Encryption Schemes and Digital Signatures: Indistinguishability and Security Definitions, Study notes of Cryptography and System Security

These notes cover encryption schemes, their security definitions, and the concept of indistinguishability in the context of public-key encryption. They also introduce the definitions of security for encryption schemes and the difference between private-key and public-key encryption, and explain message authentication and its relation to encryption schemes.

Typology: Study notes

2011/2012

Uploaded on 04/26/2012

king-ben111


Foundations of Cryptography

Cryptography is concerned with the conceptualization, definition, and construction of computing systems that address security concerns. The design of cryptographic systems must be based on firm foundations. Foundations of Cryptography presents a rigorous and systematic treatment of foundational issues: defining cryptographic tasks and solving new cryptographic problems using existing tools. The emphasis is on the clarification of fundamental concepts and on demonstrating the feasibility of solving several central cryptographic problems, as opposed to describing ad hoc approaches. This second volume contains a rigorous treatment of three basic applications: encryption, signatures, and general cryptographic protocols. It builds on the previous volume, which provides a treatment of one-way functions, pseudorandomness, and zero-knowledge proofs. It is suitable for use in a graduate course on cryptography and as a reference book for experts. The author assumes basic familiarity with the design and analysis of algorithms; some knowledge of complexity theory and probability is also useful.

Oded Goldreich is Professor of Computer Science at the Weizmann Institute of Science and incumbent of the Meyer W. Weisgal Professorial Chair. An active researcher, he has written numerous papers on cryptography and is widely considered to be one of the world experts in the area. He is an editor of Journal of Cryptology and SIAM Journal on Computing and the author of Modern Cryptography, Probabilistic Proofs and Pseudorandomness.

Foundations of Cryptography

II Basic Applications

Oded Goldreich

Weizmann Institute of Science

CAMBRIDGE UNIVERSITY PRESS Cambridge, New York, Melbourne, Madrid, Cape Town, Singapore, São Paulo, Delhi

Cambridge University Press The Edinburgh Building, Cambridge CB2 8RU, UK

Published in the United States of America by Cambridge University Press, New York

www.cambridge.org Information on this title: www.cambridge.org/

© Oded Goldreich 2004

This publication is in copyright. Subject to statutory exception and to the provisions of relevant collective licensing agreements, no reproduction of any part may take place without the written permission of Cambridge University Press.

First published 2004

This digitally printed version 2009

A catalogue record for this publication is available from the British Library

ISBN 978-0-521-83084-3 hardback

ISBN 978-0-521-11991-7 paperback

Contents

II Basic Applications

List of Figures xi
Preface xiii
Acknowledgments xxi

  • 5 Encryption Schemes
    • 5.1. The Basic Setting
      • 5.1.1. Private-Key Versus Public-Key Schemes
      • 5.1.2. The Syntax of Encryption Schemes
    • 5.2. Definitions of Security
      • 5.2.1. Semantic Security
      • 5.2.2. Indistinguishability of Encryptions
      • 5.2.3. Equivalence of the Security Definitions
      • 5.2.4. Multiple Messages
      • 5.2.5.* A Uniform-Complexity Treatment
    • 5.3. Constructions of Secure Encryption Schemes
      • 5.3.1.* Stream-Ciphers
      • 5.3.2. Preliminaries: Block-Ciphers
      • 5.3.3. Private-Key Encryption Schemes
      • 5.3.4. Public-Key Encryption Schemes
    • 5.4.* Beyond Eavesdropping Security
      • 5.4.1. Overview
      • 5.4.2. Key-Dependent Passive Attacks
      • 5.4.3. Chosen Plaintext Attack
      • 5.4.4. Chosen Ciphertext Attack
      • 5.4.5. Non-Malleable Encryption Schemes
    • 5.5. Miscellaneous
      • 5.5.1. On Using Encryption Schemes
      • 5.5.2. On Information-Theoretic Security
      • 5.5.3. On Some Popular Schemes
      • 5.5.4. Historical Notes
      • 5.5.5. Suggestions for Further Reading
      • 5.5.6. Open Problems
      • 5.5.7. Exercises
  • 6 Digital Signatures and Message Authentication
    • 6.1. The Setting and Definitional Issues
      • 6.1.1. The Two Types of Schemes: A Brief Overview
      • 6.1.2. Introduction to the Unified Treatment
      • 6.1.3. Basic Mechanism
      • 6.1.4. Attacks and Security
      • 6.1.5.* Variants
    • 6.2. Length-Restricted Signature Scheme
      • 6.2.1. Definition
      • 6.2.2. The Power of Length-Restricted Signature Schemes
      • 6.2.3.* Constructing Collision-Free Hashing Functions
    • 6.3. Constructions of Message-Authentication Schemes
      • 6.3.1. Applying a Pseudorandom Function to the Document
      • 6.3.2.* More on Hash-and-Hide and State-Based MACs
    • 6.4. Constructions of Signature Schemes
      • 6.4.1. One-Time Signature Schemes
      • 6.4.2. From One-Time Signature Schemes to General Ones
      • 6.4.3.* Universal One-Way Hash Functions and Using Them
    • 6.5.* Some Additional Properties
      • 6.5.1. Unique Signatures
      • 6.5.2. Super-Secure Signature Schemes
      • 6.5.3. Off-Line/On-Line Signing
      • 6.5.4. Incremental Signatures
      • 6.5.5. Fail-Stop Signatures
    • 6.6. Miscellaneous
      • 6.6.1. On Using Signature Schemes
      • 6.6.2. On Information-Theoretic Security
      • 6.6.3. On Some Popular Schemes
      • 6.6.4. Historical Notes
      • 6.6.5. Suggestions for Further Reading
      • 6.6.6. Open Problems
      • 6.6.7. Exercises
  • 7 General Cryptographic Protocols
    • 7.1. Overview
      • 7.1.1. The Definitional Approach and Some Models
      • 7.1.2. Some Known Results
      • 7.1.3. Construction Paradigms
    • 7.2.* The Two-Party Case: Definitions
      • 7.2.1. The Syntactic Framework
      • 7.2.2. The Semi-Honest Model
      • 7.2.3. The Malicious Model
    • 7.3.* Privately Computing (Two-Party) Functionalities
      • 7.3.1. Privacy Reductions and a Composition Theorem
      • 7.3.2. The OT^k_1 Protocol: Definition and Construction
      • 7.3.3. Privately Computing c1 + c2 = (a1 + a2) · (b1 + b2)
      • 7.3.4. The Circuit Evaluation Protocol
    • 7.4.* Forcing (Two-Party) Semi-Honest Behavior
      • 7.4.1. The Protocol Compiler: Motivation and Overview
      • 7.4.2. Security Reductions and a Composition Theorem
      • 7.4.3. The Compiler: Functionalities in Use
      • 7.4.4. The Compiler Itself
    • 7.5.* Extension to the Multi-Party Case
      • 7.5.1. Definitions
      • 7.5.2. Security in the Semi-Honest Model
      • 7.5.3. The Malicious Models: Overview and Preliminaries
      • 7.5.4. The First Compiler: Forcing Semi-Honest Behavior
      • 7.5.5. The Second Compiler: Effectively Preventing Abort
    • 7.6.* Perfect Security in the Private Channel Model
      • 7.6.1. Definitions
      • 7.6.2. Security in the Semi-Honest Model
      • 7.6.3. Security in the Malicious Model
    • 7.7. Miscellaneous
      • 7.7.1.* Three Deferred Issues
      • 7.7.2.* Concurrent Executions
      • 7.7.3. Concluding Remarks
      • 7.7.4. Historical Notes
      • 7.7.5. Suggestions for Further Reading
      • 7.7.6. Open Problems
      • 7.7.7. Exercises
  • Appendix C: Corrections and Additions to Volume 1
    • C.1. Enhanced Trapdoor Permutations
    • C.2. On Variants of Pseudorandom Functions
    • C.3. On Strong Witness Indistinguishability
      • C.3.1. On Parallel Composition
      • C.3.2. On Theorem 4.6.8 and an Afterthought
      • C.3.3. Consequences
    • C.4. On Non-Interactive Zero-Knowledge
      • C.4.1. On NIZKs with Efficient Prover Strategies
      • C.4.2. On Unbounded NIZKs
      • C.4.3. On Adaptive NIZKs
    • C.5. Some Developments Regarding Zero-Knowledge 775
      • C.5.1. Composing Zero-Knowledge Protocols 775
      • C.5.2. Using the Adversary’s Program in the Proof of Security 780
    • C.6. Additional Corrections and Comments 783
    • C.7. Additional Mottoes 784

Bibliography 785
Index 795

Note: Asterisks indicate advanced material.


Preface

It is possible to build a cabin with no foundations,

but not a lasting building.

Eng. Isidor Goldreich (1906–1995)

Cryptography is concerned with the construction of schemes that withstand any abuse. Such schemes are constructed so as to maintain a desired functionality, even under malicious attempts aimed at making them deviate from their prescribed functionality. The design of cryptographic schemes is a very difficult task. One cannot rely on intuitions regarding the typical state of the environment in which the system operates. For sure, the adversary attacking the system will try to manipulate the environment into untypical states. Nor can one be content with countermeasures designed to withstand specific attacks because the adversary (which acts after the design of the system is completed) will try to attack the schemes in ways that are typically different from the ones envisioned by the designer. The validity of the foregoing assertions seems self-evident; still, some people hope that in practice, ignoring these tautologies will not result in actual damage. Experience shows that these hopes rarely come true; cryptographic schemes based on make-believe are broken, typically sooner than later. In view of these assertions, we believe that it makes little sense to make assumptions regarding the specific strategy that the adversary may use. The only assumptions that can be justified refer to the computational abilities of the adversary. Furthermore, it is our opinion that the design of cryptographic systems has to be based on firm foundations, whereas ad hoc approaches and heuristics are a very dangerous way to go. A heuristic may make sense when the designer has a very good idea about the environment in which a scheme is to operate, yet a cryptographic scheme has to operate in a maliciously selected environment that typically transcends the designer’s view. This work is aimed at presenting firm foundations for cryptography.
The foundations of cryptography are the paradigms, approaches, and techniques used to conceptualize, define, and provide solutions to natural “security concerns.” We will present some of these paradigms, approaches, and techniques, as well as some of the fundamental results


to know what we want: As stated earlier, we must first clarify what exactly we want; that is, we must go through the typically complex definitional stage. But once this stage is completed, can we just assume that the definition derived can be met? Not really. Once a definition is derived, how can we know that it can be met at all? The way to demonstrate that a definition is viable (and so the intuitive security concern can be satisfied at all) is to construct a solution based on a better-understood assumption (i.e., one that is more common and widely believed). For example, looking at the definition of zero-knowledge proofs, it is not a priori clear that such proofs exist at all (in a non-trivial sense). The non-triviality of the notion was first demonstrated by presenting a zero-knowledge proof system for statements regarding Quadratic Residuosity that are believed to be hard to verify (without extra information). Furthermore, contrary to prior beliefs, it was later shown that the existence of one-way functions implies that any NP-statement can be proven in zero-knowledge. Thus, facts that were not at all known to hold (and were even believed to be false) were shown to hold by reduction to widely believed assumptions (without which most of modern cryptography collapses anyhow). To summarize, not all assumptions are equal, and so reducing a complex, new, and doubtful assumption to a widely believed simple (or even merely simpler) assumption is of great value. Furthermore, reducing the solution of a new task to the assumed security of a well-known primitive typically means providing a construction that, using the known primitive, solves the new task. This means that we not only know (or assume) that the new task is solvable but also have a solution based on a primitive that, being well known, typically has several candidate implementations.

Structure and Prerequisites

Our aim is to present the basic concepts, techniques, and results in cryptography. As stated earlier, our emphasis is on the clarification of fundamental concepts and the relationship among them. This is done in a way independent of the particularities of some popular number-theoretic examples. These particular examples played a central role in the development of the field and still offer the most practical implementations of all cryptographic primitives, but this does not mean that the presentation has to be linked to them. On the contrary, we believe that concepts are best clarified when presented at an abstract level, decoupled from specific implementations. Thus, the most relevant background for this work is provided by basic knowledge of algorithms (including randomized ones), computability, and elementary probability theory. Background on (computational) number theory, which is required for specific implementations of certain constructs, is not really required here (yet a short appendix presenting the most relevant facts is included in the first volume so as to support the few examples of implementations presented here).

Organization of the Work. This work is organized in two parts (see Figure 0.1): Basic Tools and Basic Applications. The first volume (i.e., [108]) contains an introductory chapter as well as the first part (Basic Tools), which consists of chapters on computational difficulty (one-way functions), pseudorandomness, and zero-knowledge proofs. These basic tools are used for the Basic Applications of the second part (i.e., the current

Volume 1: Introduction and Basic Tools
Chapter 1: Introduction
Chapter 2: Computational Difficulty (One-Way Functions)
Chapter 3: Pseudorandom Generators
Chapter 4: Zero-Knowledge Proof Systems

Volume 2: Basic Applications
Chapter 5: Encryption Schemes
Chapter 6: Digital Signatures and Message Authentication
Chapter 7: General Cryptographic Protocols

Figure 0.1: Organization of this work.

volume), which consists of chapters on Encryption Schemes, Digital Signatures and Message Authentication, and General Cryptographic Protocols. The partition of the work into two parts is a logical one. Furthermore, it has offered us the advantage of publishing the first part before the completion of the second part. Originally, a third part, entitled Beyond the Basics, was planned. That part was to have discussed the effect of Cryptography on the rest of Computer Science (and, in particular, complexity theory), as well as to have provided a treatment of a variety of more advanced security concerns. In retrospect, we feel that the first direction is addressed in [106], whereas the second direction is more adequate for a collection of surveys.

Organization of the Current Volume. The current (second) volume consists of three chapters that treat encryption schemes, digital signatures and message authentication, and general cryptographic protocols, respectively. Also included is an appendix that provides corrections and additions to Volume 1. Figure 0.2 depicts the high-level structure of the current volume. Inasmuch as this volume is a continuation of the first (i.e., [108]), one numbering system is used for both volumes (and so the first chapter of the current volume is referred to as Chapter 5). This allows a simple referencing of sections, definitions, and theorems that appear in the first volume (e.g., Section 1.3 presents the computational model used throughout the entire work). The only exception to this rule is the use of different bibliographies (and consequently a different numbering of bibliographic entries) in the two volumes. Historical notes, suggestions for further reading, some open problems, and some exercises are provided at the end of each chapter. The exercises are mostly designed to help and test the basic understanding of the main text, not to test or inspire creativity. The open problems are fairly well known; still, we recommend a check on their current status (e.g., in our updated notices web site).

Web Site for Notices Regarding This Work. We intend to maintain a web site listing corrections of various types. The location of the site is

http://www.wisdom.weizmann.ac.il/~oded/foc-book.html

Depending on the class, each lecture consists of 50–90 minutes. Lectures 1–15 are covered by the first volume. Lectures 16–28 are covered by the current (second) volume.

Lecture 1: Introduction, Background, etc. (depending on class)

Lectures 2–5: Computational Difficulty (One-Way Functions)
Main: Definition (Sec. 2.2), Hard-Core Predicates (Sec. 2.5)
Optional: Weak Implies Strong (Sec. 2.3), and Secs. 2.4.2–2.4.

Lectures 6–10: Pseudorandom Generators
Main: Definitional Issues and a Construction (Secs. 3.2–3.4)
Optional: Pseudorandom Functions (Sec. 3.6)

Lectures 11–15: Zero-Knowledge Proofs
Main: Some Definitions and a Construction (Secs. 4.2.1, 4.3.1, 4.4.1–4.4.3)
Optional: Secs. 4.2.2, 4.3.2, 4.3.3–4.3.4, 4.4.

Lectures 16–20: Encryption Schemes
Main: Definitions and Constructions (Secs. 5.1, 5.2.1–5.2.4, 5.3.2–5.3.4)
Optional: Beyond Passive Notions of Security (Overview, Sec. 5.4.1)

Lectures 21–24: Signature Schemes
Definitions and Constructions (Secs. 6.1, 6.2.1–6.2.2, 6.3.1.1, 6.4.1–6.4.2)

Lectures 25–28: General Cryptographic Protocols
The Definitional Approach and a General Construction (Overview, Sec. 7.1).

Figure 0.3: Plan for one-semester course on Foundations of Cryptography.

This work is intended to provide all material required for a course on Foundations of Cryptography. For a one-semester course, the teacher will definitely need to skip all advanced material (marked by an asterisk) and perhaps even some basic material; see the suggestions in Figure 0.3. Depending on the class, this should allow coverage of the basic material at a reasonable level (i.e., all material marked as “main” and some of the “optional”). This work can also serve as a textbook for a two-semester course. In such a course, one should be able to cover the entire basic material suggested in Figure 0.3, and even some of the advanced material.

Practice. The aim of this work is to provide sound theoretical foundations for cryptography. As argued earlier, such foundations are necessary for any sound practice of cryptography. Indeed, practice requires more than theoretical foundations, whereas the current work makes no attempt to provide anything beyond the latter. However, given a sound foundation, one can learn and evaluate various practical suggestions that appear elsewhere (e.g., in [149]). On the other hand, lack of sound foundations results in an inability to critically evaluate practical suggestions, which in turn leads to unsound decisions. Nothing could be more harmful to the design of schemes that need to withstand adversarial attacks than misconceptions about such attacks.

Relationship to Another Book by the Author

A frequently asked question refers to the relationship of the current work to my text Modern Cryptography, Probabilistic Proofs and Pseudorandomness [106]. That text consists of three brief introductions to the related topics in its title. Specifically, Chapter 1 of [106] provides a brief (i.e., 30-page) summary of the current work. The other two chapters of [106] provide a wider perspective on two topics mentioned in the current work (i.e., Probabilistic Proofs and Pseudorandomness). Further comments on the latter aspect are provided in the relevant chapters of the first volume of the current work (i.e., [108]).

A Comment Regarding the Current Volume

There are no privileges without duties.

Adv. Klara Goldreich-Ingwer (1912–2004)

Writing the first volume was fun. In comparison to the current volume, the definitions, constructions, and proofs in the first volume were relatively simple and easy to write. Furthermore, in most cases, the presentation could safely follow existing texts. Consequently, the writing effort was confined to reorganizing the material, revising existing texts, and augmenting them with additional explanations and motivations. Things were quite different with respect to the current volume. Even the simplest notions defined in the current volume are more complex than most notions treated in the first volume (e.g., contrast secure encryption with one-way functions or secure protocols with zero-knowledge proofs). Consequently, the definitions are more complex, and many of the constructions and proofs are more complex. Furthermore, in most cases, the presentation could not follow existing texts. Indeed, most effort had to be (and was) devoted to the actual design of constructions and proofs, which were only inspired by existing texts. The mere fact that writing this volume required so much effort may imply that this volume will be very valuable: Even experts may be happy to be spared the hardship of trying to understand this material based on the original research manuscripts.