Skip to Content
CSE442TExam reviewsCSE442T Exam 2 Review

CSE442T Exam 2 Review

Review

Assumptions used in cryptography (this course)

Diffie-Hellman assumption

The Diffie-Hellman assumption is that the following problem is hard.

Given g,ga,gb, it is hard to compute gab.\text{Given } g,g^a,g^b\text{, it is hard to compute } g^{ab}.

More formally,

If pp is a randomly sampled safe prime.

Denote safe prime as Π~n={pΠn:q=p12Πn1}\tilde{\Pi}_n=\{p\in \Pi_n:q=\frac{p-1}{2}\in \Pi_{n-1}\}

Then

P[pΠn~;aZp;g=a21;xZq;y=gxmodp:A(y)=x]ε(n)P\left[p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1;x\gets \mathbb{Z}_q;y=g^x\mod p:\mathcal{A}(y)=x\right]\leq \varepsilon(n)

pΠn~;aZp;g=a21p\gets \tilde{\Pi_n};a\gets\mathbb{Z}_p^*;g=a^2\neq 1 is the function condition when we do the encryption on cyclic groups.

Discrete logarithm assumption

If Diffie-Hellman assumption holds, then discrete logarithm assumption holds.

This is a corollary of the Diffie-Hellman assumption, it states as follows.

This is collection of one-way functions

pΠ~n( safe primes ),p=2q+1p\gets \tilde\Pi_n(\textup{ safe primes }), p=2q+1 aZp;g=a2( make sure g1)a\gets \mathbb{Z}*_{p};g=a^2(\textup{ make sure }g\neq 1) fg,p(x)=gxmodpf_{g,p}(x)=g^x\mod p f:ZqZpf:\mathbb{Z}_q\to \mathbb{Z}^*_p

RSA assumption

The RSA assumption is that it is hard to factorize a product of two large primes. (no polynomial time algorithm for factorization product of two large primes with nn bits)

Let ee be the exponents

P[p,qΠn;Npq;eZϕ(N);yNn;xA(N,e,y);xe=ymodN]<ε(n)P[p,q\gets \Pi_n;N\gets p\cdot q;e\gets \mathbb{Z}_{\phi(N)}^*;y\gets \mathbb{N}_n;x\gets \mathcal{A}(N,e,y);x^e=y\mod N]<\varepsilon(n)

Factoring assumption

If RSA assumption holds, then factoring assumption holds.

The only way to efficiently factorize the product of prime is to iterate all the primes.

Fancy product of these assumptions

Trapdoor permutation

RSA assumption     \implies Trapdoor permutation exists.

Idea: f:DRf:D\to R is a one-way permutation.

yRy\gets R.

  • Finding xx such that f(x)=yf(x)=y is hard.
  • With some secret info about ff, finding xx is easy.

F={fi:DiRi}iI\mathcal{F}=\{f_i:D_i\to R_i\}_{i\in I}

  1. i,fi\forall i,f_i is a permutation
  2. (i,t)Gen(1n)(i,t)\gets Gen(1^n) efficient. (iIi\in I paired with tt), tt is the “trapdoor info”
  3. i,Di\forall i,D_i can be sampled efficiently.
  4. i,x,fi(x)\forall i,\forall x,f_i(x) can be computed in polynomial time.
  5. P[(i,t)Gen(1n);yRi:fi(A(1n,i,y))=y]<ε(n)P[(i,t)\gets Gen(1^n);y\gets R_i:f_i(\mathcal{A}(1^n,i,y))=y]<\varepsilon(n) (note: A\mathcal{A} is not given tt)
  6. (trapdoor) There is a p.p.t. BB such that given i,y,ti,y,t, B always finds x such that fi(x)=yf_i(x)=y. tt is the “trapdoor info”

There is one bit of trapdoor info that without it, finding xx is hard.

Collision resistance hash function

If discrete logarithm assumption holds, then collision resistance hash function exists.

Let h:{0,1}n+1{0,1}nh: \{0, 1\}^{n+1} \to \{0, 1\}^n be a CRHF.

Base on the discrete log assumption, we can construct a CRHF H:{0,1}n+1{0,1}nH: \{0, 1\}^{n+1} \to \{0, 1\}^n as follows:

Gen(1n):(g,p,y)Gen(1^n):(g,p,y)

pΠ~n(p=2q+1)p\in \tilde{\Pi}_n(p=2q+1)

gg generator for group of sequence modp\mod p (G_q)

yy is a random element in GqG_q

hg,p,y(x,b)=ybgxmodph_{g,p,y}(x,b)=y^bg^x\mod p, ybgxmodp{0,1}ny^bg^x\mod p \in \{0,1\}^n

gxmodpg^x\mod p if b=0b=0, ygxmodpy\cdot g^x\mod p if b=1b=1.

Under the discrete log assumption, HH is a CRHF.

  • It is easy to sample (g,p,y)(g,p,y)
  • It is easy to compute
  • Compressing by 1 bit

One-way permutation

If trapdoor permutation exists, then one-way permutation exists.

A one-way permutation is a function that is one-way and returns a permutation of the input.

One-way function

If one-way permutation exists, then one-way function exists.

One-way function is a class of functions that are easy to compute but hard to invert.

Weak one-way function

A weak one-way function is

f:{0,1}n{0,1}f:\{0,1\}^n\to \{0,1\}^*
  1. \exists a P.P.T. that computes f(x),x{0,1}nf(x),\forall x\in\{0,1\}^n
  2. a\forall a adversaries, ε(n),n\exists \varepsilon(n),\forall n.
P[x{0,1}n;y=f(x):f(a(y,1n))=y]<11p(n)P[x\gets \{0,1\}^n;y=f(x):f(a(y,1^n))=y]<1-\frac{1}{p(n)}

The probability of success should not be too close to 1

Strong one-way function

If weak one-way function exists, then strong one-way function exists.

A strong one-way function is

f:{0,1}n{0,1}(n)f:\{0,1\}^n\to \{0,1\}^*(n\to \infty)

There is a negligible function ε(n)\varepsilon (n) such that for any adversary aa (n.u.p.p.t)

P[x{0,1}n;y=f(x):f(a(y))=y,a(y)=x]ε(n)P[x\gets\{0,1\}^n;y=f(x):f(a(y))=y,a(y)=x']\leq\varepsilon(n)

Probability of guessing correct message is negligible

Hard-core bits

Strong one-way function     \iff hard-core bits exists.

A hard-core bit is a bit that is hard to predict given the output of a one-way function.

Pseudorandom generator

If one-way permutation exists, then pseudorandom generator exists.

We can also use pseudorandom generator to construct one-way function.

And hard-core bits can be used to construct pseudorandom generator.

Pseudorandom function

If pseudorandom generator exists, then pseudorandom function exists.

A pseudorandom function is a function that is indistinguishable from a true random function.

Multi-message secure private-key encryption

If pseudorandom function exists, then multi-message secure private-key encryption exists.

A multi-message secure private-key encryption is a function that is secure against an adversary who can see multiple messages.

Single message secure private-key encryption

If multi-message secure private-key encryption exists, then single message secure private-key encryption exists.

Message-authentication code

If pseudorandom function exists, then message-authentication code exists.

Public-key encryption

If Diffie-Hellman assumption holds, and Trapdoor permutation exists, then public-key encryption exists.

Digital signature

A digital signature scheme is a triple (Gen,Sign,Ver)(Gen, Sign, Ver) where

  • (pk,sk)Gen(1k)(pk,sk)\gets Gen(1^k) is a p.p.t. algorithm that takes as input a security parameter kk and outputs a public key pkpk and a secret key sksk.
  • σSignsk(m)\sigma\gets Sign_{sk}(m) is a p.p.t. algorithm that takes as input a secret key sksk and a message mm and outputs a signature σ\sigma.
  • Verpk(m,σ)Ver_{pk}(m, \sigma) is a deterministic algorithm that takes as input a public key pkpk, a message mm, and a signature σ\sigma and outputs “Accept” if σ\sigma is a valid signature for mm under pkpk and “Reject” otherwise.

For all nNn\in\mathbb{N}, all mMnm\in\mathcal{M}_n.

P[(pk,sk)Gen(1k);σSignsk(m);Verpk(m,σ)=“Accept”]=1P[(pk,sk)\gets Gen(1^k); \sigma\gets Sign_{sk}(m); Ver_{pk}(m, \sigma)=\textup{``Accept''}]=1

One-time secure digital signature

Fixed-length one-time secure digital signature

If one-way function exists, then fixed-length one-time secure digital signature exists.

Last updated on
CSE442T Exam 1 ReviewIntroduction to Cryptography (Lecture 1)