a new crytoytem baed on the dea of Shmuley and roved t rovably ecure baed on ntractablty of factorng [Mc88] After that n 999 El Bham, Dan Boneh and Om

Transcription

1 Weak Comote Dffe-Hellman not Weaker than Factorng Koohar Azman, Javad Mohajer Mahmoud Salmazadeh Electronc Reearch Centre, Sharf Unverty of Technology Deartment of Comuter Engneerng, Sharf Unverty of Technology Abtract In985, Shmuley rooed a theorem about ntractablty of Comote Dffe-Hellman [Sh85] The Theorem of Shmuley may be arahraed a ayng that f there ext a robabltc olytme oracle machne whch olve the Dffe-Hellman modulo an RSA-number wth odd-order bae then there ext a robabltc algorthm whch factor the modulo In the other hand factorzaton of the module obtaned only f we can olve the Dffe-Hellman wth odd-order bae In th aer we how that even f there ext a robabltc oly-tme oracle machne whch olve the roblem only for even-order bae and abtan anwerng the roblem for odd-order bae tll a robabltc algorthm can be contructed whch factor the modulo n oly-tme for more than 98% of RSAnumber Keyword Crytograhy, Comutatonal Comlexty, Publc-Key Crytograhy, Dffe-Hellman, Factorng Introducton The frt ublc key crytoytem wa rooed by Dffe and Hellman n 976 [DH76] After that, lenty of ublc-key crytoytem have been rooed The motly ued ublc-key encryton cheme throughout the world RSA that nvented by Ronald Rvet, Ad Shamr and Leonard Adleman n 977 After that, many crytograher tred to combne thee two crytoytem to obtan more ecurty The man dea of Comote Dffe-Hellman wa frt rooed by Shmuley and McCurley [Sh85, Mc88] Shmuley roved that breakng Comote Dffe-Hellman wth odd-order bae at leat a hard a factorng In 988, KS McCurley rooed

2 a new crytoytem baed on the dea of Shmuley and roved t rovably ecure baed on ntractablty of factorng [Mc88] After that n 999 El Bham, Dan Boneh and Omer Rengold roved that breakng Generalze Dffe-Hellman alo at leat a hard a factorng [BBM99] A wll be dcued n more detal n Secton 3, both Shmuley and alo Bham, Boneh and Rengold only roved that breakng Comote Dffe-Hellman wth odd-order bae mled by factorng not breakng Comote Dffe-Hellman n general cae In th aer, we how that f we have a robabltc oly-tme oracle machne, whch olve the Comote Dffe-Hellman even only for even-order bae, e t abtan anwerng Comote Dffe-Hellman wth odd-order bae we tll can factor large nteger n oly-tme Paer lan: In Secton we lt defnton rereentng the varou tye of roblem we deal wth n th aer In Secton 3 we conder the theorem of Shmuley and that of Bham, Boneh and Rengold After that, we rove our two man theorem n Secton 4 and at the end, ome dea for future work wll be rooed Prelmnary Defnton We tate ome defnton and notaton that we ue n another ecton We ue the notaton of [BBM99] n th ecton Defnton (FIG The Factorng-ntance-generator, FIG a robabltc n olynomal tme algorthm uch that on nut t outut, q dtrbuted over n bt nteger, where and q are two n-bt rme (Such known a a RSAnumber Defnton (DH Let be any oble outut of FIG (, let g be any odd-order x y element n Z Defne the functon DH, g ( g, g wth doman D g g uch that, DH x y ( g, g xy g (mod, g Defnton 4 (ε-olvng the DH-Problem Let A be a robabltc Turng-machne and εε(n a real-valued functon A ε-olve the DH-Problem f for nfntely ' DH, Pr A g (, g DH ( D ε ( n ( Defnton 4 (ε-olvng the Weak DH-Problem Let A be a robabltc Turngmachne and εε(n a real-valued functon A ε-olve the DH-Problem f t ε-olve the DH-Problem for even-order bae and t abtan olvng DH-roblem for oddorder bae Defnton 5 (ε-olvng the Factorng-Problem Let A be a robabltc Turngmachne and εε( a real-valued functon A ε-olve the Factorng-Problem f for nfntely ' Pr( A(, c ε ( n 3 Prevou Work In 985, Shmuley roved that the DH-aumton mled by Factorngaumton In 988, KSMcCurley rooed a new key dtrbuton ytem baed on

3 the dea of Shmuley and roved that breakng that cheme at leat a hard a factorng [Mc88] In 999 El Bham, Dan Bone and Omer Rengold rooed a theorem lke that of Shmuley for Generalze Dffe-Hellman n the cae that a Blum-nteger [BBM99] The Shmuley' theorem retrcted n the cae where bae g an odd-order element n Z The theorem of Bham, Boneh and Rengold alo retrcted n the cae that a Blum-nteger and g a quadratc-redue It clear that g wll be odd-order element n that cae That theorem of Bham, Boneh and Rengold for two arte a ecal cae of that of Shmuley Conequently, o far, there not any theorem concernng ntractablty of breakng Comote Dffe-Hellman n the cae whch g an even-order element In the other hand, there no fact about ntractablty of Weak DH-Problem 4 Reducton In th ecton, we tate the two man theorem In the remander of th aer, we ue the followng notaton: ' x denote x not dvble by x denote x dvble by but not by gcd( x, y denote the greatet common dvor of x and y lcm [ x, y ] denote the leat common multle of x and y ord ( x denote the mallet otve nteger d uch that x d (mod Cyclc-Order( denote the order of maxmum-ze cyclc ubgrou of Z ote that accordng to [MOV96, Secton 4] for any RSA-number q, Cyclc Order( lcm[, q ] log(x denote the logarthm functon wth bae Lemma 4 If a comote number, a rme uch that Cyclc Order( and x y (mod for ome nteger y then ord (x not dvble by Lemma 4 Let be an RSA number, be any rme factor of Cyclc Order( and x and y be two nteger choen randomly from Z, uch that x y (mod then gcd( x y, yeld a non-trval factor of wth robablty -/ The generalzed form of th lemma wa rooed n [AM94] Theorem 4 If there ext a robabltc olynomal-tme oracle machne whch ε -olve the Weak DH-Problem module and there ext a rme le than log(, uch that cyclc order( then there ext a oly-tme algorthm whch ε - factor the module Proof Aume that A a robabltc oly-tme oracle machne, whch ε -olve the Dffe-Hellman module only for even-order bae Let < log( be an odd-rme uch that Cyclc Order( accordng to the aumton of the theorem uch a rme ext (ote that not a rme factor of Knowng one can do the followng for factorng the module :

4 Samle v unformly at random n Z and comute g v Select two random nteger a and b 3 a+ / b+ / Invoke A and et x DH ( g, g, g Let d ord ( g ote that by lemma 4 d not dvble by o ( / mod d ext and unque Therefore g wll ext and wll be unque In addton we know that ( v g and v g / o g v 4 x / Set u (mod We have u g ab + a+ b v 5 Comute X gcd( u v, It eay to ee that u v (mod o by lemma 4 gcd( u v, wll yeld a non-trval factor of wth robablty / In the other hand we can ay that nce u g but the robablty that v g / o the robablty of ucce equal to / ote that n general cae we do not know uch o we mut omehow fnd t For achevng that goal, we do the followng: Samle v unformly at random n Z Let P {,,, k} be the et of odd-rme le than log( w 3 Comute w t and g v (mod t k 4 For each k do the followng: 4 Comute w t t k & t 4 Let δ v w (mod and / σ δ (mod ote that δ g (mod ote that f d ord ( g dvble by then g / wll ext and a / dcued later g σ If d not dvble by the remander of ubrocedure ( not mortant for u 43 Select two random nteger a and b 44 Invoke A and let x DH, ( a σ, b g g g σ It clear that a+ / b+ / x DH, (, g g g x 45 Set u ab+ ( a + b δ 46 Comute X gcd( u δ, 47 If X & X return X A dcued n the frt art of roof f < log( an odd-rme uch that Cyclc Order( the algorthm yeld a non-trval factor of n the 'th teraton of te 4 wth robablty at leat ( / ε And n the theorem we uoe that uch ext o the algorthm ε ' -olve the factorng and ε ' > ε / Snce the number of teraton le than log( and each oeraton can be done n olytme o the algorthm can be accomlhed n oly-tme

5 Lemma 43 Let and > be two rme We have Pr ( / Proof ote that nce rme and > o Z Pr( Pr Pr ( ( ( Lemma 44 Let be a rme and q be an RSA number ( > We have ( Pr( Cyclc Order( + ( Proof From [MOV96, Sec 4] we know that Cyclc Order( lcm[, q ] In the followng roof x ' y denote y not dvble by x Pr Pr ( Cyclc Order( ( Cyclc Order( & ' Cyclc Order( (( & ( + Pr( & ' q + Pr( ' & q Pr q + After th we how Pr( Cyclc Order( + by ψ (,, and defne the functon ξ ( c, to be the robablty of Cyclc Order( for ome rme <c where > c Followng table how ome date collected by comutng functon ψ for ome value (uoe that large uffcent ψ (, Lemma 45 Let be the 'th and + be the +'th odd-rme and be a uffcent large RSA-number(> + We have ξ, ξ (, + ξ (, ψ ( ( ( Followng table how ome date collected by comutng the recurve functon ξ for ome value c (uoe that large uffcent: c ξ ( c, Theorem 4 If there ext a robabltc olynomal-tme oracle machne whch ε -olve the Weak DH-Problem modulo a n-bt (n>000 RSA-number, then

6 there ext a oly-tme algorthm whch ε -factor the module for at leat 98% of uch Snce n > 000 o log( > 000, Therefore ξ ( c, > ξ (000, It eay to ee that a n become larger, th robablty wll become more than 98% 5 Concluon and Future Work In th aer, we howed that not only Comote Dffe-Hellman wth odd-order bae yeld factorng but alo olvng that roblem for even-order bae wll yeld factorng A a future work, the followng conjecture can be hown: Conjecture 5 If there ext a robabltc olynomal-tme oracle machne whch ε -olve the Weak DH-Problem module and there ext a rme le than log(, uch that ϕ( not necearly ϕ ( then tll there ext a oly-tme algorthm whch ε -factor the module A oble lne for further reearch the tudy of the theorem n the cae where ord ( g Cyclc Order( It clear that both the new theorem and that of Shmuley doe not ay anythng about th That f g a maxmum-order element we cannot ay anythng about ntractablty of Comote Dffe-Hellman wth bae g Reference: [AM94] Leonard M Adleman, Kevn S McCurley: Oen roblem n number theoretc comlexty, II Proc of ATS-I, LCS 877, Srnger-Verlag, 9-3 (995 [DH76] W Dffe and M Hellman: ew drecton n crytograhy, IEEE Tran Inf Theory, IT-, 976, [Mc88] Kevn S McCurley: A key dtrbuton ytem equvalent to factorng, Journal of Crytology, vol, 85-05, 988 [MOV96] Alfred J Meneze, Paul C Van Oorchot, and Scott A Vantone: Handbook of Aled Crytograhy CRC Pre, 996 [R79] M O Rabn, Dgtalzed gnature and ublc-key functon a ntractable a factorzaton: Techncal Reort, TR-, MIT Laboratory for Comuter Scence, 979 [SH85] Z Shmuely: Comote Dffe-Hellman ublc-key generatng ytem are hard to break, Techncal Reort o 356, Comuter Scence Deartment, Technon, Irael, 985