Download presentation
Presentation is loading. Please wait.
1
B504/I538: Introduction to Cryptography
Spring • Lecture 20 (2017—03—23)
2
Recall: Modular eth roots
Defn: Let n and e be positive integers and let a∈℥n. Then b∈℥n is called an eth root of a modulo n if We write b≡a1/e mod n to indicate that b is an eth root of a modulo n. a≡be mod n. ??? Q: When does a unique solution for a1/e mod n exist? A: If gcd(e,φ(n))=1, then a1/e≡ad mod n where d≔e-1 mod φ(n) If gcd(e,φ(n))≠1, then a1/e may or may not exist; if it does exist, it is not unique
3
Recall: The eth root problem
Defn: The eth root problem (aka the RSA problem) is: Given (n,e,a) such that n=pq for distinct s-bit primes p and q, a∈℥n, and gcd(e,φ(n))=1, compute a1/e mod n. One possible solution: compute d≔e-1 mod φ(n) and output ad mod n Fact: Computing d≔e-1 mod φ(n) is equivalent to factoring n!
4
Recall: Discrete logarithms
Defn: Let G be a group with |G|=n and let g,h∈G. A discrete logarithm (DL) of h to the base g in G is a number x∈ℤn such that We write x=logg h to indicate that x is a DL of h to the base g ??? h=gx in G. Q: Does the DL of h to the base g always exist? A: No! But it does always exists if g is a generator of G. Q: If the DL of h to the base g exists, is it unique? A: Sort of… If x1 and x2 are DLs of h to the base g, then x1≡x2 mod |g| (i.e., the DL is unique in ℤ|g|).
5
Recall: The DL problem Defn: The DL problem is:
Given (G,q,g,h) such that (G,•) is a cyclic group of s-bit prime order q, g is a generator of G, and h is an arbitrary element of G, compute x≡logg h. If (G,+) is an additive group, then the DL problem is, given (G,q,g,h) as above, to compute k such that k·g=h in G.
6
Intractable problems Intuitively, a problem is intractable if no PPT algorithm can solve a uniform random instance the problem, except with negligible probability Q: How do we formalize the notion of intractability for problems defined in a finite group? A: Very carefully… Algorithm must be PPT in what parameter? Success probability must be negligible in what parameter? Instance must be uniform random instance from what sample space?
7
Group generating algorithm
The DL problem is both defined in a finite group ⇒ no parameter to grow large! Problem may be easy in some groups and hard in others Defn: A group generating algorithm G is a PPT algorithm that, on input a security parameter 1s∈1ℕ, outputs a description of a finite group (G,•) with s-bit prime order q and a fixed generator g∈G. We write (G,q,g)← G(1s) to indicate that (G,•) is a group with s-bit prime order q and generator g, sampled from the output of G.
8
Group generating algorithm
Idea: Don’t consider problem instances in a particular fixed group (G,•); rather, consider instances in groups (G,q,g)←G(1s) sampled from a fixed group generating algorithm G! Q: How do we formalize the notion of intractability for problems defined in a finite group? Q1: Algorithm must be PPT in what parameter? A1: The security parameter s such that (G,q,g)←G(1s) Q2: Success probability must be negligible in what parameter? A2: The security parameter s such that (G,q,g)←G(1s) Q3: Instance must be uniform random instance from what sample space? A3: The set of problem instances in (G,•)
9
The DL assumption Challenger (C) Attacker (A) 1 s 1 s (G,q,g)←G(1 s) x∊℥q h≔gx (G,q,g,h) x’ Let E be the event that x≡x’ mod q Define A’s advantage to be AdvDL,G(A)≔Pr[E] Defn: Let G be a fixed group generating algorithm. The discrete logarithm (DL) assumption holds with respect to G if, for every PPT algorithm A, there exists a negligible function ε:ℕ→ℝ+ such that AdvDL,G(A)≤ε(s).
10
Average-case hardness of DL
Thm (informal): Let (G,•) be a group with prime order q. If the DL problem in is hard for some instance, then it is hard for almost every instance! Proof (sketch): Assume that it is hard to compute x≡logg h in (G,•) Idea: Reduce hardness of computing x≡logg h to hardness of solving a uniform random instance in (G,•) Randomize g: (G,q,g,h)→(G,q,gr,h) for r∊℥q ⇒ logg h≡(loggr h)•r mod q Randomize h: (G,q,g,h)→(G,q,g,hs) for s∊℥q ⇒ logg h≡(logg hs)•s-1 mod q ☐
11
RSA instance generating algorithm
Defn: An RSA instance generating algorithm G is a PPT algorithm that, on input a security parameter 1s∈1ℕ, outputs a pair of distinct s-bit primes (p,q) and e∊℥φ(pq). We write (p,q,e)← G(1s) to indicate that s-bit primes (p,q) and e∈℥φ(pq) are sampled from the output of G.
12
The eth root assumption
Challenger (C) Attacker (A) 1 s (p,q,e)←G(1 s) N≔p·q a∊℥N b≔ae mod N 1 s (N,e,b) a’ Let E be the event that a≡a’ mod N Define A’s advantage to be AdvRSA,G(A)≔Pr[E] Defn: Let G be a fixed RSA instance generating algorithm. The eth root (RSA) assumption holds with respect to G if, for every PPT algorithm A, there exists a negligible function ε:ℕ→ℝ+ such that AdvRSA,G(A)≤ε(s).
13
The RSA trapdoor permutation
Observation: The eth root assumption is qualitatively different from the DL assumption In DL assumption, attacker gets complete output of G In eth root assumption, attacker learns N=p·q but not p and q; if attacker knows (p,q) the eth root problem is easy! This is our first example of a trapdoor permutation with (p,q) being the trapdoor More on this later…
14
Diffie-Hellman key exchange protocol
What if Alice and Bob don’t already share a secret ket? Enc (m) Alice Bob Eve m =?
15
Diffie-Hellman key exchange protocol
a∊℥q b∊℥q ≔h((gb)a) ≔h((ga)b) ga gb Enc (m) Alice Bob Eve =? m=? Suppose (G,q,g)←G(1s) for some group generating algorithm G
16
Security of Diffie-Hellman key exchange
Q: Suppose the DL assumption holds with respect to G Is the Diffie-Hellman protocol “secure” in the presence of an eavesdroppers? A: Errr…well, probably? DL assumption implies that it is hard for an eavesdropper to compute a from ga or b from gb But, is it hard to compute gab from ga and gb?
17
Diffie-Hellman assumption
Challenger (C) Attacker (A) 1 s 1 s (G,q,g)←G(1 s) a,b∊℥q h1≔ga, h2≔gb (G,q,g,h1,h2) h Let E be the event that h=gab Define A’s advantage to be AdvCDH,G(A)≔Pr[E] Defn: Let G be a group generating algorithm. The (computational) Diffie-Hellman (CDH) assumption holds with respect to G if, for every PPT algorithm A, there exists a negligible function ε:ℕ→ℝ+ such that AdvCDH,G(A)≤ε(s).
18
Decision Diffie-Hellman assumption
A tuple (G,q,g,ga,gb,h) is a DH tuple if and only if h=gab Game 0: (input to A is a DH tuple) 1s∈1ℕ 1s∈1ℕ Challenger Distinguisher (D) (G,q,g)←G(1 s) a,b∊℥q (G,q,g,ga,gb,gab) b’∈{0,1} Game 1: (input to A is not a DH tuple) 1s∈1ℕ Challenger Distinguisher (D) 1s∈1ℕ (G,q,g)←G(1 s) a,b,c∊℥q (G,q,g,ga,gb,gc) b’∈{0,1} Let E be the event that b’=0 in Game 0 or b’=1 in Game 1 17 Defn: AdvDDH,G(D)≔|Pr[E]- ½|
19
Decision Diffie-Hellman assumption
Defn: Let G be a group generating algorithm. The Decision Diffie-Hellman (DDH) assumption holds with respect to G if, for every PPT algorithm A, there exists a negligible function ε:ℕ→ℝ+ such that AdvDDH,G(A)≤ε(s).
20
The DL, CDH, and DDH assumptions
Thm: Let G be a group generating algorithm. Fact 1: If the DDH assumption holds with respect to G, then the CDH assumption also holds with respect to G. The converse is believed to be false. Fact 2: If the CDH assumption holds with respect to G, then the DL assumption also holds with respect to G. The converse is not known to be true.
21
Public-key encryption schemes
Defn: A public-key encryption scheme is a triple of algorithms (Gen, Enc, Dec) such that Gen:1ℕ→Ke×Kd is a randomized “keypair generation” algorithm; Enc:Ke×M→C is an (often randomized) “encryption” algorithm; Dec:Kd×C→M is a deterministic “decryption” algorithm. Usually write Encke(m) and Deckd(m) instead of Enc(ke,m) and Dec(kd,m) Ke is the encryption key space Kd is the decryption key space M is the message space C is the ciphertext space (set of possible encryption keys) (set of possible decryption keys) (set of possible messages) (set of possible ciphertexts)
22
Pr[Deckd(Encke(m))=m|(ke,kd)←Gen(1s)]≥1-ε(s)
Correctness Intuitively: Correctness is the property of being able to decrypt (given the appropriate decryption key) Defn: A public-key encryption scheme (Gen, Enc, Dec) with message space M is correct if there exists a negligible function ε:ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈M, Pr[Deckd(Encke(m))=m|(ke,kd)←Gen(1s)]≥1-ε(s)
23
That’s all for today, folks!
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.