Lecture 14: Hardness Assumptions

Similar documents
Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

CSC 5930/9010 Modern Cryptography: Number Theory

Lecture 11: Number Theoretic Assumptions

Topics in Cryptography. Lecture 5: Basic Number Theory

Number Theory. Modular Arithmetic

Chapter 8 Public-key Cryptography and Digital Signatures

Lecture 17: Constructions of Public-Key Encryption

Introduction to Cryptology. Lecture 20

NUMBER THEORY AND CODES. Álvaro Pelayo WUSTL

Number Theory and Group Theoryfor Public-Key Cryptography

CIS 551 / TCOM 401 Computer and Network Security

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Elementary Number Theory Review. Franz Luef

Introduction to Cryptography. Lecture 6

Public Key Cryptography

Lecture 11: Key Agreement

Introduction to Cryptography. Lecture 8

Practice Number Theory Problems

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lecture 16: Public Key Encryption:II

Katz, Lindell Introduction to Modern Cryptrography

Cryptography IV: Asymmetric Ciphers

Chapter 8. Introduction to Number Theory

Lecture 3.1: Public Key Cryptography I

Number Theory & Modern Cryptography

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Mathematics for Cryptography

INTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes.

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

CPSC 467b: Cryptography and Computer Security

Congruence of Integers

Applied Cryptography and Computer Security CSE 664 Spring 2018

Lecture 1: Introduction to Public key cryptography

Public Key Algorithms

CPSC 467: Cryptography and Computer Security

Numbers. Çetin Kaya Koç Winter / 18

Chapter 4 Asymmetric Cryptography

Mathematics of Cryptography

Asymmetric Cryptography

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Computational Number Theory. Adam O Neill Based on

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Mathematical Foundations of Public-Key Cryptography

14 Diffie-Hellman Key Agreement

Chapter 5. Modular arithmetic. 5.1 The modular ring

Elementary Number Theory and Cryptography, 2014

Lecture V : Public Key Cryptography

1 Number Theory Basics

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Encryption: The RSA Public Key Cipher

Introduction to Elliptic Curve Cryptography. Anupam Datta

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Number Theory A focused introduction

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

LECTURE NOTES IN CRYPTOGRAPHY

Number Theory and Algebra: A Brief Introduction

Introduction to Cybersecurity Cryptography (Part 5)

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

CS483 Design and Analysis of Algorithms

Discrete mathematics I - Number theory

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Outline. Number Theory and Modular Arithmetic. p-1. Definition: Modular equivalence a b [mod n] (a mod n) = (b mod n) n (a-b)

Basic elements of number theory

Basic elements of number theory

1 Rabin Squaring Function and the Factoring Assumption

ECEN 5022 Cryptography

My brief introduction to cryptography

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

4 Powers of an Element; Cyclic Groups

CRYPTOGRAPHY AND NUMBER THEORY

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Public-Key Encryption: ElGamal, RSA, Rabin

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Chuck Garner, Ph.D. May 25, 2009 / Georgia ARML Practice

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Basic Algorithms in Number Theory

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Public Key Cryptography

Powers in Modular Arithmetic, and RSA Public Key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

2x 1 7. A linear congruence in modular arithmetic is an equation of the form. Why is the solution a set of integers rather than a unique integer?

CS 290G (Fall 2014) Introduction to Cryptography Oct 21st, Lecture 5: RSA OWFs

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Mathematical Foundations of Cryptography

Lecture Notes, Week 6

Transcription:

CSE 594 : Modern Cryptography 03/23/2017 Lecture 14: Hardness Assumptions Instructor: Omkant Pandey Scribe: Hyungjoon Koo, Parkavi Sundaresan 1 Modular Arithmetic Let N and R be set of natural and real numbers respectively. Let Z be set of integers. Z + and Z represent positive and negative integers. For n N, Z N denotes set of integers modulo N as following: Z N := {0, 1, 2,..., N 1} In this setting, we can perform arithmetic in Z N - addition, mulplication and division: (a + b) mod N = (a mod N) + (b mod N) mod N (a b) mod N = (a mod N) (b mod N) mod N r = a mod N when integer a is divided by N and r is the remainder in Z N We say that a is congruent to b modulo N if a, b have the same remainder and write: a b mod N Thus a 0 mod N if and only if N a, where N divides a. 2 Greatest Common Divisor (GCD) If a, b are two integers, gcd(a, b) denotes their GCD, greatest common divisor. If two integers a, b are non-zero and have no common factors (i.e., gcd(a, b) = 1), a, b are relatively prime. It is easy to compute gcd for any two integers a, b using Extended Euclidean: a, b Z x, y Z such that ax + by = gcd(a, b) If a, b are relatively prime, we can write it as following: ax + by = 1 ax 1 mod b Now let Z N be set of integers mod N that are relatively prime to N: Z N = {1 x N 1 : gcd(x, N) = 1} a Z N x : ax = 1 mod N Such an x is called the inverse of a. 14-1

3 Integers modulo a prime We are of special interest when N is a prime number, say p, which defines: Z p = {0, 1, 2,..., p 1} Z p = {1 x N 1 : gcd(x, p) = 1} = {1, 2,..., p 1} Z p = p 1 3.1 Fermat s Little Theorem If p is a prime, then for any a Z p: Theorem 1 Fermat s Little Theorem a p 1 mod p = 1 3.2 Euler s Generalization Fermat s Little Theorem can be generalized by Euler s theorem. Theorem 2 Euler s Theorem For any N N and a Z p : a φ(n) mod N = 1 where φ(n) = Z N φ(n) is Euler s totient function, which denotes the number of n Z N that is relative to N. Every interger N can be written as the multiplication of its factors as the following theorem. Theorem 3 Fundamental Theorem of Arithmetic N = k i=1 for prime factors p 1 < p 2 <... < p k and positive integers e i > 0 This factorization is unique with empty product taken to be 1 φ(n) = N p e i i k (1 1 ) p i If N = pq for distict primes p and q, then φ(n) = (p 1) (q 1) because there are q and p multiples for p and q respectively in N = pq. i=1 14-2

4 Groups A set G denotes a group with a group operation : G G G, satisfying the following properties: Closure: a, b G, a b G Identity: e G (identity) s.t. a G : a e = e a = a Associativity: a, b, c G : (a b) c = a (b c) Inverse: a G, b G s.t a b = b a = e (identity) In particular, a group with commitative property is called Abelian group where a, b G : a b = b a. For example, (Z N, +), (Z N, ) are additive and multiplicative groups for all N. Theorem 4 Corollary of Lagrange s Theorem x G = e If the set {g, g 2,...} = G, g G is a generator of G. The set of all generators of G is denoted by Gen G. 5 Discrete Logarithm Problem An instance (p, g, y) of the discrete logarithm problem consists of a large prime p and two elements g, y Z p. Since p is prime, difference between Z p and Z p is that Z p includes 0. The task is to find an x such that g x = y mod p. This task is believed to be hard - No known algorithm that can break the problem - except for few special cases. This include: g = 1 p has some special structure like p = 2 k + 1 p 1 has many small factors However, if g is a generator, the problem is believed to be hard. Normally we want to work with a group such that order of the group, G,the number of elements in G, is prime. However, Z p has order (p 1), which is not prime. If p = 2q + 1 and q is also a prime, p is called Sophie Germain prime or a safe prime. This subgroup has order q which is prime. The practical method for sampling safe primes is simple: first pick a prime q as usual, and then check whether 2q + 1 is also prime. Number of elements in Z p, Z p = p 1 = 2q Consider a subset G q = {x 2 : x Z p}. This set G q is a set of quadratic residues mod p. G q has an order of q = (p 1)/2. It is easy to prove that G q is a group of prime order q, by proving that all properties of a group are satisfied by G q. For example, we can compute inverse a in G q by: 14-3

a G q, if at G q x : x 2 = a mod p, a q mod p = a (p 1)/2 mod p = x 2(p 1)/2 = x (p 1) mod p = 1 (By F ermat s Little T heorem) a.a (q 1) mod p = 1 So, Inverse of a = a (q 1) mod p Since G is a prime order group, cycle through all q elements of G by applying the group operation to the generator over and over again. Other ways to construct prime order groups include group formed by points on an appropriate elliptic curve. It is hard to compute discrete log in prime order groups. Assumption 1 Discrete Log Assumption If G q is a group of prime order q, then, for every non-uniform PPT A, there exists a negligible function µ such that: [ ] P r q Π n ; g Gen Gq ; x Z q : A(1 n, g x ) = x µ(n). Adversary A s advantage in solving the discrete logarithm problem is negligible. Π n is the set of n-bit prime numbers. It is important that G is a group of prime-order. So, the normal multiplicative group Z p has order (p 1) and therefore does not satisfy the assumption. 6 Diffie-Hellman Problems 6.1 Computational Diffie-Hellman The adversary gets X = g x mod p and Y = g y mod p and (p, g). Let G q be a cyclic group of prime order q. The CDH problem is : Given (g, q, g x, g y ), compute g xy G q, where, x and y are random and all computations are in G q Assumption 2 CDH Assumption is that Adversary A s probability of solving the computational Diffie-Hellman problem is negligible. non uniform P P T A, negligible µ such that, n : A solves CDH problem with probablility atmost µ(n) Note : When working with a safe p = 2q + 1, g can be generator for order q subgroup, and computations can be modulo p. 14-4

6.2 Decisional Diffie-Hellman g xy looks indistinguishable from a random group element. Assumption 3 Decisional Diffie-Hellman Assumption is the following ensembles are computationally indistinguishable: {p Π n, y Gen q, a, b Z q : g, p, g a, g b, g ab } n {p Π n, y Gen q, a, b, z Z q : g, p, g a, g b, g z } n where x,y,z are all random and all computations are in G q. Adverasary is unable to say if its g xy or random g z. non-uniform PPT distinguishers, D, negligible µ such that n : D solves the DDH problem with probability at most 1/2 + µ(n) It is crucial for the DDH assumption that the group within which we work is a prime-order group. In a prime order group, all elements except the identity have the same order. 7 RSA RSA = Rivest, Shamir, Adleman Let p,q be large random primes of roughly the same size and N = pq. N is called a RSA modulus. φ(n) is the order of Z N, which is (p 1)(q 1), where, Z N = {x Z N : gcd(x, N) = 1} Let e be an odd number between 1 and φ(n) such that gcd(e, φ(n)) = 1. Therefore, e Z φ(n). By using Extended Euclidean Algorithm, we can find a d such that: e.d = 1 mod φ(n). If φ(n) is known, you can compute d.but if φ(n) is not known, d seems hard to compute. Therefore, φ(n) must be kept secret. Let N,e,d be as before so that e.d = 1 mod φ(n). d can be used to compute e-th root of numbers modulo N. Suppose that y = x e mod N, then: y d mod N = x ed mod N = x ed mod φ(n) mod N = x mod N RSA Assumption is that, without d, it seems hard to compute e-th root of numbers modulo N. So even if (N, e) are given it would be hard to find e th roots; can be used as public key. d and factors of N should be kept secret; d can be used as secret trapdoor. 14-5

Assumption 4 RSA Assumption : For every non-uniform PPT A there exists a negligible function µ such that for all n N: [ p, q Π n ; N pq; P r e Z φ(n) ; y Z N ; : xe = y mod N x A(N, e, y) ] µ(n). For N, e as above, the following is called the RSA function: f N,e (x) = x e mod N The RSA Function actually yields a collection of trapdoor one-way permutations. 8 Learning With Errors (LWE) Let S be a vector of length n, where each element belongs to Z n q, some modulus q, greater than 2, and parameter n. s = (s 1,..., s n ) Z n q Suppose you are given many equations for known a values. a 1.s 1 + a 2.s 2 +... + a n.s 1 = b 1 (mod q) a 1.s 1 + a 2.s 2 +... + a n.s 1 = b 2 (mod q) etc This can be solved by using Gaussian elimination. But, it may not work if the equation contain some errors. In particular, solving a system of equations, each with some noise becomes hard when all equations have independent error,according to the Normal Distribution, with standard deviation αq > n. a 1.s 1 + a 2.s 2 +... + a n.s 1 b 1 (mod q) a 1.s 1 + a 2.s 2 +... + a n.s 1 b 2 (mod q) etc Errors should be picked, from Gaussian or Normal distribution, such that error is small enough for problem to be unique but large enough for problem to be hard to solve. 14-6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback