B 504 / I 538:
Introduction to
Cryptography
Spring 2017 • Lecture 20
Ryan Henry
Recall: Modular eth roots
Defn: Let n and e be positive integers and let a∈℥n. Then
b∈℥n is called an eth root of a modulo n if a≡b
??? e mod n.
We write b≡a1/e mod n to indicate that b is an eth root of
a modulo n.
Q: When does a unique solution for a1/e mod n exist?
A: If gcd(e，φ(n))=1, then a1/e≡ad mod n where d≔e-1 mod φ(n)
If gcd(e，φ(n))≠1, then a1/e may or may not exist; if it does
exist, it is not unique
1
Ryan Henry
Recall: The eth root problem
Defn: The eth root problem (aka the RSA problem) is:
Given (n，e，a) such that
1.
n=pq for distinct s-bit primes p and q ,
3.
gcd(e，φ(n))=1,
2.
a∈℥n, and
compute a1/e mod n.
One possible solution: compute d≔e-1 mod φ(n) and output ad mod n
Fact: Computing d≔e-1 mod φ(n) is equivalent to factoring n!
2
Ryan Henry
Recall: Discrete logarithms
Defn: Let G be a group with |G|=n and let g，h∈G. A discrete
logarithm (DL) of h to the base g in G is a number x∈ℤn such
h=gx in G.
that ???
We write x=logg h to indicate that x is a DL of h to the base g
Q: Does the DL of h to the base g always exist?
A: No! But it does always exists if g is a generator of G.
3
Q: If the DL of h to the base g exists, is it unique?
A: Sort of… If x1 and x2 are DLs of h to the base g, then
x1≡x2 mod |g| (i.e., the DL is unique in ℤ|g|).
Ryan Henry
Recall: The DL problem
Defn: The DL problem is:
Given (G，q，g，h) such that
1.
(G，•) is a cyclic group of s-bit prime order q ,
3.
h is an arbitrary element of G,
2.
g is a generator of G, and
compute x≡logg h.
▪ If (G，+) is an additive group, then the DL problem is,
given (G，q，g，h) as above, to compute k such that
4
k·g=h in G.
Ryan Henry
Intractable problems
▪ Intuitively, a problem is intractable if no PPT algorithm
can solve a uniform random instance the problem,
except with negligible probability
Q: How do we formalize the notion of intractability for
problems defined in a finite group?
A: Very carefully…
5
– Algorithm must be PPT in what parameter?
– Success probability must be negligible in what parameter?
– Instance must be uniform random instance from what
sample space?
Ryan Henry
Group generating algorithm
▪ The DL problem is both defined in a finite group ⇒ no
parameter to grow large!
▪ Problem may be easy in some groups and hard in others
Defn: A group generating algorithm Ｇ is a PPT algorithm
that, on input a security parameter 1s∈1ℕ, outputs a
description of a finite group (G，•) with s-bit prime order q
and a fixed generator g∈G.
We write (G，q，g)← Ｇ(1s) to indicate that (G，•) is a group with
s-bit prime order q and generator g, sampled from the
output of Ｇ.
6
Ryan Henry
Group generating algorithm
Idea: Don’t consider problem instances in a particular fixed
group (G，•); rather, consider instances in groups (G，q，g)←Ｇ(1s)
sampled from a fixed group generating algorithm Ｇ!
Q: How do we formalize the notion of intractability for
problems defined in a finite group?
Q1: Algorithm must be PPT in what parameter?
A1: The security parameter s such that (G，q，g)←Ｇ(1s)
Q2: Success probability must be negligible in what parameter?
A2: The security parameter s such that (G，q，g)←Ｇ(1s)
Q3: Instance must be uniform random instance from what sample space?
A3: The set of problem instances in (G，•)
7
Ryan Henry
The DL assumption
1s
Challenger (C)
Attacker (A)
(G，q，g)←Ｇ(1 s)
x∊℥q
h≔gx
1s
(G，q，g，h)
Let E be the event that x≡x’ mod q
Define A’s advantage to be AdvDL,Ｇ(A)≔Pr[E]
x’
Defn: Let Ｇ be a fixed group generating algorithm. The
discrete logarithm (DL) assumption holds with respect to Ｇ
if, for every PPT algorithm A, there exists a negligible
function ε：ℕ→ℝ+ such that AdvDL，Ｇ(A)≤ε(s).
8
Ryan Henry
Average-case hardness of DL
Thm (informal): Let (G，•) be a group with prime order q . If the
DL problem in is hard for some instance, then it is hard for
almost every instance!
Proof (sketch): Assume that it is hard to compute x≡logg h in (G，•)
Idea: Reduce hardness of computing x≡logg h to hardness
of solving a uniform random instance in (G，•)
– Randomize g: (G，q，g，h)→(G，q，gr，h) for r∊℥q
⇒ logg h≡(loggr h)•r mod q
– Randomize h: (G，q，g，h)→(G，q，g，hs) for s∊℥q
⇒ logg h≡(logg hs)•s-1 mod q
9
☐
Ryan Henry
RSA instance generating algorithm
Defn: An RSA instance generating algorithm Ｇ is a PPT
algorithm that, on input a security parameter 1s∈1ℕ,
outputs a pair of distinct s-bit primes (p，q) and e∊℥φ(pq).
We write (p，q，e)← Ｇ(1s) to indicate that s-bit primes (p，q)
and e∈℥φ(pq) are sampled from the output of Ｇ.
10
Ryan Henry
The eth root assumption
1s
Challenger (C)
Attacker (A)
s
(p，q，e)←Ｇ(1 )
1s
N≔p·q
a∊℥N
b≔ae mod N
(N，e，b)
Let E be the event that a≡a’ mod N
Define A’s advantage to be AdvRSA,Ｇ(A)≔Pr[E]
a’
Defn: Let Ｇ be a fixed RSA instance generating algorithm.
The eth root (RSA) assumption holds with respect to Ｇ if,
for every PPT algorithm A, there exists a negligible function
ε：ℕ→ℝ+ such that AdvRSA，Ｇ(A)≤ε(s).
11
Ryan Henry
The RSA trapdoor permutation
Observation: The eth root assumption is qualitatively
different from the DL assumption
– In DL assumption, attacker gets complete output of Ｇ
– In eth root assumption, attacker learns N=p·q but not p
and q; if attacker knows (p，q) the eth root problem is easy!
▪ This is our first example of a trapdoor permutation
with (p，q) being the trapdoor
– More on this later…
12
Ryan Henry
Diffie-Hellman key exchange protocol
What if Alice and Bob don’t
already share a secret ket?
Enc (m)
Bob
Alice
m =?
Eve
13
Ryan Henry
Diffie-Hellman key exchange protocol
a∊℥q
b∊℥q
≔h((gb)a)
≔h((ga)b)
ga
gb
Enc (m)
Bob
Alice
=?
m=?
Eve
14
Suppose (G，q，g)←Ｇ(1s) for some group generating algorithm Ｇ
Ryan Henry
Security of Diffie-Hellman key exchange
Q: Suppose the DL assumption holds with respect to Ｇ.
Is the Diffie-Hellman protocol “secure” in the
presence of an eavesdroppers?
A: Errr…well, probably?
– DL assumption implies that it is hard for an eavesdropper to
compute a from ga or b from gb
– But, is it hard to compute gab from ga and gb?
15
Ryan Henry
Diffie-Hellman assumption
1s
Challenger (C)
Attacker (A)
(G，q，g)←Ｇ(1 s)
a,b∊℥q
h1≔ga,
h2
≔gb
1s
(G，q，g，h1，h2)
Let E be the event that h=gab
Define A’s advantage to be AdvCDH,Ｇ(A)≔Pr[E]
h
Defn: Let Ｇ be a group generating algorithm. The
(computational) Diffie-Hellman (CDH) assumption holds with
respect to Ｇ if, for every PPT algorithm A, there exists a
negligible function ε：ℕ→ℝ+ such that AdvCDH,Ｇ(A)≤ε(s).
16
Ryan Henry
Decision Diffie-Hellman assumption
A tuple (G，q，g，ga，gb，h) is a DH tuple if and only if h=gab
1s∈1ℕ
1s∈1ℕ
Game 0:
(input to A is a DH tuple)
Challenger
(G，q，g)←Ｇ(1 s)
a，b∊℥q
Game 1:
Distinguisher (D)
(G，q，g，ga，gb，gab)
b’∈{0，1}
(input to A is not a DH tuple)
Challenger
(G，q，g)←Ｇ(1 s)
a，b，c∊℥q
Distinguisher (D)
(G，q，g，ga，gb，gc)
Let E be the event that b’=0 in Game 0 or b’=1 in Game 1
17
1s∈1ℕ
Defn: AdvDDH,Ｇ(D)≔|Pr[E]- ½|
1s∈1ℕ
b’∈{0，1}
Ryan Henry
Decision Diffie-Hellman assumption
Defn: Let Ｇ be a group generating algorithm. The Decision
Diffie-Hellman (DDH) assumption holds with respect to Ｇ if,
for every PPT algorithm A, there exists a negligible function
ε：ℕ→ℝ+ such that AdvDDH,Ｇ(A)≤ε(s).
18
Ryan Henry
The DL, CDH, and DDH assumptions
Thm: Let Ｇ be a group generating algorithm.
– Fact 1: If the DDH assumption holds with respect to Ｇ, then
the CDH assumption also holds with respect to Ｇ.
The converse is believed to be false.
– Fact 2: If the CDH assumption holds with respect to Ｇ, then
the DL assumption also holds with respect to Ｇ.
The converse is not known to be true.
19
Ryan Henry
Public-key encryption schemes
Defn: A public-key encryption scheme is a triple of
algorithms (Gen, Enc, Dec) such that
– Gen：1ℕ→Ｋe×Ｋd is a randomized “keypair generation” algorithm;
– Enc：Ｋe×Ｍ→Ｃ is an (often randomized) “encryption” algorithm;
– Dec：Ｋd×Ｃ→Ｍ is a deterministic “decryption” algorithm.
20
Usually write Encke(m) and Deckd(m) instead of Enc(ke,m) and Dec(k d,m)
• Ｋe is the encryption key space (set of possible encryption keys)
• Ｋd is the decryption key space (set of possible decryption keys)
(set of possible messages)
• Ｍ is the message space
(set of possible ciphertexts)
• Ｃ is the ciphertext space
Ryan Henry
Correctness
▪ Intuitively: Correctness is the property of being able to
decrypt (given the appropriate decryption key)
Defn: A public-key encryption scheme (Gen, Enc, Dec) with
message space M is correct if there exists a negligible
function ε：ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈Ｍ,
Pr[Deckd(Encke(m))=m｜(ke,k d)←Gen(1s)]≥1-ε(s)
21
Ryan Henry
That’s all for today, folks!
22
Ryan Henry