The Foundations of Cryptography - Volume 1
Oded Goldreich
|
|
Cryptography is concerned with the construction of schemes that
should maintain a desired functionality, even under malicious
attempts aimed at making them deviate from it.
The design of cryptographic systems has to be based on firm foundations;
whereas ad-hoc approaches and heuristics are a very dangerous way to go.
This work is aimed at presenting firm foundations for cryptography.
The foundations of cryptography are the paradigms, approaches
and techniques used to conceptualize, define and provide solutions
to natural ``security concerns''.
The emphasis of the work is on the clarification of fundamental concepts
and on demonstrating the feasibility of solving several central
cryptographic problems.
The current book is the first volume of this work, and it focuses
on the main tools of Modern Cryptography: computational difficulty
(one-way functions), pseudorandomness and zero-knowledge proofs.
The next volume will focus on the main applications of Cryptography:
encryption schemes, signature schemes and secure protocols.
ISBN 0-521-79172-3
Published in US in June 2001.
See purchase information.
Publisher:
Cambridge University Press
(see
the
publisher's page for this volume). |
This volume is part of the two-volume work
Foundations of Cryptography
(see Volume 2).
For a brief introduction to the Foundations of Cryptography,
see surveys.
For further suggestions regarding teaching,
see notes.
A preliminary draft is available here.
This page includes the volume's preface,
Teaching Tips,
Table of Contents,
answers to Frequently Asked Questions,
and List of Corrections.
Preface
See preface to the entire work
Foundations of Cryptography.
We highlight the following points:
-
Cryptography is concerned with the construction of schemes
that should maintain a desired functionality, even under malicious
attempts aimed at making them deviate from it.
-
It makes little sense to make assumptions regarding
the specific strategy that the adversary may use.
The only assumptions that can be justified refer
to the computational abilities of the adversary.
-
The design of cryptographic systems has to be based on firm foundations;
whereas ad-hoc approaches and heuristics are a very dangerous way to go.
-
This work is aimed at presenting firm foundations for cryptography.
The foundations of cryptography are the paradigms,
approaches and techniques used to conceptualize,
define and provide solutions to natural ``security concerns''.
- We will present some of these paradigms, approaches and techniques
as well as some of the fundamental results obtained using them.
- Our emphasis is on the clarification of fundamental concepts
and on demonstrating the feasibility of solving several central
cryptographic problems.
This is done in a way independent of the particularities of
some popular number theoretic examples.
- The most relevant background for this work is provided by basic
knowledge of algorithms (including randomized ones),
computability and elementary probability theory.
Background on (computational) number theory,
which is required for specific implementations of certain
constructs, is not really required here.
-
Most of modern cryptography relies on the ability to generate
instances of hard problems. Such ability is captured in the
definition of one-way function.
Preface to the current volume
The current (first) volume consists of an introductory chapter
(Chapter 1), followed by
chapters on computational difficulty (one-way functions),
pseudorandomness and zero-knowledge proofs
(Chapters 2-4, respectively).
Also included are two appendices:
one of them providing a brief summary
of Volume 2.
The high-level structure of the current volume is as follows:
- Chapter 1: Introduction
Main Topics covered by the work (Sec. 1.1)
Background on Probability and Computation (Sec. 1.2 and 1.3)
Motivation to the Rigorous Treatment (Sec. 1.4)
- Chapter 2: Computational Difficulty (One-Way Functions)
Motivation and Definitions (Sec. 2.1 and 2.2)
One-Way functions: Weak implies Strong (Sec. 2.3)
Variants (Sec. 2.4) and advanced material (Sec. 2.6)
Hard-Core Predicates (Sec. 2.5)
- Chapter 3: Pseudorandom Generators
Motivation and Definitions (Sec. 3.1-3.3)
Constructions based on One-Way Permutations (Sec. 3.4)
Pseudorandom Functions (Sec. 3.6)
Advanced material (Sec. 3.5 and 3.7)
- Chapter 4: Zero-Knowledge Proofs
Motivation and Definitions (Sec. 4.1-4.3)
Zero-Knowledge Proofs for NP (Sec. 4.4)
Advanced material (Sec. 4.5-4.11)
- Appendix A: Brief Background on Computational Number Theory
- Appendix B: Brief Outline of Volume 2
- Bibliography and Index
Historical notes, suggestions for further reading,
some open problems and some exercises
are provided at the end of each chapter.
The exercises are mostly designed to help and test the basic
understanding of the main text, not to test or inspire creativity.
The open problems are fairly well-known,
still we recommend to check their current status
(e.g., in this website).
Using this work
The work is aimed to serve both as a textbook
and a reference text. That is, it is aimed at serving both
the beginner and the expert. In order to achieve this aim,
the presentation of the basic material is very detailed
so to allow a typical CS-undergraduate to follow it.
An advanced student (and certainly an expert)
will find the pace (in these parts) way too slow.
However, an attempt was made to allow the latter reader
to easily skip details obvious to him/her.
In particular, proofs are typically presented in a modular way.
We start with a high-level sketch of the main ideas,
and only later pass to the technical details.
Passage from high-level descriptions to lower level details is
typically marked by phrases such as details follow.
More advanced material is typically presented at a faster pace
and with less details.
Thus, we hope that the attempt to satisfy a wide range of readers
will not harm any of them.
Teaching
(See also Teaching Notes.)
The material presented in this work is, on one hand, way beyond what
one may want to cover in a course, and on the other hand falls very
short of what one may want to know about Cryptography in general.
To assist these conflicting needs we make a distinction between
basic and advanced material,
and provide suggestions for further reading
(in the last section of each chapter).
In particular, sections, subsections, and subsubsections
marked by an asterisk (*) are intended for advanced reading.
Volumes 1 and 2
of this work are supposed to provide all material
for a course on Foundations of Cryptography.
For a one-semester course,
the teacher will definitely need to skip all advanced material
(marked by an asterisk) and maybe even some basic material:
see suggestion below.
This should allow, depending on the class,
to cover the basic material at a reasonable level
(i.e., cover all material marked as ``main''
and some of the ``optional'').
Volumes 1 and 2
can also serve as textbook for a two-semester course.
Either way, the current volume only covers the first half
of the aforementioned material.
The second half is covered in Volume 2.
Following is our suggestion for
a one-semester course on Foundations of Cryptography.
Each lecture consists of one hour.
Lectures 1-15 are covered by the current volume.
Lectures 16-28 will be covered by
the second volume.
- Lecture 1: Introduction, Background, etc (depending on class)
- Lecture 2-5: Computational Difficulty (One-Way Functions)
Main: Definition (Sec. 2.2), Hard-Core Predicates (Sec. 2.5)
Optional: Weak implies Strong (Sec. 2.3), and Sec. 2.4.2-2.4.4
- Lecture 6-10: Pseudorandom Generators
Main: Definitional issues and a construction (Sec. 3.2-3.4)
Optional: Pseudorandom Functions (Sec. 3.6)
- Lecture 11-15: Zero-Knowledge Proofs
Main: Some definitions and a construction
(Sec. 4.2.1, 4.3.1, 4.4.1-4.4.3)
Optional: Sec. 4.2.2, 4.3.2, 4.3.3-4.3.4, 4.4.4
- Lecture 16-20: Encryption Schemes
- Lecture 21-24: Signature Schemes
- Lecture 25-28: General Cryptographic Protocols
The definitional approach and a general construction (sketches).
(Consult Apdx. B.3, see also our exposition.)
Giving a course solely based on the material that
appears in the current volume is indeed possible,
but such a course cannot be considered a stand-alone course in Cryptography
(for the reason that the current volume does not consider at all
the basic tasks of encryption and signatures).
Table of Contents
Preface
Chapter 1: Introduction
-
1.1 Cryptography - Main Topics
1.1.1 Encryption Schemes
1.1.2 Pseudorandom Generators
1.1.3 Digital Signatures
1.1.4 Fault-Tolerant Protocols and Zero-Knowledge Proofs
-
1.2 Some Background from Probability Theory
1.2.1 Notational Conventions
1.2.2 Three Inequalities
-
1.3 The Computational Model
1.3.1 P, NP, and NP-completeness
1.3.2 Probabilistic Polynomial-Time
1.3.3 Non-Uniform Polynomial-Time
1.3.4 Intractability Assumptions
1.3.5 Oracle Machines
-
1.4 Motivation to the Rigorous Treatment
1.4.1 The Need for a Rigorous Treatment
1.4.2 Practical Consequences of the Rigorous Treatment
1.4.3 The Tendency to be Conservative
-
1.5 Miscellaneous
1.5.1 Historical Notes
1.5.2 Suggestion for Further Reading
1.5.3 Open Problem
1.5.4 Exercises
Chapter 2: Computational Difficulty
-
2.1 One-Way Functions: Motivation
-
2.2 One-Way Functions: Definitions
2.2.1 Strong One-Way Functions
2.2.2 Weak One-Way Functions
2.2.3 Two Useful Length Conventions
2.2.4 Candidates for One-Way Functions
2.2.5 Non-Uniformly One-Way Functions
-
2.3 Weak One-Way Functions Imply Strong Ones
2.3.1 The Construction and its Analysis
2.3.2 Illustration by a toy example
2.3.3 Discussion
-
2.4 One-Way Functions: Variations
2.4.1* Universal One-Way Function
2.4.2 One-Way Functions as Collections
2.4.3 Examples of One-way Collections (RSA, Factoring, DLP)
2.4.4 Trapdoor one-way permutations
2.4.5* Claw-free Functions
2.4.6* On Proposing Candidates
-
2.5 Hard-Core Predicates
2.5.1 Definition
2.5.2 Hard-Core Predicates for any One-Way Function
2.5.3* Hard-Core Functions
-
2.6* Efficient Amplification of One-way Functions
-
2.7 Miscellaneous
2.7.1 Historical Notes
2.7.2 Suggestion for Further Reading
2.7.3 Open Problems
2.7.4 Exercises
Chapter 3: Pseudorandom Generators
-
3.1 Motivating Discussion
3.1.1 Computational Approaches to Randomness
3.1.2 A Rigorous Approach to Pseudorandom Generators
-
3.2 Computational Indistinguishability
3.2.1 Definition
3.2.2 Relation to Statistical Closeness
3.2.3 Indistinguishability by Repeated Experiments
3.2.4* Indistinguishability by Circuits
3.2.5 Pseudorandom Ensembles
-
3.3 Definitions of Pseudorandom Generators
3.3.1 Standard Definition of Pseudorandom Generators
3.3.2 Increasing the Expansion Factor
3.3.3* Variable-output pseudorandom generators
3.3.4 The Applicability of Pseudorandom Generators
3.3.5 Pseudorandomness and unpredictability
3.3.6 Pseudorandom Generators imply One-Way Functions
-
3.4 Constructions based on One-Way Permutations
3.4.1 Construction based on a Single Permutation
3.4.2 Construction based on Collections of Permutations
3.4.3* Using Hard-Core Functions rather than Predicates
-
3.5* Constructions based on One-Way Functions
3.5.1 Using 1-1 One-Way Functions
3.5.2 Using Regular One-Way Functions
3.5.3 Going beyond Regular One-Way Functions
-
3.6 Pseudorandom Functions
3.6.1 Definitions
3.6.2 Construction
3.6.3 Applications - A general methodology
3.6.4 Generalization
-
3.7* Pseudorandom Permutations
3.7.1 Definitions
3.7.2 Construction
-
3.8 Miscellaneous
3.8.1 Historical Notes
3.8.2 Suggestion for Further Reading
3.8.3 Open Problems
3.8.4 Exercises
Chapter 4: Zero-Knowledge Proof Systems
-
4.1 Zero-Knowledge Proofs: Motivation
4.1.1 The Notion of a Proof
4.1.2 Gaining Knowledge
-
4.2 Interactive Proof Systems
4.2.1 Definition
4.2.2 An Example (Graph Non-Isomorphism in IP)
4.2.3* The Structure of the Class IP
4.2.4 Augmentation to the Model
-
4.3 Zero-Knowledge Proofs: Definitions
4.3.1 Perfect and Computational Zero-Knowledge
4.3.2 An Example (Graph Isomorphism in PZK)
4.3.3 Zero-Knowledge w.r.t. Auxiliary Inputs
4.3.4 Sequential Composition of Zero-Knowledge Proofs
-
4.4 Zero-Knowledge Proofs for NP
4.4.1 Commitment Schemes
4.4.2 Zero-Knowledge Proof of Graph Coloring
4.4.3 The General Result and Some Applications
4.4.4 Second Level Considerations
-
4.5* Negative Results
4.5.1 On the importance of interaction and randomness
4.5.2 Limitations of unconditional results
4.5.3 Limitations of Statistical ZK proofs
4.5.4 Zero-Knowledge and Parallel Composition
-
4.6* Witness Indistinguishability and Hiding
4.6.1 Definitions
4.6.2 Parallel Composition
4.6.3 Constructions
4.6.4 Applications
-
4.7* Proofs of Knowledge
4.7.1 Definition
4.7.2 Reducing the knowledge error
4.7.3 Zero-Knowledge Proofs of Knowledge for NP
4.7.4 Applications
4.7.5 Proofs of Identity (Identification schemes)
4.7.6 Strong Proofs of Knowledge
-
4.8* Computationally-Sound Proofs (Arguments)
4.8.1 Definition
4.8.2 Perfectly-Hiding Commitment Schemes
4.8.3 Perfect Zero-Knowledge Arguments for NP
4.8.4 Arguments of Polylogarithmic Efficiency
-
4.9* Constant-Round Zero-Knowledge Proofs
4.9.1 Using commitment schemes with perfect secrecy
4.9.2 Bounding the power of cheating provers
-
4.10* Non-Interactive Zero-Knowledge Proofs
4.10.1 Basic Definitions
4.10.2 Constructions
4.10.3 Extensions
-
4.11* Multi-Prover Zero-Knowledge Proofs
4.11.1 Definitions
4.11.2 Two-Senders Commitment Schemes
4.11.3 Perfect Zero-Knowledge for NP
4.11.4 Applications
-
4.12 Miscellaneous
4.12.1 Historical Notes
4.12.2 Suggestion for Further Reading
4.12.3 Open Problems
4.12.4 Exercises
Appendix A: Background in Computational Number Theory
-
A.1 Prime Numbers
A.1.1 Quadratic residues modulo a prime
A.1.2 Extracting square roots modulo a prime
A.1.3 Primality testers
A.1.4 On uniform selection of primes
-
A.2 Composite Numbers
A.2.1 Quadratic residues modulo a composite
A.2.2 Extracting square roots modulo a composite
A.2.3 The Legendre and Jacobi Symbols
A.2.4 Blum Integers and their quadratic residue structure
Appendix B: Brief Outline of Volume 2
-
B.1 Encryption - Brief Summary
B.1.1 Definitions
B.1.2 Constructions
B.1.3 Beyond eavesdropping security
B.1.4 Some Suggestions
-
B.2 Signatures - Brief Summary
B.2.1 Definitions
B.2.2 Constructions
B.2.3 Some Suggestions
-
B.3 Cryptographic Protocols - Brief Summary
B.3.1 Definitions
B.3.2 Constructions
B.3.3 Some Suggestions
Bibliography (approximately 200 entries)
Index (approximately 500 entries)
Frequently Asked Questions
Is there a solution manual of this book?
Unfortunately, the answer is negative,
but we believe that the guidelines for the exercises
provide sufficient clues.
When will Volume 2 appear?
It has appeared, in Spring 2004.
Can Volume 1 (alone) be used for teaching?
Yes, see teaching tips above.
But this question seems less relevant today,
since Volume 2 is available.
How does this volume relate to the book
Modern Cryptography, Probabilistic
Proofs and Pseudorandomness?
The current volume is only remotely related to the former book,
published in 1999 as part (i.e., Vol. 17) of the
Algorithms and Combinatorics series of Springer:
Chapter 1 of the Springer book
provides a 30-page overview (or summary) to the entire work,
which holds 350 pages in its current (first) volume only.
Chapters 2 and 3 of the Springer book provide a wider perspective
on Probabilistic Proof systems and Pseudorandomness, respectively.
An extensive treatment of the Cryptographically-related aspects
of these areas is provided in the current volume,
but the interested reader may benefit from the wider
perspective offered in the Springer book.
See also
answers to other frequently asked questions.
List of Corrections
The following errors were corrected in Volume 2;
for further details see Appendix C (of Volume 2)
as well as a
draft of the said appendix, Feb. 2003.
- Unfortunately, we have to withdraw two claims regarding
strong witness indistinguishable proofs
as defined in Definition 4.6.2.
Specifically, in general, strong witness indistinguishability
is not closed under parallel composition (and so Lemma 4.6.7 is wrong).
Consequently, in contrary to what is stated in Theorem 4.6.8,
we do not know whether there exist constant-round
public-coin proofs with negligible error
that are strong witness indistinguishable for languages out of BPP.
We stress that the flaws pointed out here only refer to strong
witness indistinguishability and not to (regular) witness
indistinguishability. That is, as stated in Lemma 4.6.6,
(regular) witness indistinguishability is closed under parallel composition
and thus the part of Theorem 4.6.8 that refers to regular witness
indistinguishability is valid (i.e., providing constant-round
public-coin proofs with negligible error
that are witness indistinguishable for NP).
- Remark 4.10.6 as well as Theorems 4.10.10, 4.10.14 and 4.10.16,
seem to require trapdoor permutations in which the permutation's
domain coincides with the set of all strings of certain length.
This special case of Definition 2.4.5 can be implemented by modifying
the RSA or the Factoring Trapdoors (cf. Canetti et al (in STOC'96) and [5]).
(For further detail on Remark 4.10.6, the reader is referred to [23].)
Added comment (Nov. 2008):
Unfortunately, the correction that appeared in
Appendix C of Volume 2 is also incorrect.
For details see
note
(or better its
revision).
For a discussion of enhanced trapdoor permutations
see my paper with Ron Rothblum
titled Enhancements of Trapdoor Permutations.
- Not exactly an error, yet a recent result by Boaz Barak (see FOCS'01)
calls for re-evaluation of the significance of all negative
results regarding black-box zero-knowledge (cf. Definition 4.5.10).
In particular, relying on standard intractability assumptions,
Barak presents round-efficient public-coin
zero-knowledge arguments for NP (using non-black-box simulators),
whereas only BPP can have such black-box zero-knowledge arguments
(cf. comment following Theorem 4.5.11).
Interestingly, Barak's simulator works in strict (rather than expected)
probabilistic polynomial-time, addressing an open problem
mentioned in Section 4.12.3.
- In Definition 4.10.15 (adaptive NIZK),
the adaptive zero-knowledge condition (page 310) should relate
only to input-selecting functions $\Xi$
that are implementable by a family of polynomial-size circuits.
- Const. 4.10.7 and Prop. 4.10.9 (pp. 303-304):
The current description in terms of two mappings $\pi_1,\pi_2$
is confusing and even inaccurate. Instead one should
identify the row and columns of $H$ with $[n]$
and use one permuation/isomorphism $\pi$ of $G$ to $H$.
Alternatively, one may compose this $\pi$ with the $\psi_i$'s
(which results in $\pi_i$'s as in the text).
[Luis von Ahn]
- Definition 4.9.3 is carelessly written.
One should partition the commit phase into
two sub-phases, with the second sub-phase being a proof-of-knowledge
referring to the view of the first sub-phase, which in turn should
constitute a commitment scheme by itself.
Alternatively, a Non-Oblivious Commitment may be defined as
the sequential composition of an ordinary commitment scheme with
a corresponding proof-of-knowledge
such that the composed protocol is also a commitment scheme.
[Yehuda Lindell]
- The proof of Theorem 4.9.4 is wrong, since it relies
on the existence of constant-round strong witness indistinguishability
proofs of knowledge for NP (i.e., Theorem 4.6.8).
Fortunately, an alternative proof exists
(see Apdx C.3.3 in Volume 2).
- Addition to Section 4.12.2: In continuation to Sections 4.7 and 4.9.2,
we mention that the round-efficient argument system of [77] is
actually an ``argument of knowledge'' (with negligible error).
- Adding self-credits to Section 4.12.1:
the notions of strong witness indistinguishability (Section 4.6)
and strong proofs of knowledge (Section 4.7.6),
and the Hidden Bit Model (Section 4.10.2)
are due to (early versions of) this work.
The foregoing errors were corrected in Volume 2.
More recent corrections and additions follow
-
The specific expression given for Chernoff Bound
(in Sec 1.2.2, page 11) may be wrong.
The exponent should be either $-(\epsilon^2/(4p(1-p)))\cdot n$
(i.e., a factor of two smaller than stated)
or just $-2\epsilon^2\cdot n$.
(Both alternatives are correct, but one usually sees the latter.)
[Kivanc Mihcak]
- Typo on page 35, 2nd paragraph:
It should be $\nu(n) > 1/p(n)$.
[Eldad Zinger]
- There is a typo on page 46 (just before equation 2.7):
N0 should be N'.
- Formally speaking, Prop. 2.4.1 (as stated) is trivial.
The statement asserts that there exists a poly-time computable $f$
such that $f$ is a OWF iff OWF exist.
But, as pointed out by Claus Diem, if OWF exist then one may use $f$
as any of them, and otherwiose one may use any poly-time computable $f$.
Of course, what I meant was that one can specify a poly-time computable $f$
without knowing if OWF exist or not, but this is not captured by the
formal statement. Of course, one way out is to describe $f$ first,
and then make the claim about this $f$; but, for obvious reasons,
I did not want to do that.
- In continuation to Sec 2.4.2 and 2.4.4,
see clarifications
regarding one-way permutations, 2005.
- The lower bound (on the size of $S_n$) in Claim 2.5.2.1
can be improved to $\epsilon(n)\cdot 2^n$.
See details
HERE.
[Noam Livne]
- Section 2.5.3 does not provide the best analysis of the
security of hard-core functions. A better analysis is provided
HERE.
- At the end of Section 2.7.3, the question should refer to
returning a constant fraction of the bits of $x$
(rather than the first half of $x$).
- The presentation in Section 2.6.2 contains a (fix-able) error.
The graph $G_{f,n}$ defined on page 82 is a directed graph,
and the construction of the function $F$ (Construction 2.6.3)
refers to directed walks on it. But Lemma 2.6.5 refers to
undirected graphs and hence cannot be applied to it. [Qifu Hu]
Nevertheless, the weaker bound provided in the proof of
Lemma 2.6.5 holds also in this case. Specifically,
consider the stochastic process captured by the matrix $M_f$
such that $M_f =MR$, where $M$ is the normalized adjacency
matrix of the graph $G_n$ and $R$ is the permutation matrix
that corresponds to the mapping $x\mapsto f(x)$.
Now we want to bound $\|(PMR)^t z\|$
and we do it by bounding $\|PMR z\|$,
which reduces to bounding $\|PMz'\|$ for $z'=Rz$
(while noting that $Rz$ and $z$ have the same norm).
Hence, we obtain a bound of $1-(1-0.5\mu)^{t/2}$,
rather than $1-(1-0.5\mu)^{t}$,
and this is the bound we should use for $\beta(n)$
(with $t=k(n)/\ell$) when we invoke Lemma 2.6.6.
This means that we establish the corresponding
bound of with $\beta(n)=1-(1-0.5\alpha(n))^{k(n)/2\ell}$
also in Prop. 2.6.4 (i.e., we lose a factor of two in the exponent).
Note, however, that the above analysis presumes that
$\mu \geq 2\rho^2$, where $\rho$ is an upper bound
on the eigenvalue ratio. This is fine when applying
Lemma 2.6.6 with a constant value of $\alpha$,
but for smaller values we have to use an expander
of degree $d=\poly(1/\alpha)$ and a polynomially
related expansion bound (where such an expander
can be obtained by talking a walk of length $\log d$
on a constant-degree expander).
This in turn means that $\ell=O(\log(1/\alpha))$
and that we can only use $k(n)=O(n/\ell)$ in Prop 2.6.4
(in order to maintain $n+k(n)\log d = O(n)$).
This only means that in the first applications
of Prop 2.6.4 (within the proof of Thm 2.6.2),
we only increase the hardness parameter by
a factor of $n/\log n$ (rather than by $n$).
That is, starting with an $n^{-\delta}$-OWP,
for $i\in[\delta]$, after $i$ iterations
we derive an $(n^{-(\delta-i)}/(\log n)^i)$-OWP,
and in the last (i.e., $\delta+1$-st) iteration
we obtain a strong one-way function
(since $1-(1-(1/\poly\log n))^{n/\log n}$ is negligible).
I'm currently unsure if the original claim
(i.e., with Lemma 2.6.5 applied to the directed graph $G_{f,n}$)
is true, but it does not matter much.
- There is a typo in the guideline given for Exercise 9 of Chapter 2:
The suggestion should be $f(y,z)=(g(y),y\xor z)$.
- There is a typo in the guideline given for Exercise 17 of Chapter 2:
The statistical distance is stated at the end
should by $O(2^{-\ell} + 2^{2\ell+2\log n}\cdot\epsilon)$.
- Typo in page 99 line 3 (Exer 28 in Chap 2):
the reference should be to [204] not [203].
- Clarification for Exer 28 of Chap 2:
-
The notation $\ell(n)$ is abused;
in Item 2 it denotes the codeword length,
which is exponential in the length of the description
of a position in the codeword (as used in Item 3).
-
In Item 3, use a concatanation code in which symbols
of the Reed-Solomon code are encoded via the hadamard code.
- Prop. 3.3.8 (on page 124) can be extended to all pseudorandom
generators $G$ of arbitrary stretch $ell(n)$, yielding a strong OWF
if $\ell(n)-n=\omega(\log n))$ and a weak OWF otherwise.
This follows by observing that for any subset $S$ of the image of $G$
(or rather the image of $n$-bit long seeds under $G$),
it holds that $prob[G(U_n)\in S] \geq \frac{|S|}{2^n}$
whereas
$prob[U_{ell(n)}\in S] = \frac{|S|}(2^{ell(n)}} \leq \frac{|S|}(2^{n+1}}$.
[Guang Yang]
- The sampling procedure referred to at the end of Sec 3.4.2
is not as obvious; the $O(n^3)$ bound relies on the fact
that the expected number of candidates to be tried is $O(n)$.
[Qifu Hu]
- Sec. 3.5.1.2 (on page 138), right after Prop 3.5.3,
contains a typo: $k$ should be set to $O(p(n))$, not to $n$. [Qifu Hu]
- Typo on page 142 (last sentence of 2nd paragraph):
It should be $m$ not $i$. [Qifu Hu]
- Typo on page 143 (1st paragraph of the proof of Prop 3.5.9):
The 3rd sentence should have been
``Thus, for every $y$ and $\alpha$, it holds that
$\pr[|F^{-1}(y,\alpha,H_{n}^{m(n)-l(n)})| >2^{l(n)+1}] < 2^{-l(n)}$.''
and the rest of this paragraph should have referred to
$B_y=\{(\alpha,h):|F^{-1}(y,\alpha,h)| \!>\!2^{l(n)+1}\}$.
[Qifu Hu]
- Sec. 3.5.3 (on page 147) contains an error.
The number of copies should be $n^3$, not $n^2$.
In all expressions in Sec. 3.5.3, $n^2$ should be replaced by $n^3$,
and $n^3$ by $n^4$. [Yu Yu]
- Unfortunately, Theorem 3.5.12 (i.e., OWF implies PRGs)
still does not have an easy proof (i.e., one suitable for a textbook).
But proofs are getting easier and better.
Currently, the most reader-friendly proof can be found in
Efficiency Improvements in
Constructing Pseudorandom Generators from One-way Functions
(by Iftach Haitner, Omer Reingold, and Salil Vadhan).
- Typo on page 155 at the beginning of the proof of Claim 3.6.6.1.
The queries in the simple case should be the reverses of the
first $t$ strings in lex-order; that is, for $t=2^{k+1}$, we
use strings of the form $x'0^{n-k-1}$, where $x\in\{0,1\}^{k+1}$.
[Qifu Hu]
- Typo on page 156 line 12: The text should read
"In fact, g(p_i)=g(p_j)=v_i=v_j also in case p_i \neq p_j"
(i.e., inequality rather than equality). [Qifu Hu]
- Typo on Page 163, in the displaced definition of $f$:
In the otherwise-case, one should replace $G_{\sigma_{k+1}}$
by $P_{\sigma_{k+1}}$, where $P_0(s)$ (resp., $P_1(s)$) is defined
as the first $n$ bits of $s$ (resp., the next $n$ bits of $s$),
just as in the proof of Thm 3.6.6.
[Qifu Hu]
- The definitions in Sec 3.6.1 fail to require that
the function $\ell$ is upper bounded by a polynomial.
Furthermore, they also fair to require that $\ell$
is efficiently computible (i.e., $\ell(n)$ can be
compurted in $\poly(n)$-time when given $n$).
[Dima Kogan and Inbal Livni]
Both conditions are not used in the text,
but I agree that it is a good idea to impose them both.
I tend to insert these conditions into Def 3.6.1
and the preamble of Def 3.6.4.
Alternatively, it may be inserted into Def 3.6.3
and the first item of Def 3.6.4.
- There is a typo in Exercise 28 of Chapter 3:
The threshold value should be $2^ell \cdot ell$
(rather than $\ell^\ell$ as written).
- Regarding Footnote 7 in Sec 4.3.1.1 (page 201),
see a recent study of
Super-Perfect Zero-Knowledge Proofs (2014).
- In continuation to the definition of Proofs Of Knowledge (Sec 4.7.1),
see discussion of Probabilistic versus Deterministic
Provers in the Definition of Proofs Of Knowledge, 2006.
- Thm 4.4.11 fails to clarify that this result holds
for any NP-witness relation,
and not merely for any NP-set [Roei Tell].
Likewise, in Def 4.3.10,
it would have been better to define (efficient) zero-knowledge
interactive proofs for any relation $R$ rather than refer
to the set of strings $P_L(x)$ that satisfy completenss.
In such case, the completeness and zero-knowledge conditions
should hold for any $(x,y)\in R$
(rather than for every $x\in L$ and $y\in P_L(x)$),
for any $R$ such that $L$ contains all $x$'s
for which there exists a $y$ such that $(x,y)\in $R$.
- Remark 4.10.6 as well as Theorems 4.10.10, 4.10.14 and 4.10.16,
seem to require trapdoor permutations in which the permutation's
domain coincides with the set of all strings of certain length.
This special case of Definition 2.4.5 can be implemented by modifying
the RSA or the Factoring Trapdoors (cf. Canetti et al (in STOC'96) and [5]).
As stated above, the correction that appeared in
Appendix C of Volume 2 is also incorrect.
For details see
note.
- In Construction 4.10.12, it seems better to use the symbol $u'$
(in the definition of $L_2$) instead of $w'$.
The point is to streamline better with the proof of Proposition 4.10.13.
- A recent work of Nguyen, Ong, and Vadhan (see 47th FOCS, 2006) provides
statistical zero-knowledge arguments for NP from any one-way function.
This resolves a central open problem in the area
(also mentioned in Sec. 4.12.3).
See also a follow-up work by Haitner and Reingold (see 39th STOC, 2007)
providing statistical hiding commitment schemes.
- Exercise 4 of Chapter 4 (p. 324) is wrong.
The guideline establishes that
this "shared randomness interactive proof" model
is at most as powerful as AM, and in fact it coincides with AM,
where a set $S$ is in AM if there exists a set $S'$ in NP
and a polynomial $p$ such that
for every $x\in S$
it holds that $Prob_{r:|r|=p(|x|)}[(x,r)\in S'] \geq 2/3$,
and for every $x\in S$
it holds that $Prob_{r:|r|=p(|x|)}[(x,r)\not\in S'] \geq 2/3$.
[Ben Diamond]
Back to
the top or to
Oded Goldreich's homepage.