COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

Transcription

1 COMS W4995 Introduction to Cryptography October 12, 2005 Lecture 12: RSA, and a summary of One Way Function Candidates. Lecturer: Tal Malkin Scribes: Justin Cranshaw and Mike Verbalis 1 Introduction In this lecture we conclude the introduction to one-way functions by reviewing the candidate functions we have studied thus far, introducing two new OWF candidates, and presenting various standards by which one-way functions are compared. We will introduce the concept of a universal one-way function. Finally, we consider the topic of leakage, whereby despite our hardness assumptions for a OWF, information can be leaked about the message content. 2 OWF Candidate Review Up to this point we have seen 4 candidate one-way functions: Product: f(p, q) = p q for primes p, q with p = q. Exponentiation: f g,p (x) = g x mod p, for prime p and generator g of Z p. Rabin/Squaring: f n (x) = x 2 p = q. mod n, for n = p q where p, q are primes with RSA: f n,e (x) = x e mod n, for n = p q for primes p, q and e Z ϕ(n). Note: In the RSA function as presented, primes p, q are chosen at random, then an exponent e is chosen randomly from Z ϕ(n). Some presentations of RSA are defined for a fixed exponent e, for which primes p and q are chosen such that ϕ(n) is relatively prime to e. 2.1 Properties of these OWF Candidates Since the existence of one-way functions is an open problem, each of these candidate functions is one-way under varying cryptographic assumptions. Furthermore, it is often desirable for a one-way function to be a permutation of the input. Both the necessary cryptographic assumptions and the permutation status of the above functions are summarized 1

2 Name Function Assumption Permutation? Product f(p, q) = p q FA NO Exponentiation f g,p (x) = g x mod p DLA YES Rabin f n (x) = x 2 mod n FA varies 1 RSA f n,e (x) = x e mod n RSA YES Figure 1: The above table lists the security assumptions that each of the candidate OWF s that we ve studied relies on. In addition, the permutation status of each function is given. in figure 1. 3 Other Candidate One-Way Functions Subset-Sum: f(x 1,..., x k, S) = (x 1,..., x k, i S x i) where x 1,..., x k are k-bit numbers (chosen randomly in implementation) and S is a subset of indices and S {1,..., k}. Clearly f is easy to compute. Thus to show that f is a OWF we need to show that it is hard to invert. That is, given a random set of x i s and the sum i S x i, can we find the subset S. The decision version of this problem is known to be NP-complete. Of course this does not mean that we have devised a cryptographic scheme based on NP-completeness, since we require average case hardness for computational security, and NP-completeness only categorizes the worst case complexity of a problem. Nevertheless, it is widely conjectured that Subset-Sum is hard on average. Block Ciphers: Additional candidate one-way functions can be derived from block ciphers and hash tables. Block ciphers are not defined asymptotically as a function of the key size as were all the other candidates we have seen. Rather, each block cipher is a specific function defined for a specific key length. For such functions we have to slightly modify our notion of computational hardness of the scheme to be more concrete. Hardness is treated in a very specific way for each such block cipher using statements such as for every algorithm A that takes t steps, A cannot break the scheme with probability greater than g(t) for some function g. One such block cipher (that we will see in more detail in subsequent lectures) is the Advanced Encryption Standard or AES. The AES function is defined such that f(k) = AES k (0 128 ). 1 In general, the Rabin function is not a OWP, however if you work over QR n and restrict p 3 mod 4, then Rabin will yield a one-way permutation. 2

3 The function f given above accepts a 128 bit message and gives back another 128 bit message based on the definition of AES. We will see more on how to analyze schemes using block ciphers when we see pseudo-random permutations. 4 Comparing One-Way-Functions We d like to have a methodology of comparing cryptographic protocols based on different one-way-functions, so that we might understand the benefits of using a given one-wayfunction in a given scenario. 1. Efficiency. (What is the efficiency of E? D? any potential adversary?) 2. Security. (What is the success probability of breaking the system?) 3. How much is assumed? (The weaker the assumption the better.) Note that there is a relationship between efficiency and success probability of an adversary. Based on known adversary algorithms, a sufficiently large security parameter must be chosen so that the scheme cannot be broken. For example, suppose that there is a particular time bound you feel that an adversary cannot achieve, say time T = Assume also that you know an attack to a given assumption that can be broken in time 2 k1/3. If the cryptographic scheme chooses k = 100, then an adversary can break the scheme in time /3 which is less than the un-achievable time T. Thus in this scenario, we must choose k > to guarantee security given our assumptions about T. 4.1 Comparing Rabin and RSA Security: Rabin is superior to RSA in terms of the security assumptions. The Rabin function is a OWF based on the factoring assumption and that the RSA function is a OWF is based on the RSA assumption. We have show previously that the factoring assumption is strictly weaker than the RSA assumption. That is, it is plausible that RSA is false, but Rabin is still secure. However if Rabin is not secure then RSA is not secure because factoring is possible. Efficiency: The Rabin function computes x 2 mod n, whereas RSA computes x e mod n for a random e. Using repeated squaring to exponentiate, each of these functions can be computed efficiently. However, clearly it is more efficient to take x to the power 2, than to the arbitrary random power e. 3

4 Even though the Rabin function is superior to RSA on both efficiency and the security assumptions involved, we will see in subsequent lectures that the Rabin function is vulnerable to specific types of attacks. 4.2 Comparing AES and Exponentiation Efficiency: In general it is more efficient to apply AES than it is to exponentiate. The AES function was chosen specifically for its efficiency, and as such it is much more efficient than exponentiation. Security: With regards to the security assumptions made, in a very rough sense, exponentiation is superior to AES since the discrete log assumption is highly studied and still has yet to be broken. AES on the other hand is not as universally analyzed, and is a much younger scheme. 5 Universal One Way Function Claim 1 If any OWF exists, then this is a OWF. Thus in some sense, it is the best OWF. Note: This can only be shown to be a weak OWF, but as we ve seen, a strong OWF can be constructed from it. { (< M >, M(x)) if M halts on x in less than x f univ (< M >, x) = 2 steps x otherwise Where < M > is a description of a Turing Machine. Essentially, M is any algorithm. 5.1 Efficiency Algorithm: Parse input into turing machine and x Run M on x for at most x 2 steps if halts, output < M > and output if not, output x 4

5 Thus, it can run in polynomial time with respect to < M >, x. 5.2 Hardness It is harder to prove that it s hard to invert, but in outline: Start with the assumption that there exists a OWF. When chosen at random, there is a significant (non-negligible) number of inputs that will halt in x 2 steps. Since M can be any algorithm, M could be a OWF, and if so, it is hard to get the original input for many x, by definition. However, the Universal OWF is very inefficient and impractical. 6 Leakage The main problem with using OWFs for encryption is that they can leak a lot of information. All the definition of OWF states is that the entire input cannot be leaked. For example: Subset-sum or f univ leak a whole portion of the input. Exponentiation also leaks some information. Specifically whether x is even or odd since that corresponds exactly with whether g x QR r which is easy to check for prime p. Even RSA can possibly leak some bits of x. So next time, we ll show how to find, for any OWF, a Hard-core bit, which we can be assured of not being leaked. This will then lead to creation of pseudo-random generators. 5