These study notes cover the discrete logarithm problem and its related problems, the computational Diffie-Hellman (CDH) and decisional Diffie-Hellman (DDH) problems, as number-theoretic primitives. They also introduce the RSA system, the basis of the most popular public-key cryptography solutions, built on the RSA function, which is a permutation of the group Z^*_N, and describe how RSA keys are produced by an RSA generator and the one-wayness property assumed of the RSA functions.
Typology: Study notes
Number theory is a source of several computational problems that serve as primitives in the design of cryptographic schemes. Asymmetric cryptography in particular relies on these primitives. As with other beasts that we have been calling “primitives,” these computational problems exhibit some intractability features, but by themselves do not solve any cryptographic problem directly relevant to a user security goal. But appropriately applied, they become useful to this end. In order to later effectively exploit them it is useful to first spend some time understanding them. This understanding has two parts. The first is to provide precise definitions of the various problems and their measures of intractability. The second is to look at what is known or conjectured about the computational complexity of these problems. There are two main classes of primitives. The first class relates to the discrete logarithm problem over appropriate groups, and the second to the factoring of composite integers. We look at them in turn. This chapter assumes some knowledge of computational number theory as covered in the chapter on Computational Number Theory.
Let G be a cyclic group and let g be a generator of G. Recall this means that G = {g^0, g^1, ..., g^{m−1}}, where m = |G| is the order of G. The discrete logarithm function DLog_{G,g} : G → Z_m takes input a group element a and returns the unique i ∈ Z_m such that a = g^i. There are several computational problems related to this function that are used as primitives.
The computational problems we consider in this setting are summarized in Fig. 10.1. In all cases, we are considering an attacker that knows the group G and the generator g. It is given the quantities listed in the column labeled “given,” and is trying to compute the quantities, or answer the question, listed in the column labeled “figure out.” The most basic problem is the discrete logarithm (DL) problem. Informally stated, the attacker is given as input some group element X, and must compute DLog_{G,g}(X). This problem is conjectured to be computationally intractable in suitable groups G.
2 NUMBER-THEORETIC PRIMITIVES
Problem                              Given            Figure out
Discrete logarithm (DL)              g^x              x
Computational Diffie-Hellman (CDH)   g^x, g^y         g^{xy}
Decisional Diffie-Hellman (DDH)      g^x, g^y, g^z    Is z ≡ xy (mod |G|)?
Figure 10.1: An informal description of three discrete logarithm related problems over a cyclic group G with generator g. For each problem we indicate the input to the attacker, and what the attacker must figure out to “win.” The formal definitions are in the text.
One might imagine “encrypting” a message x ∈ Z_m by letting g^x be the ciphertext. An adversary wanting to recover x is then faced with solving the discrete logarithm problem to do so. However, as a form of encryption, this has the disadvantage of being non-functional, because an intended recipient, namely the person to whom the sender is trying to communicate x, is faced with the same task as the adversary in attempting to recover x.
The Diffie-Hellman (DH) problems first appeared in the context of secret key exchange. Suppose two parties want to agree on a key which should remain unknown to an eavesdropping adversary. The first party picks x ←$ Z_m and sends X = g^x to the second party; the second party correspondingly picks y ←$ Z_m and sends Y = g^y to the first party. The quantity g^{xy} is called the DH-key corresponding to X, Y. We note that
Y^x = g^{xy} = X^y. (10.1)
Thus the first party, knowing Y, x, can compute the DH key, as can the second party, knowing X, y. The adversary sees X, Y, so to recover the DH-key the adversary must solve the Computational Diffie-Hellman (CDH) problem, namely compute g^{xy} given X = g^x and Y = g^y. Similarly, we will see later a simple asymmetric encryption scheme, based on Equation (10.1), where recovery of the encrypted message corresponds to solving the CDH problem.
The obvious route to solving the CDH problem is to try to compute the discrete logarithm of either X or Y and then use Equation (10.1) to obtain the DH key. However, there might be other routes that do not involve computing discrete logarithms, which is why CDH is singled out as a computational problem in its own right. This problem appears to be computationally intractable in a variety of groups.
We have seen before that security of a cryptographic scheme typically demands much more than merely the computational intractability of recovery of some underlying key. The computational intractability of the CDH problem turns out to be insufficient to guarantee the security of many schemes based on DH keys, including the secret key exchange protocol and encryption scheme mentioned above. The Decisional Diffie-Hellman (DDH) problem provides the adversary with a task that can be no harder, but possibly easier, than solving the CDH problem, namely to tell whether or not a given group element Z is the DH key corresponding to given group elements X, Y. This problem too appears to be computationally intractable in appropriate groups.
We now proceed to define the problems more formally. Having done that we will provide more specific discussions about their hardness in various different groups and their relations to each other.
The formalization considers a “two worlds” setting. The adversary gets input X, Y, Z. In either world, X, Y are random group elements, but the manner in which Z is chosen depends on the world. In World 1, Z = g^{xy} where x = DLog_{G,g}(X) and y = DLog_{G,g}(Y). In World 0, Z is chosen at random from the group, independently of X, Y. The adversary must decide in which world it is. (Notice that this is a little different from the informal description of Fig. 10.1 which said that the adversary is trying to determine whether or not Z = g^{xy}, because if by chance Z = g^{xy} in World 0, we will declare the adversary unsuccessful if it answers 1.)
Definition 10.3 Let G be a cyclic group of order m, let g be a generator of G, let A be an algorithm that returns a bit, and let b be a bit. We consider the following experiments:
Experiment Exp^{ddh-1}_{G,g}(A)
  x ←$ Z_m ; y ←$ Z_m ; z ← xy mod m
  X ← g^x ; Y ← g^y ; Z ← g^z
  d ← A(X, Y, Z)
  Return d

Experiment Exp^{ddh-0}_{G,g}(A)
  x ←$ Z_m ; y ←$ Z_m ; z ←$ Z_m
  X ← g^x ; Y ← g^y ; Z ← g^z
  d ← A(X, Y, Z)
  Return d

The ddh-advantage of A is defined as
Adv^{ddh}_{G,g}(A) = Pr[Exp^{ddh-1}_{G,g}(A) = 1] − Pr[Exp^{ddh-0}_{G,g}(A) = 1].
Again, the DDH problem is said to be hard in G if the ddh-advantage of any adversary of reasonable resources is small, where the resource in question is the adversary’s time complexity.
Relative to a fixed group G and generator g for G, if you can solve the DL problem then you can solve the CDH problem, and if you can solve the CDH problem then you can solve the DDH problem. So if DL is easy then CDH is easy, and if CDH is easy then DDH is easy. Equivalently, if DDH is hard then CDH is hard, and if CDH is hard then DL is hard. We note that the converses of these statements are not known to be true. There are groups where DDH is easy, while CDH and DL appear to be hard. (We will see examples of such groups later.) Correspondingly, there could be groups where CDH is easy but DL is hard. The following Proposition provides the formal statement and proof corresponding to the above claim that if you can solve the DL problem then you can solve the CDH problem, and if you can solve the CDH problem then you can solve the DDH problem.
Proposition 10.4 Let G be a cyclic group and let g be a generator of G. Let A_dl be an adversary (against the DL problem). Then there exists an adversary A_cdh (against the CDH problem) such that
Adv^{dl}_{G,g}(A_dl) ≤ Adv^{cdh}_{G,g}(A_cdh). (10.2)
Bellare and Rogaway 5
Furthermore the running time of A_cdh is that of A_dl plus the time to do one exponentiation in G. Similarly let A_cdh be an adversary (against the CDH problem). Then there exists an adversary A_ddh (against the DDH problem) such that
Adv^{cdh}_{G,g}(A_cdh) ≤ Adv^{ddh}_{G,g}(A_ddh) + 1/|G|. (10.3)
Furthermore the running time of A_ddh is the same as that of A_cdh.
Proof of Proposition 10.4: Adversary A_cdh works as follows:
Adversary A_cdh(X, Y)
  x' ← A_dl(X)
  Z ← Y^{x'}
  Return Z
Let x = DLog_{G,g}(X) and y = DLog_{G,g}(Y). If A_dl is successful then its output x' equals x. In that case
Y^{x'} = Y^x = (g^y)^x = g^{yx} = g^{xy}
is the correct output for A_cdh. This justifies Equation (10.2).
We now turn to the second inequality in the proposition. Adversary A_ddh works as follows:
Adversary A_ddh(X, Y, Z)
  Z' ← A_cdh(X, Y)
  If Z' = Z then return 1 else return 0
We claim that
Pr[Exp^{ddh-1}_{G,g}(A_ddh) = 1] = Adv^{cdh}_{G,g}(A_cdh)
Pr[Exp^{ddh-0}_{G,g}(A_ddh) = 1] = 1/|G|
which implies Equation (10.3). To justify the above, let x = DLog_{G,g}(X) and y = DLog_{G,g}(Y). If A_cdh is successful then its output Z' equals g^{xy}, so in World 1, A_ddh returns 1 exactly when A_cdh succeeds. On the other hand in World 0, Z is uniformly distributed over G and hence has probability 1/|G| of equalling Z'.
The computational complexity of the above problems depends of course on the choice of group G. (But not perceptibly on the choice of generator g.) The issues are the type of group, and also its size. Let us look at some possibilities.
For any “reasonable” group G, there is an algorithm that can solve the discrete logarithm problem in time |G|^{1/2} · O(|p|^3). (The exceptions are groups lacking succinct representations of group elements, and we will not encounter such groups here.) In thinking about this running time we neglect the |p|^3 factor since it is very small compared to |G|^{1/2}, so that we view this as an O(|G|^{1/2}) algorithm.
Proof of Proposition 10.5: The input to our adversary A is a triple X, Y, Z of group elements, and the adversary is trying to determine whether Z was chosen as g^{xy} or as a random group element, where x, y are the discrete logarithms of X and Y, respectively. We know that if we know J_p(g^x) and J_p(g^y), we can predict J_p(g^{xy}). Our adversary’s strategy is to compute J_p(g^x) and J_p(g^y) and then see whether or not the challenge value Z has the Jacobi symbol value that g^{xy} ought to have. In more detail, it works as follows:
Adversary A(X, Y, Z)
  If J_p(X) = 1 or J_p(Y) = 1 then s ← 1 else s ← −1
  If J_p(Z) = s then return 1 else return 0
We know that the Jacobi symbol can be computed via an exponentiation modulo p, which we know takes O(|p|^3) time. Thus, the time-complexity of the above adversary is O(|p|^3). We now claim that
Pr[Exp^{ddh-1}_{G,g}(A) = 1] = 1
Pr[Exp^{ddh-0}_{G,g}(A) = 1] = 1/2
Subtracting, we get
Adv^{ddh}_{G,g}(A) = Pr[Exp^{ddh-1}_{G,g}(A) = 1] − Pr[Exp^{ddh-0}_{G,g}(A) = 1] = 1 − 1/2 = 1/2
as desired. Let us now see why the two equations above are true.
Let x = DLog_{G,g}(X) and y = DLog_{G,g}(Y). We know that the value s computed by our adversary A equals J_p(g^{xy} mod p). But in World 1, Z = g^{xy} mod p, so our adversary will always return 1. In World 0, Z is distributed uniformly over G, so
Pr[J_p(Z) = 1] = Pr[J_p(Z) = −1] = ((p − 1)/2) / (p − 1) = 1/2.
Since s is distributed independently of Z, the probability that Jp(Z) = s is 1/2.
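The experiments of Definition 10.3 and the adversary from the proof of Proposition 10.5, as an added Python example (not code from the notes): G = Z_p^* with the constructed parameters p = 23 and generator g = 5, J_p computed by Euler's criterion, and the advantage evaluated exactly by enumerating every (x, y, z) rather than by sampling.

```python
# Added example (not from the Bellare-Rogaway notes): the DDH experiments of
# Definition 10.3 in G = Z_p^* and the Jacobi-symbol adversary of Proposition
# 10.5.  For a generator g of Z_p^*, J_p(g^i) = (-1)^i, so the parity of xy,
# and hence J_p(g^xy), is visible from J_p(X) and J_p(Y) alone.
# Constructed parameters: p = 23, g = 5 (5 has order 22 mod 23).
import random

def jacobi(a, p):
    """Jacobi (here Legendre) symbol J_p(a) for an odd prime p, via Euler's criterion."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r          # r is 1 or p-1 for a in Z_p^*

def ddh_adversary(X, Y, Z, p):
    """Adversary A of Proposition 10.5: predict J_p(g^xy) from J_p(X), J_p(Y)."""
    s = 1 if (jacobi(X, p) == 1 or jacobi(Y, p) == 1) else -1
    return 1 if jacobi(Z, p) == s else 0

def exp_ddh(world, A, p, g, rng=random):
    """Exp^{ddh-b}_{G,g}(A): World 1 sets Z = g^xy, World 0 picks Z uniformly."""
    m = p - 1                                # order of G = Z_p^*
    x, y = rng.randrange(m), rng.randrange(m)
    z = (x * y) % m if world == 1 else rng.randrange(m)
    return A(pow(g, x, p), pow(g, y, p), pow(g, z, p), p)

def exact_advantage(A, p, g):
    """Adv^{ddh}_{G,g}(A) computed exactly over all (x, y, z) instead of by sampling."""
    m = p - 1
    ones_w1 = ones_w0 = 0
    for x in range(m):
        X = pow(g, x, p)
        for y in range(m):
            Y = pow(g, y, p)
            ones_w1 += A(X, Y, pow(g, x * y % m, p), p)   # World 1 instance
            for z in range(m):                           # all World 0 instances
                ones_w0 += A(X, Y, pow(g, z, p), p)
    pr1 = ones_w1 / (m * m)
    pr0 = ones_w0 / (m * m * m)
    return pr1, pr0, pr1 - pr0               # expect (1.0, 0.5, 0.5)
```

The exact enumeration confirms the two claimed probabilities, 1 in World 1 and 1/2 in World 0, rather than estimating them.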
Now we consider the CDH and DL problems. It appears that the best approach to solving the CDH problem in Z^*_p is via the computation of discrete logarithms. (This has not been proved in general, but there are proofs for some special classes of primes.) Thus, the main question is how hard is the computation of discrete logarithms. This depends both on the size and structure of p. The currently best algorithm is the GNFS (General Number Field Sieve), which has a running time of the form
O(e^{(C + o(1)) · ln(p)^{1/3} · (ln ln(p))^{2/3}}) (10.4)
where C ≈ 1.92. For certain classes of primes, the value of C is even smaller. These algorithms are heuristic, in the sense that the run time bounds are not proven, but appear to hold in practice. If the prime factorization of the order of the group is known, the discrete logarithm problem over the group can be decomposed into a set of discrete logarithm problems over subgroups. As a result, if p − 1 = p_1^{α_1} ··· p_n^{α_n} is the prime factorization of p − 1, then the discrete logarithm problem in Z^*_p can be solved in time on the order of
∑_{i=1}^{n} α_i · (√p_i + |p|).
If we want the discrete logarithm problem in Z^*_p to be hard, this means that it must be the case that at least one of the prime factors p_i of p − 1 is large enough that √p_i is large. The prime factorization of p − 1 might be hard to compute given only p, but in fact we usually choose p in such a way that we know the prime factorization of p − 1, because it is this that gives us a way to find a generator of the group Z^*_p, as discussed in the chapter on Computational Number Theory. So the above algorithm is quite relevant. From the above, if we want to make the DL problem in Z^*_p hard, it is necessary to choose p so that it is large and has at least one large prime factor. A common choice is p = sq + 1 where s ≥ 2 is some small integer (like s = 2) and q is a prime. In this case, p − 1 has the factor q, which is large.

Precise estimates of the size of a prime necessary to make a discrete logarithm algorithm infeasible are hard to make based on asymptotic running times of the form given above. Ultimately, what actual implementations can accomplish is the most useful data. In April 2001, it was announced that discrete logarithms had been computed modulo a 120 digit (i.e. about 400 bit) prime (Joux and Lercier, 2001). The computation took 10 weeks and was done on a 525MHz quadri-processor Digital Alpha Server 8400 computer. The prime p did not have any special structure that was exploited, and the algorithm used was the GNFS. A little earlier, discrete logarithms had been computed modulo a slightly larger prime, namely a 129 digit one, but this had a special structure that was exploited [1].

Faster discrete logarithm computation can come from many sources. One is exploiting parallelism and the paradigm of distributing work across available machines on the Internet. Another is algorithmic improvements. A reduction in the constant C of Equation (10.4) has important impact on the running time. A reduction in the exponents from 1/3, 2/3 to 1/4, 3/4 would have an even greater impact. There are also threats from hardware approaches such as the design of special purpose discrete logarithm computation devices.
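An added Python example (not from the notes) of the decomposition behind the bound ∑ α_i · (√p_i + |p|): the Pohlig-Hellman reduction of DLog in Z_p^* to discrete logs in the prime-order subgroups of p − 1, each solved by baby-step giant-step in about √p_i group operations, then recombined by the Chinese Remainder Theorem. It runs on the constructed prime p = 8101, whose p − 1 = 2^2·3^4·5^2 is smooth, which is exactly the situation the choice p = sq + 1 with large prime q is meant to avoid.

```python
# Added example (not from the Bellare-Rogaway notes): Pohlig-Hellman over
# Z_p^* when the factorization p-1 = prod p_i^{alpha_i} is known.  Each prime
# power is handled digit by digit with baby-step giant-step in the subgroup of
# order p_i, so the cost is governed by the largest sqrt(p_i), not by p.
# Constructed parameters: p = 8101 (prime), p-1 = 8100 = 2^2 * 3^4 * 5^2.
from math import isqrt

def trial_factor(n):
    """Prime factorization {p_i: alpha_i} by trial division (demo-sized n only)."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def find_generator(p, factors):
    """Smallest g with g^((p-1)/q) != 1 for every prime q | p-1, i.e. ord(g) = p-1."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in factors):
            return g
    raise ValueError("no generator found")

def bsgs(g, h, p, n):
    """Baby-step giant-step: x in [0, n) with g^x = h (mod p), given ord(g) divides n."""
    m = isqrt(n) + 1
    baby = {pow(g, j, p): j for j in range(m)}     # g^j for 0 <= j < m
    giant = pow(g, -m, p)                           # g^{-m} (modular inverse power)
    y = h
    for i in range(m):                              # h * g^{-im} lands on some baby step
        if y in baby:
            return (i * m + baby[y]) % n
        y = (y * giant) % p
    raise ValueError("h is not in the subgroup generated by g")

def pohlig_hellman(g, h, p, factors):
    """DLog_{Z_p^*, g}(h) for a generator g, using the factorization of p-1."""
    n = p - 1
    residues = []                      # (x mod q^e, q^e) for each prime power q^e || p-1
    for q, e in factors.items():
        qe, x_q, gamma = q ** e, 0, pow(g, n // q, p)   # gamma has order exactly q
        for k in range(e):             # lift x mod q^k to x mod q^{k+1}, one base-q digit
            hk = pow(h * pow(g, -x_q, p), n // (q ** (k + 1)), p)   # = gamma^{digit k}
            x_q += bsgs(gamma, hk, p, q) * q ** k
        residues.append((x_q, qe))
    x, mod = 0, 1                      # Chinese Remainder recombination
    for r, m in residues:
        t = ((r - x) * pow(mod, -1, m)) % m
        x, mod = x + mod * t, mod * m
    return x % n
```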
Finally, the discrete logarithm problem can probably be solved in polynomial time with a quantum computer. Whether a quantum computer can be built is not known. Predictions are hard to make. In choosing a prime p for cryptography over Z^*_p, the security risks must be weighed against the increase in the cost of computations over Z^*_p as a function of the size of p.
In elliptic curve groups, the best known algorithm is the O(√|G|) one mentioned above. Thus, it is possible to use elliptic curve groups of smaller size than groups of integers modulo a prime for the same level of security, leading to improved efficiency for implementing discrete log based cryptosystems.
The RSA system is the basis of the most popular public-key cryptography solutions. Here we provide the basic mathematical and computational background that will be used later.
We begin with a piece of notation:
Definition 10.9 A modulus generator with associated security parameter k (where k ≥ 2 is an integer) is a randomized algorithm that takes no inputs and returns integers N, p, q satisfying:
An RSA generator with associated security parameter k is a randomized algorithm that takes no inputs and returns a pair ((N, e), (N, p, q, d)) such that the three conditions above are true, and, in addition,
We call N an RSA modulus, or just modulus. We call e the encryption exponent and d the decryption exponent.
Note that (p − 1)(q − 1) = ϕ(N) is the size of the group Z^*_N. So above, e, d are relatively prime to the order of the group Z^*_N. As the above indicates, we are going to restrict attention to numbers N that are the product of two distinct odd primes. Condition (4) for the RSA generator translates to 1 ≤ e, d < (p − 1)(q − 1) and gcd(e, (p − 1)(q − 1)) = gcd(d, (p − 1)(q − 1)) = 1. For parameter generation to be feasible, the generation algorithm must be efficient. There are many different possible efficient generators. We illustrate a few. In modulus generation, we usually pick the primes p, q at random, with each being about k/2 bits long. The corresponding modulus generator K^$_mod with associated security parameter k works as follows:
Algorithm K^$_mod
  ℓ_1 ← ⌊k/2⌋ ; ℓ_2 ← ⌈k/2⌉
  Repeat
    p ←$ {2^{ℓ_1 − 1}, ..., 2^{ℓ_1} − 1} ; q ←$ {2^{ℓ_2 − 1}, ..., 2^{ℓ_2} − 1}
  Until the following conditions are all true:
Above, TEST-PRIME denotes an algorithm that takes input an integer and returns 1 or 0. It is designed so that, with high probability, the former happens when the input is prime and the latter when the input is composite. Sometimes, we may want moduli that are the product of primes having a special form, for example primes p, q such that (p − 1)/2 and (q − 1)/2 are both prime. This corresponds to a different modulus generator, which works as above but simply adds, to the list of conditions tested to exit the loop, the conditions TEST-PRIME((p − 1)/2) = 1 and TEST-PRIME((q − 1)/2) = 1. There are numerous other possible modulus generators too. An RSA generator, in addition to N, p, q, needs to generate the exponents e, d. There are several options for this. One is to first choose N, p, q, then pick e at random subject to gcd(e, ϕ(N)) = 1, and compute d via the algorithm of Proposition 10.8. This random-exponent RSA generator, denoted K^$_rsa, is detailed below:
Algorithm K^$_rsa
  (N, p, q) ←$ K^$_mod
  M ← (p − 1)(q − 1)
  e ←$ Z^*_M
  Compute d by running the algorithm of Proposition 10.8 on inputs M, e
  Return ((N, e), (N, p, q, d))
In order to speed up computation of RSA_{N,e}, however, we often like e to be small. To enable this, we begin by setting e to some small prime number like 3, and then picking the other parameters appropriately. In particular we associate to any odd prime number e the following exponent-e RSA generator:
Algorithm K^e_rsa
  Repeat
    (N, p, q) ←$ K^$_mod(k)
  Until
The basic assumed security property of the RSA functions is one-wayness, meaning given N, e, y it is hard to compute RSA^{−1}_{N,e}(y). One must be careful to formalize this properly though. The formalization chooses y at random.
Definition 10.10 Let Krsa be an RSA generator with associated security parameter k, and let A be an algorithm. We consider the following experiment:
Experiment Exp^{ow-kea}_{K_rsa}(A)
  ((N, e), (N, p, q, d)) ←$ K_rsa
  x ←$ Z^*_N ; y ← x^e mod N
  x' ←$ A(N, e, y)
  If x' = x then return 1 else return 0
The ow-kea-advantage of A is defined as
Adv^{ow-kea}_{K_rsa}(A) = Pr[Exp^{ow-kea}_{K_rsa}(A) = 1].
Above, “kea” stands for “known-exponent attack.” We might also allow a chosen-exponent attack, abbreviated “cea,” in which, rather than having the encryption exponent specified by the instance of the problem, one allows the adversary to choose it. The only condition imposed is that the adversary not choose e = 1.
[1] T. Denny and D. Weber. The solution of McCurley’s discrete log challenge. Advances in Cryptology – CRYPTO ’98, Lecture Notes in Computer Science Vol. 1462, H. Krawczyk ed., Springer-Verlag, 1998.