Discrete Logarithm Problems and RSA System: DL, CDH, DDH and One-Wayness, Study notes of Introduction to Sociology

These notes cover the discrete logarithm problem and its related problems, including computational Diffie-Hellman (CDH) and decisional Diffie-Hellman (DDH), in the context of number-theoretic primitives. They also introduce the RSA system, a popular public-key cryptography solution based on the RSA function, which is a permutation of the group Z*_N, describe how to generate RSA keys using an RSA generator, and discuss the one-wayness property of the RSA functions.

Typology: Study notes

Pre 2010

Uploaded on 03/28/2010

koofers-user-yi0

Chapter 10

Number-Theoretic Primitives

Number theory is a source of several computational problems that serve as primitives in the design of cryptographic schemes. Asymmetric cryptography in particular relies on these primitives. As with other beasts that we have been calling “primitives,” these computational problems exhibit some intractability features, but by themselves do not solve any cryptographic problem directly relevant to a user security goal. But appropriately applied, they become useful to this end. In order to later effectively exploit them it is useful to first spend some time understanding them. This understanding has two parts. The first is to provide precise definitions of the various problems and their measures of intractability. The second is to look at what is known or conjectured about the computational complexity of these problems.

There are two main classes of primitives. The first class relates to the discrete logarithm problem over appropriate groups, and the second to the factoring of composite integers. We look at them in turn.

This chapter assumes some knowledge of computational number theory as covered in the chapter on Computational Number Theory.

10.1 Discrete logarithm related problems

Let G be a cyclic group and let g be a generator of G. Recall this means that $G = \{g^0, g^1, \ldots, g^{m-1}\}$, where $m = |G|$ is the order of G. The discrete logarithm function $\mathrm{DLog}_{G,g} : G \to \mathbb{Z}_m$ takes input a group element a and returns the unique $i \in \mathbb{Z}_m$ such that $a = g^i$. There are several computational problems related to this function that are used as primitives.

10.1.1 Informal descriptions of the problems

The computational problems we consider in this setting are summarized in Fig. 10.1. In all cases, we are considering an attacker that knows the group G and the generator g. It is given the quantities listed in the column labeled “given,” and is trying to compute the quantities, or answer the question, listed in the column labeled “figure out.”

The most basic problem is the discrete logarithm (DL) problem. Informally stated, the attacker is given as input some group element X, and must compute $\mathrm{DLog}_{G,g}(X)$. This problem is conjectured to be computationally intractable in suitable groups G.

2 NUMBER-THEORETIC PRIMITIVES

Problem                              Given                Figure out
Discrete logarithm (DL)              $g^x$                $x$
Computational Diffie-Hellman (CDH)   $g^x, g^y$           $g^{xy}$
Decisional Diffie-Hellman (DDH)      $g^x, g^y, g^z$      Is $z \equiv xy \pmod{|G|}$?

Figure 10.1: An informal description of three discrete logarithm related problems over a cyclic group G with generator g. For each problem we indicate the input to the attacker, and what the attacker must figure out to “win.” The formal definitions are in the text.

One might imagine “encrypting” a message $x \in \mathbb{Z}_m$ by letting $g^x$ be the ciphertext. An adversary wanting to recover x is then faced with solving the discrete logarithm problem to do so. However, as a form of encryption, this has the disadvantage of being non-functional, because an intended recipient, namely the person to whom the sender is trying to communicate x, is faced with the same task as the adversary in attempting to recover x.

The Diffie-Hellman (DH) problems first appeared in the context of secret key exchange. Suppose two parties want to agree on a key which should remain unknown to an eavesdropping adversary. The first party picks $x \overset{\$}{\leftarrow} \mathbb{Z}_m$ and sends $X = g^x$ to the second party; the second party correspondingly picks $y \overset{\$}{\leftarrow} \mathbb{Z}_m$ and sends $Y = g^y$ to the first party. The quantity $g^{xy}$ is called the DH-key corresponding to X, Y. We note that

$$Y^x = g^{xy} = X^y. \tag{10.1}$$

Thus the first party, knowing Y, x, can compute the DH key, as can the second party, knowing X, y. The adversary sees X, Y, so to recover the DH-key the adversary must solve the Computational Diffie-Hellman (CDH) problem, namely compute $g^{xy}$ given $X = g^x$ and $Y = g^y$. Similarly, we will see later a simple asymmetric encryption scheme, based on Equation (10.1), where recovery of the encrypted message corresponds to solving the CDH problem.

The obvious route to solving the CDH problem is to try to compute the discrete logarithm of either X or Y and then use Equation (10.1) to obtain the DH key. However, there might be other routes that do not involve computing discrete logarithms, which is why CDH is singled out as a computational problem in its own right. This problem appears to be computationally intractable in a variety of groups.

We have seen before that security of a cryptographic scheme typically demands much more than merely the computational intractability of recovery of some underlying key. The computational intractability of the CDH problem turns out to be insufficient to guarantee the security of many schemes based on DH keys, including the secret key exchange protocol and encryption scheme mentioned above. The Decisional Diffie-Hellman (DDH) problem provides the adversary with a task that can be no harder, but possibly easier, than solving the CDH problem, namely to tell whether or not a given group element Z is the DH key corresponding to given group elements X, Y. This problem too appears to be computationally intractable in appropriate groups.

We now proceed to define the problems more formally. Having done that we will provide more specific discussions about their hardness in various different groups and their relations to each other.


10.1.4 The Decisional Diffie-Hellman problem

The formalization considers a “two worlds” setting. The adversary gets input X, Y, Z. In either world, X, Y are random group elements, but the manner in which Z is chosen depends on the world. In World 1, $Z = g^{xy}$ where $x = \mathrm{DLog}_{G,g}(X)$ and $y = \mathrm{DLog}_{G,g}(Y)$. In World 0, Z is chosen at random from the group, independently of X, Y. The adversary must decide in which world it is. (Notice that this is a little different from the informal description of Fig. 10.1 which said that the adversary is trying to determine whether or not $Z = g^{xy}$, because if by chance $Z = g^{xy}$ in World 0, we will declare the adversary unsuccessful if it answers 1.)

Definition 10.3 Let G be a cyclic group of order m, let g be a generator of G, let A be an algorithm that returns a bit, and let b be a bit. We consider the following experiments:

Experiment Exp^{ddh-1}_{G,g}(A)
    x ←$ Z_m ; y ←$ Z_m ; z ← xy mod m
    X ← g^x ; Y ← g^y ; Z ← g^z
    d ← A(X, Y, Z)
    Return d

Experiment Exp^{ddh-0}_{G,g}(A)
    x ←$ Z_m ; y ←$ Z_m ; z ←$ Z_m
    X ← g^x ; Y ← g^y ; Z ← g^z
    d ← A(X, Y, Z)
    Return d

The ddh-advantage of A is defined as

$$\mathbf{Adv}^{\mathrm{ddh}}_{G,g}(A) = \Pr\left[\mathbf{Exp}^{\mathrm{ddh}\text{-}1}_{G,g}(A) = 1\right] - \Pr\left[\mathbf{Exp}^{\mathrm{ddh}\text{-}0}_{G,g}(A) = 1\right].$$

Again, the DDH problem is said to be hard in G if the ddh-advantage of any adversary of reasonable resources is small, where the resource in question is the adversary’s time complexity.

10.1.5 Relations between the problems

Relative to a fixed group G and generator g for G, if you can solve the DL problem then you can solve the CDH problem, and if you can solve the CDH problem then you can solve the DDH problem. So if DL is easy then CDH is easy, and if CDH is easy then DDH is easy. Equivalently, if DDH is hard then CDH is hard, and if CDH is hard then DL is hard. We note that the converses of these statements are not known to be true. There are groups where DDH is easy, while CDH and DL appear to be hard. (We will see examples of such groups later.) Correspondingly, there could be groups where CDH is easy but DL is hard. The following Proposition provides the formal statement and proof corresponding to the above claim that if you can solve the DL problem then you can solve the CDH problem, and if you can solve the CDH problem then you can solve the DDH problem.

Proposition 10.4 Let G be a cyclic group and let g be a generator of G. Let Adl be an adversary (against the DL problem). Then there exists an adversary Acdh (against the CDH problem) such that

$$\mathbf{Adv}^{\mathrm{dl}}_{G,g}(A_{\mathrm{dl}}) \le \mathbf{Adv}^{\mathrm{cdh}}_{G,g}(A_{\mathrm{cdh}}). \tag{10.2}$$

Furthermore the running time of Acdh is that of Adl plus the time to do one exponentiation in G.

Bellare and Rogaway 5

Similarly let Acdh be an adversary (against the CDH problem). Then there exists an adversary Addh (against the DDH problem) such that

$$\mathbf{Adv}^{\mathrm{cdh}}_{G,g}(A_{\mathrm{cdh}}) \le \mathbf{Adv}^{\mathrm{ddh}}_{G,g}(A_{\mathrm{ddh}}) + \frac{1}{|G|}. \tag{10.3}$$

Furthermore the running time of Addh is the same as that of Acdh.

Proof of Proposition 10.4: Adversary Acdh works as follows:

Adversary Acdh(X, Y)
    x′ ← Adl(X)
    Z ← Y^{x′}
    Return Z

Let $x = \mathrm{DLog}_{G,g}(X)$ and $y = \mathrm{DLog}_{G,g}(Y)$. If Adl is successful then its output x′ equals x. In that case

$$Y^{x'} = Y^{x} = (g^y)^x = g^{yx} = g^{xy}$$

is the correct output for Acdh. This justifies Equation (10.2).

We now turn to the second inequality in the proposition. Adversary Addh works as follows:

Adversary Addh(X, Y, Z)
    Z′ ← Acdh(X, Y)
    If Z′ = Z then return 1 else return 0

We claim that

$$\Pr\left[\mathbf{Exp}^{\mathrm{ddh}\text{-}1}_{G,g}(A_{\mathrm{ddh}}) = 1\right] = \mathbf{Adv}^{\mathrm{cdh}}_{G,g}(A_{\mathrm{cdh}})$$

$$\Pr\left[\mathbf{Exp}^{\mathrm{ddh}\text{-}0}_{G,g}(A_{\mathrm{ddh}}) = 1\right] = \frac{1}{|G|}$$

which implies Equation (10.3). To justify the above, let $x = \mathrm{DLog}_{G,g}(X)$ and $y = \mathrm{DLog}_{G,g}(Y)$. If Acdh is successful then its output Z′ equals $g^{xy}$, so in World 1, Addh returns 1. On the other hand in World 0, Z is uniformly distributed over G and hence has probability 1/|G| of equalling Z′.
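The exchange of Equation (10.1), the two-worlds experiment of Definition 10.3 and the two reductions of Proposition 10.4, run as code. This is an added example, not code from the original notes. It uses a constructed toy group: the subgroup of prime order 509 inside Z*_1019 generated by 4 (1019 = 2·509 + 1 is a safe prime; 2 generates Z*_1019 and its square 4 generates the order-509 subgroup). The exhaustive-search DL adversary, the group parameters and the trial counts are assumptions made for the example and are only feasible because the group is tiny; they say nothing about real parameter sizes.

```python
"""DH exchange (Eq. 10.1), the DDH experiment (Def. 10.3) and the DL -> CDH -> DDH
reductions of Proposition 10.4, over a constructed toy group (added example)."""
import random

# Constructed toy parameters: P = 2Q + 1 is a safe prime, so <G> = <4> is the subgroup
# of prime order Q inside Z_P^*.  Far too small for real use; chosen so that an
# exhaustive-search DL adversary finishes instantly.
P = 1019
Q = 509
G = 4


def dh_exchange(rng):
    """One run of the exchange: returns (X, Y, key computed by party 1, key computed by party 2)."""
    x = rng.randrange(Q)          # party 1 picks x <-$ Z_Q and sends X = g^x
    X = pow(G, x, P)
    y = rng.randrange(Q)          # party 2 picks y <-$ Z_Q and sends Y = g^y
    Y = pow(G, y, P)
    # Equation (10.1): Y^x = g^{xy} = X^y, so both parties derive the same DH key.
    return X, Y, pow(Y, x, P), pow(X, y, P)


def dl_bruteforce(X):
    """A perfect DL adversary for the toy group: exhaustive search over Z_Q (cost O(|G|))."""
    for i in range(Q):
        if pow(G, i, P) == X:
            return i
    raise ValueError("X is not in the subgroup generated by G")


def cdh_from_dl(a_dl):
    """Proposition 10.4, first part: A_cdh(X, Y) = Y^{A_dl(X)}, one extra exponentiation."""
    def a_cdh(X, Y):
        return pow(Y, a_dl(X), P)
    return a_cdh


def ddh_from_cdh(a_cdh):
    """Proposition 10.4, second part: A_ddh(X, Y, Z) returns 1 iff A_cdh(X, Y) = Z."""
    def a_ddh(X, Y, Z):
        return 1 if a_cdh(X, Y) == Z else 0
    return a_ddh


def ddh_experiment(a_ddh, world, rng):
    """Exp^{ddh-world}_{G,g}(A_ddh): World 1 sets z = xy mod Q, World 0 picks z at random."""
    x, y = rng.randrange(Q), rng.randrange(Q)
    z = (x * y) % Q if world == 1 else rng.randrange(Q)
    return a_ddh(pow(G, x, P), pow(G, y, P), pow(G, z, P))


def ddh_advantage(a_ddh, trials, seed):
    """Monte-Carlo estimate of Adv^{ddh}_{G,g}(A_ddh) = Pr[World 1 -> 1] - Pr[World 0 -> 1]."""
    rng = random.Random(seed)
    p1 = sum(ddh_experiment(a_ddh, 1, rng) for _ in range(trials)) / trials
    p0 = sum(ddh_experiment(a_ddh, 0, rng) for _ in range(trials)) / trials
    return p1 - p0


if __name__ == "__main__":
    X, Y, k1, k2 = dh_exchange(random.Random(2024))
    print("both parties agree on the DH key:", k1 == k2)
    a_ddh = ddh_from_cdh(cdh_from_dl(dl_bruteforce))
    # A perfect DL adversary gives a perfect CDH adversary, so the estimated DDH
    # advantage is about 1 - 1/|G|: Equation (10.3) holds with equality here.
    print("estimated DDH advantage:", ddh_advantage(a_ddh, 200, 7))
```

The reduction functions never look inside the adversary they wrap, which is the whole point of Proposition 10.4: any DL solver, not just this exhaustive one, is turned into a CDH solver at the cost of one exponentiation, and any CDH solver into a DDH distinguisher at no extra cost.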

10.2 The choice of group

The computational complexity of the above problems depends of course on the choice of group G. (But not perceptibly on the choice of generator g.) The issues are the type of group, and also its size. Let us look at some possibilities.

10.2.1 General groups

For any “reasonable” group G, there is an algorithm that can solve the discrete logarithm problem in time $|G|^{1/2} \cdot O(|p|^3)$. (The exceptions are groups lacking succinct representations of group elements, and we will not encounter such groups here.) In thinking about this running time we neglect the $|p|^3$ factor since it is very small compared to $|G|^{1/2}$, so that we view this as a $O(|G|^{1/2})$ algorithm.


Proof of Proposition 10.5: The input to our adversary A is a triple X, Y, Z of group elements, and the adversary is trying to determine whether Z was chosen as $g^{xy}$ or as a random group element, where x, y are the discrete logarithms of X and Y, respectively. We know that if we know $J_p(g^x)$ and $J_p(g^y)$, we can predict $J_p(g^{xy})$. Our adversary’s strategy is to compute $J_p(g^x)$ and $J_p(g^y)$ and then see whether or not the challenge value Z has the Jacobi symbol value that $g^{xy}$ ought to have. In more detail, it works as follows:

Adversary A(X, Y, Z)
    If J_p(X) = 1 or J_p(Y) = 1 then s ← 1 else s ← −1
    If J_p(Z) = s then return 1 else return 0

We know that the Jacobi symbol can be computed via an exponentiation modulo p, which we know takes $O(|p|^3)$ time. Thus, the time-complexity of the above adversary is $O(|p|^3)$. We now claim that

$$\Pr\left[\mathbf{Exp}^{\mathrm{ddh}\text{-}1}_{G,g}(A) = 1\right] = 1$$

$$\Pr\left[\mathbf{Exp}^{\mathrm{ddh}\text{-}0}_{G,g}(A) = 1\right] = \frac{1}{2}$$

Subtracting, we get

$$\mathbf{Adv}^{\mathrm{ddh}}_{G,g}(A) = \Pr\left[\mathbf{Exp}^{\mathrm{ddh}\text{-}1}_{G,g}(A) = 1\right] - \Pr\left[\mathbf{Exp}^{\mathrm{ddh}\text{-}0}_{G,g}(A) = 1\right] = 1 - \frac{1}{2} = \frac{1}{2}$$

as desired. Let us now see why the two equations above are true.

Let $x = \mathrm{DLog}_{G,g}(X)$ and $y = \mathrm{DLog}_{G,g}(Y)$. We know that the value s computed by our adversary A equals $J_p(g^{xy} \bmod p)$. But in World 1, $Z = g^{xy} \bmod p$, so our adversary will always return 1. In World 0, Z is distributed uniformly over G, so

$$\Pr\left[J_p(Z) = 1\right] = \Pr\left[J_p(Z) = -1\right] = \frac{(p-1)/2}{p-1} = \frac{1}{2}.$$

Since s is distributed independently of Z, the probability that $J_p(Z) = s$ is 1/2.
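The adversary A from the proof above, run as code, as an added example that is not from the original notes. $J_p$ is computed by the exponentiation the proof mentions, and the two-worlds experiment is sampled many times to estimate the two probabilities. The example goes one step beyond the text: it also runs the same adversary in the prime-order subgroup of a safe prime, where every element is a square, and shows that its advantage collapses to 0, which is why implementations work in that subgroup rather than in all of Z*_p. The toy prime 1019 = 2·509 + 1, the generator search and the trial counts are assumptions made for the example.

```python
"""The Jacobi-symbol DDH distinguisher of Proposition 10.5 on Z_p^*, and the same
adversary on the prime-order subgroup where it no longer works (added example)."""
import random

# Constructed toy prime: P = 2Q + 1 with Q prime, far too small for real use.
P = 1019
Q = 509


def jacobi(a, p):
    """J_p(a) for prime p, via Euler's criterion a^((p-1)/2) mod p, as in the proof."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def find_generator(p, q):
    """Smallest generator of Z_p^* for a safe prime p = 2q + 1: g^2 != 1 and g^q != 1."""
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found")


def jacobi_adversary(X, Y, Z, p):
    """Adversary A(X, Y, Z) from the proof: predict J_p(g^{xy}) from J_p(X) and J_p(Y)."""
    s = 1 if (jacobi(X, p) == 1 or jacobi(Y, p) == 1) else -1
    return 1 if jacobi(Z, p) == s else 0


def ddh_experiment(g, m, p, world, rng):
    """Exp^{ddh-world}_{G,g}(A) for the group <g> of order m inside Z_p^*."""
    x, y = rng.randrange(m), rng.randrange(m)
    z = (x * y) % m if world == 1 else rng.randrange(m)
    return jacobi_adversary(pow(g, x, p), pow(g, y, p), pow(g, z, p), p)


def estimate(g, m, p, trials, seed):
    """Returns (Pr[World 1 -> 1], Pr[World 0 -> 1]) estimated over `trials` runs each."""
    rng = random.Random(seed)
    p1 = sum(ddh_experiment(g, m, p, 1, rng) for _ in range(trials)) / trials
    p0 = sum(ddh_experiment(g, m, p, 0, rng) for _ in range(trials)) / trials
    return p1, p0


def full_group_estimate(trials=2000, seed=1):
    """G = Z_P^* with generator g: World 1 is always accepted, World 0 half of the time."""
    g = find_generator(P, Q)
    return estimate(g, P - 1, P, trials, seed)


def subgroup_estimate(trials=2000, seed=1):
    """G = <g^2>, the order-Q subgroup: every element is a square, so J_p is always 1,
    s is always 1, and the adversary answers 1 in both worlds (advantage 0)."""
    g = find_generator(P, Q)
    return estimate(pow(g, 2, P), Q, P, trials, seed)


if __name__ == "__main__":
    p1, p0 = full_group_estimate()
    print(f"Z_p^*:     Pr[W1->1]={p1:.3f}  Pr[W0->1]={p0:.3f}  advantage={p1 - p0:.3f}")
    p1, p0 = subgroup_estimate()
    print(f"subgroup:  Pr[W1->1]={p1:.3f}  Pr[W0->1]={p0:.3f}  advantage={p1 - p0:.3f}")
```

In the full group the World 1 probability is exactly 1, not just close to it, because $J_p(g^{xy})$ is determined by the parities of x and y; the World 0 estimate hovers around 1/2 with the usual sampling noise.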

Now we consider the CDH and DL problems. It appears that the best approach to solving the CDH problem in $\mathbb{Z}_p^*$ is via the computation of discrete logarithms. (This has not been proved in general, but there are proofs for some special classes of primes.) Thus, the main question is how hard the computation of discrete logarithms is. This depends both on the size and structure of p. The currently best algorithm is the GNFS (General Number Field Sieve), which has a running time of the form

$$O\left(e^{(C + o(1)) \cdot \ln(p)^{1/3} \cdot (\ln \ln(p))^{2/3}}\right) \tag{10.4}$$

where C ≈ 1.92. For certain classes of primes, the value of C is even smaller. These algorithms are heuristic, in the sense that the run time bounds are not proven, but appear to hold in practice.

If the prime factorization of the order of the group is known, the discrete logarithm problem over the group can be decomposed into a set of discrete logarithm problems over subgroups. As a result, if $p - 1 = p_1^{\alpha_1} \cdots p_n^{\alpha_n}$ is the prime factorization of p − 1, then the discrete logarithm problem in $\mathbb{Z}_p^*$ can be solved in time on the order of

$$\sum_{i=1}^{n} \alpha_i \cdot \left(\sqrt{p_i} + |p|\right).$$


If we want the discrete logarithm problem in $\mathbb{Z}_p^*$ to be hard, this means that it must be the case that at least one of the prime factors $p_i$ of p − 1 is large enough that $\sqrt{p_i}$ is large. The prime factorization of p − 1 might be hard to compute given only p, but in fact we usually choose p in such a way that we know the prime factorization of p − 1, because it is this that gives us a way to find a generator of the group $\mathbb{Z}_p^*$, as discussed in the chapter on Computational Number Theory. So the above algorithm is quite relevant. From the above, if we want to make the DL problem in $\mathbb{Z}_p^*$ hard, it is necessary to choose p so that it is large and has at least one large prime factor. A common choice is p = sq + 1 where s ≥ 2 is some small integer (like s = 2) and q is a prime. In this case, p − 1 has the factor q, which is large.

Precise estimates of the size of a prime necessary to make a discrete logarithm algorithm infeasible are hard to make based on asymptotic running times of the form given above. Ultimately, what actual implementations can accomplish is the most useful data. In April 2001, it was announced that discrete logarithms had been computed modulo a 120 digit (i.e. about 400 bit) prime (Joux and Lercier, 2001). The computation took 10 weeks and was done on a 525MHz quadri-processor Digital Alpha Server 8400 computer. The prime p did not have any special structure that was exploited, and the algorithm used was the GNFS. A little earlier, discrete logarithms had been computed modulo a slightly larger prime, namely a 129 digit one, but this had a special structure that was exploited [1].

Faster discrete logarithm computation can come from many sources. One is exploiting parallelism and the paradigm of distributing work across available machines on the Internet. Another is algorithmic improvements. A reduction in the constant C of Equation (10.4) has important impact on the running time. A reduction in the exponents from 1/3, 2/3 to 1/4, 3/4 would have an even greater impact. There are also threats from hardware approaches such as the design of special purpose discrete logarithm computation devices. Finally, the discrete logarithm problem can probably be solved in polynomial time with a quantum computer. Whether a quantum computer can be built is not known. Predictions are hard to make. In choosing a prime p for cryptography over $\mathbb{Z}_p^*$, the security risks must be weighed against the increase in the cost of computations over $\mathbb{Z}_p^*$ as a function of the size of p.
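The decomposition described above, carried out in code as an added example that is not from the original notes: the discrete logarithm in Z*_p is reduced to one problem per prime-power factor of p − 1, each solved digit by digit in the subgroup of prime order with baby-step giant-step (the $\sqrt{p_i}$ term of the cost sum), and the residues are recombined with the Chinese remainder theorem. It also includes the check a defender actually wants when vetting parameters: factor p − 1 and report its largest prime factor, since that is what bounds the cost of this approach. The toy primes 1019 = 2·509 + 1, 2311 = 2·3·5·7·11 + 1 and 181 = 2²·3²·5 + 1 and the trial-division factoring are assumptions made for the example; they are small enough to compute by hand and say nothing about sizes needed in practice.

```python
"""Pohlig-Hellman decomposition of DL in Z_p^* with baby-step giant-step per subgroup,
plus the p - 1 factorization check that the text motivates (added example)."""
from math import isqrt


def factor(n):
    """Trial-division factorization, returns {prime: exponent}. Toy sizes only."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def largest_prime_factor(n):
    """The p_i with the largest sqrt(p_i) term in the cost sum: the one that must be big."""
    return max(factor(n))


def cost_estimate(p):
    """The text's bound sum_i alpha_i * (sqrt(p_i) + |p|) for Z_p^*, with |p| = bit length."""
    return sum(a * (isqrt(q) + p.bit_length()) for q, a in factor(p - 1).items())


def bsgs(g, h, order, p):
    """Baby-step giant-step in the subgroup <g> of the given order: x with g^x = h mod p.
    Cost O(sqrt(order)) group operations; this is the sqrt(p_i) term of the estimate."""
    m = isqrt(order) + 1
    baby = {}
    cur = 1
    for j in range(m):                     # baby steps: g^j for 0 <= j < m
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(g, -m, p)                  # g^{-m}
    cur = h
    for i in range(m + 1):                 # giant steps: h * g^{-im}
        if cur in baby:
            return (i * m + baby[cur]) % order
        cur = cur * giant % p
    raise ValueError("h is not in the subgroup generated by g")


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, big_m = 0, 1
    for r, n in zip(residues, moduli):
        t = (r - x) * pow(big_m, -1, n) % n
        x += big_m * t
        big_m *= n
    return x % big_m


def pohlig_hellman(g, h, p):
    """DLog_{Z_p^*, g}(h): solve in each subgroup of order q^a dividing p - 1, digit by digit
    in the order-q subgroup, then recombine the residues with the CRT."""
    m = p - 1
    residues, moduli = [], []
    for q, a in factor(m).items():
        qa = q ** a
        g_i = pow(g, m // qa, p)           # generator of the subgroup of order q^a
        h_i = pow(h, m // qa, p)
        gamma = pow(g, m // q, p)          # generator of the subgroup of order q
        x_i = 0
        for j in range(a):
            # Strip the digits found so far; what remains, raised to q^(a-1-j), is gamma^(d_j).
            t = pow(h_i * pow(g_i, -x_i, p) % p, q ** (a - 1 - j), p)
            x_i += bsgs(gamma, t, q, p) * q ** j
        residues.append(x_i)
        moduli.append(qa)
    return crt(residues, moduli)


def find_generator(p):
    """Smallest g generating Z_p^*: g^((p-1)/q) != 1 for every prime q dividing p - 1."""
    primes = factor(p - 1)
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in primes):
            return g
    raise ValueError("no generator found")
```

For 1019 the largest prime factor of p − 1 is 509 and the work is dominated by one baby-step giant-step of size about √509; for 2311 every factor of p − 1 is at most 11, so each subgroup problem is trivial regardless of how large p itself is. That contrast is the whole argument for the p = sq + 1 choice above.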

10.2.3 Other groups

In elliptic curve groups, the best known algorithm is the $O(\sqrt{|G|})$ one mentioned above. Thus, it is possible to use elliptic curve groups of smaller size than groups of integers modulo a prime for the same level of security, leading to improved efficiency for implementing discrete log based cryptosystems.

10.3 The RSA system

The RSA system is the basis of the most popular public-key cryptography solutions. Here we provide the basic mathematical and computational background that will be used later.

10.3.1 The basic mathematics

We begin with a piece of notation:


Definition 10.9 A modulus generator with associated security parameter k (where k ≥ 2 is an integer) is a randomized algorithm that takes no inputs and returns integers N, p, q satisfying:

  1. p, q are distinct, odd primes
  2. N = pq
  3. $2^{k-1} \le N < 2^k$ (i.e. N has bit-length k).

An RSA generator with associated security parameter k is a randomized algorithm that takes no inputs and returns a pair ((N, e), (N, p, q, d)) such that the three conditions above are true, and, in addition,

  4. $e, d \in \mathbb{Z}^*_{(p-1)(q-1)}$
  5. $ed \equiv 1 \pmod{(p-1)(q-1)}$

We call N an RSA modulus, or just modulus. We call e the encryption exponent and d the decryption exponent.

Note that (p − 1)(q − 1) = ϕ(N) is the size of the group $\mathbb{Z}_N^*$. So above, e, d are relatively prime to the order of the group $\mathbb{Z}_N^*$. As the above indicates, we are going to restrict attention to numbers N that are the product of two distinct odd primes. Condition (4) for the RSA generator translates to 1 ≤ e, d < (p − 1)(q − 1) and gcd(e, (p − 1)(q − 1)) = gcd(d, (p − 1)(q − 1)) = 1.

For parameter generation to be feasible, the generation algorithm must be efficient. There are many different possible efficient generators. We illustrate a few. In modulus generation, we usually pick the primes p, q at random, with each being about k/2 bits long. The corresponding modulus generator K$mod with associated security parameter k works as follows:

Algorithm K$mod
    ℓ_1 ← ⌊k/2⌋ ; ℓ_2 ← ⌈k/2⌉
    Repeat
        p ←$ {2^{ℓ_1 − 1}, ..., 2^{ℓ_1} − 1} ; q ←$ {2^{ℓ_2 − 1}, ..., 2^{ℓ_2} − 1}
    Until the following conditions are all true:
        • TEST-PRIME(p) = 1 and TEST-PRIME(q) = 1
        • p ≠ q
        • 2^{k−1} ≤ pq
    N ← pq
    Return (N, p, q)

Above, TEST-PRIME denotes an algorithm that takes input an integer and returns 1 or 0. It is designed so that, with high probability, the former happens when the input is prime and the latter when the input is composite.

Sometimes, we may want moduli that are products of primes having a special form, for example primes p, q such that (p − 1)/2 and (q − 1)/2 are both prime. This corresponds to a different modulus generator, which works as above but simply adds, to the list of conditions tested to exit the loop, the conditions TEST-PRIME((p − 1)/2) = 1 and TEST-PRIME((q − 1)/2) = 1. There are numerous other possible modulus generators too.

An RSA generator, in addition to N, p, q, needs to generate the exponents e, d. There are several options for this. One is to first choose N, p, q, then pick e at random subject to gcd(e, ϕ(N)) = 1, and compute d via the algorithm of Proposition 10.8. This random-exponent RSA generator, denoted K$rsa, is detailed below:

Algorithm K$rsa
    (N, p, q) ←$ K$mod
    M ← (p − 1)(q − 1)
    e ←$ Z*_M
    Compute d by running the algorithm of Proposition 10.8 on inputs M, e
    Return ((N, e), (N, p, q, d))

In order to speed up computation of $\mathrm{RSA}_{N,e}$, however, we often like e to be small. To enable this, we begin by setting e to some small prime number like 3, and then picking the other parameters appropriately. In particular we associate to any odd prime number e the following exponent-e RSA generator:

Algorithm K^e_rsa
    Repeat
        (N, p, q) ←$ K$mod
    Until
        • e < (p − 1) and e < (q − 1)
        • gcd(e, (p − 1)) = gcd(e, (q − 1)) = 1
    M ← (p − 1)(q − 1)
    Compute d by running the algorithm of Proposition 10.8 on inputs M, e
    Return ((N, e), (N, p, q, d))

10.3.3 One-wayness problems

The basic assumed security property of the RSA functions is one-wayness, meaning given N, e, y it is hard to compute $\mathrm{RSA}^{-1}_{N,e}(y)$. One must be careful to formalize this properly though. The formalization chooses y at random.

Definition 10.10 Let Krsa be an RSA generator with associated security parameter k, and let A be an algorithm. We consider the following experiment:

Experiment Exp^{ow-kea}_{Krsa}(A)
    ((N, e), (N, p, q, d)) ←$ Krsa
    x ←$ Z*_N ; y ← x^e mod N
    x′ ←$ A(N, e, y)
    If x′ = x then return 1 else return 0

The ow-kea-advantage of A is defined as

$$\mathbf{Adv}^{\mathrm{ow\text{-}kea}}_{K_{\mathrm{rsa}}}(A) = \Pr\left[\mathbf{Exp}^{\mathrm{ow\text{-}kea}}_{K_{\mathrm{rsa}}}(A) = 1\right].$$

Above, “kea” stands for “known-exponent attack.” We might also allow a chosen-exponent attack, abbreviated “cea,” in which, rather than having the encryption exponent specified by the instance of the problem, one allows the adversary to choose it. The only condition imposed is that the adversary not choose e = 1.

Bibliography

[1] T. Denny and D. Weber. The solution of McCurley’s discrete log challenge. Advances in Cryptology – CRYPTO ’98, Lecture Notes in Computer Science Vol. 1462, H. Krawczyk ed., Springer-Verlag, 1998.