
4. Cryptographic Protocols

4.5 Digital Cash

4.5.3 Underlying Problems

The Representation Problem. Let $p$ and $q$ be large primes such that $q$ divides $p-1$. Let $G_q$ be the subgroup of order $q$ in $\mathbb{Z}_p^*$. Let $r \geq 2$ and let $g_1, \ldots, g_r$ be pairwise distinct generators of $G_q$.$^{10}$ Then $g = (g_1, \ldots, g_r) \in G_q^r$ is called a generator of length $r$. Let $y \in G_q$. $a = (a_1, \ldots, a_r) \in \mathbb{Z}_q^r$ is a representation of $y$ (with respect to $g$) if

$$y = \prod_{i=1}^{r} g_i^{a_i}.$$

To represent $y$, the elements $a_1, \ldots, a_{r-1}$ can be chosen arbitrarily; $a_r$ is then uniquely determined. Therefore, each $y \in G_q$ has $q^{r-1}$ different representations. Given $y$, the probability that a randomly chosen $a \in \{0, \ldots, q-1\}^r$ is a representation of $y$ is only $1/q$.

Proposition 4.21. Assume that it is infeasible to compute discrete logarithms in $G_q$. Then no polynomial algorithm can exist which, on input of a randomly chosen generator of length $r \geq 2$, outputs $y \in G_q$ and two different representations of $y$.

$^{10}$ Note that every element of $G$


Proof. Assume that such an algorithm exists. On input of a randomly chosen generator, it outputs $y \in G_q$ and two different representations $a = (a_1, \ldots, a_r)$ and $b = (b_1, \ldots, b_r)$ of $y$. Then $a - b$ is a non-trivial representation of $[1]$. Thus, we have a polynomial algorithm $A$ which on input of a randomly chosen generator outputs a non-trivial representation of $[1]$. We may use $A$ to define an algorithm $B$ that on input of $g \in G_q$, $g \neq [1]$, and $z \in G_q$, computes the discrete logarithm of $z$ with respect to $g$.

Algorithm 4.22.

int B(int g, z)
  repeat
    select $i \in \{1, \ldots, r\}$ and
    $u_j \in \{1, \ldots, q-1\}$, $1 \leq j \leq r$, uniformly at random
    $g_i \leftarrow z^{u_i}$, $g_j \leftarrow g^{u_j}$, $1 \leq j \neq i \leq r$
    $(a_1, \ldots, a_r) \leftarrow A(g_1, \ldots, g_r)$
  until $a_i u_i \not\equiv 0 \bmod q$
  return $-(a_i u_i)^{-1} \left(\sum_{j \neq i} a_j u_j\right) \bmod q$

We have

$$z^{-a_i u_i} = \prod_{j \neq i} g^{a_j u_j},$$

since $(a_1, \ldots, a_r)$ is a representation of $[1]$ with respect to $(g_1, \ldots, g_r)$. Hence, the returned value is indeed the logarithm of $z$. Since at least one $a_j$ returned by $A$ is $\neq 0$ modulo $q$, and $i$ is chosen uniformly and independently of the input handed to $A$, the probability that $a_i \neq 0$ modulo $q$ is at least $1/r$. Hence, we expect the repeat-until loop to terminate after at most $r$ iterations. If $r$ is bounded by a polynomial in the binary length $|p|$ of $p$, the expected running time of $B$ is polynomial in $|p|$. $\Box$

Remark. Assume there is a polynomial algorithm which, when given as input a generator of length $r \geq 2$, outputs $y \in G_q$ and two different representations of $y$, not with certainty, but at least with some non-negligible probability. Then this algorithm can be used to compute discrete logarithms in $G_q$ with an overwhelmingly high probability (see Exercise 4 in Chapter 6).
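As an added example (not from the book), the following Python code instantiates the representation problem and Algorithm 4.22 in a constructed toy group: $p = 23$, $q = 11$, $G_q$ the squares modulo 23. The hypothetical algorithm $A$ is stood in for by `oracle_A`, which finds a non-trivial representation of $[1]$ by exhaustive search, feasible only because $q$ is tiny; `algorithm_B` then runs the reduction from the proof exactly as written (random $i$, random $u_j$, retry until $a_i u_i \not\equiv 0$), and `count_representations` checks the count $q^{r-1}$ claimed in the text. All names are this example's own.

```python
"""Representation problem and Algorithm 4.22 in a toy group (added example, not from the book)."""
import random
from itertools import product

# Constructed toy parameters: p = 23, q = 11 divides p - 1 = 22.
P, Q = 23, 11
# G_q is the subgroup of order q in Z_p^*; for p = 2q + 1 it is the set of squares.
G = sorted({pow(x, 2, P) for x in range(1, P)})      # 11 elements, including 1


def is_representation(a, gens, y):
    """True iff y == prod gens[j]^a[j] (mod p)."""
    acc = 1
    for g_j, a_j in zip(gens, a):
        acc = acc * pow(g_j, a_j, P) % P
    return acc == y


def count_representations(gens, y):
    """Exhaustive count over Z_q^r; the text predicts q^(r-1)."""
    r = len(gens)
    return sum(1 for a in product(range(Q), repeat=r) if is_representation(a, gens, y))


def oracle_A(gens):
    """Stand-in for the assumed algorithm A: a non-trivial representation of 1
    with respect to gens.  Found by exhaustive search, which only works here
    because q = 11; for real parameters no such A is known."""
    for a in product(range(Q), repeat=len(gens)):
        if any(a) and is_representation(a, gens, 1):
            return a
    raise RuntimeError("no representation found")  # impossible for generators


def algorithm_B(g, z, r=2):
    """Algorithm 4.22: log_g(z) in G_q, using A as a subroutine."""
    if z == 1:
        return 0                          # z = 1 could not serve as a generator g_i
    while True:
        i = random.randrange(r)
        u = [random.randrange(1, Q) for _ in range(r)]
        gens = [pow(g, u_j, P) for u_j in u]
        gens[i] = pow(z, u[i], P)
        if len(set(gens)) < r:            # A expects pairwise distinct generators
            continue
        a = oracle_A(gens)
        if a[i] * u[i] % Q != 0:          # the until-condition of the loop
            break
    # z^(a_i u_i) * g^(sum_{j != i} a_j u_j) == 1, so log_g z == -(a_i u_i)^-1 * sum.
    inv = pow(a[i] * u[i] % Q, -1, Q)
    others = sum(a[j] * u[j] for j in range(r) if j != i)
    return -inv * others % Q


if __name__ == "__main__":
    print("representations of 2 w.r.t. (4, 9):", count_representations([4, 9], 2))
    for z in G:
        t = algorithm_B(4, z)
        assert pow(4, t, P) == z
        print(f"log_4({z}) = {t}")
```

The retry loop is where the $1/r$ bound from the proof shows up: with $r = 2$ the oracle's output has $a_i \neq 0$ for the randomly chosen $i$ in roughly half of the iterations.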

The Decision Diffie-Hellman Problem. Let $p$ and $q$ be large primes such that $q$ divides $p-1$. Let $G_q$ be the subgroup of order $q$ in $\mathbb{Z}_p^*$. Let $g \in G_q$ and $a, b \in \{0, \ldots, q-1\}$ be randomly chosen. Then the Diffie-Hellman assumption (Section 4.1.2) says that it is infeasible to compute $g^{ab}$ from $g^a$ and $g^b$.

Let $g_1 = g^a$, $g_2 = g^b$ and $g_3$ be given. The decision Diffie-Hellman problem is to decide whether $g_3 = g^{ab}$. This is equivalent to deciding whether

$$\log_g(g_3) = \log_g(g_1) \log_g(g_2), \quad \text{or} \quad \log_{g_2}(g_3) = \log_g(g_1).$$

The decision Diffie-Hellman assumption says that no efficient algorithm exists to solve the decision Diffie-Hellman problem if $a$, $b$ and $g_3$ ($g_1$, $g_2$ and $g_3$, respectively) are chosen at random (and independently). The decision Diffie-Hellman problem is random self-reducible (see the remark on page 154). If you can solve it with an efficient probabilistic algorithm $A$, then you can also solve it if $g \in G_q$ is any element of $G_q$ and only $g_1, g_2, g_3$ are chosen randomly. Namely, let $g \in G_q$; then $(g, g_1, g_2, g_3)$ has the Diffie-Hellman property if and only if $(g^s, g_1^s, g_2^s, g_3^s)$ has the Diffie-Hellman property, with $s$ randomly chosen in $\mathbb{Z}_q^*$.

The representation problem and the decision Diffie-Hellman problem are studied, for example, in [Brands93].
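The self-reducibility step above, as an added example (not from the book) in Python on the same constructed toy group ($p = 23$, $q = 11$, $g = 4$): `has_dh_property` decides the Diffie-Hellman property exactly by brute-force discrete logarithms, which is possible only at this size and plays the role of an assumed decider; `rerandomize` applies the map $(g, g_1, g_2, g_3) \mapsto (g^s, g_1^s, g_2^s, g_3^s)$ and `property_preserved` checks, for every $s \in \mathbb{Z}_q^*$, that the property is unchanged while the base $g^s$ ranges over all of $G_q \setminus \{1\}$. Function names are this example's own.

```python
"""Random self-reducibility of decision Diffie-Hellman in a toy group (added example)."""
import random

# Constructed toy parameters: p = 23, q = 11 divides p - 1; g = 4 generates G_q.
P, Q, g = 23, 11, 4


def dlog(base, h):
    """Exhaustive discrete log in G_q; feasible only because q = 11.  Used here as
    the 'oracle' that lets us evaluate the Diffie-Hellman property exactly."""
    for t in range(Q):
        if pow(base, t, P) == h:
            return t
    raise ValueError("h is not in the subgroup generated by base")


def has_dh_property(g, g1, g2, g3):
    """True iff log_g(g3) == log_g(g1) * log_g(g2) mod q, i.e. g3 == g^(ab)."""
    return dlog(g, g3) == dlog(g, g1) * dlog(g, g2) % Q


def dh_tuple(g, a, b):
    """(g, g^a, g^b, g^(ab))."""
    return g, pow(g, a, P), pow(g, b, P), pow(g, a * b % Q, P)


def non_dh_tuple(g, a, b, c):
    """(g, g^a, g^b, g^c) with c != ab mod q."""
    assert c != a * b % Q
    return g, pow(g, a, P), pow(g, b, P), pow(g, c, P)


def rerandomize(tup, s=None):
    """(g, g1, g2, g3) -> (g^s, g1^s, g2^s, g3^s) with s uniform in Z_q^*.
    Relative to the new base g^s the exponents a, b, c are unchanged, so the
    Diffie-Hellman property is preserved; s = 0 would collapse everything to 1,
    which is why s is drawn from Z_q^* and not from Z_q."""
    if s is None:
        s = random.randrange(1, Q)
    return tuple(pow(v, s, P) for v in tup)


def property_preserved(tup):
    """Check the 'if and only if' for every s in Z_q^*."""
    return all(has_dh_property(*rerandomize(tup, s)) == has_dh_property(*tup)
               for s in range(1, Q))


def rerandomized_bases(g):
    """The bases g^s, s in Z_q^*, seen by a decider: all of G_q except 1."""
    return sorted({pow(g, s, P) for s in range(1, Q)})


if __name__ == "__main__":
    t = dh_tuple(g, 3, 7)
    print("DH tuple:", t, "->", rerandomize(t, 5), has_dh_property(*rerandomize(t, 5)))
    print("bases reachable by rerandomization:", rerandomized_bases(g))
```

This is the whole content of the reduction: a decider that only works for one fixed base $g$ can be fed $(g^s, g_1^s, g_2^s, g_3^s)$ with $g^s$ uniform in $G_q \setminus \{1\}$, so an instance with an arbitrary base is answered by the same decider.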

Exercises

1. Let $p$ be a sufficiently large prime such that it is intractable to compute discrete logarithms in $\mathbb{Z}_p^*$. Let $g$ be a primitive root in $\mathbb{Z}_p^*$. $p$ and $g$ are publicly known. Alice has a secret key $x_A$ and a public key $y_A := g^{x_A}$. Bob has a secret key $x_B$ and a public key $y_B := g^{x_B}$. Alice and Bob establish a secret shared key by executing the following protocol (see [MatTakIma86]):

Protocol 4.23.

A variant of the Diffie-Hellman key agreement protocol:

1. Alice chooses at random $a$, $0 \leq a \leq p-2$, sets $c := g^a$ and sends $c$ to Bob.

2. Bob chooses at random $b$, $0 \leq b \leq p-2$, sets $d := g^b$ and sends $d$ to Alice.

3. Alice computes the shared key $k = d^{x_A} y_B^{a} = g^{b x_A + a x_B}$.

4. Bob computes the shared key $k = c^{x_B} y_A^{b} = g^{a x_B + b x_A}$.

Does the protocol provide entity authentication? Discuss the security of the protocol.
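Protocol 4.23 executed end to end, as an added Python example that is not from the book or from [MatTakIma86], on constructed toy parameters ($p = 23$, primitive root $g = 5$). Besides checking that both parties arrive at $g^{b x_A + a x_B}$, `impostor_key` computes what a third party obtains if she answers Alice's $c$ with her own $g^{b'}$ but does not know $x_B$: Alice's key is bound to $y_B$, so the two values differ. That is implicit key authentication; whether it amounts to entity authentication is the question the exercise poses. All function names are this example's own.

```python
"""Protocol 4.23 (Exercise 1) on toy parameters (added example, not from the book)."""

# Constructed toy parameters: p = 23 is prime and g = 5 is a primitive root mod 23.
P, G = 23, 5
ORDER = P - 1            # exponents live in Z_{p-1} because g generates all of Z_p^*


def public_key(x):
    """y = g^x for a long-term secret x."""
    return pow(G, x, P)


def alice_key(x_a, a, d, y_b):
    """Step 3: k = d^xA * yB^a = g^(b*xA + a*xB)."""
    return pow(d, x_a, P) * pow(y_b, a, P) % P


def bob_key(x_b, b, c, y_a):
    """Step 4: k = c^xB * yA^b = g^(a*xB + b*xA)."""
    return pow(c, x_b, P) * pow(y_a, b, P) % P


def run(x_a, x_b, a, b):
    """Run the protocol with given long-term (x_a, x_b) and ephemeral (a, b)
    exponents.  Returns (Alice's key, Bob's key, the closed form g^(b*xA + a*xB))."""
    y_a, y_b = public_key(x_a), public_key(x_b)
    c = pow(G, a, P)                     # message 1: Alice -> Bob
    d = pow(G, b, P)                     # message 2: Bob -> Alice
    k_a = alice_key(x_a, a, d, y_b)
    k_b = bob_key(x_b, b, c, y_a)
    return k_a, k_b, pow(G, (b * x_a + a * x_b) % ORDER, P)


def impostor_key(x_e, b_e, c, y_a):
    """What someone with her own long-term key x_e (not x_B) can compute after
    replying to Alice's c with d = g^b_e: c^x_e * y_A^b_e = g^(a*x_e + b_e*x_A)."""
    return pow(c, x_e, P) * pow(y_a, b_e, P) % P


def alice_key_in_hijacked_run(x_a, x_b, a, b_e):
    """Alice's key when the reply d = g^b_e came from the impostor; it still uses y_B."""
    return alice_key(x_a, a, pow(G, b_e, P), public_key(x_b))


if __name__ == "__main__":
    print("honest run (k_Alice, k_Bob, closed form):", run(3, 7, 4, 9))
    print("impostor:", impostor_key(10, 9, pow(G, 4, P), public_key(3)),
          "Alice:", alice_key_in_hijacked_run(3, 7, 4, 9))
```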

2. Let $n := pq$, where $p$ and $q$ are distinct primes and $x_1, x_2 \in \mathbb{Z}_n^*$. Assume that at least one of $x_1$ and $x_2$ is in $QR_n$. Peggy wants to prove to Vic that she knows a square root of $x_i$ for at least one $i \in \{1, 2\}$ without revealing $i$. Modify Protocol 4.5 to get an interactive zero-knowledge proof of knowledge.

3. Besides interactive proofs of knowledge, there are interactive proofs for proving membership in a language. The completeness and soundness conditions for such proofs are slightly different. Let $(P, V)$ be an interactive proof system. $P$ and $V$ are probabilistic algorithms, but only $V$ is assumed to have polynomial running time. By $P^*$ we denote a general

Bit strings $x \in \{0, 1\}^*$ are supplied to $(P, V)$ as common input. $(P, V)$ is called an interactive proof system for the language $L$ if the following conditions are satisfied:

a. Completeness. If $x \in L$, then the probability that the verifier $V$ accepts, if interacting with the honest prover $P$, is $\geq 3/4$.

b. Soundness. If $x \notin L$, then the probability that the verifier $V$ accepts, if interacting with any prover $P^*$, is $\leq 1/2$.

Such an interactive proof system $(P, V)$ is (perfect) zero-knowledge if there is a probabilistic simulator $S(V^*, x)$, running in expected polynomial time, such that for every verifier $V^*$ (honest or not) and for every $x \in L$ the distributions of the random variables $S(V^*, x)$ and $(P, V^*)(x)$ are equal.

The class of languages that have interactive proof systems is denoted by IP. It generalizes the complexity class BPP (see Exercise 3 in Chapter 5).

As in Section 4.3.1, let $n := pq$, with $p$ and $q$ distinct primes, and let $J_n^{+1} := \{x \in \mathbb{Z}_n^* \mid \left(\frac{x}{n}\right) = 1\}$ be the units with Jacobi symbol 1. Let $QNR_n^{+1} := J_n^{+1} \setminus QR_n$ be the quadratic non-residues in $J_n^{+1}$.

The following protocol is an interactive proof system for the language $QNR_n^{+1}$ (see [GolMicRac89]). The common input $x$ is assumed to be in $J_n^{+1}$ (whether or not $x \in \mathbb{Z}_n$ is in $J_n^{+1}$ can be efficiently determined using a deterministic algorithm; see Algorithm A.59).

Protocol 4.24.

Quadratic non-residuosity:

Let $x \in J_n^{+1}$.

1. Vic chooses $r \in \mathbb{Z}_n^*$ and $\sigma \in \{0, 1\}$ uniformly at random and sends $a = r^2 x^\sigma$ to Peggy.

2. Peggy computes

$$\tau := \begin{cases} 0 & \text{if } a \in QR_n, \\ 1 & \text{if } a \notin QR_n, \end{cases}$$

and sends $\tau$ to Vic. (Note that it is not assumed that Peggy can solve this in polynomial time. Thus, she can find out whether $a \in QR_n$, for example, by an exhaustive search.)

3. Vic accepts if and only if $\sigma = \tau$.

Show:

a. If $x \in QNR_n^{+1}$ and both follow the protocol, Vic will always accept.

b. If $x \notin QNR_n^{+1}$, then Vic accepts with probability $1/2$.

c. Show that the protocol is not zero-knowledge (under the quadratic residuosity assumption; see Remark 1 in Section 4.3.1).

d. Show that the protocol is honest-verifier zero-knowledge.

e. Modify the protocol to get a zero-knowledge proof for quadratic non-residuosity.
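Protocol 4.24 run exhaustively on a constructed toy modulus, as an added Python example (not from the book or [GolMicRac89]). With $n = 21$ the sets $QR_n$, $J_n^{+1}$ and $QNR_n^{+1}$ can be tabulated, so `acceptance_rate` computes Vic's acceptance probability exactly over all $(r, \sigma)$ rather than estimating it, and `best_cheating_rate` maximises over every deterministic prover strategy $\tau = f(a)$. Peggy's unbounded power is modelled by a table lookup, which is the exhaustive search the exercise mentions. Names are this example's own.

```python
"""Protocol 4.24 (quadratic non-residuosity) on n = 21 (added example, not from the book)."""
from math import gcd
from itertools import product

# Constructed toy modulus: n = 3 * 7 = 21.
n = 21


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by the standard reciprocity algorithm."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


UNITS = [x for x in range(1, n) if gcd(x, n) == 1]       # Z_n^*
QR = {x * x % n for x in UNITS}                            # QR_n
J_PLUS = [x for x in UNITS if jacobi(x, n) == 1]          # J_n^{+1}
QNR_PLUS = [x for x in J_PLUS if x not in QR]             # QNR_n^{+1}


def vic_challenge(x, r, sigma):
    """Step 1: a = r^2 x^sigma mod n."""
    return r * r * pow(x, sigma, n) % n


def peggy_honest(a):
    """Step 2: tau = 0 iff a is a square.  Peggy is computationally unbounded;
    the table QR stands in for her exhaustive search."""
    return 0 if a in QR else 1


def acceptance_rate(x, prover):
    """Exact probability (over uniform r in Z_n^*, sigma in {0,1}) that step 3 accepts."""
    trials = [(r, s) for r in UNITS for s in (0, 1)]
    accepted = sum(prover(vic_challenge(x, r, s)) == s for r, s in trials)
    return accepted / len(trials)


def best_cheating_rate(x):
    """Maximum acceptance over all deterministic strategies tau = f(a).
    For x in QR_n the challenge a is uniform over QR_n whatever sigma is,
    so no f beats 1/2; for x in QNR_n^{+1} the honest f reaches 1."""
    a_values = sorted({vic_challenge(x, r, s) for r in UNITS for s in (0, 1)})
    return max(acceptance_rate(x, lambda a, f=dict(zip(a_values, bits)): f[a])
               for bits in product((0, 1), repeat=len(a_values)))


if __name__ == "__main__":
    print("QR_n =", sorted(QR), " J_n^{+1} =", J_PLUS, " QNR_n^{+1} =", QNR_PLUS)
    for x in J_PLUS:
        print(f"x={x:2d}  honest prover: {acceptance_rate(x, peggy_honest):.2f}"
              f"  best cheater: {best_cheating_rate(x):.2f}")
```

Part (c) is visible in the same code: nothing forces Vic to form $a$ as $r^2 x^\sigma$; a dishonest Vic can submit any $a \in J_n^{+1}$ he likes and read off from $\tau$ whether it is a square, which for a real $n$ is information he could not compute himself.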

4. We consider the identification scheme based on public-key encryption introduced in Section 4.2.1. In this scheme a dishonest verifier can obtain knowledge from the prover. Improve the scheme.

5. We modify the commitment scheme based on quadratic residues.

Protocol 4.25.

QRCommitment:

1. System setup. Alice chooses distinct large prime numbers $p, q \equiv 3 \bmod 4$ and sets $n := pq$. (Note $-1 \in J_n^{+1} \setminus QR_n$, see Proposition A.53.)

2. Commit to $b \in \{0, 1\}$. Alice chooses $r \in \mathbb{Z}_n^*$ at random, sets $c := (-1)^b r^2$ and sends $c$ to Bob.

3. Reveal. Alice sends $p$, $q$, $r$ and $b$ to Bob. Bob can verify that $p$ and $q$ are primes $\equiv 3 \bmod 4$, $r \in \mathbb{Z}_n^*$, and $c = (-1)^b r^2$.

Show:

a. If $c$ is a commitment to $b$, then $-c$ is a commitment to $1 - b$.

b. If $c_i$ is a commitment to $b_i$, $i = 1, 2$, then $c_1 c_2$ is a commitment to $b_1 \oplus b_2$.

c. Show how Alice can prove to Bob that two commitments $c_1$ and $c_2$ commit to equal or distinct values, without opening them.
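Protocol 4.25 and the three properties of Exercise 5, as an added Python example (not from the book) on constructed toy parameters $p = 7$, $q = 11$, $n = 77$. `commit` and `verify_open` are the protocol's steps 2 and 3; `negate` and `combine` realise (a) and (b); for (c) the code uses the natural consequence of (b): Alice publishes $w = r_1 r_2$, and Bob checks whether $c_1 c_2 = w^2$ (equal bits) or $c_1 c_2 = -w^2$ (distinct bits). That Bob learns only $b_1 \oplus b_2$ from this, and nothing about $b_1$ itself, is part of what the exercise asks you to argue. `minus_one_is_non_residue` checks the cited fact about $-1$ for this $n$. Names are this example's own.

```python
"""QR commitment (Protocol 4.25) and its homomorphic properties (added example, not from the book)."""
from math import gcd

# Constructed toy parameters: p = 7 and q = 11 are primes congruent to 3 mod 4.
p, q = 7, 11
n = p * q


def is_prime(m):
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))


def setup_ok(p, q):
    """Bob's check at reveal time: distinct primes, both congruent to 3 mod 4."""
    return p != q and is_prime(p) and is_prime(q) and p % 4 == 3 and q % 4 == 3


def minus_one_is_non_residue():
    """-1 has Jacobi symbol (-1/p)(-1/q) = +1 but is not a square mod n (Prop. A.53)."""
    jac = (-1) ** ((p - 1) // 2) * (-1) ** ((q - 1) // 2)
    return jac == 1 and all(x * x % n != n - 1 for x in range(1, n))


def commit(b, r):
    """Step 2: c := (-1)^b r^2 mod n, with b in {0,1} and r in Z_n^*."""
    assert b in (0, 1) and gcd(r, n) == 1
    return (-1) ** b * r * r % n


def verify_open(c, b, r):
    """Step 3: Bob re-computes the commitment from the opened (b, r)."""
    return b in (0, 1) and gcd(r, n) == 1 and setup_ok(p, q) and c == commit(b, r)


def negate(c):
    """(a): -c is a commitment to 1 - b, opened with the same r."""
    return -c % n


def combine(c1, c2):
    """(b): c1 * c2 is a commitment to b1 xor b2, opened with r1 * r2."""
    return c1 * c2 % n


def equality_proof(r1, r2):
    """(c): Alice's proof that c1, c2 hold equal or distinct bits is w = r1 r2."""
    return r1 * r2 % n


def check_equality_proof(c1, c2, w):
    """Bob: c1 c2 == w^2 means b1 == b2; c1 c2 == -w^2 means b1 != b2."""
    prod = combine(c1, c2)
    if prod == w * w % n:
        return "equal"
    if prod == -w * w % n:
        return "distinct"
    return "invalid"


if __name__ == "__main__":
    c1, c2, c3 = commit(1, 5), commit(1, 9), commit(0, 13)
    print("c1 c2 opens to 0 with r=45:", verify_open(combine(c1, c2), 0, 45))
    print("c1 vs c2:", check_equality_proof(c1, c2, equality_proof(5, 9)))
    print("c1 vs c3:", check_equality_proof(c1, c3, equality_proof(5, 13)))
```

The hiding property rests on the fact checked by `minus_one_is_non_residue`: both $r^2$ and $-r^2$ range over $J_n^{+1}$, so distinguishing a commitment to 0 from one to 1 is exactly the quadratic residuosity problem for $n$.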

6. Let $P = \{P_i \mid i = 1, \ldots, 6\}$. Set up a secret sharing system such that exactly the groups $\{P_1, P_2\}$, $\{Q \subset P \mid |Q| \geq 3, P_1 \in Q\}$ and $\{Q \subset P \mid |Q| \geq 4, P_2 \in Q\}$ are able to reconstruct the secret.

7. Let $P = \{P_1, P_2, P_3, P_4\}$. Is it possible to set up a secret sharing system by use of Shamir's threshold scheme, such that the members of a group $Q \subset P$ are able to reconstruct the secret if and only if $\{P_1, P_2\} \subset Q$ or $\{P_3, P_4\} \subset Q$?

8. In the voting scheme of Section 4.4, it is necessary that each authority and each voter proves that he really follows the protocol. Explain why.

9. Let $p$ and $q$ be large primes such that $q$ divides $p-1$. Let $G$ be the subgroup of order $q$ in $\mathbb{Z}_p^*$, $g, h, y_i, z_i \in G$, $i = 1, 2$. Peggy wants to prove to Vic that she knows an $x$ such that $y_i = g^x$ and $z_i = h^x$ for at least one $i \in \{1, 2\}$, without revealing $i$. Modify Protocol 4.15 to get an interactive proof of knowledge. Show how the interactive proof can be converted into a non-interactive one.

10. We consider the problem ofvote duplication. This means that a voter can duplicate the vote of another voter who has previously posted his vote. He can do this without knowing the content of the other voter’s ballot. Discuss this problem for the voting scheme of Section 4.4.

11. Blind RSA signatures. Construct a blind signature scheme based on the fact that the RSA function is a homomorphism.


12. Nyberg-Rueppel Signatures. Let $p$ and $q$ be large primes such that $q$ divides $p-1$. Let $G$ be the subgroup of order $q$ in $\mathbb{Z}_p^*$, and let $g$ be a generator of $G$. The secret key of the signer is a randomly chosen $x \in \mathbb{Z}_q$, the public key is $y := g^x$.

Signing. We assume that the message $m$ to be signed is an element in $\mathbb{Z}_p^*$. The signed message is produced using the following steps:

1. Select a random integer $k$, $1 \leq k \leq q-1$.

2. Set $r := m g^k$ and $s := xr + k \bmod q$.

3. $(m, r, s)$ is the signed message.

Verification. If $1 \leq r \leq p-1$, $1 \leq s \leq q-1$ and $m = r y^r g^{-s}$, accept the signature. If not, reject it.

a. Show that the verification condition holds for a signed message.

b. Show that it is easy to produce forged signatures.

c. How can you prevent this attack?

d. Show that the condition $1 \leq r \leq p-1$ has to be checked to detect forged signatures, even if the scheme is modified as in item c.

13. Blind Nyberg-Rueppel Signatures (see also [CamPivSta94]). In the situation of Exercise 12, Bob gets a blind signature for a message $m \in \{1, \ldots, q-1\}$ from Alice by executing the following protocol:

Protocol 4.26.

BlindNybergRueppelSig($m$):

1. Alice chooses $\tilde{k}$ at random, $1 \leq \tilde{k} \leq q-1$, and sets $\tilde{a} := g^{\tilde{k}}$. Alice sends $\tilde{a}$ to Bob.

2. Bob chooses $\alpha, \beta$ uniformly at random with $1 \leq \alpha \leq q-1$ and $0 \leq \beta \leq q-1$, sets $\tilde{m} := m \tilde{a}^{\alpha - 1} g^{\beta} \alpha^{-1}$, and sends $\tilde{m}$ to Alice.

3. Alice computes $\tilde{r} := \tilde{m} g^{\tilde{k}}$, $\tilde{s} := \tilde{r} x + \tilde{k} \bmod q$, and sends $\tilde{r}$ and $\tilde{s}$ to Bob.

4. Bob checks whether $(\tilde{m}, \tilde{r}, \tilde{s})$ is a valid signed message. If it is, then he sets $r := \tilde{r} \alpha$ and $s := \tilde{s} \alpha + \beta$.

Show that $(m, r, s)$ is a signed message and that the protocol is really blind.
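Exercises 12 and 13 worked through in Python, as an added example that is not from the book or from [CamPivSta94], on constructed toy parameters $q = 1019$, $p = 2q + 1 = 2039$, $g = 4$. `sign`/`verify` are the scheme of Exercise 12; `forge` is the existential forgery of part (b): choose $r$ and $s$ first and solve the verification equation for $m$, which yields a valid triple but no control over $m$ (the reason redundancy or a hash of $m$ is the usual remedy for part (c)). `blind_sign` runs Protocol 4.26; because $\tilde r$ is used both as an element of $\mathbb{Z}_p$ and as an exponent modulo $q$, the code spells out one reading of step 2 as an assumption: it sets $r := m \tilde a^{\alpha} g^{\beta} \bmod p$ and $\tilde m := (r \alpha^{-1} \bmod q) \cdot \tilde a^{-1} \bmod p$, so that $\tilde r = \tilde m g^{\tilde k} \bmod p$ equals $r \alpha^{-1} \bmod q$ and hence $r \equiv \tilde r \alpha \pmod q$ as in step 4. `consistent` shows blindness: any valid view of Alice and any valid $(m, r, s)$ are explained by exactly one $(\alpha, \beta)$, so two sessions cannot be linked to their signatures. Names are this example's own.

```python
"""Nyberg-Rueppel signatures, existential forgery and the blind variant (added example)."""
import random

# Constructed toy parameters: q = 1019 and p = 2q + 1 = 2039 are prime,
# g = 4 generates the subgroup G of order q in Z_p^*.
P, Q, G = 2039, 1019, 4


def keygen(rng):
    x = rng.randrange(1, Q)                 # secret key x in Z_q
    return x, pow(G, x, P)                  # public key y = g^x


def sign(x, m, rng):
    """Exercise 12: r := m g^k mod p, s := x r + k mod q, for m in Z_p^*.
    k is resampled in the negligible case s = 0, which verification rejects."""
    while True:
        k = rng.randrange(1, Q)
        r = m * pow(G, k, P) % P
        s = (x * r + k) % Q
        if s:
            return r, s


def verify(y, m, r, s):
    """Accept iff 1 <= r <= p-1, 1 <= s <= q-1 and m == r y^r g^-s mod p."""
    if not (1 <= r <= P - 1 and 1 <= s <= Q - 1):
        return False
    return m == r * pow(y, r, P) * pow(G, -s, P) % P


def forge(y, rng):
    """Exercise 12 (b): pick r, s and solve the verification equation for m.
    The forger obtains a valid (m, r, s) but cannot choose m."""
    r, s = rng.randrange(1, P), rng.randrange(1, Q)
    return r * pow(y, r, P) * pow(G, -s, P) % P, r, s


def blind_sign(x, y, m, rng):
    """Protocol 4.26 with explicit reductions (assumed reading, see lead-in).
    Alice knows x; Bob knows y and m in {1, ..., q-1}.
    Returns (Alice's view (a~, m~, r~, s~), Bob's signed message (m, r, s))."""
    while True:
        k_t = rng.randrange(1, Q)                             # 1. Alice
        a_t = pow(G, k_t, P)
        alpha, beta = rng.randrange(1, Q), rng.randrange(Q)   # 2. Bob
        r = m * pow(a_t, alpha, P) * pow(G, beta, P) % P      #    Bob's final r
        if r % Q == 0:                                        #    would give r~ = 0
            continue                                          #    (probability 1/q)
        m_t = (r * pow(alpha, -1, Q) % Q) * pow(a_t, -1, P) % P
        r_t = m_t * pow(G, k_t, P) % P                        # 3. Alice: r~ = r alpha^-1 mod q
        s_t = (x * r_t + k_t) % Q
        if not verify(y, m_t, r_t, s_t):                      # 4. Bob checks Alice's signature
            continue                                          #    (fails only when s~ = 0)
        s = (s_t * alpha + beta) % Q
        if verify(y, m, r, s):                                #    (m, r, s) is a signed message
            return (a_t, m_t, r_t, s_t), (m, r, s)


def consistent(view, sig):
    """Blindness: for ANY valid view and ANY valid signed message there is exactly
    one (alpha, beta) that would have produced the latter from the former."""
    a_t, m_t, r_t, s_t = view
    m, r, s = sig
    alpha = r * pow(r_t, -1, Q) % Q                # forced by r == r~ alpha mod q
    beta = (s - s_t * alpha) % Q                   # forced by s == s~ alpha + beta
    return (r == m * pow(a_t, alpha, P) * pow(G, beta, P) % P
            and m_t == (r * pow(alpha, -1, Q) % Q) * pow(a_t, -1, P) % P)


if __name__ == "__main__":
    rng = random.Random(7)
    x, y = keygen(rng)
    print("signature valid:", verify(y, 1234, *sign(x, 1234, rng)))
    print("forgery valid:", verify(y, *forge(y, rng)))
    view1, sig1 = blind_sign(x, y, 77, rng)
    view2, sig2 = blind_sign(x, y, 500, rng)
    print("cross-consistent:", consistent(view1, sig2), consistent(view2, sig1))
```

`consistent` is the whole blindness argument in executable form: since the unblinding factors that link a given view to a given signature always exist and are unique, Alice's views carry no information about which signature came out of which session.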

14. Proof of Knowledge of a Representation (see [Okamoto92]). Let $p$ and $q$ be large primes such that $q$ divides $p-1$. Let $G$ be the subgroup of order $q$ in $\mathbb{Z}_p^*$, and $g_1$ and $g_2$ be independently chosen generators of $G$. The secret is a randomly chosen $(x_1, x_2) \in \{0, \ldots, q-1\}^2$, and the public key is $(p, q, g_1, g_2, y)$, where $y := g_1^{x_1} g_2^{x_2}$.

How can Peggy convince Vic by an interactive proof of knowledge that she knows $(x_1, x_2)$, which is a representation of $y$ with respect to $(g_1, g_2)$?

15. Convert the interactive proof of Exercise 14 into a blind signature scheme.

Probabilistic algorithms are important in cryptography. On the one hand, the algorithms used in encryption and digital signature schemes often include random choices (as in Vernam’s one-time pad or the DSA) and therefore are probabilistic. On the other hand, when studying the security of cryptographic schemes, adversaries are usually modeled as probabilistic algorithms. The subsequent chapters, which deal with provable security properties, require a thorough understanding of this notion. Therefore, we clarify what is meant precisely by a probabilistic algorithm, and discuss the underlying probabilistic model.

The output $y$ of a deterministic algorithm $A$ is completely determined by its input $x$. In a deterministic way, $y$ is computed from $x$ by a sequence of steps decided in advance by the programmer. $A$ behaves like a mathematical mapping: applying $A$ to the same input $x$ several times always yields the same output $y$. Therefore, we may use the mathematical notation of a mapping, $A : X \longrightarrow Y$, for a deterministic algorithm $A$, with inputs from $X$ and outputs in $Y$. There are various equivalent formal models for such algorithms. A popular one is the description of algorithms by Turing machines (see, for example, [HopUll79]). Turing machines are state machines, and deterministic algorithms are modeled by Turing machines with deterministic behavior: the state transitions are completely determined by the input.

A probabilistic algorithm $A$ is an algorithm whose behavior is partly controlled by random events. The computation of the output $y$ on input $x$ depends on the outcome of a finite number of random experiments. In particular, applying $A$ to the same input $x$ twice may yield two different outputs.

5.1 Coin-Tossing Algorithms

Probabilistic algorithms are able to toss coins. The control flow depends on the outcome of the coin tosses. Therefore, probabilistic algorithms exhibit random behavior.

Definition 5.1. Given an input $x$, a probabilistic (or randomized) algorithm $A$ may toss a coin a finite number of times during its computation of the output $y$, and the next step may depend on the results of the preceding coin