The intention of these suggestions is not to provide a scholarly account of the due credits but rather to provide sources for further reading. Thus, our main criterion is the readability of the text (not its novelty). The recommendations are arranged by subject.
One-Way Functions, Pseudorandom Generators and Zero-Knowledge: For these, our favorite source is our own text [171].
Encryption Schemes: A good motivating discussion appears in [201]. For a definitional treatment of eavesdropping security, the reader is referred to the revised version of [171]. Further details on the constructions of public-key encryption schemes (sketched above) can be found in [201, 168] and [69, 8], respectively. For discussion of Non-Malleable Cryptography, which actually transcends the domain of encryption, see [123].
Signature Schemes: For a definitional treatment of signature schemes the reader is referred to [203] and [305]. Easy-to-understand constructions appear in [49, 132, 128, 111]. Variants on the basic model are discussed in [305] and in [97, 157, 306, 227]. For discussion of message authentication schemes (MACs) the reader is referred to [34].
General Cryptographic Protocols: This area is both the most complex and the most lacking in good expositions. As the least of all evils, we refer the reader to [174], which provides an exposition of the basic definitions and results, as well as detailed proofs for the latter. More advanced treatment can be found in [82, 84].
New Directions: These include Realizing the Random Oracle Model [83, 89, 90], Session-Key Problems [51, 52, 35], Incremental Cryptography [39, 40], Coercibility [88, 85], sharing of cryptographic objects [121, 119, 161], Private Information Retrieval [106, 103, 242], Cryptanalysis by induced faults [73], and many others.
Acknowledgments
I am most grateful to Hugo Krawczyk for carefully reading and commenting on an early draft of this chapter.
Thanks also to Mihir Bellare, Gilles Brassard, Christian Cachin, Ran Canetti, Ronald Cramer, Cynthia Dwork, Shafi Goldwasser, Moni Naor and Birgit Pfitzmann for comments and corrections regarding previous versions of this chapter.
Chapter 2
Probabilistic Proof Systems
A proof is whatever convinces me.
Shimon Even, answering a student’s question in his Graph Algorithms class (1978)
Summary – Various types of probabilistic proof systems have played a central role in the development of computer science in the last decade. In this chapter, we concentrate on three such proof systems — interactive proofs, zero-knowledge proofs, and probabilistically checkable proofs — stressing the essential role of randomness in each of them.
2.1 Introduction
The glory attached to the creativity involved in finding proofs makes us forget that it is the less glorified procedure of verification which gives proofs their value. Philosophically speaking, proofs are secondary to the verification procedure; whereas technically speaking, proof systems are defined in terms of their verification procedures.
The notion of a verification procedure assumes the notion of computation and furthermore the notion of efficient computation. This implicit assumption is made explicit in the definition of NP, in which efficient computation is associated with (deterministic) polynomial-time algorithms.
Definition 2.1 (NP-proof systems): Let S ⊆ {0,1}* and ν : {0,1}* × {0,1}* ↦ {0,1} be a function so that x ∈ S if and only if there exists a w ∈ {0,1}* such that ν(x, w) = 1. If ν is computable in time bounded by a polynomial in the length of its first argument then we say that S is an NP-set and that ν defines an NP-proof system.
Traditionally, NP is defined as the class of NP-sets. Yet, each such NP-set can be viewed as a proof system. For example, consider the set of satisfiable Boolean formulae. Clearly, a satisfying assignment π for a formula φ constitutes an NP-proof for the assertion “φ is satisfiable” (the verification procedure consists of substituting the variables of φ by the values assigned by π and computing the value of the resulting Boolean expression).
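As an added illustration (not code from the book), here is a concrete NP-verifier ν for CNF satisfiability in the sense of Definition 2.1. The string encoding of formulae and assignments is my own assumption (the chapter fixes none); the verifier runs in time polynomial in the length of the formula and returns 0 on any witness that is malformed or fails a clause.

```python
# Added example: an NP-verifier nu(x, w) for CNF satisfiability
# (Definition 2.1). Encoding (assumed, not the book's): the assertion x
# lists clauses separated by '|', literals by spaces, "+i" for variable i
# and "-i" for its negation. The witness w is a string over {0,1} whose
# (i-1)-th character is the value assigned to variable i.

from typing import List, Tuple

Clause = Tuple[int, ...]


def parse_cnf(x: str) -> List[Clause]:
    """Parse x, e.g. "1 -2 | 2 3 | -1 -3"; ValueError on a bad encoding."""
    clauses = []
    for part in x.split("|"):
        lits = tuple(int(tok) for tok in part.split())
        if not lits or any(lit == 0 for lit in lits):
            raise ValueError("empty clause or literal 0")
        clauses.append(lits)
    return clauses


def nu(x: str, w: str) -> int:
    """Return 1 iff w encodes an assignment satisfying every clause of x."""
    try:
        clauses = parse_cnf(x)
    except ValueError:
        return 0                      # malformed assertion: never accept
    n = max(abs(lit) for c in clauses for lit in c)
    # Only the first n bits of w are read, so the work stays polynomial in
    # |x| however long the witness is (cf. the remark on padding below).
    if len(w) < n or any(ch not in "01" for ch in w[:n]):
        return 0                      # malformed witness: reject
    value = [None] + [ch == "1" for ch in w[:n]]   # value[i] for variable i
    # Substitute the assignment and evaluate each clause (an OR of literals).
    for clause in clauses:
        if not any(value[l] if l > 0 else not value[-l] for l in clause):
            return 0
    return 1


def is_satisfiable_by_search(x: str) -> bool:
    """The existential side of Definition 2.1, for tiny formulae only:
    x is in S iff some witness w makes nu(x, w) = 1 (exponential search)."""
    n = max(abs(lit) for c in parse_cnf(x) for lit in c)
    return any(nu(x, format(k, f"0{n}b")) == 1 for k in range(2 ** n))
```

Verification is cheap even though finding the witness is not: the search function exists only to show that membership in S is exactly the existence of an accepted witness.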
The formulation of NP-proofs restricts the “effective” length of proofs to be polynomial in the length of the corresponding assertions (since the running time of the verification procedure is restricted to be polynomial in the length of the assertion). However, longer proofs may be allowed by padding the assertion with sufficiently many blank symbols. So it seems that NP gives a satisfactory formulation of proof systems (with efficient verification procedures). This is indeed the case if one associates efficient procedures with deterministic polynomial-time algorithms. However, we can gain a lot if we are willing to take a somewhat non-traditional step and allow probabilistic verification procedures. In particular,
• Randomized and interactive verification procedures, giving rise to interactive proof systems, seem much more powerful (i.e., “expressive”) than their deterministic counterparts.
• Such randomized procedures allow the introduction of zero-knowledge proofs which are of great theoretical and practical interest.
• NP-proofs can be efficiently transformed into a (redundant) form which offers a trade-off between the number of locations examined in the NP-proof and the confidence in its validity (see probabilistically checkable proofs).
In all the abovementioned types of probabilistic proof systems, explicit bounds are imposed on the computational complexity of the verification procedure, which in turn is personified by the notion of a verifier. Furthermore, in all these proof systems, the verifier is allowed to toss coins and rule by statistical evidence. Thus, all these proof systems carry a probability of error; yet, this probability is explicitly bounded and, furthermore, can be reduced by successive application of the proof system.
Notational Conventions. When presenting a proof system, we state all complexity bounds in terms of the length of the assertion to be proven (which is viewed as an input to the verifier). Namely, polynomial-time means time