Efficient Encryption for Rich Message Spaces
under General Assumptions
Alexander Russell
Hong Wang
Department of Computer Science and Engineering University of Connecticut
April 3, 2001
Abstract
We present a new family of public-key encryption schemes which combine modest computational de-mands with provable security guarantees under only general assumptions. The schemes may be realized with any one-way trapdoor permutation, and provide a notion of security corresponding to semantic secu-rity under the condition that the message space has sufficient entropy. Furthermore, these schemes can be implemented with very few applications of the underlying one-way permutation: schemes which provide security for message spaces in 01
nwith minimum entropy n
can be realized with wk log k
applications of the underlying one-way trapdoor permutation. Here k is the security parameter and wk
is any function which tends to infinity. In comparison, extant systems offering full semantic security require roughly n applications of the underlying one-way trapdoor permutation. Finally, we give a sim-plified proof of a fundamental “elision lemma” of Goldwasser and Micali.
1
Introduction
Given the current state of affairs in complexity theory, the study of encryption has adopted a somewhat ax-iomatic approach. A primary goal of the study is understand the basic relationship between the (complexity-theoretic) assumptions upon which encryption schemes can based, and the efficiency and privacy guarantees offered by such schemes. Naturally, the most desirable encryption scheme is one which makes the most modest assumptions and offers efficient encryption with strong privacy guarantees.
A variety of complexity-theoretic assumptions have been studied, which range from general assump-tions, like the existence of a one-way function, to strong assumptions about specific (often number-theoretic) functions. In this article, we will focus on the development of asymmetric encryption schemes under gen-eral (i.e., weak) assumptions. In particular, we will assume the existence of a one-way trapdoor permutation. (The constructions work under weaker assumptions, for example the existence of a one-way function, though in this case the target schemes must be private-key.)
the message m. Given a one-way trapdoor permutation f and a hard core predicate1 b for f (see e.g., [7]),
a semantically secure encryption for a message m with n bits can be realized with n applications of f . In general, if it is possible to extract sfk simultaneously secure bits from a single application of f to strings with security parameter k, then n sfk evaluations of f suffice. If, for example, f is taken to beRSA, then it is known that if RSA is difficult to invert then sRSAk Ωlog log k [1, 15], so that this scheme can be realized with On log log k applications ofRSA. The encryption schemes described below offer an efficient analogue of semantic security for the case when the adversary’s a priori knowledge of the message is limited.
We say that an encryption scheme offers entropically bounded security if for all message distributions with sufficient entropy, and all pieces of partial information h : 01 0 1 , observation of Em offers no bounded adversary any nonnegligible advantage in prediction of hm. If the definition is strengthened so that it applies for all message spaces, then we exactly recover the definition of semantic security. (See the next section for precise definitions.) We show that for message spaces with minimum entropy n , an encryption scheme offering entropically bounded security can be realized with very few applications of f ; in particular, wk log k sfk applications (inversions) suffice for encryption (decryption), where k is the security parameter, wk is any function that tends to infinity, and sfk is the number of simultaneously secure bits which can be extracted from a single application of f (a one-way trapdoor permutation). When the message space is uniform, then, this results in a system which requires only Owk log k sfk appli-cations of the one-way permutation, for any function w which tends to infinity. The systems also involve a certain amount of “overhead,” which in each case does not exceed On polylog n time.
The above results express the complexity of encryption as a function of both n, the message length, and
k, the security parameter. This is somewhat unusual for asymmetric schemes, which are typically used to
encrypt a key for a private-key scheme (typically of length k), as private-key schemes are generally (much) more efficient than a public-key schemes. Under the assumptions we consider, however, there is no (known) benefit to be had by applying a private-key system after key exchange, so we keep everything “under one hood”. (Alternatively, the results which follow can be cast in a private-key setting, as mentioned above.)
It is interesting to compare these results with known results adopting stronger assumptions. If factor-ing is difficult, then a scheme of Blum and Goldwasser [6] based on the Rabin functions (x x
2mod pq)
encrypt (in a semantically secure fashion) an n-bit message in time Onk polylog k . In comparison, the above scheme offers a weaker guarantee, analogous to semantic security when the message space has n min entropy, in time O ! wk log k"k polylog k# n polylog n , where w is any function which tends to infinity. Under assumptions of a somewhat stronger flavor, Cramer and Shoup [8] show that a constant number of exponentiations over a group suffice to encrypt a message of length k, in such a way that the re-sulting system is secure against even (adaptive) chosen ciphertext attack. In particular, they assume that the Diffie-Hellman decision problem is hard (i.e., that the El Gamal scheme [10] is semantically secure). Pre-vious work has also constructed efficient, secure encryption schemes (with quite strong notions of security) under the strong assumption of availability of an ideal hash function [5].
The two main theorems in the article, Theorem 3 and Theorem 4, are both instantiations of common paradigms in cryptography. The first is an information-theoretic variant on the standard practice of encrypt-ing a short seed which is then used for a pseudorandom generator (in our case, this will be an ε-biased space). The second is a variant of the “simple embedding schemes” often used in practice, where a message is encrypted by applying a one-way permutation after a suitable (bijective) hash function. The scheme of Bellare and Rogaway [5] is also theoretical evidence for the quality of such systems.
In Section 2 we give basic definitions, including a brief discussion ofε-biased spaces, universal hash functions, and the Fourier analysis of $
n
2, which will be used in the main results, presented in Sections 3
1A hard-core predicate b for a one-way function f is a efficiently computable Boolean function so that b
%x& is difficult to predict
and 4.
2
Definitions
For basic definitions of one-way trapdoor permutations and hard-core predicates we refer the reader to, e.g., [26, 19]. For a one-way permutation f , we shall let sfk denote a lower bound on the number of simultaneously secure hard-core predicates for f (see, e.g., [11]).
Definition 1. A public key encryption scheme is a triple (GED), where
'
G is an efficient probabilistic key generation algorithm, which, on input 1k, produces a pair of keys,
PS ; here P denotes the ”public key” and S the “secret key.”
'
E is an efficiently computable encryption algorithm which, given a message m and public key P, outputs c, an encryption of the message m using the key P. We will consider probabilistic encryption schemes, where E may also depend on a sequence of random bits, R. The encryption of m with public key P and random string R is denoted Em; PR.
'
D is an efficiently computable decryption algorithm which, given a ciphertext c and secret key S, produces a message m for which Em; PR( c for some R.
As mentioned in introduction, semantic security is a standard notion of privacy for encryption schemes.
Definition 2. We say that an encryption scheme GED possesses semantic security if for every message
generator M and every probabilistic time Turing machine A, there is a probabilistic polynomial-time Turing machine B, such that for every polynomial Q, there exists an integer k0 such that) k* k0 and
) h : 01 + 01 , ,.-/ A1 k
PEm; PR0 hm1"23,.-/ B1 k
0 hm1"4
1
Q5k6
where the first probability is taken over m7 M1
k
, PS87 G1 k
, R (the coin tosses of E), and coin tosses of A. The second
probability is taken over all choices of m7 M1 k
and coin tosses of B.
We borrow the 9:7+9 notation from [14]: when x is a variable and S a random variable, x7 S denotes the assignment of x according to S. If S is simply a set, we abuse the notation by allowing S to represent the random variable uniform on S. In the sequel, we will use the term “algorithm” to refer to a probabilistic polynomial time Turing machine. Furthermore, “message generators,” as in the above definition, are algo-rithms which, for each k ;=< , produce a output in the set 01
n (determined by the random coins of M),
where n is polynomially bounded in k. Whenever a probability is expressed, as in the above definitions, it is understood that the random coins of any algorithm appearing inside the brackets are to be included in the probability space. When the underlying probability space of a variable x is clear from context, we may simply write ,.-xPx1", or elide x altogether.
Definition 3. We say that an encryption scheme possesses indistinguishability of encryptions if for every
message generator M, every algorithm A, and for every polynomial Q, there exists an integer k0 such that
) k * k0, ,!-?>A1 k
Pm0 m1Emi; PR i@BA
1 2
1
Q5k6
, this probability being taken over m0 7 M1 k
,
m17 M1 k
,PS7 G1 k
, i7C 01 , and selection of R.
Theorem 1. An encryption scheme is semantically secure if and only if it offers indistinguishability of
encryptions.
strengthened version, discussed in Section 2.4, was originally proved in [12]. We give a streamlined proof of this result, which avoids the sampling present in existing proofs. One consequence of this equivalence is that if the piece of partial information h in the definition of semantic security is restricted to be a Boolean function, the notion of security is unchanged.
A random variable m taking values in 01
n has minimum entropy n
= when) mo ;D 01 n,
,.-E m
mo"#2 2F nG#H
. A message generator M, which produces messages of length n nk given 1
k, is said to have
minimum entropy n when the random variable M1 k
possesses this property.
Definition 4. We say that an encryption system possessesIk -entropic security if for every message
gener-ator M with minimum entropy nJk, and every algorithm A, there is an algorithm B, such that for every
polynomial Q, there exists an integer k0such that) k* k0and) h : 0 1 C 01 ,
,.-/ A1 k
PEm; PR( hm1"02K,!- B1 k
L hm1"M 1
Qk
where the first probability is taken over m7 M1 k
, PS7 G1 k
, and R. The second probability is taken
over m7 M1 k
.
Observe that a semantically secure encryption scheme possesses pk-entropic security for every poly-nomial p. We will construct two encryption schemes, GuEu Du and GbEbDb, based on any one-way trapdoor permutation, so that
'
Eu possesses 0-entropic security (i.e., provides security when the message space is uniform) and requires
ON
wk logk
sfk
tfkO wk n log
1G ε
kP
time to encrypt a message, where tfk is the time required to compute a single application of the one-way permutation f to a string with security parameter k, sfk is the number of simultaneously secure bits which can be extracted from an application of f to strings with security parameter k,
wk is any function which tends to infinity in k, andε * 0. In particular, the time cannot exceed
On tfk log
2k
. (The wk n log
1G ε
k term may in fact be replaced by n log k log log k log log log k.)
'
Ebpossesses -entropic security (i.e., provides security when the message space has minimum entropy
n ) and requires
ON
wk log kD
sfk
tfkQ n log
2n log log n
P
time to encrypt a message, where tfk, sf, and w are as above.
For simplicity we will focus on the time taken to encrypt in these schemes, often simply focusing our attention on the number of applications of the underlying one-way permutation required. In these cases, de-cryption involves inverting the one-way permutation on a like number of elements (and the same “overhead” terms: On log n log log n in the above case).
Our constructions make use ofε-biased sample spaces and universal hash functions, defined below.
2.1 ε-biased Sample Spaces
Definition 5. A sample space SR3 01
nis calledε-biased if for all nonemptyα
ST n"UV 1WWWXn ,
Y
Y
Y
Y
Y[Z]\O^ s_ S `
∏
a_ αE 1 saa
Y
Y
Y
Y
Y
Small probability spaces with these properties were initially constructed by Naor and Naor [21] and Peralta [23]. We will use a construction, due to Alon, Goldreich, H˚astad and Peralta [2], which gives an
ε-biased sample space in 01
n of size about
n ε
2. The sample space is given as the image of a certain
functionσnbm: c 2m
d
c 2m e 01
n. (Here
c 2n denotes the finite field with 2
nelements.) To defineσ, let bin :
c 2m f 01
mbe a bijection satisfying bin 0! 0
mand bin
x y. binxOg biny, whereαg βdenotes the componentwise exclusive or ofαandβ. ThenσxyL rhr0WWWirn
F
1 , where ri hjbinx i
Xbinyk 2, the inner product, modulo two, of xi and y. The size of the sample space is 22m. Let Snbm
S: 01
n be the
collection of points so defined. They show that
Theorem 2 ([2]). Snbm
imσm bnis
n
F
1
2m -biased.
Observe that when m mllog nεF
1n , nF
1
2m 2 ε. As we will be constructing elements of Sm
bn during the encryption (and decryption) phase of our encryption scheme, we analyze the complexity of computing the function above. First, we need to find an irreducible polynomial p of degree m over the finite fieldc 2. As the degree of the polynomial will correspond to the block length of the encryption scheme, we can be somewhat flexible concerning the degree of the irreducible polynomial and use an explicit construction (rather than rely on an algorithm2):
Fact 1. For each c;o< , the polynomial pcx! x
2m
x m
1, where m 3
c, is irreducible over c 2. (See [18, Exercise 3.96].) Computation of σ σm
bn for a pair
xy is performed on a component by component basis: given xi, computation of xiG 1
requires a single multiplication in c 2m
p
c 2 x"qU pc . Using fast polynomial multiplication, computing this product takes Om log m log log m time (see [28], or the discussion in [3, p. 232]). As pc is sparse (it has only 3 nonzero terms), reducing this result mod-ulo pc requires Om time. Hence computation of σxy requires Onm log m log log m time. In or-der for S imσ to be ε-biased, we may take msrlogn εut , in which case the above running time is
On logn ε log logn ε log log logn ε . To simplify notation, we letσn
bε denoteσnbm in the sequel, for
mvrlogn εut .
2.2 k-wise Independent Permutations
A family of permutationswxST f : X X is a family of k-wise independent permutations [33] if for all distinct s1WWWisk ; X and all distinct t1WWWitk ; X ,
,!-φ_zy
) iφsiL ti"O t
F
1
∏
i{ 01
|
X
|
i
W
We will use a family of 3-wise independent permutations, described below. See Rees [25] for a more detailed description.
Let V be a two-dimensional vector space over c , a finite field. For two non-zero vectors v and} w} in this space, we write v}
p
}
w when v} cw for some c} ;=c (so that the two vectors span the same one-dimensional subspace). This is an equivalence relation; we write ~}v" for the equivalence class containing
}
v. Projective 2-space over c is then P2c0Q ~}v"
|
}
v }0
. We let GL2c? denote the set of non-singular 2d 2 matrices over
c , and PGL2c? GL2c?O cI
|
c ;c( , where I is the identity matrix. An element
φof PGL2c? acts on P2c? in a natural (and well-defined) way, mapping }v" to φ }v1". It is not difficult to show that for any distinct i}u1" }u2" }u2"; P2c? and any distinct u}v1" u}v2" u}v2"?; P2c?, there is in fact a uniqueφ; PGL2c? so thatφ }ui"qL [}vi" for each i. In particular, PGL2c0 is a 3-wise independent family
2Irreducible polynomials over
2 of degree m can be found deterministically in m
4 ε
time for anyε 0 [30]; a randomized
algorithm is known [31] which finds such a polynomial time in expected m2logO1
of permutations. As multiplication and inversion in a finite fieldc p, for a prime p, may be accomplished in time Olog plog log p
2log log log p
time [29, 27, 16], evaluation of an elementφ; PGL2c p also has this complexity.
2.3 Fourier Analysis of Boolean Functions
Let L$ n
2x f :$
n
2e denote the set of real valued functions on $ n
2 01
n
. Though our interest shall be in Boolean functions, it will be temporarily convenient to consider this richer space. L$
n
2 is a vector space over of dimension 2
n, and has a natural inner product: for f
g ; L$ n
2, define j fgk 2F
n∑ x_0b1
n fxgx. For a subsetα S 1WWWXn , define the function χα: 01 n
C so that χαx
∏a_ α E 1
xa. These functionsχ
αare the characters of$ n
2 01
n. Among their many wonderful properties
is the fact that the characters form an orthonormal basis for L$ n
2 . To see this, observe that) α S n",
∑x_z0b1
nχαx8 2
n when α
/0, and 0 otherwise. Furthermore, for αβ S n", χαxχβx χα β
x , whereαg βdenotes the symmetric difference ofαandβ, so that χαχβ
1 whenα β, and 0 otherwise. Considering that there are 2ncharacters, pairwise orthogonal, they span L$
n
2, as promised. Any function
f : 01 n
e may then be written in terms of this basis:
f
∑
α?n4
fαχα
where
fαTj fχαk is the projection of f ontoχα. These coefficients
fα,αS3 n", are the Fourier coefficients of f , and, as we have above observed, uniquely determine the function f .
Given the above, it is easy to establish the Plancherel equality:
Proposition 1. Let f ; L$ n
2 . Then f
2
2 ∑α
fα2, where f
2
2j f fk.
1
2n∑x_C 0b1
n fx
2.
As always,
f/0 Z]\O^
f" and, when the range of f isz 1 ,∑α
fα2 f
2
2 1W See [32] for an excellent discussions of discrete Fourier analysis.
2.4 An Elision Lemma.
We will use an “elision” lemma for semantically secure encryption schemes, applied in the proofs of Sec-tions 3 and 4. We use the term elision lemma to refer to an assertion that a cryptosystem offering indistin-guishability of encryptions possesses the property that any efficient computation performed with observation of Em, an encryption, (and, perhaps, some related information) may as well have been performed without it.
The following lemma, which generalizes the original elision lemma of [13], is due to [12]. We give a streamlined proof which improves upon previous proofs in the sense that it requires no sampling on the part of the constructed algorithm (F, in the proof below). It gives an error bound which depends only on a natural 2-norm of the message distribution.
Lemma 1. Let GED denote an encryption scheme possessing indistinguishability of encryptions. Then
for every message space M and algorithm A, there is an algorithm B so that for all polynomials Q1, all
efficiently computable f : 01 01 , and every polynomial Q2, ¡ k0q) k * k0 and ) h : 01
01 ,
,.-/ A1 k
P fsmXEm; P RL hsm1"02¢,.-/ B1 k
fsmL hsm1"M 1
Q2k
The first probability is taken over m 7 M1 k
, PS7 G1 k
, s7£ 01 Q15k6
, and R. The second probability is taken over m7 M1
k
and s7C 01 P5k6
.
Proof. The algorithm B uses A as a black box: given 1k and fs m , B proceeds as follows:
1. Select m¤¥7 M1 k
, P S!7 G1 k
, and choose a random string R of appropriate length,
2. Return A1 k
P fsmXEm¤; PR v. Observe that,.- B1
k
fsm# hsm1"z3,.- A1 k
P fsmXEm¤; PR# hsm1" W In this case, the lemma is a consequence of the following claim:
Claim 1. For every message space M, efficient algorithm A, every polynomial Q1, efficiently computable
f : 01C 01 , and every polynomial Q2,¡ k0q) k* k0and) h : 01C 01 ,
,!-E A1 k
P fsmXEm; PRL hsm1"02¢,!-E A1 k
P fsmXEm ¤; P
R hsm1"¦ 1
Q2k
where each probability is taken over m7 M1 k
, m¤ 7 M1 k
,PSL7 G1 k
, s7C 01 Q15k6
, and R.
Proof of Claim. Suppose not. Then there is a polynomial Q2, a message space M, and an algorithm A, a
polynomial Q1and a function f so that) k0u¡ k * k0,
,.-sbmbRbP §
A1 k
P fsmXEm; PR hsm1¨B* ,.-sbmbm©ªbRbP §
A1 k
P fsmXEm ¤; P
RL hsm1¨ ε
whereε εk
1
Q25k6 .
For a pair of messages mm¤, define Pm bm©
x,!-s bRbP A
1 k
P fsmXEm¤; PR« hsm1" and Pm
b
Z]\O^ m© Pm
bm©
". Observe, then, that,.-s bRbPA
1 k
P fsmXEm; PR hsm1"# Pm
bm, so that
,!-sbmbRbP §
A1 k
P fsmXEm; PR hsm1¨¬ Z]\U^m
Pmbm " and
,.-sbmbm©bRbP
§
A1 k
P fsmXEm ¤; P
R hsm1¨¬ Z]\U^m
Pmb
" W
In particular, Z]\O^
mPmbm "¥
Z]\O^ mPmb
"* ε.
Now, we build an algorithm F which, given random m0 and m1, can distinguish an encryption of m0
from one of m1. (See Definition 3.) The algorithm F proceeds as follows: given m0m1andα Emi; PR,
'
j is chosen uniformly in 01 , s is chosen uniformly in 01 P5n6
, and R is chosen uniformly among strings of appropriate length. Emj; PR and fs m0 are computed.
'
A1 k
fsm0XEmj; PR is simulated, resulting in the value vj. A1 k
fsm0Xα is simulated, re-sulting in the value v.
'
If v vj, output j; otherwise output 1 j.
Let InK A1 k
P fs m¤XEm; PR
|
mm¤ ; 01 n
s; 01 Q15n6
R be values that algorithm A can take, when restricted to those inputs possible when
|
m
|
n. Then, for v; In, let
Dsm©®bm
v !x,.-RbP
A1 k
P fsm
¤
so that Pm©bm
Z]\O^ sDsm©
bm
hs m¤1". Now, for a particular pair m0m1,
,!-E Fm0m1αL i"U
1
∑
i©{ 01
∑
j©{ 0,!-E i i ¤°¯ j
j
¤
"¥±°,.-/ Fm0 m1 αL j
¤
|
i i
¤
j j
¤
"
Z]\O^s
²
1 4
∑
v
Dsm0bm0 v
2
21
∑
vDsm0bm0 v#± D
s m0bm1
vO
∑
vDsm0bm1 v
2
1³
´ 1 2
1 4
Z]\O^s >D
s m0bm0
hsm0µ D s m0bm1
hsm0 @
2
1 2
1 4Pm0
bm0 Pm0
bm1
2
W
where inequality
´
follows because ZJ\U^
X"
2never exceeds
Z]\O^
X2" for any random variable. Then
,.-m0bm1
Fm0m1 αL i"
´
Z]\O^ m0bm1 ²
1 2
1 4±4Pm0
bm0 Pm0
bm1
2
³
´ 1 2
1 4 ±4
ZJ\U^ m0bm1
Pm0bm0 Pm0
bm1 "q
2
1 2
1 4 ±4
Z]\O^m0
Pm0bm0
Z]\U^m1
Pm0bm1 "["q
2
1 2
1 4 ±4
ZJ\U^m0
Pm0bm0 Pm0
b
"q
2
1 2
1 4 ±¶
Z]\O^m
Pmbm "¥
Z]\O^m
Pmb
"q
2´ 1
2
ε2
4 W
Hence ED does not offer indistinguishability of encryptions.
As mentioned above, the Lemma follows immediately from the Claim.
3
Security for Uniformly Distributed Message Spaces
We begin by constructing an encryption scheme offering security in the case when the adversary has no a priori knowledge concerning the message (i.e., the message space is uniform).
As mentioned in the introduction, under the assumption that there exists a one-way permutation f , there is a semantically secure public-key cryptosystem, Cf ·GED, which encrypts a message m ;¸ 01
n
with n sfk applications of the function f .
Theorem 3. Let f be a one-way trapdoor permutation, and Cf vGED the associated semantically
secure encryption scheme. Define a new scheme GuEuDu, where Gu G, and Eum; PRsxmg
σnbε
sXEs; PR where
|
m
|
n and s is chosen randomly in the domain ofσn
bε. Decryption is immediate.
Then forε kF
ω516
, where k is the security parameter of the system, this encryption scheme offers 0-entropic security. Furthermore, the scheme requires Owk log k sfk applications of f , where w is any function
tending to infinity. The scheme has On log k log log k log log log k overhead.
Proof. For simplicity, we treat h as a function with rangez 1 rather than 01 . From Lemma 1, we have for every message space M and algorithm A, there is an algorithm B¤ such that for every polynomial P, there exists an integer k0such that) k* k0and) h : M C] 11
,!- A1 k
Pmg σsXEs; PR( hm1"02T,!- B
¤
1 k
mg σs hm1"¦ 1
Pk
We use B¤ to construct an algorithm B, which can predict hm nearly as well as can A, even without witnessing Eum. The algorithm B, on input 1
k, proceeds as follows:
'
Select m¤O; 01
'
Return B¤1 k
m¤L v. Observe that ,!-mB1
k
L hm1"U,.-m bm© B
¤q1 k
m¤¹L hm1".
Claim 2. Let Gmbe the random variable Z]\O^
shmg σs1"¥ Z]\O^
m© h m
¤
1"; then
Y
Y
Y
Y
,.-mbm© §
B¤ 1
k m
¤
! hm 1¨º,.-mbs
§
B¤ 1
k
m hmg σs1¨
Y Y Y Y 2 1 2ZJ\U^m
|
Gm
|
"¦W
Proof. Let cmm¤ be the random variable so that cmm¤? 1 when B¤1 k
m( hm¤ and 0 if B¤1 k
m8
hm¤». As hm¤¹ takes values in the setz 1 , we can rewrite cmm¤¹L
1 2
B© 51
k
bm6h5m
© 6 2 and Y Y Y Y ,.-mbm© §
B¤ 1
k m
¤
hm ¨ º,.-mbs
§
B¤ 1
k
m hmg σs ¨
Y Y Y Y Y Y Y Y Z]\O^m ²
B¤1 k
m
2 N
Z]\U^ m©
>hm
¤
@ Z]\U^s
hmg σs1"¼P ³
Y Y Y Y 2 1 2Z]\O^m
² Y Y Y Y Z]\O^ m©
>hm
¤
u@! Z]\O^s
hmg σs1"
Y Y Y Y ³½ 1 2Z]\O^m
|
Gm
|
"MW
We apply the second moment method to control Z]\O^
m
|
Gm
|
". Observe that Z]\O^
mhm1"U
h/0, so
Gm Z]\O^s
`
∑
α¾{ /0
hαχαmg σs
a
∑
α¾{ /0
hα
Z]\O^s
χαmg σs1"O
∑
α¾{ /0
hαχαm Z]\O^s
χασs1"
Then Z]\O^
m Gm"µ ∑α ¾{ /0
hα
Z]\U^
s χασs1" ZJ\U^
m χαm1"0 0. Now, the random variables
hαχαmg σs and
hβχβmg σs are pairwise independent so that
¿À
-m Gm "O
¿À
-`
∑
α¾{ /0
hαχαm Z]\O^s
χασs1"
a
∑
α¾{ /0
h2α
ZJ\U^s
χασs1"
2¿À
- χαm1"02 ε
2
∑
α¾{ /0
h2α 2 ε
2
by the Plancherel equality (see Section 2.3) and the fact that¿À
-z χαm1"# 1. Now, applying Chebyshev’s inequality, we have ,!-m
|
Gm
|
* λ"A ε
2λ
F
2.
Selectingλ ε 2
3, we have
ZJ\U^m | Gm | "Oh,.-m | Gm |
* λ"z±max m | Gm | Á,.-m | Gm |
2 λ"z±λ2
ε2
λ2 ± 2Â1
ε2
λ2µ± λ2 3ε 2 3 W Hence Y Y Y Y ,.-mbs
B¤ 1
k
mg σs hm 1"¥Ã,.-m B
1 k
hm1"
Y Y Y Y A 3 2ε 2 3
and ,.-/ A1 k
mg σsXEs; PRL hm1"2T,.-E B1 k
. hm1"
1
P5k6
3 2ε
2
3W Asε kF
ω516
, this completes the proof. The bound on
|
s
|
4
Security for Entropically Rich Message Spaces
For convenience, in this section we will assume that the message space is$ p
G 1for a (known) prime p. Now, we select an artificial bijection L :$ p
G 1
P2c p , so that
LzL
²
N
1
z P ³ for 02 z2 p 1 and L pL
²
N
0 1 P ³ W
L can be computed in linear time; LF
1 can be computed by single inversion modulo p. Having fixed this
bijection, we will treat the functions PGL2c p, described in Section 2.2, as if they act on$ p G 1.
Theorem 4. Let f be a one-way trapdoor permutation, and Cf vGED the associated semantically
secure encryption scheme. Define a new schemeGbEbDb , where Gb G, and Ebm; PRz(φmJ
zφEz; PR where m;B$ p
G 1, z is chosen randomly in S SÄ$ p
G 1, andφis chosen randomly from PGL2 c p .
(Here is modulo p 1 and S is an arbitrary, but fixed subset of size 2
s, for example, we may take
S x 01WWWX2 s
1 .) Decryption is immediate. Then for s V. ωlog k, where k is the security
pa-rameter of the system, this encryption scheme offers -entropic security. Furthermore, the scheme can be
realized with no more than s sfk applications of f . Aside from these evaluations (inversions) of f ,
en-cryption (deen-cryption) has On log
2n log log n
overhead.
Proof. From Lemma 1, we know that for every message space M and algorithm A, there is a algorithm B¤ such that for every polynomial P, there exists an integer k0such that) k * k0and) h : MC 01
,.-/ A1 k
P φmQ z φEz; PRL hm1"02:,.-/ B
¤
1 k
φmQ zφ! hm1"¦ 1
Pk
W
We use B¤ to construct an algorithm B, which can predict h
m (nearly) as well as can A, even without witnessing Ebm. The algorithm B, on input 1
k, proceeds as follows:
'
Select m¤ according to M, selectφ; PGL2c p , and select z at random in S.
'
Return B¤q1 k
φm¤[O zφL v. Observe that,!-mB1
k
! hm1"Uh,.-m bm©®bφbzB
¤1 k
φm¤O zφ hm1".
We begin by recording an analogue of Claim 2 for this cryptosystem which allows us to remove the dependence on the behavior of B¤; the proof is placed in an appendix.
Claim 3. For any function h and all algorithms B¤,
Y
Y
Y
Y
,!-mbm©bφbz
§
B¤ 1
k
φmO zφL hm
¤
1¨Å+,!-mbφbz§
B¤ 1
k
φmO zφL hm1¨
Y
Y
Y
Y
2
1 2 Z]\O^
mbφbz`
Y
Y
Y
Y
Y[ZJ\U^ m©
hm
¤
1"I Z]\U^ m©®bz©
>hm
¤
φm
¤
O z
¤
φmQ z@
Y
Y
Y
Y
Y
a
Now, for an element z0 ; S, let Sz0 T z z0mod p 1
|
z; S . Let
Gz0m
bφ
Z]\O^ m©
hm
¤
1"I Z]\O^ m©
bz
©
_ S
z0
>hm
¤
φm
¤
O z
¤
φm @ W
From above, it sufficies to show that for any z0 ; S, Z]\O^
mbφ
|
Gz0m
bφ
|
" is small. Now fix z0 ; S. For a fixed message m0 ;Æ$ p
G 1and an element w ;D$ p
G 1, let
w w φ; PGL2c p
|
φm0 w . Let pm
,.-mm mi". For an element w0 ;Ã$ p
G 1 and a permutation φ
;w w0, let A
φ
w0 ∑
m_ φÇ 1
5w0G S
z06 pm and
Bφw0 ∑m _ φ
Ç
1
5w0G Sz06 pm
±hm ; then
Bφw0
Aφw0
ZJ\U^m
hm
|
φm; w0 Sz0"MW (1)
(Here w0 Sz0 denotes the set w0 z mod p 1
|
z; Sz0 .)
Let Xmbe the random variable taking the value pmifφm.; w0 Sz0, and 0 otherwise. ThenΣm _ MXm
Aφw0 andΣm_ hÇ 1
516Xm B
φ
w0 so that
Z]\O^
φ_zy
w0
Aφw0"J Z]\U^
φ_zy
w0
pm0 Σm ¾{ m0Xm
"J pm0 Σm ¾{ m0
E,.-E φm.; w0 Sz0"± pm? pm0 N 1
2s 1 2n P
2s 1 2n W
Hence2sF
1 2n 2
ZJ\U^
φ_zy
w0 A φ
w0"µ2 pm0
È
1
2s
F
1 2n É
2s
F
1 2n 2 2F
nG s
pm0. Similarly, let qV,.-mhm( 1", then
q± 2s 1
2n 2 ZJ\U^
φ_zy
w0
Bφw0"2 q± 2s 1
2n pm0 N 1
2s 1 2n P W
Recalling that the distribution of m has minimum entropy n ,
Z]\O^ φ_zy w0 B φ w0" Z]\O^
φ_zy w0 A
φ w0"
Z]\U^ m_ M
hm1"02 2H 2s 1 and similarly, Z]\O^ φ_zy w0 B φ w0" Z]\O^ φ_zy w0 A φ w0" Z]\O^ m_ M
hm1"
´ q±42 s
1 2s
2 np
m0 1 q ´ 2 F sG#H W Hence, Y Y Y Y Y Y Z]\O^
φ_zy w0 B
φ w0" Z]\O^ φ_zy w0 A φ w0" Z]\O^ m_ M
hm1"
Y Y Y Y Y Y
2 2± 2
F
sGUH
W
We wish to insure that Aφw0 and Bφw0 are close to their expected vales. In preparation for applying Cheby-shev’s inequality, we compute their variances. We have
¿À
-φ_y
w0
Aφw0"O ¿À
- Σm _ MXm
"O Σm ¾{ m0
¿À
-E Xm"qO Σm1 ¾{ m2¾{ m0
ÊËzÌ Xm1 Xm2" W
Now, Σm¾{ m0 ¿À
- Xm".2 Σm ¾{ m0
Z]\O^
Xm2".2 2F nG s
± Σm _ M
p
2
m2 2F
2nG sGUH
, and these variables are pairwise negatively correlated (so thatÊËzÌ Xm1
Xm2"UA 0 for m1 m2, both distinct from m0). Then, ¿À
-φ _y w0 A
φ w0"#A
2F
2nG sG#H
. Similarly,¿À -φ
_zy
w0 B φ
w0"A q± 2F
2nG sG#H
. Observe that 3-wise independence is required here. By Chebyshev’s inequality we have
,.-φ_zy
w0
>
Y
YAφ w0
ZJ\U^
Aφw0"
Y
Y
´
δa@2 ¿À
- A
φ w0" δ2 a A 2s 22n F H ± δ 2 a (2) and ,.-φ_zy w0 > Y Y
Bφw0 ZJ\U^
Bφw0"
Y
Y
´
δb@ 2 ¿À
- B
φ w0"
δ2
b
A
When both Y Y YA φ w0 ZJ\U^
φ_zy w0 A
φ w0"
Y
Y
Y 2 δaand
Y Y YB φ w0 Z]\O^
φ_y w0 B
φ w0"
Y
Y
Y 2 δb, we have, in particular, from equa-tion (1), Y Y Y Y Y Y Z]\U^ φ_zy w0 B φ w0" Z]\U^ φ_zy w0 A φ w0" Z]\O^m
hm
|
φm; w0 Sz0"
Y Y Y Y Y Y 2
2δa δb
Z]\O^
φ_zy
w0 A φ w0"
2 2δa δbµ± 2 n
F
s
(assuming thatδaδb A 1 2). Whenδa δb
ε1
4Í2
n
Ç
s, this is the statement that
Y
Y
Y
Y
Z]\O^m
hm
|
φm; w0 Sz0"¥ Z]\O^m
hm1"
Y
Y
Y
Y
A ε1 2± 2
F
sGUH
For this z0, we say that φw is anε-concealed pair if
|
Z]\O^ mhm
|
φm; w Sz0"¥ Z]\O^
mhm1"
|
A ε. From inequalities (2) and (3), for any fixed w0andε1 * 0 we see that
,.-φ_y
w0 §
φw0 is not an ε1 2± 2
F
sG#H
-concealed pair¨Î2
2±2 s 22n F H ±δ 2 a A 25 ε2 1± 2
s
F
H
W
Now, for any fixed fixed m0andε* 2± 2F sG#H
,
,!-φ »φφm0 is anε-concealed pair"O Σw
i N
,.-/ φ;w w
i
"¥±D,.-φ_y wi
[φwi is anε-concealed pair"
P ´ 1 25 ε2 ± 2 s F H
4ε 4± 2
F
sG#H
W
For a random pair mφ, we will (lower) bound the probability that φφm is anε-concealed pair for z0, since ZJ\U^m bφ § Y Y YG z0 mbφ
Y
Y
Y¨ 2 ε
,!-mbφ
[φφm isε-concealed"MÂ1 ,.-mbφ
[φφm isε-concealed"qXW
For specific m and random choice ofφ, we define Ymto be the random variable taking the value 1 ifφφm is anε-concealed pair, and 0 otherwise. Now,
,.-mbφ
[φφm is anε-concealed pair"O Z]\O^m
bφ
Ym"O Σm
ipmi ± Z]\O^φ
Ymi"
h,.-φ [φφm is anε-concealed pair"
´ 1 25 ε2 ±2 s F H
4ε 4±2
F
sG#H
so that for allε * 2±2F sG#H
, Z]\O^
mbφ
|
Gz0m
bφ
|
2 ε1 δO δA ε δ, whereδ
25 ε2 Í2 s ÇÏ F
4εG 4Í2Ç
sÐ
Ï
. Selectε
4±2
Ç
sÐ
Ï
3 . As s¸ ωlog k , we can be guaranteed thatε k
F
ω516
and so for all z, Z]\O^
mbφ
§
Y
Y
YG z mbφ
Y
Y
Y¨Å k
F
ω516
W
Hence, ZJ\U^
mbφbz
§
Y
Y
YG z mbφ
Y
Y
Y¨ kF
ω516
which, considering the above claim, completes the proof. The bound on the number of applications of the underlying one-way permutation follows immediately from the definition of s.
5
Acknowledgements
References
[1] Werner Alexi, Benny Chor, Oded Goldreich, and Claus P. Schnorr. RSA/Rabin bits are 1 2 1 polylog N secure. In 25th Annual Symposium on Foundations of Computer Science, pages 449– 457, Singer Island, Florida, 24–26 October 1984. IEEE.
[2] Noga Alon, Oded Goldreich, Johan H˚astad, and Ren´e Peralta. Simple constructions of almost k-wise independent random variables. In 31st Annual Symposium on Foundations of Computer Science, volume II, pages 544–553, St. Louis, Missouri, 22–24 October 1990. IEEE.
[3] Eric Bach and Jeffrey Shallit. Algorithmic number theory. Vol. 1. MIT Press, Cambridge, MA, 1996. Efficient algorithms.
[4] M. Bellare, A. Desai, A. Pointcheval, and P. Rogaway. Relations among notions of public-key cryp-tosystems. In Krawczyk [17], page 540.
[5] Mihir Bellare and Phillip Rogaway. Optimal asymmetric encryption. In Alfredo De Santis, editor,
Advances in Cryptology—EUROCRYPT 94, volume 950 of Lecture Notes in Computer Science, pages
92–111. Springer-Verlag, 1995, 9–12 May 1994.
[6] Manuel Blum and Shafi Goldwasser. An efficient probabilistic public-key encryption scheme which hides all partial information. In G. R. Blakley and David Chaum, editors, Advances in Cryptology:
Pro-ceedings of CRYPTO 84, volume 196 of Lecture Notes in Computer Science, pages 289–299.
Springer-Verlag, 1985, 19–22 August 1984.
[7] Manuel Blum and Silvio Micali. How to generate cryptographically strong sequences of pseudo-random bits. SIAM Journal on Computing, 13(4):850–864, November 1984.
[8] Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adap-tive chosen ciphertext attack. In Krawczyk [17], pages 13–25.
[9] Danny Dolev, Cynthia Dwork, and Moni Naor. Non-malleable cryptography (extended abstract). In
Proceedings of the Twenty Third Annual ACM Symposium on Theory of Computing, pages 542–552,
New Orleans, Louisiana, 6–8 May 1991.
[10] T. El Gamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE
Transactions on Information Theory, 31:469–472, 1985.
[11] Oded Goldreich. Three xor-lemmas – an exposition. This survey is available at ftp://theory.lcs.mit.edu/pub/people/oded/xor.ps., 1991.
[12] Oded Goldreich. A uniform-complexity treatment of encryption and zero-knowledge. Journal of
Cryptology, 6(1):21–53, 1993.
[13] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System
Sci-ences, 28(2):270–299, April 1984.
[14] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, April 1988.
[15] Johan H˚astad and Mats N¨aslund. The security of individual RSA bits. In 39th Annual Symposium on
[16] D. E. Knuth. The analysis of algorithms. In Actes du Congr´es International des Math´ematiciens, volume 3. Gauthier-Villars, Paris, 1971.
[17] Hugo Krawczyk, editor. Advances in Cryptology—CRYPTO ’98, volume 1462 of Lecture Notes in
Computer Science. Springer-Verlag, 23–27 August 1998.
[18] Rudolf Lidl and Harald Niederreiter. Finite Fields, volume 20 of Encyclopedia of Mathematics and its
Applications. Addison-Wesley Publishing Company, Reading, Massachusetts, 1983.
[19] Alfred J. Menezes, Paul C. van Oorschot, and Sctoo A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
[20] Silvio Micali, Charles Rackoff, and Bob Sloan. The notion of security for probabilistic cryptosystems.
SIAM Journal on Computing, 17(2):412–426, April 1988.
[21] Joseph Naor and Moni Naor. Small-bias probability spaces: Efficient constructions and applications.
SIAM Journal on Computing, 22(4):838–856, August 1993.
[22] Moni Naor and Moti Yung. Public-key cryptosystems provably secure against chosen ciphertext at-tacks. In Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, pages 427–437, Baltimore, Maryland, 14–16 May 1990.
[23] Rene Peralta. On the distribution of quadratic residues and nonresidues modulo a prime number.
Mathematics of Computation, 58(197):433–440, 1992.
[24] Charles Rackoff and Daniel R. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In J. Feigenbaum, editor, Advances in Cryptology—CRYPTO ’91, volume 576 of
Lecture Notes in Computer Science, pages 433–444. Springer-Verlag, 1992, 11–15 August 1991.
[25] E. G. Rees. Notes on Geometry. Springer-Verlag, 1983.
[26] Ronald L. Rivest. Cryptography. In J. van Leeuwen, editor, Handbook of Theoretical Computer
Science, volume A. MIT Press, 1990.
[27] A. Sch¨onhage. Schnelle berechnung von kettenbruchentwicklungen. Acta Informatica, 1:139–144, 1971.
[28] A. Sch¨onhage. Schnelle Multiplikation von Polynomen ¨uber K ¨orpern der Charakteristik 2. Acta
Informat., 7(4):395–398, 1976/77.
[29] A. Sch¨onhage and V. Strassen. Schnelle multiplikation groβer zahlen. Computing, 7:281–292, 1971.
[30] Victor Shoup. New algorithms for finding irreducible polynomials over finite fields. Math. Comp., 54(189):435–447, 1990.
[31] Victor Shoup. Fast construction of irreducible polynomials over finite fields. J. Symbolic Comput., 17(5):371–391, 1994.
[32] Audrey Terras. Fourier Analysis on Finite Groups and Applications. Number 43 in Student Texts. Cambridge University Press, Cambridge, UK, 1999.
[33] Mark N. Wegman and J. Lawrence Carter. New classes and applications of hash functions. In 20th
Annual Symposium on Foundations of Computer Science, pages 175–182, San Juan, Puerto Rico, 29–
A
Proof of Claim 3
Proof. Proof of Claim 3
Y
Y
Y
Y
,!-mbm©bφbz
§
B¤ 1
k
φmQ zφ! hm
¤
1¨Ñ,!-mbφbz§
B¤ 1
k
φmO zφ! hm1¨
Y
Y
Y
Y
Y
Y
Y
Y
Y¬Z]\U^ mbm©~bφbz
²
1 B¤1 k
φmQ zφ hm¤
2
1 B¤1 k
φmO zφ hm
2 ³
Y
Y
Y
Y
Y
1 2
Y
Y
Y
Y
Y ZJ\U^ mbm©bφbz
§
B¤ 1
k
φmQ z φhm
¤
¨ ZJ\U^ mbφbz
§
B¤ 1
k
φmO zφ hm ¨
Y
Y
Y
Y
Y
1 2
Y
Y
Y
Y
Y»Z]\O^φ bmbz
²
B¤ 1
k
φmQ zφ N Z]\O^
m©
hm
¤
1"¥ hm P ³
Y
Y
Y
Y
Y
1 2
Y
Y
Y
Y
Y[Z]\O^φ
`
∑
e_¦Ò p Ð 1,.-mbz
φmO z e"z± B
¤
1 k
eφ Z]\O^m
bz ²
N
Z]\O^ m©
hm
¤
1"I hm P φmQ z e³
a
Y
Y
Y
Y
Y
2
1 2 Z]\O^φ
²
∑
e,.-mbz
φmQ z e"¥±
Y
Y
Y
Y
ZJ\U^ m©
hm1"I Z]\O^m
bz
hm φmO z e"
Y
Y
Y
Y
³
Observe now that for any functions f :$ p G 1
e and g :$ p G 1
Ñ$ p G 1,
∑
e
,!-x g x! e"
ZJ\U^x
fgx
|
gx. e"U Z]\O^x
fgx1" W
Then the above is equal to
1 2φZ]\O^
bmbz `
Y
Y
Y
Y
Y[Z]\O^m
hm1"I Z]\U^ m©bz©
>hm
¤
φm
¤
O z
¤
φmO z@
Y
Y
Y
Y
Y
a