CSE442T Exam 2 Review
Review
Assumptions used in cryptography (this course)
Diffie-Hellman assumption
The Diffie-Hellman assumption is that the following problem is hard.
\text{Given } g,g^a,g^b\text{, it is hard to compute } g^{ab}.
More formally,
Let p be a randomly sampled safe prime.
Denote the set of safe primes as \tilde{\Pi}_n=\{p\in \Pi_n:q=\frac{p-1}{2}\in \Pi_{n-1}\}
Then
P\left[p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1;x\gets \mathbb{Z}_q;y=g^x\mod p:\mathcal{A}(y)=x\right]\leq \varepsilon(n)
p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1 is the function condition when we do the encryption on cyclic groups.
Discrete logarithm assumption
If Diffie-Hellman assumption holds, then discrete logarithm assumption holds.
This is a corollary of the Diffie-Hellman assumption, stated as follows.
This is a collection of one-way functions:
p\gets \tilde\Pi_n(\textup{ safe primes }), p=2q+1
a\gets \mathbb{Z}^*_{p};g=a^2(\textup{ make sure }g\neq 1)
f_{g,p}(x)=g^x\mod p
f:\mathbb{Z}_q\to \mathbb{Z}^*_p
RSA assumption
The RSA assumption is that it is hard to factorize a product of two large primes. (There is no polynomial-time algorithm for factoring the product of two large primes with n bits.)
Let e be the exponent.
P[p,q\gets \Pi_n;N\gets p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;y\gets \mathbb{N}_n;x\gets \mathcal{A}(N,e,y);x^e=y\mod N]<\varepsilon(n)
Factoring assumption
If RSA assumption holds, then factoring assumption holds.
The only way to efficiently factorize the product of primes is to iterate over all the primes.
Fancy product of these assumptions
Trapdoor permutation
RSA assumption \implies Trapdoor permutation exists.
Idea: f:D\to R is a one-way permutation.
y\gets R.
- Finding x such that f(x)=y is hard.
- With some secret info about f, finding x is easy.
\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I}
- \forall i, f_i is a permutation
- (i,t)\gets Gen(1^n) efficient. (i\in I paired with t), t is the "trapdoor info"
- \forall i, D_i can be sampled efficiently.
- \forall i,\forall x, f_i(x) can be computed in polynomial time.
- P[(i,t)\gets Gen(1^n);y\gets R_i:f_i(\mathcal{A}(1^n,i,y))=y]<\varepsilon(n) (note: \mathcal{A} is not given t)
- (trapdoor) There is a p.p.t. B such that given i,y,t, B always finds x such that f_i(x)=y. t is the "trapdoor info"
There is one bit of trapdoor info without which finding x is hard.
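The trapdoor-permutation conditions above, instantiated with RSA at toy size. This is an added example, not part of the original notes; the function names and the 8-bit prime size are assumptions chosen so that the permutation property can be checked exhaustively.

```python
from math import gcd, isqrt
import secrets

def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def sample_prime(bits):
    """p <- Pi_n: a random prime with exactly `bits` bits."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c):
            return c

def gen(bits):
    """Gen(1^n): index i = (N, e) is public, trapdoor t = d stays secret."""
    p = q = sample_prime(bits)
    while q == p:
        q = sample_prime(bits)
    N, phi = p * q, (p - 1) * (q - 1)
    while True:
        e = secrets.randbelow(phi)          # e <- Z_phi(N)^*
        if gcd(e, phi) == 1:
            return (N, e), pow(e, -1, phi)  # d = e^-1 mod phi(N)

def f(i, x):
    """f_i(x) = x^e mod N, computable from the index alone."""
    N, e = i
    return pow(x, e, N)

def invert_with_trapdoor(i, y, t):
    """The p.p.t. B(i, y, t): returns x with f_i(x) = y."""
    N, _ = i
    return pow(y, t, N)

def sample_domain(i):
    """D_i = Z_N^*: rejection-sample a unit modulo N."""
    N, _ = i
    while True:
        x = secrets.randbelow(N - 1) + 1
        if gcd(x, N) == 1:
            return x

def is_permutation(i):
    """Exhaustively confirm f_i maps Z_N^* onto itself (toy N only)."""
    N, _ = i
    D = [x for x in range(1, N) if gcd(x, N) == 1]
    return sorted(f(i, x) for x in D) == D
```

At this size N can be factored instantly, so the sketch shows only the correctness conditions (permutation, efficient sampling, inversion with t), not hardness.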
Collision resistance hash function
If discrete logarithm assumption holds, then collision resistance hash function exists.
Let h: \{0, 1\}^{n+1} \to \{0, 1\}^n be a CRHF.
Based on the discrete log assumption, we can construct a CRHF H: \{0, 1\}^{n+1} \to \{0, 1\}^n as follows:
Gen(1^n):(g,p,y)
p\in \tilde{\Pi}_n(p=2q+1)
g is a generator for the group of squares \mod p (G_q)
y is a random element in G_q
h_{g,p,y}(x,b)=y^bg^x\mod p, y^bg^x\mod p \in \{0,1\}^n
g^x\mod p if b=0, y\cdot g^x\mod p if b=1.
Under the discrete log assumption, H is a CRHF.
- It is easy to sample (g,p,y)
- It is easy to compute
- Compressing by 1 bit
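Why a collision in h_{g,p,y} breaks the discrete log assumption, worked through at toy size. This is an added example, not part of the original notes; the function names and the 12-bit prime are assumptions, and a collision is found by exhaustive search only because p is tiny.

```python
from math import isqrt
import secrets

def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def gen(bits):
    """Gen(1^n): sample a safe prime p = 2q + 1, then g and y in G_q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            break
    g = 1
    while g == 1:                        # g = a^2 != 1 generates G_q (q is prime)
        a = secrets.randbelow(p - 1) + 1
        g = pow(a, 2, p)
    y = pow(g, secrets.randbelow(q), p)  # random element of G_q
    return g, p, y

def h(g, p, y, x, b):
    """h_{g,p,y}(x, b) = y^b * g^x mod p, with x in Z_q and b in {0, 1}."""
    return (pow(y, b, p) * pow(g, x, p)) % p

def dlog_from_collision(p, c1, c2):
    """Turn a collision (x1, b1) != (x2, b2) into log_g(y) mod q."""
    q = (p - 1) // 2
    (x1, b1), (x2, b2) = c1, c2
    if b1 == b2:
        raise ValueError("not a collision: equal b forces equal x")
    # y^b1 g^x1 = y^b2 g^x2  =>  y^(b1-b2) = g^(x2-x1), and b1-b2 is +1 or -1
    return ((x2 - x1) * (b1 - b2)) % q

def find_collision(g, p, y):
    """Exhaustive search over Z_q x {0,1}: 2q inputs land in the q elements of G_q."""
    q, seen = (p - 1) // 2, {}
    for b in (0, 1):
        for x in range(q):
            d = h(g, p, y, x, b)
            if d in seen:
                return seen[d], (x, b)
            seen[d] = (x, b)
```

Any procedure that outputs a collision can be fed into `dlog_from_collision`, which is the reduction behind "under the discrete log assumption, H is a CRHF".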
One-way permutation
If trapdoor permutation exists, then one-way permutation exists.
A one-way permutation is a function that is one-way and returns a permutation of the input.
One-way function
If one-way permutation exists, then one-way function exists.
One-way function is a class of functions that are easy to compute but hard to invert.
Weak one-way function
A weak one-way function is
f:\{0,1\}^n\to \{0,1\}^*
- \exists a P.P.T. that computes f(x),\forall x\in\{0,1\}^n
- \forall a adversaries, \exists \varepsilon(n),\forall n.
P[x\gets \{0,1\}^n;y=f(x):f(a(y,1^n))=y]<1-\frac{1}{p(n)}
The probability of success should not be too close to 1
Strong one-way function
If weak one-way function exists, then strong one-way function exists.
A strong one-way function is
f:\{0,1\}^n\to \{0,1\}^* (n\to \infty)
There is a negligible function \varepsilon (n) such that for any adversary a (n.u.p.p.t)
P[x\gets\{0,1\}^n;y=f(x):f(a(y))=y,a(y)=x']\leq\varepsilon(n)
Probability of guessing correct message is negligible
Hard-core bits
Strong one-way function \iff hard-core bits exist.
A hard-core bit is a bit that is hard to predict given the output of a one-way function.
Pseudorandom generator
If one-way permutation exists, then pseudorandom generator exists.
We can also use pseudorandom generator to construct one-way function.
And hard-core bits can be used to construct pseudorandom generator.
Pseudorandom function
If pseudorandom generator exists, then pseudorandom function exists.
A pseudorandom function is a function that is indistinguishable from a true random function.
Multi-message secure private-key encryption
If pseudorandom function exists, then multi-message secure private-key encryption exists.
A multi-message secure private-key encryption is a function that is secure against an adversary who can see multiple messages.
Single message secure private-key encryption
If multi-message secure private-key encryption exists, then single message secure private-key encryption exists.
Message-authentication code
If pseudorandom function exists, then message-authentication code exists.
Public-key encryption
If Diffie-Hellman assumption holds, and Trapdoor permutation exists, then public-key encryption exists.
Digital signature
A digital signature scheme is a triple (Gen, Sign, Ver) where
- (pk,sk)\gets Gen(1^k) is a p.p.t. algorithm that takes as input a security parameter k and outputs a public key pk and a secret key sk.
- \sigma\gets Sign_{sk}(m) is a p.p.t. algorithm that takes as input a secret key sk and a message m and outputs a signature \sigma.
- Ver_{pk}(m, \sigma) is a deterministic algorithm that takes as input a public key pk, a message m, and a signature \sigma and outputs "Accept" if \sigma is a valid signature for m under pk and "Reject" otherwise.
For all n\in\mathbb{N}, all m\in\mathcal{M}_n.
P[(pk,sk)\gets Gen(1^k); \sigma\gets Sign_{sk}(m); Ver_{pk}(m, \sigma)=\textup{``Accept''}]=1
One-time secure digital signature
Fixed-length one-time secure digital signature
If one-way function exists, then fixed-length one-time secure digital signature exists.