Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Transcription

1 Introduction to Modern Cryptography Recitation 3 Orit Moskovich Tel Aviv University November 16, 2016

2 The group: Z N Let N 2 be an integer The set Z N = a 1,, N 1 gcd a, N = 1 with respect to multiplication modulo N is an abelian group Identity: 1 Inverse of a exists Closure? Z p = {1,, p 1}

3 Cyclic Groups and Generators Definition. Let G be a finite group of order G = m. If there exist an element g G of order m, then G is called a cyclic group and g is a generator of G = {g 0, g 1,, g m 1 }. If g is a generator of G, then for every element h G there exist x {0,, m 1} such that h = g x

4 The Discrete Logarithm If g is a generator of G, then for every element h G there exist x {0,, m 1} such that h = g x x is the discrete logarithm of h with respect to g Definition. The discrete logarithm problem: Let G be a cyclic group of order G = m and a generator g G. Given: h = g x for x Z m = {0,, m 1} Output: x such that g x = h Definition. The discrete logarithm assumption: There exists a cyclic group G for which the DL problem is hard

5 Diffie-Hellman Assumptions Definition. The computational Diffie-Hellman (CDH) problem: Let G be a cyclic group of order G = m and a generator g G. Given: g x, g y for x, y Z m = {0,, m 1} Output: g xy (Informal) Definition. The decisional Diffie-Hellman (DDH) problem: Let G be a cyclic group of order G = m and a generator g G. Goal: To distinguish between 2 distributions: - D 0 = {g x, g y, g xy (x, y) Z m Z m } - D 1 = {g x, g y, g z (x, y, z) Z m Z m Z m }

6 Diffie-Hellman Assumptions The DL problem is believed to be hard in cyclic groups of prime order The DL problem is believed to be hard in Z p, for p prime The CDH problem is believed to be hard in Z p The DDH problem is not hard in Z p For q = 2p + 1, the DDH problem is believed to be hard in a subgroup of Z q of order p (quadratic residues)

7 Indistinguishability Definition. Let D 0, D 1 be two probability distributions over 0,1 n. Then, D 0, D 1 are ε-indistinguishable for an adversary A Pr A d 0 = 1 Pr A d 1 = 1 ε d 0 D 0 d 1 D 1 1) If D 0, D 1 are ε-indistinguishable for any unbounded adversary A, we say that D 0, D 1 are statistically indistinguishable, denoted by D 0 s,ε D 1 2) If D 0, D 1 are ε-indistinguishable for any polynomial adversary A, we say that D 0, D 1 are computationally indistinguishable, denoted by D 0 c,ε D 1

8 Indistinguishability Symmetric: D 0 ε D 1 D 1 ε D 0 Transitive: D 0 ε D 1 and D 1 ε D 2 D 0 2ε D 2

9 Pseudo-Randomness Motivation: OTP r PRG Want to extract from a short, random seed a longer pseudorandom key A pseudorandom string looks like a uniformly distributed string Definition. A function G: 0,1 n 0,1 n+s (s > 0) is a ε-pseudorandom generator (ε-prg) G U n c,ε U n+s Meaning, we can t distinguish between the output of the PRG and true randomness R

10 Pseudo-Randomness Definition. A function G: 0,1 n 0,1 n+s (s > 0) is a ε-pseudorandom generator (ε-prg) G U n c,ε U n+s Claim. There exists an unbounded adversary A such that: Pr A G u 0 = 1 Pr A u 1 = n = 1 u 0 U n u 1 U n+s 2s 2 n+s 0,1 n G 0,1 n 2 n+s

11 Pseudo-Randomness 0,1 n G 0,1 n 2 n+s Claim. There exists an unbounded adversary A such that: Pr A G u 0 = 1 Pr A u 1 = u 0 U n u 1 U n+s 2 s = 1 = 2n 2 n+s 1. The adversary A is given u 2. A computes the set S = G s s 0,1 n 3. A outputs 1 u S

12 Back to Diffie-Hellman (Informal) Definition. The decisional Diffie-Hellman (DDH) problem: Let G be a cyclic group of order G = m and a generator g G. Goal: To distinguish between 2 distributions: - D 0 = {g x, g y, g xy (x, y) Z m Z m } - D 1 = {g x, g y, g z (x, y, z) Z m Z m Z m } Definition. Let G be a cyclic group of order G = m and a generator g G. Define - D 0 = {g x, g y, g xy (x, y) Z m Z m } - D 1 = {g x, g y, g z (x, y, z) Z m Z m Z m } Then, we say that The DDH problem is hard in G D 0 c,ε D 1

13 DDH PRG Let G be a cyclic group of order G = m and a generator g G in which DDH is hard Define the PRG: Z m Z m G G G PRG x, y = g x, g y, g xy

14 PRG Expansion Assume we have a PRG G 1 : 0,1 n 0,1 n+1 We want to construct a PRG G 2 : 0,1 n 0,1 n+2 x 1 x n G 1 y 1 y n y n+1 G 1 z 1 z n z n+1 G 2 x = G 1 G 1 x 1,,n G 1 x n+1 = y 1 y n = y n+1

15 PRG Expansion G 2 x = G 1 G 1 x 1,,n G 1 x n+1 How do we prove that this is a PRG? We need to show G 2 U n c,2ε U n+2 We know G 1 U n c,ε U n+1 x 1 x n G 1 y 1 y n y n+1 G 1 z 1 z n z n+1 We will prove two claims: 1) G 1 G 1 U n 1,,n G 1 U n n+1 c,ε G 1 U n U 1 2) G 1 U n U 1 c,ε U n+2

16 PRG Expansion x 1 x n G 1 1) G 1 G 1 U n 1,,n G 1 U n n+1 c,ε G 1 U n U 1 : y 1 y n y n+1 G 1 z 1 z n z n+1 Assume that there exists an adversary A 2 such that Pr A 2 d 0 = 1 Pr A 2 d 1 = 1 ε d 0 d 1 G 1 U n U 1 Then, construct the following adversary A 1 that distinguish between G 1 (U n ) and U n+1 1. The adversary A 1 is given u (either from G 1 (U n ) or U n+1 ) 2. Denote x = u 1,,n and y = u n+1 3. A 1 runs A 2 (G 1 (x) y) and returns the same output

17 PRG Expansion 2) G 1 U n U 1 c,ε U n+2 : x 1 x n G 1 y 1 y n y n+1 G 1 Assume that there exists an adversary A 2 such that Pr A 2 d 0 = 1 Pr A 2 d 1 = 1 ε d 0 G 1 U n U 1 d 1 U n+2 Then, construct the following adversary A 1 that distinguish between G 1 (U n ) and U n+1 1. The adversary A 1 is given u (either from G 1 (U n ) or U n+1 ) 2. A 1 chooses at random u U 1 3. A 1 runs A 2 (u u ) and returns the same output z 1 z n z n+1

18 One Way Function (OWF) Definition. A function f: 0,1 n 0,1 m is a ε-one way function (ε-owf) if for any polynomial time adversary A: A f x = x < ε n Pr x 0,1 What if f is not one-to-one? What is ε?

19 DL OWF Let p be a prime and a generator g Z p (in which DL is hard) Define the OWF: f x = g x mod p

20