1 Number Theory Basics

Transcription

1 ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his course on cryptography and computer security at Stanford (CS255). 1.1 Arithmetic Modulo Primes For a prime p let Z p = {0, 1,...p 1}. Elements of Z p can be added modulo p and multiplied modulo p. Fermat s theorem: g p 1 = 1 mod p, for any g 0 mod p. Invertible elements: The inverse of x Z p is an element a satisfying a x = 1 mod p. The inverse of x modulo p is denoted by x 1. All elements x Z p except for x = 0 are invertible. Let Z p be the set of invertible elements in Z p, that is, Z p = {1, 2,..., p 1}. Structure of Zp : Z p is a cyclic group. That is, there exists g Z p such that Zp = {1, g, g 2 mod p, g 3 mod p,..., g p 2 mod p}. Such a g is called a generator of Zp. Not every element of Z p is a generator. Order of Group Element: The order of g Z p (denoted ord p (g)) is the smallest positive integer a such that g a = 1 mod p. Lagrange s Theorem: ord p (g) divides p 1, for all g Z p. Computational Considerations: For our cryptographic applications, we are dealing with primes p on the order of 300 digits long (1024 bits). Since p is huge, it cannot be stored in a single register. Elements of Z p are stored in 32-bit or 64-bit long buckets (depending on the processor s chip size). Adding two elements x, y Z p can be done in linear time in the length of p. Multiplying two elements x, y Z p can be done in quadratic time in the length of p. If p is n bits long, more clever (and practical) algorithms work in time O(n 1.7 ) (rather than O(n 2 )). Inverting an element x Z p can be done in quadratic time in the length of p. Elements of Z p can be efficiently inverted using Euclid s algorithm. If gcd(x, p) = 1 then using Euclid s algorithm it is possible to efficiently construct two integers a, b Z such that ax + bp = 1. Reducing this relation modulo p leads to ax = 1 mod p. Hence a = x 1 mod p. Using the repeated squaring algorithm, x r mod p can be computed in time (log 2 r)o(n 2 ) where p is n bits long. Note that this algorithm for modular exponentiation takes linear time in the length of r. 1

2 Discrete Log Problem: Let p be a 1024-bit prime, and let g be a generator of Z p. Given x Z p, find an r such that x = g r mod p. This problem is believed to be hard. Computational Diffie-Hellman Problem: Let p be a 1024-bit prime, and let g be a generator of Z p. Given x, y Z p where x = gr1 and y = g r2, find z = g r1r2. This problem is believed to be hard. Decision Diffie-Hellman Problem: Let p be a 1024-bit prime, and let g be a generator of Zp. Given an instance of the Computational Diffie-Hellman Problem x, y Zp, and given z which is either the solution to the Computational Diffie-Hellman problem (with probability 1/2) or a random element of Zp (with probability 1/2), try to distinguish which is the case. This problem is not hard. Large Prime Order Subgroup: The Discrete Log, Computational Diffie- Hellman, and Decision Diffie-Hellman problems are believed to be hard when the order of g is a large prime factor of p 1. Note that g is not a generator of Zp in this case (in fact, we say that g generates a large prime order subgroup of Zp). 1.2 Arithmetic Modulo Composites Unless otherwise stated, we assume N is the product of two primes of roughly equal size. For a composite N let Z N = {0, 1, 2,..., N 1}. Elements of Z N can be added and multiplied modulo N. Invertible Elements: The inverse of x Z N is an element y Z N such that x y = 1 mod N. An element x Z N has an inverse if and only if x and N are relatively prime (that is, gcd(x, N) = 1). Let ZN denote the set of invertible elements in Z N. Euler s Phi Function: Let φ(n) denote the number of elements in Z N. When N = pq is the product of two primes, φ(n) = (p 1)(q 1). Euler s Theorem: For any a Z N we have that aφ(n) = 1 mod N. Chinese Remainder Theorem (special case): Let p, q be distinct primes and let N = pq. Given r 1 Z p and r 2 Z q there exists a unique element s Z N such that s = r 1 mod p and s = r 2 mod q. Furthermore, s can be computed efficiently. Structure of Z N : The CRT implies that each element s Z N can be viewed as a pair (s 1, s 2 ) where s 1 = s mod p and s 2 = s mod q. The uniqueness guarantee shows that each pair (s 1, s 2 ) Z p Z q corresponds to one element of Z N. The CRT also shows that an element s Z N is invertible if and only if s mod p is invertible in Z p and s mod q is invertible in Z q. This yields an alternative explanation for why φ(n) = (p 1)(q 1) when N is the product of two distinct primes. 2

3 Computational Considerations: For our cryptographic applications, we are dealing with integers N on the order of 300 digits long (1024 bits). All of the observations about computing in Z p for prime p carry over without change to the setting of computing in Z N. Here is one computational trick that is unique to the setting of Z N for composite N. If the factorization p, q of N is known, then the repeated squaring algorithm for modular exponentiation (mod N) can be speeded up by about a factor of four, by exploiting the Chinese Remainder Theorem (details omitted). RSA Problem: Let e be relatively prime to φ(n). Given N and e, and given y = x e mod N for some x ZN, find x. This is believed to be hard if the factorization of N is unknown, but becomes easy if the factorization of N is known. RSA Trapdoor: Given the factorization p, q of N, it is easy to compute φ(n) = (p 1)(q 1), and then it is easy to compute d = e 1 mod φ(n), and then it is easy to compute y d mod N, which is equal to x (by Euler s Theorem). The factorization p, q (or the value d) is called a trapdoor for the RSA problem. 2 Secret Sharing Basics This section has some basic facts about secret sharing schemes, mostly taken (or adapted) from CRC Handbook of Applied Cryptography (Chapt 12, pp ), Menezes et al. (eds), (t,t) Threshold Secret Sharing: Let S be a secret integer, 0 S m 1. Here is a way to divide S into t shares, such that all of them are required in order to recover it: Choose t 1 independent random numbers S i, 0 S i m 1, 1 i t 1. Compute S t = S t 1 i=1 S i mod m. The secret is recovered as S = t i=1 S i mod m. Note that modulo m operations may be replaced by exclusive-or, using data values S and S i of fixed bit-length log 2 (m). Shamir s (t, n) Threshold Secret Sharing: Let S be a secret integer 0 S m 1. Here is a way to divide S into n shares, such that any t of them are necessary and sufficient to recover it. Let p be an arbitrary prime number greater than m 1 and n. Sharing Phase: Select t 1 random, independent coefficients a 1,..., a t 1, 0 a j p 1. Let f(x) be the following polynomial of degree t 1 over Z p : f(x) = S + t 1 j=1 a jx j. Compute S i = (i, f(i) mod p), 1 i n. Reconstruction Phase: Any subset of t or more shares can be combined to recover the secret. The shares provide t distinct points of the form (i, f(i) mod p), allowing computation of the coefficients a j, 0 j t 1 of f(x) over Z p by Lagrange interpolation (see below). The secret is recovered by noting f(0) = a 0 = S. Lagrange Interpolation: The coefficients of an unknown polynomial f(x) of degree at most t 1, defined by distinct points (x i, y i ), 1 i t, are 3

4 given by the Lagrange interpolation formulae: f(x) = t i=1 y i 1 j t,j i (x x j )/(x i x j ). Since f(0) = a 0 = S, the shared secret may be expressed as S = t i=1 c iy i mod p, where c i = 1 j t,j i x j(x j x i ) 1 mod p. Note that the c i values are non-secret constants, which for a fixed subset of t shares may be pre-computed. 3 Cryptographic Primitives Basics This section has some basic information about cryptographic primitives, mostly taken (or adapted) from Introduction to Modern Cryptography, Katz and Lindell, Chapman & Hall/CRC, One-Way Primitives negligible: A function f is negligible if for every polynomial p(.) there exists an N such that for all integers n > N it holds that f(n) < 1/p(n). We typically denote an arbitrary negligible function by negl. One-Way Function: A function f : {0, 1} {0, 1} is one-way if the following two conditions hold: 1. (Easy to compute:) There exists a polynomial-time algorithm M f computing f; that is, M f (x) = f(x) for all x. 2. (Hard to invert:) For every probabilistic polynomial-time algorithm A, there exists a negligible function negl such that the the following inverting experiment succeeds with probability at most negl(n): Choose input x {0, 1} n ; Compute y = f(x); Give 1 n and y as input to A; The experiment succeeds if A outputs any x such that f(x ) = y. One-Way Function Family: The above definition of one-way function is very convenient in that it considers a single function over an infinite domain and range. However, most candidate one-way functions that we know of do not fit naturally into this framework. Rather, there is typically an algorithm that generates some parameters I which define some function f I ; the requirement is essentially that f I should be one-way with all but negligible probability over choice of I. Exponentiation Modulo a Prime: Let p be any prime, and let g be a generator of Z p. Let f p,g (x) = g x mod p, for x Z p. This family of functions is believed to be one-way (which is closely related to the belief that the Discrete Log problem is hard over Z p when p is a sufficiently large prime). In fact, this is believd to be a family of one-way permutations, since every f p,g is a one-to-one mapping on Z p. SHA: The SHA family includes cryptographically strong hash functions that seem hard to invert in practice. They fall outside of the asymptotic security framework developed here, since the output lengths are fixed. 4

5 3.2 Pseudorandom Primitives Pseudorandom generator: Let l(.) be a polynomial and let G be a deterministic polynomial-time algorithm such that for any input s {0, 1} n, algorithm G outputs a string of length l(n). We say that G is a pseudorandom generator if the following two conditions hold: 1. (expansion) For every n it holds that l(n) > n. 2. (pseudorandom) For all probabilistic polynomial-time distinguishers D, there exists a negligible function negl such that P r[d(r) = 1] P r[d(g(s)) = 1] negl(n), where r is chosen uniformly at random from {0, 1} l(n), the seed s is chosen uniformly at random from {0, 1} n, and the probabilities are taken over the random coins used by D and the choice of r and s. Pseudorandom function: A keyed function F is a two-input function F : {0, 1} {0, 1} {0, 1}, where the first input is called the key and denoted k, and the second input is just called the input. In general, the key k will be chosen and then fixed, and we will then be interested in the single-input function F k : {0, 1} {0, 1} defined by F k (x) = F(k, x). For simplicity, we will generally assume that F is length-preserving meaning that the key, input, and output lengths of F are all the same. That is, we assume that the function F is only defined when the key k and the input x have the same length, in which case F k (x) = x = k. Let F : {0, 1} {0, 1} be an efficiently computable, length-preserving, keyed function. We say that F is a pseudorandom function if for all probabilistic polynomial-time distinguishers D, there exists a negligible function negl such that Pr[D F k(.) (1 n ) = 1] Pr[D f(.) (1 n ) = 1] negl(n), where k is chosen uniformly at random from {0, 1} n, and where f is chosen uniformly at random from the set of functions mapping n-bit strings to n-bit strings. [Note that the definition of pseudorandom function] gives D oracle access to the function in question (either F k or f. D is allowed to query the oracle at any point x {0, 1} n, in response to which the oracle returns the value of the function evaluated at x. 3.3 Symmetric Key Primitives Message Authentication Codes: A message authentication code (or MAC) is a tuple of probabilistic polynomial-time algorithms (Gen, Mac, Vrfy) such that: 1. The key generation algorithm Gen takes as input the security parameter 1 n and outputs a key k with k n. 2. The tag-generation algorithm Mac takes as input a key k and a message m {0, 1}, and outputs a tag t. Since this algorithm may be randomized, we write this as t Mac k (m). 5

6 3. The verification algorithm Vrfy takes as input a key k, a message m, and a tag t. It outputs a bit b, with b = 1 meaning valid and b = 0 meaning invalid. We assume without loss of generallity that Vrfy is deterministic and so write this as b := Vrfy k (m, t). 4. (Consistency) For every n, every key k output by Gen(1 n ), and every m {0, 1}, it holds that Vrfy k (m, Mac k (m)) = 1. Security for Message Authentication Codes: A message authentication code (Gen, Mac, Vrfy) is existentially unforgeable under an adaptive chosenmessage attack, or just secure, if for all probabilistic polynomial-time adversaries A, there exists a negligible function negl such that the following forgery experiment succeeds with probability at most negl(n): 1. A random key k s generated by running Gen(1 n ). 2. The adversary A is given input 1 n and oracle access to Mac k (.). The adversary eventually outputs a pair (m, t). Let Q denote the set of all queries that A asked to its oracle. 3. The experiment succeeds if Vrfy k (m, t) = 1 and m Q. Private Key Encryption: A private key encryption scheme (sometimes called symmetric key or secret key or shared key in the literature), is a tuple of probabilistic polynomial-time algorithms (Gen, Enc, Dec) such that: 1. The key generation algorithm Gen takes as input the security parameter 1 n and outputs a key k; we write this as k Gen(1 n ) (thus emphasizing the fact that Gen is a randomized algorithm). We will assume without loss of generality that any key k output by Gen(1 n ) satisfies k n. 2. The encryption algorithm Enc takes as input a key k and a plaintext message m {0, 1}, and outputs a ciphertext c. Since Enc may be randomized, we write this as c Enc k (m). 3. The decryption algorithm Dec takes as input a key k and a ciphertext c and outputs a message m. We assume that Dec is deterministic, and so write this as m := Dec k (c). 4. (Consistency) For every n, every key k output by Gen(1 n ), and every m {0, 1}, it holds that Dec k (Enc k (m)) = m. CPA-Security for Private Key Encryption: A private key encryption scheme (Gen, Enc, Dec) has indistinguishable encryptions in the presence of a chosen-plaintext attack (or is CPA-secure) if for all probabilistic polynomialtime adversaries A there exists a negligible function negl such that the following distinguishing experiment succeeds with probability at most 1/2 + negl(n): 1. A key k is generated by running Gen(1 n ). 2. The adversary A is given input 1 n and oracle access to Enc k (.), and outputs a pair of messages m 0, m 1 of the same length. 6

7 3. A random bit b {0, 1} is chosen, and then a ciphertext c Enc k (m b ) is computed and given to A. We call c the challenge ciphertext. 4. The adversary A continues to have oracle access to Enc k (.), and outputs a bit b. 5. The experiment succeeds if b = b. CPA-Secure Private Key Encryption from PRF: If F is a pseudorandom function, then the following private key encryption scheme can be proven to be CPA-secure: Gen(1 n ) outputs a random n-bit key; Enc(k, m) chooses a random n-bit value r and outputs ciphertext (r, F k (r) m); Dec(k, (r, s)) outputs m = F k (r) s. CCA-Security for Private Key Encryption: A stronger security notion for private key encryption is indistinguishability of encryptions in the presence of a chosen-ciphertext attack (or CCA-security). The definition is the same as for CPA-security, except that the adversary A gets oracle access to both Enc k (.) and Dec k (.) in steps 2 and 4 of the distinguishability experiment (although forbidden from using the decryption oracle in step 4 to decrypt the challenge ciphertext itself). CCA-Secure Private Key Encryption from MAC: If (Gen E, Enc, Dec) is a CPA-secure encryption, and if (Gen M, Mac, V rfy) is a secure MAC, then the following private key encryption scheme can be proven to be CCA-secure: Gen (1 n ) runs Gen E (1 n ) and Gen M (1 n ) to get encryption key k 1 and MAC key k 2 ; Enc (k 1, k 2, m) computes c Enc k1 (m) and t MAC k2 (c) and outputs the ciphertext (c, t); Dec (k 1, k 2, c, t) outputs Dec k1 (c) if V rfy k2 (c, t) = 1 and otherwise outputs (reserved null element in the message space). 3.4 Public Key Primitives Key Exchange Protocol: Alice and Bob begin by holding the security parameter 1 n ; they then choose (independent) random coins and run the key exchange protocol. At the end of the protocol, Alice and Bob output keys k A, k B {0, 1} n, respectively. The basic correctness requirement is that it should always hold that k A = k B (i.e., for all choices of random coins by Alice and Bob). Since we only deal with protocols that satisfy this requirement, we will speak simply of the key k = k A = k B generated by an honest execution of the protocol. Passive Security for Key Exchange: A key exchange protocol is secure in the presence of an eavesdropper if for every probabilistic polynomial-time adversary A there exists a negligible function negl such that the following distinguishing experiment succeeds with probability at most negl(n): 1. Two parties holding 1 n execute the key exchange protocol. This execution results in a transcript trans containing all the messages sent by the parties, and the key k that is output by each of the parties. 7

8 2. A random bit b {0, 1} is chosen. If b = 0 then choose ˆk {0, 1} n uniformly at random, and if b = 1 set ˆk := k. 3. A is given trans and ˆk, and outputs bit b. 4. The experiment succeeds if b = b. Diffie-Hellman Key Exchange: The Diffie-Hellman Key Exchange protocol is secure in the presence of an eavesdropper, under the assumption that the (Large Prime-Order Subgroup) Decision Diffie-Hellman problem is hard. Alice and Bob agree on an element g Zp of order q, for suitably large primes p, q (where q is a divisor of p 1). Alice chooses a random α Zp and sends y = g α mod p. Bob chooses a random β Zp and sends z = gβ mod p. Alice computes k A = z α mod p. Bob computes K B = y β mod p. Public Key Encryption Scheme: A public key encryption scheme is a tuple of probabilistic polynomial-time algorithms (Gen, Enc, Dec) such that: 1. The key generation algorithm Gen takes as input the security parameter 1 n and outputs a pair of keys (pk, sk). We refer to the first of these as the public key and the second as the private key. We assume for convenience that pk and sk each have length at least n, and that n can be determined from pk, sk. 2. The encryption algorithm Enc takes as input a public key pk and a message m from some underlying plaintext space (that may depend on pk). It outputs a ciphertext c, and we write this as c Enc pk (m). 3. The decryption algorithm Dec takes as input a private key sk and a ciphertext c, and ouutputs a message m or a special symbol denoting failure. We assume without loss of generality that Dec is deterministic, and write this as m := Dec sk (c). 4. (Consistency) There exists a negligible function negl such that for every n, every (pk, sk) output by Gen(1 n ), and every message m in the appropriate underlying plaintext space, it holds that Pr[Dec sk (Enc pk (m)) m] negl(n). CPA Security for Public Key Encryption: A public key encryption scheme (Gen, Enc, Dec) has indistinguishable encryptions under a chosen-plaintext attack ( CPA-secure ; sometimes called IND-CPA-secure in the literature) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that the following distinguishing experiment succeeds with probability at most negl(n): a. Gen(1 n ) is run to obtain keys (pk, sk). b. Adversary A is given pk as well as oracle access to Enc pk (.). The adversary outputs a pair of messages m 0, m 1 of the same length. (These messages must be in the plaintext space associated with pk.) c. A random bit b {0, 1} is chosen, and then a ciphertext c Enc pk (m b ) is computed and given to A. We call c the challenge ciphertext. 8

9 d. A continues to have access to Enc pk (.), and outputs bit b. e. The distinguishing experiment succeeds if b = b. ElGamal Public Key Encryption: The ElGamal public key encryption scheme is CPA-secure, under the assumption that the (Large Prime-Order Subgroup) Decision Diffie-Hellman Problem is hard. The keys are pk = (g, g x mod p), sk = x R Z q, where p is a large prime, q is a large prime factor of p 1, and ord p (g) = q. To encrypt a message M (in the subgroup generated by g) under public key (g, y), choose a random r Z p and compute the ciphertext (g r mod p, My r mod p). To decrypt ciphertext (u, v) with secret key x, compute M = v(u 1 ) x mod p. CCA Security for Public Key Encryption: A public key encryption scheme (Gen, Enc, Dec) has indistinguishable encryptions under a chosen-ciphertext attack ( CCA-secure ; sometimes called IND-CCA2-secure in the literature) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that the following distinguishing experiment succeeds with probability at most negl(n): a. Gen(1 n ) is run to obtain keys (pk, sk). b. Adversary A is given pk as well as oracle access to Dec sk (.). The adversary outputs a pair of messages m 0, m 1 of the same length. (These messages must be in the plaintext space associated with pk.) c. A random bit b {0, 1} is chosen, and then a ciphertext c Enc pk (m b ) is computed and given to A. We call c the challenge ciphertext. d. A continues to interact with Dec sk (.), but may not request decryption of c itself. Finally, A outputs bit b. e. The distinguishing experiment succeeds if b = b. Homomorphic Publc Key Encryption: A public key encryption scheme is homomorphic if there is an easy way to combine ciphertexts to perform some arithmetic operation on the underlying encrypted values. For example, the ElGamal public key encryption scheme is multiplicatively homomorphic : If (u 1, v 1 ) and (u 2, v 2 ) are ElGamal encryptions of M 1 and M 2 (under the same public key), then (u 1 u 2 mod p, v 1 v 2 mod p) is an ElGamal encyrption of M 1 M 2 mod p. Digital Signature Scheme: A signature scheme is a tuple of three probabilistic polynomial-time algorithms (Gen, Sign, Vrfy) satisfying the following: 1. The key generation algorithm Gen takes as input a security parameter 1 n and outputs a pair of keys (pk, sk). These are called the public key and the private key respectively. We assume for convenience that pk and sk each have length at least n, and that n can be determined from pk, sk. 9

10 2. The signing algorithm Sign takes as input a private key sk and a message m {0, 1}. It outputs a signature σ, denoted as σ Sign sk (m). 3. The deterministic verification algorithm Vrfy takes as input a public key pk, a message m, and a signature σ. It outputs a bit b, with b = 1 meaning valid and b = 0 meaning invalid. We write this as b := Vrfy pk (m, σ). 4. (Consistency) For every n, every (pk, sk) output by Gen(1 n ), and every m {0, 1}, it holds that Vrfy pk (m, Sign sk (m)) = 1. Signature Scheme Security: A signature scheme (Gen, Sign, Vrfy) is existentially unforgeable under an adaptive chosen-message attack if for all probabilistic polynomial-time adversaries A, there exists a negligible function negl such that the following forging experiment succeeds with probability at most negl(n): 1. Gen(1 n ) is run to obtain keys (pk, sk). 2. Adversary A is given pk and oracle access to Sign sk (.). (This oracle returns a signature Sign sk (m) for any message m of the adversary s choice.) The adversary then outputs (m, σ). Let Q denote the set of messages whose signatures were requested by A during its execution. 3. The forging experiment succeeds if Vrfy pk (m, σ) = 1 and m Q. 10