, or it is computationally infeasible to find two different valid openings.

6 Both worlds?
Cannot have the best of both worlds: information-theoretic secrecy following commit (the distribution of the conversation is independent of X) together with perfect binding (no two different and valid openings exist, with high probability).

7 Security Parameter
Want a family of protocols indexed by a security parameter, and a relationship between the security parameter and the size of the hard problem.

8 Definition: Computational Secrecy
Indistinguishability of committed strings: Adversary A chooses X1, X2 ∈ {0,1}^n, receives the commit phase to X_b for b ∈_R {0,1}, and has to decide whether b = 1 or b = 2. For any pptm A and any X1, X2 ∈ {0,1}^n, |Pr[A = '1' | b = 1] - Pr[A = '1' | b = 2]| is negligible.

9 ...Computational Secrecy
Equivalent to semantic security of committed strings: whatever Adversary A can compute on the committed string X ∈ {0,1}^n, so can an A' that does not participate in the commit phase. A selects a distribution D_n on {0,1}^n and a relation R(X,Y) computable by a ppt.

10 ...Semantic Security
∀ pptm A, ∀ R, ∃ A' such that for X ∈_R D_n: |Pr[R(X, A(commit))] - Pr[R(X, A'())]| is negligible.

11 Definition: Perfect Binding
For all adversaries A controlling the Sender, following the commit phase, with high probability over the random choices of the Receiver there are no two different and valid openings to X and X'.

12 Protocol
Show a string commitment protocol with indistinguishability of committed strings and perfect binding.

13 Tool: Pseudo-Random Sequence Generator
G_4n: {0,1}^n → {0,1}^4n, a cryptographically strong pseudo-random sequence generator.

14 The Protocol - Commit
Receiver: chooses P ∈_R {0,1}^4n. Sender: input X ∈ {0,1}^n; chooses S ∈_R {0,1}^n; computes and sends Y = X·P + G_4n(S). Computation is done in GF[2^4n].

15 The Protocol - Reveal
Sender: sends S ∈ {0,1}^n. Receiver: computes X = (Y - G_4n(S))·P^-1. Computation is done in GF[2^4n].

16 Binding
Claim: the probability that the Sender is able to open equivocally is at most 2^-n. The Sender can cheat given P iff ∃ S1, S2, X1, X2 ∈ {0,1}^n with X1 ≠ X2 such that Y = X1·P + G_4n(S1) = X2·P + G_4n(S2), i.e. P·(X1 - X2) = G_4n(S2) - G_4n(S1).

17 ...Binding
There are 2^3n - 1 possibilities for S1, S2 and X1 - X2. The probability that P validates such a triple is 2^-4n, so the probability that P validates any triple is at most 2^-n. There exists a universal P; we don't know how to find it, so the Receiver chooses at random.
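As an added worked example (not part of the lecture slides), the commit/reveal protocol of slides 14-15 and the counting argument of slides 16-17 in Python. It assumes a toy parameter n = 4, so the field is GF(2^16) (the code searches for an irreducible polynomial rather than relying on a remembered one), and it stands in for G_4n with truncated SHA-256, which is an assumption, not a proven pseudo-random generator. The function names (commit, reveal, verify, find_equivocation, bad_receiver_choices) are mine.

```python
import hashlib
import secrets

# Toy security parameter: n = 4, so the field is GF(2^16) and the
# binding bound 2^-n of slide 16 can be checked by exhaustive counting.
N = 4
D = 4 * N


def poly_mod(a, g):
    """Remainder of a modulo g, both polynomials over GF(2) stored as bit masks."""
    dg = g.bit_length() - 1
    while a and a.bit_length() - 1 >= dg:
        a ^= g << (a.bit_length() - 1 - dg)
    return a


def find_irreducible(d):
    """Smallest irreducible polynomial of degree d (trial division; fine for toy d)."""
    for f in range(1 << d | 1, 1 << (d + 1), 2):
        if all(poly_mod(f, g) for g in range(2, 1 << (d // 2 + 1))):
            return f
    raise ValueError("no irreducible polynomial found")


F = find_irreducible(D)  # GF(2^D) = GF(2)[x] / (F)


def gf_mul(a, b):
    """Multiplication in GF(2^D). Addition and subtraction in the field are XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> D:
            a ^= F
    return r


def gf_inv(a):
    """a^-1 = a^(2^D - 2), by square-and-multiply."""
    assert a != 0
    r, e = 1, (1 << D) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def G(seed):
    """Stand-in for G_4n: {0,1}^n -> {0,1}^4n (assumption: truncated SHA-256)."""
    h = hashlib.sha256(b"G4n|" + seed.to_bytes(2, "big")).digest()
    return int.from_bytes(h, "big") & ((1 << D) - 1)


def commit(x, p, s):
    """Commit phase: Y = X*P + G(S) in GF(2^4n); P is the Receiver's random challenge."""
    return gf_mul(x, p) ^ G(s)


def reveal(y, p, s):
    """Reveal phase: X = (Y - G(S)) * P^-1."""
    return gf_mul(y ^ G(s), gf_inv(p))


def verify(y, p, s, x):
    """Receiver accepts the opening (S, X) iff X is an n-bit string consistent with Y."""
    return 0 <= x < (1 << N) and reveal(y, p, s) == x


def find_equivocation(p):
    """Cheating Sender's search for a fixed P: seeds S1 != S2 with
    (G(S1) - G(S2)) * P^-1 equal to a nonzero n-bit value delta, so that
    X1 = 0 under S1 and X2 = delta under S2 open the same Y.
    Returns (Y, (X1, S1), (X2, S2)) or None when P admits no equivocation."""
    pinv = gf_inv(p)
    for s1 in range(1 << N):
        for s2 in range(s1 + 1, 1 << N):
            delta = gf_mul(G(s1) ^ G(s2), pinv)
            if 0 < delta < (1 << N):
                return commit(0, p, s1), (0, s1), (delta, s2)
    return None


def bad_receiver_choices():
    """Counting argument of slide 17: each (S1, S2, X1 - X2) triple pins down
    exactly one P = (G(S1) - G(S2)) / (X1 - X2), so at most 2^2n * 2^n of the
    2^4n possible P values allow equivocation: a fraction of at most 2^-n."""
    inv = {delta: gf_inv(delta) for delta in range(1, 1 << N)}
    bad = set()
    for s1 in range(1 << N):
        for s2 in range(s1 + 1, 1 << N):
            diff = G(s1) ^ G(s2)
            for delta in range(1, 1 << N):
                p = gf_mul(diff, inv[delta])
                if p:  # P = 0 is excluded; the Receiver never picks it
                    bad.add(p)
    return bad


if __name__ == "__main__":
    p = secrets.randbelow((1 << D) - 1) + 1  # Receiver's random nonzero P
    x, s = 0b1011, secrets.randbelow(1 << N)
    y = commit(x, p, s)
    print("opening valid:", verify(y, p, s, x))
    bad = bad_receiver_choices()
    print("fraction of P allowing equivocation:", len(bad) / ((1 << D) - 1), "<= 2^-n =", 2 ** -N)
```

bad_receiver_choices enumerates exactly the triples that slide 17 counts and collects the P each one validates; at this parameter size the fraction stays below 2^-n, and for any such P find_equivocation exhibits the two valid openings of one Y, while for every other P it returns None.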

18 Cryptographic Reductions
Show how to use an adversary for breaking primitive 1 in order to break primitive 2. Important: run time (how does T1 relate to T2?), probability of success (how does ε1 relate to ε2?), and access to the system (1 vs. 2).

19 Secrecy
Suppose Adversary A controlling the Receiver can distinguish whether (Y,P) corresponds to X1 or X2: ε = |Pr[A(Y,P) = '1' | X1] - Pr[A(Y,P) = '1' | X2]|. The probability is over the random choice of S and the random coins of A.

20 ...Secrecy
Can use A to distinguish whether a given string Z is G_4n(S) or random: given P, send the Receiver Y = X1·P + Z. If Z is random, so is Y! Let p1 = Pr[A(Y,P) = '1' | X1], p2 = Pr[A(Y,P) = '1' | X2], p3 = Pr[A(Y,P) = '1' | Z is random].

21 ...Secrecy
By assumption |p1 - p2| ≥ ε, so either |p1 - p3| ≥ ε/2 or |p2 - p3| ≥ ε/2. In either case we can construct a distinguisher for Z: if |p1 - p3| ≥ ε/2, give the Receiver Y = X1·P + Z; if |p2 - p3| ≥ ε/2, give the Receiver Y = X2·P + Z. Provide A(Y,P) as the answer.

22 An existential clump
One-way functions ⇒ pseudo-random generators ⇒ string commitment protocol. Also: string commitment ⇒ one-way function.

23 Applications: coin flipping, auctions, zero knowledge.

24 Coin Flipping
Two parties, A and B, want to agree on a random value R ∈ {0,1}. It should be random even if one party cheats. Potential problem: one party knows the value before the other (early stopping).

25 ...Coin Flipping Specification
The result of the protocol could be 0, 1 or ⊥. For every PPTM adversary controlling A (or B) and ∀ b ∈ {0,1}: Pr[result of protocol is b] ≤ 1/2 + ε, where ε is negligible in the security parameter.

26 Coin Flipping Protocol
A selects r_A ∈_R {0,1} and commits to r_A. B sends a bit r_B ∈_R {0,1}. The coin is r_A ⊕ r_B. If A doesn't open, the result is ⊥. If A's opening is invalid, the result is ⊥.

27 Coin flipping security
∀ adversary controlling A and ∀ b ∈ {0,1}: Pr[result of protocol is b] ≤ 1/2 + 2^-n. For all PPTM adversaries controlling B and ∀ b ∈ {0,1}: Pr[result of protocol is b] ≤ 1/2 + ε, where ε is the advantage of distinguishing a commitment to 0 from a commitment to 1 in the commitment protocol.
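An added example (not from the slides) of the protocol of slide 26 run from B's side, with an honest A and two cheating strategies for A: refusing to open, and trying to re-open to the other bit. The commitment is a stand-in (SHA-256 over a random nonce and the bit) used in place of the GF(2^4n) construction of slides 14-15; its binding rests on collision resistance, which is the assumption here. BOTTOM models ⊥, and the class and function names are mine.

```python
import hashlib
import secrets

BOTTOM = None  # the abort symbol: result when A does not open, or opens invalidly


def commit_bit(b):
    """Stand-in commitment (assumption): SHA-256 of a 32-byte nonce and the bit."""
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + bytes([b])).digest(), (nonce, b)


def open_bit(c, opening):
    """B's verification of A's opening; anything that does not match yields BOTTOM."""
    if opening is None:
        return BOTTOM
    nonce, b = opening
    if b not in (0, 1) or hashlib.sha256(nonce + bytes([b])).digest() != c:
        return BOTTOM
    return b


class HonestA:
    def commit(self):
        self.c, self.opening = commit_bit(secrets.randbelow(2))
        return self.c

    def reveal(self, r_b):
        return self.opening


class AbortingA(HonestA):
    """Cheater who wants the coin to be 0: refuses to open when r_A xor r_B = 1."""

    def reveal(self, r_b):
        return self.opening if self.opening[1] ^ r_b == 0 else None


class LyingA(HonestA):
    """Cheater who claims r_A = r_B after seeing r_B, so that the coin would be 0."""

    def reveal(self, r_b):
        nonce, _ = self.opening
        return (nonce, r_b)


def coin_flip(party_a, r_b=None):
    """Protocol of slide 26: A commits to r_A, B sends r_B, A opens, B verifies.
    Returns 0, 1 or BOTTOM."""
    c = party_a.commit()
    if r_b is None:
        r_b = secrets.randbelow(2)
    r_a = open_bit(c, party_a.reveal(r_b))
    return BOTTOM if r_a is BOTTOM else r_a ^ r_b


def outcome_counts(make_a, trials=2000):
    """Empirical distribution of results for a given strategy of A."""
    counts = {0: 0, 1: 0, BOTTOM: 0}
    for _ in range(trials):
        counts[coin_flip(make_a())] += 1
    return counts


if __name__ == "__main__":
    for strategy in (HonestA, AbortingA, LyingA):
        print(strategy.__name__, outcome_counts(strategy))
```

Against this binding commitment neither cheater can make the coin come out 1 once r_B is fixed: the aborting A turns the unfavourable half of the runs into ⊥, and the lying A's second opening only verifies when it coincides with the committed bit, which is exactly the behaviour slide 27 quantifies with the 2^-n term.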

28 Dealing with early stopping
Suppose ⊥ is not acceptable. To limit the influence of one party: gradual release of the result. Commit to many bits and release them one by one; take the majority of the bits, substituting random values for the bits lost to early stopping. However, for r rounds one party can still influence the result by 1/r.

29 Definition: Computational Binding
For all PPTM adversaries A controlling the Sender, following the commit phase, with high probability over the random choices of the Receiver the Sender cannot find two different and valid openings to X and X'.

30 Interactive Proof System
Let L ⊆ {0,1}* be a language. One party, the Prover P, wants to convince the other party, the Verifier V, that X ∈ L. In our case both parties are PPTM; they exchange messages and flip coins. The Prover P may have some extra information W. At the end of the protocol the Verifier V's state is in {accept, reject}. For a given W the interaction between V and P induces a distribution on the transcripts.

31 Witness Protection Programs
A witness indistinguishable proof system for X ∈ L (Prover P ↔ Verifier V). Completeness: if the prover P has a witness W, it can construct an effective proof that makes the verifier V accept. Soundness: if X ∉ L, no prover P* can succeed with high probability in making the verifier V accept. Witness indistinguishability: for every V* and any witnesses W1 and W2, the distributions on transcripts are computationally indistinguishable; no polynomial-time test can distinguish the two.

32 Example: Hamiltonicity
Common input: graph G=(V,E). L is the language of graphs with Hamiltonian cycles: G=(V,E) ∈ L if and only if there is a cycle C=(i1, i2, …, in) covering all nodes of V once, with (ij, ij+1) ∈ E.

33 Example: Hamiltonicity
Common input: graph G=(V,E); L is the language of graphs with Hamiltonian cycles. Witness W: a Hamiltonian cycle C=(i1, i2, …, in). Protocol: Prover P selects a random permutation π of the nodes and commits to the adjacency matrix of π(G)=(π(V), π(E)), each entry separately. Verifier V selects and sends a bit r ∈_R {0,1}. If r=0, P opens all the commitments and sends π. If r=1, P opens only the commitments corresponding to the C entries (π(ij), π(ij+1)). Verifier V accepts if r=0 and the committed graph is isomorphic to G (via π), or r=1 and all opened slots are '1'.

34 Analysis of Protocol
Completeness: ✓. Soundness: if there is no cycle in G=(V,E), then by the binding property of the commitment scheme there is, following the commitment, a unique graph G'. Either P* commits to a graph G' non-isomorphic to G, and Verifier V rejects if r=0; or P* commits to a graph G' isomorphic to G, and Verifier V rejects if r=1. The probability that V accepts is bounded by 1/2. Can reduce the error by repetition: sequential or parallel.

35 Analysis of Protocol: Witness Indistinguishability
Let G=(V,E) have two Hamiltonian cycles C1 and C2. If there is a verifier V* that can distinguish between the cases where C1 and C2 are used, then we can use V* to distinguish between commitments to π1(G) and π2(G) for some permutations π1 and π2. Witness indistinguishability is preserved under parallel execution (hybrid argument). But what if there is a unique witness?

36 Zero Knowledge
Each (cheating) verifier V* induces a distribution on the transcripts of its interaction with P. Zero-knowledge requirement: for all verifiers V* there exists a simulator S such that S is a pptm (it does not get the witness W) and for all X ∈ L the distributions on transcripts that V* induces and that S produces are computationally indistinguishable.

37 Simulation Zero-Knowledge
Simulator S plays P's role in the interaction with V*: guess r' ∈_R {0,1}. If r'=0, select a random permutation π of the nodes and commit to the adjacency matrix of π(G)=(π(V), π(E)). If r'=1, select a random cycle C and commit to the adjacency matrix of C. Receive r ∈ {0,1} from V*. If r'=r, proceed as planned; otherwise rewind V* and start from scratch. Claim: the simulator stops in an expected constant number of trials. Proof: if not, we can distinguish between a commitment to G and a commitment to C. Claim: the distributions of (S, V*) and (P, V*) are indistinguishable.
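An added example (not part of the lecture) of the Hamiltonicity protocol of slide 33, the verifier's checks of slide 34, and the rewinding simulator of slide 37, for undirected graphs. The bit commitment is a SHA-256 stand-in keyed by a random 16-byte key (an assumption); V* is modelled as any function from the commitments to a challenge bit, and rewinding is realised by simply running V* again on fresh commitments. One check is added that the slide does not spell out: on r=1 the verifier also confirms that the opened positions form a single cycle through all nodes, since opening any n entries equal to '1' would otherwise pass. All function names are mine.

```python
import hashlib
import secrets
from itertools import product


def commit_bit(b):
    """Bit commitment stand-in (assumption): SHA-256 of a random 16-byte key and the bit."""
    key = secrets.token_bytes(16)
    return hashlib.sha256(key + bytes([b])).digest(), (key, b)


def check_open(c, key, b):
    return b in (0, 1) and hashlib.sha256(key + bytes([b])).digest() == c


def adjacency(n, edges):
    """Symmetric 0/1 adjacency matrix of an undirected graph on nodes 0..n-1."""
    a = [[0] * n for _ in range(n)]
    for u, v in edges:
        a[u][v] = a[v][u] = 1
    return a


def permute(a, pi):
    """Adjacency matrix of pi(G): entry (pi(u), pi(v)) holds a[u][v]."""
    n = len(a)
    b = [[0] * n for _ in range(n)]
    for u, v in product(range(n), repeat=2):
        b[pi[u]][pi[v]] = a[u][v]
    return b


def random_perm(n):
    pi = list(range(n))
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        pi[i], pi[j] = pi[j], pi[i]
    return pi


def cycle_edges(cycle):
    n = len(cycle)
    return [(cycle[j], cycle[(j + 1) % n]) for j in range(n)]


def commit_matrix(m):
    """Commit to every entry separately; returns (commitments, openings)."""
    n = len(m)
    coms = [[None] * n for _ in range(n)]
    opens = [[None] * n for _ in range(n)]
    for u, v in product(range(n), repeat=2):
        coms[u][v], opens[u][v] = commit_bit(m[u][v])
    return coms, opens


def prover_commit(a, cycle):
    """Prover's first message: commitments to pi(G) for a fresh random pi."""
    pi = random_perm(len(a))
    coms, opens = commit_matrix(permute(a, pi))
    return coms, (pi, opens, cycle)


def prover_respond(state, r):
    pi, opens, cycle = state
    if r == 0:
        return pi, opens  # open everything and reveal pi
    # r == 1: open only the entries (pi(i_j), pi(i_{j+1})) along the cycle
    return None, {(pi[u], pi[v]): opens[pi[u]][pi[v]] for u, v in cycle_edges(cycle)}


def verifier_check(a, coms, r, response):
    n = len(a)
    pi, opened = response
    if r == 0:  # the committed graph must be exactly pi(G)
        if sorted(pi) != list(range(n)):
            return False
        target = permute(a, pi)
        return all(check_open(coms[u][v], *opened[u][v]) and opened[u][v][1] == target[u][v]
                   for u, v in product(range(n), repeat=2))
    # r == 1: every opened slot is '1' and the opened positions form one Hamiltonian cycle
    if not all(check_open(coms[u][v], *o) and o[1] == 1 for (u, v), o in opened.items()):
        return False
    succ = {u: v for (u, v) in opened}
    if len(opened) != n or len(succ) != n or set(succ.values()) != set(range(n)):
        return False
    node, seen = 0, set()
    for _ in range(n):
        seen.add(node)
        node = succ[node]
    return node == 0 and len(seen) == n


def simulator(a, v_star, max_trials=1000):
    """Slide 37: guess r', commit to pi(G) (r'=0) or to a random cycle (r'=1), and
    rewind V* (here: retry with fresh commitments) when its challenge r differs.
    Returns ((commitments, r, response), number of trials)."""
    n = len(a)
    for trial in range(1, max_trials + 1):
        r_guess = secrets.randbelow(2)
        if r_guess == 0:
            pi, cycle = random_perm(n), None
            coms, opens = commit_matrix(permute(a, pi))
        else:
            pi, cycle = list(range(n)), random_perm(n)
            coms, opens = commit_matrix(adjacency(n, cycle_edges(cycle)))
        r = v_star(coms)
        if r == r_guess:
            return (coms, r, prover_respond((pi, opens, cycle), r)), trial
    raise RuntimeError("simulator did not stop")
```

The simulator never touches a witness, yet every transcript it returns passes verifier_check; a prover holding only a non-Hamiltonian graph is caught on one of the two challenges, which is the 1/2 soundness error of slide 34.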

38 Motivation for Zero-knowledge
Can turn any protocol that works well when the parties are benign (but curious) into one that works well when the parties are malicious. Needs a further property, proof of knowledge: it is possible to extract the witness from a successful prover.

39 Secure Function Evaluation (SFE)
A major and exciting topic of research in the last two decades. How to distributively compute a function f(X1, X2, …, Xn), where Xj is known to party j, so that the parties learn only the final output.

40 The Millionaires Problem
Alice has x, Bob has y. Whose value is greater? Leak no other information!

41 Ideal Solution for the Millionaires Problem
Alice sends x and Bob sends y to a trusted party ("TrustMe"), which announces the answer. Well ...

42 Secure Function Evaluation: (Informal) Definition
A protocol is secure if it emulates the ideal solution. Or: for any adversary there is a comparable one working in the ideal model with similar output.

43 Major Result [Yao, GMW]
"Any f that can be evaluated using polynomial resources can be securely evaluated using polynomial resources" (under some cryptographic assumption).

44 SFE
Many results, depending on the number of players, the means of communication, the power and model of the adversary, and how the function is represented.

45 Simulation
A protocol is considered secure if for every adversary (of a certain type) there exists a simulator that outputs an indistinguishable "transcript". Examples: encryption, zero-knowledge. Next: secure function evaluation.

46 Simulating the ideal model
A protocol is considered secure if for every adversary there exists a simulator, operating in the "ideal" (trusted party) model, that outputs an indistinguishable "transcript".

47 1-out-of-2 Oblivious Transfer
Alice has Y0, Y1; Bob has j. Bob learns Yj; Alice learns nothing.

48 Implementations of OT_1^2
Can be based on most public-key systems. There are implementations with two rounds of communication.

49 Secret Sharing
Threshold secret sharing: how to split a secret S into N shares so that no k-1 shares yield any information about the secret S, while any k shares suffice to reconstruct it. Best known example: Shamir's polynomial-based scheme. Simplest example, 2-out-of-2: choose random S1 and let S2 = S ⊕ S1.
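An added example (not from the slides) of both schemes named on slide 49: Shamir's k-out-of-N sharing over a prime field, with Lagrange reconstruction, and the 2-out-of-2 XOR scheme. The field modulus 2^61 - 1 is a toy choice and an assumption, as are the function names. implied_share makes the threshold property concrete: from k-1 shares, every candidate secret is consistent with exactly one completion, so the shares carry no information about which one is real.

```python
import secrets

P = (1 << 61) - 1  # Mersenne prime; the field GF(P) the shares live in (toy choice)


def eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... mod P."""
    r = 0
    for c in reversed(coeffs):
        r = (r * x + c) % P
    return r


def split(secret, k, n):
    """Shamir k-out-of-N: random polynomial of degree k-1 with f(0) = secret;
    share i is the point (i, f(i))."""
    assert 0 <= secret < P and 1 <= k <= n < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(i, eval_poly(coeffs, i)) for i in range(1, n + 1)]


def interpolate(points, x):
    """Lagrange interpolation through the given (x_i, y_i) points, evaluated at x."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(shares):
    """Any k shares determine the degree-(k-1) polynomial, hence the secret f(0)."""
    return interpolate(shares, 0)


def implied_share(partial, candidate_secret, x):
    """Given only k-1 shares, every candidate secret is consistent: exactly one
    degree-(k-1) polynomial passes through the k-1 shares and (0, candidate).
    Returns its value at x, i.e. the k-th share that would make 'candidate' the secret."""
    return interpolate(partial + [(0, candidate_secret)], x)


def split_xor(secret):
    """2-out-of-2 scheme of the slide on byte strings: S1 random, S2 = S xor S1."""
    s1 = secrets.token_bytes(len(secret))
    return s1, bytes(a ^ b for a, b in zip(secret, s1))


def join_xor(s1, s2):
    return bytes(a ^ b for a, b in zip(s1, s2))


if __name__ == "__main__":
    shares = split(1234567, 3, 5)
    print("3 of 5 shares give:", reconstruct(shares[1:4]))
    print("share 3 implied by shares 1,2 if the secret were 42:", implied_share(shares[:2], 42, 3))
```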

50 Two-party Computation
Two-party protocol. Input: Sender: a function P (in some representation); Receiver: X ∈ {0,1}^n. Output: Receiver: F(x) and nothing else about F; Sender: nothing about x.

51 Representations of P
Boolean circuits [Yao, GMW, …]; algebraic circuits [BGW, …]; low-degree polynomials [BFKR]; matrix products over a large field [FKN, IK]; randomizing polynomials [IK]; communication complexity protocols [NN].

52 Garbling P
Input: a description of P as a Boolean circuit C over basis B. Output: the garbled circuit C (the tables); pairs of garbled inputs ⟨I1^0, I1^1⟩, ⟨I2^0, I2^1⟩, …, ⟨In^0, In^1⟩; pairs of garbled outputs ⟨Z1^0, Z1^1⟩, ⟨Z2^0, Z2^1⟩, …, ⟨Zn^0, Zn^1⟩.

53 Garbling Requirements
For X ∈ {0,1}^n and Y=P(x): given the garbled circuit (the tables) and the selection by X of garbled inputs ⟨I1, I2, …, In⟩, it is possible to compute the selection by y, ⟨Z1, Z2, …, Zn⟩; it is impossible to deduce anything about x or y. Sender and Receiver share the output.

54 Garbling
We construct the garbled circuit gate by gate, in some topological order (from inputs to outputs). Start by choosing random values for the inputs ⟨I1^0, I1^1⟩, ⟨I2^0, I2^1⟩, …, ⟨In^0, In^1⟩.

55 Garbled Circuits
[Figure: the original circuit, with wires j, l, m, k, n, out and gates G1, G2, G3.]

56 Garbled Circuits
Garbled values for wires: assign a random pair ⟨Wi^0, Wi^1⟩, ⟨Wj^0, Wj^1⟩, ⟨Wl^0, Wl^1⟩, ⟨Wm^0, Wm^1⟩ to each input wire, ⟨Wk^0, Wk^1⟩ and ⟨Wn^0, Wn^1⟩ to the outputs of G1 and G2, and ⟨Wout^0, Wout^1⟩ to the output of G3. Assign a random "permutation" π: {0,1} → {0,1} for each gate.

57 Tables for a Gate
bi, bj are the true values; ci, cj are the permuted values; bk = G(bi, bj). If we know (ci, Wi^bi) and (cj, Wj^bj), we want to obtain (ck, Wk^bk). Gate G has input wires i, j with pairs ⟨Wi^0, Wi^1⟩, ⟨Wj^0, Wj^1⟩ and output wire k with pair ⟨Wk^0, Wk^1⟩. Typical entry: [(ck, Wk^G(bi,bj)) + F_{Wi^bi}(cj) + F_{Wj^bj}(ci)].

58 Translation table for an OR gate
The Sender constructs a translation table from input values to output values for gate G with input wires i, j (⟨Wi^0, Wi^1⟩, ⟨Wj^0, Wj^1⟩) and output wire k (⟨Wk^0, Wk^1⟩): encrypt (ck(bi,bj), Wk^G(bi,bj)) with Wi^bi, Wj^bj.

59 The protocol
Initialization: for every wire, the Sender assigns random (garbled) values to the 0/1 values; for every gate, the Sender constructs a table such that, given the garbled values of the input wires, one can compute the garbled values of the output wire and nothing else. Computation: the Receiver obtains the garbled values of the circuit's input wires and propagates them to the output wires.

60 Choosing the garbled Inputs
For each 1 ≤ j ≤ n run a 1-out-of-2 OT in which the Sender inputs ⟨Ij^0, Ij^1⟩ and the Receiver inputs Xj. The Sender provides the Receiver with the gate tables and a translation table from the garbled output values. The Receiver computes the result P(x).
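An added example (not part of the lecture) of the garbling procedure of slides 54-60 for the three-gate circuit of slides 55-56: a random label pair and a random permutation bit per wire, a four-entry table per gate in exactly the form of slide 57's typical entry, the output translation table, and the Receiver's evaluation. The pseudo-random function F is a SHA-256 stand-in and the gate functions (AND, OR, XOR) are assumptions, since the slides fix neither; the OT of slide 60 is replaced by a direct selection helper that gives the Receiver only the label for its own input bit. Names are mine.

```python
import hashlib
import secrets

KEY_LEN = 16


def F(key, c):
    """PRF stand-in (assumption): SHA-256 keyed by a wire label, applied to a permuted bit."""
    return hashlib.sha256(key + bytes([c])).digest()[: KEY_LEN + 1]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Circuit of slides 55-56: G1(i,j)=k, G2(l,m)=n, G3(k,n)=out, in topological order.
# The gate functions are an assumption: the slides do not fix them.
GATES = [
    ("k", "i", "j", lambda a, b: a & b),
    ("n", "l", "m", lambda a, b: a | b),
    ("out", "k", "n", lambda a, b: a ^ b),
]
INPUTS = ["i", "j", "l", "m"]


def garble():
    """Sender: random labels W_w^0, W_w^1 and a permutation bit per wire, then one
    table per gate whose entry for permuted inputs (c_i, c_j) is
    (c_k, W_k^{G(b_i,b_j)}) xor F_{W_i^{b_i}}(c_j) xor F_{W_j^{b_j}}(c_i)  (slide 57)."""
    wires = set(INPUTS) | {g[0] for g in GATES}
    W = {w: (secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)) for w in wires}
    perm = {w: secrets.randbelow(2) for w in wires}
    tables = {}
    for k, i, j, g in GATES:
        table = {}
        for bi in (0, 1):
            for bj in (0, 1):
                ci, cj = bi ^ perm[i], bj ^ perm[j]
                bk = g(bi, bj)
                plain = bytes([bk ^ perm[k]]) + W[k][bk]
                table[(ci, cj)] = xor(xor(plain, F(W[i][bi], cj)), F(W[j][bj], ci))
        tables[k] = table
    output_translation = {W["out"][b]: b for b in (0, 1)}  # slide 60's output table
    return W, perm, tables, output_translation


def choose_inputs(W, perm, x):
    """Stand-in for the n OT runs of slide 60: the Receiver gets (c_w, W_w^{x_w})
    for each input wire and nothing about the other label."""
    return {w: (x[w] ^ perm[w], W[w][x[w]]) for w in INPUTS}


def evaluate(tables, garbled_inputs, output_translation):
    """Receiver: propagate (c, W) pairs gate by gate, then translate the output label."""
    vals = dict(garbled_inputs)
    for k, i, j, _ in GATES:
        ci, wi = vals[i]
        cj, wj = vals[j]
        plain = xor(xor(tables[k][(ci, cj)], F(wi, cj)), F(wj, ci))
        vals[k] = (plain[0], plain[1:])
    return output_translation[vals["out"][1]]


def plain_eval(x):
    """The same circuit evaluated in the clear, for comparison."""
    vals = dict(x)
    for k, i, j, g in GATES:
        vals[k] = g(vals[i], vals[j])
    return vals["out"]


def check_all_inputs():
    """Garble once and evaluate all 16 input assignments against the clear circuit."""
    W, perm, tables, trans = garble()
    for bits in range(16):
        x = {w: (bits >> idx) & 1 for idx, w in enumerate(INPUTS)}
        if evaluate(tables, choose_inputs(W, perm, x), trans) != plain_eval(x):
            return False
    return True


if __name__ == "__main__":
    print("garbled evaluation matches the clear circuit on all inputs:", check_all_inputs())
```

The Receiver only ever holds one label per wire and a permuted bit that is uniform on its own, so the intermediate values leak nothing about x beyond what the output reveals; the permutation bits are what let it pick the right table entry without learning which of the four it used.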

61 Oblivious Transfer
1-out-of-N OT: the Sender's input is m0, …, mN-1; the Chooser's input is σ ∈ {0,1,…,N-1}; output: the Chooser learns m_σ. Speaker note: Oblivious transfer was introduced by Rabin, and 1-out-of-2 OT by Even, Goldreich and Lempel. This slide describes 1-out-of-2 OT; we will also use 1-out-of-N OT. The sender (Bob) has two inputs, and the chooser (Alice) wants to learn one of them. At the end of the protocol she learns this input and nothing else, and Bob should not learn which input this was. The parties learn nothing else: it is indistinguishable to the Sender which σ is used, and the Chooser learns no other value of m0, …, mN-1. Precise definition?

62 The EGL paradigm for OT_1^2
Chooser (input σ ∈ {0,1}) and Sender (inputs m0, m1). Chooser → Sender: PK0, PK1 and a proof that she knows only one private key. Sender → Chooser: E_PK0(m0), E_PK1(m1). Speaker note: It is interesting to examine the basic implementation of OT, in order to compare its efficiency to our construction. In the basic protocol (suggested by Even, Goldreich and Lempel) the chooser sends two public keys to the sender, together with a proof that she knows the private key of only one of them. She should choose so as to make sure that she knows the private key of PK_b. The sender encrypts each input with the corresponding public key. The chooser can only decrypt m_b.

63 The Bellare-Micali Protocol
Chooser (input σ ∈ {0,1}) and Sender (inputs m0, m1; random C). Chooser picks a private key k and sends PK_σ = g^k, PK_{1-σ} = C/PK_σ. Sender sends E(m0) = (g^r0, H[(PK0)^r0] ⊕ m0) and E(m1) = (g^r1, H[(PK1)^r1] ⊕ m1). Chooser decrypts m_σ using k. Overhead: the sender computes four exponentiations (two can be precomputed). Security: Chooser: since she sends a random value. Sender: 1. If the chooser knows the discrete logs of both PK0 and PK1 she can compute the discrete log of C. 2. DDH assumption → the chooser cannot learn both (PK0)^r0 and (PK1)^r1. 3. H is a random oracle.

64 Idea
The Chooser gives two ciphertexts, a good one and a bad one, and proves consistency. Dwork & Naor: use zaps for the proof (expensive). Here: make it trivial to verify. The Sender randomizes the ciphertexts: the good ciphertext remains consistent, the bad ciphertext maps to a random value. Based on the random self-reducibility of DDH. Known OT protocols provide computational security for the sender and information-theoretic security for the chooser.

65 The OT protocol
Chooser defines x = g^a, y = g^b, z_σ = g^ab and z_{1-σ} ≠ z_σ, and sends (x, y, z0, z1) to the Sender. Note that z_σ = x^b and y = g^b. Sender chooses random (r0, s0), (r1, s1); computes w0 = x^s0 · g^r0 and w1 = x^s1 · g^r1; encrypts m0 with z0^s0 · y^r0 and m1 with z1^s1 · y^r1; sends w0, w1 and the encryptions. Chooser recovers the key as (w_σ)^b and decrypts m_σ.

66 The OT protocol: Properties
Security: Chooser: the DDH assumption implies that the Sender cannot distinguish between z_σ = g^ab and z_{1-σ}. Sender: if z_{1-σ} ≠ g^ab, then given (m_{1-σ}, w_{1-σ}) the key z_{1-σ}^{s_{1-σ}} · y^{r_{1-σ}} is uniformly distributed. Overhead: O(1) exponentiations. Generalization to OT_1^N without increasing the Chooser's complexity.
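An added example (not from the slides) of the two-message OT of slides 65-66 with both sides' messages. The group is a toy prime-order subgroup of Z_p^* with p = 1019 = 2·509 + 1 and generator 4, chosen so the arithmetic stays readable; real use needs a full-size group, and the choice is an assumption, as is the SHA-256 random-oracle stand-in H that turns the key element into a one-time pad. Function names are mine. The sender's keys are returned alongside its message only so that the sender-side property of slide 66 can be checked: the chooser's derivation w_{1-σ}^b never equals the key that protects m_{1-σ}.

```python
import hashlib
import secrets

# Toy group (assumption): subgroup of prime order Q in Z_P^*, with P = 2Q + 1 a safe
# prime and G = 4 a generator of that subgroup. Far too small for real use.
P, Q, G = 1019, 509, 4
assert all(P % d for d in range(2, 32)) and all(Q % d for d in range(2, 23))
assert G != 1 and pow(G, Q, P) == 1


def H(elem):
    """Random-oracle stand-in: derive a pad from a group element."""
    return hashlib.sha256(b"OT-key|" + elem.to_bytes(2, "big")).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rand_exp():
    return secrets.randbelow(Q - 1) + 1  # uniform in [1, Q-1]


def chooser_round1(sigma):
    """Chooser: x = g^a, y = g^b, z_sigma = g^ab, z_{1-sigma} a random element != g^ab.
    Returns the public message (x, y, z0, z1) and the private exponent b."""
    a, b = rand_exp(), rand_exp()
    x, y = pow(G, a, P), pow(G, b, P)
    z_good = pow(x, b, P)  # = g^ab
    while True:
        z_bad = pow(G, rand_exp(), P)
        if z_bad != z_good:
            break
    z = [None, None]
    z[sigma], z[1 - sigma] = z_good, z_bad
    return (x, y, z[0], z[1]), b


def sender_round2(msg, m0, m1):
    """Sender: fresh (r_i, s_i) per message; w_i = x^{s_i} g^{r_i}; key_i = z_i^{s_i} y^{r_i};
    m_i is padded with H(key_i). Returns (w0, w1, c0, c1) and, for inspection, the keys."""
    x, y, z0, z1 = msg
    w, cts, keys = [], [], []
    for zi, mi in ((z0, m0), (z1, m1)):
        r, s = rand_exp(), rand_exp()
        w.append(pow(x, s, P) * pow(G, r, P) % P)
        key = pow(zi, s, P) * pow(y, r, P) % P
        keys.append(key)
        cts.append(xor(mi, H(key)))
    return (w[0], w[1], cts[0], cts[1]), keys


def chooser_round3(reply, b, sigma):
    """Chooser: key_sigma = w_sigma^b = x^{s b} g^{r b} = z_sigma^s y^r, since z_sigma = g^ab."""
    w0, w1, c0, c1 = reply
    w, c = (w0, c0) if sigma == 0 else (w1, c1)
    return xor(c, H(pow(w, b, P)))


def chooser_other_key(reply, b, sigma):
    """What the chooser can compute for the message it did not select: w_{1-sigma}^b.
    Because z_{1-sigma} != g^ab and s_{1-sigma} != 0 mod Q, this never equals the real key."""
    w0, w1, _, _ = reply
    return pow(w1 if sigma == 0 else w0, b, P)


if __name__ == "__main__":
    msg, b = chooser_round1(1)
    reply, _ = sender_round2(msg, b"left message ", b"right message")
    print(chooser_round3(reply, b, 1))
```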

67 Cryptography at the Weizmann Institute
Faculty members involved with cryptography: Oded Goldreich, Shafi Goldwasser, Moni Naor, Omer Reingold, Adi Shamir.

68 Foundations of CS at the Weizmann Institute
Uri Feige, Oded Goldreich, Shafi Goldwasser, David Harel, Moni Naor, David Peleg, Amir Pnueli, Ran Raz, Omer Reingold, Adi Shamir. All students receive a fellowship! Language of instruction: English.
