This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Pr[MRn (1n ) = 1] + (n) The algorithm A executes the following algorithm: 1. Sample 1 ≤ J < q uniformly at random. 2. Invoke M on input 1n . 3. Answer each one of the first J queries of M with a uniformly chosen bit. Denote by x the J th query and by σ the answer given to it. 4. Let xi be the ith query for i > J, answer this query with fs (xi ) r (by querying fs on xi ). 5. If M outputs 1 then output σ. Otherwise output σ ¯. It is immediate that the choice of x is indeed independent of r. Proving the success probability of A (claimed above) is done by a standard hybrid argument. For any unpredictable function fs , Construction 4.1gives a single-bit pseudorandom function gs,r . Extracting more bits is possible in two (complementary) ways: 1. Taking the inner product of the unpredictable function fs with a few random vectors. I.e., using the function g¯s,r1 ,r2 ,...,rt (x) = fs (x) r1 , fs (x) r2 , . . . , fs (x) rt . 2. Taking the inner product of any polynomial number of (independent) unpredictable functions fsi with the same random vector. I.e., using the function gˆs1 ,s2 ,...,st ,r (x) = fs1 (x) r, fs2 (x) r, . . . , fst (x) r. While the first method is more efficient (the function fs is only computed once) it decreases security more rapidly. More precisely, assume that there is an efficient oracle-machine M that distinguishes g¯s,r1 ,r2 ,...,rt from random with advantage using q queries then it is possible to define an oracle machine A as in the proof of Theorem 7 that outputs a guess for fs (x) r which is correct with probability at least 1/2 + /(q · 2t ). Therefore it is possible to define a machine D that breaks the unpredictable function f with O(`(n) · (q/)2 · 22t · q) queries 2 and success probability Ω((/q) · 2−2t ). However, in case fs is sufficiently secure and t is not too large (say, t = 20) this method can still be used. For the second method, it is not hard to show a much more moderate reduction in security. I.e., a reduction by 1/t2 factor (getting a factor of 1/t is possible by using t different strings ri instead of a single string r). The two methods can naturally be combined to give a reasonably efficient and secure pseudo-random function with a large output.
From Unpredictability to Indistinguishability
5
277
Weaker Notions
In this section we consider weaker notions of indistinguishability and unpredictability then those of Definitions 3 and 5. We show how to relax either one of these definitions by allowing the adversary a random attack rather than an adaptive attack. As will be described below, such random attacks come up naturally in applications such as identification and encryption. Two meanings in which an attack can be random are: 1. A Random Challenge. The adversary is required to compute the value of fs on a random point. This is formalized by letting V send xq ∈ Un to D after the first q − 1 rounds. 2. A Random Sample. The adversary gets the value of fs on polynomial number of random inputs instead of adaptively choosing the inputs itself. This is formalized by removing the first q − 1 rounds of the protocol and adding to the common input the values hx1 , fs (x1 ), x2 , fs (x2 ), . . . xq−1 , fs (xq−1 )i, where each one of the xi ’s is an independent instance of Un . Remark 8. An alternative to an adaptive attack and a random attack is a static attack. In this case, D has to choose and send x1 , x2 , . . . xq at the first round. Such an attack seems less natural in the applications we consider here and we therefore ignore it. For some intuition on the difference between adaptive and static attacks see [21]. The total number the definitions we obtain by considering all combinations (i.e., indistinguishability vs. unpredictability, adaptive samples vs. random samples and adaptive challenges vs. random challenges) is eight. The observation that no two of these definitions are equivalent (as long as one-way functions exist) easily follows from the separations we sketch below. Furthermore, there are no implications except for the obvious ones: – Let fs be a pseudo-random function and define the function gs (x) = hx,fs (x)i (x concatenated with fs (x)). Then gs is an unpredictable function but is not indistinguishable even against a random sample and a random challenge. – Let fs be a pseudo-random function and define the function gs such that gs (x) = fs (x) for every x 6= 0 and gs (0) = 0. Then gs is indistinguishable against an adaptive sample and a random challenge but is not even unpredictable against a random sample and an adaptive challenge. – Let fs be a pseudo-random function and define the function gs such that gs (x) = fs (x) for every x 6= fs (0) and (unless the rare condition fs (0) = 0 holds) gs (fs (0)) = s. Then gs is indistinguishable against a random sample and an adaptive challenge but is not even unpredictable against an adaptive samples and a random challenge. More “natural” examples for functions that are suspected to be secure (indistinguishable) against a random attack but are completely insecure against an adaptive attack come up in the context of Computational Learning-Theory (see [5,20] for details). Consider for example the following distribution on functions with parameters k and n. Each function is defined by two, uniformly distributed, disjoint sets A, B ⊂ {1, . . . , n} each of size k. Given an n-bit input, the
278
Moni Naor and Omer Reingold
output of the function is the exclusive-or of two values: the parity of the bits indexed by A and the majority of the bits indexed by B. Restating [5] in the terminology of this paper, it is estimated there that distinguishing these functions (for k = log n) from a random function using a random sample and a random challenge requires “profoundly” new ideas. However, the key of such a function (for any k) can easily be recovered using an adaptive attack. The extreme efficiency of function families that are suspected to be weak pseudo-random functions (i.e., indistinguishable against a random sample and a random challenge) raises the following questions: 1. Can the construction in [20] of a full-fledged pseudo-random function from weak pseudo-random functions be improved? 2. Can weak pseudo-random functions be directly used in private-key encryption and authentication schemes? We further consider the second question in Section 5.1. 5.1
The Requirements of Private-Key Tasks
Identifying the exact requirements for function families used in any given protocol can imply more efficient implementations of this protocol. We therefore consider in this section the actual requirements for standard private-key schemes. The three most common tasks in private-key cryptography are user identification, message authentication and encryption. Consider the following schemes for the above tasks. A group of parties that share a pseudo-random function fs may perform: Authentication The authentication tag of a message m is defined to be fs (m). Here the requirement is unpredictability against an adaptive sample and an adaptive challenge (in case we want existential unforgeability against a chosen message attack). Identification A member of the group, V, determines if A is also a member by issuing a random challenge r and verifying that the respond of A is fs (r). Assuming that the adversary can perform an active attack (i.e., can participate in executions of the protocol as the verifier), we need unpredictability against an adaptive sample and a random challenge. If the adversary is limited to a passive attack (i.e., can only eavesdrop to previous executions of the protocol), then we only need unpredictability against a random sample and a random challenge. Encryption The encryption of a message m is defined to be hr, fs (r) ⊕ mi, where r is a uniformly chosen input. We are using the terminology of [9] for attacks (chosen plaintext, chosen ciphertext in the preprocessing and postprocessing modes) and notions security (semantic and non-malleability). Assuming that the adversary is limited to a chosen plaintext attack, we need indistinguishability against a random sample and a random challenge (in case we are interested in semantic security). If the adversary can perform a chosen ciphertext attack in the preprocessing mode, then we need indistinguishability against an adaptive sample and a random challenge to get semantic security. For any implementation
From Unpredictability to Indistinguishability
279
of f this scheme is malleable and hence not secure against a chosen ciphertext attack in the postprocessing mode. I.e., when the adversary queries the function after getting the challenge. The functions used in all the schemes considered above should be secure against an adaptive sample (when we consider the stronger attack in each case). The following encryption scheme (that can also be used for authentication and identification) proposed in the full version of [9] eliminates this requirement. The encryption of a message m under this scheme is defined to be hr, f (r) ⊕ m, g(r, f (r) ⊕ m)i, where r is a uniformly chosen input. To get non-malleable security against a chosen ciphertext attack in the postprocessing mode it is enough for f and g to be indistinguishable against a random sample and an adaptive challenge. The role of g is to “authenticate” the first part of the encryption and make it infeasible for an adversary to generate valid ciphertexts it did not explicitly receive (i.e. the encryption scheme is self-validating). An interesting open question is whether there exist an efficient authentication or encryption scheme which can be based on functions secure against a random sample and a random challenge. 5.2
Improving Efficiency for Weaker Definitions
In this section we give another demonstration that weaker definitions may imply better efficiency. We do so by showing a more efficient variant for one of the constructions of [22] that is sufficient for the standard identification scheme. In [22], two related constructions of pseudo-random functions are presented. The construction that is based on factoring gives a single-bit (or few-bits) pseudorandom function. We show that if we are only interested in unpredictability against an adaptive sample and a random challenge this construction can be improved. Informally, the construction of pseudo-random functions that are at least as secure as factoring is as follows: Let N be distributed over Blum-integers (N = P · Q, where P and Q are primes and P = Q = 3 mod 4) and assume that (under this distribution) it is hard to factor N . Let g be a uniformly distributed quadratic residue in Z∗N , let a = ha1,0 , a1,1 , a2,0 , a2,1 , . . . an,0 , an,1 i be a def
uniformly distributed sequence of 2n elements in [N ] = {1, 2, . . . , N } and let r be a uniformly distributed bit-string of the same length as N . Then the Binaryfunction, fN,g,a,r , is pseudo-random. Where the value of fN,g,a,r on any n-bit input, x = x1 x2 · · · xn , is defined by: Qn def fN,g,a,r (x) = g i=1 ai,xi mod N r Using similar techniques to the proof in [22], it can be shown that if factoring Blum-integers is hard then the function f˜N,g,a , is unpredictable against an adaptive sample and a random challenge. Where the value of f˜N,g,a on any n-bit input, x = x1 x2 · · · xn , is defined by: Qn def f˜N,g,a (x) = g i=1 ai,xi mod N
280
Moni Naor and Omer Reingold
As described in Section 5.1, such a function can be used for the standard challenge-response identification scheme. 5.3
Additional Transformations of Unpredictability to Indistinguishability
In Section 4, we considered the gs,r (x) = fs (x) r construction (Construction 4.1) as a transformation of unpredictable functions to pseudo-random functions. As discussed there, the problem in using a public r in this construction is that it enables the distinguisher to choose inputs for gs,r (x) that directly depend on r. For such an input x, the value gs,r (x) might be distinguishable from random. However, when we consider weaker definitions of unpredictability and indistinguishability where the challenge is random such a problem does not occur. In this case a rather simple application of the GL-bit gives the following theorem: Theorem 7. Let F = {Fn }n∈N be an efficient I n 7→ I `(n) function-ensemble. Define G = {Gn }n∈N as in Construction 4.1. It follows that: 1. If F is unpredictable against an adaptive sample and a random challenge, then G is indistinguishable against an adaptive sample and a random challenge. 2. If F is unpredictable against a random sample and a random challenge, then G is indistinguishable against a random sample and a random challenge. Both (1) and (2) hold even if for each function gs,r ∈ Gn we let r be public As discussed in Section 5.1, indistinguishability against an adaptive sample and a random challenge is sufficient for the standard private-key encryption scheme whereas unpredictability against an adaptive sample and a random challenge is sufficient for the standard challenge-response identification scheme. Therefore, any function that is designed for the identification scheme can be transformed into a private-key encryption scheme (using the methods described in Section 4 for getting a larger output length).
6
Conclusion and Further Research
We have considered several notions of unpredictability and their relationship with the corresponding notions of indistinguishability. For three of these notions we have shown that the Goldreich-Levin hard-core bit can simply turn unpredictability into indistinguishability. By this construction efficient implementations of MACs can be used to obtain efficient implementations of pseudo-random functions. An interesting open problem is to prove or disprove the validity of the construction in a fourth setting: Can the GL-bit be used to turn unpredictability against a random sample and an adaptive challenge into indistinguishability against a random sample and an adaptive challenge? The second part of Theorem 7 and the construction in [20] of full-fledged pseudo-random functions from weak pseudo-random functions give a relatively efficient transformation (compared with the transformation obtained
From Unpredictability to Indistinguishability
281
by [12,16,17]) from the weakest notion considered in this paper (i.e. unpredictability against a random sample and a random challenge) to the stronger notion (i.e. indistinguishability against an adaptive sample and an adaptive challenge). An interesting task should be to achieve a more efficient transformation. Section 5.1 considers the exact requirements for function families used in standard private-key schemes. An interesting line for further research discussed there is to design efficient private-key encryption and authentication schemes that only use weak pseudo-random functions. Implementations of such schemes may be very efficient given the extreme efficiency of candidates for weak pseudorandom functions.
Acknowledgments We thank Ran Canetti and Benny Pinkas for motivating the problem. We thank Oded Goldreich for encouragement and many helpful comments. We also thank the reviewers of CRYPTO ’98 and Hugo Krawczyk for many helpful comments.
References 1. M. Bellare, R. Canetti and H. Krawczyk, Keying hash functions for message authentication, Proc. Advances in Cryptology - CRYPTO ’96, LNCS, Springer, vol. 1109, 1996, pp. 1-15. 268, 269, 269 2. M. Bellare, A. Desai, E. Jokipii and P. Rogaway, A Concrete Security Treatment of Symmetric Encryption, Proc. 38th IEEE Symp. on Foundations of Computer Science, 1997, pp. 394-403. 273 3. M. Bellare, J. Kilian and P. Rogaway, The security of cipher block chaining, Advances in Cryptology - CRYPTO ’94, Lecture Notes in Computer Science, vol. 839, Springer-Verlag, 1994, pp. 341-358. 269 4. M. Bellare and S. Goldwasser, New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs Proc. Advances in Cryptology - CRYPTO ’89, LNCS, Springer, 1990, pp. 194-211. 268 5. A. Blum, M. Furst, M. Kearns and R.J. Lipton, Cryptographic primitives based on hard learning problems, in: D.R. Stinson, ed., Advances in Cryptology - CRYPTO ’93, LNCS, vol. 773, Springer, 1994, pp. 278-291. 271, 271, 277, 278 6. M. Blum and S. Micali, How to generate cryptographically strong sequence of pseudo-random bits, SIAM J. Comput., vol. 13, 1984, pp. 850-864. 268 7. G. Brassard, Modern cryptology, LNCS, vol. 325, Springer, 1988. 268 8. R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor and B. Pinkas, Multicast security: A taxonomy and efficient authentication, manuscript. 270, 270 9. D. Dolev, C. Dwork and M. Naor, Non-malleable cryptography, Proc. 23rd Ann. ACM Symp. on Theory of Computing, 1991, pp. 542-552. Full version available at: http://www.wisdom.weizmann.ac.il/~naor. 278, 279 10. O. Goldreich, Two remarks concerning the Goldwasser-Micali-Rivest signature scheme, Advances in Cryptology - CRYPTO’ 86, LNCS, vol. 263, 1987, pp. 104110. 268 11. O. Goldreich, Foundations of Cryptography (Fragments of a Book), 1995. Electronic publication in the Electronic Colloquium on Computational Complexity: http://www.eccc.uni-trier.de/eccc/info/ECCC-Books/eccc-books.html. 271, 275
282
Moni Naor and Omer Reingold
12. O. Goldreich, S. Goldwasser and S. Micali, How to construct random functions, J. of the ACM., vol. 33, 1986, pp. 792-807. 267, 269, 269, 272, 273, 273, 281 13. O. Goldreich, S. Goldwasser and S. Micali, On the cryptographic applications of random functions, Advances in Cryptology - CRYPTO ’84, LNCS, vol. 196, Springer, 1985, pp. 276-288. 268 14. O. Goldreich and L. Levin, A hard-core predicate for all one-way functions, in: Proc. 21st Ann. ACM Symp. on Theory of Computing, 1989, pp. 25-32. 269, 274 15. S. Halevi and H. Krawczyk, MMH: message authentication in software in the Gbit/second rates, Proc. Fast Software Encryption, Lecture Notes in Computer Science, Springer-Verlag, 1997. 269 16. J. Hastad, R. Impagliazzo, L. A. Levin and M. Luby, Construction of a pseudorandom generator from any one-way function, To appear in SIAM J. Comput. Preliminary versions by Impagliazzo et. al. in 21st STOC, 1989 and Hastad in 22nd STOC, 1990. 269, 269, 281 17. R. Impagliazzo and M. Luby, One-way functions are essential for complexity based cryptography, Proc. 30th FOCS, 1989, pp. 230-235. 269, 281 18. M. Luby, Pseudo-randomness and applications, Princeton University Press, 1996. 268, 272 19. M. Luby and C. Rackoff, How to construct pseudorandom permutations and pseudorandom functions, SIAM J. Comput., vol. 17, 1988, pp. 373-386. 268 20. M. Naor and O. Reingold, Synthesizers and their application to the parallel construction of pseudo-random functions, Proc. 36th IEEE Symp. on Foundations of Computer Science, 1995, pp. 170-181. 271, 271, 271, 277, 278, 280 21. M. Naor and O. Reingold, On the construction of pseudo-random permutations: Luby-Rackoff revisited, To appear in: J. of Cryptology. Preliminary version in: Proc. 29th Ann. ACM Symp. on Theory of Computing, 1997. pp. 189-199. 268, 271, 277 22. M. Naor and O. Reingold, Number-Theoretic constructions of efficient pseudorandom functions, Proc. 38th FOCS, 1997, pp. 458-467. 271, 279, 279, 279 23. B. Preneel and P. C. van Oorschot, On the security of two MAC algorithms, Advances in Cryptology - EUROCRYPT ’96, LNCS, vol. 1070, 1996, pp. 19-32. 268 24. R. L. Rivest, Chaffing and winnowing: confidentiality without encryption, MIT Lab for Computer Science, http://theory.lcs.mit.edu/~rivest/chaffing.txt, March 18, 1998. To appear in: RSA CryptoBytes, Summer 1998. 270 25. P. Rogaway, Bucket hashing and its application to fast message authentication, Advances in Cryptology - CRYPTO ’95, Lecture Notes in Computer Science, vol. 963, Springer-Verlag, 1995, pp. 74-85. 269 26. A. Shamir, On the generation of cryptographically strong pseudo-random number sequences, ACM Trans. Comput. Sys., vol 1, 1983, pp. 38-44. 268 27. M. Wegman and L. Carter, New hash functions and their use in authentication and set equality, J. of Computer and System Sciences, vol. 22, 1981, pp. 265-279. 269 28. A. C. Yao, Theory and applications of trapdoor functions, Proc. 23rd IEEE Symp. on Foundations of Computer Science, 1982, pp. 80-91. 268
Many-to-One Trapdoor Functions and Their Relation to Public-Key Cryptosystems Mihir Bellare1 , Shai Halevi2 , Amit Sahai3 , and Salil Vadhan3 1
Dept. of Computer Science & Engineering, University of California at San Diego 9500 Gilman Drive, La Jolla, CA 92093, USA [email protected] http://www-cse.ucsd.edu/users/mihir. 2 IBM T. J. Watson Research Center P.O. Box 704, Yorktown Heights, NY 10598, USA [email protected]. 3 MIT Laboratory for Computer Science 545 Technology Square, Cambridge, MA 02139, USA [email protected] [email protected]. URL:http://www-math.mit.edu/~salil.
Abstract. The heart of the task of building public key cryptosystems is viewed as that of “making trapdoors;” in fact, public key cryptosystems and trapdoor functions are often discussed as synonymous. How accurate is this view? In this paper we endeavor to get a better understanding of the nature of “trapdoorness” and its relation to public key cryptosystems, by broadening the scope of the investigation: we look at general trapdoor functions; that is, functions that are not necessarily injective (ie., one-to-one). Our first result is somewhat surprising: we show that non-injective trapdoor functions (with super-polynomial pre-image size) can be constructed from any one-way function (and hence it is unlikely that they suffice for public key encryption). On the other hand, we show that trapdoor functions with polynomial pre-image size are sufficient for public key encryption. Together, these two results indicate that the pre-image size is a fundamental parameter of trapdoor functions. We then turn our attention to the converse, asking what kinds of trapdoor functions can be constructed from public key cryptosystems. We take a first step by showing that in the random-oracle model one can construct injective trapdoor functions from any public key cryptosystem.
1
Introduction
A major dividing line in the realm of cryptographic primitives is that between “one-way” and “trapdoor” primitives. The former effectively means the primitives of private key cryptography, while the latter are typically viewed as tied to public key cryptosystems. Indeed, the understanding is that the problem of building public key cryptosystems is the problem of “making trapdoors.” H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 283–299, 1998. c Springer-Verlag Berlin Heidelberg 1998
284
Mihir Bellare et al.
Is it really? It is well known that injective (ie. one-to-one) trapdoor functions suffice for public key cryptography [Ya,GoMi]. We ask: is the converse true as well, or can public key cryptosystems exist under a weaker assumption? We take a closer look at the notion of a trapdoor, in particular from the point of view of how it relates to semantically secure encryption schemes, and discover some curious things. Amongst these are that “trapdoor one-way functions” are not necessarily hard to build, and their relation to public key encryption is more subtle than it might seem.
1.1
Background
The main notions discussed and related in this paper are one-way functions [DiHe], trapdoor (one-way) functions [DiHe], semantically secure encryption schemes [GoMi], and unapproximable trapdoor predicates [GoMi]. Roughly, a “one-way function” means a family of functions where each particular function is easy to compute, but most are hard to invert; trapdoor functions are the same with the additional feature that associated to each particular function is some “trapdoor” information, possession of which permits easy inversion. (See Section 2 for formal definitions.) In the study of one-way functions, it is well appreciated that the functions need not be injective: careful distinctions are made between “(general) oneway functions”, “injective one-way functions,” or “one-way permutations.” In principle, the distinction applies equally well to trapdoor one-way functions. (In the non-injective case, knowledge of the trapdoor permits recovery of some preimage of any given range point [DiHe].) However, all attention in the literature has focused on injective trapdoor functions, perhaps out of the sense that this is what is necessary for constructing encryption schemes: the injectivity of the trapdoor function guarantees the unique decryptability of the encryption scheme. This paper investigates general (ie. not necessarily injective) trapdoor oneway functions and how they relate to other primitives. Our goal is to understand exactly what kinds of trapdoor one-way functions are necessary and sufficient for building semantically secure public key encryption schemes; in particular, is injectivity actually necessary? Among non-injective trapdoor functions, we make a further distinction based on “the amount of non-injectivity”, measured by pre-image size. A (trapdoor, one-way) function is said to have pre-image size Q(k) (where k is the security parameter) if the number of pre-images of any range point is at most Q(k). We show that pre-image size is a crucial parameter with regard to building publickey cryptosystems out of a trapdoor function. Rather than directly working with public-key cryptosystems, it will be more convenient to work with a more basic primitive called an unapproximable trapdoor predicate. Unapproximable trapdoor predicates are equivalent to semantically secure public key schemes for encrypting a single bit, and these in turn are equivalent to general semantically secure cryptosystems [GoMi].
Many-to-One Trapdoor Functions and Their Relation to Cryptosystems semantically secure public-key cryptosystems
285
Injective trapdoor functions Theorem 3
[Ya]
[GoMi] Unapproximable trapdoor predicates
Theorem 2
[ImLu] One-way functions
trivial
Trapdoor functions with poly-bounded pre-image size trivial
Theorem 1
Trapdoor functions with super-poly pre-image size
Fig. 1. Illustrating our results: Solid lines are standard implications; the dotted line is an implication in the random oracle model.
1.2
Results
We have three main results. They are displayed in Fig. 1 together with known relations. We now discuss them. One-way functions imply trapdoor functions. Our first result, given in Theorem 1, may seem surprising at first glance: we show that one-way functions imply trapdoor functions. We present a general construction which, given an arbitrary one-way function, yields a trapdoor (non-injective) one-way function. Put in other words, we show that trapdoor functions are not necessarily hard to build; it is the combination of trapdoorness with “structural” properties like injectivity that may be hard to achieve. Thus the “curtain” between one-way and trapdoor primitives is not quite as opaque as it may seem. What does this mean for public key cryptography? Impagliazzo and Rudich [ImRu] show that it would be very hard, or unlikely, to get a proof that one-way functions (even if injective) imply public key cryptosystems. Hence, our result shows that it is unlikely that any known technique can be used to construct public key encryption schemes from generic, non-injective, trapdoor functions. As one might guess given [ImRu], our construction does not preserve injectivity, so even if the starting one-way function is injective, the resulting trapdoor one-way function is not. Trapdoor functions with poly pre-image size yield cryptosystems. In light of the above, one might still imagine that injectivity of the trapdoor functions is required to obtain public key encryption. Still, we ask whether the injectivity condition can be relaxed somewhat. Specifically, the trapdoor one-way functions which we construct from one-way functions have super-polynomial pre-image size. This leads us to ask about trapdoor functions with polynomially bounded pre-image size.
286
Mihir Bellare et al.
Our second result, Theorem 2, shows that trapdoor functions with polynomially bounded pre-image size suffice to construct unapproximable trapdoor predicates, and hence yield public key cryptosystems. This belies the impression that injectivity of the trapdoor function is a necessary feature to directly build a public key cryptosystem from it, and also suggests that the super-polynomial pre-image size in the construction of Theorem 1 is necessary. From trapdoor predicates to trapdoor functions. We then turn to the other side of the coin and ask what kinds of trapdoor functions must necessarily exist to have a public key cryptosystem. Since unapproximable trapdoor predicates and semantically secure public key cryptosystems are equivalent [GoMi] we consider the question of whether unapproximable trapdoor predicates imply injective trapdoor functions. In fact whether or not semantically secure public key cryptosystems imply injective trapdoor functions is not only an open question, but seems a hard one. (In particular, a positive answer would imply injective trapdoor functions based on the Diffie-Hellman assumption, a long standing open problem.) In order to get some insight and possible approaches to it, we consider it in a random oracle model (cf. [ImRu,BeRo]). Theorem 3 says that here the answer is affirmative: given an arbitrary secure public key cryptosystem, we present a function that has access to an oracle H, and prove the function is injective, trapdoor, and one-way when H is random. The construction of Theorem 3 is quite simple, and the natural next question is whether the random oracle H can be replaced by some constructible cryptographic primitive. In the full version of the paper [BHSV], we show that this may be difficult, by showing that a cryptographically strong pseudorandom bit generator [BlMi,Ya], which seems like a natural choice for this construction, does not suffice. The next step may be to follow the approach initiated by Canetti [Ca]: find an appropriate cryptographic notion which, if satisfied by H, would suffice for the correctness of the construction, and then try to implement H via a small family of functions. However, one should keep in mind that replacement of a random oracle by a suitable constructible function is not always possible [CGH]. Thus, our last result should be interpreted with care. 1.3
Discussion and Implications
Theorems 1 and 2 indicate that pre-image size is a crucial parameter when considering the power of trapdoor functions, particularly with respect to constructing public-key cryptosystems. The significance and interpretation of Theorem 3, however, requires a bit more discussion. At first glance, it may seem that public key cryptosystems “obviously imply” injective trapdoor functions. After all, a public key cryptosystem permits unique decryptability; doesn’t this mean the encryption algorithm is injective? No, because, as per [GoMi], it is a probabilistic algorithm, and thus not a function. To make it a function, you must consider it a function of two arguments, the message and the coins, and then it may no longer be injective, because two
Many-to-One Trapdoor Functions and Their Relation to Cryptosystems
287
coin sequences could give rise to the same ciphertext for a given message. Moreover, it may no longer have a (full) trapdoor, since it may not be possible to recover the randomness from the ciphertext. (Public key cryptosystems in the Diffie and Hellman sense [DiHe] imply injective trapdoor one-way functions as the authors remark, but that’s because encryption there is deterministic. It is now understood that secure encryption must be probabilistic [GoMi].) Theorem 3 has several corollaries. (Caveat: All in the random oracle model). First, by applying a transformation of [BeRo], it follows that we can construct non-malleable and chosen-ciphertext secure encryption schemes based on the Ajtai-Dwork cryptosystem [AjDw]. Second, combining Theorems 3 and 2, the existence of trapdoor functions with polynomially bounded pre-image size implies the existence of injective trapdoor functions. (With high probability over the choice of oracle. See Remark 5.) Third, if the Decisional Diffie-Hellman problem is hard (this means the El Gamal [ElG] cryptosystem is semantically secure) then there exists an injective trapdoor function. Note that in the random oracle model, it is trivial to construct (almost) injective one-way functions: a random oracle mapping, say, n bits to 3n bits, is itself an injective one-way function except with probability 2−n over the choice of the oracle. However, random oracles do not directly or naturally give rise to trapdoors [ImRu]. Thus, it is interesting to note that our construction in Theorem 3 uses the oracle to “amplify” a trapdoor property: we convert the weak trapdoor property of a cryptosystem (in which one can only recover the message) to a strong one (in which one can recover both the message and the randomness used). Another interpretation of Theorem 3 is as a demonstration that there exists a model in which semantically secure encryption implies injective trapdoor functions, and hence it may be hard to prove a separation result, in the style of [ImRu], between injective trapdoor functions and probabilistic encryption schemes.
2
Definitions
We present definitions for one-way functions, trapdoor functions, and unapproximable trapdoor predicates. Preliminaries. If S is any probability distribution then x ← S denotes the operation of selecting an element uniformly at random according to S, and [S] is the support of S, namely the set of all points having non-zero probability under S. If S is a set we view it as imbued with the uniform distribution and write x ← S. If A is a probabilistic algorithm or function then A(x, y, · · · ; R) denotes the output of A on inputs x, y, . . . and coins R, while A(x, y, . . .) is the probability distribution assigning to each string the probability, over R, that it is output. For deterministic algorithms or functions A, we write z:=A(x, y, . . .) to mean that the output of A(x, y, . . .) is assigned to z. The notation Pr [ E : R1 ; R2 ; . . . ; Rk ] refers to the probability of event E after the random processes R1 , . . . , Rk are performed in order. If x and y are strings we write their concatenation as xky
288
Mihir Bellare et al.
or just xy. “Polynomial time” means time polynomial in the security parameter k, PPT stands for “probabilistic, polynomial time”, and “efficient” means computable in polynomial time or PPT. 2.1
One-Way and Trapdoor Function Families
We first define families of functions, then say what it means for them to be one-way or trapdoor. Families of Functions. A family of functions is a collection F = {Fk }k∈N where each Fk is probability distribution over a set of functions. Each f ∈ [Fk ] has an associated domain Dom(f ) and range Range(f ). We require three properties of the family: • Can generate: The operation f ← Fk can be efficiently implemented, meaning there is a PPT generation algorithm F -Gen that on input 1k outputs a “description” of a function f distributed according to Fk . This algorithm might also output some auxiliary information aux associated to this function (this is in order to later model trapdoors). • Can sample: Dom(f ) is efficiently samplable, meaning there is a PPT algorithm F -Smp that given f ∈ [Fk ] returns a uniformly distributed element of Dom(f ). • Can evaluate: f is efficiently computable, meaning there is a polynomial time evaluation algorithm F -Eval that given f ∈ Fk and x ∈ Dom(f ) returns f (x). For an element y ∈ Range(f ) we denote the set of pre-images of y under f by f −1 (y) = { x ∈ Dom(f ) : f (x) = y } . We say that F is injective if f is injective (ie. one-to-one) for every f ∈ [Fk ]. If in addition Dom(f ) = Range(f ) then we say that F is a family of permutations. We measure the amount of “non-injectivity” by looking at the maximum preimage size. Specifically we say that F has pre-image size bounded by Q(k) if |f −1 (y)| ≤ Q(k) for all f ∈ [Fk ], all y ∈ Range(f ) and all k ∈ N. We say that F has polynomially bounded pre-image size if there is a polynomial Q(k) which bounds the pre-image size of F . One-wayness. Let F be a family of functions as above. The inverting probability of an algorithm I(·, ·) with respect to F is a function of the security parameter def k, defined as InvProbF (I, k) = 0 Pr x ∈ f −1 (y) : f ← Fk ; x ← Dom(f ) ; y ← f (x) ; x0 ← I(f, y) . F is one-way if InvProbF (I, k) is negligible for any PPT algorithm I. Trapdoorness. A family of functions is said to be trapdoor if it is possible, while generating an instance f , to simultaneously generate as auxiliary output “trapdoor information” tp, knowledge of which permits inversion of f . Formally, a family of functions F is trapdoor if F -Gen outputs pairs (f, tp) where f is the “description” of a function as in any family of functions and tp is auxiliary
Many-to-One Trapdoor Functions and Their Relation to Cryptosystems
289
trapdoor information. We require that there exists a probabilistic polynomial time algorithm F -Inv such that for all k, all (f, tp) ∈ [F -Gen(1k )], and all points y ∈ Range(f ), the algorithm F -Inv(f, tp, y) outputs an element of f −1 (y) with probability 1. A family of trapdoor functions is said to be one-way if it is also a family of one-way functions. A good (candidate) example of a trapdoor, one-way function family which is non-injective is the Rabin family [Rab]: here each function in Fk is four to one. (Traditionally, this function is used as the basis of a public key cryptosystem by first modifying it to be injective.) Remark 1. It is well known that one can define one-way functions either in terms of function families (as above), or in terms of a single function, and the two are equivalent. However, for trapdoor functions, one must talk of families. To maintain consistency, we use the family view of one-way functions as well. 2.2
Trapdoor Predicate Families
We define unapproximable trapdoor predicate families [GoMi]. Recall that such a family is equivalent to a semantically secure public-key encryption scheme for a single bit [GoMi]. A predicate in our context means a probabilistic function with domain {0, 1}, meaning a predicate p takes a bit b and flips coins r to generate some output y = p(b; r). In a trapdoor predicate family P = {Pk }k∈N , each Pk is a probability distribution over a set of predicates, meaning each p ∈ [Pk ] is a predicate as above. We require: • Can generate: There is a generation algorithm P -Gen which on input 1k outputs (p, tp) where p is distributed randomly according to Pk and tp is trapdoor information associated to p. In particular the operation p ← Pk can be efficiently implemented. • Can evaluate: There is a PPT algorithm P -Eval that given p and b ∈ {0, 1} flips coins to output y distributed according to p(b). We say P has decryption error δ(k) if there is a PPT algorithm P -Inv who, with knowledge of the trapdoor, fails to decrypt only with this probability, namely def
DecErrP (P -Inv, k) =
Pr [ b0 6= b : p ← Pk ; b ← {0, 1} ; y ← p(b) ; b0 ← P -Inv(p, tp, y) ]
(1)
is at most δ(k). If we say nothing it is to be assumed that the decryption error is zero, but sometimes we want to discuss families with non-zero (and even large) decryption error. Unapproximability. Let P be a family of trapdoor predicates as above. The predicting advantage of an algorithm I(·, ·) with respect to P is a function of the def security parameter k, defined as PredAdvP (I, k) = 1 Pr [ b0 = b : p ← Pk ; b ← {0, 1} ; y ← p(b) ; b0 ← I(p, y) ] − . 2
290
Mihir Bellare et al.
We say that P is unapproximable if PredAdvP (I, k) is negligible for any PPT algorithm I.
3
From One-Way Functions to Trapdoor Functions
In this section we establish the following result: Theorem 1. Suppose there exists a family of one-way functions. Then there exists a family of trapdoor, one-way functions. This is proved by taking an arbitrary family F of one-way functions and “embedding” a trapdoor to get a family G of trapdoor functions. The rest of this section is devoted to the proof. 3.1
Proof Sketch of Theorem 1
Given a family F = {Fk }k∈N of one-way functions we show how to construct a family G = {Gk }k∈N of trapdoor one-way functions. Let us first sketch the idea. Given f ∈ Fk we want to construct g which “mimics” f but somehow embeds a trapdoor. The idea is that the trapdoor is a particular point α in the domain of f . Function g will usually just evaluate f , except if it detects that its input contains the trapdoor; in that case it will do something trivial, making g easy to invert given knowledge of the trapdoor. (This will not happen often in normal execution because it is unlikely that a randomly chosen input contains the trapdoor.) But how exactly can g “detect” the trapdoor? The first idea would be to include α in the description of g so that it can check whether its input contains the trapdoor, but then g would no longer be one-way. So instead the description of g will include β = f (α), an image of the trapdoor under the original function f , and g will run f on a candidate trapdoor to see whether the result matches β. (Note that we do not in fact necessarily detect the real trapdoor α; the trivial action is taken whenever some pre-image of β under f is detected. But that turns out to be OK.) In the actual construction, g has three inputs, y, x, v, where v plays the role of the “normal” input to f ; x plays the role of the candidate trapdoor; and y is the “trivial” answer returned in case the trapdoor is detected. We now formally specify the construction and sketch a prof that it is correct. A particular function g ∈ [Gk ] will be described by a pair (f, β) where f ∈ [Fk ] and β ∈ Range(f ). It is defined on inputs y, x, v by y if f (x) = β g(y, x, v) = (2) f (v) otherwise. Here x, v ∈ Dom(f ), and we draw y from some samplable superset Sf of Range(f ). (To be specific, we set Sf to the set of all strings of length at most p(k) where p(k) is a polynomial that bounds the lengths of all strings in Range(f ).) So the domain of g is Dom(g) = Sf × Dom(f ) × Dom(f ). We now give an intuitive explanation of why G is one-way and trapdoor. First note that for any z it is the case that (z, α, α) is a preimage of z under g,
Many-to-One Trapdoor Functions and Their Relation to Cryptosystems
291
so knowing α enables one to invert in a trivial manner, hence G is trapdoor. For one-wayness, notice that if g(y, x, v) = z then either f (v) = z or f (x) = β. Thus, producing an element of g −1 (z) requires inverting f at either z or β, both of which are hard by the one-wayness of F . A formal proof that G satisfies the definition of a family of one-way trapdoor functions can be found in the full version of this paper [BHSV]. Remark 2. One can verify that the trapdoor functions g produced in the above construction are regular (ie. the size of g −1 (y) is the same for all y ∈ Range(g)) if the original one-way functions f are regular. Thus, adding regularity as a requirement is not likely to suffice for making public-key cryptosystems.
4
From Trapdoor Functions to Cryptosystems
Theorem 1 coupled with [ImRu] says that it is unlikely that general trapdoor functions will yield semantically secure public-key cryptosystems. However, in our construction of Section 3.1 the resulting trapdoor function was “very noninjective” in the sense that the pre-image size was exponential in the security parameter. So, we next ask, what is the power of trapdoor function families with polynomially bounded pre-image size? We show a positive result: Theorem 2. If there exist trapdoor one-way function families with polynomially bounded pre-image size, then there exists a family of unapproximable trapdoor predicates with exponentially small decryption error. Theorem 2 extends the well-known result of [Ya,GoMi] that injective trapdoor functions yield semantically secure public-key cryptosystems, by showing that the injectivity requirement can be relaxed. Coupled with [ImRu] this also implies that it is unlikely that the analogue of Theorem 1 can be shown for trapdoor functions with polynomially bounded pre-image sizes. 4.1
Proof of Theorem 2
Let F = {Fk }k∈N be a family of trapdoor one-way functions with pre-image size bounded by a polynomial Q. The construction is in two steps. We first build an unapproximable family of trapdoor predicates P with decryption error 1/2 − 1/ poly(k), and then reduce the decryption error by repetition to get the family claimed in the theorem. The first step uses the Goldreich-Levin inner-product construction [GoLe]. This construction says that if f is a one-way function, one can securely encrypt a bit b via f (x), r, σ where σ = b ⊕ (x r) with r a random string, x ∈ Dom(f ), and denoting the inner-product mod 2. Now, if f is an injective trapdoor function, then with the trapdoor information, one can recover b from f (x), r, and σ by finding x and computing b = σ ⊕ (x r). If instead f has polynomial-size pre-images, the “correct” x will only be recovered with an inverse polynomial probability. However, we will show that the rest of the time, the success proba1 ) bias towards the right bility is exactly 50%. This gives a noticeable ( 12 + poly(k)
292
Mihir Bellare et al.
value of b. Now, this slight bias needs to be amplified, which is done by repeating the construction many times in parallel and having the decryptor take the majority of its guesses to the bit in the different coordinates. A full description and proof follow. We may assume wlog that there is a polynomial l(k) such that Range(f ) ⊆ {0, 1}l(k) for all f ∈ [Fk ] and all k ∈ N. We now describe how to use the Goldreich-Levin inner-product construction [GoLe] to build P = {Pk }k∈N . We associate to any f ∈ [Fk ] a predicate p defined as follows: Predicate p(b) x ← Dom(f ) r ← {0, 1}l(k) σ := b ⊕ (x r) Output (f (x), r, σ)
// // // //
Takes input a bit b Choose x at random from the domain of f Choose a random l(k)-bit string XOR b with the GL bit
Here ⊕ denotes XOR (ie. addition mod 2) and denotes the inner-product mod 2. The generator algorithm for P will choose (f, tp) ← F -Gen(1k ) and then output (p, tp) with p defined as above. Notice that p is computable in PPT if f is. The inversion algorithm P -Inv is given p, the trapdoor tp, and a triple (y, r, σ). It first runs the inversion algorithm F -Inv of F on inputs f, tp, y to obtain x0 , and then outputs the bit b0 = σ ⊕ (x0 r). It is clear that the inversion algorithm is not always successful, but in the next claim we prove that it is successful appreciably more often than random guessing. Claim. P is an unapproximable trapdoor predicate family, with decryption error at most (1/2) − 1/[2Q(k)]. Proof. We know that F is one-way. Thus, the inner product is a hardcore bit for F [GoLe]. This implies that P is unapproximable. It is left to show that the decryption error of P is as claimed, namely that DecErrP (P -Inv, k) (as defined in Equation (1)) is at most (1/2) − 1/[2Q(k)]. Fix f, tp, b, let x, r be chosen at random as by p(b), let y = f (x), let σ = b ⊕ (x r), let x0 ← F -Inv(f, tp, y), and let b0 = σ ⊕ (x0 r). Notice that if x0 = x then b0 = b, but if x0 6= x then the random choice of r guarantees that b0 = b with probability at most 1/2. (Because F -Inv, who generates x0 , gets no information about r.) The chance that x = x0 is at least 1/Q(k) (because F -Inv gets no information about x other than that f (x) = y) so 1 1 · DecErrP (P -Inv, k) ≤ 1 − Q(k) 2 as desired. t u def
Now, we can iterate the construction q(k) = Θ(kQ(k)2 ) times independently and decrypt via a majority vote to reduce the decryption error to e−k . In more detail, our final predicate family P q = {Pkq }k∈N is like this. An instance pq ∈ [Pkq ] is still described by a function f ∈ [Fk ] and defined as pq (b) = p(b)k · · · kp(b), meaning it consists of q(k) repetitions of the original algorithm p on independent
Many-to-One Trapdoor Functions and Their Relation to Cryptosystems
293
coins. The inversion algorithm P q -Inv is given the trapdoor tp and a sequence of triples (y1 , r1 , σ1 )k · · · k(yq(k) , rq(k) , σq(k) ) . For i = 1, . . . , q(k) it lets b0i = P -Inv(p, tp, (yi , ri , σi )). It outputs b0 which is 1 if the majority of the values b01 , . . . , b0q(k) are 1, and 0 otherwise. Chernoff bounds show that DecErrP q (P q -Inv, k) ≤ e−k . Furthermore standard “hybrid”arguments [GoMi,Ya] show that P q inherits the unapproximability of P . This concludes the proof of Theorem 2. Remark 3. Notice that Theorem 2 holds even if the family F only satisfies a very weak trapdoor property — namely, that F -Inv produces an element of f −1 (y) with probability at least 1/p(k) for some polynomial p. Essentially the same proof will show that P -Inv can guess b correctly with probability at least 1/2 + 1/[2Q(k)p(k)].
5
From Cryptosystems to Trapdoor Functions
In this section we investigate the relation between semantically secure public key cryptosystems and injective trapdoor functions. It is known that the existence of unapproximable trapdoor predicates is equivalent to the existence of semantically secure public-key encryption [GoMi]. It is also known that injective trapdoor one-way functions can be used to construct unapproximable trapdoor predicates [Ya] (see also [GoLe]). In this section, we ask whether the converse is true: Question 1. Can unapproximable trapdoor predicates be used to construct injective trapdoor one-way functions? Note the importance of the injectiveness condition in Question 1. We already know that non-injective trapdoor functions can be constructed from trapdoor predicates (whether the latter are injective or not) because trapdoor predicates imply one-way functions [ImLu] which in turn imply trapdoor functions by Theorem 1. We suggest a construction which requires an additional “random looking” function G and prove that the scheme is secure when G is implemented as a random oracle (to which the adversary also has access). Hence, IF it is possible to implement using one-way functions a function G with “sufficiently strong randomness properties” to maintain the security of this scheme, then Question 1 would have a positive answer (as one-way functions can be constructed from unapproximable trapdoor predicates [ImLu]). The key difference between trapdoor functions and trapdoor predicates is that predicates are probabilistic, in that their evaluation is a probabilistic process. Hence, our construction is essentially a de-randomization process. Suppose we have a family P of unapproximable trapdoor predicates, and we want to construct a family F of injective one-way trapdoor functions from P . A
294
Mihir Bellare et al.
first approach would be to take an instance p of P and construct an instance f of F as f (b1 b2 · · · bk kr1 k · · · krk ) = p(b1 ; r1 )k · · · kp(bk ; rk ), where k is the security parameter. Standard direct product arguments [Ya] imply that F constructed in this manner is one-way. However, F may fail to be trapdoor; the trapdoor information associated with p only allows one to recover b1 , . . . , bk , but not r1 , . . . , rk . Our approach to fixing this construction is to instead have r1 , . . . , rk determined by applying some “random-looking” function G to b1 , . . . , bk : where r1 k · · · krk = G(b1 · · · bk ). f (b1 b2 · · · bk ) = p(b1 ; r1 )k · · · kp(bk ; rk ), Since G must be length-increasing, an obvious choice for G is a pseudo-random generator. A somewhat circular intuitive argument can be made for the security of this construction: If one does not know b1 , . . . , bk , then r1 , . . . , rk “look random,” and if r1 , . . . , rk “look random,” then it should be hard to recover b1 , . . . , bk by the unapproximability of P . In the full version of the paper [BHSV], we show that this argument is in fact false, in that there is a choice of an unapproximable trapdoor predicate P and a pseudorandom generator G for which the resulting scheme is insecure. However, it is still possible that there are choices of functions G that make the above secure. Below we show that the scheme is secure when G is implemented as a truly random function, ie. a random oracle (to which the adversary also has access). Intuitively, having access to the oracle does not help the adversary recover b1 · · · bk for the following reason: the values of the oracle are irrelevant except at b1 · · · bk , as they are just random strings that have nothing to do with b1 · · · bk or f (b1 · · · bk ). The adversary’s behavior is independent of the value of the oracle at b1 · · · bk unless the adversary queries the oracle at b1 · · · bk . On the other hand, if the adversary queries the oracle at b1 · · · bk , it must already “know” b1 · · · bk . Specifically, if the adversary queries the oracle at b1 · · · bk with non-negligible probability then it can invert f with non-negligible probability without making the oracle call, by outputting the query. We now proceed with a more formal description of the random oracle model and our result. The random oracle model. In any cryptographic scheme which operates in the random oracle model, all parties are given (in addition to their usual resources) the ability to make oracle queries [BeRo]. It is postulated that all oracle queries, independent of the party which makes them, are answered by a single function, denoted O, which is uniformly selected among all possible functions (where the set of possible functions is determined by the security parameter). The definitions of families of functions and predicates are adapted to the random oracle model in a straightforward manner: We associate some fixed polynomial Q with each family of functions or predicates, such that on security parameter k all the algorithms in the above definitions are given oracle access to a function O : {0, 1}∗ → {0, 1}Q(k) . The probabilities in these definitions are then taken over the randomness of these algorithms and also over the choice of O uniformly at random among all such functions.
Many-to-One Trapdoor Functions and Their Relation to Cryptosystems
295
Theorem 3. If there exists a family of unapproximable trapdoor predicates, then there exists a family of injective trapdoor one-way functions in the random oracle model. Remark 4. Theorem 3 still holds even if the hypothesis is weakened to only require the existence of a family of unapproximable trapdoor predicates in the random oracle model. To see that this hypothesis is weaker, note that a family of unapproximable trapdoor predicates (in the standard, non-oracle model) remains unapproximable in the random oracle model, as the oracle only provides randomness which the adversary can generate on its own. See Sections 1.2 and 1.3 for a discussion of the interpretation of such a result. We now proceed to the proof. 5.1
Proof of Theorem 3
Let P = {Pk }k∈N be a family of unapproximable trapdoor predicates. Let q(k) be a polynomial upper bound on the number of random bits used by any p ∈ Pk . When used with security parameter k, we view the oracle as a function O : {0, 1}∗ → {0, 1}kq(k) . We define a family F = {Fk }k∈N of trapdoor functions in the random oracle model as follows: We associate to any p ∈ [Pk ] the function f defined on input b1 . . . bk ∈ {0, 1}k by f (b1 · · · bk ) = p(b1 ; r1 )k · · · kp(bk ; rk ), where r1 k · · · krk = O(b1 · · · bk ), ri ∈ {0, 1}q(k) . The generator F -Gen takes input 1k , runs (p, tp) ← P -Gen(1k ) and outputs (f, tp) where f is as defined above. It is clear that f can be evaluated in polynomial time using the evaluator P -Eval for p. Notice that f can be inverted given the trapdoor information. Given f, tp, and y1 k · · · kyk = f (b1 . . . bk ), inverter F -Inv computes bi = P -Inv(p, tp, yi ) for i = 1, . . . , k, and outputs b1 . . . bk . Furthermore, f is injective because P has zero decryption error: in this inversion process, P -Inv correctly returns bi , so we correctly recover the full input. It remains to show that F is one-way. Claim. F is one-way. We prove this claim by describing several probabilistic experiments, modifying the role of the oracle with each experiment. The first arises from the definition of a family of one-way functions in the random oracle model. Let A be any PPT, let k be any positive integer, and let q = q(k). Experiment 1. (1) Choose a random oracle O : {0, 1}∗ → {0, 1}kq(k) . (2) Choose p ← Pk
296
(3) (4) (5) (6)
Mihir Bellare et al.
Select b1 , . . . , bk uniformly and independently from {0, 1}. Let r1 k · · · krk = O(b1 · · · bk ), where |ri | = q(k) for each i. Let x = p(b1 ; r1 )k · · · kp(bk ; rk ). Compute z ← AO (1k , p, x).
We need to prove the following: Claim. For every PPT A, the probability that z = b1 · · · bk in Experiment 1 is a negligible function of k. To prove Claim 5.1, we first analyze what happens when the ri ’s are chosen independently of the oracle, as in the following experiment: Let A be any PPT, let k be any positive integer, and let q = q(k). Experiment 2. (1)–(3) As in Experiment 1. (4) Select r1 , . . . , rk uniformly and independently from {0, 1}q . (5)–(6) As in Experiment 1. Claim. For every PPT A, the probability that z = b1 · · · bk in Experiment 2 is a negligible function of k. Claim 5.1 follows from standard direct product arguments [Ya,GNW]. Specifically, Claim 5.1 is a special case of the uniform complexity version of the Concatenation Lemma in [GNW, Lemma 10]. Claim. For every PPT A, the probability that O is queried at point b1 · · · bk during the execution of AO (1k , p, x) in Step 6 of Experiment 2 is a negligible function of k. Proof. Suppose that the probability that O is queried at point b1 · · · bk was greater that 1/s(k) for infinitely many k, where s is a polynomial. Then we could obtain a PPT A0 that violates Claim 5.1 as follows. Let t(k) be a polynomial bound on the running time of A. A0 does the following on input (1k , p, x): (1) Select i uniformly from {1, . . . , t(k)}. (2) Simulate A on input (1k , p, x), with the following changes: (1) Replace the oracle responses with strings randomly selected on-line, with the condition that multiple queries at the same point give the same answer. (2) Halt the simulation at the i’th oracle query and let w be this query. (3) Output w. Then A0 , when used in Experiment 2, outputs b1 · · · bk with probability greater that 1/(s(k)t(k)) for infinitely many k, which contradicts Claim 5.1. t u In order to deduce Claim 5.1 from Claims 5.1 and 5.1, we give an equivalent reformulation of Experiment 1: Let A be any PPT, let k be any positive integer, and let q = q(k).
Many-to-One Trapdoor Functions and Their Relation to Cryptosystems
297
Experiment 3. (1)–(3) As in Experiment 1. (4) Select r1 , . . . , rk uniformly and independently from {0, 1}q . (5) Let x = p(b1 ; r1 )k · · · kp(bk ; rk ). (6) Modify O at location b1 · · · bk to have value r1 k · · · krk . (7) Compute z ← AO (1k , p, x). We now argue that Experiment 3 is equivalent to Experiment 1. In Experiment 1, r1 , . . . , rk are uniformly and independently distributed in {0, 1}q and after Step 5 of Experiment 1 the only information about the oracle that has been used is that r1 k · · · krk = O(b1 · · · bk ). Thus, the final distribution on all random variables are identical in the two experiments and it suffices to prove Claim 5.1 for Experiment 3 rather than Experiment 1. Proof. Let E be the event that z = b1 · · · bk in Experiment 3. Let F be the event that O is queried at point b1 · · · bk during the execution of AO (p, x) in Step 7 of Experiment 3. To show that E occurs with negligible probability, it suffices to argue that both F and E ∧ F occur with negligible probability. First we show that F occurs with negligible probability. Notice that whether or not AO queries O at b1 · · · bk in Experiment 3 will not change if Step 6 is removed. This is because its behavior cannot be affected by the change in O(b1 · · · bk ) until it has already queried that position of the oracle. If Step 6 is removed from Experiment 3, we obtain Experiment 2. Hence, the probability of F is negligible by Claim 5.1. Similarly, the probability that [z = b1 · · · bk and AO never queries the oracle at b1 · · · bk ] will not change if Step 6 is removed. Thus, the probability of E ∩ F is bounded above by the probability that z = b1 · · · bk in Experiment 2, which is negligible by Claim 5.1. t u Remark 5. If the family of unapproximable trapdoor predicates we start with has negligible decryption error, then the family of trapdoor functions we construct will in general also have negligible decryption error and may fail to be injective with some small probability. By first reducing the decryption error of the predicate family to exp(−Ω(k 3 )) as in the proof of Theorem 2 and then using the oracle to derandomize the inversion algorithm, one can produce an injective family that has zero decryption error with probability 1−2−k (where the probability is just taken over the choice of the oracle).
Acknowledgments The first author was supported by a 1996 Packard Foundation Fellowship in Science and Engineering, and by NSF CAREER Award CCR-9624439. The third and fourth authors were supported by DOD/NDSEG Graduate Fellowships and partially by DARPA grant DABT-96-C-0018.
298
Mihir Bellare et al.
The starting point of this research was a question posed to us by Shafi Goldwasser, namely whether trapdoor permutations could be built from the assumptions underlying the Ajtai-Dwork cryptosystem. Thanks to Oded Goldreich and the members of the Crypto 98 program committee for their comments on the paper.
References AjDw.
AMM.
BHSV.
BeRo.
Be. BlMi.
Ca.
CGH.
DiHe.
DDN.
ElG.
GoLe.
GoMi.
GNW.
M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case / average-case equivalence. Proceedings of the 29th Annual Symposium on the Theory of Computing, ACM, 1997. 287 Adleman, Manders and Miller. On taking roots in finite fields. Proceedings of the 18th Symposium on Foundations of Computer Science, IEEE, 1977. M. Bellare, S. Halevi, A. Sahai, and S. Vadhan. Many-to-one trapdoor functions and their relation to public-key cryptosystems. Full version of this paper, available via http://www-cse.ucsd.edu/users/mihir. M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. Proceedings of the First Annual Conference on Computer and Communications Security, ACM, 1993. 286, 287, 294 E. Berlekamp. Factoring polynomials over large finite fields. Mathematics of Computation, Vol. 24, 1970, pp. 713–735. M. Blum and S. Micali. How to generate cryptographically strong sequences of pseudo-random bits, SIAM Journal on Computing, Vol. 13, No. 4, 850-864, November 1984. 286 R. Canetti. Towards realizing random oracles: Hash functions that hide all partial information. Advances in Cryptology – Crypto 97 Proceedings, Lecture Notes in Computer Science Vol. 1294, B. Kaliski ed., Springer-Verlag, 1997. 286 R. Canetti, O. Goldreich and S. Halevi. The random oracle model, revisited. Proceedings of the 30th Annual Symposium on the Theory of Computing, ACM, 1998. 286 W. Diffie and M. Hellman. New directions in cryptography. IEEE Trans. Info. Theory, Vol. IT-22, No. 6, November 1976, pp. 644–654. 284, 284, 284, 287 D. Dolev, C. Dwork, and M. Naor. Non-Malleable Cryptography. Proceedings of the 23rd Annual Symposium on the Theory of Computing, ACM, 1991. T. El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory, Vol. 31, 1985, pp. 469–472. 287 O. Goldreich and L. Levin. A hard predicate for all one-way functions. Proceedings of the 21st Annual Symposium on the Theory of Computing, ACM, 1989. 291, 292, 292, 293 S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System Sciences, Vol. 28, April 1984, pp. 270–299. 284, 284, 284, 284, 286, 286, 287, 289, 289, 291, 293, 293 O. Goldreich, N. Nisan, and A. Wigderson. On Yao’s XOR Lemma. Electronic Colloquium on Computational Complexity, TR95-050. March 1995. http://www.eccc.uni-trier.de/eccc/ 296, 296
Many-to-One Trapdoor Functions and Their Relation to Cryptosystems HILL.
ImLu.
ImRu.
NaYu.
Rab. Ya.
299
J. H˚ astad, R. Impagliazzo, L. Levin and M. Luby. Construction of a pseudo-random generator from any one-way function. Manuscript. Earlier versions in STOC 89 and STOC 90. R. Impagliazzo and M. Luby. One-way Functions are Essential for Complexity-Based Cryptography. Proceedings of the 30th Symposium on Foundations of Computer Science, IEEE, 1989. 293, 293 R. Impagliazzo and S. Rudich. Limits on the provable consequences of one-way permutations. Proceedings of the 21st Annual Symposium on the Theory of Computing, ACM, 1989. 285, 285, 286, 287, 287, 291, 291 M. Naor and M. Yung. Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks. Proceedings of the 22nd Annual Symposium on the Theory of Computing, ACM, 1990. M. Rabin. Digitalized Signatures and Public Key Functions as Intractable as Factoring. MIT/LCS/TR-212, 1979. 289 A. Yao. Theory and applications of trapdoor functions. Proceedings of the 23rd Symposium on Foundations of Computer Science, IEEE, 1982. 284, 286, 291, 293, 293, 294, 296
Authentication, Enhanced Security and Error Correcting Codes Extended Abstract Yonatan Aumann1 and Michael O. Rabin2 1
2
Department of Mathematics and Computer Science, Bar Ilan University, Ramat-Gan, Israel, [email protected] DEAS, Harvard University, Cambridge, MA, and Institute of Computer Science, The Hebrew University, Jerusalem, Israel, [email protected]
Abstract. In electronic communications and in access to systems, the issue of authentication of the Sender S of a message M , as well as of the message itself, is of paramount importance. Recently S. Goldwasser has raised the additional issue of Deniable Authentication where the sender S authenticates the message M to the Receiver’s (R) satisfaction, but can later deny his authorship of M even to an Inquisitor INQ who has listened to the exchange between S and R and who gains access to all of the the secret information used by S and R. We present two practical schemes for Deniable Authentication of messages M of arbitrary length n. In both schemes the Receiver R is assured with probability greater than 1 − 2−k , where k is a chosen security parameter, that M originated with the Sender S. Deniability is absolute in the information theoretic sense. The first scheme requires 2.4kn XOR operations on bits and one public key encoding and decoding of a short message. The second scheme requires the same number of XOR operations and k multiplications mod N , where N is some fixed product of two large primes. A key new feature of our method is the use of a Shannon-style error correction code. Traditional authentication for a long message M starts by hashing M down to a standard word-size. We expand M through error correction. The first Deniable Authentication method is provably valid for any encryption scheme with minimal security properties, i.e. this method is generic. The second Deniable Authentication method is provably valid under the usual assumption that factorization is intractable.
Background and New Results The question of authentication of transmitted messages is of paramount importance. When a Sender S communicates with a receiver R and sends him a message M , it does not suffice for R to authenticate (identify) S in order to know that M has actually originated with S. An Adversary AD can actively tap the line between S and R, and after R has authenticated the sender S, AD can ¯ to R. block the Sender’s transmission and inject his own message M H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 299–303, 1998. c Springer-Verlag Berlin Heidelberg 1998
300
Yonatan Aumann and Michael O. Rabin
There is also an obvious need for Deniable Authentication (DA). In electronic voting schemes DA is a tool for providing freedom from coercion. In negotiations over the Internet it may be desirable for S to be able to make price offers M to R in a manner that prevents R from showing the offer to another party in order to elicit a better offer. Namely, R cannot prove to the third party that S has made the offer contained in M . It should be noticed that the manner in which the Internet and Electronic Commerce are evolving, call for the widespread use of public-key signatures and for public-key based schemes for establishing shared secret keys. The usual approach to creating Message Authentication Code (MAC) assumes that S and R share a secret key K. The message M is hashed down to a fixed block size b by use of a hash function H(K, M ) which folds the key K into the hashing process. The Sender S then sends (M, H(K, M )) to R who verifies the tag H(K, M ). Alternatively, S digitally signs H(M ), where H is a known hash function, using a public key signature SgnS (H(M )), and R verifies SgnS (H(M )). There are a number of difficulties associated with this approach. To be efficient we need fast hash functions H and fast digital signatures. When it comes to the construction of MAC schemes that are provably secure (based on an assumption such as intractability of factoring), one has to use particularly compute intensive hash functions such as the beautiful scheme proposed in [8,3]. As to deniability of authorship of M , it is obvious that a scheme using digital signatures in a straightforward manner has in consequence also strict undeniability, which is the purpose of digital signatures. As mentioned in the abstract, our schemes are highly efficient, are provably secure, and provide information theoretic deniability. We shall outline our solutions after discussing previous work and background. Previous Work. Because of the significant practical importance of Message Authentication, there is a very extensive literature on MACs. This literature deals with theoretical as well as with practical issues of authentication. For long messages, hashing down to a short message is the first step. In the papers that aim at creating MACs for actual systems use, there is strong emphasis on rate, i.e. speed, of the hashing process. Let us mention here as representative important examples the papers by Wegman and Carter [14], Bellare, Canetti and Krawczyk [1], Halevi and Krawczyk [9], and Krawczyk [10]. The papers, as well as for example Schneier’s book [12], contain a wealth of references to the literature on authentication. The present practical MACs do not require interaction. The message M , with some authenticating tag, is sent by the Sender to the Receiver who verifies the tag. The Deniable Authentication schemes presented here do require, after transmission of the message, a small number of additional message rounds. The additional messages are of size at most O(k log n), where M is the the length of the message to be authenticated, and k is the security parameter. On the other hand, these schemes do not require pre-shared secret keys for S and R. In this setting interaction seems to be necessary for Deniable Authentication. We feel that the cost of interaction is not onerous.
Authentication, Enhanced Security and Error Correcting Codes
301
Canetti et. al. [2] solve a problem closely related to the Deniable Authentication problem, namely the problem of deniable encryption, in a model where the Inquisitor INQ listens to the transmission between S and and R. In their model the Sender is identified in the sense that the eavesdropper knows that he is listening to a conversation between S and R. The only issue for him is to be able to prove what the contents of that conversation was. The sender S sends an encrypted message E(M ) = C to R, where E is the a probabilistic encryption function. INQ, who knows C, can then go to S and/or R and interrogate them as to the value of M . [2] provide deniable encryption in the sense that S or R ¯ so that C = E(M ¯ ). If one assumes a secret can produce any other message M one-time pad of length |M | = n which is shared by R and S, then the problem is trivial. The challenging problem arises in a setting where only public keys and the corresponding private keys held by the participants are used. The [2] solution provides only polynomially secure deniability and the Inquisitor INQ is limited to polynomial computing power. If INQ can compel every participant in the protocol to reveal their private keys then deniability collapses. The protocol is compute intensive. In a new paper [4], Dwork et al address the deniable authentication of messages as an application of concurrent zero knowledge proofs. They require a timing constraint that they call an (α, β)-assumption on the response time of processes. Their solutions directly apply to messages M shorter than the public keys used and are compute intensive. New Results. Coming to our solutions, we assume a model in which the Sender S and the Receiver R are connected by an insecure link. The adversaries in the schemes we construct include an Impostor who tries to impersonate S and send ¯ appearing to originate from S. The Impostor can also be a to R a message M Person In the Middle (PIM), sitting on the link between S and R, intercepting the traffic between them and injecting messages of his own. In essence, the PIM can employ the Sender S as an oracle in his attempt to fool R. Thus general chosen message attacks should also be protected against. When discussing deniability of authentication, we assume that the communication between S and R is such that listening to the transmission does not identify S. For example, S may use a notebook computer and a modem at a public telephone. We allow an Inquisitor INQ who listens on the line to the exchange between S and R. INQ later comes to S and R and compels them to reveal all the secret data, such as encryption/signature keys, used in the protocol. Even so, INQ cannot prove that the message M was authored by S. It follows that the Receiver R himself cannot prove after the fact to a third party that M was authored by S. Also, the INQ cannot impersonate R to S and elicit from S an authenticated message M to R. This seems to be impossible if INQ has the capabilities of a Person In the Middle , but our schemes do have this property as well. The central tool in our schemes is the use of an error correction code C. Let us assume messages M comprising n bits. We assume that C(M ) = y1 , y2 , . . . , ym ¯ then the Hamming distance between C(M ) has the property that if M 6= M
302
Yonatan Aumann and Michael O. Rabin
¯ ) is greater than m/4, i.e. C(M ) and C(M ¯ ) differ at more than m/4 and C(M indices. For our purposes we choose a code C which is very efficient to encode. We never have a need to decode C(M ). Also, in our application S and R need to compute only a fixed number 2.4k of (randomly chosen) bits of C(M ). For our first Deniable Authentication scheme we assume a public key encryption function ES for S (who, of course, possesses the corresponding secret decryption function DS ). The Sender S sends M to R. They then create a random sequence Y = i1 , . . . , ik of k different indices between 1 and m. The bits of C(M ) at these indexes are computed by S and by R. Sender S then deniably authenticates these bits as well as Y to R. Thus Deniable Authentication of the long message M is reduced to Deniable Authentication of a short message. For our second Deniable Authentication scheme we assume a publicly available Directory containing certain public keys for each potential Sender. The sender S wants to transmit messages M = x1 x2 . . . xn , where each xi is a bit. We again employ the error correction code C which codes M into C(M ) = y1 y2 . . . ym , where m = cn (say m = 5n) and the Hamming distance between any two code words Y1 and Y2 is αm. With m = 5n we ensure α > 1/4. The code C is publicly known and is used by every Sender. The public Directory contains C and a number N = p · q chosen as a product of two large primes, and where the factorization of N is not known to R (and possibly not to S either). Every potential sender S randomly chooses ∗ a0 , a1 , g0 , . . . , gm in ZN , computes their squares mod N , and publishes those squares A0 , A1 , G0 , ·, Gm , in the Directory. In the full paper we give a version of our protocol that allows to reduce the size of each Sender’s Directory entry from m + 2 to log2 m + 2. The Sender S sends M to R. To authenticate M as having originated with S, the Receiver R randomly chooses L = d · k (where d > 1 depends only on c, i.e. on the code C; for c = 5 we have d = 2.4) indices i1 , . . . , iL between 1 and m (the size of the error correcting coded message C(M ) = y1 y2 . . . ym ). He then computes yi1 , . . . , yiL . For the code C that we use, each such computation of a yij requires just n XOR operations on bits regardless of c. The Receiver R then conducts an L-round interaction with S. Roughly speaking, in round j the Receiver R verifies that yij is the ij -th bit in the code word of a message that S has actually sent him. The precise details and the proof of authentication are given in the full paper. Each round requires four multiplications mod N by the sender and by the receiver. If we want a more compact Directory with just log2 m+2 words for each Sender, then the above 4 is replaced by log2 m + 3. However, precomputation by the Sender and by the Receiver (in case R will receive many authenticated messages from S), will again reduce the number of multiplications to 4. Note that the total number of multiplications 2.4 · 4k = 9.6k for each participant, and is independent of the message length n. After this interaction, R knows, with probability of being cheated smaller than 2−k that M has originated with S. This is provable on the assumption that factorization of N is intractable.
Authentication, Enhanced Security and Error Correcting Codes
303
We then prove that, provided that S does not conduct more than a fixed number of message-authentications simultaneously, our message authentication is deniable in the strong information-theoretic sense explained in the Abstract. Under any reasonable timing restrictions on concurrency, such as those in [4], we directly achieve deniability in the unbounded concurrency setting. The intractability of extracting square roots mod N based on the intractability of factoring N , which lies at the heart of our authentication scheme, was first introduced and used in [11]. Square roots mod N are used for user authentication and for digital signatures in [6] and in [5]. Zero Knowledge Proofs of languages involving squares mod N and of knowledge of square roots mod N are discussed in [7] and in [13].
References 1. M. Bellare, R. Canetti, and H. Krawczyk. Keying hash functions for message authentication. In Proceedings of Crypto 96, 1996. 300 2. R. Canetti, C. Dwork, M. Naor, and R. Ostrovsky. Deniable encryption. In Proceedings of Crypto 97, 1997. 301, 301, 301 3. I. Damgard. Collision free hash functions. In Eurocrypt ’87, pages 203–216, 1987. 300 4. C. Dwork, M. Naor, and A. Sahari. Concurrent zero knowledge. In Proceedings of the 30th STOC, 1998. 301, 303 5. U. Feige, A. Fiat, and A. Shamir. Zero knowledge proofs of identity. In Proceedings of the 19th STOC, 1987. 303 6. A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problem. In Proceedings of Crypto ’86, pages 186–194, 1997. 303 7. S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18:186–208, 1989. 303 8. S. Goldwasser, S. Micali, and R. Rivest. A secure digital signature scheme. SIAM Journal on Computing, 17(2):281–308, 1988. 300 9. S. Halevi and H. Krawczyk. Mmh: Message authentication in software in the gbit/second rates. In Proceedings of the 4th Workshop on Fast Software Encryption, 1997. 300 10. H. Krawczyk. Lfsr-based hashing and authentication. In Proceedings of Crypto ’94, pages 129–139, 1994. 300 11. M. O. Rabin. Digitized signatures and public key functions as intractible as factorization. MIT Laboratory for Computer Science Technical Report LCS/TR-212, MIT, 1979. 303 12. B. Schneier. Applied Cryptography : Protocols, Algorithms, and Source Code in C. John Wiley and Sons, 1995. 300 13. M. Tompa and H. Woll. Random self-reducibility and zero-knowledge interactive proofs of possession of information. In Proceedings 28th STOC, pages 472–482, 1987. 303 14. M.N. Wegman and J.L. Carter. New hash functions and their use in authentication and set equality. JCSS, 22:265–279, 1981. 300
An Efficient Discrete Log Pseudo Random Generator Sarvar Patel and Ganapathy S. Sundaram Bell Labs 67 Whippany Rd, Whippany, NJ 07981, USA {sarvar,ganeshs}@bell-labs.com
Abstract. The exponentiation function in a finite field of order p (a prime number) is believed to be a one-way function. It is well known that O(log log p) bits are simultaneously hard for this function. We consider a special case of this problem, the discrete logarithm with short exponents, which is also believed to be hard to compute. Under this intractibility assumption we show that discrete exponentiation modulo a prime p can hide n−ω(log n) bits (n = dlog pe and p = 2q+1, where q is also a prime). We prove simultaneous security by showing that any information about the n − ω(log n) bits can be used to discover the discrete log of g s mod p where s has ω(log n) bits. For all practical purposes, the size of s can be a constant c bits. This leads to a very efficient pseudo-random number generator which produces n − c bits per iteration. For example, when n = 1024 bits and c = 128 bits our pseudo-random number generator produces a little less than 900 bits per exponentiation.
1
Introduction
A function f is said to be one-way if it is easy to compute but hard to invert. With appropriate selection of parameters, the discrete exponentiation function over a finite field, g x mod p,is believed to be a one-way function (where g is a generator of the cyclic group of non zero elements in the finite field). The intractability of its inverse, the discrete logarithm problem, is the basis of various encryption, signature and key agreement schemes. Apart from finite fields, other finite groups have been considered in the context of discrete exponentiation. One such example is the group of points on an elliptic curve over a finite field. Koblitz and Miller (independently) [15], [17], considered the group law on an elliptic curve to define a public key encryption scheme suggesting that elliptic curve addition is also a one-way function. Another number theoretic problem that is considered to be hard is the problem of factoring integers. Examples of functions relying on factoring which are believed to be one-way are the RSA and Rabin functions. Closely related to factoring is the problem of deciding quadratic residuosity modulo a composite integer. A concept which is intimately connected to one-way functions is the notion of hard bits, which was first introduced by Blum & Micali. Informally, a hard bit B(.) for a one way function f (.) is a bit which is as hard to compute as it H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 304–317, 1998. c Springer-Verlag Berlin Heidelberg 1998
An Efficient Discrete Log Pseudo Random Generator
305
is to invert f . Blum and Micali showed that the most significant bit is a hard bit for the discrete logarithm problem over a finite field. To be precise, their notion of most significant bit corresponds to the Boolean predicate which is one if the index of the exponent is greater than p−1 2 and zero otherwise. They defined and proved this hard bit and successfully used it to show the importance of hard bits in secure pseudo-random bit generation. Soon after, the hard bits of RSA & Rabin functions were also discovered by Ben-Or etal [2] which led to a new secure pseudo-random bit generator. Blum, Blum and Shub [3] used the quadratic residue problem over a composite integer to design yet another secure pseudo-random bit generator. Their work was based on the security of the quadratic residue problem which was investigated by Goldwasser and Micali [8]. Later Goldreich and Levin [7] proved that all one-way functions have a hard bit. More generally they were able to show that for any one-way function a logarithmic number of one bit predicates are simultaneously hard. This led to the work of [9], where they proved how to use any one-way function to build secure pseudo-random bit generators. The use of pseudo-random bits in cryptography relates to one time pad style encryption and bit commitment schemes, to name a few. All the above generators based on one bit predicates suffer from the same problem, namely they are too slow. All of them output one bit per modular exponentiation. The concept of simultaneous hardness is the first step in speeding things up. Intuitively, the notion of simultaneous hardness applied to a group of bits associated to a one-way function f states that it is computationally as hard as the inverse of the one-way function to succeed in computing any information whatsoever about the given group of bits given only f (x). Using this notion one can extract collections of bits per operation and hence the speed up. Long and Wigderson [16] and Peralta [20] showed that log log p bits of the discrete log modulo a prime number p are simultaneously hard. On the other hand the works of Vazirani and Vazirani [24] and Alexi etal [1] address the notion of simultaneous hardness of RSA and Rabin bits. Later Kaliski [12] showed individual hardness of bits (in the Blum Micali sense) of the elliptic curve group addition problem using a novel oracle proof technique applicable to any finite Abelian group. His methods extend to show simultaneous hardness (stated but not proved in the paper) of log n bits where n is the order of the group. More recently, Hastad, Schrift and Shamir [10], have designed a much more efficient generator which produces n2 bits per iteration where n is the number of bits of the modulus. The one-way function they have considered is the discrete exponentiation function modulo a composite integer (to be precise a Blum integer). Once again the method of generation relies on the proof that n2 bits of every iteration are simultaneously hard. The use of a composite modulus allows them to relate individual and simultaneous hardness of bits to factoring the modulus. In all these works the common strings are the results of Yao contained in his seminal work [25] which laid the foundations to a complexity theoretic approach to cryptography which paved the way for a quantification of security in terms of known hard problems.
306
Sarvar Patel and Ganapathy S. Sundaram
In this paper we construct a very efficient cryptographic pseudo-random bit generator attached to modular exponentiation in a finite field of cardinality p (where p is a prime number of the form 2q + 1, and q is also prime). This assumption on the structure of the finite field holds for the entire paper. We show that n−ω(log n) bits of every iteration are simultaneously secure (where 2O(log n) is a polynomial value in n and O(log n) is the order of the number of bits needed to represent a polynomial in n. Note that 2ω(log n) is greater than any polynomial value in n and ω(log n) is the order of the number of bits needed to represent it.) Hence each iteration produces more bits than any other method discovered so far. In fact, the construction that we present here is maximal since if we extract more bits then only O(log n) would have to be guessed, which can be exhaustively searched in polynomial time (since 2O(log n) is polynomial in n). The novelty in this work is to relate the security of the random bit generation to the problem of solving the discrete logarithm with short exponents. The motivation for this technique is derived from the above mentioned work of [10] where although they are using a modular exponentiation function modulo a composite, the security of the system is related to factoring the underlying modulus. In a similar but not so obvious sense, we use exponentiation in a finite field for the generation but relate the security to the strength of the discrete log problem (over the same prime modulus) but with short exponents. The proofs are simple and rely on known techniques. In this paper an oracle for the i − th bit gives the value of i − th bit when the binary representation is used for the argument. This is a different representation of the i-th bit than that used by Blum-Micali and Long-Wigderson. The paper is organized as follows: In section 2 we discuss the discrete log problem and in particular the short exponent discrete log problem. Details of the oracles and hardness of bits are formalized in this section. In section 3 we show that the trailing n − ω(log n) bits are individually hard with respect to the discrete logarithm problem with short exponents. In section 4 we prove simultaneous hardness of the trailing n − ω(log n) bits. Once again this is with respect to the discrete log with short exponents problem. In section 5 we discuss the design of the pseudo-random generator and provide the proof of security and conclude in section 6. In the appendix, we discuss some extensions of this work to include other Abelian groups and possible ways to improve the efficiency of the pseudo random generator.
2
The Discrete Logarithm Problem
We first define the discrete logarithm problem. Let p be a prime and g a generator for Zp ∗ , the multiplicative cyclic group of nonzero elements in the finite field of order p. Then for 1 ≤ x ≤ p − 1 the function which maps x to g x mod p defines a permutation. Problem 1. The discrete logarithm problem is to find x given yZp ∗ such that g x mod p ≡ y.
An Efficient Discrete Log Pseudo Random Generator
307
Let n = dlog pe be the length of p in binary, then g x mod p is computable in Poly (n) time. However, there is no known deterministic or randomized algorithm which can compute the discrete logarithm in Poly (n) number of steps. The best algorithm to compute the discrete logarithm in a finite field of order p, is the index calculus method. Even this is infeasible if p is appropriately large (e.g. 1024 bits) since the complexity is subexponential and not polynomial in n. On the other hand for primes such that p − 1 consists of only small factors, there are very fast algorithms whose complexity is equal to the complexity of the discrete log in a field whose cardinality is equal to its largest prime factor. This algorithm is due to Pohlig and Hellman [21]. 2.1
Discrete Logarithm with Short Exponents
For efficiency purposes the exponent x is sometimes restricted to c bits (e.g. c = 128 or 160 bits) since this requires fewer multiplications. There are square root time algorithms to find x in 2c steps, due to Shanks [14] and Pollard [22]. Thus c should be at least 128 bits to provide 64 bits of security. By this we mean an attacker should perform at least 264 operations in order to crack the discrete logarithm using these algorithms. At the moment, there is no faster way to discover the discrete logarithm even with x so restricted. In particular, the complexity of index calculus algorithms is a function of the size of the entire group and does not depend on the size of the exponent. We will also restrict x, in particular, we will restrict it to be slightly greater than O(log n) bits, but not to save on multiplications. The size of the exponent will be denoted ω(log n), described in section 1. Hence, even with the square root attack one needs greater than 2O(log n) steps or greater than a polynomial in n number of steps. The hard problem we consider in this paper is the inverse of this special case of the discrete exponentiation function. In other words: Problem 2. Let s be an integer which is significantly smaller compared to p. The DLSE problem is to find s given yZp ∗ such that g s mod p ≡ y. The DLSE problem has been studied by [19] in the context of the DiffieHellman key agreement scheme. The use of short exponents in the Diffie-Hellman protocol is to speed up the process of exponentiation. Typically the cost of computing g x is linearly related to the bit length of x, hence real-time computing costs have motivated the use of low order exponents. Care is necessary to ensure that such optimizations do not lead to security weaknesses. The above mentioned paper [19], presents a set of attacks and methods to rectify the situation. In particular their conclusions suggest the use of safe primes. Another example of the use of shorter exponents is in the generation of digital signatures. The digital signature standard (DSS) published by the NIST [6] is based on the discrete logarithm problem. It is a modification of the ElGamal signature scheme. The ElGamal scheme usually leads to a signature having 2n bits, where n is the number of bits of p (the modulus). For potential applications
308
Sarvar Patel and Ganapathy S. Sundaram
a shorter signature is desirable. DSS modifies the ElGamal scheme so that a 160-bit message is signed using a 320 bit signature but computations are all done modulo a 512 bit prime. The methodology involves the restrictions of all computations to a subgroup of size 2160 . The assumed security of the scheme is based on two different but very related problems. First of these is the discrete log in the entire group which uses a 512 bit modulus, where the index calculus algorithm applies. The second is the discrete log problem in the subgroup of the cyclic group of nonzero elements in the finite field. Here Shanks’square root algorithm reduces the complexity to O(280 ) since the exponent is only 160-bits. Although the DLSE and the subgroup discrete log problems are not equivalent, the square root time attacks apply to both problems. 2.2
Hardness of Bits
As indicated in the introduction, the notion of hard bits is intimately connected to that of a one-way function. In this paper we define a mild generalization of hard bits. Definition 3. Let f (x) and f 0 (s) be one-way functions. Let B :→ {0, 1} be a Boolean predicate. Given f (x) for some x, the predicate B(x) is said to be f 0 -hard if computing B(x) is as hard as inverting f 0 (s), i.e. discovering s. When f and f 0 are the same as are x and s, then we have the usual definition of hard bits. For example, discovering the Blum-Micali bit is as hard as computing the discrete logarithm. But in this paper we allow f and f 0 to be different. An example of this phenomenon, is discrete exponentiation modulo a composite modulus. Here the discrete logarithm in the ring of integers modulo a composite is a hard function, and so is factoring. So f (x) = g x mod m and f 0 (s) = f 0 (s = p, q) = m. Clearly, there are boolean predicates B(x) which are f -hard but there may be other predicates which are f 0 -hard, but not f -hard. That is computing B(x) is as hard as factoring the modulus m, but may be not as hard as the discrete log modulo a composite [10]. In this paper we consider a similar situation. We consider the one-way function of discrete exponentiation, but we prove that the n− ω(log n) bits of the exponent are DLSE-simultaneously hard. That is for us f (x) = g x mod p and f 0 (s) = g s mod p where s is a short exponent. The best previous result showed simultaneous hardness of n2 of the bits [10], but our result shows simultaneous hardness for almost all the n bits. Our results are maximal. In other words, in a pseudo-random generator, if in any iteration we hide only O(log n) or fewer bits, then any attacker can compute the seed of the generator by making a polynomial number of guesses. Hence one cannot further improve on these results regarding number of bits produced per iteration. 2.3
Binary Representation
The number x can be represented in binary as bn · 2n−1 + bn−1 · 2n−2 + . . . + b2 · 21 + b1 ·20 where bi is either 0 or 1. The i − th bit problem is to discover the value
An Efficient Discrete Log Pseudo Random Generator
309
of bi of x. The i − th bit is hard if computing it is as difficult as computing the inverse of f 0 (s). If we had an perfect oracle, Oi (g, p, y), which outputs the value of bi then the bit is hard if there is a Poly(n) time algorithm which makes Poly(n) queries to the oracle Oi (g, p, ·) and computes the entire value of s. We know the least significant bit is not hard because there is a Poly (n) time algorithm to compute it, namely by computing the Legendre symbol. An imperfect oracle, O (p, g, ·), is usually defined as an oracle which outputs 1 the correct bit value with probability greater than 12 + P oly(n) . Some of the most significant bits of x, in fact O(log n) most significant bits, can be biased, but as we shall see later they do not affect us. 2.4
Blum-Micali Representation
In this paper, we will use the binary representation when we discuss the security of the i-th bit, however, we want to mention another interpretation of the ith bit. Blum-Micali introduced a particular bit predicate, B(x) and showed its p−1 hardness. B(x) is 0 if 1 ≤ x ≤ p−1 2 and B(x) is 1 if 2 < x ≤ p − 1. This is sometimes referred to as the most significant bit of x and it is clearly different from the most significant bit of x under the binary representation. Others [16] have extended the definitions to define the k most significant bits. Often the Blum-Micali representation is used to refer to the most significant bits, while the binary representation is used for the least significant bits. In this paper we will use the binary representation when referring to the ith bit, unless specified otherwise.
3
Individual Hardness of Bits
In this section, we discuss the security of the trailing n − ω(log n) bits, where ω(log n) is as defined earlier. To be precise we show that except the least significant bit, all the n − ω(log n) lower bits are individually hard with respect to the DLSE problem. Based on definition 3, this amounts to proving the bits of the discrete logarithm are DLSE-hard. The proof techniques we employ are variations of techniques from [4] and [20]. Let Oi (g, y, p) be a perfect oracle which gives the ith bit (for any i ∈ [2, n − ω(log n)]. Note that i increases from right to left and i = 1 for the least significant bit. Given this oracle we show that in polynomial number of steps we can compute the short exponent discrete logarithm. In addition, we prove hardness of individual bits by showing that given an imperfect oracle Oi (g, y, p) with advantage to predict the ith bit (for any i in the prescribed range), we can turn this into an algorithm to compute the discrete logarithm of a short exponent in probabilistic polynomial time by making a polynomial number of queries to this oracle. For the rest of the paper we will refer to lower k bits to mean lower k bits excluding the least significant bit, for any k. Theorem 4. The lower n − ω(log n) bits are individually DLSE-hard.
310
Sarvar Patel and Ganapathy S. Sundaram
Proof: According to definition 3, it is enough to show that given Oi (g, y, p) (where g is a generator of the group in question) we can compute log y for all y such that s = log y is a short exponent. In this paper we assume that p − 1 = 2q, where q is an odd integer. (a) Perfect Oracles - Oi (g, y, p). We are given g s and g and we know in advance that s is small (consisting of ω(log n) bits). Now, computing the least significant bit is always easy, via the Legendre symbol. Hence we compute it and set it to zero. Let i = 2 and suppose we have an oracle for the 2nd bit. If this is a perfect oracle then we discover the second bit. Once this is known then we set it to zero and we will continue to refer to the new number as g s . Next we p−1 s s compute the square roots of g s . The roots are g 2 and g 2 + 2 where we refer to the former as the principal square root. Since the two least significant bits of g s are zero, we know that the principal square root has LSB equal to zero (or equivalently Legendre symbol one). This allows us to identify the principal square root. Now run the oracle on the principal square root and compute the second least significant bit. This bit is really the third least significant bit of s. Once again, set this bit to zero and repeat the process. Clearly, in poly(n) steps we would have computed s one bit at a time from right to left, given an oracle for the second bit. Now, in general when we are given the oracle for the ith bit (i > 2) we square s g i − 2 times. Then the 2nd LSB of s is at the ith position, and we run the oracle to compute this bit; we zero this bit and once again compute square roots. The principal square root corresponds to the root with LSB equal to zero. Now the (i + 1)th bit of s can be computed by running the oracle on the principal square root. Continue this process and in c steps where c = log s, we would know s. (b) Imperfect Oracles - Oi (g, y, p). Suppose we have an imperfect oracle which succeeds in finding the ith bit in only more than fifty percent of the x ∈ Zp∗ . Then we can concentrate the stochastic advantage and turn this oracle into an oracle which answers any specific instance correctly with arbitrarily high probability. We divide the proof into two parts (i) The lower 2 ≤ i < n − ω(log n) − O(log n) bits are individually hard. (ii) The middle n−ω(log n)−O(log n) ≤ i ≤ n−ω(log n) bits are individually hard. (i) Let i = 2 and suppose we have an imperfect oracle for the 2nd bit whose advantage is , i.e., the oracle can give the correct answer on more than fifty percent of the possible inputs (and we do not know which ones). Then let {rj } be a sequence of polynomial number of random numbers between 1 and p − 1. We run the oracle on g s+rj , where the LSB of s is zero. Via the weak law of large numbers [4], a simple counting of the majority of 10 s and 00 s of the oracle output (after neutralizing the effect of the random number) for the second LSB yields this bit with high probability. Now compute the square roots and pick the principal square root as earlier. Once again repeat the process with a fresh set of random numbers to discover the next bit. In c = log s steps we recover a candidate and verify that g candidate = g s mod p. If they are not equal then the
An Efficient Discrete Log Pseudo Random Generator
311
whole process is repeated. Clearly in poly(n) steps we would have discovered s one bit at a time from right to left. The details of the proofs are omitted, and we refer to [4] or [20] for further details. The only aspect that needs additional mention is the fact, when we randomize it is possible that for some rj when we add them to the exponent we may exceed p − 1. We refer to this as cycling. Assuming that we pick our random numbers uniformly, then we argue that the probability of this cycling is negligible because most of the leading bits of g s are zero. Suppose i > 2. Then we square g s i − 1 times, and repeat the above process and conclude that any oracle which has an advantage will lead to a polynomial time algorithm to compute s. The probability of cycling is still negligible for 2 ≤ i < n − ω(log n) − O(log n) because even in the extreme case when i = 1 n − ω(log n) − O(log n) the chance of cycling is 2ω(log n) or less than one over any polynomial. (ii) The proof of this step is also similar to the second part of the proof of (i) except that one has to set the initial t bits of s to zero by guessing, before we start the randomizing process. Even when i = n − ω(log n) and s has been shifted so that the 2nd least significant bit is in the ith position, the probability 1 for any Polynomial in n. Here t is up to of cycling can be bounded by P oly(n) O(log n) number of bits and hence the probability of cycling is bounded above 1 and hence we need to increase the number of queries by a certain by P oly(n) amount corresponding to the drop in advantage due to cycling. Once again the details are omitted for brevity (see [4]) and will be included in an expanded version of this paper.
4
Discrete Logarithm Hides Almost n Bits
In this section we prove the simultaneous hardness of n − ω(log n) lower bits of the index in modular exponentiation. Intuitively, given a generator g of a finite field of order p, and g x for some x then we show that gaining any information about the trailing n − ω(log n) bits is hard. Here hardness is with respect to the DLSE problem. In other words, for any prime p given a random generator g and a random element g x of the finite field, any information on the relevant bits of x can be converted into an poly(n) algorithm to solve the DLSE problem. Now, the phrase gaining any information is rather vague, and this is clarified by the concept of simultaneous security which is defined below for any generic one-way function. Definition 5. Let f be a one-way function. A collection of k bits, B k (x) is said to be simultaneously secure for f if B k (x) is easy to compute given x and for every Boolean predicate B an oracle which computes B(B k (x)) correctly with probability greater than 12 given only f (x) can be used to invert f in Poly(n) time. In this paper we will be employing a modified notion of simultaneous security relative to a possibly different one-way function.
312
Sarvar Patel and Ganapathy S. Sundaram
Definition 6. Let f and f 0 be one-way functions. A k-bit predicate B k is said to be f 0 -simultaneously hard if given f (x), for every non-trivial Boolean predicate B on k bits, an oracle which outputs B(B k (x)) can be used to invert f 0 in polynomial time. If B k is a f 0 hard predicate then we say the bits of B k (x) are f 0 -simultaneously hard. The above definition, although precise, is not easy to apply when understanding simultaneous security. A more working definition is provided in definition 7, phrased in the language of the discrete logarithm problem over a prime modulus. Definition 7. The bits of the exponentiation function g x mod p at location j ≤ i ≤ k are DLSE-simultaneously hard if the [j, k] bits of the discrete logarithm of g x mod p are polynomially indistinguishable from a randomly selected [j, k] bit string for random chosen (g, p, g x mod p). In addition any polynomial distinguishability will lead to an oracle which solves the DLSE problem in polynomial time. Once again, proving polynomial indistinguishability of a group of bits as above is difficult. But the notion relative hardness helps alleviate this problem and in fact leads to a test of simultaneous security. Definition 8. The ith bit, j ≤ i ≤ k, of the function g x mod p is relatively hard to the right in the interval [j, k] if no polynomial time algorithm can, given a random admissible triplet (g, p, g x mod p) and in addition given the k − i bits of the discrete logarithm of g x to its right, computes the ith bit of the discrete loga1 for any polynomial rithm of g x with probability of success greater than 12 + poly(n) poly(n) where n = log p. Based on this definition, we have a test for simultaneous security. The statement of this test is the following fact. Fact Definitions 7 and 8 are equivalent. The proof of this equivalence is implied by the well-known proof of the universality of the next bit test due to Yao [25]. Now, using this fact and the intractibility of the DLSE problem we show that the trailing n − ω(log n) bits are simultaneously hard. Theorem 9. The n− ω(log n) trailing bits of g x mod p are simultaneously hard, with respect to the DLSE problem. Proof: Based on the above fact, it is sufficient to show that every trailing bit of x (given g and g x ) is relatively hard to the right in the interval [2, n − ω(log n)]. Following the definitions and theorem above we know that, in order to show simultaneous security, we are allowed to use only a weak oracle: given g x , to predict the ith bit of x , all the i − 1 trailing bits of the unknown x should also be given to the oracle. Such a weak oracle may not work in general. Assume the theorem is false. Then, for some i ∈ [2, n − ω(log n)] there exists an oracle which when supplied with the trailing i − 1 bits of a generic x succeeds
An Efficient Discrete Log Pseudo Random Generator
313
1 in predicting the ith bit of x with advantage (where is poly(n) ). Now pick s an element S = g where s is a short exponent. We can shift s to the left by squaring S the appropriate number of times. Now all the bits to the right of the ith bit are zero. Since 0 ≤ i < n − ω(log n) we can shift s by i − 1 bits to the left without cycling. Recall, by cycling we mean the exponent exceeds p − 1 and hence its remainder modulo p − 1 replaces the exponent. Now the 2nd LSB of s rests on the ith bit and we can run the oracle repeatedly by multiplying by g r mod p where r is a random number between 0 and p − 1. In order to make sure that the probability of cycling is low we may have to set the t = O(log n) leading bits of s to zero which we can exhaustively guess and run the algorithm for each guess. Since we will continue to have an 0 ≥ − 1t advantage we can deduce the bit from the oracle in poly(n) time. We know the 2nd LSB of s in this manner. We set that bit to zero, and take the square root of the number. Of the two roots we should pick the one which is the quadratic residue because all the lower bits are zero to begin with and hence the square root should have a zero in the LSB. Now the next bit of s is in the ith position and we can run the oracle repeatedly to discover this bit and so on to recover all the bits of s. At the end of the algorithm we have a candidate and we can see if g candidate equals S. If it does then we stop or else repeat the algorithm with another guess for t bits or different random numbers r. Note the oracle is very weak unlike the case for the individual bit oracle. The oracle here will tell you the i th bit with advantage provided you also supply all the i − 1 bits to the right of i. However we are able to do this because all the bits to the right of the shifted s are known to be zero, since we started with a short exponent. Now we have shown that for every i such that 2 ≤ i < ω(log n) we can use this weak oracle to discover s thus we have shown the trailing bits to be simultaneously hard provided the function g s mod p with s of size ω(log n) is hard to invert.
5
Pseudo Random Bit Generator
In this section we provide the details of the new pseudo-random bit generator. In particular we extend the scheme used by Blum-Micali [4] to extract more bits. This is the same scheme that Long-Wigderson [16] used in their generator but their output consisted of log n bits per iteration. In our new scheme we produce n−ω(log n) bits per iteration. Recall from section 2 that the Blum-Micali scheme used a mildly different definition of “bits”. We use the same definition of bits as [10], but we do not encounter the difficulties they did in defining the generation scheme since our exponentiation induces a permutation on Zp ∗ . NEW GENERATOR Pick a seed x0 from Zp ∗ . Define xi+1 = g xi mod p. At the ith step (i > 0) output the lower n − ω(log n) bits of xi , except the least significant bit.
314
5.1
Sarvar Patel and Ganapathy S. Sundaram
Proof of Security
Suppose A is an -distinguisher of the l (l is poly in n) long output of our generator, then there is a (/l)-distinguisher for some output at the i th step. By appropriately running the generator then there is a (/l)-distinguisher for n − ω(log n) bits of s0 . According to our definitions in the previous section, due to Yao [25], we can use a distinguisher to create a weak oracle which will tell us the i-th bit of s provided we also give it the rightmost i − 1 bits of s. Now we note that we can use this to discover s given g s mod p where s has ω(log n) bits. We repeatedly invoke the ”weak oracle” by setting s0 = g s g r . Thus we can discover the i bit in poly(n) time. Using techniques shown in theorem 9 we can discover the entire s. So if the output sequence of our generator is -distinguishable then in poly(n) time we can discover s of our exponentiation function. Assuming it is intractable to invert the function g s mod p where s has ω(log n) bits (i.e., short exponent) then the output sequence of our generator is polynomially indistinguishable.
6
Conclusion
We have shown that the discrete logarithm mod a prime p hides n− ω(log n) bits by showing the simultaneous hardness of those bits. The hardness in this result is with respect to the discrete logarithm problem with short exponents, i.e., DLSE-simultaneously hard (as defined in section 2 of this paper). This allows us to extract n − ω(log n) bits at a time for pseudo-random generation and other applications. As an example for n of size 1024 bits and s of size 128 bits this allows us to extract almost 900 bits per exponentiation. Spoken informally, we note that the security of this example is 264 since it takes O(264 ) for the best known algorithm to crack a modular exponentiation with 128 bits. Also, if one desires more security at every step then we can decrease the number of bits extracted at every stage. This generator outputs the maximal number of bits from a single iteration. Extracting any more bits in any iteration leads to a prediction of bits - since we would then be hiding O(log n) or fewer bits and hence in polynomial number of guesses we would know the complete exponent in every iteration.
References 1. 2. 3. 4.
W. Alexi, B. Chor, O. Goldreich and C. P. Schnorr, RSA/Rabin bits are 1/2+1/poly(log N) secure, Proceedings of 25th FOCS, 449–457, 1984. 305 M. Ben-Or, B. Chor, A. Shamir, On the cryptographic security of single RSA bits, Proceedings of 15th STOC, 421–430, 1983. 305 L. Blum, M. Blum, and M. Shub, A simple secure pseudo-random number generator, SIAM J. Computing, 15 No. 2:364–383, 1986. 305 M. Blum, and S. Micali, How to generate cryptographically strong sequences of pseudo random bits, SIAM J. Computing, 13 No. 4:850–864, 1984. 309, 310, 311, 311, 313
An Efficient Discrete Log Pseudo Random Generator 5. 6. 7. 8. 9.
10.
11. 12. 13. 14. 15. 16. 17. 18. 19.
20. 21.
22. 24. 25.
315
R. B. Boppana, and R. Hirschfeld, Pseudorrandom generators and complexity classes, Advances in Computing Research, 5 (S. Micali, Ed.), JAI Press, CT. U. S. Department of Commerce/ N. I. S. T, Digital Signature Standard, FIPS 186, May 1994. 307 O. Goldreich, and L. A. Levin, A hard-core predicate for all one way functions, Proceedings of 21st STOC, 25–32, 1989. 305 S. Goldwasser, and A. Micali, Probabilistic encryption, Journal of Computer and Systems Science, 28: 270-299, 1984. 305 J. Hastad, R. Impagliazzo, L. A. Levin, and M. Luby, Construction of pseudorandom generator from any one-way function, SIAM J. Computing, to appear. 305 J. Hastad, A. W. Schrift, and A. Shamir, The discrete logarithm modulo a composite modulus hides O(n) bits, Journal of Computer and System Sciences, 47: 376–404, 1993. 305, 306, 308, 308, 313, 316 R. Impagliazzo, L. A. Levin, and M. Luby, Pseudo-random generation from one-way functions, Proceddings of 20th STOC, 12–24, 1988. 316 B. S. Kaliski, A pseudo-random bit generator based on elliptic logarithms, Advances in Cryptology - CRYPTO ’86 (LNCS 263), 84–103, 1987. 305, 316 J. Kilian, S. Micali, and R. Ostrovsky, Minimum resource zero-knowledge proofs, Procedings of 30th FOCS, 474–489, 1989. D. E. Knuth, The Art of Computer Programming (vol 3): Sorting and Searching, Addison Wesley, 1973. 307 N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, 48:203–209, 1987. 304 D. L. Long, and A. Wigderson, The discrete log hides O(log n) bits, SIAM J. Computing, 17:363–372, 1988. 305, 309, 313 V. Miller, Elliptic curves and cryptography, Advances in Cryptology CRYPTO ’85 (LNCS 218), 417–426, 1986. 304 M. Naor, Bit commitment using pseudo-randomness, Advances in Cryptology - CRYPTO ’89 (LNCS 435), 128–136, 1989. P. van Oorschot, M. Wiener, On Diffie-Hellman key agreement with short exponents, Advances in Cryptology - EUROCRYPT ’96 (LNCS 1070), 332– 343, 1996. 307, 307 R. Peralta, Simultaneous security of bits in the discrete log, Advances in Cryptology - EUROCRYPT ’85 (LNCS 219), 62–72, 1986. 305, 309, 311 S. C. Pohlig, and M. E. Hellman, An improved algorithm for computing over GF (p) and its cryptographic significance, IEEE Trans. IT, 24: 106–110, 1978. 307 J. M. Pollard, Monte Carlo methods for index compution (mod p), Mathematics of Computation, 32, No. 143:918–924, 1978. 307 U. V. Vazirani, and V. V. Vazirani, Efficient and secure pseudo-random number generators, Proceedings of 25th FOCS, 458–463, 1984. 305 A. C. Yao, Theory and applications of trapdoor functions, Proceedings of 23rd FOCS, 80–91, 1982. 305, 312, 314
316
7
Sarvar Patel and Ganapathy S. Sundaram
Appendix
In this section we discuss some extensions of our results which will be addressed in the future. 7.1
Improving Efficiency of Computations
Let us focus on the mechanics of the generator. We start with a finite field, and a generator g of its multiplicative cyclic group. Let x0 be a secret seed. Then we define xi+1 = g xi iteratively. The output of the generator are the trailing n − ω(log n) bits of xi for all i > 0, where n = log p. Although the number of bits generated per iteration is large, each iteration involves a large exponent and this could impact on the speed of the generator. Instead, we could start with p, g, and x0 as earlier but at each stage we define xi+1 = g si where si = leading ω(log n) bits of xi . This will ensure that at each stage we are using short exponents and hence guarantee a significant speed up. This raises some interesting questions. Question 10. Will this speed impact the security of the generator? Note that when we restrict our exponents we no longer have a permutation. Hence the simple construction used here is inapplicable. A possible method of settling this problem is outlined in Hastad-etal in the context of discrete logarithms over composite moduli [10]. In particular, exploiting a certain hashing lemma proved in [11] they construct a perfect extender and the pseudo-random generation is achieved through repeated applications of the extender to a random seed. Question 11. Are there efficient extenders which guarantee the same level of security (as the DLSE) but yet perform short exponent exponentiation at each step? 7.2
Discrete Logarithms in Abelian Groups
Let G be a finite Abelian group. Let g ∈ G and let y = g x (where x is unknown and we are using the multiplicative notation to denote the group operation). The discrete logarithm problem in the subgroup generated by g asks for the value of x given g and y. In this context, Kaliksi [12] has shown that under the intractibility assumption of the discrete log in the subgroup generated by g the individual bits of x are hard. In this paper the Blum-Micali notion of bits is employed, and the proof of individual hardness is based on a novel and new oracle proof technique. The main idea being, the identification of bits is based on a correlation function which automatically accommodates cycling and changes in bits due to randomization. In addition, he completely avoids the computation of square roots which is central to several of the other works on individual bit security. This paper also
An Efficient Discrete Log Pseudo Random Generator
317
states that log n bits are simultaneously hard. Presumably, the techniques of Long-Wigderson once applied in the framework of generic Abelian groups yields this result. Now, we note that assuming the discrete logarithm problem with short exponents is also hard in the chosen Abelian group our results on simultaneous hardness of the trailing bits may be applicable. This result will be very useful when applied to the group of points on an elliptic curve over a finite field. 7.3
Discrete Logarithms in Small Subgroups
The security of the digital signature standard (DSS) is based on the intractability of the discrete logarithm in small subgroups (DLSS). This leads to a natural question: Question 12. Are there k-bit predicates attached to the input of the discrete exponentiation function that are simultaneously hard with respect to DLSS? In particular, is k = n − ω(log n)?
Fast RSA-Type Cryptosystem Modulo pk q Tsuyoshi Takagi NTT Software Laboratories 3-9-11, Midori-cho Musashino-shi, Tokyo 180-0012, Japan [email protected]
Abstract. We propose a cryptosystem modulo pk q based on the RSA cryptosystem. We choose an appropriate modulus pk q which resists two of the fastest factoring algorithms, namely the number field sieve and the elliptic curve method. We also apply the fast decryption algorithm modulo pk proposed in [22]. The decryption process of the proposed cryptosystems is faster than the RSA cryptosystem using Chinese remainder theorem, known as the Quisquater-Couvreur method [17]. For example, if we choose the 768-bit modulus p2 q for 256-bit primes p and q, then the decryption process of the proposed cryptosystem is about 3 times faster than that of RSA cryptosystem using Quisquater-Couvreur method. Keywords: RSA cryptosystem, Quisquater-Couvreur method, fast decryption, factoring algorithm
1
Introduction
The RSA cryptosystem is one of the most practical public key cryptosystems and is used throughout the world [19]. Let n be a public key, which is the product of two appropriate primes, e be an encryption key, and d be a decryption key. The algorithms of encryption and decryption consist of exponentiation to the eth and dth powers modulo n, respectively. We can make e small, but must consider low exponent attacks [3,4,6]. The encryption process takes less computation and is fast. On the other hand, the decryption key d must have more than one fourth the number of bits of the public key n to preclude Wiener’s attack [24] and its extension [23]. Therefore, the cost of the decryption process is dominant for the RSA cryptosystem. In this paper, we propose an RSA-type cryptosystem modulo n = pk q. Even though the modulus is not of the form pq, we choose appropriate sizes for the secret primes p and q to preclude both the number field sieve and the elliptic curve method. Using this modulus pk q, we construct a fast decryption public-key cryptosystem. In the key generation, we generate the public key e and secret key d using the relation ed ≡ 1 (mod L), where L = LCM(p−1, q−1). Note that L is not the same as φ(n) = pk−1 (p−1)(q−1) or even λ(n) = LCM(pk−1 (p−1), q−1). Thus, the secret exponent d becomes much smaller than n = pk q. Moreover, for decrypting Mp ≡ M (mod pk ) we show that it is possible to apply the fast decryption algorithm proposed in [22]. The running time for computing Mp is H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 318–326, 1998. c Springer-Verlag Berlin Heidelberg 1998
Fast RSA-Type Cryptosystem Modulo pk q
319
essentially equivalent to that for C d (mod p). Therefore, the decryption process is much faster than in the RSA cryptosystem using the Chinese remainder theorem [17]. The paper is organized as follows. In Section 2, we describe the algorithm of the proposed cryptosystem. We discuss the size of the secret primes which prevents the use of both the number field sieve and the elliptic curve method in Section 3. Then, we show the running time of the proposed cryptosystem in comparison with the RSA cryptosystem using the Quisquater-Couvreur method in Section 4. We explain the effectiveness of Wiener’s attack in Section 5. We show some properties of our cryptosystem related to some attacks in Section 6. Notation: Z is an integer ring. Zn is a residue ring Z/nZ and its complete residue class is {0, 1, 2, . . . , n − 1}. Z× n is a reduced residue group modulo n. LCM(m1 , m2 ) is the least common multiple of m1 and m2 . GCD(m1 , m2 ) is the greatest common divisor of m1 and m2 .
2
Proposed Public-Key Cryptosystem
In this section, we describe an RSA-type cryptosystem modulo pk q, and discuss the size of its secret keys and the running time. 2.1
Algorithm
1. Generation of the keys: Generate two random primes p, q, and let n = pk q. Compute L = LCM (p−1, q−1), and find e, d which satisfies ed ≡ 1 (mod L) and GCD(e, p) = 1. Then e, n are public keys, and d, p, q are the secret keys. 2. Encryption: Let M ∈ Z× n be the plaintext. We encrypt the plaintext by the equation: C ≡ Me
(mod n).
(1)
3. Decryption: We decrypt Mp ≡ M (mod pk ) and Mq ≡ M (mod q) using the secret key d, p, q. The plaintext M can be recovered by the Chinese remainder theorem. Here, Mq is computed by Mq ≡ C d (mod q) and Mp is computed by the fast algorithm described in [22]. 2.2
Details of the Decryption Algorithm
is pk−1 (p− 1). When Mp ≡ M (mod pk ) is recovered The order of the group Z× pk using the standard algorithm of RSA, we have to compute Mp ≡ C d (mod pk ) for d ≡ e−1 (mod LCM(pk−1 (p − 1), q − 1)). Then the running time is slower than that of the method using the Chinese remainder theorem for n = pq [17], so there are no significant advantages in using the modulus pk q. Instead, we apply the method described in [22], where the author presents a fast algorithm for computing RSA decryption modulo nk using n-adic expansion. Then, the
320
Tsuyoshi Takagi
running time for computing Mp becomes essentially equivalent to computing Mp ≡ C d (mod p) for d ≡ e−1 (mod LCM(p − 1, q − 1)). First, we modify the algorithm into a more efficient form. We denote the ciphertext reduced modulo pk by Cp . Then the relationship between the ciphertext Cp and the plaintext is Cp ≡ Mpe (mod pk ). Note that Mp the plaintext modulo pk , has the p-adic expansion such that Mp ≡ K0 + pK1 + p2 K2 + . . . + pk−1 Kk−1
(mod pk ).
(2)
Here, we define the function Fi (X0 , X1 , . . . , Xi ) as follows: Fi (X0 , X1 , . . . , Xi ) = (X0 + pX1 + . . . + pi Xi )e , where i = 0, 1, . . . , k − 1. Fk−1 (X0 + pX1 + . . . + pk−1 Xk−1 )e is the same as the function that encrypts the plaintext Mp in equation (2). By reducing modulo pi+1 , we get the relationship Fi (X0 , X1 , . . . , Xi ) ≡ Fi−1 + pi Gi−1 Xi
(mod pi+1 ),
where Fi−1 = Fi−1 (X0 + pX1 + . . . + pi−1 Xi−1 )e and Gi−1 = e(X0 + pX1 + . . . + pi−1 Xi−1 )e−1 for i = 0, 1, . . . , k − 1. ¿From this relationship, we can recursively calculate K1 , . . . , Kk−1 . For i = 1, K1 is the solution of the following linear equation of X1 : C ≡ F0 (K0 ) + pG0 (K0 )X1 (mod p2 ). (3) Assume we have already calculated K1 , K2 , . . . , Ki−1 . Using these values, we compute Fi−1 (K0 , K1 , . . . , Ki−1 ), Gi−1 (K0 , K1 , . . . , Ki−1 ) in Z, and denote them by Fi−1 , Gi−1 , respectively. Then, Ki is the solution of the following linear equation of Xi : C ≡ Fi−1 + pi Gi−1 Xi (mod pi+1 ). (4) Note that (Gi−1 , p) = 1, because GCD(K0 , p) = GCD(e, p) = 1, so we can uniquely decrypt Ki . After computing K0 , K1 , . . . , Kk−1 , we can evaluate Mp (mod pk ) from equation (2). Finally, the plaintext M (mod pk q) is also computed from the values Mp (mod pk ), Mq (mod q), and the Chinese remainder theorem. Moreover, note that we do not have to use the secret exponent d for evaluating K1 , K2 , . . . , Kk−1 . Thus, when we compute the two values of K0 ≡ C d (mod p) and Mq ≡ C d (mod q), the secret exponent d can be reduced modulo p − 1 and q−1. Indeed, C d ≡ C dp (mod p) and C d ≡ C dq (mod q) hold, where dp ≡ d (mod p − 1) and dq ≡ d (mod q − 1). In Appendix A, we describe the decryption program written in pseudo-code. For x ∈ Z and a positive integer N , [x]N denotes the remainder of x modulo N , which is in {0, 1, . . . , N − 1}.
3
Size of Secret Parameters
Here, we discuss the size of the secret parameters p and q. The RSA cryptosystem uses a composite number of the symmetry type pq, where p and q are the same
Fast RSA-Type Cryptosystem Modulo pk q
321
bit size. The cryptosystem proposed in this paper depends on the security of factoring the modulus pk q. We have to carefully choose the size of p and q. There are two types of fast factoring algorithm to consider: the number field sieve [11] and the elliptic curve method [10]. Other factoring algorithms have the same or slower running times, so the size of the RSA-modulus can be estimated by these two factoring algorithms [7,13,20]. Let LN [s, c] = exp((c + o(1)) logs (N ) log log1−s (N )). The number field sieve is the fastest factoring algorithm, and the running time is estimated from the total bit size of the integer n to be factored, which is expected as Ln [1/3, (64/9)1/3]. If we choose n to be larger than 768 bits, the number field sieve becomes infeasible. In our case, we have to make the modulus n = pk q larger than 768 bits. The elliptic curve method is effective for finding primes which are divisors of the integer n to be factored. The running time is estimated in terms of the bit size of the prime divisor p. Its expected value is Lp [1/2, 21/2 ]. Note that the running time of the elliptic curve method is different from that of the number field sieve, and the order is much different. If we choose p to be larger than 256 bits, the elliptic curve method becomes infeasible. In our case, we have to make the primes p and q of the modulus larger than 256 bits. The factoring algorithm strongly depends on the implementation. In my knowledge, the fastest implementation record for the number field sieves factored 130-digit RSA modulus [5] and that for the elliptic curve method found 48-digit prime factor [8]. Here, we again emphasize that there is a big difference in the cost between the number field sieve and the elliptic curve method. Therefore, if we choose the 768-bit modulus p2 q with 256-bit primes p and q, neither of the factoring algorithms is feasible, so the scheme is secure for cryptographic purposes. But the size of secret primes must be thoroughly discussed for the practical usage of our proposed cryptosystem, and this is work in progress. Here, we wonder if there exists factoring algorithms against the modulus with a square factor p2 q. This factoring problem appeared in the list of the open problems in number theoretic complexity by Adleman and McCurley [1], and it is unknown whether there exists Lp [1/3]-type sub-exponential algorithm which finds the primes of the composite number p2 q. Recently, Peralta and Okamoto proposed a factoring algorithm against numbers of the form p2 q based on the elliptic curve method [16]. They focused on the fact the Jacobi symbol is equal to one for a square integer, and the running time becomes a little bit faster than that of the original elliptic curve method. Remark 1. A digital signature scheme [14] and two public key cryptosystems [9,15] which rely on the difficulty of factoring numbers of the type p2 q have been proposed. These cryptosystems are fast and practical. For secure usage of these cryptosystems and our proposed cryptosystem, the research of factoring algorithms against a composite number with a square factor is desirable.
322
4
Tsuyoshi Takagi
Running Time
In this section, we estimate the running time of the proposed cryptosystem. We assume that the public modulus n = p2 q is 768 bits for 256-bit primes p and q in the following. We also assume the running time for computing Z a (mod b) is O(log22 (b) log2 (a)). Below, we estimate the worst-case running time. In the decryption process of the proposed cryptosystem, the algorithm does not depend on the secret exponent d except when we compute Cd
(mod p),
Cd
(mod q).
(5)
After calculating C d (mod p), we compute only a few multiplications for obtaining Mp ≡ M (mod pk ). This costs the same as the encryption process. If we choose a very small e, this algorithm is very efficient. For example, if the modulus be p2 q, then we only compute at most blog2 ec multiplications modulo p2 and one division of p, two multiplications modulo p, and one inversion modulo p. Moreover, when we compute the two values of equation (5), the secret exponent d can be reduced modulo p− 1 and q − 1. In other words, C d ≡ C dp (mod p) and C d ≡ C dq (mod q) hold, where dp ≡ d (mod p − 1) and dq ≡ d (mod q − 1). Thus, the size of the secret exponent can be reduced. Denote by T the running time for computing the decryption algorithm of the 0 original RSA cryptosystem, i.e., C d (mod n), where d0 is as large as n. Then, the running time of the proposed cryptosystem for a 768-bit modulus is about (2(1/3)3 + αe )T = (0.074 + αe )T , where αe depends only on the encryption exponent e. When we make the encryption exponent e very small, αe becomes negligible. A similar decryption algorithm for the RSA cryptosystem using Chinese remainder theorem, the Quisquater-Couvreur method, mainly computes C d (mod p) and C d (mod q), where n = pq is the RSA modulus, both p and q are as large as (log2 n)/2 bits, and we assume d is as large as p and q. So, the running time of Quisquater-Couvreur method is about 4 times faster than the original RSA cryptosystem. Here, we compare the running time of our proposed cryptosystem with that of Quisquater-Couvreur method. The comparison is carried out based on the common bit length of the modulus. The proposed cryptosystem with the small encryption exponent e is about 3 times faster than the RSA cryptosystem applying the Quisquater-Couvreur method for the 768-bit modulus. In addition, consider the RSA cryptosystem with the square-free modulus n = p1 p2 · · · pl , where we assume that pi are as large as (log2 n)/l bits for i = 1, 2, . . . , l. As we discussed in Section 3, we can use a 768-bit modulus n = p1 p2 p3 with 256-bit primes pi (i = 1, 2, 3) for the cryptographic purpose. This version of RSA will be faster when we use the decryption technique using the Chinese remainder theorem. Indeed, the decryption time with this modulus is dominant for computing C di (mod pi ), where we assume di are as large as pi for i = 1, 2, 3. So, the running time of this RSA variant is about 9 times faster than the original RSA cryptosystem. Here, we compare this RSA variant with
Fast RSA-Type Cryptosystem Modulo pk q
323
our proposed cryptosystem. Our proposed cryptosystem is about 1.5 times faster for a 768-bit modulus.
5
Short Secret Exponent d
A short secret exponent is desirable for the fast decryption algorithm. However, Wiener reported an attack based on the continued fraction algorithm which detects a short secret exponent d [24]. This attack is effective for d < n1/4 . The secret key d and the public key e of the proposed cryptosystem have the relation ed ≡ 1 (mod LCM(p − 1, q − 1)), and the primes p and q are much smaller than n. So, we wonder if Wiener’s attack is applicable to larger secret exponents d. Moreover, if the attacker can compute d0 such that ed0 ≡ 1 (mod LCM(pk−1 (p − 1), q − 1)),
(6)
then proposed cryptosystem will also be broken. Here, we discuss Wiener’s attack for relation (6). ¿From LCM(pk−1 (p−1), q− 1) = pk−1 (p−1)(q−1)/GCD(pk−1 (p−1), q−1), we have ed0 = 1+mpk−1 (p−1)(q− 1)/GCD(pk−1 (p−1), q−1) for some integer m. Generally, GCD(pk−1 (p−1), q−1) is very small compared with p and q. Let m/GCD(pk−1 (p − 1), q − 1) = h/g, where GCD(h, g) = 1. Then, we get the relation e h 0 pk q − gd0 = δ , k
k−1
(7)
k−1
q−p −g/h h p +p . ¿From h/d0 g ≤ 1, the upper bound of δ 0 where δ 0 = gd 0 pk q is of the size n−1/(k+1) . It is known that for a rational number x such that |x − P/Q| < 1/2Q2 , P/Q is a convergent in the continued fraction of x, where P and Q are relatively prime integers. Therefore, if n−1/(k+1) < 1/2(gd0 )2 holds, then Wiener’s attack is applicable by computing the continued fraction of e/pk q. 1 Therefore, Wiener’s attack is effective for d0 < n 2(k+1) . During key generation one must ensure that d0 ≡ e−1 (mod LCM(pk−1 (p − 1), (q − 1)) is sufficiently large. In the same manner, we can discuss the Wiener’s attack for the relation ed ≡ 1 (mod LCM(p − 1, q − 1)). In this case, we get the relation
e h pk q − gdpk−1 = δ,
(8)
h p+q−1−g/h where δ = gd . The lower bound on δ is of the size 1/gdnk/(k+1) , and pk q 1/gdnk/(k+1) is larger than the upper bound 1/2(gdpk−1 )2 ∼ 1/2(gdn(k−1)/(k+1) )2 which the continued fraction can detect. So, Wiener’s attack seems infeasible for the relation ed ≡ 1 (mod LCM(p − 1, q − 1)). Further work on this is in progress.
324
6
Tsuyoshi Takagi
Other Properties
In this section, we describe some attacks against our proposed cryptosystem and some other properties of it. Permutation: Let S be a finite set, and let F (x) be a function from S to S. The function F (x) is called a permutation function if every pair x, y ∈ S that satisfies F (x) = F (y) also satisfies x = y. The encryption function must be a permutation function in order to have unique decryption. The encryption function of the proposed cryptosystem is F (X) ≡ X e (mod pk q). This function is a permutation function if and only if GCD(p − 1, e) = GCD(q − 1, e) = GCD(p, e) = 1. The last condition is always satisfied for small e, so this condition becomes the same as that for the original RSA cryptosystem. Message concealing: A function F (x) is called unconcealed when F (x) = x holds for some x. If the encryption function is unconcealed, some plaintexts are not encrypted. Blakley and Borosh showed that the encryption function of the RSA cryptosystem is unconcealed [2]. And they also estimated the number of unconcealed messages for a modulus having the form pk q. They proved N = (1 + GCD(e − 1, pk−1 (p − 1)))(1 + GCD(e − 1, (q − 1))). This number is negligible because we choose e to be small in our proposed cryptosystem. Cycling attack: The cycling attack is to find an integer s such that s C e ≡ C (mod pk q) [12,25]. If we find such an integer, then the modulus pk q can be factored with probability greater than 1/2. From a recent result by Rivest and Silverman, it is known that the probability of the cycling attack success is negligible [20]. This analysis is also true for our proposed cryptosystem, because p and q must be chosen to be more than 256-bit primes. Here, denote by ordm (Q) the order of the point Q in the group Zm for some integer m, and ordordn (C) (e)|s holds. Note that ordm (Q)|ordn (Q) for m|n and Q in Zn . The probability that p|ordpk (Q) for a random point Q in Zpk is 1 − 1/p, so p|ordn (C) holds for a random ciphertext C in Zn with high probability, and ordp (e) is greater than the largest prime of p − 1, which is more than 50 bits with high probability. Therefore, the integer s is greater than 50 bits with high probability. Other attacks: All other attacks are applicable, for example, the low exponent attacks [3,4,6], the common modulus attack, and the chosen message attack (See, for example, [7,13]). Digital signature: Of course, the proposed algorithm can be used for a digital signature.1 The prominent property of our proposed cryptosystem is the running time for generating the signature, which it is faster than that of the RSA cryptosystem using Chinese remainder theorem. Rabin-type cryptosystem: We can construct a Rabin-type cryptosystem by applying the algorithm proposed in this paper. We can also prove that the extended Rabin-type cryptosystem is as intractable as factoring the modulus pk q. 1
Shamir proposed a variation of RSA cryptosystem with an unbalanced modulus [21]. As he stated in the paper, Shamir’s RSA can not be used for digital signatures.
Fast RSA-Type Cryptosystem Modulo pk q
325
Acknowledgments I wish to thank Shozo Naito for his helpful discussion. I would also like to thank the anonymous referees for their valuable comments.
References 1. L. M. Adleman and K. S. McCurley, “Open problems in number theoretic complexity, II” proceedings of ANTS-I, LNCS 877, (1994), pp.291-322. 321 2. G. R. Blakley and I. Borosh, “Rivest-Shamir-Adleman public key cryptosystems do not always conceal messages,” Comput. & Maths. with Appls., 5, (1979), pp.169-178. 324 3. D. Coppersmith, M. Franklin, J. Patarin and M. Reiter, “Low-exponent RSA with related messages,” Advances in Cryptology – EUROCRYPT ’96, LNCS 1070, (1996), pp.1-9. 318, 324 4. D. Coppersmith, “Finding a small root of a univariate modular equation,” Advances in Cryptology – EUROCRYPT ’96, LNCS 1070, (1996), pp.155-165. 318, 324 5. J. Cowie, B. Dodson, R. Elkenbracht-Huizing, A. K. Lenstra, P. L. Montgomery, J. Zayer; “A world wide number field sieve factoring record: on to 512 bits,” Advances in Cryptology – ASIACRYPT ’96, LNCS 1163, (1996), pp.382-394. 321 6. J. H˚ astad, “Solving simultaneous modular equations of low degree,” SIAM Journal of Computing, 17, (1988), pp.336-341. 318, 324 7. B. S. Kaliski Jr. and M. Robshaw, “Secure use of RSA,” CRYPTOBYTES, 1 (3), (1995), pp.7-13. 321, 324 8. ECMNET Project; http://www.loria.fr/ zimmerma/records/ecmnet.html 321 9. D. H¨ uhnlein, M. J. Jacobson, S. Paulus, and T. Takagi, “A cryptosystem based on non-maximal imaginary quadratic orders with fast decryption.” Advances in Cryptology – EUROCRYPT ’98, LNCS 1403, (1998), pp.294-307. 321 10. H. W. Lenstra, Jr., “Factoring integers with elliptic curves”, Annals of Mathematics, 126, (1987), pp.649-673. 321 11. A. K. Lenstra and H. W. Lenstra, Jr. (Eds.), “The development of the number field sieve,” Lecture Notes in Mathematics, 1554, Springer, (1991). 321 12. U. M. Maurer; “Fast generation of prime numbers and secure public-key cryptographic parameters,” Journal of Cryptology, Vol.8, (1995), pp.123-155. 324 13. A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, “Handbook of applied cryptography,” CRC Press, (1996). 321, 324 14. T. Okamoto, “A fast signature scheme based on congruential polynomial operations,” IEEE Transactions on Information Theory, IT-36, (1990), pp.47-53. 321 15. T. Okamoto and S. Uchiyama; “A new public-key cryptosystem as secure as factoring,” Advances in Cryptology – EUROCRYPT ’98, LNCS 1403, (1998), pp.308-318. 321 16. R. Peralta and E. Okamoto, “Faster factoring of integers of a special form,” IEICE Trans. Fundamentals, Vol.E79-A, No.4, (1996), pp.489-493. 321 17. J. -J. Quisquater and C. Couvreur, “Fast decipherment algorithm for RSA publickey cryptosystem,” Electronic Letters, 18, (1982), pp.905-907. 318, 319, 319
326
Tsuyoshi Takagi
18. M. O. Rabin, “Digitalized signatures and public-key functions as intractable as factorization”, Technical Report No.212, MIT, Laboratory of Computer Science, Cambridge (1979), pp.1-16. 19. R. Rivest, A. Shamir and L. M. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, 21(2), (1978), pp.120-126. 318 20. R. Rivest and R. D. Silverman, “Are ‘strong’ primes needed for RSA,” The 1997 RSA Laboratories Seminar Series, Seminars Proceedings, (1997). 321, 324 21. A. Shamir; “RSA for paranoids,” CryptoBytes, 1, Autumn, (1995), pp. 1-4. 324 22. T. Takagi, “Fast RSA-type cryptosystem using n-adic expansion,” Advances in Cryptology – CRYPTO ’97, LNCS 1294, (1997), pp.372–384. 318, 318, 319, 319 23. E. R. Verheul and H. C. A. van Tilborg, “Cryptanalysis of ‘less short’ RSA secret exponents,” Applicable Algebra in Engineering, Communication and Computing, 8, (1997), pp.425-435. 318 24. M. J. Wiener, “Cryptanalysis of short RSA secret exponents,” IEEE Transactions on Information Theory, IT-36, (1990), pp.553-558. 318, 323 25. H. C. Williams and B. Schmid, “Some remarks concerning the M.I.T. public-key cryptosystem,” BIT 19, (1979), pp.525-538. 324
A
Decryption Algorithm
In this appendix, we describe the decryption program written in pidgin ALGOL. For x ∈ Z and a positive integer N , [x]N will denote the remainder of x modulo N , which is in {0, 1, . . . , N − 1}. The plaintext M is encrypted by C ≡ M e (mod pk q). The relation between the encryption exponent e and the decryption exponent d is ed ≡ 1 (mod LCM(p − 1, q − 1)). procedure DECRYPTION: INPUT: d, p, q, e, k, C OUTPUT: M (1)
dp := [d]p−1 , dq := [d]q−1 ;
(2)
K0 := [C dp ]p , Mq := [C dq ]q ;
(3)
A0 := K0 ; FOR i = 1 to (k − 1) do Fi := [Ai−1 e ]pi+1 ; Ei := [C − Fi ]pi+1 ; Bi := Ei /pi in Z; Ki := [(eFi )−1 Ai−1 Bi ]p ; Ai := Ai−1 + pi Ki in Z;
(4)
Mp := Ak−1 ;
(5)
p1 := [(pk )−1 ]q , q1 := [q −1 ]pk ;
(6)
M := [q1 qMp + p1 pk Mq ]pk q .
An Elliptic Curve Implementation of the Finite Field Digital Signature Algorithm Neal Koblitz Dept. of Mathematics, Box 354350, Univ. of Washington Seattle, WA 98195 USA [email protected]
Abstract. We construct a supersingular implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) that is essentially equivalent to a finite field implementation of the Digital Signature Algorithm (DSA), and then we compare the efficiency of the two systems. The elliptic curve method is about 12 times faster. In the last section we use the same ideas to give a particularly efficient nonsupersingular implementation of elliptic curve cryptography in characteristic 7. Keywords: Digital Signature, Elliptic Curve, Supersingular, Nonadjacent Form
1
Introduction
The security of elliptic curve cryptosystems depends on the presumed intractability of the discrete logarithm problem in the group of points on the curve. Aside from the exponential time algorithms that apply to an arbitrary group — all of which are impractical if the order of the group is divisible by a prime of more than 40 decimal digits — the only discrete log algorithms that have been found for an elliptic curve group are the algorithm of Semaev–Smart–Satoh–Araki [20,22,17], which applies only to an elliptic curve over a prime field Fp whose order is equal to p, and the algorithm of Menezes–Okamoto–Vanstone (MOV) [12]. The MOV algorithm uses the Weil pairing to imbed the group of points of an elliptic curve E over a finite field Fq into the multiplicative group F× qK of an extension field FqK ; the elliptic curve discrete log problem then reduces to the discrete log problem in F× qK . This algorithm is practical if K can be taken to be small. If E is a supersingular elliptic curve, then K can always be chosen equal to 1, 2, 3, 4, or 6 [12]; whereas if E is nonsupersingular, then K is almost always much too large [1]. For this reason it is usually assumed that supersingular curves should not be used in cryptography. The purpose of this article is to give a cryptographic application of a family of supersingular elliptic curves for which K = 6 in the MOV algorithm. Suppose that #E(Fq ) is a prime l (or a very small integer factor times a prime l) of between 40 and 80 decimal digits (which is the range one would use with a nonsupersingular curve). Then q K = q 6 is roughly in the 250- to 500-digit range, H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 327–337, 1998. c Springer-Verlag Berlin Heidelberg 1998
328
Neal Koblitz
which is beyond the practical limits of algorithms for the discrete log in F× qK . Thus, such a family of curves can be used in cryptography. Moreover, the family of curves that we study lends itself to particularly efficient computation of a multiple of a point, which is the basic operation in elliptic curve cryptosystems. Because the curves have complex multiplication by cube roots of unity, this family can be treated in a manner similar to the family of anomalous binary curves that was studied in [6], [10], and [23]. §§2–3 are devoted to the properties of the curves we are proposing and to the use of a special type of ternary expansion of an integer k that allows one to compute kP with only ≈ 25 log3 q elliptic curve additions. In §§4–5 we describe our main motivation for looking at this family of supersingular elliptic curves: it enables us in characteristic 3 to make a very direct comparison of efficiency between the Digital Signature Algorithm (DSA) using finite fields (see [16]) and the Elliptic Curve Digital Signature Algorithm (ECDSA) (see, for example, [9]). Recall that in DSA one works in a cyclic subgroup of prime order l inside a finite field whose bitlength is between 3 and 6 times that of l. Thus, it would be completely consistent with the Digital Signature Standard to take Fq6 as one’s finite field and the image of E(Fq ) under the MOV imbedding as one’s cyclic subgroup of order l. Then, conjecturally, the ECDSA and the corresponding DSA have identical security, and so it is interesting to compare efficiency. We show that the elliptic curve implementation is about 12 times as fast. In other words, even though the two groups of order l are apparently cryptographically equivalent, the elliptic curve “exponentiation” can be carried out more rapidly than exponentiation in the finite field. Remark. We say “conjecturally” and “apparently” because we do not know how to prove that the discrete log problem on the elliptic curve group could not be easier than the discrete log problem in the corresponding subgroup of F× q6 . This is because we do not know how to compute the inverse of the imbedding E(Fq ) ,→ F× q6 given by the Weil pairing. Finally, in §6 we use the same ideas as in §§2–3 to give a family of nonsupersingular elliptic curves in characteristic 7 for which one also has a particularly efficient method to compute multiples of points.
2
The Curves
Let q = 3m , where m is not divisible by 2 or 3, and let a = 0 or 1. Let E be the elliptic curve (1) Y 2 = X 3 − X − (−1)a over the field of 3 elements F3 ; and let Nm denote the number of Fq -points on E. Because x3 − x = 0 for all x ∈ F3 , it is easy to see that N1 = 4 − (−1)a 3. We can also write N1 = 4 − τ − τ , where √ (−1)a 3 + i 3 τ= 2
An Elliptic Curve Implementation
329
is the root with positive imaginary part of the characteristic polynomial T 2 − (−1)a 3T + 3 of the Frobenius map Φ : (x, y) 7→ (x3 , y 3 ).1 In other words, τ satisfies the relation 3 = (−1)a 3τ − τ 2 . (2) Then, by Weil’s theorem, Nm = |τ where
3 m
m
m
a
− 1| = 3 − (−1) 2
3 m
3(m+1)/2 + 1,
(3)
is the Jacobi symbol, which is defined as follows:
3 m
=
1 if m ≡ ±1 (mod 12); −1 if m ≡ ±5 (mod 12).
Since Nm is divisible by Nm0 whenever m0 |m, we have the best chance of getting a large prime factor of Nm when m is prime. In that case N1 |Nm , but it may happen that Nm /N1 is prime. In other words, when m is prime Nm could be a prime in the case a = 0 and 7 times a prime in the case a = 1. For example, when a = 0 we find that N163 = 3163 + 382 + 1 is a prime of 78 decimal digits (259 bits); and when a = 1 we find that N97 = 397 + 349 + 1 is 7 times a prime of 46 decimal digits (154 bits). Remark. One might want to use composite m in order to be able to perform multiplications and inversions in F3m more efficiently using a tower of subfields. It is still possible to get a large prime factor of Nm with m not much larger than in the case when m is prime. For example, when a = 0, a 66-digit prime divides N169 ; and when a = 1, a 47-digit prime divides N121 , and a 74-digit prime divides N187 . We let ω denote the 6th root of unity √ (−1)a + i 3 a , (4) ω = τ − (−1) = 2 and we let Z[ω] denote the ring of integers of the form u + vω, u, v ∈ Z. Then when m is prime we are interested in primality of the element (ω + 1)m − 1 when a = 0 and primality of the element ((ω − 1)m − 1)/(ω − 2) when a = 1, since it is a prime element of Z[ω] if and only if Nm if a = 0; |(ω + 1)m − 1|2 , = 1 m 2 |(ω − 1) − 1| , if a = 1, N1 7 is a prime in Z. When a = 0 this is a close analogue of the Mersenne prime problem, as we see by replacing ω by 1. (This example of an elliptic curve 1 2 a This means that Φ − (−1) 3Φ + 3 P = O for any point P on the curve. This polynomial (more precisely, its reciprocal polynomial 1 − (−1)a 3T + 3T 2 ) is also the numerator of the zeta-function of the curve. For details on this and other properties of elliptic curves, see §VI.1 of [7] and Ch. V of [21].
330
Neal Koblitz
for cryptography and the analogy with the Mersenne prime problem were first mentioned in Exercise 11 of §VI.1 and Exercise 6 of §VI.2 in [7].) As always, the Frobenius map Φ : (x, y) 7→ (x3 , y 3 ) takes negligible time, provided that we are working in a normal basis of Fq over F3 ; and the negation map (x, y) 7→ (x, −y) is also trivial to carry out. The Frobenius map Φ acting on points P ∈ E(Fq ) may be regarded as the element τ ∈ Z[ω], because it satisfies the same quadratic equation Φ2 − (−1)a 3Φ + 3 = 0. In the case of the particular equation (1), it is also extremely easy to describe the action on points P ∈ E(Fq ) of the cube roots of unity. Let us take a = 1; the case a = 0 is virtually identical.√Then we are interested in how the nontrivial cube root of unity ω = (−1 + 3i)/2 = τ + 1 acts on P = (x, y) ∈ E(Fq ). That is, we want to find the coordinates of (Φ + 1)P = Px,y + Px3 ,y3 . Using the addition law for Px1 ,y1 + Px2 ,y2 = Px3 ,y3 , which takes the following form when Px2 ,y2 6= ±Px1 ,y1 : 2 1 − x1 − x2 ; x3 = xy22 −y −x1 3 1 y3 = y1 + y2 − xy22 −y , −x1 and the relation x3 − x = y 2 − 1 from (1), we obtain: Px,y + Px3 ,y3 = Px+1,y . (It is easy to check that this formula also holds when Px3 ,y3 = Px,y , i.e., when Px,y is an F3 -point.) Thus, the action on points of any power of τ and any sixth root of unity can be computed in trivial time. Remark. Another convenient feature of the curves (1) in characteristic 3 is that, m−1 } of Fq , then there is an easy if we use a normal F3 -basis {β, β 3 , . . . , β 3 compression technique for storing a point Px,y , by analogy with the characteristic 2 method in [13]. Namely, we represent P as (x0 , y), where x0 ∈ {0, 1, −1} is the P i first coordinate of x. Then x = xi β 3 can be recovered by setting xi = xi−1 + P i zi , i = 1, 2, . . . , m−1, where the zi are the coordinates of −y 2 −(−1)a = zi β 3 .
3
Base-τ Expansions
Suppose that we want to compute a multiple kP of an F3m -point on the elliptic curve (1). As in [10] and [23], our first step is to divide k by τ m − 1 in the ring Z[ω], and then replace k by its remainder k 0 modulo τ m − 1. This is justified because (τ m − 1)P = Φm P − P = O. Our next step is to find a base-τ expansion of k 0 with digits {0, ±1, ±ω, ±ω 2} that has nonadjacent form (NAF), where, following [23], we define “nonadjacent form” to mean that no two consecutive coefficients are nonzero. Theorem 1. Every element of Z[ω] reduced modulo τ m − 1 has a unique NAF base-τ expansion with digits {0, ±1, ±ω, ±ω 2}, in which at most (m + 1)/2 digits are nonzero. Asymptotically on the average 60% of the digits are zero.
An Elliptic Curve Implementation
331
Proof. We first recall the algorithm for finding the usual base-τ expansion of an element u + vω ∈ Z[ω] with digits j ∈ {0, 1, −1}. By (4) we have u + vω = (u − (−1)a v) + vτ . Dividing the integer u − (−1)a v by 3, we can write u − (−1)a v = 3w + ε0 for some ε0 ∈ {0, 1, −1}. Then we use (2) to write u + vω = (3w + ε0 ) + vτ = (((−1)a 3w + v) − wτ ) τ + ε0 . We then take the quotient ((−1)a 3w + v) − wτ and repeat the process to find ε1 , ε2 , and so on. Now we describe the algorithm for finding the NAF base-τ expansion of an element of Z[ω]. In each step we divide our previous quotient qj−1 by τ , getting a quotient u + vτ and a remainder ε ∈ {0, 1, −1}, as we did in the previous paragraph: qj−1 = (u + vτ )τ + ε. If ε = 0 or if 3|u, then we leave the above equality unchanged and set qj = u+vτ , ηj = ε. Otherwise, we modify the above equation as follows: qj−1 = qj τ + ηj , where
qj =
(u + (−1)a 2ε) + (v − ε)τ (u + (−1)a ε) + vτ
and ηj =
−(−1)a εω −(−1)a εω
if u ≡ (−1)a ε (mod 3); if u ≡ −(−1)a ε (mod 3),
if u ≡ (−1)a ε (mod 3); if u ≡ −(−1)a ε (mod 3).
Uniqueness of the NAF expansion is clear from the construction. Finally, the asymptotic expectation is that every nonzero digit is followed by 1+ 13 + 312 +· · · = 1.5 zero digits, in which case 60% of the digits are zero. t u √ Here is an example. Let us take a = 0 and find the expansion of 10 + 2i 3. We have: √ 10 + 2i 3 = (7 − τ )τ + 1 = (9 − 2τ )τ + ω 2 ; 9 − 2τ = (7 − 3τ )τ + 0; 7 − 3τ = (3 − 2τ )τ + 1; 3 − 2τ = (1 − τ )τ + 0; 1 − τ = 0 · τ + ω4, and hence the digits are η4 = ω 4 , η3 = 0, η2 = 1, η1 = 0, η0 = ω 2 . Remark. The expected number 25 log3 q of elliptic curve additions given by Theorem 1 is about 25% less than the previous lowest result for the number of additions of points in computing kP , which was 13 log2 q due to Solinas [23]. However, from a practical point of view this improvement in the number of elliptic curve additions might be offset by the decreased efficiency of working in characteristic 3 rather than 2. For example, in characteristic 2 one can often minimize time for a field operation by using an optimal normal basis [15]. In order to avoid field inversions and determine the time required to compute a multiple of a point in terms of field multiplications alone, we introduce projective coordinates. (See §6.3 of [11] for a discussion of this in characteristic 2.)
332
Neal Koblitz
When converted to homogeneous coordinates, the equations for point addition (see §2) become z3 = (x2 z1 − x1 z2 )3 z1 z2 ; x3 = (y2 z1 − y1 z2 )2 (x2 z1 − x1 z2 )z1 z2 − (x2 z1 − x1 z2 )3 x1 z2 − −(x2 z1 − x1 z2 )3 x2 z1 ; y3 = −(x2 z1 − x1 z2 )3 y1 z2 + (y2 z1 − y1 z2 )(x2 z1 − x1 z2 )2 x1 z2 − −x3 (y2 z1 − y1 z2 )/(x2 z1 − x1 z2 ). (Note that the last expression is a polynomial, because x3 is divisible by x2 z1 − x1 z2 .) In each stage of the computation of kP one adds a partial sum to a point of the form ηj τ j P (in which the NAF digit ηj is a sixth root of unity). The latter point is computed in negligible time in affine (i.e., non-homogeneous) coordinates; so we may assume that its projective coordinates are (x2 , y2 , 1), that is, z2 = 1. Assuming now that z2 = 1, the above formulas can be computed as follows. Successively set A = x2 z1 ;
B = y2 z1 ;
E = (B − y1 )2 ;
C = (A − x1 )2 ;
F = x1 C;
D = (A − x1 )3 ;
G = z1 E − (D + 2F ).
Then z3 = z1 D;
x3 = (A − x1 )G;
y3 = −y1 D + (B − y1 )(F − G).
This all takes 10 field multiplications. (Note that D is computed in negligible time, since we are in characteristic 3.) Since on the average 25 m point additions are needed to compute a multiple of a point, it follows that in projective coordinates one expects to compute a multiple of a point with 4m field multiplications. From the formulas for adding points in affine coordinates (see §2) we see that, alternatively, a point addition can be accomplished with 1 field inversion and 2 field multiplications. Thus, if an inversion can be done in less time than 8 field multiplications, we should use affine rather than projective coordinates. In characteristic 2 there are implementations of field inversion that take time roughly equal to that of 3 field multiplications (see [19] and [24]); and it is reasonable to expect that the same equivalence can be achieved in characteristic 3 [18]. We have obtained the following corollary of Theorem 1. Corollary 1. If one uses projective coordinates, the expected number of field multiplications in F3m needed to compute a multiple of a point on the curve (1) is 4m. Using affine coordinates, on the average one can compute a multiple of a point on (1) with 45 m field multiplications and 25 m field inversions. If a field inversion can be carried out in time equivalent to that of three field multiplications, then in affine coordinates one has a time estimate of 2m field multiplications for computing a multiple of a point.
An Elliptic Curve Implementation
4
333
DSA and ECDSA
We shall use DSA in a slightly generalized form, in which the finite field Fq , q = pm , is not necessarily a prime field. Here q has at least 500 bits, and q − 1 is divisible by a prime l of at least 160 bits. Let f : Fq → Fl be a fixed, easily computable function such that #f −1 (y) ≈ q/l for each y ∈ Fl ; that is, f spreads Fq fairly evenly over Fl . If q = p, then we represent elements of Fq by integers x ∈ {0, 1, . . . , p−1}, and we usually take f (x) to be the least nonnegative residue of x P modulo l. If m > 1, and if {β0 , . . . , βm−1 } is our Fp -basis of Fq , then for x= xi βi , xi ∈ {0, 1, . . . , p − 1}, we could, for example, define f (x) to be the P least nonnegative residue modulo l of the integer xi pi . Let g ∈ Fq be a generator of the unique subgroup of F× q of order l, and let H be a hash function taking values in Fl . Here q, l, {βi }, g, f , and H are publicly known. Alice’s secret key is a random integer x in the range 1 < x < l, and her public key is y = g x ∈ Fq . To sign a message M , Alice does the following: 1) She selects a random integer k in the range 1 < k < l. 2) She computes g k ∈ Fq and r = f (g k ). If r = 0, she returns to step 1). 3) She computes k −1 ∈ Fl and s = k −1 (H(M ) + xr) ∈ Fl . If s = 0, she returns to step 1). 4) Her signature for the message M is the pair (r, s). To verify the signature, Bob computes u1 = s−1 H(M ) ∈ Fl , u2 = s−1 r ∈ Fl , and then g u1 y u2 ∈ Fq . If f (g u1 y u2 ) = r, he accepts the signature. We now describe the elliptic curve version ECDSA. Let E be an elliptic curve defined over Fq such that #E(Fq ) is equal to a prime l of at least 160 bits (or to a small integer factor times such a prime l). Let P be an Fq -point of E of order l. Let fE : E(Fq ) → Fl be a fixed, easily computable function that spreads the points over Fl fairly evenly (for instance, we might require that #fE−1 (y) be bounded by a small constant for y ∈ Fl ). One way to define the elliptic curve function fE , for example, would be to take the x-coordinate of a point and then apply to it the function f : Fq → Fl in the above description of DSA. Alice’s secret key is an integer x in the range 1 < x < l, and her public key is the point Q = xP ∈ E(Fq ). To sign a message M , Alice does the following: 1) She selects a random integer k in the range 1 < k < l. 2) She computes kP and r = fE (kP ). If r = 0, she returns to step 1). 3) She computes k −1 ∈ Fl and s = k −1 (H(M ) + xr) ∈ Fl . If s = 0, she returns to step 1). 4) Her signature for the message M is the pair (r, s). To verify the signature, Bob computes u1 = s−1 H(M ) ∈ Fl , u2 = s−1 r ∈ Fl , and then u1 P + u2 Q ∈ E(Fq ). If fE (u1 P + u2 Q) = r, he accepts the signature.
334
5
Neal Koblitz
Comparison of DSA and ECDSA
We set up ECDSA using the curve E in (1) over Fq , q = 3m . We assume that 2 m Nm τ m − 1 3 − l= = = N1 τ −1 3m +
3 (m+1)/2 + 1, m 3 3 (m+1)/2 + 1 /7, 3 m
if a = 0; if a = 1,
is prime. Let P ∈ E(Fq ) be a point of order l. Let F : E(Fq ) → F× q6 be an MOV imbedding of the elliptic curve group into the multiplicative group of Fq6 constructed using the Weil pairing [12]. Let g = F (P ), which is a generator of the unique subgroup of F× q6 of order l. × We set up DSA in Fq6 and ECDSA in E(Fq ) so as to be equivalent to one another by means of F . Thus, if f : Fq6 → Fl is the function in DSA, then we define fE : E(Fq ) → Fl by the formula fE = f ◦ F . Remark. In a practical situation it would be more efficient to define fE without using the MOV imbedding F (for example, by applying f to the x-coordinate of a point, as suggested in §4), because even though the computation of F is polynomial time, it is not very fast. We have chosen to set fE = f ◦ F for a theoretical rather than practical reason: to make the DSA and ECDSA implementations completely equivalent. We can now easily verify that the MOV imbedding F gives an equivalence between the two signature schemes. In both cases Alice’s secret key is an integer x in the range 1 < x < l; her public key is Q = xP in ECDSA and F (Q) = F (xP ) = F (P )x = g x = y in DSA. The k, r, and s are the same in both cases. So are the u1 and u2 in signature verification. In ECDSA the signature is verified by computing u1 P + u2 Q, and in DSA by computing g u1 y u2 . The signature is accepted if r = fE (u1 P + u2 Q) = f (F (u1 P + u2 Q)) = f (g u1 y u2 ). Thus, the DSA and ECDSA implementations are equivalent. In order to get an approximate idea of the relative efficiency of the two systems, let us compare the times to compute 1) kP ∈ E(Fq ) and 2) g k ∈ Fq6 , where k is a random integer in the range 1 < k < l, i.e., k has about the same bitlength as q = 3m . We shall neglect possible speed-ups using precomputations, fast multiplication techniques, etc., and shall assume that a field multiplication in Fq takes time proportional to (log2 q)2 . We shall also assume that a field inversion in Fq takes approximately the same amount of time as 3 field multiplications; in that case the computation of kP on the average takes the equivalent of 2m field multiplications in Fq , by the corollary to Theorem 1 (see §3). On the DSA side, we have a significant efficiency advantage because we are workingPin characteristic 3. Namely, we first write the exponent k in ternary form as k = εj 3j , where εj ∈ {0, 1, 2}. For ν = 0, 1, 2 let Jν be the set of j for which j εj = ν. Since the computation of g 3 takes negligible time, the computation of
An Elliptic Curve Implementation
335
Q 2 Q j 3j g k = j∈J1 g 3 g takes just #(J1 ) + #(J2 ) field multiplications. We j∈J2 expect about one third of the digits in k to be zero, so we conclude that the computation of g k takes roughly 23 m field multiplications in Fq6 , each of which takes about 36 times as long as a field multiplication in Fq . Thus, the ratio of time for g k to time for kP is roughly 36 · 23 m = 12. 2m In other words, when we choose parameters for ECDSA and for DSA in such a way as to make the two systems equivalent, we find that ECDSA is approximately 12 times faster than DSA, independently of the value of m.
6
A Nonsupersingular Family
Consider the curve Y 2 = X 3 − b,
b 6= 0,
defined over F7 . This elliptic curve is nonsupersingular. The number N1 = 8 − t of F7 -points and the root τ with positive imaginary part of the characteristic polynomial T 2 − tT + 7 are given in the following table: t τ√ b ±1 ±4 ±2 +√ 3i ±2 ±1 (±1 + 3√ 3i)/2 ±3 ±5 (±5 + 3i)/2 As usual, we choose b and a prime m so that Nm /N1 = |(τ m − 1)/(τ − 1)|2 is prime. For instance, when b = −1 the number N59 is 12 times a 49-digit prime; and when b = 3 the number N61 is 3 times a 52-digit prime, and the number N71 is 3 times a 60-digit prime. Note that, up to complex conjugation, the six value of τ in the√table differ from one another by a factor of ±1, ±ω, or ±ω 2 , where ω = (−1 + 3i)/2. S As before, we define the action of τ on a point P ∈ E(F7 ), where F7 = m F7m is the algebraic closure of F7 , to be the Frobenius map τ Px,y = ΦPx,y = Px7 ,y7 . In this way Z[ω] imbeds in the ring of endomorphisms of E(F7 ); and it follows from the properties of nonsupersingular curves (see p. 137 of [21]) that the image of Z[ω] is all of the endomorphism ring of E(F7 ). It is easy to check that the maps Px,y 7→ P2x,y √ and Px,y 7→ P4x,y are endomorphisms of E(F7 ) of order 3. Since ω = (−1 + 3i)/2 and ω 2 = ω are the only nontrivial cube roots of unity, it follows that in each case ωP must be given by one of these maps; one can quickly determine which of the two by testing on an F7 - or F72 -point of E. Thus, the action on F7m -points of any of the sixth roots of unity ±1, ±ω, ±ω 2 is trivial to compute. Suppose that we want to compute a multiple kP for P ∈ E(F7m ). As usual, we first replace k by its remainder k 0 ∈ Z[ω] after division by τ m − 1. We
336
Neal Koblitz
then compute the base-τ expansion of k 0 using {0, ±1, ±ω, ±ω 2} rather than {0, ±1, ±2, ±3} as digits; this is easy to do using the equality τ 2 = tτ − 7 and the simple relations between τ, ω, and ±2, ±3. We cannot obtain an NAF expansion, but we have the advantage that k 0 has fewer digits in characteristic 7, where the base τ has larger norm (7 rather than 2 or 3). Since 1/7 of the digits are expected to be 0, we conclude that on the average the computation of kP requires ≈ 67 log7 q = 0.3052 log2 q elliptic curve additions. This estimate for the number of elliptic curve additions is slightly lower than Solinas’ value of 13 log2 q on an anomalous binary curve [23]. But in practice the improvement from 13 log2 q to 0.3052 log2 q is not enough to compensate for the lower efficiency of working in characteristic 7 rather than in characteristic 2. Remark. A disadvantage of this family of curves is that there are not many curves and fields to choose from. The same applies to the curves in §2, and to the anomalous binary curves in [6,10,23]. Random curves allow far more choice, but less efficient implementation.
Acknowledgments I would like to thank Arjen Lenstra, Richard Schroeppel, and Alfred Menezes for several very helpful comments and suggestions.
References 1. R. Balasubramanian and N. Koblitz, The improbability than an elliptic curve has subexponential discrete log problem under the Menezes–Okamoto–Vanstone algorithm, J. Cryptology 11 (1998), 141-145. 327 2. I. Blake, X. H. Gao, R. C. Mullin, S. A. Vanstone, and T. Yaghoobian, Applications of Finite Fields, Kluwer Acad. Publ., 1993. 3. S. Gao and H. W. Lenstra, Jr., Optimal normal bases, Designs, Codes and Cryptography 2 (1992), 315-323. 4. K. Ireland and M. I. Rosen, A Classical Introduction to Modern Number Theory, 2nd ed., Springer-Verlag, 1990. 5. N. Koblitz, Elliptic curve cryptosystems, Math. Comp. 48 (1987), 203-209. 6. N. Koblitz, CM-curves with good cryptographic properties, Advances in Cryptology – Crypto ’91, Springer-Verlag, 1992, 279-287. 328, 336 7. N. Koblitz, A Course in Number Theory and Cryptography, 2nd ed., SpringerVerlag, 1994. 329, 330 8. N. Koblitz, Algebraic Aspects of Cryptography, Springer-Verlag, 1998. 9. N. Koblitz, A. Menezes, and S. A. Vanstone, The state of elliptic curve cryptography, to appear in Designs, Codes and Cryptography. 328 10. W. Meier and O. Staffelbach, Efficient multiplication on certain non-supersingular elliptic curves, Advances in Cryptology – Crypto ’92, Springer-Verlag, 1993, 333344. 328, 330, 336 11. A. Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Acad. Publ., 1993. 331
An Elliptic Curve Implementation
337
12. A. Menezes, T. Okamoto, and S. A. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Trans. Information Theory 39 (1993), 1639-1646. 327, 327, 334 13. A. Menezes and S. A. Vanstone, Elliptic curve cryptosystems and their implementation, J. Cryptology 6 (1993), 209-224. 330 14. V. Miller, Uses of elliptic curves in cryptography, Advances in Cryptology — Crypto ’85, Springer-Verlag, 1986, 417-426. 15. R. Mullin, I. Onyszchuk, S. A. Vanstone, and R. Wilson, Optimal normal bases in GF (pn ), Discrete Applied Math. 22 (1988/89), 149-161. 331 16. National Institute for Standards and Technology, Digital signature standard, FIPS Publication 186, 1993. 328 17. T. Satoh and K. Araki, Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves, preprint. 327 18. R. Schroeppel, personal communication, Dec. 2, 1997. 332 19. R. Schroeppel, H. Orman, S. O’Malley, and O. Spatscheck, Fast key exchange with elliptic curve systems, Advances in Cryptology — Crypto ’95, Springer-Verlag, 1995, 43-56. 332 20. I. A. Semaev, Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p, Math. Comp. 67 (1998), 353-356. 327 21. J. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag, 1986. 329, 335 22. N. Smart, The discrete log problem on elliptic curves of trace 1, preprint. 327 23. J. Solinas, An improved algorithm for arithmetic on a family of elliptic curves, Advances in Cryptology – Crypto ’97, Springer-Verlag, 1997, 357-371. 328, 330, 330, 331, 336, 336 24. E. De Win, A. Bosselaers, S. Vandenberghe, P. De Gersem, and J. Vandewalle, A fast software implementation for arithmetic operations in GF (2n ), Advances in Cryptology — Asiacrypt ’96, Springer-Verlag, 1996, 65-76. 332
Quantum Bit Commitment From a Physical Assumption Louis Salvail1? BRICS Basic Research in Computer Science of the Danish National Research Foundation Department of Computer Science,University of ˚ Arhus Ny Munkegade, Building 540,DK-8000 ˚ Arhus C, Denmark [email protected]
Abstract. Mayers and independently Lo and Chau have shown that unconditionally secure quantum bit commitment is impossible. In this paper we show that under the assumption that the sender is not able to perform generalized measurements involving more than n qubits coherently (n-coherent measurements) then quantum bit commitment is possible. A commitment scheme is δ-binding if for each execution there is an x ˜ ∈ {0, 1} that cannot be unveiled with probability of success better than δ. Our bit commitment scheme requires the transmission of N qubits and is δ-binding, for any δ > 0, if the committer can only carry out n-coherent measurements for some n ∈ Ω(N ). For some α > 0, −αN the scheme -binding against n-coherent measurements for some √ is 2 n ∈ Ω( N ). The security against malicious receivers is unconditional.
1
Introduction
The first application of quantum mechanics in cryptography was proposed by Wiesner [34] in the late 1960’s through what he called “quantum multiplexing”. Classically, this primitive has been reinvented a decade later by Rabin [32] as one-out-of-two oblivious transfer. The power of oblivious transfer is known to provide the sufficient and necessary tool for solving the very general secure twoparty computation problem[20,15]. In its original paper [34], Wiesner describes an attack based on generalized quantum measurements against its own scheme. Although proven insecure, Wiesner’s scheme requires a quantum attacker with technology far beyond what is achievable today. In 1984, Bennett and Brassard proposed two new cryptographic applications of quantum mechanics: secret-key exchange and coin flipping by telephone [3]. Whilst the former is still strongly believed to be secure [25,7] the latter was already known to be breakable using EPR pairs [16,3]. The proposed coin flipping protocol can be modified easily to implement a quantum bit commitment scheme that can indeed be defeated by the same EPR attack [9]. Unlike Wiesner protocol, the attack is conceivable using today’s technology [1]. Some attempts to find a quantum bit commitment ?
Part of this work has been done while the author was at CWI.
H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 338–354, 1998. c Springer-Verlag Berlin Heidelberg 1998
Quantum Bit Commitment From a Physical Assumption
339
scheme not suffering the same weaknesses have then been made [9,10]. In 1993, Brassard, Cr´epeau, Jozsa and Langlois [10] proposed a quantum commitment scheme (the BCJL scheme) that was claimed to be unconditionally secure until Mayers discovered a subtle flaw in 1995 [26]. This was bad news considering Yao [35] had provided a proof that, under the assumption that secure bit commitment scheme exists, the BBCS protocol [5] for quantum oblivious transfer(QOT) is secure. Despite BCJL was known to be insecure, it was still conceivable that a secure quantum quantum bit commitment scheme could be found. The situation turned out to be a dead end when Mayers [29], and independently Lo and Chau [22], showed that no quantum bit commitment whatsoever exists. It was shown that the EPR attack can be generalized against any quantum bit commitment provided the committer can deal with large entangled quantum states. Different approaches have then been tried in order to escape the no-go theorem [13]. All these attempts aimed at taking advantage of subtle assumptions in the theorem statement. The common feature of most approaches is the use of a classical assumption that has to hold only temporarily. The goal being to build from such a temporary assumption a commitment scheme that is both concealing and binding even after the assumption is withdrawn. Unfortunately, none of these attempts has produced a scheme achieving more than what classical cryptography alone can provide. Quantum bit commitment is now known to be impossible in scenarios lying beyond the initial statement of the no-go theorem [11]. It naturally raises the question of what assumptions are needed in order for secure quantum bit commitment to exist and can these assumptions be made independent of the classical one whilst remaining meaningful? In other words, does quantum mechanics helps in providing secure two-party computation? In this paper we consider a physical limitation upon which the security of quantum bit commitment, and QOT [35], can be based. The assumption does not restrict the computing power and therefore makes sense whether or not oneway functions exist in the classical world [19]. For, we restrict the ability of one party to carry out arbitrary quantum coherent measurements. We say that a measurement is n-coherent if it involves no more than n qubits coherently. We propose a variant of BCJL that is shown to be secure under this restriction. One reason for considering this assumption is that large coherent measurements are not known to be realizable by a reliable physical process. As an example, consider the simplest interesting case n = 2. Perhaps the most important 2coherent measurement that is not 1-coherent is the Bell measurement which, together with the ability to produce EPR pairs, leads to quantum teleportation [6]. Interestingly, although quantum teleportation has been shown to work experimentally [8], the Bell measurements could only be approximated. It is in general more difficult to make several qubits interact in a measurement than producing entangled states [31,24,8]. Whereas EPR pairs can be easily produced experimentally, measuring in the Bell basis requires more work. Even though Bell measurements will probably be accomplished in the near future, large coherent measurements are very challenging even in a controlled environment. The complexity and reliability required for the physical process implementing large
340
Louis Salvail
n-coherent measurements might well not be achievable in a foreseeable future. A coherent measurement can be seen as an unitary transformation acting on the observed system plus an ancilla, followed by a standard Von Neumann measurement. This process is exactly what is meant by a quantum algorithm. The ability to perform n-coherent measurements suggests that quantum computers working on n qubits can also be realized. However, it might be the case that n-qubits quantum computers exist but n-coherent measurements against quantum protocols don’t. One reason could be that quantum cryptography, unlike quantum computation, can take place in an extremely hostile environment for the survival of large entangled quantum states [17]. Our result shows that large coherent measurements are necessary in order to apply Mayers’ attack against our scheme. A commitment scheme is δ-binding if for each execution there is a bit x ˜ ∈ {0, 1} that cannot be unveiled with probability of success better than δ. Our bit commitment scheme requires the transmission of N qubits and is δbinding, for any δ > 0, provided the committer can only carry out n-coherent −αN measurements for some n ∈ Ω(N ). For some α > 0, -binding √ the scheme is 2 against n-coherent measurements for some n ∈ Ω( N ). The commitment is also shown to conceal unconditionally the committed bit. In section 2 we give the preliminary ingredients. Section 3 presents a variation of the BCJL protocol, called LJCB. In section 4 we introduce the definitions and tools about quantum measurements and outcomes. In section 5, we define the class of n-coherent strategies against the binding condition. We show that LJCB is binding against the class of n-coherent strategies for some n ∈ Ω(N ) where N is the total number of qubits sent through the quantum channel. In section 6, LJCB is shown to be unconditionally concealing. We conclude in section 7.
2
Preliminaries
We write x ∈R X for “the element x is picked uniformly Ln and randomly from the set X”. Notation x y for x, y ∈ {0, 1}n means i=1 xi · yi . For sets X = {x0 , x1 , . . . , xn } and s ∈ {0, . . . , n} we write Xs for the s-th element xs in X. If y represents the outcome of some random experiment then we write y as the random variable associate with the experiment. We denote the Shannon entropy and information functions by H(y) and I(y) respectively. For any strings c, c0 ∈ {0, 1}n we define ∆(c, c0 ) as the Hamming distance between c and c0 . When the context allows, we also write ∆(c, c0 ) as the set of distinct positions. For X ⊆ {1, . . . , n} and b ∈ {0, 1}n we denote by bX the substring of b defines for positions in X. 1 2.1
Bit Commitment
A bit commitment scheme allows Alice to send a piece of evidence to Bob that she has a bit x ∈ {0, 1} in mind. Given what he receives, Bob cannot tell what x 1
If b, c, c0 ∈ {0, 1}n are any n-bit string then b∆(c,c0 ) ∈ {0, 1}∆(c,c b restricted to positions where c and c0 differ.
0
)
is the substring of
Quantum Bit Commitment From a Physical Assumption
341
is. This phase of the bit commitment scheme is called the committing phase. After a while, Bob can ask Alice to unveil x in such a way that it is not possible for her to unveil 1 − x without being detected. This phase is called the opening phase. The security of such a scheme is captured by the following definition: Definition 1. A bit commitment scheme is – statistically concealing if the information V the receiver gets about the committed bit x ∈ {0, 1} after the committing phase (and before opening) is such that I(x|V) ≤ 2−αN for some α > 0 and N a security parameter, – δ–binding for 0 < δ < 1, if after the execution of the committing phase there exists x˜ ∈ {0, 1} such that the probability to unveil x ˜ with success is less than δ, – δ-secure if it is both concealing and δ-binding. In this paper we are concerned with a slightly weaker form of the binding property than what is usually considered. Namely, we allow the sender to change her mind with some bounded probability of success δ. Nevertheless, a δ–secure bit commitment scheme is sufficient for secure quantum oblivious transfer[35,5]. Mayers’ theorem shows how to break any concealing commitment by constructing an attack allowing to reveal any bit with probability of success almost 1. The attack also applies for concealing but δ-binding commitment schemes whenever δ < 1 [28,29]. 2.2
Quantum Coding
The essential quantum ingredient is the BB84 coding scheme [3]. In order to transmit the bit b = 0 one of the two non-orthogonal quantum states |0i+ = 10 √1 and |0i× = √12 is chosen and sent through the quantum channel 2 . For the 2 transmission of b = 1, the two non-orthogonal quantum states are |1i+ = 01 −1 √ and |1i× = √12 . If for transmitting b ∈ {0, 1} the quantum state |bi+ is 2
chosen then we say that b is transmitted in rectilinear basis “+”. If b is encoded in |bi× we say that b is transmitted in diagonal basis “×”. Let ρb be the quantum mixture associates with the transmission of bit b in a random basis θ ∈R {+, ×}. Let {γ0 , γ1 } be the unit vectors of the Breidbart basis (i.e. γ0 = (cos π8 , sin π8 ) and γ1 = (− sin π8 , cos π8 )). We have, for any b ∈ {0, 1}, that (see [10] for more information) π π (1) ρb = cos2 |γb ihγb | + sin2 |γ1−b ihγ1−b |. 8 8 Equation 1 stands as long as the coding basis θ is random and independent. One interpretation of equation 1 is that the BB84 coding scheme is inherently ambiguous. Given any outcome of any quantum measurement, the transmitted 2
Notation |bi for b ∈ {0, 1} means |bi+ which is the computational basis.
342
Louis Salvail
bit b cannot be known with probability better than cos2 ( π8 ). The intrinsic entropy H V N (ρb ) (Von Neumann entropy) about b ∈ {0, 1} is H V N (ρb ) = H(cos2
π π , sin2 ) ≥ 0.4157611883. 8 8
(2)
No possible outcome of any measurement can give more information about b than 1−H V N (ρb ) simply because the quantum state does not carry more information than that. For any X ⊆ {1, . . . , n} and b ∈ {0, 1}n we define ρX (b) = ⊗i∈X ρbi as the density matrix associates with bX when b is transmitted according to the BB84 coding scheme. As for equation 2 we have that 2 H V N (ρX b ) = #X · H(cos
π π , sin2 ) ≥ 0.4157611883 · #X. 8 8
(3)
In addition, since ρ+ = ρ× it follows that for all measurements no outcome gives information about the transmission basis. 2.3
Generalized Measurements
It is shown in [27] (see also section 2.2 of [33]) that any possible measurement can be represented by a single IPP (Inner Product Preserving Operator) transformation from the initial space of states to a larger space of states followed by an ordinary von Neumann measurement on the latter. An m-outcome generalized measurement on a space V is described by m operators Mk : V → Wk , k = 1, . . . , m, such that if the initial state is |φi and the observed classical outcome is k then the state after the measurement, up to normalization, is Mk |φi. The probability to observe k when |φi is transmitted is kMk |φik2 . The operator Mk is IPP if it is represented as a matrix of orthonormal columns. An IPP operator Mk for the measurement of an n qubits system has 2n columns. The value hki is called the classical outcome for Mk . From Mk , we define the column vector Φθ (hki|b) = Mk |biθ containing the transition amplitudes from state |biθ to any of the final state in Mk . The probability of observing hki when |biθ is the initial state is kΦθ (hki|b)k2 . If the measurement is complete then Mk is one-dimensional and Φθ (hki|b) is not a vector but a complex number. We use the IPP representation because, as in [30], we want to analyze measurements acting on a fixed number n of qubits independently of the degree of freedom provided by appending an ancilla to the system (unlike the POVM model). When we say that a measurement is n-coherent, we mean that it measures a quantum state of dimension 2n regardless the dimension of the ancilla.
3
The Protocol
The protocol we describe works on the same principles than BCJL [10]. The main difference is the direction of the quantum transmission allowing Alice to commit. For this reason our scheme is called LJCB. Unlike the BCJL scheme, the commitment is made by choosing how to measure the received qubits. The
Quantum Bit Commitment From a Physical Assumption
343
commitment is initiated by Bob who sends to Alice N qubits in state |biθ for b ∈R {0, 1}N and θ ∈R {+, ×}N . For each qubits she receives, one of the two incompatible Von Neumann measurements + and × is chosen and the result is announced to Bob. Since the two measurements are incompatible, even knowing the outcome does not reveal all the information about which one has actually been done. Let C be an error-correcting code of length N , dimension k and minimum distance d. The code C does not need to have an efficient decoding algorithm. In order to commit (see protocol 1), Alice picks c ∈R C, measures the i–th photon πi with the Von Neumann measurement {+, ×}ci and announces the classical outcome βi ∈ {0, 1}. Alice also chooses and announces a random r ∈ {0, 1}n subject to r c = x. This completes the committing phase. In order to open x (see protocol 2), Alice simply announces c and x allowing Bob to verify (for each πi ) that when she measured in the basis he had chosen then the announced outcome corresponds to the bit originally sent. In this paper, we assume a noiseless quantum channel allowing Bob to reject Alice’s commitment as soon as one position i is found such that θi = ci but bi 6= βi . The case of a noisy quantum channel will be addressed in the final version. Protocol 1 ( commit(x) ) 1: Bob picks and announces a random boolean generating matrix G for a linear [N, k, d]–code C with N and k chosen according to theorem 3,
2: Alice picks m ∈R {0, 1}k , sets c ∈R G · m and picks r ∈R {0, 1}N subject to c r = x. Alice announces r to Bob,
3: Bob chooses randomly b ∈R {0, 1}N and θ ∈R {+, ×}N , N
4: DO i=1
– Bob sends a photon πi in polarization state |bi iθi , – Alice measures πi in basis {+, ×}ci and obtains the classical outcome βi ∈ {0, 1}, 5: Alice announces β = β1 , . . . , βN to Bob.
Protocol 2 ( open(r, β, θ, b)(c, x) ) 1: Alice announces c and x to Bob, 2: Bob accepts if and only if
1. c ∈ C, 2. (∀i ∈ {1, . . . , N })[θi = ci ⇒ bi = βi ] and 3. x = c r.
4
Tools
In this section, we give general properties applicable to any quantum measurement Alice may apply when she commits and opens the bit x. These properties are tools that will be used to deal with Alice general strategy against the binding condition.
344
Louis Salvail
When Alice commits, she measures the initial state |biθ in order to get the classical outcome hr, βi. When she opens x, she refines her measurement and gets the final classical outcome hr, β, ci. The bit x needs not to appear in the final outcome description since it is uniquely defined as c r. It is convenient to write hr, β, vi to represent a partial outcome with an extra piece of information v ∈ V for an arbitrary set V. The extra outcome v will be used in section 5 to model successive steps in Alice opening strategy. The final outcome hr, β, ci is accepted by Bob if and only if c ∈ C and the string b ∈ {0, 1}N is in the set S(β, c, θ) = {b ∈ {0, 1}n|(∀i ∈ {1, . . . , n})[θi = ci ⇒ bi = βi ]}. The following definition characterizes partial outcomes hr, β, vi allowing to announce safely the codeword c. Definition 2. A partial result with classical outcome hr, β, vi is (θ, c, p)–safe if for 12 < p < 1, θ ∈ {+, ×}n and c ∈ {+, ×}n we have P (b ∈ S(β, c, θ)|β = β ∧ θ = θ ∧ v = v) ≥ p.
(4)
We also say that hr, β, vi is (c, p, q)-safe if there exists a subset Θ ⊆ {+, ×}n such that #Θ 2n ≥ q and for each θ ∈ Θ the partial outcome hr, β, vi is (θ, c, p)-safe. Suppose the result hr, β, vi is (θ, c, p)-safe. The IPP operator implementing the measurement that produces hr, β, vi can be written in terms of transition amplitudes given the following identity (see section 2.3): P θ 2 b∈S(β,c,θ) kΦ (hr, β, vi|b)k . P (b ∈ S(β, c, θ)|hr, β, vi ∧ θ = θ) = P θ 2 b∈{0,1}n kΦ (hr, β, vi|b)k This allows to rewrite equation 4 as X kΦθ (hr, β, vi|b)k2 ≥ p b∈S(β,c,θ)
X
kΦθ (hr, β, vi|b)k2 .
(5)
b∈{0,1}n
If hr, β, vi is (c, p, q)-safe then there exists Θ ⊆ {+, ×}n such that #Θ 2n ≥ q and equation 5 holds for all θ ∈ Θ. In section 5, we shall see that next definition characterizes the partial outcomes of n-coherent measurements Alice needs in order to attack the binding condition of LJCB. Lemma 1 will then put restrictions on what Alice can physically achieve. Definition 3. Let θ ∈ {+, ×}n, r, β, c, c0 ∈ {0, 1}n. A partial result with classical outcome hr, β, vi is (θ, c, c0 , p)–promising if hr, β, vi is (θ, c, p)–safe and (θ, c0 , p)– safe. We also say that hr, β, vi is (c, c0 , p, q)-promising if there exists a subset Θ ⊆ {+, ×}n such that #Θ 2n ≥ q and for each θ ∈ Θ the partial outcome hr, β, vi is (θ, c, c0 , p)-promising. Let S(β, c, c0 , θ) = S(β, c, θ) ∩ S(β, c0 , θ) be the set of initial strings b ∈ {0, 1}n such that from hr, βi both c and c0 can be announced without error. Using equation 5, we easily get that hr, β, vi is (θ, c, c0 , p)-promising implies X X kΦθ (hr, β, vi|b)k2 ≥ (2p − 1) kΦθ (hr, β, vi|b)k2 . (6) b∈S(β,c,c0,θ)
b∈{0,1}n
Next lemma shows that promising partial results don’t always exist.
Quantum Bit Commitment From a Physical Assumption
345
Lemma 1. Let c, c0 ∈ {0, 1}n be such that ∆(c, c0 ) ∈ Ω(n) and let r, β ∈ {0, 1}n. Then, there exists no (c, c0 , p, q)–promising partial result with classical outcome hr, β, vi whenever q(2p − 1) ≥ pmax = 0.586. Proof. Let Θ ⊆ {+, ×}n be a set of basis such that #Θ 2n ≥ q and for all θ ∈ Θ the partial outcome hr, β, vi is (θ, c, c0 , p)-promising. ¿From equation 6, for all θ ∈ Θ, P (b ∈ S(β, c, c0 , θ)|hr, β, vi is (θ, c, c0 , p)-promising) ≥ 2p − 1. By construction we also have that P b∆(c,c0 ) = β∆(c,c0 ) |b ∈ S(β, c, c0 , θ) = 1. It follows that P b∆(c,c0 ) = β∆(c,c0 ) |hr, β, vi is (θ, c, c0 , p)-promising ≥ 2p − 1.
(7)
Since no measurement outcome gives information about the transmission basis θ, we have that P (θ ∈ Θ|hr, βi) ≥ q. It follows from Bayes’ law that P b∆(c,c0 ) = β∆(c,c0 ) |hr, β, vi is (c, c0 , p, q)-promising ≥ q(2p − 1). The amount of uncertainty about b∆(c,c0 ) can therefore be upper bounded as follows: H(b∆(c,c0 ) |hr, β, vi is (c, c0 , p, q)–promising ) 0 2∆(c,c ) −1 times z }| { 1 − q(2p − 1) 1 − q(2p − 1) , . . . , ∆(c,c0 ) ) ≤ H(q(2p − 1), ∆(c,c0 ) 2 −1 2 −1 ≤ H(q(2p − 1), 1 − q(2p − 1)) + (1 − q(2p − 1))∆(c, c0 ).
The above equation contradicts the lower bound expressed equation 3 since q(1 − 2p) > pmax implies H(b∆(c,c0 ) |hr, β, vi is (c, c0 , p, q)–promising ) ≤ H(0.586, 0.414) + 0.414∆(c, c0 ) ∆(c,c0 )
≤ H V N (ρb when ∆(c, c0 ) ∈ Ω(n) is large enough.
) t u
In other words, any outcome hr, β, vi that is (c, c0 , p, q)-promising for p and q such that q(2p − 1) ≥ pmax , conveys more information about b∆(c,c0 ) than what is allowed by equation 3. This holds regardless of the extra outcome v.
346
5 5.1
Louis Salvail
The Binding Condition n-Coherent Opening Strategies
Alice’s opening strategies are of the following form: – During the committing phase, Alice incompletely measures the N qubits in order to get the partial outcome hr, βi for r ∈ {0, 1}N and β ∈ {0, 1}N . She announces r and β to Bob. – During the opening phase, Alice completes her previous measurement according to the bit x she wants to unveil. The outcome of the refinement is a codeword c ∈ C and the unveiled bit x ∈ {0, 1} is c r = x. The final and complete outcome hr, β, ci allows Bob to learn x. An opening strategy is n-coherent if all measurements performed by Alice during both phases are n-coherent. Unlike fully coherent strategies, a n–coherent strategy is made out of t ≥ d N n e measurements depending only classically upon each others. Each possible measurement must be expressible as an IPP operator with no more than 2n columns. However, the description of each IPP operator may depend upon some partial outcomes obtained from previous measurements and therefore can change dynamically as the opening strategy evolves. In order to model arbitrary n-coherent opening strategies, it is convenient to use a tree structure TNn . Each node in TNn represents the current state and the next measurement to be applied. The relevant operations are quantum measurements and classical announcements. For the sake of simplicity, we only represent in TNn the opening part of Alice’s strategy. In other words, the root of TNn represents the first refinement Alice applies from the partial outcome hr, βi when the opening phase is initiated. We require that each measurement along any path P of TNn can be expressed as a set of measurements MP = {M1 , . . . , Mt } where each M ∈ MP , is an IPP operator of at most 2n columns acting on a subset B ⊆ {1, . . . , N } of the received qubits. Without loss of generality we assume that all announcements are made at the very end of the measurement process i.e. they are leafs of TNn . We also assume each internal node to define a binary outcome refinement. The outgoing edges are labelled according to the possible outcomes and lead to the next node. At the end of each path, a final announcement c ∈ C is made. Each path P in TNn defines a complete final outcome hr, β, ci which is the concatenation of all t measurement outcomes defined along P . Since each measurement Mi ∈ MP is applied to a block Bi ⊆ {1, . . . , N } of at most n qubits, P defines a partition B = {B1 , . . . , Bt } such that for all i ∈ {1, . . . , t}, #Bi ≤ n. Each measurement Mi may act coherently on photons {πj }j∈Bi . We call B the block decomposition of P and each B ∈ B is called a block. The partial and final outcomes for a measurement M ∈ MP acting on block B ∈ B are denoted by hr, βiB = hrB , βB i and hr, β, ciB = hrB , βB , cB i respectively. It is also convenient to define the block decomposition B(d) at node d which is the block decomposition for measurements along the path from the root to node d. Once the measurement in node d is completed during the execution of TNn with root hr, βi, Alice gets the partial outcome hr, β, v(d)i where v(d) represents
Quantum Bit Commitment From a Physical Assumption
347
the composite partial outcome (or view) for refinements down to d. We denote the final outcome by hr, β, ci with c ∈ C dropping the irrelevant auxiliary view u v(d). Let d0 be a node in TNn reachable from d. We write hr, β, v(d)i → hr, β, v(d0 )i if the probability to go from d to d0 in TNn is at least u. We write hr, β, v(d)i → hr, β, v(d0 )i to indicate that the probability of transition from d to d0 is nonzero. We denote L(TNn , s) the set of nodes at level s in TNn . Definition 4. Let TNn be a n-coherent opening strategy from partial outcome hr, βi. We say that TNn is (u, γ)–successful if there exists C ∗ ⊆ C such that P (c ∈ C ∗ |hr, βi ∧ TNn ) ≥ u and for all c ∈ C ∗ , P (b ∈ S(θ, β, c)|hr, βi ∧ TNn ) ≥ γ. Similarly, a node d in TNn is said to be (u, γ)–successful if the subtree TNn (d) of TNn is (u, γ)–successful. Next lemma gives some simple properties any n-coherent opening strategy TNn must have. The proof is omitted but follows easily from the definition 4 and the above discussion. Lemma 2. Let TNn be an n-coherent opening strategy with root hr, βi. Let γ = 1 − (1 − %)(1 − q) for 0 < %, q < 1 and let l > 0 be an integer. Let d ∈ TNn and n t = dN e. The following holds: 1. If d0 is a son of d in TNn then #(B(d0 ) ∩ B(d)) ≥ t − 1, 2. If hr, β, v(d)i is both (c, %, q)-safe and (c0 , %, q)-safe then hr, β, v(d)i is (c, c0 , %, 2q − 1)-promising, u 3. If for B ∈ B(d), hr, β, v(d)iB → hr, β, ciB and hr, β, ciB is (c, %, q)-safe then hr, β, v(d)iB is (c, %u, q)-safe, %l
4. if hr, β, v(d)i → hr, β, ci then % b b b ≥ t − l], (∃B(d) ⊆ B(d))(∀B ∈ B(d))[hr, β, v(d)iB → hr, β, ci ∧ #B(d) 5. if P (b ∈ S(θ, β, c)|hr, β, ci) ≥ γ l then b b b ≥ t − l]. (∃D(d) ⊆ B(d))(∀B ∈ D(d))[hr, β, ciB is (c, %, q)-safe ∧ #D(d) 5.2
LJCB is Binding
In this section we prove that whenever n is small with respect to C’s minimum distance d, Alice cannot change her mind with arbitrary good probability of success. The smaller n is, compared to d, the better the probability is for Bob to detect Alice changing her mind. Next lemma shows that any successful strategy allows to unveil only one c ∈ C with good probability of success. The binding condition will then follow. d . If TNn is a (%l , γ l )-successful Lemma 3. Let % = 0.93,γ = 0.9937 and n ≤ 4l+5 n-coherent opening strategy from partial outcome hr, βi then the following predicate holds,
H(s) ≡ [(∀d ∈ L(TNn , s))(∃!c∗ ∈ C)
[hr, β, v(d)i → hr, β, c∗ i ∧ P (b ∈ S(θ, c∗ , β)|hr, β, c∗ i) ≥ γ l ]].
348
Louis Salvail
Proof. Let q = 0.91 be such that γ = 1 − (1 − %)(1 − q). Let t = d N n e be a lower bound on the number of n-coherent measurements. The proof proceeds by mathematical induction. In the first place, it is easy to see that H(0) holds since all nodes at level 0 are announcements. Second, assume H(s) holds, we show that H(s + 1) also holds. Let d ∈ L(TNn , s + 1). Let d0 and d1 be the left and right son of d respectively. If TNn (d0 ) or TNn (d1 ) is not (%l , γ l )-successful then H(s + 1) followed directly from H(s). Now suppose both TNn (d0 ) and TNn (d1 ) are (%l , γ l )-successful. By induction hypothesis, TNn (d0 ) and TNn (d1 ) are such that %l
%l
hr, β, v(d0 )i → hr, β, c0 i and hr, β, v(d1 )i → hr, β, c1 i respectively, for c0 , c1 ∈ C. If c0 = c1 then H(s + 1) follows from H(s). Assume for a contradiction that c0 6= b 0 ) and B(d b 1 ) be defined according to lemma 2-4). We have that for c1 . Let B(d b 0 ) and D(d b 1 ) be defined as in lemma 2-5) b w ) ≥ t − l. Let D(d all w ∈ {0, 1}, #B(d b w )∩D(d b w )∩B(d) be b w ) ≥ t−l. Let Γ w = B(d ensuring that for all w ∈ {0, 1},#D(d % w w the set of blocks B ∈ B(d) such that hr, β, v(d )iB → hr, β, c iB and hr, β, cw iB w are (cw ≥ t − 2(l + 1) and from B , %, q)-safe. From property 2-1), we get that #Γ w w 2 0,1 lemma 2-3), all B ∈ Γ are such that hr, β, v(d )iB is (cw = B , % , q)-safe. Let Γ 0 1 0 1 2 Γ ∩Γ be the set of blocks B ∈ B(d) such that hr, β, v(d)iB is (cB , cB , % , 2q−1)promising. Since both #Γ 0 and #Γ 1 are greater than t − 2(l + 1) it follows that #Γ 0,1 ≥ t − 4(l + 1). Let B∆ = {B ∈ B(d)|∆(c0B , c1B ) ∈ Ω(n)} be such that d #B∆ ≥ 4l+5 from the fact that n ≤ 4l+5 . From lemma 2-2), all B ∈ Γ∆ = (Γ 0 ∩ 1 0 Γ ) ∩ B∆ are such that hr, β, v(d)iB is (cB , c1B , %2 , 2q − 1)-promising in addition to ∆(c0B , c1B ) ∈ Ω(n). To get a contradiction, it suffices to show that Γ∆ is not empty since any B ∈ Γ∆ is such that hr, β, v(d)iB is (c0B , c1B , %2 , 2q −1)-promising contradicting lemma 1 since (2%2 −1)(2q−1) > pmax . By the pigeonhole principle, since #(B(d) \ Γ 0,1 ) ≤ 4l + 4 and #B∆ ≥ 4l + 5, it must exist a block B ∈ B∆ that is also in Γ 0,1 and therefore #Γ∆ ≥ 1. We must conclude that c0 6= c1 is impossible and H(s + 1) follows. t u Next theorem uses lemma 3 in order to conclude that LJCB is δ-binding for any δ > 0 and against all n-coherent opening strategies for some n ∈ Ω(N ). Theorem 1. Let N be the number of BB84 qubits transmitted. Let l > 0 be an integer. Let d ∈ Ω(N ) be C’s minimum distance. Protocol LJCB is δ(l)-binding d and against any n-coherent opening strategy for δ(l) = γ l + %l provided n ≤ 4l+5 γ, % are defined as in lemma 3. Proof. Assume Alice can open any x ∈ {0, 1} with an appropriate n-coherent opening strategy TNn (x). The trees TNn (0) and TNn (1) cannot be both (%l , γ l )successful since otherwise the tree TNn with TNn (0) and TNn (1) as left and right subtree respectively will also be (%l , γ l )-successful. By construction, TNn has two codewords c0 6= c1 such that for all x ∈ {0, 1} hr, βi → hr, β, cx i and P (b ∈ S(θ, cx , β)|hr, β, cx i) ≥ γ l contradicting lemma 3. It follows that there exists x ˜ ∈ {0, 1} having probability less than δ(l) ≤ (1 − %l )γ l + %l ≤ γ l + %l of being unveiled with success. t u
Quantum Bit Commitment From a Physical Assumption
6
349
The Concealing Condition
In this section we show how to choose the code C such that Bob gets almost no Shannon information about the committed bit x. The technique is similar to the one introduced in [10] to deal with the concealing condition of BCJL. Here, we sketch the proof that LJCB is concealing along the same lines. We first define the density matrix ρc that characterizes Bob’s view about c ∈ C given the announcement hr, βi. We then show that Bob’s view about c is equivalent to receiving c through a noisy channel. This is done by introducing a fictitious protocol used by Alice to send c ∈ C in such a way that Bob gets the same view than after the committing phase of LJCB. We finally show, using privacy amplification techniques [4,12], that the fictitious protocol conceals x and therefore so it is for LJCB. The most general attack for Bob is to prepare a quantum system initially in pure state |ψi ∈ H2N ⊗ HB where H2N is the Hilbert space of N qubits and HB is an auxiliary Hilbert space helping Bob in its quest P for x. The quantum state |ψi can be written, for some I ∈ IN, as |ψi = 1≤i≤I ai |ψiA i ⊗ |ψiB i where |ψiA i ∈ H2N , |ψiB i ∈ HB and the ai ’s are complex numbers such that P 2 A B i |ai | = 1. We do not require |ψi i’s (resp. |ψi i) to be orthogonal. Bob then sends ρA = TrHB (|ψihψ|) to Alice and keeps the remaining part ρB = TrH2N (|ψihψ|) for later use. Once β, r ∈ {0, 1}N have been announced, Bob determines an unitary transformation U (r, β) which he applies to ρB . The strategy is completed after a standard measurement M is finally applied to the final state U (r, β)ρB U (r, β)† . First, we show that Bob has no advantage in preparing ρA in a mixed state. Consider that, instead of preparing state |ψi as described above, Bob follows the procedure Simulate(ψ) defined as: 1. 2. 3. 4.
Bob Bob Bob Bob
picks i ∈ {1, . . . , I} with probability |ai |2 , sends to Alice the quantum state |ψiA i and keeps |ψiB i for later, waits for r, β ∈ {0, 1}N and applies |ψbiB i = U (r, β)|ψiB i, measures |ψbiB i with measurement M .
The above procedure gives exactly the same view than what Bob would get if he had prepared the entangled state |ψi since |ψi is a purification of Simulate(ψ) [18]. The density matrices, for Alice’s and Bob’s systems, before M is applied are identical in both cases. It follows that M behaves the same way in both scenarios and therefore, if the initial preparation |ψi helps Bob in cheating then so it is for Simulate(ψ). By the same argument, each qubit πi can be assumed in pure state |φi i ∈ H2 allowing us to restrict the analysis to Bob’s strategy consisting of sending N qubits in state ⊗N i=1 |φi i. Let Bob’s qubits πi , for i ∈ {1, . . . , N }, be in quantum state |φi i = cos αi |0i+ sin αi |1i where αi is an arbitrary angle. For m, w ∈ {0, 1}, let pwm (αi ) be the probability that Alice observes the classical outcome m whenever |φi i is measured in basis {+, ×}w. We have that p00 (αi ) = cos2 αi , p01 (αi ) = sin2 αi , p10 (αi ) = (cos αi + sin αi )2 /2 and p11 (αi ) = (sin αi − cos αi )2 /2.
350
Louis Salvail
Let ρici be the density matrix describing what Bob gets when Alice chooses to measure πi in basis {+, ×}ci : ρici (αi ) = pci 0 (αi )|0ih0| + pci 1 (αi )|1ih1|.
(8)
The density matrix ρx (α) associates with the commitment of bit x and given the polarization angles α = α1 , α2 , . . . , αN is such that (see [10] for details) X
ρx (α) =
{c∈C|c r=x}
2−k+1
N O
ρici (αi ).
i=1
Consider the following fictitious protocol for transmitting c ∈R C from Alice to Bob. It is easy to verify that the density matrix ρbx (α) corresponding to the transmission of a random codeword from C in fictitious(x), satisfies ρbx (α) = ρx (α). Protocol 3 ( fictitious(x) ) 1: Alice chooses c ∈R C, 2: For each i ∈ {1, . . . , N }, Alice sends to Bob a photon πi in state:
– If ci = 0 then she sends |0i with probability p00 (αi ) and sends |1i with probability p01 (αi ), – If ci = 1 then she sends |0i with probability p10 (αi ) and sends |1i with probability p11 (αi ). 3: Alice announces a random r ∈ {0, 1}N such that c r = x.
Protocol fictitious(x) does not require the transmission of qubits. Classical communication is enough since only orthogonal states are sent. Given α, Bob’s view about c in LJCB is the same as if c was sent through a classical noisy channel. Let ωi be the bit received by Bob in the i-th transmission. In general, for any c, w ∈ {0, 1} and any actual view Vi up to the i-th transmission , we have P (ci = c|ωi = w ∧ αi ∧ Vi ) =
P (ci = c|Vi ) pcw (αi ) . (9) P (ci = 0|Vi ) p0w (αi ) + P (ci = 1|Vi ) p1w (αi )
An easy calculation shows that for any actual view Vi , the best choice for αi 1 vπ is αi = vπ 4 for some v ∈ IN. Whenever P (ci = c|Vi ) = 2 any αi = 4 for v ∈ IN works equally good. In order to simplify the analysis, we assume that C is a [N, k]-systematic random code. This ensures that for all i ∈ {1, . . . , k}, P (ci = c|Vi ) = 12 allowing us to set αi = 0 without loss of generality. In addition, we also assume that the redundancy part c˜ ∈ {0, 1}N −k of c ∈ C is sent perfectly to Bob. This new procedure is called fictitious∗ (x) and is identical to protocol 3 except that C is systematic and only the message part m ∈ {0, 1}k of a codeword c is sent imperfectly. Obviously if Bob does not get much information when c is sent according to fictitious∗ (x) then he gets no more information whenever c is received according to fictitious(x).
Quantum Bit Commitment From a Physical Assumption
351
The first step consists of finding a lower bound on Bob’s R´enyi (or collision) entropy about c before Alice announces the redundancy part c˜ and r ∈ {0, 1}N in fictitious∗ (x). Setting αi = 0 in equation 9 gives that for all c ∈ {0, 1}: P (ci = c|wi = 0 ∧ Vi ) ≥
1 . 3
(10)
The subset of positions J ⊆ {i|ωi = 0} is, except with negligible probability 2 2−λ k , such that #J ≥ P (ω i = 0|Vi ) k − λk = ( 34 − λ)k. Bob’s R´enyi entropy R(c|V) given the view V = ∪1≤i≤k Vi after the transmission of the k bits of message in c is such that, 5 3 3 R(c|V) ≥ −k( − λ)lg = 0.848( − λ)k. 4 9 4
(11)
Next, Bob learns perfectly N −k parity bits about cJ . The situation is identical to receiving the bits in cJ over a binary symmetric channel with error probability 13 plus u = N −k parity bits. This situation has been analyzed extensively in [12]. It is shown that, except with probability 2−λk , the R´enyi entropy R(c|V ∧ U = U ) given the complete view V and the parity bits U satisfies: R(c|V ∧ U = U ) ≥ R(c|V) − 2u − 2λk ≥ 2.63k − 2N − 3λk.
(12)
Equation 12 and the privacy amplification theorem (PAT) of [4] allows to conclude that the committed bit x = c r is statistically hidden to Bob. b > 0 such that except with negligible probability, the Theorem 2. There exists λ λN information Bob gets about x after the commit phase of LJCB is less than 2−b provided
k N
≥ 0.77.
Proof sketch. According to the PAT [4], the amount of Shannon information I(x|V ∧ U = U ∧ r = r) about x after the execution of fictitious∗ (x) is such k that I(x|V ∧ U = U ∧ r = r) ≤ 2−R(c|U =U ∧V)+1 / ln 2. Plugging N ≥ 0.77 and λN setting λ small enough in equation 12 gives I(x|V ∧ U = U ∧ r = r) ≤ 2−b ∗ b for some λ > 0. This also holds for LJCB since fictitious (x) gives always more information about x. t u
7
Conclusion
Theorem 1 and 2 ensure that LJCB can be tuned to provide both the binding and the concealing conditions. Using Gilbert-Varshamov bound (GVB) on random binary codes allows to conclude that the same tuning can satisfy both conditions simultaneously. According to GVB [23], a random N × k matrix with k N > 0.77 defines a [N, 0.77N, 0.035N ]–code except with negligible probability. Theorems 1, 2 and GVB allow to conclude with our main result: Theorem 3. Let C be a [N, 0.77N ] random binary code. Let l > 0 be an integer and let n ≤ 0.035N 4l+5 . Protocol LJCB is δ(l)-secure against all n-coherent opening strategies for γ = 0.9937, % = 0.93 and δ(l) = γ l + %l .
352
Louis Salvail
The binding condition, which is the target of Mayers’ attack, holds because if Alice could succeed in changing her mind, it would imply that some measurement outcomes have given more information than what is physically achievable. Even n though our analysis gives n ∈ Ω(N ) for any δ(l) > 0, the constant N ≈ 0.035N 4l+5 is small even for relatively large values of δ(l). It is important for practical applications to improve the constants appearing in the statement of theorem 3. Bootstrapping the BBCS protocol with LJCB leads to secure QOT provided the receiver cannot carry out n-coherent opening strategies against the commitments [35]. In BBCS, the receiver must commit on measurement outcomes. Two commitments are produced for each of the N qubits received. ¿From theorem 3 and assuming each commitment requires the transmission of N qubits, we √ get that BBCS is secure against n-coherent measurements for some n ∈ Ω( N ). Moreover, one call to BBCS is sufficient to get a 2−αN -secure commitment scheme for some√α > 0. The resulting commitment is therefore 2−αN -secure for some n ∈ Ω( N ) as well. This leads to our main open question: Is LJCB 2−αN -binding against any n-coherent opening strategy for some n ∈ Ω(N )? When used in BBCS, LJCB allows to realize QOT using only unidirectional quantum transmission. If QOT is used for quantum identification [14] then the scheme achieves unconditional security for the client and conditional security for the server. All quantum transmissions taking place are from the client to the server. This is interesting in practice because only the technology for sending photons (which is simpler than the one for receiving) is required for the client. However, in other scenarios it might be better to have a commitment scheme where the committer is sending the qubits. In such a case BCJL would be a better choice. Theorem 3 should also hold for BCJL but with different constants. It would be interesting to prove theorem 3 for BCJL as well. Different experiments in quantum information theory (see [17,24,8,31]) have given strong evidences that our assumption is realistic. It appears that the physical complexity of implementing n-coherent measurements grows very quickly as n increases. Today’s technology only allows to deal imperfectly with the simple case n = 2. Future experiments will be important in order to capture more precisely what is the inherent difficulty of implementing arbitrary large coherent measurements. Despite the fact that quantum cryptography does not provide unconditional secure two-party computation, it allows to base cryptography upon physical, realistic and well-defined assumptions. In this paper, we have shown how quantum mechanics can help in providing an alternative framework to complexity-based cryptography.
Acknowledgements The author is very grateful to Peter Høyer for indispensable help. I would like to thank Ivan Damg˚ ard, Jeroen van de Graaf and Claude Cr´epeau for helpful discussions and comments. I am also indebted to Gilles Brassard for having proposed the problem in the first place. Finally, thanks to the anonymous referees for valuable remarks.
Quantum Bit Commitment From a Physical Assumption
353
References 1. Aspect, A, P. Grangier and G. Roger, “Experimental realization of the Einstein-Podolsky-Rosen-Bohm gedankenexperiment: A new violation of Bell’s inequalities”, Physical Review Letters, vol. 49, no. 2, 1982, pp. 91 – 94. 338 2. Bell, J.S.,“On the Einstein Podolsky Rosen Paradox”, Physics, vol. 1, no. 1, 1964, p. 195. 3. Bennett, C. H. and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing”, Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, December 1984, pp. 175 – 179. 338, 338, 341 4. Bennett, C. H., G. Brassard, C. Cr´ epeau and U. Maurer, “Generalized Privacy Amplification”, IEEE Transaction on Information Theory, vol. 41, 1995, pp. 1915 – 1923. 349, 351, 351 5. Bennett, C. H., G. Brassard, C. Cr´ epeau and M.–H. Skubiszewska, “Practical quantum oblivious transfer”, Advances in Cryptology — Proceedings of Crypto ’91, August 1991, Springer – Verlag, pp. 351 – 366. 339, 341 6. Bennett, C. H., G. Brassard, C. Cr´ epeau, R. Jozsa, A. Peres and W.K. Wootters, “Teleporting an Unknown Quantum State via Dual Classical and EPR Channels”,Physical Review Letters, vol.70, no. 13, 1993, pp. 1895 – 1899. 339 7. Biham, E, G. Brassard,M. Boyer,J. van de Graaf and T. Mor, “Security of Quantum Key Distribution Against All Collective Attacks”, Los Alamos preprint archive quant-ph/9801022, January 1998. 338 8. Bouwmeester, D, J.W. Pan, K. Mattle,M. Eibl,H. Weinfurter and A. Zeilinger, “Experimental Quantum Teleportation”,Nature, vol.390, 1997,p.575. 339, 339, 352 9. Brassard, G.and C. Cr´ epeau, “Quantum bit commitment and coin tossing protocols”, Advances in Cryptology — Proceedings of Crypto ’90, August 1990, Springer – Verlag, pp. 49 – 61. 338, 339 10. Brassard, G., C. Cr´ epeau, R. Jozsa and D. Langlois, “A quantum bit commitment scheme provably unbreakable by both parties”, Proceedings of 34th Annual IEEE Symposium on the Foundations of Computer Science, November 1993, pp. 362 – 371. 339, 339, 341, 342, 349, 350 11. Brassard, G., C. Cr´ epeau, D. Mayers and L. Salvail, “A Brief Review on the Impossibility of Quantum Bit Commitment”, Los Alamos preprint archive quant-ph/9712023, December 1997. 339 12. Cachin, C.and U. Maurer,“Linking Information Reconciliation and Privacy Amplification”,Journal of Cryptology, vol. 10, no. 2, 1997,pp. 97 – 110. 349, 351 13. Cr´ epeau, C., “What is going on with quantum bit commitment?”, Proceedings of Pragocrypt ’96: 1st International Conference on the Theory and Applications of Cryptology, Prague, October 1996. 339 14. Cr´ epeau, C. and L. Salvail, “Quantum oblivious mutual identification”, Advances in Cryptology — Proceedings of Eurocrypt ’95, May 1995, Springer – Verlag, pp. 133 – 146. 352 15. Cr´ epeau, C., J. van de Graaf and A. Tapp, “Committed Oblivious Transfer and Private Multi-Party Computation”, in Advances in Cryptology: Proceedings of Crypto ’95 (Springer – Verlag, Berlin, 1995), Vol. 963, pp. 110 – 123. 338 16. Einstein A., B. Podolski and N. Rosen, “Can Quantum-Mechanical Description of Physical Reality be Considered Complete?”, Physical Review, no. 47, 1935, pp. 777 – 780. 338
354
Louis Salvail
17. Hughes, R.J.,D.F.V. James,J.J. Gomez,M.S. Gulley,M.H. Holzscheites, P.G. Kwiat,S.K. Lamoreaux,C.G. Peterson,V.D. Sandberg,M.M. Schauer,C.M. Simmons, C.E. Thorburn, D. Tupa, P.Z. Wang and A.G. White, “The Los Alamos Trapped Ion Quantum Computer Experiment”,Los Alamos preprint archive quant-ph/9708050, August 1997. 340, 352 18. Hughston, L. P., R. Jozsa, and W.K. Wootters, “A complete classification of quantum ensembles having a given density matrix”, Physics Letters A, vol. 183, 1993, pp. 14 – 18. 349 19. Impagliazzo, R. and M. Luby,“One-way Functions are Essential for Complexity Based Cryptography”, Proceedings of 21th Annual IEEE Symposium on the Foundations of Computer Science, 1989,pp. 230 – 235. 339 20. Kilian, J., Founding Cryptography on Oblivious Transfer, in the proceeding of 20th Symposium on Theory of Computation, Chicago, 1988, pp. 20 – 31. 338 21. Kranakis,E.,“Primality and Cryptography”,John Wiley and Sons, 1986. 22. Lo, H.–K. and H. F. Chau, “Is quantum bit commitment really possible?”, preprint archive http://xxx.lanl.gov/ps/quant-ph/9603004, March 1996. 339 23. MacWilliams, F.J.and N.J.A. Sloane,“The Theory of Error-Correcting Codes”, North-Holland, 1977. 351 24. Mattle, K.,H. Weinfurter, P.G. Kwiat and A. Zeilinger, “Dense coding in experimental quantum communication”, Physical Review Letters, vol. 76, 1996, pp. 4656 – 4659. 339, 352 25. Mayers, D., On the security of the quantum oblivious transfer and key distribution protocols, Advances in Cryptology: Proceeding of Crypto ’95, Lecture Notes in Computer Science, 1995. 338 26. Mayers, D., “The trouble with quantum bit commitment”, Presented at a workshop on quantum information theory, Montr´eal, October 1995. Available at http://xxx.lanl.gov/ps/quant-ph/9603015, March 1996. 339 27. Mayers, D., “La s´ecurit´e des protocoles de la cryptographie quantique”, PhD dissertation, Universit´e de Montr´eal, 1996. 342 28. Mayers, D., “Unconditionally secure quantum bit commitment is impossible”, presented in the Fourth Workshop on Physics and Computation — PhysComp ’96, Boston, November 1996. 341 29. Mayers, D., “Unconditionally secure quantum bit commitment is impossible”, Physical Review Letters, vol 78, 1997, pp. 3414 – 3417. 339, 341 30. Mayers, D. and L. Salvail, “Quantum oblivious transfer is secure against all individual measurements”, Proceedings of the Third Workshop on Physics and Computation — PhysComp ’94, Dallas, November 1994, IEEE Computer Society Press, pp. 69 – 77. 342 31. Michler, M., K. Mattle, H. Weinfurter and A. Zeilinger, “Interferometric Bell-state analysis”,Physical Review Letters,vol. 53, 1996,pp. 1209 – 1212. 339, 352 32. Rabin, M. O., “How to exchange secrets by oblivious transfer”, Technical Memo TR–81, Aiken Computation Laboratory, Harvard University, 1981. 338 33. Schumacher, B.,“Sending quantum entanglement through noisy channels”, Los Alamos preprint archive http://xxx.lanl.gov/ps/quant-ph/9604023, April 1996. 342 34. Wiesner, S., “Conjugate coding”, Sigact News, Vol. 15, no. 1, 1983, pp. 78 – 88; original manuscript written circa 1969. 338, 338 35. Yao, A. C.–C., “Security of quantum protocols against coherent measurements”, Proceedings of 26th Annual ACM Symposium on the Theory of Computing, 1995, pp. 67 – 75. 339, 339, 341, 352
On Concrete Security Treatment of Signatures Derived from Identification Kazuo Ohta and Tatsuaki Okamoto NTT Laboratories Nippon Telegraph and Telephone Corporation 1-1 Hikari-no-oka, Yokosuka, Kanagawa, 239-0847 Japan {ohta,okamoto}@isl.ntt.co.jp
Abstract. Signature schemes that are derived from three move identification schemes such as the Fiat-Shamir, Schnorr and modified ElGamal schemes are a typical class of the most practical signature schemes. The random oracle paradigm [1,2,12] is useful to prove the security of such a class of signature schemes [4,12]. This paper presents a new key technique, “ID reduction”, to show the concrete security result of this class of signature schemes under the random oracle paradigm. First, we apply this technique to the Schnorr and modified ElGamal schemes, and show the “concrete security analysis” of these schemes. We then apply it to the multi-signature schemes.
1 1.1
Introduction Background
To realize a practical and provably secure cryptosystem is one of the most important research topics, and digital signatures are a very important ingredient in cryptography. This paper focuses on practical and provably secure signature schemes. 1.1.1 Standard Security Paradigm versus Random Oracle Paradigm The first formal definition of the security for digital signatures (“existentially unforgeable against adaptively chosen-message attacks”) was given by Goldwasser, Micali and Rivest [7], and a concrete signature scheme satisfying this security definition was shown by assuming the existence of a claw-free pair of functions [7]. Hereafter, this formal definition and model for signatures is called the “standard security paradigm”, and a signature scheme with the standard security paradigm is just called a “provably secure” signature scheme. An ultimate target in the standard security paradigm was to realize a provably secure signature scheme assuming the weakest computational assumption, the existence of a one-way function. This target was finally solved affirmatively by Naor, Yung and Rompel [9,13]. Their solution, however, was geared towards feasibility result and thus very inefficient and far from practical. In addition, even the scheme by [7] is much less efficient than typical practical schemes such H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 354–370, 1998. c Springer-Verlag Berlin Heidelberg 1998
On Concrete Security Treatment of Signatures
355
as the RSA[14] and Schnorr[15] schemes. Therefore, no provably secure scheme as efficient as typical practical schemes has been proposed. To realize provable security and efficiency simultaneously, another paradigm to prove the security of cryptographic schemes has been proposed [1,2,12]. This is called the “random oracle paradigm”, in which an ideally random and imaginary oracle, the “random oracle”, is assumed when proving the security, and the random oracle is replaced by a practical random-like function such as a oneway hash function (e.g., SHA etc.) when realizing it in practice. Here random oracle F generates an answer randomly to a query posed to F at first. If the same query is asked later, F will answer the same value as was provided to the first query. Although the security under the random oracle paradigm cannot be guaranteed formally when using a practical random-like function in place of the random oracle, this paradigm yields much more efficient schemes than the standard security paradigm. The security with the random oracle gives an informal guarantee to the security of practical random-like functions. In addition, the random oracle model not only provides a methodology for constructing an efficient and secure scheme, but also gives some security guarantee for schemes that practitioners intuitively constructed using a random-like functions in actual systems. 1.1.2 Asymptotic Security Analysis versus Concrete Security Analysis The random oracle paradigm has another advantage over the standard security paradigm: it can much more easily provide “concrete security analysis”, which avoids complexity theory and asymptotic property when proving the security (i.e., reducing the breaking of a primitive problem to breaking a signature scheme). Such concrete security analysis provides a much better guarantee than asymptotic security analysis, since the computational complexity currently required to break a signature scheme with a “fixed size” (e.g., 1024 bits) and “fixed key” can be estimated by the assumed lower bound of the complexity of breaking the underlying primitive with the “fixed size” and “fixed key.” Note that asymptotic security gives no useful information on the security of a fixed size and fixed key system. The concrete security analysis of the reduction from breaking a signature scheme to solving a primitive problem is usually trivial and optimal (i.e., optimally efficient). Hence, we have to obtain the concrete security analysis of the opposite direction of the reduction as much as optimal. If the opposite direction is as efficient as the trivial direction, then we can call such a reduction exact. That is, the exact reduction implies that the required time (and success probability) of breaking the signature scheme is exactly equivalent to that of breaking the primitive problem. (In other words, the signature scheme is exactly as secure as the primitive problem.) The (almost) exact security of the RSA signature scheme along with random functions has been shown under the random oracle paradigm [2]. The asymptotic security of the Schnorr and modified ElGamal schemes has been proven under the same paradigm [12].
356
1.2
Kazuo Ohta and Tatsuaki Okamoto
Main Result
This paper shows the concrete security analysis of the Schnorr, modified ElGamal (MEG) and multi-signature schemes under the random oracle paradigm. (The concrete security analysis of the other signature schemes based on the FiatShamir conversion technique can be proven similarly.) In order to show the concrete security analysis of the signature schemes, we have developed a new technique, “ID reduction”, in which the identification scheme corresponding to the signature scheme is used when showing the reduction from breaking the underlying primitive to breaking the signature scheme. There are two stages of reduction. The first stage is from breaking the corresponding identification to breaking the signature scheme, and the second stage is from breaking the underlying primitive to breaking this identification. In order to obtain a tighter (i.e., close to optimal) reduction and its tighter evaluation from breaking the underlying primitive to breaking the signature scheme, our “ID reduction” technique has an advantage over the previous technique, “forking lemma”, by Pointcheval and Stern [12]. This is because the first stage of ID reduction (ID reduction lemma: Lemma 9) is optimal1 in our signature scheme model and the second stage of this reduction (Lemma 13 and Lemma 15) may be more efficient than the reduction in the forking lemma of [12], since to analyze the corresponding identification scheme is easier than to analyze the signature scheme directly. Here, finding a forking pair of signatures in the forking lemma of [12] corresponds to finding two success entries in a heavy row in our approach. Therefore, the ID reduction technique seems to be more appropriate to obtain a tighter reduction than the previous technique. In addition, the asymptotic result of the Fiat-Shamir signature scheme proven in [12] can be trivially obtained just by combining the ID reduction lemma as the first stage reduction and the well-known techniques given by [5] as the second stage reduction.
2
Framework
In this paper, we investigate a specific class of signature schemes that are derived from three move identification schemes, where the identification schemes are perfect zero-knowledge against an honest verifier [6]. This section shows the models and notations of such signature and identification schemes.
2.1
Signature Scheme
In the signature scheme, signer P publishes public key Kp while keeping secret key Ks . In this paper, we will adopt the following model as a signature scheme, which covers the class of the Fiat-Shamir scheme [4],Schnorr scheme [15] and the modified ElGamal scheme [12]: 1
We will show the meaning of “optimal” in the end of Section 3.
On Concrete Security Treatment of Signatures
357
Model 1. (Signature Model) Key generation: Each signer P generates a pair, (Kp , Ks ), of a secret key and a public key using a key generation algorithm G which, on input 1k , where k is the security parameter, produces (Kp , Ks ). Signature generation: P generates the signature of his message m using a public random oracle function F as follows: P generates X from both Ks and random string R, accesses the random oracle function F to get E = F (X, m) ∈ E, calculates Y using Ks , R and E, and sends (X, m, Y ) to V . Verification: a verifier V checks the validity of the signature of the message by the relations of (Kp , X, E, Y ) and E = F (X, m). Remark 1. We assume that this signature scheme is derived from the following identification scheme. 2.2
Identification Scheme
Here we can define an identification scheme that produces the above-mentioned signature scheme. In an identification scheme, prover P publishes a public key while keeping the corresponding secret key, and proves his identity to verifier V . Model 2. (Identification Scheme) Key generation: Prover P generates a pair, (Kp , Ks ), of a secret key and a public key using a key generation algorithm G which, on input 1k , where k is the security parameter, produces (Kp , Ks ). Identification Protocol: P proves his identity, and verifier V checks the validity of P ’s proof as follows: Step Step Step Step
1 2 3 4
P V P V
generates X from both Ks and random string R and sends it to V . generates random challenge E ∈ E and sends it to P . generates an answer Y from (Ks , R, E) and sends it to V checks the validity of the relations of (Kp , X, E, Y ).
Remark 2. We assume that this three move protocol is perfect zero-knowledge against an honest verifier. 2.3
Security
We will adopt the quantifiable notion of exact security proposed in Reference [2]. 2.3.1 Security of Key Searching Problem Definition 3. A probabilistic Turing machine (adversary) A breaks a key search problem with (t, ) if and only if A can find a secret key from a public key with success probability greater than within processing time t. The probability is taken over the coin flips of A. Definition 4. A key searching problem is (t, )-secure if and only if there is no adversary that can break it with (t, ).
358
Kazuo Ohta and Tatsuaki Okamoto
2.3.2
Security of Identification Schemes
Definition 5. A probabilistic Turing machine (adversary) A breaks an identification scheme with (t, ) if and only if A as a prover can cheat honest verifier V with a success probability greater than within processing time t. Here, A doesn’t conduct any active attack2 . Here, the probability is taken over the coin flips of A and V . Definition 6. An identification scheme is (t, )-secure if and only if there is no adversary that can break it with (t, ). 2.3.3 Security of Signature Schemes Next we will quantify the security of a signature scheme: Here we assume that the attacker can dynamically ask the legitimate user P to sign any message, m, using him as a kind of oracle. This model covers the very general attack of the signature situations, adaptive chosen message attack. Definition 7. A probabilistic Turing machine (adversary) A breaks a signature scheme with (t, qsig , qF , ) if and only if A can forge a signature of a message with success probability greater than . We allow chosen-message attacks in which A can see up to qsig legitimate chosen message-signature pairs participating in the signature generating procedure, and allow qF invocations of F , within processing time t. The probability is taken over the coin flips of A, F and signing oracle P . Definition 8. A signature scheme is (t, qsig , qF , )-secure if and only if there is no adversary that can break it with (t, qsig , qF , ).
3
ID Reduction Lemma
The general techniques by which we can derive signature schemes from three move interactive protocols were proposed in [4] and hash functions are used in order to create a kind of virtual verifier, which gives the conversion from an identification scheme to a signature scheme. To analyze the security of such a class of signature schemes, we will examine the opposite direction of conversion for adversaries in Lemma 9 in order to prove the security of signature schemes as the first stage of ID Reduction Technique. Here note a signature scheme and an identification scheme in this section mean those defined in the previous section. We assume the uniform coin flips 1 over E (i.e., Pr[E occurs] = #E ) are provided. Lemma 9. (ID Reduction Lemma) −
1
(i.e., 0 ≥ #Esig , where 0 = qF#E ). Let ≥ F sig #E 1) If A1 breaks a signature with (t, qsig , qF , ), there exists A2 which breaks the q (q
2
+4)+1
4+q
As the result of Lemma 9 3), it is enough to cover this case only for discussion of the security of identification schemes, where the honest verifier is assumed.
On Concrete Security Treatment of Signatures −
359
1
signature with (t, qsig , 1, 0 ), where 0 = qF#E . 2) If A2 breaks a signature with (t, qsig , 1, 0 ), there exists A3 which breaks the sigqsig nature with (t0 , 0, 1, 00), where 00 = 0 − #E and t0 = t + (the simulation time of qsig signatures). 3) If A3 breaks a signature with (t0 , 0, 1, 00 ), there exists A4 which breaks the corresponding identification scheme with (t0 , 00 )3 . Here we assume that the values of qF and qsig can be employed by these reductions4 . We neglect the time of reading/writing data on (random, communication, etc.) tapes, simple counting, and if-then-else controls. (Hereafter in this paper, we assume them.) Sketch of Proof: 1) Let Qi be the i-th query from A1 to the random oracle F and ρi be the i-th answer from F to A1 . Construct a machine B using A1 as follows: Step 1 Select an integer i satisfying 1 ≤ i ≤ qF randomly. Step 2 Run A1 with a random oracle F and get (X, m, E, Y ). Step 3 If (X, m) = Qi and E = ρi , then output (X, m, E, Y ). Otherwise output (Qi , ρi , ri ) where ri is a random element of the range of Y . If A1 succeeds in forging a signature (X, m, E, Y ), there are two cases: 1) (X, m) was not asked to the random oracle F , and 2) (X, m) was asked as the i-th query to the random oracle F (1 ≤ i ≤ qF ). In the former case, the success probability of A1 is at most 1/#E, because of the randomness of the random oracle. Thus Pr[B succeeds] qF X ≥ Pr[i is selected] Pr[A1 succeeds ∧ (X, m) = Qi ] i=1 qF X 1 Pr[A1 succeeds ∧ (X, m) = Qi ] = q i=1 F
=
qF 1 X Pr[A1 succeeds ∧ (X, m) = Qi ] qF i=1
1 (Pr[A1 succeeds] − Pr[A1 succeeds ∧ (X, m) is not a query to F ]) qF 1 1 ), ( − ≥ qF #E =
because Pr[A1 succeeds] ≥ . e using A1 as follows: Construct a machine B 3
4
4 From the condition of , 00 ≥ #E holds. It makes the heavy row technique available in Lemma 13 and Lemma 15, since there are at least two ‘1’ in a heavy row of a Boolean matrix H defined in Section 4.2.2. For simplicity, we also assume that these values don’t depend on the adversary’s coin flips but only on the length of its input.
360
Kazuo Ohta and Tatsuaki Okamoto
Step 1 Select an integer i satisfying 1 ≤ i ≤ qF randomly. Step 2 Run A1 with a random oracle F and a random working tape Θ, and get (X, m, E, Y ), where only the i-th query is asked to F and the remaining (qF − 1) queries are asked to Θ. Here Θ contains of (qF − 1) random blocks used as answers from Θ. Step 3 If (X, m) = Qi and E = ρi , then output (X, m, E, Y ). Otherwise output (Qi , ρi , ri ) where ri is a random element of the range of Y . A1 cannot distinguish (qF −1) random blocks of Θ from (qF −1) answers from F , e succeeds] holds. because of the randomness of F . Thus Pr[B succeeds] = Pr[B Therefore, 1 − #E e succeeds] ≥ . Pr[B qF e Put A2 = B. 2) Construct a machine A3 using A2 as follows: Step 1 For j = 1 to qsig do. Step 1-1 Run A2 with simulated (Xi , mi , Ei , Yi ) (1 ≤ i ≤ j − 1), and get a message mj chosen by A2 whose signature is requested to the signer. Step 1-2 Simulate (Xj , mj , Ej , Yj ) by the standard perfect ZKIP simulation technique of the corresponding identification scheme with an honest verifier. If there exists an integer i(< j) satisfying Xj = Xi , discard Xj and repeat this step. Step 2 Run A2 with a random oracle F and simulated (Xi , mi , Ei , Yi ) (1 ≤ i ≤ qsig ), and get (X, m, E, Y ). Step 3 Output (X, m, E, Y ). If A2 does not ask (Xi , mi ) (1 ≤ i ≤ qsig ) to F , then A2 cannot distinguish the simulated message-signature pairs from legitimate pairs because of the perfect indistinguishability described in Section 2 and the the randomness of F ’s output. The success probability of A3 is given as follows: 00 = Pr[A3 succeeds] = Pr[A2 succeeds ∧ (Xj , mj )6=(the query from A2 to F ) for 1 ≤ ∀j ≤ qsig ] = Pr[A2 succeeds] − Pr[∃i such that 1 ≤ i ≤ qsig ∧ (Xi , mi )=(the query from A2 to F )] qsig , ≥ 0 − #E while t0 = t + (the simulation time of qsig signatures in Step 1-2). 3) Let Q be a query from A3 to the random oracle F and ρ be an answer from F to A3 . Construct a machine A4 using A3 interacting with an honest verifier V as follows:
On Concrete Security Treatment of Signatures
361
Step 1 Run A3 and get a query Q = (X, m) which is sent to the random oracle F. Step 2 Send Q to V and get a challenge E from V . Step 3 Run A3 with an input ρ = E and get (X, m, E, Y ). Step 4 Output Y to V . Note that a valid signature (X, m, E, Y ) satisfies a relation of (Kp , X, E, Y ) and E = F (X, m). When a verifier V checks the validity of this relation, V accepts A4 ’s proof with (t0 , 00 ). 2 Remark 10. When ignoring the minor terms (the simulation time and 0 − 00 ), the first stage of ID reduction for the signature schemes in this paper is optimal in the following sense: For any strategy of A1 , 0 =
1 − #E qF
. On the other hand, let
f1 succeeds ∧ (X, m) = Qi ] = f1 , where Pr[A assume a specific A
1 − #E qF
. Then, for −
1
any strategy of the first stage reduction (signature to identification), 0 = qF#E . f1 , we cannot obtain Since we cannot neglect the existence of such a specific A −
1
the first stage reduction whose value of 0 is better than qF#E . Note that this does not mean the “exact” security, since 0 ≈ in the “exact” security, while 0 ≈ qF in our “optimal” reduction. In addition, note that this observation depends on the signature scheme model shown in Section 2.
4
Schnorr Signature Scheme
We discuss here the Schnorr scheme [15] as an example, though similar results can be obtained for the Fiat-Shamir scheme [4,5] etc. The schemes can also be implemented using an elliptic curve [8]. 4.1
Scheme
Key generation: A trusted center publishes two large primes, p and q, such that q | (p − 1), and element g ∈ (Z/pZ)∗ of order q. A signer P chooses a secret key s ∈ Z/qZ and publishes the public key I, where I = g s mod p. Signature generation: A signer P generates the signature of his message m using a public hash function h, and a verifier V checks the validity of signature of the message as follows: P generates a random integer r ∈ Z/qZ, calculates X = g r mod p, e = F (X, m) ∈ Z/qZ and y = r + es mod q, and sends (X, m, y) to V . Verification: V checks the validity of a signature of the message by the following ?
equations: g y ≡ XI e 4.2
?
(mod p) and e = F (X, m).
Security
The following identification scheme is reduced to the Schnorr signature scheme in Section 4.1, and it will be analyzed adopting the scenario given in Section 3.
362
Kazuo Ohta and Tatsuaki Okamoto
4.2.1 Identification Scheme Key generation: A trusted center publishes two large primes p and q such that q | (p − 1), and element g ∈ (Z/pZ)∗ of order q. A prover P chooses a secret key s ∈ Z/qZ and publishes the public keys I, where I = g s mod p. Identification Protocol: P proves his identity and a verifier V checks the validity of P ’s proof as follows: Step 1 P generates a random integer r ∈ Z/qZ, calculates X = g r mod p, and sends X to verifier V . Step 2 V generates a random integer e ∈ Z/qZ and sends it to P . Step 3 P calculates y = r + es mod q and sends it to P . ?
Step 4 V checks the following equation: g y ≡ XI e
(mod p).
4.2.2 Heavy Row Lemma A Boolean matrix and heavy row will be introduced in order to analyze the security of one-round identification schemes. Assume that there is a cheater A who can break a one-round identification scheme with (t, ), where ≥ 4q . Definition 10. (Boolean Matrix of (A, V )) Let’s consider the possible outcomes of the execution of (A, V ) as a Boolean matrix H(RA, e) whose rows correspond to all possible choices of RA, where RA is a private random tape of A; its columns correspond to all possible choices of e, which means e ∈ RV . Its entries are 0 if V rejects A’s proof, and 1 if V accepts A’s proof. Note that RV = (Z/qZ) in Schnorr’s case. Definition 11. (Heavy Row) A row of matrix of H is heavy if the fraction of 1’s along the row is at least /2, where is the success probability of A. Lemma 12. (Heavy Row Lemma) The 1’s in H are located in heavy rows of H with a probability of at least 12 . 4.2.3
Security of Identification Scheme
Lemma 13. (Security of Schnorr Identification Scheme) Let ≥ 4q . Suppose that the key searching problem of (p, g, I), that is, calculation of s from I satisfying I = g s mod p, is (t∗ , ∗ )-secure. Then the Schnorr identification scheme with parameter (p, g, I) is (t, )-secure, where 2 1 3(t + Φ1 ) 1 9 ∗ ∗ + Φ3 and = 1− . t = > 2 e 50 Here Φ1 is the verification time of the identification protocol, Φ3 is the calculation time of s in the final stage of the reduction, and e is the base of the natural logarithm.
On Concrete Security Treatment of Signatures
363
Sketch of Proof: Assume that there is a cheater A who can break an identification with (t, ). We will construct a machine A∗ which breaks the key searching problem of (p, g, I) with (t∗ , ∗ ) using A. We will discuss the following probing strategy of H to find two 1’s along the same row in H [5]: Step 1 Probe random entries in H to find an entry a(0) with 1. We denote the row where a(0) is located in H by H (0) . Step 2 After a(0) is found, probe random entries along H (0) to find another entry with 1. We denote it by a(1) . It is proven that this strategy succeeds with constant probability in just O(1/) probes, using Lemma 12 concerning a useful concept, heavy row, defined in Definition 11. Let p1 be the success probability of step 1 with 1 repetition. p1 ≥ 1 − (1 − 1/ = p01 > 1 − 1e > 35 , because the fraction of 1’s in H is . Let p2 be the ) success probability of step 2 with 2 repetition. p2 ≥ 12 × 1 − (1 − 2 )2/ = 3 , because the probability that H (0) is heavy is at least 12 p02 > 12 (1 − 1e ) > 10 by Lemma 12 and the fraction of 1’s along a heavy row is at least 2 . Therefore 9 and t∗ = t × ( 1 + 2 ) = 3t ∗ = p1 × p2 ≥ p01 × p02 > 12 (1 − 1e )2 > 50 . d(i)
(i)
a(i) represents (X (i) , e(i) , y (i) ). g y ≡ X (i) I (mod p) (i = 0, 1) holds, since a(i) is an entry with 1. Two 1’s, a(0) and a(1) , in the same row H (0) means X (1) = X (0) . Since there are two unknown variables, r(0) and s, and two (0) (1) equations are obtained, a secret key s can be calculated by s = ye(0) −y mod q −e(1) in Schnorr’s scheme, since q is prime and 0 < e(0) − e(1) < q. 2
4.2.4 Security of Signature Scheme The following theorem is proven by combining Lemma 9 and Lemma 13. Theorem 14. (Security of Schnorr Signature Scheme) − 1
Let 0 ≥ qsig , where 0 = qFq . Suppose that key searching problem of (p, g, I) is (t∗ , ∗ )-secure. Then the Schnorr signature scheme with parameter (p, g, I) is (t, qsig , qF , )-secure, where 4+q
3t0 t = 00 + Φ3 ∗
and
1 = 2 ∗
2 1 9 1− . > e 50
Here t0 = t + Φ1 + Φ2
and
00 =
− qF
1 q
−
qsig , q
where Φ1 is the verification time of the identification protocol, Φ2 is the simulation time of qsig signatures, Φ3 is the calculation time of s in the final stage of the reduction, and q is the order of g ∈ (Z/pZ)∗ .
364
4.3
Kazuo Ohta and Tatsuaki Okamoto
Discussion on the Efficiency of Our Reduction
We have proven that if the key searching problem is (t∗ , ∗ )-secure, then the Schnorr signature scheme is (t, qsig , qF , )-secure. On the other hand, if the key searching problem is breakable with (t, ), then the signature scheme is breakable with (t, 0, 1, ) by the trivial reduction. If our reduction is “exact (optimally efficient),” (t∗ , ∗ ) should be the same quantity as (t, ) for any values of qsig and qF . Here note that is does not always imply t = t∗ and = ∗ , since (t, ) and (t∗ , ∗ ) are considered to have the same quantity when t∗ = βt and ∗ = 1 − (1 − )β . Here we will estimate the degree of “exactness” of our reduction (i.e., how much close is the above mentioned reduction to the exact case) by comparing the quantities of (t∗ , ∗ ) and (t, ). For the purpose, we normalize (t, ) into (t+ , + ) with + = ∗ . Let β = α be the number of repetition of (t, )-breakable algorithm, in order to attain the same success probability as ∗ . Since ∗ = 12 (1 − 1e )2 > 9/50, α α ≈ 0.223 holds because of the requirement of 1 − (1 − ) = ∗ > 9/50. ∗ + Therefore, t+ = αt gives the degree (α ≈ 0.223) and the ratio of t and t of exactness of our reduction. If we assume that t ≈ t0 and 0 ≈ qF , since qsig is small and q is large, then its ratio is 3qαF ≈ 13.5qF . Thus, our reduction is still efficient, though it is not exact. Here note that qF can not be eliminated from this ratio because of the optimality of the ID reduction lemma.
5
Modified ElGamal Signature Scheme
We will discuss the modified ElGamal (MEG) signature scheme [12] in this section.
5.1
Scheme
Key generation: the same as the Schnorr scheme. Signature generation: A signer P generates the signature of his message m using a public hash function h as follows: P generates a random integer r ∈ (Z/qZ)∗ , calculates X = g r mod p, e = F (X, m) ∈ Z/qZ and y = e−sX mod q, r and sends (X, m, y) to V . Verification: a verifier V checks the validity of the signature of the message by ?
?
the following equations: g e ≡ X y I X (mod p) and e = F (X, m). Note: In the original ElGamal scheme, the order of g ∈ (Z/pZ)∗ is p − 1. Although we can prove the security of the MEG with ord(g) = p − 1 in a manner similar to that with ord(g) = q, here for simplicity of description we assume ord(g) = q.
On Concrete Security Treatment of Signatures
5.2
365
Security
5.2.1 Identification Scheme The following identification scheme is reduced to the MEG signature scheme in Section 5.1, and it will be analyzed adopting the scenario given in Section 3. Key generation: the same as the Schnorr scheme. Identification Protocol: P proves his identity and verifier V checks the validity of P ’s proof as follows: Step 1 P generates a random integer r ∈ (Z/qZ)∗ , calculates X = g r mod p, and sends X to verifier V . Step 2 V generates a random integer e ∈ Z/qZ and sends it to P . Step 3 P calculates y = e−sX mod q, and sends it to P . r ?
Step 4 V checks the following equation: g e ≡ X y I X 5.2.2
(mod p).
Security of Identification Scheme
Lemma 15. (Security of ElGamal Identification Scheme) Let ≥ 4q . Suppose that the key searching problem of (p, g, I) is (t∗ , ∗ )-secure. Then the ElGamal identification scheme with parameter (p, ge, I)5 is (t, )-secure, where t∗ =
√ 3(t + Φ1 ) + Φ3 R
and
∗ =
1 1 (1 − )2 2 e
√R
>
9 50
√R .
Here Φ1 is the verification time of the identification protocol, Φ3 is the calculation time of r and s (or e g) at Step 3 and Step 4, R = p−1 and q is the order of q ∗ g ∈ (Z/pZ) . Sketch of Proof: Assume that cheater A breaks the ElGamal identification with (t, ) for (p, I) and all ge ∈< g >. We will construct a machine A∗ that breaks the key searching problem of (p, g, I) with (t∗ , ∗ ) using A. We will discuss the following probing strategy of H to find two 1’s along the same row in H [5] for the identification scheme with parameter (p, g, I): Step 1 Probe random entries in H to find an entry a(0) with 1. We denote the row where a(0) is located in H by H (0) . Step 2 After a(0) is found, probe random entries along H (0) to find another entry a(1) with 1. Step 3 Calculate the value of r as follows, r= 5
e(0) − e(1) mod q y (0) − y (1)
eg is an appropriate element in the subgroup, < g >, generated by g.
366
Kazuo Ohta and Tatsuaki Okamoto
where a(i) represents (X (i) , e(i) , y (i) ) and X = X (0) = X (1) (i = 0, 1) holds. Note that r is coprime to q. In Case 1 with gcd(X, q) = 1, calculate a secret value of s as follows, output it and halt:
s=
e(0) − ry (0) mod q. X
In Case 2 with gcd(X, q) 6= 1, obtain b satisfying X = bq(= g r mod p), where 0 < b < p−1 q = R, and go to Step 4. Step 4 (For Case 2 only) Run A with input e g = Ig l mod p applying Step 1 to Step 3, where l ∈ Z/qZ is randomly selected. There are two cases, Case 1 and Case 2. e q) = 1, calculate s by the same way as Step3. In Case 1 with gcd(X, e q) 6= 1, obtain eb as well as re satisfying ebq = In Case 2 with gcd(X, g re mod p by the same way in Step 3. e If eb = b holds, calculate a secret value of s as follows, output it and halt: s=
r − le r mod q. re
Otherwise, repeat Step 4 with another input. The worst case for finding two values of b that collide is that these R − 1 1 events occur with equal probability R−1 within Case 2. Let p1 be the success probability of step 1 with 1 repetition, and p2 be the success probability of step 2 with 2 repetition. Let p3−1 be the success probability of Case 1 in step 3, and √ p3−1 = 0 in the worst case. Let p4 be the success probability of step 4 with R repetition. Then p4 ≈ 1 because of the birthday paradox of finding b = b0 satisfying 0 < b, b0 < R. Therefore √
∗ = (p1 × p2 )
R
p4 ≥
1 1 (1 − )2 2 e
√R
and t∗ =
√ √ 1 2 3(t + Φ1 ) + Φ3 (t + Φ1 ) × ( + ) + Φ3 R= R. 2
On Concrete Security Treatment of Signatures
367
5.2.3 Security of Signature Scheme The following theorem is proven by combining Lemma 9 and Lemma 15. Theorem 16. (Security of ElGamal Signature Scheme) − 1
sig Let 0 ≥ , where 0 = qFq . Suppose that the key searching problem of q (p, g, I) is (t∗ , ∗ )-secure. Then the ElGamal signature scheme with parameter (p, ge, I) is (t, qsig , qF , )-secure, where
4+q
∗
t =
√ 3(t + Φ1 + Φ2 ) + Φ R 3 00
and
∗
=
1 1 (1 − )2 2 e
√R
>
9 50
√R .
Here Φ1 is the verification time of the identification protocol, Φ2 is the simulation time of qsig signatures, and Φ3 is the calculation time of r and s (or e g) at Step 3 and Step 4. 00 =
− 1q qF
−
qsig q ,
where q is the order of g ∈ (Z/pZ)∗ .
Remark 17. The simulation time of qsig signatures can be obtained in a manner similar to that in Lemma 8 in Reference [12]. 5.3
More Efficient Reduction of MEG
Clearly the reduction for the MEG signature scheme is much less efficient than that of the Schnorr scheme, and the reduction does not preserve the parameter, (p, g, I). If we modify the MEG scheme as follows, the reduction can be almost as efficient as that of the Schnorr scheme and can preserve the parameter. The modified version of the MEG scheme is the same as the MEG scheme except: Verifier V checks whether gcd(X, q) = 1, and if it does not hold, V rejects the signature, (m, X, y). Note that when a valid signer generates (m, X, y), the probability that gcd(X, q) 6= 1 is 1/q (negligible probability).
6
Multi-Signature Schemes
Multi-signature schemes are signature schemes in which plural signers (e.g., L signers) jointly generate a signature (multi-signature) of a message under the condition that the length of the multi-signature is less than the total length of ordinary (single) signatures by plural signers (e.g., L × |s|, where |s| is the ordinary signature length). We can apply our ID reduction technique to the “one-round type” of multisignature schemes6 . This section briefly introduces our results regarding multisignature schemes. Due to the space limitation, we omit a detailed description of the results [11]. 6
The “two-round type” of multi-signature schemes have been proposed [10]. Our technique can also be applied to these schemes easily.
368
6.1
Kazuo Ohta and Tatsuaki Okamoto
The Proposed Multi-Signature Schemes
We propose provably secure multi-signature schemes against the most general attack, adaptively chosen message insider attacks [7] with the random oracle model. The proposed schemes are as follows7 : Key generation: A trusted center publishes two large primes p and q such that q | (p − 1), and element g ∈ (Z/pZ)∗ of order q. Each signer Pi chooses a secret key si ∈ Z/qZ and publishes the public key Ii , where Ii = g si mod p (1 ≤ i ≤ L) and L is the number of signers. Multi-Signature: Each signer Pi generates the signature of his message m using two public hash functions Fi and Hi as follows (1 ≤ i ≤ L): Step 1 For i = 1 to L do, where y0 = 0 and V = PL+1 : Pi generates a random integer ri ∈ Z/qZ, calculates Xi = g ri mod p, ei = Fi (X1 , . . . , Xi , m) ∈ Z/qZ, di = Hi (X1 , . . . , Xi , m) ∈ Z/qZ and yi = yi−1 + di ri + ei si mod q, and sends (X1 , . . . , Xi , m, yi ) to Pi+1 . ?
Step 2 V checks the following equations: g yL ≡ X1d1 · · ·XLdL I1e1 · · ·ILeL ?
(mod p),
?
and ei = Fi (X1 , . . . , Xi , m), di = Hi (X1 , . . . , Xi , m) (1 ≤ i ≤ L) . Remark 1. 1) We call the scheme where di = 1 Type I, the scheme where ei = 1 Type II, and the scheme where there is no restriction on di , ei Type III. 2) The schemes can also be implemented using an elliptic curve [8]. 3) It is possible for each Pi to check the validity of (I1 , . . . , Ii−1 , X1 , . . . , Xi−1 , m, E1 , . . . , Ei−1 , Yi−1 ) before generating his signature. 6.2
Security of the Schemes
The main results are as follows: Theorem 17. (Security of the Proposed Multi-Signature Scheme (Type II)) 2(L+1) +q
H
−1
sig q Let 0 ≥ . Here 0 = HL , where H0 = , and Hi = i−1 (1 ≤ i ≤ q qHi L). Suppose that the calculation of s from I1 , . . . , IL satisfying I1 × · · · × IL = g s mod p is (tII (L), II (L))-secure. Then the proposed multi-signature scheme with the same parameter is (t, qsig , qH1 , qH2 , )-secure, where
tII (L) =
II (L) = 7
t0 (2L+1) 2 + 1 + Φ3 , 00 3
2L (2L −1) 2L (2L −1) 1 3 1 1 1− > . 2 e 2 5
For simplicity of explanation, in this paper we use the multiplicative group (Z /pZ )∗ to present our schemes and the security proofs. Only the implementations over elliptic curves [8], however, are feasible in light of the multi-signature size. Note that the security of the elliptic curve versions can be proven in the same manner as those of the multiplicative group versions.
On Concrete Security Treatment of Signatures
369
Here t0 = t + Φ1 + Φ2 and 00 = HL − sig q . Φ1 is the verification time of the identification protocol, Φ2 is the simulation time of qsig signatures, Φ3 is the calculation time of s in the final stage of the reduction, and q is the order of g ∈ (Z/pZ)∗ . q
Theorem 18. (Security of the Proposed Multi-Signature (Type III)) 2(L+2) +qsig . Here q Fi − 1q Hi = qH (1 ≤ i ≤ L). i satisfying Ii = g si mod p is
Let 0 ≥
0 = HL , where H0 = , Fi =
Hi−1 − 1q qFi
, and
Suppose that the calculation of si from I1 , . . . , IL
(tIII (L), III (L))-secure. Then the proposed multisignature scheme with the same parameter is (t, qsig , qF1 , qH1 , . . . , qFL , qHL , )secure, where tIII (L) =
t0 (2L+1) (L+1) (L+1) 2 + 3L × 2 − 3 × 2 + 1 + Φ3 , 300
III
II
(L) = (L)
(L−1) (2L +L−2) (2L +L−1) 1 3 1 1 (1 − ) > . 2 e 2 5
Here t0 = t + Φ1 + Φ2 and 00 = HL − sig q . Φ1 is the verification time of the identification protocol, Φ2 is the simulation time of qsig signatures, Φ3 is the calculation time of s in the final stage of the reduction, and q is the order of g ∈ (Z/pZ)∗ . q
Remark 2. The multi-signature scheme of Type I is forgeable by a true signer, for example, signer L can make a multi-signature of arbitrary message m without coalition of other (L − 1) signers.
7
Conclusion
This paper presented a new key technique, “ID reduction”, to show the concrete security result of a class of practical signature schemes under the random oracle paradigm. We applied this technique to the Schnorr and modified ElGamal schemes, and showed the “concrete security” of these schemes. We also applied it to the multi-signature schemes. This technique should be useful in proving the concrete security of various types of signatures such as blind signatures, group signatures and undeniable signatures.
Acknowledgments We would like to thank Adi Shamir for his talks at NTT in1988, which inspired us to create the reduction technique introduced in this paper. We would also like to greatly thank Moti Yung for his invaluable support in revising our manuscript. We wish to thank anonymous reviewers for useful comments.
370
Kazuo Ohta and Tatsuaki Okamoto
References 1. M. Bellare and P. Rogaway, “Random Oracles are Practical: A Paradigm for Designing Efficient Protocols,” Proc. of the First ACM Conference on Computer and Communications Security, pp.62–73. 354, 355 2. M. Bellare and P. Rogaway, “The Exact Security of Digital Signatures –How to Sign with RSA and Rabin,” Advances in Cryptology –EUROCRYPT’96, SpringerVerlag, pp.399–416. 354, 355, 355, 357 3. T. ElGamal, “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” IEEE Transactions on Information Theory, IT-31, 4, pp.469– 472, 1985. 4. A. Fiat and A. Shamir, “How to Prove Yourself,” Advances in Cryptology – CRYPTO’86, Springer-Verlag, pp.186–194. 354, 356, 358, 361 5. U. Feige, A. Fiat and A. Shamir, “Zero-Knowledge Proofs of Identity,” J. of Cryptology, 1, p.77–94. 356, 361, 363, 365 6. S. Goldwasser, S. Micali and C. Rackoff, “The Knowledge Complexity of Interactive Proof Systems,” SIAM J. on Computing, 18, pp.186-208, 1989. 356 7. S. Goldwasser, S. Micali and R. Rivest, “A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks,” SIAM J. on Computing, 17, pp.281– 308, 1988. 354, 354, 354, 368 8. N. Koblitz, “Elliptic Curve Cryptosystems,” Mathematics of Computation, 48, pp.203–209, 1987. 361, 368, 368 9. M. Naor and M. Yung, “Universal One-Way Hash Functions and Their Cryptographic Applications,” Proc. of STOC, pp.33–43, 1989. 354 10. K. Ohta and T. Okamoto, “A Digital Multisignature Scheme Based on the FiatShamir Scheme,” Advances in Cryptology –ASIACRYPT’91, Springer-Verlag, pp. 139–148. 367 11. K. Ohta and T. Okamoto, “The Exact Security of Multi-Signature Schemes,” Technical Report of IEICE, ISEC97-27 (July, 1997), pp.41-52. 367 12. D. Pointcheval and J. Stern, “Security Proofs for Signature Schemes,” Advances in Cryptology –EUROCRYPT’96, Springer-Verlag, pp.387–398. 354, 354, 355, 355, 356, 356, 356, 356, 356, 364, 367 13. J. Rompel, “One-Way Functions are Necessary and Sufficient for Secure Signature,” Proc. of STOC, pp.387–394, 1990. 354 14. R. Rivest, A. Shamir and L. Adleman, “A Method for Obtaining Digital Signatures and Public Key Cryptosystems,” Communications of ACM, 21, 2, pp.120-126, 1978. 355 15. C.P. Schnorr, “Efficient Identification and Signatures for Smart Card,” Advances in Cryptology –EUROCRYPT’89, Springer-Verlag, pp.235–251. 355, 356, 361
Building PRFs from PRPs? Chris Hall1 , David Wagner2 , John Kelsey1 , and Bruce Schneier1 1
Counterpane Systems {hall,kelsey,schneier}@counterpane.com 2 U.C. Berkeley [email protected]
Abstract. We evaluate constructions for building pseudo-random functions (PRFs) from pseudo-random permutations (PRPs). We present two constructions: a slower construction which preserves the security of the PRP and a faster construction which has less security. One application of our construction is to build a wider block cipher given a block cipher as a building tool. We do not require any additional constructions—e.g. pseudo-random generators—to create the wider block cipher. The security of the resulting cipher will be as strong as the original block cipher. Keywords: pseudo-random permutations, pseudo-random functions, concrete security, block ciphers, cipher feedback mode.
1
Introduction and Background
In this paper we examine building psuedo-random functions from pseudo-random permutations. There are several well known constructions for building pseudorandom permutations from pseudo-random functions, notably [LR88]. However, the only results we are aware of for going in the reverse directions are the recent results of Bellare et. al. in [BKR98]1 . One primary justification for building pseudo-random functions is that it allows one to use the results of Bellare et. al. [BDJR97] to produce an n-bit cipher that can be used to encrypt more than 2n/2 blocks. Due to birthday attacks, nbit permutations will leak information about the plaintext after 2n/2 blocks. By closing the loop between pseudo-random functions and permutations, we can also accomplish a number of things: widening the block width of a cipher, creating a provably secure 1-bit cipher feedback mode, and building encryption functions secure for more than 2n/2 blocks. Given the plethora of existing practical block ciphers, it would be nice to be able to create pseudo-random functions from them directly without having to resort to building new primitives from scratch. Our work extends previous work on pseudo-random functions (PRFs) and permutations (PRPs). PRFs and PRPs were initially defined in [GGM86] as functions (resp. permutations) which a polynomially-bounded attacker cannot ? 1
The full paper is available at http://www.counterpane.com/publish-1998.html. We were unaware of these results when we originally wrote our paper, but they were instead pointed out to us by an anonymous referee.
H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 370–390, 1998. c Springer-Verlag Berlin Heidelberg 1998
Building PRFs from PRPs
371
to distinguish from truly random functions (resp. permutations) with more than neglible probability. A more recent paper by Bellare et al. [BDJR97] evaluates four different notions of security and applies those notions to the definitions of PRFs and PRPs. In addition, M. Luby has written a book on pseudorandomness which provides an excellent summary of the theoretical constructions leading up to PRFs [Lub96]. Some authors have made a distinction between PRPs and super PRPs. With a super PRP, an adversary is allowed to query for inverse evaluations of the permutation [LR88]. For our applications, we require the “super” variety of PRP. Therefore, for the remainder of this paper we shall consider only super PRPs; we usually omit the “super” prefix for conciseness. Extensive research has been conducted on building PRPs from PRFs. Many of the constructions are based on Luby and Rackoff’s original work [LR88]. Let F (l, r) = Ψ m (f1 , . . . , fm )(l, r) denote an m-round Feistel network where fi ∈ IFn:n . Then F (l, r) ∈ IP2n where Ψ i (f1 , . . . , fi ) is defined by Ψ (f )(l, r) = (r, l ⊕ f (r)) k
Ψ (f1 , . . . , fk ) = Ψ (fk ) ◦ Ψ (fk−1 ) ◦ · · · ◦ Ψ (f1 )(l, r). Luby and Rackoff [LR88] showed that an adversary has advantage at most m(m − 1)/2n if they make m < Q(n) queries for some polynomial Q(x). Recall that the advantage is computed as Adv A = |P [Ap = 1] − P [Af = 1]| where A is an adversary who returns 1 if they believe they are looking at a 2n-bit permutation from the Ψ 3 (f1 , f2 , f3 ) family and 0 otherwise. Then P [Ap = 1] denotes the probability that an attacker returns 1 when given p ∈ {Ψ 3 (f1 , f2 , f3 ) : fi ∈ Fn:n } and P [Af = 1] denotes the probability that an attacker returns 1 when given f ∈ P2n . The result was generalized for m < 2n/2 [AV96,M92,P91b,P92] to Adv A = O(m2 /2n ). Many different researchers have investigated variations of this construction [AV96,C97,Luc96,M92,P91b] [P92,P97,SP91,SP92,ZMI89a,ZMI89b] and even proposed different constructions [M92,P97]. The exact nature of these constructions is beyond the scope of this document; they investigate building PRPs from PRFs, and we are interested in going the other direction. In addition to designing PRPs from PRFs, some researchers have studied designing PRFs from smaller PRFs. Aiello and Venkatesan built a 2n-bit to 2nbit function from eight n-bit to n-bit functions using a Benes transform [AV96]. They achieved the notable bound that Adv A = |P [AB = 1] − P [Af = 1]| = O(m/2n ) after m queries, where AB is the result of executing the adversary A with the oracle instantiated by a function B from the Benes family, and Af is the result of running the adversary with a random 2n-bit function.
372
Chris Hall et al.
Aside from building wider functions, some researchers have examined building variable-length input PRFs (VI-PRFs). In [BCK96], Bellare et al. formalize the notation of VI-PRFs and analyze the security of several constructions. Their functions are constructed using simpler primitives: fixed-length input PRFs (FIPRFs) which were first defined in [BKR94] in order to model the Data Encryption Algorithm (DES). One important feature of these papers is that they focus on concrete security analysis, which attempts to provide precise estimates of security, rather than being satisfied with asymptotic results. Bellare et al. initiated this study in [BKR94,BGR95]. When it comes to building PRFs from PRPs, though several different people have noted that a PRP can be used as a PRF with advantage O(m2 /2n ) for m < 2n/2 (e.g. [AV96]), there has been a notable lack of research in this area. One recent exception is the excellent paper of Bellare et. al. [BKR98], which uses the notion of data-dependent keying to build a PRF from a PRP. Their results present strong evidence for the security of their PRP→PRF construction, and they take some initial steps towards a more complete analysis of its strength against computationally-bounded adversaries. One of the most appealing features of their construction is its practicality: the construction is very simple, and performance is degraded by only a factor of two (or less, when in stream cipher modes). It should be possible to use their re-keying construction in the applications found in Section 3, as a drop-in replacement for our PRP→PRF construction. This would provide corresponding improvements in performance; the tradeoff is that the available security results are weaker for the re-keying construction. One interesting motivation for building PRFs from PRPs is that we could build larger PRPs from smaller PRPs by first constructing PRFs from the PRPs, using the results of [AV96] to strengthen the function, and finally using one of the many results available for building PRPs from PRFs. This is in fact the approach we take in our paper, and it provides the first useful technique (which we are aware of) for securely increasing the block width of a trusted block cipher. The format of the rest of our paper is as follows. In Section 2 we introduce our two constructions for producing PRFs from PRPs: ORDER(P )j:k and i TRUNCATE(P )n−m . In Section 3 we apply our constructions to a few different n problems and give descriptions of our solutions. Finally, in Section 4 we analyze the security of the constructions presented in Section 2. 1.1
Notation
In this section we introduce some of the notation we will use through the rest of the paper: Rn Zn2 , the set of all n-bit blocks. IPn The symmetric group on 2n elements (specifically, the set of all permutations on Rn ). IFn:m The set of all functions with the signature Rn → Rm .
Building PRFs from PRPs
373
p(a, b) Denotes the evaluation of a permutation p with the bit concatentation of a and b. (t, q, e)-secure Captures the notion of a cryptographic primitive which is secure, in the sense that any adversary who uses at most t units of offline work and issues at most q chosen-plaintext/ciphertext queries can only get advantage at most e for distinguishing the primitive from a random function (or permutation). This roughly means that an attacker must either do t work or implement q chosen-text queries to have any chance of breaking the primitive; however, even then the attacker is not guaranteed a practically-useful attack. Therefore, this is a very strong measure of security, in the sense that if a primitive is proven strong under this model, it is likely to be very strong indeed.
2
The Constructions
We introduce two constructions: ORDER(P )j:k and TRUNCATE(P )n−m . The former n i uses a permutation p ∈ IPi to produce a function f ∈ IFj:k . The latter uses a permutation p ∈ IPn to produce a function f ∈ IFn:n−m . In this section we give a brief description of each of these constructions along with their security, but leave the analysis of their security until Section 4. 2.1
ORDER(P )n:1 n+1
Our first construction, ORDER(P )n:1 n+1 uses the order of entries in a table representing a n+1-bit permutation to encode a function fp ∈ IFn:1 . More specifically, if p ∈ IPn+1 then we assign a function fp ∈ IFn:1 where 0 if p(0, x) < p(1, x) fp (x) = 1 otherwise. Here the expression p(0, x) stands for the result of applying p to the concatenation of the bit 0 and the n-bit value x. Note, this construction is really a special instance of a much more general construction given in the next two sections. However, for our analysis we found it much simpler to analyze this simple case (in a later section) and extrapolate to the more general case. 2.2
k−1
n:2 m Wider Outputs: ORDER(P )n+km
Of course, in practice a PRF with a 1-bit output is rarely useful. Fortunately, there are some simple techniques to build wide-output PRFs from PRPs with a 1-bit output. One basic approach is to observe that j = 2k (independent) PRFs from IFn:m suffice to build a PRF on IFn:jm . This yields the following construction. Given a PRF F ∈ IFn+k:m , we build a wider PRF G ∈ IFn:2k m by G(x) = (F (0, x), F (1, x), . . . , F (2k − 1, x)).
374
Chris Hall et al.
This construction has the disadvantage that it reduces the input size slightly, which can be a problem for some applications. Of course, this does not produce an optimal construction. We leave the analysis to Section 4, but in fact the next construction is optimal. By optimal we mean that it divides the set of permutations IPn into equally-sized equivalence classes such that each equivalence class has an odd number of permutations. This implies that we cannot divide the equivalence classes any further and still expect to have equally-sized equivalence classes. 2.3
m
n:2 −1 Wider Outputs, Efficiently: ORDER(P )n+m
As one might expect, the construction of the previous section fails to extract all of the possible bits from a permutation. In some cases we can nearly double the number of bits that we obtain from a given permutation p by extracting more information about the sorted order of p(x). Suppose that we have a permutation p ∈ IPn+m ; then we build a function f ∈ IFn:2m −1 in the following fashion. First we determine 2m−1 bits of f (x) by using the construction outlined in the previous section. That is, if [f (x)]i denotes bit i of f (x) and 0 ≤ i < 2m−1 , then ( 0 if p(0, i, x) < p(1, i, x) . [f (x)]i = 1 otherwise Briefly, the remaining bits of information are obtained by comparing the minimum elements of two pairs of values min {p(xj ), p(x0j )} for j = 1, 2. To be more precise, we start by creating 2n perfectly-balanced binary trees with 2m − 1 nodes (i.e. each one has height m − 1) and uniquely assign each tree to a different n-bit value x. Hence tree x will correspond to f (x). For any given tree, each node has three values associated with it: a n + m-bit value X(x), a 1-bit value Y (x), and a m-bit value Z(x), which serves to identify the node. For ease of exposition, we assign Z(x) so that the root node has Z(x) = 0, the left child of a node has the value 2Z(x) + 1, and the right child of a node has the value 2Z(x) + 2 (implying Z is independent of x so we can drop it). This assigns each node a unique m-bit value and allows us to associate bit i of f (x) with the Y (x) value of node i.2 Using these particular Z-values, the leaf nodes will have the values 2m−1 − 1 to 2m − 2. Let Xi (x) and Yi (x) denote the X and Y values respectively of the leaf nodes with Z = i. Then for i ≥ 2m−1 − 1 ( 0 if p(0, Zi − 2m−1 − 1, x) < p(1, Zi − 2m−1 − 1, x) Yi (x) = 1 otherwise. Xi (x) = min{p(0, Zi − 2m−1 − 1, x), p(1, Zi − 2m−1 − 1, x)} 2
Some other ordering of the nodes will also work, such as one given by a postorder traversal of the tree.
Building PRFs from PRPs
375
This is precisely the information obtained by the construction of the previous section. For the remaining 2m−1 − 1 bits of information, we assign ( 0 if X2i+1 (x) < X2i+2 (x) Yi (x) = 1 otherwise. Xi (x) = min{Y2i+1 (x), Y2i+2 (x)} It should be clear that this tree partially encodes the order of p(0, x), . . . , p(2m − 1, x), but that more than one permutation may produce the same function. It requires 2m invocations of the permutation p to produce the 2m − 1 bits of fp (x). For an example evaluation of f (x) for p ∈ IP3 , see Figure 1. f(x) = 0111000 (postorder traversal) X = 0, Y = 0 X = 0, Y = 1 X = 2, Y = 0
X = 0, Y = 1
X = 3, Y = 0 X = 3, Y = 1
X = 4, Y = 0
P(0,x) :=P(1,x) 2 := 5P(2,x) := P(3,x) 1 := 0P(4,x) := P(5,x) 6 := 3P(6,x) := P(7,x) 4 := 7
Fig. 1. Example Function from p ∈ IP3 .
We can use this latter technique to build a PRF in IFm:n using a permutation in IPa where a = d m+log2 (n+1)+1 e. It will require d log2 (n+1)+1 e invocations of E per invocation of IFm:n . Note, if n 6= 2l −1 for some l, we will actually obtain a wider output than n bits. In that case we can simply truncate the output to n bits and retain the security of the PRF. While this construction provably transfers (essentially) all of the security of the underlying block cipher to the PRF, the disadvantage is that it has poor performance: we can get a 57:127 PRF that’s provably as strong as DES (and hence a 57:64 PRF), but it requires 128 queries to DES per PRF computation. 2.4
TRUNCATE(P )n−m n
Our second construction has much better performance, but uses a very different idea: we merely truncate a few bits of the output of the underlying block cipher, so the PRF can be almost as fast as the block cipher. Formally, let p ∈ IPn be a random permutation. We assign a function fp ∈ IFn:n−m by fp = g ◦ p where g : Rn → Rn−m denotes the function which truncates the high m bits from its input. For a PRP family {πk } the resulting PRF family would be {fπk }.
376
Chris Hall et al.
The disadvantage to this approach is that it doesn’t preserve the security of the underlying block cipher nearly as well: our proofs only work when the attacker has at most O(min{2(n+m)/2 , 22(n−m)/3 }) chosen texts available to him, where n is the block width of the underlying cipher and m is the number of truncated bits. In practice, this means that we can prove security up to O(24n/7 ) chosen texts by truncating m = n/7 bits, but our analysis degrades too much to be provide better bounds for larger m.
3
Applications
There are several nice applications of our result. Probably one of the most interesting is that we “close the loop” between PRFs and PRPs. Luby-Rackoff [LR88] gave a nice PRF → PRP construction; we have now shown how to go the other direction3 . We explore two additional possibilities in the next sections. There are others listed below, but due to a lack of time and space we have omitted further analysis of these ideas. Hence we pose them as open problems for further study. 1. Building MACs (or possibly hash functions) with provable security. The disadvantage is that they are likely to be very slow. 2. Building provably-strong PRNGs out of our constructions for provablystrong PRFs. Such a tool might be used for session key derivation, for example. The advantage is that in many cases (depending upon the application, of course) the PRNG isn’t performance-critical, so slow techniques are still interesting if they have notable security advantages. 3. Building provably-strong stream ciphers from our constructions for provablystrong PRFs. By running a good PRF in counter mode, you can get security past the birthday bound. In contrast, 64-bit block ciphers typically run into security problems when used in a standard chaining mode to encrypt more than 232 known texts, no matter how strong the cipher is. Bellare et. al. have explored this application further in [BKR98]. 3.1
Building Wider Block Ciphers
Techniques for building wider block ciphers are especially relevant as the AES standards effort ramps up. The problem with most existing ciphers, such as Triple-DES, is that they offer only 64-bit blocks, and thus fall prey to certain birthday attacks that can work with only 232 texts or so. (The matching ciphertext attack is one example.) As network communication speeds rise, this limit becomes increasingly concerning: for instance, on a 1 Gbit/sec encrypted link, we expect that information about two plaintext blocks will leak after only 6 minutes or so. The only solution is to move towards ciphers with wider block lengths, but if this involves a full cipher redesign, then we may forfeit the insights provided 3
We don’t consider treating a PRP as a PRF as an example because it won’t produce more general functions, and because its security level is limited.
Building PRFs from PRPs
377
by more than two decades of analysis on DES and Triple-DES. This motivates our search for a construction which can provably retain the time-tested security level of Triple-DES while providing a wider block length. This paper provides new results in this area. If we have a trusted cipher, then we can model it as a PRP family. Using one of our constructions we can construct a PRF family, use the Benes transform [AV96] to create a wider PRF family, and finally use Luby-Rackoff to create a PRP family again. The nice thing is that the resulting PRP family will be almost four times as wide as the original construction. Furthermore, we will be able to provide provable security reductions to show that the widened cipher is likely to be strong if the original cipher is secure. We will focus on a particular example and consider Triple-DES. Hence let n = 64 and P = {Ek } be the Triple-DES family where Ek (X) denotes encryption with key k and plaintext X. Also suppose that P is (t, q, e) secure. Then using we can construct a PRF family F = {fEk } ⊂ IF58:58 (truncate the ORDER(P )58:63 64 5 extra bits). As later analysis will show, F is (t, q/64, e) secure. In other words, F largely retains the security properties of Triple-DES. Using the modified Benes transform, we can form a second PRF family F 2 = {gf } where f ∈ F and F 2 ⊂ IF110:110 . The reason we do not obtain a family F 2 ⊂ IF116:116 is that the modified Benes transform requires six independent functions. Hence we can use the first three bits of our functions in F to obtain eight independent function families for constructing IF2 . The results of [AV96] show that F 2 is a (t, q/64, e+e0)-secure PRF, where e0 is neglible for q/64 < 2110 . Finally, using F 2 and Luby-Rackoff we can create a final PRP family P 2 = {pg1 ,g2 ,g3 } where gi ∈ F 2 and P 2 ⊂ P220 . P 2 will have nearly identical security to F 2 : (t, q/64, e + e0 + e00 ) where e00 is neglible for q/64 < 2554 . The primary disadvantage of this construction is that the resulting widened cipher P 2 will be almost 450 times slower than the original cipher P . With a normal 4-round Luby-Rackoff construction, we will use 4 invocations of functions from F 2 for each invocation of a permutation in P 2 . Each function in F 2 uses 6 invocations of functions from F . Finally, for each function in F we will use 64 invocations of a permutation in P . Hence we will require 4 × 6 × 64 = 1536 invocations of Triple-DES per invocation of P 2 ; of course, each invocation of P 2 encrypts 220/64 times as many bits as P , so the performance of the widened cipher P 2 will be 1536 · 64/220 ≈ 447 times worse than Triple-DES. This is definitely very slow, but it is provably secure! An alternative to using Luby-Rackoff is to use a construction by M. Naor and O. Reingold [NR96]. There you get a twofold speed-up in execution and we only require 768 invocations of Triple-DES. This translates to a total of roughly 223 times worse performance than Triple-DES. The advantage, of course, is that the resulting cipher is that we have removed the 232 -texts limitation on the security of Triple-DES. 4
Note: the security proof of the Luby-Rackoff construction given in [LR88] actually assume that the gi are independent; but the proofs in [NR96] remove that restriction.
378
Chris Hall et al.
Our construction uses the Benes transform only for technical reasons. The reason we can’t apply the Luby-Rackoff construction directly to our PRF family F is that a 4-round Luby-Rackoff cipher with m-bit blocks is only secure up to 2m/4 texts; with m = 2 · 58, the security level would be too low, so we build a double-width PRF family F 2 to increase m. However, eliminating the Benes transform could produce significant performance speedups, so this motivates the search for PRP constructions with better security. For example, by using Patarin’s recent results on the 6-round Luby-Rackoff construction [P98], we can build a widened cipher P 3 ⊂ P116 that is secure with up to about min{q, 243.5 } texts; by using single-DES instead of Triple-DES as our starting point, we can get a 116-bit cipher which is provably as secure as DES and has performance about 212 times worse than DES (or about 71 times worse than Triple-DES), though it has somewhat less security than our construction of P 2 . construction to build It would also be possible to use the TRUNCATE(P )n−m n a double-width block cipher, instead of ORDER(P )6 458:63 as above. This would provide significantly better performance (the widened cipher could be as fast as 1/3 the performance of the original cipher). However, at present the available proofs provide no guarantee of security past about 236 texts, which is probably not a compelling advantage over the 232 birthday bound. As a third alternative, one could use the re-keying construction of Bellare et. al. [BKR98] to build F out of Triple-DES (say). Applying the Benes transform and the Naor-Reingold construction would then provide a 256-bit cipher which is only 3 times slower than Triple-DES. The disadvantage is that the available security results are difficult to compare with the figures given above. The examples we gave here usually resulted in a block cipher with a peculiar width. It should be clear how to modify this example slightly to generate (say) a 192-bit block cipher, by truncating F or F 2 to the appropriate size. 3.2
Applications to 1-Bit CFB Mode
We note that our main construction provides a way to increase the robustness of 1-bit CFB mode by tweaking the mode slightly. The standard 1-bit CFB mode builds a function h : ZZ n2 → ZZ 2 by letting h(x) be the least significant bit of the encryption Ek (x) of x under a block cipher E with key k. Then we build a stream cipher as Cj = Pj ⊕ h(Cj−64 , . . . , Cj−1 ). The problem is that we are not aware of any proof that CFB mode preserves the security of the underlying block cipher. Clearly all of the security of 1-bit CFB mode must come from the non-linear Boolean function h. Theorem 1 (in Section 4.1) guarantees the security of h against an adversary with access to q 2n/2 chosen-text queries, assuming the underlying block cipher is secure. However, for typical block ciphers 2n/2 = 232 , which means that the “security warranty” provided by Theorem 1 is voided after 232 chosen-text queries5 . As 5
Theorem 7 can guarantee security up to q = O(24n/7 ), but this is still significantly smaller than the O(2n ) query security we would ideally hope to see. As we shall see, this hope is not unreasonable.
Building PRFs from PRPs
379
most typical block ciphers are built to resist much more powerful adversaries, we would prefer to have better reductions. We do not know of any better security proofs for 1-bit CFB in the literature, but we can improve the situation with a slight modification to the mode. Replace h by the function fEk defined in Section 2.1. (We will need to sacrifice one bit of feedback, so that Cj = Pj ⊕fEk (Cj−63 , . . . , Cj−1 ), but 63 bits is more than sufficient for practical purposes.) This requires two encryptions per invocation of fEk , so our mode will be twice as slow as the standard 1-bit CFB, but we do not expect this to be a serious problem, as implementors typically use 1-bit CFB mode for its resynchronization properties rather than for its performance characteristics. Of course, the primary advantage of our 1-bit modified cipher feedback mode is that we can provide provable security reductions for fEk . If E is a (t, q, e)-PRP, then fEk will be a (t, q/2, e)-PRF. In short, our construction of fEk preserves the security level of the underlying block cipher extremely effectively. Therefore, this modification to 1-bit CFB mode looks attractive for practical use.
4
Analysis
In this section we provide analysis of our ORDER(P )j:k and TRUNCATE(P )n−m n i constructions. In addition, we evaluate the security of a PRP family when viewed as a PRF family. 4.1
Previous Attempts
As we have mentioned earlier, every PRP can be viewed as a PRF with certain security parameters. We first analyze this trivial construction. Theorem 1. Let p be a random permutation on n bits. Then p is a (t, q, e)-PRF for e = q 2 /2n+1 . Proof. Standard; omitted due to lack of space. Furthermore, it is simple to show that this bound is tight. We can easily construct an adversary which distinguishes between p and a random function with advantage approximately q(q − 1)/2n+1 (for q = O(2n/2 )): simply look for collisions and return 0 if you see a collision (where you are supposed to return 1 if you think it’s not a random function). It is worth noting that this analysis also establishes the security of another related construction. One might naively propose a construction based (loosely) on the Davies-Meyer hashing mode [MMO85]: fp (x) = p(x) ⊕ x. The final xor of x into the ciphertext destroys the bijective property of p, so at first glance fp might look like a reasonable candidate for a better PRF. However,
380
Chris Hall et al.
we note that this construction has no better security than before. It can be distinguished from a random function with advantage q 2 /2n+1 : merely apply the adversary of the previous paragraph to the function g defined by g(x) = fp (x)⊕x. The security reduction we showed in Theorem 1 is sufficient to show that PRFs exist if PRPs do, from a complexity-theoretic point of view, since the security bound it shows is exponential in n. Therefore, complexity theorists interested only in asymptotics need read no further. However, practical applications are a bit more demanding: they require concrete security guarantees. We find this O(2n/2 ) level of security inadequate for practical applications. Most block ciphers today offer 64-bit block widths, thus providing a convenient and efficient PRP with n = 64. For such ciphers, the above theorem provides no security assurances when adversaries are allowed to make q ≈ 2(n+1)/2 = 232.5 chosen-text queries (or more). This is too weak for serious cryptologic use; we would prefer something that provides better resistance to chosen-text attacks. After all, the underlying block cipher typically provides better security than that—so it is natural to wonder whether we can do better. Is there a PRF construction that preserves the security of the underlying block cipher? We show below that the answer is yes. 4.2
Analysis of ORDER(P )n:1 n+1
We gave a description of ORDER(P )n:1 n+1 in Section 2.1. Let π be a (keyed) family of permutations {πk : k ∈ K} ⊂ IPn+1 on Rn+1 . Using this construction we obtain a family fπ = {fπk : k ∈ K} of functions in IFn:1 . We can (by a slight abuse of notation) view π as a random variable, taking values in IPn+1 , by taking k to be a random variable uniformly distributed over K. (We drop the subscript, writing π instead of πk as a slight abuse of notation, to avoid an unwieldy morass of distractingly nested subscripts.) Similarly, fπ can be viewed as a random variable, too. We say that p is a random permutation (on Rn+1 ) to mean that it is a random variable which is uniformly distributed over all elements of IPn+1 . Similarly, we say that f is a random function (from IFn:m ) when we mean that it is a random variable which is uniformly distributed over IFn:m . We wish to show that fπ preserves the security level of the underlying PRP π. Most of the work to be done is handled by a purely information-theoretic analysis, which ignores all issues of computational complexity. We tackle this in Theorem 2. Theorem 2. If p is a random permutation on Rn+1 , then fp is a random function over IFn:1 . Proof. Take any g ∈ IFn:1 . It is clear that there exists a p ∈ IPn+1 such that g = fp : for example, take the p such that p(2x) = 2x + g(x)
p(2x + 1) = 2x + 1 − g(x)
∀x ∈ Rn .
Building PRFs from PRPs
381
Next we show that |{p : g = fp }| is a constant that does not depend on g, i.e. that there are an equal number of representative permutations p for all g. First, suppose that g1 , g2 ∈ IFn:1 are two functions that differ at exactly one point X (i.e. g1 (x) = g2 (x) for all x 6= X and g1 (X) 6= g2 (X)). Then we construct a bijective mapping φ : IPn+1 → IPn+1 , which has the property that fp = g1 exactly when fφ(p) = g2 . This will show that there are an equal number of representations for any two functions g1 , g2 which differ at exactly one point. Then it will be easy to see that this implies the desired result, since for any two functions g,h ∈ IFn:1 one can construct a sequence g = g0 , g1 , g2 , . . . , gk−1 , gk = h such that all the consecutive pairs gi , gi+1 differ at exactly one point. The mapping φ is built as follows. Take any input p; we define φ(p) = p0 by p(b, x) if x 6= X p0 (b, x) = p(1 − b, x) if x = X. Now it is clear that fp0 = g2 if fp = g1 , and vice versa. Furthermore, φ is an involution, so it is clear that it is a bijective mapping, as claimed. This completes the proof. t u Once we have this nice result, extending it to the setting of computationallybounded adversaries is not so hard. It requires much unravelling of notation, but essentially no new ideas. We first introduce the notion of pseudo-randomness, to handle the most important case where the adversary is computationally bounded. Informally, saying that π is a pseudo-random permutation (PRP) on Rn+1 is supposed to convey the idea that it is computationally infeasible for an adversary to distinguish π from a random permutation on Rn+1 . (Some authors use the phrase “pseudorandom permutation generator” to refer to this object; for conciseness, we will omit the “generator” term throughout this paper.) We formalize this notion as follows. An adversary is an oracle machine −1 −1 B p,p ,π,π which outputs a 0 or 1 (according to whether it thinks p is truly random or is drawn from the family {πk : k ∈ K}). It takes four oracles as inputs: a test permutation p (which outputs p(x) on input x) along with its inverse p−1 , and an oracle for π (which outputs πk (x) on input k, x) as well as an oracle for π −1 . Its advantage Adv B is −1
Adv B = |Prob(B πk ,πk
,π,π −1
= 1) − Prob(B r,r
−1
,π,π −1
= 1)|,
where r is a random permutation and k is uniformly distributed over K. More formally, we say that π is a (t, q, e)-PRP if the advantage of any adversary which is allowed at most q queries (total) to the first two oracles and t offline work is at most e. This models a block cipher which is secure with up to q adaptive chosen-plaintext/ciphertext queries and t trial encryptions. See [BKR94,BGR95] for more information about (t, q, e) security. We can define a (t, q, e)-PRF (pseudo-random function) in a similar fashion. −1 In this definition, an adversary is an oracle machine Ag,γ,π,π with access to four oracles: a function g which outputs g(x) on input x, an oracle γ which
382
Chris Hall et al.
outputs γk (x) on input k, x, and two oracles π, π −1 for the PRP class (as above). We define its advantage by Adv A = |Prob(Aγk ,γ,π,π
−1
= 1) − Prob(As,γ,π,π
−1
= 1)|,
where s is a random function and k is uniformly distributed over K. In the cases that we are most interested in, we have γk = fπk . We say that γ is a (t, q, e)PRF if all adversaries A which make at most q oracles queries (total) to g, γ and perform at most t computations obey Adv A ≤ e. Note that it is important to include the oracles for π, π−1 in the definition of a (t, q, e)-PRF. In what follows, we will be interested in PRFs built from a PRP π. Here π models a block cipher; we assume the algorithm is publicly known (by Kerchkoff’s principle), so anyone trying to attack fπ can freely compute πk (x) on any chosen inputs k, x. This required us to extend the standard definition of a PRF to model this situation. With those preliminaries out of the way, we may proceed to the rest of the analysis. We get the following pleasing consequence of Theorem 2 whose proof we leave to the appendices. Theorem 3. If π is a (t, q, e)-PRP on Rn+1 , then fπ is a (t, q/2, e)-PRF over IFn:1 . t u
Proof. See Appendix A. 4.3
m
n:2 −1 Analysis of ORDER(P )n+m m
n:2 −1 In Section 2.3 we introduced the general ORDER(P )n+m construction. There are two corresponding theorems whose full proofs we omit due to a lack of space.
Theorem 4. If π is a random permutation on Rn+m , then fπ is a random function over IFn:2m −1 . Proof. (sketch) The basic idea is to again consider two functions f1 , f2 ∈ IFn:2m −1 which differ in exactly one output (say f1 (0) 6= f2 (0)). We can build a map φ : IPn+m → IPn+m such that fp = f1 exactly when fφ(p) = f2 . Again this will show that all f ∈ IFn:2m −1 have an equal number of representative permutations p (existance is trivial). To build the map φ, we need merely look at the binary tree we constructed for x = 0. (Actually we must consider a slightly expanded version of the tree in which the leaf nodes of our original tree are expanded into two children containing the values p(0, Z, x) and p(1, Z, x).) Starting with i = 0, we compare bit i of f1 (0) and f2 (0) and swap the left and right subtrees of node i if f1 (0) and f2 (0) differ in bit i. Note, this may destroy the original equality of bits j > i for f1 (0) and f2 (0) so in evaluating bit i we assume that f1 (0) has the value denoted by the most recent tree. The end result is a series of subtree swaps for evaluating f1 (0) which are clearly reversible. The subtree swaps specified will remap values of a permutation to values of another permutation and we take φ to be that map. It is clearly onto and hence bijective. This completes the proof of the theorem. t u
Building PRFs from PRPs
383
Theorem 5. If π is a (t, q, e)-PRP on Rn+m , then fπ is a (t, q/2m , e)-PRF over IFn:2m −1 . Proof. The proof is nearly identical to that of Theorem 3.
t u
In Section 2.3 we made a claim that this construction was optimal. By that we meant that one could not create a map from IPn+m to IFn:l for l > 2m − 1. We state this in the following lemma. Lemma 1. There exists no map φ : IPn+m → IFn:l for l > 2m − 1 such that N (f ) = |{p ∈ IPn+m : φ(p) = f }| is constant for all f ∈ IFn:l . Proof. Let φ be a map such that N (f ) is constant for all f ∈ IFn:l , then we will n show that l ≤ 2m − 1. There are 2l2 functions in IFn:l hence we are dividing n IPn+m into 2l2 equivalence classes. For any j, |IPj | = (2j )! and it is not hard j to show that 22 −1 exactly divides (2j )!. Hence the power of 2 dividing the size n+m n n m −1 /2l2 = 22 (2 −l)−1 . In order for N (f ) to of each equivalence class is 22 be constant, we must have that 2n (2m − l) − 1 ≥ 0, which implies 2m − l ≥ 1, whence l ≤ 2m − 1. This completes the proof of the lemma. t u Our analysis above used a strongly information-theoretic framework: first, we showed that the construction produces a random function when fed a random permutation (Theorem 2), and then all the desired pseudo-randomness results just fall out trivially from that. This framework is desirable because it makes the analysis relatively simple; however, we showed in Lemma 1 that it imposes serious limitations on the performance of the resulting constructions. The above bound essentially shows that, to achieve better performance, we’ll need to do abandon the information-theoretic framework and take another approach. This we do below. 4.4
Analysis of TRUNCATE(P )n−m n
The construction of Section 4.2 is probably most attractive because it is so amenable to theoretical analysis, and because it preserves the security of the underlying block cipher so efficiently no matter how many chosen-text queries are issued. However, it also has a severe disadvantage for practical use: it is quite slow. based on truncating In Section 2.4 we defined a PRF family TRUNCATE(P )n−m n bits of a permutation. The result trades off security for performance. Recall the construction: for any permutation πk on Rn , we define a function f ∈ IFn:n−m by fπk = g ◦ πk where g : Rn → Rn−m denotes the function which truncates the high m bits from its input. We could instead have taken g to be any fixed function g : Rn → Rn−m such that each y ∈ Rn−m has 2m easily-computable pre-images g −1 (y), and the
384
Chris Hall et al.
results would still apply. However, bit-truncation is attractive because it is both fast and amenable to a simple mathematical description6 . Therefore, for clarity of exposition we concentrate hereafter solely on bit-truncation. First we show that if π is a random permutation, then fπ is a pseudo-random function. The following theorem proves that, roughly speaking, Adv A is negligible while q min{2(n+m)/2 , 22(n−m)/3 }. Theorem 6. If π is a random permutation on Rn , then fπ is a (t, q, e)-PRF over IFn:n−m , where e = 5(q 2 /2n+m )1/3 + q 3 /22(n−m)+1 . Proof. See Appendix B.
t u
This shows that truncating some bits from the output of πk gives slightly better security. For m ≤ n/7, the theorem says that truncating m bits adds nearly m/2 bits of security against adaptive chosen-text attacks to the PRF πk . However, for m > n/7, the second term in e dominates (in that it is largest and hence limits q), and our analysis does not provide better security reductions when increasing m past n/7. We believe that these limits are not inherent, but rather are a reflection of the inadequacy of our analysis. As an illustration, the best attack we can find needs q = O(2(n+m)/2) texts to distinguish fπ from random with significant advantage (see Theorem 8), so this leaves a substantial gap between the upper and lower bounds. We suspect that a better analysis could provide a better security reduction. (However, we could be wrong.) The main idea of the proof is to show that the probability of getting any particular set of outputs Y to a given set of oracle-queries X is roughly the same whether the oracle is instantiated “under the hood” by a PRF or by a truncated-PRP. We use this to show that any oracle algorithm A must behave almost exactly the same regardless of which type of oracle it is given. That follows just because A’s execution can depend only on the list of inputs and outputs to the oracle. This can then be used to show that Adv A is small. Of course, our bounds only hold when q is small enough. The first step in the analysis is to compute the probabilities that a random function F and a truncated-PRP fπ will map X to Y . For F this is easy, but for fπ it is substantially harder. In the general case this gets quite messy, so we restrict ourselves to the special case where there are no three-way collisions in Y ; this makes the calculation tractable. (This restriction adds an artificial contribution q 3 /22(n−m)+1 to our bound on the advantage, so we have sacrificed tightness for tractability.) After that, all that is left is relatively straightforward computations (albeit in large quantities). Theorem 7. If π is a (t, q, e)-PRP on Rn , then fπ is a (t, q, e0 )-PRF over IFn:n−m , where e0 = e + 5(q 2 /2n+m )1/3 + q 3 /22(n−m)+1 . 6
The study of the properties of bit-truncation may also have some independent interest, as several authors have already suggested applying a bit-truncation output transform to existing MAC constructions in hopes of improving their security (see, e.g., [PO95]).
Building PRFs from PRPs
385
Proof. Omitted. Follows directly from Theorem 6 along lines analogous to the proof of Theorem 3. t u Theorem 8. Let π be a permutation family on Rn . Then for all q = O(2(n+m)/2 ), there is an adversary which can distinguish fπ from a random function with q known texts, O(q) work, and advantage Ω(q 2 /2n+m ). Proof. (sketch) Let r count the number of collisions in the outputs fπ (1), . . . , fπ (q). Then our adversary outputs 1 (guessing that the oracle is fπ ) if r < q(q − 1)/2n−m+1, and 0 otherwise. Using the techniques found in the proof of Theorem 6, we find that this adversary operates with advantage Ω(q 2 /2n+m ). t u
5
Conclusion
We have presented two constructions for generating pseudo-random functions given pseudo-random permutations: ORDER(P )j:k and TRUNCATE(P )n−m . The forn i mer had the notable property that it preserved the security of the underlying pseudo-random permutation whereas the latter had the property that it was much more efficient. Unfortunately, the gain in speed results in a trade-off in security and the latter construction fails to preserve the strength of the underlying pseudo-random permutation. Using our constructions we were able to solve a few different problems, including stretching the width of a block cipher while preserving the security. We also examined a secure 1-bit cipher feedback mode using a pseudo-random permutation.
Acknowledgements Thanks to Dan Boneh, Ian Goldberg, and the anonymous referees for many helpful comments.
References AV96.
W. Aiello, R. Venkatesan, “Foiling birthday attacks in length doubling transformations,” Advances in Cryptology—EUROCRYPT ’96 Proceedings, Springer-Verlag, pp. 307–320. 371, 371, 371, 372, 372, 377, 377 BCK96. M. Bellare, R. Canetti, H. Krawczyk, “Pseudorandom Functions Revisited: The Cascade Construction and its Concrete Security,” Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996. 372 BDJR97. M. Bellare, A. Desai, E. Jokipii, P. Rogaway, “A Concrete Security Treatment of Symmetric Encryption: Analysis of the DES Modes of Operation,” Full version, Extended abstract in Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 97), IEEE, 1997. 370, 371
386
Chris Hall et al.
BGR95. M. Bellare, R. Gu´erin, P. Rogaway, “XOR MACs: New methods for message authentication using finite pseudorandom functions,” Advances in Cryptology—CRYPTO ’95 Proceedings, Springer-Verlag, 1995, pp 15–28. 372, 381 BKR94. M. Bellare, J. Kilian, P. Rogaway, “The security of cipher block chaining,” Advances in Cryptology—CRYPTO ’94 Proceedings, Springer-Verlag, 1994. 372, 372, 381 BKR98. M. Billare, T. Krovetz, P. Rogaway, “Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-Invertible (Extended Abstract),” Advances in Cryptology—EUROCRYPT ’98 Proceedings, Springer-Verlag, 1998. 370, 372, 376, 378 BM84. M. Blum, S. Micali, “How to Generate Cryptographically Strong Sequences of Pseudo-random Bits,” SIAM J. Comput., 13 (Nov. 1984), pp. 850–864. C97. D. Coppersmith, “Luby-Rackoff: Four rounds is not enough,” IBM Research Report, RC 20674 (12/24/96), Mathematics. 371 GGM86. O. Goldreich, S. Goldwasser, S. Micali, “How to Construct Random Functions,” Journal of the ACM, Vol. 33, No. 4, October 1986, pp. 792–807. 370 LR88. M. Luby, C. Rackoff, “How to Construct Pseudorandom Permutations from Pseudorandom Functions,” SIAM J. Comput., Vol. 17, No. 2, April 1988, pp. 373–386. 370, 371, 371, 371, 376, 377 Lub96. M. Luby, Pseudorandomness and Cryptographic Applications, Princeton University Press, 1996. 371 Luc96. S. Lucks, “Faster Ruby-Lackoff Ciphers,” Proceedings of Third Fast Software Encryption Workshop, Springer-Verlag, pp. 189–203. 371 M92. U.M. Maurer, “A Simplified and Generalized Treatment of LubyRackoff Pseudorandom Permutation Generators,” Advances in Cryptology— EUROCRYPT ’92 Proceedings, Springer-Verlag, 1992, pp. 239–255. 371, 371, 371 MMO85. S.M. Matyas, C.H. Meyeter, J. Oseas, “Generating strong one-way functions with cryptographic algorithm,” IBM Technical Disclosure Bulletin, 27 (1985), 5658–5659. 379 NR96. M. Naor, O. Reingold, “On the construction of pseudo-random permutations: Luby-Rackoff revisited.,” preliminary version, http://www.wisdom.weizmann.ac.il/Papers/trs/CS96-10/abstract.html 377, 377 P90. J. Pieprzyk, “How to Construct Pseudorandom Permutations from Single Pseudorandom Functions,” Advances in Cryptology—EUROCRYPT ’90, Springer-Verlag, pp. 140–150. P91a. J. Patarin, “Etude des g´ n´rateurs de permutations bas´es sure le Sch´ema du D.E.S.,” Ph. D. Thesis, INRIA, Domaine de Voluceau, Le Chesnay, France, 1991. P91b. J. Patarin, “New Results on Pseudorandom Permutation Generators Based on the DES Scheme,” Advances in Cryptology—CRYPTO ’91 Proceedings, Springer-Verlag, pp. 301–312. 371, 371 P92. J. Patarin, “How to Consruct Pseudorandom and Super Pseudorandom Permutations from One Single Pseudorandom Function,” Advances in Cryptology—EUROCRYPT ’92 Proceedings, Springer-Verlag, pp. 256–266. 371, 371 P97. J. Patarin, “Improved Security Bounds for Pseudorandom Permutations,” Proceedings of the Fourth ACM Conference on Computer and Communications Security, April 1–4, 1997, pp. 142–150. 371, 371
Building PRFs from PRPs
387
J. Patarin, “About Feistel Schemes with Six (or More) Rounds,” Proceedings of the Fifth Fast Software Encryption Workshop, LNCS 1372, Springer, 1998, pp. 103–121. 378 PO95. B. Preneel, P. van Oorschot, “MDx MAC and building fast MACs from hash functions,” Advances in Cryptology—CRYPTO ’95 Proceedings, LNCS 1070, Springer-Verlag, 1996. 384 SP91. B. Sadeghiyan, J. Pieprzyk, “On Necessary and Sufficient Conditions for the Construction of Super Pseudorandom Permutations,” Advances in Cryptology—ASIACRYPT ’91, Springer-Verlag, pp. 194–209. 371 SP92. B. Sadeghiyan, J. Pieprzyk, “A Construction for Super Pseudorandom Permutations from A Single Pseudorandom Function,” Advances in Cryptology— EUROCRYPT ’92, Springer-Verlag, pp. 267–284. 371 Y82. A.C. Yao, “Theory and Applications of Trapdoor Functions,” Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, IEEE, New York, 1982, pp. 80–91. ZMI89a. , Y. Zheng, T. Matsumoto, H. Imai, “On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypothesis,” Advances in Cryptology—CRYPTO ’89 Proceedings, Springer-Verlag, pp. 461-480. 371 ZMI89b. Y. Zheng, T. Matsumoto, H. Imai, “Impossibility and Optimality Results on Constructing Pseudorandom Permutations,” Advances in Cryptology— EUROCRYPT ’89, Springer-Verlag, pp. 412–421. 371 P98.
A
Proof of Theorem 3
Proof. Our proof proceeds as follows. Suppose we have an adversary A which (t0 , q 0 , e0 )-breaks fπ .7 We construct an adversary B which (t0 , 2q 0 , e0 )-breaks π. The result will follow. −1 −1 The construction for B requires very little creativity. B p,p ,π,π performs −1 the same computations as Ag,γ,π,π ; anytime A makes an oracle query, we simulate the oracle and return the result to the computation in progress. The simulation of oracle queries goes like this. If A queries the g oracle with x, then B issues two queries to p with inputs (0, x) and (1, x) and compares the results; if p(0, x) < p(1, x), B uses the result 0, and otherwise uses 1. If A queries the γ oracle with k, x, then B issues the two queries k, (0, x) and k, (1, x) to its oracle for π, and constructs the result similarly. Finally, A’s oracle queries for π and π −1 can be satisfied trivially. Let e0 = Adv A, and let t0 , q 0 count the time and number of oracle queries that A requires. Clearly t0 , 2q 0 counts the time and number of oracle queries that B requires. It merely remains to bound Adv B, which we achieve with the following series of observations. Lemma 2. Let r be a random permutation, and s be a random function. (Recall that according to our terminology both will be uniformly distributed on their respective spaces.) 7
This means that with at most q 0 queries and t0 offline encryptions, there is an adversary who has advantage greater than e0 .
388
Chris Hall et al. −1
−1
−1
(i) For any permutation p, Afp ,fπ ,π,π = B p,p ,π,π . (ii) The random variable fr has the same distribution as s; in other words, fr is a random function. (iii) With the random variables r, s as before, we have −1 −1 Prob(As,fπ ,π,π = 1) = P rob(Afr ,fπ ,π,π = 1). −1 −1 −1 (iv) Prob(As,fπ ,π,π = 1) = Prob(B r,r ,π,π = 1). −1 −1 −1 (v) Prob(Afπk ,fπ ,π,π = 1) = Prob(B πk ,πk ,π,π = 1). Proof. (i) follows by construction of B. (ii) is exactly Theorem 2. (iii) follows immediately from (ii). (iv) follows from (i) and (iii). (v) is merely a special case of (i), substituting p = πk .
t u
Lemma 3. Adv B = Adv A. Proof. Apply part (v) of Lemma 2 to the first term in Adv B, and apply part (iv) of Lemma 2 to the second term in Adv B. We get exactly the expression for Adv A. t u Now this suffices to prove the theorem. Given that π is a (t, q, e)-PRP, we show that fπ is a (t, q/2, e)-PRF by examining the contrapositive. Suppose there exists an adversary A who (t, q/2, e0 )-breaks fπ with advantage e0 > e. We have shown how to construct an adversary B which breaks π. By Lemma 3, Adv B = Adv A = e0 ; also, B requires at most t time and q oracle queries. In other words, B (t, q, e0 )-breaks π, for e0 > e. But this contradicts our assumption that π is a (t, q, e)-PRP. Therefore, such A cannot exist, and the theorem follows. t u
B
Proof of Theorem 6 −1
Proof. Let Afπk ,π,π be any adversary that breaks fπk . Let X = (X1 , . . . , Xq ) be a q-vector over Rn of q different “inputs,” and let Y = (Y1 , . . . , Xq ) be a q-vector over Rn−m of “outputs.” The random variables (X, Y ) will be a “transcript” of a run of the adversary A: Xj records the j-th query to the fπ oracle, and Yj records the corresponding output from the oracle. Without loss of generality, we may take X = (1, . . . , q), since any adversary A which makes repeated queries Xi = Xj (i < j) can be easily converted to an adversary A0 with the same advantage such that A0 makes no repeated queries. (Our construction of A0 merely simulates the action of A, for each oracle query Xj made by A: if Xj is a new query, A0 behaves identically to A; but if Xj = Xi for some i < j, then A0 sets Yj = Yi and continues to simulate the action of A without querying the fπ oracle.) Furthermore, since π is presumed to be a truly random permutation, the values of the oracle queries don’t matter, so long as they don’t repeat.
Building PRFs from PRPs
389
Let F ∈ IFn:n−m be a truly random function. Define pF (X, Y ) = Prob(F (X) = Y ) to be the probability that F maps each Xj 7→ Yj ; define pf (X, Y ) = Prob(fπ (X) = Y ) in a similar fashion. We often leave off the (X, Y ) and simply write pf or pF when the choice of (X, Y ) is clear from context. Also, we sometimes Pwrite pf (S) to mean the probability (with respect to f ) of a set S, i.e. pf (S) = (X,Y )∈S pf (X, Y ). We wish to show that fπ is roughly indistinguishable from F if q is not too large. The main idea is to show that pf (X, Y ) ≈ pF (X, Y ). Our argument proceeds as follows. We bound pf /pF , showing that it is close to 1. This bound doesn’t hold uniformly for all choices of (X, Y ), but it holds for nearly all of them—or more precisely, the set S where the bound holds has probability very close to 1. Formally, we prove that |pf /pF − 1| ≤ δ for all (X, Y ) ∈ S; we also show that both pf (¬S) and pF (¬S) are small. This can be informally viewed as a sort of “probabilistic bound.” We prove, in another crucial lemma, that Adv A ≤ max{pf (¬S), pF (¬S)} + δ. This is a generic result that relies only on the bound on pf /pF ; no domain-specific knowledge is required. Therefore, it suffices to bound pf /pF tightly enough that pf (¬S), pF (¬S), and δ are small. We move to the details of the proof. We take S to be the set of all q-vectors Y over Rn−m which have r repeated values, no triply-repeated values, and for which |r − q(q − 1)/2n−m+1 | ≤ cq/2(n−m+1)/2 , where c ≥ 1 is a small constant left free for the moment. Lemma 5 helps us show that |pf /pF − 1| ≤ δ for (X, Y ) ∈ S. Lemma 6 bounds pF (¬S), and Lemma 7 bounds pf (¬S). Finally, Lemma 4 proves that Adv A ≤ max{pf (¬S), pF (¬S)} + δ. Combining these four lemmas, we get the big result Adv A ≤ 1/c2 + 4cq/2(n+m+1)/2 + q 3 /22(n−m)+1 + q 2 /2n+m for all c ≥ 1. Finally, we optimize over c to obtain the best bound; taking c = (2(n+m−1)/2 /q)1/3 yields Adv A ≤ 4(q 2 /2n+m )1/3 + q 3 /22(n−m)+1 + q 2 /2n+m ≤ 5(q 2 /2n+m )1/3 +q 3 /22(n−m)+1 , as claimed. Due to lack of space, the proofs of the lemmas are omitted; full details are available at http://www.counterpane.com/publish-1998.html. Lemma 4. With S defined as above, we have Adv A ≤ max{pf (¬S), pF (¬S)} + δ when δ ≥ max(X,Y )∈S |pf (X, Y )/pF (X, Y ) − 1|.
390
Chris Hall et al.
Lemma 5. Let Y have r repeated values and no triply-repeated values, with X = (1, 2, . . . , q). Then pF = 2−q(n−m) , and pf = (1 − 2−m )r
q−1 Y i=0
2m . −i
2n
We have pf /pF ≈ exp{q(q−1)/2n+1 −r/2m } for large q, r. Finally, if (X, Y ) ∈ S and q ≤ 2(n+m)/2 /c and q ≤ 22n/3 , then |pf /pF −1| ≤ δ for δ = 2cq/2(n+m+1)/2 + 2q 3 /3 · 2−2n + q 2 /2n+m+1 . Lemma 6. We have pF (¬S) ≤ 1/c2 + q 3 /6 · 2−2(n−m) . Lemma 7. We have pf (¬S) ≤ 1/c2 + q 3 /6 · 2−2(n−m) + δ. This completes the proof of Theorem 6.
t u
Security Amplification by Composition: The Case of Doubly-Iterated, Ideal Ciphers W. Aiello1 , M. Bellare2 , G. Di Crescenzo1 , and R. Venkatesan3 1
2
Bellcore, 445 South St., Morristown, NJ 07960, USA [email protected] Dept. of Computer Science & Engineering, University of California at San Diego 9500 Gilman Drive, La Jolla, California 92093, USA {mihir,giovanni}@cs.ucsd.edu. URL:http://www-cse.ucsd.edu/users/{mihir,giovanni} 3 Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA [email protected]
Abstract. We investigate, in the Shannon model, the security of constructions corresponding to double and (two-key) triple DES. That is, we consider Fk1 (Fk2 (·)) and Fk1 (Fk−1 (Fk1 (·))) with the component functions 2 being ideal ciphers. This models the resistance of these constructions to “generic” attacks like meet in the middle attacks. We obtain the first proof that composition actually increases the security in some meaningful sense. We compute a bound on the probability of breaking the double cipher as a function of the number of computations of the base cipher made, and the number of examples of the composed cipher seen, and show that the success probability is the square of that for a single key cipher. The same bound holds for the two-key triple cipher. The first bound is tight and shows that meet in the middle is the best possible generic attack against the double cipher. Keywords: Ciphers, cascaded ciphers, Shannon model, information theory, DES, Double DES, meet in the middle attacks.
1
Introduction
A block cipher is a map F : {0, 1}κ ×{0, 1}n → {0, 1}n . Here κ is the key size and def n is the block size. Each κ-bit key k induces a map Fk (·) = F (k, ·) : {0, 1}n → n n −1 denote the inverse cipher, {0, 1} which is a permutation on {0, 1} . Let F meaning F −1 (k, ·) = Fk−1 is the inverse map of Fk (·). For example, DES is such a cipher with κ = 56 and n = 64. It is common practice to compose ciphers in attempts to increase security. The result of composition is a new cipher, with a larger key size but the same block size. Here are the two most popular mechanisms, corresponding, respectively, to double DES and (two-key) triple DES: def
– Double F , or the 2-cascade cipher: Dbl-F : {0, 1}2κ × {0, 1}n → {0, 1}n is defined by Dbl-F k1 ,k2 (x) = Fk1 (Fk2 (x)) . H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 390–407, 1998. c Springer-Verlag Berlin Heidelberg 1998
Security Amplification by Composition
391
– Two-key triple F : Trp2 -F : {0, 1}2κ × {0, 1}n → {0, 1}n is defined by (Fk1 (x))) . Trp2 -F k1 ,k2 (x) = Fk1 (Fk−1 2 ∗
Let Op-F : {0, 1}κ × {0, 1}n → {0, 1}n denote one of these, where κ∗ = 2κ and Op ∈ {Dbl, Trp2 }. What we want to know is: How good a cipher is Op-F ? Has the composition and the increased key length actually bought us anything? Generic versus cryptanalytic attacks. There are several possible approaches to this question, depending on what kinds of attacks one wants to take into account. There are two main classes of attacks: • Cryptanalytic attacks: Like differential [3,4] and linear [9] cryptanalysis • Generic attacks: Like exhaustive key search and meet-in-the-middle attacks. Generic attacks are, roughly, those that don’t exploit the structure of the cipher, but work against any cipher, even an ideal one. More precisely, we define generic attacks as those that succeed in the Shannon model of an ideal cipher discussed below. The strength of specific composed ciphers like double DES against cryptanalytic attacks is not known; certainly, one does not expect a proof of such strength. The strength of the composed cipher against generic attacks, in contrast, can at least in principle be determined, by an analysis in the Shannon model, since it is a purely information theoretic question. However, the technical problems here are quite challenging; in particular, it is not even known that composition increases the strength of a cipher at all in this model. In this paper we tackle this question, analyzing, in the Shannon model, twokey based compositions such as the above. We will prove upper bounds on the probability of “breaking” the composed cipher as a function of the “effort” invested by the adversary, with both terms in quotes to be properly defined. Our results are the first to show that cipher composition in the Shannon model actually increases security: the success probability of an adversary, as a function of her resources, is significantly lower than in the case of a single key cipher. For the double cipher our results are actually tight (optimal) and show that meet in the middle is the best possible generic attack on this cipher. We now define the model, and state our results, more precisely. 1.1
The Model
We model F as an ideal block cipher in the sense of Shannon. This means F (k, ·) is a random permutation on {0, 1}n, for each k. More precisely, let PERM(n) be the set of all permutations on {0, 1}n. Then, for each κ-bit key k, select, uniformly and independently, a map from PERM(n), and assign Fk this value. So F consists of 2κ maps, each a random permutation. Now, we want to ask how good is Op as a composition operator. How can we measure this? We do so in a strong adversarial model, which allows the adversary chosen plaintext attacks on Op-F . Furthermore, success for the adversary A does not mean she has to find the key: it suffices that A identify some “weakness” in
392
W. Aiello et al.
the cipher. This means A should be able to detect any deviation in Op-F k∗ (·) from a truly random permutation, when k ∗ is a random and hidden key for Op-F . Formally, give the adversary oracles for F, F −1 . (This models her ability to compute the original cipher at any points she likes.) Also give her an oracle we call E : {0, 1}n → {0, 1}n, which can take one of two forms: ∗ • World 1: Set E = Op-F k∗ (·) where k ∗ ∈ {0, 1}κ is a randomly chosen key for cipher Op-F • World 2: Set E = π where π is a permutation chosen randomly from PERM(n). Put the adversary A in one of these worlds, and ask her which one she is in. If she can’t tell then Op-F k∗ (·) is behaving like a random permutation, meaning it is good. Formally, define the advantage of A as P1 − P2 , where Pi is the probability that A outputs 1 in world i ∈ {1, 2}. (The probability is over the choice of the oracles in each case.) Call A a (q, t)-adversary if it makes at most t queries to the F, F −1 oracles and at most q queries to the E oracle. (Note in practice t is likely to be much larger than q since F, F −1 queries are just DES computations and E queries are plaintexts in a chosen plaintext attack. We always assume q ≥ 1 since otherwise the advantage of the adversary is zero no matter what the construction.) Define Sec(Op, κ, n, q, t) as the maximum advantage attainable by any (q, t)-adversary. This is the key quantity; it is a function we call the security of the operator Op. The question is to determine this function as accurately as possible. In particular we want to upper bound it as a function of the adversary resources q, t and the block cipher parameters κ, n. Before stating the results we stress the power of the model. It allows chosen plaintext attacks on the composite cipher Op-F . Note it certainly captures common attacks like birthday attacks and meet-in-the-middle attacks, but also more sophisticated attacks which could be adaptive. Notice that the advantage of a (q, t) adversary in attacking the single key cipher F itself in this model (namely E = Fk for a random κ bit string k in world 1) will be (at most) t/2κ . This is the mark we have to beat if we want to show that the composed cipher is stronger than the original one. 1.2
The Results
It is known that the strength of the composed cipher is at least that of the first [10], but prior to this work it was not known whether the advantage of a (q, t) adversary versus Dbl-F was any lower than its advantage versus the single key cipher F itself. Here we are able to show that composition actually increases security, in the ideal cipher model described above. The double key cipher. Recall that the double F cipher Dbl-F has 2κ bits of key. Our main result is Theorem 1, which says that Sec(Op, κ, n, q, t) is at most t2 /22κ . Namely, no (q, t)-adversary attacking the double cipher can achieve an advantage greater than t2 /22κ .
Security Amplification by Composition
393
1 Sec1(x) Sec2(x)
0.8
0.6
0.4
0.2
0 46
48
50
52
54
56
Fig. 1. Sec1(x) (the upper curve) and Sec2(x) (the lower curve) are, respectively, the maximal possible advantage obtainable by an adversary in breaking the single and double key ideal ciphers, respectively, as a function of x = log2 (t), the logarithm of the number of cipher computations made. We are using a key length of κ = 56. We see that Sec2 lies below Sec1 but they meet at 1. The text provides the exact formulas for these quantities.
We also show this bound is essentially tight, due to (a variant of) the meet in the middle attack. Theorem 2 presents an adversary who runs this attack, and analyzes it to show that its advantage is within a small factor of t2 /22κ . Note that the maximum possible advantage of an adversary attacking the double cipher case is the square of the maximum possible advantage of an adversary of the same resources attacking the original single key cipher. Thus, it is considerably smaller in most cases. (For example if κ = 56 and t = 245 then the former is 2−22 and the latter is 2−11 . Or, looking at it another way, to achieve an advantage of 2−11 against the double cipher you need at least 250 queries, while to get the same advantage against the single cipher you need only 245 queries.) To see the relation better, we plot in Figure 1 the maximal advantage t/2κ of an adversary in breaking the original single key cipher, and the maximal advantage t2 /22κ of an adversary in breaking the double cipher, as a function of x = log2 (t). Notice that the upper bound on the advantage in the double key case hits one (meaning, the scheme can be broken) when t = 2κ . This is expected: that’s the meet in the middle attack. Of course, that’s the same point at which the advantage hits one for the original single key cipher. (In this case due to an exhaustive key search attack.) Thus, the “effective key length” of the double cipher is not more than that of the single one. That does not mean that security has not increased. Security is not a number, but a function of the resources invested, and our analysis and Figure 1 show that for values of t below 2κ the
394
W. Aiello et al.
chance of breaking the double cipher is smaller than that of breaking the original one. The two-key triple cipher. We show that the same bound holds for the two-key triple cipher, meaning the advantage of a (q, t) adversary is bounded by t2 /22κ . This shows that here too there is an improvement in the security curve as a function of t. In this case our bound is tight for the case t ≈ q but not tight in general. See [1] for this material. The m-fold cascade. The m-fold composition of cipher F is the cipher with key k1 , . . . , km defined by Fk1 ,...,km = Fk1 ◦ Fk2 ◦ · · · ◦ Fkm . The techniques above extend to show that the advantage of an (q, t) adversary is at most tm /2mκ . This shows that the advantage grows more and more slowly as m increases. However, for m ≥ 3 the result is not tight; we expect the 3-fold composed cipher to have an even greater strength than this indicates. Thus, we won’t discuss this result any more in this paper. The future. The analysis of the two key ciphers we present here is a start on a problem that appears to be quite technically challenging. In the future we would like to see tight bounds on the advantage for the m-fold composition for m ≥ 3 and also for the two-key triple cipher in the case q 0 it is (x, E(x)), (k, x, Fk (x)), or (k, Fk−1 (y), y), corresponding, respectively, to the query qi−1 ; for i = 0 it is the empty string.
Security Amplification by Composition
399
Also: Viewi (AE,F,F
−1
) : For i ∈ Mvs, the view of the adversary after i moves; this is q1 r2 . . . qi−1 ri if i > 0 is even; q1 r1 . . . ri−1 qi if i is odd; and the empty string if i = 0 −1 −1 View(AE,F,F ) : View2(q+t) (AE,F,F ).
Note the adversary’s output bit is some deterministic function of the last view. We call the keys (k1∗ , k2∗ ) chosen in the games the crucial key pair. Our analysis will focus on whether or not this key pair is “eliminated” by a current view, and what is its distribution from the point of view of A if not. So let vi represent a possible view after i moves of the game. We consider two sets of key pairs, the “seen key pairs” (SKP) and the “remaining key pair” (RKP): SKP(vi ) : A key pair k1 , k2 is in SKP(vi ) if there are two queries q and q 0 in vi such that q is an F -query or F −1 query with key k1 (i.e., a query of the form (k1 , x, ∗) or (k1 , ∗, y), respectively), and q 0 is an F -query or F −1 query with key k2 (i.e., a query of the form (k2 , x, ∗) or (k2 , ∗, y), respectively). RKP(vi ) : ({0, 1}κ × {0, 1}κ) − SKP(vi ) Note that SKP(vi ) depends only on the queries in vi and not on the replies. That is, SKP(vi ) = SKP(vi+1 ) for i ∈ OdMvs. If A knows that Fk2 (x) = y and Fk1 (y) = z and has also made the E query x then it can with high probability eliminate (k1 , k2 ) as a candidate for the crucial key pair. Intuitively, we might think of the key pairs (k1 , k2 ) ∈ SKP(v) as being “eliminated”. (Of course, they might not be eliminated, but we can’t be sure, so we count them out.) Thus RKP(vi ) captures the set of remaining key pairs associated to any view. These are the key pairs (k1 , k2 ) so that at least one of them has not been in either an F or an F −1 query. Note the key pair is not considered “eliminated” if one of its components has been in a F/F −1 query: both have to have been in such queries to “eliminate” the pair. The current view vi contains some number of F or F −1 queries on a particular key k. This effectively “opens up” the corresponding spots in row k of the F table, in the sense that in the randomly chosen F table, these entries become known to the adversary. Similarly for E-queries. We let F-Qrs(vi , k) = The set of all y such that there are responses in vi of the form (k, x, y). E-Qrs(vi ) = The set of all y such that there are responses in vi of the form (x, y). The random variables. Under the random choice of E, F, F −1 made in the probability spaces 1 and 2, the above discussed quantities become random variables. Here are some random variables we will need to refer to explicitly:
400
W. Aiello et al.
Qi : Ri : Ti : Viewi : View : Ui,j :
Takes value qi , the i-th query, for i ∈ OdMvs. Takes value ri , the i-th reply, for i ∈ EvMvs. Equals Qi if i is odd and Ri if i is even. −1 Takes value Viewi (AE,F,F ), for i ∈ Mvs. −1 Takes value View(AE,F,F ). Equals Ti . . . Tj
The bad event. We also define a central event: badi : For i ∈ Mvs, event badi is said to happen if the crucial key pair (k∗1 , k∗2 ) is seen, that is, (k∗1 , k∗2 ) ∈ SKP(Viewi ). In other words, the crucial key pair is “eliminated”. Whether a particular key pair has been seen only depends on the queries of A and thus badi = badi+1 for i ∈ OdMvs. We let bad be bad2(q+t) , meaning it captures whether the bad event happened at the end of the game. 3.2
Proof Outline
A very rough cut at the idea of the analysis is that as long as bad has not happened in probability space 1, the answers coming back to oracle queries there “look random” and so probability space 1 looks like probability space 2. We can then bound the advantage by the probability of the bad event. This is overly simplistic. It is also incorrect. One should first note that even if the bad event fails to happen in game 1, that game will not look like game 2; there are events that have probability one in the latter and zero in the former. In fact, we need to condition on the bad event not happening in both probability spaces. We will show that the conditional probability of a particular view given that bad has not occurred is the same in the two games. To show this we will be forced to show something stronger as stated in the lemma below. Lemma 1. Let i ∈ Mvs and let vi be a possible view of the adversary after the i-th move. Then for all 0 ≤ s ≤ 2(q + t) − i, Pr1 [ Viewi = vi | badi+s ] = Pr2 [ Viewi = vi | badi+s ] . The proof of this lemma is postponed until later. Since the final decision of the adversary depends only on its view, the distribution of the adversary’s decision is the same in the two games as long as the bad event has not happened. Thus, a corollary to the above lemma is h h i i −1 −1 (1) Pr1 AE,F,F = 1 | bad = Pr2 AE,F,F = 1 | bad . Less obvious is that Lemma 1 will also be needed to show that the probability of the bad event is the same in both games. To show this we need to prove something a bit stronger: we need to show that the equality holds at any stage. This is stated in the lemma stated below.
Security Amplification by Composition
401
Lemma 2. For all i = 0, . . . , 2(q + t), Pr1 [ badi ] = Pr2 [ badi ] .
(2)
The proof of this lemma is also postponed until later. Lemmas 1 and 2 can be used to bound the advantage of the adversary by the probability of the bad event. Lemma 3. AdvA (Dbl, κ, n) ≤ Pr2 [ bad ]. Proof (Lemma 3). The lemma is shown using the following straightforward cal−1 culation. We suppress the superscripts of AE,F,F for clarity. Pr1 [ A = 1 ] − Pr2 [ A = 1 ] =
Pr1 [ A = 1 | bad ] · Pr1 [ bad ] − Pr2 [ A = 1 | bad ] · Pr2 [ bad ] + Pr1 [ A = 1 | bad ] · Pr1 [ bad ] − Pr2 [ A = 1 | bad ] · Pr2 [ bad ]
=
(Pr1 [ A = 1 | bad ] − Pr2 [ A = 1 | bad ]) · Pr2 [ bad ]) + (Pr1 [ A = 1 | bad ] − Pr2 [ A = 1 | bad ]) · Pr2 [ bad ]
= (Pr1 [ A = 1 | bad ] − Pr2 [ A = 1 | bad ]) · Pr2 [ bad ] . The second equality is by Lemma 2. The last equality is by Equation (1).
t u
Of course, since the probability of the bad event is the same in both probability spaces we could have bounded the advantage by the probability of the bad event in probability space 1. However, calculating the probability of the bad event is very easy in probability space 2 as can be seen below. Lemma 4. Pr2 [ bad ] ≤ t2 /22κ . Proof (Lemma 4). This is straightforward, since in Game 2, no information about the keys (k∗1 , k∗2 ) is given to the adversary. The bad event depends only on the number of F and F −1 queries, and in the worst case all the t such queries are made to different keys. Then the chance that k∗1 is in any query is t/2κ , and t u the same, independently, for k∗2 , so the bound holds. Clearly, Lemmas 3 and 4 imply Theorem 1. This completes the outline of the proof of Theorem 1. To complete the proof we must prove Lemmas 1 and 2. To do so we will first need a sequence of three lemmas, Lemmas 5, 6, and 7. The last of these will be used in the proof of Lemma 1. Lemma 5 will again be used to prove Lemma 8 on the conditional probability of the crucial key pair. Lemma 8 will then be used with Lemma 1 to prove Lemma 2. 3.3
Distribution of Replies in the Next Round
In Game 2, given the view vi at any point, the distribution of the answer to the next oracle query is, clearly, uniform, over the remaining range; for example, the answer to an E-query is uniform over {0, 1}n − E-Qrs(vi ). The first lemma will say this is true for Game 1 too, as long as the bad event does not happen. However, we will need to say this in a strong sense. Namely,
402
W. Aiello et al.
fix any key pair that has still not been “eliminated”. Conditioned on this being the crucial key pair, as well as on the current view, the distribution of the answer to the next oracle query is still “as it should be,” meaning uniform over whatever possibilities remain. Note we must show this for all types of queries: E, F and F −1 . Lemma 5. Let j ∈ {1, 2} and i ∈ OdMvs. Let vi = q1 r2 . . . qi−2 ri−1 qi be a possible view of the adversary just before the answer to query qi is obtained. For any string ri+1 ∈ {0, 1}n and all (k1 , k2 ) ∈ RKP(vi kri+1 ), Prj [ Ri+1 = ri+1 | (k∗1 , k∗2 ) = (k1 , k2 ) ∧ Viewi = vi ] = 1 if qi is an E-query and ri+1 6∈ E-Qrs(vi ) n 2 − |E-Qrs(vi )| 1 if qi is an F or F −1 query with key k and ri+1 6∈ n 2 − |F-Qrs(k, vi )| F-Qrs(k, vi ) 0 otherwise. In particular, the value depends neither on j nor on (k1 , k2 ). Proof (Lemma 5). See [1].
t u
The above lemma shows that for a fixed partial conversation vi where i ∈ OdMvs, and fixed pair of keys k1 , k2 such that badi is true (i.e., (k1 , k2 ) ∈ RKP(vi )), all the answers ri+1 which continue to keep the partial conversations from being “bad” (i.e., (k1 , k2 ) ∈ RKP(vi ri+1 )), have the same probability in each probability space. We will use this lemma to prove an extension of this. Namely, for a fixed partial conversation vi and fixed pair of keys k1 , k2 such that badi is true, all further move sequences which continue to keep the partial conversations from being “bad” have the same probability in each probability space. We state this formally below. Lemma 6. Let j ∈ {1, 2}. Let vi be a possible view of the adversary after move i ∈ Mvs, and let 1 ≤ ` ≤ 2(q + t) − i. For any possible extension ui+1,i+` of vi by ` moves, and for any key pair (k1 , k2 ) ∈ RKP(vi kui+1,i+` ), Prj [ Ui+1,i+` = ui+1,i+` | (k∗1 , k∗2 ) = (k1 , k2 ) ∧ Viewi = vi ] depends neither on j nor on (k1 , k2 ). (That is, it depends only on vi and ui+1,i+` .) Proof (Lemma 6). See [1].
t u
We now use the above lemma to prove a generalization of Lemma 5 which we will need subsequently. Lemma 7. Let j ∈ {1, 2} and i ∈ OdMvs. Let vi = q1 r2 . . . qi−2 ri−1 qi be a possible view of the adversary just before the answer to query qi is obtained. For any string ri+1 ∈ {0, 1}n, all (k1 , k2 ) ∈ RKP(vi kri+1 ), and all 0 ≤ s ≤ 2(q+t)−i, Prj [ Ri+1 = ri+1 | (k∗1 , k∗2 ) = (k1 , k2 ) ∧ Viewi = vi ∧ badi+s ] depends neither on j nor on k1 , k2 . (That is, it depends only on vi and ri+1 and s.)
Security Amplification by Composition
403
t u
Proof (Lemma 7). See [1].
Proof (Lemma 1). The proof will be by induction on i ∈ Mvs. The base case of the induction is when i = 0, and in this case the lemma is trivially true because the view is by definition the empty string. So assume the statement of the lemma up to move i. We will prove it for i + 1. Fix an arbitrary s ≥ 0. First consider the case where i ∈ EvMvs, meaning the last move in vi is a reply. Let qi+1 be arbitrary. Then: Prj [ Viewi+1 = vi qi+1 | badi+1+s ] = Prj [ Viewi = vi | badi+1+s ] · Prj [ Qi+1 = qi+1 | Viewi = vi ∧ badi+1+s ] . First, look at the first factor. Since s ≥ 0 by assumption, then s + 1 ≥ 0, and therefore the first term is the same for j = 1 and 2 by induction. Next look at the second factor. A’s query is just dependent on A and on vi , the view so far. Thus, the probability is the same for both j = 1 and j = 2. (And is equal to 0 except possibly for one value of qi+1 .) Therefore, the product of the two probabilities is equal for j = 1 and j = 2, for all s ≥ 0. Next consider the case where i ∈ OdMvs, meaning the last move in vi is a query. Let ri+1 ∈ {0, 1}n be arbitrary and let vi+1 = vi ri+1 . Then: Prj [ Viewi+1 = vi ri+1 | badi+1+s ] = Prj [ Viewi = vi | badi+1+s ] · Prj [ Ri+1 = ri+1 | Viewi = vi ∧ badi+1+s ] . Consider the first factor. Since s ≥ 0 by assumption, then s+1 ≥ 0, and therefore, by induction, the first term is the same for j = 1 and 2. The second factor is equal to: X pj (k1 , k2 ) · qj (k1 , k2 ) (k1 ,k2 )
where the sum is over all (k1 , k2 ) ∈ {0, 1}κ × {0, 1}κ and we have set pj (k1 , k2 ) = Prj [ Ri+1 = ri+1 | (k∗1 , k∗2 ) = (k1 , k2 ) ∧ Viewi = vi ∧ badi+1+s ] qj (k1 , k2 ) = Prj [ (k∗1 , k∗2 ) = (k1 , k2 ) | Viewi = vi ∧ badi+1+s ] We start by examining the first factor, namely pj (k1 , k2 ). By Lemma 7, for all (k1 , k2 ) ∈ / SKP(vi+1 ), this probability is the same for both j = 1 and 2, and independent of (k1 , k2 ). Call this value p. On the other hand for (k1 , k2 ) ∈ SKP(vi+1 ) we have pj (k1 , k2 ) = 0 because of the conditioning on badi+1+s . Thus the above sum reduces to X p· qj (k1 , k2 ) (k1 ,k2 )
where the sum is over all (k1 , k2 ) ∈ RKP(vi+1 ). We claim that this range is over all the nonzero values of the probability and thus the sum is equal to 1. To see this, note that qj (k1 , k2 ) is equal to 0 for (k1 , k2 ) ∈ SKP(vi+1 ). This completes the induction and the proof of Lemma 1. t u
404
W. Aiello et al.
The remaining task is to prove Lemma 2 which states that the probability that the bad event occurs is the same in both probability spaces. To do so we will first prove the following lemma about the distribution of keys. The proof of this lemma will use Lemma 1 which, recall, states that the probability of a given query and response (which are not bad) for a fixed partial view and a fixed pair of keys (which are not bad) is the same in both probability spaces. 3.4
Equi-Probability of Unseen Keys
A crucial lemma is that in Game 1, as long as the bad event has not happened, if adversary has a particular view, then any “un-eliminated” key pair is equally likely to be the crucial key pair. Without this, it might be that the adversary’s chance of hitting the crucial key is better in Game 1 (given the bad event fails) than in Game 2 (given the bad event fails). To simplify notation, for j ∈ {1, 2} and vi let Prj,vi [ · ] = Prj [ · | Viewi = vi ∧ badi ] . Lemma 8. Let j ∈ {1, 2}. Let vi be a possible view of the adversary after move i ∈ Mvs. Let (k1 , k2 ) ∈ RKP(vi ). Then 1 . Prj,vi [ (k∗1 , k∗2 ) = (k1 , k2 ) ] = |RKP(vi )| Proof (Lemma 8). See [1].
t u
Using the above lemma we can now prove Lemma 2 which (recall) states that Pr1 [ badi ] = Pr2 [ badi ] for all i ∈ Mvs. Proof (Lemma 2). The proof is by induction on i ∈ Mvs. The base case is when i = 0. In this case, the current view v of the adversary, in either game, is empty, so that SKP(v) = ∅. Thus, both probabilities are zero. So, assume the lemma statement is true up to move i ∈ Mvs where i < 2(q + t). We will prove it for i + 1, namely we will show that Pr1 [ badi+1 ] = Pr2 [ badi+1 ] . (3) We first consider the case where i + 1 is even, meaning the last move in vi is a query. We have Prj [ badi+i ] = Prj [ badi ] + Prj [ badi+1 | badi ] . The first term is equal for j = 1 and 2 by induction, and Prj [ badi+1 | badi ] = 0 because i + 1 is even. To complete the induction we need to prove Equation (3) for the case where i + 1 is odd, meaning the last move in vi is a reply. Let j ∈ {1, 2}. We can write Prj [ badi+1 ] = Prj [ badi ] + Prj [ badi+1 | badi ] . The first term is independent of j by the induction hypothesis. We will now argue that the second term is also independent of j. By conditioning we can write the second term as
Security Amplification by Composition
405
Prj [ badi+1 | badi ] X Prj [ badi+1 | badi ∧ Viewi = vi ] · Prj [ Viewi = vi | badi ] = vi ∈Vj
=
X
vi ∈Vj
Prj,vi [ badi+1 ] · Prj [ Viewi = vi | badi ] , {z } | {z } | |
first term
{z
second term
product term associated to vi
}
where Vj = { vi : Prj [ Viewi = vi | badi ] > 0 } is the set of possible views after move i in Game j. Let us first observe that V1 = V2 , namely the set of views vi for which the second term of the “product term associated to vi ” is positive is the same in both games. This is true by Lemma 1, which tells us that Prj [ Viewi = vi | badi ] does not depend on j and hence in particular the values of v for which it is zero are the same for j = 1 and j = 2. Now let us set V = V1 = V2 and compare the sums, term by term, in the cases j = 1 and j = 2. Fix a particular string vi ∈ V and focus on the “product term associated to vi .” The second term in it is independent of j by Lemma 1. We will show the same is true for the first term, which will complete the proof. (One needs to be a little careful. The first term is not well defined for just any v, only for vi ∈ Vj . That’s why it was important, first, to restrict attention to these vi values, and, second, to make sure that V1 = V2 , since otherwise we would not be sure that we have shown equality for every term in the two sums.) So the remaining task is to consider Prj [ badi+1 | badi ∧ Viewi = vi ] for vi ∈ V and show it does not depend on j. First note that RKP(vi ) 6= ∅, because, RKP(vi ) = ∅ would imply Prj [ Viewi = vi | badi ] = 0, and we have assumed the last to not be true. Since the view vi and the adversary are fixed, the next query qi+1 is uniquely determined. Let NKP(vi , qi+1 ) = RKP(vi ) − RKP(vi kqi+1 ) be the set of “new key pairs” that are “seen” by the (i + 1)-th query. (This set is empty if the latter is an E-query. It is also empty if it is an F or F −1 query with key with which A has already queried. If it is an F or F −1 query with key k with which A has not queried, then the set consists of pairs (k, k 0 ) and (k 0 , k) where k 0 is any other key with which A has queried F or F −1 .) We claim that |NKP(vi , qi+1 )| , (4) Prj [ badi+1 | badi ∧ Viewi = vi ] = |RKP(vi )| for both j = 1 and j = 2. Note the fraction is well defined, in that the denominator is not zero, because RKP(vi ) is non-empty. Equation (4) follows from Lemma 8. This says that from the point of view of the adversary, all remaining key pairs remain equally likely, in either game. u t
406
W. Aiello et al.
Acknowledgments The second author was supported by a 1996 Packard Foundation Fellowship in Science and Engineering, and by NSF CAREER Award CCR-9624439. The third author was supported in part by the above mentioned grants of the second author. Thanks to the members of the Crypto 98 program committee for their comments on the paper.
References 1. W. Aiello, M. Bellare, G. Di Crescenzo and R. Venkatesan, “Security Amplification by Composition:The Case of Doubly-Iterated, Ideal Ciphers” Full version of this paper, available via http://www-cse.ucsd.edu/users/mihir. 394, 395, 402, 402, 403, 404, 407 2. M. Bellare, J. Kilian and P. Rogaway, “The security of cipher block chaining”, Advances in Cryptology – Crypto 94 Proceedings, Lecture Notes in Computer Science Vol. 839, Y. Desmedt ed., Springer-Verlag, 1994. 394 3. E. Biham and A. Shamir, “Differential cryptanalysis of DES-like cryptosystems,” J. of Cryptology, Vol. 4, No. 1, pp. 3–72, 1991. 391 4. E. Biham and A. Shamir, “Differential cryptanalysis of the Full 16-round DES,” Advances in Cryptology – Crypto 92 Proceedings, Lecture Notes in Computer Science Vol. 740, E. Brickell ed., Springer-Verlag, 1992. 391 5. W. Diffie and M. Hellman, “Exhaustive cryptanalysis of the NBS data encryption standard,” Computer, Vol. 10, No. 6, pp. 74–84, June 1977. 394 6. S. Even and O. Goldreich, “On the power of cascade ciphers,” ACM Transactions on Computer Systems, Vol. 3, No. 2, May 1985, pp. 108–116. 394, 394 7. S. Even and Y. Mansour, “A construction of a cipher from a single pseudorandom permutation,” Advances in Cryptology – ASIACRYPT 91 Proceedings, Lecture Notes in Computer Science Vol. 739, H. Imai, R. Rivest and T. Matsumoto ed., Springer-Verlag, 1991. 394 8. J. Kilian and P. Rogaway, “How to protect DES against exhaustive key search”, Advances in Cryptology – Crypto 96 Proceedings, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996. 394, 394, 394 9. M. Matsui, “Linear cryptanalysis method for DES cipher,” Advances in Cryptology – Eurocrypt 93 Proceedings, Lecture Notes in Computer Science Vol. 765, T. Helleseth ed., Springer-Verlag, 1993. 391 10. U. Maurer and J. Massey, “Cascade ciphers: The importance of being first,” Journal of Cryptology, Vol. 6, No. 1, 1993, pp. 55–61. 392, 394 11. R. Merkle, “Secrecy, authentication, and public key systems,” UMI Research Press, Ann Arbor, Michigan, 1979. 12. R. Merkle, and M. Hellman, “On the security of multiple encryption”, Communications of the ACM, vol. 24, n. 7, pp. 465–467, July 1981. 394 13. C. Shannon, “Communication theory of secrecy systems,” Bell Systems Technical Journal, Vol. 28, No. 4, 1949, pp. 656–715. 394 14. P. Van Oorschot and M. Wiener, “Improving meet in the middle attacks by orders of magnitude,” Advances in Cryptology – Crypto 96 Proceedings, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996. 394 15. P. Van Oorschot and M. Wiener. “A known plaintext attack on Two-Key Triple Encryption,” Advances in Cryptology – Eurocrypt 90 Proceedings, Lecture Notes in Computer Science Vol. 473, I. Damg˚ ard ed., Springer-Verlag, 1990.
Security Amplification by Composition
A
407
Best Attack: Meet in the Middle
In this section we will show the following: Lemma 9. For any κ, n ≥ 1, any 1 ≤ s ≤ q ≤ 2n−1 , and any t ≥ 2s, there is an adversary A such that t2 1 1 . · − AdvA (Dbl, κ, n) ≥ 4s2 22κ 2s(n−1) We can now optimize the value of s and obtain the following theorem which says that the bound of Theorem 1 is essentially tight: Theorem 2. For any κ, n ≥ 1, let s = d(2κ + 1)/(n − 1)e. Then for any t ≥ 2s and s ≤ q ≤ 2n−1 it is the case that 1 t2 . Sec(Dbl, κ, n, q, t) ≥ 8s2 22κ Proof. The choice of s guarantees that 22κ+1 ≤ 2s(n−1) . This means that 1 1 1 1 − s(n−1) ≥ . 22κ 2 22κ 2 Now apply Lemma 9.
t u
Notice that for typical block cipher parameters κ, n, the value of s is very small. For example, for the DES parameters κ = 56 and n = 64 we have s = d113/63e = 2. Thus the above lower bound of Theorem 2 is in practice close to the upper bound of Theorem 1. Proof (Lemma 9). The proof is by presenting an adversary A who achieves the claimed advantage. The adversary A plays a version of the meet-in-the-middle attack, but we need to adapt it slightly and then analyze it in our framework. It is convenient to let [N ] = {1, 2, . . . , N } for any integer N ≥ 1. The adversary proceeds as follows: For i = j, . . . , s do Let xj ∈ {0, 1}n be the j-th string in lexicographic order Compute yj = E(xj ) Choose two disjoint sets K1 = { k1,i : i ∈ [t/2s] } and K2 = { k2,i : i ∈ [t/2s] } of κ-bit keys, each set being of size t/2s. (These might be chosen at random, but not necessarily). For i = 1, . . . , t/2s do For j = 1, . . . , s do Compute ui,j = F (k1,i , xj ) and vi,j = F −1 (k2,i , yj ) Let ui = (ui,1 , . . . , ui,s ) and vi = (vi,1 , . . . , vi,s ) Let C = { (a, b) ∈ [t/2s] × [t/2s] : ua = vb } If C 6= ∅ then return 1 else return 0 An analysis of this attack, showing that the advantage of the adversary is as claimed, is in [1]. u t
On the Existence of 3-Round Zero-Knowledge Protocols Satoshi Hada and Toshiaki Tanaka KDD R & D Laboratories 2-1-15 Ohara, Kamifukuoka, Saitama 356-8502, Japan {sa-hada,tl-tanaka}@kdd.co.jp
Abstract. In this paper, we construct a 3-round zero-knowledge protocol for any NP language. Goldreich and Krawczyk proved that a 3-round black-box simulation zero-knowledge protocol exists only for BPP languages. However, there is no contradiction here. That is, our proposed protocol achieves a weaker notion of zero-knowledge: auxiliary-input nonuniform zero-knowledge. Since this notion has not been investigated in the literature, we classify several zero-knowledge notions including it and discuss the relationships among them. Our main contribution is to provide a non-black-box simulation technique. It is based on a novel computational assumption related to the Diffie-Hellman problem. Although this assumption is strong and nonstandard, its non-standard nature seems essential for our simulation technique. Keywords: Zero-knowledge, interactive proof, Diffie-Hellman problem.
1
Introduction
The fundamental notion of zero-knowledge (ZK) introduced by Goldwasser, Micali and Rackoff plays a central role in modern cryptography [GMR85]. In this paper, we investigate the methodology underlying ZK in order to construct a 3-round ZK protocol for NP. 1.1
Background on Zero-Knowledge Protocol
Consider an interactive protocol in which a prover convinces a verifier that some common input x belongs to some underlying language L (In this paper, L is in NP). The length of x is denoted by n and one measures complexity in terms of n. The verifier is always a probabilistic polynomial-time machine. We focus on two properties: “soundness” and “zero-knowledge.” Each can be formalized in two ways depending on whether or not we restrict the adversary (the cheating prover and the cheating verifier) to a resource bound machine. The soundness asks that if x ∈ / L, any cheating prover can not convince the verifier to accept, except with negligible error probability. This notion is formalized in two ways: “proofs” and “arguments.” These provide the statistical H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 408–423, 1998. c Springer-Verlag Berlin Heidelberg 1998
On the Existence of 3-Round Zero-Knowledge Protocols
409
soundness and the computational soundness, respectively. The former requires that even a computationally unrestricted cheating prover should be unable to make the verifier accept x ∈ / L, except with negligible probability [GMR85]. On the other hand, the latter requires that any cheating prover restricted to probabilistic polynomial-time should be unable to make the verifier accept x ∈ / L, except with negligible probability [BrCr86][BCC88]. Although the notion of arguments is weaker than the notion of proofs, it is good enough for cryptographic applications. The soundness of arguments will typically depend on the complexity assumptions such as the discrete logarithm assumption. Whenever we talk of proofs or arguments, we always mean ones with negligible error probability. Zero-knowledge asks that when x ∈ L, an interaction with the prover yields no information (other than the fact x ∈ L) to any cheating verifier. Again, this notion is formalized in two ways: “statistical ZK” (SZK) and “computational ZK” (CZK). The former requires that even a computationally unrestricted cheating verifier will not gain useful information, except with negligible probability. On the other hand, the latter requires that any resource bound cheating verifier (probabilistic polynomial-time machine or polynomial-size circuit family) will not gain useful information, except with negligible probability. Clearly, SZK is a special case of CZK. In this paper, unless stated explicitly, ZK protocols mean CZK arguments. Our proposed protocol is a CZK argument. 1.2
Classification of Zero-Knowledge
Our proposed protocol achieves the notion of auxiliary-input non-uniform ZK. Since this notion has not been investigated in detail so far, we classify several relevant ZK notions and discuss the relationships among them. ZK was originally formalized in [GMR85] as follows: for any probabilistic polynomial-time machine Vˆ (the cheating verifier), there exists a probabilistic polynomial-time machine SVˆ (the simulator) which produces a probability distribution which is computationally indistinguishable from the distribution of conversations of Vˆ with the prover P . This original definition (GMRZK) is not suitable for cryptographic applications since it is not closed under sequential composition [GoKr96]. In cryptographic applications, the verifier can have some additional a-priori information. In order to overcome the above problem, auxiliary-input zero-knowledge (AIZK) was introduced in [GoOr94]. AIZK is defined by augmenting GMRZK with auxiliary-input, that is, the simulation requirement is extended to deal with non-uniform verifiers with an auxiliary-input, where the simulator takes the same auxiliary-input used by the verifier. It was shown that AIZK is closed under sequential composition [GoOr94]. Black-box simulation zero-knowledge (BSZK) requires the existence of a universal simulator that, using any non-uniform verifier Vˆ as a black-box, succeeds in simulating the interaction of Vˆ with the prover P . It was shown that BSZK implies AIZK [GoOr94]. Although BSZK is the most restrictive among the above definitions, almost all known ZK protocols are BSZK.
410
Satoshi Hada and Toshiaki Tanaka
All the above definitions are “semi-uniform” in the sense that it uses uniform machines but quantifies over all common inputs x ∈ L. The non-uniform formalization of ZK appeared in [Go93], where all machines are modeled by a family of polynomial-size circuits. We consider two non-uniform formalizations here: non-uniform zero-knowledge and auxiliary-input non-uniform zero-knowledge. Non-uniform zero-knowledge (NUZK) is a non-uniform variant of GMRZK. That is, it requires that for any family of polynomial-size circuits Vˆ , there exists a family of (probabilistic) polynomial-size circuits SVˆ which produces a probability distribution which is computationally indistinguishable from the distribution of conversations of Vˆ with the prover P . It is important to note that NUZK does not imply GMRZK [Go98-2]. In fact, one can devise artificial protocols for sparse languages such that it achieves the notion of NUZK but not GMRZK. For example, consider the following interactive proof for a sparse language Lsp = {1n }n∈N . The prover sends the verifier a hard function K(·) of the common input x ∈ Lsp (e.g., K is a non-recursive function indicating whether the nth Turing machine accepts every input). The verifier accepts iff x is of the form 1n . Certainly, this is an interactive proof for Lsp . It is not GMRZK since there is no way to simulate in probabilistic polynomial-time the interaction in which the prover sends the value of K(x). On the other hand, it is still NUZK since the simulator may just incorporate the hard bit (i.e., the nth circuit will incorporate the bit indicating if the nth Turing machine accepts every input). This shows that NUZK is a very weak notion of ZK and does not satisfy the intuitive requirement of ZK. Also, the result of [GoKr96] can be extended to show that NUZK is not closed under sequential composition. Auxiliary-input non-uniform zero-knowledge (AINUZK) is defined by augmenting the notion of NUZK with auxiliary-input. The above interactive proof for a sparse language achieves not only NUZK but also AINUZK. That is, AINUZK also does not satisfy the intuitive requirement of ZK. However, AINUZK has an advantage over NUZK since it is closed under sequential composition [GoOr94][Go93]. Our proposed protocol achieves this notion. Let Cl(def ) denote the class of all interactive proofs and arguments satisfying the requirements of definition def . In the light of the above, it holds that Cl(BSZK) ⊆ Cl(AIZK) ⊂ Cl(GM RZK) ⊂ Cl(N U ZK) and Cl(AIZK) ⊂ Cl(AIN U ZK) ⊂ Cl(N U ZK). It is an open problem whether Cl(BSZK) equals Cl(AIZK) [GoOr94]. 1.3
Motivation and Contribution
The round complexity, the number of messages exchanged, is a standard complexity measure for the efficiency of ZK protocols. Several researchers constructed constant round ZK protocols for NP [BCY89][FeSh89] [GoKa96] 1 [BJY97]. The 1
ZK protocols constructed in [GoKa96] are proofs rather than arguments.
On the Existence of 3-Round Zero-Knowledge Protocols
411
lower bounds on the round complexity have been investigated from the practical and theoretical viewpoint. Goldreich and Oren proved that only languages in BPP have 2-round AIZK protocols [GoOr94]. Their result can be extended to prove that only languages in P/poly have 2-round AINUZK protocols. Furthermore, Goldreich and Krawczyk proved that only languages in BPP have 3-round BSZK protocols [GoKr96] 2 . Since the argument in [GoKr96] uses the notion of black-box simulation in an essential way, their result does not apply to the weaker notions such as AIZK and AINUZK. Therefore, with respect to AIZK and AINUZK, it is an interesting open problem whether there exists a 3-round ZK protocols for a non-trivial language, i.e., a language not known to be in BPP and P/poly. As mentioned above, almost all known ZK protocols are BSZK, that is, the zero-knowledge property has been demonstrated using the black-box simulation of the verifier. In fact, it seems hard to conceive an alternative way to demonstrate ZK property. Therefore, it seems hard to construct a 3-round ZK protocol for a non-trivial language. In other words, in order to construct such protocols, a new simulation technique is needed. In this paper, we construct a 3-round AINUZK protocol for any NP language. Our result does not contradict the result of [GoKr96] since our proposed protocol does not achieve the notion of BSZK. Our main contribution is to provide a nonblack-box simulation technique. It is based on a novel computational assumption related to the Diffie-Hellman problem. We call it the strong Diffie-Hellman assumption (SDHA). Although this assumption is strong and non-standard, its non-standard nature seems essential for our simulation technique. Organization. In Section 2, we give the definitions of AINUZK arguments and some standard complexity assumptions. Section 3 describes our proposed protocol. In Section 4, we formalize SDHA. In Section 5, we prove the correctness of our proposed protocol. In Section 6, we conclude with some remarks.
2
Preliminaries
In this section, we give the definitions of AINUZK arguments and some standard complexity assumptions. Most of this section follows [BJY97] and [Go98-1]. 2.1
Auxiliary-Input Non-Uniform Zero-Knowledge Arguments
We deal with NP languages and let WL (x) denote the witness set of x which belongs to an NP language L. We say that a function ν(·) : N → R is negligible if for every polynomial poly(·) and all sufficiently large n’s, it holds that ν(n) < 1/poly(n). Also, we say that a function g(·) : N → R is overwhelming if g(·) = 1 − ν(·) for some negligible function ν(·). 2
The proofs in [GoKr96] are for CZK proofs. However, their result extends to CZK arguments. See Remarks 6.3 and 6.5 in that paper.
412
Satoshi Hada and Toshiaki Tanaka
We consider two probabilistic polynomial-time interactive machines called the prover and the verifier. Initially both machines have access to a common input tape which includes x of length n. The prover and the verifier send messages to one another through two communication tapes. After exchanging a polynomial number of messages, the verifier stops in an accept state or in a reject state. Each machine, denoted by A, only sees its own tapes, namely, the common input tape, the random tape, the auxiliary-input tape and the communications tapes. In particular, the prover’s auxiliary input tape includes a witness w ∈ WL (x). Let A(x, m, r) denote A’s next message, where x is the common input, r the random coins and m the messages so far. We let Ax (·, ·) = A(x, ·, ·) and Ax,r (·) = A(x, ·, r). When A takes an auxiliary input y, we write Ayx and Ayx,r for Ax and Ax,r , respectively. Let Acc(Px , Vx ) denote the probability that V accepts when interacting with P on the common input x. The probability is taken over the random tapes of both machines. Definition 1. Let P, V be two probabilistic polynomial-time interactive machines. We say that (P, V ) is an argument for L if the following two conditions are satisfied: - Completeness: For every x ∈ L, every w ∈ WL (x), Acc(Pxw , Vx ) = 1. - Soundness: For every probabilistic polynomial-time machine Pˆ (the cheating prover), every polynomial poly(·), all sufficiently long x ∈ / L and all y’s, Acc(Pˆxy , Vx )
a0 0 0 and y a f (r) = y a f (r0 ). Then y a−a = f (r0 r−1 ), which means we can find a preimage of y by definition of q-one-wayness. This in turn contradicts the assumption that G is one-way, if P ∗ is in polynomial time. Next, we describe an unconditionally binding scheme: – Set-up Phase: P runs unconditionally binding q-homomorphism generator G on input 1l , to obtain f : H → G. He chooses an element y ∈ G according to Definition 23. Then f, G, H, y are sent to V . For some generators V can verify himself that indeed y has the property requested in Definition 23. If this is not the case, P must give a zero-knowledge proof that y 6∈ Im(f ). This can be done by a straightforward modification of the classical quadratic non-residuosity protocol from [20]. – Commitment to integer 0 ≤ a < q: P chooses random r ∈ H, and sends commit(r, a) = y a f (r) to V . – Opening commitment C: P sends a, r to V who accepts if and only if C = commit(r, a) and 0 ≤ a < q. – Hiding Property: follows immediately from the assumption in Definition 23. – Binding Property: Definition 23 guarantees that if V accepts the set-up phase, commitments to different values will be in distinct cosets of Im(f ). We will write [r, a]y for y a f (r), and sometimes, when no misunderstanding is possible, only [r, a] or [a]. It should be clear from the definition of these commitments that both types have a linear homomorphic property: given commitments [r, a] and [s, b], P can open [r, a] · [s, b] to reveal (a + b) mod q. Indeed, let j
430
Ronald Cramer and Ivan Damg˚ ard
be such that a + b = (a + b) mod q + jq, and let t be such that f (t) = y jq . Note that by q-one wayness, t is easy for P to compute. We have [r, a] · [s, b] = [rst, (a + b) mod q]. In a similar way, it follows that [r, a]c = [r0 , ca mod q] and y c · [r, a] = [r00 , (c + a) mod q] for a constant c and easily computable (by P ) values r0 , r00 ∈ H. 2.3
Auxiliary Protocols
All protocols in this section are proofs of knowledge and 3-move Arthur-Merlin games, with a random challenge from V as second message. We say that such a protocol has the special soundness property if from any pair of conversations (m, e, z), (m, e0 , z 0 ), where e 6= e0 , one can efficiently compute the information the prover claims to know. In [3], a definition of proofs of knowledge is given, part of which is the soundness error. Loosely speaking, this is the maximal probability with which the prover can convince the verifier without having the claimed knowledge: the definition requires that any prover with success probability larger than the soundness error should be able to compute the relevant knowledge in expected time inversely proportional to his success probability. We have the following which can be found, e.g. in the coming journal version of [13]. It is hardly surprising, but less trivial to prove than one might expect: Lemma 24 If a protocol has special soundness, it has soundness error 1/c, where c is the number of possible challenges the verifier chooses from. A protocol is special honest verifier zero-knowledge (SHVZK), if it has a simulator which on input e produces a correctly distributed conversation (m, e, z). This is a stronger condition than normal honest verifier zero-knowledge which just calls for a simulator producing a conversation with a random e. We first give a protocol for showing that a commitment contains a 0/1 value. For this, it turns out to be sufficient to be able to prove knowledge of a preimage under f . The following protocol can be used for any f generated by a q-one-way generator, and is a generalization of Schnorr’s discrete log protocol [25]: f -PREIMAGE PROTOCOL Input: f and u ∈ G. P knows v, such that f (v) = u. 1. P chooses r ∈ H at random and sends m = f (r) to V . 2. V chooses a random challenge e, so that 0 ≤ e < q and sends it to P . 3. P sends z = rv e to V , who checks that f (z) = mue . Lemma 25 If P, V follow the protocol, V always accepts. The protocol has the special soundness property and is SHVZK. Proof The first claim is trivial. The second follows directly from the definition of q-one-wayness. Finally, on input e, one simulates by choosing at random z and outputting (f (z)u−e, e, z). t u
Zero-Knowledge Proofs for Finite Field Arithmetic
431
It is clear that this protocol can be used to show that a commitment C contains 0, by using u = C, and that it contains 1 by using u = Cy −1 . We may now use the proof of partial knowledge technique from [10][12] to make a protocol in which P proves that C contains 0 or 1, without revealing which is the case. The resulting protocol is referred to as a bit commitment proof. It is still SHVZK, and has special soundness. Its communication complexity is 4l + 2 log q bits. The final auxiliary protocol we have is a multiplication protocol, an interactive proof showing that the prover can open commitments A, B, C to reveal values a, b, c for which c = ab mod q. As a side effect, we also obtain a protocol for showing that the prover can open a commitment. Assume P knows how to write the commitments in the form A = [r, a]y , B = [u, b]y , C = [s, ab mod q]y . Now observe that if we choose j such that ab = (ab) mod q + jq and set t = f −1 (y −jq )su−a , then t is easily computable by P , and C = [t, a]B . Conversely, assuming that you can open A and B to reveal a, b, knowledge of such a t implies you can open C to reveal ab mod q. With this rewriting of C we see that, loosely speaking, we need a protocol for showing that A contains the same value w.r.t. y as does C w.r.t B. This leads to: MULTIPLICATION PROTOCOL Input: f and commitments A, B, C. P knows a, r, t, b, u, such that A = [r, a]y , C = [t, a]B and B = [u, b]y . The protocol proceeds by executing the following two 3-step protocols in parallel, using the same challenge e in both instances. The first is intended to verify that A, C have the correct form, while the second verifies that the prover can open B 3 : 1. First protocol: (a) P chooses x ∈ Zq and s1 , s2 ∈ H at random and sends M1 = [s1 , x]y , M2 = [s2 , x]B to V . (b) V chooses a random number e, so that 0 ≤ e < q and sends it to P . (c) P sets z = (x + ea) mod q and chooses i such that z = x + ea + iq. He then computes w1 = s1 re f −1 (y −iq ) and w2 = s2 te f −1 (B −iq ). He sends z, w1 , w2 to V , who verifies that [w1 , z]y = M1 Ae and [w2 , z]B = M2 C e . 2. Second protocol: (a) P chooses d ∈ Zq and s ∈ H at random and sends M = [s, d]y to V . (b) V chooses a random number e, so that 0 ≤ e < q and sends it to P . (c) P sets v = (d + eb) mod q and chooses j such that v = d + eb + jq. He then computes w = sue f −1 (y −jq ). He sends v, w to V , who verifies that [w, v]y = M B e The properties of this protocol are the following: 3
In some cases, the context may imply that P knows how to open B, in which case the second subprotocol can be omitted.
432
Ronald Cramer and Ivan Damg˚ ard
Lemma 26 If P, V follow the protocol, V always accepts. The protocol has special soundness: from two accepting conversations with challenges e, e0 , e 6= e0 , one can efficiently compute a, r, b, u, s such that A = y a f (r), B = y b f (u), C = y ab mod q f (s). Finally, the protocol is SHVZK. Proof The first claim is trivial by inspection. For the second, we let two conversations (M, M1 , M2 , e, v, w, z, w1 , w2 ), (M, M1 , M2 , e0 , v 0 , w0 , z 0 , w10 , w20 ), where e 6= e0 be given. If they lead to accept, we immediately obtain 3 equations 0 from each conversation. By dividing them pairwise, we get: y z−z f (w1 w10 −1 ) = 0 0 0 0 0 −1 Ae−e , B z−z f (w2 w20 ) = C e−e and y v−v f (ww0−1 ) = B e−e . Define ω = 0 −1 0 (e − e ) mod q, and i such that (e − e )ω = 1 + iq. Let α = f −1 ((B i )q ), which is easy to compute by q-one wayness. Then by raising the last equation to ω, we get 0 B = y (v−v )ω f ((ww0−1 )ω α−1 ) which is the desired form. The other two equations can be treated similarly. For honest verifier simulation on input e, choose v, w, z, w1 , w2 uniformly at random, and compute the rest of the conversation by: M = y v f (w)B −e , M1 = y z f (w1 )C −e , M2 = B z f (w2 )C −e . t u The communication complexity of the multiplication protocol is 6l + 3 log q bits. Both our auxiliary protocols have soundness error 1/q by construction. For our main protocols, we will need error 2−k . For this, we will iterate the auxiliary protocols in parallel dk/ log qe times. This works, since SHVZK and special soundness are trivially seen to be preserved under parallel composition.
3
Examples of Group Homomorphism Generators
Any of our generators have 1l and a prime q as input parameters. Generators with bounded q include as part of their definition a constant δ. Proofs in this section are left to the reader. RSA GENERATOR The generator selects an RSA modulus N = p1 p2 of bit length l, for primes p1 , p2 , such that (q, (p1 − 1)(p2 − 1)) = 1. The output is N . For this generator, ∗ we define H = G = ZN , and f (x) = xq mod N . Lemma 31 Under the RSA assumption, the RSA generator is a q-one-way generator, with unbounded q. One can also base an unconditionally binding generator on an RSA-like function. The resulting commitment/encryption scheme was first discovered by Benaloh [7] in the context of verifiable secret sharing. q-RESIDUOSITY GENERATOR The generator selects an RSA modulus N = p1 p2 of bit length l, for primes
Zero-Knowledge Proofs for Finite Field Arithmetic
433
p1 , p2 , subject to q|(p1 − 1)(p2 − 1) and δ = log q/ log N . The output is N . ∗ For this generator, we define H = G = ZN , and f (x) = xq mod N . By the q’th residusity assumption, we mean the assumption that random elements in distinct cosets of Im(f ) as defined here are polynomially indistinguishable. This is a natural generalization of the well known quadratic residuosity assumption. Lemma 32 Under the q’th residuosity assumption, the q-residuosity generator is an unconditionally binding q-homomorphism generator. that our We now show a generator based on the discrete log problem modulo a prime number. The commitment scheme resulting from this generator was first discovered by Pedersen [24] in the context of verifiable secret sharing. DISCRETE LOG GENERATOR The generator selects randomly a prime p of bit length l, subject to δ = log q/log p and q|p − 1, where 0 < δ < 1 is a constant. It also selects g ∈ Zp∗ , such that g generates the (unique) subgroup in Zp∗ of order q. The output is p, g. For this generator, we define H = Zq , G =< g >, and f (x) = g x mod p. When using this generator as basis for our protocols, we will assume that a party receiving an element u supposedly in G always verifies that uq = 1 and stops the protocol if not. Lemma 33 Assume that any probabilistic polynomial time algorithm solves the discrete log problem modulo prime numbers as selected by the Discrete Log Generator with negligible probability. Then the Discrete Log Generator is a q-one-way generator with bounded q. We remark that nothing prevents us from using other groups of prime order, such as for example the group on an appropriately chosen elliptic curve. Finally, we show an example of an unconditionally binding generator, based on the DiffieHellman problem [11]: DIFFIE-HELLMAN GENERATOR The generator selects randomly a prime p of bit length l/2, subject to δ = log q/l and q|p − 1, where 0 < δ < 1/2 is a constant. It also selects g ∈ Zp∗ , such that g generates the (unique) subgroup in Zp∗ of order q, and finally a random h ∈< g >. The output is p, g, h. For this generator, we define H = Zq , G =< g > × < g >, and f (x) = (g x mod p, hx mod p) 4 . Recall that (p, q, g, h) can be used as a public key to encrypt an element m ∈< g > by choosing r at random and letting the ciphertext be (g r mod p, mhr mod p) [14]. Recall also the notion of polynomial security, defined by Goldwasser and Micali [18], which says that random encryptions of distinct messages are poynomially indistinguishable. 4
The remark on verification of membership in G for the Discrete Log Generator also applies here
434
Ronald Cramer and Ivan Damg˚ ard
Lemma 34 If Diffie-Hellman encryption is polynomially secure, then the DiffieHellman generator is an unconditionally binding q-homomorphism generator.
4
Protocol Descriptions
This section describes our protocols in a way that is independent from any particular implementation of the commitment scheme. We will describe how to build honest verifier zero-knowledge protocols. Well known techniques may then be used to make protocols that are zero-knowledge in general. Common to all our protocols is an intital step in which the prover and verifier go through the setup phase for the commitment scheme, as described in Section 2. This can be done once and for all, and the instance of the commitment scheme generated can be reused in several protocol executions. Therefore, we do not mention the intital step explicitly in the descriptions below. The linear homomorphic property of commitments can be used to show relations on committed bits. Concretely, suppose we want to show for two sets of bit-commitments D0 , ..., Dn and C0 , ..., Cn , where n < log q, that the same bit bi is contained in Ci and Di , for i = 1...n. This can be done much more efficiently than by comparing each Ci , Di individually. For this, we have the following protocol: EQUALITY PROTOCOL n n 2n−1 2n−1 ·..·C0 , and D = Dn2 ·Dn−1 ·..·D0 V computes the commitments C = Cn2 ·Cn−1 which should both be commitments to the number whose binary representation is bn bn−1 ...b0 . P opens CD−1 to reveal 0. It is easy to see that this game reveals nothing about the value of b0 , ..bn , and that assuming P can open each of the commitments to reveal a one-bit value, all pairs Ci , Di contain the same bit, or he can break the commitment scheme. 4.1
Protocols for Arithmetic Circuits over GF (q)
In this section, we are given an arithmetic circuit Ψ over GF (q), where q is an m-bit prime, with u inputs, t multiplication gates, and any number of linear operations. All gates have arbitrary fan-out. We assume for simplicity that there is only one output value computed, from gate G0 , we are given a value y for this output, and the prover’s goal is to demonstrate that inputs can be selected that lead to output y. STEP 1 The prover makes u commitments I1 , .., Iu , such that Ij contains input value xj ∈ GF (q). The input values are selected such that the circuit computes y as output. The prover also makes t commitments T1 , ..., Tt , such that Ti contains the value that is output by the i’th multiplication gate in the circuit, given that the inputs are x1 , ..., xu . All commitments produced are sent to V , and P proves that he knows how to open all of them.
Zero-Knowledge Proofs for Finite Field Arithmetic
435
STEP 2 Both P and V compute, based on I1 , .., Iu , T1 , .., Tt and using linearity of commitments, for each gate commitment(s) representing its input value(s), and a commitment representing its output value. PROOF, Step 3 For each multiplication gate: let A, B be the commitments representing the input values a, b, and let C be the commitment representing the output value c. P uses the multiplication protocol to convince V that ab mod q = c. PROOF, Step 4 P opens the commitment representing the output value of G0 . V accepts, if and only if all proofs in Steps 1 and 3 are accepted, and P correctly opens the commitment in Step 4 to reveal y. For clarity, we have separated the invocation of subprotocols into steps 1 and 3. However, they can all be executed in parallel, using the same random challenge from V for all of them. By SHVZK for the subprotocols, this can still be simulated against an honest verifier. We get the following, which we state without proof: Lemma 41 The above protocol is using commitments constructed from a q-one-way generator is perfect honest verifier zero-knowledge, and honest verifier zero-knowledge when using commitments constructed from an unconditionally binding q-homomorphism generator. The communication complexity is O((u+ t) (l + m)dk/me) bits in either case. A Non-interactive with Preprocessing Variant We sketch here a variant of the arithmetic circuit protocol that is non-interactive with preprocessing. The asymtotic complexity for the preprocessing is the same as the original protocol, whereas the proof phase has complexity O((u + t)(l + m)) bits. The variant is based on a technique borrowed from Beaver et al. [1]. In the preprocessing, the prover will produce commitments J1 , ..., Jm containing random values (will later represent input values), and t random triples of commitments ([d ], [e], [f ]) such that de = f mod q. The prover will show that he can open all commitments and that the multiplicative relations hold. In the proof phase, a circuit with input values is known to the prover. Consider a fixed multiplication gate. It is first assigned a distinct triple ([d], [e], [f ]) from the preprocessing. Let a, b, c, where ab = c mod q be the values actually occurring at the gate. The prover can now send to the verifier = a − d and δ = b − e. Now, the verifier can on his own compute a triple [a], [b], [c] by letting [a] = y [d], [b] = y δ [e] and [c] = y +δ [f ] · [d]δ · [e] . In the same way, the prover tells the verifier how to modify the Ji ’s to get commitments containing the correct inputs to the circuit by giving the differences between the random values in the Ji ’s and the actual values. All that remains is for the prover to show that “gates connect correctly”, i.e. that if e.g. A0 represents the output from one gate, which is connected to the
436
Ronald Cramer and Ivan Damg˚ ard
input of another gate, represented by A, the prover shows that A and A0 contain the same value by opening A0 A−1 as 0 (where, however, V can handle linear operations on his own). 4.2
Non-Interactive Protocols with Preprocessing for SAT
For the protocol description, we first need some notation and definitions: We will assume (without loss of generality) that the circuit to be proved satisfiable later is given with at most n NAND gates with fan-in 2 and arbitrary fan-out. Definition 42 A NAND-Table is a matrix with 4 rows and 3 columns containing commitments. A NAND-table is correct, if it contains only bit commitments and any of its rows ([a], [b], [c]) satisfies a ∧ b = ¬c. An NAND table is useful if it is correct, and if one obtains, by opening all its commitments and permuting the rows, the truthtable of the NAND-function. In the following the honest prover will make only useful NAND-tables, but to keep the prover from cheating it will be enough to force him to generate at least correct NAND-tables. To show correctness of a NAND-table, P can first show that the 8 commitments in the two first positions of each row are bit commitments. Then for each row [a], [b], [c], P shows that 1 − c = ab mod q. Assuming that a and b are 0/1 values, this ensures that so is c, and that ¬c = a∧b. PREPROCESSING The prover makes n useful NAND-tables, using for each table an independently and uniformly chosen permutation of the rows. He proves that all NAND-tables are correct, as described above. For the proof phase, we are given the concrete circuit Φ that should be shown to be satisfiable, containing gates G1 , .., Gn , where we assume that Gn is the gate computing the final output from the circuit. The proof string to be sent to V is constructed by P as follows: PROOF, Step 1 For i = 1..n, take the first unused NAND table Ti from the preprocessing and assign it to gate Gi . Fix a set of input bits that satisfy the circuit. A computation with these input bits selects in a natural way a row in each Ti . For i = 1..n, P includes 2 bits in the proof string indicating which row is selected. Having selected rows in all truth tables, P has defined commitments representing the inputs and output of each gate. He must now demonstrate that ”gates connect correctly”: PROOF, Step 2 We make a list of pairs of commitments as follows: Let w be a wire in the circuit. If it connects from Ti to Tj , append to to the list the pair of commitments representing the output from Ti resp. the relevant input to Tj . For each circuit input bit b, let Tk be the first gate receiving b. Append to the list a set of pairs,
Zero-Knowledge Proofs for Finite Field Arithmetic
437
each of which have the input commitment from Tk as first component and as the second an input commitment from each distinct gate also receiving b. P must now show that each pair of commitments contain the same bit. Clearly, this gives at most 2n pairs of commitments that must checked for equality. For commitments with unbounded q, or bounded commitments where δl ≥ 2n, P completes these equality proofs by opening only one commitment, by running the Equality protocol shown above. Otherwise, the bits to be compared are distributed over several commitments holding δl bits each, so P will need to open 2n/(δl) commitments. PROOF, Step 3 P opens the last commitment in the selected row of Tn (to reveal 1, in order to convince V about the final result of the computation in the circuit). VERIFICATION OF PROOF If V rejected any of the proofs in the preprocessing, V rejects immediately. V selects the rows designated by the information from Step 2 of the proof. V computes the pairs of commitments used by P in Step 3, and verifies that P have proved that all pairs contain equal bits (this amounts to verifying that P has correctly opened one or more commitments to reveal 0). Finally V verifies that the commitment opened in Step 4 was correctly opened to reveal 1. As for ACP, the subprotocols in the preprocessing can be done in parallel. This, and SHVZK for the subprotocols lead to: Lemma 43 The above protocol using commitments constructed from a q-oneway generator is perfect honest verifier zero-knowledge. If the generator has unbounded q, the communication complexity of the preprocessing is O(nl + k) bits, and O(n)max(k, l) bits otherwise. When using commitments constructed from an unconditionally binding q-homomorphism generator, the protocol is honest verifier zero-knowledge, and the communication complexity of the preprocessing is O(nl + k) bits. The proof stage has size O(n + l) in all cases. 4.3
Zero-Knowledge Proof for QBF
In [26], Shamir gave the first proof that IP = P SP ACE, by exhibiting an interactive proof system for the PSPACE complete QBF problem. A little later, Shen [27], building on Shamirs ideas, gave a somewhat more efficient proof system for QBF, which appears to be the most efficient proof system known for QBF. In this section, we sketch how our techniques may be applied to transform Shens proof system into a zero-knowledge proof system with the essentially the same communication and round complexity. By examining Shen’s protocol, one finds that all the work done takes place in a finite field GF (q) for some prime q. If, for a QBF instance of length n, we want error probability 2−n , the analysis of the protocol shows that this can be done by using a q of bit length O(n). By further inspection of the protocol, one finds that in each round of the protocol, the prover sends the coefficients of some
438
Ronald Cramer and Ivan Damg˚ ard
polynomial, the verifier checks this polynomial, and returns a random element in the field. The operations done by the verifier in order to check the polynomials received all fall in one of the following categories: 1. Evaluate a polynomial received from the prover in a point chosen by the verifier, or in a constant point. 2. Add or multiply a constant number of values computed as in 1). 3. Compare values computed as in 1) or 2). 4. The final step: insert all random values chosen by the verifier into a multivariate polynomial efficiently computable from the input QBF instance. Compare the result to a value obtained from the previous rounds. We now modify the protocol by having the prover communicate his polynomials by in stead sending commitments to each of the coefficients. This affects the number of bits needed to send a polynomial by at most a constant factor, and furthermore the verifier can on his own compute commitments to results of operations of type 1). For the multiplications in 2), the prover supplies a commitment containing the result of each such multiplication. Therefore, at the end of the interaction, the verifier has for each multiplication in the original protocol a set of triples of commitments ([a], [b], [c]), also he has one commitment D together with a value d that can be computed efficiently from the QBF instance. The verifier now only needs to be convinced that for each triple, it holds that ab mod p = c, and that D contains d. The multiplication protocol allows the prover to convince the verifier about these facts in honest verifier zero-knowledge. Since it is constant round and communicates a constant number of commitments, we get a protocol with the same round and communication complexity, up to a constant factor.
5
Results for the Main Protocols
The results below use the same notation as the corresponding protocol descriptions, and all protocols are designed for an error of 2−k . For formal definitions of proof systems, completeness, soundness and zero-knowledge, please refer to [20]. In the case of arguments, completeness and zero-knowledge are as for proof systems. For computational soundness, we use the so called relative soundness definition of [13] (with one change, see below) and show that our protocol, given an instance of the commitment scheme, has soundness error 2−k relative to the problem of breaking the commitment scheme. Concretely, this means that if a cheating prover has success probability > 2−k , then he can break the commitment scheme instance in expected time polynomial in l and linear in 1/( − 2−k ). In [13], the circuit to prove is given as input initially. This cannnot be assumed to be true for a protocol with preprocessing. So for this case, we define the success probability of a cheating prover to be the probability with which he can successfully complete the preprocessing, and then compute a non-satisfiable circuit together with a proof that the verifier will accept.
Zero-Knowledge Proofs for Finite Field Arithmetic
439
We note that all our communication complexity results are computed without including the complexity of setting up the commitment schemes, since the same commitment scheme instance can be reused in many protocol executions 5 . Theorem 51 If there exists a q-one-way generator with unbounded q then there exists a non-interactive perfect zero-knowledge argument with preprocessing for Boolean Circuit Satisfiability. The communication complexity of the preprocessing is O(nl + k) bits, while the proof phase has size O(n + l). If the generator has bounded q, the conclusion is the same, but the communication complexity of the preprocessing becomes O(n)max(k, l) bits. Theorem 52 If there exists an unconditionally binding q-homomorphism generator (with bounded q) then there exists a non-interactive zero-knowledge proof with preprocessing for Boolean Formula Satisfiability, such that the communication complexity of the preprocessing is O(n)max(k, l) bits, while the proof phase has size O(n + l). Theorem 53 If there exists an q-one-way generator, resp. an unconditionally binding q-homomorphism generator then there exists a perfect zero-knowledge argument, resp. a computational zero-knowledge proof for ACP. The communication complexity is O((u + t)(l + m)dk/me) bits in either case. A sketch of the proofs for these theorems: From Lemmas 41, 43, we have honest verifier zero-knowledge protocols, which, except for the initial set-up of commitment schemes are 3-move Arthur-Merlin games with k-bit challenges, and have communication complexities as required in the theorems. To establish soundness, we observe that from correct answers to 2 different challenges, one can compute either a satisfying assignment or two different ways to open some commitment, the latter case being of course impossible with unconditionally binding commitments. This immediately implies soundness for the interactive proof case and, using Lemma 24, also for the argument case. To show zero-knowledge in general, we observe that the interactive arguments we have from the lemmas are already zero-knowledge in general, since the verifier shows knowledge of a trapdoor for the commitments in the initial stage. Adjusting correctly the error probability of this proof, we can ensure that by rewinding the verifier, the simulator can, in expected polynomial time, either extract this trapdoor or exhaustively find a satisfying assignment. Then simulation is trivial in either case. For the interactive proof case, we use the well-known idea that the honest verifier simulator can be used as subrutine in a real simulation provided that the verifier commits to his challenge in advance. For a solution of the subtle technical problems with this, see [17]. If we use our unconditionally hiding commitments for this part, both soundness and asymptotic communication complexity will be unaffected. 5
However, in several cases, including the setup step makes no difference. This is true in general for Theorem 51, and for Theorems 52, 53 when based on the Diffie-Hellman generator.
440
Ronald Cramer and Ivan Damg˚ ard
Theorem 54 If there exists an unconditionally binding q-homomorphism generator (with bounded q), then there exists a zero-knowledge interactive proof system for the QBF problem with the same asymptotic round and communication complexity as Shen’s interactive proof system when designed to have error probability 2−n for a length n QBF instance. Proof sketch The zero-knowledge protocol described in Subsection 4.3 consists of first a stage where the prover and verifier go through ”the same” interaction as in the original proof system, except that the prover sends commitments to his messages. Then a stage, where the prover convinces the verifier that a set of relations hold between the committed values. This stage is only honest verifier zero-knowledge, but can be made zero-knowledge with no essential loss of efficiency as above, using the method from [17]. Hence the proof that our modified protocol is a zero-knowledge proof system for QBF is a straightforward modification of the proof from [6] since, like ours, the protocol built in [6] is a modification of an Arthur-Merlin interactive proof system with one-sided error. Also, the transformation from [6] results in a two-stage protocol of the same form as ours. t u Acknowledgement We thank the anonymous referees for comments that substantially improved our presentation.
References 1. D. Beaver: Efficient Multiparty Protocols Using Circuit Randomization, Proceedings of Crypto 91, Springer-Verlag LNCS, 1992, pp. 420–432. 435 2. L. Babai, L. Fortnow, L. Levin and M. Szegedi: Checking Computations in Polylogarithmic Time, Proceedings of STOC ’91. 427 3. M. Bellare and and O. Goldreich: On Defining Proofs of Knowledge, Proceedings of Crypto ’92, Springer Verlag LNCS, vol. 740, pp. 390–420. 430 4. J. Boyar, G. Brassard and R. Peralta: Subquadratic Zero-Knowledge, Journal of the ACM, November 1995. 426 5. G. Brassard, D. Chaum and C. Cr´epeau: Minimum Disclosure Proofs of Knowledge, JCSS, vol.37, pp. 156–189, 1988. 425, 425 6. M.Ben-Or, O.Goldreich, S.Goldwasser, J.H˚ astad, J.Kilian, S.Micali and P.Rogaway: Everything Provable is Provable in Zero-Knowledge, Proceedings of Crypto 88, Springer Verlag LNCS series, 37–56. 425, 427, 427, 440, 440, 440 7. J. Benaloh: Secret Sharing Homomorphisms: Keeping Shares of a Secret Secret, Proc. of Crypto 86, Springer Verlag LNCS series, 251–260. 432 8. R. Cramer and I. Damg˚ ard: Linear Zero-Knowledge, Proc. of STOC 97. 426, 426, 426, 427 9. R. Cramer, I. Damg˚ ard and U. Maurer: Span Programs and General Secure Multiparty Computations, BRICS Report series RS-97-27, available from http://www.brics.dk. 425 10. R. Cramer, I. Damg˚ ard and B. Schoenmakers: Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols, Proceedings of Crypto ’94, Springer verlag LNCS, vol. 839, pp. 174–187. 431 11. W. Diffie and M. Hellman: New Directions in Cryptography, IEEE Transactions on Information Theory IT-22 (6): 644–654, 1976. 433
Zero-Knowledge Proofs for Finite Field Arithmetic
441
12. De Santis, Di Crecenzo, Persiano and Yung, Proceedings of FOCS 1994. 431 13. I. Damga˚ ard and B. Pfitzmann: Sequential Iteration of Interactive Arguments, Proc. of ICALP 98, Springer Verlag LNCS series. 430, 438, 438 14. T. ElGamal, A Public-Key Cryptosystem and a Signature Scheme based on Discrete Logarithms, IEEE Transactions on Information Theory, IT-31 (4): 469–472, 1985. 433 15. L.Fortnow: The complexity of Perfect Zero-Knowledge, Adv. in Computing Research, vol.5, 1989, 327–344. 425 16. E. Fujisaki and T. Okamoto: Statistical Zero-Knowledge Protocols to prove Modular Polynomial Relations, Proceedings of Crypto 97, Springer Verlag LNCS series. 425 17. O. Goldreich and A. Kahan: How to Construct Constant-Round Zero-Knowledge Proof Systems for NP, Journal of Cryptology, (1996) 9: 167–189. 439, 440 18. S. Goldwasser and S. Micali: Probabilistic Encryption, JCSS, vol.28, 1984. 433 19. O. Goldreich, S. Micali and A. Wigderson: Proofs that yield Nothing but their Validity and a Methodology of Cryptographic Protocol Design, Proceedings of FOCS ’86, pp. 174–187. 425 20. S. Goldwasser, S. Micali and C. Rackoff: The Knowledge Complexity of Interactive Proof Systems, SIAM J.Computing, Vol. 18, pp. 186-208, 1989. 425, 429, 438 21. R.Gennaro, T.Rabin and M.Rabin: Simplified VSS and Fast-Track Multiparty Computations, Proceedings of PODC ’98. 425 22. J. Kilian: A note on Efficient Proofs and Arguments, Proceedings of STOC ’92. 426 23. J. Kilian: Efficient Interactive Arguments, Proceedings of Crypto ’95, Springer Verlag LNCS, vol. 963, pp. 311–324. 426, 426, 427, 427, 427 24. T. Pedersen: Non-Interactive and Information Theoretic Secure Verifiable Secret Sharing, proc. of Crypto 91, Springer Verlag LNCS, vol. 576, pp. 129–140. 433 25. C. P. Schnorr: Efficient Signature Generation by Smart Cards, Journal of Cryptology, 4 (3): 161–174, 1991. 430 26. A.Shamir: IP=PSPACE, Journal of the ACM, vol.39 (1992), 869-877. 427, 437 27. A. Shen: IP=PSPACE, Simplified Proof, Journal of the ACM, vol.39 (1992), pp.878-880. 427, 437 28. A. De Santis, S. Micali, G. Persiano: Non-interactive zero-knowledge with preprocessing, Advances in Cryptology - Proceedings of CRYPTO 88 (1989) Lecture Notes in Computer Science, Springer-Verlag pp. 269–282. 426
Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints? Cynthia Dwork1 and Amit Sahai2 1
IBM Almaden Research Center 650 Harry Road, San Jose, CA 95120, USA [email protected] 2 MIT Laboratory for Computer Science 545 Technology Square, Cambridge, MA 02139, USA [email protected]
Abstract. An interactive proof system (or argument) (P, V ) is concurrent zero-knowledge if whenever the prover engages in polynomially many concurrent executions of (P, V ), with (possibly distinct) colluding polynomial time bounded verifiers V1 , . . . , Vpoly(n) , the entire undertaking is zero-knowledge. Dwork, Naor, and Sahai recently showed the existence of a large class of concurrent zero-knowledge arguments, including arguments for all of NP, under a reasonable assumption on the behavior of clocks of nonfaulty processors. In this paper, we continue the study of concurrent zero-knowledge arguments. After observing that, without recourse to timing, the existence of a trusted center considerably simplifies the design and proof of many concurrent zero-knowledge arguments (again including arguments for all of NP), we design a preprocessing protocol protocol, making use of timing, to simulate the trusted center for the purposes of achieving concurrent zero-knowledge . Once a particular prover and verifier have executed the preprocessing protocol protocol, any polynomial number of subsequent executions of a rich class of protocols will be concurrent zero-knowledge.
1
Introduction
In order to be useful in the real world, cryptographic primitives and protocols must remain secure even when executed concurrently with other arbitrarily chosen protocols, run by arbitrarily chosen parties, whose identities, goals, or even existence may not be known. Indeed, this setting, characterized in [13] as a distributed computing aggregate, describes the Internet. Electronic interactions over an aggregate, such as economic transactions, transmission of medical data, data storage, and telecommuting, pose security risks inadequately addressed in computer science research. In particular, the issue of the security of concurrent executions is often1 ignored. ?
1
Most of this work performed while at the IBM Almaden Research Center. Also supported by a DOD NDSEG doctoral fellowship, and DARPA grant DABT-96-C0018. but not always, e.g. [1] in a different setting
H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 442–458, 1998. c Springer-Verlag Berlin Heidelberg 1998
Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints
443
A zero-knowledge protocol is supposed to ensure that no information is leaked during its execution. However, when zero knowledge interactions are executed concurrently both parties can be at risk. Consider the case of zero knowledge proofs: the verifier faces the possibility that the prover with which it is interacting is actually using some concurrently running second interaction as an “oracle” to help answer the verifier’s queries – this is the classical chess master’s problem. In the case of a proof of knowledge, the interaction may not actually yield a proof. This is an issue of potential malleability of the interactive proof system, and is addressed in [13]. In contrast, the prover faces the risk that concurrent executions of a protocol with many verifiers may leak information and may not be zero-knowledge in toto. In this case the interaction remains a proof but may fail to remain zero knowledge. This issue was first addressed in [16]. To overcome this difficulty, [16] introduce the notion of an (α, β) constraint for some α ≤ β: For any two (possibly the same) non-faulty processors P1 and P2 , if P1 measures α elapsed time on its local clock and P2 measures β elapsed time on its local clock, and P2 begins its measurement in real time no sooner than P1 begins, then P2 will finish after P1 does. As [16] points out, an (α, β) constraint is implicit in most reasonable assumptions on the behavior of clocks in a distributed system (e.g., the linear drift assumption). According to the (standard) view that process clocks are under the control of an adversarial scheduler, the (α, β) constraint limits the choices of the adversary to schedules that satisfy the constraints. Under an (α, β) constraint, [16] shows that there exist constant round concurrent zero-knowledge protocols of various kinds, for example, arguments for any language in N P 2 . In the protocols of [16], processors make explicit use of their local clocks in order to achieve concurrent zero-knowledge. The protocols require that certain timing constraints be met, which limit the kinds of protocol interleavings that can occur. Our Contribution. In this work, we reduce the need for timing in achieving concurrent zero-knowledge. Specifically, for a rich class of interactive protocols, we are able push all use of timing into a constant round preprocessing phase; furthermore, the real time at which the preprocessing phase between a prover P and verifier V1 occurs need not have any relation to the real time when P and a different verifier V2 execute the preprocessing. After this preprocessing protocol phase, the prover and the verifier can execute any polynomial number of a rich class of protocols without any further timing constraints, and the whole interaction will be concurrent zero-knowledge. We require the existence of a semantically secure public-key encryption scheme. By limiting the use of timing to a single initial phase for each (P, V ) pair, our methods can reduce the real execution time of protocols. This is because once preprocessing completes the parties never deliberately introduce timing delays in executing steps of future protocols. In contrast, in the protocols of [16] such deliberate delays play a critical role. For many applications, where two parties 2
under verious standard computational assumptions
444
Cynthia Dwork and Amit Sahai
will be executing many zero-knowledge protocols, such as authentication with a system, these repeated delays may be expensive. Moreover, as we will see, our approach frequently yields simpler protocols that are easier to prove concurrent zero-knowledge. Colluding Verifiers interacting with the Prover V1 V2 . . . Vn Step 1 Step 2 Step 1 Step 2 .. . Step Step Step Step
1 2 3 4
.. . Step 3 Step 4 Step 3 Step 4 Diagram 1. A troublesome interleaving for concurrent zero-knowledge. Interleavings of Protocols. The difficulty in achieving concurrent zeroknowledge is due to the existence of certain “bad” interleavings of concurrently executing protocols. The bad interleavings revolve around the difficulty of simulating a transcript of multiple concurrent interactions (recall that the ability to simulate an interaction is the core of the definition of zero-knowledge). Consider the standard (computational) zero-knowledge protocol for 3-colorability3 [22], which can be based on any information-theoretic commitment scheme. Generic Zero-Knowledge Argument for 3-Colorability: 1) V −→ P : Information-theoretic commitment to queries. 2) P −→ V : Commitment to graphs and colorings. 3) V −→ P : Open queries. 4) P −→ V : Open queried graphs or colorings, which V then checks are valid. The standard simulator, having access only to V , produces transcripts of this protocol as follows. First, it receives V ’s commitment in Step 1. Then, supplying V initially with “garbage” in Step 2, the simulator discovers the queries V committed to through V ’s Step 3 response. The simulator uses this knowledge to construct graphs and colorings which would fool these particular queries. Then 3
This is the “‘parallelized” version that has negligible error while remaining zeroknowledge.
Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints
445
the simulator “rewinds” the interaction to just after Step 1, and supplies V with a commitment to these new graphs and colorings in Step 2. Since V is already committed by Step 1, its Step 3 response cannot change. Thus, the simulator can open the graphs and colorings according to the queries, and V will accept. This simulator fails in the context of concurrent interactions because of the rewinding. Consider the following interleaving of n colluding verifiers following the generic four-round protocol described above. An adversary controlling the verifiers can arrange that the Step 1 commitments to queries made by verifiers Vi+1 , . . . , Vn can depend on messages sent by the prover in Step 2 of its interaction with Vi . It is a well-known open problem how to simulate transcripts with this interleaving in polynomial time; the difficulty with the straightforward approach is that once the queries in the interaction with Vi are opened (in Step 3), it becomes necessary to re-simulate Step 2 of the interaction with Vi , and therefore the entire simulation of the interaction with verifiers Vi+1 , . . . , Vn must be re-simulated. The most deeply nested transaction, with Vn , is simulated roughly 2n times. Remark on Commitment Schemes The literature discusses two types of bit or string commitment: computational and information-theoretic. In computational string commitment there is only one possible way of opening the commitment. Such a scheme is designed to be secure against a probabilistic polynomial time receiver and an arbitrarily powerful sender. In information theoretic commitment it is possible to open the commitment in two ways, but the assumed computational boundedness of the sender prevents him from finding a second way. Such a scheme is designed to be secure against an arbitrarily powerful receiver and a probabilistic polynomial time prover. See [13] for a formal definition of computational commitment. The commitments in Step 1 of the generic zero-knowledge argument must be information-theoretic, meaning that information theoretically nothing is leaked about the committed values. This is for soundness, rather than for zeroknowledge. Our techniques require that the verifier only use computational commitments (for example, as in the 6-round zero-knowledgeargument for NP of Feige and Shamir [19], which we modify for technical reasons). The Trusted Center Model. Consider a model in which a trusted center gives out signed public key, private key pairs (E, D) of some public key cryptosystem to every user over a secure private channel. As we now explain, in this model arguments such as the one given in [19] can be simulated without rewinding, provided that the commitments by V are performed using the public key E given to it by the trusted center. This is significant because, if there is no rewinding, then interleavings such as the one described above are not problematic. The simulator for V simulates its interaction with the trusted center as well as with P . So, the simulator knows the private key D corresponding to the public key E used in V ’s commitments. Hence, the simulator never has to rewind to learn a committed value. We call such simulations, in which rewinding is
446
Cynthia Dwork and Amit Sahai
avoided, straight-line4 . In the case of straight-line zero-knowledge protocols, it is clear that concurrent interactions pose no threat to simulability, since the simulator can simulate each interaction independently in a straight-line fashion. This trusted center model is extremely powerful, and a great many standard protocols become straight-line zero-knowledge, and hence concurrent zero-knowledge, in the trusted center model with only minor modifications. For example, aside from arguments for N P , we also exhibit natural protocols for deniable message authentication and coin flipping. Although straight-line zero-knowledge implies concurrent zero-knowledge without any timing constraints in the trusted center model, the notion of a trusted center that knows everyone’s private keys and communicates over secure channels is undesirable or infeasible in many contexts. The preprocessing protocol protocol of Section 4 uses timing to permit P and V to agree on a key EV for V to use for commitments in their future interactions. Intuitively, the interaction ensures (with overwhelming probability) that V (perhaps with the collusion of other verifiers, but with absolutely no help from P ), “knows” the corresponding decryption key DV . Formally, the preprocessing protocol protocol will ensure that subsequent interactions between P and V that would have been straight-line zero-knowledge in the trusted center model, are actually straightline zero-knowledge in the conventional model.
2
Model and Definitions
Timing. We assume that all parties in any interaction have access to local clocks. Furthermore, as proposed in [16], we assume that there are known constants α and β ≥ α, for which the following (α, β) constraint holds: For any two (possibly the same) non-faulty processors P1 and P2 , if P1 measures α elapsed time on its local clock and P2 measures β elapsed time on its local clock, vand P2 begins its measurement in real time no sooner than P1 begins, then P2 will finish after P1 does. Zero-Knowledge and Concurrent Zero-Knowledge. In the original “black box” forumulation of zero-knowledge proof systems [24], an interactive proof system (P, V ) for a language L is computational (or perfect) zero-knowledge if there exists a probabilistic, expected polynomial time oracle machine S, called the simulator, such that for every probabilistic polynomial time verifier strategy V ∗ , ∗ the distributions (P, V ∗ )(x) and S V (x) are computationally indistinguishable (or identical) whenever x ∈ L. Here, formally, the machine V ∗ is assumed to take as input a partial conversation transcript, along with a random tape, and 4
Note that without a trusted center or some other extra source of power, straightline zero-knowledge is not an interesting concept, since any language that premits a straight-line zero-knowledge proof in the conventional sense must be in BPP – the simulator could act as the prover.
Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints
447
output the verifier’s next response. This defintion also holds in the case of arguments [7], or computationally-sound proofs, where the prover and verifier are both probabilistic polynomial time machines. Following [16], to investigate preservation of zero-knowledge in a distributed setting, we consider a probabilistic polynomial time adversary that controls many verifiers simultaneously. Here, we consider an adversary A that takes as input a partial conversation transcript of a prover interacting with several verifiers concurrently, where the transcript includes the local times on the prover’s clock when each message was sent or received by the prover. The output of A will either be a tuple (ıreceive, V, α, t), indicating that P receives message α from V at time t on P ’s local clock, or (ısend, V, t), indicating that P must send a message to V at time t on P ’s local clock. The adversary must output a local time for P that is greater than all the times given in the transcript that was input to A (the adversary cannot rewind P ), and standard well-formedness conditions must apply. If these conditions are not met, this corresponds to a non-real situation, so such transcripts are simply discarded. Note that we assume that if the adversary specifies a response time t for the prover that violates a timing constraint of the protocol with V , the prover should answer with a special null response which invalidates the remainder of the conversation with verifier V . The distribution of transcripts generated by an adversary A interacting with a prover P on common input x is denoted (P ↔ A)(x). We say an argument or proof system (P, V ) for a language L is computational (or perfect) concurrent zero-knowledge if there exists a probabilistic, expected polynomial time oracle machine S such that for every probabilistic polynomial time adversary A, the distributions (P ↔ A)(x) and S A (x) are computationally indistinguishable (or identical) whenever x ∈ L. Note that since we assume that the prover acts honestly and follows the protocol, it does not matter if there is a single entity that is acting as the prover for all verifiers, or if there are many entities that are acting as provers for subsets of the verifiers, since the actions of the provers would be the same, and in our model, the timing of events is controlled by the adversary. NIZK. Some of our protocols make use of non-interactive zeroknowledge (NIZK) proof constructions [5,20,2,4] for languages in N P . Note, however, that although typically one considers NIZK in a model where all parties share a public random string, we do not make any such assumptions in any model we consider. In a NIZK proof, the prover P and verifier V have a common input x and also share a random string σ, called the reference string, of length polynomial in the length of x. The prover wishes to convince the verifier of the membership of x in some fixed N P language L. To this end, the prover is allowed to send the verifier a single message m = P (x, σ), computed (probabilistically) as a function of x, σ. The probabilistic polynomial time verifier must decide whether or not to accept as a function of x, σ, and m. Such an interaction (P, V ) is an NIZK proof system for L if: (1) If x ∈ L, for all σ, (P, V )(x, σ) accepts. (2) If x ∈ / L, for all P ∗ , the probability over σ and the random coins of P and V that (P ∗ , V )(x, σ) accepts is negligible. (3) There exists a proba-
448
Cynthia Dwork and Amit Sahai
bilistic polynomial time simulator S such that, if x ∈ L, then the distributions S(x) and (σ, P (x, σ)), where in the latter distribution σ is chosen uniformly, are computationally indistinguishable. We further ask that the prover be probabilistic polynomial time, but also allow that in the case when x ∈ L, the prover is given a witness w for the membership of x ∈ L. We require, however, that the distribution (σ, P (x, σ, w)) be computationally indistinguishable from S(x) no matter how the witness w is chosen. [20,2] show that such NIZK proof systems with efficient provers exist for every language in N P assuming trapdoor permutations exist. Note that the definition above gives “bounded” NIZK proof systems, i.e., a given reference string σ can be used to prove only one N P statement. We also require unbounded NIZK proof systems, in which any polynomial number of N P statements can be proven in zero-knowledge using the same reference string σ. [12,20] have shown that the existence of a bounded NIZK proof system for an N P -complete language L with an efficient prover implies the existence of unbounded NIZK proof systems with efficient provers for any language in N P . A precise definition of unbounded NIZK can be found in [2,4,20]. Note that NIZK proofs are truly non-interactive only if the prover and the verifier already agree on a random string σ, which we do not assume. Furthermore, if the distribution of σ is far from uniform, then the zero-knowledge condition fails to hold. This issue motivates our concurrently simulable random selection protocol, described below. Assumptions. We require a probabilistic public key cryptosystem that is semantically secure [23]. The encryptions must be uniquely decodable (so the scheme must be undeniable [9]). We will use the public key cryptosystem for computationally secure string commitment as follows: V uses an encryption key E to commit to a string s by simply sending an encryption e of s using a random string r. To open s, V sends s, r; the receiver checks that e = E(s, r).
3
Straight-Line Zero-Knowledge in the Trusted Center Model
In order to define the class of protocols for which our construction applies, we consider a trusted center model, in which the trusted center communicates to each participant a public key, private key pair (E, D) for a public key cryptosystem, over a secure private channel. More formally, we assume the existence of a trusted center with which any party can interact using a secure private channel. In our model, before any protocol (P, V ) begins, first V receives a public key and private key pair (E, D) from the trusted center over a secure channel, whereas P receives only E from the trusted center. Then the interaction takes place as in the normal model. Also in our trusted center model, we modify the definition of zero-knowledge to require the simulator to also simulate the interaction with the trusted center, which in particular means that the simulator produces the public key E and private key D given to any verifier.
Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints
449
We use the trusted center model only for definitional purposes; our protocols do not assume a trusted center. In particular, we will define the class of protocols that are straight-line zero-knowledge in the trusted center model and argue that any protocol in this class is concurrent zero-knowledge. We will show that this class is rich, and, in the next section, show how to use timing to replace the role of the trusted center by means of a preprocessing phase. As noted above, the trusted center model is extremely powerful; in particular, in this model Rackoff and Simon were able to define and construct noninteractive zero-knowledge proofs of knowledge [27]. These noninteractive proofs could then be used to prove “plaintext awareness” of encrypted messages (intuitively, that the sender “knows” what he is sending), resulting in a cryptosystem secure against the most general chosen ciphertext attacks (called chosen ciphertext in the post-processing mode in [13]; the construction of the cryptosystem in [27] also requires the trusted center to establish a digital signature scheme). This is equivalent to non-malleable security against a post-processing chosen ciphertext attack [13]. The trusted center model also proves useful in the context of concurrent zero-knowledge. In particular, if the protocol requires that commitments be made using the key E chosen by the trusted center, then the construction of concurrent zero-knowledge protocols becomes a simpler task: the simulator simulates each party’s interaction with the trusted center, and hence knows the secret key D for each public key E later used in the protocol. We will prove concurrent zero-knowledge in the trusted center model by establishing an even stronger property, straight-line zero-knowledge. Intuitively, a protocol is straight-line zero-knowledge if there exists a simulator that does no “re-winding” in order to produce its transcript. Formally, a zero-knowledge interactive protocol (P, V ) is straight-line zero-knowledge if the simulator S for the protocol is of a special form. Recall S is in general an expected polynomial time machine that uses a verifier strategy V ∗ as an oracle, giving it partial transcripts and obtaining the verifier’s next message as its response. Define ∗ O(S V (x; r)) = (q1 , q2 , . . . , qm ) to be the ordered sequence of oracle queries (partial transcripts) given by S to V ∗ , on input x and using random bits r. We ∗ require for every V ∗ , x, and r, letting O(S V (x; r)) = (q1 , q2 , . . . , qm ), that the transcript qi is a prefix of qi+1 for 1 ≤ i ≤ m − 1. Such a simulator S is called a straight-line simulator. It is immediate that a straight-line zero-knowledge protocol is also concurrent zero-knowledge, since interaction with many verifiers simultaneously can be simulated by simply simulating the interaction with each verifier separately using the straight-line simulator. Note that, in the conventional framework for zero-knowledge proofs, straightline zero-knowledge proofs can only exist for languages in BP P , since the polynomial time simulator can act as the prover. In the trusted center model, this need not concern us, since the real prover cannot impersonate the trusted center, whereas the simulator can.
450
3.1
Cynthia Dwork and Amit Sahai
Examples
The class of protocols with straight-line simulators in the trusted center model is rich. Generic NP. The generic argument for membership in an NP language, described in Section 1 requires information-theoretic commitments on the part of the verifier, and therefore does not fit our model. The 6-round protocol of Feige and Shamir [19], which can be based on any one-way function, can be modified to be straight-line zero-knowledge in the trusted center model provided that the verifier’s commitments are made using the key received from the trusted center. The modification involves using an information-theoretic commitment scheme for an additional initial commitment by the prover (details are omitted for lack of space). Thus, there is a constant round straight-line zero-knowledge argument in the trusted center model for every language in NP based only on the existence of semantically secure public-key encryption and information-theoretic commitment schemes. However, there is a simpler, four round scheme, based on the existence of trapdoor permutations, which we present below. Random String Selection. We next describe a random string selection (coinflipping) protocol, by which two parties P and V can select a random string which will be random as long as one of the parties is honest. The random selection protocol has the following extremely useful property: in the trusted center model, the simulator can force any desired string as the outcome of the protocol; moreover, the distribution of simulated transcripts is identical to the distribution on actual transcripts, conditioned on any given output. In the sequel, let E denote the public key assigned to the verifier by the trusted center. The natural cryptographic protocol for random selection of strings of length k, due to [3], can be made straight-line simulable as follows5 : 1) V −→ P : E(rV ) : rV ∈R {0, 1}k 2) P −→ V : rP : rP ∈R {0, 1}k 3) V −→ P : Reveal coins used to generate E(rV ). The output of the protocol is rV ⊕ rP . Since E(rV ) is a computationally secret commitment to any party that does not know D, it is clear that this protocol achieves the desired random selection properties. Here, the simulator, on input x ∈ {0, 1}k , (after having simulated the trusted center, i.e., having supplied V with a public key, private key pair (E, D)), receives the verifier’s Step 1 message. Using D, it recovers rV . The simulator then supplies V ∗ with the Step 2 message x ⊕ rV . In Step 3, V ∗ must decommit to rV , and so the output of the protocol is x. If the input x is chosen uniformly at random, then the simulator’s Step 2 message, x ⊕ rV will also be uniformly random. Hence, the simulator’s distribution will actually be identical to the distribution of actual transcripts. 5
It is interesting that if the roles of P and V are reversed, P ’s new role in the protocol is no longer known to be simulable.
Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints
451
Alternative NP. We can use the random string selection protocol to give a 4round alternative to the straight-line zero-knowledge argument system for N P that is also straight-line zero-knowledge in the trusted center model, if we make the stronger assumption that trapdoor permutations exist. By [20,2], assuming trapdoor permutations exist, there are efficient prover NIZK proofs for N P . Recall that NIZK proofs require a random string to be shared by the parties P and V . We will use the random selection protocol above to select this shared randomness. The following protocol is therefore an argument proving x ∈ L for any language L ∈ N P : 1) 2) 3) 4)
V P V P
−→ P −→ V −→ P −→ V
: : : :
E(rV ) : rV ∈R {0, 1}poly(|x|) rP : rP ∈R {0, 1}poly(|x|) Reveal coins used to generate E(rV ). NIZK proof that x ∈ L using reference string σ = rV ⊕ rP .
Note that Step 4 can later be repeated any (polynomial) number of times to prove different statements in N P once the reference string has been established (using an unbounded NIZK proof system such as the one given in [20]). A straight-line simulator proceeds as follows. First, it calls the simulator SN IZK (x) of the NIZK proof system, which produces a reference string σ and an NIZK proof p. The straight-line simulator given above for the random selection protocol is then invoked to produce a transcript for Steps 1-3 that force rV ⊕ rP = σ. The simulator then outputs p as the prover’s Step 4 message, and terminates the simulation. Since the distribution SN IZK (x) is computationally indistinguishable from the distribution (σ, p) where σ is truly random, and p is generated by the NIZK prover’s algorithm, we have that the distribution of our straight-line simulator will be computationally indistinguishable from the distribution of actual conversation transcripts of this protocol. Deniable Message Authentication. NIZK proofs can also be useful for constructing straight-line zero-knowledge protocols for other applications. Consider the problem of deniable message authentication [13,15,16]. Here, the prover wishes to authenticate a message m to the verifier, in such a way that no other party can verify the authentication. In particular, we require that verifiers cannot prove to anyone else that the prover authenticated m. It suffices that the protocol be concurrent zero-knowledge, since if the verifiers could generate the transcript of their conversations with the prover on their own, then certainly it will not be possible to prove that the prover authenticated m to any other party. We exhibit a very natural protocol for this task, with a slight modification to make it straight-line zero-knowledge. For this protocol, we will require a non-malleable public key encryption scheme. Note that the encryption scheme must be non-malleable in the conventional model, not just in the trusted center model! Let the prover’s public non-malleable encryption key be EP , for which it alone knows the private key. 1) V −→ P : E(rV ), where rV ∈R {0, 1}poly(|x|) 2) P −→ V : rP , where rP ∈R {0, 1}poly(|x|)
452
Cynthia Dwork and Amit Sahai
3) V −→ P : Reveal coins used to generate E(rV ). Choose r ∈R {0, 1}k . Send EP (m ◦ r), y = E(r), and an NIZK proof that the two encryptions sent are consistent with some r ∈ {0, 1}k using reference string σ = rV ⊕ rP . 4) P −→ V : r Note that the first two steps can be omitted if there is some other source of a random string to use as the reference string for the NIZK proof. Such a string could, for example, be found as part of the public key for the prover’s encryption scheme, as it is in the construction of [13]. The straight-line simulator simulates the first 2 steps trivially. In Step 3, after checking the NIZK, the simulator uses D to decrypt y, yielding rS . Note that if the NIZK proof was accepted, then the decryption will correctly give rS = r with all but negligible probability. Hence, the simulator simply outputs rS as the prover’s final message, and terminates. The simulator will thus fail with no more than a negligible probability. These examples illustrate not only that the class of straight-line zeroknowledge protocols in the trusted center model is rich, but also that it is not difficult to construct proofs that fit this definition. In the next section, we show how to eliminate the trusted center for the purpose of concurrent zero-knowledge using a preprocessing protocol based on timing constraints.
4
The Preprocessing Protocol
In this section, we show how to how to achieve concurrent zero-knowledge without the trusted center for all protocols that are straight-line zero-knowledge in the trusted center model. This is accomplished by replacing the trusted center with a preprocessing protocol that employs timing constraints. This eliminates the trusted center for the purpose of maintaining concurrent zero-knowledge. Let G be the generator for a public-key cryptosystem which requires `(n) random bits. We will write G(1n , σ) = (E, D) to mean that G, when given security parameter n and random bits σ ∈ {0, 1}`(n), produces the public encryption algorithm E and private decryption algorithm D. Let C be a secure commitment scheme, such as the elegant scheme of [26]. The protocol uses the Basic Commit with Knowledge protocol (BCK) of [13]. Preprocessing Protocol: 0. V : Generates random strings σ, r01 , r02 , . . . r0n , r11 , r12 , . . . , r1n ∈ {0, 1}`(n) V runs G(1n , σ) to produce E and D, and sets up the scheme C. 1. V −→ P : E, C(σ), C(r01 ), C(r02 ), . . . , C(r0n ), C(r11 ), C(r12 ), . . . , C(r1n ). 2. P −→ V : Random bits b1 , b2 , . . . , bn . i ⊕ σ. 3. V −→ P : For each i, opens C(rbi i ) and sends r(1−b i) 4. V ←→ P : Verifier gives a ZK argument (e.g. [19]) of consistency of the Step 1-3 messages above with some σ such that G(1n , σ) produces E. 5. P −→ V : If Step 4 is accepted, send “READY.”
Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints
453
Timing Constraints: (1) P requires the Step 3 message to be received before time α has elapsed on its local clock since the Step 1 message was sent. If a verifier V fails to respond in this allotted time, we say V has timed out. (2) P does not send the Step 5 signal until time β has elapsed on its local clock since Step 1. For zero-knowledge, we assume that the adversary is constrained by an (α, β)constraint. For completeness we must also assume that V can send its Step 3 message in the real time required for time α to elapse on P ’s local clock. The following theorem shows that these timing constraints effectively eliminate all problematic interleavings. Theorem 1. Assuming that a semantically secure public-key cryptosystem exists, the Preprocessing Protocol, followed by any polynomial number of protocols that are straight-line zero-knowledge in the trusted center model, is (computational) concurrent zero-knowledge. Furthermore, using the Preprocessing Protocol does not give the Prover any advantage it would not have in the original protocol. In particular, using the Preprocessing Protocol does not endanger the soundness of any protocol that was sound in the trusted center model. Theorem 2. Let π = (P, V ) be any protocol in the trusted center model, and let π 0 = (P 0 , V 0 ) be the Preprocessing Protocol followed by π in the normal model. Then, for any probabilistic polynomial time prover P ∗ , there exists another prover P ∗∗ such that the distribution of transcripts from (P ∗ , V 0 ) (not including the transcript of the Preprocessing Protocol) is computationally indistinguishable from the distribution of transcripts from (P ∗∗ , V ) (not including the initial interaction with the trusted center). Proof (of Theorem 2). Theorem 2 follows from the fact that the verifier’s role in the Preprocessing Protocol is simulable without knowing D or a σ such that G(1n , σ) = (E, D). P ∗∗ behaves as follows: First it simulates the Preprocessingprotocol with P ∗ , and then it simply behaves as P ∗ does afterwards. From the trusted center, it first receives E. Then it generates random strings σ, r01 , r02 , . . . r0n , r11 , r12 , . . . , r1n ∈ {0, 1}`(n), and sets up the commitment scheme C with P ∗ . It sends E, C(σ), C(r01 ), C(r02 ), . . . , C(r0n ), C(r11 ), C(r12 ), . . . , C(r1n ) to P ∗ , who responds with some random bits b1 , b2 , . . . , bn . P ∗∗ then for each i, opens i C(rbi i ) and sends r(1−b ⊕ σ. Note that all this time σ had absolutely nothing i) to do with E. However, by the zero-knowledge property of the argument of Step 4, P ∗∗ can simulate Step 4 as if G(1n , σ) = (E, D). By this zero-knowledge condition, the transcript of all steps so far is computationally indistinguishable from a partial transcript of a real interaction of V 0 and P ∗ . Since the state of P ∗ at the end of Step 4 (i.e. the beginning of π) is computationally indistinguishable from its state at this point in a real interaction with V 0 , the theorem follows.
454
Cynthia Dwork and Amit Sahai
Proof (of Theorem 1, using the proof techniques of [16].). First, we observe that the timing constraints yield the following interleaving contraint: Interleaving Constraint: While any verifier is in Steps 1-3 and has not timed out, no new interaction can be started and complete Step 5. Note that this remains true by the (α, β)-constraint even if there are many provers with different local clocks, since the time between Steps 1-3 must always be less in real time than the minimum delay in real time between Steps 1-5. Note also that in all steps the prover needs no special information to carry out her side of the protocol. Hence, for any particular verifier, all steps in the Preprocessing protocol are trivial to simulate (perfectly) in a straight-line fashion. To be able to simulate any subsequent protocol that is straight-line zero-knowledge in the trusted center model, we appeal to the following Lemma: Lemma 1. For any verifier V , if the simulator has Step 3 responses for two different Step 2 queries (for the same Step 1 message), then the simulator can simulate all subsequent executions of protocols with V that are straight-line zeroknowledge in the trusted center model (computationally) in a straight-line fashion with all but negligible probability. Proof. Since the Step 2 queries were different, there exists an i such that V opened both r0i and r1i , and (supposedly) supplied both a = r1i ⊕σ and b = r0i ⊕σ. The simulator can test both a ⊕ r1i and b ⊕ r0i by running G with these inputs. If G produces V ’s encryption key E, then we know that the decryption key D produced must be V ’s secret key. If this is the case, the simulator has V ’s secret key and can simulate all future protocols that are straight-line zero-knowledge in the trusted center model (computationally) in a straight-line fashion, by assumption. If not, for any future simulation of V , when the simulator obtains a Step 3 response γ from V , it again checks with the responses it already has to see if this new response will yield a valid secret key for V . If this is not the case, then the simulator has proof that γ is inconsistent with the commitments in V ’s Step 1 message. Hence with all but negligible probability, V will not pass Step 4 of the protocol, by the soundness of the ZK Argument. Note that the soundness condition for ZK Arguments requires that no PPT prover can succeed in proving a false statement with more than negligible probability. The interaction of the PPT A and the PPT simulator together certainly still comprise a PPT system, and hence cannot prove the false statement with more than negligible probability. Thus with all but negligible probability, V never makes it past Step 4, and the Lemma follows. We now describle a subroutine of the simulator called Extract. The subroutine takes two arguments, the name of a verifier Vi , and a partial starting transcript T that includes the Step 1 message of Vi . Extract(Vi,T ) is only called if the simulator already has obtained one Step 3 response from Vi . The
Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints
455
purpose of calling Extract on Vi is to create for Vi the situation required by the Lemma. In Extract(Vi,T ) the simulator repeats the following procedure as many times as needed to obtain another Step 3 response from V . – Starting with partial transcript T , begin a simulation until either Vi gives a Step 3 response or more than time α has passed since Step 1 of Vi . During this simulation: • For any verifiers introduced after the Step 1 message of Vi , by the Interleaving Constraint, we know these verifiers will never proceed past Step 5 in the time allotted, so simulate the interaction with them perfectly. • If any verifier Vj which was introduced before the Step 1 message of Vi gives a Step 3 response: ∗ If the simulator has already obtained two Step 3 responses from Vj , by the Lemma all interaction with Vj can be simulated in a straightline fashion. ∗ If not, the simulator executes Extract(Vj ,T ). Thus, we are guaranteed that after executing Extract(Vi, T ) we have received two Step 3 responses from Vi . If the two responses received are the same, the simulator fails. This can only happen if the random bits chosen by the simulator in Step 2 were identical, an event with exponentially small probability. We will later argue that the simulator is expected polynomial time. Hence the simulator only gets an expected polynomial number of chances to fail in this manner, and so its probability of failure in this way is negligible. If the two Step 3 responses are different, such a verifier that has satisfied the conditions of the Lemma is called neutralized. Now, to generate its output transcript the simulator begins a straight-line simulation with the adversary. Whenever a verifier V that has not already been neutralized gives a Step 3 response, the simlator calls Extract(V, T ), where T is the partial transcript up to and including the Step 1 message of V . When Extract terminates, V has been neutralized and thus, by the Lemma, all future interaction with V can be simulated in a straight-line fashion. This continues until the simulation is concluded. By construction, the distribution of transcripts produced by such a simulation is computationally indistinguishable from those arising from an actual interaction with the adversary, since the transcript is produced in a straight-line manner. We must confirm that the expected running time of the simulator is polynomially bounded. Each trial within Extract, not counting time taken by recursive function calls, certainly takes polynomial time, say O(nc ). Let us analyze the expected running time of a function call to Extract. Now, conditioned on some partial transcript T , let Xi denote the random variable for the time to complete Extract(Vi , T ). Let pi denote the probability over simulations starting at T that Vi will give its Step 3 response during a simulation trial. If V1 is the first verifier appearing in T , then during Extract(V1 , T ), no recursive calls can be made for other verifiers. Hence, X1 ≤ O(nc )(1 + p1 + (1 − p1 )(1 + X1 )), and so by linearity
456
Cynthia Dwork and Amit Sahai
of expectation, E(X1 ) ≤ O(nc ) p21 . More generally, if Vi is the i’th verifier api−1 P pj Xj +pi +(1−pi)(1+Xi )), pearing in the transcript T , then Xi ≤ O(nc )(1+ j=1
and a simple induction shows that E(Xi ) ≤ O(nc ) p2ii . Now, in the simulation, conditioned on a partial transcript T , the probability that Extract(Vi , T ) will be called (from outside Extract) is exactly pi . Thus, the expected amount of time the simulation will spend on Extract(Vi , T ) is O(nc ) · 2i. Since this does not depend on T , we can remove the conditioning and conclude that the expected amount of time the simulation will spend in Extract for Vi will be O(nc ) · 2i. We note that the total number of verifiers that can be present in the final transcript is bounded by the amount of time the adversary runs for. Hence, if the adversary’s expected running time is t(n), the expected amount of time the simulation will spend in Extract for all of the verifiers is O(nc t(n)2 ). The rest of the simulation will certainly take no more than expected O(nc )t(n) time, and so we conclude that the expected running time is polynomial in n.
5
Additional Remarks and Future Research
Recently, Kilian, Petrank and Rackoff [25] have shown that any 4-round nontrivial zero-knowledge interactive proof is not black-box simulatable under concurrent executions. In a companion paper, Richardson and Kilian [28] have shown that for any ε > 0 and any upper bound k on the amount of concurrency to be tolerated, there exists a zero-knowledge proof for any language in N P requiring k ε messages. We believe that the Kilian-Richardson protocol can be used (with some modifications) as a preprocessing protocol protocol to allow subsequent constant round concurrent zero-knowledge arguments for any statement in N P ; we are in the process of checking the details. The difficulties in achieving non-malleability and concurrent zero knowledge both stem from potentially bad protocol interleavings. In [16] and in the preprocessing protocol protocol described in this paper, timing is used explicitly to proscribe certain interleavings in order to achieve concurrent zero-knowledge. Can timing be used in a natural way to achieve non-malleability? For concreteness, consider non-malleable string commitment. Since non-malleable string commitment protocols exist without recourse to timing [13], any timing-based solution would be interesting only if it is efficient or simple. Can timing be used to achieve other cryptographic objectives?
References 1. M. Bellare and P. Rogaway, Provably Secure Session Key Distribution - The Three Party Case, Proc. 27th STOC, 1995, pp 57–64. 442 2. M. Bellare and M. Yung. Certifying permutations: Noninteractive zero-knowledge based on any trapdoor permutation, Journal of Cryptology, 9(3):149-166, 1996. 447, 448, 448, 451
Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints
457
3. M. Blum. Coin flipping by telephone: A protocol for solving impossible problems. In Allen Gersho, editor, Advances in Cryptology: A Report on CRYPTO 81, pages 11-15, 24-26 August 1981. Department of Electrical and Computer Engineering, U. C. Santa Barbara, ECE Report 82-04, 1982. 450 4. M. Blum, A. De Santis, S. Micali, and G. Persiano. Noninteractive zero-knowledge, SIAM Journal on Computing, 20(6):1084-1118, 1991. 447, 448 5. Blum M., P. Feldman and S. Micali, Non-Interactive Zero-Knowledge Proof Systems, Proc. 20th ACM Symposium on the Theory of Computing, Chicago, 1988, pp 103-112. 447 6. G. Brassard, C. Crepeau and M. Yung, Constant-Round Perfect Zero-Knowledge Computationally Convincing Protocols. Theoretical Computer Science 84, 1991. 7. G. Brassard, D. Chaum, C. Crepeau, Minimum Disclosure Proofs of Knowledge. JCSS, Vol. 37, 1988, pp. 156-189. 447 8. S. Brands and D. Chaum, Distance-Bounding Protocols Advances in Cryptology – EUROCRYPT‘93, 1993. 9. R. Canetti, C. Dwork, M. Naor, R. Ostrovsky, Deniable Encryption, “Security in Communication Networks” workshop, Amalfi, Italy 1996 and CRYPTO’97 448 10. D. Chaum and H. van Antwerpen, Undeniable Signatures, Advances in Cryptology– CRYPTO ’89, G. Brassard (Ed.), Springer-Verlag, pp. 212-216. 11. R. Cramer and I. Damgard New Generation of Secure and Practical RSA-Based Signatures, Advances in Cryptology–CRYPTO ’96. Springer-Verlag, 1996. 12. A. De Santis and M. Yung. Cryptographic Applications of the Metaproof and Manyprover Systems, Proc. CRYPTO’90, Springer-Verlag, 1990. 448 13. D. Dolev, C. Dwork and M. Naor, Non-malleable Cryptography, Preliminary version: Proc. 21st STOC, 1991. Full version: submitted for publication (available from the authors). 442, 443, 445, 449, 449, 451, 452, 452, 456 14. C. Dwork and M. Naor, Pricing via Processing -or- Combatting Junk Mail, Advances in Cryptology – CRYPTO’92, Lecture Notes in Computer Science 15. C. Dwork and M. Naor, Method for message authentication from non-malleable crypto systems, US Patent No. 05539826, issued Aug. 29th 1996. 451 16. C. Dwork, M. Naor, and A. Sahai, Concurrent Zero Knowledge, to appear, STOC’98 443, 443, 443, 443, 443, 443, 446, 447, 451, 454, 456 17. U. Feige, A. Fiat and A. Shamir, Zero Knowledge Proofs of Identity, J. of Cryptology 1 (2), pp 77-94. (Preliminary version in STOC 87). 18. U. Feige and A. Shamir, Witness Indistinguishable and Witness Hiding Protocols Proc. 22nd STOC, 1990, pp. 416–426. 19. U. Feige and A. Shamir, Zero Knowledge Proofs of Knowledge in Two Rounds, Advances in Cryptology – Crypto 89 Proceedings, Lecture Notes in Computer Science Vol. 435, G. Brassard ed., Springer-Verlag, 1989. 445, 445, 450, 452 20. U. Feige, D. Lapidot and A. Shamir, Multiple Non-Interactive Zero-Knowledge Proofs Based on a Single Random String, Proceedings of 31st Symposium on Foundations of Computer Science, 1990, pp. 308-317. 447, 448, 448, 448, 451, 451 21. O. Goldreich, Foundations of Cryptography (Fragments of a Book), 1995. Electronic publication: http://www.eccc.uni-trier.de/eccc/info/ECCC-Books/ecccbooks.html (Electronic Colloquium on Computational Complexity). 22. O. Goldreich and H. Krawczyk. On the Composition of Zero Knowledge Proof Systems. SIAM J. on Computing, Vol. 25, No. 1, pp. 169–192, 1996. 444 23. S. Goldwasser and S. Micali. Probabilistic Encryption, Journal of Computer and System Sciences, Vol. 28, April 1984, pp. 270–299. 448 24. S. Goldwasser, S. Micali, and C. Rackoff, The Knowledge Complexity of Interactive Proof Systems. SIAM Journal on Computing, Vol. 18, 1 (1989), pp. 186-208. 446
458
Cynthia Dwork and Amit Sahai
25. J. Killian, E. Petrank, and C. Rackoff, Zero Knowledge on the Internet. Manuscript, 1998. 456 26. M. Naor, Bit Commitment Using Pseudo-Randomness, Journal of Cryptology, vol 4, 1991, pp. 151-158. 452 27. C. Rackoff and D. Simon, Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Cipherext Attack, Proc. CRYPTO’91, Springer-Verlag, 1992, pp. 433 – 444 449, 449 28. R. Richardson and J. Killian. Non-Synchronized Composition of Zero-Knowledge Proofs. Manuscript, 1998. 456
The Solution of McCurley’s Discrete Log Challenge Damian Weber1 and Thomas Denny2 1
Institut f¨ ur Techno– und Wirtschaftsmathematik Erwin–Schr¨ odinger–Str. 49, D–67663 Kaiserslautern [email protected] 2 debis IT Security Services Rabinstraße 8, D–53111 Bonn [email protected]
Abstract. We provide the secret Diffie-Hellman-Key which is requested by Kevin McCurley’s challenge of 1989. The DH-protocol in question has been carried out in (ZZ/pZZ)∗ where p is a 129-digit prime of special form. Our method employed the Number Field Sieve. The linear algebra computation was done by the Lanczos algorithm. Keywords: Discrete Logarithms, Number Field Sieve, Index Calculus, Lanczos
1
Introduction
When discrete log cryptosystems are designed the groups (ZZ/pZZ)∗ serve as a standard choice, as for example in [3,4,14]. In view of the Diffie–Hellman key exchange protocol introduced in [3], McCurley stated a challenge by using the following setup [11]: bA = 12740218011997394682426924433432284974938204258693 16216545577352903229146790959986818609788130465951 66455458144280588076766033781 bB = 18016228528745310244478283483679989501596704669534 66973130251217340599537720584759581769106253806921 01651848662362137934026803049 p = (739 · 7149 − 736)/3 q = (p − 1)/(2 · 739) The order of the multiplicative group, which is generated by the element 7, splits as follows: |(ZZ/pZZ)∗ | = 2 · 739 · q. – Alice computes (using her secret key xA ) as 7xA ≡ bA (mod p) – Bob computes (using his secret key xB ) as 7xB ≡ bB (mod p) H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 458–471, 1998. c Springer-Verlag Berlin Heidelberg 1998
The Solution of McCurley’s Discrete Log Challenge
459
Kevin McCurley asked for the common secret key K ≡ 7(xA ·xB ) (mod p) which we computed at 03:50pm Middle European Time on Jan 25, 1998 as K = 38127280411190014138078391507929634193998643551018670285056375615 (1) 045523966929403922102172514053270928872639426370063532797740808,
by first calculating xA = 6185869085965188327359333165203790426798764306952171345914622218 (2) 49525998156144877820757492182909777408338791850457946749734,
the secret key of Alice. Since p is of a special form it is very convenient to use the number field sieve discrete log algorithm [17,5] for the precomputation. This step has already been carried out in [21]. It was unclear whether one could keep that attractive number field chosen there for computing the individual logarithms as well [18]. Readers not familiar with the number field sieve are recommended to look up these references. We note that for “general” p, the record for discrete logarithms is 85 decimal digits [20]. In contrast to factoring with the number field sieve, some additional computational difficulties have to be dealt with. For example, it is costly to transform the original congruence to another form such that the number field sieve is actually applicable. Another constraint is the smaller size of factor bases – otherwise the linear algebra step would be infeasible. After the introduction of notation in section 2 we start with a description of how we transformed the original problem to a problem where only logarithms of “small” elements have to be computed in section 3. Section 4 deals with the choice of the polynomial defining the number field. Section 5 is devoted to lattice sieving techniques for discrete log computations. In section 6 we pay attention to computing the solution of the resulting sparse linear system mod q, which eventually yielded the solution to the original discrete log problem.
2
Notation of the Number Field Sieve Parameters
Let the discrete logarithm problem be ax ≡ b (mod p), p prime. Let f be an irreducible polynomial of degree n, the coefficient of X n be called h . Furthermore, let α ∈ C be a root of f . There should be at least one root m of f (X) modulo p. Set ω = h · α. In this case there exists a ring homomorphism ϕ : ZZ[ω] −→ ZZ/pZZ ω 7→ h · m. We set g(X) := X − m. We denote with F Balg (the algebraic factor base) a finite set of prime ideals in the ring of integers of Q(ω), and with F Brat (the rational factor base) a finite set of prime numbers in ZZ.
460
3
Damian Weber and Thomas Denny
Reduction of the Original Problem
With the number field sieving step, logarithms of elements s ∈ ZZ/pZZ can be obtained, if a smooth σ ∈ ϕ−1 (s) ⊂ ZZ[ω] is known. In particular, this is the case if s lies in the rational factor base. Having planned to use a rational factor base size of 30000 this would mean to aim at bounding s by the 30000–th prime, that is 350381. With the current available methods this is not feasible. With the following relation, however, we are reduced to s’s which are not bigger than 5.05 · 1013 : t a141266132 · bA ≡ (mod p), v where t = 23 · 31 · s1 · s3 · s6 · s8 · s10 · s11 (3) v = 353 · s2 · s4 · s5 · s7 · s9 · s12 . with s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12
= 603623, = 165073039, = 1571562367, = 1601141623, = 1715568391, = 7575446399, = 13166825869, = 265542836371, = 371303006453, = 4145488613977, = 4338202139093, = 5041332876473.
We proceed with how equation (3) has been found. Each b ∈ (ZZ/pZZ)∗ can √ be expressed as a quotient b ≡ t/v (mod p) with |t|, |v| < p+1 [19, Th.67]. Such a representation can be found by applying the extended Euclidean algorithm. In the challenge computation we computed bl :≡ 7l · b (mod p) for many l’s, found the quotient bl ≡ tl /vl and tried to split tl and vl . The ρ–function [6] tells us how many pairs we need to test until a successful decomposition occurs. The term ρi (α) denotes the probability that the i–th largest prime factor of the number n is at most n1/α . We set ρ(α) := ρ1 (α). We started looking for factors of t and v with at most 15 decimal digits simultaneously. The probability that a 65–digit number has at most 15 digits is ρ(13/3) ≈ 2.12 · 10−3 . Assuming t and v behave as random integers of this size we expect to find a successful l after ≈ 1/(2.12 · 10−3 )2 ≈ 222500 trials. We distributed the interval [141200001; 141422500] among 40 Sparc ELC and 20 Sparc 4. As a Sparc 4 is about four times faster than a Sparc ELC, we chose the interval length for the ELC as 1850 in contrast to 7500 for the Sparc 4 stations. Each machine carried out four different stages; we give the average running times for each stage (Sparc 4 workstation) per l:
The Solution of McCurley’s Discrete Log Challenge
1. 2. 3. 4.
461
trial division up to 106 (1.35 sec), ECM for factors up to 109 (7.11 sec), ECM for factors up to 1012 (30.02 sec), ECM for factors up to 1015 (128.80 sec),
where ECM is an acronym for Lenstra’s elliptic curve factoring method [10]. We label these stages by TDIV, ECM9, ECM12 and ECM15, respectively. A pair (t, v) is useless if either t or v contains a prime factor above our smoothness bound 1015 . We can estimate beforehand how many pairs (t, v) will be recognized as useless by each stage if we evaluate the ρ2 function. Table 1. Probability of a number of 65 digits recognized as useless. useless after stage with probability
TDIV 0.184
ECM9 0.238
ECM12 0.243
ECM15 0.190
Using trial division in combination with ECM is a very tedious smoothness test; we experimented with an early abort strategy. Such a technique has been used in several algorithms, originating from [16]. In our case, after each stage we removed a third of the pairs (t, v) – those with the biggest unfactored part – from our list. The following behaviour is to be expected when applying this strategy on each Sparc 4 processor. On such a machine we start with 7500 pairs (t, v). From table 1 we estimate that approximately (1−0.184)2 ≈ 66.6 %, that is 4994, will survive the trial division step. Our early abort condition removes a third of the pairs, this leaves 3329. From these approximately (1 − 0.238)2 ≈ 58.2 % survive ECM9 (1933). Another cut by early aborting leaves 1288. ECM12 yields 738 pairs left. After removing a third of these pairs, 492 are left for ECM15. In case of no successful pair being found we can now estimate the time of the smoothness tests per processor as: 7500 · 1.35 + 3329 · 7.11 + 1288 · 30.02 + 492 · 128.8 = 135829.55 sec ≈ 37.7 h.
Table 2. Reduction sieve: # pairs per stage. proc 1 2 3 4 5 6
TDIV start useless 7500 2535 7500 2446 7500 2531 7500 2408 7500 2636 7500 2497
ECM9 start useless 3307 1139 3366 1192 3309 1232 3391 1181 3239 1102 3332 1190
ECM12 start useless 1444 574 1448 603 1383 565 1472 592 1423 590 1426 548
ECM15 start useless 579 364 563 339 545 309 586 359 555 341 585 352
run–time (h) total 41.0 41.3 41.5 42.7 40.3 41.5
462
Damian Weber and Thomas Denny
From table 2, which summarizes the output of six Sparc 4 processors, we see that the theoretical prediction of the useless pairs can be used to get a good estimate of the actual total running time per processor.
4
Choice of the Polynomial
This section is devoted to finding an appropriate polynomial f for the number field sieve (see section 2). According to practical experience we should consider number fields of degree n = 3, 4, 5, 6. In order to make the best choice, i.e. to find a maximum number of relations, we examine the probability of finding relations over two factor bases of optimal size with respect to the expected norm of elements c+dα of that number ring. In order to construct suitable polynomials of such degrees we may use the identities 21p = 739 · (750 )3 − 5152 3p = 5173 · (737 )4 − 736 21p = 739 · (730 )5 − 5152 21p = 739 · (725 )6 − 5152. We therefore have to choose among the following pairs of polynomials g(X) = X g(X) = X g(X) = X g(X) = X
− 750 − 737 − 730 − 725
f (X) = 739 · X 3 − 5152 f (X) = 5173 · X 4 − 736 f (X) = 739 · X 5 − 5152 f (X) = 739 · X 6 − 5152
In order to compare the four different possible choices of the degree, we look at the values c + dm, N (c + dα) to be decomposed over the factor bases. On the rational side we get c + dm ≈ dm; on the algebraic side, we obtain −739 · cn − 5152dn ≈ −739 · cn . As a sieving rectangle of 106 × 106 was expected to be needed, we got table 3 with the aid of the ρ–function. Table 3. Comparing different degrees degree 3
m
h · cn |F B1 | |F B2 | # trials per full
dm
1.8 · 1042 1.8 · 1048 31
37
4
1.9 · 10
5
2.3 · 1025 2.3 · 1031
6
21
1.3 · 10
1.9 · 10
27
1.3 · 10
1021
19800 20200
3.7 · 1011
10
19900 20100
6.2 · 109
1033
19600 20400
3.7 · 109
16400 23600
1.1 · 1010
28
39
10
We see from this table that degree 4 and 5 were competing with slight advantage of degree 5. The only way to find out which is the better one is to give both
The Solution of McCurley’s Discrete Log Challenge
463
a try and continue with the one which produced more relations. Test sieving has been carried out for x+ym and N (x+yα) in the rectangle [−106 , 106 ]×[1, 5000]. From the following amount of relations it is evident that degree 5 is the better choice indeed (running time in sec on a Sparc 4).
Table 4. Relations after test sieving. type full 1 LP (alg) 1 LP (rat) 2 LP
5
degree 4 16 49 114 344 running time 5653
degree 5 127 411 631 2056 9535
Sieving
After fixing the polynomials f , g we had to choose appropriate sieving parameters. The precomputation in 1995 was carried out with the quadruple large prime variant. We repeated the precomputations for two reasons: firstly, several improvements in the linear algebra step allowed to use a bigger factor base, secondly, we wanted to find out how effective the double large prime variant would perform for this setting. Table 5 depicts the parameters and the sieving results of 1995 (quadruple large prime variation) and 1997 (double large prime variation). Both setups produced the result we wished: a linear system the solution of which yields the logarithms of particular elements of ZZ/pZZ. We comment on the figures in table 5. We raised the large prime bound in order to increase the likelihood to encounter a partial relation, which now contained at most one large prime for f and g. We shrinked the sieving interval for two reasons. In the polynomial N (X + Y α) = −739X 5 − 5152Y 5 both variables contribute to the same extent to the absolute value of the norm. In our first run, however, we observed that after covering the first half of the square we have already had enough relations. So we attempted to end up with a square sieving range instead of a rectangle which was roughly achieved. The running time of the first run is a very crude estimate on behalf of mips years (mega instructions per second). Although this measurement is outdated, we want to stick to it, in order to have the running times comparable to many of the previous publications concerning discrete log and factoring computations. Our run–time measurement is based on the observation that the UltraSparc we used was eight times faster than a Sparc ELC workstation which is rated at 21 mips.
464
Damian Weber and Thomas Denny
Table 5. Parameters and sieving results
FB rat FB alg LP rat LP alg x–range y–range run–time
1 2 3 4
full LP LP LP LP full
quadruple large prime double large prime parameters 20000 30000 20000 30000 106 5 · 107 5 · 105 5 · 107 6 15 · 10 5 · 106 6 2 · 10 4 · 106 110 mips y ≈ 180 mips y relations 3199 10797 42407 196734 211888 895415 478543 – 388685 – combined partials 306717 75592
By utilizing the amount of relations depicted in table 5, logarithms of specific factor base elements can be computed. Now let’s turn to the computation of logarithms of elements not lying in the factor base. One of the open questions in [18] was: is it possible to compute the logarithm of an arbitrary element of (ZZ/pZZ)∗ without abandoning the especially comfortable polynomial f ? Changing f is required by the theory but its analysis is for p → ∞. In our computation, however, we pursued another route which has already been indicated in section 3. This is the attempt to transform the original problem such that the remaining elements, the logarithm of which is unknown, can be treated like factor base elements. Let s be one of the primes of the right hand side of (3). A relation of the following form is required for each s: Q c + dm = s r rer , product over r ∈ F Brat , Q [c + dα] = r rer , product over r ∈ F Balg .
(4)
The lattice sieve satisfies this request by defining Ms := {(c, d) | c + dm ≡ 0 (mod s)} and searching for smooth elements among (c + dm)/s and c + dα with (c, d) taken from a subset of Ms . This will be called the lattice sieve for s. Analogously, one may introduce lattice sieving for prime ideals. This is a standard technique in number field sieve implementations introduced by [15].
The Solution of McCurley’s Discrete Log Challenge
465
In general it is difficult to find directly a relation like (4). What may be expected is to find relations of the form Q c + dm = s · R1 R2 r rer , product over r ∈ F Brat , Q (5) [c + dα] = R1 R2 r rer , product over r ∈ F Balg , with large prime (ideals) R1 , R2 , R1 , R2 . As with the large prime variation of the classical number field sieve, with additional relations containing each one of the R1 , R2 , R1 , R2 , these can be turned into a relation only containing one large prime, namely s. The heuristic algorithm which eventually led to the solution of the challenge was as follows: 1. by lattice sieving for s find a quadruple large prime relation of the form (5) 2. let R run through the list R1 , R2 , R1 , R2 ; with the lattice sieve for R find either – a single large prime relation containing only the large prime R and proceed with the next R from the list, or – a double large prime relation containing only the large prime R and another large prime which we call R0 ; in this case repeat the second step of this algorithm with R replaced by R0 (called iteration in table 7). Step 1 from above (finding (5) for s = si , 1 ≤ i ≤ 12) has been performed with the following sieving range: Table 6. Lattice sieve step 1, sieving rectangle. primes
x–range
y–range
s1 to s5
[-35000;35000] [1;12000]
s6
[-55000;55000] [1;25000]
s7 to s11 [-30000;30000] s12
[1;5000]
[-50000;50000] [1;50000]
After performing step one – the time of which is shown in table 7 – the lattice sieve iterations had to be carried out for primes which lay in the interval [105 ; 1010 ], the lower bound due to the maximal factor base element having a norm of 349949 (algebraic) and 350377 (rational). The upper bound is due to the difficulty of finding appropriate relations for the s’s above s5 ; s6 has already 10 decimal digits. Each lattice sieve iteration for the R0 was carried out with a sieving rectangle of [−35000, 35000] × [1, 20000] spending about 5000 sec for each on a Sparc 20. Summing this up, about 211 h in total on one Sparc 20 were needed. Clearly, it is trivial to distribute each s and each iteration to different workstations. This concludes the description of all sieving tasks.
466
Damian Weber and Thomas Denny
Table 7. Running times of lattice sieve steps. prime time (sec) # LP in (5) # iterations of step 2 s1 5680 1 1 s2 3089 2 4 s3 3691 3 8 s4 4696 2 7 s5 5003 1 5 s6 50941 4 13 s7 1300 2 9 s8 1314 2 16 s9 1389 2 11 s10 1343 4 21 s11 1394 4 13 s12 96810 4 8
6
Linear Algebra
In this section we describe the method of how to solve the linear system which consists of the exponents of the free and full relations, the combined partials (table 5) and the special relations produced by the heuristic algorithm in section 5. There are five more columns containing additive characters to ensure that q–th powers in Q(α) can be constructed [17]. Hence, we are left with a matrix of a form shown in figure 1.
rat. FB
alg. FB
si
full relations
14.28%
combined partials 83.72%
additive characters
1.98%
exponents indiv. primes
free relations
12
5
special relations 0.02% columns: 60000
Fig. 1. Relation matrix.
The Solution of McCurley’s Discrete Log Challenge
467
The subsequent computation has been divided into two steps. 1. a preprocessing step (refinement of structured Gaussian elimination), 2. the Lanczos algorithm (description in [7], [8]). The practicability of a possible alternative method, a combination of structured Gauss and ordinary Gaussian elimination suffers from enourmous space requirements (in our example about 2 GB of main memory). We define n to be the number of unknowns and ω to be the total number of non–zero entries in the linear system. The running time of the Lanczos algorithm is known to be O(n2 + nω). The goal of step 1 is to iteratively decrease n while increasing ω as long as this running time is decreasing. To make a firm decision at this point, we need to predict the actual running time of step 2 on the machine we are using. Starting from the basic operations in the Lanczos algorithm, the following sections develop the model which we apply for that purpose. 6.1
Operations
The basic operations over ZZ/qZZ that are performed during an iteration of the Lanczos algorithm are – computation of inner products – matrix–vector multiplication – vector updates (adding a multiple of a vector to another vector). In order to speed up the computations over ZZ/qZZ we used the Montgomery representation [12]. Due to the fact that the linear system consists of exponents from decomposing integers, almost 95 % of the non-zero entries are equal to ±1. The remaining entries ci are relatively small (−40 ≤ ci ≤ 40). Table 8 classifies the non-zero entries of our linear system before and after step 1. Table 8. Compactification of relation matrix. original system after preprocessing unknowns
60 001
35 666
equations
75 592
35 688
49.8
164.6
1 785 588 1 761 865
2 657 470 2 711 635
219 483
332 644
avg. weight/equation 1–entries (−1)–entries ci –entries
We could greatly reduce the time to perform a matrix–vector multiplication in ZZ/qZZ by computing all intermediate results in ZZ (but in Montgomery representation) and doing the reduction mod q only once, while creating the result
468
Damian Weber and Thomas Denny
vector. By this technique (lazy reduction) we achieve the substantial gain of 29% of the running time for the matrix-vector multiplication (timing on Sparc 20, different linear system): Table 9. Average running time of one matrix–vector multiplication. running time original version lazy reduction addition 14.05 s 10.47 s subtraction 13.22 s 11.08 s scalar mult 6.17 s 1.70 s final reduction – 0.58 s total 33.44 s 23.83 s
6.2
Running Time Model
An examination of all operations performed during the Lanczos algorithm to solve a linear system of dimension n with ω1 1-entries, ω2 (−1)-entries and ω3 ci -entries lead to the following formula: T (n, ω, r) = n2 · t2 + n · (2 · ω + t1 )
(6)
where ω = cache1 · (ω1 · T (Add) + ω2 · T (Sub)) + cache3 · ω3 · T (kmult) t1 = cache2 · (T (Inv) + (2 + r) · T (M ult)) t2 = cache2 · (T (Square) + 2 · T (Sub m) + (2 + r) · T (Add m) +(3 + r) · T (M ult)) + 2 · cache3 · T (Red). In this formula r is the number of solutions that need to be calculated and T (operation) is the time needed to perform a single arithmetic operation on integers of magnitude of q. The variables cache1 , cache2 and cache3 represent the time needed to access main memory, first level cache and second level cache, respectively. For a Sparc 20 workstation we may take cache1 = 2.0, cache2 = 1.0, cache3 = 1.3. These values are strongly machine dependent and have to be determined by experiment. By using (6), the time needed to solve a linear system of equations can be accurately predicted. This is crucial to decide whether an iteration of step 1 from above does improve the running time. We now proceed by deriving a bound ∆ (> 0) for the maximal increase of ω while decrementing n. This depends on the number and type of entries in our linear system as well as on the time of arithmetic and memory operations. To achieve a speed up and save memory, we have the condition T (n, ω, r) − T (n − 1, ω + ∆, r) ≥ 0.
The Solution of McCurley’s Discrete Log Challenge
469
Solving this for ∆, we obtain ∆ ≤
(2 · n − 1) · t2 + 2 · ω + t1 . 2 · (n − 1)
In practice, this upper bound lies between 100 and 1200. 6.3
Results
Using this formula and the ideas of the structured Gaussian elimination the running time of the Lanczos algorithm to compute 22 solutions of the original system was reduced by more than 50 %. The reduction in the dimension also led to an enormous reduction in the main memory requirements (approx. 30 MB) as 25 vectors have to be stored (see table 8 above). Table 10 depicts the running time for the basic operations and the total running time of the original and the compactified system of linear equations (timings on Sparc 20). Table 10. Speed up by compactification. operation
original system after preprocessing
matrix–vector multiplication update vector
24.1 s 7.4 s
34.9 s 4.4 s
update solutions
85.0 s
48.3 s
3.7 s
2.2 s
inner product computation single iteration complete computation
120.1 s
92.0 s
2002.3 h
911.0 h
The solutions computed by the Lanczos algorithm finally yielded the logarithms of 2, 353, s1 , . . . , s12 . The logarithm of 31 has already been known from [21]. By using the identities of (3), Alice’s key was easy to obtain (2). The final task was to compute the common key K of Bob and Alice from K ≡ bxBA (mod p) shown in (1).
Acknowledgements The authors are particularily grateful to Kevin McCurley for offering that challenge. For providing the computing power we thank Ulrich Gr¨ af (Sun Microsystems Benchmark Center/Germany) and Raimund Seidel (University of Saarland/Germany). The integer computations have been performed by two reliable and efficient multi–precision libraries, LiDIA and FREELIP. Accordingly, many
470
Damian Weber and Thomas Denny
thanks go to the LiDIA Group (University of Darmstadt/Germany) and Arjen Lenstra (Citibank/USA). Additionally, we wish to thank Johannes Buchmann, Oliver Schirokauer, Thomas Setz and J¨ org Zayer.
References 1. I. Biehl and J. Buchmann and Th. Papanikolaou. LiDIA – a library for computational number theory. Technical report, Universit¨ at des Saarlandes/Germany, 1995. http://www.informatik.th-darmstadt.de/TI/LiDIA 2. Th. F. Denny. L¨ osen grosser d¨ unnbesetzter Gleichungssysteme u ¨ber endlichen Primk¨ orpern. PhD thesis, Universit¨ at des Saarlandes/Germany, 1997. 3. W. Diffie and M. Hellman. New directions in cryptography. IEEE Trans. Information Theory 22, pages pp. 472–492, 1976. 458, 458 4. T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Information Theory, 31:469–472, 1985. 458 5. D. Gordon. Discrete logarithms in GF(p) using the number field sieve. SIAM J. Discrete Math., 6:124–138, 1993. 459 6. D. E. Knuth and L. Trabb Pardo. Analysis of a simple factorization algorithm. Theoretical Computer Science, 3:321–348, 1976. 460 7. M. LaMacchia and A. Odlyzko. Solving large sparse linear systems over finite fields. In Advances in Cryptology – Crypto ’90, number 537 in Lecture Notes in Computer Science, pages 109–133, 1990. 467 8. M. LaMacchia and A. Odlyzko. Computation of discrete logarithms in prime fields. Designs, Codes and Cryptography, 1:46–62, 1991. 467 9. A. K. Lenstra, H. W. Lenstra, Jr. (eds.). The development of the number field sieve. Number 1554 in Lecture Notes in Mathematics. Springer, 1993. 10. H. W. Lenstra, Jr. Factoring integers with elliptic curves. Ann. of Math., 126:649– 673, 1987. 461 11. K. S. McCurley. The discrete logarithm problem. In Cryptology and Computational Number Theory, number 42 in Proc. Symp. in Applied Mathematics, pages 49–74. American Mathematical Society, 1990. 458 12. P. L. Montgomery. Modular multiplication without trial division. Math. Comp., 44:519–521, 1985. 467 13. V. M¨ uller and Th. F. Denny. On the reduction of composed relations from the number field sieve. In H. Cohen, editor, Algorithmic Number Theory – ANTS II, number 1122 in Lecture Notes in Computer Science, 1996. 14. National Bureau of Standards. Digital signature standard, 1994. FIPS Publication 186. 458 15. J. M. Pollard. The lattice sieve. Number 1554 in Lecture Notes in Mathematics. Springer, 1993. 464 16. C. Pomerance and S. S. Wagstaff. Implementation of the continued fraction integer factoring algorithm. In Proc. 12th Manitoba Conf., Winnipeg/Manitoba 1982, Congr. Numerantium, volume 37 of Numerical mathematics and computing, pages 99–118, 1983. 461 17. O. Schirokauer. Discrete logarithms and local units. Phil. Trans. R. Soc. Lond. A 345, pages 409–423, 1993. 459, 466 18. O. Schirokauer, D. Weber, and Th. F. Denny. Discrete logarithms: the effectiveness of the index calculus method. In H. Cohen, editor, Algorithmic Number Theory – ANTS II, number 1122 in Lecture Notes in Computer Science, 1996. 459, 464
The Solution of McCurley’s Discrete Log Challenge
471
19. D. Shanks. Solved and unsolved problems in number theory (3rd ed.). Chelsea Publishing Company, 1985. 460 20. D. Weber. Computing discrete logarithms with quadratic number rings. In Eurocrypt’98, Lecture Notes in Computer Science, 1998. To appear. 459 21. D. Weber. Computing discrete logarithms with the number field sieve. In H. Cohen, editor, Algorithmic Number Theory – ANTS II, number 1122 in Lecture Notes in Computer Science, 1996. 459, 469 22. D. Weber. On the computation of discrete logarithms in finite prime fields. PhD thesis, Universit¨ at des Saarlandes/Germany, 1997. 23. D. Weber. An implementation of the number field sieve to compute discrete logarithms mod p. Advances in Cryptology – Eurocrypt’95. number 921 in Lecture Notes in Computer Science, 1995. 24. J. Zayer. Faktorisieren mit dem Number Field Sieve. PhD thesis, Universit¨ at des Saarlandes/Germany, 1995.
Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms Daniel V. Bailey1 and Christof Paar2 1
Computer Science Department Worcester Polytechnic Institute, Worcester, MA 01609 USA [email protected] 2 ECE Department Worcester Polytechnic Institute, Worcester, MA 01609 USA [email protected]
Abstract. This contribution introduces a class of Galois field used to achieve fast finite field arithmetic which we call an Optimal Extension Field (OEF). This approach is well suited for implementation of publickey cryptosystems based on elliptic and hyperelliptic curves. Whereas previous reported optimizations focus on finite fields of the form GF (p) and GF (2m ), an OEF is the class of fields GF (pm ), for p a prime of special form and m a positive integer. Modern RISC workstation processors are optimized to perform integer arithmetic on integers of size up to the word size of the processor. Our construction employs well-known techniques for fast finite field arithmetic which fully exploit the fast integer arithmetic found on these processors. In this paper, we describe our methods to perform the arithmetic in an OEF and the methods to construct OEFs. We provide a list of OEFs tailored for processors with 8, 16, 32, and 64 bit word sizes. We report on our application of this approach to construction of elliptic curve cryptosystems and demonstrate a substantial performance improvement over all previous reported software implementations of Galois field arithmetic for elliptic curves. Keywords: finite fields, fast arithmetic, pseudo-Mersenne primes, Optimal Extension Fields, OEF, binomials, modular reduction, hyperelliptic curves, elliptic curves, cryptographic implementation
1
Introduction and Motivation
Arithmetic in finite fields is an integral part of many public-key algorithms, including those based on the discrete logarithm problem in finite fields, elliptic curve based schemes, and emerging applications of hyperelliptic curves. Our ability to quickly perform arithmetic in the underlying finite field determines the performance of these schemes. Finite fields are identified with the notation GF (pm ), where p is a prime and m is a positive integer. Essentially all previous work in this area has focused on two types of finite fields: GF(pm ) with m = 1, p a prime; and p = 2, m some positive integer. In this paper, we consider the H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 472–485, 1998. c Springer-Verlag Berlin Heidelberg 1998
Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms
473
use of extension fields of large characteristic with the characteristic p a prime of special form, m some positive integer. The case of p = 2 is especially attractive for hardware circuit design of finite field multipliers, since the elements of the subfield GF (2) can conveniently be represented by the logical signals “0” and “1.” However, p = 2 does not offer the same computational advantages in a software implementation, since modern workstation microprocessors are designed to calculate results in units of data known as words. Traditional software algorithms for multiplication in GF (2m ) have a complexity of cm m w steps, where w is the processor’s word length and c is some constant greater than one. For the large values of m required for practical public-key algorithms, multiplication in GF (2m ) can be very slow. Similarly, prime fields GF (p) also have computational difficulties on standard computers. For example, practical elliptic curve schemes fix p to be greater than 2150 . Multiple machine words are required to represent elements from these fields on general-purpose workstation microprocessors, since typical word sizes are simply not large enough. This representation presents two computational difficulties: carries between words must be accomodated, and reduction modulo p must be performed with operands that span multiple machine words. In this paper we define a special class of choices of p and m and show that they can yield considerable computational advantages. Our primary motivation in what follows is to exploit the very high performance that modern RISC processors offer for integer arithmetic on single words, which alleviate many of the difficulties found with GF (p) and GF (2m ). Our focus in the present paper is on elliptic curve cryptosystems as introduced in [7] and [13]. However, the arithmetic introduced here can also be applied to hyperelliptic curve public-key systems as introduced in [8].
2
Our New Approach
Our new approach is based on the observation that several well-known optimizations exist for software implementation of finite field arithmetic and that when they are used in conjunction they yield significant performance gains for implementation of elliptic and hyperelliptic curve cryptosystems. To optimize arithmetic in GF (pm ) we stipulate the following properties on the choice of p and m: 1. Choose p to be less than but close to the word size of the processor so that all subfield operations take advantage of the processor’s fast integer arithmetic. 2. Choose p to be a pseudo-Mersenne prime, that is, of the form 2n ± c for some log2 c ≤ 12 n to allow for efficient subfield modular reduction. 3. Choose m so that we have an irreducible binomial xm − ω for efficient extension field modular reduction. The extension degree m can be small if the processor word size allows for large values of p. A field that offers these arithmetic optimizations we call an Optimal Extension Field (OEF). For a formal definition of OEF, see Section 7. We demonstrate
474
Daniel V. Bailey and Christof Paar
that these optimizations can yield a substantial performance improvement over previous results as in [4,16,17,3]. As an example, when a modern RISC workstation with a 64-bit architecture such as the DEC Alpha family is our target platform, we would choose a p near 264 . This approach has the advantage of fully exploiting the RISC CPU’s ability to quickly perform 64 bit × 64 bit integer multiplication, thus performing a subfield multiplication with a single multiply instruction followed by a modular reduction. Due to the special form of p, we may perform this reduction without executing a traditional division algorithm. In order to gain this sort of computational advantage for public-key algorithms with field orders of more than 264 , we use a field extension m of moderate degree. For example, the choice of p = 261 −1 together with an extension degree of m = 3 would result in an OEF with order approximately 2183 . Such a field is desirable in the construction of cryptosystems based on the discrete logarithm problem in elliptic curve groups. In this paper we demonstrate efficient methods to construct such fields, strategies for fast arithmetic in an OEF, and implementation results for an application of this work to elliptic curve cryptosystems.
3
Previous Work
Previous work on optimization of software implementations of finite field arithmetic has often focused on a single cryptographic application, such as designing a fast implementation for one particular finite field. One popular optimization involves the use of subfields of characteristic two. A paper due to DeWin et al. [17] analyzes the use of GF ((2n )m ), with a focus on n = 16, m = 11. This construction yields an extension field with 2176 elements. The subfield GF (216 ) has a Cayley table of sufficiently small size to fit in the memory of a workstation. Optimizations for multiplication and inversion in such composite fields of characteristic two are described in [3]. Schroeppel et al. [16] report an implementation of an elliptic curve analogue of Diffie-Hellman key exchange over GF (2155 ) with an irreducible trinomial as the field polynomial. The arithmetic is based on a polynomial basis representation of the field elements. Elements of the field are each stored in three 64-bit registers. Much optimization work has been done in selection of Optimal Normal Bases (ONB) to speed computations in GF (2m ). Draft standards such as [18,19], and [9] suggest use of ONB for elliptic curve systems. Others have investigated use of pseudo-Mersenne primes to construct Galois fields GF (p) in connection with elliptic curve cryptography as found in [2,14] and some patents have been issued on their use. Unlike the methods in [17,3] which use Cayley tables to implement subfield arithmetic, our approach requires no additional memory and is therefore attractive in memory-constrained applications. In addition, our system is faster in real-world tests as described in Section 8.
Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms
4
475
Optimal Extension Field Arithmetic
This section describes the basic construction for arithmetic in fields GF (pm ), of which an OEF is a special case. The subfield is GF (p) and the extension degree is denoted by m, so that the field can be denoted by GF (pm ). This field Pm−1 is isomorphic to GF (p)[x]/(P (x)), where P (x) = xm + i=0 pi xi , pi ∈ GF (p), is a monic irreducible polynomial of degree m over GF (p). In the following, a residue class will be identified with the polynomial of least degree in this class. We consider a standard (or polynomial or canonical) basis representation of a field element A ∈ GF (pm ): A(x) = am−1 xm−1 + . . . + a1 x + a0 ,
(1)
where ai ∈ GF (p). Since we choose p to be less than the processor’s word size, we can represent A(x) with m registers. All arithmetic operations are performed modulo the field polynomial. The choice of field polynomial determines the complexity of the operations required to perform the modular reduction. In this paper, we will only be concerned with the operations of addition, multiplication, and squaring. 4.1
Addition and Subtraction
Addition and subtraction of two field elements is implemented in a straightforward manner by adding or subtracting the coefficients of their polynomial representation and if necessary, performing a modular reduction by subtracting p once from the intermediate result. Previous implementations in GF (2n ) offer a slight computational advantage since addition or subtraction is simply an XOR that does not require modular reduction. When compared to the addition operation in GF (p) for large p, we observe that an OEF does not require carry between computer words in computing a sum while GF (p) does. This property results in a modest performance gain over GF (p).
Algorithm 1 Optimal Extension Field Addition Require: A(x) = am−1 xm−1 + . . . + a1 x + a0 , B(x) = bm−1 xm−1 + . . . + b1 x + b0 , A(x), B(x) ∈ GF (pm ). Ensure: A(x) + B(x) ≡ C(x) ∈ GF (pm ) for i ← 0 to m − 1 do ci = ai + bi if ci ≥ p then ci ← ci − p end if end for
476
4.2
Daniel V. Bailey and Christof Paar
Multiplication
Multiplication is performed in two stages. First, we perform an ordinary polynomial multiplication of two field elements A(x) and B(x), resulting in an intermediate product C 0 (x) of degree less than or equal to 2m − 2: C 0 (x) = A(x) × B(x) = c02m−2 x2m−2 + . . . + c01 x + c00 ; c0i ∈ GF (p).
(2)
The schoolbook method to calculate the coefficients c0i , i = 0, 1, . . . , 2m − 2, requires m2 multiplications and (m − 1)2 additions in the subfield GF (p). Since field multiplication is the time critical task in many public-key algorithms this paper will deal extensively with fast multiplication methods, and later sections are devoted to aspects of this operation. In Section 4.4 we present an efficient method to calculate the residue C(x) ≡ C 0 (x) mod P (x), C(x) ∈ GF (pm ). Section 5 gives a method to quickly perform the coefficient multiplication in GF (p). 4.3
Squaring
Squaring may be implemented using the method for general multiplication outlined above. However, we observe that squaring a field element affords some additional computational efficiencies. For example, consider the field element A(x) = a2 x2 + a1 x + a0 , A(x) ∈ GF (p3 ). We compute the square of A(x) and obtain: (a2 x2 + a1 x + a0 )2 = a22 x4 + 2a2 a1 x3 + [2a2 a0 + a21 ]x2 + 2a1 a0 x + a20
(3)
Multiplication by two may be implemented in a computer as a left shift operation by one bit. On many computer architectures, a left shift is faster than an explicit integer multiplication. Thus instead of requiring m2 multiplications, we need only m(m+ 1)/2 explicit multiplications. The remainder may be performed as shifts. 4.4
Extension Field Modular Reduction
After performing a multiplication of field elements in a polynomial representation, we obtain the intermediate result C 0 (x). In general the degree of C 0 (x) will be greater than or equal to m. In this case, we need to perform a modular reduction. The canonical method to carry out this calculation is long polynomial division with remainder by the field polynomial. We observe that we must perform subfield multiplications to implement the reduction, proportional to the number of terms in the field polynomial. However, if we construct a field polynomial with low coefficient weight, the modular reduction will require fewer subfield multiplications. Since monomials xm , m > 1 are obviously always reducible, we turn our attention to irreducible binomials. An OEF has by definition a field polynomial of the form: (4) P (x) = xm − ω
Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms
477
The use of irreducible binomials as field polynomials yields major computational advantages as will be shown below. Observe that irreducible binomials do not exist over GF (2). In Section 6, we will demonstrate that such irreducible binomials can be constructed. Once such a binomial has been determined, modular reduction can be performed with the following complexity: Theorem 1. Given a polynomial C 0 (x) over GF (p) of degree less than or equal to 2m − 2, C 0 (x) can be reduced modulo P (x) = xm − ω requiring m − 1 multiplications by ω and m − 1 additions, where both of these operations are performed in GF (p). Proof. By assumption, C 0 (x) has the form: C 0 (x) = c02m−2 x2m−2 + . . . + c0m xm + c0m−1 xm−1 + . . . + c01 x + c00
(5)
Only the terms c0m+i xm+i , i ≥ 0, must be reduced modulo P(x). We observe that: c0m+i xm+i ≡ ωc0m+i xi mod P (x); i = 0, 1, . . . , m − 2
(6)
Since the degree of C 0 (x) ≤ 2m − 2, we require at most m − 1 multiplications by ω and m − 1 additions to combine the reduced terms. t u A general expression for the reduced polynomial is given by: C(x) ≡ c0m−1 xm−1 + [ωc02m−2 + c0m−1 ]xm−2 + · · · + [ωc0m+1 + c01 ]x +[ωc0m + c00 ] mod P (x)
(7)
As an optimization, when possible we choose those fields with an irreducible binomial xm − 2, allowing us implement the multiplications as shifts. OEFs that offer this optimization are known as Type II. A method to search for these Type II OEFs is given in Section 7.
5
Fast Subfield Multiplication
As shown above, fast subfield multiplication is essential for fast multiplication in GF (pm ). Subfield arithmetic in GF (p) is implemented with standard modular integer techniques, which are previously reported in the literature, see for example [12]. For actual implementation of OEF arithmetic, optimization of subfield arithmetic is critical to performance, so we include these remarks in this paper for completeness. We recall that multiplication of two elements a, b ∈ GF (p) is performed by a × b ≡ c mod p. Modern workstation CPUs are optimized to perform integer arithmetic on operands of size up to the width of their registers. An OEF takes advantage of this fact by constructing subfields whose elements may be represented by integers in a single register. For example, on a workstation with 64-bit registers, the largest prime we may represent is 264 − 59. So we choose a prime
478
Daniel V. Bailey and Christof Paar
p ≤ 264 − 59 as the field characteristic on this computer. To this end, we recommend the use of Galois fields with subfields as large as possible while still within single-precision limits of our host CPU. We perform multiplication of two single-word integers and in general obtain a double-word integer result. In order to finish the calculation, we must perform a modular reduction. Obtaining a remainder after division of two integers is a well-studied problem [12]. Many methods such as Barrett Reduction exist which offer computational advantages over traditional long division of integers. These methods, however, are still slow when compared to multiplication of single-word integers. Our choice of p allows a far less complex modular reduction operation. It is well known that fast modular reduction is possible with moduli of the form 2n ± c, where c is a “small” integer. Integers of this form allow modular reduction without division. We present a form of such a modular reduction algorithm, adapted from [12]. In this paper we consider only primes of the form 2n − c, although a trivial change to the following algorithm allows the use of primes 2n + c. The operators > are taken to mean “left shift” and “right shift” respectively.
Algorithm 2 Fast Subfield Modular Reduction Require: p = 2n − c, log2 c ≤ 12 n, x < p2 is the integer to reduce Ensure: r ≡ x mod p q0 ← x >> n r0 ← x − q0 2n r ← r0 i←0 while qi > 0 do qi+1 ← qi c >> n ri+1 ← qi c − (qi+1 >> n) i←i+1 r ← r + ri end while while r ≥ p do r ←r−p end while
Under these conditions, the algorithm terminates after a maximum of two iterations of the while loop, so we require at the most two multiplications by c, six shifts by n, and six additions and subtractions. In practice, this leads to a dramatic performance increase over performing explicit division with remainder. For example, when p = 232 − 5, m = 5, and we implement subfield reduction by performing an explicit division with remainder on a 500 MHz DEC Alpha CPU, we require 7.74 µsec for a multiplication in GF (pm ). When we perform modular reduction using this algorithm, we require only 1.35 µsec, a fivefold savings.
Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms
479
If c = 1, this algorithm executes the first while loop only once. In addition, no multiplications are required for the modular reduction and the entire operation may be performed with 2 shifts and 2 adds if the intermediate result is contained in a single word, a substantial improvement over the c > 1 case. An OEF that offers this optimization is known as Type I. In our implementation as reported in Section 8, we have included p = 261 − 1 for this reason. Our implementation takes advantage of its special form, making p = 261 − 1 the best performing choice of p we consider.
6
Irreducible Binomials
In Section 4.4 we showed that irreducible binomials allow modular reduction with low complexity. The following theorem from [11] describes the cases when an irreducible binomial exists: Theorem 2. Let m ≥ 2 be an integer and ω ∈ GF (p). Then the binomial xm −ω is irreducible in GF (p) if and only if the following two conditions are satisfied: (i) each prime factor of m divides the order e of ω in GF (p), but not (p − 1)/e; (ii) p ≡ 1 mod 4 if m ≡ 0 mod 4. An important corollary is given in [5]: Corollary 1. Let ω be a primitive element for GF (p) and let m be a divisor of p − 1. Then xm − ω is an irreducible polynomial of order (p − 1)m over GF (p). We present the following new corollary which follows directly from the above, since p − 1 is always an even number: Corollary 2. Let ω be a primitive element for GF (p). Then x2 −ω is irreducible over GF (p). An extension degree of 2 is especially attractive for the implementation of cryptosystems based on hyperelliptic curves, since the field orders required are in the range 40-120 bits [15]. On a 32-bit or 64-bit architecture, the use of an OEF with m = 2 can form the basis for a very fast hyperelliptic curve implementation. Irreducible binomials do not exist over GF (2). Thus, previous approaches to this problem focusing on GF (2m ) have been unable to use binomials. For an OEF, however, we require p and m such that an irreducible binomial can be constructed. An algorithm to find such choices of p and m is described in Section 7.
7
Optimal Extension Fields
In the following, we define a new class of finite field, which we call an Optimal Extension Field (OEF). To simplify matters, we introduce a new name for a class of prime numbers:
480
Daniel V. Bailey and Christof Paar
Definition 1. A pseudo-Mersenne prime is a prime number of the form 2n ± c, log2 c ≤ 12 n. We now define an OEF: Definition 2. An Optimal Extension Field is a finite field GF (pm ) such that: 1. p is a pseudo-Mersenne prime, 2. An irreducible binomial P (x) = xm − ω exists over GF (p). We observe that there are two special cases of OEF which yield additional arithmetic advantages, which we call Type I and Type II. Definition 3. A Type I OEF has p = 2n ± 1. A Type I OEF allows for subfield modular reduction with very low complexity, as described in Section 5. Definition 4. A Type II OEF has an irreducible binomial xm − 2. A Type II OEF allows for speedups in extension field modular reduction since the multiplications by ω in Theorem 1 can be implemented using shifts instead of explicit multiplications. The choice of m depends on the factorization of p − 1 due to Theorem 2 and Corollary 1. In the following we describe an efficient construction method for OEFs. From a very high level, this method consists of three main steps: We choose a pseudo-Mersenne prime p first, then factor p − 1, and then finally select an extension degree m. Since p ≤ 264 due to current common processor word lengths, it is sufficient to use trial division to quickly factor p − 1. This procedure does not exhaustively list all OEFs, rather it is designed to quickly locate a Type II OEF for a desired field order and machine word size. Further, this procedure considers only those primes 2n − c, although a prime 2n + c is a valid choice for OEFs. A high-level outline of our field construction algorithm, which is based on Corollary 1 is given as Algorithm 3. There are other possible values for the order of ω that would lead to a greater number of fields that meet our criteria according to Theorem 2. However, the inclusion of these additional fields comes at the expense of an increase in complexity of our algorithm. We found that even with the restriction of ω a primitive element on our search for fields, there are still enough Type II OEFs to construct fields for any application. Our computational experiments indicate that for n = 32 and n = 64 there are hundreds of fields that satisfy these criteria. Tables of OEFs for all 7 ≤ n ≤ 63 are found in [1]. For example, suppose we wish to construct a field for use on a modern workstation with 64-bit integer arithmetic for use in an elliptic curve key exchange algorithm. We set n ← 63, c ← 1, low ← 120, high ← 260. Then we apply a probabilitstic primality test for the integers 2n − c, incrementing c by 2 until we locate a prime. Using this method, we discover that p = 263 − 259 is
Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms
481
prime. At this point, we factor p − 1 using trial division to obtain the factorization 22 × 32 × 7 × 107 × 342062455008707 = 9223372036854775548. Given this factorization we can easily perform a primitivity check and find that 2 is a primitive element. Algorithms to compute the order of a group element are well known, see [12]. It remains only to select an extension degree. By trial division, we observe that 2, 3, and 4 all divide p − 1 and thus x2 − 2, x3 − 2, and x4 − 2 are all irreducible binomials over GF (p). These binomials yield the fields GF ((263 − 259)2 ), GF ((263 − 259)3 ), and GF ((263 − 259)4 ), respectively. The approximate orders of these fields are 2126 , 2189 , and 2252 , respectively.
Algorithm 3 Fast Type II Optimal Extension Field Construction Procedure Require: n bitlength of desired p; low, high bounds on bit length of field order Ensure: p, m define a Type II Optimal Extension Field with field order between 2low and 2high . c←1 for c ← 1 to 12 n do p ← 2n − c if p is prime then factor p − 1 if 2 is primitive in GF (p) then for m ← low to high do if m|(p − 1) then return p, m end if end for end if end if end for
8 8.1
Implementation Results Application to Elliptic Curve Cryptography
One of the most important applications of our technique is in elliptic curve cryptosystems, where Galois field arithmetic performance is critical to the performance of the entire system. We show that an OEF yields substantially faster software finite field arithmetic than those previous reported in the literature. We implemented our algorithms on a 500 MHz DEC Alpha workstation in optimized C, only resorting to assembly to perform 64 bit × 64 bit multiplications, since these operations are not directly supported by Digital’s C compiler. We executed the Type II OEF construction procedure to find Type II OEFs for the word sizes 8, 16, 32, and 63. These word sizes are representative of the CPUs found in typical applications, although OEFs may be constructed for any
482
Daniel V. Bailey and Christof Paar
arbitrary word size. For each word size we attempted to construct an OEF with approximately 160, 190, and 240 bit length, as such fields are suggested for the implementation of practical elliptic curve systems [18,19]. The OEF construction algorithm from Section 7 found the fields shown in Table 1 with the exception of fields for an 8-bit word size, and the field with p = 261 −1. In both cases, ω = 2 is not primitive in GF (p). We constructed these cases using Theorem 2. In order to obtain accurate timings, we executed field multiplication in GF (pm ) one million times, observed the execution time, and computed the average. Table 1 shows the result of our field construction and subsequent timing measurements. For each of our example OEFs, Table 1 lists nm, which is the approximate bit length of the field order, the prime p, the irreducible binomial, and the time in microseconds to perform the GF (pm ) multiplication. In addition, we provide estimated time in milliseconds for a single elliptic curve group operation, elliptic curve point doubling, and estimated time for a full point multiplication, using the following assumptions. The elliptic curve addition operation in projective coordinates may be performed with 15 multiplications in GF (pm ), while doubling requires 12 multiplications [10]. Then we estimate the time required for an elliptic curve point multiplication as required in the elliptic curve analogue of Diffie-Hellman key exchange, assuming an implementation using the k-ary window method [6] with k = 4 to speed the repeated doubling and add operations. Note that in the estimations we ignored time required to perform additions in the finite field, but also did not employ better point multiplication algorithms such as signed-digit methods [10] and addition chains. Most fields included here are Type II with the exception of the 8-bit fields and the field GF ((261 −1)3 ), which is Type I. This accounts for its very high performance: a field multiplication is performed in 0.52 microseconds. When applied to elliptic curve cryptosystems, this field results in a very fast implementation, requiring only 1.58 milliseconds for a full point multiplication. 8.2
Comparison
We also compared our implementation with three previously reported approaches. For ease in comparison, we report our timing results as measured on a 150 MHz DEC Alpha. Results are found in Table 2. For each implementation, we give the timing for a field multiplication. It can be seen that our OEF GF ((261 − 1)3 ) yields field multiplication speeds which are more than twice as fast as the best previously reported approach. This is true even though our field has an order of 2183 , whereas the field in [16] has an order of 2155 and their workstation has a slightly higher clock rate.
Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms
483
Table 1. OEF arithmetic timings on a 500 MHz DEC Alpha p = 2n − c binomial GF mult EC add EC douxm − ω (µsec) (µsec) ble (est.) (µsec) (est.) 8 20 2 − 15 x −7 48.3 725 580 28 − 5 x25 − 6 70.1 1050 841 28 − 15 x30 − 7 100 1500 1200 216 − 165 x10 − 2 13.8 207 166 216 − 243 x12 − 2 16.9 253 203 16 15 2 − 165 x − 2 28.0 420 336 232 − 5 x5 − 2 1.35 20 16.2 232 − 387 x6 − 2 2.13 32 26 232 − 1053 x7 − 2 3.00 45 36 61 3 2 −1 x − 37 0.52 7.8 6.24 263 − 259 x3 − 2 0.87 13 10 263 − 259 x4 − 2 1.49 22 18
nm
160 200 240 160 192 240 160 192 224 183 189 252
αP (msec) (est.) 130 231 392 37.1 53.7 110 3.62 6.85 11.0 1.58 2.64 6.12
Table 2. Comparison of arithmetic performance Method
Field Size
Field Type
DeWin [17]
176 bits
GF ((2n )m )
Guajardo176 bits Paar [3] Schroeppel [16] 155 bits
GF ((2n )m )
OEF
GF (pm )
9
183 bits
GF (2m )
GF (µsec) 133 MHz Pen- 62.7 tium 175 MHz DEC 38.6 Alpha 175 MHz DEC 7.1 Alpha 150 MHz DEC 3.3 Alpha Platform
mult
Conclusion
In this paper we have introduced a class of finite fields, known as Optimal Extension Fields, which take advantage of well-known optimizations for finite field arithmetic on microprocessors commonly found in workstations. OEFs are especially attractive for use in elliptic curve and hyperelliptic curve systems. The arithmetic speedups are due to the inherent properties of an OEF. An OEF may be constructed with a subfield close to the size of the host CPU. The field
484
Daniel V. Bailey and Christof Paar
characteristic of an OEF is a pseudo-Mersenne prime, that is, of the form 2n ± c for small c, allowing fast subfield modular reduction. The extension degree of an OEF always allows for an irreducible binomial. Finally, the field polynomial of an OEF is chosen to have a constant term equal to 2. In real-world demonstrations, we have shown that an OEF yields a considerable speed advantage over previous software implementations of Galois field arithmetic for elliptic curve cryptography.
References 1. Daniel V. Bailey. Optimal extension fields. Major Qualifying Project (Senior Thesis), 1998. Computer Science Department, Worcester Polytechnic Institute, Worcester, MA, USA. 480 2. Richard E. Crandall. Method and apparatus for public key exchange in a cryptographic system. US Patent 5463690, 1995. 474 3. Jorge Guajardo and Christof Paar. Efficient algorithms for elliptic curve cryptosystems. In Advances in Cryptology — Crypto ’97, pages 342–356. Springer Lecture Notes in Computer Science, August 1997. 474, 474, 474, 483 4. G. Harper, A. Menezes, and S. Vanstone. Public-key cryptosystems with very small key lengths. In Advances in Cryptology — EUROCRYPT ’92, pages 163–173, May 1992. 474 5. D. Jungnickel. Finite Fields. B.I.-Wissenschaftsverlag, Mannheim, Leipzig, Wien, Z¨ urich, 1993. 479 6. D.E. Knuth. The Art of Computer Programming. Volume 2: Seminumerical Algorithms. Addison-Wesley, Reading, Massachusetts, 2nd edition, 1981. 482 7. N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48:203– 209, 1987. 473 8. N. Koblitz. Hyperelliptic cryptosystems. Journal of Cryptology, 1(3):129–150, 1989. 473 9. J. Koeller, A. Menezes, M. Qu, and S. Vanstone. Elliptic Curve Systems. Draft 8, IEEE P1363 Standard for RSA, Diffie-Hellman and Related Public-Key Cryptography, May 1996. working document. 474 10. Kenji Koyama and Yukio Tsuruoka. Speeding up elliptic cryptosystems by using a signed binary window method. In Crypto ’92. Springer Lecture Notes in Computer Science, 1992. 482, 482 11. R. Lidl and H. Niederreiter. Finite Fields, volume 20 of Encyclopedia of Mathematics and its Applications. Addison-Wesley, Reading, Massachusetts, 1983. 479 12. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997. 477, 478, 478, 481 13. V. Miller. Uses of elliptic curves in cryptography. In Lecture Notes in Computer Science 218: Advances in Cryptology — CRYPTO ’85, pages 417–426. SpringerVerlag, Berlin, 1986. 473 14. Atsuko Miyaji and Makoto Tatebayashi. Method for generating and verifying electronic signatures and privacy communication using elliptic curves. US Patent 5442707, 1995. 474 15. S. Paulus. Ein Algorithmus zur Berechnung der Klassengruppe quadratischer Ordnungen u ¨ber Hauptidealringen. PhD thesis, Institute for Experimental Mathematics, University of Essen, Essen, Germany, June 1996. 479
Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms
485
16. R. Schroeppel, H. Orman, S. O’Malley, and O. Spatscheck. Fast key exchange with elliptic curve systems. Advances in Cryptology — CRYPTO ’95, pages 43–56, 1995. 474, 474, 482, 483 17. E. De Win, A. Bosselaers, S. Vandenberghe, P. De Gersem, and J. Vandewalle. A fast software implementation for arithmetic operations in GF (2n ). In Asiacrypt ’96. Springer Lecture Notes in Computer Science, 1996. 474, 474, 474, 483 18. ANSI X9.62-199x. The Elliptic Curve Digital Signature Algorithm. Draft, January 1998. working document. 474, 482 19. ANSI X9.63-199x. Elliptic Curve Key Agreement and Key Transport Protocols. Draft, January 1998. working document. 474, 482
Time-Stamping with Binary Linking Schemes Ahto Buldas1 , Peeter Laud2 , Helger Lipmaa1 , and Jan Villemson2 1
Cybernetica Akadeemia 21, EE0026 Tallinn, Estonia 2 Cybernetica Tartu Lab, Lai 36, EE2400 Tartu, Estonia {ahtbu,peeter,helger,jan}@cyber.ee Abstract. We state the basic requirements for time-stamping systems applicable as the necessary support to the legal use of electronic documents. We analyze the main drawbacks of the time-stamping systems proposed to date and present a new system that meets all the stated requirements. We prove that these requirements cannot be significantly tightened.
1
Introduction
Time-stamping ([HS91], [BdM91], [BHS92]) is a set of techniques enabling us to ascertain whether an electronic document was created or signed at a certain time. The real importance of time-stamping becomes clear when there is a need for a legal use of electronic documents with a long lifetime. Without time-stamping we neither can trust signed documents when the cryptographic primitives used for signing have become unreliable nor solve the cases when the signer himself repudiates the signing, claiming that he has accidentally lost his signature key. During the last years, especially in the context of legal regulation of using digital signatures, the organizational and legal aspects of time-stamping itself have become the subject of world-wide attention. In addition to defining the responsibilities of the owner of the signature, duties and responsibilities of the third party (Time-Stamping Service, TSS) must be stated as well. Hence, there is an increasing interest in time-stamping systems where the need to trust the TSS is minimized. In order to make users liable only for their own mistakes, there has to be a possibility to ascertain the offender. Unlike physical objects, digital documents do not comprise the seal of time. Thus, the association of an electronic document uniquely with a certain moment of time is very complicated, if not impossible. Even by the theory of relativity, no absolute time exists. The best we can achieve with time-stamping is the relative temporal authentication (RTA) based on the complexity-theoretic assumption on the existence of collision-resistant one-way hash functions. RTA enables the verifier given two time-stamped documents to verify which of the two was created earlier. The main drawbacks of the time-stamping systems proposed to date concern (1) the need to unconditionally trust the TSS and (2) the time-complexity of RTA, which is linear on the number of issued time-stamps. H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 486–501, 1998. c Springer-Verlag Berlin Heidelberg 1998
Time-Stamping with Binary Linking Schemes
487
In the current paper theoretical and practical requirements are discussed and a new time-stamping system is presented (1) in which the need to trust the TSS is significantly diminished and (2) which offers RTA with the complexity proportional to the logarithm of the number of issued time-stamps. In Sect. 2 the time-stamping solutions proposed to date are analyzed. Sect. 3 clarifies the security objectives of time-stamping by giving essential requirements to the time-stamping systems. In Sect. 4 the protocols of the new time-stamping system are described using the linear linking scheme. In Sect. 5 binary linking schemes are introduced and a scheme with logarithmic verifying time is presented. In Sect. 6 we prove that the requirements stated in Sect. 3 cannot be tightened.
2
Existing Time-Stamping Systems
By a simple time-stamping protocol ([HS91], Sect. 4), the TSS appends the current time t to the submitted document X, signs the composite document (t, X) and returns the two values t and s = sigTSS (t, X) to the client. The weaknesses of this scheme are the unreliability of old time-stamps after a possible leakage of the signature key of the TSS and the impossibility of verifying whether s was issued actually at time t stated in the time-stamp, implying that the TSS has to be unconditionally trusted. Because of these drawbacks it has been widely accepted that a secure time-stamping system cannot rely solely on keys or on any other secret information. An overview of the existing time-stamping solutions is given in [MQ97]. 2.1
Linear Linking Scheme (LLS)
In order to diminish the need for trust, the users may demand that the TSS links all time-stamps together into a chain using a collision-resistant hash function H as was proposed in [HS91], Sect. 5.1 (variant 1). In this case the time-stamp for the n-th submitted document Xn is s = sigT SS (n, tn , IDn , Xn , Ln ) , where tn is the current time, IDn is the identifier of the submitter and Ln is the linking information defined by the recursive equation Ln := (tn−1 , IDn−1 , Xn−1 , H(Ln−1 )) . There are several complications with the practical implementation of this scheme. At first, the number of steps needed to verify the one-way relationship between two time-stamps is linear with respect to the number of time-stamps between them. Hence, a single verification may be as costly as it was to create the whole chain. This solution has impractical trust and broadcast requirements, as it was pointed out already in [BdM91]. A modification was proposed in [HS91] (Sect. 5.1, variant 2) where every time-stamp is linked with k > 1 time-stamps directly preceding it. This variation decreases the requirements for broadcast by increasing the space needed to store individual time-stamps.
488
Ahto Buldas et al.
2.2
Tree-Like Schemes
Two similar tree-like schemes have been proposed [BdM91,BHS92]. In the HaberStornetta scheme [BHS92,HS97], the time-stamping procedure is divided into rounds. The time-stamp Rr for round r is a cumulative hash of the time-stamp Rr−1 for round r − 1 and of all the documents submitted to the TSS during the round r. After the end of the r-th round a binary tree Tr is built. Every participant Pi who wants to time-stamp at least one document in this round, submits to the TSS a hash yr,i which is a hash of Rr−1 and of all the documents he wants to time-stamp in this round. The leafs of Tr are labeled by different yr,i . Each inner node k of Tr is recursively labeled by Hk := H(HkL , HkR ), where kL and kR are correspondingly the left and the right child nodes of k, and H is a collision-resistant hash function. The TSS has to store only the time-stamps Rr for rounds (Fig. 1). All the remaining information, required to verify whether a certain document was time-stamped during a fixed round, is included into the individual time-stamp of the document.
R r-1
yr,1
H4
yr,2
H5
yr,3 yr,4
H6
Rr
R r-1 yr,1
H4
yr,2
H5
Rr H6
yr,3 yr,4
Fig. 1. An example of the time-stamp for round r by the schemes presented in [BdM91] (left) and [BHS92] (right). For example, the individual time-stamp for yr,3 is [r; (yr,4 , L), (H4 , R)]. The verifying procedure of the time-stamp of yr,3 consists of verifying the equality Rr = H(H(H4 , H(yr,3 , yr,4 )), Rr−1 ). Here, the size of a single time-stamp is logarithmic with respect to the number of participants submitting their documents to the TSS for the current round. The Haber–Stornetta linking scheme [BHS92,HS97] differs slightly from the Benaloh–de Mare scheme [BdM91]. Here, the time-stamp Rn for the n-th round is linked directly to Rn−1 , enabling the verifier to check one-way dependencies between Ri without examining the individual time-stamps of the submitted documents. This is impossible in the Benaloh–de Mare scheme. However, in the Haber–Stornetta scheme the individual time-stamps in the n-th round are not linked to the time-stamp Rn−1 for previous round. These schemes are feasible but provide the RTA for the documents issued during the same round only if we unconditionally trust the TSS to maintain the order of time-stamps in Tr . Therefore, this method either increases the need for trust or otherwise limits the maximum temporal duration of rounds to the
Time-Stamping with Binary Linking Schemes
489
insignificant units of time (one second in Digital Notary system). However, if the number of submitted documents during a round is too small, the expenses of time-stamping a single document may become unreasonably large (Sect. 3.3).
3
Security Objectives
In the following we give a definition of time-stamping systems applicable in legal situations. Later we will justify our approach and compare it to older systems. A time-stamping system consists of a set of principals with the time-stamping server (TSS) together with a triple (S, V, A) of protocols. The stamping protocol S allows each participant to post a message. The verification protocol V is used by a principal having two time-stamps to verify the temporal order between those time-stamps. The audit protocol A is used by a principal to verify whether the TSS carries out his duties. Additionally, no principal (in particular, TSS) should be able to produce fake time-stamps without being caught. A time-stamping system has to be able to handle time-stamps which are anonymous and do not reveal any information about the content of the stamped data. The TSS is not required to identify the initiators of time-stamping requests. Our notion of time-stamping system differs from the one given in, e.g., [BdM91] by several important aspects. Below we motivate the differences. 3.1
Relative Temporal Authentication
The main security objective of time-stamping is temporal authentication [Jus98]– ability to prove that a certain document has been created at a certain moment of time. Although the creation of a digital data item is an observable event in the physical world, the moment of its creation cannot be ascertained by observing the data itself (moreover, no such thing as the absolute thing exists). The best one can do is to check the relative temporal order of the created data items (i.e., prove the RTA) using one-way dependencies defining the arrow of time, analogous to the way in which the growth of entropy defines the arrow of time in the physical world ([Haw88], Chap. 9). For example, if H is a collision-resistant one-way hash function, one can reliably use the following “rough” derivation rule: if H(X) and X are known to a principal P at a moment t, then someone (possibly P himself) used X to compute H(X) at a moment prior to t. To date, the existence of one-way functions has not been proved. Therefore, the proposed time-stamping systems make sense only under the hypothesis of the existence of collision free one-way hash functions. Definition 1. A collision-resistant one-way hash function ([MOV96], Sect. 9.2) is a function H which has the properties of compression, ease of computation, preimage resistance, 2nd-preimage resistance and collision resistance. Definition 2. Let ρ be a binary relation on IN, such that x ρ y implies x < y and H be a collision-resistant one-way hash function. A (ρ, H)-linking scheme is
490
Ahto Buldas et al.
a procedure to link a family (Hn ) of data items together using auxiliary linking items Ln satisfying the recursive formula Ln := H(Hn , Ln1 , . . . , Ln]ρ−1 (n) ) ,
(1)
where n1 ≥ · · · ≥ n]ρ−1 (n) are exactly the elements of ρ−1 (n) := {m | m ρ n} (the preimage of n by ρ). A sequence (mi )`i=1 , where mi ρ mi+1 , is called a verifying chain between m1 and m` with length `. In the context of time-stamping Hn = H(n, Xn ), where Xn denotes the n-th time-stamped document. The linking item Ln is also referred to as a time-stamp of Xn . Note that a one-way relationship between Ln and Lm (n < m) does not prove that in the moment of creating Xn the bit-string Xm did not exist. All we know is that Xn did exist at the moment of creating Lm . We have omitted the tn in the formula for Hn , whereas it should not be taken for granted that the value tn indeed represents the submission time of Xn . The only way for a principal to associate a time-stamp with a certain moment of time is to time-stamp a nonce at this moment. By a nonce we mean a sufficiently long random bit-string, such that the probability it has been already time-stamped is negligible. In order to verify the absolute creating time of a document timestamped by another principal, the verifier has to compare the time-stamp with the time-stamps of nonces generated by the verifier herself. In this solution there are neither supplementary duties to the TSS nor to the other principals. The use of nonces illustrates the similarity between time-stamping and ordinary authentication protocols, where nonces are used to prevent the possible reuse of old messages from previous communications. By using RTA it is possible to determine not only the submitting time of the signature but also the time of signing the document. Before signing a document X the principal P generates a nonce N and time-stamps it. He then includes the time-stamp L(N ) of N to the document, signs it and obtains the time-stamp L(σ) of the signature σ = sigP (L(N ), X). From the view-point of the TSS these stamping events are identical (he need not be aware whether he is time-stamping a nonce or meaningful data). For the verification of the document X, the verifier has to compare both these time-stamps with the timestamps trusted by her. As there are one-way dependencies between L(N ), σ and L(σ) the verifier may conclude that the signature was created in the time-frame between the moments of issuance of L(N ) and of L(σ) respectively. If these moments are close enough, the signing time can be ascertained with necessary precision. 3.2
Detection of Forgeries
A time-stamping system must have properties enabling users to verify whether an arbitrary time-stamp is correct or not. Possession of two documents with corresponding time-stamps is not enough to prove the RTA between the documents because everyone is able to produce fake chains of time-stamps.
Time-Stamping with Binary Linking Schemes
491
A time-stamping system should allow (1) to determine whether the timestamps possessed by an individual have been tampered with; and (2) in the case of tampering, to determine whether the time-stamps were tampered by the TSS or tampered after the issuing (generally by unknown means). In the second case, there is no-one to bring an action against. The principals interested in legal use of time-stamps should themselves verify their correctness immediately after the issuing (using signatures and other techniques discussed later) because if the signature of the TSS becomes unreliable, the signed time-stamps cannot be used as an evidence. In order to increase the trustworthiness of the time-stamping services it should be possible for the clients to periodically inspect the TSS. Also, in the case when the TSS is not guilty he should have a mechanism to prove his innocence, i.e., that he has not issued a certain time-stamp during a certain round. Additionally, the TSS must publish regularly, in an authenticated manner, the time-stamps for rounds [BdM91] in mass media. If the time-stamping protocol includes (by using collision-resistant one-way hash functions) (1) the message digest of any time-stamp issued during the r-th round into the time-stamp for r-th round, and (2) the message digest of the time-stamp for round r − 1 into any time-stamp issued during the r-th round, it will be intractable for anyone to undetectably forge a time-stamp. The forgery detection procedures should be simple. Forgeries should be determinable either during the stamping protocol (when the time-stamp, signed by the TSS, fails to be correct) or later when it is unable to establish the temporal order between two otherwise correct timestamps (see Sect. 4 for details). 3.3
Feasibility Requirements
The time-stamping systems of [BdM91] and [HS97] use nonlinear partial ordering of time-stamps and therefore do not support the RTA. Sect. 4 shows how to modify the linear linking scheme ([HS91], Sect. 5.1) to fulfill the security objectives (RTA and detection of forgeries). On the other hand, in practice, in this scheme the detection of forgeries would take too many steps. As noted in [Jus98], it is easy to forge time-stamps when we can assume that the verifier has limited computational power. This leads us to the question of feasibility. In order to make RTA feasible in the case when time-stamps belong to different rounds, it is reasonable to define an additional layer of links between the time-stamps for rounds. Definition 3. Assume we are given (ρ, H) and (δ, H) linking schemes and a monotonically increasing function ξ : IN → IN. By a (ρ, ξ, δ, H)-linking scheme we mean a procedure for linking a family (Hn ) of data items together using auxiliary linking items Ln and Lr satisfying the recursive formulae Ln := H(Hn , Ln1 , . . . , Ln]ρ−1 (n) )
if n 6∈ ξ(IN)
Lr := Lξ(r) = H(Hr , Lr1 , . . . , Lr]δ−1 (r) ) Hr := H(Hm , Lm1 , . . . , Lm]ρ−1 (n) ) ,
492
Ahto Buldas et al.
where m = ξ(r), ρ−1 (n) = {m1 , . . . , m]ρ−1 (n) } (m1 ≥ ... ≥ m]ρ−1 (n) ) and δ −1 (r) = {r1 , . . . , r]δ−1 (r) } (r1 ≥ . . . ≥ r]δ−1 (r) ). The values Lr are also referred to as the time-stamps for rounds. Note that the time-stamps requested from the TSS during the verification protocol should belong to the set of time-stamps for rounds because only these time-stamps are available in the time-stamping server. Definition 4. A (ρ, ξ, δ, H)-linking scheme is said to be an Accumulated Linking Scheme (ALS) with rank m, if 1. If ξ(r) < n ≤ ξ(r + 1) then ρ−1 (n) ⊂ [ξ(r), ξ(r + 1)] ∪ ξ(IN); 2. ξ(r + 1) − ξ(r) ≥ m. We say that a (ρ, H)-linking scheme enables accumulated time-stamping if for arbitrary positive m there exists ξ, such that the (ρ, ξ, ρ, H)-scheme is an ALS with rank m. If the linking scheme used enables accumulated time-stamping, the duration of the rounds can be flexibly enlarged in order to guarantee that only a negligible fraction of the time-stamps are kept in the memory of the time-stamping server. Let n be the total number of time-stamps issued till the moment of the current run of stamping/verification protocol. The feasibility requirements can be summarized with the following: 1. The number of the evaluations of the hash function during the verification protocol should be O(log n). In particular, the number of time-stamps examined during a single run of the verification protocol should be O(log n); 2. There should be a conveniently small upper bound to the length of rounds, whereas the clients want to get their time-stamps in reasonable time. It seems to be sensible to require that the stamping protocol of the n-th document must terminate before the TSS has received additional O(log n) time-stamp requests. In real applications it is desirable for the average length of rounds to be constant (this would guarantee that for an arbitrary constant c there would be only negligible fraction of rounds with length greater than c). 3. The size of an individual time-stamp should be small. As we will show later (Thm. 2), there is a trade-off between these quantities. In Sect. 5 and the following sections we present an improvement of the scheme of Sect. 4.
4
First Version of Our System: Linear Linking
For pedagogical reasons, we outline the protocols and the basic organizational principles of our system using the linear linking scheme. This scheme fulfills all the trust requirements but is impractical. Further, the described scheme is significantly improved by replacing the linear scheme with a binary linking scheme. Let the number M of time-stamps per round be a constant known to the participants (clients) and all the data items Xn be of fixed size. Therefore, in the case of the linear linking scheme, the time-stamp for the r-th round has a number ξr = M · r.
Time-Stamping with Binary Linking Schemes
4.1
493
Role of the TSS
The TSS maintains the following three databases: 1. the database Dc of the time-stamps of the current round. 2. the database Dp of the time-stamps of the previous round. 3. the database Dr of the time-stamps for rounds. These databases are considered to be on-line in the sense that any client can make requests into them at any moment. The fourth database (the complete data-base of time-stamps) is also stored but not on-line (it may be stored into an archive of CD-s). Requests to this database are possible, but costly (e.g., requiring human interaction). After the end of each round, the time-stamps in Dp are stored to a separate CD (this process may be audited). Thereafter, Dp is emptied. The time-stamp Rr for the current round is computed, added to Dr and published in a newspaper (two processes which should be audited). The database Dc is copied into Dp and a new database Dc is created. 4.2
Stamping Protocol
Suppose, the current round number is r. 1. Client sends Xn to the TSS. 2. The TSS finds Hn = H(n, Xn ) and Ln = (Hn , Ln−1 ), and adds the pair (Hn , Ln ) to Dc . 3. The TSS signs the pair (n, Ln ) and sends (n, Ln , sigTSS (n, Ln )) back to the client. 4. The TSS sends the tuple head(n) = (Hn−1 , Hn−2 , . . . , Hξr−1 +1 ) to the client. 5. The client verifies the signature of TSS and checks, whether H(Hn , H(Hn−1 , . . . H(Hξr−1 +1 , Lξr−1 ) . . . )) = Ln ,
(2)
where the true values Lξi can be found either from the newspaper or by requesting for their values from the on-line database Dr of the TSS. After the M requests have been answered the TSS finishes the round by finding Lξr = H(Hξ0 r , Lξr−1 ) (where Hξ0 r = H(Hξr , Lξr −1 )) and publishing Lξr and his public key KTSS in the newspaper. The client may now continue, during a limited period, the protocol in order to get the complete individual time-stamp for Xn . 6. The client sends a request to the TSS. 7. Let tail(n) = (Hξr −1 , Hξr −2 , . . . , Hn+2 , Hn+1 ) The TSS answers by sending (tail(n), sigTSS (tail(n))) to the client. 8. The client checks whether Lξr = H(Hξr −1 , H(Hξr −2 , . . . H(Hn+2 , H(Hn+1 , Ln )) . . . )) .
(3)
494
Ahto Buldas et al.
Definition 5. The complete individual time-stamp sn for the n-th document is sn := (tail(n), head(n), n, Ln , sigTSS (n, Ln )) . Every client who is interested in the legal use of a time-stamp, should validate it during the stamping protocol. In a relatively short period between the 1st and the 3rd step and between the 4th and 6th step, the signature key of TSS is trusted to authenticate him and therefore, his signature on an invalid head(n) or tail(n) can be used as an evidence in the court. But the client is responsible for doing it when the signature key of TSS can still be trusted. Later, the signature of TSS may become unreliable and therefore only the one-way properties can be used. 4.3
Verification Protocol
Let r(n) denote the round where sn was issued. Assume, the verifier has two time-stamped documents (Xm , sm ) and (Xn , sn ) where m < n. 1. The verifier checks the validity of the equations (2) and (3) for both timestamps. 2. If r(m) = r(n) then the data hold in tail(m) and head(n) will be enough to check whether Ln = H(Hn , H(Hn−1 , . . . H(Hm+1 , Lm ) . . . )) . 3. If r(m) < r(n), the verifier sends a request to the TSS. 4. The TSS answers by sending the tuple vmn = (Hξ0 r(n)−1 , Hξ0 r(n) −2 , . . . , Hξ0 r(m) ) and the signature sigTSS (vmn ) to the verifier. 5. The verifier validates the signature, finds Lξr(m) using (3), finds Lr(n)−1 using the formula Lr(n)−1 = H(Hξ0 r(n)−1 , H(Hξ0 r(n)−2 , . . . H(Hξ0 r(m) , Lξr(m) ) . . . )) and finally, compares the value of Ln in sn with the value given by (2). 4.4
Audit Protocol
Because of the possible legal importance of the time-stamps issued by the TSS, there should be some mechanism to audit TSS. One easy way to do it is to periodically ask time-stamps from the TSS and verify them. If these time-stamps are linked inconsistently (i.e., the Eq. (2) and (3) hold for both time-stamps but the verification protocol fails), the TSS can be proven to be guilty. Also, there has to be a mechanism for the TSS to prove that he has not issued a certain time-stamp S in a certain round r. This can be done if the TSS presents all the time-stamps issued during the r-th round, shows that S is not among them and that the time-stamp for the r-th round, found by using these time-stamps and the linking rules, coincides with the published time-stamp.
Time-Stamping with Binary Linking Schemes
5
495
Binary Linking Schemes
In the current section we give a construction of a practical linking scheme with logarithmic upper bound to the length of the shortest verifying chain between any two time-stamps. Definition 6. Let f and g be functions from IN to IN satisfying the condition f (n) ≤ g(n) < n for any n. A (f, g, H)−binary linking scheme (BLS) is a (ρ, H)linking scheme where for any n, ρ−1 (n) = {f (n), g(n)}. In order to guarantee the existence of a verifying chain between arbitrary x and y, we have to take g(n) := n − 1. In those cases we omit n − 1 and talk just about a (f, H)-BLS. A binary linking scheme can alternatively be defined as a directed countable graph which is connected, contains no cycles and where all the vertices have two outgoing edges (links). Let us construct an infinite family of such graphs Tk in the following way: 1. T1 consists of a single vertex which is labeled with the number 1. This vertex is both the source and the sink of the graph T1 . 2. Let Tk be already constructed. Its sink is labeled by 2k − 1. The graph Tk+1 consists of two copies of Tk , where the sink of the second copy is linked to the source of the first copy, and an additional vertex labeled by 2k+1 − 1 which is linked to the source of the second copy. Labels of the second copy are increased by 2k − 1. The sink of Tk+1 is equal to the sink of the first copy, the source of Tk+1 is equal to the vertex labeled by 2k+1 − 1. Thereafter, link all the vertices of the second copy which have less than two outgoing links, to the source of the first copy. Note that there is now a double link from the sink of the second copy to the source of the first copy. 2 k
2 -1
Tk
Tk+1 2
k+1
-1
k+1
-2
Tk
The sequence (Tk ) defines a binary linking scheme with the vertices labeled by natural numbers which contains each scheme Tk as its initial segment. After the construction of this binary linking scheme, add links from the sources of any such initial segment to a special vertex labeled by 0 (Fig. 2). Here (see also Rem. 1), f (n) = n − 2h(n) + 1, where h(n) is given recursively by the equation ( k , if n = 2k − 1 , h(n) = k−1 h(n + 1 − 2 ) , if 2k−1 ≤ n < 2k − 1 . Theorem 1. Let `(a, b) be the length of the shortest verifying chain from b to a. If k > 2 and 0 < a ≤ b < 2k then `(a, b) ≤ 3k − 5. (See Appendix A)
496
Ahto Buldas et al.
In Sect. 4 we presented an outline of a time-stamping system that fulfills our trust requirements. In the next we show how to make this system feasible by using a BLS. ξ 3 = 22
ξ0 = 0
ξ1 = 7
ξ 2 = 15
ξ 4 = 31 31
15 30 7
14
22 29
3
10
18
13
25 21
6
28
12 0
1
2
4
5
8
9
11
16
17
19
20
23
24
26
27
Fig. 2. The ALS structure built on T5 with m = 7. In order to issue the individual time-stamp for the n-th document, the TSS has to find the shortest verifying chains between ξr(n)−1 and n and between n and ξr(n) . The n-th individual time-stamp consists of the minimal amount of data (Sect. 4.2) necessary to verify the mutual one-way dependencies between all Lj which lay on these chains. It can be shown that if f satisfies the implication m > n ⇒ (f (m) ≤ f (n) ∨ f (m) ≥ n)
(4)
then (f, H) enables accumulated time-stamping (the proof has been omitted because of its technicality). In particular, the binary linking scheme described in Sect. 5 enables accumulated time-stamping. For a fixed m let k := dlog2 me, ξ0 := 0, ξ1 := 2k − 1 (the source of Tk ) and for arbitrary i > 1, ( ξ2j + ξi−2j , if i 6= 2j ξ(i) := 2 · ξi/2 + 1 , if i = 2j , where j := blog2 ic. The length of the n-th time-stamp in this scheme does not exceed 2 · 3 · log(n) · χ bits, where χ is the output size of the hash function H. The maximum length of rounds grows proportionally to O(log n). However, the average length of rounds is constant and therefore it is practical to publish the time-stamps for rounds after constant units of time. This can be achieved easily with the following procedure. If the “deadline” for round is approaching and there are still q time-stamps not issued yet, assign random values to the remaining data items Hn .
Time-Stamping with Binary Linking Schemes
497
Remark 1. Denote by ord n the greatest power of 2 dividing n. In the ALS presented above, it is reasonable to label time-stamps in the lexicographical order with pairs (n, p), where 0 ≤ p ≤ ord n and n > 0. Then, ( (0, p) , n = 2p f (n, p) := p p (n − 2 , ord (n − 2 )) , otherwise and g(n, p) := (n, p − 1) if p > 0 and g(n, 0) := (n − 1, ord (n − 1)). Also, the formulas of ξi will simplify: in this case, ξ(i) := (2k−1 i, k − 1 + ord i), for i ≥ 1. It is easy to show that for each n and m the shortest verifying chain between n and m is uniquely defined. The data vmn necessary to verify the one-way dependence is computed by the procedure TSData(m, n): proc TSData(m, n) ≡ Data := nil while n > m do Data := append(Data, Hn ) if f (n) 6= n − 1 ∧ f (n) ≥ m then Data := append(Data, Ln−1 ); n := f (n) else Data := append(Data, Lf (n) ); n := n − 1 fi od. Here, head(n) := TSData(ξr(n−1) , n) and tail(n) := TSData(n, ξr(n) ). Example 1. Let ξ0 = 0 and ξ1 = 15 (Fig. 2). In order to compute the fourth and the tenth time-stamps we need tail(10) := (H15 , L0 , H14 , L7 , H13 , L12 ) , head(10) := (H10 , L9 , H7 , L6 ) , tail(4) := (H15 , L0 , H14 , L13 , H7 , L0 , H6 , L3 , H5 , L4 ) , head(4) := (H4 , L3 , H3 , L2 ) . Let (f, H) be a BLS satisfying the implication (4). Let x < y < z < w and C1 , C2 be verifying chains from z to x and w to y respectively. It is obvious that C1 and C2 have a common element. Thus, if m < n then the verifying chains tail(m) and head(n) have a common element c which implies the existence of a verifying chain (m = n0 , n1 , . . . , ni−1 , ni = c, ni+1 , . . . , n`−1 , n` = n) . This chain can be found by a simple algorithm and is of logarithmic length. Let r(m) denote the round into which m belongs. The proof of the last claim for the case r(m) = r(n) is given in Appendix A. If m and n belong to different rounds,
498
Ahto Buldas et al.
15
On the verifying chain
14
Other links used for verification
13
Not used for verification
7 3
10 6
0
1
2
4
5
8
9
11
12
Fig. 3. The time-stamp of X10 in the proposed system. the verifying is straightforward, because of the similar structure of the second layer of links. The verifying chain from n to m is of the form (m, . . . , m0 , ξr(m) , . . . , ξr(n)−1 , n0 , . . . , n) , where the number of ξj -s is logarithmic due to the fact that the time-stamps for rounds are linked together in a way similar to the linking of all time-stamps (Fig. 2). The length of the sequences (m, . . . , m0 ) and (n0 , . . . , n) is also logarithmic (Appendix A). Example 2. For the chains given in Example 1, the common element is 7 and the verifying chain between 4 and 10 is (4, 5, 6, 7, 10). Corollary 1. Due to the similarity between the verification and the stamping procedure, for an arbitrary pair of time-stamped documents the number of steps executed (and therefore, also the number of time-stamps examined) during a single run of the verification protocol is O(log n).
6
Optimality
Our solution meets asymptotically the feasibility requirements, but could these requirements be refined? Mostly not, an insight into this is given below. Namely, we show that for any linking scheme there does not exist a time-stamping solution where (1) the length of the time-stamps is O(log n), (2) for any m and n there exists a verifying chain between m and n with the length O(log n) that is completely contained in the union S(m) ∪ S(n) of the corresponding individual time-stamps and (3) the stamping protocol will end in a logarithmic time. We prove this under the assumptions (1) that an individual time-stamp is a subset of IN and (2) that the size of a time-stamp is proportional to the size of ]S(n) + ]ρ−1 (S(n)) = O(]ρ−1 (S(n))) (holds if the transitive closure ρ∗ of ρ coincides with the natural order 1. Observe the following cases: – If 0 < a ≤ ek−1 then `(a, ek ) = `(a, ek−1 ) + `(ek−1 , ek ) ≤ 2(k − 2) + 2 = 2(k − 1) by induction assumption. – If ek−1 < a ≤ ek then observe the following cases: • a = ek . Then `(a, ek ) = 0 ≤ 2(k − 1). • a < ek . Then `(a, ek ) = `(a, ek − 1) + `(ek − 1, ek ) = `(a − ek−1 , ek−1 ) + 1 by the Lemma 2. Induction assumption now gives `(a, ek ) = `(a − ek−1 , ek−1 ) + 1 ≤ 2(k − 2) + 1 < 2(k − 1). t u Proof (Theorem 1). Induction on k. Base: k = 3. In this case one can directly verify that `(a, b) ≤ 4. Step: k > 3. Observe the following cases: – If 0 < a ≤ b ≤ ek−1 then the induction assumption gives us `(a, b) ≤ 3(k − 1) − 5 < 3k − 5. – If 0 < a ≤ ek−1 < b ≤ ek then `(a, b) = `(a, ek−1 ) + `(ek−1 , b) ≤ 2(k − 2) + `(ek−1 , b) by the Lemma 4. The following cases are possible: • b = ek . Then `(ek−1 , b) = 2 < k − 1. • b = ek − 1. Then `(ek−1 , b) = 1 < k − 1. • b < ek − 1. Then the lemmas 2 and 3 give `(ek−1 , b) = `(0, b − ek−1 ) ≤ k − 1. Thus `(a, b) ≤ 2(k − 2) + k − 1 = 3k − 5. – If ek−1 < a ≤ b ≤ ek then observe the following cases: • b = ek . Then `(a, b) = `(a, ek ) ≤ 2(k − 1) < 3k − 5 by Lemma 4. • b < ek . Then `(a, b) = `(a − ek−1 , b − ek−1 ) ≤ 3(k − 1) + 5 < 3k − 5 by Lemma 2 and induction assumption. t u As dlog be = k iff ek−1 + 1 < b ≤ ek + 1 we get k < dlog be + 1 and thus `(a, b) ≤ 3dlog be − 2 .
Threshold Traitor Tracing Moni Naor? and Benny Pinkas?? Dept. of Applied Mathematics and Computer Science Weizmann Institute of Science Rehovot 76100, Israel {naor,bennyp}@wisdom.weizmann.ac.il
Abstract. This work presents threshold tracing schemes. Tracing schemes trace the source of keys which are used in pirate decoders for sensitive or proprietary data (such as pay-TV programs). Previous tracing schemes were designed to operate against any decoder which decrypts with a non-negligible success probability. We introduce threshold tracing schemes which are only designed to trace the source of keys of decoders which decrypt with probability greater than some threshold q (which is a parameter). These schemes present a dramatic reduction in the overhead compared to the previous constructions of tracing schemes. We argue that in many applications it is only required to protect against pirate decoders which have a decryption probability very close to 1 (for example, TV decoders). In such applications it is therefore very favorable to use threshold tracing schemes.
1
Introduction
We present very efficient tracing systems: systems which allow data providers to identify sources of leakage of their keys to illegitimate receivers. Consider for example a pay-TV provider which finds out that someone is selling pirate decoders which enable the decoding of transmissions without paying the required fees. A tracing system enables the provider to identify which legitimate receivers assisted in constructing the pirate decoders. Tracing systems were first presented by Chor, Fiat and Naor [8]. They used the following security requirement, which in our view is too stern for many applications: they required full-resiliency, i.e that the schemes should trace the source of any decoder which decodes with a non-negligible probability. We claim that for many very relevant applications a decoder with a success probability which is non-negligible, but is not very close to 1, is useless. Assume for example that a TV program is divided into one minute segments which are separately encrypted. A decoder which decrypts with probability 90% is expected to fail in the decoding of one out of ten minutes. Very few customers will be willing to pay for such a decoder. ? ??
Research supported by BSF Grant 32-00032. Supported by an Eshkol Fellowship from the Israeli Ministry of Science.
H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 502–517, 1998. c Springer-Verlag Berlin Heidelberg 1998
Threshold Traitor Tracing
503
We present threshold tracing schemes which depend on a parameter q. They trace the source of keys of any decoder which decodes with success probability not smaller than q but there is no guarantee for their success against decoders with success probability smaller than q. The efficiency of our threshold tracing schemes is superior to that of the tracing schemes of [8] (see Section 4.3 for a numerical comparison for constructions of typical size). We therefore claim that applications which do not require fully resilient tracing should use threshold tracing schemes. In order to use threshold tracing schemes the communicated content should be divided into blocks which are independently encrypted. A legitimate decoder contains keys which enable it to decrypt every block. These keys identify that decoder. If a (pirate) decoder contains enough keys (taken from the legitimate decoders of traitors) to enable it to decrypt more than a q fraction of the blocks, these keys are sufficient to identify at least one of the traitors. It is assumed that a pirate decoder which decrypts less than a q fraction of the blocks is not useful and therefore it is not important to trace the source of its keys. In general, it is always useful to recognize what is a “success” of the adversary, and design schemes which prevent such a success. This process may lead to very efficient constructions, with an overhead that is proportional to the severity of the “attack” to which they are immune (this is the case with the threshold tracing schemes we present, whose overhead is an inverse function of q). Such constructions can also serve to price the security by presenting the overhead incurred by requiring a certain amount of security. Let us first consider the scenario in which the schemes operate. A data provider is distributing some content to legitimate receivers (e.g. paying subscribers). The content is typically distributed encrypted, and each legitimate receiver has a decryption key. A traitor is a legitimate receiver who attempts to enable unauthorized users to access the content. A traitor can distribute a copy of the cleartext of the content to other illegitimate receivers. We do not attempt to protect against such pirate distribution but claim that in many cases the economy of scale makes such a distribution non-profitable or too dangerous. Typical cases where this is true include – Pay-per-view or subscription television broadcasts. It is an expensive and a risky business to start a pirate broadcast station. (A similar application is the distribution of content over the Internet using “push” technology). – Online services or databases, publicly accessible (say on the Internet) where a charge may be levied for access to all or certain records. The pirate must copy the entire information provided by the online service and maintain an updated copy. This process is non-efficient and can be easily detected. As piracy in these cases is a criminal commercial enterprise the risk/benefit ratio in distributing illegal copies of the content becomes unattractive. A pirate can sell illegal access to the content by providing its customers with much shorter data – the decryption keys. We therefore concentrate in this paper in preventing
504
Moni Naor and Benny Pinkas
traitors from distributing their decryption keys to other users1 . We construct (k,q)-threshold tracing schemes. If an illegitimate user uses a pirate decoder2 which was built using the keys of at most k legitimate users (who are therefore traitors), and if the decoder can decrypt with probability at least q, then our schemes will identify (with high probability) at least one traitor given the pirate decoder (it cannot be promised that the schemes identify more traitors since it is possible that all the keys used in constructing the pirate decoder were taken from a single traitor). We note that in fact our schemes have the very desirable property that the identity of the traitor can be established by considering the pirate decryption process as a black box. It suffices to capture one pirate decoder and its behavior will identify the traitor, there is no need to “break it open” or read any data stored inside. The schemes can be based on any symmetric encryption system. The security parameter is the length of the key of that system. We measure the efficiency of the solutions in terms of several performance parameters. The memory and communication parameters are measured in multiples of the size of the security parameter. The efficiency parameters are: (a) The memory and computation requirements for an authorized user. These parameters are of special importance if the user has limited computation and storage capabilities, as is the case with smartcards. (b) The memory and computation requirements for the data supplier. These parameters are typically less important, since the data supplier can perform its computations off-line and can use large storage space. (c) The data redundancy overhead, i.e. the increase in data size that is needed in order to enable the tracing. This refers to the communication overhead (in broadcast or online systems) or the additional “wasted” storage in CD-ROM type systems. 1.1
Our Results
Consider a tracing scheme for n users, which should be secure with probability 1 − p against coalitions of up to k users. 1
2
In practice today it is often considered sufficient to prevent piracy by supplying the authorized parties with so-called secure hardware solutions (smartcards and their like) that are designed to prevent interference and access to enclosed cryptographic keys. The assumptions about the security of these hardware mechanisms are not always correct. There are several methods that use hardware faults in the “secure hardware solutions” in order to find the keys that are enclosed inside [3,5,4]. Our schemes obtain their claimed security without any secure hardware requirements. Should such devices be used to store the keys, they will undoubtedly make the attack even more expensive, but this is not a requirement. We use the term pirate decoder to represent the pirate decryption process, this may or may not be a physical box, and may simply be some code on a computer.
Threshold Traitor Tracing
505
Our schemes compare very well to the the best tracing scheme of [8] (see also table 1). That scheme required each user to store a personal key of length O(log(1/p) log(n/p)). This was also the running time required from the user. The communication overhead was O(k log(1/p) log(n/p)). We remark that the “O” notation hides considerable coefficients. For a threshold 0 < q < 1, our one-level scheme has personal keys of length 4k log(n/p), and a communication overhead of only 4k. The user is required to 3q perform only a single decryption operation. The length of the personal keys of the simplest two-level threshold scheme k is O(log(k/p) log(n/p)), and its communication overhead is O(k log( q log(k/p) )). A user should perform very few decryption operations. We remark that in this case the coefficients of the “O” notation are very moderate. Table 1 contains a comparison for a reasonable size system, in which all the parameters and coefficients are plugged in From now on we describe the exact complexity of the schemes we present. We do not use an “O” notation but rather present all the constant coefficients. 1.2
Content Distribution Schemes
The schemes which are used to distribute the content from the data provider to the legitimate receivers are of the following general form: The data supplier generates a meta-key which contains a base set A of random keys and assigns subsets of these keys to users, m keys per user (the parameters will be specified later). These m keys jointly form the user’s personal key. Different personal keys may have a nonempty intersection. We denote the personal key for user u by P (u), which is a subset of the base set A. A message in a traitor tracing message consists of pairs of the form henabling block, cipher blocki. The cipher block is the symmetric encryption of the actual data (say part of a video clip), under some secret random key s. Alternately, it could be the exclusive-or of the message with s and we would get an information theoretic secure version of the scheme (although a very inefficient one, since as with any one-time-pad the size of the key should be as long as the encrypted data). The enabling block allows authorized users to obtain s. The enabling block consists of encrypted values under some or all of the keys of the base set A. Every authorized user will be able to compute s by decrypting the values for which he has keys and then computing the actual key from these values. For all the schemes we present the computation on the user end is simply taking the exclusive-or of values that the user is able to decrypt. A very simple scheme is to give each user a different key. Then the enabling block includes an encryption of s with each of the users’ keys. However the length of the enabling block is then linear in the number of legitimate users and might be too large for many applications. Traitors may conspire and give an unauthorized user (or users) a subset of their keys so that the unauthorized user will also be able to compute the key s from the values he has been able to decrypt. The goal of the system designer is to assign keys to the users such that when a pirate decoder is captured it
506
Moni Naor and Benny Pinkas
would be possible to detect at least one traitor, subject to the limitation that the number of traitors is at most k. We remark that the overhead of both the schemes of [8] and of our threshold schemes depends on the parameter k. Since the overhead of our schemes is a considerably smaller function of k it is possible to set this parameter to a higher value and protect against larger coalitions. 1.3
Eliminating Piracy
Traitor tracing schemes help in three aspects of piracy prevention: they deter users from cooperating with pirates, they identify the pirates and enable to take legal actions against them, and they can be used to disable active pirate users. The usage of traitor tracing schemes discourages users from helping pirates and especially from submitting their keys to be used in pirate decoders. In particular, if the process of a user obtaining a personal key requires some sort of registration and physical identification then it should be hard for pirates to obtain a large number of personal keys. Consequently, the tracing traitor scheme can identify the source of keys which are used in pirate decoders and this mere fact should deter users from helping pirates. When a pirate decoder is found and a source of its keys is identified, legal activities should be taken against this source. Indeed, as was pointed by Pfitzmann in [17] a corrupt data provider that wishes to incriminate an honest user might construct a “dummy” pirate decoder containing this user’s keys, “reveal” it and claim that the user is a pirate. Similar misbehavior is possible though with many current types of services and yet there is little evidence that service providers have performed such illegal activities. The broadcast encryption schemes of Fiat and Naor [13] deal very efficiently with disabling active pirate users, i.e. preventing them from further decryption. These schemes allow one to broadcast messages to any dynamic subset of the user set and are specifically suitable for pay-per-view TV applications. The schemes require a single short transmission to disable all pirate decoders if they were manufactured via a collaborative effort of no more than k traitors. Another broadcast encryption scheme was suggested by Wallner et al [18], and is secure against any number of corrupt users. It has better performance than [13] if the number of deletions is small. In particular, personal keys are of length O(log n) and there is no data redundancy in regular operation. A combination of a traitor tracing scheme and a broadcast encryption scheme is a very powerful tool. When a traitor is traced the dynamic subset of users authorized to receive the broadcast should be changed by simply excluding the traced traitor. This procedure should be repeated until the pirate box is rendered useless. In [9] it is described how to combine a tracing traitor scheme and a broadcast encryption scheme in order to achieve this capability. Both the data redundancy overhead and the key length of the resulting scheme are the multiplication of the corresponding overheads for the tracing and broadcast encryption schemes (but used with the scheme of [18] this does not increase the total overhead too much).
Threshold Traitor Tracing
1.4
507
Related Work
The work of Chor, Fiat, and Naor [8] has introduced the concept of traitor tracing, and presented several tracing schemes. We survey their results in section 3. A more complete and formal treatment of the problem is presented in [9] which is the full version of [8] and of our paper. Boneh and Shaw [6] have suggested a scheme for marking different copies of an electronic document by inserting a different fingerprint into each copy. The fingerprint is composed of a sequence of marks with each mark having one of two values (therefore the fingerprint corresponds to a binary string)3 . The scheme is based on a marking assumption which states that a coalition of users who each have a copy with the same value for a certain mark cannot generate a copy with a different value for that mark. The scheme has the property that using up to k copies it is impossible to generate a new copy whose fingerprint does not reveal at least one of the k copies that were used. It offers better security in the sense that it enables to trace the leaked content itself (and not just the key which enables its decryption). It can also be used as a tracing traitors scheme but it is much less efficient than the schemes of [8]: the number of keys that each user should have is k 4 times greater than in the most efficient scheme of [8]. Another solution for copyright protection is through self enforcement schemes, which were suggested by Dwork, Lotspiech and Naor [11]. In these schemes the content is encrypted and each legitimate user receives a different decryption key which includes some sensitive information related to the user (e.g. his credit card number). Users will be reluctant to hand their keys to others since the keys contain this sensitive information. The self enforcement schemes suggested in [11] use the same type of security as was used in [8,6]. Namely, the system is secure against coalitions of less than k corrupt users, and the system’s complexity depends on k. Pfitzmann [17] has suggested a tracing traitors method which yields a proof for the liability of the traced traitors. In this scheme the issuing of keys from the center to the users is performed by an interactive protocol. At the end of the protocol the center is not able to construct a “pirate decoder” that frames a user, but if a real pirate decoder is found the center is able to trace the source of the keys the decoder contains. However, as this construction uses a relatively complex primitive (general secure multi party protocols) which is rather inefficient (e.g. it operates on the circuit which evaluates the function), its overall complexity is high.
2
Definitions
A traitor tracing scheme consists of three components: – A user initialization scheme, used by the data supplier to add new users. The data supplier has a meta-key α that defines a mapping Pα : U 7→ {0, 1}s 3
See for instance [10] for a method for inserting marks into a document.
508
Moni Naor and Benny Pinkas
where U is the set of possible users and s is the number of bits in the personal key of each user. When user ui ∈ U joins, he receives his personal key Pα (ui ). In all of our constructions Pα (ui ) consists of a subset of m decryption keys out of a larger set A of keys. – An encryption scheme Eα : {0, 1}∗ 7→ {0, 1}∗ used by the data supplier to encrypt messages and a decryption scheme Dβ : {0, 1}∗ 7→ {0, 1}∗ used by every user to decrypt those messages. Let the personal key of user ui be β = Pα (ui ), then for any message M ∈ {0, 1}∗ we have M = Dβ (Eα (M )). In our schemes the messages are encrypted block by block where every encrypted block contains an enabling block and a cipher block. The decryption process consists of a preliminary decryption of encrypted keys in the enabling block, a process which combines the results to obtain a common key, and finally a decryption of the cipher block. – A traitor tracing algorithm, used upon confiscation of a pirate decoder, to determine the identity of a traitor. We do not assume that the contents of a pirate decoder can be viewed by the traitor tracing algorithm but rather that the tracing algorithm can access it as a black box and test how (if at all) it decrypts an input ciphertext. (We do assume however that the pirate decoder can be reset to its original state, i.e. that there is no self-destruction mechanism when it detects a traitor tracing algorithm.) The encryption of plaintext blocks in our schemes results in a message which consists of an enabling block and a cipher block. The cipher block contains the plaintext block encrypted by some encryption algorithm using some random block key s which is unique to this block. The enabling block contains encryptions of “shares” of the block key such that every legitimate user can use his personal key to decrypt enough shares to reconstruct the block key. An adversary who wants to decrypt the message can either break the encryption scheme that was used in the cipher block without using any information from the enabling block, or try to learn some information from the enabling block that might help in the decryption process. In this paper we assume that it is hard to break the underlying encryption scheme so we are only interested in preventing attacks of the latter kind. Assume that an adversary has the cooperation of a coalition of at most k legitimate users, and uses their keys to construct a decoder. We would like to trace at least one of the coalition members. Intuitively a scheme is called fully resilient if it is possible to trace (with high certainty) at least one of the traitors that helped build a decoder which does not break the underlying encryption algorithms. More accurately, a system is fully resilient if for every pirate decoder which runs in time t it either holds that it is possible to trace at least one of the traitors which helped its construction, or that the decoder can break one of the underlying encryption algorithms in time t. Fully resilient tracing schemes were suggested and constructed in [8]. There are many applications for which the pirate decoder must decrypt with probability close to 1, like the TV broadcast example we presented in Section 1. In such scenarios we can concentrate on tracing the source of keys which were used to build
Threshold Traitor Tracing
509
decoders which decrypt with probability greater than some threshold. A scheme is called a q-threshold scheme if for every decoder which does not break the underlying encryption algorithms and decrypts with probability greater than q it is possible to trace at least one of the traitors that helped building it. An obvious and preliminary requirement from the tracing traitors schemes is that they supply secure encryption. That is, an adversary which has no information on the keys that are used should not be able to decrypt the encrypted content. Intuitively, our security definitions claim that if an adversary (who might have some of the keys) is able to decrypt and escape from being traced then the scheme is insecure as an encryption scheme even against an adversary who has no keys. Following we present an exact definition of fully-resilient and threshold tracing schemes. Definition 1. Let T be a coalition of at most k users. Let A be an adversary who has a subset F of the values of the keys of the users in T , and who is able to decrypt in time t and with probability greater than q0 the content sent in the tracing traitors scheme. The security assumption is that one of the following two statements holds: – Given F the data supplier is able to trace with probability at least 1 − p at least one of the users in T . – There exists an adversary A0 which uses A as a black box and whose input is only an enabling block and a cipher block of the tracing traitors scheme. A0 can reveal the content that is encrypted in the cipher block in time which is linear in the length of its input and in t, and with probability at least q00 (q 00 is defined in the next paragraph). The probability is taken over the random choices of the data supplier, and when appropriate over the random choices of the adversary or of the tracing algorithm. The scheme is called fully (p, k)-resilient if the security assumption holds for q 0 = q 00 . If the scheme further achieves p = 0 then it is called fully k-resilient. The scheme is called q-threshold (p, k)-resilient if the security assumption holds for q 0 = q + q 00 . Since we assume the underlying encryption algorithms to be secure, we can assume that the probability (q 00 ) with which an adversary A0 which knows nothing but the ciphertext can break the encryption is negligible. Therefore in a fully resilient scheme the data supplier can trace at least one traitor if it finds a pirate decoder (adversary A) which decrypts with non-negligible probability. In a threshold scheme the data supplier is able to do so if it finds a decoder which decrypts with probability greater than q by a non-negligible difference (but to simplify the exposition we often take the freedom to refer to threshold schemes as secure against any pirate decoder which decrypts with probability greater than q).
510
3
Moni Naor and Benny Pinkas
Fully-Resilient Tracing Schemes
The fully-resilient tracing schemes of [8] are based on applying hash functions combined with any private key cryptosystems, and do not require any public key operations. Our threshold schemes will be based on the same operations. The hash functions are used to assign decryption keys (from a base set of decryption keys) to authorized users. The assignment guarantees that any combination of keys, taken from the personal keys of any coalition of traitors, has the following property: If this combination enables decryption then it is “far” from the personal key of any innocent (non–traitor) user. (For more information on hash functions and their applications see [15,7,19,14].) There are two types of traceability schemes defined in [8]. Open schemes assume that the mapping is public and the indexes of the keys which are mapped to any user are publicly known (the only secret information is the content of the keys). Secret schemes are defined to operate in cases where the mapping of keys is secret and it is unknown which keys are used by every user. The constructions of secret schemes can be more efficient than those of open schemes and are therefore recommended to be used in practice. The reason for the gain in efficiency is that traitors do not know which keys the other users received. Therefore even if the set of keys of a coalition of traitors includes a large part of the keys of an innocent user the traitors do not know which keys these are and cannot construct a pirate decoder which incriminates a specific user. Our threshold tracing schemes are secret schemes. Secret fully-resilient schemes were constructed for n users and at most k traitors. Two types of secret schemes were presented in [8]: – Secret fully (p, k)-resilient one-level schemes required the personal key of each user to consist of m = 43 k log(n/p) decryption keys, and the enabling block to 4 2 include 16 3 k log(n/p) key encryptions. Each user should perform 3 k log(n/p) decryptions in order to reveal the broadcasted secret. – Secret fully (p, k)-resilient two-level schemes required the personal key of each user to consist of m = 43 b log(2n/p) decryption keys, and the enabling ln(ek/b) block to include 32 3 ekb log(2n/p)(1 + b−1−ln(ek/b) ) key encryptions, where b = log(4/p). Each user should perform 43 b log(2n/p) decryptions in order to reveal the broadcasted secret. Two-level schemes are more efficient than one-level schemes if k log(1/p).
4
Threshold Tracing Schemes
Threshold tracing schemes are designed to trace the source of keys of any pirate decoder whose advantage in decrypting the content (compared to an adversary who does not have any of the keys) is at least q. The complexity of q-threshold schemes depends on q. These schemes are more efficient for larger values of q. They are secret schemes in the sense that the set of keys that each user receives is unknown to other users. The design concept
Threshold Traitor Tracing
511
of these schemes is as follows: either the pirate decoder holds enough keys to enable the tracing of at least one traitor, or it does not contain enough keys to ensure a decryption probability greater than q. The security of tracing schemes is reduced to the assumption that the encryption scheme that is used is secure and therefore any adversary who does not have the decryption keys cannot decrypt with a non-negligible success probability. The benefit of using threshold tracing schemes is a dramatic reduction in the data redundancy overhead and in the number of operations needed for decryption, whereas the length of the personal key is almost as short as in secret fully resilient schemes. We also present a threshold scheme which improves over fully-resilient schemes in all complexity parameters. Next we define one-level and two-level threshold tracing schemes. The data redundancy overhead and the personal key length are parameterized and there is a tradeoff between them. It is possible to set the parameter to a value which obtains the best tradeoff between the two complexity measures (for instance the last entry of Table 1 demonstrates a reasonable such tradeoff). 4.1
A One-Level Threshold Scheme
The scheme uses a threshold parameter q, against k traitors and for a total of n users, each with a unique identity u ∈ {1, . . . , n}. Initialization: A set of ` hash functions h1 , h2 , . . . , h` are chosen independently at random. Each hash function hi maps {1, . . . , n} into a set of 4k random keys Ai = {ai,1 , ai,2 , . . . , ai,4k }. The hash functions are kept secret. User u receives, upon initialization, the indices and values of ` keys {h1 (u), h2 (u), . . . , h` (u)}. The keys can be imagined as organized in a matrix of size ` × 4k, where each user receives a single key from each row. Distributing a secret: Let s be the secret to be distributed. Let q ≤ w < 1 and 0 < t ≤ ` be two parameters which will be defined later (the scheme would divide the secret into t shares and ensure that a decoder which contain keys from fraction of at least w of the rows would be able to decrypt the secret with probability greater than q). The data provider chooses random values {si }ti=1 subject to the constraint t ⊕i=1 si = s, and chooses t random rows r1 , . . . , rt . For every i (i = 1, 2, . . . , t) the data provider encrypts si under each of the 4k keys in row Ari . Decryption: Each authorized user has one key from every row Ari and is therefore always able to decrypt every si and compute s. Parameters: The memory required per user is m = ` keys. The amount of work that each user should perform in order to reveal a key is O(t). The data redundancy overhead used in distributing the key is r = 4kt. The parameter t should be set so that for t random rows it holds with probability q that a pirate decoder which contains keys from less than a fraction w of the rows does not have a key from at least one of the t rows (and therefore a decoder which does not have keys from a fraction w of the rows cannot decrypt with probability better than q). First observe that w ≥ q since otherwise the probability is less than q even for t = 1. The probability of the decoder having
512
Moni Naor and Benny Pinkas
log(1/q) keys from all t rows is at most wt and therefore setting t = logw q = log(1/w) suffices to make the probability of correct decryption at most q. For example, it is possible to set w = q and t = 1. The broadcast center would only have to broadcast the secret s encrypted by the keys of a single row which it chooses randomly. The data redundancy overhead is then only O(4k). Tracing: We are only concerned with decoders which include keys from at least w` rows4 . Using the methods of [9] it is possible to reveal the set of keys F that a pirate decoder uses while treating the decoder as a black box. Assume w.l.o.g. that F contains one key from each of w` rows. Denote these rows as r1 , . . . , rw` , and denote the key in F ∩ Ari as fri . The body that performs the traitor tracing knows the functions hri (·) and can therefore identify and mark the users in h−1 ri (fri ) for every i. The user with the largest number of marks is exposed as the traitor. Analysis: Since there were at most k traitors it is obvious that one of them contributed w`/k keys to F . Consider the probability that an innocent user, say user 1, contributed w`/k keys to F . Since the hash functions hri are random and secret the mapping hri (1) is random and independent of the mapping of the traitors by hri . The probability that fri equals the key mapped to user 1 is 1/4k. An immediate application of the Chernoff bound shows that the probability that at least w`/k of the keys of user 1 are in F is at most 2−3w`/4k . Choosing an ` such that n · 2−3w`/4k < p ensures a traitor is revealed with probability at least 4k 1 − p. The data provider should therefore set ` = 3w log(n/p). For any practical purpose the parameter q can be set to be a constant. However one-level schemes are used in the next subsection as building blocks for two-level schemes and there q should be a function of other parameters. The results regarding one-level threshold schemes are summed up in the following theorem. We first state the results for a parameterized w. As w increases the key length decreases and the data redundancy overhead increases. Then we state the results for w = q.
Theorem 2. There is a q-threshold (p, k)-resilient scheme, with a parameter 4k log(n/p) keys w taking values in [q, 1), in which a personal key consists of 3w log(1/q) and the data redundancy overhead is of 4k log(1/w) keys. A user should perform log(1/q) log(1/w)
decryptions in order to reveal the broadcasted secret.
When w = q a personal key consists of 4k 3q log(n/p) keys and the data redundancy overhead is of only 4k keys. A user should only perform a single decryption in order to decrypt the broadcasted secret. The scheme we presented displays a tremendous improvement in the data redundancy overhead, but the length of the personal key is a little larger than in the 4k one-level fully resilient scheme (it is 4k 3q log(n/p) compared to 3 log(n/p) in the 4
It is possible to prove, as is done in [9], that if a decoder has keys from less rows and can decrypt with probability better than the threshold then it can be used to break the underlying encryption scheme.
Threshold Traitor Tracing
513
one-level fully resilient scheme). The next subsection presents two-level threshold schemes which balance the two complexity parameters through a tradeoff between the key length and the data redundancy overhead. 4.2
Two-Level Threshold Schemes
Two-level threshold schemes are constructed from one-level threshold schemes by using many one-level schemes and applying a hash function to map users to schemes. We first present a basic construction which displays a tradeoff between the personal key lengths and the data redundancy overhead, and which can obtain shorter key length than the one-level threshold scheme. Then we change the parameters of the construction to obtain schemes with an even shorter key length, in the price of increasing the data redundancy a little. These schemes perform better than fully-resilient schemes in both the personal key length and the data redundancy overhead. The basic construction The construction uses a random mapping h from the domain {1, . . . , n} to a range of size 2ek/b. It is required that for any fixed set of k traitors the probability that b or more traitors are mapped together by h is less than p/2, i.e. b−1 b b−1 k b ek 1 p b ek < = < b−1 b 2ek b 2ek b 2 2 4ek satisfies the inequality. Once such a mapping is Setting b = log p log(1/p) chosen we continue by constructing threshold one-level schemes for each set of preimages h−1 (i) for 1 ≤ i ≤ 2ek/b. In the initialization phase each user u receives his personal key for the subscheme h(u), and the secret s is distributed by each of the 2ek/b subschemes. It is required that each subscheme has the following property against b traitors: either the success probability of the traitors in decrypting the secret qb is greater by at most q˜ = 2ek than the success probability of an adversary who does not have any of the keys, or the traitors can be traced with probability at least 1 − p/2. If in no subscheme the traitors have an advantage greater than q˜ then the pirate decoder cannot decrypt with an advantage better than q. The initialization and secret distribution stages are straightforward. The subschemes are built in the same way as the one-level schemes of the previous subsection. As before w is a parameter that defines the minimal fraction of rows such that with keys from less than w` rows in a certain subscheme a decoder cannot decrypt with probability better than q˜. If a pirate decoder decrypts with probability greater than q it must contain keys from a w fraction of the rows in one or more of the subschemes. The tracing process that was defined for the one-level scheme can then trace at least one of the traitors which contributed keys for this subscheme. The following theorem therefore follows:
514
Moni Naor and Benny Pinkas
Theorem 3. There is a q-threshold (p, k)-resilient scheme, with the parameter qb 4ek w taking values in [ 2ek , 1), where b = log( p log(1/p) ), in which: 4 b log(2n/p) basic keys. – The length of the personal key is m = 3w 1 log( 2ek – The data redundancy overhead is 8ek log(1/w) qb ) basic encryptions.
– The receiver should perform secret.
log(2ek/(qb)) log(1/w)
decryptions in order to decrypt the
The key is longer than the key in the fully resilient secret two-level scheme by a factor of only 1/w, and the data redundancy overhead is substantially shorter. Comparing with the one-level threshold scheme for the same value of the parameter w, the personal key changes by a factor of b/k, and the data redundancy overhead changes by a factor of 2e·(1+log(2ek/b)/ log(1/q)). Therefore the key is shorter and the data redundancy overhead is larger. However, the increase in the data redundancy overhead is relatively moderate: if we denote the ratio between the key length in this scheme and in the one-level scheme as 1/α then the data redundancy overhead increases by a factor of only 2e(1 + log(2eα)/ log(1/q)). qb Note that the minimum value for w is q˜ = 2ek which is smaller than the minimum value for w in the one-level scheme. Setting w to this value yields the minimum possible data redundancy overhead, 8ek encryptions, whereas the key length is maximal, m = 8ek 3q log(2n/p). Both are longer than the values for the one-level scheme by a factor of exactly 2e. The two-level scheme features a tradeoff between the length of the personal key and the data redundancy overhead. At one end of the curve there is a short key but a longer data redundancy overhead and in the other end the key length is maximal and the data redundancy overhead is minimal, and both are equal up to a constant factor to the performance of the one-level threshold scheme for minimal data redundancy overhead. Note that as with the two-level fullyresilient secret scheme the expected number of users that are mapped to each subscheme is smaller than n by a factor of b/2ek. The subschemes can therefore be defined for a smaller set of users to achieve greater efficiency. Shorter personal keys The following variant of a threshold tracing scheme improves all the complexity parameters of the most efficient fully-resilient scheme (whereas the previous tracing scheme had a dramatic improvement in the data redundancy and decryption overheads, but increased the personal key a little). The decrease in the length of the personal keys is enabled as follows: The same construction as before is used, with 2ek/b1 subschemes, and it is required that the probability that more than b2 users are mapped together is at most p/2 (previously the values b1 and b2 were equal). The personal key 4 is composed of 3w b2 log(2n/p) keys, and the data redundancy overhead is of b2 1 8ek b1 log(1/w) log( 2ek qb1 ) basic encryptions. The values b1 , b2 should satisfy the following inequality: b2 −1 b2 b2 −1 b 2ek p k b1 ek b1 b1 2 · ≤ · = · < 2ek b2 2ek b1 2b2 2 b2
Threshold Traitor Tracing
515
α Assume b2 = bα (α > 1). The previous inequality is satisfied if b ≥ 1 = b q log(k/p) α α α−1 · log log(k/p) . The following theorem is therefore obtained:
Theorem 4. For every α > 1 there is a q-thresholdq (p, k)-resilient scheme, with qb the parameter w taking values in [ 2ek , 1), where b =
α
α α−1
·
log(k/p) log log(k/p) ,
in which:
4 – The length of the personal key is m = 3w · bα · log(2n/p) basic keys. α−1 – The data redundancy overhead is 8ekb log( 2ek qb )/ log(1/w) basic encryptions. – A receiver should perform log( 2ek qb )/ log(1/w) decryptions in order to decrypt the secret.
As α increases the personal key length decreases and the data redundancy overhead increases. The limits of these values as α −→ ∞ are 4 · loglog(k/p) – The limit of the length of the personal key is m = 3w log(k/p) · log(2n/p) basic keys. 2ek 1 – The limit of the data redundancy overhead is 8ek loglog(k/p) log(k/p) log( q ) · log(1/w) basic encryptions. – A receiver should perform log(2ek/q) log(1/w) decryptions in order to decrypt the secret.
This scheme has the shortest personal key among all the schemes we presented. The small penalty for this is a data redundancy overhead which is longer than in the other threshold two-level scheme. However, the data redundancy is still shorter than in the fully resilient schemes. 4.3
An Example
Let us consider the following example in order to demonstrate the performance of the different tracing schemes. Suppose that we would like to create a traitor tracing scheme for up to one million authorized users, so that for at most k = 1000 traitors the probability of false identification is at most 2−10 . We describe in Table 1 the length of the personal key of each user and the data redundancy overhead, both measured by the number of basic keys that they contain (i.e. the ratio between their size and the size of a key of the encryption scheme that is used to encrypt the content). The table also shows the number of decryption operations that should be performed by the receiver. We compare the performance of threshold schemes to the performance of the best fully-resilient scheme – the two-level secret scheme described in section 3. The table refers to the section in which each of the schemes is described. The first result is for the most efficient two-level secret fully resilient scheme. The other results are of threshold schemes which were designed to trace only the source of keys of decoders which can decrypt with probability greater than 3/4. This type of schemes allows for a tradeoff between the length of the personal key and the data redundancy, as is demonstrated in the table.
516
Moni Naor and Benny Pinkas
Property
Section Personal Data Decryption Key Redun. Operations 3 496 21,270,000 496 4.1 53,000 4000 1
Secret two-level best fully-res. Threshold one-level, min. data redundancy Threshold two-level, min. 4.2 data redundancy w = 1/2 Threshold two-level 4.2 min. key α→∞ Threshold tradeoff 4.2 w = 1/8
1,660
185,000
9
380
1,290,000
13
10,000
64,500
3
Table 1. Examples of the complexity of different Tracing Traitors schemes, using n = 106 , k = 1000, p = 10−3 , and q = 3/4.
The secret two-level scheme has a short key length but the data redundancy overhead is large. The threshold schemes feature a tradeoff between the length of the personal key and the data redundancy overhead. It is possible to make one parameter very small by increasing the other parameter, and it is also possible to achieve very reasonable results for both measures, as in the last entry. The scheme of Section 4.2 is superior to the secret two-level scheme in all the complexity parameters. It should also be noted that if we are only concerned with decoders which decrypt with probability close to 1 it is possible to get more efficient schemes by defining a scheme for q ≈ 1.
5
Conclusions
We presented threshold tracing schemes which are considerably more efficient than fully-resilient tracing schemes. In many applications there is only need for decoders which decrypt with probability greater than some threshold, and these applications should use threshold tracing schemes to trace the source of illegal decoders. The efficiency of the threshold schemes as a function the size of a corrupt coalition of users, k, allows for resiliency against rather large such coalitions. We remark that in many different applications and scenarios (other than traitor tracing) there is no need for security against adversaries which perform negligibly better than “guessing the secret”. These applications call for threshold security schemes similar to the schemes presented in this work. These schemes should depend on a parameter q (the threshold) and only protect against adversaries which achieve success greater than q.
Threshold Traitor Tracing
517
References 1. N. Alon, J. Bruck, J. Naor, M. Naor and R. Roth, Construction of Asymptotically Good Low-Rate Error-Correcting Codes through Pseudo-Random Graphs, IEEE Transactions on Information Theory, vol. 38 (1992), 509–516. 2. N. Alon and J. Spencer, The Probabilistic Method, Wiley, 1992. 3. R. Anderson and M. Kuhn, Tamper Resistance – A Cautionary Note, Usenix Electronic Commerce Workshop, Oakland (1996), 1–11. 504 4. E. Biham and A. Shamir, Differential Fault Analysis of Secret Key Cryptosystems, Proc. Advances in Cryptology – Crypto ’97, Springr-Verlag LNCS 1294 (1997), 513–525. 504 5. D. Boneh, R. A. Demillo and R. J. Lipton, On the Importance of Checking Computations, Proc. Advances in Cryptology – Eurocrypt ’97 (1997), 37–51. 504 6. D. Boneh and J. Shaw, Collusion-Secure Fingerprinting for Digital date, Proc. Advances in Cryptology – Crypto ’95 (1995), 452–465. 507, 507 7. J. L. Carter and M. N. Wegman, Universal Classes of Hash Functions, Journal of Computer and System Sciences 18 (1979), 143–154. 510 8. B. Chor, A. Fiat and M. Naor, Tracing Traitors, Proc. Advances in Cryptology – Crypto ’94, Springr-Verlag LNCS 839 (1994), 257–270. 502, 503, 505, 506, 507, 507, 507, 507, 507, 508, 510, 510, 510 9. B. Chor, A. Fiat, M. Naor and B. Pinkas, Tracing Traitors, manuscript, (1998). 506, 507, 512, 512 10. Cox I., Kilian J., Leighton T. and Shamoon T., A Secure, Robust Watermark for Multimedia, Information Hiding Workshop, Cambridge, UK, Springer-Verlag LNCS 1174, (1996), 185–206. 507 11. C. Dwork, J. Lotspiech and M. Naor, Digital Signets: Self-Enforcing Protection of Digital Information, 28th Symposium on the Theory of Computation (1996), 489–498. 507, 507 12. P. Erd¨ os, P. Frankl and Z. F¨ uredi, Families of finite sets in which no set is covered by the union of r others, Israel J. of math. 51 (1985), 79–89. 13. A. Fiat and M. Naor, Broadcast Encryption, Proc. Advances in Cryptology - Crypto ’93 (1994), 480–491. 506, 506 14. M.L. Fredman, J. Koml´ os and E. Szemer´edi, Storing a Sparse Table with O(1) Worst Case Access Time, Journal of the ACM, Vol 31 (1984), 538–544. 510 15. K. Mehlhorn, Data Structures and Algorithms: Sorting and Searching, Springer-Verlag (1984). 510 16. F. J. MacWilliams and N. J. A. Sloane, The Theory of Error Correcting Codes, North Holland, Amsterdam, (1977). 17. B. Pfitzmann, Trials of Traced Traitors, Information Hiding Workshop, Cambridge, UK, Springer-Verlag LNCS 1174, (1996), 49–64. 506, 507 18. D.M. Wallner, E.J. Harder, R.C. Agee, Key Management for Multicast: Issues and Architectures, internet draft draft-wallner-key-arch-00.txt (1997). Avaliable at ftp://ietf.org/internet-drafts/draft-wallner-key-arch-00.txt 506, 506 19. M. N. Wegman and J. L. Carter, New Hash Functions and Their Use in Authentication and Set Equality, Journal of Computer and System Sciences 22 (1981), 265–279. 510
Author Index
Aiello W .....................
Lodha S..........................
137
MaurerU .........................
121
Bellare M ................ 26, 283, 390 Bellovin S.M ....................... 46 Biryukov A ........................ 72
NaorM ...................... Nguyen P .........................
267, 502 223
Bleichenbacher D ...................
Ohta K ........................... Okamoto T .......................
354 354
Ostrovsky R ......................
137
Paar C ...........................
472
Patel S ........................... Petrank E ........................
304 169
Aumann
137, 3 9 0
Y .......................
299
Bailey D.V .......................
472
1
Buldas A .........................
486
Catalano D .......................
105
Chabaud
F ........................
Cramer R .....................
56 13, 4 2 4
I ........................
424
Pfitzmann B ......................
153
Denny T .......................... Desai A ............................
458 26
Pinkas B ......................... Pointcheval D ......................
502 26
Di Crescenzo G ................... Dwork C .........................
390 442
Rabin M.O .......................
299
Fitzi M ...........................
121
Rabin T ........................... R.eingold O .......................
89 267
Rivest R.L ........................
153
Gennaro R ........................
105
Rogaway P .........................
26
Goldreich O ......................
153
Hada S ...........................
408
Salvail L ..........................
338
Halevi S.......................... Hall C ............................
283 370
Schneier B ........................ Shamir A .........................
370 257
H~tM
121
Shimoyama T ..................... Shoup V ........................... Stern J ...........................
200 13 223
Sundaram
304
Damgs
Sahai A ......................
...........................
Jakobsen T .......................
212
Joux A ............................
56
Jutla C.S .........................
186
Kaneko T .........................
200
Kelsey J ..........................
370
Kilian J ..........................
169
Kipnis A .........................
257
Koblitz N .........................
327
Kushilevitz E ......................
72
G.S ....................
283, 442
Takagi T .........................
318
Tanaka T .........................
408
Vadhan S ......................... Vaudenay S .......................
283 243
Venkatesan R .....................
390
Villemson J .......................
486
Laud P ...........................
486
Wagner D ........................
370
LipmaaH
486
Weber D ..........................
458
........................
Lecture Notes in Computer Science For information about Vols. 1-1386 please contact your bookseller or Springer-Verlag
Vol. 1387: C. Lee Giles, M. God (Eds.), Adaptive Processing of Sequences and Data Structures. Proceedings, 1997. XII, 434 pages. 1998. (Subseries LNAI).
Vol. 1405: S.M. Embury, N.J. Fiddian, W.A. Gray, A.C. Jones (Eds.), Advances in Databases. Proceedings, 1998. XII, 183 pages. 1998.
Vol. 1388: J. Rolim (Ed.), Parallel and Distributed
VoI. 1406: H. Burkhardt, B. Neumann (Eds.), Computer Vision -ECCV'98. Vol. I. Proceedings, 1998. XVI, 927 pages. 1998.
Processing. Proceedings, 1998. XVII, 1168 pages. 1998. Vol. 1389: K. Tombre, A.K. Chhabra (Eds.), Graphics Recognition. Proceedings, 1997. XII, 421 pages. 1998. Vol. 1390: C. Scheideler, Universal Routing Strategies
for Intereonneetion Networks. XVII, 234 pages. 1998. Vol. 139h W. Banzhaf, R. Poli, M. Schoenaner, T.C. Fogarty (Eds.), Genetic Programming. Proceedings, 1998. X, 232 pages. 1998. Vol. 1392: A. Barth, M. Breu, A. Endres, A. de Kemp (Eds.), Digital Libraries in Computer Science: The MeDoc Approach. VIII, 239 pages. 1998. Vol. 1393: D. Bert (Ed.), B'98: Recent Advances in the Development and Use of the B Method. Proceedings, 1998. VIII, 313 pages. 1998. Vol. 1394: X. Wu. R. Kotagiri, K.B. Korb (Eds.), Research and Development in Knowledge Discovery and Data Mining. Proceedings, 1998. XVI, 424 pages. 1998. (Subseries LNAI). Vol. 1395: H. Kitano (Ed.), RoboCup-97: Robot Soccer World Cup I. XIV, 520 pages. 1998. (Subseries LNAI). Vol. 1396: E. Okamoto, G. Davida, M. Mambo (Eds.), Information Security. Proceedings, 1997. XII, 357 pages. 1998. Vol. 1397: H. de Swart (Ed.), Automated Reasoning with Analytic Tableaux and Related Methods. Proceedings, 1998. X, 325 pages. 1998. (Subseries LNAI). Vol. 1398: C. N6dellec, C. Rouveirol (Eds.), Machine Learning: ECML-98. Proceedings, 1998. XII, 420 pages. 1998. (Subseries LNAI). Vol. 1399: O. Etzion, S. Jajodia, S. Sripada (Eds.), Temporal Databases: Research and Practice. X, 429 pages. 1998. Vol. 1400: M. Lenz, B. Bartsch-SpOrl, H.-D. Burkhard, S. Wess (Eds.), Case-Based Reasoning Technology. XVIII, 405 pages. 1998. (Subseries LNAI).
Vol. 1407: H. Burkhardt, B. Neumann (Eds.), Computer Vision -ECCV'98. Vol. II. Proceedings, 1998. XVI, 881 pages. 1998. Vol. 1409. T. Sehaub, The Automation of Reasoning with Incomplete Information. XI, 159 pages. 1998. (Subseries LNAI). Vnl. 141 h L. Asplund (Ed.), Reliable Software Technologies - Ada-Europe. Proceedings, 1998. XI, 297 pages. 1998. Vol. 1412: R.E. Bixby, E.A. Boyd, R.Z. Rios-Mercado (Eds.), Integer Programming and Combinatorial Optimization. Proceedings, 1998. IX, 437 pages. 1998. Vol. 1413: B. Pernici, C. Thanos (Eds.), Advanced Information Systems Engineering. Proceedings, 1998. X, 423 pages. 1998. Vol. 1414: M. Nielsen, W. Thomas (Eds.), Computer Science Logic. Selected Papers, 1997. VIII, 511 pages. 1998. Vol. 1415: J. Mira, A.P. del Pobil, M.AIi (Eds.), Methodology and Tools in Knowledge-Based Systems. Vol. I. Proceedings, 1998. XXIV, 887 pages. 1998. (Subseries
LNA1). Vol. 1416: A.P. del Pobil, J. Mira, M.Ali (Eds.), Tasks and Methods in Applied Artificial Intelligence. Vol.II. Proceedings, 1998. XXIII, 943 pages. 1998. (Subseries LNAI). Vol. 1417: S. Yalamanchili, J. Duato (Eds.), Parallel Computer Routing and Communication. Proceedings, 1997. XII, 309 pages, t998. Vol. 1418: R. Mercer, E. Neufeld (Eds.), Advances in ArtificialIntelligence. Proceedings, 1998. XII, 467 pages. 1998. (Subseries LNAI). Vol. 1419: G. Vigna (Ed.), Mobile Agents and Security. XII, 257 pages. 1998.
Vol. 1401: P. Sloot, M. Bubak, B. Hertzberger (Eds.), High-Performance Computing and Networking. Proceedings, 1998. XX, 1309 pages. 1998.
Vol. 1420: J. Desel, M. Silva (Eds.), Application and Theory of Petri Nets 1998. Proceedings, 1998. VIII, 385 pages. 1998.
Vol. 1402: W. Lamersdorf, M. Merz (Eds.), Trends in Distributed Systems for Electronic Commerce. Proceedings, 1998. XII, 255 pages. 1998.
Vol. 1421: C. Kirchner, H. Kirchner (Eds.), Automated Deduction - CADE-15. Proceedings, 1998. XIV, 443 pages. 1998. (Subseries LNAI).
Vol. 1403: K. Nyberg (Ed.), Advances in Cryptology EUROCRYPT '98. Proceedings, 1998. X, 607 pages. 1998.
Vol. 1422: J. Jeuring (Ed.), Mathematics of Program Construetion. Proceedings, 1998. X, 383 pages. 1998.
Vol. 1404: C. Freksa, C. Habel. K.F. Wender (Eds.), Spatial Cognition. VIII, 491 pages. 1998. (Subseries LNAI).
Vol. 1423: J.P. Buhler (Ed.), Algorithmic Number Theory. Proceedings, 1998. X, 640 pages. 1998.
Vol. 1424: L. Polkowski, A. Skowron (Eds.), Rough Sets and Current Trends in Computing. Proceedings, 1998. XIII, 626 pages. 1998. (Subseries LNAI). Vol. 1425: D. Hutehison, R. Schafer (Eds.), Multimedia Applications, Services and Techniques - ECMAST'98. Proceedings, 1998. XVI, 532 pages. 1998.
Vol. 1449: W.-L. Hsu, M.-Y. Kao (Eds.), Computing and Combinatorics. Proceedings, 1998. XII, 372 pages. 1998. Vol. 1450: L. Brim, F. Gruska, J. Zlatu~ka (Eds.), Mathematical Foundations of Computer Science 1998. Proceedings, 1998. XVII, 846 pages. 1998.
Vol. 1427: A.J. Hu, M.Y. Vardi (Eds.), Computer Aided Verification. Proceedings, 1998. IX, 552 pages. 1998.
Vol. 1451: A. Amin, D. Dori, P. Pudil, H. Freeman (Eds.), Advances in Pattern Recognition. Proceedings, 1998. XXt, 1048 pages. 1998.
Vol. 1429: F. van der Linden (Ed.), Development and Evolution of Software Architectures for Product Families. Proceedings, 1998. IX, 258 pages. 1998.
Vol. 1452: B.P. Goettl, H.M. Halff, C.L. Redfield, V.J. Shute (Eds.), Intelligent Tutoring Systems. Proceedings, 1998. XIX, 629 pages. 1998.
Vol. 1430: S. Trigila, A. Mullery, M. Campolargo, I-I. Vanderstraeten, M. Mampaey (Eds.), Intelligence in Services and Networks: Technology for Ubiquitous Telecom Services. Proceedings, 1998. XII, 550 pages. 1998.
Vol. 1453: M.-L. Mugnier, M. Chein (Eds.), Conceptual Structures: Theory, Tools and Applications. Proceedings, 1998. XIII, 439 pages. (Subseries LNAI).
Vol. 1431: H. Imai, Y. Zheng (Eds.), Public Key Cryptography. Proceedings, 1998. XI, 263 pages. 1998. Vol. 1432: S. Arnborg, L. Ivansson (Eds.), Algorithm Theory - SWAT '98. Proceedings, 1998. IX, 347 pages. 1998. Vol. 1433: V. Honavar, G. Slutzki (Eds.), Grammatical Inference. Proceedings, 1998. X, 271 pages. 1998. (Subseries LNAI).
Vol. 1454: I. Smith (Ed.), Artificial Intelligence in Structural Engineering. XI, 497 pages. 1998. (Subseries LNAI). Vol. 1456: A. Drogoul, M. Tambe, T. Fukuda (Eds.), Collective Robotics. Proceedings, t998. VII, 161 pages. 1998. (Subseries LNAI). Vol. 1457: A. Ferreira, J. Rolim, H. Simon, S.-H. Teng (Eds.), Solving Irregularly Structured Problems m Prallel. Proceedings, 1998. X, 408 pages. 1998.
Vol. 1434: J.-C. Heudm (Ed.), Virtual Worlds. Proceedings, 1998. XII, 412 pages. 1998. (Subseries LNAI).
Vol. 1458: V.O. Mittal, H.A. Yanco, J. Aronis, R-. Simpson (Eds.), Assistive Technology in Artificial Intelligence. X, 273 pages. 1998. (Subseries LNAI).
Vol. 1435: M. Klusch, G. Wei6 (Eds.), Cooperative Information Agents II. Proceedings, 1998. IX, 307 pages. 1998. (Subseries LNAI).
Vol. 1459: D.G. Feitelson, L. Rudolph (Eds.), Job Scheduling Strategies for Parallel Processing. Proceedings, 1998. VII, 257 pages. 1998.
Vol. 1436: D. Wood, S. Yu (Eds.), Automata Implementataon. Proceedings, 1997. VIII, 253 pages. 1998.
Vol. 1460. G. Quirchmayr, E. Schweighofer, T.J.M. Bench-Capon (Eds.), Database and Expert Systems Applications. Proceedings, 1998. XVI, 905 pages. 1998.
Vol. 1437: S. Albayrak, F.J. Garijo (Eds.), Intelligent Agents for Telecommunication Applications. Proceedings, 1998. XII, 251 pages. 1998. (Subseries LNAI). Vol. 1438: C. Boyd, E. Dawson (Eds.), Information Security and Privacy. Proceedings, 1998. XI, 423 pages. 1998. Vol. 1439: B. Magnusson (Ed.), System Configuration Management. Proceedings, 1998. X, 207 pages. 1998. Vol. 1441: W. Wobcke, M. Pagnucco, C. Zhang (Eds.), Agents and Multi-Agent Systems. Proceedings, 1997. XII. 241 pages. 1998. (Subseries LNAI). Vol. 1442: A. Fiat. G.J. Woeginger (Eds.), Online Algorithms. XVIII, 436 pages. 1998. Vol. 1443: K.G. Larsen, S. Skyum, G. Winskel (Eds.), Automata, Languages and Programming. Proceedings, 1998. XVI, 932 pages. 1998. Vol. 1444: K. Jansen, J. Rolim (Eds.), Approximation Algorithms for Combinatorial Optimization. Proceedings, 1998. VIII, 201 pages. 1998. Vol. 1445: E. Iul (Ed.), ECOOP'98 - Object-Oriented Programming. Proceedings, 1998. XII, 635 pages. 1998. Vol. 1446: D. Page (Ed.), Inductive Logic Programming. Proceedings, 1998. VIII, 301 pages. 1998. (Subseries LNAI). Vol. 1447: V.W. Porto, N. Saravanan, D. Waagen, A.E. Eiben (Eds.), Evolutionary Programming VII. Proceedings, 1998. XVI, 840 pages. 1998. Vol. 1448: M. Farach-Colton (Ed.), Combinatorial Pattern Matching. Proceedings, 1998. VIII, 251 pages. 1998.
Vol. 1461: G. Bilardi, G.F. Italiano, A. Pietracaprina, G. Pucci (Eds.), Algorithms - ESA'98. Proceedings, 1998. XII, 516 pages. 1998. Vol. 1462: H. Krawczyk (Ed.), Advances in Cryptology CRYPTO '98. Proceedings, 1998. XII, 519 pages. 1998. Vol. 1464: H.H.S. Ip, A.W.M. Smeulders (Eds.), Multimedia Information Analysis and Retrieval. Proceedings, 1998. VIII, 264 pages. 1998. Vol. 1465: R. Hirsehfeld (Ed.), Financial Cryptography. Proceedings, 1998. VIII, 311 pages. 1998. Vol. 1466: D. Sangiorgi, R. de Simone (Eds.), CONCUR'98: Concurrency Theory. Proceedings, 1998. XI, 657 pages. 1998. Vol. 1467: C. Clack, K. Hammond, T. Davie (Eds.), Implementation of Functional Languages. Proceedings, 1997. X, 375 pages. 1998. Vol. 1469: R. Pmgjaner, N.N. Savino, B. Serra (Eds.), Computer Performance Evaluation. Proceedings, 1998. XIII, 376 pages. 1998. Vol. 1473: X. Leroy, A. Ohori (Eds.), Types in Compilation. Proceedings, 1998. VIII, 299 pages. 1998. Vol. 1475: W. Litwin, T. Morzy, G. Vossen (Eds.), Advances in Databases and Information Systems. Proceedings, 1998. XIV, 369 pages. 1998. Vol. 1482. R.W. Hartenstein, A. Keevalhk (Eds.), FieldProgrammable Logic and Applications. Proceedings, 1998. XI, 533 pages. 1998.