• 沒有找到結果。

One-Way Functions

N/A
N/A
Protected

Academic year: 2022

Share "One-Way Functions"

Copied!
63
0
0

加載中.... (立即查看全文)

全文

(1)

Public-Key Cryptography

a

• Suppose only d is private to Bob, whereas e is public knowledge.

• Bob generates the (e, d) pair and publishes e.

• Anybody like Alice can send E(e, x) to Bob.

• Knowing d, Bob can recover x by D(d, E(e, x)) = x.

• The assumptions are complexity-theoretic.

– It is computationally difficult to compute d from e.

– It is computationally difficult to compute x from y without knowing d.

aDiffie and Hellman (1976).

(2)

Whitfield Diffie (1944–)

(3)

Martin Hellman (1945–)

(4)

Complexity Issues

• Given y and x, it is easy to verify whether E(e, x) = y.

• Hence one can always guess an x and verify.

• Cracking a public-key cryptosystem is thus in NP.

• A necessary condition for the existence of secure public-key cryptosystems is P ̸= NP.

• But more is needed than P ̸= NP.

• For instance, it is not sufficient that D is hard to compute in the worst case.

• It should be hard in “most” or “average” cases.

(5)

One-Way Functions

A function f is a one-way function if the following hold.a 1. f is one-to-one.

2. For all x ∈ Σ, | x |1/k ≤ |f(x)| ≤ | x |k for some k > 0.

• f is said to be honest.

3. f can be computed in polynomial time.

4. f−1 cannot be computed in polynomial time.

• Exhaustive search works, but it must be slow.

aDiffie and Hellman (1976); Boppana and Lagarias (1986); Grollmann and Selman (1988); Ko (1985); Ko, Long, and Du (1986); Watanabe (1985); Young (1983).

(6)

Existence of One-Way Functions

• Even if P ̸= NP, there is no guarantee that one-way functions exist.

• No functions have been proved to be one-way.

• Is breaking glass a one-way function?

(7)

Candidates of One-Way Functions

• Modular exponentiation f(x) = gx mod p, where g is a primitive root of p.

– Discrete logarithm is hard.a

• The RSAb function f (x) = xe mod pq for an odd e relatively prime to ϕ(pq).

– Breaking the RSA function is hard.

aConjectured to be 2nϵ for some ϵ > 0 in both the worst-case sense and average sense. Doable in time nO(log n) for finite fields of small char- acteristic (Barbulescu, et al., 2013). It is in NP in some sense (Grollmann and Selman (1988)).

bRivest, Shamir, and Adleman (1978).

(8)

Candidates of One-Way Functions (concluded)

• Modular squaring f(x) = x2 mod pq.

– Determining if a number with a Jacobi symbol 1 is a quadratic residue is hard—the quadratic

residuacity assumption (QRA).a

aDue to Gauss.

(9)

The RSA Function

• Let p, q be two distinct primes.

• The RSA function is xe mod pq for an odd e relatively prime to ϕ(pq).

– By Lemma 53 (p. 466),

ϕ(pq) = pq (

1 1 p

) (

1 1 q

)

= pq − p − q + 1. (15)

• As gcd(e, ϕ(pq)) = 1, there is a d such that ed ≡ 1 mod ϕ(pq),

which can be found by the Euclidean algorithm.a

aOne can think of d as e−1.

(10)

A Public-Key Cryptosystem Based on RSA

• Bob generates p and q.

• Bob publishes pq and the encryption key e, a number relatively prime to ϕ(pq).

– The encryption function is y = xe mod pq.

– Bob calculates ϕ(pq) by Eq. (15) (p. 640).

– Bob then calculates d such that ed = 1 + kϕ(pq) for some k ∈ Z.

• The decryption function is yd mod pq.

• It works because yd = xed = x1+kϕ(pq) = x mod pq by the Fermat-Euler theorem when gcd(x, pq) = 1 (p. 477).

(11)

The “Security” of the RSA Function

• Factoring pq or calculating d from (e, pq) seems hard.

– See also p. 473.

• Breaking the last bit of RSA is as hard as breaking the RSA.a

• Recommended RSA key sizes:b – 1024 bits up to 2010.

– 2048 bits up to 2030.

– 3072 bits up to 2031 and beyond.

aAlexi, Chor, Goldreich, and Schnorr (1988).

bRSA (2003). RSA was acquired by EMC in 2006 for 2.1 billion US dollars.

(12)

The “Security” of the RSA Function (continued)

• Recall that problem A is “harder than” problem B if solving A results in solving B.

– Factorization is “harder than” breaking the RSA.

– It is not hard to show that calculating Euler’s phi functiona is “harder than” breaking the RSA.

– Factorization is “harder than” calculating Euler’s phi function (see Lemma 53 on p. 466).

– So factorization is harder than calculating Euler’s phi function, which is harder than breaking the RSA.

aWhen the input is not factorized!

(13)

The “Security” of the RSA Function (concluded)

• Factorization cannot be NP-hard unless NP = coNP.a

• So breaking the RSA is unlikely to imply P = NP.

• RSA was alleged to have received 10 million US dollars from the government to promote an unsecure software!b

aBrassard (1979).

bMenn (2013).

(14)

Adi Shamir, Ron Rivest, and Leonard Adleman

(15)

Ron Rivest

a

(1947–)

aTuring Award (2002).

(16)

Adi Shamir

a

(1952–)

aTuring Award (2002).

(17)

The Secret-Key Agreement Problem

• Exchanging messages securely using a private-key cryptosystem requires Alice and Bob possessing the same key (p. 631).

• How can they agree on the same secret key when the channel is insecure?

• This is called the secret-key agreement problem.

• It was solved by Diffie and Hellman (1976) using one-way functions.

(18)

The Diffie-Hellman Secret-Key Agreement Protocol

1: Alice and Bob agree on a large prime p and a primitive root g of p; {p and g are public.}

2: Alice chooses a large number a at random;

3: Alice computes α = ga mod p;

4: Bob chooses a large number b at random;

5: Bob computes β = gb mod p;

6: Alice sends α to Bob, and Bob sends β to Alice;

7: Alice computes her key βa mod p;

8: Bob computes his key αb mod p;

(19)

Analysis

• The keys computed by Alice and Bob are identical as βa = gba = gab = αb mod p.

• To compute the common key from p, g, α, β is known as the Diffie-Hellman problem.

• It is conjectured to be hard.

• If discrete logarithm is easy, then one can solve the Diffie-Hellman problem.

– Because a and b can then be obtained by Eve.

• But the other direction is still open.

(20)

A Parallel History

• Diffie and Hellman’s solution to the secret-key

agreement problem led to public-key cryptography.

• At around the same time (or earlier) in Britain, the RSA public-key cryptosystem was invented first before the Diffie-Hellman secret-key agreement scheme was.

– Ellis, Cocks, and Williamson of the Communications Electronics Security Group of the British Government Communications Head Quarters (GCHQ).

(21)

Is a forged signature the same sort of thing as a genuine signature, or is it a different sort of thing?

— Gilbert Ryle (1900–1976), The Concept of Mind (1949)

“Katherine, I gave him the code.

He verified the code.”

“But did you verify him?”

— The Numbers Station (2013)

(22)

Digital Signatures

a

• Alice wants to send Bob a signed document x.

• The signature must unmistakably identifies the sender.

• Both Alice and Bob have public and private keys eAlice, eBob, dAlice, dBob.

• Every cryptosystem guarantees D(d, E(e, x)) = x.

• Assume the cryptosystem also satisfies the commutative property

E(e, D(d, x)) = D(d, E(e, x)). (16) – E.g., the RSA system satisfies it as (xd)e = (xe)d.

a

(23)

Digital Signatures Based on Public-Key Systems

• Alice signs x as

(x, D(dAlice, x)).

• Bob receives (x, y) and verifies the signature by checking E(eAlice, y) = E(eAlice, D(dAlice, x)) = x

based on Eq. (16).

• The claim of authenticity is founded on the difficulty of inverting EAlice without knowing the key dAlice.

(24)

Probabilistic Encryption

a

• A deterministic cryptosystem can be broken if the

plaintext has a distribution that favors the “easy” cases.

• The ability to forge signatures on even a vanishingly small fraction of strings of some length is a security weakness if those strings were the probable ones!

• A scheme may also “leak” partial information.

– Parity of the plaintext, e.g.

• The first solution to the problems of skewed distribution and partial information was based on the QRA.

aGoldwasser and Micali (1982). This paper “laid the framework for

(25)

Shafi Goldwasser

a

(1958–)

aTuring Award (2013).

(26)

Silvio Micali

a

(1954–)

a

(27)

Goldwasser and Micali

(28)

A Useful Lemma

Lemma 76 Let n = pq be a product of two distinct primes.

Then a number y ∈ Zn is a quadratic residue modulo n if and only if (y | p) = (y | q) = 1.

• The “only if” part:

– Let x be a solution to x2 = y mod pq.

– Then x2 = y mod p and x2 = y mod q also hold.

– Hence y is a quadratic modulo p and a quadratic residue modulo q.

(29)

The Proof (concluded)

• The “if” part:

– Let a21 = y mod p and a22 = y mod q.

– Solve

x = a1 mod p, x = a2 mod q,

for x with the Chinese remainder theorem.

– As x2 = y mod p, x2 = y mod q, and gcd(p, q) = 1, we must have x2 = y mod pq.

(30)

The Jacobi Symbol and Quadratic Residuacity Test

• The Legendre symbol can be used as a test for quadratic residuacity by Lemma 63 (p. 547).

• Lemma 76 (p. 659) says this is not the case with the Jacobi symbol in general.

• Suppose n = pq is a product of two distinct primes.

• A number y ∈ Zn with Jacobi symbol (y | pq) = 1 may be a quadratic nonresidue modulo n when

(y | p) = (y | q) = −1, because (y | pq) = (y | p)(y | q).

(31)

The Setup

• Bob publishes n = pq, a product of two distinct primes, and a quadratic nonresidue y with Jacobi symbol 1.

• Bob keeps secret the factorization of n.

• Alice wants to send bit string b1b2 · · · bk to Bob.

• Alice encrypts the bits by choosing a random quadratic residue modulo n if bi is 1 and a random quadratic

nonresidue (with Jacobi symbol 1) otherwise.

• So a sequence of residues and nonresidues are sent.

• Knowing the factorization of n, Bob can efficiently test quadratic residuacity and thus read the message.

(32)

The Protocol for Alice

1: for i = 1, 2, . . . , k do

2: Pick r ∈ Zn randomly;

3: if bi = 1 then

4: Send r2 mod n; {Jacobi symbol is 1.}

5: else

6: Send r2y mod n; {Jacobi symbol is still 1.}

7: end if

8: end for

(33)

The Protocol for Bob

1: for i = 1, 2, . . . , k do

2: Receive r;

3: if (r| p) = 1 and (r | q) = 1 then

4: bi := 1;

5: else

6: bi := 0;

7: end if

8: end for

(34)

Semantic Security

• This encryption scheme is probabilistic.

• There are a large number of different encryptions of a given message.

• One is chosen at random by the sender to represent the message.

• This scheme is both polynomially secure and semantically secure.

(35)

What Is a Proof?

• A proof convinces a party of a certain claim.

– “xn + yn ̸= zn for all x, y, z ∈ Z+ and n > 2.”

– “Graph G is Hamiltonian.”

– “xp = x mod p for prime p and p ̸ |x.”

• In mathematics, a proof is a fixed sequence of theorems.

– Think of it as a written examination.

• We will extend a proof to cover a proof process by which the validity of the assertion is established.

– Recall a job interview or an oral examination.

(36)

Prover and Verifier

• There are two parties to a proof.

– The prover (Peggy).

– The verifier (Victor).

• Given an assertion, the prover’s goal is to convince the verifier of its validity (completeness).

• The verifier’s objective is to accept only correct assertions (soundness).

• The verifier usually has an easier job than the prover.

• The setup is very much like the Turing test.a

(37)

Interactive Proof Systems

• An interactive proof for a language L is a sequence of questions and answers between the two parties.

• At the end of the interaction, the verifier decides whether the claim is true or false.

• The verifier must be a probabilistic polynomial-time algorithm.

• The prover runs an exponential-time algorithm.a

– If the prover is not more powerful than the verifier, no interaction is needed!

aSee the problem to Note 12.3.7 on p. 296 and Proposition 19.1 on p. 475, both of the textbook, about alternative complexity assumptions without affecting the definition. Contributed by Mr. Young-San Lin (B97902055) and Mr. Chao-Fu Yang (B97902052) on December 18, 2012.

(38)

Interactive Proof Systems (concluded)

• The system decides L if the following two conditions hold for any common input x.

– If x ∈ L, then the probability that x is accepted by the verifier is at least 1 − 2−| x |.

– If x ̸∈ L, then the probability that x is accepted by the verifier with any prover replacing the original prover is at most 2−| x |.

• Neither the number of rounds nor the lengths of the messages can be more than a polynomial of | x |.

(39)

An Interactive Proof

3

3

3

3

3

9

9

9

9

9

(40)

IP

a

• IP is the class of all languages decided by an interactive proof system.

• When x ∈ L, the completeness condition can be modified to require that the verifier accepts with certainty without affecting IP.b

• Similar things cannot be said of the soundness condition when x ̸∈ L.

• Verifier’s coin flips can be public.c

aGoldwasser, Micali, and Rackoff (1985).

bGoldreich, Mansour, and Sipser (1987).

cGoldwasser and Sipser (1989).

(41)

The Relations of IP with Other Classes

• NP ⊆ IP.

– IP becomes NP when the verifier is deterministic and there is only one round of interaction.a

• BPP ⊆ IP.

– IP becomes BPP when the verifier ignores the prover’s messages.

• IP actually coincides with PSPACE.b

aRecall Proposition 36 on p. 326.

bShamir (1990).

(42)

Graph Isomorphism

• V1 = V2 = {1, 2, . . . , n}.

• Graphs G1 = (V1, E1) and G2 = (V2, E2) are isomorphic if there exists a permutation π on

{1, 2, . . . , n} so that (u, v) ∈ E1 ⇔ (π(u), π(v)) ∈ E2.

• The task is to answer if G1 ∼= G2.

• No known polynomial-time algorithms.

• The problem is in NP (hence IP).

• It is not likely to be NP-complete.a

aSch¨oning (1987).

(43)

graph nonisomorphism

• V1 = V2 = {1, 2, . . . , n}.

• Graphs G1 = (V1, E1) and G2 = (V2, E2) are

nonisomorphic if there exist no permutations π on {1, 2, . . . , n} so that (u, v) ∈ E1 ⇔ (π(u), π(v)) ∈ E2.

• The task is to answer if G1 ̸∼= G2.

• Again, no known polynomial-time algorithms.

– It is in coNP, but how about NP or BPP?

– It is not likely to be coNP-complete.

• Surprisingly, graph nonisomorphism ∈ IP.a

aGoldreich, Micali, and Wigderson (1986).

(44)

A 2-Round Algorithm

1: Victor selects a random i ∈ { 1, 2 };

2: Victor selects a random permutation π on { 1, 2, . . . , n };

3: Victor applies π on graph Gi to obtain graph H;

4: Victor sends (G1, H) to Peggy;

5: if G1 = H then

6: Peggy sends j = 1 to Victor;

7: else

8: Peggy sends j = 2 to Victor;

9: end if

10: if j = i then

11: Victor accepts;

12: else

13: Victor rejects;

(45)

Analysis

• Victor runs in probabilistic polynomial time.

• Suppose G1 ̸∼= G2.

– Peggy is able to tell which Gi is isomorphic to H, so j = i.

– So Victor always accepts.

• Suppose G1 = G2.

– No matter which i is picked by Victor, Peggy or any prover sees 2 identical graphs.

– Peggy or any prover with exponential power has only probability one half of guessing i correctly.

– So Victor erroneously accepts with probability 1/2.

• Repeat the algorithm to obtain the desired probabilities.

(46)

Knowledge in Proofs

• Suppose I know a satisfying assignment to a satisfiable boolean expression.

• I can convince Alice of this by giving her the assignment.

• But then I give her more knowledge than is necessary.

– Alice can claim that she found the assignment!

– Login authentication faces essentially the same issue.

– See

www.wired.com/wired/archive/1.05/atm pr.html for a famous ATM fraud in the U.S.

(47)

Knowledge in Proofs (concluded)

• Suppose I always give Alice random bits.

• Alice extracts no knowledge from me by any measure, but I prove nothing.

• Question 1: Can we design a protocol to convince Alice (the knowledge) of a secret without revealing anything extra?

• Question 2: How to define this idea rigorously?

(48)

Zero Knowledge Proofs

a

An interactive proof protocol (P, V ) for language L has the perfect zero-knowledge property if:

• For every verifier V , there is an algorithm M with expected polynomial running time.

• M on any input x ∈ L generates the same probability distribution as the one that can be observed on the communication channel of (P, V ) on input x.

aGoldwasser, Micali, and Rackoff (1985).

(49)

Comments

• Zero knowledge is a property of the prover.

– It is the robustness of the prover against attempts of the verifier to extract knowledge via interaction.

– The verifier may deviate arbitrarily (but in

polynomial time) from the predetermined program.

– A verifier cannot use the transcript of the interaction to convince a third-party of the validity of the claim.

– The proof is hence not transferable.

(50)

Comments (continued)

• Whatever a verifier can “learn” from the specified prover P via the communication channel could as well be

computed from the verifier alone.

• The verifier does not learn anything except “x ∈ L.”

• Zero-knowledge proofs yield no knowledge in the sense that they can be constructed by the verifier who believes the statement, and yet these proofs do convince him.

(51)

Comments (continued)

• The “paradox” is resolved by noting that it is not the transcript of the conversation that convinces the verifier.

• But the fact that this conversation was held “on line.”

• Computational zero-knowledge proofs are based on complexity assumptions.

– M only needs to generate a distribution that is

computationally indistinguishable from the verifier’s view of the interaction.

(52)

Comments (concluded)

• It is known that if one-way functions exist, then

zero-knowledge proofs exist for every problem in NP.a

• The verifier can be restricted to the honest one (i.e., it follows the protocol).b

• The coins can be public.c

aGoldreich, Micali, and Wigderson (1986).

bVadhan (2006).

cVadhan (2006).

(53)

Are You Convinced?

• A newspaper commercial for hair-growing products for men.

– A (for all practical purposes) bald man has a full head of hair after 3 months.

• A TV commercial for weight-loss products.

– A (by any reasonable measure) overweight woman loses 10 kilograms in 10 weeks.

(54)

Quadratic Residuacity

• Let n be a product of two distinct primes.

• Assume extracting the square root of a quadratic residue modulo n is hard without knowing the factors.

• We next present a zero-knowledge proof for the input x ∈ Zn

being a quadratic residue.

(55)

Zero-Knowledge Proof of Quadratic Residuacity

1: for m = 1, 2, . . . , log2 n do

2: Peggy chooses a random v ∈ Zn and sends y = v2 mod n to Victor;

3: Victor chooses a random bit i and sends it to Peggy;

4: Peggy sends z = uiv mod n, where u is a square root of x; {u2 ≡ x mod n.}

5: Victor checks if z2 ≡ xiy mod n;

6: end for

7: Victor accepts x if Line 5 is confirmed every time;

(56)

A Useful Corollary of Lemma 76 (p. 659)

Corollary 77 Let n = pq be a product of two distinct

primes. (1) If x and y are both quadratic residues modulo n, then xy ∈ Zn is a quadratic residue modulo n. (2) If x is a quadratic residue modulo n and y is a quadratic nonresidue modulo n, then xy ∈ Zn is a quadratic nonresidue modulo n.

• Suppose x and y are both quadratic residues modulo n.

• Let x ≡ a2 mod n and y ≡ b2 mod n.

• Now xy is a quadratic residue as xy ≡ (ab)2 mod n.

(57)

The Proof (concluded)

• Suppose x is a quadratic residue modulo n and y is a quadratic nonresidue modulo n.

• By Lemma 76 (p. 659), (x | p) = (x | q) = 1 but, say, (y | p) = −1.

• Now xy is a quadratic nonresidue as (xy | p) = −1, again by Lemma 76 (p. 659).

(58)

Analysis

• Suppose x is a quadratic residue.

– Then x’s square root u can be computed by Peggy.

– Peggy can answer all challenges.

– Now,

z2 (

ui)2

v2 (

u2)i

v2 ≡ xiy mod n.

– So Victor will accept x.

(59)

Analysis (continued)

• Suppose x is a quadratic nonresidue.

– Corollary 77 (p. 687) says if a is a quadratic residue, then xa is a quadratic nonresidue.

– As y is a quadratic residue, xiy can be a quadratic residue (see Line 5) only when i = 0.

– Peggy can answer only one of the two possible challenges, when i = 0.a

– So Peggy will be caught in any given round with probability one half.

aLine 5 (z2 ≡ xiy mod n) cannot equate a quadratic residue z2 with a quadratic nonresidue xiy when i = 1.

(60)

Analysis (continued)

• How about the claim of zero knowledge?

• The transcript between Peggy and Victor when x is a quadratic residue can be generated without Peggy!

• Here is how.

• Suppose x is a quadratic residue.a

• In each round of interaction with Peggy, the transcript is a triplet (y, i, z).

• We present an efficient Bob that generates (y, i, z) with the same probability without accessing Peggy’s power.

̸∈ L.

(61)

Analysis (concluded)

1: Bob chooses a random z ∈ Zn;

2: Bob chooses a random bit i;

3: Bob calculates y = z2x−i mod n;a

4: Bob writes (y, i, z) into the transcript;

aRecall Line 5 on p. 686: Victor checks if z2 ≡ xiy mod n.

(62)

Comments

• Assume x is a quadratic residue.

• For (y, i, z), y is a random quadratic residue, i is a random bit, and z is a random number.

• Bob cheats because (y, i, z) is not generated in the same order as in the original transcript.

– Bob picks Peggy’s answer z first.

– Bob then picks Victor’s challenge i.

– Bob finally patches the transcript.

(63)

Comments (concluded)

• So it is not the transcript that convinces Victor, but that conversation with Peggy is held “on line.”

• The same holds even if the transcript was generated by a cheating Victor’s interaction with (honest) Peggy.

• But we skip the details.

參考文獻

相關文件

• The binomial interest rate tree can be used to calculate the yield volatility of zero-coupon bonds.. • Consider an n-period

A factorization method for reconstructing an impenetrable obstacle in a homogeneous medium (Helmholtz equation) using the spectral data of the far-field operator was developed

2.1.1 The pre-primary educator must have specialised knowledge about the characteristics of child development before they can be responsive to the needs of children, set

Now, nearly all of the current flows through wire S since it has a much lower resistance than the light bulb. The light bulb does not glow because the current flowing through it

• Environmental Report 2020 of Transport Department, Hong Kong: to provide a transport system in an environmentally acceptable manner to align with the sustainable development of

● the F&B department will inform the security in advance if large-scaled conferences or banqueting events are to be held in the property.. Relationship Between Food and

Daily operation - Sanitizing after guest checked-in / swab test (guest floor

We may observe that the Riemann zeta function at integer values appears in the series expansion of the logarithm of the gamma function.. Several proofs may be found