\documentclass[11pt]{article}
\usepackage{amssymb,amsmath,amsthm,url}
\usepackage{graphicx}
%uncomment to get hyperlinks
%\usepackage{hyperref}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%Some macros (you can ignore everything until "end of macros")
\def\class{0}
\topmargin 0pt \advance \topmargin by -\headheight \advance
\topmargin by -\headsep
\textheight 8.9in
\oddsidemargin 0pt \evensidemargin \oddsidemargin \marginparwidth
0.5in
\textwidth 6.5in
%%%%%%
\newcommand{\floor}[1]{\lfloor #1 \rfloor}
\newcommand{\getsr}{\gets_{\mbox{\tiny R}}}
\newcommand{\bits}{\{0,1\}}
\newcommand{\Ex}{\mathbb{E}}
\newcommand{\To}{\rightarrow}
\newcommand{\e}{\epsilon}
\newcommand{\R}{\mathbb{R}}
\newcommand{\N}{\mathbb{N}}
\newcommand{\Z}{\mathbb{Z}}
\newcommand{\maxpr}{\text{\rm max-pr}}
\newenvironment{summary}{\begin{quote}\textbf{Summary.}}{\end{quote}}
\newtheorem{theorem}{Theorem}
\newtheorem{axiom}{Axiom}
\newtheorem{lemma}{Lemma}
\newtheorem{claim}{Claim}[theorem]
\theoremstyle{definition}
\newtheorem{exercise}{Exercise}
\newtheorem{definition}{Definition}
\newcommand{\sstart}{\triangleright}
\newcommand{\send}{\triangleleft}
\newcommand{\cclass}[1]{\mathbf{#1}}
\renewcommand{\P}{\cclass{P}}
\newcommand{\NP}{\cclass{NP}}
\newcommand{\Time}{\cclass{Time}}
\newcommand{\BPP}{\cclass{BPP}}
\newcommand{\Size}{\cclass{Size}}
\newcommand{\Ppoly}{\cclass{P_{/poly}}}
\newcommand{\CSAT}{\ensuremath{\mathsf{CSAT}}}
\newcommand{\SAT}{\ensuremath{\mathsf{3SAT}}}
\newcommand{\IS}{\mathsf{INDSET}}
\newcommand{\poly}{\mathrm{poly}}
\newcommand{\inp}{\mathsf{in}}
\newcommand{\outp}{\mathsf{out}}
\newcommand{\Adv}{\mathsf{Adv}}
\newcommand{\Supp}{\mathsf{Supp}}
\newcommand{\dist}{\Delta}
\newcommand{\indist}{\approx}
\newcommand{\PRG}{\mathsf{G}}
\newcommand{\Enc}{\mathsf{E}}
\newcommand{\Dec}{\mathsf{D}}
\newcommand{\Fcal}{\mathcal{F}}
\newcommand{\Sign}{\mathsf{Sign}}
\newcommand{\Ver}{\mathsf{Ver}}
\newcommand{\Com}{\mathsf{Com}}
\newcommand{\angles}[1]{\langle #1 \rangle}
\newcommand{\eqdef}{\stackrel{\vartriangle}{=}}
% end of macros
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\title{Lecture 14 - Public Key Cryptography.}
\author{Boaz Barak}
\begin{document}
\maketitle
{ \ifnum\class=1 \fontsize{14pt}{16pt} \selectfont \fi
\begin{description}
\item[Public key cryptography] In the mid 1970's, Diffie and Hellman, and (independently) Merkle, began to
challenge the conventional wisdom of $\sim$ 3000 years of cryptography, namely that two parties must
exchange some secret information before they can begin to communicate confidentially. Merkle suggested the
notion of a \emph{key exchange protocol} in his 1974 class project. This is a protocol in which Alice and
Bob can interact over a public channel and as a result obtain a secret key $k$ that is known only to them.
He gave a candidate protocol that had non-trivial but rather weak security: the protocol takes $T$
computational steps and an attacker needs to spend roughly $T^2$ time to break it. (``Time'' here is really
the number of invocations of a hash function / block cipher; at today's processor speeds one can perhaps
think of $T=10^{9}$, $T^2=10^{18}$.)
Diffie and Hellman considered the notion of a \emph{trapdoor function}. They conjectured that such a
creature exists, and showed that if so, it can be used to obtain both \emph{public key encryption} and
\emph{digital signatures}, thus achieving confidentiality and integrity of communication over an open
channel. (Merkle also had some thoughts on how to solve the confidentiality issue.)
My understanding of the history is that Diffie and Hellman searched for functions that are easy to compute
and hard to invert, and Hellman's colleague John Gill suggested modular exponentiation. The problem was
that it's not known if exponentiation has a \emph{trapdoor} that allows to invert it. But then Diffie and
Hellman realized that it \emph{can} be used to achieve a potentially exponentially secure version of
Merkle's key exchange protocol, hence the protocol known today as Diffie-Hellman key exchange. (The
Diffie-Hellman protocol also immediately yields a probabilistic public-key encryption scheme, known today
as El-Gamal encryption, though at the time people had not yet realized that a secure public-key encryption must
be probabilistic.)
After Diffie and Hellman published their 1976 paper, the search for a trapdoor function began, and in 1977
Rivest, Shamir and Adleman (RSA) gave a trapdoor function candidate closely related to the factoring
problem. Diffie-Hellman key exchange and public key encryptions and signatures based on RSA are still the
most popular public key cryptographic implementations today. A year later, in 1978, Rabin gave a trapdoor
function for which inversion is provably as hard as factoring. Both the RSA and Rabin trapdoor functions are
components that need to be instantiated in a proper way (with padding and so on) to yield a CPA or CCA secure
public key encryption, and many natural instantiations turned out to be \emph{insecure}, as people discovered over
the years.
Interestingly, a sequence of works (by Lamport, Goldwasser-Micali-Rivest, Goldreich-Goldwasser-Micali,
Goldreich, Naor-Yung, Rompel and others) culminated in showing that digital signatures can be constructed from
any one-way function, and hence trapdoor functions are not necessary for constructing them.
\item[Trapdoor functions.] As far as we know, neither one-way permutations nor pseudorandom permutations help us get
\emph{public key} encryption schemes. The way we obtain these is by using \emph{trapdoor functions} (also
known as trapdoor permutations). These are \emph{keyed} collections with the following property: there are
two keys for each function, one to compute it in the forward direction and one to compute it in the reverse
direction (invert it). Now the key for the forward direction can be given to the adversary (not inside a
black box but really given to him) and still this will not help him invert the function (that is, the
function is a one-way permutation to someone not knowing the inversion key or ``trapdoor'').
\begin{definition}[Trapdoor functions.] A \emph{trapdoor
function collection} is a collection $\mathcal{F}$ of finite functions such that every $f \in \mathcal{F}$ is a
one-to-one function from some set $S_f$ to a set $T_f$. We require the following properties:
\begin{description}
\item[Efficient generation, computation, and inversion] There is a probabilistic polynomial-time algorithm
$G$ that on input $1^n$ outputs a pair $(f,f^{-1})$, where these are two $\poly(n)$-size strings that
describe the functions $f,f^{-1}$. That is, the mappings $(x,f) \mapsto f(x)$ and $(y,f^{-1}) \mapsto
f^{-1}(y)$ can be computed in polynomial time.
\item[Efficient sampling] There is a probabilistic polynomial-time algorithm that given $f$ can output a
random element of $S_f$ (or a distribution statistically close to a random element of $S_f$).
\item[One-wayness] The function $f$ is hard to invert. That is, for every polynomial-time $A$ there is a
negligible function $\e$ such that
\[
\Pr_{(f,f^{-1}) \getsr G(1^n), x \getsr S_f}\bigl[ A(1^n,f,f(x))=x \bigr] < \e(n)
\]
\end{description}
\end{definition}
We remark that this is a slight difference from the Boneh-Shoup definition, which does not allow the set $S$ to
depend on $f$; the RSA and Rabin trapdoor functions can be massaged to fit the latter definition, and in fact even
to ensure that the set $S$ is $\bits^n$. Thus, later in the course we will often assume \textbf{The Trapdoor
Permutation Axiom} that there exists such a trapdoor permutation family with domain and range being $\{0,1\}^n$.
(The technical term for such a collection is a ``doubly enhanced trapdoor permutation collection'', see
\url{http://www.wisdom.weizmann.ac.il/~oded/PSBookFrag/nizk-tdp.ps}.)
\item[Examples of trapdoor functions.]
\item[Rabin trapdoor function.] The primes and integer factorization have been studied by mathematicians for
thousands of years. Despite this, we still don't know of a $\poly(n)$-time algorithm to factor $n$-digit
numbers. This suggests the conjecture that such an algorithm \emph{does not exist}. For cryptography, we
need a stronger, average-case, form, and we'll assume that factoring random Blum integers is hard. (A Blum
integer is a number $N=PQ$ where $P,Q$ are primes with $P,Q = 3 \pmod{4}$.) Let $\mathcal{B}_n$ denote the set $\{ P \in [1..2^n]
: P \text{ prime and } P=3\pmod{4} \}$.
\paragraph{The Factoring Axiom.} For every polynomial-time algorithm $A$ there is a negligible function $\e$ such
that
\[
\Pr_{P,Q \getsr \mathcal{B}_n} [ A(P \cdot Q) = \{ P, Q \} ] \leq \e(n)
\]
The following family is known as Rabin's trapdoor function (what we actually describe below is a variant due to
Blum and Williams).
\begin{itemize}
\item Keys: choose $P,Q$ random primes of length $n$ with $P,Q=3\pmod{4}$, $N=P\cdot Q$. Note that $\phi(N)
\pmod{4} = (P-1)(Q-1) \pmod{4} = 2 \cdot 2 \pmod{4} = 0 \pmod{4}$.
\item Forward (public) key: $N$
\item Backward (inversion/trapdoor) key: $P,Q$.
\item Forward evaluation: $RABIN_{N}(X) = X^2 \pmod{N}$.
\item $RABIN_N(X)$ is a permutation on $QR_N$, where $QR_N$ is the set of quadratic residues modulo $N$
(the squares of elements of $\Z_N^*$). We show this by giving the inverse: if $X \in QR_N$ let $Y=RABIN_N(X)=X^2 \pmod{N}$.
Our inverse will be the following: we'll compute $A = Y \pmod{P}$ and $B = Y \pmod{Q}$. Recall that $P,Q =
3\pmod{4}$ and so we can write $P=4t+3$ and $Q=4t'+3$. We'll compute $X_1 = A^{t+1} \pmod{P}$ and $X_2 =
B^{t'+1} \pmod{Q}$ and combine $\angles{X_1,X_2}$ using the Chinese remainder theorem to get $X'$. If we
prove $X'=X$ then we're done.
Because Chinese remaindering is a one-to-one operation it is enough to prove that $X_1 = X \pmod{P}$ and
$X_2 = X \pmod{Q}$. We'll use here the fact that $X$ was itself a quadratic residue and hence $X=S^2
\pmod{N}$ for some $S \in \Z_N^*$.
We know that $X \pmod{P} = S^2 \pmod{P}$ and hence, using Fermat's little theorem ($S^{P-1}=1 \pmod{P}$),
$X_1 = (X^2)^{t+1} = S^{4(t+1)} = S^{4t+4} = S^{P-1+2} = S^2 \pmod{P} = X \pmod{P}$.
Similarly $X_2 = S^2 = X \pmod{Q}$ and hence we're done. (Note that $X_1$ and $X_2$ are themselves quadratic
residues modulo $P$ and $Q$, so the $X'$ returned by the inverter is the unique one of the four square roots of
$Y$ that lies in $QR_N$.)
\end{itemize}
Note that again we can sample from a distribution close to the uniform distribution over $QR_N$ by choosing a
random $S$ in $\{1,\ldots,N-1\}$ (which lies in $\Z_N^*$ except with negligible probability) and letting $X=S^2 \pmod{N}$.
\paragraph{One-wayness of Rabin's function.} The key to showing that the function is one-way is the following lemma:
\begin{lemma} Let $X,Y$ be such that $X \neq \pm Y \pmod{N}$ but $X^2 = Y^2 \pmod{N}$. Then
$\gcd(X-Y,N) \not\in \{1, N\}$.
\end{lemma}
\begin{proof} Since $X\neq \pm Y \pmod{N}$, $N \nmid X-Y$ and $N \nmid X+Y$, and so in particular $\gcd(X-Y,N) \neq N$.
Moreover we know that $X^2 - Y^2 = 0 \pmod{N}$ and hence $N \mid (X-Y)(X+Y)$. This implies that $\gcd(X-Y,N) \neq
1$, since otherwise we'd have $N \mid X+Y$.
\end{proof}
This implies that given such $X,Y$, if $N=PQ$ then we can compute $\gcd(X-Y,N)$ to find either $P$ or $Q$ (and
then find the other factor by computing $N/\gcd(X-Y,N)$). By the same argument we saw last class, if there is an
inverter $A$ for the Rabin function that succeeds with probability $\e$, then if we choose a random $X \in \Z_N^*$ and let
$Y=A(N, X^2)$, we have probability at least $\e/2$ that $Y$ satisfies $Y^2 = X^2 \pmod{N}$ but $X
\neq \pm Y \pmod{N}$ (the four square roots of $X^2$ all look the same to $A$, which only sees $X^2$, so $A$'s
answer is $\pm X$ with probability at most $1/2$). Thus Rabin's function is a trapdoor function family under the factoring axiom.
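The following Python program is an added worked example, not part of the original lecture notes: it implements the Blum-Williams variant of Rabin's function exactly as described above (random Blum primes, squaring, inversion via the exponent $t+1=(P+1)/4$ and Chinese remaindering) and then runs the reduction of this section, using the inverter as the black box $A$ to recover $P$ and $Q$ from $N$. The Miller-Rabin test, the 64-bit toy key size and the helper names (\texttt{rabin\_keygen}, \texttt{rabin\_invert}, \texttt{factor\_with\_inverter}) are my own choices, not anything from the notes.

```python
import math
import random
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (error probability at most 4^-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_blum_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits that is 3 mod 4 (a Blum prime)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 3   # top bit set, low two bits 11
        if is_probable_prime(cand):
            return cand


def rabin_keygen(bits: int = 64):
    """Forward key N = P*Q; trapdoor (P, Q). Toy size: real moduli are >= 2048 bits."""
    P = random_blum_prime(bits)
    Q = random_blum_prime(bits)
    while Q == P:
        Q = random_blum_prime(bits)
    return P * Q, (P, Q)


def rabin_forward(N: int, X: int) -> int:
    return pow(X, 2, N)


def crt(x1: int, P: int, x2: int, Q: int) -> int:
    """The unique X in Z_{PQ} with X = x1 (mod P) and X = x2 (mod Q)."""
    return (x1 + P * (((x2 - x1) * pow(P, -1, Q)) % Q)) % (P * Q)


def rabin_invert(trapdoor, Y: int) -> int:
    """The square root of Y mod N that itself lies in QR_N.
    With P = 4t+3 the exponent t+1 equals (P+1)/4, as in the proof above."""
    P, Q = trapdoor
    X1 = pow(Y % P, (P + 1) // 4, P)
    X2 = pow(Y % Q, (Q + 1) // 4, Q)
    return crt(X1, P, X2, Q)


def factor_with_inverter(N: int, inverter, tries: int = 64):
    """Factor N using any algorithm that returns *some* square root of its input.
    For random X in Z_N^*, the root Y the inverter returns for X^2 is independent
    of which of the four roots we hold, so Y != +-X with probability 1/2, and
    then gcd(X - Y, N) is a nontrivial factor by the lemma above."""
    for _ in range(tries):
        X = random.randrange(2, N - 1)
        if math.gcd(X, N) != 1:                   # lucky: X already shares a factor with N
            g = math.gcd(X, N)
            return tuple(sorted((g, N // g)))
        Y = inverter(pow(X, 2, N))
        if Y in (X, N - X):                       # Y = +-X reveals nothing; try again
            continue
        g = math.gcd(X - Y, N)
        if 1 < g < N:
            return tuple(sorted((g, N // g)))
    return None


if __name__ == "__main__":
    N, trapdoor = rabin_keygen()
    S = random.randrange(2, N - 1)
    X = pow(S, 2, N)                              # sampling S_f = QR_N as described above
    assert rabin_invert(trapdoor, rabin_forward(N, X)) == X
    print("N =", N)
    print("factors recovered from the inverter:",
          factor_with_inverter(N, lambda y: rabin_invert(trapdoor, y)))
```

Because \texttt{rabin\_invert} always returns the root lying in $QR_N$, for a uniformly random $X \in \Z_N^*$ the returned root differs from $\pm X$ exactly half the time, which is where the $\e/2$ in the argument above comes from; with 64 independent tries the reduction fails only with probability $2^{-64}$.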
\item[RSA function] RSA stands for Rivest, Shamir and Adleman; this is the first trapdoor function suggested (in
1977) and is still the most widely used.
\begin{itemize}
\item Keys: choose $P,Q$ random primes of length $\ell$, $N=P\cdot Q$. Note that
$\varphi(N)=|Z^*_N|=(P-1)(Q-1)$. Choose $e$ at random from $Z^*_{\varphi(N)}$ (that is,
$\gcd(e,\varphi(N))=1$).\footnote{Choosing $e$ at random is just one possibility; one can also fix $e$ to be
any number in $\Z^*_{\varphi(N)} \setminus \{1\}$, and different choices have been considered in the
literature. In particular people often choose $e=3$ or $e$ a prime of the form $e=2^i+1$ (such as
$e=65537=2^{16}+1$), to get faster exponentiation; a fixed $e$ must still be checked to be coprime to
$\varphi(N)$ for the particular key.} Note that $\varphi(N)$ is \emph{even} and hence, unlike in the Rabin case, $e$ cannot
equal $2$.
\item Forward (public) key: $N,e$
\item Backward (inversion/trapdoor) key: $d$ such that $d = e^{-1} \pmod{\varphi(N)}$. That is, $ed =
k\varphi(N)+1$ for some integer $k$. Note that $d$ can be computed from $\varphi(N)$ (which can be computed using the
factorization $P,Q$ of $N$).
\item Forward evaluation: $RSA_{N,e}(X) = X^e \pmod{N}$.
\item $RSA_{N,e}(X)$ is a permutation on $\Z_N^*$. We show this by giving the inverse: if $X \in \Z_N^*$ let
$Y=RSA_{N,e}(X)=X^e \pmod{N}$. Then, $Y^d \pmod{N} = X$. Indeed, for every finite group $G$ and element $a\in G$
we have that $a^{|G|}=1$, and so in particular $X^{\varphi(N)}=1 \pmod{N}$. Hence
$X^{ed}=X^{k\varphi(N)+1}=X^{k\varphi(N)}\cdot X=1\cdot X = X \pmod{N}$.
\end{itemize}
Note that we can generate a random element of $\Z^*_N$ by choosing a random number $X$ in $0,1,\ldots,N-1$ and
verifying that $\gcd(X,N)=1$. The probability for that is overwhelming since there are $(P-1)(Q-1)=PQ-P-Q+1$
elements in $\Z^*_N$, and so only $P+Q-1$ of the $PQ$ numbers between $0$ and $N-1$, a tiny fraction, are not in $\Z^*_N$.
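The next Python program is an added example, not from the notes, of the RSA key generation, forward and inverse maps above, together with the rejection sampler for $\Z_N^*$. The primes are constructed toy parameters, the Mersenne primes $2^{107}-1$ and $2^{127}-1$, chosen only so that the example runs without a primality test; real keys use two random primes of at least 1024 bits each, and all function names are mine. The block also checks the footnote's point that a fixed $e$ must be coprime to $\varphi(N)$: for these particular primes $e=3$ is rejected because $3$ divides $P-1$. Finally it exhibits the multiplicative property $RSA_{N,e}(X_1)\cdot RSA_{N,e}(X_2)=RSA_{N,e}(X_1X_2)$, one concrete reason the raw function is not an encryption scheme until it is wrapped in a padding scheme.

```python
import math
import secrets

# Constructed toy parameters: the Mersenne primes 2^107-1 and 2^127-1. They are
# used here only because they are known primes; real RSA keys use two random
# primes of at least 1024 bits each.
P_TOY = (1 << 107) - 1
Q_TOY = (1 << 127) - 1


def valid_exponent(P: int, Q: int, e: int) -> bool:
    """e is usable iff gcd(e, phi(N)) = 1. phi(N) is even, so e = 2 never works,
    and even a conventional fixed e (3, 65537) must be checked against each key."""
    return e > 1 and math.gcd(e, (P - 1) * (Q - 1)) == 1


def rsa_keygen(P: int = P_TOY, Q: int = Q_TOY, e: int = 65537):
    """Forward key (N, e); trapdoor d = e^{-1} mod phi(N), so e*d = k*phi(N) + 1."""
    if not valid_exponent(P, Q, e):
        raise ValueError("e is not a unit modulo phi(N)")
    N, phi = P * Q, (P - 1) * (Q - 1)
    d = pow(e, -1, phi)                       # modular inverse (Python >= 3.8)
    return (N, e), d


def rsa_forward(pub, X: int) -> int:
    N, e = pub
    return pow(X, e, N)


def rsa_invert(pub, d: int, Y: int) -> int:
    N, _ = pub
    return pow(Y, d, N)                       # Y^d = X^(ed) = X^(k*phi(N)+1) = X mod N


def sample_unit(N: int) -> int:
    """Random element of Z_N^*: rejection-sample 0..N-1 until gcd(X, N) = 1.
    Only P + Q - 1 of the N residues are rejected, so this almost never loops."""
    while True:
        X = secrets.randbelow(N)
        if math.gcd(X, N) == 1:
            return X


def is_multiplicative(pub, X1: int, X2: int) -> bool:
    """Textbook RSA is malleable: f(X1) * f(X2) = f(X1 * X2) mod N. An attacker
    who sees f(X) can therefore produce f(2X) without knowing X or d."""
    N, _ = pub
    lhs = (rsa_forward(pub, X1) * rsa_forward(pub, X2)) % N
    return lhs == rsa_forward(pub, (X1 * X2) % N)


if __name__ == "__main__":
    pub, d = rsa_keygen()
    X = sample_unit(pub[0])
    assert rsa_invert(pub, d, rsa_forward(pub, X)) == X
    print("round trip ok for a random unit;",
          "e=2 valid?", valid_exponent(P_TOY, Q_TOY, 2),
          "e=3 valid for this key?", valid_exponent(P_TOY, Q_TOY, 3),
          "malleable?", is_multiplicative(pub, 1234, 5678))
```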
The \textbf{RSA Assumption} is that the RSA function is indeed a trapdoor function. It is known to be a
stronger assumption than the assumption that factoring random integers is hard (by random I mean product of two
large random primes). However, it is not known whether or not these assumptions are equivalent. That is, as far
as we know, it may be the case that there is an efficient algorithm to invert the RSA function even if there is
no efficient factoring algorithm.
\item[Using trapdoor functions for public key encryption] Exercise...
\item[Key exchange and the Diffie-Hellman protocol.] Alice and Bob can communicate securely over a line
eavesdropped by Eve by having Alice generate a keypair $(e,d)$ for a public-key encryption scheme, send to
Bob $e$, and then Bob can send messages to Alice by encrypting them with $e$.
However, this is not necessarily the only way to do so. A different approach is using a \emph{key exchange
protocol}. The first (and still most used) such protocol was given in the same paper by Diffie and Hellman
where they first suggested the ``crazy'' notion of public key cryptography. We'll first present the protocol
and then talk about its security goals.
They use the fact that the group $\Z^*_P$ for a prime $P$ is \emph{cyclic}. This means that there is some
number $g \in \Z^*_P$ such that $\Z^*_P = \{ 1 ,g ,g^2,g^3,\ldots, g^{P-2} \}$. $g$ is called a
\emph{generator} for the group. In other words, for every element $X\in \Z^*_P$, there is an $i \in \{ 0,\ldots
, P-2\}$ such that $X =g^i \pmod{P}$. This number $i$ is called the \emph{discrete log} of $X$ with respect to
$g$.
It is known how to efficiently find a generator $g$ for $\Z^*_P$ given a prime $P$. It is not known how to
compute the discrete logarithm and this problem is believed to be hard.
The Diffie-Hellman protocol:
\begin{itemize}
\item Alice chooses prime $P$ at random and finds a generator $g$.
\item Alice chooses $X \getsr \{0,1,\ldots,P-2\}$ and sends $P,g$ and $\Hat{X}=g^X \pmod{P}$ to Bob.
\item Bob chooses $Y \getsr \{0,1,\ldots,P-2\}$ and sends $\Hat{Y}=g^Y \pmod{P}$ to Alice.
\item Alice and Bob both compute $k = g^{XY} \pmod{P}$. Alice does that by computing $\Hat{Y}^X$ and Bob
does this by computing $\Hat{X}^Y$.
\item They then use $k$ as a key to exchange messages using a private key encryption scheme.
\end{itemize}
Clearly, if Eve can compute the discrete log and obtain $X$ from $\Hat{X}$ or $Y$ from $\Hat{Y}$ then this
protocol is insecure. Thus the assumption that DH key exchange is secure is stronger than the assumption that
the discrete log function is hard to compute (or in other words, that the exponentiation function is a one-way
permutation). However, as far as we know, this assumption is \emph{not} sufficient for the security of
Diffie-Hellman protocol. We need a stronger assumption which is the following:
\noindent\textbf{Decisional Diffie Hellman (DDH) assumption --- Take 1.} For every prime $P$ and generator $g$
of $\Z^*_P$, the following two distributions $A$ and $B$ over triplets are computationally indistinguishable:
$A = \angles{g^X,g^Y,g^{XY}}$ for random $X$ and $Y$ in $\{0,\ldots,P-2\}$ and $B = \angles{g^X,g^Y,Z}$ for
random $X$ and $Y$ in $\{0,\ldots,P-2\}$ and random $Z \getsr \Z^*_P$.
This assumption implies that as far as Eve is concerned, the key $k$ is a random element in $\Z^*_P$ (i.e., a
random number between $1$ and $P-1$) and hence can be safely used as a key for any private key encryption
scheme. For example, to send a single message $m$ of length $\ell$, Bob can treat $k$ as an $\ell$-bit string and
send Alice $k \oplus m$, using $k$ as a one-time pad.
Unfortunately, this assumption is not true (although as far as we know it is ``morally true'') for a very
simple reason: given a number $\Hat{Y} \in \Z^*_P$, we can efficiently check whether it has a square root modulo $P$ (i.e.,
whether it is a quadratic residue), for instance via Euler's criterion $\Hat{Y}^{(P-1)/2} = 1 \pmod{P}$. Since $g$
generates $\Z^*_P$, $g^X$ is a quadratic residue if and only if $X$ is even.
Thus, given $g^X$ and $g^Y$ we can test whether $X$ and $Y$ are both even (which happens with probability $1/4$),
and in this case $g^{XY}$ will also be a quadratic residue, while a random element in $\Z^*_P$ will only be in
$QR_P$ with probability $1/2$. (In fact $g^{XY}$ is a quadratic residue if and only if at least one of $X,Y$ is
even, so Eve can predict the quadratic residuosity of the third component from the first two every time.)
Fortunately, the assumption can be made for other groups in which it is believed to be true. One such group is
the subgroup of quadratic residues mod $P$, for $P$ of the form $P=2Q+1$ with $Q$ prime (a ``safe prime''); this
subgroup has prime order $Q$, so every element other than $1$ generates it and there is no quadratic residuosity to leak. See
\url{http://crypto.stanford.edu/~dabo/abstracts/DDH.html} for more about this assumption.
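The following Python program is an added example, not part of the original notes. It runs both sides of the Diffie-Hellman protocol above, then plays Eve: it computes the quadratic residuosity of $\Hat{X}$ and $\Hat{Y}$ by Euler's criterion and predicts that of the key, which distinguishes the real triple from a random one. This carries the observation above a step further, using the fact that $g^{XY}$ is a residue iff $X$ or $Y$ is even rather than only the ``both even'' case. It then repeats the experiment in the prime-order subgroup $QR_P$ of a safe prime $P=2Q+1$, where the advantage is exactly zero. The prime $P=1019$ is a constructed toy parameter (real groups are at least 2048 bits, and the leak does not depend on size) and all function names are mine.

```python
import secrets

# Constructed toy parameters: the safe prime P = 2Q+1 = 1019 with Q = 509 prime.
P = 1019
Q = (P - 1) // 2


def is_prime(n: int) -> bool:
    """Trial division; only meant to sanity-check the toy parameters above."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


assert is_prime(P) and is_prime(Q)


def find_generator(P: int, Q: int) -> int:
    """For a safe prime P = 2Q+1 every element order divides 2Q, so g generates
    Z_P^* iff g^2 != 1 and g^Q != 1."""
    for g in range(2, P):
        if pow(g, 2, P) != 1 and pow(g, Q, P) != 1:
            return g
    raise ValueError("no generator found")


def is_qr(a: int, P: int) -> bool:
    """Euler's criterion: a is a quadratic residue mod P iff a^((P-1)/2) = 1."""
    return pow(a, (P - 1) // 2, P) == 1


def dh_exchange(g: int, P: int, order: int):
    """Both sides of the protocol. Returns Alice's key, Bob's key and Eve's view."""
    X = secrets.randbelow(order)            # Alice's secret exponent
    Y = secrets.randbelow(order)            # Bob's secret exponent
    X_hat = pow(g, X, P)                    # Alice -> Bob
    Y_hat = pow(g, Y, P)                    # Bob -> Alice
    k_alice = pow(Y_hat, X, P)
    k_bob = pow(X_hat, Y, P)
    return k_alice, k_bob, (X_hat, Y_hat)


def eve_predicts_qr(X_hat: int, Y_hat: int, P: int) -> bool:
    """With g a generator of Z_P^*, g^X is a QR iff X is even, hence g^(XY) is a QR
    iff X or Y is even, i.e. iff g^X or g^Y is a QR. Uses the transcript only."""
    return is_qr(X_hat, P) or is_qr(Y_hat, P)


def ddh_advantage(g: int, P: int, order: int, sample_random, trials: int = 2000) -> float:
    """How much more often Eve's prediction matches the real key g^(XY) than a
    random group element Z drawn by sample_random (the B distribution)."""
    real_hits = rand_hits = 0
    for _ in range(trials):
        k, _, (X_hat, Y_hat) = dh_exchange(g, P, order)
        guess = eve_predicts_qr(X_hat, Y_hat, P)
        real_hits += guess == is_qr(k, P)
        rand_hits += guess == is_qr(sample_random(), P)
    return (real_hits - rand_hits) / trials


def advantage_in_full_group() -> float:
    """DDH 'Take 1' in Z_P^*: Eve is always right about the real key, while a random
    Z matches her guess only half the time, so the advantage is about 1/2."""
    g = find_generator(P, Q)
    return ddh_advantage(g, P, P - 1, lambda: 1 + secrets.randbelow(P - 1))


def advantage_in_qr_subgroup() -> float:
    """The fix: run the protocol in QR_P = <g^2>, which has prime order Q. Every
    element is a residue, so the Legendre symbol carries no information at all."""
    h = pow(find_generator(P, Q), 2, P)
    return ddh_advantage(h, P, Q, lambda: pow(h, secrets.randbelow(Q), P))


if __name__ == "__main__":
    g = find_generator(P, Q)
    ka, kb, seen = dh_exchange(g, P, P - 1)
    print("generator", g, "keys agree:", ka == kb, "Eve sees", seen)
    print("Eve's advantage in Z_P^*: %.2f" % advantage_in_full_group())
    print("Eve's advantage in QR_P:  %.2f" % advantage_in_qr_subgroup())
```

The two advantage figures are the whole point: in $\Z^*_P$ the Legendre symbol of the third component is a deterministic function of the first two, while in the order-$Q$ subgroup every element is a residue and the same test outputs ``residue'' for real and random triples alike.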
\item[Different types of permutations.] It's important not to get confused between \emph{pseudorandom permutations}
(PRP), \emph{one way permutations} (OWP) and \emph{trapdoor permutations} (TDP). Both \emph{one-way
permutations} and \emph{pseudorandom permutations} are symmetric primitives, that are related to \emph{private
key} cryptography. A one-way permutation is just one function rather than a collection of functions, and it has
the property that it's easy to compute but hard to invert. A pseudorandom permutation collection has the
property that it's indistinguishable from a random permutation for an adversary that \emph{doesn't know the
key}. The crucial difference in a trapdoor permutation is that an adversary that \emph{is given the (forward)
key} still cannot invert it, even though this is easy to do using the backward (i.e. trapdoor) key.
\end{description}
}
\end{document}