Skip to Content
CSE442TIntroduction to Cryptography (Lecture 10)

CSE442T Introduction to Cryptography (Lecture 10)

Chapter 2: Computational Hardness

Discrete Log Assumption (Assumption 52.2)

This is collection of one-way functions

pΠ~n( safe primes ),p=2q+1p\gets \tilde\Pi_n(\textup{ safe primes }), p=2q+1 aZp;g=a2( make sure g1)a\gets \mathbb{Z}*_{p};g=a^2(\textup{ make sure }g\neq 1) fg,p(x)=gxmodpf_{g,p}(x)=g^x\mod p f:ZqZpf:\mathbb{Z}_q\to \mathbb{Z}^*_p

Evidence for Discrete Log Assumption

Best known algorithm to always solve discrete log mod p, pΠnp\in \Pi_n

O(22log(n))O(2^{\sqrt{2}\sqrt{\log(n)}})

RSA Assumption

Let ee be the exponents

P[p,qΠn;Npq;eZϕ(N);yNn;xA(N,e,y);xe=ymodN]<ϵ(n)P[p,q\gets \Pi_n;N\gets p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;y\gets \mathbb{N}_n;x\gets \mathcal{A}(N,e,y);x^e=y\mod N]<\epsilon(n)

Theorem 53.2 (RSA Algorithm)

This is a collection of one-way functions

I={(N,e):N=pq,p,qΠn and eZϕ(N)}I=\{(N,e):N=p\cdot q,p,q\in \Pi_n \textup{ and } e\in \mathbb{Z}_{\phi(N)}^*\}

D(N,e)=ZND_{(N,e)}=\mathbb{Z}_N^*

R(N,e)=ZNR_{(N,e)}=\mathbb{Z}_N^*

f(N,e)(x)=xemodNf_{(N,e)}(x)=x^e\mod N

Example:

On encryption side

p=5,q=11,N=5×11=55p=5,q=11,N=5\times 11=55, ϕ(N)=410=40\phi(N)=4*10=40

pick eZ40e\in \mathbb{Z}_{40}^*. say e=3e=3, and f(x)=x3mod55f(x)=x^3\mod 55

pick yZ55y\in \mathbb{Z}_{55}^*. say y=17y=17. We have (55,3,17)(55,3,17)

x401mod55x^{40}\equiv 1\mod 55

x41xmod55x^{41}\equiv x\mod 55

x40k+1xmod55x^{40k+1}\equiv x \mod 55

Since xaxamod40mod55x^a\equiv x^{a\mod 40}\mod 55 (by corollary of Fermat’s little Theorem: axmodN=axmodΦ(N)modNa^x\mod N=a^{x\mod \Phi(N)}\mod N s )

The problem is, what can we multiply by 33 to get 1modϕ(N)=1mod401\mod \phi(N)=1\mod 40.

by computing the multiplicative inverse using extended Euclidean algorithm we have 3271mod403\cdot 27\equiv 1\mod 40.

x317mod55x^3\equiv 17\mod 55

x1727mod55x\equiv 17^{27}\mod 55

On adversary side.

they don’t know ϕ(N)=40\phi(N)=40

f(N,e):ZNZNf(N,e):\mathbb{Z}_N^*\to \mathbb{Z}_N^*

is a bijection.

Proof

Suppose x1ex2emodnx_1^e\equiv x_2^e\mod n

Then let d=e1modϕ(N)d=e^{-1}\mod \phi(N) (exists b/c eϕ(N)e\in\phi(N)^*)

So (x1e)d(x2e)dmodN(x_1^e)^d\equiv (x_2^e)^d\mod N

So x1edmodϕ(N)x2edmodϕ(N)modNx_1^{e\cdot d\mod \phi(N)}\equiv x_2^{e\cdot d\mod \phi(N)}\mod N (Euler’s Theorem)

x1x2modNx_1\equiv x_2\mod N

So it’s one-to-one.

Let yZNy\in \mathbb{Z}_N^*, letting x=ydmodNx=y^d\mod N, where de1modϕ(N)d\equiv e^{-1}\mod \phi(N)

xe(yd)eymodnx^e\equiv (y^d)^e \equiv y\mod n

Proof

It’s easy to sample from II:

  • pick p,qΠnp,q\in \Pi_n. N=pqN=p\cdot q
  • compute ϕ(N)=(p1)(q1)\phi(N)=(p-1)(q-1)
  • pick eZNe\gets \mathbb{Z}^*_N. If gcd(e,ϕ(N))1gcd(e,\phi(N))\neq 1, pick again (Zϕ(N)\mathbb{Z}_{\phi_(N)}^* has plenty of elements.)

Easy to sample ZN\mathbb{\mathbb{Z}_N^*} (domain).

Easy to compute xemodNx^e\mod N.

Hard to invert:

    P[(N,e)I;xZN;y=xemodN:f(A((N,e),y))=y]=P[(N,e)I;xZN;y=xemodN:xA((N,e),y)]=P[(N,e)I;yZN;y=xemodN:xA((N,e),y),xeymodN]\begin{aligned} &~~~~P[(N,e)\in I;x\gets \mathbb{Z}_N^*;y=x^e\mod N:f(\mathcal{A}((N,e),y))=y]\\ &=P[(N,e)\in I;x\gets \mathbb{Z}_N^*;y=x^e\mod N:x\gets \mathcal{A}((N,e),y)]\\ &=P[(N,e)\in I;y\gets \mathbb{Z}_N^*;y=x^e\mod N:x\gets \mathcal{A}((N,e),y),x^e\equiv y\mod N]\\ \end{aligned}

By RSA assumption

The second equality follows because for any finite DD and bijection f:DDf:D\to D, sampling yDy\in D directly is equivalent to sampling xDx\gets D, then computing y=f(x)y=f(x).

Theorem If inverting RSA is hard, then factoring is hard.

 RSA assumption      Factoring assumption\textup{ RSA assumption }\implies \textup{ Factoring assumption}

If inverting RSA is hard, then factoring is hard.

i.e If factoring is easy, then inverting RSA is easy.

Proof:

Suppose A\mathcal{A} is an adversary that breaks the factoring assumption, then

P[pΠn;qΠn;N=pq;A(N)=(p,q)]>1p(n)P[p\gets \Pi_n;q\gets \Pi_n;N=p\cdot q;\mathcal{A}(N)=(p,q)]>\frac{1}{p(n)}

infinitely often.for a polynomial pp.

Then we designing BB to invert RSA.

Suppose

p,qΠn;N=pq;eZϕ(N);xZn;y=xemodNp,q\gets \Pi_n;N=p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;x\gets \mathbb{Z}^n;y=x^e\mod N

def B(N,e,y):
    """
    Goal: find x
    """
    p,q=A(N)
    if n!=p*q:
        return None
    phiN=(p-1)*(q-1)
    # find modular inverse of e \mod N
    d=extended_euclidean_algorithm(e,phiN)
    # returns (y**d)%N
    x=fast_modular_exponent(y,d,N)
    return x

So the probability of B succeeds is equal to A succeeds, which >1p(n)>\frac{1}{p(n)} infinitely often, breaking RSA assumption.

Remaining question: Can xx be found without factoring NN? y=xemodNy=x^e\mod N

One-way permutation (Definition 55.1)

A collection function F={fi:DiRi}iI\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I} is a one-way permutation if

  1. i,fi\forall i,f_i is a permutation
  2. F\mathcal{F} is a collection of one-way functions

basically, a one-way permutation is a collection of one-way functions that maps {0,1}n\{0,1\}^n to {0,1}n\{0,1\}^n in a bijection way.

Trapdoor permutations

Idea: f:DRf:D\to R is a one-way permutation.

yRy\gets R.

  • Finding xx such that f(x)=yf(x)=y is hard.
  • With some secret info about ff, finding xx is easy.

F={fi:DiRi}iI\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I}

  1. i,fi\forall i,f_i is a permutation
  2. (i,t)Gen(1n)(i,t)\gets Gen(1^n) efficient. (iIi\in I paired with tt), tt is the “trapdoor info”
  3. i,Di\forall i,D_i can be sampled efficiently.
  4. i,x,fi(x)\forall i,\forall x,f_i(x) can be computed in polynomial time.
  5. P[(i,t)Gen(1n);yRi:fi(A(1n,i,y))=y]<ϵ(n)P[(i,t)\gets Gen(1^n);y\gets R_i:f_i(\mathcal{A}(1^n,i,y))=y]<\epsilon(n) (note: A\mathcal{A} is not given tt)
  6. (trapdoor) There is a p.p.t. BB such that given i,y,ti,y,t, B always finds x such that fi(x)=yf_i(x)=y. tt is the “trapdoor info”

Theorem RSA is a trapdoor

RSA collection of trapdoor permutation with factorization (p,q)(p,q) of NN, or ϕ(N)\phi(N), as trapdoor info ff.

Last updated on
Introduction to Cryptography (Lecture 9)Introduction to Cryptography (Lecture 11)