Public key cryptography

Proposition 7.7 The problems ELGAMAL and DIFFIE–HELLMAN are Turing equivalent.

Proof: Suppose we have an algorithm for DIFFIE–HELLMAN. Then given an Elgamal public key $(p, g, g^x \bmod p)$ and cryptogram $(k, d)$ we have $k = g^y \bmod p$ and so using our algorithm for DIFFIE–HELLMAN we can compute $g^{xy} \bmod p$.

We can then easily find the inverse of $g^{xy} \bmod p$ using Euclid's algorithm and hence recover the message $M = d\,(g^{xy})^{-1} \bmod p$ as required.

Conversely suppose we have an algorithm for ELGAMAL. If we are given $(p, g, g^x \bmod p, g^y \bmod p)$ then we can use the algorithm for ELGAMAL to decrypt the cryptogram $(g^y \bmod p, 1)$, encrypted with the Elgamal public key $(p, g, g^x \bmod p)$.

This algorithm will then return the corresponding message, which is $(g^{xy})^{-1} \bmod p$ since $1 = M g^{xy} \bmod p$. Using Euclid's algorithm we can then find the inverse of $(g^{xy})^{-1} \bmod p$ to give $g^{xy} \bmod p$ as required.

Hence ELGAMAL and DIFFIE–HELLMAN are Turing equivalent. $\square$

As with the relationship between RSA and factorisation it is not known whether breaking the Elgamal cryptosystem is equivalent to solving the discrete logarithm problem.

One obvious security advantage of the Elgamal cryptosystem over RSA is that if the same message is sent twice then it is highly unlikely that the same cryptogram will be used on both occasions. (This is due to the use of randomness in the encryption process. We will consider other cryptosystems with this property in Chapter 10.)
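The two reductions in the proof of Proposition 7.7, together with the randomised encryption just mentioned, exercised on a toy group. This is an added example supplied by the editor, not code from the book. The parameters are constructed: $p = 467$ is a safe prime ($467 = 2 \cdot 233 + 1$) and $g = 2$ is a primitive root mod $p$. The DIFFIE–HELLMAN and ELGAMAL algorithms that the proof assumes to exist are played here by brute-force discrete-logarithm routines, which is feasible only because $p$ is tiny; the two reduction functions themselves never look inside those solvers, exactly as in the proof.

```python
"""Proposition 7.7 exercised on a toy group.  Editor-supplied example, not from the book.

Constructed parameters: P = 467 is a safe prime (467 = 2*233 + 1) and G = 2 is a
primitive root mod P.  The DIFFIE-HELLMAN and ELGAMAL solvers the proof assumes are
played by brute-force discrete-log routines, feasible only because P is tiny.
"""
import secrets

P = 467   # constructed safe prime
G = 2     # primitive root mod 467: 2^2 != 1 and 2^233 != 1 (mod 467)


def brute_force_dlog(h: int) -> int:
    """Return x with G^x = h (mod P) by exhaustive search over the group order."""
    acc = 1
    for x in range(P - 1):
        if acc == h:
            return x
        acc = acc * G % P
    raise ValueError("h is not in the group generated by G")


# --- the two 'given' algorithms of the proof (stood in for by brute force) ---

def dh_solver(gx: int, gy: int) -> int:
    """DIFFIE-HELLMAN: (g^x, g^y) -> g^{xy}."""
    return pow(gy, brute_force_dlog(gx), P)


def elgamal_solver(pub: int, ctxt: tuple[int, int]) -> int:
    """ELGAMAL: decrypt (k, d) under public key g^x without being given x."""
    k, d = ctxt
    return d * pow(pow(k, brute_force_dlog(pub), P), -1, P) % P


# --- honest Elgamal, used to produce real cryptograms -------------------------

def keygen() -> tuple[int, int]:
    """Return (x, g^x mod p): Bob's private exponent and public value."""
    x = secrets.randbelow(P - 2) + 1            # 1 <= x <= p-2
    return x, pow(G, x, P)


def encrypt(pub: int, m: int) -> tuple[int, int]:
    """Cryptogram (k, d) = (g^y, M * (g^x)^y) with a fresh random y on every call."""
    if not 1 <= m < P:
        raise ValueError("message must lie in Z_p^*")
    y = secrets.randbelow(P - 2) + 1
    return pow(G, y, P), m * pow(pub, y, P) % P


def decrypt(priv: int, ctxt: tuple[int, int]) -> int:
    k, d = ctxt
    return d * pow(pow(k, priv, P), -1, P) % P


# --- the reductions of Proposition 7.7 ---------------------------------------

def break_elgamal_with_dh(pub: int, ctxt: tuple[int, int]) -> int:
    """First direction: k = g^y, so the DH solver on (g^x, k) yields g^{xy};
    invert it (Euclid, here pow(.., -1, P)) and M = d * (g^{xy})^{-1} mod p."""
    k, d = ctxt
    shared = dh_solver(pub, k)
    return d * pow(shared, -1, P) % P


def solve_dh_with_elgamal(gx: int, gy: int) -> int:
    """Second direction: decrypting the cryptogram (g^y, 1) under key g^x returns
    M with 1 = M * g^{xy}, i.e. (g^{xy})^{-1}; inverting it gives g^{xy}."""
    m_inv = elgamal_solver(gx, (gy, 1))
    return pow(m_inv, -1, P)


def demo(m: int = 42) -> dict:
    """Run both reductions against a real key and show that encryption is randomised."""
    x, h = keygen()
    ctxt = encrypt(h, m)
    x2, h2 = keygen()
    return {
        "decrypt_ok": decrypt(x, ctxt) == m,
        "dh_breaks_elgamal": break_elgamal_with_dh(h, ctxt) == m,
        "elgamal_solves_dh": solve_dh_with_elgamal(h, h2) == pow(G, x * x2, P),
        # five encryptions of the same M all coincide only with probability ~ (1/465)^4
        "randomised": len({encrypt(h, m) for _ in range(5)}) > 1,
    }


if __name__ == "__main__":
    print(demo())
```

The `randomised` entry is the point made in the paragraph above: with a fresh $y$ per encryption the same message yields different cryptograms, so an eavesdropper cannot even tell that two cryptograms carry the same plaintext, something deterministic textbook RSA does not offer.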

Exercise 7.3b

(a) Let $p$ be a prime. Describe a polynomial time algorithm for checking whether $h \in \mathbb{Z}_p^*$ is a primitive root mod $p$, given $h$, $p$ and the prime factorisation of $p - 1$.


(b) A prime $q$ such that $p = 2q + 1$ is also prime is called a Sophie Germain prime, while $p$ is said to be a safe prime. It is conjectured that there are infinitely many Sophie Germain primes and that if $\pi_S(x)$ denotes the number of such primes less than or equal to $x$ then

$$\pi_S(x) \sim \frac{C\,x}{(\log x)^2},$$

where $C \approx 1.3203$. Assuming that this conjecture is true describe a probabilistic algorithm with polynomial expected running time for generating an Elgamal key.
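One way to carry out both parts of the exercise, as an added example written by the editor (it is not the book's own solution). Part (a) is the standard test: $h$ generates $\mathbb{Z}_p^*$ exactly when $h^{(p-1)/q} \ne 1 \pmod p$ for every prime $q \mid p-1$, which costs one modular exponentiation per distinct prime factor. Part (b) samples candidate $q$ until both $q$ and $2q+1$ pass a Miller–Rabin test; over a safe prime the factorisation of $p-1$ is simply $\{2, q\}$, so the test from part (a) is immediately available for choosing the generator. The Miller–Rabin routine and the bit-size bookkeeping are the editor's choices.

```python
"""Exercise 7.3b worked in code.  Editor-supplied example, not the book's solution."""
import secrets

# Primes below 200 for a cheap trial-division sieve in front of Miller-Rabin.
SMALL_PRIMES = [n for n in range(2, 200) if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin: a composite n survives each round with probability <= 1/4."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2            # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                            # a is a witness for compositeness
    return True


def is_primitive_root(h: int, p: int, prime_factors_of_p_minus_1) -> bool:
    """Part (a): h is a primitive root mod p iff h^((p-1)/q) != 1 (mod p) for every
    prime q dividing p-1.  One modular exponentiation per factor, so polynomial in log p."""
    if not 1 <= h < p:
        return False
    return all(pow(h, (p - 1) // q, p) != 1 for q in set(prime_factors_of_p_minus_1))


def generate_safe_prime(bits: int) -> tuple[int, int]:
    """Part (b): sample odd q of bits-1 bits until q and p = 2q+1 are both probable primes.
    Under the conjecture pi_S(x) ~ C x / (log x)^2 a random candidate succeeds with
    probability about C / (log x)^2, so the expected number of trials, and hence the
    expected running time, is polynomial in bits.  Returns (p, q)."""
    if bits < 8:
        raise ValueError("use at least 8 bits")
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # exact length, odd
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def elgamal_keygen(bits: int) -> tuple[tuple[int, int, int], int]:
    """Elgamal key over a safe prime: p-1 = 2q, so the primitive-root test of part (a)
    only needs the factor list [2, q].  Returns ((p, g, g^x mod p), x)."""
    p, q = generate_safe_prime(bits)
    while True:
        g = secrets.randbelow(p - 3) + 2            # 2 <= g <= p-2; about half are generators
        if is_primitive_root(g, p, [2, q]):
            break
    x = secrets.randbelow(p - 2) + 1                # 1 <= x <= p-2
    return (p, g, pow(g, x, p)), x


if __name__ == "__main__":
    (p, g, h), x = elgamal_keygen(64)
    print(f"p={p} g={g} h={h} x={x}")
```

Note that `generate_safe_prime` tests $q$ before $2q+1$ deliberately: most candidates fail the first test at the small-prime sieve, so the more expensive second test runs rarely. In production code the primality test would be replaced by a library routine and the bit size would be far larger, but the structure of the algorithm is unchanged.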

7.5 Public key cryptosystems as trapdoor functions

Having seen some examples of public key cryptosystems we will now attempt to formalise the properties we would like them to possess in general.

We start by noting that a cryptosystem is not a single function. Rather it is a family of functions. For example the RSA cryptosystem defines the family of functions

$$\mathrm{RSA}_{n,e} : \mathbb{Z}_n \to \mathbb{Z}_n, \qquad \mathrm{RSA}_{n,e}(x) = x^e \bmod n,$$

where $n = pq$ is the product of two primes and $e$ is coprime to $(p-1)(q-1)$. We attempt to capture the concept of a public key cryptosystem using the following definition of a family of trapdoor functions

$$\mathcal{F} = \{\, f_i : D_i \to D_i \mid i \in I \,\}.$$

The different properties of the family correspond to the different properties we require of a public key cryptosystem. Namely setup, encryption and decryption should all be easy but breaking the system should be hard.

(1) Setup. First Bob chooses a key length $k$. Once he has done this there should be a probabilistic polynomial time algorithm for 'key generation'. This should take an input $1^k$, where $k$ is the key length, and output a pair $(i, t_i)$ where $i \in_R I \cap \{0,1\}^k$ is Bob's public key of size $k$ and $t_i$ is the corresponding trapdoor, Bob's private key.

So in the case of RSA $i$ would be a public key pair $(n, e)$ and $t_i$ would be the corresponding private key $d$. (Note that to obtain a public key of size $k$ Bob should choose two $(k/4)$-bit primes. This would then ensure that his public modulus $n$ has size $k/2$ and his public exponent $e$ has size at most $k/2$, so his public key $(n, e)$ has size $k$.)


(2) Encryption. There should be a probabilistic polynomial time algorithm that given a public key $i \in I$ and a message $M \in D_i$ outputs the cryptogram $C = f_i(M)$. This ensures that Alice can easily encrypt any message $M \in D_i$, given Bob's public key.

In the case of RSA this is simply exponentiation by the public exponent $e$ mod $n$.

(3) Decryption. Since Bob needs to be able to decrypt there should exist a probabilistic polynomial time algorithm that given the cryptogram $C = f_i(M)$, the public key $i$ and the trapdoor (or private key) $t_i$ outputs the message $M$.

In the case of RSA this is simply exponentiation by the private key $d$ mod $n$.

(4) Security. Recovering the message should be difficult for Eve.

Recalling our definition of a one-way function we formulate this as follows. For any probabilistic polynomial time algorithm $A$, the probability that $A$ successfully inverts a cryptogram $C = f_i(M)$, where $M$ is a random message and $i$ is a random public key of size $k$, is negligible. Formally we have

$$\Pr\big[\, f_i(A(i, C)) = C \;\big|\; i \in_R I \cap \{0,1\}^k,\ M \in_R D_i,\ f_i(M) = C \,\big] \le \mathrm{neg}(k).$$

So under what type of intractability assumption would the RSA cryptosystem give a family of trapdoor functions?

We need to assume that any adversary with a polynomial time probabilistic algorithm has a negligible chance of recovering a message from a cryptogram, given that both the public key and the message were chosen at random. Formally we have the following.
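The four requirements of Section 7.5 instantiated for RSA, as an added example written by the editor (not code from the book). It keeps the book's bookkeeping for setup (input $1^k$, two $(k/4)$-bit primes, a public key of size at most $k$) and then runs the experiment behind requirement (4), estimating $\Pr[f_i(A(i,C)) = C]$ over random keys and random messages for two constructed adversaries: a random guesser, and an exhaustive search over $D_i$ that is not polynomial in $k$ but wins outright when $k$ is tiny, which is why the definition is asymptotic in $k$. Key sizes are toy-sized throughout, so trial division is used for primality; the adversary names and the Monte Carlo helper are the editor's.

```python
"""RSA as a family of trapdoor functions (Section 7.5).  Editor-supplied example.

Toy key sizes: k = 64 gives 16-bit primes, so trial division is enough for primality.
"""
import secrets
from math import gcd, isqrt


def is_prime(n: int) -> bool:
    """Trial division; adequate only for the (k/4)-bit primes of this toy."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def random_prime(bits: int) -> int:
    """Uniform-ish random prime of exactly `bits` bits (top bit forced, odd)."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c):
            return c


def keygen(k: int) -> tuple[tuple[int, int], int]:
    """(1) Setup on input 1^k: two (k/4)-bit primes give a modulus of size k/2 and an
    exponent e < phi(n) of size at most k/2.  Returns (i, t_i) = ((n, e), d)."""
    p = random_prime(k // 4)
    q = random_prime(k // 4)
    while q == p:
        q = random_prime(k // 4)
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        e = secrets.randbelow(phi - 2) + 2        # 2 <= e < phi(n)
        if gcd(e, phi) == 1:
            break
    return (n, e), pow(e, -1, phi)


def f(i: tuple[int, int], m: int) -> int:
    """(2) Encryption f_i(M) = M^e mod n: needs only the public key i."""
    n, e = i
    return pow(m, e, n)


def invert(i: tuple[int, int], t: int, c: int) -> int:
    """(3) Decryption: needs the trapdoor t_i = d."""
    n, _ = i
    return pow(c, t, n)


def public_key_size(i: tuple[int, int]) -> int:
    n, e = i
    return n.bit_length() + e.bit_length()


def guessing_adversary(i: tuple[int, int], c: int) -> int:
    """A PPT adversary with no trapdoor: outputs a random element of D_i = Z_n."""
    return secrets.randbelow(i[0])


def brute_force_adversary(i: tuple[int, int], c: int) -> int:
    """Exhaustive search over D_i.  Polynomial in n but exponential in k, so it is
    not a PPT adversary in the sense of (4); it still wins outright for tiny k."""
    n, _ = i
    return next(m for m in range(n) if f(i, m) == c)


def inversion_probability(k: int, adversary, trials: int = 500) -> float:
    """(4) Monte Carlo estimate of Pr[f_i(A(i, C)) = C] over random i of size k
    and random M in D_i, the event in the security definition."""
    wins = 0
    for _ in range(trials):
        i, _t = keygen(k)
        m = secrets.randbelow(i[0])
        c = f(i, m)
        if f(i, adversary(i, c)) == c:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("k=64 guessing:", inversion_probability(64, guessing_adversary))
    print("k=16 brute force:", inversion_probability(16, brute_force_adversary, 20))
```

The success event is checked as $f_i(A(i,C)) = C$ rather than $A(i,C) = M$, exactly as the definition states; for RSA the two coincide because $f_i$ is a permutation of $\mathbb{Z}_n$, but the definition is phrased so that it also covers families where several preimages exist.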