-
Notifications
You must be signed in to change notification settings - Fork 13
/
lec11-F24.tex
170 lines (140 loc) · 15.6 KB
/
lec11-F24.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
% !TEX root = collection.tex
\section{BLS Signatures}
\paragraph{Bilinear Pairings.} Recall that we used prime order groups $\mathbb{G}$ to build the Schnorr signature scheme. Today we will introduce another mathematical object, pairing friendly groups, which support a new ``bilinear pairing'' operation defined as follows. Let $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_T$ be groups of prime order $p$. We define a bilinear pairing $e: G_1 \times G_2 \rightarrow \mathbb{G}_T$ to be an \emph{efficiently} computable map that satisfies the following properties:
\begin{itemize}
\item Bilinearity: For all $a, b \in \mathbb{Z}_p$ and $g_1 \in G_1, g_2 \in G_2$, we have $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$.
\item Non-degenerate: $e(g_1, g_2) \neq 1_{\mathbb{G}_T}$.
\end{itemize}
Observe that in any group, by using the group operation, one can compute ``additions'' of the scalar exponents, but in pairing friendly groups one can additionally compute \emph{one} ``multiplication'' of the scalar exponents.
Note that while a pairing provides us with additional \emph{functionality}, it also means that we need to reevaluate any hardness assumptions that we have made. Consider for instance the decisional Diffie-Hellman (DDH) assumption which states that it is hard to distinguish between $(g, g^a, g^b, g^{ab})$ and $(g, g^a, g^b, g^c)$ for random $a, b, c \in \mathbb{Z}_p$. In the presence of a bilinear pairing, natural variants of the DDH assumption are no longer hard such as distinguishing between $(g_1, g_2, g_1^a, g_2^b, g_1^{ab})$ and $(g_1, g_2, g_1^a, g_2^b, g_1^{c})$. Instead, we will define new assumptions that are conjectured to be hard even given a bilinear pairing.
\paragraph{co-CDH assumption.} Let $\mathbb{G}_1$, $\mathbb{G}_2$ be groups of prime order with generators $g_1$ and $g_2$ and let $e: \mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$ be an efficiently computable bilinear pairing. The co-CDH assumption states that for all non-uniform PPT adversaries $\adv$:
\begin{align*}
\Pr\left[ \adv(g_1, g_2, g_1^a, g_1^b, g_2^b) \to g_1^{ab} \mid a,b \sample \mathbb{Z}_p \right] \leq \negl
\end{align*}
\paragraph{BLS Signature scheme.} We are now ready to describe the BLS signature scheme~\cite{AC:BonLynSha01}.
\begin{itemize}
\item $\Gen(1^\lambda)$: Sample $\sk \sample \mathbb{Z}_p$ and set $\vk \gets g_2^\sk$. Output $(\vk, \sk)$.
\item $\Sign(\sk, m)$: Given a message $m \in \{0,1\}^*$, output $\sigma \gets H(m)^{\sk}$, where $H: \{0,1\}^* \to \mathbb{G}_1$ is a hash function that maps arbitrary strings to elements in $\mathbb{G}_1$.
\item $\Verify(\vk, m, \sigma)$: Output $e(\sigma, g_2) \stackrel{?}{=} e(H(m), \vk)$.
\end{itemize}
\paragraph{Correctness.} Correctness is easy to see by plugging in explicit expressions for the signature and verification key -- $e(\sigma=H(m)^\sk, g_2) \stackrel{?}{=} e(H(m), \vk=g_2^\sk)$.
\paragraph{Security.} If $H$ is modelled as a random oracle, we will show that if there exists an adversary $\adv$ that can forge a signature with non-negligible probability, then we can use $\adv$ to build $\advb$ that can solve the co-CDH problem with non-negligible probability.
\begin{theorem}
The BLS signature scheme is is existentially unforgeable under chosen message attacks assuming the co-CDH problem is hard in the random oracle model.
\end{theorem}
\begin{proof}
We will use a similar strategy as in the proof of RSA full domain hash. Let $\adv$ be a non-uniform PPT adversary that can forge a signature with non-negligible probability. We will use $\adv$ to build a non-uniform PPT adversary $\advb$ that can solve the co-CDH problem with non-negligible probability.
$\advb$ works as follows:
\begin{itemize}
\item $\advb$ receives $(g_1, g_2, g_1^a, g_1^b, g_2^b)$ as input and is tasked with computing $g_1^{ab}$.
\item $\advb$ now runs the EUF-CMA game with $\adv$ where $\adv$ makes signing queries and in the end outputs a forgery $(m^*, \sigma^*)$, where $m^*$ has not been previously queried.
\item At the start of the protocol, $\advb$ sets $\vk = g_1^b$ and sends it to $\adv$. For all random oracle queries $H(m)$, $\adv$ samples $r \sample \mathbb{Z}_p$ and sets $H(m) = g_1^r$. When $\adv$ asks for a signature on $m_i$, $\advb$ samples $r_i \sample \mathbb{Z}_p$ and sets $H(m_i) = g_1^{r_i}$ (if the query has not been previously made). It then responds with $\sigma_i = H(m_i)^b = (g_1^b)^{r_i}$. However, for a randomly chosen index $i^*$ (out of the maximum number of queries $\adv$ can make), $\advb$ sets $H(m_{i^*}) = g_1^a$. Now, if $\adv$ asks for a signature on the chosen $m_{i^*}$, $\advb$ aborts and restarts the EUF-CMA game. In the ends, $\adv$ outputs a forgery with non-negligible probability. And since there are only a polynomial number of queries, $\adv$ outputs a forgery on $m_{i^*}$ with non-negligible probability. In which case $\advb$ outputs $\sigma_{i^*}$ as its output in the co-CDH game.
\end{itemize}
We now analyze the probability that $\advb$ solves the co-CDH problem.
\begin{align*}
\Pr[\advb \to g_1^{ab}] & = \Pr[\adv \text{ outputs forgery} \wedge m_{i^*} \text{ was not queried} \wedge \text{forgery on } m_{i^*}] \\
& \geq \epsilon \times \left( 1 -\frac{1}{q_h}\right)^{q_s} \times \frac{1}{q_h}
\end{align*}
which is non-negligible.
Thus, by contradiction, the BLS signature scheme is existentially unforgeable under chosen message attacks assuming the co-CDH problem is hard in the random oracle model.
\end{proof}
\section*{Exercises}
\begin{exercise}
\textbf{Digital signature schemes can be made deterministic.} Given a digital signature scheme $(\mathsf{Gen}, \mathsf{Sign}, \mathsf{Verify})$ for which $\mathsf{Sign}$ is probabilistic, provide a construction of a digital signature scheme $(\mathsf{Gen}', \mathsf{Sign}', \mathsf{Verify}')$ where $\mathsf{Sign}'$ is deterministic.
\end{exercise}
\chapter{Public Key Encryption}
Public key encryption allows two parties
to communicate with each other with the guarantees of privacy for their messages against an eavesdropper who monitors all communication between the two parties. Recall that we were able to build Digital Signatures and Symmetric Key Encryption, from the weakest building block in cryptography -- one-way functions. However, there are lower bounds
~\cite{STOC:ImpRud89}
suggesting that public key encryption cannot be built from one-way functions alone. Instead, we will build public key encryption from more structured assumptions (which are a \emph{stronger} assumption in the sense that they imply one-way functions).
\section{Definitions}
\begin{definition}[Public Key Encryption]
A public key encryption scheme is a tuple of three algorithms $(\gen$, $\enc, \dec)$ defined as follows:
\begin{itemize}
\item $\gen(1^\secpar) \to (\pk, \sk)$: outputs a public key and secret key $(\pk, \sk)$.
\item $\enc(\pk, m) \to c$: Takes as input the public key and a message $m$ and outputs a ciphertext $c$.
\item $\dec(\sk, c) \to m$: Takes as input a secret key $\sk$ and ciphertext $c$, and output a message $m$.
\end{itemize}
\end{definition}
\begin{definition}[Perfect Correctness]
A public key encryption scheme $(\gen$, $\enc, \dec)$ is said to be correct if for all $\secpar \in \mathbb{N}$, $(\pk, \sk) \gets \gen(1^\secpar)$, $m \in \{0,1\}^*$, it holds that
\[\Pr[\dec(\sk, \enc(\pk, m)) = m] = 1\]
\end{definition}
The above definition can be relaxed to allow for a negligible probability of error during decryption and still remain meaningful.
We now define two different notions of security for public key encryption schemes -- IND-CPA and IND-CCA security.
\begin{definition}[IND-CPA Security]
A public key encryption scheme $(\gen$, $\enc, \dec)$ is said to be IND-CPA-secure if for all non-uniform PPT $\adv$,
\[\left|\Pr[\mathsf{Exp}_{\adv}^{\mathsf{CPA}(\secpar)} = 1] - \frac{1}{2}\right| \leq \negl,\]
where $\mathsf{Exp}_{\adv}^{\mathsf{CPA}(\secpar)}$ is defined as follows:
\begin{itemize}
\item $(\pk, \sk) \gets \gen(1^\secpar)$.
\item $b \sample \{0,1\}$.
\item $\adv(\pk) \to (m_0, m_1, \mathsf{st})$.
\item $c^* \gets \enc(\pk, m_b)$.
\item $\adv(c^*, \mathsf{st}) \to b'$.
\item Output $1$ if $b = b'$ and $0$ otherwise.
\end{itemize}
\end{definition}
\begin{definition}[IND-CCA Security]
A public key encryption scheme $(\gen$, $\enc, \dec)$ is said to be IND-CCA-secure if for all non-uniform PPT $\adv$,
\[\left|\Pr[\mathsf{Exp}_{\adv}^{\mathsf{CCA}(\secpar)} = 1] - \frac{1}{2}\right| \leq \negl,\]
where $\mathsf{Exp}_{\adv}^{\mathsf{CCA}(\secpar)}$ is defined as follows:
\begin{itemize}
\item $(\pk, \sk) \gets \gen(1^\secpar)$.
\item $b \sample \{0,1\}$.
\item $\adv^{\Dec(\sk)}(\pk) \to (m_0, m_1, \mathsf{st})$.
\item $c^* \gets \enc(\pk, m_b)$.
\item $\adv^{\Dec(\sk)}(c^*, \mathsf{st}) \to b'$, where the decryption oracle now returns $\bot$ when queried on $c^*$.
\item Output $1$ if $b = b'$ and $0$ otherwise.
\end{itemize}
\end{definition}
\section{Trapdoor Functions}
\begin{definition}[Trapdoor Function]
A trapdoor function is a tuple of four algorithms $(\gen, f, f^{-1}, D)$ defined as follows:
\begin{itemize}
\item $\gen(1^\secpar) \to (s,t)$: outputs an index $s$ and corresponding trapdoor $t$.
\item $D(s)$: Outputs a description of the domain of the trapdoor function.
\item $f(s, x) \to y$: Takes as input an index $s$ and a element $x$ from the domain of the trapdoor function and outputs an element $y$.
\item $f^{-1}(t, y) \to x$: Takes as input a trapdoor $t$ and an element $y$ from the range of the trapdoor function and outputs an element $x$.
\end{itemize}
We require the following properties:
\begin{itemize}
\item \textbf{Correctness:} For all $\secpar \in \mathbb{N}$, $(s,t) \gets \gen(1^\secpar)$, $x \in D(s)$, it holds that $\Pr[f^{-1}(t, f(s, x)) \neq x] = \negl$. Note that if we demand that $f$ is injective, then this property is automatically satisfied.
\item \textbf{One-wayness:} For all non-uniform PPT $\adv$, we have $\Pr[\adv(s, y) \to x \mid (s,t) \gets \gen(1^\secpar), x \sample D(s), y \gets f(s, x)] = \negl$.
\end{itemize}
\end{definition}
\section{Public Key Encryption from Trapdoor Functions}
Given a trapdoor function, we can build a public key encryption scheme as follows:
\begin{itemize}
\item $\gen(1^\secpar)$: Run $\mathsf{TDF}.\gen(1^\secpar)$ to obtain $(s,t)$. Set $\pk = s$ and $\sk = t$.
\item $\enc(\pk, m)$: Sample $x \sample D(s)$ and compute $y \gets f(s, x)$. Sample $r \sample \{0,1\}^{|x|}$ and output $c = (y, r, m \oplus \mathsf{HC}(x,r))$, where $\mathsf{HC}$ is the hardness concentration bit, as defined in~Section~\ref{sec:levin-owf}.
\item $\dec(\sk, c)$: Parse $c = (y, r, z)$ and output $m = z \oplus \mathsf{HC}(f^{-1}(t, y), r)$.
\end{itemize}
\paragraph{Proof Sketch.} To show that the above scheme is CPA secure, observe that the message space $\{0,1\}$. So the only two messages the distinguisher can pick are $m_0=0$ and $m_1=1$. Now if the distinguisher can indeed distinguish between encryptions of $m_0$ and $m_1$, then the same distinguisher can be used to identify the hardness concentration bit. By using a similar strategy as in the proof of~Theorem~\ref{thm:hard-concentrate-bit}, we can recover the pre-image $x$ of the trapdoor function. Thus, violating the one-wayness of the trapdoor function.
\section{Public Key Encryption from Computational Diffie-Hellman}
Although we have a construction of public key encryption from trapdoor functions, we did not know how to build trapdoor functions from some very natural assumptions such as CDH for quite some time. It was only recently that Garg and Hajiabadi~\cite{C:GarHaj18}
showed that this was indeed possible. Given the non-trivial nature of the construction, we will not cover it in this course and instead provide a \emph{direct} construction of public key encryption from the Computational Diffie-Hellman (CDH) assumption.
Let $\mathbb{G}$ be a prime order group of order $p$ with generator $g$, where the CDH problem is assumed to be hard.
\begin{itemize}
\item $\gen(1^\secpar)$: Sample $\sk \sample \mathbb{Z}_p$ and set $\pk \gets g^\sk$. Output $(\pk, \sk)$.
\item $\enc(\pk, m)$: Sample $\alpha \sample \mathbb{Z}_p$, and set $y \gets g^\alpha$, $k \gets \pk^\alpha$. Now sample $r \sample \{0,1\}^{|B|}$ and output $c = (y, r, m \oplus \mathsf{HC}(k, r))$.
\item $\dec(\sk, c)$: Parse $c = (y, r, z)$ and compute $k \gets y^\sk$. Output $m = z \oplus \mathsf{HC}(k, r)$.
\end{itemize}
\paragraph{Proof Sketch.} The proof of security is similar to the proof of security for the trapdoor function based public key encryption scheme. The only difference is that we now we reduce the hardness of the CDH problem.
\section{Improving Efficiency.}
The above construction can only be used to encrypt a single bit and results in a ciphertext of size $O(\poly)$. Encrypting a message with $M$ bits, results in a ciphertext of size $O(M \cdot \poly)$. Encryption and decryption also requires $O(M)$ public-key operations (evaluating the TDF/group operations) and we would like to bring this down to $O(1)$. The idea is to extract a symmetric key instead of a single bit by replacing the hardness concentration function with a random oracle. We can then use the symmetric key to encrypt long message with constant rate.
The construction is almost identical except that we replace the hardness concentration bit with a random oracle to extract a symmetric key that can be used to encrypt a long message. Given a trapdoor function the construction works as follows:
\begin{itemize}
\item $\gen(1^\secpar)$: Run $\mathsf{TDF}.\gen(1^\secpar)$ to obtain $(s,t)$. Set $\pk = s$ and $\sk = t$.
\item $\enc(\pk, m)$: Sample $x \sample D(s)$ and compute $y \gets f(s, x)$. Encrypt $m$ using a symmetric encryption scheme with key $H(x)$ as $z \gets \mathsf{Sym}.\enc(H(x), m)$. Output $c = (y, z)$.
\item $\dec(\sk, c)$: Parse $c = (y, z)$ and compute $x \gets f^{-1}(t, y)$. Decrypt $z$ using the symmetric encryption scheme with key $H(x)$ as $m \gets z \oplus \mathsf{Sym}.\dec(H(x), z)$. Output $m$.
\end{itemize}
The same idea can be extended to the CDH based public key encryption scheme.
\begin{theorem}
The construction above is IND-CPA secure in the random oracle model assuming $f$ is a trapdoor function.
\end{theorem}
\begin{proof}
Given an adversary $\adv$ that can win the IND-CPA game, with non-negligible advantage, we construct an adversary $\advb$ that can break either the one-wayness of the trapdoor function or the security of the with non-negligible advantage.
Let $s, y^*$ be the challenge given to $\advb()$. $\advb$ provides $\adv$ with $\pk \coloneq s$. $\adv$ outputs $(m_0, m_1)$ and in response $\advb$ computes a challenge ciphertext as follows: Sample $b \sample \{0,1\}$, a random key $k^* \sample \{0,1\}^{|B|}$ and set $z^* \gets \mathsf{Sym}.\enc(k^*, m_b)$. $\advb$ also lazily samples responses to random oracle queries except if a query $q$ satisfies $f(s, q) = y^*$, then $\advb$ sets $H(q) = k^*$, and outputs $q$ as the inverse image of $y^*$ under $f$.
We now argue that $\adv$ queries the random oracle on an element $q$ such that $f(s, q) = y^*$, with non-negligible probability. If this never occurs, then $\adv$ never receives receive $k^*$ but is able to distinguish symmetric-key encryptions of $m_0$ from encryptions of $m_1$ with non-negligible probability. This violates the security of the symmetric encryption scheme. Thus, $\adv$ must query the random oracle on an element $q$ such that $f(s, q) = y^*$ with non-negligible probability and hence $\advb$ succeeds with non-negligible probability.
\end{proof}