E E E. Aggelos Kiayias. Cryptography. Primitives and Protocols. Notes by S. Pehlivanoglu, J. Todd, and H.S. Zhou

Transcription

1 P1 P2 P3 E E E IV C1 C2 C3 Aggelos Kiayias Cyptogaphy Pimitives and Potocols Notes by S. Pehlivanoglu, J. Todd, and H.S. Zhou

2 CONTENTS 1 Contents

3 2 1 Intoduction To begin discussing the basic popeties of cyptogaphy, we conside a simple example. 1.1 Flipping a Coin ove a Telephone Suppose Alice and Bob ae talking on the phone, debating whee they should go fo the evening. They agee to toss a coin to see who decides whee they go. If Alice and Bob wee in the same physical location, they could easily flip a coin and both could veify the esult. Since they want to do this ove the phone, they need a poceedue that enables both paties to veify the outcome and ensues that the outcome is unbiased. One solution is fo Alice to toss a coin into a deep well. This foces Alice to be consistent and pevents he fom changing the esult. Hee the well constitutes a commitment. Although Bob still needs to go to the well to check the outcome, by employing the well, both paties no longe need to be physically pesent to faily toss a coin. Since the availability of open wells has deceased in ecent yeas, let us conside a diffeent technique. Assign the value of 1 to Heads and 0 to Tails. Suppose thee is a pe-ageed upon mapping f that sends each of 0 and 1 to a set of objects. In this case, f plays the ole of the well. To detemine the outcome of the coin toss, 1. Alice flips a coin and eceives a {0, 1}. She computes f(a). 2. Alice sends y = f(a) to Bob. 3. Bob flips a coin and eceives b {0, 1}. He sends b to Alice. 4. If a = b, Alice calls Heads; othewise Alice calls Tails. 5. Alice discloses the value of a and Bob veifies that y is a valid commitment to a. 6. Bob checks if a = b and confims the esult of Heads o Tails In ode fo this potocol to effectively solve the poblem, f must satisfy the following popeties: 1. The hiding popety ensues f does not eveal any infomation about a. 2. The binding popety equies that it be impossible fo Alice to alte the value committed to y = f(a) and still convince Bob of the validity of the commitment. If both paties follow the potocol faithfully, the pobability distibution of Heads and Tails is unifom fo both playes; moeove, both paties each the same conclusion. Let us now examine what happens if a playe deviates fom the faithful execution of the potocol. Possible scenaios in which the secuity of the potocol may be affected include: 1. Afte obtaining b in Step 3, Alice substitutes a fo a such that y = f(a ). 2. Bob ties to guess a afte eceiving y and selects b accodingly. 3. One o both of the playes toss thei coin in a biased manne such that the pobability of Heads o Tails is no longe 1/2. If f is chosen accodingly, y is committed to a cetain a so the binding popety pohibits Alice fom cheating in the fist scenaio. Similaly, in the second instance Bob should not be able to effectively guess a because of the hiding popety. The last scenaio equies some calculation to detemine whethe o not diffeent pobabilities of a and b affect the pobability distibution of the playes chances. We have fou possibilities.

4 1.2 Oveview of Cyptogaphy 3 1. Alice selects a = 0 with pobability α, Bob selects b = 0 with pobability β, and the output is Heads; 2. Alice selects a = 0 with pobability α, Bob selects b = 1 with pobability 1 β, and the output is Tails; 3. Alice selects a = 1 with pobability 1 α, Bob selects b = 0 with pobability β, and the output is Tails; 4. Alice selects a = 1 with pobability 1 α, Bob selects b = 1 with pobability 1 β, and the output is Heads. Then Pob[Heads] = αβ + (1 α)(1 β) = 1 α β + 2αβ. If both playes ae dishonest, the potocol will not necessaily function coectly. If one of the paties is honest, so α o β = 1/2, then Pob[Heads] = 1/2. Based on the above, we can say that the potocol is secue against malicious behavio; it guaantees a unifomly distibuted pobability to any honest paty. 1.2 Oveview of Cyptogaphy The pevious example illustates one pupose fo cyptogaphy- the need to develop effective commitment schemes. In this class, we will focus on accomplishing five things: 1. Identifying impotant poblems in need of solutions. Hee we will see that the pevious coin tossing concept is a vey impotant cyptogaphic potocol with numeous applications in constucting secue systems. 2. Designing solutions fo such poblems (potocols, algoithms, etc.) 3. Examining the independent components (o pimitives) upon which ou solutions ely. In Section 1.1 we identified an impotant pimitive in tems of the mapping f, called a bit commitment scheme. 4. Fomally defining secuity and coectness fo all involved paties. 5. Poviding poof of secuity and coectness so as to convince a use that the system satisfies the secuity and coectness specifications. In shot, we will focus on the goals, designs, pimitives, models, and poofs associated with cyptogaphy. The fomal, o povable-secuity appoach to the study of cyptogaphy povides mathematical poof that an advesay s objective is eithe impossible o violates an undelying assumption in a model. An effective solution should satisfy the secuity model as extensively as possible with the weakest possible assumptions. Those assumptions howeve, must be plausible. The povable-secuity paadigm focuses on two things: 1. Constucting a fomal secuity model and defining what it means fo a given cyptogaphic design to be secue; and 2. Demonstating that the existence of an advesay capable of efficiently beaking the design s secuity can be tansfomed into an algoithm solving a computationally had poblem. The second item intoduces an aea of inteest called computational complexity. This discipline aims to answe questions such as How many steps ae necessay to solve a poblem? o How much space is equied to find a solution to a poblem? One of the objectives of computational complexity is to calculate the time equied to find a solution to a poblem. Fo example, one of the fundamental open poblems in compute science and mathematics elates to the classes P and NP. P is the set of poblems that can be solved in polynomial-time and NP is the set of poblems fo

5 4 which a candidate solution can be veified in polynomial-time. Although significant effot has been devoted to undestanding the elationship between these two classes, it is still unknown if P NP. It is known howeve, that a poof of secuity would imply P NP. In ode to undestand this, obseve the NP -natue of cyptogaphy; namely that secet keys play the ole of the candidate solutions in a suitable NP poblem. Unfotunately, the fact that P NP is not helpful in cyptogaphic secuity poofs. Such applications ask fo aveage hadness; that is, a andom instance of a poblem should be computationally had. An impotant tool that assists in the classification of computational poblems is the concept of eduction. Suppose thee ae two poblems A and B and an algoithm α that solves A with oacle access to B, witten α B. We can appopiately define a pe-ode 1 ove all poblems so A B if and only if thee is an α whee α B solves A. This is a eduction. Intuitively, A B implies that A cannot be substantially hade than B. Say A is a well-known had poblem, such as the factoing poblem o the discete logaithm poblem, and B coesponds to beaking the secuity of ou cyptogaphic constuction. If A is acceptably had and we can poduce a eduction as is specified above, we can assume ou constuction is povably secue. Despite the fact that eductions povide little eal poof of secuity, they ae acceptable given ou geneal inability to constuct a lowe bound on the difficulty of computational poblems. 2 Mathematical Review Hee we give a quick eview of algeba, numbe theoy, and pobability. Futhe eviews will be povided as necessay in subsequent sections Algeba and Numbe Theoy Goups Definition A goup (G, ) is a set G togethe with a binay opeation satisfying the following conditions: G is closed unde : fo all g, h G, g h G; The opeation is associative: fo all g, h, l G, g (h l) = (g h) l G; G contains an identity element e such that g e = e g = g fo all g G; G is closed unde invesion: fo all g G, thee exists g 1 G such that g g 1 = g 1 g = e. Fomally, a goup is denoted by an odeed pai (G, ). We will wite G when is undestood. Definition A goup G is called Abelian if fo all g, h G, g h = h g. Theoem If G is an Abelian goup unde, then G contains exactly one identity element and evey element of G has a unique invese. Definition In a finite goup G, the ode of G is the size o numbe of elements in the goup, denoted #G o G. Definition Fo a goup G and g G, define the ode of g to be the smallest positive intege i such that g i = e, o equivalently, g g g = e. We denote the ode of g by od(g). }{{} i times 1 A pe-ode is a eflexive, tansitive elation. 2 Fo moe mathematical eview, see [?].

6 2.1 Algeba and Numbe Theoy 5 Theoem (Lagange). In a finite goup, the ode of any element divides the size of the goup. Definition If thee is some element g G such that od(g) = #G, then g geneates G and we call G a cyclic goup. We wite G = g. Example. Conside Z 5 = Z 5 {0}. This is a cyclic goup unde multiplication modulo 5. Ou goal is to find g Z 5 such that od(g) = #Z 5 = 4 and theefoe g = Z 5. Clealy 1 Z 5, so let us ty 2: mod 5, mod 5, mod 5, mod 5, and mod 5. Since 2 = {1, 2, 3, 4} and 2 has ode 4, 2 geneatos Z 5. It is possible fo multiple elements to geneate the goup, so let us now ty 3. By Lagange, od(3) 4. Fom ou pevious calculations, mod 5, so od(2 3 ) = od(3). Then 3 od(3) 2 3od(3) 1 mod 5 and 3od(3) od(2) mod 4. Since 3 and 4 ae elatively pime, od(3) = 4. Thus 3 is anothe geneato of Z 5. By the same agument, we can show 4 is not a geneato. Fom the above, mod 5, so od(2 2 ) = od(4). We know that 2 (the exponent in 2 2 ) divides 4, theefoe gcd(2, 4) divides 4. Moeove, od(4) = 4/ gcd(2, 4) = 2. This implies # 4 = 2, so 4 is not a geneato: 4 = {1, 4}. Rings and Fields Definition A (commutative) ing R is a set togethe with two binay opeations + and such that (R, +) is an Abelian goup; The opeation is associative: ( s) t = (s t) fo all, s, t R; The distibutive law holds in R: (s + t) = s + t and ( + s) t = t + s t fo all, s, t R; The opeation commutes: s = s fo all, s R; and R contains an identity if thee is an element 1 R such that 1 = 1 = fo all R. Simply put, a commutative ing is an Abelian goup without inveses. Not all ings contain 1, so the last condition is not absolute. Example. Z is a ing unde the usual addition and multiplication. Example. Z n is a ing unde addition and multiplication modulo n. Definition A field F is a set togethe with two binay opeations + and such that (F, +) is an Abelian goup with identity 0; (F {0}, ) is an Abelian goup with identity 1 and the distibutive law holds. Example. Q, R, and C ae all fields unde the usual addition and multiplication. Example. Fo any pime p, Z p is a field unde addition and multiplication modulo p. Definition Let p be a pime. Then Z p is a finite field, denoted F p.

7 2.1 Algeba and Numbe Theoy 6 Chinese Remainde Theoem Definition We denote conguence elationships ove the integes by a b mod n if and only if n (a b). Theoem (Chinese Remainde Theoem). Let m 1,..., m k be paiwise elatively pime positive integes and let c 1,..., c k be abitay integes. Then thee exists an intege x such that x c i mod m i fo all i = 1,..., k. Moeove, any intege x is also a solution to these conguences if and only if x x mod M whee M = m i fo i = 1,..., k. Poof. Let M = m i fo i = 1,..., k. Define m i = M/m i. All the m i s ae paiwise elatively pime, so gcd(m i, m i ) = 1 fo all i. Let u i = (m i ) 1 mod m i and w i = m i u i. By constuction then, w i 1 mod m i and w i 0 mod m j when i j. This gives us w i δ ij mod m j whee { 1, if i = j δ ij = 0, if i j. Letting x = w i c i fo i = 1,..., k, we see as desied. k x δ ij c i c j mod m j j=1 Remak. The Chinese Remainde Theoem implies the goup isomophism Z n = Z p e Z p em m, given by a mod n (a mod p e1 1,..., a mod pem m ), whee n = p e1 1 pem m pimes p i. fo integes e i and distinct Example. Histoically, the Chinese used this theoem to count soldies. Afte a battle, the soldies would line up in ows of (fo example) thee, then in ows of five, and then in ows of seven. By counting the emaining soldies afte each fomation, the commandes could quickly detemine the total numbe of men and theefoe detemine thei losses. Say thee ae fewe than 100 soldies. Afte lining up 3 soldies in each ow, 1 soldie emains. Afte standing 5 in a ow, 2 soldies emain, and afte standing 7 in a ow, 6 emain. We want to calculate the exact numbe of soldies. Let x epesent the total. Then x 1 mod 3 x 2 mod 5 x 6 mod 7. We compute M = = 105, and m 1 = 35, m 2 = 21, m 3 = 15. Computing inveses now, we have u 1 = mod 3 u 2 = mod 5 u 3 = mod 7 Then w 1 = 70, w 2 = 21, w 3 = 15, making x = w 1 c 1 + w 2 c 2 + w 3 c 3 = 70(1) + 21(2) + 15(6) 97 mod 105. Thus thee ae 97 soldies.

8 2.2 Discete Pobability Discete Pobability Definition A discete pobability distibution D ove a set [D] is specified as Pob D [u] [0, 1] fo all u [D] u D Pob D[u] = 1. The set [D] is called the suppot of D. Example (Succeeding by Repetition). Conside an expeiment whee the pobability of success is p. Suppose the expeiment is epeated n times; we want to bound the pobability that all n tials fail. Since each tial is independent of the next, the pobability of n failues is (1 p) n. Recall that 1 x e x fo all x. By letting x = p and aising both sides to the nth powe, we obtain the uppe bound (1 p) n e pn. Then Pob[At least 1 success] = 1 Pob[All fail] 1 e pn. If p is fixed, the pobability that all tials fail dops exponentially accoding to the numbe of epetitions n. Example (Balls and Boxes). Conside an expeiment with n boxes and k balls, each of a diffeent colo. Each ball is thown into a box at andom. We define a collision to be the event that 2 diffeent coloed balls land in the same box. We want to calculate the pobability of a collision. In a situation like this, it is often easie to calculate the pobability of the complementay event: Pob D [No collision] = n(n 1) (n k + 1) n k = Using again the fact that 1 x e x fo all x, we have k 1 j=0 ( ) n j = n k 1 j=1 Since Pob[Collision] = 1 Pob[No collision], ( 1 j ) k 1 n j=1 Pob D [Collision] 1 e k(k 1)/2n. k 1 j=0 ( n j n e j/n = e k(k 1)/2n. Example (The Bithday Paadox). The Bithday Paadox is a classic poblem utilizing the pevious scheme. We want to know how many people must be in a oom fo thee to be at least a 50% chance that two people have the same bithday (a collision). Let n = 365 and assume that people s bithdays ae unifomly distibuted ove the days of the yea. If we want Pob D [Collision] 1/2, then ). 1 e k(k 1)/2n 1 2 e k(k 1)/2n 1 2 e k(k 1)/2n 2 k(k 1) ln 2 2n k 2 2n ln 2 k 2n ln 2

9 2.3 Conditional Pobability 8 So if thee ae moe than 23 people in a oom, thee is ove a 50% chance that two people shae the same bithday. This seems a bit counteintuitive; hence the name paadox. Example (Binomial Distibution). A binomial tial is an expeiment with only two possible outcomes: success and failue. Let [D] = {0, 1,..., n} and the pobability of one success be p, then the binomial distibution is the pobability of u successes in a sequence of n independent tials: ( ) n Pob D [u] = p u (1 p) n u. u Definition A subset A [D] denotes an event. The pobability of A is Pob D [A] = u A Pob D [u]. It is also possible to pove vaious statements about set theoetical opeations defined between events, such as unions and intesections. Fo example, if A, B [D], we have Pob D [A B] = Pob D [A] + Pob D [B] Pob D [A B]. This is called the inclusion-exclusion pincipal. 2.3 Conditional Pobability Definition Let A and B be two events. The pobability of A occuing, given that B has aleady occued is called a conditional pobability. This is given by Pob D [A B] = Pob D[A B]. Pob D [B] The following theoem is useful fo computing conditional pobabilities. Theoem (Bayes). Fo two events A and B, Pob D [B A] = Pob D[A B] Pob D [B]. Pob D [A] Moeove, if D 1,..., D n is a patition of disjoint events of [D] such that [D] = D i fo 1 i n, then fo any events A and B, Pob D [B A] = Pob D [A B] Pob D [B] n i=1 Pob D[A D i ] Pob D [D i ]. Let B denote the complement of an event: B = [D] \ B. Bayes theoem suggests Pob D [B A] = Pob D [A B] Pob D [B] Pob D [A B] Pob D [B] + Pob D [A B] Pob D [B]. Example. Hee we see an application of Bayes Theoem. Let D be a pobability distibution ove a given population and let the event S coespond to the subset of the population sick with a cetain disease. Suppose thee is a medical test that checks fo the disease and define T to be the event that an individual selected fom the population tests positive. The pevalence of the disease is Pob D [S] = 1%, the chances of a successful test ae Pob D [T S] = 99%, and the pobability of an inaccuate test is Pob D [T S] = 5%. We want to find the pobability that a cetain individual is sick, given that the test esult is positive. A common

10 2.4 Random Vaiables 9 mistake is to claim that the pobability is 99%- the success ate of the test. This is false because it fails to take into account that we aleady know the peson tested positive. Using Bayes theoem, we can account fo this infomation and compute Pob D [T S] Pob D [S] Pob D [S T] = Pob D [T S] Pob D [S] + Pob D [T S] Pob D [S] (0.99)(0.01) = (0.99)(0.01) + (0.05)(1 0.01) = 1 6. This might seem uneasonable, but because the disease is so uncommon, a positive test is moe likely to occu fom an inaccuate test than fom the actual sickness. 2.4 Random Vaiables Definition Fo a pobability distibution D, we define a andom vaiable X to be a function X : [D] R. Fo any x R, we use the notation Pob[X = x] = Pob D [u]. X(u)=x We say that a andom vaiable X is distibuted accoding to D if X : [D] [D] is the identity function. We denote this by Pob[X = x] = Pob D [u]. X D X(u)=x Definition Fo any pobability distibution D with andom vaiable X, its expectation is E[X] = x R xpob[x = x]. Definition The vaiance of a discete andom vaiable X measues the spead, o vaiability of a distibution. It is defined by Va[X] = E[X 2 ] E[X] Tails of Pobability Distibutions When analyzing andom pocedues, we often want to estimate the bounds on the tails of a pobability distibution. The tem tails efes to the extemities of the gaphical epesentation of a pobability distibution, whee the distibution deviates fom the mean. The following theoems will be helpful. Theoem (Makov s Inequality). Let X be a andom vaiable that takes only nonnegative eal values. Then fo any t > 0, Pob[X t] E[X]. t Theoem (Chebyshev s Inequality). Let X be a andom vaiable. Fo any t > 0 we have Pob[ X E(X) t] Va[X] t 2.

11 2.5 Tails of Pobability Distibutions 10 Theoem (Chenoff s Bound). Let X 1,..., X n be independent andom vaiables taking values in {0, 1} with Pob[X i = 1] = p i. Then [ n ] [ n ] ( Pob X i (1 δ)µ e µδ2 /2 e δ ) µ and Pob X i (1 + δ)µ (1 + δ) 1+δ i=1 whee µ = p i and δ (0, 1]. Hee µ is the expectation and (1 δ)µ and (1 + δ)µ ae the tails. Example (Guessing with a Majoity). Suppose thee is an oacle that answes questions with Yes o No, and answes questions coectly with pobability 1/2 + α. Say we ask the oacle n questions and let X i be a andom vaiable accoding to { 1, oacle answes the ith quey coectly X i = 0, othewise. If we define a failue as eceiving fewe coect answes than incoect answes, the pobability of failing is [ [ Pob[Failue] = Pob # of coect answes n ] n ] = Pob X i n. 2 2 i=1 Hee we apply Chenoff s bound by setting n/2 = (1 δ)µ. Then [ n ] Pob X i (1 δ)µ e µδ2 /2. (1) i=1 Noting that µ = (1/2 + α)n, we can solve fo δ. n = (1 δ)µ 2 n = (1 δ) 2 δ = α 1/2 + α ( α i=1 ) n To estimate the pobability of a failue, we substitute this value of δ into (1). Pob[Failue] e α2 n/(1+2α). This implies that if the oacle has bias α, we can typically expose the bias afte a sufficient numbe of epetitions n. Because of this, the pobability of failing dops exponentially depending on the degee of the bias and the numbe of tials. If we want the pobability of failing to fall below some ε, we can find a suitable lowe bound on n. e α2 n/(1+2α) < ε α 2 n (1 + 2α) < ln(ε) n > α 2 (1 + 2α) ln ( ) 1 ε So by taking n lage enough, we can guaantee that the pobability of failing is sufficiently low.

12 2.6 Statistical Distance Statistical Distance Definition Let X and Y be andom vaiables distibuted accoding to D 1 and D 2 espectively and let V = X([D 1 ]) Y ([D 2 ]). We define the statistical distance by [X, Y ] = 1 2 Pob [X = u] Pob [Y = u] X D 1 Y D 2. u V Figue 1 illustates the statistical distance between two andom vaiables X and Y. The dotted cuve epesents the distibution of X ove D 1 and the black cuve coesponds to Y ove D 2. By definition, the sum of the pobabilities ove the suppot set is 1, so the aea below each cuve is 1. Half the sum of the shaded aeas epesents the statistical distance between X and Y. Because the stiped aea equals the gay aea, dividing the total shaded aea by 2 effectively establishes one of the two maked aeas as the statistical distance. [D 2] [D ] 1 Figue 1: Two pobability distibutions ove diffeent suppot sets [D 1 ] and [D 2 ]. egions distinguish the statistical distance between the andom vaiables. The shaded Execise: Show that fo any two suppot sets [D 1 ] and [D 2 ], the stiped aea equals the gay aea, so the statistical distance is equal to one of the two aeas. Definition Let ε > 0, then two andom vaiables X and Y ae said to be ε-close if [X, Y ] ε. Example. Let D 1 be the unifom distibution ove [0, A) whee 2 n A < 2 n+1 and let D 2 be the unifom distibution ove [0, 2 n ). We want to calculate the statistical distance of D 1 and D 2. Since D 1 is unifom ove [0, A), we have Pob D1 [u] = 1/A fo all u [0, A). Similaly, we can extend D 2 ove the sample space [0, A) by defining { 1/2 n, u [0, 2 n ) Pob D2 [u] = 0, u [2 n, A). Suppose X and Y ae andom vaiables distibuted accoding to D 1 and D 2 espectively whee

13 2.7 An Altenate Definition of Statistical Distance 12 [D 1 ] = [D 2 ] = [0, A). Then [X, Y ] = 1 2 = 1 2 = 1 2 = 1 2 u [0,A) u [0,2 n ) u [0,2 n ) (( 1 2 n 1 A = A 2n A. Pob [X = u] Pob [X = u] X D 1 X D 2 1 A 1 2 n + ( 1 2 n 1 A u [2 n,a) ) + u [2 n,a) ) 2 n + 1 A (A 2n ) 1 A 0 1 A ) Letting d = A 2 n, we have [X, Y ] = d/(d + 2 n ). When A is elatively close to 2 n, [X, Y ] appoximates 0. Fo example, if d = 2 n/2 so that A = 2 n/2 + 2 n, the statistical distance dops exponentially: d d + 2 n = 2n/2 2 n/2 + 2 = 1 n n/2 2 n/2. Definition A function f is negligible if fo all c R thee exists n 0 N such that f(n) 1/n c fo all n n 0. Definition A (pobability) ensemble is a collection of distibutions D = {D n } n N. We now take the collection X ove an ensemble D to mean a collection of andom vaiables ove D n D. As an abuse of notation howeve, we will still efe to the collection X as a andom vaiable. Definition Let X and Y be andom vaiables ove ensembles D and D. We say D and D ae statistically indistinguishable if [X, Y ] is a negligible function in n. It needs to be stessed that [X, Y ] 0 fo two ensembles does not imply that the ensembles ae indistinguishable. Statistical indistinguishability implies that the statistical distance, when viewed as a function of n, should be smalle than any polynomial function of n fo sufficiently lage values of n. 2.7 An Altenate Definition of Statistical Distance Definition A statistical test A fo an ensemble D = {D n } n N is an algoithm that takes input elements fom D n and outputs values in {0, 1} fo each n N. Theoem Conside the statistical test A as a function of n and let X and Y be andom vaiables following the ensembles D 1 and D 2 espectively. Define A [X, Y ] = Pob [A(X) = 1] Pob [A(Y ) = 1] X D 1 Y D 2 to be the statistical distance with espect to the test A. Then fo all A, [X, Y ] A [X, Y ] and thee exists some A such that [X, Y ] = A [X, Y ]. The fist pat of the theoem is agued as follows. Fo any A, A [X, Y ] = Pob D1 [a] Pob D2 [a] Pob D1 [a] Pob D2 [a] = df N 1 a A n a A n

14 2.7 An Altenate Definition of Statistical Distance 13 whee A n = {a D n : A(a) = 1}. Now conside the statistical test A that opeates exactly as A but flips the answe. It immediate that A [X, Y ] = A [X, Y ] based on the definition of A [, ]. Based on a simila easoning as above we have that A [X, Y ] = A [X, Y ] a A n Pob D1 [a] Pob D2 [a] = df N 2 whee A n is the complement of A n in D n. Now we obseve that N 1 + N 2 = [X, Y ] and given that N 1, N 2 [0, 1] it holds that one of them is at most 1 2 [X, Y ]. The esult follows. Regading the second pat of the theoem, we define a distinguishe A as follows: { A 1, Pob D1 [a] Pob D2 [a] (a) = 0, othewise, it follows easily that [X, Y ] = A [X, Y ]. Indeed, fo A n = {a D n : A (a) = 1} D n, A [X, Y ] = Pob D1 [a] Pob D2 [a] = (Pob D1 [a] Pob D2 [a]) a A n a A n fom which the esult follows immediately. To visualize how [X, Y ] = A [X, Y ] fo this distinguishe, we etun to Figue 1. The stiped aea denotes whee Pob D1 [u] Pob D2 [u], which we have aleady seen is exactly the statistical distance. a A n Example. Conside the two pobability distibutions D 1 and D 2 whee b 1 b 0 D 1 D ε ε Let X and Y be andom vaiables following D 1 and D 2. The statistical distance is [X, Y ] = 1 ( (0.25 ε) ( ε) ) = ε. 2 Take a set of statistical tests A 1,..., A 5 that distinguish the pevious pobability distibutions. Suppose we ae given two bits b 0 and b 1. Test A 1 outputs b 1. By the pevious infomation, it is clea that A1 [X, Y ] = ( ε) = ε. Test A 2 outputs b 0, so then A2 [X, Y ] = = 0. If Test A 3 outputs b 0 + b 1 mod 2, also denoted by the exclusive-o opeato b 0 b 1, its statistical distance is given by A3 [X, Y ] = ( ε) 0.25 = ε. Test A 4 outputs b 0 b 1, so A4 [X, Y ] = ( ε) = ε. And finally, if Test A 5 outputs b 0 b 1, its statistical distance is A5 [X, Y ] = = 0. Based on this infomation, we can detemine that A 1, A 3, and A 4 ae good tests with espect to D 1 and D 2 because thei espective statistical distances ae pecisely [X, Y ]. Likewise, tests A 2 and A 5 ae consideed bad because they both have statistical distance 0.

15 2.8 Pobabilistic Algoithms Pobabilistic Algoithms Algoithms may use the additional instuction x {0, 1} fo a andom vaiable X unifom ove D = {0, 1}. Such algoithms ae called pobabilistic algoithms and we say that they flip coins. Fo any pobabilistic algoithm, the set of possible outputs fom the suppot set of a pobability distibution. In paticula, if a {0, 1} is a possible output fo a pobabilistic algoithm A with input x, we define Pob[A(x) = a] = # {b {0, 1}n : A flips b and outputs a} 2 n, whee n denotes the numbe of coin flips pefomed by A fo a given x. Depending on the specifications of the algoithm, detemining n can be cumbesome. We may assume without loss of geneality howeve, that a pobabilistic algoithm A makes the same numbe coin flips fo all inputs of the same length. This estiction does not affect the computational powe of ou undelying pobabilistic algoithm model. Example. Conside the following algoithm. Call it A 1. 1: Input 1 n 2: select x 0,, x n 1 {0, 1} 3: if n 1 2 i x i 2 n 1 i=0 4: then output 1 5: else output 0 Since 1 is a possible output, Pob[A 1 (1 n ) = 1] = # {b {0, 1}n : A flips b and outputs 1} 2 n = 2n 1 2 n = 1 2. Example. Call the following algoithm A 2. 1: Input 1 n 2: epeat n times 3: x {0, 1} 4: if x = 1, output 1 and halt 5: output Fail Then we have the following pobabilities Pob[A 2 (1 n ) = Fail] = 1 2 n Pob[A 2 (1 n ) = 1] = n. Let A be a n-bit numbe. We call the left-most bit in the binay expansion of A the most significant bit. To avoid tivialities, we equie that the most significant bit of A be 1. Below ae thee pobabilistic algoithms that attempt to sample the unifom ove [0, A). To measue the quality of a sample, one must compute the statistical distance between the sample s output distibution and the unifom distibution ove the set {0, 1, 2,..., A 1}. Execise: Conside the following set of samples. Investigate the output pobability distibutions of each to detemine which has the most unifom distibution. Sample 1:

16 15 1: n := log 2 A 2: choose: x 0, x 1,..., x n 1 {0, 1} 3: y := n 1 i=0 2i x i 4: output y mod A Sample 2: 1: choose: x 0, x 1,..., x A 1 {0, 1} 2: y := A 1 i=0 x i 3: output y Sample 3: 1: n := log 2 A 2: epeat 3: choose: x 0, x 1,..., x n 1 {0, 1} 4: y := n 1 i=0 2i x i 5: if y < A output y and halt 6: else epeat 3 Symmetic Cyptosystems Although we will not discuss symmetic cyptosystems in class, hee we povide seveal inteesting examples, many of which ae of impotant histoical significance. In a symmetic cyptosystem, both ends of a communication channel shae a common secet key. This key is necessay fo both the encyption and decyption of messages. Definition A symmetic cyptosystem is composed of the the following elements: A plaintext message space M A ciphetext message space C A key space K An efficient encyption algoithm E : K M C An efficient decyption algoithm D : K C M An efficient key geneation algoithm G : N K In addition to the above, a symmetic cyptosystem must satisfy the coectness popety: Fo all m M and k K, D(k, E(k, m)) = m. 3.1 Classical ciphes Substitution Ciphes One of the most basic symmetic cyptosystems is the substitution ciphe. In a substitution ciphe, the encyption algoithm eplaces each message m M with a coesponding ciphetext c C. Fo a given key, the substitution function is a mapping π : M C and the decyption algoithm pefoms the invese substitution π 1 : C M. Example (Affine Ciphe). Message Spaces: M, C = Z N

17 3.1 Classical ciphes 16 Key Space: (a, b) Z N Z N with gcd(a, N) = 1 Encyption Algoithm: E((a, b), m) = am + b mod N Substitution ciphes, and in paticula affine ciphes have been used fo thousands of yeas. One famous affine ciphe, known as the Caesa ciphe o the shift ciphe was used by the Roman empeo Julius Caesa in about 50 BC. In the Caesa ciphe, a = 1 and b = 3, so afte assigning each lette of the alphabet to a numbe, the ciphe shifts each lette to the ight by 3 (mod 24). In moden times, such a technique cannot withstand fequency statistical analysis attacks. Due to the small numbe of liteate people at that time howeve, the method sufficed. Substitution ciphes in Z N can be viewed as pemutations on the set {0, 1,..., N 1}. Pehaps the simplest way to encode the English alphabet is to use Z 26, whee each lette is identified with a unique intege modulo 26. The key space is 26!. Unfotunately, this type of ciphe is vey vulneable to fequency statistical analysis attacks. Polyalphabetic Ciphes In a polyalphabetic ciphe, a plaintext element is epeated and substituted into diffeent ciphetext elements. Example (Vigenèe Ciphe). Key: gold Plaintext Message: poceed Encyption Algoithm: Chaacte-wise addition modulo 26 Decyption Algoithm: Chaacte-wise subtaction modulo 26 To encode poceed, p o c e e d g o l d g o l v f z f k s o Polyalphabetic ciphes povide moe secuity against fequency statistical analysis attacks than the pevious monoalphabetic ciphes. The polyalphabetic ciphe s main weakness lies instead in the epetitive use of the same key. Venam Ciphe and the One-Time Pad Gilbet Venam, an enginee fo Bell Labs poposed this ciphe in Message Spaces: M, C = {0, 1} n Key Space: K = {0, 1} n Encyption Algoithm: E(k, m) = k m Decyption Algoithm: D(k, c) = k c This ciphe encodes and decodes each element chaacte by chaacte using a peviously detemined, andomly geneated key. Since the key is neve eused o epeated, it became known as the one-time pad. The encyption and decyption algoithms ae identical, but the popeties of the exclusive-o (XOR) opeato guaantee that the coectness popety is satisfied. This cyptosystem is povably secue in the infomation-theoetical sense. Its main dawback lies in the fact that the key must be at least the length of the oiginal message.

18 3.2 The Data Encyption Standad (DES) 17 Tansposition Ciphes A tansposition ciphe eaanges the positions of each chaacte accoding to a pemutation π. The decyption algoithm ecoves the oiginal message by applying the invese pemutation π 1. Example (Tansposition Ciphe). Key: π = (2143) Plaintext Message: code Ciphetext Message: oced In this example, the invese pemutation π 1 is the same as the encyption pemutation. 3.2 The Data Encyption Standad (DES) The Data Encyption Standad (DES) is an algoithm that takes messages of a fixed length and divides them into blocks. The encyption and decyption opeations act on these blocks and etun outputs of the same length. The system is deteministic and consideed to be a polyalphabetic substitution ciphe. The plaintext and ciphetext message spaces ae 64-bit stings M, C = {0, 1} 64 and the key space is a 56-bit sting K = {0, 1} 56. To encode a message using DES, fist divide the message into the 32-bit left and ight sub-blocks L 0 and R 0. Take an initial pemutation IP to be a fixed pemutation, independent of the encyption key k. Then 1. (L 0, R 0 ) IP (input) 2. Take an S-box function f : {0, 1} 48 {0, 1} 32 {0, 1} 32 (we will fomally define f late in the section) and 48-bit sting keys k 1, k 2,..., k 16 deived fom the 56-bit key k. Repeat the following opeations 16 times: L i = R i 1 R i = L i 1 f(k i, R i 1 ) 3. Output IP 1 (R 16, L 16 ) The decyption algoithm follows in a simila fashion, with the key schedule evesed. Feistel Ciphe Hee we show that the iteative opeations above satisfy the coectness popeties fo the DES cyptosystem. Steps 1-3 ae collectively known as a Feistel ciphe. Let X L and X R epesent the left and ight 32-bit substings of the input. Mathematically, this ciphe is based on a ound function F k : {0, 1} 64 {0, 1} 64 given by F k (X) = X R X L f(k, X R ). Recall that the concatenation opeation has the lowest pecedence in opeations. In ode to expess DES as a Feistel ciphe, we fist define a tansposition function, T (X) = X R X L. It should be clea fom the above stuctue that the encyption opeation can be descibed by IP 1 T F k16 F k2 F k1 IP (X),

19 3.2 The Data Encyption Standad (DES) 18 whee denotes the usual function composition. Similaly, the decyption opeation of DES can be viewed as IP F k1 F k2 F k16 T IP 1 (X). Lemma Let F be the set of all functions F : {0, 1} 64 {0, 1} 64. It follows that fo all m > 0 and F 1, F 2,..., F m F, F 1 F 2 F m T F m F 2 F 1 (X) = T (X). Poof. We pove this by inducting on the numbe of functions m. When m = 1, we have one function F in F, so F T F (X) = F T (X R X L f(k, X R )) = F (X L f(k, X R ) X R ) = X R X L f(k, X R ) f(k, X R ) = X R X L = T (X). Assume the conclusion holds tue fo i functions in F: fo any F 1, F 2,..., F i F, it holds that F 1 F 2 F }{{} i T F i F 2 F 1 (X) = T (X). }{{} i functions i functions Suppose we have an opeation with i + 1 functions: F 1 F 2 F i F i+1 T F i+1 F i F 2 F 1 (X). Note that we inset the new function next to T because of the indexing, but we ae not inducting on the index; we ae inducting on the numbe of functions in the sequence. Using ou inductive hypothesis, ou expession educes to ou base case: F 1 F 2 F i F i+1 T F i+1 F i F 2 F 1 (X) = F 1 T F 1 (X) = T (X). }{{}}{{} i functions i functions Theoem The DES cyptosystem satisfies the coectness popety. Poof. We pove this fo a two-ound DES scheme. Using Lemma 3.2.1, the poof easily genealizes fo a lage numbe of ounds. Take any plaintext message X. The coesponding ciphetext message is IP 1 T F 2 F 1 IP (X). Ou goal is to show that we can ecove X by applying the same function with the key schedule evesed; that is, IP 1 T F 1 F 2 IP (X) invets IP 1 T F 2 F 1 IP (X). Noting that IP and IP 1 ae inveses and T is its own invese, we have IP 1 T F 1 F 2 IP IP 1 T F 2 F 1 IP (X) = IP 1 T F 1 F 2 T F 2 F 1 IP (X) by Lemma = IP 1 T T IP (X) = IP 1 IP (X) = X This holds tue independent of how f is implemented within each F i.

20 3.3 The Advanced Encyption Standad (AES) 19 S-Box Function In DES, the S-box function f is used to poduce a andom, non-linea distibution of plaintext messages ove the ciphetext message space. Specifically, f : {0, 1} 48 {0, 1} 32 {0, 1} 32 by computing f(k, A) accoding to seveal pedetemined components: 1. Expand A fom 32 to 48 bits accoding to a fixed table. 2. Compute k A. 3. Output 8-bit sting B 1, B 2,..., B 8, whee each B i is a 6-bit block. 4. Detemine [S 1 (B 1 ),..., S 8 (B 8 )], whee S i : {0, 1} 6 {0, 1} 4 is a fixed substitution map fo each i. 5. Apply a final fixed pemutation. The key schedule k 1, k 2,..., k 16 is obtained fom the oiginal 56-bit encyption key k, whee k is padded to a 64-bit key k by adding a paity bit afte evey seventh bit of k. Each k i is the substing of k used in the ith iteation. The Secuity of DES The secuity of the DES cyptosystem has long been subject to debate. The main citicism focused on the length of the key, which made it vulneable to bute foce attacks. In ode to incease the key size, the algoithm could be un multiple times, each time with a diffeent key. Although the key size was consideably lage, may pominent cyptogaphes maintained that the NSA could beak the DES encyption by bute foce. 3.3 The Advanced Encyption Standad (AES) The cuent encyption standad fo the National Institute of Standads and Technology (NIST) is the Advanced Encyption Standad (AES), also known as Rijndael. Rijndael, ponounced Ran-dahl, was designed by the two Belgian cyptogaphes Vincent Rijmen and Joan Daeman and was adopted as a standad in 2001 afte an extensive five yea competition between fifteen designs. Rijndael is a symmetic block ciphe that uses keys of 128, 192, o 256 bits to encypt and decypt 128-bit blocks. Hee we focus only on a 128-bit key. To encypt o decypt a message, a 128-bit block of plaintext, o espectively ciphetext is divided into 16 bytes, InputBlock = m 0, m 1,..., m 15. The key is divided in a simila fashion, KeyBlock = k 0, k 1,..., k 15. Rijndael opeates on the 4 4 matix epesentations of the InputBlock and KeyBlock: m 0 m 4 m 8 m 12 k 0 k 4 k 8 k 12 InputBlock = m 1 m 5 m 9 m 13 m 2 m 6 m 10 m 14, KeyBlock= k 1 k 5 k 9 k 13 k 2 k 6 k 10 k 14. m 3 m 7 m 11 m 15 k 3 k 7 k 11 k 15 This algoithm, like DES, opeates though a numbe of ounds. In the simplest case, a 128-bit message block and 128-bit key block equie 10 ounds. A ound tansfomation is denoted by Round(State,RoundKey), whee State is the 4 4 matix etuned by the pevious tansfomation and RoundKey is a matix deived fom the InputKey by

21 3.3 The Advanced Encyption Standad (AES) 20 some mapping known as the key schedule. When encypting, the initial State is the InputBlock of plaintext and the final State outputs the encypted message. When decypting, the fist State is the InputBlock of ciphetext, and the final ound etuns the oiginal message. Specifically, fo any byte B = {0, 1} 8, Round: B 4 4 B 4 4 B 4 4, whee Round(State, RoundKey) = newstate. With the exception of the final ound, fou intenal tansfomations compose each ound tansfomation: Round(State, RoundKey){ SubBytes(State); ShiftRows(State); MixColumns(State); AddRoundKey(State, RoundKey); } The final ound, denoted FinalRound(State, RoundKey), diffes fom the peceding ounds in that it omits the MixColumns opeation. Each ound tansfomation invets to decypt. The invese is denoted using the usual invese function notation Round 1 and FinalRound 1. The Intenal Functions of the Rijndael Ciphe Rijndael s intenal functions ae defined ove a binay extension of a finite field. This extension is geneated by the ing of all polynomials modulo f(x) = X 8 + X 4 + X 3 + X + 1 ove F 2. It is necessay to note that f(x) is ieducible. Any element in the field can be viewed as a polynomial ove F 2 of degee less than 8, and all opeations ae pefomed modulo f(x). Each element B = {0, 1} 8 can theefoe be witten as whee b i F 2 is the ith bit of B. b 7 X 7 + b 6 X 6 + b 5 X 5 + b 4 X 4 + b 3 X 3 + b 2 X 2 + b 1 X + b 0, Example (Addition). Conside the polynomials g(x) = X 5 +X 3 +X+1 and h(x) = X 3 +X 2 +X. To compute g(x) + h(x) mod (f(x), 2), (X 5 + X 3 + X + 1) + (X 3 + X 2 + X) = X 5 + 2X 3 + X 2 + 2X + 1 X 5 + X mod (f(x), 2). Because these opeations ae pefomed ove F 2, we can also view addition as exoneating the bit values. Witing g(x) = and h(x) = , we have = Example (Multiplication). Take the polynomials X 3 + X and X 6 + X + 1. Then (X 3 + X)(X 6 + X + 1) = X 9 + X 7 + X 4 + X 3 + X 2 + X Ove F 2 we see Xf(X) = X 9 +X 5 +X 4 +X 2 +X, so X 9 = Xf(X)+X 5 +X 4 +X 2 +X. Substituting this in above, we obtain = Xf(X) + X 7 + X 5 + 2X 4 + X 3 + 2X 2 + 2X X 7 + X 5 + X 3 mod (f(x), 2).

22 3.3 The Advanced Encyption Standad (AES) 21 The SubBytes(State) Function The fist intenal tansfomation of the Rijndael ciphe pefoms a nonlinea substitution on each byte of State accoding to an 8 8 lookup table A. Let s ij F 2 8 be a 1-byte element fom State fo 0 i, j 3. Afte completing the SubBytes step, the newstate matix is s 00 s 01 s 02 s 03 newstate = s 10 s 11 s 12 s 13 s 20 s 21 s 22 s, 23 s 30 s 31 s 32 s 33 whee fo a fixed constant b. s ij = { A s 1 ij b, s ij 0 b, othewise The ShiftRows(State) Function The ShiftRows opeation pemutes each ow of State. If s 00 s 01 s 02 s 03 s 00 s 01 s 02 s 03 State = s 10 s 11 s 12 s 13 s 20 s 21 s 22 s 23, then newstate = s 11 s 12 s 13 s 10 s 22 s 23 s 20 s 21. s 30 s 31 s 32 s 33 s 33 s 30 s 31 s 32 The MixColumns(State) Function The MixColumns opeation acts on each column of State. Let s 0 s = s 1 s 2 s 3 be any column. We wite this as a polynomial of degee 3 ove F 2 8[X], Define the fixed cubic polynomial s(x) = s 3 X 3 + s 2 X 2 + s 1 X + s 0. c(x) = c 3 X 3 + c 2 X 2 + c 1 X + c 0 = 03X X X + 02, whee 03, 02, 01 F 2 8. The MixColumns tansfomation multiplies s(x) by c(x) in F 2 8[X] modulo the polynomial X 4 + 1: d(x) = c(x)s(x) mod (X 4 + 1, 2 8 ). The esulting polynomial d(x) eplaces the column s(x) in the newstate matix. Lemma X i X i mod 4 mod X Lemma d(x) = d 3 X 3 + d 2 X 2 + d 1 X + d 0 whee d i = c k s j fo 0 k, j 3. k+j i mod 4

23 22 Example. The coefficient of X 2 in the poduct c(x)s(x) mod (X 4 + 1, 2 8 ) is d 2 = c 2 s 0 + c 1 s 1 + c 0 s 2 + c 3 s 3. Since we ae adding and multiplying in F 2 8, these esults can epesented though matix multiplication in F 2 8, d 0 c 0 c 3 c 2 c 1 s 0 d 1 d 2 d 3 The AddRoundKey(State) Function = c 1 c 0 c 3 c 2 c 2 c 1 c 0 c 3 c 3 c 2 c 1 c 0 In this final tansfomation, we add the elements of State to those of RoundKey byte by byte in F 2 8. Decyption Because each of the fou intenal functions is invetible, a message is decypted by applying the invese encyption opeations in evese ode. s 1 s 2 s 3. Round 1 (State, RoundKey){ AddRoundKey 1 (State, RoundKey); MixColumns 1 (State); ShiftRows 1 (State); SubBytes 1 (State); } The SubBytes function is the cucial step, since it povides the necessay nonlinea element fo the ciphe. The ShiftRows and MixColumns opeations ae then used to spead the entopy of the input. While AES does take seveal steps to complete an encyption, its oveall simplicity adds to its appeal. It is to be noted that Rijndael should use diffeent codes and hadwae cicuits fo encyption and decyption. 4 Modes of Opeation Block ciphes pocess messages of a fixed length by beaking them into fixed-size pieces and opeating on each piece. In pactice, messages have vaying lengths. Diffeent modes of opeation allow us to cicumvent this issue by adding nondeteminism and padding plaintext to a fixed length invaiant. Hee we discuss fou modes. The following notation will be helpful: P: Plaintext Message C: Ciphetext Message E: Encyption Algoithm D: Decyption Algoithm IV: Initial Vecto Electonic Codebook Mode The electonic codebook mode (ECB) is the simplest mode of opeation. A plaintext message is divided into blocks of an appopiate length and each is encypted individually.

24 23 P1 P2 E E... C1 C2 Figue 2: Electonic Codebook Mode The Ciphe Block Chaining Mode The ciphe block chaining mode (CBC) outputs a sequence of ciphe blocks, each dependent on all peceding blocks. The oiginal plaintext is segmented into blocks P 1, P 2,.... The fist block P 1 is exoneated with a andom n-bit initial vecto befoe being encypted as C 1. C 1 is then exoneated with P 2. In geneal, C i is the vecto used when encypting P i+1. One benefit of CBC is that the initial vecto need not be kept secet. P1 P2 P3 E E E IV C1 C2 C3 Figue 3: Ciphe Block Chaining Mode The Counte Mode The counte mode (CTR) fist feeds the encyption algoithm a counte-value. The encypted counte-value is exoneated with the fist block of plaintext P 1 to obtain the cipheblock C 1. A diffeent counte-value is used fo each P i, so evey cipheblock is independent. Because of this, CTR has the ability to encode all blocks simultaneously o in no paticula ode.

25 24 The Output Feedback Mode The output feedback mode (OFB) fist encypts a fixed, andom n-bit initial vecto, which it then exoneates with P 1. When P 2 is added, the encypted initial vecto is again un though the encyption algoithm. In this manne, the encyption algoithm only acts on the initial vecto. By epeatedly encypting IV, a steam of code is ceated that inteacts with the plaintext. Unlike the counte mode howeve, the ode of the cipheblocks mattes. P1 P2 P3 E E E IV C1 C2 C3 Figue 4: Output Feedback Mode 5 Diffie-Hellman Key Exchange Potocol In 1976, Whitefield Diffie and Matin Hellman published thei pape New Diections in Cyptogaphy, evolutionizing moden cyptogaphy. Pio to this publication, all significant cyptogaphic techniques elied on some pe-ageed upon key. In thei pape howeve, Diffie and Hellman poposed a potocol that enabled two paties, having no pio communication, to jointly establish a secet key ove an insecue channel. Hee we will intoduce the concete key exchange potocol and examine its secuity in the pesence of both passive and active advesaies. 5.1 The Diffie-Hellman Potocol Figue 5 illustates the concete Diffie-Hellman key exchange potocol. To begin, two paties, Alice and Bob, choose the values x A and x B espectively. These can be detemined using the coin flipping techniques discussed in Section 2.8. Neithe paty discloses thei value to the othe. The notation x Z m means that x is sampled accoding to the unifom ove Z m. Obseve that y x A B = y x B A mod p, so k A = k B and both paties compute the same value in Z p. In Section 1.1 we mentioned ou inteest in the goals, designs, pimitives, models, and poofs of cyptogaphy. The goal of a key exchange potocol is to establish a key in the pesence of an eavesdoppe. Ou design of inteest is the Diffie-Hellman potocol, whose pimitives ely on the potocols fo sampling andom elements. Continuing with this theme, we now natually want to know how to model the secuity of the key exchange potocol and investigate the undelying assumptions equied fo the Diffie-Hellman key exchange to be povably secue.

26 5.2 Related Numbe-Theoetical Poblems 25 Alice Common Input: p, m, g x A Z m x B Bob Z m y A g x A mod p y B g x B mod p y A y B k A y x A B mod p k B y x B A mod p Output k A Output k B Figue 5: The Diffie-Hellman key exchange potocol, whee p is a lage pime and g is a geneato of the goup Z p of ode m. 5.2 Related Numbe-Theoetical Poblems Hee we intoduce seveal potentially had numbe theoy poblems that allow the Diffie-Hellman potocol to educe. In the following sections, we examine the pope secuity definition and educe the secuity of the potocol to an appopiate numbe-theoetical assumption. Definition Fo a suitable cyclic goup G = g, take y G of ode m. The discete logaithm poblem (DL) is to find an intege x Z m such that g x = y. We have no poof that this poblem is had. To the best of ou knowledge, the numbe of steps necessay to find a solution is supe-polynomial in the size of the goup element, assuming the goup is chosen appopiately. Definition Given a cyclic goup G = g of ode m, g a and g b whee a, b Z m, the computational Diffie-Hellman poblem (CDH) is to compute g ab. An advesay attacking the Diffie-Hellman potocol does not specifically cae about DL. His objective is to solve CDH. It is clea howeve, that if an advesay could solve DL and deive x fom g x, he could solve CDH with a single exponentiation. This theefoe establishes a eduction between the discete logaithm poblem and the computational Diffie-Hellman poblem: CDH DL. Lemma The computational Diffie-Hellman poblem is no hade than the discete logaithm poblem. It is unknown if the convese holds. Definition The decisional Diffie-Hellman poblem (DDH) is as follows: given a goup G = g of ode m and g a, g b, g c, whee a, b, c Z m, decide if c = ab o c Z m. This is a vey weak poblem since it only asks an advesay to detemine whethe o not c is andomly geneated. If an advesay could solve CDH, he could solve DDH by computing g ab and compaing it to g c ; thus, DDH CDH. Lemma The decisional Diffie-Hellman poblem is no hade than the computational Diffie- Hellman poblem. Moeove, this last poblem is no hade than the discete logaithm poblem. In the sequel we will show that the Diffie Hellman potocol is secue unde an assumption that elates to the DDH poblem. So fa we have been conveniently vague in ou choice of a goup; in fact, we have caefully chosen ou paametes to ensue that the undelying poblems ae indeed had. The next example

27 5.3 Goup Geneatos 26 demonstates this by showing that the discete logaithm poblem is solvable in polynomial-time when we choose an inappopiate goup. Example. Conside Z p fo a lage pime p. By a theoem of Eule, Z p has ode p 1. Fo this example, conside the case whee p 1 factos into small pimes q i : p 1 = q 1 q 2 q s. Then thee is a subgoup G i of ode q i. 3 Define the goup homomophism f i : Z p G i by x x p 1/qi and let g i = g p 1/qi fo some fixed geneato g of Z p. Note that g i has ode q i. Take some y = g x mod p. Raising both sides to the p 1/q i powe, we have y p 1/qi (g p 1/qi ) x x mod qi gi mod p whee 1 i s. Because q i is a small pime, we can use bute foce to solve the discete logaithm poblem; that is, we can pefom an exhaustive seach to find the set of conguences x i x mod q i. We can then compute x using the Chinese Remainde Theoem. To avoid this type of attack, we can select Z p such that it contains a lage subgoup. Fo example, if p = 2q + 1 and q is pime, thee is a subgoup of size q, called the quadatic esidue of Z p. Definition The quadatic esidue of G is the subgoup of all y G such that thee is an x G with x 2 = y. When G = Z n, we wite the quadatic esidue as QR(n). In the paticula case G = Z p fo a pime p, QR(p) = g 2 fo a geneato g of G. QR(p) is exactly half the elements of G. This is the lagest pope subgoup of Z p. The mapping x x p 1 2 is paticulaly useful in this context. It is easy to see that the image of the map is {1, 1}. We pove the following useful esult egading quadatic esidues. Lemma Conside some a Z and p 3 mod 4. It holds that a p 1 2 = 1 mod p if and only if a QR(p). Poof. Fo the fowad diection, suppose that a p 1 2 = 1 mod p. Let y = a p+1 4 mod p. Then we have y 2 = a p+1 2 = a p 1 2 a = a mod p Given that y 2 = a mod p we obtain a QR(p). Fo the othe diection, if a QR(p), i.e., we have y 2 = a mod p we have that a p 1 2 = y p 1 = 1 mod p. Obseve that the poof of the lemma povides a way to constuct the oots of a quadatic esidue modulo p. Indeed, given a the two oots of a modulo p ae calculated as ±a p+1 4 mod p. 5.3 Goup Geneatos Definition A goup geneato GGen is a pobabilistic algoithm that poduces a desciption of a finite goup G when given a length λ. At a minimum, the desciption contains a goup element, the goup opeation, and a goup membeship test. Example. Take Z p to be ou goup fo some pime p of length λ. GGen etuns an element g of ode m, whee m is some function of λ and p. The goup opeation is multiplication modulo p, and if an intege is between 0 and p 1, it passes the goup membeship test. Fo example the algoithm GGen on input 1 λ can calculate a andom numbe p of the fom 3k +4 that has λ bits, and then check if p is a pime numbe. If not, it chooses anothe p othewise it checks whethe (p 1)/2 is pime, if not it chooses anothe p. When the ight p is found, it chooses a numbe a {2,..., p 2} and andom and computes a (p 1)/2 mod p. If this value is 1 then it chooses anothe a. Othewise it sets g = a 2 mod p. The output of the algoithm GGen ae the values (p, g, m = (p 1)/2). 3 The existence of such a subgoup is guaanteed by Cauchy s Theoem.