Presentation is loading. Please wait.

Presentation is loading. Please wait.

On the Notion of Pseudo-Free Groups Ronald L. Rivest MIT Computer Science and Artificial Intelligence Laboratory TCC 2/21/2004.

Published byOphelia Ross Modified over 8 years ago

Similar presentations

Presentation on theme: "On the Notion of Pseudo-Free Groups Ronald L. Rivest MIT Computer Science and Artificial Intelligence Laboratory TCC 2/21/2004."— Presentation transcript:

1 On the Notion of Pseudo-Free Groups Ronald L. Rivest MIT Computer Science and Artificial Intelligence Laboratory TCC 2/21/2004

2 Outline u Assumptions: complexity-theoretic, group- theoretic u Groups: Math, Computational, BB, Free u Weak pseudo-free groups u Equations over groups and free groups u Pseudo-free groups u Implications of pseudo-freeness u Open problems

3 Cryptographic assumptions u Computational cryptography depends on complexity-theoretic assumptions. u  two types: –Generic: OWF, TDP, P!=NP,... –Algebraic: Factoring, RSA, DLP, DH, Strong RSA, ECDLP, GAP, WPFG, PFG, … u We’re interested in algebraic assumptions ( about groups )

4 Groups u Familiar algebraic structure in crypto. u Mathematical group G = (S,*): binary operation * defined on (finite) set S: associative, identity, inverses, perhaps abelian. Example: Z n * (running example). u Computational group [G] implements a mathematical group G. Each element x in G has one or more representations [x] in [G]. E.g. [Z n * ] via least positive residues. u Black-box group: pretend [G] = G.

5 Free Groups u Generators: a 1, a 2, …, a t u Symbols: generators and their inverses. u Elements of free group F(a 1, a 2, …, a t ) are reduced finite sequences of symbols---no symbol is next to its inverse. ab -1 a -1 bc is in F(a,b,c) ; abb -1 is not. u Group operation: concatenation & reduction. u Identity: empty sequence ε (or 1).

6 Free Group Properties u Free group is infinite. u In a free group, every element other than the identity has infinite order. u Free group has no nontrivial relationships. u Reasoning in a free group is relatively straightforward and simple;  “Dolev-Yao” for groups… u Every group is homomorphic image of a free group.

7 Abelian Free Groups u There is also abelian free group FA(a 1, a 2, …, a t ), which is isomorphic to Z x Z x … x Z (t times). u Elements of FA(a 1, a 2, …, a t ) have simple canonical form: a 1 e 1 a 2 e 2 …a t e t u We will often omit specifying abelian; most of our definitions have abelian and non- abelian versions.

8 Pseudo-Free Groups (Informal) u “A finite group is pseudo-free if it can not be efficiently distinguished from a free group.” u Notion first expressed, in simple form, in Susan Hohenberger’s M.S. thesis. u We give two formalizations, and show that assumption of pseudo-freeness implies many other well-known assumptions.

9 1 a a a a a a a b b b b b b b 1 a a a b b b b a a a b b Cayley graph of finite group Cayley graph of free group

10 Two ways of distinguishing u In a weak pseudo-free group (WPFG), adversary can’t find any nontrivial identity involving supplied random elements: a 2 b 5 c -1 = 1 (!) u In a (strong) pseudo-free group (PFG), adversary can’t solve nontrivial equations: x 2 = a 3 b

11 Weak Pseudo-freeness u A family of computational groups { G k } is weakly pseudo-free if for any polynomial t(k) a PPT adversary has negl(k) chance of: –Accepting t(k) random elements of G k, a 1, …,a t(k) –Producing any word w over the symbols a 1, …,a t(k) a 1 -1, …,a t(k) -1 when interpreted as a product in G k using the obtained random values, yields the identity 1, while w does not yield 1 in the free group. –Adversary may use compact notion (exponents, straight-line programs) when describing w.

12 Order problem u Theorem: In a WPFG, finding the order of a randomly chosen element is hard. u Proof: The equation a e = 1 does not hold for any e in FA(a). No element other than 1 in a free group has finite order.

13 Discrete logarithm problem u Theorem: In a WPFG, DLP is hard. u Proof: The equation a e = b does not hold for any e in FA(a,b); a and b are distinct independent generators, one can not be power of other.

14 Subgroups of PFG’s u Subgroup Theorem for WPFG’s: If G is a WPFG, and g is chosen at random from G, then is a WPFG. [not in paper] u Proof sketch: Ability to find nontrivial identities in can be shown to imply that g has finite order. u ==> DLP is hard in WPFG even if we enforce “promise” that b is a (random) power of a. u Similar proof implies that QR n is WPFG when n = (2p’+1)(2q’+1).

15 Equations in Groups u Let x, y, … denote variables in group. u Consider the equation x 2 = a (*) This equation may be satisfiable in Z n * (when a is in QR n ), but this equation is never satisfiable in a free group, since reduced form of x 2 always has even length. u Exhibiting a solution to (*) in a group G is another way to demonstrate that G is not a free group.

16 Equations in Free Groups u Can always be put into form: w = 1 where w is sequence over symbols of group and variables. u It is decidable (Makanin ’82) in PSPACE (Gutierrez ’00) whether an equation is satisfiable in free group. u Multiple equations equivalent to single one. u For abelian free group it is in P. Also: if equation is unsatisfiable in FA() it is unsatisfiable in F().

17 Pseudo-freeness u A family of computational groups { G k } is pseudo-free if for any poly’s t(k), m(k) a PPT adversary has negl(k) chance of: –Accepting t(k) random elements of G k, –Producing any equation E(a 1,…,a t(k),x 1,…,x m(k) ): w = 1 with t(k) generator symbols and m(k) variables that is unsatisfiable over F(a 1,…,a t(k) ) –Producing a solution to E over G k, with given random elements substituted for generators.

18 Main conjecture u Conjecture: { Z n * } is a (strong) (abelian) pseudo-free group u aka “Super-strong RSA conjecture” u What are implications of PFG assumption?

19 RSA and Strong RSA u Theorem: In a PFG, RSA assumption and Strong RSA assumptions hold. u Proof: For e>1 the equation x e = a is not satisfiable in FA(a) (and also thus not in F(a)).

20 Taking square roots u Theorem: In a PFG, taking square roots of randomly chosen elements is hard. u Proof: As noted earlier, the equation x 2 = a(*) has no solution in FA(a) or F(a). u Note the importance of forcing adversary to solve (*) for a random a; it wouldn’t do to allow him to take square root of, say, 4.

21 Computational Diffie-Hellman  u CDH: Given g, a = g e, and b = g f, computing x = g ef is hard. u Conjecture: CDH holds in a PFG. u Remark: This seems natural, since in a free group there is no element (other than 1) that is simultaneously a power of more than one generator. Yet the adversary merely needs to output x; there is no equation involving x that he must output.

22 Open problems u Show factoring implies Z n * is PFG. u Show CDH holds in PFG’s. u Show utility of PFG theory by simplifying known security proofs. u Determine is satisfiability of equation over free group is decidable when variables include exponents. u Extend theory to groups of known size (e.g. mod p), and adaptive attacks (adversary can get solution to some equations of his choice for free).

23 ( THE END ) Safe travels!

Download ppt "On the Notion of Pseudo-Free Groups Ronald L. Rivest MIT Computer Science and Artificial Intelligence Laboratory TCC 2/21/2004."

Similar presentations

ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.

ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.
Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
Mathematics of Cryptography Part II: Algebraic Structures

Mathematics of Cryptography Part II: Algebraic Structures
Cryptography and Network Security

Cryptography and Network Security
Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)

Primality Testing Patrick Lee 12 July 2003 (updated on 13 July 2003)
Math 3121 Abstract Algebra I

Math 3121 Abstract Algebra I
Algebraic Structures: Group Theory II

Algebraic Structures: Group Theory II
Algebraic Structures DEFINITIONS: PROPERTIES OF BINARY OPERATIONS Let S be a set and let  denote a binary operation on S. (Here  does not necessarily.

Algebraic Structures DEFINITIONS: PROPERTIES OF BINARY OPERATIONS Let S be a set and let  denote a binary operation on S. (Here  does not necessarily.
1.  Detailed Study of groups is a fundamental concept in the study of abstract algebra. To define the notion of groups,we require the concept of binary.

1.  Detailed Study of groups is a fundamental concept in the study of abstract algebra. To define the notion of groups,we require the concept of binary.
7. Asymmetric encryption-

7. Asymmetric encryption-
1 Undecidability Andreas Klappenecker [based on slides by Prof. Welch]

1 Undecidability Andreas Klappenecker [based on slides by Prof. Welch]
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.

CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.
CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.

CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.
1 Undecidability Andreas Klappenecker [based on slides by Prof. Welch]

1 Undecidability Andreas Klappenecker [based on slides by Prof. Welch]
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Introduction Polynomials

Introduction Polynomials
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Similar presentations

Ads by Google