
Modern Cryptography January 7, 2019

Solutions to Homework 10
Lecturer: Daniel Slamanig, TA: Karen Klein

1. DL-related Problems
• [8.15 in book, 2nd edition] Prove that hardness of the CDH problem relative to G
implies hardness of the discrete-logarithm problem relative to G, and that hardness of
the DDH problem relative to G implies hardness of the CDH problem relative to G.
Solution: Let $(\mathbb{G}, q, g) \leftarrow \mathcal{G}(1^n)$, where $\mathbb{G}$ is a cyclic group of order $q$ with bit-size $\|q\| = n$ and $g$ a generator of $\mathbb{G}$.

To prove that hardness of CDH implies hardness of the discrete-logarithm problem, we show that any algorithm that solves the discrete logarithm can be used to solve CDH. Let $A$ be an arbitrary PPT algorithm for the discrete-logarithm problem with respect to $\mathcal{G}$, i.e., on input $(\mathbb{G}, q, g, g^x)$ it outputs $x' \in \mathbb{Z}_q$ and wins the game if $g^{x'} = g^x$, i.e., $x' = x$.$^1$ We construct an algorithm $A'$ for CDH as follows: Given a CDH instance $(\mathbb{G}, q, g, g^x, g^y)$, $A'$ queries $A$ on $(\mathbb{G}, q, g, g^x)$ and receives $x' \in \mathbb{Z}_q$. Then $A'$ computes $(g^y)^{x'}$. Clearly, $A'$ succeeds if and only if $A$ succeeds: $(g^y)^{x'} = \mathrm{DH}_g(g^x, g^y) \iff x' = x$. Hardness of CDH relative to $\mathcal{G}$ now implies that the success probability of every PPT algorithm, in particular that of $A'$, is bounded by some negligible function $\mathrm{negl}(n)$. Thus, we get
$$\Pr[\mathrm{DLog}_{A,\mathcal{G}}(n) = 1] = \Pr[A'(\mathbb{G}, q, g, g^x, g^y) = g^{xy}] \le \mathrm{negl}(n).$$

To prove that hardness of DDH implies hardness of CDH, let $A$ be an arbitrary PPT algorithm for CDH with respect to $\mathcal{G}$, i.e., on input $(\mathbb{G}, q, g, g^x, g^y)$ it outputs $h \in \mathbb{G}$ and wins the game if $h = \mathrm{DH}_g(g^x, g^y) = g^{xy}$. We construct an algorithm $A'$ for DDH as follows: Given access to $A$ and a DDH instance $(\mathbb{G}, q, g, g^x, g^y, h')$, where either $h' = g^{xy}$ or $h' = g^z$ for a $z \in \mathbb{Z}_q$ chosen uniformly at random,$^2$ the algorithm $A'$ queries $A$ on $(\mathbb{G}, q, g, g^x, g^y)$ and receives $h$. $A'$ outputs $1$ if $h' = h$ and $0$ otherwise. Thus,
$$\Pr[A'(\mathbb{G}, q, g, g^x, g^y, g^{xy}) = 1] = \Pr[A(\mathbb{G}, q, g, g^x, g^y) = g^{xy}].$$
On the other hand, since $z$ is independent of the answer $h$ of $A$,
$$\Pr[A'(\mathbb{G}, q, g, g^x, g^y, g^z) = 1] = \frac{1}{q}.$$
Assuming that DDH is hard with respect to $\mathcal{G}$, we get
$$\left|\Pr[A'(\mathbb{G}, q, g, g^x, g^y, g^z) = 1] - \Pr[A'(\mathbb{G}, q, g, g^x, g^y, g^{xy}) = 1]\right| \le \mathrm{negl}(n).$$
This implies
$$\Pr[A(\mathbb{G}, q, g, g^x, g^y) = g^{xy}] \le \mathrm{negl}(n) + \frac{1}{q},$$
which is negligible since $\|q\| = n$. This proves hardness of CDH.

$^1$ Note, $g^{x'} = g^x$ implies $x' = x$, since for any generator $g$ of $\mathbb{G}$ the map $(\mathbb{Z}_q, +) \to (\mathbb{G}, \cdot)$, $x \mapsto g^x$ is an isomorphism.
$^2$ Note, if $z$ is chosen uniformly at random from $\mathbb{Z}_q$, then $g^z$ is uniformly random in $\mathbb{G}$.

PS10-1
• [8.19 in book, 2nd edition] Can the following problem be solved in polynomial time? Given a prime $p$, a value $x \in \mathbb{Z}^*_{p-1}$, and $y := [g^x \bmod p]$ (where $g$ is a uniform value in $\mathbb{Z}^*_p$), find $g$, i.e., compute $y^{1/x} \bmod p$. If your answer is "yes", give a polynomial-time algorithm. If your answer is "no", show a reduction to one of the assumptions introduced in lecture 10.
Solution: Yes, the above problem can be solved in polynomial time as follows: As shown in HW9, exercise 2c, the extended Euclidean algorithm can be used to compute the inverse $x^{-1}$ of $x$ in $\mathbb{Z}^*_{p-1}$, i.e., an integer with $x \cdot x^{-1} = 1 \bmod (p-1)$. Since $g^{p-1} = 1 \bmod p$ for every $g \in \mathbb{Z}^*_p$, exponents can be reduced modulo $p-1$, and hence $y^{x^{-1}} = g^{x \cdot x^{-1}} = g^{1 + k(p-1)} = g \bmod p$ for some integer $k$. So we can compute $g = y^{1/x} \bmod p$ with one inverse computation modulo $p-1$ and one modular exponentiation modulo $p$.
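The algorithm above as runnable code, added here as a worked example that is not part of the original solution sheet. The parameters $p = 65537$ (prime, so $p-1 = 2^{16}$), $g = 3$ and $x = 12345$ are assumed sample values constructed for the demonstration; any odd $x$ is a unit modulo $2^{16}$. The common mistake the code guards against is inverting $x$ modulo $p$ instead of modulo $p-1$.

```python
"""Recover g from y = g^x mod p when x is a unit modulo p - 1 (exercise 8.19).

Added worked example, not part of the original solution sheet. The sample
parameters p = 65537, g = 3 and x = 12345 are assumed values constructed
for the demonstration.
"""


def egcd(a: int, b: int):
    """Extended Euclid: return (d, u, v) with u*a + v*b = d = gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - qt * u1
        v0, v1 = v1, v0 - qt * v1
    return a, u0, v0


def inverse_mod(x: int, m: int) -> int:
    """Return x^{-1} mod m, or raise ValueError if x is not a unit modulo m."""
    d, u, _ = egcd(x % m, m)
    if d != 1:
        raise ValueError(f"{x} is not invertible modulo {m} (gcd = {d})")
    return u % m


def recover_base(p: int, x: int, y: int) -> int:
    """Given prime p, x in Z^*_{p-1} and y = g^x mod p, return g = y^{1/x} mod p.

    The inverse is taken modulo p - 1, not modulo p: g^{p-1} = 1 in Z^*_p, so
    exponents only matter modulo p - 1 and y^{x^{-1}} = g^{x * x^{-1}} = g.
    """
    x_inv = inverse_mod(x, p - 1)
    return pow(y, x_inv, p)


if __name__ == "__main__":
    p, g, x = 65537, 3, 12345            # assumed sample parameters
    y = pow(g, x, p)
    print(recover_base(p, x, y) == g)    # one inverse mod p-1, one exponentiation mod p
```

If $x$ shares a factor with $p-1$ the inverse does not exist and `inverse_mod` raises; in that case $y$ has several $x$-th roots and the problem as stated has no unique answer.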
• Let $\mathbb{G}$ be a cyclic group of prime order $q$ and $g$ a generator. The square Diffie-Hellman (sq-DH) problem is, given $(\mathbb{G}, q, g, g^a)$ for $a \in \mathbb{Z}^*_q$, to compute $g^{a^2}$. Show that sq-DH $\iff$ CDH (Hint: $(x+y)^2$).
Solution: First, we show that hardness of sq-DH implies hardness of CDH: Let $A$ be an arbitrary PPT algorithm for CDH. We construct an algorithm $A'$ for sq-DH as follows: Given an sq-DH instance $(\mathbb{G}, q, g, g^a)$, the algorithm $A'$ chooses $r_1, r_2 \in \mathbb{Z}_q$ uniformly at random and queries $A$ on $(\mathbb{G}, q, g, (g^a)^{r_1}, (g^a)^{r_2})$. Note that, since $a \neq 0$, $x = ar_1$ and $y = ar_2$ are independent and uniformly distributed in $\mathbb{Z}_q$, so $(\mathbb{G}, q, g, g^{ar_1}, g^{ar_2})$ is a properly distributed CDH instance. After receiving some value $h$ from $A$, the algorithm $A'$ outputs $h' := h^{1/(r_1 r_2)}$ if $r_1 r_2$ is invertible in $\mathbb{Z}_q$, and otherwise it outputs a uniformly random $h' \in \mathbb{G}$. Clearly, if $A$ succeeds and $r_1 r_2 \in \mathbb{Z}^*_q$, then $g^{a^2 r_1 r_2 / (r_1 r_2)} = g^{a^2}$ is a solution to sq-DH. More precisely, if $r_1 r_2 \in \mathbb{Z}^*_q$, then $A'$ succeeds if and only if $A$ succeeds. Thus, we can compute the success probability of $A'$ as follows:
$$\Pr[A'(\mathbb{G}, q, g, g^a) = g^{a^2}] = \Pr[A(\mathbb{G}, q, g, g^{ar_1}, g^{ar_2}) = g^{a^2 r_1 r_2}] \cdot \Pr[r_1 r_2 \in \mathbb{Z}^*_q] + \Pr[h' = g^{a^2}] \cdot \Pr[r_1 r_2 \notin \mathbb{Z}^*_q]$$
$$= \Pr[A(\mathbb{G}, q, g, g^x, g^y) = g^{xy}] \cdot \frac{(q-1)^2}{q^2} + \frac{1}{q} \cdot \left(\frac{2}{q} - \frac{1}{q^2}\right).$$
(Strictly speaking, the first factor is the success probability of $A$ conditioned on $x, y \neq 0$; since $\Pr[x = 0 \vee y = 0] \le 2/q$ is negligible, this changes the bound below only by a negligible term.)

If the sq-DH assumption holds, i.e., sq-DH is hard with respect to the group generator $\mathcal{G}$, by definition there exists a negligible function $\mathrm{negl}$ such that
$$\Pr[A'(\mathbb{G}, q, g, g^a) = g^{a^2}] \le \mathrm{negl}(n),$$
and by the above it follows that
$$\Pr[A(\mathbb{G}, q, g, g^x, g^y) = g^{xy}] \le \frac{q^2}{(q-1)^2} \cdot \left(\mathrm{negl}(n) - \frac{1}{q} \cdot \left(\frac{2}{q} - \frac{1}{q^2}\right)\right),$$
which is negligible since $\frac{q^2}{(q-1)^2} \le 4$ and $\|q\| = n$. Since $A$ was an arbitrary algorithm for CDH, this implies hardness of CDH.

To prove equivalence of sq-DH and CDH, we still have to prove that hardness of CDH implies hardness of sq-DH, i.e., that CDH can be solved using any algorithm $A$ for sq-DH. To this aim, let $A$ be an arbitrary PPT algorithm for sq-DH, let $(\mathbb{G}, q, g, g^x, g^y)$ be an instance of CDH, and note that $(x+y)^2 = x^2 + y^2 + 2xy$. We construct an algorithm $A'$ for CDH as follows: If $g^x = 1$ or $g^y = 1$, then it must hold that $x = 0$ or $y = 0$, and $A'$ outputs the correct solution $1 = g^0 = g^{xy}$, i.e., $A'$ succeeds with probability $1$ in this case. If $g^x, g^y \neq 1$ but $g^x g^y = 1$ (i.e., $x + y = 0 \bmod q$), then $A'$ queries $A$ on $(\mathbb{G}, q, g, g^x)$.

After receiving $h$ from $A$, the algorithm $A'$ outputs $h^{-1}$. Note that if $A$ succeeds, then $h = g^{x^2}$ and $A'$ succeeds, since $y = -x \bmod q$ gives $h^{-1} = g^{-x^2} = g^{xy}$. Hence, $A'$ has the same success probability as $A$ in this case. Finally, if $g^x, g^y, g^x g^y \neq 1$, then $A'$ chooses $r \in \mathbb{Z}^*_q$ uniformly at random and queries $A$ three times to obtain $h_1 = A(\mathbb{G}, q, g, g^x)$, $h_2 = A(\mathbb{G}, q, g, g^y)$ and $h_3 = A(\mathbb{G}, q, g, (g^x g^y)^r)$. Then $A'$ computes $1/2 \bmod q$ and $1/(2r^2) \bmod q$ (note that both $2$ and $r$ are invertible modulo the odd prime $q$) and outputs $h' = h_3^{1/(2r^2)} (h_1 h_2)^{-1/2}$. If $A$ succeeds on all three instances, then $h_1 = g^{x^2}$, $h_2 = g^{y^2}$ and $h_3 = g^{(r(x+y))^2}$, so it follows that
$$h' = h_3^{1/(2r^2)} (h_1 h_2)^{-1/2} = \left(g^{r^2 (x+y)^2}\right)^{1/(2r^2)} \left(g^{x^2} g^{y^2}\right)^{-1/2} = g^{((x+y)^2 - x^2 - y^2)/2} = g^{xy}.$$

Since $A$ is queried on three properly distributed sq-DH instances (with exponents $x$, $y$ and $r(x+y)$; the last one is uniform in $\mathbb{Z}^*_q$ and independent of $x, y$ because $r$ is uniform in $\mathbb{Z}^*_q$ and $x + y \neq 0$) and uses fresh random coins in each query, we can lower-bound the success probability of $A'$ as follows:
$$\Pr[A'(\mathbb{G}, q, g, g^x, g^y) = g^{xy}] \ge \left(\Pr[A(\mathbb{G}, q, g, g^x) = g^{x^2}]\right)^3.$$

If CDH is hard, it holds that $\Pr[A'(\mathbb{G}, q, g, g^x, g^y) = g^{xy}] \le \mathrm{negl}(n)$. Thus, we get
$$\Pr[A(\mathbb{G}, q, g, g^x) = g^{x^2}] \le (\mathrm{negl}(n))^{1/3},$$
which is negligible (if $\mathrm{negl}(n) < 1/p(n)^3$ for all sufficiently large $n$, then $\mathrm{negl}(n)^{1/3} < 1/p(n)$). Thus, we proved hardness of sq-DH.
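Both reductions of this exercise, run end to end against black-box oracles, as an added worked example that is not part of the original solution sheet. The group is the assumed order-$q$ subgroup of $\mathbb{Z}^*_p$ with toy parameters $p = 47$, $q = 23$, $g = 4$ ($4 = 2^2$ is a quadratic residue, so it generates the subgroup of order $(p-1)/2 = 23$). The oracles `sqdh_oracle` and `cdh_oracle` stand in for the adversary $A$ and cheat with a brute-force discrete log, which only works because the group is tiny; the reductions `sqdh_from_cdh` and `cdh_from_sqdh` use nothing but the oracle answers and the exponent arithmetic modulo $q$ from the proof, including the three special cases.

```python
"""sq-DH <=> CDH: the two reductions from the solution, run against black-box oracles.

Added worked example, not part of the original solution sheet. P, Q, G are
assumed toy parameters: G = 4 generates the order-23 subgroup of Z_47^*.
The oracles cheat with a brute-force discrete log (only feasible here).
"""
import secrets

P, Q, G = 47, 23, 4   # assumed toy parameters


def dlog(h: int) -> int:
    """Brute-force discrete log to the base G (toy oracle only; exponential in ||q||)."""
    for a in range(Q):
        if pow(G, a, P) == h:
            return a
    raise ValueError(f"{h} is not in the order-{Q} subgroup")


def sqdh_oracle(ga: int) -> int:
    """Perfect sq-DH solver: g^a -> g^{a^2}. Stands in for an adversary A against sq-DH."""
    a = dlog(ga)
    return pow(G, a * a % Q, P)


def cdh_oracle(gx: int, gy: int) -> int:
    """Perfect CDH solver: (g^x, g^y) -> g^{xy}. Stands in for an adversary A against CDH."""
    return pow(G, dlog(gx) * dlog(gy) % Q, P)


def sqdh_from_cdh(ga: int, cdh=cdh_oracle) -> int:
    """A' for sq-DH: re-randomise g^a into the CDH instance (g^{a r1}, g^{a r2}), strip r1*r2."""
    while True:
        r1, r2 = secrets.randbelow(Q), secrets.randbelow(Q)
        if r1 * r2 % Q:   # the proof answers with a random guess when r1*r2 = 0; we resample
            break
    h = cdh(pow(ga, r1, P), pow(ga, r2, P))   # = g^{a^2 r1 r2} when the oracle is right
    return pow(h, pow(r1 * r2, -1, Q), P)     # exponent (r1 r2)^{-1} is computed mod q


def cdh_from_sqdh(gx: int, gy: int, sqdh=sqdh_oracle) -> int:
    """A' for CDH: (x+y)^2 = x^2 + y^2 + 2xy, so g^{xy} = (g^{(x+y)^2} / (g^{x^2} g^{y^2}))^{1/2}."""
    if gx == 1 or gy == 1:                 # x = 0 or y = 0, so g^{xy} = 1
        return 1
    if gx * gy % P == 1:                   # y = -x mod q, so g^{xy} = g^{-x^2}
        return pow(sqdh(gx), -1, P)
    r = 1 + secrets.randbelow(Q - 1)       # r uniform in Z_q^*
    h1, h2 = sqdh(gx), sqdh(gy)            # g^{x^2}, g^{y^2}
    h3 = sqdh(pow(gx * gy, r, P))          # g^{(r(x+y))^2}
    e3 = pow(2 * r * r, -1, Q)             # 1/(2 r^2) mod q
    e12 = (-pow(2, -1, Q)) % Q             # -1/2 mod q
    return pow(h3, e3, P) * pow(h1 * h2, e12, P) % P


if __name__ == "__main__":
    x, y = 7, 19                           # constructed sample exponents
    print(cdh_from_sqdh(pow(G, x, P), pow(G, y, P)) == pow(G, x * y % Q, P))
    print(sqdh_from_cdh(pow(G, x, P)) == pow(G, x * x % Q, P))
```

Replacing either oracle with an imperfect one (say, one that answers correctly only half the time) makes the cube in the success bound visible: `cdh_from_sqdh` then succeeds on the generic branch only when all three queries are answered correctly.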

2. Key-Exchange

• Let $p$ be a prime and $g$ be a generator of $\mathbb{Z}^*_p$. Argue why we are not able to prove $\widehat{\mathrm{KE}}^{\mathrm{eav}}_{A,\Pi}$ security of the Diffie-Hellman key-exchange protocol in this setting. Construct a polynomial-time distinguisher (Hint: quadratic residues).
Solution: The clue for breaking security of $\widehat{\mathrm{KE}}^{\mathrm{eav}}_{A,\Pi}$ over $\mathbb{Z}^*_p$ is to consider the subgroup $\mathrm{QR}_p \le \mathbb{Z}^*_p$ of quadratic residues mod $p$.
Recall, $y \in \mathbb{Z}^*_p$ is called a quadratic residue modulo $p$ if there exists an $x \in \mathbb{Z}^*_p$ such that $x^2 = y \bmod p$; such an $x$ is then called a square root of $y$. It can be shown that, for an odd prime $p$, each quadratic residue modulo $p$ has precisely two distinct square roots, namely $x$ and its additive inverse $-x$ in $\mathbb{Z}_p$ (which also lies in $\mathbb{Z}^*_p$). If we denote the set of quadratic residues as $\mathrm{QR}_p$, it is easy to see that $\mathrm{QR}_p$ forms a subgroup and, for a generator $g$ of $\mathbb{Z}^*_p$, $\mathrm{QR}_p = \{g^{2i} \mid i \in \{0, \dots, \frac{p-1}{2} - 1\}\}$; since $p-1$ is even, this means $g^k \in \mathrm{QR}_p$ if and only if $k$ is even. In particular, $|\mathrm{QR}_p| = \frac{p-1}{2} = \frac{|\mathbb{Z}^*_p|}{2}$. Furthermore, there is an efficient algorithm to compute quadratic residuosity (Euler's criterion):
$$J_p(x) := x^{\frac{p-1}{2}} \bmod p = \begin{cases} +1 & \text{if } x \in \mathrm{QR}_p \\ -1 & \text{if } x \notin \mathrm{QR}_p. \end{cases}$$
$J_p(x)$ is called the Jacobi (or Legendre) symbol.

In the $\widehat{\mathrm{KE}}^{\mathrm{eav}}_{A,\Pi}(b)$ security game, an adversary $A$ knows the public parameters $(\mathbb{Z}^*_p, p-1, g) \leftarrow \mathcal{G}(1^n)$ as well as a tuple $(k^*, \mathrm{trans})$ with $\mathrm{trans} = (g^x, g^y)$ for secret $x, y \in \mathbb{Z}_{p-1}$ chosen independently and uniformly at random. If $b = 0$ then $k^* = \mathrm{DH}_g(g^x, g^y) = g^{xy}$, otherwise $k^*$ is a uniformly random element in $\mathbb{Z}^*_p$. The adversary $A$ outputs a bit $b'$ and wins the game if $b' = b$; the protocol is insecure if some PPT adversary wins with probability $\frac{1}{2}$ plus a non-negligible amount.

Now, consider the case $b = 1$ where $k^* \leftarrow \mathbb{Z}^*_p$ is uniformly random. Then $k^* \in \mathrm{QR}_p$ with probability $\frac{1}{2}$. On the other hand, if $b = 0$, then $k^* = g^{xy}$ where $x, y \leftarrow \mathbb{Z}_{p-1}$ are chosen independently and uniformly at random. It holds that $k^* \in \mathrm{QR}_p$ if and only if $xy \bmod (p-1)$ is even, i.e. (as $p-1$ is even), if and only if $x$ or $y$ is even, which happens with probability $1 - \Pr[x \text{ odd} \wedge y \text{ odd}] = \frac{3}{4}$.
We use this observation to construct an efficient adversary $A$ against $\widehat{\mathrm{KE}}^{\mathrm{eav}}_{A,\Pi}(b)$: On input $(\mathbb{Z}^*_p, p-1, g, k^*, \mathrm{trans})$, $A$ computes $J_p(k^*)$. If $J_p(k^*) = +1$, it outputs $b' = 0$; if $J_p(k^*) = -1$, it outputs $b' = 1$. $A$ wins the game with probability
$$\Pr[b' = b] = \Pr[b' = b \mid b = 0] \cdot \Pr[b = 0] + \Pr[b' = b \mid b = 1] \cdot \Pr[b = 1] = \tfrac{1}{2}\left(\Pr[b' = 0 \mid b = 0] + \Pr[b' = 1 \mid b = 1]\right) = \tfrac{1}{2}\left(\tfrac{3}{4} + \tfrac{1}{2}\right) = \tfrac{5}{8} > \tfrac{1}{2} + \mathrm{negl}(n).$$

Note, the adversary $A$ above does not even use the information in the transcript $\mathrm{trans} = (g^x, g^y)$ to break the scheme. One can improve the attack as follows. It holds that
$$g^{xy} \in \mathrm{QR}_p \iff (x = 0 \bmod 2 \;\vee\; y = 0 \bmod 2) \iff g^x \in \mathrm{QR}_p \;\vee\; g^y \in \mathrm{QR}_p.$$
We construct an adversary $A'$ as follows. $A'$ computes $J_p(g^x)$, $J_p(g^y)$, $J_p(k^*)$ to decide whether $g^x$, $g^y$, $k^*$ are quadratic residues. Then it defines bits $b_x$, $b_y$, $b^*$ as
$$b_x = \begin{cases} 0 & \text{if } g^x \notin \mathrm{QR}_p \\ 1 & \text{if } g^x \in \mathrm{QR}_p, \end{cases} \qquad b_y = \begin{cases} 0 & \text{if } g^y \notin \mathrm{QR}_p \\ 1 & \text{if } g^y \in \mathrm{QR}_p, \end{cases} \qquad b^* = \begin{cases} 0 & \text{if } k^* \notin \mathrm{QR}_p \\ 1 & \text{if } k^* \in \mathrm{QR}_p. \end{cases}$$
Finally, $A'$ outputs $b' = 0$ if $b^* = b_x \vee b_y$ and $b' = 1$ otherwise. Now, consider the case $b = 0$, i.e., $k^* = g^{xy}$. Then $b^* = b_x \vee b_y$ and $A'$ will output $b' = 0 = b$ with probability $1$. In the case $b = 1$, on the other hand, $k^*$ is uniformly random in $\mathbb{Z}^*_p$. In this case, $k^*$ is a quadratic residue or a nonresidue with probability $\frac{1}{2}$ each. This means that the bit $b^*$ is uniformly random and independent of $b_x, b_y$. Hence, with probability $\frac{1}{2}$ it will hold that $b^* = b_x \vee b_y$. It follows that $A'$ wins the game $\widehat{\mathrm{KE}}^{\mathrm{eav}}_{A,\Pi}(b)$ with probability
$$\Pr[b' = b] = \Pr[b' = 0 \mid b = 0] \cdot \Pr[b = 0] + \Pr[b' = 1 \mid b = 1] \cdot \Pr[b = 1] = \tfrac{1}{2}\left(\Pr[b^* = b_x \vee b_y \mid b = 0] + \Pr[b^* \neq b_x \vee b_y \mid b = 1]\right) = \tfrac{1}{2}\left(1 + \tfrac{1}{2}\right) = \tfrac{3}{4}.$$
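Both distinguishers of this exercise as code, added here as a worked example that is not part of the original solution sheet. The prime $p = 23$ and generator $g = 5$ are assumed toy parameters, chosen so small that the entire $\widehat{\mathrm{KE}}^{\mathrm{eav}}_{A,\Pi}$ game can be enumerated and the success probabilities $\frac{5}{8}$ and $\frac{3}{4}$ come out exactly rather than as sample estimates. `legendre` is Euler's criterion from the solution; `adv_basic` and `adv_improved` are the adversaries $A$ and $A'$.

```python
"""Quadratic-residue distinguishers against Diffie-Hellman over all of Z_p^*.

Added worked example, not part of the original solution sheet. P and G are
assumed toy parameters (p = 23, g = 5), small enough to enumerate the
KE-eav game exactly.
"""
from fractions import Fraction
from itertools import product

P = 23   # assumed prime; Z_23^* is cyclic of order p - 1 = 22
G = 5    # assumed generator of Z_23^* (order 22, verified by is_generator)


def is_generator(g: int, p: int) -> bool:
    """Brute-force check that g generates all of Z_p^* (fine for a toy p)."""
    return len({pow(g, i, p) for i in range(p - 1)}) == p - 1


def legendre(x: int, p: int) -> int:
    """Euler's criterion: x^((p-1)/2) mod p is +1 for a residue, -1 for a non-residue."""
    r = pow(x % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def is_qr(x: int, p: int) -> bool:
    return legendre(x, p) == 1


def adv_basic(p: int, gx: int, gy: int, k_star: int) -> int:
    """Adversary A: ignores the transcript, guesses 'real key' (b' = 0) iff k* is a QR."""
    return 0 if is_qr(k_star, p) else 1


def adv_improved(p: int, gx: int, gy: int, k_star: int) -> int:
    """Adversary A': the real key g^{xy} is a QR iff g^x or g^y is a QR."""
    bx, by, b_star = is_qr(gx, p), is_qr(gy, p), is_qr(k_star, p)
    return 0 if b_star == (bx or by) else 1


def success_probability(adv, p: int = P, g: int = G) -> Fraction:
    """Exact Pr[b' = b] for a uniform bit b, enumerating every (x, y) and every k*."""
    pairs = list(product(range(p - 1), repeat=2))    # x, y uniform in Z_{p-1}
    real_ok = rand_ok = 0
    for x, y in pairs:
        gx, gy = pow(g, x, p), pow(g, y, p)
        if adv(p, gx, gy, pow(g, x * y, p)) == 0:    # b = 0: k* = g^{xy}
            real_ok += 1
        for k in range(1, p):                        # b = 1: k* uniform in Z_p^*
            if adv(p, gx, gy, k) == 1:
                rand_ok += 1
    pr_given_b0 = Fraction(real_ok, len(pairs))
    pr_given_b1 = Fraction(rand_ok, len(pairs) * (p - 1))
    return Fraction(1, 2) * (pr_given_b0 + pr_given_b1)


if __name__ == "__main__":
    assert is_generator(G, P)
    print("basic distinguisher:   ", success_probability(adv_basic))
    print("improved distinguisher:", success_probability(adv_improved))
```

The same enumeration shows why the standard fix works: if the protocol is run in the order-$\frac{p-1}{2}$ subgroup $\mathrm{QR}_p$ instead (replace `G` by a square and draw $k^*$ from $\mathrm{QR}_p$), every value the adversary sees is a residue and both `adv_basic` and `adv_improved` drop to probability exactly $\frac{1}{2}$.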
