sign in sign up
<<
Home , Oded Goldreich

Foundations of Teaching Notes

Oded Goldreich

Department of Computer Science

Weizmann Institute of Science

Email odedwisdomweizmannaci l

Fall

I

c

Copyright by Oded Goldreich

Permission to make copies of part or all of this work for p ersonal or classro om use is granted without fee

provided that copies are not made or distributed for prot or commercial advantage and that new copies

b ear this notice and the full citation on the rst page Abstracting with credit is p ermitted II

Preface

These teaching notes were initially intended for myself as an aid for preparing the lectures in

the course Foundations of Cryptography given at Weizmann Institute at the Fall of It then

o ccurred to me that these notes may also serve as suggestions to others as to how such a course

can b e taught and the notes were slightly adapted accordingly

The course was based on the rst two volumes of my work Foundations of Cryptography The

rst volume entitled Foundations of Cryptography Basic Tools has app eared with Cambridge

University Press in June The second volume entitled Foundations of Cryptography Basic

Applications will hop efully b e completed in a couple of years Preliminary versions of the chapters

of the second volume are available from the webpage

httpwwwwisdomweizmannacilodedfocbookhtml

You may want to check this website for various up dates and notices concerning the entire work

These teaching notes refer to the ab ove work Sp ecically they merely summarize and annotate

the parts of the work that was taught in class The detailed material is to b e found in the b o ok

itself and the b oxes ushed to the right as the example b elow refer to the sections in the b o ok

in which the relevant material is to b e found

Example

State and usage of these notes Unfortunately Ive stopp ed writing these notes at the middle

of the semester Thus the current notes only cover the rst lectures out of the planned

lectures I hop e to complete the missing notes next time I teach this course which may b e next

year

Unlike the ab ovementioned work these teaching notes were not carefully pro ofread I ap ologize

for the various errors that they may contain and hop e that nevertheless these notes will b e useful

Needless to say the teaching pace should and do es dep end on the sp ecic class In fact I often

pro ceeded in pace dierent than the one I have originally planned omitting or adding material

onthey III IV

From the preface of Volume

It is p ossible to build a cabin with no foundations

but not a lasting building

Eng Isidor Goldreich

Cryptography is concerned with the construction of schemes that withstand any abuse Such

schemes are constructed so to maintain a desired functionality even under malicious attempts

aimed at making them deviate from their prescrib ed functionality

The design of cryptographic schemes is a very dicult task One cannot rely on intuitions

regarding the typical state of the environment in which the system op erates For sure the adversary

attacking the system will try to manipulate the environment into untypical states Nor can one b e

content with countermeasures designed to withstand sp ecic attacks since the adversary which

acts after the design of the system is completed will try to attack the schemes in ways that are

typically dierent from the ones the designer had envisioned The validity of the ab ove assertions

seems selfevident still some p eople hop e that in practice ignoring these tautologies will not result

in actual damage Exp erience shows that these hop es rarely come true cryptographic schemes

based on makebelieve are broken typically so oner than later

In view of the ab ove we b elieve that it makes little sense to make assumptions regarding the

sp ecic strategy that the adversary may use The only assumptions that can b e justied refer

to the computational abilities of the adversary Furthermore it is our opinion that the design

of cryptographic systems has to b e based on rm foundations whereas adho c approaches and

heuristics are a very dangerous way to go A heuristic may make sense when the designer has a

very go o d idea ab out the environment in which a scheme is to op erate yet a cryptographic scheme

has to op erate in a maliciously selected environment which typically transcends the designers view

This b o ok is aimed at presenting rm foundations for cryptography The foundations of cryp

tography are the paradigms approaches and techniques used to conceptualize dene and provide

solutions to natural security concerns We will present some of these paradigms approaches and

techniques as well as some of the fundamental results obtained using them Our emphasis is on the

clarication of fundamental concepts and on demonstrating the feasibility of solving several central

cryptographic problems

Solving a cryptographic problem or addressing a security concern is a twostage pro cess con

sisting of a denitional stage and a constructive stage First in the denitional stage the function

ality underlying the natural concern is to b e identied and an adequate cryptographic problem has

to b e dened Trying to list all undesired situations is infeasible and prone to error Instead one

should dene the functionality in terms of op eration in an imaginary ideal mo del and require a

candidate solution to emulate this op eration in the real clearly dened mo del which sp ecies the

adversarys abilities Once the denitional stage is completed one pro ceeds to construct a system V

VI

that satises the denition Such a construction may use some simpler to ols and its security is

proven relying on the features of these to ols In practice of course such a scheme may need to

satisfy also some sp ecic eciency requirements

This b o ok fo cuses on several archetypical cryptographic problems eg encryption and signature

schemes and on several central to ols eg computational diculty pseudorandomness and zero

knowledge pro ofs For each of these problems resp to ols we start by presenting the natural

concern underlying it resp its intuitive ob jective then dene the problem resp to ol and nally

demonstrate that the problem may b e solved resp the to ol can b e constructed In the latter step

our fo cus is on demonstrating the feasibility of solving the problem not on providing a practical

solution As a secondary concern we typically discuss the level of practicality or impracticality

of the given or known solution

Computational Diculty

The sp ecic constructs mentioned ab ove as well as most constructs in this area can exist only

if some sort of computational hardness exists Sp ecically all these problems and to ols require

either explicitly or implicitly the ability to generate instances of hard problems Such ability is

captured in the denition of oneway functions see further discussion in Section Thus one

way functions is the very minimum needed for doing most sorts of cryptography As we shall see

they actually suce for doing much of cryptography and the rest can b e done by augmentations

and extensions of the assumption that oneway functions exist

Our current state of understanding of ecient computation do es not allow us to prove that

oneway functions exist In particular the existence of oneway functions implies that NP is not

contained in BPP P not even on the average which would resolve the most famous op en

problem of computer science Thus we have no choice at this stage of history but to assume

that oneway functions exist As justication to this assumption we may only oer the combined

b elieves of hundreds or thousands of researchers Furthermore these b elieves concern a simply

stated assumption and their validity is supp orted by several widely b elieved conjectures which are

central to some elds eg the conjecture that factoring integers is hard is central to computational

number theory

As we need assumptions anyhow why not just assume what we want ie the existence of

a solution to some natural cryptographic problem Well rst we need to know what we want

as stated ab ove we must rst clarify what exactly do we want that is go through the typically

complex denitional stage But once this stage is completed can we just assume that the denition

derived can b e met Not really the mere fact that a denition was derived do es not mean that

it can b e met and one can easily dene ob jects that cannot exist without this fact b eing obvious

in the denition The way to demonstrate that a denition is viable and so the intuitive security

concern can b e satised at all is to construct a solution based on a better understood assumption

ie one that is more common and widely b elieved For example lo oking at the denition of zero

knowledge pro ofs it is not apriori clear that such pro ofs exist at all in a nontrivial sense The

nontriviality of the notion was rst demonstrated by presenting a zeroknowledge pro of system for

statements regarding Quadratic Residuosity which are b elieved to b e hard to verify without extra

information Furthermore in contrary to prior b eliefs it was later shown in that the existence of

oneway functions implies that any NPstatement can b e proven in zeroknowledge Thus facts that

were not known at all to hold and even b elieved to b e false were shown to hold by reduction to

widely b elieved assumptions without which most of mo dern cryptography collapses anyhow To

summarize not all assumptions are equal and so reducing a complex new and doubtful assumption

VI I

to a widelyb elieved simple or even merely simpler assumption is of great value Furthermore

reducing the solution of a new task to the assumed security of a wellknown primitive typically

means providing a construction that using the known primitive solves the new task This means

that we do not only know or assume that the new task is solvable but rather have a solution

based on a primitive that b eing wellknown typically has several candidate implementations

Structure and Prerequisites

Our aim is to present the basic concepts techniques and results in cryptography As stated ab ove

our emphasis is on the clarication of fundamental concepts and the relationship among them This

is done in a way indep endent of the particularities of some p opular number theoretic examples

These particular examples played a central role in the development of the eld and still oer the

most practical implementations of all cryptographic primitives but this do es not mean that the

presentation has to b e linked to them On the contrary we b elieve that concepts are b est claried

when presented at an abstract level decoupled from sp ecic implementations Thus the most rele

vant background for this b o ok is provided by basic knowledge of algorithms including randomized

ones computability and elementary probability theory Background on computational number

theory which is required for sp ecic implementations of certain constructs is not really required

here yet a short app endix presenting the most relevant facts is included in this volume so to

supp ort the few examples of implementations presented here

Volume Introduction and Basic Tools

Chapter Introduction

Chapter Computational Diculty OneWay Functions

Chapter Pseudorandom Generators

Chapter ZeroKnowledge Pro ofs

Volume Basic Applications

Chapter Encryption Schemes

Chapter Signature Schemes

Chapter General Cryptographic Proto cols

Volume Beyond the Basics

Figure Organization of this b o ok

Organization of the b o ok The b o ok is organized in three parts see Figure Basic Tools

Basic Applications and Beyond the Basics The current rst volume contains an introductory

chapter as well as the rst part Basic Tools This part contains chapters on computational

diculty oneway functions pseudorandomness and zeroknowledge pro ofs These basic to ols

will b e used for the Basic Applications of the second part which consist of Encryption Signatures

and General Cryptographic Proto cols

The partition of the b o ok into three parts is a logical one Furthermore it oers the advantage

of publishing the rst part without waiting for the completion of the other parts Similarly we

hop e to complete the second part within a couple years and publish it without waiting for the

third part

VI I I

Teaching The material presented in this b o ok is on one hand way b eyond what one may want

to cover in a course and on the other hand falls very short of what one may want to know ab out

Cryptography in general To assist these conicting needs we make a distinction b etween basic and

advanced material and provide suggestions for further reading in the last section of each chapter

In particular sections subsections and subsubsections marked by an asterisk are intended for

advanced reading

Each lecture consists of one hour Lectures are covered by the

current volume Lectures will b e covered by the second volume

Lecture Introduction Background etc

dep ending on class

Lecture Computational Diculty OneWay Functions

Main Denition Sec HardCore Predicates Sec

Optional Weak implies Strong Sec and Sec

Lecture Pseudorandom Generators

Main Denitional issues and a construction Sec

Optional Pseudorandom Functions Sec

Lecture ZeroKnowledge Proofs

Main Some denitions and a construction Sec

Optional Sec

Lecture Encryption Schemes

Denitions and a construction consult Ap dx BB

See also fragments of a draft for the encryption chapter

Lecture Signature Schemes

Denition and a construction consult Ap dx B

See also fragments of a draft for the signatures chapter

Lecture General Cryptographic Protocols

The denitional approach and a general construction sketches

Consult Ap dx B see also our exp osition

Figure Plan for onesemester course on Foundations of Cryptography

Volumes and of this b o ok are supp osed to provide all material for a course on Foundations

of Cryptography For a onesemester course the teacher will denitely need to skip all advanced

material marked by an asterisk and maybe even some basic material see suggestion in Figure

This should allow dep ending on the class to cover the basic material at a reasonable level ie

cover all material marked as main and some of the optional Volumes and can also serve

as textb o ok for a twosemester course Either way the current volume only covers the rst half of

the material mentioned ab ove The second half will b e covered in Volume In the meanwhile we

suggest to use other sources for the second half A brief summary of Volume and recommendations

for alternative sources are given in App endix B In addition fragments andor preliminary drafts

for the three missing chapters are available from and resp ectively

Giving a course solely based on the material that app ears in the current volume is indeed

p ossible but such a course cannot b e considered a standalone course in Cryptography for the

reason that the current volume do es not consider at all the basic tasks of encryption and signatures

IX

Practice The aim of this b o ok is to provide sound theoretical foundations for cryptography

As argued ab ove such foundations are necessary for sound practice of cryptography Indeed

practice requires more than theoretical foundations whereas the current b o ok makes no attempt to

provide anything b eyond the latter However given sound foundations one can learn and evaluate

various practical suggestions that app ear elsewhere eg in On the other hand lack of sound

foundations results in inability to critically evaluate practical suggestions which in turn leads to

unsound decisions Nothing could b e more harmful to the design of schemes that need to withstand

adversarial attacks than misconceptions ab out such attacks

Relation to another b o ok by the author

A frequently asked question refers to the relation of the current b o ok to our text Modern Cryp

tography Probabilistic Proofs and Pseudorandomness The latter text consists of three brief

introductions to the related topics in the title Sp ecically Chapter of provides a brief ie

page summary of the current b o ok The other two chapters of provide a wider p ersp ective

on two topics mentioned in the current b o ok ie Probabilistic Pro ofs and Pseudorandomness

Further comments on the latter asp ect are provided in the relevant chapters of the current b o ok X

Lecture Summaries

Lecture Getting Started This is an introductory lecture a bit of motivation what is the

course ab out a bit of background on computation and a taste of the real material oneway

functions Sp ecically

Introduce the topics of the course

Introduce the basic computational notions underlying the course

Discuss computational diculty as captured by oneway functions

Present the rst result and its pro of stressing the pro of technique

Lecture Working with Intractability Assumptions The bulk of this lecture is devoted

to proving that if there exist weakly oneway functions then there exists strongly oneway functions

The construction itself is simple but again the fo cus should b e on the pro of technique In addition

we introduce the notion of a collection of oneway functions and the notion of a hardcore predicate

of a oneway function

Lecture HardCore Predicates and Pseudorandom Generators This lecture consists

of two indep endent parts In the rst and main part we present a pro of of the existence of a

generic hardcore predicate In the second part we provide a short introduction to the notion of

pseudorandom generators which will b e the fo cus of subsequent lectures

Lecture Computational Indistinguishability The fo cus of this lecture is on the concept

of computational indistinguishability which is a key concept in the area and in particular underlies

the notion of pseudorandomness Sp ecically we present the basic denition discuss its relation

to statistical indistinguishability consider its preservation under rep eated sampling and present

the hybrid technique which is often used towards proving computational indistinguishability We

then recall the denition of and prove that a construction with any given

stretching factor yields constructions for any desired stretching factor

Lecture Constructing Pseudorandom Generators and Functions In the rst part of

this lecture we show how to construct pseudorandom generators using any oneway function

ie oneway p ermutation In the second part we dene pseudorandom functions and show how

they can b e constructed using any pseudorandom generator

Lecture ZeroKnowledge Interactive Pro ofs We rst motivate the notion of zero

knowledge Next we dene illustrate and discuss the natural notion of interactive pro of systems

which is the adequate framework for the introduction of zeroknowledge pro ofs Next we use this

framework to dene and illustrate the notion of zeroknowledge The illustrative examples used are

the Graph NonIsomorphism and Graph Isomorphism proto cols resp ectively XI

XI I

Lecture Constructing ZeroKnowledge Pro ofs We recall the basic conditions underly

ing the denitional framework of zeroknowledge pro ofs and present the actual denition that is

typically used We claim and sketch a pro of that this denition is preserved under sequential

comp osition We dene and show how to construct commitment schemes and using the latter we

show how to construct zeroknowledge pro of systems for every language in NP

Lecture Dening Security of Encryption Schemes After presenting the basic syntax

we dene two equivalent notions of security semantic security and the technical denition of

indistinguishability of encryptions We prove the equivalence of the two denitions and consider

their generalization to the encryption of several plaintexts under the same key We discuss the

inherent role of probabilistic encryption algorithms for satisfying the denitions

Contents

Preface III

From the preface of Volume V

Lecture Summaries XI

Getting Started

Introduction

The topics

Basic computational notions

OneWay Functions

Motivation

Denitions

Historical Notes

Working with Intractability Assumptions

Weak oneway functions imply strong ones

Collections of oneway functions

Hardcore predicates of oneway functions

Historical Notes

HardCore Predicates and Pseudorandom Generators

Existence of a Generic Hardcore predicate

Introduction to Pseudorandom Generators

Historical Notes

Computational Indistinguishability

The basic notion and some basic prop erties

The actual denition

Rep eated samples

Back to the denition of pseudorandom generators

Historical Notes

Constructing Pseudorandom Generators and Functions

Constructing Pseudorandom Generator

Pseudorandom Functions

Historical Notes XI I I

XIV CONTENTS

ZeroKnowledge Interactive Pro ofs

Motivation

Interactive Pro of Systems

ZeroKnowledge

Historical Notes

Constructing ZeroKnowledge Pro ofs

Computational Zeroknowledge

How to construct zeroknowledge pro ofs for NP

Historical Notes

Dening Security of Encryption Schemes

The Basic Setting

Denitions of Security

Semantic Security and Indistinguishability of Encryptions

Equivalence of the two denitions

Probabilistic Encryption

Security of Multiple Encryptions

Historical Notes

Bibliography

Lecture

Getting Started

Summary

This is an introductory lecture a bit of motivation what is the course ab out a bit

of background on computation and a taste of the real material oneway functions

Sp ecically

Introduce the topics of the course

Introduce the basic computational notions underlying the course

Discuss computational diculty as captured by oneway functions

Present the rst result and its pro of stressing the pro of technique

Introduction

Just give a vague feeling of what this course is ab out Make sure the students are comfortable with

randomized algorithms and with the notions of ecient and infeasible

The topics

Sec

The most basic topics of cryptography are

Encryption Providing secret communication

Signatures Providing authentic communication

Comment here we mean communication in a broad sense Nowadays we asso ciate communication

with electronic communication of computers over the Internet or humans over phone lines that

is communication is asso ciated with realtime interaction However a century ago communica

tion was asso ciated with the written letter or b o ok which are far from o ccurring in realtime

But nonimmediate communication exists also nowadays eg stored data and by referring to

communication we refer to such nonimmediate communication as well

We will also discuss general cryptographic protocols These are proto cols that are abuseresilient

that is they maintain their designated functionality also under attacks of malicious adversaries In

fact maintaining a desired functionality under malicious attacks may b e used as the denition of

the entire area of cryptography

But b efore embarking on the study of the ab ove topics we will present to ols and attitudes

LECTURE GETTING STARTED

Basic computational notions

Sec

Secrets are inherent to cryptography What is a secret It is something selected by one party

and unknown to others If the others would know all determining factors eecting the selection

then theyd know the secret as well Thus the selection must include random factors That is

randomization is essential to cryptography

Randomized algorithms a natural extention of the notion of an algorithm should b e contrasted

with the cticious notion of nondeterministic machines introduced as a technical to ol This key

distinction should have b een made in a course on computability andor complexity however often

things that should b e done are not done or are done wrongly which is even worse Make sure the

students understand it right

Next we confront the following

Ecient means computable in probabilistic p olynomialtime That is there exists a p olyno

mial b ounding the runningtime such that an algorithm satisfying the time b ound succeeds

Infeasible means not computable in probabilistic p olynomialtime That is for any p olyno

mial b ounding the runningtime an algorithm satisfying the time b ound fails

In the context of randomized algorithms success and failure are probabilistic events Furthermore

we often consider input distributions ie inputs drawn according to some probability distribu

tions Corresp onding notions of rareness of success and failure are

Noticeable will indicate probability that is b ounded b elow by a recip o cal of some p ositive

p olynomial That is there exists a p ositive p olynomial such that its recip o cal lower bounds

the said probability

Negligible will indicate probability that is b ounded ab ove by the recip o cal of any p olynomial

That is for any p ositive p olynomial its recip o cal upper bounds the said probability

Comment There is nothing holy is using p olynomials as the distinction b etween ecient resp

noticeable and infeasible resp negligible Any other nicelyb ehaved classes of timeb ounds will

do p olynomials are just the simplest and most natural choice

OneWay Functions

Computational diculty in the sense we need it is captured by the notion of oneway functions

When proving Prop osition or whenever preseting the rst pro of of such avor stress the

diculty of arguing ab out computational diculty as contrasted to the related triviality of the

combinatorics

Motivation

Sec

ONEWAY FUNCTIONS

Mo dern Cryptography is based on computational diculty eciency of prop er b ehavior versus

infeasibility of causing harm by improp er b ehavior

Typically the honest user holds a secret enabling it to eciently take actions that are infeasible

to the adversary who do es not know the secret Furthermore the secret is typically veriable via

some public information Thus nding the secret is an NPproblem and we assume that it is not

solveable in probabilistic p olynomialtime Thus at the very least we assume that P NP But

worstcase hardness as provided by P NP is not enough we want the secret to b e hard to nd

almost always not merely in the worstcase Thus we actually need problems in NP that are hard

on the average Furthermore these hardontheaverage problems should b e easy to generate with

their corresp onding solutions ie the secrets This leads to the denition of oneway functions

Denitions

Sec

The basic denition is of length preserving functions that are eciently computable but are

infeasible to invert in the averagecase sense That is every probabilistic p olynomialtime algorithm

will fail to invert the function on a random image except for with negligible probability taken on

the invertors coins as well as on the random image By a random image we mean one generated

by applying the function to a uniformly chosen preimage of any xed length

A weaker denition requires every probabilistic p olynomialtime to fail only with noticeable

probability rather than succeed with at most negligible probability The probability space is

again taken over the invertors coins as well as on the random image We call the former type of

functions strongly oneway or just oneway and call the latter weakly oneway

In light of the motivating discussion the students may wonder or you can challenge them with

the question of what are weakly oneway functions good for Jumping ahead we mention that

weak oneway functions can b e transformed into strong ones cf Theorem On the other hand

it is sometimes easier to construct candidate weak oneway functions that strong ones

An example of a candidate weak oneway function integer mutiplication ie breaking the

input into the binary representation of two equallength integers output the binary representation

of their pro duct This seems hard to invert at least in case the preimage enco des two primes

We could have presented a strong oneway function based on the corresp onding intractability

assumption by using a randomized algorithms for generating random primes but this is more

complicated in fact we give no details

Sec

Prop osition Assuming the existence of oneway functions there exists a weakly oneway func

tion that is not strongly oneway

def def

log jxj

2

Given any oneway function f construct f x f x if and f x x other

wise The length of should not b e more than logarithmic in the length of x and we let it b e

logarithmic rather than in order to maximize the dramatic eect

Proving the prop osition Clearly f is not strongly oneway The less obvious thing is to prove

that f is weakly oneway Just feeling that this is right do es not suce We need to show that

any algorithm that contradicts the weak oneway prop erty of f can b e converted into an algorithm

LECTURE GETTING STARTED

that contradicts the hypothesis that f is strongly oneway Sp ecially prove that on inputs of

length n the function f is hard to invert with success probability greater than Given

n

an f inverter A construct an f inverted denoted A that on input y f x invokes A on the

log jy j

2

input y and outputs the jy jbit long sux of the answer In the analysis consider rst the

log jy j

2

success probability of A on inputs of the form y using the fact that such inputs o ccur with

probability jy j as images of f

Preview Although there may exists weak oneway functions that are not strongly oneway we

can transform any weak oneway function into a strong oneway function That is

Theorem If there exist weakly oneway functions then there exists strongly oneway functions

The pro of will b e given in the next lecture Challenge the students to try to guess the construction

Historical Notes

The notion of oneway functions was introduced by Die and Hellman in their seminal work New

Directions in Cryptography which set the direction of the eld for many years The conjecture

that factoring integers is intracatable was put forward by Rivest Shamir and Adleman in their

inuential design of the RSA scheme Jumping ahead Id like to mention a third seminal

pap er that has actually set the tone for the entire approach followed in this course I refer to the

pap er Probabilistic Encryption of Goldwasser and Micali

Lecture

Working with Intractability

Assumptions

Summary

The bulk of this lecture is devoted to proving that if there exist weakly oneway functions

then there exists strongly oneway functions The construction itself is simple but again

the fo cus should b e on the pro of technique

In addition we introduce the notion of a collection of oneway functions and the notion

of a hardcore predicate of a oneway function

The title of the lecture emphasizes the nontriviality of deriving intractability results such as the

existence of strong oneway functions based on intracatbility assumptions

Weak oneway functions imply strong ones

Sec

Recall the theorem stated at the end of last lecture

Theorem If there exist weakly oneway functions then there exists strongly oneway functions

Supp ose that f is hard to invert in probabilistic p olynomialtime on at least a p oly n

fraction of its probability space Dene F by partitioning the t nbit long input string into

def

t n equallength parts and applying f to each of them We claim that F is a strongly oneway

function

The pro of does not amount to saying that the probability of t successes in t trials each

t

succeeding with probability at most is expn Such an argument assumes that

the F invertor op erates indep endently on each of the t parts of the image One may say that such

an assumption is reasonable but what can b e called reasonable when it comes to adversaries

Anyhow we know of no way to justify this reasonable assumption and we do not want any

additional illformed assumption but rather a pro of The real pro of pro ceeds by showing how any

F inverter that is to o go o d can b e transformed into an f inverter that is to o go o d

LECTURE WORKING WITH INTRACTABILITY ASSUMPTIONS

Supp ose towards the contradiction that F is easy to invert on at least an p oly n fraction

of the probability space We will show that this yields that f is easy to invert on fraction of

the probability space which contradicts the hypothesis

Sp ecically we x an inverting algorithm A for F and pro ceed as follows For i t call

an f preimage x igo o d or go o d in direction i if the probability that A inverts F on the image

F r r x r r is at least t where the probability is taken over all p ossible choices

i i t

n

of r r r r f g and over As coin tosses Note that x and i is xed and the

i i t

r s are random

i

Claim There exists an i such that at least fraction of the f preimages are igood

The pro of is an easy counting argument Assuming on the contrary that in all directions there are

less than a fraction of go o d preimages we upp erb ound the success probability of A by

noting that nongo o d preimages contribute at most a probability mass of t in each direction

whereas the intersection of the go o d regions is exp onentially vanishing Thats the combinatorial

part

We turn to the algorithmic part The p oint is that given y f x we may try to invert

f on y as follows For every i t using the F invertor A we try nt times to invert F

on f r f r y f r f r where r r r r are selected at random by us

i i t i i t

If x happ ens to b e igo o d for any i then each of the corresp onding trials has a probability of

at least t to succeed Trying nt times the probability that we fail in all trials is at most

nt

t expn Combining this with Claim and letting i b e as guaranteed by the

claim we conclude that for a random x our f inverying algorithm succeeds with probability at

least

Pr x is igo o d Pr we fail to invert f on f x j x is igo o d

expn

and contradiction follows

Digest The crux of the entire pro of is neither the pro of of Claim nor the analysis of the

f inverter presented ab ove It is rather the f inverter itself Put in other words the crux of the

pro of is in the way an F inverter which succeeds only with probability can b e used to derive

an f inverter which succeeds with probability It should not b e surprising that we have to

invoke the former ie F invertor many ie nt times b ecause we are amplifying the success

probability

More thoughts Emphasize the nontriviality of deriving intractability results such as the ex

istence of strong oneway functions based on intracatbility assumptions such as the existence of

weak oneway functions Indeed proving such implications is easier than proving the corresp onding

intractability results without making assumptions currently way b eyond our reach but still the

fact that we use assumptions means that we dont really understand the context or else we would

not have needed to assume anything Thus we should b e sup ercareful in deriving implications

The only implications allowed are those that we can formally prove and not merely conjecture

or consider reasonable Typically implications of the ab ove type are proven by counterpositive

Given an algorithm that violates the conclusion thats nice we are given something alas this thing

COLLECTIONS OF ONEWAY FUNCTIONS

is generic we derive an algorithm that violates the hypothesis and thus derive a contradiction

We construct the latter algorithm while using the former one as a subroutine b ecause this algo

rithm is generic and since the context is probabilitic it is imp ortant to invoke the subroutine

on input distributions ab out which we can make meaningful claims regarding the subroutine

b ehaviour

Collections of oneway functions

Sec

The more cumbersome formulation is motivated in two ways Firstly it is more suitable for dis

cussion of most p opular candidates of oneway functions Secondly it allows a natural introduction

of the notion of trap do or oneway functions

The basic formulation refers to collections of nite functions ff D R g where

I

I f g To b e able to use such a collection we need ecient uniform for the collection

n n

algorithms for selecting indices in I ie given generate an element of I f g for selecting

domain elements ie given I generate an element of D and for evaluating the function

ie given I and x D output f x The oneway prop erty has to b e stated with resp ect

to the distribution induced by the index and domain sampling algorithms

Example the RSA collection We view it as a collection of oneway functions not as an

encryption andor signature scheme The reasons for this p ersp ective will b ecome clear when we

dene encryption and signature schemes

Additional prop erties enjoyed by the RSA collection include the functions b eing p ermutations

over the corresp onding domains the sampling algorithms generating almost uniform samples

from the corresp onding sets and most imp ortantly having trap do ors that allow ecient inver

sion

Trapdo or collections The indexsampling algorithm is required to output a pair where the

rst element is an index as b efore and the second is a corresp onding trap do or In addition an

ecient algorithm is presented for inverting the function when given also the trap do or Inverting

remains infeasible when not given the trap do or but rather given the index of the function which

do es allow ecient evaluation of the function

Hardcore predicates of oneway functions

Sec

We turn back to the less cumbersome formulation in which there is a single innite function

rather than an innite collection of nite functions

We have seen or show now that a oneway function may leak many bits of its preimage eg

given a oneway function f consider the function f x y x f y where jxj jy j Going to the

other extreme we say that a simple ie eciently computable predicate is a hardcore of a function

if given a random image it is infeasible to guess with nonnegligible advantage the predicates

value on the corresp onding preimage The interesting case is when the function is otherwise

LECTURE WORKING WITH INTRACTABILITY ASSUMPTIONS

hardcore may exists in a trivial ie informationtheoretic manner eg f x f x has

the hardcore predicate b x regardless if f is hard to invert or not In case the function is

and eciently computable if it has a hardcore then it must b e oneway ie otherwise the

hardcore is computed by inverting the function and computing the hardcore on the resulting

preimage In constrast any strongly oneway function can b e slightly mo died to have a hardcore

predicate Sp ecically

Theorem Suppose that f is a oneway function Let f x r f x r and bx r be the

innerproduct mod of x and r Then b is a hardcore predicate of f

The theorem will b e proven in the next lecture Note that f preserves many prop erties of f eg

b eing evaluation time etc

Historical Notes

Theorem is due to Yao and its pro of has rst app eared in Theorem is due to

Goldreich and Levin and improves over a more complicated construction due to Yao The

latter construction is analyzed using the socalled Yaos XORLemma which is of indep endent

interest A pro of of Yaos XORLemma has rst app eared in Levins pap er but the interested

reader is referred to other sources eg a go o d place to start is

Lecture

HardCore Predicates and

Pseudorandom Generators

Summary

This lecture consists of two indep endent parts In the rst and main part we present

a pro of of the existence of a generic hardcore predicate In the second part we provide

a short introduction to the notion of pseudorandom generators which will b e the fo cus

of subsequent lectures

The two parts are not unrelated in a lecture or two we will see how to use hardcore predicates

to construct pseudorandom generators

Existence of a Generic Hardcore predicate

Sec

Recall the denitions of strong oneway functions and hardcore predicate as well as the following

result stated in previous lecture and to b e proven now

Theorem Theorem restated Suppose that f is a oneway function Let f x r

f x r and bx r be the innerproduct mod of x and r Then b is a hardcore predicate of f

def

Let A b e any probabilistic p olynomialtime algorithm and n Pr Af X R bX R

n n n n

n

where X and R are indep endently and uniformly distributed over f g That is represents

n n

As advantage over a random guess

def def

Dene sx Pr Af x R bx R so EsX n Dene S fx sx

n n n n

ng to b e the set of xs for which A has a relatively signicant advantage and prove

n

that jS j n Focus on an arbitrary xed x in S and let n

n n

The easy alas unrealistic case Supp ose that sx rather than sx

Then

h i

i ni i ni

Af x r Af x r bx r bx r Pr

r

LECTURE HARDCORE PREDICATES AND PSEUDORANDOM GENERATORS

On the other hand for if i j and otherwise

ij ij

n n

X X

i ni

x r x mo d x r bx r bx r

j j ij i j j

j j

Thus a sample of n pairwise indep endent random r s will give us x with probability at

i

least n Thus with probability at least we correctly recover all bits of x and so invert

f on f x

The real case We only have sx The doubling of error in the ab ove pro cedure

makes it inadequate for the case sx To avoid the error doubling phenumena let us dream

Supp ose that someb o dy gave us the values of bx r s for suciently ie n many random

i ni

r s Then it would suce to query A on the corresp onding f x r s so to obtain

i ni

guesses for bx r Thus with probability sx each such random r

i ni

yields the value of x by Af x r bx r and ruling by ma jority we are again correct

i

def

with probability at least n But how do we get the values of bx r s for m n

random r s The answer is that we are going to guess them Certainly if the r s were totally

m

indep endent then we would b e correct with probability which is way to o low Instead we

use a sp ecic construction of m pairwiseindep endent random r s such that the probability that

we correctly guess all bx r s is p oly m which we can aord Note that the ma jority rule

works also for pairwiseindep endent random r s

We construct m pairwise indep endent r s based on dlog m e indep endent random

n

strings in f g Sp ecically we uniformly and indep endently select s s f g and set

I i I

r s for every nonempty I Thus we obtain m pairwise indep endent r s We obtain

iI

I i

a guess for all bx r s by merely guessing all bx s s at random and using

n n

X X X X X

I i i i i

bx r bx s x x s s bx s mo d

iI j j

j j

j j

iI iI iI

Thus if our initial guesses are correct which happ ens with probability m then the

I

values obtained for all bx r s are correct

Introduction to Pseudorandom Generators

Sec

Lo osely sp eaking a pseudorandom generator is an ecient program or algorithm that stretches

short random strings into long pseudorandom sequences Thus a pseudorandom generator do es

not generate randomness from scratch but rather expands small amounts of true randomness

present in the seed into bigger ob jects that are not truly random but do app ear as if they are

Emphasize the three fundamental asp ects in the notion of a pseudorandom generator

1 I n

To see that the r s are pairwise indep endent consider any I J and any f g We need to prove that

I J n 2

Pr r r Supp ose wlog that k I n J and write

I J J I J

Pr r r Pr r Pr r j r

J j n j k I J

Clearly Pr r Pr s By xing all s s except for s that is kept random we have Pr r j r

j J

k i n

Pr s s

iI nfk g

INTRODUCTION TO PSEUDORANDOM GENERATORS

Eciency of the generator

Stretching Short seeds are stretched into longer output sequences Sp ecically nbit long

seeds are stretched into nbit long outputs where n n and typically n n

Pseudorandomness The longer nbit long outputs pro duced based on uniformly dis

tributed nbit seeds are computationally indistinguishable from uniformly distributed se

quences of the same length ie of length n

Indeed the notion of computationally indistinguishable is the heart of the denition and will b e

discussed extensively in the next lecture

Pseudorandom generators allow to generate communicate and store nbit long random se

quences at the cost of actually generating communicating and storing only n random bits

Historical Notes

Theorem is due to Goldreich and Levin but their original pro of see generalization in

is dierent that the pro of presented ab ove The pro of presented ab ove which follows ideas that

originate in was discovered later and indep endently by Levin and Racko

Although pseudorandom generators have b een used and referred to implicitly and explicitly

from the early days of computer science a rigorous denition of the notion was rst put forward

by Blum and Micali

LECTURE HARDCORE PREDICATES AND PSEUDORANDOM GENERATORS

Lecture

Computational Indistinguishability

Summary

The fo cus of this lecture is on the concept of computational indistinguishability which

is a key concept in the area and in particular underlies the notion of pseudorandomness

Sp ecically we present the basic denition discuss its relation to statistical indistin

guishability consider its preservation under rep eated sampling and present the hybrid

technique which is often used towards proving computational indistinguishability We

then recall the denition of pseudorandom generator and prove that a construction with

any given stretching factor yields constructions for any desired stretching factor

The basic notion and some basic prop erties

Sec

The actual denition

The intuition An ecient pro cedure or observer is given either a sample from one distribution

or a sample from the other Can heshe distinguish the two cases

The formalism We cannot talk ab out a nite distribution b ecause an ecient machine can

incorp orate it but rather of distribution ensembles that is innite sequences fZ g where each

n

nN

n pn

Z is nite random variable or distribution Typically Z ranges over f g or over f g

n n

for some p olynomial p that is xed for the entire ensemble

def

For an observer A consider the sequence of p Pr AX versus the sequence of

n n

def

q Pr AY Sp ell out what these probabilities mean that is write Pr AX

n n n

P

Pr X x Pr Ax students often have problems with this If jp q j is negligible as

n n n

x

a function of n we say that A do es not distinguish b etween fX g and fY g

n n

nN nN

We say that X fX g and Y fY g are computationally indistinguishable if no proba

n n

nN nN

bilistic p olynomialtime distinguishes them

Computational indistinguishability is a relaxation of statistical indistinguishability dened as hav

ing negligible variation distance Exercise Show that statistical indistinguishability implies com

putational indistinguishability Comment the relaxation is strict if and only if oneway functions

exist More ab out this at a later stage

LECTURE COMPUTATIONAL INDISTINGUISHABILITY

Comment Distinguishing xed ob jects rather than distributions is a sp ecial case

Rep eated samples

Supp ose that X fX g and Y fY g are computationally indistinguishable Do es this

n n

nN nN

means that an ecient observer cannot distinguish two indep endently selected samples of X from

two indep endently selected samples of Y

In general the answer is NO but for the sp ecial case we care ab out in which b oth ensembles are

eciently sampleable the answer is YES An ensemble Z fZ g is eciently sampleable if

n

nN

n

there exists an a probabilistic p olynomialtime S such that S is distributed identically to Z

n

The negative part should teach us a lesson not to rush to conclusions regarding complex

notions

The p ositive part is proven next The pro of utilizes a central new technique to b e called a

hybrid argument Let us restate our claim for X and Y as ab ove For every p olynomial t

consider the tproduct of Z fZ g

n

nN

tn

fZ Z Z g

n n n

nN

i

where the Z s are indep endent copies of Z We claim that if X and Y are computationally

n

n

indistinguishable then so are their tpro ducts for every p olynomial t Supp ose that A distinguishes

the tpro ducts that is there exists a p olynomial p and innitely many ns such that

tn tn

Pr AX X X Pr AY Y Y

n n n n n n

pn

Verify that this is the negation and that we may drop the absolute value Consider such a generic

n Then there exists an i f tn g such that

i

i i tn

Pr AX X X Y Y

n

n n n n

i

i tn i

Y Y Y Pr AX X

n

n n n n

tn pn

That is for every j we consider a hybrid distribution comp osed of j copies of X followed by

n

tn j copies of Y The ab ove inequality asserts that A distinguishes the i st hybrid from the

n

th

ith hybrid It follows by observing that the tpro duct of X coincides with the last ie tn

hybrid whereas the tpro duct of Y coincides with the hybrid In fact the exp ected gap for a

random pair of neighboring hybrids is also tn pn Using the sampleability of both ensembles

we convert A into an observer that distinguishes a single copy of X from a single copy of Y in

contradiction to the hypothesis

Comment Some students may wonder as to why should A which is supposed to run on product

distributions agree or b ehave nicely on intermediate hybrids Address the issue explicitly saying

that A b eing merely an algorithm is not asked to agree but is rather b eing run on arbitrary inputs

and its b ehavior on various distribution is welldened In fact if it b ehave nonnicely on some

hybrids then even b etter

BACK TO THE DEFINITION OF PSEUDORANDOM GENERATORS

Hybrid technique digest The key features are dening a polynomiallybounded number of

hybrids such that the extreme hybrids correspond to the conclusion whereas neighboring hybrids

correspond to the hypothesis Elab orate on each of these three asp ects

Back to the denition of pseudorandom generators

Sec

Recall that a pseudorandom generator is an ecient deterministic program or algorithm

that stretches short random strings into long pseudorandom sequences where pseudorandom n

bit long sequences are dened as computationally indistinguishable from uniformly distributed

sequences of the same length ie of length n

Stretching It is required that short seeds are stretched into longer output sequences Sp ecically

nbit long seeds are stretched into nbit long outputs where n n for some p olynomial

Indeed typically we want n n but in the denition we only required n n This gap is

addressed by the following result

Theorem Suppose that G is a pseudorandom generator stretching seeds of length n to outputs

of length n Then for every polynomial such that n n there exists a pseudorandom

generator G stretching seeds of length n to outputs of length n

def

n

The desired G is constructed as follows On input s f g we pro ceed in n iterations

def

starting with s s and outputting one bit in each iteration In the ith iteration we output the

rst bit of Gs and set s to equal the other n bits of Gs Draw a picture

i i i

To prove the pseudorandomness of G we consider the following hybrids For i n

the ith hybrid outputs a uniformly distributed ibit long string followed by the n ibit prex

of G U Clearly the hybrid coincides with G U whereas the nhybrid coincides with

n n

U To utilize p otential gaps b etween neighboring hybrids we review the structure of the i

n

n

hybrid versus the i hybrid Draw a picture For x f g let leadx denote the rst

leading bit of x and restx denote the following n bits that is x leadx rest x View the

ihybrid as starting with a uniformly distributed ibit long string followed by leadGU followed

n

by the n i bit prex of G restGU Likewise view i hybrid as starting with

n

a uniformly distributed ibit long string followed by leadU followed by the n i bit

n

prex of G restU Thus distinguishing these two neighboring hybrids allows to distinguish

n

GU from U

n n

Historical Notes

The notion of computational indistinguishability was introduced in the work of Goldwasser and

Micali within the sp ecial context of indistinguishability of ciphertexts as a denition of security

for encryption schemes The general notion of computational indistinguishability has rst app eared

in Yaos work where it was used to dene pseudorandom sequences as b eing computationally

indistinguishable from truly random sequences Yao also proved that this notion of pseudorandom

sequences is equivalent to the notion of unpredictable sequences which was used as the notion of

pseudorandomness in the work of Blum and Micali

LECTURE COMPUTATIONAL INDISTINGUISHABILITY

Lecture

Constructing Pseudorandom

Generators and Functions

Summary

In the rst part of this lecture we show how to construct pseudorandom generators us

ing any oneway function ie oneway p ermutation In the second part we dene

pseudorandom functions and show how they can b e constructed using any pseudoran

dom generator

Constructing Pseudorandom Generator

Sec

Recall the denition of a pseudorandom generator and that pseudorandom generators with minimal

stretch suce for constructing pseudorandom generators with arbitrary p olynomial stretch

Letting f b e a oneway function and b b e a corresp onding hardcore predicate we prove

def

that Gs f sbs is a pseudorandom generator That is we prove

Lemma fGU g and fU g are computationally indistinguishable

n n

nN nN

def def

Dene G s f s equals bs where bs bs The key observation is that U f U U

n n

GU f U bU with probability and equals G U f U bU otherwise Thus for

n n n n n n

every algorithm D

Pr D GU Pr D G U

n n

Pr D GU Pr D U

n n

and it suces to show that fGU g and fG U g are computationally indistinguishable

n n

nN nN

The latter is proven by contradiction that is wlog supp ose that

def

n Pr D GU Pr D G U

n n

then given y f x we predict bx by uniformly selecting f g and outputting if D y

otherwise Intuitively D y is more likely to b e if bx Formally we just evaluate and

the success probability of this prediction rule and conclude that it is correct with probability

n

LECTURE CONSTRUCTING PSEUDORANDOM GENERATORS AND FUNCTIONS

An alternative construction By combining the ab ove construction with the transformation

shown in the previous lecture and mentioned ab ove we obtain

Theorem If oneway functions exist then for every polynomial such that n n n

there exist a pseudorandom generator with stretch function

A direct construction which is in fact equivalent to the one obtained by combining the two ab ove

mentioned constructions follows Let f b e a oneway function and b b e a corresp onding hard

def

n

core then Gs bsbf sbf s bf s is a pseudorandom generator The pro of

is obtained by combining the pro of ideas used to establish the validity of the two corresp onding

constructions

Getting rid of the condition In fact pseudorandom generators can b e constructed using

any oneway function rather than only oneway functions alas the construction and more

so its analysis is to o complex to b e presented here One the other hand it is easy to show

that the existence of pseudorandom generators implies the existence of oneway functions eg if

n n

G f g f g is a pseudorandom generator then for jxj jy j the function f xy Gx

is oneway hint U is unlikely to have a preimage under f Thus

n

Theorem Pseudorandom generators exist if and only if oneway functions exist

Pseudorandom Functions

Sec

n

Pseudorandom generators yield distributions with supp ort size of at most that are computation

p oly n

ally indistinguishable from the uniform distribution on ob jects Pseudorandom functions

n

dened b elow yield distributions with supp ort size of at most that are computationally in

n

ob jects For example a distribution of upto distinguishable from the uniform distribution on

n n

many functions f g f g is computationally indistinguishable from a random function

n

f g f g where computational indistinguishability means failure of any ecient test that

may obtain the value of the function at inputs of its choice to distinguish the two cases

Formalism Here the distinguisher is an oracle machine given oracle access to a function For

jsj jsj

example we may consider collections ff f g f g g satisfying the following two

s

sfg

conditions

Ecient evaluation There exist an ecient algorithm that given a function description s and

an argument x returns f x

s

Pseudorandomness For every probabilistic p olynomialtime oracle machine M

n n F f

n

U

n

j Pr M jPr M

n n

is negligible where F f g f g denotes a random function

n

Clearly pseudorandom functions yields pseudorandom generators eg Gs f f f t

s s s

We show a construction establishing the converse

PSEUDORANDOM FUNCTIONS

Theorem Pseudorandom functions exist if and only if pseudorandom generators exist

n n

Let G f g f g b e a pseudorandom generator and let G s resp G s denote the

n

rst resp last jsj bits of Gs For s x f g consider

def def

f x s G G G s

s x x x x

n

2 1

def

where x x x x Draw a picture of a binary tree where the ro ot is lab eled by s s and

n

def def

the children of the no de lab eled s are lab eled s G s and s G s resp ectively

th

Prove the validity of the construction using a hybrid argument where the i hybrid corresp onds

i

to a tree with random lab els at the vertices of level i and their ancestors b eing lab eled as ab ove

Hint use the fact that for any p olynomial t the tpro duct of fGU g and the tpro duct of

n

nN

fU g are indistinguishable and use samples from either fGU g or fU g to construct

n n n

nN nN nN

th st

either the i or i hybrid on the y

Applications Pseudorandom functions enable to share a randomlo oking function at the cost

of selecting communicating and storing a short seed The seed is shared by the legitimate parties

and a random b ehavior of the function is guaranteed even if an adversary can obtain values of

the function at arguments of its choice Immediate applications include

Privatekey encryption schemes

Message Authentication Co des

Identify Friend Or Foe schemes

The rst two applications will b e discussed in subsequent lectures The third application refers to

challengeresponse identication proto cols where the challenger selects a random challenge and the

resp ond should b e the value of the agreed pseudorandom function at this challenge p oint Only

legitimate group members know the agreed secret function Note that an ecient adversary cannot

pass such a test even if prior to attempting the adversary may play the role of the challenger wrt

a legitimate member in p olynomiallymany instances of the proto col and so obtain the value of

the function at p olynomiallymany arguments of its choice

Historical Notes

Theorem is due to Yao The alternative pro of of Theorem coincides with the original

construction of Blum and Micali Theorem is due to Hastad Impagliazzo Levin and

Luby

Pseudorandom functions were dened and constructed as in Theorem by Goldreich Gold

wasser and Micali

LECTURE CONSTRUCTING PSEUDORANDOM GENERATORS AND FUNCTIONS

Lecture

ZeroKnowledge Interactive Pro ofs

Summary

We rst motivate the notion of zeroknowledge Next we dene illustrate and discuss

the natural notion of interactive pro of systems which is the adequate framework for

the introduction of zeroknowledge pro ofs Next we use this framework to dene and

illustrate the notion of zeroknowledge The illustrative examples used are the Graph

NonIsomorphism and Graph Isomorphism proto cols resp ectively

Motivation

Sec

Discuss with or without examples the archetypical cryptographic problem of forcing prop er

b ehavior of a party without requiring it to loss anything in case it is honest Note that the

partys b ehavior dep ends on its secrets which may b e at least partially veriable via previous

actions taken by the party If the party was to reveal its secret which is of course out of the

question then one could easily verify that this party acts prop erly We want to b e able to verify

the latter fact without making the party reveal its secret nor even partial information ab out the

secret That is the verier should learn nothing from the pro of b eyond the fact that the claim of

prop er b ehavior is valid

The issues at hand are

Presenting a rich framework for pro ofs of prop er or secretconsistent b ehavior

This will lead us to the denition of interactive pro of systems

Formulating what it means to learn nothing from such pro ofs

This will lead us to the denition of zeroknowledge

Interactive Pro of Systems

Sec

LECTURE ZEROKNOWLEDGE INTERACTIVE PROOFS

The original motivation to the denition of interactive pro of systems is that the traditional notion

of written pro ofs as captured by the class NP do es not allow zeroknowledge pro ofs However

in retrosp ect since pro ofs are going to b e used inside bigger cryptographic proto cols there seems to

b e no reason to insist that they b e unidirectional since bidirectional communication may anyhow

o ccur and deterministicallyveriable since all cryptography is anyhow randomized

Interactive pro of systems capture the most general way in which a probabilistic p olynomial

time party may b e convinced of the validity of some assertion Present the denition while relying

on the intuitive notion of strategies rather than on the cumbersome formulations of interactive

Turing machines just as one needs not dene Turing machines to discuss algorithms Indeed

unidirectional deterministicallyveriable pro ofs ie NPtype pro ofs are a sp ecial case

Issues to b e discussed include the completeness and soundness requirements stated with resp ect

to negligible error probability errorreduction easily established via sequential rep etition but do es

hold here also via parallel rep etition and the discrepancy in computational p ower of the prover

versus the verier Stress that we will fo cus eg in the course on prover strategies for the

completeness condition that are implementable in probabilistic p olynomialtime when given an

adequate auxiliary input eg typically an NPwitness

To illustrate the notion present the Graph NonIsomorphism GNI proto col but avoid a

detailed analysis which refers to the automorphism group of the graphs Stress that you show

an interactive pro of for a language not known to b e in NP ie not known to have an NPtype

pro of You may further refer to the ab ove issues in light of that proto col

ZeroKnowledge

Sec

The simulation paradigm is the way we capture the notion of gaining nothing b eyond some

thing It amounts to saying that whatever can b e eciently done with the alleged gain can also

b e eciently done with the original something which is claimed to b e the upp er b ound of gain

This is a general paradigm In our context it says that whatever can b e eciently computed after

eciently interacting with a zeroknowledge prover can b e eciently computed from the asser

tion itself provided it is valid Thus the only gain from the interaction is building condence in

the validity of the assertion and nothing b eyond is gained

Discuss the oversimplied formulation of p erfect zeroknowledge and its minor relaxation

that allows the simulator to have no output with negligible probability Show that languages in

BPP have a trivial zeroknowledge pro of in which the prover remains silent A nontrivial

illustration of zeroknowledge can b e given by presenting the Graph Isomorphism GI proto col

showing b oth the proto col and its simulator but avoiding a detailed analysis Stress that you

show an interactive pro of for a language in NP but that this p eculiar pro of system unlike the

NPtype pro of can b e shown to b e zeroknowledge

You may comment that the formulation of interactive pro ofs is essential to the nontriviality

of zeroknowledge ie only languages in BPP have unidirectional zeroknowledge pro ofs The

pro of may b e left as an exercise see Theorem in the b o ok

Historical Notes

Interactive pro ofs and zeroknowledge were introduced in the seminal work of Goldwasser Micali

and Racko We stress that their motivation for introducing interactive pro ofs was to formulate

ZEROKNOWLEDGE

the most general notion of what can b e eciently veriable In contrast Babais motivation for

introducing ArthurMerlin games which turned out to b e as p owerful as interactive pro ofs was

to slightly extend the class NP such that it includes a sp ecic computational problem that was

known to b e in NP only under a reasonable grouptheoretic conjecture

The proto cols for GNI and GI illustrating the notions of interactive pro ofs and zeroknowledge

pro ofs are taken from the work of Goldreich Micali and Wigderson

LECTURE ZEROKNOWLEDGE INTERACTIVE PROOFS

Lecture

Constructing ZeroKnowledge Pro ofs

Summary

We recall the basic conditions underlying the denitional framework of zeroknowledge

pro ofs and present the actual denition that is typically used We claim and sketch

a pro of that this denition is preserved under sequential comp osition We dene and

show how to construct commitment schemes and using the latter we show how to

construct zeroknowledge pro of systems for every language in NP

Computational Zeroknowledge

Sec

Recall the basic three requirements from a zeroknowledge interactive pro of

Completeness is a viability condition referring to what happ ens if everybo dy b ehaves prop erly

In such a case the prover only claims a valid statement and succeeds to make the verier

accept it

Soundness protects the verier from attempts of a cheating prover to prove false assertions

In such a case the verier will reject with high probability no matter what the prover do es

in order to cheat

Zeroknowledge protects the prover from attempts of a cheating verier to learn more than

the validity of an assertions No matter what a feasible verier do es in order to gain extra

knowledge it can only obtain what it could obtain by itself when assuming or b elieving

that the assertion is indeed valid

The set of valid assertions is asso ciated with a language L f g

The actual denition rst issue We will refer to a naturally relaxed denition of zero

knowledge which suces for typical cryptographic purp oses Rather than asking that the simu

lation is p erfect ie distributed identically to the real interaction we only require that the two

probability ensembles b e computational indistinguishable Stress that the ensembles are indexed

by strings typically members of L as ab ove

LECTURE CONSTRUCTING ZEROKNOWLEDGE PROOFS

The actual denition second issue On the other hand we strengthen the denition by

requiring that zeroknowledge holds with resp ect to any apriori information which is captured

by an auxiliary input to the prover This strengthening is imp ortant b ecause it allows to use

zeroknowledge pro ofs inside larger proto cols ie the original motivation where auxiliary input

captures information obtained b efore the zeroknowledge pro of is invoked In particular auxiliary

inputs are imp ortant for sequential comp osition of zeroknowledge Stress that so far typical zero

knowledge pro ofs were also zeroknowledge with resp ect to auxiliary input but this may change in

the future following Baraks recent result

Lemma lo osely stated Zeroknowledge with respect to auxiliary input is preserved under

sequential composition

Postpone the pro of of this lemma to the end of the lecture and sketch it only if time p ermits

Stress that closure under parallel comp osition do es not necessarily hold which may b e a warning

to those happy to rely on unsound intuitions

How to construct zeroknowledge pro ofs for NP

Sec

Start with an abstract description ie referring to lo cked b oxes of the colorability pro of system

You may actually play the proto col in class using slides if you are oldfashioned like me or

a p owerpoint Establish p erfect completeness and pitiful yet noticeable soundness Present

and analyze the abstract simulator

The proto col is to b e sequentially rep eated to obtain a reasonable soundness b ound stress

that each rep etition calls for indep endent coin tosses and so although there are only p ossible

relab ellings of the colors a random one is selected indep endently at each rep etition

Actual digital implementation This calls for a digital implementation of lo cked b oxes

which leads to the notion of commitment schemes Dene this notion referring to hiding and

binding after the commit phase and present a simple construction based on oneway func

tions State and discuss as time p ermits the pro of of the following

Theorem lo osely stated Assuming the existence of commitment schemes there exists a

zeroknowledge proof system for Colorability

Imp ortant comments

The prop er prover in the ab ove pro of system can b e implemented in probabilistic p olynomial

time provided it is given a coloring as an auxiliary input

Zeroknowledge holds also with resp ect to auxiliary input given to the verier

1

Draw the graph on the rst slide and cover the vertices drawn as small cycles by small removable pieces of

nontransparent material The extra slides show random colorings obtained from one canonical partition of the

graph into indep endent sets Select one of these slides at random and place it b ehind the master slide inviting the

students to sp ecify an edge and revealing the colors of its endp oints by removing the corresp onding pieces

HOW TO CONSTRUCT ZEROKNOWLEDGE PROOFS FOR NP

The fact that colorability has a zeroknowledge pro of do es imply that so do es every language

in NP but there are minor subtleties in this implication ie one has to rely either on the

fact that zeroknowledge holds also with resp ect to auxiliary input or on prop erties of several

relevant reductions

The ab ove three comments are essential to the wide applicability of the construction Stress that

a typical claim regarding prop er b ehavior of one party wrt veriable secrets is an NPassertion

and that the acting party knows the relevant NPwitness and thus can play the prover role in

probabilistic p olynomialtime

Historical Notes

Zeroknowledge was introduced and dened by Goldwasser Micali and Racko The original

denition was augmented with auxiliary inputs in where the Sequential Comp osition Lemma

ie Lemma was proven

Theorem implying that using commitment schemes zeroknowledge pro ofs can b e con

structed for any language in NP was proved by Goldreich Micali and Wigderson Our

presentation follows theirs

LECTURE CONSTRUCTING ZEROKNOWLEDGE PROOFS

Lecture

Dening Security of Encryption

Schemes

Summary

After presenting the basic syntax we dene two equivalent notions of security semantic

security and the technical denition of indistinguishability of encryptions We prove the

equivalence of the two denitions and consider their generalization to the encryption

of several plaintexts under the same key We discuss the inherent role of probabilistic

encryption algorithms for satisfying the denitions

The Basic Setting

Sec

Dep ending on the background of the student and on what was done in the introductory lecture

describ e andor recall the basic setting an insecure communication channel tapp ed by an adversary

and two parties that wish nevertheless to communicate in secrecy using that channel Argue that

the receiver must know something that the adversary do es not know and call this thing a key The

key is used to decrypt encryptedmessages called ciphertexts using a metho d that without loss of

generality may b e assumed to b e universal ie known to all Argue that the encryption metho d

must use a corresp onding key and conclude by mentioning a metho d of generating keypairs

Together these three metho ds or randomized algorithms constitute an encryption scheme with

a minimal syntactic requirement that decryption works

Point out that the ab ove discussion do es not mandate that the encryptionkey equals the

decryptionkey although in traditional schemes this is the case In such a case the key dis

tribution problem arises and is traditionally solved via an exp ensive secret channel Introduce

the notion of publickey encryption schemes and show how it trivially solves the key distribution

problem Stress that the dierence b etween privatekey and publickey is reected in the denition

of security which is the main sub ject of the current lecture

Denitions of Security

Sec

LECTURE DEFINING SECURITY OF ENCRYPTION SCHEMES

Semantic Security and Indistinguishability of Encryptions

Introduce the denition of semantic security rst emphasizing its natural app eal Comment that

the denition ts into the simulation paradigm Stress that it requires much more than merely the

infeasibility of recovering the entire plaintext and justify why the latter do es not suce Stress

that the dierence b etween the publickey and the privatekey mo del amounts to whether or not

the real adversary gets the encryptionkey as input

Note that unrestricted partial information function h provides you with all the nonuniformity

you need for the rest of the presentation and there is no need to consider nonuniform circuits

in this denition The letter h stands for history but some may prefer to use for leak

Advanced comment Actually talking in terms of nonuniform circuits will only complicate

things b ecause you may need to require that the description of the b enign adversaries also rep

resented by nonuniform circuits should b e eciently computable from the description of the real

adversaries Not making this requirement yields a denition that do es not seem satisfactory b e

cause it may take much more eort to nd a b enign adversary than to nd a real one The same

issue may arise also in case the adversaries are represented by uniform algorithms but seem much

less acute in the latter case

Turning to indistinguishability of encryptions stress that this is a technical denition which

is useful b ecause it is equivalent to semantic security while b eing easier to work with Here we

explicitly use nonuniformity in the formulation ie the distinguishing circuits are nonuniform

Refer again to the dierence b etween the publickey and the privatekey mo dels

Equivalence of the two denitions

The interesting ie useful direction is the fact that indistinguishability of encryptions implies

semantic security This is shown by explicitly constructing the b enign adversary which merely

invokes the real adversary on an encryption of a dummy value Stress that the b enign adversary

generates a keypair by itself and thus can work as stated also in the privatekey mo del Next show

that the b enign adversary p erforms essentially as well as the real one b ecause indistinguishability

of encryptions essentially guarantees that the real adversary cannot distinguish the real situation

when it gets an encryption of the plaintext from the simulated one when it gets an encryption

of a dummy value Extensive use of nonuniformity makes the implementation of this pro of idea

quite easy

The other direction is essentially easier b ecause in a sense indistinguishability of encryptions is a

sp ecial case of semantic security in which the message distribution is uniform over two strings The

pro of is slightly complicated by the fact that we have to accommo date nonuniform distinguishers

as in indistinguishability of encryptions by uniform distinguishers provide by semantic secu

rity here is where the nonuniformity of h comes to our rescue ie we dene hx to provide the

circuit used to distinguish b etween the encryptions of the sp ecic pair of jxjlong bit plaintexts

Probabilistic Encryption

Show that in the publickey mo del a secure encryption scheme must employ a probabilistic en

cryption algorithm Use the technical denition of indistinguishability of encryption

DEFINITIONS OF SECURITY

Security of Multiple Encryptions

Discuss the extension of the two denitions to multiple messages using the same key and suggest

the following three exercises

Providing a formulation of b oth extensions and proving their equivalence

Proving that in the publickey mo del the singlemessage formulation implies the multiple

message one

Hint use the technical denition of indistinguishability of encryption Note that it may

b e dreadful to prove this implication while using the semantic security formulation without

passing through the technical denition

Show that in the privatekey mo del the singlemessage formulation is strictly weaker than the

multiplemessage one

Hint Show that deterministic encryption algorithm suces for secure privatekey encryp

tion of a single message but cannot provide security for encryption of two messages

Well discuss the third exercise in the next lecture

Historical Notes

The central role of complexity theory in cryptography can b e traced to Shannons seminal work

Demonstrating the inherent limitations of the information theoretic notion of security Shannon

concluded that one should settle for a computational relaxation of the secrecy condition That is

rather than requiring that the ciphertext yields no information on the plaintext one has to require

that such information cannot b e eciently computed from the ciphertext

The notion of publickey encryption scheme was introduced by Die and Hellman First

concrete candidates were suggested by Rivest Shamir and Adleman and by Merkle and Hell

man However satisfactory denitions of security were presented only a few years afterwards

by Goldwasser and Micali Indeed the latter work is the basis of the entire rigorous approach to

cryptography presented in the current b o ok The pap ers title Probabilistic Encryption is due

to the authors realization that publickey encryption schemes in which the encryption algorithm

is deterministic cannot b e secure in the sense dened in their pap er

Technically sp eaking the two denitions we presented are somewhat dierent from the two cor

resp onding denitions in although all these variants are equivalent Sp ecically our formula

tion of semantic security follows the later formulations of the simulation paradigm by Goldwasser

Micali and Racko The adaptation has rst app eared in

LECTURE DEFINING SECURITY OF ENCRYPTION SCHEMES

Bibliography

W Alexi B Chor O Goldreich and CP Schnorr RSARabin Functions Certain Parts are

As Hard As the Whole SIAM J on Comput Vol April pages

L Babai Trading Group Theory for Randomness In th STOC pages

B Barak How to Go Beyond the BlackBox Simulation Barrier In nd FOCS pages

M Blum and S Goldwasser An Ecient Probabilistic PublicKey Encryption Scheme which

hides all partial information In Crypto LNCS SpringerVerlag pages

M Blum and S Micali How to Generate Cryptographically Strong Sequences of Pseudo

Random Bits SIAM J on Comput Vol pages

Preliminary version in rd FOCS

W Die and ME Hellman New Directions in Cryptography IEEE Trans on Info Theory

IT Nov pages

O Goldreich Foundation of Cryptography Class Notes Preprint Spring

Sup erseded by the combination of and

O Goldreich A Uniform Complexity Treatment of Encryption and ZeroKnowledge Journal

of Cryptology Vol No pages

O Goldreich Foundation of Cryptography Fragments of a Book February Available

from httptheorylcsmiteduodedfraghtml

Sup erseded by the combination of and

O Goldreich Modern Cryptography Probabilistic Proofs and Pseudorandomness Algorithms

and Combinatorics series Vol Springer

O Goldreich Secure MultiParty Computation In preparation Working draft available

from httptheorylcsmiteduodedgmwhtml

O Goldreich Encryption Schemes fragments of a chapter December Available from

httpwwwwisdomweizmannacilodedfocbookhtml

O Goldreich Signature Schemes fragments of a chapter May Available from

httpwwwwisdomweizmannacilodedfocbookhtml

BIBLIOGRAPHY

O Goldreich Foundation of Cryptography Basic Tools Cambridge University Press

Fragments of this b o ok have app eared as

O Goldreich S Goldwasser and S Micali How to Construct Random Functions JACM

Vol No pages

O Goldreich and LA Levin Hardcore Predicates for any OneWay Function In st STOC

pages

O Goldreich S Micali and A Wigderson Pro ofs that Yield Nothing but their Validity or

All Languages in NP Have ZeroKnowledge Pro of Systems JACM Vol No pages

Preliminary version in th FOCS

O Goldreich S Micali and A Wigderson How to Play any Mental Game A Completeness

Theorem for Proto cols with Honest Ma jority In th STOC pages

O Goldreich N Nisan and A Wigderson On Yaos XORLemma ECCC TR

O Goldreich and Y Oren Denitions and Prop erties of ZeroKnowledge Pro of Systems

Jour of Crypto Vol No pages

O Goldreich R Rubinfeld and M Sudan Learning p olynomials with queries the highly

noisy case SIAM J on Disc Math Vol pages

S Goldwasser and S Micali Probabilistic Encryption JCSS Vol No pages

Preliminary version in th STOC

S Goldwasser S Micali and C Racko The Knowledge Complexity of Interactive Pro of

Systems SIAM J on Comput Vol pages

Preliminary version in th STOC

J Hastad R Impagliazzo LA Levin and M Luby A Pseudorandom Generator from any

Oneway Function SIAM J on Comput Vol pages

Preliminary versions by Impagliazzo et al in st STOC and Hastad in nd STOC

LA Levin OneWay Function and Pseudorandom Generators Combinatorica Vol pages

AJ Menezes PC van Oorschot and SA Vanstone Handbook of Applied Cryptography

CRC Press

RC Merkle and ME Hellman Hiding Information and Signatures in Trapdo or Knapsacks

IEEE Trans Inform Theory Vol pages

R Rivest A Shamir and L Adleman A Metho d for Obtaining Digital Signatures and

PublicKey Cryptosystems CACM Vol Feb pages

BIBLIOGRAPHY

CE Shannon Communication Theory of Secrecy Systems Bel l Sys Tech J Vol pages

AC Yao Theory and Application of Trapdo or Functions In rd FOCS pages