Advances in Cryptology - CRYPTO '98, 18 conf

Lecture Notes in Computer Science Edited by G. Goos, J. Hartmanis and J. van Leeuwen 1462 Hugo Krawczyk (Ed.) Advanc...

Author: Hugo Krawczyk

31 downloads 1314 Views 8MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!

Report copyright / DMCA form

DOWNLOAD PDF

Lecture Notes in Computer Science Edited by G. Goos, J. Hartmanis and J. van Leeuwen

1462

Hugo Krawczyk (Ed.)

Advances in Cryptology CRYPTO ' 98 18th Annual International Cryptology Conference Santa Barbara, California, USA August 23-27, 1998 Proceedings

~ Springer

Series Editors Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornell University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands

Volume Editor Hugo Krawczyk Department of Electrical Engineering Technion Haifa 32000, Israel E-mail: [email protected] Cataloging-in-Publication data applied for

Die Deutsche Bibliothek - CIP-Einheitsaufnahme Advances in cryptology : proceedings / Crypto '98, 18th Annual International Cryptology Conference, Santa Barbara, California, USA, August 23 - 27, 1998. Hugo Krawczyk (ed.). [IACR]. - Berlin ; Heidelberg ; New York ; Barcelona ; Budapest ; Hong Kong ; London ; Milan ; Paris ; Singapore ; Tokyo : Springer, 1998 (Lecture notes in computer science ; Vol. 1462) ISBN 3-540-64892-5

CR Subject Classification (1991): E.3, G.2.1, D.4.6, K.6.5, F.2.1-2, C.2, J.1 ISSN 0302-9743 ISBN 3-540-64892-5 Springer-Verlag Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law. 9 Springer-Verlag Berlin Heidelberg 1998 Printed in Germany Typesetting: Camera-ready by author SPIN 10638300 06/3142 - 5 4 3 2 1 0

Printed on acid-free paper

Preface

Crypto '98, the Eighteenth Annual Crypto Conference, is sponsored by the International Association for Cryptologic Research (IACR), in cooperation with the IEEE Computer Society Technical Committee on Security and Privacy and the Computer Science Department, University of California, Santa Barbara (UCSB). The General Chair, Andrew Klapper, is responsible for local organization and registration. The Program Committee considered 144 papers and selected 33 for presentation. This year's conference program also includes two invited lectures. Michael Rabin will deliver an IACR Distinguished Lecture on the subject of "Authentication". The tradition of IACR Distinguished Lectures at Crypto and Eurocrypt conferences was initiated a few years ago and it honors scientists who have made outstanding contributions to the field of cryptography. Michael Rabin is one of the most prominent pioneers of modern cryptography with many brilliant contributions to the fundamental aspects of this science. The second invited lecture, titled "Cryptography and the Internet", will be delivered by Steve Bellovin. I believe that Bellovin's talk stresses an important point, namely, the need for the active participation of the crypto community in the challenging task of transferring cryptographic science into real-world applications and implementations. In addition to these two invited lectures, Miles Smid from the US National Institute of Standards and Technology (NIST) will present a first report on the Advanced Encryption Standard (AES) Conference, which takes place shortly before Crypto'98. The AES Conference's goal is to present candidate encryption algorithms from which a new US standard for symmetric encryption is to be produced. Finally, we will have the traditional Rump Session for informal short presentations of new results. Stuart Haber kindly agreed to run this session. These proceedings include the revised versions of the 33 papers accepted by the Program Committee. These papers were selected from all the submissions to the conference on the basis of perceived originality, quality and relevance to the field of cryptography. Revisions were not checked as to their contents. The authors bear full responsibility for the contents of their papers. The selection of papers is a difficult and challenging task. I am very grateful to the Program Committee members who did an excellent job in reviewing the submissions in spite of the severe time constraints imposed by the Program Committee's work schedule. Each submission was refereed by at least three reviewers. In total, close to 600 reports were provided by the reviewers - about 18 000 lines of text in total! The Program Committee was assisted by a large number of colleagues who reviewed submissions in their areas of expertise. External reviewers included: W. Aiello, A. Antipa, S. Arita, B. Baum-Waidner, D. Beaver, A. Beimel, M. Bellare, J. Benaloh, C. Bennett, C. Berg, J. Black, S. BlakeWilson, D. Bleichenbacher, G. Bleumer, T. Boogaerts, C. Cachin, J. Ca.menisch, R. Canetti, B. Chor, S. Contini, R. Cramer, C. Crepeau, G. Di Crescenzo,

yl J-F. Dhem, U. Feige, M. Fitzi, R. Gallant, J. A. Garay, P. Gemmell, R. Gennaro, J. Giesen, N. Gilboa, O. Goldreich, S. Haber, S. Halevi, T. Helleseth, M. Hirt, R. Impagliazzo, Y. Ishai, G. Itkis, M. Jakobsson, C. Jutla, J. Kilian, F. Koeune, R. Kohlas, T. Krovetz, E. Kushilevtiz, X. Lai, R. Lambert, P. Landrock, A. Lauder, A. Lenstra, P. MacKenzie, D. Malkhi, H. Massias, W. Meier, M. Michels, V. Miller, M. Naor, M. N~islund, K. Nissim, K. Nyberg, H. Peterson, E. Petrank, B. Pinkas, B. Preneel, C. Rackoff, S. Rajagopalan, O. Reingold, P. Rohatgi, A. Rosen, K. Sakurai, P. Shor, R. Sidney, T. Spies, M. Stadler, D. Stinson, Y. Tsiounis, Y. Tsunoo, D. Tygar, S. Ulfberg, R. Venkatesan, M. Waidner, S. Wolf, R. Wright, Y. Yacobi, Y. Yin, A. Young, and O. Ytrehus. My thanks go to all these reviewers and I apologize for any inadvertent omissions. I also wish to thank the committee's two advisory members, Butt Kaliski and Mike Wiener, the program chairs for Crypto '97 and '98, for their advice, help, and support. Crypto '98 is the first IACR conference with both electronic submissions and an electronic version of the proceedings. The electronic submission option was a clear choice for most authors, with 90% of the papers submitted this way. All credit and thanks for the setup and smooth operation of this process go to Joe Kilian who volunteered to run this first electronic experience for Crypto. To this end, Joe adapted the electronic submission software developed by ACM's SIGACT group. I thank the ACM for allowing the use of their system. The electronic version of these proceedings will be published by Springer and will be available under h t t p : / / l i n k , s p r i n g e r , d e / s e r i e s / l n c s / In organizing the scientific program of the conference and putting together these proceedings I have been assisted by many people in addition to those mentioned above. I would like to especially thank the following people: Tal Rabin for providing me with essential help and support in many of the organizational aspects; Andrew Klapper, the General Chair of the conference, for freeing me from all the issues not directly related to the scientific program and proceedings; Gitta Abraham for secretarial help; Robert Schapire for providing excellent software for automating many of the chores of running a conference program committee; Kevin McCurley for his help with the electronic submissions procedure; Don Coppersmith for much timely help and support. Finally, I wish to thank the authors of all submissions for making this conference possible, and the authors of accepted papers for their work and cooperation in the production of these proceedings.

June 1998

Hugo Krawczyk Program Chair Crypto '98

CRYPTO

'98

August 23-27, 1998, Santa Barbara, California, USA Sponsored by the

International Association for Cryptologic Research (IACR) in cooperation with

IEEE Computer Society Technical Committee on Security and Privacy Computer Science Department, University of California, Santa Barbara General Chair Andrew Klapper, University of Kentucky, USA

Program Chair Hugo Krawczyk, Technion, Israel and IBM Research, USA

Program Committee Dan Boneh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Stanford University, USA Don Coppersmith . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IBM Research, USA Yair Frankel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CertCo, USA Matt Franklin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A T & T Labs-Research, USA Johan Hs .......................... Royal Institute of Technology, Sweden Lars Knudsen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . University of Bergen, Norway Ueli Maurer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E T H Zurich, Switzerland Alfred Menezes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Waterloo University, Canada Andrew Odlyzko . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A T & T Labs-Research, USA Rafail Ostrovsky . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Bellcore, USA Jean-Jacques Quisquater . . . . . . . . . . . . . . . . . . . . . . Universit~ de Louvain, Belgium Tal Rabin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IBM Research, USA Matt Robshaw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RSA Laboratories, USA Phillip Rogaway . . . . . . . . . . . . . . . . . . . . . . . University of California at Davis, USA Rainer Rueppel . . . . . . . . . . . . . . . . . . . . . R 3 Security Engineering AG, Switzerland Kazue Sako . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NEC, Japan Dan Simon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Microsoft Research, USA Moti Yung . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CertCo, USA

Advisory members B u t t Kaliski (Crypto'97 program chair) . . . . . . . . . . . . . . . . RSA Laboratories, USA Michael J. Wiener (Crypto'99 program chair) . . . . . Entrust Technologies, Canada

Table of Contents

Chosen-Ciphertext Security Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS # 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Daniel Bleichenbacher A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

13

Ronald Cramer, Victor Shoup Relations Among Notions of Security for Public-Key Encryption Schemes . 26

Mihir Bellare, Anand Desai, David Pointcheval, PhiUip Rogaway

Invited Lecture Cryptography and the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

46

Steven M. Bellovin

Cryptanalysis of Hash Functions and Block Ciphers Differential Collisions in SHA-0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

56

Florent Chabaud, Antoine Joux From Differential Cryptanalysis to Ciphertext-Only Attacks . . . . . . . . . . . . .

72

Alex Biryukov, Eyal Kushilevitz

Distributed Cryptography A Simplified Approach to Threshold and Proactive RSA . . . . . . . . . . . . . . . .

89

Tal Rabin New Efficient and Secure Protocols for Verifiable Signature Sharing and Other Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

105

Dario Catalano, Rosario Gennaro Trading Correctness for Privacy in Unconditional Multi-party Computation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

121

Matthias Fitzi, Martin Hirt, Ueli Maurer

Identification and Certification Fast Digital Identity Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

William Aiello, Sachin Lodha, Rafail Ostrovsky

137

Self-Delegation with Controlled P r o p a g a t i o n - or - W h a t If You Lose Your Laptop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

153

Oded Goldreich, Birgit Pfitzmann, Ronald L. Rivest Identity Escrow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

169

Joe Kilian, Erez Petrank

Block Cipher Design and Analysis Generalized Birthday Attacks on Unbalanced Feistel Networks . . . . . . . . . . .

186

Charanjit S. Jutla Quadratic Relation of S-box and Its Application to the Linear Attack of Full Round DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

200

Takeshi Shimoyama, Toshinobu Kaneko Cryptanalysis of Block Ciphers with Probabilistic Non-linear Relations of Low Degree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

212

Thomas Jakobsen

Algebraic Cryptanalysis Cryptanalysis of the Ajtai-Dwork C r y p t o s y s t e m . . . . . . . . . . . . . . . . . . . . . . .

223

Phon9 Nguyen, Jacques Stern Cryptanalysis of the Chor-Rivest C r y p t o s y s t e m . . . . . . . . . . . . . . . . . . . . . . . .

243

Serge Vaudenay Cryptanalysis of the Oil & Vinegar Signature Scheme . . . . . . . . . . . . . . . . . . .

257

Aviad Kipnis, Adi Shamir

Relations Among Cryptographic Primitives From Unpredictability to Indistinguishability: A Simple Construction of P s e u d o - R a n d o m Functions from MACs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

267

Moni Naor, Omer Reingold Many-to-One T r a p d o o r Functions and their Relation to Public-Key Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

283

Mihir Bellare, Shai Halevi, Amit Sahai, Salil Vadhan

I A C R Distinguished Lecture Authentication, Enhanced Security and Error Correcting Codes . . . . . . . . . .

299

Yonatan Aumann, Michael O. Rabin

Algebraic Schemes An Efficient Discrete Log Pseudo R a n d o m Generator . . . . . . . . . . . . . . . . . . .

Sarvar Patel, Ganapathy S. Sundaram

304

• Fast RSA-type Cryptosystem Modulo pkq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tsuyoshi Takagi An Elliptic Curve Implementation of the Finite Field Digital Signature Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Neal Koblitz Quantum

327

Cryptography

Quantum Bit Commitment from a Physical Assumption . . . . . . . . . . . . . . . . Louis Salvail Signatures,

318

Random

Functions

338

and Ideal Ciphers

On Concrete Security Treatment of Signatures Derived from Identification 354 Kazuo Ohta, Tatsuaki Okamoto Building PRFs from PRPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chris Hall, David Wagner, John Kelsey, Bruce Schneier Security Amplification by Composition: The Case of Doubly-Iterated, Ideal Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . William Aiello, Mihir BeUare, Giovanni Di Crescenzo, Ramarathnam Venkatesan

370

390

Zero-Knowledge On the Existence of 3-Round Zero-Knowledge Protocols . . . . . . . . . . . . . . . . Satoshi Hada, Toshiaki Tanaka

408

Zero-Knowledge Proofs for Finite Field Arithmetic, or: Can Zero-Knowledge Be for Free? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424 Ronald Cramer, Ivan Damg~rd Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints .. 442 Cynthia Dwork, Amit Sahai Implementation The Solution of McCurley's Discrete Log Challenge . . . . . . . . . . . . . . . . . . . . Damian Weber, Thomas Denny

458

Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms .. 472 Daniel V. Bailey, Christof Paar Rights

Protection

Time-Stamping with Binary Linking Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . Ahto Buldas, Peeter Laud, Helger Lipmaa, Jan Villemson

486

• Threshold Traitor Tracing ...........................................

502

Moni Naor, Benny Pinkas Author Index

.................................................

519

Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 Daniel Bleichenbacher Bell Laboratories 700 Mountain Ave., Murray Hill, NJ 07974 [email protected]

Abstract. This paper introduces a new adaptive chosen ciphertext attack against certain protocols based on RSA. We show that an RSA private-key operation can be performed if the attacker has access to an oracle that, for any chosen ciphertext, returns only one bit telling whether the ciphertext corresponds to some unknown block of data encrypted using PKCS #1. An example of a protocol susceptible to our attack is SSL V.3.0. Keywords: chosen ciphertext attack, RSA, PKCS, SSL

1

Overview

In this paper, we analyze the following situation. Let n, e be an RSA public key, and let d be the corresponding secret key. Assume that an attacker has access to an oracle that, for any chosen ciphertext c, indicates whether the corresponding plaintext cd mod n has the correct format according to the RSA encryption standard PKCS #1. We show how to use this oracle to decrypt or sign a message. The attacker carefully prepares ciphertexts that are sent to the oracle. Combining the returns from the oracle, the attacker gradually gains information on cd . The chosen ciphertexts are based on previous outcomes of the oracle. Thus, this technique is an example of an adaptive chosen-ciphertext attack. Usually, a chosen ciphertext attack is based on the theoretical assumption that the attacker has access to a decryption device that returns the complete decryption for a chosen ciphertext. Hence, if a public-key cryptosystem is susceptible to a chosen-ciphertext attack, that often is considered to be only a theoretical weakness. However, the attack shown in this paper is practical, because it is easy to get the necessary information corresponding to the oracle reply. The attack can be carried out if, for example, the attacker has access to a server that accepts encrypted messages and returns an error message depending on whether the decrypted message is PKCS conforming. This paper is organized as follows. We describe the RSA encryption standard PKCS #1 in Section 2. In Section 3, we describe and analyze our chosenciphertext attack. Different situations in which this attack can be carried out H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 1–12, 1998. c Springer-Verlag Berlin Heidelberg 1998

2

Daniel Bleichenbacher

are listed in Section 4. We then analyze the vulnerability of SSL to our attack in Section 5. In Section 6, we report experiments with the technique. In Section 7, we conclude by offering recommendations.

2

PKCS #1

In this section, we describe briefly the RSA encryption standard PKCS #1; refer to [11] for details. Currently, there are three block formats: Block types 0 and 1 are reserved for digital signatures, and block type 2 is used for encryption. We describe only block type 2, because it is relevant for this paper.

00

02

padding string

00

data block

Fig. 1. PKCS #1 block format for encryption. The first two bytes in this format are constant. The length of the padding block can vary.

Let n, e be an RSA public key, and let p, q, d be the corresponding secret key (i.e, n = pq and d ≡ e−1 (mod ϕ(n))). Moreover, let k be the byte length of n. Hence, we have 28(k−1) ≤ n < 28k . A data block D, consisting of |D| bytes, is encrypted as follows. First, a padding string P S, consisting of k −3−|D| nonzero bytes, is generated pseudo-randomly. Here, |D| must not exceed k − 11; in other words, the byte length of P S is a least 8. Now, the encryption block EB = 00||02||P S||00||D is formed (Figure 1), is converted into an integer x, and is encrypted with RSA, giving the ciphertext c ≡ xe (mod n). The representation of the ciphertext is not important for this paper. We are, however, interested in how the receiver parses a ciphertext. First, he gets an integer x0 by decrypting the ciphertext with his private key. Then, he converts x0 into an encryption block EB0 . Now he looks for the first zero byte, which indicates the ending of the padding string PS and the start of the data block D. The following definition specifies when this parsing process is successful. Definition 1. An encryption block EB consisting of k bytes – that is, EB = EB1 ||...||EBk is called PKCS conforming – if it satisfies the requirements of block type 2 in PKCS #1. In particular, EB must satisfy the following conditions: – – – –

EB1 = 00. EB2 = 02. EB3 through EB10 are nonzero. At least one of the bytes EB11 through EBk is 00.

Chosen Ciphertext Attacks Against Protocols

3

We also call a ciphertext c PKCS conforming if its decryption is PKCS conforming. Note that the definition of conforming does not include possible integrity checks. We show in Section 3 that it should not be possible for an attacker to decide whether a chosen ciphertext is PKCS conforming. It is sometimes possible for an attacker to do so even if the data block contains further integrity checks.

3

Chosen-Ciphertext Attacks

In a chosen-ciphertext attack, the attacker selects the ciphertext, sends it to the victim, and is given in return the corresponding plaintext or some part thereof. A chosen-plaintext attack is called adaptive if the attacker can chose the ciphertexts depending on previous outcomes of the attack. It is well known that plain RSA is susceptible to a chosen-ciphertext attack [5]. An attacker who wishes to find the decryption m ≡ cd (mod n) of a ciphertext c can chose a random integer s and ask for the decryption of the innocent-looking message c0 ≡ se c mod n. From the answer m0 ≡ (c0 )d , it is easy to recover the original message, because m ≡ m0 s−1 (mod n). Another well-known result is that the least significant bit of RSA encryption is as secure as the whole message [8] (see also [1]). In particular, there exists an algorithm that can decrypt a ciphertext if there exists another algorithm that can predict the least significant bit of a message given only the corresponding ciphertext and the public key. H˚ astad and N¨ aslund recently extended this result to show that all individual RSA bits are secure [9]. Hence, it is not necessary for an attacker to learn the complete decrypted message in a chosen-ciphertext attack: Single bits per chosen ciphertext may be sufficient. The result reported in this paper is similar. We assume that the attacker has access to an oracle that, for every ciphertext, returns whether the corresponding plaintext is PKCS conforming. We show that we can use this oracle to compute cd (mod n) for any chosen integer c. Theoretically, we can use H˚ astad’s and N¨ aslund’s algorithm [9] to find c. In this paper, we describe a different algorithm that has as its goal to minimize the number of chosen ciphertexts; thus, we show the practicality of the attack. That is, we are not trying to generalize the attack; rather, we would like to take advantage of specific properties of PKCS #1. In particular, the algorithm relies on the facts that the first two bytes of the PKCS #1 format are constant, and that we know these two bytes with certainty when a ciphertext is accepted. Also, we use heuristic arguments in our the analysis of the algorithm to approximate the number of expected chosen ciphertexts, rather than finding an upper bound. 3.1

Description of the Attack

First, we give a short overview over the attack; then, we describe the attack in detail.

4

Daniel Bleichenbacher

Assume that the attacker wants to find m ≡ cd (mod n), where c is an arbitrary integer. Basically, the attacker chooses integers s, computes c0 ≡ cse

(mod n),

and sends c0 to the oracle. If the oracle says that c0 is PKCS conforming, then the attacker knows that the first two bytes of ms are 00 and 02. For convenience, let B = 28(k−2) . Recall that k is the length of n in bytes. Hence, that ms is PKCS conforming implies that 2B ≤ ms mod n < 3B. By collecting several such pieces of information, we can eventually derive m. Typically, 220 chosen ciphertexts will be sufficient, but this number varies widely depending on numerous implementation details. The attack can be divided into three phases. In the first phase, the message is blinded, giving a ciphertext c0 that corresponds to an unknown message m0 . In the second phase, the attacker tries to find small values si for which the ciphertext c0 (si )e mod n is PKCS conforming. For each successful value for si , the attacker computes, using previous knowledge about m0 , a set of intervals that must contain m0 . We elaborate this process later. The third phase starts when only one interval remains. Then, the attacker has sufficient information about m0 to choose si such that c0 (si )e mod n is much more likely to be PKCS conforming than is a randomly chosen message. The size of si is increased gradually, narrowing the possible range of m0 until only one possible value remains. Now we describe this attack in detail. The variable Mi will always be a set of (closed) intervals that is computed after a successful si has been found, such that m0 is contained in one of the intervals of Mi . Step 1: Blinding. Given an integer c, choose different random integers s0 ; then check, by accessing the oracle, whether c(s0 )e mod n is PKCS conforming. For the first successful value s0 , set c0 ← c(s0 )e mod n M0 ← {[2B, 3B − 1]} i ← 1. Step 2: Searching for PKCS conforming messages. Step 2.a: Starting the search. If i = 1, then search for the smallest positive integer s1 ≥ n/(3B), such that the ciphertext c0 (s1 )e mod n is PKCS conforming. Step 2.b: Searching with more than one interval left. Otherwise, if i > 1 and the number of intervals in Mi−1 is at least 2, then search for the smallest integer si > si−1 , such that the ciphertext c0 (si )e mod n is PKCS conforming.

Chosen Ciphertext Attacks Against Protocols

5

Step 2.c: Searching with one interval left. Otherwise, if Mi−1 contains exactly one interval (i.e., Mi−1 = {[a, b]}), then choose small integer values ri , si such that bsi−1 − 2B (1) ri ≥ 2 n and

2B + ri n 3B + ri n ≤ si < , b a

(2)

until the ciphertext c0 (si )e mod n is PKCS conforming. Step 3: Narrowing the set of solutions. After si has been found, the set Mi is computed as [ 2B + rn 3B − 1 + rn max a, , min b, (3) Mi ← si si (a,b,r)

for all [a, b] ∈ Mi−1 and

bsi − 2B asi − 3B + 1 ≤r≤ . n n

Step 4: Computing the solution. If Mi contains only one interval of length 1 (i.e., Mi = {[a, a]}), then set m ← a(s0 )−1 mod n, and return m as solution of m ≡ cd (mod n). Otherwise, set i ← i + 1 and go to step 2. Remarks. Step 1 can be skipped if c is already PKCS conforming (i.e., when c is an encrypted message). In that case, we set s0 ← 1. However, step 1 is always necessary for computing a signature, even if we do not wish to get a blind signature. In Step 2.a, we start with s1 = dn/(3B)e, because, for smaller values m0 s1 is never PKCS conforming. We use condition (1) because we want to divide the remaining interval in each iteration roughly in half. We can often improve the attack by using more information. For example, we have not used the fact that any PKCS-conforming message m0 si contains at least one zero byte. Moreover, if the attack is performed in a client–server environment, where both parties use the message m0 si to generate session keys, we might be able to find this message by exhaustive search if we already knew a sufficient portion of it. 3.2

Analysis of the Attack

We now analyze the correctness of the attack and approximate the complexity of, and, in particular, the number of oracle accesses necessary for, this attack. We must make a few heuristic assumptions; hence, we cannot give a rigorous proof of our result. First, we approximate the probability Pr(P ) that a randomly chosen integer 0 ≤ m < n is PKCS conforming. Let Pr(A) = B n be the probability that, for a

6

Daniel Bleichenbacher

randomly chosen integer, the first two bytes are 00 and 02, respectively. Since we have 216 B > n > 28 B, it follows that 2−16 < Pr(A) < 2−8 . The RSA modulus is usually chosen to be a multiple of 8; hence, Pr(A) will usually be close to 2−16 . The probability that the padding block PS contains at least 8 non-zero bytes followed by a zero byte is 8 k−10 ! 255 255 . Pr(P |A) = · 1− 256 256 Assuming a modulus n of at least 512 bit (i.e. k ≥ 64), we have 0.18 < Pr(P |A) < 0.97; hence, we have

0.18 · 2−16 < Pr(P ) < 0.97 · 2−8 .

Next, we explain why our algorithm finds m0 and thus m. We prove that m0 ∈ Mi for all i by induction over i. Since m0 is PKCS conforming, we have 2B ≤ m0 ≤ 3B − 1, and so, trivially, m0 ∈ M0 . Now assume that m0 ∈ Mi−1 . Hence, there exists an interval [a, b] ∈ Mi−1 with a ≤ m0 ≤ b. Since m0 si is PKCS conforming, there exists an integer r such that 2B ≤ m0 si − rn ≤ 3B − 1, and hence asi − (3B − 1) ≤ rn ≤ bsi − 2B. We also have 3B − 1 + rn 2B + rn ≤ m0 ≤ . si si Hence, it follows from the definition of Mi that m0 is contained in one of the intervals. Now we analyze the complexity of the attack. The messages in step 1 are chosen randomly; therefore, this step needs about 1/Pr(P ) accesses to the oracle on average to find s0 . We assume again that, on average, we need 1/Pr(P ) accesses to the oracle to find si for i ≥ 1 in step 2.a and 2.b. (See also the remark at the end of this section.) Let ωi be the number of intervals in Mi . Using heuristic arguments, we can expect that ωi will satisfy the following equation for i ≥ 1. i B ωi ≤ 1 + 2i−1 si (4) n l m Indeed, the length of an interval in Mi is upper bounded by sBi . The knowledge that m0 si is PKCS conforming alone would lead to sinB intervals of the form 3B − 1 + rn 2B + rn , , (5) Ir = si si since r can take at most sinB values in equation (3).

Chosen Ciphertext Attacks Against Protocols

7

In particular, M1 will contain about s1nB intervals. If i > 1, then each of the intervals Ir or a fraction of Ir is included in Mi if Ir overlaps with one interval of Mi−1 . No interval Ir can overlap with two intervals in Mi−1 . If intervals Ir were randomly distributed, then the probability that one intersects with Mi−1 would be upper bounded by 1 1 ωi−1 . + si si−1 Hence, we get Equation (4) by taking into account that one interval must contain m0 . In our case, we expect s2 to be approximately 2/Pr(P ), and we have 2(B/n)2 /Pr(P ) = 2B/(nPr(P |A)) < 2B/(0.18n) < 1/20. Hence, w2 is 1 with high probability. Thus, we expect that Step 2.b will be executed only once. Now we analyze Step 2.c. We have Mi = {[a, b]}; hence, a ≤ m0 ≤ b, and thus 2B + ri n 3B − 1 + ri n 3B − 1 + ri n 2B + ri n ≤ . ≤ si ≤ ≤ b m0 m0 a i n 3B−1+ri n The length of the interval [ 2B+r , ] is b a

3B − 1 + ri n 2B + ri n B−1 1B−1 3B − 1 + ri n 2B + ri n − ≥ . − ≥ ≥ a b m0 m0 m0 3 B Therefore, we can expect to find a pair ri , si that satisfies (2) for about each third value of ri that is tried. Thus, it seems easy to find such pairs ri , si that satisfy (1) and (2) just by iterating through possible values for ri . i n 3B−1+ri n The probability that si ∈ [ 2B+r ] is roughly 1/2. Thus, we will m0 , m0 find a PKCS-conforming si after trying about 2/Pr(P |A) chosen ciphertexts. Since the remaining interval in Mi is divided in half in each step 2.c, we expect to find m0 with about 3/Pr(P ) + 16k/Pr(P |A) chosen ciphertexts, where k denotes the size of the modulus in bytes. For Pr(P ) = 0.18 · 2−16 and k = 128 (which corresponds to a 1024-bit modulus), we expect that the attack needs roughly 220 chosen ciphertexts to succeed. The bit length of the modulus is usually a multiple of 8; hence, Pr(P ) is close to 0.18 · 2−16 , as assumed previously. Remarks. The probabilities in this section were computed under the assumption that the values si are independent of each other. We made that assumption to allow a heuristic analysis of the algorithm. However, the assumption may be wrong in special cases. For example, let us assume that m0 and si m0 are both PKCS conforming with padding strings of similar length; that is, we have, for some integer j, m0 = 2 · 28(k−2) + 28j PS + D si m0 = 2 · 28(k−2) + 28j PS0 + D0 .

8

Daniel Bleichenbacher

Then, (2si − 1)m0 is PKCS conforming with high probability, since (2si − 1)m0 = 2 · 28(k−2) + 28j (2PS0 − PS) + 2D0 − D often is PKCS conforming too. We believe that such relations generally help the attacker, but it in certain situations the attack might require many more chosen ciphertexts than our analysis indicates. Usually, the bit size of the RSA modulus is a multiple of 8. This choice is a good one, because, for such a modulus, Pr(P ) is small. A modulus with a bit length 8k − 7 would make the attack much easier, because, in that case, only about 213 chosen messages would be necessary.

4

Access to an Oracle

In this section, we describe three situations in which an attacker could get access to an oracle. 4.1

Plain Encryption

Let us assume that a cryptographic protocol starts as follows. Alice generates a message m (e.g., a randomly chosen key). She encrypts it with PKCS #1, without applying any further integrity checks, and sends the ciphertext to Bob. Bob decrypts the message. If the format of the message is not PKCS conforming, then he returns an error; otherwise, he proceeds according to the protocol. If Eve impersonates Alice, she can easily send messages to Bob and check them for conformance. Note that Eve’s attack works even when the protocol includes strong authentication at a later step, since Eve has obtained useful information before she has to respond with an authenticated message. Note that the RSA encryption standard PKCS #1 [11, page 8, note 3] recommends that a message digest be included before an RSA operation, but for only the signing procedure. Even though the standard mentions that an encrypted message does not ensure integrity by itself, the standard does not indicate where such an integrity check should be included. 4.2

Detailed Error Messages

Thus far, we have shown that a reliable integrity check is an important part of an RSA encryption. One way to include such a check is to let the sender sign the message with his private key, before he encrypts it with the receiver’s public key. Then, an attacker can no longer hope to create a correct message by accident. Her attack will nonetheless be successful when, in the case of a failed verification, the receiver returns an error message that gives detailed information about where the verification failed. In particular, it would compromise security to return different error messages for a message that is not PKCS conforming and for a message where only the signature verification failed.

Chosen Ciphertext Attacks Against Protocols

4.3

9

A Timing Attack

Certain applications combine encryption and signatures. In such cases, a reliable integrity check often is part of the signature, but is not included in the encryption. Let us assume that an encrypted message c is decrypted and verified as shown in the following pseudo-code: 1. 2. 3. 4.

Let m ≡ cd (mod n) be the RSA-decryption of c. If m is not PKCS conforming, then reject. Otherwise, verify the signature of m. If the signature is not correct, then reject; otherwise, accept.

An attacker will not be able to generate a chosen ciphertext c such that this message has a correct signature. However, she will be able to generate messages such that c sometimes passes the check in step 2 and is rejected only after the signature is checked. Hence, by measuring the server’s response time, an attacker could determine whether c is PKCS conforming. This timing attack is much easier to perform than is Kocher’s timing attack [10], which measures the time difference of single modular multiplications – a small fraction of the time used for one exponentiation. In our case, however, we have to distinguish between performing only an decryption and performing both an decryption and a signature verification. In the worst case, the time for the signature verification could be significantly longer than the time for the decryption – when, for example, we have a 512-bit encryption key because of export restrictions, but we use a 2048-bit key to ensure strong authentication. In addition, the attacker can chose what signing key is sent to the server.

5

SSL V.3.0

00

02

padding string

00

03

00

premastersecret 46 bytes

Fig. 2. SSL block format. Unlike the PKCS format, this format contains the SSL version number. Moreover, the length of the data block is constant.

The situation discussed in this paper arises in SSL V.3.0 [7] during the handshake protocol. In particular. the client and server first exchange the messages client.hello and server.hello, which, among other information exchanges, select the cryptographic routines. After that, the client and server may send their public keys and certificates. The client then generates a random secret bit

10

Daniel Bleichenbacher

string called pre master secret, encrypts that secret bit string with RSA (if that mode was chosen earlier), and sends the resulting ciphertext to the server. The server decrypts the ciphertext. If the plaintext is not PKCS conforming, the server sends an alert message to the client and closes the connection; otherwise, the server continues the handshake protocol. Finally, the client has to send a finished message, which contains strong authentication. In particular, the client has to know the pre master secret to compute that message. Because an attacker must generate a finished message that depends on the pre master secret, she cannot complete the handshake protocol successfully. However, she does not have to complete it; she gets the necessary information – namely, whether her chosen message is PKCS conforming – before the protocol is finished. There are details of SSL V.3.0 that might hinder this attack if they are implemented the right way. Figure 2 shows the format of the message containing the pre master secret before the latter is encrypted with RSA. It contains the version number of the protocol, the purpose of which is to detect versionrollback attacks, in which an attacker tries to modify the hello messages such that both client and server use the compatibility mode and hence use the Version 2.0, instead of Version 3.0, protocols. One implementation that we analyzed [12] checks the version number only if the server is running in the compatibility mode, because otherwise obviously no rollback attack has occurred. A much more secure implementation would check the version number in all modes, and, if it identified a mismatch, would send back to the client the same error alert as it sends in the case of a decryption error. The result would be that a randomly generated message would be accepted with a probability of about 2−40 ; although such a protocol still could not be called secure, the attack shown in this paper would at least be impractical. The SSL documentation does not specify clearly the error conditions and corresponding alerts. As a result, different implementations of SSL do not react consistently with one another in error situations.

6

Experimental Results

We implemented the algorithm described in Section 3 and verified experimentally that this algorithm can decrypt a PKCS #1 encrypted message given access to an oracle that, for any ciphertext, indicates whether the the corresponding plaintext is PKCS conforming. We tested the algorithm with different 512-bit and 1024-bit keys. The algorithm needed between 300 thousand and 2 million chosen ciphertexts to find the message. We implemented our own version of the oracle, rather than using an existing software product. Finney checked three different SSL servers [6] to find out how carefully the servers analyze the message format and what error alerts are returned. One of the servers verified only the PKCS format. The second server checked the PKCS format, message length, and version number, but returned different message

Chosen Ciphertext Attacks Against Protocols

11

alerts, thus still allowing our attack. Only the third server checked all aspects correctly and did not leak information by sending different alerts.

7

Conclusion

We have shown a chosen-ciphertext attack that can be carried out when only partial information about the corresponding message is leaked. We conclude not only that it is important to include a strong integrity check into an RSA encryption, but also that this integrity check must be performed in the correct step of the protocol – preferably immediately after decryption. The phase between decryption and integrity check is critical, because even sending out error messages can present a security risk. We also believe that we have provided a strong argument to use plaintext-aware encryption schemes, such as the one described by Bellare and Rogaway [3]. Note that plaintext awareness implies security against chosenciphertext attacks [2,3]. In particular, Version 2 of PKCS #1, which makes use of [3], is not susceptible to the attack described in this paper. It is a good idea to have a receiver check the integrity of a message immediately after decrypting that message. Even better is to check integrity before decrypting a message, as Cramer and Shoup show is possible [4].

Acknowledgments I thank Markus Jakobsson, David M. Kristol, and Jean-Fran¸cois Misarsky, as well as the members of the program committee, for all their comments and suggestions. I am grateful for the cooperation of the people at RSA Laboratories. I thank Hal Finney for telling me about his experiments on different SSL servers. I am also grateful to Lyn Dupr´e for editing this paper.

References 1. W. Alexi, B. Chor, O. Goldreich, and P. Schnorr. Bit security of RSA and Rabin functions. SIAM Journal of computing, 17(2):194–209, Apr. 1988. 3 2. M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among notions of security for public-key encryptions schemes. In H. Krawczyk, editor, Advances in Cryptology – CRYPTO ’98, Lecture Notes in Computer Science. Springer Verlag. (in press). 11 3. M. Bellare and P. Rogaway. Optimal asymmetric encryption. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT ’94, volume 950 of Lecture Notes in Computer Science, pages 92–111, Berlin, 1995. Springer Verlag. 11, 11, 11 4. R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In H. Krawczyk, editor, Advances in Cryptology – CRYPTO ’98, Lecture Notes in Computer Science. Springer Verlag. (in press). 11 5. G. I. Davida. Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem. Technical Report TR-CS-82-2, Departement of Electrical Engineering and Computer Science, University of Wisconsin, Milwaukee, 1982. 3

12

Daniel Bleichenbacher

6. H. Finney. personal communication. 10 7. A. O. Freier, P. Karlton, and P. C. Kocher. The SSL Protocol, Version 3.0. Netscape, Mountain View, CA, 96. 9 8. S. Goldwasser, S. Micali, and P. Tong. Why and how to establish a private code on a public network. In Proc. 23rd IEEE Symp. on Foundations of Comp. Science, pages 134–144, Chicago, 1982. 3 9. J. H˚ astad and M. N¨ aslund. The security of individual RSA bits. manusrcipt, 1998. 3, 3 10. P. C. Kocher. Timing attacks on implementations of Diffie–Hellman RSA, DSS, and other systems. In N. Koblitz, editor, Advances in Cryptology – CRYPTO ’96, volume 1109 of Lecture Notes in Computer Science, pages 104–113, Berlin, 1996. Springer Verlag. 9 11. RSA Data Security, Inc. PKCS #1: RSA Encryption Standard. Redwood City, CA, Nov. 1993. Version 1.5. 2, 8 12. E. A. Young. SSLeay 0.8.1. url = http://www.cryptsoft.com/ 10

A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack Ronald Cramer1 and Victor Shoup2 1

Institute for Theoretical Computer Science, ETH Zurich, 8092 Zurich, Switzerland [email protected] 2 IBM Zurich Research Laboratory, S¨ aumerstr. 4, 8803 R¨ uschlikon, Switzerland [email protected]

Abstract. A new public key cryptosystem is proposed and analyzed. The scheme is quite practical, and is provably secure against adaptive chosen ciphertext attack under standard intractability assumptions. There appears to be no previous cryptosystem in the literature that enjoys both of these properties simultaneously.

1

Introduction

In this paper, we present and analyze a new public key cryptosystem that is provably secure against adaptive chosen ciphertext attack (as defined by Rackoff and Simon [20]). The scheme is quite practical, requiring just a few exponentiations over a group. Moreover, the proof of security relies only on a standard intractability assumption, namely, the hardness of the Diffie-Hellman decision problem in the underlying group. The hardness of the Diffie-Hellman decision problem is essentially equivalent to the semantic security of the basic El Gamal encryption scheme [12]. Thus, with just a bit more computation, we get security against adaptive chosen ciphertext attack, whereas the basic El Gamal scheme is completely insecure against adaptive chosen ciphertext attack. Actually, the basic scheme we describe also requires a universal one-way hash function. In a typical implementation, this can be efficiently constructed without extra assumptions; however, we also present a hash-free variant as well. While there are several provably secure encryption schemes in the literature, they are all quite impractical. Also, there have been several practical cryptosystems that have been proposed, but none of them have been proven secure under standard intractability assumptions. The significance of our contribution is that it provides a scheme that is provably secure and practical at the same time. There appears to be no other encryption scheme in the literature that enjoys both of these properties simultaneously. H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 13–25, 1998. c Springer-Verlag Berlin Heidelberg 1998

14

Ronald Cramer and Victor Shoup

Chosen Ciphertext Security Semantic security, defined by Goldwasser and Micali [14], captures the intuition that an adversary should not be able to obtain any partial information about a message given its encryption. However, this guarantee of secrecy is only valid when the adversary is completely passive, i.e., can only eavesdrop. Indeed, semantic security offers no guarantee of secrecy at all if an adversary can mount an active attack, i.e., inject messages into a network or otherwise influence the behavior of parties in the network. To deal with active attacks, Rackoff and Simon [20] defined the notion of security against an adaptive chosen ciphertext attack. If an adversary can inject messages into a network, these messages may be encryptions, and the adversary may be able to extract partial information about the corresponding cleartexts through its interactions with the parties in the network. Rackoff and Simon’s definition models this type of attack by simply allowing an adversary to obtain decryptions of its choice, i.e., the adversary has access to a “decryption oracle.” Now, given an encryption of a message—the “target” ciphertext—we want to guarantee that the adversary cannot obtain any partial information about the message. To achieve this, we have to restrict the adversary’s behavior in some way, otherwise the adversary could simply submit the target ciphertext itself to the decryption oracle. The restriction proposed by Rackoff and Simon is the weakest possible: the adversary is not allowed to submit the target ciphertext itself to the oracle; however, it may submit any other ciphertext, including ciphertexts that are related to the target ciphertext. A different notion of security against active attacks, called non-malleability, was proposed by Dolev, Dwork, and Naor [9]. Here, the adversary also has access to a decryption oracle, but his goal is not to obtain partial information about the target ciphertext, but rather, to create another encryption of a different message that is related in some interesting way to the original, encrypted message. For example, for a non-malleable encryption scheme, given an encryption of n, it should be infeasible to create an encryption of n + 1. It turns out that non-malleability and security against adaptive chosen ciphertext attack are equivalent [10]. A cryptosystem secure against adaptive chosen ciphertext attack is a very powerful cryptographic primitive. It is essential in designing protocols that are secure against active adversaries. For example, this primitive is used in protocols for authentication and key exchange [11,10,2] and in protocols for escrow, certified e-mail, and more general fair exchange [1,22]. The practical importance of this primitive is also highlighted by the adoption of Bellare and Rogaway’s OAEP scheme [4] (a practical but only heuristically secure scheme) as an internet encryption standard and for use in the SET protocol for electronic commerce. There are also intermediate notions of security, between semantic security and adaptive chosen ciphertext security. Naor and Yung [19] propose an attack model where the adversary has access to the decryption oracle only prior to obtaining the target ciphertext, and the goal of the adversary is to obtain partial information about the encrypted message. Naor and Yung called this type

A Practical Public Key Cryptosystem Provably Secure

15

of attack a chosen ciphertext attack; it has also been called a “lunch-time” or “midnight” attack. In this paper, we will always use the phrase adaptive chosen ciphertext attack for Rackoff and Simon’s definition, to distinguish it from Naor and Yung’s definition.

Previous Work Provably Secure Schemes. Naor and Yung [19] presented the first scheme provably secure against lunch-time attacks. Subsequently, Dolev, Dwork, and Naor [9] presented a scheme that is provably secure against adaptive chosen ciphertext attack. All of the previously known schemes provably secure under standard intractability assumptions are completely impractical (albeit polynomial time), as they rely on general and expensive constructions for non-interactive zeroknowledge proofs. Practical Schemes. Damgard [8] proposed a practical scheme that he conjectured to be secure against lunch-time attacks; however, this scheme is not known to be provably secure, and is in fact demonstrably insecure against adaptive chosen ciphertext attack. Zheng and Seberry [24] proposed practical schemes that are conjectured to be secure against chosen ciphertext attack, but again, no proof based on standard intractability assumptions is known. Lim and Lee [16] also proposed practical schemes that were later broken by Frankel and Yung [13]. Bellare and Rogaway [3,4] have presented practical schemes for which they give heuristic proofs of adaptive chosen ciphertext security; namely, they prove security in an idealized model of computation, the so-called random oracle model, wherein a hash function is represented by a random oracle. Shoup and Gennaro [22] also give El Gamal-like schemes that are secure against adaptive chosen ciphertext attack in the random oracle model, and that are also amenable to efficient threshold decryption. We stress that although a security proof in the random oracle model is of some value, it is still only a heuristic proof. In particular, these types of proofs do not rule out the possibility of breaking the scheme without breaking the underlying intractability assumption. Nor do they even rule out the possibility of breaking the scheme without finding some kind of weakness in the hash function, as recently shown by Canetti, Goldreich, and Halevi [7].

Outline of paper In §2 we review the basic definitions that we need for security and intractability assumptions. In §3 we outline our basic scheme, and in §4 we prove its security. In §5 we discuss some implementation details and variations on the basic scheme.

16

2 2.1

Ronald Cramer and Victor Shoup

Definitions Security Against Adaptive Chosen Ciphertext Attack

We recall Rackoff and Simon’s definition. Security is defined via the following game played by the adversary. First, the encryption scheme’s key generation algorithm is run, with a security parameter as input. Next, the adversary makes arbitrary queries to a “decryption oracle,” decrypting ciphertexts of his choice. Next the adversary chooses two messages, m0 , m1 , and sends these to an “encryption oracle.” The encryption oracle chooses a bit b ∈ {0, 1} at random, and encrypts mb . The corresponding ciphertext is given to the adversary (the internal coin tosses of the encryption oracle, in particular b, are not in the adversary’s view). After receiving the ciphertext from the encryption oracle, the adversary continues to query the decryption oracle, subject only to the restriction that the query must be different than the output of the encryption oracle. At the end of the game, the adversary outputs b0 ∈ {0, 1}, which is supposed to be the adversary’s guess of the value b. If the probability that b0 = b is 1/2 + , then the adversary’s advantage is defined to be . The cryptosystem is said to be secure against adaptive chosen ciphertext attack if the advantage of any polynomial-time adversary is negligible (as a function of the security parameter). 2.2

The Diffie-Hellman Decision Problem

There are several equivalent formulations of the Diffie-Hellman decision problem. The one that we shall use is the following. Let G be a group of large prime order q, and consider the following two distributions: – the distribution R of random quadruples (g1 , g2 , u1 , u2 ) ∈ G4 ; – the distribution D of quadruples (g1 , g2 , u1 , u2 ) ∈ G4 , where g1 , g2 are random, and u1 = g1r and u2 = g2r for random r ∈ Zq . An algorithm that solves the Diffie-Hellman decision problem is a statistical test that can effectively distinguish these two distributions. That is, given a quadruple coming from one of the two distributions, it should output 0 or 1, and there should be a non-negligible difference between (a) the probability that it outputs a 1 given an input from R, and (b) the probability that it outputs a 1 given an input from D. The Diffie-Hellman decision problem is hard if there is no such polynomial-time statistical test. This formulation of the Diffie-Hellman decision problem is equivalent to several others. First, making the substitution g1 → g, g2 → g x , u1 → g y , u2 → g xy ,

A Practical Public Key Cryptosystem Provably Secure

17

one sees that this is equivalent to distinguishing Diffie-Hellman triples (g x , g y , g xy ) from non-Diffie-Hellman triples (g x , g y , g z ). Note that by a trivial random self-reducibility property, it does not matter if the base g is random or fixed. Second, although we have described it as a problem of distinguishing two distributions, the Diffie-Hellman decision problem is equivalent to the worst-case decision problem: given (g x , g y , g z ), decide—with negligible error probability— if z = xy mod q. This equivalence follows immediately from a random selfreducibility property first observed by Stadler [23] and later by Naor and Reingold [17]. Related to the Diffie-Hellman decision problem is the Diffie-Hellman problem (given g, g x and g y , compute g xy ), and the discrete logarithm problem (given g and g x , compute x). There are obvious polynomial-time reductions from the Diffie-Hellman decision problem to the Diffie-Hellman problem, and from the Diffie-Hellman problem to the discrete logarithm problem, but reductions in the reverse direction are not known. Moreover, these reductions are essentially the only known methods of solving the Diffie-Hellman or Diffie-Hellman decision problems. All three problems are widely conjectured to be hard, and have been used as assumptions in proving the security of a variety of cryptographic protocols. Some heuristic evidence for the hardness of all of these problems is provided in [21], where it is shown that they are hard in a certain natural, structured model of computation. See [23,17,6] for further applications and discussion of the Diffie-Hellman decision problem. Note that the hardness of the Diffie-Hellman decision problem is equivalent to the semantic security of the basic El Gamal encryption scheme. Recall that in the basic El Gamal scheme, we encrypt a message m ∈ G as (g r , hr m), where h is the public key of the recipient. On the one hand, if the Diffie-Hellman decision problem is hard, then the group element hr could be replaced by a random group element without changing significantly the behavior of the attacker; however, if we perform this substitution, the message m is perfectly hidden, which implies security. On the other hand, if the Diffie-Hellman decision problem can be efficiently solved, then an attacker can break El Gamal as follows. The attacker chooses two messages m0 , m1 , giving these to an encryption oracle. The encryption oracle produces an encryption (u, e) = (g r , hr mb ), where b ∈ {0, 1} is chosen at random. The attacker’s task is to determine b, which he can do by simply determining which of (u, h, e/m0 ) and (u, h, e/m1 ) is a Diffie-Hellman triple. Note that the basic El Gamal scheme is completely insecure against adaptive chosen ciphertext attack. Indeed, given an encryption (u, e) of a message m, we can feed the (u, g · e) to the decryption oracle, which gives us g · m.

18

2.3

Ronald Cramer and Victor Shoup

Collision-Resistant Hash Functions

A family of hash functions is said to be collision resistant if upon drawing a function H at random from the family, it is infeasible for an adversary to find two different inputs x and y such that H(x) = H(y). A weaker notion is that of a universal one-way family of hash functions [18]. Here, it should be infeasible for an adversary to choose an input x, draw a random hash function H, and then find a different input y such that H(x) = H(y). Such hash function families are also called target collision resistant. See [5] for recent results and further discussion.

3

The Basic Scheme

We assume that we have a group G of prime order q, where q is large. We also assume that cleartext messages are (or can be encoded as) elements of G (although this condition can be relaxed—see §5.2). We also use a universal one-way family of hash functions that map long bit strings to elements of Zq (although we can do without this—see §5.3). Key Generation. The key generation algorithm runs as follows. Random elements g1 , g2 ∈ G are chosen, and random elements x1 , x2 , y1 , y2 , z ∈ Zq are also chosen. Next, the group elements c = g1x1 g2x2 , d = g1y1 g2y2 , h = g1z are computed. Next, a hash function H is chosen from the family of universal one-way hash functions. The public key is (g1 , g2 , c, d, h, H), and the private key is (x1 , x2 , y1 , y2 , z). Encryption. Given a message m ∈ G, the encryption algorithm runs as follows. First, it chooses r ∈ Zq at random. Then it computes u1 = g1r , u2 = g2r , e = hr m, α = H(u1 , u2 , e), v = cr drα . The ciphertext is (u1 , u2 , e, v). Decryption. Given a ciphertext (u1 , u2 , e, v), the decryption algorithm runs as follows. It first computes α = H(u1 , u2 , e), and tests if u1x1 +y1 α u2x2 +y2 α = v. If this condition does not hold, the decryption algorithm outputs “reject”; otherwise, it outputs m = e/uz1 .

A Practical Public Key Cryptosystem Provably Secure

19

We first verify that this is an encryption scheme, in the sense that the decryption of an encryption of a message yields the message. Since u1 = g1r and u2 = g2r , we have ux1 1 ux2 2 = g1rx1 g2rx2 = cr . Likewise, uy11 uy22 = dr and uz1 = hr Therefore, the test performed by the decryption algorithm will pass, and the output will be e/hr = m.

4

Proof of Security

In this section, we prove the following theorem. Theorem 1. The above cryptosystem is secure against adaptive chosen ciphertext attack assuming that (1) the hash function H is chosen from a universal one-way family, and (2) the Diffie-Hellman decision problem is hard in the group G. To prove the theorem, we will assume that there is an adversary that can break the cryptosystem, and that the hash family is universal one-way, and show how to use this adversary to construct a statistical test for the Diffie-Hellman decision problem. For the statistical test, we are given (g1 , g2 , u1 , u2 ) coming from either the distribution R or D. At a high level, our construction works as follows. We build a simulator that simulates the joint distribution consisting of adversary’s view in its attack on the cryptosystem, and the hidden bit b generated by the generated oracle (which is not a part of the adversary’s view). We will show that if the input comes from D, the simulation will be nearly perfect, and so the adversary will have a non-negligible advantage in guessing the hidden bit b. We will also show that if the input comes from R, then the adversary’s view is essentially independent of b, and therefore the adversary’s advantage is negligible. This immediately implies a statistical test distinguishing R from D: run the simulator and adversary together, and if the simulator outputs b and the adversary outputs b0 , the distinguisher outputs 1 if b = b0 , and 0 otherwise. We now give the details of the simulator. The input to the simulator is (g1 , g2 , u1 , u2 ). The simulator runs the following key generation algorithm, using the given g1 , g2 . The simulator chooses x1 , x2 , y1 , y2 , z1 , z2 ∈ Zq at random, and computes c = g1x1 g2x2 , d = g1y1 g2y2 , h = g1z1 g2z2 . The simulator also chooses a hash function H at random. The public key that the adversary sees is (g1 , g2 , c, d, h, H). The simulator knows (x1 , x2 , y1 , y2 , z1 , z2 ).

20

Ronald Cramer and Victor Shoup

Note that the simulator’s key generation algorithm is slightly different from the key generation algorithm of the actual cryptosystem; in the latter, we essentially fix z2 = 0. The simulator answers decryption queries as in the actual attack, except that it computes m = e/(uz11 uz22 ). We now describe the simulation of the encryption oracle. Given m0 , m1 , the simulator chooses b ∈ {0, 1} at random, and computes e = uz11 uz22 mb , α = H(u1 , u2 , e), v = u1x1 +y1 α u2x2 +y2 α , and outputs (u1 , u2 , e, v). That completes the description of the simulator. As we will see, when the input to the simulator comes from D, the output of the encryption oracle is a perfectly legitimate ciphertext; however, when the input to the simulator comes from R, the output of the decryption oracle will not be legitimate, in the sense that logg1 u1 6= logg2 u2 . This is not a problem, and indeed, it is crucial to the proof of security. The theorem now follows immediately from the following two lemmas. Lemma 1. When the simulator’s input comes from D, the joint distribution of the adversary’s view and the hidden bit b is is statistically indistinguishable from that in the actual attack. Consider the joint distribution of the adversary’s view and the bit b when the input comes from the distribution D. Say u1 = g1r and u2 = g2r . It is clear in this case that the output of the encryption oracle has the right distribution, since ux1 1 ux2 2 = cr , uy11 uy22 = dr , and uz11 uz22 = hr ; indeed, these equations imply that e = mb hr and v = cr drα , and α itself is already of the right form. To complete the proof, we need to argue that the output of the decryption oracle has the right distribution. Let us call (u01 , u02 , e0 , v 0 ) ∈ G4 a valid ciphertext if logg1 u01 = logg2 u02 . 0 0 0 Note that if a ciphertext is valid, with u01 = g1r and u02 = g2r , then hr = 0 (u01 )z1 (u02 )z2 ; therefore, the decryption oracle outputs e/hr , just as it should. Consequently, the lemma follows immediately from the following: Claim. The decryption oracle—in both an actual attack against the cryptosystem and in an attack against the simulator—rejects all invalid ciphertexts, except with negligible probability. We now prove this claim by considering the distribution of the point P = (x1 , x2 , y1 , y2 ) ∈ Z4q , conditioned on the adversary’s view. Let log(·) denote logg1 (·), and let w = log g2 . ¿From the adversary’s view, P is a random point on the plane P formed by intersecting the hyperplanes log c = x1 + wx2

(1)

A Practical Public Key Cryptosystem Provably Secure

21

and log d = y1 + wy2 .

(2)

These two equations come from the public key. The output from the encryption oracle does not constrain P any further, as the hyperplane defined by log v = rx1 + wrx2 + αry1 + αrwy2

(3)

contains P. Now suppose the adversary submits an invalid ciphertext (u01 , u02 , v 0 , e0 ) to the decryption oracle, where log u01 = r10 and log u02 = wr20 , with r10 6= r20 . The decryption oracle will reject, unless P happens to lie on the hyperplane H defined by log v 0 = r10 x1 + wr20 x2 + α0 r10 y1 + α0 r20 wy2 , (4) where α0 = H(u01 , u02 , e0 ). But it is clear that the equations (1), (2), and (4) are linearly independent, and so H intersects the plane P at a line. It follows that the first time the adversary submits an invalid ciphertext, the decryption oracle rejects with probability 1 − 1/q. This rejection actually constrains the point P, puncturing the plane H at a line. Therefore, for i = 1, 2, . . ., the ith invalid ciphertext submitted by the adversary will be rejected with probability at least 1−1/(q−i+1). ¿From this it follows that the decryption oracle rejects all invalid ciphertexts, except with negligible probability. Lemma 2. When the simulator’s input comes from R, the distribution of the hidden bit b is (essentially) independent from the adversary’s view. Let u1 = g1r1 and u2 = g1wr2 . We may assume that r1 6= r2 , since this occurs except with negligible probability. The lemma follows immediately from the following two claims. Claim 1. If the decryption oracle rejects all invalid ciphertexts during the attack, then the distribution of the hidden bit b is independent of the adversary’s view. To see this, consider the point Q = (z1 , z2 ) ∈ Z2q . At the beginning of the attack, this is a random point on the line log h = z1 + wz2 ,

(5)

determined by the public key. Moreover, if the decryption oracle only decrypts valid ciphertexts (u01 , u02 , e0 , v 0 ), then the adversary obtains only linearly depen0 0 0 dent relations r0 log h = r0 z1 + r0 wz2 (since (u01 )z1 (u02 )z2 = g1r z1 g2r z2 = hr ). Thus, no further information about Q is leaked. Consider now the output (u1 , u2 , e, v) of the simulator’s encryption oracle. We have e = · mb , where = uz11 uz22 . Now, consider the equation log = r1 z1 + wr2 z2 .

(6)

Clearly, (5) and (6) are linearly independent, and so the conditional distribution of —conditioning on b and everything in the adversary’s view other than e— is uniform. In other words, is a perfect one-time pad. It follows that b is independent of the adversary’s view.

22

Ronald Cramer and Victor Shoup

Claim 2. The decryption oracle will reject all invalid ciphertexts, except with negligible probability. As in the proof of Lemma 1, we study the distribution of P = (x1 , x2 , y1 , y2 ) ∈ Z4q , conditioned on the adversary’s view. ¿From the adversary’s view, this is a random point on the line L formed by intersecting the hyperplanes (1), (2), and log v = r1 x1 + wr2 x2 + αr1 y1 + αwr2 y2 .

(7)

Equation (7) comes from the output of the encryption oracle. Now assume that the adversary submits an invalid ciphertext (u01 , u02 , e0 , v 0 ) 6= (u1 , u2 , e, v), where log u01 = r10 and log u02 = wr20 , with r10 6= r20 . Let α0 = H(u01 , u02 , e0 ). There are three cases we consider. Case 1. (u01 , u02 , e0 ) = (u1 , u2 , e). In this case, the hash values are the same, but v 0 6= v implies that the decryption oracle will certainly reject. Case 2. (u01 , u02 , e0 ) 6= (u1 , u2 , e) and α0 6= α. The decryption oracle will reject unless the point P lies on the hyperplane H defined by (4). However, the equations (1), (2), (7), and (4) are linearly independent. This can be verified by observing that   1 w 0 0 0 0 1  w 2 0 0 0  det   r1 wr2 αr1 αwr2  = w (r2 − r1 )(r2 − r1 )(α − α ) 6= 0. r10 wr20 α0 r10 α0 wr20 Thus, H intersects the line L at a point, from which it follows (as in the proof of Lemma 1) that the decryption oracle rejects, except with negligible probability. Case 3. (u01 , u02 , e0 ) 6= (u1 , u2 , e) and α0 = α. We argue that if this happens with nonnegligible probability, then in fact, the family of hash functions is not universal one-way—a contradiction. Note that if we made the stronger assumption of collision resistance, there would be essentially nothing to prove, but with the weaker universal one-way assumption, an argument is needed. We use the adversary to break the universal one-way hash function as follows. We modify the encryption oracle in the simulator, so that it outputs (u1 , u2 , e, v) as before, except that now, e ∈ G is simply chosen completely at random. Up until such time that a collision occurs, the adversary’s view in this modified simulation is statistically indistinguishable from the view in the original simulation, and so the adversary will also find a collision with nonnegligible probability in the modified simulation. But the argument (u1 , u2 , e) to H is independent of H, and in particular, we can choose it before choosing H.

5

Implementation Details and Variations

In this section, we briefly discuss some implementation details and possible variations of the basic encryption scheme.

A Practical Public Key Cryptosystem Provably Secure

5.1

23

A Simple Implementation

We choose a large prime p such that p − 1 = 2q, where q is also prime. The group G is the subgroup of order q in Z∗p . We restrict a message to be an element of the set {1, . . . , q}, and “encode” it by squaring it modulo p, giving us an element in G. We can recover a message from its encoding by computing the unique square root of its encoding modulo p that is in the set {1, . . . , q}. For the hash function, one could use a function like SHA-1, or possibly some keyed variant, and make the appropriate collision-resistance assumption. However, it is only marginally more expensive to do the following, which is based only on the hardness of discrete logarithms in G. Say we want to hash a bit string to an integer mod q. Write the bit string as a sequence (a1 , . . . , ak ), with each ai ∈ {0, . . . , q − 1}. To define the hash function, choose h1 , . . . , hk in G at random. The hash of (a1 , . . . , ak ) is then the least non-negative residue of ±ha1 1 · · · hakk ∈ Z∗p , where the sign is chosen so that this value is in {1, . . . , q}. This hash function is collision resistant, provided computing discrete logarithms in G is hard. To see this, note that from a collision, we obtain a nonzero sequence (a1 , . . . , ak ) mod q such that ha1 1 · · · hakk ∈ {1, −1} ∩ G = {1}. Using a standard argument, it is easy to see that finding such a relation is equivalent to computing discrete logarithms. Note that the group elements g1 , g2 and h1 , . . . , hk can be system-wide parameters, used by all users of the system. 5.2

A Hybrid Implementation

It would be more practical to work in a smaller subgroup, and it would be nice to have a more flexible and efficient way to encode messages. To do this, assume we have a symmetric-key cipher C with a key length of l bits. Now choose a large prime p such that p − 1 = qm, where q is a 3l-bit prime. The group G is the subgroup of order q in Z∗p . A message in this scheme is just an arbitrary bit string. To encrypt a message m, we modify our encryption algorithm, computing e = CK (m), where the encryption key K is computed by hashing hr to an l-bit string with a public 2-universal hash function. For the hash function H used in the encryption scheme, something like SHA-1, possibly keyed, would be appropriate. The security of this variant is easily proved using the techniques of this paper, along with the left-over hash lemma [15], assuming the cipher C is semantically secure. 5.3

A Hash-Free Variant

We can actually eliminate the hash function H from the scheme, so that the security can be based strictly on the Diffie-Hellman decision problem for an

24

Ronald Cramer and Victor Shoup

arbitrary group G. Suppose the strings we need to hash in the original scheme are of the form (a1 , . . . , ak ), where 0 ≤ ai < p. In the modified scheme, we replace the group element d in the public key by d1 , . . . , dk . For 1 ≤ i ≤ k, we have di = g1yi1 g2yi2 , where yi1 and yi2 are random elements of Zq included in the secret key. When encrypting, we compute v = cr

k Y

dai i r ,

i=1

and when decrypting, we verify that Pk Pk x1 + ai yi1 x2 + ai yi2 i=1 i=1 u2 . v = u1 Using the same proof techniques as for the basic scheme, it is straightforward to prove that this modified version is secure against adaptive chosen ciphertext attack, assuming the Diffie-Hellman decision problem in G is hard. 5.4

A “lite” Version Secure Against Lunch-Time Attacks

To achieve security against lunch-time attacks only, one can simplify the basic scheme significantly, essentially by eliminating d, y1 , y2 , and the hash function H. When encrypting, we compute v = cr , and when decrypting, we verify that v = ux1 1 ux2 2 .

Acknowledgments We would like to thank Moni Naor for his very useful comments on an earlier draft of this paper, and in particular, for pointing out that a universal one-way hash function is sufficient to prove the security of our basic scheme, and for suggesting the hash-free variant in §5.3.

References 1. N. Asokan, V. Shoup, and M. Waidner. Optimistic fair exchange of digital signatures. In Advances in Cryptology–Eurocrypt ’98, 1998. 14 2. M. Bellare, R. Canetti, and H. Krawczyk. A modular approach to the design and analysis of authentication and key exchange protocols. In 30th Annual ACM Symposium on Theory of Computing, 1998. 14 3. M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In First ACM Conference on Computer and Communications Security, pages 62–73, 1993. 15 4. M. Bellare and P. Rogaway. Optimal asymmetric encryption. In Advances in Cryptology—Crypto ’94, pages 92–111, 1994. 14, 15 5. M. Bellare and P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical. In Advances in Cryptology–Crypto ’97, 1997. 18

A Practical Public Key Cryptosystem Provably Secure

25

6. D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In Advances in Cryptology– Crypto ’96, pages 129–142, 1996. 17 7. R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisted. In 30th Annual ACM Symposium on Theory of Computing, 1998. To appear. 15 8. I. Damgard. Towards practical public key cryptosystems secure against chosen ciphertext attacks. In Advances in Cryptology–Crypto ’91, pages 445–456, 1991. 15 9. D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography. In 23rd Annual ACM Symposium on Theory of Computing, pages 542–552, 1991. 14, 15 10. D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography, 1998. Manuscript (updated, full length version of STOC paper). 14, 14 11. C. Dwork and M. Naor. Method for message authentication from non-malleable cryptosystems, 1996. U. S. Patent No. 05539826. 14 12. T. El Gamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory, 31:469–472, 1985. 13 13. Y. Frankel and M. Yung. Cryptanalysis of immunized LL public key systems. In Advances in Cryptology–Crypto ’95, pages 287–296, 1995. 15 14. S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984. 14 15. R. Impagliazzo, L. Levin, and M. Luby. Pseudo-random number generation from any one-way function. In 21st Annual ACM Symposium on Theory of Computing, pages 12–24, 1989. 23 16. C. H. Lim and P. J. Lee. Another method for attaining security against adaptively chosen ciphertext attacks. In Advances in Cryptology–Crypto ’93, pages 420–434, 1993. 15 17. M. Naor and O. Reingold. Number-theoretic constructions of efficient pseudorandom functions. In 38th Annual Symposium on Foundations of Computer Science, 1997. 17, 17 18. M. Naor and M. Yung. Universal one-way hash functions and their cryptographic applications. In 21st Annual ACM Symposium on Theory of Computing, 1989. 18 19. M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In 22nd Annual ACM Symposium on Theory of Computing, pages 427–437, 1990. 14, 15 20. C. Rackoff and D. Simon. Noninteractive zero-knowledge proof of knowledge and chosen ciphertext attack. In Advances in Cryptology–Crypto ’91, pages 433–444, 1991. 13, 14 21. V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology–Eurocrypt ’97, 1997. 17 22. V. Shoup and R. Gennaro. Securing threshold cryptosystems against chosen ciphertext attack. In Advances in Cryptology–Eurocrypt ’98, 1998. 14, 15 23. M. Stadler. Publicly verifiable secrete sharing. In Advances in Cryptology– Eurocrypt ’96, pages 190–199, 1996. 17, 17 24. Y. Zheng and J. Seberry. Practical approaches to attaining security against adaptively chosen ciphertext attacks. In Advances in Cryptology–Crypto ’92, pages 292–304, 1992. 15

Relations Among Notions of Security for Public-Key Encryption Schemes Mihir Bellare1 , Anand Desai1 , David Pointcheval2 , and Phillip Rogaway3 1

Dept. of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA. {mihir,adesai}@cs.ucsd.edu URL: http://www-cse.ucsd.edu/users/{mihir,adesai} 2 ´ Laboratoire d’Informatique de l’Ecole Normale Sup´erieure, 75005 Paris, France, and GREYC, D´ept d’Informatique, Universit´e de Caen, 14032 Caen Cedex, France. [email protected] URL: http://www.dmi.ens.fr/~pointche/ 3 Dept. of Computer Science, Engineering II Bldg., University of California at Davis, Davis, CA 95616, USA. [email protected] URL: http://www.cs.ucdavis.edu/~rogaway/

Abstract. We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the first notion can be met at all). We similarly treat plaintext awareness, a notion of security in the random oracle model. An additional contribution of this paper is a new definition of non-malleability which we believe is simpler than the previous one. Keywords: Asymmetric encryption, Chosen ciphertext security, Nonmalleability, Rackoff-Simon attack, Plaintext awareness, Relations among definitions.

1

Introduction

In this paper we compare the relative strengths of various notions of security for public key encryption. We want to understand which definitions of security imply which others. We start by sorting out some of the notions we will consider. 1.1

Notions of Encryption Scheme Security

A convenient way to organize definitions of secure encryption is by considering separately the various possible goals and the various possible attack models, and then obtain each definition as a pairing of a particular goal and a particular attack model. This viewpoint was suggested to us by Moni Naor [22]. H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 26–46, 1998. c Springer-Verlag Berlin Heidelberg 1998

Relations Among Notions of Security for Public-Key Encryption Schemes

27

We consider two different goals: indistinguishability of encryptions, due to Goldwasser and Micali [17], and non-malleability, due to Dolev, Dwork and Naor [11]. Indistinguishability (IND) formalizes an adversary’s inability to learn any information about the plaintext x underlying a challenge ciphertext y, capturing a strong notion of privacy. Non-malleability (NM) formalizes an adversary’s inability, given a challenge ciphertext y, to output a different ciphertext y 0 such that the plaintexts x, x0 underlying these two ciphertexts are “meaningfully related”. (For example, x0 = x + 1.) It captures a sense in which ciphertexts can be tamper-proof. Along the other axis we consider three different attacks. In order of increasing strength these are chosen plaintext attack (CPA), non-adaptive chosen ciphertext attack (CCA1), and adaptive chosen ciphertext attack (CCA2). Under CPA the adversary can obtain ciphertexts of plaintexts of her choice. In the public key setting, giving the adversary the public key suffices to capture these attacks. Under CCA1, formalized by Naor and Yung [23], the adversary gets, in addition to the public key, access to an oracle for the decryption function. The adversary may use this decryption function only for the period of time preceding her being given the challenge ciphertext y. (The term non-adaptive refers to the fact that queries to the decryption oracle cannot depend on the challenge y. Colloquially this attack has also been called a “lunchtime,” “lunch-break,” or “midnight” attack.) Under CCA2, due to Rackoff and Simon [24], the adversary again gets (in addition to the public key) access to an oracle for the decryption function, but this time she may use this decryption function even on ciphertexts chosen after obtaining the challenge ciphertext y, the only restriction being that the adversary may not ask for the decryption of y itself. (The attack is called adaptive because queries to the decryption oracle can depend on the challenge y.) As a mnemonic for the abbreviations CCA1 / CCA2, just remember that the bigger number goes with the stronger attack. One can “mix-and-match” the goals {IND, NM} and attacks {CPA, CCA1, CCA2} in any combination, giving rise to six notions of security: IND-CPA, IND-CCA1, IND-CCA2, NM-CPA, NM-CCA1, NM-CCA2 . Most are familiar (although under different names). IND-CPA is the notion of [17];1 IND-CCA1 is the notion of [23]; IND-CCA2 is the notion of [24]; NM-CPA, NM-CCA1 and NM-CCA2 are from [11,12,13]. 1.2

Implications and Separations

In this paper we work out the relations between the above six notions. For each pair of notions A, B ∈ { IND-CPA, IND-CCA1, IND-CCA2, NM-CPA, NM-CCA1, NM-CCA2 }, we show one of the following: – A ⇒ B: A proof that if Π is any encryption scheme meeting notion of security A then Π also meets notion of security B. 1

Goldwasser and Micali referred to IND-CPA as polynomial security, and also showed this was equivalent to another notion, semantic security.

28

Mihir Bellare et al.

NM-CCA1 PP P iP PP PP P P 1 4 PPPPPP 3 1 PP PP PP q PP ? ? IND-CPA IND-CCA1 NM-CPA

5

-

NM-CCA2

6 1

2

? IND-CCA2

Fig. 1. An arrow is an implication, and in the directed graph given by the arrows, there is a path from A to B if and only A ⇒ B. The hatched arrows represent separations we actually prove; all others follow automatically. The number on an arrow or hatched arrow refers to the theorem in this paper which establishes this relationship. – A 6⇒ B: A construction of an encryption scheme Π that provably meets notion of security A but provably does not meet notion of security B.2 We call a result of the first type an implication, and a result of the second type a separation. For each pair of notions we provide one or the other, so that no relation remains open. These results are represented diagrammatically in Figure 1. The (unhatched) arrows represent implications that are proven or trivial, and the hatched arrows represent explicitly proven separations. Specifically, the non-trivial implication is that IND-CCA2 implies NM-CCA2, and the separations shown are that IND-CCA1 does not imply NM-CPA; nor does NM-CPA imply IND-CCA1; nor does NM-CCA1 imply NM-CCA2. Figure 1 represents a complete picture of relations in the following sense. View the picture as a graph, the edges being those given by the (unhatched) arrows. (So there are eight edges.) We claim that for any pair of notions A, B, it is the case that A implies B if and only if there is a path from A to B in the graph. The “if” part of this claim is of course clear from the definition of implication. The “only if” part of this claim can be verified for any pair of notions by utilizing the hatched and unhatched arrows. For example, we claim that IND-CCA1 does not imply IND-CCA2. For if we had that IND-CCA1 implies IND-CCA2 then this, coupled with NM-CCA1 implying IND-CCA1 and IND-CCA2 implying NM-CCA2, would give NM-CCA1 implying NM-CCA2, which we know to be false. That IND-CCA2 implies all of the other notions helps bolster the view that adaptive CCA is the “right” version of CCA on which to focus. (IND-CCA2 has already proven to be a better tool for protocol design.) We thus suggest that, in the future, “CCA” should be understood to mean adaptive CCA. 2

This will be done under the assumption that there exists some scheme meeting notion A, since otherwise the question is vacuous. This (minimal) assumption is the only one made.

Relations Among Notions of Security for Public-Key Encryption Schemes

1.3

29

Plaintext Awareness

Another adversarial goal we will consider is plaintext awareness (PA), first defined by Bellare and Rogaway [4]. PA formalizes an adversary’s inability to create a ciphertext y without “knowing” its underlying plaintext x. (In the case that the adversary creates an “invalid” ciphertext what she should know is that the ciphertext is invalid.) So far, plaintext awareness has only been defined in the random oracle (RO) model. Recall that in the RO model one embellishes the customary model of computation by providing all parties (good and bad alike) with a random function H from strings to strings. See [3] for a description of the random oracle model and a discussion of its use. The six notions of security we have described can be easily “lifted” to the RO model, giving six corresponding definitions. Once one makes such definitional analogs it is easily verified that all of the implications and separations mentioned in Section 1.2 and indicated in Figure 1 also hold in the RO setting. For example, the RO version of IND-CCA2 implies the RO version of NM-CCA2. Since PA has only been defined in the RO model it only makes sense to compare PA with other RO notions. Our results in this vein are as follows. Theorem 6 shows that PA (together with the RO version of IND-CPA) implies the RO version of IND-CCA2. In the other direction, Theorem 7 shows that the RO version of IND-CCA2 does not imply PA. 1.4

Definitional Contributions

Beyond the implications and separations we have described, we have two definitional contributions: a new definition of non-malleability, and a refinement to the definition of plaintext awareness. The original definition of non-malleability [11,12,13] is in terms of simulation, requiring, for every adversary, the existence of some appropriate simulator. We believe our formulation is simpler. It is defined via an experiment involving only the adversary; there is no simulator. Nonetheless, it does not lose strength: Theorem 8 (due to [5]) says that our definition implies that of [12,13] under any form of attack. The definitions are not known to be equivalent because the other direction is open. See Appendix A. We stress that the results in this paper are not affected by the definitional change; they hold under either definition. We view the new definition as an additional, orthogonal contribution which could simplify the task of working with non-malleability. We also note that our definitional idea lifts to other settings, like defining semantic security [17] against chosen ciphertext attacks. (Semantic security seems not to have been defined against CCA.) With regard to plaintext awareness, we make a small but important refinement to the definition of [4]. The change allows us to substantiate their claim that plaintext awareness implies chosen ciphertext security and non-malleability, by giving us that PA (plus IND-CPA) implies the RO versions of IND-CCA2 and NM-CCA2. Our refinement is to endow the adversary with an encryption oracle, the queries to which are not given to the extractor. See Section 4.

30

Mihir Bellare et al.

1.5 Motivation In recent years there has been an increasing role played by public key encryption schemes which meet notions of security beyond IND-CPA. We are realizing that one of their most important uses is as tools for designing higher level protocols. For example, encryption schemes meeting IND-CCA2 appear to be the right tools in the design of authenticated key exchange protocols in the public-key setting [1]. As another example, the designers of SET (Secure Electronic Transactions) selected an encryption scheme which achieves more than IND-CPA [25]. This was necessary, insofar as the SET protocols would be wrong if instantiated by a primitive which achieves only IND-CPA security. Because encryption schemes which achieve more than IND-CPA make for easier-to-use (or harder-to-misuse) tools, emerging standards rightly favor them. We comment that if one takes the CCA models “too literally” the attacks we describe seem rather artificial. Take adaptive CCA, for example. How could an adversary have access to a decryption oracle, yet be forbidden to use it on the one point she really cares about? Either she has the oracle and can use it as she likes, or she does not have it at all. Yet, in fact, just such a setting effectively arises when encryption is used in session key exchange protocols. In general, one should not view the definitional scenarios we consider too literally, but rather understand that these are the right notions for schemes to meet when these schemes are to become generally-useful tools in the design of high level protocols. 1.6 Related Work and Discussion The most recent version of the work of Dolev, Dwork and Naor (the manuscript [13]) has, independently of our work, considered the question of relations between notions of encryption, and contains (currently in Remark 3.6) various claims that overlap to some extent with ours. (Public versions of their work, namely the 1991 proceedings version [11] and the 1995 technical report [12], do not contain these claims.) It is not the purpose of this paper to discuss specific schemes designed for meeting any of the notions of security described in this paper. Nonetheless, as a snapshot of the state of the art, we attempt to summarize what is known about meeting “beyond IND-CPA” notions of security. Schemes proven secure under standard assumptions include that of [23], which meets IND-CCA1, that of [11], which meets IND-CCA2, and the much more efficient recent scheme of Cramer and Shoup [8], which also meets IND-CCA2. Next are the schemes proven secure in a random oracle model; here we have those of [3,4], which meet PA and are as efficient as schemes in current standards. Then there are schemes without proofs, such as those of [9,26]. Finally, there are schemes for non-standard models, like [15,24]. It follows from our results that the above mentioned scheme of [8], shown to meet IND-CCA2, also meets NM-CCA2, and in particular is non-malleable under all three forms of attack. Bleichenbacher [6] has recently shown that a popular encryption scheme, RSA PKCS #1, does not achieve IND-CCA1.

Relations Among Notions of Security for Public-Key Encryption Schemes

31

We comment that non-malleability is a general notion that applies to primitives other than encryption [11]. Our discussion is limited to its use in asymmetric encryption. Similarly, chosen ciphertext attack applies to both the symmetric and asymmetric settings, but this work is specific to the latter. Due to space limitations, we have omitted various parts of this paper. A full version of the paper is available [2].

2

Definitions of Security

This section provides formal definitions for the six notions of security of an asymmetric (ie., public key) encryption scheme discussed in Section 1.1. Plaintext awareness will be described in Section 4. We begin by describing the syntax of an encryption scheme, divorcing syntax from the notions of security. Experiments. We use standard notations and conventions for writing probabilistic algorithms and experiments. If A is a probabilistic algorithm, then A(x1 , x2 , . . . ; r) is the result of running A on inputs x1 , x2 , . . . and coins r. We let y ← A(x1 , x2 , . . .) denote the experiment of picking r at random and letting y be A(x1 , x2 , . . . ; r). If S is a finite set then x ← S is the operation of picking an element uniformly from S. If α is neither an algorithm nor a set then x ← α is a simple assignment statement. We say that y can be output by A(x1 , x2 , . . .) if there is some r such that A(x1 , x2 , . . . ; r) = y. Syntax and conventions. The syntax of an encryption scheme specifies what kinds of algorithms make it up. Formally, an asymmetric encryption scheme is given by a triple of algorithms, Π = (K, E, D), where • K, the key generation algorithm, is a probabilistic algorithm that takes a security parameter k ∈ N (provided in unary) and returns a pair (pk, sk) of matching public and secret keys. • E, the encryption algorithm, is a probabilistic algorithm that takes a public key pk and a message x ∈ {0, 1}∗ to produce a ciphertext y. • D, the decryption algorithm, is a deterministic algorithm which takes a secret key sk and ciphertext y to produce either a message x ∈ {0, 1}∗ or a special symbol ⊥ to indicate that the ciphertext was invalid. We require that for all (pk, sk) which can be output by K(1k ), for all x ∈ {0, 1}∗, and for all y that can be output by Epk (x), we have that Dsk (y) = x. We also require that K, E and D can be computed in polynomial time. As the notation indicates, the keys are indicated as subscripts to the algorithms. Recall that a function : N → R is negligible if for every constant c ≥ 0 there exists an integer kc such that (k) ≤ k −c for all k ≥ kc . 2.1

Framework

The formalizations that follow have a common framework that it may help to see at a high level first. In formalizing both indistinguishability and non-malleability we regard an adversary A as a pair of probabilistic algorithms, A = (A1 , A2 ). (We will say that A is polynomial time if both A1 and A2 are.) This corresponds

32

Mihir Bellare et al.

to A running in two “stages.” The exact purpose of each stage depends on the particular adversarial goal, but for both goals the basic idea is that in the first stage the adversary, given the public key, seeks and outputs some “test instance,” and in the second stage the adversary is issued a challenge ciphertext y generated as a probabilistic function of the test instance, in a manner depending on the goal. (In addition A1 can output some state information s that will be passed to A2 .) Adversary A is successful if she passes the challenge, with what “passes” means again depending on the goal. We consider three types of attacks under this setup. In a chosen-plaintext attack (CPA) the adversary can encrypt plaintexts of her choosing. Of course a CPA is unavoidable in the public-key setting: knowing the public key, an adversary can, on her own, compute a ciphertext for any plaintext she desires. So in formalizing definitions of security under CPA we “do nothing” beyond giving the adversary access to the public key; that’s already enough to make a CPA implicit. In a non-adaptive chosen ciphertext attack (CCA1) we give A1 (the public key and) access to a decryption oracle, but we do not allow A2 access to a decryption oracle. This is sometimes called a non-adaptive chosen ciphertext attack, in that the decryption oracle is used to generate the test instance, but taken away before the challenge appears. In an adaptive chosen ciphertext attack (CCA2) we continue to give A1 (the public key and) access to a decryption oracle, but also give A2 access to the same decryption oracle, with the only restriction that she cannot query the oracle on the challenge ciphertext y. This is an extremely strong attack model. As a mnemonic, the number i in CCAi can be regarded as the number of adversarial stages during which she has access to a decryption oracle. Additionally, the bigger number corresponds to the stronger (and chronologically later) formalization. By the way: we do not bother to explicitly give A2 the public key, because A1 has the option of including it in s. 2.2

Indistinguishability of Encryptions

The classical goal of secure encryption is to preserve the privacy of messages: an adversary should not be able to learn from a ciphertext information about its plaintext beyond the length of that plaintext. We define a version of this notion, indistinguishability of encryptions (IND), following [17,21], through a simple experiment. Algorithm A1 is run on input the public key, pk. At the end of A1 ’s execution she outputs a triple (x0 , x1 , s), the first two components being messages which we insist be of the same length, and the last being state information (possibly including pk) which she wants to preserve. A random one of x0 and x1 is now selected, say xb . A “challenge” y is determined by encrypting xb under pk. It is A2 ’s job to try to determine if y was selected as the encryption of x0 or x1 , namely to determine the bit b. To make this determination A2 is given the saved state s and the challenge ciphertext y. For concision and clarity we simultaneously define indistinguishability with respect to CPA, CCA1, and CCA2. The only difference lies in whether or not

Relations Among Notions of Security for Public-Key Encryption Schemes

33

A1 and A2 are given decryption oracles. We let the string atk be instantiated by any of the formal symbols cpa, cca1, cca2, while ATK is then the corresponding formal symbol from CPA, CCA1, CCA2. When we say Oi = ε, where i ∈ {1, 2}, we mean Oi is the function which, on any input, returns the empty string, ε. Definition 1. [IND-CPA, IND-CCA1, IND-CCA2] Let Π = (K, E, D) be an encryption scheme and let A = (A1 , A2 ) be an adversary. For atk ∈ {cpa, cca1, def cca2} and k ∈ N let Advind-atk (k) = A,Π

h 1 2 · Pr (pk, sk) ← K(1k ) ; (x0 , x1 , s) ← AO 1 (pk) ; b←{0, 1} ; y ← Epk (xb ) : i 2 AO 2 (x0 , x1 , s, y) = b − 1 where and O2 (·) = ε If atk = cpa then O1 (·) = ε If atk = cca1 then O1 (·) = Dsk (·) and O2 (·) = ε If atk = cca2 then O1 (·) = Dsk (·) and O2 (·) = Dsk (·) We insist, above, that A1 outputs x0 , x1 with |x0 | = |x1 |. In the case of CCA2, we further insist that A2 does not ask its oracle to decrypt y. We say that Π is secure in the sense of IND-ATK if A being polynomial-time implies that ind-atk (·) is negligible. 2 AdvA,Π 2.3

Non-Malleability

Notation. We will need to discuss vectors of plaintexts or ciphertexts. A vector is denoted in boldface, as in x. We denote by |x| the number of components in x, and by x[i] the i-th component, so that x = (x[1], . . . , x[|x|]). We extend the set membership notation to vectors, writing x ∈ x or x 6∈ x to mean, respectively, that x is in or is not in the set {x[i] : 1 ≤ i ≤ |x|}. It will be convenient to extend the decryption notation to vectors with the understanding that operations are performed componentwise. Thus x ← Dsk (y) is shorthand for the following: for 1 ≤ i ≤ |y| do x[i] ← Dsk (y[i]). We will consider relations of arity t where t will be polynomial in the security parameter k. Rather than writing R(x1 , . . . , xt ) we write R(x, x), meaning the first argument is special and the rest are bunched into a vector x with |x| = t−1. Idea. The notion of non-malleability was introduced in [11], with refinements in [12,13]. The goal of the adversary, given a ciphertext y, is not (as with indistinguishability) to learn something about its plaintext x, but only to output a vector y of ciphertexts whose decryption x is “meaningfully related” to x, meaning that R(x, x) holds for some relation R. The question is how exactly one measures the advantage of the adversary. This turns out to need care. One possible formalization is that of [11,12,13], which is based on the idea of simulation; it asks that for every adversary there exists a certain type of “simulator” that does just as well as the adversary but without being given y. Here, we introduce a novel formalization which seems to us to be simpler. Our formalization does not

34

Mihir Bellare et al.

ask for a simulator, but just considers an experiment involving the adversary. It turns out that our notion implies DDN’s, but the converse is not known. See Appendix A for a brief comparison. Our formalization. Let A = (A1 , A2 ) be an adversary. In the first stage of the adversary’s attack, A1 , given the public key pk, outputs a description of a message space, described by a sampling algorithm M . The message space must be valid, which means that it gives non-zero probability only to strings of some one particular length. In the second stage of the adversary’s attack, A2 receives an encryption y of a random message, say x, drawn from M . The adversary then outputs a (description of a) relation R and a vector y (no component of which is y). She hopes that R(x, x) holds, where x ← Dsk (y). An adversary (A1 , A2 ) is successful if she can do this with a probability significantly more than that with which R(˜ x, x) holds for some random hidden x˜ ← M . Definition 2. [NM-CPA, NM-CCA1, NM-CCA2] Let Π = (K, E, D) be an encryption scheme and let A = (A1 , A2 ) be an adversary. For atk ∈ {cpa, cca1, cca2} and k ∈ N define def nm-atk nm-atk nm-atk (k) = SuccA,Π (k) − SuccA,Π,$ (k) AdvA,Π nm-atk where SuccA,Π (k) =

def

h 1 Pr (pk, sk) ← K(1k ) ; (M, s) ← AO 1 (pk) ; x ← M ; y ← Epk (x) ;

i 2 (R, y) ← AO (M, s, y) ; x ← D (y) : y ∈ 6 y ∧ ⊥ ∈ 6 x ∧ R(x, x) sk 2

nm-atk (k) = and SuccA,Π,$

def

h 1 ˜ ← M ; y ← Epk (x) ; Pr (pk, sk) ← K(1k ) ; (M, s) ← AO 1 (pk) ; x, x i 2 (R, y) ← AO x, x) 2 (M, s, y) ; x ← Dsk (y) : y 6∈ y ∧ ⊥ 6∈ x ∧ R(˜ where and O2 (·) = ε If atk = cpa then O1 (·) = ε If atk = cca1 then O1 (·) = Dsk (·) and O2 (·) = ε If atk = cca2 then O1 (·) = Dsk (·) and O2 (·) = Dsk (·) We insist, above, that M is valid: |x| = |x0 | for any x, x0 that are given non-zero probability in the message space M . We say that Π is secure in the sense of NM-ATK if for every polynomial p(k): if A runs in time p(k), outputs a (valid) message space M samplable in time p(k), and outputs a relation R computable nm-atk (·) is negligible. 2 in time p(k), then AdvA,Π The condition that y 6∈ y is made in order to not give the adversary credit for the trivial and unavoidable action of copying the challenge ciphertext. Otherwise, she could output the equality relation R, where R(a, b) holds iff a = b, and output

Relations Among Notions of Security for Public-Key Encryption Schemes

35

y = (y), and be successful with probability one. We also declare the adversary unsuccessful when some ciphertext y[i] does not have a valid decryption (that is, ⊥ ∈ x), because in this case, the receiver is simply going to reject the adversary’s message anyway. The requirement that M is valid is important; it stems from the fact that encryption is not intended to conceal the length of the plaintext. One might want to strengthen the notion to require that the adversary’s advantage remains small even in the presence a priori information about the message x; such incorporation of message “history” was made in Goldreich’s formalizations of semantic security [14] and the definition of non-malleability in [12,13]. For simplicity we have omitted histories, but note that the above definition can be easily enhanced to take histories into account, and we explain how in [2].

3

Relating IND and NM

We state more precisely the results summarized in Figure 1 and provide proofs. As mentioned before, we summarize only the main relations (the ones that require proof); all other relations follow as corollaries. 3.1

Results

The first result, that non-malleability implies indistinguishability under any type of attack, was of course established by [11] in the context of their definition of non-malleability, but since we have a new definition of non-malleability, we need to re-establish it. The (simple) proof of the following is in [2]. Theorem 1. [NM-ATK ⇒ IND-ATK] If encryption scheme Π is secure in the sense of NM-ATK then Π is secure in the sense of IND-ATK for any attack ATK ∈ {CPA, CCA1, CCA2}. Remark 1. Recall that the relation R in Definition 2 was allowed to have any polynomially bounded arity. However, the above theorem holds even under a weaker notion of NM-ATK in which the relation R is restricted to have arity two. The proof of the following is in Section 3.2. Theorem 2. [IND-CCA2 ⇒ NM-CCA2] If encryption scheme Π is secure in the sense of IND-CCA2 then Π is secure in the sense of NM-CCA2. Remark 2. Theorem 2 coupled with Theorem 1 and Remark 1 says that in the case of CCA2 attacks, it suffices to consider binary relations, meaning the notion of NM-CCA2 restricted to binary relations is equivalent to the general one. Now we turn to separations. Adaptive chosen ciphertext security implies nonmalleability according to Theorem 2. In contrast, the following says that nonadaptive chosen ciphertext security does not imply non-malleability. The proof is in Section 3.3.

36

Mihir Bellare et al.

Theorem 3. [IND-CCA16⇒NM-CPA] If there exists an encryption scheme Π which is secure in the sense of IND-CCA1, then there exists an encryption scheme Π 0 which is secure in the sense of IND-CCA1 but which is not secure in the sense of NM-CPA. Now one can ask whether non-malleability implies chosen ciphertext security. The following says it does not even imply the non-adaptive form of the latter. (As a corollary, it certainly does not imply the adaptive form.) The proof is in Section 3.4. Theorem 4. [NM-CPA6⇒IND-CCA1] If there exists an encryption scheme Π which is secure in the sense of NM-CPA, then there exists an encryption scheme Π 0 which is secure in the sense of NM-CPA but which is not secure in the sense of IND-CCA1. Now the only relation that does not immediately follow from the above results or by a trivial reduction is that the version of non-malleability allowing CCA1 does not imply the version that allows CCA2. See Section 3.5 for the proof of the following. Theorem 5. [NM-CCA16⇒NM-CCA2] If there exists an encryption scheme Π which is secure in the sense of NM-CCA1, then there exists an encryption scheme Π 0 which is secure in the sense of NM-CCA1 but which is not secure in the sense of NM-CCA2. 3.2

Proof of Theorem 2

We are assuming that encryption scheme Π is secure in the IND-CCA2 sense. We show it is also secure in the NM-CCA2 sense. The intuition is simple: since the adversary has access to the decryption oracle, she can decrypt the ciphertexts she would output, and so the ability to output ciphertexts is not likely to add power. For the proof, let B = (B1 , B2 ) be an NM-CCA2 adversary attacking Π. nm-cca2 (k) is negligible. To this end, we describe an We must show that AdvB,Π IND-CCA2 adversary A = (A1 , A2 ) attacking Π. sk Algorithm AD 1 (pk) (M, s) ← B1Dsk (pk) x0 ← M ; x1 ← M s0 ← (M, s) return (x0 , x1 , s0 )

0 0 sk Algorithm AD 2 (x0 , x1 , s , y) where s = (M, s) Dsk (R, y) ← B2 (M, s, y) ; x ← Dsk (y) if (y 6∈ y ∧ ⊥ 6∈ x ∧ R(x0 , x)) then d ← 0 else d ← {0, 1} return d

Notice A is polynomial time under the assumption that the running time of B, the time to compute R, and the time to sample from M are all bounded by a fixed ind-cca2 (k) = pk (0) − pk (1) polynomial in k. The advantage of A is given by AdvA,Π def

where for b ∈ {0, 1} we let pk (b) = h sk Pr (pk, sk) ← K(1k ) ; (x0 , x1 , s0 ) ← AD 1 (pk) ; y ← Epk (xb ) : i 0 sk AD 2 (x0 , x1 , s , y) = 0 .

Relations Among Notions of Security for Public-Key Encryption Schemes

37

def

Also for b ∈ {0, 1} we let p0k (b) = h Pr (pk, sk) ← K(1k ) ; (M, s) ← B1Dsk (pk) ; x0 , x1 ← M ; y ← Epk (xb ) ;

i (R, y) ← B2Dsk (M, s, y) ; x ← Dsk (y) : y 6∈ y ∧ ⊥ ∈ / x ∧ R(x0 , x) .

Now observe that A2 may return 0 either when x is R-related to x0 or as a result of the coin flip. Continuing with the advantage then, 1 1 1 ind-cca2 AdvA,Π (k) = pk (0)−pk (1) = ·[1+p0k (0)]− ·[1+p0k (1)] = ·[p0k (0)−p0k (1)] 2 2 2 We now observe that the experiment of B2 being given a ciphertext of x1 and nm-cca2 (k). On the other hand, R-relating x to x0 , is exactly that defining SuccB,Π,$ nm-cca2 in case it is x0 , we are looking at the experiment defining SuccB,Π (k). So Advnm-cca2 (k) = p0 (0) − p0 (1) = 2 · Advind-cca2 (k) . k ind-cca2 AdvA,Π (k)

B,Π

k

A,Π

But we know that is negligible because Π is secure in the sense nm-cca2 of IND-CCA2. It follows that AdvB,Π (k) is negligible, as desired. 3.3

Proof of Theorem 3

Assume there exists some IND-CCA1 secure encryption scheme Π = (K, E, D), since otherwise the theorem is vacuously true. We now modify Π to a new encryption scheme Π 0 = (K0 , E 0 , D0 ) which is also IND-CCA1 secure but not secure in the NM-CPA sense. This will prove the theorem. The new encryption scheme Π 0 = (K0 , E 0 , D0 ) is defined as follows. Here x denotes the bitwise complement of string x, namely the string obtained by flipping each bit of x. 0 0 Algorithm Epk (x) Algorithm K0 (1k ) Algorithm Dsk (y1 ky2 ) k return Dsk (y1 ) (pk, sk) ← K(1 ) y1 ← Epk (x) ; y2 ← Epk (x) return (pk, sk) return y1 ky2

In other words, a ciphertext in the new scheme is a pair y1 k y2 consisting of the encryption of the message and its complement. In decrypting, the second component is ignored. In [2] we establish that Π 0 is not secure in the sense of NM-CPA sense, while it is secure in the sense of IND-CCA1. 3.4

Proof of Theorem 4

Let’s first back up a bit and provide some intuition about why the theorem might be true and how we can prove it. Intuition and first attempts. At first glance, one might think NM-CPA does imply IND-CCA1 (or even IND-CCA2), for the following reason. Suppose an adversary has a decryption oracle, and is asked to tell whether a given ciphertext y is the encryption of x0 or x1 , where x0 , x1 are messages she has chosen earlier. She is not allowed to call the decryption oracle on y. It seems then the only strategy she could have is to modify y to some related y 0 , call the decryption oracle on y 0 , and use the answer to somehow help her determine

38

Mihir Bellare et al.

whether the decryption of y was x0 or x1 . But if the scheme is non-malleable, creating a y 0 meaningfully related to y is not possible, so the scheme must be chosen-ciphertext secure. The reasoning above is fallacious. The flaw is in thinking that to tell whether y is an encryption of x0 or x1 , one must obtain a decryption of a ciphertext y 0 related to the challenge ciphertext y. In fact, what can happen is that there are certain strings whose decryption yields information about the secret key itself, yet the scheme remains non-malleable. The approach to prove the theorem is to modify a NM-CPA scheme Π = (K, E, D) to a new scheme Π 0 = (K0 , E 0 , D0 ) which is also NM-CPA but can be broken under a non-adaptive chosen ciphertext attack. (We can assume a NM-CPA scheme exists since otherwise there is nothing to prove.) A first attempt to implement the above idea (of having the decryption of certain strings carry information about the secret key) is straightforward. Fix some ciphertext u not 0 in the range of E and define Dsk (u) = sk to return the secret key whenever it is given this special ciphertext. In all other aspects, the new scheme is the same as the old one. It is quite easy to see that this scheme falls to a (non-adaptive) chosen ciphertext attack, because the adversary need only make query u of its decryption oracle to recover the entire secret key. The problem is that it is not so easy to tell whether this scheme remains non-malleable. (Actually, we don’t know whether it is or not, but we certainly don’t have a proof that it is.) As this example indicates, it is easy to patch Π so that it can be broken in the sense of IND-CCA1; what we need is that it also be easy to prove that it remains NM-CPA secure. The idea of our construction below is to use a level of indirection: sk is returned by D0 in response to a query v which is itself a random string that can only be obtained by querying D0 at some other known point u. Intuitively, this scheme will be NM-CPA secure since v will remain unknown to the adversary. Our construction. Given a non-malleable encryption scheme Π = (K, E, D) we define a new encryption scheme Π 0 = (K0 , E 0 , D0 ) as follows. Here b is a bit. 0 0 Algorithm Epk Algorithm K0 (1k ) k u (x) Algorithm Dsk k u k v (b k y) k (pk, sk) ← K(1 ) y ← Epk (x) if b = 0 then return Dsk (y) u, v ← {0, 1}k return 0 k y else if y = u then return v pk 0 ← pk k u else if y = v return sk sk 0 ← sk k u k v else return ⊥ return (pk 0 , sk 0 )

Analysis. The proof of Theorem 4 is completed by establishing that Π 0 is vulnerable to a IND-CCA1 attack but remains NM-CPA secure. The proofs of these claims can be found in [2]. 3.5

Proof of Theorem 5

The approach, as before, is to take a NM-CCA1 secure encryption scheme Π = (K, E, D) and modify it to a new encryption scheme Π 0 = (K0 , E 0 , D0 ) which is also NM-CCA1 secure, but can be broken in the NM-CCA2 sense.

Relations Among Notions of Security for Public-Key Encryption Schemes

39

Intuition. Notice that the construction of Section 3.4 will no longer work, because the scheme constructed there, not being secure in the sense of IND-CCA1, will certainly not be secure in the sense of NM-CCA1, for the same reason: the adversary can obtain the decryption key in the first stage using a couple of decryption queries. Our task this time is more complex. We want queries made in the second stage, after the challenge is received, to be important, meaning they can be used to break the scheme, yet, somehow, queries made in the first stage cannot be used to break the scheme. This means we can no longer rely on a simplistic approach of revealing the secret key in response to certain queries. Instead, the “breaking” queries in the second stage must be a function of the challenge ciphertext, and cannot be made in advance of seeing this ciphertext. We implement this idea by a “tagging” mechanism. The decryption function is capable of tagging a ciphertext so as to be able to “recognize” it in a subsequent query, and reveal in that stage information related specifically to the ciphertext, but not directly to the secret key. The tagging is implemented via pseudorandom function families. Our construction. Let Π = (K, E, D) be the given NM-CCA1 secure encryption scheme. Fix a family F = { F k : k ≥ 1 } of pseudorandom functions as per [18]. (Notice that this is not an extra assumption. We know that the existence of even a IND-CPA secure encryption scheme implies the existence of a one-way function [20] which in turn implies the existence of a family of pseudorandom functions [19,18].) Here each F k = { FK : K ∈ {0, 1}k } is a finite collection in which each key K ∈ {0, 1}k indexes a particular function FK : {0, 1}k → {0, 1}k . We define the new encryption scheme Π 0 = (K0 , E 0 , D0 ) as follows. Recall that ε is the empty string. Algorithm K0 (1k ) (pk, sk) ← K(1k ) K ← {0, 1}k sk 0 ← sk k K return (pk, sk 0 )

0 Algorithm Epk (x) y ← Epk (x) return 0 k y k ε

0 Algorithm Dsk k K (b k y k z) where b is a bit if (b = 0) ∧ (z = ε) then return Dsk (y) else if (b = 1) ∧ (z = ε) then return FK (y) else if (b = 1) ∧ (z = FK (y)) return Dsk (y) else return ⊥

Analysis. The proof of Theorem 5 is completed by establishing that Π 0 is vulnerable to a NM-CCA2 attack but remains NM-CCA1 secure. Formal proofs of these two claims can be found in [2]. Let us sketch the intuition here. The first is easy to see. In stage 2, given challenge ciphertext 0ky k ε, the adversary would like to get back Dsk 0 (0ky k ε) = Dsk (y), but is not allowed to query its oracle at 0ky k ε. However, she can query 1kykε to get FK (y) and then query 1kykFK (y) to get back the decryption of y under sk. At that point she can easily win.

40

Mihir Bellare et al.

The key point for the second claim is that to defeat the scheme, the adversary must obtain FK (y) where 0 k y k ε is the challenge. However, to do this she requires the decryption oracle. This is easy for an NM-CCA2 adversary but not for an NM-CCA1 adversary, which has a decryption oracle available only in the first stage, when y is not yet known. Once y is provided (in the second stage) the possibility of computing FK (y) is small because the decryption oracle is no longer available to give it for free, and the pseudorandomness of F makes it hard to compute on one’s own.

4

Results on PA

In this section we define plaintext awareness and prove that it implies the random oracle version of IND-CCA2, but is not implied by it. Throughout this section we shall be working exclusively in the RO model. As such, all notions of security defined earlier refer, in this section, to their RO counterparts. These are obtained in a simple manner. To modify Definitions 1 and 2, begin the specified experiment (the experiment which defines advantage) by choosing a random function H from the set of all functions from strings to infinite strings. Then provide an H-oracle to A1 and A2 , and allow that Epk H H and Dsk may depend on H (which we write as Epk and Dsk ). 4.1 Definition Our definition of PA is from [4], except that we make one important refinement. An adversary B for plaintext awareness is given a public key pk and access H to the random oracle H. We also provide B with an oracle for Epk . (This is our refinement, and its purpose is explained later.) The adversary outputs a ciphertext y. To be plaintext aware the adversary B should necessarily “know” the decryption x of its output y. To formalize this it is demanded there exist some (universal) algorithm K (the “plaintext extractor”) that could have output x just by looking at the public key, B’s H-queries and the answers to them, and the H answers to B’s queries to Epk . (Note the extractor is not given the queries that H B made to Epk , just the answers received.) Let us now summarize the formal definition and then discuss it.H By (hH , C, y) ← run B H,Epk (pk) we mean the following. Run B on input pk H and oracles H and Epk , recording B’s interaction with its oracles. Form into a list hH = ((h1 , H1 ), . . . , (hqH , HqH )) all of B’s H-oracle queries, h1 , . . . , hqH , and the corresponding answers, H1 , . . . , HqH . Form into a list C = (y1 , . . . , yqE ) H the answers (ciphertexts) received as a result of Epk -queries. (The messages that formed the actual queries are not recorded.) Finally, record B’s output, y. Definition 3. [Plaintext Awareness – PA] Let Π = (K, E, D) be an encryption scheme, let B be an adversary, and let K be an algorithm (the “knowledge def

extractor”). For any k ∈ N let Succpa K,B,Π (k) = h Pr H ← Hash ; (pk, sk) ← K(1k ) ;

i H H (hH , C, y) ← run B H,Epk (pk) : K(hH , C, y, pk) = Dsk (y) .

Relations Among Notions of Security for Public-Key Encryption Schemes

41

We insist that y 6∈ C; that is, B never outputs a string y which coincides with the H value returned from some Epk -query. We say that K is a λ(k)-extractor if K has running time polynomial in the length of its inputs and for every adversary B, Succpa K,B,Π (k) ≥ λ(k). We say that Π is secure in the sense of PA if Π is secure in the sense of IND-CPA and there exists a λ(k)-extractor K where 1 − λ(k) is negligible. 2 Let us now discuss this notion with particular attention to our refinement, which, as we said, consists of providing the adversary with an encryption oracle. At first glance this may seem redundant: since B already has the public key, can’t B encrypt without making use of the encryption oracle? Absolutely. But in the RO model encrypting points oneself may involve making H-queries (remember that the encryption function now depends on H), meaning that B will necessarily know any RO queries used to produce the ciphertext. (Formally, H they become part of the transcript run B H,Epk .) This does not accurately model the real world, where B may have access to ciphertexts via eavesdropping, in which case B does not know the underlying RO queries. By giving B an encryption oracle whose H-queries are not made a part of B’s transcript we get a stronger definition. Intuitively, should you learn a ciphertext y1 for which you do not know the plaintext, still you should be unable to produce a ciphertext H (other than y1 ) whose plaintext you do not know. Thus the Epk oracle models the possibility that B may obtain ciphertexts in ways other than encrypting them herself. We comment that plaintext awareness, as we have defined it, is only achievable in the random oracle model. (It is easy to see that if there is a scheme not using the random oracle for which an extractor as above exists then the extractor is essentially a decryption box. This can be formalized to a statement that an IND-CPA scheme cannot be plaintext aware in the above sense without using the random oracle.) It remains an interesting open question to find an analogous but achievable formulation of plaintext awareness for the standard model. One might imagine that plaintext awareness coincides with semantic security coupled with a (non-interactive) zero-knowledge proof of knowledge [10] of the plaintext. But this is not valid. The reason is the way the extractor operates in the notion and scheme of [10]: the common random string (even if viewed as part of the public key) is under the extractor’s control. In the PA notion, pk is an input to the extractor and it cannot play with any of it. Indeed, note that if one could indeed achieve PA via a standard proof of knowledge, then it would be achievable in the standard (as opposed to random oracle) model, and we just observed above that this is not possible with the current definition. 4.2

Results

The proof of the following is in Section 4.3. Theorem 6. [PA ⇒ IND-CCA2] If encryption scheme Π is secure in the sense of PA then it is secure in the RO sense of IND-CCA2.

42

Mihir Bellare et al.

Corollary 1. [PA ⇒ NM-CCA2] If encryption scheme Π is secure in the sense of PA then Π is secure in the RO sense of NM-CCA2. Proof. Follows from Theorems 6 and the RO-version of Theorem 2. The above results say that PA ⇒ IND-CCA2 ⇒ NM-CCA2. In the other direction, we have the following, whose proof is in [2]. Theorem 7. [IND-CCA26⇒PA] If there exists an encryption scheme Π which is secure in the RO sense of IND-CCA2, then there exists an encryption scheme Π 0 which is secure in the RO sense of IND-CCA2 but which is not secure in the sense of PA. 4.3

Proof of Theorem 6

Intuition. The basic idea for proving chosen ciphertext security in the presence of some kind of proof of knowledge goes back to [15,16,7,10]. Let us begin by recalling it. Assume there is some adversary A = (A1 , A2 ) that breaks Π in the IND-CCA2 sense. We construct an adversary A0 = (A01 , A02 ) that breaks Π in the IND-CPA sense. The idea is that A0 will run A and use the extractor to simulate the decryption oracle. At first glance it may seem that the same can be done here, making this proof rather obvious. That is not quite true. Although we can follow the same paradigm, there are some important new issues that arise and must be dealt with. Let us discuss them. The first is that the extractor cannot just run on any old ciphertext. (Indeed, if it could, it would be able to decrypt, and we know that it cannot.) The extractor can only be run on transcripts that originate from adversaries B in the form of Definition 3. Thus to reason about the effectiveness of A0 we must present adversaries who output as ciphertext the same strings that A0 would ask of its decryption oracle. This is easy enough for the first ciphertext output by A, but not after that, because we did not allow our Bs to have decryption oracles. The strategy will be to define a sequence of adversaries B1 , . . . , Bq so that Bi uses the knowledge extractor K for answering the first i − 1 decryption queries, and then Bi outputs what would have been its i-th decryption query. In fact this adversary A0 might not succeed as often as A, but we will show that the loss in advantage is still tolerable. Yet, that is not the main problem. The more subtle issue is how the encryption oracle given to the adversary comes into the picture. Adversary Bi will have to call its encryption oracle to “simulate” production of the challenge ciphertext received by A2 . It cannot create this ciphertext on its own, because to do so would incorrectly augment its transcript by the ensuing H-query. Thus, in fact, only one call to the encryption oracle will be required — yet this call is crucial. Construction. For contradiction we begin with an IND-CCA2 adversary A = ind-cca2 (k) against Π. In addition, (A1 , A2 ) with a non-negligible advantage, AdvA,Π we know there exists a plaintext extractor, K, with high probability of success, Succpa K,B,Π (k), for any adversary B. Using A and K we construct an IND-CPA ind-cpa (k) against adversary A0 = (A01 , A02 ) with a non-negligible advantage, AdvA 0 ,Π

Relations Among Notions of Security for Public-Key Encryption Schemes Algorithm A01 (pk; R) hH ← () Take R1 from R Run A1 (pk; R1 ), wherein When A1 makes a query, h, to H: A01 asks its H-oracle h, obtaining H(h) Put (h, H(h)) at end of hH Answer A1 with H(h) H : When A1 makes its jth query, y, to Dsk x ← K(hH, ε, y, pk) Answer A1 with x Finally A1 halts, outputting (x0 , x1 , s) return (x0 , x1 , (s, hH, pk))

43

Algorithm A02 (x0 , x1 , (s, hH, pk), y; R) Take R2 from R Run A2 (x0 , x1 , s, y; R2 ), wherein When A2 makes a query, h, to H: A02 asks its H-oracle h, obtaining H(h) Put (h, H(h)) at end of hH Answer A2 with H(h) When A2 makes its jth query, y 0 , H : to Dsk x ← K(hH, (y), y 0 , pk) Answer A2 with x Finally A2 halts, outputting bit, d return d

Fig. 2. Construction of IND-CPA adversary A0 = (A01 , A02 ) based on given IND-CCA2 adversary A = (A1 , A2 ) and plaintext extractor K.

Π. Think of A0 as the adversary A with access only to a simulated decryption oracle rather than the real thing. Let () denote the empty list. Recall that if C(·, ·, · · ·) is any probabilistic algorithm then C(x, y, · · · ; R) means we run it with coin tosses fixed to R. The adversary A0 is defined in Figure 2. Analysis. To reason about the behavior of A0 we define a sequence of adversaries B1 , . . . , Bq , where q is the number of decryption queries made by A. Using the existence of B1 , B2 , . . . we can lower bound the probability of the correctness of K’s answers in A01 . The analysis can be found in [2].

Acknowledgments

Following an oral presentation of an earlier version of this paper, Moni Naor suggested that we present notions of security in a manner that treats the goal and the attack model orthogonally [22]. We are indebted to him for this suggestion. We thank Hugo Krawczyk, Moti Yung, and the (other) members of the CRYPTO ’98 program committee for excellent and extensive comments. Finally we thank Oded Goldreich for many discussions on these topics. The first author was supported by a 1996 Packard Foundation Fellowship in Science and Engineering, and by NSF CAREER Award CCR-9624439. The second author was supported in part by the above mentioned grants of the first author. The fourth author was supported by NSF CAREER Award CCR9624560 and a MICRO grant from RSA Data Security, Inc..

44

Mihir Bellare et al.

References 1. M. Bellare, R. Canetti and H. Krawczyk, A modular approach to the design and analysis of authentication and key exchange protocols. Proceedings of the 30th Annual Symposium on Theory of Computing, ACM, 1998. 30 2. M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, Relations among notions of security for public-key encryption schemes. Full version of this paper, available via http://www-cse.ucsd.edu/users/mihir/ 31, 35, 35, 37, 38, 39, 42, 43, 45, 46 3. M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols. First ACM Conference on Computer and Communications Security, ACM, 1993. 29, 30 4. M. Bellare and P. Rogaway, Optimal asymmetric encryption – How to encrypt with RSA. Advances in Cryptology – Eurocrypt 94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed., Springer-Verlag, 1994. 29, 29, 30, 40 5. M. Bellare and A. Sahai, private communication, May 1998. 29, 46, 46 6. D. Bleichenbacher, A chosen ciphertext attack against protocols based on the RSA encryption standard PKCS #1, Advances in Cryptology — CRYPTO ’98 Proceedings, Lecture Notes in Computer Science, H. Krawczyk, ed., SpringerVerlag 1998. 30 7. M. Blum, P. Feldman and S. Micali, Non-interactive zero-knowledge and its applications. Proceedings of the 20th Annual Symposium on Theory of Computing, ACM, 1988. 42 8. R. Cramer and V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. Advances in Cryptology — CRYPTO ’98 Proceedings, Lecture Notes in Computer Science, H. Krawczyk, ed., Springer-Verlag 1998. 30, 30 9. I. Damg˚ ard, Towards practical public key cryptosystems secure against chosen ciphertext attacks. Advances in Cryptology – Crypto 91 Proceedings, Lecture Notes in Computer Science Vol. 576, J. Feigenbaum ed., Springer-Verlag, 1991. 30 10. A. De Santis and G. Persiano, Zero-knowledge proofs of knowledge without interaction. Proceedings of the 33rd Symposium on Foundations of Computer Science, IEEE, 1992. 41, 41, 42 11. D. Dolev, C. Dwork, and M. Naor, Non-malleable cryptography. Proceedings of the 23rd Annual Symposium on Theory of Computing, ACM, 1991. 27, 27, 29, 30, 30, 31, 33, 33, 35, 45 12. D. Dolev, C. Dwork, and M. Naor, Non-malleable cryptography. Technical Report CS95-27, Weizmann Institute of Science, 1995. 27, 29, 29, 30, 33, 33, 35, 45 13. D. Dolev, C. Dwork, and M. Naor, Non-malleable cryptography. Manuscript, 1998. 27, 29, 29, 30, 33, 33, 35, 45, 46 14. O. Goldreich, A uniform complexity treatment of encryption and zeroknowledge. Journal of Cryptology, Vol. 6, 1993, pp. 21-53. 35 15. Z. Galil, S. Haber and M. Yung, Symmetric public key encryption. Advances in Cryptology – Crypto 85 Proceedings, Lecture Notes in Computer Science Vol. 218, H. Williams ed., Springer-Verlag, 1985. 30, 42 16. Z. Galil, S. Haber and M. Yung, Security against replay chosen ciphertext attack. Distributed Computing and Cryptography , DIMACS Series in Discrete Mathematics and Theoretical Computer Science, Vol. 2, ACM, 1991. 42

Relations Among Notions of Security for Public-Key Encryption Schemes

45

17. S. Goldwasser and S. Micali, Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984. 27, 27, 29, 32 18. O. Goldreich, S. Goldwasser and S. Micali, How to construct random functions. Journal of the ACM, Vol. 33, No. 4, 1986, pp. 210–217. 39, 39 19. J. H˚ astad, R. Impagliazzo, L. Levin and M. Luby, Construction of a pseudorandom generator from any one-way function. Manuscript. Earlier versions in STOC 89 and STOC 90. 39 20. R. Impagliazzo and M. Luby, One-way functions are essential for complexity based cryptography. Proceedings of the 30th Symposium on Foundations of Computer Science, IEEE, 1989. 39 21. S. Micali, C. Rackoff and R. Sloan, The notion of security for probabilistic cryptosystems. SIAM J. of Computing, April 1988. 32 22. M. Naor, private communication, March 1998. 26, 43 23. M. Naor and M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks. Proceedings of the 22nd Annual Symposium on Theory of Computing, ACM, 1990. 27, 27, 30 24. C. Rackoff and D. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. Advances in Cryptology – Crypto 91 Proceedings, Lecture Notes in Computer Science Vol. 576, J. Feigenbaum ed., Springer-Verlag, 1991. 27, 27, 30 25. SETCo (Secure Electronic Transaction LLC), The SET standard book 3 formal protocol definitions (version 1.0). May 31, 1997. Available from http://www.setco.org/ 30 26. Y. Zheng and J. Seberry, Immunizing public key cryptosystems against chosen ciphertext attack. IEEE Journal on Selected Areas in Communications, vol. 11, no. 5, 715–724 (1993). 30

A

Comparing our Notion of NM with Simulation NM

Let SNM refer to the original, simulation-based definition of nonmalleability [11,12,13]. Its three forms are denoted SNM-CPA, SNM-CCA1, and SNM-CCA2. (In the full version of this paper [2] we recall DDN’s definition. A key feature one must note here however is that the simulator is not allowed access to a decryption oracle, even in the CCA cases. We note that we are here discussing the version of SNM without “history”; we will comment on histories later.) The question we address here is how NM-ATK compares to SNM-ATK for each ATK ∈ {CPA, CCA1, CCA2}. It is easy to see that NM-CPA ⇒ SNM-CPA. Intuitively, our definition can be viewed as requiring, for every adversary A, a specific type of simulator, which we can call a “canonical simulator,” A0 = (A01 , A02 ). The first stage, A01 , is identical to A1 . The second simulator stage A2 simply chooses a random message from the message space M that was output by A01 , and runs the adversary’s second stage A2 on an encryption of that message. Since A does not have a decryption oracle, A0 can indeed do this. If we continue to think in terms of the canonical simulator in the CCA cases, the difficulty is that this “simulator” would, in running A, now need access to a decryption oracle, which is not allowed under SNM. Thus it might appear that our definition is actually weaker, corresponding to the ability to simulate by

46

Mihir Bellare et al.

simulators which are also given the decryption oracle. However, this appearance is false; in fact, NM-ATK implies SNM-ATK for all three types of attacks ATK, including CCA1 and CCA2. This was observed by Bellare and Sahai [5]. A proof of the following can be found in [2]. Theorem 8. [5] [NM-ATK ⇒ SNM-ATK] If encryption scheme Π is secure in the sense of NM-ATK then Π is secure in the sense of SNM-ATK for any attack ATK ∈ {CPA, CCA1, CCA2}. Are the definitions equivalent? For this we must consider whether SNM-ATK ⇒ NM-ATK. This is true for ATK = CCA2 (and thus the definitions are equivalent in this case) because [13] asserts that SNM-CCA2 implies IND-CCA2 and Theorem 2 asserts IND-CCA2 implies NM-CCA2. For ATK ∈ {CPA, CCA1} the question remains open. Finally, on the subject of histories, we remark that all that we have discussed here is also true if we consider the history-inclusive versions of both definitions.

Cryptography and the Internet Steven M. Bellovin AT&T Labs–Research, Florham Park, NJ, USA [email protected] http://www.research.att.com/~smb

Abstract. After many years, cryptography is coming to the Internet. Some protocols are in common use; more are being developed and deployed. The major issue has been one of cryptographic engineering: turning academic papers into a secure, implementable specification. But there is missing science as well, especially when it comes to efficient implementation techniques.

1

Introduction

In early 1994, CERT announced1 that widespread password monitoring was occuring on the Internet. In 1995, Joncheray published a paper explaining how an eavesdropper could hijack a TCP connection [Jon95]. In mid-1998, there is still very little use of cryptography. Finally, though, there is some reason for optimism. A number of factors have combined to change people’s behavior. First, of course, there is the rise of the Internet as a mass medium, and along with it the rise of Internet commerce. Consider the following quote from a popular Web site: How does ——.com protect my credit card if I order online? ——.com takes every precaution to protect the privacy of your credit card information. We utilize Secure Socket Layers (SSL), the most advanced security system available. All of your ordering information – including your name, address, and credit card number – is encrypted using a Secure Server for maximum security. Your credit card and billing information cannot be read as it travels to our ordering system. In addition, our ordering system is not connected to the Internet and is not accessible in any way. You can also use our Standard Server, pay by phone option, or fax us your order. There are several noteworthy things here. First, of course, they advertise their use of encryption. Second, as evidenced by the phone payment option—a relatively common choice—there is still persistent public uneasiness about Internet security. Cryptography, of course, is part of the solution; thus, companies that wish to attract business are touting their use of encryption. 1

CERT Advisory CA-94:01, 3 February 1994.

H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 46–55, 1998. c Springer-Verlag Berlin Heidelberg 1998

Cryptography and the Internet

47

A second major driver for the adoption of cryptography has been the transformation of the Internet into the data network. More and more, corporations are using the Internet for general data transfer, in the same was as they have traditionally used the phone network for voice traffic. A branch office may have its own link to the Internet and communicate with the home office via this channel, instead of using a leased line. Telecommuters can use an ISP’s modem pool to dial in to work. But both of these practices are risky without encryption. Finally, the technology is ready. Computers are fast enough that the overhead for encryption is—barely, in some cases—tolerable. Standards exist for the much important types of encryption. And most—but not all—of the necessary science exists.

2

Current Uses of Cryptography on the Internet

Perhaps the most mature cryptographic technology in use on the Internet is secure email. Two different schemes—PGP and S/MIME—have achieved reasonably broad penetration. Both have been hampered, though, by lack of a widespread public-key infrastructure. While not strictly necessary, especially for use within comparatively small groups, a more broadly-based certificate graph is necessary for some uses. Imagine, for example, trying to solve the “spam” email problem by relying on PGP’s Web of Trust.2 Another notable use of cryptography is SSL, the Secure Socket Layer. While in theory quite general, in practice SSL is used almost exclusively for communication between Web browsers and servers. Furthermore, in almost all cases authentication is at best one-way—servers have certificates; clients rarely do— and in practice is unauthenticated, since most users of the technology neither know nor care what a certificate is, nor who has signed it. For that matter, the popular browsers give very little guidance on whether or not certificates should be accepted, what the meaning of the signing certificate is, etc. We thus have the dual of the situation with secure email: the certificate authorities exist, and are used, but to little practical effect. The third major area for cryptography in the Internet is the networklayer encryption and authentication protocol set, IPSEC.3 There is also a key exchange protocol derived from Diffie et al’s STS [DvW92] and Krawczyk’s SKEME [Kra96]. IPSEC provides broad-spectrum protection of communications, below the application and transport layers. It is thus invisible to them, but protects them nevertheless. 2 3

“Spam” is the common term for bulk, unsolicited commercial email. At this point, the new IPSEC RFCs have not yet been issued, though they are expected momentarily. The existing ones—RFCs 1825-1829—describe an obsolete version of the protocol. While they are useful as a general guide to IPSEC, there are a number of cryptographically significant differences between them and the newer standards.

48

Steven M. Bellovin

IPSEC also provides the ability to trade cost for granularity of protection. A single IPSEC key can protect a user, a host, or an entire network. An organization can use a single gateway, to minimize its costs; conversely, it can add IPSEC to every host, thus guarding against certain attacks within its site. Since IPSEC is just starting to be deployed, it is impossible to assess its usage patterns. Still, in at least two likely deployment patterns—firewall-to-firewall in a virtual private network (VPN) configuration, and remote employees-to-firewall— the certificate will be used for authorization. This suggests that certificates will be meaningful, but that a widespread PKI will not be needed; instead, each corporation will issue its own certificates. If IPSEC is used in other than end-to-end mode, some intermediate points must be trusted. Furthermore, since the topology of the Internet is dynamic, there may not be a fixed set of trusted parties between two endpoints wishing to converse. In many cases, such delegations should be digitally signed by the ultimate endpoint. In other cases, such as a corporate firewall, the delegation is in fact in the reverse order. That is, the administrator for some zone gigacorporation.com could in fact specify the IPSEC proxies for all hosts within that domain. Regardless, the exact set of IPSEC gateways to be used must be discovered anew for each connection. Mention should also be made of SET, a secure electronic payment protocol developed by the banking and credit card industry. It’s especially interesting because it’s a multiparty protocol: the consumer, the merchant, and the bank. It is worth noting the collision here between cryptographic theory and commercial reality: while one might think that a signature-based protocol would eliminate any need to transmit an actual credit card number, that turns out not to be the case; some merchants use credit card numbers as the look-up key for the customer databases, and are unwilling to lose the previous purchase history. Accordingly, the card number may still be sent to the merchant, though of course in encrypted form.

3

Planned Uses and Missing Pieces

There are a number of things we would like to do on the Internet; however, we don’t know how to do them. I will focus on three: efficient cryptographic processing, routing, and multi-party cryptography. The first is, of course, obvious: we need faster algorithms. While Moore’s Law has helped, often the effect of a faster CPU is that system designers demand more of it. A modern tunnel server, for example, may handle hundreds of simultaneous connections. But if these sessions are cryptographically protected, more CPU power is needed. Worse yet, the public key operations to establish these connections are very expensive. If a server handling 500 remote users crashes and reboots, it can be a quite a while before all of the sessions are re-established: the necessary public-key operations are quite expensive. A less obvious place where efficiency improvements are desperately needed is for authentication and integrity algorithms. During the development of IPSEC,

Cryptography and the Internet

49

we learned that encryption without integrity-checking is all but useless [Bel96]— it turned out to be practical to use the error propagation properties of CBC mode to construct all manner of useful but fraudulent packets. To give just one example, an attacker could splice together the body of a target packet with the header of a packet destined for his or her program. The current choices for such integrity algorithms—IPSEC currently specifies HMAC [BCK96] with either MD5 [Riv92] or SHA-1 [NIS95]—are too slow in many cases, and are not particularly suited for hardware accelerators [Tou96]. Alternatively, an encryption mode or algorithm that prevented any tampering with the ciphertext might suffice. (Rivest’s all-or-nothing encryption mode [Riv97] is too expensive.) There is also a strong need for secure routing protocols. Internet routers exchange reachability and link cost information with their neighbors; from this, each router computes the optimal path to each destination network on the Internet.4 There is no global knowledge of the actual topology. If a router lies about the networks it can reach, its neighbors will be deceived. This in turn can result in traffic being diverted to paths controlled by an enemy. While traffic encryption should prevent eavesdropping, routing attacks represent at least a denial of service attack, and—in the absence of other encryption—more serious threats. It is not obvious how to use cryptography to secure this structure. Protecting the routing exchanges between each pair of routers is straight-forward enough; the problem, however, is that each router knows only what its neighbors have said. They themselves could have been deceived. A solution will involve verifying the full path back to the owner of the network. And that in turn requires calculating and verifying many digital signatures, which is prohibitively expensive. While some work has been done [SK97, SMGLA97, HPT97, MB96], much more remains. Another interesting research area is providing adequate security for multicast sessions. While a number of protocols have been proposed, it is not clear that they are suitable. There are a number of reasons for this; prominent among them is that there is no one model for what multicast is. It may be a television-style broadcast, with authentication of all messages and perhaps encryption so that only subscribers can watch. It may be a conversation between a small number of participants. It may be a combination of a broadcast and a question-and-answer session; while anyone can speak, the session is under control of a central site, which must have the ability to exclude disruptive participants. A constraint on multicast security mechanisms is the trust model. Many proposed protocols assume that the key distribution graph is somehow related to the packet-forwarding graph. For some common uses of multicast technology, this is a bad assumption. Packet-forwarding is often configured by Internet Service Providers; ordinary users can and do create multicast sessions. A compromise 4

The actual routing structure of the Internet is far more complex than is explained here.

50

Steven M. Bellovin

position may be some way to identify some trustable subset of the forwarding graph; discovering this set—and deciding that it is trustable—is not trivial.

4

Trust and Policy Management

Many of the problems discussed earlier can be summed up in one question: who can be trusted to do what? More precisely, how can a user or a computer acting on that user’s behalf know what certificates are acceptable for a given action? Furthermore, out of the set of potentially trustable parties, which are the right ones under some given set of circumstances.? The problem shows up most clearly with IPSEC, where a machine may need to discover the identity of a security gateway for some connection. Even in that case, there can be considerably more complexity. For example, two hosts may wish to use end-to-end encryption. However, both sites are behind firewalls that wish to do their own encryption between them. Furthermore, one host may need to use authentication from it to the outbound firewall, to validate its right to send traffic out of the location. A related issue is the specification of the desired policy. How can an administrator communicate to assorted hosts the identities, both cryptographic and network, of the various gateways that must be involved in a secure connection? More to the point, how is it communicated securely? Who is authorized to set such policies, and how do the endpoints know it? With SSL and secure email, the trust question is made more complex because the answer must relate to the real world. If I request a secure connection to www.wsj.com, my Web browser warns me that the certificate was issued to interactive.wsj.com. Should these two be considered identical? The company name is Dow Jones; is that right? How should I know that, a priori? And domain names are often confusing; nasa.com bears no relation to nasa.gov. Will a user notice the distinction? One can assert that no matter the cryptographic tricks, the user of a certificate is (and should be) responsible for validating its authenticity. Often, though, it is impossible for the user to do so. In particular, a conventional certificate does not indicate what roles the holder can fulfill. The company name in my certificate indicates correctly that I work for a telecommunications company; it does not say whether or not I am authorized to accept payment for phone bills. Possibly, schemes such as PolicyMaker [BFL96, BFS98] or SDSI [RL96] will solve this problem. But enumerating all possible roles for a certificate is easy; enumerating the roles it may not fill is very hard. Furthermore, the distinction may be too subtle for a program. A server certificate valid for, say, accepting orders for books via a Web page may not be the proper certificate for software orders, even from the same Web server. But it may be the proper certificate for sending email to the customer care agent. We must also be wary of techniques that work for humans, but not for programs. A person may be wary enough to note that my certificate contains that word “research”, or that it says nothing about bill collection. But will a program

Cryptography and the Internet

51

check this? IPSEC may become the first large-scale use of certificates intended for checking by programs, not humans. Are our certificates adequate for the task?

5

Cryptography versus Cryptographic Engineering

Often, designing cryptosystems for use in the Internet is one of cryptographic engineering. Partly, it’s a matter of translating abstract notions into concrete packet formats. That is relatively simple. It’s harder to find a way to fit cryptography into a protocol that wasn’t designed to accept it. But the hardest job is maintaining security in the face of actual network practice. Consider, for example, the question of encrypting a message M . The academic paper on the subject would likely have said something like “Alice transmits {M }K to Bob”. An implementation specification might say “Use CAST-128 in CBC mode, with key K, an IV as specified above, the whole preceded by a twobyte length field. The receiver’s identity is specified in the previous message.” But even that isn’t sufficient. As we all know, ciphers can be broken. An implementable cryptographic protocol must have some way to indicate which cipher is being used. That in turn raises questions of what ciphers must be common to all implementations. Worse yet, the cipher to be used must be negotiated, and negotiated securely; an enemy who can force the use of DES instead of a more secure cipher may be able to do considerable damage. Often, different security considerations produce contradictory constraints. In [Bel96], I showed that it was much more secure to use a separate key for each connection, as opposed to a single key for all connections between a pair of hosts. But in [Bel97], I showed that per-connection keying aided an enemy cryptanalyst. Which is right? Operational considerations produce their own conflicts. The Domain Name System (DNS) relies on caches, timeouts, and hierarchies of servers to reduce the load on the network. The design, originally specified in 1983 [Moc83], requires that the record’s time-to-live be in the original response to a query, that it be decremented by servers that cache the response, and that this modified value be passed along to any machines that receive their response from the caching server. But that conflicted badly with a later desire to add digital signatures to DNS records [EK97]. Not only would recalculating the signature each time be prohibitively expensive, the caching server does not (and should not) possess the necessary signing key. Thus, the modified time-to-live field cannot be passed along in a secure fashion. Perhaps the lifetime should have been expressed as an absolute expiration time (though that has problems of its own). But Secure DNS is constrained to live with the earlier structure. Secure DNS has run into other complications as well. The format of the signed records was designed to permit the signing operation to be done offline, to safeguard the private key. However, this operational requirement conflicts with the DNS Dynamic Update protocol [BRTV97]. It has also resulted in a situation where the mechanism to indicate that a record does not exist—signed

52

Steven M. Bellovin

front- and back-pointers—can be used by an enemy to learn all of the names in a domain, which conflicts with other security requirements. But safeguarding the signing key is critical; not only does it act as a certificate-signing key, fraudulent DNS records can be used to perpetrate a wide variety of attacks on Internet systems [Bel95]. IPSEC often conflicts with firewalls. A firewall cannot examine, and hence pass or reject, an encrypted packet. Should end-to-end encryption be permitted through firewalls? The fact that a packet is encrypted and authenticated does not mean that it is harmless; an attacker may have penetrated an external system that is authorized to make incoming calls. Even outgoing calls can be used to launch attack. Suppose that a firewall is configured to permit all outbound calls. Naturally, the reply packets must be allowed back in. However, if the port numbers are encrypted the firewall cannot distinguish between a reply packet and a packet attacking a different port on the inside host. There are no good solutions for this problem. Presumably, some sort of keysharing with the firewall must take place. Again, that demands strong verification of the firewall’s right to the information. It may also demand multiparty key negotiation, or perhaps proxy cryptography [BBS98].

6

Protocol Verification

It should come as no surprise that the cryptographic protocols and mechanisms used in the Internet are in need of verification. They are complex, and as we all know, it is very easy to make mistakes in designing even simple cryptographic protocols. But the analysis here is harder, because it must contend with the complexities of real systems and real operational environments. Several examples of this can be found in [Bel96]. In one class of attacks, I showed how replays could be used to trick the host operating system into decrypting messages. There were a number of variants of this attack; the simplest involved waiting until the target program had ended, then binding to its “port” and reinjecting the messages. The key remains secure, but the plaintext is revealed. A more subtle flaw is exploited by Wagner’s short-block guessing attack. The attacker attempts to guess at the contents of packets containing a single byte of application data. It requires a modest (and practical) amount of chosen plaintext (28 blocks) and a simple (28 packet) active attack. If the injected packet contains an erroneous guess of the data byte, the receiving machine will silently discard the packet. If the guess is correct, the network-level checksum will also be correct and the receiving machine will acknowledge the packet. (The ACK messages can be seen as a side channel, similar to those exploited by Kocher in his timing and power consumption attacks.) To my knowledge, existing formal techniques cannot detect attacks such as these. At the very least, the formalism would have to include a complete description of the networking environment, and probably more besides.

Cryptography and the Internet

53

There has already been some useful input from the theory community. IPSEC originally used keyed hash functions as MACs; Preneel and van Oorschot’s attacks on these [Pv95, Pv96] caused us to adopt HMAC [BCK96], an algorithm that was proven to be secure, instead. Unfortunately, the help has not always been appreciated. The resentment has come not because of “interference” but because of its timing. In an environment where the phrase “sometimes it’s time to shoot the engineers and ship the product” can be uttered, a complaint late in the design cycle is often rejected, simply because it’s too late.

7

What Cryptography Can’t Do

Cryptography is not a panacea for the security problems of the Internet. By my count, no more than 15% of the CERT advisories over the last 10 years describe vulnerabilities that would be irrelevant in a world with ubiquitous cryptography. Most of the other advisories concerned buggy programs, a failing that cryptography cannot address. Indeed, there were a number of reports of flaws in assorted encryption and authentication programs. A second problematic area is the existence—dare I say the prevalence?—of bad cryptography. While part of the problem is lack of science—we’re all familiar with new attacks on old algorithms and protocols—more of the trouble is a lack of education. About the time I was writing this note, it was disclosed that a major vendor’s network encryption product inadvertently used DES with a 48bit key size. That was bad enough, though forgiveable and fixable. But the same product used ECB mode, an egregious error described as a deliberate design choice. Other vendors misuse stream ciphers [SM98] or invent their own flimsy algorithms—and then rely on obscurity for protection. Finally, the user interface to cryptographic functions is often lacking. I will give just one example, an encrypting mail program based on a symmetric cryptosystem. To avoid the need for the recipient to have any particular applications software, this program packages up everything into a self-extracting executable that prompts the recipient for the shared secret key. It is adding insult to injury that the keylength employed is a magnanimous 32 bits. . .

References [BBS98]

[BCK96]

[Bel95]

Matt Blaze, G. Bleumer, and Martin Strauss. Divertible protocols and atomic proxy cryptography. In Proceedings of Eurocrypt ’98, 1998. to appear. 52 M. Bellare, R. Canetti, and H. Krawczyk. Keying hash functions for message authentication. In Advances in Cryptology: Proceedings of CRYPTO ’96, pages 1–15. Springer-Verlag, 1996. 49, 53 Steven M. Bellovin. Using the domain name system for system breakins. In Proceedings of the Fifth Usenix Unix Security Symposium, pages 199–208, Salt Lake City, UT, June 1995. 52

54

Steven M. Bellovin

[Bel96]

[Bel97]

[BFL96]

[BFS98]

[BRTV97]

[DvW92]

[EK97]

[HPT97]

[Jon95]

[Kra96]

[MB96]

[Moc83]

[NIS95] [Pv95]

[Pv96] [Riv92] [Riv97]

[RL96]

Steven M. Bellovin. Problem areas for the IP security protocols. In Proceedings of the Sixth Usenix Unix Security Symposium, pages 205– 214, July 1996. 49, 51, 52 Steven M. Bellovin. Probable plaintext cryptanalysis of the IP security protocols. In Proceedings of the Symposium on Network and Distributed System Security, pages 155–160, 1997. 51 Matt Blaze, Joan Feigenbaum, and Jack Lacy. Decentralized trust management. In IEEE Symposium on Security and Privacy, pages 164–173, 1996. 50 Matt Blaze, Joan Feigenbaum, and Martin Strauss. Compliance checking in the PolicyMaker trust management system. In Proceedings of the 2nd Financial Crypto Conference, 1998. to appear. 50 J. Bound, Y. Rekhter, S. Thomson, and P. Vixie. Dynamic updates in the domain name system (DNS UPDATE). Request for Comments (Proposed Standard) 2136, Internet Engineering Task Force, April 1997. (Obsoletes RFC1035). 51 W. Diffie, P.C. van Oorschot, and M.J. Wiener. Authentication and authenticated key exchange. Designs, Codes and Cryptography, page 107, 1992. 47 D. Eastlake and C. Kaufman. Domain name system security extensions. Request for Comments (Proposed Standard) 2065, Internet Engineering Task Force, January 1997. (Obsoletes RFC1034). 51 Ralf Hauser, Tony Przgienda, and Gene Tsudik. Reducing the cost of security in link-state routing. In Proceedings of the Symposium on Network and Distributed System Security, pages 93–99, 1997. 49 Laurent Joncheray. A simple active attack against TCP. In Proceedings of the Fifth Usenix Unix Security Symposium, Salt Lake City, UT, 1995. 46 Hugo Krawczyk. SKEME: A versatile secure key exchange mechanism for internet. In Proceedings of the Internet Society Symposium on Network and Distributed System Security, pages 114–127, February 1996. 47 S.L. Murphy and M.R. Badger. Digital signature protection of the OSPf routing protocol. In Proceedings of the Symposium on Network and Distributed System Security, pages 93–102, 1996. 49 P. Mockapetris. Domain names: Concepts and facilities. RFC 882, Internet Engineering Task Force, November 1983. (Obsoleted by RFC1034); (Updated by RFC973). 51 NIST. Secure hash standard (SHS), April 1995. Federal Information Processing Standards Publication 180-1. 49 B. Preneel and Paul C. van Oorschot. MDx-MAC and building fast MACs from hash functions. In Proceedings of CRYPTO ’95, pages 1–14, 1995. 53 B. Preneel and Paul C. van Oorschot. On the security of two mac algorithms. In Proceedings of Eurocrypt ’96, pages 19–32, 1996. 53 R. Rivest. The MD5 message-digest algorithm. Request for Comments (Informational) 1321, Internet Engineering Task Force, April 1992. 49 Ronald Rivest. All-or-nothing encryption and the package transform. In Proceedings of the Fast Software Encryption Conference, 1997. To appear. 49 Ronald Rivest and Butler Lampson, 1996. Several papers can be found at http://theory.lcs.mit.edu/~cis/sdsi.html. 50

Cryptography and the Internet [SK97]

55

K.E. Sirois and S.T. Kent. Securing the nimrod routing architecture. In Proceedings of the Symposium on Network and Distributed System Security, pages 74–84, 1997. 49 [SM98] Bruce Schneier and P. Mudge. Cryptanalysis of Microsoft’s Point-toPoint Tunneling Protocol (PPTP), November 1998. 5th ACM Conference on Computer and Communications Security, to appear. 53 [SMGLA97] B.R. Smith, S. Murthy, and J.J. Garcia-Luna-Aceves. Securing distancevector routing protocols. In Proceedings of the Symposium on Network and Distributed System Security, pages 85–92, 1997. 49 [Tou96] Joseph D. Touch. Performance analysis of MD5. In Proceedings of ACM SIGCOMM ’95, pages 77–86, 1996. 49

Differential Collisions in SHA-0 Florent Chabaud and Antoine Joux ´ Centre d’Electronique de l’Armement CASSI/SCY/EC F-35998 Rennes Arm´ees, France {chabaud,joux}@celar.fr Abstract. In this paper we present a method for finding collisions in SHA-0 which is related to differential cryptanalysis of block ciphers. Using this method, we obtain a theoretical attack on the compression function SHA-0 with complexity 261 , which is thus better than the birthday paradox attack. In the case of SHA-1, this method is unable to find collisions faster than the birthday paradox. This is a strong evidence that the transition to version 1 indeed raised the level of security of SHA.

1 1.1

Description of SHA Historical Overview

The Secure Hash Standard (SHS) [7] was issued by the National Institute of Standards and Technology in 1993. It was largely inspired from Rivest’s MD4 [5]. However, a certain number of basic blocks of this function were different from MD4 ones, but no explanation was given for the choices. Two years later, an addendum was made to the standard, slightly altering the function [8]. This change was claimed to correct a technical weakness in SHA but no justification was given. Yet, it was reported that a collision attack better than the birthday paradox had been found by the NSA. Independantly, several attacks on the original MD4 function, and its MD5 improvement [6] have been published [2,4]. However, these attacks couldn’t be applied to the Secure Hash Algorithm (neither in the first nor in the second version) because of the expansion used. 1.2

Notation

The symbols we use in this paper are defined Table 1. Besides, we denote by capital letters 32-bits words, and X (i) stand for the value of X used at i-th round of SHA. 1.3

Description of SHA

Description of the Hash Function. The hash functions in the SHA family deal with 512 bits message blocks and output a 160 hash value. This hash value is formed by concatenating 5 registers of 32 bits each. In order to hash a message, several steps are performed: H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 56–71, 1998. c Springer-Verlag Berlin Heidelberg 1998

Differential Collisions in SHA-0

57

Table 1. Notations Notation IFq hX, Y, . . . , Zi + ⊕ ∨ ∧ ROL` (X) Xi

Definition Finite field with q elements. Concatenation of 32-bits words. Addition on 32-bits words modulo 232 . Exclusive or on bits or 32-bits words. Inclusive or on bits or 32-bits words. Logical and on bits or 32-bits words. Rotation by ` bits of a 32-bits word. The ith bit of 32-bits word X, from the least significant 0 to the most significant 31.

1. Pad the message to be hashed by adding a 1, aa appropriate number of 0 and the 64 bits integer representing the length of the message. After this padding operation, the message is formed of a integral number of 512 blocks. 2. Initialize 5 registers of 32 bits A, B, C, D and E with fixed constants: – A = 0x67452301 – B = 0xEFCDAB89 – C = 0x98BADCFE – D = 0x10325476 – E = 0xC3D2E1F0 3. For each message block, copy A, B, C, D and E respectively in AA, BB, CC, DD and EE. Apply the compression function to AA, BB, CC, DD, EE and the message block. This yields AA0 , BB 0 , CC 0 , DD0 and EE 0 . These 5 values are then added respectively to A, B, C, D and E. 4. Output the concatenation of A, B, C, D and E. In the remaining of this paper, we try to find collisions on the compression function, from which collision on the hash function are trivial. Description of the Compression Function. Following [7], we denote by

(0) W , . . . , W (15) the 512 bits input of SHA, constituted by 16 words of 32 bits. The first step of SHA-0 is to perform an expansion on these 512 bits. The result of this expansion is given by the following relation: W (i) = W (i−3) ⊕ W (i−8) ⊕ W (i−14) ⊕ W (i−16) , ∀i, 16 ≤ i < 80 .

(1)

These 80 words of 32 bits are used to alter the five 32-bits words state denoted of the compression by A(i) , B (i) , C (i) , D(i) , E (i)

. The initial state is the input function. We now denote it A(0) , B (0) , C (0) , D(0) , E (0) .

The modification of A(i) , B (i) , C (i) , D(i) , E (i) state is performed by the following transformation, where the function f (i) and the constant K (i) are set according to Table 2, and ADD(U, V, W, X, Y ) = U +V +W +X +Y (mod 232 ):

58

Florent Chabaud and Antoine Joux

for i = 0 to 79 A(i+1) = ADD W (i) , ROL5 A(i) , f (i) B (i) , C (i) , D(i) , E (i) , K (i) B (i+1) = A(i) C (i+1) = ROL30 B (i) D(i+1) = C (i) E (i+1) = D(i)

Table 2. SHA definition of function f (i) (X, Y, Z), and constant K (i) . Round i 0–19 20–39 40–59 60–79

Function f (i) Constant K (i) Name Definition ¯ ∧ Z) IF (X ∧ Y ) ∨ (X 0x5A827999 XOR (X ⊕ Y ⊕ Z) 0x6ED9EBA1 MAJ (X ∧ Y ) ∨ (X ∧ Z) ∨ (Y ∧ Z) 0x8F1BBCDC XOR (X ⊕ Y ⊕ Z) 0xCA62C1D6

The output of the compression function is the 160 bits word obtained in the fi

nal state A(80) , B (80) , C (80) , D(80) , E (80) . By collision, we understand the stan

dard meaning of finding two input words W (0) . . . W (15) and W 0(0) . . . W 0(15)

(80) (80) (80) (80) (80) ,C ,D ,E , using the that gives the same 160-bits output A , B

same initial value A(0) , B (0) , C (0) , D(0) , E (0) . The basic architecture of SHA can be illustrated by Fig. 1. The expansion box 512 2560 to (IF2 ) , that maps can be considered as a linear application from (IF2 )

(0) W . . . W (15) to W (0) . . . W (79) . This linear mapping is the only difference between first and second version of SHA. More precisely, the extension of SHA-1 is obtained by replacing (1) by the following equation, which differs from (1) by the one bit rotation to the left: W (i) = ROL1 W (i−3) ⊕ W (i−8) ⊕ W (i−14) ⊕ W (i−16) , ∀i, 16 ≤ i < 80 . (2) We will denote E0 the initial expansion described by (1), and E1 the modified expansion described by (2). This generic architecture defines a family of hash functions that could be derived by changing the expansion box.

2 2.1

Propagation of Local Perturbations in SHA-Like Hash Functions Weakened SHA Variations

The Bare Architecture of SHA. We first want to study the propagation of local perturbations in a fully linear variation of SHA, in order to discriminate between

Differential Collisions in SHA-0

input (512 bits) expansion E 2560 bits · · · 80 blocks of 32 bits · · · ith block at ith iteration

A

ROL5

ADD

B ROL30 C

f

K

D E

Fig. 1. SHA architecture

59

60

Florent Chabaud and Antoine Joux

the roles of the bare architecture of the hash functions on one side and of the elementary building blocks on the other side. Within the compression function of a hash function in the SHA family, there are two sources of non-linearity, the f (i) functions and the addition function ADD. Thus, the first hash function we consider is SHI11 the compression function in the SHA family built by starting from SHA-0 (thus using expansion E0 ) and by replacing the ADD function by an exclusive-or on 5 variables, and all the f (i) by XOR functions. We denote as usual by W (i) the ith word of the expansion (0 ≤ i < 80), and (i) (i) the 32 bits of this word are numbered W0 , . . . , W31 . We now relax the constraints on the W vector and temporary forget that it results from an expansion process. Thus, we can apply any local perturbation (i) on any bit of W . For example, we can negate the value of W1 . This change (i+1) (i+2) (i+3) will modify bit 1 of A , bit 1 of B , bit 31 of C , bit 31 of D(i+4) (i+5) and finally bit 31 of E . If we want to prevent further changes, we need to (i+1) (i+2) (i+3) (i+4) (i+5) , W1 , W31 , W31 and W31 . These new negate the values of bits W6 modifications prevent the change on bit 1 of A(i+1) to change bit 6 of A(i+2) , the change on bit 1 of B (i+2) to change bit 1 of A(i+3) , the change on bit 31 of C (i+3) to change bit 31 of A(i+4) , the change on bit 31 of D(i+4) to change bit 31 of A(i+5) and the change on bit 31 of E (i+5) to change bit 31 of A(i+6) . Thus (i) (i+1) (i+2) (i+3) (i+4) (i+5) , W1 , W31 , W31 and W31 gives two different negating W1 , W6 paths from A(i) , B (i) , C (i) , D(i) and E (i) to A(i+6) , B (i+6) , C (i+6) , D(i+6) and E (i+6) , and yields a local collision. This is summarized in Fig. 2. Note 1. It is clear that what we say for bit 1, can be generalized for any other bit from 0 to 31. However, it will become clear in the following (see Sect. 1), that this choice is the best one for our purpose. Hence, we focus on this value through the rest of this paper. Since everything is linear, we can apply simultaneously as many local collisions as we want and get two different paths from A(0) , B (0) , C (0) , D(0) and E (0) to A(80) , B (80) , C (80) , D(80) and E (80) , the first path using the original W and the second one using the modified one which we denote by W 0 . The question that now arises is “How to choose the local collisions to come back under the condition that both W and W 0 result from an expansion process ?” Choosing the local collisions simply means to build an error vector m0 of 80 (i) bits (numbered from 0 to 79) with a 1 in position i if we want to negate W1 . (i) However, we can’t choose to negate W1 for i ≥ 75, since a perturbation in round i is never corrected before round i + 6, and since all perturbations must be corrected by round 80. (0) (79) Let m0 , . . . , m0 be one of these error vectors. We deduce from it the E D (−5) (79) perturbative mask on W , M0 = M0 , . . . , M0 defined by: (i)

∀i, −5 ≤ i ≤ −1, M0 = 0 1

SHI1 is a French pun involving cats and dogs.

Differential Collisions in SHA-0 Perturbation

61

Corrections on bits

on bit 1 Initial state A(i) B (i) C (i)

(i)

W6

W1

W31

W31

W31

(i)

A(i+1)

A(i+2)

A(i+3)

A(i+4)

A(i+5)

W1 A1

(i+1)

(i+2)

(i+3)

(i+4)

(i+1)

(i+5)

B (i+5)

B1

(i+2)

C (i+5)

C31

(i+3)

D(i)

D(i+5)

D31

(i+4)

E (i)

E31

E (i+5)

Subscripts denote the perturbed bit of the state.

Fig. 2. SHI1 propagation of perturbation (i)

∀i, 0 ≤ i ≤ 79, M0,k = 0 if k 6= 1; (i)

(i)

∀i, 0 ≤ i ≤ 79, M0,1 = m0

.

This mask is completed by 5 zero-blocks, because the corrective masks are now deduced from this perturbative mask by translation and rotation. The first corrective mask M1 is deduced from M0 by a translation by one round, and a rotation of 5 bits to left. This rotation comes from the description of the SHA transformation (see Sect. 1.3 and Fig. 2). Hence, it applies on bits numbered k = 6. We have: (i) (i−1) . (3) ∀i, −4 ≤ i ≤ 79, M1 = ROL5 M0 The second corrective mask M2 is deduced from M0 by a translation by two rounds and no rotation (see Fig. 2). (i)

(i−2)

∀i, −3 ≤ i ≤ 79, M2 = M0

.

(4)

Similarly, M3 (resp. M4 , M5 ) are deduced from M0 by translation by three (resp. four, five) rounds, and apply on bits numbered k = 31. (i) (i−3) ; (5) ∀i, −2 ≤ i ≤ 79, M3 = ROL30 M0 (i) (i−4) ∀i, −1 ≤ i ≤ 79, M4 = ROL30 M0 ; (6) (i) (i−5) ∀i, 0 ≤ i ≤ 79, M5 = ROL30 M0 ; (7)

62

Florent Chabaud and Antoine Joux

Now, what we need is that the global differential mask M defined by (i)

(i)

(i)

(i)

(i)

(i)

∀i, 0 ≤ i ≤ 79, M (i) = M0 ⊕ M1 ⊕ M2 ⊕ M3 ⊕ M4 ⊕ M5

,

(8)

must be an output of E0 . This condition holds if all masks Mk satisfy (1), which is ensured if the initial perturbative mask satisfies the following equation: (i)

(i−3)

M0 = M0

(i−8)

⊕ M0

(i−14)

⊕ M0

(i−16)

⊕ M0

, ∀i, 11 ≤ i < 80 .

(9)

Moreover, since E0 does not interleave bits (see (1)), we can split the expansion in 32 identical boxes e0 expanding 16 bits to 80 bits, and defined by (1) considered upon bits. The box e0 is small enough to be exhaustively enumerated. The number of possible masks is in fact relatively small, as there are only 128 of the 216 = 65536 possible inputs, that satisfy (9), and the constraint of 5 zeroes on rounds 75 to 79, and thus give a mask m0 . Given such a mask, one can obtain M , and, by reversing the linear application E0 , one can compute the corresponding 512 bits input mask µ such that M = E0 (µ). As the expansion boxes of the SHA functions are coded in a systematic way, it is clear that µ = M (0) , . . . , M (15) . For all input W = W (0) . . . W (15) , W 0 = W ⊕ µ has same output by the linear compression function SHI1. Introducing Non Linear Functions. From a Deterministic to a Probabilistic Method. We now want to study the impact of non-linear functions f (i) in the security of hash function from the SHA family. We consider a second function SHI2, the compression function in the SHA family built by starting from SHA-0 (thus using expansion E0 ) and by replacing the ADD function by an exclusive-or on 5 variables. This can also be seen as SHI1 with added non-linear functions f (i) . It can easily be seen that in some cases the f (i) behaves like a XOR. Thus, the previous attack may work. The questions that arise are “When does it work?” and “What is the probability of success?” In order to compute the probability we need to make a detailed analysis of the IF and M AJ functions. Since these functions work in parallel on 32 bits, we need only study what happens on a single bit. Assuming that we study the behavior of the transition from f (i) (B (i) , C (i) , D(i) ) to f (i) (B 0(i) , C 0(i) , D0(i) ), by looking carefully at the rotations and at our perturbation model one can see that different cases can occur: 1. There is no change at all in the inputs, i.e. B (i) = B 0(i) , C (i) = C 0(i) and D(i) = D0(i) . In that case the output f (B 0(i) , C 0(i) , D0(i) ) = f (B (i) , C (i) , D(i) ) does not change and f (i) behaves as XOR. 2. There is a single difference in the entries on bit 1 of B (i) , i.e. B 0(i) = B (i) ⊕21 . In that case, f (i) behaves as a XOR, if and only if f (i) (B 0(i) , C 0(i) , D0(i) ) = f (i) (B (i) , C (i) , D(i) ) ⊕ 21 .

Differential Collisions in SHA-0

63

3. There is a single difference in the entries on bit 31 of C (i) or D(i) (exclusive or). In that case, f (i) behaves as a XOR, if and only if f (i) (B 0 , C 0(i) , D0(i) ) = f (i) (B (i) , C (i) , D(i) ) ⊕ 231 . 4. There are two differences in the entries on bits 31 of C (i) and D(i) , that is to say C 0(i) = C (i) ⊕ 231 and D0(i) = D(i) ⊕ 231 . In that case, f (i) behaves as a XOR, if and only if the output of f (i) does not change f (i) (B 0(i) , C 0(i) , D0(i) ) = f (i) (B (i) , C (i) , D(i) ). We can now look at the three last cases for the M AJ and IF function. For the M AJ function, Cases 2 and 3 behave identically, the change in the output occurs if and only if the two bits of input that do not change are opposite. This occur with probability 1/2. In Case 4, the output does not change if and only (i) (i) if the two bits C31 and D31 change in opposite directions. This occurs with probability 1/2. (i) For the IF function, in Case 2 the output changes if and only if bits C31 and (i) D31 are opposite. This occurs with probability 1/2. In Case 3, the output changes (i) (i) if and only if bit B31 points on the changing bit (i.e. B31 = 1 if C 0(i) = C (i) ⊕231 (i) changes and B31 = 0 if D0(i) = D(i) ⊕ 231 changes), this occurs with probability 1/2. In Case 4, the output will always change, so the probability of good behavior is 0. This implies, that we need to choose a perturbation pattern with no two adjacent perturbations in the IF rounds. More precisely, as the IF rounds occur from round 0 to 19 (see Table 2), and Case 4 involves states C (i) and D(i) , no two adjacent perturbations can appear before round 16, but there may be two adjacent perturbations on rounds 16 and 17, because the propagation of the error will occur for C (i) and D(i) on round 20 (see Fig. 2). Under all our constraints, we were able to find a pattern with a global probability of success of about 1/224 . We represent hereafter the corresponding 80 bits output of the e0 box. The 5 preceding zeroes are just there to recall that this pattern satisfies the constraints developed in Sect. 1: 00000 00100010000000101111 01100011100000010100 01000100100100111011 00110000111110000000 This pattern m0 is ended and preceded by 5 zeroes, and has no two adjacent bits in the 16 first rounds. By the same construction as described in Sect. 1, we obtain a differential mask that can be applied on input word, and gives a collision with non negligible probability. We reference this mask by M. Evaluating the probability of success is quite tricky, because the 16 first rounds must not be included in this evaluation. The reason for this appears when implementing the collision search. Implementing the Collision Search. We now mask M that

have the differential we can try to apply on any input word W (0) . . . W (15) . In order to check

64

Florent Chabaud and Antoine Joux

whether we have a collision or not, one has to verify for every perturbation, if the correction is done well, that is to say, if the function f (i) behaves like a XOR. Since each perturbation appears in 3 different (successive) f (i) , we need to consider many elementary probabilities. In our example, there are perturbations in positions 2, 6, 14, 16, 17, 18, 19, 21, 22, 26, 27, 28, 35, 37, 41, 45, 48, 51, 54, 55, 56, 58, 59, 62, 63, 68, 69, 70, 71 and 72. Table 3 shows which case each perturbation is related to, for the three f (i) involved. √ Note 2. In Table 3, Case 4 in M AJ case is counted for a probability 1/ 2 for each of the two perturbations involved. In this way, the global overall probability of 1/2 seen above is obtained.

Table 3. Probability of success of mask M in SHI2 model Perturbation in round i 2 6 14 16 17 18, 19, 21 22, 26, 27 28, 35 37 41 45 48 51 54 55 56 58, 59, 62 63, 68, 69 70, 71, 72

f (i+2) case f (i+3) case f (i+4) case

overall probability probability logarithm 1/8 3 1/8 3 1/8 3 = 2 + 1 (see Note 3) 1/4 2 1/2 1

IF IF IF IF IF

2 2 2 2 2

IF IF IF IF XOR

3 3 3 3 –

IF IF IF XOR XOR

3 3 3 – –

XOR

–

XOR

–

XOR

–

1

0

XOR M AJ M AJ M AJ M AJ M AJ M AJ M AJ

– 2 2 2 2 2 2 2

M AJ M AJ M AJ M AJ M AJ M AJ M AJ M AJ

3 3 3 3 3 3 4 4

M AJ M AJ M AJ M AJ M AJ M AJ M AJ XOR

3 3 3 3 3 4 4 –

1/4 1/8 1/8 1/8 1/8 √ 1/4 2 1/4 √ 1/2 2

2 3 3 3 3 2.5 2 1.5

XOR

–

XOR

–

XOR

–

1

0

As the input word is transmitted with no modification through the expansion, it is possible to split the search in two. First, we search W (0) . . . W (14) such that the function f (i) behaves like a XOR when the mask is applied. This occurs with probability 1/26, as the two perturbations involved are in positions 2 and 6. Then, W (0) . . . W (14) being fixed, we try many values of W (15) (of course we must try less than 232 , in practice any large number such as 10000 is satisfactory). Such a W (15) can lead to a collision after 80 rounds if all the other rounds behave nicely. As can be seen on Table 3, this happen with probability 1/226 . Since the

Differential Collisions in SHA-0

65

first part of the construction is done once for many W (15) , the second probability gives the real cost of the enumeration. Note 3. This first evaluation gives an overall probability of 1/226 in place of the claimed probability. But we can further refine this approach and get rid of some of the probability coming from perturbation of round 14. The first function related to this perturbation is the IF function seen in round 16. This function (16) (16) behaves nicely if bits C1 and D1 differs. These bits are known in round 14, (14) (13) since they are copies of A3 and A3 . This allows us to transfer a probability of 1/2 from the second part of the enumeration to the first one. This reduces the probability to 1/225 . The second function related to perturbation of round 14 is the IF function (17) seen in round 17. This function behaves nicely if bit B31 is a 1. Since this bit (16) is a copy of A31 , one can check its correctness just after choosing W (15) , and, if necessary, change bit 31 of W (15) before starting the testing process. This reduces the probability to the announced 1/224 . Note 4. In the case of SHI2, the collision search is very fast and can be performed in less than a half minute. Here is a sample collision: 1a6191b0 062ec496 2270fdbd 002831a9

3c4a331c 48611ca8 2a8090f0 50fe1535

1f228ea2 583401bc 4b12fd98 61ac0d3d

403b7609 399879d0 473cc7a1 f26700ec

3c4a331c c8611ca8 aa8090f0 50fe1535

1f228ea0 d83401be cb12fd98 61ac0d3f

403b7649 b9987990 c73cc7a1 f26700ac

and 1a6191b0 062ec494 2270fdbf 002831a9 both give 1334f224 21a3efc9 b667d2b2 2890013b 56013ca9 after the 80 rounds of the SHI2 function. Introducing Addition. Eventually, before dealing with SHA-0 and SHA-1 we want to study the influence of the addition ADD on our scheme of attack. We consider a third function SHI3, the compression function in the SHA family built by starting from SHA-0 (thus using expansion E0 ) and by replacing the nonlinear functions IF and M AJ by the function XOR. This can also be seen as SHI1 with the addition ADD put back. The new point here is that a perturbation may lead to carries. If we can prevent this from happening, everything will behave nicely as before. At first, it seems that each perturbation bit and each correction bit may lead to carry. This

66

Florent Chabaud and Antoine Joux

would imply an elementary probability of 1/26 per perturbation, and therefore give no usable attack. However, remember that we choose to apply perturbation (i+3) on bit 1 of W (i) thus getting three corrections on bits in position 31 (W31 , (i+4) (i+5) W31 , W31 ). Since there is no possible carry from bit 31, this halves the logarithm of the elementary probability, and this explains our above choice . (i) We can reduce this even further, suppose that W1 is a 0 and that it changes 0(i) (i+1) 0(i+1) to a 1 in W1 , if no carry occurs (probability 1/2) then A1 is a 0 (and A1 (i+1) is a 1). Following this change in the computation of A(i+2) , we see that W6 0(i+1) should be a 1 (and W6 should be a 0), otherwise the correction would lead to a carry. If this condition holds then the correction always occur without carry. The most difficult point is to correct the change in the computation of A(i+3) . (i+2) 0(i+2) to 1 (and W1 to 0). Then the correction As before, we choose to fix W1 (i+2) behaves nicely if the first bit of the result of the XOR function is equal to B1 (i+1) (i+2) (i+2) (i.e A1 ). This is true whenever C1 = D1 (with probability 1/2). (i) The very same arguments show that the probabilities are the same when W1 0(i) is a 1 (and changes to a 2 in W1 ). In fact, the important issue is that a change from 0 to 1 (an incrementation) must be corrected by a change from 1 to 0 (a decrementation) and that a change from 1 to 0 must be corrected by a change from 0 to 1. The elementary probability to consider is formed from a factor 1/2 to ensure that the initial perturbation engenders no carry, and another 1/2 to ensure that the XOR keeps the change in the same direction. Two technical complications arise in this case, the first one is that we need (i) (i+1) (i+2) to build W in such a way that W1 , W6 and W1 will satisfy the above (non-linear) constraints. Since E0 does not interleave bits, we build W1 and W6 at the very beginning and keep them fixed for the rest of the attack. The second complication comes from the fact that nothing prevents us from getting a change (i) (i+2) in W1 , and another in W1 , in that case we get different conditions on W1 and W6 but the elementary probability of 1/4 still holds. In practice, we were able to find a pattern with probability of 1/244 (computed as in the SHI2 case)2 . This pattern is: 00000 01000010100100011110 01011000001110000000 00001100000011011000 00011000101101100000 and we will denote M0 its associated differential mask. Note 5. In this second pattern, we have no condition on adjacent perturbations, since we consider f (i) to always be the XOR function. Thus, one can note that this pattern has two adjacent perturbative bits on rounds 15 and 16. 2

One can refine the enumeration process to force the perturbations of round 16 and 17 and their associated corrections to be successful. The details are too tricky to be explained here, but will appear in the journal version of this paper. This leads to a 240 running time, which was confirmed by our implementation.

Differential Collisions in SHA-0

67

Associated to this pattern, the conditions on bits 1 and 6 of W and the expansion E0 made us choose the following values for these bits: Bit1: 01110010000000011000 10101101011110000110 11010101111101101010 00001001111101010111 Bit6: 00010000000110100000 10110001101001110011 01101101011111000010 00001011101101110111 Note 6. After a few days of computation, we were able to find an explicit collision for SHI3: 53c29e14 0c0abc30 0da433ac 1a3f8b70

44fe051b 3806260d 6337b011 0e7a4620

4a8ce882 76cbeb2f 1041e2a9 25e81245

576e1943 1b8379a8 20b44364 289acb2b

44fe0519 b806260d e337b051 8e7a4622

4a8ce8c2 f6cbeb2d 9041e2ab a5e81245

576e1941 1b8379e8 20b44366 a89acb29

and 53c29e14 8c0abc30 0da433ac 9a3f8b30 both give 983d1f8e e619f190 2e94fa09 0b0d479c 4c536e3e after the 80 rounds of the SHI3 function. 2.2

True SHA-0 Case

Having studied SHI1, SHI2, and SHI3, we now come back to the SHA-0 case. In this case, all perturbations have to be inserted without any carry, as in SHI3 case. Moreover, we need to probe deeper into the analysis of the IF and M AJ functions, that we carried out to deal with SHI2. Let us start with the IF function. As in SHI2, we must consider Cases 2, 3 and 4. Case 4 is always unacceptable in a pattern of attack. In case 3, everything remains the same: the change must go through the IF function, and it happens with probability 1/2. In case 2, the change must go through the function. Moreover, as in SHI3 case, its direction must be preserved. These two conditions are satisfied with probability 1/4. For the M AJ function, we can remark that M AJ never reverses the direction of a change, so that cases 2 and 3 are left unchanged, and each one leads to an elementary probability of 1/2. However, case 4 undergoes an interesting change.

68

Florent Chabaud and Antoine Joux

The new fact, as compared to SHI2, is that as in SHI3, we have the following additional properties: (i+3)

C31

(i+4) D31

(i+1)

= A1 =

(i+2) A1

(i)

= W1 =

,

(i+1) W1

.

This means that in case 4, M AJ behaves as a XOR as soon as the following equation holds, (i) (i+1) , (10) W1 6= W1 (i+3)

(i+4)

and D31 because the result of M AJ does not change if and only if C31 change in opposite directions. Thus, when there are perturbations in round i and i + 1 with 36 ≤ i ≤ 55,, if we add the additional constraints (10) on W1 , then the elementary probability of case 4 for the M AJ function is 1. These conditions are added to the previous ones described for SHI3, when building W1 and W6 . Taking in account all these constraints, we were able to find two good patterns, with probability of success 1/268 (resp. 1/269 ). These patterns are: 00000 00010000000100100000 00100001101101111110 11010010000101010010 10100010111001100000 c=68 00000 00100010000000101111 01100011100000010100 01000100100100111011 00110000111110000000 c=69 We can now build the differential masks deduced from each pattern by the construction of Sect. 1. The second pattern was denoted M in Sect. 1. We denote the first one by M00 . Note 7. The computation of the probabilities can be done from Tables 5 and 4. As explained in Note 3, the perturbation in round 14 is on the boundary between the two enumerations. It contributes to the overall probability of success by a single 1/2. Note 8. Given a pattern M00 (resp. M), once W1 and W6 are chosen according to the constraints, the collision search by itself remains unchanged (see Sect. 1). The expected running complexity is thus 268 (resp. 269 ). However, being more careful when implementing the collision search, we can get rid of the remaining probability implied by the perturbation in round 14. We hence obtain a running complexity of 267 (resp. 268 ). Moreover, in case of M, one can also suppress the probabilities implied by the perturbations in round 16 and 17. This further decreases the probability of success of M to the claimed value of 261 . This ultimate trick can also be used in SHI2 model. Thus, instead of the probability 1/224 obtained in Note 3, we can obtain a probability of 1/220 .

Differential Collisions in SHA-0

69

Table 4. Probability of success of mask M for SHA-0 Perturbation in round i 2 6 14 16 17 18, 19, 21 22, 26, 27 28, 35 37 41 45 48 51 54 55 56 58, 59, 62 63, 68, 69 70, 71, 72

f (i+2) case f (i+3) case f (i+4) case

overall probability probability logarithm 1/32 5 1/32 5 1/32 4+1 1/16 4 1/8 3

IF IF IF IF IF

2 2 2 2 2

IF IF IF IF XOR

3 3 3 3 –

IF IF IF XOR XOR

3 3 3 – –

XOR

–

XOR

–

XOR

–

1/4

2

XOR M AJ M AJ M AJ M AJ M AJ M AJ M AJ

– 2 2 2 2 2 2 2

M AJ M AJ M AJ M AJ M AJ M AJ M AJ M AJ

3 3 3 3 3 3 4 4

M AJ M AJ M AJ M AJ M AJ M AJ M AJ XOR

3 3 3 3 3 4 4 –

1/16 1/16 1/16 1/16 1/16 1/8 1/4 1/4

4 4 4 4 4 3 2 2

XOR

–

XOR

–

XOR

–

1/4

2

Note 9. In the middle of the second 20-rounds block of pattern M with probability 1/269 (basic search) or 1/261 (improved search), we were lucky to find a group of 5 zeroes (in fact 6 but 5 is sufficient for our purpose). This allows us to stop the attack after this group, with a partial collision on 35 rounds of SHA. Here is such a partial collision: 78fb1285 4a4d1c83 a08e7920 38bef788

77a2dc84 186e8429 16a3e469 2274a40c

4035a90b 74326988 2ed4213d 4c14e934

b61f0b39 7f220f79 4a75b904 cee12cec

77a2dc84 986e8429 96a3e469 2274a40c

4035a909 f432698a aed4213d 4c14e936

b61f0b79 ff220f39 ca75b904 cee12cac

and 78fb1285 4a4d1c81 a08e7922 38bef788

both yield after 35 rounds of SHA-0: 7b907fb9 d050108b 88d6e6d6 5c70d4a3 7e06a692 The probability to find such a collision is 1/222 , using the basic collision search, or 1/214 , using the improved collision search.

70

Florent Chabaud and Antoine Joux

Table 5. Probability of success of mask M00 for SHA-0 Perturbation in round i 3 11 14 22, 27, 28 30, 31, 33 34, 35 36 37 38 40 41 43 46 51 53 55 58, 60, 62 66, 68, 69 70, 73, 74

3

f (i+2) case f (i+3) case f (i+4) case

overall probability probability logarithm 3 1/32 5 3 1/32 5 3 1/32 4+1

IF IF IF

2 2 2

IF IF IF

3 3 3

IF IF IF

XOR

–

XOR

–

XOR

–

1/4

2

XOR XOR XOR M AJ M AJ M AJ M AJ M AJ M AJ M AJ

– – – 2 2 2 2 2 2 2

XOR M AJ M AJ M AJ M AJ M AJ M AJ M AJ M AJ M AJ

– 4 4 3 4 3 3 3 3 3

M AJ M AJ M AJ M AJ M AJ M AJ M AJ M AJ M AJ M AJ

4 4 3 4 3 3 3 3 3 3

1/4 1/4 1/8 1/8 1/8 1/16 1/16 1/16 1/16 1/16

2 2 3 3 3 4 4 4 4 4

XOR

–

XOR

–

XOR

–

1/4

2

SHA-1 Case

In the SHA-1 case, the bits are interleaved and therefore it is no more possible to split the expansion in 32 little expansions. However, the invariance by translation is still true. Hence, it is still feasible to deduce the 5 corrective masks from a perturbative one, using the construction of Sect. 1. More precisely, given a perturbative mask M0 that is an output of E1 , Equ. (3) to (7) still hold, and the constructed mask M defined by (8) is again an output of E1 . Finding the perturbative mask M0 can be done using coding theory tools [3], because the mask can be considered as a low-weight codeword of the extension. Performing such a search on E1 leads to some very short codewords as compared to the dimensions of the code. However, with very high probability, no codeword of weight less than 100 exists in E1 , that satisfies the constraints (see Sect. 1), whereas there exists 27 weighted codewords in E0 . As every bit of the perturbative mask M0 implies at least a factor 1/4 in the overall probability of success, our attack will therefore be totally inefficient on SHA-1. However, it remains an open problem to see if differential masks exist in the SHA-1 case, because our attack builds very specific masks.

Differential Collisions in SHA-0

4

71

Conclusion

We have developed a new kind of attack on SHA functions that yields better results than the classical birthday-paradox attack on SHA-0. This attack is related to the well known differential cryptanalysis [1] in that it looks for some kind of characteristic masks that can be added to input word with non trivial probability of unchanging the output of the compression function. The expansion of SHA-1 seems to be designed to counter this kind of attack, which should increase the level of confidence in this standard.

Acknowledgments We wish to thank Matthew Robshaw and the referees for their valuable remarks and improvements to this paper.

References 1. E. Biham, and A. Shamir. Cryptanalysis of the Full 16-Round DES, CRYPTO’92 LNCS 740, pp 487–496, 1993. 71 2. B. den Boer, and A. Bosselaers. Collisions for the compression function of MD5, EUROCRYPT’93 LNCS 773, pp 293–304, 1994. 56 3. A. Canteaut, and F. Chabaud. A new algorithm for finding minimum-weight words in a linear code: Application to primitive narrow-sense BCH codes of length 511, IEEE Trans. Inform. Theory, IT-44(1), pp 367–378, Jan. 1998. 70 4. H. Dobbertin. Cryptanalysis of MD4, Fast Software Encryption LNCS 1039, pp 53–69, 1996. 56 5. R. Rivest. The MD4 Message-Digest Algorithm, CRYPTO’90 LNCS 537, pp 303– 311, 1991. 56 6. R. Rivest. The MD5 Message-Digest Algorithm, Network Working Group Request for Comments: 1321, April 1992. http://theory.lcs.mit.edu/~rivest/Rivest-MD5.txt 56 7. Secure Hash Standard. Federal Information Processing Standard Publication # 180, U.S. Department of Commerce, National Institute of Standards and Technology, 1993. 56, 57, 71 8. Secure Hash Standard. Federal Information Processing Standard Publication # 1801, U.S. Department of Commerce, National Institute of Standards and Technology, 1995 (addendum to [7]). 56

From Differential Cryptanalysis to Ciphertext-Only Attacks Alex Biryukov1 and Eyal Kushilevitz2 1

Applied Mathematics Department, Technion - Israel Institute of Technology, Haifa, Israel 32000. [email protected] 2 Computer Science Department, Technion - Israel Institute of Technology, Haifa, Israel 32000. [email protected]

Abstract. We present a method for efficient conversion of differential (chosen plaintext) attacks into the more practical known plaintext and ciphertext-only attacks. Our observation may save up to a factor of 220 in data over the known methods, assuming that plaintext is ASCII encoded English (or some other types of highly redundant data). We demonstrate the effectiveness of our method by practical attacks on the block-cipher Madryga and on round-reduced versions of RC5 and DES. Keywords: block-ciphers, Madryga, RC5, DES, ciphertext-only attack, differential cryptanalysis, differential-linear attack.

1

Introduction

Differential cryptanalysis [1,12] is a very powerful technique for the analysis of block-ciphers. It has been used with success against many block-ciphers, e.g. [1,2,3,18,4]. One weakness of differential cryptanalysis is that it finds chosen plaintext attacks; these are much less practical than known-plaintext and certainly than ciphertext-only attacks. Ciphertext-only attacks are the most useful attacks on cryptosystems, since they require only passive eavesdropping from the attacker. Such attacks are usually hard to find, since the assumptions on the knowledge of the attacker are minimal. Exceptions include the most basic ciphers, like simple substitution or Vigen`ere [11]. Although there exists a general method for converting any differential chosen plaintext attack into the more favorable known plaintext attack [1], this conversion becomes (almost) impractical due to the huge increase in the data requirements. If a differential attack uses m chosen-plaintext pairs, the correw√ sponding known-plaintext attack will need about 2 2 2m known plaintexts, where w is the block size (in bits) of the analyzed cryptosystem. For example, if a differential attack on a cryptosystem with 64-bit block uses only eight chosen-plaintext pairs, the corresponding known-plaintext attack will require 234 known plaintext-ciphertext pairs, an increase which makes this attack much less practical. H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 72–88, 1998. c Springer-Verlag Berlin Heidelberg 1998

From Differential Cryptanalysis to Ciphertext-Only Attacks

73

In this paper we show a method of converting successful differential chosenplaintext attacks into known-plaintext and even ciphertext-only attacks without loosing as much efficiency as the above mentioned method, and under a reasonable assumption that plaintext comes from a redundant source. Notice that due to plaintext redundancy, the probability of some input differences increases, and the probability of other input differences decreases or even becomes negligible. If the probability of the input differences which are useful for the differential attack is increased (depending on the type of input redundancy and the type of input differences required for the attack on the particular cipher), then the cipher is weaker against the differential attack combined with the redundancy assumption. We show, for example, that under the assumption that plaintext comes from ASCII encoded English encrypted in ECB (Electronic CodeBook) mode, the probability of input differences with small Hamming weight (which are the differences needed for most of the known attacks) increases significantly. Therefore, only about 214 known-plaintexts are needed for a known-plaintext attack of the previous example, saving a factor of 220 in data. Moreover, our observation helps to turn differential attacks into much more desirable ciphertext-only attacks, with modest increase in data. Our efficient conversion method applies also for the combined differential-linear attacks [13], which can be converted into efficient known-plaintext attacks. This paper is organized as follows: In section 3 we outline the principles of our method. Then, we demonstrate its applicability for various ciphers; we start by presenting a new differential attack on Madryga [14,21] with only sixteen chosen plaintext pairs. We use this cipher as a testing ground for the development of our ideas. Then, we proceed to a ciphertext-only attack on Madryga with only several thousand ciphertexts. We continue demonstrating the effectiveness of our approach with a ciphertext-only attack on 4-round RC5 using only 217 ciphertexts, and a known plaintext attack on 6-round RC5 (as of today this is the first known plaintext attack on this cipher) with about 218 plaintext/ciphertext pairs (the previous known-plaintext attack on this cipher [8] required 257 for 6-round RC5 but it was found erroneous [22]). We show a new known-plaintext attack on seven round DES [19] with about 217 known plaintexts.1 Finally we show, that our attacks are applicable not only to ECB mode, but also to the first block of the CBC (Cipher Block Chaining) mode if the initial vector (IV) is unchanged for several datagrams or incremented sequentially, starting from a random value (as is usually the practice on the Internet), and to the counter mode [21]. To conclude, we show that differential attacks are very subjective to the underlying plaintext redundancies. We mark the importance of studying differential attacks on ciphers together with the underlying redundancies of the protocols, they are used in. We also suggest methods, that may help to prevent attacks of the kind described in this paper. 1

For FEAL [16,17] there exist several very efficient known-plaintext attacks which use specific features of this cipher. Our analysis is applicable to FEAL as well but yields inferior results.

74

2

Alex Biryukov and Eyal Kushilevitz

Differential Cryptanalysis

Differential cryptanalysis is a very efficient chosen plaintext attack on blockciphers [1]. The idea of differential cryptanalysis is to analyze pairs of plaintexts instead of single plaintexts. An attacker chooses the difference ∆P between plaintexts (P, P ∗ ) and studies the propagation (avalanche) of the changes in the encryption process. During the attack he searches and then studies the ciphertexts pairs (C, C ∗ ), which exhibit difference ∆C, predicted by his analysis. Let us introduce some terminology related to differential cryptanalysis. The difference between two bit-strings X and X ∗ of equal length is defined as X ⊕ X ∗ = ∆X, where ⊕ is a bitwise XOR operation. We call a pair of plaintexts (P, P ∗ ) a good pair with respect to differential analysis of a cipher, if it exhibits the difference propagation and the output difference ∆C, predicted by the analysis of a cipher. We call noise all pairs that are suspected to be good pairs (i.e. pass all our criteria for good pairs (which we call filters)), but which do not exhibit the difference propagation, predicted by the analysis. It is well known, that unlike other chosen plaintext attacks, differential cryptanalytic attacks can be easily converted to known plaintext attacks [1]. The idea is similar to the Birthday paradox. Denote the length of the blocks in bits by w. Suppose that differential chosen plaintext attack needs m pairs to succeed, and w√ that we are given n ≈ 2 2 2m random known plaintexts and their ciphertexts. These plaintexts can form about 2w · m pairs. Since the block size is w bits, there are only 2w possible different XOR values wand thus, due to the uniform distribution of the plaintexts, there are about 2 2w·m = m pairs for each XOR value (and thus, we expect m pairs with the specific differences, used by the attack). In order to find pairs with useful input differences, one can sort the array of n known plaintext/ciphertexts by plaintexts, and then search for pairs with particular differences; the total complexity of this process is O(n log n). Once these pairs are discovered a regular differential attack on the cipher may begin.

3

On Ciphertext-Only Attacks

In this section we describe our method for converting successful differential attacks into ciphertext-only attacks (and known-plaintext attacks) with huge savings over the method described in the previous section. We show practical cases, where this conversion can be applied very efficiently. The essence of differential cryptanalysis is in studying the differences between plaintexts, without using the plaintexts themselves (although there are many ways of helping the analysis by adding the information about plaintexts). Thus, one can perform a ciphertext-only attack on a cipher as soon as he is able to detect ciphertext pairs that come from good plaintext pairs. Suppose that we are in a ciphertext-only attack scenario and that we are given only a pool of n ciphertexts, without the knowledge of the corresponding plaintexts. It may seem 2 that we will have to check all the n2 pairs, which is usually infeasible, and that we will not be able to detect pairs that exhibit useful input difference (as we show

From Differential Cryptanalysis to Ciphertext-Only Attacks

75

in the previous section). However, two observations may help in our case. First, the structure of the ciphertext difference in a good pair may be very restricted, and thus the search in a sorted pool of ciphertexts will still have O(n log n) complexity. The second observation is related to the possible redundancy of the encrypted plaintexts. Usually not all 2w blocks are ”legal” plaintexts, and the probabilities of possible plaintexts may be very non-uniform. Thus, among the pairs taken from a pool of redundant plaintexts, some differences will be very frequent, and some will never occur. Let us proceed with an important but simple to analyze example of plaintext redundancy. Suppose that the plaintext source, produces blocks of w bits, and has entropy of e bits (so there are w − e redundant bits per block). Suppose also that the entropy is ”bit-local”: a fixed subset of e bits out of w is chosen and may get all 2e possible values uniformly. The other w − e = r redundant bits are fixed to arbitrary values. This sort of redundancy describes many types of computerized information (database records, network packets, etc.). Denote the set of all such blocks as Se , and denote the set of all differences, produced by elements of Se as ∆Se . Let there exist a fast differential attack on the cipher, which succeeds with m chosen pairs, using differences from the set ∆Se . If the differences used by the differential attack are not in ∆Se , then the cipher (taken together with the redundancy assumption) is more secure against this differential attack, than in the general (uniformly random plaintext) case2 . For the described e√ 2 type of redundancy, we can use only ne ≈ 2 2m ciphertexts, which form about 2e m pairs. This pool contains about m pairs with useful input differences for a differential attack. If the corresponding plaintexts are known to the attacker, he can simply sort the table of given plaintexts and search in the sorted table for pairs that exhibit the necessary input differences and proceed to analysis of the pairs as in a regular differential attack. If the corresponding plaintexts are not known, we are in a ciphertext-only scenario. If we expect (due to differential analysis) a ciphertext difference in a good pair to have a definite structure (for example, ∆C should be a particular constant), then the probability for a random pair to have similar ciphertext difference may be as small as 2−w . Suppose for simplicity, that the probability 1 of a good pair is p ≈ m (i.e., one good pair is enough to start a differential attack, which is true in many cases). Since in a ciphertext-only scenario we do not know which m pairs exhibit useful input differences, we can only hope that about one pair in a pool of 2e m pairs of ciphertexts will be good for the differential attack3 . The Signal/Noise ratio (ratio of the probability of a good pair to the probability 2

3

This may lead to a method of strengthening for differentially-weak ciphers. Add redundancy to the plaintext, in a way, that prohibits successful input differences. For example one can use error correcting code (plaintexts be codewords), in order to avoid input differences of low Hamming weight. However, in order to find it we do not need to check all 2e m pairs. If we are looking for a well defined ciphertext difference, search in a sorted pool of ne ciphertexts will have O(ne log ne ) complexity.

76

Alex Biryukov and Eyal Kushilevitz −e

−1

r

m of noise) for the ciphertext-only attack in this case is S/N = 2 2−w = 2m . The attack will be successful if S/N > 1. We can generalize the description above in two ways. First, it may be more useful to consider a set of possible ”good” output differences ∆G of size 2k , rather than one output difference. If differences from the set ∆G are equally likely to r−k appear in a good pair, then the Signal/Noise ratio will decrease to 2 m , but the probability of a good pair will increase (since we relax the conditions on the differential propagation pattern), and thus m will decrease. In this case we have to solve a more complex search problem. For example, we would like to find all pairs with differences of low Hamming weight in reasonable time. We can state this problem as follows:

Problem 1 Find all pairs (si , sj ), i 6= j, in a given set S of n binary words from {0, 1}w , such that dH (si , sj ) ≤ k (here dH denotes Hamming distance). Let us call such pairs k-neighbors. We can reduce this problem to a well studied approximate string matching (approximate dictionary queries) problem. However most of the algorithms for this problem are linear in the document size n. Since we have to call this algorithm n times (to check neighbors of each element of the set), this results in a complexity of O(n2 ), which is the complexity of checking all pairs in the set. In [23] an efficient algorithm, based on tries, which runs in O(k|Σ|k ) expected worst case time (here |Σ| denotes the alphabet size), independently of the document size (n) is presented. Trie indices combine suffixes and so are compact in storage. Applying this algorithm to our problem, we get O(nk2k ) complexity. Though exponential in k, it still provides a better algorithm than exhaustive check of all pairs if log n > k + 1 + log k. Thus, for a set of size 220 , the search of all 15-neighbors can be performed faster than 239 using tries. Since we have seen that redundancy in some cases helps for differential attacks, our second observation concerns another useful type of redundancy — the natural language redundancy. For a natural language L over alphabet A, denote by An the set of all n-grams of the language. Then the n-gram entropy of the language is: X H(X1 , . . . , Xn ) = −P (χn = s) log P (χn = s), s∈An

where χn = (X1 , . . . , Xn ) ∈ An . We say that the language has entropy HL if: HL = lim

n→∞

H(X1 , . . . , Xn ) n

In the case of the English language successive approximations of HL go as: log2 26 ≈ 4.7, the first order approximation (English letter frequencies) gives ≈ 4.2, digram frequencies give ≈ 3.9. Shannon [24] suggests a value of 2.3 bits per letter for eight letter blocks. By various experiments, for large n the entropy decreases into the interval 1.0 ≤ HL ≤ 1.5. By a gambling technique Cover and King [6] give an estimate of 1.3 bits of information per letter. In [5] an upper

From Differential Cryptanalysis to Ciphertext-Only Attacks

77

bound of 1.75 bit per letter is estimated from a large sample of ASCII encoded English text. Our experiments with large English files show, that some differences are very frequently encountered, even in a small quantities of English plaintext. For example, differences with low Hamming weights (especially one-bit differences at the beginning and at the end of the block) are very frequent. For a more detailed study of these differences see Appendix A. This fact can be used in a differential known-plaintext and even in differential ciphertext-only attacks on block-ciphers that are weak with respect to these differences. In the following sections we demonstrate new attacks on Madryga, RC5 and DES which follow the ideas expressed in this section4 . As we explained here and as we will show in the further sections, differential attacks are very subjective to the underlying plaintext redundancies. We stress the importance of studying differential attacks on ciphers together with underlying redundancies of the protocols, they are used in.

4

Attacks on Madryga

We used the Madryga block-cipher [14,21] as a testing ground for the development of our ideas. In the following subsections we describe this cipher and our attacks on it. We first find a very fast differential attack on Madryga, which uses negligible amount of data, and then proceed to a differential ciphertext-only attack on this cipher, which is also very efficient. 4.1

Description of Madryga

Madryga is a blockcipher proposed in 1984 by W. E. Madryga [14]. It was designed for efficient software implementation. It consists of data-dependent rotations and exclusive or’s with the bytes of the key. Madryga was designed as an alternative to DES (with larger key size – 64 bits) in order to permit efficient implementation both in software and hardware. Here is a description of the encryption algorithm. Block size and key size in Madryga may vary, but 64-bit block size was suggested for compatibility with DES. The key size in this case is also 64 bits. The encryption process consists of two nested cycles. The out-most cycle consists of eight iterations of the inner cycle. The inner cycle consists of eight local operations on the block. A work frame (Frame) of three consecutive bytes b1 b2 b3 is chosen in the plaintext block (Text), starting from the second last byte (the block is treated as a cyclic entity). The 64-bit key (Key) is rotated by three bit positions to the right and exclusive or’ed with the 64-bit constant (KeyHash). Rotation amount is extracted from the three least significant bits of b3 . Then the least significant byte of the key is exclusive or’ed with b3 . The concatenation of b1 b2 is rotated by 4

For the rest of the paper, all attacks are described for the English language model of redundancy, but they work even better in the ”bit-local” model of redundancy, when the entropy e is the English language entropy.

78

Alex Biryukov and Eyal Kushilevitz

the rotation amount to the left. Then the working frame is shifted one byte to the right and the process continues. The working frame moves to the right from the starting second-last byte to the starting third-last byte. Here is a Madryga implementation (WORD is 64 bits): /* MADRYGA encryption engine, 64-bit implementation. WORD EncKey; /* Secret Key WORD KeyHash = 0x0F1E2D3C4B5A6978; /* Key Hash Constant WORD Key; /* Work Key WORD Text; /* Plaintext block WORD Frame; /* Work Frame #define FrameMask 0xFFFF #define TextMask 0xFFFFFFFFFFFF0000 Key = EncKey; for(i=0; i < 8; i++){ /* for(j=0; j < 8; j++){ /* Frame = ROTL(Text,8*j)&FrameMask;/* Key = ROTR(Key,3)^KeyHash; /* /* rotation_count = (Text >> (56-8*j)) & Text ^= (Key & 0xFF) << (56-8*j); RotateFrame( rotation_count); /* Text = (Text & ROTR(TextMask,8*j)) | } }

4.2

*/ */ */ */ */ */

Eight rounds */ Eight bytes/block*/ Copy to Frame */ Rotate & XOR */ with Hash */ 0x7;

Copy from Frame */ ROTL(Frame,64-8*j);

Differential Attack on Madryga

In this subsection we present a very efficient differential attack on Madryga, with 82% probability of success, that uses only sixteen chosen plaintext pairs. Another differential attack, using 5000 chosen plaintexts was developed by Shirriff [25]. We start with two observations. The first observation is that keyscheduling in Madryga is very simple: the initial key is at least as long as the block-size (64 bits in our case). In every iteration (every time the work frame is shifted) the key is rotated to the right 3 bits, and exclusive or’ed with the key hash constant. That means that simple equations relate bits of the key at each stage to the bits of the initial key. The second observation is that block-sizes larger than 64 bits may only weaken Madryga. Data-dependent rotations in Madryga are very local, and are the only tool to provide avalanche. It will take much longer for small differences to propagate in a larger block. We note that rotation amounts of the first round are known to an attacker. They are saved before the last byte of the working frame is exclusive or’ed with the corresponding byte of the key. Thus in a chosen plaintext attack, starting with one-bit difference in plaintexts, and setting to zero (or other appropriate value) two rotation amounts that may move this bit, one can assure that onebit difference is preserved after the first round (after eight frame operations)

From Differential Cryptanalysis to Ciphertext-Only Attacks

79

and after the second round, if difference is placed in the upper five bits of the 1 byte. With probability (0.57)4 ≈ 10 (the probability for a difference bit not to influence the rotation amounts after one round is intuitively 58 , but due to weak randomizing properties of Madryga it is slightly lower – 0.57; exact analysis was done by [25] and is confirmed by our experiments) this one-bit difference will propagate to the end of the sixth round (we number the rounds of Madryga 1, 2, . . . , 8). At the 7th and 8th rounds, we allow the difference to propagate arbitrarily (and it is even better for us if the one-bit difference will not be preserved). Due to the very slow avalanche in Madryga, it is clear that starting with chosen plaintext pair differing by one bit, we will see many zeroes in the ciphertext difference. The question is: what information about the secret key can be derived from such a pair. In order to learn more from each pair, we do not care for the behavior of the difference in the last two rounds (similar to the 2R attack in [1]). This may cause many ciphertext differences, but we use a ”go up” idea similar to [4] to trace guesses about the key bits and the difference to a one-bit difference after the sixth round. This way we get more bits of the key from each pair (at least four and up to thirty bits, depending on the difference locations in the last round), and at the same time increase the probability of a good pair. Since each found key bit can be traced exactly to a bit of the initial key (due to a simple keyscheduling algorithm in Madryga), our aim is to find about 30 key bits. The rest can be found by a reduced exhaustive search. Putting together the ideas expressed in this section, we need only about sixteen chosen pairs with one-bit differences in order to find partial information about the secret key. The rest can be done by a reduced exhaustive search, which 1 16 becomes feasible. Success probability of this attack is 1 − (1 − 10 ) ≈ 0.82. 4.3

Ciphertext-Only Attack on Madryga

In this section we demonstrate how our method can be used in order to derive ciphertext-only attacks. The differential attack described in the previous section succeeds with only about sixteen chosen pairs. Therefore the corresponding known plaintext attack, due to the conventional technique [1], will require about 235 known plaintexts. Although this number can be reduced, since any one-bit, and even two-bit input difference will suffice for our attack, the pool of required known plaintexts is still too big. Under a reasonable assumption of highly redundant plaintext (for example English text in ASCII format) the amount of data can be significantly reduced. Let us present an example of a ciphertext-only attack on Madryga with only ≈ 212 ciphertexts, corresponding to English plaintexts (95 printable ASCII characters), taken from the beginning of ”The Hound of the Baskervilles” by 12 Sir Arthur Conan Doyle. In the pool of 22 ≈ 223 English pairs, on the average about 26.6 pairs have one-bit differences. The probability that a one-bit difference will be preserved during six rounds of Madryga is about (0.57)6 ≈ 2−5 (this is lower than in the chosen plaintext case, since we cannot control the location of the difference bit and the surrounding rotation counts before the first

80

Alex Biryukov and Eyal Kushilevitz

round). Thus, about four good pairs are contained in the pool (even more if we consider other small input differences). Some of those can be detected due to low Hamming weight of the ciphertext difference. For any pair suspected to be a good pair, we ”go up” two rounds (using an idea from [4]), performing the necessary guessing, and check if we arrive at a one-bit difference. This idea is a very efficient filter, which helps us to discard almost all wrong pairs. If the pair is good, it provides us with 10–30 bits of the secret key. Combining the guesses from several good pairs we find about 30 bits of the key. The rest can be found by a simplified exhaustive search, or by further analysis of the given ciphertexts. Below, we provide an example of the attack discussed above. Note that plaintexts and Plaintext Differences are unknown to the attacker, and they appear here only for the sake of completeness. We printed only ciphertext pairs with Hamming weight (HW) less than 12 (the probability for a random pair to have such a low Hamming weight is ≈ 2−25 ). The probability for a random pair −58 to have one-bit ciphertext difference is 264 and in this example there are 64 = 2 two such differences5 ! Plain1 Plain2 Plaintext Difference Ciphertext Difference HW ----------------------------------------------------------------------’e have b’ ’u have b’ 1000000000000000 0000008000000000 1 ’t such a’ ’d such a’ 1000000000000000 0010000000000000 1 ’ fr’ ’ br’ 0000000000000400 000000D1E01C0100 11

5

Known Plaintext and Ciphertext-Only Analysis of RC5

RC5 is a fast block-cipher designed by Rivest in 1994 [20]. RC5 has an attractively simple structure. It is also very flexible to changes of parameters. RC5 has adaptable word size w in order to suit processors of different word-lengths, a variable number of rounds r and a variable-length cryptographic key b (so that the user can choose the level of security appropriate for his application). The ”nominal” choice of parameters proposed in [20] is: 32 bit words, 12 rounds and a 16 byte key. This version of RC5 is referred to as: RC5-32/12/16. Another version with 64 bit words and 16 rounds was suggested for future 64 bit architectures (RC5-64/16/16). The main feature of the cipher is intensive use of data dependent rotations. We use a description of RC5 as a so-called Feistel cipher from [8]. Denote by (L0 , R0 ) the left and right halves of the plaintext, and let Si be the ith subkey from the expanded key table S generated before encryption. The particular expansion algorithm has no influence on our cryptanalysis. As in all previous attacks, we assume that the subkeys produced by the key schedule are uniformly random. This is a reasonable assumption which helps us concentrate on the properties of the encryption engine itself (it also simplifies the analysis of probabilities). Let w denote the word size which is 32 for RC5-32/12/16. Then the ciphertext (L2r+1 , R2r+1 ) is calculated by the following equations: 5

Note that one-bit ciphertext differences are less useful to us in this scenario, since they disclose less bits of the key.

From Differential Cryptanalysis to Ciphertext-Only Attacks

81

L 1 = L 0 + S0 R1 = R0 + S1 for i = 2 to 2r + 1 do Li = Ri−1 Ri = ((Li−1 ⊕ Ri−1 ) <<< Ri−1 ) + Si , where r – is the number of rounds, A <<< B denotes the rotation of word A by (B mod w) positions to the left (if w = 32, then the rotation amount is contained in five least significant bits of B), + denotes addition (mod 2w ), and ⊕ denotes bitwise XOR. The two equations in the body of the loop are called half-round. Note that two consecutive half-rounds correspond to one original round of RC5. The two initial equations are called the zeroth half-round. Several attacks on RC5 were published [8,10,4]. Currently the best known attack on RC5-32/12/16 is [4], a differential attack which uses 244 chosen plaintexts. As of today no known-plaintext attack on RC5, even with reduced number of rounds, exists due to recent result [22] which found gaps in the linear attack on RC5 described in [8]. In this section we show a ciphertext-only attack on RC5 up to four rounds using only 217 ciphertexts and a known plaintext attack on RC5 up to six rounds, which requires about 218 known plaintext-ciphertexts. The attack described in [4] uses chosen plaintext pairs with small input differences6 . Our main observation is that, as in the previous section, assuming that plaintext comes from an ASCII encoded English (all 95 printable characters are possible), the probability of a small input difference is very high. This is true due to high redundancy of the English language, and due to the special properties of ASCII encoding (for example, upper and lower case letters differ in exactly one bit, etc.). See Appendix A for a study and examples of one-bit differences in ASCII encoded English. Our experiments show that if the differential attack on RC5 uses m√pairs, the corresponding known-plaintext attack by our method will use ≈ 210 · 2m known plaintexts. For example, since the differential attack on six rounds of RC5 requires 216 chosen plaintexts [4] our method provides a known plaintext attack on six-round RC5 with about 218 known plaintexts. However there are several important differences between the two approaches. First of all, note that the actual probability of a good pair for six rounds of RC5 is estimated in [4] to be about 2−12.6 , and 216 chosen plaintexts are required in order to detect several good pairs. Then, the differential attack generates new pairs according to the ”space oracle” suggested by several good pairs. For example, pairs with the same five least significant bits of L0 and R0 as in a good pair. This increases the probability of finding additional good pairs. In our case, we can also detect the oracle structure, but we cannot use it to a full extent by generating pairs according to it. However, we can still use it in order to refine the filtration process, since many good pairs are missed by the attack at the first stage. In our experiments we used 218 different known plaintexts (taken from books by Charles Dickens) and they resulted in about 216.6 pairs with one-bit 6

This attack uses mainly symmetric two-bit differences like 80000000 80000000, however symmetric differences are more rare than one-bit differences in our case, and thus we use one-bit differences, which are still good enough.

82

Alex Biryukov and Eyal Kushilevitz

difference. Among these we were able to detect six pairs with ciphertext difference Hamming weights less than 20 (the probability for a random pair to pass this test is about 2−16.6 ), ranging from 14 to 19. They belonged to three space oracles: two pairs to one oracle, three to another and one pair to another one. Having detected the space oracles, it becomes possible to detect more good pairs missed by the first step, due to the increase of the Signal/Noise ratio by a factor of ≈ 210 . In fact, the pool of 216.6 plaintexts with one-bit differences contains 8–16 good pairs. This amount of good pairs is enough in order to find about ten bits of the last round subkey of RC5. Although the full attack on RC5 according to [4] will require about 30 good pairs, it seems that a more thorough analysis of the given pool of pairs, assisted by a partial knowledge of the key will defeat six-round RC5 (two-bit and three-bit differences, that we omitted for simplicity of the present description will help). Furthermore, the pool of 217 ciphertexts can be used for a ciphertext-only attack on RC5 with four rounds, and detect several good pairs even for five rounds of RC5. The decrease in the number of rounds is due to more complicated filtration, required by the ciphertext-only attack. The idea of this attack is as follows. We know, that the set of all 233 pairs produced by a given pool contains lots of good pairs (more than 27 good pairs). The problem is that without knowing the corresponding plaintexts we have to check all the possible pairs, which considerably complicates the filtration process. The solution is to search for the differences with lower Hamming weight than in a known plaintext case (less than 10). Note, that oracle information from the plaintexts is unavailable in the ciphertext-only case. However, we are still able to detect about 16 good pairs with low Hamming weights (from 4 to 8 in our experiment) and derive the partial key information from them exactly as in the known plaintext case. Using the partial key information, we can proceed to check the pairs with heavier differences and thus find almost all bits of the last subkey. The attack then continues with the same data, but with RC5 reduced by one-half round. Note, that given a pool of the same size, encrypted by RC5 with five rounds, we still can detect several good pairs with high probability. A natural question that arises here is why we do not continue our attack for more rounds of RC5. For example, due to our calculation the known plaintext √ attack on eight-round RC5 by our method will require about 210 · 2 · 228 = 224.5 known plaintexts which still is a very practical amount of data7 . The problem is that we need different plaintexts. In the case of a redundant source of plaintexts we can easily get about 2nH blocks (where n denotes the size of the block in bytes, and H denotes the entropy a single byte (letter)). For the English language, organized in eight-letter blocks, we can get about 218 –219 different plaintext blocks in a file of similar size (about 30% blocks appear several times in the file of this size). Although it is possible to exceed the 2nH bound due to many rare blocks that there are in English, one will have to request much more data in the search for new blocks. Notice, however, that for 128-bit blocks this bound is 7

A pool of only about 220 different English pairs contains one good pair for eightround RC5 with high probability, but how to detect it?

From Differential Cryptanalysis to Ciphertext-Only Attacks

83

about 230 (due to the larger block size, the entropy is lower — between 1.5 and 1.7, and the distribution of the blocks is much more uniform). Thus, our method is able to penetrate RC5-64/r/16 (a 128-bit version of RC5) for more rounds. We leave the details of this attack for the full version of this paper.

6

Known Plaintext Analysis of DES

The Data Encryption Standard [19] is one of the most important block-ciphers nowadays. In the 90-s two powerful methods of cryptanalysis were developed in attempt to break DES: differential cryptanalysis [1] and linear cryptanalysis [15]. The first attack uses 247 chosen plaintexts, the second uses 243 known plaintexts. A mixed differential-linear approach was developed in [13] and successfully demonstrated on DES reduced to eight rounds. This combined approach starts as a differential attack for four rounds, preserving parity of particular bit subsets, which are then used by linear relations for the last four rounds. Their attack is a chosen plaintext attack with about 512 chosen plaintexts. In this section we show that due to differential behavior of the first rounds of the attack of [13], it is perfectly suitable for our method of converting differential attacks into known-plaintext and ciphertext-only attacks. Note however that we cannot afford structures, that were used in [13] to gain the first round for free and to decrease the data requirements from 1400 to 900 pairs. Thus, our attack works against DES, reduced to seven rounds (and not eight rounds as in [13]). We checked the probability of the input difference used in [13], assuming that plaintext is ASCII encoded English8 . In our experiment we used a file with the book ”David Copperfield” by Charles Dickens. This file contains 218 eight-byte blocks, among these about 217.3 blocks are different. This file contains more than 215 different pairs with one-bit input differences. However these differences are distributed very non-uniformly between the 64 possible bit-locations (see Appendix A). About two thirds of the differences occur in the four least significant bits of the first byte and in the four least significant bits of the last byte. The probability of a one-bit difference is relatively low for the middle bits of the block. Taking into account the initial permutation (IP) of DES (which was irrelevant to the analysis in [13]), the two bit locations toggled by the differential-linear attack occupy bits 42,50 (corresponds to original 2,3 bits) or bits 44,52 (corresponds to original 10,11 bits). In our experiment only 2 + 26 = 28 pairs toggled the first group of bits, but 388 + 1348 = 1736 toggled the second group. This data is more than sufficient, since 1400 pairs can be used by [13]’s attack in order to find six bits of the key with success probability more than 95%. Note that our aim here is to demonstrate how our ideas work in practice and not to provide the most efficient attack in a specific case. This task would require a thorough study of the underlying redundancy together with the cryptanalysis of the cipher. For example, one may find new attacks, which are optimal only in this special case. See table 1 for a summary of our results. 8

The input difference toggles bits 2 and/or 3, or 10 and/or 11, the bits are counted from 1 to 64 from msb to lsb.

84

Alex Biryukov and Eyal Kushilevitz

Cipher Data for the Attack Madryga 16 chosen plaintext pairs or 4000 ciphertexts RC5 (4 rounds) 217 ciphertexts RC5 (6 rounds) 218 known plaintexts DES (7 rounds) 217 known plaintexts

Table 1. Summary of our attacks for English plaintexts or bit-local redundancies with English entropies.

7

Discussion

In this section we discuss modes of operation of block-ciphers in the context of our attacks. See [21] for a full account on available modes of operation for block-ciphers. The attacks described in this paper are applicable first and foremost to redundant data encrypted in ECB mode or to the case, when by an error CBC decryption is performed instead of CBC encryption. However, data for these attacks can be derived from the CBC encryption mode as well in the case, when the initial vector (IV) (which is added to the first block of the plaintext before the encryption) is not frequently changed. Another case is the case of sequential IV increments (for example, a counter starting from a random value). These are common practice on the Internet, and are suggested in [9] and in several other Internet-drafts. This method is used to prevent repetitions of the first block, assuming that the first block of the datagram is constant in many applications. However, this method of IV choice provides many pairs, all with small input differences, which can be used by our attack (given the first blocks of 2k such datagrams we get k · 2k−1 pairs with one-bit differences). Another method of IV choice is the encryption of thee datagram sequence numbers or other incremented entities, and sending IV in clear (explicit IV method) in order to avoid problems with loss, duplication or re-ordering of datagrams. This method is also very vulnerable to our analysis, and so is the case with other cryptographicaly weak pseudo-random IV generators (even having relatively long periods). Note that compression option, available in several protocols, does not influence this attack, since it uses only the first block of the plaintext. A good method of IV choice, that is suggested in several recent Internet-drafts, is the last ciphertext block of the previous datagram. This method seems to provide much better resistance to the attacks described in this paper. Another application of our attack is to the block-cipher counter mode [21]. In this case a sequence of numbers is used as the input to a cipher in order to generate a pseudo-random stream. However, due to the sequential nature of the numbers being encrypted, the attacker obtains lots of data with small input differences, so this mode of operation is particularly vulnerable to our attack. There is a simple and efficient method that may increase the complexity of the present attacks (at least for the types of redundancies, used in our examples).

From Differential Cryptanalysis to Ciphertext-Only Attacks

85

Seeing that a combination of a cipher with ASCII encoded English is dangerous, one can perform a fixed random permutation of the ASCII table. Before the encryption, each plaintext byte is to be substituted for a new, permuted value. Although due to the structure of the language, there still will be many blocks differing only in one symbol, the probability of one-bit differences will decrease considerably. Another method is to use error-correcting code, and let codewords represent possible plaintexts. This way one can eliminate all the low Hamming weight differences in the plaintext. Note however, that adding redundancy to the plaintext must be checked with the other existing attacks.

Acknowledgments We would like to thank the Project Gutenberg [7], which was our source for printed texts in English and Eli Biham for helpful discussions.

References 1. E. Biham, A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, 1993. 72, 72, 72, 74, 74, 79, 79, 83 2. E. Biham, A. Shamir, Differential Cryptanalysis of Feal and N-Hash, Lecture Notes in Computer Science 547, Advances in Cryptology – EUROCRYPT’91, pp.1–17, Springer-Verlag, 1991. 72 3. E. Biham, A. Shamir, Differential Cryptanalysis of Snefru, Khafre, REDOC-II, LOKI and Lucifer, Lecture Notes in Computer Science 576, Advances in Cryptology – CRYPTO’91, pp.156–171, Springer-Verlag, 1992. 72 4. A. Biryukov, E. Kushilevitz, Improved Cryptanalysis of RC5, to appear, proceedings of EUROCRYPT’98. 72, 79, 80, 81, 81, 81, 81, 81, 82 5. P. F. Brown, V. J. Della Pietra, R. L. Mercer, S. A. Della Pietra, An Estimate of an Upper Bound for the Entropy of English, Computational Linguistics, Vol. 18, N. 1, pp.31–40, 1992. 76 6. T. M. Cover, R. King, A Convergent Gambling Estimate of the Entropy of English, IEEE Transactions on Information Theory, Vol. 24, N. 4, pp.413–421, 1978. 76 7. Project Gutenberg, http://www.promo.net/pg 85 8. B. S. Kaliski, Y. L. Yin, On Differential and Linear Cryptanalysis of the RC5 Encryption Algorithm, Lecture Notes in Computer Science 963, Advances in Cryptology – CRYPTO’95, pp.171–184, Springer-Verlag, 1995. 73, 80, 81, 81 9. P. Kharn, P. Metzger, W. Simpson, The ESP DES-CBC Transform, ftp://ftp.isi.edu/in-notes/rfc1829.txt, 1995. 84 10. L. R. Knudsen, W. Meier, Improved Differential Attacks on RC5, Lecture Notes in Computer Science 1109, Advances in Cryptology – CRYPTO’96, pp.216–228, Springer-Verlag, 1996. 81 11. A. G. Konheim, Cryptography: A Primer, New York: John Wiley & Sons, 1981. 72 12. X. Lai, J. L. Massey, S. Murphy, Markov Ciphers and Differential Cryptanalysis, Lecture Notes in Computer Science 547, Advances in Cryptology – EUROCRYPT’91, pp.17–38, Springer-Verlag, 1992. 72

86

Alex Biryukov and Eyal Kushilevitz

13. S. K. Langford, M. E. Hellman, Differential-Linear Cryptanalysis, Lecture Notes in Computer Science 839, Advances in Cryptology – CRYPTO’94, pp.17–25, Springer-Verlag, 1994. 73, 83, 83, 83, 83, 83, 83, 83 14. W. E. Madryga, A High Performance Encryption Algorithm, Computer Security: A Global Challenge, Elsevier Science Publishers, pp. 557–570, 1984. 73, 77, 77 15. M. Matsui, Linear Cryptanalysis Method of DES Cipher, Lecture Notes in Computer Science 765, Advances in Cryptology – EUROCRYPT’93, pp.386–397, Springer-Verlag, 1994. 83 16. S. Miyaguchi, A. Shiraishi, A. Shimizu, Fast Data Encryption Algorithm Feal-8, Review of Electrical Communications Laboratories, Vol. 36, N. 4, pp.433-437, 1988. 73 17. S. Miyaguchi, Feal-N specifications, NTT, 1989. 73 18. S. Murphy, The Cryptanalysis of FEAL-4 with 20 Chosen Plaintexts, Journal of Cryptology, pp.145–154, 1990. 72 19. National Bureau of Standards, Data Encryption Standard, U.S. Department of Commerce, FIPS pub. 46, 1977. 73, 83 20. R. L. Rivest, The RC5 Encryption Algorithm, Lecture Notes in Computer Science 1008, Fast Software Encryption, pp.86–96, Springer-Verlag, 1994. 80, 80 21. B. Schneier, Applied Cryptography Second Edition, John Wiley & Sons, New York, NY, 1996. 73, 73, 77, 84, 84 22. A. A. Sel¸cuk, New Results in Linear Cryptanalysis of RC5, to appear, proceedings of Fast Software Encryption 5, 1998. 73, 81 23. H. Shang, T. H. Merrettal, Tries for Approximate String Matching, IEEE Transactions on Knowledge and Data Engineering, Vol. 8, N. 4, 1996. 76 24. C. Shannon, Prediction and Entropy in Printed English, Bell Systems Technical Journal, Vol. 30, N. 1, pp.50–64, 1951. 76 25. K. Shirriff, Differential Cryptanalysis of Madryga, unpublished manuscript, http://ftp.cs.berkeley.edu/ucb/sprite/www/papers/madryga.ps, October 1995. 78, 79

A

An Example of one-bit English plaintext differences

In this Appendix we present a short study of ASCII encoded English difference behavior. We feel however, that this subject is worth a more thorough study. In the left part of Figure 1 we present the distribution of weights of the differences in a sample of 10000 blocks. We compare several English texts of the same length: a sample from Dickens, a sample from Conan Doyle, a sample from Merkle’s description of Khufu and Khafre block-ciphers and the 1st-order approximation to English (correct letter frequencies) with a sample of 10000 uniformly random blocks. Axis x marks the weights of the difference from 0 to 64. Axis y marks the number of pairs with difference weight x. One sees that all samples behave close to binomial distribution, however the mean of the random sample is around 32 while the mean of all English samples is about 20. This is explained by the fact, that English text consists mainly from ASCII encoded letters, and thus only five least significant bits of each byte (40 bits altogether) may vary, while the 24 most significant bits are constant most of the time. Thus, even before starting the analysis of the language itself, one sees that differences in ASCII encoded English are shifted to the low Hamming weight end. However in

From Differential Cryptanalysis to Ciphertext-Only Attacks

87

the 10000-block Random sample there were no differences with Hamming weight less than 11. The English samples behave very similar to each other, with an exception of the 1st-order English, which is the highest of them. This is at the cost of reduced probability of differences in the low Hamming weight tail of the distribution. However in the main part of this paper we are interested exactly in these low Hamming weight differences (e.g. one, two and three-bit differences). This shows, that simple 1st-order English is a bad approximation, for the needs of our analysis. We observed that first order word approximation and especially second order word approximation, behave very close to the real English in the area of low Hamming weight differences.

Pairs x 106

Pairs x 103 Random

-

5.50 1st ord Merkle

5.00

16.00

Doyle 4.50

Dickens

14.00

4.00 12.00 3.50 10.00 3.00

8.00

2.50

2.00

6.00

1.50 4.00 1.00 2.00 0.50

0.00

0.00 HWeight 0.00

10.00

20.00

30.00

40.00

50.00

Bits 0.00

10.00

20.00

30.00

40.00

50.00

60.00

Fig. 1. Distribution of differences: (a) left figure compares English samples vs. Random sample; (b) right figure shows distribution of one-bit differences.

In the right part of Figure 1 we show the distribution of one-bit differences in English, calculated from a sample of about 217 different blocks, taken from ”David Copperfield” by Charles Dickens. Here we number the bit locations from 0 to 63 (from lsb to msb). As mentioned above, one sees that only about 40 out of 64 bit locations account for significant amounts of one-bit differences (due to ASCII encoding of English letters). One may see that 23 of the differences occur in the four least significant bits of the first byte, and in the four least significant bits of the last byte of the block. The probability of the one-bit differences in the middle bits of the block is relatively low. Below we present an example of English one-bit differences. These are the 85 one-bit differences obtained from a file of 5000 blocks, taken from the beginning of ”The Hound of the Baskervilles” by Sir Arthur Conan Doyle. The same data was used in our ciphertext-only attack on Madryga in section 4.3.

88

Alex Biryukov and Eyal Kushilevitz

’ there h’ ’d left h’ ’ ’ ’ to be a’ ’ntation,’ ’rles’s d’ ’uld be m’ ’ examina’ ’ which s’ ’nding or’ ’ examina’ ’e been a’ ’e moor a’ ’ which c’ ’ have re’ ’ stick, ’ ’ br’ ’ was of ’ ’ have be’ ’?" "Do’ ’" "And’ ’ The ’ ’mer. "’ ’had you ’ ’er and s’ ’act ’ ’nd that ’ ’ the moo’ ’d at the’ ’e that t’ ’n that t’ ’t have b’ ’ Baskerv’ ’"I have ’ ’e upon t’ ’ld count’ ’en ’ ’s. ’ ’and ’ ’d such a’ ’He was a’ ’., from ’

’ there i’ ’d left i’ ’ "’ ’ to be c’ ’ntation.’ ’rles’s f’ ’uld be o’ ’ examine’ ’ which w’ ’nding ov’ ’ examini’ ’e been i’ ’e moor i’ ’ which s’ ’ have se’ ’ stick. ’ ’ fr’ ’ was on ’ ’ have re’ ’?" "To’ ’" "Ind’ ’ the ’ ’mes. "’ ’hat you ’ ’es and s’ ’ast ’ ’nt that ’ ’ The moo’ ’e at the’ ’d that t’ ’o that t’ ’u have b’ ’"Baskerv’ ’ I have ’ ’g upon t’ ’nd count’ ’an ’ ’w. ’ ’ind ’ ’t such a’ ’he was a’ ’n, from ’

0000000000000001 0000000000000001 0000000000000002 0000000000000002 0000000000000002 0000000000000002 0000000000000002 0000000000000004 0000000000000004 0000000000000004 0000000000000008 0000000000000008 0000000000000008 0000000000000010 0000000000000100 0000000000000200 0000000000000400 0000000000000800 0000000000001000 0000000000001000 0000000000080000 0000000020000000 0000010000000000 0000100000000000 0001000000000000 0010000000000000 0010000000000000 0020000000000000 0100000000000000 0100000000000000 0100000000000000 0100000000000000 0200000000000000 0200000000000000 0200000000000000 0200000000000000 0400000000000000 0400000000000000 0800000000000000 1000000000000000 2000000000000000 4000000000000000

’by the l’ ’er and r’ ’ health,’ ’hapter 1’ ’of the m’ ’ted. ’ ’ tha’ ’ to my a’ ’, with a’ ’ tha’ ’ the sta’ ’e last f’ ’ to be c’ ’" "I d’ ’e the re’ ’Holmes, ’ ’ do’ ’ do’ ’ my infe’ ’ the far’ ’ the Med’ ’y of the’ ’ on ’ ’wed, and’ ’ as the ’ ’ed ’ ’ it may ’ ’, d’ ’ds with ’ ’ht that ’ ’s. ’ ’u have b’ ’ that Dr’ ’d in ’ ’f the ch’ ’an ’ ’p upon t’ ’ve ’ ’f which ’ ’e have b’ ’Were the’

’by the m’ ’er and s’ ’ health.’ ’hapter 3’ ’of the o’ ’ted. "’ ’ the’ ’ to my e’ ’, with e’ ’ thi’ ’ the sti’ ’e last n’ ’ to be s’ ’" "I t’ ’e the se’ ’Holmes. ’ ’ lo’ ’ to’ ’ my inve’ ’ the nar’ ’ the med’ ’y on the’ ’ of ’ ’wet, and’ ’ is the ’ ’et ’ ’ It may ’ ’d’ ’es with ’ ’it that ’ ’r. ’ ’t have b’ ’"that Dr’ ’f in ’ ’d the ch’ ’en ’ ’t upon t’ ’re ’ ’n which ’ ’u have b’ ’were the’

0000000000000001 0000000000000001 0000000000000002 0000000000000002 0000000000000002 0000000000000002 0000000000000004 0000000000000004 0000000000000004 0000000000000008 0000000000000008 0000000000000008 0000000000000010 0000000000000010 0000000000000100 0000000000000200 0000000000000800 0000000000001000 0000000000001000 0000000000080000 0000000000200000 0000000800000000 0000080000000000 0000100000000000 0008000000000000 0010000000000000 0020000000000000 0100000000000000 0100000000000000 0100000000000000 0100000000000000 0100000000000000 0200000000000000 0200000000000000 0200000000000000 0400000000000000 0400000000000000 0400000000000000 0800000000000000 1000000000000000 2000000000000000

A Simplified Approach to Threshold and Proactive RSA Tal Rabin IBM T.J. Watson Research Center PO Box 704, Yorktown Heights, New York 10598 [email protected]

Abstract. We present a solution to both the robust threshold RSA and proactive RSA problems. Our solutions are conceptually simple, and allow for an easy design of the system. The signing key, in our solution, is shared at all times in additive form, which allows for simple signing and for a particularly efficient and straightforward refreshing process for proactivization. The key size is (up to a very small constant) the size of the RSA modulus, and the protocol runs in constant time, even when faults occur, unlike previous protocols where either the size of the key has a linear blow-up (at best) in the number of players or the run time of the protocol is linear in the number of faults. The protocol is optimal in its resilience as it can tolerate a minority of faulty players. Furthermore, unlike previous solutions, the existence and availability of the key throughout the lifetime of the system, is guaranteed without probability of error. These results are derived from a new general technique for transforming distributed computations for which there is a known n-out-n solution into threshold and robust computations. Keywords: RSA, threshold signatures, proactive signatures, threshold and proactive RSA

1

Introduction

In the distributed computation model there are problems for which the simplest solution is achieved by requiring that all players participate in the computation. Yet, clearly this requirement mandates to give up other very desirable properties, such as enabling a threshold of players to carry out the computation, and to withstand faulty behavior of players. The question which arises is are these things contradictory or whether we can utilize the simple protocol but still preserve the properties of threshold and robustness. In this paper we present a general paradigm for transforming an all player protocol into a threshold and robust protocol, while maintaining the original simplicity of the protocol. We will apply this paradigm to the specific problem of threshold and proactive RSA. The issue of maintaining secret signing keys in a distributed fashion for long periods of time, while enabling uninterrupted signing capabilities is addressed by threshold signatures and proactive security. H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 89–104, 1998. c Springer-Verlag Berlin Heidelberg 1998

90

Tal Rabin

Threshold signature schemes allow a group of players to “hold” the key and enable them, as a group, to produce signatures. We shall refer to such a scheme as a (t, n)-threshold signature scheme if there are n players and given a message m, any subset of players of size at least t + 1 can generate the signature on m. The scheme is t-secure if no subset of at most t players can compute a signature on a message not previously signed. A player will be considered corrupted if he does not follow his intended protocol. The scheme is t-robust if it can correctly compute signatures even in the presence of up to t corrupted players. The basic assumption for threshold schemes is that there are at most t faults during the lifetime of the system. Proactive signature schemes use threshold signature schemes as the basis but drastically reduce the assumption concerning failures. The lifetime of the system is split into time periods, and in each such time period it is assumed that no more than t players will be corrupted. We shall say that a scheme is t-proactive if it is secure and robust even in the presence of up to t corrupted players in every time period, where the set of corrupted players can change arbitrarily from one time period to the next. The main idea would be to preserve the value of the key but to change its representation from one period to another, so that the representations are independent. Thus, an attacker wishing to compromise the system will need to corrupt t + 1 players in a short period of time. Threshold signatures are part of a general approach known as threshold cryptography which was introduced in the works of Desmedt [Des87], Boyd [Boy89], Croft and Harris [CH89] and Desmedt and Frankel [DF89]1 . Secure robust threshold schemes for discrete log based systems have been given: El-Gamal [CMI93,Har94] and DSS [GJKR96a]. Yet, solutions for RSA seemed more elusive; the need to protect the secrecy of the factors of the composite N , among other things, disabled the direct adaptation of the techniques used in the discrete log cases to RSA. In two independent works [Boy89,Fra89] gave a first simple and elegant solution for distributed RSA, which was to maintain the signing key d (the RSA exponent) in additive form, among n players P1 , ..., Pn . Player Pi would hold a value di , where d = d1 + ...+ dn . This allows for a straight forward signing scheme, as md = md1 · ... · mdn . Thus, each player Pi gives the value mdi which is called the partial signature, and all the partial signatures are combined to form the complete signature on m. The major drawback of the n-out-n additive solution is that it does not provide for threshold (and hence robustness); if each one of these shares is held by a different player, and one of the players crashes we have lost the secret key. Desmedt and Frankel [DF91] initiated the study of threshold-RSA and gave a heuristic solution to the problem, which was followed by provably secure threshold schemes [FD92,DDFY94]. These schemes provided a step forward, however, in order to overcome the problems generated by the structure of the RSA key, very cumbersome mathematical structures were introduced. Two results followed, which used these same structures, but added robustness [FGY96,GJKR96b]. 1

For a ’94 survey we refer to [Des94].

A Simplified Approach to Threshold and Proactive RSA

91

Proactive signatures are part of a general approach known as proactive security which was introduced in the works of Ostrovsky and Yung [OY91] and Canetti and Herzberg [CH94]2 . The notion of proactive signatures and a framework for discrete log based proactive signatures was given in [HJJ+ 97], in particular incorporating the threshold DSS [GJKR96a] into this framework achieves a proactive DSS. The first solution for proactive RSA was given by Jakobsson et al. [JJKY95], but this solution was exponential in the size of the threshold. Frankel et al. [FGMY97a] used a probabilistic construction to enable a nonexponential solution. While being quite efficient for small instances this solution does not seem to scale gracefully. Furthermore, their solution did not have optimal resilience, i.e. it could not tolerate the maximal possible number of corrupted players. In a recent paper by Frankel et al. [FGMY97b] the first realistic and general solution to proactive RSA was given. By introducing new techniques they modified and proved the protocol of [DF91], and further extended it to solve the problem of proactiveness3. Utilizing our new paradigm we present a solution to both the robust threshold RSA and proactive RSA problems. The main advantage of our solutions, over previous ones, is that they are conceptually simple, and allow for an easy design of the system. We return to the construction of sharing the key at all times in additive form, which allows for simple signing and for a particularly efficient and straightforward refreshing process for proactivization. The key size is (up to a very small constant) the size of the RSA modulus, and the protocol runs in constant time, even when faults occur, unlike previous protocols where either the size of the key has a linear blow-up (at best) in the number of players or the run time of the protocol is linear in the number of faults. The protocol is optimal in its resilience as it can tolerate a minority of faulty players. Furthermore, the existence and availability of the key throughout the lifetime of the system, is guaranteed without probability of error.

2

Overview

Achieving Threshold.4 As stated the key will be shared using an n-out-n additive sharing, this results in each player holding an additive share di of the key. The threshold will be achieved through the notion of share back-up. That is, the share di will be further shared using a t-out-n secret sharing scheme. Thus, if at some point a player crashes, we will be able to retrieve that player’s additive share by activating the back-up using the reconstruction process. We shall show later ways to avoid the exposure of the additive share. The threshold property of our scheme will be inherited from the threshold property of the secret sharing 2 3 4

For a survey we refer to [CGHN97]. Some related results appear in [DJ97]. We assume a trusted dealer in our constructions but this can be substituted using the results of [BF97] for generating an RSA key in a distributed manner. Thus, the following description of our protocol starts after the key has been distributed to the players.

92

Tal Rabin

scheme. To achieve robustness the simple threshold secret sharing scheme can be substituted by a verifiable secret sharing scheme (VSS), which can tolerate t malicious faults. Thus, we achieved our goal of maintaining the sharing in additive form while providing threshold. Proactive Refreshing of Shares. The above additive scheme also lends itself nicely to proactivization, which requires to maintain the same key value yet , ..., dnew will to change its representation. A new set of additive shares dnew 1 n be generated by having each additive share di sub divided into di,1 , ..., d and i,n Pn recombining these values into new additive shares by summing dnew = j=1 dj,i . i Pn Pn = d, i.e. a new representation of d. Measures We have that i=1 di = i=1 dnew i need to be taken to ensure that this resharing has been executed properly, this will be done via a comparison of publicly known values. Share Back-up Refreshing. We will say that the share back-up of a player is valid if the value represented by the VSS is the share held by the player. Clearly, this is a requirement without which the whole idea of back-up will not work. The initial dealer is trusted, hence we assume that the back-up is valid. But now that each player has a new additive share, the share back-up needs to be refreshed as well, as it is no longer a valid back-up of the new share. This is achieved by having each player share his new share using a VSS protocol. The verification that the share back-up is valid is carried out through a comparison of values. The most important point to note is that all verifications performed in this process are computed on publicly known information and without any zeroknowledge proofs for possession of discrete log which characterize the solution of [FGMY97b]. Discarding the zero-knowledge proofs from the proactivization process is not only an issue of efficiency in computation/communication, but allows for a simpler design. Achieving Robustness. The decision on when to activate the back-up is more complex. It can be activated in cases where crashes occur, because then we know which share to reconstruct. But in the case where players are acting in a malicious manner, we first have to determine who they are before reconstructing their share from the back-up. This will be done by employing the robustness techniques which enable to verify that a partial signature was generated correctly [FGY96,GJKR96b]. Avoiding Share Exposure. It should be noted that the exposure of a player’s share when he fails does not compromise the security of the system because as long as not all shares are exposed the secrecy of the key is maintained. And as it is an assumption of the model in threshold cryptography that at no time are all the servers crashed or compromised, the security is maintained. Yet, if it is undesirable in some applications (parallel signing) or situations (a simple crash) to expose a player’s share then this can be avoided through the following. The back-up of a value will not be a single VSS but rather the value itself will be split into n parts, one assigned to each player, each such part will be further shared using VSS5 . When a player does not provide the needed partial signature then each part will be privately reconstructed to the player assigned 5

For related techniques see [GHY87]

A Simplified Approach to Threshold and Proactive RSA

93

to it. Parts assigned to faulty players will be reconstructed publicly. Thus, the original share of the player will not be exposed. If at a later time the player recovers from the crash, then his share can be privately reconstructed to him, and he would be required to refresh the back-up (even though it is valid), and then he can resume proper operation. A further extension would also enable the parallel signatures. Practical Efficiency. In the signature generation, when no faults occur, each player needs to compute a single exponentiation using a small key which is about 2 times the length of the RSA modulus. It can be optimized to eliminate the zeroknowledge proofs by checking whether the generated signature is valid. When faults occur there is the need to first check which players are faulty and then to recover the additive share of these players from the back-up. The recovery operation is an execution of a VSS Reconstruction Phase, which is an efficient protocol. Both the signature generation and the proactivization protocols are constant round protocols, even when faults occur. The proactivization process does not require zero-knowledge proofs in any case. General Paradigm The above described solution is in fact a general paradigm for transforming distributed n-out-n computations into threshold and robust computations. Given a distributed n-out-n computation where each player holds inputs which are need for the computation, these inputs need to be shared using a VSS scheme for back-up. The computation is carried out using all n players, but in the event that one (or up to t) of the players fails to cooperate, or is faulty, then his information can be reconstructed from the “back-up” copy and incorporated into the computation. Thus, the simplicity of the n-out-n protocol can be maintained while adding the properties of threshold and robustness.

3

Model

The following description is taken in part from [HJJ+ 97]. Communication Model. We assume that our computation model is composed of a set of n players {P1 , . . . , Pn } who can be modeled by polynomial-time randomized Turing machines. They are connected by a complete network of private (i.e. untappable) point-to-point channels. In addition, the players have access to a dedicated broadcast channel; by dedicated we mean that if player Pi broadcasts a message, it will be recognized by the other players as coming from Pi . These assumptions (privacy of the communication channels and dedication of the broadcast channel) allow us to focus on a high-level description of the protocols. However, it is worth noting that these abstractions can be substituted with standard cryptographic techniques for privacy, commitment and authentication. Yet, in the proactive case, under these substitutions care needs to be given to refreshing the communication keys. Time. Time is divided into time periods which are determined by the common global clock. Each time period consists of a short refresh period, during which the players engage in an interactive refreshing protocol. After the refresh,

94

Tal Rabin

there is a signature generation period, in which the players generate signatures on given messages. The Adversary. We assume an adversary, A, which can corrupt up to t of the n players in the network in each time period. A player is considered corrupted during a time period if he was corrupted during that time period or if he was corrupted during the preceeding refresh period. Furthermore, it is a malicious adversary, i.e. it learns all the information held by the corrupted players, and may cause them to divert from the specified protocol in any (possible malicious) way. We assume the adversary to be computationally bounded, implying that he cannot forge RSA signatures. Furthermore, we assume the adversary to be static6 .

4

Robust Threshold RSA

Following the method set forth in this paper we shall share the RSA secret key by a sum of shares, refer to these shares as additive-shares. We will achieve robustness by generating share back-up, i.e. each such additive-share will be further shared using a robust threshold verifiable secret sharing (VSS) scheme. Thus, we are guaranteed that we will not “lose” the additive-shares. Upon request to generate a signature each player will produce a partial signature under his additive-share. These partial signatures are combined to generate the signature. In order to optimize the protocol we will first verify whether this combined signature is valid, and if it is not then we will proceed to detect the players who have given incorrect partial signatures. We shall have a method which enables a player to prove that his partial signature is correct. If a player fails to provide the system with a correct partial signature his additive-share is reconstructed from the back-up. In order to make the composition of the additive-shares and the shares from back-up work properly, an underlying assumption has been made, and it is that the back-up value of a specific player is in fact the additive-share held by him. For ease of exposition we assume that the original dealer, sharing the secret, is honest and hence this property is satisfied, but when we move into the full proactive solution this will no longer be a valid assumption. Thus, we bear in mind this point, and will return to it in Section 5. We shall start by directly describing the Robust Threshold RSA while assuming a black-box VSS protocol. This VSS protocol enables to share a secret via its Sharing Phase, and to reconstruct a secret using its Reconstruction Phase. Denote this protocol as Feldman-Zn -VSS, (see Section 4.3). The robust threshold RSA is comprised of two protocols, an initial key distribution which is carried out once at the onset of the system. The second is the protocol for generating signatures. These protocols are described in detail in Sections 4.1 and 4.2. 6

In the full paper we shall give a proof for a static adversary at each time period. And another proof for an adaptive adversary, but at a cost in the computations of the zero-knowledge proofs.

A Simplified Approach to Threshold and Proactive RSA

4.1

95

Distributing the Secret Key

Before distributing the secret key we assume that a set-up process has been carried out in which the RSA key generation took place and the RSA key pair has been computed7 . Denote the public key by (N, e) where N = pq and p, q are primes of the form8 p = 2p0 + 1, q = 2q 0 + 1 and p0 , q 0 are primes. The private key is d where ed ≡ 1 mod φ(N ). Furthermore, the parameters of the system are set, i.e. the number of players n and the threshold t, where n ≥ 2t + 1. An element g of high order is chosen. In order to enable the proof of security the 2 4 high order element will be computed by setting g = g0L mod N where g0 is an 4

element of high order and L = n!. After this set-up process the dealer proceeds to share the key d by generating shares which sum up to the private key, and then backing-up each one of the shares using a VSS protocol. Furthermore, as discussed we will need to be able to verify partial signatures generated under each additive-key di . The dealer lays down this ability by generating a witness signature for each additive-key in the form g di mod N . This witness will be utilized in the signature generation protocol in order to verify partial signatures. In order to unify the description Pn for the players we added a public share dpublic , such that d = dpublic + i=1 di . The steps carried out by the dealer are described in Figure 1. ∗ Input: secret key d ∈ Zφ(N) , composite N , element g of high order in ZN number of players n and threshold t 2 2 1. Choose Pn and hand Pi value di ∈R [−nN ..nN ] for 1 ≤ i ≤ n, set dpublic = d − i=1 di . 4

2. Compute and broadcast the witness wi = g di mod N, 1 ≤ i ≤ n. 3. Share the value di using Feldman-ZN -VSS Sharing Phase (Figure 3) on input, value di , high order element g, composite N , the number of players n, and threshold t.

Fig. 1. Secret Key Distribution The size of the key used for signature generation, in our protocol is comparable to that of [FGMY97b], and is 2 log(nN ), and much smaller than that of [DDFY94] which is n log N and [FGMY97a] which is 106 log N for n = 10, t = 4. Our memory requirements are comparable to those of [DDFY94] and are 2n log(nN ), yet larger by a factor of n than those of [FGMY97b]. 7 8

For a distributed key generation process see Boneh and Franklin [BF97] The special form of the primes is required only to enable the efficient protocol of [GJKR96b] for proving that a partial signature is correct. If there is a need to carry out a distributed key generation then the requirement on the format of the primes can be dropped and the techniques of [FGY96] can be employed for verifying the partial signature.

96

4.2

Tal Rabin

Signature Generation

Given a message m, its signature under the public key is md mod N . In our setting this signature needs to be generated by the players in a distributed manner where each individual player uses P his partial key. As the secret key n d d is shared using a sum, i.e. d = d + public i=1 di ∈ Z, we have that m = Pn Q n mdpublic + i=1 di = mdpublic i=1 mdi mod N . Thus, if each player publicizes the di correct value m mod N which we refer to as the partial signature, then the signature can be directly computed from the partial signatures. And in fact the signature can be generated and verified before proceeding to verify each partial signature. Thus, if an error was detected we will require each player to prove that he has generated his partial signature properly. For each share di there is a public witness wi mod N which can be viewed as a commitment to the value di . When player Pi is required to prove the correctness of his partial signature σi , he will prove with respect to the witness wi that the discrete log of the partial signature is equivalent to the discrete log of the witness. If the player fails this proof, i.e. he did not generate a proper partial signature, his share di will be retrieved from the back-up VSS. This results in a constant round protocol even in the presence of faults. The protocol for signature generation is described in Figure 2.

Public information: high order element g, composite N wi mod N for 1 ≤ i ≤ n witness for Pi ’s partial key Input: message m 1. Player Pi publishes partial signature σi = mdi mod N 2. Pi proves using the protocol of [GJKR96b] (see Footnote 8) that DLm σi = DLg wi . 3. If proof fails for player Pi all players reconstruct di using the Feldman-ZN -VSS di Reconstruction Phase (Figure Qn 3), and compute σi = m mod N . dpublic σ mod N . 4. Set SIG(m) = m i=1 i

Fig. 2. Signature Generation

4.3

Verifiable Secret Sharing (VSS) over ZN

In our protocol we need to share a value s ∈ [−nN 2 ..nN 2 ] in a verifiable method. As explained above we are in effect “storing” the value s using the VSS protocol, as a back-up in case one of the players fails. Given that the only motivation for sharing s would be for back-up it seems that we could use any VSS protocol computed over a prime field, where the prime is larger than the possible range of s. In theory this is true, and we could use for example the VSS protocol of [BGW88], which is information theoretically secure. But as we have alluded

A Simplified Approach to Threshold and Proactive RSA

97

to previously we will need to check that the value shared for player Pi using the VSS corresponds to the actual additive-share held by this player. Using general zero-knowledge proofs this could still be done. Yet, we would like to provide more efficient methods for achieving these goals9. Thus, we will depart from carrying out the VSS over a prime field, and modify the protocol to work over the integers. Such solutions have been given by [DF91,FGMY97b], yet their solutions need to satisfy additional properties, which we do not require, hence these solutions are slightly more complex10 . The following protocol is similar to the one described in [FGMY97b], but which satisfies our needs. As the protocol is based on Feldman’s VSS [Fel87], we shall refer to it as Feldman-ZN -VSS. Theorem 1. The protocol described in Figure 3 is a verifiable secret sharing scheme satisfying the properties of unanimity, acceptance of good secrets, verifiability and unpredictability11 . We shall prove only the unpredictability property in Lemma 1 and 2, as the proof of the other properties follow directly from Feldman’s proof [Fel87]. We defer the simulation of the protocol to Section 4.4 where we prove the Robust Threshold RSA. Lemma 1. Given a t-adversary who can corrupt at most t players, the view of the adversary of the secret shares generated by the protocol Feldman-ZN -VSS of a secret s using a polynomial f (x), such that f (0) = s, and of the sharing of a random secret r by a polynomial r(x) with coefficients taken from the appropriate range are statistically indistinguishable. Proof appears in Appendix A. 4

2

∗ Lemma 2. Assume elements g0 , g = g0L (L = n!) of maximal order in ZN . s Given values α1 , ...αt and an additional value g mod N it is possible to compute 4 values g a1 , ..., g at mod N such that the polynomial f (x) = at xt + ... + a1 x + sL satisfies that f (i) = αi for 1 ≤ i ≤ t. 4

Proof. Define the polynomial f (x) =

Pt i=0

Q

Q

αi j6=i

i−j

j6=i (x− j)

4

where α0 = sL.

This polynomial satisfies the property that f (i) = αi for 1 ≤ i ≤ t, thus it remains to be shown that we can compute g raised to the coefficients of 9

10

11

It may be possible to use Feldman’s VSS over a prime field, which also enables efficient proofs of the above mentioned property, but this sharing would also reveal g di mod p. Though this additional information may not weaken the system, we have not found a way to prove its security. [FGMY97b] need to work over groups where the polynomial interpolation can satisfy that the Lagrangian coefficient of each component is easily computed and is in Z. In our protocol when we decide to use the VSS back-up it will be to directly reconstruct it, thus we can expose all shares and there is an option to carry out the interpolation in a prime field (where the prime will be chosen to be of a certain size). For the definition of VSS see [FM88].

98

Tal Rabin

Sharing Phase: Input: secret value s ∈ [−nN 2 ..nN 2 ] and composite N ∗ element g of high order in ZN n number of players, t threshold value The dealer carries out the following steps: 1. choose at , ..., a1 ∈ [−nL2 N 3 ..nL2 N 3 ] and define f (x) = at xt + ... + a1 x + sL 2. compute f (i) ∈ Z for 1 ≤ i ≤ n 4

4

4

and bt = g at , ..., b1 = g a1 , b0 = g sL mod N 3. hand player Pi the value f (i) and broadcast bt , ..., b0 Verification steps:

Qt

j

(b )i if the equation is not satisfied he 1. Player Pi verifies that g f (i) = j=0 j requests that the dealer make f (i) public. 2. The dealer broadcasts all shares requested in the previous step, if he fails to do so he is disqualified. 3. Player Pi carries out the verification of Step 1 for all public shares. If the verification fails the dealer is disqualified. Reconstruction Phase: Input: high order element g, composite N , number of players n, threshold t values bt , ..., b0 mod N 1. Player Pi broadcasts f (i) 2. Pj finds a set I of size t + 1 of indices such that ∀i ∈ I it holds that g f (i) = Qt j (b )i j=0 j 3. P P > 2nN 2 and computes the secret s, s Pj chooses Q a prime −j f (i) j∈I,j6=i i−j /L mod P i∈I

4

=

Fig. 3. Feldman-ZN -VSS this polynomial. Rearranging terms we have that the coefficient of xk is ak = P t Q αi λ for 0 ≤ k ≤ t, where the λk,i are computable known coni=0 (i−j) k,i j6=i

stants. A problem may arise that we would need to deal with fractions, i.e. extract roots, which is infeasible, but this has been solved through the choice of the element g. Thus g ak can be effectively computed as follows: Pt g

ak

i=0

=g

Q

2 α0 λk,0 Lt!

g0

αi j6=i

(i−j)

Qt

λk,i

=

Q

Qt

αi λk,i ) i=1 (g0

i=0 g Q L2 j6=i

αi

j6=i

(i−j)

(i−j)

λk,i

=

s λk,0 L t!

= (g )

Qt

αi λk,i ) i=1 (g0

Q

L2

j6=i

(i−j)

A Simplified Approach to Threshold and Proactive RSA

4.4

99

Proof of Robust Threshold RSA Protocol

Theorem 2. Under the assumption that factoring is intractable the protocol described in Figures 1 and 2 is a constant round secure, robust, threshold RSA scheme, in the presence of t malicious faults where the total number of players is n ≥ 2t + 1. In order to prove the security of our scheme we will use a simulation argument for the view of the adversary. Intuitively, this means that the adversary who sees all the information of the corrupted players and the signature on m, could generate by itself all the other public information produced by the protocol. A simulator for the key distribution and the signature generation is shown in Figure 4. It runs on input the elements g, g0 the value g d mod N which is the commitment to the key d, and the message m and its signature. The proof of Theorem 2 appears in Appendix A.

5

Proactive RSA

In the previous section we have described a robust threshold RSA, and the last property which we would like to add is proactive. Proactiveness is achieved through changing the representation of the key, but not its value. Given that the current representation of the key is d1 + ... + dn we would like to change it to dnew + ... + dnew 1 n . Once we have changed the representation of the key we will also need to change the representation of the back-up, and this is for two reasons: the first being that it contains the current representation and thus it should be removed, the second is that we need to have a valid back-up for the new representation, otherwise the back-up would be worthless. The essence of the proactivization protocol is that each player takes his additive-share di of the key d, splits it into sub-shares which sum up to di , and gives each player such a sub-share. Then each player adds up all the subshares which he received in order to attain his new share for the new time period. If all players act properly it is clear to see that the new sharing is still a sharing of the key d, yet the sharing is totally independent of the previous sharing. Then each player would further share his new additive share using the VSS protocol to generate the share back-up. As we do not assume that the players act properly we add steps to ensure the correctness of the proactivization. The two issues for verification are the following: 1. That the sum of the sub-shares which Pi generated is the value of the share di . This verification is easily achieved by generating witness/commitments to the new additive sub-shares, and checking in the exponent that the distribution was done properly. 2. The second verification relates to the need to ensure that the back-up generated using the VSS is in fact the new additive share held by the player. Note that after the above mentioned verification we have a witness for the

100

Tal Rabin

4

2

Input: elements g0 , g = g0L , the commitment to the signing key g d mod N the number of players and threshold n, t message m, and its signature md mod N Each step of the simulator corresponds to the same numbered step in the appropriate protocol. Note that information held solely by good players is never exposed, and thus we do not simulate it. SIM1 - Computation Secret Key Distribution 1. choose shares dˆ1 , ..., dˆn−1 ∈R [−nN 2 ..nN 2 ] and dˆpublic ∈R [−n2 N 2 ..n2 N 2 + N ] 4

4

ˆ

ˆ

ˆ n−1 = g dn−1 mod N 2. (a) compute w ˆ 1 = g d1 , ..., w dˆpublic Qn−1

4

ˆ

(b) set w ˆ n = g dn = g d /(g w ˆ i ) mod N i=1 3. Feldman-ZN -VSS (a) using Steps 1-3 of Figure 3 share the value dˆi for 1 ≤ i ≤ n − 1, this results in polynomials fˆi (x) such that fˆi (0) = dˆi L, and public information ˆ g aˆi,t , ..., g aˆi,1 , g di L mod N , where fˆi (x) = a ˆi,t xt + ... + a ˆi,1 x + dˆi L (b) generate a polynomial r(x) with coefficients in [−nL2 N 3 ..nL2 N 3 ] and con4 stant term 0. Set fˆn (i) = r(i), 1 ≤ i ≤ t. Using Lemma 2 on input fˆn (i) L for 1 ≤ i ≤ t and w ˆ n compute the values g aˆn,t , ..., g aˆn,1 mod N Signature Generation 4

ˆ

1. (a) compute σ ˆ i = mdi mod N for 1 ≤ i ≤ n − 1 4

Qn−1

σ public i=1 σ ˆ i ) mod N (b) set σ ˆ n = md /(ˆ 2. execute simulation of zero-knowledge proof as in [FGY96,GJKR96b]

Fig. 4. Simulator for Key Distribution and Signature Generation

new additive-share (through some computation), this witness is of the form new winew = g di mod N . Furthermore, when the VSS protocol is carried out for sharing a secret s, a by-product of this computation is the value g sL mod N . Thus in order to verify that the player shared the correct value all that needs to be checked is that g sL = (winew )L mod N . The share-refreshing protocol for the update period is presented in Figure 5. Theorem 3. Under the assumption that factoring is intractable the protocol described in Figures 1, 2 and 5 is a constant round secure, robust, threshold proactive RSA scheme, in the presence of t malicious faults where the total number of players is n ≥ 2t + 1. We omit the simulator and lemmas related to the size of the shares, and the fact that the repeated distribution of the signing key through additive shares

A Simplified Approach to Threshold and Proactive RSA

101

Public information: element g, composite N wi mod N for 1 ≤ i ≤ n Input of player Pi : secret share di such that g di = wi mod N 1. Player Pi randomly chooses values di,j ∈R [−N 2 ..N 2 ] for 1 ≤ j ≤ n, sets

Pn

2. 3.

4. 5.

6.

7.

4

di,public = di − j=1 di,j , computes and broadcasts gi,j = g di,j mod N . Player Pi sends to player Pj the value di,j . Verification of distribution of proper share size and public commitments: Pj verifies that di,j ∈ [−N 2 ..N 2 ] and that gi,j = g di,j mod N if not then he requests that di,j be made public and set gi,j to g raised to this public value. If Pi does not cooperate in Step 3 then his value di is reconstructed using the Reconstruction Phase (Figure 3). Verification that the sub shares Qn in fact sum up to the previous share of Pi : Pj verifies that wi = gi,public j=1 gi,j mod N , if not then player Pi ’s share di is reconstructed using the Reconstruction PnPhase. new = d (note that the value g di mod Pi computes his new share dnew i j=1 j,i Qn di,j mod N is already public), and shares it using Feldman-ZN -VSS N = j=1 g Sharing Phase. This results in a value g sL mod N where s is the secret that Pi shared. new If Pi fails to share his secret or (g di )L 6= g sL mod N then each player Pj exposes dj,i . If Pj fails to expose dj,i then dj is reconstructed by all players.

Fig. 5. Share-refreshing Protocol does not reveal any statistically significant information. These proofs are similar in flavor to the ones appearing in [FGMY97a], and will appear in the full paper.

Acknowledgments Special thanks go to Rosario Gennaro and Hugo Krawczyk for endless conversations on this topic. We thank Jessica Staddon for comments on an earlier version of the paper.

References BF97.

BGW88.

Boy89.

D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In Crypto ’97, pages 425–439, 1997. Springer-Verlag. LNCS No. 1294. 91, 95 M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness Theorems for Noncryptographic Fault-Tolerant Distributed Computations. In Proc. 20th Annual Symp. on the Theory of Computing, pages 1–10. ACM, 1988. 96 C. Boyd. Digital Multisignatures. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 241–246. Claredon Press, 1989. 90, 90

102

Tal Rabin

CGHN97.

R. Canetti, R. Gennaro, A. Herzberg, and D. Naor. Proactive Security: Long-term Protextion Against Break-ins. CryptoBytes, 3(1):1–8, 1997. 91 CH89. R. A. Croft and S. P. Harris. Public-key cryptography and re-usable shared secrets. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 189–201. Claredon Press, 1989. 90 CH94. R. Canetti and Amir Herzberg. Maintaining security in the presence of transient faults. Crypto ’94, pages 425–438, 1994. Springer-Verlag. LNCS No. 839. 91 CMI93. M. Cerecedo, T. Matsumoto, and H. Imai. Efficient and secure multiparty generation of digital signatures based on discrete logarithms. IEICE Trans. Fundamentals, E76-A(4):532–545, 1993. 90 DDFY94. Alfredo De Santis, Yvo Desmedt, Yair Frankel, and Moti Yung. How to share a function securely. In Proc. 26th Annual Symp. on the Theory of Computing, pages 522–533. ACM, 1994. 90, 95, 95 Des87. Yvo Desmedt. Society and group oriented cryptography: A new concept. In Crypto ’87, pages 120–127, Berlin, 1987. Springer-Verlag. LNCS No. 293. 90 Des94. Yvo G. Desmedt. Threshold cryptography. European Transactions on Telecommunications, 5(4):449–457, July 1994. 90 DF89. Yvo Desmedt and Yair Frankel. Threshold cryptosystems. In G. Brassard, editor, Advances in Cryptology — Crypto ’89, pages 307–315, Berlin, 1989. Springer-Verlag. LNCS No. 435. 90 DF91. Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology — Crypto ’91, pages 457–469, Berlin, 1991. Springer-Verlag. LNCS No. 576. 90, 91, 97 DJ97. Y. Desmedt and S. Jajodia. Redistributing secret shares to new access structures and its applications. Tech. Report ISSE-TR-97-01, George Mason University, July 1997. ftp://isse.gmu.edu/pub/techrep/97 01 jajodia.ps.gz. 91 FD92. Yair Frankel and Yvo Desmedt. Parallel reliable threshold multisignature. TR-92-04-02, April, Dept. of EE and CS, U of Wisconsin, 1992. 90 Fel87. P. Feldman. A Practical Scheme for Non-Interactive Verifiable Secret Sharing. In Proc. 28th Annual FOCS , pages 427–437. IEEE, 1987. 97, 97 FGMY97a. Yair Frankel, P. Gemmell, P. Mackenzie, and M. Yung. Proactive RSA. In Crypto ’97, pages 440–454, 1997. Springer-Verlag. LNCS No. 1294. 91, 95, 101 FGMY97b. Y. Frankel, P. Gemmell, P. Mackenzie, and M. Yung. Optimal resilience proactive public-key cryptosystems. In Proc. 38th FOCS , pages 384–393. IEEE, 1997. 91, 92, 95, 95, 97, 97, 97 FGY96. Y. Frankel, P. Gemmell, and M. Yung. Witness-based Cryptographic Program Checking and Robust Function Sharing. In Proc. 28th STOC, pages 499–508. ACM, 1996. 90, 92, 95, 100, 104 FM88. P. Feldman and S. Micali. An Optimal Algorithm for Synchronous Byzantine Agreement. In Proc. 20th STOC, pages 148–161. ACM, 1988. 97 Fra89. Y. Frankel. A practical protocol for large group oriented networks. In Eurocrypt ’89, pages 56–61, 1989. Springer-Verlag. LNCS No. 434. 90 GHY87. Z. Galil, S. Haber, and M. Yung. Cryptographic computation: Secure fauttolerant protocols and the public-key model. In Crypto ’87, pages 135–155, 1987. Springer-Verlag. LNCS No. 293. 92

A Simplified Approach to Threshold and Proactive RSA

103

GJKR96a. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust threshold DSS signatures. In Eurocrypt ’96, pages 354–371, 1996. Springer-Verlag. LNCS No. 1070. 90, 91, 104 GJKR96b. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust and efficient sharing of RSA functions. In Crypto ’96, pages 157–172, 1996. SpringerVerlag. LNCS No. 1109. 90, 92, 95, 96, 100 Har94. L. Harn. Group oriented (t, n) digital signature scheme. IEE Proc.Comput.Digit.Tech, 141(5):307–313, Sept 1994. 90 HJJ+ 97. Amir Herzberg, M. Jakobsson, Stanislaw Jarecki, Hugo Krawczyk, and Moti Yung. Proactive public key and signature systems. In 1997 ACM Conference on Computers and Communication Security, 1997. 91, 93 JJKY95. M. Jakobsson, S. Jarecki, H. Krawczyk, and M. Yung. Proactive RSA for Constant-Size Thresholds. Upublished manuscript, 1995. 91 OY91. R. Ostrovsky and M. Yung. How to withstand mobile virus attacks. In Proc. 10th PODC , pages 51–59. ACM, 1991. 91

A

Proofs of Theorem and Lemmas from Section 4

Proof. of Lemma 1 Denote the set of players which the adversary has corrupted by Pbad , and w.l.o.g it is a set of maximal size, i.e. |Pbad | = t. We prove that with high probability there exists a sharing of r with a polynomial r(x) which satisfies that for each player Pi ∈ Pbad the share f (i) received in the sharing of s is equal to the share received in the sharing of r, i.e. r(i) = f (i). Furthermore, the coefficients of r(x) are taken from the appropriate range. Define a polynomial h(x), such that h(0) = (s − r)L and for all Pi ∈ Pbad it holds that h(i) = 0. As we have defined the polynomial h(x) in t + 1 points we can interpolate and compute its coefficients. It remains to be shown that the coefficients are integers and to compute their range. X

h(x) =

Pi ∈Pbad ∪{0}

h(i)

Y j6=i,Pj ∈Pbad ∪{0}

x−j i−j

The only non-zero value ofQ h(x) is at evaluation point 0. Thus we have that i the above is equal to (s − r)L Pj ∈Pbad x−j −j . The coefficient of x is: X

Y (s − r)L Q (−j) Pj ∈Pbad (−j) P j∈B B⊂Pbad ,|B|=i Q The value L/ Pj ∈Pbad (−j) is an integer (note L = n!) hence the coefficient of xi is an integer. Furthermore, the coefficient can be bounded (in absolute value) by X (s − r)Lt! t ≤ (s − r)Lt! ≤ nL2 N 2 (s − r)L ≤ (s − r)L ≤ i!(t − i)! i B⊂Pbad ,|B|=i

104

Tal Rabin

The desired polynomial r(x) is f (x)−h(x), its coefficients are integers and are in the range [−(nL2 N 3 + nL2 N 2 )..nL2 N 3 + nL2 N 2 ]. Thus, the probability that 2 N2 the coefficients of r(x) will not be in the right range is at most t 2(nL22nL N 3 +nL2 N 2 ) = t t u N +1 . Proof. of Theorem 2 Correctness & Robustness. We assume Pn that the dealer carries out his protocol properly12 , hence d = dpublic + i=1 di , wi = g di mod N and the VSS corresponding to player Pi in fact shares the value di . It is easy to see that the signature generation protocol computes the correct value. Security. We give our proof by providing a simulator for the protocol, denoted SIM1, which simulates both the key distribution protocol and the signature generation protocol. Fixing an adversary A, the view of the adversary on execution of the protocol and its view on execution of the simulator are indistinguishable. W.l.o.g. assume that the adversary corrupts players P1 , ..., Pt 13 . We analyze the information viewed by the adversary which is generated by an execution of the protocol and the simulator. Secret Key Distribution 1. dˆi is a random value in [−nN 2 ..nN 2 ] and so is di for 1 ≤ i ≤ t. The value dˆpublic is a random value in [−n2 N 2 ..n2 N 2 + N ] where dpublic is from [−n2 N 2 + d..n2 N 2 + d] these distributions are statistically indistinguishable (details are clear). 2. (a) the values w ˆ i are generated in the same manner as wi and as the additiveshares have the same distribution so do the w ˆ i ’s and wi ’s for 1 ≤ i ≤ n−1 (b) as the distribution of dˆpublic is indistinguishable from that of dpublic so ˆ is the distribution of g dpublic mod N and g dpublic mod N . (c) it is easily argued that the distribution of g r mod N where r ∈ [1..ord(g)] and the distribution of g s mod N where s ∈ [−nN 2 ..nN 2 ] are statistiˆ cally indistinguishable, hence g dn is indistinguishable from g dn (resp.). 3. (a) the simulator carries out exactly the same protocol as the true execution with input values which have the same distribution as the inputs of the protocol, hence the resulting information from the VSS protocol has the same distribution. (b) the argument for this step follows from Lemma 1. Signature Generation 1. (a) follows from the argument on the distribution of dˆi . (b) same argument as in Step 2c 2. follows from the simulation proof of [FGY96,GJKR96a] t u 12 13

We can relax this assumption by introducing more verification steps in the Key Distribution Phase. W.l.o.g that it is the first t players, and that it is no less than t.

New Efficient and Secure Protocols for Verifiable Signature Sharing and Other Applications? Dario Catalano1 and Rosario Gennaro2 1

Dipartimento di Matematica, Universita’ di Catania. Viale A. Doria 6, 95100 Catania. [email protected] 2 I.B.M. T.J.Watson Research Center, P.O.Box 704, Yorktown Heights, NY 10598. [email protected]

Abstract. Verifiable Signature Sharing (VΣS ) enables the recipient of a digital signature, who is not necessarily the original signer, to share such signature among n proxies so that a subset of them can later reconstruct it. The original RSA and Rabin VΣS protocols were subsequently broken and the original DSS VΣS lacks a formal proof of security. We present new protocols for RSA, Rabin and DSS VΣS . Our protocols are efficient and provably secure and can tolerate the malicious behavior of up to half of the proxies. Furthermore we believe that some of our techniques are of independent interest. Some of the by-products of our main result are: a new threshold cryptosystem, a new undeniable signature scheme and a way to create binding RSA cryptosystems.

1

Introduction

The concept of Verifiable Signature Sharing (VΣS ) was introduced by Franklin and Reiter in [14]. VΣS enables the recipient of a digital signature, who is not necessarily the original signer, to share such signature among n proxies so that a subset of them can later reconstruct it. A VΣS protocol is divided in a sharing phase and a recover phase. At the end of the sharing phase each proxy can verify that a valid signature for the given document can be reconstructed. At the end of the recover phase such signature is reconstructed no matter what a malicious subset of proxies may do. Previous Work. In [14] efficient protocols were given for RSA, Rabin, ElGamal, Schnorr and DSS signatures. However their RSA and Rabin VΣS protocols were subsequently broken in [7]. Also their DSS VΣS achieves only an heuristic form of security. In [3] Burmester shows an unifying approach to VΣS based on homomorphism of secret sharing schemes. The approach is very elegant and also secure. ?

Extended abstract. A final version of this paper http://www.research.ibm.com/security/vsigmas.ps

H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 105–121, 1998. c Springer-Verlag Berlin Heidelberg 1998

can

be

found

at

106

Dario Catalano and Rosario Gennaro

However its generality does not yield extremely efficient protocols when applied to typical real-life signature schemes. Thus the question of efficient and provably secure VΣS schemes for RSA/Rabin and DSS was still open. Our Contribution. In this paper we present new protocols for RSA, Rabin and DSS VΣS . Our protocols are efficient and provably secure. They can tolerate a malicious sharer (who tries to share something different from a valid signature) and the malicious behavior of up to half of the proxies during sharing or reconstruction time. Motivation. It is important to notice that VΣS can be solved in theory using known cryptographic techniques for zero-knowledge proofs [22,19] and multiparty computation [20,2,5]. However these solutions are hardly practical. We focus instead on practical solutions since there are several real-life applications which would greatly benefit from secure and efficient VΣS protocols. In order to motivate the problem we present first some of the most interesting applications in which VΣS can be used. The main application of VΣS is the incorporation of digital cash into multiparty protocols. Consider the example of cash escrow: digital cash can be represented as the bank’s signature on a digital coin or e-check. By using VΣS financial institutions can divide the cash among a set of authorities so that only through the cooperation of a threshold of them it is possible to spend it, yet the authorities can verify that they collectively have the cash. A related application is secure distributed auctions: bidders to an auction may be required to verifiably share a signature on a check for the amount of their bid. This way it will be impossible for the winner of the bid to default (since the proxies can reconstruct his check), while the payments of the losers will never be recovered. More generally VΣS is useful when a signed document should become valid only under certain conditions. By verifiably sharing the signature, one makes sure that the signature will be recovered if and only if such conditions are created. Other Applications. We believe that parts of our solution are relevant on their own. For example, in Section 3 we present a new threshold cryptosystem which is possibly of independent interest. VΣS protocols are somewhat related to undeniable signatures (introduced by Chaum in [4]), i.e. signatures that can be verified only with the help of the signer. RSA-based undeniable signatures were recently introduced in [17]. Our RSA construction can be seen as an alternative to [17] (though admittedly a less efficient scheme). Interestingly the structure of our RSA VΣS protocol can also be used to construct binding RSA cryptosystems. In [31] the concept of binding cryptography was introduced. In a binding publickey cryptosystem the sender encrypts a message under both the public key of the receiver and the public key of a third party and prove in (non-interactive) ZK that the two ciphertexts contain the same message. In [31] a scheme for binding ElGamal was presented. We show that our RSA VΣS scheme can be used to construct binding RSA public key encryptions. Details about these applications can be found in the final paper.

Protocols for Verifiable Signature Sharing and Other Applications

1.1

107

Overview of Our Solution

Let Bob be the signer, Alice the recipient of the signature and P1 , . . . , Pn the proxies (see Section 2 for a detailed description of the model). The RSA scheme. Let (NB , vB ) be Bob’s RSA public key. The matching signing key is sB such that sB vB = 1 mod φ(NB ). We assume the standard “hashand-sign” paradigm. Alice receives a message M from Bob and Bob’s signature S = msB mod NB on it where m = H(M ) for some collision-resistant hash function H. Alice wants to verifiably share the value S among the proxies P1 , . . . , Pn . That is, at the end of the sharing phase the proxies must be assured that they hold shares of Bob’s signature on m (from now on we will drop the hashing step since it is irrelevant to our purposes). Our new RSA VΣS scheme is based on a completely novel approach. Alice will not share S using conventional secret sharing schemes, but instead she will encrypt S using a threshold cryptosystem, i.e. a public key whose matching secret key is kept shared at the proxies. That is, she gives to the proxies the values m and CS = EEK (S) where E is a public key encryption scheme and the decryption key DK is shared at the proxies, i.e. each proxy Pi has a share DKi of a t-out-of-n secret sharing of DK. At this point all we need is a mechanism to convince the proxies that the decryption of CS is really the signature S on m without revealing S. The crux of the problem was to design a threshold cryptosystem that would make such proof efficient. The main idea here is to use the ElGamal encryption scheme [10,11] over the same composite modulus NB over which the signature was computed. This will allows us to construct efficient methods to convince the proxies that the ciphertext contains the signature. We present two such methods. (1) One is for Alice to provide a zero-knowledge proof [22] that CS contains S. We present an efficient ZK proof for this task. (2) The other variant consists on the proxies using their private key to decrypt a message CˆS publicly computable from CS . If such decryption equals the message m, then the proxies are guaranteed that CS contains the signature S. Method (1) is more efficient for the proxies, but requires interaction with Alice. Method (2) is more efficient for Alice and requires no interaction between her and the proxies. The solution is described in detail in Section 4. The DSS scheme. The DSS VΣS scheme is a modified version of the ElGamal VΣS scheme from [14] which allows for a proof of security. The solution is described in Section 5. 1.2

Related Work

Some ideas in our new RSA VΣS scheme have appeared previously in the literature although in different contexts and with different usage. Performing secret sharing by encrypting a value with a symmetric key that is shared among the proxy appeared first in [23] as a way to shorten the size of shares in computationally secure secret sharing schemes.

108

Dario Catalano and Rosario Gennaro

The idea of encrypting a signature and then proving in ZK that the ciphertext contains a valid signature has appeared in several places. In [8] it was proposed as a general paradigm to construct undeniable signatures but the specific efficient solutions work only for ElGamal-like signatures. In [1] this technique was used to construct fair exchange of digital signatures between two parties using an off-line trusted center. The paper is not concerned with using a threshold cryptosystem for encrypting the signature. Moreover they present general solutions for RSA and DSS signatures using any kind of public-key encryption but employing inefficient binary cut-and-choose ZK proofs which require a number of public-key operations which is proportional to the security parameter. Stadler in [30] uses ElGamal over a composite to verifiably encrypt e-roots. But when it comes to share such encryptions, his scheme can only deal with additive access structures, thus resulting in an O(nt ) exponential blow-up to achieve a t-out-of-n threshold scheme. The construction of an ElGamal-like threshold cryptosystem over a composite modulus uses techniques from the areas of threshold [9,15] and proactive [13,27] RSA signature schemes.

2

Preliminaries

The Model. We assume there are three entities. The signer (which in the following we will usually call Bob), the recipient (Alice) and a set of n proxies. The VΣS protocol will be between Alice and the proxies and must not involve Bob. We assume that Alice and the proxies are connected by a full network of private channels and by a broadcast channel. These assumptions allow us to focus on a high-level description of the protocols. However, it is worth noting that these abstractions can be substituted with standard cryptographic techniques for privacy, commitment and authentication. In some of the variations of our protocols it will not be necessary to have private channels between Alice and the proxies. We assume that there exist an adversary A who can corrupt Alice and at most t of the proxies. By corrupting a player, A can read his memory and cause him to deviate arbitrarily from the protocol. We assume the adversary is static i.e. the set of corrupted players is decided at the beginning of the computation of a protocol. Finally we assume communication to be synchronous. We do however allow for rushing adversaries, i.e. adversaries who decide the messages of the bad players at round R after having seen the messages of the good players at the same round. Notation. In the rest of the paper n will denote the number of proxies and L = n!. If N is a composite modulus, we denote with G0 an element of maximal 2 ∗ and with G = GL order in ZN 0 mod N . DLogG A mod N is the discrete log in base G of A modulo N . Definition. We follow the ideas in the definition of VΣS presented in [14], although we believe our formalization to be simpler and more rigorous. VΣS consists of a pair of protocols (ΣShare , ΣRecover ) for Alice and the proxies. The input of ΣShare for all the players is a message m and the public

Protocols for Verifiable Signature Sharing and Other Applications

109

verification key V K of the signer. The secret input for Alice is a signature S of m under the signer’s key. The output of ΣShare for each proxy Pi is a value Si , which can assume the special value Si = ω denoting that the proxy has rejected the sharing. The protocol ΣRecover is then run on the output of ΣShare by the proxies. We say the VΣS = (ΣShare , ΣRecover ) is a Verifiable Signature Sharing protocol with fault-tolerance t if for any adversary A that can corrupt Alice and at most t proxies the following conditions are met: completeness If Alice is not corrupted then the output of ΣRecover is a signature S on m under the signer’s key V K. soundness If a good proxy Pi outputs Si = ω at the end of ΣShare then each good player Pj outputs Sj = ω. If Si 6= ω for good players then the output of ΣRecover is a signature S on m under the signer’s key V K. security Define the view V of the adversary A as the set of messages sent and received by the bad players (including the broadcasted ones) at the end of ΣShare . Then there exists an algorithm S called the simulator which on input only m and V K and black-box access to A, produces output strings with a distribution which is computationally indistinguishable from V. We accept a negligible probability (over the coin tosses of the players) that these conditions are violated. Informally, completeness means that if Alice really shares the right signature, then, no matter what malicious proxies do, the signature will be recovered at the end. Soundness means that if Alice is malicious, then either she will be caught trying to cheat (i.e. sharing something different from a valid signature) or she will share a valid signature anyway. Security finally says that a run of ΣShare gives the adversary no information he could not compute on his own from the message and the public key. In particular (unless the signature scheme is not secure) no information about the signature S. Computational Assumptions. Our RSA VΣS protocol uses the so-called Decisional Diffie-Hellman Assumption (DDH) over a composite modulus. Informally this assumption says that given two random Diffie-Hellman “public keys” A = Ga and B = Gb the resulting shared key Gab is indistinguishable from a random value to an observer who does not know any of the secret keys a, b. More formally stated: Assumption 1 Let N be a composite modulus product of two large primes. ∗ Let G be an element of ZN and G the group generated by it. Consider the two probability distributions on G 3 defined as DH = (Ga , Gb , Gab ) mod N and R = (Ga , Gb , Gc ) mod N for a, b, c chosen randomly and uniformly in ZN . We assume that the two distributions are computationally indistinguishable. The Decisional Diffie-Hellman Assumption is related to the regular Diffie-Hellman assumption that says that given Ga and Gb one cannot compute Gab in polynomial time. Clearly this assumption relies on the hardness of computing discrete logs. Reductions in the inverse direction are not known.

110

Dario Catalano and Rosario Gennaro

ElGamal over a composite. We recall the functioning of the ElGamal encryption scheme [10,11] over a composite modulus [24,29]. The public encryption key is EK = (N, G, Y ) where N is an RSA modulus product of two primes, G ∗ is an element of ZN of large order and Y is computed as Y = GX mod N with X ∈R ZN . X is the secret decryption key. A message M is encrypted under EK by choosing a random K ∈R ZN and computing A = GK mod N and B = Y K · M mod N . The ciphertext is the pair (A, B). Decryption of a pair (A, B) is computed by taking M = B/AX mod N . Notice that in order to decrypt, all it is required is to raise A to the secret exponent X. The ElGamal encryption scheme can be thought as a one-time pad with a one-time Diffie-Hellman key (the value Y K = GXK ). Thus if the message M is in the same group generated by G it is an easy task to show that the DDH implies the semantic security of the ElGamal encryption scheme (semantic security defined in [21], means that it is impossible for an observer to distinguish between the encryption of two messages). If the message space is larger than the group generated by G then the semantic security of the ElGamal encryption scheme is a seemingly stronger assumption than the DDH. 2.1

Tools

We will use the polynomial-based t-out-of-n secret sharing due to Shamir [28]. Let q be a prime: given a secret σ ∈ Zq , the dealer chooses at random a Pt polynomial f (z) = σ + j=1 aj z j of degree t and gives to player Pi a share σi = f (i) mod q. Clearly t players have no information about the secret while t+1 can reconstruct it by polynomial interpolation. Notice that a (n−1)-out-of-n secret sharing can be obtained simply by sharing σ as a sum σ = σ1 + . . . + σn . Basic secret sharing protocols cannot cope with a malicious dealer who gives out random points that do not lie on a polynomial of degree t and/or with malicious players who contribute false shares at reconstruction time. A Verifiable Secret Sharing (VSS) protocol [6] solves these problems. Here we recall Feldman’s VSS [12]. The dealer follows Shamir’s scheme but in addition he broadcasts the values α0 = g σ mod p and αj = g aj mod p where p is a prime such that q divides p − 1 and g is an element of order q in Zp∗ . The α values will allow the players to check that the values σi really define a secret by checking that Q j g σi = j αij mod p. If the value they hold is inconsistent they complain about the dealer who will reveal their share (that should match the above equation). The α values also allow detection of incorrect shares σi0 at reconstruction time. This protocol can tolerate up to t = n/2 malicious faults including the dealer. Notice that the value of the secret is only computationally secure, e.g., the value g σ mod p is leaked. To avoid this problem it is possible to use Pedersen’s VSS [26] which protects the secret in an information-theoretic sense. P In this implementation the dealer chooses a second t-degree polynomial f 0 = j bj z j and sends the value τi = f 0 (i) mod p to player Pi in addition to the share σi as above. The dealer then commits to each coefficient of the polynomials f, f 0 as follows: he publishes the values βj = g aj hbj mod p where h is an element in the subgroup generated by g such that the discrete log of h in base g is

Protocols for Verifiable Signature Sharing and Other Applications

111

unknown. ThisQwill allow the players to check the received shares by checking j that g σi hτi = j βji mod p. At revealing time the players are required to reveal both σi and τi and the above equation is used to validate the shares. It is possible to prove that the VSS fails if and only if the adversary is able to compute the discrete log of h in base g. Notice that the value of the secret is unconditionally protected since the only value revealed is β0 = g σ hb0 .

3

A New Threshold Cryptosystem

Our RSA VΣS scheme relies on a new ElGamal-based threshold cryptosystem which we present in this section. We believe this new threshold cryptosystem to be of independent interest. Although the construction of this ElGamal-based threshold cryptosystem is new, the techniques used in this section appears in several papers related to threshold [9,15] and proactive [13,27] RSA signature schemes. Threshold Cryptosystems. Let E be a public key encryption scheme. A threshold cryptosystem TE for a scheme E distributes the operation of key generation and decryption among a set of n parties P1 , . . . , Pn . That is, TE is defined by two protocols: T-Key-Gen a randomized protocol that returns as public output the public encryption key EK and as private output for player Pi a value DKi such that DK1 , . . . , DKn constitute a t-out-of-n threshold secret sharing of DK. T-Decrypt each player Pi takes as public input a ciphertext C = EEK (M ) and as secret input his share DKi and returns as public output the message M The two protocols should be secure i.e. they should function correctly and reveal no extra information even in the presence of an adversary that corrupts maliciously up to t players1. In particular notice that the private key DK should not be exposed during T-Decrypt. Formal definitions for threshold cryptosystems appear in the final paper. A Threshold Cryptosystem for ElGamal over a composite. There are several complications that arise from trying to generalize the approach in [25] to work for ElGamal modulo a composite. First of all we will require for our application that the modulus N will be given as a parameter to the key generation protocol2 without its factorization. This implies that the value φ(N ) is unknown to the parties who have to jointly choose and share X. Our threshold cryptosystem overcomes this problem using techniques discovered by [13] for the application of proactive RSA. Feldman’s VSS over a composite. First we present how to modify Feldman’s VSS to work modulo a composite of unknown factorization. This protocol was 1 2

Notice that we are talking about robust protocols that work in the presence of malicious faults. Unless otherwise noted when we say “secure” we mean also “robust”. Jumping ahead, N will be the same modulus from Bob’s public key

112

Dario Catalano and Rosario Gennaro

discovered in [13]. They used it as a crucial tool to refresh shares of a proactive RSA signature scheme. We slightly modified it to work as a component of our key generation protocol. The main idea behind the protocol is for the the dealer to share the secret σ over the integers (since he doesn’t know φ(N )). The coefficients of the sharing polynomial must be chosen large enough to statistically hide information. The protocol appears in Figure 1. Lemma 1. Feldman-ZN -VSS is a VSS of fault-tolerance t for any t, n such that n > 2t.

Feldman-ZN -VSS Input for all players: a composite number N and an element G of maximal ∗ order in ZN . Input for the dealer: a secret σ ∈ [−N 2 . . . N 2 ]. Sharing Phase. 1. The dealer chooses t random integers a1 , . . . , at ∈ [−L2 N 3 . . . L2 N 3 ] and consider the polynomial f (z) = Lσ + a1 z + . . . + at z t 2. The dealer sends to player Pi the integer σi = f (i) and broadcasts α0 = Gσ mod N and αi = Gai mod N . 3. Player Pi checks that Gσi = αL 0

t Y

j

αij mod N

(1)

j=1

If the check fails he asks that the dealer makes σi public. If more than t player make this request the dealer is disqualified. 4. The dealer reveals σi for the players who asked and the previous check is carried out on all public shares. If it fails the dealer is disqualified. Reconstruction Phase. Player Pi broadcasts σi . Accept those for which Equation (1) is satisfied. Take t + 1 accepted shares and compute the secret σ via polynomial interpolation on a prime field large enough (i.e. p > nt+2 L2 N 3 ).

Fig. 1. Feldman VSS over a composite modulus

Key Generation Protocol. We are now ready to show the key generation protocol for the threshold ElGamal scheme. The general idea follows the one of Pedersen [25] for the case of discrete-log cryptosystems in a prime field. Each player Pi shares a random value xi via Feldman’s VSS. The secret key x will be the sum of those random values, while the public key y = g x is easily computable from the public information of the VSS protocols. The key generation continues by having each player sum up the

Protocols for Verifiable Signature Sharing and Other Applications

113

shares he received to create his own share of the secret key for a t-out-of-n secret sharing. There are two difficulties with the above approach however: – Since each Feldman’s VSS reveals g xi it is possible for a rushing adversary to choose the xi ’s of the bad players so that a specific y = g x will appear. Even if the adversary were not rushing, it would be possible for her during the complain phase to “pull out” some bad players (by having them disqualified) in order to affect the value of y. At the end it is not possible to prove that the pair x, y is built with the right (uniform) distribution. This problem was first noticed by [16]. Their solution, which we are going to employ on this paper, is to perform an information-theoretically secure VSS first for xi (for example Pedersen’s VSS) and then on top of that (using the same sharing polynomial) perform the checks required by the Feldman’s VSS. This has the effect of forcing the decision of the adversary when the xi ’s are informationtheoretically secure and thus the choice of the adversary is independent from the ones of the good players. – When working over a composite modulus the threshold decryption protocol is unnecessarily cumbersome if the key is represented in a t-out-of-n fashion. Thus we follow a different approach. Each player will keep as a share of the secret key the random value he originally shared: this is a (n − 1)-out-ofn secret sharing. The shares a player received during Feldman-ZN -VSS will be used for backup in case some other player fails during the decryption protocol. This paradigm was introduced by [27] and called share-backup. The protocol TEG-Key-Gen (for Threshold ElGamal Key Generation) appears in figure 2. Decryption Protocol. We are now left to show the decryption protocol. The approach is the same as the decryption protocol modulo a prime in [25], but it uses the techniques from [13,27], to make it work modulo a composite. The idea is to get a partial decryption from each player by exponentiating the ciphertext to his own additive (not threshold!) share of the secret key. Since the secret key is the sum of the additive shares, the product of the partial decryptions will be the correct decryption. To prevent bad players from contributing bad partial decryption we force them to prove in ZK that they are correct with respect to the witnesses generated during the key generation protocol. The ZK proof for this task is described3 in [15]. The protocol TEG-Decrypt appears in Figure 3. Theorem 1. TEG = (TEG-Key-Gen, TEG-Decrypt) is a secure threshold cryptosystem for ElGamal over a composite with fault-tolerance t for any t, n such that n > 2t.

3

[15] requires the modulus N to be a product of safe primes. It is possible to lift this assumption however by using a different protocol.

114

Dario Catalano and Rosario Gennaro

TEG-Key-Gen Input for all players: A composite number N product of two primes and ∗ an element G of maximal order in ZN . 1. Each player Pi selects a random number xi ∈R [−N 2 . . . N 2 ] and t random integers ai1 , . . . , ait ∈ [−L2 N 3 . . . L2 N 3 ] and consider the polynomial fi (z) = Lxi + ai1 z + . . . + ait z t . Player Pi performs an unconditionally secure VSS of xi using sharing polynomial fi (z) (for example Pedersen’s VSS over a large enough prime field). Let Good be the set of players who are not disqualified at the end of this step. 2. Player Pi broadcasts αi0 = Gxi mod N and αik = Gaik mod N . 3. Let xji = fj (i) be the integer player Pi received during step 1. Player Pi checks that Gxji = αL j0

t Y

k

αijk mod N

(2)

k=1

If the check fails Pi opens the commitment to the share he received in Step 1 and proves that Pj is cheating. 4. Each Pj caught cheating on the previous step is exposed. That is the value xj is reconstructed using the VSS of step 1. The value αj0 is reset to Gxj mod N . Q 5. The public key is set to Y = i∈Good αi0 mod N (including the exposed values). The private share of player Pi is the vector (xi , {xji }j∈Good ).

Fig. 2. A Pedersen-like joint key generation with share-backup

TEG-Decrypt Input for all players: A composite number N product of two primes, an ∗ element G of maximal order in ZN , the public output of TEG-Key-Gen and a ciphertext (A, B). Private Input for Player Pi : The secret output of TEG-Key-Gen, i.e. the vector (xi , {xji }j∈Good ). 1. Each player Pi ∈ Good broadcasts the partial decryption Ai = Axi mod N and proves in ZK using the protocol from [15] that DLogA Ai = DLogG α0i . 2. If Pi ∈ Good and he fails the ZK proof of the above step, all the players run the reconstruction phase of Feldman-ZN -VSS and compute xi and Ai = Axi mod N on their own. mod N . 3. Output the message M = Q B i∈Good

Ai

Fig. 3. Threshold Decryption for ElGamal over a composite

Protocols for Verifiable Signature Sharing and Other Applications

4

115

Sharing an RSA Signature

The Problem. Let (NB , vB ) be Bob’s RSA public key. The matching signing key is sB such that sB vB = 1 mod φ(NB ). Alice receives a message m from Bob and Bob’s signature S = msB mod NB on it. Alice wants to verifiably share the value S among the proxies P1 , . . . , Pn . That is at the end of the sharing the proxies must be assured that they hold a sharing of Bob’s signature on m. The Basic Paradigm. We depart from the approach used by Franklin and Reiter [14] of directly sharing the signature S. Instead we follow the alternative approach to obtain secret sharing using an encryption of the secret with a key which is shared at the proxies. Assume that the proxies have established an instance of a public key encryption scheme E with public key EK and that the matching secret key SK is shared among them in a t-out-of-n fashion. Then all Alice has to do to share S among the proxies is to simply give them the value CS = EP K (S). Indeed t or less proxies have no information about the secret key, thus they cannot decrypt S. In order to achieve the verifiability property we need a proof that CS indeed contains the signature S. Achieving Verifiability. The above proof could be constructed using general zero-knowledge proof techniques, with a loss of efficiency. The key idea to obtain an efficient proof is to encrypt the signature S (created under Bob’s public key (NB , vB )) using an instance of the ElGamal cryptosystem over the same composite modulus NB . If Y = GX mod NB is the public key of the proxies, Alice will encrypt the ∗ signature by choosing a random K ∈ ZN and computing AS = GK mod NB B K and BS = Y · S mod NB . This will allow for an efficient verifiability check using the ZK proof in Figure 4. Alice will be the prover and the proxies will be the verifiers. The protocol is based on [30] with some efficiency improvements (it is not necessary to repeat it several times.) Lemma 2. The protocol EGRSA-ZK-Proof is a honest-verifier zero-knowledge proof that (AS , BS ) is an ElGamal encryption under the key (NB , G, Y ) of the signature S of m under the key (NB , vB ). To make the above protocol ZK against any verifier, known techniques [18] can be used. In particular the Verifier can commit to the challenge before the Prover speaks. The Basic Protocol. On input a message m, Bob’s signature S on it and Bob’s public key NB , vB Alice does the following. She generates an instance of the ElGamal encryption scheme over the composite NB . She generates G as a random power of m (for reasons that will appear clear in the security proof). She selects a random X ∈ [−NB2 , . . . , NB2 ] and the public key Y = GX mod NB . She then encrypts S under by selecting a random K ∈ ZNB and setting AS = GK mod NB and BS = Y K · S mod NB . She hands m, NB , vB , G, Y, AS , BS to the proxies. Then she proves in ZK that AS , BS is indeed an encryption of the

116

Dario Catalano and Rosario Gennaro

EGRSA-ZK-Proof Input for Prover and Verifier: The message m, Bob’s RSA public key NB , vB , the ElGamal public key G, Y = GX , the ciphertext (AS = GK , BS = Y K · S). Secret input for the Prover: A value S such that m = S vB mod NB and the random value K. ∗ 1. The Prover chooses a random value R ∈R ZN and sets r = RvB mod NB B (notice that R is a signature on r according to Bob’s public key). The Prover encrypts R under the ElGamal key of the proxies, i.e. she chooses J ∈R ZN 3 and sets AR = GJ mod NB and BR = Y J · R mod NB . She B sends r, AR , BR to the proxies. 2. The Verifier sends a random challenge c ∈ ZNB 3. The Prover answers with L = J + cK (integer value) and T = RS c mod NB . The Verifier accepts if (a) GL = AR · AcS mod NB , (b) BR · BSc = Y L · T mod NB and (c) T vB = rmc mod NB .

Fig. 4. A ZK Proof that an ElGamal encryption contains an RSA signature

signature S using the EGRSA-ZK-Proof from Figure 4. Finally the last thing left is to share X using Feldman-ZN -VSS from Figure 1. This will guarantee the proxies that they have the correct decryption key to reconstruct S. To recover S the proxies will run the reconstruction phase of Feldman-ZN VSS and then use X to decrypt S. The protocol is described in Figure 5. Notice that this protocol does not make use of the full threshold cryptosystem we have outlined in the previous section but only of the Feldman-ZN -VSS protocol. Theorem 2. Under the Decisional Diffie-Hellman assumption modulo a composite the protocol RSA-VΣS-1 is a secure VΣS protocol for RSA with faulttolerance t, for any n, t with n > 2t. An Alternative Protocol. In this section we show a variation of the previous protocol. The reason we present an alternative protocol is to improve the efficiency of the scheme for Alice. Indeed in this scheme we take full advantage of the new threshold cryptosystem described in Section 3. The main difference with respect to the previous protocol is that the key generation for the ElGamal scheme is done distributively by the proxies instead than by Alice. This will also allow for a very efficient verification that the ciphertext contains the required signature. Indeed the proxies can verify that the

Protocols for Verifiable Signature Sharing and Other Applications

117

RSA-VΣS-1 Input for Alice: The message m, Bob’s RSA public key NB , vB , the signature S on m, i.e. a value such that m = S vB mod NB . RSA-ΣShare-1 1. Alice chooses uniformly at random – r ∈ ZNB and sets G = mr mod NB . 2 2 – X ∈ [−NB , . . . , NB ] and sets Y = GX mod NB . – K ∈ ZNB and sets AS = GK mod NB and BS = Y K · S mod NB . She sends to the proxies m, NB , vB , r, Y, AS , BS . The proxies compute G = mr mod NB . 2. Alice runs the proof EGRSA-ZK-Proof as the prover on input m, NB , vB , G, Y, AS , BS with the proxies as the Verifier. The proxies reject if Alice fails the proof. 3. Alice runs Feldman-ZN -VSS for X as the dealer with the proxies. The proxies reject if Alice fails the VSS protocol. RSA-ΣRecover-1 The proxies run the Reconstruction Phase of Feldman-ZN -VSS and compute BS X and output S = A X mod NB . S

Fig. 5. Basic RSA VΣS Protocol

pair (AS , BS ) is constructed correctly by checking that BSvB (Y K · S)vB Y K·vB · S vB = = m mod NB vB X = K X·v (AS ) (G ) B Y K·vB

(3)

i.e. just by running the TEG-Decrypt protocol on the pair (AvSB , BSvB ). The full protocol appears in Figure 6. Theorem 3. Under the Decisional Diffie-Hellman assumption modulo a composite the protocol RSA-VΣS-1 is a secure VΣS protocol for RSA with faulttolerance t, for any n, t with n > 2t. Comments, Variants and Optimizations. Due to space limitations we refer the reader to the final version of the paper for a description of several variants of the above protocols and a detailed efficiency analysis.

5

Sharing a DSS Signature

The Problem. Recall the DSS signature scheme. The public parameters are a large prime p, a 160-bit prime q that divides p − 1 and an element g of order q in Zp∗ . Bob (the signer) has a secret key x which is a random number in Zq . The

118

Dario Catalano and Rosario Gennaro

RSA-VΣS-2 Input for Alice: The message m, Bob’s RSA public key NB , vB , the signature S on m, i.e. a value such that m = S vB mod NB . RSA-ΣShare-2 1. Alice sends to the proxies the message m, Bob’s public key (NB , vB ) and a random value r ∈ ZNB 2. The proxies run TEG-Key-Gen on input the modulus NB and the basis G = mr mod NB . They return to Alice the public key Y = GX mod NB . 3. Alice encrypts S using the ElGamal encryption scheme with public key (NB , G, Y ). That is, she generates a random number K in ZNB and computes AS = GK mod NB and BS = Y K ·S mod NB . Alice sends (AS , BS ) to the proxies. 4. The proxies run TEG-Decrypt protocol on the pair (AvSB , BSvB ). If the output is m they accept otherwise they reject. RSA-ΣRecover-2 The proxies run TEG-Decrypt protocol on the pair (AS , BS ).

Fig. 6. Alternative RSA VΣS Protocol matching public key is y = g x mod p. A message M is signed by first hashing it down via SHA-1, i.e. m = SHA-1(M ). Then Bob chooses a random number k ∈R Zq , and computes r = g k mod p mod q and s = k −1 (m + xr) mod q. The signature is the pair (r, s). A signature is verified by computing σ = s−1 mod q and checking that r = (g m y r )σ mod p mod q. Alice receives the message M and the pair (r, s) and she wants to verifiably share the pair (r, s) among the proxies P1 , . . . , Pn . The Approach from [14]. We follow the same provably secure approach used in [14] to verifiably share an ElGamal signature. The main difference between a (plain) ElGamal signature and DSS4 is that r = g k mod p (without the extra modq reduction) and s = k −1 (m − xr) (a − instead of a +). The idea in [14] was for Alice to give out r in the clear to the proxies and to share s via a Feldman VSS using an appropriate basis for the verification. For some reason (probably because the extra reduction modq for r seems at first sight not to allow this approach) they decided to switch the roles between r and s in the DSS VΣS . Alice gives out s in the clear and shares r via Feldman’s VSS. However their simulation does not go through, although they claim heuristically that it is secure. Our Approach. We show that a careful adaptation of the ElGamal VΣS from [14] can be shown to be secure. Alice gives out r in the clear to the proxies and shares σ = s−1 via Feldman VSS using the basis G = g m y r (which the 4

Apart from the way messages are hashed which is irrelevant for the purpose of VΣS .

Protocols for Verifiable Signature Sharing and Other Applications

119

proxies can compute on their own from g, y, m, r). Notice that by doing this she reveals r∗ = Gσ mod p. So in order to check that the shared value is really the correct signature the proxies must simply check that r∗ mod q = r. Notice that revealing r∗ (i.e. the value of r before the reduction modq) does not turn into a security problem since this information is easily simulatable (see the proof). Indeed the reduction modq of r serves only to shorten the signature and has no security purpose. The full protocol appears in Figure 7.

DSS-VΣS Input for all players: Bob’s DSS public key (p, q, g, y), a message M and its hash value m. Secret Input for Alice: A DSS signature r, s from Bob on M . DSS-ΣShare 1. Alice broadcasts r to the proxies. She runs Feldman’s VSS on input the secret σ = s−1 and with basis G = g m y r . Let α0 be the commitment to the secret generated by the Feldman’s VSS, i.e. if Alice is honest α0 = Gσ mod p. 2. The proxies run the verification phase of Feldman VSS (including the complaint phase). They reject the sharing if either Alice is disqualified during the verification of Feldman’s VSS or α0 6= r mod q. DSS-ΣRecover The proxies run the reconstruction phase of Feldman’s VSS to recover σ. They compute s = σ −1 mod q and output r, s.

Fig. 7. A protocol for DSS VΣS

Theorem 4. Protocol DSS-VΣS is a secure VΣS protocol for DSS with faulttolerance t, for any n, t with n > 2t.

Acknowledgment We would like to thank Tal Rabin for several discussions over the topic of proactive RSA.

References 1. N. Asokan, V. Shoup and M. Waidner. Optimistic fair exchange of digital signatures. EUROCRYPT’98. 108 2. M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness Theorems for Noncryptographic Fault-Tolerant Distributed Computations. STOC’88 pp.1–10, 1988. 106

120

Dario Catalano and Rosario Gennaro

3. M. Burmester. Homomorphism of secret sharing schemes: a tool for verifiable signature sharing. EUROCRYPT’96, pp.96–106. LNCS vol.1070. 105 4. David Chaum and Hans Van Antwerpen. Undeniable signatures. CRYPTO’89, pages 212–217. LNCS vol. 435. 106 5. D. Chaum, C. Crepeau, and I. Damgard. Multiparty Unconditionally Secure Protocols. STOC’88, pp.11–19, 1988. 106 6. B. Chor, S. Goldwasser, S. Micali, and B. Awerbuch. Verifiable secret sharing and achieving simultaneity in the presence of faults. FOCS’85, pp.383–395, 1985. 110 7. D. Coppersmith, M. Franklin, J. Patarin and M. Reiter. Low-exponent RSA with related messages. EUROCRYPT’96, pp.1–9. LNCS vol.1070. 105 8. I. Damgard and T. Pedersen. New convertible undeniable signature schemes. EUROCRYPT’96, pp.372–386. LNCS vol. 1070. 108 9. A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to share a function securely. STOC’94, pp.522–533, 1994. 108, 111 10. W. Diffie and M.E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, v. IT-22, no. 6, pp. 644-654, November 1976. 107, 110 11. T. ElGamal. A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, IT-31(4):469–472, 1985. 107, 110 12. P. Feldman. A Practical Scheme for Non-Interactive Verifiable Secret Sharing. FOCS’87, pp.427–437, 1987. 110 13. Y. Frankel, P. Gemmell, P. Mackenzie, and M. Yung. Optimal Resilience Proactive Public-Key Cryptosystems. FOCS’97, pp.384–393. 108, 111, 111, 112, 113 14. M. Franklin and M. Reiter. Verifiable Signature Sharing. EUROCRYPT’95, pp.50– 63. LNCS vol.921. 105, 105, 107, 108, 115, 118, 118, 118, 118 15. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust and efficient sharing of RSA functions. CRYPTO’96, pp.157–172. LNCS vol. 1109. 108, 111, 113, 113, 114 16. R. Gennaro, S. Jarecki, and T. Rabin. Securely revisiting distributed key generation. Manuscript. 113 17. R. Gennaro, H. Krawczyk and T. Rabin. RSA-Based Undeniable Signatures. CRYPTO’97, LNCS vol.1294. 106, 106 18. O. Goldreich and A. Kahan. How to Construct Constant-Round Zero-Knowledge Proof Systems for NP. J. of Cryptology, Vol.9, No.3, pp.167–190, 1996. 115 19. O. Goldreich, S. Micali, and A. Wigderson. Proofs that Yield Nothing But Their Validity or All Languages in NP Have Zero-Knowledge Proof Systems . Journal of the ACM, 38(1):691–729, 1991. 106 20. O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game. STOC’87, pp.218–229, 1987. 106 21. S. Goldwasser and S. Micali. Probabilistic Encryption. JCSS, 28(2), pp.270–299, April 1984. 110 22. S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof-systems. SIAM. J. Computing, 18(1):186–208, February 1989. 106, 107 23. H. Krawczyk. Secret sharing made short. CRYPTO’93, pp.136–146, LNCS 773. 107 24. K.S. McCurley. A key distribution system equivalent to factoring. Journal of Cryptology. vol.1, pp.95–105, 1988. 110 25. T. Pedersen. A threshold cryptosystem without a trusted party. EUROCRYPT’91, pp.522-526, LNCS vol. 547 111, 112, 113 26. T. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. CRYPTO’91, pp.129-140, LNCS vol. 576 110

Protocols for Verifiable Signature Sharing and Other Applications

121

27. T. Rabin. A Simplified Approach to Threshold and Proactive RSA. To appear in CRYPTO’98. 108, 111, 113, 113 28. A. Shamir. How to share a secret. Communications of the ACM, 22:612–613, 1979. 110 29. Z. Shmuely. Composite Diffie-Hellman public-key generating systems are hard to break. Technion Dept. of Computer Science Technical Report no.356, 1985. 110 30. M. Stadler. Publicly Verifiable Secret Sharing. EUROCRYPT’96, pp.190–199, LNCS vol.1070. 108, 115 31. E. Verheul and H. van Tilborg. Binding ElGamal. EUROCRYPT’97, LNCS 1233. 106, 106

Trading Correctness for Privacy in Unconditional Multi-Party Computation? (Extended Abstract) Matthias Fitzi, Martin Hirt, and Ueli Maurer Department of Computer Science Swiss Federal Institute of Technology (ETH), Zurich CH-8092 Zurich, Switzerland, {fitzi,hirt,maurer}@inf.ethz.ch

Abstract. This paper improves on the classical results in unconditionally secure multi-party computation among a set of n players, by considering a model with three simultaneously occurring types of player corruption: the adversary can actively corrupt (i.e. take full control over) up to ta players and, additionally, can passively corrupt (i.e. read the entire information of) up to tp players and fail-corrupt (i.e. stop the computation of) up to tf other players. The classical results in multi-party computation are for the special cases of only passive (ta = tf = 0) or only active (tp = tf = 0) corruption. In the passive case, every function can be computed securely if and only if tp < n/2. In the active case, every function can be computed securely if and only if ta < n/3; when a broadcast channel is available, then this bound is ta < n/2. These bounds are tight. Strictly improving these results, one of our results states that, in addition to tolerating ta < n/3 actively corrupted players, privacy can be guaranteed against every minority, thus tolerating additional tp ≤ n/6 passively corrupted players. These protocols require no broadcast and have an exponentially small failure probability. When zero failure probability is required, privacy can be maintained against any minority, but one can even tolerate ta ≤ n/4 of these players to be corrupted actively. We further show that the bound t < n/2 for passive corruption holds even if the adversary is additionally allowed to make the passively corrupted players fail. Moreover, we characterize completely the achievable thresholds ta , tp and tf for four scenarios. Zero failure probability is achievable if and only if 2ta + 2tp + tf < n and 3ta + tp + tf < n; this holds whether or not a broadcast channel is available. Exponentially small failure probability with a broadcast channel is achievable if and only if 2ta + 2tp + tf < n; without broadcast, the additional condition 3ta + tf < n is necessary and sufficient. Keywords: Secure multi-party computation, unconditional security, verifiable secret sharing, threshold cryptography. ?

Research supported by the Swiss National Science Foundation (SNF), SPP project no. 5003-045293.

H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 121–136, 1998. c Springer-Verlag Berlin Heidelberg 1998

122

1 1.1

Matthias Fitzi et al.

Introduction Secure Multi-Party Computation

Consider a set of n players who do not trust each other. Nevertheless they want to compute an agreed function of their inputs in a secure way. Security means achieving correctness of the result of the computation while keeping the players’ inputs private, even if some of the players cheat. This is the well-known secure multi-party computation problem (e.g. [Yao82,GMW87,BGW88,CCD88,RB89]). For an excellent overview see [Fra93,Can95]. Secure multi-party computation can alternatively, and more generally, be seen as the problem of performing a task among a set of players that is specified by involving a trusted party, where the goal of the protocol is to replace the need for the trusted party. In other words, the functionality of the trusted party is shared among the players. Secure function evaluation described above can be seen as a special case of this more general setting. Most protocols described in the literature in the context of secure function evaluation also apply in the general context. This is also true for the protocols described in this paper. There exists a rich literature on the subject. Previous approaches can be classified according to a number of criteria that are briefly discussed below. – Communication: The communication models differ with respect to several criteria: Whether or not secure communication channels are available, whether or not broadcast channels are available, and whether the communication channels are synchronous or asynchronous. Some papers also consider incomplete network topologies, i.e. limited connectivity. – Adversaries: Cheating players can be modeled by assuming a central adversary that can corrupt players. One generally distinguishes between actively corrupted players, passively corrupted players, and fail-corrupted players. – Security: The basic security requirements are privacy and correctness. Privacy means that the adversary obtains no information about the uncorrupted players’ inputs beyond what he learns from seeing the corrupted players’ inputs and the output of the computation. Correctness means that the adversary cannot prevent the uncorrupted players from learning the correct output. Furthermore, robustness means that once the inputs have been committed by the players, the adversary cannot stop the computation. We refer to [Can97,Can98] for a precise definition of security in multi-party computation. The types of tolerable adversaries have recently been generalized in a number of directions (adaptive adversaries [CFGN96], uncoercibility [CG96], nonthreshold adversaries [HM97]), and some authors have investigated multi-party computation for various minimality and complexity criteria [FKN94,CGT95,FY92,Kus89]. Security can also be classified according to the adversary’s computational resources (limited, hence cryptographic security, e.g. [CDG87,GMW87], or unlimited, hence unconditional or information theoretic security, e.g. [BGW88,CCD88,RB89]). In the information-theoretic model one can

Trading Correctness for Privacy

123

distinguish between protocols with exponentially small (e.g. [CCD88,RB89]) or with zero failure probability (e.g. [BGW88]). We refer to the latter as perfect multi-party computation. – Generality: Many papers describe protocol constructors which, for any given function, generate a protocol for securely computing this function (e.g. [Yao82,GMW87,GHY87,BGW88,CCD88,RB89,Cha89]), while other approaches are tailored to a particular function like voting (e.g. [CFSY96]), auctioning [FR96], sharing of encryption or signature operations [SDFY94,GJKR96a,GJKR96b], or private information retrieval [CGKS95,KO97].1 1.2

Previous Results and Motivation

Ben-Or, Goldwasser and Wigderson [BGW88] and independently Chaum, Cr´epeau and Damg˚ ard [CCD88] proved two fundamental results in unconditional multi-party computation among a set of n players. When the adversary only passively corrupts players, secure multi-party computation is possible if and only if the number of corrupted players is less than n/2. When the adversary only actively corrupts players, secure multi-party computation is possible if and only if the number of corrupted players is less than n/3. T. Rabin and Ben-Or [RB89] proved that when a broadcast channel is available, then the threshold for active corruption is n/2. These bounds are tight in the sense that every function can be securely computed when the threshold condition is satisfied, but there exist functions (in fact almost all functions) that cannot be securely computed when the threshold condition is violated. The protocols of [BGW88] have zero failure probability, i.e. they are perfect. The failure probability can be made exponentially small for the protocols of [CCD88] and [RB89]. The results of [RB89] cannot be achieved with zero failure probability. This paper introduces and investigates a new model for multi-party computation in which the adversary can simultaneously perform three different kinds of player corruption: active corruption, passive corruption, and fail-corruption. Special cases of adversaries that perform different kinds of player corruption have previously been considered in the literature. Chaum [Cha89] considered general multi-party protocols that are secure against an adversary that can corrupt either up to d players actively or, alternatively, can corrupt up to c players passively, but in his model only one type of corruption occurs at the same time.2 In other words, the adversary chooses between active or passive corruption and all corrupted players are corrupted in the same way. The protocols achieve correctness (with negligible failure probability) with respect to any d actively corrupted, 1 2

The major reason for designing protocols for special functions compared to applying a general-purpose protocol is the potential gain of efficiency. For instance, the thresholds c = 1 and d = b(n − 1)/2c given in the example in Section 3.1 of [Cha89] cannot be tolerated if simultaneous passive and active corruption occur.

124

Matthias Fitzi et al.

or privacy with respect to any c passively corrupted players, where 2c + d < n is required. Meyer and Pradhan [MP91] treated the case of simultaneous active and fail-corruptions for Byzantine agreement. The simultaneous presence of active and passive player corruption was considered by Dolev et al. [DDWY93] in the context of secure message transmission over general networks. That paper also mentions the possibility of extending those results to multi-party computation. In contrast to [Cha89], the models of [MP91,DDWY93] and also of this paper consider a mixed adversary that simultaneously performs different kinds of corruption. 1.3

Contributions of this Paper

We introduce a new model for unconditionally secure multi-party computation among a set of n players where the adversary may actively corrupt, passively corrupt, and fail-corrupt some of the players. We refer to this model as the mixed model. A (ta , tp , tf )-adversary (or simply a (ta , tp )-adversary when tf = 0) may actively corrupt up to ta players and, additionally, passively corrupt up to tp and fail-corrupt up to tf other players. To actively corrupt a player means to take full control over the corrupted player, i.e. to receive and send arbitrary messages in this player’s name. To passively corrupt a player means to have access to all information that this player receives during the whole protocol, including his inputs to the protocol (if any). To fail-corrupt a player means that the adversary may stop the communication from and to that player at an arbitrary time during the protocol. Once a player is caused to fail, he will not recover. However, the adversary is not allowed to read the internal data of a fail-corrupted player, unless the player is also passively corrupted at the same time. In other words, if the adversary wants both to read the internal information of a player and to be able to make the player fail, then he must both passively corrupt and fail-corrupt that player, and the player is counted for both thresholds tp and tf . Note that the cases ta = tf = 0 and tp = tf = 0 correspond to the passive and active model, respectively, as considered in the previous literature. A protocol is (ta , tp , tf )-secure (or (ta , tp )-secure) if any (ta , tp , tf )-adversary (or (ta , tp )-adversary) obtains no additional information about the non-corrupted players’ inputs (beyond what is provided by the function output) and cannot falsify the outcome of the computation. For a precise definition of security, see [Can97,Can98]. In this paper, we consider information-theoretic security, i.e. the adversary can use unlimited computational resources. Players are connected pairwise by secure communication channels in a synchronous network. The necessary and sufficient conditions for secure multi-party computation to be achievable for all functions are derived for the following four cases: – Perfect security, without a broadcast channel, is possible if and only if 2ta + 2tp + tf < n and 3ta + tp + tf < n. – Perfect security, with a broadcast channel, is possible under the same condition, i.e., broadcast does not help increasing the number of players that can be corrupted when perfect security is required.

Trading Correctness for Privacy

125

– Unconditional security (negligible failure probability), without a broadcast channel, is possible if and only if 2ta + 2tp + tf < n and 3ta + tf < n. – Unconditional security, with a broadcast channel, is possible if and only if 2ta + 2tp + tf < n. 1.4

Outline

In Sections 2 and 3 tight bounds on the existence of perfectly secure (Section 2) or unconditionally secure (Section 3) protocols are given for the mixed model without fail-corruptions. In Section 4, these bounds are generalized for the mixed model with fail-corruptions, and the protocols are extended to achieve these generalized bounds. Some conclusions are given in Section 5.

2

Perfectly Secure Multi-Party Computation

The construction of perfectly secure protocols for the mixed model without failcorruptions is based on the protocol of [BGW88] for the active model. We first give a very brief summary of that protocol, and then present some modifications needed for tolerating a mixed adversary. 2.1

The Protocol of Ben-Or, Goldwasser, and Wigderson

The protocol of [BGW88] for the active model requires that the function to be computed is represented as an arithmetic circuit over a finite field (F , +, ∗), where three types of gates are available: an addition gate takes two inputs and outputs their sum, a multiplication gate takes two inputs and outputs their product, and a randomness gate takes no input and outputs a random field element. The protocol proceeds in three stages: In the input stage, every player uses verifiable secret sharing (VSS) to share his input among all players. In the computation stage, the agreed circuit is evaluated gate by gate, where all intermediate results are shared among the players using VSS. In the final stage, the shared result is reconstructed. We briefly describe the subprotocols for verifiable secret sharing and for multiplication. Let n denote the number of players, and let t denote the upper bound on the number of players that the adversary may actively corrupt. Verifiable secret sharing is based on Shamir’s secret sharing scheme [Sha79]. To every player a unique field element wi is associated, where w is a primitive n-th root of unity. In the sharing protocol, the dealer randomly selects a twodimensional polynomial f (x, y) of degree t in both variables such that f (0, 0) is the value to be shared, and sends the polynomials fi (x) = f (x, wi ) and gi (y) = f (wi , y) to the i-th player. Then the i-th and the j-th player verify the cross-over ?

?

points fi (wj ) = gj (wi ) and gi (wj ) = fj (wi ) and complain about inconsistencies. Whenever a player recognizes an inconsistency, he asks the dealer to broadcast the value of the inconsistent cross-over points. Whenever a player receives a

126

Matthias Fitzi et al.

value from the dealer that is not consistent with a previously received value, he accuses the dealer, who then has to broadcast both polynomials of the accusing player. Then the player uses these broadcast polynomials as his polynomials. If more than t players accused the dealer, then clearly the dealer is corrupted and every player picks the default zero polynomial as the dealer’s polynomial. Finally, the share of the i-th player is fi (0). This sharing protocol guarantees that all the shares lie on a polynomial of degree t, and that if the dealer is honest (uncorrupted), then any t players do not obtain any joint information about the secret. In the reconstruction protocol, each player sends his share of the result to those players who should learn this value. Each of them can then correct faulty shares using the properties of the underlying Reed-Solomon code [MS81], and interpolate the secret. At most t shares are faulty and the minimal distance of the Reed-Solomon code with n shares and degree t is n−t−1. Hence (n−t−1)/2 ≥ t faults can efficiently be corrected and reconstruction is possible. Linear Functions. Multiplication by scalars and addition of shared values, and hence the computation of any linear function, can be performed (without communication) by each player doing the corresponding computation on his shares and keeping the result as a share of the new value. Multiplication of two shared values is more involved. Here we describe the improved protocol of [GRR98]. First, every player verifiably secret shares both shares of the two values he holds. Because a corrupted player could secret share a wrong share, the syndrome of the reshared shares is computed in a distributed manner (syndrome computing is linear) and is then reconstructed (reconstruction involves local error-correction for every player). Using this syndrome vector, each player can derive the error vector and can correct his shares according to the error vector. Then, each player shares the product of his two factor shares and proves by a subprotocol that the shared value indeed is the product of his two factor shares. At this point, every player holds a share of all n product shares, and as shown in [GRR98] the interpolation of these product shares results in the product of the two factors. Interpolation is linear and can be computed locally on the shares of the product shares. 2.2

Protocol Modifications for the Mixed Model

Lemma 1. For n players and arbitrary thresholds ta and tp satisfying 3ta +tp < n, there exists a verifiable secret-sharing scheme that is perfectly secure against a (ta , tp )-adversary. Proof. The scheme is a variation of the verifiable secret-sharing scheme presented in [BGW88] whereby the degree of the used polynomials is set to d = ta + tp . This modification was first proposed in [DDWY93] and [Dwo90]. In the sharing protocol, the dealer selects a two-dimensional polynomial f (x, y) of degree d in each variable and sends the polynomials fi (x) and gi (y) to the i-th player. Then the players verify the cross-over points and complain about inconsistencies.

Trading Correctness for Privacy

127

Whenever a player recognizes that the dealer is misbehaving, he accuses the dealer. If more than ta players accused the dealer, then clearly the dealer is faulty and every player picks the default zero polynomial as the dealer’s polynomial. Therefore, in the reconstruction protocol the parameter t of the maximal number of errors is set to ta . Clearly, this scheme tolerates a (ta , tp )-adversary. The complete information the adversary obtains during the protocol contains at most ta + tp shares, which gives no information about the secret (unless the dealer is corrupted). On the other hand, coordinated misbehavior of up to ta players can be tolerated because in the reconstruction protocol, up to (n − d − 1)/2 faulty shares can be corrected (half of the minimum distance of the underlying Reed-Solomon code), which is at least ta . t u Lemma 2. A set of n players can (ta , tp )-securely multiply two shared values if 2ta + 2tp < n and 3ta + tp < n. Proof. The multiplication protocol is along the lines of the multiplication protocol in [BGW88] (including the improvements of [GRR98]), whereby the VSS of Lemma 1 with polynomials of degree d = ta + tp is used. First, every player verifiably secret shares both shares he holds of the two factors (using the VSS scheme of Lemma 1), then the syndrome of the reshared shares is computed and the shares are corrected according to the syndrome. Now, each player shares the product of his two factor shares (again by applying the VSS scheme of Lemma 1) and uses the techniques described in [BGW88] to prove that the shared value is indeed the product of his two factor shares. Then the players interpolate the product [GRR98], and therefore we need that the degree of this polynomial is smaller than n, i.e. 2d < n, which is satisfied because of the condition 2ta + 2tp < n. The described protocol is secure as long as the underlying verifiable secret-sharing protocol is secure, which is guaranteed for 3ta + tp < n by Lemma 1. t u Lemma 3. There are deterministic functions that four players p1 , p2 , p3 , and p4 cannot compute perfectly securely with respect to an adversary who may passively corrupt p1 and (additionally) actively corrupt one of p2 , p3 , or p4 . Even a broadcast channel does not help. Proof. For the sake of contradiction assume that for every deterministic function there exists a protocol among the four players p1 , p2 , p3 , and p4 , where the adversary may passively corrupt p1 and, at the same time, actively corrupt one of the players p2 , p3 , or p4 . In a first step, when assuming a broadcast channel and a public common random source (which will later be shown to be unnecessary), every protocol secure in this scenario can be converted into a protocol among the three players p2 , p3 , and p4 , basically by having each player locally simulate p1 . More precisely, instead of sending a message to p1 , the message is broadcast. When p1 generates a random field element, the common random source is used. The local computations of p1 are performed locally by each player, as every

128

Matthias Fitzi et al.

player knows the internal state of p1 . We now argue that in a setting with three players and a broadcast channel, a common random source is of no use when perfect security is required. Perfect security, i.e. zero failure probability, means that failure must not occur for any particular output sequence of the random source. Hence one can assume that the output sequence is the all-zero sequence (or any other particular sequence), and we are back in a model without common random source. For three players, assuming broadcast, perfect security (for every function) against an active adversary who may corrupt one of the players is impossible as stated in [RB89]. Hence, there exist protocols that are not perfectly secure with respect to the stated adversary. t u Theorem 1. A set of n players can compute every function perfectly (ta , tp )securely if and only if 2ta + 2tp < n and 3ta + tp < n. The computation is polynomial in n and linear in the size of the circuit. This holds whether or not a broadcast channel is available. Proof. (⇐=) As shown in Lemma 1, the verifiable secret-sharing scheme of [BGW88] can be modified such that a (ta , tp )-adversary is tolerated if 3ta +tp < n. Addition and selection of random field elements need no modification (except that the VSS scheme of Lemma 1 is used). Due to the conditions 2ta + 2tp < n and 3ta + tp < n, multiplication can be performed as explained in Lemma 2. (=⇒) In order to prove the necessity of this condition, first consider the case where 2ta + 2tp ≥ n. Clearly, a (ta , tp )-secure protocol is also (0, ta + tp )-secure (i.e. (ta + tp )-secure against a passive adversary), and the protocol would be perfectly secure against a passive adversary that corrupts a majority of the players. This contradicts Theorem 2 of [BGW88]. Second, consider the case where 2ta + 2tp < n and 3ta + tp ≥ n (hence ta > tp ≥ 0). The case tp = 0 (hence 3ta ≥ n) contradicts the result of [RB89] cited in the proof of Lemma 3, thus assume that tp > 0. Assume that every function can be computed (ta , tp )-securely, so in particular, for every deterministic function there exists a protocol that is (ta , tp )-secure. This protocol can be transformed into a protocol for the four players p1 , p2 , p3 and p4 , where p2 , p3 , and p4 each play for ta players, and p1 plays for the remaining (at most tp ) players. Since the original (assumed) protocol is (ta , tp )-secure, this new protocol is secure with respect to an adversary that passively corrupts p1 and actively corrupts one of t u p2 , p3 , or p4 . This contradicts Lemma 3.

3

Unconditionally Secure Multi-Party Computation

We now show that by allowing a negligible rather than zero failure probability, the bounds for the number of corrupted players can be improved. Theorem 2. Allowing a negligible failure probability and given a broadcast channel, a set of n players can compute every function (ta , tp )-securely if and only if 2ta + 2tp < n. The computation is polynomial in n and linear in the size of the circuit.

Trading Correctness for Privacy

129

Proof. (⇐=) The protocol of [RB89] tolerates up to ta < n/2 actively corrupted players. Hence, for all ta and tp that satisfy 2ta + 2tp < n, this protocol is also (ta , tp )-secure.3 The efficiency of this protocol is proven in [RB89]. (=⇒) If for some ta and tp satisfying 2ta + 2tp ≥ n, every function were (ta , tp )securely computable, then every function would also be securely computable against a passive majority, contradicting Theorem 2 of [BGW88]. t u Theorem 3. Allowing a negligible failure probability, without a broadcast channel, a set of n players can compute every function (ta , tp )-securely if and only if 2ta + 2tp < n and 3ta < n. The computation is polynomial in n and linear in the size of the circuit. Proof. (⇐=) The protocol of [RB89] is (ta , tp )-secure if 2ta + 2tp < n. Provided that ta < n/3, a broadcast channel can be simulated among the players [LSP82,FM88,GM93]. Simulating broadcast in the protocol of [RB89] yields a protocol that is (ta + tp )-secure for all ta and tp that satisfy 2ta + 2tp < n and 3ta < n. The efficiency of this protocol immediately follows from the efficiency of the protocols in [RB89] and in [FM88,GM93]. (=⇒) The necessity of the condition 2ta + 2tp < n has already been shown in the proof of Theorem 2. On the other hand, let 3ta ≥ n, and suppose that for every function there exists an unconditionally secure multi-party protocol with negligible failure probability. Since broadcast is one particular function, there would also exists a broadcast protocol that is unconditionally secure against one third of the players, contradicting a result of [LSP82,KY]. t u

4

Multi-Party Computation Tolerating Fail-Corruptions

In this section we generalize the results of the previous two sections by allowing the adversary to fail-corrupt up to tf players, and we give tight bounds for the number of actively corrupted, passively corrupted and fail-corrupted players that can be tolerated (where players that are passively corrupted and fail-corrupted at the same time must be counted for both thresholds). First, we consider a perfect model (with or without a broadcast channel), then an unconditional model with a broadcast channel, and last, an unconditional model without a broadcast channel. Theorem 4. A set of n players can compute every function perfectly (ta , tp , tf )securely if and only if 2ta + 2tp + tf < n and 3ta + tp + tf < n. The computation is polynomial in n and linear in the size of the circuit. This holds whether or not a broadcast channel is available. 3

However, the VSS reconstruction protocol of [RB89] needs a slight modification such that it is possible to reveal a shared value only to some of the players (the original protocol reveals the secret always to all players in parallel, thus only applies to the secure function evaluation model).

130

Matthias Fitzi et al.

Proof. (⇐=) The protocol described in the proof of Theorem 1 needs further modifications in order to be (ta , tp , tf )-secure. Invariant. The degree of the polynomials used for secret sharing is set to d = ta + tp . The invariant during the computation is that every (intermediate) value is shared among the players by a polynomial of degree d, and that every player is committed to his share. This means that whenever a player has to reveal his share, every player can verify whether the revealed share is the correct share or not. VSS. Note that the described VSS of Lemma 1 either achieves this invariant, or the dealer is detected to be corrupted: After the sharing protocol, either there were more than ta accusations against the dealer (in this case, the dealer is disqualified, see below), or every player holds his share, and a share of the share of each other player (called a share-share). The set of the share-shares of a given share can be considered as a shared commitment of that share (cf. [CDM98]). In order to reconstruct the secret, every player must reveal his share by broadcasting the polynomial used for sharing his share, and every player verifies that his corresponding share-share really lies on the broadcast polynomial. If not, the player broadcasts a complaint against the revealing player. If the revealing player is honest, there are at most ta complaints. Now consider the case that the revealing player is actively corrupted and broadcasts a wrong polynomial. There are at most ta + tf players who possibly do not complain even if their shares do not lie on the broadcast polynomial. However, if the polynomial is wrong, it differs from the correct polynomial at least at n − d = n − ta − tp positions, and hence at least (n − ta − tp ) − (ta − tf ) complaints are reported, which is strictly more than ta (since 3ta + tp + tf < n). Once every player has revealed his share, the secret is reconstructed by interpolating the shares for which at most ta complaints were reported (there are at least n − ta − tf such shares).4 Computations. Addition and other linear functions can easily be computed on the shared values (preserving the invariant), since both the secret sharing and the commitments are linear. The multiplication protocol is along the lines of the protocol described in Lemma 2. Due to the invariant every share is also shared among the players, and there is no need for having every player share his factor shares as in [BGW88]. Every player can directly verifiably secret share his product share and use the technique described in [BGW88] to prove that this shared value is equal to the product of his two shares (if the player fails to prove this, he is disqualified; see below). Due to the linearity of the rest of the computation, the invariant is preserved. Note that, as used in [CDM98], this 4

This construction only covers global reconstruction where every player learns the shared secret. If some result must be revealed to only certain players, then the reconstruction protocol must be slightly modified: Every player sends his share, the polynomial with which his share was shared (committed), and all his share-shares to the players who are supposed to learn the output, who then locally determine which of the shares are correct (at most ta wrong share-shares), and interpolate the verified shares.

Trading Correctness for Privacy

131

multiplication protocol does not involve error correction but error detection (in contrast to the multiplication protocol of [BGW88]). Disqualifying players. One major issue of the above protocol is how to deal with disqualified players. In [BGW88], the disqualified players’ data is reconstructed (implicitly by computing the error vector). But in this protocol, a disqualified player can either be actively corrupted or fail-corrupted, and his share must only be reconstructed if the player is actively corrupted. Therefore we need a more involved solution for treating disqualified players. If during the verifiable secret sharing protocol or during the multiplication protocol a player is disqualified, then he is excluded from all further computation. Generally, the shares of a disqualified player must not be revealed. Indeed, the shares of up to tf disqualified players can simply be omitted (this is tolerated in the multiplication protocol). Thus, the first tf times that some player is disqualified the player is excluded from the computation, but no further steps are necessary. If more than tf players are disqualified, the multiplication protocol does not work anymore (there are not enough shares to interpolate the double-degree polynomial). However, among the disqualified players there are at most tf fail-corrupted players, and the other disqualified players (say k) must be actively corrupted. Hence, among the remaining (non-disqualified) players there are at most ta − k actively corrupted players. At this point, every intermediate value is reshared using a scheme for n0 = n−k players, tolerating only t0a = ta −k actively corrupted players. In order to do so, for every intermediate value, every player verifiably secret shares his share of that value among the n0 remaining players by using polynomials of degree d − k, and proves that the shared share is equal to his original share. This can easily be verified by computing the difference of these two shares (in a distributive manner, i.e. every player subtracts one share-share from the other) and by verifying that the difference is zero. Finally, the secret is interpolated in a distributive manner (interpolation is linear). This results in every player having a reduced-degree share of the secret which is committed by a reduced-degree polynomial. If during this degree-reduction protocol some players refuse to cooperate, these players are also disqualified and the reduction protocol restarts (with an increased k). The number of restarts is limited by ta because at most ta + tf players can ever be disqualified. The broadcast channel used in the protocol can be simulated by the broadcast protocol of [MP91] tolerating ta active and tf fail corruptions when 3ta + tf < n. (=⇒) In order to prove the necessity of the conditions of the theorem, assume that for some ta , tp , and tf there exists for every function a (ta , tp , tf )-secure protocol among n players. Trivially, each such protocol is also a (ta , tp )-secure protocol among n0 = n − tf players, simply by considering the case that the adversary fail-corrupts the last tf players at the very beginning of the protocol. However, as proven in Theorem 1, a (ta , tp )-secure protocol among n0 players exists for every function only if the conditions 2ta + 2tp < n0 and 3ta + tp < n0 are satisfied, which implies the conditions of the theorem. t u The following theorem shows that in the passive model, resilience against fail-corruptions is for free, i.e. the same bound that holds in the passive model

132

Matthias Fitzi et al.

also holds in a model in which the adversary may make the passively corrupted players fail. Theorem 5. A set of n players can compute every function perfectly securely with respect to an adversary that may passively corrupt and fail-corrupt up to t players if and only if 2t < n. The computation is polynomial in n and linear in the size of the circuit. Proof. The protocol described in the proof of Theorem 4 achieves this bound after some slight modifications: The degree of all polynomials is set to d = t, and whenever a player fails, then his share is reconstructed using the share-shares, and becomes common knowledge. Theorem 6. Allowing a negligible failure probability and given a broadcast channel, a set of n players can compute every function (ta , tp , tf )-securely if and only if 2ta + 2tp + tf < n. The computation is polynomial in n and linear in the size of the circuit. Proof (sketch). (⇐=) The protocol described in Theorem 2 needs to be modified along the lines of the modifications in the proof of Theorem 4. During the protocol, the shares of disqualified players are never reconstructed. Instead, the first tf disqualified players are simply excluded from the protocol, and their shares are omitted (are considered as erasures when interpolating). However, after more than tf players have been disqualified, it is impossible to perform further multiplications (there are not enough shares to interpolate the polynomial with double degree), and therefore all shared values are reshared using polynomials of smaller degree. In order to do so, the WSS of every share is upgraded to VSS, then the player verifiably secret shares the same share using VSS with reduced degree and proves that the same share was reshared. Finally, the secret is reconstructed in a distributive manner (interpolation is linear), using this new reduced-degree VSS, which results in each player having shared his reduced-degree share by WSS. If during this degree-reduction process a player refuses to cooperate, then this player is also disqualified and the degree-reduction process restarts (where the degree of the polynomials is decremented once more). (=⇒) The optimality of the conditions follows directly from the proof of Theorem 2 by assuming an adversary that corrupts the last tf players at the very beginning of the protocol (obtaining a protocol among n − tf players that is (ta , tp )-secure). Theorem 7. Allowing a negligible failure probability, without a broadcast channel, a set of n players can compute every function (ta , tp , tf )-securely if and only if 2ta + 2tp + tf < n and 3ta + tf < n. The computation is polynomial in n and linear in the size of the circuit. Proof (sketch). The additional condition 3ta + tf < n allows to simulate the assumed broadcast channel in the proof of Theorem 6 by a protocol [MP91]. The optimality of the condition follows immediately from the optimality of the condition in Theorem 6 and of the protocol in [MP91].

Trading Correctness for Privacy

5

133

Conclusions

We have proposed a new model for multi-party computation that, by considering the simultaneous presence of actively, passively and fail-corrupted players, is more general than those in the previous literature. We proved the exact conditions for the existence of unconditionally secure multi-party computation for four natural cases. Moreover, we gave constructions of efficient protocols for all cases. One of the main problems in multi-party computation is that it is not known a priori which players are corrupted. Trivially, if it is known in advance that a certain subset of the players are corrupted (the type of corruption is irrelevant), then the exact conditions for secure protocols to exist are those of this paper applied to the set of remaining players after elimination of the known cheaters. It is surprising that regarding fail-corruptions, this condition holds even when it is not known in advance which players will be fail-corrupted. This follows from the fact that in all bounds tf appears with coefficient only 1. In contrast, tp appears with coefficient 2, and hence every passive corruption must be compensated by one additional non-corrupted player. In the model with exponentially small error probability and a broadcast channel, misbehaviour is detected and hence active corruptions count equally as passive corruptions. In all other models, ta appears with coefficient 3, and hence every active corruption must be compensated by two additional non-corrupted players. Figure 1 summarizes our results. Because the conditions for protocols with failures are the same as those without failures when the number n of players is reduced by tf to n0 = n − tf , the bounds are illustrated only in two dimensions (ta and tp ) for a constant tf . The brightly shaded area is achievable by perfectly secure multi-party computation. By accepting an exponentially small failure probability, one can additionally achieve the semi-dark shaded area. Finally, if a broadcast channel is available, one can even achieve the dark shaded area. These bounds are tight.

n0 2 n0 3

ta 3 6 2

Broadcast 2ta +2tp < n0

Unconditional 0

Perfect

4 3ta < n 5

3ta +tp < n0

n0 = n − tf

1 tp -

n0 2

Fig. 1. Graphical representation of the results.

134

Matthias Fitzi et al.

For the following considerations we restrict our view to the special case with no fail-corruptions (tf = 0, and hence n0 = n). The classical results in unconditional multi-party computation are special cases of the mixed model. The results of Ben-Or, Goldwasser and Wigderson [BGW88] correspond to the points 1 (passive model) and 2 (active model) in Figure 1. The result of Rabin and BenOr [RB89] corresponds to point 3. The points 4 (ta = n/3, tp = n/6) and 5 (ta = n/4, tp = n/4) illustrate that the results of [BGW88] for the active as well as for the passive model can be improved. In addition to ta < n/3 actively corrupted players (point 2), one can tolerate additional tp ≤ n/6 passively corrupted players (point 4). However, this protocol has a negligible failure probability. When perfect security is required, there exist protocols that tolerate not only tp < n/2 passively corrupted players (point 1), but even half of these players being corrupted actively (point 5). Finally, by approaching point 5 from point 2 in the case of perfect security, we can improve the resilience for privacy by reducing the resilience for correctness: In perfectly secure multi-party computation, three additional passive corruptions can be tolerated instead of one active corruption, thus trading correctness for privacy.

Acknowledgments We would like to thank Ran Canetti for sending us early versions of [Can97,Can98] and David Chaum, Ronald Cramer, Rosario Gennaro, Tal Rabin, Markus Stadler, and Michael Waidner for interesting discussions. Finally, we are grateful to the anonymous referees for their constructive remarks.

References BGW88.

Can95.

Can97. Can98. CCD88.

CDG87.

M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proc. 20th ACM Symposium on the Theory of Computing (STOC), pages 1–10, 1988. 122, 122, 123, 123, 123, 123, 125, 125, 126, 127, 127, 128, 128, 129, 130, 130, 131, 131, 134, 134 R. Canetti. Studies in Secure Multiparty Computation and Applications. PhD thesis, Weizmann Institute of Science, Rehovot 76100, Israel, June 1995. 122 R. Canetti. Modular composition of multi-party cryptographic protocols, Nov. 1997. Manuscript. 122, 124, 134 R. Canetti. Security and composition of multi-party cryptographic protocols, June 1998. Manuscript. 122, 124, 134 D. Chaum, C. Cr´ epeau, and I. Damg˚ ard. Multiparty unconditionally secure protocols (extended abstract). In Proc. 20th ACM Symposium on the Theory of Computing (STOC), pages 11–19, 1988. 122, 122, 123, 123, 123, 123 D. Chaum, I. Damg˚ ard, and J. van de Graaf. Multiparty computations ensuring privacy of each party’s input and correctness of the result. In

Trading Correctness for Privacy

135

Advances in Cryptology — CRYPTO ’87, volume 293 of Lecture Notes in Computer Science, pages 87–119. Springer-Verlag, 1987. 122 CDM98. R. Cramer, I. Damg˚ ard, and U. Maurer. Span programs and general multiparty computation. Manuscript, 1998. 130, 130 CFGN96. R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multiparty computation. In Proc. 28th ACM Symposium on the Theory of Computing (STOC), pages 639–648, Nov. 1996. 122 CFSY96. R. Cramer, M. K. Franklin, B. Schoenmakers, and M. Yung. Multiauthority secret-ballot elections with linear work. In Advances in Cryptology — EUROCRYPT ’96, volume 1070 of Lecture Notes in Computer Science, pages 72–83. IACR, Springer-Verlag, May 1996. 123 CG96. R. Canetti and R. Gennaro. Incoercible multiparty computation. In Proc. 37th IEEE Symposium on the Foundations of Computer Science (FOCS), 1996. 122 CGKS95. B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan. Private information retrieval. In Proc. 36th IEEE Symposium on the Foundations of Computer Science (FOCS), pages 41–51, Oct. 1995. 123 CGT95. C. Cr´epeau, J. van de Graaf, and A. Tapp. Committed oblivious transfer and private multi-party computation. In Advances in Cryptology — CRYPTO ’95, volume 963 of Lecture Notes in Computer Science, pages 110–123. Springer-Verlag, 1995. 122 Cha89. D. Chaum. The spymasters double-agent problem. In Advances in Cryptology — CRYPTO ’89, volume 435 of Lecture Notes in Computer Science, pages 591–602. Springer-Verlag, 1989. 123, 123, 123, 124 DDWY93. D. Dolev, C. Dwork, O. Waarts, and M. Yung. Perfectly secure message transmission. Journal of the ACM, 40(1):17–47, Jan. 1993. 124, 124, 126 Dwo90. C. Dwork. Strong verifiable secret sharing. In Proc. 4th International Workshop on Distributed Algorithms ’90, volume 486 of Lecture Notes in Computer Science, pages 213–227. Springer-Verlag, 1990. 126 FKN94. U. Feige, J. Kilian, and M. Naor. A minimal model for secure computation. In Proc. 26th ACM Symposium on the Theory of Computing (STOC), pages 554–563, 1994. 122 FM88. P. Feldman and S. Micali. Optimal algorithms for Byzantine agreement. In Proc. 20th ACM Symposium on the Theory of Computing (STOC), pages 148–161, 1988. 129, 129 FR96. M. K. Franklin and M. K. Reiter. The design and implementation of a secure auction service. IEEE Transactions on Software Engineering, 22(5):302–312, May 1996. 123 Fra93. M. K. Franklin. Complexity and Security of Distributed Protocols. PhD thesis, Columbia University, 1993. 122 FY92. M. K. Franklin and M. Yung. Communication complexity of secure computation. In Proc. 24th ACM Symposium on the Theory of Computing (STOC), pages 699–710, 1992. 122 GHY87. Z. Galil, S. Haber, and M. Yung. Cryptographic computation: Secure faulttolerant protocols and the public-key model. In Advances in Cryptology — CRYPTO ’87, volume 293 of Lecture Notes in Computer Science, pages 135–155. Springer-Verlag, 1987. 123 GJKR96a. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust and efficient sharing of RSA functions. In Advances in Cryptology — CRYPTO ’96, volume 1109 of Lecture Notes in Computer Science, pages 157–172. SpringerVerlag, Aug. 1996. 123

136

Matthias Fitzi et al.

GJKR96b. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust threshold DSS signatures. In Advances in Cryptology — EUROCRYPT ’96, volume 1070 of Lecture Notes in Computer Science, pages 354–371. Springer-Verlag, May 1996. 123 GM93. J. A. Garay and Y. Moses. Fully polynomial Byzantine agreement in t + 1 rounds (extended abstract). In Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing, pages 31–41, San Diego, California, May 1993. 129, 129 GMW87. O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game — a completeness theorem for protocols with honest majority. In Proc. 19th ACM Symposium on the Theory of Computing (STOC), pages 218–229, 1987. 122, 122, 123 GRR98. R. Gennaro, M. O. Rabin, and T. Rabin. Simplified VSS and fasttrack multiparty computations with applications to threshold cryptography. In Proc. 17th ACM Symposium on Principles of Distributed Computing (PODC), 1998. 126, 126, 127, 127 HM97. M. Hirt and U. Maurer. Complete characterization of adversaries tolerable in secure multi-party computation. In Proc. 16th ACM Symposium on Principles of Distributed Computing (PODC), pages 25–34, Aug. 1997. 122 KO97. E. Kushilevitz and R. Ostrovsky. Replication is not needed: Single data base computationally-private information retrieval. In Proc. 38th IEEE Symposium on the Foundations of Computer Science (FOCS), pages 364– 373, 1997. 123 Kus89. E. Kushilevitz. Privacy and communication complexity (extended abstract). In Proc. 30th IEEE Symposium on the Foundations of Computer Science (FOCS), pages 416–421, 1989. 122 KY. A. Karlin and A. C. Yao. Unpublished manuscript. 129 LSP82. L. Lamport, R. Shostak, and M. Pease. The Byzantine generals problem. ACM Transactions on Programming Languages and Systems, 4(3):382–401, July 1982. 129, 129 MP91. F. J. Meyer and D. K. Pradhan. Consensus with dual failure modes. In IEEE Transactions on Parallel and Distributed Systems ’91, volume 2, pages 214–221, 1991. 124, 124, 131, 132, 132 MS81. R. J. McEliece and D. V. Sarwate. On sharing secrets and Reed-Solomon codes. Communications of the ACM, 24:583–584, 1981. 126 RB89. T. Rabin and M. Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority. In Proc. 21st ACM Symposium on the Theory of Computing (STOC), pages 73–85, 1989. 122, 122, 123, 123, 123, 123, 123, 128, 128, 129, 129, 129, 129, 129, 129, 134 SDFY94. A. de Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to share a function securely. In Proc. 26th ACM Symposium on the Theory of Computing (STOC), pages 522–533, 1994. 123 Sha79. A. Shamir. How to share a secret. Communications of the ACM, 22:612– 613, 1979. 125 Yao82. A. C. Yao. Protocols for secure computations. In Proc. 23rd IEEE Symposium on the Foundations of Computer Science (FOCS), pages 160–164. IEEE, 1982. 122, 123

Fast Digital Identity Revocation (Extended Abstract) William Aiello1 , Sachin Lodha2? , and Rafail Ostrovsky1 1

2

Bell Communications Research, [email protected] [email protected] Rutgers University Computer Science Department, [email protected]

Abstract. The availability of fast and reliable Digital Identities is an essential ingredient for the successful implementation of the public-key infrastructure of the Internet. All digital identity schemes must include a method for revoking someone’s digital identity in the case that this identity is stolen (or canceled) before its expiration date (similar to the cancelation of a credit-cards in the case that they are stolen). In 1995, S. Micali proposed an elegant method of identity revocation which requires very little communication between users and verifiers in the system. In this paper, we extend his scheme by reducing the overall CA to Directory communication, while still maintaining the same tiny user to vendor communication. We contrast our scheme to other proposals as well. Keywords: Certificate authority, certificate revocation, signatures, public-key infrastructure, digital identities.

1

Introduction

MOTIVATION: Digital identities (and author-identities of messages) are essential for business, private, and government use of the Internet. For example, they are needed for on-line shopping, business-to-business transactions, on-line banking, code-authentication, company-internal identities, etc. (see, for example [16,17]). The U.S. Federal government, NIST, the U.S. Post-office, Visa and Master Card, some major banks, and private companies (like VeriSign, SIAC, IBM, GTE, and Microsoft) are all building digital identity infrastructures. While the general design of all these schemes is similar, and relies on public-key cryptography and Certificate Authority services, the details (and hence the efficiency) of what it means for a digital identity to be valid , and how it can be revoked differs from scheme to scheme. ?

Part of this work was done while this author visited Bellcore, also partially supported by DIMACS.

H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 137–153, 1998. c Springer-Verlag Berlin Heidelberg 1998

138

William Aiello et al.

THE GENERAL SETTING: The general setting consists of two ingredients blended together, namely, public-key cryptography [1] and a Certificate Authority Infrastructure (PKI). We briefly review both notions. Public-key cryptography encompasses digital signatures and public-key encryption. A digital signature scheme is a triple of algorithms, a key generation algorithm which generates a public key and a secret key, the signing algorithm and the verification algorithm. The signing algorithm uses the public and private key to generate a signature for an arbitrary document. The verification algorithm uses just the public key to verify the signature of a document. The specifications require that all signatures generated with the valid secret key are verified by the verification algorithm; and, without the private key it is computationally infeasible to generate a signature for a (previously unsigned) message which the verification algorithm would accept. Public-key encryption is also a triple of algorithms, a key-generation algorithm which produces private and secret keys an encryption algorithm and a decryption algorithm. Anyone, given the public key can encrypt a message using the encryption algorithm, but only those who have the secret key can efficiently decrypt. For formal definitions and further details see [13,3,4]. When using public-key cryptography over the Internet, the main issue is the ability to associate the right public-keys to the right individuals/organizations. The overall strategy for doing so is as follows. In its simplest form, we assume one or more trusted Certificate Authority (CA) centers which initially run the signature key generation algorithm to compute its own public and secret keys. Each CA holds its secret key under great security but widely distributes (say, publishes in NY-Times) its public key (or uses some other method to “bind” the public key to the CA). Now, any entity, who wishes to establish its digital identity with this CA, first generates its own public-key/private-key pair. Then, it submits its public key along with its name and other required identifying information to this CA. The CA checks the name and identifying information and if satisfied signs the public key and the name of the individual along with some subset of the identifying information, including expiration date a serial number, and possibly other information. (The amount of identifying information and the scrutiny of the information checking establish the level of trust with which a public key is “bound” to the identified entity.) Now, any user can verify that a message came from this individual by verifying both the signature of the message against a given public key and also verifying that this public key together with the right name and the valid expiration date are properly signed by CA. The above simple scheme extends to various hierarchies of CA structures (such as Federal Public Key Infrastructure (PKI) hierarchy, banks, company-internal CA, etc.) where a user will belong to many such hierarchies [14]. (See also [15] and references therein for more general structures.) For all these schemes, no matter what the structure is, one of the main bottlenecks is the issue of revocation. THE MAIN BOTTLENECK: When a public-key, together with an expiration date, is signed by a CA, there remains a risk. That is, a user’s private key and

Fast Digital Identity Revocation

139

certificate may be stolen/compromised, or a company’s private key and certificate may be retained by a former employee. Without a method for certificate revocation, these keys may be used by unauthorized parties. Just as with creditcards, occasional revocation is a fact of life. According to some estimates, about 10% of public keys will usually be revoked before they expire [9]. Thus, an important element of any CA scheme (or hierarchy) is its revocation procedure. Notice, that with revocation, the above simple setting becomes more involved, since now to verify that some public key is valid, one must not only check that it has been signed by the proper CA, but also that is has not been revoked. (Moreover, in case of CA hierarchy, one must certify that the CA public key has not been revoked either). Thus, the definition of one’s identity depends on the revocation rules in an essential way. In this paper, we extend an elegant method of S. Micali [9,10] of doing revocations. Before we explain our approach, let us review the design objectives and previous work done on this issue. THE SETTING: Our setting is the one identical to [9]. We review it here. We consider some finite universe of users. The setting consists of one or several trusted certificate authorities, which distribute, at regular intervals (for example, each day), information regarding revoked certificates to several untrusted directories D. (The reason for having many directories is to allow replication of data) For each day, any directory should be able to provide a proof whether any user’s u public key is valid or revoked. Of course, we insist that the directory (which is untrusted) can not cheat and change revocation status for any user. The proof of the revocation status the Directory can provide either to user himself (who can then pass it along to any vendor or any other user who wishes to check that the user’s identity is still valid). The critical costs of the scheme are of course the size of the proof of the validity of user’s identity (i.e., this proof should be as small as possible, since this is the most frequently used operation,) as well as the communication from Certificate Authority to the Directories for each period. PREVIOUS WORK: We briefly discuss some of the earlier work done on this problem. Previous to our work, three possible revocation strategies were proposed: the “centralized on-line solution”; Certificate Revocation Lists (see, for example, [16]) and Micali’s proposal and patent [9,10]. Independent of our work, two other schemes by Kocher [6] and Naor and Nissim [11] have been proposed. We review all these schemes below and point out the differences. In the centralized on-line solution, similar to credit-cards, there is a CA trusted central database, which maintains the status of all public-keys that have not expired. The user, in order to verify that a public-key has not been revoked makes a query to this central database, and receives an answer. The answer must be authenticated, either implicitly by use of a private network, with a CA signature, or with CA private-key authentication, provided that the CA shares with this user a private authentication key. This centralized solution has several drawbacks: the CA must be accessed for the verification processes on-line (or

140

William Aiello et al.

risk using revoked public-key) and its answer must be authenticated (to prevent man-in-the-middle attacks of somebody impersonating to the CA). The centralized on-line solution is not acceptable in many cases, and thus a distributed solution is sought. One such solution is the so-called Certificate Revocation List (CRL) (see, for example, VeriSign [16]). In this approach the CA composes a list, say each day, of all keys thus far revoked and signs this list. This list along with the CA’s signature of the list is the CRL for that day. Each day the CA sends the CRL to all the untrusted revocation directories all over the network. To verify a public key certificate, the verifier first checks the expiration date. If the certificate has not expired it contacts any directory for that day’s CRL. If the public key does not appear in the CRL it is still valid. This solution is better than the centralized solution, since now many sites maintain the CRL list, and every such site, instead of maintaining the status of all public-keys must only maintain a list of revoked public-keys, where typically R, the number of revoked keys is much less than the number of keys N . The drawback is that the proof that some key is still valid is the entire CRL list, signed by the CA. In 1995 Micali proposed a scheme in which a verifier needs only a small number of additional bits beyond a user’s signature and the user’s public key certificate and only a small amount of extra computation to insure that the user has not been revoked [9,10]. In this scheme, Micali uses the idea of off-line/online signatures [2], which in turn builds on the work of Lamport [7]. The basic idea is as follows. Let f be a one-way permutation which is easy to compute but hard to invert (in practice, MD5 or other hash-functions are used). Now, for each user, u, the CA picks a random xu and computes yu = f (f (f · · · f (xu ))), where f is applied, for example, for 365 times to compute yu . This yu is called user u’s “0-token.” For each user the CA includes the user’s 0-token along with the users public key, and expiration date and other certificate information in its signed certificate. Now, after the first day, for each user u whose public key has not been revoked that day, the CA releases user u’s “1-token”, f −1 (yu ), to the directories in the network (which is can compute from xu or from cached intermediate values of f i (xu )). Note that, given a 0-token for a user u it is easy to check whether a candidate token is a 1-token for user u, but computationally infeasible to compute a 1-token for user u. To verify on the second day that the public key of a user u was not revoked on the first day, a verifier gets a candidate token from a directory or a candidate token from the user (who retrieved it already from a directory). The verifier then checks whether the candidate is a 1-token for the user. In general, if u’s certificate is not revoked up through day i, the CA provides u’s i-token, f −i (yu ), to the directories. Verifier on the i + 1st day check whether candidate tokens are i-tokens for users. The advantage of the scheme is that communication between a directory and a user (or verifier) is small and need not be authenticated. If a given protocol calls for the user to retrieve the day i-token from the directory then the token remains a short certificate for day i + 1 that user has not been revoked. In addition, verifying a day i-token is less expensive then verifying the signature of a CRL. The disadvantage is that the scheme requires (for each day) the CA to send N − R tokens to each

Fast Digital Identity Revocation

141

directory where N is the number of public keys and R is the number of revoked keys. Micali also considers (as in our setting) the case where a directory may act maliciously by not forwarding the day i-token of a user it received from the CA to the user or verifier. A non-revoked user could thus be considered revoked by a verifier. To prevent this Micali modifies his scheme as follows. For each user the CA also chooses a random x0u , the “revocation token,” and includes f (x0u ) in u’s certificate, along with the 0-token and other certificate information. When u’s public key is revoked the CA sends the revocation token to the directories. When a directory is queried about a user on day i + 1 it must return either the day i-token or the revocation token for that user. Recently, Naor-Nissim [11] have improved upon a scheme of Kocher [6]. We will describe the requirements of their scheme. For the details of the scheme see [11]. For R revoked keys, in the Naor-Nissim scheme the CA maintains an authenticated 2-3 tree of hash values of depth O(log R). For each public key which is revoked in an update period, the CA must update this special tree by computing O(log R) new hash values. As long as one key is added to this revocation tree the root must be recomputed and signed. The CA sends to the directories the lists of users to insert and delete, and a signature of the root. The directories insert and delete the users from the tree, recompute the hash values and check the signature of the root. When a user queries a directory concerning the revocation status of a key, the directory sends O(log R) hash values and the signature of the root. To verify the revocation status of a key, a user must compute O(log R) hash values, compare them in a specified way with the hash values from the directory and verify the signature of the root hash value. In summary, the CA to Directory communication of Naor-Nissim scheme is superior to our scheme (as well as Micali’s scheme) but the verification of the revocation status of the user (or vendor) is smaller for Micali scheme and our scheme. OUR RESULTS: We will build on Micali’s scheme [9,10] to maintain its advantage of efficient verification. Recall that in Micali’s scheme every user’s certificate contains one 0-token. In order for the user to remain unrevoked on day i + 1 the CA must publish the i-token associated with the user’s 0-token. In our scheme the CA will incorporate k 0-tokens into the certificate for each user rather than just one, where k will be a parameter of our scheme. The sets of 0-tokens for the users will be distinct, however, the sets may intersect substantially. The rule for remaining unrevoked will now be slightly different. In order for a user to remain unrevoked on day i + 1 the CA need only publish an i-token associated with one of the user’s 0-tokens. Since the sets of 0-tokens may intersect, one i-token may act as a certificate of non-revocation for many users. Thus the CA may not need to publish N − R tokens when R keys have been revoked as in Micali’s scheme. For example, we show that if the number of 0-tokens in each certificate is log N , and the sets of 0-tokens in each user’s certificate are selected properly, then the number of tokens a CA must publish during an update period is R log N/R. In this paper we insist that the proof from user to vendor of the validity of user’s ID remains very small, as in Micali’s scheme. For the scheme of Naor-

142

William Aiello et al.

Nissim, this is not the case (i.e., while [11] substantially save on the CA to Directories communication over [9], their proof of validity is bigger). In this paper, we study the tradeoff between the number of 0-tokens needed in a certificate and the number of tokens a CA must publish per update period. We summarize our results (and compare it to Micali’s scheme) below. Note that N stands for the number of not-yet-expired certificates, R stands for number of revoked certificates, and c is a parameter in the general scheme, typically a constant. Scheme # Tokens from # Tokens per Name CA to directories Certificate Micali’s Scheme N −R 1 Our Hierarchical Scheme R log (N/R) log N Our Generalized Scheme R logc (N/R) + R (2c−1 − 1) logc N

Table 1. Comparison of Our Results and Micali’s scheme

Notice that if the number of revocations is small our scheme is faster then Micali’s approach. However, even if the number of revocations is large, and in fact for any value of R, 0 ≤ R ≤ N we show that the information update cost is better then the above table indicates, and in fact is always smaller then N − R of Micali’s scheme. In practical settings, both our hierarchical scheme and our general scheme with c = 3 provide savings in communication compared to the Micali’s approach. (For example, for the hierarchical scheme, with 10% revocation rate we gain 2.7 multiplicative factor improvement, and for 1% revocation rate we gain 14.9-fold improvement over Micali’s communication from CA to Directories, while still required a single hash-value (i.e. 128 bits) proof of the validity of one’s identity. For the generalized scheme with c = 3 we get 2.9-fold improvement for the 10% revocation rate and 19-fold improvement for 1% revocation rate) If the percentage of revoked users is smaller then the savings are more substantial. We should remark here that Micali’s method to avoid malicious directories by including one extra token in each certificate applies to our scheme as well and we will not explicitly include this in the description of our scheme. In the Naor-Nissim scheme [11], the communication from CA to Directories is smaller then our scheme and Micali’s scheme. However, both Micali’s scheme and our scheme, the directories need only send one token (of 128 bits) in response to a query about any key. Paper outline: In the next section we describe our scheme and prove a bound of R log R/N on the number of tokens the CA must send the directories. In Section 3 we describe a generalization of our scheme which requires the CA to send asymptotically fewer tokens to the directories using a novel complement cover construction. (We believe that this construction is of independent interest, and might be useful for other purposes as well.) In Section 4 we describe a variant of our scheme which includes an incremental feature. That is, if some public key

Fast Digital Identity Revocation

143

is revoked on day i, we do not have to pay for this on the following days (i.e. we pay for each revocation only once.) We now proceed with the details of our scheme.

2 2.1

Hierarchical Scheme Description of the Scheme

For concreteness, we will assume that certificates are valid for D days and that certificates are revoked once per day. Let f be a one-way permutation from n bits to n bits. Consider the following sequence: (r, f (r), f 2 (r), . . . , f D (r)) where r is a uniformly chosen n bit string. We will call this the chain of r and denote it by cr . We will index this sequence in reverse order and starting from 0. That is, the 0th element of the sequence,cr (0), is f D (r). We will call this the 0-token of the chain of r. Similarly, cr (1) = f D−1 (r) which we will call the 1-token of the chain of r. Note that the 1-token is the inverse of the 0-token, i.e., cr (1) = f −1 (cr (0)) = f D−1 (r). More generally, define cr (j) = f −j (cr (0)) = f D−j (r), j ≥ 1. We will call cr (j) the j-token of the chain of r. Note it is easy to verify whether a token τ is an i-token of a chain once the 0-token (or a j-token, 0 ≥ j < i) of a chain is known. Simply compute f i (τ ) (f i−j (τ )) and check for equality with the 0-token (j-token). However, by the properties of a one-way permutation, given any number of the j-tokens of a chain, 0 ≥ j < i, it is computationally infeasible to compute the i-token of the chain. Before we describe our revocation scheme it will be useful to review Micali’s revocation scheme. In the Micali scheme, for each user v there is a random n bit string rv and a chain crv . For notational simplicity we will hereafter refer to this as the chain of v and denote it by cv . In this scheme the 0-token of v, cv (0), is incorporated into the certificate of v which is signed by the CA. If user v has not been revoked up to and including day i then the CA will issue the i-token of v in response to queries about the status of user v’s certificate. Otherwise, the CA will not issue an i-token. To verify that signer v has not been revoked up to and including day i, a verifier must have v’s certificate and a candidate i-token τ for v which he obtains from either the CA, a directory, or v (who had previously obtained it from the CA or a directory). He accepts that v has not been revoked up to and including day i if τ is verified to be the i-token of v. We will now describe our first and simplest scheme for revocation. For simplicity we will assume that the number of users N = 2l is a power of 2 and that all users are issued certificates at the beginning of day 1. (We remark that these assumptions can be relaxed. We introduce them here for the clarity of exposition.) Each user is given an l bit id v ∈ {0, 1}l . We associate these ids with the leaves of a labeled complete binary tree of height l in the natural way. That is, label the root by the null string φ, and label its two children by 0 and 1. Given any node in the tree whose label is a binary string s of length less than l, label

144

William Aiello et al.

one child with s0 and the other with s1. For each node u in this tree the CA computes a chain cu . For an l bit id, v, let (φ = v0 , v1 , . . . , vl−1 , vl = v) denote the nodes on the path from the root to v in this tree. Call the set of chains for this path the path of chains of v which we denote by pcv , i.e., pcv = (cv0 , . . . , cvl ). Furthermore, call the set of i-tokens of this path of chains the path of i-tokens of v and denote this symbolically as pcv (i), i.e., pcv (i) = (cv0 (i), . . . , cvl (i)). Of course, given the path of 0-tokens of v it is easy to verify whether a token τ is on the path of i-tokens of v (and even easier to verify whether τ is the i-token of, say, the jth node on the path). The CA’s Certificates: When creating a certificate for user v, the CA includes pcv (0), the path of 0-tokens of v, in the certificate (rather than just including the 0-token of chain cv in the certificate as in the Micali scheme). Note that this path consists of log N + 1 0-tokens. The CA’s Update Operation: Let Ri be the set users which have been revoked at some point up to and including day i. At the end of day i, the CA will calculate a subset of nodes of the labelled tree, called the day-i verification nodes with the following two properties. 1. For every v ∈ / Ri , there is at least one node of the path of v which is a day-i verification node. 2. For every user r ∈ Ri , none of the nodes on the path of r is a day-i verification node. For each node which is a day-i verification node, the CA can compute (or has cached) the i-token of that node. Call the collection of all such i-tokens the day-i verification tokens. The CA sends the day-i verification tokens to the directories. A Directory’s Query Response: In response to queries on day i + 1 concerning user u, if u has not been revoked through the end of day i, then at least one node on the path of u is a day-i verification node. The directory issues the i-token of one such node. This i-token is, by definition, a member of the day-i verification tokens. If u has been revoked, no node on the path of u is a member of the day-i verification nodes and, hence, the directory cannot issue an i-token. The Verifier’s Operation: A verifier v must verify both the signature of a signer u and u’s certificate. This certificate contains the path of 0-tokens of u. We assume that the verifier has retrieved u’s certificate and a candidate i-token, τ , from either the signer, the CA, or a directory. He accepts that u has not been revoked up to and including day i if τ is verified to be an i token of one of the nodes on the path of u. By property 1 of the day-i verification nodes, for a non-revoked signer u, an i token of one of the nodes on the path of v will be available for the verifier and the verifier will thus accept v.

Fast Digital Identity Revocation

145

By property 2 of the day-i verification nodes, and the definition of oneway permutation, it is computationally infeasible for a revoked user, u, or any accomplice to deliver a token to the verifier which the verifier will accept as being an i-token of a node on the path of u. Calculating the Day-i Verification Nodes Given a set of revoked users Ri , the CA can calculate the day-i verification nodes by operating on the labelled tree as follows. First, mark as “revoked” every node in the path of every revoked user. Now, the day-i verification nodes consists of all non-revoked nodes which are children of a revoked node. It is easy to verify that this set satisfies the two properties above and moreover, that it is the minimal set which satisfies these two properties. As an example, suppose that none of the users have been revoked on day one, then the set of day-1 verification tokens consists of a single token: the 1-token of the root. Since this 1-token is on every users’ path of 1-tokens, a verifier which is given this token will accept every user. As another example, suppose that the user denoted by the string of all 1s is revoked the 1st day. The day-1 verification tokens consists of the 1-tokens of the l nodes 0, 10, 110, . . . , 11 · · · 110. It is easy to verify that this set can be used to accept all but the revoked user. In the next section we analyze the size of the set of verification nodes as a function of the number of revoked users. 2.2

Size of the Set of Verification Nodes

In this section we derive an upper bound on the number of day-i verification nodes (and hence the number of day-i verification tokens) as a function of the number of nodes which have been revoked up to and including day i. Let N denote the number of users and r be the number of revoked users. Definition 1. Let T¯(N, R) be the number of verification nodes in the labelled tree for N users when the set of revoked users (leaves) is R. Let T (N, r) = max|R|=r T¯ (N, R). We will assume that N is a power of 2. We now prove the following. Theorem 1. For r = 0, T (N, r) = 1. For 1 < r ≤ N/2, T (N, r) ≤ r log (N/r). And, for N/2 ≤ N T (N, r) ≤ N − r. Proof Sketch: Let N = 2l so that the labelled tree is a complete binary tree of height l. When |R| = r = 0, the set of verification nodes just consists of the root of the labelled tree and thus T (N, 0) = 1 for all N . When r = 1, our algorithm will mark as revoked all the nodes on the path of this revoked user. The algorithm puts all nodes which are children of revoked nodes into the set of verification nodes. There are log N such children. So, T (N, 1) = log N ∀N . Now consider the case when r > 1. First consider the case when r = 2k , k ≥ 1, is a power of 2. Consider the r subtrees in the labelled tree whose roots

146

William Aiello et al.

are the nodes at depth k in the labelled tree. These trees have height l − k. We ˜ as follows. R, ˜ for |R| ˜ = r, is in R ˜ if there is define the family of revoked sets R ˜ in each of the subtrees of height l − k. exactly one revoked user of R ˜∈R ˜ each By our previous analysis for one revoked user in a tree, for any R subtree of height l − k requires l − k verification nodes. Note that no other ˜ ∈ R, ˜ the total number of verification nodes are required. Hence, for any R ˜ is just r(l − k) = r log N/r. We will now show that verification nodes, T (N, R), ˜ that T¯ (N, R) < r log N/r. Actually we will prove the stronger for any set R ∈ / R, statement in the lemma below. We will use the following definition. For any set of revoked users R let sR be the number of subtrees of height l − k with no elements of R. Lemma 1. For r a power of 2 and for any set of revoked users R of size r there ˜ in R ˜ such that T¯ (N, R) ≤ T¯ (N, R) ˜ − sR . is a R Proof: We begin with two simple lemmas. Lemma 2. Let R be the set of revoked leaves and consider a maximal subtree with no revoked leaves of height h. Let u be a leaf of this subtree. Then, T¯ (N, R ∪ {u}) = T¯(N, R) + h − 1. To see this note that for the set R the subtree was covered by one verification node at the root of the subtree. However, the number of verification nodes in the subtree after u is added to the revoked set is h. t u Lemma 3. Let R, for |R| ≥ 2 be the set of revoked leaves and consider a minimal subtree containing exactly two elements of R of height h0 . Let u be one of the two elements. Then T¯(N, R − {v}) = T¯ (N, R) − (h0 − 2). To see this note that in R the subtree has 2h − 2 verification nodes whereas R − {v} it has h verification nodes. We will prove the Lemma 1 by induction. That is, we will show that for any R with |R| = r and sR ≥ 1, there is an R0 with |R0 | = r such that sR0 = sR − 1 and T (N, R) ≤ T (N, R0 ) − 1. Clearly, the lemma will then follow. t u So, consider an R with |R| = r and sR ≥ 1 subtrees of height l − k with no elements of R. Let u be one of the leaves of one of these subtrees. Let v be a leaf in R of a subtree of height l − k with two or more leaves in R. Such a subtree must exists. Let R0 = (R/{v}) ∪ {u}. Note that the number of subtrees of height l − k with no elements of R0 is sR − 1. The maximal subtree containing u but containing no elements of R has height at least l − k. The minimal subtree containing v and exactly one other element of R has height at most l − k. Thus using the two claims, we conclude that T¯ (N, R) ≤ T¯ (N, R0 ) − 1. This concludes the proof of the lemma. t u We now consider the case when r is not a power of 2. We write r as 2k + m ˜ in where k = blog rc and 0 < m < 2k . We define the family of revocation sets R ˜ a similar fashion to the case when r is a power of two. The revocation set R is in ˜ if R ˜ has the following properties. Call a subtree of height l − k − 1 a i-subtree R

Fast Digital Identity Revocation

147

˜ Now, of the 2k+1 subtrees of height l − k − 1, r = 2k + m if i of its leaves are in R. of them are 1-subtrees and 2k − m of them are 0-subtrees. Furthermore, each of the 0-subtrees is “paired” with a 1-subtree. That is, the sibling of the root of each 0-subtree is a root of a 1-subtree. (Note that such a pairing is possible since the number of 0-subtrees is strictly less than the number of 1-subtrees.) ˜ in Now let us consider the number of verification tokens required for a R ˜ R. Because each 0-subtree is paired with a 1-subtree, the root of each 0-subtree must be a verification node. The number of verification nodes required for each 1˜ in R, ˜ T (N, R) ˜ = r(l − k − 1) + 2k − m. subtree is just l − k − 1. Thus, for each R k ˜ If r > N/2 so that k = l − 1, then T (N, R) = 2 − m = N − r. Otherwise ˜ = r(l − k) − 2m. Since T (N, R) r log (r/2k ) = r log (1 +

m r ) ≤ m k < 2m k 2 2

it follows that r log (N/2k ) − 2m ≤ r log (N/r). As before, for an arbitrary revocation set R we define sR to be the number of 0-subtrees for R. Note that sR ≥ 2k − m for every R of size r = 2k + m. As in ˜ have the maximum the case when r is a power of two, the revocations sets in R number of verification nodes. This follows from the following lemma. Lemma 4. Consider a set of revoked users R whose size, 2k + m, is not a power ˜ in R ˜ such that T¯(N, R) ≤ T¯(N, R) ˜ − (sR − of 2. For each such R there is a R k (2 − m)). Proof: The proof is in two stages. In the first stage we start with an arbitrary R and find an R0 with 2k − m 0-subtrees such that T¯(N, R) ≤ T¯(N, R0 ) − (sR − (2k − m)). The first stage is identical to the proof of Lemma 1. It proceeds by induction. Each step reduces the number of 0-subtrees by one and increases the number of verification nodes by at least one. The second stage begins with R0 ˜ ∈ R. ˜ We will illustrate the first step of this stage. If R0 ∈ ˜ and ends with an R /R then there are two 0-subtrees whose roots are siblings and two 1-subtrees whose roots are subtrees. Let v be one of the elements of R0 in one of the two 1-subtrees and let u be a leaf of one of the 0-subtrees. Let R00 = (R0 /{v}) ∪ {u}. By our previous claims T (N, R0 ) ≤ T (N, R00 )− 1. This process can proceed by induction on the number of 0-subtrees paired with 1-subtrees until we have a verification ˜ ∈ R. ˜ set R t u We remark that T (N, r) ≤ N − r. This can be shown algebraically or just by observing that by construction, the number of verification nodes is never more than the number of non-revoked users. The number of tokens the CA needs to issue after r users have become revoked is at most T (N, r) in our scheme, and hence, this is at most the number of tokens the CA needs to issue in the Micali scheme which is N − r. For small r there is a large gap between the number of tokens which need to be issued in both schemes. For example, if r = N/64 (i.e., a revocation rate of approximately 1.5%), then N − r = (63/64)N is larger than T (N, r) ≤ (6/64)N by almost a factor of ten.

148

3

William Aiello et al.

Generalized Hierarchical Scheme

In this section we will first describe a set-theoretic object we call a complement cover family. We will then show that it properly captures the idea of assigning tokens to the non-revoked users. Finally, we will describe several complement cover families which thus yield constructions for the revocations problem. 3.1

Complement Cover Families

Consider a universe U of size N . Let R be any subset of U and let S and F ¯ = U − R denote the complement of R. denote families of subsets of U . Let R S ¯ Definition 2. S is a complement cover of R iff W ∈S W = R. Definition 3. F is a complement cover family of U iff for every subset R of U , F contains a complement cover of R. That is, for every subset R of U , there is a subset S of F such that S is a complement cover of R, We will see below that for all of our constructions of a complement cover family F, for every subset R of U , there is a unique subset S of F which is a complement cover of V . We will call such families unique complement cover families. For any unique complement cover family F , and every subset R of U , let CCF (R) denote the unique complement cover of R which is contained in F. Furthermore, denote the function δF as the size of the complement cover of F which is defined as follows: δF (r) = maxR∈U,|R|=r |CCF (R)|. For every complement cover F and every element of u ∈ U , define HF (u) as the sets in F which contain u. Let hF (u) = |HF (u)| denote the height of u in F . By abuse of notation, define the height of F , hF as maxu∈U hF (u). Note that if u∈ / R then the intersection of CCF (R) and HF (u) is not empty, otherwise it is empty. This follows from the definition of a complement cover family. We will now show how a unique complement cover family can be used as a data structure for certificate revocation. Let U be the set of users and F a unique complement cover family of U . The CA creates a chain for each set S of F. Call this chain cS . The CA’s Certificates: Recall that for every user u, HF (u) is the collection of subsets which contain u. For each such subset there is a chain. Call this set of chains the chains of HF (u). Denote the set of i-tokens of the chains of HF (u) as the i-tokens of HF (u). The certificate signed by the CA of each user u contains the 0-tokens of HF (u). The CA’s Update Operation: As before, let Ri denote the set of users which have been revoked at some point up to and including day i. At the end of day i, The CA will set the day-i verification sets to be CCF (Ri ), the complement cover of Ri . Define the set of day-i verification tokens to be the i-tokens of each set in the complement cover of Ri . The CA sends the day-i verification tokens to the directories.

Fast Digital Identity Revocation

149

A Directory’s Query Response: In response to queries on day i + 1 concerning user v, if v has not been revoked through the end of day i, the directory computes the intersection of HF (v) and CCF (Ri ). The directory issues an i-token of one of the sets in the intersection. Note that this i-token is in the set of day-i verification tokens. If v has been revoked, the intersection is empty and, hence, the directory cannot issue a token. The Verifier’s Operation: The day-i verification tokens are used by verifiers on day i + 1 to test whether users have or have not been revoked at some point up through the end of day i. This is done as follows. For a signer, v, as before a verifier is given v’s certificate. This certificate contains the 0-tokens of HF (v). In addition the verifier retrieves a candidate i-token, τ , from either the signer, the CA, or some other source. He accepts that v has not been revoked up to and including day i if τ is verified to be one of the i-tokens of HF (v). By the definition of the complement cover of Ri , for a non-revoked user v one of the i-tokens of HF (v) will be available for the verifier and the verifier will thus accept v. In addition, by the definition of one-way permutation, it is computationally infeasible for a revoked user or any accomplice to deliver a token to the verifier which the verifier will accept as being an i-token of HF (v). Since unique complement cover families are useful as revocation data structures we are interested in finding a family F of U such that 1. |F| is O(N c ) for some small constant c, i.e., number of chains required in the system is practical. 2. hF is small, i.e., the number of 0-tokens in the certificate of every user is small. 3. The complement cover of every set, CCF , can be efficiently computed. 4. The size of the complement covers, δF (·) as a function of the size of the revoked users is small. 3.2

Example Complement Cover Families

We consider two extreme, but simple, solutions for this problem : S – F = {{1}, {2}, . . . , {N }}. Given any R, U − R = x∈R / {x}. Thus, F is a complement cover of U . Clearly, |F | = N . Note that δF (r) = N − r and hF = 1. Observe that this corresponds to Micali’s scheme. Note that since δF (r) = N − r, the number of tokens the CA must issue when r is small is quite large. – F = 2U . Given any R, U − R ∈ F . So, δF (r) = 1. Thus, the number of day-i verification tokens is 1 regardless of the number of revoked users. However, the certificate size is hF = 2N −1 and |F | = 2N . Thus, the solution is obviously not practical because the size of the certificates and the CA’s data structure is exponential. These two families stand at two opposite poles - the first family has small size and small hF but a large δF , and the second family has a small δF but large size and large hF . Below we will describe a scheme which has the advantages of both of the above.

150

William Aiello et al.

3.3

Description of General Scheme

We will now describe a construction for a unique complement cover family which is parameterized by integer c ≥ 2. For simplicity, suppose that N = cl for some positive l. The first subset we put into the family is the entire set of cl elements. We next divide the elements into c subsets of size cl−1 each and put these subsets into the family. These are level 1 subsets. Further divide each level 1 subset into c subsets of size cl−2 . These are level 2 subsets. Continue dividing the subsets and adding them to the family until all the level l subsets of size one have been added to the family. The collection of level i subsets which are subsets of the same level i − 1 subset are called siblings and the level i − 1 subset is called their parent. For example, in Fig. 1, {4}, {5} and {6} are siblings in level 2 and their parent is {4, 5, 6}. Note that thus far we have (cl+1 − 1)/(c − 1) subsets in the family and every element of U is in l + 1 sets. If c = 2 we are done. Otherwise, we will continue to add to this family as follows. For each collection of sibling subsets do the following. First, form subsets which are the union of any two siblings. There are 2c such subsets. Add these to the family. Then, form the subsets which are the union of any three siblings. There are 3c such subsets. Add these to the family. In general, form the ci subsets which are the union of i siblings, for 1 < i < c, and add these to the family. This completes the subsets of the family. Using edges to represent the (maximal, nontrivial) subset relation, this complement cover family can be represented by a graph. See Fig. 1 for an example when c = 3 and N = 32 .

{1,2,3,4,5,6,7,8,9}*

{1,2,3,4,5,6}*

{4,5,6,7,8,9}

{1,2,3,7,8,9}*

Level 1 {1,23}*

{1,2}*

{1}*

{1,3}*

{2}*

{4,5,6}

{2,3}*

{3}

{4,5}

{4}

{4,6}

{5}

{7,8,9}

{5,6}

{6}

{7,8}

{7}

{7,9}

{8}

Siblings

{8,9}

{9}

Level 2 Siblings

Fig. 1. An example of the complement cover of {1, 2} for c = 3 and N = 9. The revoked nodes are marked with an asterisk. The sets which comprise the complement cover are circled.

Fast Digital Identity Revocation

151

The size of this family is 2c cl − 1 c (2 − 2) + 1 ≤ N . c−1 c−1 Also, it is easy to see that every element of U is in l(2c − 1) + 1 = hF ≤ 2c log N/ log c subsets of F. The complement cover of a revoked set R, CCF (R), can be computed as follows. As in the hierarchical scheme, first mark as revoked each singleton set whose sole member is a member of R. In Fig. 1 these sets are denoted by an asterisk. Then mark as revoked each subset of F which is a superset of any of these marked sets. In the graph representation, start by marking the revoked leaves. Then mark the immediate supersets of the marked leaves. Continue working up the graph until every superset of a marked set has been marked. In Fig. 1, the marked sets are marked with an asterisk. The elements of CCF (R) are the maximal subsets of F which have not been marked. In Fig. 1, they are circled. These elements are easy to find. For each set of siblings at a given level in which at least one of the sets, but not all, is marked as revoked do the following. If exactly one of the siblings is not marked, it is a member of CCF (R). For example, node {3} in Fig. 1. Otherwise, there is a unique subset of the parent of the siblings which is the union of the unmarked siblings. For example, node {4, 5, 6, 7, 8, 9} in Fig. 1. This set is a member of CCF (R). The size of the complement covers is given by δF (r) ≤ r logc N/ck − m ≤ r logc N/r − ck . This can be shown using methods similar to those for the hierarchical scheme. It is instructive to instantiate the scheme for several values of c. 1. c = 2 : This is the Hierarchical scheme. The size of the complement cover is |F| = 2N − 1, δF (r) ≤ r log (N/r) and hF = log N + 1. 2. c = 3 : This is an interesting case. It gives us a complement cover family of size 3N −2 with δF (v) = logv 3 log Nv ). Note that there is a 50% increase in size of F compared to the Hierarchical scheme, but more than a 50% decrease in δ (since log 3 = 1.585). So, it could be an alternative to the Hierarchical scheme. log N/v log N 3. c = log N : |F| = (O(N 2 ), δF (v) ≤ v log log N ) and hF ≤ N log log N . Although this setting achieves the lowest value for the size of the complement cover, |F| and hF may not be practical for moderately large N .

4

Incremental Version

Under the current scheme, if r1 users are revoked on day 1 and r2 users are revoked on day 2, the number of day 2 verification nodes is a function of r1 whereas the number of day 3 verification nodes is based on r1 + r2 although the number of users revoked the previous day was only r2 . We propose the following modification to our scheme such that the number of verification nodes needed

152

William Aiello et al.

for a given day depends only on the number of users revoked the previous day and not on all of the users revoked thus far. For the first modification we replace each chain of tokens of length 365 with a hash tree of depth 2 · 365, analogous to [8,5]. The root value of the hash tree becomes the 0-token. There is one such hash tree and 0-token associated with every node in the labelled tree of N elements. On day i, for each node v in the day-i verification set, the CA gives the log(2 · 365) + 1 hash values needed to compute the path from leaf 2i in the the hash tree to the 0-token associated with the node v. Call this the day-i verification path for node v. Note that given the day-j, for 1 ≤ j < i, verification paths for node v, it is computationally infeasible to compute the day-i verification path for v. This motivates our second modification to the scheme. Recall that each user’s certificate contains log N 0-tokens, one for each node in the labelled tree on the path from the user’s id to the root. Previously, for a user to be verified on day i, the verifier would a need a day-i verification path for one of the user’s 0-tokens. We change the protocol as follows. On day i, the CA computes the day-i verification set of nodes in the labelled tree using just the users revoked the previous day. The CA sends to the directory a day-i verification path for each node in the day-i verification set. Now, for a user to be verified on day i, the verifier will need a day-1 through day-i verification path with the additional property that the root of each of the verification paths is contained in the set of 0-tokens in the user’s certificate. This scheme reduces the CA to directory communication costs substantially. It can be shown that the average daily cost is proportional to at most (R/365) log(365N/R) where R is the total number of revocations throughout the year. Of course, this reduction is gained at the expense of a larger communication requirement for the verifier which is proportional to i for day i. This latter communication requirement can be reduced to log 365 by requiring the CA to produce incremental verification paths for the log 365 times scales of 2 days, 4 days, 8 days, etc. This only increases the average daily communication cost of the CA by a factor of 2.

References 1. W. Diffie, M. Hellman, “New directions in cryptography”, IEEE Trans. on Inf. Theory, IT-22, pp. 644–654, 1976. 138 2. S. Even, O. Goldreich and S. Micali “On-line/Off-line Digital Signatures” CRYPTO 1989. 140 3. S. Goldwasser, S. Micali “Probabilistic Encryption” JCSS Vol. 28 No. 22. April 1984. 138 4. S. Goldwasser, S. Micali, R. Rivest “A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks” SIAM Journal of Computing, Vol. 17, No 2, April 1988, pp. 281-308. 138 5. C. Jutla and M. Yung “Paytree: amortized signature for flexible micropayments” In Second USENIX workshop on Electronic Commerce, November 1996. 152

Fast Digital Identity Revocation

153

6. P. Kocker, “A quick introduction to Certificate Revocation Trees (CRTs),” http://www.valicert.com/company/crt.html. 139, 141 7. L. Lamport “Password authentication with insecure communication” Communications of ACM, 24(11):770-771, November 1981. 140 8. R. C. Merkle, “A Certified Digital Signature,” Proceedings of Crypto‘89, pp. 234–246, 1989. 152 9. S. Micali “Enhanced Certificate Revocation System” Technical memo MIT/LCS/TM-542 , November 1995. available online URL ftp://ftppubs.lcs.mit.edu/pub/lcs-pubs/tm.outbox/ 139, 139, 139, 139, 140, 141, 142 10. S. Micali “Certificate Revocation System” U.S. Patent number 5666416, issued Sep. 9, 1997. 139, 139, 140, 141 11. M. Naor and K. Nissim, “Certificate Revocation and Certificate Update,” Proceedings of USENIX ‘98. 139, 141, 141, 142, 142 12. R. Rivest “The MD5 message-digest algorithm” Internet Request for Comments, April 1992. RFC 1321 available online URL http://theory.lcs.mit.edu/rivest/publications.html 13. R. Rivest, A. Shamir, L. Adleman “A Method for Obtaining Digital Signature and Public Key Cryptosystems” Comm. ACM, Vol 21, No. 2, 1978. 138 14. R. Rivest, B. Lampson “SDSI-A Simple Distributed Security Infrastructure” available online URL http://theory.lcs.mit.edu/ rivest/sdsi10.html 138 15. M. Reiter, S. Stubblebine “Towards Acceptable Metrics of Authentication” In Proc. of 1997 IEEE Symposium on Security and Privacy. 138 16. VeriSign Corporation, available online URL http://www.verisign.com/ 137, 139, 140 17. Microsoft “Proposal for Authenticating Code Via the Internet” April 1996, available online URL http://www.eu.microsoft.com/security/tech/authcode/authcode.htm 137

Self-Delegation with Controlled Propagation – or – What If You Lose Your Laptop Oded Goldreich1 , Birgit Pfitzmann2 , and Ronald L. Rivest3 1

Department of Computer Science, Weizmann Institute of Science, Rehovot, Israel. 2 Universit¨ at des Saarlandes, Fachbereich Informatik, Saarbr¨ ucken, Germany. 3 Laboratory for Computer Science, MIT, Cambridge, Mass., USA.

Abstract. We introduce delegation schemes wherein a user may delegate certain rights to himself, but may not safely delegate these rights to others. In our motivating application, a user has a primary (longterm) key that receives some personalized access rights, yet the user may reasonably wish to delegate these rights to new secondary (short-term) keys he creates to use on his laptop when traveling, to avoid having to store his primary secret key on the vulnerable laptop. We propose several cryptographic schemes, both generic ones under general assumptions and more specific practical ones, that fulfill these somewhat conflicting requirements, without relying on special-purpose (e.g., tamper-proof) hardware. This is an extended abstract of our work [19].

1

Introduction

In a networked world, users are represented by their public keys. A message whose digital signature verifies with a user’s public key is assumed to have been signed by that user. Hence, users have to maintain the secrecy of their signing keys. In real life, however, they may wish to use relatively insecure computing devices, e.g., networked UNIX machines or laptops, for digital transactions. How can a user make use of such insecure devices while preserving the secrecy of his secret key? One natural solution is for the user to use the secret key of his primary (long-term) key pair only on secure computing devices, and to create secondary (temporary, short-term) key pairs as needed for use on less secure devices. The user delegates a restricted amount of authority from the primary key pair to such a secondary key pair by signing a delegation certificate. This is simply a statement of the form “the secondary public-key hkey2i can be used instead of the primary public-key hkey1i for the following purposes and under the following conditions and/or limitations: hdescriptioni”. The statement is signed with the primary secret key. This delegation certificate is transferred to the insecure device together with the secondary key pair, and is appended to all messages signed with the secondary key, so that the recipient may verify the delegation. If a secondary secret key is compromised, the loss is minimized because only a restricted amount of authority was delegated to it. H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 153–168, 1998. c Springer-Verlag Berlin Heidelberg 1998

154

Oded Goldreich et al.

This is a good solution for many cases, but fails in cases where personalized rights are assigned to a key. Here the intention is to restrict the right to a specific person, and this is implemented by requiring a signature (or identification) relative to the key associated with this person. This person may indeed give away its (primary) secret key, and thus the requirement “for personal use” is not really enforced. However, the assumption behind such schemes is that users are highly motivated not to give away their (primary) secret key because this key allows others to do many more things in the user’s name. Thus, the user is deterred from propagating certain personalized rights to others by the fact that other rights will be automatically propagated along with the former rights. For example, a user may be willing to illegally propagate its personal subscription to some service, but not if this is linked to the propagation of the right to withdraw money from his bank account. The new problem introduced by using secondary keys in a setting where personalized rights are to be enforced, is that the users are no longer deterred from propagating personalized rights which they may delegate to secondary keys. This is the case since the delegation certificate may limit the rights of a secondary key to a specific right (e.g., subscription), thus leaving no additional risk for the user if he propagates this secondary key (and the subscription which goes with it). Hence, it seems that delegation of rights to secondary keys and the enforcement of personalized rights are in conflict (see further discussion below). Resolving this conflict is the central goal of this paper. Put in other words, we ask: How can delegation of rights be managed such that a user can delegate these rights to himself, but not to others? Corresponding to our motivating example – the use of insecure computing devices – we only consider solutions that do not employ special-purpose hardware (e.g., tamper-resistant or with biometrics). We consider two different approaches, which we term statutory and transparent. The latter means that the measures are invisible to users except for the unavoidable fact that issuers, holders, and verifiers of a personalized right must be aware that this right is personalized. Both approaches only approximate the above goal. Loosely speaking, they do this by fulfilling the following two weaker requirements (with respect to secondary keys to which personalized rights are delegated): 1. Restricted damage from loss of secondary keys: Loss of a few secondary secret keys causes no (or little) damage to the user, beyond the loss and possible abuse (by the finder or thief) of the power delegated by the user to these secondary keys. 2. Deterring propagation of secondary keys: Giving away many secondary secret keys to other users (e.g., friends) greatly endangers the user in the sense that this may have consequences which are highly unpleasant to the user (and extend way beyond the rights associated with these secondary keys). The slackness present in this formulation seems inevitable since the finder/thief in the first requirement is “indistinguishable” from the friends in the second. Thus, the distinction is made quantitatively.

Self-Delegation with Controlled Propagation

155

The paper focuses on the transparent approach, where the solutions are cryptographic. (These cryptographic schemes may have applications beyond the scope of the self-delegation problem.) The statutory approach, which has noncryptographic solutions, is only discussed in the next subsection. We refrain from addressing the non-technical question of which of the approaches is “better”. We note, however, that the solutions in the two approaches differ in several aspects, and all aspects should be taken into account when evaluating these solutions. 1.1

The Statutory Approach

Following the above paradigm, one may devise simple solutions in which trusted authorities (i.e., a judicial system) inflict suitable punishments on users which are proven to have propagated personalized rights to others. The case against a user will consist of sufficiently many secondary secret-keys (with corresponding certificates assigning personalized rights); it is assumed that no user is going to incriminate himself, whereas other users may be less careful not to incriminate another user. Furthermore, users may even be encouraged (again by statutory means; e.g., awards) to incriminate others. Such a judicial system is very flexible – it may consider special circumstances and determine the verdict based on these. On the other hand, such a system has a significant overhead. Another type of statutory arrangement, closer in spirit to the solution presented next, is to define an action taken with sufficiently many validated secondary secret key (regardless of their assigned rights) as if it was taken by the user (i.e., with the corresponding primary key). However, in such a case, all verifiers of any signatures, even those that have nothing to do with personalized rights, must be aware of this arrangement. Thus, this solution too is not transparent. 1.2

The Transparent Approach

In the transparent approach, users are deterred from delegating personalized rights to others by ensuring that the recipient learns something about the primary secret key of the delegator. A user will then again be highly motivated not to delegate such rights so as not to risk giving up the fundamental rights associated with the primary secret key. The basic principle of all our proposals is that the user has to validate his secondary keys with respect to his primary secret key (in addition to signing an ordinary delegation certificate). As described below, the validation process will deter the user from delegating personalized rights to others. Use of personalized rights is granted only when one proves possession of a validated secondary-key (or possession of the primary-key, as usual), mere possession of a secondary-key (without corresponding validation) will not do. The conflicting goals stated above, are thus rephrased as follows: 1. Restricted damage from loss of secondary keys: Loss of a few validated secondary secret keys will not endanger the security of the primary secret key. That is, they yield little or no knowledge about the primary secret key.

156

Oded Goldreich et al.

2. Deterring propagation of secondary keys: Many validated secondary secret keys allow the recipient to recover the primary secret key efficiently. We present several constructions achieving such a balance. Our constructions are categorized by the following parameters: Generic vs. specific: In Section 3, we present generic schemes which apply to any primary and secondary keys. They rely on non-interactive zero-knowledge proofs [3], and thus on the existence of trapdoor one-way permutations [12,21]. In Section 4, we present more specific and efficient constructions where the primary key pair must belong to a discrete-logarithm based cryptographic scheme like Schnorr or DSS signatures [25,11]. Gradual vs. threshold: In Constructions 1 thru 1.2, the security of the primary secret key degrades gradually with the number of secondary secret keys available to an adversary until the primary secret key is totally revealed. In Constructions 2 and 3, the primary secret key is fully secret up to a certain threshold number of secondary secret keys available to an adversary (e.g., 3, 10, or 100), but is easily recovered from any number of secondary secret keys larger than this or a second threshold. Additionally, some schemes allow the application to freely fix after how many secondary secret keys the adversary will get the primary secret key (i.e., the slope of the gradual degradation or the threshold, respectively), whereas in others this number is predefined by other system parameters, e.g., the key length. Limitations for secondary keys: Apart from honest users, service providers may wish to limit the rights associated with secondary keys. We handle these limitations associated with a secondary key in a general way, and call their description a limitations index. An archetypical example of limitation indices are time periods, such as days, during which a secondary key is valid. Other examples include upper bounds on value of transactions, lists of specific services, etc. A relevant parameter for our schemes is the size of the domain of potential limitation indices. For example, if secondary keys are associated with days, which is indeed a very important case, then the domain of indices is relatively small. If, on the other hand, limitation indices stand for arbitrary specification of rights such as expressed by 1000-words English-text documents, then the domain is huge. The domains in Construction 1.2 is unbounded, in Constructions 2 and 3 bounded, but exponentially large in the security parameter, and in Construction 1.1 relatively small. (Indeed, using appropriate hashing, one may use schemes with an exponentially large domain of limitation indices as if their domain were unbounded.) Our proposals for self-delegation of personalized rights are not in conflict with normal delegation of other types of rights: Both types of rights can be given on the same primary and secondary keys and even with the same delegation certificates. The only difference is that for personalized rights, verifiers will require the presence of validation information related to the primary key of the

Self-Delegation with Controlled Propagation

157

original owner of the right, whereas in other cases they only require a delegation certificate. 1.3

Related Work

Delegation certificates are merely documents which assert that certain rights associated to a specific public key are to be passed to another public key. Such documents are verifiable with respect to the former public key, and are binding (as all digital signatures) under certain statutory provisions. Technical problems with such certificates occur where one makes additional requirements (e.g., anonymity, standardization of contexts, or non-transferability) regarding such certificates. None of these extensions is required in our case. In our case the goal is to restrict the delegation of some rights; specifically, of personalized rights. Thus, ordinary delegation certificates will not do, unless they are augmented by either an auxiliary statutory arrangement or auxiliary validation information, as discussed above. (In fact, one may view the augmentation of delegation certificates, suggested above, as a new type of certificate which one may call a self-delegation certificate.) Other approaches to the issue of limiting the delegation of rights were suggested in [4,5]. We note the analogy between the current work and [10]: The latter paper presents a transparent approach to copyright protection, in contrast to the (typical) statutory approach based on fingerprinting following [27]. Some analogy exists also between self-delegation schemes and (τ − 1)-spendable coins [7,23]. Conceptually speaking, the problems are different since there is no requirement on personal use in the latter, and the main issue is untraceability (otherwise identification of overspenders would be trivial). Technically speaking, one can see that the analogy does not extend too far since here we construct self-delegation schemes based on standard complexity assumptions, whereas such schemes are not known for untraceable cash.

2

The Model

Our model and constructions of self-delegation schemes only concern the core part of the applications described so far, and are therefore largely independent of the concrete application. In particular, we only deal with the primary and secondary keys, and not with certificates that third parties give to assign rights to the primary keys, such as the above-mentioned certificate asserting subscriberhood – these can be realized in standard ways, for example, by signatures with keys held by the third parties on the keys handled in the self-delegation scheme, and thus be added to our constructions in a modular way. Furthermore, we do not explicitly consider the user’s own authorization of the secondary keys, i.e., the delegation certificates (from primary key to secondary key) as described in the introduction. This is not quite as independent of our schemes as the statements by third parties, but whenever the underlying cryptographic scheme is a signature scheme, the delegation certificates can be made in a standard way with the primary secret key.

158

Oded Goldreich et al.

The notion of a generic scheme will more precisely mean the following: An arbitrary underlying cryptographic scheme may be given that contains an algorithm for generating primary key pairs and one for generating secondary key pairs, possibly depending on a primary key pair. The typical case is simply that an algorithm G for generating one key pair is given, and all primary and secondary key pairs are generated independently with this algorithm. Our mechanism allows to control propagation of such secondary keys without posing additional dangers on the underlying scheme and without making assumptions about how the keys of the underlying scheme may be used. For instance, signing (with a secret key) is not a zero-knowledge procedure, and in some protocols secret keys may even sometimes be revealed. Our controlled self-delegation schemes should not pose any additional risk to the keys, i.e., beyond the risk involved in using the given underlying cryptographic schemes. The schemes in Section 3 are of this type, and those in Section 4 are only slightly less generic in that they assume a specific generation algorithm for the primary secret key. We briefly mention variants that may be a little more efficient, but require that primary and secondary keys are only used in well-defined ways, e.g., within a specific signature scheme. In the rest of the model section, we concentrate on generic schemes. We have to consider three types of parties: a server, which corresponds to a key certification infrastructure, users, who have primary and secondary keys, and verifiers, with whom the users interact using their secondary keys. A selfdelegation scheme with controlled propagation has four protocols: Server setup: Here the server generates and publishes global parameters. Registration: Here the user, having generated a primary key pair (sk, pk) from an underlying cryptographic scheme, registers the primary public key with the server. We call the secret information that the user stores at the end of the registration his extended primary secret key, and the corresponding information published by the server the user’s extended primary public key. For simplicity, we often omit the term “extended”, and use (sk, pk) to denote also the extended key pair. Secondary key validation: Here the user, having generated a secondary key pair (sk` , pk` ) from the underlying cryptographic scheme, wants to validate it for a certain limitations index `. He produces a validation tag, denoted val` , that he will use later to convince verifiers of the validity of the secondary key pair (when not having the primary secret key available). Verification: Here a user wants to convince a verifier, typically a service provider, that a certain public key pk` can be used as a secondary key for the primary public key pk. We stress that the user’s secret inputs are only sk` and val` ; he no longer has the primary secret key available. The verifier also inputs the limitations index ` for which pk` is supposed to be valid and global parameters published in server setup. Note that controlled propagation would make no sense if the verifier did not check `; e.g., if ` denotes a specific date, the verifier must enter the current date rather than

Self-Delegation with Controlled Propagation

159

let the alleged user enter a date of his choice (which would always be the one for which the key is valid). These protocols must be efficient, preferably as efficient as the underlying cryptographic scheme. Clearly, correctly validated secondary keys for correctly registered primary public keys should (almost) always be accepted by honest verifiers. We call a triple (sk` , val` , pk` ) a correctly validated secondary key triple if it is a possible output of the correct secondary key generation and validation program. This is what a thief gets from an honest user. However, dishonest users who try to give away secondary keys to others are not restricted to correctly validated keys. We say that a user gives a second person a valid secondary key triple (for a public key pk and a limitations index `) if the information enables the second person to convince an honest verifier almost certainly. Formally, this notion is only meaningful in connection with the second person’s program, which may be arbitrary, yet must be efficient. For simplicity, we concentrate on users giving away full-quality secondary keys, but with definitions as in [1] this can be generalized to giving away information that will only convince the verifier with a certain probability. Our two goals can now be formulated in more detail as follows: Restricted damage from key disclosure: If a certain user is honest, it should be infeasible for an adversary (thief) who only obtains few correctly validated secondary key triples to generate additional valid secondary key triples. Here, “additional” means for a limitations index `∗ for which the adversary has not obtained a correctly validated secondary key triple. The adversary should also not get too much knowledge about existing non-stolen secondary secret keys sk` nor about the primary secret key. More precisely, as we concentrate on generic schemes, we have to speak about any knowledge gained by validation tags. A suitable terminology is that of knowledge complexity (cf., [20,18]).1 Specifically, gradual schemes have a parameter δ, called the slope, so that each correctly validated secondary key triple only gives δ bits of knowledge. Schemes with threshold have a parameter τ , called the threshold, so that less than τ correctly validated secondary key triples do not give the adversary any knowledge. Controlled propagation: If a user gives a second person many different valid secondary key triples, then the second person can efficiently compute the user’s primary secret key. Here, “different” means for different limitations indices. 1

Loosely speaking, saying that a protocol (or a message) gives κ bits of knowledge with respect to a given state means that whatever can be efficiently computed after the execution of the protocol (or receipt of the message) can also be computed efficiently with probability at least 2−κ from the state alone. Thus, for small κ, more precisely κ = O(log n) where n is the key length, if one can find the primary secret key with non-negligible probability after receiving at most κ bits of knowledge, then one can do the same without receiving these bits. (Recall that f (n) is non-negligible if f (n) ≥ 1/poly(n)).

160

Oded Goldreich et al.

In schemes with threshold, “many” typically means at least τ , but there are also schemes with a second threshold τ ∗ > τ , (i.e., allowing a gap). Gradual schemes have a similar parameter β, which will typically be about n/δ, where n is the key length. For simplicity, we assume that all the security parameters δ, τ etc., are chosen at the server setup time. Typically, users are concerned with restricted damage from key disclosure and therefore wish τ to be large (or δ to be small), whereas service providers, mainly concerned with propagation control, want the opposite. We consider the following types of attacks: The adversary for the first goal, “restricted damage”, knows the user’s primary public-key. It includes (both other users and) verifiers who have verified any number of this user’s secondary public keys and with whom the user has then interacted using these keys, e.g., by signing messages. In a strong form of the requirement, the adversary also includes the server (i.e., the user may not want or need to trust the server). The adversary for the second goal, “controlled propagation”, consists of any number of colluding users and other verifiers. Typically, we only speak of “the user” because independence is clear. In some of our constructions achieving this goal depends on proper behaviour of the server (which is supposed to generate some random parameters). In all the following schemes, the first goal, “restricted damage”, is stated and proven with respect to a static adversary, i.e., the limitations indices of the revealed validation tags are determined beforehand rather than chosen adaptively by the adversary. We believe that all schemes are in fact adaptively secure, but refrain at this point from formulating and proving our belief. We also assume for the time being that each participant only carries out one protocol at a time (i.e., we do not consider protocol interleaving).

3

Generic Schemes

The basic idea is that each validation tag val` contains some little “piece of information” σ` about the primary secret key sk. The holder of a secondary key can only convince verifiers if he knows this σ` . Convincing the verifier must be done in zero-knowledge, so that verifiers do not gain an advantage in finding a user’s primary secret key. On the other hand, knowledge of σ` ’s is related to the gradual release of a secret (as introduced for secret exchange in [2]): Knowledge of a few such pieces (i.e., σ` ’s) does not endanger the secret, whereas knowledge of many “orthogonal” pieces does endanger it. A crucial point is to ensure this “orthogonality” whenever many pieces are given to a second person in violation of the “controlled propagation” goal. To ensure this, the value of σ` is made to depend on the limitations index `. Our constructions differ in the way this is achieved. In the proof that he knows σ` , the user also has to prove that σ` is correct with respect to the primary secret key sk, which is no longer available in the

Self-Delegation with Controlled Propagation

161

verification stage. Hence this part of the proof will be precomputed in the secondary key validation protocol. We use a non-interactive zero-knowledge proof system [3], more precisely one where one common random string Ref can be used for an arbitrary number of proofs [12]. (This result also applies to the more efficient basic construction in [21].) In schemes with a small set of limitations indices, we could improve efficiency by using a non-interactive zero-knowledge proof system capable of only proving one assertion, and providing enough reference strings in advance. Finally, we have to guarantee that all σ` ’s refer to the same primary secret key sk. This is easy if the underlying cryptographic scheme guarantees that for every primary public key pk, there is only one possible primary secret key sk and its validity can be verified in polynomial time. For example, this is the case with the prime factorization of RSA moduli or the discrete logarithm of an element in logarithm-based schemes. Yet, in other cases, additional information aux may be required to verify the validity of secrets with respect to publicly available information. Typically, the randomness used in the key-generation process suffices. We then denote by pk the entire information that is published. This motivates our interest in schemes where a 3-ary relation Pred with the following properties exists: NP-recognition of secret keys: Pred is recognizable in polynomial-time. This implies that the set of valid public keys Pred1 = {pk|∃sk, aux : (sk, aux, pk) ∈ Pred} and of valid key pairs Pred2 = {(sk, pk)|∃aux : (sk, aux, pk) ∈ Pred} are in NP and therefore have zero-knowledge proof systems [17]. Unique secret keys: For every pk, there exists at most one sk such that (sk, pk) ∈ Pred2 . Key generation of the given cryptographic scheme produces triples (sk, aux, pk) ∈ Pred. Using any one-way function, one may transform any cryptographic scheme into one with unique secret keys, while maintaining computational secrecy. 3.1 Gradual Schemes The following construction is actually a framework for several slightly different versions with different properties. Construction 1 (generic, gradual, framework): Let a cryptographic scheme with unique secret keys with a relation Pred as above be given. Server setup: The server chooses the length n of the secret keys and the slope δ, where δ divides n. It randomly generates a reference string Ref ∈ {0, 1}poly(n) for the non-interactive zero-knowledge proof system, and sets up a scheme that defines a sequence r1 , r2 , ... of n-bit strings so that anyone can obtain r` in poly(n, log `) time. Several such schemes are discussed below.

162

Oded Goldreich et al.

Registration: Suppose a user has generated a primary key pair (sk, pk), together with the value aux so that (sk, aux, pk) ∈ Pred. The user proves to the server in zero-knowledge that pk is valid, i.e., lies in Pred1 . Secondary key validation: The validation tag for this user’s secondary key w.r.t. the limitations index ` is the pair (σ` , π` ) where (1) σ` is the inner product in GF(2δ ) of sk and r` , where both are considered as n/δ-dimensional vectors over GF(2δ ). (2) π` is a non-interactive zero-knowledge proof, with respect to the reference string Ref , that there exists sk so that (sk, pk) ∈ Pred2 and σ` is the inner product of sk and r` . Verification: The user gives the verifier an interactive zero-knowledge proof of knowledge [20,1] that he knows (σ` , π` ) such that π` is a valid non-interactive zero-knowledge proof as in Item (2) of the validation protocol. We stress that the common input to the interactive proof consists of Ref , pk, and r` .

Proposition 1 (generic, gradual, framework): Any instantiation of Construction 1, that is, no matter how the r` ’s are determined, has the following properties: 1. Restricted damage from key disclosure: The scheme leaks no knowledge except δ bits in each correct validation tag. The user only needs to trust the server for the randomness of the reference string Ref . 2. Controlled propagation: If the user gives a second person valid secondary key triples for a certain set of limitations indices, L, then the second person can efficiently compute the inner product of one fixed primary secret key sk with each value r` corresponding to ` ∈ L. Proof sketch: We first prove Part 1 (“restricted damage”). First, one easily sees that in the registration and verification protocols, the user does not give away any knowledge beyond the standard operation of the public-key infrastructure, because the rest of the protocols gives zero-knowledge proofs. Next, we consider the knowledge an adversary gains by obtaining a correctly validated secondary key triple. Recall that we only need to consider what is revealed on top of the secondary secret key itself, i.e., in the validation tag (σ` , π` ). These are merely δ bits of knowledge, since σ` is only δ bits long and π` is a zero-knowledge proof referring to σ` and values the adversary knows already. (Recall that knowledge complexity is bounded by the actual length of objects and at most additive [18].) We now prove Part 2 (“controlled propagation”). By the soundness of the interactive zero-knowledge proof of knowledge, having a valid secondary key triple (i.e., information that enables the second person to convince an honest verifier) implies that the second person knows a correct pair (σ` , π` ). More formally, there is an effective way (called a knowledge extractor [1]) to reconstruct this pair given access to the second person’s strategy and his auxiliary information. Now the soundness of the non-interactive zero-knowledge proof π` implies that

Self-Delegation with Controlled Propagation

163

σ` is in fact the inner product of the one fixed sk and r` . (Here the uniqueness property of Pred2 is used.) 2 The scheme defining the sequence r1 , r2 , ... should guarantee that sufficiently many of these values span almost the entire vector space, so that giving away many valid secondary keys compromises the primary key. Our first such scheme guarantees this in an optimal way, but can only be used for a domain of up to 2δ − 1 limitations indices. This value is small because δ should be at most logarithmic in n to satisfy the restricted-damage condition. Thus, this scheme is most adequate for cases like our motivating example where the limitations indices correspond to days; e.g., δ = 10 allows 1023 days, after which the primary key pairs could be renewed. Construction 1.1 (generic, gradual, severely bounded limitations indices): We use Construction 1 with the following r` ’s: The server fixes an easily computable enumeration α1 , ..., α2δ −1 of the non-zero elements of GF(2δ ). The value r` is ), where β = n/δ. the vector (1, α` , ..., αβ−1 ` Proposition 2 (generic, gradual, severely bounded limitations indices): Construction 1.1has the following controlled-propagation property: Any β valid secondary key triples yield the primary secret key. Proof sketch: Any β vectors r` form a Vandermonde matrix, which is always non-singular. Thus the system of equations that the second person has (by the general controlled-propagation property of Construction 1) is of full rank. The easily found solution is the primary secret key. 2 To use Construction 1 with a larger domain of limitations indices, we essentially use uniformly random values r` . The server can set these up in different ways: Construction 1.2 (generic, gradual, less bounded limitations indices): We use Construction 1 with one of the following schemes for generating the r` ’s: 1. For medium-sized limitation set: The server generates and publishes, as part of the setup stage, a list of a certain number m of uniformly chosen values r` . 2. For unbounded limitation set: The server provides a “random oracle” (or Beacon) service throughout the lifetime of the system; r` equals the answer of this random oracle on query `. The random oracle may be implemented by the server by using a pseudorandom function [16]. To analyze the controlled-propagation quality of these constructions, we need a technical lemma about the probability that too many of the r` ’s are linearly dependent. Note that when we talk of the rank of a matrix chosen from a subset of a field, we mean its rank over the field (i.e., the maximum number of linearly independent rows with respect to coefficients from the field).

164

Oded Goldreich et al.

Lemma 1 Let m, n, t, R be integers so that m > n > R and m ≥ t ≥ R, and q be a prime power. Let S ⊆ GF(q). Then, the probability PrS (m, n, t, R) that a uniformly chosen m-by-n matrix over S contains t rows which together have rank at most R is bounded above by PrS (m, n, t, R) ≤

(2m)t · |S|−(n−R)·(t−R) . t!

Proof omitted. For simplicity, we now restrict ourselves to the binary case (i.e., δ = 1). Proposition 3 (generic, gradual, less bounded limitations indices): For the first variant of Construction 1.2 , with δ = 1, the following controlled-propagation property holds: With probability at least 1 − 2−n , over the choice of the r` ’s, if a user gives away 2n valid secondary key triples to a second person, the second person can efficiently list a set of at most m2 possibilities for the primary secret key. For the second variant of Construction 1.2, the above holds provided the user makes at most m oracle queries. Proof omitted. The second person can use the above list in different ways: For example, he can efficiently perform any task requiring this secret key with probability 1/m2 , by uniformly selecting an element of this list. Alternatively, in many applications, additional publicly available information can be used to determine which of these keys is correct. 3.2

A Threshold Scheme

We now show a generic threshold construction. The threshold τ can be chosen very freely, i.e., between 1 and 2n − 1, where n is the length of the keys. The set of limitations indices is bounded, but the bound can be much larger than in Construction 1.1: It is now 2n . Construction 2 (generic, threshold, exponentially large indices domain): Let a cryptographic scheme with unique secret keys with a relation Pred as above be given. Additionally, we need a secure commitment scheme that is unconditionally binding; e.g., as in [22]. Server setup: The server chooses parameters n for the length of secret keys and τ for the threshold and a reference string Ref ∈ {0, 1}poly(n) for the non-interactive zero-knowledge proof system. It fixes an easily computable enumeration α1 , ..., α2n −1 of the non-zero elements of GF(2n ). Registration: Suppose a user has generated a primary key pair (sk, pk), together with the value aux so that (sk, aux, pk) ∈ Pred. He first proves to the server in zero-knowledge that pk is valid, i.e., lies in Pred1 . Next, he uniformly selects a polynomial of degree τ − 1 over GF(2n ) with the primary def P −1 pj · xj with p0 = sk. secret key as the constant coefficient, say, p(x) = τj=0

Self-Delegation with Controlled Propagation

165

This corresponds to setting up a secret sharing scheme as in [26]. He makes a commitment C to all the non-constant coefficients using the given commitment scheme. Typically, the length of the commitment automatically shows that the content is a polynomial of degree τ − 1, otherwise this must be shown in zero-knowledge. The user’s extended primary public key is (pk, C). Secondary key validation: The validation tag for this user’s secondary key for the limitations index ` is the pair (σ` , π` ) where (1) σ` is the value of the polynomial p at the point α` ; (2) π` is a non-interactive zero-knowledge proof with respect to the reference string Ref that there exist sk and p so that (sk, pk) ∈ Pred2 , the non-constant coefficients of p correspond to the commitment C, the constant term p0 equals sk, and σ` = p(α` ). Verification: The user gives a zero-knowledge proof that he knows a correct pair (σ` , π` ).

Proposition 4 Construction 2 satisfies 1. Restricted damage from key disclosure: Public information and the validation tags of at most τ − 1 correctly validated secondary key triples leak no knowledge. The user need not trust the server except for the randomness of the reference string Ref . 2. Controlled propagation: Any τ valid secondary key triples yield the primary secret key. Proof sketch: The second part follows as in Proposition 2. For Part 1, the security of the commitment scheme and the zero-knowledge proofs implies that the only non-negligible source of knowledge is in the values σ` . These are τ −1 shares of a secret sharing scheme with threshold τ and therefore give no information about the secret sk [26]. 2

4

Discrete-Logarithm Schemes

We now present a practical self-delegation scheme for cryptographic schemes based on discrete logarithms in groups of prime order. Important examples are Schnorr and DSS signatures [25,11]. The advantage over the schemes in the previous section is that no general zero-knowledge proof techniques are needed, and the resulting self-delegation schemes are essentially as efficient as the underlying schemes. The secondary keys can even be from a different cryptographic scheme; only the primary key pair has to be from the discrete-logarithm-based scheme. More precisely, we assume an underlying cryptographic scheme with the following key generation: First a prime q is chosen, typically 160 bits long; next a prime p, typically 512 bits, such that q divides p − 1; and then an element g of order q in the multiplicative group modulo p. A secret key is a uniformly

166

Oded Goldreich et al.

chosen value sk ∈ GF(q)∗ = {1, ..., q − 1}, and the corresponding main part of the public key is h = g sk mod p. The actual scheme is a slight extension to Feldman’s Verifiable Secret Sharing (VSS) scheme based on discrete logarithms [13]. The validation tags are simply shares of the secret key. We need two extra properties for our application: First, if we want a large domain of limitations indices, the VSS scheme must allow a large number of potential shares with an efficient way to index them. Secondly, in our case it is not the shareholders who need to verify the validity of the shares (the shareholders in the motivating example are the laptops), but external verifiers, i.e., we need an efficient zero-knowledge proof of knowledge of a proper share. Although these extra properties are not required in the general definition of VSS (cf., [8]), they happen to hold in Feldman’s VSS. This gives the following scheme, for any τ ≥ 2. Construction 3 (discrete log, threshold): Let any cryptographic scheme based on discrete logarithms in groups of prime order be given, i.e., the primary key generation is as described above. Server setup: For simplicity, we let the server generate the parameters (q, p, g) of the underlying scheme. The domain of limitations indices is {1, ..., q − 1}. The server also selects an arbitrary threshold τ . Registration: Given a primary key pair (sk, pk) from the underlying discrete logarithm scheme, the user randomly selects a polynomial pol of degree τ − 1 over GF(q) with sk as its constant coefficient. That is, it selects uniformly coefficients (c1 , ..., cτ −1 ) in GF(q). This polynomial is the extended primary secret key. The extended primary public key consists of the values hj = g cj mod p, for j = 1, ..., τ − 1. Secondary key validation: The validation tag for this user’s secondary key for the limitations index ` is the value val` = pol(`), i.e., val` = sk +

τ −1 X

cj `j mod q.

j=1

Note that this validation tag can be seen as a secret key, denoted sk∗` , of the underlying discrete logarithm scheme; the corresponding public key would be pk∗` = g val` mod p. Verification: The verifier can compute this value pk∗` as pk∗` = pk ·

τY −1

j

h`j mod p

j=1

using the values hj in the user’s extended primary public key. Now the user has to give a zero-knowledge proof of knowledge of val` , i.e., of the discrete logarithm of pk∗` (cf., [6,15]). An alternative is Schnorr identification [25], which needs only one exponentiation on each side, but is only known to be witness-hiding [14].

Self-Delegation with Controlled Propagation

167

The security of this scheme is obvious from the perfect security of the Verifiable Secret Sharing scheme when the public key is already given [24]: Less than τ validation tags, i.e., shares, give no information about the secret beyond what is known by the public key, whereas τ validation tags enable reconstruction. An alternative way of using this core scheme is to use the values val` ’s directly as secondary secret keys (i.e., = sk∗` ’s), instead of as validation tags for independently generated secondary key pairs. This improves efficiency in cases where we can omit the proof of knowledge (because the subsequent usage of sk∗` establishes knowledge of it). However, in such a case we have to be careful about how the security of the underlying scheme and our self-delegation scheme influence each other. In particular, the legitimate use of sk∗` in the underlying scheme is typically not zero-knowledge and might therefore additionally endanger the primary secret key sk via our self-delegation scheme. Thus, security in such usage has to be considered specifically for each concrete underlying scheme (e.g., for Schnorr or DSS signatures). Specifically, for Schnorr identification scheme [25], security does hold (for further details see our report [19]). In case the set of limitations indices is much smaller than q (e.g., as in case where limitations correspond to days of a year), efficiency is greatly improved since the evaluation of pk∗` by a Horner-like schema only involves exponentiations with small numbers. That is, pk∗` can be computed from the hj ’s and `, by iteratively computing vi+1 = (hτ −i · vi )` mod p, starting with v1 = 1 and ending with pk∗` = vτ · pk.

Acknowledgments We thank Michael Waidner for interesting discussions. This research was partially supported by DARPA grant DABT63-96-C-0018.

References 1. M. Bellare and O. Goldreich: On Defining Proofs of Knowledge; in Crypto ’92, Springer-Verlag, LNCS Vol. 740, pp. 390-420, 1992. 159, 162, 162 2. M. Blum: How to Exchange (Secret) Keys; ACM Transactions on Computer Systems, Vol. 1, No. 2, pp. 175-193, 1983. 160 3. M. Blum, P. Feldman, and S. Micali: Non-Interactive Zero-Knowledge and its Applications; in 20th STOC, pp. 103-112, 1988. 156, 161 4. D. Chaum: Showing credentials without identification: Transferring signatures between unconditionally unlinkable pseudonyms; in Auscrypt ’90, LNCS 453, Springer-Verlag, Berlin 1990, pages 246-264. 157 5. D. Chaum: Achieving Electronic Privacy; Scientific American, August, pp. 96101, 1976. 157 6. D. Chaum, J.-H. Evertse, and J. van de Graaf: An improved protocol for demonstrating possession of discrete logarithms and some generalizations; in Eurocrypt ’87, Springer-Verlag, LNCS Vol. 304, pp. 127-141, 1988. 166 7. D. Chaum, A. Fiat and M. Naor: Untraceable Electronic Cash; in Crypto ’88, LNCS 403, Springer-Verlag, Berlin 1990, pages 319-327. 157

168

Oded Goldreich et al.

8. B. Chor, S. Goldwasser, S. Micali and B. Awerbuch: Verifiable Secret Sharing and Achieving Simultaneity in the Presence of Faults; in 26th FOCS, pages 383–395, 1985. 166 9. W. Diffie and M. E. Hellman: New Directions in Cryptography; IEEE Transactions on Information Theory, Vol. 22, No. 6, pp. 644-654, 1976. 10. C. Dwork, J. Lotspiech, and M. Naor: Digital Signets: Self-Enforcing Protection of Digital Information; in 28th STOC, pp. 489-498, 1996. 157 11. The Digital Signature Standard Proposed by NIST; Communications of the ACM, Vol. 35, No. 7, pp. 36-40, 1992. 156, 165 12. U. Feige, D. Lapidot, and A. Shamir: Multiple non-interactive zero knowledge proofs based on a single random string; in 31st FOCS, pp. 308-317, 1990. 156, 161 13. P. Feldman: A practical scheme for non-interactive verifiable secret sharing; in 20th FOCS, pp. 427-437, 1987. 166 14. U. Feige and A. Shamir: Witness Indistinguishability and Witness Hiding Protocols; in 22nd STOC, pp. 416-426, 1990. 166 15. A. Fiat and A. Shamir: How to Prove Yourself: Practical Solutions to Identification and Signature Problems; in Crypto ’86, Springer-Verlag, LNCS Vol. 263, pp. 186-194, 1987. 166 16. O. Goldreich, S. Goldwasser, S. Micali: How to Construct Random Functions; Journal of the ACM, Vol. 33, No. 4, pp. 792-807, 1986. 163 17. O. Goldreich, S. Micali, and A. Wigderson: Proofs that Yield Nothing but their Validity or All Languages in NP Have Zero-Knowledge Proof Systems; Journal of the ACM, Vol. 38, No. 1, pp. 691-729, 1991. 161 18. O. Goldreich and E. Petrank: Quantifying Knowledge Complexity; in 32nd FOCS, pp. 59-68, 1991. To appear in Computational Complexity. 159, 162 19. O. Goldreich, B. Pfitzmann and R.L. Rivest: Self-Delegation with Controlled Propagation – or – What If You Lose Your Laptop; Record 97-12 of the Theory of Cryptography Library, url: http://theory.lcs.mit.edu/∼tcryptol. 153, 167 20. S. Goldwasser, S. Micali, and C. Rackoff: The Knowledge Complexity of Interactive Proof Systems; SIAM Journal on Computing, Vol. 18, No. 1, pp. 186-208, 1989. 159, 162 21. J. Kilian and E. Petrank: An Efficient Noninteractive Zero-Knowledge Proof System for NP with General Assumptions; Journal of Cryptology, Vol. 11, No. 1, pp. 1-27, 1998. 156, 161 22. M. Naor: Bit Commitment Using Pseudorandomness; Journal of Cryptology, Vol. 4, No. 2, pp. 151-158, 1991. 164 23. T. Okamoto and K. Ohta: Disposable Zero-Knowledege Authentications and their Applications to Untraceable Electronic Cash; in Crypto ’89, LNCS 435, SpringerVerlag, Berlin 1990, pages 481-496. 157 24. T. P. Pedersen: Distributed Provers with Applications to Undeniable Signatures; in Eurocrypt ’91, Springer-Verlag, LNCS Vol. 547, pp. 221-242, 1991. 167 25. C. P. Schnorr: Efficient Signature Generation by Smart Cards; Journal of Cryptology, Vol. 4, No. 3, pp. 161-174, 1991. 156, 165, 166, 167 26. A. Shamir: How to Share a Secret; Communications of the ACM, Vol. 22, No. 11, pp. 612-613, 1979. 165, 165 27. N. R.Wagner: Fingerprinting; in Proceedings of IEEE Symposium on Security and Privacy, pp. 18-22, 1983. 157

Identity Escrow Joe Kilian1 and Erez Petrank2 1 NEC Research Institute 4 Independence Way, Princeton, NJ 08540, USA. [email protected] 2 IBM Haifa Research Lab, MATAM Haifa 31905, Israel [email protected] Work done while at DIMACS.

Abstract. We introduce the concept of escrowed identity, an application of key-escrow ideas to the problem of authentication. In escrowed identity, one party A does not give his identity to another party B, but rather gives him information that would allow an authorized third party E to determine A’s identity. However, B receives a guarantee that E can indeed determine A’s identity. We consider a number of possible features of escrowed identity schemes, and describe a variety of implementations that achieve various subsets of these features. In particular, we observe that group signature schemes can be used to escrow identities, achieving most (though not all) of the desired features. The most interesting feature we consider is separability. The escrow agency is not involved in the day to day operation of the identification system, but is only called in when anonymity must be revoked. In the extreme case, there exist identity escrow schemes in which an arbitrary party (possessing a public key) can be designated an escrow agent without any knowledge or participation on their part until they are asked to revoke someone’s anonymity.

1

Introduction

We consider a client that obtains regular or continual access to a service or facility. Examples include driving a toll highway with a regular commuter pass, parking regularly in a garage, entering one’s club premises, or using internet services. In order to get the service, the client must convince the gate keeper that he is entitled to the service. The client can do this by identifying himself at the entrance. But must he really identify himself? Such identification raises critical issues of privacy. For example, a more pervasive highway authority might as a side effect allow the tracing of people’s movements to an unprecedented degree. On the other hand, what if the client remains completely anonymous, say, by an access code that is secret, but common to all clients? In certain rare circumstances, the service provider (and society at large) may have a compelling reason to know the identity of the client. For example, consider an automated access system for a parking garage. The garage cares that the person entering it is authorized to do so; the person’s precise identity is normally not a valid concern. However, suppose that on some night a person was murdered in the garage. At H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 169–185, 1998. c Springer-Verlag Berlin Heidelberg 1998

170

Joe Kilian and Erez Petrank

this point, the garage owner and society at large may have a legitimate interest in knowing who was there on that night. Or, one might wish to have a computer “chat room” in which one has conditional anonymity: As long as one follows the rules laws, ones identity is secure from even the system administrator. But if one flagrantly breaks the rules (such as arranging drug deals in the “Lion King” kiddie chat room), suitable law enforcement agencies can be appealed to in order to determine one’s identity. The reader may envision other examples such as a drunk driver causing a fatal accident on the highway, etc. Traditionally, access control has been all or nothing. One obtains all the information about the other person up front, with no recourse to learn more if circumstances warrant. This rigidity generally leads one to allow less privacy, since one is likely to want as much information as one can get just in case a “bad case” arises. We give a more flexible alternative. We consider a more flexible, two-tier approach to authentication. On the first tier, a person gives only as much information about themselves as is strictly necessary for ordinary circumstances. On the second tier, a person gives a more precise statement of their identity that may be needed in extraordinary circumstances. This second tier is only accessible with the help of a third party, which is separate from (and not under the control of) the party managing access. We describe identity escrow schemes in Section 1.1 below. Key escrow has proven an active and contentious field of research and discussion (c.f. [24,25,22,18,21,23,27]). Most of the attention in this area has been restricted to the simple case of communication: party A sends an encrypted message EK (M ) to party B; some centralized authority is given the capability to recover either K or the specific message M . As discussed in Section 3, group signatures has an escrow-like feature in which the anonymity of a signer may be revoked. We add yet a new domain for the application of key escrow ideas: authentication and identity schemes. Some distinctive features of this application are that – Escrowed identity may actually enhance privacy. By default, many identity schemes require a person to give their entire identity “up front.” A protocol in which this information is only released under special circumstances may prove an acceptable, and more private substitute. – Escrowed identity schemes work to the advantage of at least one of the parties invoking them. In traditional key escrow systems, both party only lose by following the escrow system, and have everything to gain by bypassing it (which is generally quite easy to do). 1.1

Escrowed Identity

An escrowed identity system consists of the following parties: Identifier: The identifier is the client who identifies himself to the verifier (the gate-keeper). Issuer: The issuer issues certificates to the identifier that allow him to identify himself in an escrowed manner.

Identity Escrow

171

Verifier: The verifier is typically the access provider who verifies the first-tier identity process as well as the escrow proof for the second-tier identity. Escrow Agent(s): The escrow agent(s) use information forwarded by the verifier to make a second-tier identification of the identifier. These parties execute the following protocols: Initializing the system: The certificate issuer, and in some cases the escrow agent, computes whatever private information and publishes whatever public information is necessary to initialize the system. Issuing a certificate: The certificate issuer gives a certificate to the identifier. Checking the weak identity: The identifier convinces the verifier that he has a certificate, gives an escrowed certificate and convinces the verifier that the escrowed certificate is valid. Recovering the complete identity: The verifier gives the escrow agent(s) the escrowed certificate, and the escrow agent(s) recovers the identity of the identifier. There are a number of desirable features of escrowed identity systems. Ideally, one would like an efficient protocol that achieves all of these features. However, as we discuss below, there is a tradeoff between feature coverage and efficiency among the known escrowed identity protocols. Hence, we will describe for each implementation the features it does or does not achieve. The following features are most pertinent to the notion of escrowed identity: Valid first-tier identification: If a user receives a legitimate certificate from the issuer, and if he follows his protocol, then he will succeed in convincing a verifier that he is a legitimate user (i.e. has a certificate) with probability 1. Conversely, a computationally bounded user that has not been issued a certificate by the issuer will fail to convince the verifier of having a certificate with probability almost 1. (This implies that producing a certificate without the issuer’s private key is computationally hard.) Secure second-tier identity: After the verifier has seen one or more first-tier identification proofs, he cannot fake a legitimate identity in the sense described above. Guaranteed escrow for second-tier identity: A computationally bounded user can interactively prove with high confidence that he has escrowed his second-tier identity; the escrow agency can determine this identity from the transcript of this proof. (This imply that producing a second certificate from a given legitimate on is computationally hard). One may further demand that even if many identifiers collaborate, the escrow agency may still recover the identity of one of them with high probability. Resistance to impersonation: The escrow agency, even after recovering many identities of many users from the transcripts of weak identity proofs, cannot fake any legitimate identity in the sense described above. In particular, this implies that the escrowed identity does not reveal the certificate of the user. Similarly, one can require that the certificate issuer cannot fake the identity of someone already in the system.

172

Joe Kilian and Erez Petrank

Separability: The escrow agency is completely independent of the other parties unless a request to uncover the second-tier identity is made. An issuer, verifier and user can set up an identification system without ever registering with or communicating in any way with the escrow agent. The escrow agency is only “woken up” when there is a request to revoke anonymity.

Containing the escrow agent Introducing an escrow agent into a system almost inevitably reduces its security. However, the nature of the problem and the separability property allows us to minimize the damage. By separating the escrow agency from the initialization and normal operation of the identification system, we can have the agency be dormant most of the time. For example, if the escrow agency is implemented with secure hardware, this hardware can be stored in a secure bank vault until needed. This helps to reduce the chance that an escrow agent will be compromised. A further check on a rogue escrow agent is that the verifier has to ask for a more precise identification. Key escrow for communication is typically coercive, and requires that someone be able to obtain the ciphertext of any two people’s communications without their request or consent. Thus, the possibilities for widespread abuse are greater than with our scenario. Nevertheless, it is only prudent to allow for multiple escrow agents; the escrow agents in most of our protocols can be made to work using simple group cryptography (e.g. [15,30]).

1.2

History and Related Work

An earlier version of this work appeared in [20], using cut-and-choose techniques for the zero-knowledge proofs. The current version describes much more efficient implementations based on group signature schemes. Group signature schemes were introduced by Chaum and Heyst [12], and subsequently developed in [13,10,28,11]. Independently and concurrently with [20], Camenisch and Stadler [11] developed new schemes for efficient group signatures, one of which can quite efficiently achieve most of our goals; we describe this solution in Section 3. At the heart of escrowed identity and group signatures is an efficient proof that an encrypted value possesses some property. Frankel, Tsiounis and Yung [17] and Young and Yung [33] give very efficient protocols of this type. Again, these proofs are are not completely applicable to our setting, but suggest that dramatically more efficient identity escrow schemes may be possible. The notion of keeping a trusted agency dormant except for “emergencies” has been proposed in a number of contexts. Asokan, Shoup and Waidner [1] show how to use a dormant third party for a variety of applications related to the exchange of digital signatures. Young and Yung [33] show how to use a dormant escrow agent for key escrow. Brickell, Gemmel and Kravitz [5] and Stadler, Piveteau and Camenisch [32] show how to use a dormant escrow agent in electronic cash systems (more efficient schemes are presented in [29,17]). Quite recently, Micali [26] has shown how to use a dormant agent for certified mail.

Identity Escrow

1.3

173

Road Map

In Section 2 we describe some of the building blocks we use for our protocols. In Section 3 we discuss how to implement identity escrow using group signature schemes. In Section 4 we show how to achieve stronger separability . In Section 5 we show an implementation of an escrowed identity scheme based on the ElGamal encryption and signature schemes.

2

Preliminaries

We describe some of the basic building blocks we use in our protocol. 2.1

Bit Commitments

We work in the argument framework of Brassard, Chaum and Cr´epeau [7]. In this paradigm, all parties are assumed to be computationally bounded. It is shown in [7] how to commit to bits in statistical zero-knowledge, based on the intractability of certain number-theoretic problems. D˚ amgard, Pedersen and Pfitzmann [14] give a protocol for efficiently committing to and revealing strings of bits in statistical zero-knowledge, relying only on the existence of collisionintractable hash functions. This scheme is quite practical. For simplicity, we will simply speak of committing to and revealing bits when referring to the protocols of [14]. In some implementations we also commit to strings by probabilistic encryption [19] using the public key of the escrow agency. These commitments are only computationally secure. Furthermore, they allow for the escrow agents to recover the values of these commitments in addition to those revealed by the identifier in the course of the zero-knowledge proofs. 2.2

The El-Gamal Signature and Encryption Schemes

We base one implementation of escrowed identity on the El-Gamal signature and encryption schemes [16], which we summarize, following [31], with slight modifications to suit our purposes. In both schemes, there is a common prime p, which for our purposes is of the form 2q + 1 where q is a prime. Let g ∈ Zp∗ have order q. For the encryption scheme each party has a private key X ∈ Zq and a public key Y = g X . For the signature scheme we denote the secret key by S ∈ Zq and the public key by P = qS . To encrypt a message M ∈ Zp given public key P , the sender uniformly generates r ∈ Zq and computes EY (M, r) = (g r , M Y r ). The decryption function is given by DX (A, B) = B/AX . The signer signs a message M ∈ Zp−1 as follows. 1. The signer uniformly generates r ∈ Zq , computes a = g r , and casting it as an integer in 0..(p − 1). This step is repeated until a and p − 1 are relatively prime.

174

Joe Kilian and Erez Petrank

2. Using the extended Euclidean algorithm, the signer computes b ∈ Zp−1 such that Sa + rb = 1 mod p − 1. 3. The signer returns (a, b). To verify a signature (a, b) for M , the verifier checks that P a ab = g M mod p. Signing the “0” document is not secure We remark on a weakness in the El-Gamal signature scheme. The document “0” can be signed efficiently by a party that does not have the secret key S. For example, by setting a = P and b = −P mod q we have P a ab = P P P −P = q 0 . More generally, we can set a = P k mod p and setting b = −a/k mod q. For this reason, we use El-Gamal signatures for 1 instead of 0. We assume that given a number of signatures for 1 it is impossible to generate a different signature for 1. This assumption is plausible, but we do not know of any more standard assumptions that imply it. 2.3

The RSA Encryption Scheme

In the RSA encryption scheme the public key consists of n = pq where p and q are prime and an exponent e, where e is relatively prime to n and φ(n). A message M is encrypted by computing M e mod n. The private key consists of d such that de = 1 mod (p − 1)(q − 1) (strictly, de = 1 mod λ(n) suffices), and M e is decrypted by computing (M e )d = M mod n. We make an additional assumption beyond the security of RSA. We assume that for a random δ it is hard to find (a, b) such that ae − be = δ mod n. Furthermore, we assume that given a set of such pairs {(ai , bi )} it is hard to generate a new pair. Given d, it is easy to generate a pair (a, b) with given value of ae by computing a = (ae )d and b = (ae − δ)d . Camenisch and Stadler [11] use essentially the same assumption, and have pointed out that the system is not secure for very small e (2 or 3); the pairs (a, b) fall on a low degree curve, which can be used as a basis for an attack. However, a large e doesn’t seem vulnerable to such an attack.

3

Using Group Signatures to Escrow Identity

Borrowing freely from the exposition in [11], we describe the basics of group signatures. We then proceed to describe how a particular implementation can be used to give an escrowed identity system with most of the desired features. Group Signatures A group signature system consists of a group manager that oversees a group of signers. The group manager can allow other players to join the group. Any member of the group can sign a message on behalf of the group. The group manager can determine precisely who within the group signed the message, but no one else can.

Identity Escrow

175

This framework suggests the following set of protocols for something close to escrowed identification. Being issued a certificate corresponds to joining the signature group. The identifier can identify himself to the verifier by signing a (random) message of the verifier’s choosing. To avoid replay and timing attacks, this message should include the (approximate) time and the verifier’s name. To revoke anonymity the group manager determines who actually signed the message. However, in the reduction outlined above, the group manager plays two roles: the issuer and the escrow agency. To obtain an escrowed identity system, we need to split these roles. As noted in [11], one of their implementations ([11], Section 6) allows for a considerable, though not complete separation between these roles. For completeness, we explicitly describe how this separation is made. 3.1

The Camenisch-Stadler Construction

We briefly describe the parts of the Camenisch-Stadler construction that are relevant to separating the roles of the issuer and the escrow agency. We omit quantities, guarantees, protocols and other issues that are not directly relevant to this goal. The group manager generates an RSA modulus n = pq, RSA exponents e1 , e2 , a cyclic group G = hgi, of order n, an element h ∈ G, an El Gamal private-key, public key pair, (ρ, yR = hρ ). It publishes (n, e1 , e2 , G, g, h, yR ). The identifier randomly generates a private x and computes y = xe1 and z = g y . As part of the registration process, the identifier sends z to the group manager. The only operation the group manager performs relying on its private information is the computation of y˜1/e2 for some y˜ (used as part of a blind decryption to generate the certificate). The signature incorporates a proof of knowledge of a valid certificate and r the private key, x. As one part of the signature, the identifier sends (yR , hr g y ), which is the El-Gamal encryption of z. A group manager can thus recover z, allowing it to determine the identity of the signer. The signing process requires knowledge of x and y. The group manager can be split into an issuer and an escrow agency as follows. The issuer generates n = pq and the corresponding RSA exponents. It then registers n with the escrow agency. The escrow agency chooses G, g, h, ρ and yR appropriately and sends G, g, h, rR to the issuer, keeping ρ private. It is typically not hard to verify that G is of the correct order. Also, the issuer can ensure that h is “random enough” by requiring that is be, for example, a hash of g. The issuer can register participants without knowing ρ. The escrow agency can determine z without knowing the factorization of n. Once it has recovered z, it must go back to the issuer to determine who actually corresponds to z. 3.2

Features Obtained by the Camenisch-Stadler Construction

First, we note that for this and all the (serious) protocols proposed in this paper, we argue purely heuristically. All statements about security are implicitly

176

Joe Kilian and Erez Petrank

preceded by, “Well, it sure looks to us that...”. An interesting open question is to obtain efficient schemes based on well known hardness assumptions. The above construction achieves three of our desired features, and achieves a weak form of the other two. The validity of the first-tier identification and the security of the second-tier identification derive from the corresponding security properties of group signature schemes. Furthermore, the Camenisch-Stadler construction also achieves a strong resistance to impersonation. The group center cannot forge a message from a group member, essentially because the group manager never learns x and y; this inability extends to the issuer and the escrow agency (even working in concert). Guaranteed escrow of the second-tier identification is in a sense also guaranteed by the properties of group signature schemes. However, note that the the escrow agency and the issuer must work in concert to reveal the identity. Thus, if the issuer later refuses to help, or no longer exists, no second-tier identification may be obtained. This problem may be ameliorated by having the issuer continually inform the escrow agency of the identity corresponding to each z. For some applications, this weakness may be a strength, in that it provides another layer of protection for the anonymity of the identifier. A weak form of separability obtained, in that the escrow agency is not involved with any transaction. However, the escrow agency has to be contacted to initialize a group. For some applications, this may be reasonable, but it is not suitable when forming groups should be a lightweight operation and the escrow agency is to be kept dormant nearly all the time.

4

A Scheme Achieving Full Separation

The greatest limitation of the group-signature based schemes is that the issuer and escrow agent cannot be completely separated - they must communicate when the system is set up and whenever anonymity must be revoked. It is of interest to see how much separation is indeed possible. Using general zero-knowledge proofs for NP assertions, great flexibility may be obtained, though with a complete loss of practicality. To allow person X into the group, the issuer can simply sign a message stating that X is in the group. To identify itself, the identifier simply (probabilistically) encrypts this message and signature in the escrow agent’s public key, and gives a zero-knowledge proof that were the message decrypted it would be a valid signed message authorizing entry (further details, such as avoiding resending attacks, omitted). We give an escrowed identification system that is vastly more efficient than the above system, but substantially less efficient than the group-signature based schemes. In its basic form, it allows for impersonation attacks by the issuer; as recent work in progress we believe we can eliminate this attack with a somewhat more complex scheme. 4.1

The Protocols

Central to our protocols is an RSA public key consisting of n = pq and e (relatively prime to φ(n)), with a secret key d such that de = 1 mod (p − 1)(q − 1).

Identity Escrow

177

In addition there is a new parameter, δ, that can be either set randomly or to a fixed number different from 0 or 1 (but must be fixed throughout the execution of the scheme). A certificate is a pair (a, b) such that ae − be = δ. Given d, one can easily generate a certificate, even if a or ae is fixed, since b = (ae − δ)d mod n. We assume that a and b are relatively prime to n. The structure of these certificates follows closely the methodology of [11] (and was independently put forth in [20]). Initializing the system To set up the system, the issuer chooses n, e, d and δ as above, and publishes (n, e, d). Note that unlike the previous scheme, the escrow agency has no part in setting up the system. We only assume that any potential escrow agent has a public key. Issuing a certificate The center chooses a valid certificate (a, b) such that ae contains (say, in its low order bits) the name of the identifier, and gives (a, b) to the identifier. As another security check, a can actually contain a compact signature by the issuer; anyone can verify that only the issuer made a. Checking the weak (first tier) identity On a high level, the identifier proves that he knows a proper certificate (a, b) by a cut-and-choose protocol. The identifier and the verifier may choose their escrow agent independently during each identification session. First, the identifier chooses independently and uniformly at random two numbers a1 , b1 both relatively prime to n. He then sets a2 , b2 to be the numbers satisfying a = a1 a2 and b = b1 b2 . This partition is done to later hide the actual value of a and b from the verifier. The identifier also chooses uniformly and independently at random two numbers x, y such that x and y are relatively prime to n. The identifier commits to the values of a1 , a2 , b1 , b2 , (a1 )e , (a2 )e , (b1 )e , (b2 )e , x, x(a1 )e , x(b1 )e , and x(a1 a2 )e + y, and x(b1 b2 )e + y. He commits to (a1 )e and (a2 )e by probabilistic encryption, using the chosen escrow agents public key. He commits to the other variables using statistical zero-knowledge commitments. The following five tests are used by the verifier to check that the committed values are correct and that the implied a = a1 a2 and b = b1 b2 satisfy ae − be = δ. The verifier will pick one of them at random and check that it holds. 1. The identifier opens the commitments on x, a1 , (a1 )e , a1 x, b1 , (b1 )e and b1 x, and the verifier checks that all the values match their supposed relations. 2. The identifier opens the commitments on a2 , (a2 )e , b2 , (b2 )e and b1 x, and the verifier checks that all the values match their supposed relations. 3. The identifier opens the commitments on x(a1 )e , (a2 )e , y and x(a1 a2 )e + y, and the verifier checks that the values match their supposed relations. 4. The identifier opens the commitments on x(b1 )e , (b2 )e , y and x(b1 b2 )e + y, and the verifier checks that the values match their supposed relations.

178

Joe Kilian and Erez Petrank

5. The verifier opens the commitments on x, on x(a1 a2 )e +y, and on x(b1 b2 )e +y, and the verifier checks that x is relatively prime to n and that (x(a1 a2 )e + y) − (x(b1 b2 )e + y) = δx. Note that the tests all simultaneously hold only if (a1 a2 )e − (b1 b2 )e = δ. Thus, a cheating identifier is caught with probability 1/5. The error probability can be decreased to by repeating this protocol O(log(1/)) times; by choosing the constant appropriately, we have that either two-thirds of the committed (a = a1 a2 , b = b1 b2 ) (they may have different values in each iteration) are good or the verifier accepts with probability at most . Furthermore, identifier and the verifier go through a standard proof by which the identifier can show with high confidence that most of the committed values of a = a1 a2 and b = b1 b2 have the same value (details omitted). Also, if the identifier has a good certificate pair (a, b), then he can always pass all tests. Last, the view of the verifier in each of the tests can be simulated efficiently. Recovering the complete (second tier) identity The verifier gives the transcript of the proof to the escrow agent. Since the commitment on the (a1 )e and (a2 )e were done by probabilistic encryption, using the escrow agent’s public key, the escrow agent can read the value of (a1 )e and (a2 )e and thus get ae . This value plainly reveals the identity of the user; no further consultation with the issuer is required. One subtlety is that there may be multiple values, either because the prover cheated successfully in some rounds or because multiple identifiers colluded. These are thwarted by having the equality check; nearly all the recovered ae ’s will be the same, and will be equal to an a from a certificate known to the identifier. 4.2

Features of the Identification System

As with the group-signature based schemes, all of the arguments for the security of this scheme is heuristic; the same caveats about statements of security apply. Some necessary hardness assumptions that we make are that it is hard to find a pair (a, b) so that ae − be = δ mod n (so no one can fake an identity), that given (a, b) satisfying the above, it is hard to produce a different pair (a0 , b0 ) with the same property (so the user must escrow the real ae ), and that given ae it is not possible to find the appropriate (a, b) (so that the escrow agency cannot fake the user identity). The last condition is implied by the first one, since it is easy to produce ae for any arbitrary a. Further discussion of this assumption is given in [11]. It appears difficult for an outsider to mimic a group member. The interactive proof does imply that the intruder has a valid certificate. Assuming that these are hard to generate (given all the side information available to an attacker), valid first-tier identification appears to hold. Similarly, the zero-knowledge proof implies that with high probability the escrow agent will be able to recover ae for a valid certificate, implying that the second-tier identity has been escrowed.

Identity Escrow

179

However, without the escrow agent, the proof of knowledge of a certificate is zero knowledge, so the second-tier identity is secure. The strongest feature of the protocol is its separability. The escrow agent is completely uninvolved unless asked to revoke anonymity. Indeed, the identifier and verifier have complete freedom of who they pick as their agent for any individual transaction. Anyone with a public key known to the identifier and verifier may be designated an escrow agent, with no prior interaction required. The weakest feature of the protocol as it now stands is its resistance to impersonation. The issuer can forge any player’s identity as soon as a certificate is issued. However, it can be verified that knowing (a1 )e and (a2 )e and seeing the rest of the proof reveals nothing about b. Hence, even after determining the identifier’s identity, the escrow agency and the verifier cannot team up to impersonate the identifier. Hence, this system works best when the issuer is under high security and preferably is destroyed (erases its private data) when no further certificates are to be issued. We note that since it’s sole operation is an RSA decryption, it can be implemented via group cryptography, increasing the security of the system. We also note as a result of this weakness, the escrow agent’s goal is to determine the identifier, but not to prove this identity. 4.3

Recent Enhancements

We report on work in progress that will be described in detail in an upcoming longer version of this paper. We believe we can modify the above protocol, with some loss of efficiency, to make it resistant to impersonation. We briefly describe the basic tricks involved. First, one can achieve resistance to impersonation in a similar manner as in [11] by having a be g r for some element g ∈ Zn∗ , where the random r is chosen by the identifier. Care must be taken so that this discrete log problem is hard. As part of the identification process, the identifier proves knowledge of r, which is never revealed to anyone. Unfortunately, this way of choosing a doesn’t allow the identifier’s name to be encoded. So instead, three certificates (a1 , b1 ), (a2 , b2 ) and (a3 , b3 ) are generated, such that the identifier knows the discrete log of a1 , and a3 contains his identity. A potential impersonation attack by the issuer would simply substitute a new value of a1 whose discrete log is known by the issuer. However, given the existence of space efficient signature schemes, a3 and a1 can be “linked” by the identifier, so that only that value of a1 can be used to establish someone’s identity, and only the identifier can make such a link. Essentially, a3 contains the identifier’s signature for a1 . However, it isn’t possible to directly prove in zero knowledge that these committed pairs are linked (they aren’t normally revealed). One attack is for two identifiers to mix their pairs, so that no linked pairs are recovered. To thwart this attack, a1 , a2 and a3 are additionally constrained so that a3 = a1 + a2 , and this relation is proven during the identification protocol, using standard cut and choose techniques. The issuer can arrange things so that for any 3 valid certificates a3 = a1 + a2 implies that a3 and a1 are linked. Many, many details omitted.

180

5

Joe Kilian and Erez Petrank

An El-Gamal Based Identification System

Given the rather nonstandard and quite similar assumptions used by the previous two schemes, one would like to make sure that plausible schemes can be based on alternative cryptographic functions. We construct an identity escrow system using the El-Gamal signature scheme as the underlying cryptographic primitive. Unfortunately, the protocol is even more inefficient than the last, and does not enjoy its strengths, but serves as evidence that identity escrow does not rely on what is essentially a single nonstandard assumption. We first give a high level discussion of this scheme. Initializing the system The issuer begins by choosing keys for the encryption scheme and for the signature scheme. For both schemes he chooses a big prime p satisfying p = 2q + 1 for a prime q, and a random quadratic residuosity g in Zp∗ . The issuer then chooses a secret key S for the signature scheme and computes the related public key P = g S mod p. The escrow agent chooses a secret key X for its encryption scheme and computes Y = g X mod p. The issuer publishes g, p, P, Y . In the sequel all operations are done modulo p unless otherwise stated. Issuing a certificate The valid certificates will be the set of all signatures on the number 1. Namely, legitimate identities will be all pairs (a, b) satisfying P a ab = g mod p. The issuer selects a random signature of “1” which is a pair (a, b), and sends (a, b) to the identifier. Specifically, the issuer chooses a random number r ∈ [0..q − 1] and computes a = g r . (Note that a is a random quadratic residue modulo p.) The issuer tries again if a = q,1 otherwise, the issuer computes the number b satisfying aS + rb = 1 mod q. (a standard calculation in the field Zq .) The issuer sends (a, b) to the identifier and saves a to allow it to help the escrow agent revoke anonymity. Checking the weak (first tier) identity We go into the details of this process in Section 5.1 below. But in a nutshell, in order to identify himself, the identifier provides an El-Gamal encryption of a, and then proves in perfect zero knowledge that he knows a pair (a, b) such that P a ab = g mod p and such that a is encrypted in the cipher-text he provided. Recovering the complete (second tier) identity If the identity of a user has to be revealed, the verifier sends the escrow agent the encryption of a. The escrow agent decrypts it and, with the help of the issuer, determines which identifier had that value of a. 5.1

Verifying the Identity in Zero Knowledge

Let us get into the details of the identity verification process. Recall that Party A should not get any knowledge from the interaction with U , but only be convinced 1

The number a equals q with (negligible) probability 2/(p − 1).

Identity Escrow

181

that U is a proper user. To this end, U commits on a few numbers, and by A’s request, U opens a few of them. A learns nothing from seeing the opened commitments, but if U tries to cheat, A catches him with a constant probability. Thus, repeating the process O(log(1/)) times, A is convinced that indeed U has a proper identity with probability 1 − . User U begins by encrypting a, i.e., selecting uniformly at random R ∈ Zq and computing the encryption (α, β) = (g R , Y R · a), which he sends to A. Next, U partitions a, b and R into shares in the following manner. For b and for R the user U chooses a random sum modulo q. Namely, he chooses uniformly at random b1 , R1 ∈ Zq , and then sets b2 = b − b1 mod q and R2 = R − R1 mod q. The value of a is partitioned in a more involved manner. User U splits it into a product a1 · a2 which equals a both modulo p and modulo q. He does this in the following manner. U chooses uniformly at random a number a1 ∈ [1..pq − 1] such that a1 is relatively prime to pq. Next, U chooses the unique a2 ∈ [1..pq − 1] satisfying a2 = a/a1 mod p and a2 = a/a1 mod q. This can be done by the Chinese Remainder Theorem. Note that for any fixed a (which is assumed to be relatively prime to pq), a2 (as well as a1 ) is randomly distributed amongst the numbers in [1..pq − 1] which are relatively prime to pq. We first describe the tests on a high level; a more detailed explanation follows. We first specify some of the commitments that U makes. These commitments are the ones needed to state the high level tests, but more commitments will be required by the implementations of these tests.

Commitments U commits to each of the following values: a1 , a2 , b1 , b2 , R1 , R2 , Y R1 , Y R2 , (a1 )b1 , (a1 )b2 , (a2 )b1 , (a2 )b2 , g R1 , g R2 , Y a1 , Y a2 .

Tests We describe on a high level a set of checks. A picks one check at random, and U proves that the test holds by opening some of his commitments. There are 34 low-level tests which are described in high level by the following 6 tests: 1. A multiplication test that Y R1 · Y R2 · a1 · a2 = β. Note that each of the multiplicands is a random number that can be simulated, and g is public. (This consists of 6 basic tests which are described in Subsection 5.1 below.) 2. A multiplication test that g R1 · g R2 = α. Note that each of the multiplicands is a random number that can be simulated, and g and α are public. (This consists of 5 basic tests which are described in Subsection 5.1 below.) 3. A multiplication test that (P a1 )a2 · (a1 )b1 · (a2 )b1 · (a1 )b2 · (a2 )b2 = g. (This consists of 8 tests which are described in Subsection 5.1 below.) 4. U proves to A that a1 ·a2 mod pq is a number in the range 1..p−1. See Section 5.1 for the details of implementing this test (which consists of 9 basic tests). A discussion of why this is a crucial test appears in the appendix of [20]. 5. For i = 1, 2 and for j = 1, 2 the user U opens the commitments on ai on bj and on (ai )bj and A checks that indeed the value of the exponentiation is correct. (These are 4 basic tests.)

182

Joe Kilian and Erez Petrank

6. For i = 1, 2 the user U opens the commitments on Ri , ai and on g Ri and on Y ai and A checks that both exponentiations are correct. (These are two basic tests.) These techniques are quite standard, and one may check that seeing one of these tests is perfectly simulatable. Also, if all tests hold then the multiplications hold as well. And finally, if the multiplications hold, and the user follows the protocol as above, then he never fails to convince A. Implementing the multiplication tests Let us describe the standard manner in which the multiplication tests are implemented. In these tests, at most one of the operands is revealed; we use the test in situations where this leakage does not pose a problem. The first test we are interested in is a multiplication test that Y R1 · Y R2 · a1 · a2 = β. The value of β is given to A. To this end U chooses uniformly at random and independently 4 numbers t1 , t2 , t3 , t4 in Zp∗ . U commits on the values of t1 Y R1 , t2 Y R2 , t3 a1 , t4 a2 , and t1 t2 t3 t4 all modulo p. The following 6 tests check the multiplication. 1. U opens the commitments on t1 , Y R1 , and t1 Y R1 and A checks that the values match. 2. U opens the commitments on t2 , Y R2 , and t2 Y R2 and A checks that the values match. 3. U opens the commitments on t3 , a1 , and t3 a1 and A checks that the values match. 4. U opens the commitments on t4 , a2 , and t4 a2 and A checks that the values match. 5. U opens the commitments on t1 , t2 , t3 , t4 , and t1 t2 t3 t4 and A checks that the values match. 6. U opens the commitments on t1 Y R1 , t2 Y R2 , t3 a1 , t4 a2 , t1 t2 t3 t4 , and U checks that the multiplication t1 Y R1 · t2 Y R2 · t3 a1 · t4 a2 equals t1 t2 t3 t4 β. In a similar manner one can construct 5 basic tests and the corresponding commitments to check that g R1 g R2 = α. The second multiplication test should check that (P a1 )a2 ·(a1 )b1 ·(a2 )b1 ·(a1 )b2 · (a2 )b2 = g. For this test, U chooses independently and uniformly at random 5 numbers t5 , t6 , t7 , t8 , t9 in Zp∗ . U commits on each of these 5 values and also on P a1 t5 , (P a1 )a2 ·t5 a2 , (a1 )b1 t6 , (a2 )b1 t7 , (a1 )b2 t8 , and (a2 )b2 t9 , and on the value of (t5 )a2 t6 t7 t8 t9 . The following 8 tests check the validity of the commitments and the correctness of the multiplication asserted. 1. U opens the commitments on t5 , on a1 and on P a1 t5 , and A checks that the values match. 2. U opens the commitments on P a1 t5 , on a2 , and on (P a1 )a2 · t5 a2 and A checks that the values match. 3. U opens the commitments on t6 , on (a1 )b1 and on (a1 )b1 t6 , and A checks that the values match. 4. U opens the commitments on t7 , on (a2 )b1 , and on (a2 )b1 t7 , and A checks that the values match.

Identity Escrow

183

5. U opens the commitments on t8 , on (a1 )b2 and on (a1 )b2 t8 and A checks that the values match. 6. U opens the commitments on t9 , on (a2 )b2 , and on (a2 )b2 t9 and A checks that the values match. 7. U opens the commitments on values of all t5 , t6 , . . . , t9 , on the value of a2 and on the value of the product (t5 )a2 t6 t7 t8 t9 , and A checks that the values match. 8. U opens the commitments on (P a1 )a2 · t5 a2 , (a1 )b1 t6 , (a2 )b1 t7 , (a1 )b2 t8 , and (a2 )b2 t9 , and on the value of (t5 )a2 t6 t7 t8 t9 . A checks that the product (P a1 )a2 · t5 a2 · (a1 )b1 t6 · (a2 )b1 t7 · (a1 )b2 t8 · (a2 )b2 t9 equals the product β · (t5 )a2 t6 t7 t8 t9 . Testing a range property modulo n = pq Let q, p be two primes such that q < p. A useful tool in our system is a zero knowledge test which verifies that a given pair of numbers a1 , a2 ∈ [0, 1, . . . , pq − 1] satisfies that a1 a2 mod pq is a number in the range [0..p − 1]. A solution to this problem, for a general range, is given by Bellare and Goldwasser [2]; for greatest efficiency they use an improvement due to Cramer based on the techniques of [9]. In their scenario, the prover commits on the value a (which has to be in the right range) by committing on each of the bits in its binary representation. However, these and other such protocols depend intimately on how the value is committed to; the commitment method we use (a is committed to as a product of committed values, a1 and a2 ) precludes the direct use of this solution. In [20], we give a simple cut-andchoose type proof for this commitment format; which is omitted here due to space limitations. 5.2

Features of the Identification System

The interactive proof establishes that the identifier has a valid certificate (a, b) and that he has escrowed the value of a. We know of no way of generating valid certificates, or of generating a new certificate from a number of other valid certificates. Thus, heuristically, this argues that the first-tier identification is valid and that the second-tier identification has been escrowed. However, we note that as with the group-signature based scheme, the escrow agent needs the issuer’s help to revoke anonymity. Without the escrow agent, the zero-knowledge proof only reveals the El Gamal probabilistic encryption of a valid certificate, so the second-tier identity seems secure. The protocol is weakly separable in the same way as with the group-signature scheme: the escrow agent must be involved during the initialization and needs the issuer’s help to revoke anonymity. The escrow agent only sees a, but doesn’t receive b. However, the issuer can impersonate any identifier.

Acknowledgements We thank Markus Stadler for useful discussions.

184

Joe Kilian and Erez Petrank

References 1. Asokan, Shoup and Waidner. Optimistic Fair Exchange of Digital Signatures. IBM Research Report RZ2973, November 17, 1997. 172 2. M. Bellare and S. Goldwasser. Verifiable partial key escrow. Proceedings of the Fourth Annual Conference on Computer and Communications Security, ACM, 1997. Preliminary version appeared as Technical Report CS95-447, Dept. of CS and Engineering, UCSD, October 1995. 183 3. M. Bellare and S. Goldwasser. Encapsulated key escrow. MIT Laboratory for Computer Science Technical Report 688, April 1996. 4. M. Ben-Or, S. Goldwasser and A. Wigderson. Completeness theorems for noncryptographic fault-tolerant distributed computations. In Proc. of the 20th Annu. Symposium on the Theory of Computing, pages 1–10, 1988. 5. E. Brickell, P. Gemmel and D. Kravitz. Trustee-based tracing extensions to anonymous cash and the making of anonymous change. In Proc. 6th Symposium on Discrete Algorithms, 1995, pp. 457-466 172 6. D. Boneh and M. Franklin. Efficient generation of shared RSA keys. Advances in Cryptology – CRYPTO ’97 Proceedings, pp. 425-439. Lecture notes in Computer Science #1294, Springer Verlag, Berlin, 1997. 7. G. Brassard, D. Chaum and C. Cr´epeau. Minimum Disclosure Proofs of Knowledge. In JCSS, pages 156–189. 1988. 173, 173 8. D. Chaum, C. Crepau, and I. D˚ amgard. Multiparty unconditionally secure protocols. In Proc. of the 20th Annu. ACM Symp. on the Theory of Computing, pages 11–19, 1988. 9. R. Cramer, I. Damg˚ ard and B. Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. Advances in Cryptology – CRYPTO ’94 Proceedings, pp. 174–187. Lecture Notes in Computer Science #839, Berlin: Springer-Verlag, 1994. 183 10. Camenisch. Efficient and generalized group signatures. Advances in Cryptology — EUROCRYPT ’97, volume 1233 of Lecture Notes in Computer Science, pages 465–479. Springer Verlag, 1997. 172 11. J. Camenisch and M. Stadler. Efficient Group Signature Schemes for Large Groups. Advances in Cryptology – CRYPTO ’97 Proceedings, pp. 410–424. Lecture notes in Computer Science #1294, Springer Verlag, Berlin, 1997. 172, 172, 174, 174, 175, 175, 177, 178, 179 12. D. Chaum and E. van Heyst. Group signatures. Advances in Cryptology — EUROCRYPT ’91, volume 547 of Lecture Notes in Computer Science, pages 257– 265. Springer-Verlag, 1991. 172 13. L. Chen and T. P. Pedersen. New group signature schemes. Advances in Cryptology — EUROCRYPT ’94, volume 950 of Lecture Notes in Computer Science, pages 171–181. Springer-Verlag, 1995. 172 14. I. D˚ amgard, T. Pedersen and B. Pfitzmann. On the Existence of Statistically Hiding Bit Commitment Schemes and Fail-Stop Signatures. Advances in Cryptology – CRYPTO ’93 Proceedings, pp. 250-265. Lecture Notes in Computer Science #773, Berlin: Springer-Verlag, 1994. 173, 173 15. Yvo Desmedt and Yair Frankel. Theshold cryptosystems. Advances in Cryptology – CRYPTO ’89 Proceedings, pp. 307–315. Berlin: Springer-Verlag, 1990. 172 16. T. El Gamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. Advances in Cryptology – CRYPTO ’89 Proceedings, pp. 10–18. Berlin: Springer-Verlag, 1985. 173

Identity Escrow

185

17. Y. Frankel, Y. Tsiounis and M. Yung. “Indirect Discourse Proofs”: Achieving Efficient Fair Off-Line E-Cash. Advances in Cryptology–ASIACRYPT ’96 proceedings, pp. 286–300. Lecture Notes in Computer Science #1163. Springer-Verlag, 19851996. 172, 172 18. Y. Frankel and M. Yung. Escrow Encryption Systems Visited: Attacks, Analysis and Designs. Advances in Cryptology – CRYPTO ’95 Proceedings, Berlin: Springer-Verlag, 1995. 170 19. S. Goldwasser and S. Micali. Probabilistic Encryption. In JCSS Vol 28(2), pages 270-299, 1984. 173 20. J. Kilian and E. Petrank. Identity Escrow. Theory of Cryptography Library, ftp://theory.lcs.mit.edu/pub/tcryptol/97-11.ps, August 1997. 172, 172, 177, 181, 183 21. J. Kilian and F. T. Leighton. Fair Cryptosystems, Revisited. Advances in Cryptology – CRYPTO ’95 Proceedings, Berlin: Springer-Verlag, 1995. 170 22. F. T. Leighton. Failsafe key escrow systems. Technical Memo 483, MIT Lab. for Computer Science, August 1994. 170 23. A. Lenstra, P. Winkler and Y. Yacobi. A Key Escrow System with Warrant Bounds. Advances in Cryptology – CRYPTO ’95 Proceedings, Berlin: Springer-Verlag, 1995. 170 24. S. Micali Fair public-key cryptosystems. Advances in Cryptology – CRYPTO ’92 Proceedings, Berlin: Springer-Verlag, 1993. 170 25. S. Micali. Fair public-key cryptosystems. Technical Report 579, MIT Lab. for Computer Science, September 1993. 170 26. S. Micali. Certified E-Mail With Invisible Post Offices. Talk at Workshop on Secure Computation, Weizmann Institute, June, 1998. 172 27. S. Micali and R. Sydney. A Simple Method for Generating and Sharing PseudoRandom Functions, with Applications to Clipper-like Key Escrow Systems. Advances in Cryptology – CRYPTO ’95 Proceedings, Berlin: Springer-Verlag, 1995. 170 28. H. Petersen. How to convert any digital signature scheme into a group signature scheme. Security Protocols Workshop, Paris, 1997. 172 29. J. Camenisch, U. Maurer, and M. Stadler. Digital payment systems with passive anonymity-revoking trustees. In proceedings, ESORICS: European Symposium on Research in Computer Security”, Springer-Verlag, 1996. 172 30. A. De Santis, Y. Desmedt, Y. Frankel and M. Yung. How to Share a Function Securely (Extended Summary). Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, pp. 522–533, Montr´eal, Qu´ebec, May 23–25, 1994. 172 31. Schneier, B. (1993). Applied Cryptography. John Wiley. 173 32. M. Stadler, J.-M. Piveteau and J. Camenisch Fair blind signatures. In Proc. Eurocrypt 95, 1995, LNCS 921, pp. 209 - 219 172 33. Adam Young and Moti Yung. Auto-Recoverable Auto-Certifiable Cryptosystems. Eurocrypt 98, LNCS 1403 (Ed. K. Nyberg), pp. 17–32. 172, 172

Generalized Birthday Attacks on Unbalanced Feistel Networks Charanjit S. Jutla IBM T. J. Watson Research Center Yorktown Heights, NY 10598, USA

Abstract. Unbalanced Feistel networks Fk which are used to construct invertible pseudo-random permutations from kn bits to kn bits using d pseudo-random functions from n bits to (k − 1)n bits, k ≥ 2 are studied. We show a new generalized birthday attack on Fk with d ≤ 3k − 3. With 2(k−1)n chosen plaintexts an adversary can distinguish Fk (with d = 3k − 3) from a random permutation with high probability. If d < (3k − 3) then fewer plaintexts are required. We also show that for any Fk (with d = 2k), any adversary with m chosen plaintext oracle queries, has probability O(mk /2(k−1)n ) of distinguishing Fk from a random permutation. Keywords: Block ciphers, Feistel networks, pseudo-random permutations, second moment method, birthday attacks.

1

Introduction

We study the security of unbalanced Feistel networks [12]. In particular, we demonstrate a new class of attacks based on generalizations of the birthday paradox. Feistel networks are used to construct pseudo-random permutations (2n bits to 2n bits) from pseudo-random functions (n bits to n bits). Unbalanced Feistel networks are also used to construct pseudo-random permutations, but from pseudo-random functions in which the range and domain of the functions may not be of the same size. Unbalanced Feistel networks in which the size of the domain of the pseudorandom functions is larger than that of the range will be called contracting unbalanced Feistel networks. The pseudo-random functions used in the construction will be called contracting substitution boxes. Similarly, networks in which the size of the domain of the pseudo-random functions is smaller than that of the range will be called expanding unbalanced Feistel networks. The pseudo-random functions used in the construction will be called expanding substitution boxes. Such Feistel networks are also called complete target heavy unbalanced Feistel networks [12]. BEAR and LION [11] are two block ciphers which employ both expanding and contracting unbalanced Feistel networks. In this paper we will be concerned with expanding unbalanced Feistel networks. From a practical point of view, expanding unbalanced Feistel networks are easier to devise. For if the substitution boxes were to be given explicitly H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 186–199, 1998. c Springer-Verlag Berlin Heidelberg 1998

Generalized Birthday Attacks on Unbalanced Feistel Networks

187

(i.e. by giving the value of the function explicitly for each input) the expanding boxes require much less memory. More precisely, a function from n bits to kn bits requires 2n kn bits of memory, whereas a function from kn bits to n bits requires 2kn n bits of memory. A similar information-theoretic argument can be made if the substitution boxes were not given explicitly, but were themselves constructed using smaller boxes or functions. Naor and Reingold [13] have studied the security of contracting unbalanced Feistel networks. They show much better security (lower) bounds for such networks compared to the bounds proved for usual Feistel networks. Proving comparable bounds for usual Feistel networks is much more difficult. This disparity is apparently due to the information-theoretic distinction mentioned in the previous paragraph. Proving security (lower) bounds for expanding Feistel networks turns out to be even more difficult. If L and R are bit strings, then let L||R denote their concatenation. For k ≥ 2, an expanding Feistel network is a permutation Fk : {0, 1}kn → {0, 1}kn , given by composition of several subrounds of the following transformation: (L1 ||L2 ||...||Lk )→((L1 ||(f (L1) ⊕ (L2 ||...||Lk ))) <<< n). Here, Li is a n bit string, and f a random function from n bits to (k − 1)n bits. The functions used in different subrounds may be independent. X <<< n denotes X rotated left by n bits. An Fkr (r ≥ 1) expanding Feistel network has r subrounds. For example, DES [3] is a F216 Feistel network. We show that for any Fk2k expanding Feistel network F , with independent random functions for different subrounds, any adversary with m chosen plaintext oracle queries (i.e. values of F (x) for m chosen values of x), has probability O(mk /2(k−1)n ) of distinguishing F from a random permutation {0, 1}kn → {0, 1}kn . For, k = 2 (i.e. for the usual Feistel networks) the result was already known [9]. In fact, the bound in [9] held for just 3 sub-rounds. Recently, Patarin [10] has shown that for F26 , the adversary has distinguishing probability at most O(m4 /23n + m2 /22n ). We also show that as k increases more and more subrounds of Fk can be broken by chosen plaintext attacks. We show that Fk3k−3 can be distinguished from a random permutation with about 2(k−1)n chosen plaintexts. For example, F49 can be distinguished from a random permutation with 23n chosen plaintexts. Various other such attacks can be obtained; the number of plaintexts required increasing with the number of subrounds. Some attacks lead to complete recovery of the key (or the substitution boxes, in case the substitution boxes were key dependent). These attacks are based on a new technique employing certain generalizations of the birthday paradox. Usual birthday-like attacks (see e.g. [1],[8],[4],[6]) are based on requiring two random variables involved to be same. Usually, two such “coincidence” events are pairwise independent. Generalizations to more than one coincidence have been studied in [6],[5],[7]. In this paper we study coincidences which are much more dependent than previously considered. We employ the second moment method for our analysis.

188

Charanjit S. Jutla

We also note that if the exclusive-or operation above in the subround definition is replaced by an addition (modulo 2n ) operation, then these attacks do not work. However, if only some of the subrounds use the addition operation, the attacks are still possible.

2

Definitions

Let {0, 1}n denote all n bit strings. If x ∈ {0, 1}n then let xi denote the ith bit of x. Let x <<< t denote the string obtained by rotating x left by t bits. If x and y are two bit strings then x||y will denote their concatenation. Thus, if x and y are n bit strings, then (x||y) <<< n is (y||x). Let F n,m denote the class of all functions F : {0, 1}n→{0, 1}m. A random function F n,m is a function chosen uniformly from F n,m . If the function is oneto-one and n = m, then we call such a function a permutation. When n, m are clear from context we drop the superscripts. An adversary S is a function from bit strings to bit strings. Note that we are not defining complexity theoretic adversaries, as we will not concern ourselves to pseudo-randomness due to lack of space. Whenever the results can be generalized to pseudo-random functions, we will mention so. An oracle adversary is a function S ∈ F r,t which takes as parameter another adversary A ∈ F n1,n2 (A is called the oracle). However, S may not have full access to A, and may only be allowed certain invocations of A (called oracle queries). Thus, if the oracle adversary is allowed to make m oracle queries, then S(x) depends on (P1 , A(P1 ), ..., Pi , A(Pi ), ..., Pm , A(Pm )). Here Pi ∈ {0, 1}n1 and A(Pi ) ∈ {0, 1}n2 . P1 is determined by x, and Pi+1 is determined by P1 , A(P1 ),..., A(Pi ). Also, when A is the oracle, we will refer to the oracle adversary as S A . For (k ≥ 2), we define the operator Hk (or just H if k is understood) applied to a function f1 ∈ F n,(k−1)n to be a permutation Hk [f1 ] ∈ F kn,kn as follows: For all z = z1 ||...||zk , zi ∈ {0, 1}n , Hk [f1 ](z) = (z1 ||(f1 (z1 ) ⊕ (z2 ||...||zk ))) <<< n Sometimes it is convenient to view f1 as (k − 1) functions f11 , f12 , ...f1(k−1) , where f11 (z) is defined as the restriction of f1 (z) to the first n bits and so on (see Fig 1). Then, the above definition of Hk [f1 ] (in the case k=4) can be rewritten as: H4 [f1 ](z) = (f11 (z1 ) ⊕ z2 ||f12 (z1 ) ⊕ z3 ||f13 (z1 ) ⊕ z4 ||z1 ) The above transformation Hk [f1 ] is called one subround of the expanding unbalanced Feistel network. The function f1 is called the expanding substitution box. In a block cipher, this function can either be a fixed function xored with a secret key (as is the case in DES), or a function generated from a secret key. It is not difficult to see that Hk [f1 ] is a permutation. For d ≥ 2, the dsubround transformation is defined recursively: H[f1 , f2 , ...fd ](z) = H[fd ](H[f1 , ..fd−1 ](z)). A typical permutation Hk [f1 , ...fd ] will be denoted Fkd . Figure 1 shows a nine subround Feistel permutation F49 .

Generalized Birthday Attacks on Unbalanced Feistel Networks

M 01

f1

M 11

f2

M 21

M 61

f7

f3

189

M 91

f8

f9

f11 M 92

M 02 f12

M 93

M 03 f13 M 04

M 14

M 94

Fig. 1. An unbalanced Feistel network F49 Let S be an oracle adversary which outputs one bit and makes at most m oracle queries. The distinguishing probability of S for the operator Hk composed d times is |P rf1 ,f2 ,...fd [S H[f1 ,f2 ,...fd ] = 1] − P rF [S F = 1]|, where f1 , f2 , ...fd are uniformly chosen from F n,(k−1)n , and F is uniformly chosen from all permutations in F kn,kn . Probability Theory Basics For a random variable X its variance is defined as var[x] = E[(x − E[x])2 ] If X = X1 + ... + Xi + ... + Xm , where each Xi is a indicator random variable for certain event Ai (i.e. Xi = 1 if event Ai holds and Xi = 0 otherwise), then var[X] ≤ E[X] + Σi6=j cov[Xi , Xj ], where cov[Y, Z] = E[Y Z] − E[Y ]E[Z]. For indices i, j, write i ∼ j if i 6= j and the events Ai , Aj are not independent. Denote by 4 the following sum 4=

X

P r[Ai ∧ Aj ]

i∼j

Using Chebyschev’s inequality the following lemma can be proved (see e.g. [2]) Lemma 1: If E[X]→∞ and var[X] = o(E[X]2 ), then X > 0 almost always. It follows that if E[X]→∞ and 4 = o(E[X]2 ), then X > 0 almost always. This is also called the second moment method. The birthday paradox refers to the fact that if r objects are selected with replacement from a set of N objects, then two of the objects chosen will be same with probability tending to 1 − exp(−r2 /(2N )).

3

Generalized Birthday Attacks

Let Fkd be a d subround unbalanced Feistel network employing random subround functions f1 , ...fd (i.e. Fkd = H[f1 , ...fd ]). We show that for d = 3k −3 subrounds,

190

Charanjit S. Jutla

with about 2(k−1)n chosen plaintexts one can distinguish Fkd from a random permutation in F kn,kn with probability close to one. The total time required is O(n2(k−1)n ), and memory required is O(2(k−1)n ). For simplicity, we demonstrate the attack for F49 (see Fig 1). From now on we will refer to the Feistel permutation as F . For input M = (M01 ||M02 ||M03 ||M04 ), we use the following notation to denote intermediate values after each subround of F . After round j the intermediate value will be denoted (Mj1 ||Mj2 ||Mj3 ||Mj4 ). Recall that (M(j+1)1 ||M(j+1)2 ||M(j+1)3 ||M(j+1)4 ) = (f(j+1)1 (Mj1 ) ⊕ Mj2 || f(j+1)2 (Mj1 ) ⊕ Mj3 || f(j+1)3 (Mj1 ) ⊕ Mj4 ||Mj1 ). Of particular interest are the intermediate values Mj1 , as it is to this value that the next subround function is applied. We start with a pack of s chosen plaintexts with the same first n bits, i.e. keeping M01 constant. We will have a total of t different such packs (i.e. each pack having its distinguishing M01 value). Let M 1 and M 3 be two plaintexts in two different packs (wlog pack1 and pack2 respectively) such that 1 3 M11 = M11 (1) 2 If M and M 4 are plaintexts in pack1 and pack2 respectively such that 1 2 3 4 ⊕ M02 = M02 ⊕ M02 (2) M02 then it follows that 2 4 M11 = M11 (3) If we also require that 1 2 3 4 1 2 3 4 ⊕ M03 = M03 ⊕ M03 , and M04 ⊕ M04 = M04 ⊕ M04 (4) M03 then more good properties will follow. If, 1 2 = M21 (5) M21 then using the earlier equations it follows that 3 4 M21 = M21 (6) To see (6), note that M21 = f21 (M11 ) ⊕ f12 (M01 ) ⊕ M03 . If we take the xorsum of four of these equations (corresponding to the four texts involved), we get 1 2 3 4 ⊕ M21 ⊕ M21 ⊕ M21 =0 (7) M21 1 2 3 4 The RHS sums to zero because of (1), (3), (4), and M01 = M01 , M01 = M01 . Then, (6) follows from (5) and (7). Since the underlying subround functions are random, equation (1) holds with probability 2−n . Similarly, equation (5) holds with probability 2−n . It is not difficult to prove that (5) is independent of (1) and hence the combined probability of (1),(3),(5) and (6) is 2−2n . Figure 2 illustrates these and many more equalities which the adversary would require. The columns represent a particular plaintext. The rows represent the intermediate values. Two points are joined by an edge if the two values are equal. It is a solid edge if the equality happens with probability 2−n . It is a dotted edge if it follows conditionally with probability one (or if it is required by the adversary as part of the plaintext conditions). Edges between different 1 3 and M11 will be called cross edges. packs like the ones between M11 Let us restrict our attention to just the plaintexts M 1 and M 2 . The combined probability required by the equations in Figure 2 is 2−5n (it is not difficult to see

Generalized Birthday Attacks on Unbalanced Feistel Networks

pack2

pack1

2

1 M

191

M

M

3

4 M M 01

(1)

M 11 (3) (5)

(6)

M 21 M

31

M 41 M 51

M 61 M 71 M 81 M 92 M 93 M 94

Fig. 2. Attack on F49 that the events are independent, as the subround functions are independent). Let Xi be the indicator random variable of such an event. Let X be the sum of all Θ(s2 t) such random variables, as there are t packs, and each pack has s texts. The expected number of such events (E[X]) is Θ(s2 t2−5n ). We next show that var[X] = o(E[X]2 ). We just show that 4 = o(E[X]2 ). Let Xi and Xj be the indicator variables of two such events. Let us denote the plaintexts involved in the event (Xi = 1) by M 1 and M 2 , and the plaintexts ¯ 1 and M ¯ 2 . The subevents in the two events involved in the event (Xj = 1) by M are shown in Figure 3 by solid edges. Here, the two packs could be the same pack or different packs. If there are no cross edges then the combined probability of ¯ 1, M ¯ 2 } 6= φ, then the the two events is clearly 2−10n . Also, if {M 1 , M 2 } ∩ {M

192

Charanjit S. Jutla 1 M

2 M

M

1

M

2 M 01 M 11 M 21 M 31 M 41 M 51 M 61 M 71 M 81

Fig. 3. Two events

combined probability of the two events remains 2−10n . It can be shown that some of the solid edges can be made dotted edges by requiring two edges in each of ¯ 1 and the previous few subrounds (as in fig 2). For example, the edge between M 81 2 ¯ M81 can be made a dotted edge (i.e. conditional probability one) if there are two 1 2 1 2 ¯ 41 ¯ 41 edges in each of the rows M71 , M61 , and M51 , and M41 ⊕ M41 ⊕M ⊕M = 0. Moreover, this is the only way to make the edges dependent on other edges. Thus the probability of the event depicted in Figure 3 may be higher if conditions as in Figure 2 hold (i.e. cross edges in the rows M51 , M31 , M11 , and additional requirements on the plaintexts; or some such similar set of conditions). With additional requirements on the plaintexts, the combined probability can indeed be higher. There are a few cases: ¯ 1⊕M ¯ 2 = M 1 ⊕ M 2 : For Θ(s3 t2 ) such pair of events, the combined proba1. M bility is at most 3 ∗ 2−8n. This follows because by requiring a solid cross edge in each of the rows M11 , M31 and M51 , five solid edges among the columns ¯ 2 can be made dotted edges. The factor three comes from the ¯ 1 and M M different ways in which the cross-edges are organised. 1 2 1 2 ¯ 02 ¯ 02 ⊕M = M02 ⊕ M02 , and a similar relation for M04 : For Θ(s3 2n t2 ) such 2. M pair of events, the combined probabilty remains 2−10n . It may seem that by requiring a solid cross edge in each of the rows M11 , M31 and M51 , four solid ¯ 2 can be made dotted edges (in the ¯ 1 and M edges among the columns M ¯ 1 6= M ¯ 2 since rows M41 , M61 , M71 , M81 ). But under such conditions, M 21 21 1 2 1 2 ¯ 6= M ⊕ M . ¯ ⊕M M 03 03 03 03 3. As in the previous case, with relations only among M02 and M03 , the two events remain independent.

Generalized Birthday Attacks on Unbalanced Feistel Networks

193

Thus, as long as s ≈ 23n , it follows that 4 = o(E[X]2 ). Thus, if s = 23n , X > 0 with high probability (see Lemma 1). We now turn our attention to the whole event in Figure 2. Again, let Xi be the indicator variable of such an event. Let X be the sum of all Θ(s3 t2 ) such random variables. Note that we only have s3 t2 and not s4 t4 , as (2) and (4) have completely determined M 4 . Once again, E[X] = Θ(s3 t2 2−8n ). Once again we have to show that 4 = o(E[X]2 ). This is proved in a fashion similar to one mentioned in the previous two paragraphs. Thus, if s = 23n , such an event will happen with high probability. How does the adversary detect such an event? The four ciphertexts satisfy seven equations. Six of these are depicted by dotted edges in rows corresponding to M92 , M93 , M94 . Further, the following relation holds 1 2 3 4 M91 ⊕ M91 ⊕ M91 ⊕ M91 =0 (8) Thus the expected number of such events (noise) occurring in a random permutation over the plaintexts as supplied by the adversary is Θ(s3 t2 2−7n ). Thus, there is more noise than signal. However, this situation can be improved by adding more packs to Figure 2 (see Figure 4). Note that addition of each pack adds a factor of Θ(st2−3n ) to the expected number of events the adversary is interested in (essentially the cross edges are the only edges which will appear as additional solid edges). Thus, with s = 23n the probability of occurrence of such an event remains close to one. The factor added in the expected value of the noise is O(st2−4n ) (2−3n for the three edges in M92 , M93 , and M94 , and another 2−n for the relation among M91 similar to (8)). Thus, if there are a total of five packs involved, as shown in figure 4, the expected value of noise becomes O(s6 t5 2−19n ). If the adversary keeps s close to 23n and t a small constant, noise becomes insignificant. Hence the adversary will be able to distinguish F49 from a random permutation with high probability. Note that the adversary is also able to infer many relations involving the subround functions, the plaintexts and ciphertexts. If the number of subrounds are decreased further, the adversary can actually obtain almost all of the subround functions. We next look at the computational efficiency of the attack. By sorting each pack by its ciphertext values M92 , M93 , M94 one can determine in each pack about 23n pairs with the same M92 , M93 , M94 values. For each such pair i, j, j j j j i i i i ⊕ M91 , M02 ⊕ M02 , M03 ⊕ M03 , M04 ⊕ M04 , and again sort them by compute M91 these values. Next we look for equality of these values across five different packs out of t. The total time required is O(n23n ), and memory required is O(23n ). Of course, these attacks become much more effective in terms of time, memory and number of plaintexts required when the number of subrounds are fewer. It should be noted that if the subround functions are permutations (i.e. f11 etc. are permutations) then the equality in M81 is not possible. However, the adversary could achieve the same result by requiring in Figure 2 that the cross edges be in row M41 instead of row M31 (call this the modified attack). It should also be noted that if the xors are replaced by addition modulo 2n this attack does not seem to work, as it depended on obtaining equations like (7). However e.g., if

194

Charanjit S. Jutla

pack1

pack2

pack3

pack4

pack5 M 01 M 11 M 21 M

31

M 41 M 51 M 61 M 71 M 81 M 92 M 93 M 94

Fig. 4. A five pack attack on F94 M61 = f61 (M51 )⊕(f52 (M41 )⊕(f43 (M31 )+M21 )) and all other operations remain 1 1 xor, the modified attack still works. To see this, note that f43 (M31 ) + M21 = 2 2 f43 (M31 ) + M21 , and hence one still obtains 1 2 3 4 ⊕ M61 ⊕ M61 ⊕ M61 =0 M61 As a general rule in the case of Fk3k−3 (with 2(k−1)n plaintexts), we note that the birthday paradox allows for 2(k − 1) edges among intermediate values of M 1 and M 2 . However, because of the Feistel structure, the second moment method only allows for 2(k − 1) − 1 edges. The generalization presented here allows for additional (k − 1) cross edges. Also, the initial conditions take care of one subround, yielding an attack on (3k − 3) subrounds.

4

Lower Bound on Security of Fk2k

Theorem: Let f1 , f2 , ..., f2k be functions chosen randomly and uniformly from F n,(k−1)n , k ≥ 2. Let Fk2k = Hk [f1 , ...f2k ] be the unbalanced Feistel permutation. Then any oracle adversary S which makes m oracle queries has probability at most O(mk /2(k−1)n ) of distinguishing Fk2k from a permutation randomly and uniformly chosen from F kn,kn (distinguishing probability is defined in section 2). When k = 2, this theorem is related to the well known Luby-Rackoff Theorem [9]; both give a distinguishing probability bound of O(m2 /2n ), but we require four rounds whereas Luby-Rackoff requires three. We give a sketch of the proof for F36 , which is a generalization of the LubyRackoff proof (see [8]). Note that an obvious generalization of Luby-Rackoff would only yield a bound of O(m2 /2n ).

Generalized Birthday Attacks on Unbalanced Feistel Networks

195

Proof: We will write F for the permutation F36 . It suffices to show the result assuming that f62 is a constant function (say, ∀i : f62 (i) = 0). i i i , M62 , M63 represent the random variables corresponding to the outLet M61 put of F on oracle query i, i.e. i i i i i i ||M62 ||M63 ) = F (M01 ||M02 ||M03 ) (M61

M 01

M 11

M 21

M 31

M 41

f2

f3

f4

f5

f1

M 02

M12

f 32

M 51

M 61

f6

f 41

M 03

M 62 M 63

Fig. 5. An unbalanced Feistel network F36 We describe two algorithms, B and C, for computing the answers to the oracle queries of S, both taking f1 , f2 , f3 , f4 , f5 , f6 as input. We will denote f1 , f2 , f3 , f4 , f5 , f6 by f . Recall that f is a sequence of functions chosen randomly from F n,(k−1)n , and these functions are used in different rounds of F by the operator H. The algorithm B will define new random functions, namely φ32 , φ41 , φ42 , φ51 , φ52 , φ61 , and use them instead of f32 , ..., f61 respectively. We will show that these new functions are themselves uniformly and independently distributed. The answer of B on the ith oracle call will be denoted B i (f ) (similarly for C). The description of the algorithm B is given in Figure 6. The algorithm C i (f ) behaves exactly like B i (f ) except that its output is (f61 (i)||f41 (i)||f51 (i)). Thus, P rF [S F = 1] = P rf [S C(f ) = 1] where F is uniformly chosen from all permutations in F kn,kn . Proposition 1: P rf [S H[f ] = 1] = P rf [S B(f ) = 1] Proof: We first show that f11 , f12 , ..., f31 , φ32 (f ), ..., φ61 (f ) are uniformly and independently distributed, as far as the first m inputs are concerned. By induction it can be shown that (e.g.) in the definition of φ61 (f )(i), the random variable f61 (i) (random variable f52 (i)) has never been used before in the definition of any φ, if g i = i (resp. g i 6= i). Even though φ61 (f )(i) is never used by B (while computing M61 ) if g i 6= i, it is important to define it so that φ61 turns out to be uniformly and independently distributed. Then the above claim follows as the role of these new functions in B is the same as that of the old functions in H. 2

196

Charanjit S. Jutla

i i i Oracle computation B i (f ) on input (M01 ||M02 ||M03 ) j i = M01 } Let ai (f ) = min{j ≤ i : M01 i i M11 (f ) = M02 (f ) ⊕ f11 (ai (f )), j i Let bi (f ) = min{j ≤ i : M11 = M11 } i i (f ) = M12 (f ) ⊕ f21 (bi (f )), M21 j i Let ci (f ) = min{j ≤ i : M21 = M21 } i i M31 (f ) = M22 (f ) ⊕ f31 (ci (f ))

i i M12 (f ) = M03 (f ) ⊕ f12 (ai (f )) i i M22 (f ) = M01 (f ) ⊕ f22 (bi (f ))

j i Let di (f ) = min{j ≤ i : M31 = M31 } i if (di = i) M11 (f ) ⊕ f32 (i) φ32 (f )(i) = i i i M11 (f ) ⊕ f32 (d ) ⊕ f41 (d ) ⊕ f41 (i) otherwise i i M32 (f ) = M11 (f ) ⊕ φ32 (f )(ci (f )) i M32 (f ) ⊕ f41 (i) if (di = i) φ41 (f )(i) = i (f ) ⊕ f32 (i) otherwise M32 i i M41 (f ) = M32 (f ) ⊕ φ41 (f )(di (f )) j i Let ei (f ) = min{j ≤ i : M41 = M41 } i if (ei = i) M21 (f ) ⊕ f42 (i) φ42 (f )(i) = i i i M21 (f ) ⊕ f42 (e ) ⊕ f51 (e ) ⊕ f51 (i) otherwise i i M42 (f ) = M21 (f ) ⊕ φ42 (f )(di (f )) i M42 (f ) ⊕ f51 (i) if (ei = i) φ51 (f )(i) = i M42 (f ) ⊕ f42 (i) otherwise i i M51 (f ) = M42 (f ) ⊕ φ51 (f )(ei (f )) j i Let g i (f ) = min{j ≤ i : M51 = M51 } i if (g i = i) M31 (f ) ⊕ f52 (i) φ52 (f )(i) = i i i M31 (f ) ⊕ f52 (g ) ⊕ f61 (g ) ⊕ f61 (i) otherwise i i M52 (f ) = M31 (f ) ⊕ φ52 (f )(ei (f )) i M52 (f ) ⊕ f61 (i) if (g i = i) φ61 (f )(i) = i M52 (f ) ⊕ f52 (i) otherwise i i M61 (f ) = M52 (f ) ⊕ φ61 (f )(g i (f )) i i M62 (f ) = M41 (f ) - since we assumed f62 = 0 i i i (f )||M62 (f )||M51 (f )) Output of B i (f ): (M61

Fig. 6. Definition of algorithm B

We next show that P rf [S B(f ) 6= S C(f ) ] ≤ m3 /22n from which the theorem follows.

Generalized Birthday Attacks on Unbalanced Feistel Networks

197

We say that f is preserving if with adversary using C as oracle, for all i ∈ [1..m] the following three conditions hold (from now on we will drop f whenever it is clear from context) i

1. (g i = i) or ((ei = i) and (eg = g i )) i 2. (ei = i) or ((di = i) and (de = ei )) i 3. (di = i) or ((ci = i) and (cd = di )) Proposition 2: If f is preserving then S B(f ) = S C(f ) . i = f61 (i). Proof: If f is preserving, we show that M61 i i i i If g = i, then M61 = f61 (i). Otherwise, M61 = M52 ⊕ φ61 (g i ). Now, since i gi gi i i i i g = g , φ61 (g ) = M52 ⊕ f61 (g ). Moreover e = i, and eg = g i because f is preserving. Thus, i

i

g g i i M52 ⊕ M52 = (M31 ⊕ φ52 (i)) ⊕ (M31 ⊕ φ52 (g i ))

= (f52 (g i ) ⊕ f61 (g i ) ⊕ f61 (i)) ⊕ (f52 (g i )) = f61 (i) ⊕ f61 (g i ) i = f61 (i). It follows that M61 i i = f51 (i), and M41 = f41 (i). Similarly, it can be shown that M51 The proposition then follows by a simple induction, as the internal computations of B and C are the same. 2 It remains to bound the probability of f not being preserving. Since the output of C is independent of f11 , f12 , f21 , f22 , f31 , f32 , under the use of oracle C, all query-inputs used by S are also independent of f11 , f12 , f21 , f22 , f31 , f32 . (4) We first bound the probability (p1) of ∃i ∈ [1..m] not ((di = i) or ((ci = i) i and (cd = di ))). Without loss of generality, assume that no two oracle queryinputs are same. We calculate the probability of (i) (di = j) and (ci = k) , i > j, i > k, (ii) (di = j) and (cj = k), i > j > k. i k i Now, ci = k implies M21 = M21 , which is same as M03 ⊕ f12 (ai ) ⊕ f21 (bi ) = k k k i k i k i k is not possible, M03 ⊕ f12 (a ) ⊕ f21 (b ). If a = a , and b = b then M03 = M03 i i k i k and hence c 6= k. If either a 6= a , or b 6= b , then by (4) the equality holds with probability 2−n . j i Similarly, di = j implies M01 ⊕ f22 (bi ) ⊕ f31 (ci ) = M01 ⊕ f22 (bj ) ⊕ f31 (cj ). Again, if either bi 6= bj , or ci 6= cj , then by (4) the equality holds with probability 2−n . By (4) this event is also independent of ci = k. Thus the probability of (i) is at most 2−2n . Similarly, the probability of (ii) is at most 2−2n . Thus, p1 = O(m3 /22n ). Next we bound the probability (p2) of ∃i ∈ [1..m] not ((ei = i) or ((di = i) i and (de = ei ))). Again, we calculate the probability of (i) (ei = j) and (di = k) , i > j, i > k, (ii) (ei = j) and (dj = k), i > j > k.

198

Charanjit S. Jutla

We first assume that for all i ∈ [1..m] condition (3) holds. Then, just as in the i proof of proposition 2, it can be shown that M41 = f41 (i). Thus, the probability of ei = j is 2−n . We already know the bound on probability of di = k, from the previous step. Moreover, ei = j is also independent of di = k. Thus, given condition (3) for all i, p2 is bounded by O(m3 /22n ). i The probability (p3) of ∃i ∈ [1..m] not ((g i = i) or ((ei = i) and (eg = g i ))) (given that (2) and (3) hold for all i) is again bounded by (O(m3 /22n ). 2

5

Conclusion

In this paper we have initiated the study of expanding unbalanced Feistel networks. However, further research is required to better our understanding of these and other such networks. In particular, there seems to be scope for further improvement in the security lower bounds for the expanding Feistel networks. We conjecture that any adversary which distinguishes Fk2k from a random permutation using chosen plaintext attacks requires Ω(2(k−1)n/2 ) chosen plaintexts. Since the attacks shown on unbalanced Feistel networks Fk work only for 3k − 3 and fewer subrounds, the natural question arises as to the applicability of these or similar approaches to more subrounds. Another interesting problem is to use differential characteristics in these attacks, especially if the characteristics are uniform in nature. In a similar vein, networks in which the xor operations are replaced by modular addition, or other invertible operations (e.g. data dependent rotation) need to be studied.

Acknowledgments The author would like to thank Don Coppersmith for carefully reading the paper, and for several helpful suggestions. The author would also like to thank Pankaj Rohatgi for helpful discussions.

References 1. W. Aiello, R. Venkatesan, Foiling birthday attacks in length-doubling transformations, Eurocrypt 1996, LNCS 1070. 187 2. N. Alon, J.H. Spencer, The probabilistic method, John Wiley and Sons, 1992. 189 3. FIPS 46, Data Encryption Standard, Federal Information Processing Standards Publication 46, U.S. Department of Commerce/N.I.S.T., National Technical Information Service, Springfield, Virginia, 1977. 187 4. D. Coppersmith, Another Birthday attack, Advances in Cryptology, Crypto 1985. 187 5. D. Coppersmith, Luby-Rackoff: Four rounds is not enough, IBM Research Report, RC20674, Dec. 96. 187 6. M. Girault, R. Cohen, M. Campana, A Generalized birthday attack, Eurocrypt 1988, LNCS 330. 187, 187

Generalized Birthday Attacks on Unbalanced Feistel Networks

199

7. L. Knudsen, X. Lai, B. Preneel, Attacks on fast double block length hash functions, J. of Cryptology, 1998, 11:59-72. 187 8. M. Luby, Pseudorandomness and cryptographic applications, Princeton University Press, 1996. 187, 194 9. M. Luby and C.Rackoff, How to construct pseudorandom permutations from pseudorandom functions, SIAM J.of Comp., 17, pp.373–386, 1988. 187, 187, 194 10. J. Patarin, About Feistel Schemes with Six (or More) Rounds, Proc. Fast Software Encryption, March 1998. 187 11. R. Anderson, E. Biham, Two Practical and Provably Secure Block Ciphers: BEAR and LION, 1996 Workshop on Fast Software Encryption. 186 12. B. Schneier, J. Kelsey, Unbalanced Feistel Networks and Block-Cipher Design, Fast Software Encryption, Third International Workshop Proceedings (February 1996), Springer-Verlag, 1996, pp. 121-144. 186, 186 13. Moni Naor, O. Reingold, On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited, Proc. STOC 97 187

Quadratic Relation of S-box and Its Application to the Linear Attack of Full Round DES Takeshi Shimoyama1 and Toshinobu Kaneko2 1

TAO (Telecommunications Advancement Organization of Japan) 1-1-32 Shin’urashima-cho, Kanagawa-ku, Yokohama, 221 Japan [email protected] 2 Science University of Tokyo 2641 Yamazaki, Noda-shi, Chiba, 278 Japan [email protected]

Abstract. In this paper, we derive 7 quadratic relations over GF (2) from the input and output bits of the S-boxes of DES. We apply one of those to an improved linear attack of full round DES. We describe an improved algorithm by combining the non-linear approximation method proposed by Knudsen and Robshaw, and the multiple approximation method proposed by Kaliski and Robshaw. This improvement can reduce the number of required plaintexts and ciphertexts pairs to 25/34 (73.5 %) of those number of pairs 243 required in the linear attack by Matsui.

1

Introduction

It is well known that there is no linear relation between the input and output bits of each S-box of DES [Hel76,Bra77]. On the other hand, by representing Sboxes as Boolean polynomials [Sch82,Dav83,Way92,SAM97], it is easy to derive some algebraic relations of the input and output bits of S-boxes. We know that the degrees of these polynomials are less than or equal to 6, so there are algebraic relations of S-boxes with degree less than or equal to 6. Thus, the following problem may be natural to consider; what is the smallest degree of all algebraic relations of the S-boxes, and how are the algebraic relations which have the smallest degree represented? It can be shown that there is an algebraic relation over GF (2) which has degree 3 in all S-boxes, so the above question is rewritten as follows; does there exist a quadratic relation? This paper shows that there are 7 quadratic relations of S-boxes S1 , S4 and S5 of DES; they can be derived by calculating the Gr¨ obner bases of S-boxes with respect to the degree reverse lexicographic order in the Boolean polynomial ring. We apply one of these quadratic relations to improve the linear cryptanalysis offered by Matsui [Mat93]. In 1993, Matsui succeeded in recovering the secret key of the 16-round DES by using linear cryptanalysis in computational experiments [Mat94]. His main idea was the approximation of the S-boxes by linear relations. He recovered the key of 16-round DES by using 243 pairs of plaintext and ciphertext, which took 50 days. Since then, some theoretical and practical enhancements or extensions to linear cryptanalysis have been proposed [LH94,KR94,KR96,THHK98]. Kaliski and H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 200–211, 1998. c Springer-Verlag Berlin Heidelberg 1998

Quadratic Relation of S-box and Its Application to the Linear Attack

201

Robshaw proposed an algorithm using multiple linear approximations [KR94]. They applied it to small-round versions of DES to confirm its performance. As an example, they tried the 1-R attack and 2-R attack of 7-round DES, and succeeded to reduce the number of required texts. On the other hand, Knudsen and Robshaw proposed an algorithm using non-linear approximation [KR96]. They considered whether the linear approximations can be replaced with non-linear approximations. They constructed relatively simple non-linear approximations whose absolute bias are larger than that of the best linear approximation to S-box S5 , and adopted to 5-round DES. However, their techniques do not seem to offer any significant advantage over the existing attack to full round DES. In this paper, we deal with derived quadratic relations of the round function of DES, like non-linear approximations, whose probabilities are 1. By using one of the quadratic relations, we construct an improved linear attack algorithm for full round DES. We combine the non-linear approximations method and the multiple approximations method. This improvement can reduce the number of plaintexts and ciphertexts to 25/34 (73.5 %) of the 243 pairs required in Matsui’s attack.

2

Deriving the Algebraic Relations of S-Boxes

In [Sch82,Dav83,Way92,SAM97], the polynomial expressions of the S-boxes of DES in the Boolean polynomial ring over GF (2) were constructed. At first we summarize the notion of the Boolean polynomial ring. The Boolean polynomial ring over GF (2) with n variables t1 , ..., tn is defined by the following quotient ring of the polynomial ring GF (2)[t1 , ..., tn ]/Id(t21 + t1 , ..., t2n + tn ),

(1)

where Id(t21 + t1 , ..., t2n + tn ) is the ideal generated by the fundamental relations t21 + t1 = 0, ..., t2n + tn = 0 of Boolean variables t1 , ..., tn . Now we review how to obtain representations of the input and output bits of S-boxes in Boolean polynomial. For example, since the output of S-box S1 corresponding to input 4 (= (0,0,0,1,0,0)) is 13 (= (1,1,0,1)) (Figure 1), we have the following algebraic relation of input Boolean variables x1 , ..., x6 and output Boolean variables y1 , ..., y4 . (x1 + 1)(x2 + 1)(x3 + 1)(x4 + 0)(x5 + 1)(x6 + 1) ((y1 + 0)(y2 + 0)(y3 + 1)(y4 + 0) + 1) = 0

(2)

Since there is an algebraic relation corresponding to each input from 0 to 63, we have 64 algebraic relations for each S-box which are similar to equation (2). In commutative algebra, the technique of Gr¨ obner basis is well-known as a basic tool [Bec93]. By using this technique, we can obtain another representation of these algebraic relations. For example, we can obtain the representation of each obner output bit yi by the polynomial of input bits x1 , ..., x6 by computing the Gr¨ basis with respect to the lexicographic order of the sum set of polynomials in the

202

Takeshi Shimoyama and Toshinobu Kaneko

Fig. 1. S-box S1 of DES y 1 y 2 y 3 y 4

1 1 0 1

S1

0 0 0 1 0 0

x 1 x 2 x 3 x 4 x 5 x 6

Table 1. The number of the quadratic and cubic relations of the S-boxes S-box S1 S2 S3 S4 S5 S6 S7 S8 quadratic 1 0 0 5 1 0 0 0 cubic 103 112 112 75 103 112 112 112

above 64 algebraic relations and the fundamental relations x21 + x1 = 0, ..., y42 + obner basis1 in y4 = 0 of all Boolean variables [SAM97]. We compute the Gr¨ order to obtain algebraic relations which have much smaller degrees of S-boxes. With reference to the problem of the degree of the algebraic relations of S-boxes, we have the following lemma. Lemma 1 1. There is no linear relation for all S-boxes. [Hel76,Bra77]. 2. There is a cubic (that is, it has degree 3) algebraic relation for each S-box. (See Appendix A.) Does there exists a quadratic (that is, it has degree 2) algebraic relation of each S-box? In order to see that, we can use the reduced Gr¨ obner basis. By using the reduced Gr¨ obner basis with respect to the degree reverse lexicographic order, we can obtain all algebraic relations of each S-box which are linearly independent over GF (2). Table 1 shows the number of quadratic and cubic polynomials in the reduced Gr¨obner basis of the Boolean algebraic relations of S-boxes as derived above with respect to the degree reverse lexicographic order. From Table 1, we know that there are 7 quadratic relations of S-boxes in total. All quadratic relations are given in Appendix B. Now we pay attention to the quadratic relation corresponding to the S-box S5 : (x1 , x2 , x3 , x4 , x5 , x6 ) → (y1 , y2 , y3 , y4 ) as follows. x1 y1 + x1 y2 + x1 y3 + x1 y4 + x2 y1 + x2 y2 + x2 y3 +x2 y4 + x2 x1 + x5 y1 + x5 y2 + x5 y3 + x5 y4 + x5 x2 +y1 + y2 + y3 + y4 + x1 + x2 + x5 + 1 = 0 1

(3)

In order to compute the Gr¨ obner Basis over GF (2), we used the computer algebra system Risa/Asir developed by Fujitsu LABORATORIES LTD. [Nor92].

Quadratic Relation of S-box and Its Application to the Linear Attack

203

It can be factorized into the polynomial as follows2 . (y1 + y2 + y3 + y4 + x2 + 1) · (x1 + x2 + x5 + 1) = 0

(4)

It is surprising that, in the first factor of the left side of the polynomial (4), there is the best linear approximation (5) with bias 5/16 corresponding to the input and output bits of S5 discovered by Matsui [Mat93]. y1 + y2 + y3 + y4 + x2 = 0

(5)

In the remaining part of this paper, we will try to apply the quadratic relation (4) for improving the linear attack of 16-round DES.

3

Application to Non-Linear Cryptanalysis

We denote the sum of the coordinates from i1 to ij by X[i1 , i2 , . . . , ij ] for each vector X ∈ GF (2)n . In particular, we denote the i-th coordinate of X by X[i]. We can easily extend the algebraic relation (4) to the algebraic relation of i-th round function Fi : (Xi , Ki ) → Fi (Xi , Ki ) as follows; A∗ :

(Fi [3, 8, 15, 24] + Xi [17] + Ki [26] + 1) ·(Xi [16, 17, 20] + Ki [25, 26, 29] + 1) = 0,

(6)

where Xi ∈ GF (2)32 is an input of i-th round and Ki ∈ GF (2)48 is a i-th round key of the round function Fi . In [KR96], Knudsen and Robshaw tried to apply the following non-linear approximations of S-boxes S5 in order to raise the bias of best linear approximation of 5-round DES. Each non-linear approximation has bias 24/64, 18/64, respectively. A 0 : y1 + y2 + y3 + y4 = x2 + x1 x2 + x1 x5 + x2 x6 + x5 x6 + x1 x2 x6 + x1 x5 x6 D 0 : y1 + y2 + y3 = x2 + x4 + x1 x4 + x1 x6 + x2 x4 + x2 x6 + x1 x2 x4 + x1 x2 x6

(7)

By replacing linear approximation with these non-linear approximations, we can raise the bias 2.26 times more than those of linear approximation of 5-round DES, which reduces the number of plaintexts and ciphertexts pairs required for recovering one bit of key information of 5-round DES. They tried to recover more key bits using Matsui’s 1-round and 2-round elimination method. They said, however, their techniques do not seem to offer any significant advantage over the basic attack. In the above, we derived the quadratic representation (6) of the round function. In the first factor of equation (6), we can find the following best linear 2

Because the Boolean polynomial ring is not a unique factored domain, each polynomial in the ring may have another factorized form. In fact, polynomial (3) can be factorized into another form (y1 + y2 + y3 + y4 + x1 + x5 + 1) · (x1 + x2 + x5 + 1) = 0.

204

Takeshi Shimoyama and Toshinobu Kaneko

approximation A for the i-th round function Fi with the absolute valued bias of 5/16 that appeared in [Mat93]. A:

Fi [3, 8, 15, 24] + Xi [17] + Ki [26] = 0

(8)

Matsui derived the following linear approximation (9) for 16-round DES by using best linear approximation of 14-round A-ACD-DCA-ACD- whose bias is p14 = 1.19 · 2−21 which is a concatenation of the three linear approximations A,C,D of the round function [Mat93], Pr [3, 8, 14, 25] + Pl [17] + Cl [8, 14, 25] + F1 (Pr , K1 )[17] +F16 (Cr , K16 )[8, 14, 25] = K2 [26] + K4 [26] + K5 [4] + K6 [26] +K8 [26] + K9 [4] + K10 [26] + K12 [26] + K13 [4] + K14 [26],

(9)

where Pl , Pr are left and right halves of plaintext and Cl , Cr are left and right halves of ciphertext, respectively. Since A∗ is a non-linear approximation with bias 1/2, we obtain the following non-linear approximation A∗ -ACD-DCA-ACD- of 16-round DES by replacing the linear approximation A with quadratic relation A∗ which has higher bias than (9). (Pr [3, 8, 14, 25] + Pl [17] + Cl [8, 14, 25] + F1 (Pr , K1 )[17] +F16 (Cr , K16 )[8, 14, 25] + K2 [26] + K4 [26] + K5 [4] + K6 [26] +K8 [26] + K9 [4] + K10 [26] + K12 [26] + K13 [4] + K14 [26] + 1) ·(Pl [16, 17, 20] + F1 (Pr , K1 )[16, 17, 20] + K2 [25, 26, 29] + 1) = 0

(10)

The bias of non-linear approximation (10) is higher than (9). We may not, however, be able to use (10) directly in order to reduce the number of required plaintexts and ciphertexts for recovering the effective key bits of 16-round DES, involved in (10), because the numbers of effective text bits and effective key bits involved in (10) become much larger than those in (9). In the next section, we will apply (10) to the multiple approximations to avoid this problem.

4

Application to Multiple Approximations Method

In the previous section, we showed the non-linear approximation (10) of 16-round DES. The numbers of effective text bits and effective key bits corresponding to (10) are 24 and 26. We think it is not efficient to derive all 26 effective key bits at once, because the size of counter table corresponding to the effective keys is quite large. In order to avoid this problem, we deal with each factor in (10) independently. The following equation is the second factor of (10). Pl [16, 17, 20] + F1 (Pr , K1 )[16, 17, 20] = K2 [25, 26, 29]

(11)

When (11) holds, the bias of (9) changes to 0 = (1/2)/(5/16)p14 = 8/5p14 . When (11) does not hold, it changes to 1 = 2 · (1 − (8/5)/2)p14 = 2/5p14. Thus,

Quadratic Relation of S-box and Its Application to the Linear Attack

205

we deal with the linear approximation (9) as two linear approximations; one is when the equation (11) holds, and the other is when it does not hold. Let N be the number of plaintexts and ciphertexts pairs. T0 (, T1 ) be the number of plaintexts and ciphertexts pairs such that the left side of equation (9) is equal to 0 and the equation (11) holds (, does not holds). We calculate the statistic U = a0 T0 + a1 T1 for some weights a0 a1 such that a0 + a1 = 2. For maximizing the distance between N/2 and the average E[U ] in terms of the standard deviation σU , we use Lemma 2. Lemma 2 (Kaliski and Robshaw [KR94) ] The distance |N/2 − E[U ]|/σU is maximized for given N when the weights ai are proportional to the biases of the linear approximations. From Lemma 2, we conclude that the best choices of the weights are a0 , a1 such that a0 : a1 = 0 : 1 = 4 : 1. Lemma 3 (Kaliski and Robshaw [KR94) ] The success rate of the algorithm with optimal weights ai with respect to the biases i is s P ! √ 2i P . (12) Φ 2 N 1 − 4 2i Lemma 3 tells us that the success rate of original attack with N plain texts is the same as that of the improved attack with N 0 plaintexts as long as the following relation holds. On the assumption of random input, we can assume that the number of times of holding the equation (11) is N 0 /2. r s √ N0 (8/5p14 )2 + (2/5p14 )2 = 2 2 N p14 (13) 2 1 − 4((8/5p14 )2 + (2/5p14 )2 ) This is equivalent to N0 =

25 34

68 25 1 − 4 · p14 · N ≈ N = 0.735 · N. 25 34

(14)

Therefore, we can reduce the number of pairs to 73.5 % by using our attack.

5

Improved Algorithm for Attacking 16-Round DES

In this section, we show the improved attack algorithm for 16-round DES. It still requires a large number of effective texts and effective keys in equations (9) and (11). In order to minimize the work spent in processing the data, we divide the algorithm into two parts. The first part is Matsui’s original attack (part 1, 2, 3). The second is an improved part which replaces the exhaustive key search part in Matsui’s attack with multiple approximations (part 4, 5, 6).

206

Takeshi Shimoyama and Toshinobu Kaneko

1 Compute plaintexts and ciphertexts pairs and count up the effective text bits of equation (9) and (11). 2 Count up the counters in the set K corresponding to effective key bits of (9) if the left side of (9) is zero. 3 Sort the effective keys of (9) using the counters K in order of reliability. 4 For the most reliable effective key of (9) when the right hand of (9) is zero, count up the counters in the set H0 corresponding to effective key bits of (11), with bias 4 or 1 by whether the left hand of (11) is zero or not, respectively, count up counters in the set H1 with bias 1 or 4, respectively, in the same way as H0 . 5 Sort the effective keys of (11) using the counters H0 and H1 in order of reliability. 6 From the most reliable effective keys of (9) and (11), search for the remaining key bits. In [Mat94], the effective text and key bits of (9) are shown. The 13 effective text bits of the left half of equation (9) are Pr [32], Pr [1], ..., Pr [5], Pr [16], ..., Pr [21], Pr [3, 8, 14, 25]+Pl[17]+Cl [3, 8, 14], (15) and the 12 effective key bits of left half of equation (9) are K1 [1], ..., K1 [6], K1 [25], ..., K1 [30].

(16)

The 11 effective text bits of (11), if the key bits in (16) are fixed, are Pl [16, 17, 20], Pr [8], ..., Pr [17],

(17)

and the 13 effective key bits of (11) if the key bits in (16) are fixed are K1 [13], ..., K1 [24], K2 [25, 26, 29].

(18)

Moreover, we can use another approximation replacing the plaintexts P and ciphertexts C in (9) and (11), similarly. In our algorithm, we prepare a counter corresponding to the effective keys of equation (9) in the first part whose size is 12 bits long, and those of equation (11) in the second part whose size is 13 bits long. Thus, we can reduce the total size of effective key counter from 2 × 225 to 2 × (212 + 213 ) by using the improved algorithm.

6

The Computer Experiments

In this section, we show the results of computer experiments. Detail of the algorithm is shown in Appendix C. In order to estimate the complexity of our improved attack on 16-round DES, we consider the attack of 8-round DES by using plaintexts and ciphertexts pairs whose number is 1.49 · 25/34 · 217 = 1.09 · 217 ,

(19)

Quadratic Relation of S-box and Its Application to the Linear Attack

207

Table 2. Complexity and success rate of attacks on 16-round DES (%)

complexity (1) (2) (3)

237 47.9 24.7 50.1

238 54.9 30.3 54.4

239 62.0 36.6 61.3

240 68.7 44.1 68.2

241 74.3 52.2 75.1

242 81.4 60.5 81.3

243 86.6 68.8 86.8

244 90.9 76.2 91.2

(1) : The original algorithm with 243 pairs. (2) : The original algorithm with 25/34 · 243 pairs. (3) : Our improved algorithm with 25/34 · 243 pairs.

which is equivalent to the attack of 16-round DES using 25/34 · 243 pairs. Our computer experiments recovered the all round keys 10,000 times. Table 2 shows the comparison of the complexity and the success rate of the Matsui’s original algorithm and our improved algorithm. We also conducted a computer experiment of recovering all round keys of full round DES using 25/34 × 243 pairs by our improved algorithm. The computer environments we used are 16 Sun workstations (Ultra SPARC 167MHz × 14 and 200 MHz × 2)3 and a DEC workstation (Alpha 21164A 500MHz). By using the above machines and by implementing the algorithms in a bitslice manner [Bih97,NM97,SAM97] with Kwan’s instructions sets of S-boxes [Kwa98]4 , we achieved 1.14 Gbps in total5 . It took about 6 days to compute all pairs of plaintexts and ciphertexts, 44 seconds for arranging the order of the key bits and about 4 hours for exhaustive key search (= about 237 times of encryption). In total, we could recover the all key bits in less than 7 days.

7

Concluding Remarks

In this paper, we derived the 7 quadratic relations of S-boxes. We used one of those quadratic relations for improving the linear cryptanalysis with 2-round elimination method proposed by Matsui. We constructed an improved algorithm for attacking 16-round DES which is a combination of the non-linear apprximation method and multiple approximation method. Moreover, we showed an effective algorithm that consisted of two parts to reduce the size of counter table of effective keys and minimizing the effort in processing the data. Overall, we could reduce the number of required plaintexts and ciphertexts pairs to 25/34 = 73.5 % of that demanded by Matsui’s original attack for recovering the key of 16round DES. From computer experiments, when we attack 16-round DES with 25/34 · 243 pairs, the probability of finding the secret key equals that of Matsui’s original attack. 3 4 5

These workstations construct the parallel computer AP3000 with 16 nodes developed by FUJITSU LTD. For calculating one S-box, 51 instructions are required on average. Ultra SPARC 167MHz : 51 Mbps, 200MHz : 62 Mbps, Alpha 500MHz : 336 Mbps

208

Takeshi Shimoyama and Toshinobu Kaneko

References Bec93. T. Becker, V. Weispfenning., “Gr¨ obner Bases.” Springer-Verlag, New York, (1993). 201 Bih97. E. Biham., “A Fast New DES Implementation in Software,” FSE’97, LNCS 1267, pp. 245–251, (1997). 207 Bra77. D. Branstead, J. Gait, S. Katzke., “Report of the workshop on cryptography in support of computer security,” National Bureau of Standards, Sept, 21-22 1976, NBSIR 77-1291, Sept. (1977). 200, 202 Dav83. M. Davio, Y. Desmedt, M. Fosseprez, R. Govaerts, J. Hulsbosch, P. Neutjens, P. Piret,J. Quisiquater, J. Vandewall, P. Wouters., “Analytical charactersitics of the DES,” CRYPTO’83, (1984). 200, 201 Hel76. M. Hellman, R. Merkel, R. Schroeppel, L. Washington, W. Diffie, P. Schweiter., “Results of an initial attempt to cryptanalyze the NBS data encryptoion standard,” SEL 76-042, Stanford Univ. (1976). 200, 202 KR94. B. Kaliski, and M. Robshaw., “Linear Cryptnalysis Using Multiple Approximations,” CRYPTO’94, LNCS 839, pp. 26–38, (1994). 200, 201 KR96. L. Knudsen, M. Robshaw., “Non-Linear Approximations in Linear Cryptanalysis,” Eurocrypt’96, LNCS 1070, pp. 224–236, (1996). 200, 201, 203 Kwa98. M. Kwan., ”Bitslice DES,” http://www.cs.mu.oz.au/~mkwan/bitslice, 12 May, (1998). 207 LH94. S. Langford, M. Hellman., “Differential-Linear Cryptanalysis,” CRYPTO’94, LNCS 839, pp. 17–25, (1994). 200 Mat93. M. Matsui., “Linear Cryptanalysis Method for DES Cipher,” Eurocrypt’93, LNCS 765, pp. 386–397, (1993). 200, 203, 204, 204 Mat94. M. Matsui., “The First Experimental Cryptanalysis of the Data Encryption Standard,” CRYPTO’94, LNCS 839, pp. 1–11, (1994). 200, 206 NM97. J. Nakajima, M. Matsui., “Fast Software Implementation of MISTY on Alpha Processors,” Proceedings of Korea-Japan joint workshop on information security and cryptology, pp. 55–64, (1997). 207 Nor92. M. Noro, T. Takeshima., “Risa/Asir – a computer algebra system,” Proceedings of ISSAC ’92, ACM Press, pp. 387-396, (1992). (anonymous ftp from ftp://endeavor.fujitsu.co.jp/pub/isis/asir) 202 Sch82. I. Schaumuller-Bichl., “Cryptanalysis of the Data Encryption Standard by method of formal coding,” Proceedings of the workshop on cryptography, LNCS 149, pp. 235–255, (1982). 200, 201 SAM97. T. Shimoyama, S. Amada, S. Moriai., “Improved Fast Software Implementation of Block Ciphers,” Proceedings of ICICS’97, LNCS 1334, pp. 269–273, (1997). 200, 201, 202, 207 Sti95. D. Stinson., “Cryptography : Theory and Practice,” CRC Press Inc., (1995). THHK98. M. Takeda, T. Hamade, K. Hisamatsu, T. Kaneko., “Linear Cryptanalysis by Linear Sieve Method,” IEICE Trans., Vol.E81-A,No.1, pp. 82–87, (1998). 200 Way92. P. C. Wayner., “Content-Addressable Search Engines and DES-like Systems,” CRYPTO’92, LNCS 740, pp. 575–586, (1992). 200, 201

Quadratic Relation of S-box and Its Application to the Linear Attack

209

Appendix A. Proof of Lemma 1 (2) For each S-box Si : (x1 , x2 , x3 , x4 , x5 , x6 ) → (y1 , y2 , y3 , y4 ), there are Boolean polynomial representations in input bits x1 , x2 , x3 , x4 , x5 , x6 of output bits y1 , . . ., y4 as follows.  y1 = f1 (x1 , ..., x6 )    y2 = f2 (x1 , ..., x6 ) (20) y3 = f3 (x1 , ..., x6 )    y4 = f4 (x1 , ..., x6 ) From these Boolean polynomials, we obtain the following algebraic relations. xi yj = xi fj (x1 , ..., x6 ) (i ∈ {1, ..., 6}, j ∈ {1, ..., 4})

(21)

The number of these polynomials in (20) and (21) is 28 (= 4 + 4 × 6). It is easy to see that the right halves of these Boolean polynomials in (20) and (21) have degrees at most 6, and these polynomials are linearly independent over GF (2). Since the number of terms with degree more than 3 in a Boolean polynomial with 6 variables are 22 (= 15 + 6 + 1), we can eliminate the terms with degree more than 3 from these algebraic relations.

Appendix B. All Quadratic Relations of S-Boxes We label the input and output bits to S-box as follows. Si : (x1 , x2 , x3 , x4 , x5 , x6 ) → (y1 , y2 , y3 , y4 ) S1 : • x2 x1 + x3 x2 + x4 x2 + x5 x2 + x6 x2 + y1 x1 + y1 x2 + y1 x3 + y1 x4 + y1 x5 + y1 x6 + y2 x1 + y2 x2 + y2 x3 + y2 x4 + y2 x5 + y2 x6 + y3 x1 + y3 x2 + y3 x3 + y3 x4 + y3 x5 + y3 x6 + y4 x1 + y4 x3 + y4 x4 + y4 x5 + y4 x6 + y4 y1 + y4 y2 + y4 y3 + x1 + x2 + x3 + x4 + x5 + x6 + y1 + y2 + y3 + y4 + 1 = 0, S4 : • x3 x1 + x5 x1 + x5 x3 + y1 x3 + y1 x5 + y2 x3 + y2 x5 + y3 x3 + y3 x5 + y4 x3 + y4 x5 + x1 + x3 + x5 + y1 + y2 + y3 + y4 + 1 = 0, • x2 x1 + x3 x2 + x4 x1 + x5 x1 + x5 x4 + y1 x5 + y1 x6 + y2 x5 + y2 x6 + y3 x5 + y3 x6 + y4 x5 + y4 x6 + x1 + y2 + y3 = 0, • x3 x2 + x4 x1 + x4 x3 + x5 x1 + x5 x2 + x5 x3 + y1 x1 + y1 x2 + y1 x4 + y1 x6 + y2 x1 + y2 x2 + y2 x4 + y2 x6 + y3 x1 + y3 x2 + y3 x4 + y3 x6 + y4 x1 + y4 x2 + y4 x4 + y4 x6 + x1 + x3 + x6 + y1 + y3 + 1 = 0, • x3 x1 + x3 x2 + x4 x3 + x5 x1 + x5 x2 + x5 x4 + y3 y1 + y3 y2 + y4 y1 + y4 y2 + x2 + x3 + x4 + y1 + y3 + 1 = 0, • x4 x1 + x5 x1 + x5 x4 + y1 x2 + y1 x4 + y2 x2 + y2 x4 + y2 y1 + y3 x2 + y3 x4 + y3 y2 + y4 x2 + y4 x4 + y4 y1 + y4 y3 + x2 + x3 + x4 + x5 + x6 + y1 + y4 + 1 = 0, S5 : • x2 x1 + x5 x2 + y1 x1 + y1 x2 + y1 x5 + y2 x1 + y2 x2 + y2 x5 + y3 x1 + y3 x2 + y3 x5 + y4 x1 + y4 x2 + y4 x5 + x1 + x2 + x5 + y1 + y2 + y3 + y4 + 1 = 0.

210

Takeshi Shimoyama and Toshinobu Kaneko

Appendix C. Detail of Our Algorithm In this section, we show detail of our improved algorithm. The following two non-linear equations are obtained from best linear expression of 14-round DES with 2-R elimination method and the quadratic relation of the input and output bits of S-box S5 ; (Pr [3, 8, 14, 25] + Pl [17] + Cl [8, 14, 25] + F1 (Pr , K1 )[17] +F16 (Cr , K16 )[8, 14, 25] + K2 [26] + K4 [26] + K5 [4] + K6 [26] +K8 [26] + K9 [4] + K10 [26] + K12 [26] + K13 [4] + K14 [26] + 1) ·(Pl [16, 17, 20] + F1 (Pr , K1 )[16, 17, 20] + K2 [25, 26, 29] + 1) = 0,

(22)

(Cr [3, 8, 14, 25] + Cl [17] + Pl [8, 14, 25] + F16 (Cr , K16 )[17] +F1 (Pr , K1 )[8, 14, 25] + K3 [26] + K4 [4] + K5 [26] + K7 [26] +K8 [4] + K9 [26] + K11 [26] + K12 [4] + K13 [26] + K15 [26] + 1) ·(Cl [16, 17, 20] + F16 (Cr , K16 )[16, 17, 20] + K15 [25, 26, 29] + 1) = 0, (23) where Pl , Pr are left and right halves of plaintext and Cl , Cr are left and right halves of ciphertext, respectively, and Ki is i-th round key with 48 bit long. We define the notations of the vectors of effective text and key bits corresponding to equation (22) as follows. A(P, C, K) = Pr [3, 8, 14, 25] + Pl [17] + Cl [8, 14, 25] ∈ GF (2) +F1 (Pr , K1 )[17] + F16 (Cr , K16 )[8, 14, 25] B(P, C) = (Pr [3, 8, 14, 25] + Pl [17] + Cl [8, 14, 25], Pr [32], Pr [1], ..., Pr [5], Cr [16], ..., Cr [21]) ∈ GF (2)13 D(K) = K2 [26] + K4 [26] + K5 [4] + K6 [26] + K8 [26] +K9 [4] + K10 [26] + K12 [26] + K13 [4] + K14 [26] ∈ GF (2) E(K) = (K1 [1], ..., K1 [6], K15 [25], ..., K15 [30]) ∈ GF (2)12 G(P ) = Pl [16, 17, 20] + F1 (Pr , K1 )[16, 17, 20] ∈ GF (2) ∈ GF (2)11 H(P ) = (Pl [16, 17, 20], Pr [8], ..., Pr [17]) I(K) = K2 [25, 26, 29] ∈ GF (2) J(K) = (K1 [13], ..., K1 [24]) ∈ GF (2)12 Similarly, we define the following notations of effective text and key bit vectors related with equation (23). A0 (P, C, K), B 0 (P, C), D0 (K), E 0 (K), G0 (C), H 0 (C), I 0 (K), J 0 (K) Algorithm 1 (Improved Attack Algorithm) 1 (Data Counting Phase) For N pairs {(P1 , C1 ), ..., (PN , CN )} of input and output, count up the following counters. V (b, d) = #{ n | b = B(Pn , Cn ), d = H(Pn )} V 0 (b0 , d0 ) = #{ n | b0 = B 0 (Pn , Cn ), d0 = H 0 (Cn )} 2 (Original Linear Attack Phase)

Quadratic Relation of S-box and Its Application to the Linear Attack

211

P W (b) =P d V (b, d), (0 ≤ b < 213 ) W 0 (b0 ) = d0 V 0 (b0 , d0 ), (0 ≤ b0 < 213 ) By using the above counters W, W 0 , sort the effective key vectors corresponding to the following in order of reliability by using the original linear attack. ((D(K), E(K)), (D0 (K), E 0 (K))) 3 (Data Counting Phase II) Let (k, k 0 ) ∈ GF (2)26 be the most reliable key vector obtained in the step (2). P T (d) = P cond1 V (b, d), T 0 (d0 ) = cond2 V 0 (b0 , d0 ), cond1 : A(b, k) = D(k), cond2 : A0 (b0 , k 0 ) = D0 (k 0 ). 4 (Key Counting Phase) For m, m0 (0 ≤ m, m0 < 212 ), calculate the following counters. P P U (e, a) = 4 cond3 T (d) + cond4 T (d) cond P 3 : G(d, a) = e, Pcond4 : G(d, a) = e + 1, U 0 (e0 , a0 ) = 4 cond5 T 0 (d0 ) + cond6 T 0 (d0 ) cond5 : G0 (d0 , a0 ) = e0 , cond6 : G0 (d0 , a0 ) = e0 + 1. 5 (Key Sort Phase) Sort the set of key vectors {hj (= (e, a))}, {h0j 0 (= (e0 , a0 ))} which are belong to effective key vectors of ((I(K), J(K)), (I 0 (K), J 0 (K))), in order of |U (hj ) − 5/4N |, |U 0 (h0j 0 ) − 5/4N |, respectively, and sort the set of pairs of key vector (hj , h0j 0 ) ∈ GF (2)26 in order of reliability. 6 (Exhaustive Search Phase) For each key vectors (ki , ki00 , hj , h0j 0 ), search for the remaining 14 secret key bits in order of reliability until the correct value is found. In exhaustive search phase (Algorithm 1,(6)), the reliability of a vector (ki , ki00 , hj , h0j 0 ) has been determined in order of the magnitude of ((i + 1) × (i0 + 1))128 × (j + 1) × (j 0 + 1) which is the formula derived experimentally from the case of 8-round DES. In the improved attack algorithm, all of effective key bits are 52 bits, that is, D(K), E(K), D0 (K), E 0 (K), I(K), J(K), I 0 (K), J 0 (K) in total. There are, however, 10 of 52 bits are duplicated as below. Therefore, the number of the remaining key bits which should be executed exhaustive search is 56 − 52 + 10 = 14. K1 [3] = K16 [15], K1 [5] = K16 [24], K1 [13] = K16 [4], K1 [14] = K16 [22], K1 [15] = K16 [23], K1 [16] = K16 [6], K1 [17] = K16 [21], K1 [19] = K16 [2], K1 [20] = K16 [18], K1 [23] = K16 [1].

Cryptanalysis of Block Ciphers with Probabilistic Non-Linear Relations of Low Degree Thomas Jakobsen Department of Mathematics, Building 303, Technical University of Denmark DK-2800 Lyngby, Denmark, [email protected]

Abstract. Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) where the ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m over the plaintext with a typically low but non-negligible probability µ. The method employed is essentially Sudan’s algorithm for decoding Reed-Solomon codes beyond the error-correction diameter. The knownplaintext attack needs n = 2m/µ2 plaintext/ciphertext pairs and the running time is polynomial in n. Furthermore, it is shown how to discover more general non-linear relations p(x, y) = 0 between plaintext x and ciphertext y that hold with small probability µ. The second attack needs access to n = (2m/µ)2 plaintext/ciphertext pairs where m = deg p and its running time is also polynomial in n. As a demonstration, we break up to 10 rounds of a cipher constructed by Nyberg and Knudsen provably secure against differential and linear cryptanalysis. Keywords: Cryptanalysis, block cipher, interpolation attack, non-linear relations, Reed-Solomon codes, Sudan’s algorithm.

1

Introduction

For some block ciphers, the round function can be described by a low degree polynomial for a non-negligible fraction of its input values. This may happen if there are bad S-boxes or if simple algebraic functions are used unwisely. (Some simple functions provide very good immunity against differential and linear cryptanalysis.) This paper shows how one may break such ciphers. Previous work has focused on either the linear case or the case where the output is always expressible as a low degree polynomial (not just a fraction of the time). For instance, Matsui’s linear cryptanalysis [14] is applicable when some of the output bits can be described as a linear combination of the input bits for a sufficient fraction of the possible plaintexts. Jakobsen and Knudsen’s interpolation attack [9] demonstrates how to break ciphers for which the ciphertext is always (with probability 1) expressible as a low degree polynomial of the plaintext. Their attack fails when “noise” is introduced. Similarly, Lai’s higher order H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 212–223, 1998. c Springer-Verlag Berlin Heidelberg 1998

Cryptanalysis of Block Ciphers with Non-Linear Relations

213

differentials [10,9] work only in the case where the output is always expressible as a low-degree polynomial of the input. Assume that the output of some block cipher can be expressed as evaluations of a degree m polynomial for a fraction of µ of its possible inputs. We will say that such a cipher is (m, µ)-expressible. Intuitively, such ciphers appear to be weak. However, the problem of successfully cryptanalyzing (m, µ)-expressible ciphers can be shown to be essentially equivalent to the problem of decoding very low-rate Reed-Solomon codes subject to severe noise (with error rate above 12 ). Efficient decoding of such codes was not possible until recently where Sudan [17,18] published a very novel algorithm which is able to correct several more errors in polynomial time. The paper is organized as follows. First we give some preliminaries in Section 2 and show how to obtain the round keys of a block cipher one at a time given that there exists a method to distinguish random pairs from actual plaintext/ciphertext pairs. In Section 3, the Reed-Solomon codes and Sudan’s result will be explained and in Section 4 an attack using Sudan’s algorithm is presented. If there exist low degree polynomials describing the ciphertext for a sufficient number of the inputs, then the algorithm will find them. This information leak gives probabilistic knowledge of the ciphertext. As mentioned above this information in turn can be used to obtain the round keys. As a demonstration we cryptanalyze several rounds of a cipher constructed by Nyberg and Knudsen [15] which is immune to both differential and linear cryptanalysis. We break several rounds faster than exhaustive key search and using less than 232 plaintext/ciphertext pairs (p/c-pairs). Section 5 describes a more general attack. Here the probabilistic relation between plaintext x and ciphertext y has the more general form p(x, y) = 0 for some bivariate polynomial p with low degree. We conclude in Section 6 with some comments and by stating possible applications and extensions of the attack.

2

Preliminaries

We consider r-round iterated block ciphers with round function Ci = FKi (Ci−1 ) where C0 is the plaintext, K is the ith round key, and Cr is the ciphertext. We will assume that F is a bijection taking values in GF(q), where q is an integer such that a finite field of size q exists. In addition, we assume that the round keys are independent, uniformly distributed, and, moreover, that they are introduced by some group operation in such a way that the cipher is a Markov cipher [12]. Considering plaintext and keys to be random variables this implies that the inputs to each round may be considered independent.

214

Thomas Jakobsen

Definition 1. Given a function f : GF(q) → GF(q) and a polynomial p : GF(q) → GF(q) we say that f is (m, µ)-expressible if f (x) = p(x) holds with probability at least µ,

(1)

where deg(p) ≤ m. Example 2. Let a, b ∈ GF(2w ) and let the function XOR(a, b) = a + b be defined by the bitwise addition of its arguments. Similarly, let ADD(a, b) be defined by the modulo-n addition of the arguments considered as elements of ZZ n where n = 2w . These functions are used in several block ciphers to represent “incompatible” groups, e.g. in [11] or [16]. Given two values a and b, if there is no bit position other than the most significant both have a 1, then XOR(a, b) = ADD(a, b). In other words, bit where 3 w−1 -expressible over GF(2w ). ADD is 1, 4 We now show what happens if one iterates (m, µ)-expressible round functions. Proposition 3. Consider an r-round Markov cipher with round function F . Assume that F is (m, µ)-expressible. Then the cipher is (mr , µr )-expressible. Note that there may be a better approximation for the whole r-round cipher. However, it is at least (mr , µr )-expressible. Proof. Consider two applications of Fki : y = Fk1 (x) and z = Fk2 (y), i.e., z = Fk2 (Fk1 (x)). Then y is expressible as a polynomial q1 (x) with deg(p1 ) ≤ m for a fraction µ1 = µ of the possible values of x. Similarly z is expressible as a polynomial p2 (y) with deg(p2 ) ≤ m for a fraction µ2 = µ of the possible values of y. Since the cipher is a Markov cipher, we may assume that the inputs to each round are statistically independent, and hence z is expressible as a polynomial p(x) = p2 (p1 (x)) with deg(p) ≤ m2 for a fraction µ1 µ2 = µ2 of the possible input values, i.e., it is (m2 , µ2 )-expressible. The proof is finished by induction on the number of rounds. If we have a probabilistic relation between plaintext and ciphertext expressed as a polynomial, then we already have an information leakage and the cipher may be considered broken. Indeed, the following proposition shows us how we may divide and conquer using this information to obtain the round keys one at a time, in effect peeling off one round after another. But first we need some definitions. Definition 4. Let there be given a set S = {(xi , yi )}i=1,...,n of pairs and a block cipher. An algorithm which can successfully distinguish a set of p/c-pairs from a set of random pairs is called a discriminator (with respect to that cipher).

Cryptanalysis of Block Ciphers with Non-Linear Relations

215

Matsui’s linear relations, the differential characteristics of Biham and Shamir, and the polynomial relations described above are all examples of useful expressions for discriminators. The following is a variant of what Harpes, Kramer, and Massey [6] refer to as the hypothesis of wrong-key randomization. Definition 5. Let there be given an r-round block cipher C. Define by the reduced cipher C˜ the first r − 1 rounds of C. Additionally, let there be given a set ˜ S = {(xi , yi )}i=1,...,n of p/c-pairs and a discriminator for the reduced cipher C. Let Sk be the set constructed from S by decrypting the ciphertexts y by one round using last-round key k. Furthermore, let kc denote the actual (correct) last-round key and let kw 6= kc be a wrong guess. The discriminator is said to be compliant if it successfully distinguishes Skc from Skw . Informally speaking, the term “wrong-key randomization” comes from the fact that (hopefully) decryption using the wrong last-round key will randomize the p/c-pairs. Proposition 6. Given some block cipher C, assume that there exists a compliant discriminator for the corresponding reduced cipher C˜ requiring access to n pairs and running in t steps. Then it is possible to obtain the last round key of C using n p/c-pairs and expected time 12 t|K| where K is the key space of the last round. Proof. To find the last round key simply make a guess and decrypt the ciphertexts by one round. Then use the discriminator to check if the decryptions belong to the reduced cipher. If this is the case we found the correct key. Otherwise proceed with another guess. There are |K| possible round keys and the discriminator runs in t steps for an expected running time of 12 t|K|. Note that an attack like the above might be entirely impractical due to large |K|. The motivation to include Prop. 6, however, was to demonstrate how an information leak can sometimes be exploited to break a cipher entirely. The existence of a polynomial approximation in itself is usually enough to consider a cipher broken.

3

Reed-Solomon Codes

The Reed-Solomon codes [13] are a class of linear codes over the alphabet GF(q). The [n, k]q Reed-Solomon code, where n is the length (usually n = q − 1) and k is the dimension of the code is obtained by letting each message r = r0 . . . rk−1 Pk−1 i denote the coefficients of a degree k − 1 polynomial p(x) = i=0 ri x . The corresponding codeword y = y0 . . . yn−1 is the concatenation of evaluations of p over distinct elements of GF(q) \ {0}, e.g. yi = p(αi ), i = 0, . . . , n − 1, where α is a primitive element of GF(q).

216

Thomas Jakobsen

There exist efficient algorithms for decoding Reed-Solomon codes. For instance, the classical Berlekamp-Massey algorithm [13], which is capable of correcting t = b(d − 1)/2c errors, where d is the minimum distance of the code. However, for previously known algorithms t/n never exceeds 0.5 by much, not even for very low rates. To be useful for our purpose this bound on t is too low. Sudan’s algorithm, on the other hand, corrects 100% of the errors asymptotically (for rates going towards 0). The decoding problem as treated by Sudan may be stated as the following: Given integers n, k, and e. Furthermore n pairs {(xi , yi )}ni=1 , xi , yi ∈ GF(q) with pairwise distinct xi . Compute all polynomials p1 , . . . , pm of degree k − 1 such that for every j = 1, 2, . . . , m, the following holds: pj (xi ) = yi for at least (n − e) values of i = 1, . . . , n. It is not hard to see the similarity between this decoding problem and the problem of discovering a probabilistic relation y = p(x) between plaintext x and ciphertext y. The algorithm given by Sudan [18] solves this problem in polynomial time for values of e very close to n. The main result of Sudan [17] is the following: Theorem 7. For every ε and κ, the bounded distance decoding problem with parameters n, k = κn, and e = (κ)n can be solved in polynomial time provided % $r 1 ρk 2 1 1 ε(κ) < 1 − − − . − κ, where ρκ = 1 + ρk 2 κ 4 2 Here κ is the fraction of information bits per codewordp and ε(κ) is the corresponding error rate. Note that for small κ we have ρκ ≈ √ 2/κ, and in this case the right hand side of the inequality is approximately 1 − 2κ. Decoding beyond the packing radius is achieved by a very novel approach. Sudan’s algorithm obtains a bivariate polynomial Q(x, y) which is then factored into irreducibles. The error positions are then derived from the factorization and the received vector. The following section shows how the error-correcting algorithm may be used to mount an attack.

4

Attack 1

Definition P8. Let a, b ∈ IN. The (a, b)-weighted degree of a bivariate polynomial Q(x, y) = ij qij xi y j is defined by deg(ab) (Q) = max{ia + jb|qij 6= 0}. The following algorithm is based on the modified Sudan’s algorithm found in [4]. Attack 1: • Input: n p/c-pairs {(xi , yi )}ni=1 , 0 ≤ µ ≤ 1, m ∈ IN, such that n > (2m)/(µ2 ).

Cryptanalysis of Block Ciphers with Non-Linear Relations

217

• Output: All expressions y − p(x) with deg(p) ≤ m such that y = p(x) holds with probability at least µ. • Step A: Denote by si (x, y) the i-th bivariate monomial in the (1, m − 1)Pn+1 weighted graded order. Let Q(x, y) = i=1 si (x, y) and let qij denote the coefficient of the monomial xi y j . Find a nonzero solution qij to the set of linear equations Q(xs , ys ) = 0, s = 1, . . . , n. • Step B: Factor the polynomial Q(x, y) into irreducibles over GF(q)[x, y]. • Step C: Output all factors y − p(x) with deg(p) ≤ m such that p(xi ) = yi for at least a fraction µ of i = 1, . . . , n. For a proof of Sudan’s algorithm consult [17], [18], or [4]. The algorithm runs in polynomial time since there are efficient algorithms for solving linear equations and factoring polynomials [5]. As an optimization [8], note that it is possible to obtain from a bivariate polynomial factors on the form y − p(x) by using a homomorphism from GF(q)[y] to GF(q2 ) (for an appropriate power of q, q2 ). Simply consider Q(x, y) ∈ GF(q)[x, y] as a polynomial in y from GF(q2 )[y] and then use, e.g., Berlekamp’s algorithm [2] for factorization of univariate polynomials. Theorem 9. An (m, µ)-expressible cipher can be broken by Attack 1 using n=

2m µ2

(2)

plaintext/ciphertext pairs in time polynomial in n. Proof. The theorem follows directly p by rewriting Sudan’s p formula (setting m = k, µ = 1 − ε and approximating b 2/κ + 1/4 − 1/2c by 2/κ; κ is assumed to be near 0 since k n). Example 10. The cipher constructed in [15] by Knudsen and Nyberg is immune to differential and linear cryptanalysis. It falls for an attack using Sudan’s algorithm. The cipher is a Feistel network with round function Fk (x) = d(f (e(x)+ k)) where f : GF(233 ) → GF(233 ), f (x) = x3 , k ∈ GF(233 ), e : GF(232 ) → GF(233 ) is a function which extends its argument by concatenation with an affine combination of the input bits, and d : GF(233 ) → GF(232 ) discards one bit from the argument. As in [9] we call this cipher KN . The following equations describe the cipher R CiL = Ci−1 R L CiR = FKi (Ci−1 ) + Ci−1 .

The plaintext is (C0L , C0R ) and the ciphertext is the concatenation of CrR and CrL . Note that because of the extend and discard functions, one round cannot be written as a low-degree polynomial over GF(q).

218

Thomas Jakobsen

Define the following variant KN 0 taking inputs (C0L , C0R ) ∈ GF(233 )2 and having outputs (CrR , CrL ) ∈ GF(233 )2 : D0L = d(C0L ) D0R = d(C0R ) R DiL = Di−1 R L DiR = FKi (Di−1 ) + Di−1

CrL = e(DrL ) CrR = e(DrR ), In other words, KN 0 is simply KN preceded by discard operations and followed by extend operations. Clearly, if we can break KN 0 then we can also break KN . Consequently, we proceed by attacking KN 0 . Consider yet another cipher PURE defined by the purely algebraically given round function F˜ : GF(233 ) → GF(233 ), F˜k (x) = f (x + k), f (x) = x3 . I.e., R CiL = Ci−1 R L CiR = F˜Ki (Ci−1 ) + Ci−1 .

Again, the ciphertext is the concatenation of CrR and CrL . Here CiL , CiR ∈ GF(233 ). Essentially, PURE is the same cipher as KN 0 but without the extend/discard functions that ruin the algebraic simplicity. Now keep the right half of the plaintext C0R constant and express the right half of the ciphertext CrL as a polynomial of the left half of the plaintext C0L . In the original proposal, KN has r = 6 rounds. Assume that this holds for KN 0 and PURE as well. Then the output polynomial of the right half has degree 3(6−2) = 81 due to the cipher’s simple algebraic structure (C0L passes through r − 2 instances of F˜ before “becoming” CrL ). This implies that PURE can be broken by the interpolation attack which was exactly what was done in [9]. Assume that the position of the discarded bit is the same as the position of the extended bit. In this case, given the same inputs, the outputs from the round functions F and F˜ of KN 0 and PURE, respectively, will agree with probability 12 (when the extension function correctly “guesses” the missing bit). In other words, e(d(f (x))) is (3, 12 )-expressible over GF(233 ). Consequently, given identical inputs with right halves fixed, the right halves of the outputs of the two ciphers KN 0 and PURE will agree on a fraction of 2−(6−2) = 1/16 of the possible plaintexts (we assume that the inputs to each round are uncorrelated). Now we can use Thm. 9. We have m = 81 and µ = 1/16. Consequently, using Sudan’s algorithm we need at least n=

2 × 81 16 ≈ 40000 < 2 1 2 16

pairs (xi , yi ) to successfully discriminate random samples from p/c-pairs.

Cryptanalysis of Block Ciphers with Non-Linear Relations

219

Combining Prop. 3 and Thm. 9 we can calculate the maximum number of rounds possible to break. Solving 2 · 3r−2 32 2 ≤2 r−2 1/ (2 ) for integer solutions gives a maximum of r = 10 rounds for which the cipher is breakable using at most 232 p/c-pairs. Using higher order differentials (h.o.d.) as in [9], one can break only 7 rounds of KN . Additionally, the h.o.d. approach depends on the extension bit being an affine combination of the input bits; this implies that the output bits of the round function may be considered as evaluations of quadratic polynomials of the input bits. Our attack does not rely on this assumption.

5

Attack 2

In [1], Ar et al. shows how to obtain low-degree relations p(x, y) = 0 that hold on a non-negligible number of elements of some set {(xi , yi )}i=1,...,n (given the relations exist). Here we present a slightly weaker theorem which has the advantage of a shorter and less involved proof. In order to prove that the attack works, we need the following lemmas. Lemma 11. B´ ezout’s Theorem. Let P (x, y), Q(x, y) ∈ GF(q)[x, y] be polynomials in two variables over GF(q). If the polynomials have no common factors, then the number of common zeros is at most deg P · deg Q, where deg denotes total degree. For a proof consult [7]. Lemma 12. Let f (a, b) denote the number of bivariate polynomials in GF(q)[x, y] with degree a in x and degree b in y. Similarly, let Φ(a, b) count the number of irreducibles among these polynomials. Then Φ(a, b) = (1 − q −a )f (a, b) + O(aq ab ), where the constant in the O-term depends on q and a. A proof is found in [3]. Restated we get the following. Lemma 13. Let p(x, y) be a random bivariate polynomial over GF(q) of degree a in x and degree b in y. Then the probability of p(x, y) being irreducible satisfies Prob[p(x, y) is irreducible] ≥ 1 − q − max{a,b} . In other words, nearly all bivariate polynomials are irreducible. Attack 2: • Input: µ, m, n p/c-pairs {(xi , yi )}, where n > (2m/µ)2 .

220

Thomas Jakobsen

• Output (with high probability): All probabilistic links p(x, y) with deg(p) ≤ m satisfying Prob[p(x, y) = 0] ≥ µ. • Step A: Let ti (x, y) denote the i-th monomial in the graded order. Let Pn+1 Q(x, y) = i=1 ti (x, y) and let qij be the coefficient of the monomial xi y j . Find a nonzero solution qij to the set of linear equations Q(xs , ys ) = 0, s = 1, . . . , n. • Step B: Factor Q(x, y). Output all factors of degree less than m. Theorem 14. Given a block cipher, assume that there exists a probabilistic relation p(x, y) = 0 with deg(p) ≤ m between plaintext x and ciphertext y which holds for a fraction µ of the possible plaintexts. Then the cipher can be broken by Attack 2 using at most n=

2m µ

2

plaintext/ciphertext pairs and time polynomial in n. Proof. First, we show that Q(x, y) has non-constant factors if there is a probabilistic low degree relation between input and output. Assume that p(x, y) = 0 with probability µ

(3)

for some p(x, y) ∈ GF(q)[x, y] with deg p ≤ m. In addition, assume that n>

2m µ

2 .

(4)

We have Q(xi , yi ) = 0 for n pairs (xi , yi ). Of these m = µn pairs have the additional property that p(x, y) = 0. Consequently, the number of common zeros of p and Q is at least m. We also√have deg p ≤ m and because of the way we constructed Q, we have deg Q ≤ 2 n. Then due to (4) we have deg Q·deg p < m. By B´ezout’s theorem this means that p and Q have a common factor. Since p 6= Q, the polynomial Q(x, y) must be reducible. In addition, p has a high probability of being irreducible implying that p is most probably one of the obtained factors. Secondly, to prove that the algorithm outputs nothing when the pairs are truly random (implying that no probabilistic relations exist) it suffices to show that Q is “random”. Recall that a random bivariate polynomial has very slim chances of being reducible. Also notice that the construction of Q is a matter of solving n linear equations of n unknown variables (assuming Q is to be normalized). In fact, we may choose the pairs (xi , yi ) such that we obtain any assignment of coefficients qij ∈ GF(q). As a consequence, given random input we may assume that Q is random and therefore irreducible with high probability. The algorithm runs in polynomial time since there exists efficient algorithms for solving sets of linear equations and factoring polynomials.

Cryptanalysis of Block Ciphers with Non-Linear Relations

6

221

Comments

It is possible to break block ciphers which are probabilistically expressible as low degree polynomials faster than exhaustion of the key space. This fact should lead to new design criteria. Clearly, to thwart these attacks it is not enough that round functions have high boolean complexity. Likewise, good properties against differential and linear attacks are no guarantee either. In fact, many almost perfect non-linear functions should be avoided exactly because they are too simple algebraically. At least, they should not be the only ingredients of a strong block cipher. It remains to carry out analysis of existing block ciphers and discover whether they are susceptible to these new attacks. Although both attacks run in polynomial time, in practice the running time may be substantial. Step A dominates the complexity; more precisely, solving linear equations using, e.g., simple Gaussian elimination gives time complexity O(n3 ). Factorization of bivariate polynomials over a finite field has complexity O(n log q)O(1) , see [5]. The memory requirement (to hold the system of linear equations) is proportional to the square of the number of unknown coefficients qij in Q(x, y), i.e. O(n2 ). It might be possible to improve these complexities with elimination algorithms suited for a particular purpose. For both algorithms to work, there must be included in the n pairs at least µn pairs that satisfy the polynomial relation. Statistically, for n randomly chosen p/c-pairs this holds approximately 50% of the time since there is a fraction µ of good pairs among all possible p/c-pairs. To obtain a higher success rate one can simply use sufficiently many more p/c-pairs. In this paper we have considered only bivariate relations. However, Sudan et al. describe extensions to several variables. This might be useful for ciphers where there is no natural correspondence between input or output and GF(q), e.g., for DES a more natural input domain would be GF(2)w instead of GF(2w ) leading to polynomial relations of the form yi = p(x1 , . . . , x64 ) or q(x1 , . . . , x64 , y1 , . . . , y64 ) = 0. Notice that for Prop. 6 to work, the discriminator does not need to explicitly output the probabilistic relation; it just has to state whether one exists. This fact might make it possible to construct even better attacks. In the error-correction setting, this resolves to computing whether a received word is closer to the set of codewords than some given distance. More recently, Sudan [19] has improved his algorithm by requiring each pair (x, y) to appear as a root in Q with multiplicity greater than 1. This makes it possible to correct even more errors when decoding. In our case, the new results imply that the factor of 2 in Eq. (2) becomes close to 1. Finally, note that both attacks are very well suited for (nearly-)black box analysis since no structure on the block cipher is assumed except the correspondence between plaintext/ciphertext and the elements of GF(q).

222

7

Thomas Jakobsen

Acknowledgements

Thanks to Tom Høholdt for fruitful discussions and for mentioning Sudan’s results in the first place.

References 1. Sigal Ar, Richard J. Lipton, Ronitt Rubinfeld, and Madhu Sudan. Reconstructing Algebraic Functions from Mixed Data, Proceedings of the 33rd Annual IEEE Symposium on Foundations of Computer Science, 1992, pp. 503–512. To appear SIAM Journal on Computing. 219 2. Elwyn R. Berlekamp. Factoring Polynomials over Large Finite Fields. Mathematics of Computation, pp. 713, vol. 24, no. 111, 1970. 217 3. Leonard Carlitz. The Distribution of Irreducible Polynomials in Several Indeterminates II. Canadian Journal of Mathematics 17:261-266, 1965. 219 4. Weishi Feng and Richard E. Blahut. On Decoding Reed-Solomon Codes Beyond the Packing Radii. Preprint. Coordinated Science Laboratory, University of Illinois at Urbana-Champaign, Nov., 1997. 216, 217 5. Joachim von zur Gathen and Erich Kaltofen. Factoring multivariate polynomials over finite fields. Math. Comput., 45:251-261, 1985. 217, 221 6. Carlo Harpes, Gerhard G. Kramer, and James L. Massey. A Generalization of Linear Cryptanalysis and the Applicability of Matsui’s Piling-up Lemma. Eurocrypt ’95, Lectures Notes in Computer Science, Springer, 1995. 215 7. Robin Hartshorne. Algebraic Geometry. Springer-Verlag, New York, 1977. 219 8. Tom Høholdt. Private communication. 217 9. Thomas Jakobsen and Lars R. Knudsen. The Interpolation Attack on Block Ciphers. Fast Software Encryption IV, Lecture Notes in Computer Science, Springer, Haifa, 1997. 212, 213, 217, 218, 219 10. Xueijia Lai. Higher order derivatives and differential cryptanalysis. In Proc. “Symposium on Communication, Coding and Cryptography”, in honor of James L. Massey on the occasion of his 60’th birthday, Feb. 10–13, 1994, Monte-Verita, Ascona, Switzerland, 1994. 213 11. Xuejia Lai and James L. Massey. A Proposal for a New Block Encryption Standard, Advances in Cryptology - Eurocrypt ’90 Proceedings, Springer-Verlag, Berlin, 1991, pp. 389–404. 214 12. Xuejia Lai, James L. Massey, and Sean Murphy. Markov ciphers and differential cryptanalysis. Advances in Cryptology, Proceedings Eurocrypt ’91, LNCS 547, D. W. Davies, Ed., Springer-Verlag, 1991, pp. 17–38. 213 13. Florence J. MacWilliams and Neil J. A. Sloane. The Theory of Error-Correcting Codes. North-Holland, 1977. 215, 216 14. Mitsuru Matsui. Linear cryptanalysis for DES cipher. Lecture Notes in Computer Science, 765 (1994), 386–397. (Advances in Cryptology - EUROCRYPT ’93.) 212 15. Kaisa Nyberg and Lars R. Knudsen. Provable Security Against a Differential Attack. Journal of Cryptology, vol. 8, no. 1, 1995. 213, 217 16. Ronald L. Rivest. The RC5 encryption algorithm. In Bart Preneel, editor, Fast Software Encryption: Second International Workshop, Lecture Notes in Computer Science, vol. 1008, pp. 86-96, Leuven, Belgium, Springer-Verlag, Published 1995. 214

Cryptanalysis of Block Ciphers with Non-Linear Relations

223

17. Madhu Sudan. Decoding Reed Solomon Codes beyond the Error-Correction Diameter. Proc. 35th Annual Allerton Conference on Communication, Control and Computing, University of Illinois at Urbana-Champaign, 1997. 213, 216, 217 18. Madhu Sudan. Decoding of Reed Solomon Codes beyond the Error-Correction Bound. Journal of Complexity, 13(1):180-193, March 1997. 213, 216, 217 19. Madhu Sudan. Preprint. May 1998. 221

Cryptanalysis of the Ajtai-Dwork Cryptosystem Phong Nguyen and Jacques Stern ´ Ecole Normale Sup´erieure, Laboratoire d’Informatique 45, rue d’Ulm 75230 Paris Cedex 05, F {Phong.Nguyen,Jacques.Stern}@ens.fr http://www.dmi.ens.fr/~{pnguyen,stern}/

Abstract. Recently, Ajtai discovered a fascinating connection between the worst-case complexity and the average-case complexity of some wellknown lattice problems. Later, Ajtai and Dwork proposed a cryptosystem inspired by Ajtai’s work, provably secure if a particular lattice problem is difficult in the worst-case. We present a heuristic attack (to recover the private key) against this celebrated cryptosystem. Experiments with this attack suggest that in order to be secure, implementations of the Ajtai-Dwork cryptosystem would require very large keys, making it impractical in a real-life environment. We also adopt a theoretical point of view: we show that there is a converse to the Ajtai-Dwork security result, by reducing the question of distinguishing encryptions of one from encryptions of zero to approximating some lattice problems. In particular, this settles the open question regarding the NP-hardness of the Ajtai-Dwork cryptosystem: from a recent result of Goldreich and Goldwasser, our result shows that breaking the Ajtai-Dwork cryptosystem is not NP-hard, assuming the polynomial-time hierarchy does not collapse.

1

Introduction

Lattices are discrete subgroups of some n-dimensional space and have been the subject of intense research, going back to Gauss, Dirichlet, Hermite and Minkowski, among others. More recently, lattices have been investigated from an algorithmic point of view and two basic problems have emerged: the shortest vector problem (SVP) and the closest vector problem (CVP). SVP refers to the question of computing the lattice vector with minimum non-zero euclidean length while CVP addresses the non-homogeneous analog of finding a lattice element minimizing the distance to a given vector. It has been known for some time that CVP is NP-complete [12] and Ajtai has recently proved that SVP is NP-hard for polynomial random reductions [3]. The celebrated LLL algorithm [18] provides a partial answer to SVP since it runs in polynomial time and approximates the shortest vector within a factor of 2n/2 where n denotes the dimension of the lattice. This has been improved to the bound (1 + ε)n by Schnorr [21]. Babai √ [6] gave an algorithm that approximates the closest vector by a factor of (3/ 2)n . The existence of polynomial bounds is completely open: CVP is presumably hard to approximate within a factor 0.99 as shown in [5] but a result of Goldreich and Goldwasser [14] suggests 2(log n) H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 223–242, 1998. c Springer-Verlag Berlin Heidelberg 1998

224

Phong Nguyen and Jacques Stern

that unless the polynomial-time hierarchy collapses, this inapproximability result √ cannot be extended to n. Recently, in a beautiful paper, Ajtai [2] found the first connection between the worst-case and the average-case complexity of SVP. He established a reduction from the problem of finding the shortest non zero element u of a lattice provided that it is “unique” (i.e. that it is polynomially shorter than any other element of the lattice which is not linearly related) to the problem of approximating SVP for randomly chosen instances of a specific class of lattices. This reduction was improved in [8]. Later, Ajtai and Dwork [4] proposed a cryptosystem inspired by Ajtai’s work and proved that it was provably secure under the assumption that the “unique” shortest vector problem considered above is difficult in the worst-case. Again, from a theoretical point of view, the achievement in the Ajtai-Dwork paper is a masterpiece. However, its practical significance is unclear. This is partly due to the fact, exemplified by RSA, that the success of a cryptosystem is not only dependent on the computational hardness of the problem on which it is based, but also on the performances that it displays in terms of speed, key size, expansion rate, etc. It is also related to the fact that, so far, use of lattices in cryptography has been directed at successfully breaking schemes [1,22,7,17,10,24,16,9]: experiments have shown that lattice reduction algorithms behave surprisingly well and can provide much better approximations to SVP or CVP than expected. At this point, it was natural to ask whether or not the security level offered by the Ajtai-Dwork cryptosystem is exactly measured by the hardness of approximating lattice problems. In other terms, is there a converse to the Ajtai-Dwork security result ? The present paper shows that this is actually the case by reducing the question of distinguishing encryptions of one from encryptions of zero to approximating CVP or SVP (recall that AD encrypts bits). More precisely, we prove that if one can approximate CVP within a factor cn1.33 , then one can distinguish encryptions with a constant advantage d, where c and d are related constants. This is especially interesting in view of the result of Goldreich and Goldwasser quoted above since it seems to rule out any form of NP-hardness for AD, which was an open question. We prove a similar result for SVP, with a more restrictive factor. This shows that AD is essentially equivalent to approximating the shortest vector within a polynomial ratio and allows to reverse the basic paradigm of AD: for dimensions where lattice reduction algorithms behave well in practice, AD is insecure. This opened the way to a practical assessment of the security of AD for real-size parameters. We answer this question by presenting a heuristic attack suitable for implementation. First experiments showed that this attack was able to recover the private key in a short time for small parameters. Current experiments suggest that the attack is feasible even for real-size parameters: in order to be secure, implementations of the Ajtai-Dwork cryptosystem would require very large keys.

Cryptanalysis of the Ajtai-Dwork Cryptosystem

225

The remainder of the paper is organized as follows. In section 2, the AjtaiDwork cryptosystem is described. Section 3 presents our heuristic attack (to recover the private key) and practical experiments. Sections 4 and 5 deal with a converse to the Ajtai-Dwork security theorem. Section 4 uses a CVP approximation oracle, while section 5 uses a SVP approximation oracle. The reduction obtained in section 4 shows that breaking the Ajtai-Dwork cryptosystem is not NP-hard if the polynomial-time hierarchy does not collapse. Due to lack of space, section 4 and 5 do not include full proofs. These can be found in [20]. The appendix includes the missing proofs.

2

The Ajtai-Dwork Cryptosystem

In this section we recall the construction of Ajtai and Dwork [4], with the notations and the presentation of [15]. For any ε between 0 and 12 , we denote by Z ± ε the set of real numbers for which the distance to the nearest integer is at most ε. We denote the inner product of two vectors in the Euclidean space Rn by hx, yi. Given a set of n linearly independent vectors w1 , . . . , wn , the parallelepiped spanned by the wi ’s is the set P (w1 , . . . , wn ) of all linear combinations of the wi ’s with coefficients in [0, 1[. Its width is the minimum over i of the Euclidean distance between wi and the hyperplane spanned by the other wj ’s. Reducing a vector v modulo a parallelepiped P (w1 , . . . , wn ) means obtaining a vector v 0 ∈ P such that v 0 − v belongs to the lattice spanned by the wi ’s, which we denote by v 0 = v (mod P ). To simplify the exposition, we present the scheme in terms of real numbers, but we always mean numbers with some fixed finite precision. Given a security parameter n (which is also the precision of the binary expansion for real numbers), we let m = n3 and ρn = 2n log n . We denote by Bn the big n-dimensional cube of side-length ρn . We also denote by Sn the small n-dimensional ball of radius n−8 . Given n, the private key is a uniformly chosen vector u in the n-dimensional unit ball. For such a private key, we denote by Hu the distribution on points in Bn induced by the following construction: 1. Pick a point a uniformly at random from {x ∈ Bn : hx, ui ∈ Z}. 2. Select δ1 , . . . , δn uniformlyP at random from Sn . 3. Output the point v = a + i δi . The public key is obtained by picking the points w1 , . . . , wn , v1 , . . . , vm independently at random from the distribution Hu , subject to the constraint that the width of the parallelepiped w = P (w1 , . . . , wn ) is at least n−2 ρn (which is likely to be satisfied, see [4]). Encryption is bit-by-bit. Pm To encrypt a ’0’, uniformly select b1 , . . . , bm in {0, 1}, and reduce the vector i=1 bi vi modulo the parallelepiped w. The vector obtained is the ciphertext. The ciphertext of ’1’ is just a randomly chosen vector in the parallelepiped w. To decrypt a ciphertext x with the private key u, compute τ = hx, ui. If τ ∈ Z ± n−1 , then x is decrypted as ’0’, and otherwise as ’1’. Thus, an encryption of ’0’ will always be decrypted as ’0’, and an encryption

226

Phong Nguyen and Jacques Stern

of ’1’ has a probability of 2n−1 to be decrypted as ’0’. These decryption errors can be removed (see [15]). The main result of [4] states that a probabilistic algorithm distinguishing encryptions of a ’0’ from encryptions of a ’1’ with some polynomial advantage can be used to find the shortest nonzero vector in any n-dimensional lattice where the shortest vector v is unique, in the sense that any other vector whose length is at most n8 ||v|| is parallel to v.

3

A Practical Attack

We describe in this section a heuristic attack to recover the private key. We first present the ideas underlying our attack, the attack itself and then the experiments. Let (u, w1 , . . . , wn , v1 , . . . , vm ) be a set of keys. For any real β > 0, denote by Λβ the m-dimensional lattice (in Rn+m ) spanned by the columns of the following matrix:   βv1 βv2 . . . βvm  1 0 ... 0     ..   0 1 .      . ..  .. . 0  0 ... 0 1 Each hvi , ui belongs to Z ± n−7 : let Vi be the closest integer to hvi , ui. The following result shows that short vectors in Λβ give information on the Vi ’s: Theorem 1. Let x = t β(λ1 v1 + · · · + λm vm ), λ1 , . . . , λm be a point of Λβ , the Pm Pm Pm λi ’s being integers. If n7 i=1 λi vi + i=1 |λi | < n7 , then i=1 λi Vi = 0. In particular, this equality is satisfied if β 2 ≥ 2n71−1 n14 and kxk < √2n17 −1 n7 . Pm Pm Pm Proof. λi Vi ≤ n−7 i=1 |λi |. i ’s, h i=1 λi vi , ui − i=1 P PmBy definition of the−7vP m m If |h i=1 λi vi , ui| < 1 − n i=1 |λi |, then the integer i=1 λi Vi is zero since itP is strictly less than 1 P in absolute value. As kuk ≤ 1, a stronger condition is m m k i=1 λi vi k < 1 − n−7 i=1 |λi | by the Cauchy-Schwarz inequality, and this proves the first statement. Squared, it becomes: m m m

X

2 X X

λi vi < 1 + n−14 λ2i − 2n−7 |λi |.

i=1

i=1

i=1

But |λi | ≤ λ2i since the λi ’s are integers. This gives a new stronger condition: m m

X

2 X

λi vi + (2 − n−7 ) λ2i < n7 , n7 i=1

which is satisfied as soon as β 2 ≥

i=1 14

n7 n √ and kxk < . 2n7 − 1 2n7 − 1

t u

The following combinatorial results suggest that Λβ contains many sufficiently short vectors.

Cryptanalysis of the Ajtai-Dwork Cryptosystem

227

Theorem 2. For all ε > 0, there exists N such that the following holds for all n ≥ N . Let {i1 , i2 , . . . , im0 } be a subset of {1, 2, . . . , m}. If m0 ≥ (1 + ε)n2 log2 n, then there exist λ1 , λ2 , . . . , λm0 (not all zero) in {−1, 0, 1} such that

λ1 vi1 + λ2 vi2 + · · · + λm0 vi 0 ≤ n3.5−n/ log2 n . m Proof. Let α = n/ log2 n and v¯i = bnα vi c. Each vector v¯i has integral entries in the set {−nα ρn , . . . , nα ρn }. Consider all combinations of v¯i1 , . . . , v¯im0 with 0 coefficients in {0, 1}. There are 2m such combinations. But there are at most n (2m0 nα ρn + 1) distinct values for such combinations. By the pigeon-hole prin0 n ciple, it follows that if 2m > (2m0 nα ρn + 1) , then there exist λ1 , λ2 , . . . , λm0 (not all zero) in {−1, 0, 1}, such that λ1 v¯i1 + λ2 v¯i2 + · · · + λm0 v¯im0 = 0. Hence: m X

Pm λk vik =

k=1

whose norm is less than n−α

k=1

λk (nα vik − bnα vik c) , nα

Pm √ n = n3.5−n/ log2 n . Furthermore, k=1

log2 (2m0 nα ρn + 1) ≤ n log2 (2m0 ) + αn log2 n + n log2 ρn + n log2 (1 + 1) ≤ 2n + 3n log2 n + n2 + n2 log2 n n

We conclude since 2n+3n log2 n+n2 +n2 log2 n+ < (1+ε)n2 log2 n for sufficiently large n. t u Corollary 3. For all ε > 0, there exists N such that for all n ≥ N and all β > 0, there exist at least n3p − (1 + ε)n2 log2 n linearly independent lattice points in Λβ , with norm less than n3 + β 2 n7−2n/ log2 n . We now use the notion of an orthogonal lattice introduced in [19]: if L is a lattice in Zn , the orthogonal lattice L⊥ is defined as the set of points in Zn that are orthogonal to all the lattice points. Consider the vector V in Zm whose coordinates are the Vi ’s. Theorem 1 shows that sufficiently short vectors of Λβ correspond to vectors in V ⊥ , which is a m − 1 dimensional lattice in Zm . Corollary 3 shows that many such short vectors exist. We conjecture that there exist at least m − 1 sufficiently short and linearly independent vectors in Λβ . If one knows m−1 linearly independent vectors in V ⊥ , then one can determine the one-dimensional lattice (V ⊥ )⊥ : one can find a vector V 0 ∈ Zm generating (V ⊥ )⊥ . There exists ε ∈ Z such that V = εV 0 . If all the Vi ’s are coprime (which happens with overwhelming probability), then ε = ±1. Since one can exchange −u for u, one can assume that ε = 1. And if one knows the Vi ’s, one can obtain an approximation of the private key u by solving a linear system. This is because each hvi , ui ≈ Vi gives rise to a linear equation whose unknowns are the coordinates of u. If A is the matrix representing (v1 , . . . , vn ) with respect to the canonical basis, then the multiplication of A−1 by the vector formed by V1 , . . . , Vn is an approximation of u (one does not need to know all the Vi ’s, n of them are enough). The approximation is good because hvi , ui is close

228

Phong Nguyen and Jacques Stern

to Vi (difference less than n−7 in absolute value) and the coefficients of A−1 are very small (we omit the details but one can justify that they are roughly around ρ−1 n in absolute value, because the coefficients of A can almost be considered as independent and uniformly distributed over ] − ρn , ρn [). The attack is the following: 1. Obtain vectors in V ⊥ by finding short linear combinations of the vi ’s using lattice reduction algorithms. 2. When enough vectors in V ⊥ are found, compute (V ⊥ )⊥ and ±V . 3. Solve the linear system A.u0 = V 0 to obtain an approximation u0 to the private key u, where A is the matrix representing v1 , . . . , vn and V 0 is the vector formed by V1 , . . . , Vn . For step 1, we do not reduce a complete lattice Λβ (whose dimension m might be too large): we only keep m0 random columns and reduce them. There are heuristic arguments explaining why one can still expect to find short linear combinations with only m0 vectors vi ’s instead of m. Due to lack of space, we omit the details here: it is related to the fact that, given a low-dimensional lattice, a reduced basis for the corresponding orthogonal lattice is much smaller than for the lattice itself (see [19]). To find enough vectors, one repeats the random selection of columns. Since short vectors are found in an apparently random fashion, one can expect to find as many vectors as wanted. For step 2, one has to compute a basis of the orthogonal lattice of a given lattice. To do so, one can use the polynomial time algorithm given in [19], which uses lattice reduction algorithms. But there is a more practical method here: since the orthogonal lattice is one-dimensional only, one can compute it by a basic cross product, that is determinant computations. Actually one does not need to compute the complete cross product: n determinants suffice instead of m, because in step 3, only n coordinates of V are used. Note that each determinant is a n log n-bit integer. We used the NTL library [23] to conduct our experiments. Timings are given for a 170 Mhz Ultra-SPARC-I. We used the floating point variant (double and quadratic precision) of the LLL algorithm as our lattice reduction algorithm: no stronger algorithms were needed. Only steps 1 and 2 are time-consuming. For n = 8, we reduced the complete 512-dimensional lattice Λβ : step 1 took 3 hours, step 2 took less than half an hour and step 3 was immediate. The approximation u0 was matching u with the n-bit precision. For n = 32, we chose m0 = 300 : each reduction of a partial 300-dimensional lattice gave 60 vectors in V ⊥ in less than 4 hours. Actually, this running time might be decreased, as a complete LLL reduction is unnecessary. Hence, one could expect to find enough vectors in less than 100 days on a single machine, and the computations can easily be parallelized (each random combination of 300 columns can be reduced independently) to reduce the running time. Step 2 requires the computation of 32 determinants of huge but sparse matrices. The dimension of these matrices is 32, 767, and there are less than 300 non-zero entries per line, making the computation feasible. Assuming that step 2 determined the Vi ’s, step 3 immediately gave a perfect approximation of u.

Cryptanalysis of the Ajtai-Dwork Cryptosystem

229

Hence a successful attack even for n = 32 looks feasible. Note that at least n5 log n bits are required to store the public key (the vi ’s): for n = 32, this amounts to 20 megabytes, and the ciphertext for each bit is 6144 bits long. This shows that the Ajtai-Dwork cryptosystem is hardly practical even with marginal security.

4

Deciphering with a CVP-Oracle

We define an (n, k)-CVP-oracle to be any algorithm which, given a point x ∈ Rn and a n-dimensional lattice L, outputs a lattice point α ∈ L such that for every β ∈ L: dist(x, α) ≤ kdist(x, β), where dist denotes the Euclidean distance. Each oracle call made by a Turing machine contributes by a single unit to the overall complexity of the machine. Using such an oracle, we will see how one can distinguish in probabilistic polynomial time ciphertexts of ’0’ from ciphertexts of ’1’, thanks to some properties of the keys. To any choice of the keys, we associate a particular lattice. Given a ciphertext, one can build a vector such that: if the ciphertext is a ciphertext of ’0’, this vector is likely to be close to the lattice ; and if the ciphertext is a ciphertext of ’1’, this vector is unlikely to be close enough. To check whether this vector is close enough, one calls an oracle.

4.1

Vulnerable Keys

Theorem 4. For sufficiently large n, for any ε1 and ε2 in ]0, 1[, any set of keys (u, w1 , . . . , wn , v1 , . . . , vm ) picked at random as described in Ajtai-Dwork’s protocol satisfies the following with probability at least (1 − ε1 )(1 − ε2 ): n X j=1

dist(Z, hu, wj i)2 ≤

2π n16 ε1

 *m +2  n X X n4 ρ2n E bi vi , wj⊥  ≤ 2ε2 j=1 i=1

(1)

(2)

where wj⊥ denotes the unit vector orthogonal to the hyperplane spanned by the other wj ’s, and the expectation is with respect to a uniform random choice of (b1 , . . . , bm ) in {0, 1}m. We show how to prove this result, which will be used afterwards. Let u be a non-zero private key: kuk ≤ 1. We start with a technical lemma: Lemma 5. Let δ be a randomly chosen point from Sn . Then E[hu, δi] = 0 and R π/2 4kuk2 W 2 Var[hu, δi] = (n+2)n16n , where Wn = 0 sinn θdθ is the n-th Wallis integral.

230

Phong Nguyen and Jacques Stern

Proof (Sketch). The expectation E[hu, δi] is clearly zero. To compute the variance, we can assume that u = (kuk, 0, 0, . . . , 0) since Sn is invariant by rotation. We obtain: √ Z n−8 Vn−1 ( n−16 − x2 ) dx, Var[hu, δi] = kuk2 x2 Vn (n−8 ) −n−8 where Vn (r) denotes the volume of the n-dimensional ball of radius r. The result follows after a few simplifications using Wallis integrals. t u This leads to a more general result: Lemma 6. Let v be a randomly chosen point from the distribution Hu . Then: E dist(Z, hu, vi)2 ≤

2π . (n + 2)n16

P Proof (Sketch). Write v = a+ i δi where the δi ’s are independently chosen with uniform distribution over Sn . Apply the previous lemma with δi as δ. Conclude t u as Wn2 ≤ 2π/n and kuk ≤ 1. Pn Denote by X the random variable j=1 dist(Z, hu, wj i)2 , where the wj ’s are chosen according to Ajtai-Dwork’s rules. ¿From the previous lemma: E[X] =

n X j=1

E dist(Z, hu, wj i)2 ≤ n

2π 2π ≤ 16 . (n + 2)n16 n

By Markov’s inequality, it follows that 1 is satisfied with probability at least 1 − ε1 over the choice of w1 , . . . , wn . Now, we assume that the the wj ’s are fixed and satisfy 1. We will prove that for sufficiently large n, when (v1 , . . . , vm ) and (b1 , . . . , bm ) are independently picked at random as described in Ajtai-Dwork’s protocol,  *m +2  n X X n4 ρ2n . (3) bi vi , wj⊥  ≤ E 2 j=1 i=1 Thus, by Markov’s inequality, 2 is satisfied with probability at least 1 − ε2 over the choice of v1 , . . . , vm , which completes the proof of Theorem 4. To prove 3, it suffices to prove that for sufficiently large n, for all choice of (b1 , . . . , bm ), 3 is satisfied with respect to a random choice of (v1 , . . . , vm ). The core of this result is the following basic lemma: Lemma 7. Let t on the n-dimensional unit sphere. Let s be a randomly chosen point (with uniform distribution) from the hypercube Bn . Then E[hs, ti] = 0 and E[hs, ti2 ] = ρ2n /3. Proof (Sketch). Decompose s and t with respect to the canonical basis to express the dot product hs, ti. The result follows from a short computation, using the fact that the coordinates of s are independent random variables uniformly distributed t u over ] − ρn , +ρn [.

Cryptanalysis of the Ajtai-Dwork Cryptosystem

231

Now, we fix b1 , . . . , bm in {0, 1} and denote by X the random variable of 3, for which we want to bound the expectation. Assume first that the vi ’s are independent random variables uniformly distributed over the hypercube Bn . Then, applying Lemma 7 several times: E[X] =

m n X X j=1 i=1

b2i E[hvi , wj⊥ i2 ] ≤ nm

ρ2n ρ2 ≤ n4 n . 3 3

To conclude, we show how to take care of the actual distribution of the vi ’s. Let a denote a point chosen at random from {x ∈ Bn : hx, ui ∈ Z}. Let λ be randomly chosen in [0, 1[. Then, the sum a + λu is uniformly distributed over an n-dimensional volume Cn , which differs from Bn by points y such that the segment [y, y + u] crosses the border of Bn . Such points are within distance 1 of this border. It follows that one can bound the volume of the difference of Bn and Cn by 2nρn−1 . Replacing the uniformly distributed variable vi by ai + λi u n chosen according to the above one sees that E[X] is modified by √ 2distribution, √at n 9 ⊥ /ρ × n(mρ n) = 2n ρ since each hv , w i is less than ρ most 2nρn−1 n n i n n. n n j Noting that the actual vi is obtained from some instance of ai by adding a small perturbation vector δi , and that 2n9 ρn = o(n4 ρ2n /3) as n grows, we obtain for sufficiently large n, n4 ρ2n ρ2 . E[X] ≤ n4 n (1 + 1/2) ≤ 3 2 4.2

Deciphering

For any real β, let Lβ be the n + m-dimensional lattice (in R2n+m ) spanned by the columns of the following matrix:   βw1 . . . βwn βv1 . . . βvm  1 0 ... 0      ..   0 .     . . . .  . .  1     . √ .. 2   .. . n n     . .  . 0  √ 0 ... 0 n2 n The following proposition shows that a ciphertext of ’0’ is, in some sense, close to this lattice. Proposition 8. Let ε > 0 and (u, w1 , . . . , wn , v1 , . . . , vm ) satisfying (2). A ciphertext x of ’0’ satisfies with probability at least 1 − ε: for all β > 0, r 1 4 βx n . dist , Lβ ≤ 1 + 0 2ε2 ε

232

Phong Nguyen and Jacques Stern

P Pn Proof. Any ciphertext x of ’0’ is of the form x = m i=1 bi vi + j=1 αj wj where bi ∈ {0, 1} and αj ∈ Z. We prove that the vector X = t (βx, 0) is close enough to t the lattice point Y = . . , αn , b1 , . . . , bm ). We have αj = bθj c where the Pm(βx, α1 , . P n θj ’s are defined by: i=1 bi vi = j=1 θj wj . Since the width of the parallelepiped P (w1 , . . . , wn ) is at least n−2 ρn , we have: n X j=1

α2j

≤

n X

θj2

j=1

*m +2 n n4 X X ⊥ ≤ 2 bi vi , wj . ρn j=1 i=1

Applying Markov’s inequality to (2), we obtain with probability at least 1 − ε over the choice of b1 , . . . , bm : n X j=1

α2j ≤

n8 n4 n4 ρ2n = . × ρ2n 2ε2 ε 2ε2 ε s

Therefore: dist(X, Lβ ) ≤ dist(X, Y ) ≤

n8 + n3 n5 ≤ 2ε2 ε

r 1+

1 4 n . 2ε2 ε

t u

Somehow, there is a converse to the previous proposition: Proposition 9. Let ε > 0 and (u, w1 , . . . , wn , v1 , . . . , vm ) satisfying (1). Let y be a point in the parallelepiped w = P (w1 , . . . , wn ). r r n8 ε1 8 ε1 βy n then hu, yi ∈ Z ± ε 1 + 1+ . If dist , Lβ ≤ ε 0 2π 2π β P Pn m Proof. The vector βy is of the form β + e, where ||e||2 b v + α w i i j j i=1 j=1 Pm 2 5 Pn and i=1 bi n + i=1 α2j are both less than ε2 ε1 n16 /(2π). Thus, m X

n X

ε |bi |dist(Z, hu, vi i) + |αj |dist(Z, hu, wj i) + dist(Z, hu, yi) ≤ β i=1 j=1

r

ε1 8 n . 2π

−7 By the Cauchy-Schwarz inequality and the fact √ that eachphvi , ui ∈ Z ± n , p the first term is bounded by ε2 ε1 n11 /(2π) × mn−14 = ε ε1 /(2π). Also, the second term is less than: v v u n uX u n 2 uX t αj × t dist(Z, hu, wj i)2 . j=1

j=1

p We know that the first term of this product is less than ε ε1 /(2π)n8 . And (1) bounds the second term. We conclude from all the inequalities obtained. t u If we collect these two propositions, we obtain a probabilistic reduction:

Cryptanalysis of the Ajtai-Dwork Cryptosystem

233

Theorem 10. There exists N such that for all σ, σ1 , σ2 > 0, there exists a polynomial time Turing machine taking a public key and a √ciphertext x as an input and making a single call to a (n + m, n4−(3σ+σ1 +σ2 )/2 /[ π(1 + 2n−σ−σ2 )])CVP-oracle which outputs a yes/no answer such that: for all n ≥ N , if the keys are picked at random as described in Ajtai-Dwork’s protocol, then with a probability of at least (1 − n−σ1 )(1 − n−σ2 ), – If x is a ciphertext of ’0’, the answer is yes with probability at least 1 − n−σ . – If x is a ciphertext of ’1’, the answer is yes with probability at most 3n−σ . Proof. We let ε1 = n−σ1 and ε2 = n−σ2 . For sufficiently large n (independently of σ1 and σ2 ), (1) and (2) are satisfied with probability at least (1 − ε1 )(1 − ε2 ) overpthe choice of the public key by Theorem 4. We let ε = n−σ and β = 4n8 ε1 /(2π). Calling once the CVP-oracle above, we obtain a lattice point α ∈ Lβ such that, for all γ ∈ Lβ : p ε ε1 /(2π) βx βx 4 . n dist γ, dist α, ≤p 0 0 1 + 1/(2ε2 ε) The machine outputs ’yes’ if and only if: r ε1 8 βx n . dist α, ≤ε 0 2π If x is a ciphertext of ’0’, Proposition 8 then ensures that the answer is ’yes’ with probability at least 1−ε. Now, if this inequality is satisfied, Proposition 9 implies that: hu, xi ∈ Z ± ε(1 + 14 + 14 ) = Z ± 32 ε. But this happens with probability at most 3ε if x is a ciphertext of ’1’. t u

5

Deciphering with a SVP-Oracle

We now show how to use SVP-oracles. Given a n-dimensional lattice L, an (n, k)SVP-oracle outputs a point α ∈ L such that for every β ∈ L: kαk ≤ kkβk. The main result of this section is the following: Theorem 11. Let θ, γ > 0 such that 5γ 2 + 2θ < 2. For all σ1 , σ2 > 0, there exists N > 0, σ ∈ ]0 ; 3 + 3/5[ and a polynomial time oracle Turing machine calling a (n2+γ , nθ )-SVP-oracle such that: for all n ≥ N , if the keys are picked at random as described in Ajtai-Dwork’s protocol, then with a probability of at least (1 − n−σ1 )(1 − n−σ2 ), the machine distinguishes encryptions of ’0’ from encryptions of ’1’ with polynomial advantage n−σ . Note: recall that the advantage ε of a distinguishing algorithm A is such that 1 + ε. 2 We will need a technical improvement over the computations of section 4 which reads as the following generalization of Theorem 4, proved in the appendix. The key to the improvement is to replace Markov’s inequality by moments inequalities, using the multinomial formula. P [A answers correctly] ≥

234

Phong Nguyen and Jacques Stern

Theorem 12. Let k be a positive integer. There exists M1 and M2 such that for sufficiently large n: for any choice of ε1 and ε2 in ]0, 1[, any set of keys (u, w1 , . . . , wn , v1 , . . . , vm ) picked at random as described in Ajtai-Dwork’s protocol satisfies the following with probability at least (1 − ε1 )(1 − ε2 ): n X

dist(Z, hu, wj i)2 ≤

j=1

M1 1/k n16 ε1

  *m +2  k n X X  n4k ρ2k  n M2 bi vi , wj⊥   ≤ E  ε 2 j=1 i=1

(4)

(5)

This leads to the following results: Lemma 13. For all k, there exists M3 such that: if (u, w1 , . . . , wn , v1 , . . . , vm ) satisfies (5), thenPa random ciphertext y of ’0’ is, with probability at least 1 − ε3 , Pn m of the form y = i=1 bi vi + j=1 αj wj , where bi ∈ {0, 1}, αj ∈ Z and n X

α2j ≤ M3 n8

j=1

1 (ε2 ε3 )1/k

(6)

Proof (Sketch). Apply Markov’s inequality to the random variable of (5), then 1/k extract k-th roots. Conclude with M3 = M2 , by bounding the sum of the α2j as in the proof of Proposition 8. t u Ciphertexts of ’0’ satisfying (6) are called good ciphertexts. Note that it is possible to produce good ciphertexts, given the public key, by a polynomial time algorithm. Lemma 14. For all k, there exists M4 such that: if (u, w1 , . . . , wn , v1 , . . . , vm ) satisfies (4), then any good ciphertext y of ’0’ satisfies dist(Z, hu, yi) ≤ M4

1 . n4 (ε1 ε2 ε3 )1/2k

Proof (Sketch). Decompose y with the bi ’s and√the αj ’s. Conclude by CauchySchwarz thanks to (6) and (4), with M4 = 1 + M1 M3 . t u We now fix some constants. Since 2θ + γ1 , γ2 , σ3 , k, λ such that 2θ +

5γ 2

< 2, there exist strictly positive

1 3γ + γ2 + λ + (σ1 + σ2 + σ3 ) < 2, 2 2k

with: 4/5 > γ2 > γ1 > γ, γ1 < γ + λ, and σ3 > 2(2 + γ + γ1 ). We let ε1 = n−σ1 , ε2 = n−σ2 and ε3 = n−σ3 . We assume that the keys satisfy (4) and (5) (which happens with probability at least (1 − ε1 )(1 − ε2 ) for sufficiently

Cryptanalysis of the Ajtai-Dwork Cryptosystem

235

large n). We will use our oracle as follows: let ν = n2+γ and consider a sequence (y1 , . . . , yν ) of elements of P (w1 , . . . , wn ). Choose a random permutation p of {1, . . . , ν} and apply the (n2+γ , nθ )-SVP-oracle to the lattice spanned by the γ columns of the following matrix, with β = n6 n1+ 2 :   βyp(1) βyp(2) . . . βyp(ν)  1 0 ... 0     ..   0 1 .      . ..  .. . 0  0 ... 0 1 The output is a vector (z, λ1 , . . . , λν ). Say that yi is hit if: γ

0 < |λp−1 (i) | ≤ n 2 +θ+λ . The following two propositions (proved in the appendix) show that ciphertexts of ’0’ and ’1’ behave differently. Proposition 15. If y1 , . . . , yν are ciphertexts of ’1’, then y1 is hit with probability Ω(n−γ1 ). Proposition 16. If y1 is a ciphertext of ’1’ and y2 , . . . , yν are good ciphertexts of ’0’, then y1 is hit with probability O n−γ2 . We show how to conclude. The distributions Sν = (y1 , . . . , yν : yi is a ciphertext of ’1’) and Tν = (y1 , . . . , yν : y1 is a ciphertext of ’1’ and the others are good ciphertexts of ’0’) are distinguished by the test “y1 is hit” with advantage Ω(n−γ1 ). Using the “hybrid technique” (see [13]), we introduce the distributions Si = (y1 , . . . , yν : y1 , . . . , yi are ciphertexts of ’1’ and yi+1 , . . . , yν are good ciphertexts of ’0’). There exists i such that Si−1 and Si are distinguished by the test with advantage: Ω(n−γ1 /ν) = Ω(n−2−γ1 −γ ). One can check whether a given y is a ciphertext of ’0’ or ’1’ by querying the answer of the test for (y1 , . . . , yi−1 , y, yi+1 , . . . , yν ) where y1 , . . . , yi−1 are random ciphertexts of ’1’ and yi+1 , . . . , yν are random good ciphertexts of ’0’. Since the bad ciphertexts of ’0’ form a set of probability less than ε3 = n−σ3 where σ3 > 2(2 + γ + γ1 ), the distinguisher has (for sufficiently large n) polynomial advantage n−σ if σ > 2 + γ + γ1 . But: 2 + γ + γ1 < 2 +

3 4 4 + =3+ . 5 5 5

Therefore, σ can be chosen strictly less than 3 + 3/5, and the result follows. Note: the above construction is non-uniform. Eliminating the non-uniformity requires “sampling” the test for the various distributions Si (see [13]).

236

6

Phong Nguyen and Jacques Stern

Conclusion

We have shown how to reduce the question of distinguishing encryptions of one from encryptions of zero in the Ajtai-Dwork cryptosystem to approximating CVP or SVP. For the sake of simplicity, our results were proved with the choice of constants from [15]. Of course, the method extends to a more general setting as well, with the same proofs. More precisely, if we let m = nc (instead of n3 ) and denote by Sn the n-dimensional ball of radius n−d of n−8 ), one √ (instead d−(c+5)/2−(3γ+γ1 +γ2 )/2 −γ−γ2 can show that with a (n + m, n /[ π(1 + 2n )])-CVPoracle, Theorem 10 remains valid. Theorem 11 also remains valid with a constant σ in ]0 ; 2 + 2(2d − (9 + c))/5[ if θ and γ are such that 5γ 2 + 2θ < d − (9 + c)/2 and we use a (n2+γ , nθ )-SVP-oracle. In particular, the CVP-reduction implies that breaking the Ajtai-Dwork cryptosystem is unlikely to be NP-hard. We have also presented a heuristic attack to recover the private key, given only the public key. It has been successfully implemented in the case of small parameters, and latest expriments suggest that the attack could be applied to real-life parameters in a reasonable time. This shows that unless major improvements are found, the Ajtai-Dwork cryptosystem is only of theoretical importance. Acknowledgements. We would like to thank the anonymous referees for their helpful comments.

References 1. L. M. Adleman. On breaking generalized knapsack public key cryptosystems. In Proc. 15th ACM STOC, pages 402–412, 1983. 224 2. M. Ajtai. Generating hard instances of lattice problems. In Proc. 28th ACM STOC, pages 99–108, 1996. Available at [11] as TR96-007. 224 3. M. Ajtai. The shortest vector problem in L2 is NP-hard for randomized reductions. In Proc. 30th ACM STOC, 1998. Available at [11] as TR97-047. 223 4. M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proc. 29th ACM STOC, pages 284–293, 1997. Available at [11] as TR96-065. 224, 225, 225, 226 5. S. Arora, L. Babai, J. Stern, and Z. Sweedyk. The hardness of approximate optima in lattices, codes, and systems of linear equations. Journal of Computer and System Sciences, 54(2):317–331, 1997. 223 6. L. Babai. On Lov´ asz lattice reduction and the nearest lattice point problem. Combinatorica, 6:1–13, 1986. 223 7. E. Brickell. Breaking iterated knapsacks. In Proc. CRYPTO’84, volume 196 of LNCS, pages 342–358, 1985. 224 8. J.-Y. Cai and A. P. Nerurkar. An improved worst-case to average-case connection for lattice problems. In Proc. 38th IEEE FOCS, pages 468–477, 1997. 224 9. D. Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. of Cryptology, 10(4):233–260, 1997. 224 10. M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. Computational Complexity, 2:111– 128, 1992. 224 11. ECCC. http://www.eccc.uni-trier.de/eccc/. The Electronic Colloquium on Computational Complexity. 236, 236, 236, 237, 237, 237, 237

Cryptanalysis of the Ajtai-Dwork Cryptosystem

237

12. P. van Emde Boas. Another NP-complete problem and the complexity of computing short vectors in a lattice. Technical report, Mathematische Instituut, University of Amsterdam, 1981. Report 81-04. 223 13. O. Goldreich. Foundations of Cryptography (Fragments of a Book). Weizmann Institute of Science, 1995. Available at [11]. 235, 235 14. O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In Proc. 30th ACM STOC, 1998. Available at [11] as TR97-031. 223 15. O. Goldreich, S. Goldwasser, and S. Halevi. Eliminating decryption errors in the Ajtai-Dwork cryptosystem. In Proc. of Crypto’97, volume 1294 of LNCS, pages 105–111. Springer-Verlag, 1997. Available at [11] as TR97-018. 225, 226, 236 16. A. Joux and J. Stern. Lattice reduction: a toolbox for the cryptanalyst. (to appear in J. of Cryptology). 224 17. J.C. Lagarias and A.M. Odlyzko. Solving low-density subset sum problems. In Proc. 24th IEEE FOCS, pages 1–10. IEEE, 1983. 224 18. A. K. Lenstra, H. W. Lenstra, and L. Lov´ asz. Factoring polynomials with rational coefficients. Math. Ann., 261:515–534, 1982. 223 19. P. Nguyen and J. Stern. Merkle-Hellman revisited: a cryptanalysis of the QuVanstone cryptosystem based on group factorizations. In Proc. of Crypto’97, volume 1294 of LNCS, pages 198–212. Springer-Verlag, 1997. 227, 228, 228 20. P. Nguyen and J. Stern. A converse to the Ajtai-Dwork security proof and its cryptographic implications. Technical Report TR98-010, ECCC, 1998. Revision available at [11]. 225 21. C.-P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science, 53:201–224, 1987. 223 22. A. Shamir. A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In Proc. 23rd IEEE FOCS, pages 145–152, 1982. 224 23. V. Shoup. Number Theory C++ Library (NTL) version 2.0. Can be obtained at http://www.cs.wisc.edu/~shoup/ntl/. 228 24. J. Stern. Secret linear congruential generators are not cryptographically secure. In Proc. 28th IEEE FOCS, pages 421–426, 1987. 224

A A.1

Appendix Proof of Theorem 12

The proof is similar to the one of Theorem 4. Let u be a private key. For (4), we need to generalize Lemma 5 and 6. Let δ be a randomly chosen point from Sn : E[hu, δi2k ] ≤

4Wn n16

Z

1

(1 − y 2 )(n−1)/2 y 2k dy. 0

R π/2 This integral is equal to I(n, k) = 0 sinn θ cos2k θdθ. We have I(n, 0) = Wn and an integration by parts shows that: I(n, k) = 2k−1 n+1 I(n + 2, k − 1). This k implies I(n, k) ≤ Wn (2k)!/n . Hence: E[hu, δi2k ] ≤

4 (2k)! 2π(2k)! × k Wn2 ≤ 17+k . 16 n n n

238

Phong Nguyen and Jacques Stern

The expectation would P be equal to zero if there was an odd power instead of 2k. Now, let v = a + i δi be a randomly chosen point from the distribution Hu . We have:  !2k  n X . E dist(Z, hu, vi)2k ≤ E  hu, δi i i=1

If we expand this product, we obtain a sum of m2k terms. But all the terms for which some hu, δi i has an odd exponent disappear. By the multinomial formula and the independence of the δj ’s, this expectation is therefore equal to: X i1 +···+in =k

n Y (2k)! E hu, δj i2ij . (2i1 )! · · · (2in )! j=1

We know that each product is less than

Y 2π(2ij )! (2π(2k)!)2k ≤ . And: n17+ij n17k+k i >0 j

X i1 +···+in =k

(2k)! (2k)! ≤ (2i1 )! · · · (2in )! k!

X i1 +···+in =k

(2k)! k k! = n . i1 ! · · · in ! k!

Thus: (2k)! k (2π(2k)!)2k 1 n × E dist(Z, hu, vi)2k ≤ ≤ 17k 4k π 2k (2k)!2k+1 . k! n17k+k n Therefore:  k  n X   dist(Z, hu, wj i)2   ≤ E  j=1

X j1 +···+jn =k

≤

X j1 +···+jn =k

≤

n Y k! E dist(Z, hu, w` i)2j` j1 ! · · · jn ! `=1

k k! 1 4k π 2k (2k)!2k+1 j1 ! · · · jn ! n17k

k 1 4k π 2k (2k)!2k+1 n16k

Thus, by the moment inequality, (4) is satisfied with probability at least 1 − ε1 with respect to the choice of w1 , . . . , wn , if we let M1 = 4k π 2k (2k)!2k+1 . For (5), as in the proof of (2), we bound the expectation when the bi ’s are fixed. A first bound is obtained when the vi ’s are independent random variables uniformly distributed over the hypercube Bn . Then, we show that with the actual distribution of the vi ’s, the additional error is negligible, so that the bound of (5) is satisfied for sufficiently large n, thanks to Markov’s inequality. For the first bound, we generalize Lemma 7 with the same tricks we used to generalize Lemma 5. Let t = (t1 , . . . , tn ) be a vector in the n-dimensional unit sphere. Let s = (s1 , . . . , sn ) be a randomly chosen point with uniform

Cryptanalysis of the Ajtai-Dwork Cryptosystem

239

distribution from Bn . We have:

 2k  n X   E[hs, ti2k ] = E  s j tj   . j=1

If we expand this product, we obtain m2k terms. But all the terms for which some sj has an odd exponent disappear. We obtain by the multinomial formula: X

E[hs, ti2k ] =

i1 +···+in =k

(2k)! E (s1 t1 )2i1 · · · (sn tn )2in . (2i1 )! · · · (2in )!

And since the sj ’s are independent: 2in 2i1 +···+2in 1 E (s1 t1 )2i1 · · · (sn tn )2in = t2i 1 · · · tn ρ n

1 1 ··· . 2i1 + 1 2in + 1

Therefore: X

E[hs, ti2k ] = ρ2k n

i1 +···+in =k

(2k)! n t2i1 · · · t2i n . (2i1 + 1)! · · · (2in + 1)! 1

And this sum is less than: (2k)! k!

X i1 +···+in =k

(2k)! 2 (2k)! k! n t2i1 · · · t2i (t1 + · · · + t2n )k = . n = i1 ! · · · in ! 1 k! k!

Thus:

(2k)! 2k ρ . k! n And this expectation would be equal to zero if there was an odd power instead of 2k. Therefore, if we assume that the vi ’s are distributed uniformly over Bn : * +2k  m m X Y X (2k)! ⊥   E bi vi , wj E hv` , wj⊥ i2i` . ≤ (2i )! · · · (2i )! 1 m i=1 E[hs, ti2k ] ≤

i1 +···+im =k

We know that each product is less than

`=1

Y (2i` )! 2k k ` ρ2i n ≤ ρn (2k)! . And: i ! ` i >0 `

X i1 +···+im =k

(2k)! (2k)! ≤ (2i1 )! · · · (2im )! k!

X i1 +···+im =k

(2k)! k k! = m . i1 ! · · · im ! k!

It follows that: * +2k  m X (2k)!k+1 k k (2k)! k  ≤ ρ2k m = ρ2k m . bi vi , wj⊥ E n (2k)! n k! k! i=1

240

Phong Nguyen and Jacques Stern

P P ⊥ 2 k Therefore, if we denote by X the random variable ( nj=1 h m i=1 bi vi , wj i ) , the multinomial formula shows that: * +2j`  n m X Y X k!  E[X] ≤ E bi vi , w`⊥ j1 ! · · · jn ! i=1 j1 +···+jn =k

≤

X j1 +···+jn =k

≤

X

j1 +···+jn =k

`=1

Y k! (2j` )!j` +1 j` ` m ρ2j j1 ! · · · jn ! j >0 n j` ! `

k! ρ2k (2k)!k+1 mk j1 ! · · · jn ! n

k+1 k ≤ ρ2k m × n (2k)!

≤ n4k ρ2k n

(2k)! k n k!

(2k)!k+2 k!

With the actual distribution of the vi ’s, there is an additional term which is negligible, so that the wanted bound is satisfied for sufficiently large n, with for instance: M4 = (2k + 1)!k+2 /k!. A.2

Proof of Proposition 15

We first need a combinatorial lemma: Lemma 17. For sufficiently large n, for all elements y1 , . . . , yν in the parallelepiped P (w1 , . . . , wn ), there exist coefficients λi (not all zero) in {−1, 0, +1} such that:

ν

X

1

λi yi ≤ 6 .

n i=1 Proof (Sketch). Same reasoning as in the proof of Theorem 2.

t u

Lemma 18. Let λ1 , . . . , λν be integers not all zero. If y1 , . . . , yν are chosen at random in the parallelepiped P (w1 , . . . , wn ) then:

# " ν

X 1 1

≤ n. λi yi ≤ Pr

2n2

ρn i=1

Pν Proof. Assume that the inequality is satisfied. Write i=1 λi yi as Pν on the norm P n 2 j=1 αj wj . We have: |αj | ≤ k i=1 λi yi k × n /ρn ≤ 1/(2ρn ). The probability is therefore bounded by the probability that each αj is between − 2ρ1n and 2ρ1n . Pn Each yi is of the form `=1 µi,` w` where the µi,` ’s are independently chosen Pν in [0, 1[ with uniform distribution. It follows that: αj = λ µ . If λi is i=1 i i,j non-zero, then λi µi,j modulo 1 is uniformly distributed over [0, 1[. Since the λi ’s are not all zero, αj modulo 1 is therefore uniformly distributed over [0, 1[. Furthermore, the αj ’s are independent, and the result follows. t u

Cryptanalysis of the Ajtai-Dwork Cryptosystem

241

This probabilistic lemma is the core of the following result: Lemma 19. Let τ = γ1 −γ. If y1 , . . . , yν are chosen at random in P (w1 , . . . , wn ) then the probability that there exist λ1 , . . . , λν not all zero such that

ν

√ 1

X

λi yi ≤ 2 6−θ (7)

n i=1 √ (8) k(λ1 , . . . , λν )k ≤ 2n1+γ/2+θ 2−τ (9) |{i : λi 6= 0}| ≤ n is exponentially small (with respect to n). Proof. The number of non-zero (λ1 , . . . , λν ) satisfying (8) and (9) is at most 2+γ 2−τ 2−τ 2−τ n (2n1+γ/2+θ )n ≤ (n2+γ )n (2n1+γ/2+γ )n . 2−τ n Since θ < 3, by Lemma 18, each vector has probability less than ρ−n n to satisfy 2+γ n2−τ 1+γ/2+θ n2−τ −n ) (2n ) ρn . (7). This yields an overall probability less than (n Taking logarithms we get: h i γ n2−τ (2 + γ) log2 n + 1 + + θ log2 n + 1 − n2 log2 n. 2 Since 2 − τ < 2, the leading term is −n2 log2 n and the result follows.

t u

. . . , λν ) of the oracle. By Lemma 17 and by Now, consider the output (z, λ1 , P ν definition of the oracle, kzk2 and i=1 λ2i are both less than: 1 n2θ β 2 12 + ν ≤ n2θ n2+γ + n2+γ = 2n2+γ+2θ . n Therefore: √

√

λ1 vp(1) + · · · + λν vp(ν) ≤ 2n6−θ and k(λ1 , . . . , λν )k ≤ 2n1+γ/2+θ . This means that (7) and (8) are satisfied if we use the yp(i) ’s instead of the yi ’s. Since the λi ’s are not all zero and y1 , . . . , yν are ciphertexts of ’1’, Lemma 19 implies that with overwhelming probability, (9) is not satisfied: at least n2−τ coefficients are non zero. By symmetry, the probability that yi is hit does not depend on i. Furthermore, (8) implies that the number x of (λ1 , . . . , λν )’s such that |λi | ≥ nγ/2+θ+λ is such that: xnγ+2θ+2λ ≤ k(λ1 , . . . , λν )k2 ≤ 2n2+γ+2θ . Hence: x ≤ 2n2−2λ . Since λ > τ (because γ1 < γ + λ), this number is negligible with respect to n2−τ . Now, the probability that λi is hit is: 2−τ 1 1 n =Ω =Ω . Ω n2+γ nγ+τ n γ1

242

A.3

Phong Nguyen and Jacques Stern

Proof of Proposition 16

As in the proof of Proposition 15, consider the√ output (z, λ1 , . . . , λν ) of the oracle. kzk and k(λ1 , . . . , λν )k are still less than 2n1+θ+γ/2 . And we have: λp−1 (1) y1 =

ν X 1 z− λp−1 (i) yi . β i=2

Since y2 , . . . , yν are good ciphertexts of ’0’, Lemma 14 implies that for all i ≥ 2: dist(Z, hu, yi i) ≤ M4

1 . n4 (ε1 ε2 ε3 )1/2k

Therefore, by the Cauchy-Schwarz inequality: s +! v * ν u ν X uX 2 t λp−1 (i) yi , u ≤ λp−1 (i) × νM42 dist Z, i=2

i=1

1 n8 (ε1 ε2 ε3 )1/k

√ 1 ≤ 2n1+θ+γ/2 M4 n1+γ/2−4 (ε1 ε2 ε3 )1/2k √ 2 ≤ M4 nθ+γ−2 . (ε1 ε2 ε3 )1/2k

Furthermore: dist(Z, hz/β, ui) ≤ Therefore, for sufficiently large n:

dist(Z, λp−1 (1) y1 , u ) ≤ M4

√

2nθ−6 . √

3 nθ+γ−2. (ε1 ε2 ε3 )1/2k

If λp−1 (1) is a fixed integer, since y1 is a random vector in the parallelepiped, the latter inequality is satisfied with probability at most: √ 3 nθ+γ−2 . 2M4 (ε1 ε2 ε3 )1/2k But if y1 is hit, then:

o n γ |λp−1 (1) | ∈ 1, 2, . . . , n 2 +θ+λ .

Hence, y1 is hit with probability at most: √ 2 3 nθ+γ−2 2nγ/2+θ+λ . 2M4 (ε1 ε2 ε3 )1/2k As n grows, this is: 1 2θ+3γ/2+λ−2+(σ1 +σ2 +σ3 )/(2k) O n . =O n γ2 And this concludes the proof.

Cryptanalysis of the Chor-Rivest Cryptosystem Serge Vaudenay? Ecole Normale Sup´erieure — CNRS [email protected]

Abstract. Knapsack-based cryptosystems used to be popular in the beginning of public key cryptography before being all broken, all but the Chor-Rivest cryptosystem. In this paper, we show how to break this one with its suggested parameters: GF(p24 ) and GF(25625 ). We also give direction on possible extensions of our attack.

Recent interests about cryptosystems based on knapsacks or lattice reduction problems unearthed the problem of their security. So far, the Chor-Rivest was the only unbroken cryptosystem based on the subset sum problem [2,3]. In this paper, we present a new attack on it which definitely breaks the system for all the proposed parameters in Chor-Rivest’s final paper [3]. We also give directions to break the general problem, and related cryptosystems such as Lenstra’s Powerline cryptosystem [8].

1

The Chor-Rivest Cryptosystem

We let q = ph be a power-prime (for a practical example, let p = 197 and h = 24). We consider the finite field GF(q) and we assume that its representation is public (i.e. there is a public h-degreed polynomial P (x) irreducible on GF(p) and elements of GF(q) are polynomials modulo P (x)). We also consider a public numbering α of the subfield GF(p), i.e. {α0 , . . . , αp−1 } = GF(p) ⊆ GF(q). Secret keys consist of – – – –

an element t ∈ GF(q) with algebraic degree h a generator g of GF(q)∗ an integer d ∈ Zq−1 a permutation π of {0, . . . , p − 1}

Public keys consist of all ci = d + logg (t + απ(i) ) mod q − 1 for i = 0, . . . , p − 1. For this reason, the public parameters must be chosen such that the discrete logarithm is easy to calculate in GF(q). In the final paper, the authors suggested to use a relatively small prime power p and a ?

Part of this work was done when the author was visiting AT&T Labs Research.

H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 243–256, 1998. c Springer-Verlag Berlin Heidelberg 1998

244

Serge Vaudenay

smooth power h, i.e. an integer with only small factors so that we can apply the Pohlig-Hellman algorithm [11].1 Suggested parameters corresponds to the fields GF(19724 ), GF(21124 ), GF(24324 ), and GF(25625 ). The Chor-Rivest cryptosystem works over a message space which consists of all p-bit strings with Hamming weight h. This means that the message to be encrypted must first be encoded as a bitstring m = [m0 . . . mp−1 ] such that m0 + . . . + mp−1 = h. The ciphertext space is Zq−1 and we have E(m) = m0 c0 + . . . + mp−1 cp−1 mod q − 1. To decrypt the ciphertext E(m), we compute p(t) = g E(m)−hd as a polynomial in term of t over GF(p) with degree at most h − 1, which must be equal to Y (t + απ(i) ) mi =1

in GF(q). Thus, if we consider µ(x) + p(x) where µ(x) is the minimal polynomial of t, we must obtain the formal polynomial Y (x + απ(i) ) mi =1

whose factorization leads to m. Although the public key generation relies on intricate finite fields computations, the decryption problem is based on the traditional subset sum problem (also more familiarly called knapsack problem): given a set of pieces c0 , . . . , cp−1 and a target E(m), find a subset of pieces so that its sum is E(m). This problem is known to be hard, but the cryptosystem hides a trapdoor which enables the legitimate user to decrypt. This modifies the genericity of the problem and the security is thus open.

2

Previous Work

The Merkle-Hellman cryptosystem was the first subset-sum-based cryptosystem [10]. Although the underlying problem is NP-complete, it has surprisingly been broken by Shamir [12]. Later, many other variants have been shown insecure for any practical parameters by lattice reduction techniques (see [6] for instance). Actually, subset-sum problems can be characterized by the density parameter which is (with our notations) the ratio d = p/ log2 q. When the density is far from 1 (which was the case of most of cryptosystems), the problem can 1

This √algorithm with Shanks’ baby step giant step trick has a complexity of O(h3 B log p) simple GF(p)-operations for computing one ci where B is the largest prime factor of ph − 1. (See Koblitz [7].) Since pr − 1 is a factor of ph − 1 when r is a factor of h, B is likely to be small when h only has small prime factors.

Cryptanalysis of the Chor-Rivest Cryptosystem

245

efficiently be solved by lattice reduction algorithms like the LLL algorithm [9]. The Chor-Rivest cryptosystem is an example of cryptosystem which achieves a density close to 1 (for p = 197 and h = 24, the density is 0.93). Its underlying problem has however the restriction that the subsets must have cardinality equal to h. Refinement of lattice reduction tools with this restriction have been studied by Schnorr and H¨ orner [13]. They showed that implementations of the Chor-Rivest cryptosystem with parameters p = 151 and h = 16 could be broken within a few days of computation on a single workstation (in 1995). So far, the best known attack for secret key recovery is Brickell’s attack √ which works within a complexity of O(p2 h h2 log p). It has been published in the final paper by Chor and Rivest [3]. This paper also includes several attempts of attacks when parts of the secret key is disclosed. In Sect. 5, we briefly review a few of them in order to show what all quantities in the secret key are for. The Chor-Rivest cryptosystem has the unnatural property that the choice of the finite field GF(q) must be so that computing the discrete logarithm is easy. A variant has been proposed by Lenstra [8] which overcomes this problem. In this setting, any parameter can be chosen, but the encryption needs multiplications instead of additions. This variant has further been extended by Camion and Chabanne [1].

3

Symmetries in the Secret Key

In the Chor-Rivest cryptosystem setting, one has first to choose a random secret key, then to compute the corresponding public key. It relies on the difficulty of finding the secret key from the public key. It shall first be noticed that there are several equivalent secret keys, i.e. several keys which correspond to the same public key and thus which define the same encryption and decryption functions. We first notice that if we replace t and g by their pth power (i.e. if we apply the Frobenius automorphism in GF(q)), the public key is unchanged because loggp (tp + απ(i) ) =

1 logg ((t + απ(i) )p ) = logg (t + απ(i) ). p

Second, we can replace (t, απ ) by (t + u, απ − u) for any u ∈ GF(p). Finally, we can replace (t, d, απ ) by (ut, d − logg u, u.απ ) for any u ∈ GF(p). Thus we have at least hp2 equivalent secret keys. The Chor-Rivest problem consists of finding one of it. Inspired by the symmetry use in the Coppersmith-Stern-Vaudenay attack against birational permutations [4], these properties may suggest that the poly Qh−1 pi of whom all the equivalent t’s are the roots plays a crucial nomial i=0 x − t role. This is actually the case as shown by the attacks in the following sections.

4

Relation to the Permuted Kernel Problem

Throughout this paper, we will use the following property of the Chor-Rivest cryptosystem.

246

Serge Vaudenay

Fact 1 For any factor r of h, there exists a generator gpr of the multiplicative group of the subfield GF(pr ) of GF(q) and a polynomial Q with degree h/r and coefficients in GF(pr ) and such that −t is a root and that for any i we have Q(απ(i) ) = gpr ci . Proof. We let Q(x) = gpr d

h/r−1

Y

ri

x + tp

(1)

i=0

Q ri where gpr = g p (gpr can be considered as the norm of g when considering the extension GF(pr ) ⊆ GF(q)). We notice that we have Q(x) ∈ GF(pr ) for any x ∈ GF(pr ). Since pr > hr we obtain that all coefficients are in GF(pr ). The property Q(απ(i) ) = gpr ci is straightforward. t u Since h/r is fairly small, it is unlikely that there exists some other (gpr , Q) solutions, and gpr is thus essentially unique. Throughout this paper we will use the notation q−1 gq0 = g q0 −1 . If we consider the Vandermonde matrix M = (αi j )

0≤i

and the vector V = (gpr ci )0≤i

If we let V i denotes the vector of the ith coordinates in vector V , we have ∀i

H.Vπi−1 = 0.

Unfortunately, there exists no known efficient algorithms for solving this problem. Since the matrix has a very special form, the author of the present paper believes it is still possible to attack the problem in this direction, which may improve the present attack.

5

Partial Key Disclosure Attacks

In this section we show that we can mount an attack when any part of the secret key is disclosed. Several such attacks have already been published in [3]. Some have been improved below and will be used in the following.

Cryptanalysis of the Chor-Rivest Cryptosystem

247

Known t Attack. If we guess that π(0) = i and π(1) = j (because of the symmetry in the secret key, we know that an arbitrary choice of (i, j) will work), we can compute log(t + αi ) and log(t + αj ) then solve the equations log(t + αi ) log g log(t + αj ) c1 = d + log g c0 = d +

with unknowns d and log g.2 Known g Attack. If we guess that π(0) = i and π(1) = j (because of the symmetry in the secret key, we know that an arbitrary choice of (i, j) will work), we can compute t + αi g c0 −c1 = t + αj then solve t.3 Known π Attack. We find a linear combination with the form p−1 X

xi (ci − c0 ) = 0

i=1

with relatively small integral coefficients xi ’s. This can be performed through the h LLL algorithm [9]. We can expect that |xi | ≤ B with B ≈ p p−1 . Exponentiating this we get some equation Y Y (t + απ(i) )xi = (t + απ(j) )−xj i∈I

j∈J

with non-negative small powers, which is a polynomial equation with low degree which can be solved efficiently.4 Brickell’s attack with nothing known consists of finding a similar equation but with a limited number ` of απ(i) and then exhaustively finding for those π(i)’s. There is a tradeoff on `: the LLL algorithm may product xi ’s smaller than h B = p ` , the root finding algorithm requires O(B 2 h log p) GF(p)-operations and the exhaustive search requires O(p` ) trials. (For more details and better analysis, see [3].) Known gpr and π Attack. Since we will use this attack several times in the following, we put it here. We can interpolate the Q(x) polynomial of Fact 1 with h/r + 1 pairs (απ(i) , gpr ci ). We thus obtain a h/r-degree polynomial whose roots are conjugates of −t. We can thus solve it in order to get t and perform a known t attack. 2 3 4

Another attack attributed to Goldreich was published in [3]. Another attack was published in Huber [5]. This attack was attributed to Odlyzko and published in [3].

248

6

Serge Vaudenay

Known gpr Attack

Here we assume we know the gpr value corresponding to a subfield GF(pr ) (see Fact 1). Let i0 , . . . , ih/r be h/r + 1 pairwise distinct indices from 0 to p − 1. Because of Fact 1 we can interpolate Q(x) on all απ(ij ) ’s, which leads to the relation gpr ci =

h/r X

gpr cij

Y 0≤k≤h/r k6=j

j=0

απ(i) − απ(ik ) απ(ij ) − απ(ik )

(2)

for i = 0, . . . , p − 1. Actually, we can even write this as gpr ci − gpr ci0 =

h/r X

(gpr cij − gpr ci0 )

Y 0≤k≤h/r k6=j

j=1

απ(i) − απ(ik ) . απ(ij ) − απ(ik )

(3)

Because of the symmetry of π in the secret key, we can arbitrarily choose π(i1 ) and π(i2 ) (see Sect. 3). A straightforward algorithm for finding π consists of exhaustively look for the values of π(ij ) for j = 0, 3, . . . , h/r until Equation (2) gives a consistent permutation π. It is illustrated on Fig. 1. The complexity of this method if roughly O(hph/r−1 ) computations in GF(p).

Input GF(q) descriptors, α numbering, c0 , . . . , cp−1 , r|h, gpr Output a secret key whose corresponding public key is c0 , . . . , cp−1 1. choose pairwise different i0 , . . . , ih/r in {0, . . . , p − 1} 2. choose different π(i1 ) and π(i2 ) arbitrarily in {0, . . . , p − 1} 3. for all the possible values of π(i0 ), π(i2 ), . . . , π(ih/r ) (i.e. all values such that π(i0 ), . . . , π(ih/r ) are pairwise different and in the set {0, . . . , p − 1}), we set S = {π(i0 ), . . . , π(ih/r )} and do the following (a) for all j which is not in S, compute the right-hand term of Equation (2) with αj instead of απ(i) . If it is equal to gpr ci such that π(i) has not been defined, set π(i) = j, otherwise continue loop in step 3. (b) perform a known gpr and π attack. h

Fig. 1. An O(p r −1 ) Known gpr Attack. When √ r is large enough, there is a much better algorithm. Actually, if h/r ≤ r (i.e. r ≥ h), the coefficients in Equation (2) are the only GF(p) coefficients c which write gpr ci − gpr ci0 in the basis gpr ci0 − gpr ci0 , . . . , gpr ih/r − gpr ci0 . Let c aij be the coefficient of gpr ij − gpr ci0 for gpr ci − gpr ci0 . We have απ(i) − απ(i1 ) ai2 =u i απ(i) − απ(i2 ) a1

(4)

Cryptanalysis of the Chor-Rivest Cryptosystem

249

where u is an element of GF(p) which does not depend on i. Hence, if we randomly choose ij for j = 0, . . . , h/r, we can write all gpr ci − gpr ci0 ’s in the basis c (gpr ci0 − gpr ci0 , . . . , gpr ih/r − gpr ci0 ). Now if we guess the GF(p)-value of u, we obtain π(i) from the above equation. This is a polynomial algorithm in p, h, r for getting π. √ Input GF(q) descriptors, α numbering, c0 , . . . , cp−1 , r|h, gpr s.t. r ≥ h Output a secret key whose corresponding public key is c0 , . . . , cp−1 1. choose pairwise different i0 , . . . , ih/r in {0, . . . , p −1} and precompute the basis c transformation matrix for the basis (gpr ci0 − gpr ci0 , . . . , gpr ih/r − gpr ci0 ) 2. choose different π(i1 ) and π(i2 ) arbitrarily in {0, . . . , p − 1} 3. for all possible u in GF(p), do the following (a) for all i, write gpr ci − gpr ci0 in the basis and get ai0 and ai1 . From Equation (4) get π(i). If it is not consistent with other π(i0 ), continue loop in step 3. (b) perform a known gpr and π attack.

Fig. 2. A Polynomial Known gpr Attack for r ≥

√

h.

In the rest of the paper, we show how to find gpr with a choice of r so that these known gpr attacks can be applied.

7

Test for gpr

Equation (3) means that all gpr ci ’s actually stand on the same h/r-dimensional affine subspace of GF(pr ) over GF(p). Thus, if we assume that h/r + 1 ≤ r q (i.e. r ≥

h+

1 4

+ 12 ), this leads to a simple test for gpr .

Fact 2 If there exists a factor r of h such that r ≥ r

q h+

1 4

+ 12 if we let gpr de-

h−r

notes g 1+p +...+p , then all gpr ci ’s stands on the same h/r-dimensional affine space when considering GF(pr ) as an r-dimensional GF(p)-affine space. The existence of such an r can be seen as a bad requirement for this attack, but since the parameters of the Chor-Rivest cryptosystem must make the discrete logarithm easy, we already know that h has many factors, so this hypothesis is likely to be satisfied in practical examples. Actually, h with no such factors are prime and square-prime numbers. The real issue is that r shall not be too large. Thus there is an algorithm which can check if a candidate for gpr is good: the algorithm simply check that all gpr ci ’s are affine-dependent. The algorithm has an average complexity of O(h3 /r) operations in GF(p). Since there are ϕ(pr − 1)/r candidates, we can exhaustively search for√gpr within a complexity of O(h3 pr /r2 ). Since r has to be within the order of h, this attack is better

250

Serge Vaudenay

than Brickell’s attack provided that such an r exists. The algorithm is depicted on Fig. 3.

q

Input GF(q) descriptors, α numbering, c0 , . . . , cp−1 , r|h s.t. r ≥ h + 14 + 12 Output possible values for gpr 1. choose pairwise different i0 , . . . , ih/r in {0, . . . , p − 1} 2. for any generator gpr of GF(pr ), do the following c (a) get the equation of the affine space spanned by (gpr ci0 , . . . , gpr ih/r ) ci (b) for all other i, check that gpr in the space. If not, continue loop in step 2. (c) perform the known gpr attack of Fig. 2.

Fig. 3. An O(pr ) Attack for r ≥

q

h+

1 4

+ 12 .

With the parameter h = 24, we can take r = 6. We have about 241 candidates for gpr so we can find it within 252 elementary operations, which is feasible with modern computers. Here we also believe we can still adapt this attack for smaller r values. The next section however gives an alternate shortcut to this issue.

8

On the Use of all the ci ’s

In his paper [8], Lenstra suspected that disclosing all the ci ’s in the public key was a weakness. Actually, this property enables to drastically improve the previous algorithm by using all the factors of h. We have the following fact. Fact 3 Let Q(x) be a polynomial over GF(pr ) with degree d and let e be an integer such that 1 ≤ e < p−1 d . We have X

Q(a)e = 0.

a∈GF(p)

This comes from the fact that Q(x)e has a degree less than p − 1 and that P ai = 0 for any i < p − 1. This proves the following fact. Fact 4 For any 1 ≤ e < (p − 1)r/h we have p−1 X i=0

gpr eci = 0.

Cryptanalysis of the Chor-Rivest Cryptosystem

251

This provides a much simpler procedure to select all gpr candidates. Its main advantage is that it works in any subfield. For instance, we can P consider r = 1 and find the only gp such that for all 1 ≤ e < (p − 1)r we have gpr eci = 0. The average complexity of checking one candidate is O(p) GF(p)-computations: it is unlikely that a wrong candidate will not be thrown by the e = 1 test. Hence, we can recover gp within O(p2 ) simple computations. Unfortunately, the gpr cannot be used efficiently when r is too small. We can still use gpr in smaller subfields to compute it in large ones. Our goal is to compute gpr with r large enough. Let us consider the problem of computing gpr when r1 , . . . , rk are factors of r with the knowledge of gpri . Since we have ri +...+pr−ri , we obtain that gpri = gp1+p r log gpr =

1+

log gpri + . . . + pr−ri

p ri

(mod pri − 1).

(5)

The knowledge of all gpri ’s thus gives the knowledge of log gpr modulo ` = lcm{pr1 − 1, pr2 − 1, . . . , prk − 1}. Thus we need only (pr − 1)/` trials to recover gpr . The algorithm is illustrated on Fig. 4. It is easy to see that each loop controlled in step 2 requires on average O(pr2 ) operations in GF(p).

Input GF(q) descriptors, α numbering, c0 , . . . , cp−1 , ri |r|h and gpri , i = 1, . . . , k Output set of possible gpr values 1. solve the Equation System (5) for i = 1, . . . , k and obtain that gpr = β.γ x for unknown x 2. for x = 0, . . . , (pr − 1)/lcm{pri − 1; i = 1, . . . , k} − 1 do the following (a) compute β eci γ eci x for e = 1, . . . (p−1)r/h−1 and if one sum is non-zero continue loop on step 2. (b) output gpr = β.γ x

P

Fig. 4. Getting gpr from the gpri .

Thus we can define an algorithm for dedicated h’s by a graph. Definition 5. Let G be a rooted labeled direct acyclic graph in which the root is labeled by a finite field GF(pr ) and such that whenever there is a u → v edge in G then the label L(u) of u is a subfield of the label L(v) of v and an extension of GF(p). We call G a “p-factoring DAG for GF(pr )”. To G and an integer p we associate the quantity C(G) =

X v

#L(v) − 1 . lcm{#L(w) − 1; v ← w}

252

Serge Vaudenay

(By convention, lcm of an empty set is 1.) We can define an algorithm for computing gpr with complexity O(pr2 C(G)). Thus, we can break the Chor-Rivest cryptosystem with parameter h which is neither prime nor a square prime within a complexity essentially   O  min

min

G is a p−factoring r|h √ DAG for GF(pr ) r≥ h

pr2 C(G) .

The corresponding algorithm is illustrated on Fig. 5.

Input GF(ph ) descriptors, α numbering, c0 , . . . , cp−1 , Output a possible secret key

q

1. for the smallest factor r of h such that r ≥ h + 14 + 12 , find the p-factoring DAG with minimal C(G) 2. for any u in G such that for all u ← ui , ui has been visited, visit u by doing the following (a) perform the algorithm of Fig. 4 with GF(pr ) = L(u) and GF(pri ) = L(ui ) and obtain gpr 3. perform the known gpr attack of Fig. 2

Fig. 5. An Efficient Attack Dedicated for h.

Example 6 (h = 25). We can solve the h = 25 case with a trivial G p-factoring DAG for GF(p5 ) which consists of two vertices labeled with GF(p) and GF(p5 ). From gp5 we can then apply the algorithm of Fig. 2. We have C(G) =

p5 − 1 + p − 1 ≈ p4 p−1

so the corresponding complexity is O(p5 ). Example 7 (h = 24). Here is another dedicated attack for h = 24. We can choose r = 6 for which we have h/r + 1 ≤ r. Recovering gp6 requires firstly, O(p) trials to get gp , secondly, O(p) trials to get gp2 with gp , thirdly, O(p2 ) trials to get gp3 with gp , finally, O(p2 ) trials to get gp6 with gp2 and gp3 . The maximum number of trials is thus O(p2 ). Hence the complexity is O(p3 ) multiplications in GF(p6 ). Actually, this attack corresponds to the p-factoring DAG for GF(p6 ) depicted on Fig. 6. For this DAG we have C(G) =

p3 − 1 p2 − 1 p6 − 1 + + +p−1 lcm(p2 − 1, p3 − 1) p−1 p−1

thus C(G) = 78014 for p = 197. We thus need about 229 operations in GF (197) to break the Chor-Rivest cryptosystem in GF(19724 ).

Cryptanalysis of the Chor-Rivest Cryptosystem

253

GF(p6 )

GF(p2 ) s

s @ I @

@ I @ @s

@s GF(p3 )

GF(p)

Fig. 6. A Factoring DAG for GF(p6 ).

9

Generalization

In this section we generalize our attack in order to cover the GF(25625 ) case i.e. when p is a power-prime: there is no reason why to restrict our attacks to finite fields which are extensions of GF(p) since we have many other subfields. For this we need to adapt the algorithm of Fig. 5 with generalized factoring DAGs, i.e. when the labels are not extensions of GF(p). We first state generalized version of Fact 1. Fact 8 Let GF(q 0 ) be a subfield of GF(q) i.e. q = q 0 . We let s

Q(x) = N (g d (x + t)) mod (xp − x) q−1

where N (y) = y q0 −1 . Q(x) is a polynomial such that Q(απ(i) ) = N (g)ci . In 1

addition, if we have gcd(s, h) < p0 where p0 = q lcm(s,h) then the degree of Q(x) is gcd(s, h) pp−1 . 0 −1 Proof. Q(απ(i) ) = N (g)ci is obvious since απ(i) is a root of xp − x. The useful part of this fact is the distance between the degree of Q(x) and p. We have s−1 Y 0i 0i xq + tq (mod (xp − x)). Q(x) ≡ N (g).N (x + t) ≡ N (g) i=0

We notice that xi mod (xp − x) = x(i−1) mod (p−1)+1 thus if we let d=

s−1 X

i q 0 − 1 mod (p − 1) + 1

i=0 1

the degree of Q(x) is d provided that d < p. Let p0 = q lcm(s,h) and p = pg0 . We have g−1 X s g−1 s p−1 sX . pi0 − 1 mod (pg0 − 1) + 1 = pi = d= g i=0 g i=0 0 g p0 − 1

254

Serge Vaudenay

We further notice that

s g

= gcd(s, h) and that d < p.

t u

As a consequence we obtain a generalized form of Fact 4. 1

Fact 9 Let q = ph = q 0 and p0 = q lcm(s,h) be such that gcd(s, h) < p0 − 1. We have p−1 X gq0 eci = 0 s

i=0

for any 1 ≤ e <

p0 −1 gcd(s,h) .

We can thus generalize the attack of Fig. 5 whenever each GF(q 1/s ) label fulfill 1 the assumption gcd(s, h) < p0 − 1 where p0 = q lcm(s,h) . Example 10 (q = 25625 ). The GF(16) field does not fulfill the assumption. However, the GF(256), GF(165 ) and GF(2565 ) fields do. We can thus start the attack with the field GF(256) and then obtain g16 from g162 as illustrated by the (generalized) factoring DAG of GF(2565 ) illustrated on Fig. 7. We have C(G) =

165 − 1 15 1 2565 − 1 + + + 255 = 131841 + 5 lcm(255, 16 − 1) 15 255 17

thus we need about 229 GF(16)-operations to break the Chor-Rivest cryptosystem in GF(25625 ).

GF(2565 )

GF(165 ) s

s @ I @ @s GF(256)

@ I @

@s

GF(16)

Fig. 7. A Generalized Factoring DAG for GF(2565 ).

We believe there is no need for formalizing further generalizations in the Chor-Rivest cryptosystem context. We believe that the more we have some subfield choices of GF(q), the lower is the complexity of the best attack.

Cryptanalysis of the Chor-Rivest Cryptosystem

10

255

Conclusion

We have described general attack when the parameter h has a small factor r q greater than h + 14 + 12 which has a complexity O(h3 pr /r2 ). We also have solved one of Lenstra’s conjectures arguing that keeping all the ci coefficients in the public key is a weakness by exhibiting a shortcut algorithm in the previous attack. The attack has been successfully implemented on an old laptop with the suggested parameters GF(p24 ) by using hand-made (inefficient) arithmetic libraries. Recovering the secret key from the public key takes about 15 minutes. But computing the public key from the secret key takes much longer... We also generalized our attack in order to break the GF(25625 ) proposal. In Appendix, we even suggest an improvement q of the presented attacks when h does not have a small factor r greater than h + 14 + 12 . In order to repair the Chor-Rivest cryptosystem, we believe that

– we must choose a finite field GF(ph ) where p and h are both prime; – we must not put all the ci s in the public key. It is then not clear how to choose the parameters in order to make the discrete logarithm problem easy, and to achieve a good knapsack density in order to thwart the Schnorr-H¨orner attack. One solution is to use Lenstra’s Powerline cryptosystem, or even its recent generalization: the Fractional Powerline System (see Camion-Chabanne [1]). We however have to fulfill the two requirements above. The security in this setting is still open, but we suspect that the simultaneous permuted kernel characterization of the underlying problem may lead to a more general attack on this cryptosystem with any parameters. We highly encourage further work in this direction.

Acknowledgment The author thanks Andrew Odlyzko for many helpful discussions and AT&T for inviting to perform those researches.

References 1. P. Camion, H. Chabanne. On the Powerline system. In Advances in Cryptology, ICICS’97, Beijing, China, Lectures Notes in Computer Science 1334, pp. 381–385, Springer-Verlag, 1997. 245, 255 2. B. Chor, R.L. Rivest. A knapsack-type public key cryptosystem based on arithmetic in finite fields. In Advances in Cryptology CRYPTO’84, Santa Barbara, California, U.S.A., Lectures Notes in Computer Science , pp. 54–65, Springer-Verlag, 1985. 243

256

Serge Vaudenay

3. B. Chor, R.L. Rivest. A knapsack-type public key cryptosystem based on arithmetic in finite fields. IEEE Transactions on Information Theory, vol. IT-34, pp. 901–909, 1988. 243, 243, 245, 246, 247, 247, 247 4. D. Coppersmith, J. Stern, S. Vaudenay. The security of the birational permutation signature schemes. Journal of Cryptology, vol. 10, pp. 207–221, 1997. 245 5. K. Huber. Specialised attack on Chor-Rivest public key cryptosystem. Electronics Letters, vol. 27, no. 23, pp. 2130, 1991. 247 6. A. Joux, J. Stern. Lattice Reduction: a Toolbox for the Cryptanalyst. To appear in Journal of Cryptology. 244 7. N. Koblitz. A Course in Number Theory and Cryptography, 2nd Edition, Graduate Texts in Mathematics 114, Springer-Verlag, 1994. 244 8. H.W. Lenstra, Jr. On the Chor-Rivest Knapsack Cryptosystem. Journal of Cryptology, vol. 3, pp. 149–155, 1991. 243, 245, 250 9. A.K. Lenstra, H.W. Lenstra Jr., L. Lov´ asz. Factoring polynomials with rational coefficients. Math. Ann., vol. 261, pp. 515–534, 1982. 245, 247 10. R.C. Merkle, M. Hellman. Hiding information and signatures in trap-door knapsacks. IEEE Transactions on Information Theory, vol. IT-24, pp. 525–530, 1978. 244 11. S. Pohlig, M. Hellman. An improved algorithm for computing logarithms over GF(q) and its cryptographic significance. IEEE Transactions on Information Theory, vol. IT-24, pp. 106–110, 1978. 244 12. A. Shamir. A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, Chicago, Illinois, U.S.A., pp. 145–152, IEEE, 1982. 244 13. C.P. Schnorr, H.H. H¨ orner. Attacking the Chor-Rivest Cryptosystem by improved lattice reduction. In Advances in Cryptology EUROCRYPT’95, Saint-Malo, France, Lectures Notes in Computer Science 921, pp. 1–12, Springer-Verlag, 1995. 245

A

Extension of Algorithm of Fig.2

√ Equation (4) is a simple way to solve the problem when r ≥ h. We still believe we can adapt the above attack for any value of r by more tricky algebraic computations. h Actually, let us consider a value r such that hr ≥ r and ` = P r − r. Let ei cij c i denotes gpr − gpr 0 for i = 1, . . . , h/r. There may exist some j uk,j ej = 0 P equations, namely ` of it. Hence if we write gpr ci − gpr ci0 = j aij ej , there may exist some xik coefficients such that aij −

X k

xik uk,j =

Y 0≤k≤h/r k6=j

απ(i) − απ(ik ) απ(ij ) − απ(ik )

for j = 1, . . . , h/r. When considering a set of n values of i, we have nh/r algebraic equations with n(` + 1) − 1 + h/r unknowns xik , απ(ij ) , απ(i) . Thus if r > 1 we can take n large enough as long as p(r − 1) + 1 ≥ h/r. We thus believe further algebraic tricks may leads to the solution for any r > 1 as long as p + 1 ≥ h/2.

Cryptanalysis of the Oil & Vinegar Signature Scheme Aviad Kipnis1 and Adi Shamir2 1

2

NDS Technologies, Israel Dept. of Applied Math, Weizmann Institute, Israel

Abstract. Several multivariate algebraic signature schemes had been proposed in recent years, but most of them had been broken by exploiting the fact that their secret trapdoors are low rank algebraic structures. One of the few remaining variants is Patarin’s ”Oil & Vinegar” scheme, which is based on a system of n quadratic forms in 2n variables of two flavors (n ”oil” variables and n ”vinegar” variables). The security of the scheme depends on the difficulty of distinguishing between the two types, and does not seem to be susceptible to known low rank attacks. In this paper we describe two novel algebraic attacks which can efficiently separate the oil and vinegar variables, and thus forge arbitrary signatures.

1

Introduction

The problem of developing secure digital signature schemes had been extensively investigated over the last 20 years. The longest surviving and best known of these schemes is the RSA signature scheme, in which the verification condition for a message m, signature x, and public key (e, n) is the single algebraic equation xe = m (modn) of degree e in the single variable x. Its security is based on the difficulty of solving such an equation modulo a large n with unknown factorization. A natural extension of this algebraic approach is to consider several simultaneous equations in several variables. Let M = (m1 , . . . , mk ) and X = (x1 , . . . , xt ) be vectors representing the message and signature, respectively. The signature is said to be valid if: G1 (x1 , . . . , xt ) = m1 G2 (x1 , . . . , xt ) = m2 .. . Gk (x1 , . . . , xt ) = mk where the Gi are multivariate polynomials published by the signer as his public’s key. The designer of the signature scheme can now take one of two routes: 1. He can use a small (=constant) number of variables over a large algebraic domain such as Fn , and base its security on the difficulty of factoring n. Compared to the RSA scheme, he hopes to get the same security but higher performance. H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 257–267, 1998. c Springer-Verlag Berlin Heidelberg 1998

258

Aviad Kipnis and Adi Shamir

2. He can use a large (=security parameter) number of variables over a small algebraic domain. The problem of solving systems of polynomial equations is NP-complete even when all the equations are of degree 2 and the algebraic domain is the two-element field F2 . Compared to the RSA scheme, he hopes to get higher security and higher performance. Unfortunately, almost all these schemes were broken shortly after their introduction. For example, the Ong-Schnorr-Shamir [OSS] scheme (which belongs to the first type) was broken by Pollard and Schnorr [PS], the Matsumoto and Imai scheme [MI] (which belongs to the second type) was broken by Patarin [P1], and Shamir’s birational permutation scheme [S] (which belongs to the second type) was broken by Coppersmith Stern and Vaudenay [CSV]. About two years ago, Patarin tried to revive the second approach by introducing several new signature schemes which seemed to be immune to all the known types of algebraic attacks. The ”oil & vinegar” signature scheme [P2] was described as the simplest, while the ”hidden field equations” [P3] was described as the most secure, and a $1000 prize was offered for its cryptanalysis. The only partial attack found so far against any of these schemes (based on private communication with Patarin, January 1998) is due to Coppersmith, who broke a cubic variant of the oil & vinegar scheme, but not the original quadratic version. In this paper we describe two novel algebraic attacks which can break the original ”Oil & Vinegar” scheme in a matter of seconds for all reasonable choices of the security parameter. The first attack linearizes certain quadratic equations which distinguish between the oil and vinegar variables, while the second attack analyses the characteristic polynomials of certain matrices to find two eigenspaces generated by the two types of variables. The attacks extract from the public key an algebraic structure which is equivalent to (but not necessarily equal to) the legitimate signer’s secret key, and after this short precomputation the forger can use the signer’s efficient algorithm to generate signatures for arbitrary messages.

2

A Simplified Oil & Vinegar Scheme

In this section we introduce a homogeneous variant of the Oil & Vinegar scheme, which makes the description and analysis of our attacks simpler. In section 4 we show that essentially the same attack can be applied to the original nonhomogeneous Oil & Vinegar scheme. Let M = (m1 , ..., mk ) be a message consisting of k elements from a finite field F of order q . X = (x1 , ..., x2k ) consisting of 2k elements from F is a valid signature of M if it satisfies G(X) = M where G(X) : F 2k −→ F k is the signer’s public key. The mapping G can be written as G(X) = (G1 (X), G2 (X), ..Gk (X)) where each Ge (X) is a homogeneous quadratic form of 2k variables X = (x1 , . . . , x2k ) over F , i.e., a sum of monomials of the form cij xi xj . Such a quadratic form can be described by the product X t Ge X in which Ge is a 2k × 2k matrix, X is a column vector, and X t is X transposed.

Cryptanalysis of the Oil Vinegar Signature Scheme

259

Each message M has approximately q k possible signatures, but finding any one of them is apparently difficult due to the nonlinearity of the equations. The legitimate signer can solve these equations and compute X by exploiting the secret structure of G, defined by the following construction: Let A be a randomly chosen nonsingular 2k × 2k matrix over F , and let Y = (y1 , . . . , y2k ) be a new set of 2k variables defined by Y = AX. Let F = (F1 , . . . , Fk ) be a vector of k random matrices of size 2k × 2k in which the top left k × k submatrix is zero: 0 B1 Fe = B2 B3 Define the quadratic forms Fe (Y ) for e = 1, . . . , k in the usual way as Y t Fe Y , and derive the equivalent quadratic forms Ge (X) after the linear change of variables Y = AX as the products X t · At · Fe · A · X. Publish their coefficients (i.e., the entries of the triple products At · Fe · A) as the public signature verification key. The signer’s secret key is the matrix A which translates between the public X and secret Y variables. In terms of the Y variables, the quadratic forms are Y t · Fe · Y . The fact that Fe has a top left quarter of zeroes implies that in any monomial of the form cij yi yj at most one of i, j can be in the range [1, k], and thus all the variables from the first half of Y (which we call the oil variables) occur linearly in the quadratic forms, while all the variables from the second half of Y (which we call the vinegar variables) can occur either linearly or quadratically in the quadratic forms. However, when translated into quadratic forms in terms of the X variables, the distinction disappears and all the 2k variables in X seem to multiply each other in all possible combinations with random looking coefficients. To sign a given message M = (m1 , . . . , mk ), the legitimate signer uses the following simple algorithm:

1. Assign random values to all the vinegar variables (yk+1 , . . . , y2k ). 2. Simplify the quadratic equations defined by Y t · Fe · Y = me . The resultant equations are linear and contain only oil variables. 3. Solve the system of k linear equations in k variables. If it is singular, return to step 1 (this can be shown to happen with a probability smaller than some constant which depends on the choice of F). 4. Map the Y solution to an X solution via X = A−1 Y . 5. Provide X as a signature of M . To forge a signature for message M , the forger has to find 2k values for the variables in X satisfying the k random looking quadratic equations Gi (X) = mi . In the next section we show that it is possible to break the scheme by recovering the oil variables.

260

3 3.1

Aviad Kipnis and Adi Shamir

Cryptanalysis of the Oil & Vinegar Signature Scheme The Cryptanalytic Approach

Definition 1. The oil subspace of the Y space is the set of all vectors in F 2k whose second half contain only zeroes. The oil subspace of the X space is the preimage by A of all vectors in F 2k whose second half contain only zeroes. Definition 2. The vinegar subspace of the Y space is the set of all vectors in F 2k whose first half contain only zeroes. The vinegar subspace of the X space is the preimage by A of all vectors in F 2k whose first half contain only zeroes. The notions of oil and vinegar subspaces will often be used without referring to the X or Y spaces, and the meanning will be clear from the context. Since A is nonsingular, each one of these subspaces has dimension k, and the X and Y spaces can be viewed as direct sums of their oil and vinegar subspaces. An important property of the oil space is: Lemma 3. All the published quadratic forms G1 (X)..Gk (X) over F 2k are identically zero on the oil subspace V of X. Proof: In each monomial in Y t Fe Y there can be at most one oil variable. By our simplifying homogeneous assumption, the Oil & Vinegar scheme cannot contain linear monomials, and thus each monomial contains at least one vinegar variable. Since any X ∈ V corresponds to a Y in which all the vinegar variables are zero, the quadratic form is identically zero on V . 2 The set of X vectors which make a particular Ge (X) zero is usually a strict superset of the oil subset, but the intersection of sufficiently many of these sets is likely to be exactly the oil subspace. However, this is not an effective characterization of the oil subspace, since we can’t find the zero sets of quadratic forms with many variables by an efficient algorithm. The next observation is that each matrix Ge can be considered not only as a quadratic form, but also as a linear mapping over the X space. One technical problem is that quadratic forms and linear mappings behave differently under the linear change of variables Y = AX: If B is the matrix of a quadratic form, it is changed by a congruence relation to At BA, while if B is the matrix of a linear mapping, it is changed by a similarity relation to A−1 BA. To overcome this problem, we consider products of matrices of the form B −1 C. If B and C are quadratic forms and A is a linear change of variables, then the new B and C are At BA and At CA, respectively, and thus the new B −1 C −1 is A−1 B −1 At At CA = A−1 B −1 CA, which is B −1 C changed by a similarity relation, as desired. We first characterize the behaviours of the Fe ’s as linear mappings over the Y space: Lemma 4. If Fi and Fj are nonsingular, then Fj maps the oil space onto the vinegar space, Fi−1 maps the vinegar space onto the oil space, and Fi−1 Fj maps the oil space onto itself.

Cryptanalysis of the Oil Vinegar Signature Scheme

261

Proof: Fj has a top left quarter of zeroes. When it is multiplied by a column vector whose second half is zero, the result is a column vector whose first half is zero, and thus Fj maps the oil subspace into the vinegar subspace. If Fj is nonsingular, it maps a subspace of dimension k to a subspace of dimension k, and thus Fj maps the oil subspace onto the vinegar subspace. Since all the vinegar subspace is in the range of this mapping, Fi−1 maps the vinegar subspace back onto the oil subspace, and Fi−1 Fj maps the oil subspace onto itself. 2 When we change Y to X, Fe is changed to Ge as a quadratic form, but not as a linear mapping. However, Fij = Fi−1 Fj is changed to Gij = G−1 i Gj as a linear mapping, and thus for any i, j, Gij maps the oil subspace of the X space onto itself. Remark: There is a subtle point for fields F of characteristic 2, since 0 + 0 = 1 + 1 = 0, and thus the symmetric matrix representation of their quadratic forms does not always exist, and is not always unique. In particular, the party that chooses the signature key can change the top left quarter of Fe from zero to any symmetric matrix with zeroes on the diagonal, and then compute Ge in the usual way as At Fe A. As quadratic forms, all these matrices are equivalent, but as linear mappings they behave very differently, and in particular any attack based on a search for these zeroes in Fe will be foiled by such a modification. The simplest way to overcome this countermeasure was proposed by Coppersmith (private communication): replace each published Ge by G0e = Ge + Gte . As a quadratic form over X, X t G0e X is uninteresting since it is identically zero, but as a linear mapping it is equal to At (Fe + Fet )A, which has the desired form (a matrix Fe + Fet with a top left quarter of zeroes, under congruence relation). Since our attack only considers the behaviour of the given matrices as linear mappings, we can apply it even when the field has characteristic 2 and the Fe matrices are intentionally modified. Definition 5. Assume that all the Ge matrices are nonsingular (eliminate those which are not). Define T as the closure of all the matrices Gij = G−1 i Gj under addition, multiplication, and multiplication by a constant from F . Note that if the Fe and A are chosen at random, at least a constant fraction of the Ge matrices are nonsingular, and thus there are quadratically many Gij matrices. Their closure T is even richer, and contains all the polynomials in all the nonsingular Gij (note that these matrices need not commute, and thus the monomials in these polynomials contain all the different orders in which they can be multiplied, and not just their multiplicity). Definition 6. A linear subspace U is an eigenspace of matrix B if B maps U into itself. U is a common eigenspace of a set of matrices if it is an eigenspace of each one of them. Remark: If B is nonsingular then it maps the eigenspace onto itself. Any eigenvector of B defines an eigenspace of dimension one. If B has several eigenvectors then the space spanned by any subset of eigenvectors is also an eigenspace. If B has a complete set of eigenvectors corresponding to distinct eigenvalues,

262

Aviad Kipnis and Adi Shamir

then all the eigenspaces of B are of this form. However, B can have nontrivial eigenspaces even when it has no eigenvectors at all, and thus the concept of eigenspaces is a strict generalization of the concept of eigenvectors. Random matrices often have only the trivial eigenspaces of the zero vector and the whole space, and several random matrices are very unlikely to have a common nontrivial eigenspace. We can thus provide a strong characterization of the oil subspace: Theorem 7. The oil subspace V of the X space is a common eigenspace of all the matrices in T . Proof: We have already shown that V is a common eigenspace of all the Gij matrices. Since this property is preserved by the operations of addition, multiplication, and multiplication by a constant, V is a common eigenspace of their closure T . 2

4

Finding Common Eigenspaces

In this section we describe two efficient methods for finding a common eigenspace of a sufficiently rich set of matrices. The first method is a linearization heuristic which is expected to succeed with high probability. The second method is based on a simple relationship between eigenspaces and characteristic polynomials of matrices, and can be rigorously analysed. 4.1

The Linearization Method

In this method we first derive a large number of quadratic equations in a small number of variables. We linearize it by replacing the product of any two variables by a new variable, getting linear equations in a quadratic number of variables. If the original number of quadratic equations is quadratic in the number of variables, we hope to get a uniquely solvable system of linear equations. The values of the original variables can now be derived by analysing the values of their pairwise products. To find the quadratic equations, choose a basis T1 , . . . , Tn for the closure T of the Gij matrices. We cannot formally prove a lower bound on n, but there are strong heuristic arguments why n is expected to be θ(k 2 ). Let R = (r1 , . . . , r2k ) be a vector of formal variables denoting some vector in the oil subspace of X. Consider the collection of column vectors T1 R, . . . , Tn R in which each entry is a formal linear combination of ri variables with known coefficients, and arrange them in a 2k × n matrix M . Since the oil space is a common subspace of rank k of all the Tj matrices, the column rank of M cannot exceed k for any choice of R in the oil subspce V . Consequently, the row rank of M cannot exceed k as well, and thus there is a linear relationship between the first k + 1 rows of M . Let S = (s1 , . . . , sk+1 ) be the coefficients of this linear relationship (without loss of generality, we can assume that sk+1 is 1). For each one of the n columns of M ,

Cryptanalysis of the Oil Vinegar Signature Scheme

263

we can thus express the relationship as a quadratic equation in the variables of R and S. We can now solve this system of equations by the linearization method, replacing each product of variables ri sj by a new variable zij . Unfortunately, the ri and sj solution is not unique (any vector in the oil space can give rise to a different linear combination of the rows), and thus there is a non-trivial subspace of solutions for the linearized variables zij . A randomly chosen solution in this subspace is unlikely to correspond to a consistent product of ri variables and sj variables. To overcome this problem, we add random (nonhomogeneous) linear equations relating the 2k variables ri , and use them to eliminate some of the ri variables from the quadratic equations before we linearize them. When sufficiently many random linear equations are added, we expect that the vector R in the oil subspace will become uniquely defined (as the intersection of a linear subspace and an affine subspace of half dimension), and thus we will not get parasitic zij solutions which do not correspond to products of ri and sj variables. We may have to try several collections of random equations of different sizes, but the method is expected to succeed since our characterization of the oil subspace leads to an extremely overdefined system of equations. 4.2

The Characteristic Polynomial Method

In this section we exploit interesting relations between eigenspaces and characteristic polynomials. Let P (x) be the characteristic polynomial of an n × n matrix B. By the Caley-Hamilton theorem, P (B) is the zero matrix. We now consider the matrices obtained by substituting B into other polynomials. Lemma 8. For any polynomial P 0 (x), kernel(P 0 (B)) is an eigenspace of B. Proof: If Z ∈ kernel(P 0 (B)) then P 0 (B)Z = 0 by definition. B commutes with any power of B, and thus with any polynomial in B such as P 0 (B). Consequently, P 0 (B) · BZ = B · P 0 (B)Z = 0. This proves that B maps the kernel of P 0 (B) into itself. 2 The converse of this lemma is not true, in the sense that some eigenspaces of B are not definable as the kernel of any polynomial in B. Consider, for example, the identity matrix B = I. Since all the powers of B are I, the only singular polynomial in B is the zero matrix, whose kernel is the whole space. On the other hand, any linear subspace is an eigenspace of B. For any matrix B and vector Z there exists a minimal nonzero polynomial P 0 (x) such that (P 0 (B)) maps Z to zero (P 0 is defined by the smallest linear relationship between the vectors B i Z). If this P 0 (x) does not divide the characteristic polynomial P (x) of B, there are two polynomials D(x) and E(x) such that D(x)P 0 (x) + E(x)P (x) = P 00 (x) where P 00 (x) = gcd(P 0 (x), P (x)) whose degree is strictly smaller than that of P 0 (x). When B is substituted for x and the resultant matrix is applied to Z, we get a lower degree polynomial which maps Z to zero, in contradiction to the minimality of P 0 (x).

264

Aviad Kipnis and Adi Shamir

The definition can be extended from a single vector Z to any linear subspace V , and the minimal polynomial of V (with respect to B) is the least common multiple of the minimal polynomials of all the vectors Z ∈ V , which is also a divisor of the characteristic polynomial P (x) of B. The following case is of special interst: Theorem 9. If the characteristic polynomial P (x) of B is irreducible, then the only eigenspaces of B are {0} and the whole space. Proof: Let Z be any nonzero vector in the eigenspace V . The minimal polynomial of Z is a divisor of P (x). Since P (x) is irreducible, it can only be P (x) itself. Since the minimal polynomial of Z is of full degree n, the vectors Z, BZ, B 2 Z, . . . , B n−1 Z are n linearly independent vectors. However, Z ∈ V and V is an eigenspace of B, and thus all these vectors are also in V . Consequently, V has full dimension n, and contains the whole space. 2 We cannot use this simple characterization of eigenspaces to search for the oil subspace of matrices in T , since the characteristic polynomials of these matrices are always reducible polynomials. To see this, consider any two matrices Fi and Fj of size 2k × 2k whose top left quarter is zero. It is easy to show that the −1 product F ij = Fi Fj has the form: B1 B2 Fij = 0 B3 and the sum, product, and constant multiples of such matrices have the same form. The characteristic polynomial of any matrix of this form is the product of the characteristic polynomials of B1 and B3 , which are of degrees k each. The characteristic polynomial is not changed by a similarity transformation, and thus the characteristic polynomials of all the matrices in T can be expressed as the products of two k degree polynomials. We are thus led to consider the next simplest case, in which the characteristic polynomial P (x) of B factors into two distinct irreducible factors P (x) = P1 (X) · P2 (X). Define B1 = P1 (B), B2 = P2 (B), K1 = kernel(B1 ), and K2 = kernel(B2 ). Then the following is true: 1. 2. 3. 4. 5.

range(B1 ) ⊆ K2 and range(B2 ) ⊆ K1 . K1 ∩ K2 = {0} (the zero vector). dim(K1 ) + dim(K2 ) = 2k. The space can be represented as a direct sum of K1 and K2 . The only eigenspaces of B are {0}, K1 , K2 , and the whole space.

The intuitive reason for the last part is that any vector Z in an eigenspace V can be decomposed into its K1 and K2 components, which behave independently of each other. If only one of the components is nonzero, repeated application of B to Z spans the corresponding Ki by the irreducibility of Pi . If both components are nonzero, the minimal polynomial of Z is the least common multiple of the two minimal polynomials, which is the whole P (x) since P1 (x) and P2 (x) are distinct and thus relatively prime. These statements will be formally proved in the full version of the paper.

Cryptanalysis of the Oil Vinegar Signature Scheme

265

Remark: It is possible to extend the complete characterization of the eigenspaces to arbitrary matrices by analysing their Jordan normal forms, but the results are more complicated and the characterization becomes useless when there are too many possible eigenspaces. We know that the oil subspace is a common eigenspace of dimension k of all the matrices in T . The characteristic polynomial of any such matrix factors into two polynomials of degree k, but each one of these polynomials can often be factored further into smaller degree polynomials. In particular, if the characteristic polynomial factors completely into 2k linear terms, there are exponentially many ways to multiply k of them to get the k degree polynomial defining the oil space. However, if T contains some matrix B whose charactristic polynomial P (x) can be factored into two distinct irreducible factors P1 (x) and P2 (x) of degree k, then the oil subspace we want to find is easy to compute either as the kernel of P1 (B) or as the kernel of P2 (B). The characteristic polynomial and the kernel of a given matrix can be found in polynomial time, and its complete factorization over a finite field can be found in random polynomial time. To find a usable B, we randomly sample matrices in T . What is left to be shown is that with a sufficiently high probability, the characteristic polynomials of these matrices factor into a pair of distinct irreducible factors. An easy counting argument shows that random k degree polynomials are irreducible with probability about 1/k, and thus a quadratic number of random polynomials almost certainly contains polynomials of the desired form. However, the characteristic polynomials of random matrices may be non-uniformly distributed. We overcome this difficulty by proving: Theorem 10. There is a set B of matrices such that: 1.B contains at least a constant fraction of all the matrices 2. The characteristic polynomials of matrices in B are uniformly distributed. The proof will be given in the full version of the paper, and then applied to our case in which the characteristic polynomials of all the matrices in T are known to factor into two polynomials of degree k, but are somewhat unlikely to factor further into lower degree factors. We can thus conclude that for a randomly chosen public key in the oil & vinegar signature scheme, we can find its oil subspace with high probability by a random polynomial time algorithm.

5

Completing the Attack

Let V be the common oil eigenspace of all the T matrices, found by one of the two methods described in the previous section. We define a new basis (y1 , . . . , y2k ) in which the vectors y1 , . . . , yk span the oil subspace and yk+1 , . . . , y2k complete it into a basis for the 2k dimensional space. This basis is not unique, but it is related to the original basis used by the legitimate signer via some linear transformation which maps the oil subspace onto itself. For any such basis, all the given quadratic forms Ge become linear in the first half of their variables,

266

Aviad Kipnis and Adi Shamir

because this is true when the original basis is used, and remains true under any linear transformation which preserves the oil subspace. Consequently, the forger can use the same efficient algorithm used by the signer to generate forged signatures for arbitrary messages, even though he cannot reconstruct an identical secret key. To complete our attack on the original oil & vinegar signature scheme, we have to consider the differences between the original the simplified versions. The only significant difference is that in Patarin’s original scheme, the quadratic forms Fe can contain linear and constant terms, and the mapping A is affine rather than linear. The resultant Ge forms are not necessarily homogeneous, and we have to modify our definitions of the oil and vinegar domains since they become affine rather than linear subspaces. However, all the modifications affect only the linear and constant terms in each Ge , which are clearly distinguishable from the quadratic terms in the published forms. We can thus apply the attack described so far to the homogeneous quadratic parts of the published forms, find the homogeneous linear part of the mapping A, and add the linear and constant parts of the Ge only when we actually solve the resultant system of linear equations in the oil variables. More details on this point will be provided in the full version of this paper.

Acknowledgements We would like to thank Don Coppersmith, Victor Halperin, Anthony Joseph, Jacques Patarin, Ran Raz and Jacques Stern for many fruitful discussions and improvement ideas.

References CSV. MI.

OSS.

P1. P2. P3.

D. Coppersmith, J. Stern and S. Vaudenay, The Security of the Birational Permutation Signature Scheme, Journal of Cryptology, 1997, pp. 207-221. 258 T. Matsumoto and H. Imai, Public Quadratic Polynomial Tuples for Efficient Signature Verification and Message Encryption, Eurocrypt 88, Springer Verlag, pp.419-453. 258 H. Ong, C. P. Schnorr, and A. Shamir A Fast Signature Scheme Based on Quadratic Equations, Proc. 16-th ACM Symp. Theory of Computation, 1984, pp. 208-216. 258 J.Patarin, Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt 88, Crypto 95, Springer Verlag, pp.248-261. 258 J. Patarin, The Oil and Vinegar Algorithm for Signatures, presented at the Dagstuhl Workshop on Cryptography, September 97. 258 J.Patarin, Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms, Eurocrypt 96, Springer Verlag, pp.33-48.

Cryptanalysis of the Oil Vinegar Signature Scheme PS.

S.

267

J. M. Pollard and C. P. Schnorr, An Efficient Solution of the Congruence x2 + ky 2 = m(mod n), IEEE Trans. Information Theory, vol. IT-33, no. 5, 1987, pp. 702-709. 258 258 A. Shamir Efficient Signature Schemes Based on Birational Permutations, Crypto 93, Springer Verlag, pp.1-12. 258

From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs Extended Abstract Moni Naor? and Omer Reingold?? Dept. of Applied Mathematics and Computer Science Weizmann Institute of Science Rehovot 76100, Israel {naor,reingold}@wisdom.weizmann.ac.il

Abstract. This paper studies the relationship between unpredictable functions (which formalize the concept of a MAC) and pseudo-random functions. We show an efficient transformation of the former to the latter using a unique application of the Goldreich-Levin hard-core bit (taking the inner-product with a random vector r): While in most applications of the GL-bit the random vector r may be public, in our setting this is not the case. The transformation is only secure when r is secret and treated as part of the key. In addition, we consider weaker notions of unpredictability and their relationship to the corresponding notions of pseudo-randomness. Using these weaker notions we formulate the exact requirements of standard protocols for private-key encryption, authentication and identification. In particular, this implies a simple construction of a private-key encryption scheme from the standard challenge-response identification scheme.

1

Introduction

This paper studies several ways to weaken the definition of pseudo-random functions that come up naturally in applications such as message authentication and user identification. We focus on the concept of an unpredictable function and its relationship to a pseudo-random function. We also consider the notion of a random attack vs. an adaptive attack. We show that in several settings unpredictability can easily be turned into pseudo-randomness. Pseudo-random functions were introduced by Goldreich, Goldwasser and Micali [12] and are a very well studied object in Foundations of Cryptography. A distribution of functions is pseudo-random if: (1) This distribution is efficient (i.e., it is easy to sample functions according to the distribution and to compute ? ??

Research supported by a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. Research supported by a Clore Scholars award.

H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 267–282, 1998. c Springer-Verlag Berlin Heidelberg 1998

268

Moni Naor and Omer Reingold

their value). (2) It is hard to tell apart a function sampled according to this distribution from a uniformly distributed function given an adaptive access to the function as a black-box. Pseudo-random functions have numerous applications in practically any scenario where a large amount of randomness need to be shared or fixed (see e.g., [4,7,10,13,18,19,21]). In this paper we concentrate on the application to authentication (and also on the applications to identification and encryption): A pseudo-random function fs can be used as a MAC (message authentication code) by letting the authentication tag of a message m be fs (m) (where the key, s, of fs is also the private key of the MAC). As discussed by Bellare, Canetti and Krawczyk [1] (see also [23]) the security of this scheme does not require the full strength of a pseudo-random function. Breaking this MAC (under the strong attack of existential forgery with a chosen message) amounts to adaptively querying fs on chosen messages m1 , m2 , . . . mq−1 and then computing a pair hm, fs (m)i for which m is different from m1 , m2 , . . . mq−1 . As will be argued below, this might be hard even if fs is not pseudo-random. Such a requirement is formalized by the concept of an unpredictable function: A distribution of functions is unpredictable if: (1) This distribution is efficient. (2) For any efficient adversary that is given an adaptive black-box access to a function (sampled according to this distribution) it is hard to compute the value of the function at any point that was not queried explicitly. Note that from this definition it follows that the range of an unpredictable function fs must be large. The definition can be naturally extended to allow fs with a range of arbitrary size N by requiring that (for any unqueried x) the advantage of computing fs (x) over the 1/N probability of a successful guess is negligible. However, in case N is small (i.e. polynomial) this definition implies that fs is pseudo-random.1 As an interesting analogy, consider Shamir’s “unpredictable” number sequences [26]. There, given any prefix of the sequence it is hard to compute the next number. As shown by Yao [28], the unpredictability of the bit sequences introduced by Blum and Micali [6], implies their pseudo-randomness. Thus unpredictability and pseudo-randomness (indistinguishability) are equivalent for bit sequences but not for number sequences in general. This interesting phenomena is yet another reason for making a distinction between unpredictability and pseudo-randomness. Such a distinction has not always been made in the literature so far2 1

2

A relaxation of an unpredictable function in the case of a small range N is the concept of an α-MAC. Informally, these are functions that their value (at any unqueried point) cannot be predicted with advantage over 1/N better than α (where α might not be non-negligible). In criticism to our approach one may suggest a different definition for unpredictable functions that makes them equivalent to pseudo-random functions. Such a definition would require bit-by-bit unpredictability of the function’s output. I.e., that the bit string obtained by concatenating the output of the function on the queries of the distinguisher is unpredictable. However, we feel that the definition used in this paper

From Unpredictability to Indistinguishability

269

Between Pseudo-Random Functions and Unpredictable Functions Since for a random function with large enough range it is impossible to guess its value at any unqueried point, we have that a pseudo-random function with large enough range is unpredictable. Otherwise, the prediction algorithm can be used as a distinguisher. However, an unpredictable function need not “hide” anything about the input, and in particular may reveal the input. For instance, if gs is an unpredictable function, then the function hx, gs (x)i (x concatenated with gs (x)) is an unpredictable function that completely reveals the input. Using unpredictable functions instead of pseudo-random functions may lead to better efficiency. For example, Bellare, Canetti and Krawczyk [1] suggest that modeling cryptographic hash functions such as MD5 and SHA as being unpredictable is a realistic assumption. Nevertheless, pseudo-random functions are still valuable for many applications such as private-key encryption. In fact, pseudorandom functions are useful even in the context of authentication. Consider Wegman-Carter [27] based MACs. I.e., letting the authentication tag of a message m be fs (h(m)) where h is a non-cryptographic hash-function (e.g., almostuniversal2 ).3 Such MACs are a serious competitors to both CBC-MACs [3] and HMACs [1]. They are especially attractive for long messages since the cryptographic function is only applied to a much shorter string and since for some of the recent constructions of hash functions (e.g., [15,25]) computing h(m) is relatively cheap. However, in this case it is not enough for fs to be unpredictable but it should also hide information about its input. Since unpredictable functions imply one-way functions [17] they also imply full-fledged pseudo-random functions [12,16]. However, these general constructions (from one-way functions to pseudo-random generators [16] and from pseudo-random generators to pseudo-random functions [12]) are computationally heavy. An obvious question at this point is whether it is possible to use unpredictable functions in order to construct a pseudo-random function at low cost. A natural construction is to apply the Goldreich-Levin hard-core bit [14] (GL-bit) in order to obtain a single-bit pseudo-random function using the inner-product with a random (but fixed) vector r. In other words, if f : {0, 1}n 7→ {0, 1}m is an unpredictable function, then consider g : {0, 1}n 7→ {0, 1} where g(x) = f (x) r (and denotes the inner product mod 2). However, it turns out that the security of this construction is more delicate than may seem: – If r ∈ {0, 1}m is public, the result might not be pseudo-random. – If r ∈ {0, 1}m is kept secret (part of the key), the result is a single-bit pseudo-random function. We find this result surprising since, as far as we are aware, this is the only application of the GL-bit that requires r to be secret.

3

is more “natural” and that the distinction between unpredictability and pseudorandomness is useful. An alternative variant of the Wegman-Carter based MACs lets the authentication tag of a message m be hr, h(m) ⊕ fs (r)i for a random input r. In this case it is clear that the output of fs should be pseudo-random.

270

Moni Naor and Omer Reingold

One obvious disadvantage of this transformation is that we get a single-bit pseudo-random function. However, using the GL hard-core functions one can extract more than a single bit at the cost of decreasing the security of the functions. Extracting t bits in such a way results in an exponential (roughly 22t ) decrease in security. In case the unpredictable function is very secure, such a reduction might still be tolerable. In general, it is unrealistic to expect to extract more than a logarithmic number of pseudo-random bits from an unpredictable function (since a pseudo-random function with any super-logarithmic number of output bits is unpredictable). An alternative solution is to concatenate the inner product of a random vector r with the output of several unpredictable functions, i.e., to define the pseudo-random function gs1 ,s2 ,...,st ,r (x) = fs1 (x) r, fs2 (x) r, . . . , fst (x) r. Combining the two solutions might imply a sufficiently efficient and secure pseudo-random function with a large range. Moreover, there are several scenarios where a single-bit (or few-bit) pseudo-random function is needed. One such scenario (which also motivated this work) was considered by Canetti et. al. [8] for multicast authentication. In their scheme many functions are used for authentication, and the adversary might know a constant fraction of them. Therefore, letting each function be a one-bit pseudo-random function instead of an unpredictable function with a large range significantly reduces the size of the authentication tag while ensuring the security of the scheme. Consequences The main application of the transformation from unpredictability to indistinguishability is obviously for using efficient constructions of MACs in scenarios that require pseudo-random functions (especially when a single-bit pseudorandom function is needed as in [8]). A recent work of Rivest [24] makes strong arguments against the validity of export regulations’ distinction between MACs and encryption schemes. One may view our work as supporting such arguments since it shows that efficient (software or hardware) implementations of MACs can easily (and in low cost) be turned into implementations of encryption schemes. In fact, as shown by this paper, even functions that are designed for the standard challenge-response identification scheme can be used for encryption. Random Attacks Motivated by the requirements of standard protocols for identification and encryption, we consider two additional relaxations of unpredictable functions. The first is requiring that no efficient algorithm after adaptively querying the function can compute its value on a random challenge instead of any new point of its choice. The second relaxation is achieved by giving the adversary the output of the function on (polynomial number) of random inputs (instead of allowing it an adaptive attack). In addition, we consider the equivalent notions of indistinguishability. We use these concepts for:

From Unpredictability to Indistinguishability

271

– Identifying the exact requirements of standard schemes for authentication, identification and encryption. – Showing that in the case of a random challenge, the transformation from unpredictability to indistinguishability is still secure even if the vector r is public. This transformation provides a simple construction of a privatekey encryption scheme from the standard challenge-response identification scheme. – Showing a more efficient variant for one of the constructions in [22] that achieves some notion of unpredictability (which is sufficient for the standard identification scheme). Random attacks on function families are also natural in the context of Computational Learning-Theory [5]. In addition, it was shown in [20] how to construct a full-fledged pseudo-random function f from such a weak pseudo-random functions h (going through the concept of a pseudo-random synthesizer). Given that h has a large enough output and that f is defined on k-bit inputs, computing f involves O(k/ log k) invocations of h. The construction of this paper completes the transformation from weak unpredictable functions to pseudo-random functions. Since the function families that are suspected to be weak pseudo-random functions (e.g. those described in [5]; also see [20]) are extremely efficient, we consider it an important open question to improve the construction of pseudorandom functions from weak pseudo-random functions given in [20]. Alternatively, it would be interesting to design efficient authentication and encryption schemes that only use weak pseudo-random functions. We further consider these questions in Section 5. Organization In Section 3 we define unpredictable functions. In Section 4 we define the transformation from unpredictable functions to pseudo-random functions and show that it requires the vector r to be secret. In Section 5 we consider weaker notions of unpredictability and pseudo-randomness.

2

Preliminaries

In this section we include the definitions of function-ensembles and pseudorandom functions almost as they appear in [11,21]: 2.1

Notation n

– I denotes the set of all n-bit strings, {0, 1}n. – Un denotes the random variable uniformly distributed over I n . – Let x and y be two bit strings of equal length, then x ⊕ y denotes their bit-by-bit exclusive-or. – Let x and y be two bit strings of equal length, then x y denotes their inner product mod 2.

272

2.2

Moni Naor and Omer Reingold

Function-Ensembles and Pseudo-Random Function Ensembles

Let {An , Bn }n∈N be a sequence of domains. A An 7→ Bn function ensemble is a sequence F = {Fn }n∈N such that Fn is a distribution over the set of An 7→ Bn functions. R = {Rn }n∈N is the uniform An 7→ Bn function ensemble if Rn is uniformly distributed over the set of An 7→ Bn functions. A function ensemble, F = {Fn }n∈N , is efficiently computable if the distribution Fn can be sampled efficiently and the functions in Fn can be computed efficiently. More formally, if there exist probabilistic polynomial-time Turingmachines, I and V, and a mapping from strings to functions, φ, such that φ(I(1n )) and Fn are identically distributed and V(i, x) = (φ(i))(x) (i.e. Fn ≡ V(I(1n ), ·)). Definition 1 (negligible functions). A function h : N 7→ R+ is negligible if for every constant c > 0 and all sufficiently large n’s h(n) <

1 nc

Definition 2 (pseudo-random function). Let {An , Bn }n∈N be a sequence of domains. Let F = {Fn }n∈N be an efficiently computable An 7→ Bn function ensemble and let R = {Rn }n∈N be the uniform An 7→ Bn function ensemble. F is pseudo-random if for every efficient oracle-machine M, Pr[MFn (1n ) = 1] − Pr[MRn (1n ) = 1] is negligible. Remark . In these definitions, as well as in the other definitions of this paper, “efficient” is interpreted as “probabilistic polynomial-time” and “negligible” is interpreted as “smaller than 1/poly”. In fact, the proofs in this paper include more quantitative statements of security. For a discussion on security preserving reductions see [18].

3

Unpredictable Functions

In this section we define unpredictable functions. As described in the introduction, the motivation of this definition is the security of MACs. As an additional motivation, let us first consider an equivalent definition (that already appears in [12]) of pseudo-random functions through an interactive protocol. This protocol will also be used in Section 5 to define other weaker notions. For simplicity, we only consider I n 7→ I `(n) function-ensembles, where ` is some N 7→ N function. Definition 3 (indistinguishability against an adaptive attack). Let F = {Fn }n∈N be an efficient I n 7→ I `(n) function-ensemble and let c ∈ N be some constant. We define an interactive protocol that involves two parties, D and V:

From Unpredictability to Indistinguishability

273

On the common input 1n , the private input of V is a key s of a function fs sampled from Fn and a uniformly distributed bit σ. The protocol is carried out in q = nc rounds. At the ith round of the protocol D sends to V a point xi and in return V sends to D the value fs (xi ). At the q th round, D sends a point xq which is different from x1 , x2 , . . . xq−1 . In return, V sends fs (xq ) if σ = 1 and y ∈ U`(n) otherwise. Finally, D outputs a bit σ 0 which is its guess for σ. F is indistinguishable against an adaptive sample and an adaptive challenge if for any polynomial time machine D and any constant c ∈ N Pr[σ 0 = σ] −

1 2

is negligible. The equivalence of this definition to Definition 2 was shown in [12]. For a recent discussion on similar reductions and their security see the work of Bellare et. al. [2]. Proposition 4 ([12]) Let F = {Fn }n∈N be an efficient I n 7→ I `(n) functionensemble. Then F is pseudo-random iff it is indistinguishable against an adaptive sample and an adaptive challenge. The definition of unpredictable functions is obtained from Definition 3 by replacing the requirement that fs (xq ) is indistinguishable from uniform with a requirement that fs (xq ) is hard to compute (i.e., is unpredictable): Definition 5 (unpredictable functions). Let F = {Fn }n∈N be an efficient I n 7→ I `(n) function-ensemble and let c ∈ N be some constant. We define an interactive protocol that involves two parties, D and V: On the common input 1n , the private input of V is a key s of a function fs sampled from Fn . The protocol is carried out in q − 1 rounds for q = nc . At the ith round of the protocol, D sends to V a point xi ∈ I n and in return V sends to D the value fs (xi ). At the termination of the protocol, D outputs a point xq which is different from x1 , x2 , . . . xq−1 and a string y which is its guess for fs (xq ). F is unpredictable against an adaptive sample and an adaptive challenge if for any polynomial time machine D and any constant c ∈ N Pr[y = fs (xq )] is negligible. The expression “F is an unpredictable function ensemble” is used as an abbreviation for “F is unpredictable against an adaptive sample and an adaptive challenge”.

274

4

Moni Naor and Omer Reingold

Turning Unpredictability into Indistinguishability

In this section we show how to apply the GL hard-core bit [14] in order to construct pseudo-random functions from unpredictable-functions. At first thought, one would imagine that such an application is straightforward as is the case with key-exchange protocols (if two parties that engage in a key-exchange protocol manage to agree on a key that cannot be computed by a passive eavesdropper then they can also easily get a secret random bit using the GL hard-core bit). However, as demonstrated below, this is not the case in our scenario. Goldreich and Levin have shown that for every one-way function, t, given t(x) (for a random input x) and given a random vector r it is infeasible to guess r x with non-negligible advantage over 1/2. In fact, their result apply in a more general context: If given t(x) it is hard to compute f (x), then given t(x) and r it is also hard to guess f (x) r. Since the GL-bit transforms hardness to compute into indistinguishability it is natural to apply it in our context: Given an unpredictable function f : I n 7→ I m a natural candidate for a pseudo-random function is gs,r (x) = fs (x) r, where r is a random vector. Indeed, it is rather straightforward that for any unqueried input x it is hard to guess fs (x) r for a random vector r chosen after x is fixed. However, this is not sufficient for proving that gs,r is pseudorandom: The distinguisher gets gs,r (x) on inputs x of its choice. Since this choice might depend on r it might be easy to guess fs (x) r and to distinguish gs,r from random. As shown by the following example, this is exactly the case when the random string r is public: The Counter-Example Let hs : I 3n 7→ I n be an unpredictable function. Let fs be the I 3n 7→ I 3n function such that for every input x ∈ I 3n the string y = fs (x) is defined as follows: – If at least n bits of x are zeroes, let i1 , i2 , . . . , in be the first locations of such bits. Then for every 1 ≤ j ≤ n the bit yij equals the j th bit of hs (x) and for any other location i the bit yi is set to zero. – If at least 2n bits of x are ones, let i1 , i2 , . . . , i2n be the first locations of such bits. Then for every 1 ≤ j ≤ n the bits yij and yij+n equal to the j th bit of hs (x) and for any other location i the bit yi is set to zero. The function fs (x) is unpredictable since both mappings hx, hs (x)i 7→ hx, fs (x)i and hx, fs (x)i 7→ hx, hs (x)i are easy to compute (therefore a predictionattack on fs easily translates to a prediction-attack on hs ). However, for every r ∈ I 3n and every s we have that fs (r) r = 0. Therefore, when r is public, the function gs,r can easily be distinguished from random. A distinguisher with access to a function P simply query for P (r). If P (r) = 0 the distinguisher outputs “pseudo-random” and otherwise it outputs “random”. In case P = gs,r (for any value of s) the distinguisher will output “pseudo-random” with probability 1 and in case P is truly random the distinguisher will output “pseudo-random” with probability 1/2.

From Unpredictability to Indistinguishability

275

A Secret r Works As shown by the example above, the fs (x) r construction does not work in case r is public. We now show that this construction does work when r is secret. This fact is rather surprising since, as far as we are aware of, there is no other application of the GL-bit that requires r to be kept a secret. Construction 4.1 Let F = {Fn }n∈N be an efficient I n 7→ I `(n) functionensemble. We define an efficient I n 7→ I 1 function-ensemble G = {Gn }n∈N as follows: A key of a function sampled from Gn is a pair hs, ri, where s is a key of a function fs sampled from Fn and r ∈ U`(n) . For every input x ∈ I n the value of gs,r on x is defined by def

gs,r (x) = fs (x) r We still need to handle the fact that the distinguisher gets gs,r (x) on inputs x of its choice and that this choice might depend on r. However, in this case the dependence on r is only through values gs,r (y) that were previously queried by the distinguisher. It turns out that such a dependence is not as fatal. Theorem 6. Let F = {Fn }n∈N be an efficient I n 7→ I `(n) function-ensemble. Define G = {Gn }n∈N as in Construction 4.1. If F is an unpredictable function ensemble then G is a pseudo-random function ensemble. Proof. (Sketch) Assume that there is an efficient oracle-machine M that distinguishes G from random with non-negligible advantage = (n) (as in Definition 2). Let q = q(n) be a polynomial bound on the number of queries made by M. Assume wlog that M always makes exactly q different queries. In order to prove the theorem it is sufficient to construct an efficient oracle machine A that operates as follows: on input r ∈ U`(n) and access to a function fs sampled from Fn A first chooses an input x ∈ I n which only depends on its internal coin-tosses. I.e., x is independent of r. After making at most q queries to fs which are all different from x it outputs a guess for fs (x) r which is correct with probability at least 1/2 + /q. To see that such a machine A is indeed sufficient, note that for at least /2q fraction of the choices for the internal coin-tosses of A the probability that it succeeds in guessing fs (x) r is at least 1/2 + /2q. Therefore, we can now apply the Goldreich-Levin-Rackoff reconstruction algorithm4 to get an efficient oracle machine D such that on input 1n and access to a function fs sampled from Fn operates as follows: D first chooses an input x ∈ I n . After making O(`(n) · (q/)2 · q) queries to fs which are all different from x it outputs a 2 guess for fs (x) which is correct with probability Ω((/q) ). This contradicts the assumption that F is an unpredictable function-ensemble and completes the proof of the theorem. 4

The Goldreich-Levin Theorem is a constructive one that enables reconstruction of x given an algorithm for guessing x r. See [11] for details; the algorithm there is due to Rackoff.

276

Moni Naor and Omer Reingold

It remains to define A that has the required properties: The definition of A: We assume that A knows whether or not Pr[MFn (1n ) = 1] > Pr[MRn (1n ) = 1]. This information can be given to A as part of the input (by D that can afford to try both possibilities). Another standard way that A can learn this information is by sampling. Assume wlog that indeed Pr[MFn (1n ) = 1] > Pr[MRn (1n ) = 1] + (n) The algorithm A executes the following algorithm: 1. Sample 1 ≤ J < q uniformly at random. 2. Invoke M on input 1n . 3. Answer each one of the first J queries of M with a uniformly chosen bit. Denote by x the J th query and by σ the answer given to it. 4. Let xi be the ith query for i > J, answer this query with fs (xi ) r (by querying fs on xi ). 5. If M outputs 1 then output σ. Otherwise output σ ¯. It is immediate that the choice of x is indeed independent of r. Proving the success probability of A (claimed above) is done by a standard hybrid argument. For any unpredictable function fs , Construction 4.1gives a single-bit pseudorandom function gs,r . Extracting more bits is possible in two (complementary) ways: 1. Taking the inner product of the unpredictable function fs with a few random vectors. I.e., using the function g¯s,r1 ,r2 ,...,rt (x) = fs (x) r1 , fs (x) r2 , . . . , fs (x) rt . 2. Taking the inner product of any polynomial number of (independent) unpredictable functions fsi with the same random vector. I.e., using the function gˆs1 ,s2 ,...,st ,r (x) = fs1 (x) r, fs2 (x) r, . . . , fst (x) r. While the first method is more efficient (the function fs is only computed once) it decreases security more rapidly. More precisely, assume that there is an efficient oracle-machine M that distinguishes g¯s,r1 ,r2 ,...,rt from random with advantage using q queries then it is possible to define an oracle machine A as in the proof of Theorem 7 that outputs a guess for fs (x) r which is correct with probability at least 1/2 + /(q · 2t ). Therefore it is possible to define a machine D that breaks the unpredictable function f with O(`(n) · (q/)2 · 22t · q) queries 2 and success probability Ω((/q) · 2−2t ). However, in case fs is sufficiently secure and t is not too large (say, t = 20) this method can still be used. For the second method, it is not hard to show a much more moderate reduction in security. I.e., a reduction by 1/t2 factor (getting a factor of 1/t is possible by using t different strings ri instead of a single string r). The two methods can naturally be combined to give a reasonably efficient and secure pseudo-random function with a large output.

From Unpredictability to Indistinguishability

5

277

Weaker Notions

In this section we consider weaker notions of indistinguishability and unpredictability then those of Definitions 3 and 5. We show how to relax either one of these definitions by allowing the adversary a random attack rather than an adaptive attack. As will be described below, such random attacks come up naturally in applications such as identification and encryption. Two meanings in which an attack can be random are: 1. A Random Challenge. The adversary is required to compute the value of fs on a random point. This is formalized by letting V send xq ∈ Un to D after the first q − 1 rounds. 2. A Random Sample. The adversary gets the value of fs on polynomial number of random inputs instead of adaptively choosing the inputs itself. This is formalized by removing the first q − 1 rounds of the protocol and adding to the common input the values hx1 , fs (x1 ), x2 , fs (x2 ), . . . xq−1 , fs (xq−1 )i, where each one of the xi ’s is an independent instance of Un . Remark 8. An alternative to an adaptive attack and a random attack is a static attack. In this case, D has to choose and send x1 , x2 , . . . xq at the first round. Such an attack seems less natural in the applications we consider here and we therefore ignore it. For some intuition on the difference between adaptive and static attacks see [21]. The total number the definitions we obtain by considering all combinations (i.e., indistinguishability vs. unpredictability, adaptive samples vs. random samples and adaptive challenges vs. random challenges) is eight. The observation that no two of these definitions are equivalent (as long as one-way functions exist) easily follows from the separations we sketch below. Furthermore, there are no implications except for the obvious ones: – Let fs be a pseudo-random function and define the function gs (x) = hx,fs (x)i (x concatenated with fs (x)). Then gs is an unpredictable function but is not indistinguishable even against a random sample and a random challenge. – Let fs be a pseudo-random function and define the function gs such that gs (x) = fs (x) for every x 6= 0 and gs (0) = 0. Then gs is indistinguishable against an adaptive sample and a random challenge but is not even unpredictable against a random sample and an adaptive challenge. – Let fs be a pseudo-random function and define the function gs such that gs (x) = fs (x) for every x 6= fs (0) and (unless the rare condition fs (0) = 0 holds) gs (fs (0)) = s. Then gs is indistinguishable against a random sample and an adaptive challenge but is not even unpredictable against an adaptive samples and a random challenge. More “natural” examples for functions that are suspected to be secure (indistinguishable) against a random attack but are completely insecure against an adaptive attack come up in the context of Computational Learning-Theory (see [5,20] for details). Consider for example the following distribution on functions with parameters k and n. Each function is defined by two, uniformly distributed, disjoint sets A, B ⊂ {1, . . . , n} each of size k. Given an n-bit input, the

278

Moni Naor and Omer Reingold

output of the function is the exclusive-or of two values: the parity of the bits indexed by A and the majority of the bits indexed by B. Restating [5] in the terminology of this paper, it is estimated there that distinguishing these functions (for k = log n) from a random function using a random sample and a random challenge requires “profoundly” new ideas. However, the key of such a function (for any k) can easily be recovered using an adaptive attack. The extreme efficiency of function families that are suspected to be weak pseudo-random functions (i.e., indistinguishable against a random sample and a random challenge) raises the following questions: 1. Can the construction in [20] of a full-fledged pseudo-random function from weak pseudo-random functions be improved? 2. Can weak pseudo-random functions be directly used in private-key encryption and authentication schemes? We further consider the second question in Section 5.1. 5.1

The Requirements of Private-Key Tasks

Identifying the exact requirements for function families used in any given protocol can imply more efficient implementations of this protocol. We therefore consider in this section the actual requirements for standard private-key schemes. The three most common tasks in private-key cryptography are user identification, message authentication and encryption. Consider the following schemes for the above tasks. A group of parties that share a pseudo-random function fs may perform: Authentication The authentication tag of a message m is defined to be fs (m). Here the requirement is unpredictability against an adaptive sample and an adaptive challenge (in case we want existential unforgeability against a chosen message attack). Identification A member of the group, V, determines if A is also a member by issuing a random challenge r and verifying that the respond of A is fs (r). Assuming that the adversary can perform an active attack (i.e., can participate in executions of the protocol as the verifier), we need unpredictability against an adaptive sample and a random challenge. If the adversary is limited to a passive attack (i.e., can only eavesdrop to previous executions of the protocol), then we only need unpredictability against a random sample and a random challenge. Encryption The encryption of a message m is defined to be hr, fs (r) ⊕ mi, where r is a uniformly chosen input. We are using the terminology of [9] for attacks (chosen plaintext, chosen ciphertext in the preprocessing and postprocessing modes) and notions security (semantic and non-malleability). Assuming that the adversary is limited to a chosen plaintext attack, we need indistinguishability against a random sample and a random challenge (in case we are interested in semantic security). If the adversary can perform a chosen ciphertext attack in the preprocessing mode, then we need indistinguishability against an adaptive sample and a random challenge to get semantic security. For any implementation

From Unpredictability to Indistinguishability

279

of f this scheme is malleable and hence not secure against a chosen ciphertext attack in the postprocessing mode. I.e., when the adversary queries the function after getting the challenge. The functions used in all the schemes considered above should be secure against an adaptive sample (when we consider the stronger attack in each case). The following encryption scheme (that can also be used for authentication and identification) proposed in the full version of [9] eliminates this requirement. The encryption of a message m under this scheme is defined to be hr, f (r) ⊕ m, g(r, f (r) ⊕ m)i, where r is a uniformly chosen input. To get non-malleable security against a chosen ciphertext attack in the postprocessing mode it is enough for f and g to be indistinguishable against a random sample and an adaptive challenge. The role of g is to “authenticate” the first part of the encryption and make it infeasible for an adversary to generate valid ciphertexts it did not explicitly receive (i.e. the encryption scheme is self-validating). An interesting open question is whether there exist an efficient authentication or encryption scheme which can be based on functions secure against a random sample and a random challenge. 5.2

Improving Efficiency for Weaker Definitions

In this section we give another demonstration that weaker definitions may imply better efficiency. We do so by showing a more efficient variant for one of the constructions of [22] that is sufficient for the standard identification scheme. In [22], two related constructions of pseudo-random functions are presented. The construction that is based on factoring gives a single-bit (or few-bits) pseudorandom function. We show that if we are only interested in unpredictability against an adaptive sample and a random challenge this construction can be improved. Informally, the construction of pseudo-random functions that are at least as secure as factoring is as follows: Let N be distributed over Blum-integers (N = P · Q, where P and Q are primes and P = Q = 3 mod 4) and assume that (under this distribution) it is hard to factor N . Let g be a uniformly distributed quadratic residue in Z∗N , let a = ha1,0 , a1,1 , a2,0 , a2,1 , . . . an,0 , an,1 i be a def

uniformly distributed sequence of 2n elements in [N ] = {1, 2, . . . , N } and let r be a uniformly distributed bit-string of the same length as N . Then the Binaryfunction, fN,g,a,r , is pseudo-random. Where the value of fN,g,a,r on any n-bit input, x = x1 x2 · · · xn , is defined by: Qn def fN,g,a,r (x) = g i=1 ai,xi mod N r Using similar techniques to the proof in [22], it can be shown that if factoring Blum-integers is hard then the function f˜N,g,a , is unpredictable against an adaptive sample and a random challenge. Where the value of f˜N,g,a on any n-bit input, x = x1 x2 · · · xn , is defined by: Qn def f˜N,g,a (x) = g i=1 ai,xi mod N

280

Moni Naor and Omer Reingold

As described in Section 5.1, such a function can be used for the standard challenge-response identification scheme. 5.3

Additional Transformations of Unpredictability to Indistinguishability

In Section 4, we considered the gs,r (x) = fs (x) r construction (Construction 4.1) as a transformation of unpredictable functions to pseudo-random functions. As discussed there, the problem in using a public r in this construction is that it enables the distinguisher to choose inputs for gs,r (x) that directly depend on r. For such an input x, the value gs,r (x) might be distinguishable from random. However, when we consider weaker definitions of unpredictability and indistinguishability where the challenge is random such a problem does not occur. In this case a rather simple application of the GL-bit gives the following theorem: Theorem 7. Let F = {Fn }n∈N be an efficient I n 7→ I `(n) function-ensemble. Define G = {Gn }n∈N as in Construction 4.1. It follows that: 1. If F is unpredictable against an adaptive sample and a random challenge, then G is indistinguishable against an adaptive sample and a random challenge. 2. If F is unpredictable against a random sample and a random challenge, then G is indistinguishable against a random sample and a random challenge. Both (1) and (2) hold even if for each function gs,r ∈ Gn we let r be public As discussed in Section 5.1, indistinguishability against an adaptive sample and a random challenge is sufficient for the standard private-key encryption scheme whereas unpredictability against an adaptive sample and a random challenge is sufficient for the standard challenge-response identification scheme. Therefore, any function that is designed for the identification scheme can be transformed into a private-key encryption scheme (using the methods described in Section 4 for getting a larger output length).

6

Conclusion and Further Research

We have considered several notions of unpredictability and their relationship with the corresponding notions of indistinguishability. For three of these notions we have shown that the Goldreich-Levin hard-core bit can simply turn unpredictability into indistinguishability. By this construction efficient implementations of MACs can be used to obtain efficient implementations of pseudo-random functions. An interesting open problem is to prove or disprove the validity of the construction in a fourth setting: Can the GL-bit be used to turn unpredictability against a random sample and an adaptive challenge into indistinguishability against a random sample and an adaptive challenge? The second part of Theorem 7 and the construction in [20] of full-fledged pseudo-random functions from weak pseudo-random functions give a relatively efficient transformation (compared with the transformation obtained

From Unpredictability to Indistinguishability

281

by [12,16,17]) from the weakest notion considered in this paper (i.e. unpredictability against a random sample and a random challenge) to the stronger notion (i.e. indistinguishability against an adaptive sample and an adaptive challenge). An interesting task should be to achieve a more efficient transformation. Section 5.1 considers the exact requirements for function families used in standard private-key schemes. An interesting line for further research discussed there is to design efficient private-key encryption and authentication schemes that only use weak pseudo-random functions. Implementations of such schemes may be very efficient given the extreme efficiency of candidates for weak pseudorandom functions.

Acknowledgments We thank Ran Canetti and Benny Pinkas for motivating the problem. We thank Oded Goldreich for encouragement and many helpful comments. We also thank the reviewers of CRYPTO ’98 and Hugo Krawczyk for many helpful comments.

References 1. M. Bellare, R. Canetti and H. Krawczyk, Keying hash functions for message authentication, Proc. Advances in Cryptology - CRYPTO ’96, LNCS, Springer, vol. 1109, 1996, pp. 1-15. 268, 269, 269 2. M. Bellare, A. Desai, E. Jokipii and P. Rogaway, A Concrete Security Treatment of Symmetric Encryption, Proc. 38th IEEE Symp. on Foundations of Computer Science, 1997, pp. 394-403. 273 3. M. Bellare, J. Kilian and P. Rogaway, The security of cipher block chaining, Advances in Cryptology - CRYPTO ’94, Lecture Notes in Computer Science, vol. 839, Springer-Verlag, 1994, pp. 341-358. 269 4. M. Bellare and S. Goldwasser, New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs Proc. Advances in Cryptology - CRYPTO ’89, LNCS, Springer, 1990, pp. 194-211. 268 5. A. Blum, M. Furst, M. Kearns and R.J. Lipton, Cryptographic primitives based on hard learning problems, in: D.R. Stinson, ed., Advances in Cryptology - CRYPTO ’93, LNCS, vol. 773, Springer, 1994, pp. 278-291. 271, 271, 277, 278 6. M. Blum and S. Micali, How to generate cryptographically strong sequence of pseudo-random bits, SIAM J. Comput., vol. 13, 1984, pp. 850-864. 268 7. G. Brassard, Modern cryptology, LNCS, vol. 325, Springer, 1988. 268 8. R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor and B. Pinkas, Multicast security: A taxonomy and efficient authentication, manuscript. 270, 270 9. D. Dolev, C. Dwork and M. Naor, Non-malleable cryptography, Proc. 23rd Ann. ACM Symp. on Theory of Computing, 1991, pp. 542-552. Full version available at: http://www.wisdom.weizmann.ac.il/~naor. 278, 279 10. O. Goldreich, Two remarks concerning the Goldwasser-Micali-Rivest signature scheme, Advances in Cryptology - CRYPTO’ 86, LNCS, vol. 263, 1987, pp. 104110. 268 11. O. Goldreich, Foundations of Cryptography (Fragments of a Book), 1995. Electronic publication in the Electronic Colloquium on Computational Complexity: http://www.eccc.uni-trier.de/eccc/info/ECCC-Books/eccc-books.html. 271, 275

282

Moni Naor and Omer Reingold

12. O. Goldreich, S. Goldwasser and S. Micali, How to construct random functions, J. of the ACM., vol. 33, 1986, pp. 792-807. 267, 269, 269, 272, 273, 273, 281 13. O. Goldreich, S. Goldwasser and S. Micali, On the cryptographic applications of random functions, Advances in Cryptology - CRYPTO ’84, LNCS, vol. 196, Springer, 1985, pp. 276-288. 268 14. O. Goldreich and L. Levin, A hard-core predicate for all one-way functions, in: Proc. 21st Ann. ACM Symp. on Theory of Computing, 1989, pp. 25-32. 269, 274 15. S. Halevi and H. Krawczyk, MMH: message authentication in software in the Gbit/second rates, Proc. Fast Software Encryption, Lecture Notes in Computer Science, Springer-Verlag, 1997. 269 16. J. Hastad, R. Impagliazzo, L. A. Levin and M. Luby, Construction of a pseudorandom generator from any one-way function, To appear in SIAM J. Comput. Preliminary versions by Impagliazzo et. al. in 21st STOC, 1989 and Hastad in 22nd STOC, 1990. 269, 269, 281 17. R. Impagliazzo and M. Luby, One-way functions are essential for complexity based cryptography, Proc. 30th FOCS, 1989, pp. 230-235. 269, 281 18. M. Luby, Pseudo-randomness and applications, Princeton University Press, 1996. 268, 272 19. M. Luby and C. Rackoff, How to construct pseudorandom permutations and pseudorandom functions, SIAM J. Comput., vol. 17, 1988, pp. 373-386. 268 20. M. Naor and O. Reingold, Synthesizers and their application to the parallel construction of pseudo-random functions, Proc. 36th IEEE Symp. on Foundations of Computer Science, 1995, pp. 170-181. 271, 271, 271, 277, 278, 280 21. M. Naor and O. Reingold, On the construction of pseudo-random permutations: Luby-Rackoff revisited, To appear in: J. of Cryptology. Preliminary version in: Proc. 29th Ann. ACM Symp. on Theory of Computing, 1997. pp. 189-199. 268, 271, 277 22. M. Naor and O. Reingold, Number-Theoretic constructions of efficient pseudorandom functions, Proc. 38th FOCS, 1997, pp. 458-467. 271, 279, 279, 279 23. B. Preneel and P. C. van Oorschot, On the security of two MAC algorithms, Advances in Cryptology - EUROCRYPT ’96, LNCS, vol. 1070, 1996, pp. 19-32. 268 24. R. L. Rivest, Chaffing and winnowing: confidentiality without encryption, MIT Lab for Computer Science, http://theory.lcs.mit.edu/~rivest/chaffing.txt, March 18, 1998. To appear in: RSA CryptoBytes, Summer 1998. 270 25. P. Rogaway, Bucket hashing and its application to fast message authentication, Advances in Cryptology - CRYPTO ’95, Lecture Notes in Computer Science, vol. 963, Springer-Verlag, 1995, pp. 74-85. 269 26. A. Shamir, On the generation of cryptographically strong pseudo-random number sequences, ACM Trans. Comput. Sys., vol 1, 1983, pp. 38-44. 268 27. M. Wegman and L. Carter, New hash functions and their use in authentication and set equality, J. of Computer and System Sciences, vol. 22, 1981, pp. 265-279. 269 28. A. C. Yao, Theory and applications of trapdoor functions, Proc. 23rd IEEE Symp. on Foundations of Computer Science, 1982, pp. 80-91. 268

Many-to-One Trapdoor Functions and Their Relation to Public-Key Cryptosystems Mihir Bellare1 , Shai Halevi2 , Amit Sahai3 , and Salil Vadhan3 1

Dept. of Computer Science & Engineering, University of California at San Diego 9500 Gilman Drive, La Jolla, CA 92093, USA [email protected] http://www-cse.ucsd.edu/users/mihir. 2 IBM T. J. Watson Research Center P.O. Box 704, Yorktown Heights, NY 10598, USA [email protected]. 3 MIT Laboratory for Computer Science 545 Technology Square, Cambridge, MA 02139, USA [email protected] [email protected]. URL:http://www-math.mit.edu/~salil.

Abstract. The heart of the task of building public key cryptosystems is viewed as that of “making trapdoors;” in fact, public key cryptosystems and trapdoor functions are often discussed as synonymous. How accurate is this view? In this paper we endeavor to get a better understanding of the nature of “trapdoorness” and its relation to public key cryptosystems, by broadening the scope of the investigation: we look at general trapdoor functions; that is, functions that are not necessarily injective (ie., one-to-one). Our first result is somewhat surprising: we show that non-injective trapdoor functions (with super-polynomial pre-image size) can be constructed from any one-way function (and hence it is unlikely that they suffice for public key encryption). On the other hand, we show that trapdoor functions with polynomial pre-image size are sufficient for public key encryption. Together, these two results indicate that the pre-image size is a fundamental parameter of trapdoor functions. We then turn our attention to the converse, asking what kinds of trapdoor functions can be constructed from public key cryptosystems. We take a first step by showing that in the random-oracle model one can construct injective trapdoor functions from any public key cryptosystem.

1

Introduction

A major dividing line in the realm of cryptographic primitives is that between “one-way” and “trapdoor” primitives. The former effectively means the primitives of private key cryptography, while the latter are typically viewed as tied to public key cryptosystems. Indeed, the understanding is that the problem of building public key cryptosystems is the problem of “making trapdoors.” H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 283–299, 1998. c Springer-Verlag Berlin Heidelberg 1998

284

Mihir Bellare et al.

Is it really? It is well known that injective (ie. one-to-one) trapdoor functions suffice for public key cryptography [Ya,GoMi]. We ask: is the converse true as well, or can public key cryptosystems exist under a weaker assumption? We take a closer look at the notion of a trapdoor, in particular from the point of view of how it relates to semantically secure encryption schemes, and discover some curious things. Amongst these are that “trapdoor one-way functions” are not necessarily hard to build, and their relation to public key encryption is more subtle than it might seem.

1.1

Background

The main notions discussed and related in this paper are one-way functions [DiHe], trapdoor (one-way) functions [DiHe], semantically secure encryption schemes [GoMi], and unapproximable trapdoor predicates [GoMi]. Roughly, a “one-way function” means a family of functions where each particular function is easy to compute, but most are hard to invert; trapdoor functions are the same with the additional feature that associated to each particular function is some “trapdoor” information, possession of which permits easy inversion. (See Section 2 for formal definitions.) In the study of one-way functions, it is well appreciated that the functions need not be injective: careful distinctions are made between “(general) oneway functions”, “injective one-way functions,” or “one-way permutations.” In principle, the distinction applies equally well to trapdoor one-way functions. (In the non-injective case, knowledge of the trapdoor permits recovery of some preimage of any given range point [DiHe].) However, all attention in the literature has focused on injective trapdoor functions, perhaps out of the sense that this is what is necessary for constructing encryption schemes: the injectivity of the trapdoor function guarantees the unique decryptability of the encryption scheme. This paper investigates general (ie. not necessarily injective) trapdoor oneway functions and how they relate to other primitives. Our goal is to understand exactly what kinds of trapdoor one-way functions are necessary and sufficient for building semantically secure public key encryption schemes; in particular, is injectivity actually necessary? Among non-injective trapdoor functions, we make a further distinction based on “the amount of non-injectivity”, measured by pre-image size. A (trapdoor, one-way) function is said to have pre-image size Q(k) (where k is the security parameter) if the number of pre-images of any range point is at most Q(k). We show that pre-image size is a crucial parameter with regard to building publickey cryptosystems out of a trapdoor function. Rather than directly working with public-key cryptosystems, it will be more convenient to work with a more basic primitive called an unapproximable trapdoor predicate. Unapproximable trapdoor predicates are equivalent to semantically secure public key schemes for encrypting a single bit, and these in turn are equivalent to general semantically secure cryptosystems [GoMi].

Many-to-One Trapdoor Functions and Their Relation to Cryptosystems semantically secure public-key cryptosystems

285

Injective trapdoor functions Theorem 3

[Ya]

[GoMi] Unapproximable trapdoor predicates

Theorem 2

[ImLu] One-way functions

trivial

Trapdoor functions with poly-bounded pre-image size trivial

Theorem 1

Trapdoor functions with super-poly pre-image size

Fig. 1. Illustrating our results: Solid lines are standard implications; the dotted line is an implication in the random oracle model.

1.2

Results

We have three main results. They are displayed in Fig. 1 together with known relations. We now discuss them. One-way functions imply trapdoor functions. Our first result, given in Theorem 1, may seem surprising at first glance: we show that one-way functions imply trapdoor functions. We present a general construction which, given an arbitrary one-way function, yields a trapdoor (non-injective) one-way function. Put in other words, we show that trapdoor functions are not necessarily hard to build; it is the combination of trapdoorness with “structural” properties like injectivity that may be hard to achieve. Thus the “curtain” between one-way and trapdoor primitives is not quite as opaque as it may seem. What does this mean for public key cryptography? Impagliazzo and Rudich [ImRu] show that it would be very hard, or unlikely, to get a proof that one-way functions (even if injective) imply public key cryptosystems. Hence, our result shows that it is unlikely that any known technique can be used to construct public key encryption schemes from generic, non-injective, trapdoor functions. As one might guess given [ImRu], our construction does not preserve injectivity, so even if the starting one-way function is injective, the resulting trapdoor one-way function is not. Trapdoor functions with poly pre-image size yield cryptosystems. In light of the above, one might still imagine that injectivity of the trapdoor functions is required to obtain public key encryption. Still, we ask whether the injectivity condition can be relaxed somewhat. Specifically, the trapdoor one-way functions which we construct from one-way functions have super-polynomial pre-image size. This leads us to ask about trapdoor functions with polynomially bounded pre-image size.

286

Mihir Bellare et al.

Our second result, Theorem 2, shows that trapdoor functions with polynomially bounded pre-image size suffice to construct unapproximable trapdoor predicates, and hence yield public key cryptosystems. This belies the impression that injectivity of the trapdoor function is a necessary feature to directly build a public key cryptosystem from it, and also suggests that the super-polynomial pre-image size in the construction of Theorem 1 is necessary. From trapdoor predicates to trapdoor functions. We then turn to the other side of the coin and ask what kinds of trapdoor functions must necessarily exist to have a public key cryptosystem. Since unapproximable trapdoor predicates and semantically secure public key cryptosystems are equivalent [GoMi] we consider the question of whether unapproximable trapdoor predicates imply injective trapdoor functions. In fact whether or not semantically secure public key cryptosystems imply injective trapdoor functions is not only an open question, but seems a hard one. (In particular, a positive answer would imply injective trapdoor functions based on the Diffie-Hellman assumption, a long standing open problem.) In order to get some insight and possible approaches to it, we consider it in a random oracle model (cf. [ImRu,BeRo]). Theorem 3 says that here the answer is affirmative: given an arbitrary secure public key cryptosystem, we present a function that has access to an oracle H, and prove the function is injective, trapdoor, and one-way when H is random. The construction of Theorem 3 is quite simple, and the natural next question is whether the random oracle H can be replaced by some constructible cryptographic primitive. In the full version of the paper [BHSV], we show that this may be difficult, by showing that a cryptographically strong pseudorandom bit generator [BlMi,Ya], which seems like a natural choice for this construction, does not suffice. The next step may be to follow the approach initiated by Canetti [Ca]: find an appropriate cryptographic notion which, if satisfied by H, would suffice for the correctness of the construction, and then try to implement H via a small family of functions. However, one should keep in mind that replacement of a random oracle by a suitable constructible function is not always possible [CGH]. Thus, our last result should be interpreted with care. 1.3

Discussion and Implications

Theorems 1 and 2 indicate that pre-image size is a crucial parameter when considering the power of trapdoor functions, particularly with respect to constructing public-key cryptosystems. The significance and interpretation of Theorem 3, however, requires a bit more discussion. At first glance, it may seem that public key cryptosystems “obviously imply” injective trapdoor functions. After all, a public key cryptosystem permits unique decryptability; doesn’t this mean the encryption algorithm is injective? No, because, as per [GoMi], it is a probabilistic algorithm, and thus not a function. To make it a function, you must consider it a function of two arguments, the message and the coins, and then it may no longer be injective, because two

Many-to-One Trapdoor Functions and Their Relation to Cryptosystems

287

coin sequences could give rise to the same ciphertext for a given message. Moreover, it may no longer have a (full) trapdoor, since it may not be possible to recover the randomness from the ciphertext. (Public key cryptosystems in the Diffie and Hellman sense [DiHe] imply injective trapdoor one-way functions as the authors remark, but that’s because encryption there is deterministic. It is now understood that secure encryption must be probabilistic [GoMi].) Theorem 3 has several corollaries. (Caveat: All in the random oracle model). First, by applying a transformation of [BeRo], it follows that we can construct non-malleable and chosen-ciphertext secure encryption schemes based on the Ajtai-Dwork cryptosystem [AjDw]. Second, combining Theorems 3 and 2, the existence of trapdoor functions with polynomially bounded pre-image size implies the existence of injective trapdoor functions. (With high probability over the choice of oracle. See Remark 5.) Third, if the Decisional Diffie-Hellman problem is hard (this means the El Gamal [ElG] cryptosystem is semantically secure) then there exists an injective trapdoor function. Note that in the random oracle model, it is trivial to construct (almost) injective one-way functions: a random oracle mapping, say, n bits to 3n bits, is itself an injective one-way function except with probability 2−n over the choice of the oracle. However, random oracles do not directly or naturally give rise to trapdoors [ImRu]. Thus, it is interesting to note that our construction in Theorem 3 uses the oracle to “amplify” a trapdoor property: we convert the weak trapdoor property of a cryptosystem (in which one can only recover the message) to a strong one (in which one can recover both the message and the randomness used). Another interpretation of Theorem 3 is as a demonstration that there exists a model in which semantically secure encryption implies injective trapdoor functions, and hence it may be hard to prove a separation result, in the style of [ImRu], between injective trapdoor functions and probabilistic encryption schemes.

2

Definitions

We present definitions for one-way functions, trapdoor functions, and unapproximable trapdoor predicates. Preliminaries. If S is any probability distribution then x ← S denotes the operation of selecting an element uniformly at random according to S, and [S] is the support of S, namely the set of all points having non-zero probability under S. If S is a set we view it as imbued with the uniform distribution and write x ← S. If A is a probabilistic algorithm or function then A(x, y, · · · ; R) denotes the output of A on inputs x, y, . . . and coins R, while A(x, y, . . .) is the probability distribution assigning to each string the probability, over R, that it is output. For deterministic algorithms or functions A, we write z:=A(x, y, . . .) to mean that the output of A(x, y, . . .) is assigned to z. The notation Pr [ E : R1 ; R2 ; . . . ; Rk ] refers to the probability of event E after the random processes R1 , . . . , Rk are performed in order. If x and y are strings we write their concatenation as xky

288

Mihir Bellare et al.

or just xy. “Polynomial time” means time polynomial in the security parameter k, PPT stands for “probabilistic, polynomial time”, and “efficient” means computable in polynomial time or PPT. 2.1

One-Way and Trapdoor Function Families

We first define families of functions, then say what it means for them to be one-way or trapdoor. Families of Functions. A family of functions is a collection F = {Fk }k∈N where each Fk is probability distribution over a set of functions. Each f ∈ [Fk ] has an associated domain Dom(f ) and range Range(f ). We require three properties of the family: • Can generate: The operation f ← Fk can be efficiently implemented, meaning there is a PPT generation algorithm F -Gen that on input 1k outputs a “description” of a function f distributed according to Fk . This algorithm might also output some auxiliary information aux associated to this function (this is in order to later model trapdoors). • Can sample: Dom(f ) is efficiently samplable, meaning there is a PPT algorithm F -Smp that given f ∈ [Fk ] returns a uniformly distributed element of Dom(f ). • Can evaluate: f is efficiently computable, meaning there is a polynomial time evaluation algorithm F -Eval that given f ∈ Fk and x ∈ Dom(f ) returns f (x). For an element y ∈ Range(f ) we denote the set of pre-images of y under f by f −1 (y) = { x ∈ Dom(f ) : f (x) = y } . We say that F is injective if f is injective (ie. one-to-one) for every f ∈ [Fk ]. If in addition Dom(f ) = Range(f ) then we say that F is a family of permutations. We measure the amount of “non-injectivity” by looking at the maximum preimage size. Specifically we say that F has pre-image size bounded by Q(k) if |f −1 (y)| ≤ Q(k) for all f ∈ [Fk ], all y ∈ Range(f ) and all k ∈ N. We say that F has polynomially bounded pre-image size if there is a polynomial Q(k) which bounds the pre-image size of F . One-wayness. Let F be a family of functions as above. The inverting probability of an algorithm I(·, ·) with respect to F is a function of the security parameter def k, defined as InvProbF (I, k) = 0 Pr x ∈ f −1 (y) : f ← Fk ; x ← Dom(f ) ; y ← f (x) ; x0 ← I(f, y) . F is one-way if InvProbF (I, k) is negligible for any PPT algorithm I. Trapdoorness. A family of functions is said to be trapdoor if it is possible, while generating an instance f , to simultaneously generate as auxiliary output “trapdoor information” tp, knowledge of which permits inversion of f . Formally, a family of functions F is trapdoor if F -Gen outputs pairs (f, tp) where f is the “description” of a function as in any family of functions and tp is auxiliary

Many-to-One Trapdoor Functions and Their Relation to Cryptosystems

289

trapdoor information. We require that there exists a probabilistic polynomial time algorithm F -Inv such that for all k, all (f, tp) ∈ [F -Gen(1k )], and all points y ∈ Range(f ), the algorithm F -Inv(f, tp, y) outputs an element of f −1 (y) with probability 1. A family of trapdoor functions is said to be one-way if it is also a family of one-way functions. A good (candidate) example of a trapdoor, one-way function family which is non-injective is the Rabin family [Rab]: here each function in Fk is four to one. (Traditionally, this function is used as the basis of a public key cryptosystem by first modifying it to be injective.) Remark 1. It is well known that one can define one-way functions either in terms of function families (as above), or in terms of a single function, and the two are equivalent. However, for trapdoor functions, one must talk of families. To maintain consistency, we use the family view of one-way functions as well. 2.2

Trapdoor Predicate Families

We define unapproximable trapdoor predicate families [GoMi]. Recall that such a family is equivalent to a semantically secure public-key encryption scheme for a single bit [GoMi]. A predicate in our context means a probabilistic function with domain {0, 1}, meaning a predicate p takes a bit b and flips coins r to generate some output y = p(b; r). In a trapdoor predicate family P = {Pk }k∈N , each Pk is a probability distribution over a set of predicates, meaning each p ∈ [Pk ] is a predicate as above. We require: • Can generate: There is a generation algorithm P -Gen which on input 1k outputs (p, tp) where p is distributed randomly according to Pk and tp is trapdoor information associated to p. In particular the operation p ← Pk can be efficiently implemented. • Can evaluate: There is a PPT algorithm P -Eval that given p and b ∈ {0, 1} flips coins to output y distributed according to p(b). We say P has decryption error δ(k) if there is a PPT algorithm P -Inv who, with knowledge of the trapdoor, fails to decrypt only with this probability, namely def

DecErrP (P -Inv, k) =

Pr [ b0 6= b : p ← Pk ; b ← {0, 1} ; y ← p(b) ; b0 ← P -Inv(p, tp, y) ]

(1)

is at most δ(k). If we say nothing it is to be assumed that the decryption error is zero, but sometimes we want to discuss families with non-zero (and even large) decryption error. Unapproximability. Let P be a family of trapdoor predicates as above. The predicting advantage of an algorithm I(·, ·) with respect to P is a function of the def security parameter k, defined as PredAdvP (I, k) = 1 Pr [ b0 = b : p ← Pk ; b ← {0, 1} ; y ← p(b) ; b0 ← I(p, y) ] − . 2

290

Mihir Bellare et al.

We say that P is unapproximable if PredAdvP (I, k) is negligible for any PPT algorithm I.

3

From One-Way Functions to Trapdoor Functions

In this section we establish the following result: Theorem 1. Suppose there exists a family of one-way functions. Then there exists a family of trapdoor, one-way functions. This is proved by taking an arbitrary family F of one-way functions and “embedding” a trapdoor to get a family G of trapdoor functions. The rest of this section is devoted to the proof. 3.1

Proof Sketch of Theorem 1

Given a family F = {Fk }k∈N of one-way functions we show how to construct a family G = {Gk }k∈N of trapdoor one-way functions. Let us first sketch the idea. Given f ∈ Fk we want to construct g which “mimics” f but somehow embeds a trapdoor. The idea is that the trapdoor is a particular point α in the domain of f . Function g will usually just evaluate f , except if it detects that its input contains the trapdoor; in that case it will do something trivial, making g easy to invert given knowledge of the trapdoor. (This will not happen often in normal execution because it is unlikely that a randomly chosen input contains the trapdoor.) But how exactly can g “detect” the trapdoor? The first idea would be to include α in the description of g so that it can check whether its input contains the trapdoor, but then g would no longer be one-way. So instead the description of g will include β = f (α), an image of the trapdoor under the original function f , and g will run f on a candidate trapdoor to see whether the result matches β. (Note that we do not in fact necessarily detect the real trapdoor α; the trivial action is taken whenever some pre-image of β under f is detected. But that turns out to be OK.) In the actual construction, g has three inputs, y, x, v, where v plays the role of the “normal” input to f ; x plays the role of the candidate trapdoor; and y is the “trivial” answer returned in case the trapdoor is detected. We now formally specify the construction and sketch a prof that it is correct. A particular function g ∈ [Gk ] will be described by a pair (f, β) where f ∈ [Fk ] and β ∈ Range(f ). It is defined on inputs y, x, v by y if f (x) = β g(y, x, v) = (2) f (v) otherwise. Here x, v ∈ Dom(f ), and we draw y from some samplable superset Sf of Range(f ). (To be specific, we set Sf to the set of all strings of length at most p(k) where p(k) is a polynomial that bounds the lengths of all strings in Range(f ).) So the domain of g is Dom(g) = Sf × Dom(f ) × Dom(f ). We now give an intuitive explanation of why G is one-way and trapdoor. First note that for any z it is the case that (z, α, α) is a preimage of z under g,

Many-to-One Trapdoor Functions and Their Relation to Cryptosystems

291

so knowing α enables one to invert in a trivial manner, hence G is trapdoor. For one-wayness, notice that if g(y, x, v) = z then either f (v) = z or f (x) = β. Thus, producing an element of g −1 (z) requires inverting f at either z or β, both of which are hard by the one-wayness of F . A formal proof that G satisfies the definition of a family of one-way trapdoor functions can be found in the full version of this paper [BHSV]. Remark 2. One can verify that the trapdoor functions g produced in the above construction are regular (ie. the size of g −1 (y) is the same for all y ∈ Range(g)) if the original one-way functions f are regular. Thus, adding regularity as a requirement is not likely to suffice for making public-key cryptosystems.

4

From Trapdoor Functions to Cryptosystems

Theorem 1 coupled with [ImRu] says that it is unlikely that general trapdoor functions will yield semantically secure public-key cryptosystems. However, in our construction of Section 3.1 the resulting trapdoor function was “very noninjective” in the sense that the pre-image size was exponential in the security parameter. So, we next ask, what is the power of trapdoor function families with polynomially bounded pre-image size? We show a positive result: Theorem 2. If there exist trapdoor one-way function families with polynomially bounded pre-image size, then there exists a family of unapproximable trapdoor predicates with exponentially small decryption error. Theorem 2 extends the well-known result of [Ya,GoMi] that injective trapdoor functions yield semantically secure public-key cryptosystems, by showing that the injectivity requirement can be relaxed. Coupled with [ImRu] this also implies that it is unlikely that the analogue of Theorem 1 can be shown for trapdoor functions with polynomially bounded pre-image sizes. 4.1

Proof of Theorem 2

Let F = {Fk }k∈N be a family of trapdoor one-way functions with pre-image size bounded by a polynomial Q. The construction is in two steps. We first build an unapproximable family of trapdoor predicates P with decryption error 1/2 − 1/ poly(k), and then reduce the decryption error by repetition to get the family claimed in the theorem. The first step uses the Goldreich-Levin inner-product construction [GoLe]. This construction says that if f is a one-way function, one can securely encrypt a bit b via f (x), r, σ where σ = b ⊕ (x r) with r a random string, x ∈ Dom(f ), and denoting the inner-product mod 2. Now, if f is an injective trapdoor function, then with the trapdoor information, one can recover b from f (x), r, and σ by finding x and computing b = σ ⊕ (x r). If instead f has polynomial-size pre-images, the “correct” x will only be recovered with an inverse polynomial probability. However, we will show that the rest of the time, the success proba1 ) bias towards the right bility is exactly 50%. This gives a noticeable ( 12 + poly(k)

292

Mihir Bellare et al.

value of b. Now, this slight bias needs to be amplified, which is done by repeating the construction many times in parallel and having the decryptor take the majority of its guesses to the bit in the different coordinates. A full description and proof follow. We may assume wlog that there is a polynomial l(k) such that Range(f ) ⊆ {0, 1}l(k) for all f ∈ [Fk ] and all k ∈ N. We now describe how to use the Goldreich-Levin inner-product construction [GoLe] to build P = {Pk }k∈N . We associate to any f ∈ [Fk ] a predicate p defined as follows: Predicate p(b) x ← Dom(f ) r ← {0, 1}l(k) σ := b ⊕ (x r) Output (f (x), r, σ)

// // // //

Takes input a bit b Choose x at random from the domain of f Choose a random l(k)-bit string XOR b with the GL bit

Here ⊕ denotes XOR (ie. addition mod 2) and denotes the inner-product mod 2. The generator algorithm for P will choose (f, tp) ← F -Gen(1k ) and then output (p, tp) with p defined as above. Notice that p is computable in PPT if f is. The inversion algorithm P -Inv is given p, the trapdoor tp, and a triple (y, r, σ). It first runs the inversion algorithm F -Inv of F on inputs f, tp, y to obtain x0 , and then outputs the bit b0 = σ ⊕ (x0 r). It is clear that the inversion algorithm is not always successful, but in the next claim we prove that it is successful appreciably more often than random guessing. Claim. P is an unapproximable trapdoor predicate family, with decryption error at most (1/2) − 1/[2Q(k)]. Proof. We know that F is one-way. Thus, the inner product is a hardcore bit for F [GoLe]. This implies that P is unapproximable. It is left to show that the decryption error of P is as claimed, namely that DecErrP (P -Inv, k) (as defined in Equation (1)) is at most (1/2) − 1/[2Q(k)]. Fix f, tp, b, let x, r be chosen at random as by p(b), let y = f (x), let σ = b ⊕ (x r), let x0 ← F -Inv(f, tp, y), and let b0 = σ ⊕ (x0 r). Notice that if x0 = x then b0 = b, but if x0 6= x then the random choice of r guarantees that b0 = b with probability at most 1/2. (Because F -Inv, who generates x0 , gets no information about r.) The chance that x = x0 is at least 1/Q(k) (because F -Inv gets no information about x other than that f (x) = y) so 1 1 · DecErrP (P -Inv, k) ≤ 1 − Q(k) 2 as desired. t u def

Now, we can iterate the construction q(k) = Θ(kQ(k)2 ) times independently and decrypt via a majority vote to reduce the decryption error to e−k . In more detail, our final predicate family P q = {Pkq }k∈N is like this. An instance pq ∈ [Pkq ] is still described by a function f ∈ [Fk ] and defined as pq (b) = p(b)k · · · kp(b), meaning it consists of q(k) repetitions of the original algorithm p on independent

Many-to-One Trapdoor Functions and Their Relation to Cryptosystems

293

coins. The inversion algorithm P q -Inv is given the trapdoor tp and a sequence of triples (y1 , r1 , σ1 )k · · · k(yq(k) , rq(k) , σq(k) ) . For i = 1, . . . , q(k) it lets b0i = P -Inv(p, tp, (yi , ri , σi )). It outputs b0 which is 1 if the majority of the values b01 , . . . , b0q(k) are 1, and 0 otherwise. Chernoff bounds show that DecErrP q (P q -Inv, k) ≤ e−k . Furthermore standard “hybrid”arguments [GoMi,Ya] show that P q inherits the unapproximability of P . This concludes the proof of Theorem 2. Remark 3. Notice that Theorem 2 holds even if the family F only satisfies a very weak trapdoor property — namely, that F -Inv produces an element of f −1 (y) with probability at least 1/p(k) for some polynomial p. Essentially the same proof will show that P -Inv can guess b correctly with probability at least 1/2 + 1/[2Q(k)p(k)].

5

From Cryptosystems to Trapdoor Functions

In this section we investigate the relation between semantically secure public key cryptosystems and injective trapdoor functions. It is known that the existence of unapproximable trapdoor predicates is equivalent to the existence of semantically secure public-key encryption [GoMi]. It is also known that injective trapdoor one-way functions can be used to construct unapproximable trapdoor predicates [Ya] (see also [GoLe]). In this section, we ask whether the converse is true: Question 1. Can unapproximable trapdoor predicates be used to construct injective trapdoor one-way functions? Note the importance of the injectiveness condition in Question 1. We already know that non-injective trapdoor functions can be constructed from trapdoor predicates (whether the latter are injective or not) because trapdoor predicates imply one-way functions [ImLu] which in turn imply trapdoor functions by Theorem 1. We suggest a construction which requires an additional “random looking” function G and prove that the scheme is secure when G is implemented as a random oracle (to which the adversary also has access). Hence, IF it is possible to implement using one-way functions a function G with “sufficiently strong randomness properties” to maintain the security of this scheme, then Question 1 would have a positive answer (as one-way functions can be constructed from unapproximable trapdoor predicates [ImLu]). The key difference between trapdoor functions and trapdoor predicates is that predicates are probabilistic, in that their evaluation is a probabilistic process. Hence, our construction is essentially a de-randomization process. Suppose we have a family P of unapproximable trapdoor predicates, and we want to construct a family F of injective one-way trapdoor functions from P . A

294

Mihir Bellare et al.

first approach would be to take an instance p of P and construct an instance f of F as f (b1 b2 · · · bk kr1 k · · · krk ) = p(b1 ; r1 )k · · · kp(bk ; rk ), where k is the security parameter. Standard direct product arguments [Ya] imply that F constructed in this manner is one-way. However, F may fail to be trapdoor; the trapdoor information associated with p only allows one to recover b1 , . . . , bk , but not r1 , . . . , rk . Our approach to fixing this construction is to instead have r1 , . . . , rk determined by applying some “random-looking” function G to b1 , . . . , bk : where r1 k · · · krk = G(b1 · · · bk ). f (b1 b2 · · · bk ) = p(b1 ; r1 )k · · · kp(bk ; rk ), Since G must be length-increasing, an obvious choice for G is a pseudo-random generator. A somewhat circular intuitive argument can be made for the security of this construction: If one does not know b1 , . . . , bk , then r1 , . . . , rk “look random,” and if r1 , . . . , rk “look random,” then it should be hard to recover b1 , . . . , bk by the unapproximability of P . In the full version of the paper [BHSV], we show that this argument is in fact false, in that there is a choice of an unapproximable trapdoor predicate P and a pseudorandom generator G for which the resulting scheme is insecure. However, it is still possible that there are choices of functions G that make the above secure. Below we show that the scheme is secure when G is implemented as a truly random function, ie. a random oracle (to which the adversary also has access). Intuitively, having access to the oracle does not help the adversary recover b1 · · · bk for the following reason: the values of the oracle are irrelevant except at b1 · · · bk , as they are just random strings that have nothing to do with b1 · · · bk or f (b1 · · · bk ). The adversary’s behavior is independent of the value of the oracle at b1 · · · bk unless the adversary queries the oracle at b1 · · · bk . On the other hand, if the adversary queries the oracle at b1 · · · bk , it must already “know” b1 · · · bk . Specifically, if the adversary queries the oracle at b1 · · · bk with non-negligible probability then it can invert f with non-negligible probability without making the oracle call, by outputting the query. We now proceed with a more formal description of the random oracle model and our result. The random oracle model. In any cryptographic scheme which operates in the random oracle model, all parties are given (in addition to their usual resources) the ability to make oracle queries [BeRo]. It is postulated that all oracle queries, independent of the party which makes them, are answered by a single function, denoted O, which is uniformly selected among all possible functions (where the set of possible functions is determined by the security parameter). The definitions of families of functions and predicates are adapted to the random oracle model in a straightforward manner: We associate some fixed polynomial Q with each family of functions or predicates, such that on security parameter k all the algorithms in the above definitions are given oracle access to a function O : {0, 1}∗ → {0, 1}Q(k) . The probabilities in these definitions are then taken over the randomness of these algorithms and also over the choice of O uniformly at random among all such functions.

Many-to-One Trapdoor Functions and Their Relation to Cryptosystems

295

Theorem 3. If there exists a family of unapproximable trapdoor predicates, then there exists a family of injective trapdoor one-way functions in the random oracle model. Remark 4. Theorem 3 still holds even if the hypothesis is weakened to only require the existence of a family of unapproximable trapdoor predicates in the random oracle model. To see that this hypothesis is weaker, note that a family of unapproximable trapdoor predicates (in the standard, non-oracle model) remains unapproximable in the random oracle model, as the oracle only provides randomness which the adversary can generate on its own. See Sections 1.2 and 1.3 for a discussion of the interpretation of such a result. We now proceed to the proof. 5.1

Proof of Theorem 3

Let P = {Pk }k∈N be a family of unapproximable trapdoor predicates. Let q(k) be a polynomial upper bound on the number of random bits used by any p ∈ Pk . When used with security parameter k, we view the oracle as a function O : {0, 1}∗ → {0, 1}kq(k) . We define a family F = {Fk }k∈N of trapdoor functions in the random oracle model as follows: We associate to any p ∈ [Pk ] the function f defined on input b1 . . . bk ∈ {0, 1}k by f (b1 · · · bk ) = p(b1 ; r1 )k · · · kp(bk ; rk ), where r1 k · · · krk = O(b1 · · · bk ), ri ∈ {0, 1}q(k) . The generator F -Gen takes input 1k , runs (p, tp) ← P -Gen(1k ) and outputs (f, tp) where f is as defined above. It is clear that f can be evaluated in polynomial time using the evaluator P -Eval for p. Notice that f can be inverted given the trapdoor information. Given f, tp, and y1 k · · · kyk = f (b1 . . . bk ), inverter F -Inv computes bi = P -Inv(p, tp, yi ) for i = 1, . . . , k, and outputs b1 . . . bk . Furthermore, f is injective because P has zero decryption error: in this inversion process, P -Inv correctly returns bi , so we correctly recover the full input. It remains to show that F is one-way. Claim. F is one-way. We prove this claim by describing several probabilistic experiments, modifying the role of the oracle with each experiment. The first arises from the definition of a family of one-way functions in the random oracle model. Let A be any PPT, let k be any positive integer, and let q = q(k). Experiment 1. (1) Choose a random oracle O : {0, 1}∗ → {0, 1}kq(k) . (2) Choose p ← Pk

296

(3) (4) (5) (6)

Mihir Bellare et al.

Select b1 , . . . , bk uniformly and independently from {0, 1}. Let r1 k · · · krk = O(b1 · · · bk ), where |ri | = q(k) for each i. Let x = p(b1 ; r1 )k · · · kp(bk ; rk ). Compute z ← AO (1k , p, x).

We need to prove the following: Claim. For every PPT A, the probability that z = b1 · · · bk in Experiment 1 is a negligible function of k. To prove Claim 5.1, we first analyze what happens when the ri ’s are chosen independently of the oracle, as in the following experiment: Let A be any PPT, let k be any positive integer, and let q = q(k). Experiment 2. (1)–(3) As in Experiment 1. (4) Select r1 , . . . , rk uniformly and independently from {0, 1}q . (5)–(6) As in Experiment 1. Claim. For every PPT A, the probability that z = b1 · · · bk in Experiment 2 is a negligible function of k. Claim 5.1 follows from standard direct product arguments [Ya,GNW]. Specifically, Claim 5.1 is a special case of the uniform complexity version of the Concatenation Lemma in [GNW, Lemma 10]. Claim. For every PPT A, the probability that O is queried at point b1 · · · bk during the execution of AO (1k , p, x) in Step 6 of Experiment 2 is a negligible function of k. Proof. Suppose that the probability that O is queried at point b1 · · · bk was greater that 1/s(k) for infinitely many k, where s is a polynomial. Then we could obtain a PPT A0 that violates Claim 5.1 as follows. Let t(k) be a polynomial bound on the running time of A. A0 does the following on input (1k , p, x): (1) Select i uniformly from {1, . . . , t(k)}. (2) Simulate A on input (1k , p, x), with the following changes: (1) Replace the oracle responses with strings randomly selected on-line, with the condition that multiple queries at the same point give the same answer. (2) Halt the simulation at the i’th oracle query and let w be this query. (3) Output w. Then A0 , when used in Experiment 2, outputs b1 · · · bk with probability greater that 1/(s(k)t(k)) for infinitely many k, which contradicts Claim 5.1. t u In order to deduce Claim 5.1 from Claims 5.1 and 5.1, we give an equivalent reformulation of Experiment 1: Let A be any PPT, let k be any positive integer, and let q = q(k).

Many-to-One Trapdoor Functions and Their Relation to Cryptosystems

297

Experiment 3. (1)–(3) As in Experiment 1. (4) Select r1 , . . . , rk uniformly and independently from {0, 1}q . (5) Let x = p(b1 ; r1 )k · · · kp(bk ; rk ). (6) Modify O at location b1 · · · bk to have value r1 k · · · krk . (7) Compute z ← AO (1k , p, x). We now argue that Experiment 3 is equivalent to Experiment 1. In Experiment 1, r1 , . . . , rk are uniformly and independently distributed in {0, 1}q and after Step 5 of Experiment 1 the only information about the oracle that has been used is that r1 k · · · krk = O(b1 · · · bk ). Thus, the final distribution on all random variables are identical in the two experiments and it suffices to prove Claim 5.1 for Experiment 3 rather than Experiment 1. Proof. Let E be the event that z = b1 · · · bk in Experiment 3. Let F be the event that O is queried at point b1 · · · bk during the execution of AO (p, x) in Step 7 of Experiment 3. To show that E occurs with negligible probability, it suffices to argue that both F and E ∧ F occur with negligible probability. First we show that F occurs with negligible probability. Notice that whether or not AO queries O at b1 · · · bk in Experiment 3 will not change if Step 6 is removed. This is because its behavior cannot be affected by the change in O(b1 · · · bk ) until it has already queried that position of the oracle. If Step 6 is removed from Experiment 3, we obtain Experiment 2. Hence, the probability of F is negligible by Claim 5.1. Similarly, the probability that [z = b1 · · · bk and AO never queries the oracle at b1 · · · bk ] will not change if Step 6 is removed. Thus, the probability of E ∩ F is bounded above by the probability that z = b1 · · · bk in Experiment 2, which is negligible by Claim 5.1. t u Remark 5. If the family of unapproximable trapdoor predicates we start with has negligible decryption error, then the family of trapdoor functions we construct will in general also have negligible decryption error and may fail to be injective with some small probability. By first reducing the decryption error of the predicate family to exp(−Ω(k 3 )) as in the proof of Theorem 2 and then using the oracle to derandomize the inversion algorithm, one can produce an injective family that has zero decryption error with probability 1−2−k (where the probability is just taken over the choice of the oracle).

Acknowledgments The first author was supported by a 1996 Packard Foundation Fellowship in Science and Engineering, and by NSF CAREER Award CCR-9624439. The third and fourth authors were supported by DOD/NDSEG Graduate Fellowships and partially by DARPA grant DABT-96-C-0018.

298

Mihir Bellare et al.

The starting point of this research was a question posed to us by Shafi Goldwasser, namely whether trapdoor permutations could be built from the assumptions underlying the Ajtai-Dwork cryptosystem. Thanks to Oded Goldreich and the members of the Crypto 98 program committee for their comments on the paper.

References AjDw.

AMM.

BHSV.

BeRo.

Be. BlMi.

Ca.

CGH.

DiHe.

DDN.

ElG.

GoLe.

GoMi.

GNW.

M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case / average-case equivalence. Proceedings of the 29th Annual Symposium on the Theory of Computing, ACM, 1997. 287 Adleman, Manders and Miller. On taking roots in finite fields. Proceedings of the 18th Symposium on Foundations of Computer Science, IEEE, 1977. M. Bellare, S. Halevi, A. Sahai, and S. Vadhan. Many-to-one trapdoor functions and their relation to public-key cryptosystems. Full version of this paper, available via http://www-cse.ucsd.edu/users/mihir. M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. Proceedings of the First Annual Conference on Computer and Communications Security, ACM, 1993. 286, 287, 294 E. Berlekamp. Factoring polynomials over large finite fields. Mathematics of Computation, Vol. 24, 1970, pp. 713–735. M. Blum and S. Micali. How to generate cryptographically strong sequences of pseudo-random bits, SIAM Journal on Computing, Vol. 13, No. 4, 850-864, November 1984. 286 R. Canetti. Towards realizing random oracles: Hash functions that hide all partial information. Advances in Cryptology – Crypto 97 Proceedings, Lecture Notes in Computer Science Vol. 1294, B. Kaliski ed., Springer-Verlag, 1997. 286 R. Canetti, O. Goldreich and S. Halevi. The random oracle model, revisited. Proceedings of the 30th Annual Symposium on the Theory of Computing, ACM, 1998. 286 W. Diffie and M. Hellman. New directions in cryptography. IEEE Trans. Info. Theory, Vol. IT-22, No. 6, November 1976, pp. 644–654. 284, 284, 284, 287 D. Dolev, C. Dwork, and M. Naor. Non-Malleable Cryptography. Proceedings of the 23rd Annual Symposium on the Theory of Computing, ACM, 1991. T. El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory, Vol. 31, 1985, pp. 469–472. 287 O. Goldreich and L. Levin. A hard predicate for all one-way functions. Proceedings of the 21st Annual Symposium on the Theory of Computing, ACM, 1989. 291, 292, 292, 293 S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System Sciences, Vol. 28, April 1984, pp. 270–299. 284, 284, 284, 284, 286, 286, 287, 289, 289, 291, 293, 293 O. Goldreich, N. Nisan, and A. Wigderson. On Yao’s XOR Lemma. Electronic Colloquium on Computational Complexity, TR95-050. March 1995. http://www.eccc.uni-trier.de/eccc/ 296, 296

Many-to-One Trapdoor Functions and Their Relation to Cryptosystems HILL.

ImLu.

ImRu.

NaYu.

Rab. Ya.

299

J. H˚ astad, R. Impagliazzo, L. Levin and M. Luby. Construction of a pseudo-random generator from any one-way function. Manuscript. Earlier versions in STOC 89 and STOC 90. R. Impagliazzo and M. Luby. One-way Functions are Essential for Complexity-Based Cryptography. Proceedings of the 30th Symposium on Foundations of Computer Science, IEEE, 1989. 293, 293 R. Impagliazzo and S. Rudich. Limits on the provable consequences of one-way permutations. Proceedings of the 21st Annual Symposium on the Theory of Computing, ACM, 1989. 285, 285, 286, 287, 287, 291, 291 M. Naor and M. Yung. Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks. Proceedings of the 22nd Annual Symposium on the Theory of Computing, ACM, 1990. M. Rabin. Digitalized Signatures and Public Key Functions as Intractable as Factoring. MIT/LCS/TR-212, 1979. 289 A. Yao. Theory and applications of trapdoor functions. Proceedings of the 23rd Symposium on Foundations of Computer Science, IEEE, 1982. 284, 286, 291, 293, 293, 294, 296

Authentication, Enhanced Security and Error Correcting Codes Extended Abstract Yonatan Aumann1 and Michael O. Rabin2 1

2

Department of Mathematics and Computer Science, Bar Ilan University, Ramat-Gan, Israel, [email protected] DEAS, Harvard University, Cambridge, MA, and Institute of Computer Science, The Hebrew University, Jerusalem, Israel, [email protected]

Abstract. In electronic communications and in access to systems, the issue of authentication of the Sender S of a message M , as well as of the message itself, is of paramount importance. Recently S. Goldwasser has raised the additional issue of Deniable Authentication where the sender S authenticates the message M to the Receiver’s (R) satisfaction, but can later deny his authorship of M even to an Inquisitor INQ who has listened to the exchange between S and R and who gains access to all of the the secret information used by S and R. We present two practical schemes for Deniable Authentication of messages M of arbitrary length n. In both schemes the Receiver R is assured with probability greater than 1 − 2−k , where k is a chosen security parameter, that M originated with the Sender S. Deniability is absolute in the information theoretic sense. The first scheme requires 2.4kn XOR operations on bits and one public key encoding and decoding of a short message. The second scheme requires the same number of XOR operations and k multiplications mod N , where N is some fixed product of two large primes. A key new feature of our method is the use of a Shannon-style error correction code. Traditional authentication for a long message M starts by hashing M down to a standard word-size. We expand M through error correction. The first Deniable Authentication method is provably valid for any encryption scheme with minimal security properties, i.e. this method is generic. The second Deniable Authentication method is provably valid under the usual assumption that factorization is intractable.

Background and New Results The question of authentication of transmitted messages is of paramount importance. When a Sender S communicates with a receiver R and sends him a message M , it does not suffice for R to authenticate (identify) S in order to know that M has actually originated with S. An Adversary AD can actively tap the line between S and R, and after R has authenticated the sender S, AD can ¯ to R. block the Sender’s transmission and inject his own message M H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 299–303, 1998. c Springer-Verlag Berlin Heidelberg 1998

300

Yonatan Aumann and Michael O. Rabin

There is also an obvious need for Deniable Authentication (DA). In electronic voting schemes DA is a tool for providing freedom from coercion. In negotiations over the Internet it may be desirable for S to be able to make price offers M to R in a manner that prevents R from showing the offer to another party in order to elicit a better offer. Namely, R cannot prove to the third party that S has made the offer contained in M . It should be noticed that the manner in which the Internet and Electronic Commerce are evolving, call for the widespread use of public-key signatures and for public-key based schemes for establishing shared secret keys. The usual approach to creating Message Authentication Code (MAC) assumes that S and R share a secret key K. The message M is hashed down to a fixed block size b by use of a hash function H(K, M ) which folds the key K into the hashing process. The Sender S then sends (M, H(K, M )) to R who verifies the tag H(K, M ). Alternatively, S digitally signs H(M ), where H is a known hash function, using a public key signature SgnS (H(M )), and R verifies SgnS (H(M )). There are a number of difficulties associated with this approach. To be efficient we need fast hash functions H and fast digital signatures. When it comes to the construction of MAC schemes that are provably secure (based on an assumption such as intractability of factoring), one has to use particularly compute intensive hash functions such as the beautiful scheme proposed in [8,3]. As to deniability of authorship of M , it is obvious that a scheme using digital signatures in a straightforward manner has in consequence also strict undeniability, which is the purpose of digital signatures. As mentioned in the abstract, our schemes are highly efficient, are provably secure, and provide information theoretic deniability. We shall outline our solutions after discussing previous work and background. Previous Work. Because of the significant practical importance of Message Authentication, there is a very extensive literature on MACs. This literature deals with theoretical as well as with practical issues of authentication. For long messages, hashing down to a short message is the first step. In the papers that aim at creating MACs for actual systems use, there is strong emphasis on rate, i.e. speed, of the hashing process. Let us mention here as representative important examples the papers by Wegman and Carter [14], Bellare, Canetti and Krawczyk [1], Halevi and Krawczyk [9], and Krawczyk [10]. The papers, as well as for example Schneier’s book [12], contain a wealth of references to the literature on authentication. The present practical MACs do not require interaction. The message M , with some authenticating tag, is sent by the Sender to the Receiver who verifies the tag. The Deniable Authentication schemes presented here do require, after transmission of the message, a small number of additional message rounds. The additional messages are of size at most O(k log n), where M is the the length of the message to be authenticated, and k is the security parameter. On the other hand, these schemes do not require pre-shared secret keys for S and R. In this setting interaction seems to be necessary for Deniable Authentication. We feel that the cost of interaction is not onerous.

Authentication, Enhanced Security and Error Correcting Codes

301

Canetti et. al. [2] solve a problem closely related to the Deniable Authentication problem, namely the problem of deniable encryption, in a model where the Inquisitor INQ listens to the transmission between S and and R. In their model the Sender is identified in the sense that the eavesdropper knows that he is listening to a conversation between S and R. The only issue for him is to be able to prove what the contents of that conversation was. The sender S sends an encrypted message E(M ) = C to R, where E is the a probabilistic encryption function. INQ, who knows C, can then go to S and/or R and interrogate them as to the value of M . [2] provide deniable encryption in the sense that S or R ¯ so that C = E(M ¯ ). If one assumes a secret can produce any other message M one-time pad of length |M | = n which is shared by R and S, then the problem is trivial. The challenging problem arises in a setting where only public keys and the corresponding private keys held by the participants are used. The [2] solution provides only polynomially secure deniability and the Inquisitor INQ is limited to polynomial computing power. If INQ can compel every participant in the protocol to reveal their private keys then deniability collapses. The protocol is compute intensive. In a new paper [4], Dwork et al address the deniable authentication of messages as an application of concurrent zero knowledge proofs. They require a timing constraint that they call an (α, β)-assumption on the response time of processes. Their solutions directly apply to messages M shorter than the public keys used and are compute intensive. New Results. Coming to our solutions, we assume a model in which the Sender S and the Receiver R are connected by an insecure link. The adversaries in the schemes we construct include an Impostor who tries to impersonate S and send ¯ appearing to originate from S. The Impostor can also be a to R a message M Person In the Middle (PIM), sitting on the link between S and R, intercepting the traffic between them and injecting messages of his own. In essence, the PIM can employ the Sender S as an oracle in his attempt to fool R. Thus general chosen message attacks should also be protected against. When discussing deniability of authentication, we assume that the communication between S and R is such that listening to the transmission does not identify S. For example, S may use a notebook computer and a modem at a public telephone. We allow an Inquisitor INQ who listens on the line to the exchange between S and R. INQ later comes to S and R and compels them to reveal all the secret data, such as encryption/signature keys, used in the protocol. Even so, INQ cannot prove that the message M was authored by S. It follows that the Receiver R himself cannot prove after the fact to a third party that M was authored by S. Also, the INQ cannot impersonate R to S and elicit from S an authenticated message M to R. This seems to be impossible if INQ has the capabilities of a Person In the Middle , but our schemes do have this property as well. The central tool in our schemes is the use of an error correction code C. Let us assume messages M comprising n bits. We assume that C(M ) = y1 , y2 , . . . , ym ¯ then the Hamming distance between C(M ) has the property that if M 6= M

302

Yonatan Aumann and Michael O. Rabin

¯ ) is greater than m/4, i.e. C(M ) and C(M ¯ ) differ at more than m/4 and C(M indices. For our purposes we choose a code C which is very efficient to encode. We never have a need to decode C(M ). Also, in our application S and R need to compute only a fixed number 2.4k of (randomly chosen) bits of C(M ). For our first Deniable Authentication scheme we assume a public key encryption function ES for S (who, of course, possesses the corresponding secret decryption function DS ). The Sender S sends M to R. They then create a random sequence Y = i1 , . . . , ik of k different indices between 1 and m. The bits of C(M ) at these indexes are computed by S and by R. Sender S then deniably authenticates these bits as well as Y to R. Thus Deniable Authentication of the long message M is reduced to Deniable Authentication of a short message. For our second Deniable Authentication scheme we assume a publicly available Directory containing certain public keys for each potential Sender. The sender S wants to transmit messages M = x1 x2 . . . xn , where each xi is a bit. We again employ the error correction code C which codes M into C(M ) = y1 y2 . . . ym , where m = cn (say m = 5n) and the Hamming distance between any two code words Y1 and Y2 is αm. With m = 5n we ensure α > 1/4. The code C is publicly known and is used by every Sender. The public Directory contains C and a number N = p · q chosen as a product of two large primes, and where the factorization of N is not known to R (and possibly not to S either). Every potential sender S randomly chooses ∗ a0 , a1 , g0 , . . . , gm in ZN , computes their squares mod N , and publishes those squares A0 , A1 , G0 , ·, Gm , in the Directory. In the full paper we give a version of our protocol that allows to reduce the size of each Sender’s Directory entry from m + 2 to log2 m + 2. The Sender S sends M to R. To authenticate M as having originated with S, the Receiver R randomly chooses L = d · k (where d > 1 depends only on c, i.e. on the code C; for c = 5 we have d = 2.4) indices i1 , . . . , iL between 1 and m (the size of the error correcting coded message C(M ) = y1 y2 . . . ym ). He then computes yi1 , . . . , yiL . For the code C that we use, each such computation of a yij requires just n XOR operations on bits regardless of c. The Receiver R then conducts an L-round interaction with S. Roughly speaking, in round j the Receiver R verifies that yij is the ij -th bit in the code word of a message that S has actually sent him. The precise details and the proof of authentication are given in the full paper. Each round requires four multiplications mod N by the sender and by the receiver. If we want a more compact Directory with just log2 m+2 words for each Sender, then the above 4 is replaced by log2 m + 3. However, precomputation by the Sender and by the Receiver (in case R will receive many authenticated messages from S), will again reduce the number of multiplications to 4. Note that the total number of multiplications 2.4 · 4k = 9.6k for each participant, and is independent of the message length n. After this interaction, R knows, with probability of being cheated smaller than 2−k that M has originated with S. This is provable on the assumption that factorization of N is intractable.

Authentication, Enhanced Security and Error Correcting Codes

303

We then prove that, provided that S does not conduct more than a fixed number of message-authentications simultaneously, our message authentication is deniable in the strong information-theoretic sense explained in the Abstract. Under any reasonable timing restrictions on concurrency, such as those in [4], we directly achieve deniability in the unbounded concurrency setting. The intractability of extracting square roots mod N based on the intractability of factoring N , which lies at the heart of our authentication scheme, was first introduced and used in [11]. Square roots mod N are used for user authentication and for digital signatures in [6] and in [5]. Zero Knowledge Proofs of languages involving squares mod N and of knowledge of square roots mod N are discussed in [7] and in [13].

References 1. M. Bellare, R. Canetti, and H. Krawczyk. Keying hash functions for message authentication. In Proceedings of Crypto 96, 1996. 300 2. R. Canetti, C. Dwork, M. Naor, and R. Ostrovsky. Deniable encryption. In Proceedings of Crypto 97, 1997. 301, 301, 301 3. I. Damgard. Collision free hash functions. In Eurocrypt ’87, pages 203–216, 1987. 300 4. C. Dwork, M. Naor, and A. Sahari. Concurrent zero knowledge. In Proceedings of the 30th STOC, 1998. 301, 303 5. U. Feige, A. Fiat, and A. Shamir. Zero knowledge proofs of identity. In Proceedings of the 19th STOC, 1987. 303 6. A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problem. In Proceedings of Crypto ’86, pages 186–194, 1997. 303 7. S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18:186–208, 1989. 303 8. S. Goldwasser, S. Micali, and R. Rivest. A secure digital signature scheme. SIAM Journal on Computing, 17(2):281–308, 1988. 300 9. S. Halevi and H. Krawczyk. Mmh: Message authentication in software in the gbit/second rates. In Proceedings of the 4th Workshop on Fast Software Encryption, 1997. 300 10. H. Krawczyk. Lfsr-based hashing and authentication. In Proceedings of Crypto ’94, pages 129–139, 1994. 300 11. M. O. Rabin. Digitized signatures and public key functions as intractible as factorization. MIT Laboratory for Computer Science Technical Report LCS/TR-212, MIT, 1979. 303 12. B. Schneier. Applied Cryptography : Protocols, Algorithms, and Source Code in C. John Wiley and Sons, 1995. 300 13. M. Tompa and H. Woll. Random self-reducibility and zero-knowledge interactive proofs of possession of information. In Proceedings 28th STOC, pages 472–482, 1987. 303 14. M.N. Wegman and J.L. Carter. New hash functions and their use in authentication and set equality. JCSS, 22:265–279, 1981. 300

An Efficient Discrete Log Pseudo Random Generator Sarvar Patel and Ganapathy S. Sundaram Bell Labs 67 Whippany Rd, Whippany, NJ 07981, USA {sarvar,ganeshs}@bell-labs.com

Abstract. The exponentiation function in a finite field of order p (a prime number) is believed to be a one-way function. It is well known that O(log log p) bits are simultaneously hard for this function. We consider a special case of this problem, the discrete logarithm with short exponents, which is also believed to be hard to compute. Under this intractibility assumption we show that discrete exponentiation modulo a prime p can hide n−ω(log n) bits (n = dlog pe and p = 2q+1, where q is also a prime). We prove simultaneous security by showing that any information about the n − ω(log n) bits can be used to discover the discrete log of g s mod p where s has ω(log n) bits. For all practical purposes, the size of s can be a constant c bits. This leads to a very efficient pseudo-random number generator which produces n − c bits per iteration. For example, when n = 1024 bits and c = 128 bits our pseudo-random number generator produces a little less than 900 bits per exponentiation.

1

Introduction

A function f is said to be one-way if it is easy to compute but hard to invert. With appropriate selection of parameters, the discrete exponentiation function over a finite field, g x mod p,is believed to be a one-way function (where g is a generator of the cyclic group of non zero elements in the finite field). The intractability of its inverse, the discrete logarithm problem, is the basis of various encryption, signature and key agreement schemes. Apart from finite fields, other finite groups have been considered in the context of discrete exponentiation. One such example is the group of points on an elliptic curve over a finite field. Koblitz and Miller (independently) [15], [17], considered the group law on an elliptic curve to define a public key encryption scheme suggesting that elliptic curve addition is also a one-way function. Another number theoretic problem that is considered to be hard is the problem of factoring integers. Examples of functions relying on factoring which are believed to be one-way are the RSA and Rabin functions. Closely related to factoring is the problem of deciding quadratic residuosity modulo a composite integer. A concept which is intimately connected to one-way functions is the notion of hard bits, which was first introduced by Blum & Micali. Informally, a hard bit B(.) for a one way function f (.) is a bit which is as hard to compute as it H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 304–317, 1998. c Springer-Verlag Berlin Heidelberg 1998

An Efficient Discrete Log Pseudo Random Generator

305

is to invert f . Blum and Micali showed that the most significant bit is a hard bit for the discrete logarithm problem over a finite field. To be precise, their notion of most significant bit corresponds to the Boolean predicate which is one if the index of the exponent is greater than p−1 2 and zero otherwise. They defined and proved this hard bit and successfully used it to show the importance of hard bits in secure pseudo-random bit generation. Soon after, the hard bits of RSA & Rabin functions were also discovered by Ben-Or etal [2] which led to a new secure pseudo-random bit generator. Blum, Blum and Shub [3] used the quadratic residue problem over a composite integer to design yet another secure pseudo-random bit generator. Their work was based on the security of the quadratic residue problem which was investigated by Goldwasser and Micali [8]. Later Goldreich and Levin [7] proved that all one-way functions have a hard bit. More generally they were able to show that for any one-way function a logarithmic number of one bit predicates are simultaneously hard. This led to the work of [9], where they proved how to use any one-way function to build secure pseudo-random bit generators. The use of pseudo-random bits in cryptography relates to one time pad style encryption and bit commitment schemes, to name a few. All the above generators based on one bit predicates suffer from the same problem, namely they are too slow. All of them output one bit per modular exponentiation. The concept of simultaneous hardness is the first step in speeding things up. Intuitively, the notion of simultaneous hardness applied to a group of bits associated to a one-way function f states that it is computationally as hard as the inverse of the one-way function to succeed in computing any information whatsoever about the given group of bits given only f (x). Using this notion one can extract collections of bits per operation and hence the speed up. Long and Wigderson [16] and Peralta [20] showed that log log p bits of the discrete log modulo a prime number p are simultaneously hard. On the other hand the works of Vazirani and Vazirani [24] and Alexi etal [1] address the notion of simultaneous hardness of RSA and Rabin bits. Later Kaliski [12] showed individual hardness of bits (in the Blum Micali sense) of the elliptic curve group addition problem using a novel oracle proof technique applicable to any finite Abelian group. His methods extend to show simultaneous hardness (stated but not proved in the paper) of log n bits where n is the order of the group. More recently, Hastad, Schrift and Shamir [10], have designed a much more efficient generator which produces n2 bits per iteration where n is the number of bits of the modulus. The one-way function they have considered is the discrete exponentiation function modulo a composite integer (to be precise a Blum integer). Once again the method of generation relies on the proof that n2 bits of every iteration are simultaneously hard. The use of a composite modulus allows them to relate individual and simultaneous hardness of bits to factoring the modulus. In all these works the common strings are the results of Yao contained in his seminal work [25] which laid the foundations to a complexity theoretic approach to cryptography which paved the way for a quantification of security in terms of known hard problems.

306

Sarvar Patel and Ganapathy S. Sundaram

In this paper we construct a very efficient cryptographic pseudo-random bit generator attached to modular exponentiation in a finite field of cardinality p (where p is a prime number of the form 2q + 1, and q is also prime). This assumption on the structure of the finite field holds for the entire paper. We show that n−ω(log n) bits of every iteration are simultaneously secure (where 2O(log n) is a polynomial value in n and O(log n) is the order of the number of bits needed to represent a polynomial in n. Note that 2ω(log n) is greater than any polynomial value in n and ω(log n) is the order of the number of bits needed to represent it.) Hence each iteration produces more bits than any other method discovered so far. In fact, the construction that we present here is maximal since if we extract more bits then only O(log n) would have to be guessed, which can be exhaustively searched in polynomial time (since 2O(log n) is polynomial in n). The novelty in this work is to relate the security of the random bit generation to the problem of solving the discrete logarithm with short exponents. The motivation for this technique is derived from the above mentioned work of [10] where although they are using a modular exponentiation function modulo a composite, the security of the system is related to factoring the underlying modulus. In a similar but not so obvious sense, we use exponentiation in a finite field for the generation but relate the security to the strength of the discrete log problem (over the same prime modulus) but with short exponents. The proofs are simple and rely on known techniques. In this paper an oracle for the i − th bit gives the value of i − th bit when the binary representation is used for the argument. This is a different representation of the i-th bit than that used by Blum-Micali and Long-Wigderson. The paper is organized as follows: In section 2 we discuss the discrete log problem and in particular the short exponent discrete log problem. Details of the oracles and hardness of bits are formalized in this section. In section 3 we show that the trailing n − ω(log n) bits are individually hard with respect to the discrete logarithm problem with short exponents. In section 4 we prove simultaneous hardness of the trailing n − ω(log n) bits. Once again this is with respect to the discrete log with short exponents problem. In section 5 we discuss the design of the pseudo-random generator and provide the proof of security and conclude in section 6. In the appendix, we discuss some extensions of this work to include other Abelian groups and possible ways to improve the efficiency of the pseudo random generator.

2

The Discrete Logarithm Problem

We first define the discrete logarithm problem. Let p be a prime and g a generator for Zp ∗ , the multiplicative cyclic group of nonzero elements in the finite field of order p. Then for 1 ≤ x ≤ p − 1 the function which maps x to g x mod p defines a permutation. Problem 1. The discrete logarithm problem is to find x given yZp ∗ such that g x mod p ≡ y.

An Efficient Discrete Log Pseudo Random Generator

307

Let n = dlog pe be the length of p in binary, then g x mod p is computable in Poly (n) time. However, there is no known deterministic or randomized algorithm which can compute the discrete logarithm in Poly (n) number of steps. The best algorithm to compute the discrete logarithm in a finite field of order p, is the index calculus method. Even this is infeasible if p is appropriately large (e.g. 1024 bits) since the complexity is subexponential and not polynomial in n. On the other hand for primes such that p − 1 consists of only small factors, there are very fast algorithms whose complexity is equal to the complexity of the discrete log in a field whose cardinality is equal to its largest prime factor. This algorithm is due to Pohlig and Hellman [21]. 2.1

Discrete Logarithm with Short Exponents

For efficiency purposes the exponent x is sometimes restricted to c bits (e.g. c = 128 or 160 bits) since this requires fewer multiplications. There are square root time algorithms to find x in 2c steps, due to Shanks [14] and Pollard [22]. Thus c should be at least 128 bits to provide 64 bits of security. By this we mean an attacker should perform at least 264 operations in order to crack the discrete logarithm using these algorithms. At the moment, there is no faster way to discover the discrete logarithm even with x so restricted. In particular, the complexity of index calculus algorithms is a function of the size of the entire group and does not depend on the size of the exponent. We will also restrict x, in particular, we will restrict it to be slightly greater than O(log n) bits, but not to save on multiplications. The size of the exponent will be denoted ω(log n), described in section 1. Hence, even with the square root attack one needs greater than 2O(log n) steps or greater than a polynomial in n number of steps. The hard problem we consider in this paper is the inverse of this special case of the discrete exponentiation function. In other words: Problem 2. Let s be an integer which is significantly smaller compared to p. The DLSE problem is to find s given yZp ∗ such that g s mod p ≡ y. The DLSE problem has been studied by [19] in the context of the DiffieHellman key agreement scheme. The use of short exponents in the Diffie-Hellman protocol is to speed up the process of exponentiation. Typically the cost of computing g x is linearly related to the bit length of x, hence real-time computing costs have motivated the use of low order exponents. Care is necessary to ensure that such optimizations do not lead to security weaknesses. The above mentioned paper [19], presents a set of attacks and methods to rectify the situation. In particular their conclusions suggest the use of safe primes. Another example of the use of shorter exponents is in the generation of digital signatures. The digital signature standard (DSS) published by the NIST [6] is based on the discrete logarithm problem. It is a modification of the ElGamal signature scheme. The ElGamal scheme usually leads to a signature having 2n bits, where n is the number of bits of p (the modulus). For potential applications

308

Sarvar Patel and Ganapathy S. Sundaram

a shorter signature is desirable. DSS modifies the ElGamal scheme so that a 160-bit message is signed using a 320 bit signature but computations are all done modulo a 512 bit prime. The methodology involves the restrictions of all computations to a subgroup of size 2160 . The assumed security of the scheme is based on two different but very related problems. First of these is the discrete log in the entire group which uses a 512 bit modulus, where the index calculus algorithm applies. The second is the discrete log problem in the subgroup of the cyclic group of nonzero elements in the finite field. Here Shanks’square root algorithm reduces the complexity to O(280 ) since the exponent is only 160-bits. Although the DLSE and the subgroup discrete log problems are not equivalent, the square root time attacks apply to both problems. 2.2

Hardness of Bits

As indicated in the introduction, the notion of hard bits is intimately connected to that of a one-way function. In this paper we define a mild generalization of hard bits. Definition 3. Let f (x) and f 0 (s) be one-way functions. Let B :→ {0, 1} be a Boolean predicate. Given f (x) for some x, the predicate B(x) is said to be f 0 -hard if computing B(x) is as hard as inverting f 0 (s), i.e. discovering s. When f and f 0 are the same as are x and s, then we have the usual definition of hard bits. For example, discovering the Blum-Micali bit is as hard as computing the discrete logarithm. But in this paper we allow f and f 0 to be different. An example of this phenomenon, is discrete exponentiation modulo a composite modulus. Here the discrete logarithm in the ring of integers modulo a composite is a hard function, and so is factoring. So f (x) = g x mod m and f 0 (s) = f 0 (s = p, q) = m. Clearly, there are boolean predicates B(x) which are f -hard but there may be other predicates which are f 0 -hard, but not f -hard. That is computing B(x) is as hard as factoring the modulus m, but may be not as hard as the discrete log modulo a composite [10]. In this paper we consider a similar situation. We consider the one-way function of discrete exponentiation, but we prove that the n− ω(log n) bits of the exponent are DLSE-simultaneously hard. That is for us f (x) = g x mod p and f 0 (s) = g s mod p where s is a short exponent. The best previous result showed simultaneous hardness of n2 of the bits [10], but our result shows simultaneous hardness for almost all the n bits. Our results are maximal. In other words, in a pseudo-random generator, if in any iteration we hide only O(log n) or fewer bits, then any attacker can compute the seed of the generator by making a polynomial number of guesses. Hence one cannot further improve on these results regarding number of bits produced per iteration. 2.3

Binary Representation

The number x can be represented in binary as bn · 2n−1 + bn−1 · 2n−2 + . . . + b2 · 21 + b1 ·20 where bi is either 0 or 1. The i − th bit problem is to discover the value

An Efficient Discrete Log Pseudo Random Generator

309

of bi of x. The i − th bit is hard if computing it is as difficult as computing the inverse of f 0 (s). If we had an perfect oracle, Oi (g, p, y), which outputs the value of bi then the bit is hard if there is a Poly(n) time algorithm which makes Poly(n) queries to the oracle Oi (g, p, ·) and computes the entire value of s. We know the least significant bit is not hard because there is a Poly (n) time algorithm to compute it, namely by computing the Legendre symbol. An imperfect oracle, O (p, g, ·), is usually defined as an oracle which outputs 1 the correct bit value with probability greater than 12 + P oly(n) . Some of the most significant bits of x, in fact O(log n) most significant bits, can be biased, but as we shall see later they do not affect us. 2.4

Blum-Micali Representation

In this paper, we will use the binary representation when we discuss the security of the i-th bit, however, we want to mention another interpretation of the ith bit. Blum-Micali introduced a particular bit predicate, B(x) and showed its p−1 hardness. B(x) is 0 if 1 ≤ x ≤ p−1 2 and B(x) is 1 if 2 < x ≤ p − 1. This is sometimes referred to as the most significant bit of x and it is clearly different from the most significant bit of x under the binary representation. Others [16] have extended the definitions to define the k most significant bits. Often the Blum-Micali representation is used to refer to the most significant bits, while the binary representation is used for the least significant bits. In this paper we will use the binary representation when referring to the ith bit, unless specified otherwise.

3

Individual Hardness of Bits

In this section, we discuss the security of the trailing n − ω(log n) bits, where ω(log n) is as defined earlier. To be precise we show that except the least significant bit, all the n − ω(log n) lower bits are individually hard with respect to the DLSE problem. Based on definition 3, this amounts to proving the bits of the discrete logarithm are DLSE-hard. The proof techniques we employ are variations of techniques from [4] and [20]. Let Oi (g, y, p) be a perfect oracle which gives the ith bit (for any i ∈ [2, n − ω(log n)]. Note that i increases from right to left and i = 1 for the least significant bit. Given this oracle we show that in polynomial number of steps we can compute the short exponent discrete logarithm. In addition, we prove hardness of individual bits by showing that given an imperfect oracle Oi (g, y, p) with advantage to predict the ith bit (for any i in the prescribed range), we can turn this into an algorithm to compute the discrete logarithm of a short exponent in probabilistic polynomial time by making a polynomial number of queries to this oracle. For the rest of the paper we will refer to lower k bits to mean lower k bits excluding the least significant bit, for any k. Theorem 4. The lower n − ω(log n) bits are individually DLSE-hard.

310

Sarvar Patel and Ganapathy S. Sundaram

Proof: According to definition 3, it is enough to show that given Oi (g, y, p) (where g is a generator of the group in question) we can compute log y for all y such that s = log y is a short exponent. In this paper we assume that p − 1 = 2q, where q is an odd integer. (a) Perfect Oracles - Oi (g, y, p). We are given g s and g and we know in advance that s is small (consisting of ω(log n) bits). Now, computing the least significant bit is always easy, via the Legendre symbol. Hence we compute it and set it to zero. Let i = 2 and suppose we have an oracle for the 2nd bit. If this is a perfect oracle then we discover the second bit. Once this is known then we set it to zero and we will continue to refer to the new number as g s . Next we p−1 s s compute the square roots of g s . The roots are g 2 and g 2 + 2 where we refer to the former as the principal square root. Since the two least significant bits of g s are zero, we know that the principal square root has LSB equal to zero (or equivalently Legendre symbol one). This allows us to identify the principal square root. Now run the oracle on the principal square root and compute the second least significant bit. This bit is really the third least significant bit of s. Once again, set this bit to zero and repeat the process. Clearly, in poly(n) steps we would have computed s one bit at a time from right to left, given an oracle for the second bit. Now, in general when we are given the oracle for the ith bit (i > 2) we square s g i − 2 times. Then the 2nd LSB of s is at the ith position, and we run the oracle to compute this bit; we zero this bit and once again compute square roots. The principal square root corresponds to the root with LSB equal to zero. Now the (i + 1)th bit of s can be computed by running the oracle on the principal square root. Continue this process and in c steps where c = log s, we would know s. (b) Imperfect Oracles - Oi (g, y, p). Suppose we have an imperfect oracle which succeeds in finding the ith bit in only more than fifty percent of the x ∈ Zp∗ . Then we can concentrate the stochastic advantage and turn this oracle into an oracle which answers any specific instance correctly with arbitrarily high probability. We divide the proof into two parts (i) The lower 2 ≤ i < n − ω(log n) − O(log n) bits are individually hard. (ii) The middle n−ω(log n)−O(log n) ≤ i ≤ n−ω(log n) bits are individually hard. (i) Let i = 2 and suppose we have an imperfect oracle for the 2nd bit whose advantage is , i.e., the oracle can give the correct answer on more than fifty percent of the possible inputs (and we do not know which ones). Then let {rj } be a sequence of polynomial number of random numbers between 1 and p − 1. We run the oracle on g s+rj , where the LSB of s is zero. Via the weak law of large numbers [4], a simple counting of the majority of 10 s and 00 s of the oracle output (after neutralizing the effect of the random number) for the second LSB yields this bit with high probability. Now compute the square roots and pick the principal square root as earlier. Once again repeat the process with a fresh set of random numbers to discover the next bit. In c = log s steps we recover a candidate and verify that g candidate = g s mod p. If they are not equal then the

An Efficient Discrete Log Pseudo Random Generator

311

whole process is repeated. Clearly in poly(n) steps we would have discovered s one bit at a time from right to left. The details of the proofs are omitted, and we refer to [4] or [20] for further details. The only aspect that needs additional mention is the fact, when we randomize it is possible that for some rj when we add them to the exponent we may exceed p − 1. We refer to this as cycling. Assuming that we pick our random numbers uniformly, then we argue that the probability of this cycling is negligible because most of the leading bits of g s are zero. Suppose i > 2. Then we square g s i − 1 times, and repeat the above process and conclude that any oracle which has an advantage will lead to a polynomial time algorithm to compute s. The probability of cycling is still negligible for 2 ≤ i < n − ω(log n) − O(log n) because even in the extreme case when i = 1 n − ω(log n) − O(log n) the chance of cycling is 2ω(log n) or less than one over any polynomial. (ii) The proof of this step is also similar to the second part of the proof of (i) except that one has to set the initial t bits of s to zero by guessing, before we start the randomizing process. Even when i = n − ω(log n) and s has been shifted so that the 2nd least significant bit is in the ith position, the probability 1 for any Polynomial in n. Here t is up to of cycling can be bounded by P oly(n) O(log n) number of bits and hence the probability of cycling is bounded above 1 and hence we need to increase the number of queries by a certain by P oly(n) amount corresponding to the drop in advantage due to cycling. Once again the details are omitted for brevity (see [4]) and will be included in an expanded version of this paper.

4

Discrete Logarithm Hides Almost n Bits

In this section we prove the simultaneous hardness of n − ω(log n) lower bits of the index in modular exponentiation. Intuitively, given a generator g of a finite field of order p, and g x for some x then we show that gaining any information about the trailing n − ω(log n) bits is hard. Here hardness is with respect to the DLSE problem. In other words, for any prime p given a random generator g and a random element g x of the finite field, any information on the relevant bits of x can be converted into an poly(n) algorithm to solve the DLSE problem. Now, the phrase gaining any information is rather vague, and this is clarified by the concept of simultaneous security which is defined below for any generic one-way function. Definition 5. Let f be a one-way function. A collection of k bits, B k (x) is said to be simultaneously secure for f if B k (x) is easy to compute given x and for every Boolean predicate B an oracle which computes B(B k (x)) correctly with probability greater than 12 given only f (x) can be used to invert f in Poly(n) time. In this paper we will be employing a modified notion of simultaneous security relative to a possibly different one-way function.

312

Sarvar Patel and Ganapathy S. Sundaram

Definition 6. Let f and f 0 be one-way functions. A k-bit predicate B k is said to be f 0 -simultaneously hard if given f (x), for every non-trivial Boolean predicate B on k bits, an oracle which outputs B(B k (x)) can be used to invert f 0 in polynomial time. If B k is a f 0 hard predicate then we say the bits of B k (x) are f 0 -simultaneously hard. The above definition, although precise, is not easy to apply when understanding simultaneous security. A more working definition is provided in definition 7, phrased in the language of the discrete logarithm problem over a prime modulus. Definition 7. The bits of the exponentiation function g x mod p at location j ≤ i ≤ k are DLSE-simultaneously hard if the [j, k] bits of the discrete logarithm of g x mod p are polynomially indistinguishable from a randomly selected [j, k] bit string for random chosen (g, p, g x mod p). In addition any polynomial distinguishability will lead to an oracle which solves the DLSE problem in polynomial time. Once again, proving polynomial indistinguishability of a group of bits as above is difficult. But the notion relative hardness helps alleviate this problem and in fact leads to a test of simultaneous security. Definition 8. The ith bit, j ≤ i ≤ k, of the function g x mod p is relatively hard to the right in the interval [j, k] if no polynomial time algorithm can, given a random admissible triplet (g, p, g x mod p) and in addition given the k − i bits of the discrete logarithm of g x to its right, computes the ith bit of the discrete loga1 for any polynomial rithm of g x with probability of success greater than 12 + poly(n) poly(n) where n = log p. Based on this definition, we have a test for simultaneous security. The statement of this test is the following fact. Fact Definitions 7 and 8 are equivalent. The proof of this equivalence is implied by the well-known proof of the universality of the next bit test due to Yao [25]. Now, using this fact and the intractibility of the DLSE problem we show that the trailing n − ω(log n) bits are simultaneously hard. Theorem 9. The n− ω(log n) trailing bits of g x mod p are simultaneously hard, with respect to the DLSE problem. Proof: Based on the above fact, it is sufficient to show that every trailing bit of x (given g and g x ) is relatively hard to the right in the interval [2, n − ω(log n)]. Following the definitions and theorem above we know that, in order to show simultaneous security, we are allowed to use only a weak oracle: given g x , to predict the ith bit of x , all the i − 1 trailing bits of the unknown x should also be given to the oracle. Such a weak oracle may not work in general. Assume the theorem is false. Then, for some i ∈ [2, n − ω(log n)] there exists an oracle which when supplied with the trailing i − 1 bits of a generic x succeeds

An Efficient Discrete Log Pseudo Random Generator

313

1 in predicting the ith bit of x with advantage (where is poly(n) ). Now pick s an element S = g where s is a short exponent. We can shift s to the left by squaring S the appropriate number of times. Now all the bits to the right of the ith bit are zero. Since 0 ≤ i < n − ω(log n) we can shift s by i − 1 bits to the left without cycling. Recall, by cycling we mean the exponent exceeds p − 1 and hence its remainder modulo p − 1 replaces the exponent. Now the 2nd LSB of s rests on the ith bit and we can run the oracle repeatedly by multiplying by g r mod p where r is a random number between 0 and p − 1. In order to make sure that the probability of cycling is low we may have to set the t = O(log n) leading bits of s to zero which we can exhaustively guess and run the algorithm for each guess. Since we will continue to have an 0 ≥ − 1t advantage we can deduce the bit from the oracle in poly(n) time. We know the 2nd LSB of s in this manner. We set that bit to zero, and take the square root of the number. Of the two roots we should pick the one which is the quadratic residue because all the lower bits are zero to begin with and hence the square root should have a zero in the LSB. Now the next bit of s is in the ith position and we can run the oracle repeatedly to discover this bit and so on to recover all the bits of s. At the end of the algorithm we have a candidate and we can see if g candidate equals S. If it does then we stop or else repeat the algorithm with another guess for t bits or different random numbers r. Note the oracle is very weak unlike the case for the individual bit oracle. The oracle here will tell you the i th bit with advantage provided you also supply all the i − 1 bits to the right of i. However we are able to do this because all the bits to the right of the shifted s are known to be zero, since we started with a short exponent. Now we have shown that for every i such that 2 ≤ i < ω(log n) we can use this weak oracle to discover s thus we have shown the trailing bits to be simultaneously hard provided the function g s mod p with s of size ω(log n) is hard to invert.

5

Pseudo Random Bit Generator

In this section we provide the details of the new pseudo-random bit generator. In particular we extend the scheme used by Blum-Micali [4] to extract more bits. This is the same scheme that Long-Wigderson [16] used in their generator but their output consisted of log n bits per iteration. In our new scheme we produce n−ω(log n) bits per iteration. Recall from section 2 that the Blum-Micali scheme used a mildly different definition of “bits”. We use the same definition of bits as [10], but we do not encounter the difficulties they did in defining the generation scheme since our exponentiation induces a permutation on Zp ∗ . NEW GENERATOR Pick a seed x0 from Zp ∗ . Define xi+1 = g xi mod p. At the ith step (i > 0) output the lower n − ω(log n) bits of xi , except the least significant bit.

314

5.1

Sarvar Patel and Ganapathy S. Sundaram

Proof of Security

Suppose A is an -distinguisher of the l (l is poly in n) long output of our generator, then there is a (/l)-distinguisher for some output at the i th step. By appropriately running the generator then there is a (/l)-distinguisher for n − ω(log n) bits of s0 . According to our definitions in the previous section, due to Yao [25], we can use a distinguisher to create a weak oracle which will tell us the i-th bit of s provided we also give it the rightmost i − 1 bits of s. Now we note that we can use this to discover s given g s mod p where s has ω(log n) bits. We repeatedly invoke the ”weak oracle” by setting s0 = g s g r . Thus we can discover the i bit in poly(n) time. Using techniques shown in theorem 9 we can discover the entire s. So if the output sequence of our generator is -distinguishable then in poly(n) time we can discover s of our exponentiation function. Assuming it is intractable to invert the function g s mod p where s has ω(log n) bits (i.e., short exponent) then the output sequence of our generator is polynomially indistinguishable.

6

Conclusion

We have shown that the discrete logarithm mod a prime p hides n− ω(log n) bits by showing the simultaneous hardness of those bits. The hardness in this result is with respect to the discrete logarithm problem with short exponents, i.e., DLSE-simultaneously hard (as defined in section 2 of this paper). This allows us to extract n − ω(log n) bits at a time for pseudo-random generation and other applications. As an example for n of size 1024 bits and s of size 128 bits this allows us to extract almost 900 bits per exponentiation. Spoken informally, we note that the security of this example is 264 since it takes O(264 ) for the best known algorithm to crack a modular exponentiation with 128 bits. Also, if one desires more security at every step then we can decrease the number of bits extracted at every stage. This generator outputs the maximal number of bits from a single iteration. Extracting any more bits in any iteration leads to a prediction of bits - since we would then be hiding O(log n) or fewer bits and hence in polynomial number of guesses we would know the complete exponent in every iteration.

References 1. 2. 3. 4.

W. Alexi, B. Chor, O. Goldreich and C. P. Schnorr, RSA/Rabin bits are 1/2+1/poly(log N) secure, Proceedings of 25th FOCS, 449–457, 1984. 305 M. Ben-Or, B. Chor, A. Shamir, On the cryptographic security of single RSA bits, Proceedings of 15th STOC, 421–430, 1983. 305 L. Blum, M. Blum, and M. Shub, A simple secure pseudo-random number generator, SIAM J. Computing, 15 No. 2:364–383, 1986. 305 M. Blum, and S. Micali, How to generate cryptographically strong sequences of pseudo random bits, SIAM J. Computing, 13 No. 4:850–864, 1984. 309, 310, 311, 311, 313

An Efficient Discrete Log Pseudo Random Generator 5. 6. 7. 8. 9.

10.

11. 12. 13. 14. 15. 16. 17. 18. 19.

20. 21.

22. 24. 25.

315

R. B. Boppana, and R. Hirschfeld, Pseudorrandom generators and complexity classes, Advances in Computing Research, 5 (S. Micali, Ed.), JAI Press, CT. U. S. Department of Commerce/ N. I. S. T, Digital Signature Standard, FIPS 186, May 1994. 307 O. Goldreich, and L. A. Levin, A hard-core predicate for all one way functions, Proceedings of 21st STOC, 25–32, 1989. 305 S. Goldwasser, and A. Micali, Probabilistic encryption, Journal of Computer and Systems Science, 28: 270-299, 1984. 305 J. Hastad, R. Impagliazzo, L. A. Levin, and M. Luby, Construction of pseudorandom generator from any one-way function, SIAM J. Computing, to appear. 305 J. Hastad, A. W. Schrift, and A. Shamir, The discrete logarithm modulo a composite modulus hides O(n) bits, Journal of Computer and System Sciences, 47: 376–404, 1993. 305, 306, 308, 308, 313, 316 R. Impagliazzo, L. A. Levin, and M. Luby, Pseudo-random generation from one-way functions, Proceddings of 20th STOC, 12–24, 1988. 316 B. S. Kaliski, A pseudo-random bit generator based on elliptic logarithms, Advances in Cryptology - CRYPTO ’86 (LNCS 263), 84–103, 1987. 305, 316 J. Kilian, S. Micali, and R. Ostrovsky, Minimum resource zero-knowledge proofs, Procedings of 30th FOCS, 474–489, 1989. D. E. Knuth, The Art of Computer Programming (vol 3): Sorting and Searching, Addison Wesley, 1973. 307 N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, 48:203–209, 1987. 304 D. L. Long, and A. Wigderson, The discrete log hides O(log n) bits, SIAM J. Computing, 17:363–372, 1988. 305, 309, 313 V. Miller, Elliptic curves and cryptography, Advances in Cryptology CRYPTO ’85 (LNCS 218), 417–426, 1986. 304 M. Naor, Bit commitment using pseudo-randomness, Advances in Cryptology - CRYPTO ’89 (LNCS 435), 128–136, 1989. P. van Oorschot, M. Wiener, On Diffie-Hellman key agreement with short exponents, Advances in Cryptology - EUROCRYPT ’96 (LNCS 1070), 332– 343, 1996. 307, 307 R. Peralta, Simultaneous security of bits in the discrete log, Advances in Cryptology - EUROCRYPT ’85 (LNCS 219), 62–72, 1986. 305, 309, 311 S. C. Pohlig, and M. E. Hellman, An improved algorithm for computing over GF (p) and its cryptographic significance, IEEE Trans. IT, 24: 106–110, 1978. 307 J. M. Pollard, Monte Carlo methods for index compution (mod p), Mathematics of Computation, 32, No. 143:918–924, 1978. 307 U. V. Vazirani, and V. V. Vazirani, Efficient and secure pseudo-random number generators, Proceedings of 25th FOCS, 458–463, 1984. 305 A. C. Yao, Theory and applications of trapdoor functions, Proceedings of 23rd FOCS, 80–91, 1982. 305, 312, 314

316

7

Sarvar Patel and Ganapathy S. Sundaram

Appendix

In this section we discuss some extensions of our results which will be addressed in the future. 7.1

Improving Efficiency of Computations

Let us focus on the mechanics of the generator. We start with a finite field, and a generator g of its multiplicative cyclic group. Let x0 be a secret seed. Then we define xi+1 = g xi iteratively. The output of the generator are the trailing n − ω(log n) bits of xi for all i > 0, where n = log p. Although the number of bits generated per iteration is large, each iteration involves a large exponent and this could impact on the speed of the generator. Instead, we could start with p, g, and x0 as earlier but at each stage we define xi+1 = g si where si = leading ω(log n) bits of xi . This will ensure that at each stage we are using short exponents and hence guarantee a significant speed up. This raises some interesting questions. Question 10. Will this speed impact the security of the generator? Note that when we restrict our exponents we no longer have a permutation. Hence the simple construction used here is inapplicable. A possible method of settling this problem is outlined in Hastad-etal in the context of discrete logarithms over composite moduli [10]. In particular, exploiting a certain hashing lemma proved in [11] they construct a perfect extender and the pseudo-random generation is achieved through repeated applications of the extender to a random seed. Question 11. Are there efficient extenders which guarantee the same level of security (as the DLSE) but yet perform short exponent exponentiation at each step? 7.2

Discrete Logarithms in Abelian Groups

Let G be a finite Abelian group. Let g ∈ G and let y = g x (where x is unknown and we are using the multiplicative notation to denote the group operation). The discrete logarithm problem in the subgroup generated by g asks for the value of x given g and y. In this context, Kaliksi [12] has shown that under the intractibility assumption of the discrete log in the subgroup generated by g the individual bits of x are hard. In this paper the Blum-Micali notion of bits is employed, and the proof of individual hardness is based on a novel and new oracle proof technique. The main idea being, the identification of bits is based on a correlation function which automatically accommodates cycling and changes in bits due to randomization. In addition, he completely avoids the computation of square roots which is central to several of the other works on individual bit security. This paper also

An Efficient Discrete Log Pseudo Random Generator

317

states that log n bits are simultaneously hard. Presumably, the techniques of Long-Wigderson once applied in the framework of generic Abelian groups yields this result. Now, we note that assuming the discrete logarithm problem with short exponents is also hard in the chosen Abelian group our results on simultaneous hardness of the trailing bits may be applicable. This result will be very useful when applied to the group of points on an elliptic curve over a finite field. 7.3

Discrete Logarithms in Small Subgroups

The security of the digital signature standard (DSS) is based on the intractability of the discrete logarithm in small subgroups (DLSS). This leads to a natural question: Question 12. Are there k-bit predicates attached to the input of the discrete exponentiation function that are simultaneously hard with respect to DLSS? In particular, is k = n − ω(log n)?

Fast RSA-Type Cryptosystem Modulo pk q Tsuyoshi Takagi NTT Software Laboratories 3-9-11, Midori-cho Musashino-shi, Tokyo 180-0012, Japan [email protected]

Abstract. We propose a cryptosystem modulo pk q based on the RSA cryptosystem. We choose an appropriate modulus pk q which resists two of the fastest factoring algorithms, namely the number field sieve and the elliptic curve method. We also apply the fast decryption algorithm modulo pk proposed in [22]. The decryption process of the proposed cryptosystems is faster than the RSA cryptosystem using Chinese remainder theorem, known as the Quisquater-Couvreur method [17]. For example, if we choose the 768-bit modulus p2 q for 256-bit primes p and q, then the decryption process of the proposed cryptosystem is about 3 times faster than that of RSA cryptosystem using Quisquater-Couvreur method. Keywords: RSA cryptosystem, Quisquater-Couvreur method, fast decryption, factoring algorithm

1

Introduction

The RSA cryptosystem is one of the most practical public key cryptosystems and is used throughout the world [19]. Let n be a public key, which is the product of two appropriate primes, e be an encryption key, and d be a decryption key. The algorithms of encryption and decryption consist of exponentiation to the eth and dth powers modulo n, respectively. We can make e small, but must consider low exponent attacks [3,4,6]. The encryption process takes less computation and is fast. On the other hand, the decryption key d must have more than one fourth the number of bits of the public key n to preclude Wiener’s attack [24] and its extension [23]. Therefore, the cost of the decryption process is dominant for the RSA cryptosystem. In this paper, we propose an RSA-type cryptosystem modulo n = pk q. Even though the modulus is not of the form pq, we choose appropriate sizes for the secret primes p and q to preclude both the number field sieve and the elliptic curve method. Using this modulus pk q, we construct a fast decryption public-key cryptosystem. In the key generation, we generate the public key e and secret key d using the relation ed ≡ 1 (mod L), where L = LCM(p−1, q−1). Note that L is not the same as φ(n) = pk−1 (p−1)(q−1) or even λ(n) = LCM(pk−1 (p−1), q−1). Thus, the secret exponent d becomes much smaller than n = pk q. Moreover, for decrypting Mp ≡ M (mod pk ) we show that it is possible to apply the fast decryption algorithm proposed in [22]. The running time for computing Mp is H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 318–326, 1998. c Springer-Verlag Berlin Heidelberg 1998

Fast RSA-Type Cryptosystem Modulo pk q

319

essentially equivalent to that for C d (mod p). Therefore, the decryption process is much faster than in the RSA cryptosystem using the Chinese remainder theorem [17]. The paper is organized as follows. In Section 2, we describe the algorithm of the proposed cryptosystem. We discuss the size of the secret primes which prevents the use of both the number field sieve and the elliptic curve method in Section 3. Then, we show the running time of the proposed cryptosystem in comparison with the RSA cryptosystem using the Quisquater-Couvreur method in Section 4. We explain the effectiveness of Wiener’s attack in Section 5. We show some properties of our cryptosystem related to some attacks in Section 6. Notation: Z is an integer ring. Zn is a residue ring Z/nZ and its complete residue class is {0, 1, 2, . . . , n − 1}. Z× n is a reduced residue group modulo n. LCM(m1 , m2 ) is the least common multiple of m1 and m2 . GCD(m1 , m2 ) is the greatest common divisor of m1 and m2 .

2

Proposed Public-Key Cryptosystem

In this section, we describe an RSA-type cryptosystem modulo pk q, and discuss the size of its secret keys and the running time. 2.1

Algorithm

1. Generation of the keys: Generate two random primes p, q, and let n = pk q. Compute L = LCM (p−1, q−1), and find e, d which satisfies ed ≡ 1 (mod L) and GCD(e, p) = 1. Then e, n are public keys, and d, p, q are the secret keys. 2. Encryption: Let M ∈ Z× n be the plaintext. We encrypt the plaintext by the equation: C ≡ Me

(mod n).

(1)

3. Decryption: We decrypt Mp ≡ M (mod pk ) and Mq ≡ M (mod q) using the secret key d, p, q. The plaintext M can be recovered by the Chinese remainder theorem. Here, Mq is computed by Mq ≡ C d (mod q) and Mp is computed by the fast algorithm described in [22]. 2.2

Details of the Decryption Algorithm

is pk−1 (p− 1). When Mp ≡ M (mod pk ) is recovered The order of the group Z× pk using the standard algorithm of RSA, we have to compute Mp ≡ C d (mod pk ) for d ≡ e−1 (mod LCM(pk−1 (p − 1), q − 1)). Then the running time is slower than that of the method using the Chinese remainder theorem for n = pq [17], so there are no significant advantages in using the modulus pk q. Instead, we apply the method described in [22], where the author presents a fast algorithm for computing RSA decryption modulo nk using n-adic expansion. Then, the

320

Tsuyoshi Takagi

running time for computing Mp becomes essentially equivalent to computing Mp ≡ C d (mod p) for d ≡ e−1 (mod LCM(p − 1, q − 1)). First, we modify the algorithm into a more efficient form. We denote the ciphertext reduced modulo pk by Cp . Then the relationship between the ciphertext Cp and the plaintext is Cp ≡ Mpe (mod pk ). Note that Mp the plaintext modulo pk , has the p-adic expansion such that Mp ≡ K0 + pK1 + p2 K2 + . . . + pk−1 Kk−1

(mod pk ).

(2)

Here, we define the function Fi (X0 , X1 , . . . , Xi ) as follows: Fi (X0 , X1 , . . . , Xi ) = (X0 + pX1 + . . . + pi Xi )e , where i = 0, 1, . . . , k − 1. Fk−1 (X0 + pX1 + . . . + pk−1 Xk−1 )e is the same as the function that encrypts the plaintext Mp in equation (2). By reducing modulo pi+1 , we get the relationship Fi (X0 , X1 , . . . , Xi ) ≡ Fi−1 + pi Gi−1 Xi

(mod pi+1 ),

where Fi−1 = Fi−1 (X0 + pX1 + . . . + pi−1 Xi−1 )e and Gi−1 = e(X0 + pX1 + . . . + pi−1 Xi−1 )e−1 for i = 0, 1, . . . , k − 1. ¿From this relationship, we can recursively calculate K1 , . . . , Kk−1 . For i = 1, K1 is the solution of the following linear equation of X1 : C ≡ F0 (K0 ) + pG0 (K0 )X1 (mod p2 ). (3) Assume we have already calculated K1 , K2 , . . . , Ki−1 . Using these values, we compute Fi−1 (K0 , K1 , . . . , Ki−1 ), Gi−1 (K0 , K1 , . . . , Ki−1 ) in Z, and denote them by Fi−1 , Gi−1 , respectively. Then, Ki is the solution of the following linear equation of Xi : C ≡ Fi−1 + pi Gi−1 Xi (mod pi+1 ). (4) Note that (Gi−1 , p) = 1, because GCD(K0 , p) = GCD(e, p) = 1, so we can uniquely decrypt Ki . After computing K0 , K1 , . . . , Kk−1 , we can evaluate Mp (mod pk ) from equation (2). Finally, the plaintext M (mod pk q) is also computed from the values Mp (mod pk ), Mq (mod q), and the Chinese remainder theorem. Moreover, note that we do not have to use the secret exponent d for evaluating K1 , K2 , . . . , Kk−1 . Thus, when we compute the two values of K0 ≡ C d (mod p) and Mq ≡ C d (mod q), the secret exponent d can be reduced modulo p − 1 and q−1. Indeed, C d ≡ C dp (mod p) and C d ≡ C dq (mod q) hold, where dp ≡ d (mod p − 1) and dq ≡ d (mod q − 1). In Appendix A, we describe the decryption program written in pseudo-code. For x ∈ Z and a positive integer N , [x]N denotes the remainder of x modulo N , which is in {0, 1, . . . , N − 1}.

3

Size of Secret Parameters

Here, we discuss the size of the secret parameters p and q. The RSA cryptosystem uses a composite number of the symmetry type pq, where p and q are the same

Fast RSA-Type Cryptosystem Modulo pk q

321

bit size. The cryptosystem proposed in this paper depends on the security of factoring the modulus pk q. We have to carefully choose the size of p and q. There are two types of fast factoring algorithm to consider: the number field sieve [11] and the elliptic curve method [10]. Other factoring algorithms have the same or slower running times, so the size of the RSA-modulus can be estimated by these two factoring algorithms [7,13,20]. Let LN [s, c] = exp((c + o(1)) logs (N ) log log1−s (N )). The number field sieve is the fastest factoring algorithm, and the running time is estimated from the total bit size of the integer n to be factored, which is expected as Ln [1/3, (64/9)1/3]. If we choose n to be larger than 768 bits, the number field sieve becomes infeasible. In our case, we have to make the modulus n = pk q larger than 768 bits. The elliptic curve method is effective for finding primes which are divisors of the integer n to be factored. The running time is estimated in terms of the bit size of the prime divisor p. Its expected value is Lp [1/2, 21/2 ]. Note that the running time of the elliptic curve method is different from that of the number field sieve, and the order is much different. If we choose p to be larger than 256 bits, the elliptic curve method becomes infeasible. In our case, we have to make the primes p and q of the modulus larger than 256 bits. The factoring algorithm strongly depends on the implementation. In my knowledge, the fastest implementation record for the number field sieves factored 130-digit RSA modulus [5] and that for the elliptic curve method found 48-digit prime factor [8]. Here, we again emphasize that there is a big difference in the cost between the number field sieve and the elliptic curve method. Therefore, if we choose the 768-bit modulus p2 q with 256-bit primes p and q, neither of the factoring algorithms is feasible, so the scheme is secure for cryptographic purposes. But the size of secret primes must be thoroughly discussed for the practical usage of our proposed cryptosystem, and this is work in progress. Here, we wonder if there exists factoring algorithms against the modulus with a square factor p2 q. This factoring problem appeared in the list of the open problems in number theoretic complexity by Adleman and McCurley [1], and it is unknown whether there exists Lp [1/3]-type sub-exponential algorithm which finds the primes of the composite number p2 q. Recently, Peralta and Okamoto proposed a factoring algorithm against numbers of the form p2 q based on the elliptic curve method [16]. They focused on the fact the Jacobi symbol is equal to one for a square integer, and the running time becomes a little bit faster than that of the original elliptic curve method. Remark 1. A digital signature scheme [14] and two public key cryptosystems [9,15] which rely on the difficulty of factoring numbers of the type p2 q have been proposed. These cryptosystems are fast and practical. For secure usage of these cryptosystems and our proposed cryptosystem, the research of factoring algorithms against a composite number with a square factor is desirable.

322

4

Tsuyoshi Takagi

Running Time

In this section, we estimate the running time of the proposed cryptosystem. We assume that the public modulus n = p2 q is 768 bits for 256-bit primes p and q in the following. We also assume the running time for computing Z a (mod b) is O(log22 (b) log2 (a)). Below, we estimate the worst-case running time. In the decryption process of the proposed cryptosystem, the algorithm does not depend on the secret exponent d except when we compute Cd

(mod p),

Cd

(mod q).

(5)

After calculating C d (mod p), we compute only a few multiplications for obtaining Mp ≡ M (mod pk ). This costs the same as the encryption process. If we choose a very small e, this algorithm is very efficient. For example, if the modulus be p2 q, then we only compute at most blog2 ec multiplications modulo p2 and one division of p, two multiplications modulo p, and one inversion modulo p. Moreover, when we compute the two values of equation (5), the secret exponent d can be reduced modulo p− 1 and q − 1. In other words, C d ≡ C dp (mod p) and C d ≡ C dq (mod q) hold, where dp ≡ d (mod p − 1) and dq ≡ d (mod q − 1). Thus, the size of the secret exponent can be reduced. Denote by T the running time for computing the decryption algorithm of the 0 original RSA cryptosystem, i.e., C d (mod n), where d0 is as large as n. Then, the running time of the proposed cryptosystem for a 768-bit modulus is about (2(1/3)3 + αe )T = (0.074 + αe )T , where αe depends only on the encryption exponent e. When we make the encryption exponent e very small, αe becomes negligible. A similar decryption algorithm for the RSA cryptosystem using Chinese remainder theorem, the Quisquater-Couvreur method, mainly computes C d (mod p) and C d (mod q), where n = pq is the RSA modulus, both p and q are as large as (log2 n)/2 bits, and we assume d is as large as p and q. So, the running time of Quisquater-Couvreur method is about 4 times faster than the original RSA cryptosystem. Here, we compare the running time of our proposed cryptosystem with that of Quisquater-Couvreur method. The comparison is carried out based on the common bit length of the modulus. The proposed cryptosystem with the small encryption exponent e is about 3 times faster than the RSA cryptosystem applying the Quisquater-Couvreur method for the 768-bit modulus. In addition, consider the RSA cryptosystem with the square-free modulus n = p1 p2 · · · pl , where we assume that pi are as large as (log2 n)/l bits for i = 1, 2, . . . , l. As we discussed in Section 3, we can use a 768-bit modulus n = p1 p2 p3 with 256-bit primes pi (i = 1, 2, 3) for the cryptographic purpose. This version of RSA will be faster when we use the decryption technique using the Chinese remainder theorem. Indeed, the decryption time with this modulus is dominant for computing C di (mod pi ), where we assume di are as large as pi for i = 1, 2, 3. So, the running time of this RSA variant is about 9 times faster than the original RSA cryptosystem. Here, we compare this RSA variant with

Fast RSA-Type Cryptosystem Modulo pk q

323

our proposed cryptosystem. Our proposed cryptosystem is about 1.5 times faster for a 768-bit modulus.

5

Short Secret Exponent d

A short secret exponent is desirable for the fast decryption algorithm. However, Wiener reported an attack based on the continued fraction algorithm which detects a short secret exponent d [24]. This attack is effective for d < n1/4 . The secret key d and the public key e of the proposed cryptosystem have the relation ed ≡ 1 (mod LCM(p − 1, q − 1)), and the primes p and q are much smaller than n. So, we wonder if Wiener’s attack is applicable to larger secret exponents d. Moreover, if the attacker can compute d0 such that ed0 ≡ 1 (mod LCM(pk−1 (p − 1), q − 1)),

(6)

then proposed cryptosystem will also be broken. Here, we discuss Wiener’s attack for relation (6). ¿From LCM(pk−1 (p−1), q− 1) = pk−1 (p−1)(q−1)/GCD(pk−1 (p−1), q−1), we have ed0 = 1+mpk−1 (p−1)(q− 1)/GCD(pk−1 (p−1), q−1) for some integer m. Generally, GCD(pk−1 (p−1), q−1) is very small compared with p and q. Let m/GCD(pk−1 (p − 1), q − 1) = h/g, where GCD(h, g) = 1. Then, we get the relation e h 0 pk q − gd0 = δ , k

k−1

(7)

k−1

q−p −g/h h p +p . ¿From h/d0 g ≤ 1, the upper bound of δ 0 where δ 0 = gd 0 pk q is of the size n−1/(k+1) . It is known that for a rational number x such that |x − P/Q| < 1/2Q2 , P/Q is a convergent in the continued fraction of x, where P and Q are relatively prime integers. Therefore, if n−1/(k+1) < 1/2(gd0 )2 holds, then Wiener’s attack is applicable by computing the continued fraction of e/pk q. 1 Therefore, Wiener’s attack is effective for d0 < n 2(k+1) . During key generation one must ensure that d0 ≡ e−1 (mod LCM(pk−1 (p − 1), (q − 1)) is sufficiently large. In the same manner, we can discuss the Wiener’s attack for the relation ed ≡ 1 (mod LCM(p − 1, q − 1)). In this case, we get the relation

e h pk q − gdpk−1 = δ,

(8)

h p+q−1−g/h where δ = gd . The lower bound on δ is of the size 1/gdnk/(k+1) , and pk q 1/gdnk/(k+1) is larger than the upper bound 1/2(gdpk−1 )2 ∼ 1/2(gdn(k−1)/(k+1) )2 which the continued fraction can detect. So, Wiener’s attack seems infeasible for the relation ed ≡ 1 (mod LCM(p − 1, q − 1)). Further work on this is in progress.

324

6

Tsuyoshi Takagi

Other Properties

In this section, we describe some attacks against our proposed cryptosystem and some other properties of it. Permutation: Let S be a finite set, and let F (x) be a function from S to S. The function F (x) is called a permutation function if every pair x, y ∈ S that satisfies F (x) = F (y) also satisfies x = y. The encryption function must be a permutation function in order to have unique decryption. The encryption function of the proposed cryptosystem is F (X) ≡ X e (mod pk q). This function is a permutation function if and only if GCD(p − 1, e) = GCD(q − 1, e) = GCD(p, e) = 1. The last condition is always satisfied for small e, so this condition becomes the same as that for the original RSA cryptosystem. Message concealing: A function F (x) is called unconcealed when F (x) = x holds for some x. If the encryption function is unconcealed, some plaintexts are not encrypted. Blakley and Borosh showed that the encryption function of the RSA cryptosystem is unconcealed [2]. And they also estimated the number of unconcealed messages for a modulus having the form pk q. They proved N = (1 + GCD(e − 1, pk−1 (p − 1)))(1 + GCD(e − 1, (q − 1))). This number is negligible because we choose e to be small in our proposed cryptosystem. Cycling attack: The cycling attack is to find an integer s such that s C e ≡ C (mod pk q) [12,25]. If we find such an integer, then the modulus pk q can be factored with probability greater than 1/2. From a recent result by Rivest and Silverman, it is known that the probability of the cycling attack success is negligible [20]. This analysis is also true for our proposed cryptosystem, because p and q must be chosen to be more than 256-bit primes. Here, denote by ordm (Q) the order of the point Q in the group Zm for some integer m, and ordordn (C) (e)|s holds. Note that ordm (Q)|ordn (Q) for m|n and Q in Zn . The probability that p|ordpk (Q) for a random point Q in Zpk is 1 − 1/p, so p|ordn (C) holds for a random ciphertext C in Zn with high probability, and ordp (e) is greater than the largest prime of p − 1, which is more than 50 bits with high probability. Therefore, the integer s is greater than 50 bits with high probability. Other attacks: All other attacks are applicable, for example, the low exponent attacks [3,4,6], the common modulus attack, and the chosen message attack (See, for example, [7,13]). Digital signature: Of course, the proposed algorithm can be used for a digital signature.1 The prominent property of our proposed cryptosystem is the running time for generating the signature, which it is faster than that of the RSA cryptosystem using Chinese remainder theorem. Rabin-type cryptosystem: We can construct a Rabin-type cryptosystem by applying the algorithm proposed in this paper. We can also prove that the extended Rabin-type cryptosystem is as intractable as factoring the modulus pk q. 1

Shamir proposed a variation of RSA cryptosystem with an unbalanced modulus [21]. As he stated in the paper, Shamir’s RSA can not be used for digital signatures.

Fast RSA-Type Cryptosystem Modulo pk q

325

Acknowledgments I wish to thank Shozo Naito for his helpful discussion. I would also like to thank the anonymous referees for their valuable comments.

References 1. L. M. Adleman and K. S. McCurley, “Open problems in number theoretic complexity, II” proceedings of ANTS-I, LNCS 877, (1994), pp.291-322. 321 2. G. R. Blakley and I. Borosh, “Rivest-Shamir-Adleman public key cryptosystems do not always conceal messages,” Comput. & Maths. with Appls., 5, (1979), pp.169-178. 324 3. D. Coppersmith, M. Franklin, J. Patarin and M. Reiter, “Low-exponent RSA with related messages,” Advances in Cryptology – EUROCRYPT ’96, LNCS 1070, (1996), pp.1-9. 318, 324 4. D. Coppersmith, “Finding a small root of a univariate modular equation,” Advances in Cryptology – EUROCRYPT ’96, LNCS 1070, (1996), pp.155-165. 318, 324 5. J. Cowie, B. Dodson, R. Elkenbracht-Huizing, A. K. Lenstra, P. L. Montgomery, J. Zayer; “A world wide number field sieve factoring record: on to 512 bits,” Advances in Cryptology – ASIACRYPT ’96, LNCS 1163, (1996), pp.382-394. 321 6. J. H˚ astad, “Solving simultaneous modular equations of low degree,” SIAM Journal of Computing, 17, (1988), pp.336-341. 318, 324 7. B. S. Kaliski Jr. and M. Robshaw, “Secure use of RSA,” CRYPTOBYTES, 1 (3), (1995), pp.7-13. 321, 324 8. ECMNET Project; http://www.loria.fr/ zimmerma/records/ecmnet.html 321 9. D. H¨ uhnlein, M. J. Jacobson, S. Paulus, and T. Takagi, “A cryptosystem based on non-maximal imaginary quadratic orders with fast decryption.” Advances in Cryptology – EUROCRYPT ’98, LNCS 1403, (1998), pp.294-307. 321 10. H. W. Lenstra, Jr., “Factoring integers with elliptic curves”, Annals of Mathematics, 126, (1987), pp.649-673. 321 11. A. K. Lenstra and H. W. Lenstra, Jr. (Eds.), “The development of the number field sieve,” Lecture Notes in Mathematics, 1554, Springer, (1991). 321 12. U. M. Maurer; “Fast generation of prime numbers and secure public-key cryptographic parameters,” Journal of Cryptology, Vol.8, (1995), pp.123-155. 324 13. A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, “Handbook of applied cryptography,” CRC Press, (1996). 321, 324 14. T. Okamoto, “A fast signature scheme based on congruential polynomial operations,” IEEE Transactions on Information Theory, IT-36, (1990), pp.47-53. 321 15. T. Okamoto and S. Uchiyama; “A new public-key cryptosystem as secure as factoring,” Advances in Cryptology – EUROCRYPT ’98, LNCS 1403, (1998), pp.308-318. 321 16. R. Peralta and E. Okamoto, “Faster factoring of integers of a special form,” IEICE Trans. Fundamentals, Vol.E79-A, No.4, (1996), pp.489-493. 321 17. J. -J. Quisquater and C. Couvreur, “Fast decipherment algorithm for RSA publickey cryptosystem,” Electronic Letters, 18, (1982), pp.905-907. 318, 319, 319

326

Tsuyoshi Takagi

18. M. O. Rabin, “Digitalized signatures and public-key functions as intractable as factorization”, Technical Report No.212, MIT, Laboratory of Computer Science, Cambridge (1979), pp.1-16. 19. R. Rivest, A. Shamir and L. M. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, 21(2), (1978), pp.120-126. 318 20. R. Rivest and R. D. Silverman, “Are ‘strong’ primes needed for RSA,” The 1997 RSA Laboratories Seminar Series, Seminars Proceedings, (1997). 321, 324 21. A. Shamir; “RSA for paranoids,” CryptoBytes, 1, Autumn, (1995), pp. 1-4. 324 22. T. Takagi, “Fast RSA-type cryptosystem using n-adic expansion,” Advances in Cryptology – CRYPTO ’97, LNCS 1294, (1997), pp.372–384. 318, 318, 319, 319 23. E. R. Verheul and H. C. A. van Tilborg, “Cryptanalysis of ‘less short’ RSA secret exponents,” Applicable Algebra in Engineering, Communication and Computing, 8, (1997), pp.425-435. 318 24. M. J. Wiener, “Cryptanalysis of short RSA secret exponents,” IEEE Transactions on Information Theory, IT-36, (1990), pp.553-558. 318, 323 25. H. C. Williams and B. Schmid, “Some remarks concerning the M.I.T. public-key cryptosystem,” BIT 19, (1979), pp.525-538. 324

A

Decryption Algorithm

In this appendix, we describe the decryption program written in pidgin ALGOL. For x ∈ Z and a positive integer N , [x]N will denote the remainder of x modulo N , which is in {0, 1, . . . , N − 1}. The plaintext M is encrypted by C ≡ M e (mod pk q). The relation between the encryption exponent e and the decryption exponent d is ed ≡ 1 (mod LCM(p − 1, q − 1)). procedure DECRYPTION: INPUT: d, p, q, e, k, C OUTPUT: M (1)

dp := [d]p−1 , dq := [d]q−1 ;

(2)

K0 := [C dp ]p , Mq := [C dq ]q ;

(3)

A0 := K0 ; FOR i = 1 to (k − 1) do Fi := [Ai−1 e ]pi+1 ; Ei := [C − Fi ]pi+1 ; Bi := Ei /pi in Z; Ki := [(eFi )−1 Ai−1 Bi ]p ; Ai := Ai−1 + pi Ki in Z;

(4)

Mp := Ak−1 ;

(5)

p1 := [(pk )−1 ]q , q1 := [q −1 ]pk ;

(6)

M := [q1 qMp + p1 pk Mq ]pk q .

An Elliptic Curve Implementation of the Finite Field Digital Signature Algorithm Neal Koblitz Dept. of Mathematics, Box 354350, Univ. of Washington Seattle, WA 98195 USA [email protected]

Abstract. We construct a supersingular implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) that is essentially equivalent to a finite field implementation of the Digital Signature Algorithm (DSA), and then we compare the efficiency of the two systems. The elliptic curve method is about 12 times faster. In the last section we use the same ideas to give a particularly efficient nonsupersingular implementation of elliptic curve cryptography in characteristic 7. Keywords: Digital Signature, Elliptic Curve, Supersingular, Nonadjacent Form

1

Introduction

The security of elliptic curve cryptosystems depends on the presumed intractability of the discrete logarithm problem in the group of points on the curve. Aside from the exponential time algorithms that apply to an arbitrary group — all of which are impractical if the order of the group is divisible by a prime of more than 40 decimal digits — the only discrete log algorithms that have been found for an elliptic curve group are the algorithm of Semaev–Smart–Satoh–Araki [20,22,17], which applies only to an elliptic curve over a prime field Fp whose order is equal to p, and the algorithm of Menezes–Okamoto–Vanstone (MOV) [12]. The MOV algorithm uses the Weil pairing to imbed the group of points of an elliptic curve E over a finite field Fq into the multiplicative group F× qK of an extension field FqK ; the elliptic curve discrete log problem then reduces to the discrete log problem in F× qK . This algorithm is practical if K can be taken to be small. If E is a supersingular elliptic curve, then K can always be chosen equal to 1, 2, 3, 4, or 6 [12]; whereas if E is nonsupersingular, then K is almost always much too large [1]. For this reason it is usually assumed that supersingular curves should not be used in cryptography. The purpose of this article is to give a cryptographic application of a family of supersingular elliptic curves for which K = 6 in the MOV algorithm. Suppose that #E(Fq ) is a prime l (or a very small integer factor times a prime l) of between 40 and 80 decimal digits (which is the range one would use with a nonsupersingular curve). Then q K = q 6 is roughly in the 250- to 500-digit range, H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 327–337, 1998. c Springer-Verlag Berlin Heidelberg 1998

328

Neal Koblitz

which is beyond the practical limits of algorithms for the discrete log in F× qK . Thus, such a family of curves can be used in cryptography. Moreover, the family of curves that we study lends itself to particularly efficient computation of a multiple of a point, which is the basic operation in elliptic curve cryptosystems. Because the curves have complex multiplication by cube roots of unity, this family can be treated in a manner similar to the family of anomalous binary curves that was studied in [6], [10], and [23]. §§2–3 are devoted to the properties of the curves we are proposing and to the use of a special type of ternary expansion of an integer k that allows one to compute kP with only ≈ 25 log3 q elliptic curve additions. In §§4–5 we describe our main motivation for looking at this family of supersingular elliptic curves: it enables us in characteristic 3 to make a very direct comparison of efficiency between the Digital Signature Algorithm (DSA) using finite fields (see [16]) and the Elliptic Curve Digital Signature Algorithm (ECDSA) (see, for example, [9]). Recall that in DSA one works in a cyclic subgroup of prime order l inside a finite field whose bitlength is between 3 and 6 times that of l. Thus, it would be completely consistent with the Digital Signature Standard to take Fq6 as one’s finite field and the image of E(Fq ) under the MOV imbedding as one’s cyclic subgroup of order l. Then, conjecturally, the ECDSA and the corresponding DSA have identical security, and so it is interesting to compare efficiency. We show that the elliptic curve implementation is about 12 times as fast. In other words, even though the two groups of order l are apparently cryptographically equivalent, the elliptic curve “exponentiation” can be carried out more rapidly than exponentiation in the finite field. Remark. We say “conjecturally” and “apparently” because we do not know how to prove that the discrete log problem on the elliptic curve group could not be easier than the discrete log problem in the corresponding subgroup of F× q6 . This is because we do not know how to compute the inverse of the imbedding E(Fq ) ,→ F× q6 given by the Weil pairing. Finally, in §6 we use the same ideas as in §§2–3 to give a family of nonsupersingular elliptic curves in characteristic 7 for which one also has a particularly efficient method to compute multiples of points.

2

The Curves

Let q = 3m , where m is not divisible by 2 or 3, and let a = 0 or 1. Let E be the elliptic curve (1) Y 2 = X 3 − X − (−1)a over the field of 3 elements F3 ; and let Nm denote the number of Fq -points on E. Because x3 − x = 0 for all x ∈ F3 , it is easy to see that N1 = 4 − (−1)a 3. We can also write N1 = 4 − τ − τ , where √ (−1)a 3 + i 3 τ= 2

An Elliptic Curve Implementation

329

is the root with positive imaginary part of the characteristic polynomial T 2 − (−1)a 3T + 3 of the Frobenius map Φ : (x, y) 7→ (x3 , y 3 ).1 In other words, τ satisfies the relation 3 = (−1)a 3τ − τ 2 . (2) Then, by Weil’s theorem, Nm = |τ where

3 m

m

m

a

− 1| = 3 − (−1) 2

3 m

3(m+1)/2 + 1,

(3)

is the Jacobi symbol, which is defined as follows:

3 m

=

1 if m ≡ ±1 (mod 12); −1 if m ≡ ±5 (mod 12).

Since Nm is divisible by Nm0 whenever m0 |m, we have the best chance of getting a large prime factor of Nm when m is prime. In that case N1 |Nm , but it may happen that Nm /N1 is prime. In other words, when m is prime Nm could be a prime in the case a = 0 and 7 times a prime in the case a = 1. For example, when a = 0 we find that N163 = 3163 + 382 + 1 is a prime of 78 decimal digits (259 bits); and when a = 1 we find that N97 = 397 + 349 + 1 is 7 times a prime of 46 decimal digits (154 bits). Remark. One might want to use composite m in order to be able to perform multiplications and inversions in F3m more efficiently using a tower of subfields. It is still possible to get a large prime factor of Nm with m not much larger than in the case when m is prime. For example, when a = 0, a 66-digit prime divides N169 ; and when a = 1, a 47-digit prime divides N121 , and a 74-digit prime divides N187 . We let ω denote the 6th root of unity √ (−1)a + i 3 a , (4) ω = τ − (−1) = 2 and we let Z[ω] denote the ring of integers of the form u + vω, u, v ∈ Z. Then when m is prime we are interested in primality of the element (ω + 1)m − 1 when a = 0 and primality of the element ((ω − 1)m − 1)/(ω − 2) when a = 1, since it is a prime element of Z[ω] if and only if Nm if a = 0; |(ω + 1)m − 1|2 , = 1 m 2 |(ω − 1) − 1| , if a = 1, N1 7 is a prime in Z. When a = 0 this is a close analogue of the Mersenne prime problem, as we see by replacing ω by 1. (This example of an elliptic curve 1 2 a This means that Φ − (−1) 3Φ + 3 P = O for any point P on the curve. This polynomial (more precisely, its reciprocal polynomial 1 − (−1)a 3T + 3T 2 ) is also the numerator of the zeta-function of the curve. For details on this and other properties of elliptic curves, see §VI.1 of [7] and Ch. V of [21].

330

Neal Koblitz

for cryptography and the analogy with the Mersenne prime problem were first mentioned in Exercise 11 of §VI.1 and Exercise 6 of §VI.2 in [7].) As always, the Frobenius map Φ : (x, y) 7→ (x3 , y 3 ) takes negligible time, provided that we are working in a normal basis of Fq over F3 ; and the negation map (x, y) 7→ (x, −y) is also trivial to carry out. The Frobenius map Φ acting on points P ∈ E(Fq ) may be regarded as the element τ ∈ Z[ω], because it satisfies the same quadratic equation Φ2 − (−1)a 3Φ + 3 = 0. In the case of the particular equation (1), it is also extremely easy to describe the action on points P ∈ E(Fq ) of the cube roots of unity. Let us take a = 1; the case a = 0 is virtually identical.√Then we are interested in how the nontrivial cube root of unity ω = (−1 + 3i)/2 = τ + 1 acts on P = (x, y) ∈ E(Fq ). That is, we want to find the coordinates of (Φ + 1)P = Px,y + Px3 ,y3 . Using the addition law for Px1 ,y1 + Px2 ,y2 = Px3 ,y3 , which takes the following form when Px2 ,y2 6= ±Px1 ,y1 : 2 1 − x1 − x2 ; x3 = xy22 −y −x1 3 1 y3 = y1 + y2 − xy22 −y , −x1 and the relation x3 − x = y 2 − 1 from (1), we obtain: Px,y + Px3 ,y3 = Px+1,y . (It is easy to check that this formula also holds when Px3 ,y3 = Px,y , i.e., when Px,y is an F3 -point.) Thus, the action on points of any power of τ and any sixth root of unity can be computed in trivial time. Remark. Another convenient feature of the curves (1) in characteristic 3 is that, m−1 } of Fq , then there is an easy if we use a normal F3 -basis {β, β 3 , . . . , β 3 compression technique for storing a point Px,y , by analogy with the characteristic 2 method in [13]. Namely, we represent P as (x0 , y), where x0 ∈ {0, 1, −1} is the P i first coordinate of x. Then x = xi β 3 can be recovered by setting xi = xi−1 + P i zi , i = 1, 2, . . . , m−1, where the zi are the coordinates of −y 2 −(−1)a = zi β 3 .

3

Base-τ Expansions

Suppose that we want to compute a multiple kP of an F3m -point on the elliptic curve (1). As in [10] and [23], our first step is to divide k by τ m − 1 in the ring Z[ω], and then replace k by its remainder k 0 modulo τ m − 1. This is justified because (τ m − 1)P = Φm P − P = O. Our next step is to find a base-τ expansion of k 0 with digits {0, ±1, ±ω, ±ω 2} that has nonadjacent form (NAF), where, following [23], we define “nonadjacent form” to mean that no two consecutive coefficients are nonzero. Theorem 1. Every element of Z[ω] reduced modulo τ m − 1 has a unique NAF base-τ expansion with digits {0, ±1, ±ω, ±ω 2}, in which at most (m + 1)/2 digits are nonzero. Asymptotically on the average 60% of the digits are zero.

An Elliptic Curve Implementation

331

Proof. We first recall the algorithm for finding the usual base-τ expansion of an element u + vω ∈ Z[ω] with digits j ∈ {0, 1, −1}. By (4) we have u + vω = (u − (−1)a v) + vτ . Dividing the integer u − (−1)a v by 3, we can write u − (−1)a v = 3w + ε0 for some ε0 ∈ {0, 1, −1}. Then we use (2) to write u + vω = (3w + ε0 ) + vτ = (((−1)a 3w + v) − wτ ) τ + ε0 . We then take the quotient ((−1)a 3w + v) − wτ and repeat the process to find ε1 , ε2 , and so on. Now we describe the algorithm for finding the NAF base-τ expansion of an element of Z[ω]. In each step we divide our previous quotient qj−1 by τ , getting a quotient u + vτ and a remainder ε ∈ {0, 1, −1}, as we did in the previous paragraph: qj−1 = (u + vτ )τ + ε. If ε = 0 or if 3|u, then we leave the above equality unchanged and set qj = u+vτ , ηj = ε. Otherwise, we modify the above equation as follows: qj−1 = qj τ + ηj , where

qj =

(u + (−1)a 2ε) + (v − ε)τ (u + (−1)a ε) + vτ

and ηj =

−(−1)a εω −(−1)a εω

if u ≡ (−1)a ε (mod 3); if u ≡ −(−1)a ε (mod 3),

if u ≡ (−1)a ε (mod 3); if u ≡ −(−1)a ε (mod 3).

Uniqueness of the NAF expansion is clear from the construction. Finally, the asymptotic expectation is that every nonzero digit is followed by 1+ 13 + 312 +· · · = 1.5 zero digits, in which case 60% of the digits are zero. t u √ Here is an example. Let us take a = 0 and find the expansion of 10 + 2i 3. We have: √ 10 + 2i 3 = (7 − τ )τ + 1 = (9 − 2τ )τ + ω 2 ; 9 − 2τ = (7 − 3τ )τ + 0; 7 − 3τ = (3 − 2τ )τ + 1; 3 − 2τ = (1 − τ )τ + 0; 1 − τ = 0 · τ + ω4, and hence the digits are η4 = ω 4 , η3 = 0, η2 = 1, η1 = 0, η0 = ω 2 . Remark. The expected number 25 log3 q of elliptic curve additions given by Theorem 1 is about 25% less than the previous lowest result for the number of additions of points in computing kP , which was 13 log2 q due to Solinas [23]. However, from a practical point of view this improvement in the number of elliptic curve additions might be offset by the decreased efficiency of working in characteristic 3 rather than 2. For example, in characteristic 2 one can often minimize time for a field operation by using an optimal normal basis [15]. In order to avoid field inversions and determine the time required to compute a multiple of a point in terms of field multiplications alone, we introduce projective coordinates. (See §6.3 of [11] for a discussion of this in characteristic 2.)

332

Neal Koblitz

When converted to homogeneous coordinates, the equations for point addition (see §2) become z3 = (x2 z1 − x1 z2 )3 z1 z2 ; x3 = (y2 z1 − y1 z2 )2 (x2 z1 − x1 z2 )z1 z2 − (x2 z1 − x1 z2 )3 x1 z2 − −(x2 z1 − x1 z2 )3 x2 z1 ; y3 = −(x2 z1 − x1 z2 )3 y1 z2 + (y2 z1 − y1 z2 )(x2 z1 − x1 z2 )2 x1 z2 − −x3 (y2 z1 − y1 z2 )/(x2 z1 − x1 z2 ). (Note that the last expression is a polynomial, because x3 is divisible by x2 z1 − x1 z2 .) In each stage of the computation of kP one adds a partial sum to a point of the form ηj τ j P (in which the NAF digit ηj is a sixth root of unity). The latter point is computed in negligible time in affine (i.e., non-homogeneous) coordinates; so we may assume that its projective coordinates are (x2 , y2 , 1), that is, z2 = 1. Assuming now that z2 = 1, the above formulas can be computed as follows. Successively set A = x2 z1 ;

B = y2 z1 ;

E = (B − y1 )2 ;

C = (A − x1 )2 ;

F = x1 C;

D = (A − x1 )3 ;

G = z1 E − (D + 2F ).

Then z3 = z1 D;

x3 = (A − x1 )G;

y3 = −y1 D + (B − y1 )(F − G).

This all takes 10 field multiplications. (Note that D is computed in negligible time, since we are in characteristic 3.) Since on the average 25 m point additions are needed to compute a multiple of a point, it follows that in projective coordinates one expects to compute a multiple of a point with 4m field multiplications. From the formulas for adding points in affine coordinates (see §2) we see that, alternatively, a point addition can be accomplished with 1 field inversion and 2 field multiplications. Thus, if an inversion can be done in less time than 8 field multiplications, we should use affine rather than projective coordinates. In characteristic 2 there are implementations of field inversion that take time roughly equal to that of 3 field multiplications (see [19] and [24]); and it is reasonable to expect that the same equivalence can be achieved in characteristic 3 [18]. We have obtained the following corollary of Theorem 1. Corollary 1. If one uses projective coordinates, the expected number of field multiplications in F3m needed to compute a multiple of a point on the curve (1) is 4m. Using affine coordinates, on the average one can compute a multiple of a point on (1) with 45 m field multiplications and 25 m field inversions. If a field inversion can be carried out in time equivalent to that of three field multiplications, then in affine coordinates one has a time estimate of 2m field multiplications for computing a multiple of a point.

An Elliptic Curve Implementation

4

333

DSA and ECDSA

We shall use DSA in a slightly generalized form, in which the finite field Fq , q = pm , is not necessarily a prime field. Here q has at least 500 bits, and q − 1 is divisible by a prime l of at least 160 bits. Let f : Fq → Fl be a fixed, easily computable function such that #f −1 (y) ≈ q/l for each y ∈ Fl ; that is, f spreads Fq fairly evenly over Fl . If q = p, then we represent elements of Fq by integers x ∈ {0, 1, . . . , p−1}, and we usually take f (x) to be the least nonnegative residue of x P modulo l. If m > 1, and if {β0 , . . . , βm−1 } is our Fp -basis of Fq , then for x= xi βi , xi ∈ {0, 1, . . . , p − 1}, we could, for example, define f (x) to be the P least nonnegative residue modulo l of the integer xi pi . Let g ∈ Fq be a generator of the unique subgroup of F× q of order l, and let H be a hash function taking values in Fl . Here q, l, {βi }, g, f , and H are publicly known. Alice’s secret key is a random integer x in the range 1 < x < l, and her public key is y = g x ∈ Fq . To sign a message M , Alice does the following: 1) She selects a random integer k in the range 1 < k < l. 2) She computes g k ∈ Fq and r = f (g k ). If r = 0, she returns to step 1). 3) She computes k −1 ∈ Fl and s = k −1 (H(M ) + xr) ∈ Fl . If s = 0, she returns to step 1). 4) Her signature for the message M is the pair (r, s). To verify the signature, Bob computes u1 = s−1 H(M ) ∈ Fl , u2 = s−1 r ∈ Fl , and then g u1 y u2 ∈ Fq . If f (g u1 y u2 ) = r, he accepts the signature. We now describe the elliptic curve version ECDSA. Let E be an elliptic curve defined over Fq such that #E(Fq ) is equal to a prime l of at least 160 bits (or to a small integer factor times such a prime l). Let P be an Fq -point of E of order l. Let fE : E(Fq ) → Fl be a fixed, easily computable function that spreads the points over Fl fairly evenly (for instance, we might require that #fE−1 (y) be bounded by a small constant for y ∈ Fl ). One way to define the elliptic curve function fE , for example, would be to take the x-coordinate of a point and then apply to it the function f : Fq → Fl in the above description of DSA. Alice’s secret key is an integer x in the range 1 < x < l, and her public key is the point Q = xP ∈ E(Fq ). To sign a message M , Alice does the following: 1) She selects a random integer k in the range 1 < k < l. 2) She computes kP and r = fE (kP ). If r = 0, she returns to step 1). 3) She computes k −1 ∈ Fl and s = k −1 (H(M ) + xr) ∈ Fl . If s = 0, she returns to step 1). 4) Her signature for the message M is the pair (r, s). To verify the signature, Bob computes u1 = s−1 H(M ) ∈ Fl , u2 = s−1 r ∈ Fl , and then u1 P + u2 Q ∈ E(Fq ). If fE (u1 P + u2 Q) = r, he accepts the signature.

334

5

Neal Koblitz

Comparison of DSA and ECDSA

We set up ECDSA using the curve E in (1) over Fq , q = 3m . We assume that 2 m Nm τ m − 1 3 − l= = = N1 τ −1 3m +

3 (m+1)/2 + 1, m 3 3 (m+1)/2 + 1 /7, 3 m

if a = 0; if a = 1,

is prime. Let P ∈ E(Fq ) be a point of order l. Let F : E(Fq ) → F× q6 be an MOV imbedding of the elliptic curve group into the multiplicative group of Fq6 constructed using the Weil pairing [12]. Let g = F (P ), which is a generator of the unique subgroup of F× q6 of order l. × We set up DSA in Fq6 and ECDSA in E(Fq ) so as to be equivalent to one another by means of F . Thus, if f : Fq6 → Fl is the function in DSA, then we define fE : E(Fq ) → Fl by the formula fE = f ◦ F . Remark. In a practical situation it would be more efficient to define fE without using the MOV imbedding F (for example, by applying f to the x-coordinate of a point, as suggested in §4), because even though the computation of F is polynomial time, it is not very fast. We have chosen to set fE = f ◦ F for a theoretical rather than practical reason: to make the DSA and ECDSA implementations completely equivalent. We can now easily verify that the MOV imbedding F gives an equivalence between the two signature schemes. In both cases Alice’s secret key is an integer x in the range 1 < x < l; her public key is Q = xP in ECDSA and F (Q) = F (xP ) = F (P )x = g x = y in DSA. The k, r, and s are the same in both cases. So are the u1 and u2 in signature verification. In ECDSA the signature is verified by computing u1 P + u2 Q, and in DSA by computing g u1 y u2 . The signature is accepted if r = fE (u1 P + u2 Q) = f (F (u1 P + u2 Q)) = f (g u1 y u2 ). Thus, the DSA and ECDSA implementations are equivalent. In order to get an approximate idea of the relative efficiency of the two systems, let us compare the times to compute 1) kP ∈ E(Fq ) and 2) g k ∈ Fq6 , where k is a random integer in the range 1 < k < l, i.e., k has about the same bitlength as q = 3m . We shall neglect possible speed-ups using precomputations, fast multiplication techniques, etc., and shall assume that a field multiplication in Fq takes time proportional to (log2 q)2 . We shall also assume that a field inversion in Fq takes approximately the same amount of time as 3 field multiplications; in that case the computation of kP on the average takes the equivalent of 2m field multiplications in Fq , by the corollary to Theorem 1 (see §3). On the DSA side, we have a significant efficiency advantage because we are workingPin characteristic 3. Namely, we first write the exponent k in ternary form as k = εj 3j , where εj ∈ {0, 1, 2}. For ν = 0, 1, 2 let Jν be the set of j for which j εj = ν. Since the computation of g 3 takes negligible time, the computation of

An Elliptic Curve Implementation

335

Q 2 Q j 3j g k = j∈J1 g 3 g takes just #(J1 ) + #(J2 ) field multiplications. We j∈J2 expect about one third of the digits in k to be zero, so we conclude that the computation of g k takes roughly 23 m field multiplications in Fq6 , each of which takes about 36 times as long as a field multiplication in Fq . Thus, the ratio of time for g k to time for kP is roughly 36 · 23 m = 12. 2m In other words, when we choose parameters for ECDSA and for DSA in such a way as to make the two systems equivalent, we find that ECDSA is approximately 12 times faster than DSA, independently of the value of m.

6

A Nonsupersingular Family

Consider the curve Y 2 = X 3 − b,

b 6= 0,

defined over F7 . This elliptic curve is nonsupersingular. The number N1 = 8 − t of F7 -points and the root τ with positive imaginary part of the characteristic polynomial T 2 − tT + 7 are given in the following table: t τ√ b ±1 ±4 ±2 +√ 3i ±2 ±1 (±1 + 3√ 3i)/2 ±3 ±5 (±5 + 3i)/2 As usual, we choose b and a prime m so that Nm /N1 = |(τ m − 1)/(τ − 1)|2 is prime. For instance, when b = −1 the number N59 is 12 times a 49-digit prime; and when b = 3 the number N61 is 3 times a 52-digit prime, and the number N71 is 3 times a 60-digit prime. Note that, up to complex conjugation, the six value of τ in the√table differ from one another by a factor of ±1, ±ω, or ±ω 2 , where ω = (−1 + 3i)/2. S As before, we define the action of τ on a point P ∈ E(F7 ), where F7 = m F7m is the algebraic closure of F7 , to be the Frobenius map τ Px,y = ΦPx,y = Px7 ,y7 . In this way Z[ω] imbeds in the ring of endomorphisms of E(F7 ); and it follows from the properties of nonsupersingular curves (see p. 137 of [21]) that the image of Z[ω] is all of the endomorphism ring of E(F7 ). It is easy to check that the maps Px,y 7→ P2x,y √ and Px,y 7→ P4x,y are endomorphisms of E(F7 ) of order 3. Since ω = (−1 + 3i)/2 and ω 2 = ω are the only nontrivial cube roots of unity, it follows that in each case ωP must be given by one of these maps; one can quickly determine which of the two by testing on an F7 - or F72 -point of E. Thus, the action on F7m -points of any of the sixth roots of unity ±1, ±ω, ±ω 2 is trivial to compute. Suppose that we want to compute a multiple kP for P ∈ E(F7m ). As usual, we first replace k by its remainder k 0 ∈ Z[ω] after division by τ m − 1. We

336

Neal Koblitz

then compute the base-τ expansion of k 0 using {0, ±1, ±ω, ±ω 2} rather than {0, ±1, ±2, ±3} as digits; this is easy to do using the equality τ 2 = tτ − 7 and the simple relations between τ, ω, and ±2, ±3. We cannot obtain an NAF expansion, but we have the advantage that k 0 has fewer digits in characteristic 7, where the base τ has larger norm (7 rather than 2 or 3). Since 1/7 of the digits are expected to be 0, we conclude that on the average the computation of kP requires ≈ 67 log7 q = 0.3052 log2 q elliptic curve additions. This estimate for the number of elliptic curve additions is slightly lower than Solinas’ value of 13 log2 q on an anomalous binary curve [23]. But in practice the improvement from 13 log2 q to 0.3052 log2 q is not enough to compensate for the lower efficiency of working in characteristic 7 rather than in characteristic 2. Remark. A disadvantage of this family of curves is that there are not many curves and fields to choose from. The same applies to the curves in §2, and to the anomalous binary curves in [6,10,23]. Random curves allow far more choice, but less efficient implementation.

Acknowledgments I would like to thank Arjen Lenstra, Richard Schroeppel, and Alfred Menezes for several very helpful comments and suggestions.

References 1. R. Balasubramanian and N. Koblitz, The improbability than an elliptic curve has subexponential discrete log problem under the Menezes–Okamoto–Vanstone algorithm, J. Cryptology 11 (1998), 141-145. 327 2. I. Blake, X. H. Gao, R. C. Mullin, S. A. Vanstone, and T. Yaghoobian, Applications of Finite Fields, Kluwer Acad. Publ., 1993. 3. S. Gao and H. W. Lenstra, Jr., Optimal normal bases, Designs, Codes and Cryptography 2 (1992), 315-323. 4. K. Ireland and M. I. Rosen, A Classical Introduction to Modern Number Theory, 2nd ed., Springer-Verlag, 1990. 5. N. Koblitz, Elliptic curve cryptosystems, Math. Comp. 48 (1987), 203-209. 6. N. Koblitz, CM-curves with good cryptographic properties, Advances in Cryptology – Crypto ’91, Springer-Verlag, 1992, 279-287. 328, 336 7. N. Koblitz, A Course in Number Theory and Cryptography, 2nd ed., SpringerVerlag, 1994. 329, 330 8. N. Koblitz, Algebraic Aspects of Cryptography, Springer-Verlag, 1998. 9. N. Koblitz, A. Menezes, and S. A. Vanstone, The state of elliptic curve cryptography, to appear in Designs, Codes and Cryptography. 328 10. W. Meier and O. Staffelbach, Efficient multiplication on certain non-supersingular elliptic curves, Advances in Cryptology – Crypto ’92, Springer-Verlag, 1993, 333344. 328, 330, 336 11. A. Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Acad. Publ., 1993. 331

An Elliptic Curve Implementation

337

12. A. Menezes, T. Okamoto, and S. A. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Trans. Information Theory 39 (1993), 1639-1646. 327, 327, 334 13. A. Menezes and S. A. Vanstone, Elliptic curve cryptosystems and their implementation, J. Cryptology 6 (1993), 209-224. 330 14. V. Miller, Uses of elliptic curves in cryptography, Advances in Cryptology — Crypto ’85, Springer-Verlag, 1986, 417-426. 15. R. Mullin, I. Onyszchuk, S. A. Vanstone, and R. Wilson, Optimal normal bases in GF (pn ), Discrete Applied Math. 22 (1988/89), 149-161. 331 16. National Institute for Standards and Technology, Digital signature standard, FIPS Publication 186, 1993. 328 17. T. Satoh and K. Araki, Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves, preprint. 327 18. R. Schroeppel, personal communication, Dec. 2, 1997. 332 19. R. Schroeppel, H. Orman, S. O’Malley, and O. Spatscheck, Fast key exchange with elliptic curve systems, Advances in Cryptology — Crypto ’95, Springer-Verlag, 1995, 43-56. 332 20. I. A. Semaev, Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p, Math. Comp. 67 (1998), 353-356. 327 21. J. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag, 1986. 329, 335 22. N. Smart, The discrete log problem on elliptic curves of trace 1, preprint. 327 23. J. Solinas, An improved algorithm for arithmetic on a family of elliptic curves, Advances in Cryptology – Crypto ’97, Springer-Verlag, 1997, 357-371. 328, 330, 330, 331, 336, 336 24. E. De Win, A. Bosselaers, S. Vandenberghe, P. De Gersem, and J. Vandewalle, A fast software implementation for arithmetic operations in GF (2n ), Advances in Cryptology — Asiacrypt ’96, Springer-Verlag, 1996, 65-76. 332

Quantum Bit Commitment From a Physical Assumption Louis Salvail1? BRICS Basic Research in Computer Science of the Danish National Research Foundation Department of Computer Science,University of ˚ Arhus Ny Munkegade, Building 540,DK-8000 ˚ Arhus C, Denmark [email protected]

Abstract. Mayers and independently Lo and Chau have shown that unconditionally secure quantum bit commitment is impossible. In this paper we show that under the assumption that the sender is not able to perform generalized measurements involving more than n qubits coherently (n-coherent measurements) then quantum bit commitment is possible. A commitment scheme is δ-binding if for each execution there is an x ˜ ∈ {0, 1} that cannot be unveiled with probability of success better than δ. Our bit commitment scheme requires the transmission of N qubits and is δ-binding, for any δ > 0, if the committer can only carry out n-coherent measurements for some n ∈ Ω(N ). For some α > 0, −αN the scheme -binding against n-coherent measurements for some √ is 2 n ∈ Ω( N ). The security against malicious receivers is unconditional.

1

Introduction

The first application of quantum mechanics in cryptography was proposed by Wiesner [34] in the late 1960’s through what he called “quantum multiplexing”. Classically, this primitive has been reinvented a decade later by Rabin [32] as one-out-of-two oblivious transfer. The power of oblivious transfer is known to provide the sufficient and necessary tool for solving the very general secure twoparty computation problem[20,15]. In its original paper [34], Wiesner describes an attack based on generalized quantum measurements against its own scheme. Although proven insecure, Wiesner’s scheme requires a quantum attacker with technology far beyond what is achievable today. In 1984, Bennett and Brassard proposed two new cryptographic applications of quantum mechanics: secret-key exchange and coin flipping by telephone [3]. Whilst the former is still strongly believed to be secure [25,7] the latter was already known to be breakable using EPR pairs [16,3]. The proposed coin flipping protocol can be modified easily to implement a quantum bit commitment scheme that can indeed be defeated by the same EPR attack [9]. Unlike Wiesner protocol, the attack is conceivable using today’s technology [1]. Some attempts to find a quantum bit commitment ?

Part of this work has been done while the author was at CWI.

H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 338–354, 1998. c Springer-Verlag Berlin Heidelberg 1998

Quantum Bit Commitment From a Physical Assumption

339

scheme not suffering the same weaknesses have then been made [9,10]. In 1993, Brassard, Cr´epeau, Jozsa and Langlois [10] proposed a quantum commitment scheme (the BCJL scheme) that was claimed to be unconditionally secure until Mayers discovered a subtle flaw in 1995 [26]. This was bad news considering Yao [35] had provided a proof that, under the assumption that secure bit commitment scheme exists, the BBCS protocol [5] for quantum oblivious transfer(QOT) is secure. Despite BCJL was known to be insecure, it was still conceivable that a secure quantum quantum bit commitment scheme could be found. The situation turned out to be a dead end when Mayers [29], and independently Lo and Chau [22], showed that no quantum bit commitment whatsoever exists. It was shown that the EPR attack can be generalized against any quantum bit commitment provided the committer can deal with large entangled quantum states. Different approaches have then been tried in order to escape the no-go theorem [13]. All these attempts aimed at taking advantage of subtle assumptions in the theorem statement. The common feature of most approaches is the use of a classical assumption that has to hold only temporarily. The goal being to build from such a temporary assumption a commitment scheme that is both concealing and binding even after the assumption is withdrawn. Unfortunately, none of these attempts has produced a scheme achieving more than what classical cryptography alone can provide. Quantum bit commitment is now known to be impossible in scenarios lying beyond the initial statement of the no-go theorem [11]. It naturally raises the question of what assumptions are needed in order for secure quantum bit commitment to exist and can these assumptions be made independent of the classical one whilst remaining meaningful? In other words, does quantum mechanics helps in providing secure two-party computation? In this paper we consider a physical limitation upon which the security of quantum bit commitment, and QOT [35], can be based. The assumption does not restrict the computing power and therefore makes sense whether or not oneway functions exist in the classical world [19]. For, we restrict the ability of one party to carry out arbitrary quantum coherent measurements. We say that a measurement is n-coherent if it involves no more than n qubits coherently. We propose a variant of BCJL that is shown to be secure under this restriction. One reason for considering this assumption is that large coherent measurements are not known to be realizable by a reliable physical process. As an example, consider the simplest interesting case n = 2. Perhaps the most important 2coherent measurement that is not 1-coherent is the Bell measurement which, together with the ability to produce EPR pairs, leads to quantum teleportation [6]. Interestingly, although quantum teleportation has been shown to work experimentally [8], the Bell measurements could only be approximated. It is in general more difficult to make several qubits interact in a measurement than producing entangled states [31,24,8]. Whereas EPR pairs can be easily produced experimentally, measuring in the Bell basis requires more work. Even though Bell measurements will probably be accomplished in the near future, large coherent measurements are very challenging even in a controlled environment. The complexity and reliability required for the physical process implementing large

340

Louis Salvail

n-coherent measurements might well not be achievable in a foreseeable future. A coherent measurement can be seen as an unitary transformation acting on the observed system plus an ancilla, followed by a standard Von Neumann measurement. This process is exactly what is meant by a quantum algorithm. The ability to perform n-coherent measurements suggests that quantum computers working on n qubits can also be realized. However, it might be the case that n-qubits quantum computers exist but n-coherent measurements against quantum protocols don’t. One reason could be that quantum cryptography, unlike quantum computation, can take place in an extremely hostile environment for the survival of large entangled quantum states [17]. Our result shows that large coherent measurements are necessary in order to apply Mayers’ attack against our scheme. A commitment scheme is δ-binding if for each execution there is a bit x ˜ ∈ {0, 1} that cannot be unveiled with probability of success better than δ. Our bit commitment scheme requires the transmission of N qubits and is δbinding, for any δ > 0, provided the committer can only carry out n-coherent −αN measurements for some n ∈ Ω(N ). For some α > 0, -binding √ the scheme is 2 against n-coherent measurements for some n ∈ Ω( N ). The commitment is also shown to conceal unconditionally the committed bit. In section 2 we give the preliminary ingredients. Section 3 presents a variation of the BCJL protocol, called LJCB. In section 4 we introduce the definitions and tools about quantum measurements and outcomes. In section 5, we define the class of n-coherent strategies against the binding condition. We show that LJCB is binding against the class of n-coherent strategies for some n ∈ Ω(N ) where N is the total number of qubits sent through the quantum channel. In section 6, LJCB is shown to be unconditionally concealing. We conclude in section 7.

2

Preliminaries

We write x ∈R X for “the element x is picked uniformly Ln and randomly from the set X”. Notation x y for x, y ∈ {0, 1}n means i=1 xi · yi . For sets X = {x0 , x1 , . . . , xn } and s ∈ {0, . . . , n} we write Xs for the s-th element xs in X. If y represents the outcome of some random experiment then we write y as the random variable associate with the experiment. We denote the Shannon entropy and information functions by H(y) and I(y) respectively. For any strings c, c0 ∈ {0, 1}n we define ∆(c, c0 ) as the Hamming distance between c and c0 . When the context allows, we also write ∆(c, c0 ) as the set of distinct positions. For X ⊆ {1, . . . , n} and b ∈ {0, 1}n we denote by bX the substring of b defines for positions in X. 1 2.1

Bit Commitment

A bit commitment scheme allows Alice to send a piece of evidence to Bob that she has a bit x ∈ {0, 1} in mind. Given what he receives, Bob cannot tell what x 1

If b, c, c0 ∈ {0, 1}n are any n-bit string then b∆(c,c0 ) ∈ {0, 1}∆(c,c b restricted to positions where c and c0 differ.

0

)

is the substring of

Quantum Bit Commitment From a Physical Assumption

341

is. This phase of the bit commitment scheme is called the committing phase. After a while, Bob can ask Alice to unveil x in such a way that it is not possible for her to unveil 1 − x without being detected. This phase is called the opening phase. The security of such a scheme is captured by the following definition: Definition 1. A bit commitment scheme is – statistically concealing if the information V the receiver gets about the committed bit x ∈ {0, 1} after the committing phase (and before opening) is such that I(x|V) ≤ 2−αN for some α > 0 and N a security parameter, – δ–binding for 0 < δ < 1, if after the execution of the committing phase there exists x˜ ∈ {0, 1} such that the probability to unveil x ˜ with success is less than δ, – δ-secure if it is both concealing and δ-binding. In this paper we are concerned with a slightly weaker form of the binding property than what is usually considered. Namely, we allow the sender to change her mind with some bounded probability of success δ. Nevertheless, a δ–secure bit commitment scheme is sufficient for secure quantum oblivious transfer[35,5]. Mayers’ theorem shows how to break any concealing commitment by constructing an attack allowing to reveal any bit with probability of success almost 1. The attack also applies for concealing but δ-binding commitment schemes whenever δ < 1 [28,29]. 2.2

Quantum Coding

The essential quantum ingredient is the BB84 coding scheme [3]. In order to transmit the bit b = 0 one of the two non-orthogonal quantum states |0i+ = 10 √1 and |0i× = √12 is chosen and sent through the quantum channel 2 . For the 2 transmission of b = 1, the two non-orthogonal quantum states are |1i+ = 01 −1 √ and |1i× = √12 . If for transmitting b ∈ {0, 1} the quantum state |bi+ is 2

chosen then we say that b is transmitted in rectilinear basis “+”. If b is encoded in |bi× we say that b is transmitted in diagonal basis “×”. Let ρb be the quantum mixture associates with the transmission of bit b in a random basis θ ∈R {+, ×}. Let {γ0 , γ1 } be the unit vectors of the Breidbart basis (i.e. γ0 = (cos π8 , sin π8 ) and γ1 = (− sin π8 , cos π8 )). We have, for any b ∈ {0, 1}, that (see [10] for more information) π π (1) ρb = cos2 |γb ihγb | + sin2 |γ1−b ihγ1−b |. 8 8 Equation 1 stands as long as the coding basis θ is random and independent. One interpretation of equation 1 is that the BB84 coding scheme is inherently ambiguous. Given any outcome of any quantum measurement, the transmitted 2

Notation |bi for b ∈ {0, 1} means |bi+ which is the computational basis.

342

Louis Salvail

bit b cannot be known with probability better than cos2 ( π8 ). The intrinsic entropy H V N (ρb ) (Von Neumann entropy) about b ∈ {0, 1} is H V N (ρb ) = H(cos2

π π , sin2 ) ≥ 0.4157611883. 8 8

(2)

No possible outcome of any measurement can give more information about b than 1−H V N (ρb ) simply because the quantum state does not carry more information than that. For any X ⊆ {1, . . . , n} and b ∈ {0, 1}n we define ρX (b) = ⊗i∈X ρbi as the density matrix associates with bX when b is transmitted according to the BB84 coding scheme. As for equation 2 we have that 2 H V N (ρX b ) = #X · H(cos

π π , sin2 ) ≥ 0.4157611883 · #X. 8 8

(3)

In addition, since ρ+ = ρ× it follows that for all measurements no outcome gives information about the transmission basis. 2.3

Generalized Measurements

It is shown in [27] (see also section 2.2 of [33]) that any possible measurement can be represented by a single IPP (Inner Product Preserving Operator) transformation from the initial space of states to a larger space of states followed by an ordinary von Neumann measurement on the latter. An m-outcome generalized measurement on a space V is described by m operators Mk : V → Wk , k = 1, . . . , m, such that if the initial state is |φi and the observed classical outcome is k then the state after the measurement, up to normalization, is Mk |φi. The probability to observe k when |φi is transmitted is kMk |φik2 . The operator Mk is IPP if it is represented as a matrix of orthonormal columns. An IPP operator Mk for the measurement of an n qubits system has 2n columns. The value hki is called the classical outcome for Mk . From Mk , we define the column vector Φθ (hki|b) = Mk |biθ containing the transition amplitudes from state |biθ to any of the final state in Mk . The probability of observing hki when |biθ is the initial state is kΦθ (hki|b)k2 . If the measurement is complete then Mk is one-dimensional and Φθ (hki|b) is not a vector but a complex number. We use the IPP representation because, as in [30], we want to analyze measurements acting on a fixed number n of qubits independently of the degree of freedom provided by appending an ancilla to the system (unlike the POVM model). When we say that a measurement is n-coherent, we mean that it measures a quantum state of dimension 2n regardless the dimension of the ancilla.

3

The Protocol

The protocol we describe works on the same principles than BCJL [10]. The main difference is the direction of the quantum transmission allowing Alice to commit. For this reason our scheme is called LJCB. Unlike the BCJL scheme, the commitment is made by choosing how to measure the received qubits. The

Quantum Bit Commitment From a Physical Assumption

343

commitment is initiated by Bob who sends to Alice N qubits in state |biθ for b ∈R {0, 1}N and θ ∈R {+, ×}N . For each qubits she receives, one of the two incompatible Von Neumann measurements + and × is chosen and the result is announced to Bob. Since the two measurements are incompatible, even knowing the outcome does not reveal all the information about which one has actually been done. Let C be an error-correcting code of length N , dimension k and minimum distance d. The code C does not need to have an efficient decoding algorithm. In order to commit (see protocol 1), Alice picks c ∈R C, measures the i–th photon πi with the Von Neumann measurement {+, ×}ci and announces the classical outcome βi ∈ {0, 1}. Alice also chooses and announces a random r ∈ {0, 1}n subject to r c = x. This completes the committing phase. In order to open x (see protocol 2), Alice simply announces c and x allowing Bob to verify (for each πi ) that when she measured in the basis he had chosen then the announced outcome corresponds to the bit originally sent. In this paper, we assume a noiseless quantum channel allowing Bob to reject Alice’s commitment as soon as one position i is found such that θi = ci but bi 6= βi . The case of a noisy quantum channel will be addressed in the final version. Protocol 1 ( commit(x) ) 1: Bob picks and announces a random boolean generating matrix G for a linear [N, k, d]–code C with N and k chosen according to theorem 3,

2: Alice picks m ∈R {0, 1}k , sets c ∈R G · m and picks r ∈R {0, 1}N subject to c r = x. Alice announces r to Bob,

3: Bob chooses randomly b ∈R {0, 1}N and θ ∈R {+, ×}N , N

4: DO i=1

– Bob sends a photon πi in polarization state |bi iθi , – Alice measures πi in basis {+, ×}ci and obtains the classical outcome βi ∈ {0, 1}, 5: Alice announces β = β1 , . . . , βN to Bob.

Protocol 2 ( open(r, β, θ, b)(c, x) ) 1: Alice announces c and x to Bob, 2: Bob accepts if and only if

1. c ∈ C, 2. (∀i ∈ {1, . . . , N })[θi = ci ⇒ bi = βi ] and 3. x = c r.

4

Tools

In this section, we give general properties applicable to any quantum measurement Alice may apply when she commits and opens the bit x. These properties are tools that will be used to deal with Alice general strategy against the binding condition.

344

Louis Salvail

When Alice commits, she measures the initial state |biθ in order to get the classical outcome hr, βi. When she opens x, she refines her measurement and gets the final classical outcome hr, β, ci. The bit x needs not to appear in the final outcome description since it is uniquely defined as c r. It is convenient to write hr, β, vi to represent a partial outcome with an extra piece of information v ∈ V for an arbitrary set V. The extra outcome v will be used in section 5 to model successive steps in Alice opening strategy. The final outcome hr, β, ci is accepted by Bob if and only if c ∈ C and the string b ∈ {0, 1}N is in the set S(β, c, θ) = {b ∈ {0, 1}n|(∀i ∈ {1, . . . , n})[θi = ci ⇒ bi = βi ]}. The following definition characterizes partial outcomes hr, β, vi allowing to announce safely the codeword c. Definition 2. A partial result with classical outcome hr, β, vi is (θ, c, p)–safe if for 12 < p < 1, θ ∈ {+, ×}n and c ∈ {+, ×}n we have P (b ∈ S(β, c, θ)|β = β ∧ θ = θ ∧ v = v) ≥ p.

(4)

We also say that hr, β, vi is (c, p, q)-safe if there exists a subset Θ ⊆ {+, ×}n such that #Θ 2n ≥ q and for each θ ∈ Θ the partial outcome hr, β, vi is (θ, c, p)-safe. Suppose the result hr, β, vi is (θ, c, p)-safe. The IPP operator implementing the measurement that produces hr, β, vi can be written in terms of transition amplitudes given the following identity (see section 2.3): P θ 2 b∈S(β,c,θ) kΦ (hr, β, vi|b)k . P (b ∈ S(β, c, θ)|hr, β, vi ∧ θ = θ) = P θ 2 b∈{0,1}n kΦ (hr, β, vi|b)k This allows to rewrite equation 4 as X kΦθ (hr, β, vi|b)k2 ≥ p b∈S(β,c,θ)

X

kΦθ (hr, β, vi|b)k2 .

(5)

b∈{0,1}n

If hr, β, vi is (c, p, q)-safe then there exists Θ ⊆ {+, ×}n such that #Θ 2n ≥ q and equation 5 holds for all θ ∈ Θ. In section 5, we shall see that next definition characterizes the partial outcomes of n-coherent measurements Alice needs in order to attack the binding condition of LJCB. Lemma 1 will then put restrictions on what Alice can physically achieve. Definition 3. Let θ ∈ {+, ×}n, r, β, c, c0 ∈ {0, 1}n. A partial result with classical outcome hr, β, vi is (θ, c, c0 , p)–promising if hr, β, vi is (θ, c, p)–safe and (θ, c0 , p)– safe. We also say that hr, β, vi is (c, c0 , p, q)-promising if there exists a subset Θ ⊆ {+, ×}n such that #Θ 2n ≥ q and for each θ ∈ Θ the partial outcome hr, β, vi is (θ, c, c0 , p)-promising. Let S(β, c, c0 , θ) = S(β, c, θ) ∩ S(β, c0 , θ) be the set of initial strings b ∈ {0, 1}n such that from hr, βi both c and c0 can be announced without error. Using equation 5, we easily get that hr, β, vi is (θ, c, c0 , p)-promising implies X X kΦθ (hr, β, vi|b)k2 ≥ (2p − 1) kΦθ (hr, β, vi|b)k2 . (6) b∈S(β,c,c0,θ)

b∈{0,1}n

Next lemma shows that promising partial results don’t always exist.

Quantum Bit Commitment From a Physical Assumption

345

Lemma 1. Let c, c0 ∈ {0, 1}n be such that ∆(c, c0 ) ∈ Ω(n) and let r, β ∈ {0, 1}n. Then, there exists no (c, c0 , p, q)–promising partial result with classical outcome hr, β, vi whenever q(2p − 1) ≥ pmax = 0.586. Proof. Let Θ ⊆ {+, ×}n be a set of basis such that #Θ 2n ≥ q and for all θ ∈ Θ the partial outcome hr, β, vi is (θ, c, c0 , p)-promising. ¿From equation 6, for all θ ∈ Θ, P (b ∈ S(β, c, c0 , θ)|hr, β, vi is (θ, c, c0 , p)-promising) ≥ 2p − 1. By construction we also have that P b∆(c,c0 ) = β∆(c,c0 ) |b ∈ S(β, c, c0 , θ) = 1. It follows that P b∆(c,c0 ) = β∆(c,c0 ) |hr, β, vi is (θ, c, c0 , p)-promising ≥ 2p − 1.

(7)

Since no measurement outcome gives information about the transmission basis θ, we have that P (θ ∈ Θ|hr, βi) ≥ q. It follows from Bayes’ law that P b∆(c,c0 ) = β∆(c,c0 ) |hr, β, vi is (c, c0 , p, q)-promising ≥ q(2p − 1). The amount of uncertainty about b∆(c,c0 ) can therefore be upper bounded as follows: H(b∆(c,c0 ) |hr, β, vi is (c, c0 , p, q)–promising ) 0 2∆(c,c ) −1 times z }| { 1 − q(2p − 1) 1 − q(2p − 1) , . . . , ∆(c,c0 ) ) ≤ H(q(2p − 1), ∆(c,c0 ) 2 −1 2 −1 ≤ H(q(2p − 1), 1 − q(2p − 1)) + (1 − q(2p − 1))∆(c, c0 ).

The above equation contradicts the lower bound expressed equation 3 since q(1 − 2p) > pmax implies H(b∆(c,c0 ) |hr, β, vi is (c, c0 , p, q)–promising ) ≤ H(0.586, 0.414) + 0.414∆(c, c0 ) ∆(c,c0 )

≤ H V N (ρb when ∆(c, c0 ) ∈ Ω(n) is large enough.

) t u

In other words, any outcome hr, β, vi that is (c, c0 , p, q)-promising for p and q such that q(2p − 1) ≥ pmax , conveys more information about b∆(c,c0 ) than what is allowed by equation 3. This holds regardless of the extra outcome v.

346

5 5.1

Louis Salvail

The Binding Condition n-Coherent Opening Strategies

Alice’s opening strategies are of the following form: – During the committing phase, Alice incompletely measures the N qubits in order to get the partial outcome hr, βi for r ∈ {0, 1}N and β ∈ {0, 1}N . She announces r and β to Bob. – During the opening phase, Alice completes her previous measurement according to the bit x she wants to unveil. The outcome of the refinement is a codeword c ∈ C and the unveiled bit x ∈ {0, 1} is c r = x. The final and complete outcome hr, β, ci allows Bob to learn x. An opening strategy is n-coherent if all measurements performed by Alice during both phases are n-coherent. Unlike fully coherent strategies, a n–coherent strategy is made out of t ≥ d N n e measurements depending only classically upon each others. Each possible measurement must be expressible as an IPP operator with no more than 2n columns. However, the description of each IPP operator may depend upon some partial outcomes obtained from previous measurements and therefore can change dynamically as the opening strategy evolves. In order to model arbitrary n-coherent opening strategies, it is convenient to use a tree structure TNn . Each node in TNn represents the current state and the next measurement to be applied. The relevant operations are quantum measurements and classical announcements. For the sake of simplicity, we only represent in TNn the opening part of Alice’s strategy. In other words, the root of TNn represents the first refinement Alice applies from the partial outcome hr, βi when the opening phase is initiated. We require that each measurement along any path P of TNn can be expressed as a set of measurements MP = {M1 , . . . , Mt } where each M ∈ MP , is an IPP operator of at most 2n columns acting on a subset B ⊆ {1, . . . , N } of the received qubits. Without loss of generality we assume that all announcements are made at the very end of the measurement process i.e. they are leafs of TNn . We also assume each internal node to define a binary outcome refinement. The outgoing edges are labelled according to the possible outcomes and lead to the next node. At the end of each path, a final announcement c ∈ C is made. Each path P in TNn defines a complete final outcome hr, β, ci which is the concatenation of all t measurement outcomes defined along P . Since each measurement Mi ∈ MP is applied to a block Bi ⊆ {1, . . . , N } of at most n qubits, P defines a partition B = {B1 , . . . , Bt } such that for all i ∈ {1, . . . , t}, #Bi ≤ n. Each measurement Mi may act coherently on photons {πj }j∈Bi . We call B the block decomposition of P and each B ∈ B is called a block. The partial and final outcomes for a measurement M ∈ MP acting on block B ∈ B are denoted by hr, βiB = hrB , βB i and hr, β, ciB = hrB , βB , cB i respectively. It is also convenient to define the block decomposition B(d) at node d which is the block decomposition for measurements along the path from the root to node d. Once the measurement in node d is completed during the execution of TNn with root hr, βi, Alice gets the partial outcome hr, β, v(d)i where v(d) represents

Quantum Bit Commitment From a Physical Assumption

347

the composite partial outcome (or view) for refinements down to d. We denote the final outcome by hr, β, ci with c ∈ C dropping the irrelevant auxiliary view u v(d). Let d0 be a node in TNn reachable from d. We write hr, β, v(d)i → hr, β, v(d0 )i if the probability to go from d to d0 in TNn is at least u. We write hr, β, v(d)i → hr, β, v(d0 )i to indicate that the probability of transition from d to d0 is nonzero. We denote L(TNn , s) the set of nodes at level s in TNn . Definition 4. Let TNn be a n-coherent opening strategy from partial outcome hr, βi. We say that TNn is (u, γ)–successful if there exists C ∗ ⊆ C such that P (c ∈ C ∗ |hr, βi ∧ TNn ) ≥ u and for all c ∈ C ∗ , P (b ∈ S(θ, β, c)|hr, βi ∧ TNn ) ≥ γ. Similarly, a node d in TNn is said to be (u, γ)–successful if the subtree TNn (d) of TNn is (u, γ)–successful. Next lemma gives some simple properties any n-coherent opening strategy TNn must have. The proof is omitted but follows easily from the definition 4 and the above discussion. Lemma 2. Let TNn be an n-coherent opening strategy with root hr, βi. Let γ = 1 − (1 − %)(1 − q) for 0 < %, q < 1 and let l > 0 be an integer. Let d ∈ TNn and n t = dN e. The following holds: 1. If d0 is a son of d in TNn then #(B(d0 ) ∩ B(d)) ≥ t − 1, 2. If hr, β, v(d)i is both (c, %, q)-safe and (c0 , %, q)-safe then hr, β, v(d)i is (c, c0 , %, 2q − 1)-promising, u 3. If for B ∈ B(d), hr, β, v(d)iB → hr, β, ciB and hr, β, ciB is (c, %, q)-safe then hr, β, v(d)iB is (c, %u, q)-safe, %l

4. if hr, β, v(d)i → hr, β, ci then % b b b ≥ t − l], (∃B(d) ⊆ B(d))(∀B ∈ B(d))[hr, β, v(d)iB → hr, β, ci ∧ #B(d) 5. if P (b ∈ S(θ, β, c)|hr, β, ci) ≥ γ l then b b b ≥ t − l]. (∃D(d) ⊆ B(d))(∀B ∈ D(d))[hr, β, ciB is (c, %, q)-safe ∧ #D(d) 5.2

LJCB is Binding

In this section we prove that whenever n is small with respect to C’s minimum distance d, Alice cannot change her mind with arbitrary good probability of success. The smaller n is, compared to d, the better the probability is for Bob to detect Alice changing her mind. Next lemma shows that any successful strategy allows to unveil only one c ∈ C with good probability of success. The binding condition will then follow. d . If TNn is a (%l , γ l )-successful Lemma 3. Let % = 0.93,γ = 0.9937 and n ≤ 4l+5 n-coherent opening strategy from partial outcome hr, βi then the following predicate holds,

H(s) ≡ [(∀d ∈ L(TNn , s))(∃!c∗ ∈ C)

[hr, β, v(d)i → hr, β, c∗ i ∧ P (b ∈ S(θ, c∗ , β)|hr, β, c∗ i) ≥ γ l ]].

348

Louis Salvail

Proof. Let q = 0.91 be such that γ = 1 − (1 − %)(1 − q). Let t = d N n e be a lower bound on the number of n-coherent measurements. The proof proceeds by mathematical induction. In the first place, it is easy to see that H(0) holds since all nodes at level 0 are announcements. Second, assume H(s) holds, we show that H(s + 1) also holds. Let d ∈ L(TNn , s + 1). Let d0 and d1 be the left and right son of d respectively. If TNn (d0 ) or TNn (d1 ) is not (%l , γ l )-successful then H(s + 1) followed directly from H(s). Now suppose both TNn (d0 ) and TNn (d1 ) are (%l , γ l )-successful. By induction hypothesis, TNn (d0 ) and TNn (d1 ) are such that %l

%l

hr, β, v(d0 )i → hr, β, c0 i and hr, β, v(d1 )i → hr, β, c1 i respectively, for c0 , c1 ∈ C. If c0 = c1 then H(s + 1) follows from H(s). Assume for a contradiction that c0 6= b 0 ) and B(d b 1 ) be defined according to lemma 2-4). We have that for c1 . Let B(d b 0 ) and D(d b 1 ) be defined as in lemma 2-5) b w ) ≥ t − l. Let D(d all w ∈ {0, 1}, #B(d b w )∩D(d b w )∩B(d) be b w ) ≥ t−l. Let Γ w = B(d ensuring that for all w ∈ {0, 1},#D(d % w w the set of blocks B ∈ B(d) such that hr, β, v(d )iB → hr, β, c iB and hr, β, cw iB w are (cw ≥ t − 2(l + 1) and from B , %, q)-safe. From property 2-1), we get that #Γ w w 2 0,1 lemma 2-3), all B ∈ Γ are such that hr, β, v(d )iB is (cw = B , % , q)-safe. Let Γ 0 1 0 1 2 Γ ∩Γ be the set of blocks B ∈ B(d) such that hr, β, v(d)iB is (cB , cB , % , 2q−1)promising. Since both #Γ 0 and #Γ 1 are greater than t − 2(l + 1) it follows that #Γ 0,1 ≥ t − 4(l + 1). Let B∆ = {B ∈ B(d)|∆(c0B , c1B ) ∈ Ω(n)} be such that d #B∆ ≥ 4l+5 from the fact that n ≤ 4l+5 . From lemma 2-2), all B ∈ Γ∆ = (Γ 0 ∩ 1 0 Γ ) ∩ B∆ are such that hr, β, v(d)iB is (cB , c1B , %2 , 2q − 1)-promising in addition to ∆(c0B , c1B ) ∈ Ω(n). To get a contradiction, it suffices to show that Γ∆ is not empty since any B ∈ Γ∆ is such that hr, β, v(d)iB is (c0B , c1B , %2 , 2q −1)-promising contradicting lemma 1 since (2%2 −1)(2q−1) > pmax . By the pigeonhole principle, since #(B(d) \ Γ 0,1 ) ≤ 4l + 4 and #B∆ ≥ 4l + 5, it must exist a block B ∈ B∆ that is also in Γ 0,1 and therefore #Γ∆ ≥ 1. We must conclude that c0 6= c1 is impossible and H(s + 1) follows. t u Next theorem uses lemma 3 in order to conclude that LJCB is δ-binding for any δ > 0 and against all n-coherent opening strategies for some n ∈ Ω(N ). Theorem 1. Let N be the number of BB84 qubits transmitted. Let l > 0 be an integer. Let d ∈ Ω(N ) be C’s minimum distance. Protocol LJCB is δ(l)-binding d and against any n-coherent opening strategy for δ(l) = γ l + %l provided n ≤ 4l+5 γ, % are defined as in lemma 3. Proof. Assume Alice can open any x ∈ {0, 1} with an appropriate n-coherent opening strategy TNn (x). The trees TNn (0) and TNn (1) cannot be both (%l , γ l )successful since otherwise the tree TNn with TNn (0) and TNn (1) as left and right subtree respectively will also be (%l , γ l )-successful. By construction, TNn has two codewords c0 6= c1 such that for all x ∈ {0, 1} hr, βi → hr, β, cx i and P (b ∈ S(θ, cx , β)|hr, β, cx i) ≥ γ l contradicting lemma 3. It follows that there exists x ˜ ∈ {0, 1} having probability less than δ(l) ≤ (1 − %l )γ l + %l ≤ γ l + %l of being unveiled with success. t u

Quantum Bit Commitment From a Physical Assumption

6

349

The Concealing Condition

In this section we show how to choose the code C such that Bob gets almost no Shannon information about the committed bit x. The technique is similar to the one introduced in [10] to deal with the concealing condition of BCJL. Here, we sketch the proof that LJCB is concealing along the same lines. We first define the density matrix ρc that characterizes Bob’s view about c ∈ C given the announcement hr, βi. We then show that Bob’s view about c is equivalent to receiving c through a noisy channel. This is done by introducing a fictitious protocol used by Alice to send c ∈ C in such a way that Bob gets the same view than after the committing phase of LJCB. We finally show, using privacy amplification techniques [4,12], that the fictitious protocol conceals x and therefore so it is for LJCB. The most general attack for Bob is to prepare a quantum system initially in pure state |ψi ∈ H2N ⊗ HB where H2N is the Hilbert space of N qubits and HB is an auxiliary Hilbert space helping Bob in its quest P for x. The quantum state |ψi can be written, for some I ∈ IN, as |ψi = 1≤i≤I ai |ψiA i ⊗ |ψiB i where |ψiA i ∈ H2N , |ψiB i ∈ HB and the ai ’s are complex numbers such that P 2 A B i |ai | = 1. We do not require |ψi i’s (resp. |ψi i) to be orthogonal. Bob then sends ρA = TrHB (|ψihψ|) to Alice and keeps the remaining part ρB = TrH2N (|ψihψ|) for later use. Once β, r ∈ {0, 1}N have been announced, Bob determines an unitary transformation U (r, β) which he applies to ρB . The strategy is completed after a standard measurement M is finally applied to the final state U (r, β)ρB U (r, β)† . First, we show that Bob has no advantage in preparing ρA in a mixed state. Consider that, instead of preparing state |ψi as described above, Bob follows the procedure Simulate(ψ) defined as: 1. 2. 3. 4.

Bob Bob Bob Bob

picks i ∈ {1, . . . , I} with probability |ai |2 , sends to Alice the quantum state |ψiA i and keeps |ψiB i for later, waits for r, β ∈ {0, 1}N and applies |ψbiB i = U (r, β)|ψiB i, measures |ψbiB i with measurement M .

The above procedure gives exactly the same view than what Bob would get if he had prepared the entangled state |ψi since |ψi is a purification of Simulate(ψ) [18]. The density matrices, for Alice’s and Bob’s systems, before M is applied are identical in both cases. It follows that M behaves the same way in both scenarios and therefore, if the initial preparation |ψi helps Bob in cheating then so it is for Simulate(ψ). By the same argument, each qubit πi can be assumed in pure state |φi i ∈ H2 allowing us to restrict the analysis to Bob’s strategy consisting of sending N qubits in state ⊗N i=1 |φi i. Let Bob’s qubits πi , for i ∈ {1, . . . , N }, be in quantum state |φi i = cos αi |0i+ sin αi |1i where αi is an arbitrary angle. For m, w ∈ {0, 1}, let pwm (αi ) be the probability that Alice observes the classical outcome m whenever |φi i is measured in basis {+, ×}w. We have that p00 (αi ) = cos2 αi , p01 (αi ) = sin2 αi , p10 (αi ) = (cos αi + sin αi )2 /2 and p11 (αi ) = (sin αi − cos αi )2 /2.

350

Louis Salvail

Let ρici be the density matrix describing what Bob gets when Alice chooses to measure πi in basis {+, ×}ci : ρici (αi ) = pci 0 (αi )|0ih0| + pci 1 (αi )|1ih1|.

(8)

The density matrix ρx (α) associates with the commitment of bit x and given the polarization angles α = α1 , α2 , . . . , αN is such that (see [10] for details) X

ρx (α) =

{c∈C|c r=x}

2−k+1

N O

ρici (αi ).

i=1

Consider the following fictitious protocol for transmitting c ∈R C from Alice to Bob. It is easy to verify that the density matrix ρbx (α) corresponding to the transmission of a random codeword from C in fictitious(x), satisfies ρbx (α) = ρx (α). Protocol 3 ( fictitious(x) ) 1: Alice chooses c ∈R C, 2: For each i ∈ {1, . . . , N }, Alice sends to Bob a photon πi in state:

– If ci = 0 then she sends |0i with probability p00 (αi ) and sends |1i with probability p01 (αi ), – If ci = 1 then she sends |0i with probability p10 (αi ) and sends |1i with probability p11 (αi ). 3: Alice announces a random r ∈ {0, 1}N such that c r = x.

Protocol fictitious(x) does not require the transmission of qubits. Classical communication is enough since only orthogonal states are sent. Given α, Bob’s view about c in LJCB is the same as if c was sent through a classical noisy channel. Let ωi be the bit received by Bob in the i-th transmission. In general, for any c, w ∈ {0, 1} and any actual view Vi up to the i-th transmission , we have P (ci = c|ωi = w ∧ αi ∧ Vi ) =

P (ci = c|Vi ) pcw (αi ) . (9) P (ci = 0|Vi ) p0w (αi ) + P (ci = 1|Vi ) p1w (αi )

An easy calculation shows that for any actual view Vi , the best choice for αi 1 vπ is αi = vπ 4 for some v ∈ IN. Whenever P (ci = c|Vi ) = 2 any αi = 4 for v ∈ IN works equally good. In order to simplify the analysis, we assume that C is a [N, k]-systematic random code. This ensures that for all i ∈ {1, . . . , k}, P (ci = c|Vi ) = 12 allowing us to set αi = 0 without loss of generality. In addition, we also assume that the redundancy part c˜ ∈ {0, 1}N −k of c ∈ C is sent perfectly to Bob. This new procedure is called fictitious∗ (x) and is identical to protocol 3 except that C is systematic and only the message part m ∈ {0, 1}k of a codeword c is sent imperfectly. Obviously if Bob does not get much information when c is sent according to fictitious∗ (x) then he gets no more information whenever c is received according to fictitious(x).

Quantum Bit Commitment From a Physical Assumption

351

The first step consists of finding a lower bound on Bob’s R´enyi (or collision) entropy about c before Alice announces the redundancy part c˜ and r ∈ {0, 1}N in fictitious∗ (x). Setting αi = 0 in equation 9 gives that for all c ∈ {0, 1}: P (ci = c|wi = 0 ∧ Vi ) ≥

1 . 3

(10)

The subset of positions J ⊆ {i|ωi = 0} is, except with negligible probability 2 2−λ k , such that #J ≥ P (ω i = 0|Vi ) k − λk = ( 34 − λ)k. Bob’s R´enyi entropy R(c|V) given the view V = ∪1≤i≤k Vi after the transmission of the k bits of message in c is such that, 5 3 3 R(c|V) ≥ −k( − λ)lg = 0.848( − λ)k. 4 9 4

(11)

Next, Bob learns perfectly N −k parity bits about cJ . The situation is identical to receiving the bits in cJ over a binary symmetric channel with error probability 13 plus u = N −k parity bits. This situation has been analyzed extensively in [12]. It is shown that, except with probability 2−λk , the R´enyi entropy R(c|V ∧ U = U ) given the complete view V and the parity bits U satisfies: R(c|V ∧ U = U ) ≥ R(c|V) − 2u − 2λk ≥ 2.63k − 2N − 3λk.

(12)

Equation 12 and the privacy amplification theorem (PAT) of [4] allows to conclude that the committed bit x = c r is statistically hidden to Bob. b > 0 such that except with negligible probability, the Theorem 2. There exists λ λN information Bob gets about x after the commit phase of LJCB is less than 2−b provided

k N

≥ 0.77.

Proof sketch. According to the PAT [4], the amount of Shannon information I(x|V ∧ U = U ∧ r = r) about x after the execution of fictitious∗ (x) is such k that I(x|V ∧ U = U ∧ r = r) ≤ 2−R(c|U =U ∧V)+1 / ln 2. Plugging N ≥ 0.77 and λN setting λ small enough in equation 12 gives I(x|V ∧ U = U ∧ r = r) ≤ 2−b ∗ b for some λ > 0. This also holds for LJCB since fictitious (x) gives always more information about x. t u

7

Conclusion

Theorem 1 and 2 ensure that LJCB can be tuned to provide both the binding and the concealing conditions. Using Gilbert-Varshamov bound (GVB) on random binary codes allows to conclude that the same tuning can satisfy both conditions simultaneously. According to GVB [23], a random N × k matrix with k N > 0.77 defines a [N, 0.77N, 0.035N ]–code except with negligible probability. Theorems 1, 2 and GVB allow to conclude with our main result: Theorem 3. Let C be a [N, 0.77N ] random binary code. Let l > 0 be an integer and let n ≤ 0.035N 4l+5 . Protocol LJCB is δ(l)-secure against all n-coherent opening strategies for γ = 0.9937, % = 0.93 and δ(l) = γ l + %l .

352

Louis Salvail

The binding condition, which is the target of Mayers’ attack, holds because if Alice could succeed in changing her mind, it would imply that some measurement outcomes have given more information than what is physically achievable. Even n though our analysis gives n ∈ Ω(N ) for any δ(l) > 0, the constant N ≈ 0.035N 4l+5 is small even for relatively large values of δ(l). It is important for practical applications to improve the constants appearing in the statement of theorem 3. Bootstrapping the BBCS protocol with LJCB leads to secure QOT provided the receiver cannot carry out n-coherent opening strategies against the commitments [35]. In BBCS, the receiver must commit on measurement outcomes. Two commitments are produced for each of the N qubits received. ¿From theorem 3 and assuming each commitment requires the transmission of N qubits, we √ get that BBCS is secure against n-coherent measurements for some n ∈ Ω( N ). Moreover, one call to BBCS is sufficient to get a 2−αN -secure commitment scheme for some√α > 0. The resulting commitment is therefore 2−αN -secure for some n ∈ Ω( N ) as well. This leads to our main open question: Is LJCB 2−αN -binding against any n-coherent opening strategy for some n ∈ Ω(N )? When used in BBCS, LJCB allows to realize QOT using only unidirectional quantum transmission. If QOT is used for quantum identification [14] then the scheme achieves unconditional security for the client and conditional security for the server. All quantum transmissions taking place are from the client to the server. This is interesting in practice because only the technology for sending photons (which is simpler than the one for receiving) is required for the client. However, in other scenarios it might be better to have a commitment scheme where the committer is sending the qubits. In such a case BCJL would be a better choice. Theorem 3 should also hold for BCJL but with different constants. It would be interesting to prove theorem 3 for BCJL as well. Different experiments in quantum information theory (see [17,24,8,31]) have given strong evidences that our assumption is realistic. It appears that the physical complexity of implementing n-coherent measurements grows very quickly as n increases. Today’s technology only allows to deal imperfectly with the simple case n = 2. Future experiments will be important in order to capture more precisely what is the inherent difficulty of implementing arbitrary large coherent measurements. Despite the fact that quantum cryptography does not provide unconditional secure two-party computation, it allows to base cryptography upon physical, realistic and well-defined assumptions. In this paper, we have shown how quantum mechanics can help in providing an alternative framework to complexity-based cryptography.

Acknowledgements The author is very grateful to Peter Høyer for indispensable help. I would like to thank Ivan Damg˚ ard, Jeroen van de Graaf and Claude Cr´epeau for helpful discussions and comments. I am also indebted to Gilles Brassard for having proposed the problem in the first place. Finally, thanks to the anonymous referees for valuable remarks.

Quantum Bit Commitment From a Physical Assumption

353

References 1. Aspect, A, P. Grangier and G. Roger, “Experimental realization of the Einstein-Podolsky-Rosen-Bohm gedankenexperiment: A new violation of Bell’s inequalities”, Physical Review Letters, vol. 49, no. 2, 1982, pp. 91 – 94. 338 2. Bell, J.S.,“On the Einstein Podolsky Rosen Paradox”, Physics, vol. 1, no. 1, 1964, p. 195. 3. Bennett, C. H. and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing”, Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, December 1984, pp. 175 – 179. 338, 338, 341 4. Bennett, C. H., G. Brassard, C. Cr´ epeau and U. Maurer, “Generalized Privacy Amplification”, IEEE Transaction on Information Theory, vol. 41, 1995, pp. 1915 – 1923. 349, 351, 351 5. Bennett, C. H., G. Brassard, C. Cr´ epeau and M.–H. Skubiszewska, “Practical quantum oblivious transfer”, Advances in Cryptology — Proceedings of Crypto ’91, August 1991, Springer – Verlag, pp. 351 – 366. 339, 341 6. Bennett, C. H., G. Brassard, C. Cr´ epeau, R. Jozsa, A. Peres and W.K. Wootters, “Teleporting an Unknown Quantum State via Dual Classical and EPR Channels”,Physical Review Letters, vol.70, no. 13, 1993, pp. 1895 – 1899. 339 7. Biham, E, G. Brassard,M. Boyer,J. van de Graaf and T. Mor, “Security of Quantum Key Distribution Against All Collective Attacks”, Los Alamos preprint archive quant-ph/9801022, January 1998. 338 8. Bouwmeester, D, J.W. Pan, K. Mattle,M. Eibl,H. Weinfurter and A. Zeilinger, “Experimental Quantum Teleportation”,Nature, vol.390, 1997,p.575. 339, 339, 352 9. Brassard, G.and C. Cr´ epeau, “Quantum bit commitment and coin tossing protocols”, Advances in Cryptology — Proceedings of Crypto ’90, August 1990, Springer – Verlag, pp. 49 – 61. 338, 339 10. Brassard, G., C. Cr´ epeau, R. Jozsa and D. Langlois, “A quantum bit commitment scheme provably unbreakable by both parties”, Proceedings of 34th Annual IEEE Symposium on the Foundations of Computer Science, November 1993, pp. 362 – 371. 339, 339, 341, 342, 349, 350 11. Brassard, G., C. Cr´ epeau, D. Mayers and L. Salvail, “A Brief Review on the Impossibility of Quantum Bit Commitment”, Los Alamos preprint archive quant-ph/9712023, December 1997. 339 12. Cachin, C.and U. Maurer,“Linking Information Reconciliation and Privacy Amplification”,Journal of Cryptology, vol. 10, no. 2, 1997,pp. 97 – 110. 349, 351 13. Cr´ epeau, C., “What is going on with quantum bit commitment?”, Proceedings of Pragocrypt ’96: 1st International Conference on the Theory and Applications of Cryptology, Prague, October 1996. 339 14. Cr´ epeau, C. and L. Salvail, “Quantum oblivious mutual identification”, Advances in Cryptology — Proceedings of Eurocrypt ’95, May 1995, Springer – Verlag, pp. 133 – 146. 352 15. Cr´ epeau, C., J. van de Graaf and A. Tapp, “Committed Oblivious Transfer and Private Multi-Party Computation”, in Advances in Cryptology: Proceedings of Crypto ’95 (Springer – Verlag, Berlin, 1995), Vol. 963, pp. 110 – 123. 338 16. Einstein A., B. Podolski and N. Rosen, “Can Quantum-Mechanical Description of Physical Reality be Considered Complete?”, Physical Review, no. 47, 1935, pp. 777 – 780. 338

354

Louis Salvail

17. Hughes, R.J.,D.F.V. James,J.J. Gomez,M.S. Gulley,M.H. Holzscheites, P.G. Kwiat,S.K. Lamoreaux,C.G. Peterson,V.D. Sandberg,M.M. Schauer,C.M. Simmons, C.E. Thorburn, D. Tupa, P.Z. Wang and A.G. White, “The Los Alamos Trapped Ion Quantum Computer Experiment”,Los Alamos preprint archive quant-ph/9708050, August 1997. 340, 352 18. Hughston, L. P., R. Jozsa, and W.K. Wootters, “A complete classification of quantum ensembles having a given density matrix”, Physics Letters A, vol. 183, 1993, pp. 14 – 18. 349 19. Impagliazzo, R. and M. Luby,“One-way Functions are Essential for Complexity Based Cryptography”, Proceedings of 21th Annual IEEE Symposium on the Foundations of Computer Science, 1989,pp. 230 – 235. 339 20. Kilian, J., Founding Cryptography on Oblivious Transfer, in the proceeding of 20th Symposium on Theory of Computation, Chicago, 1988, pp. 20 – 31. 338 21. Kranakis,E.,“Primality and Cryptography”,John Wiley and Sons, 1986. 22. Lo, H.–K. and H. F. Chau, “Is quantum bit commitment really possible?”, preprint archive http://xxx.lanl.gov/ps/quant-ph/9603004, March 1996. 339 23. MacWilliams, F.J.and N.J.A. Sloane,“The Theory of Error-Correcting Codes”, North-Holland, 1977. 351 24. Mattle, K.,H. Weinfurter, P.G. Kwiat and A. Zeilinger, “Dense coding in experimental quantum communication”, Physical Review Letters, vol. 76, 1996, pp. 4656 – 4659. 339, 352 25. Mayers, D., On the security of the quantum oblivious transfer and key distribution protocols, Advances in Cryptology: Proceeding of Crypto ’95, Lecture Notes in Computer Science, 1995. 338 26. Mayers, D., “The trouble with quantum bit commitment”, Presented at a workshop on quantum information theory, Montr´eal, October 1995. Available at http://xxx.lanl.gov/ps/quant-ph/9603015, March 1996. 339 27. Mayers, D., “La s´ecurit´e des protocoles de la cryptographie quantique”, PhD dissertation, Universit´e de Montr´eal, 1996. 342 28. Mayers, D., “Unconditionally secure quantum bit commitment is impossible”, presented in the Fourth Workshop on Physics and Computation — PhysComp ’96, Boston, November 1996. 341 29. Mayers, D., “Unconditionally secure quantum bit commitment is impossible”, Physical Review Letters, vol 78, 1997, pp. 3414 – 3417. 339, 341 30. Mayers, D. and L. Salvail, “Quantum oblivious transfer is secure against all individual measurements”, Proceedings of the Third Workshop on Physics and Computation — PhysComp ’94, Dallas, November 1994, IEEE Computer Society Press, pp. 69 – 77. 342 31. Michler, M., K. Mattle, H. Weinfurter and A. Zeilinger, “Interferometric Bell-state analysis”,Physical Review Letters,vol. 53, 1996,pp. 1209 – 1212. 339, 352 32. Rabin, M. O., “How to exchange secrets by oblivious transfer”, Technical Memo TR–81, Aiken Computation Laboratory, Harvard University, 1981. 338 33. Schumacher, B.,“Sending quantum entanglement through noisy channels”, Los Alamos preprint archive http://xxx.lanl.gov/ps/quant-ph/9604023, April 1996. 342 34. Wiesner, S., “Conjugate coding”, Sigact News, Vol. 15, no. 1, 1983, pp. 78 – 88; original manuscript written circa 1969. 338, 338 35. Yao, A. C.–C., “Security of quantum protocols against coherent measurements”, Proceedings of 26th Annual ACM Symposium on the Theory of Computing, 1995, pp. 67 – 75. 339, 339, 341, 352

On Concrete Security Treatment of Signatures Derived from Identification Kazuo Ohta and Tatsuaki Okamoto NTT Laboratories Nippon Telegraph and Telephone Corporation 1-1 Hikari-no-oka, Yokosuka, Kanagawa, 239-0847 Japan {ohta,okamoto}@isl.ntt.co.jp

Abstract. Signature schemes that are derived from three move identification schemes such as the Fiat-Shamir, Schnorr and modified ElGamal schemes are a typical class of the most practical signature schemes. The random oracle paradigm [1,2,12] is useful to prove the security of such a class of signature schemes [4,12]. This paper presents a new key technique, “ID reduction”, to show the concrete security result of this class of signature schemes under the random oracle paradigm. First, we apply this technique to the Schnorr and modified ElGamal schemes, and show the “concrete security analysis” of these schemes. We then apply it to the multi-signature schemes.

1 1.1

Introduction Background

To realize a practical and provably secure cryptosystem is one of the most important research topics, and digital signatures are a very important ingredient in cryptography. This paper focuses on practical and provably secure signature schemes. 1.1.1 Standard Security Paradigm versus Random Oracle Paradigm The first formal definition of the security for digital signatures (“existentially unforgeable against adaptively chosen-message attacks”) was given by Goldwasser, Micali and Rivest [7], and a concrete signature scheme satisfying this security definition was shown by assuming the existence of a claw-free pair of functions [7]. Hereafter, this formal definition and model for signatures is called the “standard security paradigm”, and a signature scheme with the standard security paradigm is just called a “provably secure” signature scheme. An ultimate target in the standard security paradigm was to realize a provably secure signature scheme assuming the weakest computational assumption, the existence of a one-way function. This target was finally solved affirmatively by Naor, Yung and Rompel [9,13]. Their solution, however, was geared towards feasibility result and thus very inefficient and far from practical. In addition, even the scheme by [7] is much less efficient than typical practical schemes such H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 354–370, 1998. c Springer-Verlag Berlin Heidelberg 1998

On Concrete Security Treatment of Signatures

355

as the RSA[14] and Schnorr[15] schemes. Therefore, no provably secure scheme as efficient as typical practical schemes has been proposed. To realize provable security and efficiency simultaneously, another paradigm to prove the security of cryptographic schemes has been proposed [1,2,12]. This is called the “random oracle paradigm”, in which an ideally random and imaginary oracle, the “random oracle”, is assumed when proving the security, and the random oracle is replaced by a practical random-like function such as a oneway hash function (e.g., SHA etc.) when realizing it in practice. Here random oracle F generates an answer randomly to a query posed to F at first. If the same query is asked later, F will answer the same value as was provided to the first query. Although the security under the random oracle paradigm cannot be guaranteed formally when using a practical random-like function in place of the random oracle, this paradigm yields much more efficient schemes than the standard security paradigm. The security with the random oracle gives an informal guarantee to the security of practical random-like functions. In addition, the random oracle model not only provides a methodology for constructing an efficient and secure scheme, but also gives some security guarantee for schemes that practitioners intuitively constructed using a random-like functions in actual systems. 1.1.2 Asymptotic Security Analysis versus Concrete Security Analysis The random oracle paradigm has another advantage over the standard security paradigm: it can much more easily provide “concrete security analysis”, which avoids complexity theory and asymptotic property when proving the security (i.e., reducing the breaking of a primitive problem to breaking a signature scheme). Such concrete security analysis provides a much better guarantee than asymptotic security analysis, since the computational complexity currently required to break a signature scheme with a “fixed size” (e.g., 1024 bits) and “fixed key” can be estimated by the assumed lower bound of the complexity of breaking the underlying primitive with the “fixed size” and “fixed key.” Note that asymptotic security gives no useful information on the security of a fixed size and fixed key system. The concrete security analysis of the reduction from breaking a signature scheme to solving a primitive problem is usually trivial and optimal (i.e., optimally efficient). Hence, we have to obtain the concrete security analysis of the opposite direction of the reduction as much as optimal. If the opposite direction is as efficient as the trivial direction, then we can call such a reduction exact. That is, the exact reduction implies that the required time (and success probability) of breaking the signature scheme is exactly equivalent to that of breaking the primitive problem. (In other words, the signature scheme is exactly as secure as the primitive problem.) The (almost) exact security of the RSA signature scheme along with random functions has been shown under the random oracle paradigm [2]. The asymptotic security of the Schnorr and modified ElGamal schemes has been proven under the same paradigm [12].

356

1.2

Kazuo Ohta and Tatsuaki Okamoto

Main Result

This paper shows the concrete security analysis of the Schnorr, modified ElGamal (MEG) and multi-signature schemes under the random oracle paradigm. (The concrete security analysis of the other signature schemes based on the FiatShamir conversion technique can be proven similarly.) In order to show the concrete security analysis of the signature schemes, we have developed a new technique, “ID reduction”, in which the identification scheme corresponding to the signature scheme is used when showing the reduction from breaking the underlying primitive to breaking the signature scheme. There are two stages of reduction. The first stage is from breaking the corresponding identification to breaking the signature scheme, and the second stage is from breaking the underlying primitive to breaking this identification. In order to obtain a tighter (i.e., close to optimal) reduction and its tighter evaluation from breaking the underlying primitive to breaking the signature scheme, our “ID reduction” technique has an advantage over the previous technique, “forking lemma”, by Pointcheval and Stern [12]. This is because the first stage of ID reduction (ID reduction lemma: Lemma 9) is optimal1 in our signature scheme model and the second stage of this reduction (Lemma 13 and Lemma 15) may be more efficient than the reduction in the forking lemma of [12], since to analyze the corresponding identification scheme is easier than to analyze the signature scheme directly. Here, finding a forking pair of signatures in the forking lemma of [12] corresponds to finding two success entries in a heavy row in our approach. Therefore, the ID reduction technique seems to be more appropriate to obtain a tighter reduction than the previous technique. In addition, the asymptotic result of the Fiat-Shamir signature scheme proven in [12] can be trivially obtained just by combining the ID reduction lemma as the first stage reduction and the well-known techniques given by [5] as the second stage reduction.

2

Framework

In this paper, we investigate a specific class of signature schemes that are derived from three move identification schemes, where the identification schemes are perfect zero-knowledge against an honest verifier [6]. This section shows the models and notations of such signature and identification schemes.

2.1

Signature Scheme

In the signature scheme, signer P publishes public key Kp while keeping secret key Ks . In this paper, we will adopt the following model as a signature scheme, which covers the class of the Fiat-Shamir scheme [4],Schnorr scheme [15] and the modified ElGamal scheme [12]: 1

We will show the meaning of “optimal” in the end of Section 3.

On Concrete Security Treatment of Signatures

357

Model 1. (Signature Model) Key generation: Each signer P generates a pair, (Kp , Ks ), of a secret key and a public key using a key generation algorithm G which, on input 1k , where k is the security parameter, produces (Kp , Ks ). Signature generation: P generates the signature of his message m using a public random oracle function F as follows: P generates X from both Ks and random string R, accesses the random oracle function F to get E = F (X, m) ∈ E, calculates Y using Ks , R and E, and sends (X, m, Y ) to V . Verification: a verifier V checks the validity of the signature of the message by the relations of (Kp , X, E, Y ) and E = F (X, m). Remark 1. We assume that this signature scheme is derived from the following identification scheme. 2.2

Identification Scheme

Here we can define an identification scheme that produces the above-mentioned signature scheme. In an identification scheme, prover P publishes a public key while keeping the corresponding secret key, and proves his identity to verifier V . Model 2. (Identification Scheme) Key generation: Prover P generates a pair, (Kp , Ks ), of a secret key and a public key using a key generation algorithm G which, on input 1k , where k is the security parameter, produces (Kp , Ks ). Identification Protocol: P proves his identity, and verifier V checks the validity of P ’s proof as follows: Step Step Step Step

1 2 3 4

P V P V

generates X from both Ks and random string R and sends it to V . generates random challenge E ∈ E and sends it to P . generates an answer Y from (Ks , R, E) and sends it to V checks the validity of the relations of (Kp , X, E, Y ).

Remark 2. We assume that this three move protocol is perfect zero-knowledge against an honest verifier. 2.3

Security

We will adopt the quantifiable notion of exact security proposed in Reference [2]. 2.3.1 Security of Key Searching Problem Definition 3. A probabilistic Turing machine (adversary) A breaks a key search problem with (t, ) if and only if A can find a secret key from a public key with success probability greater than within processing time t. The probability is taken over the coin flips of A. Definition 4. A key searching problem is (t, )-secure if and only if there is no adversary that can break it with (t, ).

358

Kazuo Ohta and Tatsuaki Okamoto

2.3.2

Security of Identification Schemes

Definition 5. A probabilistic Turing machine (adversary) A breaks an identification scheme with (t, ) if and only if A as a prover can cheat honest verifier V with a success probability greater than within processing time t. Here, A doesn’t conduct any active attack2 . Here, the probability is taken over the coin flips of A and V . Definition 6. An identification scheme is (t, )-secure if and only if there is no adversary that can break it with (t, ). 2.3.3 Security of Signature Schemes Next we will quantify the security of a signature scheme: Here we assume that the attacker can dynamically ask the legitimate user P to sign any message, m, using him as a kind of oracle. This model covers the very general attack of the signature situations, adaptive chosen message attack. Definition 7. A probabilistic Turing machine (adversary) A breaks a signature scheme with (t, qsig , qF , ) if and only if A can forge a signature of a message with success probability greater than . We allow chosen-message attacks in which A can see up to qsig legitimate chosen message-signature pairs participating in the signature generating procedure, and allow qF invocations of F , within processing time t. The probability is taken over the coin flips of A, F and signing oracle P . Definition 8. A signature scheme is (t, qsig , qF , )-secure if and only if there is no adversary that can break it with (t, qsig , qF , ).

3

ID Reduction Lemma

The general techniques by which we can derive signature schemes from three move interactive protocols were proposed in [4] and hash functions are used in order to create a kind of virtual verifier, which gives the conversion from an identification scheme to a signature scheme. To analyze the security of such a class of signature schemes, we will examine the opposite direction of conversion for adversaries in Lemma 9 in order to prove the security of signature schemes as the first stage of ID Reduction Technique. Here note a signature scheme and an identification scheme in this section mean those defined in the previous section. We assume the uniform coin flips 1 over E (i.e., Pr[E occurs] = #E ) are provided. Lemma 9. (ID Reduction Lemma) −

1

(i.e., 0 ≥ #Esig , where 0 = qF#E ). Let ≥ F sig #E 1) If A1 breaks a signature with (t, qsig , qF , ), there exists A2 which breaks the q (q

2

+4)+1

4+q

As the result of Lemma 9 3), it is enough to cover this case only for discussion of the security of identification schemes, where the honest verifier is assumed.

On Concrete Security Treatment of Signatures −

359

1

signature with (t, qsig , 1, 0 ), where 0 = qF#E . 2) If A2 breaks a signature with (t, qsig , 1, 0 ), there exists A3 which breaks the sigqsig nature with (t0 , 0, 1, 00), where 00 = 0 − #E and t0 = t + (the simulation time of qsig signatures). 3) If A3 breaks a signature with (t0 , 0, 1, 00 ), there exists A4 which breaks the corresponding identification scheme with (t0 , 00 )3 . Here we assume that the values of qF and qsig can be employed by these reductions4 . We neglect the time of reading/writing data on (random, communication, etc.) tapes, simple counting, and if-then-else controls. (Hereafter in this paper, we assume them.) Sketch of Proof: 1) Let Qi be the i-th query from A1 to the random oracle F and ρi be the i-th answer from F to A1 . Construct a machine B using A1 as follows: Step 1 Select an integer i satisfying 1 ≤ i ≤ qF randomly. Step 2 Run A1 with a random oracle F and get (X, m, E, Y ). Step 3 If (X, m) = Qi and E = ρi , then output (X, m, E, Y ). Otherwise output (Qi , ρi , ri ) where ri is a random element of the range of Y . If A1 succeeds in forging a signature (X, m, E, Y ), there are two cases: 1) (X, m) was not asked to the random oracle F , and 2) (X, m) was asked as the i-th query to the random oracle F (1 ≤ i ≤ qF ). In the former case, the success probability of A1 is at most 1/#E, because of the randomness of the random oracle. Thus Pr[B succeeds] qF X ≥ Pr[i is selected] Pr[A1 succeeds ∧ (X, m) = Qi ] i=1 qF X 1 Pr[A1 succeeds ∧ (X, m) = Qi ] = q i=1 F

=

qF 1 X Pr[A1 succeeds ∧ (X, m) = Qi ] qF i=1

1 (Pr[A1 succeeds] − Pr[A1 succeeds ∧ (X, m) is not a query to F ]) qF 1 1 ), ( − ≥ qF #E =

because Pr[A1 succeeds] ≥ . e using A1 as follows: Construct a machine B 3

4

4 From the condition of , 00 ≥ #E holds. It makes the heavy row technique available in Lemma 13 and Lemma 15, since there are at least two ‘1’ in a heavy row of a Boolean matrix H defined in Section 4.2.2. For simplicity, we also assume that these values don’t depend on the adversary’s coin flips but only on the length of its input.

360

Kazuo Ohta and Tatsuaki Okamoto

Step 1 Select an integer i satisfying 1 ≤ i ≤ qF randomly. Step 2 Run A1 with a random oracle F and a random working tape Θ, and get (X, m, E, Y ), where only the i-th query is asked to F and the remaining (qF − 1) queries are asked to Θ. Here Θ contains of (qF − 1) random blocks used as answers from Θ. Step 3 If (X, m) = Qi and E = ρi , then output (X, m, E, Y ). Otherwise output (Qi , ρi , ri ) where ri is a random element of the range of Y . A1 cannot distinguish (qF −1) random blocks of Θ from (qF −1) answers from F , e succeeds] holds. because of the randomness of F . Thus Pr[B succeeds] = Pr[B Therefore, 1 − #E e succeeds] ≥ . Pr[B qF e Put A2 = B. 2) Construct a machine A3 using A2 as follows: Step 1 For j = 1 to qsig do. Step 1-1 Run A2 with simulated (Xi , mi , Ei , Yi ) (1 ≤ i ≤ j − 1), and get a message mj chosen by A2 whose signature is requested to the signer. Step 1-2 Simulate (Xj , mj , Ej , Yj ) by the standard perfect ZKIP simulation technique of the corresponding identification scheme with an honest verifier. If there exists an integer i(< j) satisfying Xj = Xi , discard Xj and repeat this step. Step 2 Run A2 with a random oracle F and simulated (Xi , mi , Ei , Yi ) (1 ≤ i ≤ qsig ), and get (X, m, E, Y ). Step 3 Output (X, m, E, Y ). If A2 does not ask (Xi , mi ) (1 ≤ i ≤ qsig ) to F , then A2 cannot distinguish the simulated message-signature pairs from legitimate pairs because of the perfect indistinguishability described in Section 2 and the the randomness of F ’s output. The success probability of A3 is given as follows: 00 = Pr[A3 succeeds] = Pr[A2 succeeds ∧ (Xj , mj )6=(the query from A2 to F ) for 1 ≤ ∀j ≤ qsig ] = Pr[A2 succeeds] − Pr[∃i such that 1 ≤ i ≤ qsig ∧ (Xi , mi )=(the query from A2 to F )] qsig , ≥ 0 − #E while t0 = t + (the simulation time of qsig signatures in Step 1-2). 3) Let Q be a query from A3 to the random oracle F and ρ be an answer from F to A3 . Construct a machine A4 using A3 interacting with an honest verifier V as follows:

On Concrete Security Treatment of Signatures

361

Step 1 Run A3 and get a query Q = (X, m) which is sent to the random oracle F. Step 2 Send Q to V and get a challenge E from V . Step 3 Run A3 with an input ρ = E and get (X, m, E, Y ). Step 4 Output Y to V . Note that a valid signature (X, m, E, Y ) satisfies a relation of (Kp , X, E, Y ) and E = F (X, m). When a verifier V checks the validity of this relation, V accepts A4 ’s proof with (t0 , 00 ). 2 Remark 10. When ignoring the minor terms (the simulation time and 0 − 00 ), the first stage of ID reduction for the signature schemes in this paper is optimal in the following sense: For any strategy of A1 , 0 =

1 − #E qF

. On the other hand, let

f1 succeeds ∧ (X, m) = Qi ] = f1 , where Pr[A assume a specific A

1 − #E qF

. Then, for −

1

any strategy of the first stage reduction (signature to identification), 0 = qF#E . f1 , we cannot obtain Since we cannot neglect the existence of such a specific A −

1

the first stage reduction whose value of 0 is better than qF#E . Note that this does not mean the “exact” security, since 0 ≈ in the “exact” security, while 0 ≈ qF in our “optimal” reduction. In addition, note that this observation depends on the signature scheme model shown in Section 2.

4

Schnorr Signature Scheme

We discuss here the Schnorr scheme [15] as an example, though similar results can be obtained for the Fiat-Shamir scheme [4,5] etc. The schemes can also be implemented using an elliptic curve [8]. 4.1

Scheme

Key generation: A trusted center publishes two large primes, p and q, such that q | (p − 1), and element g ∈ (Z/pZ)∗ of order q. A signer P chooses a secret key s ∈ Z/qZ and publishes the public key I, where I = g s mod p. Signature generation: A signer P generates the signature of his message m using a public hash function h, and a verifier V checks the validity of signature of the message as follows: P generates a random integer r ∈ Z/qZ, calculates X = g r mod p, e = F (X, m) ∈ Z/qZ and y = r + es mod q, and sends (X, m, y) to V . Verification: V checks the validity of a signature of the message by the following ?

equations: g y ≡ XI e 4.2

?

(mod p) and e = F (X, m).

Security

The following identification scheme is reduced to the Schnorr signature scheme in Section 4.1, and it will be analyzed adopting the scenario given in Section 3.

362

Kazuo Ohta and Tatsuaki Okamoto

4.2.1 Identification Scheme Key generation: A trusted center publishes two large primes p and q such that q | (p − 1), and element g ∈ (Z/pZ)∗ of order q. A prover P chooses a secret key s ∈ Z/qZ and publishes the public keys I, where I = g s mod p. Identification Protocol: P proves his identity and a verifier V checks the validity of P ’s proof as follows: Step 1 P generates a random integer r ∈ Z/qZ, calculates X = g r mod p, and sends X to verifier V . Step 2 V generates a random integer e ∈ Z/qZ and sends it to P . Step 3 P calculates y = r + es mod q and sends it to P . ?

Step 4 V checks the following equation: g y ≡ XI e

(mod p).

4.2.2 Heavy Row Lemma A Boolean matrix and heavy row will be introduced in order to analyze the security of one-round identification schemes. Assume that there is a cheater A who can break a one-round identification scheme with (t, ), where ≥ 4q . Definition 10. (Boolean Matrix of (A, V )) Let’s consider the possible outcomes of the execution of (A, V ) as a Boolean matrix H(RA, e) whose rows correspond to all possible choices of RA, where RA is a private random tape of A; its columns correspond to all possible choices of e, which means e ∈ RV . Its entries are 0 if V rejects A’s proof, and 1 if V accepts A’s proof. Note that RV = (Z/qZ) in Schnorr’s case. Definition 11. (Heavy Row) A row of matrix of H is heavy if the fraction of 1’s along the row is at least /2, where is the success probability of A. Lemma 12. (Heavy Row Lemma) The 1’s in H are located in heavy rows of H with a probability of at least 12 . 4.2.3

Security of Identification Scheme

Lemma 13. (Security of Schnorr Identification Scheme) Let ≥ 4q . Suppose that the key searching problem of (p, g, I), that is, calculation of s from I satisfying I = g s mod p, is (t∗ , ∗ )-secure. Then the Schnorr identification scheme with parameter (p, g, I) is (t, )-secure, where 2 1 3(t + Φ1 ) 1 9 ∗ ∗ + Φ3 and = 1− . t = > 2 e 50 Here Φ1 is the verification time of the identification protocol, Φ3 is the calculation time of s in the final stage of the reduction, and e is the base of the natural logarithm.

On Concrete Security Treatment of Signatures

363

Sketch of Proof: Assume that there is a cheater A who can break an identification with (t, ). We will construct a machine A∗ which breaks the key searching problem of (p, g, I) with (t∗ , ∗ ) using A. We will discuss the following probing strategy of H to find two 1’s along the same row in H [5]: Step 1 Probe random entries in H to find an entry a(0) with 1. We denote the row where a(0) is located in H by H (0) . Step 2 After a(0) is found, probe random entries along H (0) to find another entry with 1. We denote it by a(1) . It is proven that this strategy succeeds with constant probability in just O(1/) probes, using Lemma 12 concerning a useful concept, heavy row, defined in Definition 11. Let p1 be the success probability of step 1 with 1 repetition. p1 ≥ 1 − (1 − 1/ = p01 > 1 − 1e > 35 , because the fraction of 1’s in H is . Let p2 be the ) success probability of step 2 with 2 repetition. p2 ≥ 12 × 1 − (1 − 2 )2/ = 3 , because the probability that H (0) is heavy is at least 12 p02 > 12 (1 − 1e ) > 10 by Lemma 12 and the fraction of 1’s along a heavy row is at least 2 . Therefore 9 and t∗ = t × ( 1 + 2 ) = 3t ∗ = p1 × p2 ≥ p01 × p02 > 12 (1 − 1e )2 > 50 . d(i)

(i)

a(i) represents (X (i) , e(i) , y (i) ). g y ≡ X (i) I (mod p) (i = 0, 1) holds, since a(i) is an entry with 1. Two 1’s, a(0) and a(1) , in the same row H (0) means X (1) = X (0) . Since there are two unknown variables, r(0) and s, and two (0) (1) equations are obtained, a secret key s can be calculated by s = ye(0) −y mod q −e(1) in Schnorr’s scheme, since q is prime and 0 < e(0) − e(1) < q. 2

4.2.4 Security of Signature Scheme The following theorem is proven by combining Lemma 9 and Lemma 13. Theorem 14. (Security of Schnorr Signature Scheme) − 1

Let 0 ≥ qsig , where 0 = qFq . Suppose that key searching problem of (p, g, I) is (t∗ , ∗ )-secure. Then the Schnorr signature scheme with parameter (p, g, I) is (t, qsig , qF , )-secure, where 4+q

3t0 t = 00 + Φ3 ∗

and

1 = 2 ∗

2 1 9 1− . > e 50

Here t0 = t + Φ1 + Φ2

and

00 =

− qF

1 q

−

qsig , q

where Φ1 is the verification time of the identification protocol, Φ2 is the simulation time of qsig signatures, Φ3 is the calculation time of s in the final stage of the reduction, and q is the order of g ∈ (Z/pZ)∗ .

364

4.3

Kazuo Ohta and Tatsuaki Okamoto

Discussion on the Efficiency of Our Reduction

We have proven that if the key searching problem is (t∗ , ∗ )-secure, then the Schnorr signature scheme is (t, qsig , qF , )-secure. On the other hand, if the key searching problem is breakable with (t, ), then the signature scheme is breakable with (t, 0, 1, ) by the trivial reduction. If our reduction is “exact (optimally efficient),” (t∗ , ∗ ) should be the same quantity as (t, ) for any values of qsig and qF . Here note that is does not always imply t = t∗ and = ∗ , since (t, ) and (t∗ , ∗ ) are considered to have the same quantity when t∗ = βt and ∗ = 1 − (1 − )β . Here we will estimate the degree of “exactness” of our reduction (i.e., how much close is the above mentioned reduction to the exact case) by comparing the quantities of (t∗ , ∗ ) and (t, ). For the purpose, we normalize (t, ) into (t+ , + ) with + = ∗ . Let β = α be the number of repetition of (t, )-breakable algorithm, in order to attain the same success probability as ∗ . Since ∗ = 12 (1 − 1e )2 > 9/50, α α ≈ 0.223 holds because of the requirement of 1 − (1 − ) = ∗ > 9/50. ∗ + Therefore, t+ = αt gives the degree (α ≈ 0.223) and the ratio of t and t of exactness of our reduction. If we assume that t ≈ t0 and 0 ≈ qF , since qsig is small and q is large, then its ratio is 3qαF ≈ 13.5qF . Thus, our reduction is still efficient, though it is not exact. Here note that qF can not be eliminated from this ratio because of the optimality of the ID reduction lemma.

5

Modified ElGamal Signature Scheme

We will discuss the modified ElGamal (MEG) signature scheme [12] in this section.

5.1

Scheme

Key generation: the same as the Schnorr scheme. Signature generation: A signer P generates the signature of his message m using a public hash function h as follows: P generates a random integer r ∈ (Z/qZ)∗ , calculates X = g r mod p, e = F (X, m) ∈ Z/qZ and y = e−sX mod q, r and sends (X, m, y) to V . Verification: a verifier V checks the validity of the signature of the message by ?

?

the following equations: g e ≡ X y I X (mod p) and e = F (X, m). Note: In the original ElGamal scheme, the order of g ∈ (Z/pZ)∗ is p − 1. Although we can prove the security of the MEG with ord(g) = p − 1 in a manner similar to that with ord(g) = q, here for simplicity of description we assume ord(g) = q.

On Concrete Security Treatment of Signatures

5.2

365

Security

5.2.1 Identification Scheme The following identification scheme is reduced to the MEG signature scheme in Section 5.1, and it will be analyzed adopting the scenario given in Section 3. Key generation: the same as the Schnorr scheme. Identification Protocol: P proves his identity and verifier V checks the validity of P ’s proof as follows: Step 1 P generates a random integer r ∈ (Z/qZ)∗ , calculates X = g r mod p, and sends X to verifier V . Step 2 V generates a random integer e ∈ Z/qZ and sends it to P . Step 3 P calculates y = e−sX mod q, and sends it to P . r ?

Step 4 V checks the following equation: g e ≡ X y I X 5.2.2

(mod p).

Security of Identification Scheme

Lemma 15. (Security of ElGamal Identification Scheme) Let ≥ 4q . Suppose that the key searching problem of (p, g, I) is (t∗ , ∗ )-secure. Then the ElGamal identification scheme with parameter (p, ge, I)5 is (t, )-secure, where t∗ =

√ 3(t + Φ1 ) + Φ3 R

and

∗ =

1 1 (1 − )2 2 e

√R

>

9 50

√R .

Here Φ1 is the verification time of the identification protocol, Φ3 is the calculation time of r and s (or e g) at Step 3 and Step 4, R = p−1 and q is the order of q ∗ g ∈ (Z/pZ) . Sketch of Proof: Assume that cheater A breaks the ElGamal identification with (t, ) for (p, I) and all ge ∈< g >. We will construct a machine A∗ that breaks the key searching problem of (p, g, I) with (t∗ , ∗ ) using A. We will discuss the following probing strategy of H to find two 1’s along the same row in H [5] for the identification scheme with parameter (p, g, I): Step 1 Probe random entries in H to find an entry a(0) with 1. We denote the row where a(0) is located in H by H (0) . Step 2 After a(0) is found, probe random entries along H (0) to find another entry a(1) with 1. Step 3 Calculate the value of r as follows, r= 5

e(0) − e(1) mod q y (0) − y (1)

eg is an appropriate element in the subgroup, < g >, generated by g.

366

Kazuo Ohta and Tatsuaki Okamoto

where a(i) represents (X (i) , e(i) , y (i) ) and X = X (0) = X (1) (i = 0, 1) holds. Note that r is coprime to q. In Case 1 with gcd(X, q) = 1, calculate a secret value of s as follows, output it and halt:

s=

e(0) − ry (0) mod q. X

In Case 2 with gcd(X, q) 6= 1, obtain b satisfying X = bq(= g r mod p), where 0 < b < p−1 q = R, and go to Step 4. Step 4 (For Case 2 only) Run A with input e g = Ig l mod p applying Step 1 to Step 3, where l ∈ Z/qZ is randomly selected. There are two cases, Case 1 and Case 2. e q) = 1, calculate s by the same way as Step3. In Case 1 with gcd(X, e q) 6= 1, obtain eb as well as re satisfying ebq = In Case 2 with gcd(X, g re mod p by the same way in Step 3. e If eb = b holds, calculate a secret value of s as follows, output it and halt: s=

r − le r mod q. re

Otherwise, repeat Step 4 with another input. The worst case for finding two values of b that collide is that these R − 1 1 events occur with equal probability R−1 within Case 2. Let p1 be the success probability of step 1 with 1 repetition, and p2 be the success probability of step 2 with 2 repetition. Let p3−1 be the success probability of Case 1 in step 3, and √ p3−1 = 0 in the worst case. Let p4 be the success probability of step 4 with R repetition. Then p4 ≈ 1 because of the birthday paradox of finding b = b0 satisfying 0 < b, b0 < R. Therefore √

∗ = (p1 × p2 )

R

p4 ≥

1 1 (1 − )2 2 e

√R

and t∗ =

√ √ 1 2 3(t + Φ1 ) + Φ3 (t + Φ1 ) × ( + ) + Φ3 R= R. 2

On Concrete Security Treatment of Signatures

367

5.2.3 Security of Signature Scheme The following theorem is proven by combining Lemma 9 and Lemma 15. Theorem 16. (Security of ElGamal Signature Scheme) − 1

sig Let 0 ≥ , where 0 = qFq . Suppose that the key searching problem of q (p, g, I) is (t∗ , ∗ )-secure. Then the ElGamal signature scheme with parameter (p, ge, I) is (t, qsig , qF , )-secure, where

4+q

∗

t =

√ 3(t + Φ1 + Φ2 ) + Φ R 3 00

and

∗

=

1 1 (1 − )2 2 e

√R

>

9 50

√R .

Here Φ1 is the verification time of the identification protocol, Φ2 is the simulation time of qsig signatures, and Φ3 is the calculation time of r and s (or e g) at Step 3 and Step 4. 00 =

− 1q qF

−

qsig q ,

where q is the order of g ∈ (Z/pZ)∗ .

Remark 17. The simulation time of qsig signatures can be obtained in a manner similar to that in Lemma 8 in Reference [12]. 5.3

More Efficient Reduction of MEG

Clearly the reduction for the MEG signature scheme is much less efficient than that of the Schnorr scheme, and the reduction does not preserve the parameter, (p, g, I). If we modify the MEG scheme as follows, the reduction can be almost as efficient as that of the Schnorr scheme and can preserve the parameter. The modified version of the MEG scheme is the same as the MEG scheme except: Verifier V checks whether gcd(X, q) = 1, and if it does not hold, V rejects the signature, (m, X, y). Note that when a valid signer generates (m, X, y), the probability that gcd(X, q) 6= 1 is 1/q (negligible probability).

6

Multi-Signature Schemes

Multi-signature schemes are signature schemes in which plural signers (e.g., L signers) jointly generate a signature (multi-signature) of a message under the condition that the length of the multi-signature is less than the total length of ordinary (single) signatures by plural signers (e.g., L × |s|, where |s| is the ordinary signature length). We can apply our ID reduction technique to the “one-round type” of multisignature schemes6 . This section briefly introduces our results regarding multisignature schemes. Due to the space limitation, we omit a detailed description of the results [11]. 6

The “two-round type” of multi-signature schemes have been proposed [10]. Our technique can also be applied to these schemes easily.

368

6.1

Kazuo Ohta and Tatsuaki Okamoto

The Proposed Multi-Signature Schemes

We propose provably secure multi-signature schemes against the most general attack, adaptively chosen message insider attacks [7] with the random oracle model. The proposed schemes are as follows7 : Key generation: A trusted center publishes two large primes p and q such that q | (p − 1), and element g ∈ (Z/pZ)∗ of order q. Each signer Pi chooses a secret key si ∈ Z/qZ and publishes the public key Ii , where Ii = g si mod p (1 ≤ i ≤ L) and L is the number of signers. Multi-Signature: Each signer Pi generates the signature of his message m using two public hash functions Fi and Hi as follows (1 ≤ i ≤ L): Step 1 For i = 1 to L do, where y0 = 0 and V = PL+1 : Pi generates a random integer ri ∈ Z/qZ, calculates Xi = g ri mod p, ei = Fi (X1 , . . . , Xi , m) ∈ Z/qZ, di = Hi (X1 , . . . , Xi , m) ∈ Z/qZ and yi = yi−1 + di ri + ei si mod q, and sends (X1 , . . . , Xi , m, yi ) to Pi+1 . ?

Step 2 V checks the following equations: g yL ≡ X1d1 · · ·XLdL I1e1 · · ·ILeL ?

(mod p),

?

and ei = Fi (X1 , . . . , Xi , m), di = Hi (X1 , . . . , Xi , m) (1 ≤ i ≤ L) . Remark 1. 1) We call the scheme where di = 1 Type I, the scheme where ei = 1 Type II, and the scheme where there is no restriction on di , ei Type III. 2) The schemes can also be implemented using an elliptic curve [8]. 3) It is possible for each Pi to check the validity of (I1 , . . . , Ii−1 , X1 , . . . , Xi−1 , m, E1 , . . . , Ei−1 , Yi−1 ) before generating his signature. 6.2

Security of the Schemes

The main results are as follows: Theorem 17. (Security of the Proposed Multi-Signature Scheme (Type II)) 2(L+1) +q

H

−1

sig q Let 0 ≥ . Here 0 = HL , where H0 = , and Hi = i−1 (1 ≤ i ≤ q qHi L). Suppose that the calculation of s from I1 , . . . , IL satisfying I1 × · · · × IL = g s mod p is (tII (L), II (L))-secure. Then the proposed multi-signature scheme with the same parameter is (t, qsig , qH1 , qH2 , )-secure, where

tII (L) =

II (L) = 7

t0 (2L+1) 2 + 1 + Φ3 , 00 3

2L (2L −1) 2L (2L −1) 1 3 1 1 1− > . 2 e 2 5

For simplicity of explanation, in this paper we use the multiplicative group (Z /pZ )∗ to present our schemes and the security proofs. Only the implementations over elliptic curves [8], however, are feasible in light of the multi-signature size. Note that the security of the elliptic curve versions can be proven in the same manner as those of the multiplicative group versions.

On Concrete Security Treatment of Signatures

369

Here t0 = t + Φ1 + Φ2 and 00 = HL − sig q . Φ1 is the verification time of the identification protocol, Φ2 is the simulation time of qsig signatures, Φ3 is the calculation time of s in the final stage of the reduction, and q is the order of g ∈ (Z/pZ)∗ . q

Theorem 18. (Security of the Proposed Multi-Signature (Type III)) 2(L+2) +qsig . Here q Fi − 1q Hi = qH (1 ≤ i ≤ L). i satisfying Ii = g si mod p is

Let 0 ≥

0 = HL , where H0 = , Fi =

Hi−1 − 1q qFi

, and

Suppose that the calculation of si from I1 , . . . , IL

(tIII (L), III (L))-secure. Then the proposed multisignature scheme with the same parameter is (t, qsig , qF1 , qH1 , . . . , qFL , qHL , )secure, where tIII (L) =

t0 (2L+1) (L+1) (L+1) 2 + 3L × 2 − 3 × 2 + 1 + Φ3 , 300

III

II

(L) = (L)

(L−1) (2L +L−2) (2L +L−1) 1 3 1 1 (1 − ) > . 2 e 2 5

Here t0 = t + Φ1 + Φ2 and 00 = HL − sig q . Φ1 is the verification time of the identification protocol, Φ2 is the simulation time of qsig signatures, Φ3 is the calculation time of s in the final stage of the reduction, and q is the order of g ∈ (Z/pZ)∗ . q

Remark 2. The multi-signature scheme of Type I is forgeable by a true signer, for example, signer L can make a multi-signature of arbitrary message m without coalition of other (L − 1) signers.

7

Conclusion

This paper presented a new key technique, “ID reduction”, to show the concrete security result of a class of practical signature schemes under the random oracle paradigm. We applied this technique to the Schnorr and modified ElGamal schemes, and showed the “concrete security” of these schemes. We also applied it to the multi-signature schemes. This technique should be useful in proving the concrete security of various types of signatures such as blind signatures, group signatures and undeniable signatures.

Acknowledgments We would like to thank Adi Shamir for his talks at NTT in1988, which inspired us to create the reduction technique introduced in this paper. We would also like to greatly thank Moti Yung for his invaluable support in revising our manuscript. We wish to thank anonymous reviewers for useful comments.

370

Kazuo Ohta and Tatsuaki Okamoto

References 1. M. Bellare and P. Rogaway, “Random Oracles are Practical: A Paradigm for Designing Efficient Protocols,” Proc. of the First ACM Conference on Computer and Communications Security, pp.62–73. 354, 355 2. M. Bellare and P. Rogaway, “The Exact Security of Digital Signatures –How to Sign with RSA and Rabin,” Advances in Cryptology –EUROCRYPT’96, SpringerVerlag, pp.399–416. 354, 355, 355, 357 3. T. ElGamal, “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” IEEE Transactions on Information Theory, IT-31, 4, pp.469– 472, 1985. 4. A. Fiat and A. Shamir, “How to Prove Yourself,” Advances in Cryptology – CRYPTO’86, Springer-Verlag, pp.186–194. 354, 356, 358, 361 5. U. Feige, A. Fiat and A. Shamir, “Zero-Knowledge Proofs of Identity,” J. of Cryptology, 1, p.77–94. 356, 361, 363, 365 6. S. Goldwasser, S. Micali and C. Rackoff, “The Knowledge Complexity of Interactive Proof Systems,” SIAM J. on Computing, 18, pp.186-208, 1989. 356 7. S. Goldwasser, S. Micali and R. Rivest, “A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks,” SIAM J. on Computing, 17, pp.281– 308, 1988. 354, 354, 354, 368 8. N. Koblitz, “Elliptic Curve Cryptosystems,” Mathematics of Computation, 48, pp.203–209, 1987. 361, 368, 368 9. M. Naor and M. Yung, “Universal One-Way Hash Functions and Their Cryptographic Applications,” Proc. of STOC, pp.33–43, 1989. 354 10. K. Ohta and T. Okamoto, “A Digital Multisignature Scheme Based on the FiatShamir Scheme,” Advances in Cryptology –ASIACRYPT’91, Springer-Verlag, pp. 139–148. 367 11. K. Ohta and T. Okamoto, “The Exact Security of Multi-Signature Schemes,” Technical Report of IEICE, ISEC97-27 (July, 1997), pp.41-52. 367 12. D. Pointcheval and J. Stern, “Security Proofs for Signature Schemes,” Advances in Cryptology –EUROCRYPT’96, Springer-Verlag, pp.387–398. 354, 354, 355, 355, 356, 356, 356, 356, 356, 364, 367 13. J. Rompel, “One-Way Functions are Necessary and Sufficient for Secure Signature,” Proc. of STOC, pp.387–394, 1990. 354 14. R. Rivest, A. Shamir and L. Adleman, “A Method for Obtaining Digital Signatures and Public Key Cryptosystems,” Communications of ACM, 21, 2, pp.120-126, 1978. 355 15. C.P. Schnorr, “Efficient Identification and Signatures for Smart Card,” Advances in Cryptology –EUROCRYPT’89, Springer-Verlag, pp.235–251. 355, 356, 361

Building PRFs from PRPs? Chris Hall1 , David Wagner2 , John Kelsey1 , and Bruce Schneier1 1

Counterpane Systems {hall,kelsey,schneier}@counterpane.com 2 U.C. Berkeley [email protected]

Abstract. We evaluate constructions for building pseudo-random functions (PRFs) from pseudo-random permutations (PRPs). We present two constructions: a slower construction which preserves the security of the PRP and a faster construction which has less security. One application of our construction is to build a wider block cipher given a block cipher as a building tool. We do not require any additional constructions—e.g. pseudo-random generators—to create the wider block cipher. The security of the resulting cipher will be as strong as the original block cipher. Keywords: pseudo-random permutations, pseudo-random functions, concrete security, block ciphers, cipher feedback mode.

1

Introduction and Background

In this paper we examine building psuedo-random functions from pseudo-random permutations. There are several well known constructions for building pseudorandom permutations from pseudo-random functions, notably [LR88]. However, the only results we are aware of for going in the reverse directions are the recent results of Bellare et. al. in [BKR98]1 . One primary justification for building pseudo-random functions is that it allows one to use the results of Bellare et. al. [BDJR97] to produce an n-bit cipher that can be used to encrypt more than 2n/2 blocks. Due to birthday attacks, nbit permutations will leak information about the plaintext after 2n/2 blocks. By closing the loop between pseudo-random functions and permutations, we can also accomplish a number of things: widening the block width of a cipher, creating a provably secure 1-bit cipher feedback mode, and building encryption functions secure for more than 2n/2 blocks. Given the plethora of existing practical block ciphers, it would be nice to be able to create pseudo-random functions from them directly without having to resort to building new primitives from scratch. Our work extends previous work on pseudo-random functions (PRFs) and permutations (PRPs). PRFs and PRPs were initially defined in [GGM86] as functions (resp. permutations) which a polynomially-bounded attacker cannot ? 1

The full paper is available at http://www.counterpane.com/publish-1998.html. We were unaware of these results when we originally wrote our paper, but they were instead pointed out to us by an anonymous referee.

H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 370–390, 1998. c Springer-Verlag Berlin Heidelberg 1998

Building PRFs from PRPs

371

to distinguish from truly random functions (resp. permutations) with more than neglible probability. A more recent paper by Bellare et al. [BDJR97] evaluates four different notions of security and applies those notions to the definitions of PRFs and PRPs. In addition, M. Luby has written a book on pseudorandomness which provides an excellent summary of the theoretical constructions leading up to PRFs [Lub96]. Some authors have made a distinction between PRPs and super PRPs. With a super PRP, an adversary is allowed to query for inverse evaluations of the permutation [LR88]. For our applications, we require the “super” variety of PRP. Therefore, for the remainder of this paper we shall consider only super PRPs; we usually omit the “super” prefix for conciseness. Extensive research has been conducted on building PRPs from PRFs. Many of the constructions are based on Luby and Rackoff’s original work [LR88]. Let F (l, r) = Ψ m (f1 , . . . , fm )(l, r) denote an m-round Feistel network where fi ∈ IFn:n . Then F (l, r) ∈ IP2n where Ψ i (f1 , . . . , fi ) is defined by Ψ (f )(l, r) = (r, l ⊕ f (r)) k

Ψ (f1 , . . . , fk ) = Ψ (fk ) ◦ Ψ (fk−1 ) ◦ · · · ◦ Ψ (f1 )(l, r). Luby and Rackoff [LR88] showed that an adversary has advantage at most m(m − 1)/2n if they make m < Q(n) queries for some polynomial Q(x). Recall that the advantage is computed as Adv A = |P [Ap = 1] − P [Af = 1]| where A is an adversary who returns 1 if they believe they are looking at a 2n-bit permutation from the Ψ 3 (f1 , f2 , f3 ) family and 0 otherwise. Then P [Ap = 1] denotes the probability that an attacker returns 1 when given p ∈ {Ψ 3 (f1 , f2 , f3 ) : fi ∈ Fn:n } and P [Af = 1] denotes the probability that an attacker returns 1 when given f ∈ P2n . The result was generalized for m < 2n/2 [AV96,M92,P91b,P92] to Adv A = O(m2 /2n ). Many different researchers have investigated variations of this construction [AV96,C97,Luc96,M92,P91b] [P92,P97,SP91,SP92,ZMI89a,ZMI89b] and even proposed different constructions [M92,P97]. The exact nature of these constructions is beyond the scope of this document; they investigate building PRPs from PRFs, and we are interested in going the other direction. In addition to designing PRPs from PRFs, some researchers have studied designing PRFs from smaller PRFs. Aiello and Venkatesan built a 2n-bit to 2nbit function from eight n-bit to n-bit functions using a Benes transform [AV96]. They achieved the notable bound that Adv A = |P [AB = 1] − P [Af = 1]| = O(m/2n ) after m queries, where AB is the result of executing the adversary A with the oracle instantiated by a function B from the Benes family, and Af is the result of running the adversary with a random 2n-bit function.

372

Chris Hall et al.

Aside from building wider functions, some researchers have examined building variable-length input PRFs (VI-PRFs). In [BCK96], Bellare et al. formalize the notation of VI-PRFs and analyze the security of several constructions. Their functions are constructed using simpler primitives: fixed-length input PRFs (FIPRFs) which were first defined in [BKR94] in order to model the Data Encryption Algorithm (DES). One important feature of these papers is that they focus on concrete security analysis, which attempts to provide precise estimates of security, rather than being satisfied with asymptotic results. Bellare et al. initiated this study in [BKR94,BGR95]. When it comes to building PRFs from PRPs, though several different people have noted that a PRP can be used as a PRF with advantage O(m2 /2n ) for m < 2n/2 (e.g. [AV96]), there has been a notable lack of research in this area. One recent exception is the excellent paper of Bellare et. al. [BKR98], which uses the notion of data-dependent keying to build a PRF from a PRP. Their results present strong evidence for the security of their PRP→PRF construction, and they take some initial steps towards a more complete analysis of its strength against computationally-bounded adversaries. One of the most appealing features of their construction is its practicality: the construction is very simple, and performance is degraded by only a factor of two (or less, when in stream cipher modes). It should be possible to use their re-keying construction in the applications found in Section 3, as a drop-in replacement for our PRP→PRF construction. This would provide corresponding improvements in performance; the tradeoff is that the available security results are weaker for the re-keying construction. One interesting motivation for building PRFs from PRPs is that we could build larger PRPs from smaller PRPs by first constructing PRFs from the PRPs, using the results of [AV96] to strengthen the function, and finally using one of the many results available for building PRPs from PRFs. This is in fact the approach we take in our paper, and it provides the first useful technique (which we are aware of) for securely increasing the block width of a trusted block cipher. The format of the rest of our paper is as follows. In Section 2 we introduce our two constructions for producing PRFs from PRPs: ORDER(P )j:k and i TRUNCATE(P )n−m . In Section 3 we apply our constructions to a few different n problems and give descriptions of our solutions. Finally, in Section 4 we analyze the security of the constructions presented in Section 2. 1.1

Notation

In this section we introduce some of the notation we will use through the rest of the paper: Rn Zn2 , the set of all n-bit blocks. IPn The symmetric group on 2n elements (specifically, the set of all permutations on Rn ). IFn:m The set of all functions with the signature Rn → Rm .

Building PRFs from PRPs

373

p(a, b) Denotes the evaluation of a permutation p with the bit concatentation of a and b. (t, q, e)-secure Captures the notion of a cryptographic primitive which is secure, in the sense that any adversary who uses at most t units of offline work and issues at most q chosen-plaintext/ciphertext queries can only get advantage at most e for distinguishing the primitive from a random function (or permutation). This roughly means that an attacker must either do t work or implement q chosen-text queries to have any chance of breaking the primitive; however, even then the attacker is not guaranteed a practically-useful attack. Therefore, this is a very strong measure of security, in the sense that if a primitive is proven strong under this model, it is likely to be very strong indeed.

2

The Constructions

We introduce two constructions: ORDER(P )j:k and TRUNCATE(P )n−m . The former n i uses a permutation p ∈ IPi to produce a function f ∈ IFj:k . The latter uses a permutation p ∈ IPn to produce a function f ∈ IFn:n−m . In this section we give a brief description of each of these constructions along with their security, but leave the analysis of their security until Section 4. 2.1

ORDER(P )n:1 n+1

Our first construction, ORDER(P )n:1 n+1 uses the order of entries in a table representing a n+1-bit permutation to encode a function fp ∈ IFn:1 . More specifically, if p ∈ IPn+1 then we assign a function fp ∈ IFn:1 where 0 if p(0, x) < p(1, x) fp (x) = 1 otherwise. Here the expression p(0, x) stands for the result of applying p to the concatenation of the bit 0 and the n-bit value x. Note, this construction is really a special instance of a much more general construction given in the next two sections. However, for our analysis we found it much simpler to analyze this simple case (in a later section) and extrapolate to the more general case. 2.2

k−1

n:2 m Wider Outputs: ORDER(P )n+km

Of course, in practice a PRF with a 1-bit output is rarely useful. Fortunately, there are some simple techniques to build wide-output PRFs from PRPs with a 1-bit output. One basic approach is to observe that j = 2k (independent) PRFs from IFn:m suffice to build a PRF on IFn:jm . This yields the following construction. Given a PRF F ∈ IFn+k:m , we build a wider PRF G ∈ IFn:2k m by G(x) = (F (0, x), F (1, x), . . . , F (2k − 1, x)).

374

Chris Hall et al.

This construction has the disadvantage that it reduces the input size slightly, which can be a problem for some applications. Of course, this does not produce an optimal construction. We leave the analysis to Section 4, but in fact the next construction is optimal. By optimal we mean that it divides the set of permutations IPn into equally-sized equivalence classes such that each equivalence class has an odd number of permutations. This implies that we cannot divide the equivalence classes any further and still expect to have equally-sized equivalence classes. 2.3

m

n:2 −1 Wider Outputs, Efficiently: ORDER(P )n+m

As one might expect, the construction of the previous section fails to extract all of the possible bits from a permutation. In some cases we can nearly double the number of bits that we obtain from a given permutation p by extracting more information about the sorted order of p(x). Suppose that we have a permutation p ∈ IPn+m ; then we build a function f ∈ IFn:2m −1 in the following fashion. First we determine 2m−1 bits of f (x) by using the construction outlined in the previous section. That is, if [f (x)]i denotes bit i of f (x) and 0 ≤ i < 2m−1 , then ( 0 if p(0, i, x) < p(1, i, x) . [f (x)]i = 1 otherwise Briefly, the remaining bits of information are obtained by comparing the minimum elements of two pairs of values min {p(xj ), p(x0j )} for j = 1, 2. To be more precise, we start by creating 2n perfectly-balanced binary trees with 2m − 1 nodes (i.e. each one has height m − 1) and uniquely assign each tree to a different n-bit value x. Hence tree x will correspond to f (x). For any given tree, each node has three values associated with it: a n + m-bit value X(x), a 1-bit value Y (x), and a m-bit value Z(x), which serves to identify the node. For ease of exposition, we assign Z(x) so that the root node has Z(x) = 0, the left child of a node has the value 2Z(x) + 1, and the right child of a node has the value 2Z(x) + 2 (implying Z is independent of x so we can drop it). This assigns each node a unique m-bit value and allows us to associate bit i of f (x) with the Y (x) value of node i.2 Using these particular Z-values, the leaf nodes will have the values 2m−1 − 1 to 2m − 2. Let Xi (x) and Yi (x) denote the X and Y values respectively of the leaf nodes with Z = i. Then for i ≥ 2m−1 − 1 ( 0 if p(0, Zi − 2m−1 − 1, x) < p(1, Zi − 2m−1 − 1, x) Yi (x) = 1 otherwise. Xi (x) = min{p(0, Zi − 2m−1 − 1, x), p(1, Zi − 2m−1 − 1, x)} 2

Some other ordering of the nodes will also work, such as one given by a postorder traversal of the tree.

Building PRFs from PRPs

375

This is precisely the information obtained by the construction of the previous section. For the remaining 2m−1 − 1 bits of information, we assign ( 0 if X2i+1 (x) < X2i+2 (x) Yi (x) = 1 otherwise. Xi (x) = min{Y2i+1 (x), Y2i+2 (x)} It should be clear that this tree partially encodes the order of p(0, x), . . . , p(2m − 1, x), but that more than one permutation may produce the same function. It requires 2m invocations of the permutation p to produce the 2m − 1 bits of fp (x). For an example evaluation of f (x) for p ∈ IP3 , see Figure 1. f(x) = 0111000 (postorder traversal) X = 0, Y = 0 X = 0, Y = 1 X = 2, Y = 0

X = 0, Y = 1

X = 3, Y = 0 X = 3, Y = 1

X = 4, Y = 0

P(0,x) :=P(1,x) 2 := 5P(2,x) := P(3,x) 1 := 0P(4,x) := P(5,x) 6 := 3P(6,x) := P(7,x) 4 := 7

Fig. 1. Example Function from p ∈ IP3 .

We can use this latter technique to build a PRF in IFm:n using a permutation in IPa where a = d m+log2 (n+1)+1 e. It will require d log2 (n+1)+1 e invocations of E per invocation of IFm:n . Note, if n 6= 2l −1 for some l, we will actually obtain a wider output than n bits. In that case we can simply truncate the output to n bits and retain the security of the PRF. While this construction provably transfers (essentially) all of the security of the underlying block cipher to the PRF, the disadvantage is that it has poor performance: we can get a 57:127 PRF that’s provably as strong as DES (and hence a 57:64 PRF), but it requires 128 queries to DES per PRF computation. 2.4

TRUNCATE(P )n−m n

Our second construction has much better performance, but uses a very different idea: we merely truncate a few bits of the output of the underlying block cipher, so the PRF can be almost as fast as the block cipher. Formally, let p ∈ IPn be a random permutation. We assign a function fp ∈ IFn:n−m by fp = g ◦ p where g : Rn → Rn−m denotes the function which truncates the high m bits from its input. For a PRP family {πk } the resulting PRF family would be {fπk }.

376

Chris Hall et al.

The disadvantage to this approach is that it doesn’t preserve the security of the underlying block cipher nearly as well: our proofs only work when the attacker has at most O(min{2(n+m)/2 , 22(n−m)/3 }) chosen texts available to him, where n is the block width of the underlying cipher and m is the number of truncated bits. In practice, this means that we can prove security up to O(24n/7 ) chosen texts by truncating m = n/7 bits, but our analysis degrades too much to be provide better bounds for larger m.

3

Applications

There are several nice applications of our result. Probably one of the most interesting is that we “close the loop” between PRFs and PRPs. Luby-Rackoff [LR88] gave a nice PRF → PRP construction; we have now shown how to go the other direction3 . We explore two additional possibilities in the next sections. There are others listed below, but due to a lack of time and space we have omitted further analysis of these ideas. Hence we pose them as open problems for further study. 1. Building MACs (or possibly hash functions) with provable security. The disadvantage is that they are likely to be very slow. 2. Building provably-strong PRNGs out of our constructions for provablystrong PRFs. Such a tool might be used for session key derivation, for example. The advantage is that in many cases (depending upon the application, of course) the PRNG isn’t performance-critical, so slow techniques are still interesting if they have notable security advantages. 3. Building provably-strong stream ciphers from our constructions for provablystrong PRFs. By running a good PRF in counter mode, you can get security past the birthday bound. In contrast, 64-bit block ciphers typically run into security problems when used in a standard chaining mode to encrypt more than 232 known texts, no matter how strong the cipher is. Bellare et. al. have explored this application further in [BKR98]. 3.1

Building Wider Block Ciphers

Techniques for building wider block ciphers are especially relevant as the AES standards effort ramps up. The problem with most existing ciphers, such as Triple-DES, is that they offer only 64-bit blocks, and thus fall prey to certain birthday attacks that can work with only 232 texts or so. (The matching ciphertext attack is one example.) As network communication speeds rise, this limit becomes increasingly concerning: for instance, on a 1 Gbit/sec encrypted link, we expect that information about two plaintext blocks will leak after only 6 minutes or so. The only solution is to move towards ciphers with wider block lengths, but if this involves a full cipher redesign, then we may forfeit the insights provided 3

We don’t consider treating a PRP as a PRF as an example because it won’t produce more general functions, and because its security level is limited.

Building PRFs from PRPs

377

by more than two decades of analysis on DES and Triple-DES. This motivates our search for a construction which can provably retain the time-tested security level of Triple-DES while providing a wider block length. This paper provides new results in this area. If we have a trusted cipher, then we can model it as a PRP family. Using one of our constructions we can construct a PRF family, use the Benes transform [AV96] to create a wider PRF family, and finally use Luby-Rackoff to create a PRP family again. The nice thing is that the resulting PRP family will be almost four times as wide as the original construction. Furthermore, we will be able to provide provable security reductions to show that the widened cipher is likely to be strong if the original cipher is secure. We will focus on a particular example and consider Triple-DES. Hence let n = 64 and P = {Ek } be the Triple-DES family where Ek (X) denotes encryption with key k and plaintext X. Also suppose that P is (t, q, e) secure. Then using we can construct a PRF family F = {fEk } ⊂ IF58:58 (truncate the ORDER(P )58:63 64 5 extra bits). As later analysis will show, F is (t, q/64, e) secure. In other words, F largely retains the security properties of Triple-DES. Using the modified Benes transform, we can form a second PRF family F 2 = {gf } where f ∈ F and F 2 ⊂ IF110:110 . The reason we do not obtain a family F 2 ⊂ IF116:116 is that the modified Benes transform requires six independent functions. Hence we can use the first three bits of our functions in F to obtain eight independent function families for constructing IF2 . The results of [AV96] show that F 2 is a (t, q/64, e+e0)-secure PRF, where e0 is neglible for q/64 < 2110 . Finally, using F 2 and Luby-Rackoff we can create a final PRP family P 2 = {pg1 ,g2 ,g3 } where gi ∈ F 2 and P 2 ⊂ P220 . P 2 will have nearly identical security to F 2 : (t, q/64, e + e0 + e00 ) where e00 is neglible for q/64 < 2554 . The primary disadvantage of this construction is that the resulting widened cipher P 2 will be almost 450 times slower than the original cipher P . With a normal 4-round Luby-Rackoff construction, we will use 4 invocations of functions from F 2 for each invocation of a permutation in P 2 . Each function in F 2 uses 6 invocations of functions from F . Finally, for each function in F we will use 64 invocations of a permutation in P . Hence we will require 4 × 6 × 64 = 1536 invocations of Triple-DES per invocation of P 2 ; of course, each invocation of P 2 encrypts 220/64 times as many bits as P , so the performance of the widened cipher P 2 will be 1536 · 64/220 ≈ 447 times worse than Triple-DES. This is definitely very slow, but it is provably secure! An alternative to using Luby-Rackoff is to use a construction by M. Naor and O. Reingold [NR96]. There you get a twofold speed-up in execution and we only require 768 invocations of Triple-DES. This translates to a total of roughly 223 times worse performance than Triple-DES. The advantage, of course, is that the resulting cipher is that we have removed the 232 -texts limitation on the security of Triple-DES. 4

Note: the security proof of the Luby-Rackoff construction given in [LR88] actually assume that the gi are independent; but the proofs in [NR96] remove that restriction.

378

Chris Hall et al.

Our construction uses the Benes transform only for technical reasons. The reason we can’t apply the Luby-Rackoff construction directly to our PRF family F is that a 4-round Luby-Rackoff cipher with m-bit blocks is only secure up to 2m/4 texts; with m = 2 · 58, the security level would be too low, so we build a double-width PRF family F 2 to increase m. However, eliminating the Benes transform could produce significant performance speedups, so this motivates the search for PRP constructions with better security. For example, by using Patarin’s recent results on the 6-round Luby-Rackoff construction [P98], we can build a widened cipher P 3 ⊂ P116 that is secure with up to about min{q, 243.5 } texts; by using single-DES instead of Triple-DES as our starting point, we can get a 116-bit cipher which is provably as secure as DES and has performance about 212 times worse than DES (or about 71 times worse than Triple-DES), though it has somewhat less security than our construction of P 2 . construction to build It would also be possible to use the TRUNCATE(P )n−m n a double-width block cipher, instead of ORDER(P )6 458:63 as above. This would provide significantly better performance (the widened cipher could be as fast as 1/3 the performance of the original cipher). However, at present the available proofs provide no guarantee of security past about 236 texts, which is probably not a compelling advantage over the 232 birthday bound. As a third alternative, one could use the re-keying construction of Bellare et. al. [BKR98] to build F out of Triple-DES (say). Applying the Benes transform and the Naor-Reingold construction would then provide a 256-bit cipher which is only 3 times slower than Triple-DES. The disadvantage is that the available security results are difficult to compare with the figures given above. The examples we gave here usually resulted in a block cipher with a peculiar width. It should be clear how to modify this example slightly to generate (say) a 192-bit block cipher, by truncating F or F 2 to the appropriate size. 3.2

Applications to 1-Bit CFB Mode

We note that our main construction provides a way to increase the robustness of 1-bit CFB mode by tweaking the mode slightly. The standard 1-bit CFB mode builds a function h : ZZ n2 → ZZ 2 by letting h(x) be the least significant bit of the encryption Ek (x) of x under a block cipher E with key k. Then we build a stream cipher as Cj = Pj ⊕ h(Cj−64 , . . . , Cj−1 ). The problem is that we are not aware of any proof that CFB mode preserves the security of the underlying block cipher. Clearly all of the security of 1-bit CFB mode must come from the non-linear Boolean function h. Theorem 1 (in Section 4.1) guarantees the security of h against an adversary with access to q 2n/2 chosen-text queries, assuming the underlying block cipher is secure. However, for typical block ciphers 2n/2 = 232 , which means that the “security warranty” provided by Theorem 1 is voided after 232 chosen-text queries5 . As 5

Theorem 7 can guarantee security up to q = O(24n/7 ), but this is still significantly smaller than the O(2n ) query security we would ideally hope to see. As we shall see, this hope is not unreasonable.

Building PRFs from PRPs

379

most typical block ciphers are built to resist much more powerful adversaries, we would prefer to have better reductions. We do not know of any better security proofs for 1-bit CFB in the literature, but we can improve the situation with a slight modification to the mode. Replace h by the function fEk defined in Section 2.1. (We will need to sacrifice one bit of feedback, so that Cj = Pj ⊕fEk (Cj−63 , . . . , Cj−1 ), but 63 bits is more than sufficient for practical purposes.) This requires two encryptions per invocation of fEk , so our mode will be twice as slow as the standard 1-bit CFB, but we do not expect this to be a serious problem, as implementors typically use 1-bit CFB mode for its resynchronization properties rather than for its performance characteristics. Of course, the primary advantage of our 1-bit modified cipher feedback mode is that we can provide provable security reductions for fEk . If E is a (t, q, e)-PRP, then fEk will be a (t, q/2, e)-PRF. In short, our construction of fEk preserves the security level of the underlying block cipher extremely effectively. Therefore, this modification to 1-bit CFB mode looks attractive for practical use.

4

Analysis

In this section we provide analysis of our ORDER(P )j:k and TRUNCATE(P )n−m n i constructions. In addition, we evaluate the security of a PRP family when viewed as a PRF family. 4.1

Previous Attempts

As we have mentioned earlier, every PRP can be viewed as a PRF with certain security parameters. We first analyze this trivial construction. Theorem 1. Let p be a random permutation on n bits. Then p is a (t, q, e)-PRF for e = q 2 /2n+1 . Proof. Standard; omitted due to lack of space. Furthermore, it is simple to show that this bound is tight. We can easily construct an adversary which distinguishes between p and a random function with advantage approximately q(q − 1)/2n+1 (for q = O(2n/2 )): simply look for collisions and return 0 if you see a collision (where you are supposed to return 1 if you think it’s not a random function). It is worth noting that this analysis also establishes the security of another related construction. One might naively propose a construction based (loosely) on the Davies-Meyer hashing mode [MMO85]: fp (x) = p(x) ⊕ x. The final xor of x into the ciphertext destroys the bijective property of p, so at first glance fp might look like a reasonable candidate for a better PRF. However,

380

Chris Hall et al.

we note that this construction has no better security than before. It can be distinguished from a random function with advantage q 2 /2n+1 : merely apply the adversary of the previous paragraph to the function g defined by g(x) = fp (x)⊕x. The security reduction we showed in Theorem 1 is sufficient to show that PRFs exist if PRPs do, from a complexity-theoretic point of view, since the security bound it shows is exponential in n. Therefore, complexity theorists interested only in asymptotics need read no further. However, practical applications are a bit more demanding: they require concrete security guarantees. We find this O(2n/2 ) level of security inadequate for practical applications. Most block ciphers today offer 64-bit block widths, thus providing a convenient and efficient PRP with n = 64. For such ciphers, the above theorem provides no security assurances when adversaries are allowed to make q ≈ 2(n+1)/2 = 232.5 chosen-text queries (or more). This is too weak for serious cryptologic use; we would prefer something that provides better resistance to chosen-text attacks. After all, the underlying block cipher typically provides better security than that—so it is natural to wonder whether we can do better. Is there a PRF construction that preserves the security of the underlying block cipher? We show below that the answer is yes. 4.2

Analysis of ORDER(P )n:1 n+1

We gave a description of ORDER(P )n:1 n+1 in Section 2.1. Let π be a (keyed) family of permutations {πk : k ∈ K} ⊂ IPn+1 on Rn+1 . Using this construction we obtain a family fπ = {fπk : k ∈ K} of functions in IFn:1 . We can (by a slight abuse of notation) view π as a random variable, taking values in IPn+1 , by taking k to be a random variable uniformly distributed over K. (We drop the subscript, writing π instead of πk as a slight abuse of notation, to avoid an unwieldy morass of distractingly nested subscripts.) Similarly, fπ can be viewed as a random variable, too. We say that p is a random permutation (on Rn+1 ) to mean that it is a random variable which is uniformly distributed over all elements of IPn+1 . Similarly, we say that f is a random function (from IFn:m ) when we mean that it is a random variable which is uniformly distributed over IFn:m . We wish to show that fπ preserves the security level of the underlying PRP π. Most of the work to be done is handled by a purely information-theoretic analysis, which ignores all issues of computational complexity. We tackle this in Theorem 2. Theorem 2. If p is a random permutation on Rn+1 , then fp is a random function over IFn:1 . Proof. Take any g ∈ IFn:1 . It is clear that there exists a p ∈ IPn+1 such that g = fp : for example, take the p such that p(2x) = 2x + g(x)

p(2x + 1) = 2x + 1 − g(x)

∀x ∈ Rn .

Building PRFs from PRPs

381

Next we show that |{p : g = fp }| is a constant that does not depend on g, i.e. that there are an equal number of representative permutations p for all g. First, suppose that g1 , g2 ∈ IFn:1 are two functions that differ at exactly one point X (i.e. g1 (x) = g2 (x) for all x 6= X and g1 (X) 6= g2 (X)). Then we construct a bijective mapping φ : IPn+1 → IPn+1 , which has the property that fp = g1 exactly when fφ(p) = g2 . This will show that there are an equal number of representations for any two functions g1 , g2 which differ at exactly one point. Then it will be easy to see that this implies the desired result, since for any two functions g,h ∈ IFn:1 one can construct a sequence g = g0 , g1 , g2 , . . . , gk−1 , gk = h such that all the consecutive pairs gi , gi+1 differ at exactly one point. The mapping φ is built as follows. Take any input p; we define φ(p) = p0 by p(b, x) if x 6= X p0 (b, x) = p(1 − b, x) if x = X. Now it is clear that fp0 = g2 if fp = g1 , and vice versa. Furthermore, φ is an involution, so it is clear that it is a bijective mapping, as claimed. This completes the proof. t u Once we have this nice result, extending it to the setting of computationallybounded adversaries is not so hard. It requires much unravelling of notation, but essentially no new ideas. We first introduce the notion of pseudo-randomness, to handle the most important case where the adversary is computationally bounded. Informally, saying that π is a pseudo-random permutation (PRP) on Rn+1 is supposed to convey the idea that it is computationally infeasible for an adversary to distinguish π from a random permutation on Rn+1 . (Some authors use the phrase “pseudorandom permutation generator” to refer to this object; for conciseness, we will omit the “generator” term throughout this paper.) We formalize this notion as follows. An adversary is an oracle machine −1 −1 B p,p ,π,π which outputs a 0 or 1 (according to whether it thinks p is truly random or is drawn from the family {πk : k ∈ K}). It takes four oracles as inputs: a test permutation p (which outputs p(x) on input x) along with its inverse p−1 , and an oracle for π (which outputs πk (x) on input k, x) as well as an oracle for π −1 . Its advantage Adv B is −1

Adv B = |Prob(B πk ,πk

,π,π −1

= 1) − Prob(B r,r

−1

,π,π −1

= 1)|,

where r is a random permutation and k is uniformly distributed over K. More formally, we say that π is a (t, q, e)-PRP if the advantage of any adversary which is allowed at most q queries (total) to the first two oracles and t offline work is at most e. This models a block cipher which is secure with up to q adaptive chosen-plaintext/ciphertext queries and t trial encryptions. See [BKR94,BGR95] for more information about (t, q, e) security. We can define a (t, q, e)-PRF (pseudo-random function) in a similar fashion. −1 In this definition, an adversary is an oracle machine Ag,γ,π,π with access to four oracles: a function g which outputs g(x) on input x, an oracle γ which

382

Chris Hall et al.

outputs γk (x) on input k, x, and two oracles π, π −1 for the PRP class (as above). We define its advantage by Adv A = |Prob(Aγk ,γ,π,π

−1

= 1) − Prob(As,γ,π,π

−1

= 1)|,

where s is a random function and k is uniformly distributed over K. In the cases that we are most interested in, we have γk = fπk . We say that γ is a (t, q, e)PRF if all adversaries A which make at most q oracles queries (total) to g, γ and perform at most t computations obey Adv A ≤ e. Note that it is important to include the oracles for π, π−1 in the definition of a (t, q, e)-PRF. In what follows, we will be interested in PRFs built from a PRP π. Here π models a block cipher; we assume the algorithm is publicly known (by Kerchkoff’s principle), so anyone trying to attack fπ can freely compute πk (x) on any chosen inputs k, x. This required us to extend the standard definition of a PRF to model this situation. With those preliminaries out of the way, we may proceed to the rest of the analysis. We get the following pleasing consequence of Theorem 2 whose proof we leave to the appendices. Theorem 3. If π is a (t, q, e)-PRP on Rn+1 , then fπ is a (t, q/2, e)-PRF over IFn:1 . t u

Proof. See Appendix A. 4.3

m

n:2 −1 Analysis of ORDER(P )n+m m

n:2 −1 In Section 2.3 we introduced the general ORDER(P )n+m construction. There are two corresponding theorems whose full proofs we omit due to a lack of space.

Theorem 4. If π is a random permutation on Rn+m , then fπ is a random function over IFn:2m −1 . Proof. (sketch) The basic idea is to again consider two functions f1 , f2 ∈ IFn:2m −1 which differ in exactly one output (say f1 (0) 6= f2 (0)). We can build a map φ : IPn+m → IPn+m such that fp = f1 exactly when fφ(p) = f2 . Again this will show that all f ∈ IFn:2m −1 have an equal number of representative permutations p (existance is trivial). To build the map φ, we need merely look at the binary tree we constructed for x = 0. (Actually we must consider a slightly expanded version of the tree in which the leaf nodes of our original tree are expanded into two children containing the values p(0, Z, x) and p(1, Z, x).) Starting with i = 0, we compare bit i of f1 (0) and f2 (0) and swap the left and right subtrees of node i if f1 (0) and f2 (0) differ in bit i. Note, this may destroy the original equality of bits j > i for f1 (0) and f2 (0) so in evaluating bit i we assume that f1 (0) has the value denoted by the most recent tree. The end result is a series of subtree swaps for evaluating f1 (0) which are clearly reversible. The subtree swaps specified will remap values of a permutation to values of another permutation and we take φ to be that map. It is clearly onto and hence bijective. This completes the proof of the theorem. t u

Building PRFs from PRPs

383

Theorem 5. If π is a (t, q, e)-PRP on Rn+m , then fπ is a (t, q/2m , e)-PRF over IFn:2m −1 . Proof. The proof is nearly identical to that of Theorem 3.

t u

In Section 2.3 we made a claim that this construction was optimal. By that we meant that one could not create a map from IPn+m to IFn:l for l > 2m − 1. We state this in the following lemma. Lemma 1. There exists no map φ : IPn+m → IFn:l for l > 2m − 1 such that N (f ) = |{p ∈ IPn+m : φ(p) = f }| is constant for all f ∈ IFn:l . Proof. Let φ be a map such that N (f ) is constant for all f ∈ IFn:l , then we will n show that l ≤ 2m − 1. There are 2l2 functions in IFn:l hence we are dividing n IPn+m into 2l2 equivalence classes. For any j, |IPj | = (2j )! and it is not hard j to show that 22 −1 exactly divides (2j )!. Hence the power of 2 dividing the size n+m n n m −1 /2l2 = 22 (2 −l)−1 . In order for N (f ) to of each equivalence class is 22 be constant, we must have that 2n (2m − l) − 1 ≥ 0, which implies 2m − l ≥ 1, whence l ≤ 2m − 1. This completes the proof of the lemma. t u Our analysis above used a strongly information-theoretic framework: first, we showed that the construction produces a random function when fed a random permutation (Theorem 2), and then all the desired pseudo-randomness results just fall out trivially from that. This framework is desirable because it makes the analysis relatively simple; however, we showed in Lemma 1 that it imposes serious limitations on the performance of the resulting constructions. The above bound essentially shows that, to achieve better performance, we’ll need to do abandon the information-theoretic framework and take another approach. This we do below. 4.4

Analysis of TRUNCATE(P )n−m n

The construction of Section 4.2 is probably most attractive because it is so amenable to theoretical analysis, and because it preserves the security of the underlying block cipher so efficiently no matter how many chosen-text queries are issued. However, it also has a severe disadvantage for practical use: it is quite slow. based on truncating In Section 2.4 we defined a PRF family TRUNCATE(P )n−m n bits of a permutation. The result trades off security for performance. Recall the construction: for any permutation πk on Rn , we define a function f ∈ IFn:n−m by fπk = g ◦ πk where g : Rn → Rn−m denotes the function which truncates the high m bits from its input. We could instead have taken g to be any fixed function g : Rn → Rn−m such that each y ∈ Rn−m has 2m easily-computable pre-images g −1 (y), and the

384

Chris Hall et al.

results would still apply. However, bit-truncation is attractive because it is both fast and amenable to a simple mathematical description6 . Therefore, for clarity of exposition we concentrate hereafter solely on bit-truncation. First we show that if π is a random permutation, then fπ is a pseudo-random function. The following theorem proves that, roughly speaking, Adv A is negligible while q min{2(n+m)/2 , 22(n−m)/3 }. Theorem 6. If π is a random permutation on Rn , then fπ is a (t, q, e)-PRF over IFn:n−m , where e = 5(q 2 /2n+m )1/3 + q 3 /22(n−m)+1 . Proof. See Appendix B.

t u

This shows that truncating some bits from the output of πk gives slightly better security. For m ≤ n/7, the theorem says that truncating m bits adds nearly m/2 bits of security against adaptive chosen-text attacks to the PRF πk . However, for m > n/7, the second term in e dominates (in that it is largest and hence limits q), and our analysis does not provide better security reductions when increasing m past n/7. We believe that these limits are not inherent, but rather are a reflection of the inadequacy of our analysis. As an illustration, the best attack we can find needs q = O(2(n+m)/2) texts to distinguish fπ from random with significant advantage (see Theorem 8), so this leaves a substantial gap between the upper and lower bounds. We suspect that a better analysis could provide a better security reduction. (However, we could be wrong.) The main idea of the proof is to show that the probability of getting any particular set of outputs Y to a given set of oracle-queries X is roughly the same whether the oracle is instantiated “under the hood” by a PRF or by a truncated-PRP. We use this to show that any oracle algorithm A must behave almost exactly the same regardless of which type of oracle it is given. That follows just because A’s execution can depend only on the list of inputs and outputs to the oracle. This can then be used to show that Adv A is small. Of course, our bounds only hold when q is small enough. The first step in the analysis is to compute the probabilities that a random function F and a truncated-PRP fπ will map X to Y . For F this is easy, but for fπ it is substantially harder. In the general case this gets quite messy, so we restrict ourselves to the special case where there are no three-way collisions in Y ; this makes the calculation tractable. (This restriction adds an artificial contribution q 3 /22(n−m)+1 to our bound on the advantage, so we have sacrificed tightness for tractability.) After that, all that is left is relatively straightforward computations (albeit in large quantities). Theorem 7. If π is a (t, q, e)-PRP on Rn , then fπ is a (t, q, e0 )-PRF over IFn:n−m , where e0 = e + 5(q 2 /2n+m )1/3 + q 3 /22(n−m)+1 . 6

The study of the properties of bit-truncation may also have some independent interest, as several authors have already suggested applying a bit-truncation output transform to existing MAC constructions in hopes of improving their security (see, e.g., [PO95]).

Building PRFs from PRPs

385

Proof. Omitted. Follows directly from Theorem 6 along lines analogous to the proof of Theorem 3. t u Theorem 8. Let π be a permutation family on Rn . Then for all q = O(2(n+m)/2 ), there is an adversary which can distinguish fπ from a random function with q known texts, O(q) work, and advantage Ω(q 2 /2n+m ). Proof. (sketch) Let r count the number of collisions in the outputs fπ (1), . . . , fπ (q). Then our adversary outputs 1 (guessing that the oracle is fπ ) if r < q(q − 1)/2n−m+1, and 0 otherwise. Using the techniques found in the proof of Theorem 6, we find that this adversary operates with advantage Ω(q 2 /2n+m ). t u

5

Conclusion

We have presented two constructions for generating pseudo-random functions given pseudo-random permutations: ORDER(P )j:k and TRUNCATE(P )n−m . The forn i mer had the notable property that it preserved the security of the underlying pseudo-random permutation whereas the latter had the property that it was much more efficient. Unfortunately, the gain in speed results in a trade-off in security and the latter construction fails to preserve the strength of the underlying pseudo-random permutation. Using our constructions we were able to solve a few different problems, including stretching the width of a block cipher while preserving the security. We also examined a secure 1-bit cipher feedback mode using a pseudo-random permutation.

Acknowledgements Thanks to Dan Boneh, Ian Goldberg, and the anonymous referees for many helpful comments.

References AV96.

W. Aiello, R. Venkatesan, “Foiling birthday attacks in length doubling transformations,” Advances in Cryptology—EUROCRYPT ’96 Proceedings, Springer-Verlag, pp. 307–320. 371, 371, 371, 372, 372, 377, 377 BCK96. M. Bellare, R. Canetti, H. Krawczyk, “Pseudorandom Functions Revisited: The Cascade Construction and its Concrete Security,” Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996. 372 BDJR97. M. Bellare, A. Desai, E. Jokipii, P. Rogaway, “A Concrete Security Treatment of Symmetric Encryption: Analysis of the DES Modes of Operation,” Full version, Extended abstract in Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 97), IEEE, 1997. 370, 371

386

Chris Hall et al.

BGR95. M. Bellare, R. Gu´erin, P. Rogaway, “XOR MACs: New methods for message authentication using finite pseudorandom functions,” Advances in Cryptology—CRYPTO ’95 Proceedings, Springer-Verlag, 1995, pp 15–28. 372, 381 BKR94. M. Bellare, J. Kilian, P. Rogaway, “The security of cipher block chaining,” Advances in Cryptology—CRYPTO ’94 Proceedings, Springer-Verlag, 1994. 372, 372, 381 BKR98. M. Billare, T. Krovetz, P. Rogaway, “Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-Invertible (Extended Abstract),” Advances in Cryptology—EUROCRYPT ’98 Proceedings, Springer-Verlag, 1998. 370, 372, 376, 378 BM84. M. Blum, S. Micali, “How to Generate Cryptographically Strong Sequences of Pseudo-random Bits,” SIAM J. Comput., 13 (Nov. 1984), pp. 850–864. C97. D. Coppersmith, “Luby-Rackoff: Four rounds is not enough,” IBM Research Report, RC 20674 (12/24/96), Mathematics. 371 GGM86. O. Goldreich, S. Goldwasser, S. Micali, “How to Construct Random Functions,” Journal of the ACM, Vol. 33, No. 4, October 1986, pp. 792–807. 370 LR88. M. Luby, C. Rackoff, “How to Construct Pseudorandom Permutations from Pseudorandom Functions,” SIAM J. Comput., Vol. 17, No. 2, April 1988, pp. 373–386. 370, 371, 371, 371, 376, 377 Lub96. M. Luby, Pseudorandomness and Cryptographic Applications, Princeton University Press, 1996. 371 Luc96. S. Lucks, “Faster Ruby-Lackoff Ciphers,” Proceedings of Third Fast Software Encryption Workshop, Springer-Verlag, pp. 189–203. 371 M92. U.M. Maurer, “A Simplified and Generalized Treatment of LubyRackoff Pseudorandom Permutation Generators,” Advances in Cryptology— EUROCRYPT ’92 Proceedings, Springer-Verlag, 1992, pp. 239–255. 371, 371, 371 MMO85. S.M. Matyas, C.H. Meyeter, J. Oseas, “Generating strong one-way functions with cryptographic algorithm,” IBM Technical Disclosure Bulletin, 27 (1985), 5658–5659. 379 NR96. M. Naor, O. Reingold, “On the construction of pseudo-random permutations: Luby-Rackoff revisited.,” preliminary version, http://www.wisdom.weizmann.ac.il/Papers/trs/CS96-10/abstract.html 377, 377 P90. J. Pieprzyk, “How to Construct Pseudorandom Permutations from Single Pseudorandom Functions,” Advances in Cryptology—EUROCRYPT ’90, Springer-Verlag, pp. 140–150. P91a. J. Patarin, “Etude des g´ n´rateurs de permutations bas´es sure le Sch´ema du D.E.S.,” Ph. D. Thesis, INRIA, Domaine de Voluceau, Le Chesnay, France, 1991. P91b. J. Patarin, “New Results on Pseudorandom Permutation Generators Based on the DES Scheme,” Advances in Cryptology—CRYPTO ’91 Proceedings, Springer-Verlag, pp. 301–312. 371, 371 P92. J. Patarin, “How to Consruct Pseudorandom and Super Pseudorandom Permutations from One Single Pseudorandom Function,” Advances in Cryptology—EUROCRYPT ’92 Proceedings, Springer-Verlag, pp. 256–266. 371, 371 P97. J. Patarin, “Improved Security Bounds for Pseudorandom Permutations,” Proceedings of the Fourth ACM Conference on Computer and Communications Security, April 1–4, 1997, pp. 142–150. 371, 371

Building PRFs from PRPs

387

J. Patarin, “About Feistel Schemes with Six (or More) Rounds,” Proceedings of the Fifth Fast Software Encryption Workshop, LNCS 1372, Springer, 1998, pp. 103–121. 378 PO95. B. Preneel, P. van Oorschot, “MDx MAC and building fast MACs from hash functions,” Advances in Cryptology—CRYPTO ’95 Proceedings, LNCS 1070, Springer-Verlag, 1996. 384 SP91. B. Sadeghiyan, J. Pieprzyk, “On Necessary and Sufficient Conditions for the Construction of Super Pseudorandom Permutations,” Advances in Cryptology—ASIACRYPT ’91, Springer-Verlag, pp. 194–209. 371 SP92. B. Sadeghiyan, J. Pieprzyk, “A Construction for Super Pseudorandom Permutations from A Single Pseudorandom Function,” Advances in Cryptology— EUROCRYPT ’92, Springer-Verlag, pp. 267–284. 371 Y82. A.C. Yao, “Theory and Applications of Trapdoor Functions,” Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, IEEE, New York, 1982, pp. 80–91. ZMI89a. , Y. Zheng, T. Matsumoto, H. Imai, “On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypothesis,” Advances in Cryptology—CRYPTO ’89 Proceedings, Springer-Verlag, pp. 461-480. 371 ZMI89b. Y. Zheng, T. Matsumoto, H. Imai, “Impossibility and Optimality Results on Constructing Pseudorandom Permutations,” Advances in Cryptology— EUROCRYPT ’89, Springer-Verlag, pp. 412–421. 371 P98.

A

Proof of Theorem 3

Proof. Our proof proceeds as follows. Suppose we have an adversary A which (t0 , q 0 , e0 )-breaks fπ .7 We construct an adversary B which (t0 , 2q 0 , e0 )-breaks π. The result will follow. −1 −1 The construction for B requires very little creativity. B p,p ,π,π performs −1 the same computations as Ag,γ,π,π ; anytime A makes an oracle query, we simulate the oracle and return the result to the computation in progress. The simulation of oracle queries goes like this. If A queries the g oracle with x, then B issues two queries to p with inputs (0, x) and (1, x) and compares the results; if p(0, x) < p(1, x), B uses the result 0, and otherwise uses 1. If A queries the γ oracle with k, x, then B issues the two queries k, (0, x) and k, (1, x) to its oracle for π, and constructs the result similarly. Finally, A’s oracle queries for π and π −1 can be satisfied trivially. Let e0 = Adv A, and let t0 , q 0 count the time and number of oracle queries that A requires. Clearly t0 , 2q 0 counts the time and number of oracle queries that B requires. It merely remains to bound Adv B, which we achieve with the following series of observations. Lemma 2. Let r be a random permutation, and s be a random function. (Recall that according to our terminology both will be uniformly distributed on their respective spaces.) 7

This means that with at most q 0 queries and t0 offline encryptions, there is an adversary who has advantage greater than e0 .

388

Chris Hall et al. −1

−1

−1

(i) For any permutation p, Afp ,fπ ,π,π = B p,p ,π,π . (ii) The random variable fr has the same distribution as s; in other words, fr is a random function. (iii) With the random variables r, s as before, we have −1 −1 Prob(As,fπ ,π,π = 1) = P rob(Afr ,fπ ,π,π = 1). −1 −1 −1 (iv) Prob(As,fπ ,π,π = 1) = Prob(B r,r ,π,π = 1). −1 −1 −1 (v) Prob(Afπk ,fπ ,π,π = 1) = Prob(B πk ,πk ,π,π = 1). Proof. (i) follows by construction of B. (ii) is exactly Theorem 2. (iii) follows immediately from (ii). (iv) follows from (i) and (iii). (v) is merely a special case of (i), substituting p = πk .

t u

Lemma 3. Adv B = Adv A. Proof. Apply part (v) of Lemma 2 to the first term in Adv B, and apply part (iv) of Lemma 2 to the second term in Adv B. We get exactly the expression for Adv A. t u Now this suffices to prove the theorem. Given that π is a (t, q, e)-PRP, we show that fπ is a (t, q/2, e)-PRF by examining the contrapositive. Suppose there exists an adversary A who (t, q/2, e0 )-breaks fπ with advantage e0 > e. We have shown how to construct an adversary B which breaks π. By Lemma 3, Adv B = Adv A = e0 ; also, B requires at most t time and q oracle queries. In other words, B (t, q, e0 )-breaks π, for e0 > e. But this contradicts our assumption that π is a (t, q, e)-PRP. Therefore, such A cannot exist, and the theorem follows. t u

B

Proof of Theorem 6 −1

Proof. Let Afπk ,π,π be any adversary that breaks fπk . Let X = (X1 , . . . , Xq ) be a q-vector over Rn of q different “inputs,” and let Y = (Y1 , . . . , Xq ) be a q-vector over Rn−m of “outputs.” The random variables (X, Y ) will be a “transcript” of a run of the adversary A: Xj records the j-th query to the fπ oracle, and Yj records the corresponding output from the oracle. Without loss of generality, we may take X = (1, . . . , q), since any adversary A which makes repeated queries Xi = Xj (i < j) can be easily converted to an adversary A0 with the same advantage such that A0 makes no repeated queries. (Our construction of A0 merely simulates the action of A, for each oracle query Xj made by A: if Xj is a new query, A0 behaves identically to A; but if Xj = Xi for some i < j, then A0 sets Yj = Yi and continues to simulate the action of A without querying the fπ oracle.) Furthermore, since π is presumed to be a truly random permutation, the values of the oracle queries don’t matter, so long as they don’t repeat.

Building PRFs from PRPs

389

Let F ∈ IFn:n−m be a truly random function. Define pF (X, Y ) = Prob(F (X) = Y ) to be the probability that F maps each Xj 7→ Yj ; define pf (X, Y ) = Prob(fπ (X) = Y ) in a similar fashion. We often leave off the (X, Y ) and simply write pf or pF when the choice of (X, Y ) is clear from context. Also, we sometimes Pwrite pf (S) to mean the probability (with respect to f ) of a set S, i.e. pf (S) = (X,Y )∈S pf (X, Y ). We wish to show that fπ is roughly indistinguishable from F if q is not too large. The main idea is to show that pf (X, Y ) ≈ pF (X, Y ). Our argument proceeds as follows. We bound pf /pF , showing that it is close to 1. This bound doesn’t hold uniformly for all choices of (X, Y ), but it holds for nearly all of them—or more precisely, the set S where the bound holds has probability very close to 1. Formally, we prove that |pf /pF − 1| ≤ δ for all (X, Y ) ∈ S; we also show that both pf (¬S) and pF (¬S) are small. This can be informally viewed as a sort of “probabilistic bound.” We prove, in another crucial lemma, that Adv A ≤ max{pf (¬S), pF (¬S)} + δ. This is a generic result that relies only on the bound on pf /pF ; no domain-specific knowledge is required. Therefore, it suffices to bound pf /pF tightly enough that pf (¬S), pF (¬S), and δ are small. We move to the details of the proof. We take S to be the set of all q-vectors Y over Rn−m which have r repeated values, no triply-repeated values, and for which |r − q(q − 1)/2n−m+1 | ≤ cq/2(n−m+1)/2 , where c ≥ 1 is a small constant left free for the moment. Lemma 5 helps us show that |pf /pF − 1| ≤ δ for (X, Y ) ∈ S. Lemma 6 bounds pF (¬S), and Lemma 7 bounds pf (¬S). Finally, Lemma 4 proves that Adv A ≤ max{pf (¬S), pF (¬S)} + δ. Combining these four lemmas, we get the big result Adv A ≤ 1/c2 + 4cq/2(n+m+1)/2 + q 3 /22(n−m)+1 + q 2 /2n+m for all c ≥ 1. Finally, we optimize over c to obtain the best bound; taking c = (2(n+m−1)/2 /q)1/3 yields Adv A ≤ 4(q 2 /2n+m )1/3 + q 3 /22(n−m)+1 + q 2 /2n+m ≤ 5(q 2 /2n+m )1/3 +q 3 /22(n−m)+1 , as claimed. Due to lack of space, the proofs of the lemmas are omitted; full details are available at http://www.counterpane.com/publish-1998.html. Lemma 4. With S defined as above, we have Adv A ≤ max{pf (¬S), pF (¬S)} + δ when δ ≥ max(X,Y )∈S |pf (X, Y )/pF (X, Y ) − 1|.

390

Chris Hall et al.

Lemma 5. Let Y have r repeated values and no triply-repeated values, with X = (1, 2, . . . , q). Then pF = 2−q(n−m) , and pf = (1 − 2−m )r

q−1 Y i=0

2m . −i

2n

We have pf /pF ≈ exp{q(q−1)/2n+1 −r/2m } for large q, r. Finally, if (X, Y ) ∈ S and q ≤ 2(n+m)/2 /c and q ≤ 22n/3 , then |pf /pF −1| ≤ δ for δ = 2cq/2(n+m+1)/2 + 2q 3 /3 · 2−2n + q 2 /2n+m+1 . Lemma 6. We have pF (¬S) ≤ 1/c2 + q 3 /6 · 2−2(n−m) . Lemma 7. We have pf (¬S) ≤ 1/c2 + q 3 /6 · 2−2(n−m) + δ. This completes the proof of Theorem 6.

t u

Security Amplification by Composition: The Case of Doubly-Iterated, Ideal Ciphers W. Aiello1 , M. Bellare2 , G. Di Crescenzo1 , and R. Venkatesan3 1

2

Bellcore, 445 South St., Morristown, NJ 07960, USA [email protected] Dept. of Computer Science & Engineering, University of California at San Diego 9500 Gilman Drive, La Jolla, California 92093, USA {mihir,giovanni}@cs.ucsd.edu. URL:http://www-cse.ucsd.edu/users/{mihir,giovanni} 3 Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA [email protected]

Abstract. We investigate, in the Shannon model, the security of constructions corresponding to double and (two-key) triple DES. That is, we consider Fk1 (Fk2 (·)) and Fk1 (Fk−1 (Fk1 (·))) with the component functions 2 being ideal ciphers. This models the resistance of these constructions to “generic” attacks like meet in the middle attacks. We obtain the first proof that composition actually increases the security in some meaningful sense. We compute a bound on the probability of breaking the double cipher as a function of the number of computations of the base cipher made, and the number of examples of the composed cipher seen, and show that the success probability is the square of that for a single key cipher. The same bound holds for the two-key triple cipher. The first bound is tight and shows that meet in the middle is the best possible generic attack against the double cipher. Keywords: Ciphers, cascaded ciphers, Shannon model, information theory, DES, Double DES, meet in the middle attacks.

1

Introduction

A block cipher is a map F : {0, 1}κ ×{0, 1}n → {0, 1}n . Here κ is the key size and def n is the block size. Each κ-bit key k induces a map Fk (·) = F (k, ·) : {0, 1}n → n n −1 denote the inverse cipher, {0, 1} which is a permutation on {0, 1} . Let F meaning F −1 (k, ·) = Fk−1 is the inverse map of Fk (·). For example, DES is such a cipher with κ = 56 and n = 64. It is common practice to compose ciphers in attempts to increase security. The result of composition is a new cipher, with a larger key size but the same block size. Here are the two most popular mechanisms, corresponding, respectively, to double DES and (two-key) triple DES: def

– Double F , or the 2-cascade cipher: Dbl-F : {0, 1}2κ × {0, 1}n → {0, 1}n is defined by Dbl-F k1 ,k2 (x) = Fk1 (Fk2 (x)) . H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 390–407, 1998. c Springer-Verlag Berlin Heidelberg 1998

Security Amplification by Composition

391

– Two-key triple F : Trp2 -F : {0, 1}2κ × {0, 1}n → {0, 1}n is defined by (Fk1 (x))) . Trp2 -F k1 ,k2 (x) = Fk1 (Fk−1 2 ∗

Let Op-F : {0, 1}κ × {0, 1}n → {0, 1}n denote one of these, where κ∗ = 2κ and Op ∈ {Dbl, Trp2 }. What we want to know is: How good a cipher is Op-F ? Has the composition and the increased key length actually bought us anything? Generic versus cryptanalytic attacks. There are several possible approaches to this question, depending on what kinds of attacks one wants to take into account. There are two main classes of attacks: • Cryptanalytic attacks: Like differential [3,4] and linear [9] cryptanalysis • Generic attacks: Like exhaustive key search and meet-in-the-middle attacks. Generic attacks are, roughly, those that don’t exploit the structure of the cipher, but work against any cipher, even an ideal one. More precisely, we define generic attacks as those that succeed in the Shannon model of an ideal cipher discussed below. The strength of specific composed ciphers like double DES against cryptanalytic attacks is not known; certainly, one does not expect a proof of such strength. The strength of the composed cipher against generic attacks, in contrast, can at least in principle be determined, by an analysis in the Shannon model, since it is a purely information theoretic question. However, the technical problems here are quite challenging; in particular, it is not even known that composition increases the strength of a cipher at all in this model. In this paper we tackle this question, analyzing, in the Shannon model, twokey based compositions such as the above. We will prove upper bounds on the probability of “breaking” the composed cipher as a function of the “effort” invested by the adversary, with both terms in quotes to be properly defined. Our results are the first to show that cipher composition in the Shannon model actually increases security: the success probability of an adversary, as a function of her resources, is significantly lower than in the case of a single key cipher. For the double cipher our results are actually tight (optimal) and show that meet in the middle is the best possible generic attack on this cipher. We now define the model, and state our results, more precisely. 1.1

The Model

We model F as an ideal block cipher in the sense of Shannon. This means F (k, ·) is a random permutation on {0, 1}n, for each k. More precisely, let PERM(n) be the set of all permutations on {0, 1}n. Then, for each κ-bit key k, select, uniformly and independently, a map from PERM(n), and assign Fk this value. So F consists of 2κ maps, each a random permutation. Now, we want to ask how good is Op as a composition operator. How can we measure this? We do so in a strong adversarial model, which allows the adversary chosen plaintext attacks on Op-F . Furthermore, success for the adversary A does not mean she has to find the key: it suffices that A identify some “weakness” in

392

W. Aiello et al.

the cipher. This means A should be able to detect any deviation in Op-F k∗ (·) from a truly random permutation, when k ∗ is a random and hidden key for Op-F . Formally, give the adversary oracles for F, F −1 . (This models her ability to compute the original cipher at any points she likes.) Also give her an oracle we call E : {0, 1}n → {0, 1}n, which can take one of two forms: ∗ • World 1: Set E = Op-F k∗ (·) where k ∗ ∈ {0, 1}κ is a randomly chosen key for cipher Op-F • World 2: Set E = π where π is a permutation chosen randomly from PERM(n). Put the adversary A in one of these worlds, and ask her which one she is in. If she can’t tell then Op-F k∗ (·) is behaving like a random permutation, meaning it is good. Formally, define the advantage of A as P1 − P2 , where Pi is the probability that A outputs 1 in world i ∈ {1, 2}. (The probability is over the choice of the oracles in each case.) Call A a (q, t)-adversary if it makes at most t queries to the F, F −1 oracles and at most q queries to the E oracle. (Note in practice t is likely to be much larger than q since F, F −1 queries are just DES computations and E queries are plaintexts in a chosen plaintext attack. We always assume q ≥ 1 since otherwise the advantage of the adversary is zero no matter what the construction.) Define Sec(Op, κ, n, q, t) as the maximum advantage attainable by any (q, t)-adversary. This is the key quantity; it is a function we call the security of the operator Op. The question is to determine this function as accurately as possible. In particular we want to upper bound it as a function of the adversary resources q, t and the block cipher parameters κ, n. Before stating the results we stress the power of the model. It allows chosen plaintext attacks on the composite cipher Op-F . Note it certainly captures common attacks like birthday attacks and meet-in-the-middle attacks, but also more sophisticated attacks which could be adaptive. Notice that the advantage of a (q, t) adversary in attacking the single key cipher F itself in this model (namely E = Fk for a random κ bit string k in world 1) will be (at most) t/2κ . This is the mark we have to beat if we want to show that the composed cipher is stronger than the original one. 1.2

The Results

It is known that the strength of the composed cipher is at least that of the first [10], but prior to this work it was not known whether the advantage of a (q, t) adversary versus Dbl-F was any lower than its advantage versus the single key cipher F itself. Here we are able to show that composition actually increases security, in the ideal cipher model described above. The double key cipher. Recall that the double F cipher Dbl-F has 2κ bits of key. Our main result is Theorem 1, which says that Sec(Op, κ, n, q, t) is at most t2 /22κ . Namely, no (q, t)-adversary attacking the double cipher can achieve an advantage greater than t2 /22κ .

Security Amplification by Composition

393

1 Sec1(x) Sec2(x)

0.8

0.6

0.4

0.2

0 46

48

50

52

54

56

Fig. 1. Sec1(x) (the upper curve) and Sec2(x) (the lower curve) are, respectively, the maximal possible advantage obtainable by an adversary in breaking the single and double key ideal ciphers, respectively, as a function of x = log2 (t), the logarithm of the number of cipher computations made. We are using a key length of κ = 56. We see that Sec2 lies below Sec1 but they meet at 1. The text provides the exact formulas for these quantities.

We also show this bound is essentially tight, due to (a variant of) the meet in the middle attack. Theorem 2 presents an adversary who runs this attack, and analyzes it to show that its advantage is within a small factor of t2 /22κ . Note that the maximum possible advantage of an adversary attacking the double cipher case is the square of the maximum possible advantage of an adversary of the same resources attacking the original single key cipher. Thus, it is considerably smaller in most cases. (For example if κ = 56 and t = 245 then the former is 2−22 and the latter is 2−11 . Or, looking at it another way, to achieve an advantage of 2−11 against the double cipher you need at least 250 queries, while to get the same advantage against the single cipher you need only 245 queries.) To see the relation better, we plot in Figure 1 the maximal advantage t/2κ of an adversary in breaking the original single key cipher, and the maximal advantage t2 /22κ of an adversary in breaking the double cipher, as a function of x = log2 (t). Notice that the upper bound on the advantage in the double key case hits one (meaning, the scheme can be broken) when t = 2κ . This is expected: that’s the meet in the middle attack. Of course, that’s the same point at which the advantage hits one for the original single key cipher. (In this case due to an exhaustive key search attack.) Thus, the “effective key length” of the double cipher is not more than that of the single one. That does not mean that security has not increased. Security is not a number, but a function of the resources invested, and our analysis and Figure 1 show that for values of t below 2κ the

394

W. Aiello et al.

chance of breaking the double cipher is smaller than that of breaking the original one. The two-key triple cipher. We show that the same bound holds for the two-key triple cipher, meaning the advantage of a (q, t) adversary is bounded by t2 /22κ . This shows that here too there is an improvement in the security curve as a function of t. In this case our bound is tight for the case t ≈ q but not tight in general. See [1] for this material. The m-fold cascade. The m-fold composition of cipher F is the cipher with key k1 , . . . , km defined by Fk1 ,...,km = Fk1 ◦ Fk2 ◦ · · · ◦ Fkm . The techniques above extend to show that the advantage of an (q, t) adversary is at most tm /2mκ . This shows that the advantage grows more and more slowly as m increases. However, for m ≥ 3 the result is not tight; we expect the 3-fold composed cipher to have an even greater strength than this indicates. Thus, we won’t discuss this result any more in this paper. The future. The analysis of the two key ciphers we present here is a start on a problem that appears to be quite technically challenging. In the future we would like to see tight bounds on the advantage for the m-fold composition for m ≥ 3 and also for the two-key triple cipher in the case q << t, but the distance needed to get there seems quite large at this time. 1.3

Related Work

The model used here is that of Kilian and Rogaway [8], who in turn built on Even and Mansour [7], although the basic idea of course goes back to Shannon [13]. Kilian and Rogaway [8] analyze Rivest’s DESX cipher in this model and show it has a large effective key length. If generic (or, as they call them, key search) attacks are the only concern, DESX is cheaper than Double or Triple DES, but DESX is just as vulnerable as DES to differential and linear cryptanalysis. The (apparent) strength of Double and two-key triple DES against cryptanalysis coupled with the proven strength against generic attacks seem to make a strong combination that is absent for DESX. The basic meet in the middle attacks are due to [5,12]. Even and Goldreich provide some time-space tradeoffs for meet-in-the-middle attacks [6], and Van Oorschot and Wiener [14] reduce the space requirements. Even and Goldreich [6] had shown that the cascade of m ciphers is at least as strong as its strongest component. Maurer and Massey [10] argued that this result required restrictions in the model, and also showed that the cascade is at least as strong as its first component. Our work is the first to show that the cascade can be stronger than the original cipher. Our analysis builds on techniques of [8] and [2]. Applications aside, we feel that we are looking at a basic information theoretic question, namely the power of cascaded ciphers.

Security Amplification by Composition

1.4

395

Discussion on Implications of Our Result

What implications do these results have for the security of real ciphers like DES? This is a question that needs to be addressed with some care. After all, DES is not an ideal cipher. We are not claiming to have “proven Double DES” secure; that obviously is not a realistic possibility. Our results might be interpreted as saying that the existence of a generic attack against DES that is substantially better than the meet in the middle attack would imply that there are serious weaknesses in the random behavior of DES that so far has empirical support. The class of generic attacks is broad enough to be interesting, including meet-in-the-middle attacks and variants of it. But it does not include cryptanalytic attacks like differential or linear cryptanalysis, which exploit the structure of the cipher. However, one should note that at the moment the best attacks against Double and Triple DES are not the cryptanalytic ones, but the generic meet-in-the-middle attacks. And our results can be interpreted as ruling out improvements along those lines. The adversary resources we consider here are the number of cipher computations t and the number of available plaintext-ciphertext pairs of the attacked cipher available, q. These are the most basic resources, and also the natural ones to consider in an information theoretic setting. One might attempt to consider other resources like space (e.g. when it is small compared to the number of queries), or make a distinction between parallelizable and sequential computations. Addressing these issues would change the nature of the problem to the point where it is difficult to see how it might be treated by techniques similar to the ones we use. 1.5

Organization

The double cipher analysis is in Section 3. There we state and prove the upper bound. In Appendix A we present the meet in the middle attack analysis that shows the upper bound is tight. Some proofs are omitted due to lack of space and can be found in the full version of this paper [1].

2

Definitions

General. We use standard notation for expressing probabilistic experiments and algorithms. Namely if S is a probability space then x ← S denotes the operation of drawing x at random according to distribution S. If S is a set we use the same notation with the understanding that S is imbued with the uniform distribution. If S is not a set or probability space (in particular if x is a string or function) then x ← S is simply an assignment statement. Block ciphers. For an integer n ≥ 1 let PERM(n) denote the set of all maps π : {0, 1}n → {0, 1}n that are permutations, meaning both one-to-one and onto. A function F : {0, 1}κ × {0, 1}n → {0, 1}n is a block cipher if for each key k ∈ {0, 1}κ, the function F (k, ·) : {0, 1}n → {0, 1}n is a permutation on {0, 1}n, meaning a member of PERM(n). Here, n is the block length of the cipher and κ

396

W. Aiello et al.

is the key length of the cipher. Think of F as a 2κ by 2n table, with entry (k, x) containing F (k, x). Each row is a permutation of {0, 1}n. For convenience, define Fk : {0, 1}n → {0, 1}n, for each k ∈ {0, 1}κ, by Fk (x) = F (k, x). This is the permutation in the k-th row. Although the function F does not have an inverse function, it does have a well defined inverse block cipher. When it is clear from context that F is a block cipher then we will let F −1 : {0, 1}κ ×{0, 1}n → {0, 1}n denote the block cipher inverse of F , defined as follows: F −1 (k, y) = Fk−1 (y). That is, F −1 (k, y) = x iff F (k, x) = y. Let BC(κ, n) denote the set of all block ciphers with key length κ and block length n. This is viewed as a probability space under the uniform distribution. Thus F ← BC(κ, n) means that F is selected according to the following experiment: for all k ∈ {0, 1}κ do F (k, ·) ← PERM(n). Operators: Double and triple. We are interested in transformations, or operators, which map one block cipher to another. In general such an operator is a map Op taking a block cipher F ∈ BC(κ, n) and returning another block cipher, which we denote by Op-F , and which belongs to BC(κ∗ , n∗ ) for some values of κ∗ , n∗ that depend on κ, n and Op. (In this paper it will always be the case that n∗ = n.) We now define the two central operators for this paper. The double composition operator Dbl : BC(κ, n) → BC(2κ, n) is defined by Dbl-F k1 k2 = Fk1 ◦Fk2 . In other words, Dbl-F (k1 k2 , x) = F (k1 , F (k2 , x)) for every k1 , k2 ∈ {0, 1}κ and every x ∈ {0, 1}n. The two key, triple composition operator Trp2 : BC(κ, n) → BC(2κ, n) is defined by Trp2 -F k1 k2 = Fk1 ◦ Fk−1 ◦ Fk1 . In other 2 words, Trp2 -F (k1 k2 , x) = F (k1 , F −1 (k2 , F (k1 , x))) for every k1 , k2 ∈ {0, 1}κ and every x ∈ {0, 1}n . Note both these ciphers have key length twice that of the original cipher. Security. We will be considering the security of these operators. The setting for security is the following. Consider an adversary algorithm A which has access to three oracles, E, F, F −1 , where F ∈ BC(κ, n) and E : {0, 1}n → {0, 1}n. It computes with them and eventually outputs a bit. This computation is adaptive. This means that it makes queries to oracles as it pleases, choosing these queries as a function of answers to previous queries. We represent A’s output −1 when interacting with these oracles by AE,F,F . (Since we will not restrict the computational power of the adversary A, it is without loss of generality deterministic, and hence this output is uniquely defined once A, F, E are fixed.) If the oracles that A interacts with are chosen according to some distribution then A’s output will be a random variable over {0, 1}. We let h i −1 SuccA (κ, n) = Pr AE,F,F = 1 : F ← BC(κ, n) ; E ← PERM(n) denote the success probability of A in the “ideal world” (called world 2 in the Introduction) where E is a random permutation independent of the cipher F . On the other hand, if Op : BC(κ, n) → BC(κ∗ , n∗ ) is an operator then we let SuccA (Op, κ, n) = i h −1 ∗ Pr AE,F,F = 1 : F ← BC(κ, n) ; k ∗ ← {0, 1}κ ; E ← Op-F k∗ .

Security Amplification by Composition

397

In other words, having selected F , apply the operator to it to get a new cipher F ∗ = Op-F . Now, choose at random a permutation E of this cipher, by choosing a key k ∗ and setting E to Fk∗∗ . (This was called world 1 in the Introduction.) Now let AdvA (Op, κ, n) = SuccA (Op, κ, n) − SuccA (κ, n) . This is the the advantage of A in breaking the Op induced cipher. To measure the quality of a particular operator Op (eg. Dbl or Trp2 ) we want to upper bound the advantage in terms of the resources used by the adversary, meaning the number of queries it makes to its oracles. We call a query to the E oracle an E-query; a query to the F oracle an F query; a query to the F −1 oracle an F −1 query. Typically the number of E-queries is denoted q, while the sum of the number of F and F −1 queries is denoted t. The security of the operator Op is then given by Sec(Op, κ, n, q, t) = max AdvA (Op, κ, n) , A

where the maximum is taken over all adversaries A who make at most q E-queries and at most t F/F −1 queries. Thus our goal will be to bound Sec(Op, κ, n, q, t) in terms of q, t, κ, n for the two ciphers we are investigating, namely Op = Dbl and Op = Trp2 . We stress that this bound will apply to any adversary. No assumptions are made about the strategy followed by this adversary other than that it is limited to the specified number of queries.

3

Security Analysis of the Double Cipher

In this section our goal will be to determine the security of the doubly iterated ideal cipher. In other words, we want to estimate, as accurately as possible, the value of Sec(Dbl, κ, n, q, t), as a function of the cipher parameters κ, n and the adversary resource bounds q, t. The following is the main theorem, which provides an upper bound on the security. It says that the advantage of any adversary A attacking the doubly iterated ideal cipher is at most t2 /22κ , regardless of the strategy used by this adversary. Theorem 1. For any κ, n, q, t ≥ 1 it is the case that t2 Sec(Dbl, κ, n, q, t) ≤ 2κ . 2 Notice that the bound depends only on the number t of F/F −1 queries made by A, and the key length κ of the cipher; it does not depend on the number q of E-queries made by A or the block length n of the cipher. This reflects the reality. In fact our result is essentially tight; more precisely, the bound above is tight up to constant factors as long as q is not too tiny. This is established by Theorem 2 where we show that an appropriate adaptation of the standard meet in the middle attack enables an adversary to obtain an advantage close to that of the upper bound. The rest of this section will be devoted to a proof of Theorem 1. We fix an adversary A who makes at most q E queries and at most t F/F −1 queries.

398

W. Aiello et al.

We want to show that AdvA (Dbl, κ, n) ≤ t2 /22κ . We will first introduce some terminology. 3.1

Preliminaries

The probability spaces. We consider two “games.” Each consists of running the adversary with its oracles chosen according to some probability space. Probability Space 1 is that of the experiment defining SuccA (Dbl, κ, n). Namely, the underlying experiment is: F ← BC(κ, n) ; k1∗ ← {0, 1}κ ; k2∗ ← {0, 1}κ ; E ← Fk1∗ ◦ Fk2∗ , −1

and Game 1 is to just run AE,F,F and reply to its oracle queries according to the functions E, F, F −1 chosen by the experiment. Now, the experiment defining Probability Space 2 is F ← BC(κ, n) ; k1∗ ← {0, 1}κ ; k2∗ ← {0, 1}κ ; E ← PERM(n) . −1

In Game 2, we just run AE,F,F and reply to its oracle queries according to the functions E, F, F −1 chosen by the experiment. Notice that in so doing, we completely ignore the two keys k1∗ , k2∗ ; the responses to oracle queries do not depend on these at all. Thus, the output of A in Game 2 is exactly that in the experiment defining SuccA (κ, n). The extra keys we have created will be used only in the analysis. We let Pr1 [ · ] denote the probability under Probability Space 1, and Pr2 [ · ] that under Probability Space 2. Quantities involved. Since we are not limiting the computing power of the adversary, we may, without loss of generality, regard it as deterministic. We may also assume it makes exactly q E queries and exactly t F/F −1 queries, and that no query is ever repeated. When the oracles E, F, F −1 are fixed, the sequence of queries by A and responses by the oracles is determined. We view it as a game in which the adversary and the oracles alternate moves; one query followed by a response is a round, so each round has two moves, the first by the adversary, the second by the oracles. There are q + t rounds. We will be referring to the following quantities: Mvs = The set {0, 1, . . . , 2(q +t)} whose members will be used to index moves of the game. OdMvs = The set of odd numbers in Mvs, corresponding to question moves. EvMvs = The set of even numbers in Mvs, corresponding to reply moves. It is technically convenient to include 0 in these sets even though there is no 0-th round or move. Furthermore we use the following notation: qi : For i ∈ OdMvs, the query in the i-th move. It is of the form (x, ∗), (k, x, ∗), or (k, ∗, y) which are queries to E, F , and F −1 , respectively. ri : For i ∈ EvMvs, the reply in the i-th move. For i > 0 it is (x, E(x)), (k, x, Fk (x)), or (k, Fk−1 (y), y), corresponding, respectively, to the query qi−1 ; for i = 0 it is the empty string.

Security Amplification by Composition

399

Also: Viewi (AE,F,F

−1

) : For i ∈ Mvs, the view of the adversary after i moves; this is q1 r2 . . . qi−1 ri if i > 0 is even; q1 r1 . . . ri−1 qi if i is odd; and the empty string if i = 0 −1 −1 View(AE,F,F ) : View2(q+t) (AE,F,F ).

Note the adversary’s output bit is some deterministic function of the last view. We call the keys (k1∗ , k2∗ ) chosen in the games the crucial key pair. Our analysis will focus on whether or not this key pair is “eliminated” by a current view, and what is its distribution from the point of view of A if not. So let vi represent a possible view after i moves of the game. We consider two sets of key pairs, the “seen key pairs” (SKP) and the “remaining key pair” (RKP): SKP(vi ) : A key pair k1 , k2 is in SKP(vi ) if there are two queries q and q 0 in vi such that q is an F -query or F −1 query with key k1 (i.e., a query of the form (k1 , x, ∗) or (k1 , ∗, y), respectively), and q 0 is an F -query or F −1 query with key k2 (i.e., a query of the form (k2 , x, ∗) or (k2 , ∗, y), respectively). RKP(vi ) : ({0, 1}κ × {0, 1}κ) − SKP(vi ) Note that SKP(vi ) depends only on the queries in vi and not on the replies. That is, SKP(vi ) = SKP(vi+1 ) for i ∈ OdMvs. If A knows that Fk2 (x) = y and Fk1 (y) = z and has also made the E query x then it can with high probability eliminate (k1 , k2 ) as a candidate for the crucial key pair. Intuitively, we might think of the key pairs (k1 , k2 ) ∈ SKP(v) as being “eliminated”. (Of course, they might not be eliminated, but we can’t be sure, so we count them out.) Thus RKP(vi ) captures the set of remaining key pairs associated to any view. These are the key pairs (k1 , k2 ) so that at least one of them has not been in either an F or an F −1 query. Note the key pair is not considered “eliminated” if one of its components has been in a F/F −1 query: both have to have been in such queries to “eliminate” the pair. The current view vi contains some number of F or F −1 queries on a particular key k. This effectively “opens up” the corresponding spots in row k of the F table, in the sense that in the randomly chosen F table, these entries become known to the adversary. Similarly for E-queries. We let F-Qrs(vi , k) = The set of all y such that there are responses in vi of the form (k, x, y). E-Qrs(vi ) = The set of all y such that there are responses in vi of the form (x, y). The random variables. Under the random choice of E, F, F −1 made in the probability spaces 1 and 2, the above discussed quantities become random variables. Here are some random variables we will need to refer to explicitly:

400

W. Aiello et al.

Qi : Ri : Ti : Viewi : View : Ui,j :

Takes value qi , the i-th query, for i ∈ OdMvs. Takes value ri , the i-th reply, for i ∈ EvMvs. Equals Qi if i is odd and Ri if i is even. −1 Takes value Viewi (AE,F,F ), for i ∈ Mvs. −1 Takes value View(AE,F,F ). Equals Ti . . . Tj

The bad event. We also define a central event: badi : For i ∈ Mvs, event badi is said to happen if the crucial key pair (k∗1 , k∗2 ) is seen, that is, (k∗1 , k∗2 ) ∈ SKP(Viewi ). In other words, the crucial key pair is “eliminated”. Whether a particular key pair has been seen only depends on the queries of A and thus badi = badi+1 for i ∈ OdMvs. We let bad be bad2(q+t) , meaning it captures whether the bad event happened at the end of the game. 3.2

Proof Outline

A very rough cut at the idea of the analysis is that as long as bad has not happened in probability space 1, the answers coming back to oracle queries there “look random” and so probability space 1 looks like probability space 2. We can then bound the advantage by the probability of the bad event. This is overly simplistic. It is also incorrect. One should first note that even if the bad event fails to happen in game 1, that game will not look like game 2; there are events that have probability one in the latter and zero in the former. In fact, we need to condition on the bad event not happening in both probability spaces. We will show that the conditional probability of a particular view given that bad has not occurred is the same in the two games. To show this we will be forced to show something stronger as stated in the lemma below. Lemma 1. Let i ∈ Mvs and let vi be a possible view of the adversary after the i-th move. Then for all 0 ≤ s ≤ 2(q + t) − i, Pr1 [ Viewi = vi | badi+s ] = Pr2 [ Viewi = vi | badi+s ] . The proof of this lemma is postponed until later. Since the final decision of the adversary depends only on its view, the distribution of the adversary’s decision is the same in the two games as long as the bad event has not happened. Thus, a corollary to the above lemma is h h i i −1 −1 (1) Pr1 AE,F,F = 1 | bad = Pr2 AE,F,F = 1 | bad . Less obvious is that Lemma 1 will also be needed to show that the probability of the bad event is the same in both games. To show this we need to prove something a bit stronger: we need to show that the equality holds at any stage. This is stated in the lemma stated below.

Security Amplification by Composition

401

Lemma 2. For all i = 0, . . . , 2(q + t), Pr1 [ badi ] = Pr2 [ badi ] .

(2)

The proof of this lemma is also postponed until later. Lemmas 1 and 2 can be used to bound the advantage of the adversary by the probability of the bad event. Lemma 3. AdvA (Dbl, κ, n) ≤ Pr2 [ bad ]. Proof (Lemma 3). The lemma is shown using the following straightforward cal−1 culation. We suppress the superscripts of AE,F,F for clarity. Pr1 [ A = 1 ] − Pr2 [ A = 1 ] =

Pr1 [ A = 1 | bad ] · Pr1 [ bad ] − Pr2 [ A = 1 | bad ] · Pr2 [ bad ] + Pr1 [ A = 1 | bad ] · Pr1 [ bad ] − Pr2 [ A = 1 | bad ] · Pr2 [ bad ]

=

(Pr1 [ A = 1 | bad ] − Pr2 [ A = 1 | bad ]) · Pr2 [ bad ]) + (Pr1 [ A = 1 | bad ] − Pr2 [ A = 1 | bad ]) · Pr2 [ bad ]

= (Pr1 [ A = 1 | bad ] − Pr2 [ A = 1 | bad ]) · Pr2 [ bad ] . The second equality is by Lemma 2. The last equality is by Equation (1).

t u

Of course, since the probability of the bad event is the same in both probability spaces we could have bounded the advantage by the probability of the bad event in probability space 1. However, calculating the probability of the bad event is very easy in probability space 2 as can be seen below. Lemma 4. Pr2 [ bad ] ≤ t2 /22κ . Proof (Lemma 4). This is straightforward, since in Game 2, no information about the keys (k∗1 , k∗2 ) is given to the adversary. The bad event depends only on the number of F and F −1 queries, and in the worst case all the t such queries are made to different keys. Then the chance that k∗1 is in any query is t/2κ , and t u the same, independently, for k∗2 , so the bound holds. Clearly, Lemmas 3 and 4 imply Theorem 1. This completes the outline of the proof of Theorem 1. To complete the proof we must prove Lemmas 1 and 2. To do so we will first need a sequence of three lemmas, Lemmas 5, 6, and 7. The last of these will be used in the proof of Lemma 1. Lemma 5 will again be used to prove Lemma 8 on the conditional probability of the crucial key pair. Lemma 8 will then be used with Lemma 1 to prove Lemma 2. 3.3

Distribution of Replies in the Next Round

In Game 2, given the view vi at any point, the distribution of the answer to the next oracle query is, clearly, uniform, over the remaining range; for example, the answer to an E-query is uniform over {0, 1}n − E-Qrs(vi ). The first lemma will say this is true for Game 1 too, as long as the bad event does not happen. However, we will need to say this in a strong sense. Namely,

402

W. Aiello et al.

fix any key pair that has still not been “eliminated”. Conditioned on this being the crucial key pair, as well as on the current view, the distribution of the answer to the next oracle query is still “as it should be,” meaning uniform over whatever possibilities remain. Note we must show this for all types of queries: E, F and F −1 . Lemma 5. Let j ∈ {1, 2} and i ∈ OdMvs. Let vi = q1 r2 . . . qi−2 ri−1 qi be a possible view of the adversary just before the answer to query qi is obtained. For any string ri+1 ∈ {0, 1}n and all (k1 , k2 ) ∈ RKP(vi kri+1 ), Prj [ Ri+1 = ri+1 | (k∗1 , k∗2 ) = (k1 , k2 ) ∧ Viewi = vi ] =  1   if qi is an E-query and ri+1 6∈ E-Qrs(vi )  n  2 − |E-Qrs(vi )|   1 if qi is an F or F −1 query with key k and ri+1 6∈ n  2 − |F-Qrs(k, vi )| F-Qrs(k, vi )      0 otherwise. In particular, the value depends neither on j nor on (k1 , k2 ). Proof (Lemma 5). See [1].

t u

The above lemma shows that for a fixed partial conversation vi where i ∈ OdMvs, and fixed pair of keys k1 , k2 such that badi is true (i.e., (k1 , k2 ) ∈ RKP(vi )), all the answers ri+1 which continue to keep the partial conversations from being “bad” (i.e., (k1 , k2 ) ∈ RKP(vi ri+1 )), have the same probability in each probability space. We will use this lemma to prove an extension of this. Namely, for a fixed partial conversation vi and fixed pair of keys k1 , k2 such that badi is true, all further move sequences which continue to keep the partial conversations from being “bad” have the same probability in each probability space. We state this formally below. Lemma 6. Let j ∈ {1, 2}. Let vi be a possible view of the adversary after move i ∈ Mvs, and let 1 ≤ ` ≤ 2(q + t) − i. For any possible extension ui+1,i+` of vi by ` moves, and for any key pair (k1 , k2 ) ∈ RKP(vi kui+1,i+` ), Prj [ Ui+1,i+` = ui+1,i+` | (k∗1 , k∗2 ) = (k1 , k2 ) ∧ Viewi = vi ] depends neither on j nor on (k1 , k2 ). (That is, it depends only on vi and ui+1,i+` .) Proof (Lemma 6). See [1].

t u

We now use the above lemma to prove a generalization of Lemma 5 which we will need subsequently. Lemma 7. Let j ∈ {1, 2} and i ∈ OdMvs. Let vi = q1 r2 . . . qi−2 ri−1 qi be a possible view of the adversary just before the answer to query qi is obtained. For any string ri+1 ∈ {0, 1}n, all (k1 , k2 ) ∈ RKP(vi kri+1 ), and all 0 ≤ s ≤ 2(q+t)−i, Prj [ Ri+1 = ri+1 | (k∗1 , k∗2 ) = (k1 , k2 ) ∧ Viewi = vi ∧ badi+s ] depends neither on j nor on k1 , k2 . (That is, it depends only on vi and ri+1 and s.)

Security Amplification by Composition

403

t u

Proof (Lemma 7). See [1].

Proof (Lemma 1). The proof will be by induction on i ∈ Mvs. The base case of the induction is when i = 0, and in this case the lemma is trivially true because the view is by definition the empty string. So assume the statement of the lemma up to move i. We will prove it for i + 1. Fix an arbitrary s ≥ 0. First consider the case where i ∈ EvMvs, meaning the last move in vi is a reply. Let qi+1 be arbitrary. Then: Prj [ Viewi+1 = vi qi+1 | badi+1+s ] = Prj [ Viewi = vi | badi+1+s ] · Prj [ Qi+1 = qi+1 | Viewi = vi ∧ badi+1+s ] . First, look at the first factor. Since s ≥ 0 by assumption, then s + 1 ≥ 0, and therefore the first term is the same for j = 1 and 2 by induction. Next look at the second factor. A’s query is just dependent on A and on vi , the view so far. Thus, the probability is the same for both j = 1 and j = 2. (And is equal to 0 except possibly for one value of qi+1 .) Therefore, the product of the two probabilities is equal for j = 1 and j = 2, for all s ≥ 0. Next consider the case where i ∈ OdMvs, meaning the last move in vi is a query. Let ri+1 ∈ {0, 1}n be arbitrary and let vi+1 = vi ri+1 . Then: Prj [ Viewi+1 = vi ri+1 | badi+1+s ] = Prj [ Viewi = vi | badi+1+s ] · Prj [ Ri+1 = ri+1 | Viewi = vi ∧ badi+1+s ] . Consider the first factor. Since s ≥ 0 by assumption, then s+1 ≥ 0, and therefore, by induction, the first term is the same for j = 1 and 2. The second factor is equal to: X pj (k1 , k2 ) · qj (k1 , k2 ) (k1 ,k2 )

where the sum is over all (k1 , k2 ) ∈ {0, 1}κ × {0, 1}κ and we have set pj (k1 , k2 ) = Prj [ Ri+1 = ri+1 | (k∗1 , k∗2 ) = (k1 , k2 ) ∧ Viewi = vi ∧ badi+1+s ] qj (k1 , k2 ) = Prj [ (k∗1 , k∗2 ) = (k1 , k2 ) | Viewi = vi ∧ badi+1+s ] We start by examining the first factor, namely pj (k1 , k2 ). By Lemma 7, for all (k1 , k2 ) ∈ / SKP(vi+1 ), this probability is the same for both j = 1 and 2, and independent of (k1 , k2 ). Call this value p. On the other hand for (k1 , k2 ) ∈ SKP(vi+1 ) we have pj (k1 , k2 ) = 0 because of the conditioning on badi+1+s . Thus the above sum reduces to X p· qj (k1 , k2 ) (k1 ,k2 )

where the sum is over all (k1 , k2 ) ∈ RKP(vi+1 ). We claim that this range is over all the nonzero values of the probability and thus the sum is equal to 1. To see this, note that qj (k1 , k2 ) is equal to 0 for (k1 , k2 ) ∈ SKP(vi+1 ). This completes the induction and the proof of Lemma 1. t u

404

W. Aiello et al.

The remaining task is to prove Lemma 2 which states that the probability that the bad event occurs is the same in both probability spaces. To do so we will first prove the following lemma about the distribution of keys. The proof of this lemma will use Lemma 1 which, recall, states that the probability of a given query and response (which are not bad) for a fixed partial view and a fixed pair of keys (which are not bad) is the same in both probability spaces. 3.4

Equi-Probability of Unseen Keys

A crucial lemma is that in Game 1, as long as the bad event has not happened, if adversary has a particular view, then any “un-eliminated” key pair is equally likely to be the crucial key pair. Without this, it might be that the adversary’s chance of hitting the crucial key is better in Game 1 (given the bad event fails) than in Game 2 (given the bad event fails). To simplify notation, for j ∈ {1, 2} and vi let Prj,vi [ · ] = Prj [ · | Viewi = vi ∧ badi ] . Lemma 8. Let j ∈ {1, 2}. Let vi be a possible view of the adversary after move i ∈ Mvs. Let (k1 , k2 ) ∈ RKP(vi ). Then 1 . Prj,vi [ (k∗1 , k∗2 ) = (k1 , k2 ) ] = |RKP(vi )| Proof (Lemma 8). See [1].

t u

Using the above lemma we can now prove Lemma 2 which (recall) states that Pr1 [ badi ] = Pr2 [ badi ] for all i ∈ Mvs. Proof (Lemma 2). The proof is by induction on i ∈ Mvs. The base case is when i = 0. In this case, the current view v of the adversary, in either game, is empty, so that SKP(v) = ∅. Thus, both probabilities are zero. So, assume the lemma statement is true up to move i ∈ Mvs where i < 2(q + t). We will prove it for i + 1, namely we will show that Pr1 [ badi+1 ] = Pr2 [ badi+1 ] . (3) We first consider the case where i + 1 is even, meaning the last move in vi is a query. We have Prj [ badi+i ] = Prj [ badi ] + Prj [ badi+1 | badi ] . The first term is equal for j = 1 and 2 by induction, and Prj [ badi+1 | badi ] = 0 because i + 1 is even. To complete the induction we need to prove Equation (3) for the case where i + 1 is odd, meaning the last move in vi is a reply. Let j ∈ {1, 2}. We can write Prj [ badi+1 ] = Prj [ badi ] + Prj [ badi+1 | badi ] . The first term is independent of j by the induction hypothesis. We will now argue that the second term is also independent of j. By conditioning we can write the second term as

Security Amplification by Composition

405

Prj [ badi+1 | badi ] X Prj [ badi+1 | badi ∧ Viewi = vi ] · Prj [ Viewi = vi | badi ] = vi ∈Vj

=

X

vi ∈Vj

Prj,vi [ badi+1 ] · Prj [ Viewi = vi | badi ] , {z } | {z } | |

first term

{z

second term

product term associated to vi

}

where Vj = { vi : Prj [ Viewi = vi | badi ] > 0 } is the set of possible views after move i in Game j. Let us first observe that V1 = V2 , namely the set of views vi for which the second term of the “product term associated to vi ” is positive is the same in both games. This is true by Lemma 1, which tells us that Prj [ Viewi = vi | badi ] does not depend on j and hence in particular the values of v for which it is zero are the same for j = 1 and j = 2. Now let us set V = V1 = V2 and compare the sums, term by term, in the cases j = 1 and j = 2. Fix a particular string vi ∈ V and focus on the “product term associated to vi .” The second term in it is independent of j by Lemma 1. We will show the same is true for the first term, which will complete the proof. (One needs to be a little careful. The first term is not well defined for just any v, only for vi ∈ Vj . That’s why it was important, first, to restrict attention to these vi values, and, second, to make sure that V1 = V2 , since otherwise we would not be sure that we have shown equality for every term in the two sums.) So the remaining task is to consider Prj [ badi+1 | badi ∧ Viewi = vi ] for vi ∈ V and show it does not depend on j. First note that RKP(vi ) 6= ∅, because, RKP(vi ) = ∅ would imply Prj [ Viewi = vi | badi ] = 0, and we have assumed the last to not be true. Since the view vi and the adversary are fixed, the next query qi+1 is uniquely determined. Let NKP(vi , qi+1 ) = RKP(vi ) − RKP(vi kqi+1 ) be the set of “new key pairs” that are “seen” by the (i + 1)-th query. (This set is empty if the latter is an E-query. It is also empty if it is an F or F −1 query with key with which A has already queried. If it is an F or F −1 query with key k with which A has not queried, then the set consists of pairs (k, k 0 ) and (k 0 , k) where k 0 is any other key with which A has queried F or F −1 .) We claim that |NKP(vi , qi+1 )| , (4) Prj [ badi+1 | badi ∧ Viewi = vi ] = |RKP(vi )| for both j = 1 and j = 2. Note the fraction is well defined, in that the denominator is not zero, because RKP(vi ) is non-empty. Equation (4) follows from Lemma 8. This says that from the point of view of the adversary, all remaining key pairs remain equally likely, in either game. u t

406

W. Aiello et al.

Acknowledgments The second author was supported by a 1996 Packard Foundation Fellowship in Science and Engineering, and by NSF CAREER Award CCR-9624439. The third author was supported in part by the above mentioned grants of the second author. Thanks to the members of the Crypto 98 program committee for their comments on the paper.

References 1. W. Aiello, M. Bellare, G. Di Crescenzo and R. Venkatesan, “Security Amplification by Composition:The Case of Doubly-Iterated, Ideal Ciphers” Full version of this paper, available via http://www-cse.ucsd.edu/users/mihir. 394, 395, 402, 402, 403, 404, 407 2. M. Bellare, J. Kilian and P. Rogaway, “The security of cipher block chaining”, Advances in Cryptology – Crypto 94 Proceedings, Lecture Notes in Computer Science Vol. 839, Y. Desmedt ed., Springer-Verlag, 1994. 394 3. E. Biham and A. Shamir, “Differential cryptanalysis of DES-like cryptosystems,” J. of Cryptology, Vol. 4, No. 1, pp. 3–72, 1991. 391 4. E. Biham and A. Shamir, “Differential cryptanalysis of the Full 16-round DES,” Advances in Cryptology – Crypto 92 Proceedings, Lecture Notes in Computer Science Vol. 740, E. Brickell ed., Springer-Verlag, 1992. 391 5. W. Diffie and M. Hellman, “Exhaustive cryptanalysis of the NBS data encryption standard,” Computer, Vol. 10, No. 6, pp. 74–84, June 1977. 394 6. S. Even and O. Goldreich, “On the power of cascade ciphers,” ACM Transactions on Computer Systems, Vol. 3, No. 2, May 1985, pp. 108–116. 394, 394 7. S. Even and Y. Mansour, “A construction of a cipher from a single pseudorandom permutation,” Advances in Cryptology – ASIACRYPT 91 Proceedings, Lecture Notes in Computer Science Vol. 739, H. Imai, R. Rivest and T. Matsumoto ed., Springer-Verlag, 1991. 394 8. J. Kilian and P. Rogaway, “How to protect DES against exhaustive key search”, Advances in Cryptology – Crypto 96 Proceedings, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996. 394, 394, 394 9. M. Matsui, “Linear cryptanalysis method for DES cipher,” Advances in Cryptology – Eurocrypt 93 Proceedings, Lecture Notes in Computer Science Vol. 765, T. Helleseth ed., Springer-Verlag, 1993. 391 10. U. Maurer and J. Massey, “Cascade ciphers: The importance of being first,” Journal of Cryptology, Vol. 6, No. 1, 1993, pp. 55–61. 392, 394 11. R. Merkle, “Secrecy, authentication, and public key systems,” UMI Research Press, Ann Arbor, Michigan, 1979. 12. R. Merkle, and M. Hellman, “On the security of multiple encryption”, Communications of the ACM, vol. 24, n. 7, pp. 465–467, July 1981. 394 13. C. Shannon, “Communication theory of secrecy systems,” Bell Systems Technical Journal, Vol. 28, No. 4, 1949, pp. 656–715. 394 14. P. Van Oorschot and M. Wiener, “Improving meet in the middle attacks by orders of magnitude,” Advances in Cryptology – Crypto 96 Proceedings, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996. 394 15. P. Van Oorschot and M. Wiener. “A known plaintext attack on Two-Key Triple Encryption,” Advances in Cryptology – Eurocrypt 90 Proceedings, Lecture Notes in Computer Science Vol. 473, I. Damg˚ ard ed., Springer-Verlag, 1990.

Security Amplification by Composition

A

407

Best Attack: Meet in the Middle

In this section we will show the following: Lemma 9. For any κ, n ≥ 1, any 1 ≤ s ≤ q ≤ 2n−1 , and any t ≥ 2s, there is an adversary A such that t2 1 1 . · − AdvA (Dbl, κ, n) ≥ 4s2 22κ 2s(n−1) We can now optimize the value of s and obtain the following theorem which says that the bound of Theorem 1 is essentially tight: Theorem 2. For any κ, n ≥ 1, let s = d(2κ + 1)/(n − 1)e. Then for any t ≥ 2s and s ≤ q ≤ 2n−1 it is the case that 1 t2 . Sec(Dbl, κ, n, q, t) ≥ 8s2 22κ Proof. The choice of s guarantees that 22κ+1 ≤ 2s(n−1) . This means that 1 1 1 1 − s(n−1) ≥ . 22κ 2 22κ 2 Now apply Lemma 9.

t u

Notice that for typical block cipher parameters κ, n, the value of s is very small. For example, for the DES parameters κ = 56 and n = 64 we have s = d113/63e = 2. Thus the above lower bound of Theorem 2 is in practice close to the upper bound of Theorem 1. Proof (Lemma 9). The proof is by presenting an adversary A who achieves the claimed advantage. The adversary A plays a version of the meet-in-the-middle attack, but we need to adapt it slightly and then analyze it in our framework. It is convenient to let [N ] = {1, 2, . . . , N } for any integer N ≥ 1. The adversary proceeds as follows: For i = j, . . . , s do Let xj ∈ {0, 1}n be the j-th string in lexicographic order Compute yj = E(xj ) Choose two disjoint sets K1 = { k1,i : i ∈ [t/2s] } and K2 = { k2,i : i ∈ [t/2s] } of κ-bit keys, each set being of size t/2s. (These might be chosen at random, but not necessarily). For i = 1, . . . , t/2s do For j = 1, . . . , s do Compute ui,j = F (k1,i , xj ) and vi,j = F −1 (k2,i , yj ) Let ui = (ui,1 , . . . , ui,s ) and vi = (vi,1 , . . . , vi,s ) Let C = { (a, b) ∈ [t/2s] × [t/2s] : ua = vb } If C 6= ∅ then return 1 else return 0 An analysis of this attack, showing that the advantage of the adversary is as claimed, is in [1]. u t

On the Existence of 3-Round Zero-Knowledge Protocols Satoshi Hada and Toshiaki Tanaka KDD R & D Laboratories 2-1-15 Ohara, Kamifukuoka, Saitama 356-8502, Japan {sa-hada,tl-tanaka}@kdd.co.jp

Abstract. In this paper, we construct a 3-round zero-knowledge protocol for any NP language. Goldreich and Krawczyk proved that a 3-round black-box simulation zero-knowledge protocol exists only for BPP languages. However, there is no contradiction here. That is, our proposed protocol achieves a weaker notion of zero-knowledge: auxiliary-input nonuniform zero-knowledge. Since this notion has not been investigated in the literature, we classify several zero-knowledge notions including it and discuss the relationships among them. Our main contribution is to provide a non-black-box simulation technique. It is based on a novel computational assumption related to the Diffie-Hellman problem. Although this assumption is strong and nonstandard, its non-standard nature seems essential for our simulation technique. Keywords: Zero-knowledge, interactive proof, Diffie-Hellman problem.

1

Introduction

The fundamental notion of zero-knowledge (ZK) introduced by Goldwasser, Micali and Rackoff plays a central role in modern cryptography [GMR85]. In this paper, we investigate the methodology underlying ZK in order to construct a 3-round ZK protocol for NP. 1.1

Background on Zero-Knowledge Protocol

Consider an interactive protocol in which a prover convinces a verifier that some common input x belongs to some underlying language L (In this paper, L is in NP). The length of x is denoted by n and one measures complexity in terms of n. The verifier is always a probabilistic polynomial-time machine. We focus on two properties: “soundness” and “zero-knowledge.” Each can be formalized in two ways depending on whether or not we restrict the adversary (the cheating prover and the cheating verifier) to a resource bound machine. The soundness asks that if x ∈ / L, any cheating prover can not convince the verifier to accept, except with negligible error probability. This notion is formalized in two ways: “proofs” and “arguments.” These provide the statistical H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 408–423, 1998. c Springer-Verlag Berlin Heidelberg 1998

On the Existence of 3-Round Zero-Knowledge Protocols

409

soundness and the computational soundness, respectively. The former requires that even a computationally unrestricted cheating prover should be unable to make the verifier accept x ∈ / L, except with negligible probability [GMR85]. On the other hand, the latter requires that any cheating prover restricted to probabilistic polynomial-time should be unable to make the verifier accept x ∈ / L, except with negligible probability [BrCr86][BCC88]. Although the notion of arguments is weaker than the notion of proofs, it is good enough for cryptographic applications. The soundness of arguments will typically depend on the complexity assumptions such as the discrete logarithm assumption. Whenever we talk of proofs or arguments, we always mean ones with negligible error probability. Zero-knowledge asks that when x ∈ L, an interaction with the prover yields no information (other than the fact x ∈ L) to any cheating verifier. Again, this notion is formalized in two ways: “statistical ZK” (SZK) and “computational ZK” (CZK). The former requires that even a computationally unrestricted cheating verifier will not gain useful information, except with negligible probability. On the other hand, the latter requires that any resource bound cheating verifier (probabilistic polynomial-time machine or polynomial-size circuit family) will not gain useful information, except with negligible probability. Clearly, SZK is a special case of CZK. In this paper, unless stated explicitly, ZK protocols mean CZK arguments. Our proposed protocol is a CZK argument. 1.2

Classification of Zero-Knowledge

Our proposed protocol achieves the notion of auxiliary-input non-uniform ZK. Since this notion has not been investigated in detail so far, we classify several relevant ZK notions and discuss the relationships among them. ZK was originally formalized in [GMR85] as follows: for any probabilistic polynomial-time machine Vˆ (the cheating verifier), there exists a probabilistic polynomial-time machine SVˆ (the simulator) which produces a probability distribution which is computationally indistinguishable from the distribution of conversations of Vˆ with the prover P . This original definition (GMRZK) is not suitable for cryptographic applications since it is not closed under sequential composition [GoKr96]. In cryptographic applications, the verifier can have some additional a-priori information. In order to overcome the above problem, auxiliary-input zero-knowledge (AIZK) was introduced in [GoOr94]. AIZK is defined by augmenting GMRZK with auxiliary-input, that is, the simulation requirement is extended to deal with non-uniform verifiers with an auxiliary-input, where the simulator takes the same auxiliary-input used by the verifier. It was shown that AIZK is closed under sequential composition [GoOr94]. Black-box simulation zero-knowledge (BSZK) requires the existence of a universal simulator that, using any non-uniform verifier Vˆ as a black-box, succeeds in simulating the interaction of Vˆ with the prover P . It was shown that BSZK implies AIZK [GoOr94]. Although BSZK is the most restrictive among the above definitions, almost all known ZK protocols are BSZK.

410

Satoshi Hada and Toshiaki Tanaka

All the above definitions are “semi-uniform” in the sense that it uses uniform machines but quantifies over all common inputs x ∈ L. The non-uniform formalization of ZK appeared in [Go93], where all machines are modeled by a family of polynomial-size circuits. We consider two non-uniform formalizations here: non-uniform zero-knowledge and auxiliary-input non-uniform zero-knowledge. Non-uniform zero-knowledge (NUZK) is a non-uniform variant of GMRZK. That is, it requires that for any family of polynomial-size circuits Vˆ , there exists a family of (probabilistic) polynomial-size circuits SVˆ which produces a probability distribution which is computationally indistinguishable from the distribution of conversations of Vˆ with the prover P . It is important to note that NUZK does not imply GMRZK [Go98-2]. In fact, one can devise artificial protocols for sparse languages such that it achieves the notion of NUZK but not GMRZK. For example, consider the following interactive proof for a sparse language Lsp = {1n }n∈N . The prover sends the verifier a hard function K(·) of the common input x ∈ Lsp (e.g., K is a non-recursive function indicating whether the nth Turing machine accepts every input). The verifier accepts iff x is of the form 1n . Certainly, this is an interactive proof for Lsp . It is not GMRZK since there is no way to simulate in probabilistic polynomial-time the interaction in which the prover sends the value of K(x). On the other hand, it is still NUZK since the simulator may just incorporate the hard bit (i.e., the nth circuit will incorporate the bit indicating if the nth Turing machine accepts every input). This shows that NUZK is a very weak notion of ZK and does not satisfy the intuitive requirement of ZK. Also, the result of [GoKr96] can be extended to show that NUZK is not closed under sequential composition. Auxiliary-input non-uniform zero-knowledge (AINUZK) is defined by augmenting the notion of NUZK with auxiliary-input. The above interactive proof for a sparse language achieves not only NUZK but also AINUZK. That is, AINUZK also does not satisfy the intuitive requirement of ZK. However, AINUZK has an advantage over NUZK since it is closed under sequential composition [GoOr94][Go93]. Our proposed protocol achieves this notion. Let Cl(def ) denote the class of all interactive proofs and arguments satisfying the requirements of definition def . In the light of the above, it holds that Cl(BSZK) ⊆ Cl(AIZK) ⊂ Cl(GM RZK) ⊂ Cl(N U ZK) and Cl(AIZK) ⊂ Cl(AIN U ZK) ⊂ Cl(N U ZK). It is an open problem whether Cl(BSZK) equals Cl(AIZK) [GoOr94]. 1.3

Motivation and Contribution

The round complexity, the number of messages exchanged, is a standard complexity measure for the efficiency of ZK protocols. Several researchers constructed constant round ZK protocols for NP [BCY89][FeSh89] [GoKa96] 1 [BJY97]. The 1

ZK protocols constructed in [GoKa96] are proofs rather than arguments.

On the Existence of 3-Round Zero-Knowledge Protocols

411

lower bounds on the round complexity have been investigated from the practical and theoretical viewpoint. Goldreich and Oren proved that only languages in BPP have 2-round AIZK protocols [GoOr94]. Their result can be extended to prove that only languages in P/poly have 2-round AINUZK protocols. Furthermore, Goldreich and Krawczyk proved that only languages in BPP have 3-round BSZK protocols [GoKr96] 2 . Since the argument in [GoKr96] uses the notion of black-box simulation in an essential way, their result does not apply to the weaker notions such as AIZK and AINUZK. Therefore, with respect to AIZK and AINUZK, it is an interesting open problem whether there exists a 3-round ZK protocols for a non-trivial language, i.e., a language not known to be in BPP and P/poly. As mentioned above, almost all known ZK protocols are BSZK, that is, the zero-knowledge property has been demonstrated using the black-box simulation of the verifier. In fact, it seems hard to conceive an alternative way to demonstrate ZK property. Therefore, it seems hard to construct a 3-round ZK protocol for a non-trivial language. In other words, in order to construct such protocols, a new simulation technique is needed. In this paper, we construct a 3-round AINUZK protocol for any NP language. Our result does not contradict the result of [GoKr96] since our proposed protocol does not achieve the notion of BSZK. Our main contribution is to provide a nonblack-box simulation technique. It is based on a novel computational assumption related to the Diffie-Hellman problem. We call it the strong Diffie-Hellman assumption (SDHA). Although this assumption is strong and non-standard, its non-standard nature seems essential for our simulation technique. Organization. In Section 2, we give the definitions of AINUZK arguments and some standard complexity assumptions. Section 3 describes our proposed protocol. In Section 4, we formalize SDHA. In Section 5, we prove the correctness of our proposed protocol. In Section 6, we conclude with some remarks.

2

Preliminaries

In this section, we give the definitions of AINUZK arguments and some standard complexity assumptions. Most of this section follows [BJY97] and [Go98-1]. 2.1

Auxiliary-Input Non-Uniform Zero-Knowledge Arguments

We deal with NP languages and let WL (x) denote the witness set of x which belongs to an NP language L. We say that a function ν(·) : N → R is negligible if for every polynomial poly(·) and all sufficiently large n’s, it holds that ν(n) < 1/poly(n). Also, we say that a function g(·) : N → R is overwhelming if g(·) = 1 − ν(·) for some negligible function ν(·). 2

The proofs in [GoKr96] are for CZK proofs. However, their result extends to CZK arguments. See Remarks 6.3 and 6.5 in that paper.

412

Satoshi Hada and Toshiaki Tanaka

We consider two probabilistic polynomial-time interactive machines called the prover and the verifier. Initially both machines have access to a common input tape which includes x of length n. The prover and the verifier send messages to one another through two communication tapes. After exchanging a polynomial number of messages, the verifier stops in an accept state or in a reject state. Each machine, denoted by A, only sees its own tapes, namely, the common input tape, the random tape, the auxiliary-input tape and the communications tapes. In particular, the prover’s auxiliary input tape includes a witness w ∈ WL (x). Let A(x, m, r) denote A’s next message, where x is the common input, r the random coins and m the messages so far. We let Ax (·, ·) = A(x, ·, ·) and Ax,r (·) = A(x, ·, r). When A takes an auxiliary input y, we write Ayx and Ayx,r for Ax and Ax,r , respectively. Let Acc(Px , Vx ) denote the probability that V accepts when interacting with P on the common input x. The probability is taken over the random tapes of both machines. Definition 1. Let P, V be two probabilistic polynomial-time interactive machines. We say that (P, V ) is an argument for L if the following two conditions are satisfied: - Completeness: For every x ∈ L, every w ∈ WL (x), Acc(Pxw , Vx ) = 1. - Soundness: For every probabilistic polynomial-time machine Pˆ (the cheating prover), every polynomial poly(·), all sufficiently long x ∈ / L and all y’s, Acc(Pˆxy , Vx ) <

1 . poly(|x|)

We recall the notion of computational indistinguishability of probability distributions used in the definition of zero-knowledge. Definition 2. Let L be an NP language. An ensemble indexed by L × {0, 1}∗ is a sequence {Ex,y }x∈L,y∈{0,1}∗ of probability distributions, one for each (x, y) ∈ 0 L × {0, 1}∗. Let E = {Ex,y }x∈L,y∈{0,1}∗ and E 0 = {Ex,y }x∈L,y∈{0,1}∗ be two en∗ sembles over a common index set L×{0, 1} . A distinguisher is a polynomial-size circuit family D = {Dx,y }x∈L,y∈{0,1}∗ . We say that E and E 0 are computationally indistinguishable if for every distinguisher D, every polynomial poly(·), all sufficiently long x ∈ L and all y ∈ {0, 1}∗, |Pr [Dx,y (v) = 1] − Pr [Dx,y (v 0 ) = 1] | <

1 , poly(|x|)

0 where v and v 0 are chosen according to the distribution Ex,y and Ex,y , respectively.

A view of the verifier is an ensemble which consists of the common input, the auxiliary input, the random coins and the sequence of messages by the prover and the verifier during the interaction. Let View(Px , Vxy ) = [x, y, r, m] denote V ’s view after interacting with P , where x is the common input, y the auxiliary input to V , r the random coins of V and m the sequence of messages sent by P and V . Note that r is empty when V is a family of polynomial-size circuits.

On the Existence of 3-Round Zero-Knowledge Protocols

413

Definition 3. Let P, V be two probabilistic polynomial-time interactive machines. We say that (P, V ) is an auxiliary-input non-uniform zero-knowledge for L if for every family of polynomial-size circuits Vˆ (the cheating verifier), there exists a family of (probabilistic) polynomial-size circuits SVˆ (the simulator) such that the following two ensembles are computationally indistinguishable: {SVˆ (x, y)}x∈L,y∈{0,1}∗ and {View(Px , Vˆxy )}x∈L,y∈{0,1}∗ . We remark that it is not required that simulator SVˆ can be effectively constructed given a verifier Vˆ , but rather that it exists. 2.2

DLA and DHA

We give two standard complexity assumptions related to the discrete logarithm problems. All exponentiations in this paper are in Zp∗ (the definition of the prime p will be clear by the context). To simplify the notations, we omit the expression “mod p”. We recall the discrete logarithm assumption (DLA). In this paper, we need a stronger definition of DLA in which we assume nothing on the distribution of a prime p and a base g. Definition 4. Let LP QG denote the set {(p, q, g)} of primes and generators, where p and q are primes such that p = 2q + 1 and g is an element of order q in Zp∗ (a generator of a subgroup of Zp∗ of order q). LP QG can be recognized in probabilistic polynomial-time with negligible error probability by testing primality for p and q in probabilistic polynomialtime [SS77][Ra80], and verifying that g is not the identity and that g q = 1. Furthermore, there exists a probabilistic polynomial-time algorithm which, on input 1n , outputs (p, q, g) ∈ LP QG such that p is of length n. Assumption 5 (DLA). For every family of polynomial-size circuits I = {In }n≥1 , every polynomial poly(·) and all sufficiently large n’s, InvIDL (p, q, g) = P rob[ In (p, q, g, g a ) = a ] <

1 , poly(n)

where (p, q, g) is any instance in LP QG such that p is of length n. The probability is taken over the choice of a uniformly at random in Zq . The Diffie-Hellman assumption (DHA) says that the Diffie-Hellman problem [DH76] is intractable in the same setting as DLA. Assumption 6 (DHA). For every family of polynomial-size circuits I = {In }n≥1 , every polynomial poly(·) and all sufficiently large n’s, InvIDH (p, q, g) = P rob[ In (p, q, g, g a , g b ) = g ab ] <

1 , poly(n)

where (p, q, g) is any instance in LP QG such that p is of length n. The probability is taken over the choice of a, b uniformly at random in Zq .

414

3

Satoshi Hada and Toshiaki Tanaka

Protocol Description

In this section, we construct a 3-round ZK protocol for any NP language (called 3R-ZK). Our starting point is a 3-round public-coin honest-verifier ZK protocol for an NP language LN P . We transform it into a 3-round secret-coin any-verifier ZK protocol for the same language LN P . 3.1

The Starting Protocol

We require that the starting protocol (M, A) satisfies the following properties. Let M1 , Y, M2 denote the messages exchanged in the starting protocol. M1 and M2 are the first and the second messages that the prover sends to the verifier, respectively. Y is the verifier’s challenge. B0. It is a public-coin protocol in which the challenge Y (the verifier’s public coins) is chosen uniformly at random in any polynomially samplable subdomain of {0, 1}∗ . B1. The prover can be implemented in probabilistic polynomial-time when it is given as its auxiliary-input an NP witness. B2. It satisfies a strong soundness property which requires that for every common input x ∈ / LN P and every possible first message M1 , there exists at most one verifier’s challenge Y such that the prover may answer properly in its second message M2 . B3. It is zero-knowledge with respect to a prescribed verifier for the protocol, i.e., honest-verifier zero-knowledge (HVZK). Formally, for the prescribed verifier B, there exists a probabilistic polynomial-time simulator SHV (the honest-verifier simulator) such that the following two ensembles are computationally indistinguishable: {SHV (x, y)}x∈L,y∈{0,1}∗ and {View(Mx , Ayx )}x∈L,y∈{0,1}∗ . For example, the parallel composition of Blum’s ZK protocol for the Hamiltonian circuit problem satisfies all the above properties [Bl86] (See also Chapter 4, Exercise 16 in [Go98-1]). Theorem 7 ([Bl86][Go98-1]). Assuming the existence of non-uniformly secure commitment schemes, there exists a starting protocol satisfying all the above properties for any NP language. 3.2

Our Proposed Protocol

Before describing our proposed protocol, we review the general approach to constructing constant round ZK protocols for NP. Only BPP languages have constant round public-coin BSZK protocols [GoKr96]. Therefore, only feasible way of constructing constant round BSZK protocols for NP is to let the verifier use “secret coins”. That is, the coins inducing the message sent by the verifier are

On the Existence of 3-Round Zero-Knowledge Protocols

415

kept secret from the prover. In fact, all the previous constant round ZK protocols are secret-coin protocols [BCY89][FeSh89][BMO90] [GoKa96][BJY97]. We note that in all the previous protocols, the verifier demonstrates that it knows the secret coins. As a result, the simulator can get the verifier’s secret coins in the simulation. For example, in [FeSh89] the verifier executes a witness-hiding protocol. In [BCY89][BMO90][GoKa96] the verifier executes a commitment protocol3 . In [BJY97] the verifier executes a cut-and-choose type protocol. Furthermore, the previous constant round ZK protocols are designed so that once the simulator gets the verifier’s secret coins, it can complete the simulation without any NP witness, whereas as long as the cheating prover does not know the verifier’s secret coins, the soundness condition is satisfied. We construct a 3-round ZK protocol by transforming the starting protocol into a 3-round secret-coin protocol in which the challenge Y is generated by an interaction of the prover and the verifier, rather than by the verifier itself. In the light of the above, the resulting protocol should satisfy the following properties: R1. The verifier demonstrates that it knows the coins inducing the message sent by it, while keeping these coins secret from the prover. R2. The knowledge of the verifier’s secret coins enables the simulator to answer properly in the second message given a fixed challenge Y . R3. As long as the verifier’s secret coins are kept secret, it is computationally difficult for a cheating prover to answer properly in the second message given a fixed challenge Y . The property R1 has been implemented by a notion of “proof of knowledge” [TW87][FFS88][BeGo92], specifically by bit-commitment protocols, witness-hiding protocols and cut-and-choose type protocols. However, these protocols require an interaction which we can not afford here (Note that in 3-round protocols, the verifier sends the message once for all). Therefore, it seems impossible to satisfy the property R1. Nevertheless, we resolve this difficulty using a new type of computational assumption so that the protocol resulting from our transformation can satisfy all the properties. Protocol: 3R-ZK for an NP language LN P . Common Input: a common input x of length n. Prover’s Witness: an NP witness in WLN P (x). P1: The prover P computes the first message as follows: P1-1 P generates an instance (p, q, g) ∈ LP QG such that p is of length n. P also generates uniformly a random number a ∈ Zq . Then P computes A = ga. P1-2 P computes M1 according to the starting protocol. P sends (M1 , p, q, g, A) to the verifier V . V1: V checks whether (p, q, g) is in LP QG and p is of length n. If this is true, V generates a random number b ∈ Zq (the secret coins), computes (B, X) = (g b , Ab ) and sends (B, X) to P . Otherwise V rejects. 3

In a commitment protocol, the secret coins are revealed finally.

416

Satoshi Hada and Toshiaki Tanaka

P2: P checks whether X = B a . If this is false P stops, otherwise P computes the second message as follows: P2-1 P generates a random number c ∈ Zq and computes (C, Y ) = (g c , B c ) (These may also be computed as (C, Y ) = (Ac , X c )). P2-2 P computes M2 using Y as the challenge according to the starting protocol. P sends (M2 , C, Y ) to V . V2: V checks whether the following two conditions are satisfied: V2-1 V checks whether Y = C b . V2-2 V checks whether M2 is valid using Y as the challenge according to the starting protocol. If either condition is violated V rejects, otherwise V accepts. We explain that 3R-ZK satisfies all the properties. With respect to R1, we can make the following observation. The verifier’s secret coins b are kept secret if we assume that it is computationally intractable to compute b from (g, A, B, X). Furthermore, it seems that the verifier must raise (g, A) to bth power in order to pass the prover’s check X = B a in P2. That is, we assume that the verifier knows the secret coins b whenever it holds that X = B a . This is a new type of computational assumption which we call SDHA-1. SDHA-1 can be formalized as follows: for any verifier Vˆ , there exists another verifier Vˆ 0 such that Vˆ 0 outputs not only (B, X) but also the secret coins b whenever Vˆ outputs (B, X) satisfying X = B a . We may say that R1 is implemented using a computational assumption rather than a notion of “proof of knowledge”. R2 is satisfied since given Y and b, it is easy to compute the second message C such that Y = C b . When the simulator uses Vˆ 0 (but not Vˆ ) as a black-box, it can get not only (B, X) but also b. As a result, it is possible to complete the simulation. As in R1, it seems that the prover must raise (g, B) or (A, X) to cth power in order to pass the verifier’s check Y = C b in V2-1 (Note that there are two ways of computing (C, Y ) in P2-1). We assume that the prover knows the value of c such that Y = B c or X c whenever it holds Y = C b . We call this assumption SDHA-2. Assume that R3 is not satisfied. Then, given a fixed challenge Y , the cheating prover can compute the second message C satisfying Y = C b for randomly chosen (B, X). Under SDHA-2, this means that, given Y , it is easy to compute the discrete logarithm c such that Y = B c or X c for randomly chosen (B, X). This contradicts DLA. The above discussion roughly shows that 3R-ZK is a ZK protocol for LN P . The formal proof is given in Section 5.

4

The Strong Diffie-Hellman Assumption

In this section, we formalize SDHA. There are two versions of SDHA: SDHA-1 and SDHA-2. They are required for the ZK property and the soundness, respectively.

On the Existence of 3-Round Zero-Knowledge Protocols

417

Assumption 8 (SDHA-1). Firstly, DLA is assumed to hold in this assumption. Let I be a family of polynomial-size circuits which takes as input (p, q, g, g a ) and tries to output (B, X) such that X = B a . For every family of polynomialsize circuits I = {In }n≥1 , there exists another family of polynomial-size circuits I 0 = {In0 }n≥1 which, on input (p, q, g, g a ), outputs (B 0 , X 0 , b) satisfying the following two conditions, where the probability is taken over the choice of a uniformly at random in Zq , (p, q, g) is any instance in LP QG and p is of length n. 1. In0 (p, q, g, g a ) is statistically close to In (p, q, g, g a ) on the first two outputs (B, X). 2. For every polynomial poly(·) and all sufficiently large n’s, P rob[ X 0 = B 0a ∧ B 0 6= g b ] <

1 . poly(n)

Roughly, the above conditions say that whenever I outputs (B, X) such that X = B a , I 0 outputs not only (B, X) but also b such that B = g b (i.e., X = (g a )b ) with overwhelming probability. The proposition below shows that SDHA-1 implies DHA. However, it is unlikely that DHA implies SDHA-1. Proposition 9. Under SDHA-1, DHA holds. Proof.(sketch) Assume that DHA does not hold. Then there exists a family of polynomial-size circuits I which, on input g, A = g a , B = g b , outputs B = g b and X = g ab with non-negligible probability. Under SDHA-1, there exists another family of polynomial-size circuits I 0 that computes not only (B, X) but also the discrete logarithm b such that B = g b . This contradicts DLA. t u Assumption 10 (SDHA-2). Firstly, DLA is assumed to hold in this assumption. Let I be a family of polynomial-time circuits which takes as input (p, q, g, g a , g b , g ab ) and tries to output (C, Y ) such that Y = C b . For every family of polynomial-size circuits I = {In }n≥1 , there exists another family of polynomial-size circuits I 0 = {In0 }n≥1 which takes as input (p, q, g, g a , g b , g ab ) and outputs (C 0 , Y 0 , c) satisfying the following two conditions, where the probability is taken over the choice of b uniformly at random in Zq , (p, q, g) is any instance in LP QG , p is of length n and a is any element in Zq . 1. In0 (p, q, g, g a , g b , g ab ) is statistically close to In (p, q, g, g a , g b , g ab ) on the first two outputs (C, Y ). 2. For every polynomial poly(·) and all sufficiently large n’s, P rob[ Y 0 = C 0b ∧ Y 0 6= (g b )c ∧ Y 0 6= (g ab )c ] <

1 . poly(n)

418

Satoshi Hada and Toshiaki Tanaka

Roughly, the above conditions say that whenever I outputs (C, Y ) such that Y = C b , I 0 outputs not only (C, Y ) but also c such that Y = (g b )c or Y = (g ab )c (i.e., C = g c or (g a )c ) with overwhelming probability. SDHA-2 implies SDHA-1 and so we call SDHA-2 SDHA. We remark that in both assumptions, it is not required that I 0 can be effectively constructed given I, but rather that it exists. This is similar to the definition of AINUZK.

5

Main Theorem

We prove that 3R-ZK is an AINUZK argument. Theorem 11. There exists a 3-round auxiliary-input non-uniform computational zero-knowledge argument for any NP language under SDHA. Proof. There exists a non-uniformly secure commitment scheme under DLA [BM84]. By Theorem 7, the starting protocol exists under SDHA. Therefore, Theorem 11 follows combining Lemma 12 and 13. t u Our result does not apply to the notion of AIZK. However, if we strengthen SDHA with auxiliary-input, we can prove that 3R-ZK is AIZK. This issue is taken up in the last section. 5.1

3R-ZK is AINUZK

Lemma 12. 3R-ZK is AINUZK for LN P under SDHA-1. Proof. Firstly, we focus on the computation of the cheating verifier Vˆxy in V1, where the inputs are (p, q, g, A, M1 ) and the outputs are (B, X) such that X = B a . We consider it as the computation of I in SDHA-1. The inputs (p, q, g, A) to Vˆxy play the role of the inputs (p, q, g, g a ) to I in SDHA-1. Furthermore, we can consider that the other quantities such as the common input x, the auxiliary-input y and the message M1 are incorporated into I in SDHA-1. Therefore, we can apply SDHA-1 to the cheating verifier Vˆxy : for any cheating 0 verifier Vˆxy , there exists a family of polynomial-size circuits Vˆx y which outputs not only (B, X) but also b such that B = g b . As mentioned in the observation of the property R2, when the simulator 0 uses Vˆx y as a black-box, it can get the secret coins b and complete the simulation with b. For simplicity, we describe the simulator SVˆ as a probabilistic polynomialtime machine. Machine: Simulator SVˆ . Input: x, y. Output: a view [x, y, (M1 , p, q, g, A)(B, X)(M2 , C, Y )]. S1. SVˆ performs P1-1 to get (p, q, g, A). S2. SVˆ runs the honest-verifier simulator SHV in the property B3 of the starting protocol to get (M1 , Y, M2 ) such that Y is an element of order q in Zp∗ .

On the Existence of 3-Round Zero-Knowledge Protocols

419

0

S3. SVˆ runs Vˆx y on (M1 , p, q, g, A) to get (B, X, b). SVˆ checks whether X = B a . If this is false, SVˆ stops and outputs [x, y, (M1 , p, q, g, A)(B, X)]. S4. SVˆ checks whether B = g b . If this is false, SVˆ aborts. S5. SVˆ computes C such that Y = C b . S6. SVˆ outputs [x, y, (M1 , p, q, g, A)(B, X)(M2 , C, Y )]. Clearly SVˆ runs in probabilistic polynomial-time. The probability that SVˆ aborts in S4 is negligible under SDHA-1. Now we show that the output distribution ensemble {SVˆ (x, y)}x∈L,y∈{0,1}∗ is computationally indistinguishable from {View(Px , Vˆxy )}x∈L,y∈{0,1}∗ . The proof is by contradiction. Assume there exists a distinguisher D that can distinguish {SVˆ (x, y)}x∈L,y∈{0,1}∗ from {View(Px , Vˆxy )}x∈L,y∈{0,1}∗ . Then we can construct a distinguisher D0 that distinguishes the output distribution ensemble {SHV (x, y)}x∈L,y∈{0,1}∗ from {View(Mx , Ayx )}x∈L,y∈{0,1}∗ , in contradiction to the property B3 of the starting protocol (M, A). Given a view (M1 , Y, M2 ) of the starting protocol (from either distributions), D0 extends it to a view of 3RZK and invokes D on the extended view as follows: 0 Distinguisher: D0 = {Dx,y }x∈LN P ,y∈{0,1}∗ . Input: (M1 , Y, M2 ), where we assume that (p, q, g) ∈ LP QG is fixed in advance and that Y is an element of order q in Zp∗ . Output: 0 or 1. 0 D1: Dx,y runs SVˆ to extend the input (M1 , Y, M2 ) to a view [x, y, (M1 , p, q, g, A) (B, X) (M2 , C, Y )], where the input (M1 , Y, M2 ) is used as a result of S2, respectively. 0 invokes Dx,y on the extended view. D2: Dx,y

If the input (M1 , Y, M2 ) is from View(Mx , Ayx ), the extended view is distributed statistically close to View(Px , Vˆxy ). This is because the probability that SVˆ aborts 0 is negligible and the output distributions of Vˆxy and Vˆx y are statistically close on (B, X) under SDHA-1. On the other hand, if the input (M1 , Y, M2 ) is from SHV (x, y), the extended view is distributed exactly alike the distribution SVˆ(x, y). Therefore, D0 distinguishes the two ensembles in the property B3 of the starting protocol. t u Since SVˆ does not use Vˆ as a black-box, the above argument does not show that 3R-ZK is BSZK. SDHA-1 does not say that the circuit for Vˆ 0 can be effectively constructed given the circuit for Vˆ , but rather that it exists. However, it is sufficient for our purpose since the definition of AINUZK also does not require that the circuit for SVˆ can be effectively constructed given the circuit Vˆ . That is, under SDHA-1, for any verifier Vˆ , there exist another one Vˆ 0 and the simulator SVˆ . Therefore, the above argument shows that 3R-ZK is AINUZK. 5.2

3R-ZK is an Argument

Lemma 13. 3R-ZK is an argument for LN P under SDHA-2.

420

Satoshi Hada and Toshiaki Tanaka

Proof. The completeness is trivially satisfied because of the property B1 of the starting protocol. We focus on the soundness. Assume that 3R-ZK does not have negligible error probability. Then there exist a cheating prover Pˆ , a polynomial p0 (·) and an infinite set G = {(x, y)} of common inputs not in LN P and auxiliary inputs such that Acc(Pˆxy , Vx ) > 1/p0 (|x|) for all (x, y) ∈ G. We will show that this contradicts DLA. Let K be the set of all integers n for which G contains a common input x of length n. We will show that there exists an inverter I = {In }n∈K such that for all n ∈ K, there exist (p, q, g) ∈ LP QG (p is of length n) such that InvIDL (p, q, g) is overwhelming. Firstly, we construct a (probabilistic) polynomial-size circuit family P G = {P Gn }n∈K which outputs a (bad) instance (p, q, g) ∈ LP QG such that the discrete logarithm modulo p is easy to compute. For each n ∈ K we fix some common input and some auxiliary input (x, y) ∈ G and they are incorporated into P Gn . We allow P Gn to use Pˆxy as a black-box. We allow P Gn to feed the random coins for Pˆxy . For simplicity, we describe P Gn as an expected polynomial-time machine and its expected running time is clearly O(p0 (n)poly(n)). Machine: Prime Generator {P Gn }n∈K . Input: 1n . Output: (r, M1 , p, q, g, A). Step 0: P Gn initiates Pˆxy on the random coins r. y Step 1: P Gn runs both Pˆx,r and Vx to get a transcript [(M1 , p, q, g, A) (B, X) (M2 , C, Y )]. If this is rejecting, P Gn goes back to Step 0. Step 2: P Gn outputs (r, M1 , p, q, g, A). y , Vx , (M1 , p, q, g, A)) denote the conditional probability that Vx Let Acc(Pˆx,r y accepts x ∈ / LN P in interacting with Pˆx,r when the conversation so far is y (M1 , p, q, g, A). We say that (p, q, g) is bad if Acc(Pˆx,r , Vx , (M1 , p, q, g, A)) > y ˆ 1/2p0 (n). Since Acc(Px , Vx ) > 1/p0 (n), it must be that the probability (over r y , Vx , (M1 , p, q, and the random coins of V leading to (M1 , p, q, g, A)) that Acc(Pˆx,r g, A))>1/2p0 (n) is at least 1/2. Therefore there exists a bad instance (p, q, g) ∈ LP QG for all n ∈ K and the probability that the output (p, q, g) ∈ LP QG of P Gn is bad is at least 1/2. We ignore the possibility that (p, q, g) ∈ / LP QG since it happens with negligible probability. y Before we describe an inverter I = {In }n∈K , we apply SDHA-2 to Pˆx,r . y We consider the computation of the prover Pˆx,r in P2, where the inputs are (p, q, g, A, M1 )(B, X) and the outputs are (M2 , C, Y ) such that Y = C b . We consider it as the computation of I in SDHA-2. The inputs (p, q, g, A, B, X) to y play the role of the inputs (p, q, g, g a , g b , g ab ) to I in SDHA-2. Furthermore, Vˆx,r we can consider that the other quantities such as the random coins r, the message M1 , the common input x and the auxiliary-input y are incorporated into I in y : for any SDHA-2. Therefore, we can apply SDHA-2 to the cheating prover Pˆx,r 0 y y cheating prover Pˆx,r , there exists a family of polynomial-size circuits Pˆx,r which c c outputs in P2 not only (M2 , C, Y ) but also c such that Y = B or X . From now on, we assume that P Gn has output a bad instance (p, q, g) ∈ LP QG along with (r, M1 , A). We construct an inverter I = {In }n∈K , where a

On the Existence of 3-Round Zero-Knowledge Protocols

421

common input x, an auxiliary input y, the output (r, M1 , A) of P Gn and a such that A = g a are incorporated into each machine In . Furthermore, In is 0 y allowed to use Pˆx,r as a black-box. For simplicity, we describe In as an expected polynomial-time machine. Machine: Inverter {In }n∈K . Input: A bad (p, q, g) output by P Gn , a random number β of order q in Zp∗ . Output: The discrete logarithm α such that β = g α . Step 1: In generates a random number b ∈ Zq and computes B = βg b and X = Ba. 0 y Step 2: In runs Pˆx,r on ((M1 , p, q, g, A)(B, X)) to get its response (M2 , C, Y, c). In checks whether (M1 , Y, M2 ) is accepting according to the starting protocol. If this is false, In goes back to Step 1, otherwise In goes to Step 3. Step 3: In checks whether Y = B c or Y = X c . If this is false, In goes back to Step 1, otherwise In goes to Step 4. 0 Step 4: In generates a random number b0 ∈ Zq and computes B 0 = g b and X 0 = B 0a . If B = B 0 then In outputs α = b0 − b mod q (Note that 0 βg b = g b ). Otherwise, In goes to Step 5. 0 y Step 5: As in Step 2, In runs Pˆx,r on ((M1 , p, q, g, A)(B 0 , X 0 )) to get its response (M20 , C 0 , Y 0 , c0 ). In checks whether (M1 , Y 0 , M20 ) is accepting according to the starting protocol. If this is false, In goes back to Step 4, otherwise In goes to Step 6. c0 c0 Step 6: In checks whether Y 0 = B 0 or Y 0 = X 0 . If this is false, In goes back to Step 4, otherwise In goes to Step 7. Step 7: In outputs α such that β = g α . In tries to get two different accepting transcripts. Since we assumed that (p, q, g) is bad, the expected running time of In is O((p0 (n))2 poly(n)). In Step 7, it holds that Y = β ac g abc or β c g bc and it also holds that Y 0 = 0 0 ab0 c0 g or g b c . Since x ∈ / LN P , Y must equal Y 0 by the property B2 of the starting protocol. So it is easy to compute α such that β = g α from the values (a, b, b0 , c, c0 ). Therefore we conclude that for all n ∈ K, there exists (p, q, g) ∈ LP QG such that InvIDL (p, q, g) is overwhelming. This contradicts DLA. t u

6

Concluding Remarks

We introduced a novel computational assumption SDHA so that we could provide a non-black-box simulation technique and construct a 3-round AINUZK protocol for NP. However, SDHA is strong and non-standard. It is fundamentally different from the standard complexity assumptions such as DLA and DHA in the sense that SDHA has double quantification (i.e., for every adversary, there exists another one such that something holds) whereas the standard assumptions have one quantifier (i.e., for every adversary, something holds). It is unlikely that SDHA holds under some standard complexity assumptions. Therefore, it is interesting and necessary to study the validity of SDHA.

422

Satoshi Hada and Toshiaki Tanaka

Our result can not apply to AIZK. When we apply SDHA-1 to a probabilistic polynomial-time verifier Vˆ , the resultant Vˆ 0 is a circuit family and the simulator SVˆ is also a circuit family. This does not satisfy the requirement of the definition of AIZK. One may think that we can prove that 3R-ZK achieves GMRZK or AIZK if SDHA-1 is formalized in the uniform model, where both I and I 0 are modeled by probabilistic polynomial-time machines. It is not the case since such uniform assumption (called uniform SDHA-1) can not deal with the common input x and the auxiliary-input y. We can prove that 3R-ZK achieves the notion of AIZK if we further strengthen uniform SDHA-1 with auxiliary-input, that is, if we assume that uniform SDHA-1 holds even when both I and I 0 are allowed to take arbitrary (same) auxiliary-inputs (We call this strengthened assumption auxiliary-input uniform SDHA-1). This result leads us to an interesting corollary: under auxiliary-input uniform SDHA-1, it holds that Cl(BSZK) ⊂ Cl(AIZK) unless NP ⊆ BPP. However, auxiliary-input uniform SDHA-1 seems unreasonable [Go98-2]. Consider I as a universal machine which takes as its auxiliary-input the description of any circuit C which, given (g, g a ), outputs (B, X) such that X = B a . Then, auxiliary-input uniform SDHA-1 says that I 0 can reverse-engineer the circuit C and output b such that B = g b . Therefore, auxiliary-input uniform SDHA seems very strong and problematic.

Acknowledgments This paper owes much to the valuable comments and suggestions of Oded Goldreich. He kindly helped us to revise our earlier version of this paper. We would like to thank the anonymous referees of Crypto’98 for valuable comments. We also thank Masahiro Wada and Koji Nakao for their encouragement.

References BeGo92. BJY97.

BMO90. Bl86.

BM84.

BCC88.

M. Bellare and O. Goldreich , “On Defining Proofs of Knowledge, ” Proceedings of Crypto’92, 1992. 415 M. Bellare, M. Jakobsson and M. Yung, “Round-Optimal Zero-Knowledge Arguments Based on any One-Way Function, ” Proceedings of Eurocrypt’ 97, 1997. 410, 411, 415, 415 M. Bellare, S. Micali and R. Ostrovsky, “ Perfect Zero-Knowledge in Constant Rounds,” Proceedings of 22nd STOC, 1990. 415, 415 M. Blum, “How to Prove a Theorem So No One Else Can Claim It,” Proceedings of the International Congress of Mathematicians, pp.1444-1451, 1986. 414, 414 M. Blum and S. Micali, “How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits,” SIAM Journal on Computing, Vol.13, No.4, pp.850-863, 1984. 418 G. Brassard, D. Chaum and C. Cr´epeau, “Minimum Disclosure Proofs of Knowledge, ” Journal of Computer and System Sciences, Vol. 37, No. 2, pp. 156-189, 1988. 409

On the Existence of 3-Round Zero-Knowledge Protocols BCY89.

423

G. Brassard, C. Cr´epeau and M. Yung, “ Everything in NP Can Be Argued in Perfect Zero-Knowledge in a Bounded Number of Rounds, ” Proceedings of 16th ICALP, pp.123-136, 1989. 410, 415, 415 BrCr86. G. Brassard and C. Cr´epeau, “Non-Transitive Transfer of Confidence : A Perfect Zero-Knowledge Interactive Protocol for SAT and Beyond, ” Proceedings of 27th FOCS, 1986. 409 DH76. W. Diffie and M. Hellman, “New Directions in Cryptography,” IEEE Trans. Inform. Theory, Vol.22, No.6, pp.644-654, 1976. 413 FFS88. U. Feige, A. Fiat, and A. Shamir, “Zero Knowledge Proofs of Identity,” Journal of Cryptology, Vol.1, pp.77-94, 1988. 415 FeSh89. U. Feige and A. Shamir, “Zero Knowledge Proofs of Knowledge in Two Rounds,” Proceedings of Crypto’89, pp.526-544, 1989. 410, 415, 415 Go93. O. Goldreich, “A Uniform-Complexity Treatment of Encryption and ZeroKnowledge,” Journal of Cryptology, Vol.6, No. 1, pp.21-53, 1993. 410, 410 Go98-1. O. Goldreich, “Foundations of Cryptography (Fragments of a Book - Version 2.03),” February 27, 1998. 411, 414, 414 Go98-2. O. Goldreich, private communication, May 1998. 410, 422 GoKa96. O. Goldreich and A. Kahan, “How to Construct Constant-Round ZeroKnowlege Proof Systems for NP,” Journal of Cryptology, Vol.9, No. 3, pp.167-190, 1996. 410, 410, 415, 415 GoKr96. O. Goldreich and H. Krawczyk, “On the Composition of Zero-Knowledge Proof Systems,” SIAM Journal on Computing, Vol.25, No.1, pp.169-192, 1996. 409, 410, 411, 411, 411, 411, 414 GMW91. O. Goldreich, S. Micali, and A. Wigderson, “Proofs that Yield Nothing But Their Validity or All Languages in NP Have Zero-Knowledge Proof Systems,” Journal of the ACM, Vol.38, No.1, pp.691-729, 1991. GoOr94. O. Goldreich and Y. Oren, “Definitions and Properties of Zero-Knowlege Proof Systems,” Journal of Cryptology, Vol.7, No. 1, pp.1-32, 1994. 409, 409, 409, 410, 410, 411 GMR85. S. Goldwasser, S. Micali, and C. Rackoff, “The Knowledge Complexity of Interactive Proofs,” Proceedings of 17th STOC, pp.291-304, 1985. 408, 409, 409 Ra80. M. O. Rabin, “Probabilistic Algorithm for Testing Primality, ” Jounal of Number Theory, Vol 12, pp.128-138, 1980. 413 SS77. R. Solovay and V. Strassen, “A Fast Monte-Carlo Test for Primality,” SIAM Journal on Computing, Vol.6, No.1, pp.84-86, 1977. 413 TW87. M. Tompa and H. Woll, “Random Self-Reducibility and Zero Knowledge Interactive Proofs of Possession of Information,” Proceedings of 28th FOCS, pp.472-482, 1987. 415

Zero-Knowledge Proofs for Finite Field Arithmetic or: Can Zero-Knowledge Be for Free? Ronald Cramer1 and Ivan Damg˚ ard2 1

ETH Z¨ urich [email protected] 2 BRICS (Basic Research in Computer Science, Center of the Danish National Research Foundation) Aarhus University [email protected]

Abstract. We present a general method for constructing commitment schemes based on existence of q-one way group homomorphisms, in which elements in a finite prime field GF (q) can be committed to. A receiver of commitments can non-interactively check whether committed values satisfy linear equations. Multiplicative relations can be verified interactively with exponentially small error, while communicating only a constant number of commitments. Particular assumptions sufficient for our commitment schemes include: the RSA assumption, hardness of discrete log in a prime order group, and polynomial security of Diffie-Hellman encryption. Based on these commitments, we give efficient zero-knowledge proofs and arguments for arithmetic circuits over finite prime fields, namely given such a circuit, show in zero-knowledge that inputs can be selected leading to a given output. For a field GF (q), where q is an m-bit prime, a circuit of size O(m), and error probability 2−m , our protocols require communication of O(m2 ) bits. We then look at the Boolean Circuit Satisfiability problem and give non-interactive zero-knowledge proofs and arguments with preprocessing. In the proof stage, the prover can prove any circuit of size n he wants by sending only one message of size O(n) bits. As a final application, we show that Shamirs (Shens) interactive proof system for the (IP-complete) QBF problem can be transformed to a zero-knowledge proof system with the same asymptotic communication complexity and number of rounds.

1

Introduction

In this paper, we present a general method for building commitment schemes, which are based on existence of any family of one-way group homomorphisms with a particular extra property (detailed below). We call such functions q-one way group homomorphisms. Informally speaking, these schemes allow a prover to compute a commitment to an element a in the finite prime field GF (q), having sent this commitment to H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 424–441, 1998. c Springer-Verlag Berlin Heidelberg 1998

Zero-Knowledge Proofs for Finite Field Arithmetic

425

a verifier, the prover cannot change his mind about a, still the verifier cannot guess a from the commitment. Our commitments are small (i.e. if q is an m bit prime, commitments will be of size O(m) bits) and have useful homorphic properties: given any linear equation over GF (q), the verifier can check whether a set of committed values satisfy the equation without communicating with the prover. We give an efficient protocol allowing the prover to convince the verifier that committed values a, b, c satisfy ab = c without revealing anything else about a, b, c. By efficient, we mean that the protocol achieves error probability exponentially small in m, but requires only communication of a constant number of commitments. Other auxiliary protocols allow the prover to convince the verifier that a commitment contains 0 or 1; and to convince him that pairs of committed bits (c1 , d1 ), ..., (cm , dm ) satisfy ci = di , i = 1..m by opening only one commitment. We give examples of concrete assumptions sufficient for the existence of qone way homomorphisms, including the RSA assumption, hardness of discrete log in a prime order group, and polynomial security of Diffie-Hellman encryption. When instantiating our commitments using these concrete assumptions, we get some examples of commitment schemes that were known, while others are new. However, no efficient multiplication protocol were known for any of these schemes before. We consider this multiplication protocol and our unified view of many apparently different commitment schemes to be an important technical contributions of this paper 1 . In recent work by Gennaro et al. [21] and Cramer et al. [9], our commitment schemes have been used as an essential tool to build efficient multiparty computations protocols. Perhaps the most obvious application of commitment schemes in general is for building Zero-Knowledge interactive proofs [20] and arguments [5]. These are protocols allowing a prover to convince a verifier that a statement is true while revealing nothing but the validity of the assertion. Interactive proofs are secure against cheating even by infinitely powerful provers, on the other hand, zero-knowledge can - at least for NP-hard problems - only be guaranteed relative to a computational assumption (unless the polynomial time hierachy collapses, [15]). If one-way functions exist, then all languages in IP (and hence in NP) have zero-knowledge proofs [19][6]. Interactive arguments are only secure against polynomial time provers, and so require computational assumptions to establish soundness. On the other hand, they can provide perfect (unconditional) zero-knowledge for all of NP [5]. Summarizing informally, these basic results say that, under reasonable computational assumptions, all languages that have an interactive proof (argument), also have a zero-knowledge interactive proof (argument), albeit a much less efficient one. From this has emerged naturally a line of research aimed at improving 1

In [16], a commitment scheme is given, together with a multiplication protocol with properties somewhat similar to ours. That protocol, however, only works under a specialized strong version of the RSA assumption, and can only be used to make statistical zero-knowledge arguments (as opposed to perfect zero-knowledge arguments as well as zero-knowledge proofs in our case).

426

Ronald Cramer and Ivan Damg˚ ard

the efficiency (in terms of communication complexity) of zero-knowledge protocols for NP complete problems such as SAT [4][22][23][8]. It is natural to ask to what extent we can reach the optimal situation, where giving a zero-knowledge interactive proof for SAT, or other problems in IP, is as efficient as giving a mere interactive proof? We do not have a general or final answer to this (hence the question mark in the title). But we do show that our commitment schemes can be applied to build protocols implying that in some cases, zero-knowledge may indeed be almost or entirely for free, as far as communication complexity is concerned. We first present zero-knowledge proofs and arguments for arithmetic circuits over finite prime fields, namely given a circuit with multiplication and addition gates, show in zero-knowledge that inputs can be selected leading to a given output. We will refer to this as the Arithmetic Circuit Problem (ACP). For a field GF (q), where q is an m-bit prime, a circuit of size O(m), cryptographic security parameter m and error probability 2−m , our protocols require communication of O(m2 ) bits. A more detailed account of the performance of our protocol is given in Theorem 53 and shows that the circuit actually only influences the complexity through the number of inputs and multiplications - linear operations are for free. If the circuit involves m multiplications, the best previously known method is to rewrite the multiplications to Boolean circuits and use the best known protocol for circuit satisfiability. This leads to a communication complexity of Ω(m3 log m) bits. The simplest (non zero-knowledge) proof system for ACP is non-interactive: one just reveals the inputs. So we pay a price for zero-knowledge at least in terms of the interaction required. For an NP hard problem, this cannot be avoided unless N P ⊂ BP P . But we can partially avoid it by going to the model of noninteractive proofs or arguments with preprocessing [28]. In this model, we present protocols for ACP and Boolean Circuit SAT. Here, the prover and verifier are allowed to do an interactive preprocessing stage, in which it is not necessary to know which statement (circuit) will be proved later (except perhaps for an upper bound on its size). Then, at a later time, the prover should be able to prove any circuit of his choice by sending only one message. For ACP, the complexity of both our preprocessing and proof phase is O(m2 ) bits (the same as for the interactive protocol mentioned above). For the SAT, using a circuit of size n, cryptographic security parameter n and error probability 2−n , our preprocessing has size O(n2 ) bits, whereas the proof is of size O(n) bits. We note that our total communication complexity is the same as that of the best previously known zero-knowledge interactive proofs [8] (which could not be split in a preprocessing and proof phase). To compare with earlier work on interactive arguments, we need to state the performance of our protocols more accurately: for an error probability of 2−k , and cryptographic security parameter l, the complexity of the preprocessing is O(ln + k) bits. The non-interactive proof stage has size O(n + l). The best earlier work on arguments is by Cramer and Damg˚ ard [8] who obtained O(n)max(l, k), and by Kilian [23] who obtained O(kl log l). None of these protocol could be split

Zero-Knowledge Proofs for Finite Field Arithmetic

427

in a preprocessing and proof phase, as ours. Our total complexity improves on [8] and is not directly comparable to [23]. It is superior to [23] for some choices of parameters, e.g. when all parameters are chosen equal to n, but inferior in other cases - in particular because of the very interesting fact that the result from [23] does not depend on n. From a practical point of view, Kilian’s results are not of much relevance, since they are based on PCP’s [2], and hence rely on the elaborate reductions needed to build PCP’s. By contrast, the constants involved in our asymptotic complexities are small enough for our protocols to be practical with realistic choices of parameters. For example, our most efficient argument for SAT based on RSA produces a proof stage of size 2(n + l) bits, where l is the length of the RSA modulus used. Which means that circuits of interest in real applications (say of size 10.000-100.000 gates) would produce proof stages of size 3-26 Kbyte, using a 1024 bit RSA modulus. Our entire protocol for ACP, resp. the proof stage of our SAT protocol, have the same worst case complexity as the simplest non zero-knowledge proof system, where one just reveals the inputs, since indeed this may cost Ω(n2 ), resp. Ω(n) bits in general. Although our protocols may therefore be optimal in this sense, this does not exclude the possibility of finding much more efficient protocols for particular classes of circuits, e.g. protocols with complexity depending only on the number of inputs. Furthermore, it does not seem impossible to improve the preprocessing for the SAT protocol, e.g. to O(n) bits. Our final result shows that Shamirs (Shens) [26][27] interactive proof system for the (IP-complete) QBF problem can be transformed to a zero-knowledge proof system with the same asymptotic communication and round complexity2 . So as far as Shen’s QBF protocol is concerned, our results do show that zeroknowledge can be for free - but on the other hand, we do not know whether this is an optimal proof system for QBF.

2

Commitment Schemes from Group Homomorphisms

A commitment scheme of the kind we use consists of a function commit : {0, 1}l × [0..q[→ {0, 1}l , whose description is output by a probabilistic polynomial time generator on input 1l and a prime q, where l is a security parameter. This is done in the set-up phase of the commitment scheme. The generator may be able to take an arbitrary pair (q, l) as input. This is called a generator with unbounded q. Or there may be a constant δ > 0, such that the generator works, only if the bit length of q is δl. We refer to commit as the public key of the commitment scheme. To commit to an integer a ∈ [0..q[, one chooses r at random from {0, 1}l and computes the commitment C ← commit(r, a). To open a commitment, r, a are revealed. 2

It is, of course, well known [6] that it is possible to build a zero-knowledge protocol from Shen’s or Shamir’s proof systems, provided one-way functions exist. However, the transformation from [6] leads a huge loss of efficiency. Our result holds for an error probability of 2−n , where n is the input length

428

Ronald Cramer and Ivan Damg˚ ard

For interactive proofs, we will need commitments to be unconditionally binding: a is uniquely determined from commit(r, a). We also need the scheme to hide a, but in this case the scheme is at most computationally hiding: the distributions of commitments to any pair of distinct integers are polynomially indistinguishable. For interactive arguments, we use commitment schemes that are unconditionally hiding: a commitment to a has distribution independent of a. Then the best we can achieve is that the scheme is computationally binding: take any probabilistic polynomial time algorithm which takes an input a public key produced by the generator on input 1l . Let (l) be the probability with which the algorithm outputs a commitment and two valid openings revealing distinct values. Then (l) is negligible, i.e. for any polynomial p, (l) ≤ 1/p(l) for all large enough l. 2.1

Basic Definitions

Definition 21 A Group Homomorphism Generator G is a probabilistic polynomial time algorithm which on input 1l outputs a description of two finite Abelian groups G, H and a homomorphism f : H → G. Elements in G, H can be represented as l-bit strings, and the group operation and inverses in G and H can be computed in polynomial time. Finally, a uniformly chosen element in H can be selected in probabilistic polynomial time. G is said to be one-way if in addition the following holds for any polynomial size family of circuits {∆i | i = 1, 2, ..}: on input f, y, where f is selected by G on input 1l and y is uniformly chosen in Im(f ), the probability that ∆l outputs x ∈ H such that f (x) = y is negligible. We will need a further property of the generator, which loosely speaking says that f is as hard to invert in points of form y i as it is to invert it in y, as long as 0 < i < q, but inversion is easy in points of form y q : Definition 22 A group homomorphism generator G is said to be q-one-way if it is one-way, takes a prime q as additional input, and there is a polynomial time algorithm satisfying the following: on input f, z, y, i where 0 < i < q, y ∈ G, f (z) = y i , it computes x such that f (x) = y. Finally, there is a polynomial time algorithm which on input y computes x0 such that f (x0 ) = y q . We remark that if f is one-one, and |H| = q, q-one-wayness follows trivially from one-wayness. Definition 23 An unconditionally binding q-homomorphism generator G is a q-one-way generator, which also satisfies that for f generated by G, there exists y ∈ G, such that yIm(f ) has order q in the factor group G/Im(f ). Furthermore, the distributions y i f (r) and y j f (s) for 0 ≤ i, j < q, i 6= j and independently chosen uniform r, s, must be polynomially indistinguishable. Informally, what this definition says, is that a y should exist, such that the cosets yIm(f ), y 2 Im(f ), .. are all distinct, and it should be hard to tell the difference between random elements in distinct cosets.

Zero-Knowledge Proofs for Finite Field Arithmetic

2.2

429

Commiment Schemes

Throughout, we will assume that a prover P will be generating commitments and sending them to a verifier V . First is an unconditionally hiding scheme: – Set-up Phase: V runs q-one-way generator G on input 1l , to obtain f : H → G. He chooses a random element y ∈ Im(f ), e.g. by choosing an element in H and applying f . Then f, G, H, y are sent to P . V must now give an zero-knowledge proof of knowledge that he knows an f -preimage of y. This proof can be easily constructed from the f -preimage protocol in Section 2.3, by using one-bit challenges, and iterating the protocol sequentially. – Commitment to integer 0 ≤ a < q: P chooses random r ∈ H, and sends commit(r, a) = y a f (r) to V . – Opening commitment C: P sends a, r to V who accepts if and only if C = commit(r, a) and 0 ≤ a < q. – Hiding Property: is clear, since if P has accepted the set-up phase, it follows (except possibly with exponentially small probability) that a commitment will have distribution independent from the value committed to, namely the uniform distribution over Im(f ). – Binding Property: If any cheating prover P ∗ can open a commitment to reveal two different values, he can produce a, r, a0 , r0 such that a > a0 0 0 and y a f (r) = y a f (r0 ). Then y a−a = f (r0 r−1 ), which means we can find a preimage of y by definition of q-one-wayness. This in turn contradicts the assumption that G is one-way, if P ∗ is in polynomial time. Next, we describe an unconditionally binding scheme: – Set-up Phase: P runs unconditionally binding q-homomorphism generator G on input 1l , to obtain f : H → G. He chooses an element y ∈ G according to Definition 23. Then f, G, H, y are sent to V . For some generators V can verify himself that indeed y has the property requested in Definition 23. If this is not the case, P must give a zero-knowledge proof that y 6∈ Im(f ). This can be done by a straightforward modification of the classical quadratic non-residuosity protocol from [20]. – Commitment to integer 0 ≤ a < q: P chooses random r ∈ H, and sends commit(r, a) = y a f (r) to V . – Opening commitment C: P sends a, r to V who accepts if and only if C = commit(r, a) and 0 ≤ a < q. – Hiding Property: follows immediately from the assumption in Definition 23. – Binding Property: Definition 23 guarantees that if V accepts the set-up phase, commitments to different values will be in distinct cosets of Im(f ). We will write [r, a]y for y a f (r), and sometimes, when no misunderstanding is possible, only [r, a] or [a]. It should be clear from the definition of these commitments that both types have a linear homomorphic property: given commitments [r, a] and [s, b], P can open [r, a] · [s, b] to reveal (a + b) mod q. Indeed, let j

430

Ronald Cramer and Ivan Damg˚ ard

be such that a + b = (a + b) mod q + jq, and let t be such that f (t) = y jq . Note that by q-one wayness, t is easy for P to compute. We have [r, a] · [s, b] = [rst, (a + b) mod q]. In a similar way, it follows that [r, a]c = [r0 , ca mod q] and y c · [r, a] = [r00 , (c + a) mod q] for a constant c and easily computable (by P ) values r0 , r00 ∈ H. 2.3

Auxiliary Protocols

All protocols in this section are proofs of knowledge and 3-move Arthur-Merlin games, with a random challenge from V as second message. We say that such a protocol has the special soundness property if from any pair of conversations (m, e, z), (m, e0 , z 0 ), where e 6= e0 , one can efficiently compute the information the prover claims to know. In [3], a definition of proofs of knowledge is given, part of which is the soundness error. Loosely speaking, this is the maximal probability with which the prover can convince the verifier without having the claimed knowledge: the definition requires that any prover with success probability larger than the soundness error should be able to compute the relevant knowledge in expected time inversely proportional to his success probability. We have the following which can be found, e.g. in the coming journal version of [13]. It is hardly surprising, but less trivial to prove than one might expect: Lemma 24 If a protocol has special soundness, it has soundness error 1/c, where c is the number of possible challenges the verifier chooses from. A protocol is special honest verifier zero-knowledge (SHVZK), if it has a simulator which on input e produces a correctly distributed conversation (m, e, z). This is a stronger condition than normal honest verifier zero-knowledge which just calls for a simulator producing a conversation with a random e. We first give a protocol for showing that a commitment contains a 0/1 value. For this, it turns out to be sufficient to be able to prove knowledge of a preimage under f . The following protocol can be used for any f generated by a q-one-way generator, and is a generalization of Schnorr’s discrete log protocol [25]: f -PREIMAGE PROTOCOL Input: f and u ∈ G. P knows v, such that f (v) = u. 1. P chooses r ∈ H at random and sends m = f (r) to V . 2. V chooses a random challenge e, so that 0 ≤ e < q and sends it to P . 3. P sends z = rv e to V , who checks that f (z) = mue . Lemma 25 If P, V follow the protocol, V always accepts. The protocol has the special soundness property and is SHVZK. Proof The first claim is trivial. The second follows directly from the definition of q-one-wayness. Finally, on input e, one simulates by choosing at random z and outputting (f (z)u−e, e, z). t u

Zero-Knowledge Proofs for Finite Field Arithmetic

431

It is clear that this protocol can be used to show that a commitment C contains 0, by using u = C, and that it contains 1 by using u = Cy −1 . We may now use the proof of partial knowledge technique from [10][12] to make a protocol in which P proves that C contains 0 or 1, without revealing which is the case. The resulting protocol is referred to as a bit commitment proof. It is still SHVZK, and has special soundness. Its communication complexity is 4l + 2 log q bits. The final auxiliary protocol we have is a multiplication protocol, an interactive proof showing that the prover can open commitments A, B, C to reveal values a, b, c for which c = ab mod q. As a side effect, we also obtain a protocol for showing that the prover can open a commitment. Assume P knows how to write the commitments in the form A = [r, a]y , B = [u, b]y , C = [s, ab mod q]y . Now observe that if we choose j such that ab = (ab) mod q + jq and set t = f −1 (y −jq )su−a , then t is easily computable by P , and C = [t, a]B . Conversely, assuming that you can open A and B to reveal a, b, knowledge of such a t implies you can open C to reveal ab mod q. With this rewriting of C we see that, loosely speaking, we need a protocol for showing that A contains the same value w.r.t. y as does C w.r.t B. This leads to: MULTIPLICATION PROTOCOL Input: f and commitments A, B, C. P knows a, r, t, b, u, such that A = [r, a]y , C = [t, a]B and B = [u, b]y . The protocol proceeds by executing the following two 3-step protocols in parallel, using the same challenge e in both instances. The first is intended to verify that A, C have the correct form, while the second verifies that the prover can open B 3 : 1. First protocol: (a) P chooses x ∈ Zq and s1 , s2 ∈ H at random and sends M1 = [s1 , x]y , M2 = [s2 , x]B to V . (b) V chooses a random number e, so that 0 ≤ e < q and sends it to P . (c) P sets z = (x + ea) mod q and chooses i such that z = x + ea + iq. He then computes w1 = s1 re f −1 (y −iq ) and w2 = s2 te f −1 (B −iq ). He sends z, w1 , w2 to V , who verifies that [w1 , z]y = M1 Ae and [w2 , z]B = M2 C e . 2. Second protocol: (a) P chooses d ∈ Zq and s ∈ H at random and sends M = [s, d]y to V . (b) V chooses a random number e, so that 0 ≤ e < q and sends it to P . (c) P sets v = (d + eb) mod q and chooses j such that v = d + eb + jq. He then computes w = sue f −1 (y −jq ). He sends v, w to V , who verifies that [w, v]y = M B e The properties of this protocol are the following: 3

In some cases, the context may imply that P knows how to open B, in which case the second subprotocol can be omitted.

432

Ronald Cramer and Ivan Damg˚ ard

Lemma 26 If P, V follow the protocol, V always accepts. The protocol has special soundness: from two accepting conversations with challenges e, e0 , e 6= e0 , one can efficiently compute a, r, b, u, s such that A = y a f (r), B = y b f (u), C = y ab mod q f (s). Finally, the protocol is SHVZK. Proof The first claim is trivial by inspection. For the second, we let two conversations (M, M1 , M2 , e, v, w, z, w1 , w2 ), (M, M1 , M2 , e0 , v 0 , w0 , z 0 , w10 , w20 ), where e 6= e0 be given. If they lead to accept, we immediately obtain 3 equations 0 from each conversation. By dividing them pairwise, we get: y z−z f (w1 w10 −1 ) = 0 0 0 0 0 −1 Ae−e , B z−z f (w2 w20 ) = C e−e and y v−v f (ww0−1 ) = B e−e . Define ω = 0 −1 0 (e − e ) mod q, and i such that (e − e )ω = 1 + iq. Let α = f −1 ((B i )q ), which is easy to compute by q-one wayness. Then by raising the last equation to ω, we get 0 B = y (v−v )ω f ((ww0−1 )ω α−1 ) which is the desired form. The other two equations can be treated similarly. For honest verifier simulation on input e, choose v, w, z, w1 , w2 uniformly at random, and compute the rest of the conversation by: M = y v f (w)B −e , M1 = y z f (w1 )C −e , M2 = B z f (w2 )C −e . t u The communication complexity of the multiplication protocol is 6l + 3 log q bits. Both our auxiliary protocols have soundness error 1/q by construction. For our main protocols, we will need error 2−k . For this, we will iterate the auxiliary protocols in parallel dk/ log qe times. This works, since SHVZK and special soundness are trivially seen to be preserved under parallel composition.

3

Examples of Group Homomorphism Generators

Any of our generators have 1l and a prime q as input parameters. Generators with bounded q include as part of their definition a constant δ. Proofs in this section are left to the reader. RSA GENERATOR The generator selects an RSA modulus N = p1 p2 of bit length l, for primes p1 , p2 , such that (q, (p1 − 1)(p2 − 1)) = 1. The output is N . For this generator, ∗ we define H = G = ZN , and f (x) = xq mod N . Lemma 31 Under the RSA assumption, the RSA generator is a q-one-way generator, with unbounded q. One can also base an unconditionally binding generator on an RSA-like function. The resulting commitment/encryption scheme was first discovered by Benaloh [7] in the context of verifiable secret sharing. q-RESIDUOSITY GENERATOR The generator selects an RSA modulus N = p1 p2 of bit length l, for primes

Zero-Knowledge Proofs for Finite Field Arithmetic

433

p1 , p2 , subject to q|(p1 − 1)(p2 − 1) and δ = log q/ log N . The output is N . ∗ For this generator, we define H = G = ZN , and f (x) = xq mod N . By the q’th residusity assumption, we mean the assumption that random elements in distinct cosets of Im(f ) as defined here are polynomially indistinguishable. This is a natural generalization of the well known quadratic residuosity assumption. Lemma 32 Under the q’th residuosity assumption, the q-residuosity generator is an unconditionally binding q-homomorphism generator. that our We now show a generator based on the discrete log problem modulo a prime number. The commitment scheme resulting from this generator was first discovered by Pedersen [24] in the context of verifiable secret sharing. DISCRETE LOG GENERATOR The generator selects randomly a prime p of bit length l, subject to δ = log q/log p and q|p − 1, where 0 < δ < 1 is a constant. It also selects g ∈ Zp∗ , such that g generates the (unique) subgroup in Zp∗ of order q. The output is p, g. For this generator, we define H = Zq , G =< g >, and f (x) = g x mod p. When using this generator as basis for our protocols, we will assume that a party receiving an element u supposedly in G always verifies that uq = 1 and stops the protocol if not. Lemma 33 Assume that any probabilistic polynomial time algorithm solves the discrete log problem modulo prime numbers as selected by the Discrete Log Generator with negligible probability. Then the Discrete Log Generator is a q-one-way generator with bounded q. We remark that nothing prevents us from using other groups of prime order, such as for example the group on an appropriately chosen elliptic curve. Finally, we show an example of an unconditionally binding generator, based on the DiffieHellman problem [11]: DIFFIE-HELLMAN GENERATOR The generator selects randomly a prime p of bit length l/2, subject to δ = log q/l and q|p − 1, where 0 < δ < 1/2 is a constant. It also selects g ∈ Zp∗ , such that g generates the (unique) subgroup in Zp∗ of order q, and finally a random h ∈< g >. The output is p, g, h. For this generator, we define H = Zq , G =< g > × < g >, and f (x) = (g x mod p, hx mod p) 4 . Recall that (p, q, g, h) can be used as a public key to encrypt an element m ∈< g > by choosing r at random and letting the ciphertext be (g r mod p, mhr mod p) [14]. Recall also the notion of polynomial security, defined by Goldwasser and Micali [18], which says that random encryptions of distinct messages are poynomially indistinguishable. 4

The remark on verification of membership in G for the Discrete Log Generator also applies here

434

Ronald Cramer and Ivan Damg˚ ard

Lemma 34 If Diffie-Hellman encryption is polynomially secure, then the DiffieHellman generator is an unconditionally binding q-homomorphism generator.

4

Protocol Descriptions

This section describes our protocols in a way that is independent from any particular implementation of the commitment scheme. We will describe how to build honest verifier zero-knowledge protocols. Well known techniques may then be used to make protocols that are zero-knowledge in general. Common to all our protocols is an intital step in which the prover and verifier go through the setup phase for the commitment scheme, as described in Section 2. This can be done once and for all, and the instance of the commitment scheme generated can be reused in several protocol executions. Therefore, we do not mention the intital step explicitly in the descriptions below. The linear homomorphic property of commitments can be used to show relations on committed bits. Concretely, suppose we want to show for two sets of bit-commitments D0 , ..., Dn and C0 , ..., Cn , where n < log q, that the same bit bi is contained in Ci and Di , for i = 1...n. This can be done much more efficiently than by comparing each Ci , Di individually. For this, we have the following protocol: EQUALITY PROTOCOL n n 2n−1 2n−1 ·..·C0 , and D = Dn2 ·Dn−1 ·..·D0 V computes the commitments C = Cn2 ·Cn−1 which should both be commitments to the number whose binary representation is bn bn−1 ...b0 . P opens CD−1 to reveal 0. It is easy to see that this game reveals nothing about the value of b0 , ..bn , and that assuming P can open each of the commitments to reveal a one-bit value, all pairs Ci , Di contain the same bit, or he can break the commitment scheme. 4.1

Protocols for Arithmetic Circuits over GF (q)

In this section, we are given an arithmetic circuit Ψ over GF (q), where q is an m-bit prime, with u inputs, t multiplication gates, and any number of linear operations. All gates have arbitrary fan-out. We assume for simplicity that there is only one output value computed, from gate G0 , we are given a value y for this output, and the prover’s goal is to demonstrate that inputs can be selected that lead to output y. STEP 1 The prover makes u commitments I1 , .., Iu , such that Ij contains input value xj ∈ GF (q). The input values are selected such that the circuit computes y as output. The prover also makes t commitments T1 , ..., Tt , such that Ti contains the value that is output by the i’th multiplication gate in the circuit, given that the inputs are x1 , ..., xu . All commitments produced are sent to V , and P proves that he knows how to open all of them.

Zero-Knowledge Proofs for Finite Field Arithmetic

435

STEP 2 Both P and V compute, based on I1 , .., Iu , T1 , .., Tt and using linearity of commitments, for each gate commitment(s) representing its input value(s), and a commitment representing its output value. PROOF, Step 3 For each multiplication gate: let A, B be the commitments representing the input values a, b, and let C be the commitment representing the output value c. P uses the multiplication protocol to convince V that ab mod q = c. PROOF, Step 4 P opens the commitment representing the output value of G0 . V accepts, if and only if all proofs in Steps 1 and 3 are accepted, and P correctly opens the commitment in Step 4 to reveal y. For clarity, we have separated the invocation of subprotocols into steps 1 and 3. However, they can all be executed in parallel, using the same random challenge from V for all of them. By SHVZK for the subprotocols, this can still be simulated against an honest verifier. We get the following, which we state without proof: Lemma 41 The above protocol is using commitments constructed from a q-one-way generator is perfect honest verifier zero-knowledge, and honest verifier zero-knowledge when using commitments constructed from an unconditionally binding q-homomorphism generator. The communication complexity is O((u+ t) (l + m)dk/me) bits in either case. A Non-interactive with Preprocessing Variant We sketch here a variant of the arithmetic circuit protocol that is non-interactive with preprocessing. The asymtotic complexity for the preprocessing is the same as the original protocol, whereas the proof phase has complexity O((u + t)(l + m)) bits. The variant is based on a technique borrowed from Beaver et al. [1]. In the preprocessing, the prover will produce commitments J1 , ..., Jm containing random values (will later represent input values), and t random triples of commitments ([d ], [e], [f ]) such that de = f mod q. The prover will show that he can open all commitments and that the multiplicative relations hold. In the proof phase, a circuit with input values is known to the prover. Consider a fixed multiplication gate. It is first assigned a distinct triple ([d], [e], [f ]) from the preprocessing. Let a, b, c, where ab = c mod q be the values actually occurring at the gate. The prover can now send to the verifier = a − d and δ = b − e. Now, the verifier can on his own compute a triple [a], [b], [c] by letting [a] = y [d], [b] = y δ [e] and [c] = y +δ [f ] · [d]δ · [e] . In the same way, the prover tells the verifier how to modify the Ji ’s to get commitments containing the correct inputs to the circuit by giving the differences between the random values in the Ji ’s and the actual values. All that remains is for the prover to show that “gates connect correctly”, i.e. that if e.g. A0 represents the output from one gate, which is connected to the

436

Ronald Cramer and Ivan Damg˚ ard

input of another gate, represented by A, the prover shows that A and A0 contain the same value by opening A0 A−1 as 0 (where, however, V can handle linear operations on his own). 4.2

Non-Interactive Protocols with Preprocessing for SAT

For the protocol description, we first need some notation and definitions: We will assume (without loss of generality) that the circuit to be proved satisfiable later is given with at most n NAND gates with fan-in 2 and arbitrary fan-out. Definition 42 A NAND-Table is a matrix with 4 rows and 3 columns containing commitments. A NAND-table is correct, if it contains only bit commitments and any of its rows ([a], [b], [c]) satisfies a ∧ b = ¬c. An NAND table is useful if it is correct, and if one obtains, by opening all its commitments and permuting the rows, the truthtable of the NAND-function. In the following the honest prover will make only useful NAND-tables, but to keep the prover from cheating it will be enough to force him to generate at least correct NAND-tables. To show correctness of a NAND-table, P can first show that the 8 commitments in the two first positions of each row are bit commitments. Then for each row [a], [b], [c], P shows that 1 − c = ab mod q. Assuming that a and b are 0/1 values, this ensures that so is c, and that ¬c = a∧b. PREPROCESSING The prover makes n useful NAND-tables, using for each table an independently and uniformly chosen permutation of the rows. He proves that all NAND-tables are correct, as described above. For the proof phase, we are given the concrete circuit Φ that should be shown to be satisfiable, containing gates G1 , .., Gn , where we assume that Gn is the gate computing the final output from the circuit. The proof string to be sent to V is constructed by P as follows: PROOF, Step 1 For i = 1..n, take the first unused NAND table Ti from the preprocessing and assign it to gate Gi . Fix a set of input bits that satisfy the circuit. A computation with these input bits selects in a natural way a row in each Ti . For i = 1..n, P includes 2 bits in the proof string indicating which row is selected. Having selected rows in all truth tables, P has defined commitments representing the inputs and output of each gate. He must now demonstrate that ”gates connect correctly”: PROOF, Step 2 We make a list of pairs of commitments as follows: Let w be a wire in the circuit. If it connects from Ti to Tj , append to to the list the pair of commitments representing the output from Ti resp. the relevant input to Tj . For each circuit input bit b, let Tk be the first gate receiving b. Append to the list a set of pairs,

Zero-Knowledge Proofs for Finite Field Arithmetic

437

each of which have the input commitment from Tk as first component and as the second an input commitment from each distinct gate also receiving b. P must now show that each pair of commitments contain the same bit. Clearly, this gives at most 2n pairs of commitments that must checked for equality. For commitments with unbounded q, or bounded commitments where δl ≥ 2n, P completes these equality proofs by opening only one commitment, by running the Equality protocol shown above. Otherwise, the bits to be compared are distributed over several commitments holding δl bits each, so P will need to open 2n/(δl) commitments. PROOF, Step 3 P opens the last commitment in the selected row of Tn (to reveal 1, in order to convince V about the final result of the computation in the circuit). VERIFICATION OF PROOF If V rejected any of the proofs in the preprocessing, V rejects immediately. V selects the rows designated by the information from Step 2 of the proof. V computes the pairs of commitments used by P in Step 3, and verifies that P have proved that all pairs contain equal bits (this amounts to verifying that P has correctly opened one or more commitments to reveal 0). Finally V verifies that the commitment opened in Step 4 was correctly opened to reveal 1. As for ACP, the subprotocols in the preprocessing can be done in parallel. This, and SHVZK for the subprotocols lead to: Lemma 43 The above protocol using commitments constructed from a q-oneway generator is perfect honest verifier zero-knowledge. If the generator has unbounded q, the communication complexity of the preprocessing is O(nl + k) bits, and O(n)max(k, l) bits otherwise. When using commitments constructed from an unconditionally binding q-homomorphism generator, the protocol is honest verifier zero-knowledge, and the communication complexity of the preprocessing is O(nl + k) bits. The proof stage has size O(n + l) in all cases. 4.3

Zero-Knowledge Proof for QBF

In [26], Shamir gave the first proof that IP = P SP ACE, by exhibiting an interactive proof system for the PSPACE complete QBF problem. A little later, Shen [27], building on Shamirs ideas, gave a somewhat more efficient proof system for QBF, which appears to be the most efficient proof system known for QBF. In this section, we sketch how our techniques may be applied to transform Shens proof system into a zero-knowledge proof system with the essentially the same communication and round complexity. By examining Shen’s protocol, one finds that all the work done takes place in a finite field GF (q) for some prime q. If, for a QBF instance of length n, we want error probability 2−n , the analysis of the protocol shows that this can be done by using a q of bit length O(n). By further inspection of the protocol, one finds that in each round of the protocol, the prover sends the coefficients of some

438

Ronald Cramer and Ivan Damg˚ ard

polynomial, the verifier checks this polynomial, and returns a random element in the field. The operations done by the verifier in order to check the polynomials received all fall in one of the following categories: 1. Evaluate a polynomial received from the prover in a point chosen by the verifier, or in a constant point. 2. Add or multiply a constant number of values computed as in 1). 3. Compare values computed as in 1) or 2). 4. The final step: insert all random values chosen by the verifier into a multivariate polynomial efficiently computable from the input QBF instance. Compare the result to a value obtained from the previous rounds. We now modify the protocol by having the prover communicate his polynomials by in stead sending commitments to each of the coefficients. This affects the number of bits needed to send a polynomial by at most a constant factor, and furthermore the verifier can on his own compute commitments to results of operations of type 1). For the multiplications in 2), the prover supplies a commitment containing the result of each such multiplication. Therefore, at the end of the interaction, the verifier has for each multiplication in the original protocol a set of triples of commitments ([a], [b], [c]), also he has one commitment D together with a value d that can be computed efficiently from the QBF instance. The verifier now only needs to be convinced that for each triple, it holds that ab mod p = c, and that D contains d. The multiplication protocol allows the prover to convince the verifier about these facts in honest verifier zero-knowledge. Since it is constant round and communicates a constant number of commitments, we get a protocol with the same round and communication complexity, up to a constant factor.

5

Results for the Main Protocols

The results below use the same notation as the corresponding protocol descriptions, and all protocols are designed for an error of 2−k . For formal definitions of proof systems, completeness, soundness and zero-knowledge, please refer to [20]. In the case of arguments, completeness and zero-knowledge are as for proof systems. For computational soundness, we use the so called relative soundness definition of [13] (with one change, see below) and show that our protocol, given an instance of the commitment scheme, has soundness error 2−k relative to the problem of breaking the commitment scheme. Concretely, this means that if a cheating prover has success probability > 2−k , then he can break the commitment scheme instance in expected time polynomial in l and linear in 1/( − 2−k ). In [13], the circuit to prove is given as input initially. This cannnot be assumed to be true for a protocol with preprocessing. So for this case, we define the success probability of a cheating prover to be the probability with which he can successfully complete the preprocessing, and then compute a non-satisfiable circuit together with a proof that the verifier will accept.

Zero-Knowledge Proofs for Finite Field Arithmetic

439

We note that all our communication complexity results are computed without including the complexity of setting up the commitment schemes, since the same commitment scheme instance can be reused in many protocol executions 5 . Theorem 51 If there exists a q-one-way generator with unbounded q then there exists a non-interactive perfect zero-knowledge argument with preprocessing for Boolean Circuit Satisfiability. The communication complexity of the preprocessing is O(nl + k) bits, while the proof phase has size O(n + l). If the generator has bounded q, the conclusion is the same, but the communication complexity of the preprocessing becomes O(n)max(k, l) bits. Theorem 52 If there exists an unconditionally binding q-homomorphism generator (with bounded q) then there exists a non-interactive zero-knowledge proof with preprocessing for Boolean Formula Satisfiability, such that the communication complexity of the preprocessing is O(n)max(k, l) bits, while the proof phase has size O(n + l). Theorem 53 If there exists an q-one-way generator, resp. an unconditionally binding q-homomorphism generator then there exists a perfect zero-knowledge argument, resp. a computational zero-knowledge proof for ACP. The communication complexity is O((u + t)(l + m)dk/me) bits in either case. A sketch of the proofs for these theorems: From Lemmas 41, 43, we have honest verifier zero-knowledge protocols, which, except for the initial set-up of commitment schemes are 3-move Arthur-Merlin games with k-bit challenges, and have communication complexities as required in the theorems. To establish soundness, we observe that from correct answers to 2 different challenges, one can compute either a satisfying assignment or two different ways to open some commitment, the latter case being of course impossible with unconditionally binding commitments. This immediately implies soundness for the interactive proof case and, using Lemma 24, also for the argument case. To show zero-knowledge in general, we observe that the interactive arguments we have from the lemmas are already zero-knowledge in general, since the verifier shows knowledge of a trapdoor for the commitments in the initial stage. Adjusting correctly the error probability of this proof, we can ensure that by rewinding the verifier, the simulator can, in expected polynomial time, either extract this trapdoor or exhaustively find a satisfying assignment. Then simulation is trivial in either case. For the interactive proof case, we use the well-known idea that the honest verifier simulator can be used as subrutine in a real simulation provided that the verifier commits to his challenge in advance. For a solution of the subtle technical problems with this, see [17]. If we use our unconditionally hiding commitments for this part, both soundness and asymptotic communication complexity will be unaffected. 5

However, in several cases, including the setup step makes no difference. This is true in general for Theorem 51, and for Theorems 52, 53 when based on the Diffie-Hellman generator.

440

Ronald Cramer and Ivan Damg˚ ard

Theorem 54 If there exists an unconditionally binding q-homomorphism generator (with bounded q), then there exists a zero-knowledge interactive proof system for the QBF problem with the same asymptotic round and communication complexity as Shen’s interactive proof system when designed to have error probability 2−n for a length n QBF instance. Proof sketch The zero-knowledge protocol described in Subsection 4.3 consists of first a stage where the prover and verifier go through ”the same” interaction as in the original proof system, except that the prover sends commitments to his messages. Then a stage, where the prover convinces the verifier that a set of relations hold between the committed values. This stage is only honest verifier zero-knowledge, but can be made zero-knowledge with no essential loss of efficiency as above, using the method from [17]. Hence the proof that our modified protocol is a zero-knowledge proof system for QBF is a straightforward modification of the proof from [6] since, like ours, the protocol built in [6] is a modification of an Arthur-Merlin interactive proof system with one-sided error. Also, the transformation from [6] results in a two-stage protocol of the same form as ours. t u Acknowledgement We thank the anonymous referees for comments that substantially improved our presentation.

References 1. D. Beaver: Efficient Multiparty Protocols Using Circuit Randomization, Proceedings of Crypto 91, Springer-Verlag LNCS, 1992, pp. 420–432. 435 2. L. Babai, L. Fortnow, L. Levin and M. Szegedi: Checking Computations in Polylogarithmic Time, Proceedings of STOC ’91. 427 3. M. Bellare and and O. Goldreich: On Defining Proofs of Knowledge, Proceedings of Crypto ’92, Springer Verlag LNCS, vol. 740, pp. 390–420. 430 4. J. Boyar, G. Brassard and R. Peralta: Subquadratic Zero-Knowledge, Journal of the ACM, November 1995. 426 5. G. Brassard, D. Chaum and C. Cr´epeau: Minimum Disclosure Proofs of Knowledge, JCSS, vol.37, pp. 156–189, 1988. 425, 425 6. M.Ben-Or, O.Goldreich, S.Goldwasser, J.H˚ astad, J.Kilian, S.Micali and P.Rogaway: Everything Provable is Provable in Zero-Knowledge, Proceedings of Crypto 88, Springer Verlag LNCS series, 37–56. 425, 427, 427, 440, 440, 440 7. J. Benaloh: Secret Sharing Homomorphisms: Keeping Shares of a Secret Secret, Proc. of Crypto 86, Springer Verlag LNCS series, 251–260. 432 8. R. Cramer and I. Damg˚ ard: Linear Zero-Knowledge, Proc. of STOC 97. 426, 426, 426, 427 9. R. Cramer, I. Damg˚ ard and U. Maurer: Span Programs and General Secure Multiparty Computations, BRICS Report series RS-97-27, available from http://www.brics.dk. 425 10. R. Cramer, I. Damg˚ ard and B. Schoenmakers: Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols, Proceedings of Crypto ’94, Springer verlag LNCS, vol. 839, pp. 174–187. 431 11. W. Diffie and M. Hellman: New Directions in Cryptography, IEEE Transactions on Information Theory IT-22 (6): 644–654, 1976. 433

Zero-Knowledge Proofs for Finite Field Arithmetic

441

12. De Santis, Di Crecenzo, Persiano and Yung, Proceedings of FOCS 1994. 431 13. I. Damga˚ ard and B. Pfitzmann: Sequential Iteration of Interactive Arguments, Proc. of ICALP 98, Springer Verlag LNCS series. 430, 438, 438 14. T. ElGamal, A Public-Key Cryptosystem and a Signature Scheme based on Discrete Logarithms, IEEE Transactions on Information Theory, IT-31 (4): 469–472, 1985. 433 15. L.Fortnow: The complexity of Perfect Zero-Knowledge, Adv. in Computing Research, vol.5, 1989, 327–344. 425 16. E. Fujisaki and T. Okamoto: Statistical Zero-Knowledge Protocols to prove Modular Polynomial Relations, Proceedings of Crypto 97, Springer Verlag LNCS series. 425 17. O. Goldreich and A. Kahan: How to Construct Constant-Round Zero-Knowledge Proof Systems for NP, Journal of Cryptology, (1996) 9: 167–189. 439, 440 18. S. Goldwasser and S. Micali: Probabilistic Encryption, JCSS, vol.28, 1984. 433 19. O. Goldreich, S. Micali and A. Wigderson: Proofs that yield Nothing but their Validity and a Methodology of Cryptographic Protocol Design, Proceedings of FOCS ’86, pp. 174–187. 425 20. S. Goldwasser, S. Micali and C. Rackoff: The Knowledge Complexity of Interactive Proof Systems, SIAM J.Computing, Vol. 18, pp. 186-208, 1989. 425, 429, 438 21. R.Gennaro, T.Rabin and M.Rabin: Simplified VSS and Fast-Track Multiparty Computations, Proceedings of PODC ’98. 425 22. J. Kilian: A note on Efficient Proofs and Arguments, Proceedings of STOC ’92. 426 23. J. Kilian: Efficient Interactive Arguments, Proceedings of Crypto ’95, Springer Verlag LNCS, vol. 963, pp. 311–324. 426, 426, 427, 427, 427 24. T. Pedersen: Non-Interactive and Information Theoretic Secure Verifiable Secret Sharing, proc. of Crypto 91, Springer Verlag LNCS, vol. 576, pp. 129–140. 433 25. C. P. Schnorr: Efficient Signature Generation by Smart Cards, Journal of Cryptology, 4 (3): 161–174, 1991. 430 26. A.Shamir: IP=PSPACE, Journal of the ACM, vol.39 (1992), 869-877. 427, 437 27. A. Shen: IP=PSPACE, Simplified Proof, Journal of the ACM, vol.39 (1992), pp.878-880. 427, 437 28. A. De Santis, S. Micali, G. Persiano: Non-interactive zero-knowledge with preprocessing, Advances in Cryptology - Proceedings of CRYPTO 88 (1989) Lecture Notes in Computer Science, Springer-Verlag pp. 269–282. 426

Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints? Cynthia Dwork1 and Amit Sahai2 1

IBM Almaden Research Center 650 Harry Road, San Jose, CA 95120, USA [email protected] 2 MIT Laboratory for Computer Science 545 Technology Square, Cambridge, MA 02139, USA [email protected]

Abstract. An interactive proof system (or argument) (P, V ) is concurrent zero-knowledge if whenever the prover engages in polynomially many concurrent executions of (P, V ), with (possibly distinct) colluding polynomial time bounded verifiers V1 , . . . , Vpoly(n) , the entire undertaking is zero-knowledge. Dwork, Naor, and Sahai recently showed the existence of a large class of concurrent zero-knowledge arguments, including arguments for all of NP, under a reasonable assumption on the behavior of clocks of nonfaulty processors. In this paper, we continue the study of concurrent zero-knowledge arguments. After observing that, without recourse to timing, the existence of a trusted center considerably simplifies the design and proof of many concurrent zero-knowledge arguments (again including arguments for all of NP), we design a preprocessing protocol protocol, making use of timing, to simulate the trusted center for the purposes of achieving concurrent zero-knowledge . Once a particular prover and verifier have executed the preprocessing protocol protocol, any polynomial number of subsequent executions of a rich class of protocols will be concurrent zero-knowledge.

1

Introduction

In order to be useful in the real world, cryptographic primitives and protocols must remain secure even when executed concurrently with other arbitrarily chosen protocols, run by arbitrarily chosen parties, whose identities, goals, or even existence may not be known. Indeed, this setting, characterized in [13] as a distributed computing aggregate, describes the Internet. Electronic interactions over an aggregate, such as economic transactions, transmission of medical data, data storage, and telecommuting, pose security risks inadequately addressed in computer science research. In particular, the issue of the security of concurrent executions is often1 ignored. ?

1

Most of this work performed while at the IBM Almaden Research Center. Also supported by a DOD NDSEG doctoral fellowship, and DARPA grant DABT-96-C0018. but not always, e.g. [1] in a different setting

H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 442–458, 1998. c Springer-Verlag Berlin Heidelberg 1998

Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints

443

A zero-knowledge protocol is supposed to ensure that no information is leaked during its execution. However, when zero knowledge interactions are executed concurrently both parties can be at risk. Consider the case of zero knowledge proofs: the verifier faces the possibility that the prover with which it is interacting is actually using some concurrently running second interaction as an “oracle” to help answer the verifier’s queries – this is the classical chess master’s problem. In the case of a proof of knowledge, the interaction may not actually yield a proof. This is an issue of potential malleability of the interactive proof system, and is addressed in [13]. In contrast, the prover faces the risk that concurrent executions of a protocol with many verifiers may leak information and may not be zero-knowledge in toto. In this case the interaction remains a proof but may fail to remain zero knowledge. This issue was first addressed in [16]. To overcome this difficulty, [16] introduce the notion of an (α, β) constraint for some α ≤ β: For any two (possibly the same) non-faulty processors P1 and P2 , if P1 measures α elapsed time on its local clock and P2 measures β elapsed time on its local clock, and P2 begins its measurement in real time no sooner than P1 begins, then P2 will finish after P1 does. As [16] points out, an (α, β) constraint is implicit in most reasonable assumptions on the behavior of clocks in a distributed system (e.g., the linear drift assumption). According to the (standard) view that process clocks are under the control of an adversarial scheduler, the (α, β) constraint limits the choices of the adversary to schedules that satisfy the constraints. Under an (α, β) constraint, [16] shows that there exist constant round concurrent zero-knowledge protocols of various kinds, for example, arguments for any language in N P 2 . In the protocols of [16], processors make explicit use of their local clocks in order to achieve concurrent zero-knowledge. The protocols require that certain timing constraints be met, which limit the kinds of protocol interleavings that can occur. Our Contribution. In this work, we reduce the need for timing in achieving concurrent zero-knowledge. Specifically, for a rich class of interactive protocols, we are able push all use of timing into a constant round preprocessing phase; furthermore, the real time at which the preprocessing phase between a prover P and verifier V1 occurs need not have any relation to the real time when P and a different verifier V2 execute the preprocessing. After this preprocessing protocol phase, the prover and the verifier can execute any polynomial number of a rich class of protocols without any further timing constraints, and the whole interaction will be concurrent zero-knowledge. We require the existence of a semantically secure public-key encryption scheme. By limiting the use of timing to a single initial phase for each (P, V ) pair, our methods can reduce the real execution time of protocols. This is because once preprocessing completes the parties never deliberately introduce timing delays in executing steps of future protocols. In contrast, in the protocols of [16] such deliberate delays play a critical role. For many applications, where two parties 2

under verious standard computational assumptions

444

Cynthia Dwork and Amit Sahai

will be executing many zero-knowledge protocols, such as authentication with a system, these repeated delays may be expensive. Moreover, as we will see, our approach frequently yields simpler protocols that are easier to prove concurrent zero-knowledge. Colluding Verifiers interacting with the Prover V1 V2 . . . Vn Step 1 Step 2 Step 1 Step 2 .. . Step Step Step Step

1 2 3 4

.. . Step 3 Step 4 Step 3 Step 4 Diagram 1. A troublesome interleaving for concurrent zero-knowledge. Interleavings of Protocols. The difficulty in achieving concurrent zeroknowledge is due to the existence of certain “bad” interleavings of concurrently executing protocols. The bad interleavings revolve around the difficulty of simulating a transcript of multiple concurrent interactions (recall that the ability to simulate an interaction is the core of the definition of zero-knowledge). Consider the standard (computational) zero-knowledge protocol for 3-colorability3 [22], which can be based on any information-theoretic commitment scheme. Generic Zero-Knowledge Argument for 3-Colorability: 1) V −→ P : Information-theoretic commitment to queries. 2) P −→ V : Commitment to graphs and colorings. 3) V −→ P : Open queries. 4) P −→ V : Open queried graphs or colorings, which V then checks are valid. The standard simulator, having access only to V , produces transcripts of this protocol as follows. First, it receives V ’s commitment in Step 1. Then, supplying V initially with “garbage” in Step 2, the simulator discovers the queries V committed to through V ’s Step 3 response. The simulator uses this knowledge to construct graphs and colorings which would fool these particular queries. Then 3

This is the “‘parallelized” version that has negligible error while remaining zeroknowledge.

Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints

445

the simulator “rewinds” the interaction to just after Step 1, and supplies V with a commitment to these new graphs and colorings in Step 2. Since V is already committed by Step 1, its Step 3 response cannot change. Thus, the simulator can open the graphs and colorings according to the queries, and V will accept. This simulator fails in the context of concurrent interactions because of the rewinding. Consider the following interleaving of n colluding verifiers following the generic four-round protocol described above. An adversary controlling the verifiers can arrange that the Step 1 commitments to queries made by verifiers Vi+1 , . . . , Vn can depend on messages sent by the prover in Step 2 of its interaction with Vi . It is a well-known open problem how to simulate transcripts with this interleaving in polynomial time; the difficulty with the straightforward approach is that once the queries in the interaction with Vi are opened (in Step 3), it becomes necessary to re-simulate Step 2 of the interaction with Vi , and therefore the entire simulation of the interaction with verifiers Vi+1 , . . . , Vn must be re-simulated. The most deeply nested transaction, with Vn , is simulated roughly 2n times. Remark on Commitment Schemes The literature discusses two types of bit or string commitment: computational and information-theoretic. In computational string commitment there is only one possible way of opening the commitment. Such a scheme is designed to be secure against a probabilistic polynomial time receiver and an arbitrarily powerful sender. In information theoretic commitment it is possible to open the commitment in two ways, but the assumed computational boundedness of the sender prevents him from finding a second way. Such a scheme is designed to be secure against an arbitrarily powerful receiver and a probabilistic polynomial time prover. See [13] for a formal definition of computational commitment. The commitments in Step 1 of the generic zero-knowledge argument must be information-theoretic, meaning that information theoretically nothing is leaked about the committed values. This is for soundness, rather than for zeroknowledge. Our techniques require that the verifier only use computational commitments (for example, as in the 6-round zero-knowledgeargument for NP of Feige and Shamir [19], which we modify for technical reasons). The Trusted Center Model. Consider a model in which a trusted center gives out signed public key, private key pairs (E, D) of some public key cryptosystem to every user over a secure private channel. As we now explain, in this model arguments such as the one given in [19] can be simulated without rewinding, provided that the commitments by V are performed using the public key E given to it by the trusted center. This is significant because, if there is no rewinding, then interleavings such as the one described above are not problematic. The simulator for V simulates its interaction with the trusted center as well as with P . So, the simulator knows the private key D corresponding to the public key E used in V ’s commitments. Hence, the simulator never has to rewind to learn a committed value. We call such simulations, in which rewinding is

446

Cynthia Dwork and Amit Sahai

avoided, straight-line4 . In the case of straight-line zero-knowledge protocols, it is clear that concurrent interactions pose no threat to simulability, since the simulator can simulate each interaction independently in a straight-line fashion. This trusted center model is extremely powerful, and a great many standard protocols become straight-line zero-knowledge, and hence concurrent zero-knowledge, in the trusted center model with only minor modifications. For example, aside from arguments for N P , we also exhibit natural protocols for deniable message authentication and coin flipping. Although straight-line zero-knowledge implies concurrent zero-knowledge without any timing constraints in the trusted center model, the notion of a trusted center that knows everyone’s private keys and communicates over secure channels is undesirable or infeasible in many contexts. The preprocessing protocol protocol of Section 4 uses timing to permit P and V to agree on a key EV for V to use for commitments in their future interactions. Intuitively, the interaction ensures (with overwhelming probability) that V (perhaps with the collusion of other verifiers, but with absolutely no help from P ), “knows” the corresponding decryption key DV . Formally, the preprocessing protocol protocol will ensure that subsequent interactions between P and V that would have been straight-line zero-knowledge in the trusted center model, are actually straightline zero-knowledge in the conventional model.

2

Model and Definitions

Timing. We assume that all parties in any interaction have access to local clocks. Furthermore, as proposed in [16], we assume that there are known constants α and β ≥ α, for which the following (α, β) constraint holds: For any two (possibly the same) non-faulty processors P1 and P2 , if P1 measures α elapsed time on its local clock and P2 measures β elapsed time on its local clock, vand P2 begins its measurement in real time no sooner than P1 begins, then P2 will finish after P1 does. Zero-Knowledge and Concurrent Zero-Knowledge. In the original “black box” forumulation of zero-knowledge proof systems [24], an interactive proof system (P, V ) for a language L is computational (or perfect) zero-knowledge if there exists a probabilistic, expected polynomial time oracle machine S, called the simulator, such that for every probabilistic polynomial time verifier strategy V ∗ , ∗ the distributions (P, V ∗ )(x) and S V (x) are computationally indistinguishable (or identical) whenever x ∈ L. Here, formally, the machine V ∗ is assumed to take as input a partial conversation transcript, along with a random tape, and 4

Note that without a trusted center or some other extra source of power, straightline zero-knowledge is not an interesting concept, since any language that premits a straight-line zero-knowledge proof in the conventional sense must be in BPP – the simulator could act as the prover.

Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints

447

output the verifier’s next response. This defintion also holds in the case of arguments [7], or computationally-sound proofs, where the prover and verifier are both probabilistic polynomial time machines. Following [16], to investigate preservation of zero-knowledge in a distributed setting, we consider a probabilistic polynomial time adversary that controls many verifiers simultaneously. Here, we consider an adversary A that takes as input a partial conversation transcript of a prover interacting with several verifiers concurrently, where the transcript includes the local times on the prover’s clock when each message was sent or received by the prover. The output of A will either be a tuple (ıreceive, V, α, t), indicating that P receives message α from V at time t on P ’s local clock, or (ısend, V, t), indicating that P must send a message to V at time t on P ’s local clock. The adversary must output a local time for P that is greater than all the times given in the transcript that was input to A (the adversary cannot rewind P ), and standard well-formedness conditions must apply. If these conditions are not met, this corresponds to a non-real situation, so such transcripts are simply discarded. Note that we assume that if the adversary specifies a response time t for the prover that violates a timing constraint of the protocol with V , the prover should answer with a special null response which invalidates the remainder of the conversation with verifier V . The distribution of transcripts generated by an adversary A interacting with a prover P on common input x is denoted (P ↔ A)(x). We say an argument or proof system (P, V ) for a language L is computational (or perfect) concurrent zero-knowledge if there exists a probabilistic, expected polynomial time oracle machine S such that for every probabilistic polynomial time adversary A, the distributions (P ↔ A)(x) and S A (x) are computationally indistinguishable (or identical) whenever x ∈ L. Note that since we assume that the prover acts honestly and follows the protocol, it does not matter if there is a single entity that is acting as the prover for all verifiers, or if there are many entities that are acting as provers for subsets of the verifiers, since the actions of the provers would be the same, and in our model, the timing of events is controlled by the adversary. NIZK. Some of our protocols make use of non-interactive zeroknowledge (NIZK) proof constructions [5,20,2,4] for languages in N P . Note, however, that although typically one considers NIZK in a model where all parties share a public random string, we do not make any such assumptions in any model we consider. In a NIZK proof, the prover P and verifier V have a common input x and also share a random string σ, called the reference string, of length polynomial in the length of x. The prover wishes to convince the verifier of the membership of x in some fixed N P language L. To this end, the prover is allowed to send the verifier a single message m = P (x, σ), computed (probabilistically) as a function of x, σ. The probabilistic polynomial time verifier must decide whether or not to accept as a function of x, σ, and m. Such an interaction (P, V ) is an NIZK proof system for L if: (1) If x ∈ L, for all σ, (P, V )(x, σ) accepts. (2) If x ∈ / L, for all P ∗ , the probability over σ and the random coins of P and V that (P ∗ , V )(x, σ) accepts is negligible. (3) There exists a proba-

448

Cynthia Dwork and Amit Sahai

bilistic polynomial time simulator S such that, if x ∈ L, then the distributions S(x) and (σ, P (x, σ)), where in the latter distribution σ is chosen uniformly, are computationally indistinguishable. We further ask that the prover be probabilistic polynomial time, but also allow that in the case when x ∈ L, the prover is given a witness w for the membership of x ∈ L. We require, however, that the distribution (σ, P (x, σ, w)) be computationally indistinguishable from S(x) no matter how the witness w is chosen. [20,2] show that such NIZK proof systems with efficient provers exist for every language in N P assuming trapdoor permutations exist. Note that the definition above gives “bounded” NIZK proof systems, i.e., a given reference string σ can be used to prove only one N P statement. We also require unbounded NIZK proof systems, in which any polynomial number of N P statements can be proven in zero-knowledge using the same reference string σ. [12,20] have shown that the existence of a bounded NIZK proof system for an N P -complete language L with an efficient prover implies the existence of unbounded NIZK proof systems with efficient provers for any language in N P . A precise definition of unbounded NIZK can be found in [2,4,20]. Note that NIZK proofs are truly non-interactive only if the prover and the verifier already agree on a random string σ, which we do not assume. Furthermore, if the distribution of σ is far from uniform, then the zero-knowledge condition fails to hold. This issue motivates our concurrently simulable random selection protocol, described below. Assumptions. We require a probabilistic public key cryptosystem that is semantically secure [23]. The encryptions must be uniquely decodable (so the scheme must be undeniable [9]). We will use the public key cryptosystem for computationally secure string commitment as follows: V uses an encryption key E to commit to a string s by simply sending an encryption e of s using a random string r. To open s, V sends s, r; the receiver checks that e = E(s, r).

3

Straight-Line Zero-Knowledge in the Trusted Center Model

In order to define the class of protocols for which our construction applies, we consider a trusted center model, in which the trusted center communicates to each participant a public key, private key pair (E, D) for a public key cryptosystem, over a secure private channel. More formally, we assume the existence of a trusted center with which any party can interact using a secure private channel. In our model, before any protocol (P, V ) begins, first V receives a public key and private key pair (E, D) from the trusted center over a secure channel, whereas P receives only E from the trusted center. Then the interaction takes place as in the normal model. Also in our trusted center model, we modify the definition of zero-knowledge to require the simulator to also simulate the interaction with the trusted center, which in particular means that the simulator produces the public key E and private key D given to any verifier.

Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints

449

We use the trusted center model only for definitional purposes; our protocols do not assume a trusted center. In particular, we will define the class of protocols that are straight-line zero-knowledge in the trusted center model and argue that any protocol in this class is concurrent zero-knowledge. We will show that this class is rich, and, in the next section, show how to use timing to replace the role of the trusted center by means of a preprocessing phase. As noted above, the trusted center model is extremely powerful; in particular, in this model Rackoff and Simon were able to define and construct noninteractive zero-knowledge proofs of knowledge [27]. These noninteractive proofs could then be used to prove “plaintext awareness” of encrypted messages (intuitively, that the sender “knows” what he is sending), resulting in a cryptosystem secure against the most general chosen ciphertext attacks (called chosen ciphertext in the post-processing mode in [13]; the construction of the cryptosystem in [27] also requires the trusted center to establish a digital signature scheme). This is equivalent to non-malleable security against a post-processing chosen ciphertext attack [13]. The trusted center model also proves useful in the context of concurrent zero-knowledge. In particular, if the protocol requires that commitments be made using the key E chosen by the trusted center, then the construction of concurrent zero-knowledge protocols becomes a simpler task: the simulator simulates each party’s interaction with the trusted center, and hence knows the secret key D for each public key E later used in the protocol. We will prove concurrent zero-knowledge in the trusted center model by establishing an even stronger property, straight-line zero-knowledge. Intuitively, a protocol is straight-line zero-knowledge if there exists a simulator that does no “re-winding” in order to produce its transcript. Formally, a zero-knowledge interactive protocol (P, V ) is straight-line zero-knowledge if the simulator S for the protocol is of a special form. Recall S is in general an expected polynomial time machine that uses a verifier strategy V ∗ as an oracle, giving it partial transcripts and obtaining the verifier’s next message as its response. Define ∗ O(S V (x; r)) = (q1 , q2 , . . . , qm ) to be the ordered sequence of oracle queries (partial transcripts) given by S to V ∗ , on input x and using random bits r. We ∗ require for every V ∗ , x, and r, letting O(S V (x; r)) = (q1 , q2 , . . . , qm ), that the transcript qi is a prefix of qi+1 for 1 ≤ i ≤ m − 1. Such a simulator S is called a straight-line simulator. It is immediate that a straight-line zero-knowledge protocol is also concurrent zero-knowledge, since interaction with many verifiers simultaneously can be simulated by simply simulating the interaction with each verifier separately using the straight-line simulator. Note that, in the conventional framework for zero-knowledge proofs, straightline zero-knowledge proofs can only exist for languages in BP P , since the polynomial time simulator can act as the prover. In the trusted center model, this need not concern us, since the real prover cannot impersonate the trusted center, whereas the simulator can.

450

3.1

Cynthia Dwork and Amit Sahai

Examples

The class of protocols with straight-line simulators in the trusted center model is rich. Generic NP. The generic argument for membership in an NP language, described in Section 1 requires information-theoretic commitments on the part of the verifier, and therefore does not fit our model. The 6-round protocol of Feige and Shamir [19], which can be based on any one-way function, can be modified to be straight-line zero-knowledge in the trusted center model provided that the verifier’s commitments are made using the key received from the trusted center. The modification involves using an information-theoretic commitment scheme for an additional initial commitment by the prover (details are omitted for lack of space). Thus, there is a constant round straight-line zero-knowledge argument in the trusted center model for every language in NP based only on the existence of semantically secure public-key encryption and information-theoretic commitment schemes. However, there is a simpler, four round scheme, based on the existence of trapdoor permutations, which we present below. Random String Selection. We next describe a random string selection (coinflipping) protocol, by which two parties P and V can select a random string which will be random as long as one of the parties is honest. The random selection protocol has the following extremely useful property: in the trusted center model, the simulator can force any desired string as the outcome of the protocol; moreover, the distribution of simulated transcripts is identical to the distribution on actual transcripts, conditioned on any given output. In the sequel, let E denote the public key assigned to the verifier by the trusted center. The natural cryptographic protocol for random selection of strings of length k, due to [3], can be made straight-line simulable as follows5 : 1) V −→ P : E(rV ) : rV ∈R {0, 1}k 2) P −→ V : rP : rP ∈R {0, 1}k 3) V −→ P : Reveal coins used to generate E(rV ). The output of the protocol is rV ⊕ rP . Since E(rV ) is a computationally secret commitment to any party that does not know D, it is clear that this protocol achieves the desired random selection properties. Here, the simulator, on input x ∈ {0, 1}k , (after having simulated the trusted center, i.e., having supplied V with a public key, private key pair (E, D)), receives the verifier’s Step 1 message. Using D, it recovers rV . The simulator then supplies V ∗ with the Step 2 message x ⊕ rV . In Step 3, V ∗ must decommit to rV , and so the output of the protocol is x. If the input x is chosen uniformly at random, then the simulator’s Step 2 message, x ⊕ rV will also be uniformly random. Hence, the simulator’s distribution will actually be identical to the distribution of actual transcripts. 5

It is interesting that if the roles of P and V are reversed, P ’s new role in the protocol is no longer known to be simulable.

Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints

451

Alternative NP. We can use the random string selection protocol to give a 4round alternative to the straight-line zero-knowledge argument system for N P that is also straight-line zero-knowledge in the trusted center model, if we make the stronger assumption that trapdoor permutations exist. By [20,2], assuming trapdoor permutations exist, there are efficient prover NIZK proofs for N P . Recall that NIZK proofs require a random string to be shared by the parties P and V . We will use the random selection protocol above to select this shared randomness. The following protocol is therefore an argument proving x ∈ L for any language L ∈ N P : 1) 2) 3) 4)

V P V P

−→ P −→ V −→ P −→ V

: : : :

E(rV ) : rV ∈R {0, 1}poly(|x|) rP : rP ∈R {0, 1}poly(|x|) Reveal coins used to generate E(rV ). NIZK proof that x ∈ L using reference string σ = rV ⊕ rP .

Note that Step 4 can later be repeated any (polynomial) number of times to prove different statements in N P once the reference string has been established (using an unbounded NIZK proof system such as the one given in [20]). A straight-line simulator proceeds as follows. First, it calls the simulator SN IZK (x) of the NIZK proof system, which produces a reference string σ and an NIZK proof p. The straight-line simulator given above for the random selection protocol is then invoked to produce a transcript for Steps 1-3 that force rV ⊕ rP = σ. The simulator then outputs p as the prover’s Step 4 message, and terminates the simulation. Since the distribution SN IZK (x) is computationally indistinguishable from the distribution (σ, p) where σ is truly random, and p is generated by the NIZK prover’s algorithm, we have that the distribution of our straight-line simulator will be computationally indistinguishable from the distribution of actual conversation transcripts of this protocol. Deniable Message Authentication. NIZK proofs can also be useful for constructing straight-line zero-knowledge protocols for other applications. Consider the problem of deniable message authentication [13,15,16]. Here, the prover wishes to authenticate a message m to the verifier, in such a way that no other party can verify the authentication. In particular, we require that verifiers cannot prove to anyone else that the prover authenticated m. It suffices that the protocol be concurrent zero-knowledge, since if the verifiers could generate the transcript of their conversations with the prover on their own, then certainly it will not be possible to prove that the prover authenticated m to any other party. We exhibit a very natural protocol for this task, with a slight modification to make it straight-line zero-knowledge. For this protocol, we will require a non-malleable public key encryption scheme. Note that the encryption scheme must be non-malleable in the conventional model, not just in the trusted center model! Let the prover’s public non-malleable encryption key be EP , for which it alone knows the private key. 1) V −→ P : E(rV ), where rV ∈R {0, 1}poly(|x|) 2) P −→ V : rP , where rP ∈R {0, 1}poly(|x|)

452

Cynthia Dwork and Amit Sahai

3) V −→ P : Reveal coins used to generate E(rV ). Choose r ∈R {0, 1}k . Send EP (m ◦ r), y = E(r), and an NIZK proof that the two encryptions sent are consistent with some r ∈ {0, 1}k using reference string σ = rV ⊕ rP . 4) P −→ V : r Note that the first two steps can be omitted if there is some other source of a random string to use as the reference string for the NIZK proof. Such a string could, for example, be found as part of the public key for the prover’s encryption scheme, as it is in the construction of [13]. The straight-line simulator simulates the first 2 steps trivially. In Step 3, after checking the NIZK, the simulator uses D to decrypt y, yielding rS . Note that if the NIZK proof was accepted, then the decryption will correctly give rS = r with all but negligible probability. Hence, the simulator simply outputs rS as the prover’s final message, and terminates. The simulator will thus fail with no more than a negligible probability. These examples illustrate not only that the class of straight-line zeroknowledge protocols in the trusted center model is rich, but also that it is not difficult to construct proofs that fit this definition. In the next section, we show how to eliminate the trusted center for the purpose of concurrent zero-knowledge using a preprocessing protocol based on timing constraints.

4

The Preprocessing Protocol

In this section, we show how to how to achieve concurrent zero-knowledge without the trusted center for all protocols that are straight-line zero-knowledge in the trusted center model. This is accomplished by replacing the trusted center with a preprocessing protocol that employs timing constraints. This eliminates the trusted center for the purpose of maintaining concurrent zero-knowledge. Let G be the generator for a public-key cryptosystem which requires `(n) random bits. We will write G(1n , σ) = (E, D) to mean that G, when given security parameter n and random bits σ ∈ {0, 1}`(n), produces the public encryption algorithm E and private decryption algorithm D. Let C be a secure commitment scheme, such as the elegant scheme of [26]. The protocol uses the Basic Commit with Knowledge protocol (BCK) of [13]. Preprocessing Protocol: 0. V : Generates random strings σ, r01 , r02 , . . . r0n , r11 , r12 , . . . , r1n ∈ {0, 1}`(n) V runs G(1n , σ) to produce E and D, and sets up the scheme C. 1. V −→ P : E, C(σ), C(r01 ), C(r02 ), . . . , C(r0n ), C(r11 ), C(r12 ), . . . , C(r1n ). 2. P −→ V : Random bits b1 , b2 , . . . , bn . i ⊕ σ. 3. V −→ P : For each i, opens C(rbi i ) and sends r(1−b i) 4. V ←→ P : Verifier gives a ZK argument (e.g. [19]) of consistency of the Step 1-3 messages above with some σ such that G(1n , σ) produces E. 5. P −→ V : If Step 4 is accepted, send “READY.”

Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints

453

Timing Constraints: (1) P requires the Step 3 message to be received before time α has elapsed on its local clock since the Step 1 message was sent. If a verifier V fails to respond in this allotted time, we say V has timed out. (2) P does not send the Step 5 signal until time β has elapsed on its local clock since Step 1. For zero-knowledge, we assume that the adversary is constrained by an (α, β)constraint. For completeness we must also assume that V can send its Step 3 message in the real time required for time α to elapse on P ’s local clock. The following theorem shows that these timing constraints effectively eliminate all problematic interleavings. Theorem 1. Assuming that a semantically secure public-key cryptosystem exists, the Preprocessing Protocol, followed by any polynomial number of protocols that are straight-line zero-knowledge in the trusted center model, is (computational) concurrent zero-knowledge. Furthermore, using the Preprocessing Protocol does not give the Prover any advantage it would not have in the original protocol. In particular, using the Preprocessing Protocol does not endanger the soundness of any protocol that was sound in the trusted center model. Theorem 2. Let π = (P, V ) be any protocol in the trusted center model, and let π 0 = (P 0 , V 0 ) be the Preprocessing Protocol followed by π in the normal model. Then, for any probabilistic polynomial time prover P ∗ , there exists another prover P ∗∗ such that the distribution of transcripts from (P ∗ , V 0 ) (not including the transcript of the Preprocessing Protocol) is computationally indistinguishable from the distribution of transcripts from (P ∗∗ , V ) (not including the initial interaction with the trusted center). Proof (of Theorem 2). Theorem 2 follows from the fact that the verifier’s role in the Preprocessing Protocol is simulable without knowing D or a σ such that G(1n , σ) = (E, D). P ∗∗ behaves as follows: First it simulates the Preprocessingprotocol with P ∗ , and then it simply behaves as P ∗ does afterwards. From the trusted center, it first receives E. Then it generates random strings σ, r01 , r02 , . . . r0n , r11 , r12 , . . . , r1n ∈ {0, 1}`(n), and sets up the commitment scheme C with P ∗ . It sends E, C(σ), C(r01 ), C(r02 ), . . . , C(r0n ), C(r11 ), C(r12 ), . . . , C(r1n ) to P ∗ , who responds with some random bits b1 , b2 , . . . , bn . P ∗∗ then for each i, opens i C(rbi i ) and sends r(1−b ⊕ σ. Note that all this time σ had absolutely nothing i) to do with E. However, by the zero-knowledge property of the argument of Step 4, P ∗∗ can simulate Step 4 as if G(1n , σ) = (E, D). By this zero-knowledge condition, the transcript of all steps so far is computationally indistinguishable from a partial transcript of a real interaction of V 0 and P ∗ . Since the state of P ∗ at the end of Step 4 (i.e. the beginning of π) is computationally indistinguishable from its state at this point in a real interaction with V 0 , the theorem follows.

454

Cynthia Dwork and Amit Sahai

Proof (of Theorem 1, using the proof techniques of [16].). First, we observe that the timing constraints yield the following interleaving contraint: Interleaving Constraint: While any verifier is in Steps 1-3 and has not timed out, no new interaction can be started and complete Step 5. Note that this remains true by the (α, β)-constraint even if there are many provers with different local clocks, since the time between Steps 1-3 must always be less in real time than the minimum delay in real time between Steps 1-5. Note also that in all steps the prover needs no special information to carry out her side of the protocol. Hence, for any particular verifier, all steps in the Preprocessing protocol are trivial to simulate (perfectly) in a straight-line fashion. To be able to simulate any subsequent protocol that is straight-line zero-knowledge in the trusted center model, we appeal to the following Lemma: Lemma 1. For any verifier V , if the simulator has Step 3 responses for two different Step 2 queries (for the same Step 1 message), then the simulator can simulate all subsequent executions of protocols with V that are straight-line zeroknowledge in the trusted center model (computationally) in a straight-line fashion with all but negligible probability. Proof. Since the Step 2 queries were different, there exists an i such that V opened both r0i and r1i , and (supposedly) supplied both a = r1i ⊕σ and b = r0i ⊕σ. The simulator can test both a ⊕ r1i and b ⊕ r0i by running G with these inputs. If G produces V ’s encryption key E, then we know that the decryption key D produced must be V ’s secret key. If this is the case, the simulator has V ’s secret key and can simulate all future protocols that are straight-line zero-knowledge in the trusted center model (computationally) in a straight-line fashion, by assumption. If not, for any future simulation of V , when the simulator obtains a Step 3 response γ from V , it again checks with the responses it already has to see if this new response will yield a valid secret key for V . If this is not the case, then the simulator has proof that γ is inconsistent with the commitments in V ’s Step 1 message. Hence with all but negligible probability, V will not pass Step 4 of the protocol, by the soundness of the ZK Argument. Note that the soundness condition for ZK Arguments requires that no PPT prover can succeed in proving a false statement with more than negligible probability. The interaction of the PPT A and the PPT simulator together certainly still comprise a PPT system, and hence cannot prove the false statement with more than negligible probability. Thus with all but negligible probability, V never makes it past Step 4, and the Lemma follows. We now describle a subroutine of the simulator called Extract. The subroutine takes two arguments, the name of a verifier Vi , and a partial starting transcript T that includes the Step 1 message of Vi . Extract(Vi,T ) is only called if the simulator already has obtained one Step 3 response from Vi . The

Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints

455

purpose of calling Extract on Vi is to create for Vi the situation required by the Lemma. In Extract(Vi,T ) the simulator repeats the following procedure as many times as needed to obtain another Step 3 response from V . – Starting with partial transcript T , begin a simulation until either Vi gives a Step 3 response or more than time α has passed since Step 1 of Vi . During this simulation: • For any verifiers introduced after the Step 1 message of Vi , by the Interleaving Constraint, we know these verifiers will never proceed past Step 5 in the time allotted, so simulate the interaction with them perfectly. • If any verifier Vj which was introduced before the Step 1 message of Vi gives a Step 3 response: ∗ If the simulator has already obtained two Step 3 responses from Vj , by the Lemma all interaction with Vj can be simulated in a straightline fashion. ∗ If not, the simulator executes Extract(Vj ,T ). Thus, we are guaranteed that after executing Extract(Vi, T ) we have received two Step 3 responses from Vi . If the two responses received are the same, the simulator fails. This can only happen if the random bits chosen by the simulator in Step 2 were identical, an event with exponentially small probability. We will later argue that the simulator is expected polynomial time. Hence the simulator only gets an expected polynomial number of chances to fail in this manner, and so its probability of failure in this way is negligible. If the two Step 3 responses are different, such a verifier that has satisfied the conditions of the Lemma is called neutralized. Now, to generate its output transcript the simulator begins a straight-line simulation with the adversary. Whenever a verifier V that has not already been neutralized gives a Step 3 response, the simlator calls Extract(V, T ), where T is the partial transcript up to and including the Step 1 message of V . When Extract terminates, V has been neutralized and thus, by the Lemma, all future interaction with V can be simulated in a straight-line fashion. This continues until the simulation is concluded. By construction, the distribution of transcripts produced by such a simulation is computationally indistinguishable from those arising from an actual interaction with the adversary, since the transcript is produced in a straight-line manner. We must confirm that the expected running time of the simulator is polynomially bounded. Each trial within Extract, not counting time taken by recursive function calls, certainly takes polynomial time, say O(nc ). Let us analyze the expected running time of a function call to Extract. Now, conditioned on some partial transcript T , let Xi denote the random variable for the time to complete Extract(Vi , T ). Let pi denote the probability over simulations starting at T that Vi will give its Step 3 response during a simulation trial. If V1 is the first verifier appearing in T , then during Extract(V1 , T ), no recursive calls can be made for other verifiers. Hence, X1 ≤ O(nc )(1 + p1 + (1 − p1 )(1 + X1 )), and so by linearity

456

Cynthia Dwork and Amit Sahai

of expectation, E(X1 ) ≤ O(nc ) p21 . More generally, if Vi is the i’th verifier api−1 P pj Xj +pi +(1−pi)(1+Xi )), pearing in the transcript T , then Xi ≤ O(nc )(1+ j=1

and a simple induction shows that E(Xi ) ≤ O(nc ) p2ii . Now, in the simulation, conditioned on a partial transcript T , the probability that Extract(Vi , T ) will be called (from outside Extract) is exactly pi . Thus, the expected amount of time the simulation will spend on Extract(Vi , T ) is O(nc ) · 2i. Since this does not depend on T , we can remove the conditioning and conclude that the expected amount of time the simulation will spend in Extract for Vi will be O(nc ) · 2i. We note that the total number of verifiers that can be present in the final transcript is bounded by the amount of time the adversary runs for. Hence, if the adversary’s expected running time is t(n), the expected amount of time the simulation will spend in Extract for all of the verifiers is O(nc t(n)2 ). The rest of the simulation will certainly take no more than expected O(nc )t(n) time, and so we conclude that the expected running time is polynomial in n.

5

Additional Remarks and Future Research

Recently, Kilian, Petrank and Rackoff [25] have shown that any 4-round nontrivial zero-knowledge interactive proof is not black-box simulatable under concurrent executions. In a companion paper, Richardson and Kilian [28] have shown that for any ε > 0 and any upper bound k on the amount of concurrency to be tolerated, there exists a zero-knowledge proof for any language in N P requiring k ε messages. We believe that the Kilian-Richardson protocol can be used (with some modifications) as a preprocessing protocol protocol to allow subsequent constant round concurrent zero-knowledge arguments for any statement in N P ; we are in the process of checking the details. The difficulties in achieving non-malleability and concurrent zero knowledge both stem from potentially bad protocol interleavings. In [16] and in the preprocessing protocol protocol described in this paper, timing is used explicitly to proscribe certain interleavings in order to achieve concurrent zero-knowledge. Can timing be used in a natural way to achieve non-malleability? For concreteness, consider non-malleable string commitment. Since non-malleable string commitment protocols exist without recourse to timing [13], any timing-based solution would be interesting only if it is efficient or simple. Can timing be used to achieve other cryptographic objectives?

References 1. M. Bellare and P. Rogaway, Provably Secure Session Key Distribution - The Three Party Case, Proc. 27th STOC, 1995, pp 57–64. 442 2. M. Bellare and M. Yung. Certifying permutations: Noninteractive zero-knowledge based on any trapdoor permutation, Journal of Cryptology, 9(3):149-166, 1996. 447, 448, 448, 451

Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints

457

3. M. Blum. Coin flipping by telephone: A protocol for solving impossible problems. In Allen Gersho, editor, Advances in Cryptology: A Report on CRYPTO 81, pages 11-15, 24-26 August 1981. Department of Electrical and Computer Engineering, U. C. Santa Barbara, ECE Report 82-04, 1982. 450 4. M. Blum, A. De Santis, S. Micali, and G. Persiano. Noninteractive zero-knowledge, SIAM Journal on Computing, 20(6):1084-1118, 1991. 447, 448 5. Blum M., P. Feldman and S. Micali, Non-Interactive Zero-Knowledge Proof Systems, Proc. 20th ACM Symposium on the Theory of Computing, Chicago, 1988, pp 103-112. 447 6. G. Brassard, C. Crepeau and M. Yung, Constant-Round Perfect Zero-Knowledge Computationally Convincing Protocols. Theoretical Computer Science 84, 1991. 7. G. Brassard, D. Chaum, C. Crepeau, Minimum Disclosure Proofs of Knowledge. JCSS, Vol. 37, 1988, pp. 156-189. 447 8. S. Brands and D. Chaum, Distance-Bounding Protocols Advances in Cryptology – EUROCRYPT‘93, 1993. 9. R. Canetti, C. Dwork, M. Naor, R. Ostrovsky, Deniable Encryption, “Security in Communication Networks” workshop, Amalfi, Italy 1996 and CRYPTO’97 448 10. D. Chaum and H. van Antwerpen, Undeniable Signatures, Advances in Cryptology– CRYPTO ’89, G. Brassard (Ed.), Springer-Verlag, pp. 212-216. 11. R. Cramer and I. Damgard New Generation of Secure and Practical RSA-Based Signatures, Advances in Cryptology–CRYPTO ’96. Springer-Verlag, 1996. 12. A. De Santis and M. Yung. Cryptographic Applications of the Metaproof and Manyprover Systems, Proc. CRYPTO’90, Springer-Verlag, 1990. 448 13. D. Dolev, C. Dwork and M. Naor, Non-malleable Cryptography, Preliminary version: Proc. 21st STOC, 1991. Full version: submitted for publication (available from the authors). 442, 443, 445, 449, 449, 451, 452, 452, 456 14. C. Dwork and M. Naor, Pricing via Processing -or- Combatting Junk Mail, Advances in Cryptology – CRYPTO’92, Lecture Notes in Computer Science 15. C. Dwork and M. Naor, Method for message authentication from non-malleable crypto systems, US Patent No. 05539826, issued Aug. 29th 1996. 451 16. C. Dwork, M. Naor, and A. Sahai, Concurrent Zero Knowledge, to appear, STOC’98 443, 443, 443, 443, 443, 443, 446, 447, 451, 454, 456 17. U. Feige, A. Fiat and A. Shamir, Zero Knowledge Proofs of Identity, J. of Cryptology 1 (2), pp 77-94. (Preliminary version in STOC 87). 18. U. Feige and A. Shamir, Witness Indistinguishable and Witness Hiding Protocols Proc. 22nd STOC, 1990, pp. 416–426. 19. U. Feige and A. Shamir, Zero Knowledge Proofs of Knowledge in Two Rounds, Advances in Cryptology – Crypto 89 Proceedings, Lecture Notes in Computer Science Vol. 435, G. Brassard ed., Springer-Verlag, 1989. 445, 445, 450, 452 20. U. Feige, D. Lapidot and A. Shamir, Multiple Non-Interactive Zero-Knowledge Proofs Based on a Single Random String, Proceedings of 31st Symposium on Foundations of Computer Science, 1990, pp. 308-317. 447, 448, 448, 448, 451, 451 21. O. Goldreich, Foundations of Cryptography (Fragments of a Book), 1995. Electronic publication: http://www.eccc.uni-trier.de/eccc/info/ECCC-Books/ecccbooks.html (Electronic Colloquium on Computational Complexity). 22. O. Goldreich and H. Krawczyk. On the Composition of Zero Knowledge Proof Systems. SIAM J. on Computing, Vol. 25, No. 1, pp. 169–192, 1996. 444 23. S. Goldwasser and S. Micali. Probabilistic Encryption, Journal of Computer and System Sciences, Vol. 28, April 1984, pp. 270–299. 448 24. S. Goldwasser, S. Micali, and C. Rackoff, The Knowledge Complexity of Interactive Proof Systems. SIAM Journal on Computing, Vol. 18, 1 (1989), pp. 186-208. 446

458

Cynthia Dwork and Amit Sahai

25. J. Killian, E. Petrank, and C. Rackoff, Zero Knowledge on the Internet. Manuscript, 1998. 456 26. M. Naor, Bit Commitment Using Pseudo-Randomness, Journal of Cryptology, vol 4, 1991, pp. 151-158. 452 27. C. Rackoff and D. Simon, Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Cipherext Attack, Proc. CRYPTO’91, Springer-Verlag, 1992, pp. 433 – 444 449, 449 28. R. Richardson and J. Killian. Non-Synchronized Composition of Zero-Knowledge Proofs. Manuscript, 1998. 456

The Solution of McCurley’s Discrete Log Challenge Damian Weber1 and Thomas Denny2 1

Institut f¨ ur Techno– und Wirtschaftsmathematik Erwin–Schr¨ odinger–Str. 49, D–67663 Kaiserslautern [email protected] 2 debis IT Security Services Rabinstraße 8, D–53111 Bonn [email protected]

Abstract. We provide the secret Diffie-Hellman-Key which is requested by Kevin McCurley’s challenge of 1989. The DH-protocol in question has been carried out in (ZZ/pZZ)∗ where p is a 129-digit prime of special form. Our method employed the Number Field Sieve. The linear algebra computation was done by the Lanczos algorithm. Keywords: Discrete Logarithms, Number Field Sieve, Index Calculus, Lanczos

1

Introduction

When discrete log cryptosystems are designed the groups (ZZ/pZZ)∗ serve as a standard choice, as for example in [3,4,14]. In view of the Diffie–Hellman key exchange protocol introduced in [3], McCurley stated a challenge by using the following setup [11]: bA = 12740218011997394682426924433432284974938204258693 16216545577352903229146790959986818609788130465951 66455458144280588076766033781 bB = 18016228528745310244478283483679989501596704669534 66973130251217340599537720584759581769106253806921 01651848662362137934026803049 p = (739 · 7149 − 736)/3 q = (p − 1)/(2 · 739) The order of the multiplicative group, which is generated by the element 7, splits as follows: |(ZZ/pZZ)∗ | = 2 · 739 · q. – Alice computes (using her secret key xA ) as 7xA ≡ bA (mod p) – Bob computes (using his secret key xB ) as 7xB ≡ bB (mod p) H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 458–471, 1998. c Springer-Verlag Berlin Heidelberg 1998

The Solution of McCurley’s Discrete Log Challenge

459

Kevin McCurley asked for the common secret key K ≡ 7(xA ·xB ) (mod p) which we computed at 03:50pm Middle European Time on Jan 25, 1998 as K = 38127280411190014138078391507929634193998643551018670285056375615 (1) 045523966929403922102172514053270928872639426370063532797740808,

by first calculating xA = 6185869085965188327359333165203790426798764306952171345914622218 (2) 49525998156144877820757492182909777408338791850457946749734,

the secret key of Alice. Since p is of a special form it is very convenient to use the number field sieve discrete log algorithm [17,5] for the precomputation. This step has already been carried out in [21]. It was unclear whether one could keep that attractive number field chosen there for computing the individual logarithms as well [18]. Readers not familiar with the number field sieve are recommended to look up these references. We note that for “general” p, the record for discrete logarithms is 85 decimal digits [20]. In contrast to factoring with the number field sieve, some additional computational difficulties have to be dealt with. For example, it is costly to transform the original congruence to another form such that the number field sieve is actually applicable. Another constraint is the smaller size of factor bases – otherwise the linear algebra step would be infeasible. After the introduction of notation in section 2 we start with a description of how we transformed the original problem to a problem where only logarithms of “small” elements have to be computed in section 3. Section 4 deals with the choice of the polynomial defining the number field. Section 5 is devoted to lattice sieving techniques for discrete log computations. In section 6 we pay attention to computing the solution of the resulting sparse linear system mod q, which eventually yielded the solution to the original discrete log problem.

2

Notation of the Number Field Sieve Parameters

Let the discrete logarithm problem be ax ≡ b (mod p), p prime. Let f be an irreducible polynomial of degree n, the coefficient of X n be called h . Furthermore, let α ∈ C be a root of f . There should be at least one root m of f (X) modulo p. Set ω = h · α. In this case there exists a ring homomorphism ϕ : ZZ[ω] −→ ZZ/pZZ ω 7→ h · m. We set g(X) := X − m. We denote with F Balg (the algebraic factor base) a finite set of prime ideals in the ring of integers of Q(ω), and with F Brat (the rational factor base) a finite set of prime numbers in ZZ.

460

3

Damian Weber and Thomas Denny

Reduction of the Original Problem

With the number field sieving step, logarithms of elements s ∈ ZZ/pZZ can be obtained, if a smooth σ ∈ ϕ−1 (s) ⊂ ZZ[ω] is known. In particular, this is the case if s lies in the rational factor base. Having planned to use a rational factor base size of 30000 this would mean to aim at bounding s by the 30000–th prime, that is 350381. With the current available methods this is not feasible. With the following relation, however, we are reduced to s’s which are not bigger than 5.05 · 1013 : t a141266132 · bA ≡ (mod p), v where t = 23 · 31 · s1 · s3 · s6 · s8 · s10 · s11 (3) v = 353 · s2 · s4 · s5 · s7 · s9 · s12 . with s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12

= 603623, = 165073039, = 1571562367, = 1601141623, = 1715568391, = 7575446399, = 13166825869, = 265542836371, = 371303006453, = 4145488613977, = 4338202139093, = 5041332876473.

We proceed with how equation (3) has been found. Each b ∈ (ZZ/pZZ)∗ can √ be expressed as a quotient b ≡ t/v (mod p) with |t|, |v| < p+1 [19, Th.67]. Such a representation can be found by applying the extended Euclidean algorithm. In the challenge computation we computed bl :≡ 7l · b (mod p) for many l’s, found the quotient bl ≡ tl /vl and tried to split tl and vl . The ρ–function [6] tells us how many pairs we need to test until a successful decomposition occurs. The term ρi (α) denotes the probability that the i–th largest prime factor of the number n is at most n1/α . We set ρ(α) := ρ1 (α). We started looking for factors of t and v with at most 15 decimal digits simultaneously. The probability that a 65–digit number has at most 15 digits is ρ(13/3) ≈ 2.12 · 10−3 . Assuming t and v behave as random integers of this size we expect to find a successful l after ≈ 1/(2.12 · 10−3 )2 ≈ 222500 trials. We distributed the interval [141200001; 141422500] among 40 Sparc ELC and 20 Sparc 4. As a Sparc 4 is about four times faster than a Sparc ELC, we chose the interval length for the ELC as 1850 in contrast to 7500 for the Sparc 4 stations. Each machine carried out four different stages; we give the average running times for each stage (Sparc 4 workstation) per l:

The Solution of McCurley’s Discrete Log Challenge

1. 2. 3. 4.

461

trial division up to 106 (1.35 sec), ECM for factors up to 109 (7.11 sec), ECM for factors up to 1012 (30.02 sec), ECM for factors up to 1015 (128.80 sec),

where ECM is an acronym for Lenstra’s elliptic curve factoring method [10]. We label these stages by TDIV, ECM9, ECM12 and ECM15, respectively. A pair (t, v) is useless if either t or v contains a prime factor above our smoothness bound 1015 . We can estimate beforehand how many pairs (t, v) will be recognized as useless by each stage if we evaluate the ρ2 function. Table 1. Probability of a number of 65 digits recognized as useless. useless after stage with probability

TDIV 0.184

ECM9 0.238

ECM12 0.243

ECM15 0.190

Using trial division in combination with ECM is a very tedious smoothness test; we experimented with an early abort strategy. Such a technique has been used in several algorithms, originating from [16]. In our case, after each stage we removed a third of the pairs (t, v) – those with the biggest unfactored part – from our list. The following behaviour is to be expected when applying this strategy on each Sparc 4 processor. On such a machine we start with 7500 pairs (t, v). From table 1 we estimate that approximately (1−0.184)2 ≈ 66.6 %, that is 4994, will survive the trial division step. Our early abort condition removes a third of the pairs, this leaves 3329. From these approximately (1 − 0.238)2 ≈ 58.2 % survive ECM9 (1933). Another cut by early aborting leaves 1288. ECM12 yields 738 pairs left. After removing a third of these pairs, 492 are left for ECM15. In case of no successful pair being found we can now estimate the time of the smoothness tests per processor as: 7500 · 1.35 + 3329 · 7.11 + 1288 · 30.02 + 492 · 128.8 = 135829.55 sec ≈ 37.7 h.

Table 2. Reduction sieve: # pairs per stage. proc 1 2 3 4 5 6

TDIV start useless 7500 2535 7500 2446 7500 2531 7500 2408 7500 2636 7500 2497

ECM9 start useless 3307 1139 3366 1192 3309 1232 3391 1181 3239 1102 3332 1190

ECM12 start useless 1444 574 1448 603 1383 565 1472 592 1423 590 1426 548

ECM15 start useless 579 364 563 339 545 309 586 359 555 341 585 352

run–time (h) total 41.0 41.3 41.5 42.7 40.3 41.5

462

Damian Weber and Thomas Denny

From table 2, which summarizes the output of six Sparc 4 processors, we see that the theoretical prediction of the useless pairs can be used to get a good estimate of the actual total running time per processor.

4

Choice of the Polynomial

This section is devoted to finding an appropriate polynomial f for the number field sieve (see section 2). According to practical experience we should consider number fields of degree n = 3, 4, 5, 6. In order to make the best choice, i.e. to find a maximum number of relations, we examine the probability of finding relations over two factor bases of optimal size with respect to the expected norm of elements c+dα of that number ring. In order to construct suitable polynomials of such degrees we may use the identities 21p = 739 · (750 )3 − 5152 3p = 5173 · (737 )4 − 736 21p = 739 · (730 )5 − 5152 21p = 739 · (725 )6 − 5152. We therefore have to choose among the following pairs of polynomials g(X) = X g(X) = X g(X) = X g(X) = X

− 750 − 737 − 730 − 725

f (X) = 739 · X 3 − 5152 f (X) = 5173 · X 4 − 736 f (X) = 739 · X 5 − 5152 f (X) = 739 · X 6 − 5152

In order to compare the four different possible choices of the degree, we look at the values c + dm, N (c + dα) to be decomposed over the factor bases. On the rational side we get c + dm ≈ dm; on the algebraic side, we obtain −739 · cn − 5152dn ≈ −739 · cn . As a sieving rectangle of 106 × 106 was expected to be needed, we got table 3 with the aid of the ρ–function. Table 3. Comparing different degrees degree 3

m

h · cn |F B1 | |F B2 | # trials per full

dm

1.8 · 1042 1.8 · 1048 31

37

4

1.9 · 10

5

2.3 · 1025 2.3 · 1031

6

21

1.3 · 10

1.9 · 10

27

1.3 · 10

1021

19800 20200

3.7 · 1011

10

19900 20100

6.2 · 109

1033

19600 20400

3.7 · 109

16400 23600

1.1 · 1010

28

39

10

We see from this table that degree 4 and 5 were competing with slight advantage of degree 5. The only way to find out which is the better one is to give both

The Solution of McCurley’s Discrete Log Challenge

463

a try and continue with the one which produced more relations. Test sieving has been carried out for x+ym and N (x+yα) in the rectangle [−106 , 106 ]×[1, 5000]. From the following amount of relations it is evident that degree 5 is the better choice indeed (running time in sec on a Sparc 4).

Table 4. Relations after test sieving. type full 1 LP (alg) 1 LP (rat) 2 LP

5

degree 4 16 49 114 344 running time 5653

degree 5 127 411 631 2056 9535

Sieving

After fixing the polynomials f , g we had to choose appropriate sieving parameters. The precomputation in 1995 was carried out with the quadruple large prime variant. We repeated the precomputations for two reasons: firstly, several improvements in the linear algebra step allowed to use a bigger factor base, secondly, we wanted to find out how effective the double large prime variant would perform for this setting. Table 5 depicts the parameters and the sieving results of 1995 (quadruple large prime variation) and 1997 (double large prime variation). Both setups produced the result we wished: a linear system the solution of which yields the logarithms of particular elements of ZZ/pZZ. We comment on the figures in table 5. We raised the large prime bound in order to increase the likelihood to encounter a partial relation, which now contained at most one large prime for f and g. We shrinked the sieving interval for two reasons. In the polynomial N (X + Y α) = −739X 5 − 5152Y 5 both variables contribute to the same extent to the absolute value of the norm. In our first run, however, we observed that after covering the first half of the square we have already had enough relations. So we attempted to end up with a square sieving range instead of a rectangle which was roughly achieved. The running time of the first run is a very crude estimate on behalf of mips years (mega instructions per second). Although this measurement is outdated, we want to stick to it, in order to have the running times comparable to many of the previous publications concerning discrete log and factoring computations. Our run–time measurement is based on the observation that the UltraSparc we used was eight times faster than a Sparc ELC workstation which is rated at 21 mips.

464

Damian Weber and Thomas Denny

Table 5. Parameters and sieving results

FB rat FB alg LP rat LP alg x–range y–range run–time

1 2 3 4

full LP LP LP LP full

quadruple large prime double large prime parameters 20000 30000 20000 30000 106 5 · 107 5 · 105 5 · 107 6 15 · 10 5 · 106 6 2 · 10 4 · 106 110 mips y ≈ 180 mips y relations 3199 10797 42407 196734 211888 895415 478543 – 388685 – combined partials 306717 75592

By utilizing the amount of relations depicted in table 5, logarithms of specific factor base elements can be computed. Now let’s turn to the computation of logarithms of elements not lying in the factor base. One of the open questions in [18] was: is it possible to compute the logarithm of an arbitrary element of (ZZ/pZZ)∗ without abandoning the especially comfortable polynomial f ? Changing f is required by the theory but its analysis is for p → ∞. In our computation, however, we pursued another route which has already been indicated in section 3. This is the attempt to transform the original problem such that the remaining elements, the logarithm of which is unknown, can be treated like factor base elements. Let s be one of the primes of the right hand side of (3). A relation of the following form is required for each s: Q c + dm = s r rer , product over r ∈ F Brat , Q [c + dα] = r rer , product over r ∈ F Balg .

(4)

The lattice sieve satisfies this request by defining Ms := {(c, d) | c + dm ≡ 0 (mod s)} and searching for smooth elements among (c + dm)/s and c + dα with (c, d) taken from a subset of Ms . This will be called the lattice sieve for s. Analogously, one may introduce lattice sieving for prime ideals. This is a standard technique in number field sieve implementations introduced by [15].

The Solution of McCurley’s Discrete Log Challenge

465

In general it is difficult to find directly a relation like (4). What may be expected is to find relations of the form Q c + dm = s · R1 R2 r rer , product over r ∈ F Brat , Q (5) [c + dα] = R1 R2 r rer , product over r ∈ F Balg , with large prime (ideals) R1 , R2 , R1 , R2 . As with the large prime variation of the classical number field sieve, with additional relations containing each one of the R1 , R2 , R1 , R2 , these can be turned into a relation only containing one large prime, namely s. The heuristic algorithm which eventually led to the solution of the challenge was as follows: 1. by lattice sieving for s find a quadruple large prime relation of the form (5) 2. let R run through the list R1 , R2 , R1 , R2 ; with the lattice sieve for R find either – a single large prime relation containing only the large prime R and proceed with the next R from the list, or – a double large prime relation containing only the large prime R and another large prime which we call R0 ; in this case repeat the second step of this algorithm with R replaced by R0 (called iteration in table 7). Step 1 from above (finding (5) for s = si , 1 ≤ i ≤ 12) has been performed with the following sieving range: Table 6. Lattice sieve step 1, sieving rectangle. primes

x–range

y–range

s1 to s5

[-35000;35000] [1;12000]

s6

[-55000;55000] [1;25000]

s7 to s11 [-30000;30000] s12

[1;5000]

[-50000;50000] [1;50000]

After performing step one – the time of which is shown in table 7 – the lattice sieve iterations had to be carried out for primes which lay in the interval [105 ; 1010 ], the lower bound due to the maximal factor base element having a norm of 349949 (algebraic) and 350377 (rational). The upper bound is due to the difficulty of finding appropriate relations for the s’s above s5 ; s6 has already 10 decimal digits. Each lattice sieve iteration for the R0 was carried out with a sieving rectangle of [−35000, 35000] × [1, 20000] spending about 5000 sec for each on a Sparc 20. Summing this up, about 211 h in total on one Sparc 20 were needed. Clearly, it is trivial to distribute each s and each iteration to different workstations. This concludes the description of all sieving tasks.

466

Damian Weber and Thomas Denny

Table 7. Running times of lattice sieve steps. prime time (sec) # LP in (5) # iterations of step 2 s1 5680 1 1 s2 3089 2 4 s3 3691 3 8 s4 4696 2 7 s5 5003 1 5 s6 50941 4 13 s7 1300 2 9 s8 1314 2 16 s9 1389 2 11 s10 1343 4 21 s11 1394 4 13 s12 96810 4 8

6

Linear Algebra

In this section we describe the method of how to solve the linear system which consists of the exponents of the free and full relations, the combined partials (table 5) and the special relations produced by the heuristic algorithm in section 5. There are five more columns containing additive characters to ensure that q–th powers in Q(α) can be constructed [17]. Hence, we are left with a matrix of a form shown in figure 1.

rat. FB

alg. FB

si

full relations

14.28%

combined partials 83.72%

additive characters

1.98%

exponents indiv. primes

free relations

12

5

special relations 0.02% columns: 60000

Fig. 1. Relation matrix.

The Solution of McCurley’s Discrete Log Challenge

467

The subsequent computation has been divided into two steps. 1. a preprocessing step (refinement of structured Gaussian elimination), 2. the Lanczos algorithm (description in [7], [8]). The practicability of a possible alternative method, a combination of structured Gauss and ordinary Gaussian elimination suffers from enourmous space requirements (in our example about 2 GB of main memory). We define n to be the number of unknowns and ω to be the total number of non–zero entries in the linear system. The running time of the Lanczos algorithm is known to be O(n2 + nω). The goal of step 1 is to iteratively decrease n while increasing ω as long as this running time is decreasing. To make a firm decision at this point, we need to predict the actual running time of step 2 on the machine we are using. Starting from the basic operations in the Lanczos algorithm, the following sections develop the model which we apply for that purpose. 6.1

Operations

The basic operations over ZZ/qZZ that are performed during an iteration of the Lanczos algorithm are – computation of inner products – matrix–vector multiplication – vector updates (adding a multiple of a vector to another vector). In order to speed up the computations over ZZ/qZZ we used the Montgomery representation [12]. Due to the fact that the linear system consists of exponents from decomposing integers, almost 95 % of the non-zero entries are equal to ±1. The remaining entries ci are relatively small (−40 ≤ ci ≤ 40). Table 8 classifies the non-zero entries of our linear system before and after step 1. Table 8. Compactification of relation matrix. original system after preprocessing unknowns

60 001

35 666

equations

75 592

35 688

49.8

164.6

1 785 588 1 761 865

2 657 470 2 711 635

219 483

332 644

avg. weight/equation 1–entries (−1)–entries ci –entries

We could greatly reduce the time to perform a matrix–vector multiplication in ZZ/qZZ by computing all intermediate results in ZZ (but in Montgomery representation) and doing the reduction mod q only once, while creating the result

468

Damian Weber and Thomas Denny

vector. By this technique (lazy reduction) we achieve the substantial gain of 29% of the running time for the matrix-vector multiplication (timing on Sparc 20, different linear system): Table 9. Average running time of one matrix–vector multiplication. running time original version lazy reduction addition 14.05 s 10.47 s subtraction 13.22 s 11.08 s scalar mult 6.17 s 1.70 s final reduction – 0.58 s total 33.44 s 23.83 s

6.2

Running Time Model

An examination of all operations performed during the Lanczos algorithm to solve a linear system of dimension n with ω1 1-entries, ω2 (−1)-entries and ω3 ci -entries lead to the following formula: T (n, ω, r) = n2 · t2 + n · (2 · ω + t1 )

(6)

where ω = cache1 · (ω1 · T (Add) + ω2 · T (Sub)) + cache3 · ω3 · T (kmult) t1 = cache2 · (T (Inv) + (2 + r) · T (M ult)) t2 = cache2 · (T (Square) + 2 · T (Sub m) + (2 + r) · T (Add m) +(3 + r) · T (M ult)) + 2 · cache3 · T (Red). In this formula r is the number of solutions that need to be calculated and T (operation) is the time needed to perform a single arithmetic operation on integers of magnitude of q. The variables cache1 , cache2 and cache3 represent the time needed to access main memory, first level cache and second level cache, respectively. For a Sparc 20 workstation we may take cache1 = 2.0, cache2 = 1.0, cache3 = 1.3. These values are strongly machine dependent and have to be determined by experiment. By using (6), the time needed to solve a linear system of equations can be accurately predicted. This is crucial to decide whether an iteration of step 1 from above does improve the running time. We now proceed by deriving a bound ∆ (> 0) for the maximal increase of ω while decrementing n. This depends on the number and type of entries in our linear system as well as on the time of arithmetic and memory operations. To achieve a speed up and save memory, we have the condition T (n, ω, r) − T (n − 1, ω + ∆, r) ≥ 0.

The Solution of McCurley’s Discrete Log Challenge

469

Solving this for ∆, we obtain ∆ ≤

(2 · n − 1) · t2 + 2 · ω + t1 . 2 · (n − 1)

In practice, this upper bound lies between 100 and 1200. 6.3

Results

Using this formula and the ideas of the structured Gaussian elimination the running time of the Lanczos algorithm to compute 22 solutions of the original system was reduced by more than 50 %. The reduction in the dimension also led to an enormous reduction in the main memory requirements (approx. 30 MB) as 25 vectors have to be stored (see table 8 above). Table 10 depicts the running time for the basic operations and the total running time of the original and the compactified system of linear equations (timings on Sparc 20). Table 10. Speed up by compactification. operation

original system after preprocessing

matrix–vector multiplication update vector

24.1 s 7.4 s

34.9 s 4.4 s

update solutions

85.0 s

48.3 s

3.7 s

2.2 s

inner product computation single iteration complete computation

120.1 s

92.0 s

2002.3 h

911.0 h

The solutions computed by the Lanczos algorithm finally yielded the logarithms of 2, 353, s1 , . . . , s12 . The logarithm of 31 has already been known from [21]. By using the identities of (3), Alice’s key was easy to obtain (2). The final task was to compute the common key K of Bob and Alice from K ≡ bxBA (mod p) shown in (1).

Acknowledgements The authors are particularily grateful to Kevin McCurley for offering that challenge. For providing the computing power we thank Ulrich Gr¨ af (Sun Microsystems Benchmark Center/Germany) and Raimund Seidel (University of Saarland/Germany). The integer computations have been performed by two reliable and efficient multi–precision libraries, LiDIA and FREELIP. Accordingly, many

470

Damian Weber and Thomas Denny

thanks go to the LiDIA Group (University of Darmstadt/Germany) and Arjen Lenstra (Citibank/USA). Additionally, we wish to thank Johannes Buchmann, Oliver Schirokauer, Thomas Setz and J¨ org Zayer.

References 1. I. Biehl and J. Buchmann and Th. Papanikolaou. LiDIA – a library for computational number theory. Technical report, Universit¨ at des Saarlandes/Germany, 1995. http://www.informatik.th-darmstadt.de/TI/LiDIA 2. Th. F. Denny. L¨ osen grosser d¨ unnbesetzter Gleichungssysteme u ¨ber endlichen Primk¨ orpern. PhD thesis, Universit¨ at des Saarlandes/Germany, 1997. 3. W. Diffie and M. Hellman. New directions in cryptography. IEEE Trans. Information Theory 22, pages pp. 472–492, 1976. 458, 458 4. T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Information Theory, 31:469–472, 1985. 458 5. D. Gordon. Discrete logarithms in GF(p) using the number field sieve. SIAM J. Discrete Math., 6:124–138, 1993. 459 6. D. E. Knuth and L. Trabb Pardo. Analysis of a simple factorization algorithm. Theoretical Computer Science, 3:321–348, 1976. 460 7. M. LaMacchia and A. Odlyzko. Solving large sparse linear systems over finite fields. In Advances in Cryptology – Crypto ’90, number 537 in Lecture Notes in Computer Science, pages 109–133, 1990. 467 8. M. LaMacchia and A. Odlyzko. Computation of discrete logarithms in prime fields. Designs, Codes and Cryptography, 1:46–62, 1991. 467 9. A. K. Lenstra, H. W. Lenstra, Jr. (eds.). The development of the number field sieve. Number 1554 in Lecture Notes in Mathematics. Springer, 1993. 10. H. W. Lenstra, Jr. Factoring integers with elliptic curves. Ann. of Math., 126:649– 673, 1987. 461 11. K. S. McCurley. The discrete logarithm problem. In Cryptology and Computational Number Theory, number 42 in Proc. Symp. in Applied Mathematics, pages 49–74. American Mathematical Society, 1990. 458 12. P. L. Montgomery. Modular multiplication without trial division. Math. Comp., 44:519–521, 1985. 467 13. V. M¨ uller and Th. F. Denny. On the reduction of composed relations from the number field sieve. In H. Cohen, editor, Algorithmic Number Theory – ANTS II, number 1122 in Lecture Notes in Computer Science, 1996. 14. National Bureau of Standards. Digital signature standard, 1994. FIPS Publication 186. 458 15. J. M. Pollard. The lattice sieve. Number 1554 in Lecture Notes in Mathematics. Springer, 1993. 464 16. C. Pomerance and S. S. Wagstaff. Implementation of the continued fraction integer factoring algorithm. In Proc. 12th Manitoba Conf., Winnipeg/Manitoba 1982, Congr. Numerantium, volume 37 of Numerical mathematics and computing, pages 99–118, 1983. 461 17. O. Schirokauer. Discrete logarithms and local units. Phil. Trans. R. Soc. Lond. A 345, pages 409–423, 1993. 459, 466 18. O. Schirokauer, D. Weber, and Th. F. Denny. Discrete logarithms: the effectiveness of the index calculus method. In H. Cohen, editor, Algorithmic Number Theory – ANTS II, number 1122 in Lecture Notes in Computer Science, 1996. 459, 464

The Solution of McCurley’s Discrete Log Challenge

471

19. D. Shanks. Solved and unsolved problems in number theory (3rd ed.). Chelsea Publishing Company, 1985. 460 20. D. Weber. Computing discrete logarithms with quadratic number rings. In Eurocrypt’98, Lecture Notes in Computer Science, 1998. To appear. 459 21. D. Weber. Computing discrete logarithms with the number field sieve. In H. Cohen, editor, Algorithmic Number Theory – ANTS II, number 1122 in Lecture Notes in Computer Science, 1996. 459, 469 22. D. Weber. On the computation of discrete logarithms in finite prime fields. PhD thesis, Universit¨ at des Saarlandes/Germany, 1997. 23. D. Weber. An implementation of the number field sieve to compute discrete logarithms mod p. Advances in Cryptology – Eurocrypt’95. number 921 in Lecture Notes in Computer Science, 1995. 24. J. Zayer. Faktorisieren mit dem Number Field Sieve. PhD thesis, Universit¨ at des Saarlandes/Germany, 1995.

Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms Daniel V. Bailey1 and Christof Paar2 1

Computer Science Department Worcester Polytechnic Institute, Worcester, MA 01609 USA [email protected] 2 ECE Department Worcester Polytechnic Institute, Worcester, MA 01609 USA [email protected]

Abstract. This contribution introduces a class of Galois field used to achieve fast finite field arithmetic which we call an Optimal Extension Field (OEF). This approach is well suited for implementation of publickey cryptosystems based on elliptic and hyperelliptic curves. Whereas previous reported optimizations focus on finite fields of the form GF (p) and GF (2m ), an OEF is the class of fields GF (pm ), for p a prime of special form and m a positive integer. Modern RISC workstation processors are optimized to perform integer arithmetic on integers of size up to the word size of the processor. Our construction employs well-known techniques for fast finite field arithmetic which fully exploit the fast integer arithmetic found on these processors. In this paper, we describe our methods to perform the arithmetic in an OEF and the methods to construct OEFs. We provide a list of OEFs tailored for processors with 8, 16, 32, and 64 bit word sizes. We report on our application of this approach to construction of elliptic curve cryptosystems and demonstrate a substantial performance improvement over all previous reported software implementations of Galois field arithmetic for elliptic curves. Keywords: finite fields, fast arithmetic, pseudo-Mersenne primes, Optimal Extension Fields, OEF, binomials, modular reduction, hyperelliptic curves, elliptic curves, cryptographic implementation

1

Introduction and Motivation

Arithmetic in finite fields is an integral part of many public-key algorithms, including those based on the discrete logarithm problem in finite fields, elliptic curve based schemes, and emerging applications of hyperelliptic curves. Our ability to quickly perform arithmetic in the underlying finite field determines the performance of these schemes. Finite fields are identified with the notation GF (pm ), where p is a prime and m is a positive integer. Essentially all previous work in this area has focused on two types of finite fields: GF(pm ) with m = 1, p a prime; and p = 2, m some positive integer. In this paper, we consider the H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 472–485, 1998. c Springer-Verlag Berlin Heidelberg 1998

Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms

473

use of extension fields of large characteristic with the characteristic p a prime of special form, m some positive integer. The case of p = 2 is especially attractive for hardware circuit design of finite field multipliers, since the elements of the subfield GF (2) can conveniently be represented by the logical signals “0” and “1.” However, p = 2 does not offer the same computational advantages in a software implementation, since modern workstation microprocessors are designed to calculate results in units of data known as words. Traditional software algorithms for multiplication in GF (2m ) have a complexity of cm m w steps, where w is the processor’s word length and c is some constant greater than one. For the large values of m required for practical public-key algorithms, multiplication in GF (2m ) can be very slow. Similarly, prime fields GF (p) also have computational difficulties on standard computers. For example, practical elliptic curve schemes fix p to be greater than 2150 . Multiple machine words are required to represent elements from these fields on general-purpose workstation microprocessors, since typical word sizes are simply not large enough. This representation presents two computational difficulties: carries between words must be accomodated, and reduction modulo p must be performed with operands that span multiple machine words. In this paper we define a special class of choices of p and m and show that they can yield considerable computational advantages. Our primary motivation in what follows is to exploit the very high performance that modern RISC processors offer for integer arithmetic on single words, which alleviate many of the difficulties found with GF (p) and GF (2m ). Our focus in the present paper is on elliptic curve cryptosystems as introduced in [7] and [13]. However, the arithmetic introduced here can also be applied to hyperelliptic curve public-key systems as introduced in [8].

2

Our New Approach

Our new approach is based on the observation that several well-known optimizations exist for software implementation of finite field arithmetic and that when they are used in conjunction they yield significant performance gains for implementation of elliptic and hyperelliptic curve cryptosystems. To optimize arithmetic in GF (pm ) we stipulate the following properties on the choice of p and m: 1. Choose p to be less than but close to the word size of the processor so that all subfield operations take advantage of the processor’s fast integer arithmetic. 2. Choose p to be a pseudo-Mersenne prime, that is, of the form 2n ± c for some log2 c ≤ 12 n to allow for efficient subfield modular reduction. 3. Choose m so that we have an irreducible binomial xm − ω for efficient extension field modular reduction. The extension degree m can be small if the processor word size allows for large values of p. A field that offers these arithmetic optimizations we call an Optimal Extension Field (OEF). For a formal definition of OEF, see Section 7. We demonstrate

474

Daniel V. Bailey and Christof Paar

that these optimizations can yield a substantial performance improvement over previous results as in [4,16,17,3]. As an example, when a modern RISC workstation with a 64-bit architecture such as the DEC Alpha family is our target platform, we would choose a p near 264 . This approach has the advantage of fully exploiting the RISC CPU’s ability to quickly perform 64 bit × 64 bit integer multiplication, thus performing a subfield multiplication with a single multiply instruction followed by a modular reduction. Due to the special form of p, we may perform this reduction without executing a traditional division algorithm. In order to gain this sort of computational advantage for public-key algorithms with field orders of more than 264 , we use a field extension m of moderate degree. For example, the choice of p = 261 −1 together with an extension degree of m = 3 would result in an OEF with order approximately 2183 . Such a field is desirable in the construction of cryptosystems based on the discrete logarithm problem in elliptic curve groups. In this paper we demonstrate efficient methods to construct such fields, strategies for fast arithmetic in an OEF, and implementation results for an application of this work to elliptic curve cryptosystems.

3

Previous Work

Previous work on optimization of software implementations of finite field arithmetic has often focused on a single cryptographic application, such as designing a fast implementation for one particular finite field. One popular optimization involves the use of subfields of characteristic two. A paper due to DeWin et al. [17] analyzes the use of GF ((2n )m ), with a focus on n = 16, m = 11. This construction yields an extension field with 2176 elements. The subfield GF (216 ) has a Cayley table of sufficiently small size to fit in the memory of a workstation. Optimizations for multiplication and inversion in such composite fields of characteristic two are described in [3]. Schroeppel et al. [16] report an implementation of an elliptic curve analogue of Diffie-Hellman key exchange over GF (2155 ) with an irreducible trinomial as the field polynomial. The arithmetic is based on a polynomial basis representation of the field elements. Elements of the field are each stored in three 64-bit registers. Much optimization work has been done in selection of Optimal Normal Bases (ONB) to speed computations in GF (2m ). Draft standards such as [18,19], and [9] suggest use of ONB for elliptic curve systems. Others have investigated use of pseudo-Mersenne primes to construct Galois fields GF (p) in connection with elliptic curve cryptography as found in [2,14] and some patents have been issued on their use. Unlike the methods in [17,3] which use Cayley tables to implement subfield arithmetic, our approach requires no additional memory and is therefore attractive in memory-constrained applications. In addition, our system is faster in real-world tests as described in Section 8.

Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms

4

475

Optimal Extension Field Arithmetic

This section describes the basic construction for arithmetic in fields GF (pm ), of which an OEF is a special case. The subfield is GF (p) and the extension degree is denoted by m, so that the field can be denoted by GF (pm ). This field Pm−1 is isomorphic to GF (p)[x]/(P (x)), where P (x) = xm + i=0 pi xi , pi ∈ GF (p), is a monic irreducible polynomial of degree m over GF (p). In the following, a residue class will be identified with the polynomial of least degree in this class. We consider a standard (or polynomial or canonical) basis representation of a field element A ∈ GF (pm ): A(x) = am−1 xm−1 + . . . + a1 x + a0 ,

(1)

where ai ∈ GF (p). Since we choose p to be less than the processor’s word size, we can represent A(x) with m registers. All arithmetic operations are performed modulo the field polynomial. The choice of field polynomial determines the complexity of the operations required to perform the modular reduction. In this paper, we will only be concerned with the operations of addition, multiplication, and squaring. 4.1

Addition and Subtraction

Addition and subtraction of two field elements is implemented in a straightforward manner by adding or subtracting the coefficients of their polynomial representation and if necessary, performing a modular reduction by subtracting p once from the intermediate result. Previous implementations in GF (2n ) offer a slight computational advantage since addition or subtraction is simply an XOR that does not require modular reduction. When compared to the addition operation in GF (p) for large p, we observe that an OEF does not require carry between computer words in computing a sum while GF (p) does. This property results in a modest performance gain over GF (p).

Algorithm 1 Optimal Extension Field Addition Require: A(x) = am−1 xm−1 + . . . + a1 x + a0 , B(x) = bm−1 xm−1 + . . . + b1 x + b0 , A(x), B(x) ∈ GF (pm ). Ensure: A(x) + B(x) ≡ C(x) ∈ GF (pm ) for i ← 0 to m − 1 do ci = ai + bi if ci ≥ p then ci ← ci − p end if end for

476

4.2

Daniel V. Bailey and Christof Paar

Multiplication

Multiplication is performed in two stages. First, we perform an ordinary polynomial multiplication of two field elements A(x) and B(x), resulting in an intermediate product C 0 (x) of degree less than or equal to 2m − 2: C 0 (x) = A(x) × B(x) = c02m−2 x2m−2 + . . . + c01 x + c00 ; c0i ∈ GF (p).

(2)

The schoolbook method to calculate the coefficients c0i , i = 0, 1, . . . , 2m − 2, requires m2 multiplications and (m − 1)2 additions in the subfield GF (p). Since field multiplication is the time critical task in many public-key algorithms this paper will deal extensively with fast multiplication methods, and later sections are devoted to aspects of this operation. In Section 4.4 we present an efficient method to calculate the residue C(x) ≡ C 0 (x) mod P (x), C(x) ∈ GF (pm ). Section 5 gives a method to quickly perform the coefficient multiplication in GF (p). 4.3

Squaring

Squaring may be implemented using the method for general multiplication outlined above. However, we observe that squaring a field element affords some additional computational efficiencies. For example, consider the field element A(x) = a2 x2 + a1 x + a0 , A(x) ∈ GF (p3 ). We compute the square of A(x) and obtain: (a2 x2 + a1 x + a0 )2 = a22 x4 + 2a2 a1 x3 + [2a2 a0 + a21 ]x2 + 2a1 a0 x + a20

(3)

Multiplication by two may be implemented in a computer as a left shift operation by one bit. On many computer architectures, a left shift is faster than an explicit integer multiplication. Thus instead of requiring m2 multiplications, we need only m(m+ 1)/2 explicit multiplications. The remainder may be performed as shifts. 4.4

Extension Field Modular Reduction

After performing a multiplication of field elements in a polynomial representation, we obtain the intermediate result C 0 (x). In general the degree of C 0 (x) will be greater than or equal to m. In this case, we need to perform a modular reduction. The canonical method to carry out this calculation is long polynomial division with remainder by the field polynomial. We observe that we must perform subfield multiplications to implement the reduction, proportional to the number of terms in the field polynomial. However, if we construct a field polynomial with low coefficient weight, the modular reduction will require fewer subfield multiplications. Since monomials xm , m > 1 are obviously always reducible, we turn our attention to irreducible binomials. An OEF has by definition a field polynomial of the form: (4) P (x) = xm − ω

Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms

477

The use of irreducible binomials as field polynomials yields major computational advantages as will be shown below. Observe that irreducible binomials do not exist over GF (2). In Section 6, we will demonstrate that such irreducible binomials can be constructed. Once such a binomial has been determined, modular reduction can be performed with the following complexity: Theorem 1. Given a polynomial C 0 (x) over GF (p) of degree less than or equal to 2m − 2, C 0 (x) can be reduced modulo P (x) = xm − ω requiring m − 1 multiplications by ω and m − 1 additions, where both of these operations are performed in GF (p). Proof. By assumption, C 0 (x) has the form: C 0 (x) = c02m−2 x2m−2 + . . . + c0m xm + c0m−1 xm−1 + . . . + c01 x + c00

(5)

Only the terms c0m+i xm+i , i ≥ 0, must be reduced modulo P(x). We observe that: c0m+i xm+i ≡ ωc0m+i xi mod P (x); i = 0, 1, . . . , m − 2

(6)

Since the degree of C 0 (x) ≤ 2m − 2, we require at most m − 1 multiplications by ω and m − 1 additions to combine the reduced terms. t u A general expression for the reduced polynomial is given by: C(x) ≡ c0m−1 xm−1 + [ωc02m−2 + c0m−1 ]xm−2 + · · · + [ωc0m+1 + c01 ]x +[ωc0m + c00 ] mod P (x)

(7)

As an optimization, when possible we choose those fields with an irreducible binomial xm − 2, allowing us implement the multiplications as shifts. OEFs that offer this optimization are known as Type II. A method to search for these Type II OEFs is given in Section 7.

5

Fast Subfield Multiplication

As shown above, fast subfield multiplication is essential for fast multiplication in GF (pm ). Subfield arithmetic in GF (p) is implemented with standard modular integer techniques, which are previously reported in the literature, see for example [12]. For actual implementation of OEF arithmetic, optimization of subfield arithmetic is critical to performance, so we include these remarks in this paper for completeness. We recall that multiplication of two elements a, b ∈ GF (p) is performed by a × b ≡ c mod p. Modern workstation CPUs are optimized to perform integer arithmetic on operands of size up to the width of their registers. An OEF takes advantage of this fact by constructing subfields whose elements may be represented by integers in a single register. For example, on a workstation with 64-bit registers, the largest prime we may represent is 264 − 59. So we choose a prime

478

Daniel V. Bailey and Christof Paar

p ≤ 264 − 59 as the field characteristic on this computer. To this end, we recommend the use of Galois fields with subfields as large as possible while still within single-precision limits of our host CPU. We perform multiplication of two single-word integers and in general obtain a double-word integer result. In order to finish the calculation, we must perform a modular reduction. Obtaining a remainder after division of two integers is a well-studied problem [12]. Many methods such as Barrett Reduction exist which offer computational advantages over traditional long division of integers. These methods, however, are still slow when compared to multiplication of single-word integers. Our choice of p allows a far less complex modular reduction operation. It is well known that fast modular reduction is possible with moduli of the form 2n ± c, where c is a “small” integer. Integers of this form allow modular reduction without division. We present a form of such a modular reduction algorithm, adapted from [12]. In this paper we consider only primes of the form 2n − c, although a trivial change to the following algorithm allows the use of primes 2n + c. The operators << and >> are taken to mean “left shift” and “right shift” respectively.

Algorithm 2 Fast Subfield Modular Reduction Require: p = 2n − c, log2 c ≤ 12 n, x < p2 is the integer to reduce Ensure: r ≡ x mod p q0 ← x >> n r0 ← x − q0 2n r ← r0 i←0 while qi > 0 do qi+1 ← qi c >> n ri+1 ← qi c − (qi+1 >> n) i←i+1 r ← r + ri end while while r ≥ p do r ←r−p end while

Under these conditions, the algorithm terminates after a maximum of two iterations of the while loop, so we require at the most two multiplications by c, six shifts by n, and six additions and subtractions. In practice, this leads to a dramatic performance increase over performing explicit division with remainder. For example, when p = 232 − 5, m = 5, and we implement subfield reduction by performing an explicit division with remainder on a 500 MHz DEC Alpha CPU, we require 7.74 µsec for a multiplication in GF (pm ). When we perform modular reduction using this algorithm, we require only 1.35 µsec, a fivefold savings.

Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms

479

If c = 1, this algorithm executes the first while loop only once. In addition, no multiplications are required for the modular reduction and the entire operation may be performed with 2 shifts and 2 adds if the intermediate result is contained in a single word, a substantial improvement over the c > 1 case. An OEF that offers this optimization is known as Type I. In our implementation as reported in Section 8, we have included p = 261 − 1 for this reason. Our implementation takes advantage of its special form, making p = 261 − 1 the best performing choice of p we consider.

6

Irreducible Binomials

In Section 4.4 we showed that irreducible binomials allow modular reduction with low complexity. The following theorem from [11] describes the cases when an irreducible binomial exists: Theorem 2. Let m ≥ 2 be an integer and ω ∈ GF (p). Then the binomial xm −ω is irreducible in GF (p) if and only if the following two conditions are satisfied: (i) each prime factor of m divides the order e of ω in GF (p), but not (p − 1)/e; (ii) p ≡ 1 mod 4 if m ≡ 0 mod 4. An important corollary is given in [5]: Corollary 1. Let ω be a primitive element for GF (p) and let m be a divisor of p − 1. Then xm − ω is an irreducible polynomial of order (p − 1)m over GF (p). We present the following new corollary which follows directly from the above, since p − 1 is always an even number: Corollary 2. Let ω be a primitive element for GF (p). Then x2 −ω is irreducible over GF (p). An extension degree of 2 is especially attractive for the implementation of cryptosystems based on hyperelliptic curves, since the field orders required are in the range 40-120 bits [15]. On a 32-bit or 64-bit architecture, the use of an OEF with m = 2 can form the basis for a very fast hyperelliptic curve implementation. Irreducible binomials do not exist over GF (2). Thus, previous approaches to this problem focusing on GF (2m ) have been unable to use binomials. For an OEF, however, we require p and m such that an irreducible binomial can be constructed. An algorithm to find such choices of p and m is described in Section 7.

7

Optimal Extension Fields

In the following, we define a new class of finite field, which we call an Optimal Extension Field (OEF). To simplify matters, we introduce a new name for a class of prime numbers:

480

Daniel V. Bailey and Christof Paar

Definition 1. A pseudo-Mersenne prime is a prime number of the form 2n ± c, log2 c ≤ 12 n. We now define an OEF: Definition 2. An Optimal Extension Field is a finite field GF (pm ) such that: 1. p is a pseudo-Mersenne prime, 2. An irreducible binomial P (x) = xm − ω exists over GF (p). We observe that there are two special cases of OEF which yield additional arithmetic advantages, which we call Type I and Type II. Definition 3. A Type I OEF has p = 2n ± 1. A Type I OEF allows for subfield modular reduction with very low complexity, as described in Section 5. Definition 4. A Type II OEF has an irreducible binomial xm − 2. A Type II OEF allows for speedups in extension field modular reduction since the multiplications by ω in Theorem 1 can be implemented using shifts instead of explicit multiplications. The choice of m depends on the factorization of p − 1 due to Theorem 2 and Corollary 1. In the following we describe an efficient construction method for OEFs. From a very high level, this method consists of three main steps: We choose a pseudo-Mersenne prime p first, then factor p − 1, and then finally select an extension degree m. Since p ≤ 264 due to current common processor word lengths, it is sufficient to use trial division to quickly factor p − 1. This procedure does not exhaustively list all OEFs, rather it is designed to quickly locate a Type II OEF for a desired field order and machine word size. Further, this procedure considers only those primes 2n − c, although a prime 2n + c is a valid choice for OEFs. A high-level outline of our field construction algorithm, which is based on Corollary 1 is given as Algorithm 3. There are other possible values for the order of ω that would lead to a greater number of fields that meet our criteria according to Theorem 2. However, the inclusion of these additional fields comes at the expense of an increase in complexity of our algorithm. We found that even with the restriction of ω a primitive element on our search for fields, there are still enough Type II OEFs to construct fields for any application. Our computational experiments indicate that for n = 32 and n = 64 there are hundreds of fields that satisfy these criteria. Tables of OEFs for all 7 ≤ n ≤ 63 are found in [1]. For example, suppose we wish to construct a field for use on a modern workstation with 64-bit integer arithmetic for use in an elliptic curve key exchange algorithm. We set n ← 63, c ← 1, low ← 120, high ← 260. Then we apply a probabilitstic primality test for the integers 2n − c, incrementing c by 2 until we locate a prime. Using this method, we discover that p = 263 − 259 is

Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms

481

prime. At this point, we factor p − 1 using trial division to obtain the factorization 22 × 32 × 7 × 107 × 342062455008707 = 9223372036854775548. Given this factorization we can easily perform a primitivity check and find that 2 is a primitive element. Algorithms to compute the order of a group element are well known, see [12]. It remains only to select an extension degree. By trial division, we observe that 2, 3, and 4 all divide p − 1 and thus x2 − 2, x3 − 2, and x4 − 2 are all irreducible binomials over GF (p). These binomials yield the fields GF ((263 − 259)2 ), GF ((263 − 259)3 ), and GF ((263 − 259)4 ), respectively. The approximate orders of these fields are 2126 , 2189 , and 2252 , respectively.

Algorithm 3 Fast Type II Optimal Extension Field Construction Procedure Require: n bitlength of desired p; low, high bounds on bit length of field order Ensure: p, m define a Type II Optimal Extension Field with field order between 2low and 2high . c←1 for c ← 1 to 12 n do p ← 2n − c if p is prime then factor p − 1 if 2 is primitive in GF (p) then for m ← low to high do if m|(p − 1) then return p, m end if end for end if end if end for

8 8.1

Implementation Results Application to Elliptic Curve Cryptography

One of the most important applications of our technique is in elliptic curve cryptosystems, where Galois field arithmetic performance is critical to the performance of the entire system. We show that an OEF yields substantially faster software finite field arithmetic than those previous reported in the literature. We implemented our algorithms on a 500 MHz DEC Alpha workstation in optimized C, only resorting to assembly to perform 64 bit × 64 bit multiplications, since these operations are not directly supported by Digital’s C compiler. We executed the Type II OEF construction procedure to find Type II OEFs for the word sizes 8, 16, 32, and 63. These word sizes are representative of the CPUs found in typical applications, although OEFs may be constructed for any

482

Daniel V. Bailey and Christof Paar

arbitrary word size. For each word size we attempted to construct an OEF with approximately 160, 190, and 240 bit length, as such fields are suggested for the implementation of practical elliptic curve systems [18,19]. The OEF construction algorithm from Section 7 found the fields shown in Table 1 with the exception of fields for an 8-bit word size, and the field with p = 261 −1. In both cases, ω = 2 is not primitive in GF (p). We constructed these cases using Theorem 2. In order to obtain accurate timings, we executed field multiplication in GF (pm ) one million times, observed the execution time, and computed the average. Table 1 shows the result of our field construction and subsequent timing measurements. For each of our example OEFs, Table 1 lists nm, which is the approximate bit length of the field order, the prime p, the irreducible binomial, and the time in microseconds to perform the GF (pm ) multiplication. In addition, we provide estimated time in milliseconds for a single elliptic curve group operation, elliptic curve point doubling, and estimated time for a full point multiplication, using the following assumptions. The elliptic curve addition operation in projective coordinates may be performed with 15 multiplications in GF (pm ), while doubling requires 12 multiplications [10]. Then we estimate the time required for an elliptic curve point multiplication as required in the elliptic curve analogue of Diffie-Hellman key exchange, assuming an implementation using the k-ary window method [6] with k = 4 to speed the repeated doubling and add operations. Note that in the estimations we ignored time required to perform additions in the finite field, but also did not employ better point multiplication algorithms such as signed-digit methods [10] and addition chains. Most fields included here are Type II with the exception of the 8-bit fields and the field GF ((261 −1)3 ), which is Type I. This accounts for its very high performance: a field multiplication is performed in 0.52 microseconds. When applied to elliptic curve cryptosystems, this field results in a very fast implementation, requiring only 1.58 milliseconds for a full point multiplication. 8.2

Comparison

We also compared our implementation with three previously reported approaches. For ease in comparison, we report our timing results as measured on a 150 MHz DEC Alpha. Results are found in Table 2. For each implementation, we give the timing for a field multiplication. It can be seen that our OEF GF ((261 − 1)3 ) yields field multiplication speeds which are more than twice as fast as the best previously reported approach. This is true even though our field has an order of 2183 , whereas the field in [16] has an order of 2155 and their workstation has a slightly higher clock rate.

Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms

483

Table 1. OEF arithmetic timings on a 500 MHz DEC Alpha p = 2n − c binomial GF mult EC add EC douxm − ω (µsec) (µsec) ble (est.) (µsec) (est.) 8 20 2 − 15 x −7 48.3 725 580 28 − 5 x25 − 6 70.1 1050 841 28 − 15 x30 − 7 100 1500 1200 216 − 165 x10 − 2 13.8 207 166 216 − 243 x12 − 2 16.9 253 203 16 15 2 − 165 x − 2 28.0 420 336 232 − 5 x5 − 2 1.35 20 16.2 232 − 387 x6 − 2 2.13 32 26 232 − 1053 x7 − 2 3.00 45 36 61 3 2 −1 x − 37 0.52 7.8 6.24 263 − 259 x3 − 2 0.87 13 10 263 − 259 x4 − 2 1.49 22 18

nm

160 200 240 160 192 240 160 192 224 183 189 252

αP (msec) (est.) 130 231 392 37.1 53.7 110 3.62 6.85 11.0 1.58 2.64 6.12

Table 2. Comparison of arithmetic performance Method

Field Size

Field Type

DeWin [17]

176 bits

GF ((2n )m )

Guajardo176 bits Paar [3] Schroeppel [16] 155 bits

GF ((2n )m )

OEF

GF (pm )

9

183 bits

GF (2m )

GF (µsec) 133 MHz Pen- 62.7 tium 175 MHz DEC 38.6 Alpha 175 MHz DEC 7.1 Alpha 150 MHz DEC 3.3 Alpha Platform

mult

Conclusion

In this paper we have introduced a class of finite fields, known as Optimal Extension Fields, which take advantage of well-known optimizations for finite field arithmetic on microprocessors commonly found in workstations. OEFs are especially attractive for use in elliptic curve and hyperelliptic curve systems. The arithmetic speedups are due to the inherent properties of an OEF. An OEF may be constructed with a subfield close to the size of the host CPU. The field

484

Daniel V. Bailey and Christof Paar

characteristic of an OEF is a pseudo-Mersenne prime, that is, of the form 2n ± c for small c, allowing fast subfield modular reduction. The extension degree of an OEF always allows for an irreducible binomial. Finally, the field polynomial of an OEF is chosen to have a constant term equal to 2. In real-world demonstrations, we have shown that an OEF yields a considerable speed advantage over previous software implementations of Galois field arithmetic for elliptic curve cryptography.

References 1. Daniel V. Bailey. Optimal extension fields. Major Qualifying Project (Senior Thesis), 1998. Computer Science Department, Worcester Polytechnic Institute, Worcester, MA, USA. 480 2. Richard E. Crandall. Method and apparatus for public key exchange in a cryptographic system. US Patent 5463690, 1995. 474 3. Jorge Guajardo and Christof Paar. Efficient algorithms for elliptic curve cryptosystems. In Advances in Cryptology — Crypto ’97, pages 342–356. Springer Lecture Notes in Computer Science, August 1997. 474, 474, 474, 483 4. G. Harper, A. Menezes, and S. Vanstone. Public-key cryptosystems with very small key lengths. In Advances in Cryptology — EUROCRYPT ’92, pages 163–173, May 1992. 474 5. D. Jungnickel. Finite Fields. B.I.-Wissenschaftsverlag, Mannheim, Leipzig, Wien, Z¨ urich, 1993. 479 6. D.E. Knuth. The Art of Computer Programming. Volume 2: Seminumerical Algorithms. Addison-Wesley, Reading, Massachusetts, 2nd edition, 1981. 482 7. N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48:203– 209, 1987. 473 8. N. Koblitz. Hyperelliptic cryptosystems. Journal of Cryptology, 1(3):129–150, 1989. 473 9. J. Koeller, A. Menezes, M. Qu, and S. Vanstone. Elliptic Curve Systems. Draft 8, IEEE P1363 Standard for RSA, Diffie-Hellman and Related Public-Key Cryptography, May 1996. working document. 474 10. Kenji Koyama and Yukio Tsuruoka. Speeding up elliptic cryptosystems by using a signed binary window method. In Crypto ’92. Springer Lecture Notes in Computer Science, 1992. 482, 482 11. R. Lidl and H. Niederreiter. Finite Fields, volume 20 of Encyclopedia of Mathematics and its Applications. Addison-Wesley, Reading, Massachusetts, 1983. 479 12. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997. 477, 478, 478, 481 13. V. Miller. Uses of elliptic curves in cryptography. In Lecture Notes in Computer Science 218: Advances in Cryptology — CRYPTO ’85, pages 417–426. SpringerVerlag, Berlin, 1986. 473 14. Atsuko Miyaji and Makoto Tatebayashi. Method for generating and verifying electronic signatures and privacy communication using elliptic curves. US Patent 5442707, 1995. 474 15. S. Paulus. Ein Algorithmus zur Berechnung der Klassengruppe quadratischer Ordnungen u ¨ber Hauptidealringen. PhD thesis, Institute for Experimental Mathematics, University of Essen, Essen, Germany, June 1996. 479

Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms

485

16. R. Schroeppel, H. Orman, S. O’Malley, and O. Spatscheck. Fast key exchange with elliptic curve systems. Advances in Cryptology — CRYPTO ’95, pages 43–56, 1995. 474, 474, 482, 483 17. E. De Win, A. Bosselaers, S. Vandenberghe, P. De Gersem, and J. Vandewalle. A fast software implementation for arithmetic operations in GF (2n ). In Asiacrypt ’96. Springer Lecture Notes in Computer Science, 1996. 474, 474, 474, 483 18. ANSI X9.62-199x. The Elliptic Curve Digital Signature Algorithm. Draft, January 1998. working document. 474, 482 19. ANSI X9.63-199x. Elliptic Curve Key Agreement and Key Transport Protocols. Draft, January 1998. working document. 474, 482

Time-Stamping with Binary Linking Schemes Ahto Buldas1 , Peeter Laud2 , Helger Lipmaa1 , and Jan Villemson2 1

Cybernetica Akadeemia 21, EE0026 Tallinn, Estonia 2 Cybernetica Tartu Lab, Lai 36, EE2400 Tartu, Estonia {ahtbu,peeter,helger,jan}@cyber.ee Abstract. We state the basic requirements for time-stamping systems applicable as the necessary support to the legal use of electronic documents. We analyze the main drawbacks of the time-stamping systems proposed to date and present a new system that meets all the stated requirements. We prove that these requirements cannot be significantly tightened.

1

Introduction

Time-stamping ([HS91], [BdM91], [BHS92]) is a set of techniques enabling us to ascertain whether an electronic document was created or signed at a certain time. The real importance of time-stamping becomes clear when there is a need for a legal use of electronic documents with a long lifetime. Without time-stamping we neither can trust signed documents when the cryptographic primitives used for signing have become unreliable nor solve the cases when the signer himself repudiates the signing, claiming that he has accidentally lost his signature key. During the last years, especially in the context of legal regulation of using digital signatures, the organizational and legal aspects of time-stamping itself have become the subject of world-wide attention. In addition to defining the responsibilities of the owner of the signature, duties and responsibilities of the third party (Time-Stamping Service, TSS) must be stated as well. Hence, there is an increasing interest in time-stamping systems where the need to trust the TSS is minimized. In order to make users liable only for their own mistakes, there has to be a possibility to ascertain the offender. Unlike physical objects, digital documents do not comprise the seal of time. Thus, the association of an electronic document uniquely with a certain moment of time is very complicated, if not impossible. Even by the theory of relativity, no absolute time exists. The best we can achieve with time-stamping is the relative temporal authentication (RTA) based on the complexity-theoretic assumption on the existence of collision-resistant one-way hash functions. RTA enables the verifier given two time-stamped documents to verify which of the two was created earlier. The main drawbacks of the time-stamping systems proposed to date concern (1) the need to unconditionally trust the TSS and (2) the time-complexity of RTA, which is linear on the number of issued time-stamps. H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 486–501, 1998. c Springer-Verlag Berlin Heidelberg 1998

Time-Stamping with Binary Linking Schemes

487

In the current paper theoretical and practical requirements are discussed and a new time-stamping system is presented (1) in which the need to trust the TSS is significantly diminished and (2) which offers RTA with the complexity proportional to the logarithm of the number of issued time-stamps. In Sect. 2 the time-stamping solutions proposed to date are analyzed. Sect. 3 clarifies the security objectives of time-stamping by giving essential requirements to the time-stamping systems. In Sect. 4 the protocols of the new time-stamping system are described using the linear linking scheme. In Sect. 5 binary linking schemes are introduced and a scheme with logarithmic verifying time is presented. In Sect. 6 we prove that the requirements stated in Sect. 3 cannot be tightened.

2

Existing Time-Stamping Systems

By a simple time-stamping protocol ([HS91], Sect. 4), the TSS appends the current time t to the submitted document X, signs the composite document (t, X) and returns the two values t and s = sigTSS (t, X) to the client. The weaknesses of this scheme are the unreliability of old time-stamps after a possible leakage of the signature key of the TSS and the impossibility of verifying whether s was issued actually at time t stated in the time-stamp, implying that the TSS has to be unconditionally trusted. Because of these drawbacks it has been widely accepted that a secure time-stamping system cannot rely solely on keys or on any other secret information. An overview of the existing time-stamping solutions is given in [MQ97]. 2.1

Linear Linking Scheme (LLS)

In order to diminish the need for trust, the users may demand that the TSS links all time-stamps together into a chain using a collision-resistant hash function H as was proposed in [HS91], Sect. 5.1 (variant 1). In this case the time-stamp for the n-th submitted document Xn is s = sigT SS (n, tn , IDn , Xn , Ln ) , where tn is the current time, IDn is the identifier of the submitter and Ln is the linking information defined by the recursive equation Ln := (tn−1 , IDn−1 , Xn−1 , H(Ln−1 )) . There are several complications with the practical implementation of this scheme. At first, the number of steps needed to verify the one-way relationship between two time-stamps is linear with respect to the number of time-stamps between them. Hence, a single verification may be as costly as it was to create the whole chain. This solution has impractical trust and broadcast requirements, as it was pointed out already in [BdM91]. A modification was proposed in [HS91] (Sect. 5.1, variant 2) where every time-stamp is linked with k > 1 time-stamps directly preceding it. This variation decreases the requirements for broadcast by increasing the space needed to store individual time-stamps.

488

Ahto Buldas et al.

2.2

Tree-Like Schemes

Two similar tree-like schemes have been proposed [BdM91,BHS92]. In the HaberStornetta scheme [BHS92,HS97], the time-stamping procedure is divided into rounds. The time-stamp Rr for round r is a cumulative hash of the time-stamp Rr−1 for round r − 1 and of all the documents submitted to the TSS during the round r. After the end of the r-th round a binary tree Tr is built. Every participant Pi who wants to time-stamp at least one document in this round, submits to the TSS a hash yr,i which is a hash of Rr−1 and of all the documents he wants to time-stamp in this round. The leafs of Tr are labeled by different yr,i . Each inner node k of Tr is recursively labeled by Hk := H(HkL , HkR ), where kL and kR are correspondingly the left and the right child nodes of k, and H is a collision-resistant hash function. The TSS has to store only the time-stamps Rr for rounds (Fig. 1). All the remaining information, required to verify whether a certain document was time-stamped during a fixed round, is included into the individual time-stamp of the document.

R r-1

yr,1

H4

yr,2

H5

yr,3 yr,4

H6

Rr

R r-1 yr,1

H4

yr,2

H5

Rr H6

yr,3 yr,4

Fig. 1. An example of the time-stamp for round r by the schemes presented in [BdM91] (left) and [BHS92] (right). For example, the individual time-stamp for yr,3 is [r; (yr,4 , L), (H4 , R)]. The verifying procedure of the time-stamp of yr,3 consists of verifying the equality Rr = H(H(H4 , H(yr,3 , yr,4 )), Rr−1 ). Here, the size of a single time-stamp is logarithmic with respect to the number of participants submitting their documents to the TSS for the current round. The Haber–Stornetta linking scheme [BHS92,HS97] differs slightly from the Benaloh–de Mare scheme [BdM91]. Here, the time-stamp Rn for the n-th round is linked directly to Rn−1 , enabling the verifier to check one-way dependencies between Ri without examining the individual time-stamps of the submitted documents. This is impossible in the Benaloh–de Mare scheme. However, in the Haber–Stornetta scheme the individual time-stamps in the n-th round are not linked to the time-stamp Rn−1 for previous round. These schemes are feasible but provide the RTA for the documents issued during the same round only if we unconditionally trust the TSS to maintain the order of time-stamps in Tr . Therefore, this method either increases the need for trust or otherwise limits the maximum temporal duration of rounds to the

Time-Stamping with Binary Linking Schemes

489

insignificant units of time (one second in Digital Notary system). However, if the number of submitted documents during a round is too small, the expenses of time-stamping a single document may become unreasonably large (Sect. 3.3).

3

Security Objectives

In the following we give a definition of time-stamping systems applicable in legal situations. Later we will justify our approach and compare it to older systems. A time-stamping system consists of a set of principals with the time-stamping server (TSS) together with a triple (S, V, A) of protocols. The stamping protocol S allows each participant to post a message. The verification protocol V is used by a principal having two time-stamps to verify the temporal order between those time-stamps. The audit protocol A is used by a principal to verify whether the TSS carries out his duties. Additionally, no principal (in particular, TSS) should be able to produce fake time-stamps without being caught. A time-stamping system has to be able to handle time-stamps which are anonymous and do not reveal any information about the content of the stamped data. The TSS is not required to identify the initiators of time-stamping requests. Our notion of time-stamping system differs from the one given in, e.g., [BdM91] by several important aspects. Below we motivate the differences. 3.1

Relative Temporal Authentication

The main security objective of time-stamping is temporal authentication [Jus98]– ability to prove that a certain document has been created at a certain moment of time. Although the creation of a digital data item is an observable event in the physical world, the moment of its creation cannot be ascertained by observing the data itself (moreover, no such thing as the absolute thing exists). The best one can do is to check the relative temporal order of the created data items (i.e., prove the RTA) using one-way dependencies defining the arrow of time, analogous to the way in which the growth of entropy defines the arrow of time in the physical world ([Haw88], Chap. 9). For example, if H is a collision-resistant one-way hash function, one can reliably use the following “rough” derivation rule: if H(X) and X are known to a principal P at a moment t, then someone (possibly P himself) used X to compute H(X) at a moment prior to t. To date, the existence of one-way functions has not been proved. Therefore, the proposed time-stamping systems make sense only under the hypothesis of the existence of collision free one-way hash functions. Definition 1. A collision-resistant one-way hash function ([MOV96], Sect. 9.2) is a function H which has the properties of compression, ease of computation, preimage resistance, 2nd-preimage resistance and collision resistance. Definition 2. Let ρ be a binary relation on IN, such that x ρ y implies x < y and H be a collision-resistant one-way hash function. A (ρ, H)-linking scheme is

490

Ahto Buldas et al.

a procedure to link a family (Hn ) of data items together using auxiliary linking items Ln satisfying the recursive formula Ln := H(Hn , Ln1 , . . . , Ln]ρ−1 (n) ) ,

(1)

where n1 ≥ · · · ≥ n]ρ−1 (n) are exactly the elements of ρ−1 (n) := {m | m ρ n} (the preimage of n by ρ). A sequence (mi )`i=1 , where mi ρ mi+1 , is called a verifying chain between m1 and m` with length `. In the context of time-stamping Hn = H(n, Xn ), where Xn denotes the n-th time-stamped document. The linking item Ln is also referred to as a time-stamp of Xn . Note that a one-way relationship between Ln and Lm (n < m) does not prove that in the moment of creating Xn the bit-string Xm did not exist. All we know is that Xn did exist at the moment of creating Lm . We have omitted the tn in the formula for Hn , whereas it should not be taken for granted that the value tn indeed represents the submission time of Xn . The only way for a principal to associate a time-stamp with a certain moment of time is to time-stamp a nonce at this moment. By a nonce we mean a sufficiently long random bit-string, such that the probability it has been already time-stamped is negligible. In order to verify the absolute creating time of a document timestamped by another principal, the verifier has to compare the time-stamp with the time-stamps of nonces generated by the verifier herself. In this solution there are neither supplementary duties to the TSS nor to the other principals. The use of nonces illustrates the similarity between time-stamping and ordinary authentication protocols, where nonces are used to prevent the possible reuse of old messages from previous communications. By using RTA it is possible to determine not only the submitting time of the signature but also the time of signing the document. Before signing a document X the principal P generates a nonce N and time-stamps it. He then includes the time-stamp L(N ) of N to the document, signs it and obtains the time-stamp L(σ) of the signature σ = sigP (L(N ), X). From the view-point of the TSS these stamping events are identical (he need not be aware whether he is time-stamping a nonce or meaningful data). For the verification of the document X, the verifier has to compare both these time-stamps with the timestamps trusted by her. As there are one-way dependencies between L(N ), σ and L(σ) the verifier may conclude that the signature was created in the time-frame between the moments of issuance of L(N ) and of L(σ) respectively. If these moments are close enough, the signing time can be ascertained with necessary precision. 3.2

Detection of Forgeries

A time-stamping system must have properties enabling users to verify whether an arbitrary time-stamp is correct or not. Possession of two documents with corresponding time-stamps is not enough to prove the RTA between the documents because everyone is able to produce fake chains of time-stamps.

Time-Stamping with Binary Linking Schemes

491

A time-stamping system should allow (1) to determine whether the timestamps possessed by an individual have been tampered with; and (2) in the case of tampering, to determine whether the time-stamps were tampered by the TSS or tampered after the issuing (generally by unknown means). In the second case, there is no-one to bring an action against. The principals interested in legal use of time-stamps should themselves verify their correctness immediately after the issuing (using signatures and other techniques discussed later) because if the signature of the TSS becomes unreliable, the signed time-stamps cannot be used as an evidence. In order to increase the trustworthiness of the time-stamping services it should be possible for the clients to periodically inspect the TSS. Also, in the case when the TSS is not guilty he should have a mechanism to prove his innocence, i.e., that he has not issued a certain time-stamp during a certain round. Additionally, the TSS must publish regularly, in an authenticated manner, the time-stamps for rounds [BdM91] in mass media. If the time-stamping protocol includes (by using collision-resistant one-way hash functions) (1) the message digest of any time-stamp issued during the r-th round into the time-stamp for r-th round, and (2) the message digest of the time-stamp for round r − 1 into any time-stamp issued during the r-th round, it will be intractable for anyone to undetectably forge a time-stamp. The forgery detection procedures should be simple. Forgeries should be determinable either during the stamping protocol (when the time-stamp, signed by the TSS, fails to be correct) or later when it is unable to establish the temporal order between two otherwise correct timestamps (see Sect. 4 for details). 3.3

Feasibility Requirements

The time-stamping systems of [BdM91] and [HS97] use nonlinear partial ordering of time-stamps and therefore do not support the RTA. Sect. 4 shows how to modify the linear linking scheme ([HS91], Sect. 5.1) to fulfill the security objectives (RTA and detection of forgeries). On the other hand, in practice, in this scheme the detection of forgeries would take too many steps. As noted in [Jus98], it is easy to forge time-stamps when we can assume that the verifier has limited computational power. This leads us to the question of feasibility. In order to make RTA feasible in the case when time-stamps belong to different rounds, it is reasonable to define an additional layer of links between the time-stamps for rounds. Definition 3. Assume we are given (ρ, H) and (δ, H) linking schemes and a monotonically increasing function ξ : IN → IN. By a (ρ, ξ, δ, H)-linking scheme we mean a procedure for linking a family (Hn ) of data items together using auxiliary linking items Ln and Lr satisfying the recursive formulae Ln := H(Hn , Ln1 , . . . , Ln]ρ−1 (n) )

if n 6∈ ξ(IN)

Lr := Lξ(r) = H(Hr , Lr1 , . . . , Lr]δ−1 (r) ) Hr := H(Hm , Lm1 , . . . , Lm]ρ−1 (n) ) ,

492

Ahto Buldas et al.

where m = ξ(r), ρ−1 (n) = {m1 , . . . , m]ρ−1 (n) } (m1 ≥ ... ≥ m]ρ−1 (n) ) and δ −1 (r) = {r1 , . . . , r]δ−1 (r) } (r1 ≥ . . . ≥ r]δ−1 (r) ). The values Lr are also referred to as the time-stamps for rounds. Note that the time-stamps requested from the TSS during the verification protocol should belong to the set of time-stamps for rounds because only these time-stamps are available in the time-stamping server. Definition 4. A (ρ, ξ, δ, H)-linking scheme is said to be an Accumulated Linking Scheme (ALS) with rank m, if 1. If ξ(r) < n ≤ ξ(r + 1) then ρ−1 (n) ⊂ [ξ(r), ξ(r + 1)] ∪ ξ(IN); 2. ξ(r + 1) − ξ(r) ≥ m. We say that a (ρ, H)-linking scheme enables accumulated time-stamping if for arbitrary positive m there exists ξ, such that the (ρ, ξ, ρ, H)-scheme is an ALS with rank m. If the linking scheme used enables accumulated time-stamping, the duration of the rounds can be flexibly enlarged in order to guarantee that only a negligible fraction of the time-stamps are kept in the memory of the time-stamping server. Let n be the total number of time-stamps issued till the moment of the current run of stamping/verification protocol. The feasibility requirements can be summarized with the following: 1. The number of the evaluations of the hash function during the verification protocol should be O(log n). In particular, the number of time-stamps examined during a single run of the verification protocol should be O(log n); 2. There should be a conveniently small upper bound to the length of rounds, whereas the clients want to get their time-stamps in reasonable time. It seems to be sensible to require that the stamping protocol of the n-th document must terminate before the TSS has received additional O(log n) time-stamp requests. In real applications it is desirable for the average length of rounds to be constant (this would guarantee that for an arbitrary constant c there would be only negligible fraction of rounds with length greater than c). 3. The size of an individual time-stamp should be small. As we will show later (Thm. 2), there is a trade-off between these quantities. In Sect. 5 and the following sections we present an improvement of the scheme of Sect. 4.

4

First Version of Our System: Linear Linking

For pedagogical reasons, we outline the protocols and the basic organizational principles of our system using the linear linking scheme. This scheme fulfills all the trust requirements but is impractical. Further, the described scheme is significantly improved by replacing the linear scheme with a binary linking scheme. Let the number M of time-stamps per round be a constant known to the participants (clients) and all the data items Xn be of fixed size. Therefore, in the case of the linear linking scheme, the time-stamp for the r-th round has a number ξr = M · r.

Time-Stamping with Binary Linking Schemes

4.1

493

Role of the TSS

The TSS maintains the following three databases: 1. the database Dc of the time-stamps of the current round. 2. the database Dp of the time-stamps of the previous round. 3. the database Dr of the time-stamps for rounds. These databases are considered to be on-line in the sense that any client can make requests into them at any moment. The fourth database (the complete data-base of time-stamps) is also stored but not on-line (it may be stored into an archive of CD-s). Requests to this database are possible, but costly (e.g., requiring human interaction). After the end of each round, the time-stamps in Dp are stored to a separate CD (this process may be audited). Thereafter, Dp is emptied. The time-stamp Rr for the current round is computed, added to Dr and published in a newspaper (two processes which should be audited). The database Dc is copied into Dp and a new database Dc is created. 4.2

Stamping Protocol

Suppose, the current round number is r. 1. Client sends Xn to the TSS. 2. The TSS finds Hn = H(n, Xn ) and Ln = (Hn , Ln−1 ), and adds the pair (Hn , Ln ) to Dc . 3. The TSS signs the pair (n, Ln ) and sends (n, Ln , sigTSS (n, Ln )) back to the client. 4. The TSS sends the tuple head(n) = (Hn−1 , Hn−2 , . . . , Hξr−1 +1 ) to the client. 5. The client verifies the signature of TSS and checks, whether H(Hn , H(Hn−1 , . . . H(Hξr−1 +1 , Lξr−1 ) . . . )) = Ln ,

(2)

where the true values Lξi can be found either from the newspaper or by requesting for their values from the on-line database Dr of the TSS. After the M requests have been answered the TSS finishes the round by finding Lξr = H(Hξ0 r , Lξr−1 ) (where Hξ0 r = H(Hξr , Lξr −1 )) and publishing Lξr and his public key KTSS in the newspaper. The client may now continue, during a limited period, the protocol in order to get the complete individual time-stamp for Xn . 6. The client sends a request to the TSS. 7. Let tail(n) = (Hξr −1 , Hξr −2 , . . . , Hn+2 , Hn+1 ) The TSS answers by sending (tail(n), sigTSS (tail(n))) to the client. 8. The client checks whether Lξr = H(Hξr −1 , H(Hξr −2 , . . . H(Hn+2 , H(Hn+1 , Ln )) . . . )) .

(3)

494

Ahto Buldas et al.

Definition 5. The complete individual time-stamp sn for the n-th document is sn := (tail(n), head(n), n, Ln , sigTSS (n, Ln )) . Every client who is interested in the legal use of a time-stamp, should validate it during the stamping protocol. In a relatively short period between the 1st and the 3rd step and between the 4th and 6th step, the signature key of TSS is trusted to authenticate him and therefore, his signature on an invalid head(n) or tail(n) can be used as an evidence in the court. But the client is responsible for doing it when the signature key of TSS can still be trusted. Later, the signature of TSS may become unreliable and therefore only the one-way properties can be used. 4.3

Verification Protocol

Let r(n) denote the round where sn was issued. Assume, the verifier has two time-stamped documents (Xm , sm ) and (Xn , sn ) where m < n. 1. The verifier checks the validity of the equations (2) and (3) for both timestamps. 2. If r(m) = r(n) then the data hold in tail(m) and head(n) will be enough to check whether Ln = H(Hn , H(Hn−1 , . . . H(Hm+1 , Lm ) . . . )) . 3. If r(m) < r(n), the verifier sends a request to the TSS. 4. The TSS answers by sending the tuple vmn = (Hξ0 r(n)−1 , Hξ0 r(n) −2 , . . . , Hξ0 r(m) ) and the signature sigTSS (vmn ) to the verifier. 5. The verifier validates the signature, finds Lξr(m) using (3), finds Lr(n)−1 using the formula Lr(n)−1 = H(Hξ0 r(n)−1 , H(Hξ0 r(n)−2 , . . . H(Hξ0 r(m) , Lξr(m) ) . . . )) and finally, compares the value of Ln in sn with the value given by (2). 4.4

Audit Protocol

Because of the possible legal importance of the time-stamps issued by the TSS, there should be some mechanism to audit TSS. One easy way to do it is to periodically ask time-stamps from the TSS and verify them. If these time-stamps are linked inconsistently (i.e., the Eq. (2) and (3) hold for both time-stamps but the verification protocol fails), the TSS can be proven to be guilty. Also, there has to be a mechanism for the TSS to prove that he has not issued a certain time-stamp S in a certain round r. This can be done if the TSS presents all the time-stamps issued during the r-th round, shows that S is not among them and that the time-stamp for the r-th round, found by using these time-stamps and the linking rules, coincides with the published time-stamp.

Time-Stamping with Binary Linking Schemes

5

495

Binary Linking Schemes

In the current section we give a construction of a practical linking scheme with logarithmic upper bound to the length of the shortest verifying chain between any two time-stamps. Definition 6. Let f and g be functions from IN to IN satisfying the condition f (n) ≤ g(n) < n for any n. A (f, g, H)−binary linking scheme (BLS) is a (ρ, H)linking scheme where for any n, ρ−1 (n) = {f (n), g(n)}. In order to guarantee the existence of a verifying chain between arbitrary x and y, we have to take g(n) := n − 1. In those cases we omit n − 1 and talk just about a (f, H)-BLS. A binary linking scheme can alternatively be defined as a directed countable graph which is connected, contains no cycles and where all the vertices have two outgoing edges (links). Let us construct an infinite family of such graphs Tk in the following way: 1. T1 consists of a single vertex which is labeled with the number 1. This vertex is both the source and the sink of the graph T1 . 2. Let Tk be already constructed. Its sink is labeled by 2k − 1. The graph Tk+1 consists of two copies of Tk , where the sink of the second copy is linked to the source of the first copy, and an additional vertex labeled by 2k+1 − 1 which is linked to the source of the second copy. Labels of the second copy are increased by 2k − 1. The sink of Tk+1 is equal to the sink of the first copy, the source of Tk+1 is equal to the vertex labeled by 2k+1 − 1. Thereafter, link all the vertices of the second copy which have less than two outgoing links, to the source of the first copy. Note that there is now a double link from the sink of the second copy to the source of the first copy. 2 k

2 -1

Tk

Tk+1 2

k+1

-1

k+1

-2

Tk

The sequence (Tk ) defines a binary linking scheme with the vertices labeled by natural numbers which contains each scheme Tk as its initial segment. After the construction of this binary linking scheme, add links from the sources of any such initial segment to a special vertex labeled by 0 (Fig. 2). Here (see also Rem. 1), f (n) = n − 2h(n) + 1, where h(n) is given recursively by the equation ( k , if n = 2k − 1 , h(n) = k−1 h(n + 1 − 2 ) , if 2k−1 ≤ n < 2k − 1 . Theorem 1. Let `(a, b) be the length of the shortest verifying chain from b to a. If k > 2 and 0 < a ≤ b < 2k then `(a, b) ≤ 3k − 5. (See Appendix A)

496

Ahto Buldas et al.

In Sect. 4 we presented an outline of a time-stamping system that fulfills our trust requirements. In the next we show how to make this system feasible by using a BLS. ξ 3 = 22

ξ0 = 0

ξ1 = 7

ξ 2 = 15

ξ 4 = 31 31

15 30 7

14

22 29

3

10

18

13

25 21

6

28

12 0

1

2

4

5

8

9

11

16

17

19

20

23

24

26

27

Fig. 2. The ALS structure built on T5 with m = 7. In order to issue the individual time-stamp for the n-th document, the TSS has to find the shortest verifying chains between ξr(n)−1 and n and between n and ξr(n) . The n-th individual time-stamp consists of the minimal amount of data (Sect. 4.2) necessary to verify the mutual one-way dependencies between all Lj which lay on these chains. It can be shown that if f satisfies the implication m > n ⇒ (f (m) ≤ f (n) ∨ f (m) ≥ n)

(4)

then (f, H) enables accumulated time-stamping (the proof has been omitted because of its technicality). In particular, the binary linking scheme described in Sect. 5 enables accumulated time-stamping. For a fixed m let k := dlog2 me, ξ0 := 0, ξ1 := 2k − 1 (the source of Tk ) and for arbitrary i > 1, ( ξ2j + ξi−2j , if i 6= 2j ξ(i) := 2 · ξi/2 + 1 , if i = 2j , where j := blog2 ic. The length of the n-th time-stamp in this scheme does not exceed 2 · 3 · log(n) · χ bits, where χ is the output size of the hash function H. The maximum length of rounds grows proportionally to O(log n). However, the average length of rounds is constant and therefore it is practical to publish the time-stamps for rounds after constant units of time. This can be achieved easily with the following procedure. If the “deadline” for round is approaching and there are still q time-stamps not issued yet, assign random values to the remaining data items Hn .

Time-Stamping with Binary Linking Schemes

497

Remark 1. Denote by ord n the greatest power of 2 dividing n. In the ALS presented above, it is reasonable to label time-stamps in the lexicographical order with pairs (n, p), where 0 ≤ p ≤ ord n and n > 0. Then, ( (0, p) , n = 2p f (n, p) := p p (n − 2 , ord (n − 2 )) , otherwise and g(n, p) := (n, p − 1) if p > 0 and g(n, 0) := (n − 1, ord (n − 1)). Also, the formulas of ξi will simplify: in this case, ξ(i) := (2k−1 i, k − 1 + ord i), for i ≥ 1. It is easy to show that for each n and m the shortest verifying chain between n and m is uniquely defined. The data vmn necessary to verify the one-way dependence is computed by the procedure TSData(m, n): proc TSData(m, n) ≡ Data := nil while n > m do Data := append(Data, Hn ) if f (n) 6= n − 1 ∧ f (n) ≥ m then Data := append(Data, Ln−1 ); n := f (n) else Data := append(Data, Lf (n) ); n := n − 1 fi od. Here, head(n) := TSData(ξr(n−1) , n) and tail(n) := TSData(n, ξr(n) ). Example 1. Let ξ0 = 0 and ξ1 = 15 (Fig. 2). In order to compute the fourth and the tenth time-stamps we need tail(10) := (H15 , L0 , H14 , L7 , H13 , L12 ) , head(10) := (H10 , L9 , H7 , L6 ) , tail(4) := (H15 , L0 , H14 , L13 , H7 , L0 , H6 , L3 , H5 , L4 ) , head(4) := (H4 , L3 , H3 , L2 ) . Let (f, H) be a BLS satisfying the implication (4). Let x < y < z < w and C1 , C2 be verifying chains from z to x and w to y respectively. It is obvious that C1 and C2 have a common element. Thus, if m < n then the verifying chains tail(m) and head(n) have a common element c which implies the existence of a verifying chain (m = n0 , n1 , . . . , ni−1 , ni = c, ni+1 , . . . , n`−1 , n` = n) . This chain can be found by a simple algorithm and is of logarithmic length. Let r(m) denote the round into which m belongs. The proof of the last claim for the case r(m) = r(n) is given in Appendix A. If m and n belong to different rounds,

498

Ahto Buldas et al.

15

On the verifying chain

14

Other links used for verification

13

Not used for verification

7 3

10 6

0

1

2

4

5

8

9

11

12

Fig. 3. The time-stamp of X10 in the proposed system. the verifying is straightforward, because of the similar structure of the second layer of links. The verifying chain from n to m is of the form (m, . . . , m0 , ξr(m) , . . . , ξr(n)−1 , n0 , . . . , n) , where the number of ξj -s is logarithmic due to the fact that the time-stamps for rounds are linked together in a way similar to the linking of all time-stamps (Fig. 2). The length of the sequences (m, . . . , m0 ) and (n0 , . . . , n) is also logarithmic (Appendix A). Example 2. For the chains given in Example 1, the common element is 7 and the verifying chain between 4 and 10 is (4, 5, 6, 7, 10). Corollary 1. Due to the similarity between the verification and the stamping procedure, for an arbitrary pair of time-stamped documents the number of steps executed (and therefore, also the number of time-stamps examined) during a single run of the verification protocol is O(log n).

6

Optimality

Our solution meets asymptotically the feasibility requirements, but could these requirements be refined? Mostly not, an insight into this is given below. Namely, we show that for any linking scheme there does not exist a time-stamping solution where (1) the length of the time-stamps is O(log n), (2) for any m and n there exists a verifying chain between m and n with the length O(log n) that is completely contained in the union S(m) ∪ S(n) of the corresponding individual time-stamps and (3) the stamping protocol will end in a logarithmic time. We prove this under the assumptions (1) that an individual time-stamp is a subset of IN and (2) that the size of a time-stamp is proportional to the size of ]S(n) + ]ρ−1 (S(n)) = O(]ρ−1 (S(n))) (holds if the transitive closure ρ∗ of ρ coincides with the natural order <, i.e, the time-stamp S(n) consists of tail(n) and head(n))). Theorem 2. Let ρ be a binary relation on IN satisfying ρ∗ =<. There does not exist a function S : IN → 2IN such that

Time-Stamping with Binary Linking Schemes

499

1. | ρ−1 (S(n))| < c1 log n for some c1 , for any n. 2. For every m and n there exists a ρ-chain (m = m1 , m2 , . . . , mk = n) where mi ∈ S(m) ∪ S(n) (that is, the number of time-stamps necessary to examine during the verification protocol is greater than 2). 3. For any n, max{S(n)} − n ≤ c2 log n for some constant c2 . Proof. Assume that there exists such S. Let n be a sufficiently large positive integer. For a m ∈ IN let Φ(m) := [m, m + dc2 log me]. The intervals Φ(1 + log n−2 ic2 log n), i ∈ 0, . . . , b n−cc22 log c do not intersect. n Let m < n − c2 log n − 1. In this case dm + c2 log me < n. As the set S(m) ∪ S(n) contains a ρ-chain from m to n there should exist such m1 ∈ Φ(m) and n1 ∈ S( n) on this chain that m1 ρ n1 . Thus, for every m < n − c2 log n − 1 the set Φ(m) ∩ ρ−1 (S(n))) is nonempty. Hence, the set ρ−1 (S(n)) has at least log n−2 b n−cc22 log c=Θ(n/ log n) elements. A contradiction with Condition 1. t u n The Thm. 2 can be straightforwardly generalized to claim that the number of examined time-stamps must be greater than any fixed constant.

Acknowledgements and Further Work We would like to thank Stuart Haber for his patience, without his help this paper would have been totally unreadable. We are grateful to Philip Hawkes and anonymous referees for valuable remarks. The reasoning about the time-stamping procedures creates the need for a formal apparatus capable to prove the security of time-stamping protocols, in a way similar to how the BAN-style logics [BAN89] are used for reasoning about ordinary authentication protocols. The renewing protocols and technical specifications need to be elaborated.

References BAN89. Michael Burrows, Mart´ın Abadi, and Roger Needham. A Logic of Authentication. SRC Research Reports 39, DEC’s System Research Center, February 1989. 499 BdM91. Josh Benaloh and Michael de Mare. Efficient Broadcast time-stamping. Technical Report 1, Clarkson University Department of Mathematics and Computer Science, August 1991. 486, 487, 488, 488, 488, 489, 491, 491 BHS92. Dave Bayer, Stuart Haber, and W. Scott Stornetta. Improving the efficiency and reliability of digital time-stamping. In Sequences’91: Methods in Communication, Security, and Computer Science, pages 329–334. Springer-Verlag, 1992. 486, 488, 488, 488, 488 Haw88. Stephen W. Hawking. A Brief History of Time: From the Big Bang to Black Holes. Bantam Books, April 1988. 489 HS91. Stuart Haber and W.-Scott Stornetta. How to Time-Stamp a Digital Document. Journal of Cryptology, 3(2):99–111, 1991. 486, 487, 487, 487, 491

500

Ahto Buldas et al.

HS97.

Stuart Haber and W.-Scott Stornetta. Secure Names for Bit-Strings. In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28–35, April 1997. 488, 488, 491 Jus98. Mike Just. Some Timestamping Protocol Failures. In Internet Society Symposium on Network and Distributed System Security, 1998. Available at http://www.scs.carleton.ca/~just/. 489, 491 MOV96. Alfred J. Menezes, Paul C. Van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. 489 MQ97. Henry Massias and Jean Jacques Quisquater. Time and Cryptography. Technical report, Universit catholique de Louvain, March 1997. TIMESEC Technical Report WP1. 487

A

Proof of Theorem 1

We will prove an upper bound for the length of the verifying chain for the linking scheme described in Sect. 5. Let ek = 2k − 1, i.e. ek is the number of the last vertex of Tk . To simplify the proof we add the vertex 0 to the scheme and link it with all the vertices that have less than two outgoing links. These are exactly the vertices ek . Let `(a, b) denote the length of the shortest path between a and b. The equations `(0, ek ) = 1, `(ek−1 , ek ) = 2 and ek − ek−1 = ek−1 + 1 follow immediately from the definition. Lemma 1. If 0 < a ≤ ek ≤ b then `(a, b) = `(a, ek ) + `(ek , b). If ek−1 ≤ a < ek then `(a, ek ) = `(a, ek − 1) + `(ek − 1, ek ). The claims above follow immediately from the structural properties of the linking scheme. Lemma 2. If ek−1 ≤ a ≤ b < ek then `(a, b) = `(a − ek−1 , b − ek−1 ). Proof. This follows from the construction of Tk from the two copies of Tk−1 . Here a and b are vertices in the second copy of Tk−1 (or the last vertex of the first copy), and a − ek−1 and b − ek−1 are the same vertices in the first copy of t u Tk−1 (or the vertex 0). Lemma 3. If 0 ≤ a < ek then `(0, a) ≤ k. Proof. Induction on k. Base: k = 1. Then a = 0 and `(0, a) = 0 < k. Step: k > 1. Observe the following cases: – If 0 ≤ a < ek−1 then the induction assumption gives `(0, a) ≤ k − 1 < k. – If ek−1 ≤ a < ek then `(0, a) = `(0, ek−1 ) + `(ek−1 , a) = 1 + `(0, a − ek−1 ) by Lemma 2. Observe the following cases: • a = ek − 1. Then `(0, a) = 1 + `(0, a − ek−1 ) = 1 + `(0, ek−1 ) = 2 ≤ k. • a < ek − 1. Then `(0, a) = 1 + `(0, a − ek−1 ) ≤ 1 + (k − 1) = k by induction assumption.

Time-Stamping with Binary Linking Schemes

501

t u Lemma 4. If 0 < a ≤ ek then `(a, ek ) ≤ 2(k − 1). Proof. Induction on k. Base: k = 1. Then a = 1 and `(a, ek ) = `(1, 1) = 0 = 2(k − 1). Step: k > 1. Observe the following cases: – If 0 < a ≤ ek−1 then `(a, ek ) = `(a, ek−1 ) + `(ek−1 , ek ) ≤ 2(k − 2) + 2 = 2(k − 1) by induction assumption. – If ek−1 < a ≤ ek then observe the following cases: • a = ek . Then `(a, ek ) = 0 ≤ 2(k − 1). • a < ek . Then `(a, ek ) = `(a, ek − 1) + `(ek − 1, ek ) = `(a − ek−1 , ek−1 ) + 1 by the Lemma 2. Induction assumption now gives `(a, ek ) = `(a − ek−1 , ek−1 ) + 1 ≤ 2(k − 2) + 1 < 2(k − 1). t u Proof (Theorem 1). Induction on k. Base: k = 3. In this case one can directly verify that `(a, b) ≤ 4. Step: k > 3. Observe the following cases: – If 0 < a ≤ b ≤ ek−1 then the induction assumption gives us `(a, b) ≤ 3(k − 1) − 5 < 3k − 5. – If 0 < a ≤ ek−1 < b ≤ ek then `(a, b) = `(a, ek−1 ) + `(ek−1 , b) ≤ 2(k − 2) + `(ek−1 , b) by the Lemma 4. The following cases are possible: • b = ek . Then `(ek−1 , b) = 2 < k − 1. • b = ek − 1. Then `(ek−1 , b) = 1 < k − 1. • b < ek − 1. Then the lemmas 2 and 3 give `(ek−1 , b) = `(0, b − ek−1 ) ≤ k − 1. Thus `(a, b) ≤ 2(k − 2) + k − 1 = 3k − 5. – If ek−1 < a ≤ b ≤ ek then observe the following cases: • b = ek . Then `(a, b) = `(a, ek ) ≤ 2(k − 1) < 3k − 5 by Lemma 4. • b < ek . Then `(a, b) = `(a − ek−1 , b − ek−1 ) ≤ 3(k − 1) + 5 < 3k − 5 by Lemma 2 and induction assumption. t u As dlog be = k iff ek−1 + 1 < b ≤ ek + 1 we get k < dlog be + 1 and thus `(a, b) ≤ 3dlog be − 2 .

Threshold Traitor Tracing Moni Naor? and Benny Pinkas?? Dept. of Applied Mathematics and Computer Science Weizmann Institute of Science Rehovot 76100, Israel {naor,bennyp}@wisdom.weizmann.ac.il

Abstract. This work presents threshold tracing schemes. Tracing schemes trace the source of keys which are used in pirate decoders for sensitive or proprietary data (such as pay-TV programs). Previous tracing schemes were designed to operate against any decoder which decrypts with a non-negligible success probability. We introduce threshold tracing schemes which are only designed to trace the source of keys of decoders which decrypt with probability greater than some threshold q (which is a parameter). These schemes present a dramatic reduction in the overhead compared to the previous constructions of tracing schemes. We argue that in many applications it is only required to protect against pirate decoders which have a decryption probability very close to 1 (for example, TV decoders). In such applications it is therefore very favorable to use threshold tracing schemes.

1

Introduction

We present very efficient tracing systems: systems which allow data providers to identify sources of leakage of their keys to illegitimate receivers. Consider for example a pay-TV provider which finds out that someone is selling pirate decoders which enable the decoding of transmissions without paying the required fees. A tracing system enables the provider to identify which legitimate receivers assisted in constructing the pirate decoders. Tracing systems were first presented by Chor, Fiat and Naor [8]. They used the following security requirement, which in our view is too stern for many applications: they required full-resiliency, i.e that the schemes should trace the source of any decoder which decodes with a non-negligible probability. We claim that for many very relevant applications a decoder with a success probability which is non-negligible, but is not very close to 1, is useless. Assume for example that a TV program is divided into one minute segments which are separately encrypted. A decoder which decrypts with probability 90% is expected to fail in the decoding of one out of ten minutes. Very few customers will be willing to pay for such a decoder. ? ??

Research supported by BSF Grant 32-00032. Supported by an Eshkol Fellowship from the Israeli Ministry of Science.

H. Krawczyk (Ed.): CRYPTO’98, LNCS 1462, pp. 502–517, 1998. c Springer-Verlag Berlin Heidelberg 1998

Threshold Traitor Tracing

503

We present threshold tracing schemes which depend on a parameter q. They trace the source of keys of any decoder which decodes with success probability not smaller than q but there is no guarantee for their success against decoders with success probability smaller than q. The efficiency of our threshold tracing schemes is superior to that of the tracing schemes of [8] (see Section 4.3 for a numerical comparison for constructions of typical size). We therefore claim that applications which do not require fully resilient tracing should use threshold tracing schemes. In order to use threshold tracing schemes the communicated content should be divided into blocks which are independently encrypted. A legitimate decoder contains keys which enable it to decrypt every block. These keys identify that decoder. If a (pirate) decoder contains enough keys (taken from the legitimate decoders of traitors) to enable it to decrypt more than a q fraction of the blocks, these keys are sufficient to identify at least one of the traitors. It is assumed that a pirate decoder which decrypts less than a q fraction of the blocks is not useful and therefore it is not important to trace the source of its keys. In general, it is always useful to recognize what is a “success” of the adversary, and design schemes which prevent such a success. This process may lead to very efficient constructions, with an overhead that is proportional to the severity of the “attack” to which they are immune (this is the case with the threshold tracing schemes we present, whose overhead is an inverse function of q). Such constructions can also serve to price the security by presenting the overhead incurred by requiring a certain amount of security. Let us first consider the scenario in which the schemes operate. A data provider is distributing some content to legitimate receivers (e.g. paying subscribers). The content is typically distributed encrypted, and each legitimate receiver has a decryption key. A traitor is a legitimate receiver who attempts to enable unauthorized users to access the content. A traitor can distribute a copy of the cleartext of the content to other illegitimate receivers. We do not attempt to protect against such pirate distribution but claim that in many cases the economy of scale makes such a distribution non-profitable or too dangerous. Typical cases where this is true include – Pay-per-view or subscription television broadcasts. It is an expensive and a risky business to start a pirate broadcast station. (A similar application is the distribution of content over the Internet using “push” technology). – Online services or databases, publicly accessible (say on the Internet) where a charge may be levied for access to all or certain records. The pirate must copy the entire information provided by the online service and maintain an updated copy. This process is non-efficient and can be easily detected. As piracy in these cases is a criminal commercial enterprise the risk/benefit ratio in distributing illegal copies of the content becomes unattractive. A pirate can sell illegal access to the content by providing its customers with much shorter data – the decryption keys. We therefore concentrate in this paper in preventing

504

Moni Naor and Benny Pinkas

traitors from distributing their decryption keys to other users1 . We construct (k,q)-threshold tracing schemes. If an illegitimate user uses a pirate decoder2 which was built using the keys of at most k legitimate users (who are therefore traitors), and if the decoder can decrypt with probability at least q, then our schemes will identify (with high probability) at least one traitor given the pirate decoder (it cannot be promised that the schemes identify more traitors since it is possible that all the keys used in constructing the pirate decoder were taken from a single traitor). We note that in fact our schemes have the very desirable property that the identity of the traitor can be established by considering the pirate decryption process as a black box. It suffices to capture one pirate decoder and its behavior will identify the traitor, there is no need to “break it open” or read any data stored inside. The schemes can be based on any symmetric encryption system. The security parameter is the length of the key of that system. We measure the efficiency of the solutions in terms of several performance parameters. The memory and communication parameters are measured in multiples of the size of the security parameter. The efficiency parameters are: (a) The memory and computation requirements for an authorized user. These parameters are of special importance if the user has limited computation and storage capabilities, as is the case with smartcards. (b) The memory and computation requirements for the data supplier. These parameters are typically less important, since the data supplier can perform its computations off-line and can use large storage space. (c) The data redundancy overhead, i.e. the increase in data size that is needed in order to enable the tracing. This refers to the communication overhead (in broadcast or online systems) or the additional “wasted” storage in CD-ROM type systems. 1.1

Our Results

Consider a tracing scheme for n users, which should be secure with probability 1 − p against coalitions of up to k users. 1

2

In practice today it is often considered sufficient to prevent piracy by supplying the authorized parties with so-called secure hardware solutions (smartcards and their like) that are designed to prevent interference and access to enclosed cryptographic keys. The assumptions about the security of these hardware mechanisms are not always correct. There are several methods that use hardware faults in the “secure hardware solutions” in order to find the keys that are enclosed inside [3,5,4]. Our schemes obtain their claimed security without any secure hardware requirements. Should such devices be used to store the keys, they will undoubtedly make the attack even more expensive, but this is not a requirement. We use the term pirate decoder to represent the pirate decryption process, this may or may not be a physical box, and may simply be some code on a computer.

Threshold Traitor Tracing

505

Our schemes compare very well to the the best tracing scheme of [8] (see also table 1). That scheme required each user to store a personal key of length O(log(1/p) log(n/p)). This was also the running time required from the user. The communication overhead was O(k log(1/p) log(n/p)). We remark that the “O” notation hides considerable coefficients. For a threshold 0 < q < 1, our one-level scheme has personal keys of length 4k log(n/p), and a communication overhead of only 4k. The user is required to 3q perform only a single decryption operation. The length of the personal keys of the simplest two-level threshold scheme k is O(log(k/p) log(n/p)), and its communication overhead is O(k log( q log(k/p) )). A user should perform very few decryption operations. We remark that in this case the coefficients of the “O” notation are very moderate. Table 1 contains a comparison for a reasonable size system, in which all the parameters and coefficients are plugged in From now on we describe the exact complexity of the schemes we present. We do not use an “O” notation but rather present all the constant coefficients. 1.2

Content Distribution Schemes

The schemes which are used to distribute the content from the data provider to the legitimate receivers are of the following general form: The data supplier generates a meta-key which contains a base set A of random keys and assigns subsets of these keys to users, m keys per user (the parameters will be specified later). These m keys jointly form the user’s personal key. Different personal keys may have a nonempty intersection. We denote the personal key for user u by P (u), which is a subset of the base set A. A message in a traitor tracing message consists of pairs of the form henabling block, cipher blocki. The cipher block is the symmetric encryption of the actual data (say part of a video clip), under some secret random key s. Alternately, it could be the exclusive-or of the message with s and we would get an information theoretic secure version of the scheme (although a very inefficient one, since as with any one-time-pad the size of the key should be as long as the encrypted data). The enabling block allows authorized users to obtain s. The enabling block consists of encrypted values under some or all of the keys of the base set A. Every authorized user will be able to compute s by decrypting the values for which he has keys and then computing the actual key from these values. For all the schemes we present the computation on the user end is simply taking the exclusive-or of values that the user is able to decrypt. A very simple scheme is to give each user a different key. Then the enabling block includes an encryption of s with each of the users’ keys. However the length of the enabling block is then linear in the number of legitimate users and might be too large for many applications. Traitors may conspire and give an unauthorized user (or users) a subset of their keys so that the unauthorized user will also be able to compute the key s from the values he has been able to decrypt. The goal of the system designer is to assign keys to the users such that when a pirate decoder is captured it

506

Moni Naor and Benny Pinkas

would be possible to detect at least one traitor, subject to the limitation that the number of traitors is at most k. We remark that the overhead of both the schemes of [8] and of our threshold schemes depends on the parameter k. Since the overhead of our schemes is a considerably smaller function of k it is possible to set this parameter to a higher value and protect against larger coalitions. 1.3

Eliminating Piracy

Traitor tracing schemes help in three aspects of piracy prevention: they deter users from cooperating with pirates, they identify the pirates and enable to take legal actions against them, and they can be used to disable active pirate users. The usage of traitor tracing schemes discourages users from helping pirates and especially from submitting their keys to be used in pirate decoders. In particular, if the process of a user obtaining a personal key requires some sort of registration and physical identification then it should be hard for pirates to obtain a large number of personal keys. Consequently, the tracing traitor scheme can identify the source of keys which are used in pirate decoders and this mere fact should deter users from helping pirates. When a pirate decoder is found and a source of its keys is identified, legal activities should be taken against this source. Indeed, as was pointed by Pfitzmann in [17] a corrupt data provider that wishes to incriminate an honest user might construct a “dummy” pirate decoder containing this user’s keys, “reveal” it and claim that the user is a pirate. Similar misbehavior is possible though with many current types of services and yet there is little evidence that service providers have performed such illegal activities. The broadcast encryption schemes of Fiat and Naor [13] deal very efficiently with disabling active pirate users, i.e. preventing them from further decryption. These schemes allow one to broadcast messages to any dynamic subset of the user set and are specifically suitable for pay-per-view TV applications. The schemes require a single short transmission to disable all pirate decoders if they were manufactured via a collaborative effort of no more than k traitors. Another broadcast encryption scheme was suggested by Wallner et al [18], and is secure against any number of corrupt users. It has better performance than [13] if the number of deletions is small. In particular, personal keys are of length O(log n) and there is no data redundancy in regular operation. A combination of a traitor tracing scheme and a broadcast encryption scheme is a very powerful tool. When a traitor is traced the dynamic subset of users authorized to receive the broadcast should be changed by simply excluding the traced traitor. This procedure should be repeated until the pirate box is rendered useless. In [9] it is described how to combine a tracing traitor scheme and a broadcast encryption scheme in order to achieve this capability. Both the data redundancy overhead and the key length of the resulting scheme are the multiplication of the corresponding overheads for the tracing and broadcast encryption schemes (but used with the scheme of [18] this does not increase the total overhead too much).

Threshold Traitor Tracing

1.4

507

Related Work

The work of Chor, Fiat, and Naor [8] has introduced the concept of traitor tracing, and presented several tracing schemes. We survey their results in section 3. A more complete and formal treatment of the problem is presented in [9] which is the full version of [8] and of our paper. Boneh and Shaw [6] have suggested a scheme for marking different copies of an electronic document by inserting a different fingerprint into each copy. The fingerprint is composed of a sequence of marks with each mark having one of two values (therefore the fingerprint corresponds to a binary string)3 . The scheme is based on a marking assumption which states that a coalition of users who each have a copy with the same value for a certain mark cannot generate a copy with a different value for that mark. The scheme has the property that using up to k copies it is impossible to generate a new copy whose fingerprint does not reveal at least one of the k copies that were used. It offers better security in the sense that it enables to trace the leaked content itself (and not just the key which enables its decryption). It can also be used as a tracing traitors scheme but it is much less efficient than the schemes of [8]: the number of keys that each user should have is k 4 times greater than in the most efficient scheme of [8]. Another solution for copyright protection is through self enforcement schemes, which were suggested by Dwork, Lotspiech and Naor [11]. In these schemes the content is encrypted and each legitimate user receives a different decryption key which includes some sensitive information related to the user (e.g. his credit card number). Users will be reluctant to hand their keys to others since the keys contain this sensitive information. The self enforcement schemes suggested in [11] use the same type of security as was used in [8,6]. Namely, the system is secure against coalitions of less than k corrupt users, and the system’s complexity depends on k. Pfitzmann [17] has suggested a tracing traitors method which yields a proof for the liability of the traced traitors. In this scheme the issuing of keys from the center to the users is performed by an interactive protocol. At the end of the protocol the center is not able to construct a “pirate decoder” that frames a user, but if a real pirate decoder is found the center is able to trace the source of the keys the decoder contains. However, as this construction uses a relatively complex primitive (general secure multi party protocols) which is rather inefficient (e.g. it operates on the circuit which evaluates the function), its overall complexity is high.

2

Definitions

A traitor tracing scheme consists of three components: – A user initialization scheme, used by the data supplier to add new users. The data supplier has a meta-key α that defines a mapping Pα : U 7→ {0, 1}s 3

See for instance [10] for a method for inserting marks into a document.

508

Moni Naor and Benny Pinkas

where U is the set of possible users and s is the number of bits in the personal key of each user. When user ui ∈ U joins, he receives his personal key Pα (ui ). In all of our constructions Pα (ui ) consists of a subset of m decryption keys out of a larger set A of keys. – An encryption scheme Eα : {0, 1}∗ 7→ {0, 1}∗ used by the data supplier to encrypt messages and a decryption scheme Dβ : {0, 1}∗ 7→ {0, 1}∗ used by every user to decrypt those messages. Let the personal key of user ui be β = Pα (ui ), then for any message M ∈ {0, 1}∗ we have M = Dβ (Eα (M )). In our schemes the messages are encrypted block by block where every encrypted block contains an enabling block and a cipher block. The decryption process consists of a preliminary decryption of encrypted keys in the enabling block, a process which combines the results to obtain a common key, and finally a decryption of the cipher block. – A traitor tracing algorithm, used upon confiscation of a pirate decoder, to determine the identity of a traitor. We do not assume that the contents of a pirate decoder can be viewed by the traitor tracing algorithm but rather that the tracing algorithm can access it as a black box and test how (if at all) it decrypts an input ciphertext. (We do assume however that the pirate decoder can be reset to its original state, i.e. that there is no self-destruction mechanism when it detects a traitor tracing algorithm.) The encryption of plaintext blocks in our schemes results in a message which consists of an enabling block and a cipher block. The cipher block contains the plaintext block encrypted by some encryption algorithm using some random block key s which is unique to this block. The enabling block contains encryptions of “shares” of the block key such that every legitimate user can use his personal key to decrypt enough shares to reconstruct the block key. An adversary who wants to decrypt the message can either break the encryption scheme that was used in the cipher block without using any information from the enabling block, or try to learn some information from the enabling block that might help in the decryption process. In this paper we assume that it is hard to break the underlying encryption scheme so we are only interested in preventing attacks of the latter kind. Assume that an adversary has the cooperation of a coalition of at most k legitimate users, and uses their keys to construct a decoder. We would like to trace at least one of the coalition members. Intuitively a scheme is called fully resilient if it is possible to trace (with high certainty) at least one of the traitors that helped build a decoder which does not break the underlying encryption algorithms. More accurately, a system is fully resilient if for every pirate decoder which runs in time t it either holds that it is possible to trace at least one of the traitors which helped its construction, or that the decoder can break one of the underlying encryption algorithms in time t. Fully resilient tracing schemes were suggested and constructed in [8]. There are many applications for which the pirate decoder must decrypt with probability close to 1, like the TV broadcast example we presented in Section 1. In such scenarios we can concentrate on tracing the source of keys which were used to build

Threshold Traitor Tracing

509

decoders which decrypt with probability greater than some threshold. A scheme is called a q-threshold scheme if for every decoder which does not break the underlying encryption algorithms and decrypts with probability greater than q it is possible to trace at least one of the traitors that helped building it. An obvious and preliminary requirement from the tracing traitors schemes is that they supply secure encryption. That is, an adversary which has no information on the keys that are used should not be able to decrypt the encrypted content. Intuitively, our security definitions claim that if an adversary (who might have some of the keys) is able to decrypt and escape from being traced then the scheme is insecure as an encryption scheme even against an adversary who has no keys. Following we present an exact definition of fully-resilient and threshold tracing schemes. Definition 1. Let T be a coalition of at most k users. Let A be an adversary who has a subset F of the values of the keys of the users in T , and who is able to decrypt in time t and with probability greater than q0 the content sent in the tracing traitors scheme. The security assumption is that one of the following two statements holds: – Given F the data supplier is able to trace with probability at least 1 − p at least one of the users in T . – There exists an adversary A0 which uses A as a black box and whose input is only an enabling block and a cipher block of the tracing traitors scheme. A0 can reveal the content that is encrypted in the cipher block in time which is linear in the length of its input and in t, and with probability at least q00 (q 00 is defined in the next paragraph). The probability is taken over the random choices of the data supplier, and when appropriate over the random choices of the adversary or of the tracing algorithm. The scheme is called fully (p, k)-resilient if the security assumption holds for q 0 = q 00 . If the scheme further achieves p = 0 then it is called fully k-resilient. The scheme is called q-threshold (p, k)-resilient if the security assumption holds for q 0 = q + q 00 . Since we assume the underlying encryption algorithms to be secure, we can assume that the probability (q 00 ) with which an adversary A0 which knows nothing but the ciphertext can break the encryption is negligible. Therefore in a fully resilient scheme the data supplier can trace at least one traitor if it finds a pirate decoder (adversary A) which decrypts with non-negligible probability. In a threshold scheme the data supplier is able to do so if it finds a decoder which decrypts with probability greater than q by a non-negligible difference (but to simplify the exposition we often take the freedom to refer to threshold schemes as secure against any pirate decoder which decrypts with probability greater than q).

510

3

Moni Naor and Benny Pinkas

Fully-Resilient Tracing Schemes

The fully-resilient tracing schemes of [8] are based on applying hash functions combined with any private key cryptosystems, and do not require any public key operations. Our threshold schemes will be based on the same operations. The hash functions are used to assign decryption keys (from a base set of decryption keys) to authorized users. The assignment guarantees that any combination of keys, taken from the personal keys of any coalition of traitors, has the following property: If this combination enables decryption then it is “far” from the personal key of any innocent (non–traitor) user. (For more information on hash functions and their applications see [15,7,19,14].) There are two types of traceability schemes defined in [8]. Open schemes assume that the mapping is public and the indexes of the keys which are mapped to any user are publicly known (the only secret information is the content of the keys). Secret schemes are defined to operate in cases where the mapping of keys is secret and it is unknown which keys are used by every user. The constructions of secret schemes can be more efficient than those of open schemes and are therefore recommended to be used in practice. The reason for the gain in efficiency is that traitors do not know which keys the other users received. Therefore even if the set of keys of a coalition of traitors includes a large part of the keys of an innocent user the traitors do not know which keys these are and cannot construct a pirate decoder which incriminates a specific user. Our threshold tracing schemes are secret schemes. Secret fully-resilient schemes were constructed for n users and at most k traitors. Two types of secret schemes were presented in [8]: – Secret fully (p, k)-resilient one-level schemes required the personal key of each user to consist of m = 43 k log(n/p) decryption keys, and the enabling block to 4 2 include 16 3 k log(n/p) key encryptions. Each user should perform 3 k log(n/p) decryptions in order to reveal the broadcasted secret. – Secret fully (p, k)-resilient two-level schemes required the personal key of each user to consist of m = 43 b log(2n/p) decryption keys, and the enabling ln(ek/b) block to include 32 3 ekb log(2n/p)(1 + b−1−ln(ek/b) ) key encryptions, where b = log(4/p). Each user should perform 43 b log(2n/p) decryptions in order to reveal the broadcasted secret. Two-level schemes are more efficient than one-level schemes if k log(1/p).

4

Threshold Tracing Schemes

Threshold tracing schemes are designed to trace the source of keys of any pirate decoder whose advantage in decrypting the content (compared to an adversary who does not have any of the keys) is at least q. The complexity of q-threshold schemes depends on q. These schemes are more efficient for larger values of q. They are secret schemes in the sense that the set of keys that each user receives is unknown to other users. The design concept

Threshold Traitor Tracing

511

of these schemes is as follows: either the pirate decoder holds enough keys to enable the tracing of at least one traitor, or it does not contain enough keys to ensure a decryption probability greater than q. The security of tracing schemes is reduced to the assumption that the encryption scheme that is used is secure and therefore any adversary who does not have the decryption keys cannot decrypt with a non-negligible success probability. The benefit of using threshold tracing schemes is a dramatic reduction in the data redundancy overhead and in the number of operations needed for decryption, whereas the length of the personal key is almost as short as in secret fully resilient schemes. We also present a threshold scheme which improves over fully-resilient schemes in all complexity parameters. Next we define one-level and two-level threshold tracing schemes. The data redundancy overhead and the personal key length are parameterized and there is a tradeoff between them. It is possible to set the parameter to a value which obtains the best tradeoff between the two complexity measures (for instance the last entry of Table 1 demonstrates a reasonable such tradeoff). 4.1

A One-Level Threshold Scheme

The scheme uses a threshold parameter q, against k traitors and for a total of n users, each with a unique identity u ∈ {1, . . . , n}. Initialization: A set of ` hash functions h1 , h2 , . . . , h` are chosen independently at random. Each hash function hi maps {1, . . . , n} into a set of 4k random keys Ai = {ai,1 , ai,2 , . . . , ai,4k }. The hash functions are kept secret. User u receives, upon initialization, the indices and values of ` keys {h1 (u), h2 (u), . . . , h` (u)}. The keys can be imagined as organized in a matrix of size ` × 4k, where each user receives a single key from each row. Distributing a secret: Let s be the secret to be distributed. Let q ≤ w < 1 and 0 < t ≤ ` be two parameters which will be defined later (the scheme would divide the secret into t shares and ensure that a decoder which contain keys from fraction of at least w of the rows would be able to decrypt the secret with probability greater than q). The data provider chooses random values {si }ti=1 subject to the constraint t ⊕i=1 si = s, and chooses t random rows r1 , . . . , rt . For every i (i = 1, 2, . . . , t) the data provider encrypts si under each of the 4k keys in row Ari . Decryption: Each authorized user has one key from every row Ari and is therefore always able to decrypt every si and compute s. Parameters: The memory required per user is m = ` keys. The amount of work that each user should perform in order to reveal a key is O(t). The data redundancy overhead used in distributing the key is r = 4kt. The parameter t should be set so that for t random rows it holds with probability q that a pirate decoder which contains keys from less than a fraction w of the rows does not have a key from at least one of the t rows (and therefore a decoder which does not have keys from a fraction w of the rows cannot decrypt with probability better than q). First observe that w ≥ q since otherwise the probability is less than q even for t = 1. The probability of the decoder having

512

Moni Naor and Benny Pinkas

log(1/q) keys from all t rows is at most wt and therefore setting t = logw q = log(1/w) suffices to make the probability of correct decryption at most q. For example, it is possible to set w = q and t = 1. The broadcast center would only have to broadcast the secret s encrypted by the keys of a single row which it chooses randomly. The data redundancy overhead is then only O(4k). Tracing: We are only concerned with decoders which include keys from at least w` rows4 . Using the methods of [9] it is possible to reveal the set of keys F that a pirate decoder uses while treating the decoder as a black box. Assume w.l.o.g. that F contains one key from each of w` rows. Denote these rows as r1 , . . . , rw` , and denote the key in F ∩ Ari as fri . The body that performs the traitor tracing knows the functions hri (·) and can therefore identify and mark the users in h−1 ri (fri ) for every i. The user with the largest number of marks is exposed as the traitor. Analysis: Since there were at most k traitors it is obvious that one of them contributed w`/k keys to F . Consider the probability that an innocent user, say user 1, contributed w`/k keys to F . Since the hash functions hri are random and secret the mapping hri (1) is random and independent of the mapping of the traitors by hri . The probability that fri equals the key mapped to user 1 is 1/4k. An immediate application of the Chernoff bound shows that the probability that at least w`/k of the keys of user 1 are in F is at most 2−3w`/4k . Choosing an ` such that n · 2−3w`/4k < p ensures a traitor is revealed with probability at least 4k 1 − p. The data provider should therefore set ` = 3w log(n/p). For any practical purpose the parameter q can be set to be a constant. However one-level schemes are used in the next subsection as building blocks for two-level schemes and there q should be a function of other parameters. The results regarding one-level threshold schemes are summed up in the following theorem. We first state the results for a parameterized w. As w increases the key length decreases and the data redundancy overhead increases. Then we state the results for w = q.

Theorem 2. There is a q-threshold (p, k)-resilient scheme, with a parameter 4k log(n/p) keys w taking values in [q, 1), in which a personal key consists of 3w log(1/q) and the data redundancy overhead is of 4k log(1/w) keys. A user should perform log(1/q) log(1/w)

decryptions in order to reveal the broadcasted secret.

When w = q a personal key consists of 4k 3q log(n/p) keys and the data redundancy overhead is of only 4k keys. A user should only perform a single decryption in order to decrypt the broadcasted secret. The scheme we presented displays a tremendous improvement in the data redundancy overhead, but the length of the personal key is a little larger than in the 4k one-level fully resilient scheme (it is 4k 3q log(n/p) compared to 3 log(n/p) in the 4

It is possible to prove, as is done in [9], that if a decoder has keys from less rows and can decrypt with probability better than the threshold then it can be used to break the underlying encryption scheme.

Threshold Traitor Tracing

513

one-level fully resilient scheme). The next subsection presents two-level threshold schemes which balance the two complexity parameters through a tradeoff between the key length and the data redundancy overhead. 4.2

Two-Level Threshold Schemes

Two-level threshold schemes are constructed from one-level threshold schemes by using many one-level schemes and applying a hash function to map users to schemes. We first present a basic construction which displays a tradeoff between the personal key lengths and the data redundancy overhead, and which can obtain shorter key length than the one-level threshold scheme. Then we change the parameters of the construction to obtain schemes with an even shorter key length, in the price of increasing the data redundancy a little. These schemes perform better than fully-resilient schemes in both the personal key length and the data redundancy overhead. The basic construction The construction uses a random mapping h from the domain {1, . . . , n} to a range of size 2ek/b. It is required that for any fixed set of k traitors the probability that b or more traitors are mapped together by h is less than p/2, i.e. b−1 b b−1 k b ek 1 p b ek < = < b−1 b 2ek b 2ek b 2 2 4ek satisfies the inequality. Once such a mapping is Setting b = log p log(1/p) chosen we continue by constructing threshold one-level schemes for each set of preimages h−1 (i) for 1 ≤ i ≤ 2ek/b. In the initialization phase each user u receives his personal key for the subscheme h(u), and the secret s is distributed by each of the 2ek/b subschemes. It is required that each subscheme has the following property against b traitors: either the success probability of the traitors in decrypting the secret qb is greater by at most q˜ = 2ek than the success probability of an adversary who does not have any of the keys, or the traitors can be traced with probability at least 1 − p/2. If in no subscheme the traitors have an advantage greater than q˜ then the pirate decoder cannot decrypt with an advantage better than q. The initialization and secret distribution stages are straightforward. The subschemes are built in the same way as the one-level schemes of the previous subsection. As before w is a parameter that defines the minimal fraction of rows such that with keys from less than w` rows in a certain subscheme a decoder cannot decrypt with probability better than q˜. If a pirate decoder decrypts with probability greater than q it must contain keys from a w fraction of the rows in one or more of the subschemes. The tracing process that was defined for the one-level scheme can then trace at least one of the traitors which contributed keys for this subscheme. The following theorem therefore follows:

514

Moni Naor and Benny Pinkas

Theorem 3. There is a q-threshold (p, k)-resilient scheme, with the parameter qb 4ek w taking values in [ 2ek , 1), where b = log( p log(1/p) ), in which: 4 b log(2n/p) basic keys. – The length of the personal key is m = 3w 1 log( 2ek – The data redundancy overhead is 8ek log(1/w) qb ) basic encryptions.

– The receiver should perform secret.

log(2ek/(qb)) log(1/w)

decryptions in order to decrypt the

The key is longer than the key in the fully resilient secret two-level scheme by a factor of only 1/w, and the data redundancy overhead is substantially shorter. Comparing with the one-level threshold scheme for the same value of the parameter w, the personal key changes by a factor of b/k, and the data redundancy overhead changes by a factor of 2e·(1+log(2ek/b)/ log(1/q)). Therefore the key is shorter and the data redundancy overhead is larger. However, the increase in the data redundancy overhead is relatively moderate: if we denote the ratio between the key length in this scheme and in the one-level scheme as 1/α then the data redundancy overhead increases by a factor of only 2e(1 + log(2eα)/ log(1/q)). qb Note that the minimum value for w is q˜ = 2ek which is smaller than the minimum value for w in the one-level scheme. Setting w to this value yields the minimum possible data redundancy overhead, 8ek encryptions, whereas the key length is maximal, m = 8ek 3q log(2n/p). Both are longer than the values for the one-level scheme by a factor of exactly 2e. The two-level scheme features a tradeoff between the length of the personal key and the data redundancy overhead. At one end of the curve there is a short key but a longer data redundancy overhead and in the other end the key length is maximal and the data redundancy overhead is minimal, and both are equal up to a constant factor to the performance of the one-level threshold scheme for minimal data redundancy overhead. Note that as with the two-level fullyresilient secret scheme the expected number of users that are mapped to each subscheme is smaller than n by a factor of b/2ek. The subschemes can therefore be defined for a smaller set of users to achieve greater efficiency. Shorter personal keys The following variant of a threshold tracing scheme improves all the complexity parameters of the most efficient fully-resilient scheme (whereas the previous tracing scheme had a dramatic improvement in the data redundancy and decryption overheads, but increased the personal key a little). The decrease in the length of the personal keys is enabled as follows: The same construction as before is used, with 2ek/b1 subschemes, and it is required that the probability that more than b2 users are mapped together is at most p/2 (previously the values b1 and b2 were equal). The personal key 4 is composed of 3w b2 log(2n/p) keys, and the data redundancy overhead is of b2 1 8ek b1 log(1/w) log( 2ek qb1 ) basic encryptions. The values b1 , b2 should satisfy the following inequality: b2 −1 b2 b2 −1 b 2ek p k b1 ek b1 b1 2 · ≤ · = · < 2ek b2 2ek b1 2b2 2 b2

Threshold Traitor Tracing

515

α Assume b2 = bα (α > 1). The previous inequality is satisfied if b ≥ 1 = b q log(k/p) α α α−1 · log log(k/p) . The following theorem is therefore obtained:

Theorem 4. For every α > 1 there is a q-thresholdq (p, k)-resilient scheme, with qb the parameter w taking values in [ 2ek , 1), where b =

α

α α−1

·

log(k/p) log log(k/p) ,

in which:

4 – The length of the personal key is m = 3w · bα · log(2n/p) basic keys. α−1 – The data redundancy overhead is 8ekb log( 2ek qb )/ log(1/w) basic encryptions. – A receiver should perform log( 2ek qb )/ log(1/w) decryptions in order to decrypt the secret.

As α increases the personal key length decreases and the data redundancy overhead increases. The limits of these values as α −→ ∞ are 4 · loglog(k/p) – The limit of the length of the personal key is m = 3w log(k/p) · log(2n/p) basic keys. 2ek 1 – The limit of the data redundancy overhead is 8ek loglog(k/p) log(k/p) log( q ) · log(1/w) basic encryptions. – A receiver should perform log(2ek/q) log(1/w) decryptions in order to decrypt the secret.

This scheme has the shortest personal key among all the schemes we presented. The small penalty for this is a data redundancy overhead which is longer than in the other threshold two-level scheme. However, the data redundancy is still shorter than in the fully resilient schemes. 4.3

An Example

Let us consider the following example in order to demonstrate the performance of the different tracing schemes. Suppose that we would like to create a traitor tracing scheme for up to one million authorized users, so that for at most k = 1000 traitors the probability of false identification is at most 2−10 . We describe in Table 1 the length of the personal key of each user and the data redundancy overhead, both measured by the number of basic keys that they contain (i.e. the ratio between their size and the size of a key of the encryption scheme that is used to encrypt the content). The table also shows the number of decryption operations that should be performed by the receiver. We compare the performance of threshold schemes to the performance of the best fully-resilient scheme – the two-level secret scheme described in section 3. The table refers to the section in which each of the schemes is described. The first result is for the most efficient two-level secret fully resilient scheme. The other results are of threshold schemes which were designed to trace only the source of keys of decoders which can decrypt with probability greater than 3/4. This type of schemes allows for a tradeoff between the length of the personal key and the data redundancy, as is demonstrated in the table.

516

Moni Naor and Benny Pinkas

Property

Section Personal Data Decryption Key Redun. Operations 3 496 21,270,000 496 4.1 53,000 4000 1

Secret two-level best fully-res. Threshold one-level, min. data redundancy Threshold two-level, min. 4.2 data redundancy w = 1/2 Threshold two-level 4.2 min. key α→∞ Threshold tradeoff 4.2 w = 1/8

1,660

185,000

9

380

1,290,000

13

10,000

64,500

3

Table 1. Examples of the complexity of different Tracing Traitors schemes, using n = 106 , k = 1000, p = 10−3 , and q = 3/4.

The secret two-level scheme has a short key length but the data redundancy overhead is large. The threshold schemes feature a tradeoff between the length of the personal key and the data redundancy overhead. It is possible to make one parameter very small by increasing the other parameter, and it is also possible to achieve very reasonable results for both measures, as in the last entry. The scheme of Section 4.2 is superior to the secret two-level scheme in all the complexity parameters. It should also be noted that if we are only concerned with decoders which decrypt with probability close to 1 it is possible to get more efficient schemes by defining a scheme for q ≈ 1.

5

Conclusions

We presented threshold tracing schemes which are considerably more efficient than fully-resilient tracing schemes. In many applications there is only need for decoders which decrypt with probability greater than some threshold, and these applications should use threshold tracing schemes to trace the source of illegal decoders. The efficiency of the threshold schemes as a function the size of a corrupt coalition of users, k, allows for resiliency against rather large such coalitions. We remark that in many different applications and scenarios (other than traitor tracing) there is no need for security against adversaries which perform negligibly better than “guessing the secret”. These applications call for threshold security schemes similar to the schemes presented in this work. These schemes should depend on a parameter q (the threshold) and only protect against adversaries which achieve success greater than q.

Threshold Traitor Tracing

517

References 1. N. Alon, J. Bruck, J. Naor, M. Naor and R. Roth, Construction of Asymptotically Good Low-Rate Error-Correcting Codes through Pseudo-Random Graphs, IEEE Transactions on Information Theory, vol. 38 (1992), 509–516. 2. N. Alon and J. Spencer, The Probabilistic Method, Wiley, 1992. 3. R. Anderson and M. Kuhn, Tamper Resistance – A Cautionary Note, Usenix Electronic Commerce Workshop, Oakland (1996), 1–11. 504 4. E. Biham and A. Shamir, Differential Fault Analysis of Secret Key Cryptosystems, Proc. Advances in Cryptology – Crypto ’97, Springr-Verlag LNCS 1294 (1997), 513–525. 504 5. D. Boneh, R. A. Demillo and R. J. Lipton, On the Importance of Checking Computations, Proc. Advances in Cryptology – Eurocrypt ’97 (1997), 37–51. 504 6. D. Boneh and J. Shaw, Collusion-Secure Fingerprinting for Digital date, Proc. Advances in Cryptology – Crypto ’95 (1995), 452–465. 507, 507 7. J. L. Carter and M. N. Wegman, Universal Classes of Hash Functions, Journal of Computer and System Sciences 18 (1979), 143–154. 510 8. B. Chor, A. Fiat and M. Naor, Tracing Traitors, Proc. Advances in Cryptology – Crypto ’94, Springr-Verlag LNCS 839 (1994), 257–270. 502, 503, 505, 506, 507, 507, 507, 507, 507, 508, 510, 510, 510 9. B. Chor, A. Fiat, M. Naor and B. Pinkas, Tracing Traitors, manuscript, (1998). 506, 507, 512, 512 10. Cox I., Kilian J., Leighton T. and Shamoon T., A Secure, Robust Watermark for Multimedia, Information Hiding Workshop, Cambridge, UK, Springer-Verlag LNCS 1174, (1996), 185–206. 507 11. C. Dwork, J. Lotspiech and M. Naor, Digital Signets: Self-Enforcing Protection of Digital Information, 28th Symposium on the Theory of Computation (1996), 489–498. 507, 507 12. P. Erd¨ os, P. Frankl and Z. F¨ uredi, Families of finite sets in which no set is covered by the union of r others, Israel J. of math. 51 (1985), 79–89. 13. A. Fiat and M. Naor, Broadcast Encryption, Proc. Advances in Cryptology - Crypto ’93 (1994), 480–491. 506, 506 14. M.L. Fredman, J. Koml´ os and E. Szemer´edi, Storing a Sparse Table with O(1) Worst Case Access Time, Journal of the ACM, Vol 31 (1984), 538–544. 510 15. K. Mehlhorn, Data Structures and Algorithms: Sorting and Searching, Springer-Verlag (1984). 510 16. F. J. MacWilliams and N. J. A. Sloane, The Theory of Error Correcting Codes, North Holland, Amsterdam, (1977). 17. B. Pfitzmann, Trials of Traced Traitors, Information Hiding Workshop, Cambridge, UK, Springer-Verlag LNCS 1174, (1996), 49–64. 506, 507 18. D.M. Wallner, E.J. Harder, R.C. Agee, Key Management for Multicast: Issues and Architectures, internet draft draft-wallner-key-arch-00.txt (1997). Avaliable at ftp://ietf.org/internet-drafts/draft-wallner-key-arch-00.txt 506, 506 19. M. N. Wegman and J. L. Carter, New Hash Functions and Their Use in Authentication and Set Equality, Journal of Computer and System Sciences 22 (1981), 265–279. 510

Author Index

Aiello W .....................

Lodha S..........................

137

MaurerU .........................

121

Bellare M ................ 26, 283, 390 Bellovin S.M ....................... 46 Biryukov A ........................ 72

NaorM ...................... Nguyen P .........................

267, 502 223

Bleichenbacher D ...................

Ohta K ........................... Okamoto T .......................

354 354

Ostrovsky R ......................

137

Paar C ...........................

472

Patel S ........................... Petrank E ........................

304 169

Aumann

137, 3 9 0

Y .......................

299

Bailey D.V .......................

472

1

Buldas A .........................

486

Catalano D .......................

105

Chabaud

F ........................

Cramer R .....................

56 13, 4 2 4

I ........................

424

Pfitzmann B ......................

153

Denny T .......................... Desai A ............................

458 26

Pinkas B ......................... Pointcheval D ......................

502 26

Di Crescenzo G ................... Dwork C .........................

390 442

Rabin M.O .......................

299

Fitzi M ...........................

121

Rabin T ........................... R.eingold O .......................

89 267

Rivest R.L ........................

153

Gennaro R ........................

105

Rogaway P .........................

26

Goldreich O ......................

153

Hada S ...........................

408

Salvail L ..........................

338

Halevi S.......................... Hall C ............................

283 370

Schneier B ........................ Shamir A .........................

370 257

H~tM

121

Shimoyama T ..................... Shoup V ........................... Stern J ...........................

200 13 223

Sundaram

304

Damgs

Sahai A ......................

...........................

Jakobsen T .......................

212

Joux A ............................

56

Jutla C.S .........................

186

Kaneko T .........................

200

Kelsey J ..........................

370

Kilian J ..........................

169

Kipnis A .........................

257

Koblitz N .........................

327

Kushilevitz E ......................

72

G.S ....................

283, 442

Takagi T .........................

318

Tanaka T .........................

408

Vadhan S ......................... Vaudenay S .......................

283 243

Venkatesan R .....................

390

Villemson J .......................

486

Laud P ...........................

486

Wagner D ........................

370

LipmaaH

486

Weber D ..........................

458

........................

Lecture Notes in Computer Science For information about Vols. 1-1386 please contact your bookseller or Springer-Verlag

Vol. 1387: C. Lee Giles, M. God (Eds.), Adaptive Processing of Sequences and Data Structures. Proceedings, 1997. XII, 434 pages. 1998. (Subseries LNAI).

Vol. 1405: S.M. Embury, N.J. Fiddian, W.A. Gray, A.C. Jones (Eds.), Advances in Databases. Proceedings, 1998. XII, 183 pages. 1998.

Vol. 1388: J. Rolim (Ed.), Parallel and Distributed

VoI. 1406: H. Burkhardt, B. Neumann (Eds.), Computer Vision -ECCV'98. Vol. I. Proceedings, 1998. XVI, 927 pages. 1998.

Processing. Proceedings, 1998. XVII, 1168 pages. 1998. Vol. 1389: K. Tombre, A.K. Chhabra (Eds.), Graphics Recognition. Proceedings, 1997. XII, 421 pages. 1998. Vol. 1390: C. Scheideler, Universal Routing Strategies

for Intereonneetion Networks. XVII, 234 pages. 1998. Vol. 139h W. Banzhaf, R. Poli, M. Schoenaner, T.C. Fogarty (Eds.), Genetic Programming. Proceedings, 1998. X, 232 pages. 1998. Vol. 1392: A. Barth, M. Breu, A. Endres, A. de Kemp (Eds.), Digital Libraries in Computer Science: The MeDoc Approach. VIII, 239 pages. 1998. Vol. 1393: D. Bert (Ed.), B'98: Recent Advances in the Development and Use of the B Method. Proceedings, 1998. VIII, 313 pages. 1998. Vol. 1394: X. Wu. R. Kotagiri, K.B. Korb (Eds.), Research and Development in Knowledge Discovery and Data Mining. Proceedings, 1998. XVI, 424 pages. 1998. (Subseries LNAI). Vol. 1395: H. Kitano (Ed.), RoboCup-97: Robot Soccer World Cup I. XIV, 520 pages. 1998. (Subseries LNAI). Vol. 1396: E. Okamoto, G. Davida, M. Mambo (Eds.), Information Security. Proceedings, 1997. XII, 357 pages. 1998. Vol. 1397: H. de Swart (Ed.), Automated Reasoning with Analytic Tableaux and Related Methods. Proceedings, 1998. X, 325 pages. 1998. (Subseries LNAI). Vol. 1398: C. N6dellec, C. Rouveirol (Eds.), Machine Learning: ECML-98. Proceedings, 1998. XII, 420 pages. 1998. (Subseries LNAI). Vol. 1399: O. Etzion, S. Jajodia, S. Sripada (Eds.), Temporal Databases: Research and Practice. X, 429 pages. 1998. Vol. 1400: M. Lenz, B. Bartsch-SpOrl, H.-D. Burkhard, S. Wess (Eds.), Case-Based Reasoning Technology. XVIII, 405 pages. 1998. (Subseries LNAI).

Vol. 1407: H. Burkhardt, B. Neumann (Eds.), Computer Vision -ECCV'98. Vol. II. Proceedings, 1998. XVI, 881 pages. 1998. Vol. 1409. T. Sehaub, The Automation of Reasoning with Incomplete Information. XI, 159 pages. 1998. (Subseries LNAI). Vnl. 141 h L. Asplund (Ed.), Reliable Software Technologies - Ada-Europe. Proceedings, 1998. XI, 297 pages. 1998. Vol. 1412: R.E. Bixby, E.A. Boyd, R.Z. Rios-Mercado (Eds.), Integer Programming and Combinatorial Optimization. Proceedings, 1998. IX, 437 pages. 1998. Vol. 1413: B. Pernici, C. Thanos (Eds.), Advanced Information Systems Engineering. Proceedings, 1998. X, 423 pages. 1998. Vol. 1414: M. Nielsen, W. Thomas (Eds.), Computer Science Logic. Selected Papers, 1997. VIII, 511 pages. 1998. Vol. 1415: J. Mira, A.P. del Pobil, M.AIi (Eds.), Methodology and Tools in Knowledge-Based Systems. Vol. I. Proceedings, 1998. XXIV, 887 pages. 1998. (Subseries

LNA1). Vol. 1416: A.P. del Pobil, J. Mira, M.Ali (Eds.), Tasks and Methods in Applied Artificial Intelligence. Vol.II. Proceedings, 1998. XXIII, 943 pages. 1998. (Subseries LNAI). Vol. 1417: S. Yalamanchili, J. Duato (Eds.), Parallel Computer Routing and Communication. Proceedings, 1997. XII, 309 pages, t998. Vol. 1418: R. Mercer, E. Neufeld (Eds.), Advances in ArtificialIntelligence. Proceedings, 1998. XII, 467 pages. 1998. (Subseries LNAI). Vol. 1419: G. Vigna (Ed.), Mobile Agents and Security. XII, 257 pages. 1998.

Vol. 1401: P. Sloot, M. Bubak, B. Hertzberger (Eds.), High-Performance Computing and Networking. Proceedings, 1998. XX, 1309 pages. 1998.

Vol. 1420: J. Desel, M. Silva (Eds.), Application and Theory of Petri Nets 1998. Proceedings, 1998. VIII, 385 pages. 1998.

Vol. 1402: W. Lamersdorf, M. Merz (Eds.), Trends in Distributed Systems for Electronic Commerce. Proceedings, 1998. XII, 255 pages. 1998.

Vol. 1421: C. Kirchner, H. Kirchner (Eds.), Automated Deduction - CADE-15. Proceedings, 1998. XIV, 443 pages. 1998. (Subseries LNAI).

Vol. 1403: K. Nyberg (Ed.), Advances in Cryptology EUROCRYPT '98. Proceedings, 1998. X, 607 pages. 1998.

Vol. 1422: J. Jeuring (Ed.), Mathematics of Program Construetion. Proceedings, 1998. X, 383 pages. 1998.

Vol. 1404: C. Freksa, C. Habel. K.F. Wender (Eds.), Spatial Cognition. VIII, 491 pages. 1998. (Subseries LNAI).

Vol. 1423: J.P. Buhler (Ed.), Algorithmic Number Theory. Proceedings, 1998. X, 640 pages. 1998.

Vol. 1424: L. Polkowski, A. Skowron (Eds.), Rough Sets and Current Trends in Computing. Proceedings, 1998. XIII, 626 pages. 1998. (Subseries LNAI). Vol. 1425: D. Hutehison, R. Schafer (Eds.), Multimedia Applications, Services and Techniques - ECMAST'98. Proceedings, 1998. XVI, 532 pages. 1998.

Vol. 1449: W.-L. Hsu, M.-Y. Kao (Eds.), Computing and Combinatorics. Proceedings, 1998. XII, 372 pages. 1998. Vol. 1450: L. Brim, F. Gruska, J. Zlatu~ka (Eds.), Mathematical Foundations of Computer Science 1998. Proceedings, 1998. XVII, 846 pages. 1998.

Vol. 1427: A.J. Hu, M.Y. Vardi (Eds.), Computer Aided Verification. Proceedings, 1998. IX, 552 pages. 1998.

Vol. 1451: A. Amin, D. Dori, P. Pudil, H. Freeman (Eds.), Advances in Pattern Recognition. Proceedings, 1998. XXt, 1048 pages. 1998.

Vol. 1429: F. van der Linden (Ed.), Development and Evolution of Software Architectures for Product Families. Proceedings, 1998. IX, 258 pages. 1998.

Vol. 1452: B.P. Goettl, H.M. Halff, C.L. Redfield, V.J. Shute (Eds.), Intelligent Tutoring Systems. Proceedings, 1998. XIX, 629 pages. 1998.

Vol. 1430: S. Trigila, A. Mullery, M. Campolargo, I-I. Vanderstraeten, M. Mampaey (Eds.), Intelligence in Services and Networks: Technology for Ubiquitous Telecom Services. Proceedings, 1998. XII, 550 pages. 1998.

Vol. 1453: M.-L. Mugnier, M. Chein (Eds.), Conceptual Structures: Theory, Tools and Applications. Proceedings, 1998. XIII, 439 pages. (Subseries LNAI).

Vol. 1431: H. Imai, Y. Zheng (Eds.), Public Key Cryptography. Proceedings, 1998. XI, 263 pages. 1998. Vol. 1432: S. Arnborg, L. Ivansson (Eds.), Algorithm Theory - SWAT '98. Proceedings, 1998. IX, 347 pages. 1998. Vol. 1433: V. Honavar, G. Slutzki (Eds.), Grammatical Inference. Proceedings, 1998. X, 271 pages. 1998. (Subseries LNAI).

Vol. 1454: I. Smith (Ed.), Artificial Intelligence in Structural Engineering. XI, 497 pages. 1998. (Subseries LNAI). Vol. 1456: A. Drogoul, M. Tambe, T. Fukuda (Eds.), Collective Robotics. Proceedings, t998. VII, 161 pages. 1998. (Subseries LNAI). Vol. 1457: A. Ferreira, J. Rolim, H. Simon, S.-H. Teng (Eds.), Solving Irregularly Structured Problems m Prallel. Proceedings, 1998. X, 408 pages. 1998.

Vol. 1434: J.-C. Heudm (Ed.), Virtual Worlds. Proceedings, 1998. XII, 412 pages. 1998. (Subseries LNAI).

Vol. 1458: V.O. Mittal, H.A. Yanco, J. Aronis, R-. Simpson (Eds.), Assistive Technology in Artificial Intelligence. X, 273 pages. 1998. (Subseries LNAI).

Vol. 1435: M. Klusch, G. Wei6 (Eds.), Cooperative Information Agents II. Proceedings, 1998. IX, 307 pages. 1998. (Subseries LNAI).

Vol. 1459: D.G. Feitelson, L. Rudolph (Eds.), Job Scheduling Strategies for Parallel Processing. Proceedings, 1998. VII, 257 pages. 1998.

Vol. 1436: D. Wood, S. Yu (Eds.), Automata Implementataon. Proceedings, 1997. VIII, 253 pages. 1998.

Vol. 1460. G. Quirchmayr, E. Schweighofer, T.J.M. Bench-Capon (Eds.), Database and Expert Systems Applications. Proceedings, 1998. XVI, 905 pages. 1998.

Vol. 1437: S. Albayrak, F.J. Garijo (Eds.), Intelligent Agents for Telecommunication Applications. Proceedings, 1998. XII, 251 pages. 1998. (Subseries LNAI). Vol. 1438: C. Boyd, E. Dawson (Eds.), Information Security and Privacy. Proceedings, 1998. XI, 423 pages. 1998. Vol. 1439: B. Magnusson (Ed.), System Configuration Management. Proceedings, 1998. X, 207 pages. 1998. Vol. 1441: W. Wobcke, M. Pagnucco, C. Zhang (Eds.), Agents and Multi-Agent Systems. Proceedings, 1997. XII. 241 pages. 1998. (Subseries LNAI). Vol. 1442: A. Fiat. G.J. Woeginger (Eds.), Online Algorithms. XVIII, 436 pages. 1998. Vol. 1443: K.G. Larsen, S. Skyum, G. Winskel (Eds.), Automata, Languages and Programming. Proceedings, 1998. XVI, 932 pages. 1998. Vol. 1444: K. Jansen, J. Rolim (Eds.), Approximation Algorithms for Combinatorial Optimization. Proceedings, 1998. VIII, 201 pages. 1998. Vol. 1445: E. Iul (Ed.), ECOOP'98 - Object-Oriented Programming. Proceedings, 1998. XII, 635 pages. 1998. Vol. 1446: D. Page (Ed.), Inductive Logic Programming. Proceedings, 1998. VIII, 301 pages. 1998. (Subseries LNAI). Vol. 1447: V.W. Porto, N. Saravanan, D. Waagen, A.E. Eiben (Eds.), Evolutionary Programming VII. Proceedings, 1998. XVI, 840 pages. 1998. Vol. 1448: M. Farach-Colton (Ed.), Combinatorial Pattern Matching. Proceedings, 1998. VIII, 251 pages. 1998.

Vol. 1461: G. Bilardi, G.F. Italiano, A. Pietracaprina, G. Pucci (Eds.), Algorithms - ESA'98. Proceedings, 1998. XII, 516 pages. 1998. Vol. 1462: H. Krawczyk (Ed.), Advances in Cryptology CRYPTO '98. Proceedings, 1998. XII, 519 pages. 1998. Vol. 1464: H.H.S. Ip, A.W.M. Smeulders (Eds.), Multimedia Information Analysis and Retrieval. Proceedings, 1998. VIII, 264 pages. 1998. Vol. 1465: R. Hirsehfeld (Ed.), Financial Cryptography. Proceedings, 1998. VIII, 311 pages. 1998. Vol. 1466: D. Sangiorgi, R. de Simone (Eds.), CONCUR'98: Concurrency Theory. Proceedings, 1998. XI, 657 pages. 1998. Vol. 1467: C. Clack, K. Hammond, T. Davie (Eds.), Implementation of Functional Languages. Proceedings, 1997. X, 375 pages. 1998. Vol. 1469: R. Pmgjaner, N.N. Savino, B. Serra (Eds.), Computer Performance Evaluation. Proceedings, 1998. XIII, 376 pages. 1998. Vol. 1473: X. Leroy, A. Ohori (Eds.), Types in Compilation. Proceedings, 1998. VIII, 299 pages. 1998. Vol. 1475: W. Litwin, T. Morzy, G. Vossen (Eds.), Advances in Databases and Information Systems. Proceedings, 1998. XIV, 369 pages. 1998. Vol. 1482. R.W. Hartenstein, A. Keevalhk (Eds.), FieldProgrammable Logic and Applications. Proceedings, 1998. XI, 533 pages. 1998.