Uniform Sampling Algorithms - One-Way Functions and the Basic Assumptions

6. One-Way Functions and the Basic Assumptions

6.3 Uniform Sampling Algorithms

|{(p, g)∈Ik | inequality (6.1) holds}|

|Ik| >

R(k)

(withRa positive polynomial). For these keys ˜Acomputes the discrete logarithm for everyy ∈ Z∗

p with an overwhelmingly high probability, and the probability of obtaining such a key is >1_/_R₍_k₎ _{if the keys are selected uni-}

formly at random.

6.3 Uniform Sampling Algorithms

In the discrete logarithm assumption 6.1, the probabilities are taken with respect to the uniform distributions on Ik and Z∗p. Stating the assumption in this way, we tacitly assumed that it is possible to sample uniformly over

Ik (during key generation) andZ∗p, by using efficient algorithms. In practice it might be difficult to construct a probabilistic polynomial sampling algorithm that selects the elements exactly according to the uniform distribution. However, as in the present case of discrete logarithms (see Proposition 6.6), we are often able to find practical sampling algorithms which sample in a “virtually uniform” way. Then the assumptions stated for the uniform distribution, such as the discrete logarithm assumption, apply. This is shown by the following considerations.

Definition 6.4.LetJ = (Jk)k∈Nbe an index set with security parameterk (see Definition 6.2). LetX = (Xj)j∈J be a family of finite sets:

1. A probabilistic polynomial algorithm SX with input j ∈ J is called a

sampling algorithm for X if SX(j) outputs an element in Xj with a probability≥1−εkforj ∈Ik, whereε= (εk)k∈Nis negligible; i.e., given a positive polynomialQ, there is ak0such thatεk ≤1/Q(k) fork≥k0. 2. A sampling algorithmSXforX is called(virtually) uniformif the distri-

butions ofSX(j) and the uniform distributions onXj are polynomially close (see Definition B.22). This means that the statistical distance is negligibly small; i.e., given a positive polynomial Q, there is a k0 such that the statistical distance (see Definition B.19) between the distribution of SX(j) and the uniform distribution onXj is≤1/Q(k), fork≥k0 andj ∈Jk.

Remark.IfSXis a virtually uniform sampling algorithm forX= (Xj)j∈J, we usually do not need to distinguish between the virtually uniform distribution ofSX(j) and the truly uniform distribution when we compute a probability involvingx←SX(j). Namely, consider probabilities

prob(Bj(x, y) = 1 :x←SX(j), y←Yj,x),

where (Yj,x)x∈Xj is a family of probability spaces andBj is a Boolean pred-

|prob(Bj(x, y) = 1 :x←SX(j), y←Yj,x)

− prob(Bj(x, y) = 1 :x←u Xj, y←Yj,x)|< 1

P(k), for k ≥ k0 and j ∈ Jk (by Lemmas B.21 and B.24), and we see that the difference between the probabilities is negligibly small.

Therefore, we usually do not distinguish between perfectly and virtually uniform sampling algorithms and simply talk ofuniform sampling algorithms. We study an example. Suppose we want to construct a uniform sampling algorithm S for (Zn)n∈N. We have Zn ⊆ {0,1}|n|, and could pro- ceed as follows. We toss the coin |n| times and obtain a binary number

x:=b|n|−1. . . b1b0, with 0≤x <2|n|. We can easily verify whetherx∈Zn, by checking x < n. If the answer is affirmative, we return S(n) :=x. Oth- erwise, we repeat the coin tosses. Since S is required to have a polynomial running time, we have to stop after at most P(|n|) iterations (P a polynomial). Thus,S(n) does not always succeed to return an element inZn. The probability of a failure is, however, negligibly small.3

Our construction, which derives a uniform sampling algorithm for a subset, works, if the membership in this subset can be efficiently tested. It can be applied in many situations. Therefore, we state the following lemma.

Lemma 6.5.LetJ = (Jk)k∈Nbe an index set with security parameter k. Let

X = (Xj)j∈J and Y = (Yj)j∈J be families of finite sets with Yj ⊆Xj for all

j ∈J. Assume that there is a polynomialQ, such that |Yj| ·Q(k)≥ |Xj|for

j∈Jk.

LetSX be a uniform sampling algorithm for (Xj)j∈J which on input j∈

J outputs x ∈ Xj4 and some additional information aux(x) about x. Let

A(j, x, aux(x))be a Monte Carlo algorithm which decides the membership in

Yj; i.e., on input j ∈ J, x∈ Xj and aux(x), it yields 1 if x∈Yj, and 0 if

x /∈ Yj. Assume that the error probability of A is negligible; i.e., for every

positive polynomialP, there is ak0 such that the error probability is≤1/P(k)

fork≥k0.

Then there exists a uniform sampling algorithm SY for(Yj)j∈J.

Proof. LetSY be the probabilistic polynomial algorithm which on inputj∈J repeatedly computes x:=SX(j) untilA(j, x, aux(x)) = 1. To get a polynomial algorithm, we stopSY after at most ln(2)kQ(k) iterations.

We now show that SY has the desired properties. We first assume that

SX(j) ∈ Xj with certainty and that A has an error probability of 0. By Lemma B.10, we may also assume thatSY has found an element inYj(before

3_{We could construct a Las Vegas algorithm in this way, which always succeeds.}

See Section 5.2.

4_{Here and in what follows we use this formulation, though the sampling algorithm}

may sometimes yield elements outside of Xj. However, as stated in Definition 6.4, this happens only with a negligible probability.

6.3 Uniform Sampling Algorithms 157

being stopped), because this event has a probability≥1−(1−1_/_Q₍_k₎₎kQ(k)_> 1−2−k_{, which is exponentially close to 1 (see the proof of Proposition 5.7} for an analogous estimate).

By construction, we have forV ⊂Yj that

prob(SY(j)∈V) = prob(SX(j)∈V|SX(j)∈Yj) = prob(SX(j)∈V) prob(SX(j)∈Yj). Thus, we have for all subsetsV ⊂Yj that

prob(SY(j)∈V) = |V| |Xj|+εj(V) |Yj| |Xj|+εj(Yj) ,

with a negligibly small function εj. Then prob(SY(j) ∈ V)− _||_YV_j|_| is also negligibly small (you can see this immediately by Taylor’s formula for the real function (x, y)7→ x_/_y_{). Hence,} _S_Y _{is a uniform sampling algorithm for}

(Yj)j∈J.

The general case, whereSX(j)6∈Xj with a negligible probability and A has a negligible error probability, follows by applying Lemma B.10. 2

Example. Let Yn := Zn or Yn := Z∗n. Then Yn is a subset of Xn := {0,1}|n|_{, n} _∈ _N_{. Obviously,} _{₀_,₁_}|n| _{can be sampled uniformly by} _|_n_| _coin

tosses. The membership ofxin Zn is checked byx < n, and the Euclidean algorithm tells us whetherxis a unit. Thus, there are (probabilistic polynomial) uniform sampling algorithms for (Zn)n∈Nand (Z∗n)n∈N, which on input n∈Noutput an elementx∈Zn (orx∈Z∗n).

To apply Lemma 6.5 in this example, letJ :=NandJk:={n∈N| |n|=k}.

Example. Let Primesk be the set of primes p whose binary length |p| is k; i.e., Primesk := {p ∈ Primes | |p| = k} ⊆ {0,1}k. The number of primes

<2k _is _≈ ₂k

/kln(2) (Theorem A.68). By iterating a probabilistic primality

test (e.g. Miller-Rabin’s test, see Appendix A.8), we can, with a probability

>1−2−k_{, correctly test the primality of an element}_x_in_{₀_,₁_}k_{. Thus, there} is a (probabilistic polynomial) uniform sampling algorithmS which on input 1k _{yields a prime}_p_∈_Primes

To apply Lemma 6.5 in this example, letJk:={1k} andJ :=N= S

k∈NJk, i.e., the index set is the set of natural numbers. However, an indexk∈Nis not encoded in the standard way; it is encoded as the constant bit string 1k (see the subsequent remark on 1k_).

Remark.1k _{denotes the constant bit string 11}_{. . .}_{1 of length} _k_{. Using it as} input for a polynomial algorithm means that the number of steps in the algorithm is bounded by a polynomial in k. If we used k (encoded in the standard way) instead of 1k _{as input, the bound would be a polynomial in} log2(k).

We return to the example of discrete exponentiation.

Proposition 6.6. Let I :={(p, g)|pprime number, g∈Z∗

p primitive root}

and Ik :={(p, g)∈I| |p|=k}. There is a probabilistic polynomial uniform

sampling algorithm for I = (Ik)k∈N, which on input 1k yields an element (p, g)∈Ik.

Proof. We want to apply Lemma 6.5 to the index setJ :=N=S_k_∈_NJk, Jk := {1k_}_,_{and the families of sets}_X

k:= Primesk×{0,1}k, Yk:=Ik⊆Xk(k∈N). The number of primitive roots inZ∗

pisϕ(p−1), whereϕis the Eulerian totient function (see Theorem A.36). Forx∈N, we have

ϕ(x) =x r Y i=1 µ 1− 1 pi ¶ =x r Y i=1 pi−1 pi ,

where p1, . . . , pr are the primes dividing x (see Corollary A.30). Since Q_r

i=1 pi−1

pi ≥

Q_r+1

i=2 i−i1 = r+11 and r+ 1 ≤ |x|, we immediately see that

ϕ(x)· |x| ≥ x.5 _{In particular, we have} _ϕ₍_p₋₁₎_·_k _≥ _p₋₁ _≥ ₂k−1 _for

p∈Primesk, and hence 2k· |Yk| ≥ |Xk|.

Given a prime p ∈ Primesk and all prime numbers q1, . . . , qr dividing

p−1, we can efficiently verify whetherg∈ {0,1}k _{is in} _Z∗

p and whether it is a primitive root. Namely, we first testg < pand then apply the criterion for primitive roots (see Algorithm A.39), i.e., we check whetherg(p−1)/q₆_{= 1 for} all prime divisorsqofp−1.

We may apply Lemma 6.5 if there is a probabilistic polynomial uniform sampling algorithm for (Primesk)k∈N which not only outputs a primep, but also the prime factors of p−1. Bach’s algorithm (see [Bach88]) yields such an algorithm: it generates uniformly distributedk-bit integersn, along with their factorization. We may repeatedly generate such numbersnuntil n+ 1

is a prime. 2

In document Introduction to Cryptography Principles & Applications, 2nd Ed pdf (Page 166-169)