6. One-Way Functions and the Basic Assumptions
6.2 Discrete Exponential Function
x3, then . . . .
A typical example is the discrete logarithm assumption in Section 6.2 (Definition 6.1).
The distribution $x_j \leftarrow X_{j,x_1 \ldots x_{j-1}}$ is the conditional distribution of $x_j \in X_{j,x_1 \ldots x_{j-1}}$, assuming $x_1, \ldots, x_{j-1}$. The probability can be computed as follows (we consider $r = 3$ and the case where $A$ computes a function $f$ and $B$ is the predicate $A(x) = f(x)$):
$$
\begin{aligned}
&\mathrm{prob}(A(x_1, x_2, x_3) = f(x_1, x_2, x_3) : x_1 \leftarrow X_1,\ x_2 \leftarrow X_{2,x_1},\ x_3 \leftarrow X_{3,x_1 x_2}) \\
&= \sum_{x_1, x_2, x_3} \mathrm{prob}(x_1, x_2, x_3) \cdot \mathrm{prob}(A(x_1, x_2, x_3) = f(x_1, x_2, x_3)) \\
&= \sum_{x_1 \in X_1} \mathrm{prob}(x_1) \cdot \sum_{x_2 \in X_{2,x_1}} \mathrm{prob}(x_2 \mid x_1) \cdot \sum_{x_3 \in X_{3,x_1 x_2}} \mathrm{prob}(x_3 \mid x_2, x_1) \cdot \mathrm{prob}(A(x_1, x_2, x_3) = f(x_1, x_2, x_3)).
\end{aligned}
$$
Here $\mathrm{prob}(x_2 \mid x_1)$ (resp. $\mathrm{prob}(x_3 \mid x_2, x_1)$) denotes the conditional probability of $x_2$ (resp. $x_3$) assuming $x_1$ (resp. $x_1$ and $x_2$); see Appendix B.1 (p. 328). The last probability, $\mathrm{prob}(A(x_1, x_2, x_3) = f(x_1, x_2, x_3))$, is the probability that the coin tosses of $A$ on input $(x_1, x_2, x_3)$ yield the result $f(x_1, x_2, x_3)$.
In Section 5.1, we introduced the image $p_Y$ of the distribution $p_X$ under a probabilistic algorithm $A$ from $X$ to $Y$. We have
$$p_Y(y) = \mathrm{prob}(A(x) = y : x \xleftarrow{p_X} X) \quad \text{for each } y \in Y.$$
For each $x \in X$, we have the distribution $p_{A(x)}$ on $Y$:
$$p_{A(x)}(y) = \mathrm{prob}(A(x) = y).$$
We write $y \leftarrow A(x)$ instead of $y \xleftarrow{p_{A(x)}} Y$. This notation suggests that $y$ is generated by the random variable $A(x)$. With this notation, we have
$$\mathrm{prob}(A(x) = f(x) : x \leftarrow X) = \mathrm{prob}(f(x) = y : x \leftarrow X,\ y \leftarrow A(x)).$$
6.2 Discrete Exponential Function
The notion of one-way functions can be precisely defined using probabilistic algorithms. As a first example we consider the discrete exponential function. Let $I := \{(p, g) \mid p \text{ a prime number},\ g \in \mathbb{Z}_p^* \text{ a primitive root}\}$. We call the family of discrete exponential functions the Exp family. Since $g$ is a primitive root, $\mathrm{Exp}_{p,g}$ is an isomorphism between the additive group $\mathbb{Z}_{p-1}$ and the multiplicative group $\mathbb{Z}_p^*$. The family of inverse functions
$$\mathrm{Log} := (\mathrm{Log}_{p,g} : \mathbb{Z}_p^* \longrightarrow \mathbb{Z}_{p-1})_{(p,g) \in I}$$
is called the Log family.
The algorithm of modular exponentiation computes $\mathrm{Exp}_{p,g}(x)$ efficiently (see Algorithm A.26). It is unknown whether an efficient algorithm for the computation of the discrete logarithm function exists. All known algorithms have exponential running time, and it is widely believed that, in general, $\mathrm{Log}_{p,g}$ is not efficiently computable. We state this assumption on the one-way property of the Exp family by means of probabilistic algorithms.
Definition 6.1. Let $I_k := \{(p, g) \in I \mid |p| = k\}$, with $k \in \mathbb{N}$, and let $Q(X) \in \mathbb{Z}[X]$ be a positive polynomial. Let $A(p, g, y)$ be a probabilistic polynomial algorithm. Then there exists a $k_0 \in \mathbb{N}$, such that
$$\mathrm{prob}(A(p, g, y) = \mathrm{Log}_{p,g}(y) : (p, g) \xleftarrow{u} I_k,\ y \xleftarrow{u} \mathbb{Z}_p^*) \le \frac{1}{Q(k)} \quad \text{for } k \ge k_0.$$
This is called the discrete logarithm assumption.
Remarks:
1. The probabilistic algorithm $A$ models an attacker who tries to compute the discrete logarithm or, equivalently, to invert the discrete exponential function. The discrete logarithm assumption essentially states that for a sufficiently large size $k$ of the modulus $p$, the probability of $A$ successfully computing $\mathrm{Log}_{p,g}(y)$ is smaller than $1/Q(k)$. This means that Exp cannot be inverted by $A$ for all but a negligible fraction of the inputs. Therefore, we call Exp a family of one-way functions. The term “negligible” is explained more precisely in a subsequent remark.
2. When we use the discrete exponential function in a cryptographic scheme, such as ElGamal’s encryption scheme (see Section 3.5.1), selecting a function $\mathrm{Exp}_{p,g}$ from the family means to choose a public key $i = (p, g)$ (actually, $i$ may be only one part of the key).
3. The index set $I$ is partitioned into disjoint subsets: $I = \bigcup_{k \in \mathbb{N}} I_k$. $k$ may be considered as the security parameter of $i = (p, g) \in I_k$. The one-way property requires a sufficiently large security parameter. The security parameter is closely related to the binary length of $i$. Here, $k = |p|$ is half the length of $i$.
4. The probability in the discrete logarithm assumption is also taken over the random choice of a key $i$ with a given security parameter $k$. Hence, the meaning of the probability statement is: choosing both the key $i = (p, g)$ with security parameter $k$ and $y = g^x$ randomly, the probability that $A$ correctly computes the logarithm $x$ from $y$ is small. The statement is not related to a particular key $i$. In practice, however, a public key is chosen and then fixed for a long time, and it is known to the adversary. Thus, we are interested in the conditional probability of success, assuming a fixed public key $i$. Even if the security parameter $k$ is very large, there may be keys $(p, g)$ such that $A$ correctly computes $\mathrm{Log}_{p,g}(y)$ with a significant chance. However, as we will see below, the number of such keys $(p, g)$ is negligibly small compared to all keys with security parameter $k$. Choosing $(p, g)$ at random (and uniformly) from $I_k$, the probability of obtaining one for which $A$ has a significant chance of success is negligibly small (see Proposition 6.3 for a precise statement). Indeed, if $p - 1$ has only small prime factors, an efficient algorithm developed by Pohlig and Hellman computes the discrete logarithm function (see [PohHel78]).
Remark. In this book, we often consider families $\varepsilon = (\varepsilon_k)_{k \in \mathbb{N}}$ of quantities $\varepsilon_k \in \mathbb{R}$, such as the probabilities in the discrete logarithm assumption. We call them negligible or negligibly small if, for every positive polynomial $Q \in \mathbb{Z}[X]$, there is a $k_0 \in \mathbb{N}$, such that $|\varepsilon_k| \le 1/Q(k)$ for $k \ge k_0$. “Negligible” means that the absolute value is asymptotically smaller than any polynomial bound.
Remark. In order to simplify, definitions and results are often stated asymptotically (as the discrete logarithm assumption or the notion of negligible quantities). Polynomial running times or negligible probabilities are not specified more precisely, even if it were possible. A typical situation is as follows. A cryptographic scheme is based on a one-way function $f$ (e.g. the Exp family). Let $g$ be a function that describes a property of the cryptographic scheme (e.g. $g$ predicts the next bit of the discrete exponential pseudorandom bit generator; see Chapter 8). It is desirable that this property $g$ cannot be efficiently computed by an adversary. Sometimes, this can be proven. Typically a proof runs by a contradiction. We assume that a probabilistic polynomial algorithm $A_1$ which successfully computes $g$ with probability $\varepsilon_1$ is given. Then, a probabilistic polynomial algorithm $A_2$ is constructed which calls $A_1$ as a subroutine and inverts the underlying one-way function $f$, with probability $\varepsilon_2$. Such an algorithm is called a polynomial-time reduction of $f$ to $g$. If $\varepsilon_2$ is non-negligible, we get a contradiction to the one-way assumption (e.g. the discrete logarithm assumption).
In our example, a typical statement would be as follows. If discrete logarithms cannot be computed in polynomial time with non-negligible probability (i.e., if the discrete logarithm assumption is true), then a polynomial-time adversary cannot predict, with non-negligible probability, the next bit of the discrete exponential pseudorandom bit generator.
Actually, in many cases the statement could be made more precise, by performing a detailed analysis of the reduction algorithm $A_2$. The running time of $A_2$ can be described as an explicit function of $\varepsilon_1$, $\varepsilon_2$ and the running time of $A_1$ (see, e.g., the results in Chapter 7).
As in the Exp example, we often meet families of functions indexed on a set of keys which may be partitioned according to a security parameter. Therefore we propose the notion of indexes, whose binary lengths are measured by a security parameter as specified more precisely by the following definition.
Definition 6.2. Let $I = \bigcup_{k \in \mathbb{N}} I_k$ be an infinite index set which is partitioned into finite disjoint subsets $I_k$. Assume that the indexes are binarily encoded. As always, we denote by $|i|$ the binary length of $i$.
$I$ is called a key set with security parameter $k$ or an index set with security parameter $k$, if:
1. The security parameter $k$ of $i \in I$ can be derived from $i$ by a deterministic polynomial algorithm.
2. There is a constant $m \in \mathbb{N}$, such that $k^{1/m} \le |i| \le k^m$ for $i \in I_k$.
We usually write $I = (I_k)_{k \in \mathbb{N}}$ instead of $I = \bigcup_{k \in \mathbb{N}} I_k$.
Remarks:
1. The second condition means that the security parameter $k$ is a measure for the binary length $|i|$ of the elements $i \in I_k$. In particular, statements such as:
(1) “There is a polynomial $P$ with $\ldots \le P(|i|)$”, or
(2) “For every positive polynomial $Q$, there is a $k_0 \in \mathbb{N}$, such that $\ldots \le 1/Q(|i|)$ for $|i| \ge k_0$”,
are equivalent to the corresponding statements in which $|i|$ is replaced by the security parameter $k$. In almost all of our examples, we have $k \le |i| \le 3k$ for $i \in I_k$.
2. The index set $I$ of the Exp family is a key set with security parameter. As with all indexes occurring in this book, the indexes of the Exp family consist of numbers in $\mathbb{N}$ or residues in some residue class ring $\mathbb{Z}_n$. Unless otherwise stated, we consider them as binarily encoded in the natural way (see Appendix A): the binary encoding of $x \in \mathbb{N}$ is its standard encoding as an unsigned number, and the encoding of a residue class $[a] \in \mathbb{Z}_n$ is the encoding of its representative $x$ with $0 \le x \le n - 1$.
3. If $I = \bigcup_{k \in \mathbb{N}} I_k$ satisfies only the second condition, then we can easily modify it and turn it into a key set with a security parameter, which also satisfies the first condition. Namely, let $\tilde{I}_k := \{(i, k) \mid i \in I_k\}$ and replace $I$ by $\tilde{I} := \bigcup_{k \in \mathbb{N}} \tilde{I}_k$.
In the discrete logarithm assumption, we do not consider a single fixed key $i$: the probability is also taken over the random choice of the key. In the following proposition, we relate this average probability to the conditional probabilities, assuming a fixed key.
Proposition 6.3. Let $I = (I_k)_{k \in \mathbb{N}}$ be a key set with security parameter $k$. Let $f = (f_i : X_i \longrightarrow Y_i)_{i \in I}$ be a family of functions and $A$ be a probabilistic polynomial algorithm with inputs $i \in I$ and $x \in X_i$ and output in $Y_i$. Assume that probability distributions are given on $I_k$ and $X_i$ for all $k, i$ (e.g. the uniform distributions). Then the following statements are equivalent:
1. For every positive polynomial $P$, there is a $k_0 \in \mathbb{N}$, such that for all $k \ge k_0$
$$\mathrm{prob}(A(i, x) = f_i(x) : i \leftarrow I_k,\ x \leftarrow X_i) \le \frac{1}{P(k)}.$$
2. For all positive polynomials $Q$ and $R$, there is a $k_0 \in \mathbb{N}$, such that for all $k \ge k_0$
$$\mathrm{prob}\left(\left\{ i \in I_k \;\middle|\; \mathrm{prob}(A(i, x) = f_i(x) : x \leftarrow X_i) > \frac{1}{Q(k)} \right\}\right) \le \frac{1}{R(k)}.$$
Proof. Let
$$p_i := \mathrm{prob}(A(i, x) = f_i(x) : x \leftarrow X_i)$$
be the conditional probability of success of $A$ assuming a fixed $i$.
We first prove that statement 2 implies statement 1. Let $P$ be a positive polynomial. By statement 2, there is some $k_0 \in \mathbb{N}$ such that for all $k \ge k_0$
$$\mathrm{prob}\left(\left\{ i \in I_k \;\middle|\; p_i > \frac{1}{2P(k)} \right\}\right) \le \frac{1}{2P(k)}.$$
Hence
$$
\begin{aligned}
\mathrm{prob}(A(i, x) = f_i(x) : i \leftarrow I_k,\ x \leftarrow X_i) &= \sum_{i \in I_k} \mathrm{prob}(i) \cdot p_i \\
&= \sum_{p_i \le 1/(2P(k))} \mathrm{prob}(i) \cdot p_i + \sum_{p_i > 1/(2P(k))} \mathrm{prob}(i) \cdot p_i \\
&\le \sum_{p_i \le 1/(2P(k))} \mathrm{prob}(i) \cdot \frac{1}{2P(k)} + \sum_{p_i > 1/(2P(k))} \mathrm{prob}(i) \cdot 1 \\
&= \mathrm{prob}\left(\left\{ i \in I_k \;\middle|\; p_i \le \frac{1}{2P(k)} \right\}\right) \cdot \frac{1}{2P(k)} + \mathrm{prob}\left(\left\{ i \in I_k \;\middle|\; p_i > \frac{1}{2P(k)} \right\}\right) \\
&\le \frac{1}{2P(k)} + \frac{1}{2P(k)} = \frac{1}{P(k)}, \quad \text{for } k \ge k_0.
\end{aligned}
$$
Conversely, assume that statement 1 holds. Let $Q$ and $R$ be positive polynomials. Then there is a $k_0 \in \mathbb{N}$ such that for all $k \ge k_0$
$$
\begin{aligned}
\frac{1}{Q(k)R(k)} &\ge \mathrm{prob}(A(i, x) = f_i(x) : i \leftarrow I_k,\ x \leftarrow X_i) = \sum_{i \in I_k} \mathrm{prob}(i) \cdot p_i \\
&\ge \sum_{p_i > 1/Q(k)} \mathrm{prob}(i) \cdot p_i > \frac{1}{Q(k)} \cdot \mathrm{prob}\left(\left\{ i \in I_k \;\middle|\; p_i > \frac{1}{Q(k)} \right\}\right).
\end{aligned}
$$
This inequality implies statement 2. $\square$
Remark. A nice feature of the discrete logarithm problem is that it is random self-reducible. This means that solving the problem for arbitrary inputs can be reduced to solving the problem for randomly chosen inputs. More precisely, let $(p, g) \in I_k := \{(p, g) \mid p \text{ a prime},\ |p| = k,\ g \in \mathbb{Z}_p^* \text{ a primitive root}\}$. Assume that there is a probabilistic polynomial algorithm $A$, such that
$$\mathrm{prob}(A(p, g, y) = \mathrm{Log}_{p,g}(y) : y \xleftarrow{u} \mathbb{Z}_p^*) > \frac{1}{Q(k)} \tag{6.1}$$
for some positive polynomial $Q$; i.e., $A(p, g, y)$ correctly computes the discrete logarithm with a non-negligible probability if the input $y$ is randomly selected. Since $y$ is chosen uniformly, we may rephrase this statement: $A(p, g, y)$ correctly computes the discrete logarithm for a polynomial fraction of inputs $y \in \mathbb{Z}_p^*$.
Then, however, there is also a probabilistic polynomial algorithm $\tilde{A}$ which correctly computes the discrete logarithm for every input $y \in \mathbb{Z}_p^*$, with an overwhelmingly high probability. Namely, given $y \in \mathbb{Z}_p^*$, we apply a slight modification $A_1$ of $A$. On input $(p, g, y)$, $A_1$ randomly selects $r \xleftarrow{u} \mathbb{Z}_{p-1}$ and returns
$$A_1(p, g, y) := (A(p, g, y g^r) - r) \bmod (p - 1).$$
Then $\mathrm{prob}(A_1(p, g, y) = \mathrm{Log}_{p,g}(y)) > 1/Q(k)$ for every $y \in \mathbb{Z}_p^*$. Now we can apply Proposition 5.7. For every positive polynomial $P$, we obtain – by repeating the computation of $A_1(p, g, y)$ a polynomial number of times and by checking each time whether the result is correct – a probabilistic polynomial algorithm $\tilde{A}$, with
$$\mathrm{prob}(\tilde{A}(p, g, y) = \mathrm{Log}_{p,g}(y)) > 1 - 2^{-P(k)}, \quad \text{for every } y \in \mathbb{Z}_p^*.$$
The existence of a random self-reduction enhances the credibility of the discrete logarithm assumption. Namely, assume that the discrete logarithm assumption is not true. Then by Proposition 6.3 there is a probabilistic polynomial algorithm $A$, such that for infinitely many $k$, the inequality (6.1) holds for a polynomial fraction of keys $(p, g)$; i.e.,
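The random self-reduction $A_1$ and the repeat-and-check amplification $\tilde{A}$ from the remark above, as an added Python example that is not part of the book. The oracle `weak_log_oracle` is a constructed stand-in for $A$ that answers correctly only on a fixed quarter of $\mathbb{Z}_p^*$ (it brute-forces the toy prime $p = 1019$, which models rather than implements $A$); the toy parameters and all function names are assumptions.

```python
import random

def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(p, g):
    """(p, g) lies in the index set I iff g generates all of Z_p^*."""
    return 1 <= g < p and all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def exp_pg(p, g, x):
    """Exp_{p,g}: Z_{p-1} -> Z_p^*, x |-> g^x mod p."""
    return pow(g, x % (p - 1), p)

def weak_log_oracle(p, g, y):
    """Constructed stand-in for A: correct only for y < p/4 (a polynomial fraction
    of Z_p^*), otherwise answers 0. Brute force only because p is tiny."""
    if y < p // 4:
        return next(x for x in range(p - 1) if exp_pg(p, g, x) == y)
    return 0

def self_reduced_log(p, g, y, rng):
    """A_1(p, g, y) = (A(p, g, y * g^r) - r) mod (p - 1), r uniform in Z_{p-1}.
    y * g^r is uniform in Z_p^*, so A succeeds with its average rate for every y."""
    r = rng.randrange(p - 1)
    return (weak_log_oracle(p, g, y * exp_pg(p, g, r) % p) - r) % (p - 1)

def amplified_log(p, g, y, tries=80, seed=0):
    """A~: repeat A_1 and return the first candidate x passing the check g^x = y;
    the check is what lets repetition push the error below 2^-P(k). None if all fail."""
    rng = random.Random(seed)
    for _ in range(tries):
        x = self_reduced_log(p, g, y, rng)
        if exp_pg(p, g, x) == y:
            return x
    return None

def direct_success_fraction(p, g):
    """Fraction of y in Z_p^* on which the weak oracle alone is correct."""
    hits = sum(exp_pg(p, g, weak_log_oracle(p, g, y)) == y for y in range(1, p))
    return hits / (p - 1)
```

With the toy oracle right on roughly a quarter of inputs, `amplified_log` recovers the logarithm of every $y \in \mathbb{Z}_{1019}^*$, which is exactly the "polynomial fraction of inputs" to "every input" step of the remark.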