
Group-oriented encryption and signature


Academic year: 2021



Student: Ming-Luen Wu

Advisor: Professor Yuh-Dauh Lyuu

Department of Computer Science and Information Engineering

National Taiwan University


Computer networks bring tremendous progress to the information-based society. Companies, organizations, and governments have been using computers and networks to process or transmit digital data. This also results in many different types of security requirements for group-oriented cryptographic applications.

In this thesis we study existing cryptographic tools and then use them to design more complex cryptographic systems. Several fundamental cryptographic primitives are useful not only as stand-alone applications but also as building blocks in the designing of secure cryptographic objects. Using these building blocks, we develop new cryptographic applications, including a full public-key traitor-tracing scheme and a convertible group undeniable signature scheme.

A fully public-key traitor-tracing scheme is a public-key traitor-tracing scheme that allows a subscriber to choose his or her own private decryption key without others learning the key. The distributor of the digital content uses the public data coming from all subscribers to compute a public encryption key. The paid contents are then transmitted to the subscribers, after being encrypted with the public key. Each subscriber can decrypt the data using his or her own secret key. Even if a coalition of subscribers conspire to create a pirate decoder with a tamper-free decryption key, there is a tracing algorithm to trace them. A realization of the scheme is presented in this thesis. Our scheme is long-lived, which means that the subscribers’ secret keys need not be regenerated after the pirate key is detected or when subscribers join or leave the system. Finally, our scheme guarantees anonymity.

A group undeniable signature satisfies the following requirements: (1) only group members can anonymously sign on behalf of the group; (2) a verifier must interact with the group manager to verify the signature; (3) the group manager can identify the signer of a valid signature. A convertible group undeniable signature scheme allows the group manager to turn selected group undeniable signatures into universally verifiable group signatures. An efficient realization of the scheme is proposed in this thesis. Our scheme is unforgeable, exculpable, unlinkable, and coalition-resistant. The proposed scheme allows the group manager to delegate the ability to confirm and deny signatures to trusted parties. The sizes of the public key and signatures are independent of the group size.


Contents

1 Introduction
1.1 Background
1.2 Group-Oriented Encryption
1.3 Group-Oriented Signature
1.4 Contributions and Organization of the Thesis

2 Foundations
2.1 Complexity-Theoretic Preliminaries
2.1.1 Randomized Algorithms
2.1.2 Computational Complexity
2.2 Algebra and Number Theory
2.2.1 Integer Arithmetic
2.2.2 Basic Algebra
2.2.3 Modular Arithmetic
2.2.4 Intractable Problems
2.3 Hash Functions
2.4 Indistinguishability of Probability Ensembles
2.5 Interactive Protocols and Proof Systems
2.6 Zero-Knowledge Proof Systems
2.7 Witness Indistinguishability and Hiding

3 Elementary Cryptographic Tools
3.1 Public-Key Encryption Schemes
3.1.1 The Diffie-Hellman Key Agreement
3.1.2 The RSA Encryption Scheme
3.1.3 The ElGamal Encryption Scheme
3.2 Commitment Schemes
3.2.1 A Bit Commitment Scheme
3.2.2 A Number Commitment Scheme
3.3 Identification Protocols
3.3.1 The Schnorr Identification Protocol
3.3.2 Analysis of the Schnorr Identification Protocol
3.4 Digital Signature Schemes
3.4.1 The RSA Signature Scheme
3.4.2 The ElGamal Signature Scheme
3.4.3 The Schnorr Signature Scheme
3.4.4 Signatures of Knowledge

4 A Fully Public-Key Traitor-Tracing Scheme
4.1 Introduction
4.2 Key Terms
4.3 Number-Theoretic Preliminaries
4.4 Proposed Scheme
4.4.1 Security Analysis
4.4.2 Semantic Security
4.4.3 Forgery of Decryption Keys
4.5 Traceability, Long-Livedness, Anonymity
4.6 Conclusions

5 Group Undeniable Signatures with Convertibility
5.1 Introduction
5.2 Preliminaries
5.2.1 Number-Theoretic Facts and Assumptions
5.2.2 Building Blocks
5.3 Proposed Scheme
5.3.1 The System Model
5.3.2 Realization of the Proposed Scheme
5.4.1 Exculpability
5.4.2 Unforgeability
5.4.3 Anonymity, Nontransferability, and Unlinkability
5.4.4 Coalition Resistance
5.5 Conclusions

6 Concluding Remarks

Bibliography


Introduction

Due to the widespread use of computers and communication networks, group-oriented cryptographic techniques are rapidly becoming important concerns for secure data exchange. In this chapter, we give an overview of group-oriented encryption and signature applications.

1.1 Background

Confidentiality and authenticity of a message are two fundamental issues in cryptography. Confidentiality ensures that no adversary will learn anything about the private information held by honest parties. Authenticity ensures that the receiver of a message can verify that the message really comes from the alleged sender. To achieve these two goals, encryption and signature techniques are used.

In classic encryption schemes, two parties who wish to communicate securely must agree in advance on a secret key that is used for both encryption and decryption. Hence there must be a secure method to deliver the secret key beforehand, and agreeing on a secret key can be a rather difficult task. In 1976, Diffie and Hellman [78] introduced the first key agreement scheme and, with it, the significant notion of public-key cryptography. Several important public-key cryptosystems followed, such as the RSA and ElGamal schemes. In a public-key cryptosystem, a public key is used for encryption and a secret key for decryption. The two keys are derived in such a way that computing the secret key from the public key is computationally infeasible. Furthermore, digital signature schemes can be devised on the basis of public-key cryptosystems. A signer creates digital signatures with his secret key, and everyone can verify the signatures with the corresponding public key. Analogous to handwritten signatures, digital signatures should be easy to produce and verify, but difficult to forge.

Originally, encryption and signature schemes were implemented for individual privacy and individual signatures, i.e., a private message is intended for an individual and a signature is created on behalf of an individual. In this setting, often only two parties are involved. However, such a framework might not be sufficient for cryptographic applications. In many cases, the messages created for a group are of much greater importance, and have far more serious consequences, than individual messages. It is desirable that there be cryptographic algorithms and protocols suitable for a group of people communicating over an insecure computer network. Accordingly, group-oriented cryptographic techniques are becoming significant considerations in today's information-based society [76].

In particular, many companies, organizations, and government departments have widely used computers and networks to process or transmit digital data. This promotes cryptographic applications involving more than two parties. For example, consider a data provider, such as a cable broadcast station, that needs to broadcast data securely to many subscribers, or an employee who wants to sign messages on behalf of his company. Because every group may have different needs in different cases, group-oriented cryptographic applications come in many varieties. To design appropriate security services, the first step is to determine the group's requirements. It is evident that group-oriented cryptographic applications have more complex requirements than two-party situations. To work toward such applications, an understanding of useful cryptographic tools is necessary. In this thesis, we clarify numerous fundamental concepts in cryptography, present several elementary cryptographic tools, and propose two useful group-oriented cryptographic applications.


1.2 Group-Oriented Encryption

We say that an encryption scheme is group-oriented if the parties involved in encryption and decryption are more than two in number. To date, many group-oriented encryption applications have been addressed. In the following, we review well-known applications that have appeared in the literature.

1. Broadcast encryption. Consider the problem of broadcasting digital contents to a large set of authorized users. Such applications include pay-TV systems, copyrighted CD/DVD distribution, and fee-based online databases. The problem is that anyone connected to a broadcast channel is able to pick up the data, whether authorized or not. To prevent unauthorized users from extracting the data, the broadcaster encrypts the message, and only the authorized users have the decryption keys to recover it. This issue of secure broadcasting is first addressed in [56]. However, the method proposed there carries out n encryptions for each copy of the data, where n is the number of subscribers. For improvements in efficiency, bandwidth requirements, and key storage space, see [12, 16, 17, 56, 89, 127, 143].

2. Traitor tracing. In broadcast encryption, malicious authorized users, called traitors, may use their personal decryption keys to create a pirate decoder. The resulting pirate decoder allows an unauthorized user to extract the content. To discourage authorized users from revealing their keys, traitor tracing is first introduced by Chor et al. [57, 58] and studied further in [96, 113, 169, 170, 181, 211, 213]. The idea is an algorithm that uses the confiscated pirate decoder to track down at least one colluder, without wrongly accusing noncolluders, with high probability. Most of these traitor-tracing schemes use a secret-key encryption scheme to encrypt the data. Public-key traitor-tracing schemes are studied in [19, 128, 134, 135]. Public-key traitor tracing allows everyone to perform encryption, and thus anyone can broadcast messages to the authorized users securely.

3. Threshold cryptosystems. Within a group, various access policies are possible. Depending on the internal organization of the group and the access type of the message imposed by the sender, a different cryptographic scheme with the corresponding key management policy is needed. Threshold cryptosystems allow one to send encrypted messages to a group, while only a subset of the group achieving a "threshold" has the ability to reconstruct the plaintext. Moreover, the process of reconstructing a plaintext should not reveal any participant's secret. Threshold cryptosystems are initiated by Desmedt and Frankel in [76, 77] and studied further in [40, 137, 207]. We remark that the "threshold" can be an arbitrary access structure, such as a hierarchical structure [101] or a t-out-of-n threshold structure [77]; the latter is the usual case.

One focus of this thesis is to investigate traitor tracing. We are the first to introduce the concept of fully public-key traitor tracing and propose a scheme [145, 146]. A fully public-key traitor-tracing scheme is a public-key traitor-tracing scheme in which subscribers can prevent anyone (including the broadcaster) from learning their secret keys. We present the scheme in Chapter 4.

1.3 Group-Oriented Signature

We say that a signature scheme is group-oriented if signing and verification involve more than two parties. Because a signature scheme can often be turned into an authentication scheme (such as the identification schemes in [87, 90]), in the following we will review many group-oriented signature applications that have appeared in the literature.

1. Group signatures. A group signature scheme allows a group member to sign messages on behalf of the group without revealing his or her identity. Nevertheless, in case of a later dispute, a designated group manager can open the signature, thus tracing the signer. At the same time, no one, including the group manager, can misattribute a valid signature. The concept of group signatures is introduced by Chaum and van Heyst [44]. Camenisch and Stadler present the first scheme in which the sizes of the public key and signatures are independent of the group size [38]. More works on group signatures include [4, 5, 6, 34, 35, 39, 54, 55, 180].


to convince other parties that he is a member of a group without revealing his identity. For efficiency and different security considerations, many schemes have been proposed in the literature [20, 37, 130, 138, 200, 201]. In particular, Kilian and Petrank introduce identity escrow, a group identification scheme with revocable anonymity [130]. In an identity escrow scheme, there is a delegated escrow agent that can trace the group member who has proved his group membership to other parties. We notice that the property of traceability is also an important requirement for group signatures. Furthermore, Boneh and Franklin introduce identity escrow with subset queries, by which a group member can demonstrate membership in an arbitrary subset of the group members [20]. Camenisch and Lysyanskaya introduce identity escrow with appointed verifiers, by which a group member can only convince the appointed verifiers of his membership [37].

3. Anonymous credential systems. An anonymous credential system allows users to obtain credentials from organizations and to demonstrate possession of these credentials anonymously. The property of anonymity requires that the demonstrations of the same user cannot be linked, even if he carries out many of them. In addition, several desirable properties have been considered. For example, nontransferability discourages users from lending their credentials to others. Anonymous credential systems are initiated by Chaum [52] and further studied in [25, 36, 50, 53, 71, 144].

4. Multisignatures. Multisignatures allow more than one user to sign messages together, and anyone can identify the individual signers. Multisignatures are first introduced by Itakura and Nakamura [123] and have been extensively studied in the literature [23, 117, 120, 139, 161]. Several desirable properties have been suggested. For example, Micali et al. propose accountable-subgroup multisignatures, by which any subset of users can sign messages and each signer can be identified universally [161]. They refer to the two properties as flexibility and accountability, respectively.

5. Threshold signatures. A threshold signature scheme is a generalization of digital signatures in which only a set of persons achieving a "threshold" can generate a valid signature. For example, a (t, n) threshold signature scheme requires the cooperation of t or more persons to generate a valid signature, where n is the group size and t ≤ n. Threshold signatures are first introduced by Desmedt and Frankel [76, 77] and studied further in [99, 100, 117].

6. Threshold group signatures. A threshold group signature scheme is a generalization of group signatures in which only a set of members achieving a "threshold" can represent the group to generate signatures anonymously, and the identities of the signers of a signature can be revealed in case of a later dispute. An example is a (t, n) threshold group signature, by which the cooperation of t or more group members is necessary to generate signatures on behalf of the group, where n is the group size and t ≤ n. This definition is first presented in [219]. (The (t, n) threshold group signature schemes are called (t, n) threshold-multisignature schemes in [139, 140]. We notice that in a multisignature scheme the identities of the signers are often public and the public keys of the signers are needed to verify a signature, whereas anonymity and traceability are two essential properties of a group signature scheme. Hence, it is more accurate to call the (t, n) threshold-multisignature schemes in [139, 140] (t, n) threshold group signature schemes.)
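Both the threshold cryptosystems reviewed in Section 1.2 and the (t, n) threshold signatures and threshold group signatures above rest on the same primitive, a t-out-of-n access structure, which is usually realised with Shamir secret sharing. The following Python code is an added example and not part of the thesis: it splits a secret into n shares over GF(p), rebuilds it from any t of them, and shows why t − 1 shares reveal nothing by constructing a complete, valid sharing of a different secret that agrees with those t − 1 shares exactly. The modulus p = 2^127 − 1 and the function names are assumptions for the demo.

```python
# Added example (not from the thesis): Shamir (t, n) secret sharing, the usual way
# to realise the "t out of n" access structure behind threshold cryptosystems and
# threshold signatures.  The field and the sizes are assumptions for the demo.
import secrets

P = 2**127 - 1  # prime modulus; all arithmetic is in GF(P)


def eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret, t, n):
    """Dealer: hide `secret` as the constant term of a random polynomial of
    degree t-1 and hand share i = (i, f(i)) to participant i, for i = 1..n."""
    if not 1 <= t <= n < P:
        raise ValueError("need 1 <= t <= n < P")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, eval_poly(coeffs, x)) for x in range(1, n + 1)]


def interpolate(points, x0):
    """Lagrange: evaluate at x0 the unique polynomial of degree < len(points)
    passing through `points` (all x-coordinates must be distinct)."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x-coordinates")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def reconstruct(shares):
    """Any t distinct shares determine f, hence f(0) = secret.
    Called with fewer than t shares it returns *some* field element that is
    uncorrelated with the secret (see explain_shares)."""
    return interpolate(shares, 0)


def explain_shares(partial_shares, other_secret, n):
    """Why t-1 shares leak nothing: build a complete, valid sharing of
    `other_secret` (degree <= len(partial_shares) <= t-1) that reproduces the
    shares in `partial_shares` exactly.  Every candidate secret is equally
    consistent with what the holders of t-1 shares have seen."""
    points = [(0, other_secret % P)] + list(partial_shares)
    return [(x, interpolate(points, x)) for x in range(1, n + 1)]
```

Any t of the five shares, in any order, return the secret; the two-share call returns an unrelated field element, and explain_shares shows that the same two shares are also shares of a legitimate sharing of 99, so an adversary holding them cannot distinguish the real secret from any other value.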

In this thesis, we introduce a new type of signature called a group undeniable signature. We also propose the first convertible group undeniable signature scheme. The details are presented in Chapter 5. Here we give a simple description of a (convertible) group undeniable signature.

Group undeniable signatures. A group undeniable signature scheme allows a group member to sign on behalf of a group without revealing his identity, and the verification of a signature can only be done with cooperation of the group manager. Furthermore, the group manager must be able to track down the signers in case of a later dispute [147, 149].

Convertible group undeniable signatures. A convertible group undeniable signature scheme is a group undeniable signature scheme in which the group manager can turn selected group undeniable signatures into ordinary group signatures without compromising the security of the secret key needed to generate signatures. Obviously, convertible group undeniable signatures are more powerful than group signatures [148, 150].
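The interactive verification in requirement (2) is inherited from ordinary undeniable signatures, introduced by Chaum and van Antwerpen, where a signature can be checked only with the signer's cooperation. The following Python code is an added example, not the thesis's group scheme or code: it runs the confirmation protocol of the single-signer Chaum-van Antwerpen scheme with the verifier's and the signer's messages spelled out. The toy group (p = 2039, q = 1019, g = 4), the encoding of a message as an exponent in [1, q − 1], and the function names are assumptions for the demo; a real deployment uses a group of 2048 bits or more and hashes messages into it. The disavowal protocol, by which a signer denies a non-signature, is omitted.

```python
# Added example (not the thesis's group scheme): Chaum-van Antwerpen undeniable
# signatures for a single signer, showing the interactive confirmation that
# requirement (2) generalises.  Group parameters are toy-sized assumptions.
import random

Q = 1019               # prime
P = 2 * Q + 1          # 2039, a safe prime
G = pow(2, 2, P)       # a non-trivial square mod P, hence of order Q


def keygen(rng):
    """Signer: secret x in [1, Q-1], public y = g^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def to_group(msg):
    """Demo assumption: a message is an integer in [1, Q-1], encoded as g^msg.
    A real scheme hashes a byte string into the subgroup instead."""
    if not 1 <= msg < Q:
        raise ValueError("message must be in [1, Q-1]")
    return pow(G, msg, P)


def sign(x, msg):
    """s = m^x.  Without x there is no public equation to check s against:
    deciding whether (g, y, m, s) is a Diffie-Hellman tuple is the hard problem."""
    return pow(to_group(msg), x, P)


def verifier_challenge(rng, y, s):
    """Verifier -> Signer: c = s^a * y^b with fresh secret exponents a, b."""
    a = rng.randrange(1, Q)
    b = rng.randrange(1, Q)
    c = pow(s, a, P) * pow(y, b, P) % P
    return (a, b), c


def signer_response(x, c):
    """Signer -> Verifier: d = c^(1/x) (inverse taken mod Q, Python >= 3.8).
    If s = m^x then d = m^a * g^b."""
    return pow(c, pow(x, -1, Q), P)


def verifier_check(state, msg, d):
    """Verifier: accept iff d matches the unblinded value it can compute itself."""
    a, b = state
    return d == pow(to_group(msg), a, P) * pow(G, b, P) % P


def run_confirmation(rng, x, y, msg, s):
    """Both sides of the confirmation protocol; True iff s is confirmed as the
    signer's signature on msg."""
    state, c = verifier_challenge(rng, y, s)
    d = signer_response(x, c)
    return verifier_check(state, msg, d)


def demo(seed=1):
    """Run the protocol on a genuine signature, a forgery, and a wrong message."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    msg, s = 42, sign(x, 42)
    forged = s * G % P   # no longer m^x, so no honest response can confirm it
    return {
        "genuine": run_confirmation(rng, x, y, msg, s),
        "forgery": run_confirmation(rng, x, y, msg, forged),
        "wrong_message": run_confirmation(rng, x, y, 43, s),
    }
```

A genuine signature confirms; a forgery, and a genuine signature presented with the wrong message, do not, so an honest signer cannot be tricked into confirming what he did not sign. Nothing in the public data (g, y, m, s) lets a third party decide validity alone, which is the undeniable property, and the verifier must keep a and b secret until the check, since the response is only meaningful against its own blinded challenge.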

1.4 Contributions and Organization of the Thesis

Chapter 2 provides mathematical and cryptographic foundations. We introduce basic contents of algebra, number theory, and complexity theory, which underlie the schemes in this thesis. We also clarify some notions that are important in cryptography, including intractability assumptions and randomized algorithms. Moreover, definitions of many fundamental cryptographic terms are summarized: indistinguishability of probability ensembles, interactive proof systems, proofs of knowledge, zero-knowledge proof systems, witness indistinguishability and hiding, and hash functions.

In Chapter 3, we present numerous basic cryptographic tools that can be used as building blocks for group-oriented cryptographic applications. These tools include encryption and decryption algorithms, commitment schemes, identification protocols, and digital signature schemes. In many cases, a single building block is not sufficient to solve a complex cryptographic problem. Instead, different basic tools must be combined to achieve the desired security requirements. In addition, we demonstrate how to show that an identification protocol is a zero-knowledge proof of knowledge. This proof is an important technique for characterizing properties of cryptographic protocols.

In Chapter 4, we propose a fully public-key traitor-tracing scheme in which each subscriber can choose his or her own private decryption key without others learning the key. The distributor of the digital content utilizes the public data coming from all subscribers to compute a public encryption key. The paid contents are then transmitted to the subscribers after being encrypted with the public key. Each subscriber can decrypt the data using his or her own secret key. Even if a coalition of subscribers conspires to create a pirate decoder with a tamper-free decryption key, we have a tracing algorithm to trace them. Our scheme is long-lived, which means that the subscribers' secret keys need not be regenerated after the pirate key is detected or when subscribers join or leave the system. Finally, our scheme guarantees anonymity.

In Chapter 5, we introduce a new type of signature for a group of persons, called a group undeniable signature, which satisfies the following requirements: (1) only group members can anonymously sign on behalf of the group; (2) a verifier must interact with the group manager to verify the signature; (3) the group manager can identify the signer of a valid signature. A convertible group undeniable signature scheme allows the group manager to turn selected group undeniable signatures into universally verifiable group signatures. They are more suitable than group signatures in applications where signatures are generated for sensitive, nonpublic data. We propose the first convertible group undeniable signature scheme. Furthermore, our scheme is unforgeable, exculpable, unlinkable, and coalition-resistant. The proposed scheme allows the group manager to delegate the ability to confirm and deny signatures to trusted parties. The sizes of the public key and signatures are independent of the group size.


Foundations

This chapter provides an introduction to the topics of algebra, number theory, and fundamental cryptography. There are numerous books devoted to algebra and number theory [116, 118, 132, 196, 205, 206]. References for computational aspects of algebra and number theory are [59, 131]. A reference for complexity theory is the book by Papadimitriou [177]. For fundamental cryptography, we refer the reader to [73, 108, 157, 202, 210, 214].

2.1 Complexity-Theoretic Preliminaries

In this section, we review the concept of randomized algorithms and the definitions of several complexity classes such as P, NP, and BPP.

2.1.1 Randomized Algorithms

Randomized algorithms are important in cryptography. Several algorithms used in encryption and digital signature schemes involve random choices and therefore are probabilistic. For example, the encryption algorithms in Goldwasser and Micali's scheme [111] and ElGamal's scheme [85] are probabilistic, and the signing algorithms in ElGamal's scheme [85] and the DSA [93] are also probabilistic. For a fixed input, different runs of a randomized algorithm may give different results, and it is inevitable that the analysis of a randomized algorithm involves probabilistic statements. Moreover, when studying the security of cryptographic schemes, adversaries are usually modelled as randomized algorithms. We give simple definitions of deterministic algorithms and randomized algorithms below.

Definition 2.1.1. Given an input x, a deterministic algorithm A is a finite sequence of steps or computations that outputs y in a deterministic way. The output y of a deterministic algorithm A is completely determined by its input x.

Definition 2.1.2. Given an input x, a randomized algorithm A may toss a coin a finite number of times during its computation of the output y, and a step may depend on the results of previous coin tosses. The number of coin tosses may depend on the outcome of the previous ones, but it is bounded by some constant $t_x$ for a given input x. The coin tosses are independent and the coin is a fair one, i.e., each side appears with probability 1/2. Tossing a coin is counted as one step. A randomized algorithm is often called a probabilistic algorithm, in particular when it works for practical purposes but has a theoretical chance of being wrong.

A formal computation model for a deterministic algorithm is a deterministic Turing machine (DTM), and that for a probabilistic algorithm is a probabilistic Turing machine (PTM). A deterministic Turing machine is a finite state machine with an infinite read-write tape whose state transitions are completely determined by the input. In a probabilistic Turing machine, the state transitions are determined by the input and the outcomes of coin tosses.

Often the coin tosses in a randomized algorithm are considered as internal coin tosses. A second way to look at a randomized algorithm A is to consider the outcome of the coin tosses as an additional input, supplied by an external coin-tossing device. In this view, the model of a randomized algorithm is a deterministic machine. We denote by $A_D$ the corresponding deterministic algorithm. It takes as input A's input x and the outcome r of the coin tosses. When $A_D$ wants to make the next step, it reads the next bit of r and acts accordingly.

Given x, the output A(x) of a randomized algorithm A is a random variable induced by the coin tosses. Let A(x) = y denote the random event "A outputs y on input x." By Pr[A(x) = y] we mean the probability of this event. Assume the number of coin tosses for A on input x is exactly $t_x$. Then the possible outcomes r of the coin tosses are the bit strings of length $t_x$, and since the tosses are independent and fair, each outcome r has probability $1/2^{t_x}$. Hence

$$\Pr[A(x) = y] = \Pr[A_D(x, r) = y] = \frac{|\{\, r \mid A_D(x, r) = y \,\}|}{2^{t_x}}.$$

Probability Notation

Let A be an algorithm. By A(·) we denote that A has one input. By A(·, . . . , ·) we denote that A has several inputs. By $A_{(\cdot)}$ we denote that A is an indexed family of algorithms.

The notation y ← A(x) denotes that y is obtained by running A on input x. If A is deterministic, then y is unique. If A is probabilistic, then y is a random variable. The notation $x \xleftarrow{p_S} S$, for a set S, means that x is randomly selected from S according to a probability distribution $p_S$. If the distribution is clear from the context, we simply write x ← S. If $p_S$ is the uniform distribution, we write $x \xleftarrow{u} S$. In this way the members of S are chosen uniformly at random. The expression $x \in_R S$ likewise denotes that x is chosen uniformly at random from the set S.

Let B be a boolean function. The notation $(B(y_n) : \{y_i \leftarrow A_i(x_i)\}_{1 \le i \le n})$ denotes the event that $B(y_n)$ is TRUE after the value $y_n$ is obtained by successively running algorithms $A_1, \ldots, A_n$ on inputs $x_1, \ldots, x_n$. The statement

$$\Pr\big[B(y_n) : \{y_i \leftarrow A_i(x_i)\}_{1 \le i \le n}\big] = p$$

means that the probability that $B(y_n)$ is TRUE after the value $y_n$ is obtained by running algorithms $A_1, \ldots, A_n$ on inputs $x_1, \ldots, x_n$ is p, where the probability is over the random choices of the probabilistic algorithms involved.

2.1.2 Computational Complexity

The efficiency of an algorithm is measured with respect to the resources required to solve the problem. The resources may include time, storage space, random bits, number of processors, etc. Typically, the main focus is time. The running time of an algorithm on a particular input is the number of steps executed, expressed as a function of the input size. The worst-case running time of an algorithm is an upper bound on the running time for any input. The average-case running time of an algorithm is the average running time over all inputs of a fixed size. Often it is difficult to derive the exact running time of an algorithm. To compare the running times of algorithms, the standard asymptotic notation is used.

Definition 2.1.3 (Order Notation).

1. (Asymptotic upper bound) f(n) = O(g(n)) if there exist a positive constant c and a positive integer n0 such that 0 ≤ f(n) ≤ cg(n) for all n ≥ n0.

2. (Asymptotic lower bound) f(n) = Ω(g(n)) if there exist a positive constant c and a positive integer n0 such that 0 ≤ cg(n) ≤ f(n) for all n ≥ n0.

3. (Asymptotic tight bound) f(n) = Θ(g(n)) if there exist positive constants c1 and c2 and a positive integer n0 such that c1g(n) ≤ f(n) ≤ c2g(n) for all n ≥ n0.

4. (The o-notation) f(n) = o(g(n)) if for every positive constant c > 0 there exists a constant n0 > 0 such that 0 ≤ f(n) < cg(n) for all n ≥ n0.

Intuitively, f(n) = O(g(n)) means that f grows no faster asymptotically than g, and f(n) = o(g(n)) means that g is an upper bound for f that is not asymptotically tight. f(n) = Ω(g(n)) means that f grows at least as fast asymptotically as g to within a constant multiple. If both f(n) = O(g(n)) and f(n) = Ω(g(n)), then f(n) = Θ(g(n)). The expression o(1) is often used to denote a term f(n) with $\lim_{n\to\infty} f(n) = 0$.

Definition 2.1.4. A polynomial-time algorithm is an algorithm that has a worst-case running time of the form O(n^k), where n is the input size and k is a constant. Any algorithm whose running time cannot be so bounded is, loosely, called an exponential-time algorithm; Definition 2.1.7 below separates out the subexponential case.

Definition 2.1.5. A probabilistic polynomial-time algorithm is a probabilistic algorithm that has a running time of the form O(n^k), where n is the input size and k is a constant. The running time of a probabilistic algorithm is measured as the number of steps in the model of algorithms, i.e., the number of steps of the probabilistic Turing machine. Tossing a coin is one step in this model.

Let A be a probabilistic algorithm, and let $\mathrm{time}_A(x)$ denote the number of steps that A needs to generate the output A(x) on input x; for a probabilistic A this is a random variable induced by the coin tosses, and its worst-case value is the maximum over all outcomes of the coin tosses. The expected running time $\mathrm{etime}_A(x)$ of A on input x is the average number of steps that A needs to generate the output A(x), i.e.,

$$\mathrm{etime}_A(x) = \sum_{t=1}^{\infty} t \cdot \Pr[\mathrm{time}_A(x) = t].$$

Let P be a computational problem and A be a probabilistic algorithm for P. The worst-case running time of A for P is

tA = max{timeA(x) : for all instances x of P}.

The expected running time of A for P is

etA = max{etimeA(x) : for all instances x of P}.

Definition 2.1.6 (Monte Carlo Algorithms/Las Vegas Algorithms). Let P be a computational problem.

1. A Monte Carlo algorithm A for P is a probabilistic algorithm whose running time $\mathrm{time}_A(x)$ for every instance x of P is bounded by a polynomial Q(|x|) and which yields a correct answer to P with probability at least 2/3.

2. A Las Vegas algorithm A for P is a probabilistic algorithm whose expected running time $\mathrm{etime}_A(x)$ for every instance x of P is bounded by a polynomial Q(|x|) and which always yields a correct answer to P.
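The following Python code is an added example, not from the thesis: it writes the Miller-Rabin primality test (one of the fast probabilistic primality tests that Section 2.2.1 refers to) the way Section 2.1.1 views randomized algorithms, with a deterministic core $A_D(n, a)$ whose random input, the base a, is explicit. Because the coin outcomes are enumerable, the error probability is computed exactly as the formula for Pr[A(x) = y] prescribes: a count of coin outcomes divided by the size of the coin space. Assumptions for the demo: the coin-tossing device draws the base uniformly from {2, ..., n − 2}, so the denominator is n − 3 rather than $2^{t_x}$, and trial division serves as the deterministic reference answer for small n. Repeating the round k times gives a Monte Carlo algorithm in the sense of Definition 2.1.6 with one-sided error at most $4^{-k}$; a single round is already below the 1/3 error permitted by Definition 2.1.10.

```python
# Added example (not from the thesis): a Monte Carlo primality test written the way
# Section 2.1.1 views randomized algorithms, i.e. a deterministic core A_D(x, r)
# whose random input r is made explicit, so Pr[A(x) = y] is a count of coin outcomes.
import random
from fractions import Fraction


def miller_rabin_round(n, a):
    """A_D(n, a): deterministic core of the Miller-Rabin test for odd n >= 3.

    Returns False if base a proves n composite (a is a "witness"), True otherwise
    ("probably prime"; a composite n slips through only if a is a strong liar).
    """
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2**s * d with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def is_prime_exact(n):
    """Deterministic reference answer by trial division (fine for the small n enumerated here)."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def error_probability(n):
    """Exact Pr[one round of the test answers wrongly on n], for odd n >= 5.

    Demo assumption: the coin-tossing device hands A_D a base a drawn uniformly
    from {2, ..., n-2}, so the denominator is the coin-space size n-3 rather than
    2**t_x.  Rabin's theorem bounds the result by 1/4 for every odd composite n.
    """
    if n < 5 or n % 2 == 0:
        raise ValueError("use an odd n >= 5")
    coin_space = range(2, n - 1)
    truth = is_prime_exact(n)
    wrong = sum(1 for a in coin_space if miller_rabin_round(n, a) != truth)
    return Fraction(wrong, len(coin_space))


def is_probably_prime(n, rounds=20, rng=random):
    """Monte Carlo algorithm: polynomial time, one-sided error at most 4**-rounds.

    A prime is never rejected; a composite survives all rounds with probability
    at most (1/4)**rounds, far below the 1/3 allowed by Definition 2.1.10.
    """
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(miller_rabin_round(n, rng.randrange(2, n - 1)) for _ in range(rounds))


def error_bound(rounds):
    """Worst-case error of is_probably_prime after `rounds` independent coin draws."""
    return Fraction(1, 4) ** rounds
```

error_probability(561) shows why the 2/3 in the definitions is only a starting point: the Carmichael number 561 fools 8 of its 558 admissible bases, a correct but non-negligible error that independent repetitions drive down geometrically.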

Definition 2.1.7. A subexponential-time algorithm is an algorithm that has a worst-case running time of the form $O\big(e^{(b+o(1))\, n^{a} (\ln n)^{1-a}}\big)$, where n is the input size, b is a positive constant, and a is a constant satisfying 0 < a < 1.

A subexponential-time algorithm is slower than a polynomial-time algorithm yet faster than an algorithm whose running time is exponential in the input size. Observe that for a = 0 the expression $e^{(b+o(1))\, n^{a} (\ln n)^{1-a}}$ becomes $e^{(b+o(1)) \ln n} = n^{b+o(1)}$, which is polynomial, while for a = 1 it becomes $e^{(b+o(1))\, n}$, which is exponential; the definition restricts a to the open interval between these two extremes.

For simplicity, computational problems are often modelled as decision problems: decide whether a given x ∈ {0, 1}* belongs to a language L ⊆ {0, 1}*. Computational


Definition 2.1.8 (P). The complexity class P is the set of decision problems that can be solved by deterministic polynomial-time algorithms.

Definition 2.1.9 (NP). The complexity class NP is the set of decision problems for which a YES answer can be verified by a polynomial-time deterministic algorithm given some extra information, called a witness.

Let R ⊆ {0, 1}* × {0, 1}* be a binary relation. We say that R is polynomially bounded if there exists a polynomial Q such that |w| ≤ Q(|x|) holds for all (x, w) in R. Furthermore, R is an NP-relation if it is polynomially bounded and there exists a polynomial-time algorithm for deciding membership of pairs (x, w) in R. Let $L_R$ = {x | ∃w such that (x, w) ∈ R} be the language defined by R. A language L is in NP if there exists an NP-relation $R_L$ ⊆ {0, 1}* × {0, 1}* such that x ∈ L if and only if there exists a w such that (x, w) ∈ $R_L$. Such a w is called a witness of the membership of x in L. The set of all witnesses of x is denoted by $R_L(x)$.

Definition 2.1.10 (Bounded-Probability Polynomial-Time, BPP). Let L be the language of some decision problem. We say that L is recognized by the probabilistic polynomial-time algorithm A if for every x ∈ L, Pr[A(x) = 1] ≥ 2/3, and for every x ∉ L, Pr[A(x) = 0] ≥ 2/3. BPP is the class of languages that can be recognized by a probabilistic polynomial-time algorithm.

Problems in P are considered easy, and problems not in P are considered hard. It is widely believed that the class P is strictly smaller than the class NP. Whether P = NP is the most important open problem in complexity theory.

We will consider as efficient only randomized algorithms whose running time is bounded by a polynomial in the length of the input. A problem is called intractable (or computationally infeasible) if no probabilistic polynomial-time algorithm can solve it, whereas one that can be solved by a probabilistic polynomial-time algorithm is called tractable (or computationally feasible).

All the above complexity classes are defined in terms of worst-case complexity. In cryptography, however, the average-case complexity of a problem is a more significant measure than its worst-case complexity. A cryptosystem must be unbreakable in most cases, i.e., breaking it must be intractable on the average and not merely for some worst-case instances. Hence, a necessary condition for a secure cryptographic scheme is that the corresponding cryptanalysis problem is intractable on the average.

2.2 Algebra and Number Theory

Algebra and number theory play an important role in contemporary cryptography. Most public-key cryptosystems and secure protocols are based on problems from number theory. In this section, we give several well-known results on algebra and number theory. Most of the proofs are omitted because they can be found in most textbooks on algebra and number theory.

2.2.1

Integer Arithmetic

Let Z denote the set of integers {. . . , −3, −2, −1, 0, 1, 2, 3, . . .} and N = {n ∈ Z | n > 0} the set of positive integers. Let a, b ∈ Z, a ≠ 0. We can divide b by a with a remainder r. Of particular importance for divisibility is the following result.

Theorem 2.2.1 (The Division Algorithm). If a ∈ N and b ∈ Z, then there exist unique integers q, r ∈ Z with 0 ≤ r < a and b = aq + r. The number q is called the quotient and r the remainder of the division.

The number r is also called the remainder of b modulo a, written b mod a. The number q is the integer quotient of b and a, written b div a. An integer a divides an integer b (equivalently, a is a divisor of b, or a is a factor of b) if there is some c ∈ Z with b = ac. We write a | b for "a divides b." A nonnegative integer d is the greatest common divisor of a and b if (1) d | a and d | b; (2) if t ∈ Z divides both a and b, then t divides d. The greatest common divisor is denoted by gcd(a, b). If gcd(a, b) = 1, then a is called relatively prime to b, or prime to b for short. An integer p ≥ 2 is said to be prime if its only positive divisors are 1 and p; otherwise, p is composite. Primes play an important role in modern cryptography. Fortunately, there are very fast probabilistic primality tests [165, 190, 209] that answer the question whether a given number is prime with a high probability of being correct. More recently, Agrawal, Kayal, and Saxena presented the first deterministic polynomial-time primality test, running in time Õ((log₂ n)^12) on input n [1]. The notation Õ(t(n)) denotes O(t(n) poly(log t(n))), where t(n) is some function of n.

In addition, numbers can be factored into products of primes.

Theorem 2.2.2 (Fundamental Theorem of Arithmetic). Let n ∈ N, n ≥ 2. There exist pairwise distinct primes p_1, . . . , p_k and exponents e_1, . . . , e_k ∈ N, e_i ≥ 1, i = 1, . . . , k, such that
$$n = \prod_{i=1}^{k} p_i^{e_i}.$$
The primes p_1, . . . , p_k and exponents e_1, . . . , e_k are unique.

Efficient algorithms exist for the addition, subtraction, multiplication, and division of numbers. Let a, b, m ∈ N, a, b ≤ m, k = ⌊log₂(m)⌋ + 1. Note that k is the binary length of m. The binary length of m is usually denoted by |m|, and we only use the notation if it cannot be confused with the absolute value. By the classic grade school method, the number of bit operations for computing a + b and a − b is O(k), whereas for a · b and a div b it is O(k²). Multiplication can be improved to O(k log₂(k) log₂log₂(k)) if a fast multiplication algorithm is used [2]. It is easy to multiply two numbers, but we do not have a practical algorithm for factoring extremely large numbers so far.

In the following, we introduce the Euclidean algorithm and the extended Euclidean algorithm. The Euclidean algorithm efficiently computes gcd(a, b). It can be extended such that not only gcd(a, b) but also the coefficients d and e of the linear combination gcd(a, b) = da + eb are computed. Moreover, the extended Euclidean algorithm can be used to compute the inverse of an element in a multiplicative group.

Theorem 2.2.3 (The Euclidean Algorithm). Let a, b ∈ Z (b ≥ a > 0), and set r_{−1} = b and r_0 = a. By repeatedly applying the division algorithm, we obtain r_{j−1} = r_j q_{j+1} + r_{j+1} with 0 < r_{j+1} < r_j for all 0 ≤ j < n, where n is the least nonnegative integer such that r_{n+1} = 0, in which case gcd(a, b) = r_n.

Theorem 2.2.4 (The Extended Euclidean Algorithm). Let a, b ∈ N with b ≥ a, and let q_i for i = 1, 2, . . . , n + 1 be the quotients obtained from the application of the Euclidean algorithm (Theorem 2.2.3, with r_{−1} = b, r_0 = a) to find g = gcd(a, b), where n is the least nonnegative integer such that r_{n+1} = 0. If s_{−1} = 1, s_0 = 0, and
$$s_i = s_{i-2} - q_{n-i+2}\, s_{i-1}, \qquad i = 1, 2, \ldots, n+1,$$
then
$$g = s_{n+1}\, a + s_n\, b.$$

Suppose a, b ≤ m, k = ⌊log₂(m)⌋ + 1. The Euclidean algorithm has a running time of O(k²) bit operations, as does the extended Euclidean algorithm.
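Theorems 2.2.3 and 2.2.4 carried out in code, as an added example that is not part of the thesis: `euclid_quotients` records the quotients q_1, . . . , q_{n+1} with r_{−1} = b and r_0 = a, `extended_euclid` runs the recurrence s_i = s_{i−2} − q_{n−i+2} s_{i−1} exactly as stated and checks that g = s_{n+1} a + s_n b, and `mod_inverse` is the application mentioned in the text, the inverse of a unit of Z_n^*. The function names and the sample inputs are this example's own.

```python
# Added example (not from the thesis): the Euclidean algorithm of Theorem
# 2.2.3, the extended version of Theorem 2.2.4 with its s_i recurrence, and
# the modular inverse that the extended algorithm yields.


def euclid_quotients(a, b):
    """Theorem 2.2.3 with r_{-1} = b, r_0 = a (requires b >= a > 0).
    Returns (gcd(a, b), [q_1, ..., q_{n+1}]), where r_{n+1} = 0."""
    if not b >= a > 0:
        raise ValueError("need b >= a > 0")
    r_prev, r_cur = b, a                    # r_{j-1}, r_j
    quotients = []
    while r_cur != 0:
        q, r_next = divmod(r_prev, r_cur)   # r_{j-1} = r_j q_{j+1} + r_{j+1}
        quotients.append(q)
        r_prev, r_cur = r_cur, r_next
    return r_prev, quotients                # r_prev is r_n = gcd(a, b)


def extended_euclid(a, b):
    """Theorem 2.2.4: returns (g, x, y) with g = gcd(a, b) = x*a + y*b,
    computed by the recurrence s_{-1} = 1, s_0 = 0,
    s_i = s_{i-2} - q_{n-i+2} s_{i-1}; then x = s_{n+1}, y = s_n."""
    g, q = euclid_quotients(a, b)
    n = len(q) - 1                          # there are n + 1 quotients
    s = [1, 0]                              # s[i + 1] holds s_i: s[0] = s_{-1}, s[1] = s_0
    for i in range(1, n + 2):
        s.append(s[i - 1] - q[n - i + 1] * s[i])   # q_{n-i+2} is q[n-i+1] (0-based)
    s_n, s_n1 = s[n + 1], s[n + 2]
    assert g == s_n1 * a + s_n * b          # the identity of Theorem 2.2.4
    return g, s_n1, s_n


def mod_inverse(a, n):
    """Inverse of a in Z_n^* (Section 2.2.2, group 3); raises if a is not a unit."""
    a %= n
    if a == 0:
        raise ValueError("0 has no inverse")
    g, x, _ = extended_euclid(a, n)         # g = x*a + y*n
    if g != 1:
        raise ValueError(f"{a} is not a unit modulo {n}: gcd = {g}")
    return x % n


if __name__ == "__main__":
    print(extended_euclid(5, 13))           # (1, -5, 2): 1 = -5*5 + 2*13
    print(mod_inverse(17, 3120))            # 2753
```

Note that the thesis's indexing runs the s_i recurrence over the quotients in reverse order (q_{n+1} first), which is why the coefficient of a is the last value s_{n+1}; the assertion inside `extended_euclid` verifies the identity on every call.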

2.2.2

Basic Algebra

Let S be a nonempty set. A binary operation ∗ defined on S is a mapping from S × S to S. Let a ∗ b denote the result of ∗ applied to the elements a, b ∈ S. The operation ∗ is associative if a ∗ (b ∗ c) = (a ∗ b) ∗ c holds for all a, b, c ∈ S, and commutative if a ∗ b = b ∗ a holds for all a, b ∈ S. An element e ∈ S is called an identity element if e ∗ a = a ∗ e = a for all a ∈ S. An inverse of an element a ∈ S is an element b ∈ S such that a ∗ b = b ∗ a = e.

Group

Definition 2.2.1 (Group). Let G be a non-empty set and ∗ an operation defined on G. Then the pair (G, ∗) is called a group if

1. The operation ∗ is associative.

2. G contains an identity element, say e.

3. Every element in G has an inverse under ∗.

A group (G, ∗) is called abelian or commutative if the operation ∗ is commutative. We speak of a finite group (G, ∗) of order n if G is a finite set of cardinality n. The order of (G, ∗) is denoted by |G| or ord(G).

Often (G, ∗) is denoted simply by G. It is easily seen that the identity element is unique, and so is the inverse of any element. If the operation is called addition, the identity element is denoted by 0 and the inverse of a by −a. If the operation is called multiplication, the identity element is denoted by 1 and the inverse of a by 1/a or a^{−1}. Unless stated otherwise, we use the multiplicative notation when dealing with arbitrary groups. So a^k means that a is multiplied by itself k times, and a^{−k} denotes (1/a)^k. The following are typical groups.

1. (Z, +): Z is the set of all integers and + is ordinary addition. The identity is 0, and the inverse of a is −a.

2. (Z_n, +): Z_n = {0, 1, . . . , n − 1} and + is addition modulo n. The identity is 0, and the inverse of a is n − a.

3. (Z_n^*, ∗): Z_n^* = {a | a ∈ Z_n, gcd(a, n) = 1} and ∗ is multiplication modulo n. The identity is 1, and the inverse of a can be computed by the extended Euclidean algorithm.

Definition 2.2.2 (Cyclic Group). A group G is cyclic if there is g ∈ G such that every element a ∈ G can be written in the form g^k for some k ∈ Z. That is, G = {g^k | k ∈ Z}. We call such g a generator of G and write ⟨g⟩ = G to indicate that g generates G.

Definition 2.2.3. Let G be a group and a ∈ G. The order of a, denoted by ord(a), is the smallest positive integer n such that a^n = 1, provided that such an integer exists. If no such n exists, the order of a is defined to be ∞.

We remark that if G is finite, there always is an exponent n ∈ N with a^n = 1.

Definition 2.2.4 (Subgroup). Let (G, ∗) be a group. We say that (H, ∗) is a subgroup of G if H ⊆ G and (H, ∗) is itself a group.

Fact 2.2.5. Let G be a group. For any a ∈ G, ⟨a⟩ = {a^i | i ∈ Z} is a subgroup of G (for finite G it equals {a^i | i ≥ 0}).

Fact 2.2.6. Let G be a finite group and 1 the identity element of G. Then a^{|G|} = 1 for all a ∈ G.

Fact 2.2.7 (Lagrange's Theorem). If H is a subgroup of a finite group G, then |H| divides |G|.

Fact 2.2.8. Let G be a finite group and a ∈ G. Let n ∈ N with a^n = 1. Then ord(a) divides n. In particular, the order of any element of a finite group divides the order of the group.

Fact 2.2.9. Let G be cyclic and |G| = n. Then g ∈ G is a generator of G if and only if g^{n/p} ≠ 1 for every prime factor p of n.

Fact 2.2.10. Let G be a finite cyclic group and g a generator of G. Then

1. The element b = g^i has order |G|/gcd(|G|, i). In particular, b is a generator of G if and only if gcd(|G|, i) = 1. Hence, if |G| is prime, then every element different from 1 is a generator of G.

2. Suppose d | |G|. Then G has exactly φ(d) elements of order d. In particular, G has φ(|G|) generators.

3. For each divisor q of |G|, let G_q be the subgroup of G generated by g^{|G|/q}. Then the groups G_q are all the subgroups of G. In particular, every subgroup of G is cyclic, and for each divisor q of |G| there is a unique subgroup of G of order q, namely G_q.

Ring and Field

We now consider the situation in which two operations are defined on a set. The first will be denoted by a + b, the second by a ∗ b.

Definition 2.2.5 (Ring). The triple (R, +, ∗) is called a ring if

1. (R, +) is an abelian group.

2. The operation ∗ is associative.

3. Distributivity holds, i.e., for all a, b, c ∈ R, a ∗ (b + c) = a ∗ b + a ∗ c and (b + c) ∗ a = b ∗ a + c ∗ a.

If the operation ∗ is commutative on R, then the ring (R, +, ∗) is called commutative. The following are typical rings.


1. (Z, +, ∗): Z is the set of all integers. The operations + and ∗ are ordinary addition and multiplication, respectively.

2. (Z_n, +, ∗): Z_n = {0, 1, . . . , n − 1}. The operations + and ∗ are addition and multiplication modulo n.

Definition 2.2.6 (Field). A triple (F, +, ∗) is called a field if

1. (F, +) is an abelian group. Its identity element is denoted by 0.

2. (F − {0}, ∗) is a group. The multiplicative identity element is denoted by 1.

3. Distributivity holds.

A commutative field is a field for which (F − {0}, ∗) is commutative. Every finite field is commutative. The following are typical fields.

1. (Q, +, ∗): Q is the set of rational numbers.

2. (Z_p, +, ∗): Z_p = {0, 1, . . . , p − 1}, where p is prime, and + and ∗ are computed modulo p.

2.2.3 Modular Arithmetic

Let a, b ∈ Z. Then a is said to be congruent to b modulo n, denoted by a ≡ b (mod n), if n divides a − b. The integer n is called the modulus of the congruence. The integers modulo n, denoted Z_n, form the set {0, 1, . . . , n − 1}. Addition, subtraction, and multiplication in Z_n are performed modulo n. The multiplicative inverse of a modulo n is an integer x ∈ Z_n such that ax ≡ 1 (mod n). If such an x exists, then it is unique, and a is said to be invertible, or a unit. The multiplicative inverse of a is denoted by a^{−1}. Let Z_n^* = {a ∈ Z_n | gcd(a, n) = 1}. If n is prime, then Z_n^* = {a | 1 ≤ a ≤ n − 1}. Note that (Z_n, +) and (Z_n^*, ∗) are abelian groups.

In the following, we first present important definitions and facts about modu-lar arithmetic. Then we describe several tractable problems that can be solved in polynomial time.


Definitions and Facts

Definition 2.2.7. Let n be a positive integer. The Euler phi function or Euler totient function φ(n) is defined to be the number of positive integers not exceeding n which are relatively prime to n.

Definition 2.2.8. Let a and n be relatively prime positive integers. Then the least positive integer x such that a^x ≡ 1 (mod n) is called the order of a modulo n, denoted by ord_n a.

Definition 2.2.9. If g and n are relatively prime integers with n > 0 and ord_n g = φ(n), then g is called a primitive root modulo n.

Definition 2.2.10. Let n ∈ N and a ∈ Z. We say that a is a quadratic residue modulo n if a ≢ 0 (mod n) and the congruence x² ≡ a (mod n) has a solution x ∈ Z. If a ≢ 0 (mod n) and the congruence x² ≡ a (mod n) has no solution, we say that a is a quadratic nonresidue modulo n.

In most cases, we are only interested in quadratic residues a that are relatively prime to the modulus n.

Definition 2.2.11. QR_n = {a ∈ Z_n^* | a is a quadratic residue modulo n}. On the contrary, QNR_n = {a ∈ Z_n^* | a is a quadratic nonresidue modulo n}.

Note that for any n, QR_n is a subgroup of Z_n^*, while QNR_n is not a subgroup of Z_n^* because at least 1 ∉ QNR_n.

Definition 2.2.12. Let p be a prime > 2, and let a ∈ Z be prime to p. Then
$$\left(\frac{a}{p}\right) = \begin{cases} +1 & \text{if } a \in QR_p, \\ -1 & \text{if } a \in QNR_p, \end{cases}$$
is called the Legendre symbol of a mod p. For a ∈ Z with p | a, we set (a/p) = 0.

Definition 2.2.13. Let n ∈ Z be a positive odd number and $n = \prod_{i=1}^{r} p_i^{e_i}$ the decomposition of n into primes. Let a ∈ Z. Then
$$\left(\frac{a}{n}\right) = \prod_{i=1}^{r} \left(\frac{a}{p_i}\right)^{e_i}$$
is called the Jacobi symbol of a mod n.

Definition 2.2.14. A universal exponent of the positive integer n is a positive integer U such that a^U ≡ 1 (mod n) for all integers a relatively prime to n.

Definition 2.2.15. The least universal exponent of the positive integer n is called the minimal universal exponent of n, denoted by λ(n).

Fact 2.2.11 (Chinese Remainder Theorem). Let m_1, m_2, . . . , m_n be positive integers that are relatively prime in pairs. Then for any given integers b_1, b_2, . . . , b_n, the system of congruences
$$x \equiv b_i \pmod{m_i}, \qquad 1 \le i \le n,$$
has a unique solution modulo M = m_1 m_2 · · · m_n. The solution is given by
$$x = \sum_{i=1}^{n} b_i M_i y_i \bmod M,$$
where M_i = M/m_i and M_i y_i ≡ 1 (mod m_i).

Assume k is the length of every modulus. The computational complexity of applying the Chinese remainder theorem is O_B(M(kn) log(n)) + O_B(n M(k) log(k)), where M(x) is the time of multiplying two x-bit integers, and O_B indicates order of magnitude in bit operations [2, Theorem 8.21].

Fact 2.2.12. The simultaneous congruences
$$x \equiv b_i \pmod{m_i}, \qquad 1 \le i \le n,$$
have a solution if and only if gcd(m_i, m_j) divides b_i − b_j for all pairs of integers (i, j) with 1 ≤ i < j ≤ n, in which case the solution is unique modulo M = lcm(m_1, m_2, . . . , m_n) and is given by the Chinese remainder theorem with the said M.
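Facts 2.2.11 and 2.2.12 in code, as an added example that is not part of the thesis: `crt_coprime` evaluates the explicit formula x = Σ b_i M_i y_i mod M for pairwise coprime moduli, and `crt_general` handles arbitrary moduli by merging one congruence at a time, refusing the system exactly when some gcd(m_i, m_j) fails to divide b_i − b_j and otherwise returning the solution modulo the lcm. The sample systems are constructed for this example; `pow(x, -1, m)` is Python 3.8+'s modular inverse.

```python
# Added example (not from the thesis): the Chinese remainder theorem as in
# Fact 2.2.11 and the generalized form of Fact 2.2.12 with its solvability
# condition gcd(m_i, m_j) | (b_i - b_j).

from math import gcd


def crt_coprime(residues, moduli):
    """Fact 2.2.11 for pairwise coprime moduli: returns (x, M) with
    x = sum_i b_i M_i y_i mod M, M_i = M / m_i, M_i y_i = 1 (mod m_i)."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for b, m in zip(residues, moduli):
        M_i = M // m
        y_i = pow(M_i, -1, m)            # inverse of M_i modulo m_i
        x += b * M_i * y_i
    return x % M, M


def crt_general(residues, moduli):
    """Fact 2.2.12: solve x = b_i (mod m_i) for arbitrary moduli.
    Returns (x, lcm of the moduli), or None when some pair is incompatible,
    i.e. gcd(m_i, m_j) does not divide b_i - b_j."""
    x, m = residues[0] % moduli[0], moduli[0]
    for b, n in zip(residues[1:], moduli[1:]):
        g = gcd(m, n)
        if (b - x) % g != 0:
            return None
        # Look for x' = x + m*t with x' = b (mod n):
        # m*t = b - x (mod n)  <=>  (m/g) t = (b - x)/g (mod n/g), and gcd(m/g, n/g) = 1.
        n_g = n // g
        t = ((b - x) // g * pow(m // g, -1, n_g)) % n_g if n_g > 1 else 0
        x += m * t
        m = m // g * n                   # lcm(m, n)
        x %= m
    return x, m


if __name__ == "__main__":
    print(crt_coprime([2, 3, 2], [3, 5, 7]))   # (23, 105)
    print(crt_general([1, 3], [4, 6]))         # (9, 12)
    print(crt_general([1, 2], [4, 6]))         # None: gcd(4, 6) = 2 does not divide 1
```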

Fact 2.2.13. Let $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ be the prime-power factorization of the positive integer n. Then
$$\varphi(n) = n\left(1 - \frac{1}{p_1}\right)\left(1 - \frac{1}{p_2}\right)\cdots\left(1 - \frac{1}{p_k}\right).$$
Furthermore,
$$\varphi(n) > \frac{n}{e^{\gamma}\ln\ln n + \dfrac{2.6}{\ln\ln n}},$$
where Euler's constant γ = 0.5772 . . . . This inequality implies, for example, that
$$\varphi(n) > \frac{n}{6\ln\ln n} \qquad \text{for } n \ge 1.3 \times 10^{6}.$$

Fact 2.2.14 (Fermat's Little Theorem). If p is a prime and p does not divide a ∈ Z, then a^{p−1} ≡ 1 (mod p).

Fact 2.2.15 (Euler's Theorem). Let n ∈ N and a ∈ Z. If gcd(a, n) = 1, then a^{φ(n)} ≡ 1 (mod n).

Fermat's little theorem and Euler's theorem are special cases of Fact 2.2.6.

Fact 2.2.16. Suppose that g and n are relatively prime with n > 0. Then g^i ≡ g^j (mod n) if and only if i ≡ j (mod ord_n g).

Fact 2.2.17. The positive integer n possesses a primitive root if and only if n = 2, 4, p^t, or 2p^t, where p is an odd prime and t is a positive integer.

Fact 2.2.18. If the positive integer n has a primitive root, then it has a total of φ(φ(n)) incongruent primitive roots.

Fact 2.2.19. Let p be a prime. Then Z_p^* is cyclic, and the number of generators is φ(p − 1).

Fact 2.2.20. Let p be a prime. Then x ∈ Z_p^* is a primitive root if and only if x^{(p−1)/q} ≢ 1 (mod p) for every prime q | p − 1.

Fact 2.2.21. Let p be a prime > 2 and g ∈ Z_p^* a primitive root of Z_p^*. Let a ∈ Z_p^*. Then a ∈ QR_p if and only if a ≡ g^t (mod p) for some even number t, 0 ≤ t ≤ p − 2. Furthermore, exactly half of the elements of Z_p^* are quadratic residues, i.e., |QR_p| = |QNR_p| = (p − 1)/2.

Fact 2.2.22 (Euler's Criterion). Let p be a prime > 2 and a ∈ Z. Then
$$\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod{p}.$$

Euler's criterion can be generalized to eth residuosity as follows.

Fact 2.2.23. A number a ∈ Z_p^* is an eth residue of Z_p^* if and only if a^{(p−1)/d} ≡ 1 (mod p), where d = gcd(e, p − 1).

Fact 2.2.24 ([6, 98]). Let n = p_1 p_2, where p_1 ≠ p_2, p_1 = 2q_1 + 1, p_2 = 2q_2 + 1, and p_1, p_2, q_1, q_2 are all prime numbers. Then the following holds.

1. The order of g_0 ∈ Z_n^* is equal to q_1 q_2 or 2q_1 q_2 if and only if gcd(g_0 + 1, n) = 1 and gcd(g_0 − 1, n) = 1.

2. For any g_0 such that gcd(g_0 + 1, n) = 1 and gcd(g_0 − 1, n) = 1, ⟨g_0²⟩ ⊂ Z_n^* is a cyclic subgroup of order q_1 q_2.

Fact 2.2.25. Let M be a positive integer with odd prime factorization M = p_1 p_2 · · · p_n, the p_i pairwise distinct. Then the following holds.

1. λ(M) = lcm(φ(p_1), φ(p_2), . . . , φ(p_n)).

2. There exists an integer g such that ord_M g = λ(M), the largest possible order of an integer modulo M.

3. Let r_i be a primitive root modulo p_i. The solution of the simultaneous congruences x ≡ r_i (mod p_i), i = 1, 2, . . . , n, produces such an integer g.

The above fact implies that if M is a product of large primes p_i = 2q_i + 1 where the q_i are also primes, then there exists a g whose order contains large prime factors. The reason is that
$$\lambda(M) = \mathrm{lcm}(p_1 - 1, p_2 - 1, \ldots, p_n - 1) = 2 q_1 q_2 \cdots q_n. \qquad (2.1)$$

Tractable Problems in Z_n

As in Z, basic group operations in Z_n can be performed efficiently, i.e., in time polynomial in the bit length of n (not in the group size). Let n be an integer and k = ⌊log₂(n)⌋ + 1. By the ordinary method, the number of bit operations for computing (a + b) mod n and (a − b) mod n is O(k), whereas the number of bit operations for (a · b) mod n is O(k²), and the inverse a^{−1} mod n of a unit is computed in O(k²) bit operations by the extended Euclidean algorithm. Modular exponentiation a^t mod n can be performed with at most 2 · |t| modular multiplications using the repeated squaring method. Hence, an exponentiation in Z_n^* with an exponent of at most k bits can be computed in O(k³) bit operations.

There are hardware implementations for performing modular multiplication fast. In particular, Norris and Simmons use the concept of delayed-carry adders to produce a hardware modular multiplier which computes the product of two t-bit operands modulo a t-bit modulus in 2t clock cycles [172]. Brickell improves the idea to produce a modular multiplier requiring only t + 7 clock cycles [32]. Enhancements of Brickell's method are given by Walter [218]. Koç provides a comprehensive survey of hardware methods for modular multiplication [133].

We now present several number-theoretic problems that can be solved in probabilistic polynomial time. Let p be a prime. First, consider computations in Z_p. The following problems are tractable.

1. Finding a primitive root modulo p when the prime factors of p − 1 are known. By Fact 2.2.20, we can use the following algorithm to obtain a primitive root modulo p.

Algorithm 2.2.1.
input: prime p and the prime factors of p − 1
output: a primitive root modulo p
1. Randomly choose an integer g with 0 < g < p
2. if g^{(p−1)/q} ≢ 1 (mod p) for all primes q dividing p − 1
3. then output g
4. else go to 1

Because
$$\varphi(p-1) > \frac{p-1}{6\ln\ln(p-1)},$$
the expected number of iterations to find a primitive root is O(ln ln p). Note that if the prime factors of p − 1 are not known, no efficient algorithm is known for the generation of primitive roots.

2. Testing whether an element is a quadratic residue modulo p.

The problem is called the quadratic residuosity problem and can be solved by Euler’s criterion.


3. Testing whether an element is an eth residue modulo p.

The problem is called the eth residuosity problem and can be solved by Fact 2.2.23.

4. Computing the eth root modulo p when gcd(e, p − 1) = 1.

The problem is called the eth root problem. When gcd(e, p − 1) = 1, a^{e^{−1}} mod p is an eth root of a modulo p, where e^{−1} e ≡ 1 (mod p − 1).

5. Computing square roots of a quadratic residue in Z_p.

Because gcd(2, p − 1) ≠ 1, computing a square root is not as easy as computing an eth root. We do not know any polynomial-time algorithm that computes a^{1/2} mod p deterministically for general p. Nevertheless, there exists a probabilistic polynomial-time algorithm that does it. We describe the algorithm as follows.

Algorithm 2.2.2.
input: (a, p), where a ∈ QR_p and p is an odd prime
output: a^{1/2} mod p
1. if p ≡ 3 (mod 4)
2. then output a^{(p+1) div 4} mod p
3. else
4.   randomly choose b ∈ QNR_p
5.   i ← (p − 1) div 2; j ← 0
6.   repeat
7.     i ← i div 2; j ← j div 2
8.     if a^i b^j ≡ −1 (mod p)
9.     then j ← j + (p − 1) div 2
10.  until i ≡ 1 (mod 2)
11.  output a^{(i+1) div 2} b^{j div 2} mod p

Suppose p ≡ 1 (mod 4). Let (p − 1)/2 = 2^ℓ r, with r odd and ℓ ≥ 1. The above algorithm randomly chooses a quadratic nonresidue b ∈ QNR_p and then finds an exponent s such that a^r b^{2s} = 1. Therefore a^{r+1} b^{2s} = a, and a^{(r+1)/2} b^s is a square root of a. To get a quadratic nonresidue we can randomly choose an element b of Z_p^* and test by Euler's criterion whether b is a nonresidue. Because half of the elements in Z_p^* are nonresidues, we expect to get a nonresidue after
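Items 2 to 5 above in code, as an added example that is not part of the thesis: `legendre` is Euler's criterion (Fact 2.2.22), `is_eth_residue` is Fact 2.2.23, `eth_root` inverts x ↦ x^e when gcd(e, p − 1) = 1, and `sqrt_mod_p` follows Algorithm 2.2.2 step by step, including the rejection sampling of a quadratic nonresidue for p ≡ 1 (mod 4), which is where the algorithm's randomness lives (the p ≡ 3 (mod 4) branch is deterministic). The primes and values used are constructed for this example.

```python
# Added example (not from the thesis): Euler's criterion, eth residues and
# roots modulo a prime, and Algorithm 2.2.2 for square roots modulo p.

import random
from math import gcd


def legendre(a, p):
    """Euler's criterion: a^((p-1)/2) mod p is 1 (residue), p-1 (nonresidue) or 0 (p | a)."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def is_eth_residue(a, e, p):
    """Fact 2.2.23: a is an e-th residue iff a^((p-1)/d) = 1 (mod p), d = gcd(e, p-1)."""
    d = gcd(e, p - 1)
    return pow(a % p, (p - 1) // d, p) == 1


def eth_root(a, e, p):
    """Item 4: when gcd(e, p-1) = 1, the e-th root of a is a^(e^{-1} mod (p-1))."""
    if gcd(e, p - 1) != 1:
        raise ValueError("e is not invertible modulo p-1")
    return pow(a, pow(e, -1, p - 1), p)


def random_nonresidue(p, rng=random):
    """Half of Z_p^* lies in QNR_p, so rejection sampling needs two trials on average."""
    while True:
        b = rng.randrange(2, p)
        if legendre(b, p) == -1:
            return b


def sqrt_mod_p(a, p, rng=random):
    """Algorithm 2.2.2: a square root of a in QR_p for an odd prime p."""
    a %= p
    if legendre(a, p) != 1:
        raise ValueError("a is not a quadratic residue modulo p")
    if p % 4 == 3:                                   # steps 1-2
        return pow(a, (p + 1) // 4, p)
    b = random_nonresidue(p, rng)                    # step 4
    i, j = (p - 1) // 2, 0                           # step 5; invariant: a^i b^j = 1 (mod p)
    while True:                                      # steps 6-10 (repeat ... until i is odd)
        i //= 2
        j //= 2
        if pow(a, i, p) * pow(b, j, p) % p == p - 1:
            j += (p - 1) // 2                        # b^((p-1)/2) = -1 restores the invariant
        if i % 2 == 1:
            break
    return pow(a, (i + 1) // 2, p) * pow(b, j // 2, p) % p   # step 11


if __name__ == "__main__":
    p = 1000000009                                   # prime, p = 1 (mod 4)
    r = sqrt_mod_p(4, p)
    print(r, r * r % p)                              # r is 2 or p - 2, r^2 = 4
```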

6. Determining the order of a group element when the prime factorization of the group order is known.

By Fact 2.2.8, we can use the following algorithm to find the order of a group element a modulo p efficiently.

Algorithm 2.2.3.
input: prime p, an element a ∈ Z_p^*, and the prime factorization p − 1 = p_1^{e_1} p_2^{e_2} · · · p_k^{e_k}
output: the order of a
1. t ← p − 1
2. for i = 1 to k do
3.   while p_i | t and a^{t/p_i} ≡ 1 (mod p) do
4.     t ← t/p_i
5. output t
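Algorithms 2.2.1 and 2.2.3 together with the construction of Fact 2.2.25, item 3, as an added example that is not part of the thesis: `primitive_root` samples until the test of Fact 2.2.20 passes (modulo p), `element_order` strips prime factors from a known multiple of the order while the power stays 1, guarded so that t is only divided by primes that still divide it, and `lambda_generator` combines primitive roots r_i modulo p_i by the Chinese remainder theorem into an element of order λ(M) modulo M = p_1 · · · p_n, with `carmichael_lambda` computing λ(M) as in equation (2.1). The thesis assumes the factorization is given; `trial_factor` is a toy helper of this example for small inputs only.

```python
# Added example (not from the thesis): primitive roots, element orders and
# an element of maximal order modulo a product of distinct primes.

import random
from math import gcd


def trial_factor(n):
    """Toy factorization by trial division: {prime: exponent}.  Small n only."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_primitive_root(g, p, primes_of_p_minus_1):
    """Fact 2.2.20: g generates Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    return gcd(g, p) == 1 and all(pow(g, (p - 1) // q, p) != 1 for q in primes_of_p_minus_1)


def primitive_root(p, rng=random):
    """Algorithm 2.2.1: sample g until the test passes (O(log log p) expected trials)."""
    if p == 2:
        return 1
    primes = list(trial_factor(p - 1))
    while True:
        g = rng.randrange(2, p)
        if is_primitive_root(g, p, primes):
            return g


def element_order(a, n, exponent, factorization):
    """Algorithm 2.2.3, generalized: `exponent` is a known multiple of ord_n(a)
    (p-1 for a prime modulus, lambda(n) in general) and `factorization` lists
    its prime factors.  Strip each prime q from t while a^(t/q) is still 1."""
    t = exponent
    for q in factorization:
        while t % q == 0 and pow(a, t // q, n) == 1:
            t //= q
    return t


def carmichael_lambda(primes):
    """Equation (2.1): lambda(p_1 ... p_n) = lcm(p_i - 1) for distinct odd primes."""
    lam = 1
    for p in primes:
        lam = lam * (p - 1) // gcd(lam, p - 1)
    return lam


def lambda_generator(primes, rng=random):
    """Fact 2.2.25, item 3: g = r_i (mod p_i) for primitive roots r_i has ord_M(g) = lambda(M)."""
    M = 1
    for p in primes:
        M *= p
    g = 0
    for p in primes:
        M_i = M // p
        g += primitive_root(p, rng) * M_i * pow(M_i, -1, p)   # CRT combination
    return g % M, M


if __name__ == "__main__":
    p = 10007                                        # prime
    g = primitive_root(p)
    print(g, element_order(g, p, p - 1, trial_factor(p - 1)))         # order p - 1
    print(lambda_generator([23, 47]), carmichael_lambda([23, 47]))    # lambda = 2*11*23 = 506
```

The guard `t % q == 0` matters: without it, an element whose order is not divisible by q would drive t to t/q^{e+1}, which is no longer an integer exponent, and the loop as written on the page would not terminate correctly.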

Let n be a composite number and consider computations in Z_n. The following problems are believed to be hard if the factorization of n is unknown, but they become tractable when the factorization is known.

1. Testing whether an element is a quadratic residue in Z_n.

2. Computing a square root of a quadratic residue in Z_n.

This is provably as hard as factoring n. Assume n = pq. When the factorization of n is known, we compute a square root of a ∈ Z_n^* by first computing a square root of a mod p in Z_p and a square root of a mod q in Z_q, and then using the Chinese remainder theorem to obtain the square roots of a in Z_n.

3. Computing eth roots modulo n when gcd(e, φ(n)) = 1.

Suppose n = pq. Then the problem is the so-called RSA problem. φ(n) can be found by factoring n. Thus, if factoring is easy, then so is the RSA problem.
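Items 1 and 2 above with the factorization as trapdoor, as an added example that is not part of the thesis: `jacobi` evaluates Definition 2.2.13 from the known factors, `is_qr_mod_n` decides quadratic residuosity modulo n = pq, `sqrt_mod_n` combines the roots modulo p and q by the Chinese remainder theorem (restricted here to p ≡ q ≡ 3 (mod 4), so that each root modulo a prime is a^{(p+1)/4} and no nonresidue search is needed), and `factor_from_roots` together with `factor_with_root_oracle` show the other direction of "as hard as factoring": two square roots x ≢ ±y of the same value give the factor gcd(x − y, n). The primes and sample values are constructed for this example.

```python
# Added example (not from the thesis): quadratic residues and square roots
# modulo n = pq with p, q known, and factoring n from two distinct roots.

import random
from math import gcd


def legendre(a, p):
    """Euler's criterion for an odd prime p."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def jacobi(a, primes):
    """Definition 2.2.13 for squarefree n = product of `primes`."""
    result = 1
    for p in primes:
        result *= legendre(a, p)
    return result


def is_qr_mod_n(a, p, q):
    """Item 1 with the trapdoor: a in QR_n iff a is a residue mod p and mod q."""
    return legendre(a, p) == 1 and legendre(a, q) == 1


def crt2(r1, m1, r2, m2):
    """x with x = r1 (mod m1) and x = r2 (mod m2) for coprime m1, m2."""
    return (r1 * m2 * pow(m2, -1, m1) + r2 * m1 * pow(m1, -1, m2)) % (m1 * m2)


def sqrt_mod_n(a, p, q):
    """Item 2: all four square roots of a in QR_n for p = q = 3 (mod 4), via CRT."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("this example needs p = q = 3 (mod 4)")
    if not is_qr_mod_n(a, p, q):
        raise ValueError("a is not in QR_n")
    n = p * q
    rp = pow(a, (p + 1) // 4, p)                     # root of a mod p
    rq = pow(a, (q + 1) // 4, q)                     # root of a mod q
    roots = sorted({crt2(sp, p, sq, q) for sp in (rp, p - rp) for sq in (rq, q - rq)})
    assert all(r * r % n == a % n for r in roots)
    return roots


def factor_from_roots(n, x, y):
    """If x^2 = y^2 (mod n) but x != +-y (mod n), then n | (x-y)(x+y) while n
    divides neither factor, so gcd(x - y, n) is a proper divisor of n."""
    if (x * x - y * y) % n != 0:
        raise ValueError("x and y are not square roots of the same value")
    g = gcd(x - y, n)
    return None if g in (1, n) else tuple(sorted((g, n // g)))


def factor_with_root_oracle(n, sqrt_oracle, rng=random):
    """Reduction of factoring to root extraction: square a random x and ask the
    oracle for a root of x^2; with probability 1/2 it is not +-x and reveals a factor."""
    while True:
        x = rng.randrange(2, n)
        g = gcd(x, n)
        if g != 1:
            return tuple(sorted((g, n // g)))        # x itself already shares a factor
        y = sqrt_oracle(x * x % n)
        f = factor_from_roots(n, x, y)
        if f is not None:
            return f


if __name__ == "__main__":
    p, q = 7, 11                                     # both 3 (mod 4); n = 77
    print(sqrt_mod_n(4, p, q))                       # [2, 9, 68, 75]
    print(jacobi(6, [p, q]), is_qr_mod_n(6, p, q))   # 1 False: Jacobi +1 but not a square
    print(factor_with_root_oracle(77, lambda a: sqrt_mod_n(a, p, q)[0]))   # (7, 11)
```

The oracle passed to `factor_with_root_oracle` returns the smallest of the four roots, which is ±x for only half of the choices of x; any root-extraction procedure that does not know which root the caller started from behaves the same way, which is the content of the equivalence stated in item 2.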

2.2.4 Intractable Problems

The Discrete Logarithm Assumption

Let G be a finite cyclic group and g a generator of G. The discrete logarithm of some element x ∈ G, denoted log_g(x), is the unique integer a, 0 ≤ a < |G|, such that x = g^a. The discrete logarithm (DL) problem is the following: Given G, g, and an element x ∈ G, find the integer a, 0 ≤ a < |G|, such that x = g^a. It is unknown whether an efficient algorithm for the DL problem exists. All known algorithms have exponential or subexponential running time, and it is widely believed that the problem is intractable. We state the assumption more precisely as follows.

Definition 2.2.16. Let I = {(G, g) | G is a cyclic group, g ∈ G a generator} and I_k = {(G, g) ∈ I | |ord(G)| = k}, where |ord(G)| is the binary length of the group order. For every probabilistic polynomial-time algorithm A, every positive polynomial Q, and all sufficiently large k,
$$\Pr\left[y = \log_g(x) : (G, g) \xleftarrow{u} I_k,\ x \xleftarrow{u} G,\ y \leftarrow A(G, g, x)\right] < \frac{1}{Q(k)}.$$
This is called the discrete logarithm assumption.

The Diffie-Hellman and Decision Diffie-Hellman Assumptions

The Diffie-Hellman (DH) problem is the following: Given a finite cyclic group G, a generator g of G, and the two elements g^a and g^b, find the element g^{ab}. It is believed that the DH problem is intractable. We make this precise in the following.

Definition 2.2.17. Let I = {(G, g) | G is a cyclic group, g ∈ G a generator} and I_k = {(G, g) ∈ I | |ord(G)| = k}. For every probabilistic polynomial-time algorithm A, every positive polynomial Q, and all sufficiently large k,
$$\Pr\left[y = g^{ab} : (G, g) \xleftarrow{u} I_k,\ a \xleftarrow{u} \mathbb{Z}_{|G|},\ b \xleftarrow{u} \mathbb{Z}_{|G|},\ y \leftarrow A(G, g, g^a, g^b)\right] < \frac{1}{Q(k)}.$$
This is called the Diffie-Hellman assumption.

Obviously, if the DL problem can be solved in polynomial time, then so can the DH problem. For some groups, the DH and the DL problems have been proved to be computationally equivalent [18, 153, 154, 155].

The decision Diffie-Hellman (DDH) problem is the following: Given a finite cyclic group G, a generator g of G, and the three elements g^a, g^b, and g^c, decide whether g^c and g^{ab} are equal. It is believed that the problem is intractable. We make this precise in the following.

Definition 2.2.18. Let I = {(G, g) | G is a cyclic group, g ∈ G a generator} and I_k = {(G, g) ∈ I | |ord(G)| = k}. For every probabilistic polynomial-time algorithm A, every positive polynomial Q, and all sufficiently large k,
$$\Pr\left[c' = c : (G, g) \xleftarrow{u} I_k,\ a \xleftarrow{u} \mathbb{Z}_{|G|},\ b \xleftarrow{u} \mathbb{Z}_{|G|},\ z_0 = ab \bmod |G|,\ z_1 \xleftarrow{u} \mathbb{Z}_{|G|},\ c \xleftarrow{u} \{0, 1\},\ c' \leftarrow A(G, g, g^a, g^b, g^{z_c})\right] < \frac{1}{2} + \frac{1}{Q(k)}.$$
This is called the decision Diffie-Hellman assumption.

Clearly, an efficient algorithm to solve the DH problem implies one for the DDH problem.

Shoup shows that any generic algorithm must perform Ω(p^{1/2}) group operations for the two problems, where p stands for the largest prime divisor of the group order in the case of the DH problem, and for the smallest prime divisor of the group order in the case of the DDH problem [208]. A generic algorithm does not exploit any special properties of the encodings of group elements except that each group element is encoded as a unique bit string.

The Representation Assumption

Let G be a group and g_1, . . . , g_r ∈ G pairwise distinct generators of G. A representation of some element y ∈ G is an r-tuple (a_1, . . . , a_r), 0 ≤ a_i ≤ |G| − 1 for all 1 ≤ i ≤ r, such that
$$y = \prod_{i=1}^{r} g_i^{a_i}.$$
The representation problem is the following: Given G, g_1, . . . , g_r, and an element y ∈ G, find integers a_1, . . . , a_r, 0 ≤ a_i ≤ |G| − 1, such that $y = \prod_{i=1}^{r} g_i^{a_i}$. The representation problem is a generalization of the DL problem. It is believed that the representation problem is intractable. We make this statement precise in the following.

Definition 2.2.19. Let I = {(G, g_1, . . . , g_r) | G is a cyclic group, g_1, . . . , g_r ∈ G pairwise distinct generators} and I_k = {(G, g_1, . . . , g_r) ∈ I | |ord(G)| = k}. For every probabilistic polynomial-time algorithm A, every positive polynomial Q, and all sufficiently large k,
$$\Pr\left[g_1^{a_1} \cdots g_r^{a_r} = y : (G, g_1, \ldots, g_r) \xleftarrow{u} I_k,\ y \xleftarrow{u} G,\ (a_1, \ldots, a_r) \leftarrow A(G, g_1, \ldots, g_r, y)\right] < \frac{1}{Q(k)}.$$
This is called the representation assumption.

If the generators g_1, . . . , g_r are all chosen randomly, finding two different representations of an element is as hard as the DL problem. Brands gives a thorough discussion on the representation problem in [26].

The Assumption of Equality of Discrete Logarithms

Let G be a group and g_0, g_1 ∈ G distinct generators of G. The problem of equality of discrete logarithms is the following: Given G, g_0, g_1, and two elements y_0, y_1 ∈ G, decide whether log_{g_0}(y_0) equals log_{g_1}(y_1). It is believed that there is no efficient algorithm to solve this problem. We make this precise in the following.

Definition 2.2.20. Let I = {(G, g_0, g_1) | G is a cyclic group, g_0, g_1 ∈ G generators} and I_k = {(G, g_0, g_1) ∈ I | |ord(G)| = k}. Let
$$\mathrm{EDL}_{G,g_0,g_1} : G \times G \to \{0, 1\}, \qquad \mathrm{EDL}_{G,g_0,g_1}(y_0, y_1) = \begin{cases} 1 & \text{if } \log_{g_0} y_0 = \log_{g_1} y_1, \\ 0 & \text{otherwise,} \end{cases}$$
be a function. For every probabilistic polynomial-time algorithm A, every positive polynomial Q, and all sufficiently large k,
$$\Pr\left[b = \mathrm{EDL}_{G,g_0,g_1}(y_0, y_1) : (G, g_0, g_1) \xleftarrow{u} I_k,\ y_0 \xleftarrow{u} G,\ y_1 \xleftarrow{u} G,\ b \leftarrow A(G, g_0, g_1, y_0, y_1)\right] < \frac{1}{2} + \frac{1}{Q(k)}.$$
This is called the assumption of equality of discrete logarithms (EDL).

The Factoring Assumption

The integer factorization problem is the following: Given a positive integer n, find its prime factorization, i.e., find pairwise distinct primes p_i and positive integers e_i such that n = p_1^{e_1} p_2^{e_2} · · · p_k^{e_k}. All known factoring algorithms have exponential or subexponential running time. Therefore, it is widely believed that the factors of n cannot be computed efficiently. The following assumption makes this statement more precise. For simplicity, assume n = pq.

Definition 2.2.21. Let I = {n | n = pq, p and q distinct primes, |p| = |q|} and I_k = {n ∈ I | n = pq, |p| = |q| = k}. For every probabilistic polynomial-time algorithm A, every positive polynomial Q, and all sufficiently large k,
$$\Pr\left[A(n) = p : n \xleftarrow{u} I_k\right] < \frac{1}{Q(k)}.$$
This is called the factoring assumption.

Furthermore, it is known that factoring n = pq is equivalent to computing square roots in Z_n^* [189].

The RSA Assumption

Let I = {(n, e) | n = pq, p ≠ q primes, 0 < e < φ(n), e prime to φ(n)}. The family
$$\mathrm{RSA} = \left(\mathrm{RSA}_{n,e} : \mathbb{Z}_n^* \to \mathbb{Z}_n^*,\ x \mapsto x^e\right)_{(n,e) \in I}$$
is called the RSA family.

Consider an (n, e) ∈ I, and let d ∈ Z_{φ(n)}^* be the inverse of e mod φ(n). Since ed ≡ 1 (mod φ(n)), Euler's theorem gives x^{ed} ≡ x (mod n) for all x ∈ Z_n^*. This shows that RSA_{n,e} is a bijection and that the inverse function is also an RSA function, namely RSA_{n,d} : Z_n^* → Z_n^*, y ↦ y^d.

RSA_{n,e} can be computed by an efficient modular exponentiation algorithm. The inverse d of e can easily be computed by the extended Euclidean algorithm if φ(n) = (p − 1)(q − 1) is known. No algorithm to compute RSA_{n,e}^{−1} in polynomial time is known if p, q, and d are kept secret (d, or p and q, are called the trapdoor information for the RSA function).

To date, factoring n is the only known method to totally break RSA. All known factoring algorithms have exponential or subexponential running time. Therefore, it is widely believed that RSA cannot be efficiently inverted. The following assumption makes this more precise.
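The RSA family in code, as an added example that is not part of the thesis: `rsa_keygen` derives d = e^{−1} mod φ(n) (Python's `pow(e, -1, phi)` plays the role of the extended Euclidean algorithm), `rsa` is RSA_{n,e} (or RSA_{n,d}) by modular exponentiation, `is_bijection_on_units` checks on a toy modulus that RSA_{n,d} inverts RSA_{n,e} on all of Z_n^*, and `factor_from_phi` is the standard converse of "φ(n) can be found by factoring n": from n and φ(n) one reads off p + q and hence p and q, so the trapdoor φ(n) is as good as the factorization. The toy parameters are constructed for this example.

```python
# Added example (not from the thesis): RSA_{n,e} and RSA_{n,d} on a toy
# modulus, and recovering the factors of n from phi(n).

from math import gcd, isqrt


def rsa_keygen(p, q, e):
    """Return (n, e, d) for the RSA family; requires gcd(e, phi(n)) = 1."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)
    if not 0 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 0 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                      # e*d = 1 (mod phi(n))
    return p * q, e, d


def rsa(n, exponent, x):
    """RSA_{n,e} (or RSA_{n,d}): x -> x^exponent mod n by repeated squaring."""
    return pow(x, exponent, n)


def is_bijection_on_units(n, e, d):
    """Check x^(ed) = x (mod n) for every unit x and that x -> x^e is injective on Z_n^*."""
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    inverts = all(rsa(n, d, rsa(n, e, x)) == x for x in units)
    injective = len({rsa(n, e, x) for x in units}) == len(units)
    return inverts and injective


def factor_from_phi(n, phi):
    """Recover (p, q) from n = pq and phi(n): p + q = n - phi + 1 and pq = n,
    so p and q are the roots of t^2 - (p + q) t + n."""
    s = n - phi + 1                          # p + q
    disc = s * s - 4 * n                     # (p - q)^2
    r = isqrt(disc)
    if disc < 0 or r * r != disc:
        raise ValueError("phi is not phi(n) for a product of two primes")
    p, q = (s - r) // 2, (s + r) // 2
    assert p * q == n
    return p, q


if __name__ == "__main__":
    n, e, d = rsa_keygen(61, 53, 17)         # toy key: n = 3233, phi = 3120, d = 2753
    c = rsa(n, e, 65)
    print(c, rsa(n, d, c))                   # 2790 65
    print(factor_from_phi(n, 3120))          # (53, 61)
```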


Definition 2.2.22. Let I_k = {(n, e) ∈ I | n = pq, |p| = |q| = k}. For every probabilistic polynomial-time algorithm A, every positive polynomial Q, and all sufficiently large k,
$$\Pr\left[x = \mathrm{RSA}_{n,d}(y) : (n, e) \xleftarrow{u} I_k,\ y \xleftarrow{u} \mathbb{Z}_n^*,\ x \leftarrow A(n, e, y)\right] < \frac{1}{Q(k)}.$$
This is called the RSA assumption.

The Quadratic Residuosity Assumption

Let I = {n : n = pq, p, q distinct primes, |p| = |q|} and let
$$J_n^{+1} = \left\{ x \in \mathbb{Z}_n^* \,\middle|\, \left(\frac{x}{n}\right) = +1 \right\}$$
be the set of elements with Jacobi symbol +1. QR_n is a proper subset of J_n^{+1}.

Consider the functions
$$PQR_n : J_n^{+1} \to \{0, 1\}, \qquad PQR_n(x) = \begin{cases} 1 & \text{if } x \in QR_n, \\ 0 & \text{otherwise.} \end{cases}$$
It is believed that there is no efficient algorithm which, without knowing the factors of n, is able to decide whether x ∈ J_n^{+1} is a quadratic residue. The following assumption makes this precise.

Definition 2.2.23. Let I_k = {n : n = pq, |p| = |q| = k}. For every probabilistic polynomial-time algorithm A, every positive polynomial Q, and all sufficiently large k,
$$\Pr\left[y = PQR_n(x) : n \xleftarrow{u} I_k,\ x \xleftarrow{u} J_n^{+1},\ y \leftarrow A(n, x)\right] < \frac{1}{2} + \frac{1}{Q(k)}.$$
This is called the quadratic residuosity assumption.

Note that the factoring assumption follows from the RSA assumption and also from the quadratic residuosity assumption: an efficient factoring algorithm would yield φ(n) and hence d, inverting RSA_{n,e}, and it would decide quadratic residuosity modulo n from the Legendre symbols modulo p and q. Hence, each of these two assumptions is stronger than the factoring assumption.

Discussions

For all assumptions described above, we do not consider a single fixed key i ∈ Ik:
