Efficient Pseudorandom Generators Based on the DDH Assumption

Similar documents
Efficient Pseudorandom Generators Based on the DDH Assumption

Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Pseudo-random Number Generation. Qiuliang Tang

14 Diffie-Hellman Key Agreement

True & Deterministic Random Number Generators

Introduction to Cryptography. Lecture 8

State Recovery Attacks on Pseudorandom Generators

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Short Exponent Diffie-Hellman Problems

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

An Implementation of Ecient Pseudo-Random Functions. Michael Langberg. March 25, Abstract

Lecture 17: Constructions of Public-Key Encryption

Advanced Cryptography 1st Semester Public Encryption

The Dual Elliptic Curve Deterministic RBG

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Lecture 6: Cryptanalysis of public-key algorithms.,

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

CPSC 467: Cryptography and Computer Security

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

An Improved Pseudo-Random Generator Based on Discrete Log

Practice Number Theory Problems

Security II: Cryptography exercises

Cryptography IV: Asymmetric Ciphers

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Lecture 28: Public-key Cryptography. Public-key Cryptography

Information Security

El Gamal A DDH based encryption scheme. Table of contents

CS 395T. Probabilistic Polynomial-Time Calculus

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Hardness of Distinguishing the MSB or LSB of Secret Keys in Diffie-Hellman Schemes

Lecture 7: ElGamal and Discrete Logarithms

Introduction to Cybersecurity Cryptography (Part 4)

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

The Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem

An Improved Pseudorandom Generator Based on Hardness of Factoring

1 Cryptographic hash functions

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cryptology. Lecture 20

Design and analysis of provably secure pseudorandom generators Sidorenko, A.

1 Number Theory Basics

Lecture 3: Randomness in Computation

1 Cryptographic hash functions

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Pseudorandom Generators

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Encryption: ElGamal, RSA, Rabin

Discrete logarithm and related schemes

Random number generators

Advanced Topics in Cryptography

Lecture 10 - MAC s continued, hash & MAC

Pseudo-Random Generators

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Pseudo-Random Generators

Transitive Signatures Based on Non-adaptive Standard Signatures

Public Key Cryptography

Secure and Practical Identity-Based Encryption

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Lecture Notes, Week 6

Elliptic Curve DRNGs. Çetin Kaya Koç Winter / 21

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

Digital Signatures. Adam O Neill based on

Discrete Logarithm Problem

The Cramer-Shoup Cryptosystem

CSC 5930/9010 Modern Cryptography: Number Theory

Lecture Notes Cryptographic Protocols

Provable security. Michel Abdalla

The Group Diffie-Hellman Problems

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/

A New Paradigm of Hybrid Encryption Scheme

Lecture 14: Hardness Assumptions

Introduction to Elliptic Curve Cryptography. Anupam Datta

Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

G Advanced Cryptography April 10th, Lecture 11

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Elliptic Curve DRNGs. Çetin Kaya Koç Winter / 19

EXPONENTIAL SUMS EQUIDISTRIBUTION

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Public Key Cryptography

Fundamentals of Modern Cryptography

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Computational Number Theory. Adam O Neill Based on

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

CS 355: Topics in Cryptography Spring Problem Set 5.

An Efficient Discrete Log Pseudo Random Generator

Public Key Cryptography

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

CPSC 467b: Cryptography and Computer Security

Public-key Cryptography: Theory and Practice

CS 6260 Some number theory

Beyond the MD5 Collisions

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Transcription:

Efficient Pseudorandom Generators Based on the DDH Assumption Andrey Sidorenko (Joint work with Reza Rezaeian Farashahi and Berry Schoenmakers) TU Eindhoven

Outline Introduction provably secure pseudorandom generators (PRG) Blum-Micali PRG based on the DL problem security reduction is not tight decisional Diffie-Hellman (DDH) problem concrete vs. asymptotic security New PRG based on the DDH problem almost tight reduction specific instances group of quadratic residues modulo safe prime arbitrary subgroup of Z p *

Application of randomness Noncryptographic purposes Monte Carlo Simulations (collecting statistics) Randomized algorithms (e.g. QuickSort) Cryptographic schemes Probabilistic signing/encryption algorithms Protocols, using Nonces Session keys Stream Ciphers Lotteries and electronic gambling Stronger constraints for cryptographic use!! Security indistinguishability

Pseudorandom Generator n truly random bits (seed) 10001010111001110101111010111101 deterministic algorithm 10011010110110010101111010111101101011111011000100111010001011101010111010110001010101 M bits that look random (pseudorandom sequence) Preferably M àn and fast PRG Seed value is usually derived from variances in timing of low-level devices keyboard, mouse, disc drive, process ID

Security of PRGs Pseudorandom sequence chosen at random Distinguisher: running time T I think that you gave me a pseudorandom sequence OR Truly random sequence of the same length If probability of successful guess < ½(1 + ε) the PRG is called (T, ε)-secure

seed (initial state) Typical PRG

Typical PRG seed (initial state) state 1

Typical PRG seed (initial state) state 1 output 1

Typical PRG seed (initial state) state 1 state 2 output 1

Typical PRG seed (initial state) state 1 state 2 output 1 output 2

Typical PRG seed (initial state) state 1 state 2 state i output 1 output 2 output i

Some PRGs used in practice function rand() included into the ANSI C Standard uses a 32-bit seed based on a linear feedback shift register non-cryptographic class SHA1PRNG included into an open source Java library uses 160-bit seed based on SHA-1 hash function seems to be secure

Some PRGs used in practice function rand() included into the ANSI C Standard uses a 32-bit seed based on a linear feedback shift register non-cryptographic class SHA1PRNG included into an open source Java library uses 160-bit seed based on SHA-1 hash function seems to be secure SHA-1 is not collision-resistant [Wang et al. 2005] does it affect security of the generator?

Some PRGs used in practice function rand() included into the ANSI C Standard uses a 32-bit seed based on a linear feedback shift register non-cryptographic class SHA1PRNG included into an open source Java library uses 160-bit seed based on SHA-1 hash function seems to be secure SHA-1 is not collision-resistant [Wang et al. 2005] does it affect security of the generator? What about provably secure PRGs? a PRG is called provably secure if breaking the PRG is as hard as solving a difficult (unsolvable?) problem

Provably secure PRGs (T, ε)-distinguisher for a PRG: {0, 1} n {0, 1} M (T', ε')-solver for a hard problem with security parameter n (e.g., DL problem in n-bit finite field) If T'/ε' T/ε, the reduction is called tight If T'/ε' àt/ε, the reduction is called not tight

Provably secure PRGs (T, ε)-distinguisher for a PRG: {0, 1} n {0, 1} M (T', ε')-solver for a hard problem with security parameter n (e.g., DL problem in n-bit finite field) If T'/ε' T/ε, the reduction is called tight If T'/ε' àt/ε, the reduction is called not tight Tighter reduction desired security level for smaller value of n

Blum-Micali PRG [1982] Let g be a generator of Z p * seed x R Z p *

Blum-Micali PRG [1982] Let g be a generator of Z p * seed x R Z p * x g x

Blum-Micali PRG [1982] Let g be a generator of Z p * seed x R Z p * x g x output [x < p/2]

Blum-Micali PRG [1982] Let g be a generator of Z p * seed x R Z p * x g x x g x output [x < p/2] output [x < p/2] Outputs only 1 bit per modular exponentiation

Blum-Micali PRG [1982] Let g be a generator of Z p * seed x R Z p * x g x x g x output [x < p/2] output [x < p/2] Outputs only 1 bit per modular exponentiation Security proof: (T, ε)-distinguisher implies a solver for DL problem with expected time T' = 128n 3 (M/ε) 4 T n = log 2 p M is total number of output bits

Blum-Micali PRG [1982] Let g be a generator of Z p * seed x R Z p * x g x x g x output [x < p/2] output [x < p/2] Outputs only 1 bit per modular exponentiation Security proof: (T, ε)-distinguisher implies a solver for DL problem with expected time T' = 128n 3 (M/ε) 4 T n = log 2 p M is total number of output bits 128n 3 (M/ε) 4 is a large factor, so the reduction is not tight

Blum-Micali PRG (continued) Thus, the Blum-Micali generator is (T, ε)-secure if 128 n 3 (M/ε) 4 T < T DL (Z p* ), where T DL (Z p* ) is estimated time to solve the DL problem in Z p *

Blum-Micali PRG (continued) Thus, the Blum-Micali generator is (T, ε)-secure if 128 n 3 (M/ε) 4 T < T DL (Z p* ), where T DL (Z p* ) is estimated time to solve the DL problem in Z p * For M = 2 20, T/ε = 2 80, BM PRG is (T, ε)-secure if n > 61000 High seed length implies poor efficiency the reason is that the reduction is not tight

Blum-Micali PRG (continued) Thus, the Blum-Micali generator is (T, ε)-secure if 128 n 3 (M/ε) 4 T < T DL (Z p* ), where T DL (Z p* ) is estimated time to solve the DL problem in Z p * For M = 2 20, T/ε = 2 80, BM PRG is (T, ε)-secure if n > 61000 High seed length implies poor efficiency the reason is that the reduction is not tight We propose a PRG with much tighter security reduction based on the DDH assumption (stronger than DL assumption) output n bits per iteration

Decisional Diffie-Hellman (DDH) problem G multiplicative group of prime order q g generator of G Algorithm A solves the DDH problem in G with advantage ε if and only if for a random triple (a, b, r) Pr(A(g, g a, g b, g ab ) = 1) Pr(A(g, g a, g b, g r ) = 1) ε We consider groups in which DDH is assumed to be as hard as DL

DDH generator (intuition) G multiplicative group of prime order q g generator of G x, y R G Let Double x,y (s) = (x s, y s ) [Naor, Reingold 1997] for unknown s R Z q the output is pseudorandom under the DDH assumption in G doubles the input Is Double a pseudorandom generator?

DDH generator (intuition) G multiplicative group of prime order q g generator of G x, y R G Let Double x,y (s) = (x s, y s ) [Naor, Reingold 1997] for unknown s R Z q the output is pseudorandom under the DDH assumption in G doubles the input Is Double a pseudorandom generator? No! It produces pseudorandom group elements rather than pseudorandom bits Converting group elements into bits is a non-trivial problem Double cannot be iterated to produce as much randomness as required by the application

DDH generator (construction) enum is a bijective function that enumerates the elements of the group enum: G Z l Z q Z l

DDH generator (construction) enum is a bijective function that enumerates the elements of the group enum: G Z l Z q Z l Public parameters x, y R G seed s R Z q, r x, r y R Z l

DDH generator (construction) enum is a bijective function that enumerates the elements of the group enum: G Z l Z q Z l Public parameters x, y R G seed s R Z q, r x, r y R Z l (s, r x ) enum(x s, r x )

DDH generator (construction) enum is a bijective function that enumerates the elements of the group enum: G Z l Z q Z l Public parameters x, y R G seed s R Z q, r x, r y R Z l (s, r x ) enum(x s, r x ) (z, r y ) enum(y s, r y ) output z

DDH generator (construction) enum is a bijective function that enumerates the elements of the group enum: G Z l Z q Z l Public parameters x, y R G seed s R Z q, r x, r y R Z l (s, r x ) enum(x s, r x ) (s, r x ) enum(x s, r x ) (z, r y ) enum(y s, r y ) output z (z, r y ) enum(y s, r y ) output z

Security of the DDH generator DDH generator produces pseudorandom integers from Z q if q º 2 n, it produces pseudorandom bits for an arbitrary q, convert random numbers into random bits (easy problem)

Security of the DDH generator DDH generator produces pseudorandom integers from Z q if q º 2 n, it produces pseudorandom bits for an arbitrary q, convert random numbers into random bits (easy problem) Security proof: reduction of (T, ε)-distinguisher to a solver for DDH problem in G with time T with advantage ε/k k is the number of output integers proof is based on the hybrid argument reduction is almost tight

First instance p is a safe prime, that is, p = 2q + 1, q is prime G = QR p, G = q Bijection from G to Z q (see, e.g., Cramer-Shoup 2003; Chevassut et al. 2005): x, if 1 x q; enum 1 ( x) = p x, if q+ 2 x< p; 0, otherwise. Public parameters x, y R G PRG seed s R Z q s enum 1 (x s 1 : ) outputenum 1 (y s ) s enum 1 (x s ) outputenum 1 (y s ) Extracts log 2 p bits per 2 modular exponentiation

First instance performance Let M = 2 20, T/ε = 2 80 Corresponds to solving DL problem in 1200-bit fields What seed length n guarantees security?

First instance performance Let M = 2 20, T/ε = 2 80 Corresponds to solving DL problem in 1200-bit fields What seed length n guarantees security? Recall that for Blum-Micali PRG n > 61000 Huge prime p, more than 50 times 1200

First instance performance Let M = 2 20, T/ε = 2 80 Corresponds to solving DL problem in 1200-bit fields What seed length n guarantees security? Recall that for Blum-Micali PRG n > 61000 Huge prime p, more than 50 times 1200 PRG 1 is (T, ε)-secure if n > 1600 Only 30% larger than standard 1200 bit modulus

First instance performance Let M = 2 20, T/ε = 2 80 Corresponds to solving DL problem in 1200-bit fields What seed length n guarantees security? Recall that for Blum-Micali PRG n > 61000 Huge prime p, more than 50 times 1200 PRG 1 is (T, ε)-secure if n > 1600 Only 30% larger than standard 1200 bit modulus The secure seed length is short because the reduction is (almost) tight PRG 1 is much more efficient than Blum-Micali PRG PRG 1 is based on a stronger assumption (the DDH assumption) Limitation: works only for specific subgroup of Z p *

Second instance p is a prime G is an arbitrary prime order subgroup of Z p*, G = q, (p 1) = ql t Z p* is an element of order l, that is, t l = 1 Bijection from G Z l to Z q Z l : enum 2 (x, r) = (x t r mod q, x t r div q) Public parameters x, y R G PRG 2 : seed s R Z q, r x, r y R Z l (s, r x ) enum 2 (x s, r x ) (s, r x ) enum 2 (x s, r x ) (z, r y ) enum 2 (y s, r y ) output z (z i, r y ) enum 2 (y s, r y ) output z

Related work Independently, Jiang [ACISP 2006] proposed another PRG, which is also provably secure under the DDH assumption g is a generator of QR p, where p = 2q + 1 is a safe prime, #QR p = q As before, x, if 1 x q; enum 1 ( x) = p x, if q+ 2 x< p; 0, otherwise. Jiang s generator: seed (A 0,A 1 ) R Z q Z q A 2 g enum 1(A0)enum1(A1) A 3 g enum 1(A1)enum1(A2) outputenum 1 (g enum 1(A2) ) outputenum 1 (g enum 1(A3) )

Jiang s generator versus ours The speed of the two generators is the same Our generator can be used with any prime order group such that the elements of the group can be efficiently enumerated Jiang s generator is designed for a specific subgroup of Z p * for safe primes p The seed of our generator is two times shorter than the seed of Jiang s generator For most of the applications, the length of the seed is a critical issue

Conclusion A new pseudorandom generator based on the decisional Diffie-Hellman assumption is proposed Two specific instances of the new PRG are presented subgroup of quadratic residues modulo safe prime arbitrary subgroup of Z p * Open problem: design a pseudorandom generator based on the DDH problem in an ordinary elliptic curve

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback