Ebook Introduction to modern cryptography Part 2


Document information

(BQ) Part 2 of the book Introduction to Modern Cryptography covers number theory and cryptographic hardness assumptions, factoring and computing discrete logarithms, private-key management and the public-key revolution, digital signature schemes, and other topics.

Part III: Public-Key (Asymmetric) Cryptography

Chapter 7: Number Theory and Cryptographic Hardness Assumptions

Modern cryptography, as we have seen, is almost always based on an assumption that some problem cannot be solved in polynomial time. (See Section 1.4.2 for a discussion of this point.) In Chapters 3 and 4, for example, we saw that efficient private-key cryptography, both encryption and message authentication, can be based on the assumption that pseudorandom permutations exist. Recall that, roughly speaking, this means that there exists some keyed permutation F for which it is impossible to distinguish in polynomial time between interactions with F_k (for a randomly-chosen key k) and interactions with a truly random permutation.

On the face of it, the assumption that pseudorandom permutations exist seems quite strong and unnatural, and it is reasonable to ask whether this assumption is likely to be true or whether there is any evidence to support it. In Chapter 5 we explored how pseudorandom permutations (i.e., block ciphers) are constructed in practice. The resistance of these constructions to attack at least serves as an indication that the existence of pseudorandom permutations is plausible. Still, it is difficult to imagine looking at some F and somehow being convinced on any intuitive level that it is a pseudorandom permutation. Moreover, the current state of our theory is such that we do not know how to prove the pseudorandomness of any of the existing practical constructions relative to any "more reasonable" assumption. All in all, this is a not entirely satisfying state of affairs.

In contrast, as mentioned in Chapter 3 (and investigated in detail in Chapter 6), it is possible to prove that pseudorandom permutations exist based on the much milder assumption that one-way functions exist. (Informally, a function is one-way if it is easy to compute but hard to invert; see Section 7.4.1.) Apart from a brief discussion in Section 6.1.2, however, we have not yet seen any concrete examples of functions believed to be one-way.[1] One of the goals of this chapter is to introduce various problems that are believed to be "hard", and to present the conjectured one-way functions that can be based on these problems. The second goal of this chapter is to develop the basis needed for studying public-key cryptography (the next main topic of this book).

[1] Recall that we currently do not know how to prove that one-way functions exist, and so the best we can do is to base one-way functions on assumptions regarding the hardness of certain problems.

All the examples we explore will be number-theoretic in nature, and we therefore begin with a short introduction to number theory and group theory. Because we are additionally interested in problems that can be solved efficiently (even a one-way function needs to be easy to compute in one direction, and a cryptographic scheme must admit efficient algorithms for the honest parties), we also initiate a study of algorithmic number theory. Thus, even the reader who is familiar with number theory or group theory is encouraged to read this chapter, since algorithmic aspects are typically ignored in a purely mathematical treatment of these topics.

In the context of algorithmic number theory, a brief word is in order regarding what is meant by "polynomial time". An algorithm's running time is always measured as a function of the length(s) of its input(s). (If the algorithm is given as additional input a security parameter n then the total input length is increased by n.) This means, for example, that the running time of an algorithm taking as input an integer N is measured in terms of ‖N‖, the length of the binary representation of N, and not in terms of N itself. An algorithm running in time Θ(N) on input N is thus actually an exponential-time algorithm when measured in terms of its input length ‖N‖ = Θ(log N).

The material in this chapter is not intended to be a comprehensive survey of number theory, but is intended rather to present the minimal amount of material needed for the cryptographic applications discussed in the remainder of the book. Accordingly, our discussion of number theory is broken into two: the material covered in this chapter is sufficient for understanding Chapters 9, 10, 12, and 13. In Chapter 11, additional number theory is developed that is used only within that chapter.

The reader may be wondering why there was no discussion of number theory thus far, and why it is suddenly needed now. There are two reasons for placing number theory at this point of the book:

  • This chapter can be viewed as a culmination of the "top down" approach we have taken in developing private-key cryptography in Chapters 3-6. That is, we have shown in Chapters 3 and 4 that all of private-key cryptography can be based on pseudorandom functions and permutations. The latter can be instantiated in practice using block ciphers, as explored in Chapter 5, but can also be constructed in a rigorous and provably-sound manner from any one-way function, as shown in Chapter 6. Here, we take this one step further and show how one-way functions can be based on certain hard mathematical problems. We summarize this top-down approach in Figure 7.1.

  • A second motivation for studying this material illustrates a difference between the private-key setting we have been concerned with until now, and the public-key setting with which we will be concerned in the remainder of the book. (The public-key setting will be introduced in Chapter 9.) Namely, in the private-key setting there exist suitable primitives (i.e., hash functions and pseudorandom generators, functions, and permutations) for constructing schemes, and these primitives can be constructed efficiently (at least in a heuristic sense) without invoking any number theory. In the public-key setting, however, all known efficient constructions rely on hard mathematical problems from algorithmic number theory. (We will also study constructions that do not rely directly on number theory. Unfortunately, however, these are far less efficient.)

The material in this chapter thus serves as both a culmination of what we have studied so far in private-key cryptography, as well as the foundation upon which public-key cryptography stands.

FIGURE 7.1: The world of private-key cryptography: a top-down approach (arrows represent implication). [Boxes in the figure: Private-Key Encryption (Chapter 3); Message Authentication Codes (Chapter 4); Block Ciphers (Chapter 5); One-Way Functions (Chapter 6); RSA, Discrete Log, Factoring (Chapter 7).]

7.1 Preliminaries and Basic Group Theory

We begin with a review of prime numbers and basic modular arithmetic. Even the reader who has seen these topics before should skim the next two sections since some of the material may be new and we include proofs for most of the stated results. (Any omitted proofs can be found in standard algebra texts; see the references at the end of this chapter.)

7.1.1 Primes and Divisibility

The set of integers is denoted by Z. For a, b ∈ Z, we say that a divides b, written a | b, if there exists an integer c such that ac = b. If a does not divide b, we write a ∤ b. (We are primarily interested in the case where a, b, and c are all positive, though the definition makes sense even when one or more of these is negative or zero.)

A simple observation is that if a | b and a | c then a | (Xb + Yc) for any X, Y ∈ Z. If a | b and a is positive, we call a a divisor of b. If in addition a ∉ {1, b} then a is called a non-trivial divisor, or a factor, of b. A positive integer p > 1 is prime if it has no factors; i.e., it has only two divisors: 1 and itself. A positive integer greater than 1 that is not prime is called composite. By convention, '1' is neither prime nor composite.

A fundamental theorem of arithmetic is that every integer greater than 1 can be expressed uniquely (up to ordering) as a product of primes. That is, any positive integer N > 1 can be written as N = ∏_i p_i^{e_i}, where the {p_i} are distinct primes and e_i ≥ 1 for all i; furthermore, the {p_i} and {e_i} are uniquely determined up to ordering.

We are familiar with the process of division with remainder from elementary school. The following proposition formalizes this notion.

PROPOSITION 7.1 Let a be an integer and b a positive integer. Then there exist unique integers q, r for which a = qb + r and 0 ≤ r < b.

Furthermore, given integers a and b as in the proposition, it is possible to compute q and r in polynomial time. See Appendix B.1.

The greatest common divisor of two non-negative integers a, b, written gcd(a, b), is the largest integer c such that c | a and c | b. (We leave gcd(0, 0) undefined.) The notion of greatest common divisor also makes sense when either or both of a, b are negative but we will never need this; therefore, when we write gcd(a, b) we always assume that a, b ≥ 0. Note that gcd(b, 0) = gcd(0, b) = b; also, if p is prime then gcd(a, p) is either equal to 1 or p. If gcd(a, b) = 1 we say that a and b are relatively prime.

The following is a useful result:

PROPOSITION 7.2 Let a, b be positive integers. Then there exist integers X, Y such that Xa + Yb = gcd(a, b). Furthermore, gcd(a, b) is the smallest positive integer that can be expressed in this way.

PROOF Consider the set I = {Xa + Yb | X, Y ∈ Z}. Note that a, b ∈ I, and so I certainly contains some positive integers. Let d be the smallest positive integer in I. We show that d = gcd(a, b); since d can be written as d = Xa + Yb for some X, Y ∈ Z (because d ∈ I), this proves the theorem.

To show this, we must prove that d | a and d | b, and that d is the largest integer with this property. In fact, we can show that d divides every element in I. To see this, take an arbitrary c ∈ I and write c = X'a + Y'b with X', Y' ∈ Z. Using division with remainder (Proposition 7.1) we have that c = qd + r with q, r integers and 0 ≤ r < d.

We use the notation [a mod N] to denote the remainder of a upon division by N. In more detail: by Proposition 7.1 there exist unique q, r with a = qN + r and 0 ≤ r < N, and we define [a mod N] to be equal to this r. Note therefore that 0 ≤ [a mod N] < N. We refer to the process of mapping a to [a mod N] as reduction modulo N.

We say that a and b are congruent modulo N, written a = b mod N, if [a mod N] = [b mod N], i.e., the remainder when a is divided by N is the same as the remainder when b is divided by N. Note that a = b mod N if and only if N | (a − b). By way of notation, in an expression such as

    a = b = c = ··· = z mod N

the understanding is that every equal sign in this sequence (and not just the last) refers to congruence modulo N.

Note that a = [b mod N] implies a = b mod N, but not vice versa. (On the other hand, [a mod N] = [b mod N] if and only if a = b mod N.) For example, 36 = 21 mod 15 but 36 ≠ [21 mod 15] = 6.

Congruence modulo N is an equivalence relation: i.e., it is reflexive (a = a mod N for all a), symmetric (a = b mod N implies b = a mod N), and transitive (if a = b mod N and b = c mod N then a = c mod N). Congruence modulo N also obeys the standard rules of arithmetic with respect to addition, subtraction, and multiplication; so, for example, if a = a' mod N and b = b' mod N then (a + b) = (a' + b') mod N and ab = a'b' mod N. A consequence is that we can "reduce and then add/multiply" instead of having to "add/multiply and then reduce," a feature which can often be used to simplify calculations.

Example 7.5 Let us compute [109302 · 190301 mod 100]. Since 109302 = 2 mod 100 and 190301 = 1 mod 100, we have

    109302 · 190301 = [109302 mod 100] · [190301 mod 100] mod 100 = 2 · 1 = 2 mod 100.

The alternative way of calculating the answer (namely, computing the product 109302 · 190301 and then reducing the answer modulo 100) is much more time-consuming.

Congruence modulo N does not (in general) respect division. That is, if a = a' mod N and b = b' mod N then it is not necessarily true that a/b = a'/b' mod N; in fact, the expression "a/b mod N" is not always well-defined. As a specific example that often causes confusion, ab = cb mod N does not necessarily imply that a = c mod N.

Example 7.6 Take N = 24. Then 3 · 2 = 6 = 15 · 2 = 30 mod 24, but 3 ≠ 15 mod 24.

In certain cases, however, we can define a meaningful notion of division. If for a given integer b there exists an integer b⁻¹ such that b·b⁻¹ = 1 mod N, we say that b⁻¹ is a (multiplicative) inverse of b modulo N and call b invertible modulo N. Clearly, '0' is never invertible. It is also not difficult to show that if β is a multiplicative inverse of b modulo N then so is [β mod N]. Furthermore, if β' is another multiplicative inverse of b then [β mod N] = [β' mod N]. When b is invertible we can therefore simply let b⁻¹ denote the unique multiplicative inverse of b that lies in the range {1, ..., N − 1}.

When b is invertible modulo N we define division by b modulo N as multiplication by b⁻¹ modulo N (i.e., we define a/b := ab⁻¹ mod N). We stress that division by b is only defined when b is invertible. If ab = cb mod N and b is invertible, then we may divide each side of the equation by b (or, equivalently, multiply each side by b⁻¹) to obtain

    (ab)·b⁻¹ = (cb)·b⁻¹ mod N  ⟹  a = c mod N.

We see that in this case, division works "as expected." Invertible integers are therefore "nicer" to work with, in some sense.

The natural question is: which integers are invertible modulo a given modulus N? We can fully answer this question using Proposition 7.2:

PROPOSITION 7.7 Let a, N be integers, with N > 1. Then a is invertible modulo N if and only if gcd(a, N) = 1.

PROOF Assume a is invertible modulo N, and let b denote its inverse. Note that a ≠ 0 since 0·b = 0 mod N regardless of the value of b. Since ab = 1 mod N, the definition of congruence modulo N implies that ab − 1 = cN for some c ∈ Z. Equivalently, ba − cN = 1. Since, by Proposition 7.2, gcd(a, N) is the smallest positive integer that can be expressed in this way, and there is no positive integer smaller than 1, this implies that gcd(a, N) = 1.

Conversely, if gcd(a, N) = 1 then by Proposition 7.2 there exist integers X, Y such that Xa + YN = 1. Reducing each side of this equation modulo N gives Xa = 1 mod N, and we see that [X mod N] is a multiplicative inverse of a. ∎

Example 7.8 Let a = 11 and N = 17. Then (−3)·11 + 2·17 = 1, and so 14 = [−3 mod 17] is the inverse of 11. One can verify that 14·11 = 1 mod 17.

Addition, subtraction, multiplication, and computation of inverses (when they exist) modulo N can all be carried out in polynomial time; see Appendix B.2. Exponentiation (i.e., computing [a^b mod N] for b > 0 an integer) can also be computed in polynomial time; see Appendix B.2.

7.1.3 Groups

Let G be a set. A binary operation ∘ on G is simply a function ∘(·,·) that takes as input two elements of G. If g, h ∈ G then instead of using the cumbersome notation ∘(g, h), we write g ∘ h. We now introduce the important notion of a group.

A group is a set
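The following is an added illustration, not code from the book: the extended Euclidean algorithm makes Proposition 7.2 constructive (it returns X, Y with Xa + Yb = gcd(a, b)), and the proof of Proposition 7.7 then gives the inverse as [X mod N]. It reproduces Example 7.8 and shows why the cancellation in Example 7.6 fails; the function names are my own.

```python
# Added example (not from the book): Proposition 7.2 made constructive,
# and Proposition 7.7 used to compute (or refuse) modular inverses.
from typing import Optional, Tuple


def extended_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Return (d, X, Y) with X*a + Y*b = d = gcd(a, b), for a, b >= 0, not both 0.

    Each round runs division with remainder (Proposition 7.1) while keeping
    the invariants old_r = old_x*a + old_y*b and r = x*a + y*b, so the last
    non-zero remainder comes with its Bezout coefficients.
    """
    if a < 0 or b < 0 or (a == 0 and b == 0):
        raise ValueError("extended_gcd needs non-negative inputs, not both zero")
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a: int, N: int) -> Optional[int]:
    """Return the unique inverse of a in {1, ..., N-1}, or None if gcd(a, N) != 1."""
    if N <= 1:
        raise ValueError("modulus must be greater than 1")
    d, X, _ = extended_gcd(a % N, N)
    if d != 1:
        return None          # not invertible (Proposition 7.7, "only if" direction)
    return X % N             # [X mod N] is the inverse (proof of Proposition 7.7)


def mod_div(a: int, b: int, N: int) -> Optional[int]:
    """a/b mod N, defined as a * b^{-1} mod N only when b is invertible; else None."""
    inv = mod_inverse(b, N)
    return None if inv is None else (a * inv) % N


if __name__ == "__main__":
    print(extended_gcd(11, 17))     # Example 7.8: (1, -3, 2), i.e. (-3)*11 + 2*17 = 1
    print(mod_inverse(11, 17))      # 14 = [-3 mod 17]
    print(mod_div(6, 2, 24))        # None: 3*2 = 15*2 mod 24, so "/2" is undefined
```

Because gcd(2, 24) = 2, mod_div refuses to divide by 2 modulo 24, which is exactly the ambiguity Example 7.6 exposes (6/2 could be 3 or 15).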

Posted: 16/05/2017, 10:18

Table of contents

  • 00 Front-Matter

  • 01

  • 02

  • 03

  • 04

  • 05

  • 06

  • 07

  • 08

  • 09

  • 10

  • 11

  • 12

  • 13

  • 14 Back-Matter
