1. B504/I538: Introduction to Cryptography
Spring • Lecture 20
(2017—03—23)

2. Recall: Modular eth roots
Defn: Let n and e be positive integers and let a∈℥n. Then b∈℥n is called an eth root of a modulo n if
We write b≡a1/e mod n to indicate that b is an eth root of a modulo n.
a≡be mod n.
???
Q: When does a unique solution for a1/e mod n exist? A: If gcd(e，φ(n))=1, then a1/e≡ad mod n where d≔e-1 mod φ(n) If gcd(e，φ(n))≠1, then a1/e may or may not exist; if it does exist, it is not unique

3. Recall: The eth root problem
Defn: The eth root problem (aka the RSA problem) is: Given (n，e，a) such that
n=pq for distinct s-bit primes p and q,
a∈℥n, and
gcd(e，φ(n))=1,
compute a1/e mod n.
One possible solution: compute d≔e-1 mod φ(n) and output ad mod n
Fact: Computing d≔e-1 mod φ(n) is equivalent to factoring n!

4. Recall: Discrete logarithms
Defn: Let G be a group with |G|=n and let g，h∈G. A discrete logarithm (DL) of h to the base g in G is a number x∈ℤn such that
We write x=logg h to indicate that x is a DL of h to the base g
???
h=gx in G.
Q: Does the DL of h to the base g always exist? A: No! But it does always exists if g is a generator of G. Q: If the DL of h to the base g exists, is it unique? A: Sort of… If x1 and x2 are DLs of h to the base g, then x1≡x2 mod |g| (i.e., the DL is unique in ℤ|g|).

5. Recall: The DL problem Defn: The DL problem is:
Given (G，q，g，h) such that
(G，•) is a cyclic group of s-bit prime order q,
g is a generator of G, and
h is an arbitrary element of G,
compute x≡logg h.
If (G，+) is an additive group, then the DL problem is, given (G，q，g，h) as above, to compute k such that k·g=h in G.

6. Intractable problems
Intuitively, a problem is intractable if no PPT algorithm can solve a uniform random instance the problem, except with negligible probability
Q: How do we formalize the notion of intractability for problems defined in a finite group?
A: Very carefully…
Algorithm must be PPT in what parameter?
Success probability must be negligible in what parameter?
Instance must be uniform random instance from what sample space?

7. Group generating algorithm
The DL problem is both defined in a finite group ⇒ no parameter to grow large!
Problem may be easy in some groups and hard in others
Defn: A group generating algorithm Ｇ is a PPT algorithm that, on input a security parameter 1s∈1ℕ, outputs a description of a finite group (G，•) with s-bit prime order q and a fixed generator g∈G. We write (G，q，g)← Ｇ(1s) to indicate that (G，•) is a group with s-bit prime order q and generator g, sampled from the output of Ｇ.

8. Group generating algorithm
Idea: Don’t consider problem instances in a particular fixed group (G，•); rather, consider instances in groups (G，q，g)←Ｇ(1s) sampled from a fixed group generating algorithm Ｇ!
Q: How do we formalize the notion of intractability for problems defined in a finite group?
Q1: Algorithm must be PPT in what parameter?
A1: The security parameter s such that (G，q，g)←Ｇ(1s)
Q2: Success probability must be negligible in what parameter?
A2: The security parameter s such that (G，q，g)←Ｇ(1s)
Q3: Instance must be uniform random instance from what sample space?
A3: The set of problem instances in (G，•)

9. The DL assumption
Challenger (C)
Attacker (A)
1 s
1 s
(G，q，g)←Ｇ(1 s)
x∊℥q h≔gx
(G，q，g，h) x’
Let E be the event that x≡x’ mod q
Define A’s advantage to be AdvDL,Ｇ(A)≔Pr[E]
Defn: Let Ｇ be a fixed group generating algorithm. The discrete logarithm (DL) assumption holds with respect to Ｇ if, for every PPT algorithm A, there exists a negligible function ε：ℕ→ℝ+ such that AdvDL，Ｇ(A)≤ε(s).

10. Average-case hardness of DL
Thm (informal): Let (G，•) be a group with prime order q. If the DL problem in is hard for some instance, then it is hard for almost every instance!
Proof (sketch): Assume that it is hard to compute x≡logg h in (G，•)
Idea: Reduce hardness of computing x≡logg h to hardness of solving a uniform random instance in (G，•)
Randomize g: (G，q，g，h)→(G，q，gr，h) for r∊℥q ⇒ logg h≡(loggr h)•r mod q
Randomize h: (G，q，g，h)→(G，q，g，hs) for s∊℥q ⇒ logg h≡(logg hs)•s-1 mod q ☐

11. RSA instance generating algorithm
Defn: An RSA instance generating algorithm Ｇ is a PPT algorithm that, on input a security parameter 1s∈1ℕ, outputs a pair of distinct s-bit primes (p，q) and e∊℥φ(pq). We write (p，q，e)← Ｇ(1s) to indicate that s-bit primes (p，q) and e∈℥φ(pq) are sampled from the output of Ｇ.

12. The eth root assumption
Challenger (C)
Attacker (A)
1 s
(p，q，e)←Ｇ(1 s) N≔p·q
a∊℥N b≔ae mod N
1 s
(N，e，b) a’
Let E be the event that a≡a’ mod N
Define A’s advantage to be AdvRSA,Ｇ(A)≔Pr[E]
Defn: Let Ｇ be a fixed RSA instance generating algorithm. The eth root (RSA) assumption holds with respect to Ｇ if, for every PPT algorithm A, there exists a negligible function ε：ℕ→ℝ+ such that AdvRSA，Ｇ(A)≤ε(s).

13. The RSA trapdoor permutation
Observation: The eth root assumption is qualitatively different from the DL assumption
In DL assumption, attacker gets complete output of Ｇ
In eth root assumption, attacker learns N=p·q but not p and q; if attacker knows (p，q) the eth root problem is easy!
This is our first example of a trapdoor permutation with (p，q) being the trapdoor
More on this later…

14. Diffie-Hellman key exchange protocol
What if Alice and Bob don’t
already share a secret ket?
Enc (m)
Alice
Bob
Eve
m =?

15. Diffie-Hellman key exchange protocol
a∊℥q
b∊℥q
≔h((gb)a)
≔h((ga)b) ga gb
Enc (m)
Alice
Bob
Eve =?
m=?
Suppose (G，q，g)←Ｇ(1s) for some group generating algorithm Ｇ

16. Security of Diffie-Hellman key exchange
Q: Suppose the DL assumption holds with respect to Ｇ Is the Diffie-Hellman protocol “secure” in the presence of an eavesdroppers?
A: Errr…well, probably?
DL assumption implies that it is hard for an eavesdropper to compute a from ga or b from gb
But, is it hard to compute gab from ga and gb?

17. Diffie-Hellman assumption
Challenger (C)
Attacker (A)
1 s
1 s
(G，q，g)←Ｇ(1 s)
a,b∊℥q h1≔ga, h2≔gb
(G，q，g，h1，h2) h
Let E be the event that h=gab
Define A’s advantage to be AdvCDH,Ｇ(A)≔Pr[E]
Defn: Let Ｇ be a group generating algorithm. The (computational) Diffie-Hellman (CDH) assumption holds with respect to Ｇ if, for every PPT algorithm A, there exists a negligible function ε：ℕ→ℝ+ such that AdvCDH,Ｇ(A)≤ε(s).

18. Decision Diffie-Hellman assumption
A tuple (G，q，g，ga，gb，h) is a DH tuple if and only if h=gab
Game 0: (input to A is a DH tuple)
1s∈1ℕ
1s∈1ℕ
Challenger
Distinguisher (D)
(G，q，g)←Ｇ(1 s)
a，b∊℥q
(G，q，g，ga，gb，gab)
b’∈{0，1}
Game 1: (input to A is not a DH tuple)
1s∈1ℕ
Challenger
Distinguisher (D)
1s∈1ℕ
(G，q，g)←Ｇ(1 s)
a，b，c∊℥q
(G，q，g，ga，gb，gc)
b’∈{0，1}
Let E be the event that b’=0 in Game 0 or b’=1 in Game 1 17
Defn: AdvDDH,Ｇ(D)≔|Pr[E]- ½|

19. Decision Diffie-Hellman assumption
Defn: Let Ｇ be a group generating algorithm. The Decision Diffie-Hellman (DDH) assumption holds with respect to Ｇ if, for every PPT algorithm A, there exists a negligible function ε：ℕ→ℝ+ such that AdvDDH,Ｇ(A)≤ε(s).

20. The DL, CDH, and DDH assumptions
Thm: Let Ｇ be a group generating algorithm.
Fact 1: If the DDH assumption holds with respect to Ｇ, then the CDH assumption also holds with respect to Ｇ.
The converse is believed to be false.
Fact 2: If the CDH assumption holds with respect to Ｇ, then the DL assumption also holds with respect to Ｇ.
The converse is not known to be true.

21. Public-key encryption schemes
Defn: A public-key encryption scheme is a triple of algorithms (Gen, Enc, Dec) such that
Gen：1ℕ→Ｋe×Ｋd is a randomized “keypair generation” algorithm;
Enc：Ｋe×Ｍ→Ｃ is an (often randomized) “encryption” algorithm;
Dec：Ｋd×Ｃ→Ｍ is a deterministic “decryption” algorithm.
Usually write Encke(m) and Deckd(m) instead of Enc(ke,m) and Dec(kd,m)
Ｋe is the encryption key space
Ｋd is the decryption key space
Ｍ is the message space
Ｃ is the ciphertext space
(set of possible encryption keys)
(set of possible decryption keys)
(set of possible messages)
(set of possible ciphertexts)

22. Pr[Deckd(Encke(m))=m｜(ke,kd)←Gen(1s)]≥1-ε(s)
Correctness
Intuitively: Correctness is the property of being able to decrypt (given the appropriate decryption key)
Defn: A public-key encryption scheme (Gen, Enc, Dec) with message space M is correct if there exists a negligible function ε：ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈Ｍ,
Pr[Deckd(Encke(m))=m｜(ke,kd)←Gen(1s)]≥1-ε(s)

23. That’s all for today, folks!