223 lines
6.4 KiB
Markdown
223 lines
6.4 KiB
Markdown
# CSE442T Exam 2 Review
|
|
|
|
## Review
|
|
|
|
### Assumptions used in cryptography (this course)
|
|
|
|
#### Diffie-Hellman assumption
|
|
|
|
The Diffie-Hellman assumption is that the following problem is hard.
|
|
|
|
$$
|
|
\text{Given } g,g^a,g^b\text{, it is hard to compute } g^{ab}.
|
|
$$
|
|
|
|
More formally,
|
|
|
|
If $p$ is a randomly sampled safe prime.
|
|
|
|
Denote safe prime as $\tilde{\Pi}_n=\{p\in \Pi_n:q=\frac{p-1}{2}\in \Pi_{n-1}\}$
|
|
|
|
Then
|
|
|
|
$$
|
|
P\left[p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1;x\gets \mathbb{Z}_q;y=g^x\mod p:\mathcal{A}(y)=x\right]\leq \varepsilon(n)
|
|
$$
|
|
|
|
$p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1$ is the function condition when we do the encryption on cyclic groups.
|
|
|
|
#### Discrete logarithm assumption
|
|
|
|
> If Diffie-Hellman assumption holds, then discrete logarithm assumption holds.
|
|
|
|
This is a corollary of the Diffie-Hellman assumption, it states as follows.
|
|
|
|
This is collection of one-way functions
|
|
|
|
$$
|
|
p\gets \tilde\Pi_n(\textup{ safe primes }), p=2q+1
|
|
$$
|
|
$$
|
|
a\gets \mathbb{Z}*_{p};g=a^2(\textup{ make sure }g\neq 1)
|
|
$$
|
|
$$
|
|
f_{g,p}(x)=g^x\mod p
|
|
$$
|
|
$$
|
|
f:\mathbb{Z}_q\to \mathbb{Z}^*_p
|
|
$$
|
|
|
|
#### RSA assumption
|
|
|
|
The RSA assumption is that it is hard to factorize a product of two large primes. (no polynomial time algorithm for factorization product of two large primes with $n$ bits)
|
|
|
|
Let $e$ be the exponents
|
|
|
|
$$
|
|
P[p,q\gets \Pi_n;N\gets p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;y\gets \mathbb{N}_n;x\gets \mathcal{A}(N,e,y);x^e=y\mod N]<\varepsilon(n)
|
|
$$
|
|
|
|
#### Factoring assumption
|
|
|
|
> If RSA assumption holds, then factoring assumption holds.
|
|
|
|
The only way to efficiently factorize the product of prime is to iterate all the primes.
|
|
|
|
### Fancy product of these assumptions
|
|
|
|
#### Trapdoor permutation
|
|
|
|
> RSA assumption $\implies$ Trapdoor permutation exists.
|
|
|
|
Idea: $f:D\to R$ is a one-way permutation.
|
|
|
|
$y\gets R$.
|
|
|
|
* Finding $x$ such that $f(x)=y$ is hard.
|
|
* With some secret info about $f$, finding $x$ is easy.
|
|
|
|
$\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I}$
|
|
|
|
1. $\forall i,f_i$ is a permutation
|
|
2. $(i,t)\gets Gen(1^n)$ efficient. ($i\in I$ paired with $t$), $t$ is the "trapdoor info"
|
|
3. $\forall i,D_i$ can be sampled efficiently.
|
|
4. $\forall i,\forall x,f_i(x)$ can be computed in polynomial time.
|
|
5. $P[(i,t)\gets Gen(1^n);y\gets R_i:f_i(\mathcal{A}(1^n,i,y))=y]<\varepsilon(n)$ (note: $\mathcal{A}$ is not given $t$)
|
|
6. (trapdoor) There is a p.p.t. $B$ such that given $i,y,t$, B always finds x such that $f_i(x)=y$. $t$ is the "trapdoor info"
|
|
|
|
_There is one bit of trapdoor info that without it, finding $x$ is hard._
|
|
|
|
#### Collision resistance hash function
|
|
|
|
> If discrete logarithm assumption holds, then collision resistance hash function exists.
|
|
|
|
Let $h: \{0, 1\}^{n+1} \to \{0, 1\}^n$ be a CRHF.
|
|
|
|
Base on the discrete log assumption, we can construct a CRHF $H: \{0, 1\}^{n+1} \to \{0, 1\}^n$ as follows:
|
|
|
|
$Gen(1^n):(g,p,y)$
|
|
|
|
$p\in \tilde{\Pi}_n(p=2q+1)$
|
|
|
|
$g$ generator for group of sequence $\mod p$ (G_q)
|
|
|
|
$y$ is a random element in $G_q$
|
|
|
|
$h_{g,p,y}(x,b)=y^bg^x\mod p$, $y^bg^x\mod p \in \{0,1\}^n$
|
|
|
|
$g^x\mod p$ if $b=0$, $y\cdot g^x\mod p$ if $b=1$.
|
|
|
|
Under the discrete log assumption, $H$ is a CRHF.
|
|
|
|
- It is easy to sample $(g,p,y)$
|
|
- It is easy to compute
|
|
- Compressing by 1 bit
|
|
|
|
#### One-way permutation
|
|
|
|
> If trapdoor permutation exists, then one-way permutation exists.
|
|
|
|
A one-way permutation is a function that is one-way and returns a permutation of the input.
|
|
|
|
#### One-way function
|
|
|
|
> If one-way permutation exists, then one-way function exists.
|
|
|
|
One-way function is a class of functions that are easy to compute but hard to invert.
|
|
|
|
##### Weak one-way function
|
|
|
|
A weak one-way function is
|
|
|
|
$$
|
|
f:\{0,1\}^n\to \{0,1\}^*
|
|
$$
|
|
|
|
1. $\exists$ a P.P.T. that computes $f(x),\forall x\in\{0,1\}^n$
|
|
2. $\forall a$ adversaries, $\exists \varepsilon(n),\forall n$.
|
|
|
|
$$
|
|
P[x\gets \{0,1\}^n;y=f(x):f(a(y,1^n))=y]<1-\frac{1}{p(n)}
|
|
$$
|
|
_The probability of success should not be too close to 1_
|
|
|
|
|
|
##### Strong one-way function
|
|
|
|
> If weak one-way function exists, then strong one-way function exists.
|
|
|
|
A strong one-way function is
|
|
|
|
$$
|
|
f:\{0,1\}^n\to \{0,1\}^*(n\to \infty)
|
|
$$
|
|
|
|
There is a negligible function $\varepsilon (n)$ such that for any adversary $a$ (n.u.p.p.t)
|
|
|
|
$$
|
|
P[x\gets\{0,1\}^n;y=f(x):f(a(y))=y,a(y)=x']\leq\varepsilon(n)
|
|
$$
|
|
|
|
_Probability of guessing correct message is negligible_
|
|
|
|
#### Hard-core bits
|
|
|
|
> Strong one-way function $\iff$ hard-core bits exists.
|
|
|
|
A hard-core bit is a bit that is hard to predict given the output of a one-way function.
|
|
|
|
#### Pseudorandom generator
|
|
|
|
> If one-way permutation exists, then pseudorandom generator exists.
|
|
|
|
We can also use pseudorandom generator to construct one-way function.
|
|
|
|
And hard-core bits can be used to construct pseudorandom generator.
|
|
|
|
#### Pseudorandom function
|
|
|
|
> If pseudorandom generator exists, then pseudorandom function exists.
|
|
|
|
A pseudorandom function is a function that is indistinguishable from a true random function.
|
|
|
|
### Multi-message secure private-key encryption
|
|
|
|
> If pseudorandom function exists, then multi-message secure private-key encryption exists.
|
|
|
|
A multi-message secure private-key encryption is a function that is secure against an adversary who can see multiple messages.
|
|
|
|
#### Single message secure private-key encryption
|
|
|
|
> If multi-message secure private-key encryption exists, then single message secure private-key encryption exists.
|
|
|
|
#### Message-authentication code
|
|
|
|
> If pseudorandom function exists, then message-authentication code exists.
|
|
|
|
|
|
### Public-key encryption
|
|
|
|
> If Diffie-Hellman assumption holds, and Trapdoor permutation exists, then public-key encryption exists.
|
|
|
|
### Digital signature
|
|
|
|
A digital signature scheme is a triple $(Gen, Sign, Ver)$ where
|
|
|
|
- $(pk,sk)\gets Gen(1^k)$ is a p.p.t. algorithm that takes as input a security parameter $k$ and outputs a public key $pk$ and a secret key $sk$.
|
|
- $\sigma\gets Sign_{sk}(m)$ is a p.p.t. algorithm that takes as input a secret key $sk$ and a message $m$ and outputs a signature $\sigma$.
|
|
- $Ver_{pk}(m, \sigma)$ is a deterministic algorithm that takes as input a public key $pk$, a message $m$, and a signature $\sigma$ and outputs "Accept" if $\sigma$ is a valid signature for $m$ under $pk$ and "Reject" otherwise.
|
|
|
|
For all $n\in\mathbb{N}$, all $m\in\mathcal{M}_n$.
|
|
|
|
$$
|
|
P[(pk,sk)\gets Gen(1^k); \sigma\gets Sign_{sk}(m); Ver_{pk}(m, \sigma)=\textup{``Accept''}]=1
|
|
$$
|
|
|
|
#### One-time secure digital signature
|
|
|
|
#### Fixed-length one-time secure digital signature
|
|
|
|
> If one-way function exists, then fixed-length one-time secure digital signature exists.
|
|
|
|
|