The Foundations of Cryptography - Volume 2
Oded Goldreich
|
|
Cryptography is concerned with the construction of schemes that
should maintain a desired functionality, even under malicious
attempts aimed at making them deviate from it.
The design of cryptographic systems has to be based on firm foundations;
whereas ad-hoc approaches and heuristics are a very dangerous way to go.
This work is aimed at presenting firm foundations for cryptography.
The foundations of cryptography are the paradigms, approaches
and techniques used to conceptualize, define and provide solutions
to natural ``security concerns''.
The emphasis of the work is on the clarification of fundamental concepts
and on demonstrating the feasibility of solving several central
cryptographic problems.
The current book is the second volume of this work, and it focuses
on the main applications of Cryptography:
encryption schemes, signature schemes and secure protocols.
The first volume focused on the main tools of Modern Cryptography:
computational difficulty (one-way functions),
pseudorandomness and zero-knowledge proofs.
ISBN 0-521-83084-2
Published in US in May 2004.
See purchase information.
Publisher:
Cambridge University Press
(see
the
publisher's page for this volume). |
This volume is part of the two-volume work
Foundations of Cryptography
(see Volume 1).
For a brief introduction to the Foundations of Cryptography,
see surveys.
Preliminary drafts are also available here.
For further suggestions regarding teaching,
see notes.
This page includes the volume's preface,
Teaching Tips,
Table of Contents,
answers to frequently asked questions,
and List of Corrections.
Preface
See preface to the entire work
Foundations of Cryptography.
We highlight the following points:
-
Cryptography is concerned with the construction of schemes
that should maintain a desired functionality, even under malicious
attempts aimed at making them deviate from it.
-
It makes little sense to make assumptions regarding
the specific strategy that the adversary may use.
The only assumptions that can be justified refer
to the computational abilities of the adversary.
-
The design of cryptographic systems has to be based on firm foundations;
whereas ad-hoc approaches and heuristics are a very dangerous way to go.
-
This work is aimed at presenting firm foundations for cryptography.
The foundations of cryptography are the paradigms,
approaches and techniques used to conceptualize,
define and provide solutions to natural security concerns.
- We will present some of these paradigms, approaches and techniques
as well as some of the fundamental results obtained using them.
- Our emphasis is on the clarification of fundamental concepts
and on demonstrating the feasibility of solving several central
cryptographic problems.
This is done in a way independent of the particularities of
some popular number theoretic examples.
- The most relevant background for this work is provided by basic
knowledge of algorithms (including randomized ones),
computability and elementary probability theory.
Background on (computational) number theory,
which is required for specific implementations of certain
constructs, is not really required here.
-
Most of modern cryptography relies on the ability to generate
instances of hard problems. Such ability is captured in the
definition of one-way function
(see Volume 1).
Preface to the current volume
The current volume is the second part (or volume) of the two-volume work
Foundations
of Cryptography. The first part (i.e.,
Volume 1)
consists of an introductory chapter [Chapter 1],
followed by chapters on computational difficulty (one-way functions),
pseudorandomness and zero-knowledge proofs [Chapters 2-4, respectively].
The current volume consists of three chapters,
which treat encryption schemes [Chapter 5],
signature schemes [Chapter 6],
and general cryptographic protocols [Chapter 7], respectively.
Also included is an appendix that provides corrections and additions
to Volume 1.
The high-level structure of the current volume is as follows:
- Chapter 5: Encryption Schemes
The Basic Setting and Definitions of Security (Sec. 5.1 and 5.2)
Constructions of Secure Encryption Schemes (Sec. 5.3)
Advanced material (Sec. 5.4 and 5.5.1--5.5.3)
- Chapter 6: Digital Signature and Message Authentication
Definitional Issues (Sec. 6.1)
Length-restricted signature scheme (Sec. 6.2)
Basic Constructions (Sec. 6.3 and 6.4)
Advanced material (Sec. 6.5 and 6.6.1--6.6.3)
- Chapter 7: General Cryptographic Protocols
A detailed overview (Sec. 7.1)
Advanced material (all the rest):
The two-party case (Sec. 7.2-7.4)
The multi-party case (Sec. 7.5 and 7.6)
- Appendix C: Corrections and Additions to Volume 1
- Bibliography and Index
Historical notes, suggestions for further reading,
some open problems and some exercises
are provided at the end of each chapter.
The exercises are mostly designed to help and test the basic
understanding of the main text, not to test or inspire creativity.
The open problems are fairly well-known,
still we recommend to check their current status
(e.g., in this website).
Using this work
The work is aimed to serve both as a textbook
and a reference text. That is, it is aimed at serving both
the beginner and the expert. In order to achieve this aim,
the presentation of the basic material is very detailed
so to allow a typical CS-undergraduate to follow it.
An advanced student (and certainly an expert)
will find the pace (in these parts) way too slow.
However, an attempt was made to allow the latter reader
to easily skip details obvious to him/her.
In particular, proofs are typically presented in a modular way.
We start with a high-level sketch of the main ideas,
and only later pass to the technical details.
Passage from high-level descriptions to lower level details is
typically marked by phrases such as details follow.
More advanced material is typically presented at a faster pace
and with less details.
Thus, we hope that the attempt to satisfy a wide range of readers
will not harm any of them.
Teaching
(See also Teaching Notes.)
The material presented in this work is, on one hand, way beyond what
one may want to cover in a course, and on the other hand falls very
short of what one may want to know about Cryptography in general.
To assist these conflicting needs we make a distinction between
basic and advanced material,
and provide suggestions for further reading
(in the last section of each chapter).
In particular, sections, subsections, and subsubsections
marked by an asterisk (*) are intended for advanced reading.
This work are supposed to provide all material
for a course on Foundations of Cryptography.
For a one-semester course,
the teacher will definitely need to skip all advanced material
(marked by an asterisk) and maybe even some basic material:
see suggestion below.
This should allow, depending on the class,
to cover the basic material at a reasonable level
(i.e., cover all material marked as ``main''
and some of the ``optional'').
This work can also serve as textbook for a two-semester course.
Either way, the current volume only covers the second half of the material
mentioned above. The first half is covered
in Volume 1.
Following is our suggestion for
a one-semester course on Foundations of Cryptography.
Depending on the class, each lecture consists of 50-90 minutes.
Lectures 1-15 are covered by Volume 1,
whereas Lectures 16-28 are covered by the current (second) volume.
- Lecture 1: Introduction, Background, etc (depending on class)
- Lecture 2-5: Computational Difficulty (One-Way Functions)
Main: Definition (Sec. 2.2), Hard-Core Predicates (Sec. 2.5)
Optional: Weak implies Strong (Sec. 2.3), and Sec. 2.4.2-2.4.4
- Lecture 6-10: Pseudorandom Generators
Main: Definitional issues and a construction (Sec. 3.2-3.4)
Optional: Pseudorandom Functions (Sec. 3.6)
- Lecture 11-15: Zero-Knowledge Proofs
Main: Some definitions and a construction (Sec. 4.2.1, 4.3.1, 4.4.1-4.4.3)
Optional: Sec. 4.2.2, 4.3.2, 4.3.3-4.3.4, 4.4.4
- Lecture 16-20: Encryption Schemes
Main: Definitions and constructions (Sec. 5.1, 5.2.1-5.2.4, 5.3.2-5.3.4)
Optional: Beyond passive notions of security (overview, Sec. 5.4.1)
- Lecture 21-24: Signature Schemes
Definitions and constructions (Sec. 6.1, 6.2.1-6.2.2, 6.3.1.1, 6.4.1-6.4.2)
- Lecture 25-28: General Cryptographic Protocols
The definitional approach and a general construction (overview, Sec. 7.1).
A comment regarding the current volume
Writing the first volume was fun.
In comparison to the current volume,
the definitions, constructions and proofs in the first volume
are relatively simple and easy to write.
Furthermore, in most cases,
the presentation could safely follow existing texts.
Consequently, the writing effort was confined to re-organizing
the material, revising existing texts,
and augmenting them by additional explanations and motivations.
Things were quite different with respect to the current volume.
Even the simplest notions defined in the current volume
are more complex than most notions treated in the first volume
(e.g., contrast secure encryption with one-way functions
or secure protocols with zero-knowledge proofs).
Consequently, the definitions are more complex,
and many of the constructions and proofs are more complex.
Furthermore, in most cases,
the presentation could not follow existing texts.
Indeed, most effort had to be (and was) devoted
to the actual design of constructions and proofs,
which were only inspired by existing texts.
It seems that the fact that writing this volume required
so much effort implies that this volume may be very valuable:
Even experts may be happy to be spared the hardship of trying
to understand this material based on the original research manuscripts.
Table of Contents
Preface
Chapter 5: Encryption Schemes
-
5.1 The Basic Setting
5.1.1 Private-Key versus Public-Key Schemes
5.1.2 The Syntax of Encryption Schemes
-
5.2 Definitions of Security
5.2.1 Semantic Security
5.2.2 Indistinguishability of Encryptions
5.2.3 Equivalence of the Security Definitions
5.2.4 Multiple Messages
5.2.5* A uniform-complexity treatment
-
5.3 Constructions of Secure Encryption Schemes
5.3.1* Stream--Ciphers
5.3.2 Preliminaries: Block--Ciphers
5.3.3 Private-key encryption schemes
5.3.4 Public-key encryption schemes
-
5.4* Beyond eavesdropping security
5.4.1 Overview
5.4.2 Key-dependent passive attacks
5.4.3 Chosen plaintext attack
5.4.4 Chosen ciphertext attack
5.4.5 Non-malleable encryption schemes
-
5.5 Miscellaneous
5.5.1 On Using Encryption Schemes
5.5.2 On Information Theoretic Security
5.5.3 On Some Popular Schemes
5.5.4 Historical Notes
5.5.5 Suggestion for Further Reading
5.5.6 Open Problems
5.5.7 Exercises
Chapter 6: Digital Signatures and Message Authentication
-
6.1 The Setting and Definitional Issues
6.1.1 The two types of schemes: a brief overview
6.1.2 Introduction to the unified treatment
6.1.3 Basic mechanism
6.1.4 Attacks and security
6.1.5* Variants
-
6.2 Length-restricted signature scheme
6.2.1 Definition
6.2.2 The power of length-restricted signature schemes
6.2.3* Constructing collision-free hashing functions
-
6.3 Constructions of Message Authentication Schemes
6.3.1 Applying a pseudorandom function to the document
6.3.2* More on Hash-and-Hide and state-based MACs
-
6.4 Constructions of Signature Schemes
6.4.1 One-time signature schemes
6.4.2 From one-time signature schemes to general ones
6.4.3* Universal One-Way Hash Functions and using them
-
6.5* Some Additional Properties
6.5.1 Unique signatures
6.5.2 Super-secure signature schemes
6.5.3 Off-line/on-line signing
6.5.4 Incremental signatures
6.5.5 Fail-stop signatures
-
6.6 Miscellaneous
6.6.1 On Using Signature Schemes
6.6.2 On Information Theoretic Security
6.6.3 On Some Popular Schemes
6.6.4 Historical Notes
6.6.5 Suggestion for Further Reading
6.6.6 Open Problems
6.6.7 Exercises
Chapter 7: General Cryptographic Protocols
-
7.1 Overview
7.1.1 The Definitional Approach and Some Models
7.1.2 Some Known Results
7.1.3 Construction Paradigms
-
7.2* The Two-Party Case: Definitions
7.2.1 The syntactic framework
7.2.2 The semi-honest model
7.2.3 The malicious model
-
7.3* Privately Computing (2-Party) Functionalities
7.3.1 Privacy reductions and a composition theorem
7.3.2 The 1-out-of-k OT protocol - definition and construction
7.3.3 Privately computing a multiplication-gate
7.3.4 The circuit evaluation protocol
-
7.4* Forcing (2-party) Semi-Honest Behavior
7.4.1 The protocol compiler - motivation and overview
7.4.2 Security reductions and a composition theorem
7.4.3 The compiler - functionalities in use
7.4.4 The compiler itself
-
7.5* Extension to the Multi-Party Case
7.5.1 Definitions
7.5.2 Security in the Semi-Honest Model
7.5.3 The Malicious Models - Overview and Preliminaries
7.5.4 The first compiler - Forcing Semi-Honest Behavior
7.5.5 The second compiler - Effectively Preventing Abort
-
7.6* Perfect Security in the Private Channel Model
7.6.1 Definitions
7.6.2 Security in the Semi-Honest Model
7.6.3 Security in the Malicious Model
-
7.7 Miscellaneous
7.7.1* Three deferred issues
7.7.2* Concurrent Executions
7.7.3 Concluding Remarks
7.7.4 Historical Notes
7.7.5 Suggestion for Further Reading
7.7.6 Open Problems
7.7.7 Exercises
Appendix C: Corrections and Additions to Volume 1
-
C.1 Enhanced Trapdoor Permutations
-
C.2 On Variants of Pseudorandom Functions
-
C.3 On Strong Witness Indistinguishability
C.3.1 On parallel composition
C.3.2 On Theorem 4.6.8 and an afterthought
C.3.3 Consequences
-
C.4 On Non-Interactive Zero-Knowledge
C.4.1 On NIZKs with efficient prover strategies
C.4.2 On Unbounded NIZKs
C.4.3 On Adaptive NIZKs
-
C.5 Some developments regarding zero-knowledge
C.5.1 Composing zero-knowledge protocols
C.5.2 Using the adversary's program in the proof of security
-
C.6 Additional Corrections and Comments
-
C.7 Additional Mottoes
Bibliography (approximately 200 entries)
Index (approximately 200 entries)
Frequently Asked Questions
Is there a solution manual of this book?
Unfortunately, the answer is negative,
but we believe that the guidelines for the exercises
provide sufficient clues.
When will this volume 2 appear?
It has already appeared (in Spring 2004).
See also
answers to other Frequently Asked Questions.
List of Corrections
- On page 436, Item 1, the descryption fits the private-key case.
In the public-key case, $A_1$ should be given input $(e,z)$,
rather than $(1^n,z)$. The same holds for Item 1 on page 443.
[Rupeng Yang]
- On page 443, Item 1: See page 436, Item 1.
- On page 475: All mentions of the authenticated key-exchange
should be unauthenticated key-exchange, and vice verse. [Haiyang Xue]
- On page 481, Footnote 58, the Decisional Diffie Hellman problem
is wrongly stated. One should require instead that $P=2P'+1$,
with $P'$ being a prime, and that $g$ is a generator
of the set of quadratic residues mod $P$.
[Luca Trevisan; for further details, see
Luca's email.]
- Addendum to the guideline of Exer 5.2 (on page 482):
To show that the two distributions are statistically far apart,
consider the event $S$ such that $(r,s)\in S$ if and only if
there exists an $n$-bit string $K$ such that $D_K(s)=r$.
- In the first item of Section 7.1.2.2 (p. 608),
in contrast to what is said after item 2,
the result regarding adaptive adversaries
is known to hold only in the non-adaptive case.
See On adaptive vs.
non-adaptive security of multiparty protocols.
- On top of page 622,
the simulator constructed to demonstrate the point
should only output the view $s$, rather than the view
coupled with the output $(s,F(s))$. [Carmit Hazay]
- On constructing 1-out-of-k OT (Const. 7.3.5 and Prop 7.3.6).
The current description is fine if $k=2$,
which actually suffices via additional reductions.
For $k>2$ one should either modify Construction 7.3.5
or make stringer assumptions about the trapdoor permutation used.
The simplest modification is to let the sender select $k$
indices of permutations (rather than a single one), and have
the parties use the $i$th index for $x_i$ and $y_i$. [Ron Rothblum]
- On top of page 698, item 1 (in the discussion of
the (first) malicious model)
refers to a convention made in Sec. 7.2.3
(which can be found in Footnote 17 on page 628).
As pointed out by Yuval Ishai, in the multi-party context,
it seems that the special abort-symbol convention
(including a modified functionality) has to be used.
In retrospect, we prefer this convention also in the two-party case.
- Regarding the issue of fairness (cf. Sec. 7.2.3 and 7.7.1.1):
See an important revisiting of this issue in
Complete
Fairness in Secure Two-Party Computation
by D. Gordon, C. Hazay, J. Katz, and Y. Lindell (STOC'08, pp. 413-422).
- Errata regarding the paragraph following Thm 7.5.14 (on p. 708)
and the 2nd paragraph on the 1st item on page 709:
This assertion is correct only if each output bit in the circuit
is a non-linear function of each of the input bits,
which means that a multiplication gate appears on each input-output path.
This can be enforced by augmenting the circuit with gates that multiply
each input bit by itself
(or multiply each bit output by itself before outputting it).
[Peter Scholl]
- Regarding Section 7.6:
See a full proof of the BGW Protocol
for perfectly-secure multiparty computation,
provided by Gilad Asharov and Yehuda Lindell, 2011.
- Regarding NIZK and enhanced trapdoor permutations
(see Appendices C.1 and C.4.1): Jonathan Katz has pointed out that
although the notion of enhanced trapdoor permutations (Def. C.1.1)
suffices for constructing Oblivious Transfer (see Sec. 7.3.2),
it does not seem to suffice for constructing a NIZK
(as outlined in Remark 4.10.6 and patched in Apdx C.4.1).
A seemingly stronger notion that does suffice (for constructing a NIZK)
may be called a doubly enhanced trapdoor permutation
and is defined as an enhanced trapdoor permutation for which
given an $n$-bit long description of a permutation it is feasible
to generate a random pair $(x,r)$ such that $x$ is the preimage
under the permutation of the domain element generated by
the domain-sampling algorithm on coins $r$.
For further details, see
note [Nov. 2008 (rev'ed Oct. 2009)].
More about enhanced trapdoor permutations:
See Ron Rothblum's
Taxonomy
of Enhanced Trapdoor Permutations, 2010.
Actually, it may be best to start with a later paper by Ron any myself,
titled Enhancements of Trapdoor Permutations.
Material available on-line (see Copyright notice below):
Permission is granted for (non-commercial)
use of the following drafts:
Also available (older related material, superseeded by the above):
Copyright (C symbol) 2003 by Oded Goldreich.
Permission to make digital or
hard copies of part or all of the material posted here
is currently granted without fee provided that copies
are made only for personal or classroom use,
are not distributed for profit or commercial advantage,
and that new copies bear this notice and the full
citation on the first page.
Abstracting with credit is permitted.
This work will be published in 2004 by Cambridge University Press,
and the relevant copyrights have been transferred to it.
Once published, permission to make digital or
hard copies of part or all of the material posted here
will be granted without fee provided that copies are made
only for personal use and are not distributed in any way.
Back to
the top or to
Oded Goldreich's homepage.