On the Notion of Pseudo-Free Groups

Slides:



Advertisements
Similar presentations
Models of Computation Prepared by John Reif, Ph.D. Distinguished Professor of Computer Science Duke University Analysis of Algorithms Week 1, Lecture 2.
Advertisements

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Mathematics of Cryptography Part II: Algebraic Structures
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Cryptography and Network Security
CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.
1 Undecidability Andreas Klappenecker [based on slides by Prof. Welch]
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Copyright © Cengage Learning. All rights reserved. CHAPTER 11 ANALYSIS OF ALGORITHM EFFICIENCY ANALYSIS OF ALGORITHM EFFICIENCY.
M. Khalily Dermany Islamic Azad University.  finite number of element  important in number theory, algebraic geometry, Galois theory, cryptography,
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
Controlled Algebras and GII’s Ronald L. Rivest MIT CSAIL IPAM Workshop October 9, 2006.
ICS 253: Discrete Structures I Induction and Recursion King Fahd University of Petroleum & Minerals Information & Computer Science Department.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
UNIT - 2.  A binary operation on a set combines two elements of the set to produce another element of the set. a*b  G,  a, b  G e.g. +, -, ,  are.
Great Theoretical Ideas In Computer Science Anupam GuptaCS Fall 2006 Lecture 15Oct 17, 2006Carnegie Mellon University Algebraic Structures: Groups,
On the Notion of Pseudo-Free Groups Ronald L. Rivest MIT Computer Science and Artificial Intelligence Laboratory TCC 2/21/2004.
11 RSA Variants.  Scheme ◦ Select s.t. p and q = 3 mod 4 ◦ n=pq, public key =n, private key =p,q ◦ y= e k (x)=x (x+b) mod n ◦ x=d k (y)=  y mod n.
Great Theoretical Ideas in Computer Science.
1 Undecidability Andreas Klappenecker [based on slides by Prof. Welch]
Math 3121 Abstract Algebra I Lecture 6 Midterm back over+Section 7.
PROBABILITY AND COMPUTING RANDOMIZED ALGORITHMS AND PROBABILISTIC ANALYSIS CHAPTER 1 IWAMA and ITO Lab. M1 Sakaidani Hikaru 1.
Chapter 7 Algebraic Structures
The Relation Induced by a Partition
Chapter 1 Logic and Proof.
Math 3121 Abstract Algebra I
Assignment 4 is due! Assignment 5 is out and is due in two weeks!
Discrete Math II Howon Kim
Network Security Design Fundamentals Lecture-13
Topic 26: Discrete LOG Applications
Probabilistic Algorithms
On the Size of Pairing-based Non-interactive Arguments
Great Theoretical Ideas in Computer Science
5 Systems of Linear Equations and Matrices
Advanced Algorithms Analysis and Design
Abstract Algebra I.
Great Theoretical Ideas In Computer Science
Quick reviews / corrections
Math 3121 Abstract Algebra I
MATH301- DISCRETE MATHEMATICS Copyright © Nahid Sultana Dr. Nahid Sultana Chapter 4: Number Theory and Cryptography.
Cryptographic protocols 2014, Lecture 2 assumptions and reductions
Jaya Krishna, M.Tech, Assistant Professor
Cryptography Lecture 22.
Cryptography Lecture 23.
Math 344 Winter 07 Group Theory Part 1: Basic definitions and Theorems
Topic 25: Discrete LOG, DDH + Attacks on Plain RSA
Complexity 6-1 The Class P Complexity Andrei Bulatov.
Andreas Klappenecker [based on slides by Prof. Welch]
CSCE 411 Design and Analysis of Algorithms
Soundness of Formal Encryption in the Presence of Key Cycles
Foundations of Network and Computer Security
Cryptography Lecture 21.
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Great Theoretical Ideas in Computer Science
Great Theoretical Ideas in Computer Science
Cryptology Design Fundamentals
Patrick Lee 12 July 2003 (updated on 13 July 2003)
Cryptography Lecture 18.
Cryptography Lecture 17.
Cryptography Lecture 20.
Cryptography Lecture 19.
Cryptography Lecture 21.
Cryptography Lecture 19.
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Network Security Design Fundamentals Lecture-13
Matrix Algebra THE INVERSE OF A MATRIX © 2012 Pearson Education, Inc.
Towards a Classification of Non-interactive Computational Assumptions in Cyclic Groups Essam Ghadafi University of the West of England Jens Groth University.
Mathematical Background : A quick approach to Group and Field Theory
Mathematical Background: Extension Finite Fields
Presentation transcript:

On the Notion of Pseudo-Free Groups Ronald L. Rivest MIT Computer Science and Artificial Intelligence Laboratory TCC 2/21/2004

Outline Assumptions: complexity-theoretic, group-theoretic Groups: Math, Computational, BB, Free Weak pseudo-free groups Equations over groups and free groups Pseudo-free groups Implications of pseudo-freeness Open problems

Cryptographic assumptions Computational cryptography depends on complexity-theoretic assumptions.  two types: Generic: OWF, TDP, P!=NP, ... Algebraic: Factoring, RSA, DLP, DH, Strong RSA, ECDLP, GAP, WPFG, PFG, … We’re interested in algebraic assumptions ( about groups )

Groups Familiar algebraic structure in crypto. Mathematical group G = (S,*): binary operation * defined on (finite) set S: associative, identity, inverses, perhaps abelian. Example: Zn* (running example). Computational group [G] implements a mathematical group G. Each element x in G has one or more representations [x] in [G]. E.g. [Zn*] via least positive residues. Black-box group: pretend [G] = G.

Free Groups Generators: a1, a2, …, at Symbols: generators and their inverses. Elements of free group F(a1, a2, …, at) are reduced finite sequences of symbols---no symbol is next to its inverse. ab-1a-1bc is in F(a,b,c) ; abb-1 is not. Group operation: concatenation & reduction. Identity: empty sequence ε (or 1).

Free Group Properties Free group is infinite. In a free group, every element other than the identity has infinite order. Free group has no nontrivial relationships. Reasoning in a free group is relatively straightforward and simple;  “Dolev-Yao” for groups… Every group is homomorphic image of a free group.

Abelian Free Groups There is also abelian free group FA(a1, a2, …, at), which is isomorphic to Z x Z x … x Z (t times). Elements of FA(a1, a2, …, at) have simple canonical form: a1e1a2e2…atet We will often omit specifying abelian; most of our definitions have abelian and non-abelian versions.

Pseudo-Free Groups (Informal) “A finite group is pseudo-free if it can not be efficiently distinguished from a free group.” Notion first expressed, in simple form, in Susan Hohenberger’s M.S. thesis. We give two formalizations, and show that assumption of pseudo-freeness implies many other well-known assumptions.

1 a b 1 a b Cayley graph of finite group Cayley graph of free group

Two ways of distinguishing In a weak pseudo-free group (WPFG), adversary can’t find any nontrivial identity involving supplied random elements: a2 b5 c-1 = 1 (!) In a (strong) pseudo-free group (PFG), adversary can’t solve nontrivial equations: x2 = a3 b

Weak Pseudo-freeness A family of computational groups { Gk } is weakly pseudo-free if for any polynomial t(k) a PPT adversary has negl(k) chance of: Accepting t(k) random elements of Gk, a1, … ,at(k) Producing any word w over the symbols a1, … ,at(k) a1-1, … ,at(k)-1 when interpreted as a product in Gk using the obtained random values, yields the identity 1 , while w does not yield 1 in the free group. Adversary may use compact notion (exponents, straight-line programs) when describing w.

Order problem Theorem: In a WPFG, finding the order of a randomly chosen element is hard. Proof: The equation ae = 1 does not hold for any e in FA(a). No element other than 1 in a free group has finite order.

Discrete logarithm problem Theorem: In a WPFG, DLP is hard. Proof: The equation ae = b does not hold for any e in FA(a,b); a and b are distinct independent generators, one can not be power of other.

Subgroups of PFG’s Subgroup Theorem for WPFG’s: If G is a WPFG, and g is chosen at random from G, then <g> is a WPFG. [not in paper] Proof sketch: Ability to find nontrivial identities in <g> can be shown to imply that g has finite order. ==> DLP is hard in WPFG even if we enforce “promise” that b is a (random) power of a . Similar proof implies that QRn is WPFG when n = (2p’+1)(2q’+1).

Equations in Groups Let x, y, … denote variables in group. Consider the equation x2 = a (*) This equation may be satisfiable in Zn* (when a is in QRn), but this equation is never satisfiable in a free group, since reduced form of x2 always has even length. Exhibiting a solution to (*) in a group G is another way to demonstrate that G is not a free group.

Equations in Free Groups Can always be put into form: w = 1 where w is sequence over symbols of group and variables. It is decidable (Makanin ’82) in PSPACE (Gutierrez ’00) whether an equation is satisfiable in free group. Multiple equations equivalent to single one. For abelian free group it is in P. Also: if equation is unsatisfiable in FA() it is unsatisfiable in F().

Pseudo-freeness A family of computational groups { Gk } is pseudo-free if for any poly’s t(k), m(k) a PPT adversary has negl(k) chance of: Accepting t(k) random elements of Gk, Producing any equation E(a1,…,at(k),x1,…,xm(k)): w = 1 with t(k) generator symbols and m(k) variables that is unsatisfiable over F(a1,…,at(k)) Producing a solution to E over Gk, with given random elements substituted for generators.

Main conjecture Conjecture: { Zn* } is a (strong) (abelian) pseudo-free group aka “Super-strong RSA conjecture” What are implications of PFG assumption?

RSA and Strong RSA Theorem: In a PFG, RSA assumption and Strong RSA assumptions hold. Proof: For e>1 the equation xe = a is not satisfiable in FA(a) (and also thus not in F(a)).

Taking square roots Theorem: In a PFG, taking square roots of randomly chosen elements is hard. Proof: As noted earlier, the equation x2 = a (*) has no solution in FA(a) or F(a). Note the importance of forcing adversary to solve (*) for a random a; it wouldn’t do to allow him to take square root of, say, 4 .

Computational Diffie-Hellman  CDH: Given g , a = ge, and b = gf, computing x = gef is hard. Conjecture: CDH holds in a PFG. Remark: This seems natural, since in a free group there is no element (other than 1) that is simultaneously a power of more than one generator. Yet the adversary merely needs to output x; there is no equation involving x that he must output.

Open problems Show factoring implies Zn* is PFG. Show CDH holds in PFG’s. Show utility of PFG theory by simplifying known security proofs. Determine is satisfiability of equation over free group is decidable when variables include exponents. Extend theory to groups of known size (e.g. mod p), and adaptive attacks (adversary can get solution to some equations of his choice for free).

( THE END ) Safe travels!