
Intractable Problems

2.2 Algebra and Number Theory

2.2.4 Intractable Problems

The Discrete Logarithm Assumption

Let $G$ be a finite cyclic group and $g$ be a generator of $G$. The discrete logarithm of some element $x \in G$, denoted $\log_g(x)$, is the unique integer $a$, $0 \le a < |G|$, such that $x = g^a$. The discrete logarithm (DL) problem is the following: Given $G$, $g$, and an element $x \in G$, find the integer $a$, $0 \le a < |G|$, such that $x = g^a$. It is unknown whether an efficient algorithm for the DL problem exists. All known algorithms have exponential or subexponential running time, and it is widely believed that the problem is intractable. We state the assumption more precisely as follows.

Definition 2.2.16. Let $I = \{(G, g) \mid G \text{ is a cyclic group},\ g \in G \text{ a generator}\}$ and $I_k = \{(G, g) \in I \mid \operatorname{ord}(G) = k\}$. For every probabilistic polynomial-time algorithm $A$, every positive polynomial $Q$, and all sufficiently large $k$,

$$\Pr[y = \log_g(x) : (G, g) \overset{u}{\leftarrow} I_k,\ x \overset{u}{\leftarrow} G,\ y \leftarrow A(G, g, x)] < \frac{1}{Q(k)}.$$

This is called the discrete logarithm assumption.

The Diffie-Hellman and Decision Diffie-Hellman Assumptions

The Diffie-Hellman (DH) problem is the following: Given a finite cyclic group $G$, a generator $g$ of $G$, and the two elements $g^a$ and $g^b$, find the element $g^{ab}$. It is believed that the DH problem is intractable. We make this precise in the following.

Definition 2.2.17. Let $I = \{(G, g) \mid G \text{ is a cyclic group},\ g \in G \text{ a generator}\}$ and $I_k = \{(G, g) \in I \mid \operatorname{ord}(G) = k\}$. For every probabilistic polynomial-time algorithm $A$, every positive polynomial $Q$, and all sufficiently large $k$,

$$\Pr[y = g^{ab} : (G, g) \overset{u}{\leftarrow} I_k,\ a \overset{u}{\leftarrow} \mathbb{Z}_{|G|},\ b \overset{u}{\leftarrow} \mathbb{Z}_{|G|},\ y \leftarrow A(G, g, g^a, g^b)] < \frac{1}{Q(k)}.$$

This is called the Diffie-Hellman assumption.

Obviously, if the DL problem can be solved in polynomial time, then the DH problem can be solved in polynomial time. For some groups, the DH and the DL problems have been proved to be computationally equivalent [18, 153, 154, 155].

The decision Diffie-Hellman (DDH) problem is the following: Given a finite cyclic group $G$, a generator $g$ of $G$, and the three elements $g^a$, $g^b$, and $g^c$, decide whether the elements $g^c$ and $g^{ab}$ are equal. It is believed that the problem is intractable. This is made precise in the following.

Definition 2.2.18. Let $I = \{(G, g) \mid G \text{ is a cyclic group},\ g \in G \text{ a generator}\}$ and $I_k = \{(G, g) \in I \mid \operatorname{ord}(G) = k\}$. For every probabilistic polynomial-time algorithm $A$, every positive polynomial $Q$, and all sufficiently large $k$,

$$\Pr[c' = c : (G, g) \overset{u}{\leftarrow} I_k,\ a \overset{u}{\leftarrow} \mathbb{Z}_{|G|},\ b \overset{u}{\leftarrow} \mathbb{Z}_{|G|},\ z_0 = ab \bmod |G|,\ z_1 \overset{u}{\leftarrow} \mathbb{Z}_{|G|},\ c \overset{u}{\leftarrow} \{0, 1\},\ c' \leftarrow A(G, g, g^a, g^b, g^{z_c})] < \frac{1}{2} + \frac{1}{Q(k)}.$$

This is called the decision Diffie-Hellman assumption.

Clearly, an efficient algorithm to solve the DH problem implies one for the DDH problem.

Shoup shows that any generic algorithm must perform $\Omega(p^{1/2})$ group operations for the two problems, where $p$ stands for the largest prime divisor of the group order in the case of the DH problem, and for the smallest prime divisor of the group order in the case of the DDH problem [208]. A generic algorithm does not exploit any special properties of the encodings of group elements except that each group element is encoded as a unique bit string.
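The following Python example is added here and is not part of the original text. It makes the role of the smallest prime divisor concrete with a non-generic algorithm: in $\mathbb{Z}_{23}^*$ (order 22, so the smallest prime divisor is 2) the Legendre symbol of an element reveals the parity of its discrete logarithm, which is enough to play the game of Definition 2.2.18 with success probability 3/4, whereas in the prime-order subgroup of quadratic residues the same test is blind. The toy group, the generators and all function names are my own choices.

```python
# Added example, not from the original text. It makes Shoup's remark about the
# smallest prime divisor concrete: Z_23^* has order 22, so its smallest prime
# divisor is 2, and the Legendre symbol (an operation on the actual encoding of
# elements, hence non-generic) reveals the parity of every discrete logarithm.
# In the prime-order subgroup of quadratic residues the same test learns nothing.

def legendre(x, p):
    """Euler's criterion: 1 if x is a quadratic residue mod p, p - 1 (i.e. -1) otherwise."""
    return pow(x, (p - 1) // 2, p)

def has_even_log(x, p):
    """For a generator g of Z_p^* (a non-residue), g^a is a residue iff a is even."""
    return legendre(x, p) == 1

def consistent_with_ddh(p, ga, gb, gc):
    """ab is even iff a or b is even, so g^c can equal g^(ab) only if the
    parities of c and ab agree. Real DH tuples therefore always pass."""
    ab_even = has_even_log(ga, p) or has_even_log(gb, p)
    return has_even_log(gc, p) == ab_even

def rejection_rate(p, g, order):
    """Fraction of tuples (g^a, g^b, g^c), enumerated over all of Z_order^3,
    that the parity test rejects."""
    rejected = 0
    for a in range(order):
        ga = pow(g, a, p)
        for b in range(order):
            gb = pow(g, b, p)
            assert consistent_with_ddh(p, ga, gb, pow(g, a * b, p))   # real tuple passes
            for c in range(order):
                if not consistent_with_ddh(p, ga, gb, pow(g, c, p)):
                    rejected += 1
    return rejected / order ** 3

def ddh_success_probability(p, g, order):
    """Adversary of Definition 2.2.18 that answers c' = 0 (real) iff the test passes:
    it is right on every real tuple (c = 0) and on the rejected random ones (c = 1)."""
    return 0.5 * 1.0 + 0.5 * rejection_rate(p, g, order)

# Constructed toy parameters: 5 generates Z_23^* (order 22); 2 = 5^2 generates
# the subgroup of quadratic residues, which has prime order 11.
FULL_GROUP = (23, 5, 22)
PRIME_ORDER_SUBGROUP = (23, 2, 11)
```

In the full group the adversary reaches 3/4 instead of the 1/2 + 1/Q(k) the assumption allows, which is why DDH-based constructions use groups of prime order.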

The Representation Assumption

The representation problem is a generalization of the DL problem. It is believed that the representation problem is intractable. We make this statement precise in the following.

Definition 2.2.19. Let $I = \{(G, g_1, \dots, g_r) \mid G \text{ is a cyclic group},\ g_1, \dots, g_r \in G \text{ generators}\}$. Let $I_k = \{(G, g_1, \dots, g_r) \in I \mid \operatorname{ord}(G) = k\}$. For every probabilistic polynomial-time algorithm $A$, every positive polynomial $Q$, and all sufficiently large $k$,

$$\Pr[g_1^{a_1} \cdots g_r^{a_r} = y : (G, g_1, \dots, g_r) \overset{u}{\leftarrow} I_k,\ y \overset{u}{\leftarrow} G,\ (a_1, \dots, a_r) \leftarrow A(G, g_1, \dots, g_r, y)] < \frac{1}{Q(k)}.$$

This is called the representation assumption.

If the generators $g_1, \dots, g_r$ are all chosen randomly, finding two different representations of an element is as hard as the DL problem. Brands gives a thorough discussion on the representation problem in [26].
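The reduction behind that remark, as an added Python example that is not part of the original text, for $r = 2$ generators in a group of prime order: two distinct representations of one element $y$ yield $\log_{g_1}(g_2)$, so a representation-collision finder is a DL solver. The toy group (the order-11 subgroup of $\mathbb{Z}_{23}^*$), its generators and the function names are my own.

```python
# Added example, not from the original text: the reduction behind the remark
# above, for r = 2 generators in a group of prime order. Two distinct
# representations of one element y reveal log_{g1}(g2), so a representation
# collision finder is a DL solver for g2 with respect to g1.

P = 23            # Z_23^*; its quadratic residues form a subgroup of prime order 11
Q = 11
G1, G2 = 2, 13    # constructed toy generators of that subgroup; G2 = G1^7 (to be recovered)

def represent(a1, a2):
    """y = g1^a1 * g2^a2, i.e. (a1, a2) is a representation of y with respect to (g1, g2)."""
    return pow(G1, a1, P) * pow(G2, a2, P) % P

def dlog_from_collision(rep_a, rep_b):
    """Given (a1, a2) != (b1, b2) with g1^a1 g2^a2 = g1^b1 g2^b2, return log_{g1}(g2).
    Rearranging gives g1^(a1 - b1) = g2^(b2 - a2). Since the order Q is prime,
    b2 - a2 is invertible mod Q (a2 == b2 would force a1 == b1 as well)."""
    a1, a2 = rep_a
    b1, b2 = rep_b
    assert rep_a != rep_b and represent(a1, a2) == represent(b1, b2)
    return (a1 - b1) * pow((b2 - a2) % Q, -1, Q) % Q

def recovered_log_is_correct(rep_a, rep_b):
    """Check the recovered exponent against the group: g1^log == g2."""
    return pow(G1, dlog_from_collision(rep_a, rep_b), P) == G2
```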

The Assumption of Equality of Discrete Logarithms

Let $G$ be a group and $g_0, g_1 \in G$ be distinct generators of $G$. The problem of equality of discrete logarithms is the following: Given $G$, $g_0$, $g_1$, and two elements $y_0, y_1 \in G$, decide whether $\log_{g_0}(y_0) = \log_{g_1}(y_1)$. It is believed that there is no efficient algorithm to solve this problem. We make this precise in the following.

Definition 2.2.20. Let $I = \{(G, g_0, g_1) \mid G \text{ is a cyclic group},\ g_0, g_1 \in G \text{ generators}\}$ and $I_k = \{(G, g_0, g_1) \in I \mid \operatorname{ord}(G) = k\}$. Let

$$\mathrm{EDL}_{G,g_0,g_1} : G \times G \to \{0, 1\}, \qquad \mathrm{EDL}_{G,g_0,g_1}(y_0, y_1) = \begin{cases} 1 & \text{if } \log_{g_0}(y_0) = \log_{g_1}(y_1), \\ 0 & \text{otherwise,} \end{cases}$$

be a function. For every probabilistic polynomial-time algorithm $A$, every positive polynomial $Q$, and all sufficiently large $k$,

$$\Pr[b = \mathrm{EDL}_{G,g_0,g_1}(y_0, y_1) : (G, g_0, g_1) \overset{u}{\leftarrow} I_k,\ y_0 \overset{u}{\leftarrow} G,\ y_1 \overset{u}{\leftarrow} G,\ b \leftarrow A(G, g_0, g_1, y_0, y_1)] < \frac{1}{2} + \frac{1}{Q(k)}.$$

This is called the assumption of equality of discrete logarithms (EDL).

The Factoring Assumption

The integer factorization problem is the following: Given a positive integer $n$, find its prime factorization, i.e., find pairwise distinct primes $p_i$ and positive integers $e_i$ such that $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$. All known factoring algorithms have an exponential running time. Therefore, it is widely believed that the factors of $n$ cannot be computed efficiently. The following assumption makes this statement more precise. For simplicity, assume $n = pq$.

Definition 2.2.21. Let $I = \{n \mid n = pq,\ p \text{ and } q \text{ are distinct primes},\ |p| = |q|\}$ and $I_k = \{n \in I \mid n = pq,\ |p| = |q| = k\}$. For every probabilistic polynomial-time algorithm $A$, every positive polynomial $Q$, and all sufficiently large $k$,

$$\Pr[A(n) = p : n \overset{u}{\leftarrow} I_k] < \frac{1}{Q(k)}.$$

This is called the factoring assumption.

Furthermore, it is known that factoring $n = pq$ is equivalent to computing square roots in $\mathbb{Z}_n$ [189].

The RSA Assumption

Let $I = \{(n, e) \mid n = pq,\ p \ne q \text{ primes},\ 0 < e < \varphi(n),\ e \text{ prime to } \varphi(n)\}$. The family

$$\mathrm{RSA} = \bigl(\mathrm{RSA}_{n,e} : \mathbb{Z}_n \to \mathbb{Z}_n,\ x \mapsto x^e\bigr)_{(n,e) \in I}$$

is called the RSA family.

Consider an $(n, e) \in I$, and let $d \in \mathbb{Z}_{\varphi(n)}$ be the inverse of $e \bmod \varphi(n)$. We have $x^{ed} \equiv x \bmod n$. This shows that $\mathrm{RSA}_{n,e}$ is a bijection and that the inverse function is also an RSA function, namely $\mathrm{RSA}_{n,d} : \mathbb{Z}_n \to \mathbb{Z}_n,\ y \mapsto y^d$.

$\mathrm{RSA}_{n,e}$ can be computed by an efficient modular exponentiation algorithm. The inverse $d$ of $e$ can be easily computed by the extended Euclidean algorithm if $\varphi(n) = (p-1)(q-1)$ is known. No algorithm to compute $\mathrm{RSA}_{n,e}^{-1}$ in polynomial time is known if $p$, $q$ and $d$ are kept secret ($d$ or $p$, $q$ are called the trapdoor information for the RSA function).

To date, factoring $n$ is the only known method to totally break RSA. All known factoring algorithms have an exponential running time. Therefore, it is widely believed that RSA cannot be efficiently inverted. The following assumption makes this more precise.

Definition 2.2.22. Let $I_k = \{(n, e) \in I \mid n = pq,\ |p| = |q| = k\}$. For every probabilistic polynomial-time algorithm $A$, every positive polynomial $Q$, and all sufficiently large $k$,

It is believed that there is no efficient algorithm which, without knowing the factors of $n$, is able to decide whether $x \in J_n^{+1}$ is a quadratic residue. The following assumption makes this precise.

Definition 2.2.23. Let $I_k = \{n : n = pq,\ |p| = |q| = k\}$. For every probabilistic polynomial-time algorithm $A$, every positive polynomial $Q$, and all sufficiently large $k$,

$$\Pr[y = \mathrm{PQR}_n(x) : n \overset{u}{\leftarrow} I_k,\ x \overset{u}{\leftarrow} J_n^{+1},\ y \leftarrow A(n, x)] < \frac{1}{2} + \frac{1}{Q(k)}.$$

This is called the quadratic residuosity assumption.

Note that the factoring assumption follows from the RSA assumption and also from the quadratic residuosity assumption. Hence, each of these two assumptions is stronger than the factoring assumption.
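The following Python example is added here and is not part of the original text. It works through the RSA family and the predicate $\mathrm{PQR}_n$ on a toy modulus $n = 11 \cdot 13$ and shows the direction of the reductions just noted: whoever holds the trapdoor $(p, q)$ inverts $\mathrm{RSA}_{n,e}$ and decides quadratic residuosity in $J_n^{+1}$ at once, while the Jacobi symbol available to everyone is 1 on residues and non-residues of $J_n^{+1}$ in equal numbers. The toy parameters and all function names are my own.

```python
# Added example, not from the original text: the RSA family and the predicate
# PQR_n on a toy modulus n = 11 * 13, plus the reductions behind the remark that
# the factoring assumption follows from the RSA and QR assumptions: with the
# trapdoor (p, q) both problems are easy.
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; x is in J_n^{+1} iff jacobi(x, n) == 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def rsa(n, e, x):
    """RSA_{n,e}: Z_n -> Z_n, x -> x^e mod n."""
    return pow(x, e, n)

def rsa_inverse(p, q, e, y):
    """RSA_{n,d} with d = e^-1 mod phi(n); d is computable only from the trapdoor p, q."""
    d = pow(e, -1, (p - 1) * (q - 1))   # extended Euclid; needs gcd(e, phi(n)) == 1
    return pow(y, d, p * q)

def rsa_is_bijection(p, q, e):
    """x^(ed) = x mod n for every x in Z_n, i.e. RSA_{n,d} inverts RSA_{n,e}."""
    n = p * q
    return all(rsa_inverse(p, q, e, rsa(n, e, x)) == x for x in range(n))

def pqr_with_trapdoor(p, q, x):
    """PQR_n(x) for x in J_n^{+1}. x is a residue mod n iff it is one mod p and mod q;
    Jacobi symbol 1 forces the two Legendre symbols to agree, so Euler's criterion
    mod p decides. Without p, q the Jacobi symbol is 1 for residues and non-residues alike."""
    assert jacobi(x, p * q) == 1
    return pow(x, (p - 1) // 2, p) == 1

def balance_of_pqr(p, q):
    """Residues vs. non-residues among the units of J_n^{+1}: equal counts, which is
    why a blind guess achieves exactly the 1/2 of Definition 2.2.23."""
    n = p * q
    jn = [x for x in range(1, n) if gcd(x, n) == 1 and jacobi(x, n) == 1]
    residues = sum(pqr_with_trapdoor(p, q, x) for x in jn)
    return residues, len(jn) - residues
```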

Discussions

For all assumptions described above, we do not consider a single fixed key $i \in I_k$: the success probability of adversary $A$ is also taken over the random choice of the key. Hence, the meaning of the probability statement is: choosing both the key $i$ with security parameter $k$ and an instance at random, the probability that adversary $A$ computes correctly is small. The statement is not related to a particular key $i$.

In practice, however, a public key i is chosen and then fixed for a long time, and it is known to the adversary. Thus, we are interested in the conditional probability of success, assuming a fixed public key i. Even if the security parameter k is very large, there may be public keys such that adversary A correctly breaks the system with a significant probability. However, as we will see in the following lemma, the number of such keys is negligibly small compared to the number of all keys with security parameter k. Hence, choosing i at random and uniformly from Ik, the probability of obtaining one for which adversary A has a significant chance of success is negligibly small.

Lemma 2.2.1. Let $I = (I_k)_{k \in \mathbb{N}}$ be a key set with security parameter $k$. Let $A_j$ be randomized algorithms with input $x_j$ and output $y_j$, $1 \le j \le n$. Let $B$ be a boolean function. Assume that $A_n$ is the adversary $A$. Then the following statements are equivalent:

1. For every positive polynomial $P$ and all sufficiently large $k$,

$$\Pr[B(y_n) = 1 : i \leftarrow I_k,\ \{y_j \leftarrow A_j(x_j)\}_{1 \le j \le n}] < \frac{1}{P(k)}.$$

2. For all positive polynomials $Q$ and $R$, and all sufficiently large $k$,

Pr

be the conditional probability of success of A assuming a fixed i. We first prove that statement 2 implies statement 1. Let P be a positive polynomial. By statement 2, for sufficiently large k,

Hence

Conversely, assume that statement 1 holds. Let $Q$ and $R$ be positive polynomials.

Then for sufficiently large k

Hash functions can be used to control the integrity of a message. In signature schemes, hash functions are also applied to reduce messages of arbitrary lengths to message digests that can be signed in place of the original messages. Furthermore, hash functions can be employed as a substitution for the honest verifier in proofs of knowledge and thus turn them into signature schemes [90].

Definition 2.3.1. A hash function is a function mapping a binary string of arbitrary