6.1 In search of a definition
Having considered classical symmetric cryptography in the previous chapter, we now introduce the modern complexity theoretic approach to cryptographic security.
Recall our two characters Alice and Bob who wish to communicate securely. They would like to use a cryptosystem in which encryption (by Alice) and decryption (by Bob using his secret key) are computationally easy but the problem of decryption for Eve (who does not know Bob’s secret key) should be as computationally intractable as possible.
This complexity theoretic gap between the easy problems faced by Alice and Bob and the hopefully impossible problems faced by Eve is the basis of modern cryptography. In order for such a gap to exist there must be a limit to the computational capabilities of Eve. Moreover it would be unrealistic to suppose that any limits on the computational capabilities of Eve did not also apply to Alice and Bob. This leads to our first assumption:
Alice, Bob and Eve can only perform probabilistic polynomial time computations.
So for Alice and Bob to be able to encrypt and decrypt easily means that there should be (possibly probabilistic) polynomial time algorithms for both procedures.
But exactly how should we formalise the idea that Eve must face a computationally intractable problem when she tries to decrypt an intercepted cryptogram without Bob’s secret key?
126 6 One way functions
Suppose that we knew that P ≠ NP and hence that no NP-hard problem has a polynomial time algorithm. If Alice and Bob used a cryptosystem in which the problem of decryption for Eve was NP-hard, would this guarantee that their cryptosystem is secure? No. Just because there is no polynomial time algorithm for a particular problem does not ensure that the problem is always difficult to solve. It may be extremely easy in most instances but difficult in a few special cases. A cryptosystem with this property would be useless.
This demonstrates the need for a notion of intractability that is not based on worst-case behaviour.
So might it be reasonable to suppose that Eve should never be able to decrypt any cryptogram? Again the answer is no. For instance, if Eve simply guesses the message each time then there is a small but nevertheless non-zero chance that she will be correct.
So what might be a reasonable notion of security to demand?
For the moment we hope that Alice and Bob would be happy to use a cryptosystem with the following level of security.
If Eve uses any probabilistic polynomial time algorithm then the probability that she correctly decrypts a cryptogram C = e(M) of a random message M is negligible.
But what do we mean by ‘negligible’? Clearly we need the probability that Eve succeeds to be as small as possible, but how small exactly? Since Eve is allowed to use any probabilistic polynomial time algorithm we need to be sure that even if she repeats her attacks a polynomial number of times she is still unlikely to succeed. This leads naturally to the following definition.
A function r : N → N is negligible if for any polynomial p : N → N, there is an integer k_0 such that r(k) < 1/p(k) for k ≥ k_0. So a negligible function is eventually smaller than the inverse of any (positive) polynomial. We will use neg(·) to denote an arbitrary negligible function.
Note that for the remainder of this text all polynomials will be assumed to be positive. That is to say they satisfy p(k) ≥ 1 for all integers k ≥ 1.
The following result tells us that our definition of negligible fits nicely with the idea that only polynomial time computations are feasible. It says simply that if an algorithm has a negligible chance of success then repeating it polynomially many times cannot alter this fact.
Proposition 6.1 If the probability that an algorithm E succeeds (in some given computational task) on inputs of size k is negligible (in k) then the probability that it succeeds at least once when repeated polynomially many times is also negligible.
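A short proof of Proposition 6.1, added here (the text states the result without one), using the notation of the definition above. Let r(k) = neg(k) be the success probability of a single run of E on inputs of size k, and suppose E is repeated q(k) times for some polynomial q. Whether or not the runs are independent, the union bound gives

Pr[E succeeds at least once in q(k) runs] ≤ q(k) · r(k).

Now fix an arbitrary polynomial p. The product p · q is again a (positive) polynomial, so since r is negligible there is an integer k_0 with r(k) < 1/(p(k) q(k)) for all k ≥ k_0. Multiplying through by q(k) gives q(k) · r(k) < 1/p(k) for all k ≥ k_0. As p was arbitrary, the function k ↦ q(k) · r(k) is itself negligible, which is what the proposition claims.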
In order to capture the precise security properties we require we will forget about cryptosystems for the moment and instead introduce the slightly more abstract concept of a one-way function.
Informally a one-way function is a function that is ‘easy’ to compute and ‘hard’ to invert. Slightly more formally a one-way function is a function f : {0,1}* → {0,1}* satisfying:
(1) Easy to compute. The function f is polynomial time computable.
(2) Hard to invert. Any probabilistic algorithm for inverting f(x), when given a random instance y = f(x) (i.e. with x chosen at random), has a negligible chance of finding a preimage of y.
So do such functions exist? We start by considering a candidate one-way function.
Example 6.2 The function dexp.
Let p be a prime, g be a primitive root mod p and x ∈ Z*_p. Define
dexp(p, g, x) = (p, g, g^x mod p).
The function dexp(p, g, x) is easy to compute since exponentiation mod p can be performed in polynomial time (see Proposition 2.12). But how difficult is it to invert?
We define the ‘inverse’ function of dexp to be
dlog(p, g, y) = x,
where y = g^x mod p. (Note that the inverse function of dexp should really return the triple (p, g, x); however, it is clearly easy to find p and g given (p, g, y), so any ‘difficulty’ in inverting dexp lies in the problem of finding x.)
Computing dlog is known as the discrete logarithm problem. It is believed to be extremely hard. Currently the most efficient algorithm for this problem is based on the Number Field Sieve algorithm for factorisation and under plausible assumptions has expected running time O(exp(c (ln p)^{1/3} (ln ln p)^{2/3})).
However, although the discrete logarithm problem is thought to be hard we do not know that this is true. If we wish to base cryptographic protocols on the ‘hardness’ of the discrete logarithm problem we need to formulate a precise intractability assumption, describing exactly how difficult we believe (or hope!) the discrete logarithm problem to be.
The assumption we make is a natural one given our earlier informal definition of cryptographic security. It says that any reasonable adversary (a polynomial time probabilistic algorithm) has a negligible chance of solving a random instance of the discrete logarithm problem.
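To make the easy/hard gap of Example 6.2 concrete, here is an added Python example (not part of the text): dexp computed by square-and-multiply next to a brute-force dlog, each counting the modular multiplications it performs. The primes 23 and 65537 with primitive roots 5 and 3 are constructed toy parameters, chosen only so the search finishes instantly.

```python
# Added example (not from the text): Example 6.2's dexp next to a brute-force
# dlog, instrumented to count modular multiplications so the gap is visible.

def modexp_counted(g, x, p):
    """g^x mod p by square-and-multiply; returns (value, multiplications).
    Work is O(log x): polynomial in the bit-length of the input."""
    result, base, e, mults = 1, g % p, x, 0
    while e:
        if e & 1:
            result = result * base % p
            mults += 1
        base = base * base % p
        mults += 1
        e >>= 1
    return result, mults

def dexp(p, g, x):
    """dexp(p, g, x) = (p, g, g^x mod p), exactly as in Example 6.2."""
    return (p, g, modexp_counted(g, x, p)[0])

def dlog_bruteforce(p, g, y):
    """dlog(p, g, y) = x by exhaustive search over x = 1, ..., p-1.
    Returns (x, multiplications); work is O(p), exponential in the bit-length of p."""
    acc = 1
    for x in range(1, p):
        acc = acc * g % p
        if acc == y:
            return x, x
    return None, p - 1  # y is not a power of g

def is_primitive_root(p, g):
    """g is a primitive root mod p iff its powers hit every element of Z*_p."""
    return len({pow(g, k, p) for k in range(1, p)}) == p - 1

def cost_gap(p, g, x):
    """Forward vs. inverse work on one instance (g a primitive root, 1 <= x < p)."""
    y, forward = modexp_counted(g, x, p)
    x_back, backward = dlog_bruteforce(p, g, y)
    assert x_back == x, "dlog must undo dexp when g is a primitive root"
    return {"bits": p.bit_length(), "dexp_mults": forward, "dlog_mults": backward}

if __name__ == "__main__":
    # Constructed toy instances: p = 23 with primitive root 5, and the prime
    # 65537 with primitive root 3. Real parameters are thousands of bits long.
    print(dexp(23, 5, 20), cost_gap(23, 5, 20))  # dexp 7 mults, dlog 20
    print(cost_gap(65537, 3, 40000))              # dexp 21 mults, dlog 40000
```

Doubling the bit-length of p roughly doubles the forward cost but squares the brute-force inverse cost, which is the polynomial-versus-exponential gap the definition of a one-way function asks for.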