Foundations of Cryptography Lecture 14: Malleability, Chosen Ciphertext Attacks, Cramer-Shoup Cryptosystem Lecturer: Moni Naor.


1 Foundations of Cryptography Lecture 14: Malleability, Chosen Ciphertext Attacks, Cramer-Shoup Cryptosystem Lecturer: Moni Naor

2 Recap of last week’s lecture
Black-box zero-knowledge
Perfect and Statistical Zero-knowledge
Limitations and relaxations
Proofs of knowledge
Public-key identification
Random oracles
Interactive Authentication

3 Interactive Authentication
P wants to convince V that he is approving message m. P has a public key $K_P$ of an encryption scheme E.
To authenticate a message m:
V → P: Choose $r \in_R \{0,1\}^n$. Send $c = E(m \circ r, K_P)$.
P → V: On receiving c, decrypt c using $K_S$. Verify that the prefix of the plaintext is m. If yes - send r.
V is satisfied if he receives the same r he chose.

4 Is it Safe?
Security: existential unforgeability against adaptive chosen message attack.
Adversary can ask to authenticate any sequence of messages $m_1, m_2, \ldots$
Has to succeed in making V accept a message m not authenticated.
Has complete control over the channels.
Intuition of security: if E does not leak information about the plaintext, nothing is leaked about r.
If E is "just" semantically secure against chosen plaintext attacks:
Adversary might change $c = E(m \circ r, K_P)$ into $c' = E(m' \circ r, K_P)$ (malleability).
Not sufficient to verify correct form of ciphertext in simulation.
Closer to a chosen ciphertext attack.

5 Encryption - Attacks
Chosen Plaintext: Minimal attack relevant to PKCs. Assumes decrypted messages remain secret.
CCA1: Chosen Ciphertext - preprocessing mode (lunch-break). Challenge ciphertext is given after the adversary relinquishes control of the decryption device. Good model for membership queries in computational learning.
CCA2: Chosen Ciphertext - postprocessing mode. Challenge ciphertext is known when the attack takes place, but the adversary cannot submit it!

6 Encryption - Notions of Breaking
Semantic Security: whatever is computable about the plaintext given the ciphertext is computable without it. Minimal notion of security for single encrypter. Non-malleable security - whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it. Important for achieving independence of messages.

7 Application: auctions
Bidders submit their bids. Highest one should win. Want to keep values secret until all bids are submitted. Bids should be independent.

8 Example: Auctions
Different requirements - different notions.
Semantic security is not sufficient for guaranteeing the independence of bids.
If key is used for a single auction and secrecy is not required after the auction is over - non-malleable security against chosen plaintext attacks.
If key is used for many auctions and secrecy is not required after the auction is over - non-malleable security against chosen ciphertext attack in the preprocessing mode.
If key is used for many auctions and secrecy is required after the auction is over - chosen ciphertext attacks in the postprocessing mode.

9 Semantic Security
Whatever adversary A can compute on encrypted string $X \in \{0,1\}^n$, so can A' that does not see the encryption of X.
A selects: a distribution $D_n$ on $\{0,1\}^n$, and a relation R(X,Y) computable in probabilistic polynomial time.
For every pptm A choosing a distribution $D_n$ on $\{0,1\}^n$ there is a pptm A' so that for all pptm relations R, for $X \in_R D_n$,
$\left| \Pr[R(X, A(E(X)))] - \Pr[R(X, A'(\cdot))] \right|$ is negligible.
In other words: the outputs of A and A' are indistinguishable even for a tester who is aware of X.

10 [Diagram: A and A' each choose $D_n$; $X \in_R D_n$; A is given E(X), A' is not; each outputs Y, and R is evaluated on X and Y.]

11 Non-Malleable Security
Whatever adversary A can compute on encrypted string $X \in \{0,1\}^n$, so can A' that does not see the encryption of X.
A selects: a distribution $D_n$ on $\{0,1\}^n$, and a relation R(X,Y) computable in probabilistic polynomial time.
For every pptm A choosing a distribution $D_n$ on $\{0,1\}^n$ there is a pptm A' so that for all pptm relations R, for $X \in_R D_n$,
$\left| \Pr[R(X, D(A(E(X))))] - \Pr[R(X, D(A'(\cdot)))] \right|$ is negligible.
In other words: the outputs of A and A' are indistinguishable even for a tester who gets the decryptions of what they output.

12 [Diagram: as on slide 10, but the outputs Y of A and A' are decrypted with D before R is evaluated against X. Annotation: deal with invalid ciphertext.]

13 Combinations
All combinations are useful in some circumstances.
Attack: CPA, CCA1 (lunch-time), CCA2 (post-processing)
Breaking: Semantic Security, Non-Malleability
All implications are proper.

14 Principles for Increasing Security
Essentially all constructions achieving better than semantic security against chosen plaintext attacks use:
Redundancy in the encryption.
Validation that ciphertext is of the right form.
Validation is the trickiest part. Relatively simple in: private-key encryption; random oracles.

15 Private-key World
Preventing CCA in the postprocessing mode: add private-key authentication.
Shared key: $S_1$ and $S_2$, seeds to a pseudo-random function F.
To encrypt m: choose random r. Let $Y = F_{S_1}(r) \oplus m$ and let $Z = F_{S_2}(r \circ Y)$. Send $(r, Y, Z)$.
To decrypt $(r, Y, Z)$: let $Z' = F_{S_2}(r \circ Y)$. If $Z' = Z$ let $m = F_{S_1}(r) \oplus Y$. If $Z' \neq Z$ output invalid.
Claim: scheme is NM-secure against CCA2. No adversary can generate another ciphertext that is not labeled invalid. No information from rejection!

16 DDN Lite: The Idea Start with a Semantic secure PKC against CPA.
Have many different instances of the original scheme Each encryption should use a different subset of the keys – enforce by one-time signatures. Before decryption - verify consistency. Properties: If the original scheme is SS against chosen plaintext attack the result is NM-secure against chosen plaintext attacks. If the original scheme is S-secure against CCA in the preprocessing mode, the result is NM-secure against CCA in the preprocessing mode.

17 DDN Lite
Public-Key: $\langle K_1^0, K_1^1 \rangle, \langle K_2^0, K_2^1 \rangle, \ldots, \langle K_n^0, K_n^1 \rangle$. Each is the public key of a SS PKC.
A function $h: \{0,1\}^* \to \{0,1\}^n$ - UOWHF (hard to find a collision with a target input).
Private-Key: decryption keys of $\{K_i^b\}$.
Encryption of a message m:
Choose at random $K_{OS}$, the public key of a one-time signature scheme.
Let $b_1, b_2, \ldots, b_n = h(K_{OS})$.
Encrypt m using keys $K_i^{b_i}$ to obtain $C_1, C_2, \ldots, C_n$.
Sign $\langle C_1, C_2, \ldots, C_n \rangle$ using $K_{OS}^{-1}$ and h. Let S be the result.
Ciphertext is: $K_{OS}, \langle C_1, \ldots, C_n \rangle, S$.
Decryption of ciphertext $K_{OS}, C_1, \ldots, C_n, S$:
Verify the signature S on $\langle C_1, C_2, \ldots, C_n \rangle$ using $K_{OS}$.
Verify the consistency (equality) of all the plaintexts.
Decrypt using any one of the keys.

18 Ideas for achieving resistance to CCA
Add redundancy - hard to generate frivolous ciphertexts.
Add methods to check consistency. This is the trickiest part: non-interactive zero-knowledge; specific schemes.
Decrypt only if the given ciphertext passes the consistency checks.
Important point: may decrypt with several different private keys.
[Diagram: C1, C2, proof of consistency.] If we have consistency then can decrypt with either key.

19 Proofs of consistency
How to have a proof of consistency that does not leak the plaintext: Non-Interactive Zero-Knowledge (NIZK).
How to make the proof itself non-malleable: otherwise can change it and get a different ciphertext with the same plaintext.

20 Approaches for obtaining CCA/NM
General NIZK
Specific NIZK
Cramer-Shoup: special verifier
Through IBE - Identity Based Encryption

21 Discrete Log Problem
Let G be a group and g an element in G. Let $y = g^z$ and x the minimal non-negative integer satisfying the equation. x is called the discrete log of y to base g.
Example: $y = g^x \bmod p$ in the multiplicative group of $Z_p$.
In general: easy to exponentiate via repeated squaring. Consider binary representation.
What about discrete log? If difficult, $f(g,x) = (g, g^x)$ is a one-way function.
DL Assumption for group G: No efficient algorithm can solve for $X \in_R [0..n-1]$ whp the DL problem for $Y = g^a$.

22 Discrete Log Problem
Very useful group for DL:
P and Q: large primes, s.t. $Q \mid P-1$.
g: an element of order Q in $Z_P^*$.
Best known algorithms - $\sqrt{Q}$ or subexponential in $\log P$.
Randomized reduction: given Y generate $Y' = Y g^r$ for $r \in_R [Q]$.

23 Diffie-Hellman
The Diffie-Hellman assumption: Let G be a group and g an element in G. Given g, $X = g^a$ and $Y = g^b$ it is hard to find $Z = g^{ab}$ for random a and b: the probability of a poly-time machine outputting $g^{ab}$ is negligible.
More accurately: a sequence of groups.
Don't know how to verify whether a given Z' is equal to $g^{ab}$.

24 Decisional Diffie-Hellman Problem
For a generator g of a group of size Q and $a, b \in [Q]$:
Given g, $Y = g^a$, $X = g^b$ and Z, decide whether $Z = g^{ab}$ or $Z \neq g^{ab}$.
Equivalent: is $\log_g Y = \log_X Z$?
DDH-Assumption: The DDH-Problem is hard in the worst case.

25 Average DDH
For $a, b \in_R [Q]$ and c which is either $c = ab$ or $c \in_R [Q]$:
Given $Y = g^a$, $X = g^b$ and $Z = g^c$, decide whether $Z = g^{ab}$ or $Z \neq g^{ab}$.
DDH-Assumption average case: The DDH-Problem is hard for the above distribution.

26 Worst to Average case reduction
Theorem: The average case and worst case of the DDH-Assumption are equivalent.
Given $g^a$, $g^b$ and $g^c$ (and P, Q), where c is either ab or not:
Sample $r, s_1, s_2 \in_R [Q]$ and compute
$g^{a'} = (g^a)^r g^{s_1}$
$g^{b'} = (g^b) g^{s_2}$
$g^{c'} = (g^c)^r (g^a)^{r s_2} (g^b)^{s_1} g^{s_1 s_2}$
so that $a' = ra + s_1 \bmod Q$, $b' = b + s_2 \bmod Q$ and $a'b' = rab + ra s_2 + b s_1 + s_1 s_2$.

27 …Worst to average
If $c = ab + e \bmod Q$ then
$a' = ra + s_1 \bmod Q$, $b' = b + s_2 \bmod Q$, $c' = a'b' + er \bmod Q$.
Always: a' and b' are uniformly distributed.
If e = 0, then c' = a'b'. Otherwise c' is uniform and independent in [Q].

28 Evidence to Validity of DDH
Endured extensive research for DH search.
DH-search related to discrete log.
Hard for generic algorithms (that work in a black-box group).
Computing the most significant bits of $g^{ab}$ is hard.
Random-self-reducibility.

29 El-Gamal Cryptosystem variant
Subgroup of size Q.
Private key: $a \in_R [Q]$.
Public key: $Y = g^a$, and P, Q and h.
To encrypt M: choose $r \in_R [Q]$, compute $X = g^r$ and $Y^r$; send $\langle X, h(Y^r) \oplus M \rangle$.
To decrypt $\langle X, W \rangle$: compute $X^a = Y^r$ and output $h(X^a) \oplus W$.
$h: Z_P \to \{0,1\}^k$. How is h chosen? Pair-wise independence suffices.

30 El-Gamal Security
Under the DDH assumption the cryptosystem is semantically secure against chosen plaintext, but... the scheme is malleable.
To change M to $M' = M \oplus C$: change $\langle X, W \rangle$ to $\langle X, W \oplus C \rangle$.

31 Proving consistency of exponentiations
Given generators $g_1, g_2$ and $X_1, X_2$: is there an r where $X_1 = g_1^r$ and $X_2 = g_2^r$?
Honest verifier zero-knowledge proof:
Verifier sends $Z = g_1^{b_1} g_2^{b_2}$ for random $b_1, b_2$.
Prover sends $V = Z^r$.
Verifier accepts iff $X_1^{b_1} X_2^{b_2} = V$.
Simulator: choose random $b_1, b_2$ and output $(g_1^{b_1} g_2^{b_2}, X_1^{b_1} X_2^{b_2})$.
Leaks only a linear equation for $b_1$ and $b_2$.

32 Proving consistency of exponentiations
Given $g_1, g_2, X_1, X_2$: is there an r where $X_1 = g_1^r$ and $X_2 = g_2^r$?
Honest verifier zero-knowledge proof:
Verifier sends $Z = g_1^{b_1} g_2^{b_2}$ for random $b_1, b_2$.
Prover sends $V = Z^r$.
Verifier accepts iff $X_1^{b_1} X_2^{b_2} = V$.
Soundness: if $X_1 = g_1^r$ and $X_2 = g_2^{r+e}$ then
$X_1^{b_1} X_2^{b_2} = g_1^{r b_1} \cdot g_2^{(r+e) b_2} = g_1^{r b_1} \cdot g_2^{r b_2} \cdot g_2^{e b_2} = Z^r \cdot (g_2^e)^{b_2}$
where $(g_2^e)^{b_2}$ is random in the group.
Z can be known when $X_1$ and $X_2$ are chosen! Leaks only a linear equation for $b_1$ and $b_2$.

33 Cramer-Shoup Lite
Private key: $a, b_1, b_2 \in_R [Q]$.
Public key: $g_1, g_2$, $Y = g_1^a$ and $Z = g_1^{b_1} g_2^{b_2}$.
To encrypt M: choose $r \in_R [Q]$, compute $Y^r$, $X_1 = g_1^r$, $X_2 = g_2^r$ and $Z^r$; send $\langle X_1, X_2, h(Y^r) \oplus M, Z^r \rangle$.
To decrypt $\langle X_1, X_2, W, V \rangle$: check validity: $X_1^{b_1} \cdot X_2^{b_2} = V$, and if yes compute $X_1^a = Y^r$. Output $h(Y^r) \oplus W$.

34 Cramer-Shoup Complexity
Encryption: 4 modular exponentiations Decryption: 3 modular exponentiations

35 Cramer Shoup Security
Under the DDH assumption the cryptosystem is semantically secure against chosen plaintext.
Show that the scheme is secure against chosen ciphertext attacks (preprocessing), but... the scheme is malleable.
To change M to $M' = M \oplus C$: change $\langle X, W \rangle$ to $\langle X, W \oplus C \rangle$.

36 Chosen Ciphertext Attacks - Lunchtime
Adversary T has temporary access to a decryption oracle. Then it is given a challenge.
Semantic security - adversary chooses two messages $\langle M_0, M_1 \rangle$. For $d \in_R \{0,1\}$ it is given $E(M_d)$ and has to guess d.
Let $p_d = \Pr[T(E(M_d)) = \text{'1'} \mid d]$. T wins if $|p_1 - p_0| \geq \varepsilon$.

37 Proof of security
Show how to use an adversary that can break the CS scheme for breaking DDH.
Given $\langle g_1, g_2, X_1, X_2 \rangle$ want to distinguish
$X_1 = g_1^r$, $X_2 = g_2^r$ for $r \in_R [Q]$ and random $g_1, g_2$
or
$X_1 = g_1^{r_1}$, $X_2 = g_2^{r_2}$ for $r_1, r_2 \in_R [Q]$ and random $g_1, g_2$.

38 ...Proof of security - simulation
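Given $\langle g_1, g_2, X_1, X_2 \rangle$ generate
Private key $a_1, a_2, b_1, b_2 \in_R [Q]$ and public key $\langle g_1, g_2, Y = g_1^{a_1} g_2^{a_2}, Z = g_1^{b_1} g_2^{b_2} \rangle$.
To decrypt $\langle X'_1, X'_2, W, V \rangle$: check $X_1'^{\,b_1} X_2'^{\,b_2} = V$ and if pass compute $X_1'^{\,a_1} \cdot X_2'^{\,a_2} = Y^r$. Output $h(Y^r) \oplus W$.
Normal operation, independent of $X_1, X_2$.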

39 ...Proof of security - simulation
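When the adversary chooses $\langle M_0, M_1 \rangle$:
Generate for $d \in_R \{0,1\}$ the ciphertext $\langle X_1, X_2, h(X_1^{a_1} \cdot X_2^{a_2}) \oplus M_d, V = X_1^{b_1} \cdot X_2^{b_2} \rangle$.
Claim:
If $\log_{g_1} X_1 = \log_{g_2} X_2$ then the ciphertext is valid.
If $\log_{g_1} X_1 \neq \log_{g_2} X_2$ then the ciphertext is inconsistent and independent of d.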

40 Important property of scheme
For both real and simulated scheme: no (even powerful) adversary can find an inconsistent ciphertext that is considered 'valid'.
Key point: $b_1$ and $b_2$ are random in [Q]. $Z = g_1^{b_1} g_2^{b_2}$ reveals one linear equation; still Q possibilities for $(b_1, b_2)$.

41 Inconsistent = Invalid
Each candidate ciphertext $\langle X'_1, X'_2, W', V' \rangle$ such that $\log_{g_1} X_1 \neq \log_{g_2} X_2$ can be viewed as a query on the value $(b_1, b_2)$.
With probability 1-1/Q the answer is invalid.
Whp (1-q/Q) the adversary never gets a decryption on an invalid ciphertext.
No "information" from rejection!

42 No decryption of consistent ciphertext reveals information regarding a1, a2
$Y = g_1^{a_1} g_2^{a_2}$ reveals one linear equation; decryptions do not reveal more equations.
The only inconsistent ciphertext that the adversary sees is the challenge ciphertext.
⇒ If $\log_{g_1} X_1 \neq \log_{g_2} X_2$ then the ciphertext is invalid and independent of d.

43
Let $p_0 = \Pr[T(E(M_0)) = \text{'1'} \mid d = 0]$,
$p_1 = \Pr[T(E(M_1)) = \text{'1'} \mid d = 1]$,
$p' = \Pr[T = \text{'1'} \mid \text{ciphertext is invalid}]$.
$|p_1 - p_0| \geq \varepsilon$ ⇒ either $|p_1 - p'| \geq \varepsilon/2$ or $|p_0 - p'| \geq \varepsilon/2$
⇒ Can distinguish DDH with advantage $\varepsilon/2$.

44 Cramer-Shoup: Full Strength
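Private key: $a, b_1, b_2, c_1, c_2 \in_R [Q]$.
Public key: $g_1, g_2$, $Y = g_1^a$, $Z = g_1^{b_1} g_2^{b_2}$, $Z' = g_1^{c_1} g_2^{c_2}$ and H (a UOWHF; one-way hash).
To encrypt M: choose $r \in_R [Q]$ and compute $Y^r$, $X_1 = g_1^r$, $X_2 = g_2^r$, $W = h(Y^r) \oplus M$, $\alpha = H(W, X_1, X_2)$; send $\langle X_1, X_2, W, Z^r Z'^{\alpha r} \rangle$.
To decrypt $\langle X_1, X_2, W, V \rangle$: check validity: $X_1^{b_1 + \alpha c_1} \cdot X_2^{b_2 + \alpha c_2} = V$, and if pass compute $X_1^a = Y^r$. Output $h(Y^r) \oplus W$.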

45 Cramer Shoup (full strength) Security
Under the DDH assumption cryptosystem is non-malleable against chosen ciphertext attacks in postprocessing mode
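Slides 30 and 35 note that El-Gamal and Cramer-Shoup Lite stay malleable through W, and slide 44 adds Z' and H so that V also depends on W. The sketch below is an added example, not code from the lecture: it treats Lite as the full scheme with α fixed to 0, and the toy group (P = 2039, Q = 1019), the SHA-256 stand-ins for h and H, the function names and the sample message are all assumptions.

```python
import hashlib
import secrets

# Toy group constructed for this example (far too small for real use):
# P = 2Q + 1 with P, Q prime; G1 and G2 are squares mod P, so both have order Q.
P, Q, G1, G2 = 2039, 1019, 4, 9

def h(elem: int) -> bytes:
    """Pad derivation h: Z_P -> {0,1}^k (SHA-256 is an assumed stand-in)."""
    return hashlib.sha256(b"h" + elem.to_bytes(2, "big")).digest()

def H(W: bytes, X1: int, X2: int) -> int:
    """alpha = H(W, X1, X2) reduced into [Q] (SHA-256 stands in for the UOWHF)."""
    data = b"H" + X1.to_bytes(2, "big") + X2.to_bytes(2, "big") + W
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keygen(sk=None):
    """Private key a, b1, b2, c1, c2 in [Q]; public key Y, Z, Z'."""
    sk = sk or {k: secrets.randbelow(Q) for k in ("a", "b1", "b2", "c1", "c2")}
    pk = {
        "Y": pow(G1, sk["a"], P),
        "Z": pow(G1, sk["b1"], P) * pow(G2, sk["b2"], P) % P,
        "Zp": pow(G1, sk["c1"], P) * pow(G2, sk["c2"], P) % P,
    }
    return pk, sk

def encrypt(pk, M: bytes, full: bool, r=None):
    """full=False is Cramer-Shoup Lite (V = Z^r); full=True binds W into V via alpha."""
    r = 1 + secrets.randbelow(Q - 1) if r is None else r
    X1, X2 = pow(G1, r, P), pow(G2, r, P)
    W = xor(h(pow(pk["Y"], r, P)), M)
    alpha = H(W, X1, X2) if full else 0
    V = pow(pk["Z"], r, P) * pow(pk["Zp"], alpha * r, P) % P
    return X1, X2, W, V

def decrypt(sk, ct, full: bool):
    """Return the plaintext, or None when the validity check fails."""
    X1, X2, W, V = ct
    alpha = H(W, X1, X2) if full else 0
    check = (pow(X1, sk["b1"] + alpha * sk["c1"], P)
             * pow(X2, sk["b2"] + alpha * sk["c2"], P)) % P
    if check != V:
        return None
    return xor(h(pow(X1, sk["a"], P)), W)

def maul(ct, C: bytes):
    """The change of M to M xor C from slides 30 and 35: only W is touched."""
    X1, X2, W, V = ct
    return X1, X2, xor(W, C), V

def demo():
    pk, sk = keygen()
    M, C = b"bid: 100", b"\x00" * 7 + b"\x09"    # constructed; '0' xor 0x09 = '9'
    out = {}
    for full in (False, True):
        ct = encrypt(pk, M, full)
        out[full] = (decrypt(sk, ct, full), decrypt(sk, maul(ct, C), full))
    return out

if __name__ == "__main__":
    print(demo())
```

With Q this small a mauled ciphertext can still pass the full check by chance (for instance when the two α values collide mod Q); in a group of cryptographic size that probability is negligible.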

46 Conclusions
The CS scheme is within a multiplicative constant of "vanilla" Diffie-Hellman, yet enjoys provable resistance to CCA.
Authentication: given CCA resistance - the only known Diffie-Hellman based public-key authentication - can be used for deniable authentication.

47 Interactive Authentication
P wants to convince V that he is approving message m. P has a public key $K_P$ of an encryption scheme E.
To authenticate a message m:
V → P: Choose $r \in_R \{0,1\}^n$. Send $c = E(m \circ r, K_P)$.
P → V: On receiving c, decrypt c using $K_S$. Verify that the prefix of the plaintext is m. If yes - send r.
V is satisfied if he receives the same r he chose.

48 Is it Safe?
Want: existential unforgeability against adaptive chosen message attack.
Adversary can ask to authenticate any sequence $m_1, m_2, \ldots$
Has to succeed in making V accept a message m not authenticated.
Has complete control over the channels.
Intuition of security: if E does not leak information about the plaintext, nothing is leaked about r.
Several problems: if E is "just" semantically secure against chosen plaintext attacks:
Adversary might change $c = E(m \circ r, K_P)$ into $c' = E(m' \circ r, K_P)$ (malleability).
Not sufficient to verify correct form of ciphertext in simulation.
Closer to a chosen ciphertext attack.

49 No receipts Can the verifier convince third party that the prover approved a certain message?

50 Authentication and Non-Repudiation
Key idea of modern cryptography [Diffie-Hellman]: can make authentication (signatures) transferable to third party - Non-repudiation. Essential to contract signing, e-commerce…
Digital Signatures: last 25 years major effort in
Research: notions of security, computationally efficient constructions
Technology, infrastructure (PKI), commerce, legal

51 Is non-repudiation always desirable?
Not necessarily so:
Privacy of conversation, no (verifiable) record. Do you want everything you ever said to be held against you?
If Bob pays for the authentication, he shouldn't be able to transfer it for free.
Perhaps can gain efficiency.
Alternative: (plausible) deniability - if the recipient (or any recipient) could have generated the conversation himself, or an indistinguishable one.

52 Deniable Authentication
Setting: sender has a public key known to the receiver.
Want an authentication scheme such that the receiver keeps no receipt of the conversation.
This means: any receiver could have generated the conversation itself. There is a simulator that for any message m and verifier V* generates an indistinguishable conversation.
Exactly as in zero-knowledge! An example where zero-knowledge is the end, not the means!
Proof of security consists of unforgeability and deniability.

53 Ring Signatures and Authentication
Can we keep the sender anonymous?
Idea: prove that the signer is a member of an ad hoc set.
Other members do not cooperate.
Use their 'regular' public keys (encryption).
Should be indistinguishable which member of the set is actually doing the authentication.
[Diagram: Bob; Alice? Eve]

54 A Public Key Authentication Protocol
P has a public key PK of an encryption scheme E. To authenticate a message m:
V → P: Choose $r \in_R \{0,1\}^n$ and random bits $\rho \in \{0,1\}^*$. Send $Y = E(PK, m \circ r, \rho)$.
P → V: Verify that the prefix of the plaintext is indeed m. If yes - send r.
V accepts iff the received r' = r.
Is it unforgeable? Is it deniable?

55 Security of the scheme
Unforgeability: depends on the strength of E.
Sensitive to malleability: if given $E(PK, m \circ r, \rho)$ one can generate $E(PK, m' \circ r', \rho')$ where m' is related to m and r' is related to r, then can forge.
The protocol allows a chosen ciphertext attack on E. Even of the post-processing kind!
Can prove that any strategy for existential forgery can be translated into a CCA strategy on E.
Works even against concurrent executions.
We saw an encryption scheme satisfying the desired requirements.
Deniability: does V retain a receipt? It does not retain one for an honest V. Need to prove knowledge of r.

56 Simulator for honest receiver
Choose r R {0,1}n. Output: hY=E(PK, m°r, ), x,  i Has exactly the same distribution as a real conversation when the verifier is following the protocol Statistical indistinguishability Verifier might cheat by checking whether certain ciphertext have as a prefix m No known concrete way of doing harm this way

57 Encryption as Commitment
When the public key PK is fixed and known, $Y = E(PK, x, \rho)$ can be seen as a commitment to x.
To open x: reveal $\rho$, the random bits used to create Y.
Perfect binding: from unique decryption. For any Y there are no two different x and x' and $\rho$ and $\rho'$ s.t. $Y = E(PK, x, \rho) = E(PK, x', \rho')$.
Secrecy: no information about x is leaked to those not knowing the private key PS.

58 Deniable Protocol
P has a public key PK of an encryption scheme E. To authenticate message m:
V → P: Choose $x \in_R \{0,1\}^n$. Send $Y = E(PK, m \circ x, \rho)$.
P → V: Send $E(PK, x, \sigma)$. (P commits to the value x. Does not want to reveal it yet.)
V → P: Send x and $\rho$ - opening $Y = E(PK, m \circ x, \rho)$.
P → V: Open $E(PK, x, \sigma)$ by sending $\sigma$.

59 Security of the scheme
Unforgeability: as before - depends on the strength of E; can simulate the previous scheme (with access to $D(PK, \cdot)$).
Important property: $E(PK, x, \sigma)$ is a non-malleable commitment (wrt the encryption) to x.
Deniability: can run simulator: extract x by running with $E(PK, \text{garbage}, \sigma)$ and rewinding. Expected polynomial time.
Need the semantic security of E - it acts as a commitment scheme.

60 Ring Signatures and Authentication
Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set.
Other members do not cooperate.
Use their 'regular' public keys.
Should be indistinguishable which member of the set is actually doing the authentication.
[Diagram: Bob; Alice? Eve]

61 Ring Authentication Setting
A ring is an arbitrary set of participants including the authenticator Each member i of the ring has a public encryption key PKi Only i knows the corresponding secret key PSi To run a ring authentication protocol both sides need to know PK1, PK2, …, PKn the public keys of the ring members ...

62 An almost Good Ring Authentication Protocol
Ring has public keys $PK_1, PK_2, \ldots, PK_n$ of encryption scheme E. To authenticate message m with the jth decryption key $PS_j$:
V → P: Choose $x \in_R \{0,1\}^n$. Send $E(PK_1, m \circ x, r_1), E(PK_2, m \circ x, r_2), \ldots, E(PK_n, m \circ x, r_n)$.
P → V: Decrypt $E(PK_j, m \circ x, r_j)$ using $PS_j$ and send $E(PK_1, x, t_1), E(PK_2, x, t_2), \ldots, E(PK_n, x, t_n)$.
V → P: Open all the $E(PK_i, m \circ x, r_i)$ by sending x and $r_1, r_2, \ldots, r_n$.
P → V: Verify consistency and open all $E(PK_i, x, t_i)$ by sending $t_1, t_2, \ldots, t_n$.
Problem: what if not all suffixes (x's) are equal?

63 The Ring Authentication Protocol
Ring has public keys $PK_1, PK_2, \ldots, PK_n$ of encryption scheme E. To authenticate message m with the jth decryption key $PS_j$:
V → P: Choose $x \in_R \{0,1\}^n$. Send $E(PK_1, m \circ x, r_1), E(PK_2, m \circ x, r_2), \ldots, E(PK_n, m \circ x, r_n)$.
P → V: Decrypt $E(PK_j, m \circ x, r_j)$ using $PS_j$ and send $E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), \ldots, E(PK_n, x_n, t_n)$, where $x = x_1 + x_2 + \cdots + x_n$.
V → P: Open all the $E(PK_i, m \circ x, r_i)$ by sending x and $r_1, r_2, \ldots, r_n$.
P → V: Verify consistency and open all $E(PK_i, x_i, t_i)$ by sending $t_1, t_2, \ldots, t_n$ and $x_1, x_2, \ldots, x_n$.

64 Complexity of the scheme
Sender: single decryption, n encryptions and n encryption verifications Receiver: n encryptions and n encryption verifications Communication Complexity: O(n) public-key encryptions

65 Security of the scheme
Unforgeability: as before (assuming all keys are well chosen), since $E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), \ldots, E(PK_n, x_n, t_n)$ where $x = x_1 + x_2 + \cdots + x_n$ is a non-malleable commitment to x.
Source hiding: which key was used (among well chosen keys) is
computationally indistinguishable during the protocol;
statistically indistinguishable after the protocol, if it ends successfully.
Deniability: can run simulator 'as before'.

66 Properties of the Scheme
Works with any good encryption scheme - members of the ring are unwilling participants.
Fairly efficient scheme: need n encryptions, n verifications and one decryption.
Can extend the scheme so as to convince a verifier that at least k members confirm the message.
What are the social implications of the existence of ring authentication?

67 Sources
Dolev, Dwork and Naor: Non Malleable Cryptography, SIAM J. Computing; also SIAM Review 2003.
Cramer and Shoup: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack.
See also Lindell: A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. In Eurocrypt 2003.

68 Question: zero-knowledge protocol for subset sum
Give a direct protocol (i.e. not through a reduction to Hamiltonicity) for the subset sum problem.
Subset sum problem: given n numbers $0 \leq a_1, a_2, \ldots, a_n < 2^m$ and a target sum T, is there a subset $S \subseteq \{1, \ldots, n\}$ such that $\sum_{i \in S} a_i = T \bmod 2^m$?

69 Question: statistically hiding, computationally binding commitments from collision intractable hash functions
Goal: construct a commitment scheme where
the induced distribution of the transcript is (nearly) independent of the string committed to;
no PPT sender can with probability (1-negligible) reveal two different strings following the commit phase.
Protocol for committing to a bit b. Let H be a family of collision intractable hash functions.
Commit: Receiver: choose $h \in H$ and give it to the sender. Sender: choose random z and r. Send $h(z)$, r and $\langle z \cdot r \rangle \oplus b$ (inner product over GF[2]).
Reveal: publish z.
Prove that the protocol satisfies the above requirements.

70 Find the error
Let E be a public-key encryption scheme which is errorless. Let H be a family of collision intractable hash functions.
Commit: Sender chooses a key pair $(K_P, K_S)$ for E and $h \in H$ and sends $h, K_P, E(K_P, x), h(x \circ E(K_P, x))$.
Reveal: publish $K_S$.
Show that there exists a family H of collision intractable hash functions such that the scheme is insecure for any E (assuming collision intractable hash functions exist).

