Crypto 2012
Cryptography
[Figure: Alice sends the message “buy 1” to Bob while Eve listens on the channel]
• Message integrity:
“A service which addresses the unauthorized alteration of
data like insertion, deletion, and substitution.” [67]
. “Bob should be able to check that the message has not changed on its way from Alice to him.”
. Subsumed by message authenticity.
p.12 – What is cryptography?
• Identity authentication:
“Two parties entering into a communication should identify
each other.” [67]
. “Eve shouldn’t be able to trick Bob into believing she was Alice”
. Important when Alice and Bob have never met before.
p.13 – What is cryptography?
• Non-repudiation:
“A service which prevents an entity from denying previous
commitments or actions.” [67]
. “Bob should be able to convince other parties (e.g. a judge) that a
message by Alice was indeed sent by her.”
p.14 – Achieving message privacy and authenticity
• Asymmetric setting: Each party holds its own secret key and
broadcasts a public key.
p.15 – Outline: Encryption schemes
• An encryption scheme (ES) consists of
• Disadvantage: Speed
“By comparison, DES (see Section 3.2) and other block ciphers are much faster than the RSA algorithm. DES is generally at least 100 times as fast in software and between 1,000 and 10,000 times as fast in hardware, depending on the implementation.” (taken from the RSA Labs webpage)
. AES support in most recent CPUs, see e.g. wikipedia
• Solution: Hybrid encryption, i.e. combine both.
• Use a public-key scheme for encrypting a secret “one-time” key.
• Use a private-key scheme for encrypting the secret message using the
“one-time” key.
Goal 2: Understanding the security of cryptographic schemes
p.22 – Example: private-key ES
. Modern private-key ES (Gen, Enc, Dec) are built from block ciphers
• Definition: Block cipher B : Σ^n → Prm_{Σ,l}, k ↦ B_k
. Σ: alphabet; if not stated otherwise: Σ = {0, 1}
. n: key length
. l: block length
. Prm_{Σ,l}: set of all permutations of Σ^l
• pad(m) = m||10^i
. Which padding function would you use? (How can you reverse each
padding?)
p.25 – Example: Constructing an ES from AES-128?
• Enc_k(m) := ρ^{(1)}||m^{(1)} ⊕ AES_k(ρ^{(1)})|| . . . ||ρ^{(s)}||m^{(s)} ⊕ AES_k(ρ^{(s)})
. where: ρ, ρ^{(i)} ∈_u {0, 1}^l chosen independently, uniformly at random for every m; AES_k^i means to apply AES_k i times; ⊕ denotes bitwise XOR.
3 Prove that the stated security indeed follows from the stated
assumption. (prove-by-reduction)
. Usually this means: Show that
If Eve (adversarial model) could break the lock (definition of security),
then Eve could use this attack to refute the assumption, e.g.
she could show that AES is not secure, resp.
she could turn her attack into an efficient factorization algorithm.
p.30 – Framework of provable security
4 Study the assumptions used for the cryptographic schemes.
. What assumptions do we need for a given definition of security?
. When is a block cipher or hash function secure?
. Derive standard assumptions, cryptographic primitives:
pseudorandom (bit) generator, pseudorandom functions/permutations
(secure block cipher), (trapdoor) one-way functions, ...
. Allows for separation of the assumption that “AES is a secure block cipher” from what we can achieve if we have some secure block cipher.
. How do these assumptions relate to each other? Does one imply the
other?
. E.g.: If integer factorization is hard, do secure block ciphers exist?
. Choose the scheme which requires the weaker assumption.
p.31 – Summary: What is this lecture about?
• The locks needed to achieve the main goals, and their construction:
• Elliptic curves
Principles of (modern) cryptography
p.35 – Kerckhoff’s (main) principle
960 · 10^12, 57.6 · 10^15, 1.4 · 10^18, 41.5 · 10^18, 504.6 · 10^18.
• Encryption of a message m = m_1 m_2 . . . m_s ∈ Σ^*:
  for π ∈ K = Prm_{Σ,1}.
. Alternative view:
The key π is essentially the block cipher (of block length 1) used in
“ECB” mode.
• Decryption: obvious.
. Size of key space: 26! ≈ 2^88 (on “our” quad-core: 8 · 10^8 years).
. Should suffice for the near future (e.g. SuperMUC has 1.5 · 10^5 cores).
p.38 – Example: Mono-alphabetic substitution cipher
• But: The key can easily be found using frequency analysis:
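As an added illustration (not from the lecture slides) of the alternative view above, namely that the key π is a block cipher of block length 1 used in “ECB” mode, the following Python implements the cipher and shows the property that frequency analysis relies on: a substitution only relabels letters, so the multiset of letter counts of the ciphertext equals that of the plaintext. The sample plaintext and the seed are constructed for the demo.

```python
import math
import random
from collections import Counter
from string import ascii_lowercase

# Constructed sample plaintext (not from the lecture).
SAMPLE = "attack at dawn the enemy will retreat when the sun rises over the eastern hills"


def gen_key(rng=random):
    """Gen: draw a uniformly random permutation pi of Sigma = {a..z}; K = Prm_{Sigma,1}."""
    image = list(ascii_lowercase)
    rng.shuffle(image)
    return dict(zip(ascii_lowercase, image))


def encrypt(pi, m):
    """Enc_pi(m_1 ... m_s) = pi(m_1) ... pi(m_s): the 1-letter block cipher pi in ECB mode.
    Non-letters are passed through unchanged."""
    return "".join(pi.get(ch, ch) for ch in m)


def decrypt(pi, c):
    """Dec: apply the inverse permutation letter by letter."""
    inv = {v: k for k, v in pi.items()}
    return "".join(inv.get(ch, ch) for ch in c)


def key_space_bits():
    """log2 |K| = log2(26!), i.e. roughly 88 bits as stated on the slide."""
    return math.log2(math.factorial(26))


def frequency_profile(text):
    """Letter counts sorted in decreasing order. A substitution only relabels letters,
    so this profile is identical for plaintext and ciphertext: that is what frequency
    analysis exploits, and why ECB of a 1-letter block cipher leaks structure."""
    return sorted(Counter(ch for ch in text if ch.isalpha()).values(), reverse=True)


def ecb_leaks_frequencies(pi, m):
    """True iff encryption under pi left the frequency profile of m unchanged."""
    return frequency_profile(m) == frequency_profile(encrypt(pi, m))
```

The key space is huge (about 2^88 keys), yet `ecb_leaks_frequencies` is always true: the security problem is not the key length but the fact that identical plaintext letters map to identical ciphertext letters.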
• Goal:
Γ: tape alphabet.
Q: control states with explicit halting state q_h and initial state q_0.
δ : Q × Γ → Q × Γ × {→, ←, ↓}: transition function
Initial configuration: (q_0, B)x where x ∈ {0, 1}^*:
[Figure: tape B x_1 x_2 x_3 x_4 x_5 . . . with the head in state q_0 on B; e.g. B 0 1 0 0 1 . . .]
p.52 – Randomized computation: Prob. Turing Machines
• Computation of M on input x:
• A TM is a PTM with δ_0 = δ_1.
• A PTM runs in time T (n) if it halts after at most T (|x|) steps on any
input x ∈ {0, 1}∗ independently of the coin tosses.
p.54 – Randomized computation: External coin tosses
• Let M be a PTM (randomized algorithm) with time bound T (n).
• Eve can win with probability strictly less than 1/2 iff she can win with
prob. strictly greater than 1/2.
• If (Gen, Enc, Dec) is perfectly secret, there is no randomized algorithm which, on input a ciphertext c :=_r Enc_k(m), outputs the first bit of m with prob. strictly greater than 1/2.
p.63 – Perfect secrecy: The “eavesdropping game”
• The game specifies how Eve may interact with Alice&Bob:
• Eve knows the ES and the game, and can accordingly choose her
algorithm (attack) A before the start of the game.
. As soon as the game starts, A (Eve’s behaviour) is fixed.
• The behaviour of A is completely determined by
(i) its own coin tosses and (ii) the input ciphertext c.
• Once (Gen, Enc, Dec) and A are fixed,
• Dec_k(m) := m ⊕ k.
• Theorem: The one-time pad is perfectly secret.
. Formally, use the formula of total probability for all possible values of M_0, M_1 and that the choice of K is independent of M_0, M_1, B:
$$\begin{aligned}
\Pr[C = c, B = b] &= \sum_{m_0, m_1} \Pr[M_B \oplus K = c,\ M_0 = m_0,\ M_1 = m_1,\ B = b] \\
&= \sum_{m_0, m_1} \Pr[K = c \oplus m_b,\ M_0 = m_0,\ M_1 = m_1,\ B = b] \\
&= \sum_{m_0, m_1} \Pr[K = c \oplus m_b] \cdot \Pr[M_0 = m_0,\ M_1 = m_1,\ B = b] \\
&= \frac{1}{|\Sigma|^l} \sum_{m_0, m_1} \Pr[M_0 = m_0,\ M_1 = m_1,\ B = b] \\
&= \frac{1}{|\Sigma|^l} \cdot \Pr[B = b]
\end{aligned}$$
(where m_0, m_1 ∈ Σ^l)
. Ex: Show that Pr[C = c] = 1/|Σ|^l.
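The derivation above can be checked exhaustively for a small block length. The following Python is an added example (not from the slides): it enumerates the probability space of the eavesdropping game for the one-time pad over Σ = {0, 1}, with an arbitrary, here deliberately skewed, distribution over Eve's choice (m_0, m_1) and the coin b, and verifies term by term that Pr[C = c, B = b] = Pr[B = b]/|Σ|^l, that Pr[C = c] = 1/|Σ|^l (the exercise), and that any deterministic attack A wins with probability exactly 1/2. The distribution `DIST` is constructed for the demo.

```python
from fractions import Fraction
from itertools import product

SIGMA = (0, 1)  # Sigma = {0,1}; XOR is the group operation of the OTP


def otp_joint_distribution(l, dist):
    """Joint law of (C, B) in the eavesdropping game for the OTP of block length l.
    dist maps (m0, m1, b) -> Pr[M0 = m0, M1 = m1, B = b], an arbitrary distribution over
    Sigma^l x Sigma^l x {0,1}. K is uniform on Sigma^l and independent of (M0, M1, B)."""
    pr_k = Fraction(1, len(SIGMA) ** l)
    joint = {}
    for (m0, m1, b), p in dist.items():
        mb = m1 if b else m0
        for k in product(SIGMA, repeat=l):
            c = tuple(x ^ y for x, y in zip(mb, k))
            joint[(c, b)] = joint.get((c, b), Fraction(0)) + p * pr_k
    return joint


def marginal_b(dist):
    """Pr[B = b] obtained by summing out m0, m1."""
    return {b: sum((p for (_, _, bb), p in dist.items() if bb == b), Fraction(0))
            for b in (0, 1)}


def check_perfect_secrecy(l, dist):
    """Check Pr[C = c, B = b] = Pr[B = b] / |Sigma|^l for every c and b, as derived above."""
    joint, pr_b = otp_joint_distribution(l, dist), marginal_b(dist)
    inv = Fraction(1, len(SIGMA) ** l)
    return all(joint.get((c, b), Fraction(0)) == pr_b[b] * inv
               for c in product(SIGMA, repeat=l) for b in (0, 1))


def ciphertext_marginal(l, dist):
    """The exercise: Pr[C = c], which equals 1/|Sigma|^l for every c."""
    joint = otp_joint_distribution(l, dist)
    return {c: joint.get((c, 0), Fraction(0)) + joint.get((c, 1), Fraction(0))
            for c in product(SIGMA, repeat=l)}


def win_probability(l, dist, attack):
    """Pr[A(C) = B] for a deterministic attack A: c -> {0,1}."""
    joint = otp_joint_distribution(l, dist)
    return sum((p for (c, b), p in joint.items() if attack(c) == b), Fraction(0))


# Constructed, deliberately skewed choice of (m0, m1) by Eve; b is a fair coin.
DIST = {
    ((0, 0, 0), (1, 1, 1), 0): Fraction(3, 8), ((0, 0, 0), (1, 1, 1), 1): Fraction(3, 8),
    ((1, 0, 1), (0, 1, 0), 0): Fraction(1, 8), ((1, 0, 1), (0, 1, 0), 1): Fraction(1, 8),
}
```

Exact rationals are used on purpose: with floating point, an equality check like the one in `check_perfect_secrecy` could fail for reasons that have nothing to do with the proof.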
p.69 – Proof: OTP is perfectly secret
• We now show that the considered A can only win with prob. exactly 1/2, i.e. we show that Pr[R_A = B] = 1/2.
. First proof in the style of provable security (three games, left to right):
  Left:   (m_0, m_1) :=_r A();  k :=_r Gen();  b ∈_u {0, 1};  c :=_r Enc_k(m_b);  r :=_r A(c)
  Middle: (m_0, m_1) :=_r A();  k :=_r Gen();  b ∈_u {0, 1};  c ∈_u Σ^l;  r :=_r A(c)
  Right:  (m_0, m_1) :=_r A();  k :=_r Gen();  b ∈_u {0, 1};  c ∈_u Σ^l;  r :=_r A(c)   (k and m_0, m_1 no longer used)
. Left: The original eavesdropping game.
. Middle: Use Pr[C = c | B = b] = Pr[C = c] = 1/|Σ|^l.
. Right: Get rid of k and m_0, m_1, not relevant for r =? b.
p.70 – Proof: OTP is perfectly secret
. What we have just done is: we have constructed from an attack A for the game an algorithm P for predicting the coin toss result b:
  P:  c ∈_u Σ^l;  r :=_r A(c);  return r
. Let T_A be the running time of A and p_A the prob. that A wins the eavesdropping game.
. Then P runs in time T_P = T_A + l and predicts b with prob. p_P = p_A.
. As P is independent of b ∈_u {0, 1}: p_P = 1/2.
p.71 – Proof: OTP is perfectly secret
$$\begin{aligned}
\Pr[R_A = B] &= \sum_{b,c} \Pr[R_A = B,\ B = b,\ C = c] \\
&= \sum_{b,c} \Pr[A(C) = B,\ B = b,\ C = c] \\
&= \sum_{b,c} \Pr[A(c) = b,\ B = b,\ C = c] \\
&= \sum_{b,c} \Pr[A(c) = b] \cdot \Pr[C = c] \cdot \Pr[B = b] \\
&= \frac{1}{2} \sum_{c} \Pr[C = c]\,\bigl(\Pr[A(c) = 0] + \Pr[A(c) = 1]\bigr) \\
&= 1/2.
\end{aligned}$$
p.73 – Remarks: Original definition by Shannon
. For instance:
  (Gen, Enc, Dec) is perfectly secret if Pr[Enc_K(m_0) = c] = Pr[Enc_K(m_1) = c] for all m_0, m_1 ∈ M, c ∈ C.
• Ex: Show that our definition of perfect secrecy is equivalent to the above one.
• Property is sufficient: Have a look at the proof for the OTP.
• Argue that |D_c| ≤ |K| and use the alternative definition of perfect secrecy.
. For “computationally secret” ES with |K| < |M|, we will need to restrict the computational power of Eve.
• E.g. she should not be able to compute D_c.
p.75 – Remarks: Multiple encryptions using the same key
• Definition: “Perfect secrecy w.r.t. q encryptions”
  c_1 ⊕ c_2 = (m_1 ⊕ k) ⊕ (m_2 ⊕ k) = m_1 ⊕ m_2.
• “P + SAT-oracle = NP”
  01||00||10||00||11 ↦ 0||ε||1||ε||ε = 01
. Ex: Show that in the resulting sequence bits are uniformly distributed.
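The pairing rule just shown (01 ↦ 0, 10 ↦ 1, 00 and 11 dropped) is von Neumann's extractor. As an added example, not from the slides, the following Python runs it over a constructed biased source of independent bits and makes the exercise's claim tangible: a kept pair is 01 or 10 with the same probability p(1 − p) whatever the bias p, so the output bits are uniform; the price is that most input pairs are discarded.

```python
import random


def von_neumann_extract(bits):
    """Pair the input up; map 01 -> 0, 10 -> 1, and drop 00 and 11 (epsilon)."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)  # "01" contributes "0", "10" contributes "1"
    return "".join(out)


def biased_coin_bits(p_one, n, seed=7):
    """Constructed biased source: independent bits, each equal to 1 with probability p_one."""
    rng = random.Random(seed)
    return "".join("1" if rng.random() < p_one else "0" for _ in range(n))


def one_fraction(bits):
    """Empirical Pr[bit = 1] of a bit string."""
    return bits.count("1") / len(bits)
```

Independence of the source bits is essential: the argument that 01 and 10 are equally likely breaks down for a source with memory, which is one reason practical extractors hash the raw bits instead.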
• In practice, hash functions are used as randomness extractors, too.
Private-key encryption in the presence of an efficient eavesdropper – Indistinguishable encryptions
p.82 – Recap: Perfect secrecy
1 Make the adversarial model for the eavesdropping game less general:
• Restrict Eve (and Alice&Bob) to efficient randomized computation, and
• only require that Eve can win only negligibly better than 1/2.
• The running time and the notion of what is negligible will depend on the security parameter (the key length) n.
2 Adapt the one-time pad in order to obtain a computationally secret encryption scheme with |K| < |M|:
• Based on the conjecture that pseudorandom generators (PRGs) exist.
  Theorem: computational secrecy (|K| < |M|) iff PRGs exist (later).
p.85 – Efficient computation: Asymp. vs. concrete bounds
• In complexity theory, the usual way to measure the efficiency of an
algorithm is an asymptotic bound on its running time T (·) w.r.t. the
input length |x|.
• Often, a problem is said to be efficiently solvable if we know some
polynomial-time algorithm to solve it.
. That is, there exists a TM M which solves the problem and whose running time is bounded by a polynomial w.r.t. the input length.
• E.g. Sorting an array (a_1, . . . , a_s) with a_i ∈ [0, 2^n − 1].
                       en/decrypt   attack
  n = 50  on 1 GHz     2.5 s        ≈ 7 d with prob. 2^−30
  n = 100 on 16 GHz    0.675 s      ≈ 7 d with prob. 2^−80
p.95 – Example: Super-polynomial attack
. PKES based e.g. on the RSA problem can be broken by factoring a large integer N
• where N = p · q with p, q primes of length n, the security parameter.
                       en/decrypt   factoring
  n = 500  on 1 GHz    ≈ 4.1 min    ≈ 138 d
  n = 1000 on 16 GHz   ≈ 1.0 min    ≈ 16.4 y
and either
• M_n = {0, 1}^{l(n)} for l(n) ≥ n, or
• M_n = {0, 1}^*, or
• M_n = ({0, 1}^{l(n)})^* (e.g. for ES built from block ciphers with block length l(n); use a padding function for messages of length not a multiple of l(n).)
. Statements like “M_n = {0, 1}^*” or “M_n = ({0, 1}^{l(n)})^*” should be read as “practically arbitrary message length”, i.e. at most exponential in n or l(n).
p.98 – “PPT-eavesdropping game” and comp. secrecy
• Definition:
  Game IndEd for ES E = (Gen, Enc, Dec), attack A, and sec. par. n:
  1 Eve runs A(1^n) to obtain m_0, m_1 ∈ M_n with |m_0| = |m_1|.
  2 Alice&Bob generate a random key k by running Gen(1^n); they then choose b ∈_u {0, 1} by tossing a fair coin; finally, they send c :=_r Enc_k(m_b) to Eve.
  3 Eve runs A(1^n, c) to obtain a reply r.
. Let Win^{IndEd}_{n,E}(A) denote the event that b = r.
  … is a negligible function in n.
p.99 – Computational secrecy: Remarks
• Probability space consists again of all (independent) fair coin tosses used for Gen, Enc, A, and b.
. Alternative formulation:
  Random variable R^{IndEd}_{n,E}(A) for the final reply of A in the game IndEd for security parameter n.
  Then: Pr[Win^{IndEd}_{n,E}(A)] = Pr_{b ∈_u {0,1}}[R^{IndEd}_{n,E}(A) = b]
  “Eve cannot distinguish between the world where she is always given m_1, and the world where she is always given m_0 (recall oracles O_0/O_1).”
p.100 – Computational secrecy: Remarks
• Game IndEd is essentially the game underlying perfect secrecy except that we pass the security parameter n in unary (1^n) to all algorithms.
• To determine the key length, and to give A enough time.
• Enck (m) = k ⊕ m
• Deck (m) = k ⊕ m
is perfectly secret for every n, it is also comp. secret, and every attack
A has zero advantage in winning the game IndEd against it.
• As A runs in time polynomial in n, the message lengths |m0 | , |m1 |
are also polynomial in n.
. Hence, the input to Enc and Dec is also polynomial in n, and the
whole game runs in time polynomial in n.
p.101 – Computational secrecy: Remarks
. So, the output of G is far from uniformly distributed over {0, 1}^{2n}.
• Ex: Determine the success prob. of the following D:
  • Input: y ∈ {0, 1}^{l(n)} and 1^n.
  • Generate x' ∈_u {0, 1}^n and compute y' = G(x').
  Random oracle – Init: 1^n; Query: outputs y ∈_u {0, 1}^{l(n)}.
  PRG oracle – Init: 1^n; Query: outputs G(x) with x ∈_u {0, 1}^n.
• Definition:
  D takes the place of Alice and Bob, and simulates the game IndEd for n using Eve's algorithm A as a subprocedure, except that D does not run Gen but instead assumes that its input y is the output of G(k) in order to simulate Enc_k(m) by means of c = m ⊕ y.
p.110 – G-prOTP: Proof of security
  Alice&Bob: b ∈_u {0, 1}; if b = 0: y ∈_u {0, 1}^{l(n)}; if b = 1: x ∈_u {0, 1}^n, y = G(x); pass y to D.
  D: run A(1^n); (A returns m_0, m_1 ∈ {0, 1}^{l(n)}); b' ∈_u {0, 1}; assume y = G(x) and simulate Enc_x: compute c = m_{b'} ⊕ y; run A(1^n, c); (A returns r'); return r := (r' =? b').
• D wins iff r = b.
• Next: View the whole interaction from A's perspective, i.e. identify D with Alice&Bob.
p.114 – G-prOTP: Proof of security
• Case b = 1: From A's perspective, it is playing vs. G-prOTP
  Alice&Bob (&D): b := 1; x ∈_u {0, 1}^n; pass y to D; run A(1^n); (A returns m_0, m_1 ∈ {0, 1}^{l(n)}); b' ∈_u {0, 1}; assume y = G(x) and simulate Enc_x: compute c = m_{b'} ⊕ G(x); run A(1^n, c); (A returns r'); r := (r' =? b').
• As G is assumed to be a PRG,
$$\varepsilon_D(n) = \Bigl|\Pr\bigl[\mathrm{Win}^{\mathrm{IndPRG}}_{n,G}(D)\bigr] - \tfrac12\Bigr| = \tfrac12\,\Bigl|\Pr\bigl[\mathrm{Win}^{\mathrm{IndEd}}_{n,G\text{-prOTP}}(A)\bigr] - \tfrac12\Bigr| = \tfrac12\,\varepsilon_A(n)$$
  has to be negligible.
• As A was chosen arbitrarily, the G-prOTP is comp. secret.
. In other words:
  Given a (T_A(n), ε_A(n))-attack A on the pseudorandom one-time pad in the game IndEd we can build a (T_D(n), ε_D(n))-distinguisher D for G where T_D(n) = T_A(n) + O(n) and ε_A(n) = 2 ε_D(n).
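The reduction above, and the earlier remark that a “PRG” whose output is far from uniform over {0, 1}^{2n} breaks the G-prOTP, can be run concretely. The following Python is an added example (not from the slides): it takes the obviously bad stretch-2n generator G(x) = x||x, an attack A on the resulting pseudorandom OTP, and the distinguisher D built from A exactly as in the proof (D simulates IndEd with its input y in place of G(k) and wins iff A wins). With G(x) = x||x, A wins IndEd with prob. 1, so D wins IndPRG with prob. 3/4, i.e. ε_D = ε_A/2 as claimed. The same D is then run against a stand-in generator built from SHA-256, which is an assumption of the demo (not the lecture's PRG); there A is reduced to guessing and D's win rate drops to 1/2. The seed length N = 16 bits is a constructed toy parameter.

```python
import hashlib
import random

N = 16                   # seed length n in bits (constructed; small enough to follow by hand)
MASK = (1 << N) - 1      # the n-bit all-ones string 1^n


def g_bad(x):
    """A "PRG" G(x) = x||x with stretch 2n. Its outputs have two equal halves, which
    makes them trivially distinguishable from uniform 2n-bit strings."""
    return (x << N) | x


def g_sha(x):
    """Stand-in for a generator believed to be a PRG: the first 2n bits of SHA-256(x).
    This is an assumption for the demo, not a statement from the lecture."""
    digest = hashlib.sha256(x.to_bytes(N // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - 2 * N)


def prOTP_enc(y, m):
    """G-prOTP: Enc_k(m) = m xor G(k), with y = G(k) already expanded."""
    return m ^ y


def attack_choose():
    """Step 1 of IndEd: A outputs m0 = 0^n||0^n and m1 = 1^n||0^n (both of length 2n)."""
    return 0, MASK << N


def attack_guess(c):
    """Step 3 of IndEd: if c xor m0 has two equal halves it looks like x||x, so guess b = 0."""
    y0 = c ^ 0  # c xor m0
    return 0 if (y0 >> N) == (y0 & MASK) else 1


def distinguisher(y):
    """D from the proof: simulate IndEd for A with y in place of G(k); return 1 iff A wins."""
    m0, m1 = attack_choose()
    b_prime = random.getrandbits(1)
    c = prOTP_enc(y, m1 if b_prime else m0)
    return 1 if attack_guess(c) == b_prime else 0


def prg_game_win_rate(G, trials, seed=1):
    """Empirical Pr[Win^IndPRG_{n,G}(D)]: b = 0 hands D a uniform y, b = 1 hands it y = G(x)."""
    random.seed(seed)
    wins = 0
    for _ in range(trials):
        b = random.getrandbits(1)
        y = G(random.getrandbits(N)) if b else random.getrandbits(2 * N)
        wins += 1 if distinguisher(y) == b else 0
    return wins / trials
```

The point to take away is the direction of the argument: a working attack on the encryption scheme yields, mechanically, a distinguisher for the generator, so if no efficient distinguisher exists, neither does the attack.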
p.116 – PRGs of variable stretch
• So, our definition of PRG is sufficient for the existence of comp.
secret PPT-ES with |K| < |M|.
• Later: Our definition is also “the right one” as it is necessary, too.
. PRGs can be built from problems which are sufficiently hard on the average, e.g.:
• Factorizing an integer N which is the product of two unknown random primes p, q with p, q ∈ [2^{n−1}, 2^n). (“BBS PRG”)
• Given a prime p ∈ [2^{n−1}, 2^n), a generator g of Z_p, and a random y ∈_u Z_p − {0}, find the unique x ∈ Z_p with g^x (mod p) = y. (BM PRG)
  … is a negligible function in n.
p.121 – Eavesdropping multiple ciphertexts
• Theorem: No stateless and deterministic ES has indistinguishable multiple encryptions in the presence of an eavesdropper.
• Proof: Let {0, 1}^{l(n)} ⊆ M_n for some l(n).
. Goldwasser-Micali:
Semantic security asks that that which can be efficiently computed
about a plaintext from its ciphertext can be efficiently computed in
the absence of the ciphertext.
. Depending on the concrete adversarial model, there are different
notions of semantic security.
p.124 – Semantic secrecy
• Informal description:
Eve’s PPT-attack A may
• tell Alice&Bob how to choose a plaintext m.
• Probability Pr_{b ∈_u {0,1}}[Win^{IndEd}_{n,E}(A_IndEd)] ?
. A_IndEd wins iff y ≠ f(m_1) iff A_SemNoEd loses the game SemNoEd.
p.131 – Semantic secrecy
“In May 1942, US Navy cryptanalysts had discovered that Japan was
planning an attack on Midway island[...]. They had learned this by
intercepting a communication containing the ciphertext fragment
“AF” that they believed corresponded to the plaintext “Midway
islands”. Unfortunately, their attempts to convince Washington
planners that this was indeed the case were futile; the general belief
was that Midway could not possibly be the target. The Navy
cryptanalysts then [...] instructed the US forces at Midway to send a
plaintext message that their freshwater supplies were low. The
Japanese [...] immediately reported [...] that “AF” was low on water.”
• Public-key encryption: Eve can always encrypt herself as everybody
knows the public encryption key.
p.136 – Motivation
• Example of CCA: Needham-Schroeder protocol, 1978
A variant of this protocol describes how Alice and Bob can set up a public-key communication using a trusted key distribution center which is used to store their most recent public keys.
In its original version the protocol is vulnerable to a
man-in-the-middle attack first published by Gavin Lowe in 1995:
For this attack, Eve waits until Alice tries to setup communication
with her; Eve then immediately also initiates communication with
Bob, and intertwines the two protocol executions such that Bob in
the end mistakes Eve for Alice.
One essential step of this attack consists of Eve using Alice as
decryption oracle in order to decrypt a message sent by Bob to Alice.
(4th and 5th in the attack described on wikipedia)
• RSAES-PKCS1: broken by a CCA-attack.
p.137 – CPA-security
• Definition: Game IndCPA:
  1 Alice&Bob generate a random key k := Gen(1^n) and give Eve's attack A oracle access to Enc_k.
  2 Eve runs A^{Enc_k}(1^n) to obtain two sequences m⃗_0, m⃗_1 with m⃗_b = (m_b^{(1)}, . . . , m_b^{(q)}), |m_0^{(j)}| = |m_1^{(j)}|, and m_b^{(i)} ∈ M_n.
  3 Alice&Bob choose b ∈ {0, 1} by tossing a fair coin, compute c^{(i)} = Enc_k(m_b^{(i)}) from left i = 1 to right i = q, and send c⃗ = (c^{(1)}, . . . , c^{(q)}) to Eve.
  4 Eve runs A^{Enc_k}(1^n, c⃗) to obtain her reply r ∈ {0, 1}.
. Let Win^{IndCPA}_{n,E} be the event that b = r.
$$\Pr\bigl[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(B)\bigr] = \frac{1}{2q} \sum_{b \in \{0,1\},\, s \in [q]} \Pr_{b,s}\bigl[\mathrm{Win}^{\mathrm{IndCPA}}_{n,E}(B)\bigr]$$
. Fixing b and s just means to consider the case where m⃗_b^s is encrypted:
• For b = 1, s = 1: m⃗_1^1 = m⃗_1.
• For b = 0, s = q: m⃗_0^q = m⃗_0.
• For b = 0, s = i and b = 1, s = i + 1: m⃗_0^i = m⃗_1^{i+1}.
  … is also CPA-secure.
. This construction does not preserve CCA-security:
  Assume E is CCA-secure with M_n = {0, 1}^n. Define A for E' as follows:
• Output m_0 = 0^n||0^n and m_1 = 1^n||0^n.
• When given c = c^{(1)}||c^{(2)}, make the single query c^{(1)}||Enc_k(1^n) to Dec_k.
. Return 0 iff 0^n is the first half of the returned decryption.
p.146 – How to achieve CPA-security
• Ideally, we would like to use for each new encryption a “fresh”
one-time pad.
. Because of the perfect secrecy, all ciphertexts then would be of no use
to Eve; the ciphertexts would simply be random strings.
• Using a variable-length PRG G we can emulate this:
  … is a PRG.
• E.g. let l(n) be the running time of an attack A(1^n),
. Also any part of G_l(x) has to be indistinguishable for PPT-Eve from a truly random string.
. Any unused part of the output of G_l(x) is almost as good as a fresh OTP.
p.147 – Stateful counter (sCTR) mode
. Definition: stateful counter mode (sCTR) for a vl-PRG G
  For s ≤ s' and G(x, 1^{s'}) = y_1 y_2 . . . y_s . . . y_{s'} let G(x)[s, s'] = y_s . . . y_{s'}. (Recall the “prefix property” of G).
• K_n = {0, 1}^n, M_n = {0, 1}^{≥n}, C_n = {0, 1}^{≥n}
• Gen: On input 1^n, output k ∈_u K_n.
• Enc: On input k ∈ K_n and m ∈ M_n, compute c = ⌊ctr⌉||m ⊕ G(k)[ctr + 1, ctr + |m|].
• Where ⌊·⌉ encodes ctr as an n-bit string.
[Figure: schematic of sCTR mode, four applications of B_k]
. Proof sketch:
. Canonical approach:
From a PPT-adversary A for the game IndCPA vs. G-sCTR
• Let T (n) be the running time of A.
• D wins in the
. “real world” (b = 1) iff A wins vs. G-sCTR in IndCPA.
. “perfect world” (b = 0) iff A loses vs. the “OTP” in IndEd.
p.151 – Stateful counter (sCTR) mode
• Case b = 0 with y ∈_u {0, 1}^{T(n)}:
  Alice&Bob: y ∈_u {0, 1}^{T(n)−n}; use y to emulate Enc_x.
  A_IndEd: run A_IndCPA^{Enc_x}(1^n); (A_IndCPA returns m_0, m_1 ∈ {0, 1}^n); return m_0, m_1.
  Alice&Bob: b' ∈_u {0, 1}; k ∈_u {0, 1}^n; c = m_{b'} ⊕ k; pass c to A_IndEd.
  A_IndEd: c := ⌊ctr⌉||c; ctr := ctr + |m_0|; run A_IndCPA^{Enc_x}(1^n, c); (A_IndCPA returns r'); return r := (r' =? b').
• In total:
$$\Bigl|\Pr\bigl[\mathrm{Win}^{\mathrm{IndCPA}}_{n,G\text{-sCTR}}(A_{\mathrm{IndCPA}})\bigr] - \tfrac12\Bigr| = \tfrac12\,\Bigl|\Pr\bigl[\mathrm{Win}^{\mathrm{IndPRG}}_{n,G}(D)\bigr] - \tfrac12\Bigr|.$$
p.153 – Outlook: How to achieve CCA-security
• Lemma: G-sCTR is not CCA-secure:
. Proof: Consider the following A_IndCCA:
  1 Output m_0 = 0^n and m_1 = 1^n.
  2 Receive c = ⌊ctr⌉||c'.
  3 Flip the last bit of c and, thus, of c': c̃ = c ⊕ 0^n 0^{n−1} 1.
  4 As c̃ ≠ c, query the decryption oracle for a decryption.
  5 Return 0 iff the oracle returns 0^{n−1} 1.
. The crucial step is that AIndCCA can easily forge a new ciphertext.
. Idea: use a MAC so that Alice&Bob resp. the decryption oracle can
authenticate the origin of a ciphertext.
. The MAC will allow the decryption oracle to reject ciphertexts forged
by Eve, thus, forcing her back to the CPA-setting.
. “CPA-secure ES + secure MAC = CCA-secure ES”
Pseudorandom functions and stateless CPA-secure ES
p.155 – Secure block ciphers
• What kind of encoding: lsbf or msbf? Gray code? big or little endian? ...
• For i = 1 to some q:
  Eve may choose some x_i (“⌊i⌉”) for which she is given B_k(x_i). Her choice of x_i may depend on B_k(x_1)|| . . . ||B_k(x_i) seen so far.
. Again: Eve should not be able to distinguish the “real world” (above) from the “perfect world”:
• In the “perfect world” she is given y_i ∈_u {0, 1}^l instead of B_k(x_i).
  For any PPT-encoding ⌊·⌉ : Z_{2^n} → {0, 1}^n and any polynomial l(n), G_l(x) = F_k(⌊1⌉)||F_k(⌊2⌉)|| . . . ||F_k(⌊l(n)⌉) is a PRG of stretch n·l(n).
  Conclude that F-sCTR is CPA-secure if F is a PRF.
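The following Python is an added example, not code from the lecture, that ties three of the points above together: the variable-length PRG G_l(k) = F_k(⌊1⌉)||F_k(⌊2⌉)||… built from a PRF (which gives the prefix property for free), the stateful counter mode c = ⌊ctr⌉||m ⊕ G(k)[ctr + 1, ctr + |m|] defined on p.147 with its advancing counter, and the remark on p.153 that sCTR alone is malleable while “CPA-secure ES + secure MAC” closes that gap. Assumptions of the demo: HMAC-SHA256 plays the role of the PRF F (and of the MAC), the composition is encrypt-then-MAC with the tag covering the counter as well, and N = 16 bytes is the key and counter-encoding length; all keys and messages are constructed.

```python
import hashlib
import hmac

N = 16  # key length and counter-encoding length in bytes (constructed parameters)


def prf(k, x):
    """F_k(x): HMAC-SHA256, used here as the PRF (an assumption about HMAC, not the lecture's F)."""
    return hmac.new(k, x, hashlib.sha256).digest()


def vl_prg(k, nbytes):
    """Variable-length PRG from the PRF: G(k, 1^s) = F_k(<1>)||F_k(<2>)||... cut to s bytes.
    A longer output extends a shorter one, which is the prefix property sCTR relies on."""
    out, i = b"", 1
    while len(out) < nbytes:
        out += prf(k, i.to_bytes(N, "big"))
        i += 1
    return out[:nbytes]


def prg_range(k, s, s2):
    """G(k)[s, s'] = y_s ... y_{s'} (1-based, inclusive)."""
    return vl_prg(k, s2)[s - 1:]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class SCTR:
    """Stateful counter mode: c = <ctr> || m xor G(k)[ctr+1, ctr+|m|], then ctr += |m|."""

    def __init__(self, k):
        self.k, self.ctr = k, 0

    def enc(self, m):
        pad = prg_range(self.k, self.ctr + 1, self.ctr + len(m))
        c = self.ctr.to_bytes(N, "big") + xor(m, pad)
        self.ctr += len(m)  # never reuse keystream: the state advances past this message
        return c

    def dec(self, c):
        ctr, body = int.from_bytes(c[:N], "big"), c[N:]
        return xor(body, prg_range(self.k, ctr + 1, ctr + len(body)))


def etm_enc(k_mac, sctr, m):
    """Encrypt-then-MAC: tag the complete sCTR ciphertext, counter included."""
    c = sctr.enc(m)
    return c + prf(k_mac, c)


def etm_dec(k_mac, sctr, ct):
    """Verify first; a ciphertext with a bad tag is rejected (the oracle answers None, i.e. bottom)."""
    c, tag = ct[:-32], ct[-32:]
    if not hmac.compare_digest(prf(k_mac, c), tag):
        return None
    return sctr.dec(c)


def flip_bit(buf, idx):
    return buf[:idx] + bytes([buf[idx] ^ 1]) + buf[idx + 1:]


def demo():
    """Returns (plain sCTR decryption of a bit-flipped ciphertext, EtM result on the genuine
    ciphertext, EtM result on a ciphertext whose last keystream-covered byte was flipped)."""
    k_enc, k_mac = bytes(range(16)), bytes(range(16, 32))  # constructed fixed keys
    alice, bob = SCTR(k_enc), SCTR(k_enc)
    m = b"transfer 100 to Bob"
    c = alice.enc(m)
    malleable = bob.dec(flip_bit(c, len(c) - 1))  # sCTR alone: the flip lands in the plaintext
    ct = etm_enc(k_mac, alice, m)
    genuine = etm_dec(k_mac, bob, ct)
    forged = etm_dec(k_mac, bob, flip_bit(ct, len(ct) - 33))
    return malleable, genuine, forged
```

Two details matter in practice: the tag is verified before anything is decrypted, so a forged ciphertext never reaches `dec`, and `hmac.compare_digest` avoids leaking through timing how many tag bytes matched.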
• Ex: Show that PRFs with l_out(n) · 2^{l_in(n)} ≤ n exist (unconditionally).
  G_0(k) =: F_k^{(1)}(0),  G_1(k) =: F_k^{(1)}(1)
  PRGs exist iff PRFs with l_in(n) = l_out(n) = n exist.
• Ex: Why can't we simply take a PRG of stretch n · 2^n, and read its output G(k) as the table of a PRF F_k with n = l_in(n) = l_out(n)? How does the tree construction avoid this problem?
p.164 – Pseudorandom functions (PRF)
• Our definition of PRF is asymptotic:
. This corresponds to secure block ciphers which allow to increase their key and block length arbitrarily.
• Definition of (t, q, ε)-PRF analogously: (see also here (Section 3.6))
• Fix n, and restrict the running time of D to t, and its number of oracle queries to q.
. Example: Let T_AES be the number of steps done by AES, and c a constant modeling the speed of the used computer.
  Conjecture: Every (t, q)-adversary has advantage ε ≤ c · (t/T_AES)/2^128 + q^2/2^64 in the game IndPRF.
• One advantage of PRFs: we can build stateless CPA-secure ES
• Stateful ES require Alice&Bob to synchronize when using the same key for bidirectional communication.
. PRFs allow to “forget the value of ctr” and instead simply “guess an unused value for ctr”.
p.165 – Randomized counter (rCTR) mode
[Figure: schematic of rCTR mode, four applications of F_k]
• Proof sketch:
. Recall:
W.l.o.g. we may assume that A only outputs a single message pair.
p.168 – Randomized counter (rCTR) mode
  Alice&Bob: b ∈_u {0, 1}; b = 0: O := RO; b = 1: k ∈_u {0, 1}^n, O := F_k; pass O to D.
  D (uses O for Enc_k): run A^{Enc_k}(1^n); (A returns (m_0, m_1) with |m_0| = |m_1|); b' ∈_u {0, 1}; c = Enc_k(m_{b'}); run A^{Enc_k}(1^n, c); (A returns r'); return r := (r' =? b').
• RO-rCTR:
. on input m = m^{(1)}|| . . . ||m^{(t)}, choose ctr ∈_u Z_{2^{l(n)}}, output ⌊ctr⌉||m^{(1)} ⊕ RO(⌊ctr + 1⌉)|| . . . ||m^{(t)} ⊕ RO(⌊ctr + t⌉).
. Let x⃗ = (x_1, . . . , x_{q(n)}) be the sequence of all values for which RO is queried:
• x_i is the i-th query; the queries do not need to be distinct.
. Pr_{x_i, x_j ∈_u {0,1}^{l(n)}}[x_i = x_j] = 2^{−l(n)}
$$\Pr[\text{“no OTP”}] = \Pr_{x_1,\dots,x_q \in_u \{0,1\}^{l(n)}}\Bigl[\bigvee_{i \neq j} x_i = x_j\Bigr] \le \binom{q(n)}{2}\, 2^{-l(n)}.$$
$$\Pr\bigl[\mathrm{Win}^{\mathrm{IndCPA}}_{n,\mathrm{RO\text{-}rCTR}}(A)\bigr] \le \tfrac12 \cdot \Pr[\text{“OTP”}] + 1 \cdot \Pr[\text{“no OTP”}] \le \tfrac12 + \frac{q(n)^2}{2^{l(n)}}$$
• All in all:
$$2\Pr\bigl[\mathrm{Win}^{\mathrm{IndPRF}}_{n,F}(D)\bigr] = \Pr\bigl[\mathrm{Win}^{\mathrm{IndCPA}}_{n,F\text{-rCTR}}(A)\bigr] + 1 - \Pr\bigl[\mathrm{Win}^{\mathrm{IndCPA}}_{n,\mathrm{RO\text{-}rCTR}}(A)\bigr] \ge \Pr\bigl[\mathrm{Win}^{\mathrm{IndCPA}}_{n,F\text{-rCTR}}(A)\bigr] + \tfrac12 - \frac{q(n)^2}{2^{l(n)}}$$
. I.e.:
$$\Bigl|\Pr\bigl[\mathrm{Win}^{\mathrm{IndCPA}}_{n,F\text{-rCTR}}(A)\bigr] - \tfrac12\Bigr| \le 2\,\Bigl|\Pr\bigl[\mathrm{Win}^{\mathrm{IndPRF}}_{n,F}(D)\bigr] - \tfrac12\Bigr| + \frac{q(n)^2}{2^{l(n)}}$$
p.172 – Randomized counter (rCTR) mode
If Eve can obtain q = 232 blocks (32 GiB) of encrypted data, the
security bound becomes meaningless, and with prob. roughly 1/2 some
random value for ctr is used at least twice.
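The “32 GiB” figure above corresponds to 8-byte blocks, i.e. l = 64. As an added example (not from the slides), the following Python evaluates the term q(n)^2/2^{l(n)} of the bound, the exact and the usual birthday-approximated probability that a randomly chosen ctr value repeats, and a small constructed simulation, so the reader can see where the bound stops saying anything and how far the actual collision probability is from it. Parameters of the simulation are constructed.

```python
import math
import random
from fractions import Fraction


def union_bound(q, l):
    """The slide's term bounding Pr["no OTP"]: q^2 / 2^l, as an exact rational."""
    return Fraction(q * q, 2 ** l)


def exact_collision_prob(q, l):
    """Exact Pr[some ctr repeats among q uniform l-bit values] = 1 - prod_{i<q} (1 - i/2^l).
    Fine for small q; for q around 2^32 use the approximation below."""
    p_distinct = 1.0
    for i in range(q):
        p_distinct *= 1.0 - i / 2 ** l
    return 1.0 - p_distinct


def approx_collision_prob(q, l):
    """Birthday approximation 1 - exp(-q(q-1)/2^(l+1)); q = 2^32, l = 64 gives about 0.39."""
    return 1.0 - math.exp(-q * (q - 1) / 2 ** (l + 1))


def simulate_ctr_reuse(q, l, trials, seed=0):
    """Constructed experiment: draw q random ctr values per run, count runs with a repeat."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        seen = set()
        for _ in range(q):
            x = rng.getrandbits(l)
            if x in seen:
                hits += 1
                break
            seen.add(x)
    return hits / trials
```

For q = 2^32 and l = 64 the bound evaluates to exactly 1, so it guarantees nothing, while the actual probability of a repeated ctr is already about 0.39; this is why the block length, and not only the key length, limits how much data one key may protect.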
p.173 – Randomized output feedback (rOFB) mode
. Definition: rOFB for a PRF F with l(n) = l_in(n) = l_out(n)
• K_n = {0, 1}^n, M_n = ({0, 1}^{l(n)})^*, C_n = {0, 1}^{l(n)} ({0, 1}^{l(n)})^*
• Gen: On input 1^n, output k ∈_u K_n.
. Idea: in the perfect world (RO instead of F_k) – except for negl. prob. of a collision – RO is never queried on the same input twice.
p.174 – Randomized output feedback (rOFB) mode
• Schematic representation of OFB mode for l(n) = l_in(n) = l_out(n)
[Figure: IV ∈_u {0, 1}^l fed through a chain of F_k applications]
• To process the i-th block of data, we need to know F_k^i(IV) for OFB while s/rCTR mode only requires knowledge of F_k(⌊ctr + i⌉).
. Ex: Is F -rOFB CCA-secure for F a PRF?
Pseudorandom permutations and secure block
ciphers
p.176 – Definition of secure block cipher
• Problem:
• O_0 uses e.g. a second hash map T_inv with T_inv[y] = x iff T[x] = y.
  Let f : {0, 1}^* → {0, 1}^* be some function s.t. |f(x)| = |x| for all x ∈ {0, 1}^*.
  A single-round Feistel network FN_f is defined by FN_f(x||y) := y||x ⊕ f(y) for all x, y ∈ {0, 1}^* with |x| = |y|.
• Proposition: (Ex.)
[Figure: four-round Feistel network with round functions f_1, . . . , f_4 and XORs]
• F^{(4)}_{a||b||c||d}(x||y) := FN_{F_a, F_b, F_c, F_d}(x||y) is a strong PRP on {0, 1}^{2n} using 4n-bit keys.
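As an added example (not the lecture's code), the following Python implements the single-round Feistel network FN_f(x||y) = y||x ⊕ f(y), its iteration with independent round functions, and the four-round construction F^{(4)}_{a||b||c||d} above. The round function F_k is a PRF stand-in built from HMAC-SHA256 truncated to the half-block length, which is an assumption of the demo. It shows the two facts that the DES section relies on later: the network is invertible for any f (decryption runs the rounds backwards using f itself, never f^{−1}), and one round is useless as a PRP because its output exposes the right half of the input. Keys and blocks are constructed.

```python
import hashlib
import hmac


def round_function(key, y):
    """f_key(y): a PRF stand-in (HMAC-SHA256 truncated to |y| bytes); an assumption of this demo."""
    return hmac.new(key, y, hashlib.sha256).digest()[:len(y)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_round(f, x, y):
    """One round FN_f(x||y) := y || x xor f(y). A permutation for any f, since x is recoverable."""
    return y, xor(x, f(y))


def feistel_encrypt(round_keys, block):
    """FN_{f_1,...,f_r}: apply the rounds in order to the two halves of an even-length block."""
    half = len(block) // 2
    x, y = block[:half], block[half:]
    for k in round_keys:
        x, y = feistel_round(lambda v: round_function(k, v), x, y)
    return x + y


def feistel_decrypt(round_keys, block):
    """Inverse: undo the rounds in reverse order using only f itself, never f^{-1}.
    Forward maps (x0, y0) -> (y0, x0 xor f(y0)), so y0 = x and x0 = y xor f(x)."""
    half = len(block) // 2
    x, y = block[:half], block[half:]
    for k in reversed(round_keys):
        x, y = xor(y, round_function(k, x)), x
    return x + y


def split_key(master, rounds):
    """a||b||c||d -> (a, b, c, d): one equal-length round key per round."""
    n = len(master) // rounds
    return [master[i * n:(i + 1) * n] for i in range(rounds)]


def luby_rackoff_encrypt(master, block):
    """F^(4)_{a||b||c||d}(x||y) = FN_{F_a,F_b,F_c,F_d}(x||y): the four-round construction above."""
    return feistel_encrypt(split_key(master, 4), block)


def luby_rackoff_decrypt(master, block):
    return feistel_decrypt(split_key(master, 4), block)
```

Because decryption never needs the inverse of the round function, the round function can be any PRF, including one that is not a permutation at all; that is exactly what makes the Feistel structure attractive for building a PRP out of a PRF.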
p.182 – PRPs as PRFs
• For the modes s/rCTR and rOFB we do not need a PRP.
. I.e. RO and RPO look the same to any D except for negl. prob.
. Hence: Pr[Win^{IndPRF}_{n,F}(D)] ≤ Pr[Win^{IndPRP}_{n,F}(D)] + q(n)^2 · 2^{−l(n)−2}
. Theorem: If F is a PRP (with 2^{−l(n)} negligible), then it is also a PRF.
p.184 – PRPs as PRFs
• Ex: Does also the other direction hold?
So, also for F -sCTR the block length of F matters, and the security
bounds for F -sCTR and F -rCTR become roughly the same.
p.185 – Randomized cipher block chaining (rCBC) mode
. Definition: rCBC mode for a PRP F with block length l(n)
• K_n = {0, 1}^n, M_n = ({0, 1}^{l(n)})^*, C_n = {0, 1}^{l(n)} ({0, 1}^{l(n)})^*
• Gen: On input 1^n, output k ∈_u K_n.
[Figure: schematic of rCBC mode, four applications of F_k]
A MAC scheme is
• of fixed-length l(·) if M_n = {0, 1}^{l(n)}.
• stateful if Mack saves some state (e.g. message counter) between two
runs; otherwise it is stateless.
p.190 – Message authentication code (MAC)
• What should a MAC achieve?
. Only the knowledge of the secret k_Mac should enable a person to create, for some message m, a tag t which is valid for m w.r.t. k_Mac:
• I.e. Vrf_{k_Mac}(m, t) = 1.
. Secure MAC: Forge a valid tag for a message not seen so far.
p.191 – Security of MACs
• Definition: Game FrgMAC:
  1 Alice&Bob generate k :=_r Gen(1^n), and give Eve oracle access to Mac_k. Alice&Bob keep a list Q of Eve's oracle queries.
  2 Eve runs A^{Mac_k}(1^n) to obtain (m, t).
. Let Win^{FrgMAC}_{n,S}(A) be the event that (i) Vrf_k(m, t) = 1 and (ii) m ∉ Q.
• Assume that Alice does not care about the privacy of her orders.
• might have access to an SMTP server and simply put Alice’s address in
the FROM field, or
• might intercept and alter an order by Alice.
. By requiring that each order comes with a MAC tag, Bob can detect
a faked order.
p.193 – Message integrity/origin authentication
• But: if Eve intercepts and replays an order, the MAC tag is of no use.
• Ex: Does rOFB mode yield a secure MAC? Does the OTP?
• Ex: Let F be a PRF with l(n) = l_in(n) = l_out(n). Does Mac_k(m) = F_k(m^{(1)})||F_k(m^{(2)}) yield a secure MAC (with M_n = {0, 1}^{2l(n)})?
• Ex: Show that F -rCBC does not yield a secure MAC.
Hint: By modifying IV, Eve can modify also the first block of an
intercepted message.
p.196 – MACs from encryption schemes?
• Definition: F-MAC
  Let F be a PRF with input length l_in(n) and output length l_out(n). Then F-MAC is defined by
• K_n = {0, 1}^n, M_n = {0, 1}^{l_in(n)}, T = {0, 1}^{l_out(n)}.
• Gen: on input 1^n, output k ∈_u {0, 1}^n.
The decryption oracle then always detects the forged ciphertexts, and, thus, can be simulated in game IndCPA by always replying ⊥.
  Pr[Win^{IndCCA}_{n,ES}(A) | ¬F] ≤ Pr[Win^{IndCPA}_{n,E}(A)] ≤ 1/2 + negl_E(n)
p.202 – Extending the domain of a PRF
• As seen: PRFs give us immediately secure MACs.
. Hence, we would like to have a PRF with “arbitrarily” large l_in(n) and l_out(n) just long enough to make the prob. of guessing a correct tag negligible.
• Candidates for PRFs in practice?
• Block ciphers of fixed block length l = l_in = l_out > |k|.
[Figure: CBC chain starting from 0^n, each block XORed in and fed through F_k]
  If F is a PRF, then F^CBC and F^* are PRFs under the restriction that a PPT-adversary D may only use prefix-free oracle queries.
• If x_1, . . . , x_{q(n)} are all oracle queries of D, then for any x_i, x_j (i < j) neither may be a prefix of the other.
. W/o this restriction: assume F with l_in(n) = l_out(n) = n
• y := O(0^n) and z := O(0^n||1^n)
• For F^*: return z =? F_y(1^n)
• For F^CBC: return z =? O((y ⊕ 1^n) ⊕ IV)
  F^{pad,ext}_{k_o,k_i}(m) := F_{k_o}(F^{ext}_{k_i}(pad(m))).
  In practice: k_o||k_i = F_k(⌊1⌉)||F_k(⌊2⌉).
p.207 – Extending the domain of a PRF
• Ex*: Let F be a PRF and G a PRG of stretch l(n) = 2n. Split the output of G into half: G(k) = G_0(k)||G_1(k) with G_0(k), G_1(k) ∈ {0, 1}^n. Show that for any PPT-adversary D having access to two oracles the following prob. is negligible in n:
$$\Bigl|\Pr_{k,k' \in_u \{0,1\}^n}\bigl[D^{F_k, F_{k'}}(1^n) = 1\bigr] - \Pr\bigl[D^{\mathrm{RO}, \mathrm{RO}'}(1^n) = 1\bigr]\Bigr|$$
[Figure: CBC-MAC: the message blocks XORed into a chain starting from 0^n and fed through F_k, output Mac_k(m)]
p.210 – CBC-MAC (Discussion)
• Ex: Show that F^CBC(pad_{MD-0}(m)) does not yield a secure MAC.
• It might be tempting to combine F-rCBC with F-CBC-MAC in the hope to speed up the computation. But:
• F-CBC requires an IV ∈_u {0, 1}^n to be CPA-secure.
• Definition: F-NMAC
  Let F be a PRF with l_in(n) ≥ l_out(n) = n and pad_MD either pad_{MD-0} := m||0^p||⌊|m|⌉ or pad_{MD-1} := m||10^p||⌊|m|⌉.
• K_n = {0, 1}^{2n}, M_n = {m ∈ {0, 1}^* | |m| < 2^{l_in(n)}}, C_n = {0, 1}^n
• Gen: on input 1^n, output (k_o, k_i) with k_o, k_i ∈_u {0, 1}^{2n}.
[Figure: NMAC: inner chain keyed with k_i through F, outer F keyed with k_o producing the tag]
• Not shown: padding for the outer part if l_in(n) > n.
p.213 – Nested MAC (NMAC)
• For hash functions, F satisfies l_in(n) > l_out(n) = n and is called a compression function.
• E.g. SHA-1 l_in = 512, l_out = 160.
[Figure: HMAC: inner chain from a fixed IV over k ⊕ ipad and the message blocks, outer chain from the fixed IV over k ⊕ opad producing the tag]
• Not shown: padding for the outer part if l_in(n) > n.
p.215 – Hash-based MAC (HMAC)
. Definition: HMAC
  Let F be a PRF of block length n and F-NMAC = (Gen, Mac, Vrf). Define opad by repeating the bit pattern 0x36 till n bits are generated. Similarly, generate ipad from 0x5c. Set out(k) := F(IV||(k ⊕ opad)) and in(k) := F(IV||(k ⊕ ipad)). Then F-HMAC = (Gen, Mac', Vrf) with Mac'_k(m) := Mac_{out(k),in(k)}(m).
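HMAC as defined above can be written down in a few lines on top of a concrete hash. The following Python is an added example (not from the slides): it builds HMAC over SHA-256 from the two-key structure of NMAC, where the inner hash over (k ⊕ ipad)||m plays the role of the k_i chain and the outer hash over (k ⊕ opad)||inner plays the k_o step, and cross-checks the result against Python's hmac module. The byte assignment follows RFC 2104 (ipad = 0x36, opad = 0x5c, each repeated to the hash's block length of 64 bytes), and keys longer than a block are hashed first as the RFC prescribes; the key and message are constructed.

```python
import hashlib
import hmac

B = 64  # block length of SHA-256 in bytes (512 bits): the "n" of the definition above


def hmac_sha256(k, m):
    """HMAC over SHA-256 as in RFC 2104: H((k xor opad) || H((k xor ipad) || m)).
    RFC 2104 uses ipad = 0x36 and opad = 0x5c, each repeated to the block length;
    the inner hash absorbs k xor ipad first (in(k)), the outer one k xor opad (out(k))."""
    if len(k) > B:
        k = hashlib.sha256(k).digest()  # long keys are hashed down first
    k = k.ljust(B, b"\x00")            # then zero-padded to one block
    ipad = bytes(x ^ 0x36 for x in k)
    opad = bytes(x ^ 0x5c for x in k)
    inner = hashlib.sha256(ipad + m).digest()
    return hashlib.sha256(opad + inner).digest()


def mac(k, m):
    """Mac'_k(m) of F-HMAC instantiated with SHA-256."""
    return hmac_sha256(k, m)


def vrf(k, m, t):
    """Vrf_k(m, t) = 1 iff t is the tag of m; compared in constant time to avoid a timing side channel."""
    return hmac.compare_digest(mac(k, m), t)


def matches_stdlib(k, m):
    """Cross-check against Python's hmac module."""
    return hmac_sha256(k, m) == hmac.new(k, m, hashlib.sha256).digest()
```

The outer hash call is what stops the length-extension trick that breaks a plain H(k||m) construction: an attacker who knows a tag sees only the outer digest and cannot continue the inner chain.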
• Theorem: [56, 8]
. Alternative view:
CBC transforms F into F_k[t](m) := F_k(m ⊕ t) where t is called the tweak.
• If F is a PRP (secure block cipher),
where t0 ≈ t.
. Decide whether the deduced security bound is good enough for you.
Data Encryption Standard (DES)
p.235 – Data encryption standard (DES)
• DES = data encryption standard
• But nobody believes that the NSA has introduced any “backdoor” into
DES.
p.236 – DES: Feistel network
• DES is basically a 16-round Feistel network FN_{f^{(1)}, . . . , f^{(16)}} with input/output length 64 bits except for the following:
  1 An initial permutation IP is applied to the input before the FN.
  2 The two halves of the output of the FN are swapped afterwards. (See ex.)
  3 Finally, IP^{−1} is applied.
• The functions f^{(i)} are obtained from the DES-mangler function f̂ and a 48-bit round-key k^{(i)}, i.e., f^{(i)} := f̂_{k^{(i)}}.
• The mangler function f̂ can be understood as a PRF with l = 32.
• The round-keys k^{(i)} are generated deterministically from k by duplicating bits of k.
• Think of it as a PRG which stretches k to a 16 · 48-bit string.
• Input:
• R the “right half” of the current Feistel round (32 bits),
• Steps:
  1 Expansion of R to 48 bits: denoted by E(R); E(·) simply duplicates half of the bits of R.
  2 Compute T := E(R) ⊕ K.
  3 Partition T into 8 blocks of 6 consecutive bits, i.e., T = T^{(1)} . . . T^{(8)} with |T^{(i)}| = 6.
• Let (L_i, R_i) denote the left/right halves fed to the Feistel network in the i-th round.
• Consider a second computation (L'_i, R'_i) such that L_0 = L'_0 while R_0 and R'_0 differ in exactly a single bit, where the same key is used in both computations.
• In the first round, the mangler function is applied to R_0, resp. R'_0.
• P is defined in such a way that the two differences in the first block are spread into two different blocks, e.g., into the second and third block.
• Hence, the final round results (L_1, R_1) and (L'_1, R'_1) will differ in at least three bits as L_1 := R_0 and L'_1 := R'_0.
• A single bit difference is expected to influence all 64 bits in the worst case after roughly eight rounds. [56]
• As in the case of the S-boxes, it was shown that if P is replaced by a randomly chosen permutation, then (with high prob.) the avalanche effect is much weaker.
p.245 – Detour: Confusion-diffusion paradigm
• In [84], besides introducing perfect secrecy, Shannon also suggested a principle for designing ciphers which are hard to analyze using “statistical” methods:
• Confusion:
• Matsui shows how to obtain the key from a sufficiently large set of known
plaintext/ciphertext pairs encrypted using the same key.
• Differential cryptanalysis requires the attacker to be able to choose the
plaintexts.
• In the case of DES, the attack still requires 2^43 known pairs.
. Recall that for MAC schemes and some modes of operations the block
length determines the feasibility of a birthday attack.
• 3DES is an attempt to fix this using three keys k_1, k_2, k_3 to define the
block cipher:
• 3DES is still considered a very strong block cipher and widely used
today.
• The main drawbacks are the short block size (just as DES) and that
it is quite slow.
• Faster and still conjectured secure w.r.t. the key space [58]:
• The specification of Rijndael [36] allows the block and key
length to be set independently of each other to 128/192/256 bits.
• AES only differs from Rijndael by fixing the block length to 128 bits.
(See also the specification of AES [73].)
• The number of rounds of the s/p-network depends on the
chosen key and block lengths and is defined in the specification.
• The number of rounds was chosen based on the analysis of known
attacks like differential/linear cryptanalysis.
• For the AES combinations, the number of rounds is 10/12/14.
The definition of the S-box uses the multiplicative inverse in the field
GF(2^8).
² In the AES/Rijndael specification a “round” consists of
SubBytes → ShiftRow → MixColumn → AddRoundKey. But this obfuscates the
similarities shared with the DES mangler function.
p.260 – AES/Rijndael: Crash course GF(28 )
• Carrier: polynomials Σ_{i=0}^{7} a_i X^i with coefficients in Z_2.
Succinct representation: Either as bit string, e.g. a_0 a_1 . . . a_7, or as
natural number Σ_{i=0}^{7} a_i 2^i.
Example: X + X^4 ≙ 01001000 ≙ 18 and 1 + X^2 + X^4 ≙ 10101000 ≙ 21.
• Addition: First add polynomials as usual, then reduce modulo 2.
Example: 18 + 21 = 7 in GF(2^8).
That is, simply bit-wise xor a_0 a_1 . . . a_7 and b_0 b_1 . . . b_7.
• Multiplication: First multiply polynomials as usual, then reduce
modulo 2 and m(X) = 1 + X + X^3 + X^4 + X^8.
Example: 18 · 21 = 97 and 3^2 = 5 in GF(2^8).
• Multiplicative inverse: Can be computed using the extended
Euclidean algorithm.
Example: 18^{−1} = 170 in GF(2^8).
p.261 – AES/Rijndael: SubBytes
• The single S-box used by Rijndael is a permutation on 8-bit strings.
• Recall that in DES the S-boxes are 4-to-1 functions, i.e., not invertible.
³ AES/Rijndael uses the reversed bit order.
p.262 – AES/Rijndael: SubBytes
• Recap: NP
The class of all languages (decision problems) L ⊆ {0,1}^* for which
we can decide x ∈ L nondeterministically in time polynomial in |x|.
. Example: The set of all satisfiable boolean formulas (SAT).
Given a formula φ, we can nondeterministically guess a satisfying
assignment in time polynomial in |φ|.
Currently, we do not know how to decide SAT deterministically in
polynomial time: in the worst case a SAT solver runs in time
exponential in |φ|.
p.272 – Motivation
• For cryptography, we want something even stronger than worst case
super-polynomial run time:
One-way functions (OWF):
“Problems which have almost exclusively worst-case instances”
• Informally, existence of OWFs is necessary for cryptography as:
. For G a PRG, computing x given G(x) needs to be hard not only for
some x ∈ {0,1}^n but for almost all except for a negl. fraction.
. For G-sCTR with G a PRG, computing the secret key k from known
plaintext-ciphertext pairs (m, c) (CPA setting) needs to be hard not
only for some k ∈ {0,1}^n, but for almost all except a negl. fraction.
. For F a PRF, computing the secret key k from a known
input-output pair (x, F_k(x)) needs to be hard not only for some
k ∈ {0,1}^n but for almost all except a negl. fraction. Analogously for
F-MAC.
p.273 – Motivation
• Outlook:
. Theorem: If comp. secret ES with |K| < |M| exist, then OWFs exist.
. Theorem: From any OWF we can build a PRG.
• Conjectured sources for OWFs?
. Mostly, problems related to computational number theory, e.g.:
• Integer factorization: Given N find its prime factorization.
• If a = 1, return (1, 0).
• Else: Compute k = (b − (b mod a))/a, s.t. b = ka + (b mod a).
Recursively compute (x', y') s.t. gcd(b mod a, a) = x'(b mod a) + y'a.
Return (y' − kx', x').
• Final result:
$$\begin{pmatrix} -k_0 & 1 \\ 1 & 0 \end{pmatrix} \cdot \begin{pmatrix} -k_1 & 1 \\ 1 & 0 \end{pmatrix} \cdot \begin{pmatrix} -k_2 & 1 \\ 1 & 0 \end{pmatrix} \cdot \begin{pmatrix} -k_3 & 1 \\ 1 & 0 \end{pmatrix} \cdot \begin{pmatrix} x_4 \\ y_4 \end{pmatrix}$$
. Proof:
Assume ab = 1 = ac. Then b = b · 1 = b(ac) = (ba)c = c.
Assume a · 1' = a for all a. Then 1 = 1 · 1' = 1'.
• Notation: a^{−1} denotes the unique inverse of a in G.
• Corollary:
Carrier: {(g1 , g2 ) | g1 ∈ G1 , g2 ∈ G2 }.
Group operation: componentwise.
Neutral element: componentwise.
p.281 – Example: Integers Z
• Z ≙ ⟨Z, +, 0⟩
. Infinite.
. Group operation: canonical addition.
. Cyclic: generated by 1, −1.
• Reminder:
• Z_N ≙ ⟨Z_N, +, 0⟩
. Group operation: canonical addition on Z modulo N.
. Cyclic: ⟨g⟩ = Z_N iff gcd(g, N) = 1.
. Ex: Compute ⟨4⟩ in Z_7.
. Ex: Compute ⟨4⟩ in Z_6.
. Ex: Compute ⟨(1, 1)⟩ in Z_4 × Z_6.
. Z_M × Z_N is cyclic iff gcd(M, N) = 1.
p.283 – Example: Multiplicative group modulo N
• Z*_N ≙ ⟨{a ∈ Z_N | gcd(a, N) = 1}, ·, 1⟩
. Group operation: canonical multiplication on Z modulo N.
. Inverse: As gcd(a, N) = 1 there are x, y s.t. 1 = xa + yN.
. Theorem: (w/o proof)
Z*_N is cyclic iff N ∈ {2, 4, p^r, 2p^r} for p > 2 prime and r > 0.
. Ex: Compute ⟨4⟩ and ⟨5⟩ in Z*_7.
. Ex: Compute ⟨5⟩ in Z*_6.
. Ex: Compute ⟨3⟩ in Z*_8.
p.284 – Example: Quadratic residues modulo N
• QR_N ≙ ⟨{x^2 mod N | x ∈ Z*_N}, ·, 1⟩
. Subgroup of Z*_N.
. In general not cyclic. Cyclic if Z*_N is cyclic.
. Ex: Compute ⟨4⟩ in QR_7.
. Ex: Compute QR_6, QR_8, QR_85.
p.285 – Finite commutative groups
• We are only interested in finite commutative groups in this lecture.
• For these, many things can be shown more easily than in the general
setting.
• Let G be finite and commutative.
Then:
1. a^{λ−1} = a^{−1}.
2. ⟨a⟩ = {a, a^2, . . . , a^λ}.
3. a^k = a^{k mod λ} and ord(a) | λ.
4. If e ∈ Z*_λ, then g_e(x) := x^e is a permutation on G.
5. If λ ≥ |G| is prime, then G is cyclic.
• As seen on the last slide: ∀a ∈ G : a^{|G|} = 1 if G is finite and
commutative.
. This already holds if G is only finite, by virtue of Lagrange’s theorem.
. Ex: Which of the above results also hold when G is noncommutative?
p.287 – Finite commutative groups
• Ex: Compute 7^{1023} and 7^{−1} in Z*_11.
• Definition:
. So:
Lemma: A cyclic group G has exactly ϕ(|G|) many generators.
• Ex: How many generators has Z*_85?
• Ex: Is 7 a generator of Z*_54? What is the prob. that a ∈_u Z*_54 is a
generator?
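Added example (not the lecture's code): the groups of these slides as small enumerable objects, with ⟨g⟩ computed by iterating the group operation, QR_N, ord(a), and the generator count of the lemma. The inputs of the exercises (Z_7, Z_6, Z*_7, Z*_6, Z*_8, QR_7, Z*_85, Z*_54) serve as sample inputs; the function names are the demo's own.

```python
# Added example (not from the lecture): the groups Z_N, Z*_N and QR_N from
# these slides as enumerable objects, the cyclic subgroup <g> built by
# repeated application of the group operation, and the counting lemma
# (a cyclic group has phi(|G|) generators) checked on the exercises' inputs.
from math import gcd


def phi(n: int) -> int:
    """Euler's totient, by brute force (fine for the small N on the slides)."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def cyclic_subgroup(g, op, neutral) -> frozenset:
    """<g> = {neutral, g, g*g, ...}: iterate until the walk returns to neutral."""
    elems = {neutral}
    x = g
    while x != neutral:
        elems.add(x)
        x = op(x, g)
    return frozenset(elems)


def additive_subgroup(g: int, N: int) -> frozenset:   # <g> in Z_N = <Z_N, +, 0>
    return cyclic_subgroup(g % N, lambda a, b: (a + b) % N, 0)


def mult_subgroup(g: int, N: int) -> frozenset:       # <g> in Z*_N = <..., *, 1>
    assert gcd(g, N) == 1, "g must be a unit"
    return cyclic_subgroup(g % N, lambda a, b: (a * b) % N, 1)


def units(N: int) -> frozenset:                       # Z*_N
    return frozenset(a for a in range(N) if gcd(a, N) == 1)


def quadratic_residues(N: int) -> frozenset:          # QR_N = {x^2 mod N | x in Z*_N}
    return frozenset(x * x % N for x in units(N))


def order(a: int, N: int) -> int:
    """ord(a) in Z*_N, i.e. |<a>|."""
    return len(mult_subgroup(a, N))


def generators(N: int) -> frozenset:
    """Generators of Z*_N; empty iff Z*_N is not cyclic (theorem on the slide:
    cyclic iff N in {2, 4, p^r, 2p^r})."""
    U = units(N)
    return frozenset(g for g in U if mult_subgroup(g, N) == U)


def fraction_of_generators(N: int) -> float:
    """Pr[a uniform in Z*_N is a generator]; equals phi(phi(N))/phi(N) when cyclic."""
    return len(generators(N)) / len(units(N))


if __name__ == "__main__":
    print(sorted(additive_subgroup(4, 7)), sorted(additive_subgroup(4, 6)))
    print(sorted(mult_subgroup(4, 7)), sorted(mult_subgroup(5, 7)))
    print(sorted(quadratic_residues(7)), sorted(quadratic_residues(8)))
    print(len(generators(85)), order(7, 54), fraction_of_generators(54))
```

Z*_85 (85 = 5 · 17) is not of the form p^r or 2p^r, so the generator set comes back empty, while Z*_54 = Z*_{2·3^3} is cyclic and exactly ϕ(ϕ(54)) = ϕ(18) = 6 of its 18 elements generate it.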
p.293 – Number of generators
Then (i) Z_MN ≅ Z_M × Z_N and (ii) Z*_MN ≅ Z*_M × Z*_N
by means of h : Z_MN → Z_M × Z_N : a ↦ (a mod M, a mod N).
For α, β ∈ Z s.t. 1 = αM + βN:
h^{−1}(u, v) = (uβN + vαM) mod MN.
• Remark: α, β can be computed using the extended Euclidean
algorithm.
• CRT short for “chinese remainder theorem”.
p.296 – Chinese remainder theorem
. Proof:
. Ex: h is a homomorphism w.r.t. both addition and multiplication.
. h is injective:
h(a) = h(b) iff M | (a − b) ∧ N | (a − b) iff* MN | (a − b)
(* as gcd(M, N) = 1).
. Using Euclid, we find α, β ∈ Z s.t. 1 = gcd(M, N) = αM + βN.
Note: αM ≡_M 0 but αM ≡_N 1. Similarly for βN.
Hence: h(h^{−1}(u, v)) = (u, v) for all (u, v) ∈ Z_M × Z_N.
. Assume h(a) ∉ Z*_M × Z*_N for some a ∈ Z*_MN.
Wlog. (a mod M) ∉ Z*_M, i.e.
1 < d = gcd(a mod M, M) = gcd(a, M).
But then also 1 < d ≤ gcd(a, MN), i.e. a ∉ Z*_MN.
p.297 – Chinese remainder theorem: Applications
• Corollary:
Let N = ∏_{i=1}^{r} p_i^{e_i} be the prime factorization of N.
Then: Z*_N ≅ Z*_{p_1^{e_1}} × Z*_{p_2^{e_2}} × . . . × Z*_{p_r^{e_r}}.
Thus ϕ(N) = ∏_{i=1}^{r} ϕ(p_i^{e_i}) = ∏_{i=1}^{r} p_i^{e_i − 1}(p_i − 1).
• Remark: The CRT allows us to compute within Z_M × Z_N instead of
Z_MN, i.e. we may compute with smaller numbers.
This can be used to speed up the decryption of RSA-based PKES
(later).
. Ex: Let p = 13, q = 19 and N = pq = 247. Compute 197^{200} in Z*_N
using the CRT.
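Added example (not the slides' code): the recursive extended Euclidean algorithm in the form sketched on the earlier slide, the CRT maps h and h^{−1} built from α, β, and the exercise 197^{200} in Z*_247 computed in Z*_13 × Z*_19. The guard for b mod a = 0 is an addition for inputs that are not coprime; the slide's sketch does not cover that case.

```python
# Added example (not the slides' code): the recursive extended Euclidean
# algorithm exactly in the form sketched on the slide (for 0 < a <= b return
# (x, y) with gcd(a, b) = x*a + y*b), the CRT isomorphism h and its inverse
# h^-1(u, v) = (u*beta*N + v*alpha*M) mod MN, and the exercise
# 197^200 in Z*_247 computed in Z*_13 x Z*_19.


def ext_euclid(a: int, b: int):
    """Return (x, y) with x*a + y*b = gcd(a, b), for 0 < a <= b."""
    if a == 1:
        return (1, 0)                     # 1 = 1*a + 0*b
    r = b % a
    k = (b - r) // a                      # b = k*a + r
    if r == 0:                            # gcd is a itself (not in the slide's sketch)
        return (1, 0)
    x1, y1 = ext_euclid(r, a)             # gcd(r, a) = x1*r + y1*a
    return (y1 - k * x1, x1)              # = x1*(b - k*a) + y1*a


def bezout(M: int, N: int):
    """(alpha, beta) with 1 = alpha*M + beta*N, for coprime M, N."""
    if M <= N:
        return ext_euclid(M, N)
    beta, alpha = ext_euclid(N, M)
    return alpha, beta


def crt_split(a: int, M: int, N: int):
    """h: Z_MN -> Z_M x Z_N, a -> (a mod M, a mod N)."""
    return (a % M, a % N)


def crt_join(u: int, v: int, M: int, N: int) -> int:
    """h^-1(u, v) = (u*beta*N + v*alpha*M) mod MN."""
    alpha, beta = bezout(M, N)
    return (u * beta * N + v * alpha * M) % (M * N)


def pow_mod_crt(x: int, e: int, p: int, q: int) -> int:
    """x^e mod pq computed in Z*_p x Z*_q; exponents shrink mod p-1 and q-1
    (a^|G| = 1 in each factor), which is the RSA decryption speed-up."""
    u = pow(x % p, e % (p - 1), p)
    v = pow(x % q, e % (q - 1), q)
    return crt_join(u, v, p, q)


if __name__ == "__main__":
    print(ext_euclid(13, 19))             # (3, -2): 3*13 - 2*19 = 1
    print(crt_split(197, 13, 19))         # (2, 7)
    print(pow_mod_crt(197, 200, 13, 19), pow(197, 200, 247))
```

For the exercise: 197 ↦ (2, 7), 2^{200} = 2^{8} = 9 in Z*_13 and 7^{200} = 7^{2} = 11 in Z*_19, and h^{−1}(9, 11) with α = 3, β = −2 gives 87.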
p.298 – Chinese remainder theorem: Applications
• Reminder:
then Z*_N ≅ Z*_{p_1^{e_1}} × Z*_{p_2^{e_2}} × . . . × Z*_{p_r^{e_r}}.
return “composite”;
. Classical computers:
The general number field sieve factorizes N in time O(e^{(64n/9)^{1/3} (log n)^{2/3}}).
For n = 1024, this is roughly c · 2^{89} in the worst case for some
constant c.
. Quantum computers:
Shor’s algorithm runs in time O(n3 ) and requires O(n) qubits.
Currently, the largest “announced” quantum computer has 128 qubits
(see here).
. See here for a list of “factorization records”.
p.316 – Integer factorization
Want to use only groups for which the DLP is always hard.
• Computing the discrete logarithm is easy in Z_M ≙ ⟨Z_M, +, 0⟩.
• As every cyclic group G is isomorphic to ⟨Z_{|G|}, +, 0⟩, we want
“worst-case” representations of Z_M which make computing the
discrete logarithm hard.
• Let M = |G|, and assume M = p^r N with p prime and gcd(p, N) = 1.
Note: QR_p is of prime order q, i.e., we cannot use the CRT to move to
smaller groups.
• More general: strong primes
• Definition: Let GenZ*_safe be a PPT-algorithm which,
on input 1^n, generates
(i) an n-bit Sophie Germain prime q, so that p = 2q + 1 is a safe
prime, and
(ii) a generator g of Z*_p, and
outputs I = (p, p − 1, g) as description of ⟨g⟩ = Z*_p.
. Remark: W.r.t. ⟨Z*_p, ·, 1⟩ with p prime, the map
f_{(p,p−1,g)} : Z_{p−1} → Z_{p−1} : x ↦ (g^x mod p) mod (p − 1)
is a permutation on Z_{p−1}.
p.327 – Discrete logarithm
• Definition: Let GenQR_safe be a PPT-algorithm which,
on input 1^n, generates
(i) an n-bit Sophie Germain prime q, so that p = 2q + 1 is a safe
prime, and
(ii) a generator g of QR_p, and
outputs I = (p, q, g) as description of ⟨g⟩ = QR_p.
. Conjecture: The DLP is hard w.r.t. GenQR_safe.
. Remark: Recall that
modulo a safe prime p, we have (x^2)^{(p+1)/4} ≡ ±x (mod p).
That is, we can efficiently map every x^2 ∈ QR_p to its positive square
root in {1, . . . , q},
thereby turning the DLP w.r.t. GenQR_safe into a OWP over Z_q.
p.328 – Discrete logarithm
• Remarks:
. So, if the RSA problem is an OWP w.r.t. the specific GenP2, none of
the above can be done efficiently; in particular, factorizing N given
(N, e) has to be hard.
• But: In general, it is not known if solely the conjecture that
factorizing N on input (N, e) is hard suffices for the RSA problem to
be an OWP. Only for the restricted setting of generic algorithms has this
been shown so far [3].
p.334 – Trapdoor one-way permutation collection
• Definition: A trapdoor one-way permutation (TDP)
F = (Gen, f, Smpl):
Informally, f_e treats its input {0,1}^n as a random bit string which it
uses to run Gen and Smpl.
p.336 – OWFs from comp. secret ES
• Lemma: Let E = (Gen_E, Enc, Dec) be a deterministic comp. secret
ES with Gen_E(1^n) ∈_u K_n = {0,1}^n and {0,1}^{2n} ⊆ M_n. Then the
following F = (Gen_F, Smpl, f) is a OWF:
Gen_F: on input 1^n, output I = m where m ∈_u {0,1}^{2n}, Dom_m = K_n,
and Rng_m = C_n.
Smpl: on input I = m, output k ∈_u {0,1}^n.
f: on input I = m and k ∈ {0,1}^n, output f_m(k) := Enc_k(m).
. Remark: As for comp. secrecy we only have to encrypt a single
message, we can make the coin tosses ρ of Enc external, and simply
supply Enc instead with the extended key k||ρ.
For similar reasons, we can assume that Gen_E(1^n) always generates a
random key chosen uniformly from {0,1}^n.
Then the above statement says that it has to be hard to find k||ρ even
when m and c = Enc_{k||ρ}(m) are known.
p.337 – OWFs from comp. secret ES*
• Proof: Let B be any PPT-algorithm which tries to invert F, i.e.
. A wins iff r = 1.
. m0 can be removed.
. Rearrange interaction into the game OWF.
p.339 – OWFs from comp. secret ES*
• Case b = 0:
Alice&Bob | A | B
run A(1^n)
m_0, m_1 ∈_u {0,1}^{2n}
return m_0, m_1
b ∈_u {0,1}; here b := 0
k ∈_u {0,1}^n
c := Enc_k(m_0)
run A(1^n, c)
run B(m_1, c)
return k'
if Enc_{k'}(m_1) = c: return r := 1
else: return r ∈_u {0,1}
. A wins iff r = 0.
. Again, collapse Alice&Bob and A.
p.341 – OWFs from comp. secret ES*
• Case b = 0: From B’s perspective:
Alice&Bob&A | B
m_0, m_1 ∈_u {0,1}^{2n}
k ∈_u {0,1}^n
c := Enc_k(m_0)
run B(m_1, c)
return k'
if Enc_{k'}(m_1) ≠ c: Win^{IndEd}_{n,E}(A) with prob. 1/2
else: ¬Win^{IndEd}_{n,E}(A)
• A wins iff B, on input (m_1, c), does not find some k' ∈ {0,1}^n with
Enc_{k'}(m_1) = c where c = Enc_k(m_0), and A guesses correctly:
Pr_{b=0}[Win^{IndEd}_{n,E}(A)] ≥ (1 − 2^{−n}) · 1/2.
• B can only find such a k' if m_1 ∈ D_c = {Dec_{k''}(c) | k'' ∈ {0,1}^n}.
. As m_1 ∈_u {0,1}^{2n} independently of m_0, the prob. for m_1 ∈ D_c is
|D_c| · 2^{−2n} ≤ 2^{−n}.
p.342 – OWFs from comp. secret ES*
• In total:
4 · Pr[Win^{IndEd}_{n,E}(A)] ≥ 2 · Pr[Win^{OWF}_{n,F}(B)] + (1 − Pr[Win^{OWF}_{n,F}(B)]) + (1 − 2^{−n}).
. Thus:
4 · (Pr[Win^{IndEd}_{n,E}(A)] − 1/2) + 2^{−n} ≥ Pr[Win^{OWF}_{n,F}(B)].
[Diagram of implications between: P ≠ NP; pseudorandom generator of stretch l(n) = 2n; comp. secret encryption of fixed length l(n) = 2n; one-way function; Factorization, DLP]
That is, P guesses the missing bits in order to run D, and assumes
that y_i = y'_i iff D thinks that y' has been generated by G.
p.347 – Hard-core predicates
. Recall: Any DPT-computable f with f({0,1}^n) = {0,1}^n for all
n ∈ N is unpredictable.
. Idea: Make a single bit hc(x) of information on x public.
G(x) := f(x)||hc(x)
Analogously, for a function collection: Then I := Gen(1^n),
x := Smpl(1^n) (both randomized), and both A and hc are also given the parameter I.
• Corollary:
Let f : {0,1}^* → {0,1}^* be a permutation on {0,1}^n for every n
with hard-core predicate hc. For every j ≥ 0 set
BM_j(x) := hc(f^{j−1}(x))||hc(f^{j−2}(x))|| . . . ||hc(f(x))||hc(x).
Then BM_{l(|x|)}(x) is a PRG for every polynomial l(n) > n, i.e. a PRG
of variable stretch.
• Ex: Show that G_l(x) := f^l(x)||BM_l(x) is a PRG of fixed stretch for
every fixed l polynomial in n.
• Discuss the advantages/disadvantages of also outputting f^l(x).
• In particular, consider the case when a TDP is used for f and the
resulting PRG is used within the prOTP.
• Remark: The result holds analogously for a permutation collection F
which has a hard-core predicate.
Simply replace f(x) by f_I(x) and hc(x) by hc_I(x) = hc(I, x) for
x ∈ Dom_I.
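Added example (not the lecture's code): the Blum–Micali generator BM_l(x) of the corollary and the G_l(x) of the exercise, instantiated with the permutation f_{(p,p−1,g)} of Z_{p−1} from the discrete-logarithm slides. Assumptions of the demo: a toy prime p = 23 with generator g = 5, far too small to be one-way, and hc(x) := [x < (p−1)/2] as hard-core predicate, which is the classical Blum–Micali choice for modular exponentiation and is not stated on the slide.

```python
# Added example (not the lecture's code): the Blum-Micali generator BM_l(x)
# of the corollary, instantiated with the slides' permutation
# f_{(p,p-1,g)}: Z_{p-1} -> Z_{p-1}, x -> (g^x mod p) mod (p-1), for a toy
# prime. Assumptions of this demo: p = 23, g = 5 (far too small to be
# one-way; only the structure is shown) and hc(x) := [x < (p-1)/2], the
# classical Blum-Micali hard-core predicate for modular exponentiation.

P, G = 23, 5          # 5 generates Z*_23, which has order 22


def f(x: int) -> int:
    """The slides' permutation of Z_{p-1}; only g^x = p-1 is moved (to 0)."""
    return pow(G, x, P) % (P - 1)


def hc(x: int) -> int:
    return 1 if x < (P - 1) // 2 else 0


def iterate(func, x: int, times: int) -> int:
    for _ in range(times):
        x = func(x)
    return x


def blum_micali(x: int, l: int) -> list:
    """BM_l(x) = hc(f^{l-1}(x)) || ... || hc(f(x)) || hc(x), as a list of bits.

    Bits are produced right-to-left (hc(x) first) and reversed at the end, so
    each step only needs the current f-iterate, not the whole chain.
    """
    bits = []
    for _ in range(l):
        bits.append(hc(x))
        x = f(x)
    return bits[::-1]


def fixed_stretch_prg(x: int, l: int):
    """G_l(x) := f^l(x) || BM_l(x) from the exercise (state plus output bits)."""
    return iterate(f, x, l), blum_micali(x, l)


def is_permutation() -> bool:
    return sorted(f(x) for x in range(P - 1)) == list(range(P - 1))


if __name__ == "__main__":
    print(is_permutation())
    print("".join(map(str, blum_micali(3, 40))))
    print(fixed_stretch_prg(3, 2))
```

The order in which the bits are emitted matters for the proof on the following slides: the predictor reads the output left to right, so hc(x) itself is the last bit it sees.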
p.351 – Proof of the Blum-Micali construction
hc(f^{l(n)−1}(x_0))||hc(f^{l(n)−2}(x_0))|| . . . ||hc(f^{l(n)−1−(i−2)}(x_0))
with x_0 ∈_u {0,1}^n and i ∈_u [l(n)], and computes a guess for the i-th bit,
i.e. hc(f^{l(n)−1−(i−1)}(x_0)).
• Observe: P predicts hc(x) if x_0 := f^{−l(n)+i}(x).
• May we choose x_0 in this way?
• As f is a permutation and x ∈_u {0,1}^n, also f^{−l(n)+i}(x) ∈_u {0,1}^n.
= Pr_{x_0, x = f^{l−i}(x_0)}[P(BM_{i−1}(f^{l−i+1}(x_0))) = hc(f^{l−i}(x_0))]
• Note the proof requires that the predictor sees hc(x) last, as it
reads from left to right.
. Ex: For G(x) = y_1 . . . y_l set G^R(x) = y_l . . . y_1.
Then G(·) is a PRG iff G^R(·) is a PRG.
. Corollary:
For f a OWP with hard-core predicate hc
[Diagram (figure residue) of implications between: Unpredictability; comp. secret encryption (|K| < |M|); Blum–Micali; Conjecture; DLP; one-way collection; PRG of poly. stretch]
Cryptographic hash function
p.358 – Hash and compression functions
• Definition:
• Definition:
• Example: DLP-CCF
Gen: on input 1^n, run GenQR_safe(1^n) to obtain (p, q, g), then choose
x ∈_u Z_q, and set r := g^x mod p. Output I = (p, q, g, r).
h: on input I = (p, q, g, r) and (u, v) ∈ Z_q × Z_q output
h_{(p,q,g,r)}(u, v) := g^u · r^v mod p.
• Assume that 2^n ≤ q ≤ p ≤ 2q + 1 ≤ 2^{n+1} − 1.
• If r = 1, output x = 0.
z^(0) := IV and z^(i) := h(z^(i−1)||m^(i)) for pad_MD(m) = m^(1)|| . . . ||m^(t).
[Diagram: Merkle–Damgård iteration, IV → h → h → h → h → H_IV(m)]
• Theorem: [68]
[Diagram: Merkle–Damgård iteration, IV → h → h → h → h → H_IV(m)]
• Currently recommended:
[Diagram (figure residue) relating: coll-res. CHF [82], UOWHF, MD [83], GenQR_safe with hc/BM, DLP OWPs, GenZ*_safe, GenQR_safe]
Public-key schemes
p.375 – Motivation
• Main drawbacks of private-key ES and MACs:
(i) Key distribution:
Either Alice and Bob have to meet in person from time to time in order
to generate a new secret key;
or one of the two generates the key which then has to be securely
transfered to the other.
(ii) Key storage (Number of keys):
Given n parties, we need to generate n2 secret keys in total; every
• The private key and the ability bestowed by it identify Bob (except
for negl. prob.) and its secrecy has only to be guaranteed by Bob.
• The public key is given to everyone, e.g., stored in a public directory.
. The original proposal of Diffie and Hellman was to use it as a key for
a private-key ES(+MAC).
. Problem: Most ES and MAC, like AES-rCTR, AES-CBC-MAC,
AES-OFB, require that k ∈_u {0,1}^n for their security.
How to obtain from g^{ab} a secret uniformly distributed random key?
• Note that Eve knows g^a and g^b, and, thus, has some information on k.
• As already sketched, we have to assume that Eve does not attack the
communication between Alice and Bob itself.
. I.e. Eve can only eavesdrop on the exchanged messages and has
further access to the public key and, in the CCA-setting, oracle access
to the decryption instantiated for Bob’s private key.
• Lemma: El Gamal is not CCA-secure.
. Proof:
If c = (u, v) is a ciphertext, then (u, v · x) for any x ∈ G is again an
admissible ciphertext which Eve may now decrypt using her oracle.
Multiplying with x^{−1} yields the original plaintext.
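Added example (not from the slides): El Gamal over G = QR_p for a small safe prime, the DH element it is built on, the homomorphic property the proof of the lemma uses, namely that (u, v) ↦ (u, v · x) is a valid encryption of m · x, and a hashed KDF in the spirit of the key-derivation discussion later on. The parameters p = 23, q = 11, g = 4 and SHA-256 as the KDF are assumptions of the demo; the sizes are toy sizes.

```python
# Added example, not from the slides: El Gamal over G = QR_p for a small
# safe prime (toy parameters, not secure sizes), the Diffie-Hellman shared
# element it is built on, the malleability the lemma's proof uses
# ((u, v) -> (u, v*x) decrypts to m*x), and a hashed KDF as the way of
# turning g^ab into a key string.
import hashlib
import secrets

P, Q, G = 23, 11, 4       # safe prime p = 2q + 1; 4 = 2^2 generates QR_23 (order 11)


def group_elements() -> frozenset:
    """QR_p = {x^2 mod p | x in Z*_p} = <G>, the message space M_(G,q,g,h)."""
    return frozenset(pow(x, 2, P) for x in range(1, P))


def keygen(b: int = None):
    """Bob: private b in {1, ..., q-1}, public h = g^b."""
    b = secrets.randbelow(Q - 1) + 1 if b is None else b
    return b, pow(G, b, P)


def dh_shared(a: int, h: int) -> int:
    """Alice's side of the DH exchange: k = h^a = g^ab."""
    return pow(h, a, P)


def encrypt(h: int, m: int, a: int = None):
    """Enc_h(m) = (g^a, h^a * m) with a uniform in Z_q; m must lie in QR_p."""
    assert m in group_elements(), "message must be encoded as a group element"
    a = secrets.randbelow(Q) if a is None else a
    return pow(G, a, P), dh_shared(a, h) * m % P


def decrypt(b: int, c) -> int:
    u, v = c
    return v * pow(u, -b, P) % P          # (g^a)^(-b) * g^ab * m = m


def multiply_ciphertext(c, x: int):
    """The transformation from the lemma's proof: (u, v*x) encrypts m*x."""
    u, v = c
    return u, v * x % P


def derive_key(shared: int, length: int = 16) -> bytes:
    """KDF K(k): hash the group element instead of using its bits directly."""
    width = (P.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()[:length]


if __name__ == "__main__":
    b, h = keygen()
    c = encrypt(h, 9)
    print(c, decrypt(b, c), decrypt(b, multiply_ciphertext(c, 3)))   # ..., 9, 4
    print(derive_key(dh_shared(5, h)).hex())
```

The decryption of the modified ciphertext differs from m by the known factor x, which is exactly what rules out CCA-security here, and why the plaintext needs to be a group element (the assertion in encrypt).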
p.391 – Security of the DH protocol and El Gamal
• So, the best we can hope for is CPA-security.
• See [35] for a PKES CCA-secure relative to the DDH problem (using
the DLP hash function family).
• Certainly, the DLP needs to be hard relative to GenG_cyc in order to
prevent Eve from computing a, b from g^a, g^b.
But this does not suffice for CPA-security.
• As motivated, El Gamal can be understood as the DH protocol plus
the idea to use the shared secret group element k as pseudorandom
one-time pad.
. The decisional Diffie-Hellman problem formalizes exactly the
requirement that k = g ab is pseudorandom, i.e.:
Although PPT-Eve knows the public information (G, q, g), g^b, and g^a,
she cannot distinguish the secret g^{ab} from truly random x ∈_u G.
p.392 – Decisional Diffie-Hellman problem
• Definition: Let GenG_cyc be a DLP-generator.
. See [26] for an overview on the results regarding the DDH problem.
p.393 – CPA-security of El Gamal: Proof outline
The proof works essentially the same as the one for the
pseudorandom OTP.
The distinguisher D gets (G, q, g, g_1, g_2, g_3),
and simulates the CPA-game vs. an attack on El Gamal.
To this end it passes (G, q, g, g_1) to A as public key,
and encrypts m_b as (g_2, g_3 · m_b).
. Ex: Complete the proof.
p.394 – The DDH problem vs. the DLP
• The preceding result guarantees that the hardness of the DDH
problem is sufficient for the CPA-security of El Gamal.
• Obviously:
“DDH hard (G, q, g) ⇒ DLP hard” w.r.t. the same (G, q, g).
. But there are groups for which the DDH is easy, while the DLP is still
conjectured to be hard [54]:
. For instance, consider G = ⟨g⟩ = Z*_p with p prime.
• Let a, b, r ∈_u Z_{p−1} = {0, 1, . . . , p − 2}.
• See [26, 54] for more examples, in particular, w.r.t. elliptic curves.
p.396 – The DDH problem vs. the DLP
. There are families of groups w.r.t. which “DLP ≡_PPT CDH” but
“DDH easy”. See [54].
p.398 – El Gamal in practice
• Recall: M_{(G,q,g,h)} = G is the message space of El Gamal.
• As El Gamal is CPA-secure, we can obtain from it a CPA-secure
PKES for Σ^+.
• Alice splits the message m into blocks m^(i) which can be encoded in G.
. She then chooses for every block m^(i) a random element a^(i) ∈_u Z_q and
sends (g^{a^(i)}, h_B^{a^(i)} · m^(i)) to Bob.
• Downside:
• Recall that the DH protocol allows Alice and Bob to share a secret
random group element k = g^{ab}.
. The idea therefore is to use some “randomness extractor” K to
obtain from k, ideally, a uniformly distributed string K(k) ∈_u {0,1}^l
with l sufficiently large.
. Often, K is called a key derivation function (KDF).
• The so-called “leftover hash lemma”
• A part of the proof that a PRG can be constructed from any
OWF [52].
. The intuition is that the KDF K (resp. the underlying hash function)
obfuscates the relation between x and K(x), s.t. the only practical
way for PPT-Eve to obtain K(x) is to compute x, i.e., to solve CDH.
. But right now, it is not known how to prove that this intuition is
correct using standard assumptions on hash functions like
collision-resistance or “one-wayness”.
p.404 – The random oracle model
• As a “sanity check” we can consider the following idealized setting:
. The only way for Eve to obtain K(g^{ab}) – except for guessing – is then
to know g^{ab}.
• In this idealized setting, called random oracle model (ROM), one can
show formally that Eve is indeed forced to solve the CDH problem,
making also Z*_p a reasonable choice again.
• See e.g. here (slide 134).
p.405 – The random oracle model
• Bellare and Rogaway propose in [16] to use the ROM as a heuristic
for obtaining more efficient cryptographic constructions.
• Yet, obviously security crucially depends on the choice of the
deterministic function K used for instantiating the random oracle.
• Bad choice: K(x) := 0^l for all x.
• exp_e^{−1} = exp_d for ed ≡ 1 (mod λ).
Z_pq ≅ Z_p × Z_q and Z*_pq ≅ Z*_p × Z*_q
h(x^d) = (x^{d mod (p−1)} mod p, x^{d mod (q−1)} mod q) for all x ∈ Z_N, k ∈ Z.
Dec: given (y, c) and dk, sets l := |c|, computes x := f_{ek}^{−l}(y) using
td, and finally outputs m := c ⊕ BM_l(x).
• Theorem:
• There exist problems which are conjectured to yield lossy TDFs and for
which no efficient algorithm, not even for quantum computers is
currently known – in contrast to factorization or discrete logarithm.
p.419 – Minimal assumptions for secure PKES
[Diagram (figure residue): RSA TDP, labelled “conj.”]
• Rabin (1979):
The shared secret k allows Alice and Bob to verify that a received
message m has originated from one of the two by means of the
supplied MAC-tag t.
In particular, if Eve tries to manipulate m, the origin of the message
changes from Alice/Bob to Eve.
. Downside:
Alice resp. Bob cannot prove to a third party that a given message
(m, t) has been created explicitly by Bob resp. Alice.
• Possible fix:
• Definition:
A DSS (Gen, Sgn, Vrf) is secure if every PPT-attack A succeeds only
with negligible prob. ε_A(n) in the following experiment for every n:
1. Alice runs Gen(1^n) to obtain sk and vk.
She passes vk directly to Eve, while only admitting her oracle access to
Sgn_sk.
The oracle remembers the queries made by Eve in some list Q.
2. Eve runs A^{Sgn_sk}(vk) to obtain a message m and a signature σ.
. Eve succeeds if (1) Vrf_vk(m, σ) = 1 and (2) m ∉ Q.
• The definition essentially copies the definition of secure MAC.
p.425 – DSS: Security – Remarks
• Minimal assumption for secure DSSs:
• As for PKES: obtaining sk needs to be infeasible (OWF).
. Nonces.
• As for PKES, the definition does not consider the setting where Eve
tries to attack the distribution of vk. (No man-in-the-middle.)
• I.e., Alice still has to solve the problem of how to transmit vk securely
to Bob.
. Certificates/public-key infrastructure (PKI).
p.426 – Certificates and PKI
• One important use of DSS is the secure distribution of public keys
under the assumption that a single trusted party, called the certificate
authority (CA), exists:
• The CA (a) guarantees the secure distribution of its own public
verification key vk_CA, (b) binds an entity A to its public key pair
(ek_A, vk_A) by signing a certificate using sk_CA, and (c) everyone trusts
these certificates:
• Say, Bob has generated (ek_B, dk_B, sk_B, vk_B).
• She then uses the trusted vk_CA to validate that cert_{CA→B} was indeed
generated by the CA, perhaps also checks on the CA’s webpage that cert_{CA→B}
(Cert-ID) has not been revoked, and extracts ek_B from cert_{CA→B}.
p.427 – Certificates and PKI
• Extension: several CAs allow one to:
• pick the certificate from the CA you trust the most.
• transfer trust:
where e.g. m =
“I, CA_1, trust all certificates issued by CA_2 using the public keys (ek_{CA_2}, v
. Leads to certificate chains:
If Alice trusts CA_1, and CA_1 trusts CA_2, then the certificate chain
cert_{CA_1→CA_2}, cert_{CA_2→B} allows her to obtain a trusted copy of ek_B.
• Generalization: web of trust (or “everyone is a CA”)
• Alice obtains cert_{U_1→B}, . . . , cert_{U_l→B}, and decides based on her
experience how much she trusts each user U_i resp. vk_{U_i}, to obtain
some accumulated trust in the obtained keys, and chooses the most
trusted one.
p.428 – Certificates and PKI
• Assuming a single trustworthy CA and that Alice stores sk_A safely,
non-repudiation can be achieved:
If Alice attaches t := Sgn_{sk_A}(m) to a message m sent to Bob, with
vk_A certified by cert_{CA→A}, Bob can prove to any other party that
(m, t) was indeed generated by Alice.
• But if Eve somehow obtains Alice’s secret sk_A (w/o her noticing it),
Eve can impersonate her.
• Possible solution: Store the private keys exclusively on a sufficiently
secured smart card, and do all computations requiring the private keys
on the smart card. See e.g. Common Access Card.
Set g_1(x) to be the first k bits of g(x), and g_2(x) the remaining
n − k − l − 1 bits, s.t. g(x) = g_1(x)g_2(x).
Gen: standard RSA generator for (N, e, d) with N ∈ [2^{n−1}, 2^n) and
sk := (N, d), vk := (N, e).
• Admissible messages: {0,1}^*
Sgn: given m ∈ {0,1}^*, choose r ∈_u {0,1}^k, compute w = h(m||r),
then r* = r ⊕ g_1(w) and interpret x = 0||w||r*||g_2(w) as an integer
in Z_N (msbf). Output Sgn_{(N,d)}(m) := x^d mod N.
Vrf: Ex.
• See PKCS #1 v2.1 for concrete values for k, l.
p.435 – El Gamal’s DSS
• El Gamal proposed in [39] also a stateful DSS:
• Keys: Let p be a prime and g a generator of Z*_p. Choose x ∈_u Z*_{p−1} and
set y := g^x mod p.
Then sk = (p, g, x) and vk := (p, g, y).
• Signing: Given m ∈ Z_p, choose first k ∈_u Z*_{p−1}; set r := g^k mod p; and
compute s := (m − x · r) · k^{−1} mod (p − 1). Output (r, s).
• Verification: Given (r, s), check that g^m ≡ y^r r^s (mod p).
• El Gamal’s DSS requires that the DLP is hard on Z*_p. But it is not
known if this is already sufficient.
• [39] notes that k must be kept secret and never used twice for signing
a message for a fixed private key sk = (p, g, x). (See DSA later.)
• For instance, remember the number of messages signed so far, and use
a PRF F as PRG to obtain from a secret random k the k_i := F_k(i)
used in the i-th signature.
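Added example (not the slide's code): El Gamal's DSS with the stateful nonce handling just described: the signer keeps a counter of the messages signed so far and derives k_i := F_k(i), with HMAC-SHA256 standing in for the PRF F (an assumption of the demo), plus a check that flags repeated r values under one key. p = 23 and g = 5 are toy parameters.

```python
# Added example (not the slide's code): El Gamal's DSS over Z*_p with the
# stateful nonce handling the slide recommends: the signer keeps the number
# of messages signed so far and derives k_i := F_k(i) with a PRF F
# (HMAC-SHA256 stands in for F here, an assumption of this demo), so the
# same k is never used twice under one private key. Toy prime p = 23.
import hashlib
import hmac
import secrets
from math import gcd

P, G = 23, 5          # 5 generates Z*_23; sizes are toy, not secure


def keygen(x: int = None):
    units = [a for a in range(1, P - 1) if gcd(a, P - 1) == 1]   # Z*_{p-1}
    x = secrets.choice(units) if x is None else x
    return (P, G, x), (P, G, pow(G, x, P))                       # sk, vk


class Signer:
    def __init__(self, sk, prf_key: bytes = None):
        self.sk = sk
        self.counter = 0                                         # messages signed so far
        self.prf_key = secrets.token_bytes(32) if prf_key is None else prf_key

    def nonce(self, i: int) -> int:
        """k_i := F_k(i), mapped into Z*_{p-1} by rejection on an attempt tag so
        that k^-1 mod (p-1) exists; deterministic in (key, i)."""
        attempt = 0
        while True:
            tag = hmac.new(self.prf_key, f"{i}:{attempt}".encode(), hashlib.sha256).digest()
            k = int.from_bytes(tag, "big") % (P - 1)
            if k != 0 and gcd(k, P - 1) == 1:
                return k
            attempt += 1

    def sign(self, m: int):
        p, g, x = self.sk
        k = self.nonce(self.counter)
        self.counter += 1                                        # state update
        r = pow(g, k, p)
        s = (m - x * r) * pow(k, -1, p - 1) % (p - 1)
        return r, s


def verify(vk, m: int, sig) -> bool:
    """Check g^m == y^r * r^s (mod p)."""
    p, g, y = vk
    r, s = sig
    return 0 < r < p and pow(g, m, p) == pow(y, r, p) * pow(r, s, p) % p


def nonce_reused(signatures) -> bool:
    """Defensive check: two signatures under one key sharing r share k."""
    rs = [r for r, _ in signatures]
    return len(rs) != len(set(rs))


if __name__ == "__main__":
    sk, vk = keygen()
    signer = Signer(sk)
    sigs = [signer.sign(m) for m in (7, 7, 12)]
    print(sigs, [verify(vk, m, s) for m, s in zip((7, 7, 12), sigs)])
    print("repeated r:", nonce_reused(sigs))
```

Because the counter is part of the signer's state, two signatures on the same message get different k_i; with a real-sized p a repeated r among signatures would be a sign of broken state (e.g. a restored backup), which is what nonce_reused is for.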
p.436 – El Gamal’s DSS
• [39] also shows how to efficiently forge a valid tag for a new message:
• Let (m, r, s) be a valid message-tag pair.
• Definition: DSA
Let
• h_n : {0,1}^* → {0,1}^{l(n)} be a CRHF family, and
Gen: given 1^n,
1. Run GenG_DSA(1^n) to obtain (p, q, g).
2. Choose x ∈_u Z*_q.
3. Compute y := g^x mod p.
4. Output sk := (p, q, g, x) and vk := (p, q, g, y).
p.438 – DSA
• Definition: DSA (cont’d)
Sgn: given m ∈ {0,1}^* and (p, q, g, x),
1. Choose k ∈_u Z*_q.
• Also for DSA the random k must be kept secret and must not be
used twice:
• Ex: For given security parameter n let h be a fixed hash function, and
sk = (p, q, g, x) and vk = (p, q, g, y).
Now, let m_1, m_2 be two plaintexts with h(m_1) ≠ h(m_2). Assume that
the same k is used for signing both messages s.t. Sgn_sk(m_1) = (r, s_1)
and Sgn_sk(m_2) = (r, s_2). Further, assume that r ≠ 0.
Show how to obtain the signing key sk.
• For El Gamal this works similarly, but becomes a bit more difficult as
the group is not of prime order (no field).
• See here, and here for an example of this attack.
• Also when only a few bits of each k are revealed in each signature, the
private key can be obtained, see, e.g., [21] or here.
p.441 – CCA-security from CPA-security and secure DSS?
• Recall: CPA-secure ES + secure MAC yields CCA-secure ES via
Enc-then-Mac.
• Analogous construction Enc-then-Sgn for PKES (Gen_ES, Enc, Dec)
and DS (Gen_DS, Sgn, Vrf):
• Gen(1^n): runs Gen_ES(1^n) and Gen_DS(1^n) to obtain ek, dk, sk, vk.
The public key is then vek = (vk, ek), while the private key becomes
sdk = (sk, dk).
• SgnEnc: given m, the sender uses his private sk_S and the receiver’s public
ek_R to compute Sgn_{sk_S}(Enc_{ek_R}(m)).
• DecVrf: given (c, t), the receiver uses his private dk_R and the sender’s
public vk_S to compute Dec_{dk_R}(c) only if Vrf_{vk_S}(c, t) = 1; otherwise ⊥.
• An, Dodis, Rabin show in [4] that in general this construction does
not yield a CCA-secure PKES, even if the underlying PKES is
CCA-secure and the DS is secure.
• But they argue that this is mainly an artifact of the (too) strong notion of
IND-CCA2.
Elliptic Curves
p.443 – Motivation
• Recall: G ≅ ⟨Z_{|G|}, +, 0⟩.
there is some particular bad representation G of ⟨Z_N, +, 0⟩ which
makes the algorithm run in O(2^{n/2}) with N ≈ 2^n prime.
• For the precise, more general statement, see [86].
• For Z*_p the non-generic index calculus method can be used, which runs
in subexponential time 2^{O(√(n · log n))} (assuming p ≈ 2^n).
. The runtime of the index calculus method bounds from below the size of
p for which Z*_p can be used securely.
p.445 – Motivation
• E.g., Menezes, Okamoto, Vanstone show in [65] how solving the DLP
on elliptic curves over GF(q) can be reduced to solving the DLP in
GF(q^k) where k is some constant depending on the particular curve.
. This reduction – although exponential in k – rules out certain
“supersingular” elliptic curves.
p.446 – Elliptic curves: Definition
• Definition: Let F = ⟨F, +, ·, 0, 1⟩ be a field.
• Definition: (char(F) ≠ 2, 3)
y^2 ≡ x^3 + x + 1 (mod 11).
x:    0    1    2    3    4    5    6    7    8    9   10
y^2:  1    3    0    9    3   −1    3   −1    4    2   −1
y:   ±1   ±5    0   ±3   ±5    ⊥   ±5    ⊥   ±2    ⊥    ⊥
p.449 – Elliptic curves: Group structure
• Definition: Let E = E(F, a, b) for char(F) ≠ 2, 3, ∆_{a,b} ≠ 0.
x_R := m^2 − x_P − x_Q and y_R := m(x_P − x_R) − y_P.
• Else: R := O.
• Projective coordinates, e.g. x := u/w, y := v/w, allow one to reduce the
number of inversion operations.
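Added example (not the lecture's code): the curve y^2 = x^3 + x + 1 over Z_11 from the table, point enumeration and the chord-and-tangent addition with the formulas above. The double-and-add scalar multiplication and the point-order routine are additions of the demo for checking the group structure; the names are the demo's own.

```python
# Added example (not the lecture's code): the curve y^2 = x^3 + x + 1 over
# Z_11 from the table, point enumeration (y is "bottom" exactly when y^2 is a
# non-residue) and the chord-and-tangent group law with the slide's formulas
# x_R := m^2 - x_P - x_Q, y_R := m(x_P - x_R) - y_P.
PRIME, A, B = 11, 1, 1
O = None                          # point at infinity, the neutral element


def on_curve(pt) -> bool:
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % PRIME == 0


def points() -> list:
    """All affine points of E(Z_11, 1, 1) plus O."""
    return [O] + [(x, y) for x in range(PRIME) for y in range(PRIME) if on_curve((x, y))]


def neg(pt):
    return O if pt is O else (pt[0], (-pt[1]) % PRIME)


def add(p1, p2):
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (xP, yP), (xQ, yQ) = p1, p2
    if xP == xQ and (yP + yQ) % PRIME == 0:
        return O                                      # P + (-P) = O, incl. doubling with yP = 0
    if p1 == p2:
        m = (3 * xP * xP + A) * pow(2 * yP, -1, PRIME) % PRIME    # tangent slope
    else:
        m = (yQ - yP) * pow(xQ - xP, -1, PRIME) % PRIME           # chord slope
    xR = (m * m - xP - xQ) % PRIME
    yR = (m * (xP - xR) - yP) % PRIME
    return (xR, yR)


def mul(n: int, pt):
    """n-fold sum by double-and-add."""
    result, addend = O, pt
    while n:
        if n & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        n >>= 1
    return result


def point_order(pt) -> int:
    k, acc = 1, pt
    while acc is not O:
        acc = add(acc, pt)
        k += 1
    return k


if __name__ == "__main__":
    pts = points()
    print(len(pts), pts)                       # 14 points including O
    print(add((0, 1), (1, 5)), point_order((0, 1)))
```

The table gives 13 affine points, so the group has order 14; since every group of order 14 is cyclic, exactly ϕ(14) = 6 points have full order, and the single point with y = 0, (2, 0), is the one element of order 2.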
p.450 – Geometric interpretation for F = R: Finite case
⁵ Resp. 2^B ≢ 1 (mod N) for 1 ≤ B ≤ 100m.
p.455 – Elliptic curves in cryptography
for
R(x, y) = (1 − k^2 x^2)/y and P(x) = (1 − k^2 x^2)(1 − x^2).
p.458 – Why “elliptic”?
8a ∫_{x=0}^{1} dx/√(1 − x^4) with R(x, y) = 1/y, P(x) = 1 − x^4.
• Using Abel’s addition theorem for elliptic functions, one can show
that P, Q, −(P ⊕ Q) are always collinear
. Hence, Pr[C] ≥ 1 − e^{−(q choose 2)/N} ≥ (q choose 2)/(2N).
Finite fields
p.468 – Motivation: Reversible operations on bit-strings
0101 · 1011
≙ (X + X^3) · (1 + X^2 + X^3) (mod 2)
= X + 2X^3 + X^4 + X^5 + X^6 (mod 2)
= X + X^4 + X^5 + X^6
≙ 0100111
• · distributes over +.
0 · a = (1 − 1) · a = 1a − 1a = a − a = 0
• Example: R, Q, C are fields, Z is an integral domain.
p.472 – Rings and Fields
• Example: ⟨Z_N, +, ·, 0, 1⟩ is a finite commutative ring for any natural
number N > 0. It is a field iff N is prime.
• If N is prime, then Z*_N = Z_N \ {0}.
1 + . . . + 1 (n times) = 0,
and
(Σ_{i=0}^{d} a_i · X^i) · (Σ_{j=0}^{e} b_j · X^j) = Σ_{k=0}^{d+e} (Σ_{i+j=k} a_i · b_j) · X^k
0101 ≙ X + X^3 ≙ 2 + 8 = 10 and 1011 ≙ 1 + X^2 + X^3 ≙ 1 + 4 + 8 = 13.
Hence: 10 · 13 = 114 over Z_2[X].
p.475 – Multiplication of bit-strings
• We can identify Z_2^l with the set of all polynomials in Z_2[X] of degree
less than l.
. Simply restricting multiplication over Z_2[X] to degree less than l
does not yield a reversible multiplication:
Assume l = 4:
0100 · 0001 ≙ X · X^3 = X^4 ≙ 00001 ≙ 0000.
I.e. there are again zero divisors.
• Just as Z_N is a field only if N is prime, we need to “truncate”
polynomials modulo irreducible polynomials.
• Definition: A polynomial m(X) ∈ Z_N[X] is reducible if there exist
polynomials p(X), q(X) ∈ Z_N[X] \ Z_N s.t. m(X) = p(X) · q(X).
A polynomial m(X) ∈ Z_N[X] is irreducible if it is not reducible.
p.476 – Irreducible polynomials and finite fields
• Remark: If F is a field, then polynomial division works over F[X] just
as over the reals.
In particular, given a non-zero polynomial m(X) ∈ F[X] \ {0} we can
reduce any other polynomial a(X) ∈ F[X] modulo m(X) over F.
That is, there are unique polynomials t(X), r(X) such that
0100111 ≙ X + X^4 + X^5 + X^6
− 0011001 ≙ X^2 · m(X)
= 0111110 ≙ X + X^2 + X^3 + X^4 + X^5
− 0110010 ≙ X · m(X)
= 0001100 ≙ X^3 + X^4
− 1100100 ≙ X^0 · m(X)
= 1101000 ≙ 1 + X + X^3
Elements of Z_2[X]/m(X): 0, 1, X, 1 + X.
We need to have X^{−1} ≡ 1 + X (mod m(X)).
p.480 – Irreducible polynomials and finite fields
• Example: Consider $\mathbb{Z}_2[X]$.
$m(X) := 1 + X + X^4$ is irreducible.
Multiplicative inverse of $a(X) = 1 + X$ modulo $m(X) := 1 + X + X^4$ over $\mathbb{Z}_2$, using Euclid's algorithm:
• $a(X) = 1 + X$, $b(X) = 1 + X + X^4$ with $b(X) = a(X)\,(X^3 + X^2 + X) + 1$.
• $a(X) = 1$, $b(X) = 1 + X$ with $1 = \gcd(a(X), b(X)) = 1 \cdot a(X) + 0 \cdot b(X)$ yields $(u(X), v(X)) = (1, 0)$.
• $a(X) = 1 + X$, $b(X) = 1 + X + X^4$ yields $(u(X), v(X)) = (0 - (X^3 + X^2 + X) \cdot 1,\; 1)$, i.e. $(1 + X)^{-1} \equiv X + X^2 + X^3 \pmod{m(X)}$, since $-1 = 1$ over $\mathbb{Z}_2$.
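The bit-string arithmetic of these slides, as an added worked example (not code from the lecture notes): a polynomial over $\mathbb{Z}_2$ is stored as a Python int whose bit $i$ is the coefficient of $X^i$, which matches the slides' least-significant-bit-first strings; multiplication is carry-less, reduction is the long division shown above, and the inverse comes from the extended Euclidean algorithm. The trial-division irreducibility test and the AES modulus $X^8 + X^4 + X^3 + X + 1$ used in the usage note are my additions, not from the slides.

```python
# Arithmetic in Z_2[X], with a polynomial stored as a Python int whose bit i is
# the coefficient of X^i.  The slides write bit strings least-significant
# coefficient first, so the string "0101" is X + X^3, i.e. the integer 2 + 8 = 10.

def bits_to_int(s: str) -> int:
    """Slide-style (LSB-first) bit string -> integer, e.g. "0101" -> 10."""
    return sum(1 << i for i, c in enumerate(s) if c == "1")

def degree(a: int) -> int:
    """Degree of the polynomial a; the zero polynomial gets degree -1."""
    return a.bit_length() - 1

def poly_mul(a: int, b: int) -> int:
    """Carry-less product in Z_2[X] (no reduction), e.g. 10 * 13 -> 114."""
    result = 0
    while b:
        if b & 1:
            result ^= a          # coefficient arithmetic is XOR over Z_2
        a <<= 1
        b >>= 1
    return result

def truncated_mul(a: int, b: int, l: int) -> int:
    """The non-reversible 'multiplication' of the slides: drop terms of degree >= l."""
    return poly_mul(a, b) & ((1 << l) - 1)

def poly_divmod(a: int, m: int):
    """Long division: returns (t, r) with a = t*m + r and deg r < deg m,
    exactly the subtract-a-shifted-copy-of-m(X) procedure shown on the slides."""
    if m == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    t, dm = 0, degree(m)
    while a and degree(a) >= dm:
        shift = degree(a) - dm
        t ^= 1 << shift          # quotient term X^shift
        a ^= m << shift          # subtract X^shift * m(X)
    return t, a

def poly_ext_gcd(a: int, b: int):
    """Extended Euclid in Z_2[X]: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1     # invariants: a = u0*A + v0*B, b = u1*A + v1*B
    while b:
        q, r = poly_divmod(a, b)
        a, b = b, r
        u0, u1 = u1, u0 ^ poly_mul(q, u1)
        v0, v1 = v1, v0 ^ poly_mul(q, v1)
    return a, u0, v0

def poly_inverse(a: int, m: int) -> int:
    """a^{-1} modulo m(X); exists iff gcd(a, m) = 1, which m irreducible guarantees."""
    g, u, _ = poly_ext_gcd(a, m)
    if g != 1:
        raise ValueError("not invertible modulo m(X): gcd is not 1")
    return poly_divmod(u, m)[1]

def is_irreducible(m: int) -> bool:
    """Trial division by every polynomial of degree 1..deg(m)//2 (fine for small
    degrees; this is not the polynomial-time test of Shoup [87])."""
    d = degree(m)
    if d <= 0:
        return False
    return all(poly_divmod(m, p)[1] != 0 for p in range(2, 1 << (d // 2 + 1)))
```

With `m = 19` (the slides' $1 + X + X^4$), `poly_divmod(114, 19)` returns the quotient $X^2 + X + 1$ and the remainder $1 + X + X^3$ of the long division above, and `poly_inverse(3, 19)` is $X + X^2 + X^3$ as the Euclid example computes. The same functions run unchanged on the AES field: `poly_inverse(0x53, 0x11B)` gives `0xCA`, the inverse that the AES S-box is built from. The practical point of the slides is visible in `truncated_mul`: without reduction modulo an irreducible polynomial, products of non-zero elements can vanish, so no inverse exists.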
• Shoup shows in [88] that we can limit the search for a primitive polynomial in DPT to a polynomial-sized set of polynomials.
But testing whether a polynomial in this set is primitive currently requires us to know the factorization of $\varphi(p^n - 1)$, just as for any cyclic group in general.
• Shparlinski shows in [85] how to find a primitive element in $GF(p^n)$ in time $O(p^{1/4}\, n)$ (neglecting logarithmic factors).
p.485 – Primitive elements and polynomials
Then: (i) $\langle a\rangle = \langle b\rangle$ iff $o_a = o_b$, and (ii) there are exactly $\varphi(d)$ many elements of order $d$ for $d \mid M$.
• Proof:
. $G \cong \mathbb{Z}_M$. So, it suffices to prove the claims w.r.t. $\mathbb{Z}_M$.
. Part (i): If $\langle a\rangle = \langle b\rangle$, then $o_a = o_b$.
If $o_a = o_b$, then by the preceding result: $\gcd(a, M) = \gcd(b, M)$, and $\langle a\rangle = \langle \gcd(a, M)\rangle = \langle \gcd(b, M)\rangle = \langle b\rangle$.
. Part (ii): Let $d \mid M$. Then $\gcd(\tfrac{M}{d}, M) = \tfrac{M}{d}$.
By the preceding result: $\tfrac{M}{d}$ has order $d$.
By part (i), $\langle \tfrac{M}{d}\rangle$ is the unique subgroup of order $d$.
As $\langle \tfrac{M}{d}\rangle \cong \mathbb{Z}_d$ and $\mathbb{Z}_d$ has $\varphi(d)$ many generators, part (ii) follows.
p.490 – Structure of finite cyclic groups
• Example:
. $\mathbb{Z}_{11}^* \cong \mathbb{Z}_{10}$.
. The elements of order $o$ of $\mathbb{Z}_{10}$ are $\{a \in \mathbb{Z}_{10} \mid \gcd(a, 10) = \tfrac{10}{o}\}$:
• Order 1: 0
• Order 2: 5
• Order 5: 2, 4, 6, 8
• Order 10: 1, 3, 7, 9
. The corresponding elements of $\mathbb{Z}_{11}^*$ (via the generator 2, $a \mapsto 2^a$):
• Order 2: $2^5 \equiv -1 \equiv 10$
• Order 5: $2^2 \equiv 4$, $2^4 \equiv 5$, $2^6 \equiv 9$, $2^8 \equiv 3$
• Order 10: $2^1 \equiv 2$, $2^3 \equiv 8$, $2^7 \equiv 7$, $2^9 \equiv 6$
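The structure just described, computed rather than read off, as an added example that is not part of the lecture notes: the additive orders in $\mathbb{Z}_{10}$ via $\gcd(a, M) = M/o$, the multiplicative orders in $\mathbb{Z}_{11}^*$ by brute force, and a check of claim (ii), that a cyclic group of order $M$ has exactly $\varphi(d)$ elements of order $d$ for every $d \mid M$, for several primes. The function names are mine.

```python
from math import gcd

def euler_phi(n: int) -> int:
    """phi(n) = number of units in Z_n = number of generators of Z_n."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)

def divisors(n: int):
    return [d for d in range(1, n + 1) if n % d == 0]

def additive_elements_by_order(M: int) -> dict:
    """Z_M: the elements of additive order o are {a : gcd(a, M) = M/o}."""
    table = {}
    for a in range(M):
        table.setdefault(M // gcd(a, M), []).append(a)
    return table

def mult_order(a: int, n: int) -> int:
    """Multiplicative order of the unit a in Z_n^* (brute force)."""
    if gcd(a, n) != 1:
        raise ValueError("not a unit modulo n")
    k, x = 1, a % n
    while x != 1:
        x, k = (x * a) % n, k + 1
    return k

def units_by_order(n: int) -> dict:
    """Group the units of Z_n^* by their multiplicative order."""
    table = {}
    for a in range(1, n):
        if gcd(a, n) == 1:
            table.setdefault(mult_order(a, n), []).append(a)
    return table

def subgroup(g: int, n: int):
    """The cyclic subgroup <g> of Z_n^*, as a sorted list."""
    elems, x = set(), 1
    while x not in elems:
        elems.add(x)
        x = (x * g) % n
    return sorted(elems)

def phi_counts_hold(p: int) -> bool:
    """For prime p, Z_p^* is cyclic of order p-1, so claim (ii) says there are
    exactly phi(d) elements of order d for every d | p-1."""
    table = units_by_order(p)
    return all(len(table.get(d, [])) == euler_phi(d) for d in divisors(p - 1))

def generators(p: int):
    """Generators of Z_p^* = the elements of maximal order p-1."""
    return units_by_order(p).get(p - 1, [])
```

`units_by_order(11)` reproduces the slide's table (order 5: 3, 4, 5, 9; order 10: 2, 6, 7, 8), and `subgroup(4, 11) == subgroup(5, 11)` illustrates claim (i): two elements of the same order generate the same subgroup. In protocol terms this is the check behind parameter validation for discrete-logarithm groups: an element like $10 \equiv -1$ in $\mathbb{Z}_{11}^*$ has order 2, and the order table is how one recognises such small-subgroup elements before accepting them as a generator.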
Computing square roots of quadratic residues
p.492 – Quadratic residues modulo N
. As $z_i \in \{0,1\}$ is chosen independently of the other bits, $z_i$ "hits" $y_i$ with prob. $1/2$ no matter what value $y_i$ has (writing $\bar y_i$ for the complement of $y_i$):
$\Pr_{y=G(x),x,z}[P(y_1 \dots y_{i-1}) = y_i] = \Pr_{y=G(x),x,z}[D(y_1 \dots y_{i-1}\, y_i\, z_{i+1} \dots z_l) = 1] \cdot \tfrac12 + \Pr_{y=G(x),x,z}[D(y_1 \dots y_{i-1}\, \bar y_i\, z_{i+1} \dots z_l) = 0] \cdot \tfrac12$
p.502 – Proof of Yao’s theorem*
. Set
$d_i := \Pr_{y=G(x),x,z}[D(y_1 \dots y_{i-1}\, y_i\, z_{i+1} \dots z_l) = 1]$,
$c_i := \Pr_{y=G(x),x,z}[D(y_1 \dots y_{i-1}\, \bar y_i\, z_{i+1} \dots z_l) = 0]$.
Then $\Pr_{y=G(x),x,z}[P(y_1 \dots y_{i-1}) = y_i] = \tfrac12 (d_i + c_i) = \tfrac12 + d_i - d_{i-1}$.
p.503 – Proof of Yao’s theorem*
$d_{i-1} = \Pr_{y=G(x),x,z}[D(y_1 \dots y_{i-2}\, y_{i-1}\, z_i\, z_{i+1} \dots z_l) = 1]$
$= \Pr_{y=G(x),x,z}[D(y_1 \dots y_{i-2}\, y_{i-1}\, z_i\, z_{i+1} \dots z_l) = 1 \wedge y_i = z_i] + \Pr_{y=G(x),x,z}[D(y_1 \dots y_{i-2}\, y_{i-1}\, z_i\, z_{i+1} \dots z_l) = 1 \wedge y_i \neq z_i]$
$= \Pr_{y=G(x),x,z}[D(y_1 \dots y_{i-2}\, y_{i-1}\, y_i\, z_{i+1} \dots z_l) = 1] \cdot \tfrac12 + \Pr_{y=G(x),x,z}[D(y_1 \dots y_{i-2}\, y_{i-1}\, \bar y_i\, z_{i+1} \dots z_l) = 1] \cdot \tfrac12$
$= \tfrac12 (d_i + 1 - c_i)$,
i.e. $c_i = 1 + d_i - 2 d_{i-1}$.
p.504 – Proof of Yao’s theorem*
• We therefore obtain for the advantage $\varepsilon_P$ of the constructed predictor:
$\tfrac12 + \varepsilon_P = \Pr_{y=G(x),x,z,\, i \in_u \{1,2,\dots,l\}}[P(y_1 \dots y_{i-1}) = y_i]$
$= \tfrac1l \sum_{i \in [l]} \Pr_{y=G(x),x,z}[P(y_1 \dots y_{i-1}) = y_i]$
$= \tfrac1l \sum_{i \in [l]} \big(\tfrac12 + d_i - d_{i-1}\big)$
$= \tfrac12 + \tfrac1l (d_l - d_0)$
$= \tfrac12 + \tfrac1l \big(\Pr_x[D(G(x)) = 1] - \Pr_z[D(z) = 1]\big) = \tfrac12 + \tfrac{\varepsilon_D}{l}$.
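The telescoping identity just derived, checked exactly on a toy generator, as an added example that is not part of the lecture notes: the generator $G$ (4-bit seed, 6-bit output whose last two bits are parities of the first four), the distinguisher $D$ that tests those parities, and the sizes are my constructions. The predictor is built from $D$ exactly as in the proof (draw $z_i \dots z_l$, answer $z_i$ if $D$ accepts the hybrid and $1 - z_i$ otherwise), and every probability is computed by exhaustive enumeration with `Fraction`, so the identities $\Pr[P(y_1 \dots y_{i-1}) = y_i] = \tfrac12 + d_i - d_{i-1}$ and $\varepsilon_P = \varepsilon_D / l$ hold exactly rather than up to sampling error.

```python
from fractions import Fraction
from itertools import product

# Toy generator (constructed for this example): 4-bit seed x -> 6-bit output
#   y = x1 x2 x3 x4 (x1 xor x2) (x3 xor x4)
# The last two output bits are determined by the first four, which is exactly
# the regularity the distinguisher D below detects.  This is not a PRG.
N_SEED, L_OUT = 4, 6

def G(x):
    x1, x2, x3, x4 = x
    return (x1, x2, x3, x4, x1 ^ x2, x3 ^ x4)

def D(y) -> int:
    """Distinguisher: accepts iff both parity relations that G enforces hold."""
    return 1 if (y[4] == y[0] ^ y[1] and y[5] == y[2] ^ y[3]) else 0

SEEDS = list(product((0, 1), repeat=N_SEED))      # all seeds x, uniform
STRINGS = list(product((0, 1), repeat=L_OUT))     # all strings z, uniform

def d(i: int) -> Fraction:
    """Hybrid d_i = Pr_{x,z}[D(y_1..y_i z_{i+1}..z_l) = 1] with y = G(x), 0 <= i <= l."""
    hits = sum(D(G(x)[:i] + z[i:]) for x in SEEDS for z in STRINGS)
    return Fraction(hits, len(SEEDS) * len(STRINGS))

def predictor_success(i: int) -> Fraction:
    """Pr[P(y_1..y_{i-1}) = y_i], 1 <= i <= l, for the predictor built from D:
    draw z_i..z_l, run D on y_1..y_{i-1} z_i..z_l, output z_i on 1 and 1 - z_i on 0."""
    hits = 0
    for x in SEEDS:
        y = G(x)
        for z in STRINGS:                       # z_1..z_{i-1} are unused; enumerating
            hybrid = y[:i - 1] + z[i - 1:]      # them too keeps the count exact
            guess = z[i - 1] if D(hybrid) == 1 else 1 - z[i - 1]
            hits += guess == y[i - 1]
    return Fraction(hits, len(SEEDS) * len(STRINGS))

def distinguisher_advantage() -> Fraction:
    """eps_D = Pr_x[D(G(x)) = 1] - Pr_z[D(z) = 1] = d_l - d_0."""
    return d(L_OUT) - d(0)

def predictor_advantage() -> Fraction:
    """eps_P for i chosen uniformly from [l]: average success probability minus 1/2."""
    avg = sum(predictor_success(i) for i in range(1, L_OUT + 1)) / L_OUT
    return avg - Fraction(1, 2)

def step_identity_holds() -> bool:
    """Checks Pr[P(y_1..y_{i-1}) = y_i] = 1/2 + d_i - d_{i-1} for every i in [l]."""
    return all(predictor_success(i) == Fraction(1, 2) + d(i) - d(i - 1)
               for i in range(1, L_OUT + 1))
```

For this $G$ the hybrids are $d_0 = \dots = d_4 = 1/4$, $d_5 = 1/2$, $d_6 = 1$, so $\varepsilon_D = 3/4$; the predictor for bit 6 is always right, the one for bit 5 is right with probability $3/4$, the others are coin flips, and the average advantage is $\varepsilon_P = (3/4)/6 = 1/8$. The factor $1/l$ is the price the hybrid argument pays, which is why next-bit unpredictability is stated with the same asymptotic tolerance as indistinguishability.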
$\tfrac12 + \varepsilon(n) = \Pr_{x,r}[P(f(x), r) = gl(x, r)]$
$= \Pr_{x,r}[P(f(x), r) = gl(x, r) \mid x \in S_n] \cdot \tfrac{|S_n|}{2^n} + \Pr_{x,r}[P(f(x), r) = gl(x, r) \mid x \notin S_n] \cdot \big(1 - \tfrac{|S_n|}{2^n}\big)$
$\le \tfrac{|S_n|}{2^n} + \tfrac12 + \tfrac{\varepsilon(n)}{2}$.
So, $|S_n| \ge \varepsilon(n) \cdot 2^{n-1} > \tfrac{2^{n-1}}{p(n)}$, i.e., $\Pr_x[x \in S_n] \ge \tfrac{\varepsilon(n)}{2}$.
(6) We may also take $> \tfrac12 + \tfrac{\varepsilon(n)}{c}$ for any $c > 1$.
p.508 – Proof of the Goldreich-Levin theorem
• It is therefore enough to show how to invert $f$ for $x \in S_n$;
. so assume $\Pr_r[P(f(x), r) = gl(x, r)] > \tfrac12 + \tfrac{\varepsilon}{2}$ in the following.
• Still, simply calculating $P(f(x), e_i)$ as before does not work, as we can never be sure that the prediction $P(f(x), e_i)$ is correct.
• The important idea is to use a sufficiently large number of $r_1, r_2, \dots, r_m \in \{0,1\}^n$ (7) which depend on each other in order to sample $gl(x, \cdot)$ on both $r_j$ and $r_j \oplus e_i$:
• Assume that both predictions for $gl(x, r_j)$ and $gl(x, r_j \oplus e_i)$ are correct. Then:
$\Pr_{s_1,\dots,s_k}[P(f(x), r_J \oplus e_i) = gl(x, r_J \oplus e_i)] = \Pr_r[P(f(x), r) = gl(x, r)]$
• Then we are interested in $\Pr[Z_i \ge \tfrac{m}{2}]$.
• When determining $\Pr[Z_{i,J} = 1]$, we did so for a fixed $J \subseteq [k]$.
By Chebyshev's inequality: $\Pr[|Z_i - E[Z_i]| < \delta] \ge 1 - \tfrac{\mathrm{Var}[Z_i]}{\delta^2}$.
(8) This is a bit imprecise as $k := \lceil \log m \rceil$ and $J \subseteq [k]$, but the analysis is the same, and we may simply assume that $2^k \approx m$.
p.512 – Proof of the Goldreich-Levin theorem
• We have
• $E[Z_{i,J}] \ge \tfrac{1+\varepsilon}{2}$, and
• $E[Z_i] = \sum_J E[Z_{i,J}] \ge m \cdot \tfrac{1+\varepsilon}{2}$.
• If we take $\delta \ge \tfrac{m}{2}\varepsilon$, this allows us to bound the prob. that the majority guess $Z_i$ deviates too much from $\tfrac{m}{2}(1 + \varepsilon)$:
$\Pr\big[\tfrac{m}{2} \le Z_i \le \tfrac{m}{2}(1 + 2\varepsilon)\big] \ge 1 - \frac{m/4}{\frac{m^2}{4} \cdot \varepsilon^2} = 1 - \frac{1}{m \cdot \varepsilon^2}$.
• Taking e.g. $c = 2$ we obtain $\Pr\big[\bigwedge_{i=1}^{n} Z_i \ge \tfrac{m}{2}\big] \ge \tfrac12$ for $m \approx \tfrac{2n}{\varepsilon^2(n)} \approx 2n\,p(n)^2$ and all $x \in S_n$.
• As $\Pr[x \in S_n] \ge \tfrac{\varepsilon(n)}{2}$, the proposed algorithm successfully inverts $f$ given $y$ with prob. at least $\tfrac12 \cdot \tfrac{\varepsilon(n)}{2} = \tfrac{\varepsilon(n)}{4} > \tfrac{1}{4p(n)}$ for infinitely many $n$, i.e., with non-negligible probability,
. which contradicts our assumption that $f$ is one-way.
(9) Note that the $Z_i$ are certainly not independent.
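The inversion procedure of the proof, as an added simulation that is not part of the lecture notes. The predictor $P$ is simulated by an oracle that knows $x$ and answers $gl(x, r)$ correctly with probability $1/2 + \varepsilon$; that is the hypothesis of the theorem, not something a real predictor could do, and it is the only place $x$ is used. SHA-256 stands in for $f$ purely so that a candidate can be checked against $y$; nothing here depends on $f$ being one-way. The parameters $m \approx 2n/\varepsilon^2$, $k = \lceil \log m \rceil$, the pairwise-independent $r_J = \bigoplus_{j \in J} s_j$, the guess of the $k$ bits $gl(x, s_j)$ and the majority vote per bit are the slides'; the function names and the toy sizes are mine.

```python
import hashlib
import random
from functools import reduce
from itertools import combinations
from math import ceil, log2
from operator import xor

def gl(x: int, r: int) -> int:
    """The Goldreich-Levin bit gl(x, r) = <x, r> mod 2 on n-bit vectors given as ints."""
    return bin(x & r).count("1") & 1

def f(x: int, n: int) -> bytes:
    """Stand-in for the one-way function.  The inverter only evaluates it forwards,
    to test f(candidate) == y; SHA-256 is a convenient injective-in-practice
    placeholder and nothing below relies on it being hard to invert."""
    return hashlib.sha256(x.to_bytes((n + 7) // 8, "big")).digest()

def make_noisy_predictor(x: int, eps: float, rng: random.Random):
    """Simulated predictor P with Pr_r[P(f(x), r) = gl(x, r)] = 1/2 + eps.
    It peeks at x, which a real predictor cannot; this models the hypothesis only."""
    def P(y: bytes, r: int) -> int:
        truth = gl(x, r)
        return truth if rng.random() < 0.5 + eps else truth ^ 1
    return P

def invert_with_predictor(y: bytes, P, n: int, eps: float, rng: random.Random):
    """Inversion procedure from the proof.  Returns x with f(x) == y, or None."""
    m = ceil(2 * n / eps ** 2)      # m ~ 2n / eps^2 samples, as on the slides
    k = ceil(log2(m))               # k = ceil(log m) random strings s_1..s_k
    s = [rng.getrandbits(n) for _ in range(k)]
    # r_J = XOR of s_j over j in J, for every non-empty J: pairwise independent
    subsets = [J for size in range(1, k + 1) for J in combinations(range(k), size)]
    r = {J: reduce(xor, (s[j] for j in J)) for J in subsets}
    # Ask P once per (i, J) for gl(x, r_J xor e_i).  These answers do not depend
    # on the guess below, so they are collected up front.
    answers = {(i, J): P(y, r[J] ^ (1 << i)) for i in range(n) for J in subsets}
    for guess in range(1 << k):     # guess the k bits b_j = gl(x, s_j)
        b = [(guess >> j) & 1 for j in range(k)]
        gl_r = {J: reduce(xor, (b[j] for j in J)) for J in subsets}   # gl(x, r_J)
        candidate = 0
        for i in range(n):
            # x_i = gl(x, e_i) = gl(x, r_J xor e_i) xor gl(x, r_J); majority over J
            ones = sum(answers[(i, J)] ^ gl_r[J] for J in subsets)
            if 2 * ones >= len(subsets):          # Z_i >= m/2 in the slides' terms
                candidate |= 1 << i
        if f(candidate, n) == y:
            return candidate
    return None

def demo(n: int = 8, eps: float = 0.3, seed: int = 1) -> bool:
    """Picks a random n-bit x, builds the simulated predictor and checks that
    the inverter recovers x from f(x)."""
    rng = random.Random(seed)
    x = rng.getrandbits(n)
    P = make_noisy_predictor(x, eps, rng)
    return invert_with_predictor(f(x, n), P, n, eps, rng) == x
```

With $n = 8$ and $\varepsilon = 0.3$ the inverter uses $k = 8$ base strings, $2^8 - 1 = 255$ derived $r_J$, $8 \cdot 255$ oracle queries and at most $2^8$ candidate checks; the wrong guesses for the $b_j$ produce candidates that fail the `f(candidate) == y` test, and the right one makes every $Z_i$ a majority of 255 votes that are each correct with probability $0.8$. Note that the simulated oracle's errors are independent, which is stronger than the theorem needs: the proof only uses that the $r_J$ are pairwise independent, which is why it reaches for Chebyshev rather than a Chernoff bound.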
Notation and symbols
Math
$\in_u$ chosen uniformly at random
Un random variable uniformly distributed on {0, 1}n
Pr[A] probability of event A
Prx [A(x)] probability of event A(x) with x uniformly chosen at random
Z integers
N natural numbers (nonnegative integers)
[n] {1, 2, . . . , n} for n ∈ N
gcd(a, b) greatest common divisor of a and b
lcm(a, b) least common multiple of a and b, lcm(a, b) = ab / gcd(a, b)
Zn {0, 1, 2, . . . , n − 1} with addition modulo n
Z∗n {k ∈ Zn | gcd(k, n) = 1} with multiplication modulo n
a|b a divides b, i.e., ∃k ∈ N : b = k · a
a mod n least natural number s.t. n | (a − (a mod n))
a ≡ b (mod n) (a mod n) = (b mod n)
G a group, short for hG, ·, 1i
Σ finite alphabet
a||b concatenation of the strings a and b, also (a, b) or ab
Algorithms
PPT probabilistic polynomial-time
DPT deterministic polynomial-time
$\stackrel{r}{:=}$ random assignment, used for outputs generated by PPT-algorithms
A algorithm
E encryption scheme
K key space
M message (plaintext) space
C ciphertext space
Gen key generator, usually a PPT-algorithm
Enc encryption algorithm, usually a PPT-algorithm
Dec decryption algorithm, usually a DPT-algorithm
ek encryption key
dk decryption key
sk signature key
vk verification key
⌊·⌉ some encoding function
Generators
[6] H. Baier. Efficient Algorithms for Generating Elliptic Curves over Finite Fields Suitable for Use in Cryptography. [PDF]
[7] M. Bellare. Lecture notes.
[8] M. Bellare. New Proofs for NMAC and HMAC: Security without Collision-Resistance. [PDF]
[9] M. Bellare, R. Canetti, H. Krawczyk. Keying Hash Functions for Message Authentication. [PDF]
[22] D. Bleichenbacher. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. [PDF]
[28] D. Brown. What Hashes Make RSA-OAEP Secure? [PDF]
[29] J. Buchmann. Einführung in die Kryptographie. Springer, 2010.
[39] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. [PDF]
[46] O. Goldreich. Foundations of Cryptography: basic tools. Cambridge University Press, 2001. [Drafts]
[47] O. Goldreich. Foundations of Cryptography: basic applications. Cambridge University Press, 2004. [Drafts]
[55] C. Jutla. PRF Domain Extension Using DAGs. [PDF]
[59] J. Lagarias. Pseudorandom Number Generators in Number Theory and Cryptography. [Google books] [JSTOR]
[62] M. Matsui. Linear Cryptanalysis Method for DES Cipher. [PDF]
[63] U. Maurer, S. Wolf. The Relationship Between Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms.
[64] A. Menezes. Elliptic curve public key cryptosystems. Kluwer Academic Publishers, 1965.
[68] R. Merkle. PhD thesis. [PDF]
[73] NIST. Specification for the Advanced Encryption Standard (AES). [PDF]
[74] NIST. Specification for the Data Encryption Standard (DES). [PDF]
[75] C. Papadimitriou. Computational Complexity. Addison-Wesley, 1994.
[78] B. Preneel. Analysis and design of cryptographic hash functions. [PDF]
[79] R. Rivest. Handbook of theoretical computer science. Elsevier Science Publishers, 1990, 719–755.
[83] J. Rompel. One-way functions are necessary and sufficient for secure signatures. [PDF]
[84] C. Shannon. Communication Theory of Secrecy Systems. [PDF]
[85] I. Shparlinski. On finding primitive roots in finite fields.
[86] V. Shoup. Lower Bounds for Discrete Logarithms and Related Problems. [PDF]
[87] V. Shoup. New Algorithms for Finding Irreducible Polynomials over Finite Fields. [PDF]
[88] V. Shoup. Searching for Primitive Roots in Finite Fields. [PDF]
[89] V. Shoup. A Proposal for an ISO Standard for Public Key Encryption (version 2.1). [PDF]
[90] V. Shoup. OAEP Reconsidered. [PDF]
[91] D. Simon. Finding Collisions on a One-Way Street: Can Secure Hash Functions be Based on General Assumptions. [Link]
[92] A. Werner. Elliptische Kurven in der Kryptographie. Springer, 2002.
[93] A. Yao. Theory and Applications of Trapdoor Functions (Extended Abstract). [PDF]