Crypto 2012

Introduction to Cryptography

Dr. Michael Luttenberger
Chair for Foundations of Software Reliability and Theoretical Computer Science
Technische Universität München

LaTeXed on Monday 28th January, 2013, 18:04


Introduction
Goal 1: “Locks” for “secure” communication over
a public channel
p.4 – What is cryptography?

[Figure: Alice sends the message “Alice: buy 100” to Bob over a public channel; Eve sits on the channel and Bob receives “Alice: buy 1 000”.]

“Cryptography is about communication in the presence of adversaries.” (R. L. Rivest [79])
p.5 – What is cryptography?


“We like to compare cryptography to locks [...]. The lock is just a small part of a much larger security system. The same goes for cryptography [...].” (Ferguson/Schneier [43])
p.6 – What is cryptography?


“There is nobody in the world who knows everything about cryptography. There isn’t even anybody who knows most of it.” (Ferguson/Schneier [43])
p.7 – What is cryptography?


• Single message m from Alice to Bob using a public channel.
m ∈ Σ⁺, usually Σ = {0, 1}.
. E.g.: m is the ASCII encoding of “Alice: buy 100 Swiss public bonds”
. We don’t (want to) care about the concrete encoding.
• Adversary Eve may eavesdrop, intercept, replace, forge, ... messages.
• Remark: We do not consider transmission errors in this lecture.
p.8 – What is cryptography?


• Central goals of cryptography for this lecture:
. Message privacy
. Message authenticity (and integrity)
. Identity authentication
. Non-repudiation
p.9 – What is cryptography?


• Message Privacy: (also: confidentiality/secrecy)


“A service used to keep the content of information from all
but those authorized to have it.” [67]
. “Eve should not be able to extract any relevant information from
intercepted messages.”
p.10 – What is cryptography?


• Message authenticity: (also: message origin authentication)


“A service related to identification. Messages should be
authenticated as to origin, date of origin, data content, time
sent, etc.” [67]
. “Bob should be able to verify that a message he believes to come
from Alice was indeed sent by her.”
p.11 – What is cryptography?


• Message integrity:
“A service which addresses the unauthorized alteration of
data like insertion, deletion, and substitution.” [67]
. “Bob should be able to check that the message has not changed on its
way from Alice to him.”
. Subsumed by message authenticity.
p.12 – What is cryptography?


• Identity authentication:
“Two parties entering into a communication should identify
each other.” [67]
. “Eve shouldn’t be able to trick Bob into believing she was Alice”
. Important when Alice and Bob have never met before.
p.13 – What is cryptography?


• Non-repudiation:
“A service which prevents an entity from denying previous
commitments or actions.” [67]
. “Bob should be able to convince other parties (e.g. a judge) that a
message by Alice was indeed sent by her.”
p.14 – Achieving message privacy and authenticity

• The “locks” used to achieve these goals:

                        symmetric setting                    asymmetric setting
  message privacy       private-key encryption scheme (ES)   public-key encryption scheme (PKES)
  message authenticity  message authentication code (MAC)    digital signature scheme (DSS)

• “Locks” are usually called cryptographic schemes.
• Symmetric setting: A secret key shared by Alice and Bob.
• Asymmetric setting: Each party holds its own secret key and
broadcasts a public key.
p.15 – Outline: Encryption schemes
• An encryption scheme (ES) consists of
. a key generator Gen:
Bob runs Gen to obtain ek and dk, and gives ek to Alice.
. an encryption algorithm Enc:
Alice uses ek to encrypt m into a ciphertext c :=ʳ Enc_ek(m).
“:=ʳ” denotes a randomized algorithm, i.e. several runs on the same
input will yield different outputs.
. a decryption algorithm Dec:
Bob uses his secret dk to decrypt the ciphertext: Dec_dk(c) = m.
• Basic assumption:
Eve does not know dk, which makes it “infeasible” for her to obtain
any relevant information on m from c.
p.16 – Examples: Encryption schemes

• Private/symmetric-key encryption: “ek = dk”
The secret ek = dk is exclusively known to Bob and Alice.
. Private-key encryption schemes we will study:
rCTR, rCBC, rOFB, OCB based on block ciphers like AES or DES.
• Public/asymmetric-key encryption: “ek ≠ dk”
The secret dk is exclusively known to Bob; ek is known to everyone.
. Public-key schemes we will study:
RSA-OAEP based on the RSA problem, El Gamal based on the
discrete logarithm.
p.17 – Outline: MAC/digital signature schemes
• A MAC resp. digital signature scheme consists of
. a key generator Gen:
Alice runs Gen to obtain keys sk and vk, and gives vk to Bob.
. a tag generator Mac resp. Sgn:
Alice uses sk to compute a message tag t :=ʳ Sgn_sk(m) and sends the
extended message m||t.
• Recall: :=ʳ randomized output; || concatenation of strings.
. a verification algorithm Vrf:
Bob uses vk to verify that t is valid for m (Vrf_vk(m, t) ≟ 1).
• Basic assumption:
Eve does not know sk, which makes it “infeasible” for her to construct
some valid t′ for some new message m′.
p.18 – Examples: MAC/digital signature schemes

• Message authentication code (MAC): “vk = sk”
The secret sk = vk is exclusively known to Alice and Bob.
. MACs we will study:
CBC-MAC based on block ciphers, NMAC/HMAC based on block
ciphers or hash functions.
• Digital signature scheme: “vk ≠ sk”
The secret sk is exclusively known to Alice; vk is known to everyone.
. Digital signature schemes we will study:
RSA-PSS based on the RSA problem, DSA/El Gamal based on the
discrete logarithm.
p.19 – Why use private-key schemes?
• Public-key encryption and signatures can seemingly do everything
that their private-key counterparts can do, and even more:
. Advantage: Exchanging the secret key is not necessary.
(But how to make sure that everyone gets the correct public key?)
. Advantage: The knowledge of the secret key identifies Alice (resp.
Bob), which makes identity authentication and non-repudiation possible.
(But what if someone steals this secret without Alice noticing it?)
. Advantage: Security of public-key schemes is usually based on well
researched, long-standing mathematical problems.
• Also studied by researchers not interested in cryptography.
• In contrast: most private-key schemes rely on block ciphers or hash
functions constructed to withstand all currently known attacks.
p.20 – Why use private-key schemes?

• Disadvantage: Speed

“By comparison, DES (see Section 3.2) and other block ciphers are
much faster than the RSA algorithm. DES is generally at least 100
times as fast in software and between 1,000 and 10,000 times as fast
in hardware, depending on the implementation.” (taken from RSA
labs. webpage)
. Hardware AES support (AES-NI) in most recent CPUs, see e.g. Wikipedia.
• Solution: Hybrid encryption, i.e. combine both.
• Use a public-key scheme for encrypting a secret “one-time” key.

• Use a private-key scheme for encrypting the secret message using the
“one-time” key.
Goal 2: Understanding the security of
cryptographic schemes
p.22 – Example: private-key ES

. Modern private-key ES (Gen, Enc, Dec) are built from block ciphers
• Definition: Block cipher B : Σ^n → Prm_{Σ,l}, k ↦ B_k
. Σ: alphabet; if not stated otherwise: Σ = {0, 1}
. n: key length
. l: block length
. Prm_{Σ,l}: set of all permutations of Σ^l
where B_k(w) and B_k^{-1}(w) can be computed “fast”.
. Examples:
AES-128/192/256: Σ = {0, 1}, n ∈ {128, 192, 256}, l = 128
DES: Σ = {0, 1}, n = 56, l = 64
p.23 – Example: Constructing an ES from AES-128?

• Choice of the key generator Gen?
. Often outputs a key k to be used directly in the block cipher, i.e.
k ∈ {0, 1}^128
. “Common” choices:
• Gen: outputs some
k ∈ {⌊password⌉, ⌊123456⌉, ⌊qwerty⌉, ⌊letmein⌉, ⌊654321⌉, ⌊abc123⌉}
where ⌊·⌉ is some encoding as a 128-bit string.
. Just look for password lists on the internet, e.g. stolen from some
forum.
• Gen: outputs a k ∈ {0, 1}^128 chosen uniformly at random (denoted by
“∈ᵘ”) using some true random source.
. Which would you use? (Which should you use?)


p.24 – Example: Constructing an ES from AES-128?
• Choice of Enc and Dec?
. Problem: AES takes only blocks of 128 bit of data.
. Assumption: m is already the encoding of the actual message.
. Solution: Pad m to a length divisible by l = 128.
Many possibilities:
• pad(m) = m||0^i
• pad(m) = m||10^i
• pad(m) = m||0^i||⌊|m|⌉_l (⌊|m|⌉_l: l-bit encoding of the length |m|)
• pad(m) = ⌊|m|⌉_l||m||0^i
(Choose i so that l divides |pad(m)|.)
. Which padding function would you use? (How can you reverse each
padding?)
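The four padding rules above, as an added example (this code is not from the lecture notes): each rule is implemented on bit strings, and for each one we try to write the inverse that the slide asks for. The block length l and the sample messages are chosen here for illustration only; the two length-based rules assume |m| < 2^l so that the length fits into one block.

```python
"""Added example (not from the lecture notes): the four padding rules of the
slide on bit strings ('0'/'1' characters), and the inverse of each where one
exists.  l is the block length; the length encodings use exactly l bits, so
|m| < 2^l is assumed for the two length-based rules."""
from itertools import product


def pad_zero(m: str, l: int) -> str:
    """pad(m) = m || 0^i, i chosen so that l divides |pad(m)|."""
    return m + "0" * ((-len(m)) % l)


def pad_one_zero(m: str, l: int) -> str:
    """pad(m) = m || 1 0^i.  Always appends at least the marker bit 1, so a
    message whose length is already a multiple of l grows by a whole block."""
    return m + "1" + "0" * ((-(len(m) + 1)) % l)


def pad_len_suffix(m: str, l: int) -> str:
    """pad(m) = m || 0^i || <|m|>_l: zero-fill, then the l-bit length."""
    return pad_zero(m, l) + format(len(m), f"0{l}b")


def pad_len_prefix(m: str, l: int) -> str:
    """pad(m) = <|m|>_l || m || 0^i."""
    return format(len(m), f"0{l}b") + pad_zero(m, l)


def unpad_one_zero(p: str) -> str:
    """Strip the trailing zeros and the single 1 that precedes them."""
    return p[: p.rindex("1")]


def unpad_len_suffix(p: str, l: int) -> str:
    return p[: int(p[-l:], 2)]


def unpad_len_prefix(p: str, l: int) -> str:
    n = int(p[:l], 2)
    return p[l : l + n]


def zero_padding_preimages(p: str) -> list:
    """All messages m with pad_zero(m, len(p)) == p.  More than one preimage
    means the receiver cannot tell where m ends: m || 0^i is not invertible."""
    l = len(p)
    return [p[:n] for n in range(l + 1) if pad_zero(p[:n], l) == p]


def all_roundtrips_ok(l: int) -> bool:
    """Exhaustively check, for every bit string of length 0 .. 2l, that the
    three invertible rules produce a multiple of l bits and round-trip."""
    for n in range(2 * l + 1):
        for bits in product("01", repeat=n):
            m = "".join(bits)
            padded = [pad_one_zero(m, l), pad_len_suffix(m, l), pad_len_prefix(m, l)]
            recovered = [unpad_one_zero(padded[0]),
                         unpad_len_suffix(padded[1], l),
                         unpad_len_prefix(padded[2], l)]
            if any(len(p) % l for p in padded) or any(r != m for r in recovered):
                return False
    return True
```

The exhaustive check is the honest answer to the slide's question: m||0^i has no inverse at all (a message ending in zeros is indistinguishable from its padding), while the other three are injective but pay for it, either with a possible extra block (m||10^i) or with a fixed length field.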
p.25 – Example: Constructing an ES from AES-128?

• Choice of Enc and Dec?
. Assume some padding pad(m) = m^(1)||...||m^(s) for now.
• Notation: m^(i) is a block of l = 128 bits
Many possibilities to process the blocks using the secret key k:
• Enc_k(m) := AES_k(m^(1))||...||AES_k(m^(s))
• Enc_k(m) := ρ||m^(1) ⊕ AES_k(ρ)||...||m^(s) ⊕ AES_k^s(ρ)
• Enc_k(m) := AES_k(ρ)||m^(1) ⊕ AES_k(ρ)||...||m^(s) ⊕ AES_k^s(ρ)
• Enc_k(m) := ρ^(1)||m^(1) ⊕ AES_k(ρ^(1))||...||ρ^(s)||m^(s) ⊕ AES_k(ρ^(s))
. where: ρ, ρ^(i) ∈ᵘ {0, 1}^l chosen independently, uniformly at random for
every m; AES_k^i means to apply AES_k i times; ⊕ denotes bitwise XOR.
. Which would you use? (Specify Dec in each case.)
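The four constructions above with their decryption routines, as an added example (not code from the lecture notes). AES is replaced by a toy 4-round Feistel cipher built from SHA-256 so that the code runs with the standard library alone; the toy cipher is a keyed permutation but not a secure block cipher, it merely stands in for AES_k. The block length of 4 bytes, the key and the messages are illustration choices. Besides Dec, the code shows the two things a practitioner should notice when comparing the constructions: the first one maps equal plaintext blocks to equal ciphertext blocks, and the third one hands Eve the first plaintext block without any key.

```python
"""Added example (not from the lecture notes): the four constructions of the
slide, instantiated with a toy block cipher instead of AES so the code runs
with the standard library only.  The toy cipher is a 4-round Feistel network
over 4-byte blocks whose round function is SHA-256: a keyed permutation, but
NOT a secure block cipher; it only stands in for AES_k so that Dec can be
specified and the constructions compared.  m must already be padded to a
non-empty multiple of the block length (see the padding slide)."""
import hashlib
import os

BLOCK = 4          # toy block length l in bytes (AES: 16)
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, r: int, half: bytes) -> bytes:
    """Feistel round function: keyed hash of one half, truncated."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[: BLOCK // 2]


def bc(key: bytes, w: bytes) -> bytes:
    """B_k(w): (L, R) -> (R, L xor F_r(R)) for r = 0 .. ROUNDS-1."""
    L, R = w[: BLOCK // 2], w[BLOCK // 2 :]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _f(key, r, R))
    return L + R


def bc_inv(key: bytes, w: bytes) -> bytes:
    """B_k^{-1}(w): undo the rounds in reverse order."""
    L, R = w[: BLOCK // 2], w[BLOCK // 2 :]
    for r in reversed(range(ROUNDS)):
        L, R = _xor(R, _f(key, r, L)), L
    return L + R


def blocks(data: bytes) -> list:
    assert data and len(data) % BLOCK == 0, "pad first"
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


# (1) Enc_k(m) = B_k(m1) || ... || B_k(ms)   ("ECB")
def enc_ecb(k: bytes, m: bytes) -> bytes:
    return b"".join(bc(k, mi) for mi in blocks(m))


def dec_ecb(k: bytes, c: bytes) -> bytes:
    return b"".join(bc_inv(k, ci) for ci in blocks(c))


def _stream(k: bytes, rho: bytes, s: int) -> list:
    """Keystream B_k(rho), B_k^2(rho), ..., B_k^s(rho)."""
    out, z = [], rho
    for _ in range(s):
        z = bc(k, z)
        out.append(z)
    return out


# (2) Enc_k(m) = rho || m1 xor B_k(rho) || ... || ms xor B_k^s(rho)   ("OFB")
def enc_ofb(k: bytes, m: bytes, rho: bytes = None) -> bytes:
    rho = os.urandom(BLOCK) if rho is None else rho
    ks = _stream(k, rho, len(m) // BLOCK)
    return rho + b"".join(_xor(mi, zi) for mi, zi in zip(blocks(m), ks))


def dec_ofb(k: bytes, c: bytes) -> bytes:
    rho, body = c[:BLOCK], c[BLOCK:]
    ks = _stream(k, rho, len(body) // BLOCK)
    return b"".join(_xor(ci, zi) for ci, zi in zip(blocks(body), ks))


# (3) like (2), but the first block sent is B_k(rho) instead of rho
def enc_ofb_leaky(k: bytes, m: bytes, rho: bytes = None) -> bytes:
    rho = os.urandom(BLOCK) if rho is None else rho
    ks = _stream(k, rho, len(m) // BLOCK)
    return ks[0] + b"".join(_xor(mi, zi) for mi, zi in zip(blocks(m), ks))


def dec_ofb_leaky(k: bytes, c: bytes) -> bytes:
    return dec_ofb(k, bc_inv(k, c[:BLOCK]) + c[BLOCK:])   # recover rho, then as in (2)


def eve_first_block(c: bytes) -> bytes:
    """No key needed: c0 = B_k(rho) is also the keystream block that masks m1,
    so c0 xor c1 = m1.  Construction (3) leaks the first plaintext block."""
    return _xor(c[:BLOCK], c[BLOCK : 2 * BLOCK])


# (4) Enc_k(m) = rho1 || m1 xor B_k(rho1) || ... || rhos || ms xor B_k(rhos)
def enc_fresh_iv(k: bytes, m: bytes) -> bytes:
    out = b""
    for mi in blocks(m):
        rho = os.urandom(BLOCK)                  # fresh, independent per block
        out += rho + _xor(mi, bc(k, rho))
    return out


def dec_fresh_iv(k: bytes, c: bytes) -> bytes:
    parts = blocks(c)
    return b"".join(_xor(parts[i + 1], bc(k, parts[i])) for i in range(0, len(parts), 2))
```

Construction (4) avoids both defects but doubles the ciphertext length and needs l random bits per block, which is the trade-off the next slide's questions Q1 and Q2 are about.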


p.26 – Example: private-key ES
• Possible questions:
Q1: Which construction should we choose?
. Possible criteria: time needed to en-/decrypt, the length of the
ciphertext, number of random bits needed, or the security of a scheme.
. Comparison w.r.t. time, length, and/or random bits is easy, but ...
Q2: How to compare the security of constructions?
. Q2.1: Does the security of a construction solely depend on AES?
If so, what kind of security guarantee do we require of AES, i.e. what
should AES do?
Can we swap AES for any other block cipher with the same security
guarantee?
. Q2.2: What kind of security do we need?
What resources and/or information does Eve have at her disposal, and what
are the theoretical limits on the attainable security then?
p.27 – Framework of provable security

• To answer these questions means to:


1 Fix a definition of security including an adversarial model:
. Adversarial model:
Defines precisely Eve’s capabilities and knowledge, i.e. how she may
interact with the “lock”, what (computational) power she has, etc.
. Definition of security:
What is the goal of Eve against which the lock should protect us?
p.28 – Framework of provable security

2 State the assumption based on which the lock is assumed to be
secure.
. Possibly void.
. But practical schemes are based on some unproven but widely believed
conjecture.
. E.g. “AES is a secure block cipher (pseudorandom permutation)”,
“Integer factorization is hard”
p.29 – Framework of provable security

3 Prove that the stated security indeed follows from the stated
assumption. (proof by reduction)
. Usually this means: Show that
if Eve (adversarial model) could break the lock (definition of security),
then Eve could use this attack to refute the assumption, e.g.
she could show that AES is not secure, resp.
she could turn her attack into an efficient factorization algorithm.
p.30 – Framework of provable security
4 Study the assumptions used for the cryptographic schemes.
. What assumptions do we need for a given definition of security?
. When is a block cipher or hash function secure?
. Derive standard assumptions, cryptographic primitives:
pseudorandom (bit) generator, pseudorandom functions/permutations
(secure block cipher), (trapdoor) one-way functions, ...
. Allows for separation of
the assumption that “AES is a secure block cipher” from
what we can achieve if we have some secure block cipher.
. How do these assumptions relate to each other? Does one imply the
other?
. E.g.: If integer factorization is hard, do secure block ciphers exist?
. Choose the scheme which requires the weaker assumption.
p.31 – Summary: What is this lecture about?
• The locks needed to achieve the main goals, and their construction:
Encryption schemes, Message authentication codes, Digital signature
schemes, ...
• The adversary a lock has to withstand, and when it is broken:
Key-recovery attacks, Chosen-plaintext attacks, Chosen-ciphertext
attacks, ...
• The cryptographic primitives needed for their construction:
One-way functions, pseudorandom generators, pseudorandom
functions/permutations, secure hash functions
• The existence of these primitives.
. Lecture is based on the lecture notes (online) by Bellare and
Goldwasser, resp. Rogaway, and Introduction to Modern
Cryptography (library)
p.32 – What is this lecture not about?

• Concrete attacks on some specific block cipher, protocol, ...
. In particular, side-channel attacks, i.e. attacks based on information
gained from the physical implementation like time or power consumed
by a computation, or acoustics.
For more information on side-channel attacks see the talk by Adi
Shamir.
• Detailed study of the construction of block ciphers.
• Please see the courses offered by the Chair of IT Security (Prof.
Eckert)
p.33 – Outline
• Provable security and perfect secrecy
• Computational secrecy and pseudorandom generators
• Computational security beyond eavesdropping and pseudorandom
functions/permutations
• DES and AES
• Algebra (and Rabin-Miller test)
• Pseudorandom generators from one-way functions
• Secure hash functions
• Public-key encryption schemes
• Digital signature schemes
• Elliptic curves
Principles of (modern) cryptography
p.35 – Kerckhoffs’s (main) principle

“The cipher method must not be required to be secret, and it
must be able to fall into the hands of the enemy without
inconvenience.”
• Short: “The enemy knows the system.” (Shannon’s maxim)
. Security should only depend on the secret key.
• Main motivations:
• Allows for standards (e.g. NIST standards DES, AES, SHA) and
validation of implementations (CAVP).
• People have more confidence in an (unbroken) open system.
• A short key is easier to keep secret/store/exchange/replace.


p.36 – “Sufficient key space” principle
“Any cryptography scheme must have a key space that is not
vulnerable to exhaustive search.”
• Key space K: set of all keys generated by the key generator Gen
. Testing all keys in K should be impracticable for at least the near
future.
• For simplicity: a modern quad-core CPU with 4 GHz can test per core
one key per cycle (independent of the actual ciphertext), i.e. 1.6 · 10^10
keys per second.
. Number of keys checked within a minute/day/week/month/year (approx.):
9.6 · 10^11, 1.4 · 10^15, 9.7 · 10^15, 4.1 · 10^16, 5.0 · 10^17.
. Checking a list with 10^6 stolen passwords is trivial.
. Testing all DES keys {0, 1}^56 takes 52 days (too small today).
. Testing all AES-128 keys {0, 1}^128 takes roughly 6.7 · 10^20 years.
. Estimated age of the universe: 13.75 ± 0.17 · 10^9 y (roughly 2^92 cycles
of our quad-core).
p.37 – Example: Mono-alphabetic substitution cipher
• Simple encryption scheme:
• Alphabet: Σ = {A, B, C, . . . , Z}
• Key space: K := Prm_{Σ,1}, i.e. all permutations of Σ.
• Encryption of a message m = m_1 m_2 . . . m_s ∈ Σ*:
Enc_π(m) = π(m_1)||π(m_2)|| . . . ||π(m_s)
for π ∈ K = Prm_{Σ,1}.
. Alternative view:
The key π is essentially the block cipher (of block length 1) used in
“ECB” mode.
• Decryption: obvious (apply π^{-1} letter by letter).
. Size of key space: 26! ≈ 2^88 (on “our” quad-core: 8 · 10^8 years).
. Should suffice for the near future (e.g. SuperMUC has 1.5 · 10^5 cores).
p.38 – Example: Mono-alphabetic substitution cipher
• But: The key can easily be found using frequency analysis:
. Let p_A(m) be the frequency of the letter A in the text m ∈ Σ*.
Then p_a(m) = p_{π(a)}(c) for all a ∈ Σ.
. For large texts (“|m| → ∞”), the frequency of a letter only depends on
the language, e.g. for US-English:
p^US_A ≈ 0.082, p^US_B ≈ 0.015, p^US_C ≈ 0.028, p^US_D ≈ 0.043, p^US_E ≈ 0.127.
. Consider only keys π′ which satisfy p^US_a ≈ p_{π′(a)}(c) for all a ∈ Σ.
. Drastically reduces the search space, i.e. the effective key space is much
smaller than 2^88.
(Attack already known in the 9th century; attributed to Al-Kindi.)
. Note: The “sufficient key space principle” is necessary, but not sufficient
for a secure scheme.
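The substitution cipher and the frequency-analysis attack of the two slides above, as an added example (not code from the lecture notes). The plaintext is a constructed sample, and the ranking ETAOIN... is the usual published ordering of English letters by frequency, standing in for the p^US table; the attack simply matches ciphertext letters to English letters by rank, which is the crude version of “consider only keys π′ with p^US_a ≈ p_{π′(a)}(c)”. The code also checks the identity p_a(m) = p_{π(a)}(c) exactly, which is what makes the attack work at all.

```python
"""Added example (not from the lecture notes): mono-alphabetic substitution
over Σ = {A, ..., Z} and the frequency-analysis attack of the slide.
The plaintext is a constructed sample; the English frequency ranking is the
usual published ordering (E, T, A, O, ...), used here as the p^US table."""
import random
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ENGLISH_BY_FREQ = "ETAOINSHRDLCUMWFGYPBVKJXQZ"   # most to least frequent

# constructed sample text (only letters of Σ survive normalise())
SAMPLE = ("THE ENEMY KNOWS THE SYSTEM. SECURITY SHOULD DEPEND ONLY ON THE SECRET "
          "KEY, NEVER ON THE SECRECY OF THE CIPHER METHOD. THE SAME LETTER IS "
          "ALWAYS REPLACED BY THE SAME LETTER, SO THE LETTER FREQUENCIES OF THE "
          "MESSAGE SURVIVE ENCRYPTION.")


def normalise(text: str) -> str:
    """Keep only letters of Σ: the scheme is defined on Σ*."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def gen(rng: random.Random) -> dict:
    """Gen: a uniformly random permutation π of Σ (|K| = 26!)."""
    images = list(ALPHABET)
    rng.shuffle(images)
    return dict(zip(ALPHABET, images))


def demo_key(seed: int) -> dict:
    """Reproducible key for experiments (seeded PRNG; a real Gen would use
    a true random source)."""
    return gen(random.Random(seed))


def enc(pi: dict, m: str) -> str:
    """Enc_π(m) = π(m_1) || ... || π(m_s): π as a block cipher of length 1 in ECB mode."""
    return "".join(pi[a] for a in m)


def dec(pi: dict, c: str) -> str:
    inv = {v: k for k, v in pi.items()}
    return "".join(inv[x] for x in c)


def freq(text: str) -> dict:
    """p_a(text) for every a ∈ Σ."""
    cnt = Counter(text)
    return {a: cnt[a] / len(text) for a in ALPHABET}


def frequency_attack(c: str) -> dict:
    """Guess the inverse key by rank matching: the most frequent ciphertext
    letter is assumed to be π(E), the next π(T), and so on.  Returns the
    guessed map ciphertext letter -> plaintext letter.  Ties are broken
    alphabetically, which is where short texts go wrong."""
    f = freq(c)
    by_rank = sorted(ALPHABET, key=lambda x: (-f[x], x))
    return dict(zip(by_rank, ENGLISH_BY_FREQ))


def correct_letters(pi: dict, guess_inv: dict) -> int:
    """How many of the 26 key entries the guess got right."""
    return sum(1 for a in ALPHABET if guess_inv[pi[a]] == a)
```

On a text this short only the most frequent letters are placed reliably; the remaining entries are then fixed by hand from digraphs and partially readable words, which is still a search over a tiny fraction of the 26! keys.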
p.39 – Example: Mono-alphabetic substitution cipher
• Ex: Consider the following slight adaption:
Enc_π(m) = ρ_1||π(ρ_1) ⊕ m_1|| . . . ||ρ_s||π(ρ_s) ⊕ m_s
where
• Each ρ_i is chosen uniformly at random from Σ = {A, B, C, . . . , Z}.
• Addition ⊕ on Σ is defined by means of the bijection Σ → Z_26 where
A ↦ 0, B ↦ 1, . . . , Z ↦ 25 and the addition modulo 26.
. Adapt the “frequency analysis” attack to this encryption scheme.
How does |Σ| influence the speed of your attack?
• The above construction works for any block cipher of block length l:
Replace π by B_k, break the message up into blocks of length l.
. Does your attack still work? How is it influenced by l?
. Is the above scheme insecure because of the used construction, the used
block cipher, or both?
p.40 – Provable security

• Goal:
We would like to assess the security (and efficiency) of a
cryptographic scheme.
(Its “effective key space”.)
Problem:
Most cryptographic schemes used today are based on conjectures, i.e.
unproven, but widely accepted assumptions.
. In general, we do not know how to prove unconditionally that a
cryptographic system is secure.
p.41 – Provable security: Outline

Partial solution: Principle of provable security.
1 Formalize a definition of security including an adversarial model:
The adversarial model defines exactly Eve’s capabilities and
knowledge.
The definition of security describes what we want to prevent Eve from
doing.
2 State the assumption (the cryptographic primitive that has to exist)
underlying the construction.
3 Prove that the constructed scheme satisfies the definition using only
the stated assumption. (proof by reduction)
p.42 – Provable security: Adversarial model
• Adversarial model: What Eve knows and what she is allowed to do.
. In particular, how she can interact with the cryptographic scheme
(type of attack), e.g.:
• Eavesdropping (passive listener): Eve can only copy the information
sent over the public channel.
• Chosen-plaintext attack (CPA) (subsumes eavesdropping): Eve can
further influence what is sent over the public channel.
• Chosen-ciphertext attack (CCA) (subsumes CPA): Eve may further ask
for decryptions of ciphertexts created by her.
• Side-channel attack (not discussed): Eve can measure the resources
consumed by the en-/decryption, e.g. on a smart card (time/energy).
. and her computational power, e.g.:
• Model of computation: deterministic (classical), probabilistic, quantum
• Bounds on the time or messages: none, asymptotic, concrete


p.43 – Provable security: Definition of security

• Definition of security: What Eve (as described by the adversarial
model) tries to do,
i.e. what the cryptographic scheme should prevent her from doing.
. Usually this means a bound on the probability that she succeeds.
• As Eve might simply be lucky and guess the secret key.
. But when is a definition of security “good”?
• You still have to decide if a definition of security is the right one for
your concrete setting/application.
. We will study the basic definitions of security used today:
perfect secrecy, IND-CPA, IND-CCA, secure MACs/DSS
p.44 – Provable security: Assumption
• Assumption: Everything we need to assume in order to prove that the
scheme satisfies the given definition of security.
. Usually computationally hard (“infeasible”) problems.
. Standard assumptions most schemes are based on: Cryptographic
primitives.
• Their existence has to be conjectured.
. An (unconditional) proof of their existence would also show: P ≠ NP.
. Allows us to separate the conjecture
“At this point of time DES/AES is a secure block cipher”
from the weaker conjecture
“There is some secure block cipher B”.
. Construct schemes based on the assumption that there is some secure
block cipher B; swap candidates (AES for DES) if necessary.
p.45 – Provable security: The Proof

• Proof of security: A formal proof that the constructed scheme satisfies
the stated definition of security using only the stated assumption.
• The proof reduces the security of the scheme to the assumption.
. Usually works by showing the contraposition:
If Eve could break the scheme as specified by the definition of security,
then she could also show that our assumption is false.
. More precisely, such a proof shows
how a successful attack on the scheme can be transformed into an efficient
algorithm for the problem assumed to be computationally
hard/infeasible.
. For instance: An efficient attack on the Rabin encryption scheme can
be used to efficiently factor integers.
p.46 – Provable security: Example (?)

• Definition of security: Building is insecure if Eve can enter it.
• Adversarial model: Eve weighs as much as a duck.
• Construction: Put a wall of fire around the building.
• Assumption/primitive: A wall of fire burning so hot that nobody made of
wood can pass.
• Proof of security: As Eve weighs as much as a duck, she has to float
on water. Hence, Eve has to be made out of wood. Conclusion: Eve
cannot pass the wall of fire.
p.47 – Provable security: Advantages

• What do we gain from this?
. Without specifying what we expect of a cryptographic scheme
(definition of security), it’s impossible to tell if the scheme does what
it is supposed to do in the first place.
. Studying the cryptographic primitives gives us a better understanding
of what cryptography can and cannot achieve.
. We can choose the construction which uses the weaker primitive.
. From two constructions based on the same primitive, we can choose
the one which is faster/attains the better security guarantee/etc.
. We can keep the construction and simply swap one conjectured
implementation of a primitive for another one.
E.g.: Transition from DES to AES.
p.48 – Perfect secrecy

• First example of provable security: Perfect secrecy.

. Intuitive definition: “Ciphertext should not contain any information”.


. C. Shannon: Communication Theory of Secrecy Systems (1949).
. Eavesdropping adversary using randomized computations without
time or space bounds.
. We will move from there to the setting where Eve is restricted to
efficient randomized computation.
. First: Randomized computation.
Randomized computation
p.50 – Randomized computation
• Most cryptographic schemes rely on randomization of some sort.
. For instance, for key generation (Gen) but also encryption.
. Randomized computation:
Algorithms having access to a function fair_coin.
• Assumption: fair_coin implements a fair coin toss; the result of every
function call is 0 with prob. 1/2, and 1 with prob. 1/2, independently of
any previous call. (Hardware random number generator)
. Randomized polynomial time computation:
Algorithm always stops in time polynomial in the input size no matter
the outputs of fair_coin.
• Important application: Primality tests (later)
Randomized polynomial-time algorithms (e.g. Miller-Rabin (1980),
Solovay-Strassen (1977)) are preferred to the deterministic polynomial-time
test (Agrawal, Kayal, Saxena) because of speed.
p.51 – Randomized computation: Prob. Turing Machines
• Deterministic Turing machine (TM) M = (Γ, Q, δ)
Γ: tape alphabet.
Q: control states with explicit halting state q_h and initial state q_0.
δ : Q × Γ → Q × Γ × {→, ←, ↓}: transition function
Initial configuration: (q_0, B)x where x ∈ {0, 1}*:
  B x1 x2 x3 x4 x5 ...   (head in state q_0 on the first cell)
E.g. for δ(q, 1) = (q′, 0, →):
  before:  B 0 1 [1] 0 1 ...   (state q, head on the bracketed cell)
  after:   B 0 1 0 [0] 1 ...   (state q′, head moved one cell to the right)
p.52 – Randomized computation: Prob. Turing Machines

• Computation of M on input x:
Apply δ repeatedly until q_h is reached, starting from the initial
configuration (q_0, B)x.
The output M(x) of M on input x is its tape content after halting.
M runs in time T(n) if it halts after at most T(|x|) steps for any input
x ∈ {0, 1}*.
• A function f : {0, 1}* → {0, 1}* is computable if there is an M which
calculates it, i.e. M(x) = f(x) for all x ∈ {0, 1}*.
• Up to a polynomial overhead equivalent to other models of sequential
(classical) computation like random access machines.
• Church-Turing thesis
p.53 – Randomized computation: Prob. Turing Machines

• Probabilistic Turing machine (PTM) M = (Γ, Q, δ0 , δ1 )

Γ, Q, initial configuration: as for deterministic TMs


δ0 , δ1 : transition functions Q × Γ → Q × Γ × {→, ←, ↓}.
• Run of a PTM M on input x:
Starting from (q0 , B)x, the PTM tosses in every step a fair coin and
then applies either δ0 or δ1 ; this is repeated until qh is reached.
• All coin tosses are assumed to be independent of each other.

• A TM is a PTM with δ0 = δ1 .

• A PTM runs in time T (n) if it halts after at most T (|x|) steps on any
input x ∈ {0, 1}∗ independently of the coin tosses.
p.54 – Randomized computation: External coin tosses
• Let M be a PTM (randomized algorithm) with time bound T(n).
. On input x, M will do at most T(|x|) internal coin tosses.
• Alternative view: Make the coin tosses external, i.e.
. Extend M by a second input (tape) u.
. Then replace the i-th coin toss by reading the i-th bit of u.
. For every run of M, first generate a random sequence u ∈ᵘ {0, 1}^T(|x|),
then run M(x, u).
. M(x, u) is a traditional deterministic TM.
. For every fixed x, M(x, ·) is a random variable defined w.r.t. the
uniform distribution on {0, 1}^T(|x|).
. Pr[M(x) = y] := Pr_{u ∈ᵘ {0,1}^T(|x|)}[M(x, u) = y]
denotes the prob. that M on input x outputs y.


p.55 – Randomized computation: Example

• Example: Generating large random odd integers.
. Input: Natural number n > 1.
. Output: A random odd number in [2^{n−1}, 2^n − 1].
. Algorithm M:
1 Set x_0 = 1, x_{n−1} = 1.
2 For i in 1 to n − 2: Set x_i = fair_coin().
3 Let x be the integer represented by the bit string x_0 x_1 . . . x_{n−1} with
the least-significant bit first (LSBF-rep).
• Ex: Determine the distribution of the output of M(n).
What is the prob. that the output number is a prime?
• Use that within [2^{n−1}, 2^n − 1] there are at least 2^{n−1}/n primes.
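The algorithm M of this slide in the “external coins” form of the previous slide, as an added example (not code from the lecture notes). Because M(n, u) is deterministic once the coin string u is fixed, the output distribution Pr[M(n) = y] = Pr_u[M(n, u) = y] can be computed exactly by enumerating all u ∈ {0,1}^{n−2}, which answers the exercise for small n without any sampling. The primality test is plain trial division, chosen only because the enumerated n is small; the use of secrets for the internal coin is an illustration choice.

```python
"""Added example (not from the lecture notes): the algorithm M of the slide,
written once with internal coin tosses and once in the "external coins" form
M(n, u) of the previous slide.  With the coins external, the output
distribution Pr[M(n) = y] = Pr_u[M(n, u) = y] can be computed exactly by
enumerating all u ∈ {0,1}^{n-2}, which is feasible for small n."""
from fractions import Fraction
from itertools import product
import secrets


def fair_coin() -> int:
    """Stand-in for the hardware coin: one bit from the OS entropy source."""
    return secrets.randbits(1)


def m_external(n: int, u: str) -> int:
    """Deterministic M(n, u): the i-th coin toss is the i-th bit of u.
    x_0 = 1 forces an odd number, x_{n-1} = 1 forces exactly n bits;
    x_0 x_1 ... x_{n-1} is read least-significant bit first."""
    assert n > 1 and len(u) == n - 2
    bits = [1] + [int(b) for b in u] + [1]
    return sum(b << i for i, b in enumerate(bits))


def m_internal(n: int) -> int:
    """The algorithm as on the slide: toss the coins while running."""
    u = "".join(str(fair_coin()) for _ in range(n - 2))
    return m_external(n, u)


def output_distribution(n: int) -> dict:
    """Exact Pr[M(n) = y] for every y, with u uniform over {0,1}^{n-2}."""
    dist = {}
    for bits in product("01", repeat=n - 2):
        y = m_external(n, "".join(bits))
        dist[y] = dist.get(y, 0) + Fraction(1, 2 ** (n - 2))
    return dist


def is_prime(y: int) -> bool:
    """Trial division; fine for the small n enumerated here (Miller-Rabin
    is the tool for the large n the slide has in mind)."""
    if y < 2:
        return False
    d = 2
    while d * d <= y:
        if y % d == 0:
            return False
        d += 1
    return True


def prime_probability(n: int) -> Fraction:
    """Pr[M(n) is prime], computed exactly from the output distribution."""
    return sum((p for y, p in output_distribution(n).items() if is_prime(y)), Fraction(0))
```

For n = 8 the distribution is uniform over the 64 odd numbers in [128, 255], of which 23 are prime, so Pr[M(8) is prime] = 23/64; the slide's lower bound of 2^{n−1}/n primes among the 2^{n−2} possible outputs gives 2/n = 1/4 here.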
p.56 – Computational model: Randomized computation
• A (P)TM M runs in polynomial time if its running time T(n) is
bounded by some polynomial p(n), i.e. T(n) ≤ p(n).
• P: all languages L s.t. there is a polynomial-time TM M with
x ∈ L ⇒ M(x) = 1 and x ∉ L ⇒ M(x) ≠ 1.
• NP: all languages L s.t. there is a polynomial-time PTM M with
x ∈ L ⇒ Pr[M(x) = 1] > 0 and x ∉ L ⇒ Pr[M(x) ≠ 1] = 1.
• BPP: all languages L s.t. there is a polynomial-time PTM M with
x ∈ L ⇒ Pr[M(x) = 1] > 2/3 and x ∉ L ⇒ Pr[M(x) ≠ 1] > 2/3.
• Computational power of poly-time PTMs:
Known: P ⊆ NP, P ⊆ BPP; conjectured: P ≠ NP, P = BPP.


Perfect secrecy
p.58 – Definition of the considered ES (Gen, Enc, Dec)

• Assumption: Gen, Enc, Dec are randomized algorithms with finite
running time, but not necessarily efficient.
• Gen outputs a random key k chosen from a finite key space K.
• W.l.o.g. we may always assume k ∈ᵘ {0, 1}^n for some (large) n. (Ex)
• Enc takes as input a key k ∈ K and a message m ∈ M,
• the message space M is assumed to be finite (but arbitrarily large),
and outputs a possibly random ciphertext c :=ʳ Enc_k(m).
• C := {Enc_k(m) | k ∈ K, m ∈ M} ciphertext space.
• Dec takes as input a ciphertext c ∈ C and a key k ∈ K, and outputs a
plaintext Dec_k(c) where Dec_k(Enc_k(m)) = m for all m ∈ M, k ∈ K.
• We assume that Dec is deterministic, i.e. not randomized.
p.59 – Perfect secrecy: Scenario
• Standard setup: Alice&Bob, Eve, public channel
• Alice&Bob:
• Have chosen an ES (Gen, Enc, Dec) (as on the previous slide).
• Share a secret key k generated by Gen.
• Exchange a single ciphertext c :=ʳ Enc_k(m).
• Eve: (Adversarial model)
• Does not know the secret key used by Alice and Bob.
• May only eavesdrop on c over the public channel.
• Knows (“the source code of”) the ES used by Alice&Bob.
• Attack of Eve is described by means of a randomized algorithm A.
. In essence: Eve “=” A.
. We assume A terminates, but no further restrictions.
p.60 – Perfect secrecy
• Informal definition of perfect secrecy:
1 Eve may choose two plaintexts m_0, m_1.
2 Alice secretly chooses m uniformly at random from {m_0, m_1} and
sends c :=ʳ Enc_k(m) to Bob, i.e. Alice&Bob simply give c to Eve.
3 Eve’s task is to correctly decide whether m = m_0 or m = m_1.
. Perfect secrecy requires that Eve cannot do better than simply
guessing, i.e.
she only guesses the correct plaintext with prob. 1/2, i.e.
the ciphertext does not contain any information on the plaintext.
• The way Eve chooses m_0, m_1 is assumed to be fixed for a given
attack on the ES.
. In the formal definition, Eve’s algorithm A therefore generates
m_0, m_1, too.
p.61 – Perfect secrecy: The “eavesdropping game”
• Definition: An ES (Gen, Enc, Dec) is perfectly secret if
there is no attack (i.e. randomized algorithm) A
which wins with prob. strictly greater than 1/2 in the following
“eavesdropping game”:
1 Eve runs A to obtain messages m_0, m_1 ∈ M, and gives these messages
to Alice&Bob.
2 In secrecy, Alice&Bob run Gen to obtain the key k, toss a fair coin to
obtain b ∈ᵘ {0, 1}, and compute c :=ʳ Enc_k(m_b).
Finally, they give c to Eve.
3 Eve continues the computation of A with the additional input c;
eventually A outputs a reply r ∈ {0, 1}.
. Eve wins if b = r.
. “Perfectly indistinguishable encryptions”: Encryptions of m_0 cannot
be distinguished from encryptions of m_1.
p.62 – Perfect secrecy: The “eavesdropping game”

• Ex: Show that
• Eve can always win with prob. exactly 1/2.
• Eve can win with probability strictly less than 1/2 iff she can win with
prob. strictly greater than 1/2.
• If (Gen, Enc, Dec) is perfectly secret, there is no randomized algorithm
which, on input a ciphertext c :=ʳ Enc_k(m), outputs the first bit of m
with prob. strictly greater than 1/2.
p.63 – Perfect secrecy: The “eavesdropping game”
• The game specifies how Eve may interact with Alice&Bob:
• Eve knows the ES and the game, and can accordingly choose her
algorithm (attack) A before the start of the game.
. As soon as the game starts, A (Eve’s behaviour) is fixed.
• The behaviour of A is completely determined by
(i) its own coin tosses and (ii) the input ciphertext c.
• Once (Gen, Enc, Dec) and A are fixed,
we can simulate the game in several ways, e.g.:
  (m_0, m_1) :=ʳ A();  k :=ʳ Gen();  b ∈ᵘ {0, 1};  c :=ʳ Enc_k(m_b);  r :=ʳ A(c)
  k :=ʳ Gen();  (m_0, m_1) :=ʳ A();  b ∈ᵘ {0, 1};  c :=ʳ Enc_k(m_b);  r :=ʳ A(c)
  b ∈ᵘ {0, 1};  k :=ʳ Gen();  (m_0, m_1) :=ʳ A();  c :=ʳ Enc_k(m_b);  r :=ʳ A(c)
. All programs give the same distribution of r, as
causally independent computations may be rearranged.
p.64 – Perfect secrecy: The “eavesdropping game”

• Remark: The underlying probability space


• The coin tosses made by the algorithms (Gen, Enc, A) and by Alice and
Bob (b) define a discrete probability space:
If T is the maximal run time of the complete game, we need at most T
random bits. Elementary events: {0, 1}T
. Define random variables:
B: Result of Alice and Bob’s coin toss
RA : Final reply by A.
. Then: (Gen, Enc, Dec) is perfectly secret iff
Pr[RA = B] = 1/2 for every randomized algorithm A.
p.65 – The one-time pad
• Fix some finite alphabet Σ identified with Z_|Σ|.
• Let ⊕, ⊖ be the addition/subtraction modulo |Σ|.
• Extended to Σ^l by a_1 . . . a_l ⊕ b_1 . . . b_l := (a_1 ⊕ b_1)|| . . . ||(a_l ⊕ b_l)
• Definition: (Σ, l)-one-time pad (OTP)
• M = C = K = Σ^l (“fixed-length encryption scheme”)
• Gen generates uniformly at random a key k = k_1 k_2 . . . k_l ∈ᵘ Σ^l
(See Venona project.)
• Enc_k(m) := m ⊕ k.
• Dec_k(c) := c ⊖ k.
• Theorem: The one-time pad is perfectly secret.
(Requires only a random bit generator/fair coins.)
• Ex: Let (G, ∘, 1) be a group. Define a one-time pad with Σ = G, and
show that your “(G, l)-one-time pad” is perfectly secret.
p.66 – Proof: OTP is perfectly secret
• Fix any (admissible) attack A.
• Define the following random variables according to the eavesdropping
game:
• M0 , M1 : Plaintexts output by A in the first step.
• B: Result of Alice&Bob’s coin toss with Pr[B = 0] = Pr[B = 1] = 1/2.
• K: Key generated by Gen (K := Gen).
• C: Ciphertext given to Eve, i.e. C := EncK (MB ) = K ⊕ MB .
• RA : Final output by A in the third step, i.e.
RA := A(C) = A(K ⊕ MB ).
• Note by definition of the algorithms used in the game:
• B is independent of M0 , M1 , K (but it influences C and thus RA ).
• K is independent of M0 , M1 , B (but again it influences C and RA ).

p.67 – Proof: OTP is perfectly secret
• We first show that for the OTP:
Pr[C = c, B = b] = Pr[C = c] · Pr[B = b] for all c ∈ Σ^l , b ∈ {0, 1}.
. I.e. the ciphertext C is independent of the coin toss B.
. Ex: Show for fixed m, c ∈ Σ^l , but random key K:
Pr[EncK (m) = c] = 1/|Σ|^l .
. The informal argument is now that no matter what values M0 , M1
and B take, the probability that K is exactly c ⊖ MB is always 1/|Σ|^l .
p.68 – Proof: OTP is perfectly secret
. Formally, use the formula of total probability for all possible values of
M0 , M1 and that the choice of K is independent of M0 , M1 , B:
\[
\begin{aligned}
\Pr[C = c, B = b]
&= \sum_{m_0, m_1} \Pr[M_B \oplus K = c,\; M_0 = m_0,\; M_1 = m_1,\; B = b] \\
&= \sum_{m_0, m_1} \Pr[K = c \ominus m_b,\; M_0 = m_0,\; M_1 = m_1,\; B = b] \\
&= \sum_{m_0, m_1} \Pr[K = c \ominus m_b] \cdot \Pr[M_0 = m_0,\; M_1 = m_1,\; B = b] \\
&= \frac{1}{|\Sigma|^l} \cdot \sum_{m_0, m_1} \Pr[M_0 = m_0,\; M_1 = m_1,\; B = b] \\
&= \frac{1}{|\Sigma|^l} \cdot \Pr[B = b]
\end{aligned}
\]
(where m0 , m1 ∈ Σ^l )
. Ex: Show that Pr[C = c] = 1/|Σ|^l .
p.69 – Proof: OTP is perfectly secret
• We now show that the considered A can only win with prob. exactly
1/2, i.e. we show that Pr[RA = B] = 1/2.
. First proof in the style of provable security:

  Left:                 Middle:               Right:
  (m0, m1) :=r A()      (m0, m1) :=r A()      (m0, m1) :=r A()
  k :=r Gen()           k :=r Gen()           k :=r Gen()
  b ∈u {0, 1}           b ∈u {0, 1}           b ∈u {0, 1}
  c :=r Enck(mb)        c ∈u Σ^l              c ∈u Σ^l
  r :=r A(c)            r :=r A(c)            r :=r A(c)

. Left: The original eavesdropping game.
. Middle: Use Pr[C = c | B = b] = Pr[C = c] = 1/|Σ|^l .
. Right: Get rid of k and m0 , m1 , not relevant for r =? b.
p.70 – Proof: OTP is perfectly secret
. What we have just done is:
. We have constructed from an attack A for the game,
. an algorithm P for predicting the coin toss result b:
  P:
    c ∈u Σ^l
    r :=r A(c)
    return r
. Let TA be the running time of A and
pA the prob. that A wins the eavesdropping game.
. Then P runs in time TP = TA + l and
predicts b with prob. pP = pA .
. As P is independent of b ∈u {0, 1}: pP = 1/2.
p.71 – Proof: OTP is perfectly secret
• For comparison an alternative “conventional” proof:
. Use the formula of total probability for all values of B and C:
\[
\begin{aligned}
\Pr[R_A = B]
&= \sum_{b, c} \Pr[R_A = B,\; B = b,\; C = c] \\
&= \sum_{b, c} \Pr[A(C) = B,\; B = b,\; C = c] \\
&= \sum_{b, c} \Pr[A(c) = b,\; B = b,\; C = c]
\end{aligned}
\]
. What is Pr[A(c) = b, C = c, B = b]?
(That is, what is the probability that for fixed concrete values b, c, the
attack A on input c outputs b, and Alice&Bob get in their coin toss
b, and the resulting ciphertext is c.)
p.72 – Proof: OTP is perfectly secret
. Recall that A is a randomized algorithm.
. For a fixed ciphertext c, the computation A(c) only depends on the
internal coin tosses made by A.
. By definition of randomized computation, these coin tosses are
independent of all other coin tosses made by the other algorithms.
. Thus, the event that A(c) outputs the concrete value b is
independent of the event that “C = c and B = b”:
Pr[A(c) = b, B = b, C = c] = Pr[A(c) = b] · Pr[B = b, C = c].
. As we have already seen that C is independent of B:
\[
\begin{aligned}
\Pr[R_A = B]
&= \sum_{b, c} \Pr[A(c) = b] \cdot \Pr[C = c] \cdot \Pr[B = b] \\
&= \frac{1}{2} \sum_{c} \Pr[C = c] \,\bigl(\Pr[A(c) = 0] + \Pr[A(c) = 1]\bigr) \\
&= 1/2 .
\end{aligned}
\]
p.73 – Remarks: Original definition by Shannon

• Shannon gave several (equivalent) characterizations of perfect secrecy.

. For instance:
(Gen, Enc, Dec) is perfectly secret if
Pr[EncK (m0 ) = c] = Pr[EncK (m1 ) = c] for all m0 , m1 ∈ M, c ∈ C.
• Ex: Show that our definition of perfect secrecy is equivalent to the
above one.
• Property is sufficient: Have a look at the proof for the OTP.

• Property is necessary: Give an attack otherwise.


p.74 – Remarks: Key length
• The OTP is impractical for most applications, as the key is just as
long as the message.
. In order to encrypt 4GB of data Alice&Bob first have to meet and
secretly exchange a key of size 4GB.
. In fact, any perfectly secret ES has this disadvantage:
Lemma: An ES with |K| < |M| cannot be perfectly secret.
Proof: Ex.
• For any c, consider all possible decryptions Dc = {Deck (c) | k ∈ K}.
• Argue that |Dc | ≤ |K| and use the alternative definition of perfect
secrecy.
. For “computationally secret” ES with |K| ≪ |M|, we will need to
restrict the computational power of Eve.
• E.g. she should not be able to compute Dc .
p.75 – Remarks: Multiple encryptions using the same key
• Definition: “Perfect secrecy w.r.t. q encryptions”
An ES (Gen, Enc, Dec) is perfectly secret under q encryptions if
there is no randomized algorithm A which wins with prob. strictly
greater than 1/2 in the following game:
1 Eve runs A to obtain message sequences
m⃗0 = (m0^(1) , . . . , m0^(q) ), m⃗1 = (m1^(1) , . . . , m1^(q) ),
and gives these messages to Alice&Bob (mi^(j) ∈ M).
2 In secrecy, Alice&Bob run Gen to obtain the key k, toss a fair coin to
obtain b ∈u {0, 1}, and consecutively compute c^(1) = Enck (mb^(1) ) to
c^(q) = Enck (mb^(q) ).
Finally, they give c⃗ = (c^(1) , . . . , c^(q) ) to Eve.
3 Eve continues the computation of A with the additional input c⃗;
eventually A outputs a reply r ∈ {0, 1}.
. Eve wins if b = r.
p.76 – Remarks: Multiple encryptions using the same key

• Remark: Frequency analysis for the one-time pad and q = 2:
c1 ⊖ c2 = (m1 ⊕ k) ⊖ (m2 ⊕ k) = m1 ⊖ m2 .
Statistics on the frequency of a ⊖ b for a, b ∈ Σ can also be used to
recover m1 , m2 .
• Ex:

. Show that the one-time pad is not perfectly secret under q = 2


encryptions: Find an A which recovers k with prob. 1.
. Propose a q-time pad which is perfectly secret under q encryptions.
Does your scheme remember some “state” between two
en/decryptions?
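The (Σ, l)-one-time pad of p.65 with its ⊕/⊖ arithmetic modulo |Σ|, as an added Python example that is not part of the original slides. It enumerates every key to check Shannon's characterization from p.73 (every plaintext induces the same, uniform ciphertext distribution, which is the fact used in the proof on p.67/68), evaluates the eavesdropping game exactly for a constructed deterministic attack, and shows the key-reuse identity c1 ⊖ c2 = m1 ⊖ m2 from p.76. The attack, the alphabet size q = 4 and the length l = 3 are constructed for the example; all function names are the example's own.

```python
import itertools
from fractions import Fraction

# (Sigma, l)-one-time pad over Sigma identified with Z_q, q = |Sigma| (p.65).
# Messages, keys and ciphertexts are tuples of l symbols in range(q).

def add(a, b, q):
    """Symbol-wise addition modulo q (the page's ⊕ extended to Sigma^l)."""
    return tuple((x + y) % q for x, y in zip(a, b))

def sub(a, b, q):
    """Symbol-wise subtraction modulo q (the page's ⊖)."""
    return tuple((x - y) % q for x, y in zip(a, b))

def otp_enc(k, m, q):
    return add(m, k, q)

def otp_dec(k, c, q):
    return sub(c, k, q)

def all_words(q, l):
    return list(itertools.product(range(q), repeat=l))

def ciphertext_distribution(m, q, l):
    """Pr[Enc_K(m) = c] for every c, K uniform over Sigma^l (exhaustive over keys)."""
    keys = all_words(q, l)
    dist = {}
    for k in keys:
        c = otp_enc(k, m, q)
        dist[c] = dist.get(c, Fraction(0)) + Fraction(1, len(keys))
    return dist

def shannon_condition_holds(q, l):
    """Shannon's characterization (p.73): Pr[Enc_K(m0) = c] = Pr[Enc_K(m1) = c]
    for all m0, m1, c. For the OTP every distribution is moreover uniform."""
    words = all_words(q, l)
    reference = ciphertext_distribution(words[0], q, l)
    uniform = Fraction(1, q ** l)
    if len(reference) != q ** l or any(p != uniform for p in reference.values()):
        return False
    return all(ciphertext_distribution(m, q, l) == reference for m in words[1:])

def eavesdrop_win_probability(attack_choice, attack_reply, q, l):
    """Exact Pr[R_A = B] in the eavesdropping game (p.63) for a deterministic
    attack, enumerating the uniform key K and the fair coin B."""
    m0, m1 = attack_choice()
    keys = all_words(q, l)
    wins = Fraction(0)
    for b, m in ((0, m0), (1, m1)):
        for k in keys:
            if attack_reply(otp_enc(k, m, q), m0, m1) == b:
                wins += Fraction(1, 2 * len(keys))
    return wins

# Constructed sample attack: guess b from whether the first ciphertext symbol
# equals the first symbol of m0 (it cannot do better than 1/2, see p.69).
def sample_choice():
    return (0, 0, 0), (1, 2, 3)

def sample_reply(c, m0, m1):
    return 0 if c[0] == m0[0] else 1

def two_time_pad_leak(k, m1, m2, q):
    """Key reuse (p.76): c1 ⊖ c2 = m1 ⊖ m2, the key cancels out."""
    c1, c2 = otp_enc(k, m1, q), otp_enc(k, m2, q)
    return sub(c1, c2, q)

if __name__ == "__main__":
    q, l = 4, 3
    print("Shannon condition:", shannon_condition_holds(q, l))
    print("win probability  :", eavesdrop_win_probability(sample_choice, sample_reply, q, l))
    print("c1 - c2          :", two_time_pad_leak((3, 1, 2), (0, 1, 2), (2, 2, 2), q))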
p.77 – Remark: Oracle view of perfect secrecy
• Alternative presentation used in literature uses oracles.
• Oracle “=” black-box auxiliary function which can answer certain
questions in a single computation step.
• Black box: We can only send queries to it and read its answer.
• We cannot break the black box open and look inside.

• “P + SAT-oracle = NP”

• Definition: oracle access

Let f : {0, 1}^∗ → {0, 1}^∗ be some function.
Then M^f denotes a Turing machine M with oracle access to f :
• M may write a query x to the special oracle tape, then ask the
oracle for the value f (x).
• The oracle is assumed to answer within a single computation step by
writing f (x) to the oracle tape.
p.78 – Remark: Oracle view of perfect secrecy
• Oracle view of the “eavesdropping game”
1 Alice and Bob set up two oracles (black boxes) O0 and O1 ,
• Behaviour of oracle Oi :
. Initialization: Run Gen and store the obtained key k.
. Query: On input m0 , m1 ∈ M, return Enck (mi ).
flip a fair coin b ∈u {0, 1}, and give Ob to Eve in a black box O.
2 Eve now runs A^O to obtain the reply r.
• Restriction: A^O must not query O more than once.
. Eve wins if A^O correctly identifies the oracle, i.e. r = b.
. Ex: The ES (Gen, Enc, Dec) is perfectly secret iff
|Pr[R_{A^{O1}} = 1] − Pr[R_{A^{O0}} = 1]| = 0,
where the left-hand side is called the “advantage of A”.
p.79 – Detour: Hardware random number generators
• Sources of randomness:

. Physical processes which are by their mathematical model random like


quantum phenomena:
Photons travelling through a semi-transparent mirror, nuclear decay,
shot noise
. Other physical sources used:
Thermal noise, clock drift
. Other sources conjectured to yield randomness:
Interrupts by keyboard or hard disk
. Some free randomness sources:
QRNG (Photons), Hotbits (Decay), random.org (Noise)
• Problem: These sources usually are biased, and the bias varies with
time in general.
p.80 – Detour: Hardware random number generators
• In order to obtain random bit streams adequate for cryptography the
bias has to be removed.
• These algorithms are called randomness extractors.
. Example: “von Neumann extractor”
Assume a biased coin with constant bias Pr[C = 1] = p > Pr[C = 0]
and let b1 b2 b3 . . . be a sequence of results by independent coin tosses.
For i ≥ 0 take b2i b2i+1 and define b'i := 0 if b2i b2i+1 = 01; b'i := 1 if
b2i b2i+1 = 10; and b'i := ε otherwise, e.g.:
01||00||10||00||11 ↦ 0||ε||1||ε||ε = 01
. Ex: Show that in the resulting sequence bits are uniformly distributed.
• In practice, hash functions are used as randomness extractors, too.
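The von Neumann extractor from this slide as an added Python example (not from the original slides): it processes the input in non-overlapping pairs exactly as described, and a constructed biased source (seeded, so a run is reproducible) lets one check empirically that the output's frequency of 1s moves to 1/2 while the input's stays at the bias p. The function names and the sample source are the example's own.

```python
import random

def von_neumann_extract(bits):
    """Von Neumann extractor: read the input in non-overlapping pairs;
    01 -> 0, 10 -> 1, the pairs 00 and 11 are discarded. With independent
    tosses of constant bias p, both kept pairs have probability p(1-p), so
    the output bits are unbiased (a trailing unpaired bit is ignored)."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        pair = bits[i:i + 2]
        if pair == "01":
            out.append("0")
        elif pair == "10":
            out.append("1")
    return "".join(out)

def biased_stream(p_one, length, seed):
    """Constructed sample source: independent coin tosses with Pr[C = 1] = p_one."""
    rng = random.Random(seed)
    return "".join("1" if rng.random() < p_one else "0" for _ in range(length))

def fraction_of_ones(bits):
    """Empirical Pr[bit = 1] of a bit string (None for the empty string)."""
    return bits.count("1") / len(bits) if bits else None

def expected_yield(p_one):
    """Expected fraction of input pairs that produce an output bit:
    Pr[01] + Pr[10] = 2 p (1 - p); this is the price of removing the bias."""
    return 2 * p_one * (1 - p_one)

if __name__ == "__main__":
    print(von_neumann_extract("0100100011"))          # the slide's example
    src = biased_stream(0.8, 200_000, seed=1)
    out = von_neumann_extract(src)
    print("input bias :", fraction_of_ones(src))
    print("output bias:", fraction_of_ones(out))
    print("yield      :", len(out) / (len(src) // 2), "expected", expected_yield(0.8))
```

The yield 2p(1−p) is at most 1/2 (for p = 1/2) and drops quickly for strongly biased sources, which is one reason hash-based extractors are preferred in practice, as the last bullet of the slide notes.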
Private-key encryption in the presence of an
efficient eavesdropper

Indistinguishable encryptions
p.82 – Recap: Perfect secrecy
• Recap perfect secrecy:
• ES is perfectly secret iff Eve can win the “eavesdropping game” only
with prob. 1/2.
• Eve was given a single ciphertext c.
• Eve’s attack was a randomized algorithm without time or space bounds
(she had to terminate though).
. |K| ≥ |M| is necessary.
• For a practical ES we want keys much shorter than the actual
messages: |K| ≪ |M|
(≪: much less than)
. Need to consider a less powerful Eve.
p.83 – Recap: Perfect secrecy
Necessary restrictions when |K| ≪ |M|:
1 Eve should not be able to compute Dc = {Deck (c) | k ∈ K}.
. This allows Eve to rule out the majority of plaintexts as
|Dc | ≤ |K| ≪ |M|.
. Need to restrict the time of her attack A to significantly less than |K|.
2 We need to relax our requirement that Eve can only win with prob. 1/2:
. She can always guess k ∈u K which gives her a non-zero advantage
(compared to simply guessing) in the game.
(The advantage depends on the ratio |K| / |M|.)
p.84 – Outline of computational secrecy

1 Make the adversarial model for the eavesdropping game less general:
• Restrict Eve (and Alice&Bob) to efficient randomized computation, and
• only require that Eve can win only negligibly better than 1/2.
• The running time and the notion of what is negligible will depend on the
security parameter (the key length) n.
2 Adapt the one-time pad in order to obtain a computationally secret
encryption scheme with |K| ≪ |M|:
• Based on the conjecture that pseudorandom generators (PRGs) exist.
“PRG G stretches a short random key k to a long binary string G(k)
which still looks almost random to Eve under above restrictions”
Theorem: computational secrecy (|K| < |M|) iff PRGs exist (later).
p.85 – Efficient computation: Asymp. vs. concrete bounds
• In complexity theory, the usual way to measure the efficiency of an
algorithm is an asymptotic bound on its running time T (·) w.r.t. the
input length |x|.
• Often, a problem is said to be efficiently solvable if we know some
polynomial-time algorithm to solve it.
. That is, there exists a TM M which solves the problem and whose
running time is bounded by a polynomial w.r.t. the input length.
• E.g. Sorting an array (a1 , . . . , as ) with ai ∈ [0, 2^n − 1].
Input length: O(s · n).
Running time using merge sort: O(n · s · log s).
. P: Class of all decision problems solvable in polynomial time.
• For cryptography one of two (slightly) different ways is used to
measure the efficiency of an attack resp. measure the quality of a
construction underlying a cryptographic scheme.
p.86 – Efficient computation: Concrete bounds
• Consider a block cipher B : Σ^n → Prm_{Σ,l} :
• E.g. DES with n = 56 and l = 64.
. Measuring the efficiency of an attack on a block cipher in an
asymptotic sense w.r.t. the key or block length does not make sense
(as n, l are fixed for DES).
. Need to give concrete numbers for the resources used by an attack,
and its advantage:
• t: number of computation steps.
• q: number of “queries” (plain-/ciphertexts/interaction with B).
• ε: how much better the attack does than simple guessing.
. E.g. a brute force attack on DES with t = 2^56 and q = 4 eavesdropped
ciphertexts (all encrypted using the same key) will find the correct key
k with prob. approx. 1, i.e. it has an advantage of 1 − 2^{−56} .
p.87 – Efficient computation: Concrete bounds
• Same approach can be used for cryptographic schemes:
Proof of the security of a scheme relates resources used by an attack
on the scheme to those used by a derived attack on the primitive:
. Example: Randomized counter mode (rCTR) (later)
Enck (m) = ρ||m^(1) ⊕ Bk (ρ ⊕ ⌊1⌉)|| . . . ||m^(s) ⊕ Bk (ρ ⊕ ⌊s⌉)
with ρ ∈u {0, 1}^l and B a block cipher of block length l.
. Proof of security shows:
A (t, q, ε)-attack on this ES yields a (t', q', ε')-attack on B
where ε ≤ ε' + q^2/2^n and t' = t + 2lq and q' = q.
. Thus: If the best currently known attack on B is (2^40, 2^36, 2^{−56}),
then B-rCTR is (2^40 + 4l, 2^36, 2^{−56} + 2^{−n+2})-secure.
. Example: Proof that OTP is perfectly secret.
p.88 – Efficient computation: Concrete bounds

• Advantage: Allows to assess and compare the quality of cryptographic


schemes:
. Pick the construction which achieves the best security guarantee
based on AES-128.
• But: Perhaps there is another proof of security which yields a better
(t, q, ε)-bound for the scheme?
• But: When is a (t, q, ε)-bound a meaningful statement?
• Need to fix a concrete machine model to decide if the attack is realistic
or can be considered infeasible.
. Enumerating all 2^56 DES keys was infeasible in the 1970s, but is
realistic today.
• Need to decide when we consider ε negligible.
p.89 – Efficient computation: Asymptotic bounds
• Asymptotic notion of efficient computation relative to some security
parameter n (see e.g. [56])
• Often, n is simply the key length.

• Emphasizes the intuition that a “good” construction should allow to


make all (known) attacks impractical by increasing n.
• More convenient to state results (hides (t, q, ε) in asymptotics).

• No need to a fix a machine model or threshold value.

• Well suited to study the relation between cryptographic primitives.

• But: Does not fit block ciphers like AES-128.


• But: A scheme which can be proven to be secure asymptotically, may
be practically insecure.
. To resolve both problems, need to resolve asymptotics and derive
concrete bounds.
p.90 – Efficient computation: Asymp. vs. concrete bounds

• We will use most of the time asymptotic definitions and bounds.

. Less notation, more convenient.


. Essentially, proofs and ideas are the same in both settings.
• If you want to see concrete bounds:

You can see them in some of the proofs here.


For even more: Lecture notes by Bellare and Rogaway.
p.91 – Efficient computation: Asymptotic notion
• Assumption: Alice, Bob, Eve (A) run in probabilistic polynomial
time (PPT)
. Notation: DPT for deterministic polynomial time.
• Cryptographic schemes and algorithms used by Eve are e.g. PTMs or
probabilistic RAMs with polynomial run time bounds w.r.t. their inputs.
• Eve’s attack A gets as (initial) input the security parameter in unary
1n so that it may run in time bounded by some polynomial in n.
. A PPT-attack A can asymptotically only
generate messages of polynomial length w.r.t. n;
interact with (“query”) Alice&Bob at most a polynomial number of times w.r.t. n
(e.g. eavesdrop a polynomial number of ciphertexts).

. Alternative to “PPT-Eve”: nonuniform polynomial time


(P/poly, circuit complexity)
p.92 – Negligible probability
• Recall that for |K| < |M|, Eve’s probability of guessing the original
plaintext improves from |M|^{−1} to ≥ |K|^{−1} .
. In our example: from 2^{−2n} to 2^{−n} .
. I.e. Eve has an advantage of 2^{−n} − 2^{−2n} to guess the plaintext.
• Therefore, allow Eve to have a negligible “advantage” ε
compared to the “perfect” setting.
. When is a probability negligible?
. E.g. for side-effects of pharmaceuticals:
• very rare: < 10^{−4}
• rare: < 10^{−3}
• on occasion: < 10^{−2}
• often: < 10^{−1}
• very often: > 10^{−1}


p.93 – Negligible probability
• Asymptotic notion: Probability decreases “quickly” when increasing
security parameter (key length) n.
. Let the user choose n depending on his definition of negligible.
• Definition: ε(n) is negligible if
for every c ∈ N there is an N ∈ N s.t. ∀n ≥ N : ε(n) < n^{−c} .
• Some examples: 2^{−n} , 2^{−√n} , 2^{−(log n)^2} .
• Motivation:

As Eve is restricted to PPT, she may do a polynomial q(n) number of


experiments, all succeeding with negligible probability ε(n).
. Ex: The prob. that at least one of these experiments succeeds is then
still negligible.
• Ex: Show that for ε1 (n), ε2 (n) negligible and p(n) a polynomial, the
following functions are also negligible: ε1 (n) + ε2 (n), p(n) · ε1 (n).
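Worked derivation, added here and not part of the original slides, of the claim that polynomially many experiments with negligible success probability still succeed only with negligible probability (the two Ex above); it uses only the union bound and the definition of negligible from p.93.

```latex
\text{Let } S_i \text{ be the event that the } i\text{-th experiment succeeds, so } \Pr[S_i] \le \varepsilon(n). \\
\Pr\Bigl[\,\bigcup_{i=1}^{q(n)} S_i\Bigr] \;\le\; \sum_{i=1}^{q(n)} \Pr[S_i] \;\le\; q(n)\,\varepsilon(n) \qquad\text{(union bound)}
```

Fix c ∈ N. As q is a polynomial, there are d, N0 ∈ N with q(n) ≤ n^d for all n ≥ N0; as ε is negligible, there is N1 with ε(n) < n^{−(c+d)} for all n ≥ N1. Hence for all n ≥ max(N0, N1):

```latex
q(n)\,\varepsilon(n) \;<\; n^{d} \cdot n^{-(c+d)} \;=\; n^{-c},
```

so q(n)·ε(n) is negligible, which is also the statement about p(n)·ε1(n). For the sum: given ε1(n) < n^{−(c+1)} for n ≥ N1' and ε2(n) < n^{−(c+1)} for n ≥ N2', one has ε1(n) + ε2(n) < 2n^{−(c+1)} ≤ n^{−c} for all n ≥ max(N1', N2', 2).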
p.94 – Example: PPT-attack (taken from [56])
• For simplicity, assume encrypting and decrypting takes time 10^6 · n^2
(measured in cpu cycles, for instance), while the attack A runs in
time 10^8 · n^4 in order to succeed with prob. 2^20 · 2^{−n} .
Assuming a 1GHz cpu (i.e., 10^9 cycles per second) and a key length
of n = 50, we obtain 2.5s for en/decryption, while the attack takes
roughly one week in order to succeed with prob. 2^{−30} .
Moving to a 16GHz cpu, these times decrease by a factor of sixteen.
So, even if we double the key length by moving from 50 bit keys
to 100 bit keys, en/decryption still runs four times faster, while
the attack still requires roughly one week but now only succeeds with
prob. 2^{−80} , i.e., the attack has become worse.

                      en/decrypt   attack
  n = 50 on 1GHz      2.5s         ≈ 7d with prob. 2^{−30}
  n = 100 on 16GHz    0.675s       ≈ 7d with prob. 2^{−80}
p.95 – Example: Super-polynomial attack
. PKES based e.g. on the RSA problem can be broken by factoring a
large integer N
• where N = p · q with p, q primes of length n, the security parameter.
The best (classical) algorithm known for factoring integers runs in
time C · e^{c · n^{1/3} · (log n)^{2/3}} (for some constant c > 1), i.e.,
super-polynomial in n.
For this example, assume that c = log 2 and C = 10^8 and that
en/decryption still takes 10^6 · n^2 as in the previous example.

                      en/decrypt   factoring
  n = 500 on 1GHz     ≈ 4.1min     ≈ 138d
  n = 1000 on 16GHz   ≈ 1.0min     ≈ 16.4y

Currently, ≥ 2048-bit primes are recommended for RSA by the NIST
for security up to 2030 (see e.g. www.keylength.com).
p.96 – PPT-ES
• Definition: An ES E = (Gen, Enc, Dec) is a PPT-ES if all algorithms
run in time polynomial w.r.t. their resp. inputs:

  Algorithm   Type   Input                  Output
  Gen         PPT    1^n                    k :=r Gen(1^n) ∈ Kn with |k| ≥ n
  Enc         PPT    k ∈ Kn , m ∈ Mn        c :=r Enck (m) ∈ Cn
  Dec         DPT    k ∈ Kn , c ∈ Cn        m = Deck (c) ∈ Mn

where Deck (Enck (m)) = m for all m ∈ M, k ∈ K.
The ES is stateless if Enc (Dec) starts from the same initial
configuration each time it is called; otherwise it is stateful.
• A stateful ES may remember e.g. a message counter (“q-time pad”).
The ES is deterministic if Enc is a DPT-algorithm.
The ES is fixed-length if Mn = Σ^{l(n)} for some function l(n).
• l(n) is usually a polynomial in n as otherwise no PPT-attack could
operate with the ES.
p.97 – PPT-ES: Remarks
• Example: The ({0, 1}, n)-one-time pad with Gen(1^n) : k ∈u {0, 1}^n is
a deterministic, stateless, fixed-length PPT-ES.
• In the following, we usually consider ES with
• Σ = {0, 1},
• Kn = {0, 1}^n where Gen(1^n) generates k ∈u {0, 1}^n ,
and either
• Mn = {0, 1}^{l(n)} for l(n) ≥ n, or
• Mn = {0, 1}^∗ , or
• Mn = ({0, 1}^{l(n)})^∗ (e.g. for ES built from block ciphers with block
length l(n); use a padding function for messages of length not a
multiple of l(n).)
. Statements like “Mn = {0, 1}^∗ ” or “Mn = ({0, 1}^{l(n)})^∗ ” should be
read as “practically arbitrary message length”, i.e. at most exponential
in n or l(n).
p.98 – “PPT-eavesdropping game” and comp. secrecy
• Definition:
Game IndEd for ES E = (Gen, Enc, Dec), attack A, and sec. par. n:
1 Eve runs A(1^n) to obtain m0 , m1 ∈ Mn with |m0 | = |m1 |.
2 Alice&Bob generate a random key k by running Gen(1^n);
they then choose b ∈u {0, 1} by tossing a fair coin;
finally, they send c :=r Enck (mb ) to Eve.
3 Eve runs A(1^n, c) to obtain a reply r.
. Let Win^{IndEd}_{n,E}(A) denote the event that b = r.
A PPT-ES E has indistinguishable encryptions in the presence of an
eavesdropper (is computationally secret) if
for every PPT-adversary A its advantage
εA (n) := Pr[Win^{IndEd}_{n,E}(A)] − 1/2
is a negligible function in n.
p.99 – Computational secrecy: Remarks
• Probability space consists again of all (independent) fair coin tosses
used for Gen, Enc, A, and b.
. Alternative formulation:
Random variable R^{IndEd}_{n,E}(A) for the final reply of A in the game
IndEd for security parameter n.
Then: Pr[Win^{IndEd}_{n,E}(A)] = Pr_{b ∈u {0,1}}[R^{IndEd}_{n,E}(A) = b].
. Notation: Making the prob. space (partially) explicit
• Pr_{b ∈u {0,1}}[event(b)] short for “b is a uniformly distributed RV”.
• Fixing a value: Pr_{b ∈u {0,1}}[event(b) | b = 1] = Pr_{b=1}[event(1)].
• E.g.: εA (n) = Pr_{b=1}[R^{IndEd}_{n,E}(A) = 1] − Pr_{b=0}[R^{IndEd}_{n,E}(A) = 1].
“Eve cannot distinguish between the world where she is always given
m1 , and the world where she is always given m0 (recall oracles
O0 /O1 ).”
p.100 – Computational secrecy: Remarks
• Game IndEd is essentially the game underlying perfect secrecy except
that we pass the security parameter n in unary (1n ) to all algorithms.
• To determine the key length, and to give A enough time.

. Corollary: As the one-time pad
• Mn = Cn = Kn = {0, 1}^n
• Gen(1^n) : k ∈u {0, 1}^n
• Enck (m) = k ⊕ m
• Deck (c) = k ⊕ c
is perfectly secret for every n, it is also comp. secret, and every attack
A has zero advantage in winning the game IndEd against it.
• As A runs in time polynomial in n, the message lengths |m0 | , |m1 |
are also polynomial in n.
. Hence, the input to Enc and Dec is also polynomial in n, and the
whole game runs in time polynomial in n.
p.101 – Computational secrecy: Remarks

• Restriction |m0 | = |m1 |:


. Necessary as otherwise many practical ES would be insecure w.r.t. our
definition.
. For efficiency, we usually want |m| ≈ |c|.
. E.g. one-time pad or rCTR.

. In fact necessary, as otherwise any ES with Mn = {0, 1}∗ would be


insecure w.r.t. our definition.
. Ex: Assume we relax the definition of comp. secrecy by allowing A to
output messages of distinct length.
Show that no PPT-ES (Gen, Enc, Dec) with Mn = {0, 1}∗ can be
secure w.r.t. this relaxed definition.
(Recall, for perfect secrecy we assumed M to be finite.)
p.102 – Computational secrecy: Remarks
• Resolving the asymptotics:
. “Unpacking” the definition of comp. secrecy we have that
if E = (Gen, Enc, Dec) is comp. secret, then
∀A ∀a ∈ N ∃Na,A ∀n ≥ Na,A : Pr[Win^{IndEd}_{n,E}(A)] − 1/2 < n^{−a} .
. But nothing is said for when n < Na,A :
A might have a much larger advantage than n^{−a} .
. To choose the correct value for the security parameter, we need to
resolve the asymptotics.
• Assuming that A is chosen from a finite set “KnownPPTAttacks”,
we then may choose e.g. a = 3 and, subsequently,
n ≥ max{1000, N3,A | A ∈ KnownPPTAttacks}
so that all KnownPPTAttacks succeed with prob. at most 1/2 + 10^{−9} .
p.103 – Pseudorandom generators and the one-time pad
• Recall: would like to have comp. secret PPT-ES with |K| < |M|.

• Basic idea: one-time pad plus “key stretcher G” which gets as
input a short random key k ∈u {0, 1}^n , and
outputs a stretched key G(k) ∈ {0, 1}^{l(n)}
which is then xor’ed with the plaintext: m ⊕ G(k).
• Properties G should have:
G needs to run in DPT.
To PPT-Eve, G(k) should “look (almost) like” a random string in
{0, 1}^{l(n)} as long as she does not know the secret k ∈u {0, 1}^n .
. I.e. to PPT-Eve the output of G should be indistinguishable from the
uniform distribution on {0, 1}^{l(n)} :
p.104 – Pseudorandom generators of fixed stretch
• Definition: Let l : N → N, and G : {0, 1}^∗ → {0, 1}^∗ with
• l(n) > n for all n ∈ N.
• G({0, 1}^n) := {G(x) | x ∈ {0, 1}^n} ⊆ {0, 1}^{l(n)} .
• G can be computed in DPT. (So l(n) is polynomially bounded.)
G is a pseudorandom generator (PRG) of stretch l(n) if
every PPT-algorithm D has negligible advantage
εD (n) := Pr[Win^{IndPRG}_{n,G}(D)] − 1/2 in the game IndPRG:
1 Alice&Bob toss a fair coin b ∈u {0, 1};
if b = 0, then y ∈u {0, 1}^{l(n)} ; if b = 1, then x ∈u {0, 1}^n and y := G(x);
they pass y to Eve;
2 Eve runs D(1^n, y) to obtain the reply r.
. Let Win^{IndPRG}_{n,G}(D) denote the event r = b.
• Ex: 2εD (n) = Pr_{x ∈u {0,1}^n}[D(1^n, G(x)) = 1] − Pr_{y ∈u {0,1}^{l(n)}}[D(1^n, y) = 1]
p.105 – PRG: Remarks
• Example: “Assuming that AES is a (t, q, ε)-secure block cipher,
G(k) = AESk (0^128)||AESk (1^128) is a (t, q, ε)-PRG.” (later)
• Example: Consider the following proposal for a PRG with stretch
l(n) = n + 1 for x = x1 x2 . . . xn ∈ {0, 1}^n:
G(x1 x2 . . . xn ) = x1 x2 . . . xn x2
. As always we assume that Eve knows how G works.
. Eve therefore uses the D which, on input y = y1 y2 . . . yn yn+1 ,
outputs 1 iff y2 = yn+1 .
. Case b = 0: y2 = yn+1 with prob. 1/2.
. Case b = 1: y2 = yn+1 with prob. 1.
. So, D has nonnegligible advantage of 1/4.
• Ex: Let f : {0, 1}^∗ → {0, 1} be any DPT-computable function.
Show that Gf (x) = x||f (x) is no PRG.


p.106 – PRG: Remarks
• Usually, we want a PRG whose stretch l(n) is much larger than n.
• E.g. let G be a PRG of stretch l(n) = 2n.
. Ex: Then G can only output a negligible fraction of {0, 1}^{2n} .
In particular, there is an exponential time distinguisher D with:
Pr_{x ∈u {0,1}^n}[D(1^n, G(x)) = 1] − Pr_{y ∈u {0,1}^{2n}}[D(1^n, y) = 1] ≥ 1 − 2^{−n} .
. So, the output of G is far from uniformly distributed over {0, 1}^{2n} .
• Ex: Determine the success prob. of the following D:
• Input: y ∈ {0, 1}^{l(n)} and 1^n.
• Generate x' ∈u {0, 1}^n and compute y' = G(x').
• Return 1 if y = y' ; else return 0.
Conclude that for l(n) ≥ 2n Eve has always at least a negligible
advantage in the game IndPRG vs. any G.
p.107 – PRG: Remarks
• We can also reformulate the game IndPRG using the oracles

  O0                                    O1
  Init: 1^n                             Init: 1^n
  Query: outputs y ∈u {0, 1}^{l(n)}     Query: outputs G(x) with x ∈u {0, 1}^n.

. In the game, Alice&Bob pass Ob in a black box O to D – where we
now require that D^O (1^n) makes at most one oracle query.
. G is a PRG, if Eve cannot distinguish (with a single query) the “real
world O1 ” from the “perfect world O0 ” – except for negligible prob.
• Ex: Analyze the advantage of the following distinguisher D which is
allowed to query the oracle q times:
• Init: L = ∅
• Repeat: query O to obtain y; if y ∈ L, stop and output 1; if |L| > q,
stop and output 0; else L := L ∪ {y}.
p.108 – Pseudorandom one-time pad
• Definition:
Let G(·) be a PRG of polynomial stretch l(·).
The pseudorandom one-time pad w.r.t. G(·) (G-prOTP) is defined by:
• Gen(1^n) outputs a key k ∈ Kn = {0, 1}^n uniformly at random.
• Enck (m) := m ⊕ G(k) for every m ∈ Mn = {0, 1}^{l(n)} .
• Deck (c) := c ⊖ G(k) for every c ∈ Cn = {0, 1}^{l(n)} .
(Note that ⊕ ≡ ⊖ for Σ = {0, 1}.)
• Theorem:
The G-prOTP is a comp. secret ES of fixed-length l(·) if G is indeed
a PRG of stretch l(·).
p.109 – G-prOTP: Proof of security

• Let A be any PPT-attack on the pseudorandom one-time pad in the


“PPT-eavesdropping” game IndEd.
• Given A we construct the following D for the game IndPRG vs. G:

D takes the place of Alice and Bob, and simulates the game IndEd
for n using Eve’s algorithm A as a subprocedure.
Except that D does not run Gen
but instead assumes that its input y is the output of G(k) in order to
simulate Enck (m) by means of
c = m ⊕ y.
p.110 – G-prOTP: Proof of security

  Alice&Bob:   b ∈u {0, 1}
               if b = 0: y ∈u {0, 1}^{l(n)}
               if b = 1: x ∈u {0, 1}^n, y = G(x)
               pass y to D
  D:           run A(1^n)
  sub A:         return m0 , m1 ∈ {0, 1}^{l(n)}
  D:           b' ∈u {0, 1}
               assume y = G(x) and simulate Encx :
               compute c = mb' ⊕ y
               run A(1^n, c)
  sub A:         return r'
  D:           return r := (r' =? b')

• D wins iff r = b.
• Running time TD (n) of D given by running time TA (n) of A plus
time needed for simulating game IndEd (O(n)).
p.111 – G-prOTP: Proof of security
• Case b = 0: Inserting b = 0

  Alice&Bob:   b := 0
               if b = 0: y ∈u {0, 1}^{l(n)}
               if b = 1: x ∈u {0, 1}^n, y = G(x)
               pass y to D
  D:           run A(1^n)
  sub A:         return m0 , m1 ∈ {0, 1}^{l(n)}
  D:           b' ∈u {0, 1}
               assume y = G(x) and simulate Encx :
               compute c = mb' ⊕ y
               run A(1^n, c)
  sub A:         return r'
  D:           return r := (r' =? b')

• D wins iff r = 0 iff r' ≠ b'.
• Next: View the whole interaction from A’s perspective, i.e. identify D
with Alice&Bob.
p.112 – G-prOTP: Proof of security
• Case b = 0: From A’s perspective, it is playing vs. the OTP

  Alice&Bob (&D):   b := 0
                    y ∈u {0, 1}^{l(n)}
                    run A(1^n)
  sub A:              return m0 , m1 ∈ {0, 1}^{l(n)}
  Alice&Bob (&D):   b' ∈u {0, 1}
                    compute c = mb' ⊕ y
                    run A(1^n, c)
  sub A:              return r'
  Alice&Bob (&D):   r := (r' =?  b')

• Hence, D wins vs. G iff r = 0 iff r' ≠ b' iff A loses vs. the OTP.
. Pr_{b=0}[Win^{IndPRG}_{n,G}(D)] = 1 − Pr[Win^{IndEd}_{n,OTP}(A)] = 1/2.
p.113 – G-prOTP: Proof of security
• Case b = 1: Inserting b = 1

  Alice&Bob:   b := 1
               if b = 0: y ∈u {0, 1}^{l(n)}
               if b = 1: x ∈u {0, 1}^n, y = G(x)
               pass y to D
  D:           run A(1^n)
  sub A:         return m0 , m1 ∈ {0, 1}^{l(n)}
  D:           b' ∈u {0, 1}
               assume y = G(x) and simulate Encx :
               compute c = mb' ⊕ y
               run A(1^n, c)
  sub A:         return r'
  D:           return r := (r' =? b')

• D wins iff r = 1 iff r' = b'.
• Next: View the whole interaction from A’s perspective, i.e. identify D
with Alice&Bob.
p.114 – G-prOTP: Proof of security
• Case b = 1: From A’s perspective, it is playing vs. G-prOTP

  Alice&Bob (&D):   b := 1
                    x ∈u {0, 1}^n
                    run A(1^n)
  sub A:              return m0 , m1 ∈ {0, 1}^{l(n)}
  Alice&Bob (&D):   b' ∈u {0, 1}
                    compute c = mb' ⊕ G(x)
                    run A(1^n, c)
  sub A:              return r'
  Alice&Bob (&D):   r := (r' =? b')

• Hence, D wins vs. G iff r = 1 iff r' = b' iff A wins vs. G-prOTP.
. Pr_{b=1}[Win^{IndPRG}_{n,G}(D)] = Pr[Win^{IndEd}_{n,G-prOTP}(A)].
p.115 – G-prOTP: Proof of security
• As b ∈u {0, 1}, both cases occur with prob. 1/2, so:
\[
\Pr\bigl[\mathrm{Win}^{\mathrm{IndPRG}}_{n,G}(D)\bigr]
= \tfrac{1}{4} + \tfrac{1}{2}\,\Pr\bigl[\mathrm{Win}^{\mathrm{IndEd}}_{n,G\text{-prOTP}}(A)\bigr]
\]
• As G is assumed to be a PRG,
\[
\varepsilon_D(n)
= \Pr\bigl[\mathrm{Win}^{\mathrm{IndPRG}}_{n,G}(D)\bigr] - \tfrac{1}{2}
= \tfrac{1}{2}\,\Pr\bigl[\mathrm{Win}^{\mathrm{IndEd}}_{n,G\text{-prOTP}}(A)\bigr] - \tfrac{1}{4}
= \tfrac{1}{2}\,\varepsilon_A(n)
\]
has to be negligible.
• As A was chosen arbitrarily, the G-prOTP is comp. secret.
. In other words:
Given a (TA (n), εA (n))-attack A on the pseudorandom one-time pad
in the game IndEd
we can build a (TD (n), εD (n))-distinguisher D for G
where TD (n) = TA (n) + O(n) and εA (n) = 2εD (n).
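An added Python example (not from the original slides) that serves both the PRG example of p.105 and the reduction of p.109 to p.115. For the toy stretch l(n) = n + 1 it computes the advantage of the distinguisher D of p.105 exactly by enumerating all x and y; it then builds the G-prOTP from the same G, gives a constructed attack A that wins the game IndEd with certainty because the repeated bit of G(k) cancels out of the ciphertext, and finally constructs D from A exactly as in the proof and checks that ε_D = ε_A/2. The function names and the attack are assumptions of the example; n = 4 is a toy value.

```python
import itertools
from fractions import Fraction

# Bit strings are tuples of 0/1. Every probability below is computed exactly by
# enumerating all coin tosses of the respective game, which is feasible for toy n.

def all_bits(length):
    """All bit strings of the given length, i.e. {0,1}^length."""
    return list(itertools.product((0, 1), repeat=length))

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def bad_prg(x):
    """The proposal from p.105: G(x1 ... xn) = x1 ... xn x2, stretch l(n) = n + 1."""
    return x + (x[1],)

def ind_prg_advantage(G, D, n, l):
    """eps_D(n) via the identity 2 eps_D = Pr_x[D(G(x)) = 1] - Pr_y[D(y) = 1] (p.104),
    x uniform in {0,1}^n, y uniform in {0,1}^l. D(y) returns the probability that
    D outputs 1 on input y (0 or 1 when D is deterministic)."""
    p_real = Fraction(sum(D(G(x)) for x in all_bits(n))) / 2 ** n
    p_ideal = Fraction(sum(D(y) for y in all_bits(l))) / 2 ** l
    return (p_real - p_ideal) / 2

def direct_distinguisher(y):
    """D from p.105: output 1 iff y_2 = y_{n+1}."""
    return 1 if y[1] == y[-1] else 0

# --- the G-prOTP built from bad_prg, and a constructed attack A on it (game IndEd) ---

def protp_enc(k, m, G):
    """Enc_k(m) = m xor G(k) (p.108)."""
    return xor(m, G(k))

def attack_choose(n):
    """A's first step: m0 with m0_2 = m0_{n+1}, m1 with m1_2 != m1_{n+1}."""
    return (0,) * (n + 1), (0,) * n + (1,)

def attack_reply(c):
    """A's second step. As c = m xor G(k) and G(k)_2 = G(k)_{n+1},
    c_2 xor c_{n+1} = m_2 xor m_{n+1} no longer depends on the key."""
    return 0 if c[1] == c[-1] else 1

def ind_ed_advantage(n, G):
    """eps_A(n) = Pr[Win^IndEd(A)] - 1/2 for the G-prOTP, enumerating k and b."""
    m0, m1 = attack_choose(n)
    wins = Fraction(0)
    for b, m in ((0, m0), (1, m1)):
        for k in all_bits(n):
            if attack_reply(protp_enc(k, m, G)) == b:
                wins += Fraction(1, 2 * 2 ** n)
    return wins - Fraction(1, 2)

def reduction_distinguisher_advantage(n):
    """D built from A as on p.109/110: D receives y, tosses its own coin b',
    hands c = m_{b'} xor y to A and outputs 1 iff A's reply equals b'.
    The coin b' is enumerated, so D(y) is exactly Pr[D outputs 1 on y]."""
    m0, m1 = attack_choose(n)

    def D(y):
        hits = sum(1 for bp, m in ((0, m0), (1, m1)) if attack_reply(xor(m, y)) == bp)
        return Fraction(hits, 2)

    return ind_prg_advantage(bad_prg, D, n, n + 1)

if __name__ == "__main__":
    n = 4
    print("eps_D, direct distinguisher:", ind_prg_advantage(bad_prg, direct_distinguisher, n, n + 1))
    print("eps_A, attack on the prOTP :", ind_ed_advantage(n, bad_prg))
    print("eps_D, D built from A      :", reduction_distinguisher_advantage(n))
```

With this G the direct distinguisher has advantage 1/4 as stated on p.105, the attack on the prOTP has advantage 1/2 (it always wins), and the D obtained from it by the reduction has advantage 1/4 = ε_A/2, so the factor 2 in "ε_A(n) = 2ε_D(n)" is visible on a concrete instance rather than only in the proof.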
p.116 – PRGs of variable stretch
• So, our definition of PRG is sufficient for the existence of comp.
secret PPT-ES with |K| < |M|.
• Later: Our definition is also “the right one” as it is necessary, too.
. PRGs can be built from problems which are sufficiently hard on the
average, e.g.:
• Factorizing an integer N which is the product of two unknown random
primes p, q with p, q ∈ [2^{n−1}, 2^n). (“BBS PRG”)
• Given a prime p ∈ [2^{n−1}, 2^n), a generator g of Zp , and a random
y ∈u Zp − {0}, find the unique x ∈ Zp with g^x (mod p) = y. (BM PRG)

. Essential idea: A problem instance is transformed into a


pseudorandom bit string, and the PRG property is reduced to solving
the corresponding problem.
. These PRGs have in fact variable stretch.
p.117 – PRGs of variable stretch
• Definition:
A PRG G of variable stretch not only takes a random x ∈u {0, 1}^n as
input, but also a stretch parameter 1^s such that
1 G(x, 1^s) ∈ {0, 1}^s .
2 G is DPT-computable w.r.t. n + s.
3 For every x, and s < s', G(x, 1^s) is a prefix of G(x, 1^{s'}).
(“prefix property”)
4 G is a “normal” PRG when fixing its stretch, i.e.:
For every polynomial l(n), G_{l(·)}(x) := G(x, 1^{l(|x|)}) is a PRG of fixed
stretch l(n).
• Example: Blum-Micali (BM) PRG:
1 Generate from the random x: a prime p, a generator g of Zp , and a
random x ∈ Zp − {0}.
2 Do s-times: output (x < (p − 1)/2 ? 1 : 0); set x := (g^x mod p).
p.118 – PRGs of variable stretch

• Example: Assuming that AES ($n = l = 128$) is a “secure” block cipher,
$G(k, 1^{l \cdot s}) = \mathrm{AES}_k(\lfloor 1 \rceil) \,\|\, \mathrm{AES}_k(\lfloor 2 \rceil) \,\|\, \ldots \,\|\, \mathrm{AES}_k(\lfloor s \rceil)$
is a PRG of variable stretch (w.r.t. some concrete $(t, q, \varepsilon)$-bound);
$\lfloor i \rceil$ denotes the encoding of the counter $i$ as an $l$-bit block.
. Ex: Linear congruential generator
Let $m \in \mathbb{N}$ and $a, c \in \mathbb{Z}_m$.
• For simplicity, let $m = 2^n$ so that we may identify $\mathbb{Z}_m$ with $\{0,1\}^n$.
For $x \in \{0,1\}^n$, let $f(x) = (a \cdot x + c) \bmod m$, and
$G(x, 1^{n \cdot s}) = f(x) \,\|\, f(f(x)) \,\|\, \ldots \,\|\, f^s(x)$.
Show that this is not a PRG (in the sense of cryptography).
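As an added worked example for the LCG exercise (this is not code from the lecture): a distinguisher in Python. It assumes, as the exercise does, that the parameters $a$, $c$ and the modulus $2^n$ are public and only the seed $x$ is secret; the constants $a = 1664525$, $c = 1013904223$, $n = 32$ are just an illustration. The recurrence check is the whole distinguisher, and because $a$ is odd the seed itself is recovered from a single output word.

```python
import random

# Public LCG parameters (the classic "Numerical Recipes" constants, n = 32):
# only the seed x is secret. a is odd, so x -> a*x + c is a bijection on Z_{2^n}.
A, C, N_BITS = 1664525, 1013904223, 32


def lcg_stream(x, s, a=A, c=C, n=N_BITS):
    """G(x, 1^(n*s)) = f(x) || f(f(x)) || ... || f^s(x) with f(x) = (a*x + c) mod 2^n.
    Returns the s output words as a list of n-bit integers."""
    m = 1 << n
    words = []
    for _ in range(s):
        x = (a * x + c) % m
        words.append(x)
    return words


def lcg_distinguisher(y, a=A, c=C, n=N_BITS):
    """D(y): output 1 ("this is G's output") iff every word is f applied to
    its predecessor. G's output always passes; a uniform string of s words
    passes only with probability 2^(-n*(s-1))."""
    m = 1 << n
    return 1 if all(y[i + 1] == (a * y[i] + c) % m for i in range(len(y) - 1)) else 0


def recover_seed(y1, a=A, c=C, n=N_BITS):
    """Worse than merely being distinguishable: from the first output word the
    secret seed itself is recovered, because a is invertible modulo 2^n."""
    m = 1 << n
    return ((y1 - c) * pow(a, -1, m)) % m


def advantage(s, trials, seed):
    """Empirical advantage |Pr[D(G(x)) = 1] - Pr[D(uniform) = 1]| of the
    distinguisher in the IndPRG game, estimated over `trials` samples each."""
    rng = random.Random(seed)  # seeded only so that the experiment is reproducible
    real = sum(lcg_distinguisher(lcg_stream(rng.getrandbits(N_BITS), s)) for _ in range(trials))
    ideal = sum(lcg_distinguisher([rng.getrandbits(N_BITS) for _ in range(s)]) for _ in range(trials))
    return abs(real - ideal) / trials
```

Note that `advantage(4, 200, 1)` returns $1.0$: the gap to a real PRG is not “slightly above negligible” but total, with $s = 2$ words already sufficing.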
p.119 – PRGs of variable stretch
• Ex: For G a PRG of variable stretch, we may define a
“variable-length G-prOTP” (short: “G-stream cipher”) E = (Gen, Enc, Dec):
• Gen($1^n$): $k \in \{0,1\}^n$ uniformly at random.
• $\mathrm{Enc}_k(m) = G(k, 1^{|m|}) \oplus m$
• $\mathrm{Dec}_k(c) = G(k, 1^{|c|}) \oplus c$
with $M_n = \{0,1\}^*$.
Show that E is comp. secret if G is a PRG of variable stretch.
Hint: Let A be a PPT-attack on E in the game IndEd. Denote by
$T_A$ the running time of A. As before, construct from A a
distinguisher D for $G_{T_A(\cdot)}$.
Make use of the requirement that $G(x, 1^s)$ is a prefix of $G(x, 1^{s'})$ for
$s < s'$.
p.120 – Eavesdropping multiple ciphertexts
• Definition: Game IndMultEd
1 Eve runs $A(1^n)$ to obtain message sequences $\vec m_0, \vec m_1$ with
$\vec m_b = (m_b^{(1)}, \ldots, m_b^{(q)})$, $|m_0^{(i)}| = |m_1^{(i)}|$, and $m_b^{(i)} \in M_n$.
2 Alice&Bob generate a random key $k$ by running Gen($1^n$);
they then choose $b \in \{0,1\}$ by tossing a fair coin;
they compute $c^{(i)} = \mathrm{Enc}_k(m_b^{(i)})$ for $i = 1$ to $i = q$ (left to right);
finally, they send $\vec c = (c^{(1)}, \ldots, c^{(q)})$ to Eve.
3 Eve runs $A(1^n, \vec c)$ to obtain a reply $r$.
. Let $\mathrm{Win}^{\mathrm{IndMultEd}}_{n,E}(A)$ denote the event that $b = r$.
A PPT-ES E has indistinguishable multiple encryptions in the presence
of an eavesdropper if for every PPT-adversary A its advantage
$$\varepsilon_A(n) := \left|\Pr\left[\mathrm{Win}^{\mathrm{IndMultEd}}_{n,E}(A)\right] - 1/2\right|$$
is a negligible function in $n$.
p.121 – Eavesdropping multiple ciphertexts
• Theorem: No stateless and deterministic ES has indistinguishable
multiple encryptions in the presence of an eavesdropper.
• Proof: Let $\{0,1\}^{l(n)} \subseteq M_n$ for some $l(n)$.
Let A always output $\vec m_0 = (0^{l(n)}, 0^{l(n)})$ and $\vec m_1 = (0^{l(n)}, 1^{l(n)})$.
Given $\vec c$, let A output 1 iff $c^{(1)} \neq c^{(2)}$.
For $b = 0$ the two ciphertexts are equal (same key, same plaintext, no
randomness, no state); for $b = 1$ they differ, as otherwise Dec could not be
correct. So A wins with probability 1.
. ECB mode is not secure for multiple encryptions.
• Ex*: Turn the “variable-length G-prOTP” into a stateful ES which
has indistinguishable multiple encryptions in the presence of an
eavesdropper.
• Make use of the “prefix property” of G, and remember how “far” the
key has already been stretched.
• Extend the ciphertext accordingly.
• See also the exercise on the “q-time pad”.
Adapt the proof of the security of the G-prOTP.
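An added example, not code from the lecture: the game IndMultEd of p.120 played in Python against the deterministic G-prOTP of p.119 and against the stateful variant asked for in the Ex* above. It assumes SHA-256 in counter mode as a stand-in for the PRG G (that is an assumption, not a proof; only the prefix property is used), $n = 128$, and the adversary is exactly the one from the proof of the theorem.

```python
import hashlib
import random

N = 16  # key length n in bytes (128 bits)


def prg(k, s):
    """G(k, 1^s): stretch the n-byte seed k to s pseudorandom bytes. SHA-256 in
    counter mode is only a stand-in for a PRG here (assumption); what the
    stateful scheme relies on is the prefix property: G(k, 1^s) is a prefix of
    G(k, 1^s') for s < s'."""
    out = b""
    i = 0
    while len(out) < s:
        out += hashlib.sha256(k + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:s]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class StatelessPrOTP:
    """The G-prOTP of p.119: Enc_k(m) = G(k, 1^|m|) xor m. Deterministic and
    stateless, so the same plaintext always gives the same ciphertext."""

    def __init__(self, k):
        self.k = k

    def enc(self, m):
        return xor(prg(self.k, len(m)), m)

    def dec(self, c):
        return xor(prg(self.k, len(c)), c)


class StatefulPrOTP:
    """The stateful variant of Ex* p.121: remember how far k has been stretched
    (ctr), pad with the next unused part of the stream, and prefix ctr to the
    ciphertext so that Dec can locate the right segment of the stream."""

    def __init__(self, k):
        self.k = k
        self.ctr = 0

    def enc(self, m):
        start = self.ctr
        pad = prg(self.k, start + len(m))[start:]  # G(k)[ctr+1 .. ctr+|m|]
        self.ctr += len(m)
        return start.to_bytes(N, "big") + xor(pad, m)

    def dec(self, c):
        start, body = int.from_bytes(c[:N], "big"), c[N:]
        return xor(prg(self.k, start + len(body))[start:], body)


def attack_messages(l):
    """The adversary from the proof: m_0 = (0^l, 0^l), m_1 = (0^l, 1^l)."""
    return [b"\x00" * l, b"\x00" * l], [b"\x00" * l, b"\xff" * l]


def attack_guess(cs):
    """Output 1 iff the two ciphertexts differ."""
    return 1 if cs[0] != cs[1] else 0


def ind_mult_ed(scheme_cls, l, trials, seed):
    """Play IndMultEd `trials` times against scheme_cls and return Eve's win rate.
    Against the stateless scheme the rate is 1; against the stateful one the two
    ciphertexts always differ (different ctr prefix), so the guess is
    uncorrelated with b and the rate is about 1/2."""
    rng = random.Random(seed)  # seeded only for reproducibility of the experiment
    wins = 0
    for _ in range(trials):
        k = bytes(rng.getrandbits(8) for _ in range(N))  # Gen(1^n)
        scheme = scheme_cls(k)
        m0, m1 = attack_messages(l)
        b = rng.getrandbits(1)
        cs = [scheme.enc(m) for m in (m1 if b else m0)]  # encrypt left to right
        wins += attack_guess(cs) == b
    return wins / trials
```

The stateful scheme recomputes the stream from the beginning for simplicity; a real implementation keeps the generator state instead, which is exactly what the counter in sCTR mode (p.147) does.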


Private-key encryption in the presence of an
efficient eavesdropper

Semantic security
p.123 – Semantic security: Motivation
• Shannon:

An encryption scheme is secure if “that which can be determined


about a plaintext from its ciphertext can be determined in the
absence of the ciphertext.”
. Perfectly secret OTP: ciphertext is a random bit string which is
independent of the plaintext
. Attacker can generate ciphertext without the actual plaintext.
• Replace “determined” by “efficiently computed”:

. Goldwasser-Micali:
Semantic security asks that that which can be efficiently computed
about a plaintext from its ciphertext can be efficiently computed in
the absence of the ciphertext.
. Depending on the concrete adversarial model, there are different
notions of semantic security.
p.124 – Semantic secrecy
• Informal description:
Eve’s PPT-attack A may
• tell Alice&Bob how to choose a plaintext m.

• choose “that which can be efficiently computed”,

namely, a DPT-computable function f .


In particular, A may choose f after it is given c.

A wins if it can compute f (m) given only c.


• Semantic secrecy requires that

For any such A there exists a PPT-algorithm B which


succeeds with “almost” the same prob. as A w/o being given c.
• This is formalized in the following two games SemEd and
SemNoEd.
p.125 – Semantic secrecy when given c
• Game SemEd: Ciphertext $c$ available
1 $A(1^n)$ outputs the description of a PPT-algorithm $M_M$ which outputs
a random message in $\{0,1\}^{l(n)} \subseteq M_n$.
• For simplicity, we consider only ES with $\{0,1\}^{l(n)} \subseteq M_n$.
• E.g. “$b \in \{0,1\}$ uniformly at random; if $b = 0$, output $m_0$; else output $m_1$”.
2 Alice&Bob run $M_M(1^n)$ to obtain $m \in \{0,1\}^{l(n)} \subseteq M_n$.
They then generate a secret key $k := \mathrm{Gen}(1^n)$.
Finally, they compute $c := \mathrm{Enc}_k(m)$ and pass it to Eve.
3 $A(1^n, c)$ outputs (1) the description of a DPT-algorithm $M_f$
computing a function $f$, and (2) a guess $y$ for $f(m)$.
. Let $\mathrm{Win}^{\mathrm{SemEd}}_{n,E}(A)$ be the event $y = f(m)$.
• If A chooses $M_M$ so that it always outputs the same message $m$, it
trivially can win the game SemEd with prob. one; but then A does
not require $c$.
p.126 – Semantic secrecy when given no c

• Game SemNoEd: Eve cannot eavesdrop $c$
1 $B(1^n)$ outputs (1) the description of a PPT-algorithm $M_M$ which
outputs a random message in $\{0,1\}^{l(n)} \subseteq M_n$, (2) the description of
a DPT-algorithm $M_f$ computing a function $f$, and (3) a guess $y$ for
$f(m)$.
2 Alice&Bob run $M_M(1^n)$ to obtain $m \in \{0,1\}^{l(n)} \subseteq M_n$.
. Let $\mathrm{Win}^{\mathrm{SemNoEd}}_{n,E}(B)$ be the event $y = f(m)$.
• As B does not need to wait for $c$, we can combine the first and third
step of the game SemEd.
p.127 – Semantic secrecy
• Our notion of semantic secrecy:
Given a PPT-algorithm $A_{\mathrm{SemEd}}$ for the game SemEd, i.e. the interaction
1 $A_{\mathrm{SemEd}}(1^n)$ computes $M_M$ and gives it to Alice&Bob;
2 Alice&Bob compute $m := M_M(1^n)$, $k := \mathrm{Gen}(1^n)$, $c := \mathrm{Enc}_k(m)$ and pass $c$ to $A_{\mathrm{SemEd}}$;
3 $A_{\mathrm{SemEd}}$ computes $(M_f, y)$ and passes it to Alice&Bob;
4 $A_{\mathrm{SemEd}}$ wins if $y = M_f(m)$;
there should be a PPT-algorithm $B_{\mathrm{SemNoEd}}$ for the game SemNoEd, i.e. the interaction
1 $B_{\mathrm{SemNoEd}}(1^n)$ computes $M_M$ and $(M_f, y)$ and passes all of them to Alice&Bob;
2 Alice&Bob compute $m := M_M(1^n)$;
3 $B_{\mathrm{SemNoEd}}$ wins if $y = M_f(m)$;
such that
$$\left|\Pr\left[\mathrm{Win}^{\mathrm{SemEd}}_{n,E}(A)\right] - \Pr\left[\mathrm{Win}^{\mathrm{SemNoEd}}_{n,E}(B)\right]\right|$$
is negligible.
• Claim: If E is comp. secret, it is also secure in the above sense.
p.128 – Semantic secrecy
• Assume that the used PPT-ES E = (Gen, Enc, Dec) is comp. secret.
. Let $A_{\mathrm{SemEd}}$ be any PPT-alg. for the game SemEd.
. Idea: The encryption of $m := M_M(1^n)$ “looks (almost) like” the
encryption of any other plaintext, say $0^{l(n)}$, to any PPT-A.
. Thus $\mathrm{Enc}_k(0^{l(n)})$ should be just as useful as $\mathrm{Enc}_k(m)$ to $A_{\mathrm{SemEd}}$.
. Consider now the following $A_{\mathrm{IndEd}}$ with subprocedure $A_{\mathrm{SemEd}}$:
1 $A_{\mathrm{IndEd}}(1^n)$ runs $A_{\mathrm{SemEd}}(1^n)$, which passes $M_M$ to $A_{\mathrm{IndEd}}$.
2 $A_{\mathrm{IndEd}}$ sets $m_0 := 0^{l(n)}$, $m_1 := M_M(1^n)$ and passes $m_0, m_1$ to Alice&Bob.
3 Alice&Bob choose $b \in \{0,1\}$ uniformly, compute $k := \mathrm{Gen}(1^n)$, $c := \mathrm{Enc}_k(m_b)$ and pass $c$ to $A_{\mathrm{IndEd}}$.
4 $A_{\mathrm{IndEd}}$ passes $c$ to $A_{\mathrm{SemEd}}$, which computes $(M_f, y)$ and passes it back to $A_{\mathrm{IndEd}}$.
5 $A_{\mathrm{IndEd}}$ returns 1 iff $y = M_f(m_1)$.
p.129 – Semantic secrecy

 
• Probability $\Pr\left[\mathrm{Win}^{\mathrm{IndEd}}_{n,E}(A_{\mathrm{IndEd}})\right]$ (over uniform $b \in \{0,1\}$)?
• Case $b = 1$: Interaction of $A_{\mathrm{SemEd}}$ with Alice&Bob&$A_{\mathrm{IndEd}}$:
1 $A_{\mathrm{SemEd}}(1^n)$ passes $M_M$ to Alice&Bob&$A_{\mathrm{IndEd}}$;
2 they compute $m_1 := M_M(1^n)$, $k := \mathrm{Gen}(1^n)$, $c := \mathrm{Enc}_k(m_1)$ and pass $c$ to $A_{\mathrm{SemEd}}$;
3 $A_{\mathrm{SemEd}}$ computes $(M_f, y)$ and passes it to Alice&Bob&$A_{\mathrm{IndEd}}$.
. $A_{\mathrm{SemEd}}$ plays the game SemEd with Alice&Bob&$A_{\mathrm{IndEd}}$.
. $A_{\mathrm{IndEd}}$ wins iff $y = f(m_1)$, i.e. iff $A_{\mathrm{SemEd}}$ wins the game SemEd.
. $\Pr_{b=1}\left[\mathrm{Win}^{\mathrm{IndEd}}_{n,E}(A_{\mathrm{IndEd}})\right] = \Pr\left[\mathrm{Win}^{\mathrm{SemEd}}_{n,E}(A_{\mathrm{SemEd}})\right]$
p.130 – Semantic secrecy
• Case $b = 0$: Interaction of $A_{\mathrm{SemEd}}$ with Alice&Bob&$A_{\mathrm{IndEd}}$:
1 $A_{\mathrm{SemEd}}(1^n)$ passes $M_M$ to Alice&Bob&$A_{\mathrm{IndEd}}$;
2 they compute $m_0 := 0^{l(n)}$, $m_1 := M_M(1^n)$, $k := \mathrm{Gen}(1^n)$, $c := \mathrm{Enc}_k(0^{l(n)})$ and pass $c$ to $A_{\mathrm{SemEd}}$;
3 $A_{\mathrm{SemEd}}$ computes $(M_f, y)$ and passes it to Alice&Bob&$A_{\mathrm{IndEd}}$.
• Rearrange these steps into the game SemNoEd, with $A_{\mathrm{SemNoEd}}$ running $A_{\mathrm{SemEd}}$ as subprocedure:
1 $A_{\mathrm{SemNoEd}}(1^n)$ runs $A_{\mathrm{SemEd}}(1^n)$ to obtain $M_M$;
2 $A_{\mathrm{SemNoEd}}$ itself computes $k := \mathrm{Gen}(1^n)$ and $c := \mathrm{Enc}_k(0^{l(n)})$ (no plaintext from $M_M$ is needed for this) and passes $c$ to $A_{\mathrm{SemEd}}$;
3 $A_{\mathrm{SemEd}}$ computes $(M_f, y)$ and passes it to $A_{\mathrm{SemNoEd}}$, which passes $M_M$ and $(M_f, y)$ to Alice&Bob;
4 Alice&Bob compute $m_1 := M_M(1^n)$; $A_{\mathrm{SemNoEd}}$ wins iff $y = M_f(m_1)$.
. $A_{\mathrm{IndEd}}$ wins (i.e. outputs $0 = b$) iff $y \neq f(m_1)$ iff $A_{\mathrm{SemNoEd}}$ loses the game SemNoEd.
p.131 – Semantic secrecy

• Both cases occur with prob. 1/2, so:
$$\begin{aligned}
\Pr\left[\mathrm{Win}^{\mathrm{IndEd}}_{n,E}(A_{\mathrm{IndEd}})\right]
&= \tfrac12 \Pr_{b=1}\left[\mathrm{Win}^{\mathrm{IndEd}}_{n,E}(A_{\mathrm{IndEd}})\right]
 + \tfrac12 \Pr_{b=0}\left[\mathrm{Win}^{\mathrm{IndEd}}_{n,E}(A_{\mathrm{IndEd}})\right] \\
&= \tfrac12 \Pr\left[\mathrm{Win}^{\mathrm{SemEd}}_{n,E}(A_{\mathrm{SemEd}})\right]
 + \tfrac12 \left(1 - \Pr\left[\mathrm{Win}^{\mathrm{SemNoEd}}_{n,E}(A_{\mathrm{SemNoEd}})\right]\right) \\
&= \tfrac12 + \tfrac12 \underbrace{\left(\Pr\left[\mathrm{Win}^{\mathrm{SemEd}}_{n,E}(A_{\mathrm{SemEd}})\right]
 - \Pr\left[\mathrm{Win}^{\mathrm{SemNoEd}}_{n,E}(A_{\mathrm{SemNoEd}})\right]\right)}_{\text{has to be negl. in } n \text{ as E is comp. secret}}
\end{aligned}$$
. So, $A_{\mathrm{SemNoEd}}$ is the algorithm we are looking for. $\square$


p.132 – Semantic security in general
• Even more general notions of semantic security further allow A to
choose a function $h$ which models public information on e.g. $m$.
. I.e. besides $c$, both A and its simulator B get $h(m)$ as additional input.
• For a formal definition of this more general setting, see e.g. [47]
Definition 5.1.2.
• As we have seen, our notion of comp. secrecy implies also our
restricted notion of semantic security in the presence of an
eavesdropper (“semantic secrecy”).
• For the private-key setting, semantic security w.r.t. an eavesdropping
adversary/chosen-plaintext attack/chosen-ciphertext attack can be
shown to be equivalent to indistinguishable encryptions (“decide
?
b = 0”).
• In the public-key setting, semantic security is in general a stronger
requirement than indistinguishable encryptions.
Computational security beyond eavesdropping

Indistinguishable encryptions under CPA/CCA, unforgeable MACs
p.134 – Attack scenarios beyond eavesdropping
• Seen so far:
Variable-length PRGs allow us to build PPT-ES which have
indistinguishable encryptions when Eve is allowed to eavesdrop multiple
messages encrypted with the same key.
• In this section, we give Eve further limited access to the ES
instantiated on the secret key k:
. Chosen-plaintext attack (CPA): Eve is given oracle access to Enck so
that she may obtain encryptions for any plaintext chosen by her.
. Chosen-ciphertext attack (CCA): Eve is given oracle access to both
Enck and Deck so that she may further obtain decryptions of
ciphertexts chosen by her.
• Oracle access: Eve can only observe the final output of the oracle, but
she cannot look into the oracle (black box); she cannot see k.
• This models the situation that Eve can trick – in a very general way –
Alice&Bob to en-/decrypt certain texts for her.
p.135 – Motivation

• Historical example for CPA [56]:

“In May 1942, US Navy cryptanalysts had discovered that Japan was
planning an attack on Midway island[...]. They had learned this by
intercepting a communication containing the ciphertext fragment
“AF” that they believed corresponded to the plaintext “Midway
islands”. Unfortunately, their attempts to convince Washington
planners that this was indeed the case were futile; the general belief
was that Midway could not possibly be the target. The Navy
cryptanalysts then [...] instructed the US forces at Midway to send a
plaintext message that their freshwater supplies were low. The
Japanese [...] immediately reported [...] that “AF” was low on water.”
• Public-key encryption: Eve can always encrypt herself as everybody
knows the public encryption key.
p.136 – Motivation
• Example of CCA: Needham-Schroeder protocol, 1978
A variant of this protocol describes how Alice and Bob can set up a
public-key communication using a trusted key distribution center
which stores their most recent public keys.
In its original version the protocol is vulnerable to a
man-in-the-middle attack first published by Gavin Lowe in 1995:
For this attack, Eve waits until Alice tries to set up communication
with her; Eve then immediately also initiates communication with
Bob, and intertwines the two protocol executions such that Bob in
the end mistakes Eve for Alice.
One essential step of this attack consists of Eve using Alice as
decryption oracle in order to decrypt a message sent by Bob to Alice.
(4th and 5th message in the attack described on Wikipedia)
• RSAES-PKCS1 (v1.5 padding): broken by a CCA-attack (Bleichenbacher’s
padding oracle attack, 1998), where a server that merely reports whether a
ciphertext decrypts to a correctly padded plaintext already serves as the
decryption oracle.
p.137 – CPA-security
• Definition: Game IndCPA:
1 Alice&Bob generate a random key $k := \mathrm{Gen}(1^n)$ and give Eve’s attack
A oracle access to $\mathrm{Enc}_k$.
2 Eve runs $A^{\mathrm{Enc}_k}(1^n)$ to obtain two sequences $\vec m_0, \vec m_1$ with
$\vec m_b = (m_b^{(1)}, \ldots, m_b^{(q)})$, $|m_0^{(j)}| = |m_1^{(j)}|$, and $m_b^{(i)} \in M_n$.
3 Alice&Bob choose $b \in \{0,1\}$ by tossing a fair coin,
compute $c^{(i)} = \mathrm{Enc}_k(m_b^{(i)})$ from left $i = 1$ to right $i = q$, and
send $\vec c = (c^{(1)}, \ldots, c^{(q)})$ to Eve.
4 Eve runs $A^{\mathrm{Enc}_k}(1^n, \vec c)$ to obtain her reply $r \in \{0,1\}$.
. Let $\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(A)$ be the event that $b = r$.
An ES E = (Gen, Enc, Dec) has indistinguishable (multiple)
encryptions under a chosen-plaintext attack (is CPA-secure) if every
PPT-attack A has only negligible advantage
$$\varepsilon_A(n) = \left|\Pr\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(A)\right] - \tfrac12\right|.$$
p.138 – CCA-security
• Definition: Game IndCCA:
1 Alice&Bob generate a random key $k := \mathrm{Gen}(1^n)$ and give Eve’s attack
A oracle access to $\mathrm{Enc}_k$ and $\mathrm{Dec}_k$.
2 Eve runs $A^{\mathrm{Enc}_k, \mathrm{Dec}_k}(1^n)$ to obtain two sequences $\vec m_0, \vec m_1$ with
$\vec m_b = (m_b^{(1)}, \ldots, m_b^{(q)})$, $|m_0^{(j)}| = |m_1^{(j)}|$, and $m_b^{(i)} \in M_n$.
3 Alice&Bob choose $b \in \{0,1\}$ by tossing a fair coin,
compute $c^{(i)} = \mathrm{Enc}_k(m_b^{(i)})$ from left $i = 1$ to right $i = q$, and
send $\vec c = (c^{(1)}, \ldots, c^{(q)})$ to Eve.
4 Eve runs $A^{\mathrm{Enc}_k, \mathrm{Dec}_k}(1^n, \vec c)$ to obtain her reply $r \in \{0,1\}$ where
$A^{\mathrm{Enc}_k, \mathrm{Dec}_k}$ is not allowed to query $\mathrm{Dec}_k$ for any $c^{(i)}$
(otherwise the game is trivially won).
. Let $\mathrm{Win}^{\mathrm{IndCCA}}_{n,E}(A)$ be the event that $b = r$.
An ES E = (Gen, Enc, Dec) has indistinguishable (multiple)
encryptions under an adaptive chosen-ciphertext attack (is
CCA-secure) if every PPT-attack A has only negligible advantage
$$\varepsilon_A(n) = \left|\Pr\left[\mathrm{Win}^{\mathrm{IndCCA}}_{n,E}(A)\right] - \tfrac12\right|.$$
p.139 – Example: Plaintext recovery under CPA

• Consider the experiment
$k := \mathrm{Gen}(1^n)$;
$m \in \{0,1\}^{l(n)}$ uniformly at random;
$c := \mathrm{Enc}_k(m)$;
$m' := B^{\mathrm{Enc}_k}(1^n, c)$;
WIN: $m' = m$
where $\{0,1\}^{l(n)} \subseteq M_n$.
. Ex*: Assume that the ES is CPA-secure.
Show that then every PPT-algorithm B can only succeed with negl.
prob. in $n$ in the above experiment.
• Semantic security under CPA (CCA) is equivalent to CPA-security
(CCA-security).
p.140 – Single vs. multiple encryptions

• Define $\mathrm{CPA}_{\mathrm{single}}$-security by restricting A to choose a single message
pair $m_0, m_1 \in M_n$ with $|m_0| = |m_1|$ instead of two message
sequences.
. Similarly, define $\mathrm{CCA}_{\mathrm{single}}$-security.
• Theorem:
An ES is $\mathrm{CPA}_{\mathrm{single}}$-secure iff it is CPA-secure.
An ES is $\mathrm{CCA}_{\mathrm{single}}$-secure iff it is CCA-secure.
. Obviously, indistinguishability w.r.t. multiple encryptions implies
indistinguishability w.r.t. a single encryption.
. We sketch the proof idea for the other direction.
p.141 – Single vs. multiple encryptions*
• Let A be an adversary challenging Alice&Bob on sequences $\vec m_0, \vec m_1$
consisting of at most $q = q(n)$ messages.
• For simplicity, assume always $\vec m_b = (m_b^{(1)}, \ldots, m_b^{(q)})$ for $b \in \{0,1\}$.
. We build from A an adversary B which challenges Alice&Bob on a
single message pair:
• Main idea: As B has oracle access to $\mathrm{Enc}_k$, it should be able to
simulate the encryption of multiple messages itself.
. Hence, let B pick a single message pair $(m_0^{(s)}, m_1^{(s)})$ from $\vec m_0, \vec m_1$.
• Simply choose one at random: $s \in [q]$ uniformly.
• Problem: B has to know which message $m_b^{(s)}$ Alice&Bob have picked
in order to encrypt the right $\vec m_b$ for A.
. Hybrid argument: B “interpolates” between $\vec m_0$ and $\vec m_1$:
$$\begin{aligned}
\vec m_0^{\,s} &= \bigl(m_0^{(1)}, \ldots, m_0^{(s-1)}, m_0^{(s)}, m_1^{(s+1)}, \ldots, m_1^{(q)}\bigr) \\
\vec m_1^{\,s} &= \bigl(m_0^{(1)}, \ldots, m_0^{(s-1)}, m_1^{(s)}, m_1^{(s+1)}, \ldots, m_1^{(q)}\bigr)
\end{aligned}$$
p.142 – Single vs. multiple encryptions*
• The reduction B (with A as subprocedure) in the game IndCPA:
1 Alice&Bob generate $k := \mathrm{Gen}(1^n)$ and run $B^{\mathrm{Enc}_k}(1^n)$.
2 B runs $A^{\mathrm{Enc}_k}(1^n)$ (forwarding A’s oracle queries) until A returns $\vec m_0, \vec m_1$.
3 B chooses $s \in [q]$ uniformly, computes $c^{(i)} := \mathrm{Enc}_k(m_0^{(i)})$ via its oracle for $i = 1$ to $i = s - 1$,
and returns the challenge $(m_0^{(s)}, m_1^{(s)})$.
4 Alice&Bob choose $b \in \{0,1\}$ uniformly, compute $c := \mathrm{Enc}_k(m_b^{(s)})$ and run $B^{\mathrm{Enc}_k}(1^n, c)$.
5 B sets $c^{(s)} := c$, computes $c^{(i)} := \mathrm{Enc}_k(m_1^{(i)})$ via its oracle for $i = s + 1$ to $i = q$,
runs $A^{\mathrm{Enc}_k}(1^n, \vec c)$ to obtain $r$, and returns $r$.
p.143 – Single vs. multiple encryptions*
• Probability that B wins the game IndCPA:
$$\Pr\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(B)\right] = \frac{1}{2q} \sum_{b \in \{0,1\},\, s \in [q]} \Pr_{b,s}\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(B)\right]$$
. Fixing $b$ and $s$ just means to consider the case where $\vec m_b^{\,s}$ is encrypted:
• For $b = 1, s = 1$: $\vec m_1^{\,1} = \vec m_1$.
• For $b = 0, s = q$: $\vec m_0^{\,q} = \vec m_0$.
• For $b = 0, s = i$ and $b = 1, s = i + 1$: $\vec m_0^{\,i} = \vec m_1^{\,i+1}$.
. By definition, $B^{\mathrm{Enc}_k}(1^n, c)$ forwards the reply of $A_q^{\mathrm{Enc}_k}(1^n, \vec c)$;
as $A_q^{\mathrm{Enc}_k}$ is an algorithm, its reply can only depend on its internal coin
tosses and its input $\vec c$.
p.144 – Single vs. multiple encryptions*
. Ex: Hence
• $\Pr_{b=0,s=q}\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(B)\right] = \Pr_{b=0}\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(A_q)\right]$,
• $\Pr_{b=1,s=1}\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(B)\right] = \Pr_{b=1}\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(A_q)\right]$, and
• $\Pr_{b=0,s=i}\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(B)\right] + \Pr_{b=1,s=i+1}\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(B)\right] = 1$
(same distribution of $\vec c$ in both cases, but B has to answer 0 in the first and 1 in the second).
. So, summing the $2q$ cases:
$$\Pr\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(B)\right] = \frac{1}{q}\Pr\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(A)\right] + \frac{q-1}{2q}$$
. In general, A might use less than $q = q(n)$ messages in some cases:
$$\left|\Pr\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(A)\right] - 1/2\right| \le q(n)\left|\Pr\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(B)\right] - 1/2\right|.$$
. But the product of a negligible advantage with a polynomial is again
negligible. $\square$
• The preceding result allows to resort to the easier setting of a single
encryption when proving CPA- or CCA-security.
p.145 – Single vs. multiple encryptions
• Corollary:
If E = (Gen, Enc, Dec) is a fixed-length (say $M_n = \{0,1\}^n$)
CPA-secure ES,
then E′ = (Gen, Enc′, Dec′) with
• $M'_n = (\{0,1\}^n)^*$, and $\mathrm{Enc}'_k(m) = \mathrm{Enc}_k(m^{(1)}) \,\|\, \ldots \,\|\, \mathrm{Enc}_k(m^{(s)})$
is also CPA-secure.
. This construction does not preserve CCA-security:
Assume E is CCA-secure with $M_n = \{0,1\}^n$.
Define A for E′ as follows:
• Output $m_0 = 0^n \,\|\, 0^n$ and $m_1 = 1^n \,\|\, 0^n$.
• When given $c = c^{(1)} \,\|\, c^{(2)}$, make the single query $c^{(1)} \,\|\, \mathrm{Enc}_k(1^n)$ to
$\mathrm{Dec}_k$ (this query differs from $c$, as $c^{(2)}$ decrypts to $0^n$ while the fresh
block decrypts to $1^n$, so it is allowed).
. Return 0 iff $0^n$ is the first half of the returned decryption.
p.146 – How to achieve CPA-security
• Ideally, we would like to use for each new encryption a “fresh”
one-time pad.
. Because of the perfect secrecy, all ciphertexts then would be of no use
to Eve; the ciphertexts would simply be random strings.
• Using a variable-length PRG G we can emulate this:
. By definition, for any fixed polynomial stretch $l(n)$,
$G_l(x) := G(x, 1^{l(|x|)})$
is a PRG.
• E.g. let $l(n)$ be the running time of an attack $A(1^n)$.
. Also any part of $G_l(x)$ has to be indistinguishable for PPT-Eve from
a truly random string.
. Any unused part of the output of $G_l(x)$ is almost as good as a fresh
OTP.
p.147 – Stateful counter (sCTR) mode
. Definition: stateful counter mode (sCTR) for a vl-PRG G
For $s \le s'$ and $G(x, 1^{s'}) = y_1 y_2 \ldots y_s \ldots y_{s'}$,
let $G(x)[s, s'] = y_s \ldots y_{s'}$. (Recall the “prefix property” of G.)
• $K_n = \{0,1\}^n$, $M_n = \{0,1\}^{\ge n}$, $C_n = \{0,1\}^{\ge n}$
• Gen: On input $1^n$, output $k \in K_n$ uniformly at random.
• Enc: Static variable $\mathrm{ctr}$; initially $\mathrm{ctr} = 0$.
On input $k \in K_n$ and $m \in M_n$,
compute $c = \lfloor \mathrm{ctr} \rceil \,\|\, \bigl(m \oplus G(k)[\mathrm{ctr} + 1, \mathrm{ctr} + |m|]\bigr)$.
• Where $\lfloor \cdot \rceil$ encodes $\mathrm{ctr}$ as an $n$-bit string.
. So, encrypt no more than $2^n$ bits with a single $k$ (throw an exception
once $\mathrm{ctr}$ would overflow).
Set $\mathrm{ctr} := \mathrm{ctr} + |m|$, then output $c$.
• Dec: On input $k \in K_n$ and $c = \lfloor \mathrm{ctr} \rceil \,\|\, c' \in C_n$, read the first $n$ bits as the value of
$\mathrm{ctr}$, then decrypt the remaining bits as $c' \oplus G(k)[\mathrm{ctr} + 1, \mathrm{ctr} + |c'|]$.
p.148 – Stateful counter (sCTR) mode using block ciphers
• In practice, e.g. a block cipher B (block length $l$) is used for G:
• E.g. $G(k, 1^{l \cdot s}) = B_k(\lfloor 1 \rceil) \,\|\, B_k(\lfloor 2 \rceil) \,\|\, \ldots \,\|\, B_k(\lfloor s \rceil)$.
• Then $M = (\{0,1\}^l)^*$.
. Remember in $\mathrm{ctr}$ the number of blocks encrypted so far.
[Figure: sCTR mode with a block cipher. $c^{(0)} = \lfloor \mathrm{ctr} \rceil$;
for $i = 1, \ldots, t$: $c^{(i)} = m^{(i)} \oplus B_k(\lfloor \mathrm{ctr} + i \rceil)$.]
• Advantage of using a block cipher as a PRG of variable stretch:
• “random access” to the pseudorandom output stream: $B_k(\lfloor i \rceil)$ does
not depend on $B_k(\lfloor i + 1 \rceil)$.
• Allows to process message blocks in parallel.
p.149 – Stateful counter (sCTR) mode
• Theorem: G-sCTR is CPA-secure if G is a variable-length PRG.
. Proof sketch:
. Canonical approach:
From a PPT-adversary A for the game IndCPA vs. G-sCTR
• Let $T(n)$ be the running time of A.
. A can only encrypt messages of length $T(n)$ in total.
we construct a PPT-distinguisher D for G for fixed stretch $T(n)$.
• D simulates the interaction of A and G-sCTR in the game IndCPA.
. D gets as input $y = y_1 y_2 \ldots y_{T(n)}$.
. D uses $y$ to emulate the encryption: $\lfloor \mathrm{ctr} \rceil \,\|\, \bigl(m \oplus y[\mathrm{ctr} + 1, \mathrm{ctr} + |m|]\bigr)$
• Recall the prefix-property of G.
• If $y = G(x, 1^{T(n)})$, then this is exactly $\mathrm{Enc}_x(m)$.
• D answers all oracle-queries by A in this way.
p.150 – Stateful counter (sCTR) mode
• The distinguisher D (with $A_{\mathrm{IndCPA}}$ as subprocedure) in the game IndPRG:
1 Alice&Bob choose $b \in \{0,1\}$ uniformly; if $b = 0$ they pick $y \in \{0,1\}^{T(n)}$ uniformly,
if $b = 1$ they pick $x \in \{0,1\}^n$ uniformly and set $y = G(x, 1^{T(n)})$; they pass $y$ to D.
2 D uses $y$ as if $y = G(x, 1^{T(n)})$ to emulate $\mathrm{Enc}_x$ and runs $A^{\mathrm{Enc}_x}_{\mathrm{IndCPA}}(1^n)$,
which returns $m_0, m_1 \in \{0,1\}^n$.
3 D chooses $b' \in \{0,1\}$ uniformly, computes $c = \mathrm{Enc}_x(m_{b'})$ (again emulated with $y$)
and runs $A^{\mathrm{Enc}_x}_{\mathrm{IndCPA}}(1^n, c)$, which returns $r'$.
4 D returns $r := (r' \overset{?}{=} b')$.
• D wins in the
. “real world” ($b = 1$) iff A wins vs. G-sCTR in IndCPA.
. “perfect world” ($b = 0$) iff A loses vs. the “OTP” in IndEd.
p.151 – Stateful counter (sCTR) mode
• Case $b = 0$ with $y \in \{0,1\}^{T(n)}$ uniform: the interaction can be read as an attack $A_{\mathrm{IndEd}}$
(with $A_{\mathrm{IndCPA}}$ as subprocedure) on the perfectly secret OTP:
1 $A_{\mathrm{IndEd}}$ picks $y \in \{0,1\}^{T(n) - n}$ uniformly and uses $y$ to emulate $\mathrm{Enc}_x$ for the oracle queries;
it runs $A^{\mathrm{Enc}_x}_{\mathrm{IndCPA}}(1^n)$, which returns $m_0, m_1 \in \{0,1\}^n$, and forwards $m_0, m_1$ to Alice&Bob.
2 Alice&Bob choose $b' \in \{0,1\}$ and an OTP key $k \in \{0,1\}^n$ uniformly,
compute $c = m_{b'} \oplus k$ and pass $c$ to $A_{\mathrm{IndEd}}$.
3 $A_{\mathrm{IndEd}}$ sets $c := \lfloor \mathrm{ctr} \rceil \,\|\, c$ and $\mathrm{ctr} := \mathrm{ctr} + |m_0|$,
runs $A^{\mathrm{Enc}_x}_{\mathrm{IndCPA}}(1^n, c)$, which returns $r'$, and returns $r := (r' \overset{?}{=} b')$.
• So, D correctly outputs $r = b = 0$ iff $r' \neq b'$ iff $A_{\mathrm{IndEd}}$ loses against
the perfectly secret OTP in the game IndEd.
. $\Pr_{y \in \{0,1\}^{T(n)}}[D(1^n, y) = 0] = 1/2$.
p.152 – Stateful counter (sCTR) mode
• Case $b = 1$: $y = G(x, 1^{T(n)})$ with $x \in \{0,1\}^n$ uniform: the interaction is exactly the game IndCPA:
1 Alice&Bob pick $x \in \{0,1\}^n$ uniformly and pass $\mathrm{Enc}_x$ as oracle to $A_{\mathrm{IndCPA}}$,
which returns $m_0, m_1 \in \{0,1\}^n$.
2 Alice&Bob choose $b' \in \{0,1\}$ uniformly, compute $c = \mathrm{Enc}_x(m_{b'})$ and pass $c$ to $A_{\mathrm{IndCPA}}$,
which returns $r'$; D returns $r := (r' \overset{?}{=} b')$.
• In this case, D correctly outputs $r = b = 1$ iff $r' = b'$ iff $A_{\mathrm{IndCPA}}$
wins the game IndCPA vs. G-sCTR.
. $\Pr_{x \in \{0,1\}^n}\left[D(1^n, G(x, 1^{T(n)})) = 1\right] = \Pr\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,\text{G-sCTR}}(A_{\mathrm{IndCPA}})\right]$.
• In total:
$$\Pr\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,\text{G-sCTR}}(A_{\mathrm{IndCPA}})\right] - \tfrac12
= 2\left(\Pr\left[\mathrm{Win}^{\mathrm{IndPRG}}_{n,G}(D)\right] - \tfrac12\right).$$
p.153 – Outlook: How to achieve CCA-security
• Lemma: G-sCTR is not CCA-secure:
. Proof: Consider the following $A_{\mathrm{IndCCA}}$
1 Output $m_0 = 0^n$ and $m_1 = 1^n$.
2 Receive $c = \lfloor \mathrm{ctr} \rceil \,\|\, c'$.
3 Flip the last bit of $c$ and, thus, of $c'$: $\tilde c = c \oplus 0^n 0^{n-1} 1$.
4 As $\tilde c \neq c$, query the decryption oracle for its decryption.
5 Return 0 iff the oracle returns $0^{n-1} 1$.
. The crucial step is that $A_{\mathrm{IndCCA}}$ can easily forge a new ciphertext
whose plaintext is related in a known way to the challenge plaintext (malleability).
. Idea: use a MAC so that Alice&Bob resp. the decryption oracle can
authenticate the origin of a ciphertext.
. The MAC will allow the decryption oracle to reject ciphertexts forged
by Eve, thus, forcing her back to the CPA-setting.
. “CPA-secure ES + secure MAC = CCA-secure ES”
Pseudorandom functions and stateless CPA-secure
ES
p.155 – Secure block ciphers

• As stated before, sCTR mode is often used with a block cipher B:
$G(k, 1^{l \cdot q}) = B_k(\lfloor 1 \rceil) \,\|\, B_k(\lfloor 2 \rceil) \,\|\, \ldots \,\|\, B_k(\lfloor q \rceil)$
. How to define “secure block cipher”?
. Lazy approach: we want our proof for sCTR still to work, so
$G_q(k) = B_k(\lfloor 1 \rceil) \,\|\, B_k(\lfloor 2 \rceil) \,\|\, \ldots \,\|\, B_k(\lfloor q \rceil)$
should be a PRG w.r.t. some concrete $(t, q, \varepsilon)$-bound.
• Where $\lfloor \cdot \rceil$ is the chosen encoding of $\mathbb{Z}_{2^l}$ in $\{0,1\}^l$.
• What kind of encoding: lsbf or msbf? Gray code? big or little endian?
...
. We don’t want to have to care what encoding is used.

p.156 – Secure block ciphers

• Idea: let Eve define a “worst” encoding adaptively, i.e.:
• Choose some secret $k$.
• For $i = 1$ to some $q$:
Eve may choose some $x_i$ (“$\lfloor i \rceil$”) for which she is given $B_k(x_i)$.
Her choice of $x_i$ may depend on $B_k(x_1) \,\|\, \ldots \,\|\, B_k(x_{i-1})$ seen so far.
. Again: Eve should not be able to distinguish the “real world”
(above) from the “perfect world”:
• In the “perfect world” she is given a uniformly random $y_i \in \{0,1\}^l$ instead of $B_k(x_i)$,
• except, if $x_i = x_j$ for $i < j$, set $y_j := y_i$ to be consistent.
. Remark: For now we neglect that $B_k$ should be a permutation.
See later the notion of pseudorandom permutation.
p.157 – Pseudorandom functions (PRF)
• Definition: Let $F(k, x) =: F_k(x)$ be a DPT-comp. function which
• for every $k \in \{0,1\}^n$ defines a function $F_k : \{0,1\}^{l_{\mathrm{in}}(n)} \to \{0,1\}^{l_{\mathrm{out}}(n)}$.
• The length $n$ of $k$ determines the input and output length.
. $l_{\mathrm{in}}(n), l_{\mathrm{out}}(n)$ are polynomially bounded in $n$.
F is a PRF if every PPT-alg. D has negl. adv. in the game IndPRF:
1 Alice&Bob set up two oracles $O_0$ and $O_1$:
$O_0$, the “random function oracle (RO)”: Init: create an empty hashmap $T$.
Query: on input $x \in \{0,1\}^{l_{\mathrm{in}}(n)}$, if $T[x]$ is undefined, set $T[x] := y$ for a
uniformly random $y \in \{0,1\}^{l_{\mathrm{out}}(n)}$; return $T[x]$.
$O_1$, replying using F: Init: create a uniformly random $k \in \{0,1\}^n$.
Query: on input $x \in \{0,1\}^{l_{\mathrm{in}}(n)}$, return $F_k(x)$.
They toss a fair coin $b \in \{0,1\}$ and pass $O_b$ in a black box $O$ to Eve.
2 Eve runs $D^O(1^n)$ to obtain a reply $r$.
. Let $\mathrm{Win}^{\mathrm{IndPRF}}_{n,F}(D)$ denote the event that $r = b$.
p.158 – Pseudorandom functions (PRF)

• Ex: $F_k(x) = x \oplus k$ with $n = l_{\mathrm{in}}(n) = l_{\mathrm{out}}(n)$ is not a PRF.
• Ex: Let $d(n) = l_{\mathrm{in}}(n) = l_{\mathrm{out}}(n) = \lfloor \sqrt{n} \rfloor$.
Given $k \in \{0,1\}^n$, take the first $d(n)^2$ bits of $k$ to define a
$d(n) \times d(n)$-matrix $M_k$:
$$M_k = \begin{pmatrix}
k_0 & \ldots & k_{d(n)-1} \\
k_{d(n)} & \ldots & k_{2d(n)-1} \\
 & \vdots & \\
k_{d(n)(d(n)-1)} & \ldots & k_{d(n)^2-1}
\end{pmatrix}$$
and define $F_k(x) = M_k \cdot x$ with matrix-vector multiplication mod 2.
Is this a PRF?
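An added example (not code from the lecture): the game IndPRF of p.157 with the lazily sampled random function oracle, played in Python against both candidates of the two exercises above. Key, input and output lengths are small illustrative values ($n = 16$ for $x \oplus k$, $d = 4$ with a 16-bit key for the matrix function); these are assumptions for the demonstration. One and the same distinguisher breaks both, because both functions are affine over $\mathrm{GF}(2)$.

```python
import random


class RandomOracle:
    """O_0 of the IndPRF game: a lazily sampled random function
    {0,1}^{l_in} -> {0,1}^{l_out}, stored in the hash map T."""

    def __init__(self, l_out, rng):
        self.T, self.l_out, self.rng = {}, l_out, rng

    def query(self, x):
        if x not in self.T:
            self.T[x] = self.rng.getrandbits(self.l_out)
        return self.T[x]


class KeyedFunction:
    """O_1 of the IndPRF game: answers with F_k(x) under a fixed random key k."""

    def __init__(self, f, k):
        self.f, self.k = f, k

    def query(self, x):
        return self.f(self.k, x)


def f_xor(k, x):
    """Ex p.158: F_k(x) = x xor k, with n = l_in = l_out."""
    return x ^ k


def f_matrix(k, x, d):
    """Ex p.158: F_k(x) = M_k * x mod 2, where M_k is the d x d 0/1 matrix built
    from the first d*d bits of k (row i = key bits i*d ... i*d+d-1) and x is a
    d-bit column vector (bit j of x = coordinate j)."""
    y = 0
    for i in range(d):
        row = (k >> (i * d)) & ((1 << d) - 1)   # row i of M_k as a bit mask
        bit = bin(row & x).count("1") & 1       # inner product of row i and x, mod 2
        y |= bit << i
    return y


def linearity_distinguisher(oracle):
    """D^O with four queries. For any function affine over GF(2),
    O(a) xor O(b) xor O(a xor b) = O(0) for all a, b; for a random function
    the relation holds only with probability 2^{-l_out}.
    Output 1 ("the oracle is F") iff the relation holds."""
    a, b = 1, 2
    lhs = oracle.query(a) ^ oracle.query(b) ^ oracle.query(a ^ b)
    return 1 if lhs == oracle.query(0) else 0


def ind_prf(f, key_bits, out_bits, trials, seed):
    """Play IndPRF `trials` times and return the distinguisher's win rate.
    For a PRF this would stay near 1/2; for both exercise functions it is
    about 1 - 2^{-out_bits}/2."""
    rng = random.Random(seed)  # seeded only for reproducibility
    wins = 0
    for _ in range(trials):
        b = rng.getrandbits(1)
        if b == 0:
            oracle = RandomOracle(out_bits, rng)
        else:
            oracle = KeyedFunction(f, rng.getrandbits(key_bits))
        wins += linearity_distinguisher(oracle) == b
    return wins / trials
```

The distinguisher never needs the key: the test is a relation between oracle answers only, which is why no amount of key length helps these two constructions.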
p.159 – Pseudorandom functions (PRF)

• Ex: Assume Alice receives a phone call by someone claiming to be


Bob. She now wants to verify that the caller is indeed Bob. How can
she use a PRF F and a key k ∈ {0, 1}n exclusively known to her and
Bob to do so?
Your authentication method should work in the presence of an
efficient eavesdropper Eve who may eavesdrop several phone calls
between Alice and Bob and who eventually tries to impersonate Bob.
Try to give a formal definition of the security you would require in this
scenario.
p.160 – Pseudorandom functions (PRF): Random oracle

• Definition: Random (function) oracle (RO)
Init: create an empty hashmap $T$;
Query: on input $x \in \{0,1\}^{l_{\mathrm{in}}(n)}$,
if $T[x]$ is undefined, set $T[x] := y$ for a uniformly random $y \in \{0,1\}^{l_{\mathrm{out}}(n)}$;
return $T[x]$;
. Random oracles serve as “ideal” to which we compare some
algorithm/function, e.g. a block cipher.
• Convention:

If not stated otherwise, the domain and codomain (range) of a


random oracle are implicitly assumed to match the domain and
codomain of the considered algorithm/function.
p.161 – Pseudorandom functions (PRF): Random oracle
. Random oracles with domain {0, 1}∗ are also used as an (unrealistic)
ideal of hash functions (later):
Ex: Assume a RO which takes an arbitrary number of bits as input,
and outputs a hash consisting of n bits.
What is the probability for any two distinct inputs m0 , m1 that their
hash values are the same?
. Random oracles with codomain $\{0,1\}^*$ can be considered ideal PRGs:
Given a seed $x$, the RO returns a stream of independent equiprobable bits.
Assume Alice and Bob could share such a RO and use it in stateful or
randomized CTR.
(ROs are handy!)
. Random permutation oracle (RPO):
A random oracle which not only implements a function, but a
permutation.
p.162 – Pseudorandom functions (PRF)
• Ex: Let F be a PRF with $n = l_{\mathrm{in}}(n) = l_{\mathrm{out}}(n)$.
For any PPT-encoding $\lfloor \cdot \rceil : \mathbb{Z}_{2^n} \to \{0,1\}^n$ and any polynomial $l(n)$,
$G_l(k) = F_k(\lfloor 1 \rceil) \,\|\, F_k(\lfloor 2 \rceil) \,\|\, \ldots \,\|\, F_k(\lfloor l(n) \rceil)$ is a PRG of stretch $n \cdot l(n)$.
Conclude that F-sCTR is CPA-secure if F is a PRF.
• Ex: Show that PRFs with $l_{\mathrm{out}}(n) \cdot 2^{l_{\mathrm{in}}(n)} \le n$ exist (unconditionally).
• Ex: Let G be a PRG of stretch $l_G(n) = 2n$.
Split $G(k) =: G_0(k) \,\|\, G_1(k)$ into two $n$-bit strings.
• Define $F^{(1)}_k(0) := G_0(k)$ and $F^{(1)}_k(1) := G_1(k)$.
Show: $F^{(1)}$ is a PRF with $l_{\mathrm{in}}(n) = 1$ and $l_{\mathrm{out}}(n) = n$.
• Set $F^{(2)}_k(x_1 x_2) := G_{x_2}(F^{(1)}_k(x_1))$ for $x_1 x_2 \in \{0,1\}^2$.
Show*: $F^{(2)}$ is a PRF with $l_{\mathrm{in}}(n) = 2$ and $l_{\mathrm{out}}(n) = n$.
p.163 – Pseudorandom functions (PRF)
[Figure: the tree of the construction. Root: $k$. Level 1: $G_0(k) =: F^{(1)}_k(0)$
(left child, edge label 0) and $G_1(k) =: F^{(1)}_k(1)$ (right child, edge label 1).
Level 2: $G_0(G_0(k)) =: F^{(2)}_k(00)$, $G_1(G_0(k)) =: F^{(2)}_k(01)$,
$G_0(G_1(k)) =: F^{(2)}_k(10)$, $G_1(G_1(k)) =: F^{(2)}_k(11)$.
Level 3, e.g.: $G_1(G_1(G_0(k))) =: F^{(3)}_k(011)$. In general $F^{(i)}_k(x_1 \ldots x_i)$ is the
node reached from $k$ by following the edges labelled $x_1, \ldots, x_i$.]

• Theorem: (See e.g. Theorem 3.6.5 in [46] or Theorem 6.25 in [56].)

PRGs exist iff PRFs with lin (n) = lout (n) = n exist.
• Ex: Why can’t we simply take a PRG of stretch n · 2n , and read its
output G(k) as the table of a PRF Fk with n = lin (n) = lout (n)?
How does the tree construction avoid this problem?
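An added example, not part of the slides: the tree construction of the exercise on p.162 (Goldreich-Goldwasser-Micali) in Python. It assumes a length-doubling PRG G, approximated here by two domain-separated SHA-256 calls (an assumption for the demonstration, not a PRG by proof). It also answers the question just asked: $F_k(x)$ is computed with $|x|$ PRG calls by walking the path labelled $x$, whereas a PRG of stretch $n \cdot 2^n$ would have to write out the whole exponentially large table.

```python
import hashlib

N = 32  # seed and output length n in bytes


def G(k):
    """Length-doubling PRG G: {0,1}^n -> {0,1}^{2n}, returned as (G_0(k), G_1(k)).
    Two domain-separated SHA-256 calls stand in for a real PRG (assumption)."""
    return hashlib.sha256(b"\x00" + k).digest(), hashlib.sha256(b"\x01" + k).digest()


def ggm_prf(k, x, depth):
    """F^{(depth)}_k(x): x is an integer < 2^depth read as the bit string
    x_1 ... x_depth (most significant bit first). Walk down the tree from the
    root k, taking the left child G_0 on bit 0 and the right child G_1 on bit 1:
    `depth` PRG calls, no table of size 2^depth."""
    if not 0 <= x < (1 << depth):
        raise ValueError("input outside {0,1}^depth")
    node = k
    for i in range(depth - 1, -1, -1):
        node = G(node)[(x >> i) & 1]
    return node


def ggm_table(k, depth):
    """Full table of F^{(depth)}_k, feasible only for tiny depth (2^depth entries).
    This is what a PRG of stretch n * 2^n would have to output in one go."""
    return [ggm_prf(k, x, depth) for x in range(1 << depth)]


def ggm_prf_bytes(k, x):
    """The PRF on byte-string inputs, i.e. l_in = 8 * len(x) bits."""
    return ggm_prf(k, int.from_bytes(x, "big"), 8 * len(x))
```

Evaluation cost grows linearly with the input length while the table grows exponentially, and the security reduction of the exercise (a hybrid over the path) only ever touches the nodes on queried paths, which is why the table never has to exist.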
p.164 – Pseudorandom functions (PRF)
• Our definition of PRF is asymptotic:
. This corresponds to secure block ciphers which allow to increase their
key and block length arbitrarily.
• Definition of $(t, q, \varepsilon)$-PRF analogously: (see also here (Section 3.6))
• Fix $n$, and restrict the running time of D to $t$, and its number of oracle
queries to $q$.
. Example: Let $T_{\mathrm{AES}}$ be the number of steps done by AES, and $c$ a
constant modeling the speed of the used computer.
Conjecture: Every $(t, q)$-adversary has advantage
$$\varepsilon \le c \cdot \frac{t / T_{\mathrm{AES}}}{2^{128}} + \frac{q^2}{2^{64}}$$
in the game IndPRF.
• One advantage of PRFs: we can build stateless CPA-secure ES
• Stateful ES require Alice&Bob to synchronize when using the same key
for bidirectional communication.
. PRFs allow to “forget the value of ctr” and instead simply “guess an
unused value for ctr”.
p.165 – Randomized counter (rCTR) mode

. Definition: rCTR mode for a PRF F
• $K_n = \{0,1\}^n$, $M_n = (\{0,1\}^{l_{\mathrm{out}}(n)})^*$, $C_n = \{0,1\}^{l_{\mathrm{in}}(n)} (\{0,1\}^{l_{\mathrm{out}}(n)})^*$
• Gen: On input $1^n$, output $k \in K_n$ uniformly at random.
• Enc: On input $k \in K_n$ and $m = m^{(1)} \,\|\, \ldots \,\|\, m^{(t)} \in M_n$,
choose $\mathrm{ctr} \in \mathbb{Z}_{2^{l_{\mathrm{in}}(n)}}$ uniformly at random, and set $c^{(0)} := \lfloor \mathrm{ctr} \rceil$;
for $i = 1$ to $i = t$ compute $c^{(i)} := m^{(i)} \oplus F_k(\lfloor \mathrm{ctr} + i \rceil)$;
output $c = c^{(0)} \,\|\, c^{(1)} \,\|\, \ldots \,\|\, c^{(t)}$.
• Dec: Ex
• Theorem: F-rCTR is CPA-secure if F is a PRF.

p.166 – Randomized counter (rCTR) mode

• Schematic representation of F-rCTR:
[Figure: $c^{(0)} = \lfloor \mathrm{ctr} \rceil$ with $\mathrm{ctr} \in \mathbb{Z}_{2^l}$ uniform;
for $i = 1, \ldots, t$: $c^{(i)} = m^{(i)} \oplus F_k(\lfloor \mathrm{ctr} + i \rceil)$.]
• Analogous to F-sCTR mode: parallel processing of message blocks.

p.167 – Randomized counter (rCTR) mode

• Proof sketch:

• Assume that the used PRF F represents a block cipher of block


length l(n) = lin (n) = lout (n).
• Canonical approach:

Let A be any PPT-adversary for F -rCTR in the game IndCPA.


Build a PPT-adversary D for F in the game IndPRF.
D plays the game IndCPA vs. A.
D uses O-rCTR to encrypt all messages.
• Both the queries by A and the encryption by Alice&Bob.

. Recall:
W.l.o.g. we may assume that A only outputs a single message pair.
p.168 – Randomized counter (rCTR) mode
• The distinguisher D (with A as subprocedure) in the game IndPRF:
1 Alice&Bob choose $b \in \{0,1\}$ uniformly; if $b = 0$ they set $O :=$ RO,
if $b = 1$ they pick $k \in \{0,1\}^n$ uniformly and set $O := F_k$; they pass $O$ to D.
2 D uses $O$ in place of $F_k$ to implement $\mathrm{Enc}_k$ (O-rCTR) and runs $A^{\mathrm{Enc}_k}(1^n)$,
which returns $(m_0, m_1)$ with $|m_0| = |m_1|$.
3 D chooses $b' \in \{0,1\}$ uniformly, computes $c = \mathrm{Enc}_k(m_{b'})$ and runs $A^{\mathrm{Enc}_k}(1^n, c)$,
which returns $r'$.
4 D returns $r := (r' \overset{?}{=} b')$.
• “Real world” ($b = 1$): D wins iff A wins vs. F-rCTR.
• “Perfect world” ($b = 0$): D wins iff A loses vs. RO-rCTR.
• Previously (prOTP/sCTR): Both schemes yield a OTP in the perfect
world so that A wins with prob. 1/2.
• Now (rCTR): Argue that rCTR mode with a perfect block cipher RO
yields a OTP almost all the time.
p.169 – Randomized counter (rCTR) mode

• RO-rCTR:
. on input $m = m^{(1)} \,\|\, \ldots \,\|\, m^{(t)}$, choose $\mathrm{ctr} \in \mathbb{Z}_{2^{l(n)}}$ uniformly,
output $\lfloor \mathrm{ctr} \rceil \,\|\, m^{(1)} \oplus \mathrm{RO}(\lfloor \mathrm{ctr} + 1 \rceil) \,\|\, \ldots \,\|\, m^{(t)} \oplus \mathrm{RO}(\lfloor \mathrm{ctr} + t \rceil)$.
. Let $\vec x = (x_1, \ldots, x_{q(n)})$ be the sequence of all values for which RO is
queried:
• $x_i$ is the $i$-th query; the queries do not need to be distinct.
• $q(n)$ is the total number of encrypted message blocks in the course of
the game IndCPA.
. Overapproximation: If $\vec x$ consists of $q(n)$ distinct values,
then just as in sCTR mode:
the sequence of all message blocks is encrypted using one big OTP by
definition of RO.
p.170 – Randomized counter (rCTR) mode
• Prob. $\Pr[\text{“no OTP”}]$, i.e. some $x_i$ is used twice.
• For simplicity, assume that all $x_i$ are chosen uniformly at random and
independently of each other.
• E.g. when A only uses messages of length exactly $l(n)$, i.e. single-block messages.
. $\Pr_{x_i, x_j \in \{0,1\}^{l(n)}}[x_i = x_j] = 2^{-l(n)}$
. $\Pr[\text{“no OTP”}] = \Pr_{x_1, \ldots, x_q \in \{0,1\}^{l(n)}}\left[\bigvee_{i \neq j} x_i = x_j\right] \le \binom{q(n)}{2} 2^{-l(n)}$.
• Ex: Assume that in total $e(n)$ messages are encrypted, each
consisting of at most $s(n)$ blocks.
Show that $\Pr[\text{“no OTP”}] \le \dfrac{e(n)^2 s(n)}{2^{l(n)}}$.
• Safe upper bound: $\Pr[\text{“no OTP”}] \le \dfrac{q(n)^2}{2^{l(n)}}$.
. “rCTR mode yields a OTP in the perfect world except for a negl.
fraction of cases.”
p.171 – Randomized counter (rCTR) mode
• So, with E the ES used by D in the “perfect world”:
$$\Pr\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,\text{RO-rCTR}}(A)\right] \le \tfrac12 \cdot \Pr[\text{“OTP”}] + 1 \cdot \Pr[\text{“no OTP”}]
\le \tfrac12 + \frac{q(n)^2}{2^{l(n)}}$$
• All in all:
$$\begin{aligned}
2\Pr\left[\mathrm{Win}^{\mathrm{IndPRF}}_{n,F}(D)\right]
&= \Pr\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,\text{F-rCTR}}(A)\right] + 1 - \Pr\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,\text{RO-rCTR}}(A)\right] \\
&\ge \Pr\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,\text{F-rCTR}}(A)\right] + \tfrac12 - \frac{q(n)^2}{2^{l(n)}}
\end{aligned}$$
. I.e.:
$$\Pr\left[\mathrm{Win}^{\mathrm{IndCPA}}_{n,\text{F-rCTR}}(A)\right] - \tfrac12
\le 2\left(\Pr\left[\mathrm{Win}^{\mathrm{IndPRF}}_{n,F}(D)\right] - \tfrac12\right) + \frac{q(n)^2}{2^{l(n)}}$$
p.172 – Randomized counter (rCTR) mode

. Consequence of this analysis:
Besides the key length, also the block length of a block cipher should
be sufficiently large – at least when used in rCTR mode.
• Probability for a collision (see appendix) when choosing $q$ values
uniformly from $\{1, \ldots, N\}$ independently of each other:
$\Theta\left(\frac{q^2}{2N}\right)$ (for $q \ll \sqrt{N}$).
• E.g. for DES we have $l = 64$, i.e. $N = 2^{64}$.
If Eve can obtain $q = 2^{32}$ blocks (32 GiB) of encrypted data, the
security bound becomes meaningless, and with prob. roughly 1/2 some
random value for ctr is used at least twice.
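An added example (not the lecture's own code) that serves two passages at once: rCTR mode of p.165, including the Dec left as exercise, together with the bit-flipping IndCCA attack of p.153 (it applies to rCTR exactly as to sCTR, since both are XOR masks) and the “CPA-secure ES + secure MAC” fix sketched there, instantiated as encrypt-then-MAC; and the collision bound of p.170-172 evaluated for the DES figures above. Assumptions: HMAC-SHA256 truncated to 128 bits plays the PRF $F$ (block length $l = 128$) and full HMAC-SHA256 under an independent key plays the MAC; the birthday figure uses the standard approximation $1 - e^{-q(q-1)/2N}$.

```python
import hashlib
import hmac
import math
import os

L = 16  # block length l in bytes (128 bits); l_in = l_out = l


def prf(k, x):
    """F_k(x): HMAC-SHA256 truncated to l bytes stands in for a PRF / block cipher
    (assumption: HMAC-SHA256 under a uniform key behaves as a PRF)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:L]


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def _pad(k, ctr, i):
    """F_k(<ctr + i>) with the counter taken modulo 2^l, encoded big-endian."""
    return prf(k, ((ctr + i) % (1 << (8 * L))).to_bytes(L, "big"))


def rctr_enc(k, m, ctr=None):
    """rCTR Enc (p.165): choose ctr uniformly (os.urandom, unless a test supplies one),
    c^(0) = <ctr>, c^(i) = m^(i) xor F_k(<ctr + i>). m must be a whole number of blocks."""
    if len(m) % L:
        raise ValueError("message length must be a multiple of the block length")
    if ctr is None:
        ctr = int.from_bytes(os.urandom(L), "big")
    c = [ctr.to_bytes(L, "big")]
    for i in range(len(m) // L):
        c.append(xor(m[i * L:(i + 1) * L], _pad(k, ctr, i + 1)))
    return b"".join(c)


def rctr_dec(k, c):
    """rCTR Dec (the 'Ex' on p.165): read ctr from c^(0), regenerate the pads, xor."""
    ctr, body = int.from_bytes(c[:L], "big"), c[L:]
    return b"".join(xor(body[i * L:(i + 1) * L], _pad(k, ctr, i + 1))
                    for i in range(len(body) // L))


def flip_low_bit(c, byte_index=-1):
    """The IndCCA attack of p.153: c~ = c xor 0...01 is a new ciphertext that decrypts
    to m xor 0...01, so a single Dec query on c~ reveals which of 0^n, 1^n was encrypted."""
    idx = byte_index % len(c)
    return c[:idx] + bytes([c[idx] ^ 1]) + c[idx + 1:]


def etm_enc(k_enc, k_mac, m, ctr=None):
    """Encrypt-then-MAC ("CPA-secure ES + secure MAC"): append an HMAC-SHA256 tag over
    the whole rCTR ciphertext, computed under an independent key k_mac."""
    c = rctr_enc(k_enc, m, ctr)
    return c + hmac.new(k_mac, c, hashlib.sha256).digest()


def etm_dec(k_enc, k_mac, ct):
    """Verify the tag (constant-time compare) before decrypting; return None for a
    forgery. This is what lets the decryption oracle reject Eve's modified ciphertexts."""
    c, tag = ct[:-32], ct[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, c, hashlib.sha256).digest()):
        return None
    return rctr_dec(k_enc, c)


def collision_bound(l_bits, q):
    """Pr["no OTP"] for q uniform counters out of N = 2^l: the safe bound q^2 / N of
    p.170 and the standard birthday approximation 1 - exp(-q(q-1)/(2N))."""
    N = 2 ** l_bits
    return min(1.0, q * q / N), 1.0 - math.exp(-q * (q - 1) / (2 * N))
```

For DES-sized blocks, `collision_bound(64, 2**32)` gives the bound $1.0$ (vacuous) and a collision probability of about $0.39$, while the same $q$ against a 128-bit block leaves the approximation at roughly $2^{-65}$.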
p.173 – Randomized output feedback (rOFB) mode

. Definition: rOFB for a PRF F with $l(n) = l_{\mathrm{in}}(n) = l_{\mathrm{out}}(n)$
• $K_n = \{0,1\}^n$, $M_n = (\{0,1\}^{l(n)})^*$, $C_n = \{0,1\}^{l(n)} (\{0,1\}^{l(n)})^*$
• Gen: On input $1^n$, output $k \in K_n$ uniformly at random.
• Enc: On input $k \in K_n$ and $m = m^{(1)} \,\|\, \ldots \,\|\, m^{(t)} \in M_n$,
choose $\mathrm{IV} \in \{0,1\}^{l(n)}$ uniformly at random and set $c^{(0)} = \mathrm{IV}$, and
for $i = 1$ to $i = t$ compute $c^{(i)} := m^{(i)} \oplus F_k^i(\mathrm{IV})$ ($i$-fold application of $F_k$);
output $c = c^{(0)} \,\|\, c^{(1)} \,\|\, \ldots \,\|\, c^{(t)}$.
• Dec: Ex
• Theorem (w/o proof): F-rOFB is CPA-secure if F is a PRF.
. Idea: in the perfect world (RO instead of $F_k$) – except for negl. prob.
of a collision – RO is never queried on the same input twice.
p.174 – Randomized output feedback (rOFB) mode

• Schematic representation of OFB mode for l(n) = lin(n) = lout(n):
[Figure: IV ∈u {0, 1}^l feeds a chain of F_k applications; the i-th output F_k^i(IV) is XORed with m^(i) to give c^(i), and c^(0) = IV.]
• To process the i-th block of data, we need to know F_k^i(IV) for OFB
while s/rCTR mode only requires knowledge of F_k(⌊ctr + i⌉).
. Ex: Is F -rOFB CCA-secure for F a PRF?
Pseudorandom permutations and secure block
ciphers
p.176 – Definition of secure block cipher

• Recall: Our definition of a PRF was based on the observation
that rCTR mode essentially uses a block cipher F as PRG.
• Would like to have that Fk(x) is indistinguishable from a OTP for any
input x.
• Led to the “ideal” of random oracle (RO).
• Problem:
If F is a block cipher, then Fk is invertible for every key k.
. The more values Fk(xi) we know, the less random the output of Fk
becomes as Fk(x_{i+1}) ∉ {Fk(x_0), . . . , Fk(x_i)}.
. We should not compare block ciphers to RO,
but to RPO (“ideal block cipher”) instead.
p.177 – Random permutation oracle
“random permutation oracle RPO”
Init: create an empty hashmap T and empty set S
Query: on input x ∈ {0, 1}^{l(n)}
if T[x] is undefined: T[x] := (y ∈u {0, 1}^{l(n)} \ S)
S := S ∪ {T[x]}
return T[x].
• Random permutation oracle RPO or ideal block cipher.
. Just as RO with the only exception that T is the table of a random
injective map.
. Quite handy if Alice and Bob could share a RPO.
• Alice could of course generate the whole table, and securely transmit
n·2^n bits to Bob ... for n = 128 that would be 2^92 TB of data.
. A secure block cipher should be indistinguishable from a RPO:
• Although Alice and Bob only need to exchange securely a secret n-bit
key.
p.178 – Pseudorandom permutations (PRP)
• Definition: Let F(k, x) =: Fk(x) be a DPT-comp. function which
• for every k defines a permutation Fk on {0, 1}^{l(n)}, and
• whose inverse F_k^{-1} is also DPT-computable.
F is a PRP if every PPT-alg. D has negl. adv. in the game IndPRP:
1 Alice&Bob set up two oracles O0 and O1:
O0: “random permutation oracle RPO”
Init: create an empty hashmap T and empty set S
Query: on input x ∈ {0, 1}^{l(n)}
if T[x] is undefined: T[x] := (y ∈u {0, 1}^{l(n)} \ S)
S := S ∪ {T[x]}
return T[x]
O1: replies using F
Init: create k ∈u {0, 1}^n
Query: on input x ∈ {0, 1}^{l(n)}
return Fk(x).
They toss a fair coin b ∈u {0, 1} and pass Ob in a black box O to Eve.
2 Eve runs D^O(1^n) to obtain a reply r.
. Let Win^{IndPRP}_{n,F}(D) denote the event that r = b.
p.179 – Pseudorandom permutations (PRP)

• Definition of (t, q, ε)-PRP as for PRF.
• Definition: strong PRP
Definition of PRP but the oracles also can compute the inverse.
• O1 answers normal queries using Fk, and “inverse” queries using F_k^{-1}.
• O0 uses e.g. a second hash map Tinv with Tinv[y] = x iff T[x] = y.
. Strong PRPs required for the CCA-security of some ES.
. (Strong) PRPs can be constructed from PRFs using a construction
underlying the DES-cipher, called Feistel network.
p.180 – Pseudorandom permutations (PRP)
• Definition:
Let f : {0, 1}^* → {0, 1}^* be some function s.t. |f(x)| = |x| for all
x ∈ {0, 1}^*.
A single-round Feistel network FN_f is defined by
FN_f(x||y) := y || x ⊕ f(y) for all x, y ∈ {0, 1}^* with |x| = |y|.
Similarly, given functions f1, . . . , fj a j-round Feistel network is
inductively defined by
FN_{f1,f2,...,fj}(x||y) := FN_{fj}(FN_{f1,f2,...,fj−1}(x||y))
• Proposition: (Ex.)
Independent of the choice of f1, . . . , fj the function FN_{f1,...,fj} is
invertible when f1, . . . , fj are known.
p.181 – Pseudorandom permutations: Feistel networks

[Figure: two-round Feistel network; the right half y enters f1, its output is XORed into the left half, the halves are swapped, and the same is repeated with f2.]
• Theorem: (w/o proof, see [46])
Let F(·, ·) be a PRF and choose a, b, c, d ∈r {0, 1}^n independently and
uniformly at random. Then:
• F^(3)_{a||b||c}(x||y) := FN_{Fa,Fb,Fc}(x||y) is a PRP on {0, 1}^{2n} using 3n-bit keys.
• F^(4)_{a||b||c||d}(x||y) := FN_{Fa,Fb,Fc,Fd}(x||y) is a strong PRP on {0, 1}^{2n} using
4n-bit keys.
p.182 – PRPs as PRFs
• For the modes s/rCTR and rOFB we do not need a PRP.
• In fact, we rather would like to have a PRF because of our proofs.
. Can we treat a PRP as a PRF?
• Difference between the games IndPRF and IndPRP:
IndPRP: RPO
Init: create an empty hashmap T and empty set S
Query: on input x ∈ {0, 1}^{l(n)}
if T[x] is undefined: T[x] := (y ∈u {0, 1}^{l(n)} \ S)
S := S ∪ {T[x]}
return T[x]
IndPRF: RO
Init: create an empty hashmap T
Query: on input x ∈ {0, 1}^{l(n)}
if T[x] is undefined: T[x] := (y ∈u {0, 1}^{l(n)})
return T[x].
. All that matters to D is the answers it gets from its oracle O.
. If RO does not generate a collision, any D has to behave just as if it
was given RPO:
$\Pr[D^{RO}(1^n) = 0 \mid \text{no collision}] = \Pr[D^{RPO}(1^n) = 0]$
p.183 – PRPs as PRFs

. If D makes q(n) oracle queries (birthday problem):
$c_{q(n)} := \Pr[\text{collision}] = \theta \cdot \binom{q(n)}{2} \cdot 2^{-l(n)}$ for some θ ∈ [1/2, 1]
. So (conditioning on whether RO produces a collision, and writing the second
probability as $(c_{q(n)} + 1 - c_{q(n)}) \cdot \Pr[D^{RPO}(1^n) = 0]$):
$\big|\Pr[D^{RO}(1^n) = 0] - \Pr[D^{RPO}(1^n) = 0]\big| = c_{q(n)} \cdot \big|\Pr[D^{RO}(1^n) = 0 \mid \text{col.}] - \Pr[D^{RPO}(1^n) = 0]\big| \le c_{q(n)} \le q(n)^2\, 2^{-l(n)-1}$
. I.e. RO and RPO look the same to any D except for negl. prob.
. Hence: $\Pr[\mathrm{Win}^{IndPRF}_{n,F}(D)] \le \Pr[\mathrm{Win}^{IndPRP}_{n,F}(D)] + q(n)^2\, 2^{-l(n)-2}$
. Theorem:
If F is a PRP (with 2^{-l(n)} negligible), then it is also a PRF.
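A worked example added here, not taken from the lecture slides: it evaluates the collision probability behind p.172 (exactly, by the usual exponential approximation, and by the slides' bound C(q,2)/N, with the DES numbers l = 64 and q = 2^32), and it simulates RO and RPO as defined on p.183 together with the collision distinguisher of p.184. The oracle classes, the function names and the use of Python's seeded random module for the uniform choices are this example's own assumptions.

```python
import math
import random
from math import comb


def collision_prob_exact(q: int, N: int) -> float:
    """Exact Pr[some two of q values coincide] when the q values are drawn
    uniformly and independently from a set of size N."""
    if q > N:
        return 1.0  # pigeonhole
    no_collision = 1.0
    for i in range(q):
        no_collision *= (N - i) / N
    return 1.0 - no_collision


def collision_prob_approx(q: int, N: int) -> float:
    """1 - exp(-q(q-1)/(2N)): used where the exact product has too many
    factors to evaluate (q = 2^32 for the DES example)."""
    return 1.0 - math.exp(-q * (q - 1) / (2 * N))


def union_bound(q: int, N: int) -> float:
    """The slides' safe upper bound C(q,2)/N, capped at 1."""
    return min(1.0, comb(q, 2) / N)


class RO:
    """Random oracle: a lazily filled table of independent uniform l-bit values."""

    def __init__(self, l_bits: int, rng: random.Random):
        self.l, self.rng, self.T = l_bits, rng, {}

    def query(self, x: int) -> int:
        if x not in self.T:
            self.T[x] = self.rng.getrandbits(self.l)
        return self.T[x]


class RPO(RO):
    """Random permutation oracle: like RO, but a fresh output is drawn from
    {0,1}^l \\ S, so the table stays injective."""

    def __init__(self, l_bits: int, rng: random.Random):
        super().__init__(l_bits, rng)
        self.S = set()

    def query(self, x: int) -> int:
        if x not in self.T:
            if len(self.S) == 1 << self.l:
                raise ValueError("domain exhausted: no fresh output left")
            y = self.rng.getrandbits(self.l)
            while y in self.S:
                y = self.rng.getrandbits(self.l)
            self.T[x] = y
            self.S.add(y)
        return self.T[x]


def collision_distinguisher(oracle, q: int) -> bool:
    """D from p.184: query q distinct inputs and output 1 (True) iff two
    answers coincide. Against an RPO this never happens."""
    seen = set()
    for x in range(q):
        y = oracle.query(x)
        if y in seen:
            return True
        seen.add(y)
    return False


def make_ro(l_bits: int, seed: int) -> RO:
    return RO(l_bits, random.Random(seed))


def make_rpo(l_bits: int, seed: int) -> RPO:
    return RPO(l_bits, random.Random(seed))


def estimate_advantage(l_bits: int, q: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo estimate of Pr[D^RO = 1] - Pr[D^RPO = 1]; the RPO term is 0."""
    hits = sum(collision_distinguisher(make_ro(l_bits, seed + t), q) for t in range(trials))
    return hits / trials


if __name__ == "__main__":
    N, q = 2 ** 64, 2 ** 32   # DES: l = 64, Eve collects 2^32 blocks
    print("union bound:", union_bound(q, N), " approx:", collision_prob_approx(q, N))
    print("advantage l=16, q=100:", estimate_advantage(16, 100, 2000),
          " exact:", collision_prob_exact(100, 2 ** 16))
```

For the DES numbers the union bound is 1/2 while the true collision probability is about 1 − e^{−1/2} ≈ 0.39; the bound is what the security reduction gives, the Monte Carlo run shows how closely the distinguisher of p.184 tracks the exact value for a small block length.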
p.184 – PRPs as PRFs
• Ex: Does also the other direction hold?
That is, if F is a PRF, then may we use it also as a PRP?
(Leaving aside the problem of how to compute the inverse of F.)
• Ex: Show that there is a PPT-adversary which distinguishes a PRP F
from RO with a negligible, but nonzero advantage.
• Remark:
For the CPA-security of F-sCTR, F-rCTR, F-rOFB we assumed that
F is a PRF.
By the preceding result, when F is instead only a PRP, the advantage
of the constructed adversaries D increases by roughly $\frac{q(n)^2}{2^{l(n)+1}}$.
So, also for F-sCTR the block length of F matters, and the security
bounds for F-sCTR and F-rCTR become roughly the same.
p.185 – Randomized cipher block chaining (rCBC) mode
. Definition: rCBC mode for a PRP F with block length l(n)
• Kn = {0, 1}^n, Mn = ({0, 1}^{l(n)})^*, Cn = {0, 1}^{l(n)} ({0, 1}^{l(n)})^*
• Gen: On input 1^n, output k ∈u Kn.
• Enc: On input k ∈ Kn and m = m^(1)||. . .||m^(t) ∈ Mn,
choose IV ∈u {0, 1}^{l(n)} and set c^(0) = IV, and
for i = 1 to i = t compute c^(i) := Fk(c^(i−1) ⊕ m^(i));
output c = c^(0)||c^(1)||. . .||c^(t).
• Dec: Ex
• Theorem (see e.g. here): F-rCBC is CPA-secure if F is a PRP.
. Idea: Similar to rOFB mode:
• If c^(i−1) is uniformly distributed, so is c^(i−1) ⊕ m^(i).
. If no collision, RPO(c^(i−1) ⊕ m^(i)) is again uniformly distributed
(RO ≈ RPO).
p.186 – Randomized cipher block chaining (rCBC) mode

• Schematic representation of rCBC mode:
[Figure: IV ∈u {0, 1}^l = c^(0); each m^(i) is XORed with c^(i−1) and passed through F_k to give c^(i), for i = 1, . . . , t.]
• Main drawback: no parallel encryption as data blocks depend on each
other.
• Ex: Is F -rCBC CCA-secure for F a PRP?
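An added example (not code from the slides or from [46]) serving the Feistel construction of p.180/181 and the rCBC definition of p.185: a 4-round Feistel network whose round functions F_{k_i} are instantiated with HMAC-SHA256 truncated to one half block (the assumption is that this behaves as a PRF), used as the PRP F_k in rCBC encryption and in the decryption routine left as an exercise on p.185. The key schedule k_i = F_k(<i>), the 128-bit block size and all function names are this example's own choices.

```python
import hashlib
import hmac
import secrets

HALF = 8             # n = 64 bits per half, so the toy PRP acts on 2n = 128-bit blocks
BLOCK = 2 * HALF


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(key: bytes, x: bytes) -> bytes:
    """Round function F_{k_i}: HMAC-SHA256 truncated to HALF bytes.
    Assumption for this example: HMAC-SHA256 behaves as a PRF."""
    return hmac.new(key, x, hashlib.sha256).digest()[:HALF]


def feistel_encrypt(round_keys, block: bytes) -> bytes:
    """FN_{f1,...,fj}(x||y): each round maps x||y to y || x ⊕ f_i(y)."""
    x, y = block[:HALF], block[HALF:]
    for k in round_keys:
        x, y = y, xor(x, prf(k, y))
    return x + y


def feistel_decrypt(round_keys, block: bytes) -> bytes:
    """Invert by undoing the rounds in reverse order: from y || x ⊕ f_i(y)
    recover x = (x ⊕ f_i(y)) ⊕ f_i(y); f_i is only ever evaluated forwards."""
    x, y = block[:HALF], block[HALF:]
    for k in reversed(round_keys):
        x, y = xor(y, prf(k, x)), x
    return x + y


def round_keys_from(k: bytes, rounds: int = 4):
    """Key schedule a||b||c||d: derive the round keys from one secret k with
    the PRF itself (k_i = F_k(<i>)), so only k has to be shared."""
    return [prf(k, bytes([i])) for i in range(1, rounds + 1)]


def rcbc_encrypt(k: bytes, m: bytes, iv=None) -> bytes:
    """rCBC: c(0) = IV uniform, c(i) = F_k(c(i-1) ⊕ m(i)); m must consist of
    whole blocks (no padding in this example)."""
    if len(m) % BLOCK:
        raise ValueError("message must consist of whole blocks")
    keys = round_keys_from(k)
    prev = secrets.token_bytes(BLOCK) if iv is None else iv
    out = [prev]
    for i in range(0, len(m), BLOCK):
        prev = feistel_encrypt(keys, xor(prev, m[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def rcbc_decrypt(k: bytes, c: bytes) -> bytes:
    """m(i) = F_k^{-1}(c(i)) ⊕ c(i-1), using the Feistel inverse."""
    if len(c) % BLOCK or len(c) < BLOCK:
        raise ValueError("ciphertext must be IV plus whole blocks")
    keys = round_keys_from(k)
    blocks = [c[i:i + BLOCK] for i in range(0, len(c), BLOCK)]
    return b"".join(xor(feistel_decrypt(keys, cur), prev)
                    for prev, cur in zip(blocks, blocks[1:]))


if __name__ == "__main__":
    key, msg = secrets.token_bytes(16), bytes(range(32))
    ct = rcbc_encrypt(key, msg)
    print(ct.hex(), rcbc_decrypt(key, ct) == msg)
```

Decryption never needs the inverse of the round functions, which is exactly why the construction works with a PRF that has no inverse; encrypting the same message twice yields different c^(0) and therefore different ciphertexts.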
Message authentication codes (MACs)
p.188 – Message origin authentication for CCA-security
• Recall: game IndCCA
1 Alice&Bob generate a random key k := Gen(1^n) and give Eve’s attack
A oracle access to Enck and Deck.
2 Eve runs A^{Enck,Deck}(1^n) to obtain two sequences m⃗_0, m⃗_1 with
m⃗_b = (m_b^(1), . . . , m_b^(q)), and |m_0^(j)| = |m_1^(j)|, and m_b^(i) ∈ Mn.
3 Alice&Bob choose b ∈ {0, 1} by tossing a fair coin,
compute c^(i) = Enck(m_b^(i)) from left i = 1 to right i = q, and
send c⃗ = (c^(1), . . . , c^(q)) to Eve.
4 Eve runs A^{Enck,Deck}(1^n, c⃗) to obtain her reply r ∈ {0, 1} where
A^{Enck,Deck} is not allowed to query Deck for any c^(i).
. Let Win^{IndCCA}_{n,E} be the event that b = r.
• Idea: want to reuse CPA-results, so make the Deck -oracle useless

. Extend ciphertext by a message authentication code (MAC): c||t


. Goal: Deck can use t to detect and reject c originating from A.
p.189 – Message authentication code (MAC)
• Definition: A MAC scheme consists of
Algorithm   Type   Input                            Output
Gen         PPT    1^n                              k ∈r Kn with |k| ≥ n
Mac         PPT    k ∈ Kn, m ∈ Mn                   t ∈ Tn
Vrf         DPT    k ∈ Kn, m ∈ Mn, t ∈ Tn           r ∈ {0, 1}
where for all k ∈ Kn: Vrfk(m, Mack(m)) = 1 iff m ∈ Mn.
• Kn /Mn /Tn : key/message/tag space

• Gen/Mac/Vrf: key generator/mac generator/mac verifier

• Alice sends m||Mack (m) to Bob.

A MAC scheme is
• of fixed-length l(·) if Mn = {0, 1}l(n) .

• deterministic if Mac is a DPT-algorithm.

• stateful if Mack saves some state (e.g. message counter) between two
runs; otherwise it is stateless.
p.190 – Message authentication code (MAC)
• What should a MAC achieve?
. Only the knowledge of the secret kMac should enable a person to
create, for some message m, a tag t which is valid for m w.r.t. kMac :
• I.e. VrfkMac (m, t) = 1.

. Without the knowledge of kMac , an adversary should succeed only


with negl. prob. in forging a tag for a message m.
• Which messages m?

. Let the adversary choose m to make the definition as general as


possible.
. So, we do not need to care what particular subset of Mn our
application is using.
• Any message chosen by the adversary?

. The adversary knows valid tags for all eavesdropped messages.

. Secure MAC: Forge a valid tag for a message not seen so far.
p.191 – Security of MACs
• Definition: Game FrgMAC:
1 Alice&Bob generate k := Gen(1^n), and
give Eve oracle access to Mack.
Alice&Bob keep a list Q of Eve’s oracle queries.
2 Eve runs A^{Mack}(1^n) to obtain (m, t).
. Let Win^{FrgMAC}_{n,S}(A) be the event that (i) Vrfk(m, t) = 1 and (ii) m ∉ Q.
A MAC scheme S = (Gen, Mac, Vrf) is existentially unforgeable under
an adaptive chosen-message attack (short: secure) if for every
PPT-adversary A the prob. $\Pr[\mathrm{Win}^{FrgMAC}_{n,S}(A)]$ is negligible in n.

• A secure MAC is not required to provide message privacy!

. The MAC tag t is simply appended to the message m: m||t.


• Remark: Above definition assumes that Eve can compute Vrfk
herself. This is the case for all MACs discussed here (Ex.). In general,
the definition would also give Eve oracle access to Vrfk.
p.192 – Message integrity/origin authentication
• Bob runs a pizzeria and takes orders via telephone/email/SMS:

• Assume that Alice does not care about the privacy of her orders.

. So, Alice simply sends her orders as plaintext to Bob.


• Although there is no harm in Eve knowing that Alice has ordered
some pizza, Eve can still try to play Alice a prank:
Eve: “Alice here. Please send 20 pizzas”
• Eve could try to imitate Alice’s voice, or

• might have access to an SMTP server and simply put Alice’s address in
the FROM field, or
• might intercept and alter an order by Alice.

• The MAC tag is supposed to prevent Eve from doing so.

. By requiring that each order comes with a MAC tag, Bob can detect
a faked order.
p.193 – Message integrity/origin authentication

• But: if Eve intercepts and replays an order, the MAC tag is of no use.
. Such attacks can be prevented by introducing a state into the
communication which guarantees that a message m is sent at most once:
. Append to each message a nonce (number used once)
• E.g. (a combination of) time-stamps, (pseudo)random numbers,
message counters.
. Then send m||⌊nonce⌉||Mack(m||⌊nonce⌉) instead of m||Mack(m).
• Technical problems:
• How to guarantee that Alice&Bob are in the same state? E.g. clock
synchronisation.
• How long should a time stamp be considered valid?
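An added example for the nonce-based replay protection just described, not from the slides: Alice sends m||⌊nonce⌉||Mac_k(m||⌊nonce⌉) with a message counter as the nonce, and Bob's side keeps the highest counter accepted so far, so that a replayed packet is rejected even though its tag is genuine. HMAC-SHA256 as the MAC, the 8-byte counter encoding and the names used are this example's assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32
NONCE_LEN = 8


def mac(k: bytes, data: bytes) -> bytes:
    """Mac_k: HMAC-SHA256 (assumption: a secure MAC)."""
    return hmac.new(k, data, hashlib.sha256).digest()


def wrap(k: bytes, m: bytes, counter: int) -> bytes:
    """Alice's side: m || <nonce> || Mac_k(m || <nonce>), nonce = message counter."""
    body = m + struct.pack(">Q", counter)
    return body + mac(k, body)


class Receiver:
    """Bob's side: keeps the highest counter accepted so far, so a replayed or
    stale packet fails even though its tag verifies."""

    def __init__(self, k: bytes):
        self.k = k
        self.highest = -1

    def unwrap(self, packet: bytes):
        """Return the message, or None when the tag or the nonce is rejected."""
        if len(packet) < NONCE_LEN + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(mac(self.k, body), tag):
            return None                                  # altered or forged
        m, (counter,) = body[:-NONCE_LEN], struct.unpack(">Q", body[-NONCE_LEN:])
        if counter <= self.highest:
            return None                                  # nonce already used: replay
        self.highest = counter
        return m


if __name__ == "__main__":
    k = b"\x42" * 32
    bob = Receiver(k)
    pkt = wrap(k, b"Alice: 2 pizzas", 1)
    print(bob.unwrap(pkt), bob.unwrap(pkt))   # accepted once, then rejected as replay
```

The strictly increasing counter assumes in-order delivery; on a channel that may reorder packets the receiver instead keeps a window of recently seen counters, which is the same check with a bounded amount of state.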
p.194 – MACs from encryption schemes?
• Example: B-r/sCTR as MAC?
For simplicity, assume a block cipher of block length l = 104.
Set Mack(m) := ctr||m^(1) ⊕ Fk(⌊ctr + 1⌉)||. . .||m^(t) ⊕ Fk(⌊ctr + t⌉).
Let m be the 8bit-ASCII encoding of “send 2 pizzas”, i.e. |m| = 104.
Then (m, t) is a 39 byte string, e.g.,
send 2 pizzas pk2njM%f-9231 r-9wfvwaXR,#bP
where the first 13 bytes are m, the next 13 bytes are ⌊ctr⌉, and the last
13 bytes are m ⊕ Fk(⌊ctr⌉ + 1).
Eve can turn 2 ≙ 00110010 into 6 ≙ 00110110 by flipping a single bit.
To make the tag valid again, simply flip the corresponding bit in
m ⊕ Fk(⌊ctr + 1⌉).
• Even if we only send the encryption ⌊ctr⌉||m ⊕ Fk(⌊ctr⌉), Eve might
still manipulate the message by flipping randomly chosen bits.
. If orders have a fixed format, then Eve knows which bits to attack.
p.195 – MACs from encryption schemes?

• Ex: Does rOFB mode yield a secure MAC? Does the OTP?

• Ex: Let F be a PRF with l(n) = lin (n) = lout (n). Does
Mack (m) = Fk (m(1) )||Fk (m(2) ) yield a secure MAC (with
Mn = {0, 1}2l(n) )?
• Ex: Show that F -rCBC does not yield a secure MAC.

Hint: By modifying IV, Eve can modify also the first block of an
intercepted message.
p.196 – MACs from encryption schemes?

• In general, even CPA-secure ES cannot be used (directly) as secure


MACs.
• Message privacy and message origin authentication should be treated
as different goals.
• Common to both is that we may use the same cryptographic primitive
to achieve them: pseudorandom functions
An adversary, not knowing k, cannot predict the value Fk (x) for a
“fresh” x if F is a PRF; Fk (x) simply looks like a truly random string
(random oracle) to him.
. Use a PRF directly as MAC.
p.197 – Secure MACs from PRFs

• Definition: F-MAC
Let F be a PRF with input length lin(n) and output length lout(n).
Then F-MAC is defined by
• Kn = {0, 1}^n, Mn = {0, 1}^{lin(n)}, Tn = {0, 1}^{lout(n)}.
• Gen: on input 1^n, output k ∈u {0, 1}^n.
• Mac: on input k ∈ Kn and m ∈ Mn, output Fk(m).
• Vrf: on input k ∈ Kn, m ∈ Mn, t ∈ Tn, output 1 iff Fk(m) = t.
• Theorem: F-MAC is a secure MAC if F is a PRF.


p.198 – Secure MACs from PRFs: Proof
Reduction (Alice&Bob | D | A):
Alice&Bob: b ∈u {0, 1}; if b = 0: O := RO; if b = 1: O := Fk; run D^O(1^n).
D: emulate Mack using O; remember the queries by A in Q; run A^{Mack}(1^n).
A: return (m, t).
D: return m ∉ Q ∧ O(m) = t.
$\Pr[\mathrm{Win}^{IndPRF}_{n,F}(D)] = \tfrac{1}{2}\cdot\Pr_{b=0}[\mathrm{Win}^{IndPRF}_{n,F}(D)] + \tfrac{1}{2}\cdot\Pr_{b=1}[\mathrm{Win}^{IndPRF}_{n,F}(D)]$
where $\Pr_{b=0}[\mathrm{Win}^{IndPRF}_{n,F}(D)] = 1 - \Pr[\mathrm{Win}^{FrgMAC}_{n,RO\text{-}MAC}(A)] \ge 1 - 2^{-l_{out}(n)}$ and $\Pr_{b=1}[\mathrm{Win}^{IndPRF}_{n,F}(D)] = \Pr[\mathrm{Win}^{FrgMAC}_{n,F\text{-}MAC}(A)]$, so
$\Pr[\mathrm{Win}^{IndPRF}_{n,F}(D)] \ge \tfrac{1}{2} + \tfrac{1}{2}\Big(\Pr[\mathrm{Win}^{FrgMAC}_{n,F\text{-}MAC}(A)] - 2^{-l_{out}(n)}\Big)$
p.199 – CCA-secure ES from CPA-secure ES + secure MAC
• So far, we have only seen block ciphers as candidates for PRFs.
. For a block cipher B of block length l(n),
the “PRF-as-MAC” approach allows us only to compute a MAC for
messages of length l(n).
. Later: How to extend the domain of a PRF?
. Next: How to obtain CCA-secure ES
• Possible ways of combining an ES with a MAC:
Enc-and-Mac: Enck(m)||Mack(m)
Mac-then-Enc: Enck(m||Mack(m))
Enc-then-Mac: c||Mack(c) with c :=r Enck(m)
. Except for the Enc-then-Mac approach (see also [14]), one can
construct (sometimes contrived) counter-examples which do not yield
a CCA-secure ES in general.
p.200 – Encrypt then authenticate
• Definition: (encrypt-then-authenticate)
Let E = (Gen^E, Enc, Dec) be a CPA-secure ES, and
S = (Gen^S, Mac, Vrf) a secure deterministic MAC with M^E_n ⊆ M^S_n.
Define ES = (Gen', Enc', Dec') as follows:
• K'_n = K^E_n × K^S_n, M'_n = M^E_n, C'_n = C^E_n × T^S_n.
• Gen': on input 1^n, compute k^E :=r Gen^E(1^n) and k^S :=r Gen^S(1^n),
output k = (k^E, k^S).
• Enc': on input m and (k^E, k^S), compute c :=r Enc_{k^E}(m), then
t :=r Mac_{k^S}(c), output c||t.
• Dec': on input c||t and (k^E, k^S), check if Vrf_{k^S}(c, t) = 1; if yes, output
Dec_{k^E}(c); otherwise output an exception ⊥.
• Theorem: (see [56], p. 144)
ES is a CCA-secure ES if E is a CPA-secure ES and S is a secure
MAC.
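An added example, not from the slides, covering the rCTR-as-MAC example of p.194 and the encrypt-then-authenticate definition of p.200: the first part builds the 104-bit rCTR "tag" of p.194 and reproduces the slide's observation that flipping one bit of m together with the matching bit of the masked copy keeps the tag valid; the second part wraps the same rCTR encryption in Enc'/Dec' with an independent MAC key, so the same modification is detected and ⊥ (None) is returned before anything is decrypted. HMAC-SHA256 as the PRF and as the MAC, and all names, are this example's assumptions.

```python
import hashlib
import hmac
import secrets

L = 13                       # block length l = 104 bits = 13 bytes, as on p.194
MOD = 1 << (8 * L)


def prf(k: bytes, x: bytes) -> bytes:
    """F_k: HMAC-SHA256 truncated to L bytes (assumption: a PRF)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:L]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rctr_encrypt(k: bytes, m: bytes, ctr=None) -> bytes:
    """<ctr> || m(1) ⊕ F_k(<ctr+1>) || ... || m(t) ⊕ F_k(<ctr+t>)."""
    if len(m) % L:
        raise ValueError("message must consist of whole blocks")
    if ctr is None:
        ctr = secrets.randbelow(MOD)
    out = [ctr.to_bytes(L, "big")]
    for i in range(len(m) // L):
        pad = prf(k, ((ctr + i + 1) % MOD).to_bytes(L, "big"))
        out.append(xor(m[i * L:(i + 1) * L], pad))
    return b"".join(out)


def rctr_decrypt(k: bytes, c: bytes) -> bytes:
    ctr = int.from_bytes(c[:L], "big")
    return b"".join(xor(c[L * i:L * (i + 1)], prf(k, ((ctr + i) % MOD).to_bytes(L, "big")))
                    for i in range(1, len(c) // L))


# --- the flawed idea of p.194: the rCTR ciphertext itself serves as the tag ---
def ctr_mac(k: bytes, m: bytes, ctr=None) -> bytes:
    return rctr_encrypt(k, m, ctr)


def ctr_vrf(k: bytes, m: bytes, t: bytes) -> bool:
    return rctr_encrypt(k, m, int.from_bytes(t[:L], "big")) == t


def malleate(m: bytes, t: bytes, pos: int, mask: int):
    """The slide's observation: flipping a bit of m and the same bit of the
    keystream-masked copy inside t leaves ctr_vrf satisfied."""
    m2, t2 = bytearray(m), bytearray(t)
    m2[pos] ^= mask
    t2[L + pos] ^= mask          # t = <ctr> || m ⊕ keystream
    return bytes(m2), bytes(t2)


# --- the construction of p.200: encrypt-then-authenticate, independent keys ---
def enc_then_mac(kE: bytes, kS: bytes, m: bytes) -> bytes:
    c = rctr_encrypt(kE, m)
    return c + hmac.new(kS, c, hashlib.sha256).digest()


def dec_then_vrf(kE: bytes, kS: bytes, ct: bytes):
    c, t = ct[:-32], ct[-32:]
    if not hmac.compare_digest(hmac.new(kS, c, hashlib.sha256).digest(), t):
        return None              # ⊥: the tag does not verify, c is not decrypted
    return rctr_decrypt(kE, c)


if __name__ == "__main__":
    k, m = b"\x07" * 32, b"send 2 pizzas"
    m2, t2 = malleate(m, ctr_mac(k, m), 5, 0x04)
    print(m2, ctr_vrf(k, m2, t2))                        # b'send 6 pizzas' True
    ct = enc_then_mac(b"\x01" * 32, b"\x02" * 32, m)
    bad = bytearray(ct); bad[L + 5] ^= 0x04
    print(dec_then_vrf(b"\x01" * 32, b"\x02" * 32, bytes(bad)))   # None
```

Dec' compares tags with hmac.compare_digest so that the verification itself does not leak which byte of a bad tag differs, and it returns before any plaintext is produced, which is the property the CCA proof of p.201 relies on (the decryption oracle can be simulated by always replying ⊥).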
p.201 – Encrypt then authenticate
• Remark: The Enc-then-Mac approach not only guarantees
CCA-security, but preserves the properties of a MAC (authenticated
encryption).
• Proof idea:
. We may assume that an adversary A queries its decryption oracle only
for ciphertexts which A has not obtained from its encryption oracle.
• Event F: “A succeeds at least once at forging a ciphertext.”
$\Pr[F] \le q_{Dec_k}(n) \cdot \Pr[\mathrm{Win}^{FrgMAC}_{n,S}(B)] \le negl_S(n)$
where B simply selects a random Deck-query of A.
• Event ¬F: “A does not succeed at forging a single ciphertext.”
The decryption oracle then always detects the forged ciphertexts, and,
thus, can be simulated in game IndCPA by always replying ⊥.
$\Pr[\mathrm{Win}^{IndCCA}_{n,ES}(A) \mid \neg F] \le \Pr[\mathrm{Win}^{IndCPA}_{n,E}(A)] \le \tfrac{1}{2} + negl_E(n)$
p.202 – Extending the domain of a PRF
• As seen: PRFs give us immediately secure MACs.
. Hence, would like to have a PRF with “arbitrary” large lin(n)
and lout(n) just long enough to make the prob. of guessing a correct
tag negligible.
• Candidates for PRFs in practice?
• Block ciphers of fixed block length l = lin = lout > |k|.
• Compression functions used within some hash functions with
lin > lout = |k|.
(In cryptography, a compression function is in general not invertible.)
. So the problem becomes:
Given Fk with domain {0, 1}^{lin(n)} and codomain {0, 1}^{lout(n)}
construct F^{ext}_k with domain “({0, 1}^{lin(n)})^*” and codomain
{0, 1}^{lout(n)}.
p.203 – Extending the domain of a PRF
• Idea: output Fk(x) is just as good as a truly random string vs. an
adversary that does not know k and has not seen Fk(x) so far.
. F only takes two inputs, so given m = m^(1)||. . .||m^(d):
. Either use Fk(x) to randomly permute the next block as in CBC mode:
Set x^(0) := IV := 0^{lin(n)}.
For i = 1 to i = d: set x^(i) := Fk(m^(i) ⊕ x^(i−1)).
Output F^{CBC}_k(m) := x^(d).
Suited for F a block cipher with lin = lout > |k|.
. or use Fk(x) as a new key for processing the next message block:
Set k^(0) := k.
For i = 1 to i = d: set k^(i) := F_{k^(i−1)}(m^(i)).
Output F^*_k(m) := k^(d).
Suited for F a compression function with lin > lout = |k|.
p.204 – Extending the domain of a PRF

[Figure: top, F^CBC: 0^n is XORed with m^(1) and passed through F_k, the result x^(1) is XORed with m^(2), and so on until x^(d) = F^CBC(m). Bottom, F^*: k keys F on m^(1), giving k^(1), which keys F on m^(2), and so on until k^(d) = F^*_k(m).]
p.205 – Extending the domain of a PRF
• Theorem [15, 77, 10]:
If F is a PRF, then F^CBC and F^* are PRFs under the restriction that
a PPT-adversary D may only use prefix-free oracle queries.
• If x1, . . . , x_{q(n)} are all oracle queries of D, then for any xi, xj (i < j)
neither may be a prefix of the other.
. W/o this restriction: assume F with lin(n) = lout(n) = n
• y := O(0^n) and z := O(0^n||1^n)
• For F^*: return whether z = F_y(1^n)
• For F^CBC: return whether z = O((y ⊕ 1^n) ⊕ IV)
In case of RO, these checks succeed only with negl. prob.
• Consequence: The adversary must not have access to the
intermediate values x^(i) resp. k^(i).
. Necessary: force the adversary to use only prefix-free queries, and
keep intermediate values secret.
p.206 – Extending the domain of a PRF
• Let F be a “small” PRF of input length lin(n), F^ext its extension, and
pad : {0, 1}^+ → ({0, 1}^n)^+ be some reasonable padding function,
• E.g.: padCBC(m) = ⌊|m|⌉||m||0^p, or padMD-0(m) = m||0^p||⌊|m|⌉
with ⌊|m|⌉ encoded using lin(n) bits, and p minimal.
• Some options to enforce prefix-free queries [12, 8, 10]:
1 For each length l use the pseudorandom key Fk(⌊l⌉):
F^{padext}_k(m) := F^{ext}_{Fk(⌊|m|⌉)}(pad(m)).
2 Use a padding function with prefix-free output, e.g. padCBC:
F^{padext}(m) := F^{ext}(padCBC(m)).
Ex: Show that padCBC has prefix-free output.
3 Use two keys ki, ko to “seal” the output of F^{ext}_{ki}:
F^{padext}_{ko,ki}(m) := F_{ko}(F^{ext}_{ki}(pad(m))).
In practice: ko||ki = Fk(⌊1⌉)||Fk(⌊2⌉).
p.207 – Extending the domain of a PRF

• Ex*: Let F be a PRF and G a PRG of stretch l(n) = 2n. Split the output
of G into half: G(k) = G0(k)||G1(k) with G0(k), G1(k) ∈ {0, 1}^n.
Show that for any PPT-adversary D having access to two oracles the
following prob. is negligible in n:
1 $\Big|\Pr_{k,k' \in_u \{0,1\}^n}\big[D^{F_k,F_{k'}}(1^n) = 1\big] - \Pr\big[D^{RO,RO'}(1^n) = 1\big]\Big|$
Hint: Use a hybrid argument to decide which of the missing oracles to
simulate. How might this be generalized to a polynomial number of
keys?
2 $\Big|\Pr_{k,k' \in_u \{0,1\}^n}\big[D^{F_k,F_{k'}}(1^n) = 1\big] - \Pr_{k \in_u \{0,1\}^n}\big[D^{F_{G_0(k)},F_{G_1(k)}}(1^n) = 1\big]\Big|$
3 $\Big|\Pr\big[D^{RO,RO'}(1^n) = 1\big] - \Pr_{k \in_u \{0,1\}^n}\big[D^{F_{G_0(k)},F_{G_1(k)}}(1^n) = 1\big]\Big|$
where the two keys k, k' are chosen independently of each other, and also
RO, RO' are independent of each other, i.e. each keeps its own hash map to
remember its answers.
p.208 – CBC-MAC
• Definition: CBC-MAC with prepended message length
Let F be a PRF with lin(n) = lout(n):
• Kn = {0, 1}^n, Mn = ({0, 1}^{lin(n)})^*, Tn = {0, 1}^{lout(n)}
• Gen: on input 1^n, output k ∈u {0, 1}^n.
• Mac: on input k ∈ Kn, m ∈ Mn, output F^{CBC}_k(padCBC(m))
with padCBC(m) := ⌊|m|⌉||m||0^p.
Reminder: The IV is fixed and publicly known, in general IV = 0^{lin(n)}.
• Vrf: on input k ∈ Kn, m ∈ Mn, t ∈ Tn, output 1 iff Mack(m) = t.
• Theorem [12, 56]:
F-CBC-MAC (with padCBC) is a secure MAC for F a PRF.
• See [12] for further discussion of how to turn F^CBC into a secure
MAC for messages of arbitrary length.
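An added example, not code from the slides or from [12], for the domain extension of p.203/205 and the CBC-MAC of p.208: raw F^CBC with IV = 0^n, the check from p.205 (y = O(0^n), z = O(0^n||1^n), is z = O((y ⊕ 1^n) ⊕ IV)?) which holds for raw F^CBC and fails once the length block of padCBC is prepended, plus a prefix-freeness check for a list of padded strings. The PRF is HMAC-SHA256 truncated to one 128-bit block (an assumption), the length block encodes |m| in bits, and the function names are this example's own.

```python
import hashlib
import hmac

N = 16   # l_in = l_out = 128 bits


def prf(k: bytes, x: bytes) -> bytes:
    """Block-sized PRF F_k (HMAC-SHA256 truncated to N bytes; assumption: a PRF)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def f_cbc(k: bytes, m: bytes, iv: bytes = bytes(N)) -> bytes:
    """Raw F^CBC of p.203: x(0) = IV, x(i) = F_k(m(i) ⊕ x(i-1)), output x(d)."""
    if len(m) == 0 or len(m) % N:
        raise ValueError("input must be one or more whole blocks")
    x = iv
    for i in range(0, len(m), N):
        x = prf(k, xor(m[i:i + N], x))
    return x


def pad_cbc(m: bytes) -> bytes:
    """padCBC(m) = <|m|> || m || 0^p: the bit length in one block, then zero-fill."""
    return (8 * len(m)).to_bytes(N, "big") + m + bytes(-len(m) % N)


def cbc_mac(k: bytes, m: bytes) -> bytes:
    return f_cbc(k, pad_cbc(m))


def cbc_vrf(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(cbc_mac(k, m), t)


def is_prefix_free(strings) -> bool:
    """True iff no string in the list is a proper prefix of another one."""
    return not any(a != b and b.startswith(a) for a in strings for b in strings)


def prefix_relation_holds(oracle) -> bool:
    """The check of p.205: y = O(0^n), z = O(0^n || 1^n); is z = O((y ⊕ 1^n) ⊕ IV)?
    An identity for raw F^CBC; for the padded MAC it fails except with negl. prob."""
    zero, one = bytes(N), b"\xff" * N
    y, z = oracle(zero), oracle(zero + one)
    return oracle(xor(xor(y, one), zero)) == z


if __name__ == "__main__":
    k = b"\x33" * 32
    print("raw F^CBC:", prefix_relation_holds(lambda m: f_cbc(k, m)))       # True
    print("CBC-MAC with padCBC:", prefix_relation_holds(lambda m: cbc_mac(k, m)))  # False
    print(is_prefix_free([pad_cbc(b"a"), pad_cbc(b"ab"), pad_cbc(b"a" * 40)]))
```

The relation holds for raw F^CBC because z = F_k(1^n ⊕ F_k(0^n)) is exactly what the oracle computes on the single block y ⊕ 1^n; prepending ⌊|m|⌉ changes the first block of every chain, so a query on m never reveals an intermediate value of a longer query that extends m.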
p.209 – CBC-MAC

[Figure: CBC-MAC; the length block ⌊|m|⌉ followed by m^(1), . . . , m^(d) is processed as in F^CBC with IV = 0^n, the last F_k output being Mac_k(m).]
p.210 – CBC-MAC (Discussion)

• Ex: Show that F^CBC(padMD-0(m)) does not yield a secure MAC.
• It might be tempting to combine F-rCBC with F-CBC-MAC in the
hope to speed up the computation. But:
• F-rCBC requires an IV ∈u {0, 1}^n to be CPA-secure.
• F-CBC-MAC requires a fixed IV (e.g. IV = 0^n) to be secure.
• The Enc-then-Mac approach requires two independent keys.
• OCB mode combines encryption and MAC:
• CCA-secure and authenticated encryption for F a strong PRP.
• Uses a single key.
• Allows for parallel processing of data blocks.

p.211 – Nested MAC (NMAC)

• Definition: F-NMAC
Let F be a PRF with lin(n) ≥ lout(n) = n and padMD either
padMD-0(m) := m||0^p||⌊|m|⌉ or padMD-1(m) := m||10^p||⌊|m|⌉.
• Kn = {0, 1}^{2n}, Mn = {m ∈ {0, 1}^* | |m| < 2^{lin(n)}}, Cn = {0, 1}^n
• Gen: on input 1^n, output (ko, ki) ∈u {0, 1}^{2n}.
ko: outer key; ki: inner key.
• Mac: on input (ko, ki) ∈ Kn, m ∈ Mn, output F_{ko}(F^*_{ki}(padMD(m))).
• Vrf: on input (ko, ki), m ∈ Mn, t ∈ Cn, output 1 iff t = Mac_{(ko,ki)}(m).
• Theorem: ([8]) F-NMAC is a secure MAC for any PRF F.


p.212 – Nested MAC (NMAC)

• Schematic representation of F-NMAC.
[Figure: the inner key ki starts a cascade of F over m^(1), m^(2), . . . , m^(d), ⌊|m|⌉; the outer key ko keys one final F call on the cascade output, giving the tag.]
• Keys are assumed to be the input coming from the left.
• Not shown: padding for the outer part if lin(n) > n.
p.213 – Nested MAC (NMAC)

• The inner part of F-NMAC consists of computing F^*(padMD(m)).
• Many hash functions use essentially the same construction internally.
• Merkle-Damgård construction (later)
• For hash functions, F satisfies lin(n) > lout(n) = n and is called a
compression function.
• E.g. SHA-1 lin = 512, lout = 160.
• In practice, NMAC is thus usually instantiated using a hash function.
• [8]: Security of NMAC can then be understood as implicitly assuming
that the compression function used within the hash function is a PRF.
• When working with a concrete implementation of a hash function it
might not be possible to set ki as “initialization vector”.
. For this reason, a variant of NMAC, called HMAC is used in practice.
p.214 – Hash-based MAC (HMAC)
• Schematic representation of F-HMAC.
[Figure: starting from the fixed IV, F first absorbs k ⊕ ipad to produce the inner key ki, which starts the cascade over m^(1), m^(2), . . . , m^(d), ⌊|m|⌉; likewise F applied to k ⊕ opad from the fixed IV produces ko, which keys the final F call on the inner result to give the tag.]
• Keys are assumed to be the input coming from the left.
• Not shown: padding for the outer part if lin(n) > n.
p.215 – Hash-based MAC (HMAC)
. Definition: HMAC
Let F be a PRF of block length n and F-NMAC = (Gen, Mac, Vrf).
Define opad by repeating the bit pattern 0x36 till n bits are
generated. Similarly, generate ipad from 0x5c.
Set out(k) := F(IV||(k ⊕ opad)) and in(k) := F(IV||(k ⊕ ipad)).
Then F-HMAC = (Gen, Mac', Vrf) with
Mac'_k(m) := Mac_{out(k),in(k)}(m).
• Theorem: [56, 8]
For any PRF F, if G(k) := out(k)||in(k) is a PRG, then F-HMAC is a
secure MAC.
• In practice: Given a hash function H : {0, 1}^* → {0, 1}^l,
set Mack(m) := H((k ⊕ opad)||H((k ⊕ ipad)||m)).
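An added example, not from the slides or from [8]: the practical HMAC formula H((k ⊕ opad)||H((k ⊕ ipad)||m)) written out with SHA-256 and cross-checked against Python's hmac module, which implements RFC 2104. Two details the slide leaves out are made explicit: the key is hashed if longer than the 64-byte block and zero-padded to the block length otherwise, and RFC 2104 assigns 0x36 to the inner pad and 0x5c to the outer pad (the slide names the two constants the other way round); the code follows the RFC so that the stdlib comparison succeeds. The function names are this example's own.

```python
import hashlib
import hmac

BLOCK = 64   # SHA-256 compression-function input block: l_in = 512 bits (cf. p.213)
IPAD = bytes([0x36]) * BLOCK   # RFC 2104: inner pad 0x36, outer pad 0x5c
OPAD = bytes([0x5c]) * BLOCK


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_key_block(k: bytes, H=hashlib.sha256) -> bytes:
    """RFC 2104 key preparation: a key longer than one block is hashed first,
    a shorter key is zero-padded to the block length."""
    if len(k) > BLOCK:
        k = H(k).digest()
    return k + bytes(BLOCK - len(k))


def hmac_from_formula(k: bytes, m: bytes, H=hashlib.sha256) -> bytes:
    """Mac_k(m) = H((k ⊕ opad) || H((k ⊕ ipad) || m)) as on p.215.
    The first compression-function call of each H absorbs exactly one block
    (k ⊕ ipad resp. k ⊕ opad), which is in(k) resp. out(k) of the definition."""
    kb = hmac_key_block(k, H)
    inner = H(xor(kb, IPAD) + m).digest()
    return H(xor(kb, OPAD) + inner).digest()


def matches_stdlib(k: bytes, m: bytes) -> bool:
    """Cross-check against Python's hmac module (RFC 2104)."""
    return hmac.compare_digest(hmac_from_formula(k, m),
                               hmac.new(k, m, hashlib.sha256).digest())


def hmac_verify(k: bytes, m: bytes, tag: bytes) -> bool:
    """Vrf with a constant-time comparison, so verification does not leak
    through timing which prefix of a wrong tag was correct."""
    return hmac.compare_digest(hmac_from_formula(k, m), tag)


if __name__ == "__main__":
    print(hmac_from_formula(b"Jefe", b"what do ya want for nothing?").hex())
    print(matches_stdlib(b"Jefe", b"what do ya want for nothing?"))
```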


p.216 – Hash-based MAC (HMAC)
• Before NMAC and HMAC, several ad-hoc solutions for constructing
MACs were used.
For instance, given a (hash) function H : {0, 1}∗ → {0, 1}l , the tag
was defined to be Mack (m) := H(k||m), i.e. the outer encryption
used in NMAC and HMAC is missing.
• Ex: Assume a PRF F with, for simplicity, n = lin(n) = lout(n).
Using the padding function pad(m) := m||10^p||⌊|m|⌉,
set Mack(m) := H(k||m) := F^*_k(pad(m)) for k ∈ {0, 1}^n.
Show that Mack(m) is not secure.
Hint: Recall that the outer encryption used by NMAC and HMAC is
to restrict the adversary to prefix-free queries.
p.217 – Birthday (collision) attacks on MACs
• As mentioned, CBC-MAC, NMAC, and HMAC can essentially be
treated as a PRF F^ext built from some “small” PRF F of fixed
output length lout.
. For secret random key k, Eve therefore cannot detect if we replace
F^ext by RO.
. The prob. that, within q distinct messages, two messages have the
same MAC tag (“collision”) is thus again asymp. $\binom{q}{2} \cdot 2^{-l_{out}}$.
. But this neglects the underlying “small” PRF F:
Hence, a safer bound on the collision prob. should take for q
the total number of data blocks processed.
. Because of this, current recommendations (see here):
• SHA-256 (lout = 256) instead of SHA-1 (lout = 160) for HMAC.
• AES (lout = 128) instead of DES (lout = 64) for CBC-MAC.

p.218 – Other MAC schemes

• Lots of variants of CBC-MAC: CMAC, XCBC
Most significant changes to “CBC-MAC + prefix-free padding”:
• From a single truly random key k two or more pseudorandom keys are
obtained by using Fk as a PRG.
• Depending on whether the given message is a multiple of the block
length or not, a different pseudorandom key is used for permuting the
last message block.
• PMAC (parallelizable)
• Carter-Wegman MACs [30], e.g., UMAC (parallelizable)
• Based on the idea of universal hashing. See the following exercise.
p.219 – Carter-Wegman MACs
• Ex: Let A, B be finite sets and H some finite set of functions from A
to B. H is called strongly 2-universal if for every two distinct
a1, a2 ∈ A and any two (not necessarily distinct) b1, b2 ∈ B the number of
functions f ∈ H with f(a1) = b1 ∧ f(a2) = b2 is exactly |H|/|B|^2.
1 Let p be a prime. Zp is then a field w.r.t. addition and multiplication
modulo p (simply think of R).
For c, d ∈ Zp, let l_{c,d}(x) := (c · x + d) mod p be the line with slope c
and y-intercept d. Set A = B = Zp and H = {l_{c,d} | c, d ∈ Zp}.
Show that H is strongly 2-universal.
2 Consider the following experiment:
• Alice&Bob choose a prime p and then c, d ∈u Zp.
They pass p directly to Eve and grant her a single oracle query m to
l_{c,d}.
• Eve returns at some point m' and y'.
. Eve wins iff m ≠ m' and l_{c,d}(m') = y'.
What is Eve’s probability to win?
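An added example, not from the slides, that turns the definition of strong 2-universality into an exhaustive check for small parameters: it counts, for every pair of distinct inputs and every pair of outputs, the functions of a family that agree with both, and compares the count with |H|/|B|^2. It is run on the line family H = {l_{c,d}} over Z_p of part 1 and, for contrast, on the family of lines through the origin, which is too small to satisfy the property. Function names and the choice of p are this example's own; the probability asked for in part 2 is not computed here.

```python
from itertools import product


def lines_mod_p(p: int):
    """H = { l_{c,d} : x -> (c*x + d) mod p } represented by its (c, d) pairs."""
    return [(c, d) for c in range(p) for d in range(p)]


def slopes_only_mod_p(p: int):
    """Contrast family { x -> c*x mod p }: the lines through the origin."""
    return [(c, 0) for c in range(p)]


def eval_line(cd, x: int, p: int) -> int:
    c, d = cd
    return (c * x + d) % p


def count_agreeing(family, evaluate, a1, b1, a2, b2) -> int:
    """Number of f in H with f(a1) = b1 and f(a2) = b2."""
    return sum(1 for f in family if evaluate(f, a1) == b1 and evaluate(f, a2) == b2)


def is_strongly_2_universal(family, evaluate, A, B) -> bool:
    """Exhaustive check of the definition: for all distinct a1, a2 in A and all
    b1, b2 in B the count must equal |H| / |B|^2."""
    expected = len(family) / len(B) ** 2
    return all(count_agreeing(family, evaluate, a1, b1, a2, b2) == expected
               for a1, a2 in product(A, A) if a1 != a2
               for b1, b2 in product(B, B))


def one_time_tag(cd, m: int, p: int) -> int:
    """The tag of the experiment in part 2: y = l_{c,d}(m) under the one-time
    key (c, d); each key pair must be used for a single message only."""
    return eval_line(cd, m, p)


if __name__ == "__main__":
    p = 7
    ev = lambda f, x: eval_line(f, x, p)
    print("lines:", is_strongly_2_universal(lines_mod_p(p), ev, range(p), range(p)))
    print("slopes only:", is_strongly_2_universal(slopes_only_mod_p(p), ev, range(p), range(p)))
    print("tag of 3 under (2, 5):", one_time_tag((2, 5), 3, p))
```

For the line family the count is always exactly one, which is the geometric fact that two points with distinct x-coordinates determine a unique line over a field; the check is a sanity test for small p, not a replacement for the proof asked for in part 1.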


Tweakable block ciphers
p.221 – Tweakable block ciphers
• Recall: CBC mode t^(i) = Fk(m^(i) ⊕ t^(i−1))
. Alternative view:
CBC transforms F into Fk[t](m) := Fk(m ⊕ t) where t is called the
tweak.
• If F is a PRP (secure block cipher),
then “F-rCBC-then-F-CBC-MAC” is CCA-secure.
. Ideally, we would like to reuse the similarities in F-rCBC and
F-CBC-MAC to speed up the whole computation, but:
. F-rCBC: the IV has to be random, all tweaks t^(i) have to be made
public.
. F-CBC-MAC: the IV has to be fixed, the intermediate tweaks t^(i) have
to be kept secret.
. We first need to compute Enc_{kEnc}(m), only then we may compute
Mac_{kMac}(Enc_{kEnc}(m)).
p.222 – Tweakable block ciphers

• Definition: A tweakable block cipher (TBC) F of block-length l
defines for any secret n-bit key k and any public tweak t ∈ T a
permutation Fk[t] on {0, 1}^l.
. In order to unify and simplify the treatment of ESs and MACs,
security should only depend on the secrecy of k.
That is, for any two distinct tweaks t, t', an efficient adversary should
not be able to distinguish the permutations Fk[t] and Fk[t'] (where
k ∈u {0, 1}^n is secret) from independently chosen random
permutations.
p.223 – Tweakable block ciphers
• Definition: Let F be a TBC with tweak space T.
1 Alice&Bob set up two oracles O0 and O1:
O0: “tweaked random permutation oracle TRPO”
Init: create an empty hashmap P : T → RPO
Query: on input (t, x)
if P[t] is undefined: P[t] := new RPO
return P[t]→RPO(x)
O1: replies using F
Init: create k ∈u {0, 1}^n
Query: on input (t, x)
return Fk[t](x).
They toss a fair coin b ∈u {0, 1} and pass Ob in a black box O to Eve.
2 Eve runs D^O(1^n) to obtain a reply r.
. D wins iff r = b.
F is a secure TBC if any efficient distinguisher D has only negligible
advantage in above game (efficient: either PPT or (t, q, ε) formalism).
. Example: Set Fk[t](x) := Fk(x ⊕ t).
Consider then D which replies 1 iff O(0^n, 0^n) = O(1^n, 1^n).
p.224 – Tweakable block ciphers

• Remark: As “secure TBC” generalizes PRP, “strong TBC”
generalizes strong PRP, i.e. in case of a strong TBC, the oracle also
computes the inverse Fk[t]^{-1}(x) for any (t, x) chosen by D.
• The notion of TBCs and their security was first introduced by Liskov,
Rivest, and Wagner in [60] who observed that many existing
constructions had already been using this idea implicitly.
• Theorem [60]: If F is a (t, q, ε)-PRP,
then Fk(t ⊕ Fk(m)) is a (t, q, ε + Θ(q^2/2^l))-secure TBC.
• [60] also shows how to turn a strong (t, q, ε)-PRP into a strong TBC.
• Disadvantage: double encryption of every message block.
• Ex**: Is Fk[t](m) := F_{Fk(t)}(m) a secure TBC if F is a PRP?


p.225 – Tweakable block ciphers
• A more practical construction of a strong TBC is the
XEX-construction (see [81]) used e.g. by TrueCrypt and OCB/PMAC:
. The data m is uniquely partitioned into blocks of data m_{N,i}:
N: data unit index; i: block index within the data unit.
. For F a block cipher of block length l set:
Fk[N, i](x) := Δ ⊕ Fk(Δ ⊕ x) where Δ = Fk(N) · 2^i.
. The product Fk(N) · 2^i is calculated in GF(2^l) assuming 2 ≙ X is a
primitive root (see appendix).
. If Fk[N, i] is a secure TBC, then each block is essentially processed
by its own RPO which is independent of all other blocks.
• Note that Δ is independent of m and can thus be precomputed for
each tweak (N, i).
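An added example, not code from [81] or from the slides, for the tweak arithmetic of the XEX construction: multiplication by 2 = X in GF(2^128) with the reduction polynomial X^128 + X^7 + X^2 + X + 1 (the field used by XTS and OCB; that it is the same field as in the appendix is an assumption), the precomputable schedule Δ_i = F_k(N)·2^i obtained by repeated doubling, and the block transform Δ ⊕ E(Δ ⊕ x) with its inverse. The stand-in for the block cipher E_k is a keyed xor-and-rotate permutation that is trivially invertible and is not a PRP; it exists only so that the round trip can be exercised. All names are this example's own.

```python
MASK128 = (1 << 128) - 1
POLY = 0x87   # X^7 + X^2 + X + 1: the low part of the GF(2^128) reduction polynomial


def gf128_double(x: int) -> int:
    """Multiply by 2 = X in GF(2^128): shift left and reduce if bit 128 falls out.
    An integer shift without the reduction would not stay inside the field."""
    if not 0 <= x <= MASK128:
        raise ValueError("not a 128-bit field element")
    x <<= 1
    if x >> 128:
        x = (x & MASK128) ^ POLY
    return x


def gf128_mul(a: int, b: int) -> int:
    """General field multiplication (shift-and-add), used to cross-check doubling."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = gf128_double(a)
        b >>= 1
    return r


def xex_deltas(fk_n: int, count: int):
    """Δ_i = F_k(N)·2^i for i = 1..count by repeated doubling: one block-cipher
    call per data unit, then one shift-and-xor per block, all independent of m."""
    out, d = [], fk_n
    for _ in range(count):
        d = gf128_double(d)
        out.append(d)
    return out


def xex_encrypt_block(E, fk_n: int, i: int, x: int) -> int:
    """F_k[N, i](x) = Δ ⊕ E(Δ ⊕ x) with Δ = F_k(N)·2^i; fk_n is F_k(N)."""
    delta = xex_deltas(fk_n, i)[-1]
    return delta ^ E(delta ^ x)


def xex_decrypt_block(E_inv, fk_n: int, i: int, y: int) -> int:
    """Inverse of the above: the tweak mask is applied on both sides again."""
    delta = xex_deltas(fk_n, i)[-1]
    return delta ^ E_inv(delta ^ y)


def toy_perm(key: int, x: int) -> int:
    """Placeholder for E_k: xor with the key, then rotate left by 13 bits.
    Invertible, but NOT a PRP; it only lets the tweak arithmetic be exercised."""
    x ^= key
    return ((x << 13) | (x >> 115)) & MASK128


def toy_perm_inv(key: int, y: int) -> int:
    y = ((y >> 13) | (y << 115)) & MASK128
    return y ^ key


if __name__ == "__main__":
    key = 0x0123456789abcdef0123456789abcdef          # constructed sample key
    fk_n = 0xfedcba9876543210fedcba9876543210         # constructed sample F_k(N)
    x = 0x00112233445566778899aabbccddeeff
    y = xex_encrypt_block(lambda v: toy_perm(key, v), fk_n, 5, x)
    print(hex(y), xex_decrypt_block(lambda v: toy_perm_inv(key, v), fk_n, 5, y) == x)
    print([hex(d) for d in xex_deltas(1 << 126, 2)])   # ['0x8000...', '0x87']
```

The only field operation XEX needs per block is gf128_double, which is why the tweak schedule is cheap; gf128_mul is included so that the doubling can be checked against a general multiplication on the reduction boundary (2 · 2^127 = X^128 = X^7 + X^2 + X + 1).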
p.226 – TBC example: OCB-mode

Taken from http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm

• Check above link for the most current revision.
• Designed for block length 128 bit.
• Allows to also authenticate “associated data A” along with the actual
message m.
. If A = ε, then Auth = 0^{128}.
• Left (right): length of A is (not) a multiple of block length.
p.227 – TBC example: OCB-mode

Taken from http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm

• OCB requires a nonce N , e.g. a global message counter.

• Encryption if m is a multiple of the block length.

• Checksum := M1 ⊕ M2 ⊕ M3 ⊕ (M4 Pad[|M4 | , l]) for block length l.


p.228 – TBC example: OCB-mode

Taken from http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm

• Encryption if m is not a multiple of the block length.


Practical constructions of pseudorandom
permutations

DES, AES/Rijndael
p.230 – Reminder: asymptotic vs. concrete bounds

• We have used asymptotic definitions of PRF, PRP, PRG,
“negligible”, PPT so far.
• Idea: we can choose the security parameter (key length) n so large that
all known efficient attacks are only slightly better than guessing.
• For block ciphers like AES or DES n is fixed.
. We need to resolve asymptotics
• by introducing concrete bounds on the used resources like time t and
oracle queries q, and the advantage ε.
• by making concrete assumptions on the security of the block cipher.
• by deducing from the proofs of security the concrete relation between
e.g. an encryption scheme and the used block cipher.
p.231 – Reminder: asymptotic vs. concrete bounds
• Example: Let B be a block cipher of key length n, block length l(n).
• Based on the currently known attacks on B, we conjecture that for
any adversary D running in time t and making q oracle queries:
$\Big|\Pr[\mathrm{Win}^{IndPRF}_{n,F[B]}(D_{t,q})] - \tfrac{1}{2}\Big| \le c_1 \cdot \frac{t/T_B}{2^n} + c_2 \cdot \frac{q^2}{2^l}$
where T_B is the time needed to compute Bk(x) and c1, c2 are constants
which model the concrete hardware used by the adversary.
. The first term essentially treats the case of a brute force attack:
The more keys we test, the likelier it is that we succeed in finding the
correct key and, thus, in distinguishing the block cipher from a RO.
. The second term q^2 2^{-l} essentially says that we can distinguish a
block cipher from a RO by waiting for a collision.
• Recall: PRP as a PRF.
p.232 – Reminder: asymptotic vs. concrete bounds
Alice&Bob                        D                               sub: A
b ∈u {0, 1}
b = 0: O := RO
b = 1: k ∈u {0, 1}^n; O := F_k
pass O to D
                                 (use O for Enc_k)
                                 run A^{Enc_k}(1^n)
                                                                 return (m_0, m_1) (|m_0| = |m_1|)
                                 b' ∈u {0, 1}
                                 c = Enc_k(m_{b'})
                                 run A^{Enc_k}(1^n, c)
                                                                 return r'
                                 return r := (r' =? b')

• Construction of distinguisher D from CPA-attack A on F-rCTR.
. D essentially runs in the same time as A.
. We showed:

|Pr[WinIndCPA_{n,F-rCTR}(A)] − 1/2| ≤ 2 · |Pr[WinIndPRF_{n,F}(D)] − 1/2| + q(n)^2/2^{l(n)}
p.233 – Reminder: asymptotic vs. concrete bounds

. Based on our assumption on B, we obtain from the proof of rCTR
the concrete security guarantee that for any (t', q)-adversary A_{t',q}
attacking B-rCTR in the CPA-setting:

|Pr[WinIndCPA_{n,B-rCTR}(A_{t',q})] − 1/2| ≤ c_1 · (t'/T_B)/2^n + c_2 · q^2/2^l + q^2/2^l

where t' ≈ t.
. Decide whether the deduced security bound is good enough for you.
Data Encryption Standard (DES)
p.235 – Data encryption standard (DES)
• DES = data encryption standard

• In 1973, NBS (now NIST) on behalf of the NSA solicited proposals
for a cipher based on Kerckhoffs’s principle that the security is based
solely on the secrecy of the key.
• All initial submissions were deemed unsuitable which led to a second
round in 1974.
• This time IBM submitted a design based on Feistel’s Lucifer cipher.
• Depending on the source
• “We developed the DES algorithm entirely within IBM using IBMers.
The NSA did not dictate a single wire!”
• “NSA convinced IBM that a reduced key size was sufficient; indirectly
assisted in the development of the S-box structures”
• See the links on Wikipedia (English and German).

• But nobody believes that the NSA has introduced any “backdoor” into
DES.
p.236 – DES: Feistel network
• DES is basically a 16-round Feistel network FN_{f^(1),...,f^(16)} with
input/output length 64 bits except for the following:
1 An initial permutation IP is applied to the input before the FN.
2 The two halves of the output of the FN are swapped afterwards. (See ex.)
3 Finally, IP^{−1} is applied.
• The functions f^(i) are obtained from the DES mangler function f̂ and
a 48-bit round-key k^(i), i.e., f^(i) := f̂_{k^(i)}.
• The mangler function f̂ can be understood as a PRF with l = 32.
• The round-keys k^(i) are generated deterministically from k by
duplicating bits of k.
• Think of it as a PRG which stretches k to a 16 · 48-bit string.
• We won’t discuss the details of the generation of k^(i).

• The initial permutation is of no cryptographic use.

• See the NIST specification [74] for implementation details.


p.237 – DES: Feistel network

Taken from [74]


p.238 – DES: Mangler function

• Input:
• R the “right half” of the current Feistel round (32 bits),
• K the current round key (48 bits).
• Steps:
1 Expansion of R to 48 bits: denoted by E(R); E(·) simply duplicates
half of the bits of R.
2 Compute T := E(R) ⊕ K.
3 Partition T into 8 blocks of 6 consecutive bits,
i.e., T = T^(1) . . . T^(8) with |T^(i)| = 6.
4 Feed T^(i) to the i-th S-box: U^(i) := S_i(T^(i)) with |U^(i)| = 4.
5 Apply a final permutation P to U = U^(1) . . . U^(8).


p.239 – DES: Mangler function

Taken from [74]


p.240 – DES: Substitution-boxes (S-boxes)

• Take 6 bits as input, output 4 bits.
• The security of DES crucially depends on the choice of the
substitution-boxes (S-boxes).
• It was shown that small changes to them or a random choice of
them leads to vulnerabilities.
• Designed to make differential cryptanalysis useless (later).
• S-boxes are usually implemented via 2^2 × 2^4 look-up tables:
• The first and the last input bit determine the row,
• while the inner bits (2–5) determine the column.
• Every cell contains a 4-bit output.


p.241 – DES: Substitution-boxes (S-boxes)

taken from here

• S-boxes are defined in such a way that:
1 each row in the table is a permutation of {0, 1}^4.
. hence, exactly four inputs are mapped to the same output (2^6/2^4 = 4).
2 Changing one input bit always changes at least two output bits.
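An added example, not code from the lecture notes, that implements the row/column look-up rule above and checks both design properties on S_1. The table is the first S-box of the DES standard [74]; the function names are my own.

```python
# Added example (not from the lecture notes): DES S-box look-up and a
# check of the two design properties stated on the slide, run on S1.
# S1 is the first DES S-box as published in the DES standard (FIPS 46).
# Rows are indexed by the outer two input bits, columns by the inner four.

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(table, x):
    """Apply a 6-bit -> 4-bit DES S-box to x (0 <= x < 64).

    Bit 5 of x is the first input bit and bit 0 the last one, so the
    6-bit string b1 b2 b3 b4 b5 b6 is read as a number in the usual way.
    """
    assert 0 <= x < 64
    row = (((x >> 5) & 1) << 1) | (x & 1)   # first and last input bit
    col = (x >> 1) & 0b1111                 # inner bits 2..5
    return table[row][col]


def rows_are_permutations(table):
    """Property 1: every row is a permutation of {0,1}^4."""
    return all(sorted(row) == list(range(16)) for row in table)


def preimage_sizes(table):
    """Consequence of property 1: every 4-bit output has 2^6 / 2^4 = 4 preimages."""
    counts = [0] * 16
    for x in range(64):
        counts[sbox_lookup(table, x)] += 1
    return counts


def min_output_distance(table):
    """Property 2: the smallest Hamming distance between the outputs of two
    inputs that differ in exactly one bit (the design criterion demands >= 2)."""
    best = 4
    for x in range(64):
        for i in range(6):
            y1 = sbox_lookup(table, x)
            y2 = sbox_lookup(table, x ^ (1 << i))
            best = min(best, bin(y1 ^ y2).count("1"))
    return best


if __name__ == "__main__":
    print("rows are permutations:", rows_are_permutations(S1))
    print("preimage sizes:", preimage_sizes(S1))
    print("min output distance for a 1-bit input change:", min_output_distance(S1))
```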
p.242 – DES: Substitution and diffusion
• Recall:
. The ideal to which we compare a block cipher is a RO.
. A RO outputs two independent random strings y, y' ∈u {0, 1}^n even
when the inputs differ only in a single bit.
. The expected number of bits in which y, y' differ is then n/2 because
of the linearity of the expectation.
• The S-boxes amplify a single bit difference within a single 6-bit block.
(Confusion by substitution)
• The permutation P spreads the differences introduced by the S-boxes
into at least two other 6-bit blocks processed by different S-boxes in
the next round. (Diffusion by permutation)
. Subsequent rounds guarantee that small changes to the original
plaintext influence all output bits eventually. (DES avalanche effect)
p.243 – DES: Avalanche effect

• Let (L_i, R_i) denote the left/right halves fed to the Feistel network in
the i-th round.
• Consider a second computation (L'_i, R'_i) such that L_0 = L'_0 while R_0
and R'_0 differ in exactly a single bit, where the same key is used in
both computations.
• In the first round, the mangler function is applied to R_0, resp. R'_0.
• Assume the expansion function only duplicates bits on which both
agree.
• As the round-key is deterministic, T := E(R_0) ⊕ K and
T' := E(R'_0) ⊕ K still differ in exactly one bit.
p.244 – DES: Avalanche effect

• Assume the difference is in the first block of T resp. T'.
• By its design, the output of S_1 differs in at least two bits.
• P is defined in such a way that the two differences in the first block
are spread into two different blocks, e.g., into the second and third
block.
• Hence, the results of the first round (L_1, R_1) and (L'_1, R'_1) will differ in at
least three bits as L_1 := R_0 and L'_1 := R'_0.
• A single bit difference is expected to influence all 64 bits in the worst
case after roughly eight rounds. [56]
• As in the case of the S-boxes, it was shown that if P is replaced by a
randomly chosen permutation, then (with high prob.) the avalanche
effect is much weaker.
p.245 – Detour: Confusion-diffusion paradigm
• In [84], besides introducing perfect secrecy, Shannon also suggested a
principle for designing ciphers which are hard to analyze using
“statistical” methods:
• Confusion:

“The method of confusion is to make the relation between the simple


statistics of [the intermediate ciphertext] c and the simple description
of k a very complex and involved one.”
• Diffusion:

“In the method of diffusion the statistical structure of m which leads


to its redundancy is dissipated into long range statistics[...].”
• In modern block ciphers, confusion is achieved via S-boxes, while
diffusion is achieved via a suitable permutation.
• Often the intermediate ciphertext is obtained by xor’ing a round key
derived from the actual key to the given input.
• Their combination is called a substitution-permutation network.
p.246 – DES: Security
• Attacks on reduced-round versions:
• When less than 16 rounds of the FN are used, attacks exist which not
only obtain the plaintext, but also the key.
• See [56] for attacks on 1/2/3-rounds.
• There exists an attack on 9-round DES using 2^15.8 plain-/ciphertext
pairs (same key) which only needs to consider 2^29.2 keys.
• Today the key space of DES is considered too small:
• Already in 1998 specialized hardware (cost USD 250,000) solved the
DES Challenge II-2 in 56h.
• Using cheaper reconfigurable hardware, enumerating all keys took
34h/68h in 2009.
• Also the short block length can be a problem:
• E.g., recall rCTR and the problem of a collision in the counter value.
• Probability for a collision within q encryptions: Θ(q^2/2^l)
. The “effective” block length is halved.


p.247 – DES: Security
• Ex: As both the expansion and the round-key generation only
duplicate input bits, one can show that

DES_{k̄}(m̄) = c̄ where c = DES_k(m) and x̄ denotes the bitwise complement of x,

reducing the key space to 2^55 under a chosen-plaintext attack.
• In general, given two keys k_1, k_2 one cannot find a third key k_3
s.t. DES_{k_1}(DES_{k_2}(·)) = DES_{k_3}(·).
• For DES, the following keys are considered “weak”:
• Keys k which produce sixteen identical round keys s.t.
DES_k(DES_k(m)) = m.
• Keys which produce only two distinct round keys, each of the two used
eight times.
These keys form pairs (k_1, k_2) s.t. DES_{k_1}(DES_{k_2}(m)) = m.
• See wikipedia for a list of all (semi-)weak keys.
p.248 – DES: Differential cryptanalysis
• Attributed to Biham and Shamir [18], although claimed to be known
to the DES designers and the NSA already in the 1970’s.
• Basic idea for block cipher F:
1 Choose δ_i, δ_o ∈ {0, 1}^n (with n the output length).
2 Define p(δ_i, δ_o) by Pr_{m,k}[F_k(m) ⊕ F_k(m ⊕ δ_i) = δ_o].
. I.e., p(δ_i, δ_o) is the prob. that a random plaintext pair of difference δ_i
yields a ciphertext pair of difference δ_o when encrypted using a random
key.
• Usually, p(δ_i, δ_o) is not precomputed using brute-force; instead, e.g.,
the S-boxes are analyzed.
• For badly designed S-boxes (confusion), some difference pairs appear
with higher prob. than other pairs.
• Using a sufficient number of chosen plaintexts, these small differences
can be sufficiently amplified, allowing one to break the cipher.
• FEAL is susceptible to this attack.
• FEAL is susceptible to this attack.
p.249 – DES: Differential cryptanalysis

• In the case of DES, 2^47 chosen plaintexts are needed, which makes
the attack less practical than brute-force key search.
• See [18] for more details:
• If one chooses all round keys at random, i.e., one uses a random key of
16 · 48 bits, differential cryptanalysis allows to break DES using “only”
2^61 chosen-plaintext pairs, i.e., a significantly larger key space of 768-bit
keys only yields a small increase in security compared to the 56-bit keys
used by DES w.r.t. differential cryptanalysis.
• The S-boxes can be reordered in such a way that DES can be broken
within 2^46 chosen-plaintext pairs.
• “Corollary”: Never assume that a “simple” change to a good
cryptographic algorithm/protocol yields again a good one.
p.250 – DES: Linear cryptanalysis

• Attributed to Matsui, published in 1992 [62]

• Also used to attack the FEAL cipher.


• Basic idea for block cipher F:
• Study “linear” relations between particular input, output, and key bits.
• I.e., choose subsets I_i, I_o, I_k of input/output/key bits and compute
the “bias” p(I_i, I_o, I_k):

Pr_{m,k,c:=F_k(m)}[ ⊕_{i∈I_i} m_i ⊕ ⊕_{i∈I_o} c_i ⊕ ⊕_{i∈I_k} k_i = 0 ]

• Linear cryptanalysis tries to approximate the nonlinear behavior of
S-boxes using linear functions.
p.251 – DES: Linear cryptanalysis

• Matsui shows how to obtain the key from a sufficient set of known
plain-/ciphertext pairs encrypted using the same key.
• Differential cryptanalysis requires the attacker to be able to choose the
plaintexts.
• In case of DES, the attack still requires 2^43 known pairs.

• See [62] for more details.


p.252 – DES: Multiple encryptions

• Because of the absence of any practical attacks against DES (better
than exhaustive search), the short key length is considered the only
real shortcoming of DES.
• At least when its block length does not matter.
. Recall that for MAC schemes and some modes of operation the block
length determines the feasibility of a birthday attack.
• 3DES is an attempt to fix this using three keys k_1, k_2, k_3 to define the
block cipher:

3DES_{k_1,k_2,k_3}(x) := DES_{k_3}(DES^{−1}_{k_2}(DES_{k_1}(x)))
p.253 – DES: Multiple encryptions
• Keying options:
1 k_1, k_2, k_3 are chosen at random and independently of each other.
This option is susceptible to a “meet-in-the-middle attack” reducing
the effective key length to 2^{2n} at the cost of a constant number of
known¹ plain-/ciphertext pairs and O(2^{2n}) memory:
. Given a plain-/ciphertext-pair (m, c), (i) precompute
r(k_1, k_2) := DES^{−1}_{k_2}(DES_{k_1}(m_i)), (ii) precompute l(k_3) := DES^{−1}_{k_3}(c_i),
(iii) search for r(k_1, k_2) = l(k_3).
2 k_1, k_2 are chosen at random and independently of each other with
k_3 := k_1.
Currently, only an (inefficient) chosen-plaintext attack using 2^n pairs
and reducing the key space to 2^n is known. (See here.)
3 k_1 is chosen at random with k_2, k_3 := k_1.
This option is used for backward compatibility and explains the inner
decryption step as 3DES_{k,k,k}(x) = DES_k(x).
¹ I.e., Alice and Bob choose the pairs, not Eve.
p.254 – DES: Multiple encryptions

• 3DES is still considered a very strong block cipher and widely used
today.
• The main drawbacks are the short block size (just as DES) and that
it is quite slow.
• Faster and still conjectured secure w.r.t. the key space [58]:

DESX_{k_o,k_i,k}(m) := k_o ⊕ DES_k(m ⊕ k_i) with k_i, k_o ∈ {0, 1}^64.

. Still, this does not fix the block length.
• Main motivation for AES: fast block cipher with larger block length.
Advanced Encryption Standard (AES)
p.256 – AES: advanced encryption standard

• Based on the Rijndael cipher by Joan Daemen and Vincent Rijmen.

• Winner of a three round contest held by the NIST (1997-2000).

• All submissions were open to the public, checked by competing


proposers, and the winner was selected from five finalists:
Rijndael, Serpent, Twofish, RC6, MARS
• For more details on the AES selection process see e.g. NIST or here.
p.257 – AES/Rijndael: Outline
• Rijndael is a substitution-permutation network.
• Recall the DES-mangler function is a single-round s/p network.

• The specification of Rijndael [36] allows to set the block and key
length independently of each other to 128/192/256 bits.
• AES only differs from Rijndael by fixing the block length to 128 bits.
(See also the specification of AES [73].)
• The number of rounds the s/p-network is repeated depends on the
chosen key and block lengths and is defined in the specification.
• The number of rounds was chosen based on the analysis of known
attacks like differential/linear cryptanalysis.
• In case of the AES combinations, the number of rounds is 10/12/14.
(There is some criticism regarding the number of rounds for key
lengths 192/256.)
• The specification also discusses possible extensions to arbitrary block
and key lengths (see section 12.1 of [36]).
p.258 – AES/Rijndael: Outline

• The basic structure of Rijndael is a substitution-permutation network
similar to the DES mangler function:
. The intermediate ciphertext is again obtained by xor’ing a round key
to the given input. (AddRoundKey)
• The round keys are obtained from the secret key by essentially using
the S-box (below) as a PRG, i.e., w/o a secret key.
• See the specification for further details on AddRoundKey.
. A single 8-bit S-box is then used for achieving confusion. (SubBytes)
. The permutation for achieving diffusion is split into two permutations.
(ShiftRows, MixColumns)
p.259 – AES/Rijndael: Outline
• The complete s/p network for N_r rounds²:

(AddRoundKey → SubBytes → ShiftRow → MixColumn)^{N_r−1}
→ AddRoundKey → SubBytes → ShiftRow → AddRoundKey.

. The final xor’ing of a round key is required in order to prevent an
adversary from easily reverting SubBytes → ShiftRow.
• In DES, the S-boxes (the mangler function) are not invertible as they
are not injective.
The Feistel network then guarantees that DES is invertible.
• In AES, the S-box itself is already invertible.
The definition of the S-box uses the multiplicative inverse in the field
GF(2^8).
² In the AES/Rijndael specification a “round” consists of
SubBytes → ShiftRow → MixColumn → AddRoundKey. But this obfuscates the
similarities shared with the DES mangler function.
p.260 – AES/Rijndael: Crash course GF(28 )
• Carrier: polynomials Σ_{i=0}^{7} a_i X^i with coefficients in Z_2.
Succinct representation: either as bit string, e.g. a_0 a_1 . . . a_7, or as
natural number Σ_{i=0}^{7} a_i 2^i.
Example: X + X^4 =̂ 01001000 =̂ 18 and 1 + X^2 + X^4 =̂ 10101000 =̂ 21.
• Addition: First add polynomials as usual, then reduce modulo 2.
Example: 18 + 21 = 7 in GF(2^8).
That is, simply bit-wise xor a_0 a_1 . . . a_7 and b_0 b_1 . . . b_7.
• Multiplication: First multiply polynomials as usual, then reduce
modulo 2 and m(X) = 1 + X + X^3 + X^4 + X^8.
Example: 18 · 21 = 97 and 3^2 = 5 in GF(2^8).
• Multiplicative inverse: Can be computed using the extended
Euclidean algorithm.
Example: 18^{−1} = 170 in GF(2^8).
p.261 – AES/Rijndael: SubBytes
• The single S-box used by Rijndael is a permutation on 8-bit strings.
• Recall that in DES the S-boxes are 4-to-1 functions, i.e., not invertible.
• The S-box is defined as follows:
• Let b = b_0 . . . b_7 be the eight input bits.³
1. First determine a = a_0 a_1 . . . a_7 ∈ {0, 1}^8 s.t.

(Σ_{i=0}^{7} b_i · X^i) · (Σ_{i=0}^{7} a_i · X^i) ≡ 1 (mod 2, 1 + X + X^3 + X^4 + X^8).

2. The output s = s_0 . . . s_7 of the S-box is obtained from a via a
permutation (with c_i defined in the specification):

s_i := a_i ⊕ a_{i+4 mod 8} ⊕ a_{i+5 mod 8} ⊕ a_{i+6 mod 8} ⊕ a_{i+7 mod 8} ⊕ c_i.

Ex: Show that this step is invertible.
³ AES/Rijndael uses the reversed bit order.
p.262 – AES/Rijndael: SubBytes

• The basic goal of step 1 is to introduce a nonlinear operation which
e.g. complicates differential and linear cryptanalysis.
. Formally, it consists of calculating the multiplicative inverse of b when
interpreted as an element of GF(2^8) represented using the irreducible
polynomial m(X) = 1 + X + X^3 + X^4 + X^8.
See the appendix for details.
• The second step is an invertible affine transformation which
adds/averages particular bits.
. Stated goal: Should make the algebraic description of the
combination of both steps difficult.
. Changing the bit a_i will lead to a change in
s_i, s_{i−4 mod 8}, s_{i−5 mod 8}, s_{i−6 mod 8}, s_{i−7 mod 8}.
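An added example, my own code and not from the lecture notes or the Rijndael specification, for the GF(2^8) arithmetic of p.260 and the two S-box steps of p.261/262. It assumes the representation of the slides (bit i is the coefficient of X^i), the constant c = 0x63 of the AES specification, and the specification's convention that the inverse of 0 is 0.

```python
# Added example (not from the lecture notes): GF(2^8) arithmetic in the
# representation of the slides (bit i = coefficient of X^i, reduction
# modulo m(X) = 1 + X + X^3 + X^4 + X^8) and the Rijndael S-box built
# from it. c = 0x63 is the affine constant of the AES specification,
# which also defines the "inverse" of 0 to be 0.

M_X = 0x11B  # 1 + X + X^3 + X^4 + X^8 as a bit string (bit 8 set)


def gf_add(a, b):
    """Addition in GF(2^8): coefficient-wise modulo 2, i.e. xor."""
    return a ^ b


def gf_mul(a, b):
    """Multiply, then reduce modulo 2 and m(X) ("shift-and-add")."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:          # degree 8 reached: subtract (xor) m(X)
            a ^= M_X
    return p


def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^8)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse. GF(2^8)* has 255 elements, so a^255 = 1 and
    a^254 = a^(-1) (the lemma a^(lambda-1) = a^(-1) of the group chapter).
    0 has no inverse; AES maps it to 0."""
    return 0 if a == 0 else gf_pow(a, 254)


def affine(a, c=0x63):
    """Step 2 of SubBytes: s_i = a_i + a_{i+4} + a_{i+5} + a_{i+6} + a_{i+7} + c_i,
    indices taken modulo 8."""
    s = 0
    for i in range(8):
        bit = 0
        for off in (0, 4, 5, 6, 7):
            bit ^= (a >> ((i + off) % 8)) & 1
        s |= bit << i
    return s ^ c


def sub_byte(b):
    """The complete Rijndael S-box: inverse in GF(2^8), then the affine map."""
    return affine(gf_inv(b))


def affected_output_bits(i):
    """Output bits of the affine map that change when input bit a_i is flipped.
    The map is affine, so the difference is affine(1 << i) xor affine(0)."""
    d = affine(1 << i) ^ affine(0)
    return sorted(j for j in range(8) if (d >> j) & 1)


def is_permutation(f, size=256):
    """True iff f maps {0, ..., size-1} bijectively onto itself."""
    return sorted(f(x) for x in range(size)) == list(range(size))


if __name__ == "__main__":
    print(gf_add(18, 21), gf_mul(18, 21), gf_mul(3, 3), gf_inv(18))  # 7 97 5 170
    print(hex(sub_byte(0x53)))          # 0xed, the worked example of the AES spec
    print(affected_output_bits(0))      # [0, 1, 2, 3, 4]
    print(is_permutation(sub_byte))     # True: SubBytes is invertible
```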
p.263 – From the Rijndael specifications:
p.264 – From the Rijndael specifications:

• Nyberg discusses in [Ny94] how to design S-boxes which, amongst


others, make differential and linear cryptanalysis difficult.
• See also S-Box Design: A Literature Survey.
p.265 – AES/Rijndael: ShiftRows and MixColumns
• Data representation used for ShiftRows and MixColumns:
. By definition, the block length equals 32 · N_b for N_b ∈ {4, 6, 8}.
. The N_b · 32-bit string manipulated in every round is called the state.
. AES/Rijndael interprets the state as a 4 × N_b matrix with 8-bit
entries.
. For simplicity, let N_b = 4 (as in AES). Then:

b_0 b_1 b_2 . . . b_126 b_127 =̂
  [ (b_0 . . . b_7)     . . .   (b_96 . . . b_103)  ]
  [        .                           .            ]
  [        .                           .            ]
  [ (b_24 . . . b_31)   . . .   (b_120 . . . b_127) ]
=:
  [ b_(0,0)  b_(0,1)  b_(0,2)  b_(0,3) ]
  [ b_(1,0)  b_(1,1)  b_(1,2)  b_(1,3) ]
  [ b_(2,0)  b_(2,1)  b_(2,2)  b_(2,3) ]
  [ b_(3,0)  b_(3,1)  b_(3,2)  b_(3,3) ]


p.266 – AES/Rijndael: ShiftRows and MixColumns
• ShiftRows:
• Consists of a predefined cyclic shift applied to each row ([36]):
• The choice of the shifts makes Rijndael resistant against specific
attacks [36].
• MixColumns:
• Every column is interpreted as a polynomial of degree 4 in GF(2^8)[X],
and then multiplied by a predefined polynomial
c(X) ∈ GF(2^8)[X]/(X^4 + 1).
• Besides diffusion, also efficient implementation influenced the design.

• Within two rounds full diffusion is achieved [36].


p.267 – From the Rijndael specifications:
p.268 – AES/Rijndael: Security

• Recently, an attack on full-round AES has been found which is roughly
four times faster than brute force enumeration of all keys, e.g. in case
of AES-128 instead of 2^128 only 2^124 computations are needed. [25]
• For AES-192/256 several related-key attacks are known:
• Several related secret keys, e.g. the most-significant bit of all keys is 1,
and the attacker knows or even may choose this relation.
• Using a related-four-key attack, where the relation is chosen by the
attacker, AES-256 can be broken in 2^99.5 steps.
. This is not considered to be a practical attack, but it is taken as a hint
that the number of rounds might be too small for key lengths 192/256.
p.269 – AES/Rijndael: Security

• Another concern is its simple algebraic formulation:
• The S-box can be completely described as a quadratic equation system
over GF(2^8) by embedding AES in a block cipher of block length
1024 bits [70].
• This in turn yields a quadratic equation system for the complete cipher
whose solution yields the key [70, 20].
• Currently, only side-channel attacks on concrete implementations of
AES pose a real risk.
See e.g. here for an overview, or here for a specific attack.
One-way functions and construction of PRGs
p.271 – Motivation

• Recap: NP
The class of all languages (decision problems) L ⊆ {0, 1}^* for which
we can decide x ∈? L nondeterministically in time polynomial in |x|.
. Example: The set of all satisfiable boolean formulas (SAT).
Given a formula φ, we can nondeterministically guess a satisfying
assignment in time polynomial in |φ|.
Currently, we do not know how to decide SAT deterministically in
polynomial time: in the worst case a SAT-solver runs in time
exponential in |φ|.
p.272 – Motivation
• For cryptography, we want something even stronger than worst case
super-polynomial run time:
One-way functions (OWF):
“Problems which have almost exclusively worst-case instances”
• Informally, existence of OWFs is necessary for cryptography as:

. For G a PRG, computing x given G(x) needs to be hard not only for
some x ∈ {0, 1}^n but for almost all except for a negl. fraction.
. For G-sCTR with G a PRG, computing the secret key k from known
plaintext-ciphertext pairs (m, c) (CPA setting) needs to be hard not
only for some k ∈ {0, 1}^n, but for almost all except a negl. fraction.
. For F a PRF, computing the secret key k from a known
input-output-pair (x, F_k(x)) needs to be hard not only for some
k ∈ {0, 1}^n but for almost all except a negl. fraction. Analogously for
F-MAC.
p.273 – Motivation

• Outlook:

. Theorem: If comp. secret ES with |K| < |M| exist, then OWF exist.
. Theorem: From any OWF we can build a PRG.
• Conjectured sources for OWFs?
. Mostly, problems related to computational number theory, e.g.:
• Integer factorization: Given N find its prime factorization.
• Discrete logarithm: Given a cyclic group ⟨g⟩ = G and y ∈ G, find
x ∈ Z s.t. g^x = y.
• RSA problem: Given N ∈ ℕ, e ∈ Z_{λ(N)} and y ∈ Z*_N, find x ∈ Z*_N s.t.
x^e ≡ y (mod N).
• Quadratic residues: Given N and y ∈ Z*_N, compute x ∈ Z*_N with
x^2 ≡ y (mod N) resp. decide if such an x exists.
Basics on finite cyclic groups and computational
number theory
p.275 – Notation
• Definition:

Let a, b, N ∈ Z with N > 0. Then:
. Z_N := {0, 1, 2, . . . , N − 1}.
. a|b if ∃k ∈ Z : b = k · a, i.e., if a divides b.
. a mod N is the unique k ∈ Z_N s.t. N | (a − k).
. gcd(a, b) := max{d ∈ ℕ | d|a ∧ d|b}.
. lcm(a, b) := min{m ∈ ℕ | m > 0 ∧ a|m ∧ b|m} = ab / gcd(a, b).
. Z*_N := {k ∈ Z_N | gcd(k, N) = 1}.
. ϕ(N) := |Z*_N| (Euler’s phi-function)
. a ≡ b (mod N), a ≡ b (N), and a ≡_N b short for
a mod N = b mod N.
p.276 – Extended Euclidean algorithm
• Given: Natural numbers 0 ≤ a ≤ b.
Goal: Compute integers (x, y) s.t. gcd(a, b) = xa + yb.
Algorithm:
• If a = 0, return (0, 1).
• If a = 1, return (1, 0).
• Else: Compute k = (b − (b mod a))/a s.t. b = ka + (b mod a).
Recursively compute (x', y') s.t. gcd(b mod a, a) = x'(b mod a) + y'a.
Return (y' − kx', x').
. Correctness: Obviously gcd(a, b) = gcd(b mod a, a).
Inductively: gcd(b mod a, a) = x'(b mod a) + y'a =
x'(b − ka) + y'a = (y' − kx')a + x'b.
Thus: y = x' and x = (y' − kx').
• Remark: There are at most 2 log_2 a many recursive calls.
p.277 – Extended Euclidean algorithm

• Example: recursive calls
• a_0 = 27, b_0 = 35: recursion (k_0 = 1).
• a_1 = 8, b_1 = 27: recursion (k_1 = 3).
• a_2 = 3, b_2 = 8: recursion (k_2 = 2).
• a_3 = 2, b_3 = 3: recursion (k_3 = 1).
• a_4 = 1, b_4 = 2: return (x_4, y_4) = (1, 0).
• Final result:

( −k_0  1 ) ( −k_1  1 ) ( −k_2  1 ) ( −k_3  1 ) ( x_4 )
(   1   0 ) (   1   0 ) (   1   0 ) (   1   0 ) ( y_4 )

Ex: Compute x, y for a = 23, b = 120.


p.278 – Group: Definition
• Definition: G =̂ ⟨G, ·, 1⟩ is a group if
1 · : G × G → G (closed under ·).
2 ∀a, b, c ∈ G : a · (b · c) = (a · b) · c (· associative).
3 ∀a ∈ G : a · 1 = 1 · a = a (1 is neutral).
4 ∀a ∈ G ∃b ∈ G : a · b = b · a = 1 (b inverse of a).
|G| is called the order of G; G is finite if |G| < ∞.
G is commutative (abelian) if a · b = b · a for all a, b ∈ G.
For every a ∈ G set ⟨a⟩ := {a^k | k ∈ Z} where
a^0 := 1, and for k ≥ 0: a^{k+1} := a^k · a and a^{−(k+1)} := a^{−k} · a^{−1}.
ord(a) := |⟨a⟩| is called the order of a (in G).
G is cyclic if there is some generator g ∈ G s.t. ⟨g⟩ = G.
p.279 – Group: Properties
• Notation: We write ab for a · b, and G for ⟨G, ·, 1⟩, if the group
operation is clear from the context.
• Lemma: Neutral element and inverse are unique in a group.
. Proof:
Assume ab = 1 = ac. Then b = b1 = b(ac) = (ba)c = c.
Assume a1' = a for all a. Then 1 = 1 · 1' = 1'.
• Notation: a^{−1} denotes the unique inverse of a in G.
• Corollary:
(i) (a^{−1})^{−1} = a,
(ii) (ab)^{−1} = b^{−1}a^{−1}, and
(iii) ⟨a⟩ = ⟨a^{−1}⟩.
p.280 – Group: Properties

• Lemma: Every cyclic group ⟨g⟩ is commutative.
. Proof: 1, g, g^{−1} always commute.
• Definition:
A subset H ⊆ G is a subgroup of G (short: H ≤ G) if
1 ∈ H, and H is closed under multiplication and inversion.
. Example: ⟨a⟩ is a commutative subgroup of G for any a ∈ G.
• Definition: Direct product G1 × G2 of two groups G1 , G2

Carrier: {(g1 , g2 ) | g1 ∈ G1 , g2 ∈ G2 }.
Group operation: componentwise.
Neutral element: componentwise.
p.281 – Example: Integers Z
• Z =̂ ⟨Z, +, 0⟩
. Infinite.
. Group operation: canonical addition.
. Cyclic: generated by 1, −1.
• Reminder:
For additive groups (group operation denoted by +), the inverse is
denoted by −a, and ⟨a⟩ becomes:

. . . , (−a) + (−a) + (−a), (−a) + (−a), (−a), 0, a, a + a, a + a + a, . . .

(where (−a) + (−a) + (−a) = 3 · (−a), etc.)
. Here: ⟨2⟩ = {2k | k ∈ Z} = 2Z.


p.282 – Example: Additive group modulo N

• Let N be a positive natural number.
• Z_N =̂ ⟨Z_N, +, 0⟩
. Group operation: canonical addition on Z modulo N.
. Cyclic: ⟨g⟩ = Z_N iff gcd(g, N) = 1.
. Ex: Compute ⟨4⟩ in Z_7.
. Ex: Compute ⟨4⟩ in Z_6.
. Ex: Compute ⟨(1, 1)⟩ in Z_4 × Z_6.
. Z_M × Z_N is cyclic iff gcd(M, N) = 1.
p.283 – Example: Multiplicative group modulo N

• Let N be a positive natural number.
• Z*_N =̂ ⟨{a ∈ Z_N | gcd(a, N) = 1}, ·, 1⟩
. Group operation: canonical multiplication on Z modulo N.
. Inverse: As gcd(a, N) = 1 there are x, y s.t. 1 = xa + yN.
. Theorem: (w/o proof)
Z*_N is cyclic iff N ∈ {2, 4, p^r, 2p^r} for p > 2 prime and r > 0.
. Ex: Compute ⟨4⟩ and ⟨5⟩ in Z*_7.
. Ex: Compute ⟨5⟩ in Z*_6.
. Ex: Compute ⟨3⟩ in Z*_8.
p.284 – Example: Quadratic residues modulo N

• Let N be a positive natural number.
• QR_N =̂ ⟨{x^2 mod N | x ∈ Z*_N}, ·, 1⟩
. Subgroup of Z*_N.
. In general not cyclic. Cyclic if Z*_N is cyclic.
. Ex: Compute ⟨4⟩ in QR_7.
. Ex: Compute QR_6, QR_8, QR_85.
p.285 – Finite commutative groups
• We are only interested in finite commutative groups in this lecture.

• For these, many things can be shown more easily than in the general
setting.
• Let G be finite and commutative.

. Obviously, the map f_a : G → G : x ↦ ax is bijective for any a ∈ G.
. Hence: G = {f_a(x) | x ∈ G} and

c := ∏_{x∈G} x = ∏_{x∈G} f_a(x).

. Lemma: Let G be a finite commutative group with M := |G|.
Then a^M = 1 for all a ∈ G.
. Proof: Ex
(Where do you need to use the commutativity? Where that G is
finite?)
p.286 – Finite commutative groups
• Lemma: Let
• G be a finite commutative group and
• λ any positive natural number s.t. ∀a ∈ G : a^λ = 1.
Then:
1 a^{λ−1} = a^{−1}.
2 ⟨a⟩ = {a, a^2, . . . , a^λ}.
3 a^k = a^{k mod λ} and ord(a) | λ.
4 If e ∈ Z*_λ, then g_e(x) := x^e is a permutation on G.
5 If λ ≥ |G| is prime, then G is cyclic.
• As seen on the last slide: ∀a ∈ G : a^{|G|} = 1 if G is finite and
commutative.
. This already holds if G is only finite by virtue of Lagrange’s theorem.
. Ex: Which of the above results also hold when G is noncommutative?
p.287 – Finite commutative groups
• Ex: Compute 7^1023 and 7^{−1} in Z*_11.
• Definition:
The exponent λ_G of a group G is
the smallest positive integer λ s.t. ∀a ∈ G : a^λ = 1.
In particular for G = Z*_N:
λ(N) := λ_{Z*_N} is called the Carmichael function.
• Lemma: Let G be finite and commutative.
Then g_e(x) := x^e is a permutation on G iff gcd(e, λ_G) = 1.
. Ex: Compute the exponent of (1) Z_6, (2) Z*_8, (3) Z_10 × Z_6.
• Lemma: If G = ⟨g⟩ is cyclic, then every subgroup is cyclic, too.
. Corollary: If H ≤ ⟨a⟩ ≤ G, then H is cyclic.
p.288 – Finding generators of cyclic groups
• Often we know that a group is cyclic, e.g. as its order is a prime.
. But we still need to find some generator.
. Use rejection sampling:
• Choose a group element a ∈u G uniformly at random.
. For G = Z*_N, you can also use rejection sampling here:
Choose a ∈u Z_N and reject it if gcd(a, N) > 1.
• Test if a is a generator.
. This works quite well if
(1) we hit a generator with high prob. (enough generators) and
(2) we can efficiently test if a is a generator.
. First: How to test if a is a generator.
. Then: How many generators does a cyclic group have?
p.289 – Generator test

• Lemma: Let G be a finite group of order M.
Then: ⟨a⟩ = G iff a^{M/p} ≠ 1 for every prime p | M.
• Proof:
. (⇒) Assume ⟨a⟩ = G. Then ord(a) = M = min{k > 0 | a^k = 1}.
. (⇐) Assume ⟨a⟩ ≠ G, i.e. ord(a) < M.
. As ord(a) | M, there is an m > 1 s.t. M = m · ord(a).
. Choose any p | m s.t. m = m'p. Then: a^{M/p} = a^{m'·ord(a)} = 1.
• Remark: There are at most log_2 M distinct primes p with p | M.
• Remark: When the prime factors of M are unknown, no efficient
generator test is known.
. Corollary: ⟨a⟩ = Z_N iff gcd(a, N) = 1.
p.290 – Number of generators: Euler’s ϕ-function
• First question: How many generators does Z_N have?
. As just seen: ⟨a⟩ = Z_N iff gcd(a, N) = 1.
. So Z*_N is exactly the set of all generators of Z_N (!).
. Euler’s ϕ-function: ϕ(N) := |Z*_N|.
• Lemma:
ϕ(p^r) = p^{r−1}(p − 1) for any prime p and r > 0.
ϕ(MN) = ϕ(M) · ϕ(N) if gcd(M, N) = 1.
• Proof:
. First claim: gcd(a, p^r) > 1 iff a = p · s with s ∈ Z_{p^{r−1}}.
. Second claim follows from the Chinese remainder theorem (later).
• Ex: Compute ϕ(57).
• Ex: How many generators does Z_100 have?
p.291 – Number of generators: Euler’s ϕ-function

• Ex: Let N = pq for p ≠ q distinct odd primes.
Show: Given N and ϕ(N), we can compute p, q efficiently.
That is: if factoring N is hard, then so is computing ϕ(N).
. So, in general computing ϕ(N) is infeasible for large N if we do not
know a factorization of N.
p.292 – Number of generators
• Second question: How many generators does a finite cyclic group
⟨g⟩ = G have?
. Let M = |G|. Then G is isomorphic to Z_M by means of
h : Z_M → G : k ↦ g^k.
• Remark: Isomorphic groups G_1 ≅ G_2 are “the same” w.r.t. the group
properties.
From a computational point of view, computing in G_1 (e.g. Z_M) can
still be much easier than in G_2.
See the discrete logarithm problem later.
. So:
Lemma: A cyclic group G has exactly ϕ(|G|) many generators.
• Ex: How many generators does Z*_85 have?
• Ex: Is 7 a generator of Z*_54? What is the prob. that a ∈u Z*_54 is a
generator?
p.293 – Number of generators

• Note: Let p be prime.
Then Z*_p has ϕ(ϕ(p)) many generators.
While computing ϕ(p) = p − 1 is trivial,
computing ϕ(ϕ(p)) = ϕ(p − 1) requires a factorization of p − 1.
One possible solution: Use safe primes.
• Definition: A prime p > 5 is safe iff p = 2q + 1 for q prime.
(q is called a Sophie Germain prime.)
. Ex: For p a safe prime, Pr_{a ∈u Z*_p}[ord(a) = p − 1] = 1/2 − 1/(2q).
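An added example, my own code and not from the lecture notes, that puts the generator test of p.289, the rejection sampling of p.288 and the generator count ϕ(|G|) of p.292 together for G = Z*_N, and checks the safe-prime probability of p.293. Function names are my own; factoring is by trial division, so it only works for the small moduli of the exercises.

```python
# Added example (not from the lecture notes): generator test, rejection
# sampling and generator counting for Z_N^*. Function names are my own.
from fractions import Fraction
from math import gcd
import random


def prime_factorization(n):
    """Return {p: e} with n = prod p^e, by trial division (small n only;
    for cryptographic sizes this is exactly the hard problem of the slides)."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def euler_phi(n):
    """phi(n) = prod p^(e-1) (p - 1), as in the corollary of the CRT (p.297)."""
    result = 1
    for p, e in prime_factorization(n).items():
        result *= p ** (e - 1) * (p - 1)
    return result


def is_generator(a, n):
    """<a> = Z_n^*  iff  a^(M/p) != 1 (mod n) for every prime p | M,
    where M = |Z_n^*| = phi(n) (lemma on p.289).
    If Z_n^* is not cyclic, no a passes the test."""
    if gcd(a, n) != 1:
        return False
    m = euler_phi(n)
    return all(pow(a, m // p, n) != 1 for p in prime_factorization(m))


def find_generator(n, rng=None, max_tries=10_000):
    """Rejection sampling of p.288: draw a uniformly from Z_n, reject it if
    gcd(a, n) > 1 or it fails the generator test. None if nothing was found."""
    if rng is None:
        rng = random.Random(2012)      # fixed seed: reproducible demo run
    for _ in range(max_tries):
        a = rng.randrange(n)
        if gcd(a, n) == 1 and is_generator(a, n):
            return a
    return None


def count_generators(n):
    """Brute force over Z_n^*; equals phi(phi(n)) iff Z_n^* is cyclic, else 0."""
    return sum(1 for a in range(1, n) if is_generator(a, n))


def generator_probability(p):
    """Pr[ord(a) = p - 1] for a uniform in Z_p^*, p prime, as an exact fraction.
    For a safe prime p = 2q + 1 this is 1/2 - 1/(2q) (exercise on p.293)."""
    return Fraction(count_generators(p), p - 1)


if __name__ == "__main__":
    print(find_generator(11), count_generators(11), euler_phi(euler_phi(11)))
    print(count_generators(8))          # 0: Z_8^* is not cyclic
    q = 11
    p = 2 * q + 1                       # 23 is a safe prime
    print(generator_probability(p), Fraction(1, 2) - Fraction(1, 2 * q))
```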
p.294 – Homomorphisms and isomorphism

• Definition: Let G_1, G_2 be two groups.
A homomorphism is a map h : G_1 → G_2 which respects the group
operations: h(ab) = h(a)h(b).
An isomorphism is a bijective homomorphism.
G_1, G_2 are called isomorphic (short: G_1 ≅ G_2) if there is an
isomorphism between the two.
• Lemma: If h is an isomorphism, so is h^{−1}.
. Proof: h^{−1}(h(a)h(b)) = h^{−1}(h(ab)) = ab = h^{−1}(h(a))h^{−1}(h(b)).
• Example: For every cyclic group G = ⟨g⟩, exponentiation is a
homomorphism from Z to G: h : Z → G : z ↦ g^z.
p.295 – Chinese remainder theorem

• Theorem: Let M, N be coprime, i.e. gcd(M, N) = 1.
Then (i) Z_{MN} ≅ Z_M × Z_N and (ii) Z*_{MN} ≅ Z*_M × Z*_N
by means of h : Z_{MN} → Z_M × Z_N : a ↦ (a mod M, a mod N).
For α, β ∈ Z s.t. 1 = αM + βN:
h^{−1}(u, v) = (uβN + vαM) mod MN.
• Remark: α, β can be computed using the extended Euclidean
algorithm.
• CRT short for “Chinese remainder theorem”.
p.296 – Chinese remainder theorem
. Proof:
. Ex: $h$ is a homomorphism w.r.t. both addition and multiplication.
. $h$ is injective:
$h(a) = h(b)$ iff $M \mid (a - b) \wedge N \mid (a - b)$ iff* $MN \mid (a - b)$
(* as $\gcd(M, N) = 1$).
. Using Euclid, we find $\alpha, \beta \in \mathbb{Z}$ s.t. $1 = \gcd(M, N) = \alpha M + \beta N$.
Note: $\alpha M \equiv_M 0$ but $\alpha M \equiv_N 1$. Similarly for $\beta N$.
Hence: $h(h^{-1}(u, v)) = (u, v)$ for all $(u, v) \in \mathbb{Z}_M \times \mathbb{Z}_N$.
. Assume $h(a) \notin \mathbb{Z}^*_M \times \mathbb{Z}^*_N$ for some $a \in \mathbb{Z}^*_{MN}$.
Wlog. $(a \bmod M) \notin \mathbb{Z}^*_M$, i.e.
$1 < d = \gcd(a \bmod M, M) = \gcd(a, M)$.
But then also $1 < d \leq \gcd(a, MN)$, i.e. $a \notin \mathbb{Z}^*_{MN}$.
p.297 – Chinese remainder theorem: Applications
• Corollary:
Let $N = \prod_{i=1}^r p_i^{e_i}$ be a prime factorization of $N$.
Then: $\mathbb{Z}^*_N \cong \mathbb{Z}^*_{p_1^{e_1}} \times \mathbb{Z}^*_{p_2^{e_2}} \times \ldots \times \mathbb{Z}^*_{p_r^{e_r}}$.
Thus $\varphi(N) = \prod_{i=1}^r \varphi(p_i^{e_i}) = \prod_{i=1}^r p_i^{e_i - 1}(p_i - 1)$.
• Remark: The CRT allows us to compute within $\mathbb{Z}_M \times \mathbb{Z}_N$ instead of
$\mathbb{Z}_{MN}$, i.e. we may compute with smaller numbers.
This can be used to speed up the decryption of RSA-based PKES
(later).
. Ex: Let $p = 13$, $q = 19$ and $N = pq = 247$. Compute $197^{200}$ in $\mathbb{Z}^*_N$
using the CRT.
p.298 – Chinese remainder theorem: Applications
• Reminder:
$\lambda_G$ is the least positive integer $\lambda$ s.t. $\forall a \in G : a^\lambda = 1$.
For $G = \mathbb{Z}^*_N$: $\lambda(N) := \lambda_{\mathbb{Z}^*_N}$ (Carmichael function).
. By the CRT: If $N = \prod_{i=1}^r p_i^{e_i}$ (prime factorization),
then $\mathbb{Z}^*_N \cong \mathbb{Z}^*_{p_1^{e_1}} \times \mathbb{Z}^*_{p_2^{e_2}} \times \ldots \times \mathbb{Z}^*_{p_r^{e_r}}$.
Hence: $\lambda(N) = \mathrm{lcm}(\lambda(p_1^{e_1}), \ldots, \lambda(p_r^{e_r}))$.
. Recall: $\mathbb{Z}^*_N$ is cyclic iff $N \in \{2, 4, p^r, 2p^r\}$ ($p > 2$ prime, $r > 0$).
Hence: $\lambda(p^r) = \varphi(p^r)$ if $p$ is an odd prime.
. What about $\mathbb{Z}^*_{2^k}$?
One can show: $\mathbb{Z}^*_{2^k} \cong \mathbb{Z}_2 \times \mathbb{Z}_{2^{k-2}}$ for $k > 2$.
. Hence: $\lambda(2) = 1$, $\lambda(4) = 2$, $\lambda(2^k) = 2^{k-2}$ for $k > 2$.
. 2 is the "oddest" prime.
p.299 – Quadratic residues modulo N
• Recall: $\mathrm{QR}_N := \{x^2 \bmod N \mid x \in \mathbb{Z}^*_N\}$ is the set of quadratic
residues modulo $N$.
$\mathrm{QR}_p$ will be important later for the El Gamal PKES.
• Lemma: $\mathrm{QR}_N \leq \mathbb{Z}^*_N$ (subgroup).
. Proof: $1 \in \mathrm{QR}_N$ and it is closed under multiplication.
• Corollary: $\mathrm{QR}_p$ is cyclic for any prime $p$.
• Remark: Let $N = \prod_{i=1}^r p_i^{e_i}$ be a prime factorization of $N$. From the
CRT it follows:
$x^2 \equiv y \pmod N$ iff $\forall i \in [r] : x^2 \equiv y \pmod{p_i^{e_i}}$.
That is: $\mathrm{QR}_N \cong \mathrm{QR}_{p_1^{e_1}} \times \ldots \times \mathrm{QR}_{p_r^{e_r}}$.
. Ex: Modulo a composite $N = pq$ (both prime), every $y \in \mathrm{QR}_N$ has
at least four square roots. Hence: $|\mathrm{QR}_N| \leq \varphi(N)/4$.
p.300 – Quadratic residues modulo N
• Lemma: Let $p > 2$ be prime.
Then every $y \in \mathrm{QR}_p$ has exactly two square roots modulo $p$.
. Proof:
Let $u^2 \equiv v^2$, i.e. $u^2 - v^2 = (u - v)(u + v) \equiv 0 \pmod p$.
Either: $p \mid (u - v)$, i.e. $u \equiv v \pmod p$,
or: $p \mid (u + v)$, i.e. $u \equiv -v \pmod p$.
. Corollary: $x^{\frac{p-1}{2}} \equiv \pm 1 \pmod p$ for $p$ prime, and $|\mathrm{QR}_p| = (p - 1)/2$.
• Remark: Let $p$ be prime with $p \equiv 3 \pmod 4$ (e.g. a safe prime).
Then: $(x^2)^{\frac{p+1}{4}} \equiv x^{\frac{p+1}{2}} \equiv x^{\frac{p-1}{2}} \cdot x \equiv \pm x \pmod p$.
Computing a square root of $x^2$ in the case $p \equiv 1 \pmod 4$ is more
difficult, see e.g. here.
p.301 – Quadratic residues modulo N
. Definition: Let $p > 2$ be prime.
$\left(\frac{x}{p}\right) := x^{\frac{p-1}{2}} \bmod p$ is the Legendre symbol modulo $p$.
. Lemma: Let $p > 2$ be prime, and $y \in \mathbb{Z}^*_p$. Then:
$\left(\frac{y}{p}\right) = -1$ iff $y \in \mathbb{Z}^*_p \setminus \mathrm{QR}_p$, and $\left(\frac{y}{p}\right) = 1$ iff $y \in \mathrm{QR}_p$.
. Proof: Let $\langle g \rangle = \mathbb{Z}^*_p$. Then:
$g^{\frac{p-1}{2}} \equiv -1 \pmod p$ as $(g^{\frac{p-1}{2}})^2 \equiv 1 \pmod p$ and $\langle g \rangle = \mathbb{Z}^*_p$.
Let $y \equiv g^k \pmod p$ for some $k \in \mathbb{Z}_{p-1}$.
• If $k = 2j$, then $y^{\frac{p-1}{2}} \equiv (g^{p-1})^j \equiv 1 \pmod p$.
• If $k = 2j + 1$, then $y^{\frac{p-1}{2}} \equiv g^{\frac{p-1}{2}} \equiv -1 \pmod p$.
Hence, if $y^{\frac{p-1}{2}} \equiv 1 \pmod p$, then $y \equiv g^{2j} \equiv (g^j)^2 \pmod p$, i.e.
$y \in \mathrm{QR}_p$. Clearly, if $y \in \mathrm{QR}_p$, then $y^{\frac{p-1}{2}} \equiv 1 \pmod p$.
p.302 – Quadratic residues modulo N
• Ex: Let $p = 2q + 1$ be a safe prime and $a \in G$.
Then $\langle a^2 \rangle = \mathrm{QR}_p$ if $a^2 \not\equiv 1 \pmod p$, i.e.
$\Pr_{a \overset{u}{\in} \mathbb{Z}^*_p}\left[\langle a^2 \rangle = \mathrm{QR}_p\right] = 1 - \frac{1}{q}$.
• Ex: Compute all solutions of $X^2 \equiv 118 \pmod{221}$.
• Ex: Is 6 a quadratic residue modulo 47? If so, compute its square
roots.
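An added worked example in Python (not part of the slides) covering the CRT map $h$ and $h^{-1}$ of p.295, the exercise $197^{200}$ in $\mathbb{Z}^*_{247}$ of p.297, the Legendre symbol and the square-root formula for $p \equiv 3 \pmod 4$ of p.300/301, and the two square-root exercises above. The exhaustive search used for $p \equiv 1 \pmod 4$ is my own toy fallback, not a method from the slides.

```python
def ext_gcd(a: int, b: int):
    """Extended Euclid: return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    s0, t0, s1, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def crt_h(a: int, M: int, N: int):
    """h : Z_MN -> Z_M x Z_N, a -> (a mod M, a mod N)  (slide p.295)."""
    return a % M, a % N


def crt_h_inv(u: int, v: int, M: int, N: int) -> int:
    """h^{-1}(u, v) = (u*beta*N + v*alpha*M) mod MN with 1 = alpha*M + beta*N."""
    g, alpha, beta = ext_gcd(M, N)
    assert g == 1, "M and N must be coprime"
    return (u * beta * N + v * alpha * M) % (M * N)


def pow_mod_crt(x: int, k: int, p: int, q: int) -> int:
    """x^k mod pq for distinct primes p, q, computed in Z_p x Z_q and recombined.
    Inside Z_p^* the exponent may be reduced mod p-1 (Fermat), likewise mod q-1."""
    u, v = crt_h(x, p, q)
    u = pow(u, k % (p - 1), p) if u else 0
    v = pow(v, k % (q - 1), q) if v else 0
    return crt_h_inv(u, v, p, q)


def legendre(x: int, p: int) -> int:
    """Legendre symbol (x/p) = x^((p-1)/2) mod p as 1, -1 or 0 (p an odd prime)."""
    r = pow(x, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def sqrt_mod_prime(y: int, p: int):
    """Both square roots of y modulo an odd prime p, or None if y is a non-residue.
    p = 3 (mod 4): root = y^((p+1)/4) as on slide p.300.
    p = 1 (mod 4): the slides only note this is harder; toy fallback = exhaustive search."""
    if legendre(y, p) != 1:
        return None
    if p % 4 == 3:
        r = pow(y, (p + 1) // 4, p)
    else:
        r = next(z for z in range(1, p) if z * z % p == y % p)
    return sorted({r, p - r})


def sqrt_mod_pq(y: int, p: int, q: int):
    """All square roots of y modulo N = pq: every pair (root mod p, root mod q)
    is recombined with h^{-1}, giving 2 * 2 = 4 roots (slide p.299)."""
    rp, rq = sqrt_mod_prime(y, p), sqrt_mod_prime(y, q)
    if rp is None or rq is None:
        return []
    return sorted(crt_h_inv(a, b, p, q) for a in rp for b in rq)


if __name__ == "__main__":
    print("197^200 mod 247 via CRT:", pow_mod_crt(197, 200, 13, 19))   # 87
    print("roots of 118 mod 221:", sqrt_mod_pq(118, 13, 17))             # [38, 64, 157, 183]
    print("(6/47) =", legendre(6, 47), " roots:", sqrt_mod_prime(6, 47))  # 1, [10, 37]
```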
p.303 – Prime number theorem
• Theorem (w/o proof, see e.g. here):
Let $\pi(x) = |\{p \leq x \mid p \text{ is prime}\}|$.
Then: $\lim_{x \to \infty} \frac{\pi(x)}{x / \ln x} = 1$.
• Lemma (w/o proof, see e.g. here):
For $x \geq 355991$: $\frac{x}{\ln x}\left(1 + \frac{1}{\ln x}\right) < \pi(x) < \frac{x}{\ln x}\left(1 + \frac{1}{\ln x} + \frac{2.51}{(\ln x)^2}\right)$.
• Ex: Use the above lemma to show that there are at least $0.6 \cdot \frac{2^n}{n}$ primes in
$[2^{n-1}, 2^n - 1]$ ("$n$-bit primes") if $n \geq 20$.
• Heuristic estimate on the number of Sophie-Germain primes
(Hardy, Littlewood):
Let $\pi_s(x) = |\{p \leq x \mid p \text{ is a Sophie-Germain prime}\}|$.
Then: $\pi_s(x) \approx 1.32 \frac{x}{(\ln x)^2}$.
p.304 – Generating random primes
• Remark: Let $n \geq 20$.
By the preceding corollary: a random odd number in $[2^{n-1}, 2^n - 1]$ is
a prime with prob. at least $\frac{0.6 \cdot 2^n / n}{2^{n-2}} = 2.4 \cdot n^{-1}$.
As Primes is in P we can again use rejection sampling:
• Choose $x \overset{u}{\in} \{0, 1\}^{n-2}$.
• Read $1\|x\|1$ as an odd integer $a$ in $[2^{n-1}, 2^n - 1]$.
• If $a$ is not a prime, go back to step 1; else return $a$.
Prob. that within $r$ rounds we haven't found a prime:
$\leq (1 - 2.4 \cdot n^{-1})^r = \left(1 - \frac{1}{n/2.4}\right)^r \leq e^{-\frac{r}{n/2.4}}$.
Choose e.g. $r = n^2$, then this prob. is negligible in $n$.
Ex: If the estimate on the number of Sophie-Germain primes is
asympt. correct, we can also generate safe primes in this way (for
$r \approx n^3$).
p.305 – Miller-Rabin primality test
• While the AKS primality test runs in DPT, in practice the
probabilistic Miller-Rabin test is still used more often as it is faster, and
its prob. of giving a false answer is negligible.
. It is based on the following results:
(i) $a^M = 1$ for all $a \in G$ if $G$ is of finite order $M$.
(ii) $\mathbb{Z}^*_N$ is a finite group of order $\varphi(N)$.
(iii) $\varphi(N) = N - 1$ iff $N$ is prime.
(iv) For $p > 2$ prime: $x^2 \equiv 1 \pmod p$ iff $x \equiv \pm 1 \pmod p$.
• Lemma: Let $p > 2$ be prime with $p - 1 = 2^t d$ with $d$ odd and $t > 0$.
For every $a \in \mathbb{Z}^*_p$:
$a^d \equiv \pm 1 \pmod p$ or $a^{2^j d} \equiv -1 \pmod p$ for some $0 < j < t$.
p.306 – Miller-Rabin primality test
• Proof:
Consider a prime $p > 2$ and let $p - 1 = 2^t d$ with $d$ odd and $t > 0$.
Then $a^{p-1} = (a^{2^{t-1} d})^2 \equiv 1 \pmod p$.
Hence: $a^{2^{t-1} d} \equiv \pm 1 \pmod p$.
If $a^{2^{t-1} d} \equiv 1 \pmod p$ and $t > 1$, then $a^{2^{t-2} d} \equiv \pm 1 \pmod p$.
And so on.
• The Miller-Rabin test uses the preceding lemma to detect composites $N$:
Output "composite" if $a^d \not\equiv \pm 1 \pmod N$ and $a^{2^j d} \not\equiv -1 \pmod N$
for all $0 < j < t$.
• As $\pm 1$ are the only square roots of 1 modulo a prime $p > 2$,
we can also output "composite" if $a^{2^j d} \not\equiv \pm 1 \pmod N$ but
$a^{2^{j+1} d} \equiv 1 \pmod N$.
p.307 – Miller-Rabin primality test
• Definition: Input: odd integer $N > 2$ and number of rounds $r > 0$
Compute $t \geq 1$ such that $d := \frac{N - 1}{2^t}$ is odd;
(*) for $i = 1 \ldots r$:
choose $a \overset{u}{\in} \{2, \ldots, N - 2\}$;
if $\gcd(a, N) \neq 1$, return "composite";
if $a^d \equiv \pm 1 \pmod N$, goto (*);
for $j = 1 \ldots t - 1$:
if $a^{2^j d} \equiv 1 \pmod N$, return "composite";
if $a^{2^j d} \equiv -1 \pmod N$, goto (*);
return "composite";
return "probably prime";
p.308 – Miller-Rabin primality test
• By the previous lemma, every prime $p > 2$ passes the test.
• Assume $N$ is an odd composite, i.e. $N \geq 9$.
Then $N$ passes one round of the test if by chance
$a \in \mathrm{Bad} := \{a \in \mathbb{Z}^*_N \mid a^d \equiv_N \pm 1 \;\vee\; \exists\, 0 < j < t : a^{2^j d} \equiv_N -1\}$.
• Lemma (see e.g. here): $|\mathrm{Bad}| \leq \frac{1}{4}\varphi(N)$.
. Corollary: An odd composite passes $r$ rounds of the Miller-Rabin test
with prob. at most $4^{-r}$.
• Remark: The running time is dominated by the computation of
$a^{2^j d} \bmod N$ for $0 \leq j < t$.
Using repeated squaring, the inner loop can be implemented to run in
time $O((\log_2 N)^3)$.
Hence, the total running time is $O(r (\log_2 N)^3)$.
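An added Python example (not from the slides) of the test defined on p.307 together with the rejection sampling of p.304 for random $n$-bit primes and, as in the exercise there, safe primes. The round counts $r = n^2$ resp. $n^3$ follow the slides; the number of Miller-Rabin rounds per candidate (40) is my own choice.

```python
import random
from math import gcd


def decompose(m: int):
    """Write m = 2^t * d with d odd and return (t, d)."""
    t = 0
    while m % 2 == 0:
        m //= 2
        t += 1
    return t, m


def miller_rabin(N: int, r: int = 40, rng=random) -> bool:
    """The r-round test of slide p.307 for an odd N > 2.
    Returns True for "probably prime" and False for "composite"."""
    assert N > 2 and N % 2 == 1
    t, d = decompose(N - 1)                 # N - 1 = 2^t * d
    for _ in range(r):                      # (*) for i = 1 ... r
        a = rng.randrange(2, N - 1)         # a uniform in {2, ..., N-2}
        if gcd(a, N) != 1:
            return False                    # a shares a factor with N
        x = pow(a, d, N)                    # a^d mod N by repeated squaring
        if x in (1, N - 1):
            continue                        # a^d = +-1: this round passes
        for j in range(1, t):               # j = 1 ... t-1, x = a^(2^j d) mod N
            x = x * x % N
            if x == 1:
                return False                # a square root of 1 other than +-1
            if x == N - 1:
                break                       # a^(2^j d) = -1: this round passes
        else:
            return False                    # never reached -1: N is composite
    return True


def is_probable_prime(N: int, r: int = 40, rng=random) -> bool:
    """Wrapper handling the small cases excluded by the test's input condition."""
    if N < 2:
        return False
    if N in (2, 3):
        return True
    if N % 2 == 0:
        return False
    return miller_rabin(N, r, rng)


def gen_prime(n: int, rng=random) -> int:
    """Rejection sampling of slide p.304: read 1||x||1 with x uniform in {0,1}^(n-2)
    as an odd n-bit integer and retry (r = n^2 rounds) until the test accepts."""
    assert n >= 3
    for _ in range(n * n):
        x = rng.getrandbits(n - 2)
        a = (1 << (n - 1)) | (x << 1) | 1
        if is_probable_prime(a, rng=rng):
            return a
    raise RuntimeError("no prime found within n^2 rounds (negligible probability)")


def gen_safe_prime(n: int, rng=random) -> int:
    """Same idea for an n-bit safe prime p = 2q + 1 (exercise on slide p.304):
    sample an odd (n-1)-bit q and accept when q and 2q + 1 both pass; r ~ n^3 rounds."""
    assert n >= 4
    for _ in range(n ** 3):
        x = rng.getrandbits(n - 3)
        q = (1 << (n - 2)) | (x << 1) | 1   # odd (n-1)-bit Sophie-Germain candidate
        p = 2 * q + 1
        if is_probable_prime(q, rng=rng) and is_probable_prime(p, rng=rng):
            return p
    raise RuntimeError("no safe prime found within n^3 rounds")


if __name__ == "__main__":
    print("561 (Carmichael number):", is_probable_prime(561))   # False
    print("random 32-bit prime:", gen_prime(32))
    print("random 24-bit safe prime:", gen_safe_prime(24))
```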
One-way functions and pseudorandomness
p.310 – Story so far
• Solely based on the assumption that a PRG $G$ exists (and that we
have access to some randomness source), we have seen:
• Comp. secret ES exist with $|K_n| < |M_n|$: $G$-prOTP
• PRFs and PRPs exist: can be constructed from $G$.
• Secure MACs exist: $F$-MAC for $F$ a PRF.
• CPA-secure ES exist: $F$-rCTR for $F$ a PRF.
• CCA-secure ES exist: enc-then-mac using a CPA-secure ES and a
secure MAC.
. I.e. the existence of PRGs
• resp. the intuition underlying the definition of PRGs
suffices to achieve the main goals of private-key cryptography:
message privacy and message origin authentication.
• What remains is to argue that our notion of PRG is the "right" one.
p.311 – Things to come
• Outline:
• Step 1: One-way functions and permutations (OWF/OWP)
• Problems for which (i) we only know nondeterministic polynomial-time
algorithms, and (ii) most instances are hard to solve.
• E.g.: integer factorization (OWF) or discrete logarithm (OWP)
• Step 2: OWF have to exist for secure private-key communication
• "Given a message $m$ and a valid MAC tag $t \overset{r}{:=} \mathrm{Mac}_k(m)$, it must be
difficult to compute $k$ from $m\|t$ except for a negl. fraction of cases for
a MAC to be secure."
• Step 3: From every OWF, we can build a PRG
• Main idea: (i) the seed for the PRG is a randomly generated problem
instance of the OWF; (ii) the PRG construction forces the adversary to find
an efficient algorithm for the OWF.
• Easier result: From every OWP, we can build a PRG.
Includes: Blum-Micali PRG based on the discrete logarithm.
p.312 – One-way function and permutation (collections)
• Definition: A PPT-function collection $F = (\mathrm{Gen}, f)$ consists of
Algorithm | Type | Input                              | Output
Gen       | PPT  | $1^n$                              | $I \overset{r}{\in} I_n$ with $|I| \geq n$
f         | DPT  | $I \in I_n$, $x \in \mathrm{Dom}_I$ | $y \in \mathrm{Rng}_I$
where
Gen generates function parameters $I \in I_n$.
Every parameter $I$ defines a domain $\mathrm{Dom}_I$ and range $\mathrm{Rng}_I$, and the
function $f_I : \mathrm{Dom}_I \to \mathrm{Rng}_I : x \mapsto f_I(x) := f(I, x)$.
$F$ is a permutation collection if $f_I$ is a permutation on $\mathrm{Dom}_I = \mathrm{Rng}_I$
for every $I \in I_n$.
p.313 – One-way functions and permutations
• Definition: A one-way function/permutation (collection)
(OWF/OWP) $F = (\mathrm{Gen}, f, \mathrm{Smpl})$ is a function/permutation
collection $(\mathrm{Gen}, f)$ plus a sampling algorithm
Algorithm | Type | Input       | Output
Smpl      | PPT  | $I \in I_n$ | some $x \overset{r}{\in} \mathrm{Dom}_I$, except for negl. prob.
such that for any PPT-adversary $\Pr\left[\mathrm{Win}^{\mathrm{OWF}}_{n,F}(A)\right]$ is negl. in $n$:
1 Alice&Bob generate $I \overset{r}{:=} \mathrm{Gen}(1^n)$,
choose $x \overset{r}{:=} \mathrm{Smpl}(I)$, compute $y := f_I(x)$, and
pass $(I, y)$ to Eve.
2 Eve runs $A(I, y)$ to obtain $x'$.
. Let $\mathrm{Win}^{\mathrm{OWF}}_{n,F}(A)$ be the event that $f_I(x') = y$.
Short: $\Pr_{I \overset{r}{:=} \mathrm{Gen}(1^n),\, x \overset{r}{:=} \mathrm{Smpl}(I)}\left[A(I, f_I(x)) \in f_I^{-1}(f_I(x))\right]$ is negl. in $n$.
• Theorem: If a OWF exists, then P $\neq$ NP.
p.314 – Integer factorization
• Notation:
$N$ positive integer ($N \in \mathbb{N}$), usually $N > 1$.
$N$ is an $n$-bit integer if $2^{n-1} \leq N < 2^n$.
$d \mid N$ short for "$d$ divides $N$".
$d$ is a nontrivial factor of $N$ if $d \mid N$ and $d \notin \{1, N\}$.
• Problem: Integer factorization
Given a positive integer $N$, find any nontrivial factor $d$ of $N$ – if there
is one.
• Example: On input $N = 12345678910111213$, find 113.
• Ex: Let $A$ be an algorithm which finds a nontrivial factor of a given
$N$ if there is one, and denote by $T_A$ its running time.
Show how to compute the complete prime factorization of an $n$-bit
integer $N$ in time $n \cdot T_A(n)$.
p.315 – Integer factorization
• Best algorithms known (aka. published) today:
. Classical computers:
The general number field sieve factorizes $N$ in time $O\!\left(e^{(\frac{64}{9} n)^{1/3} (\log n)^{2/3}}\right)$.
For $n = 1024$, this is roughly $c \cdot 2^{89}$ in the worst case for some
constant $c$.
. Quantum computers:
Shor's algorithm runs in time $O(n^3)$ and requires $O(n)$ qubits.
Currently, the largest "announced" quantum computer has 128 qubits
(see here).
. See here for a list of "factorization records".
p.316 – Integer factorization
• How difficult is it to find a factor?
. For most $N$, it's trivial: assume we choose $N \overset{u}{\in} [0, 2^n - 1]$, then $N$ is
even with prob. 1/2.
. Ex: For $d < 2^n$, give a lower bound on the prob. that $d \mid N$ when
$N \overset{u}{\in} [0, 2^n - 1]$.
• Recall: We want to use a randomly generated problem instance as key
in a cryptographic scheme.
• What we really want: those $n$-bit integers which make the general
number field sieve (almost) always run in super-poly. time.
• "almost always": except for a negl. fraction of instances.
• Current approach: for given security parameter $n$, choose $N$ as the
product of two (distinct) random $n/2$-bit primes so that $N \approx 2^n$.
p.317 – Integer factorization
• Definition: Let
Gen: on input $1^n$, output parameters $I$ where $\mathrm{Dom}_I \subseteq \mathbb{N}^k$ for some
fixed $k$, and $\mathrm{Rng}_I = \mathbb{N}$.
Smpl: on input $I$, output $(x_1, x_2, \ldots, x_k) \overset{u}{\in} \mathrm{Dom}_I$ (except for negl.
prob.).
$f$: on input $I$ and $(x_1, \ldots, x_k)$, output $f_I(x_1, \ldots, x_k) := \prod_{i=1}^k x_i$.
Factorization is hard w.r.t. Gen if the above is a OWF.
• The parameters $I$ tell Smpl how to sample; for instance, $I$ might
include the code for a primality test.
• Note that inverting $f_I$ means to find $(x_1, \ldots, x_k)$ within the domain
$\mathrm{Dom}_I$, not within $\mathbb{N}^k$.
• Conjecture: Let Gen, on input $1^n$, define $\mathrm{Dom}_I$ to be the set of
unordered pairs of distinct primes $(p, q)$ with $p, q \in [2^{n/2-1}, 2^{n/2} - 1]$.
Then factorization is hard w.r.t. this Gen.
p.318 – Integer factorization
. Recall: Using the prime number theorem, we can generate a random
prime $p \overset{u}{\in} [2^{n-1}, 2^n - 1]$ in PPT except for negl. prob. in $n$, by
choosing some random odd $x \overset{u}{\in} [2^{n-1}, 2^n - 1]$ and testing if $x$ is a
prime, until we have found one.
. Ex: Use the prime number theorem to estimate the prob. that $p = q$ if
we choose both uniformly at random and independently of each other.
p.319 – Integer factorization
• For several other problems (RSA, square roots modulo $N$), we also
need to generate pairs of distinct $n/2$-bit primes such that
factorization is hard.
For these problems it is more convenient to combine Gen and Smpl
into a single algorithm:
• Definition:
Let GenP2 denote a PPT-algorithm which, on input $1^n$, outputs a pair
$(p, q)$ of distinct ($p \neq q$) $n/2$-bit primes $p, q \in [2^{n/2-1}, 2^{n/2} - 1]$
(except for negl. prob. in $n$).
Factorization is hard w.r.t. GenP2 if $\Pr_{(p,q) \overset{r}{:=} \mathrm{Gen}(1^n)}\left[A(1^n, pq) = p\right]$ is
negligible in $n$ for any PPT-algorithm $A$.
• Remark: Factorization is hard w.r.t. GenP2 iff computing square
roots of quadratic residues modulo $N = pq$ is hard. (See the
appendix for details.)
p.320 – Discrete logarithm
• Problem: Discrete logarithm problem (DLP)
Given a description of a finite cyclic group $G$, a generator $\langle g \rangle = G$,
and a group element $y \in G$, find an $x \in \mathbb{Z}$ such that $g^x = y$ in $G$.
• Example: Let $(p, p - 1, g)$ be a description of $\langle g \rangle = \mathbb{Z}^*_p$ for $p$ prime.
Given $p = 1019$, $g = 7$, and $y = 65$,
find $x$ with $7^x \equiv 65 \pmod{1019}$.
p.321 – Discrete logarithm
• Best algorithms known today:
. Classical computers: Depends on $G$.
• If $G \leq \mathbb{Z}^*_p$ modulo a prime $p$: The general number field sieve can be
adapted; again super-polynomial, but subexponential running time in
$|G|$.
• If $G \leq \mathrm{GF}(2^n)$: The index calculus algorithm also takes super-polynomial,
but subexponential time in $|G|$.
• For a general cyclic group $G$: Several generic algorithms are known
(see here for a list), all of which run in exponential time $O(\sqrt{|G|})$ in
the worst case.
• Remark: A generic algorithm does not make use of the particular
representation of $G$ or the implementation of the group operation, and
essentially treats the group as a black box. Generic algorithms cannot
do better than $O(\sqrt{|G|})$ in the worst case [86].
. Quantum computers: Shor's algorithm can also be used.
• See here for a list of "DLP records".
p.322 – Discrete logarithm
• As in the case of integer factorization:
Want to use only groups for which the DLP is always hard.
• Computing the discrete logarithm is easy in $\mathbb{Z}_M \,\hat{=}\, \langle \mathbb{Z}_M, +, 0 \rangle$.
• As every cyclic group $G$ is isomorphic to $\langle \mathbb{Z}_{|G|}, +, 0 \rangle$, we want
"worst-case" representations of $\mathbb{Z}_M$ which make computing the
discrete logarithm hard.
• Let $M = |G|$, and assume $M = p^r N$ with $p$ prime and $\gcd(p, N) = 1$.
By the CRT: $\langle g \rangle = G \cong \mathbb{Z}_M \cong \mathbb{Z}_{p^r} \times \mathbb{Z}_N \cong \langle g^N \rangle \times \langle g^{p^r} \rangle$.
That is: we can remove small prime factors of $M$, and work in smaller
subgroups of $G$.
For this reason, we want to use primes $p$ such that $p - 1$ has a large
prime factor, like in the case of safe primes.
p.323 – Discrete logarithm
• Example: Let $p = 11$ with $|\mathbb{Z}^*_{11}| = \varphi(11) = 10 = 2 \cdot 5$.
Then $\mathbb{Z}^*_{11}$ is generated by 2:
• $2^{10/5} \equiv 2^2 \equiv 4 \not\equiv 1 \pmod{11}$
• $2^{10/2} \equiv 2^5 \equiv 32 \equiv -1 \not\equiv 1 \pmod{11}$
Assume we want to solve $2^x \equiv 7 \pmod{11}$.
Then also: $(2^x)^2 \equiv 7^2 \pmod{11}$ and $(2^x)^5 \equiv 7^5 \pmod{11}$.
Note that $2^2$ has order 5, while $2^5$ has order 2. So:
$4^x \equiv 4^{x \bmod 5} \equiv 5 \pmod{11} \;\wedge\; (-1)^x \equiv (-1)^{x \bmod 2} \equiv -1 \pmod{11}$.
This means: $x \equiv 2 \pmod 5$ and $x \equiv 1 \pmod 2$.
By the CRT: $\mathbb{Z}_{10} \cong \mathbb{Z}_2 \times \mathbb{Z}_5$ by means of $h(x) = (x \bmod 2, x \bmod 5)$.
As $1 = \gcd(2, 5) = -2 \cdot 2 + 1 \cdot 5$, we obtain:
$x = h^{-1}(1, 2) = (5 \cdot 1 - 4 \cdot 2) \bmod 10 = 7$.
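An added Python example (not from the slides) of the reduction just shown for general $p$: project $g$ and $y$ into the subgroups of prime-power order dividing $p - 1$, solve there with a generic $O(\sqrt{|G|})$ algorithm (baby-step giant-step, p.321), and recombine with the CRT. It solves both the $2^x \equiv 7 \pmod{11}$ example above and the $7^x \equiv 65 \pmod{1019}$ instance of p.320; trial-division factoring of $p - 1$ is a toy-size assumption of mine.

```python
from math import isqrt


def factor_trial(m: int) -> dict:
    """Prime factorization {p: e} of m by trial division (toy sizes only)."""
    fac, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            fac[p] = fac.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:
        fac[m] = fac.get(m, 0) + 1
    return fac


def bsgs(g: int, y: int, p: int, order: int) -> int:
    """Baby-step giant-step in Z_p^*: x in [0, order) with g^x = y mod p, where g has
    the given order. Generic (only multiplications mod p), O(sqrt(order)) time and memory."""
    m = isqrt(order) + 1
    baby, cur = {}, 1
    for j in range(m):                      # baby steps: store g^j -> j
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)                    # g^{-m} via modular inverse
    cur = y
    for i in range(m):                      # giant steps: y * g^{-im}
        if cur in baby:
            return (i * m + baby[cur]) % order
        cur = cur * step % p
    raise ValueError("y is not in <g>")


def crt_combine(residues, moduli) -> int:
    """x with x = r_i mod m_i for pairwise coprime m_i (inverses via pow(., -1, .))."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for r, m in zip(residues, moduli):
        Mi = M // m
        x += r * Mi * pow(Mi, -1, m)
    return x % M


def dlog_crt(g: int, y: int, p: int) -> int:
    """Solve g^x = y mod p for a generator g of Z_p^* as on slides p.322/323:
    for each q^e exactly dividing p - 1, raise g and y to the power (p-1)/q^e to land
    in the subgroup of order q^e, solve x mod q^e there, then recombine via the CRT."""
    M = p - 1
    residues, moduli = [], []
    for q, e in factor_trial(M).items():
        qe = q ** e
        g_i = pow(g, M // qe, p)            # generator of the order-q^e subgroup
        y_i = pow(y, M // qe, p)            # projection of y into that subgroup
        residues.append(bsgs(g_i, y_i, p, qe))
        moduli.append(qe)
    return crt_combine(residues, moduli)


if __name__ == "__main__":
    print("2^x = 7 mod 11:   x =", dlog_crt(2, 7, 11))        # 7
    x = dlog_crt(7, 65, 1019)
    print("7^x = 65 mod 1019: x =", x, " check:", pow(7, x, 1019) == 65)
```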
p.324 – Discrete logarithm
• Several currently conjectured worst-case representations, e.g.:
• $\mathbb{Z}^*_p$ for an $n$-bit (safe) prime $p$.
• $\mathrm{QR}_p$ for an $(n + 1)$-bit safe prime $p$.
Note: $\mathrm{QR}_p$ is of prime order $q$, i.e. we cannot use the CRT to move to
smaller groups.
• More generally: strong primes
A strong prime $p$ is of the form $p = kq + 1$ with $q$ an $n$-bit prime and $k$
"small" so that we can efficiently determine $k$ from $p - 1$.
Let $g$ generate $\mathbb{Z}^*_p$, and use $\langle g^k \rangle$ for $G$.
Ex: $\langle g^k \rangle$ is of prime order $q$, and a subgroup of $\mathrm{QR}_p$.
• Later: Cyclic subgroups of certain elliptic curves.
For certain curves, only generic, i.e. exponential-time, algorithms are
known. This allows us to resort to smaller groups which allow for more
efficient computation.
p.325 – Discrete logarithm
• Definition: Let
Gen: on input $1^n$, output $I = (G, M, g)$ where $G$ is (the description
of) a cyclic group of finite order $M$ with $G = \langle g \rangle$.
Smpl: on input $I = (G, M, g)$, output $x \overset{u}{\in} \mathbb{Z}_M$ (or $x \in \mathbb{Z}_M \setminus \{0\}$).
$f$: on input $I = (G, M, g)$ and $x \in \mathbb{Z}_M$, output $f_I(x) = g^x \in G$.
The discrete logarithm problem (DLP) is hard w.r.t. Gen if the above is a
OWF.
• Remark: Note that the adversary is given $I = (G, M, g)$. So, in order
for the DLP to be hard w.r.t. a given Gen, the description of $G$
should be succinct (e.g. of size $O(\log_2 M)$) in order to prevent an
adversary from simply testing $g^x \overset{?}{=} y$ for all $x \in \mathbb{Z}_M$. Still, the
description of $G$ should allow us to compute efficiently within $G$.
. E.g.: A succinct description of $\langle \mathbb{Z}^*_p, \cdot, 1 \rangle$ is simply $p$, as it enables us
to compute $(ab) \bmod p$ and $a^{-1} \bmod p$ in time polynomial in $\log_2 p$.
p.326 – Discrete logarithm
• Two of several conjectures regarding DLP-OWFs/OWPs:
• Definition: Let $\mathrm{GenZ}^*_{\mathrm{safe}}$ be a PPT-algorithm which,
on input $1^n$, generates
(i) an $n$-bit Sophie-Germain prime $q$, so that $p = 2q + 1$ is a safe
prime, and
(ii) a generator $g$ of $\mathbb{Z}^*_p$, and
outputs $I = (p, p - 1, g)$ as description of $\langle g \rangle = \mathbb{Z}^*_p$.
. Remark: W.r.t. $\langle \mathbb{Z}^*_p, \cdot, 1 \rangle$ with $p$ prime, the map
$f_{(p, p-1, g)} : \mathbb{Z}_{p-1} \to \mathbb{Z}_{p-1} : x \mapsto (g^x \bmod p) \bmod (p - 1)$
is a permutation on $\mathbb{Z}_{p-1}$.
p.327 – Discrete logarithm
• Definition: Let $\mathrm{GenQR}_{\mathrm{safe}}$ be a PPT-algorithm which,
on input $1^n$, generates
(i) an $n$-bit Sophie-Germain prime $q$, so that $p = 2q + 1$ is a safe
prime, and
(ii) a generator $g$ of $\mathrm{QR}_p$, and
outputs $I = (p, q, g)$ as description of $\langle g \rangle = \mathrm{QR}_p$.
. Conjecture: The DLP is hard w.r.t. $\mathrm{GenQR}_{\mathrm{safe}}$.
. Remark: Recall that
modulo a safe prime $p$, we have $(x^2)^{\frac{p+1}{4}} \equiv \pm x \pmod p$.
That is, we can efficiently map every $x^2 \in \mathrm{QR}_p$ to its positive square
root in $\{1, \ldots, q\}$,
thereby turning the DLP w.r.t. $\mathrm{GenQR}_{\mathrm{safe}}$ into a OWP over $\mathbb{Z}_q$.
p.328 – Discrete logarithm
. Recall: Except for negl. probability, based on the conjecture by
Hardy-Littlewood, we can generate both a (random) $n$-bit safe prime
and a generator of $\mathbb{Z}^*_p$ in time polynomial in $n$.
• In practice, the actual group (description) is sometimes simply chosen
from a list of precomputed descriptions, in particular when using
subgroups of elliptic curves (see e.g. here).
• The main reason why Gen is a randomized algorithm is that this
allows us to efficiently find some (random) safe $n$-bit prime and some
(random) generator of $\mathbb{Z}^*_p$ resp. $\mathrm{QR}_p$.
p.329 – RSA problem: Exponentiation as isomorphism
• Reminder: Let $G$ be a finite commutative group. Then:
. Its exponent $\lambda_G$ is the least positive integer $\lambda$ s.t. $\forall a \in G : a^\lambda = 1$.
. If $G = \mathbb{Z}^*_N$, then $\lambda(N) := \lambda_{\mathbb{Z}^*_N}$ is called the Carmichael function.
. Lemma: Let $N = \prod_{i=1}^r p_i^{e_i}$ be a prime factorization of $N$.
Then: $\lambda(N) = \mathrm{lcm}(\lambda(p_1^{e_1}), \ldots, \lambda(p_r^{e_r}))$
where $\lambda(2) = 1$, $\lambda(4) = 2$, $\lambda(2^k) = 2^{k-2}$ (for $k > 2$),
and $\lambda(p^e) = (p - 1)p^{e-1}$ for $p > 2$.
. The map $\exp_e : G \to G : x \mapsto x^e$ is a permutation if and only if
$\gcd(e, \lambda_G) = 1$.
If $1 = \gcd(e, \lambda_G) = ed + \lambda_G f$, then $\exp_e^{-1} = \exp_d$.
• In fact, $\exp_e$ is always a homomorphism. So in the latter case, it is also an
isomorphism.
p.330 – RSA problem: Exponentiation as isomorphism
• Remarks:
. Just as for $\varphi(N)$, we do not know how to compute $\lambda(N)$ if
factorizing $N$ is hard.
. Ex: Let $N = pq$ with $p, q$ distinct primes.
Then: $\gcd(e, \lambda(N)) = 1$ iff $\gcd(e, \varphi(N)) = 1$.
. Ex: Compute $\mathbb{Z}^*_{\lambda(35)}$ and $\mathbb{Z}^*_{\varphi(35)}$.
How are the two groups related to each other?
p.331 – RSA problem
• The basic idea of the RSA problem is to use $\exp_e$ as a one-way
function.
. In order to be able to compute $\exp_e$ we need to know
1 A (succinct) description of $G$ which enables us to compute efficiently
within $G$.
2 The exponent $e \in \mathbb{Z}$. Wlog. $e \in \mathbb{Z}_\lambda$.
. $\exp_e$ can then be computed efficiently by means of repeated squaring.
• BUT: In order for $\exp_e$ to be a candidate for an OWF, it has to be
computationally infeasible to compute $\lambda$ given the description of $G$ and
the exponent $e$.
• Candidates for such groups:
$G = \mathbb{Z}^*_N$ with $N$ a composite which is hard to factorize.
p.332 – RSA problem
• Definition: Let
Gen: on input $1^n$, run $\mathrm{GenP2}(1^n)$ to obtain $p, q$, set $N := pq$,
compute $\lambda := \lambda(N)$, choose any $e \in \mathbb{Z}^*_\lambda \setminus \{1\}$, and output $I = (N, e)$.
Smpl: on input $I = (N, e)$, output $x \overset{u}{\in} \mathbb{Z}^*_N$.
$f$: on input $I = (N, e)$ and $x \in \mathbb{Z}^*_N$, output $f_I(x) := x^e \bmod N$.
The RSA problem is hard w.r.t. GenP2 if the above is a OWP.
• Conjecture:
If factorization is hard w.r.t. GenP2, then RSA is hard w.r.t. GenP2.
• In fact, the RSA problem is a candidate for a trapdoor one-way
permutation:
When the trapdoor $\lambda(N)$ (or $\varphi(N)$ or $p, q$) is known, we can compute
$d$ such that $ed \equiv 1 \pmod \lambda$, and, hence, $(x^e)^d \equiv x \pmod N$.
p.333 – RSA problem
• Lemma: If Eve, given $(N, e)$, can efficiently compute ...
• $p, q$, she can efficiently compute $\varphi(N)$, $\lambda(N)$, and $d$.
• $\varphi(N)$, she can efficiently compute $p, q$. (Ex)
Hint: Show that $q^2 - q(N + 1 - \varphi(N)) + N = 0$ has to hold.
• $\lambda(N)$, she can efficiently compute $p, q$. See, e.g., [43] p.232.
• $d$, she can efficiently compute $p, q$. See, e.g., [29] p.143.
• an $x \in \mathbb{Z}_N \setminus \mathbb{Z}^*_N$, she can efficiently compute $p, q$. (Ex)
. So, if the RSA problem is an OWP w.r.t. the specific GenP2, none of
the above can be done efficiently; in particular, factorizing $N$ given
$(N, e)$ has to be hard.
• But: In general, it is not known if solely the conjecture that
factorizing $N$ on input $(N, e)$ is hard suffices for the RSA problem to
be an OWP. Only for the restricted setting of generic algorithms has this
been shown so far [3].
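An added Python example (not from the slides) of the RSA trapdoor permutation as defined on p.332, with $\lambda(N) = \mathrm{lcm}(p-1, q-1)$ from p.329, together with two of the trapdoor equivalences of this lemma (and of the exercise on p.291): recovering $p, q$ from $\varphi(N)$ via the quadratic in the hint, and from a non-unit $x \in \mathbb{Z}_N \setminus \mathbb{Z}^*_N$. The two 10-bit primes and $e = 65537$ are constructed toy parameters standing in for GenP2.

```python
from math import gcd, isqrt

# Constructed toy parameters standing in for GenP2 (far too small for real use).
P_TOY, Q_TOY = 1019, 1013


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def carmichael_pq(p: int, q: int) -> int:
    """lambda(N) for N = pq with p != q odd primes: lcm(lambda(p), lambda(q)) = lcm(p-1, q-1)."""
    return lcm(p - 1, q - 1)


def rsa_gen(p: int, q: int, e: int = 65537):
    """Gen of slide p.332 with GenP2 replaced by the given primes.
    Returns the public parameters I = (N, e) and the trapdoor (lambda, d) with ed = 1 mod lambda."""
    assert p != q
    N = p * q
    lam = carmichael_pq(p, q)
    assert 1 < e < lam and gcd(e, lam) == 1      # e in Z_lambda^* \ {1}
    d = pow(e, -1, lam)                          # modular inverse (Python >= 3.8)
    return (N, e), (lam, d)


def rsa_exp(I, x: int) -> int:
    """f_I(x) = x^e mod N, the one-way direction."""
    N, e = I
    return pow(x, e, N)


def rsa_invert(I, d: int, y: int) -> int:
    """f_I^{-1}(y) = y^d mod N, possible only with the trapdoor d."""
    N, _ = I
    return pow(y, d, N)


def factor_from_phi(N: int, phi: int):
    """p, q from N = pq and phi(N): p + q = N + 1 - phi(N) =: s, so q is a root of
    q^2 - s*q + N = 0, i.e. q = (s - sqrt(s^2 - 4N)) / 2. Returns (smaller, larger)."""
    s = N + 1 - phi
    disc = s * s - 4 * N
    r = isqrt(disc)
    assert r * r == disc, "N is not a product of two primes with this phi"
    q, p = (s - r) // 2, (s + r) // 2
    assert p * q == N
    return q, p


def factor_from_nonunit(N: int, x: int) -> int:
    """x in Z_N \\ Z_N^*: gcd(x, N) is a nontrivial factor of N."""
    d = gcd(x, N)
    assert 1 < d < N, "x must be a non-unit different from 0"
    return d


if __name__ == "__main__":
    I, (lam, d) = rsa_gen(P_TOY, Q_TOY)
    y = rsa_exp(I, 123456)
    print("N =", I[0], " lambda =", lam, " d =", d)
    print("x^e mod N =", y, " recovered x =", rsa_invert(I, d, y))
    print("p, q from phi(N):", factor_from_phi(I[0], (P_TOY - 1) * (Q_TOY - 1)))
```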
p.334 – Trapdoor one-way permutation collection
• Definition: A trapdoor one-way permutation (TDP)
$F = (\mathrm{Gen}, f, \mathrm{Smpl})$:
Algorithm | Type | Input                              | Output
Gen       | PPT  | $1^n$                              | $(I, td) \overset{r}{\in} I_n \times T_n$ with $|I| \geq n$
f         | DPT  | $I \in I_n$, $x \in \mathrm{Dom}_I$ | $y \in \mathrm{Rng}_I$
Smpl      | PPT  | $I \in I_n$                        | $x \overset{r}{\in} \mathrm{Dom}_I$
such that (i) $(I, td)$ allows to efficiently compute $f_I^{-1}$,
but (ii) for any PPT-adversary $\Pr\left[\mathrm{Win}^{\mathrm{TDP}}_{n,F}(A)\right]$ is negl. in $n$:
1 Alice&Bob generate $(I, td) \overset{r}{:=} \mathrm{Gen}(1^n)$ and destroy $td$,
choose $x \overset{r}{:=} \mathrm{Smpl}(I)$, compute $y := f_I(x)$, and
pass $(I, y)$ to Eve.
2 Eve runs $A(I, y)$ to obtain $x'$.
. Let $\mathrm{Win}^{\mathrm{TDP}}_{n,F}(A)$ be the event that $x = x'$.
p.335 – "Simple" OWF and OWP collections
• For proofs the following "normal form" for OWF and OWP
collections is helpful:
• Definition:
A DPT-computable function $f : \{0, 1\}^* \to \{0, 1\}^*$ is called a simple
OWF if for any PPT-algorithm $A$
$\Pr_{x \overset{u}{\in} \{0,1\}^n}\left[A(1^n, f(x)) \in f^{-1}(f(x)) \cap \{0, 1\}^n\right]$ is negligible in $n$.
It is a simple OWP if $f(\{0, 1\}^n) = \{0, 1\}^n$ for all $n \in \mathbb{N}$.
• Ex: Given a simple OWF/OWP, define Gen, Smpl to show that it is
also a OWF/OWP collection.
• We can transform any OWF/OWP collection into a simple OWF:
Given $(\mathrm{Gen}, \mathrm{Smpl}, f)$, we combine all three algorithms into a single
DPT-algorithm $\tilde{f}$:
Informally, $\tilde{f}$ treats its input $\{0, 1\}^n$ as a random bit string which it
uses to run Gen and Smpl.
p.336 – OWFs from comp. secret ES
• Lemma: Let $E = (\mathrm{Gen}_E, \mathrm{Enc}, \mathrm{Dec})$ be a deterministic comp. secret
ES with $\mathrm{Gen}_E(1^n) \overset{u}{\in} K_n = \{0, 1\}^n$ and $\{0, 1\}^{2n} \subseteq M_n$. Then the
following $F = (\mathrm{Gen}_F, \mathrm{Smpl}, f)$ is a OWF:
$\mathrm{Gen}_F$: on input $1^n$, output $I = m$ where $m \overset{u}{\in} \{0, 1\}^{2n}$, $\mathrm{Dom}_m = K_n$,
and $\mathrm{Rng}_m = C_n$.
Smpl: on input $I = m$, output $k \overset{u}{\in} \{0, 1\}^n$.
$f$: on input $I = m$ and $k \in \{0, 1\}^n$, output $f_m(k) := \mathrm{Enc}_k(m)$.
. Remark: As for comp. secrecy we only have to encrypt a single
message, we can make the coin tosses $\rho$ by Enc external, and simply
supply Enc instead with the extended key $k\|\rho$.
For similar reasons, we can assume that $\mathrm{Gen}_E(1^n)$ always generates a
random key chosen uniformly from $\{0, 1\}^n$.
Then the above statement says that it has to be hard to find $k\|\rho$ even
when $m$ and $c = \mathrm{Enc}_{k\|\rho}(m)$ are known.
p.337 – OWFs from comp. secret ES*
• Proof: Let $B$ be any PPT-algorithm which tries to invert $F$, i.e.
on input $I = m$ and $c = \mathrm{Enc}_k(m)$, $B$ tries to find some key in
$f_I^{-1}(c) = \{k' \in \{0, 1\}^n \mid \mathrm{Enc}_{k'}(m) = c\}$.
We construct from $B$ the following PPT-adversary $A$ for the game
IndEd vs. $E$:
Alice&Bob: run $A(1^n)$
A: $m_0, m_1 \overset{u}{\in} \{0, 1\}^{2n}$; return $m_0, m_1$
Alice&Bob: $b \overset{u}{\in} \{0, 1\}$; $k \overset{u}{\in} \{0, 1\}^n$; $c := \mathrm{Enc}_k(m_b)$; run $A(1^n, \mathrm{Enc}_k(m_b))$
A: run $B(m_1, \mathrm{Enc}_k(m_b))$
B: return $k'$
A: if $\mathrm{Enc}_{k'}(m_1) = c$: return $r := 1$; else: return $r \overset{u}{\in} \{0, 1\}$
p.338 – OWFs from comp. secret ES*
• Case $b = 1$:
Alice&Bob: run $A(1^n)$
A: $m_0, m_1 \overset{u}{\in} \{0, 1\}^{2n}$; return $m_0, m_1$
Alice&Bob: $b \overset{u}{\in} \{0, 1\}$, here $b := 1$; $k \overset{u}{\in} \{0, 1\}^n$; $c := \mathrm{Enc}_k(m_1)$; run $A(1^n, c)$
A: run $B(m_1, c)$
B: return $k'$
A: if $\mathrm{Enc}_{k'}(m_1) = c$: return $r := 1$; else: return $r \overset{u}{\in} \{0, 1\}$
. $A$ wins iff $r = 1$.
. $m_0$ can be removed.
. Rearrange the interaction into the game OWF.
p.339 – OWFs from comp. secret ES*
• Case $b = 1$: From $B$'s point of view
Alice&Bob&A: $m_1 \overset{u}{\in} \{0, 1\}^{2n}$; $k \overset{u}{\in} \{0, 1\}^n$; $c := \mathrm{Enc}_k(m_1)$; run $B(m_1, c)$
B: return $k'$
Alice&Bob&A: if $\mathrm{Enc}_{k'}(m_1) = c$: $\mathrm{Win}^{\mathrm{IndEd}}_{n,E}(A)$; else: $\mathrm{Win}^{\mathrm{IndEd}}_{n,E}(A)$ with prob. 1/2
. $A$ wins iff either
(i) $B$ wins the game OWF vs. $F$ or
(ii) $B$ loses the game OWF vs. $F$ but $A$ guesses $b$ correctly:
$\Pr_{b=1}\left[\mathrm{Win}^{\mathrm{IndEd}}_{n,E}(A)\right] = \Pr\left[\mathrm{Win}^{\mathrm{OWF}}_{n,F}(B)\right] + \left(1 - \Pr\left[\mathrm{Win}^{\mathrm{OWF}}_{n,F}(B)\right]\right) \cdot \frac{1}{2}$
p.340 – OWFs from comp. secret ES*
• Case $b = 0$:
Alice&Bob: run $A(1^n)$
A: $m_0, m_1 \overset{u}{\in} \{0, 1\}^{2n}$; return $m_0, m_1$
Alice&Bob: $b \overset{u}{\in} \{0, 1\}$, here $b := 0$; $k \overset{u}{\in} \{0, 1\}^n$; $c := \mathrm{Enc}_k(m_0)$; run $A(1^n, c)$
A: run $B(m_1, c)$
B: return $k'$
A: if $\mathrm{Enc}_{k'}(m_1) = c$: return $r := 1$; else: return $r \overset{u}{\in} \{0, 1\}$
. $A$ wins iff $r = 0$.
. Again, collapse Alice&Bob and $A$.
p.341 – OWFs from comp. secret ES*
• Case $b = 0$: From $B$'s perspective:
Alice&Bob&A: $m_0, m_1 \overset{u}{\in} \{0, 1\}^{2n}$; $k \overset{u}{\in} \{0, 1\}^n$; $c := \mathrm{Enc}_k(m_0)$; run $B(m_1, c)$
B: return $k'$
Alice&Bob&A: if $\mathrm{Enc}_{k'}(m_1) \neq c$: $\mathrm{Win}^{\mathrm{IndEd}}_{n,E}(A)$ with prob. 1/2; else: $\neg\mathrm{Win}^{\mathrm{IndEd}}_{n,E}(A)$
• $A$ wins iff $B$, on input $(m_1, c)$, does not find some $k' \in \{0, 1\}^n$ with
$\mathrm{Enc}_{k'}(m_1) = c$ where $c = \mathrm{Enc}_k(m_0)$, and $A$ guesses correctly.
• $B$ can only find such a $k'$ if $m_1 \in D_c = \{\mathrm{Dec}_{k''}(c) \mid k'' \in \{0, 1\}^n\}$.
. As $m_1 \overset{u}{\in} \{0, 1\}^{2n}$ and independently of $m_0$, the prob. for $m_1 \in D_c$ is
$|D_c| \cdot 2^{-2n} \leq 2^{-n}$.
Hence: $\Pr_{b=0}\left[\mathrm{Win}^{\mathrm{IndEd}}_{n,E}(A)\right] \geq (1 - 2^{-n}) \cdot \frac{1}{2}$.
p.342 – OWFs from comp. secret ES*
• In total:
$4 \cdot \Pr\left[\mathrm{Win}^{\mathrm{IndEd}}_{n,E}(A)\right] \geq 2 \cdot \Pr\left[\mathrm{Win}^{\mathrm{OWF}}_{n,F}(B)\right] + \left(1 - \Pr\left[\mathrm{Win}^{\mathrm{OWF}}_{n,F}(B)\right]\right) + (1 - 2^{-n})$
. Thus:
$4 \cdot \Pr\left[\mathrm{Win}^{\mathrm{IndEd}}_{n,E}(A)\right] - 2 + 2^{-n} \geq \Pr\left[\mathrm{Win}^{\mathrm{OWF}}_{n,F}(B)\right]$.
. As $E$ is comp. secret, the advantage of $A$ is negl. in $n$, and, thus, any
$B$ can only succeed with negl. prob.
p.343 – What we have seen so far
[Figure: implication diagram with the nodes "pseudorandom generator of stretch l(n) = 2n", "comp. secret encryption of fixed-length l(n) = 2n", "one-way function" (candidates: Factorization, DLP) and "P ≠ NP".]
• What remains is to show that from OWFs we can also construct
PRGs of stretch $l(n) = 2n$.
• We only discuss how PRGs of arbitrary (polynomial) stretch can be
constructed from OWPs based on the idea of the Blum-Micali PRG.
. See [52] for a general proof based on any OWF.
p.344 – Overview: from OWPs to PRGs
• Recall:
A DPT-computable function $G : \{0, 1\}^* \to \{0, 1\}^*$ which stretches
inputs of length $n$ to outputs of length $l(n) > n$ is a pseudorandom
generator (PRG) if for every PPT-distinguisher $D$
$\left|\Pr_{x \overset{u}{\in} \{0,1\}^n}[D(G(x)) = 1] - \Pr_{y \overset{u}{\in} \{0,1\}^{l(n)}}[D(y) = 1]\right|$ is negligible.
• We follow the presentation of [5]:
1 Yao's characterization of PRGs via unpredictability: $G(\cdot)$ is a PRG iff
given the first $i$ bits of $G(x)$ the $(i + 1)$-th bit cannot be predicted
(= computed) reliably.
2 Hard-to-predict bits (hard-core predicates) $hc_I$ for one-way
permutations $f_I$ allow to stretch a random string by one.
3 Blum-Micali construction for obtaining arbitrary polynomial stretch.
Repeat: output $hc_I(x)$ (with $x$ the seed) and "reseed" $x := f_I(x)$.
p.345 – Unpredictability of PRGs
• Definition: A DPT-computable function $G : \{0, 1\}^* \to \{0, 1\}^*$ with
polynomial stretch $l(n) \geq n$, i.e., $|G(x)| = l(|x|) \geq |x|$ for all $x$, is
unpredictable (from the left) if for every PPT-algorithm $P$ the prob.
$\left|\Pr_{x,\, y = G(x),\, i}\left[P(1^n, y_1 y_2 \ldots y_{i-1}) = y_i\right] - 1/2\right|$ is negligible
for $x \overset{u}{\in} \{0, 1\}^n$ and $i \overset{u}{\in} [l(n)]$ (and the coin tosses done by $P$).
• Ex: Every permutation is unpredictable; every PRG is unpredictable.
• Ex: Reformulate the above definition as a game between Alice&Bob
(using $G$) and Eve (using $P$).
p.346 – Yao's theorem
• Theorem [93]: (see the appendix for a proof)
Let $G(\cdot)$ be as above. If $G$ is unpredictable, then it is a PRG.
. Proof idea: Given a distinguisher $D$ for stretch $s(n)$, define $P_D$ by:
• Input: $y_1 y_2 \ldots y_{i-1}$
• Set $y' := y_1 y_2 \ldots y_{i-1} y'_i \ldots y'_{s(n)}$ with $y'_j \overset{u}{\in} \{0, 1\}$.
• Return $y'_i$ iff $D(1^n, y') = 1$, else return $1 - y'_i$.
That is, $P$ guesses the missing bits in order to run $D$, and assumes
that $y_i = y'_i$ iff $D$ thinks that $y'$ has been generated by $G$.
p.347 – Hard-core predicates
• First goal: obtain a PRG of stretch $l(n) = n + 1$.
. Recall: Any DPT-computable $f$ with $f(\{0, 1\}^n) = \{0, 1\}^n$ for all
$n \in \mathbb{N}$ is unpredictable.
. Idea: Make a single bit $hc(x)$ of information on $x$ public:
$G(x) := f(x) \| hc(x)$
. Yao's theorem: it suffices to show that $G$ is unpredictable.
As $f(x)$ is unpredictable, we only need to require that the last bit is
unpredictable:
Given $f(x)$, computing $hc(x)$ with prob. better than guessing has to
be hard.
p.348 – Hard-core predicates
• Definition:
A DPT-computable function $hc$ is a hard-core predicate of a function
$f : \{0, 1\}^* \to \{0, 1\}^*$ if for every PPT-algorithm $A$ the prob.
$\left|\Pr_{x \overset{u}{\in} \{0,1\}^n}\left[A(f(x)) = hc(x)\right] - 1/2\right|$ is negligible.
Analogously for a function collection: then $I \overset{r}{:=} \mathrm{Gen}(1^n)$,
$x \overset{r}{:=} \mathrm{Smpl}(I)$, and both $A$ and $hc$ are also given the parameter $I$.
• Corollary:
If $f$ is a PPT-computable permutation on $\{0, 1\}^n$ (for every $n$) with
hard-core predicate $hc$, then $G(x) := f(x) \| hc(x)$ is a PRG of stretch
$l(n) = n + 1$.
. Which functions possess hard-core predicates?
Ex: $f$ has to be a OWP in order to possess a hard-core predicate.
p.349 – Goldreich-Levin theorem
• Any simple OWP can be transformed into a new simple OWP which
has a hard-core predicate:
• Theorem [48]: (see the appendix for a proof)
Let $f : \{0, 1\}^* \to \{0, 1\}^*$ be a simple one-way permutation.
For every $n \in \mathbb{N}$ and $x, r \in \{0, 1\}^n$ set
$g(x, r) := f(x) \| r$ and $gl(x, r) := \sum_{i=1}^n x_i \cdot r_i \bmod 2$.
Then $gl$ is a hard-core predicate of $g$.
• Ex: Show that $g(x, r)$ is also a OWP.
• For the conjectured OWP collections we have seen so far, specific
hard-core predicates are known:
• DLP within $\mathbb{Z}^*_p$ for $p$ prime: $hc_{(p, p-1, g)}(x) = (x < \frac{p-1}{2} \;?\; 1 : 0)$. [24]
• RSA: Any single bit of $x$, given $x^e \bmod N$, is as hard to compute as $x$
itself. [72]
p.350 – The Blum-Micali construction
• Theorem:
Let $f : \{0, 1\}^* \to \{0, 1\}^*$ be a permutation on $\{0, 1\}^n$ for every $n$
with hard-core predicate $hc$. For every $j \geq 0$ set
$\mathrm{BM}_j(x) := hc(f^{j-1}(x)) \| hc(f^{j-2}(x)) \| \ldots \| hc(f(x)) \| hc(x)$.
Then $\mathrm{BM}_{l(|x|)}(x)$ is a PRG for every polynomial $l(n) > n$, i.e. a PRG
of variable stretch.
• Ex: Show that $G_l(x) := f^l(x) \| \mathrm{BM}_l(x)$ is a PRG of fixed stretch for
every fixed $l$ polynomial in $n$.
• Discuss the advantages/disadvantages of also outputting $f^l(x)$.
• In particular, consider the case when a TDP is used for $f$ and the
resulting PRG is used within the prOTP.
• Remark: The result holds analogously for a permutation collection $F$
which has a hard-core predicate.
Simply replace $f(x)$ by $f_I(x)$ and $hc(x)$ by $hc_I(x) = hc(I, x)$ for
$x \in \mathrm{Dom}_I$.
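An added Python example (not from the slides) instantiating the construction: the DLP permutation $x \mapsto (g^x \bmod p) \bmod (p-1)$ of p.326, its hard-core predicate $x < \frac{p-1}{2}$ from p.349, $\mathrm{BM}_l$ and the fixed-stretch variant $G_l$ of this slide, plus the Goldreich-Levin inner product $gl$. The toy instance $I = (1019, 1018, 7)$ reuses the safe prime and generator of the DLP example on p.320 and is far too small for real use.

```python
# Constructed toy instance I = (p, p-1, g): p = 1019 = 2*509 + 1 is a safe prime and
# g = 7 generates Z_p^* (the DLP example of slide p.320).
P, G = 1019, 7


def f_dlp(x: int, p: int = P, g: int = G) -> int:
    """Permutation on Z_{p-1} from slide p.326: x -> (g^x mod p) mod (p-1)."""
    return pow(g, x, p) % (p - 1)


def hc_dlp(x: int, p: int = P) -> int:
    """Hard-core predicate of f_dlp from slide p.349: 1 iff x < (p-1)/2."""
    return 1 if x < (p - 1) // 2 else 0


def blum_micali(seed: int, l: int, f=f_dlp, hc=hc_dlp) -> list:
    """BM_l(x) = hc(f^{l-1}(x)) || ... || hc(f(x)) || hc(x):
    repeatedly output hc(x) and reseed x := f(x); the slide lists the last iterate first."""
    x, bits = seed, []
    for _ in range(l):
        bits.append(hc(x))
        x = f(x)
    return bits[::-1]


def blum_micali_fixed(seed: int, l: int, f=f_dlp, hc=hc_dlp):
    """G_l(x) = f^l(x) || BM_l(x) (exercise on slide p.350); returns (f^l(x), BM_l(x))."""
    x = seed
    for _ in range(l):
        x = f(x)
    return x, blum_micali(seed, l, f, hc)


def is_permutation(f, M: int) -> bool:
    """Exhaustive check that f maps Z_M bijectively onto Z_M (toy sizes only)."""
    return sorted(f(x) for x in range(M)) == list(range(M))


def goldreich_levin(x_bits, r_bits) -> int:
    """gl(x, r) = sum_i x_i * r_i mod 2 from slide p.349, on bit lists of equal length."""
    assert len(x_bits) == len(r_bits)
    return sum(a & b for a, b in zip(x_bits, r_bits)) % 2


if __name__ == "__main__":
    print("f_dlp is a permutation on Z_1018:", is_permutation(f_dlp, P - 1))   # True
    print("BM_16(123) =", "".join(map(str, blum_micali(123, 16))))
    print("G_4(123)   =", blum_micali_fixed(123, 4))
```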
p.351 – Proof of the Blum-Micali construction
• We want to show that the Blum-Micali construction is a PRG of
variable stretch.
. We only need to show that $\mathrm{BM}_{l(n)}(\cdot)$ is a PRG for any fixed
polynomial stretch $l(n) > n$.
. By Yao's theorem, it is equivalent to show that $\mathrm{BM}_{l(n)}(\cdot)$ is
unpredictable (from the left).
• As before: We construct an algorithm $A$ which tries to compute
$hc(x)$ given $f(x)$, using a given predictor $P$ as a black-box subprocedure,
and show that this implies that $P$ can succeed only with negligible
probability.
p.352 – Proof of the Blum-Micali construction
• Recall:
• A gets f(x) with x ∈^u {0,1}^n, and computes a guess for hc(x).
• P gets the first i − 1 bits of BM_{l(n)}(x'), i.e.
hc(f^{l(n)−1}(x'))||hc(f^{l(n)−2}(x'))|| . . . ||hc(f^{l(n)−1−(i−2)}(x'))
with x' ∈^u {0,1}^n and i ∈^u [l(n)], and computes a guess for the ith bit,
i.e. hc(f^{l(n)−1−(i−1)}(x')).
• Observe: P predicts hc(x) if x' := f^{−l(n)+i}(x).
• May we choose x' in this way?
• As f is a permutation and x ∈^u {0,1}^n, also f^{−l(n)+i}(x) ∈^u {0,1}^n.
(Alternatively we may assume that x = f^{l(n)−i}(x').)
. So defining x' in this way does not change the experiment.
. How to compute f^{−l(n)+i}(x)?
p.353 – Proof of the Blum-Micali construction
• We don't need to explicitly compute x' = f^{−l(n)+i}(x) as
hc(f^{l(n)−1}(x'))||hc(f^{l(n)−2}(x'))|| . . . ||hc(f^{l(n)−1−(i−2)}(x'))
= hc(f^{i−1}(x))||hc(f^{i−2}(x))|| . . . ||hc(f(x))
= BM_{i−1}(f(x))
which A can efficiently compute given f(x). (For i = 1, this is simply
the empty word.)
. Define A so that it simulates the prediction experiment for
x' = f^{i−l}(x):
1 Input: f(x).
2 Choose i ∈^u [l(n)].
3 Compute y'_i :=^r P(1^n, BM_{i−1}(f(x))).
4 Output: y'_i.
• Ex: Why can't A simply choose e.g. i = l?
p.354 – Proof of the Blum-Micali construction*
• Success probability of A:
First consider the case that A chooses a particular i ∈ [l]:
Pr_x[P(BM_{i−1}(f(x))) = hc(x)]
= Pr_{x', x=f^{l−i}(x')}[P(BM_{i−1}(f^{l−i+1}(x'))) = hc(f^{l−i}(x'))]
= Pr_{x', BM_l(x')=y}[P(y_1 . . . y_{i−1}) = y_i]
For i ∈^u [l(n)] we then have:
Pr_{x,i}[A(f(x)) = hc(x)]
= Σ_i Pr_x[P(BM_{i−1}(f(x))) = hc(x)] · 1/l
= Σ_i Pr_{x', BM_l(x')=y}[P(y_1 . . . y_{i−1}) = y_i] · 1/l
= Pr_{x', BM_l(x')=y, i}[P(y_1 . . . y_{i−1}) = y_i]
I.e.: A succeeds in predicting hc(x) with the same prob. as P
succeeds in predicting a uniformly chosen bit output by BM_{l(n)}(·).
. Hence, P can only succeed with negligible advantage.
p.355 – Proof of the Blum-Micali construction
• Note the proof requires that the predictor sees hc(x) the latest as it
reads from left to right.
. Ex: For G(x) = y_1 . . . y_l set G^R(x) = y_l . . . y_1.
Then G(·) is a PRG iff G^R(·) is a PRG.
. Corollary:
For f a OWP with hard-core predicate hc
G(x; 1^l) := hc(x)||hc(f(x))|| . . . ||hc(f^{l−2}(x))||hc(f^{l−1}(x))
is a PRG of variable stretch.
p.356 – Summary
[Summary diagram (figure residue): one-way permutation → (Yao) unpredictability / hard-core predicate → PRG of stretch one → (Blum-Micali) PRG of polynomial stretch → prOTP → computationally secret encryption with |K| < |M|; the DLP conjecture yields a one-way collection.]
Cryptographic hash function
p.358 – Hash and compression functions
• Definition:
Let l_out ∈ N and h : M → {0,1}^{l_out} a DPT-computable function.
h is a compression function if M = {0,1}^{l_in} for some l_in > l_out.
h is a hash function if M = {0,1}^{<2^l} for some l > 0.
. The Merkle-Damgård construction is often used to build a hash
function from a compression function. For instance:
• RIPEMD-160: M = {0,1}^{<2^64}.
Compression function: l_out = 160, l_in = 160 + 512.
• SHA-512: M = {0,1}^{<2^128}.
Compression function: l_out = 512, l_in = 512 + 1024.
. Ideally, computation of h(m) takes O(|m|) time.
p.359 – Security of hash functions
• In the design of efficient algorithms and data structures, the goal of a
hash function is to yield a short, (ideally) unique ID-number
h(m) ∈ {0, 1}lout for a usually much larger and more complex object
m.
Usually, the choice of the concrete hash function therefore depends on
the actual data type of m.
• For cryptographic uses, several (informal) notions of secure hash
function h : M → {0, 1}lout exist:
• Collision resistance: It is computationally infeasible to find m1, m2 s.t.
h(m1) = h(m2) and m1 ≠ m2.
• Second-preimage resistance: Given m1, it is computationally infeasible
to find m2 with h(m1) = h(m2) and m1 ≠ m2.
• Preimage resistance: Given h(m1), it is computationally infeasible to
find any m2 with h(m1) = h(m2). (“one-wayness”)
p.360 – Security of hash functions
. What does “computationally infeasible” mean?
. Need to fix either asymptotic or concrete bounds on the resources and
success probability of the adversary.
. Preimage and second-preimage resistance: How is m1 chosen?
• Second-preimage resistance is meaningless if we are allowed to choose
m1 deterministically.
. Either let the adversary choose m1 or draw m1 ∈^u {0,1}^{L(n)} ⊆ M.
. Any function h : A → B with |A| > |B| always has a collision, i.e. a
pair m1 ≠ m2 with h(m1) = h(m2).
• There always exists an efficient adversary which simply outputs m1, m2.
. It seems difficult to give a meaningful formal definition of collision
resistance when considering solely a single hash function as the
adversary does not get any input.
. To overcome this problem, collections of hash functions are considered.
p.361 – Hash functions
• Definition:
Let H = (Gen, h) be a function collection such that
h_I : M_n → {0,1}^{l_out(n)} for any I output by Gen(1^n) where l_out(n) is
a polynomial.
H is a collection of compression functions (CCF) if M_n = {0,1}^{l_in(n)}
for some polynomial l_in(n) > l_out(n).
H is a collection of hash functions (CHF) if M_n = {0,1}^{<2^{l(n)}} for
some polynomial l(n) > 0.
p.362 – A compression function collection based on the DLP
• Example: DLP-CCF
Gen: on input 1^n, run GenQRsafe(1^n) to obtain (p, q, g), then choose
x ∈^u Z_q, and set r := g^x mod p. Output I = (p, q, g, r).
h: on input I = (p, q, g, r) and (u, v) ∈ Z_q × Z_q output
h_{(p,q,g,r)}(u, v) := g^u · r^v mod p.
• Assume that 2^n ≤ q ≤ p ≤ 2q + 1 ≤ 2^{n+1} − 1.
. Then any n-bit string u represents some element in Z_q, and
any x ∈ Z*_p ⊆ Z_p can be represented as an (n + 1)-bit string.
. I.e. h_I compresses l_in(n) = 2n-bit strings to l_out(n) = (n + 1)-bit
strings.
p.363 – Security of hash functions
• [82] discusses several formalizations of the preceding informal
requirements, and studies their relation.
• In total, seven formalizations are obtained from the informal
requirements depending on
. whether the adversary chooses m1 or whether m1 ∈^u {0,1}^{L(n)} ⊆ M_n is
chosen uniformly at random from a finite subset of M_n.
(L(n) = l_in(n) for a collection of compression functions.)
. whether the adversary may pick a function from the collection or the
function is generated randomly by Gen.
p.364 – Security of hash functions
• Definition: Let H = (Gen, h) be a CCF or CHF, and L(n) any
polynomial such that {0,1}^{L(n)} ⊆ M_n.
Game Coll:
I :=^r Gen(1^n); (m1, m2) :=^r A(I).
Win^{Coll}_{n,H}(A): h_I(m1) = h_I(m2) and m1 ≠ m2.
Game UOWHF[L(n)]:
m1 :=^r A(1^n) ∈ {0,1}^{L(n)}; I :=^r Gen(1^n); m2 :=^r A(I, m1).
Win^{UOWHF[L(n)]}_{n,H}(A): h_I(m1) = h_I(m2) and m1 ≠ m2.
Game Sec[L(n)]:
m1 ∈^u {0,1}^{L(n)}; I :=^r Gen(1^n); m2 :=^r A(I, m1).
Win^{Sec[L(n)]}_{n,H}(A): h_I(m1) = h_I(m2) and m1 ≠ m2.
Game Pre[L(n)]:
m1 ∈^u {0,1}^{L(n)}; I :=^r Gen(1^n); m2 :=^r A(I, h_I(m1)).
Win^{Pre[L(n)]}_{n,H}(A): h_I(m1) = h_I(m2).
If the respective winning probability is negligible w.r.t. n for any
admissible PPT-adversary A, then H is
• Coll: collision resistant
• UOWHF[L(n)]: a universal one-way hash function w.r.t. inputs of
length L(n)
• Sec[L(n)]: second-preimage resistant w.r.t. inputs of length L(n)
• Pre[L(n)]: preimage resistant (one-way) w.r.t. inputs of length L(n)
p.365 – Security of hash functions
• Theorem [82]: Let H = (Gen, h) be a CCF/CHF of output length
l_out(n).
If H is collision resistant, then it is a UOWHF for any L(n).
If H is a UOWHF for L(n), then it is second-preimage resistant for L(n).
If H is second-preimage resistant for L(n), and 2^{l_out(n)−L(n)} is
negligible, then it is also preimage resistant for L(n).
. The term 2^{l_out(n)−L(n)} is essentially the prob. that h_I(m1) has a
unique preimage within {0,1}^{L(n)}.
• Ex: Assume that (Gen, g) is collision resistant with output length
l_out(n). Let h_I(x) := 1||x if |x| = l_out(n); otherwise h_I(x) := 0||g_I(x).
Show that (Gen, h) is also collision resistant, but not preimage
resistant for inputs of length L(n) = l_out(n).
• Theorem: UOWHFs can be constructed from OWFs. [83]
• Conjecture: OWFs are not enough for collision resistance. [91]
p.366 – Collision resistance of the DLP-CCF
• Lemma:
Assume that the DLP is hard relative to GenQRsafe.
Then the DLP-CCF is collision resistant.
. Proof: Let A be a PPT-collision attack on (Gen, h).
Define B as follows:
• Input: (p, q, g) and r = g^x mod p for some secret x ∈^u Z_q.
• If r = 1, output x = 0.
• Otherwise, pass I = (p, q, g, r) to A to obtain (a, b) ≠ (u, v).
• If h_I(a, b) ≠ h_I(u, v), output any element in Z_q.
• Otherwise return (a − u) · (v − b)^{−1} mod q.
Ex: Determine the prob. that B succeeds in computing a logarithm of
r modulo p. (Why is it important that q is prime?)
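An added example (not part of the slides) of the DLP-CCF from p.362 on a constructed toy safe prime p = 2q + 1 = 2039 with g = 4 generating QR_p, together with the reduction B of the proof above, which turns any collision of h_I into log_g r. Since no real collision attack A is available, the demonstration writes a collision down using the secret x itself; that is exactly what the lemma says an attacker without x cannot do efficiently.

```python
# Constructed toy parameters (not from the slides): safe prime p = 2q + 1, and g = 2^2,
# a square, hence a generator of QR_p, the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def is_prime(n: int) -> bool:
    """Trial division; enough to confirm the toy parameters."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def gen(x: int) -> tuple:
    """Gen of the DLP-CCF with the secret exponent x given explicitly
    (Gen itself draws x uniformly from Z_q); returns I = (p, q, g, r = g^x)."""
    return P, Q, G, pow(G, x, P)

def h(I: tuple, u: int, v: int) -> int:
    """h_{(p,q,g,r)}(u, v) = g^u * r^v mod p on Z_q x Z_q."""
    p, q, g, r = I
    assert 0 <= u < q and 0 <= v < q
    return pow(g, u, p) * pow(r, v, p) % p

def dlog_from_collision(I: tuple, a: int, b: int, u: int, v: int) -> int:
    """B from the proof above: a collision (a, b) != (u, v) gives log_g r = (a-u)(v-b)^(-1) mod q.
    Reason: g^a r^b = g^u r^v and r = g^x give g^(a-u) = g^(x(v-b)), i.e. a-u = x(v-b) mod q
    since g has prime order q; v = b would force a = u, so v - b is invertible mod q."""
    p, q, g, r = I
    assert (a, b) != (u, v) and h(I, a, b) == h(I, u, v)
    return (a - u) * pow((v - b) % q, -1, q) % q   # pow(., -1, q): modular inverse (Python 3.8+)

def collision_knowing_x(x: int, a: int, b: int, v: int) -> tuple:
    """For the demo only: whoever knows x can write down a collision via
    u = a + x(b - v) mod q.  A collision attack A has to do without x, and the lemma
    says that is as hard as computing x."""
    return (a, b), ((a + x * (b - v)) % Q, v)
```

The modular inverse of v − b exists precisely because q is prime, which answers the parenthetical question of the exercise: for composite q the reduction could fail whenever v − b shares a factor with q.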
p.367 – Extending the domain of a compression function
• In practice, hash functions are often constructed from compression
functions by means of the Merkle-Damgård construction. [68]
• Definition: Let h : {0,1}^{l_in} → {0,1}^{l_out} be a compression function
with δ := l_in − l_out > 0.
Let pad_MD(m) := m||0^p||⌊|m|⌉ such that |pad_MD(m)| is a minimal
multiple of δ and ⌊|m|⌉ is encoded using exactly δ bits.^4
For any IV ∈ {0,1}^{l_out}, and m ∈ {0,1}^* with |m| < 2^δ, define
H_IV(m) := z^{(t)} where:
z^{(0)} := IV and z^{(i)} := h(z^{(i−1)}||m^{(i)}) for pad_MD(m) = m^{(1)}|| . . . ||m^{(t)}.
For a CCF (Gen, h) apply the construction to each h_I yielding H_{I,IV}.
• Ex: Adapt the DLP-CCF so that the Merkle-Damgård construction
can be applied to it.
^4 This is not the only possible choice, but it suffices for us.
p.368 – Collision resistance of Merkle-Damgård
[Figure: Merkle-Damgård chain. IV → h → h → . . . → h → h → H_IV(m), where the i-th h takes m^{(i)} and the last h takes ⌊|m|⌉ as second input.]
• Theorem: [68]
Let (Gen, h) be a collision-resistant CCF. Construct (Gen, H) from
(Gen, h) using the Merkle-Damgård construction.
Then (Gen, H) is a collision-resistant CHF for any fixed IV.
• The IV can be treated as a further function parameter of the CHF.
It is only important that the IV is fixed by the function parameters I
so that Alice and Bob use the same IV.
Recall that for F-NMAC we indeed need to be able to change the IV.
p.369 – Proof of the Merkle-Damgård construction
• Fix any IV. We show that any collision of H_I := H_{I,IV} yields a
collision of h_I.
To this end, assume that H_I(x) = H_I(y) for some x ≠ y ∈ {0,1}^*.
• Let pad_MD(x) = x^{(1)} . . . x^{(d)} x^{(d+1)} resp.
pad_MD(y) = y^{(1)} . . . y^{(t)} y^{(t+1)}.
• Let u^{(i)} be the intermediate values obtained from x, i.e.
u^{(0)} = IV and u^{(i)} = h_I(u^{(i−1)}||x^{(i)}).
Analogously for v^{(i)} and y^{(i)}.
• Recall that by definition, |x|, |y| fit into a single block, i.e.
x^{(d+1)} = y^{(t+1)} ⇒ |x| = |y|.
• Assume first x^{(d+1)} ≠ y^{(t+1)}.
Then: u^{(d)}||x^{(d+1)} ≠ v^{(t)}||y^{(t+1)} is a collision of h_I.
p.370 – Proof of the Merkle-Damgård construction
• Assume thus x^{(d+1)} = y^{(t+1)}, i.e. t = d and |x| = |y|.
As x ≠ y, there is some i ∈ [d + 1] s.t. x^{(i)} ≠ y^{(i)}.
Hence, there is also some maximal index m s.t.
u^{(m−1)}||x^{(m)} ≠ v^{(m−1)}||y^{(m)}.
. If m = d + 1, then u^{(d)}||x^{(d+1)} ≠ v^{(d)}||y^{(d+1)} and
h_I(u^{(d)}||x^{(d+1)}) = H_I(x) = H_I(y) = h_I(v^{(d)}||y^{(d+1)}).
. If m ≤ d and m is maximal, we need to have u^{(m)} = v^{(m)}.
Thus, h_I(u^{(m−1)}||x^{(m)}) = u^{(m)} = v^{(m)} = h_I(v^{(m−1)}||y^{(m)}).
p.371 – Collision resistance and the birthday problem
• Similar to block ciphers, the output length l_out of a hash function
needs to be large enough so that the prob. of a collision is negligible:
. Assume we have a compression function h : {0,1}^{2l} → {0,1}^l.
Let X_1, . . . , X_q be independent RV uniformly distributed on {0,1}^{2l}.
Intuitively, the best that h can do is to map 2^{2l}/2^l = 2^l inputs to
the same output, i.e. |h^{−1}(y)| = 2^l for every y.
• If for some y the set of preimages is significantly larger than 2^l, the
prob. of a collision only increases. [13]
Then, h(X_i) is uniformly distributed on {0,1}^l. Probability of a
collision:
• Θ((q choose 2) · 2^{−l}) within {h(X_1), . . . , h(X_q)}.
• Θ((q choose 2) · 2^{−2l}) within {X_1, . . . , X_q} (exponentially smaller).
That is, a collision h(X_i) = h(X_j) results almost always from
X_i ≠ X_j.
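An added example (not from the slides) covering the Merkle-Damgård construction of p.367, the collision reduction of p.369/370 and the birthday estimate above: a constructed toy compression function (SHA-256 truncated to 16 bits, on 4-byte blocks) is chained with the padding from p.367, a birthday search over enumerated messages finds a collision of H after roughly 2^8 trials, and the reduction extracts a collision of h from it. Lengths are counted in bytes rather than bits, which changes nothing structurally.

```python
import hashlib

# Constructed toy parameters (not from the slides): a 16-bit chaining value makes
# H-collisions cheap to find by a birthday search, so the reduction of the proof
# can be exercised end to end.  Lengths are in bytes rather than bits here.
L_OUT = 2   # bytes of chaining value / output (l_out = 16 bits)
DELTA = 4   # bytes per message block (delta = l_in - l_out = 32 bits)
IV = b"\x00" * L_OUT

def h(block: bytes) -> bytes:
    """Toy compression function {0,1}^(l_out+delta) -> {0,1}^l_out: SHA-256 truncated."""
    assert len(block) == L_OUT + DELTA
    return hashlib.sha256(block).digest()[:L_OUT]

def pad_md(m: bytes) -> list:
    """pad_MD(m) = m || 0^p || <|m|> with <|m|> in exactly DELTA bytes, cut into blocks."""
    assert len(m) < 2 ** (8 * DELTA)
    zeros = (-len(m)) % DELTA                      # minimal p making the total a multiple of DELTA
    padded = m + b"\x00" * zeros + len(m).to_bytes(DELTA, "big")
    return [padded[i:i + DELTA] for i in range(0, len(padded), DELTA)]

def chain(m: bytes, iv: bytes = IV) -> list:
    """All intermediate values z^(0) = IV, z^(i) = h(z^(i-1) || m^(i))."""
    zs = [iv]
    for blk in pad_md(m):
        zs.append(h(zs[-1] + blk))
    return zs

def H(m: bytes, iv: bytes = IV) -> bytes:
    """Merkle-Damgard hash H_IV(m) = z^(t)."""
    return chain(m, iv)[-1]

def extract_h_collision(x: bytes, y: bytes, iv: bytes = IV) -> tuple:
    """The reduction of p.369/370: from x != y with H(x) == H(y) return two
    distinct inputs of h with the same output."""
    assert x != y and H(x, iv) == H(y, iv)
    xb, yb = pad_md(x), pad_md(y)
    u, v = chain(x, iv), chain(y, iv)
    if xb[-1] != yb[-1]:
        # length blocks differ (|x| != |y|): the last compression calls already collide
        return u[-2] + xb[-1], v[-2] + yb[-1]
    # same number of blocks: walk back to the maximal index whose h-inputs differ;
    # the outputs there agree because the chains agree from that point on
    for i in range(len(xb), 0, -1):
        in_x, in_y = u[i - 1] + xb[i - 1], v[i - 1] + yb[i - 1]
        if in_x != in_y:
            return in_x, in_y
    raise AssertionError("x != y but all blocks equal: impossible")

def find_H_collision(limit: int = 100000) -> tuple:
    """Birthday search over constructed messages b'msg-0', b'msg-1', ...
    With a 16-bit output, a collision is expected after about 2^8 messages."""
    seen = {}
    for i in range(limit):
        m = b"msg-%d" % i
        d = H(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
    return None
```

With a 160- or 256-bit chaining value the same search would need about 2^80 or 2^128 evaluations, which is why the output lengths on p.372 are recommended; the reduction itself does not change.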
p.372 – Hash functions used in practice
• Currently recommended:
RIPEMD-160/320: l_out = 160/320
SHA-1: l_out = 160
“SHA-2 family”: l_out = 256/512
. NIST (BSI) is recommending hash functions with l_out ≥ 224 for
security up to year 2030 (2015) (see www.keylength.com)
. NIST has selected the new SHA-3 in October 2012 (final round)
Final round candidates: BLAKE, Grøstl, JH, Keccak, Skein
. Have a look at the Skein papers: [Specification], [Proofs]
p.373 – Summary: cryptographic primitives
[Summary diagram (figure residue) of the primitives and their relations: random oracle (RO); collision-resistant CHF ⇒ UOWHF [82]; OWFs ⇒ UOWHF [83]; Merkle-Damgård (MD): collision-resistant CCF ⇒ collision-resistant CHF; OWFs ⇒ PRG [52] ⇒ PRF and (s)PRP (tree and FN(s) constructions); OWPs with hard-core predicate (hc) ⇒ PRG via Blum-Micali (BM); DLP with GenZ*safe, GenQRsafe ⇒ OWPs; GenQRsafe ⇒ collision-resistant CCF.]
Public-key schemes
p.375 – Motivation
• Main drawbacks of private-key ES and MACs:
(i) Key distribution:
Either Alice and Bob have to meet in person from time to time in order
to generate a new secret key;
or one of the two generates the key which then has to be securely
transferred to the other.
(ii) Key storage (Number of keys):
Given n parties, we need to generate (n choose 2) secret keys in total;
every party needs to store n − 1 keys securely.
(iii) Lack of identity authentication w.r.t. a third party:
Private-key schemes only allow for message privacy, message
integrity/origin authentication, and identity authentication between
Alice&Bob, but not identity authentication w.r.t. a third party or
non-repudiation, as the secret key is shared between Alice and Bob.
p.376 – Motivation
• Private-key schemes are thus infeasible for open systems or transient
interactions, e.g., consider an on-line sales company.
• Basic idea: Try to implement a “Post-office box”
• Only Bob has the key to his P.O. box giving him the unique ability to
access it.
(Unless the key is stolen from him and/or duplicated ...)
• To send a letter to Bob, look up the address of Bob's P.O. box in a
public directory and put the letter directly into it.
(As long as the integrity of the directory is guaranteed ...)
• Public-key schemes work essentially like this:
Only Bob (Gen) generates a key pair consisting of
a private key exclusively known to him (the key to his P.O. box), and
a public key known to everyone (Alice and Eve) (the address of his
P.O. box).
p.377 – Motivation
• The private key and the ability bestowed by it identify Bob (except
for negl. prob.) and its secrecy has only to be guaranteed by Bob.
• The public key is given to everyone, e.g., stored in a public directory.
Introduce a certificate authority (CA) which is (a) trusted by
everyone, (b) guarantees the secure distribution of its own public
keys, (c) certifies the correctness of the public keys of the other users
(later).
. Private to public: ES → PKES, MAC → Signatures.
. Definitions and notions of security essentially the same except that
Gen now generates a key pair, and Eve is given the public key.
p.378 – Public-key encryption schemes
• Definition: A public-key encryption scheme (PKES) consists of
PPT-algorithms (Gen, Enc, Dec) s.t.:
Gen (PPT): input 1^n; output I :=^r Gen(1^n) ∈ I_n with |I| ≥ n.
Enc (PPT): input ek_I ∈ K^Enc_n, m ∈ M_ek; output c :=^r Enc_{ek_I}(m) ∈ C_ek.
Dec (DPT): input dk_I ∈ K^Dec_n, c ∈ C_ek; output m = Dec_{dk_I}(c) ∈ M_ek.
Gen, on input 1^n, outputs key parameters I.
The parameters I determine the public encryption key ek_I and the
private decryption key dk_I.
• We assume that |ek_I|, |dk_I| ≥ n.
• ek_I determines the set of plain- and ciphertexts: M_{ek_I}, C_{ek_I}.
• Pr_{I :=^r Gen(1^n), m ∈^u M_{ek_I}}[Dec_{dk_I}(Enc_{ek_I}(m)) ≠ m] has to be negligible.
• “deterministic” and “stateless/stateful” defined as for general ES.
p.379 – Public-key encryption schemes
• We have already discussed how OWFs based on integer factorization
and the DLP can be obtained.
. This usually involves generating specific objects like prime numbers.
. For instance, when using the Miller-Rabin test, we might mistake a
composite for a prime with some negligible, but non-zero probability.
. In these cases, the algebraic assumptions underlying a
public-key encryption scheme need not be satisfied s.t. decryption might
not yield the original plaintext anymore.
. Hence, we allow that for PKES decryption fails with negligible
probability.
• We only consider stateless PKES in the following, and therefore only
pass ek to Eve in the following definitions.
p.380 – CPA-security for PKES
• Definition: Game IndCPA-PK
1 Bob runs Gen(1^n) to obtain I and passes ek := ek_I to Eve.
2 Eve runs A(ek) to obtain message sequences (m_0^{(1)}, . . . , m_0^{(t)}) and
(m_1^{(1)}, . . . , m_1^{(t)}) with all messages in M_ek and |m_0^{(i)}| = |m_1^{(i)}|.
3 Bob chooses b ∈^u {0,1} and computes c^{(i)} :=^r Enc_ek(m_b^{(i)}).
4 Eve runs A(ek, c^{(1)}, . . . , c^{(t)}) to obtain r.
. Let Win^{IndCPA-PK}_{n,E}(A) be the event that r = b.
A PKES E = (Gen, Enc, Dec) has indistinguishable (multiple)
encryptions under a chosen-plaintext attack (IND-CPA) (short: is
CPA-secure) if for every PPT-attack A its advantage in winning the
game IndCPA-PK is negligible, i.e.:
|Pr[Win^{IndCPA-PK}_{n,E}(A)] − 1/2| is negligible in n.
p.381 – CCA-security for PKES
• Definition: Game IndCCA-PK
1 Bob runs Gen(1^n) to obtain I and passes to Eve both ek := ek_I, and
Dec_{dk_I} in a black box (decryption oracle).
2 Eve runs A^{Dec_{dk_I}}(ek) to obtain message sequences (m_0^{(1)}, . . . , m_0^{(t)})
and (m_1^{(1)}, . . . , m_1^{(t)}) with all messages in M_ek and |m_0^{(i)}| = |m_1^{(i)}|.
3 Bob chooses b ∈^u {0,1} and computes c^{(i)} :=^r Enc_ek(m_b^{(i)}).
4 Eve runs A^{Dec_{dk_I}}(ek, c^{(1)}, . . . , c^{(t)}) to obtain r where A must not query
Dec_{dk_I} for any c^{(i)}.
. Let Win^{IndCCA-PK}_{n,E}(A) be the event that r = b.
A PKES E = (Gen, Enc, Dec) has indistinguishable (multiple)
encryptions under an adaptive chosen-ciphertext attack (IND-CCA2)
(short: is CCA-secure) if for every PPT-attack A its advantage in
winning the game IndCCA-PK is negligible, i.e.:
|Pr[Win^{IndCCA-PK}_{n,E}(A)] − 1/2| is negligible in n.
p.382 – Security for PKES
• Weak CCA-security (IND-CCA1): Eve must not use the decryption
oracle once c is obtained.
• The definitions of CPA- and CCA-security in the public-key setting are
essentially the same as in the private-key setting:
The only difference is that Eve is given directly the public ek.
. Many results carry over:
• Ex: No stateless and deterministic PKES can be CPA-secure.
• Equivalent semantic notions of security exist. See [49].
. Theorem: A PKES is CPA-secure resp. CCA-secure iff it is already
CPA-secure resp. CCA-secure when Eve is restricted to a single
message pair (t = 1). (See e.g. [56] p. 345 for a proof.)
. Corollary: We can build from a CPA-secure PKES with finite message
space a CPA-secure PKES which can encrypt messages of unbounded
length.
p.383 – Security for PKES
• Notions of CPA- and CCA-security do not capture attacks where Eve
actively attacks the communication between Alice and Bob.
For instance, Eve could try to intercept Bob's public key ek_Bob on its
way to Alice, and make her believe that ek_Eve is Bob's public key.
. We must ensure the integrity of the “phone book” relating public
keys to entities.
Later: Public key infrastructure (PKI) based on digital signatures and
certificates.
• For PKES, CCA-security is regarded as the more appropriate
definition of security in comparison with CPA-security:
• E.g., a webserver which automatically replies to all received messages
and therefore may act as a decryption oracle to an attacker. (See here.)
p.384 – CCA-security for PKES
. [38] shows that IND-CCA2 security is equivalent to non-malleability
of ciphertexts under CCA:
• Assume Alice sends orders for buying/selling stocks to Bob.
• Semantic security guarantees that Eve cannot obtain any additional
information from c,
but assuming that Bob also does business with Eve, she can also
interact with Bob, thus knows the message format used for orders, and
therefore can try to change c in such a way that “buy” becomes “sell”
or that the stated quantity changes.
. Non-malleability guarantees that PPT-Eve cannot obtain from an
intercepted ciphertext c a new ciphertext which is related to c in a
way determined by Eve – except with negligible prob.
p.385 – The public-key “revolution”
• In 1976, Whitfield Diffie and Martin Hellman published a paper “New
Directions in Cryptography” [37]:
. The two are credited to be the first to point out the impact of
public-key schemes on public communication, and to publish the first
practical public-key scheme for public key exchange (DH protocol).
• Before, cryptography was regarded to be only of use for
military/intelligence agency or highly secret business communication
because of the need to securely distribute/share the secret key.
• Diffie and Hellman themselves also give credit to Merkle, but the
protocol had already been discovered and kept secret by Williamson in
1974 working at the British intelligence agency “Government
Communications Headquarters”. (See here.)
• Nowadays, the DH protocol is part of several larger protocols, and is
used as key encapsulating mechanism in hybrid PKES.
p.386 – Diffie-Hellman protocol
• Goal: Share a secret k over a public channel.
• Definition: (basic version)
Let GenGcyc be a DLP-generator.
1 Bob runs GenGcyc(1^n) to obtain I = (G, q, g), i.e., a (description of a)
cyclic group G of order q generated by g.
2 Bob generates b ∈^u Z_q and computes h_B := g^b.
He sends (G, q, g, h_B) to Alice.
3 Alice generates a ∈^u Z_q and computes h_A := g^a.
She sends h_A to Bob.
4 Alice and Bob obtain the shared secret k := g^{ab} = h_A^b = h_B^a.
• In practice, a, b ≠ 0.
• See [37] for the multi-party extension.
p.387 – Diffie-Hellman protocol: Remarks
• Necessary requirements for the secrecy of k:
. We need to assume that Alice and Bob can verify the origin of a
message/identity of the sender.
• Using a MAC would require Alice and Bob to share a pre-shared secret
key.
. Ex: Describe a man-in-the-middle attack under the assumption that
Alice and Bob do not verify the origin of a message.
. We also need to require that the DLP is hard relative to GenGcyc.
• Otherwise Eve can compute b from (G, q, g, h_B), and, thus, can also
obtain k = h_A^b.
But depending on the considered notion of security, this is not
enough.
• E.g., we also should require that PPT-Eve is not capable of computing
g^{ab} given (G, q, g, h_A, h_B). See the computational Diffie-Hellman
(CDH) problem later.
p.388 – Diffie-Hellman protocol: Remarks
• What to do with the shared secret group element k?
. The original proposal of Diffie and Hellman was to use it as a key for
a private-key ES(+MAC).
. Problem: Most ES and MACs, like AES-rCTR, AES-CBC-MAC,
AES-OFB, require that k ∈^u {0,1}^n for their security.
How to obtain from g^{ab} a secret uniformly distributed random key?
• Note that Eve knows g^a and g^b, and, thus, has some information on k.
• We might hope to use k = g^{ab} as seed for the Blum-Micali-PRG
instantiated for (G, g, q) – although Eve has partial information on k,
namely g^a and g^b.
• Practical solution: Build a key derivation function (KDF) from a hash
function (later).
. Only in 1985, El Gamal proposed to use k = g^{ab} directly as a
(pseudorandom) one-time pad for encrypting another plaintext group
element m.
p.389 – El Gamal PKES
• Definition: Let GenGcyc be a DLP-generator.
Gen: On input 1^n, generates I = (G, q, g, x, h) where
• (G, q, g) is obtained by running GenGcyc(1^n).
• h = g^x with x chosen uniformly at random from Z_q.
• En-/decryption key: ek_I = (G, q, g, h), dk_I = (G, q, g, x)
• Admissible plain-/ciphertexts: M_{ek_I} = G, C_{ek_I} = G × G
Enc: Given ek and m ∈ M_ek, choose y ∈^u Z_q, and output
c = (g^y, h^y · m).
Dec: Given dk and c = (u, v) ∈ C_ek, output v · u^{q−x}.
• GenGcyc is allowed to generate with negl. prob. key parameters not
satisfying these assumptions.
• In practice, x, y ≠ 0 (prob. that x = 0 ∨ y = 0 is negl.).
p.390 – Security of the DH protocol and El Gamal
• As already sketched, we have to assume that Eve does not attack the
communication between Alice and Bob itself.
. I.e. Eve can only eavesdrop on the exchanged messages and has
further access to the public key and, in the CCA-setting, oracle access
to the decryption instantiated for Bob's private key.
• Lemma: El Gamal is not CCA-secure.
. Proof:
If c = (u, v) is a ciphertext, then (u, v · x) for any x ∈ G is again an
admissible ciphertext which Eve may now decrypt using her oracle.
Multiplying with x^{−1} yields the original plaintext.
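An added example (not from the slides) of the DH protocol (p.386) and El Gamal (p.389) instantiated in QR_p for a constructed toy safe prime p = 2039, q = 1019, g = 4, together with the ciphertext manipulation from the proof of the lemma above. The encoding of plaintexts {1, ..., q} into QR_p (exactly one of m and p − m is a square since p ≡ 3 mod 4) is a constructed choice anticipating the exercises on p.396; the parameters are far too small for any real use.

```python
import random

# Constructed toy parameters (not from the slides): safe prime p = 2q + 1 and
# g = 2^2, a square, hence a generator of QR_p (order q).  Not secure; illustration only.
P, Q, G = 2039, 1019, 4

def encode(m: int) -> int:
    """Map m in {1,...,q} into QR_p: as p = 3 mod 4, exactly one of m, p-m is a square."""
    assert 1 <= m <= Q
    return m if pow(m, Q, P) == 1 else P - m     # Euler's criterion decides membership in QR_p

def decode(x: int) -> int:
    """Inverse of encode: the smaller of x and p - x."""
    return min(x, P - x)

def dh_share(rng: random.Random) -> tuple:
    """One run of the DH protocol (p.386); returns (k at Alice, k at Bob, transcript)."""
    b = rng.randrange(1, Q); h_B = pow(G, b, P)   # Bob: b, h_B = g^b
    a = rng.randrange(1, Q); h_A = pow(G, a, P)   # Alice: a, h_A = g^a
    return pow(h_B, a, P), pow(h_A, b, P), (h_A, h_B)

def eg_gen(rng: random.Random) -> tuple:
    """El Gamal Gen: ek = (p, q, g, h = g^x), dk = x."""
    x = rng.randrange(1, Q)
    return (P, Q, G, pow(G, x, P)), x

def eg_enc(ek: tuple, m: int, rng: random.Random) -> tuple:
    """Enc_ek(m) = (g^y, h^y * m) with a fresh y for every message."""
    p, q, g, h = ek
    y = rng.randrange(1, q)
    return pow(g, y, p), pow(h, y, p) * m % p

def eg_dec(dk: int, c: tuple) -> int:
    """Dec_dk(u, v) = v * u^(q-x): u has order q, so u^(q-x) = u^(-x)."""
    u, v = c
    return v * pow(u, Q - dk, P) % P

def maul(c: tuple, t: int) -> tuple:
    """The manipulation from the lemma above: (u, v) -> (u, v*t) decrypts to m*t."""
    u, v = c
    return u, v * t % P
```

The mauled ciphertext is a valid encryption of m · t, so a decryption oracle answering it reveals m after one multiplication by t^{−1}; this is the concrete reason El Gamal is used as KEM rather than as a stand-alone CCA-secure scheme (p.398 ff.).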
p.391 – Security of the DH protocol and El Gamal
• So, the best we can hope for is CPA-security.
• See [35] for a PKES CCA-secure relative to the DDH problem (using
the DLP hash function family).
• Certainly, the DLP needs to be hard relative to GenGcyc in order to
prevent Eve from computing a, b from g^a, g^b.
But this does not suffice for CPA-security.
• As motivated, El Gamal can be understood as the DH protocol plus
the idea to use the shared secret group element k as pseudorandom
one-time pad.
. The decisional Diffie-Hellman problem formalizes exactly the
requirement that k = g^{ab} is pseudorandom, i.e.:
Although PPT-Eve knows the public information (G, q, g), g^b, and g^a,
she cannot distinguish the secret g^{ab} from truly random x ∈^u G.
p.392 – Decisional Diffie-Hellman problem
• Definition: Let GenGcyc be a DLP-generator.
The decisional Diffie-Hellman (DDH) problem is hard w.r.t. GenGcyc
if every PPT-distinguisher D wins only negl. better than prob. 1/2 in:
1 (G, q, g) :=^r GenGcyc(1^n).
2 g_1 := g^x, g_2 := g^y for x, y ∈^u Z_q.
3 b ∈^u {0,1}.
4 If b = 0: z ∈^u Z_q, g_3 := g^z; (“perfect world”: g_3 ∈^u G)
If b = 1: g_3 := g^{xy}. (“real world”: g_3 = g_1^y = g_2^x, the shared secret)
5 r :=^r D(G, q, g, g_1, g_2, g_3).
. D wins iff r = b.
. See [26] for an overview on the results regarding the DDH problem.
p.393 – CPA-security of El Gamal: Proof outline
• Theorem: If the DDH problem is hard relative to GenGcyc,
then the El Gamal PKES based on GenGcyc is CPA-secure.
• Proof sketch:
The proof works essentially the same as the one for the
pseudorandom OTP.
The distinguisher D gets (G, q, g, g_1, g_2, g_3),
and simulates the CPA-game vs. an attack A on El Gamal.
To this end it passes (G, q, g, g_1) to A as public key,
and encrypts m_b as (g_2, g_3 · m_b).
. Ex: Complete the proof.
p.394 – The DDH problem vs. the DLP
• The preceding result guarantees that the hardness of the DDH
problem is sufficient for the CPA-security of El Gamal.
• Obviously:
“DDH hard ⇒ DLP hard” w.r.t. the same (G, q, g).
. But there are groups for which the DDH is easy, while the DLP is still
conjectured to be hard [54]:
. For instance, consider G = ⟨g⟩ = Z*_p with p prime.
• Let a, b, r ∈^u Z_{p−1} = {0, 1, . . . , p − 2}.
. Then a is even, i.e., g^a a square, with prob. 1/2.
. So, ab is even, i.e., g^{ab} a square, with prob. 3/4.
• Given (g^a, g^b, g_3) we can distinguish g_3 = g^{ab} from g_3 = g^r by testing
whether g_3 is a square or not.
. Simply compute the Legendre symbol (g_3 / p) = g_3^{(p−1)/2} mod p.
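An added simulation (not from the slides) of the square-test distinguisher above, run on DDH instances drawn in Z*_p and, for comparison, in the subgroup QR_p, for the constructed toy safe prime p = 2039. In Z*_p the guess “real iff g_3 is a square” is right with probability 1/2 · 3/4 + 1/2 · 1/2 = 5/8; in QR_p every element is a square and the same test degrades to a coin flip, which is the point of the next slide.

```python
import random

# Constructed toy safe prime (not from the slides): p = 2q + 1.  Far too small for real use.
P, Q = 2039, 1019
G_QR = 4                                                   # 2^2: generates QR_p, order q
G_FULL = next(g for g in range(2, P)                       # smallest non-square != p-1:
              if pow(g, 2, P) != 1 and pow(g, Q, P) != 1)  # a generator of Z_p^* (order 2q)

def is_square(x: int) -> bool:
    """Legendre symbol via Euler's criterion: x^((p-1)/2) mod p is 1 exactly for squares."""
    return pow(x, (P - 1) // 2, P) == 1

def ddh_instance(g: int, order: int, rng: random.Random) -> tuple:
    """Draw (g1, g2, g3, b) as in the DDH game of p.392 with exponents in Z_order:
    b = 1: g3 = g^(xy) ('real world'); b = 0: g3 = g^z for fresh z ('perfect world')."""
    x, y, z = (rng.randrange(order) for _ in range(3))
    b = rng.randrange(2)
    g3 = pow(g, x * y, P) if b == 1 else pow(g, z, P)
    return pow(g, x, P), pow(g, y, P), g3, b

def square_test(g1: int, g2: int, g3: int) -> int:
    """The distinguisher of p.394: answer 'real' iff g3 is a square (g1, g2 are not needed)."""
    return 1 if is_square(g3) else 0

def success_rate(g: int, order: int, trials: int, seed: int = 0) -> float:
    """Fraction of DDH instances on which square_test recovers b."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        g1, g2, g3, b = ddh_instance(g, order, rng)
        wins += int(square_test(g1, g2, g3) == b)
    return wins / trials
```

The advantage 5/8 − 1/2 = 1/8 is a constant, not negligible in n, so it does not shrink for larger primes; only the change of group removes it.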
p.395 – The DDH problem vs. the DLP
• We can prevent this way of distinguishing g^{ab} from g^r by moving to
the subgroup of quadratic residues modulo safe primes: QR_p ≤ Z*_p.
. Or more generally, use strong primes:
. Conjecture: Let p, q be primes such that p = kq + 1 for some k ∈ N,
and q > p^{1/10}, i.e., “q almost as large as p”.
For ⟨g⟩ = Z*_p, the DDH problem is hard w.r.t. ⟨g^k⟩.
• Note that k is always even, so ⟨g^k⟩ ≤ QR_p, and |⟨g^k⟩| = q.
• See [26, 54] for more examples, in particular, w.r.t. elliptic curves.
p.396 – The DDH problem vs. the DLP
• Ex: Give a CPA-attack on El Gamal when used with Z*_p.
• Ex: For a safe prime p = 2q + 1, we can easily compute a square root
of a quadratic residue x by means of x^{(p+1)/4} mod p.
Let s(x) be the smaller of the two square roots of x modulo p.
Determine the distribution of s(g^{ab}) for a, b ∈^u Z_q.
• Ex: Explicitly formulate El Gamal w.r.t. QR_p modulo a safe prime p.
Use s(x) from above for Dec.
• Ex: Let G = ⟨g⟩ be any group of prime order q.
Determine the distribution of g^{ab} for a, b ∈^u Z_q in general.
p.397 – The Computational Diffie-Hellman (CDH) problem
• Recall for the DH protocol we need to require that
Eve cannot compute the secret g^{ab} from the public values
(G, q, g, g^a, g^b).
. Definition: The CDH is hard relative to GenGcyc if
every PPT-adversary A succeeds only with negl. prob. in:
1 (G, q, g) :=^r GenGcyc(1^n).
2 g_1 := g^x, g_2 := g^y for x, y ∈^u Z_q.
3 r :=^r A(G, q, g, g_1, g_2).
. A wins iff r = g^{xy} (in G).
• “DDH hard ⇒ CDH hard ⇒ DLP hard” w.r.t. the same (G, q, g).
• “DLP hard ⇒ CDH hard” is unknown.
. There are families of groups w.r.t. which “DLP ≡_PPT CDH” but
“DDH easy”. See [54].
p.398 – El Gamal in practice
• Recall: M_{(G,q,g,h)} = G is the message space of El Gamal.
• As El Gamal is CPA-secure, we can obtain from it a CPA-secure
PKES for Σ^+.
• Alice splits the message m into blocks m^{(i)} which can be encoded in G.
. She then chooses for every block m^{(i)} a random element a^{(i)} ∈^u Z_q and
sends (g^{a^{(i)}}, h_B^{a^{(i)}} · m^{(i)}) to Bob.
• Downside:
For sufficiently secure groups, a single exponentiation takes as much
time as several thousand calls to a block cipher like AES.
. In practical PKES, El Gamal resp. the DH protocol is only used for
exchanging a secret key between Alice and Bob which is then used for
a private-key ES.
. This is called hybrid encryption.
p.399 – Hybrid encryption
• Hybrid encryption is formulated using the notions of key encapsulating
mechanism (KEM) and data encapsulating mechanism (DEM) [89].
• The DEM is simply a private-key ES built, e.g., from a combination of
AES-128 and SHA-1.
• The KEM is some means for exchanging a secret key, to be used in the
DEM, over a public channel.
. “Example”: El Gamal uses the DH protocol as KEM and the prOTP as
DEM.
. One possibility is to generate a “one-time key/seed” and encrypt it
using any PKES available.
. Another possibility is to use the DH protocol for exchanging a secret
group element from which then a random key is generated using a key
derivation function (KDF).
• We won’t discuss the general definition of KEMs and their security
here (see, e.g., [89]) but restrict ourselves to the case where a PKES
is used as KEM.
p.400 – Hybrid encryption: Using a PKES as KEM
• Definition:
Let E^a = (Gen^a, Enc^a, Dec^a) resp. E^s = (Gen^s, Enc^s, Dec^s) be a
public-key (asymmetric) ES resp. a private-key (symmetric) ES. Then
the PKES E^h = (Gen^h, Enc^h, Dec^h) is defined by:
Gen^h: on input 1^n runs Gen^a(1^n) to obtain I and ek_I, dk_I. We
assume some efficient encoding of {0,1}^n in M_{ek_I} (e.g.,
{0,1}^n ⊆ M_{ek_I}).
Enc^h: on input ek and a plaintext m admissible w.r.t. E^s:
1 Choose k ∈^u {0,1}^n.
2 Output c = (Enc^a_ek(k), Enc^s_k(m)).
Dec^h: on input dk and ciphertext c = (c_k, c_m):
1 Compute k := Dec^a_dk(c_k).
2 Output Dec^s_k(c_m).
p.401 – Hybrid encryption: Using a PKES as KEM
• Theorem: (see [56], p. 351)
If E^a is CPA-secure and E^s is comp. secret, then E^h is also
CPA-secure.
. Note that by definition of E^h, for every new message a new key k is
chosen by Enc^h.
• Theorem: (see [35, 51])
If both E^a and E^s are CCA-secure, then E^h is also CCA-secure.
• The above results carry over to the setting of general KEMs, like the DH
protocol, but would require us to introduce CPA/CCA-security for
KEMs.
. We only sketch how the DH protocol is used as KEM in practice, e.g.,
in [1, 89].
p.402 – DH protocol as KEM
• Recall that the DH protocol allows Alice and Bob to share a random
secret group element k = g^{ab}.
. The idea therefore is to use some “randomness-extractor” K to
obtain from k, ideally, a uniformly distributed string K(k) ∈^u {0,1}^l
with l sufficiently large.
. Often, K is called a key derivation function (KDF).
• The so-called “leftover hash lemma” (a part of the proof that a PRG
can be constructed from any OWF [52]) shows that this is indeed
possible if G is large enough – under the assumption that the DDH is
hard relative to the used DLP-generator s.t. g^{ab} looks random to
Eve. [26]
p.403 – DH protocol as KEM
. In practice, many KDFs (see [89]) are built from hash functions h:
• E.g., use the first l bits of
K(x) := h(⟨0⟩||x) h(⟨1⟩||x) h(⟨2⟩||x) . . .
with ⟨·⟩ some fixed-length encoding so that ⟨i⟩||x is never a prefix of
⟨j⟩||x for i < j.
• For h use, e.g., SHA-1 or RIPEMD-160.
• In case of the DH protocol use x = g^{ab} or x = g^a||g^{ab} with g^a, g^{ab}
encoded as bit strings in a predefined way. [1, 89]
. The intuition is that the KDF K (resp. the underlying hash function)
obfuscates the relation between x and K(x), s.t. the only practical
way for PPT-Eve to obtain K(x) is to compute x, i.e., to solve CDH.
. But right now, it is not known how to prove that this intuition is
correct using standard assumptions on hash functions like
collision-resistance or “one-wayness”.
p.404 – The random oracle model
• As a “sanity check” we can consider the following idealized setting:
. We make the unrealistic assumption that K is a random oracle:
For every “fresh” x, choose y ∈ {0,1}^l uniformly at random, and set K(x) := y.
• Note that K is a deterministic function; Eve knows how to compute
K; it cannot be a RO.
• In some sense, this assumption captures the intuition that
cryptographic hash functions, and functions derived from them, are so
hard to analyze that an adversary is going to consider their output to
be completely uncorrelated to the input.
. The only way for Eve to obtain K(g^{ab}) – except for guessing – is then
to know g^{ab}.
• In this idealized setting, called random oracle model (ROM), one can
show formally that Eve is indeed forced to solve the CDH problem,
making also Z^*_p a reasonable choice again.
• See e.g. here (slide 134).
p.405 – The random oracle model
• Bellare and Rogaway propose in [16] to use the ROM as a heuristic
for obtaining more efficient cryptographic constructions.
• Yet, obviously security crucially depends on the choice of the
deterministic function K used for instantiating the random oracle.
• Bad choice: K(x) := 0^l for all x.
. Even worse, proofs in the ROM have no real implications:
[31] describes constructions which can be proven secure in the ROM,
but which are insecure for any deterministic (PPT)-function used for
instantiating the random oracle.
• Still, the ROM-heuristic seems to work very well in practice when
used properly and when reasonable hash function constructions are
used for instantiating the random oracle.
. For instance, RSA is nowadays used in conjunction with a randomized
padding scheme called OAEP for which a proof of CCA-security only
in the ROM is known. (later)
p.406 – RSA based PKES
• The most commonly known PKES are based on the RSA-TDP:
• Main idea is to use the exponentiation
exp_e : G → G : x ↦ x^e
within a commutative finite group G as an isomorphism.
• exp_e is an isomorphism iff gcd(e, λ) = 1 where λ is the exponent of G.
• exp_e^{−1} = exp_d for ed ≡ 1 (mod λ).
• Knowledge of e and the trapdoor λ allows to compute d efficiently.
Hence, computing λ from the description of G needs to be hard.
• For G = Z^*_N we currently only know how to compute λ efficiently if a
prime factorization of N is known.
. Hence, use G = Z^*_N with N = pq generated by GenP2.
• Generic setup:
Public encryption key: (N, e)
Private decryption key: (p, q, d)
p.407 – The RSA-PKES: Basic version
• Definition: Given GenP2:
GenRSA: on input 1^n, run GenP2(1^n) to obtain (p, q), compute
N = pq, and λ = lcm(p − 1, q − 1); choose any e ∈ Z^*_λ − {1} and
compute d ∈ Z^*_λ with ed ≡ 1 (mod λ).
• En-/decryption key: ek_I = (N, e), dk_I = (p, q, d)
• Plain-/ciphertexts: M_{ek_I} = C_{ek_I} = Z^*_N
Enc: on input ek = (N, e) and m ∈ Z^*_N, outputs m^e mod N.
Dec: on input dk = (N, d) and c ∈ Z^*_N, outputs c^d mod N.
• Necessary: Has to be a TDP w.r.t. GenRSA.
. But: Not CPA-secure!
The basic RSA-PKES is deterministic and stateless.
. Fix: randomized encryption via randomized padding (later).
p.408 – The RSA PKES: Basic version – Remarks
• It is conjectured that e can be chosen arbitrarily.
. In order to speed up encryption, e is usually chosen small or of the
form e = 2^l + 1 s.t. x^e can be easily computed by repeated squaring.
. For e small, the basic version becomes vulnerable to several attacks
which can be overcome by randomized padding. See, e.g., [56] p.359.
. Ex: Consider the following hybrid PKES:
The DEM is AES-based and uses a key k of size 512 bits (ES+MAC).
The KEM uses the RSA problem and encrypts k as (k^e mod N).
For simplicity assume that e = 3. Show how to efficiently recover k
given the ciphertext.
• d should always be at least that large that it cannot be found by
brute-force enumeration.
. Wiener attack for d < (1/3) N^{1/4} (see e.g. [23]).
p.409 – RSA-based PKES and the CRT
• Recall the CRT states that for gcd(p, q) = 1:
Z_pq ≅ Z_p × Z_q and Z^*_pq ≅ Z^*_p × Z^*_q
by means of the (ring) isomorphism
h : Z_pq → Z_p × Z_q : x ↦ (x mod p, x mod q).
. Further note that for p prime, we have
Z^*_p = Z_p \ {0}, and x^k ≡ x^{k mod (p−1)} (mod p) in Z^*_p.
. Hence:
h(x^d) = (x^{d mod (p−1)} mod p, x^{d mod (q−1)} mod q) for all x ∈ Z_N, k ∈ Z.
. Ex: Conclude that λ(pq) = lcm(p − 1, q − 1) for p, q odd primes.
. Ex: If 1 = gcd(d, λ(N)), then x^d defines also a permutation on Z_p
resp. Z_q, and, thus, also on Z_N.
p.410 – RSA-based PKES and the CRT
• Consequences:
• We can speed up decryption by a factor 4:
Bob precomputes (d mod p − 1, d mod q − 1) and α, β such that
1 = gcd(p, q) = αp + βq.
He then may compute c^d mod pq by means of
((c^{d mod (p−1)} mod p)·qβ + (c^{d mod (q−1)} mod q)·pα) mod pq.
. Advantage: Exponentiation modulo N = pq (cost: |N|^3) is replaced
by two exponentiations modulo p resp. q (total cost: 2·(|N|/2)^3).
• Encryption and decryption also work for m, c ∈ Z_N \ Z^*_N.
Ex: For x ∈ Z_N chosen uniformly at random, the prob. that x ∉ Z^*_N is
negligible, i.e. the hardness of the RSA-TDP does not change if we
extend its domain to Z_N.
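The basic RSA-PKES of p.407 together with Bob's CRT decryption of p.410, as an added example that is not part of the lecture notes. P_TOY and Q_TOY are constructed primes standing in for the output of GenP2 and are far too small for real use; everything else follows the definitions on the two slides.

```python
# Added example (not from the lecture notes): GenRSA/Enc/Dec as defined on
# p.407 and the CRT decryption of p.410. P_TOY, Q_TOY are constructed toy
# primes standing in for the output of GenP2.
from math import gcd

P_TOY, Q_TOY = 1000000007, 998244353   # constructed toy primes


def ext_gcd(a, b):
    """Return (g, alpha, beta) with alpha*a + beta*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y


def gen_rsa(p, q, e):
    """GenRSA with given primes: N = pq, lambda = lcm(p-1, q-1) and
    d = e^{-1} mod lambda (so e must be a unit modulo lambda)."""
    N = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    if gcd(e, lam) != 1:
        raise ValueError("e is not a unit modulo lambda")
    d = pow(e, -1, lam)
    return (N, e), (p, q, d)            # ek = (N, e), dk = (p, q, d)


def enc(ek, m):
    """Enc: m^e mod N (also works for m in Z_N \\ Z_N^*, see p.410)."""
    N, e = ek
    return pow(m, e, N)


def dec_plain(dk, c):
    """Dec as on p.407: one exponentiation with the full-size exponent."""
    p, q, d = dk
    return pow(c, d, p * q)


def dec_crt(dk, c):
    """Dec via the CRT (p.410): exponents reduced mod p-1 and q-1, then
    ((c^{d mod (p-1)} mod p)*q*beta + (c^{d mod (q-1)} mod q)*p*alpha) mod pq
    with 1 = alpha*p + beta*q."""
    p, q, d = dk
    dp, dq = d % (p - 1), d % (q - 1)   # Bob precomputes these once
    _, alpha, beta = ext_gcd(p, q)      # alpha*p + beta*q = gcd(p, q) = 1
    cp = pow(c, dp, p)
    cq = pow(c, dq, q)
    return (cp * q * beta + cq * p * alpha) % (p * q)
```

Both decryption routines agree on every ciphertext, including those of plaintexts outside Z_N^* such as m = P_TOY.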
p.411 – The RSA PKES: PKCS #1 v1.5
• PKCS = public-key cryptography standard by the RSA labs, see here.
• PKCS #1 v1.5: (Variable-length randomized padding)
Let a be the length of N in bytes, i.e., a = ⌈|N|/8⌉.
• Admissible plaintexts: m ∈ ({0,1}^8)^* with |m|/8 ≤ a − 11.
• Enc: given (N, e), choose r ∈ ({0,1}^8)^{a−D−3} uniformly at random
(D = |m|/8 the length of m in bytes), then msbf-interpret
x = 0^8 || 0^6 10 || r || 0^8 || m as an integer in Z_N, and output x^e mod N.
. Is assumed to be CPA-secure but it is not known whether hardness of
the RSA problem is sufficient.
. It is not CCA-secure. See [22].
p.412 – The RSA PKES: OAEP(+)
(Image taken from http://en.wikipedia.org/wiki/File:Oaep-diagram-20080305.png)
• More recent RSA-variants (PKCS #1 v2.1) use the optimal
asymmetric encryption padding (OAEP) by Bellare and Rogaway.
• n is the bit length of N.
• k_0, k_1 are predefined constants, see PKCS #1 v2.1.
• Read X||Y as msbf-representation of an integer < N.
• G, H are deterministic functions based on hash functions.
p.413 – The RSA PKES: OAEP(+)
• RSA with OAEP(+) can be proven CCA-secure based on the hardness
of the RSA problem in the idealized setting where G, H are modeled
as random oracles (random oracle model).
• OAEP+ is a revised version proposed by Shoup [90].
. [90] even shows that, at least in the ROM, CCA-security of RSA-OAEP
holds for encryption exponent e = 3.
. Recall: Proofs in the ROM do not imply security in the “real world”.
• Deterministic functions used for instantiating the random oracles G, H
still need to be chosen carefully.
• [28] studies the question of what security properties hash functions
need to satisfy in order to securely instantiate RSA-OAEP:
. Ex: G(x) := 0^{n−k_0}, H(x) := 0^{k_0} is a bad choice under the assumption
that e = 3 and k_0 is so small that (0^{n−k_1}||r)^3 < N:
Eve can then distinguish OAEP(0^{n−k_0−k_1})^3 mod N from
OAEP(10^{n−k_0−k_1−1})^3 mod N.
p.414 – RSA as KEM
• In practice, the used private-key ES will be built from, say, AES-128
and SHA-256, and, thus, the private key has fixed length 384.
• On the other hand, the size of the RSA modulus will grow over time.
For instance, the BSI recommends to use a 2048-bit RSA-modulus for
security till the year 2016. See also www.keylength.com for a
comparison of several recommendations.
. As a consequence, w/o randomized padding, we would need to
require that the RSA problem is already hard for the negligible
fraction of approx. 2^{384}/2^{2048} inputs.
. In fact, w/o randomized padding, the multiplicative structure of RSA
allows for a meet-in-the-middle attack (recall 3DES) which allows to
reduce the search space from 2^l to 2^{l/2} if private keys of length l are
used. (See [56] p.360.)
. This again underlines the importance of using RSA in combination
with randomized padding.
p.415 – RSA as KEM
• Alternatively, we can proceed similar to how the DH protocol is used
as KEM, i.e., we choose a random group element x ∈ Z^*_N and obtain
from it a secret key using some KDF.
• Or we use it as a seed for the BM-construction based on the RSA-TDP
to obtain a pseudorandom one-time pad to obtain a CPA-secure PKES.
Bob simply uses the trapdoor to reverse the Blum-Micali construction
and obtain the random seed used by Alice.
This works for arbitrary TDPs. See the next slide.
. In combination with a CCA-secure DEM, the resulting PKES can be
proven CCA-secure in the random oracle model, i.e., when the KDF is
modeled as a random oracle. See [56], p.473.
. Still, use of RSA-OAEP seems to be favored as it leads to shorter
ciphertexts.
p.416 – Trapdoor permutations and hard-core bits
• Definition: Trapdoor PKES (Gen, Enc, Dec)
Let (Gen_f, ~, Smpl, f) be a family of TDPs. Let hc be any hard-core
predicate for this family.
Gen: runs Gen_f(1^n) to obtain (I, td). Then ek_I := I, dk_I := (I, td).
Enc: given m ∈ {0,1}^* of length l and ek, runs Smpl_ek(1^n) to obtain
x ∈ Dom_ek, then computes Enc_ek(m) := (f^l_ek(x), m ⊕ BM^l(x)).
Dec: given (y, c) and dk, sets l := |c|, computes x := f^{−l}_ek(y) using
td, and finally outputs m := c ⊕ BM^l(x).
• Theorem:
The trapdoor PKES is CPA-secure relative to any family of trapdoor
permutations.
• Ex: Is the trapdoor PKES CCA-secure?
p.417 – Minimal assumptions for secure PKES
• In the private-key setting, we have seen that the assumption that
comp. secure ES exist is equivalent to the assumption that OWFs
exist.
. As every CPA-secure PKES can be used as a private-key ES, existence
of OWFs is necessary also in the public-key setting.
• Naturally the question arises if existence of OWFs is also sufficient:
• It is known that CPA-security is equivalent to the existence of trapdoor
predicates [50].
• By a result of [53] it seems unlikely that OWPs/OWFs imply trapdoor
predicates.
p.418 – Minimal assumptions for secure PKES
• It seems unlikely that CCA-secure PKES can be constructed from
trapdoor predicates. [45]
• As just seen, trapdoor one-way permutations (TDP) with hardcore
predicates allow us to obtain CPA-secure PKES.
• As shown in [38], TDP already allow to construct CCA-secure PKES:
• The proof uses several cryptographic primitives ((CPA-)secure PKES,
secure signatures, non-interactive zero-knowledge proofs, UOWHF) all
of which are known to exist under the assumption that TDPs exist.
• Is the existence of TDP equivalent to the existence of CCA-secure
PKES?
Lossy TDFs resp. adaptive TDFs suffice. [69]
• TDF = trapdoor one-way function (see next slide).
• There exist problems which are conjectured to yield lossy TDFs and for
which no efficient algorithm, not even for quantum computers, is
currently known – in contrast to factorization or discrete logarithm.
p.419 – Minimal assumptions for secure PKES
• Trapdoor one-way function (TDF):
Defined analogously to TDPs except that (i) the range and domain of
f_J may differ, and (ii) f_J does not need to be injective.
• Depending on the number of pre-images f_J^{−1}(y):
one-to-one (⇒) poly-to-one (⇒) super-poly-to-one
. (i) poly-to-one TDFs imply CPA-secure PKES; (ii) one-to-one TDF can
be obtained from El Gamal/DDH; (iii) super-poly-to-one TDF can be
obtained from OWFs, conjectured not to suffice for CPA-secure
PKES. [11]
p.420 – Minimal assumptions for secure PKES
[Figure: implication diagram between OWF, super-poly-to-one TDF,
poly-to-one TDF, trapdoor predicate, CPA-sec. PKES, one-to-one TDF,
DDH, CCA-sec. PKES and RSA TDP; some arrows are marked “conj.”.]
• Arrows represent known implications of existence.
• See also here for further references.
p.421 – Further public-key cryptosystems
• Rabin (1979):
CPA-security can be reduced to factoring the modulus N = pq.
Allows to obtain a family of TDPs based on a problem equivalent to
factoring.
• Goldwasser-Micali (1982):
CPA-security can be reduced to deciding whether an x ∈ Z^*_N (with
N = pq) is a square or not.
(Trapdoor predicate)
• Paillier (1999):
CPA-security can be reduced to deciding whether an x ∈ Z^*_{N^2} (with
N = pq) is an N-th power modulo N^2 or not.
• See [56] (chapter) 11 for details.
p.422 – Digital signatures: Motivation
• MAC scheme:
The shared secret k allows Alice and Bob to verify that a received
message m has originated from one of the two by means of the
supplied MAC-tag t.
In particular, if Eve tries to manipulate m, the origin of the message
changes from Alice/Bob to Eve.
. Downside:
Alice resp. Bob cannot prove to a third party that a given message
(m, t) has been created explicitly by Bob resp. Alice.
• Possible fix:
Make the secret k of how to “sign” a message m, i.e., compute the
tag t, exclusive to Alice (Bob), and give everyone the information on
how to verify that – except for negligible prob. – the tag t was indeed
created by Alice for the received message.
p.423 – Digital signature schemes: Definition
• Definition:
A digital signature scheme (DSS) consists of PPT-algorithms
(Gen, Sgn, Vrf) s.t.:
Gen, on input 1^n, outputs key parameters I describing the public
verification key vk_I and the private signing key sk_I.
• We assume that |vk_I|, |sk_I| ≥ n and that from both keys we can
determine the set of admissible plaintexts/signatures
(M_{sk_I}, C_{vk_I}).
Sgn, on input a signing key sk and an admissible plaintext m, outputs
a (randomly chosen) signature σ := Sgn_sk(m).
Vrf, on input a verification key vk, an admissible plaintext m, and an
admissible signature σ, outputs a single bit Vrf_vk(m, σ) ∈ {0,1}.
• σ is valid for m iff Vrf_vk(m, σ) = 1.
We require that Vrf is deterministic (DPT) and that
Vrf_vk(m, Sgn_sk(m)) = 1 for all I := Gen(1^n) and m ∈ M_{sk_I}.
p.424 – DSS: Security
• Definition:
A DSS (Gen, Sgn, Vrf) is secure if every PPT-attack A succeeds only
with negligible prob. ε_A(n) in the following experiment for every n:
1 Alice runs Gen(1^n) to obtain sk and vk.
She passes vk directly to Eve, while only admitting her oracle access to
Sgn_sk.
The oracle remembers the queries made by Eve in some list Q.
2 Eve runs A^{Sgn_sk}(vk) to obtain a message m and a signature σ.
. Eve succeeds if (1) Vrf_vk(m, σ) = 1 and (2) m ∉ Q.
• The definition essentially copies the definition of secure MAC.
p.425 – DSS: Security – Remarks
• Minimal assumption for secure DSSs:
• As for PKES: obtaining sk needs to be infeasible (OWF).
• Building up on Lamport’s one-time DSS, Naor-Yung show that secure
DSSs can be obtained from UOWHFs [71].
. As shown by Rompel, UOWHFs can be constructed from OWFs. [83]
• As in the case of MACs, it is only required that PPT-Eve is not
capable of forging a valid tag for any “fresh” message m.
• I.e., Eve can replay a valid message-tag pair previously intercepted.
. Nonces.
• As for PKES, the definition does not consider the setting where Eve
tries to attack the distribution of vk. (No man-in-the-middle.)
• I.e., Alice still has to solve the problem of how to transmit vk securely
to Bob.
. Certificates/public-key infrastructure (PKI).
p.426 – Certificates and PKI
• One important use of DSS is the secure distribution of public keys
under the assumption that a single trusted party, called the certificate
authority (CA), exists:
• The CA (a) guarantees the secure distribution of its own public
verification key vk_CA, (b) binds an entity A to its public key pair
(ek_A, vk_A) by signing a certificate using sk_CA, and (c) everyone trusts
these certificates:
• Say, Bob has generated (ek_B, dk_B, sk_B, vk_B).
• He then goes to CA, identifies himself (ID card), and CA generates a
certificate cert_{CA→B} := (m, Sgn_{sk_CA}(m)) where, e.g.,
m = “[User-ID] Bob’s public key is (ek_B, vk_B). [Cert-ID]”.
• Assume now that Alice wants to send Bob a message.
• Alice obtains from somewhere a (claimed) certificate cert_{CA→B}.
• She then uses the trusted vk_CA to validate that cert_{CA→B} was indeed
generated by CA, perhaps also checks on CA’s webpage that cert_{CA→B}
(Cert-ID) has not been revoked, and extracts ek_B from cert_{CA→B}.
p.427 – Certificates and PKI
• Extension: several CAs allow to:
• pick the certificate from the CA you trust the most.
• transfer trust:
CA_1 issues an “extended” certificate cert_{CA_1→CA_2} = m||Sgn_{sk_{CA_1}}(m)
where e.g. m =
“I, CA_1, trust all certificates issued by CA_2 using the public keys (ek_{CA_2}, v
. Leads to certificate chains:
If Alice trusts CA_1, and CA_1 trusts CA_2, then the certificate chain
cert_{CA_1→CA_2}, cert_{CA_2→B} allows her to obtain a trusted copy of ek_B.
• Generalization: web of trust (or “everyone is a CA”)
• Alice obtains cert_{U_1→B}, . . . , cert_{U_l→B}, and decides based on her
experience how much she trusts each user U_i resp. vk_{U_i}, to obtain
some accumulated trust in the obtained keys, and chooses the most
trusted one.
p.428 – Certificates and PKI
• Assuming a single trustworthy CA and that Alice stores sk_A safely,
non-repudiation can be achieved:
If Alice attaches t := Sgn_{sk_A}(m) to a message m sent to Bob, with
vk_A certified by cert_{CA→A}, Bob can prove to any other party that
(m, t) was indeed generated by Alice.
• But if Eve somehow obtains Alice’s secret sk_A (w/o her noticing it),
Eve can impersonate her.
• Possible solution: Store the private keys exclusively on a sufficiently
secured smart card, and do all computations requiring the private keys
on the smart card. See e.g. Common Access Card.
. Similarly, if the CA gets corrupted (or is not trustworthy right from
the start), it can trick Bob into using the wrong keys for replying to
Alice (man-in-the-middle).
. See also [40] and [here] for a discussion of problems associated with
PKI.
. For more details on PKI in general see, e.g. [2].
p.429 – Constructing practical DSSs from PKES?
• DSS as the inverse of PKES?
Set sk := dk, vk := ek, and Sgn_sk(m) := Dec_sk(m),
Vrf_vk(m, t) := (Enc_vk(m) = t ? 1 : 0).
• In general, this construction is simply not applicable:
E.g., consider a CPA-secure PKES where Enc is randomized (Vrf is
required to be deterministic).
• The more precise formulation of the underlying idea is to use a TDP:
. For instance RSA-TDP: Sgn_{(N,d)}(m) = m^d mod N for m ∈ Z^*_N.
Problem: RSA-TDP is an isomorphism on Z^*_N.
Forging a tag for m ∈ Z^*_N:
Choose any m_1 ∈ Z^*_N and set m_2 := m_1^{−1} m mod N.
Then Sgn_{(N,d)}(m_1) · Sgn_{(N,d)}(m_2) mod N = Sgn_{(N,d)}(m).
p.430 – Constructing practical DSSs from TDPs/OWPs
• As a heuristic for “destroying” the algebraic structure underlying
problems like RSA-TDP or DLP-OWP, a hash function is applied first
to the given message.
• For TDPs this is called the hash-then-invert paradigm.
. In case of RSA-TDP: (PKCS #1 v1.5)
Let h : {0,1}^* → {0,1}^n.
• For simplicity, assume that the output of h can be interpreted directly
as an element in Z^*_N.
Set Sgn_{(N,d)}(m) := h(m)^d mod N and Vrf_{(N,e)}(m, t) := (h(m) ≡ t^e
(mod N) ? 1 : 0).
• At least it seems quite unlikely that for h a reasonable hash function
like SHA-1 h(m_1)^d · h(m_2)^d ≡ h(m_1 · m_2 mod N)^d (mod N) still
holds.
• This also lifts possible restrictions on the admissible plaintexts.
• Necessary condition for h: collision resistance.
p.431 – Constructing practical DSSs from TDPs/OWPs
• Ideally, one would hope that security of this construction follows from
the (necessary) intractability assumptions on the underlying problem,
like the RSA-TDP or the DLP/DDH problem, and the used hash
function (family).
• No such proofs are known today and – at least for practical hash
functions – also seem unlikely to exist:
. For instance, consider RSA-TDP in combination with a standard hash
function h with fixed output length l, e.g., SHA-1 with l = 160.
. Then the RSA-TDP is sampled on at most 2^{160} possible values.
. But for reasonable values of N ≈ 2^{1976}, this is only a negligible
fraction of Z^*_N. (Recall RSA as KEM.)
. It might, thus, be the case that the RSA assumption holds, i.e., the
RSA-TDP is hard to invert on Z^*_N except for the negligible fraction of
values obtained from h.
p.432 – Constructing practical DSSs from TDPs/OWPs
• At least in the ROM, this heuristic can be justified for TDPs [16]:
. Under the idealization that h : {0,1}^* → Z^*_N is a random oracle,
• Full-domain-hash: the hash samples the full domain of the RSA-TDP,
i.e., for every “fresh” input x, h(x) := y with y ∈ Z^*_N chosen uniformly at random.
the security of the preceding construction based on RSA can be
reduced to the hardness of the RSA problem.
• As in the case of the DH-KEM or the RSA-OAEP, a standard hash
function should not be used directly to instantiate the random oracle:
. E.g., use the KDF K(x) := h(⟨0⟩||x) h(⟨1⟩||x) . . . h(⟨r⟩||x) instead.
• All constants need to be encoded using the same number of bits.
• If instantiating another RO, “fresh” constants should be used.
• Obtain from K(x) log N bits encoding an element of Z_N.
• Or even a sequence (s_i)_{i∈N} ∈ Z_N and take the first s_i ∈ Z^*_N. [16]
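The counter-mode KDF of p.403 and its use on p.432 as a full-domain hash for the hash-then-invert RSA signature of p.430 (the "sequence" variant: cut K(m) into |N|-bit chunks and take the first one in Z_N^*), as an added example that is not part of the lecture notes. SHA-256, the 4-byte big-endian counter encoding ⟨i⟩ and the toy primes P_TOY, Q_TOY are my assumptions, not fixed by the notes.

```python
# Added example (not from the lecture notes): the hash-based KDF of p.403
# and the full-domain-hash instantiation of p.432 for RSA hash-then-invert
# signatures (p.430). Hash function, counter encoding and primes are
# assumptions made here; the primes are constructed toy values.
import hashlib
from math import gcd

P_TOY, Q_TOY = 1000000007, 998244353   # constructed toy primes


def kdf_blocks(x, h=hashlib.sha256):
    """Yield h(<0>||x), h(<1>||x), ... with <i> a fixed 4-byte big-endian
    encoding, so <i>||x is never a prefix of <j>||x for i != j."""
    i = 0
    while True:
        yield h(i.to_bytes(4, "big") + x).digest()
        i += 1


def kdf(x, nbytes):
    """K(x): the first nbytes bytes of the concatenated block stream."""
    out = b""
    for block in kdf_blocks(x):
        out += block
        if len(out) >= nbytes:
            return out[:nbytes]


def full_domain_hash(m, N):
    """Map m to Z_N^* as on p.432: read K(m) as consecutive |N|-bit chunks
    s_0, s_1, ... and return the first s_i with 1 <= s_i < N and
    gcd(s_i, N) = 1. Deterministic, so signer and verifier agree."""
    nbits = N.bit_length()
    nbytes = (nbits + 7) // 8
    mask = (1 << nbits) - 1
    buf = b""
    for block in kdf_blocks(m):
        buf += block
        while len(buf) >= nbytes:
            chunk, buf = buf[:nbytes], buf[nbytes:]
            s = int.from_bytes(chunk, "big") & mask
            if 1 <= s < N and gcd(s, N) == 1:
                return s


def gen_keys(p, q, e=65537):
    """Textbook RSA keys as on p.407 (lambda = lcm(p-1, q-1))."""
    N = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    d = pow(e, -1, lam)
    return (N, e), (N, d)                # vk = (N, e), sk = (N, d)


def sign(sk, m):
    """Hash-then-invert: Sgn_(N,d)(m) = FDH(m)^d mod N."""
    N, d = sk
    return pow(full_domain_hash(m, N), d, N)


def verify(vk, m, t):
    """Vrf_(N,e)(m, t) = 1 iff FDH(m) == t^e mod N."""
    N, e = vk
    return 0 < t < N and pow(t, e, N) == full_domain_hash(m, N)
```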
p.433 – RSA-PSS
(Image taken from [17].)
• PKCS #1 v2.1 also includes the probabilistic signature scheme (PSS)
construction by Bellare and Rogaway [17].
• h is usually a standard hash function, while g is a KDF.
. Advantage: the actual message needs only to be hashed once.
. Probabilistic padding (r) allows to obtain improved bounds on the
attainable security and to sample a larger fraction of Z_N.
. The signature is still a single element in Z_N.
• Security can be reduced to RSA-TDP in the ROM.
p.434 – RSA-PSS
• Definition: PSS[k, l]
For fixed security parameter n, let k, l be positive constants with
k + l < n, let h : {0,1}^* → {0,1}^l and g : {0,1}^l → {0,1}^{n−l−1} be
DPT-computable functions.
Set g_1(x) to be the first k bits of g(x), and g_2(x) the remaining
n − k − l − 1 s.t. g(x) = g_1(x) g_2(x).
Gen: standard RSA-generator for (N, e, d) with N ∈ [2^{n−1}, 2^n) and
sk := (N, d), vk := (N, e).
• Admissible messages: {0,1}^*
Sgn: given m ∈ {0,1}^*, choose r ∈ {0,1}^k uniformly at random, compute w = h(m||r),
then r^* = r ⊕ g_1(w) and interpret x = 0||w||r^*||g_2(w) as an integer
in Z_N (msbf). Output Sgn_{(N,d)}(m) := x^d mod N.
Vrf: Ex.
• See PKCS #1 v2.1 for concrete values for k, l.
p.435 – El Gamal’s DSS
• El Gamal proposed in [39] also a stateful DSS:
• Keys: Let p be a prime and g a generator of Z^*_p. Choose x ∈ Z^*_{p−1}
uniformly at random and set y := g^x mod p.
Then sk = (p, g, x) and vk := (p, g, y).
• Signing: Given m ∈ Z_p, choose first k ∈ Z^*_{p−1} uniformly at random;
set r := g^k mod p; and compute s := (m − x · r) · k^{−1} mod (p − 1). Output (r, s).
• Verification: Given (r, s), check that g^m ≡ y^r r^s (mod p).
• El Gamal’s DSS requires that the DLP is hard on Z^*_p. But it is not
known if this is already sufficient.
• [39] notes that k must be kept secret and never used twice for signing
a message for fixed private key sk = (p, g, x). (See DSA later.)
• For instance, remember the number of messages signed so far, and use
a PRF F as PRG to obtain from a secret random k the k_i := F_k(i)
used in the i-th signature.
p.436 – El Gamal’s DSS
• [39] also shows how to efficiently forge a valid tag for a new message:
• Let (m, r, s) be a valid message-tag pair.

• Choose A, B, C ∈ Z s.t. gcd(Ar − Cs, p − 1) = 1.

• Set r 0 := r A · g B · y C mod p, s0 := sr 0 (Ar − Cs)−1 mod p − 1, and


m0 := r0 (Am + Bs)(Ar − Cs)−1 mod p − 1.
• Ex: Show that (r 0 , s0 ) is valid for m0 .

. As a heuristic for preventing this attack, not the message m but


instead its image h(m) under a OWF h : {0, 1}∗ → Zp−1 is signed.
• I.e., the adversary needs to compute h−1 (m0 ) to use the above attack.

• Obvioulsy, h needs also to be collision resistant.

• Still, even when modeling h as random oracle, it is currently not known


if the hardness of the DLP suffices.
• The digital signature algorithm is a variant of El Gamal’s DSS
working directly in a prime subgroup of Z∗p .
p.437 – DSA
• Definition: DSA
Let
• h_n : {0,1}^* → {0,1}^{l(n)} be a CRHF family, and
• GenG_DSA a group-generator s.t. GenG_DSA(1^n) outputs (p, q, g) with
⟨g⟩ ≤ Z^*_p a cyclic group of prime order q ≥ 2^{l(n)}.
• For instance, use GenQR_safe.
Gen: given 1^n,
1 Run GenG_DSA(1^n) to obtain (p, q, g).
2 Choose x ∈ Z^*_q uniformly at random.
3 Compute y := g^x mod p.
4 Output sk := (p, q, g, x) and vk := (p, q, g, y).
p.438 – DSA
• Definition: DSA (cont’d)
Sgn: given m ∈ {0,1}^* and (p, q, g, x),
1 Choose k ∈ Z^*_q uniformly at random.
2 Compute R := g^k mod p and truncate it to r := R mod q.
3 Let z be the integer with binary encoding h_n(m).
4 Compute s = (z + x · r) · k^{−1} mod q.
5 If r = 0 ∨ s = 0, go back to the first step, else return (r, s).
Vrf: given m ∈ {0,1}^* and t = (r, s) ∈ Z_q × Z^*_q,
1 Let z be the integer encoding h_n(m).
2 Compute u_1 = z · s^{−1} mod q and u_2 := r · s^{−1} mod q.
3 Compute R := g^{u_1} y^{u_2} mod p.
4 Output 1 iff r ≡ R (mod q).
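DSA as defined on p.437 and p.438, as an added example that is not part of the lecture notes. GenG_DSA is instantiated here in the spirit of GenQR_safe (q and p = 2q + 1 prime, g a square in Z_p^*), h_n is SHA-256 truncated to l bits with 2^l ≤ q, and the parameter size is a toy choice; all three are my assumptions.

```python
# Added example (not from the lecture notes): DSA as on p.437-438.
# GenG_DSA is instantiated here in the spirit of GenQR_safe: q and p = 2q+1
# prime, g = 2^2 mod p of order q in Z_p^*. h_n is SHA-256 truncated to
# l bits with 2^l <= q. The toy parameter size is for illustration only.
import hashlib
import secrets


def is_prime(n):
    """Trial division; sufficient for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def gen_group(start=1 << 20):
    """Smallest odd q >= start with q and p = 2q+1 prime; g of order q."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g = pow(2, 2, p)        # a square != 1 in Z_p^*, hence of order q
    return p, q, g


def hash_to_int(m, l):
    """z = integer with binary encoding h_n(m), h_n = first l bits of SHA-256."""
    digest = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return digest >> (256 - l)


def gen(p, q, g):
    """Gen: x uniform in Z_q^*, y = g^x mod p; sk = (p,q,g,x), vk = (p,q,g,y)."""
    x = secrets.randbelow(q - 1) + 1
    return (p, q, g, x), (p, q, g, pow(g, x, p))


def sign(sk, m):
    """Sgn: steps 1-5 of p.438; k is fresh and uniform for every signature."""
    p, q, g, x = sk
    l = q.bit_length() - 1                      # 2^l <= q
    z = hash_to_int(m, l)
    while True:
        k = secrets.randbelow(q - 1) + 1        # k uniform in Z_q^*
        r = pow(g, k, p) % q                    # R = g^k mod p, truncated
        s = (z + x * r) * pow(k, -1, q) % q
        if r != 0 and s != 0:
            return r, s


def verify(vk, m, t):
    """Vrf: steps 1-4 of p.438; rejects t outside Z_q x Z_q^*."""
    p, q, g, y = vk
    r, s = t
    if not (0 <= r < q and 1 <= s < q):
        return False
    z = hash_to_int(m, q.bit_length() - 1)
    w = pow(s, -1, q)
    u1, u2 = z * w % q, r * w % q
    R = pow(g, u1, p) * pow(y, u2, p) % p
    return r == R % q
```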
p.439 – DSA
• Main differences to El Gamal’s DSS:
• Works directly in a subgroup ⟨g⟩ of Z^*_p with q = |⟨g⟩| prime.
So generating elements in Z^*_q = Z_q \ {0} is trivial.
• Does not use R = g^k mod p, but its truncation r := R mod q:
Yields a shorter signature, but Vrf needs to recover g^k mod p which in
turn requires s ∈ Z^*_q.
• By adapting the truncation of the random group element R to an
element r ∈ Z_q, the algorithm can also be generalized to elliptic
curves (EC-DSA).
• The digital signature algorithm (DSA) is a DSS standardized by the
NIST. See PKCS #1 v2.1 for a specification.
• As for El Gamal’s DSS, it is not known if hardness of the DLP (or
CDH/DDH) is also sufficient (also not in the ROM).
p.440 – DSA
• Also for DSA the random k must be kept secret and must not be
used twice:
• Ex: For given security parameter n let h be a fixed hash function, and
sk = (p, q, g, x) and vk = (p, q, g, y).
Now, let m_1, m_2 be two plaintexts with h(m_1) ≠ h(m_2). Assume that
the same k is used for signing both messages s.t. Sgn_sk(m_1) = (r, s_1)
and Sgn_sk(m_2) = (r, s_2). Further, assume that r ≠ 0.
Show how to obtain the signing key sk.
• For El Gamal this works similarly, but becomes a bit more difficult as
the group is not of prime order (no field).
• See here, and here for an example of this attack.
• Also when only a few bits of each k are revealed in each signature, the
private key can be obtained, see, e.g., [21] or here.
p.441 – CCA-security from CPA-security and secure DSS?
• Recall: CPA-secure ES + secure MAC yields CCA-secure ES via
Enc-then-Mac.
• Analogous construction Enc-then-Sgn for PKES (Gen_ES, Enc, Dec)
and DS (Gen_DS, Sgn, Vrf):
• Gen(1^n): runs Gen_ES(1^n) and Gen_DS(1^n) to obtain ek, dk, sk, vk.
The public key is then vek = (vk, ek), while the private key becomes
sdk = (sk, dk).
• SgnEnc: given m, the sender uses his private sk_S, and receiver’s public
ek_R, to compute Sgn_{sk_S}(Enc_{ek_R}(m)).
• DecVrf: given (c, t), the receiver uses his private dk_R and sender’s
public vk_S to compute Dec_{dk_R}(c) only if Vrf_{vk_S}(c, t) = 1; otherwise ⊥.
• An, Dodis, Rabin show in [4] that in general this construction does
not yield a CCA-secure PKES, even if the underlying PKES is
CCA-secure and the DS is secure.
• But argue that this is mainly an artifact of the (too) strong notion of
IND-CCA2.
Elliptic Curves
p.443 – Motivation
• DLP in a finite cyclic group ⟨G, ·, 1⟩:
For most y ∈ G finding an x ∈ Z s.t. g^x = y should be hard in
PPT w.r.t. description of G.
• Cryptographic schemes/assumptions requiring the DLP to be hard:
CDH, DDH, El Gamal PKES, El Gamal DSS, CCA-secure PKES by
Cramer-Shoup, Blum-Micali-PRG
. Families seen so far:
• ⟨Z^*_p, ·, 1⟩ for a prime p ≈ 2^n.
Description: (p, p − 1, g). (Bad for DDH/El Gamal.)
• Prime order subgroups of ⟨Z^*_p, ·, 1⟩ for a strong/safe prime p ≈ 2^n.
Description: (p, q, g) with prime q ≈ 2^n.
p.444 – Motivation
• Recall Shoup’s result on generic algorithms for the DLP:
For any generic DLP-solver A
• I.e., A works for any representation of a cyclic group G.
• Recall: G ≅ ⟨Z_{|G|}, +, 0⟩.
there is some particular bad representation G of ⟨Z_N, +, 0⟩ which
makes the algorithm run in O(2^{n/2}) with N ≈ 2^n prime.
• For the precise, more general statement, see [86].
• For Z^*_p the non-generic index calculus method can be used which runs
in subexponential time 2^{O(√(n·log n))} (assuming p ≈ 2^n).
. Runtime of the index calculus method bounds from below the size of
p for which Z^*_p can be used securely.
p.445 – Motivation
• Is there any “better” representation of G for which we only know
generic algorithms?
. AES-128: brute force ≈ 2^{128}
. DLP: ICM ≈ 2^{√(n log n)}, so n ≈ 2048
. DLP: Generic ≈ 2^{n/2}, so n ≈ 256
. For cyclic subgroups of certain elliptic curves the most efficient
algorithms currently known are generic.
• For some types of elliptic curves subexponential algorithms are known.
• E.g., Menezes, Okamoto, Vanstone show in [65] how solving the DLP
on elliptic curves over GF(q) can be reduced to solving the DLP in
GF(q^k) where k is some constant depending on the particular curve.
. This reduction – although exponential in k – rules out certain
“supersingular” elliptic curves.
p.446 – Elliptic curves: Definition
• Definition: Let F = ⟨F, +, ·, 0, 1⟩ be a field.
The characteristic char(F) is 0 if k · 1 = 1 + . . . + 1 ≠ 0 for all k;
otherwise it is the smallest such k.
• Example: char(R) = 0, char(Z_p) = p, char(GF(2^k)) = 2.
• Fact: If char(F) > 0, then it is prime.
• Definition: (char(F) ≠ 2, 3)
Let F be a field with char(F) ≠ 2, 3, and a, b ∈ F with
Δ_{a,b} = 4a^3 + 27b^2 ≠ 0. The (affine) elliptic curve described by
(F, a, b) is
E(F, a, b) := {(x, y) ∈ F × F | y^2 = x^3 + ax + b} ∪ {O}
with O some additional symbol (called the point at infinity).
• For the cases char(F) = 2, 3 see, e.g., [64, 92].
. Fields with char(F) = 2 are also common in practice because of the
natural binary representation.
p.447 – Examples of elliptic curves over F = R
• {(x, y) ∈ [−3, 3]^2 | y^2 = x^3 + ax + b}.
(Image taken from here)
. Note that a = b = 0 is by def. not an elliptic curve, as Δ_{a,b} = 0.
. Δ_{a,b} ≠ 0 means that x^3 + ax + b has three distinct roots which
guarantees that the curve is smooth, i.e. does not have any cusps.
p.448 – Example of an elliptic curve over F = ⟨Z_11, +, ·⟩
• Note that p = 11 ≡ 3 (mod 4), so we can compute a square root of
a quadratic residue z ∈ QR_p by means of z^{(p+1)/4} mod p.
• Recall: We can test if a z ∈ Z_p is a quadratic residue by computing
z^{(p−1)/2} mod p.
• Let a = b = 1, i.e. the elliptic curve is defined by
y^2 ≡ x^3 + x + 1 (mod 11).
. So E(Z_11, 1, 1) consists of the following points plus O:
x      0    1    2    3    4    5    6    7    8    9   10
y^2    1    3    0    9    3   −1    3   −1    4    2   −1
y     ±1   ±5    0   ±3   ±5    ⊥   ±5    ⊥   ±2    ⊥    ⊥
p.449 – Elliptic curves: Group structure
• Definition: Let E = E(F, a, b) for char(F) ≠ 2, 3, Δ_{a,b} ≠ 0.
The group ⟨E, ⊕, O⟩ is defined as follows:
Neutral: O, i.e., O ⊕ P = P ⊕ O = P for all P ∈ E.
Inverse: −P := (x_P, −y_P) for P = (x_P, y_P) ∈ E \ {O}; −O := O.
Addition: For P, Q ∈ E \ {O} define R := P ⊕ Q as follows:
• If x_P ≠ x_Q, let m := (y_Q − y_P) · (x_Q − x_P)^{−1}, or
if x_P = x_Q ∧ y_P = y_Q ≠ 0, let m := (3x_P^2 + a)(2y_P)^{−1}.
Then R = (x_R, y_R) with:
x_R := m^2 − x_P − x_Q and y_R := m(x_P − x_R) − y_P.
• Else: R := O.
• Projective coordinates, e.g. x := u/w, y := v/w, allow to reduce the
number of inversion operations.
p.450 – Geometric interpretation for F = R: Finite case
• The structure of $y^2 = x^3 + ax + b$ with $\Delta_{a,b} \neq 0$ guarantees that for
P, Q ∈ E there is a unique point $R \in E \setminus \{P, Q\}$ located on the line
through P and Q; if P = Q, take the tangent at P. Define $-R := (x_R, -y_R)$.
1 Case $x_P \neq x_Q$ with P ⊕ Q := −R.
2 Case $P = Q \wedge y_P \neq 0$ with P ⊕ P := −R.
p.451 – Geometric interpretation for F = R: Infinite case
• If the line through P and Q does not intersect E in F × F, take O (point at infinity).
3 Case $x_P = x_Q \wedge y_P = -y_Q$ with P ⊕ Q := O.
4 Case $x_P = x_Q \wedge y_P = y_Q = 0$ with P ⊕ Q := O.
• (Images taken from here; not reproduced in this text version.)
p.452 – Elliptic curves: Group structure
• Theorem: (w/o proof)
E = ⟨E(F, a, b), ⊕, O⟩ is a commutative group.
If q := |F| < ∞, then
• Hasse's theorem:
$|E| \in [\,1 + q - 2\sqrt{q},\; 1 + q + 2\sqrt{q}\,]$.
• Schoof-Elkies-Atkin (SEA) algorithm:
|E| can be computed in DPT w.r.t. log q.
• Regarding associativity and commutativity of ⊕ see also p.461.
p.453 – Elliptic curves in cryptography
• Hasse's theorem guarantees that one can select a P ∈ E efficiently at random:
• At most two points on E have the same x-value;
. Hence, $x_P \overset{u}{\in} F$ defines a point on E with prob. $\approx \frac{|E|/2}{|F|} \approx 1/2$;
. Then solve $y^2 =x^3 + ax + b$ for $y_P$.
. E.g., if $F = Z_p$ for a prime p with $p \equiv 3 \pmod 4$, then
$(x^3 + ax + b)^{(p+1)/4}$ is a square root – if there is one.
• Still, we need to find a base point P ∈ E which generates a
sufficiently large (prime) subgroup ⟨P⟩ ≤ E.
• This can be done by choosing a random point P and computing its
order, but this requires the factorization of |E| to be known, or the use of
subexponential algorithms.
• The complex multiplication approach allows to generate parameters
a, b s.t. |E(GF(q), a, b)| = S for given q, S. See, e.g., [6].
p.454 – Elliptic curves in cryptography
• [32] In practice, first a sufficiently large field F is chosen,
• Most of the time, either $F = Z_p$ with $p \approx 2^n$ prime, or $F = GF(2^m)$.
then $a, b \overset{u}{\in} F$ are chosen, and |E| is determined for E = E(F, a, b).
. Next one checks that |E| is "almost prime", i.e. $N := |E|/h$ is prime for
some sufficiently small h.
• h is called the co-factor of the group, often h ≤ 4.
. This allows to efficiently find a base point P of prime order N.
. Finally, |E| resp. N should satisfy:
• |E| ≠ |F|.
• $p^B \not\equiv 1 \pmod N$ for all $1 \leq B \leq 100$.⁵
• Both N − 1 and N + 1 should have a large prime factor.
⁵ Resp. $2^B \not\equiv 1 \pmod N$ for $1 \leq B \leq 100m$.
p.455 – Elliptic curves in cryptography
• Regarding the restrictions on |E| and N:
• See, e.g., appendix B of [32] for details and a discussion of attacks
known in 2009.
• Several types of curves considered sufficiently secure several years ago
aren't used anymore today, so check up-to-date sources.
• The standard description of ⟨P⟩ ≤ E(F, a, b) is:
• (p, a, b, P, N, h) for $F = Z_p$
• (m, f(x), a, b, P, N, h) for $F = Z_2[X]/f(x) \cong GF(2^m)$
• In practice, often precomputed descriptions are used. See, e.g., [33].
Verify the correctness of precomputed descriptions!
p.456 – Example: ECIES-KEM
• ECIES-KEM is a variant of the DH-KEM using elliptic curves [89]:
1 Bob chooses a (description of a) sufficiently secure subgroup of an
elliptic curve, e.g., G = (p, a, b, P, N, h).
He then chooses $s_B \overset{u}{\in} Z_N \setminus \{0\}$ and computes $H_B := s_B \cdot P$, e.g., by
repeated squaring (double-and-add in additive notation).
He publishes his public key $(G, H_B)$.
2 For every new message m, Alice chooses $s_A \overset{u}{\in} Z_N \setminus \{0\}$, and computes
$H_A := s_A \cdot P$ and $K = (x_K, y_K) := s_A \cdot H_B$.
She derives a secret DEM-key k by computing $KDF(H_A \,||\, x_K)$.
She sends $H_A$ and an encryption of m to Bob.
3 Bob computes $K = (x_K, y_K) := s_B \cdot H_A$, and obtains the DEM-key k
by computing $KDF(H_A \,||\, x_K)$.
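The curve of p.448, the group law of p.449 and the ECIES-KEM exchange of p.456, as an added example that is not part of the lecture slides. The field Z_11, the curve y^2 = x^3 + x + 1, the base point (0, 1) and SHA-256 as the KDF are assumptions made for this toy demonstration; real deployments use standardized, verified curve descriptions.

```python
# Added example, not from the lecture slides: the curve E(Z_11, 1, 1) of p.448,
# the group law of p.449 and the ECIES-KEM exchange of p.456 on this toy
# curve.  The field, the curve and the choice of SHA-256 as KDF are
# assumptions for this demonstration; real deployments use standardized curves.
import hashlib
import secrets

P_MOD, A, B = 11, 1, 1      # y^2 = x^3 + x + 1 over Z_11
O = None                    # the point at infinity

def inv(x):
    """Inverse modulo the prime P_MOD (Fermat)."""
    return pow(x % P_MOD, P_MOD - 2, P_MOD)

def sqrt_mod_p(z):
    """p = 3 (mod 4): a root of a quadratic residue z is z^((p+1)/4);
    None when z is a non-residue (the bottom entries of the table on p.448)."""
    z %= P_MOD
    if z == 0:
        return 0
    if pow(z, (P_MOD - 1) // 2, P_MOD) != 1:     # Euler's criterion
        return None
    return pow(z, (P_MOD + 1) // 4, P_MOD)

def curve_points():
    """All points of E(Z_p, a, b) including O; at most two share an x."""
    pts = [O]
    for x in range(P_MOD):
        y = sqrt_mod_p(x ** 3 + A * x + B)
        if y is None:
            continue
        pts.append((x, y))
        if y != 0:
            pts.append((x, (-y) % P_MOD))
    return pts

def add(P, Q):
    """The group law of p.449 (char(F) != 2, 3)."""
    if P is O:
        return Q
    if Q is O:
        return P
    xP, yP = P
    xQ, yQ = Q
    if xP != xQ:
        m = (yQ - yP) * inv(xQ - xP) % P_MOD
    elif yP == yQ and yP != 0:
        m = (3 * xP * xP + A) * inv(2 * yP) % P_MOD
    else:                          # Q = -P, or doubling a point with y = 0
        return O
    xR = (m * m - xP - xQ) % P_MOD
    yR = (m * (xP - xR) - yP) % P_MOD
    return (xR, yR)

def mul(k, P):
    """Scalar multiplication k*P by double-and-add."""
    R, Q = O, P
    while k:
        if k & 1:
            R = add(R, Q)
        Q = add(Q, Q)
        k >>= 1
    return R

def order(P):
    n, Q = 1, P
    while Q is not O:
        Q, n = add(Q, P), n + 1
    return n

def is_associative():
    """Brute-force check of (P + Q) + R = P + (Q + R) over the whole curve."""
    pts = curve_points()
    return all(add(add(P, Q), R) == add(P, add(Q, R))
               for P in pts for Q in pts for R in pts)

def kdf(HA, xK):
    """KDF(H_A || x_K), instantiated here with SHA-256 (an assumption)."""
    return hashlib.sha256(f"{HA}|{xK}".encode()).hexdigest()

def ecies_kem(base, N):
    """One run of the ECIES-KEM of p.456 in the subgroup <base> of order N.
    Returns (Alice's DEM key, Bob's DEM key, H_A) so the two can be compared."""
    sB = 1 + secrets.randbelow(N - 1)   # Bob: s_B in Z_N \ {0}, H_B = s_B * P
    HB = mul(sB, base)
    sA = 1 + secrets.randbelow(N - 1)   # Alice: fresh s_A per message
    HA = mul(sA, base)                  # H_A = s_A * P, sent with the ciphertext
    K_A = mul(sA, HB)                   # K = s_A * H_B = s_A * s_B * P
    K_B = mul(sB, HA)                   # K = s_B * H_A = s_B * s_A * P
    return kdf(HA, K_A[0]), kdf(HA, K_B[0]), HA

if __name__ == "__main__":
    E = curve_points()
    print(len(E), "points (Hasse: 1+q-2*sqrt(q) <= |E| <= 1+q+2*sqrt(q)):", E)
    G = (0, 1)                          # has prime order 7; co-factor h = |E|/7 = 2
    print("order of", G, "=", order(G), "; associative:", is_associative())
    kA, kB, HA = ecies_kem(G, 7)
    print("H_A =", HA, "keys agree:", kA == kB)
```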
p.457 – Why "elliptic"?
• When determining the arc length of planar curves, often so-called
elliptic integrals arise:
$$\int R\big(x, \sqrt{P(x)}\big)\,dx$$
with R(x, y) a rational function and P(x) a polynomial of degree 3 or 4.
. For instance, the arc length of the ellipse $\frac{x^2}{a^2} + \frac{y^2}{b^2} = 1$ is given by
$$4a \int_{x=0}^{1} \sqrt{\frac{1 - k^2 x^2}{1 - x^2}}\,dx \quad\text{with}\quad k^2 = \frac{a^2 - b^2}{a^2} < 1$$
for
$$R(x, y) = \frac{1 - k^2 x^2}{y} \quad\text{and}\quad P(x) = (1 - k^2 x^2)(1 - x^2).$$
p.458 – Why "elliptic"?
(Image taken from here; not reproduced in this text version.)
• Similarly, the arc length of the lemniscate $(x^2 + y^2)^2 = a^2(x^2 - y^2)$ is
$$8a \int_{x=0}^{1} \frac{1}{\sqrt{1 - x^4}}\,dx \quad\text{with}\quad R(x, y) = \frac{1}{y},\; P(x) = 1 - x^4.$$
• In general, such elliptic integrals cannot be expressed using
"elementary" functions like rational functions, $\sqrt{x}$, $e^x$, $\sin x$, …,
. and $E(t) = \int_0^t R\big(x, \sqrt{P(x)}\big)\,dx$ can therefore be considered to define
an independent class of functions.
p.459 – Why "elliptic"?
• Around 1720, Fagnano showed a "doubling theorem" for the arc
length of the lemniscate:
$$2 \int_0^t \frac{dx}{\sqrt{1 - x^4}} = \int_0^{\frac{2t\sqrt{1 - t^4}}{1 + t^4}} \frac{dx}{\sqrt{1 - x^4}}.$$
• This result was extended by Euler to a general addition theorem for
elliptic integrals.
• By studying the inverse (elliptic function) $E^{-1}(t)$ of elliptic integrals
$E(t) = \int_0^t R\big(x, \sqrt{P(x)}\big)\,dx$ over the complex numbers, Abel and
Jacobi were able to simplify and unify many of the results on elliptic
integrals known so far.
• Later on, Weierstraß showed that every elliptic function can be
expressed as a rational function in two elliptic functions, the
Weierstraß ℘-function and its derivative ℘′.
p.460 – Why "elliptic"?
• More precisely, the ℘-function is defined w.r.t. certain
"half-periods", and is related to ℘′ by means of
$$\wp'(t)^2 = 4\wp(t)^3 - g_2\,\wp(t) - g_3$$
where $g_2, g_3$ describe the half-periods.
. In particular, $\gamma(t) := (\wp(t), \tfrac{1}{2}\wp'(t))$ can be considered a
parametrization of
$$E(a, b) := \{(x, y) \mid y^2 = x^3 + ax + b\}.$$
• For instance, for a = −3, b = 3: (figure not reproduced in this text version)
p.461 – Why "elliptic"?
• Consider now two distinct points P = γ(u), Q = γ(v) on E.
. Then P ⊕ Q := γ(u + v) is again a point on E, i.e., the
parametrization induces a group structure on E(a, b).
. In particular, for P = γ(u), Q = γ(v), R = γ(w):
$(P \oplus Q) \oplus R = \gamma(u + v) \oplus \gamma(w) = \gamma(u + v + w) = P \oplus (Q \oplus R)$.
• Using Abel's addition theorem for elliptic functions, one can show
that P, Q, −(P ⊕ Q) are always collinear,
which leads to the geometric definition of addition for elliptic curves.
Appendix
Birthday problem – Probability of collisions
p.464 – Probability of collisions
• Consider the experiment where you choose $x_1, x_2, \ldots, x_q$ uniformly at
random from the set [N] = {1, 2, . . . , N}.
What is the probability that all q numbers are distinct?
• Formally: let $X_1, \ldots, X_q$ be independent random variables, each
uniformly distributed on [N].
Then $C := \bigvee_{i \neq j} X_i = X_j$ is the event that at least one number is chosen
twice (collision), while $\bar{C}$ is the event that q distinct numbers are
obtained.
• Theorem:
For C as defined above:
$$\frac{1}{2N}\binom{q}{2} \;\leq\; 1 - e^{-\frac{1}{N}\binom{q}{2}} \;\leq\; \Pr[C] \;\leq\; \frac{1}{N}\binom{q}{2},$$
where the first inequality only holds for $\binom{q}{2} \leq N$.
p.465 – Probability of collisions
. For the upper bound:
$$\Pr[C] = \Pr\Big[\bigvee_{i \neq j} X_i = X_j\Big] \leq \sum_{i \neq j} \Pr[X_i = X_j] = \binom{q}{2}\frac{1}{N}.$$
. For the lower bound:
Consider $\Pr[\bar{C}] = 1 - \Pr[C]$. The prob. $\Pr[\bar{C}]$ that all q numbers
are distinct is
$$\Pr[\bar{C}] = \Big(1 - \frac{0}{N}\Big)\Big(1 - \frac{1}{N}\Big)\cdots\Big(1 - \frac{q-1}{N}\Big)
= \prod_{i=0}^{q-1}\Big(1 - \frac{i}{N}\Big) = e^{\sum_{i=0}^{q-1} \log_e\left(1 - \frac{i}{N}\right)}.$$
p.466 – Probability of collisions
• We need the following two inequalities:
1 $1 + x \leq e^x$ for all $x \in \mathbb{R}$.
2 $e^{-x} \leq 1 - (1 - e^{-1})x$ for all $0 \leq x \leq 1$.
Both inequalities follow directly from the convexity of $e^x$.
For the first, consider the tangent $y = 1 + x$ to $y = e^x$ taken at x = 0.
For the second, it suffices to check the correctness for x = 0, x = 1.
• From the first inequality we obtain $\log_e(1 + x) \leq x$ and, thus,
$$\Pr[\bar{C}] = e^{\sum_{i=0}^{q-1} \log_e\left(1 - \frac{i}{N}\right)}
\leq e^{-\sum_{i=0}^{q-1} \frac{i}{N}} = e^{-\frac{1}{N}\binom{q}{2}}
\leq 1 - (1 - e^{-1})\frac{1}{N}\binom{q}{2} \leq 1 - \frac{1}{2N}\binom{q}{2}.$$
. Hence, $\Pr[C] \geq 1 - e^{-\frac{1}{N}\binom{q}{2}} \geq \frac{1}{2N}\binom{q}{2}$.
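The exact collision probability of p.465 evaluated next to the bounds of the theorem on p.464, as an added example (not code from the slides); the sample values of q and N are constructed for illustration.

```python
# Added example, not from the slides: the exact collision probability of
# p.464/465 and the two bounds of the theorem, evaluated numerically.
from math import comb, exp

def collision_probability(q, N):
    """Pr[C] = 1 - prod_{i=0}^{q-1} (1 - i/N) for q uniform draws from [N]."""
    no_collision = 1.0
    for i in range(q):
        no_collision *= 1 - i / N
    return 1 - no_collision

def theorem_bounds(q, N):
    """Returns (lower, middle, upper) with
    lower  = C(q,2)/(2N), valid only if C(q,2) <= N (None otherwise),
    middle = 1 - exp(-C(q,2)/N),
    upper  = C(q,2)/N."""
    pairs = comb(q, 2)
    lower = pairs / (2 * N) if pairs <= N else None
    return lower, 1 - exp(-pairs / N), pairs / N

def bounds_hold(q, N):
    """Check lower <= middle <= Pr[C] <= upper (lower only where it applies)."""
    pr = collision_probability(q, N)
    lower, middle, upper = theorem_bounds(q, N)
    return (lower is None or lower <= middle) and middle <= pr <= upper

def draws_for_half(N):
    """Smallest q with Pr[C] >= 1/2; it grows like sqrt(N), the 'birthday
    bound' that limits the collision resistance of an N-element hash range."""
    q = 1
    while collision_probability(q, N) < 0.5:
        q += 1
    return q

if __name__ == "__main__":
    for q, N in [(23, 365), (10, 100), (300, 2 ** 16)]:   # constructed samples
        print(q, N, round(collision_probability(q, N), 4),
              theorem_bounds(q, N), bounds_hold(q, N))
    print("N = 365 needs q =", draws_for_half(365))
```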
Finite fields
p.468 – Motivation: Reversible operations on bit-strings
• Many encryption schemes encrypt (permute) the plaintext by xor'ing
the key (or its pseudorandom extension) bitwise to it.
For the OTP: $Enc_k(m) = m \oplus k$
. We may view k, m also as bit vectors: $Z_2^l = \{0, 1\}^l$.
. Then bitwise xor is simply vector addition modulo 2.
• Abstract view: key k and plaintext m are elements of the same group,
and we use the group operation to combine the two.
• In case of AES, not only addition on $Z_2^l$ is used, but also a
multiplication on $\{0, 1\}^l$.
. This multiplication is based on the interpretation of a bit string as a
univariate polynomial.
p.469 – Interpretation of bit strings as polynomials
• Assume we read a bit string from left to right (lsbf), and take the i-th
bit as the coefficient of $X^i$:
E.g.: $0101 \mathrel{\hat=} X + X^3$, and $1011 \mathrel{\hat=} 1 + X^2 + X^3$.
. We may then define the product 0101 · 1011 by means of the product
of the corresponding polynomials
$$\begin{aligned}
0101 \cdot 1011 &\mathrel{\hat=} (X + X^3) \cdot (1 + X^2 + X^3) \pmod 2\\
&= X + 2X^3 + X^4 + X^5 + X^6 \pmod 2\\
&= X + X^4 + X^5 + X^6\\
&\mathrel{\hat=} 0100111
\end{aligned}$$
where we add and multiply the coefficients modulo 2 in order to
obtain again a bit string.
p.470 – Interpretation of bit strings as polynomials
• In general, e.g. for AES, we want the product of two l-bit strings to be
an l-bit string again.
. Simply truncating the product to the first l bits,
E.g.: 0101 · 1011 ↦ 0100,
yields in general a non-reversible multiplication:
E.g.: $0100 \cdot 0001 \mathrel{\hat=} 00001 \mapsto 0000$.
. One is therefore interested in truncating the result in such a way that
one obtains a field over the l-bit strings.
p.471 – Rings and Fields
• Definition: R ≙ ⟨R, +, ·, 0, 1⟩ is a ring if
• ⟨R, +, 0⟩ is a commutative group.
• ⟨R, ·, 1⟩ is a monoid, i.e. · is associative with neutral element 1.
• · distributes over +.
R is finite if |R| < ∞.
R is commutative if · is commutative.
R is an integral domain if R is commutative and $\forall a, b \in R \setminus \{0\}: a \cdot b \neq 0$.
R is a field if $\langle R \setminus \{0\}, \cdot, 1\rangle$ is a commutative group.
. Every field is an integral domain.
• Remark: In every ring R:
$0 \cdot a = (1 - 1) \cdot a = 1a - 1a = a - a = 0$
• Example: R, Q, C are fields, Z is an integral domain.
p.472 – Rings and Fields
• Example: ⟨Z_N, +, ·, 0, 1⟩ is a finite commutative ring for any natural
number N > 0. It is a field iff N is prime.
• If N is prime, then $Z_N^* = Z_N \setminus \{0\}$.
• If N = pq is composite with $p \not\equiv 0 \not\equiv q \pmod N$, then $p \cdot q \equiv 0 \pmod N$.
p, q are called zero divisors.
• Definition: Let F be a field. The characteristic char(F) of F is the
least natural number n such that
$$\underbrace{1 + \ldots + 1}_{n} = 0,$$
if such a number exists; otherwise char(F) := 0.
• Example: char(Q) = char(R) = char(C) = 0, char($Z_p$) = p for p prime.
• Lemma: char(F) is either 0 or a prime.
. Proof: Assume char(F) = pq for p, q > 1. Then p, q are zero divisors.
p.473 – Ring of polynomials
• Definition: Let R ≙ ⟨R, +, ·, 0, 1⟩ be a commutative ring, and X a variable.
The set of all polynomials in X with coefficients in R is denoted by
$R[X] := \{\sum_{i=0}^{d} a_i \cdot X^i \mid d \in \mathbb{N}, a_i \in R\}$.
Addition and multiplication on R[X] are defined as usual:
$$\Big(\sum_{i=0}^{d} a_i \cdot X^i\Big) + \Big(\sum_{j=0}^{e} b_j \cdot X^j\Big) = \sum_{k=0}^{\max(d,e)} (a_k + b_k) \cdot X^k$$
and
$$\Big(\sum_{i=0}^{d} a_i \cdot X^i\Big) \cdot \Big(\sum_{j=0}^{e} b_j \cdot X^j\Big) = \sum_{k=0}^{d+e} \Big(\sum_{i+j=k} a_i \cdot b_j\Big) \cdot X^k$$
(with $a_k := 0$ for k > d and $b_k := 0$ for k > e).
R itself is identified with the constant polynomials in R[X].
• Lemma: ⟨R[X], +, ·, 0, 1⟩ is again a commutative ring. It is an
integral domain if R is an integral domain.
p.474 – Ring of polynomials over Z_p
• Remark: We are mostly interested in $Z_p[X]$ as a ring with p a prime,
so that $Z_p$ is a field.
We may identify a polynomial $a(X) \in Z_p[X]$ with the finite sequence
(word) of its coefficients:
$a(X) = a_0 X^0 + a_1 X^1 + \ldots + a_d X^d \mathrel{\hat=} a_0 a_1 \ldots a_d$.
Often, a more succinct representation of a(X) is used:
a(X) is represented by the value a(p) evaluated over Z.
• Ex: Show that this representation of $a(X) \in Z_p[X]$ is unique for any
fixed p.
• Example: Consider $Z_2[X]$.
$0101 \mathrel{\hat=} X + X^3 \mathrel{\hat=} 2 + 8 = 10$ and $1011 \mathrel{\hat=} 1 + X^2 + X^3 \mathrel{\hat=} 1 + 4 + 8 = 13$.
Hence: 10 · 13 = 114 over $Z_2[X]$.
p.475 – Multiplication of bit-strings
• We can identify $Z_2^l$ with the set of all polynomials in $Z_2[X]$ of degree
less than l.
. Simply restricting multiplication over $Z_2[X]$ to degree less than l
does not yield a reversible multiplication:
Assume l = 4:
$0100 \cdot 0001 \mathrel{\hat=} X^1 \cdot X^3 = X^4 \mathrel{\hat=} 00001 \mapsto 0000$.
I.e. there are again zero divisors.
• Just as $Z_N$ is a field only if N is prime, we need to "truncate"
polynomials modulo irreducible polynomials.
• Definition: A polynomial $m(X) \in Z_N[X]$ is reducible if there exist
polynomials $p(X), q(X) \in Z_N[X] \setminus Z_N$ s.t. $m(X) = p(X) \cdot q(X)$.
A polynomial $m(X) \in Z_N[X]$ is irreducible if it is not reducible.
p.476 – Irreducible polynomials and finite fields
• Remark: If F is a field, then polynomial division works over F[X] just
as over the reals.
In particular, given a non-zero polynomial $m(X) \in F[X] \setminus \{0\}$ we can
reduce any other polynomial $a(X) \in F[X]$ modulo m(X) over F.
That is, there are unique polynomials t(X), r(X) such that
$$a(X) = m(X) \cdot t(X) + r(X)$$
where the degree of r(X) is less than that of m(X).
Consequences:
. Any polynomial $a(X) \in F[X]$ of degree d > 0 has at most d roots in F.
If $x \in F$ is a root of a(X), then $a(X) = (X - x)\,t(X)$.
. The extended Euclidean algorithm works over F[X] just as over Z.
Given polynomials $a(X), b(X) \in F[X]$, we can compute
$u(X), v(X) \in F[X]$ with $\gcd(a(X), b(X)) = a(X)u(X) + b(X)v(X)$ over F.
p.477 – Multiplication of bit-strings
• Example: Let $m(X) = 1 + X + X^4 \mathrel{\hat=} 11001$.
Then $(X + X^3) \cdot (1 + X^2 + X^3)$ modulo m(X) over $Z_2$ (lsbf bit strings, one xor per step):

  0 1 0 0 1 1 1   ≙ X + X^4 + X^5 + X^6
  0 0 1 1 0 0 1   ≙ X^2 · m(X)
  -------------
  0 1 1 1 1 1     ≙ X + X^2 + X^3 + X^4 + X^5
  0 1 1 0 0 1     ≙ X · m(X)
  -----------
  0 0 0 1 1       ≙ X^3 + X^4
  1 1 0 0 1       ≙ X^0 · m(X)
  ---------
  1 1 0 1         ≙ 1 + X + X^3

I.e.: $X + X^4 + X^5 + X^6 = m(X)(X^2 + X + 1) + 1 + X + X^3$ over $Z_2[X]$.
Note that the above computation can easily be implemented using shifts
and xors: multiplying by X corresponds to a shift, and
adding/subtracting $X^k \cdot m(X)$ means simply xoring the two strings.
p.478 – Irreducible polynomials and finite fields
• Definition: Let $m(X) \in Z_p[X]$ with p prime.
Then $Z_p[X]/m(X)$ is the set of all remainders of polynomials in
$Z_p[X]$ modulo m(X).
• Theorem: Let p be a prime and $m(X) \in Z_p[X]$ an irreducible
polynomial of degree n.
Then $Z_p[X]/m(X)$ is a finite field with $p^n$ elements.
. Proof: One easily checks that $Z_p[X]/m(X)$ is an integral domain.
By virtue of the extended Euclidean algorithm:
$t(X) := \gcd(a(X), m(X)) = a(X) \cdot u(X) + m(X) \cdot v(X)$ over $Z_p$.
Assume $a(X) \in Z_p[X]/m(X) \setminus \{0\}$, i.e. $a(X) \neq 0$ has degree less than
m(X).
As t(X) divides both m(X) and a(X), t(X) has degree less than
m(X). As m(X) is irreducible, $t(X) = t \in Z_p^*$.
So, $a(X) \cdot t^{-1} u(X) = 1$ over $Z_p$ modulo m(X).
p.479 – Irreducible polynomials and finite fields
• Example: Consider $Z_2[X]$.
Polynomials of degree 1:
• Clearly, m(X) = X is irreducible with $Z_2[X]/X \cong Z_2$.
• m(X) = 1 + X is also irreducible with $Z_2[X]/(1 + X) \cong Z_2$.
Polynomials of degree 2:
• Reducible polynomials: $p(X) \cdot q(X)$ with $p(X), q(X) \in \{X, 1 + X\}$.
E.g.: $m(X) = 1 + X^2 \equiv (1 + X)^2$ is reducible, and 1 + X has no
inverse in $Z_2[X]/(1 + X^2)$.
• Unique irreducible polynomial: $m(X) = 1 + X + X^2$
Elements of $Z_2[X]/m(X)$: 0, 1, X, 1 + X.
We need to have $X^{-1} \equiv 1 + X \pmod{m(X)}$.
p.480 – Irreducible polynomials and finite fields
• Example: Consider $Z_2[X]$.
$m(X) := 1 + X + X^4$ is irreducible.
Multiplicative inverse of a(X) = 1 + X modulo
$m(X) := 1 + X + X^4$ over $Z_2$:
Using Euclid's algorithm:
• a(X) = 1 + X, $b(X) = 1 + X + X^4$ with
$b(X) = a(X)(X^3 + X^2 + X) + 1$.
• a(X) = 1, b(X) = 1 + X with
$1 = \gcd(a(X), b(X)) = 1 \cdot a(X) + 0 \cdot b(X)$ yields
(u(X), v(X)) = (1, 0).
• a(X) = 1 + X, $b(X) = 1 + X + X^4$ yields
$(u(X), v(X)) = (0 - (X^3 + X^2 + X) \cdot 1,\; 1)$.
So: $(1 + X)^{-1} \equiv -(X^3 + X^2 + X) \equiv X + X^2 + X^3 \pmod{2, m(X)}$.
p.481 – Irreducible polynomials and finite fields
• One can show that from an algebraic point of view there is a unique
finite field with $p^n$ elements (for p prime).
• Theorem: (w/o proof)
Any two fields of size $p^n$ are isomorphic.
• Definition:
$GF(p^n)$ (also $F_{p^n}$) denotes the (up to isomorphism) unique field of
size $p^n$.
• Theorem: (w/o proof, Shoup [87])
For every prime p and positive integer n an irreducible polynomial
$m(X) \in Z_p[X]$ of degree n can be constructed deterministically in
time polynomial in n (but exponential in $\log_2 p$).
• For fixed prime p, in particular p = 2, we can always efficiently
construct a representation of $GF(p^n)$.
p.482 – Multiplicative group of a finite field
• Theorem: Let F be a finite field. Then $F^* \mathrel{\hat=} \langle F \setminus \{0\}, \cdot, 1\rangle$ is cyclic.
. Proof: Let $M = |F^*|$. Then $a^M = 1$ for all $a \in F^*$.
That is, the polynomial $X^M - 1$ has at least M roots over F.
As F is a field, the degree bounds the number of roots.
• Polynomial division over F works just as over R.
For any d | M, we have: $X^M - 1 = (X^d - 1) \cdot \sum_{i=0}^{M/d - 1} X^{i \cdot d}$.
Thus: $X^d - 1$ has exactly d roots over F.
If e | d, then every root of $X^e - 1$ is a root of $X^d - 1$.
• I.e. there are exactly d − e elements whose order divides d but not e.
Let $M = \prod_{j=1}^{r} p_j^{e_j}$ be the prime factorization of M.
• For each $j \in [r]$ we find $a_j \in F^*$ of order exactly $p_j^{e_j}$.
$g = a_1 \cdots a_r$ has order $M = \mathrm{lcm}(p_1^{e_1}, \ldots, p_r^{e_r})$.
p.483 – Primitive elements and polynomials
• Sometimes representations $Z_p[X]/m(X)$ of $GF(p^n)$ are needed where
X represents a primitive element.
• Definition: A generator of the multiplicative group of $GF(p^n)$ is
called a primitive element.
. $GF(p^n)$ has $\varphi(p^n - 1)$ many primitive elements.
• Definition:
An irreducible polynomial $m(X) \in Z_p[X]$ of degree n is called
primitive if X is a primitive element in $Z_p[X]/m(X)$.
• Theorem: (w/o proof)
There are $\varphi(p^n - 1)/n$ many primitive polynomials of degree n in
$Z_p[X]$.
p.484 – Primitive elements and polynomials
• Shoup shows in [88] that we can limit the search for a primitive
polynomial in DPT to a polynomial-sized set of polynomials.
But testing whether a polynomial in this set is primitive currently
requires us to know the factorization of $\varphi(p^n - 1)$ – just as for any
cyclic group in general.
• Shparlinski shows in [85] how to find a primitive element in $GF(p^n)$ in
time $O(p^{\frac{1}{4}n})$ (neglecting logarithmic factors).
p.485 – Primitive elements and polynomials
• Example:
Recall that for a cyclic finite group G of order N, g ∈ G is a
generator iff $g^{N/p} \neq 1$ for all primes p dividing N.
We consider the two polynomials $m_1(X) = 1 + X + X^2 + X^3 + X^4$
and $m_2(X) = 1 + X + X^4$ over $Z_2$.
One can show that $m_1$ is also irreducible.
Hence $Z_2[X]/m_1 \cong Z_2[X]/m_2 \cong GF(2^4)$ and the multiplicative
group has order $2^4 - 1 = 15$.
In order to check whether $m_1$ resp. $m_2$ is a primitive polynomial, we
need to compute $X^3$ and $X^5$ modulo $m_1$ resp. $m_2$.
Trivially, $X^3 \not\equiv 1 \pmod{2, m_i}$ in both cases.
p.486 – Primitive elements and polynomials
• Example (cont'd):
$X^5 \bmod m_1(X)$ with $m_1(X) = 1 + X + X^2 + X^3 + X^4$:
$X^5 \equiv X \cdot X^4 \equiv X \cdot (1 + X + X^2 + X^3) \equiv X + X^2 + X^3 + X^4 \equiv 1$
$X^5 \bmod m_2(X)$ with $m_2(X) = 1 + X + X^4$:
$X^5 \equiv X \cdot X^4 \equiv X \cdot (1 + X) \equiv X + X^2 \not\equiv 1$
So, only $m_2$ is a primitive polynomial.
A primitive element of $Z_2[X]/m_1$ is e.g. 1 + X.
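The arithmetic of pp.469-480 (bit strings as polynomials, shift-and-xor multiplication and reduction, the inverse of 1 + X modulo 1 + X + X^4) together with the primitivity test of pp.485-486, as an added example; this is not the lecture's own code. Polynomials are stored as ints with bit i = coefficient of X^i, so the slides' lsbf strings are reversed on input; everything else follows the slides.

```python
# Added example, not the lecture's own code: bit strings as polynomials over
# Z_2 (p.469), multiplication and reduction modulo m(X) = 1 + X + X^4 by
# shifts and xors (p.477), inverses by the extended Euclidean algorithm
# (p.480), and the primitive-polynomial test of pp.485-486.  A polynomial is
# an int whose bit i is the coefficient of X^i; the lecture's lsbf string
# "0101" (leftmost bit = X^0) therefore becomes int("0101"[::-1], 2) = 0b1010.

def from_lsbf(s):
    """Lecture notation: the leftmost character is the coefficient of X^0."""
    return int(s[::-1], 2)

def to_lsbf(a, width):
    return format(a, f"0{width}b")[::-1]

def deg(a):
    return a.bit_length() - 1

def pmul(a, b):
    """Carry-less product in Z_2[X]: shift a, xor it in where b has a 1 bit."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def pdivmod(a, m):
    """Long division over Z_2 as in the table on p.477: subtracting
    X^k * m(X) is an xor with m shifted left by k."""
    q = 0
    while a and deg(a) >= deg(m):
        k = deg(a) - deg(m)
        q ^= 1 << k
        a ^= m << k
    return q, a

def mulmod(a, b, m):
    return pdivmod(pmul(a, b), m)[1]

def powmod(a, e, m):
    """a^e mod m by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = mulmod(r, a, m)
        a = mulmod(a, a, m)
        e >>= 1
    return r

def pinv(a, m):
    """Inverse of a modulo m via extended Euclid over Z_2[X]; None if gcd != 1."""
    r0, r1, u0, u1 = m, a, 0, 1     # invariant: r_i = u_i * a (mod m)
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1 = r1, r
        u0, u1 = u1, u0 ^ pmul(q, u1)
    return u0 if r0 == 1 else None

def is_irreducible(m):
    """Trial division by every polynomial of degree 1 .. deg(m)/2."""
    return all(pdivmod(m, d)[1] != 0 for d in range(2, 1 << (deg(m) // 2 + 1)))

def prime_factors(n):
    ps, p = [], 2
    while p * p <= n:
        if n % p == 0:
            ps.append(p)
            while n % p == 0:
                n //= p
        p += 1
    return ps + ([n] if n > 1 else [])

def is_primitive_element(a, m):
    """a generates GF(2^n)^* iff a^((2^n-1)/q) != 1 for every prime q | 2^n - 1
    (the generator criterion recalled on p.485)."""
    if a in (0, 1) or deg(a) >= deg(m):
        return False
    order = (1 << deg(m)) - 1
    return all(powmod(a, order // q, m) != 1 for q in prime_factors(order))

def is_primitive_polynomial(m):
    """m is primitive iff it is irreducible and X (= 0b10) is a primitive element."""
    return is_irreducible(m) and is_primitive_element(0b10, m)

if __name__ == "__main__":
    M = from_lsbf("11001")                       # m(X) = 1 + X + X^4
    prod = pmul(from_lsbf("0101"), from_lsbf("1011"))
    print("0101 * 1011 =", to_lsbf(prod, 7), "=", prod)            # 0100111, 114
    q, r = pdivmod(prod, M)
    print("mod m(X):", to_lsbf(r, 4), "quotient", to_lsbf(q, 3))  # 1101, 111
    print("(1+X)^-1 mod m(X) =", to_lsbf(pinv(0b11, M), 4))        # 0111
    M1 = from_lsbf("11111")                      # 1 + X + X^2 + X^3 + X^4
    print("primitive m1, m2:", is_primitive_polynomial(M1), is_primitive_polynomial(M))
    print("1+X primitive in Z_2[X]/m1:", is_primitive_element(0b11, M1))
```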
Structure of finite cyclic groups
p.488 – Structure of finite cyclic groups
• Lemma*:
Let $a, b \in \langle Z_N, +, 0\rangle$. Then:
1 $o_a = \frac{N}{\gcd(a, N)}$.
2 $\langle a\rangle, \langle b\rangle \subseteq \langle \gcd(a, b)\rangle$.
3 $\langle a\rangle = \langle \gcd(a, N)\rangle$.
• Proof:
1 $o_a = \min\{k > 0 : N \mid ka\} = \frac{N}{\gcd(a, N)}$.
2 Let d := gcd(a, b). Then $a, b \in \langle d\rangle$ as $d \mid a \wedge d \mid b$ and a, b < N.
3 Let t := gcd(a, N). Then $\langle a\rangle, \langle t\rangle \subseteq \langle \gcd(a, t)\rangle$.
But gcd(a, t) = t as t | a, i.e., $\langle a\rangle \subseteq \langle t\rangle$.
Further $o_t = \frac{N}{\gcd(t, N)} = \frac{N}{t} = o_a$ as t | N.
So: $\langle a\rangle = \langle t\rangle$.
p.489 – Structure of finite cyclic groups
• Corollary: Let G = ⟨g⟩ be of finite order M, and a, b ∈ G.
Then: (i) ⟨a⟩ = ⟨b⟩ iff $o_a = o_b$, and (ii) there are exactly φ(d) many
elements of order d for d | M.
• Proof:
. $G \cong Z_M$. So, it suffices to prove the claims w.r.t. $Z_M$.
. Part (i): If ⟨a⟩ = ⟨b⟩, then $o_a = o_b$.
If $o_a = o_b$, then by the preceding result:
$\gcd(a, M) = \gcd(b, M)$, and $\langle a\rangle = \langle \gcd(a, M)\rangle = \langle \gcd(b, M)\rangle = \langle b\rangle$.
. Part (ii): Let d | M. Then $\gcd(\frac{M}{d}, M) = \frac{M}{d}$.
By the preceding result, $\frac{M}{d}$ has order d.
By part (i), $\langle \frac{M}{d}\rangle$ is the unique subgroup of order d.
As $\langle \frac{M}{d}\rangle \cong Z_d$ and $Z_d$ has φ(d) many generators, part (ii) follows.
p.490 – Structure of finite cyclic groups
• Example:
. $Z_{11}^* \cong Z_{10}$.
. The elements of order o of $Z_{10}$ are $\{a \in Z_{10} \mid \gcd(a, 10) = \frac{10}{o}\}$:
• Order 1: 0
• Order 2: 5
• Order 5: 2, 4, 6, 8
• Order 10: 1, 3, 7, 9
. As $Z_{11}^*$ is generated by 2, $h(x) := (2^x \bmod 11)$ is an isomorphism $Z_{10} \to Z_{11}^*$:
• Order 1: $2^0 \equiv 1$
• Order 2: $2^5 \equiv -1 \equiv 10$
• Order 5: $2^2 \equiv 4$, $2^4 \equiv 5$, $2^6 \equiv 9$, $2^8 \equiv 3$
• Order 10: $2^1 \equiv 2$, $2^3 \equiv 8$, $2^7 \equiv 7$, $2^9 \equiv 6$
Computing square roots of quadratic residues
p.492 – Quadratic residues modulo N
• Lemma: Let N = pq for distinct odd primes p, q. Then:
$$|QR_N| = \frac{(p-1)(q-1)}{4} \quad\text{and}\quad \Big|\Big\{x \in Z_N^* \;\Big|\; \Big(\frac{x}{p}\Big)\cdot\Big(\frac{x}{q}\Big) = 1\Big\}\Big| = \frac{(p-1)(q-1)}{2}.$$
. Proof: By the CRT,
$x^2 \equiv 1 \pmod N$ iff $x^2 \equiv 1 \pmod p$ and $x^2 \equiv 1 \pmod q$.
We have $\big(\frac{x}{p}\big)\cdot\big(\frac{x}{q}\big) = 1$ iff either $\big(\frac{x}{p}\big) = 1 = \big(\frac{x}{q}\big)$ or $\big(\frac{x}{p}\big) = -1 = \big(\frac{x}{q}\big)$.
• Remark: Currently, we do not know how to decide efficiently if
$x \overset{?}{\in} QR_N$ given $x \in Z_N^*$ with $\big(\frac{x}{p}\big)\big(\frac{x}{q}\big) = 1$,
when factorizing N = pq is hard.
p.493 – Quadratic residues modulo N
• Lemma: Let N = pq for distinct odd primes p, q.
Given a, b such that $a^2 \equiv b^2 \pmod N$ but $a \not\equiv \pm b \pmod N$,
we can factorize N.
. Proof: Set $z := a^2 \bmod N$.
Recall: $Z_N^* \cong Z_p^* \times Z_q^*$ by means of $h(x) = (x \bmod p, x \bmod q)$.
In particular: $QR_N \cong QR_p \times QR_q$.
Let $\pm z_p$ and $\pm z_q$ be the two square roots of z modulo p resp. q.
As $a \not\equiv \pm b$, we may assume $h(a) = (z_p, z_q)$ and $h(b) = (z_p, -z_q)$.
Hence: $h(a + b) = (2z_p, 0)$, i.e. $a + b \not\equiv 0 \pmod N$ but $q \mid a + b$.
So: gcd(a + b, N) = q.
p.494 – Quadratic residues modulo N
• Lemma: Let N = pq for distinct odd primes p, q.
Every PPT-algorithm A which, on input N and any $z \in QR_N$,
computes a square root a of z modulo N with prob. ε(n),
can be used to factorize N with prob. $\frac{1}{2}\varepsilon(n)$.
. Proof: Choose $a \overset{u}{\in} Z_N^*$ and set $z := a^2 \bmod N$, then run A(N, z) to
obtain b.
If $b^2 \not\equiv z \pmod N$, stop. Else:
As a was chosen uniformly at random, it is also uniformly distributed
over the set of four possible square roots of z.
That is, for any value of b, $a \not\equiv \pm b \pmod N$ with prob. 1/2.
By the previous result, we then can factorize N.
In total: we successfully factorize N in half of the cases in which A
succeeds in computing a square root.
p.495 – Computing square roots modulo N
• Definition: Let
$Gen(1^n)$: on input $1^n$, output $I = N \in [2^{n-1}, 2^n - 1]$
Smpl(N): on input N, output $x \overset{u}{\in} Z_N^*$.
f: given N and x, output $f_N(x) = x^2 \bmod N$.
Computing square roots modulo N is hard w.r.t. Gen if the above is a
OWF.
• Corollary:
Let factorization be hard w.r.t. $Gen_{P2}$, and define $Gen_{sqr}$ by:
On input $1^n$, run $Gen_{P2}(1^n)$ to obtain p, q, then output N := pq.
Then: Computing square roots modulo N is hard.
• Ex: Assume that $p \equiv q \equiv 3 \pmod 4$. Show that knowledge of p, q
allows to compute square roots modulo N = pq.
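Square roots modulo p ≡ 3 (mod 4) (p.448), the four roots modulo N = pq via the CRT (the exercise above), the factoring lemma of p.493 and the reduction of p.494 run exhaustively, as an added example that is not from the slides. The primes 7 and 11 are constructed toy values; the "oracle" is simply the CRT-based root finder, which knows the factorization.

```python
# Added example, not from the slides: square roots modulo p = 3 (mod 4)
# (p.448), all four roots modulo N = pq via the CRT (exercise on p.495), the
# lemma of p.493 that two roots a, b with a^2 = b^2 but a != +-b reveal a
# factor, and the reduction of p.494 run over every a in Z_N^*.
# The primes are small constructed values for illustration only.
from math import gcd

def sqrt_mod_prime(z, p):
    """p = 3 (mod 4): z^((p+1)/4) is a root iff z is a quadratic residue."""
    assert p % 4 == 3
    r = pow(z % p, (p + 1) // 4, p)
    return r if (r * r) % p == z % p else None

def crt(rp, p, rq, q):
    """Combine x = rp (mod p), x = rq (mod q) into x mod pq."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def sqrt_mod_N(z, p, q):
    """The four square roots of z in QR_N, given the factorization N = pq."""
    zp, zq = sqrt_mod_prime(z, p), sqrt_mod_prime(z, q)
    if zp is None or zq is None:
        return []
    return sorted({crt(sp * zp, p, sq * zq, q) for sp in (1, -1) for sq in (1, -1)})

def factor_from_roots(a, b, N):
    """Lemma p.493: a^2 = b^2 (mod N) and a != +-b  =>  gcd(a+b, N) is a factor."""
    assert (a * a - b * b) % N == 0 and (a - b) % N != 0 and (a + b) % N != 0
    d = gcd(a + b, N)
    assert 1 < d < N
    return d

def oracle_success_fraction(p, q):
    """The reduction of p.494 with an oracle that returns the smallest root:
    choose a, ask for a root b of a^2, factor if a != +-b.  Returns (hits, runs);
    over all of Z_N^* exactly half of the runs factor N."""
    N = p * q
    hits = runs = 0
    for a in range(1, N):
        if gcd(a, N) != 1:
            continue
        runs += 1
        b = sqrt_mod_N(a * a % N, p, q)[0]      # the oracle's answer
        if (a - b) % N and (a + b) % N:
            assert factor_from_roots(a, b, N) in (p, q)
            hits += 1
    return hits, runs

if __name__ == "__main__":
    p, q = 7, 11                                   # constructed toy primes
    print("roots of 4 mod 77:", sqrt_mod_N(4, p, q))
    print("factor from 2 and 9:", factor_from_roots(2, 9, p * q))
    print("reduction succeeds in", oracle_success_fraction(p, q))
```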
Existence of OWF and P vs. NP
p.497 – Existence of OWF
• It seems highly unlikely that one can prove the existence of OWFs, as
Theorem: If a OWF exists, then P ≠ NP.
. Proof:
For the proof we assume a simple OWF f.
We show the contraposition, i.e. let f be a one-way function and
assume P = NP.
Fix on $\{0, 1\}^*$ the following total order:
$x \preceq y :\equiv |x| < |y| \vee (|x| = |y| \wedge x \leq_{lex} y)$
$L_f := \{(x, y) \mid \exists z : f(z) = y \wedge z \preceq x\} \in NP$.
As NP = P by assumption, there is a DPT-algorithm B for $L_f$.
Consider now the following DPT-algorithm A:
On input $(1^n, y)$, use binary search on $\{0, 1\}^n$ w.r.t. the order ⪯ in
order to find some $(x_0, y) \in L_f$ with $x_0 \preceq 1^n$.
p.498 – OWF and P ≟ NP
• There is a long list of "claimed" proofs of both P = NP and
P ≠ NP, see
http://www.win.tue.nl/~gwoegi/P-versus-NP.htm.
. So, it is possible that neither OWFs nor computationally secret encryption schemes (with
|K| < |M|) exist.
. Most researchers conjecture that P = BPP ≠ NP.
• Note that P ≠ NP is necessary for the existence of OWFs, but it is
unknown if this is also sufficient.
. NP-hard problems: for every n there is at least one problem in
$\{0, 1\}^n$ which we do not know how to solve efficiently.
. OWFs: for every n we only know for at most a negligible fraction of
$\{0, 1\}^n$ how to solve the problem efficiently.
Proof of Yao’s theorem
p.500 – Proof of Yao's theorem*
• Let G be unpredictable for stretch l := l(n).
• Let D be a distinguisher for G with
$$\varepsilon_D(n) := \Pr_{x \overset{u}{\in} \{0,1\}^n}[D(G(x)) = 1] - \Pr_{z \overset{u}{\in} \{0,1\}^l}[D(z) = 1].$$
• We transform D into a predictor P as follows:
1 Input: $y_1 \ldots y_{i-1}$ for some i ∈ [l]
2 Generate $z = z_1 \ldots z_l \overset{u}{\in} \{0, 1\}^l$.
3 Set $y' := y_1 \ldots y_{i-1} z_i \ldots z_l$. (Pad y to length l)
4 Run D(y') to obtain r.
5 If r = 1: output $z_i$. ("D thinks that G(x) = y', i.e. $y_i = z_i$")
Else: output $\bar{z}_i = 1 - z_i$. ("Else output the complement")
p.501 – Proof of Yao's theorem*
• Fix any i ∈ [l] and consider first the prob. that P correctly predicts
the i-th bit (for $x \overset{u}{\in} \{0, 1\}^n$ and $z \overset{u}{\in} \{0, 1\}^l$):
$$\begin{aligned}
&\Pr_{y=G(x),x,z}[P(y_1 \ldots y_{i-1}) = y_i]\\
&= \Pr_{y=G(x),x,z}[D(y_1 \ldots y_{i-1} z_i \ldots z_l) = 1 \wedge y_i = z_i]\\
&\quad + \Pr_{y=G(x),x,z}[D(y_1 \ldots y_{i-1} z_i \ldots z_l) = 0 \wedge y_i \neq z_i]
\end{aligned}$$
. In the case $y_i = z_i$ ($y_i \neq z_i$), we may replace $z_i$ by $y_i$ ($\bar{y}_i = 1 - y_i$):
$$\begin{aligned}
&= \Pr_{y=G(x),x,z}[D(y_1 \ldots y_{i-1} y_i z_{i+1} \ldots z_l) = 1 \wedge y_i = z_i]\\
&\quad + \Pr_{y=G(x),x,z}[D(y_1 \ldots y_{i-1} \bar{y}_i z_{i+1} \ldots z_l) = 0 \wedge y_i \neq z_i]
\end{aligned}$$
. As $z_i \overset{u}{\in} \{0, 1\}$ independently of the other bits, $z_i$ "hits" $y_i$ with prob.
1/2 no matter what value $y_i$ has:
$$\begin{aligned}
&= \Pr_{y=G(x),x,z}[D(y_1 \ldots y_{i-1} y_i z_{i+1} \ldots z_l) = 1] \cdot \tfrac{1}{2}\\
&\quad + \Pr_{y=G(x),x,z}[D(y_1 \ldots y_{i-1} \bar{y}_i z_{i+1} \ldots z_l) = 0] \cdot \tfrac{1}{2}
\end{aligned}$$
p.502 – Proof of Yao's theorem*
. Set
$d_i := \Pr_{y=G(x),x,z}[D(y_1 \ldots y_{i-1} y_i z_{i+1} \ldots z_l) = 1]$
$c_i := \Pr_{y=G(x),x,z}[D(y_1 \ldots y_{i-1} \bar{y}_i z_{i+1} \ldots z_l) = 0]$
i.e.: $\Pr_{y=G(x),x,z}[P(y_1 \ldots y_{i-1}) = y_i] = \tfrac{1}{2} d_i + \tfrac{1}{2} c_i$.
• An analogous calculation shows: $c_i = 1 + d_i - 2d_{i-1}$ (see the next
slide).
• Hence,
$$\Pr_{y=G(x),x,z}[P(y_1 \ldots y_{i-1}) = y_i] = \tfrac{1}{2}(d_i + c_i) = \tfrac{1}{2} + d_i - d_{i-1}.$$
p.503 – Proof of Yao's theorem*
$$\begin{aligned}
d_{i-1} &= \Pr_{y=G(x),x,z}[D(y_1 \ldots y_{i-2} y_{i-1} z_i z_{i+1} \ldots z_l) = 1]\\
&= \Pr_{y=G(x),x,z}[D(y_1 \ldots y_{i-2} y_{i-1} z_i z_{i+1} \ldots z_l) = 1 \wedge y_i = z_i]\\
&\quad + \Pr_{y=G(x),x,z}[D(y_1 \ldots y_{i-2} y_{i-1} z_i z_{i+1} \ldots z_l) = 1 \wedge y_i \neq z_i]\\
&= \Pr_{y=G(x),x,z}[D(y_1 \ldots y_{i-2} y_{i-1} y_i z_{i+1} \ldots z_l) = 1] \cdot \tfrac{1}{2}\\
&\quad + \Pr_{y=G(x),x,z}[D(y_1 \ldots y_{i-2} y_{i-1} \bar{y}_i z_{i+1} \ldots z_l) = 1] \cdot \tfrac{1}{2}\\
&= \tfrac{1}{2}(d_i + 1 - c_i)
\end{aligned}$$
i.e. $c_i = 1 + d_i - 2d_{i-1}$.
p.504 – Proof of Yao's theorem*
• We therefore obtain for the advantage $\varepsilon_P$ of the constructed
predictor:
$$\begin{aligned}
\tfrac{1}{2} + \varepsilon_P &= \Pr_{y=G(x),x,z,\; i \overset{u}{\in} \{1,2,\ldots,l\}}[P(y_1 \ldots y_{i-1}) = y_i]\\
&= \tfrac{1}{l} \sum_{i \in [l]} \Pr_{y=G(x),x,z}[P(y_1 \ldots y_{i-1}) = y_i]\\
&= \tfrac{1}{l} \sum_{i \in [l]} \big(\tfrac{1}{2} + d_i - d_{i-1}\big)\\
&= \tfrac{1}{2} + \tfrac{1}{l}(d_l - d_0)\\
&= \tfrac{1}{2} + \tfrac{1}{l}\big(\Pr_x[D(G(x)) = 1] - \Pr_z[D(z) = 1]\big) = \tfrac{1}{2} + \tfrac{\varepsilon_D}{l}.
\end{aligned}$$
. Hybrid argument: The $d_i$ interpolate step-wise between the extreme
cases $d_0$ (D gets a truly random string) and $d_l$ (D gets a
pseudorandom string).
(See also CPA-secure w.r.t. single and multiple encryptions.)
. The advantage $\varepsilon_D(n)$ of the distinguisher D equals $l(n) \cdot \varepsilon_P(n)$.
. As $\varepsilon_P$ is negligible and l(n) a polynomial, also $\varepsilon_D$ is negligible.
Proof of the Goldreich-Levin theorem
p.506 – Proof of the Goldreich-Levin theorem
• Assume for a moment that P is a PPT-predictor which always
succeeds, i.e.,
$$\Pr_{x,r}[P(f(x), r) = gl(x, r)] = 1$$
with $x, r \overset{r}{\in} \{0, 1\}^n$ independent and uniformly at random.
• Given f(x) we can use P to calculate the single bits $x_i$, as we can
freely choose r by definition of gl(x, r).
• In particular, for $e_i := 0 \ldots 010 \ldots 0$ the i-th canonical unit vector, we
have $gl(x, e_i) = x_i$, s.t.
$$\Pr_x\big[P(f(x), e_i) = x_i\big] = 1.$$
• I.e., we can invert f(x) in polynomial time using n calls to P.
• We now adapt this approach for predictors which do not succeed
always, but only with prob. non-negligibly better than 1/2.
p.507 – Proof of the Goldreich-Levin theorem
• In the general setting, we may only assume that for some polynomial
p and infinitely many n we have
$$\Pr_{x,r}[P(f(x), r) = gl(x, r)] - \frac{1}{2} =: \varepsilon(n) > \frac{1}{p(n)}$$
with $x, r \overset{r}{\in} \{0, 1\}^n$ independent and uniformly at random.
• First, one has to realize that there is a non-negligible set $S_n$ of n-bit
inputs s.t. P still predicts gl with prob. $> \frac{1}{2} + \frac{\varepsilon(n)}{2}$:⁶
$$\begin{aligned}
\tfrac{1}{2} + \varepsilon(n) &= \Pr_{x,r}[P(f(x), r) = gl(x, r)]\\
&= \Pr_{x,r}[P(f(x), r) = gl(x, r) \mid x \in S_n] \cdot \tfrac{|S_n|}{2^n}\\
&\quad + \Pr_{x,r}[P(f(x), r) = gl(x, r) \mid x \notin S_n] \cdot \Big(1 - \tfrac{|S_n|}{2^n}\Big)\\
&\leq \tfrac{|S_n|}{2^n} + \tfrac{1}{2} + \tfrac{\varepsilon(n)}{2}
\end{aligned}$$
So, $|S_n| \geq \varepsilon(n) \cdot 2^{n-1} > \frac{2^{n-1}}{p(n)}$, i.e., $\Pr_x[x \in S_n] \geq \frac{\varepsilon(n)}{2}$.
⁶ We may also take $> \frac{1}{2} + \frac{\varepsilon(n)}{c}$ for any c > 1.
p.508 – Proof of the Goldreich-Levin theorem
• It is therefore enough to show how to invert f for $x \in S_n$;
. so assume $\Pr_r[P(f(x), r) = gl(x, r)] > \frac{1}{2} + \frac{\varepsilon}{2}$ in the following.
• Still, simply calculating $P(f(x), e_i)$ as before does not work, as we
can never be sure that the prediction $P(f(x), e_i)$ is correct.
• The important idea is to use a sufficiently large number of
$r^1, r^2, \ldots, r^m \in \{0, 1\}^n$ (⁷) which depend on each other in order to
sample gl(x, ·) on both $r^j$ and $r^j \oplus e_i$:
• Assume that both predictions for $gl(x, r^j)$ and $gl(x, r^j \oplus e_i)$ are
correct. Then:
$$gl(x, r^j) \oplus gl(x, r^j \oplus e_i) = gl(x, r^j \oplus r^j \oplus e_i) = gl(x, e_i) = x_i.$$
• The dependency of the $r^j$s on each other will allow us to correctly
determine $gl(x, r^j)$ w.r.t. each other, thereby reducing the prob. of
making wrong guesses.
⁷ with m polynomial in n
p.509 – Proof of the Goldreich-Levin theorem
• Algorithm:
• Given y = f(x) and m, choose $s^1, \ldots, s^k \in \{0, 1\}^n$ independently and
uniformly at random with $k := \lceil \log m \rceil$.
• For each $J \subseteq [k]$, compute $r^J := \bigoplus_{j \in J} s^j \in \{0, 1\}^n$.
• For each $\alpha \in \{0, 1\}^k$:
• Compute $\beta(J) := \bigoplus_{j \in J} \alpha_j$.
Remark: Assuming that $gl(x, s^j) = \alpha_j$, we know that $gl(x, r^J) = \beta(J)$.
As we consider all possible values for α, our assumption will be correct
in one iteration.
• For each i ∈ [n]:
• Run P on $(f(x), r^J \oplus e_i)$ for all $J \subseteq [k]$ to obtain the guess
$z_i(J) := \beta(J) \oplus P(f(x), r^J \oplus e_i)$ for $x_i$.
• Let $z_i$ be the majority value among $\{z_i(J) \mid J \subseteq [k]\}$.
• Stop if f(z) = f(x) and output z.
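The algorithm above run end to end against a simulated predictor, as an added example that is not from the slides. Two things are assumptions made so it runs offline: f is a toy stand-in (SHA-256 of the input, not a proven one-way function), and the predictor is built from knowledge of x so that it answers gl(x, r) correctly with probability exactly 1/2 + eps; the inversion routine itself uses only y = f(x) and oracle access to P, as on p.509.

```python
# Added example, not from the slides: the Goldreich-Levin inversion algorithm
# of p.509 run against a simulated predictor.  f is a toy stand-in (SHA-256 of
# the input) and the predictor is constructed to know x and to answer
# gl(x, r) correctly with probability 1/2 + eps; both are assumptions made so
# that the algorithm can be exercised offline.
import hashlib
import random
from itertools import product
from math import ceil, log2

def f(x, n):
    """Toy function on n-bit integers (constructed, not a proven OWF)."""
    return hashlib.sha256(x.to_bytes((n + 7) // 8, "big")).digest()

def gl(x, r):
    """The Goldreich-Levin hard-core predicate <x, r> mod 2."""
    return bin(x & r).count("1") & 1

def make_predictor(x, eps, rng):
    """P(f(x), r): returns gl(x, r) with prob. 1/2 + eps, its complement otherwise."""
    def P(y, r):
        bit = gl(x, r)
        return bit if rng.random() < 0.5 + eps else bit ^ 1
    return P

def gl_invert(y, n, P, m, rng):
    """Recover x with f(x) = y using the m = 2^k pairwise independent r^J."""
    k = ceil(log2(m))
    s = [rng.getrandbits(n) for _ in range(k)]            # s^1, ..., s^k
    subsets = list(product((0, 1), repeat=k))             # J as a 0/1 vector
    r = {}
    for J in subsets:                                     # r^J = xor of s^j, j in J
        r[J] = 0
        for j, in_J in enumerate(J):
            if in_J:
                r[J] ^= s[j]
    for alpha in product((0, 1), repeat=k):               # guess alpha_j = gl(x, s^j)
        beta = {J: sum(a for a, in_J in zip(alpha, J) if in_J) & 1 for J in subsets}
        z = 0
        for i in range(n):
            e_i = 1 << i
            ones = sum(beta[J] ^ P(y, r[J] ^ e_i) for J in subsets)
            if 2 * ones > len(subsets):                   # majority vote for x_i
                z |= e_i
        if f(z, n) == y:                                  # the correct alpha was hit
            return z
    return None

def demo(seed, n=8, eps=0.35, m=64):
    """Pick a random n-bit x, invert f(x) with a (1/2+eps)-predictor; returns (x, z)."""
    rng = random.Random(seed)
    x = rng.getrandbits(n)
    P = make_predictor(x, eps, rng)
    return x, gl_invert(f(x, n), n, P, m, rng)

if __name__ == "__main__":
    x, z = demo(7)
    print(f"x = {x:08b}, recovered = " + (f"{z:08b}" if z is not None else "nothing"))
```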
p.510 – Proof of the Goldreich-Levin theorem
• Let us analyze the success prob. of the proposed algorithm.
• As we test all possible values of $gl(x, s^j)$, in one iteration our
guess $\alpha_j$ for $gl(x, s^j)$ will be correct, and so also $\beta(J) = gl(x, r^J)$ will
hold in that iteration.
• Let $Z_{i,J}$ be the random variable which is 1 if $z_i(J) = x_i$.
• We have
$$\Pr_{s^1,\ldots,s^k}[Z_{i,J} = 1] = \Pr_{s^1,\ldots,s^k}\big[P(f(x), r^J \oplus e_i) = gl(x, r^J \oplus e_i)\big]$$
as we "guess $gl(x, r^J)$ correctly". As x is fixed, the prob. only depends
on the choice of the random strings $s^1, \ldots, s^k$.
• As these are independently and uniformly chosen at random,
$r^J = \bigoplus_{j \in J} s^j$ is also uniformly distributed, and so is $r^J \oplus e_i$, i.e.,
$$\Pr_{s^1,\ldots,s^k}\big[P(f(x), r^J \oplus e_i) = gl(x, r^J \oplus e_i)\big] = \Pr_r[P(f(x), r) = gl(x, r)].$$
• As we assume that $x \in S_n$, we therefore have
$$\Pr[Z_{i,J} = 1] \geq \frac{1}{2} + \frac{\varepsilon(n)}{2}.$$
p.511 – Proof of the Goldreich-Levin theorem
• What remains is to analyze the prob. that the majority of our guesses
for $x_i$ is correct, i.e., what is $\Pr\big[\sum_J Z_{i,J} \geq \frac{m}{2}\big]$?⁸
• Abbreviation: $Z_i := \sum_{J \subseteq [k]} Z_{i,J}$.
• Then we are interested in $\Pr\big[Z_i \geq \frac{m}{2}\big]$.
• When determining $\Pr[Z_{i,J} = 1]$, we did so for a fixed $J \subseteq [k]$.
• As the vectors $r^J$ are completely determined by $s^1, \ldots, s^k$, the
random variables $\{Z_{i,J}\}_{J \subseteq [k]}$ cannot be independent.
• But for any two $J, J' \subseteq [k]$ with $J \neq J'$, one can show that $Z_{i,J}$ and
$Z_{i,J'}$ are independent (Ex.).
• This observation enables us to use Chebyshev's inequality:
$$\Pr[|Z_i - E[Z_i]| < \delta] \geq 1 - \frac{\mathrm{Var}[Z_i]}{\delta^2}.$$
⁸ This is a bit imprecise as $k := \lceil \log m \rceil$ and $J \subseteq [k]$, but the analysis is the same,
and we may simply assume that $2^k \approx m$.
p.512 – Proof of the Goldreich-Levin theorem
• We have
• $E[Z_i] = \sum_J E[Z_{i,J}] \geq m \cdot \frac{1 + \varepsilon}{2}$, and
• $\mathrm{Var}[Z_i] = \sum_J \mathrm{Var}[Z_{i,J}] \leq m \cdot \frac{1}{4}$ as the $Z_{i,J}$ are pairwise independent.
• Plugging these values into Chebyshev's inequality, we obtain:
$$\Pr\Big[\Big|Z_i - \frac{m}{2}(1 + \varepsilon)\Big| < \delta\Big] \geq 1 - \frac{m}{4\delta^2}.$$
• If we take $\delta \geq \frac{m}{2}\varepsilon$, this allows us to bound the prob. that the majority
guess $Z_i$ deviates too much from $\frac{m}{2}(1 + \varepsilon)$:
$$\Pr\Big[\frac{m}{2} \leq Z_i \leq \frac{m}{2}(1 + 2\varepsilon)\Big] \geq 1 - \frac{m}{4 \cdot \frac{m^2}{4} \cdot \varepsilon^2} = 1 - \frac{1}{m \cdot \varepsilon^2}.$$
• Choosing e.g. $m = c\,\frac{n}{\varepsilon^2}$ for some constant c > 1 we obtain:
$$\Pr\Big[Z_i \geq \frac{m}{2}\Big] \geq \Pr\Big[\frac{m}{2} \leq Z_i \leq \frac{m}{2}(1 + 2\varepsilon)\Big] \geq 1 - \frac{1}{cn}.$$
p.513 – Proof of the Goldreich-Levin theorem
• The final step is to bound the probability that all guesses $Z_i$ are correct, i.e., $\Pr\big[\bigwedge_{i=1}^{n} Z_i \ge \frac{m}{2}\big]$.
• We consider the complementary probability and apply the very rough union bound:⁹

  $\Pr\Big[\bigvee_{i=1}^{n} Z_i < \tfrac{m}{2}\Big] \le \sum_{i=1}^{n} \Pr\Big[Z_i < \tfrac{m}{2}\Big] \le n \cdot \frac{1}{cn} = \frac{1}{c}.$

• Taking e.g. $c = 2$ we obtain $\Pr\big[\bigwedge_{i=1}^{n} Z_i \ge \frac{m}{2}\big] \ge \frac{1}{2}$ for $m \approx \frac{2n}{\varepsilon(n)^2} \approx 2n\,p(n)^2$ and all $x \in S_n$.
• As $\Pr[x \in S_n] \ge \frac{\varepsilon(n)}{2}$, the proposed algorithm successfully inverts $f$ given $y$ with probability at least $\frac{1}{2} \cdot \frac{\varepsilon(n)}{2} = \frac{\varepsilon(n)}{4} > \frac{1}{4p(n)}$ for infinitely many $n$, i.e., with non-negligible probability
  . which contradicts our assumption that $f$ is one-way.
⁹ Note that the $Z_i$ are certainly not independent.
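The inverter whose success probability the proof just bounded, run end to end on a toy instance. This is an added example, not code from the lecture notes: the one-way function is a constructed stand-in (SHA-256 on the bit string, obviously not one-way on 8 bits, used only to recognise the correct preimage, as the proof's algorithm does when it tests each candidate against $y$), and the predictor $P$ is simulated by an oracle that secretly knows $x$ and answers $gl(x, r)$ correctly with probability $\frac{1}{2} + \varepsilon$. The inverter itself only receives $y$ and black-box access to $P$. The names gl_invert, make_predictor and demo and the parameters N, EPS and K are this example's own choices; J ranges over the nonempty subsets of [k], so m = 2^K − 1 votes are taken per bit.

```python
"""Goldreich-Levin inverter on a toy instance (added example, not from the lecture notes).

Implements the algorithm analysed in the proof: pick k uniform vectors s_1..s_k,
guess the k bits <x, s_j>, use the guesses to correct the predictor's answer on
r_J xor e_i for every nonempty J, take the majority vote per bit i, and test the
resulting candidate x' with f(x') == y.

Constructed stand-ins (assumptions of this example):
  * f is SHA-256 of the bit string x; on N = 8 bits it is NOT one-way, it only
    serves to recognise the right preimage.
  * P is a simulated predictor that, unlike a real adversary, knows x and answers
    <x, r> correctly with probability 1/2 + EPS.  gl_invert never reads x.
"""
import hashlib
import random

N = 8       # bit length of x
EPS = 0.2   # predictor advantage: Pr_r[P(f(x), r) = <x, r>] = 1/2 + EPS
K = 9       # seed vectors s_1..s_K; the m = 2^K - 1 = 511 nonempty J give the votes
            # (the proof asks for m ~ 2n / eps^2 = 400 here, so 511 suffices)


def gl(x: int, r: int) -> int:
    """Hard-core predicate gl(x, r) = <x, r> mod 2 on bit strings stored as ints."""
    return bin(x & r).count("1") & 1


def f(x: int) -> bytes:
    """Stand-in for the one-way function; only used to verify candidates."""
    return hashlib.sha256(x.to_bytes((N + 7) // 8, "big")).digest()


def make_predictor(x_secret: int, eps: float, rng: random.Random):
    """Constructed predictor P(y, r): gl(x, r) flipped with probability 1/2 - eps."""
    def P(y: bytes, r: int) -> int:
        flip = rng.random() < 0.5 - eps
        return gl(x_secret, r) ^ int(flip)
    return P


def gl_invert(y: bytes, P, n: int, k: int, rng: random.Random):
    """Recover x with f(x) = y from a predictor for gl; None if every guess fails."""
    # 1. uniform seed vectors s_1..s_k; a subset J of [k] is encoded as a k-bit mask
    s = [rng.getrandbits(n) for _ in range(k)]
    subsets = range(1, 1 << k)              # nonempty J only: r_emptyset = 0 is not uniform
    r = [0] * (1 << k)                      # r_J = XOR of s_j over j in J
    for J in subsets:
        low = J & -J                        # lowest set bit of J
        r[J] = r[J ^ low] ^ s[low.bit_length() - 1]
    # 2. query P once per (i, J) on r_J xor e_i; the answers are reused for every guess
    votes = [[P(y, r[J] ^ (1 << i)) for J in subsets] for i in range(n)]
    # 3. for each guess g of the k bits <x, s_1>, ..., <x, s_k>: the guessed <x, r_J> is
    #    the parity of g restricted to J, and gl(x, r_J xor e_i) = <x, r_J> xor x_i, so
    #    P's answer xor that parity is one vote for x_i.  Majority over all J.
    for g in range(1 << k):
        parity = [bin(J & g).count("1") & 1 for J in subsets]
        x = 0
        for i in range(n):
            ones = sum(v ^ p for v, p in zip(votes[i], parity))
            if 2 * ones > len(subsets):
                x |= 1 << i
        if f(x) == y:                       # the candidate check from the proof
            return x
    return None


def demo(seed: int = 1):
    """Draw a secret x, build y and the noisy predictor, run the inverter on y."""
    rng = random.Random(seed)
    x_secret = rng.getrandbits(N)
    P = make_predictor(x_secret, EPS, rng)
    recovered = gl_invert(f(x_secret), P, N, K, rng)
    return x_secret, recovered


if __name__ == "__main__":
    x_secret, recovered = demo()
    print("secret x =", x_secret, "recovered x =", recovered)
```

With a 70%-correct predictor the majority for the correct guess vector is wrong with negligible probability (511 votes, each independently correct with probability 0.7 in this simulation), so the recovered value equals the secret; the 2^K − 1 wrong guess vectors produce garbage candidates that the check against y rejects. The loop over all 2^K guesses is the only exponential-looking part, and it is polynomial because K = O(log m) = O(log n).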
Notation and symbols
Math
  x ∈ᵘ S            x chosen uniformly at random from S
  U_n               random variable uniformly distributed on {0, 1}^n
  Pr[A]             probability of event A
  Pr_x[A(x)]        probability of event A(x) with x chosen uniformly at random
  Z                 integers
  N                 natural numbers (nonnegative integers)
  [n]               {1, 2, ..., n} for n ∈ N
  gcd(a, b)         greatest common divisor of a and b
  lcm(a, b)         least common multiple of a and b, lcm(a, b) = ab / gcd(a, b)
  Z_n               {0, 1, 2, ..., n − 1} with addition modulo n
  Z_n^*             {k ∈ Z_n | gcd(k, n) = 1} with multiplication modulo n
  a | b             a divides b, i.e., ∃k ∈ N : b = k · a
  a mod n           least natural number s.t. n | (a − (a mod n))
  a ≡ b (mod n)     (a mod n) = (b mod n)
  G                 a group, short for ⟨G, ·, 1⟩
  Σ                 finite alphabet
  a||b              concatenation of the strings a and b, also (a, b) or ab
Algorithms
  PPT               probabilistic polynomial-time
  DPT               deterministic polynomial-time
  :=ʳ               random assignment, used for outputs generated by PPT-algorithms
  A                 algorithm
  E                 encryption scheme
  K                 key space
  M                 message (plaintext) space
  C                 ciphertext space
  Gen               key generator, usually a PPT-algorithm
  Enc               encryption algorithm, usually a PPT-algorithm
  Dec               decryption algorithm, usually a DPT-algorithm
  ek                encryption key
  dk                decryption key
  sk                signature key
  vk                verification key
  ⌊·⌉               some encoding function
Generators
  GenP2             on input 1^n, outputs I = (p, q) with p, q random Θ(n)-bit primes (usually approx. n/2 bits each)
  GenZ*safe         on input 1^n, outputs I = (p, q, g) where (except with probability negligible in n) p is an n-bit prime, q = p − 1, and g generates Z_p^*
  GenQRsafe         as GenZ*safe except that p = 2q + 1 with q also prime and g generates the subgroup of quadratic residues of Z_p^*, which has order q
References
[1] M. Abdalla, M. Bellare, P. Rogaway. DHIES: An encryption scheme based on the Diffie-Hellman Problem.
[2] C. Adams, S. Lloyd. Understanding PKI: Concepts, Standards, and Deployment Considerations.
[3] D. Aggarwal, U. Maurer. Breaking RSA Generically is Equivalent to Factoring.
[4] J. An, Y. Dodis, T. Rabin. On the security of joint signature and encryption.
[5] S. Arora, B. Barak. Computational Complexity: A Modern Approach (draft version). Cambridge University Press, 2009.
[6] H. Baier. Efficient Algorithms for Generating Elliptic Curves over Finite Fields Suitable for Use in Cryptography.
[7] M. Bellare. Lecture notes.
[8] M. Bellare. New Proofs for NMAC and HMAC: Security without Collision-Resistance.
[9] M. Bellare, R. Canetti, H. Krawczyk. Keying Hash Functions for Message Authentication.
[10] M. Bellare, R. Canetti, H. Krawczyk. Pseudorandom Functions Revisited: The Cascade Construction and its Concrete Security.
[11] M. Bellare, S. Halevi, A. Sahai, S. Vadhan. Many-to-one trapdoor functions and their relation to public-key cryptosystems.
[12] M. Bellare, J. Kilian, P. Rogaway. The Security of the Cipher Block Chaining Message Authentication Code.
[13] M. Bellare, T. Kohno. Hash Function Balance and its Impact on Birthday Attacks.
[14] M. Bellare, C. Namprempre. Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm.
[15] M. Bellare, K. Pietrzak, P. Rogaway. Improved Security Analyses for CBC MACs.
[16] M. Bellare, P. Rogaway. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols.
[17] M. Bellare, P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin.
[18] E. Biham, A. Shamir. Differential Cryptanalysis of DES-like Cryptosystems.
[19] A. Biryukov, O. Dunkelman, N. Keller, D. Khovratovich, A. Shamir. Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds.
[20] A. Biryukov, C. De Cannière. Block Ciphers and Systems of Quadratic Equations.
[21] I. Blake, T. Garefalakis. On the Security of the Digital Signature Algorithm.
[22] D. Bleichenbacher. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1.
[23] J. Blömer, A. May. A Generalized Wiener Attack on RSA.
[24] M. Blum, S. Micali. How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits.
[25] A. Bogdanov, D. Khovratovich, C. Rechberger. Biclique Cryptanalysis of the Full AES.
[26] D. Boneh. The Decisional Diffie-Hellman Problem.
[27] R. Boppana, J. Lagarias. One-way functions and circuit complexity.
[28] D. Brown. What Hashes Make RSA-OAEP Secure?
[29] J. Buchmann. Einführung in die Kryptographie (Introduction to Cryptography). Springer, 2010.
[30] J. Carter, M. Wegman. New hash functions and their use in authentication and set equality.
[31] R. Canetti, O. Goldreich, S. Halevi. The Random Oracle Methodology, Revisited.
[32] Certicom (D. Brown). Standards for Efficient Cryptography 1 (SEC 1).
[33] Certicom (D. Brown). Standards for Efficient Cryptography 2 (SEC 2).
[34] J. Coron, Y. Dodis, C. Malinaud, P. Puniya. Merkle-Damgård Revisited: How to Construct a Hash Function.
[35] R. Cramer, V. Shoup. A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack.
[36] J. Daemen, V. Rijmen. AES Proposal: Rijndael.
[37] W. Diffie, M. Hellman. New Directions in Cryptography.
[38] D. Dolev, C. Dwork, M. Naor. Non-malleable cryptography.
[39] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms.
[40] C. Ellison, B. Schneier. Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure.
[41] U. Feige, D. Lapidot, A. Shamir. Multiple Non-Interactive Zero Knowledge Proofs Based on a Single Random String.
[42] N. Ferguson, S. Lucks, B. Schneier, D. Whiting, M. Bellare, T. Kohno, J. Callas, J. Walker. Provable Security Support for the Skein Hash Family.
[43] N. Ferguson, B. Schneier. Practical Cryptography.
[44] Y. Gertner, T. Malkin, O. Reingold. On the Impossibility of Basing Trapdoor Functions on Trapdoor Predicates.
[45] Y. Gertner, T. Malkin, S. Myers. Towards a Separation of Semantic and CCA Security for Public Key Encryption.
[46] O. Goldreich. Foundations of Cryptography: Basic Tools. Cambridge University Press, 2001.
[47] O. Goldreich. Foundations of Cryptography: Basic Applications. Cambridge University Press, 2004.
[48] O. Goldreich, L. Levin. A Hard-Core Predicate for all One-Way Functions.
[49] O. Goldreich, Y. Lustig, M. Naor. On Chosen Ciphertext Security of Multiple Encryptions.
[50] S. Goldwasser, S. Micali. Probabilistic encryption.
[51] D. Hofheinz, E. Kiltz. Secure Hybrid Encryption from Weakened Key Encapsulation.
[52] J. Håstad, R. Impagliazzo, L. Levin, M. Luby. Construction of a Pseudo-Random Generator from Any One-Way Function.
[53] R. Impagliazzo, S. Rudich. Limits on the provable consequences of one-way permutations.
[54] A. Joux, K. Nguyen. Separating Decision Diffie-Hellman from Computational Diffie-Hellman in Cryptographic Groups.
[55] C. Jutla. PRF Domain Extension Using DAGs.
[56] J. Katz, Y. Lindell. Introduction to Modern Cryptography. Chapman & Hall/CRC, 2007.
[57] J. Katz, M. Yung. Characterization of Security Notions for Probabilistic Private-Key Encryption.
[58] J. Kilian, P. Rogaway. How to Protect DES Against Exhaustive Key Search (an analysis of DESX).
[59] J. Lagarias. Pseudorandom Number Generators in Number Theory and Cryptography.
[60] M. Liskov, R. Rivest, D. Wagner. Tweakable block ciphers.
[61] W. Marrero, E. Clarke, S. Jha. A model checker for authentication protocols.
[62] M. Matsui. Linear Cryptanalysis Method for DES Cipher.
[63] U. Maurer, S. Wolf. The Relationship Between Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms.
[64] A. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, 1993.
[65] A. Menezes, T. Okamoto, S. Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field.
[66] A. Menezes, S. Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field. Springer.
[67] A. Menezes, P. van Oorschot, S. Vanstone. Handbook of Applied Cryptography. CRC Press, 2001.
[68] R. Merkle. PhD thesis.
[69] D. Micciancio, O. Regev. Lattice-based Cryptography.
[70] S. Murphy, M. Robshaw. Essential Algebraic Structure within the AES.
[71] M. Naor, M. Yung. Universal one-way hash functions and their cryptographic applications.
[72] M. Näslund. Bit Extraction, Hard-Core Predicates, and the Bit Security of RSA.
[73] NIST. Specification for the Advanced Encryption Standard (AES).
[74] NIST. Specification for the Data Encryption Standard (DES).
[75] C. Papadimitriou. Computational Complexity. Addison-Wesley, 1994.
[76] C. Peikert, B. Waters. Lossy Trapdoor Functions and Their Applications.
[77] E. Petrank, C. Rackoff. CBC MAC for Real-Time Data Sources.
[78] B. Preneel. Analysis and design of cryptographic hash functions.
[79] R. Rivest. In: Handbook of Theoretical Computer Science. Elsevier Science Publishers, 1990, pp. 719–755.
[80] R. Rivest, A. Shamir, L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems.
[81] P. Rogaway. Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC.
[82] P. Rogaway, T. Shrimpton. Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance.
[83] J. Rompel. One-way functions are necessary and sufficient for secure signatures.
[84] C. Shannon. Communication Theory of Secrecy Systems.
[85] I. Shparlinski. On finding primitive roots in finite fields.
[86] V. Shoup. Lower Bounds for Discrete Logarithms and Related Problems.
[87] V. Shoup. New Algorithms for Finding Irreducible Polynomials over Finite Fields.
[88] V. Shoup. Searching for Primitive Roots in Finite Fields.
[89] V. Shoup. A Proposal for an ISO Standard for Public Key Encryption (version 2.1).
[90] V. Shoup. OAEP Reconsidered.
[91] D. Simon. Finding Collisions on a One-Way Street: Can Secure Hash Functions be Based on General Assumptions?
[92] A. Werner. Elliptische Kurven in der Kryptographie (Elliptic Curves in Cryptography). Springer, 2002.
[93] A. Yao. Theory and Applications of Trapdoor Functions (Extended Abstract).