Cryptographic protocols 2014, Lecture 2 assumptions and reductions

1 Cryptographic protocols 2014, Lecture 2 assumptions and reductions
Helger Lipmaa University of Tartu, Estonia

2 Motivation
- Assume Alice designs a protocol. How to make sure it is secure?
- Approach 1: proof by intimidation ("don't you trust me"), also known as "tautology":
  Theorem. Assume Protocol X is secure. Then Protocol X is secure.

3 Motivation: unconditional security
- Approach 2 (much better): prove that the protocol is secure
- Problem: this is only known how to do for a small number of protocols; it needs major advances in complexity theory
- It is not known how to prove that any function takes more than a linear number of steps to compute

4 Motivation: computational security
- Approach 3 (mostly correct): make an assumption
  - assume that some well-known problem (say, factoring) is hard
  - prove that if that assumption holds, then your protocol is secure

5 Security verification
                       | Protocol designer's task                              | Security verifier's task
proof by intimidation  | Simpler: no need to prove anything                    | Spend years cryptanalyzing OR trust the protocol
proof by reduction     | More complex: must reduce security to some assumption | Verify the usually short reduction. Trust the assumption

6 Some known assumptions
- Factoring and friends
- Discrete logarithm and friends
- Lattice assumptions
- Coding-theoretic assumptions
- ...
- Many more protocols, many assumptions

"The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic." (Carl Friedrich Gauss)

7 Some assumptions
Factoring, RSA, Strong RSA, Discrete Log, CDH, DDH, SVP, CVP, LWE, RLWE, gapSVP, DCRA, various pairing assumptions

8 Some assumptions: underlying mathematical structure
- Number-theoretic, ℤ_n: Factoring, RSA, Strong RSA, DCRA
- Number-theoretic, finite cyclic groups: Discrete Log, CDH, DDH, various pairing assumptions
- Lattice: SVP, CVP, LWE, RLWE, gapSVP

9 Some assumptions: security against quantum computers
- Insecure: Factoring, RSA, Strong RSA, DCRA, Discrete Log, CDH, DDH, various pairing assumptions
- Secure(?): SVP, CVP, LWE, RLWE, gapSVP

10 Some assumptions: strength/familiarity
The same assumptions (Factoring, RSA, Strong RSA, Discrete Log, CDH, DDH, SVP, CVP, LWE, RLWE, gapSVP, DCRA, various pairing assumptions) arranged on an axis from weaker/known (more assurance) to stronger/less known (often more efficient).

11 Choice of assumption: tradeoff
- More security assurance or better efficiency?
- Quantum security?
- Number-theoretic flavor? Any algebra needed by the goal?
- Compatibility with other protocols
- Some protocols are impossible/very inefficient with some assumptions

12 Assumption = everything
- Choice of the assumption is very important
- Seeing an assumption already gives a flavor of what can(not) be done efficiently
- So let's learn some

13 Recall: isomorphism
Assume G₁ is additive and G₂ is multiplicative.
- f : G₁ → G₂ is an isomorphism if it agrees with the group operations:
  f(x + y) = f(x) f(y), f(0) = 1, f(-x) = f(x)⁻¹
- Two groups are isomorphic if there exists an isomorphism between them

14 Isomorphic = equal
Diagram: (G₁, +) → f → (G₂, ·), and back via f⁻¹.
- In mathematics, isomorphic groups are considered to be "essentially the same": they have the same structure
- Instead of executing the group operation in one group, you can map to the other group, do the group operation there, and then map back
- f can be thought of as a data representation ... assuming both f and f⁻¹ can be computed efficiently

15 One-way isomorphisms
f : G₁ → G₂ is a one-way isomorphism if
- f is an isomorphism
- f can be computed efficiently
- f⁻¹ cannot be computed efficiently (an assumption: it is not known how to prove such things)

16 One-way isomorphic ≠ equal
Diagram: (G₁, +) → f → (G₂, ·) is efficient; f⁻¹ back to G₁ is not efficient.

17 Recall: exponentiation
- exp_g : ℤ_q → G, exp_g(m) = gᵐ
- exp_g is an isomorphism: gᵐ⁺ⁿ = gᵐ gⁿ, g⁰ = 1, g⁻ᵐ = 1 / gᵐ

18 Is Exp one-way?
- What do you think? Depends on the group
- Easy cases:
  - (ℝ*, ·): the inverse of exp is the logarithm
  - (ℤ, +), (ℤ_q, +): exp = multiplication, inverse = division
- In finite groups, the inverse of exp is called the discrete logarithm

19 Hard DL groups: Instantiation 1
- Let p be a big prime (3000+ digits)
- The order of ℤ_p* = {1, 2, ..., p - 1} is p - 1
- Let q | p - 1 be a smaller prime (160+ digits)
- By the Sylow theorem, ℤ_p* has a unique subgroup G of order q
- DL is assumed to be hard in G
- Best known algorithms to break DL in G have subexponential complexity in |p| and exponential complexity in |q|
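A toy construction of Instantiation 1, added here as an example (not part of the lecture slides): it finds a prime p with q | p - 1, picks a generator g of the unique order-q subgroup of ℤ_p*, and checks the isomorphism rules of exp_g from slide 17. The parameters are deliberately tiny so each step can be followed by hand, and the function and variable names are my own.

```python
# Added example, not from the slides: build a toy instance of Instantiation 1
# (prime p with q | p-1, generator g of the unique order-q subgroup of Z_p^*)
# and check that exp_g(m) = g^m satisfies the isomorphism rules of slide 17.
import random

def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def instantiation1(q: int, seed: int = 0) -> tuple:
    """Return (p, g) with p prime, q | p-1, and g of order exactly q in Z_p^*."""
    assert is_prime(q), "q must be prime"
    rng = random.Random(seed)
    k = 2
    while not is_prime(k * q + 1):      # search for a prime p = k*q + 1
        k += 1
    p = k * q + 1
    # h^((p-1)/q) always lands in the order-q subgroup (unique, by Sylow);
    # q is prime, so any such element other than 1 generates that subgroup.
    while True:
        h = rng.randrange(2, p)
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, g

def order(g: int, p: int) -> int:
    """Multiplicative order of g in Z_p^*, by brute force."""
    x, n = g, 1
    while x != 1:
        x = x * g % p
        n += 1
    return n

def exp_is_isomorphism(g: int, p: int, q: int, trials: int = 100, seed: int = 1) -> bool:
    """Random check of g^(m+n) = g^m g^n, g^0 = 1 and g^(-m) = 1/g^m for m, n in Z_q;
    the inverse 1/g^m is computed as (g^m)^(p-2) mod p (Fermat)."""
    rng = random.Random(seed)
    for _ in range(trials):
        m, n = rng.randrange(q), rng.randrange(q)
        if pow(g, (m + n) % q, p) != pow(g, m, p) * pow(g, n, p) % p:
            return False
        if pow(g, (-m) % q, p) != pow(pow(g, m, p), p - 2, p):
            return False
    return pow(g, 0, p) == 1
```

For q = 101 the search yields p = 607 = 6 · 101 + 1, and order(g, p) confirms that g has order exactly q.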

20 Reminder: basic complexity theory
- Running time T(n) of an algorithm = function of the input length n
- Example: the running time of exponentiation is a function of the bitlength n of the group elements; simplification: in ℤ_q, n = log q
- Efficient algorithm: T(n) is polynomial in n, e.g. T(n) = 1000 · n⁶
- Inefficient algorithm: T(n) is not polynomial in n, e.g. T(n) = n^(log n)

21 Efficient vs inefficient
- A superpolynomial algorithm might be more efficient for small n ...
- ... but it will eventually become less efficient

22 Complexity in cryptography
- When we encrypt, security should not depend on the message length but, say, on the key size
- Instead of the input length n, take a security parameter κ; usually κ is related to the key length
- First, fix κ so that T(κ) of attacks is big and T(κ) of "honest" algorithms is small
- Finally, choose the corresponding key

23 Corollaries of complexity
- Most algorithms work with an undetermined κ
- In practical implementations, fix κ so that the protocol is fast but attacks are assumed to be hard, e.g. attacks take time 2⁸⁰
- If attacks are improved somewhat, increase κ accordingly

24 Choosing p
Graph (horizontal axis: log p; vertical axis: log of time) with two curves: the time of index calculus (best known DL algorithm, approx.) and the time of exponentiation (approx.). An efficient protocol has a small value on the exponentiation curve. The graph is too optimistic, so p is chosen much larger.

25 Complexity notation
- Θ(f(n)): asymptotically c f(n) for some constant c; e.g. 100 n² + 20 n - 10 = Θ(n²)
- O(f(n)): any function that does not grow faster than Θ(f(n))
- o(f(n)): any function that grows slower than Θ(f(n))
- Ω(f(n)): any function that does not grow slower than Θ(f(n))
- ω(f(n)): any function that grows faster than Θ(f(n))

26 Quiz
Question: What is (n⁸ + n + 1) / (n² + n + 1)?
Answer: it is n⁶ + smaller terms, thus Θ(n⁶).

27 Complexity notation
- polynomial: poly(n) = n^(O(1)), not faster than any polynomial
- superpolynomial: n^(ω(1)), faster than any polynomial
- exponential: 2^(Θ(n))
- negligible: negl(n) = n^(-ω(1)), slower than the inverse of any polynomial
- linear: Θ(n), asymptotically c n for some constant c
- etc.: logarithmic, superlogarithmic, sublinear

28 Best known DL algorithms
- Any group of order q, n := log q: baby-step-giant-step and Pohlig-Hellman algorithms, O(√q) (generic algorithms: they only use group operations)
- Instantiation 1, parameters p and q:
  - index calculus, O(e^(√(2 ln p ln ln p)))
  - BSGS/PH algorithms, O(√q)
  - recent advances in groups of order pᵐ for midsize m
- DL in any group can be broken by using a quantum computer

29 Hard DL groups: Instantiation 2, elliptic curve groups
- Let q be a small prime (160+ digits)
- The elliptic curve group G has order q
- Definition complicated (see supplementary notes)
- DL is assumed to be hard in a well-chosen G
- Best known algorithms to break DL in G have exponential complexity in |q|

30 Comparison of instantiations
                               | Parameters     | Group element representation | Complexity of multiplication | Security
ℤ_p*                           | q, log q ≥ 160 | log p                        | O((log p)^1.58)              | 2⁸⁰
E.C.G. (elliptic curve group)  | q, log q ≥ 160 | log q                        | O((log q)^1.58)              | 2⁸⁰

- Multiplication: asymptotically not optimal, but good for inputs of that size; the exponent 1.58 is due to the Karatsuba algorithm
- q is much smaller than p, though the constant in O( ) is larger

31 Quiz
Question: What is the asymptotic efficiency of exponentiation in the first instantiation?
Options:
- Θ((log p)^1.58)
- O((log p)^2.58)
- O((log p)^3)
- Ω((log q)^1.58)
- O((log q)^2.58)
- o((log q)⁶)
- O((log p)^1.58 log q)
- o((log p)^2.58)
- O((log q)^1.58 log p)
- Ω(1)
- Θ((log q)^5.16)
- ω((log p)^1.58)

Derivation:
- q = 2^(O(κ)), thus log q = Θ(κ)
- 2^κ = O(e^√(ln p ln ln p)), thus log p = Θ(κ² / log κ)
Answer: complexity of multiplication times Θ(log p) multiplications: Θ((log p)^2.58) = Θ(κ^5.16 / (log κ)^2.58).

32 DL assumption: formal
Informally, we need that inverting exponentiation is hard. Complications, and how the formal definition handles them:
- When the exponent is smaller than L, one can compute DL in Θ(√L) steps → the exponent must be random (e.g., the exponent is the secret key)
- Inverting is impossible when g = 1 → g must be a generator
- Inverting is always possible with probability 1 / q (guessing the answer randomly) → a break is only successful when the adversary's advantage is >> 1 / q
- Security must hold against probabilistic algorithms that can use random numbers

33 Security game
- A challenger generates values from some fixed "valid" distributions and sends them to the adversary A
- After some computation, A returns some value to the challenger
- Depending on the input and the output, the challenger declares A to be either successful or not
- A breaks the assumption if her advantage is big compared to random guessing

34 Def: DL groups
Let G be a finite cyclic group of order q, and let g be its fixed generator (one can take any g, or a random g). Assume desc(G) contains a description of G, incl. g.

Game DL(G, A):
  gk ← desc(G)
  m ← ℤ_q
  h ← gᵐ
  m* ← A(gk, h)
  If m = m* return 1 else return 0

- Adv[DL(G, A)] := | Pr[DL(G, A) = 1] - 1 / q |
- A ε-breaks DL in G iff Adv[DL(G, A)] ≥ ε
- G is a (τ, ε)-DL group iff Adv[DL(G, A)] ≤ ε for all probabilistic polynomial-time adversaries A that take time ≤ τ
- G is a DL group iff it is a (poly(κ), negl(κ))-DL group
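The game above run in code, as an added example that is not part of the lecture: a challenger plays DL(G, A) against a random-guessing adversary (advantage 0) and against the generic baby-step-giant-step algorithm from slide 28, and Adv[DL(G, A)] is estimated over many runs. The toy group (p = 2039, q = 1019, g = 4) is constructed for this example and is nowhere near a secure size; all names are my own.

```python
# Added example, not from the slides: the DL(G, A) game of slide 34 played by a
# challenger against two adversaries, with Adv = |Pr[DL(G, A) = 1] - 1/q| estimated
# over many runs. Toy group (constructed, not a secure size): p = 2039, q = 1019 =
# (p-1)/2, and g = 4 generates the unique subgroup of order q in Z_p^*.
import math
import random

P, Q, G = 2039, 1019, 4
GK = (P, Q, G)          # desc(G): group description including the generator g

def dl_game(adversary, rng: random.Random) -> int:
    """Challenger: m <- Z_q, h <- g^m, m* <- A(gk, h); return 1 iff m* = m."""
    m = rng.randrange(Q)
    h = pow(G, m, P)
    return 1 if adversary(GK, h) == m else 0

def make_guesser(seed: int):
    """Adversary that guesses m uniformly: wins with probability exactly 1/q."""
    rng = random.Random(seed)
    return lambda gk, h: rng.randrange(gk[1])

def bsgs_adversary(gk, h):
    """Baby-step giant-step (slide 28): a generic algorithm using O(sqrt q)
    group operations and O(sqrt q) memory; on this toy group it always wins."""
    p, q, g = gk
    s = math.isqrt(q) + 1            # s*s >= q, so every m = i*s + j is covered
    baby = {}
    x = 1
    for j in range(s):               # baby steps: table of g^j for 0 <= j < s
        baby.setdefault(x, j)
        x = x * g % p
    giant = pow(g, (-s) % q, p)      # g^(-s)
    y = h
    for i in range(s):               # giant steps: y = h * g^(-i*s) = g^(m - i*s)
        if y in baby:
            return (i * s + baby[y]) % q
        y = y * giant % p
    return None                      # unreachable when h lies in <g>

def advantage(adversary, runs: int, seed: int) -> float:
    """Empirical Adv[DL(G, A)] = |Pr[win] - 1/q| over `runs` independent games."""
    rng = random.Random(seed)
    wins = sum(dl_game(adversary, rng) for _ in range(runs))
    return abs(wins / runs - 1 / Q)

if __name__ == "__main__":
    print("guessing adversary:", advantage(make_guesser(7), 5000, 1))
    print("BSGS adversary:    ", advantage(bsgs_adversary, 200, 1))
```

The guesser's empirical advantage hovers near 0, which is why the definition subtracts 1/q; BSGS wins every game, illustrating why |q| must be large enough that √q work is out of reach (the 2⁸⁰ figure on slide 30 comes from log q ≥ 160).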

35 Study outcomes
- Assumptions: motivation
- Some example assumptions, and why there are so many
- Discrete logarithm: basic idea, formal definition
