COMS6830-CryptographyOctober16,2009Lecture14:TrapdoorpermutationsandZe - PDF document

COMS6830-CryptographyOctober16,2009Lecture14:TrapdoorpermutationsandZero-knowledgeintroductionInstructor:RafaelPassScribe:SrivatsanRavi 1Publickeyencryption-ReviewDenition1.(Publickeyencryptionscheme){Gen,Enc,Dec}isapublickeyencryptionschemeifthefollowinghold1.GenisaPPTalgorithm:pk,sk Gen(1k)2.EncisaPPTalgorithm:c Encpk(m)3.DecisaPPTalgorithm:m Decsk(c)4.8m{0,1},Pr[pk,sk Gen(1jmj:Decsk(Encpk(m))=m]=1Denition2.(SecurePublickeyencryptionscheme){Gen,Enc,Dec}issaidtobesinglemessagesecureif8non-uniformPPTmachinesD,thereexistsanegligiblefunction"suchthat8nNandm0,m1{0,1}n,Ddistinguishesthefollowingdistributionswithprobability6"(n){pk,sk Gen(1n):(pk,Encpk(m0))}{pk,sk Gen(1n):(pk,Encpk(m0))}ThedenitionsofCPA/CCA1/CCA2securitycanextendedtopublickeycryptosystemsIfanencryptionschemeissingle-messagesecure,thenitisalsomulti-messagesecureAnencryptionschemewithadeterministicalgorithm(evenwithstate)wouldnotbesecurebecauseanadversarycansimplyencryptthemessagem0withpkandcomparetheencryptionofm0withthechallengeciphertext(whichistheencryptionofeitherm0orm1).2RSAExampleDenition3.(RSACollection)DenetheRSAcryptosystemasfollows1.G(1k)correspondstothefollowingalgorithm:(p,q)PRIMESandarek-bitseach.Letn=pq,e Z'(n),d=e1mod'(n),Mk=Zn.pk=(n,e),sk=(d,n)'(n)isEuler'sTotientfunctiondenedasthenumberofpositiveintegerslessthannthatarecoprimeton2.c=Epk(m)=memodn3.Dsk(c)=cdmodn2.1WhatisRSA?Considerthescenarioiffactoringwaseasyi.e(p,q)canbeeasilyobtainedandknowingthat'(n)=(p-1)(q-1)whenn=pq,invertingtheRSAfunctionbecomeseasy.Assumingfactoringishard,theRSAfunctionisone-way.WecangeneralizethisasRSAbelongingtoacollectionofone-waypermutationswiththeadditionalpropertythattheinverseiseasytoobtainwiththeknowledgeofthisfunction(atrapdoor)whichallowsitspossesortoecientlyinvertitatanypointinthedomainofitschoosing.2.2RSAassumptionDenition4.Letn=pq;(p,q)PRIMESandjpj=jqj=k.ThenforeveryPPTmachineAandnegligiblefunction",Pr[A(n,e,RSAn;e(x))=x](k)RSAExample1 UndertheRSAassumption,theRSAfamilyoftrapdoorpermutationsformsasecurepublickeyencryptionschemewithsecurityparameterksinceinvertingEncishardforanadversarythatknowsthepublickey,butnotthesecretkey.3TrapdoorfunctionsandcollectionsAcollectionofone-waypermutationswiththeadditionalpropertythattheinverseiseasytoobtainwithsomespecialinformationiscalledacollectionoftrapdoorpermutations.Denition5.AcollectionoftrapdoorpermutationsisasetF={fi:Di!Di}iIwhereIisasetofniteindicesandfiisapermutation8iIs.t1.(Easytosamplefunction):ThereexistsaPPTGenwhichoninput1noutputs(i,ti)wheretiisthetrapdoorofi2.(Easytosampledomain):ThereexistsaPPTwhichoninputiIoutputsxDi3.(Easytoevaluatefunction):ThereexistsaPPTAwhichoninputsiIandxDi,computesA(i,x)=fi(x)4.(Hardtoinvert):ForeveryPPTAandlargeenoughk,9negligiblefunction"s.tPr[fi(z)=y:i I:x Di:y fi(x);z A(i,y)]6"(k)5.(Easytoinvertwhentrapdoorisknown):ThereexistsaPPTBs.tB(i,ti,fi(x))=xItiseasytoseethatRSAdenesacollectiontrapdoorpermutationswithindexset(n,e);tbeing(n,d)overthedomainZns.ted=1mod'(n)Lemma6.(Trapdoorpredicate)FortheRSAscheme,thereexistsaPPTalgorithmAandaneg-ligiblefunction"suchthatPr[A(n,e,xemodn)=LSB(xemodn)]61/2+"(k)i.egivenn,e,xemodn;itishardtoguessthehardcorebitwithnon-negligiblylargerprobabilitythan1/2Denition7.PickarandomX{0,1}nandb{0,1}.Then{Gen,Enc0={Xemodn,bP(X)},Dec0={cP(cdmodn)}}issinglebitsecureencryptionschemewherePisthetrapdoorpredicateforRSA(TheLSBbit)Proofoutline:Assumethisencryptionschemeisnotsecure.ThenforsomePPTalgorithmAandanegligiblefunction",PthetrapdoorpredicateforRSA,Prbf0;1g[A(Encpk(x),bP(x),pk)=b]�1/2+"(n)ConsiderthealgorithmA0(y,pk)whichforrandomc{0,1}returnscA(y,c,pk)Pr[A0(Encpk(x),pk)=P(x,pk)]=Pr[A(Encpk(x),c,pk)=cP(x,pk)]=Prbf0;1g[A(Encpk(x),bP(x,pk),pk)=b]�1/2+"(n)whichisacontradiction)Theencryptionschememustbesecure4Zeroknowledge4.1IntroductionGoalofthistopicistoredeneencryptionschemesusingknowledgebasedapproachesWhatisknowledge?Itisabehavioralapproach,knowingistheabilitytoperformataskDenition8.Zeroknowledge(Informal):ConsideraProverwhoknowstheproofforaproblemPandaVerierwhoneedstobeconvincedoftheproof.AZKproofconvincestheVerieroftheexistenceoftheproof,butdoesnotrevealanynewinformationabouttheproof2Section4 Considerthefollowingexample:AJournalistwantstoknowmoreinformationaboutamurderthatwascommited.AllthePolicerevealisthatsomeonehasbeenmurderedwhenthejournalistqueriesthePolice.Thus,nonewinformationhasbeenrevealedtothejournalist,butthePolicehasconrmedthatamurderhasoccured.AvariantofthesamewouldbewhenajournalistcallsupthePolicetoqueryaboutthemurder.Thepoliceipsafaircoinandhangsuporsays'someonehasbeenmurdered'withequalprobability.Again,thejournalisthasobtainednonewinformationthathehimselfcouldnothaveinferredbyippingacoinAxiom9.Knowledgeassumptions:1.Randomnessisfree2.PolytimecomputationisfreeDenition10.(ZKencryption){Gen,Enc,Dec}issaidtobe(comp)ZKencryptionif9PPTsimulatorSand8nuPPT'sD,thereexistsanegligiblefunction"s.tDdistinguishes{Enck(m):k Gen(1n)}andS(1n)withutmost"(n)probabilityTheorem11.(equivalenceofsecureandZKencryption){Gen,Enc,Dec}isasecureencryptionschemeiitisaZKencryptionaswellZeroknowledge3