CPSC 467b Lecture Notes, Week 11

[Course home page] [Course lectures] YALE UNIVERSITY
DEPARTMENT OF COMPUTER SCIENCE

CPSC 467b: Cryptography and Computer Security

Week 11 (rev. 3)

Professor M. J. Fischer

April 5 & 7, 2005

Lecture Notes, Week 11

1 Feige-Fiat-Shamir Signatures

A signature scheme has a lot in common with the "non-interactive interactive" proofs introduced in lecture notes week 10. In both cases, there is only a one-way communication from Alice to Bob. Alice signs a message and sends it to Bob. Bob then verifies it without further interaction with Alice. If Bob hands the message to Carol, then Carol can also verify that it was signed by Alice.

Not surprisingly, the "non-interactive interactive proof" ideas can be used to turn the Feige-Fiat-Shamir authentication protocol of lecture notes week 10 into a signature scheme. The signature scheme we present here is based on a slightly simplified version of the aforementioned protocol in which all of the v_i's in the public key are quadratic residues, and n is not required to be a Blum integer, only a product of two distinct odd primes. The public verification key is (n, v₁, …,v_k), and the private signing key is (n, s₁, …, s_k), where v_j = s_j⁻² mod n ( 1 ≤ j ≤ k).

To sign a message m, Alice simulates t rounds of the protocol in parallel. She first chooses random r₁, …, r_t ∈ Z_n − {0} and computes

x_i = r_i² mod n (1 ≤ i ≤ t).

Next she computes u = H(m x₁ …x_t), where H is a suitable cryptographic hash function. She chooses b_1,1,…, b_t,k according to the first tk bits of u, that is,

b_i,j = u_(i−1)*k+j (1 ≤ i ≤ t, 1 ≤ j ≤ k).

Finally, she computes

y_i = r s₁^b_i,1 …s_k^b_i,k mod n (1 ≤ i ≤ t).

The signature is

s = (b_1,1, …, b_t,k, y₁, …, y_t).

To verify the signed message (m,s), Bob computes

z_i = y_i² v₁^b_i,1 …v_k^b_i,k mod n (1 ≤ i ≤ t).

Bob checks that each z_i ≠ 0 and that b_1,1, …, b_t,k are equal to the first tk bits of H(m z₁ …z_t).

When both Alice and Bob are honest, it is easily verified that z_i = x_i (1 ≤ i ≤ t). In that case, Bob's checks all succeed since x_i ≠ 0 and H(m z₁ …z_t) = H(m x₁ …x_t).

To forge Alice's signature, an impostor must find b_i,j's and y_i's that satisfy the equation

b_1,1…b_t,k \preceq H(m (y₁² v₁^b_1,1 …v_k^b_1,k mod n) …(y_t² v₁^b_t,1 …v_k^b_t,k mod n)).

where "\preceq" means string prefix. It is not obvious how to solve such an equation without knowing a square root of each of the v_i⁻¹'s and following essentially Alice's procedure.

2 Secret Splitting

2.1 Simple two-part secret splitting

There are many situations in which one wants to grant access to a resource only if a sufficiently large group of agents cooperate. For example, a store safe might require both the manager's key and the armored car driver's key in order to be opened. This protects the store against a dishonest manager or armored car driver, and it also prevents an armed robber from coercing the manager into opening the safe. A similar 2-key system is used for safe deposit boxes in banks.

We might like to achieve the same properties for cryptographic keys or other secrets. For example, if k is the secret decryption key for a cryptosystem, one might wish to split k into two shares k₁ and k₂. By themselves, neither k₁ nor k₂ reveals any information about k, but when suitably combined, k can be recovered. A simple way to do this is to choose k₁ uniformly at random and then let k₂ = k ⊕k₁. Both k₁ and k₂ are uniformly distributed over the key space and hence give no information about k. However, combined with XOR, they reveal k, since k = k₁ ⊕k₂.

Indeed, the one-time pad cryptosystem of lecture notes week 1 can be viewed as an instance of secret splitting. Here, Alice's secret is her message m. The two shares are the ciphertext c and the key k. Neither by themselves gives any information about m, but together they reveal m = k ⊕c.

2.2 Multiple shares

Secret splitting generalizes to more than two shares. Imagine a large company that restricts access to important company secrets to only its five top executives, say the president, vice-president, treasurer, CEO, and CIO. They don't want any executive to be able to access the data alone since they are concerned that an executive might be blackmailed into giving confidential data to a competitor. On the other hand, they also don't want to require that all five executives get together to access their data, both because this would be cumbersome and also because they worry about the death or incapacitation of any single individual. They decide as a compromise that any three of them should be able to access the secret data, but not one or two of them operating alone.

A (τ, k) threshold secret splitting scheme splits a secret s into shares s₁, …, s_k. Any subset of τ or more shares allows s to be recovered, but no subset of shares of size less than τ gives any information about s.

Shamir's scheme

Shamir proposed a threshold scheme based on polynomials. A polynomial of degree d is an expression

f(x) = a₀ + a₁ x + a₂ x² + …+ a_d x^d.

where a_d ≠ 0. The numbers a₀, …, a_d are called the coefficients of f. A polynomial can be simultaneously regarded as a function and as an object determined by its vector of coefficients.

Interpolation is the process of finding a polynomial that goes through a given set of points. Let (x₁, y₁), …, (x_k, y_k) be points, where all of the x_i's are distinct. There is a unique polynomial f(x) of degree at most k−1 that passes through all k points, that is, for which f(x_i) = y_i (1 ≤ 1 ≤ k). f can be found using Lagrangian interpolation. This statement generalizes the familiar statement from high school geometry that two points determine a line.

Interpolation also works over finite fields, for example, Z_p for prime p. That is, any k points with distinct x coordinates determine a unique polynomial of degree at most k−1 over Z_p. Of course, we must have k ≤ p since Z_p has only p distinct coordinate values in all.

Here's how Shamir's (τ, k) secret splitting scheme works. Let Alice (also called the dealer) have secret s. She constructs a polynomial of degree at most τ−1 as follows: She sets a₀ = s, and she chooses a₁, …, a_τ−1 ∈ Z_p at random. Share s_i is the point (x_i, y_i), where x_i = i and y_i = f(i) (1 ≤ i ≤ k)¹.

s can be reconstructed from any set T of τ or more shares.

Suppose s_i₁, …, s_{i_τ} are τ distinct shares in T. By interpolation, there is a unique polynomial g(x) of degree d ≤ τ−1 that passes through these shares. By construction of the shares, f(x) also passes through these same shares; hence g=f as polynomials. In particular, g(0) = f(0) = s is the secret.

Any set T′ of fewer than τ shares gives no information about s.

Let T′ = { s_i₁, …, s_{i_r}} be a set of r < τ shares. There are in general many polynomials of degree ≤ τ−1 that interpolate the points in T′. In particular, for each s′ ∈ Z_p, there is a polynomial g_s′ that interpolates the shares in T′∪{(0, s′)}. Each of these polynomials passes through all of the shares in T′, so each is a plausible candidate for f. Moreover, g_s′(0) = s′, so each s′ is a plausible candidate for the secret s. One can show further that the number of polynomials that interpolate T′∪{(0, s′)} is the same for each s′ ∈ Z_p, so each possible candidate s′ is equally likely to be s. Hence, the shares in T′ give no information at all about s.

2.3 Extensions

Several variations on secret sharing have been studied. I mention two briefly but do not go into details.

Verifiable secret sharing. A dealer has a secret s which she wishes to share with a number of players. The dealer can of course always lie about the true value of her secret, but, as with bit commitment, the players want assurance that their shares do in fact code a unique secret. That is, whenever sufficiently many shares are assembled to reconstruct the secret, the same secret s is recovered, no matter which shares are used. In Shamir's (τ,k) threshold scheme, this will be true only if all of the shares lie on a single polynomial of degree at most k−1. However, if the dealer is dishonest and gives bad shares to some of the players, the resulting shares might not lie on any polynomial of degree k−1 or smaller. The players have no way to discover this until later when they try to reconstruct s.

In verifiable secret sharing, the sharing phase is an active protocol involving the dealer and all of the players. At the end of this phase, either the dealer is exposed as being dishonest, or all of the players end up with shares that are consistent with a single secret. Needless to say, protocols for verifiable secret sharing are quite complicated.

Fault tolerance. Even if the dealer is assumed to be honest, there is still the problem of actively dishonest players. With Shamir's scheme, a share that just disappears does not prevent the secret from being reconstructed, as long as enough valid shares remain. But if a player lies about his share and presents a corrupted share, then that share might be used by the other players in reconstructing an incorrect value for the secret. A fault-tolerant secret sharing scheme should allow the secret to be correctly reconstructed, even in the face of a certain number of corrupted shares.

Of course, it may be desirable to have schemes that can tolerate dishonesty in both dealer and a certain number of players. The interested reader is encouraged to explore the extensive literature on this subject.

3 Bit-Commitment Problem

Alice and Bob want to play a game over the internet. Alice says, "I'm thinking of a bit. If you guess my bit correctly, I'll give you $10. If you guess wrong, you give me $10." Bob says, "Ok, I guess zero." Alice replies, "Sorry, you lose. I was thinking of one."

While this game may seem fair on the surface, there is nothing to prevent Alice from changing her mind after Bob makes his guess. Even if Alice and Bob play the game face to face, they still must do something to commit Alice to her bit before Bob makes his guess. For example, Alice might be required to write her bit down on a piece of paper and seal it in an envelope. After Bob makes his guess, he opens the envelope and knows whether he has won or lost. The act of writing down the bit commits Alice to that bit, even though Bob doesn't learn its value until later.

The bit-commitment problem is to implement an electronic form of sealed envelope called a commitment or blob or cryptographic envelope. Intuitively, a blob has two properties: (1) It is not possible to see the bit inside the blob without opening it. (2) It is not possible to change the bit inside the blob, that is, the blob cannot be opened in two different ways to reveal two different bits.

A blob is produced by a protocol commit(b) between Alice and Bob. We assume that b is initially private to Alice. At the end of the commit protocol, Bob has a blob c containing Alice's bit b, but he should have no information about b's value. Later, Alice and Bob can run a protocol open(c) to reveal the bit contained in c.

Alice and Bob do not trust each other, so each wants protection from cheating by the other. Alice wants to be sure that Bob cannot learn b after running commit(b), even if he misbehaves during the protocol. Bob wants to be sure that any successful run of open(c) reveals the same bit b′, so no matter what Alice does. Note that we do not require that Alice tell the truth about her private bit b. A dishonest Alice can always pretend her bit was b′ ≠ b when producing c. But if she does, c can only be opened to b′, not to b.

These ideas should become clearer in the protocols below.

3.1 Commitment using symmetric cryptography

A naïve way to use a symmetric cryptosystem for bit commitment is for Alice to commit b by encrypting it with a private key k to get a blob c = E_k(b). She later opens it using the decryption function D_k(c). Unfortunately, Alice can easily cheat if she can find a "colliding triple" (c, k₀, k₁) with the properties that D_k₀(c) = 0 and D_k₀(c) = 1. She just "commits" by sending c to Bob. Later, she can choose whether to open it to 0 or to 1 by sending Bob k₀ or k₁. This isn't just a hypothetical problem. Suppose Alice uses the most secure cryptosystem of all, a one-time pad, so D_k(c) = c⊕k. Then she can easily find a colliding triple by choosing k₀ = c and k₁ = c ⊕1.

The protocol of Figure 1 tries to make it harder for Alice to cheat by making it possible for Bob to detect most bad keys.

	Alice		Bob
	To commit(b):
1.		← ^r.	Choose random string r.
2.	Choose random key k.
	Compute c = E_k(r·b).	→ ^c	c is commitment.
	To open(c):
3.	Send k.	→ ^k	Let r′·b′ = D_k(c).
			Check r′ = r.
			b′ is revealed bit.

Figure 1: Bit commitment using cryptosystem.

For many cryptosystems (e.g., DES), this protocol does indeed prevent Alice from cheating, for she will have difficulty finding any two keys k₀ and k₁ such that E_k₀(r·0) = E_k₁(r·1). However, for the one-time pad cryptosystem, she can cheat as before: She just takes c to be random and lets k₀ = c ⊕(r·0) and k₁ = c ⊕(r·1). Then D_{k_b}(c) = r·b for b ∈ {0,1}, so the revealed bit is 0 or 1 depending on whether Alice sends k₀ or k₁ in step 3.

We see that not all secure cryptosystems have the properties we need in order to make the protocol of Figure 1 secure. We need a property analogous to the strong collision-free property for hash functions.

3.2 Commitment using hash functions

The analogy between bit commitment and hash functions described above suggests a bit-commitment scheme based on hash functions, as shown in Figure 2.

	Alice		Bob
	To commit(b):
1.		← ^r₁	Choose random string r₁.
2.	Choose random string r₂.
	Compute c = H(r₁ r₂ b).	→ ^c	c is commitment.
	To open(c):
3.	Send r₂.	→ ^r₂	Find b′ ∈ {0, 1} such that c = H(r₁ r₂ b′).
			If no such b′, then fail.
			Otherwise, b′ is revealed bit.

Figure 2: Bit commitment using hash function.

The purpose of r₂ is to protect Alice's secret bit b. To find b before Alice opens the commitment, Bob would have to find r′₂ and b′ such that H(r₁ r′₂ b′) = c. This is akin to the problem of inverting H and is likely to be hard, although the one-way property for H is not strong enough to imply this. On the one hand, if Bob succeeds in finding such r′₂ and b′, he has indeed inverted H, but he does so only with the help of r₁-information that is not generally available when attempting to invert H.

The purpose of r₁ is to strengthen the protection that Bob gets from the hash properties of H. Even without r₁, the strong collision-free property of H would imply that Alice cannot find c, r₂, and r′₂ such that H(r₂ 0) = c = H(r′₂ 1). But by using r₁, Alice would have to find a new colliding pair for each run of the protocol. This protects Bob by preventing Alice from exploiting a few colliding pairs for H that she might happen to discover.

3.3 Commitment using pseudorandom sequence generators

A pseudorandom sequence generator (PRSG) maps a "short" random seed to a "long" pseudorandom bit string. For a PRSG to be cryptographically strong, it must be difficult to correctly predict any generated bit, even knowing all of the other bits of the output sequence. In particular, it must also be difficult to find the seed given the output sequence, since if one knows the seed, then the whole sequence can be generated. Thus, a PRSG is a one-way function and more. While a hash function might generate hash values of the form yy and still be strongly collision-free, such a function could not be a PRSG since it would be possible to predict the second half of the output knowing the first half.

I am being intentionally vague at this stage about what "short" and "long" mean, but intuitively, "short" is a length like we use for cryptographic keys-long enough to prevent brute-force attacks, but generally much shorter than the data we want to deal with. Think of "short"=128 or =256 and you'll be in the right ballpark. By "long", we mean much larger sizes, perhaps thousands or even millions of bits. In practice, we usually thing of the output length as being variable, so that we can request as many output bits from the generator as we like and it will deliver them. Also, in practice, the bits are generally delivered a block at a time rather than all at once, so we don't even need to announce in advance how many bits we want but can go back as needed to get more.

There are many ways to use a PRSG G for bit commitment. One such way is shown in Figure 3. Here, ρ is a security parameter that controls the probability that a cheating Alice can fool Bob. We let G_ρ(s) denote the first ρ bits of G(s).

	Alice		Bob
	To commit(b):
1.		← ^r	Choose random string r ∈ {0,1}^ρ.
2.	Choose random seed s.
	Let y = G_ρ(s).
	If b=0 let c = y.
	If b=1 let c = y ⊕r.	→ ^c	c is commitment.
	To open(c):
3.	Send s.	→ ^s	Let y = G_ρ(s).
			If c = y then reveal 0.
			If c = y ⊕r then reveal 1.
			Otherwise, fail.

Figure 3: Bit commitment using PRSG.

Assuming G is cryptographically strong, then c will look random to Bob, regardless of the value of b, so he will be unable to get any information about b.

The purpose of r is to protect Bob against a cheating Alice. Alice can cheat if she can find a triple (c, s₀, s₁) such that s₀ opens c to reveal 0 and s₁ opens c to reveal 1. Such a triple must satisfy the following pair of equations:

G_ρ(s₀)

G_ρ(s₁) ⊕r.







(1)

It is sufficient for her to solve the equation

r = G_ρ(s₀) ⊕G_ρ(s₁)

(2)

for s₀ and s₁ and then choose c = G_ρ(s₀).

One might ask why Bob needs to choose r? Why can't Alice choose r, or why can't r be fixed to some constant? If Alice chooses r, then she can easily solve (2) and cheat. If r is fixed to a constant, then if Alice ever finds a triple (c,s₀, s₁) satisfying (1), she can fool Bob every time. While finding such a pair would be difficult if G_ρ were a truly random function, any specific PRSG might have special properties, at least for a few seeds, that would make this possible. For example, suppose r = 1^ρ and G_ρ(¬s₀) = ¬G_ρ(s₀) for some s₀. Then (2) could be solved by taking s₁ = ¬s₀. By having Bob choose r at random, r will be different each time (with very high probability), and a successful cheating Alice would be forced to solve (1) in general, not just for one special case.

4 Bit-Commitment Schemes

The three bit-commitment protocols of the previous section all have the same form. We abstract from these protocols a cryptographic primitive, called a bit-commitment scheme, which consists of a pair of key spaces K_A and K_B, a blob space B, a commitment function

enclose: K_A ×K_B ×{0, 1} → B,

and an opening function

reveal: K_A ×K_B ×B → {0, 1, φ},

where φ means "failure". We say that a blob c ∈ B contains b ∈ {0,1} if reveal(k_A, k_B, c) = b for some k_A ∈ K_A and k_B ∈ K_B.

These functions have three properties:

∀k_A ∈ K_A, ∀k_B ∈ K_B, ∀b ∈ {0,1}, reveal(k_A, k_B, enclose(k_A, k_B, b)) = b;
∀k_B ∈ K_B, ∀c ∈ B, ∃b ∈ {0,1},∀k_A ∈ K_A, reveal(k_A, k_B, c) ∈ {b, φ}.
No feasible probabilistic algorithm that attempts to distinguish blobs containing 0 from those containing 1, given k_B and c, is correct with probability significantly greater than 1/2.

The intention is that k_A is chosen by Alice and k_B by Bob. Intuitively, these conditions say:

Any bit b can be committed using any key pair k_A, k_B, and the same key pair will open the blob to reveal b.
For each k_B, all k_A that successfully open c reveal the same bit.
Without knowing k_A, the blob does not reveal any significant amount of information about the bit it contains, even when k_B is known.

A bit-commitment scheme looks a lot like a symmetric cryptosystem, with enclose(k_A, k_B, b) playing the role of the encryption function and reveal(k_A, k_B, c) the role of the decryption function. However, they differ both in their properties and in the environments in which they are used. Conventional cryptosystems do not require condition 2, nor do they necessarily satisfy it. In a conventional cryptosystem, it is assumed that Alice and Bob trust each other and both share a secret key k. The cryptosystem is designed to protect Alice's secret message from a passive eavesdropper Eve. In a bit-commitment scheme, Alice and Bob cooperate in the protocol but do not trust each other to choose the key. Rather, the key is split into two pieces, k_A and k_B, with each participant controlling one piece.

A bit-commitment scheme can be turned into a bit-commitment protocol by plugging it into the generic protocol given in Figure 4.

	Alice		Bob
	To commit(b):
1.		← ^k_B	Choose random k_B ∈ K_B.
2.	Choose random k_A ∈ K_A.
	Compute c = enclose(k_A, k_B, b).	→ ^c	c is commitment.
	To open(c):
3.	Send k_A.	→ ^k_A	Compute b = reveal(k_A, k_B, c).
			If b = φ, then fail.
			If b ≠ φ, then b is revealed bit.

Figure 4: A generic bit commitment protocol.

Each of the protocols of section 4 can be regarded as in instance of the generic protocol. For example, we get the protocol of Figure 1 by taking

enclose(k_A, k_B,b) = E_{k_A}(k_B ·b),

and

reveal(k_A, k_B, c) =







if k_B·b = D_{k_A}(c)

otherwise.

Footnotes:

¹f(i) is the result of evaluating the polynomial f at the value x=i. Here we assume all arithmetic is over the field Z_p, so we omit explicit mention of mod p.

File translated from T_EX by T_TH, version 3.66.
On 17 Apr 2005, 15:54.