Randomness Extraction in finite fields F p

Transcription

1 Randomness Extraction in finite fields F n Abdoul Aziz Ciss École doctorale de Mathématiques et d Informatique, Université Cheikh Anta Dio de Dakar, Sénégal BP: 5005, Dakar Fann abdoul.ciss@ucad.edu.sn, Abstract. Many technics for randomness extraction over finite fields was roosed by various authors such as Fouque et al. and Carneti et al.. At eurocryt 09, these revious works was imroved by Chevalier et al., over a finite field F, where is a rime. But their aers don t study the case where the field is not rime such as binary fields. In this aer, we resent a deterministic extractor for a multilicative subgrou of F n, where is a rime. In articular, we show that the k-first F -coefficients of a random element in a subgrou of F n are indistinguishable from a random bit-string of the same length. Hence, under the Decisional Diffie- Hellman assumtion over binary fields, one can deterministically derive a uniformly random bit-string from a Diffie-Hellman key exchange in the standard model. Over F, Chevalier et al. use the Polya-Vinogradov inequality to bound incomlete character sums but over F n we use Winterhof inequality to bound incomlete character sums. Our roosition is a good deterministic extractor even if the length of its outut is less than those one can have with the leftover hash lemma and universal hash functions. Our extractor can be used in any crytograhic rotocol or encrytion schemes. Keywords: Finite fields, Polya-Vinogradov inequality, Winterhof inequality, exonential sums, incomlete character sums, Deterministic extractor, Decisional Diffie-Hellman, random bit-string, key exchange, leftover hash lemma. 1 Introduction In many crytograhic rotocols and crytograhic schemes, it is necessary to be able to derive a random bit-string from a random element in a grou. This is the case for Diffie-Hellman key exchange [8] which is the most famous rotocol that allows arties to agree on a common random element in a cyclic subgrou H of a grou G, generated by an element g of rime order q. The security of the Diffie-Hellman exchange relies on the Diffie-Hellman assumtion (DDH) [], which states that there is no efficient algorithm that can distinguish the two distributions (g a, g b, g ab ) and (g a, g b, g c ) in G 3, where 1 a, b, c q are chosen at random. Under the DDH assumtion, one can agree on a random rivate element. Hence, one has to derive a random-looking bit-string from this random element. Different aroaches were roosed to solve this roblem.

2 Abdoul Aziz ciss One classical way to transform a random grou-element to a random-looking bit-string is to aly a hash function to the Diffie-Hellman grou-element but the indistinguishability is roved under the random oracle model [1]. An alternative method to hash functions, secure under the standard model, is to use a randomness extractor. In 1998, Boneh et al. roose in [4], to extract the least or the most significant bits of the Diffie-Hellman element. In 1999, Håstad et al., [1], via the Leftover Hash Lemma, roose a robabilistic randomness extractor that can extract entroy from any random source which has sufficient min-entroy. This technic, with its variants [10, 1], requires the use of hash or seudorandom functions and an extra erfect randomness, which is a lack for ractical use. In 000, Carneti et al. [5] show that, in a statistical sense, the k most significant bits of g xy is indistinguishable from a random bit-string of length k, given the k most significant bits of g x and g y. But, in 001, Boneh et al. observe that this technic cannot be used in ractice because in most rotocols, the adversary learns all of g x and g y. In 008, Fouque et al. show in [9], under the DDH assumtion that k least significant bits or the most significant bits of a random element in a subgrou of Z are indistinguishable from a random bit-string of the same length. To rove this, the authors bound the statistical distance by evaluating the L 1 norm, using exonential sums. In 009, at Eurocryt, Chevalier et al. [6] study a quite simle deterministic extractor from random Diffie-Hellman elements defined over a rime order multilicative subgrou G of Z and over the grou of oints of an ellitic curve. They uer-bound the L norm and use some classical results on exonential sums to rove their results. They imrove at the same time the results in [9]. But their works include only rime fields. In this aer, we extend the above result of Chevalier et al. to non rime finite fields: F n, with a rime and a ositive integer n greater than 1. The extension of the work of Chevalier et al. on ellitic curves over non rime finite fields was already done in [7]. Here, we resent a quite simle deterministic extractor, denoted Ext k for a multilicative subgrou G of a finite field F n. In articular for binary finite fields F n, we show under the DDH assumtion that the k-first F -coefficients (the k least significant bits) of a random grou-element in a subgrou of F n, are indistinguishable from a random bit-string of the same length. This aroach is somewhat similar to those of [7] for deterministic randomness extractor in ellitic curves. Over F, Chevalier et al. use the Polya- Vinogradov inequality to bound incomlete character sums [14] but over F n we use Winterhof inequality to bound incomlete character sums [0]. The aer is organized as follows : In section 1, we recall some definitions and results about randomness extraction and character sums. In section, we resent and give an analysis of our extractor. We finish by giving a natural alication of our extractor to the Diffie-Hellman key exchange in F n.

3 Randomness Extraction in finite fields F n 3 Preliminaries In this section, we introduce some definitions and results about entroy and randomness extraction..1 Deterministic extractor Definition 1 (Collision robability). Let S be a finite set and X be an S- valued random variable. The collision robability of X, denoted by Col(X), is the robability Col(X) = s S Pr[X = s]. If X and X are identically distributed random variables on S, the collision robability of X is interreted as Col(X) = Pr[X = X ]. Definition (Statistical distance). Let S be a finite set. If X and Y are S-valued random variables, then the statistical distance (X, Y ) between X and Y is defined as (X, Y ) = 1 Pr[X = s] Pr[Y = s]. s S Definition 3. Let U S be a random variable uniformly distributed on S and δ 1 a ositive real number. Then a random variable X on S is said to be δ-uniform if (X, U S ) δ Lemma 1. Let S be a finite set and let (α x ) be a sequence of real numbers. Then, ( α x ) α S x. (1) Proof. This inequality is a direct consequence of Cauchy-Schwartz inequality: α x = 1. α x αx S αx. The result can be deduced easily. 1 Corollary 1. If X is an S-valued random variable then 1 Col(X), () S Lemma. Let X be a random variable over a finite set S of size S and ϵ = (X, U S ) be the statistical distance between X and U S, where U S is a uniformly distributed random variable over S. Then, Col(X) 1 + 4ϵ. S

4 4 Abdoul Aziz ciss Proof. If ϵ = 0, then the result is an easy consequence of Equation. Let suose that ϵ 0 and define q x = Pr[X = x] 1/ S /ϵ. Then x q x = 1 and by Equation 1, we have 1 S qx = 1 (Col(X) 1/ S ). 4ϵ The lemma can be deduced easily. ( ) (Pr[X = x] 1/ S ) 4ϵ = 1 4ϵ Pr[X = x] 1/ S Definition 4. Let S and T be two finite sets. Let Ext be a function Ext : S T. We say that Ext is a deterministic (T, δ)-extractor for S if Ext(U S ) is δ- uniform on T. That is (Ext(U S ), U T ) δ. For more information on extractors, see [16, 18].. Character sums In the following, we recall some fundamental results on character sums. We denote by e the character on F such that, for all y F, e (y) = e iπy C, and by ψ the additive character in F n such that for all x F n, ψ(x) = e (Tr(x)) where Tr(x) = x + x x n 1 is the trace of x F n to F. Lemma 3. Let ψ be an additive character of F n and let G be a multilicative subgrou of F n. Consider the following Gauss sum T (a, G) = x G ψ(ax). Then, max T (a, G) n. a F n Proof. See [14] or [17]. Lemma 4. Let V be an additive subgrou of F n et let ψ be an additive character of F n. Then, ψ(yz) n. Proof. See [0] for the roof. y F n z V For more details on character sums see [14, 15].

5 Randomness Extraction in finite fields F n 5.3 Leftover Hash Lemma In this subsection, we recall the Leftover Hash Lemma [13, 1]. It is the most famous randomness extractor but it requires the use of universal hash functions. Definition 5 (Guessing robability). Let X be a random variable taking values on a set V of size N, the guessing robability γ(x) of X is defined to be γ(x) = max{p [X = v] : v V}. Definition 6 (Universal hash function families). Let H = {h i } i be a family of efficiently comutable hash functions h i : {0, 1} n {0, 1} k, for i {0, 1} d. We say that H is a universal hash function family if for every x y in {0, 1} n, Pr i {0,1} d[h i (x) = h i (y)] 1/ k. Theorem 1 (Leftover Hash Lemma). Let H be a universal hash function family from {0, 1} n to {0, 1} k, keyed by i {0, 1} d. Let i denote a random variable with uniform distribution over {0, 1} d, let U k be a random variable uniformly distributed in {0, 1} k, and let A be a random variable taking values in {0, 1} n, with i and A mutually indeendent. Let γ = γ(a), then Proof. See [19] k γ ( i, h i (A), i, U k ). The Leftover Hash Lemma extracts nearly all of the entroy available whatever the randomness sources are, but it needs to invest few additional truly random bits. To circumvent this roblem, we roose a deterministic extractor which is not otimal. 3 Randomness extraction in F n In this section, we roose and rove the security of a simle deterministic randomness extractor for a subgrou G of F n. The main theorem of this section states that the k-first coefficients of a random element in G are close to a truly random grou-element in F k. Our aroach is somewhat similar to those in [7] related to randomness extraction in ellitic curves defined over F n. In fact, we use the Gaussian exonential sums to bound the statistical distance. Consider the finite field F n, where is rime and n is a ositive integer. Then F n is a n-dimensional vector sace over F. Let {α 1, α,..., α n } be a basis of F n over F. That means, every element x in F n can be reresented in the form x = x 1 α 1 + x α x n α n, where x i F n. Let G be a subgrou of F n. The extractor Ext k, for a given random element x of G, oututs the k-first F -coefficients of x.

6 6 Abdoul Aziz ciss Definition 7. Let G F be a multilicative subgrou of order q and let k be n a ositive integer less than n. The extractor Ext k is defined as a function Ext k : G F k x (x 1, x,..., x k ), where x is reresented as x = x 1 α 1 + x α x n α n. The following theorem shows that Ext k is a good randomness extractor. Theorem. Let G F n be a multilicative subgrou of order q. Then (n+k) (Ext k (U G ), U F k q ), q where 1 < k < n is a ositive integer, U G is a random variable uniformly distributed in G and U F k is the uniform distribution in F k. Proof. Let us define the sets M = {(x k+1 α k+1 + x k+ α k x n α n ), x i F } F n, and A = {(x, y) G / m M, x y = m}. Let us construct the characteristic function 1 (x,y,m) = 1 n a F q ψ(a(x y m)), which is equal to 1 if x y = m and 0 otherwise. Then the size of the set A is given by A = 1 n x G y G m M a F n ψ(a(x y m)).

7 Randomness Extraction in finite fields F n 7 Therefore, Col(Ext k (U G )) = A G = A q 1 = q n ψ(a(x y m)) x G y G m M a F n = 1 k + 1 q n ψ(a(x y m)) x G y G m M a F n = 1 k + 1 q n ( ) ψ(ax) ψ( ay) ψ( am) m M a F n = 1 k + 1 q n x G 1 k + 1 q n R where R = max a F T (a, G).. n Since y G T (a, G).T ( a, G) ψ( am) a F n m M ψ( am), a F n m M R n, by Lemma 3, and a F n m M ψ( am) n, by Lemma 4, we have the following inequalities: Therefore, Hence, Col(Ext k (U G )) 1 k + n q (Ext k (U G ), U F k ) k 1 k + n q. (n+k) (Ext k (U G ), U F k ). q For non binary field, we have the following corollary. Corollary. Let > be a rime and let G F be a multilicative subgrou n of order q with q = r and = m. If e > 1 is a ositive integer and k > 1 is a ositive integer such that r e mn k, m then Ext k is a (U G, 1 e ) deterministic randomness extractor.

8 8 Abdoul Aziz ciss Proof. Since k r e mn m, we have m(n + k) r e m(n+k) r e m(n+k) r 1 e Hence (ext k (U G ), U F k ) e. For binary fields, we obtain the following lemma. (n+k) q e. Lemma 5. Let G F be a multilicative subgrou of order q with q = r. If n e > 1 is a ositive integer and and k > 1 is a ositive integer such that k r e n, then Ext k is a (U G, 1 e ) deterministic randomness extractor. Proof. We have k t e n (n+k) r e. Since = and r 1 q < r, we deduce that (n+k) r n+k r 1 1 e n+k q 1 e. e. Therefore, Remark 1. We have the same results as above if the extractor Ext k oututs the k-last F -coefficients of a given random element in a multilicative subgrou G of F n. 4 Alications Our extractor can extract entroy from any random element in a grou G. Hence, an obvious alication of the extractor Ext k is key derivation from a random Diffie-Hellman element in a DDH grou G F n. After a Diffie-Hellman key exchange, arties agree on a common random element in G which is indistinguishable from a uniformly distributed element in G, under the DDH assumtion. However, it does not suffice since they want a uniformly distributed bit-string for symmetric schemes. Thus, one have to extract the entroy from this random Diffie-Hellman element by means of a randomness extractor. For examle, suose that we want a 56-bits symmetric key from a random Diffie-Hellman key exchange is a subgrou G of F n with a security bound of e = 80 as in the Leftover Hash Lemma. Then, one has to take the rime n = 811 and consider a subgrou G of rime order q with q = r = 615. We obtain exactly a erfectly random 56-bit string with the security bound 80. Note that the subgrou G has only q elements with 615 q < 616. As in [10] for rime field, the large q is the main drawback here for non rime field because q is greater than n. In the following table we give the size of q = G,( with = and e = 80) knowing the size n(= rime) of the field F n and k (the length of the outut of the extractor).

9 Conclusion Randomness Extraction in finite fields F n 9 k (key)\\n (rime) q = 404 q = 549 q = 654 q = q = 43 q = 581 q = 686 q = 75 4 q = 448 q = 597 q = 70 q = q = 468 q = 615 q = 718 q = 783 This aer extends the study of the existence of randomness extractors for a subgrou G of a finite rime field Z to a field of the form F n where is a rime and n > 1 an integer. The extractor denoted by Ext k, for a given random element in a subgrou G of F n, oututs k-first (res. k-last) F -coefficients of this element. Our extractor works for any finite field F n where the DDH assumtion holds. Hence, we show that if q is large we can derive random bitstring. In general, they can be used in any crytograhic rotocol which requires to extract a random bit-string from a random grou-element. As in Fouque et al. [10] for rime field, the large q is the main drawback here for non rime field because q is grater than n. Hence, as further work it will be interesting to imrove the bound roosed in this aer. References 1. M. Bellare and P. Rogaway. Random oracles are ractical : A Paradigm for designing efficient rotocols. In V. Ashby, editor, ACM CCS 93, ages ACM Press, Nov D. Boneh. The decision Diffie-Hellman roblem. In Third Algorithmic Number Theory Symosium (ANTS), vol.143 of LNCS. Sringer, D. Boneh and I. Sharlinski. On the unredictability of bits of the ellitic curve Diffie-Hellman scheme. In J. Kilian, editor, CRYPTO 001, vol. 139 of LNCS, ages Sringer, Aug D. Boneh and R. Venkatesan. Hardness of comuting the most significant bits of secret keys in Diffie-Hellman and related schemes. In N. Koblitz, editor, CRYPTO 96, vol of LNCS, ages Sringer, Aug R. Carneti, J. Friedlander, S. Koyagin, M. Larsen, D. Lieman and I. Sharlinski. On the Statistical Proerties of Diffie-Hellman Distributions. Israel Journal of Mathematics, vol. 10, ages 3-46, C. Chevalier, P. Fouque, D. Pointcheval and S. Zimmer, Otimal Randomness Extraction from a Diffie-Hellman Element, Advances in Crytology - Eurocryt 09, vol of LNCS, ages , Sringer-Verlag, A. A. Ciss and D. Sow. On Randomness Extraction in Ellitic Curves. In A. Nitaj and D. Pointcheval, editors. Africacryt 011, vol of LNCS, ages Sringer-Verlag, W. Diffie, M. Hellman, New Directions in Crytograhy, IEEE Transactions On Information Theory, vol., no.6, , P.A. Fouque, D. Pointcheval, J. Stern, and S. Zimmer. Hardness of distinguishing the MSB or the LSB of secret keys in Diffie-Hellman schemes. In M. Bugliesi, B. Preneel, V. Sassone, and I. Wegener, editors, ICALP 006, Part II, vol. 405 of LNCS, ages ACM, 008.

10 10 Abdoul Aziz ciss 10. P. A. Fouque, D. Pointcheval, S. Zimmer. HMAC is a good randomness extractor and alications to TLS. In M. Abe and V. D. Gligor, editors, ASIACCS, ages 1-3. ACM, Y. Dodis, R. Gennaro, J. Håstad, H. Krawczyk, and T. Rabin, Randomness extraction and key derivation using the CBC, cascade and HMAC modes. In Matthew K. Franklin, editor, Advances in Crytology - CRYPTO 004, volume 3150 of LNCS, ages Sringer R. Genaro, H. Krawczyk, and T. Rabin. Secure Hashed Diffie-Hellman on non- DDH grous. In C. Cachin and J. Camenisch, editors, Eurocryt 004, volume 307 of LNCS, ages Sringer, May J. Håstad, R. Imagliazzo, L. Levin, and M. Luby, A seudorandom generator from any one-way function, SIAM Journal on Comuting, Vol. 8, no.4, , S. V. Koyagin and I. Sharlinski. Character Sums With Exonential Functions and Their Alications. Cambridge University Press, Cambridge, R. Lidl and H. Niederreiter. Finite Fields. Cambridge University Press, R. Shaltiel, Recent Develoments in Exlicit Constructions of Extractors, Bulletin of the EATCS 77 (00), 67 95; I. Sharlinski. Bounds of Gauss Sums in Finite Fields. Proceedings of the American Mathmatical Society, vol 13, ages AMS L. Trevisan and S. Vadhan, Extracting Randomness from Samlable Distributions, IEEE Symosium on Foundations of Comuter Science, 3 4, V. Shou A Comutational Introduction to Number Theory and Algebra Cambridge University Press, Cambridge A. Winterhof. Incomlete Additive Character Sums and Alications. In D. Jungnickel and H. Niederreiter, editors. Finite Fields and Alications, ages Sringer-Velag 001.