
CS 4803 Computer and Network Security: Hard problems for public-key crypto. Discrete log.



  1. CS 4803 Computer and Network Security. Alexandra (Sasha) Boldyreva. Hard problems for public-key crypto. Discrete log.

     • As no encryption scheme besides the OneTimePad is unconditionally secure, we need to find some building blocks - hard problems (assumptions about hardness of some problems) to base security of our new encryption schemes on.
     • Block ciphers and their PRF security is not an option since now we don't have shared keys in the public-key (asymmetric-key) setting.
     • Let's consider the discrete log related problems and the RSA problem.

     Discrete-log related problems

     • Let $G$ be a cyclic group and let $m = |G|$. The discrete logarithm function $\mathrm{DLog}_{G,g}(a): G \to \mathbb{Z}_m$ takes $a \in G$ and returns $i \in \mathbb{Z}_m$ such that $g^i = a$.
     • There are several computational problems related to this function:
       • Discrete-logarithm (DL) problem
       • Computational Diffie-Hellman (CDH) problem
       • Decisional Diffie-Hellman (DDH) problem

     | Problem | Given | Figure out |
     |---|---|---|
     | Discrete logarithm (DL) | $g^x$ | $x$ |
     | Computational Diffie-Hellman (CDH) | $g^x, g^y$ | $g^{xy}$ |
     | Decisional Diffie-Hellman (DDH) | $g^x, g^y, g^z$ | Is $z \equiv xy \pmod{|G|}$? |

     DL problem

     • Def. Let $G$ be a cyclic group and let $m = |G|$. Let $g$ be a generator. Consider the following experiment associated with an adversary $A$.

       Experiment $\mathrm{Exp}^{\mathrm{dl}}_{G,g}(A)$
         $x \xleftarrow{\$} \mathbb{Z}_m$ ; $X \leftarrow g^x$
         $\bar{x} \leftarrow A(X)$
         If $g^{\bar{x}} = X$ then return 1 else return 0

     • The dl-advantage of $A$ is defined as the probability of the above experiment outputting 1.
     • The discrete logarithm problem is said to be hard in $G$ if the dl-advantage of any adversary with reasonable resources is small.

  2. CDH

     • Def. Let $G$ be a cyclic group of order $m$. Let $g$ be a generator. Consider the following experiment associated with an adversary $A$.

       Experiment $\mathrm{Exp}^{\mathrm{cdh}}_{G,g}(A)$
         $x \xleftarrow{\$} \mathbb{Z}_m$ ; $y \xleftarrow{\$} \mathbb{Z}_m$
         $X \leftarrow g^x$ ; $Y \leftarrow g^y$
         $Z \leftarrow A(X, Y)$
         If $Z = g^{xy}$ then return 1 else return 0

     • The cdh-advantage of $A$ is defined as the probability of the above experiment outputting 1.
     • The computational Diffie-Hellman (CDH) problem is said to be hard in $G$ if the cdh-advantage of any adversary with reasonable resources is small.

     DDH

     • Def. Let $G$ be a cyclic group of order $m$. Let $g$ be a generator. Consider the following experiments associated with an adversary $A$.

       Experiment $\mathrm{Exp}^{\mathrm{ddh\text{-}1}}_{G,g}(A)$
         $x \xleftarrow{\$} \mathbb{Z}_m$
         $y \xleftarrow{\$} \mathbb{Z}_m$
         $z \leftarrow xy \bmod m$
         $X \leftarrow g^x$ ; $Y \leftarrow g^y$ ; $Z \leftarrow g^z$
         $d \leftarrow A(X, Y, Z)$
         Return $d$

       Experiment $\mathrm{Exp}^{\mathrm{ddh\text{-}0}}_{G,g}(A)$
         $x \xleftarrow{\$} \mathbb{Z}_m$
         $y \xleftarrow{\$} \mathbb{Z}_m$
         $z \xleftarrow{\$} \mathbb{Z}_m$
         $X \leftarrow g^x$ ; $Y \leftarrow g^y$ ; $Z \leftarrow g^z$
         $d \leftarrow A(X, Y, Z)$
         Return $d$

     • The ddh-advantage of $A$ is defined as the difference between probabilities of outputting 0 in two experiments.
     • The decisional Diffie-Hellman (DDH) problem is said to be hard in $G$ if the ddh-advantage of any adversary with reasonable resources is small.

     Relations between problems

     • Fix a group and a generator.

       Can solve DL ⇒ Can solve CDH ⇒ Can solve DDH
       DDH is hard ⇒ CDH is hard ⇒ DL is hard

     • Hardness of the problems depends on the choice of a group.

     • For most groups there is an algorithm that solves the DL problem in $O(|G|^{1/2})$.
     • Let's consider $G = \mathbb{Z}_p^*$ for a prime $p$.
     • Claim [DDH is easy]. Let $p \ge 3$ be a prime, let $G = \mathbb{Z}_p^*$, and let $g$ be a generator of $G$. Then there is an adversary $A$, with running time $O(|p|^3)$ and ddh-advantage 1/2.

  3. • Proof. The idea is to compute and analyze the Legendre symbols of the inputs.

       Adversary $A(X, Y, Z)$
         Return 1 if (Z and (X or Y) are squares)
                  or (Z and X and Y are non-squares)   // (by computing the Legendre symbols of X, Y, Z)

     • We claim that (see the related facts)

       $\Pr\left[\mathrm{Exp}^{\mathrm{ddh\text{-}1}}_{G,g}(A) = 1\right] = 1$

       $\Pr\left[\mathrm{Exp}^{\mathrm{ddh\text{-}0}}_{G,g}(A) = 1\right] = \frac{1}{2}$

       Subtracting, and noting that computing the Legendre symbol takes cubic time in $|p|$ (computed via exponentiation), we get the statement.

     • The best algorithm to solve the CDH problem in $\mathbb{Z}_p^*$ is (seems to be) by solving the DL problem.
     • The (seemingly) best algorithm to solve the DL problem is the GNFS (General Number Field Sieve) that runs in

       $O\left(e^{(C + o(1)) \cdot \ln(p)^{1/3} \cdot (\ln\ln(p))^{2/3}}\right)$

       where $C \approx 1.92$.
     • If the prime factorization of the order of the group is known: if $p - 1 = p_1^{\alpha_1} \cdots p_n^{\alpha_n}$, then the DL problem can be solved in time in the order of

       $\sum_{i=1}^{n} \alpha_i \cdot \left(\sqrt{p_i} + |p|\right)$

     • Thus if we want the DL problem to be hard, then at least one prime factor needs to be large. E.g. $p = 2q + 1$, where $q$ is a large prime.

     • We often want the DDH problem to be hard.
     • The DDH problem is believed to be hard in several groups, e.g.
       • $QR(\mathbb{Z}_p^*)$ - the subgroup of quadratic residues of $\mathbb{Z}_p^*$ where $p = 2q + 1$ and $p, q$ are primes. It's a cyclic group of prime order.
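The claim that DDH is easy in $\mathbb{Z}_p^*$, and the reason the slides move to $QR(\mathbb{Z}_p^*)$, can be checked empirically. The following is an added example, not part of the original slides: it runs the Legendre-symbol adversary in both DDH experiments, first in the full group and then in the subgroup of quadratic residues. The toy prime 1019 = 2·509 + 1, the seed, and all function names are assumptions chosen for illustration.

```python
import random

P, Q = 1019, 509   # constructed toy safe prime p = 2q + 1 (far too small for real use)

def is_square(a, p):
    """Legendre symbol via Euler's criterion: a^((p-1)/2) = 1 mod p iff a is a square."""
    return pow(a, (p - 1) // 2, p) == 1

def adversary(X, Y, Z, p):
    """Output 1 iff Z is a square exactly when X or Y is a square."""
    return 1 if is_square(Z, p) == (is_square(X, p) or is_square(Y, p)) else 0

def find_generator(p, q):
    """Smallest generator of Z_p^* for p = 2q + 1: its order is not 1, 2 or q."""
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g

def ddh_experiment(b, g, m, p, rng):
    """Exp^{ddh-b}: z = xy mod m if b == 1, uniform in Z_m if b == 0."""
    x, y = rng.randrange(m), rng.randrange(m)
    z = (x * y) % m if b == 1 else rng.randrange(m)
    return adversary(pow(g, x, p), pow(g, y, p), pow(g, z, p), p)

def success_rates(g, m, p, trials=4000, seed=4803):
    """Empirical (Pr[Exp^{ddh-1} = 1], Pr[Exp^{ddh-0} = 1]) for the adversary."""
    rng = random.Random(seed)   # seeded PRNG for a repeatable simulation, not for keys
    p1 = sum(ddh_experiment(1, g, m, p, rng) for _ in range(trials)) / trials
    p0 = sum(ddh_experiment(0, g, m, p, rng) for _ in range(trials)) / trials
    return p1, p0

def compare_groups():
    """Run the adversary in Z_p^* (order p - 1) and in QR(Z_p^*) (prime order q)."""
    g = find_generator(P, Q)   # generates Z_p^*
    h = pow(g, 2, P)           # a square of order q, so it generates QR(Z_p^*)
    return success_rates(g, P - 1, P), success_rates(h, Q, P)

if __name__ == "__main__":
    full, qr = compare_groups()
    print("Z_p^*     : Pr[ddh-1 = 1] = %.3f, Pr[ddh-0 = 1] = %.3f" % full)
    print("QR(Z_p^*) : Pr[ddh-1 = 1] = %.3f, Pr[ddh-0 = 1] = %.3f" % qr)
```

In the subgroup every element is a square, so the adversary answers 1 in both experiments and its advantage drops to zero; this rules out only this particular distinguisher and is not evidence that DDH is hard there.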
