Arto Salomaa
Public-Key Cryptography Second, Enlarged Edition
With 22 Figures
Springer
Author Prof. Dr. Arto Salomaa Data City Turku Centre for Computer Studies FIN-20520 Turku, Finland
Series Editors
Prof. Dr. Wilfried Brauer, Institut für Informatik, Technische Universität München, Arcisstrasse 21, D-80333 München, Germany
Prof. Dr. Grzegorz Rozenberg, Institute of Applied Mathematics and Computer Science, University of Leiden, Niels-Bohr-Weg 1, P.O. Box 9512, 2300 RA Leiden, The Netherlands
Prof. Dr. Arto Salomaa (see above)
ISBN 3-540-61356-0 Springer-Verlag Berlin Heidelberg New York
ISBN 3-540-52831-8 1st edition Springer-Verlag Berlin Heidelberg New York
ISBN 0-387-52831-8 1st edition Springer-Verlag New York Berlin Heidelberg
Library of Congress Cataloging-in-Publication Data
Salomaa, Arto. Public-key cryptography / Arto Salomaa. -- 2nd, enl. ed. p. cm. -- (Texts in theoretical computer science). Includes bibliographical references and index. ISBN 3-540-61356-0 (hc: alk. paper). 1. Computers--Access control. 2. Cryptography. I. Title. II. Series. QA76.9.A25S26 1996 005.8'2--dc20 96-31537 CIP
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.
Springer-Verlag Berlin Heidelberg New York is a member of BertelsmannSpringer Science+Business Media GmbH.
© Springer-Verlag Berlin Heidelberg 1990, 1996. Printed in Germany.
The use of registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and therefore free for general use.
Cover design: design & production GmbH, Heidelberg. Printed on acid-free paper.
To the Memory of My Sister Sirkka Salomaa 1919-1989
Preface to the Second, Enlarged Edition
There has been considerable progress on many fronts during the past five years. However, the main parts of the book remain unaffected by these developments. Of the wealth of new topics possible, I have chosen some aspects of cryptographic protocols: elections over a computer network and protocols without computers. Furthermore, the references have been updated and errors and inaccuracies, most of which were brought to my attention by Jukka Koskinen and Lucian Ilie, have been corrected. Many useful discussions with Valtteri Niemi and Ari Renvall are gratefully acknowledged, as well as the continued excellent cooperation with Springer-Verlag and especially Dr. Hans Wössner and Mrs. Ingeborg Mayer.
Turku, September 1996
Arto Salomaa
Preface to the First Edition
Cryptography, secret writing, is probably as old as writing in general. Only recently it has become the object of extensive scientific studies. Vast new applications to data security constitute one explanation for this. Perhaps a still more important reason for the huge growth of scientific research on cryptography is the seminal idea of public-key cryptography and the resulting new vistas on the possibilities of communication. This book presents a view on public-key cryptography with classical cryptography as the starting point. An attempt has been made to cover some of the most recent developments and present novel features. The plaintext examples constitute a package of basic sauna knowledge.
Acknowledgements. Hermann Maurer revived in the late 70's my dormant interest in cryptography. I have used some versions of this book since 1983 for courses on cryptography at the Universities of Turku and Leiden, as well as at the Technical University of Wien. The observations of the participants in these courses were useful. Juha Honkala, Jarkko Kari, Valtteri Niemi, Lila Sântean, Mika Niemi and Ari Renvall have commented on various parts of the manuscripts, and the first four have contributed in numerous discussions as well. I have also benefited from discussions with Ron Book, Wilfried Brauer, Karel Culik, Ferenc Gécseg, Jozef Gruska, Tero Harju, Iiro Honkala, Helmut Jürgensen, Juhani Karhumäki, Werner Kuich, Hannu Nurmi, Kaisa Nyberg, Azaria Paz, Grzegorz Rozenberg, Kai Salomaa, Aimo Tietäväinen, Emo Welzl, Derick Wood and Sheng Yu. Special thanks are due to Elisa Mikkola for excellent typing, as well as assistance in many practical matters. Anu Heinimäki has drawn the pictures. The Academy of Finland has provided me excellent working conditions. The good cooperation with the Academy, in particular with Marjatta Näätänen, is gratefully acknowledged. The scientific organization MATINE has supported my cryptographic research.
Finally, I want to thank Springer-Verlag and especially Dr. Hans Wössner and Mrs. Ingeborg Mayer for good cooperation and timely production.
Turku, May 1990
Arto Salomaa
Contents
Chapter 1. Classical Two-way Cryptography ........ 1
1.1 Cryptosystems and Cryptanalysis ........ 1
1.2 Monoalphabetic Systems ........ 10
Chapter 3. Knapsack Systems ........ 77
3.1 A Trapdoor is Built ........ 77
3.5 Dense Knapsacks ........ 117
4.2 Attack and Defense ........ 134
Chapter 5. Other Bases of Cryptosystems ........ 159
5.1 Exponentiation in Quadratic Fields ........ 159
5.2 Iteration of Morphisms ........ 166
6.3 How to Share a Secret ........ 190
6.4 Partial Disclosure of Secrets ........ 194
6.7 Convincing Proofs with No Details ........ 202
6.8 Zero-Knowledge Proofs ........ 208
6.9 Zero-Knowledge Proofs of Identity ........ 213
6.10 Secret Balloting Systems Revisited ........ 218
6.11 Cryptographic Protocols Without Computers ........ 234
Appendix A. Tutorial in Complexity Theory ........ 245
Appendix B. Tutorial in Number Theory ........ 249
Problems ........ 255
Historical and Bibliographical Remarks ........ 263
References ........ 265
Index ........ 269
Chapter 1. Classical Two-Way Cryptography
1.1 Cryptosystems and Cryptanalysis

The art and science of cryptography consists of two worlds. There is the world of legal communications: parties such as legal users of a data bank exchanging messages. This world can be viewed as open and sunlit. There is also the dark world of the enemy who illegally tries to intercept the messages and do all kinds of vicious things. For people in the legal world, it is desirable that the enemy understands very little of the messages. The enemy, on the other hand, would like to have easily understandable messages. Cryptography is a continuing struggle between the two worlds. A success by the enemy leads to a need to strengthen the methods in the sunlit world. This means a new challenge for the enemy. And so the struggle goes on. Eternal mathematical results are likely to be impractical.

How to present the two worlds in a book? There is no difficulty as regards things past. One just describes a method in the sunlit world and then goes on telling how the enemy made a successful attack. The situation is different if one wants to say something about present things. Whenever one describes a successful enemy attack, one has to admit that the corresponding methods in the legal world were not safe after all. No exposition can claim success in both worlds. What one can do is to give details for the legal world and then outline some possible enemy attacks, at the same time telling why the attacks are not likely to succeed. This of course has no implications concerning the eventual success of some other, maybe very ingenious enemy attacks. Anyway, this approach will be followed in the sequel. Although mathematical certainty cannot be reached, the likelihood of the safety of the methods is often very high.

The following observation should be made of the two worlds. Although we called them “legal” and “dark”, it is not always the case that the former is inhabited by “good guys” and the latter is Mordor where Sauron lives.
The roles can be interchanged in practical situations. For instance, the interception of messages may be attempted by our country in a war, whereas messages are interchanged by our enemy. Of course, we have justice on our side! Or the legal users of a data bank may be criminals, and the police try to find out their activities. In fact, the terminology we will introduce below is going to be impartial in the sense that no value judgments will be attached to the two opposing parties.

We are now ready to introduce the very fundamental notions of cryptography. They will be in use throughout the book. It is to be emphasized that the terminology is by no means uniform and fixed in different expositions on secret writing. When introducing the terminology used in this book, we often mention also some other terms used for the same notion by some other authors. Our over-all term for secret writing is cryptography. It includes the activities in both worlds. Some authors use the term cryptology for this over-all purpose and reserve the term “cryptography” for the activities of the legal world. The basic set-up is depicted in Fig. 1.1. A message is being sent through an insecure channel, where it may be intercepted by an eavesdropper.
[Fig. 1.1: a message passes from the sender through an insecure channel to the receiver; the Enemy taps the channel.]
The picture is the same, no matter whether we speak of a horseback courier or electronic mail. We cannot secure the channel and, therefore, interception is possible. The foremost goal of the enemy is to violate the secrecy of the communication and benefit from the secret information. More sophisticated goals might be the following ones. The enemy might want to alter the message, thus confounding the receiver with a corrupted message. In this fashion the enemy also deceives the receiver about the identity of the sender. For instance, the sender might have sent the message “I will give no support to the Greens.” If the enemy alters this into “I will give $10.000 to the Greens,” the receiver has no idea from whom this essentially different message came. The enemy might also deceive the sender about the identity of the receiver, for instance, by grabbing the whole message and failing to forward it. In all of these cases it is of great advantage to the original sender and receiver if the enemy does not understand the message after intercepting it. For this purpose, some method of encryption will be used. The message in its original form will be referred to as the plaintext. Thus, the sender encrypts the plaintext. The result will be referred to as the cryptotext. The cryptotext is then sent via the insecure channel. Finally, the receiver decrypts the cryptotext, after which he/she has the original plaintext. Thus, the sender’s translation activity is: Encrypt plaintext to cryptotext. The receiver’s translation activity is the reverse one: Decrypt cryptotext to plaintext.
We may use also the shorter symbolic expressions $E(pt) = ct$ and $D(ct) = pt$.
In the literature the terms “cleartext” and “ciphertext” or briefly “cipher” are often used instead of “plaintext” and “cryptotext.” The verbs for translation are in this case “encipher” and “decipher.” The word “code” and the corresponding verbs “encode” and “decode” have also been used, although not any more recently. The reason is that the word “code” is loaded with other meanings: error-correcting codes, automata-theoretic codes, etc. The word “code” will be used in some special contexts below, not however in the general sense of the word “cryptotext.”

We now analyze the encryption and decryption further. Both translations happen within the framework of a cryptosystem. A cryptosystem consists of the following items. (i) A plaintext space PT, that is, the collection of all possible plaintexts pt. (ii) A key space K. Each key k in K determines an encryption method $E_k$ and a decryption method $D_k$. If $E_k$ is applied to a plaintext pt, and $D_k$ to the result, then pt is obtained. (iii) A cryptotext space CT, that is, the collection of all possible cryptotexts ct. Elements of CT result from the elements of PT by applying the encryption methods $E_k$, where k ranges over K.
We need some very basic language-theoretic notions. We begin with a finite nonempty set Σ, called an alphabet. The elements of Σ are referred to as letters. Finite strings of elements of Σ are referred to as words. The same letter may occur several times in a word. Also the string consisting of zero letters is counted as a word, the empty word λ. The length of a word w is the number of letters in w, where each letter is counted as many times as it occurs. The set of all words over Σ is denoted by Σ*. Subsets of Σ* are referred to as (formal) languages over Σ. For instance, if Σ is the English alphabet {A, B, C, ..., Z} then ABBA, HORSE and KOKOOKOKOONKOKOKOKKO are words over Σ. (Whether a word has a meaning is irrelevant. In fact, the third word has a meaning in Finnish.) We may also add to Σ the lower case letters, all punctuation marks and the empty space needed in an ordinary text. Then the collected works of Shakespeare, written one after the other, constitute a word over this extended alphabet.

We now return to the notion of a cryptosystem, analyzing the different items further. The plaintext space PT is usually either the set Σ*, for some alphabet Σ, or else consists of all meaningful expressions of a natural language. We want to emphasize already now that these two possibilities are essentially different from many points of view. If the plaintext space is Σ* then every letter in the message is significant: there is no leeway in the process of decryption. On the other hand, every natural language is highly redundant in the sense that a message is usually understood correctly even if many individual characters have been distorted. This is a definite advantage for the eavesdropper: he/she might understand the message correctly although the analysis is wrong in several spots! Let us illustrate this further.
Example 1.1. Assume first that the English language constitutes the plaintext space. Consider the plaintext message WEMEETTOMORROW. (We have disregarded the spaces between individual words. This will be often done in the sequel.) This is encrypted as UBQBBNNFIVPNFOOB. (For the time being we do not tell how the encryption is done; the method is a bit surprising.) If the eavesdropper’s analysis of the cryptotext gives the result WIMIIDTUMAROV, he/she is quite well off: the result should be understandable correctly. Assume, secondly, that the plaintext space is Σ* for the binary alphabet Σ = {0, 1}. Assume further that the sender and the receiver have made the following previous agreement concerning the messages. The messages are of length 12 and give information about a fleet consisting of 12 vessels. More specifically, a message sent in the morning indicates which vessels participate in the mission of that particular day. For instance, according to the message 010011000001 the only vessels participating are the second, fifth, sixth and twelfth one. The messages are sent in an encrypted form. Now the analysis of our eavesdropper must produce the original plaintext quite accurately. Even if one bit is wrong, a grave error may occur in the resulting action. Often when the plaintext is English it is first encoded into the binary alphabet, for instance, by replacing each letter with the binary number indicating the position of the letter in the English alphabet. Since $2^4 < 26 < 2^5$, words of length five are needed for this purpose:

$$A = 00001,\quad B = 00010,\quad C = 00011,\quad \ldots,\quad N = 01110,\quad \ldots,\quad Z = 11010.$$
We will use the terms encoding and decoding for translations of the message without any purpose of concealment. An encoding might be needed, for instance, in the transmission of the message. Thus, the message is first encoded and then encrypted. Of course, the redundancy of a natural language is not at all affected by an encoding. □

After this discussion about the plaintext space, we give some comments on the key space. The cardinality of the key space should not be very small: the illegal party should not have the possibility of testing all keys. In most cases the key space is (denumerably) infinite. We have said only that each key k determines an encryption method $E_k$ and a decryption method $D_k$ and, further, that $E_k$ and $D_k$ cancel each other. We do not want to give a more specific mathematical characterization of $E_k$ and $D_k$. In fact, we do not even want to require that $E_k$ is a function. In some cryptosystems presented below there are many possibilities to apply a key to a plaintext, and the results will be different. There is not much to say about the third item, the cryptotext space. It is determined by the first two items: all possible encryptions of all possible plaintexts.

What makes a cryptosystem good? Sir Francis Bacon proposed the following three requirements, given now in our terminology. (i) Given $E_k$ and pt, the computation of $E_k(pt)$ is easy. Given $D_k$ and ct, the computation of $D_k(ct)$ is easy.
(ii) Without knowing $D_k$, it is impossible to find pt from ct. (iii) The cryptotext should be without suspicion: innocent looking. One can still agree with Sir Francis, with the following reservations in mind. Requirement (iii) is not any more considered to be important. Section 1.2 contains an example where it is satisfied. Requirement (i) says that for legal users the cryptosystem should not be too complicated. “Easy” refers here to complexity theory; see Appendix A. It is assumed that the users have available a reasonable amount of computing power. In (ii) “impossible” is replaced by “computationally intractable”. The eavesdropper is also assumed to have computing power. Strengthenings of requirement (ii) are considered below in connection with cryptanalysis. Sidelines of requirement (i) are discussed in [Ka]. Before the advent of computers, everything in the application of a cryptosystem had to be done by hand. For instance, an army general responsible for cryptography used children in the first grade to test a new cryptosystem. If it was too complicated for the children, it was not accepted for army usage!

There will be many examples of cryptosystems in the sequel. Let us begin here with a very old and not at all good cryptosystem: CAESAR. Many variants of it have been in use at different times; it will be discussed also in the next section. It is not important how we fix the plaintext space. CAESAR is based on substitutions: each letter is substituted by another letter. The latter is obtained from the former by advancing k steps in the alphabet. At the end of the alphabet one goes cyclically to the beginning. Thus, for k = 3, substitutions are as follows.

Old: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
New: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

In this case, the plaintext TRY AGAIN is encrypted as WUB DJDLQ. Thus, the key space of the CAESAR system consists of the 26 numbers 0, 1, 2, ..., 25. The encryption method $E_k$ determined by the key k is: advance k steps in the alphabet. The corresponding decryption method $D_k$ is: go back k steps in the alphabet. Some further illustrations:

$$E_{25}(\mathrm{IBM}) = \mathrm{HAL},\quad E_6(\mathrm{MUPID}) = \mathrm{SAVOJ},\quad E_3(\mathrm{HELP}) = \mathrm{KHOS},\quad E_1(\mathrm{HOME}) = \mathrm{IPNF},$$
$$D_6(\mathrm{SAVOJ}) = E_{20}(\mathrm{SAVOJ}) = \mathrm{MUPID}.$$
Some general properties of the E’s and D’s can be stated here. One of them is commutativity: whenever some E’s and D’s are applied one after the other, the order of application does not matter. For instance, for any keys k, l, m, n,

$$E_k D_l E_m D_n = E_{k-l+m-n}, \qquad E_k D_l D_n = D_{l+n-k} = E_{26-(l+n-k)},$$

the subscripts being taken modulo 26. Commutativity will be a crucial property in some of our considerations later on. Also the following relations hold for any k satisfying $1 \le k \le 25$:

$$D_k = E_{26-k}, \qquad D_k E_k = E_0 = D_0.$$
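The CAESAR system of this section as code. This is an added Python example, not code from the book; the function names are my own. It implements $E_k$ and $D_k$, checks the composition rules just stated, and shows concretely why a 26-element key space is useless in practice: every candidate plaintext can be listed, and, as noted under the known-plaintext setup later in this section, one known pair gives the key away.

```python
# Added example, not from the book: the CAESAR system of Section 1.1.
# Letters outside A-Z (spaces, punctuation) pass through unchanged, which is
# how "TRY AGAIN" becomes "WUB DJDLQ" in the text.
import string

ALPHABET = string.ascii_uppercase
N = len(ALPHABET)          # key space: 0, 1, ..., 25


def caesar_encrypt(pt: str, k: int) -> str:
    """E_k: advance every letter k steps in the alphabet, cyclically."""
    k %= N
    return "".join(
        ALPHABET[(ALPHABET.index(c) + k) % N] if c in ALPHABET else c
        for c in pt
    )


def caesar_decrypt(ct: str, k: int) -> str:
    """D_k: go back k steps; by the relation D_k = E_{26-k} this is E_{26-k}."""
    return caesar_encrypt(ct, N - (k % N))


def compose(ops, text: str) -> str:
    """Apply a sequence of ('E', k) / ('D', k) operations left to right."""
    for kind, k in ops:
        text = caesar_encrypt(text, k) if kind == "E" else caesar_decrypt(text, k)
    return text


def net_key(ops) -> int:
    """Commutativity: a product of E's and D's equals E_m, m = signed key sum mod 26."""
    return sum(k if kind == "E" else -k for kind, k in ops) % N


def try_all_keys(ct: str) -> dict:
    """The cryptanalyst's view: with only 26 keys every candidate plaintext is listed."""
    return {k: caesar_decrypt(ct, k) for k in range(N)}


def key_from_known_pair(pt: str, ct: str) -> int:
    """Known plaintext against CAESAR: one pair (pt, E_k(pt)) of any length gives k."""
    for p, c in zip(pt, ct):
        if p in ALPHABET and c in ALPHABET:
            return (ALPHABET.index(c) - ALPHABET.index(p)) % N
    raise ValueError("pair contains no letter of the alphabet")


if __name__ == "__main__":
    print(caesar_encrypt("TRY AGAIN", 3))          # WUB DJDLQ
    for k, candidate in try_all_keys("WUB DJDLQ").items():
        print(k, candidate)                          # only k = 3 reads as English
```

`net_key` is the whole content of the commutativity claim: any product of E’s and D’s collapses to a single $E_m$, so `compose(ops, text)` and `caesar_encrypt(text, net_key(ops))` always agree.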
The latter expresses the fact that the effects of $E_k$ and $D_k$ cancel each other as they should. The decryption key $D_k$ can be immediately computed from the encryption key $E_k$. For any cryptosystem, $D_k$ is determined (in a mathematical sense) by $E_k$. However, the computation of $D_k$ from $E_k$ may be intractable. In every classical cryptosystem also $D_k$ is given away if $E_k$ is publicized. Anybody who knows $E_k$ is able to compute also $D_k$. Of course, the computation is not so immediate as in case of CAESAR but it can always be done within a reasonable time. Hence, $E_k$ cannot be publicized. A property characteristic for public-key cryptosystems is that $E_k$ can be made public without compromising the secrecy. The keys are so skillfully constructed that the computation of $D_k$ from $E_k$ is intractable, and so is the computation of pt given $E_k$ and $E_k(pt)$. This requirement will be viewed from various angles in later chapters. We wanted only to mention here the essential feature of public-key cryptosystems.

After discussing the basics of cryptosystems, let us now go to the other world. From now on we refer to the eavesdropper as the cryptanalyst. Thus, the difference between cryptanalysis and decryption is that the cryptanalyst has to manage without the decryption key $D_k$. The purpose is the same in both cases: to find the plaintext pt. The illustration in Fig. 1.1 takes now a more detailed form, depicted in Fig. 1.2.
[Fig. 1.2: a plaintext pt from the plaintext space is encrypted by the sender to ct, which travels over the insecure channel to the Receiver; the cryptanalyst taps ct on the channel.]
The sender (resp. receiver) knows in advance $E_k$ (resp. $D_k$). For instance, the two parties might have agreed upon the matters in a previous meeting. The details of this agreement depend on the cryptosystem used. The procedure is essentially different for classical and public-key cryptosystems. Observe that we have, for any key k and plaintext pt,

$$D_k(E_k(pt)) = D_k(ct) = pt.$$
We now make some over-all remarks about cryptanalysis. We begin by emphasizing the following principle. Golden Rule for Designers of Cryptosystems: Never underestimate the cryptanalyst.
The golden rule should be applied to all activities of the cryptanalyst: spying information in advance, inventing methods of attack, computing effectively, etc. As regards the advance information, we apply the following convention in the sequel: the cryptanalyst knows the cryptosystem used. This is reasonable also because of the following reason. Even if the cryptanalyst has to try out a few cryptosystems, the complexity of the procedure is essentially the same as when working with one system. Although the cryptanalyst knows the cryptosystem, he/she does not know the key. However, if the number of all possible keys is small, like in the CAESAR system, then all keys can be tried out. (Recall that the cryptanalyst has excellent computing facilities!) This means that a cryptosystem with a small number of keys is useless in practice. However, such systems are sometimes still useful for illustrating specific points, as is the case in this exposition. The essential condition for a cryptosystem to be good is that it is intractable to recover the plaintext pt from the cryptotext ct without knowing the decryption method $D_k$.

We now discuss in more detail the possible initial setups for the cryptanalyst. We mention below four basic setups. Some symmetric modifications of them are also possible, as well as some combinations of the basic setups. They will not be discussed below. Recall, however, that in each setup the cryptanalyst is assumed to know the cryptosystem used.

Setup (i): Cryptotext Only. Here the cryptanalysis has to be based on only one sample of cryptotext. For the cryptanalyst it is always better that the sample is longer. In simple systems, such as CAESAR, even short samples will suffice because usually only one key will produce meaningful plaintext. In more complicated systems long samples of cryptotext are necessary.
Efficient cryptanalytic methods can be based on statistical information concerning the plaintext language, for instance, information about the frequency of individual letters in English. Examples will be given later on.

Setup (ii): Known Plaintext. Here the cryptanalyst knows in advance some pairs $(pt, E_k(pt))$. The knowledge of such pairs may essentially aid the analysis of the given cryptotext ct. A very simple example is again CAESAR: any pair of any length gives away the key.

Setup (iii): Chosen Plaintext. The cryptanalyst knows also now in advance some pairs $(pt, E_k(pt))$. However, pt has now been chosen by the cryptanalyst. In situations where the cryptanalyst has definite conjectures about the key, it is clear that this setup is essentially better than (ii). On the other hand, this setup (iii) is likely to be realistic at least in such cases where the cryptanalyst has the possibility of masquerading himself or herself as an authorized user of the information system in question.
Before discussing setup (iv), we give an example of a cryptosystem where the initial setup (iii) often gives much better possibilities for the cryptanalyst than the initial setup (ii).
Example 1.2. The cryptosystem is based on linear algebra and has been quite important historically. It is originally due to Hill. The plaintext and cryptotext spaces are both equal to Σ*, where Σ is the English alphabet. We number the letters in the alphabetic order: A gets the number 0, B the number 1 and Z the number 25. All arithmetic operations are carried out modulo the total number of letters: 26. This means that 26 is identified with 0, 27 with 1, 28 with 2, and so forth. We choose an integer $d \ge 2$. It indicates the dimension of the matrices involved. In the encryption procedure, d-tuples of letters of the plaintext are encrypted together. In what follows d will be 2. Let now M be a d-dimensional square matrix. The entries of M are integers between 0 and 25. Furthermore, M is assumed to be invertible in our arithmetic, that is, $M^{-1}$ exists. For instance,

$$M = \begin{pmatrix} 3 & 3 \\ 2 & 5 \end{pmatrix} \quad\text{and}\quad M^{-1} = \begin{pmatrix} 15 & 17 \\ 20 & 9 \end{pmatrix}.$$

Recall that arithmetic is carried out modulo 26. This implies that we have, for instance, $2 \cdot 17 + 5 \cdot 9 = 79 = 1 + 3 \cdot 26 = 1$, as we should, the number being on the main diagonal of the identity matrix. The encryption is carried out by the equation

$$MP = C,$$

where P and C are d-dimensional column vectors. More specifically, each d-tuple of plaintext letters defines the vector P where the components are the numerical encodings of the letters. Finally, C is again interpreted as a d-tuple of cryptotext letters. For instance, the plaintext HELP defines the two vectors

$$P_1 = \begin{pmatrix} 7 \\ 4 \end{pmatrix} \quad\text{and}\quad P_2 = \begin{pmatrix} 11 \\ 15 \end{pmatrix}.$$

From the equations

$$MP_1 = \begin{pmatrix} 7 \\ 8 \end{pmatrix} = C_1 \quad\text{and}\quad MP_2 = \begin{pmatrix} 0 \\ 19 \end{pmatrix} = C_2$$

we obtain the cryptotext HIAT. Consider now the world of our cryptanalyst. Assume the cryptanalyst has guessed that d = 2. He has to find the matrix M or, better still, the inverse $M^{-1}$. For this purpose he chooses the plaintext HELP and learns that the corresponding cryptotext is HIAT. This choice of the plaintext was good because of the following reasons. The cryptanalyst knows that

$$M \begin{pmatrix} 7 & 11 \\ 4 & 15 \end{pmatrix} = \begin{pmatrix} 7 & 0 \\ 8 & 19 \end{pmatrix}.$$
This can be written in the form

$$M = \begin{pmatrix} 7 & 0 \\ 8 & 19 \end{pmatrix} \begin{pmatrix} 7 & 11 \\ 4 & 15 \end{pmatrix}^{-1} = \begin{pmatrix} 7 & 0 \\ 8 & 19 \end{pmatrix} \begin{pmatrix} 19 & 19 \\ 14 & 21 \end{pmatrix} = \begin{pmatrix} 3 & 3 \\ 2 & 5 \end{pmatrix}.$$

The inverse $M^{-1}$ is immediately calculable from M. Anything can be decrypted using $M^{-1}$. The point in these calculations is that the inverse

$$\begin{pmatrix} 7 & 11 \\ 4 & 15 \end{pmatrix}^{-1}$$

exists: the determinant $7 \cdot 15 - 11 \cdot 4 = 61 = 9$ has an inverse modulo 26. On the other hand, it was our cryptanalyst who chose the plaintext HELP giving rise to this matrix. Thus, he has to make the choice in such a way that the resulting matrix is invertible.

Assume now that the cryptanalyst is working under different preconditions: the initial setup is “known plaintext.” More specifically, the cryptanalyst knows CKVOZI is the cryptotext corresponding to the plaintext SAHARA. Although we have here a longer sample of text than before, the information obtained is still much less. Indeed, the plaintext-cryptotext equations are now

$$M \begin{pmatrix} 18 \\ 0 \end{pmatrix} = \begin{pmatrix} 2 \\ 10 \end{pmatrix}, \quad M \begin{pmatrix} 7 \\ 0 \end{pmatrix} = \begin{pmatrix} 21 \\ 14 \end{pmatrix} \quad\text{and}\quad M \begin{pmatrix} 17 \\ 0 \end{pmatrix} = \begin{pmatrix} 25 \\ 8 \end{pmatrix}.$$

No invertible square matrix can be formed of the three column vectors appearing as coefficients of M. The cryptanalyst finds out that any invertible square matrix

$$\begin{pmatrix} 3 & a \\ 2 & b \end{pmatrix}$$

can be the basis of the cryptosystem because it encrypts SAHARA as CKVOZI. Thus, the cryptanalyst might settle for the matrix

$$M_1 = \begin{pmatrix} 3 & 1 \\ 2 & 1 \end{pmatrix}, \quad\text{whose inverse is}\quad M_1^{-1} = \begin{pmatrix} 1 & 25 \\ 24 & 3 \end{pmatrix}.$$

The cryptanalyst is ready for a cryptotext. He/she receives the text NAFG. The cryptanalyst now computes

$$\begin{pmatrix} 1 & 25 \\ 24 & 3 \end{pmatrix} \begin{pmatrix} 13 \\ 0 \end{pmatrix} = \begin{pmatrix} 13 \\ 0 \end{pmatrix} \quad\text{and}\quad \begin{pmatrix} 1 & 25 \\ 24 & 3 \end{pmatrix} \begin{pmatrix} 5 \\ 6 \end{pmatrix} = \begin{pmatrix} 25 \\ 8 \end{pmatrix}.$$

The two column vectors give rise to the plaintext NAZI. However, the legal user knows the original M and its inverse and computes

$$\begin{pmatrix} 15 & 17 \\ 20 & 9 \end{pmatrix} \begin{pmatrix} 13 \\ 0 \end{pmatrix} = \begin{pmatrix} 13 \\ 0 \end{pmatrix} \quad\text{and}\quad \begin{pmatrix} 15 & 17 \\ 20 & 9 \end{pmatrix} \begin{pmatrix} 5 \\ 6 \end{pmatrix} = \begin{pmatrix} 21 \\ 24 \end{pmatrix},$$

getting the plaintext NAVY.
Our cryptanalyst made a rude error which may lead to an entirely false action! □

We still continue our list of possible initial setups for the cryptanalyst.

Setup (iv): Encryption Key. The cryptanalyst knows the encryption method $E_k$ and tries to find the corresponding decryption method $D_k$ before actually receiving any samples of cryptotext. Setup (iv) is very typical for public-key cryptosystems. The encryption method $E_k$ might have been made public much in advance, and it might take several months before $E_k$ is used to encrypt important messages. Thus, the cryptanalyst usually has plenty of time for preprocessing, whereas he/she is in a hurry when a message arrives. Anything accomplished in the period when “time is cheap” is especially valuable. In some public-key cryptosystems it is not possible to construct $D_k$ from $E_k$ alone, because it is not possible to recognize the correct $D_k$ among several candidates. Some text samples are needed for this purpose. In some other public-key cryptosystems $D_k$ can be found from $E_k$ by extremely good luck, for instance, by guessing two large primes from their product.
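Example 1.2 (the Hill system with d = 2) carried through in code. This is an added Python example, not code from the book; the function names are mine, and the matrices are the ones from the example. It reproduces the legal user’s encryption and decryption, the chosen-plaintext recovery $M = C P^{-1}$ from HELP/HIAT, and the known-plaintext situation with SAHARA/CKVOZI, where the plaintext vectors do not form an invertible matrix and the wrong candidate $M_1$ decrypts NAFG as NAZI instead of NAVY.

```python
# Added example, not from the book: Example 1.2 (the Hill system, d = 2) in code.
# 2x2 matrices are lists of two rows; all arithmetic is modulo 26.
MOD = 26
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def mat_inv(m):
    """Inverse of a 2x2 matrix modulo 26, or None if det has no inverse mod 26."""
    det = (m[0][0] * m[1][1] - m[0][1] * m[1][0]) % MOD
    try:
        det_inv = pow(det, -1, MOD)      # ValueError when gcd(det, 26) != 1
    except ValueError:
        return None
    adj = [[m[1][1], -m[0][1]], [-m[1][0], m[0][0]]]
    return [[(det_inv * x) % MOD for x in row] for row in adj]


def mat_mul(a, b):
    """2x2 product modulo 26."""
    return [[(a[i][0] * b[0][j] + a[i][1] * b[1][j]) % MOD for j in range(2)]
            for i in range(2)]


def mat_vec(m, v):
    """Matrix times column vector modulo 26."""
    return [(m[0][0] * v[0] + m[0][1] * v[1]) % MOD,
            (m[1][0] * v[0] + m[1][1] * v[1]) % MOD]


def to_vectors(text):
    """Split text of even length into column vectors P of two letter numbers."""
    nums = [ALPHABET.index(c) for c in text]
    return [nums[i:i + 2] for i in range(0, len(nums), 2)]


def from_vectors(vecs):
    return "".join(ALPHABET[x] for v in vecs for x in v)


def hill_encrypt(m, pt):
    """MP = C for every 2-letter block of the plaintext."""
    return from_vectors(mat_vec(m, p) for p in to_vectors(pt))


def hill_decrypt(m, ct):
    """P = M^{-1} C; the legal user needs the inverse, which must exist."""
    m_inv = mat_inv(m)
    if m_inv is None:
        raise ValueError("matrix is not invertible modulo 26")
    return hill_encrypt(m_inv, ct)


def key_from_chosen_plaintext(pt, ct):
    """Setup (iii): two chosen blocks whose vectors form an invertible matrix P
    give M = C P^{-1}. Returns None when P is not invertible, as for SAHA/CKVO,
    whose plaintext vectors all have second component 0."""
    p1, p2 = to_vectors(pt)[:2]
    c1, c2 = to_vectors(ct)[:2]
    P = [[p1[0], p2[0]], [p1[1], p2[1]]]
    C = [[c1[0], c2[0]], [c1[1], c2[1]]]
    P_inv = mat_inv(P)
    return None if P_inv is None else mat_mul(C, P_inv)


if __name__ == "__main__":
    M = [[3, 3], [2, 5]]
    M1 = [[3, 1], [2, 1]]                      # the cryptanalyst's wrong guess
    print(hill_encrypt(M, "HELP"))             # HIAT
    print(key_from_chosen_plaintext("HELP", "HIAT"))   # [[3, 3], [2, 5]]
    print(hill_decrypt(M1, "NAFG"), hill_decrypt(M, "NAFG"))   # NAZI NAVY
```

The `None` return of `key_from_chosen_plaintext` is the whole difference between setups (ii) and (iii) for this system: a plaintext the cryptanalyst did not choose may well give column vectors that span only one direction, leaving the second column of M completely undetermined.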
1.2 Monoalphabetic Systems

This chapter discusses classical cryptosystems, in contrast to public-key cryptosystems. The chapter constitutes the background necessary for the main parts of the book. While presenting this background, the two worlds of cryptography are taken into account. Recall the difference between classical and public-key cryptosystems. In a classical cryptosystem the decryption key $D_k$ can be easily computed from the encryption key $E_k$, whereas in a public-key cryptosystem $E_k$ can be safely publicized without compromising the secrecy of $D_k$. For this reason, classical systems are also often referred to as symmetric or two-way, and public-key systems as nonsymmetric or one-way.

Let us first discuss some general issues. So far we did not comment at all on requirement (iii) for a good cryptosystem, proposed by Sir Francis Bacon: the cryptotext should be without suspicion, that is, innocent looking. That this requirement is not important any more is due to the fact that nowadays both plaintext and cryptotext are ordinarily sequences of bits, incomprehensible at first sight. A sequence of bits does not usually look more innocent than another sequence! However, this requirement was often taken into account in the past. The best method is garbage-in-between. The actual message (encrypted or not) is supplemented by “garbage letters” that are quite irrelevant for the actual message but still make the whole thing look like something innocent.
Fig. 1.3. Richelieu's sheet: seven rows and ten columns, the columns numbered 1 to 10; the hole positions are listed in the text.
Richelieu used sheets of cardboard with holes. Only the letters visible through the holes were significant. Both the sender and receiver had identical sheets. One such sheet is depicted in Fig. 1.3. The sheet covers a passage of text in the shape of a rectangle with seven rows and ten columns, altogether 70 characters of text. For longer passages the sheet has to be applied several times. Thus, the holes are in positions (1,8), (2,9), (3,6), (4,5), (4,6), (5,1), (5,6), (5,7), (5,9), (6,2), (6,10), (7,9), (7,10).

The following looks like an innocent love letter:

I LOVE YOU
I HAVE YOU
DEEP UNDER
MY SKIN MY
LOVE LASTS
FOREVER IN
HYPERSPACE
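As an added example (not from the book), the grille is applied programmatically: the cover text and the hole positions are the ones given above, and the function also handles a passage longer than one sheet, where the sheet is applied repeatedly.

```python
# Added example (not from the book): reading Richelieu's grille.
# Rows and columns are numbered from 1, as in Fig. 1.3.
ROWS, COLS = 7, 10

LOVE_LETTER = [          # the innocent-looking cover text from the page
    "I LOVE YOU",
    "I HAVE YOU",
    "DEEP UNDER",
    "MY SKIN MY",
    "LOVE LASTS",
    "FOREVER IN",
    "HYPERSPACE",
]
HOLES = [(1, 8), (2, 9), (3, 6), (4, 5), (4, 6), (5, 1), (5, 6),
         (5, 7), (5, 9), (6, 2), (6, 10), (7, 9), (7, 10)]


def read_through_grille(lines, holes, rows=ROWS, cols=COLS):
    """Return the characters visible through the holes.

    The cover text is laid out as consecutive rows of `cols` characters
    (spaces count as characters: the page speaks of 70 characters of text).
    If the passage is longer than one sheet, the sheet is applied again to
    the next rows*cols characters, and so on.
    """
    text = "".join(line.ljust(cols)[:cols] for line in lines)
    sheet = rows * cols
    visible = []
    for start in range(0, len(text), sheet):
        block = text[start:start + sheet]
        for r, c in sorted(holes):                # read the holes row by row
            index = (r - 1) * cols + (c - 1)
            if index < len(block):
                visible.append(block[index])
    return "".join(visible)


def hidden_command(lines, holes=HOLES):
    """The significant letters only, with any spaces dropped."""
    return read_through_grille(lines, holes).replace(" ", "")
```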
However, when making use of the cryptosystem RICHELIEU in the sense of the sheet of Fig. 1.3, one gets the sinister command YOU KILL AT ONCE.

There are many classifications of cryptosystems, some of which will now be mentioned. The principles of classification do not refer to the quality of cryptosystems (good or bad) but rather to the intrinsic properties in their design. A very old classification is into systems of substitution and permutation, often called also transposition. For instance, [Ga] speaks of substitution ciphers and transposition ciphers.
In the former, the plaintext letters are replaced with substitutes. The substitutes are kept in the cryptotext in the same order as their originals in the plaintext. If the use of substitutes remains unaltered throughout the text, the cryptosystem is called monoalphabetic. This term reflects the idea that there is only one sequence of
substitute letters: every plaintext letter is represented everywhere by the same substitute. If the plaintext is some natural language, cryptanalysis can always be based on the statistical distribution of letters. Examples will be seen below. Monoalphabetic substitution systems are to be contrasted with polyalphabetic ones: the use of substitutes varies in different parts of the plaintext. We return to polyalphabetic cryptosystems in Section 1.3. Most of the customary cryptanalytic methods deal with polyalphabetic systems.

In a permutation (or transposition) cryptosystem the plaintext letters are rearranged. This is too simple as such, so permuting the order has to be combined with some other idea. The following is an example of a permutation system. The plaintext is divided into blocks of three letters each. In each block the letters are permuted in such a way that the first letter becomes third, and the second and third letters move one step ahead. For instance, the plaintext LETUSGOTOFRANCE becomes ETLSGUTOORAFCEN. (Recall that we often ignore the space between individual words.)

This Section 1.2 discusses monoalphabetic systems. We are dealing with the English alphabet. Thus, each letter A, B, C, ..., Z is replaced by a substitute x_1, x_2, x_3, ..., x_26 everywhere in the plaintext. The substitutes have to be different among themselves but they may include letters not belonging to the English alphabet. The extreme case is where they are some entirely different characters. For instance, consider the following arrangement:
[Figure: the letters A, B, C, ..., Z written into grids of lines, beginning A B C / D E F / ...; some cells carry two dots, some one, some none.]
The lines surrounding each letter together with the dots (two, one or zero) indicate the substitute for the letter. Thus, the plaintext WE TALK ABOUT FINNISH SAUNA MANY TIMES LATER will be encrypted as

[Figure: the encrypted text written in these symbols.]
At a first look there seems to be rather little we can say about monoalphabetic systems. If the plaintext is English or some other natural language, statistical analysis will break the system. Whenever the sample is long enough, one knows that the most frequent character in the cryptotext represents the most common letter in the natural language, and so forth. It usually suffices to find out a few
letters in this fashion and guess the rest of them. On the other hand, if the plaintext space is Σ*, where Σ is the English alphabet, and no additional information is available, then cryptanalysis of a monoalphabetic system is impossible. There is no way of finding the correspondence between the plaintext letters and their substitutes: all correspondences are equally likely. In fact, in this case the monoalphabetic encryption is merely an encoding; the true encryption took place when meaningful messages were translated (with an even distribution) onto words of Σ*.

Such a first look misses some important points. In fact, much can be said about monoalphabetic systems. The crucial question concerns key management: everything breaks down if the correspondence between original letters and their substitutes (that is, the key) becomes known. Therefore, the key should not be available anywhere, neither in written form nor in computer memory. The sender and receiver have to memorize the key. Different ways of doing this have led to different monoalphabetic systems. Let us now have a look at some of them.

We already talked about CAESAR in Section 1.1. The substitute of a letter is obtained by moving k steps ahead in the alphabet. In CAESAR and other similar systems the natural numerical encoding will be used:

 A  B  C  D  E  F  G  H  I  J  K  L  M
 0  1  2  3  4  5  6  7  8  9 10 11 12
 N  O  P  Q  R  S  T  U  V  W  X  Y  Z
13 14 15 16 17 18 19 20 21 22 23 24 25
Thus, according to CAESAR, each letter α becomes α + k. All arithmetic in this context is carried out modulo 26. Neither the encoding nor the decoding (from numbers to letters) is intended for actual encryption. The number of all possible keys in CAESAR is very small. Another great disadvantage from the point of view of security is that the alphabetic order remains the same also in the sequence of substituted letters; only the initial position changes. The affine cryptosystems studied below do not possess this disadvantage.
Interlude: Old Times. Julius Caesar tells in his De Bello Gallico how he sent an encrypted message to Cicero. The substitution system used was monoalphabetic; however, it was not CAESAR: the Latin letters were replaced by Greek ones in a way that is not clear from Caesar's writing. The information that Caesar actually used the cryptosystem CAESAR comes from Suetonius. In fact, according to Suetonius, the shift in the alphabet was three letters. No written documentation exists about Caesar using other shifts. CAESAR is not the oldest cryptosystem. Perhaps the oldest known cryptosystem is due to the Greek historian Polybios who died thirty years before Caesar was born. It is not known whether Polybios used his system for cryptographic purposes. We describe the system for the English alphabet from which J is omitted.
Consider the following square, nowadays often called the Polybios checkerboard:

    A B C D E
A   A B C D E
B   F G H I K
C   L M N O P
D   Q R S T U
E   V W X Y Z

Each letter α will be represented by the pair of letters indicating the row and column in which α lies. Thus, the representations of K, O and T are BE, CD and DD, respectively. The plaintext LETUSGOTOSAUNA is encrypted as
CAAEDDDEDCBBCDDDCDDCAADECCAA

In our terminology, the Polybios system is a monoalphabetic substitution into the target alphabet {AA, AB, ..., AE, BA, ..., EE} of 25 letters.

The art of steganography (hiding a message) is often used together with cryptography. For instance, an encrypted message may be written using invisible ink. The most famous historian, Herodotos, does not tell anything about cryptosystems in our sense but has several stories about “crypto-steganography.” Here is one of them. Histaios and his son-in-law, Aristagoras, had agreed in advance that a message consisting of a few dots means: Aristagoras should revolt against Persia. When Histaios actually wanted to send such a message to Aristagoras, he observed that the territory between them was heavily guarded. Histaios then had the head of his most trusted slave shaved, wrote the dots thereon, and waited for the hair to grow again. When this had happened he set the slave off, with this message to Aristagoras: “Shave my head!” The story tells us also that in those days cryptographers had much more time than nowadays. □

An affine cryptosystem is determined by two integers a and b, where 0 ≤ a, b ≤ 25 and, furthermore, a and 26 are relatively prime. The substitute for the letter α will be aα + b. Here we work with the numerical encodings of the letters and, as before, arithmetic is carried out modulo 26. For instance, if a = 3 and b = 5 then the numerical encodings are mapped as follows:

old: 0 1  2  3  4  5  6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
new: 5 8 11 14 17 20 23 0 3 6  9 12 15 18 21 24  1  4  7 10 13 16 19 22 25  2

When decoded into letters, the mapping is as follows:
old: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
new: F I L O R U X A D G J M P S V Y B E H K N Q T W Z C
The plaintext NOTEVERYSTEAMBATHISSAUNA is encrypted as SVKRQREZHKRFPIFKADHHFNSF. The requirement of a and 26 being relatively prime assures that the mapping f(α) = aα + b is one-to-one. If we are dealing with the mapping 10α + 1, where this requirement is not satisfied, then A and N are both mapped into B and, hence, B can be decrypted both as A and N. On the other hand, no numerical encoding is mapped into 0 and, hence, A does not occur at all in the alphabet of substitutes. It is easy to find all pairs of letters mapped into the same letter, as well as all letters not occurring in the alphabet of substitutes.

We now enter again the world of the cryptanalyst.

Example 1.3. The English plaintext is divided into blocks of five letters each and then encrypted using an affine system. The empty spaces between words in the English plaintext are ignored. This goes for punctuation as well. Then the following cryptotext results.

BHJUH NBULS VULRU SLYXH ONUUN BWNUA
XUSNL UYJSS WXRLK GNBON UUNBW SWXKX
HKXDH UZDLK XBHJU HBNUO NUMHU GSWHU
XMBXR WXKXL UXBHJ UHCXK XAXKZ SWKXX
LKOLJ KCXLC MXONU UBVUL RRWHS HBHJU
HNBXM BXRWX KXNOZ LJBXX HBNFU BHJUH
LUSWX GLLKZ LJPHU ULSYX BJKXS WHSSW
XKXNB HBHJU HYXWN UGSWX GLLK
Before making any specific cryptanalytic attacks, we want to make several remarks of a general nature. All our examples are too small from the point of view of realistic cryptography. The text samples are too short and the numbers involved too small. The reason is simply that if we try to depict real-life situations, then the presentation becomes unreadable. On the other hand, small examples illustrate key issues and important methods and principles often as well as bigger realistic examples.

How many possible keys does an affine system have? Every key is completely determined by the integers a and b, defining the mapping aα + b. There are 12 possible values for a: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25. There are 26 possible values for b. They can be used independently of the values of a, except that the case a = 1, b = 0 is excluded. This gives altogether 12 · 26 - 1 = 311 possible keys. Checking through all the 311 keys is computationally easy and, hence, cryptanalysis is straightforward. However, we want to simplify this exhaustive search. Such a simplification is of crucial importance in more involved cryptanalytic tasks.
The basic cryptanalytic attack against substitution systems begins with a frequency count: the number of occurrences of each letter in the cryptotext is counted. The distribution of letters in the cryptotext is then compared with the distribution of letters in the plaintext language, for instance, English. The letter with the highest frequency in the cryptotext is likely to be the substitute for E, the letter with the highest frequency in English, and so forth. The likelihood grows with the length of the cryptotext.

Various tables have been compiled to give information about the distribution of letters in English, as well as in other natural languages. It is to be emphasized, however, that none of these tables contains conclusive information. Even the order of letters, as regards their frequency, varies from table to table. The distribution of letters depends very much on the type of text: ordinary prose, slang, technical, telegraphic, etc. No table can conceivably take into account all types of texts! Still, some things are common for all tables describing English. The letter E always tops the frequency list, with T being second. Almost always A or O is in the third position. Moreover, always the same nine letters E, T, A, O, N, I, S, R, H have a frequency higher than any other letters. These particular letters will make up about 70% of English text. The reader is invited to write a reasonably long English passage where the high-frequency letters do not constitute a majority!

As regards positional frequency, the letters A, I, H do not often end a word, whereas the letters E, N, R appear far less frequently in the initial than in the final position. The remaining letters in the high-frequency class, T, O, S, appear frequently both as initial and final letters. Such considerations concerning positional frequency are, of course, irrelevant for the particular example we have to break because the block division of the plaintext destroys initial and final positions.
In the following table the letters of the English alphabet are ordered according to their frequency. The percentage is also indicated for each letter. The figures are from [Ga].

High:      E      T     A     O     N     I     S     R     H
    %:   12.31  9.59  8.05  7.94  7.19  7.18  6.59  6.03  5.14   total 70.02
Middle:    L      D     C     U     P     F     M     W     Y
    %:    4.03  3.65  3.20  3.10  2.29  2.28  2.25  2.03  1.88   total 24.71
Low:       B      G     V     K     Q     X     J     Z
    %:    1.62  1.61   .93   .52   .20   .20   .10   .09         total  5.27
We know that in our example the plaintext is in English. However, for the sake of comparison, the most frequent letters in different languages are listed in the following table.

[Table: the nine most frequent letters, with percentages, in English, German, French, Finnish, Italian and Spanish. English: E 12.31, T 9.59, A 8.05, O 7.94, N 7.19, I 7.18, S 6.59, R 6.03, H 5.14.]
Observe that the letters of INSEA appear in the high-frequency class in each language!

All of these more general remarks have been appropriate in this first longer cryptanalytic example. We now return to our cryptotext, counting first the number of occurrences of each letter:

High:     X   U   H   B   L   N   K   S   W
Number:  32  30  23  19  19  16  15  15  14    total 183 = 78.21 %
Middle:   J   O   R   G   M   Y   Z   C   A
Number:  11   6   6   5   4   4   4   3   2    total  45 = 19.23 %
Low:      D   V   F   P   E   I   Q   T       total   6 =  2.56 %
The frequency of the letters X, U, H, B, L, N, K, S, W is even higher than the frequency of the letters E, T, A, O, N, I, S, R, H. The former letters are likely to be substitutes for the latter. Since we are dealing with an affine system, it suffices to find correct substitutes for two letters. We make a try with the two most frequent letters: X is the substitute for E, and U for T. The affine system maps every numerical encoding α to aα + b. Hence

4a + b ≡ 23 and 19a + b ≡ 20,

where the congruences are modulo 26. These congruences yield unique values for a and b: a = 5 and b = 3.
For the mapping 5α + 3, we get the following translation table from cryptotext into plaintext.

Crypto: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Plain:  P K F A V Q L G B W R M H C X S N I D Y T O J E Z U
Applying this table to our cryptotext, we start getting the following plaintext:

KGWTG CKTMD ...
This nonsense does not look very promising. English should have also some vowels! Let us make another try. We still assume that the most frequent letter E is mapped to the most frequent letter X. But instead of the second highest frequencies, we now consider the third highest: assume that A is mapped into H. This gives the congruences

4a + b ≡ 23 and b ≡ 7.

There are two solutions for a: a = 4 and a = 17. However, the former is illegal and thus the mapping must be 17α + 7. The translation table is now

Crypto: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Plain:  V S P M J G D A X U R O L I F C Z W T Q N K H E B Y
This gives the plaintext

SAUNA ISNOT KNOWN TOBEA FINNI SHINV
ENTIO NBUTT HEWOR DISFI NNISH THERE
AREMA NYMOR ESAUN ASINF INLAN DTHAN
ELSEW HEREO NESAU NAPER EVERY THREE
ORFOU RPEOP LEFIN NSKNO WWHAT ASAUN
AISEL SEWHE REIFY OUSEE ASIGN SAUNA
ONTHE DOORY OUCAN NOTBE SURET HATTH
EREIS ASAUN ABEHI NDTHE DOOR
Much better! Let us still write this with ordinary spacing and punctuation: Sauna is not known to be a Finnish invention but the word is Finnish. There are many more saunas in Finland than elsewhere: one sauna per every three or four people. Finns know what a sauna is. Elsewhere if you see a sign “sauna” on the door, you cannot be sure that there is a sauna behind the door.

The reader might want to verify that the letters in the high-frequency class are exactly what they should be, whereas the plaintext letters C and M from the middle class have been interchanged with the letters B and V from the low class. This is no wonder because in a plaintext of length 234 the average expected frequencies of these letters range from 2 to 7. In this range, a small change to the expected values can be caused only “locally” by one or two specific words. A final word about the contents of the plaintext should be added. The cryptanalyst is not supposed to know that many of our examples deal with sauna. Otherwise, he/she might simply try SAUNA for the repeating letter combination BHJUH! □

This concludes our discussion about affine systems, both from the point of view of cryptosystems and cryptanalysis. Although practical a few centuries ago, affine systems are today used only to illustrate certain basic cryptographic issues. A mathematically natural generalization of affine systems are the polynomial cryptosystems: instead of a linear function f(α) = aα + b we choose an arbitrary polynomial function. However, polynomial systems are of very minor cryptographic interest. Recall that the main motivation for affine systems is key management: we want to represent the encryption and decryption key in a compact form. The key consists always of a sequence of 26 letters. The representation in terms of a polynomial might be as complicated as the obvious representation in terms of the sequence itself.
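The affine system and the two-letter frequency attack of Example 1.3, as an added example that is not the book's own code. The cryptotext is the 234-letter one from the page; the key-solving step tries all 12 legal values of a against the two guessed congruences, which also covers the case with two solutions (a = 4 or 17) shown in the text.

```python
# Added example (not the book's code): the affine system a*alpha + b (mod 26)
# and the frequency attack of Example 1.3.  CRYPTOTEXT is the cryptotext
# from the page, written in reading order.
from collections import Counter
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ENGLISH_HIGH = set("ETAONISRH")       # the nine high-frequency letters of the text

CRYPTOTEXT = (
    "BHJUHNBULSVULRUSLYXHONUUNBWNUAXUSNLUYJSSWXRLKGNBONUUNBWSWXKX"
    "HKXDHUZDLKXBHJUHBNUONUMHUGSWHUXMBXRWXKXLUXBHJUHCXKXAXKZSWKXX"
    "LKOLJKCXLCMXONUUBVULRRWHSHBHJUHNBXMBXRWXKXNOZLJBXXHBNFUBHJUH"
    "LUSWXGLLKZLJPHUULSYXBJKXSWHSSWXKXNBHBHJUHYXWNUGSWXGLLK"
)


def affine_encrypt(plain, a, b):
    """alpha -> a*alpha + b (mod 26); a must be relatively prime to 26."""
    if gcd(a, 26) != 1:
        raise ValueError("a and 26 must be relatively prime")
    return "".join(ALPHABET[(a * ALPHABET.index(ch) + b) % 26] for ch in plain)


def affine_decrypt(crypto, a, b):
    a_inv = pow(a, -1, 26)             # exists exactly because gcd(a, 26) == 1
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % 26] for ch in crypto)


def all_keys():
    """The 12*26 - 1 = 311 legal keys (a = 1, b = 0 is the identity and is excluded)."""
    return [(a, b) for a in range(26) if gcd(a, 26) == 1
            for b in range(26) if (a, b) != (1, 0)]


def collisions(a, b):
    """Substitutes hit by more than one letter when a is not coprime to 26."""
    preimages = {}
    for ch in ALPHABET:
        preimages.setdefault(ALPHABET[(a * ALPHABET.index(ch) + b) % 26], []).append(ch)
    return {sub: src for sub, src in preimages.items() if len(src) > 1}


def solve_key(guesses):
    """Legal (a, b) with a*p + b = c (mod 26) for two guessed (plain, crypto) pairs.

    The two congruences may have one solution, several (a = 4 or 17 in the
    text, of which only 17 is legal), or none, so a list is returned.
    """
    (p1, c1), (p2, c2) = [(ALPHABET.index(p), ALPHABET.index(c)) for p, c in guesses]
    keys = []
    for a in range(26):
        if gcd(a, 26) != 1:
            continue
        b = (c1 - a * p1) % 26
        if (a * p2 + b) % 26 == c2:
            keys.append((a, b))
    return keys


def frequency_order(text):
    return [ch for ch, _ in Counter(text).most_common()]


def english_score(candidate):
    """How many of the candidate plaintext's nine most frequent letters are in ETAONISRH."""
    return len(set(frequency_order(candidate)[:9]) & ENGLISH_HIGH)


def break_affine(crypto):
    """Follow the text: E is the most frequent cryptotext letter; try T, then A,
    for the next ones and keep the key whose plaintext looks most like English."""
    order = frequency_order(crypto)
    best = None
    for plain_letter, crypto_letter in (("T", order[1]), ("A", order[2])):
        for a, b in solve_key([("E", order[0]), (plain_letter, crypto_letter)]):
            candidate = affine_decrypt(crypto, a, b)
            scored = (english_score(candidate), (a, b), candidate)
            if best is None or scored[0] > best[0]:
                best = scored
    return best[1], best[2]
```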
We discuss next another monoalphabetic system, called the KEYWORD-CAESAR. Choose first a number k, 0 ≤ k ≤ 25, and a word or a short sentence, referred to as the keyword. All letters in the keyword should be distinct. Let us choose the keyword HOW MANY ELKS and the number 8. The keyword is now written below the alphabet, beginning from the letter whose numerical encoding is the chosen number:

0               8                                 25
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
                H O W M A N Y E L K S

The remaining letters are written in the alphabetic order after the keyword:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
PQRTUVXZHOWMANYELKSBCDFGIJ

We now have the substitutes for each letter. The plaintext ERROLFLYNN is encrypted as UKKYMVMINN. It is not necessary to require that the letters of the keyword be distinct. We may simply write the keyword without repetitions. For instance, the keyword ENGLAND EXPECTS EVERY MAN TO DO HIS DUTY and the number 2 yield the translation table:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
WZENGLADXPCTSVRYMOHIUBFJKQ

The number of keys in KEYWORD-CAESAR is large. Although it might be impossible to find keywords for all of the 26! possible orders of the letters, this can be accomplished for substantially big subclasses. We now again take the cryptanalyst's point of view.

Example 1.4. KEYWORD-CAESAR (possibly with repetitions in the keyword) was used to produce the following cryptotext, where also the original spaces between plaintext English words were preserved:
T IVD ZCRTIC FQNIQ TU TF Q XAVFCZ FEQXC PCQUCZ WK Q FUVBC FNRRTXTCIUAK WTY
DTUP MCFECXU UV UPC BVANHC VR UPC FEQXC UPC FUVBC XVIUQTIF FUVICF NFNQAAK
VI UPC UVE UV UQGC Q FQNIQ WQUP TU TF QAFV ICXCFFQMK UPQU UPC FUVBC TF
EMVECMAK PCQUCZ QIZ UPQU KVN PQBC UPC RQXTATUK VR UPMVDTIY DQUCM VI UPC FUVICF
Frequency count yields the following distribution among the 241 letters.

High:     U   C   Q   F   V   P   T   I   A
Number:  32  31  23  22  20  15  15  14   8    total 180 = 74.69 %
Middle:   X   K   N   E   M   R   B   Z   D    total  54 = 22.41 %
Low:      the remaining letters                total   7 =  2.90 %
Comparing the frequency of A with the frequencies in the middle group, we see that any letter in the middle group can be among the high-frequency letters E, T, A, O, N, I, S, R, H. Moreover, the frequencies at the low end do not give much information, especially because the text is short. However, we can start with the high-frequency letters other than A. A couple of tries will give the right choice, after which the remaining letters, few in number of occurrences, can be fitted in their proper places.

However, there is an obvious shortcut that makes the cryptanalytic task very easy. This shortcut demonstrates how dangerous it is to preserve the original plaintext spacing in the cryptotext. The cryptotext contains the one-letter words T and Q. They must be A and I. Since T occurs once and Q three times, it is likely that T is I and Q is A. It becomes almost sure when we look at the frequency count concerning T and Q. The three-letter word UPC occurs seven times, whereas the other three-letter words occur only once. UPC must be THE, this conclusion being marvellously confirmed by the frequency count. We can now decrypt the letters C, P, Q, T, U in the high-frequency group. The continuation is easy. From the words TU TF (occurring twice!) we learn that F is S, and from the word UV that V is O. The word VI and the fact that I has high frequency tell us that I is N; the assumption that I is R is refuted by the word XVIUQTIF. After decrypting eight of the nine high-frequency letters, we have lots of words in the cryptotext with only one unknown letter. This leads to the decryption of the remaining letters, one by one. The decryption table is:
Crypto: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Plain:  L V E W P S K M N ? Y ? R U ? H A F ? I T O B C G D
We write the plaintext using also punctuation.
I now define sauna. It is a closed space heated by a stove sufficiently big with respect to the volume of the space. The stove contains stones, usually on the top. To take a sauna bath it is also necessary that the stove is properly heated and that you have the facility of throwing water on the stones. We transform the decryption table into an encryption table by arranging the plaintext letters in the alphabetic order.
Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Crypto: Q W X Z C R Y P T ? G A H I V E ? M F U N B D ? K ?

Hence, the keyword is CRYPTOGRAPHY GIVES ME FUN, starting from position 4. The letters J, Q, X, Z missing from the plaintext should be encrypted as O, S, J, L, respectively. We note, finally, that the English high-frequency letter R is missing from the class of high-frequency letters of our plaintext. □

The simplest defense against attacks based on frequency counts is provided by the cryptosystem HOMOPHONES. This system is not any more monoalphabetic: plaintext letters have several substitutes. The number of substitutes is proportional to the frequency of the letter. Thus, the English letter E should have 3 substitutes for each substitute of the letter L, and 123 substitutes for each substitute of the letter J. To encrypt an occurrence of a letter, we pick at random one of its substitutes. (We follow the distribution tables in Example 1.3.) Thus, the encryption method is not a function. The substitutes (often called homophones) might be three-digit numbers from 000 to 999. We assign E randomly 123 of these numbers. J and Z get both one number, and B and G both 16 numbers. The nine letters in the high-frequency class get altogether 700 numbers. If the homophones are assigned randomly to different occurrences of the same letter, every homophone is equally likely to appear in the cryptotext. Hence, simple frequency count does not buy the cryptanalyst anything. However, information is available also about the distribution of pairs of letters and triples of letters in various natural languages. Cryptanalysis based on such information might still be successful.
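KEYWORD-CAESAR table construction and the spacing shortcut of Example 1.4, as an added example that is not the book's own code. The three keyword tables and the cryptotext are the ones from the page; `partial_decrypt` is a hypothetical helper showing how the recovered letters are applied while the rest are still unknown.

```python
# Added example (not the book's code): KEYWORD-CAESAR tables as constructed in
# the text, and the spacing shortcut used in Example 1.4.  CRYPTOTEXT is the
# page's cryptotext with the plaintext word spacing preserved.
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def keyword_caesar_table(keyword, k):
    """Substitutes for A..Z: the keyword (repeated letters dropped) is written
    under the alphabet starting at the letter with encoding k, then the
    remaining letters follow in alphabetic order, wrapping around."""
    seen = []
    for ch in keyword.replace(" ", "").upper():
        if ch not in seen:
            seen.append(ch)
    substitutes = seen + [ch for ch in ALPHABET if ch not in seen]   # a permutation
    table = {ALPHABET[(k + i) % 26]: sub for i, sub in enumerate(substitutes)}
    return "".join(table[ch] for ch in ALPHABET)


def encrypt(plain, table):
    return "".join(table[ALPHABET.index(ch)] if ch in ALPHABET else ch for ch in plain)


def decrypt(crypto, table):
    return "".join(ALPHABET[table.index(ch)] if ch in ALPHABET else ch for ch in crypto)


CRYPTOTEXT = (
    "T IVD ZCRTIC FQNIQ TU TF Q XAVFCZ FEQXC PCQUCZ WK Q FUVBC FNRRTXTCIUAK WTY "
    "DTUP MCFECXU UV UPC BVANHC VR UPC FEQXC UPC FUVBC XVIUQTIF FUVICF NFNQAAK "
    "VI UPC UVE UV UQGC Q FQNIQ WQUP TU TF QAFV ICXCFFQMK UPQU UPC FUVBC TF "
    "EMVECMAK PCQUCZ QIZ UPQU KVN PQBC UPC RQXTATUK VR UPMVDTIY DQUCM VI UPC FUVICF"
)


def spacing_clues(crypto):
    """What preserved spacing gives away: the one-letter words (A or I in
    English) and the most common three-letter word (very likely THE)."""
    words = crypto.split()
    singles = Counter(w for w in words if len(w) == 1)
    three, count = Counter(w for w in words if len(w) == 3).most_common(1)[0]
    return singles, three, count


def partial_decrypt(crypto, known):
    """Hypothetical helper: apply the letters recovered so far, '?' for the rest."""
    return "".join(known.get(ch, "?") if ch in ALPHABET else ch for ch in crypto)
```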
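The HOMOPHONES system described above, as an added example that is not the book's own code: the 1000 three-digit numbers are shared out in proportion to the English frequency table of this section (largest-remainder rounding, an assumption of this example, reproduces the 123 / 16 / 1 figures of the text), and each occurrence of a letter is encrypted with a randomly chosen homophone.

```python
# Added example (not the book's code): the HOMOPHONES system.  Each letter gets
# a share of the numbers 000..999 proportional to its English frequency (the
# table of Section 1.2, from [Ga]); every occurrence picks a random homophone.
import random
from collections import Counter

# frequencies in hundredths of a percent, so that the allocation is exact integer work
FREQ = {"E": 1231, "T": 959, "A": 805, "O": 794, "N": 719, "I": 718, "S": 659,
        "R": 603, "H": 514, "L": 403, "D": 365, "C": 320, "U": 310, "P": 229,
        "F": 228, "M": 225, "W": 203, "Y": 188, "B": 162, "G": 161, "V": 93,
        "K": 52, "Q": 20, "X": 20, "J": 10, "Z": 9}


def homophone_counts(freq=FREQ, total=1000):
    """Largest-remainder allocation of `total` homophones in proportion to freq."""
    scale = sum(freq.values())                        # 10000 == 100.00 %
    counts = {ch: w * total // scale for ch, w in freq.items()}
    remainders = {ch: w * total % scale for ch, w in freq.items()}
    leftover = total - sum(counts.values())
    for ch in sorted(freq, key=remainders.get, reverse=True)[:leftover]:
        counts[ch] += 1
    return counts


def assign_homophones(counts, rng):
    """Randomly split the numbers 000..999 among the letters according to counts."""
    numbers = [f"{n:03d}" for n in range(sum(counts.values()))]
    rng.shuffle(numbers)
    table, start = {}, 0
    for ch, n in counts.items():
        table[ch] = numbers[start:start + n]
        start += n
    return table


def encrypt(plain, table, rng):
    """Encryption is not a function: each occurrence picks one of its homophones."""
    return [rng.choice(table[ch]) for ch in plain if ch in table]


def decrypt(crypto, table):
    lookup = {h: ch for ch, homophones in table.items() for h in homophones}
    return "".join(lookup[h] for h in crypto)


def peak_frequency(crypto):
    """Count of the most common symbol: the quantity a frequency count would
    exploit.  With homophones every symbol is equally likely, so it stays small
    even though E alone is about 12 % of the plaintext."""
    return Counter(crypto).most_common(1)[0][1]
```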
1.3 Polyalphabetic and Other Systems

Recall that a cryptosystem is called monoalphabetic if the use of substitutes remains unaltered throughout the text. Monoalphabetic systems are to be contrasted with polyalphabetic ones: the use of substitutes varies in different parts of the plaintext. But are the substitutes used for individual letters or, say, pairs of letters? Clearly, it is only a matter of definition if one operates with a basic alphabet whose elements are ordered pairs of English letters. If the substitute for such a pair is always the same, we call the system monoalphabetic.
In Section 1.2, our examples of a monoalphabetic substitution dealt with individual letters and substitutions for them. Thus, the systems were monoalphabetic in a very strict sense. We now consider a cryptosystem based on substitutions for pairs of letters, where the substitute for each pair remains the same throughout the text. Such a cryptosystem can be viewed as monoalphabetic “in a wider sense.” Later on in this section we discuss polyalphabetic systems: they are not monoalphabetic even in a wider sense.

Recall Hill's system discussed in Example 1.2. If the dimension of the matrices is two, we encrypt pairs of letters. Although the letter A may be encrypted differently in different parts of the plaintext, pairs such as AL will be encrypted in the same way, provided the distance of the pair from the beginning of the plaintext is even. The occurrences of AL in the plaintexts FISCAL and ALMOST are encrypted in the same way, whereas the occurrence in CALL is likely to be encrypted differently because AL does not appear as a block in the block division. In any case, Hill's system is monoalphabetic in the wider sense. Simple frequency count will not be sufficient for cryptanalysis. More sophisticated frequency counts, such as statistical analysis of pairs of letters, will be needed. This problem will be discussed in Example 1.5.

The system we want to discuss now is PLAYFAIR, named after Baron Playfair of St. Andrews. The letters of the English alphabet, with J omitted, are arranged in a 5 × 5 square, for instance:

S R H T B
Y I C N K
D P A O M
W U X G Q
Z L F E V
The square is the basis for encryption (and decryption) according to the following rules.

(i) The plaintext is divided into blocks consisting of two letters each. It is taken care of that no block contains two occurrences of the same letter and that the text is of even length. If this is not the case originally, the text has to be modified. Perhaps even an irrelevant spelling error has to be implemented. For instance, ALL MEN is a legal plaintext with block division AL LM EN, whereas KISS ME and WHERE ARE YOU do not satisfy our rules. The former has a double letter in the block division, and the latter is of odd length.

(ii) We know that each plaintext block consists of two distinct letters. The encryption of a block happens as follows, using the square. If the two letters are not in the same row or column, for instance A and E, then we look at the corners of the rectangle determined by the two letters, in our case A, F, O, E. The pair AE is mapped into FO. The order in FO is determined by the condition that F is in the same column as A and O in the same column as E. Similarly EA is mapped into OF, OF into EA, SV into ZB, RC into IH, and TL into ER. If the two letters are in the same row (resp. column), we go one step to the right (resp. below), and do this cyclically.
Thus, HA is mapped into CX, WX into UG, CA into AX, DM into PD, and RL into IR.

Let us now try to encrypt the plaintext CRYPTO ENIGMA. (The cryptosystem used by the German military forces in the Second World War was based on the ENIGMA machine.) The block division of the plaintext is: CR YP TO EN IG MA. We observe that CR, YP and IG go to HI, DI and UN, respectively. Here we are dealing with the rectangle rule. The pairs TO and EN lie in the same column and go to NG and TO, respectively. Finally, the pair MA lies in the same row and goes to DO. Thus, the entire cryptotext will be HIDING TO UNDO. Our square is able to work with semantics marvellously!

It does not make any difference for a Playfair square if some columns are transferred from one side to the other, or some rows from top to bottom. Only the cyclical order of rows and columns has to be preserved. The reader may verify that the square

P A O M D
U X G Q W
L F E V Z
R H T B S
I C N K Y

is equivalent to our original square, that is, both squares encrypt any plaintext in the same way.

Our rules for the PLAYFAIR system are by no means the only possible ones. Double letters in the plaintext can be handled differently, for instance, by inserting a specified letter (often Q) in between. The 5 × 5 rectangle may be replaced by a 4 × 6 or 3 × 9 rectangle, with the corresponding change in the size of the alphabet. Also a pair lying in the same row (resp. column) can be encrypted as the pair lying immediately beneath (resp. to the right), cyclically.

We emphasized in Section 1.2 that the main motivation for systems such as KEYWORD-CAESAR is key management: instead of an arbitrary permutation of 26 letters, we have a simple way of representing the key. Such a simple representation is desirable also for the PLAYFAIR system. Rather than having to remember a 5 × 5 square of letters, we want something simpler. Keywords are useful also for PLAYFAIR. We choose a keyword with no two occurrences of the same letter. We begin the square with the keyword, after which come the remaining letters (except J) in the alphabetic order. Thus, the keyword HOW MANY ELKS yields the square

H O W M A
N Y E L K
S B C D F
G I P Q R
T U V X Z

We are again ready to enter the world of the cryptanalyst. We do this in terms of a longer example.
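PLAYFAIR with exactly the rules of the text, as an added example that is not the book's own code: the block-division checks of rule (i), the rectangle / same-row / same-column rules of rule (ii), decryption by the reverse steps, keyword squares, and the squares from the page (including the cycled one the reader is asked to verify).

```python
# Added example (not the book's code): PLAYFAIR with the rules of the text.
# Rectangle rule: each letter is replaced by the corner in its own column and
# the other letter's row; same row: one step right; same column: one step
# down, both cyclically.  The squares are the ones from the page.
ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"          # J omitted

SQUARE = ["SRHTB", "YICNK", "DPAOM", "WUXGQ", "ZLFEV"]
# the same square with rows and columns cycled; the text claims it is equivalent
CYCLED = ["PAOMD", "UXGQW", "LFEVZ", "RHTBS", "ICNKY"]


def keyword_square(keyword):
    """Keyword (no repeated letters) first, then the remaining letters except J."""
    seen = []
    for ch in keyword.replace(" ", "").upper():
        if ch in seen:
            raise ValueError("keyword must not repeat a letter")
        seen.append(ch)
    letters = seen + [ch for ch in ALPHABET if ch not in seen]
    return ["".join(letters[i:i + 5]) for i in range(0, 25, 5)]


def blocks(text):
    """Rule (i): two-letter blocks, even length, no block with a doubled letter."""
    text = text.replace(" ", "").upper()
    if len(text) % 2:
        raise ValueError("odd length: %s" % text)
    pairs = [text[i:i + 2] for i in range(0, len(text), 2)]
    if any(p[0] == p[1] for p in pairs):
        raise ValueError("double letter in a block: %s" % text)
    return pairs


def _positions(square):
    return {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}


def _substitute(pair, square, step):
    """Rule (ii).  step = +1 encrypts; step = -1 decrypts (left / up instead)."""
    pos = _positions(square)
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                                   # same row
        return square[r1][(c1 + step) % 5] + square[r2][(c2 + step) % 5]
    if c1 == c2:                                   # same column
        return square[(r1 + step) % 5][c1] + square[(r2 + step) % 5][c2]
    return square[r2][c1] + square[r1][c2]         # rectangle: own column, other's row


def playfair_encrypt(plain, square):
    return "".join(_substitute(p, square, +1) for p in blocks(plain))


def playfair_decrypt(crypto, square):
    return "".join(_substitute(p, square, -1) for p in blocks(crypto))
```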
Example 1.5. The famous detective Brother White was investigating the mysterious disappearance of the Texan multimillionaire J.R. Oil. JR had just vanished without leaving any trace. By some ingenious deductions that are of no concern for us, Brother White was able to find an encrypted letter with the following text:
QN IH PS YF QN KA MC HC XT OI
MC IQ FL FS RZ MF DT DF CM
FS HA TU SD AK PF IT SM IT XI MB QN ST AQ FT IT FT QN QM
LK XR CB EF EU IL QN YF FM QN NX FM LT TI SN QN QA FX BA
CM QM NX IF MC BM FX WE AQ FY XM ML PI DF GS FG AB NO LH
LT BQ MC QN TI WD MB BA AK RX AE SN QI SM UD LN FY XC
HC IE IF LQ IE DF FT AB QN NV OW AH QN AK FM BQ IT TF
SM QN NX FL QN RE FT QE MX OR FT QN DS FO SA QE MX SM
MC AK MC YD MS IV DX IV ZU RB LR QL VK XM WA AR DK FK
VK RD IT SB IQ KA AK OI
DS RA NC TW AR VA LN VA FM OY
Brother White went to sauna. He had learned that sauna heat opens the veins in his brain, after which he thinks very clearly. According to his experience, the most difficult problems were “three sauna” problems, whereas he thought this problem would be cracked during one sauna session. Together with the encrypted letter, Brother White had found a beautifully ornamented silver key. The length of the key was exactly three inches. Brother White knew J.R. Oil as an enthusiastic sportsman. Fair play was one of the issues JR always emphasized. There it was! PLAYFAIR with a key of length three! Brother White was now sure he could decrypt the letter.

After coming back from sauna, Brother White looked into his notes about the distribution of pairs of letters, digrams. In English, the most frequent digrams, [Ga], are:

TH 6.3 %   IN 3.1 %   ER 2.7 %   RE 2.5 %   AN 2.2 %   HE 2.2 %
AR 2.0 %   EN 2.0 %   TI 2.0 %   TE 1.9 %   AT 1.8 %   ON 1.7 %
HA 1.7 %   OU 1.4 %   IT 1.4 %   ES 1.4 %   ST 1.4 %   OR 1.4 %
1. Classical Two-way Cryptography
Although irrelevant for the present problem, Brother White also observed the most common digrams in other languages.

German: EN ER CH DE GE EI IE IN NE ND BE EL TE UN ST DI NO UE SE AU
Finnish: EN TA IS IN ST AN TT SI AA IT LL TE SE AI KA SA VA LI AL TI
French: ES EN OU DE NT TE ON SE AI IT LE ET ME ER EM OI UN QU
Italian: ER ES ON RE EL EN DE DI TI SI AL AN RA NT TA CO
Spanish: ES EN EL DE LA OR TA CO OS AR UE RA RE ER AS ON ST AD AL
Brother White took notice that he had statistics about trigrams, tetragrams and reversible pairs in different languages. He also knew quite a bit about the distribution of vowels and consonants, as well as about the likelihood of a letter to begin or end a word. He realized that PLAYFAIR destroys all information concerning the beginning and end of words. He realized also that he loses some information if he counts the digrams only as they appear in the cryptotext, ignoring digrams coming from different pairs such as NF, SL, KC at the beginning. However, he was fully aware that no digram statistics can be absolute: some statistics include digrams such as LM in CALL ME, whereas some others do not include them, etc. Brother White estimated that he would still have enough information from the frequency count of the digrams just as they appeared in the cryptotext. There are 97 different digrams among the altogether 166 digrams of the cryptotext. 97 represents 16.2% of all possible 25 · 24 = 600 PLAYFAIR digrams. Brother White knew that this is quite normal: even in a much longer text it is unlikely that you get more than 40% of all possible digrams. Most of the theoretically possible digrams never appear in English. The digrams occurring more than three times in the cryptotext are:

QN  13 occurrences  (7.8%)
MC   6 occurrences  (3.6%)
AK   5 occurrences  (3.0%)
FT   5 occurrences  (3.0%)
IT   5 occurrences  (3.0%)
FM   4 occurrences  (2.4%)
SM   4 occurrences  (2.4%)
Brother White knew that this was only some very preliminary information. He could study also the other pairs, letters forming pairs with many letters, etc. However, he wanted to begin with a direct attack. It seemed clear that QN is the pair TH in disguise. How much could be deduced from this? Figure 1.4 shows the Playfair square Brother White has to fill in. The length of the keyword is three. After the key, all letters follow in the alphabetic order.
Fig. 1.4
Thus, TH is mapped into QN. This is not possible if H, N, Q, T are in the same row. The alphabetic order would certainly not be preserved. What about their being in the same column? T has to precede Q cyclically, and H has to precede N. Because of the alphabetic order, T has to be in the bottom row and Q in the top row. Moreover, the letters U, V, W, X, Y, Z have to follow T, with the exception of the letters appearing in the keyword. This is possible only if two of the six letters mentioned are in the keyword, and T lies in the leftmost column. This means that the square is

Q U X A B
C D E F G
H I K L M
N O P R S
T V W Y Z

The only possible variation is that, instead of U and X, any two of the letters U, V, W, X, Y, Z may appear after Q in the keyword. The remaining four letters follow T on the bottom row in alphabetic order. Does this make any sense? Brother White noticed, looking at the other frequent digrams, that MC would come from HG, FM from GL, and SM from MG. Also AK, FT and IT would come from very infrequent, if not nonexistent, English digrams. Brother White concluded that the square is not correct and, hence, QN must come from TH via a rectangle. This rectangle must lie in the square after the keyword. Otherwise, it is not possible to preserve the alphabetic order. Hence, the rectangle looks like:

H . . . N
Q . . . T

The letters I, K, L, M must be between H and N, the letters O, P between N and Q, and the letters R, S between Q and T. This is said with the reservation that at most three of the in-between letters might be missing because they appear in the keyword. Of course, because of the alphabetic order no other letters than those mentioned can be between the three pairs. Still, H, N, Q, T must form a rectangle. How many of the letters I, K, L, M are in the keyword? Less than two is not possible because there are at most two letters
between Q and T. More than two is also not possible because then there would be too many letters in the keyword. Hence, exactly two of the letters I, K, L, M are in the keyword. This implies that exactly one of the letters O, P is in the keyword. Otherwise, there can be no rectangle. What could such a keyword be? Knowing JR, the answer was obvious for Brother White: the keyword is OIL! Brother White jotted down quickly the square

O I L A B
C D E F G
H K M N P
Q R S T U
V W X Y Z
and started the decryption:

TH ET IM EH AS CO ME HE WH
OK NO WS SH OU LD TH IN KI
MU ST GO MY HE AD MY HE AR
TA RE DE AD TH OS EA WF UL
TH IN GS HE RA LD TH EM OR
NI NG OI LP RI CE SD OW NI
HE AR TH EY PL AN AN EW IN
CO ME TA XD AL LA SC OW BO
YS AR EN OT IN TH ES UP ER
BO WL TH AT SW HY IQ UI TI
HE LP MY SE LF IV AN IS HF
OR TH EN EX TM ON TH SO RY
EA RS AS KB RO TH ER WH IT
ET OT RA CE ME IN CA SE YO
UW AN TM EU RG EN TL YI AM
NE AR TH EF AM OU SC IT YO
FR AN TO LA AT AR ES ID EN
CE TH EY HA VE NA ME DN AV
EH SH AL OM
Brother White wrote the same with the normal punctuation: The time has come. He who knows should think. I must go. My head, my heart are dead. Those awful things herald the morning. Oil prices down. I hear they plan a new income tax. Dallas Cowboys are not in the Superbowl. That’s why I quit. I help myself. I vanish for the next months or years. Ask Brother White to trace me in case you want me urgently. I am near the famous city of Rantola at a residence they have named Naveh Shalom.
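PLAYFAIR as used in Example 1.5, as an added example (not the book's code): the square is built from a keyword as described above, the digrams are encrypted by the same-row, same-column and rectangle rules, and the digram frequency count Brother White started from is produced from the cryptotext. The plaintext is J.R. Oil's letter from the example with the punctuation removed.

```python
# Added example (not from the book): PLAYFAIR with the conventions of Example 1.5.
# Square: keyword first (J omitted), then the remaining letters row by row.
# Rules: same row -> letter to the right, same column -> letter below,
# otherwise each letter keeps its row and takes the other letter's column.
from collections import Counter

ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"  # 25 letters, J is dropped


def build_square(keyword):
    """Five 5-letter strings: keyword letters (deduplicated), then the rest in order."""
    seen = []
    for ch in keyword.upper().replace("J", "I") + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return ["".join(seen[r * 5:(r + 1) * 5]) for r in range(5)]


def locate(square, letter):
    for r, row in enumerate(square):
        c = row.find(letter)
        if c >= 0:
            return r, c
    raise ValueError("not in square: " + letter)


def transform_pair(square, pair, step):
    """One digram; step=+1 encrypts, step=-1 decrypts."""
    (r1, c1), (r2, c2) = locate(square, pair[0]), locate(square, pair[1])
    if r1 == r2:                      # same row: move right (left when decrypting)
        return square[r1][(c1 + step) % 5] + square[r2][(c2 + step) % 5]
    if c1 == c2:                      # same column: move down (up when decrypting)
        return square[(r1 + step) % 5][c1] + square[(r2 + step) % 5][c2]
    return square[r1][c2] + square[r2][c1]   # rectangle: the same rule both ways


def to_digrams(text):
    """Letters only, J read as I; a doubled pair is split by X, odd length padded with X."""
    letters = [ch for ch in text.upper().replace("J", "I") if ch in ALPHABET]
    out, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            out.append(a + "X")
            i += 1
        else:
            out.append(a + b)
            i += 2
    return out


def encrypt(square, plaintext):
    return [transform_pair(square, d, +1) for d in to_digrams(plaintext)]


def decrypt(square, digrams):
    return "".join(transform_pair(square, d, -1) for d in digrams)


def digram_frequencies(digrams):
    """(digram, count, percent of all digrams), most frequent first."""
    total = len(digrams)
    return [(d, n, round(100.0 * n / total, 1)) for d, n in Counter(digrams).most_common()]


# J.R. Oil's letter from Example 1.5 with the punctuation removed.
PLAINTEXT = (
    "THE TIME HAS COME HE WHO KNOWS SHOULD THINK I MUST GO MY HEAD MY HEART ARE DEAD "
    "THOSE AWFUL THINGS HERALD THE MORNING OIL PRICES DOWN I HEAR THEY PLAN A NEW INCOME TAX "
    "DALLAS COWBOYS ARE NOT IN THE SUPERBOWL THATS WHY I QUIT I HELP MYSELF I VANISH FOR THE "
    "NEXT MONTHS OR YEARS ASK BROTHER WHITE TO TRACE ME IN CASE YOU WANT ME URGENTLY I AM NEAR "
    "THE FAMOUS CITY OF RANTOLA AT A RESIDENCE THEY HAVE NAMED NAVEH SHALOM"
)

if __name__ == "__main__":
    square = build_square("OIL")
    print("\n".join(square))
    crypto = encrypt(square, PLAINTEXT)
    print(len(crypto), "digrams,", len(set(crypto)), "different")
    for d, n, pct in digram_frequencies(crypto)[:7]:    # QN 13 7.8%, MC 6 3.6%, ...
        print(d, n, pct)
    print(decrypt(square, crypto) == "".join(to_digrams(PLAINTEXT)))
```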
Brother White knew he had luck with his basic assumptions. However, also his argumentation based on the assumptions had been correct. Good cryptanalysts, just like good goalkeepers, must also have some luck. Brother White considered the case closed.

We repeat the main idea behind polyalphabetic cryptosystems. The first letter in the plaintext is encrypted in a certain way, whereas the next letter may be encrypted by a different principle, and so forth. Thus, the letter A may be encrypted in many ways; the substitutes for A and other letters come from many alphabets. This is also a good defense against the simple frequency count: there will be no unique disguised version of A in the cryptotext. One of the oldest and best known polyalphabetic systems is VIGENERE, named after the French cryptographer Blaise de Vigenere (1523-1596).

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Fig. 1.5
VIGENERE is like the CAESAR system, where the key varies from step to step. The Vigenere square of Fig. 1.5 is customarily used for encryption and decryption. Each column can be viewed as a CAESAR system, with keys 0, 1, . . . , 25. One reads the plaintext from the rows and the CAESAR keys from the columns. The latter are usually expressed in terms of a keyword. For instance, for the encryption of the plaintext PURPLE under the keyword CRYPTO, we first look at the intersection of the P-row and C-column, getting R. The whole cryptotext will be RLPEES. The same cryptotext results if we interchange the roles of the rows and the columns in the encryption process. For the decryption, we look in which row R lies in the C-column. In this way we find P, and so forth. The keyword is customarily applied in a periodic fashion. If the plaintext is longer, the keyword is started anew from the beginning. For instance, the keyword CRYPTO is applied to a plaintext of 15 letters in the form CRYPTOCRYPTOCRY.
Z Y X W V U T S R Q P O N M L K J I H G F E D C B A
A Z Y X W V U T S R Q P O N M L K J I H G F E D C B
B A Z Y X W V U T S R Q P O N M L K J I H G F E D C
C B A Z Y X W V U T S R Q P O N M L K J I H G F E D
D C B A Z Y X W V U T S R Q P O N M L K J I H G F E
E D C B A Z Y X W V U T S R Q P O N M L K J I H G F
F E D C B A Z Y X W V U T S R Q P O N M L K J I H G
G F E D C B A Z Y X W V U T S R Q P O N M L K J I H
H G F E D C B A Z Y X W V U T S R Q P O N M L K J I
I H G F E D C B A Z Y X W V U T S R Q P O N M L K J
J I H G F E D C B A Z Y X W V U T S R Q P O N M L K
K J I H G F E D C B A Z Y X W V U T S R Q P O N M L
L K J I H G F E D C B A Z Y X W V U T S R Q P O N M
M L K J I H G F E D C B A Z Y X W V U T S R Q P O N
N M L K J I H G F E D C B A Z Y X W V U T S R Q P O
O N M L K J I H G F E D C B A Z Y X W V U T S R Q P
P O N M L K J I H G F E D C B A Z Y X W V U T S R Q
Q P O N M L K J I H G F E D C B A Z Y X W V U T S R
R Q P O N M L K J I H G F E D C B A Z Y X W V U T S
S R Q P O N M L K J I H G F E D C B A Z Y X W V U T
T S R Q P O N M L K J I H G F E D C B A Z Y X W V U
U T S R Q P O N M L K J I H G F E D C B A Z Y X W V
V U T S R Q P O N M L K J I H G F E D C B A Z Y X W
W V U T S R Q P O N M L K J I H G F E D C B A Z Y X
X W V U T S R Q P O N M L K J I H G F E D C B A Z Y
Y X W V U T S R Q P O N M L K J I H G F E D C B A Z
Fig. 1.6 Beaufort square
There are, of course, many other squares that are easy to remember and can be used as a basis for a polyalphabetic system in the same way as the Vigenere square. One of the best known is the Beaufort square of Fig. 1.6: the rows are the rows of the Vigenere square written in reverse order. It is named after admiral Sir Francis Beaufort, also the creator of the Beaufort scale for wind velocities. While in the Vigenere square the first row and column also give the indices for columns and rows, respectively, the first row and the last column serve the same purpose for the Beaufort square. Thus, the first cryptotext letter when encrypting PURPLE with the keyword CRYPTO is obtained from the two squares as follows:

(Figure: the Vigenere square and the Beaufort square, each with the row and column for the plaintext letter P and the key letter C marked.)
The general term periodic refers to polyalphabetic cryptosystems, where the alphabets of substitutes are repeated in a periodic fashion. A typical example is VIGENERE with a periodically repeated keyword, as described above. If we know the period, the cryptanalysis can be reduced to the cryptanalysis of monoalphabetic systems as follows. Say the period is five. We arrange the letters of the cryptotext in five columns in the following way. The number indicates the position of the letter in the cryptotext.

 1  2  3  4  5
 6  7  8  9 10
11 12 13 14 15
16 17 18 19 20
21 22 23 24 25
26 27 28 29 30
 .  .  .  .  .
Two occurrences of the same letter appearing in the same column represent the same plaintext letter. Therefore, we are likely to be able to decrypt each column by a simple frequency count. Periodic cryptosystems with an unknown period were considered to be rather strong before the invention of the following method by the German cryptanalyst F.W. Kasiski around 1860. Kasiski’s method finds the period by searching occurrences of the same word from the cryptotext. Say the word PUXUL appears twice, with 15 letters between the two occurrences:

. . . PUXUL (15 letters) PUXUL . . .
This might be purely accidental. It might also be due to the fact that the same plaintext portion was encrypted, starting from the same position in the key. This means that the distance between the two P's, that is 20, is a multiple of the length of the key. Thus the length of the key is 2, 4, 5, 10 or 20. When several such conjectures about the key length have been formed (some of the conjectures possibly being wrong), a pretty good guess about the key length can be made. The longer the repeating words are, the better. It is also of advantage to have words repeating more than once. Kasiski's method is illustrated in the following example.

Example 1.6. A cryptanalyst, suspecting VIGENERE, intercepted the following cryptotext.
A V X Z H H C S B Z H A L V X H F M V T L H I G H
K A L B R V I M O F H D K T A S K V B M O S L A C
G L G M O S T P F U L Q H T S L T C K L V N T W W
H B W M S X S G A V H M L F R V I T Y S M O I L H
P E L H H L L I L F B L B V L P H A V W Y M T U R
A B A B K V X H H B U G T B B T A V X H F M V T L
H I G H P N P Z W P B Z P G G V H W P G V B G L L
R A L F X A V X T C L A Q H T A H U A B Z H T R S
B U P N P Z W P B Z H G T B B T P G M V V T C S M
V C L T O E S O L A C O L K B A V M V C Y L K L A
C G L G B M H A L G M V J X P G H U Z R H A B Z S
K H P E L H B U M F L H T S P H E K B A V T J C N
W Z X V T L A C G L G H U H H W H A L B M O S K V
C F J O G U C M I S A L O M L R I Y C I L F E F I
G S S L Z W M P G O L F R Z A T S Z G L J X Y P X
Z H B U U R D W M O H A L V X H F M V T L H I G H
No previous plaintext-cryptotext pairs are known. The cryptanalyst might have received this cryptotext of exactly 400 letters, say, in blocks of five letters. However, he/she has forgotten all about the block division. He/she intends to use Kasiski's method. The block division is then only a nuisance because the identical words sought might occur in any position with respect to the blocks. The cryptanalyst observed that the word HALVXHFMVTLHIGH, unusually long with respect to the length of the cryptotext, occurs twice. The distance between the two occurrences is 375 = 3 · 5^3. The distance is computed by taking a specific letter, say the first H, in both occurrences and counting the number of steps from one occurrence to the other. Here it is easy because the number of steps is apparently 15 · 25.
The final part of the word considered, namely, VXHFMVTLHIGH, occurs also for a third time. The distance between the first two occurrences is 129 = 3 · 43, and the distance between the last two occurrences is 246 = 2 · 3 · 41. The only common divisor between the numbers so far obtained is 3. Since the words involved are long, the cryptanalyst knows that their appearance is very unlikely to be coincidental. On the contrary, it is to be expected that the same sequence of letters was encrypted, starting from the same position in the keyword. If their appearance is not coincidental then the period is necessarily 3. The cryptanalyst has computing power. He/she could very easily make an exhaustive search of all repetitive words with length at least two. Instead, he/she tries to make a direct kill, betting on the period 3. A couple of immediate observations support this decision. There is another occurrence of VXH, 12 steps from the closest occurrence previously encountered. There are three occurrences of AVX, with distances 141 and 39 from each other. There are four occurrences of HAL, with distances 246, 60 and 69 from each other. All these numbers are divisible by 3, whereas any other divisor would lead to a period not in harmony with the total information already gathered. The cryptanalyst knows that such a direct attack, avoiding an exhaustive search, is to be applauded also from a theoretical point of view. In simple examples, such as the one at hand, a direct attack may render the use of a computer unnecessary: the cryptanalysis can be done by hand. More importantly, in complicated “real life” examples such a direct attack may render the task of cryptanalysis from intractable to tractable. Assuming the period to be 3, the simple frequency count gives the following distribution of letters in the three classes involved. Letters in Class 1 have the positions 1, 4, 7, . . . .
Letter   Class 1        Class 2        Class 3
A        12 = 9.0%      5              9 = 6.8%
B        4              9 = 6.8%       12 = 9.0%
C        2              12 = 9.0%      -
D        2              -              -
E        1              -              4
F        1              10 = 7.5%      2
G        -              13 = 9.8%      10 = 7.5%
H        15 = 11.2%     14 = 10.5%     11 = 8.3%
I        1              7              3
J        2              2              -
K        1              5              4
L        27 = 20.1%     1              13 = 9.8%
M        2              2              17 = 12.8%
N        -              -              4
O        6              4              2
P        10 = 7.5%      7              -
Q        -              2              -
R        1              3              5
S        5              13 = 9.8%      -
T        6              4              13 = 9.8%
U        9 = 6.7%       1              1
V        14 = 10.4%     11 = 8.3%      2
W        2              3              6
X        -              -              12 = 9.0%
Y        4              -              1
Z        7              5              2
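The whole procedure of Example 1.6, as an added example (not the book's code): the search for repeated words and the divisibility test of their distances (Kasiski's method), the arrangement of the cryptotext into the classes described under periodic systems, the letter count per class, and the choice of a CAESAR shift for each class. The shift is chosen here by the chi-squared distance to a standard English letter-frequency table, an assumption of this example; the book picks the shifts by hand from the RST pattern.

```python
# Added example (not from the book): Kasiski's method and the per-class
# frequency analysis of Example 1.6, run on its 400-letter cryptotext.
from collections import Counter, defaultdict

# The cryptotext of Example 1.6 (16 lines of 25 letters).
CRYPTOTEXT = (
    "AVXZHHCSBZHALVXHFMVTLHIGH" "KALBRVIMOFHDKTASKVBMOSLAC"
    "GLGMOSTPFULQHTSLTCKLVNTWW" "HBWMSXSGAVHMLFRVITYSMOILH"
    "PELHHLLILFBLBVLPHAVWYMTUR" "ABABKVXHHBUGTBBTAVXHFMVTL"
    "HIGHPNPZWPBZPGGVHWPGVBGLL" "RALFXAVXTCLAQHTAHUABZHTRS"
    "BUPNPZWPBZHGTBBTPGMVVTCSM" "VCLTOESOLACOLKBAVMVCYLKLA"
    "CGLGBMHALGMVJXPGHUZRHABZS" "KHPELHBUMFLHTSPHEKBAVTJCN"
    "WZXVTLACGLGHUHHWHALBMOSKV" "CFJOGUCMISALOMLRIYCILFEFI"
    "GSSLZWMPGOLFRZATSZGLJXYPX" "ZHBUURDWMOHALVXHFMVTLHIGH"
)

# Letter frequencies of English in percent (the usual rounded table; an assumption
# of this example, the book uses the ETAONISRH group instead).
ENGLISH = dict(zip("ABCDEFGHIJKLMNOPQRSTUVWXYZ", [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))


def repeated_ngrams(text, n):
    """Every n-letter word occurring at least twice -> its 1-based positions."""
    positions = defaultdict(list)
    for i in range(len(text) - n + 1):
        positions[text[i:i + n]].append(i + 1)
    return {w: p for w, p in positions.items() if len(p) > 1}


def kasiski_scores(text, n=3, max_period=20):
    """Kasiski: for each candidate period, count the repeat distances it divides."""
    scores = Counter()
    for pos in repeated_ngrams(text, n).values():
        for a, b in zip(pos, pos[1:]):        # distances between consecutive repeats
            for p in range(2, max_period + 1):
                if (b - a) % p == 0:
                    scores[p] += 1
    return scores


def class_counts(text, period):
    """Letter counts in each class (class i holds positions i, i+period, ...)."""
    return [Counter(text[i::period]) for i in range(period)]


def shift_for_class(letters):
    """CAESAR key whose removal makes the class look most like English (chi-squared)."""
    counts, n = Counter(letters), len(letters)
    best_shift, best_chi2 = 0, float("inf")
    for shift in range(26):
        chi2 = 0.0
        for plain, pct in ENGLISH.items():
            cipher = chr((ord(plain) - 65 + shift) % 26 + 65)
            expected = n * pct / 100
            chi2 += (counts[cipher] - expected) ** 2 / expected
        if chi2 < best_chi2:
            best_shift, best_chi2 = shift, chi2
    return best_shift


def recover_keyword(text, period):
    return "".join(chr(65 + shift_for_class(text[i::period])) for i in range(period))


def vigenere_decrypt(text, keyword):
    return "".join(chr((ord(c) - ord(keyword[i % len(keyword)])) % 26 + 65)
                   for i, c in enumerate(text))


if __name__ == "__main__":
    print(repeated_ngrams(CRYPTOTEXT, 12))     # the long repeats the text points out
    scores = kasiski_scores(CRYPTOTEXT)
    period = max(scores, key=scores.get)       # 3
    for i, counts in enumerate(class_counts(CRYPTOTEXT, period), 1):
        print("Class", i, counts.most_common(4))
    keyword = recover_keyword(CRYPTOTEXT, period)
    print(keyword, vigenere_decrypt(CRYPTOTEXT, keyword)[:25])
```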
RST are the only three consecutive letters in the high-frequency group ETAONISRH. Therefore, the cryptanalyst looks in each of the three classes for three consecutive letters possessing a high frequency each. In this way he/she finds out how RST was encrypted in each class. In Class 1 there are two sequences of high-frequency letters: TUV and YZA. If the former is chosen to represent RST, then the shift is two, which means that the plaintext letters WXY get the high frequencies 4, 7, 12. Hence, YZA is chosen to represent RST, showing that the shift is seven. This means that the 20.1% letter L is the disguise of E. In small samples (here only 134 letters altogether) one cannot be sure that the letter with the highest frequency actually is the disguised version of E. However, usually only E is capable of taking such an overwhelming majority as here. In Class 2 the cryptanalyst has to make a similar choice between ABC and FGH. (Also ZAB and GHI could be considered.) For the same reason as before, the choice is FGH, which gives the shift 14. In Class 3 there is only one choice, KLM, giving the shift 19. Observe that neither in Class 2 nor in Class 3 has the letter E the very highest frequency, although it is close to the top in both classes. The three shifts 7, 14, 19 are obtained from the keyword HOT. The cryptanalyst may begin the decryption:

T H E S T O V E I S T H E H E A R T O F S A U N A
W H E N Y O U T H R O W W A T E R O N T H E S T O N E S T H E A I R B E C O M E S M O R E H U M I D

Everything seems to work: the plaintext contains information about sauna. The cryptanalyst now writes down the plaintext, using normal punctuation. The stove is the heart of sauna. When you throw water on the stones, the air becomes more humid and feels hotter. You are, thus, able to experience both dry and humid heat in sauna. The art of sauna building is not discussed here. The most
common mistake in building a sauna is to have too small a stove with too few stones. If the stove is only a miserable tiny metal box with a couple of stones on top, then the room cannot be heated properly unless it is very small. Never be stingy with the heart of sauna!

The cryptanalyst still looked back at his/her work. The facts used as a basis for the Kasiski analysis were in general correct: the same sequence of letters had been encrypted, starting from the same position of the period. The words AVX and HAL are two encryptions of the plaintext THE, starting from the first and second position of the period, respectively. Sometimes the identical plaintext parts encrypted in the same way had a very different syntactic and/or semantical function. Thus, VXH was the encryption of HEA. But it came from the HEA in HEART, HEATING, as well as THE ART. In spite of the small size of the classes, the high-frequency letters in each class were almost ETAONISRH. In fact, every “really high” letter (meaning a letter with at least 9 occurrences, with percentage indicated above) was in this group. The final conclusion of the cryptanalyst was that the period should have been much longer, considering the length of the plaintext.

Our cryptanalytic examples have made use of some known properties of certain natural languages: the frequency of individual letters and the frequency of digrams. We want to emphasize that statistics are available about many other properties, for instance, the frequency of trigrams, the most common words in a language, the most likely left and right neighbors of each letter, as well as the over-all distribution and mutual position between vowels and consonants. In many cryptanalytic tasks such additional statistics are extremely helpful for eliminating most of the alternatives otherwise possible.

A further modification of the VIGENERE system is the AUTOCLAVE system, customarily credited to the 16th century mathematician G. Cardano who is famous also because of his formulas for solving equations of 3rd and 4th degrees. In AUTOCLAVE, the plaintext serves also as the encryption key, with a certain shift. In the following example the shift is of length six.

Plaintext:  A I D S I S T R A N S M I T T E D T H R O U G H
Key:                    A I D S I S T R A N S M I T T E D T
The key is used, as in VIGENERE, to determine a CAESAR substitution for each letter. The empty space at the beginning of the key can be filled either cyclically from the end of the plaintext, or else by using a keyword. The keyword IMMUNE induces the following beginning for the cryptotext.

Plaintext:  A I D S I S T R A N S M I T T E D T H R O U G H
Key:        I M M U N E A I D S I S T R A N S M I T T E D T
Cryptotext: I U P M V W T Z D F A E B K T R V F P K H Y J A
The legal decryption is obvious: the keyword gives the beginning of the plaintext from the beginning of the cryptotext, after which one can use the plaintext already available as the key. In another variant of the AUTOCLAVE, the cryptotext already created serves as the key after the keyword. Thus, our previous example will be encrypted as follows.

Plaintext:  A I D S I S T R A N S M I T T E D T H R O U G H
Key:        I M M U N E I U P M V W B L P Z N I J E I D Q B
Cryptotext: I U P M V W B L P Z N I J E I D Q B Q V W X W I

The cryptanalysis of the latter AUTOCLAVE version is straightforward: the analyst only has to guess or find out the length of the key. Suppose it is known that the length is six in the example above. Then the analyst takes the first letter I and the seventh letter B in the cryptotext. The letter B lies in the T-row of the I-column in the Vigenere square. This gives the plaintext letter T. Similarly, the plaintext letter R is obtained from U and L. Apart from the first six letters, the whole plaintext can be recovered in this fashion. The former AUTOCLAVE version (where the shifted plaintext serves as the key) is not vulnerable to such a simple cryptanalytic attack. We now briefly outline the cryptanalysis of the former AUTOCLAVE version. First Kasiski’s method is applied to find the length of the keyword, or at least some likely candidates for the length, also here referred to as the period. The theoretical background for Kasiski’s method is not so strong here as in the case of VIGENERE but the method is usually good enough for finding the period. Let us consider one example. Suppose that the word THE has two occurrences in the plaintext, the distance between the two occurrences being twice the period. Then some sequence of three letters, say AID, is found in the middle of the two occurrences. Thus, the following is a part of the plaintext:

T H E . . . A I D . . . T H E

In the encryption process we now have:

Plaintext:  . . . T H E . . . A I D . . . T H E . . .
Key:        . . . . . . . . . T H E . . . A I D . . .
Cryptotext: . . . . . . . . . T P H . . . T P H . . .
Thus, TPH occurs twice in the cryptotext, the distance between the two occurrences being the period. Kasiski’s method gives here exactly the period, whereas in connection with VIGENERE it gives a multiple of the period. Once the period is known, say it is likely to be six, the keyword is found by an exhaustive search based on the frequency count of individual letters. Everything is of course obvious when the keyword is known.
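Both AUTOCLAVE variants of the text, as an added example (not the book's code): the plaintext-key variant, the cryptotext-key variant, and the direct recovery of the latter from the period alone, which needs no keyword. The plaintext AIDS IS TRANSMITTED THROUGH and the keyword IMMUNE are the ones used above.

```python
# Added example (not from the book): the two AUTOCLAVE variants and the
# keyless recovery of the cryptotext-key variant once the period is known.


def add(p, k):
    """CAESAR step: plaintext letter shifted by key letter."""
    return chr((ord(p) + ord(k) - 2 * 65) % 26 + 65)


def sub(c, k):
    """Inverse CAESAR step: cryptotext letter minus key letter."""
    return chr((ord(c) - ord(k)) % 26 + 65)


def autoclave_plaintext_key(plaintext, keyword):
    """Key = keyword followed by the plaintext itself, shifted by len(keyword)."""
    key = keyword + plaintext
    return "".join(add(p, key[i]) for i, p in enumerate(plaintext))


def autoclave_cryptotext_key(plaintext, keyword):
    """Key = keyword followed by the cryptotext already produced."""
    out = []
    for i, p in enumerate(plaintext):
        k = keyword[i] if i < len(keyword) else out[i - len(keyword)]
        out.append(add(p, k))
    return "".join(out)


def decrypt_plaintext_key(cryptotext, keyword):
    """Legal decryption: the keyword yields the first letters, then the recovered
    plaintext serves as the key for the rest."""
    out = []
    for i, c in enumerate(cryptotext):
        k = keyword[i] if i < len(keyword) else out[i - len(keyword)]
        out.append(sub(c, k))
    return "".join(out)


def break_cryptotext_key(cryptotext, period):
    """Without the keyword: from position period+1 on, plaintext = c_i - c_(i-period).
    The first `period` letters stay unknown and are returned as '?'."""
    tail = "".join(sub(cryptotext[i], cryptotext[i - period])
                   for i in range(period, len(cryptotext)))
    return "?" * period + tail


PLAINTEXT = "AIDSISTRANSMITTEDTHROUGH"
KEYWORD = "IMMUNE"

if __name__ == "__main__":
    c1 = autoclave_plaintext_key(PLAINTEXT, KEYWORD)
    c2 = autoclave_cryptotext_key(PLAINTEXT, KEYWORD)
    print(c1)                            # IUPMVWTZDFAEBKTRVFPKHYJA
    print(c2)                            # IUPMVWBLPZNIJEIDQBQVWXWI
    print(decrypt_plaintext_key(c1, KEYWORD))
    print(break_cryptotext_key(c2, 6))   # ??????TRANSMITTEDTHROUGH
```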
There are 26 possibilities for the first letter of the keyword. When a possibility is fixed, it determines, together with the first letter of the cryptotext, the first letter of the plaintext. The latter, in turn, determines together with the seventh letter of the cryptotext the seventh letter of the plaintext. And so forth. So each choice for the first letter gives us the plaintext letters in positions 1, 7, 13, 19, 25, . . . . Choices leading to sequences improbable from the point of view of the letter distribution may be discarded. In this way the first letter is found. The other five letters are found similarly.

We have discussed the basic cryptanalytic methods for the most common old cryptosystems. Some additional remarks are in order. There is no overall procedure that could be recommended for all cryptanalytic tasks. However, a cryptanalyst should always be active: if one method fails, another should be tried. The plaintext is almost always in some natural language, granted that there may be some encoding in-between. The cryptanalyst is likely to know which language is used in the communication. Most often this is immediate from the “interception history” of the cryptotext but we should also not forget the Golden Rule for cryptosystem designers! The cryptanalyst has to know the plaintext language, or at least cooperate with a person who knows it. Therefore, it gives an additional dimension to secrecy if a language not too widely known, such as Finnish, is used as the plaintext language. This is now a suitable spot to reveal the encryption method used in Example 1.1. The plaintext was WEMEETTOMORROW. It was first translated into Finnish: TAPAAMMEHUOMENNA. CAESAR E_1 (advance one step) then gives the cryptotext UBQBBNNFIVPNFOOB.

We have discussed the difference between monoalphabetic and polyalphabetic cryptosystems. Another natural classification, coming from formal language theory, is to divide cryptosystems into context-free and context-sensitive. In the former individual letters and, in the latter, groups of letters are encrypted. This can happen in the monoalphabetic or polyalphabetic fashion. Typical examples of cryptosystems of various types are given in the following table.
                    Monoalphabetic    Polyalphabetic
Context-free        CAESAR            VIGENERE
Context-sensitive   PLAYFAIR          PERIODIC PLAYFAIR
Here PERIODIC PLAYFAIR means a modification of PLAYFAIR, where there are several squares, say three. The first pair in the plaintext is encrypted according to the first square, the second and third pairs according to the second and third squares, the fourth pair again according to the first square, and so forth. To conclude this section, we still mention some cryptosystems of an entirely different nature. The system CODE BOOK is referred to in [Ga] as the aristocrat of all cryptosystems. There is some truth in this statement since many aspects, such as making the cryptotext innocent-looking, can be taken into account in the CODE BOOK.
Both legal parties have a dictionary translating plaintext words (at least the most necessary ones) into sequences of numbers, some nonsense words, or preferably, into some other meaningful words. Thus, a part of the dictionary might look like:

Original    Translation
ATTACK      FISHING
IN          BETWEEN
MORNING     WORK HOURS
THE         THE
Then the plaintext ATTACK IN THE MORNING will become the cryptotext FISHING BETWEEN THE WORK HOURS. Suitable endings have to be added to the cryptotext to make it syntactically correct. What about the cryptanalysis of CODE BOOK? If nothing is known about the dictionary, then the initial setup “cryptotext only” is impossible. On the other hand, the initial setups “known plaintext” and “chosen plaintext” necessarily disclose some details of the dictionary. It depends on the details how much this is going to help. Are there cryptosystems which guarantee perfect secrecy? Briefly stated, perfect secrecy means that the cryptotext does not give away any information whatsoever to the cryptanalyst. The cryptanalyst may or may not intercept the cryptotext: he/she has exactly the same knowledge in both cases. The cryptotext gives away no information about the plaintext. An example of a cryptosystem with perfect secrecy is ONE-TIME PAD. The plaintext is a sequence of bits with bounded length, say a sequence of at most 20 bits. The key is a sequence of 20 bits. It is used both for encryption and decryption and communicated to the receiver via some secure channel. Take the key 11010100001100010010. A plaintext, say 010001101011, is encrypted using bitwise addition with the bits of the key, starting from the beginning of the key. Thus, the cryptotext is 100100101000. This gives no information to the cryptanalyst because he/she has no way of knowing whether a bit in the cryptotext comes directly from the plaintext or has been changed by the key. Here it is essential that the key is used only once, as also the name of the cryptosystem indicates. A previous plaintext together with the corresponding cryptotext give away the key, or at least a prefix of the key. Also a set of previous cryptotexts, with plaintexts remaining unknown, give away some information. Of course, legal decryption is obvious: use bitwise addition of the cryptotext and the beginning of the key.
The obvious disadvantage of ONE-TIME PAD is the difficult key management. The key, at least as long as the plaintext, has to be communicated separately
via some secure channel. Nothing has been accomplished: the difficulties in secret communication have only been transferred to a different level! Of course, the system is still useful for really important one-time messages. In some variants of ONE-TIME PAD the key management is easier but the secrecy is not quite 100%. We finally mention such a variant. The key is specified by indicating a place in the Bible, King James version. For instance, Joshua 3, 2, 6 means the Book of Joshua, Chapter 3, Verse 2, Letter 6. The key begins from this letter and is used in the VIGENERE fashion. Let us encrypt the plaintext PRACTICAL PERFECTLY SECRET SYSTEMS WOULD CAUSE UNEMPLOYMENT AMONG CRYPTOGRAPHERS, using this key.

Plain:  P R A C T I C A L P E R F E C T L Y S E C R E T
Key:    C A M E T O P A S S A F T E R T H R E E D A Y S
Crypto: R R M G M W R A D H E W Y I T M S P W I F R C L

Plain:  S Y S T E M S W O U L D C A U S E U N E M P L O
Key:    T H A T T H E O F F I C E R S W E N T T H R O U
Crypto: L F S M X T W K T Z T F G R M O I H G X T G Z I

Plain:  Y M E N T A M O N G C R Y P T O G R A P H E R S
Key:    G H T H E H O S T A N D T H E Y C O M M A N D E
Crypto: E T X U X H A G G G R U R W X M I F M B H R U W
The key management in this variant of ONE-TIME PAD is much easier, since also very long keys can be represented in the same compact form. On the other hand, the keys are by no means random. The frequency information concerning English applies. Also an exhaustive search through all keys is possible computationally.
1.4 Rotors and DES

The cryptosystems considered so far can be made more complicated and, at the same time, more secure by the use of cryptographic machines. Such machines make the encryption and (legal) decryption processes much faster, and also provide an enormous number of possible keys to choose from. The history of cryptographic machines extends already over hundreds of years. While the early mechanical devices took several seconds for the encryption of a character, the modern electronic machines encrypt millions of characters in a second. In this last section concerning classical cryptography, we discuss some of the basics about cryptographic machines. The core idea appears clearly already in the oldest machine, the Jefferson wheel, invented and used by Thomas Jefferson.
40
I. Classical Two-way Cryptography
For an interested reader, [Ka] contains a description of the wheel in Jefferson's own words. Jefferson's wheel consists of a cylinder mounted on an axis. 26 straight lines, parallel to the axis and at equal distances from each other, are drawn on the cylinder. The cylinder is then cut into 10 smaller cylinders of equal height. The smaller cylinders are referred to as disks. Thus, we have 10 disks free to rotate independently about the common axis. Moreover, each of the disks is divided into 26 boxes of equal size on its circumference. On each disk, the 26 boxes are now filled with the 26 letters of the English alphabet. The order of the letters is chosen arbitrarily and varies from disk to disk. A particular Jefferson wheel is depicted in Fig. 1.7. The same wheel will be used in Example 1.7, where also the individual disks are described in detail, that is, also the parts not visible in the figure.
Fig. 1.7
It should be added that Jefferson used 36 disks. We have chosen the smaller number 10, for clarity of presentation. Both the sender and the receiver possess identical wheels, that is, the cyclic order of the letters is the same on each disk. To encrypt an English plaintext, the sender first divides it into blocks of 10 letters each. A block is encrypted by first rotating the disks in such a way that the block can be read from one of the 26 letter sequences parallel to the axis, and then choosing any of the 25 remaining letter sequences as the cryptotext. To decrypt, the legal receiver rotates the disks of the Jefferson wheel in such a way that the cryptotext can be read from one of the 26 letter sequences. The plaintext then appears as one of the 25 remaining letter sequences. It will be obvious which one: with an extremely high probability, only one of the letter sequences can be a part of a meaningful English text. Thus, it is not necessary to agree in advance how many lines in the wheel will be advanced in the encryption process. It can be any number between 1 and 25, and the number can vary from block to block. The situation is slightly different if the plaintext is “nonsense.” Then the encryption distance in the wheel must be agreed upon in advance. For instance, if the encryption distance is 3 then the plaintext AAAAAAAAAA will be encrypted as ESYMTRHUEE according to the wheel of Fig. 1.7.
Example 1.7. We still consider the wheel of Fig. 1.7 but we now open out each of the disks, to define the entire sequences of letters. The same procedure can be followed in the definition of any Jefferson wheel.

Disk number:   1 2 3 4 5 6 7 8 9 10
Row number:
 1             A A A A A A A A A A
 2             R R P N V S P E I I
 3             I O S I O O U S R H
 4             E S Y M T R H U E E
 5             K U L O Y P I P S T
 6             O V U C L M S B L O
 7             B I K U E U E L B M
 8             C J B L B B N C C U
 9             U L R T C D R D D C
10             D B C Y D Y Y H F D
11             J F D B G E D I N F
12             T C T F F C B J Y G
13             L G F G K V F F T J
14             N K G S N H G O G P
15             P N O H H F V G H Q
16             W P N J U K J K J B
17             Q Q E D P L K M K N
18             M T H E Q Q M N M V
19             S H M K R I T Q P W
20             V E Q P S J O R Q X
21             X D V Q W N L V V L
22             Z Y W V X G W W W Y
23             G W X X M T Q Y O K
24             H X Z R I W X X U R
25             Y Z I Z J X Z T X S
26             F M J W Z Z C Z Z Z
It turns out that this particular Jefferson wheel has remarkable properties in regard to certain plaintexts.
Consider the following plaintext. It contains some questions about sauna. The plaintext has 70 letters. Divided into blocks of 10 letters each, the plaintext looks as follows:

W H A T I S T H E B
E S T T E M P E R A
T U R E I N S A U N
A H O W M A N Y T I
M E S M U S T O N E
G O I N H O W L O N
G M U S T I S T A Y

The sender decides to use the distances
in this order, for the seven blocks. Since we do not possess any specimen of the wheel, we have to rotate the disks mentally. For each of the seven blocks, we rotate the disks in such a way that the block can be read from the row numbered by 1. In the seven resulting cases the wheel then looks as follows. We indicate the rows only up to the row lying at the chosen distance.
[The seven wheel settings pictured here did not survive extraction. Each shows the disks rotated so that the block stands in row 1, with the rows listed down to the chosen distance; the top and bottom rows of the seven figures are:]

Disk number:        1 2 3 4 5 6 7 8 9 10
Block 1   Plain:    W H A T I S T H E B
          Crypto:   H A R D L Y A N Y R
Block 2   Plain:    E S T T E M P E R A
          Crypto:   U L E S F E E L C O
Block 3   Plain:    T U R E I N S A U N
          Crypto:   M F O R T A B L E K
Block 4   Plain:    A H O W M A N Y T I
          Crypto:   I D E N J O Y T H E
Block 5   Plain:    M E S M U S T O N E
          Crypto:   K I N D O F S A U N
Block 6   Plain:    G O I N H O W L O N
          Crypto:   A I S C R U C I A L
Block 7   Plain:    G M U S T I S T A Y
          Crypto:   F O R D E G R E E S
The cryptotext can be read from the bottom rows listed in connection with the seven blocks. Let us still write the plaintext and the cryptotext using customary punctuation and spacing.

Plain: What is the best temperature in sauna? How many times must one go in? How long must I stay?
Crypto: Hardly any rules. Feel comfortable, kid, enjoy. The kind of sauna is crucial for degrees.

Not only is the requirement of RICHELIEU satisfied but the cryptotext also answers the questions given in the plaintext! It is obvious that our particular Jefferson wheel was specially designed for this purpose. Conditions for such a design are studied in Problem 26.

The Jefferson wheel realizes a polyalphabetic substitution. Let us first consider the version where we fix in advance the distance for encryption, that is, we fix a number i among the numbers 1, 2, ..., 25. Thus, the cryptotext is read from i lines below the plaintext. Then the wheel can be viewed as a polyalphabetic substitution with the period 10. The situation is slightly different if the encryption distance is chosen nondeterministically for each 10-block of the plaintext, as was done above. Then, after each 10 letters of the plaintext, we may alter the substitutions for the next 10 letters. However, there are only 25 combinations of substitutions available for the 10-blocks. The basic idea of the Jefferson wheel, the creation of a polyalphabetic substitution using disks rotating more or less independently, is central also in mechanical or electro-mechanical cryptographic machines invented later. Amazingly enough, most of these machines go back to Caesar in that the substitution is a circular one (with respect to the alphabetic order). However, the substitution varies from letter to letter and, viewing the system as VIGENERE, the length of the keyword is enormous: in many cases a high power of 10. Therefore, Kasiski's method is very unlikely to succeed in cryptanalysis.
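As an added example (not the book's code), the following Python model of the wheel of Example 1.7 transcribes the disk table above, encrypts and decrypts 10-letter blocks at a chosen distance, lists the 25 candidate rows a receiver sees without an agreed distance, and, since the sender's list of distances is not legible in this copy, recovers each block's distance from the plaintext/cryptotext pair of the sauna example. Function and variable names are this example's own.

```python
"""Jefferson wheel of Fig. 1.7 / Example 1.7, as an added example (not the book's code).
ROWS transcribes the book's opened-out disk table; the helper names are this example's own."""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Row r (1..26) of the opened-out wheel: one letter per disk, disks 1..10 left to right.
ROWS = [
    "AAAAAAAAAA", "RRPNVSPEII", "IOSIOOUSRH", "ESYMTRHUEE", "KULOYPIPST",
    "OVUCLMSBLO", "BIKUEUELBM", "CJBLBBNCCU", "ULRTCDRDDC", "DBCYDYYHFD",
    "JFDBGEDINF", "TCTFFCBJYG", "LGFGKVFFTJ", "NKGSNHGOGP", "PNOHHFVGHQ",
    "WPNJUKJKJB", "QQEDPLKMKN", "MTHEQQMNMV", "SHMKRITQPW", "VEQPSJORQX",
    "XDVQWNLVVL", "ZYWVXGWWWY", "GWXXMTQYOK", "HXZRIWXXUR", "YZIZJXZTXS",
    "FMJWZZCZZZ",
]
# DISKS[d] is the cyclic letter sequence printed on disk d+1 (row 1, row 2, ..., row 26).
DISKS = ["".join(row[d] for row in ROWS) for d in range(10)]


def check_wheel():
    """Every disk must carry each of the 26 letters exactly once."""
    return all(sorted(disk) == list(ALPHABET) for disk in DISKS)


def shift_block(block, distance):
    """Rotate each disk so that `block` stands in one row, then read the row `distance`
    lines below it (cyclically). distance 0 returns the block itself."""
    return "".join(DISKS[d][(DISKS[d].index(ch) + distance) % 26]
                   for d, ch in enumerate(block))


def encrypt(plain, distances):
    """Encrypt 10-letter blocks, each with its own distance in 1..25."""
    blocks = [plain[i:i + 10] for i in range(0, len(plain), 10)]
    return "".join(shift_block(b, k) for b, k in zip(blocks, distances))


def decrypt(crypto, distances):
    """Legal receiver who knows the distances (needed only for "nonsense" plaintext)."""
    blocks = [crypto[i:i + 10] for i in range(0, len(crypto), 10)]
    return "".join(shift_block(b, 26 - k) for b, k in zip(blocks, distances))


def candidate_plaintexts(crypto_block):
    """What the receiver sees without an agreed distance: the 25 other rows, of which
    (for English plaintext) only one is meaningful."""
    return [shift_block(crypto_block, k) for k in range(1, 26)]


def recover_distances(plain, crypto):
    """For each block, the distance that maps plain to crypto; every disk must agree."""
    out = []
    for i in range(0, len(plain), 10):
        p, c = plain[i:i + 10], crypto[i:i + 10]
        ks = {(DISKS[d].index(c[d]) - DISKS[d].index(p[d])) % 26 for d in range(10)}
        if len(ks) != 1:
            raise ValueError("block %d is not a single rotation of the wheel" % (i // 10 + 1))
        out.append(ks.pop())
    return out


# The sauna example from the text, without spaces and punctuation.
PLAIN = "WHATISTHEBESTTEMPERATUREINSAUNAHOWMANYTIMESMUSTONEGOINHOWLONGMUSTISTAY"
CRYPTO = "HARDLYANYRULESFEELCOMFORTABLEKIDENJOYTHEKINDOFSAUNAISCRUCIALFORDEGREES"
```

The test checks the disks, the AAAAAAAAAA example of the text, and that the recovered distances reproduce the printed cryptotext.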
As an illustration of mechanical machines, we discuss the machine C-36 of the famous manufacturer of cryptographic machines Boris Hagelin. It is also known as the M-209 Converter and was used by the U.S. Army still in the early 50s. Verbal descriptions of a mechanical device are extremely hard to follow when no specimen of the device is available. Since it is rather unlikely that the reader has a C-36 at hand, we describe its operation in abstract terms. The machine is depicted in Fig. 1.8.

Fig. 1.8

Its basic components are six disks, usually called rotors, and a cylinder called the lug cage. Consider a 6 × 27 matrix M with entries from {0, 1}. It is also assumed that every one of the 27 columns of M has at most two 1's. Such matrices are called lug matrices. The matrix

M = [ 0 0 0 1 0 0 0 0 1 0 1 0 0 0 1 1 1 0 0 0 0 0 0 0 0 0 1 ]
    [ 0 1 0 0 1 0 0 0 1 0 0 1 1 0 0 0 1 0 0 1 0 0 1 0 1 0 0 ]
    [ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ]
    [ 0 0 1 1 0 0 0 1 0 1 0 0 0 0 1 0 0 1 0 0 0 1 1 1 1 1 1 ]
    [ 0 0 1 0 1 0 0 0 0 0 0 1 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 ]
    [ 0 0 0 0 0 0 0 1 0 0 1 0 0 1 0 0 0 0 0 1 0 0 0 1 0 0 0 ]

is an example of a lug matrix. Obviously, if u is a 6-dimensional row vector with entries from {0, 1}, then uM is a 27-dimensional row vector with entries from {0, 1, 2}. For instance, if u = (1, 0, 1, 1, 0, 0) then

uM = (0, 0, 1, 2, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 2, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 2).

(Here we use the above M.) The number of positive entries in uM is called the hit number of u with respect to M. In our example the hit number is 16. In general, the hit number can be any integer between 0 and 27. A step figure is constructed as follows. Pile 6 sequences of numbers from {0, 1}. The sequences, from top to bottom, should have lengths 17, 19, 21, 23, 25, 26 and start from the same point. For instance,

0 1 1 0 0 0 1 0 0 0 0 0 0 0 1 1 0
0 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 1 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 1 0 0 0 1
1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0 1

is a step figure. Contrary to lug matrices, there are no restrictions concerning the position of 1's in step figures. A step figure generates an infinite sequence of 6-dimensional (row) vectors as follows. The first 17 vectors are read directly from the columns. Thus,

are the first two vectors generated by the step figure above. Whenever some row ends, it is restarted from the beginning. Thus, the vectors from 17th to 47th are:
Having defined the lug matrix and the step figure, we are now in the position to tell how the cryptotext is obtained. We use our previous numerical encoding of the letters: A gets the number 0, B gets the number 1 and so forth. Z gets the number 25. As before, arithmetic is carried out modulo 26. Assume that a is the i-th letter in the plaintext and that h is the hit number of the i-th vector generated by the step figure, with respect to the lug matrix. Then a is translated into the letter

y = h − a − 1

in the cryptotext.

For instance, consider the plaintext GOVERNMENTOFTHEPEOPLEBYTHEPEOPLEANDFORTHEPEOPLE, as well as the lug matrix and the step figure given above. The numerical encoding of the plaintext is as follows. We use commas only for clarity.

6, 14, 21, 4, 17, 13, 12, 4, 13, 19, 14, 5, 19, 7, 4, 15, 4, 14, 15, 11, 4, 1, 24, 19, 7, 4, 15, 4, 14, 15, 11, 4, 0, 13, 3, 5, 14, 17, 19, 7, 4, 15, 4, 14, 15, 11, 4.

The length of the plaintext is 47. As we often do, we have disregarded the spaces between two words. When using cryptographic machines, the spaces are sometimes filled with the letter Z. Thus, we have to compute the hit numbers of the first 47 vectors generated by the step figure. This is straightforward because the first 17 vectors can be seen directly from the step figure and the other vectors we already computed above. The hit numbers are:

10, 17, 16, 9, 9, 9, 7, 0, 0, 0, 0, 12, 0, 0, 18, 7, 0, 0, 18, 7, 9, 9, 19, 14, 9, 10, 5, 10, 0, 0, 0, 7, 7, 0, 12, 7, 7, 12, 0, 9, 17, 19, 9, 9, 5, 12, 0.

By the formula y = h − a − 1, we now compute the numerical encodings of the cryptotext letters:

3, 2, 20, 4, 17, 21, 20, 21, 12, 6, 11, 6, 6, 18, 13, 17, 21, 11, 2, 21, 4, 7, 20, 20, 1, 5, 15, 5, 11, 10, 14, 3, 6, 12, 8, 1, 18, 20, 6, 1, 12, 3, 4, 20, 15, 0, 21.

Hence, we obtain the following cryptotext: DCUERVUVMGLGGSNRVLCVEHUUBFPFLKODGMIBSUGBMDEUPAV. The three occurrences of PEOPLE in the plaintext have been encrypted as RVLCVE, PFLKOD and DEUPAV, whereas the three occurrences of THE have been encrypted as GSN, UBF and GBM. Several additional remarks concerning the machine C-36 are in order. The rotors and the lug cage correspond to the step figure and the lug matrix, respectively. Any prechosen step figure is obtained by activating suitable pins in the rotors. Similarly, any prechosen lug matrix is obtained by positioning the lugs suitably. The lug matrix and the step figure constitute the key for the C-36 encryption. The machine itself can be viewed as a physical realization of the cryptosystem described above: it operates according to a prechosen key after suitable pins have been activated and lugs positioned suitably. The equation y = h − a − 1 can be written also in the form a = h − y − 1. This means that the same key can be used both for encryption and decryption. This is
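The complete C-36 model in Python, as an added example (not the book's code): LUG_MATRIX and STEP_FIGURE transcribe the key given above, the hit numbers and the Beaufort-type rule y = h − a − 1 follow the text, and the period function computes the bound that the next paragraph derives from the pairwise relatively prime row lengths. All names are this example's own. Run on the GOVERNMENT... plaintext it reproduces all 47 hit numbers printed above; its cryptotext agrees with the printed one except at the 32nd letter, where h = 7 and a = 4 (the letter E) give 7 − 4 − 1 = 2, that is C, while the page prints D.

```python
"""C-36 (M-209) model from the book's description, as an added example (not the book's
code). LUG_MATRIX and STEP_FIGURE transcribe the book's example key; all function names
are this example's own."""
from functools import reduce
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Lug matrix: 6 rows x 27 columns over {0,1}, at most two 1's in every column.
LUG_MATRIX = [
    "000100001010001110000000001",
    "010010001001100010010010100",
    "000000000000000000000000000",
    "001100010100001001000111111",
    "001010000001000100100000000",
    "000000010010010000010001000",
]
# Step figure: six rows of lengths 17, 19, 21, 23, 25, 26 (pairwise relatively prime).
STEP_FIGURE = [
    "01100010000000110",
    "0111110000000000000",
    "001000001000000000000",
    "00000000000100100010001",
    "1010000000000000000000000",
    "11000000000000100010000001",
]


def is_lug_matrix(m):
    """Shape 6 x 27 over {0,1} and the at-most-two-1's-per-column requirement."""
    return (len(m) == 6 and all(len(r) == 27 and set(r) <= {"0", "1"} for r in m)
            and all(sum(r[c] == "1" for r in m) <= 2 for c in range(27)))


def step_vector(fig, i):
    """The i-th (1-based) 6-dimensional vector: each row is read cyclically."""
    return tuple(int(row[(i - 1) % len(row)]) for row in fig)


def hit_number(u, m):
    """Number of positive entries in the product uM (entries lie in {0,1,2})."""
    um = [sum(u[r] * int(m[r][c]) for r in range(6)) for c in range(27)]
    return sum(1 for x in um if x > 0)


def hit_numbers(fig, m, n):
    """Hit numbers of the first n vectors generated by the step figure."""
    return [hit_number(step_vector(fig, i), m) for i in range(1, n + 1)]


def encrypt(plain, fig=STEP_FIGURE, m=LUG_MATRIX):
    """Beaufort-type rule y = h - a - 1 (mod 26), one vector per letter."""
    out = []
    for i, ch in enumerate(plain, start=1):
        h = hit_number(step_vector(fig, i), m)
        out.append(ALPHABET[(h - ALPHABET.index(ch) - 1) % 26])
    return "".join(out)


decrypt = encrypt  # a = h - y - 1 is the same rule, so the same key decrypts


def period(fig):
    """Steps after which the step figure is certainly back in its initial position."""
    return reduce(lambda x, y: x * y // gcd(x, y), (len(row) for row in fig))


PLAIN = "GOVERNMENTOFTHEPEOPLEBYTHEPEOPLEANDFORTHEPEOPLE"
# Hit numbers as printed in the text.
BOOK_HITS = [10, 17, 16, 9, 9, 9, 7, 0, 0, 0, 0, 12, 0, 0, 18, 7, 0, 0, 18, 7,
             9, 9, 19, 14, 9, 10, 5, 10, 0, 0, 0, 7, 7, 0, 12, 7, 7, 12, 0, 9,
             17, 19, 9, 9, 5, 12, 0]
```

Because the step-figure rows are read cyclically, a figure containing no 0's yields the constant vector (1,1,1,1,1,1) and hence a constant hit number, which the test also checks; that is the degenerate key the next paragraph warns against.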
the reason why the basic equation is of Beaufort type rather than of Vigenère-Caesar type. A combinatorially minded reader might want to compute the number of all possible keys in the C-36 encryption. The additional requirement for the lug matrix should be kept in mind. As will be seen below, all possible keys are not good from the point of view of secrecy. It is obvious that the step figure generates vectors in a periodic fashion. Hence, the C-36 encryption can be viewed as the usage of the Beaufort square with a keyword. But how long is the keyword? Usually it is much longer than any conceivable plaintext. Hence, no periodicity due to the keyword can appear in the cryptotext. Indeed, the lengths of the rows in the step figure are all pairwise relatively prime. This implies that only after

17 · 19 · 21 · 23 · 25 · 26 = 101 405 850

steps we can be sure that we are back in the initial position again, that is, the step figure restarts the generation of the same sequence. In the general case the period is no shorter than this number which, in fact, exceeds the number of characters in a fairly big encyclopedia. However, in special cases the period can be much shorter. For instance, if the step figure contains no 0's then (1, 1, 1, 1, 1, 1) is the only generated vector and, hence, the period equals 1. The period will be short if there are very few 1's in the lug matrix, or if there are very few 0's or very few 1's in the step figure. Thus, such choices of the key should be avoided. There is no compelling mathematical reason for the step figure to consist of 6 rows. This number is just a compromise between security and technical feasibility. Of course, in general the period increases together with the number of rows. The number of rows should obviously be the same in the step figure and in the lug matrix. It is also a great advantage that the lengths of the rows in the step figure are pairwise relatively prime: this guarantees the maximal period. Everything else is arbitrary: the lengths of the rows both in the step figure and in the lug matrix, as well as the additional requirement made for the lug matrix. Physically this requirement corresponds to the number of lugs on a bar in the lug cage. It should by now be obvious that Kasiski's method or any similar approach is inadequate for the cryptanalysis of C-36. The interested reader is referred to [BeP] for other cryptanalytic approaches. Some famous cryptographic machines, such as the German ENIGMA, American SIGABA and the Japanese RED and PURPLE from World War II, are electro-mechanical. The basic building block, a wired codewheel also called a rotor, is an insulating disk on which electrical contacts are placed on the circumference, as well as on each side. The latter contacts make the concatenation of rotors possible. As with C-36, the resulting substitution can be varied from letter to letter. We do not want to enter a more detailed discussion of these machines. The resulting cryptographic mappings are, at least from our point of view, essentially the same as those obtained from C-36. The interested reader is referred to [BeP] for more details. As regards cryptographic machines in general, [Ka] contains an abundance of interesting material.
In the remainder of this chapter we consider the most widely used cryptosystem of all times: Data Encryption Standard (DES) by the National Bureau of Standards. It was published in 1977; the reference [BeP] has reprinted the original publication. DES specifies an algorithm, to be implemented in electronic hardware devices, for encrypting and decrypting data. The whole idea of a “standard” in cryptography is certainly revolutionary. Before the publication of DES, there apparently were no publications containing a complete algorithm for practical cryptographic usage. Although we have made the assumption that the cryptanalyst knows the cryptosystem used, most cryptosystem designers have tried to conceal the details of their algorithm. The DES is a remarkable exception: the algorithm is actually published. This may be considered as a challenge for everybody to break the system! The encryption and decryption according to DES is carried out as follows. First the users choose a key, consisting of 56 random bits. The same key is applied both in the encryption and decryption algorithm and is, of course, kept secret. Eight bits, in positions 8, 16, ..., 64, are added to the key, to assure that each byte is of odd parity. This is useful for error detection in key distribution and storage. Thus, the bits added are determined by the original 56 random bits, now in positions 1, 2, ..., 7, 9, ..., 15, ..., 57, ..., 63 of the key. These 56 bits are subjected to the following permutation:

57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4

The permutation determines two blocks C_0 and D_0 of 28 bits each. Thus, the first three bits of C_0 (resp. the last three bits of D_0) are bits 57, 49, 41 (resp. 20, 12, 4) of the key. Having constructed the blocks C_{n-1} and D_{n-1}, n = 1, ..., 16, we construct the blocks C_n and D_n by one or two left shifts from C_{n-1} and D_{n-1}, according to the following table:

n                       1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Number of left shifts   1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
A single left shift means a rotation of the bits one place to the left: after one left shift the bits in the 28 positions are the bits that were previously in positions 2, 3, ..., 28, 1. Thus, whenever the table entry for n is 2, C_n and D_n are obtained from C_{n-1} and D_{n-1}, respectively, by two left shifts. We are now ready to define 16 permuted selections K_n, 1 ≤ n ≤ 16, of bits from the key. Each K_n consists of 48 bits, obtained from the bits of C_n D_n in the following order:

14 17 11 24  1  5
 3 28 15  6 21 10
23 19 12  4 26  8
16  7 27 20 13  2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32

Thus, the first (resp. last) three bits in K_n are bits 14, 17, 11 (resp. 36, 29, 32) in C_n D_n. Observe that 8 of the 56 bits in C_n D_n are omitted from K_n. Our calculations so far are preliminary in nature: we have computed from the key 16 sequences K_n consisting of 48 bits each. We now show how to encrypt a block w of 64 bits of our plaintext. The block w is first subjected to the following initial permutation:
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7
Thus, after this initial permutation, we have a word w', the first three bits of which are bits 58, 50 and 42 of w. We write w' = L_0 R_0, where both L_0 and R_0 consist of 32 bits. Having defined L_{n-1} and R_{n-1} for 1 ≤ n ≤ 16, we define L_n and R_n by

where ⊕ denotes bit-by-bit addition modulo 2 and f is defined below. The encryption c of the original w is now obtained by applying the inverse of the initial permutation to the 64-bit block R_16 L_16. We still have to define the function f but, before that, let us see how decryption works. It is really simple: the above equations can be written as

We can, thus, “descend” from L_16 and R_16 to L_0 and R_0, after which the decryption is clear! The function f produces from a 32-bit block R_{n-1} or L_{n-1} and a 48-bit block K_n (recall how K_n was obtained from the key!) a block of 32 bits as follows. The first variable of 32 bits is expanded into 48 bits according to the following table:

32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
Thus, the first bit in the original 32-bit block occurs in positions 2 and 48 in the new 48-bit block. After this expansion, the two blocks of 48 bits are added bit by bit modulo 2. The resulting block B of 48 bits is divided into eight 6-bit blocks: B = B_1 B_2 ... B_8. Each of these eight blocks B_i is now transformed into a 4-bit block B_i', using the appropriate table S_i listed below.
S_1
14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
 0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
 4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

S_2
15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
 3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
 0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9

S_3
10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
 1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12

S_4
 7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9
10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4
 3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14

S_5
 2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6
 4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14
11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3

S_6
12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11
10 15  4  2  7 12  9  5  6  1 13 14  0 11  3  8
 9 14 15  5  2  8 12  3  7  0  4 10  1 13 11  6
 4  3  2 12  9  5 15 10 11 14  1  7  6  0  8 13

S_7
 4 11  2 14 15  0  8 13  3 12  9  7  5 10  6  1
13  0 11  7  4  9  1 10 14  3  5 12  2 15  8  6
 1  4 11 13 12  3  7 14 10 15  6  8  0  5  9  2
 6 11 13  8  1  4 10  7  9  5  0 15 14  2  3 12

S_8
13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7
 1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2
 7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8
 2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11
The transformation is carried out as follows. For instance, assume that B_1 = 110010. The first and last bits represent a number x, 0 ≤ x ≤ 3. Similarly, the middle 4 bits represent a number y, 0 ≤ y ≤ 15. In our example, x = 2 and y = 9. The rows and columns of S_1 are considered to be indexed by such numbers x and y. Thus, the pair (x, y) determines a unique number. In our case this number is 15. Taking the binary representation we obtain B_1' = 1111.

The value of f is now obtained by applying the permutation

16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
19 13 30  6 22 11  4 25

to the resulting 32-bit block B_1' B_2' ... B_8'. This completes the definition of the function f, as well as our description of the encryption and decryption algorithms according to DES. The DES algorithms are very fast with appropriate hardware. On the other hand, cryptanalysis leads to numerous nonlinear systems of equations, the problems involved being at least NP-complete, see Appendix A. However, it has been proposed that a purpose-built machine might exhaust all key possibilities. The special equipment would search through all the 2^56 keys at a rate of 10^12 keys per second: there would be 10^6 chips, each searching a different portion of the keyspace at a rate of one key per microsecond. Estimates for the cost of such purpose-built equipment vary considerably. Details can be found, for instance, in [De].
Fig. 1.9
Several properties of DES mappings have been established so far. An interesting property concerning symmetry is given in Problem 16. DES also possesses a feature very desirable from the point of view of secrecy: a small change in the plaintext or key gives rise to a big change in the cryptotext. Detailed figures concerning this avalanche effect can be found in [Kon].
Chapter 2. The Idea of Public Keys

2.1 Some Streets Are One-way

Think about any of the cryptosystems presented in Chapter 1, or any other similar systems. There will be no difficulties in the decryption process for a cryptanalyst who has learned the encryption method. The encryption and decryption keys coincide even in such a sophisticated system as DES. So you give away your secrets if you work with one of the systems mentioned and publicize your encryption method. This is not necessarily the case. There are systems in which you can safely publicize your encryption method. This means that also the cryptanalyst will know it. However, he/she is still unable to decrypt your cryptotext. This is what public-key cryptography is all about: the encryption method can be made public. The idea was presented by Diffie and Hellman [DH]. Although revolutionary, the idea is still very simple. Why was such a simple idea presented so late, in the middle 70s, during the very long history of cryptography? What does safety in giving away the encryption method actually mean? How can one realize the beautiful idea? The answer to the first question is easy: complexity theory was developed only recently. The theory gives us information about the complexity of various computations, say, how much time computations will take with best available computers. Such information is crucial in cryptography. This brings us to the second question. Of course, the encryption method gives away the decryption method in a mathematical sense because the two are “inverses” of each other. Suppose, however, that it will take hundreds of years for the cryptanalyst to compute the decryption method from the encryption method. Then we don't compromise anything by publicizing the encryption method. This is how “safety” in the second question is to be understood. As regards the question about the realization of the idea of public keys, a lot of details will be presented in the sequel. Let us make here some initial observations.

In mathematics, as well as in real life, there are some one-way streets. It is easy to go along the street from A to B, whereas it is practically impossible to go from B to A. Encryption is viewed as the direction from A to B. Although you are able to go in this direction, this does not enable you to go in the opposite direction: to decrypt. Take the telephone directory of a big city. It is easy to find the number of any specific person. On the other hand, it is hard - one might say hopeless! - to find the person who has a certain specified number. The directory consists of several thick volumes. In principle, you have to go through all of them carefully. This gives an idea for a public-key cryptosystem. The encryption is context-free: letter by letter. For each letter of the plaintext, a name beginning with that letter is chosen at random from the directory. The corresponding telephone number constitutes the encryption of that particular occurrence of the letter in question. Thus, the system is polyalphabetic: two different occurrences of the same letter are very unlikely to be encrypted in the same way. The encryption of the plaintext COMETOSAUNA might be as follows.

Plaintext   Name chosen   Cryptotext
C           Cobham        7184142
O           Ogden         3529517
M           Maurer        9372712
E           Engeler       2645611
T           Takahashi     2139181
O           Orwell        5314217
S           Scott         3541920
A           Adleman       4002132
U           Ullman        7384502
N           Nivat         5768115
A           Aho           7721443
Thus, the whole cryptotext is obtained by writing, one after the other, all numbers appearing in the right column. Of course, the numbers are written in the order indicated. Observe that the encryption method is nondeterministic. Enormously many cryptotexts result from one and the same plaintext. On the other hand, each cryptotext gives rise to only one plaintext. A legal receiver of the plaintext message should have a directory listed according to the increasing order of the numbers. Such a directory makes the decryption process easy. According to the terminology discussed in more detail in the sequel, the reverse directory constitutes the secret trapdoor known only to the legal users of the system. Without knowledge of the trapdoor, i.e., without possessing a copy of the reverse directory, the cryptanalyst will have a hard time. This in spite of the fact that the encryption method has been publicized, and so the cryptanalyst knows, in principle, how he/she should interpret the number sequence intercepted. Exhaustive search is likely to take too long. Of course, the cryptanalyst might also try to call the numbers in the cryptotext and ask the names. The success of this method is questionable: the cryptanalyst might get an angry answer or no answer at all in too many cases. Besides, the method becomes nonapplicable if a reasonably old directory is used. The system based on telephone directories is intended to be only an initial illustration, rather than a cryptosystem for serious use. After all, the “reverse” directories are not so hard to come by. The idea of public-key cryptography is closely related with the idea of one-way functions. Given an argument value x, it is easy to compute the function value f(x), whereas it is intractable to compute x from f(x). Here “intractable” is understood in the sense of complexity theory, see Appendix A. The situation is depicted in Fig. 2.1.

Fig. 2.1. x to f(x): easy; f(x) to x: intractable
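The telephone-directory system above as an added example in Python (not the book's code): the directory holds the eleven names and numbers printed on the page, the public key is the directory indexed by initial, the trapdoor is the reverse directory, and the cryptotext is parsed back into numbers by the fixed seven-digit width of these entries. Function names and that fixed width are this example's assumptions.

```python
"""Telephone-directory cryptosystem from the text, as an added example (not the book's
code). DIRECTORY holds the eleven names and numbers printed on the page; the function
names and the fixed seven-digit number format are this example's assumptions."""
import random

# Public directory: name -> number, taken from the page's table.
DIRECTORY = {
    "Cobham": "7184142", "Ogden": "3529517", "Maurer": "9372712",
    "Engeler": "2645611", "Takahashi": "2139181", "Orwell": "5314217",
    "Scott": "3541920", "Adleman": "4002132", "Ullman": "7384502",
    "Nivat": "5768115", "Aho": "7721443",
}
NUMBER_WIDTH = 7  # every number in this directory has seven digits


def by_initial(directory):
    """Public key: for each letter, the numbers of all names starting with it."""
    table = {}
    for name, number in directory.items():
        table.setdefault(name[0].upper(), []).append(number)
    return table


def reverse_directory(directory):
    """Secret trapdoor: number -> name, i.e. the directory sorted by number."""
    return {number: name for name, number in directory.items()}


def encrypt(plain, directory, seed=None):
    """Nondeterministic: p ick any name with the right initial for each letter."""
    rng = random.Random(seed)
    table = by_initial(directory)
    return "".join(rng.choice(table[ch]) for ch in plain.upper())


def decrypt(crypto, directory):
    """Deterministic for the trapdoor holder: split into numbers, read off initials."""
    rev = reverse_directory(directory)
    chunks = [crypto[i:i + NUMBER_WIDTH] for i in range(0, len(crypto), NUMBER_WIDTH)]
    return "".join(rev[chunk][0].upper() for chunk in chunks)


def number_of_cryptotexts(plain, directory):
    """How many cryptotexts one plaintext has: product of the choices per letter."""
    table = by_initial(directory)
    count = 1
    for ch in plain.upper():
        count *= len(table[ch])
    return count


# The page's cryptotext for COMETOSAUNA, all eleven numbers written one after the other.
BOOK_CRYPTO = ("71841423529517937271226456112139181531421735419204002132"
               "738450257681157721443")
```

With only eleven entries the system is tiny: the two letters with two names each (A and O) already give 16 cryptotexts for COMETOSAUNA, and any of them decrypts to the same plaintext through the reverse directory.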
We have referred to f ( x ) as a function. However, Fig. 2.1 is to be understood in a broader sense that includes also nondeterministic encryption methods, such as the telephone directory example. Moreover, the computation of x from f ( x ) should be intractable for the cryptanalyst only. The legal receiver should have a trapdoor available. Let us use the term cryptographic to refer to such one-way functions. It is to be emphasized at this point that no cryptographic one-way functions are known. Many cryptographic functions f (x) are known such that (i) It is easy to compute f ( x ) from x; (ii) Computation of x from f ( x ) is likely to be intractable. However, no proof is known for the intractability claimed in (ii). This reflects the fact that it is very hard to obtain lower bounds in complexity theory. It is very hard to show that, no matter what algorithm we use, a certain computational task is intractable. From the point of view of public-key cryptography, functions satisfying (i) and (ii) are quite sufficient. In a typical public-key cryptosystem only the straightforward cryptanalysis is based on computing x from f ( x ) . There might be other, more ingenious, cryptanalytic methods, where this computation is avoided. Thus, the cryptanalyst might be successful even if we could show that the computation of x from f ( x ) is intractable. These issues will be discussed further in the following example.
Example 2.1. Let us first be more specific in the definition of one-way functions. A problem is termed intractable if there is no algorithm for the problem, operating in polynomial time. If there is such an algorithm, the problem is termed tractable. Easy refers to problems possessing an algorithm operating in low polynomial time, preferably in linear time. NP-complete problems are considered intractable. This is all standard terminology from complexity theory. The reader is referred to Appendix A for further details. It should be observed that traditional complexity theory is by no means ideal from the point of view of cryptography. Traditional complexity theory is all about the worst-case complexity: How hard can the nastiest instance be? Since such nasty instances might be extremely rare, information about the average complexity would be much more essential for cryptography. A function f(x) being one-way means that the transition from x to f(x) is easy, whereas the reverse transition from f(x) to x is intractable. The second requirement is often replaced by a milder condition: the reverse transition is likely to be intractable. (This is the condition (ii) above.) Our example is based on the knapsack problem. An n-tuple

A = (a_1, a_2, ..., a_n)

of distinct positive integers, as well as another positive integer k, are given. The problem is to find, if possible, such integers a_i whose sum equals k. The intuitive picture is that k indicates the size of a knapsack and each of the numbers a_i indicates the size of a particular item that can be packed into the knapsack. The problem is to find such items that the knapsack will be full. As an illustration, consider the 10-tuple (43, 129, 215, 473, 903, 302, 561, 1165, 697, 1523) as well as the number 3231. We observe that

3231 = 129 + 473 + 903 + 561 + 1165.

Thus, we found a solution. The situation is depicted in Fig. 2.2.
Fig. 2.2
In principle a solution can always be found by checking through all subsets of A and finding out whether one of them sums up to k. In our illustration this means
$2^{10} = 1024$ subsets. (This count includes even the empty subset.) This is certainly manageable. But what about if there are several hundreds of the numbers $a_i$? Our illustration is small to aid the readability of the presentation. A more realistic illustration
would have, say, 300 $a_i$'s. The point is that no essentially better algorithm than exhaustive search is known. A search through $2^{300}$ subsets is unmanageable. Indeed, the knapsack problem is known to be NP-complete. Our n-tuple A defines a function f(x) as follows. Any number x in the interval $0 \le x \le 2^n - 1$ can be given a binary representation consisting of n bits; we add initial zeros if necessary. Thus, 1, 2 and 3 are represented as 0...001, 0...010 and 0...011, whereas 1...111 is the representation for $2^n - 1$. We now define f(x) to be the number obtained from A by summing up all numbers $a_i$ such that the corresponding bit in the binary representation of x equals 1. Thus,

$f(1) = f(0 \ldots 001) = a_n$,
$f(2) = f(0 \ldots 010) = a_{n-1}$,
$f(3) = f(0 \ldots 011) = a_{n-1} + a_n$,

and so forth. Using vector multiplication, we may write $f(x) = AB_x$, where $B_x$ is the binary representation of x, written as a column vector. Our previous equation (see also Fig. 2.2) can now be written in the form

f(364) = f(0101101100) = 129 + 473 + 903 + 561 + 1165 = 3231.

Further function values determined by the same 10-tuple are:

f(609) = f(1001100001) = 43 + 473 + 903 + 1523 = 2942,
f(686) = f(1010101110) = 43 + 215 + 903 + 561 + 1165 + 697 = 3584,
f(32) = f(0000100000) = 903,
f(46) = f(0000101110) = 903 + 561 + 1165 + 697 = 3326,
f(128) = f(0010000000) = 215,
f(261) = f(0100000101) = 129 + 1165 + 1523 = 2817,
f(44) = f(0000101100) = 903 + 561 + 1165 = 2629,
f(648) = f(1010001000) = 43 + 215 + 561 = 819.

These particular values will be needed below. The function f(x) was defined using the n-tuple A. Clearly, if we are able to compute x from f(x) then essentially the same amount of work will solve the knapsack problem: x yields immediately its binary representation which, in turn, gives the items of A that sum up to f(x). On the other hand, the computation of f(x) from x is easy. Since the knapsack problem is NP-complete, f(x) is a good candidate for a one-way function. Of course it is assumed that n is reasonably large, say, at least 200. The function f(x) is also cryptographic, as will be seen below. Let us first see how “knapsack vectors” A can be used as a basis for a cryptosystem. The plaintext is first encoded into bits and divided into blocks consisting of n bits each. If necessary, the last block is “filled” by adding some zeros to the end.
Each of the n-bit blocks is then encrypted by computing the value of the function f for that particular block. If the plaintext is in English, a natural way of encoding is to replace each letter by the number of the letter in the alphabet, written in binary notation. Five bits are needed for this purpose. In the following table, the numbering of the letters begins from 1, whereas the space between two words is given the number 0.

Letter   Number   Binary notation
Space    0        00000
A        1        00001
B        2        00010
C        3        00011
D        4        00100
E        5        00101
F        6        00110
G        7        00111
H        8        01000
I        9        01001
J        10       01010
K        11       01011
L        12       01100
M        13       01101
N        14       01110
O        15       01111
P        16       10000
Q        17       10001
R        18       10010
S        19       10011
T        20       10100
U        21       10101
V        22       10110
W        23       10111
X        24       11000
Y        25       11001
Z        26       11010
Consider our previous 10-tuple and the plaintext SAUNA AND HEALTH. Since the blocks to be encrypted consist of 10 bits each, the block division of our plaintext is as follows: SA, UN, A space, AN, D space, HE, AL, TH.
The corresponding eight sequences of bits are:

1001100001, 1010101110, 0000100000, 0000101110, 0010000000, 0100000101, 0000101100, 1010001000.

But these sequences are exactly the argument values of f discussed above. Hence, the cryptotext is the 8-tuple (2942, 3584, 903, 3326, 215, 2817, 2629, 819).
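The knapsack function f, the 5-bit letter encoding and the blockwise encryption of SAUNA AND HEALTH, as an added example (not the book's own code) built from the values of Example 2.1. It also carries out the exhaustive $2^n$-subset search the text describes, which is what exposes the ambiguity of the 5-tuple (17, 103, 50, 81, 33) discussed further below.

```python
from itertools import product

# Constructed for this example from the values of Example 2.1; not the book's code.
A10 = (43, 129, 215, 473, 903, 302, 561, 1165, 697, 1523)
A5 = (17, 103, 50, 81, 33)                   # the ambiguous 5-tuple from the text
ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"     # space = 0, A = 1, ..., Z = 26


def knapsack_f(a, x):
    """f(x) = A B_x: add the a_i whose bit in the n-bit binary form of x is 1."""
    n = len(a)
    if not 0 <= x < 2 ** n:
        raise ValueError("x does not fit in n bits")
    bits = format(x, f"0{n}b")               # leftmost bit belongs to a_1
    return sum(ai for ai, bit in zip(a, bits) if bit == "1")


def encode_text(text):
    """Five bits per character; raises ValueError on characters outside the table."""
    return "".join(format(ALPHABET.index(ch), "05b") for ch in text.upper())


def decode_bits(bits):
    """Inverse of encode_text for a bit string whose length is a multiple of 5."""
    return "".join(ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def encrypt(a, text):
    """Split the encoded plaintext into n-bit blocks (zero-padded) and apply f."""
    n = len(a)
    bits = encode_text(text)
    bits += "0" * (-len(bits) % n)           # fill the last block with zeros
    return tuple(knapsack_f(a, int(bits[i:i + n], 2)) for i in range(0, len(bits), n))


def preimages(a, k):
    """All x with f(x) = k, found by checking every one of the 2^n subsets of A."""
    n = len(a)
    found = []
    for choice in product((0, 1), repeat=n):
        if sum(ai for ai, c in zip(a, choice) if c) == k:
            found.append(int("".join(map(str, choice)), 2))
    return found


def is_unambiguous(a):
    """True when no two different subsets of A have the same sum, i.e. f is injective."""
    seen = set()
    for choice in product((0, 1), repeat=len(a)):
        s = sum(ai for ai, c in zip(a, choice) if c)
        if s in seen:
            return False
        seen.add(s)
    return True


if __name__ == "__main__":
    print(encrypt(A10, "SAUNA AND HEALTH"))   # (2942, 3584, 903, 3326, 215, 2817, 2629, 819)
    # Two different 5-bit letters sum to 131 under A5: F (00110) and S (10011).
    print([decode_bits(format(x, "05b")) for x in preimages(A5, 131)])   # ['F', 'S']
```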
So far our cryptosystem based on the knapsack function f(x) is not public-key. Indeed, we can use it as a classical system. Then the cryptanalyst has to find the basic n-tuple A and, after that, still solve the knapsack problem. If the cryptanalyst can use the setup “chosen plaintext” then it is easy to find A: the cryptanalyst uses plaintexts with exactly one occurrence of 1. But also the legal receiver has to solve the knapsack problem in order to decrypt. This means that the decryption is equally difficult (and calls for the solution of an NP-complete problem) both for the cryptanalyst and the legal receiver. This state of affairs is highly undesirable and shows that, as such, the cryptosystem is very bad. In a good cryptosystem decryption should be immensely harder for the cryptanalyst than for the legal receiver. Let us raise one further issue before we try to improve the cryptosystem and also to convert it into a public-key system. There should never be two plaintexts coming from the same cryptotext. This means that no two different sums formed from the entries of A should be equal. The sums may have the same or a different number of summands but each entry may be used only once. It can be shown that the 10-tuple discussed above has this property. But the 5-tuple (17, 103, 50, 81, 33) does not have this property. According to this 5-tuple, the cryptotext (131, 33, 100, 234, 33) can be decrypted both as SAUNA and FAUNA, a rather high degree of ambiguity! Further decryptions of the same cryptotext would result if we had a plaintext character encoded as the bit sequence 11011. Let us now convert the cryptosystem based on the n-tuple A into a public-key one. We begin with some general remarks, and then return to our numerical illustration. There are classes of easy knapsack problems. One such class results from superincreasing n-tuples A. An n-tuple $A = (a_1, a_2, \ldots, a_n)$ is termed superincreasing if each number exceeds the sum of the preceding numbers, that is,

$$a_j > \sum_{i=1}^{j-1} a_i \quad \text{for } j = 2, \ldots, n.$$
Exhaustive search is not needed to solve the corresponding knapsack problem: it suffices to scan through A once from right to left. Given k (the size of the knapsack), we first find out whether or not $k \ge a_n$. If the answer is “no”, $a_n$ cannot belong to the sum we are looking for. If the answer is “yes”, $a_n$ must belong to the sum. This follows because all of the remaining $a_i$'s cannot sum up to k. We define

$$k_1 = \begin{cases} k - a_n & \text{if } k \ge a_n, \\ k & \text{if } k < a_n, \end{cases}$$

and carry out the same procedure for $k_1$ and $a_{n-1}$. We are through when we reach $a_1$. The algorithm shows also that, for any k, the knapsack problem has at most one solution, provided A is superincreasing. If we publicize a superincreasing A as the basis of our cryptosystem, then decryption will be equally easy for both the cryptanalyst and the legal receiver. In order to avoid this, we “scramble” A in such a way that the resulting B is not any more superincreasing but rather looks like an arbitrary knapsack vector. In fact, it only looks like one because very few knapsack vectors can be obtained in this fashion: the scrambling we use is modular multiplication. Indeed, we used modular arithmetic many times already in Chapter 1. A reader unfamiliar with the congruence notation should consult Appendix B. An integer $m > \sum a_i$ is chosen. Since A is superincreasing, m is large in comparison with all numbers in A. Another integer t, with no common factors with m, is chosen. m and t are referred to as the modulus and the multiplier. The choice of t guarantees that there exists another integer $t^{-1}$ such that $tt^{-1} \equiv 1 \pmod m$. The integer $t^{-1}$ can be regarded as the inverse of t. It can be easily computed from t and m. We now form the products $ta_i$, i = 1, ..., n, and reduce them modulo m: let $b_i$ be the least positive remainder of $ta_i$ modulo m. The resulting vector $B = (b_1, \ldots, b_n)$ is publicized as the encryption key. The encryption method for blocks of plaintext consisting of n bits each is the one described above. The items t, $t^{-1}$ and m are kept as the secret trapdoor. Before comparing the situation from the point of view of the cryptanalyst and the legal receiver, let us return to our previous numerical illustration. It is easy to see that our previous 10-tuple (now denoted by B)

B = (43, 129, 215, 473, 903, 302, 561, 1165, 697, 1523)

is obtained by modular multiplication with m = 1590 and t = 43 from the superincreasing knapsack vector

A = (1, 3, 5, 11, 21, 44, 87, 175, 349, 701).

Let us verify this in detail.
The first five numbers in B are obtained from the corresponding numbers in A by a direct multiplication with 43; no reduction with respect to the modulus is needed. (In a real-life situation not even the first numbers should be too small because then the multiplier can be easily detected.) The following calculations yield the remaining five numbers in B.

43 · 44 = 1892 = 1590 + 302,
43 · 87 = 3741 = 2 · 1590 + 561,
43 · 175 = 7525 = 4 · 1590 + 1165,
43 · 349 = 15007 = 9 · 1590 + 697,
43 · 701 = 30143 = 18 · 1590 + 1523.

We observe further that t and m have no common factors. In fact,

43 · 37 = 1591 ≡ 1 (mod 1590).

Hence, $t^{-1} = 37$.
Let us now find out an easy decryption method for the legal receiver. Consider first the general case, where A is a superincreasing vector and B is obtained from A by multiplying each number in A with t (mod m). Since the legal receiver knows $t^{-1}$ and m, he/she is able to find A from the public key B. After receiving a cryptotext block c', which is an integer, the legal receiver computes $t^{-1}c'$ and its smallest positive remainder c (mod m). To decrypt, he/she solves the easy knapsack problem defined by A and c. The solution is a unique sequence p of n bits. It is also a correct block of the plaintext because any solution p' of the knapsack problem defined by B and c' must equal p. Indeed,

$$c \equiv t^{-1}c' \equiv t^{-1}Bp' \equiv t^{-1}tAp' = Ap' \pmod m.$$

Observe now that Ap' < m because $m > a_1 + a_2 + \cdots + a_n$. This implies that the above congruence can be reduced to the equation c = Ap'. Since the knapsack problem defined by A and c cannot have several solutions, we must have p' = p. Thus, how should the legal receiver handle the cryptotext (2942, 3584, 903, 3326, 215, 2817, 2629, 819) obtained earlier? Multiplying by $t^{-1} = 37$ he/she obtains first

37 · 2942 = 108854 = 68 · 1590 + 734 ≡ 734 (mod 1590).

Continuing in the same way, he/she gets the 8-tuple

(734, 638, 21, 632, 5, 879, 283, 93).

The number 734 and the superincreasing A yield the 10-bit sequence 1001100001. Indeed, since 734 > 701, the last bit must be 1. The numbers in A are now compared with the difference 734 − 701 = 33. The first number, from right to left, smaller than 33 is 21. The next number 11 is smaller than the difference 33 − 21 = 12. Finally, the first number 1 equals the difference 12 − 11. The positions of 1, 11, 21 and 701 in A are 1, 4, 5 and 10, respectively.
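The trapdoor side of Example 2.1 as an added example (not the book's own code): key generation by modular multiplication, the right-to-left scan that solves a superincreasing knapsack, and the decryption of the 8-tuple above. The vector A_SECRET is the superincreasing vector recovered from the book's own calculations (43 times each entry gives B after reduction modulo 1590); the decryption rejects any block that is not a subset sum of A instead of silently returning garbage.

```python
from math import gcd

# Added example, not the book's code: the trapdoor side of Example 2.1.
A_SECRET = (1, 3, 5, 11, 21, 44, 87, 175, 349, 701)   # superincreasing, sum 1397 < m
M, T = 1590, 43                                      # modulus and multiplier
CRYPTOTEXT = (2942, 3584, 903, 3326, 215, 2817, 2629, 819)   # from the text
ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"             # the 5-bit letter table


def is_superincreasing(a):
    """Each a_j must exceed the sum of all entries before it."""
    total = 0
    for ai in a:
        if ai <= total:
            return False
        total += ai
    return True


def make_public_key(a, m, t):
    """B = (t a_1 mod m, ..., t a_n mod m), after checking the construction's preconditions."""
    if not is_superincreasing(a):
        raise ValueError("A must be superincreasing")
    if m <= sum(a):
        raise ValueError("m must exceed the sum of A, otherwise c = A p' need not hold")
    if gcd(t, m) != 1:
        raise ValueError("t must have no common factor with m")
    return tuple(t * ai % m for ai in a)


def solve_superincreasing(a, k):
    """One scan of A from right to left. Returns the n-bit string p with A p = k,
    or None when k is not a subset sum (a corrupted or forged block, for instance)."""
    bits = []
    for ai in reversed(a):
        if k >= ai:
            bits.append("1")
            k -= ai
        else:
            bits.append("0")
    return "".join(reversed(bits)) if k == 0 else None


def decrypt_blocks(a, m, t, cryptotext):
    """Return the plaintext bit string; every block must have a solution."""
    t_inv = pow(t, -1, m)                     # t^{-1} mod m (Python 3.8+)
    bits = ""
    for c_prime in cryptotext:
        c = t_inv * c_prime % m               # c = t^{-1} c' (mod m), as in the text
        p = solve_superincreasing(a, c)
        if p is None:
            raise ValueError(f"block {c_prime} is not a valid cryptotext block")
        bits += p
    return bits


def bits_to_text(bits):
    """Undo the 5-bit letter encoding; trailing zero padding decodes as spaces."""
    return "".join(ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


if __name__ == "__main__":
    print(make_public_key(A_SECRET, M, T))    # the public 10-tuple B
    print(bits_to_text(decrypt_blocks(A_SECRET, M, T, CRYPTOTEXT)))   # SAUNA AND HEALTH
```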
The numbers 638, ..., 93 yield in the same way the other seven 10-bit sequences listed above. By decoding all eight sequences the legal receiver obtains the plaintext SAUNA AND HEALTH. The above Example 2.1 constitutes the main part of this section. The general principles for the construction of public-key cryptosystems will be stated explicitly in the next section. The cryptosystem based on superincreasing knapsack vectors serves as a simple and yet detailed illustration of these principles. On the other hand, the cryptosystem as such is not very reliable: a polynomial-time algorithm for breaking it will be discussed in Chapter 3. The algorithm is based on the fact that it is not necessary for the cryptanalyst to find the correct multiplier t and modulus m, that is, the ones actually used by the cryptosystem designer. It suffices to find any t' and m' such that the multiplication of the publicized vector by t' (mod m') yields a superincreasing vector. Thus, the cryptanalyst may actually break the system by preprocessing, that is, after the encryption key has been publicized. Since the public encryption keys are used for some time, there is often plenty of time for preprocessing, whereas the cryptanalyst is in a hurry after intercepting important encrypted messages. One-way streets: that’s what public-key cryptography is all about. The reader might think of examples of one-way streets within different realms of life. Here is one very typical example. The device depicted in Fig. 2.3 is a trap used for fishing, especially in the Nordic countries.
Fig. 2.3
It is very easy for a fish to enter the cage. The shape of the entrance guides the fish in; for further encouragement there might be some small fish in the cage as bait. On the other hand, it is very hard for a fish to find its way out, although in principle an escape is possible. The legal receiver, that is the fisherman, takes the fish out by opening the trapdoor on top of the cage.
2.2 How to Realize the Idea

This section will contain some general principles about the construction of public-key cryptosystems. The knowledge of the encryption key $E_k$ should not give away
the decryption key $D_k$. More specifically, the computation of $D_k$ from $E_k$ should be intractable, at least for almost all keys k. The following mechanical analog depicts the difference between classical and public-key cryptosystems. Assume the information is sent in a box with clasp rings. Then, encryption according to a classical cryptosystem corresponds to the locking of the box with a padlock and sending the key via some absolutely secure channel, such as using an agent in the James Bond class. Key management is always an essential issue, and often constitutes a difficult problem, when one uses classical cryptosystems. Public-key cryptography corresponds to having open padlocks, provided with your name, freely available in places such as post offices. A person who wants to send a message to you closes a box with your padlock and sends it to you. Only you have a key for opening the padlock.
Fig. 2.4
The following modification of the basic public-key procedure is suitable for classical cryptosystems as well. Denote by $E_A, E_B, \ldots$ the encryption procedures used by A, B, .... Denote the decryption procedures similarly by $D_A, D_B, \ldots$. Assume further that the cryptosystem is commutative: in any composition of $E_A, E_B, D_A, D_B, \ldots$ the order of the factors is immaterial. If A wants to send a message w to B, then the following protocol is used:

(i) A sends $E_A(w)$ to B.
(ii) B sends $E_B(E_A(w))$ to A.
(iii) A sends $D_A(E_B(E_A(w))) = D_A(E_A(E_B(w))) = E_B(w)$ to B.
(iv) B decrypts $D_B(E_B(w)) = w$.
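The four-step exchange above, as an added example that is not part of the book. The text only assumes a commutative cryptosystem; here that assumption is filled in with exponentiation modulo a prime p, where $E_X(w) = w^{e_X} \bmod p$, $D_X(c) = c^{d_X} \bmod p$ and $e_X d_X \equiv 1 \pmod{p-1}$, so that the order of the factors is immaterial; the prime 1009 and the exponents are constructed for the example.

```python
from math import gcd

# Added example, not from the book: the three-pass protocol with a commutative
# cipher chosen for the example (exponentiation modulo the constructed prime P).
P = 1009


class Party:
    """Holds one party's private exponent pair (e, d) with e*d = 1 (mod p-1)."""

    def __init__(self, name, e, p=P):
        if gcd(e, p - 1) != 1:
            raise ValueError("exponent must be invertible modulo p-1")
        self.name, self.p = name, p
        self.e = e                      # encryption exponent
        self.d = pow(e, -1, p - 1)      # decryption exponent (Python 3.8+)

    def encrypt(self, w):               # E_X(w) = w^e mod p
        return pow(w, self.e, self.p)

    def decrypt(self, c):               # D_X(c) = c^d mod p
        return pow(c, self.d, self.p)


def is_commutative(a, b, w):
    """E_B(E_A(w)) == E_A(E_B(w)), the property the protocol relies on."""
    return b.encrypt(a.encrypt(w)) == a.encrypt(b.encrypt(w))


def three_pass(a, b, w):
    """Steps (i)-(iv). Returns what B recovers and the three messages on the wire."""
    if not 0 < w < a.p:
        raise ValueError("message must lie in 1..p-1")
    m1 = a.encrypt(w)          # (i)   A sends E_A(w) to B
    m2 = b.encrypt(m1)         # (ii)  B sends E_B(E_A(w)) to A
    m3 = a.decrypt(m2)         # (iii) A removes her lock and sends E_B(w) to B
    recovered = b.decrypt(m3)  # (iv)  B computes D_B(E_B(w)) = w
    return recovered, (m1, m2, m3)


if __name__ == "__main__":
    alice, bob = Party("A", 5), Party("B", 11)
    w = 364                                 # constructed message, one plaintext block
    recovered, wire = three_pass(alice, bob, w)
    print(recovered, wire)                  # w is never sent in the clear
```

Note that, exactly as the text says next, the exchange proves nothing about who the other party is: a third party with its own exponent pair could play B's role.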
Coming back to our illustration with padlocks, open padlocks need not be distributed in advance if this protocol is followed. First, A sends the box to B, locked with A’s padlock. Then, B sends the box back to A, now locked also with B’s padlock. Next, A opens the padlock $E_A$ and sends the box back to B. Now B can open it. Thus, the box is always protected by at least one padlock. There is no problem in the key management: the keys are not distributed at all. See Fig. 2.4. The protocol described above is secure against passive eavesdroppers. However, an active eavesdropper C might masquerade as B. Then A has no way of knowing who the other party actually is. By a passive eavesdropper we mean a cryptanalyst who tries only to obtain all possible information in order to decipher important messages. An active eavesdropper masquerades as the intended receiver of a message and returns information to the original sender accordingly. We are now ready to list the general principles behind the construction of public-key cryptosystems.

Step 1: Start with a difficult problem P. P should be intractable according to complexity theory: there is no algorithm that solves all instances of P in polynomial time with regard to the size of the instance. Preferably, not only the “worst-instance” complexity but also the average complexity of P is high.

Step 2: Pick up an easy subproblem $P_{easy}$ of P. $P_{easy}$ should be in polynomial time, preferably in linear time.

Step 3: “Shuffle or scramble” $P_{easy}$ in such a way that the resulting problem $P_{shuffle}$ does not resemble the problem $P_{easy}$ any more. The problem $P_{shuffle}$ should at least look like the original intractable problem P.

Step 4: Publicize $P_{shuffle}$, describing how it should be used as an encryption key. The information concerning how $P_{easy}$ can be recovered from $P_{shuffle}$ is kept as a secret trapdoor.

Step 5: Construct the details of the cryptosystem in such a way that decryption will be essentially different for the cryptanalyst and the legal receiver. While the former has to solve $P_{shuffle}$ (looking like the intractable P), the latter may use the trapdoor and solve only $P_{easy}$.

Of course, our description of the Steps 1-5 is still on a very abstract level. The quality of the resulting public-key cryptosystem depends on how the details can be filled in. There are many questions to be answered. How is $P_{shuffle}$ used as a basis for encryption? How easy is $P_{easy}$? What constitutes the trapdoor? In particular, is it possible for the cryptanalyst to find the trapdoor by preprocessing? Can an instance of $P_{shuffle}$ be easy to crack just accidentally? And so forth. We will return below to the theoretical problems involved. Let us now recall Example 2.1 from the preceding section. It serves as a very typical illustration of Steps 1-5. The knapsack problem is NP-complete, so it is a very suitable choice for the basic intractable problem. The superincreasing
knapsack problem is an easy enough subproblem of P. Modular multiplication constitutes a reasonable way of shuffling. We still return in Chapter 3 to the problem of how reasonable it actually is. This discussion will also deal with the possibilities of the cryptanalyst, as well as with some modified cryptosystems. In general, knapsack vectors form a natural and useful method for encryption. What is very interesting about the basic Steps 1-5 of public-key cryptography has something to do with their universality: the subject matter or the area of the problems is not specified in any way. In principle, the problems can be almost about anything. Examples will be seen in later chapters. However, so far the problems most suitable as a basis for a public-key cryptosystem have dealt with number theory. We have already seen an example: the knapsack problem. So far the most widely studied public-key cryptosystem, RSA, is also based on number theory. The product of two large prime numbers can be publicized without giving away the primes themselves. The one-way function, or the trapdoor, can be formulated in these terms. Details will be presented in Chapter 4. It is maybe intrinsic in the nature of public-key cryptography that very little or nothing is known about the underlying problems. Thus, RSA has been very successful although the complexity of the underlying problem, factorization, has not been adequately characterized. On the other hand, some public-key cryptosystems based on provably intractable problems (NP-complete, etc.) have turned out to be failures. For future reference, we now list some very fundamental number-theoretic problems that have so far defied all attempts to classify their complexities. Indeed, none of the subsequent problems is known either to possess a deterministic polynomial time algorithm, or to be complete for any natural complexity class. The problems have turned out to be very useful for many aspects of public-key cryptography. Some mutual reductions among the problems are also known: which of them are “easier” and which are “harder”.

FACTOR(n). Find the factorization of n.
PRIMALITY(n). Decide whether or not n is prime.
FIND-PRIME(>n). Find a prime number > n.
SQUAREFREENESS(n). Decide whether or not a square of a prime divides n.
QUAD-RESIDUE(a, n). Decide whether or not $x^2 \equiv a \pmod n$ holds for some x.
SQUAREROOT(a, n). Find, if possible, an x such that $x^2 \equiv a \pmod n$.
DISCRETE-LOG(a, b, n). Find, if possible, an x such that $a^x \equiv b \pmod n$.

A number-theory minded reader might want to think of some natural reductions among the problems mentioned. For instance, if we are able to factor n, we are also able to tell whether or not n is prime. In fact, the primality problem is essentially simpler than factorization because there are many easily computable criteria to the following effect: if n is prime then a certain condition A (for instance, a congruence) is satisfied. Hence, if A is not satisfied then we are able to conclude that n is composite, without being able to factorize n.
From the theoretical point of view it would be desirable to be able to formally establish some lower bounds for the amount of work the cryptanalyst has to do in order to break a public-key cryptosystem. Unfortunately, no such theoretical lower bounds are known for the most widely used public-key cryptosystems. For instance, FACTOR(n) might be in low polynomial time, which would mean that RSA and related systems would collapse. On the other hand, it is not likely that FACTOR(n) is in low polynomial time. After all, people have investigated FACTOR(n) (more or less intensely) already for more than two thousand years. We will now discuss some issues of complexity theory that shed some light on the state of affairs: there are no provable lower bounds for the amount of work of a cryptanalyst analyzing a public-key cryptosystem. In fact, our previous Golden rule can be extended to concern public-key cryptosystems as follows. Golden Rule for Designers of Public-Key Cryptosystems. Test your system in practice from various points of view. Do not expect to prove remarkable results concerning the security of your system. Again, a reader not familiar with the basics of complexity theory should consult Appendix A. It is generally believed that $P \ne NP$. This implies that NP-complete problems are intractable. Hence, if we can show that the cryptanalysis of a public-key cryptosystem is NP-complete, we would have established its intractability. However, the following argument shows that this is not likely to be the case. The encryption key is public. Combine this fact with the requirement posed for any cryptosystem, classical and public-key alike: the encryption is easy once the encryption key and the plaintext are known. (Otherwise, the cryptosystem would be very cumbersome to use!) It follows that in any reasonable public-key cryptosystem the cryptanalysis problem is in NP. Given a cryptotext, the cryptanalyst first guesses the plaintext and then encrypts it, finding out whether it leads to the given cryptotext. Even if the publicized encryption method is nondeterministic, the whole procedure is still clearly in NP. The cryptanalysis problem is also in Co-NP. If the encryption method is deterministic, then this is obvious because one can proceed exactly as before: find out that the given plaintext-candidate does not yield the given cryptotext. In the general case, independently of whether the encryption method is deterministic, we argue as follows. We are given a triple (w, k, c), where w is a candidate for the plaintext, k is the public encryption key and c is the cryptotext. We are supposed to accept the triple exactly in case w is not the plaintext giving rise to c. Clearly there is only one such plaintext; otherwise, decryption would be ambiguous. Our algorithm first guesses the plaintext p, then finds out (in nondeterministic polynomial time) whether p gives rise to c according to k. Only in case of a positive answer the algorithm continues, comparing p and w letter by letter. If a difference is found, the algorithm accepts. We are viewing the cryptanalysis problem in the obvious fashion: find the plaintext when the cryptotext and the public key are known. Along similar lines
one can show that several analogous problems are in the intersection NP ∩ Co-NP, for instance, the following ones. In each case we assume that the public encryption key and the cryptotext are given. (i) Does a given word appear as a prefix (resp. a suffix) in the plaintext? (ii) Does a given word appear as a subword in the plaintext? (iii) Is a given word obtained by considering only the letters in the positions 5, 10, 15, ... in the plaintext? Thus, the cryptanalysis problem for a public-key cryptosystem is in the intersection NP ∩ Co-NP. Hence, if the cryptanalysis problem C were NP-complete, we would have NP = Co-NP. This is seen by the following simple argument. Consider any L in NP. Since C is NP-complete, L is polynomial time reducible to C. Consequently, also the complement of L is polynomial time reducible to the complement of C, which is in NP, by our assumption. This implies that L is in Co-NP and, hence, NP is included in Co-NP. By this inclusion, the reverse inclusion is obvious. Take any L in Co-NP. The complement of L is in NP and, consequently, in Co-NP. This implies that L is in NP. We have shown that if the cryptanalysis problem for a public-key cryptosystem is NP-complete, then NP = Co-NP. This implies that it is highly unlikely that the cryptanalysis problem for a public-key cryptosystem is NP-complete or higher up in the complexity hierarchy. We can look for examples optimal from the point of view of complexity theory.

Example 2.2. (Due to [Kar 1].) Consider wffpc’s (see Appendix A) with variables in X ∪ Y, where X and Y are disjoint. Every such wffpc is built from variables using propositional connectives ∨, ∧ and ¬. We allow also the truth-values T and F to appear in a wffpc. Let α be an assignment of truth-values for the variables in X, and $p_0$ and $p_1$ two wffpc’s such that $p_0$ assumes the truth-value T and $p_1$ the value F (or vice versa) for every assignment of truth-values for variables in X ∪ Y that uses α for the variables in X. Thus, if α is used for X, the truth-values of $p_0$ and $p_1$ are independent of the truth-values assigned for the variables in Y. The pair $(p_0, p_1)$ constitutes the public encryption key, whereas α is the secret trapdoor. As an illustration, consider $X = \{x_1, x_2\}$ and $Y = \{y_1, y_2\}$. Define α by

$$\alpha(x_1) = F \quad \text{and} \quad \alpha(x_2) = T.$$

One can then choose

$$p_0 = \neg y_1 \wedge y_2 \wedge x_2 \wedge (y_1 \vee x_1 \vee (\neg y_2 \wedge x_2)),$$
$$p_1 = (y_2 \vee x_2) \wedge (y_1 \vee x_1 \vee (\neg y_1 \wedge x_2)).$$

It is easy to see that, independently of the values for $y_1$ and $y_2$, $p_0$ assumes the value F and $p_1$ the value T for α. To encrypt a particular occurrence of the bit i in the plaintext, one assigns in $p_i$ truth-values for the variables in Y in an arbitrary fashion and shuffles the resulting wffpc (with variables in X) randomly according to the standard rules of the propositional calculus (introduction and elimination of T and F, associativity,
commutativity, distributivity, idempotence). If we assign the values F and T for $y_1$ and $y_2$ in our illustration, $p_0$ reads

$$\neg F \wedge T \wedge x_2 \wedge (F \vee x_1 \vee (\neg T \wedge x_2)).$$

This can be shuffled to $x_2 \wedge x_1$. Consequently, $x_2 \wedge x_1$ is one possible encryption for the bit 0. Legal decryption is immediate because α is known. Using the NP-completeness of the satisfiability problem, the following result can be obtained. Assume that we may consult an oracle who, given the public key and a cryptotext, tells us the bit the cryptotext is obtained from. (Oracles will be discussed in more detail in Chapter 4.) Then for every language in the intersection of NP and Co-NP, there is a deterministic polynomial time algorithm using the oracle for determining whether or not a given word is in the language. The result means that the cryptanalysis of any public-key cryptosystem can be reduced to the cryptanalysis of the system described above. Thus, the system is optimal in the sense that any cryptanalytic method to break it can be used to break any other public-key cryptosystem as well. Unfortunately, the same result can be obtained for the following degenerate system. In the public key $(p_0, p_1)$, exactly one of the p’s, say $p_k$, is satisfiable. The index k constitutes the secret trapdoor. An occurrence of the bit i is encrypted by first assigning truth-values for the variables in $p_i$ in an arbitrary fashion. If the resulting truth-value for $p_i$ is T, i is encrypted as #, otherwise i is encrypted as i itself. In the legal decryption one simply maps # to k and leaves 0 and 1 unchanged. On the other hand, a cryptanalyst can find out the meaning of # by generating assignments until either $p_0$ or $p_1$ becomes true. If $p_k$ is rarely true, then # occurs rarely in the cryptotext. Thus, the degenerate system is intuitively very weak. The paradox of the system being optimal is explained by the fact that we have considered worst case rather than average complexities. □

In the discussion above the setup for cryptanalysis has been: given cryptotext and public encryption key.
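The key $(p_0, p_1)$ and trapdoor α of Example 2.2, as an added example that is not part of the book: it checks that each $p_i$ is constant under α for every choice of $y_1, y_2$ (the condition a valid key must satisfy), encrypts a bit by fixing Y arbitrarily, and decrypts by evaluating under α. The random shuffling step is omitted, since it changes the form of a formula but not its truth-table, which is what is compared here.

```python
from itertools import product
import random

# Added example, not from the book: the public key (p_0, p_1) and trapdoor alpha
# of Example 2.2. Formulas are represented as Python functions of (x1, x2, y1, y2).
def p0(x1, x2, y1, y2):
    return (not y1) and y2 and x2 and (y1 or x1 or ((not y2) and x2))


def p1(x1, x2, y1, y2):
    return (y2 or x2) and (y1 or x1 or ((not y1) and x2))


PUBLIC_KEY = (p0, p1)
ALPHA = {"x1": False, "x2": True}          # the secret trapdoor alpha


def value_under_alpha(p, alpha):
    """The truth-value p takes under alpha if it is the same for all y_1, y_2;
    None if it still depends on Y, in which case (p_0, p_1) is not a valid key."""
    values = {bool(p(alpha["x1"], alpha["x2"], y1, y2))
              for y1, y2 in product((False, True), repeat=2)}
    return values.pop() if len(values) == 1 else None


def is_valid_key(key, alpha):
    """Both formulas constant under alpha, with opposite values."""
    v0, v1 = (value_under_alpha(p, alpha) for p in key)
    return v0 is not None and v1 is not None and v0 != v1


def encrypt_bit(i, key, rng=random):
    """Fix Y arbitrarily in p_i; the cryptotext is a formula in x_1, x_2 only."""
    y1, y2 = rng.choice((False, True)), rng.choice((False, True))
    p = key[i]
    return lambda x1, x2: bool(p(x1, x2, y1, y2))


def decrypt_bit(c, key, alpha):
    """Evaluate the cryptotext under alpha; it equals p_1's constant value iff the bit is 1."""
    return 1 if c(alpha["x1"], alpha["x2"]) == value_under_alpha(key[1], alpha) else 0


def truth_table(c):
    """Truth table of a cryptotext formula over (x1, x2); equal tables = same formula."""
    return tuple(c(x1, x2) for x1, x2 in product((False, True), repeat=2))


if __name__ == "__main__":
    print(is_valid_key(PUBLIC_KEY, ALPHA))                         # True
    bits = [0, 1, 1, 0, 1]
    ciphertext = [encrypt_bit(b, PUBLIC_KEY) for b in bits]
    print([decrypt_bit(c, PUBLIC_KEY, ALPHA) for c in ciphertext])  # [0, 1, 1, 0, 1]
```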
For the setup “encryption key only” the cryptanalysis problem is still in NP for any public-key cryptosystem. Interestingly enough, the system given in Example 2.2 is optimal also as regards the cryptanalytic setup “encryption key only”: the cryptanalysis problem is NP-complete. It is obvious that no similar upper bounds for cryptanalytic complexity can be given for classical cryptosystems. Essentially, this is due to the fact that, because everything is kept secret, the easiness of the encryption and decryption for legal users cannot lead to any consequences as regards the world of the cryptanalyst. A final rather strange observation can be made from the point of view of complexity theory. A public-key cryptosystem can always be viewed as a sequence of pairs $(E_i, D_i)$, i = 1, 2, ..., where $E_i$ is an encryption key and $D_i$ the corresponding decryption key. Both keys are completely determined by i: they can be given by some verbal description. Preprocessing proceeds now as follows. After an encryption key $E_k$ has been publicized, the sequence $(E_i, D_i)$ is generated, until the correct $E_i$ (= the one verbally coinciding with $E_k$) is found. This may involve a huge
(computationally intractable) amount of work. But still: this amount is a constant independent of the length of the cryptotext. From this point of view, the complexity of the cryptanalytic setup “cryptotext and encryption key” is n + c, where c is a constant! Of course, from a practical point of view, this does not say much because c is huge.
2.3 Obvious Advantages of Public Keys The advantages of public-key cryptography are tremendous, provided the idea can be realized without any too harmful side-effects. The most far-reaching innovation due to public keys concerns key management: how to handle and send keys. Consider any classical (that is, symmetric) cryptosystem. The encryption key gives away the decryption key and, hence, the former cannot be publicized. This means that the two legal parties (sender and receiver) have to agree in aduance upon the encryption method. This can happen either in a meeting between the two parties, or else by sending the encryption key via some absolutely secure channel. If a public-key cryptosystem is used, the two parties d o not have to meet - they d o not even have to know each other or be in any kind of previous communication! This is a huge advantage, for instance, in the case of a big data bank, where there are numerous users and some user wants to communicate only with a specific another user. Then he/she can d o so just by applying the information in the data bank itself. One can compare classical and public-key cryptosystems also as regards the length of a key. Since every key has to be described somehow, the description being a sequence of letters of some alphabet (that is, a word), it is natural to talk about the length of a key. There is a remarkable difference between classical and public-key cry ptos ystems. Consider first a classical cryptosystem. If the key is longer than the plaintext, nothing has really been achieved. Since the key has to be transmitted securely, one could transmit the plaintext instead of the key via this secure channel. Of course, in some situations the key is transmitted earlier to wait for the crucial moment. Consider next a public-key cryptosystem. The length of the encryption key is largely irrelevant. The key is publicized anyway. 
This means that also the length of the decryption key is largely irrelevant: the receiver only has to store it in a secure place. The easiness of key management can justly be regarded as the chief advantage of public-key cryptography. Let us now consider some other advantages. The central issues raised will be discussed also later on. One of a computer system's central strongholds is the password file. The following might be an entry in such a file.

login: JOHNSON
password: KILLER
If the password file is exposed - accidentally or otherwise - to an inspection by an intruder, then the intruder will have free access, for instance, to Mr. Johnson’s
72
2. The Idea of Public Keys
electronic mail. We assume here that the mail is not encrypted and, thus, security is provided only by the passwords. Suppose now that one-way functions f are used in connection with the password file. The entry mentioned above is now as follows.

login: JOHNSON
password: KILL ER
function: f_J

Here f_J is a description of a one-way function. The idea is that KILLER is Mr. Johnson's "public" password, whereas only Mr. Johnson knows his "secret" password PURR such that f_J(PURR) = KILLER.

In fact, he "publicized" the password KILLER after computing f_J(PURR). Mr. Johnson types in the secret password PURR, after which the computer checks whether or not f_J applied to PURR gives the correct result KILLER. The computer does not store PURR in any way. The password file may now be inspected by an intruder without loss of security because the function f_J cannot be inverted. The one-way functions f need not be cryptographic: a trapdoor for inverting them is useless in this case. It is even possible to have the same function for all users. The reader might consider in what respect such a common function is weaker than individual functions.

Authentication is an important issue. How do we know that a message planted in a communication channel or information system is authentic? How do we generate such an electronic or digital signature? Let us first state more explicitly what we want. Consider two parties A and B, possibly with conflicting interests. Typically, the parties could be a bank and its customer, or the two superpowers. When A sends a message to B, the message should be signed in such a way that the parties get the following two kinds of protection.
(i) Both A and B should be protected against messages addressed to B but fed into the information system by a third party C, who pretends to be A.
(ii) A should be protected against messages forged by B, who claims to have received them from A, properly signed.

Of course, if B sends a message to A then A and B should be interchanged in (ii). One may visualize (i) and (ii) by thinking of B as an American agent in Moscow, A as his/her boss in Washington, and C as a Russian agent. The importance of (i) should be obvious. (ii) is required, for instance, in case B initiates some operation without any authorization from A. The operation turns out to be a failure. However, B claims to have acted according to the instructions given by A in a properly signed message! Conditions (i) and (ii) are somewhat contradictory and, therefore, hard to satisfy simultaneously. According to (i), B should know something about A's signature. According to (ii), B should not know too much about A's signature. It is to be emphasized that electronic signatures usually change the whole text, rather than just being an addition to the end of the text.
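The password-file scheme described earlier in this section, as an added example that is not the book's code. It assumes SHA-256 as the one-way function f, and realizes an individual function f_J as SHA-256 applied to a per-user random tag followed by the password; JOHNSON, KILLER and PURR are the book's own constructed values, and the remaining names are mine.

```python
"""Password file protected by one-way functions (added example, not the book's).

Assumptions: the common one-way function f is SHA-256; a user's individual
function f_J is SHA-256 applied to a per-user random tag followed by the
secret password, so f_J differs from user to user. The file stores only
f_J(PURR), never PURR itself.
"""
import hashlib
import secrets


def f_common(secret):
    """One one-way function f shared by every user."""
    return hashlib.sha256(secret.encode()).hexdigest()


def f_user(tag, secret):
    """User-specific one-way function f_J, parametrised by the user's tag."""
    return hashlib.sha256(tag + secret.encode()).hexdigest()


def new_tag():
    """Fresh random tag for a new user: the per-user part of f_J."""
    return secrets.token_bytes(16)


def make_entry(login, secret, tag=None):
    """Build the stored entry: login, public password, function description.

    tag=None selects the common function f; otherwise the user's own f_J.
    The secret password is used once, here, and is kept nowhere.
    """
    if tag is None:
        return {"login": login, "password": f_common(secret), "function": "f"}
    return {"login": login, "password": f_user(tag, secret), "function": tag.hex()}


def check_login(entry, secret):
    """Recompute f_J(typed password) and compare with the stored public password."""
    if entry["function"] == "f":
        return entry["password"] == f_common(secret)
    return entry["password"] == f_user(bytes.fromhex(entry["function"]), secret)


def same_secret_visible(entries):
    """True if the file reveals that two users chose the same secret password.

    With one common f, equal secrets give equal public passwords; with
    individual f_J the public passwords differ even for equal secrets.
    """
    public = [e["password"] for e in entries]
    return len(public) != len(set(public))


def shared_table_hits(entries, candidates):
    """How many entries a single table {f(candidate)} explains at once.

    This is the respect in which a common f is weaker: one table built once
    covers every user, whereas f_J would force a separate table per user.
    """
    table = {f_common(c) for c in candidates}
    return sum(1 for e in entries if e["function"] == "f" and e["password"] in table)
```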
If a good classical cryptosystem is used, then requirement (i) can be satisfied in a reasonable fashion: A and B agree upon an encryption key known only to them. A message is signed by encrypting it according to the key. The key and preferably also the cryptosystem have to be changed reasonably often. Once C finds out the key, he/she can start sending properly signed messages. Requirement (ii) is apparently more difficult to satisfy because, as we already pointed out, B should know something about the way A generates the signature, and yet it should be impossible for B to generate A's signature. Observe also that if we are dealing with a big network of communicating parties (such as a network of mail users) then it is impractical to use a distinct secret method of signing for every pair of users.

If a public-key cryptosystem is used, then both (i) and (ii) can be satisfied, at least in principle. As before, we denote by E_A, E_B, ... (resp. D_A, D_B, ...) the encryption (resp. decryption) key used by A, B, .... First, A sends the message w to B in the form E_B(D_A(w)). Then, B can recover D_A(w) by his/her secret decryption key D_B. From D_A(w), B can recover w by the publicly known E_A. Observe that E_A and D_A are inverses. Now both (i) and (ii) are satisfied. Only A knows D_A and, hence, neither C nor B can forge A's signature. This is the case at least if plaintexts are meaningful passages of some natural language. Then the probability is negligible that some text not obtained by D_A from a meaningful plaintext would translate into something meaningful. For this reason, A can also not deny sending the message to B. If only the signature (but not the encryption of the message) is important, then it suffices that A sends B the pair (w, D_A(w)). Requirements (i) and (ii) are satisfied as before.

The basic procedures of authentication described above are vulnerable, especially as regards attacks by active eavesdroppers. The seriousness of attacks depends on the details, in particular, on the possibilities of the eavesdropper to plant false messages in the system. The basic procedures can be strengthened by applying a protocol. This means that A's sending a message to B consists of several communication steps between A and B. A first communicates something to B. Depending on the contents of this communication, B communicates something back to A. And so forth. In general, a protocol involves a sequence of message exchanges. The number of communicating parties may also be greater than two. A specific, usually public-key, cryptosystem is used. The security of a protocol usually means protection against a passive or an active eavesdropper but often also protection against cheating by some of the parties. In the latter case a protocol may provide for arbitration procedures if the parties happen to disagree about their adherence to the protocol. Protocols are no more secure than the cryptosystem applied. It is difficult to prove that a specific cryptosystem possesses certain security properties. It is also difficult to prove that if the underlying cryptosystem satisfies certain security conditions then the protocol possesses certain security properties. Many of the issues involved will be dealt with in the sequel, especially in Chapter 6. Here we briefly mention some examples of problems and tasks for which protocols have been successfully applied.
Handshaking is in general slightly more complicated than authentication. The problem is that A and B want to establish a secure communications channel in a certain communications environment without any prior exchange of information. In our previous example the American agent in Moscow and the boss in Washington had to agree beforehand at least about something: how in principle signatures are generated and where the public keys are available. (We assume that they used the basic procedure described above.) This is not actually much and can be included in the common instructions provided for the users of an information system. Hence, the situation is very close to handshaking. Very often handshaking is understood to imply that the parties trust each other. Thus requirement (ii) becomes unnecessary.

Suppose elections are held over a computer network. A protocol should make it impossible for non-registered voters to vote although they might be legal users of the network. Furthermore, ballots should be kept secret and the publicized outcome of the elections should be fair. Also some new types of secret voting can be carried out using appropriate protocols. Such protocols seem to open new vistas for confidential communication. Some members of a council might have the right of veto. When an appropriate protocol is followed, nobody knows whether a negative decision is based on the majority, or on somebody using the veto right, or on both! Let us consider a specific example. The parties A, B, C_1, ..., C_n want to make a yes or no decision. All parties can vote yes or no. Moreover, A and B have two additional votes, super-yes and super-no. Such a voting may be visualized as arising in the United Nations, with A and B being the two superpowers. If no supervotes are cast, the majority decides. If at least one supervote is cast, then the ordinary votes have no significance. The decision is yes in case of a draw. After the voting all parties know the decision but nobody knows why the decision was made. Was it due to a supervote, majority, or to both? Of course, it is possible to construct a voting machine to satisfy the requirements. But nobody would trust such a machine: it could be tampered with to leak information and/or announce a false outcome for the voting. In the next example a specific protocol is suggested.

Example 2.3. Two persons A and B want to play poker by telephone without any third party acting as an impartial judge. We consider the basic variant of the game, where five cards are dealt. As regards most of the other variants, the protocol is essentially the same. It is obviously necessary for A and B to exchange information in encrypted form in order to "deal" cards in a proper way. A proper deal should satisfy the following requirements.

(i) All hands (sets of five cards) are equally likely.
(ii) The hands of A and B are disjoint.
(iii) Both players know their own hand but have no information about the opponent's hand.
(iv) It is possible for each of the players to find out the eventual cheating of the other player.
We now propose a protocol. A cryptosystem, classical or public-key, is used. However, neither the encryption methods E_A and E_B nor the decryption methods D_A and D_B are publicized. Moreover, commutativity is assumed: in any composition of E's and D's the mutual order is immaterial. Before the actual play, A and B agree on the names w_1, ..., w_52 of the 52 cards. The names are chosen in such a way that the cryptosystem is applicable in the sense needed in the sequel. For instance, if E_A and E_B operate on integers within a certain range then each w_i should be an integer within this range. We are now ready to describe the protocol. A acts as the dealer but the roles of A and B can be interchanged. The protocol consists of the following four steps.

Step 1: B shuffles the cards, encrypts them using E_B, and tells the result to A. This means that B tells A the items E_B(w_1), ..., E_B(w_52) in a randomly chosen order.
Step 2: A chooses five of the items E_B(w_i) and tells them to B. These items are B's cards.
Step 3: A chooses another five of the items E_B(w_i), encrypts them by E_A, and tells the result to B.
Step 4: After receiving five items of the form E_A(E_B(w_i)) in Step 3, B applies D_B to them and tells the result to A. These five items represent A's cards.

Let us now see how the requirements (i)-(iv) are satisfied. Clearly both players know their own cards. In particular, A receives in Step 4 five items of the form D_B(E_A(E_B(w_i))). Because of commutativity,

D_B(E_A(E_B(w_i))) = E_A(D_B(E_B(w_i))) = E_A(w_i),

and hence A has only to use D_A. The hands will also be disjoint: B can immediately check that the items given in Step 3 differ from those given in Step 2. No conclusive evidence can be presented as regards the other requirements (i)-(iv). The matter depends largely on how truly one-way the functions E actually are. For instance, it might be impossible to find w_i on the basis of E_B(w_i) but, still, some partial information about w_i could be found. For instance, if w_i is a sequence of bits, the last bit could be found from E_B(w_i). Such partial information could tell A that all aces are within a certain proper subset of E_B(w_1), ..., E_B(w_52). Then A would surely deal B only cards outside this subset and for himself/herself only cards from this subset. In this case (i) and the second part of (iii) would be violated. The cryptosystem cannot be public-key in the normal sense. A could simply compute all the values E_B(w_i) and deal the cards accordingly: a good hand for B but slightly better for himself/herself! Some of the issues in this example are of a general nature and will be discussed also later. In fact, a public-key cryptosystem can never have a small plaintext space, such as only 52 plaintexts. Then all of them can be encrypted using the public key, and decryption amounts to a search through all resulting cryptotexts.
The possibility of obtaining partial information is also one of the central issues in public-key cryptography. For some cryptosystems, such as RSA, it has been shown that if partial information can be obtained then the whole system can be broken. This means that if you are convinced about the security of the cryptosystem, then you also know that the system does not leak partial information. □

We conclude this chapter by mentioning three problems that require cryptographic protocols for their solution. The protocols devised for these problems are often used as a part of a protocol for a more complicated problem. Thus, the protocol given in [GM] for the problem of Example 2.3 uses coin flipping. A and B want to flip a coin by telephone without any impartial judge. As always, both parties should at some later stage be able to check that the other party did not cheat. This may happen after the result of the coin flipping has been used for some other purpose. An oblivious transfer allows A to transfer a secret to B with probability 1/2. After the completion of the protocol, B knows whether or not the secret was transferred successfully, but A does not know. Two or more parties want to share a part of their secrets but do not want to give away their secrets entirely. For instance, two people want to find out who is older without learning anything else about each other's age. After going through the protocol both know who is older but neither one knows how much older.
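The four-step deal of Example 2.3 and the partial-information problem raised under requirements (i)-(iv), as an added example that is not the book's code. It assumes a commutative cipher given by exponentiation modulo a fixed prime P (E_X(w) = w^e_X mod P with secret exponent pairs satisfying e_X d_X ≡ 1 (mod P-1)), takes the card names w_1, ..., w_52 to be the integers 2 to 53, and keeps both players' exponents unpublished as the text requires.

```python
"""Mental poker deal of Example 2.3 with a commutative cipher (added example,
not the book's code).

Assumptions: the cipher is exponentiation modulo a fixed prime P, that is
E_X(w) = w^e_X mod P and D_X(c) = c^d_X mod P with e_X d_X = 1 (mod P-1), so
that E_A(E_B(w)) = E_B(E_A(w)); the 52 card names w_1..w_52 are the integers
2..53. Neither player's exponents are ever published.
"""
from math import gcd
import random

P = 2**127 - 1          # a Mersenne prime; every card name lies below it
CARDS = list(range(2, 54))


def make_keys(rng):
    """Secret pair (e, d) with e*d = 1 mod P-1; e is odd because P-1 is even."""
    while True:
        e = rng.randrange(3, P - 1)
        if gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)


def enc(key, x):
    """Apply E or D: both are just modular exponentiation with the given exponent."""
    return pow(x, key, P)


def deal(seed=0):
    """Run Steps 1-4 and return (A's hand, B's hand) as plain card names."""
    rng = random.Random(seed)
    e_a, d_a = make_keys(rng)
    e_b, d_b = make_keys(rng)
    # Step 1: B shuffles and tells A the items E_B(w_i) in random order.
    deck = [enc(e_b, w) for w in CARDS]
    rng.shuffle(deck)
    # Step 2: A picks five items; they become B's cards, still under E_B.
    b_cards_enc = deck[:5]
    # Step 3: A picks another five and returns them encrypted by E_A as well.
    a_cards_double = [enc(e_a, c) for c in deck[5:10]]
    # Step 4: B applies D_B; by commutativity E_A(w_i) remains, and only A
    #         can strip that layer with D_A.
    a_cards_enc = [enc(d_b, c) for c in a_cards_double]
    a_hand = sorted(enc(d_a, c) for c in a_cards_enc)
    b_hand = sorted(enc(d_b, c) for c in b_cards_enc)
    return a_hand, b_hand


def commutes(seed=0):
    """Check D_B(E_A(E_B(w))) = E_A(w) for every card, the identity used in the text."""
    rng = random.Random(seed)
    e_a, _ = make_keys(rng)
    e_b, d_b = make_keys(rng)
    return all(enc(d_b, enc(e_a, enc(e_b, w))) == enc(e_a, w) for w in CARDS)


def hands_valid(a_hand, b_hand):
    """Requirement (ii), disjointness, plus the sanity check that only real cards appear."""
    return (len(a_hand) == len(b_hand) == 5
            and set(a_hand).isdisjoint(b_hand)
            and set(a_hand) | set(b_hand) <= set(CARDS))


def is_qr(x):
    """Euler's criterion: is x a quadratic residue modulo P?"""
    return pow(x, (P - 1) // 2, P) == 1


def partial_information_leaks(seed=0):
    """The partial-information problem of the text, made concrete for this cipher:
    since e_B is odd, w^e_B is a residue exactly when w is, so E_B(w_i) reveals
    one bit about w_i and the dealer can sort the encrypted deck into two
    classes without decrypting anything. Returns True if the leak is present."""
    rng = random.Random(seed)
    e_b, _ = make_keys(rng)
    return all(is_qr(enc(e_b, w)) == is_qr(w) for w in CARDS)
```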
Chapter 3. Knapsack Systems
3.1 A Trapdoor is Built

Public-key cryptosystems based on the knapsack problem were already briefly discussed in Example 2.1 in Chapter 2. It was also pointed out that knapsack systems are very suitable for illustrating all basic ideas behind public-key cryptography. The setup is also versatile enough to produce new variants to avoid cryptographic weaknesses. Mathematical techniques will be used in this and later chapters to a larger extent than in Chapters 1 and 2. All the necessary tools will be summarized in the appendices. Fundamentals of the theory can also be understood without entering the mathematical developments. This section presents the basic knapsack system in more detail than Example 2.1. Shamir's cryptanalytic attack is described in Section 3.2. Section 3.3 deals with a general theory of reachability, applicable to both simple and composite knapsacks. Interesting variants of knapsack systems will be presented in Section 3.4. The final Section 3.5 deals with systems based on dense knapsacks.

We are now ready to go into definitions. A knapsack vector A = (a_1, ..., a_n) is an ordered n-tuple, n ≥ 3, of distinct positive integers a_i. An instance of the knapsack problem is a pair (A, a), where A is a knapsack vector and a is a positive integer. A solution to (A, a) is a subset of A whose elements sum up to a. (Since we are talking about a subset, each a_i appears in the sum at most once.) Knapsack problems are sometimes also called subset sum problems. The most common variant of the knapsack problem is to tell whether or not a given instance (A, a) possesses a solution. A variant used in cryptography is to produce a solution for a given instance (A, a) when it is known that a solution exists. Both of these variants are NP-complete. There are also variants that are not even in NP. A knapsack vector A is used to encrypt a block C of n bits by summing up those components of A for which 1 appears in the corresponding position in C. If the sum is denoted by a, then decryption amounts to finding C from a, or from A and a if we are dealing with a public-key cryptosystem. The latter possibility is just the cryptographic variant of the knapsack problem. Equivalently, we may view C as a column vector of bits. Then a equals the product AC.
As an illustration, assume that n = 6 and A = (3, 41, 5, 1, 21, 10). Then (1,1,0,0,1,0) and (1,0,1,1,0,1) are encrypted as 65 and 19, respectively. For this A, all cryptotexts a are numbers ≤ 81. At most one plaintext corresponds to each cryptotext. For A = (14, 28, 56, 82, 90, 132, 197, 284, 341, 455), the cryptotext a = 515 has exactly three corresponding plaintexts

(1,1,0,0,0,1,0,0,1,0), (0,1,1,0,1,0,0,0,1,0), (1,0,0,1,1,1,1,0,0,0).

This is seen immediately by reading A from right to left; for instance, 455 cannot appear in the solution because it is not possible to express 60 = 515 - 455 as a sum. Similarly, the cryptotext a = 516 has no corresponding plaintext. Now it is easy to see that none of the last four numbers in A can appear in the sum, whereas the sum of the remaining numbers is too small. For a = 517, the only corresponding plaintext is (1,1,1,0,1,1,1,0,0,0). Examples like this illustrate the obvious fact that cryptanalysis arising from some instances of the knapsack problem can be easy.

Since uniqueness of decryption is desirable, the knapsack vectors A should have the property that, for every a, all instances (A, a) possess at most one solution. Such knapsack vectors A are referred to as injective in the sequel. This terminology is very natural because the injectivity of A means that the function induced by A, defined in Example 2.1, is injective. Of the two A's considered above the first is injective, whereas the second is not. For some vectors A, all instances (A, a) are easy to solve. We have already seen in Example 2.1 that super-increasing vectors possess this property. A two-way cryptosystem can be based on such vectors in an obvious fashion: both the sender and receiver know the vector A. On the other hand, if a vector B is publicized as an encryption key, then the legal receiver must have some secret trapdoor information for transforming B and the cryptotext into an easy instance of the knapsack problem. We already indicated in Example 2.1 how this can be done using super-increasing vectors. The construction will now be given in a somewhat more detailed form. A knapsack vector A = (a_1, ..., a_n) is increasing (resp. super-increasing) iff

holds for all j = 2, ..., n. Clearly, every super-increasing vector is increasing. For a knapsack vector A we define max A = max{a_j | 1 ≤ j ≤ n}. Let x be a nonnegative number. We denote by [x] the integer part of x, that is, the greatest integer ≤ x. For integers x and m ≥ 2, we denote by (x, mod m) the least nonnegative remainder of x modulo m. It is easy to see that

(x, mod m) = x - [x/m] · m.
This equation will often, especially in Section 3.3, be written in the form

x = (x, mod m) + [x/m] · m.

We now define two variants of the notion of modular multiplication. Consider a knapsack vector A, an integer m > max A and a positive integer t < m such that the greatest common divisor (t, m) = 1. If B = (b_1, ..., b_n) is a vector such that

b_i = (t a_i, mod m), for i = 1, ..., n,

we say that B results from A by modular multiplication with respect to the modulus m and multiplier t or, briefly, with respect to the pair (m, t). The condition (t, m) = 1 guarantees the existence of an inverse t^{-1} = u such that

tu ≡ 1 (mod m) and 1 ≤ u < m.

This implies that also conversely A results from B by modular multiplication with respect to m and u. (Clearly m > max B because every b_i is reduced modulo m.) If above the condition m > max A is replaced by the stronger condition

$m > \sum_{i=1}^{n} a_i$,

we say that B results from A by strong modular multiplication with respect to m and t. Observe that now we cannot conclude that A results from B by strong modular multiplication with respect to m and u because the inequality

$m > \sum_{i=1}^{n} b_i$

does not necessarily hold. Of course, A results from B by modular multiplication with respect to m and u.

A cryptosystem designer now chooses A, t, m, B such that A is super-increasing and B results from A by strong modular multiplication with respect to m and t. B is publicized as the encryption key, and n-bit blocks are sent to the designer as numbers β obtained from B in the way described above. An eavesdropper has to solve the instance (B, β) of the knapsack problem. The designer computes α = (uβ, mod m) and solves the instance (A, α). Why this works is summarized in the following lemma.

Lemma 3.1. Assume that A = (a_1, ..., a_n) is super-increasing and B results from A by strong modular multiplication with respect to m and t. Assume further that u = t^{-1} (mod m), β is arbitrary and α = (uβ, mod m). Then the following assertions hold true.
(i) The knapsack problem (A, α) is solvable in linear time. If a solution exists, it is unique.
(ii) The knapsack problem (B, β) has at most one solution.
(iii) If a solution to (B, β) exists, it equals the unique solution to (A, α).

Proof. (i) It was shown in Example 2.1 that every knapsack problem with a super-increasing A can be solved in linear time by reading through A once from right to left. The method shows that there can be at most one solution. (ii) and (iii) Assume
that an n-bit vector D is a solution to (B, β), that is, BD = β. Consequently,

α ≡ uβ = uBD = u(tA)D ≡ AD (mod m).

Since m exceeds the sum of the components of A, we must have AD < m. Since also α < m, by the definition of α, we conclude that α = AD. Thus, D equals the unique solution to (A, α). This shows (iii). Since we started with an arbitrary solution to (B, β) and showed that it equals the unique solution to (A, α), we have established also (ii). □

In our cryptographic application of Lemma 3.1 we know that (B, β) has a solution: β was computed in a way to guarantee this.
Example 3.1. Our first illustration is still manageable with a pocket calculator. Let n = 10 and consider the super-increasing vector

A = (103, 107, 211, 430, 863, 1718, 3449, 6907, 13807, 27610).

Choose the modulus m = 55207, which is greater (by two) than the sum of the components of A. Choose further the multiplier t = 25236. Then (t, m) = 1 and t^{-1} = u = 1061. Indeed,

1061 · 25236 - 1 = 485 · 55207.

As a result of the strong modular multiplication we now get

B = (4579, 50316, 24924, 30908, 27110, 17953, 32732, 16553, 22075, 53620).

For instance,

25236 · 103 = 4579 + 47 · 55207 and 1061 · 4579 = 103 + 88 · 55207,
25236 · 1718 = 17953 + 785 · 55207 and 1061 · 17953 = 1718 + 345 · 55207,
25236 · 27610 = 53620 + 12620 · 55207 and 1061 · 53620 = 27610 + 1030 · 55207.

The vector B is the public encryption key, whereas the items A, t, u, m constitute the secret trapdoor. Of course, the knowledge of m and either t or u enables one to compute the other items immediately. Let us now use the public key B and encrypt the plaintext

IN FINLAND CHILDREN USED TO BE BORN IN SAUNA EVEN TODAY INFANT MORTALITY IS IN FINLAND LOWEST IN THE WORLD.

We use first the numerical encoding, where the space between words gets the value 0 and the letters A-Z the values 1-26. The numerical encoding is expressed in bits. In fact, a complete list of the bit values was given in Example 2.1. Since B can be used to encrypt blocks of ten bits, our plaintext has to be divided into blocks consisting of two characters each. In what follows, we give first a plaintext block, then the numerical encoding and, finally, the encryption of the block as a decimal number. The cryptotext consists of the 53 numbers thus obtained, written one after the other so that individual numbers are distinguishable.
Block  Encoding     Cryptotext
IN     01001 01110  148786
 F     00000 00110   38628
IN     01001 01110  148786
LA     01100 00001  128860
ND     01110 00100  122701
 C     00000 00011   75695
HI     01000 01001  136668
LD     01100 00100   91793
RE     10010 00101  105660
N      01110 00000  106148
US     10101 10011  150261
ED     00101 00100   68587
 T     00000 10100   34506
O      01111 00000  133258
BE     00010 00101  101081
 B     00000 00010   22075
OR     01111 10010  173286
N      01110 00000  106148
IN     01001 01110  148786
 S     00000 10011   93648
AU     00001 10101  115236
NA     01110 00001  159768
 E     00000 00101   70173
VE     10110 00101  130584
N      01110 00000  106148
TO     10100 01111  154483
DA     00100 00001   78544
Y      11001 00000   82005
IN     01001 01110  148786
FA     00110 00001  109452
NT     01110 10100  140654
 M     00000 01101  102905
OR     01111 10010  173286
TA     10100 00001   83123
LI     01100 01001  161592
TY     10100 11001  133808
 I     00000 01001   86352
S      10011 00000   62597
IN     01001 01110  148786
 F     00000 00110   38628
IN     01001 01110  148786
LA     01100 00001  128860
ND     01110 00100  122701
 L     00000 01100   49285
OW     01111 10111  243459
ES     00101 10011  145682
T      10100 00000   29503
IN     01001 01110  148786
 T     00000 10100   34506
HE     01000 00101  120489
 W     00000 10111  110201
OR     01111 10010  173286
LD     01100 00100   91793

We decrypt the first number 148786. Note first that

1061 · 148786 = 2859 · 55207 + 25133.

Consider the knapsack problem (A, 25133). The solution is obtained by scanning A once from right to left. Whenever the number at hand is at least the currently scanned component of A, we get the bit 1 and the new number is obtained by subtracting the component from the number previously at hand. Otherwise, we get the bit 0 and the number at hand remains unaltered. The result can be expressed as follows.

Number  Component of A  Bit
25133   27610           0
25133   13807           1
11326    6907           1
 4419    3449           1
  970    1718           0
  970     863           1
  107     430           0
  107     211           0
  107     107           1
    0     103           0
The original bit vector, from which the plaintext IN results, can be read from the last column bottom up. In the decryption of the second number 38628 we obtain first 20714, which is treated similarly, and so forth.

A further remark is in order. Assume that we try to proceed in the reverse order. Consider the plaintext block OR appearing three times. Encrypt it first with A, yielding 17136. Apply strong modular multiplication with respect to 55207 and 25236, yielding 7665. But (B, 7665) clearly possesses no solution. The simple explanation is that we cannot deduce an equation from a congruence (as in the proof of Lemma 3.1) because m is smaller than the sum of the components of B. Indeed,

7665 ≡ 173286 (mod 55207),

and we should operate with 173286.

Our second illustration is too big for a pocket calculator but still too small for real encryption. Realistic examples are very likely to become completely unreadable. The computations here, as well as in the final illustration in Example 4.1, are due to Kimmo Kari. Let now n = 20. Choose the modulus and multiplier

m = 53939986 and t = 54377,

yielding t^{-1} = u = 17521047. The super-increasing A is defined by:

a_1 = 101        a_6 = 1647       a_11 = 52676      a_16 = 1685624
a_2 = 102        a_7 = 3292       a_12 = 105352     a_17 = 3371249
a_3 = 206        a_8 = 6584       a_13 = 210703     a_18 = 6742497
a_4 = 412        a_9 = 13169      a_14 = 421407     a_19 = 13484996
a_5 = 823        a_10 = 26337     a_15 = 842812     a_20 = 26969992

Strong modular multiplication gives now the following publicized vector B:

b_1 = 5492077    b_6 = 35618933   b_11 = 5543594    b_16 = 15140034
b_2 = 5546454    b_7 = 17189126   b_12 = 11087188   b_17 = 30334445
b_3 = 11201662   b_8 = 34378252   b_13 = 22119999   b_18 = 6674527
b_4 = 22403324   b_9 = 14870895   b_14 = 44294375   b_19 = 13457808
b_5 = 44752271   b_10 = 29687413  b_15 = 34540010   b_20 = 26915616
Let us encrypt the following plaintext about sauna:

IF YOUR FEET CARRY YOU TO SAUNA THEY SURELY CARRY YOU BACK HOME IF SAUNA ALCOHOL AND TAR DO NOT CURE YOUR DISEASE IT MUST BE FATAL.

As before, empty space is encoded as 0, and the letters A-Z get the numbers 1-26. Five bits per number are required in binary notation. Since n = 20, four plaintext characters are encrypted at the same time. The encoding, divided into sequences of 20 bits, looks as follows (the final block AL is filled out with two spaces). The third column gives the cryptotext, which consists of the following 33 numbers (see the remark below at the end of Example 3.1).

Block  Encoding                 Cryptotext
IF Y   01001 00110 00000 11001  134452701
OUR    01111 10101 10010 00000  174686956
FEET   00110 00101 00101 10100  190623683
 CAR   00000 00011 00001 10010  102548440
RY Y   10010 11001 00000 11001  214275712
OU T   01111 10101 00000 10100  183764350
O SA   01111 00000 10011 00001  153594363
UNA    10101 01110 00001 00000  161850672
THEY   10100 01000 00101 11001  220529375
 SUR   00000 10011 10101 10010  201154115
ELY    00101 01100 11001 00000  168406176
CARR   00011 00001 10010 10010  148193337
Y YO   11001 00000 11001 01111  180334216
U BA   10101 00000 00010 00001   71411380
CK H   00011 01011 00000 01000  128802960
OME    01111 01101 00101 00000  207561967
IF S   01001 00110 00000 10011  117595831
AUNA   00001 10101 01110 00001  149273987
 ALC   00000 00001 01100 00011   65831272
OHOL   01111 01000 01111 01100  245563381
 AND   00000 00001 01110 00100   83183529
 TAR   00000 10100 00001 10010  142577667
 DO    00000 00100 01111 00000  124177205
NOT    01110 01111 10100 00000  197577601
CURE   00011 10101 10010 00101  171248360
 YOU   00000 11001 01111 10101  247880195
R DI   10010 00000 00100 01001  119523714
SEAS   10011 00101 00001 10011  191463423
E IT   00101 00000 01001 10100  128258322
 MUS   00000 01101 10101 10011  227433368
T BE   10100 00000 00010 00101   67473008
 FAT   00000 00110 00001 10100  124780053
AL     00001 01100 00000 00000   81554408

The legal recipient multiplies these numbers by u (mod m), and goes back to the super-increasing A. For instance, the multiplication of the first number gives 15488011. When solving this with respect to A, we get similarly as in our first illustration:

Number    Component of A  Bit
15488011  26969992        0
15488011  13484996        1
 2003015   6742497        0
 2003015   3371249        0
 2003015   1685624        1
  317391    842812        0
  317391    421407        0
  317391    210703        1
  106688    105352        1
    1336     52676        0
    1336     26337        0
    1336     13169        0
    1336      6584        0
    1336      3292        0
    1336      1647        0
    1336       823        1
     513       412        1
     101       206        0
     101       102        0
     101       101        1
Our encryption procedure in this second illustration was exceptional: the order of the components of B was reversed before encryption. Thus, to get the first encrypted number 134452701 we formed the sum b_19 + b_16 + b_13 + b_12 + b_5 + b_4 + b_1. This procedure follows the analysis of A from right to left in the table above. However, the procedure will not be repeated in the sequel because it is unnatural from the point of view of vector multiplication. □
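The trapdoor construction of Lemma 3.1 run on the first illustration of Example 3.1, as an added example that is not the book's code. It assumes only the values the example states (A, m = 55207, t = 25236) and the book's five-bit character encoding with two characters per ten-bit block; the function and variable names are mine, and the exhaustive check at the end is there only to confirm the remark about (B, 7665).

```python
"""Knapsack trapdoor of Section 3.1 on the numbers of Example 3.1
(added example, not the book's code).

Uses the book's A, m = 55207, t = 25236 and its encoding: space = 0,
A..Z = 1..26, five bits per character, two characters per ten-bit block,
the first character occupying the high-order bits.
"""
from itertools import product
from math import gcd

A = (103, 107, 211, 430, 863, 1718, 3449, 6907, 13807, 27610)
M, T = 55207, 25236


def is_super_increasing(vec):
    """Each component exceeds the sum of all earlier components."""
    total = 0
    for x in vec:
        if x <= total:
            return False
        total += x
    return True


def modular_multiply(vec, m, t, strong=True):
    """B with b_i = (t a_i, mod m); 'strong' also requires m > a_1 + ... + a_n."""
    if gcd(t, m) != 1 or m <= max(vec):
        raise ValueError("need (t, m) = 1 and m > max A")
    if strong and m <= sum(vec):
        raise ValueError("strong modular multiplication needs m > a_1 + ... + a_n")
    return tuple(t * x % m for x in vec)


def encode(text):
    """Five bits per character, most significant bit first."""
    bits = []
    for ch in text:
        v = 0 if ch == " " else ord(ch) - ord("A") + 1
        bits.extend((v >> k) & 1 for k in range(4, -1, -1))
    return bits


def decode(bits):
    """Inverse of encode."""
    text = ""
    for i in range(0, len(bits), 5):
        v = int("".join(map(str, bits[i:i + 5])), 2)
        text += " " if v == 0 else chr(ord("A") + v - 1)
    return text


def knapsack_sum(vec, bits):
    """The cryptotext: the components selected by the 1-bits, i.e. the product AC."""
    return sum(x for x, b in zip(vec, bits) if b)


def solve_super_increasing(vec, target):
    """Scan A once from right to left as in the text; None if no solution."""
    bits = [0] * len(vec)
    for i in range(len(vec) - 1, -1, -1):
        if target >= vec[i]:
            bits[i] = 1
            target -= vec[i]
    return bits if target == 0 else None


def encrypt(text, b):
    """Anyone holding the public key B can do this."""
    per_block = len(b) // 5
    if len(text) % per_block:
        raise ValueError("plaintext length must be a multiple of the block size")
    return [knapsack_sum(b, encode(text[i:i + per_block]))
            for i in range(0, len(text), per_block)]


def decrypt(numbers, a, m, u):
    """Lemma 3.1: alpha = (u beta, mod m), then solve the easy instance (A, alpha)."""
    out = []
    for beta in numbers:
        bits = solve_super_increasing(a, u * beta % m)
        if bits is None:
            raise ValueError(f"{beta} is not a valid cryptotext")
        out.append(decode(bits))
    return "".join(out)


def has_solution(vec, target):
    """Exhaustive 2^n check, fine only for tiny n; confirms the remark that
    (B, 7665) has no solution while (B, 173286) has one."""
    return any(knapsack_sum(vec, bits) == target
               for bits in product((0, 1), repeat=len(vec)))
```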
3.2 How to Find the Trapdoor We face the following cryptanalytic task. A knapsack vector B = ( b l , . . . ,b,) is known to us. B is used as a public encryption key in the manner described above. We also know that B is obtained by strong modular multiplication from a superincreasing vector A, with respect to a modulus rn and multiplier t. All of the items A, rn and t are unknown to us. We want to find them. What interests us most directly is to find rn and t - = u (mod rn). Knowing rn and u we can immediately compute A and decrypt any cryptotext. The computation of u from t, or vice versa, amounts to one application of Euclid's algorithm and can be done fast. The cryptanalytic setup here is encryption key only. Often this means that more time is available because the analysis of the system can be carried out before important cryptotexts have been sent. This section discusses A. Shamif s cryptanalytic approach. The resulting algorithm runs in polynomial time. However, it is to be emphasized that a classification of cryptosystems into bad and good is overly simplified if it focuses only on the condition whether or not a polynomial time algorithm for the cryptanalysis is known. The degree of the polynomial is very important in cryptography. Moreover, as we have already emphasized, knapsack systems are very versatile for producing modifications to overcome known cryptanalytic attacks. When we say that an algorithm runs in polynomial time, we have to be careful in defining the size of an instance B, the algorithm being polynomial with respect to the size. We have to consider a family of knapsack vectors B whose sizes grow to infinity. There are two parameters contributing to the size of a vector B the number n of the components and the sizes of the individual components b,. If either one of the parameters is kept bounded from above, the resulting knapsack problems can be solved trivially in polynomial time. 
Indeed, if each $b_i$ in every vector considered is less than some constant C, the total number of vectors is finite and, hence, there is some fixed time bound such that every knapsack problem considered can be solved within this time bound. On the other hand, if always $n < C$ then every knapsack problem considered can be solved in linear time, where the coefficient is the constant $2^C$. It is customary to choose the number n of components as the size and to give bounds for the components in terms of n. It is to be emphasized that all such bounds for the components are artificial from a mathematical point of view and restrict the generality of the problem because only a very small number of
88
3. Knapsack Systems
instances fall within the bounds. This is apparent also in view of the general theory of Section 3.3.

In [Sh2], the bounds are given as follows. A proportionality constant $d > 1$ is fixed. Then the modulus m consists of $dn$ bits. The component $a_i$, $1 \le i \le n$, of the super-increasing vector A consists of $dn - 1 - n + i$ bits. If d is not an integer, $dn$ is replaced by $[dn]$. The leading bit is 1 in every number. This guarantees that A is always super-increasing and that one can choose m to exceed the sum of the components of A. In the original paper, [MeH], the choices $n = 100$ and $d = 2$ were recommended. This means that m consists of 200 bits and the components $a_1, \ldots, a_{100}$ grow in size from 100 to 199 bits.

In constructing the algorithm the initial observation is that it is not necessary to find the inverse multiplier u and modulus m actually used by the designer of the cryptosystem. Any pair (u, m) will do, provided u and m satisfy the conditions of modular multiplication as regards B, the result A of such a modular multiplication is super-increasing and m exceeds the sum of the components of A. (This implies that B results from A by strong modular multiplication with respect to m and $u^{-1} = t$.) Such pairs (u, m) are referred to as trapdoor pairs. Once we have found a trapdoor pair, Lemma 3.1 becomes available, and we may decrypt using the resulting super-increasing vector. This is quite independent of whether or not our trapdoor pair and the resulting super-increasing vector are the ones actually used by the cryptosystem designer. On the other hand, the existence of at least one trapdoor pair is guaranteed by the fact that the cryptosystem designer made use of such a pair. (Using the terminology of Section 3.3, we know a priori that the given knapsack vector B is super-reachable.)

To find a trapdoor pair (u, m), we first consider the graphs of the functions $b_i u \pmod m$ for all values $i = 1, \ldots, n$.
The graph of $b_i u \pmod m$ consists of straight line segments, where the values $u = pm/b_i$, $p = 1, 2, \ldots$, are discontinuity points of the function. Thus, the graph of the function $b_i u \pmod m$ has the sawtooth form of Fig. 3.1. This sawtooth curve is considered for each $i = 1, \ldots, n$.

[Fig. 3.1: the sawtooth graph of $b_i u \pmod m$ plotted against u; the vertical axis is labelled $b_i u$ and the horizontal axis runs up to m.]
Recall that $(b_1 u, \bmod m) = a_1$, where u is not a variable but the actual inverse multiplier we are looking for. Since $a_1$ is the first component in a super-increasing vector and m exceeds the sum of all components, $a_1$ must be very small in
comparison with m. This implies that the trapdoor pair value of u must be close to some minimum of the $b_1$-graph. An explicit estimate concerning how close it must be presupposes some conventions (such as those indicated above) about the sizes of $a_1$ and m, as well as about the expected value of $b_1$. Usually $b_i/a_i$ is very large for small values of i. However, the cryptosystem designer may arrange that $b_i/a_i < 1$ for some values of i. Then some distances will be much larger than expected, which causes serious difficulties for the cryptanalyst.

Similarly we see that the trapdoor pair value of u must be close to some minimum of the $b_2$-graph. This implies (by the triangle inequality) that the two minima of the $b_1$- and $b_2$-graphs must be close to one another. One can proceed in the same way and consider more sawtooth curves. The fact that the trapdoor pair value of u is close to a minimum on each curve implies that all these minima are close to one another. Thus, instead of trying to find u itself, we may try to find "accumulation points" of the minima of our sawtooth curves. This amounts to constructing a small interval containing a minimum of each sawtooth curve. From this interval we also find a trapdoor pair value of u.

By heuristic calculations (see [Sh2]) one can show that, for the value $d = 2$ of the proportionality constant, it suffices to analyze only four sawtooth curves to get a manageable (not too big) set of accumulation points for their minima. Any accumulation point of minima of all curves is among the accumulation points constructed for the minima of the four curves mentioned.

We now come to the problem of how to express these ideas in terms of inequalities. The first obstacle is that we do not know any value of a modulus m appearing in a trapdoor pair. This obstacle is easily overcome. We reduce the size of the picture so that m becomes 1. In other words, the lengths are divided by m.
This operation does not affect the location of the accumulation points in which we are interested. For instance, if there was a $b_i$-minimum near the seventh $b_1$-minimum before the size reduction, the same certainly holds true after the size reduction.

The algorithm for finding a trapdoor pair consists of two parts. In the first part, we find candidates for an integer p such that the pth minimum of the $b_1$-curve is an accumulation point we are looking for. The second part of the algorithm tests the candidates one by one. One of the tests has to succeed because the trapdoor pair value of u used by the cryptosystem designer determines one accumulation point.

A specific precaution has to be taken. The first part of the algorithm might produce too many (in comparison with the size of the problem) candidates for p. Therefore, we fix in advance a parameter r indicating the maximum number of candidates allowed. If the first part of the algorithm produces $r + 1$ candidates for p, the algorithm terminates and reports failure. The algorithm is stochastic with a negligible probability of failure. On the other hand, we do not have to consider all components $b_1, \ldots, b_n$ in the first part of the algorithm, but may fix in advance the value of another parameter $s < n$ and consider only the components $b_1, \ldots, b_s$. In other words, the first part of the algorithm produces numbers p such that the pth minimum of the $b_1$-curve is nearby some minimum of the $b_i$-curve, for $i = 2, \ldots, s$. Thus the values $i > s$ are not considered at all in the first part of the algorithm, and it is very likely that
entirely wrong values of p are produced. However, the second part of the algorithm checks through all values of i, $2 \le i \le n$. A candidate p is rejected if, for some i, there is no minimum of the $b_i$-curve near the pth minimum of the $b_1$-curve. We already pointed out that $s = 4$ is in many cases a reasonable choice.

Consider the first part of the algorithm in more detail. The u-coordinate of the pth minimum of the $b_1$-curve is $p/b_1$. (Recall that we reduced the picture in such a way that the modulus equals 1.) Hence, the condition that some minimum of the $b_i$-curve lies near the pth minimum of the $b_1$-curve can be expressed as
Multiplying by the product $b_1 b_i$ we obtain

$$-\delta < b_i p - b_1 q < \delta, \qquad 1 \le p \le b_1 - 1, \qquad 1 \le q \le b_i - 1.$$
We write $s - 1$ inequalities of this latter form, one for each of the components $b_2, \ldots, b_s$. How small the number $\delta$ has to be chosen will be commented upon later. The first part of the algorithm finally outputs all integers p for which there are integers $q, \ldots$ such that all of the $s - 1$ inequalities are satisfied.

We now describe the second part of the algorithm. It tests numbers p produced by the first part until it is successful. Consider a fixed p. All discontinuity points of all n curves lying in the closed interval $[p/b_1, (p+1)/b_1]$ are sorted into increasing order. Let $x_j$ and $x_{j+1}$ be two consecutive points in the sorted list of points. Then in the interval $[x_j, x_{j+1}]$ each of the $b_i$-curves is just a line segment, expressible in the form $b_i u - c_i^j$, where $c_i^j$ is a constant depending on i and j (and, of course, also on p). The solution of the following system of linear inequalities in u is a (possibly empty) open subinterval of $[x_j, x_{j+1}]$:

$$x_j \le u \le x_{j+1},$$
$$\sum_{i=1}^{n} (b_i u - c_i^j) < 1,$$
$$(b_1 u - c_1^j) + \cdots + (b_{i-1} u - c_{i-1}^j) < b_i u - c_i^j, \qquad i = 2, \ldots, n.$$
A necessary and sufficient condition for two numbers u and m to constitute a trapdoor pair is the membership of u/m in a subinterval thus constructed, for some p and j. Indeed, the last inequalities express the super-increasing condition, and the inequality preceding the last the condition for the modulus being sufficiently large. Thus, the second part of the algorithm investigates successively through pairs (p, j), where p is a candidate produced by the first part and j is an index of a point in the sorted list corresponding to p. The investigation is carried out until a nonempty interval is found. At least the trapdoor pair actually used by the cryptosystem designer corresponds to a nonempty interval. The second part of the algorithm amounts to finding a rational number u/m from some nonempty interval we are considering. This is a problem in Diophantine
approximation. The first part amounts to producing candidates p worth a further study, which is a problem of integer programming. Both techniques require only polynomial time. Recall also that the algorithm reports failure if more than r candidates p are generated in the first part. In the inequalities of the first part also a bound $\delta$ is considered. It is estimated in [Sh2] that if we choose $\delta < \sqrt{b_1/2}$, then the probability for the algorithm to fail is at most $(2/r)^{s-1}$. The degree of the polynomial expressing the running time of the algorithm is hard to estimate, as is the interrelation between the degree, the failure probability and the values of the three chosen constants $\delta$, r and s.

From the point of view of decryption it does not make much difference if we do not obtain a super-increasing vector but rather a permutation of a super-increasing vector. The permuted version can be quickly sorted into increasing order. While we cannot analyze in polynomial time all n! permutations of the given vector B, we can reduce the number of permutations by using the fact that a super-increasing vector is also an increasing one. This is done by making the intervals $[x_j, x_{j+1}]$ smaller by including also the intersection points between pairs of curves (in addition to the discontinuity points of all curves). This increases the expected number of intervals from O(n) to $O(n^2)$. Within each new interval there is a specific vertical ordering of all curves. This ordering gives the only possible permutation of the $a_i$-components, provided the interval in question leads to success. The inequalities have to be modified because the super-increasing condition is no longer required.

Example 3.2. Our first illustration of the algorithm is very simple. The publicized vector is B = (7, 3, 2). Of course, it is very easy to handle this vector directly; it is even super-increasing in reverse order. However, in the case of this vector all computations can be presented in great detail.
This means that many details of the algorithm can be further clarified. Consider the first part of the algorithm. There are two double inequalities

$$-\delta < 3p - 7q < \delta, \qquad -\delta < 2p - 7r < \delta,$$

where $1 \le p \le 6$, $1 \le q \le 2$, $r = 1$. We are looking for values of p such that the inequalities are satisfied, for some q and r in their respective ranges. We still have to fix the value of the constant $\delta$. The choice $\delta = \sqrt{b_1/2} = \sqrt{7/2} \approx 1.87$ was recommended above. This choice produces no values of p. Indeed, in small examples any asymptotic result might be wrong. We intend to check through all values of p in the second part of the algorithm. The following table lists for each p the smallest value of $\delta$ such that the above inequalities, where < is replaced by $\le$, have a solution for some q and r. (7r can of course be replaced by 7 because r = 1 is the only possible value.)

    p       1   2   3   4   5   6
    delta   5   3   2   2   3   5

It will be seen below that even if we choose $\delta = 2$, we miss the correct p-value.
Thus, for the second part of the algorithm, we accept all p-values as candidates. This means that we divide the entire interval (0, 1) into subintervals such that all of the three $b_i$-curves are line segments $b_i u - c_i^j$ in each subinterval. (As before, the superscript j indicates the interval.) We consider here open rather than closed intervals because no discontinuity point of some $b_i$-curve can give a trapdoor pair. The inequalities to be considered, for each subinterval, in the second part of the algorithm are

$$(7u - i') + (3u - i'') + (2u - i''') < 1,$$
$$7u - i' < 3u - i'',$$
$$(7u - i') + (3u - i'') < 2u - i''',$$

where the constants range over the values $0 \le i' \le 6$, $0 \le i'' \le 2$, $0 \le i''' \le 1$ depending on the subinterval. The inequalities can be written in the form

$$12u < i, \qquad 4u < j, \qquad 8u < k,$$

where the new constants are obtained from the old ones: $i = 1 + i' + i'' + i'''$, $j = i' - i''$, $k = i' + i'' - i'''$. The following table lists the values of the constants in different intervals and tells, as regards each interval and each of our three inequalities, whether the inequality is satisfied in the whole interval (SAT), in some part of the interval (PART), or not satisfied in any point of the interval (NOT). Intervals are given by listing their right end point.

    Interval   i'  i''  i'''    i   j   k    12u < i   4u < j   8u < k
    1/7         0   0    0      1   0   0    PART      NOT      NOT
    2/7         1   0    0      2   1   1    PART      PART     NOT
    1/3         2   0    0      3   2   2    NOT       SAT      NOT
    3/7         2   1    0      4   1   3    NOT       NOT      PART
    1/2         3   1    0      5   2   4    NOT       SAT      SAT
    4/7         3   1    1      6   2   3    NOT       NOT      NOT
    2/3         4   1    1      7   3   4    PART      SAT      NOT
    5/7         4   2    1      8   2   5    NOT       NOT      NOT
    6/7         5   2    1      9   3   6    PART      PART     PART
    1           6   2    1     10   4   7    NOT       SAT      PART
Clearly, NOT appears iff the inequality is not satisfied at the left end point of the interval. Similarly, SAT appears iff the inequality is satisfied at the right end point of the interval. An interval I generates trapdoor pairs iff either SAT or PART appears for each inequality. In such a case, the final interval is a subinterval of I.
In our illustration, the only such interval begins from 5/7. The right end point is 3/4. It turns out that all inequalities lead to the same right end point, which is not the case in general. By choosing the numbers 8/11, 41/56, 61/84 and 223/308 from this interval, we obtain the super-increasing vectors (1, 2, 5), (7, 11, 26), (7, 15, 38) and (21, 53, 138), respectively. The modulus 11 is the smallest possible because there is no rational with denominator $\le 10$ in the open interval (5/7, 3/4).

Our second illustration is the publicized vector B = (43, 129, 215, 473, 903, 302, 561, 1165, 697, 1523)
already considered in Example 2.1. Now it does not make sense to write out a complete list of discontinuity points in any interval $(p/43, (p+1)/43)$. For instance, the 1523-curve alone has 35 discontinuity points in such intervals. However, B contains enough cryptographic weaknesses for us to make various shortcuts in the algorithm. The inequalities of the first part of the algorithm can now be written as

$$|129p - 43q| \le \delta, \qquad |215p - 43q'| \le \delta, \qquad |473p - 43q''| \le \delta.$$
Since the numbers 129, 215 and 473 happen to be multiples of 43, we get p = 1 as a candidate even if we choose $\delta = 0$. We do not investigate other candidates and, thus, we are interested in the interval (1/43, 2/43). Consider discontinuity points of other curves in this interval. The one closest to the left end point of the interval is 36/1523. It is not necessary that the closest point is obtained using the greatest $b_i$-number but for this B it happens to be the case. Our interval is now (1/43, 36/1523). In this interval the $b_i$-curves are
$$43u - 1,\ 129u - 3,\ 215u - 5,\ 473u - 11,\ 903u - 21,\ 302u - 7,\ 561u - 13,\ 1165u - 27,\ 697u - 16,\ 1523u - 35.$$

The inequality expressing the size of the modulus is $6011u - 139 < 1$, yielding $u < 140/6011$. Since $140/6011 < 36/1523$, we get the new interval (1/43, 140/6011). We now list the inequalities expressing the super-increasing condition. The left column gives the inequality and the right column the solution.

    129u - 3   > 43u - 1          u > 1/43
    215u - 5   > 172u - 4         u > 1/43
    473u - 11  > 387u - 9         u > 1/43
    903u - 21  > 860u - 20        u > 1/43
    302u - 7   > 1763u - 41       u < 34/1461
    561u - 13  > 2065u - 48       u < 35/1504
    1165u - 27 > 2626u - 61       u < 34/1461
    697u - 16  > 3791u - 88       u < 72/3094
    1523u - 35 > 4488u - 104      u < 69/2965
The first four inequalities are satisfied in the whole interval, whereas the remaining five restrict the right end point of the interval. The smallest among the upper bounds obtained for u is

$$72/3094 = 36/1547.$$

Thus, we obtain finally the interval (1/43, 36/1547). Choosing the number 37/1590 from this interval, we obtain the super-increasing vector of the cryptosystem designer mentioned in Example 2.1. Choosing the number 72/3095, we get the super-increasing vector (1, 3, 5, 11, 21, 79, 157, 315, 664, 1331). The reader might want to compute the super-increasing vector obtained by choosing the number 720/30949 from our final interval.

Our next illustration is the first publicized vector B = (4579, 50316, 24924, 30908, 27110, 17953, 32732, 16553, 22075, 53620)
considered in Example 3.1. This is much trickier than the vector B from Example 2.1 considered above. We do not go into any details of the first part of the algorithm. We only mention that p = 88 is a candidate generated. This leads to the interval (88/4579, 89/4579). The three leftmost discontinuity points of our curves are in increasing order of magnitude 594/30908, 479/24924 and 967/50316. In the interval (88/4579, 594/30908) the curves have the form

$$4579u - 88,\ 50316u - 966,\ 24924u - 478,\ 30908u - 593,\ 27110u - 521,\ 17953u - 345,\ 32732u - 629,\ 16553u - 318,\ 22075u - 424,\ 53620u - 1030.$$

The sum of these expressions should be less than 1. This leads to the inequality $280770u < 5393$, which is not satisfied for any u in the interval. We have to consider next the subintervals (594/30908, 479/24924) and (479/24924, 967/50316). The right side of the inequality above is in these subintervals 5394 and 5395, respectively. (This is due to the fact that the constant in the 30908- and 24924-curves is increased by 1.) But still the inequality is not satisfied by any u in the subinterval. We proceed to study the interval (967/50316, 1031/53620)
whose right end point is the next discontinuity point. In this interval the above inequality expressing the size requirement of the modulus gets the form $280770u < 5396$, yielding $u < 2698/140385$. This leads to the new interval (967/50316, 2698/140385).

We now write the inequalities expressing the super-increasing condition. As before, the left column gives the inequality and the right column the solution.

    50316u - 967  > 4579u - 88        u > 879/45737
    24924u - 479  > 54895u - 1055     u < 576/29971
    30908u - 594  > 79819u - 1534     u < 940/48911
    27110u - 521  > 110727u - 2128    u < 1607/83617
    17953u - 345  > 137837u - 2649    u < 2304/119884
    32732u - 629  > 155790u - 2994    u < 2365/123058
    16553u - 318  > 188522u - 3623    u < 3305/171969
    22075u - 424  > 205075u - 3941    u < 3517/183000
    53620u - 1030 > 227150u - 4365    u < 3335/173530

Only the first inequality has influence on the end points of our interval. Hence, our final subinterval will be (879/45737, 2698/140385).
The interval is very tight: the end points differ by 1 on the 9th decimal only. The number 1061/55207 corresponding to the trapdoor pair of the cryptosystem designer lies in this interval. It is interesting to note also that neither one of the end points of the final interval is a discontinuity point and that the left end point lies quite far from our original left end point 88/4579.

Our final illustration deals with the second publicized vector B of Example 3.1. Without going into any details, we mention that the following interval is obtained:

$$\left( \frac{410868073108917982154}{1264891196933908912166},\ \frac{410868073109349502042}{1264891196933908912166} \right).$$

The original u/m lies in this interval, and so does

$$\frac{u'}{m'} = \frac{410868073109000000000}{1264891196933908912166}.$$

We reduce the quotient u'/m' and obtain the super-increasing vector A' with

    a'_1  = 450448325606142
    a'_2  = 454908210018084
    a'_3  = 918736188860052
    a'_4  = 1837472377720104
    a'_5  = 3670484871028266
    a'_6  = 26182899405826276
    a'_7  = 71194348822186470
    a'_8  = 142388697644372940
    a'_9  = 303619324952515624
    a'_10 = 607234190020619306
    a'_11 = 1233314769589420298
    a'_12 = 2466629539178840596
    a'_13 = 4933254618473269250
    a'_14 = 9866513696830950442
    a'_15 = 19751855943672434802
    a'_16 = 39522549357124227406
    a'_17 = 79045103174132866754
    a'_18 = 158109039358160679368
    a'_19 = 316218087636090182620
    a'_20 = 632436175272180365240
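The two parts of Shamir's algorithm as described in this section, run in exact rational arithmetic on the three publicized vectors of the illustrations above. This is an added worked example written for this edition, not code from the book or from [Sh2]; the function names are my own, the first part uses the non-strict bound $|b_i p - b_1 q| \le \delta$ of the $\delta$-table in Example 3.2, and the second part returns the first nonempty open subinterval it meets.

```python
from fractions import Fraction
from math import floor

# The three publicized vectors of this section's illustrations (values from the text).
B_SMALL = (7, 3, 2)
B_EX21 = (43, 129, 215, 473, 903, 302, 561, 1165, 697, 1523)
B_EX31 = (4579, 50316, 24924, 30908, 27110, 17953, 32732, 16553, 22075, 53620)


def first_part(B, s, delta):
    """Part 1: all p, 1 <= p <= b_1 - 1, such that for each i = 2..s some q with
    1 <= q <= b_i - 1 satisfies |b_i p - b_1 q| <= delta (the non-strict form used
    for the delta-table of Example 3.2).  Returns the list of candidates p."""
    b1 = B[0]
    candidates = []
    for p in range(1, b1):
        for bi in B[1:s]:
            # the integer q nearest to b_i p / b_1, clamped to 1 .. b_i - 1, is best
            q = min(max(round(Fraction(bi * p, b1)), 1), bi - 1)
            if abs(bi * p - b1 * q) > delta:
                break
        else:
            candidates.append(p)
    return candidates


def second_part(B, p):
    """Part 2 for one candidate p, with the modulus scaled to 1.  Sort the
    discontinuity points q/b_i of all curves inside (p/b_1, (p+1)/b_1); on each open
    subinterval every curve is a segment b_i u - c_i, so the modulus condition and
    the n-1 super-increasing conditions are linear in u.  Returns the first nonempty
    open interval (lo, hi) of trapdoor values u/m, or None if p leads nowhere."""
    b1 = B[0]
    left, right = Fraction(p, b1), Fraction(p + 1, b1)
    points = {left, right}
    for bi in B:
        q = floor(left * bi) + 1
        while Fraction(q, bi) < right:
            points.add(Fraction(q, bi))
            q += 1
    points = sorted(points)
    for xj, xj1 in zip(points, points[1:]):
        mid = (xj + xj1) / 2
        c = [floor(bi * mid) for bi in B]        # c_i is constant on (x_j, x_{j+1})
        lo, hi, feasible = xj, xj1, True
        # modulus condition: sum_i (b_i u - c_i) < 1
        hi = min(hi, Fraction(1 + sum(c), sum(B)))
        # super-increasing: sum_{k<i} (b_k u - c_k) < b_i u - c_i for i = 2..n,
        # i.e. (S_{i-1} - b_i) u < C_{i-1} - c_i with partial sums S and C
        S, C = B[0], c[0]
        for bi, ci in zip(B[1:], c[1:]):
            a, rhs = S - bi, C - ci
            if a > 0:
                hi = min(hi, Fraction(rhs, a))
            elif a < 0:
                lo = max(lo, Fraction(rhs, a))
            elif rhs <= 0:
                feasible = False
            S, C = S + bi, C + ci
        if feasible and lo < hi:
            return lo, hi
    return None


def trapdoor_vector(B, u, m):
    """A = ((b_1 u, mod m), ..., (b_n u, mod m)) together with the verdict whether
    (u, m) is a trapdoor pair: A super-increasing and m exceeding its sum."""
    A = [(bi * u) % m for bi in B]
    total, super_increasing = 0, True
    for a in A:
        super_increasing = super_increasing and a > total
        total += a
    return A, super_increasing and m > total


if __name__ == "__main__":
    print(first_part(B_SMALL, 3, 2), second_part(B_SMALL, 5))    # [3, 4] (5/7, 3/4)
    print(second_part(B_EX21, 1), second_part(B_EX31, 88))
    print(trapdoor_vector(B_EX21, 720, 30949))                    # the reader's exercise
```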
3.3 Theory of Reachability

Does a given knapsack vector B result from some super-increasing vector by strong modular multiplication or perhaps by a sequence of strong modular multiplications? If it does, we would like to know such a super-increasing vector, as well as the multipliers and moduli involved. These are the issues investigated in this section. The setup will be quite general. There will be no restrictions concerning the sizes of the components with respect to n. The algorithms will be deterministic. The complexity depends on how the size of the input is defined.

It is to be emphasized that the problems mentioned above are quite different from the knapsack problem itself. For instance, the problems do not become easy if the number of the components of B is bounded by a constant k. For these problems, it is still not sufficient to make $2^k$ experiments. In general, if the problems above have been settled, the corresponding knapsack problems will be easy.

By definition, a knapsack vector B is super-reachable iff there is a super-increasing A such that B results from A by strong modular multiplication. For $r \ge 1$, the vector B is r-hyper-reachable iff there is a sequence of vectors $A_0, A_1, \ldots, A_r = B$ such that $A_0$ is super-increasing and, for each $i = 0, \ldots, r - 1$, $A_{i+1}$ results from $A_i$ by strong modular multiplication. Clearly, the notions of super-reachability and 1-hyper-reachability coincide. A vector may be defined in a way showing it to be r-hyper-reachable, $r > 1$, but the vector may still be super-reachable. For instance, in the fundamental paper [MeH] about knapsack-based cryptosystems, the vector B = (25, 87, 33) is obtained from the super-increasing vector A = (5, 10, 20) by two strong modular multiplications, with respect to the modulus-multiplier pairs (47, 17) and (89, 3). It is also shown that B cannot be obtained from A by one strong modular multiplication. However, B is super-reachable because it is obtained from (2, 3, 66) by strong modular multiplication with respect to the pair (99, 62).
We require strong modular multiplication because then Lemma 3.1 becomes available. If we have only modular multiplication, it is not guaranteed that a solution of $(B, \beta)$ equals the only solution of $(A, \alpha)$, where $\alpha$ results from $\beta$ by the corresponding inverse modular multiplications. This conclusion can be made if the original multiplications are strong, even if there are several of them. The following result is a basic tool in constructing examples of vectors that are not r-hyper-reachable.

Theorem 3.1. Every r-hyper-reachable vector is injective. Hence, every super-reachable vector is injective.

Proof. The theorem is a consequence of the following facts (i) and (ii).

(i) Every super-increasing vector is injective. Indeed, the algorithm described in Example 2.1 shows that any knapsack problem $(A, \alpha)$, where A is super-increasing, possesses at most one solution.

(ii) Strong modular multiplication preserves injectivity. Assume that B results from A by strong modular multiplication with respect to the pair (m, t). Assume, further, that $BC = BC'$ for some bit vectors C and C'. Clearly, A results from B by modular multiplication (m, u), where u is the inverse of t. Because we have $uBC = uBC'$ by assumption, we have also $AC \equiv AC' \pmod m$. Since m exceeds the sum of the components of A, this congruence must be an equation: $AC = AC'$. By (i) we conclude that $C = C'$ and, hence, B is injective. □
For instance, if some component in a vector equals the sum of some other components, the vector cannot be r-hyper-reachable.

Consider a knapsack vector $A = (a_1, \ldots, a_n)$, an integer $m > \max A$ and a positive integer $t < m$ such that $(t, m) = 1$. The growing sequence associated with the triple (A, t, m) is the sequence of triples $(A(k), t, m + kt)$, $k = 0, 1, 2, \ldots$, where

$$A(k) = (a_1 + k\,[ta_1/m], \ldots, a_n + k\,[ta_n/m]).$$
Thus, the growing sequence begins with (A, t, m). The terms multiplier and modulus refer also to the numbers t and $m + kt$ in the triple $(A(k), t, m + kt)$. For instance, if A = (1, 2, 3), t = 4, m = 5, then the growing sequence begins with the triples

$$((1, 2, 3), 4, 5), \quad ((1, 3, 5), 4, 9) \quad \text{and} \quad ((1, 4, 7), 4, 13).$$

If A = (1, 4, 7), t = 3, m = 8, then the growing sequence is

$$((1, 4 + k, 7 + 2k), 3, 8 + 3k), \qquad k = 0, 1, 2, \ldots$$
A number i, $2 \le i \le n$, is termed a violation point in a knapsack vector A iff

$$a_i \le \sum_{j=1}^{i-1} a_j.$$

Thus, the i-th component of A violates the requirement of A being super-increasing. If A is increasing, every violation point i in A satisfies $i \ge 3$.
The goal of a triple (A, t, m) is the first triple $(A(k), t, m + kt)$ in the growing sequence such that A(k) is super-increasing and $m + kt$ is greater than the sum of the components of A(k), provided such triples exist. Clearly, a triple can be its own goal and some triples have no goal. In particular, if A is not increasing, then (A, t, m) cannot possess a goal. This follows because $a_i > a_{i+1}$ implies that $[ta_i/m] \ge [ta_{i+1}/m]$ and consequently, for all k,

$$a_i + k\,[ta_i/m] > a_{i+1} + k\,[ta_{i+1}/m].$$
Returning to the two examples considered above, i = 3 is a violation point in the initial vector of the first sequence. The third triple is the goal of the sequence. The second sequence possesses no goal because the modulus will never become big enough.

Next we define a notion in some sense dual to that of a growing sequence. Let (A, t, m) be a triple defined as in connection with growing sequences. The diminishing sequence associated with the triple (A, t, m) is the sequence of triples $(A(-k), t, m - kt)$, $k = 0, 1, 2, \ldots$, where the vectors $A(-k)$ are defined by descending induction as follows. $A(-0) = A$. Assume that $A(-k) = (d_1, \ldots, d_n)$ has been defined and that we still have $m - kt > \max A(-k)$. (The inequality holds for k = 0, by the choice of the original triple.) Then

$$A(-k-1) = (d_1 - [td_1/(m - kt)], \ldots, d_n - [td_n/(m - kt)]).$$
Diminishing sequences are always finite, whereas growing sequences are infinite. However, in the sequel only finite initial segments of growing sequences will be of interest. We will now develop the technical tools needed for the algorithms. We begin with properties of growing sequences. In Lemmas 3.2-3.4, the notation A, t, m, A(k) is the same as in the definition of a growing sequence.

Lemma 3.2. If A is increasing or super-increasing, then each vector in the growing sequence associated with (A, t, m) is increasing or super-increasing, respectively.

Proof. The inequality $a_{i-1} < a_i$ implies the inequality $[ta_{i-1}/m] \le [ta_i/m]$. Hence, if A is increasing then so is every A(k). Assume, next, that

$$\sum_{j=1}^{i-1} a_j < a_i.$$

Consequently, the same inequality holds for the corresponding components of every A(k). This implies that, whenever A is super-increasing, then so is every A(k). □
Lemma 3.3. If $B = (b_1, \ldots, b_n)$ results from A by modular multiplication with respect to (m, t), then B results also from every A(k) by modular multiplication with respect to $(m + kt, t)$. This holds true also if "modular multiplication" is replaced by "strong modular multiplication".
Proof. We infer by the assumption:

$$b_i = (ta_i, \bmod m), \qquad \text{for } 1 \le i \le n.$$

Clearly, $(t, m + kt) = 1$. For all k,

$$t(a_i + k\,[ta_i/m]) = b_i + [ta_i/m]\,m + [ta_i/m]\,kt = b_i + [ta_i/m]\,(m + kt).$$

Since $b_i < m + kt$, we conclude that

$$(t(a_i + k\,[ta_i/m]), \bmod (m + kt)) = b_i.$$

This means that B results from A(k) by modular multiplication with respect to $(m + kt, t)$.
Assume that B results from A by strong modular multiplication with respect to (m, t). This implies that $\sum_{i=1}^{n} a_i < m$. Consequently,

$$\sum_{i=1}^{n} (a_i + k\,[ta_i/m]) < m + k \sum_{i=1}^{n} [ta_i/m] \le m + k\,[t(a_1 + \cdots + a_n)/m] \le m + k\,[t] = m + kt.$$

We may infer that B results from A(k) by strong modular multiplication with respect to the modulus $m + kt$ and multiplier t. □

It is an immediate consequence of Lemmas 3.2 and 3.3 that every super-reachable vector can be obtained from infinitely many super-increasing vectors by strong modular multiplication. (The special case, where $[ta_i/m] = 0$ for all i and, thus, always A(k) = A, can be easily handled separately.)

We now investigate the question of which triples (A, t, m) possess goals. Recall that every violation point i in A satisfies

$$a_i \le a_1 + \cdots + a_{i-1}. \qquad (*)$$

Assume that also

$$[ta_1/m] + \cdots + [ta_{i-1}/m] < [ta_i/m]. \qquad (*)'$$

Observe that (*) and (*)' are by no means contradictory, even if we have a strict inequality in (*). The smallest integer x such that

$$\sum_{j=1}^{i-1} a_j + x \sum_{j=1}^{i-1} [ta_j/m] < a_i + x\,[ta_i/m]$$

is called the rescuer of i. (An explicit formula for x follows directly from this inequality.) By (*) and (*)', x is a positive integer.
We consider, next, the situation where the modulus is not big enough:

$$m < \sum_{i=1}^{n} a_i. \qquad (**)$$

Assume that also

$$\sum_{i=1}^{n} [ta_i/m] < t. \qquad (**)'$$

Then the smallest integer y such that

$$\sum_{i=1}^{n} a_i + y \sum_{i=1}^{n} [ta_i/m] < m + yt$$

is called the rescuer of m. An explicit expression for y, corresponding to the one written for x above, can be easily given. If (*)' holds for every violation point i in A, then the rescuer of A is defined to be the maximum of the rescuers of all violation points i. It is important to notice that if i' is rescued by k', that is, i' is not a violation point in A(k'), then i' is not a violation point in any A(k), $k > k'$. Hence, if we have rescued several numbers (possibly including m), then we may go on further in the growing sequence until all of them have been rescued (if ever). For the sake of completeness, we say that 0 is the rescuer of i (resp. m) if (*) (resp. (**)) does not hold.
Lemma 3.4. A triple (A, t, m) possesses a goal iff (*)' holds whenever (*) holds and, moreover, (**)' holds in case (**) holds. If these conditions are satisfied, the goal is $(A(k_0), t, m + k_0 t)$, where $k_0$ is the maximum of the rescuers of A and m.

Proof. If $k_0$ is defined as in the statement of the lemma, then $A(k_0)$ is super-increasing (because it has no violation points) and $m + k_0 t$ is greater than the sum of the components of $A(k_0)$. The definition of $k_0$ guarantees that we obtain the smallest number satisfying these conditions. On the other hand, if some i satisfies (*) but in (*)' we have $\ge$ instead of <, then i is a violation point in every A(k). Similarly, if (**) holds but (**)' does not hold then, for all k,

$$\sum_{i=1}^{n} (a_i + k\,[ta_i/m]) \ge m + kt.$$

Hence, the modulus is too small in every triple of the growing sequence. □
We now give some illustrations. In the following table A, t, m, B and the goal are listed. Here B results from A by modular multiplication with respect to (m, t). The goal always gives items showing that B is super-reachable. If no goal exists, we use the abbreviations NR(i = i') and NR(m) to mean that there is no rescuer for a violation point i' or modulus m, that is, (*)' or (**)' is not satisfied. In some cases there may be several such failures.
3.3 Theory of Reachability
Example 3.3. (The table of this example lists $A$, $t$, $m$, $B$ and the goal for each row; only the goal column survived extraction. Its entries, in order, read:) $k = 2$, $(1, 4, 7), 4, 13$; NR($m$); $k = 1$ rescuer of $i = 3$, NR($m$); $k = 1$, $(1, 4, 7), 4, 13$; NR($m$); NR($i = 3$), NR($m$); $k = 1$, $(1, 3, 5), 5, 11$; NR($m$); own goal; $k = 2$, $(1, 14, 23, 66, 105), 87, 374$; $k = 3$, $(1, 130, 259), 97, 391$; $k = 2$, $(1, 41, 81, 124), 93, 286$; NR($i = 4$), NR($m$); $k = 1$ rescuer of $i = 3$.
The first of our remaining three lemmas deals with an interplay between the multiplier and the modulus. We then discuss properties of diminishing sequences. Finally, growing and diminishing sequences are tied together. We say that $B$ is $(A, t, m)$-super-reachable iff $A$ is super-increasing and $B$ results from $A$ by strong modular multiplication with respect to the modulus $m$ and multiplier $t$. Consider a triple $(A, t, m)$, where $A = (a_1, \ldots, a_n)$ is a knapsack vector, $m > \max A$, $t < m$ and $(t, m) = 1$. The triple $(A_1, t_1, m_1)$, where
$$m_1 = t, \qquad t_1 = (-m, \bmod t), \qquad A_1 = ([ta_1/m], \ldots, [ta_n/m]),$$
is called the transposed version of $(A, t, m)$.
Lemma 3.5. Assume that $(A_1, t_1, m_1)$ is the transposed version of $(A, t, m)$. If $B$ results from $A$ by modular multiplication (resp. strong modular multiplication) with respect to $(m, t)$ and $\max B < t$, then $B$ results also from $A_1$ by modular multiplication (resp. strong modular multiplication) with respect to $(m_1, t_1)$. If $B$ is super-reachable, then $B$ is $(A', t', m')$-super-reachable with $t' \leq \max B$.

Proof. Clearly, $t_1 < t$. We may repeat the construction of replacing a triple by its transposed version until a triple with $t' \leq \max B$ is reached. Assume that $B$ results from $A$ by modular multiplication with respect to $(m, t)$ and $t > \max B$. Consequently, $(ta_i, \bmod m) = b_i$, for $1 \leq i \leq n$. This implies that
$$t_1[ta_i/m] \equiv -m[ta_i/m] = b_i - ta_i \equiv b_i \pmod t .$$
3. Knapsack Systems
Since $b_i \leq \max B < t$, we may write further
$$(t_1[ta_i/m], \bmod t) = b_i ,$$
which shows that $B$ results from $A_1$ by modular multiplication with respect to $(m_1, t_1)$. Also the claim concerning strong modular multiplication follows because if $m > \sum_{i=1}^{n} a_i$, then
$$t > \sum_{i=1}^{n} ta_i/m \geq \sum_{i=1}^{n} [ta_i/m] .$$
To prove the last sentence of Lemma 3.5, it suffices to show that if $A$ is super-increasing then so is $A_1$. The assumption of $A$ being super-increasing implies, for $2 \leq i \leq n$,
$$\sum_{j=1}^{i-1} ta_j/m < ta_i/m .$$
Hence,
$$(*) \qquad \sum_{j=1}^{i-1} [ta_j/m] \leq [ta_i/m] .$$
Assume that we have equality in $(*)$. Then
$$\sum_{j=1}^{i-1} m[ta_j/m] = m[ta_i/m]$$
and consequently,
$$\sum_{j=1}^{i-1} (ta_j - b_j) = ta_i - b_i ,$$
which can be written in the form
$$t\left(a_i - \sum_{j=1}^{i-1} a_j\right) = b_i - \sum_{j=1}^{i-1} b_j .$$
Since the coefficient of $t$ is positive, we infer
$$t \leq b_i - \sum_{j=1}^{i-1} b_j < b_i \leq \max B .$$
Since this contradicts the assumption $t > \max B$, we must have strict inequality in $(*)$. Since $i$ was arbitrary, we conclude that $A_1$ is super-increasing. □

As an illustration, we observe that the vector $B = (46, 45, 40, 30)$ is $((4, 5, 10, 20), 49, 50)$-super-reachable. By Lemma 3.5, it is also super-reachable from each of the triples $((3, 4, 9, 19), 48, 49)$, $((2, 3, 8, 18), 47, 48)$ and $((1, 2, 7, 17), 46, 47)$. In the last triple the multiplier is $\leq \max B$. We now discuss diminishing sequences.
Lemma 3.6. Assume that $B$ results from $A$ by modular multiplication with respect to $(m, t)$ and that, furthermore, $m > 2\max B$ and $t \leq \max B$. Then $B$ results also from $A(-1)$ by modular multiplication with respect to $(m - t, t)$. Moreover, if $A$ is increasing then so is $A(-1)$.
Proof. We use our customary notation $A = A(-0) = (a_1, \ldots, a_n)$ and $B = (b_1, \ldots, b_n)$. Then the $i$-th component of $A(-1)$, $1 \leq i \leq n$, is
$$a_i - [ta_i/m] .$$
Multiplying this by $t$ and using our assumption we obtain
$$ta_i - t[ta_i/m] = b_i + m[ta_i/m] - t[ta_i/m] = b_i + (m - t)[ta_i/m] \equiv b_i \pmod{m - t} .$$
Because by our assumptions $m - t > \max B \geq b_i$, we obtain
$$(t(a_i - [ta_i/m]), \bmod (m - t)) = b_i .$$
Observe that
$$(*) \qquad m > 2t, \text{ yielding } m - t > t ,$$
and clearly $(t, m - t) = 1$. The first assertion now follows if the new modulus is big enough. Assume the contrary: $a_i - [ta_i/m] \geq m - t$, for some $i$. We multiply this by $t$, use the above expression for $ta_i$ and the assumption $m > 2\max B$, obtaining
$$t(m - t) \leq b_i + (m - t)[ta_i/m] < \frac{m}{2} + (m - t)[ta_i/m] ,$$
from which
$$m/2 > (m - t)(t - [ta_i/m]) ,$$
contradicting $(*)$ because $t > [ta_i/m]$.

To prove the second assertion, we denote $A(-1) = (e_1, \ldots, e_n)$. Let $i$ be arbitrary, $1 \leq i \leq n - 1$. Since $A(-0)$ is increasing, $a_{i+1} = a_i + \alpha$ for some $\alpha \geq 1$. Assume first that $\alpha > 1$. Then
$$e_{i+1} = a_i + \alpha - [t(a_i + \alpha)/m] \geq a_i + \alpha - (1 + [ta_i/m] + [t\alpha/m]) = e_i + (\alpha - 1) - [t\alpha/m] > e_i .$$
Here the first inequality follows because always $[x + y] \leq [x] + [y] + 1$, and the second because by $(*)$
$$[t\alpha/m] \leq t\alpha/m < \alpha/2 .$$
Assume, secondly, that $\alpha = 1$. In this case $[t\alpha/m] = 0$. If $[t(a_i + 1)/m] = [ta_i/m]$, we obtain $e_{i+1} > e_i$. Hence, suppose that
$$(**) \qquad [t(a_i + 1)/m] = [ta_i/m] + 1 .$$
Clearly, there are no other possibilities. $(**)$ would imply that $e_{i+1} = e_i$. Denote the right side of $(**)$ by $\beta + 1$. Hence,
$$m\beta \leq ta_i < m(\beta + 1) \leq t(a_i + 1) .$$
Assume that $ta_i < m(\beta + \tfrac{1}{2})$. Hence by $(*)$,
$$ta_i + t < m(\beta + \tfrac{1}{2}) + t = m(\beta + 1) + t - m/2 < m(\beta + 1) ,$$
a contradiction. Hence, $ta_i \geq m(\beta + \tfrac{1}{2})$. But now
$$b_i = ta_i - \beta m \geq m/2 .$$
This implies that $m \leq 2b_i \leq 2\max B$, contradicting our assumption. This shows that $(**)$ cannot hold. □

Lemma 3.6 will be applied in the sequel to the triples of the diminishing sequence as long as we still have $m - kt > 2\max B$. In this way the modulus will be forced to become $\leq 2\max B$. It is important to note that certain properties preserved by the growing sequences are not preserved by the diminishing sequences. $A$ may be super-increasing although the other vectors in the diminishing sequence are not. For instance, choose $A = (1, 14, 23, 66, 105)$, $t = 87$, $m = 374$, implying that $B = (87, 96, 131, 132, 159)$ and, hence, $t \leq \max B$ and $m > 2\max B$. Now $A(-1) = (1, 11, 18, 51, 81)$,
which is not super-increasing. Similarly, we see that (4,3,2) results from (1,4,7) by strong modular multiplication with respect to (13,4) but when we go to the first triple in the diminishing sequence, we observe that (4,3,2) does not result from (1,3, 5) by strong modular multiplication with respect to (9,4) (although it results by modular multiplication as it should by Lemma 3.6). Such negative results are natural in view of our last lemma, Lemma 3.7, and reflect the fact that some properties are rescued from a certain point on in the growing sequence. The same properties are lost at this point in the diminishing sequence. The second assertion in Lemma 3.6 shows a property preserved by diminishing sequences. This assertion is not needed in the proof of our main result.
Lemma 3.7. Consider $A$, $B$, $m$ and $t$ satisfying the assumptions of Lemma 3.6. Consider the growing sequence associated with $(A(-1), t, m - t)$. Let $(C, t, m)$, $C = (c_1, \ldots, c_n)$, be the first triple in this sequence. Then $C = A$.

Proof. As in Lemma 3.6, we denote $A(-1) = (e_1, \ldots, e_n)$. We consider an arbitrary $i$, $1 \leq i \leq n$, and denote the components $a_i, c_i, e_i$ simply by $a, c, e$. By the
definition of growing and diminishing sequences, we have
$$c = e + [te/(m - t)] \qquad \text{and} \qquad e = a - [ta/m] .$$
To prove that $a = c$ (and hence also Lemma 3.7), we have to show that
$$(*) \qquad [te/(m - t)] = [ta/m] .$$
By Lemmas 3.3 and 3.6, we know that $ta \equiv tc \pmod m$, yielding $a \equiv c \pmod m$. This implies that
$$(**) \qquad [te/(m - t)] \equiv [ta/m] \pmod m .$$
$(**)$ can hold without $(*)$ holding only in case the absolute value of the difference between the two bracket expressions is a positive multiple of $m$. We prove that this is impossible by showing that both of the bracket expressions (which clearly are nonnegative) are less than $m$. Since $m - t > \max A(-1) \geq e$, we obtain
$$[te/(m - t)] < t < m .$$
The bracket expression on the right side of $(**)$ is estimated by denoting $t/m = x$ and using the principle $[y] \leq y$. Therefore,
$$[ta/m] \leq xa = x(e + [ta/m]) \leq x(e + x(e + [ta/m])) \leq x(e + x(e + x(e + [ta/m]))) \leq \cdots \leq e(x + x^2 + \cdots + x^p) + x^p[ta/m] \leq e/(1 - x) + x^p[ta/m] = me/(m - t) + x^p[ta/m] < m + x^p[ta/m] .$$
This holds for arbitrarily large $p$, which means that the term $x^p[ta/m]$ can be made arbitrarily small. Consequently, $[ta/m] < m$. □

Lemma 3.7 can be used inductively in the same sense as Lemma 3.6. We may generate the diminishing sequence as long as the modulus satisfies the inequality $m - kt > 2\max B$. Once we have reached a value $s$ with $m - st \leq 2\max B$, we may increase the modulus again by considering the growing sequence. Lemma 3.7 then tells us that the growing sequence coincides with the original diminishing sequence. The following main result is now fairly obvious in view of the technical tools developed.
Theorem 3.2. A knapsack vector $B$ is super-reachable iff, for some $A$, $t \leq \max B$ and $m \leq 2\max B$, $B$ results from $A$ by modular multiplication with respect to $(m, t)$ and the triple $(A, t, m)$ possesses a goal.

Proof. The "if"-part follows by Lemma 3.3 and the definition of a goal. Lemma 3.4 gives a simple method for deciding whether or not a given triple possesses a goal. For the "only if"-part, assume that $B$ is super-reachable. By Lemma 3.5, $B$ is $(A, t, m)$-super-reachable with $t \leq \max B$. If $m \leq 2\max B$, we are finished. Otherwise, we form the diminishing sequence
$$(A(-k), t, m - kt), \qquad 0 \leq k \leq s ,$$
where $s$ is the smallest integer such that $m - st \leq 2\max B$. By Lemma 3.6, $B$ results from $A(-s)$ by modular multiplication with respect to $(m - st, t)$. By Lemma 3.7, the triple $(A(-s), t, m - st)$ possesses a goal. □

The algorithm due to Theorem 3.2 can be described as follows. Given $B$, choose $m$ satisfying $\max B < m \leq 2\max B$ and $u < m$ with $(u, m) = 1$. Check whether the vector $A$ resulting from $B$ by modular multiplication with respect to $(m, u)$ is increasing and $u^{-1} = t \leq \max B$. If not, choose another pair $(u, m)$. Else check by Lemma 3.4 whether the triple $(A, t, m)$ possesses a goal. If it does, $B$ is super-reachable and the goal also gives a super-increasing vector, multiplier and modulus showing this. If $(A, t, m)$ possesses no goal, another pair $(u, m)$ is tried. When all possible pairs $(u, m)$ have been tried without success, the algorithm terminates with the conclusion that $B$ is not super-reachable. Various shortcuts can be made in the choice of the pairs $(u, m)$. The algorithm is deterministic and works for all instances, independently of any conventions concerning the size of the components of the vectors. Thus, also cheating which uses non-super-reachable vectors can be found out. As will be mentioned below, similar algorithms can be applied to many other problems as well.

Example 3.4. We give some illustrations of the algorithm. Consider first $B = (4, 1, 6)$. The following table lists all pairs $(u, m)$, where $m \leq 2\max B$, $u < m$, $(u, m) = 1$, $u^{-1} \leq \max B$ and the resulting $A$ is increasing. Abbreviations are the same as in Example 3.3.
u, m     t = u^{-1}    A             Goal
3, 11    4             (1, 3, 7)     k = 1, (1, 4, 9), 4, 15
9, 11    5             (3, 9, 10)    NR(i = 3), NR(m)
5, 8     5             (4, 5, 6)     NR(i = 3), NR(m)
2, 7     4             (1, 2, 5)     k = 2, (1, 4, 9), 4, 15

Thus, $(4, 1, 6)$ is super-reachable. It is interesting to note that in both cases leading to success we obtain the same goal. It follows that, whenever $(4, 1, 6)$ is $(A, t, m)$-super-reachable, then $t \geq 4$ and $m \geq 15$. Thus, it does not suffice to investigate moduli $m \leq 2\max B$ without considering growing sequences. Of course, $m$ can be arbitrarily large in the growing sequence. Also $t$ can be made larger by applying an argument similar to that used in Lemma 3.5 in the reverse order. The vector $B = (1, 10, 8)$ is 2-hyper-reachable because it results from $(1, 2, 4)$ by two strong modular multiplications, first with respect to $(8, 5)$ and then with respect to $(12, 5)$. The following table shows that $B$ is not super-reachable.
u, m     t = u^{-1}    A              Goal
7, 20    3             (7, 10, 16)    NR(i = 3), NR(m)
9, 20    9             (9, 10, 12)    NR(i = 3), NR(m)
2, 17    9             (2, 3, 16)     NR(m)
6, 17    3             (6, 9, 14)     NR(i = 3), NR(m)
5, 14    3             (5, 8, 12)     NR(i = 3), NR(m)
3, 13    9             (3, 4, 11)     NR(m)
4, 11    3             (4, 7, 10)     NR(i = 3), NR(m)
5, 11    9             (5, 6, 7)      NR(i = 3), NR(m)
Of knapsack vectors with all components $\leq 4$ exactly the following ones are super-reachable:
$$(2, 4, 3), \; (4, 3, 2), \; (1, 2, 4), \; (2, 4, 1), \; (4, 1, 2) .$$
The study of $(4, 3, 2)$ is interesting because it shows that one cannot reject noninjective candidates $A$ in spite of Theorem 3.1. This is due to the fact that injectivity can be gained later on in the growing sequence. We now return to Example 3.2 and show how some of the results can be obtained by the method of Theorem 3.2. Consider $B = (7, 3, 2)$. We saw that the number $61/84$ is in the interval obtained. Since 73 is the inverse of 61, we conclude that $B$ is $((7, 15, 38), 73, 84)$-super-reachable. Here the multiplier is too big. Lemma 3.5 yields, in succession, the triples
$$((6, 13, 33), 62, 73), \; ((5, 11, 28), 51, 62), \; ((4, 9, 23), 40, 51), \; ((3, 7, 18), 29, 40), \; ((2, 5, 13), 18, 29), \; ((1, 3, 8), 7, 18) .$$
In the last triple the multiplier $t = 7$ satisfies $t \leq \max B$, and we cannot apply Lemma 3.5 further. However, we still have $m > 2\max B$. But taking one step in the diminishing sequence we obtain the triple $((1, 2, 5), 7, 11)$. Consider, finally, the vector
$$B = (43, 129, 215, 473, 903, 302, 561, 1165, 697, 1523) .$$
We computed in Example 3.2 the interval $(1/43, 36/1547)$. Choosing the number $u/m = 72/3095$ from this interval, we get the super-increasing vector
$$A = (1, 3, 5, 11, 21, 79, 157, 315, 664, 1331) .$$
Now $t = 43 < \max B$ but $m > 2\max B$. When we go two steps back in the diminishing sequence, we obtain the triple
$$((1, 3, 5, 11, 21, 77, 153, 307, 646, 1295), 43, 3009) .$$
Now also $m$ is within the size limits. □
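As an added worked example (this code is ours, not the book's), the following Python puts Lemmas 3.4 to 3.7 and the algorithm of Theorem 3.2 to work and reproduces the figures of Examples 3.3 and 3.4: the transposed version of Lemma 3.5 walks $((7, 15, 38), 73, 84)$ down to $((1, 3, 8), 7, 18)$, one diminishing step gives $((1, 2, 5), 7, 11)$, and the Theorem 3.2 search finds the goal $((1, 4, 9), 4, 15)$ for $(4, 1, 6)$, reports none for $(1, 10, 8)$, and recovers the five super-reachable vectors with components $\leq 4$. The integer part $[x]$ is written with Python's `//`; the closed-form rescuers in `goal()` are our reading of conditions $(*)'$ and $(**)'$ of Lemma 3.4, and all function names are ours.

```python
# Added example, not from the book: Lemma 3.5's transposed version, one step of
# the diminishing sequence (Lemma 3.6), the goal test of Lemma 3.4 and the
# search of Theorem 3.2, checked against Examples 3.3 and 3.4.  The book's
# integer part [x/y] is written x // y; all function names are ours.
from itertools import product
from math import gcd


def modmul(A, t, m):
    """B resulting from A by modular multiplication with respect to (m, t)."""
    return tuple(t * a % m for a in A)


def is_super_increasing(A):
    return all(sum(A[:i]) < A[i] for i in range(len(A)))


def transposed(A, t, m):
    """(A_1, t_1, m_1) of Lemma 3.5: same B, smaller multiplier t_1 < t."""
    return tuple(t * a // m for a in A), (-m) % t, t


def diminish(A, t, m):
    """(A(-1), t, m - t), the next triple of the diminishing sequence."""
    return tuple(a - t * a // m for a in A), t, m - t


def goal(A, t, m):
    """Lemma 3.4.  The growing sequence has components a_i + k [t a_i / m], so
    every violation (*) and the modulus condition (**) is linear in k: the
    smallest rescuing k is a quotient, or there is none and no goal exists."""
    q = [t * a // m for a in A]
    k0 = 0
    for i in range(1, len(A)):
        sa, sq = sum(A[:i]), sum(q[:i])
        if sa >= A[i]:                 # i is a violation point: (*)
            if sq >= q[i]:             # (*)' fails: never rescued
                return None
            k0 = max(k0, (sa - A[i]) // (q[i] - sq) + 1)
    S, Q = sum(A), sum(q)
    if S >= m:                         # modulus too small: (**)
        if Q >= t:                     # (**)' fails
            return None
        k0 = max(k0, (S - m) // (t - Q) + 1)
    return tuple(a + k0 * qi for a, qi in zip(A, q)), t, m + k0 * t


def super_reachable(B):
    """Theorem 3.2: try every modulus max B < m <= 2 max B and multiplier u
    coprime to m; A = uB mod m must be increasing with t = u^-1 <= max B, and
    (A, t, m) must possess a goal.  Returns the first goal found, or None."""
    mx = max(B)
    for m in range(mx + 1, 2 * mx + 1):
        for u in range(1, m):
            if gcd(u, m) != 1:
                continue
            A, t = modmul(B, u, m), pow(u, -1, m)
            if t > mx or any(A[i] >= A[i + 1] for i in range(len(A) - 1)):
                continue
            g = goal(A, t, m)
            if g is not None:
                return g
    return None


def small_super_reachable(n, bound):
    """All n-vectors with components in 1..bound that are super-reachable."""
    return {B for B in product(range(1, bound + 1), repeat=n) if super_reachable(B)}


if __name__ == "__main__":
    print(super_reachable((4, 1, 6)))       # the goal of Example 3.4
    print(super_reachable((1, 10, 8)))      # None: not super-reachable
    print(sorted(small_super_reachable(3, 4)))
```

The search stops at the first pair $(u, m)$ that yields a goal; to list every successful pair, as the tables of Example 3.4 do, turn the `return g` into a `yield`.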
We call a vector $B$ permutation-super-reachable iff some permutation of $B$ is super-reachable. Cryptanalytic significance of permutation-super-reachable vectors was discussed earlier. As in Theorem 3.1 we can show that every permutation-super-reachable vector is injective. Conversely, by our theory it is easy to see that every injective $(b_1, b_2, b_3)$ is permutation-super-reachable. Assume that $B$ is super-reachable. Theorem 3.2 gives a method of finding the smallest $m$ such that $B$ is $(A, t, m)$-super-reachable, for some $A$ and $t$. The multiplier $t$ can be similarly minimized. By estimating the maximal number of steps in the growing sequence before the goal is reached, one can also compute an upper bound $M$, depending on $B$, such that $B$ is super-reachable iff it is $(A, t, m)$-super-reachable with $m \leq M$. Using our lemmas one can also decide of a given pair $(B, r)$ whether or not $B$ is $r$-hyper-reachable and, if the answer is positive, produce the corresponding super-increasing vector, multipliers and moduli. More details about all of these matters are given in [Sa 4]. It will be seen in the next section how one can choose an arbitrary starting vector if one uses sufficiently many strong modular multiplications to get the publicized vector.
3.4 Trying to Hide the Trapdoor Again

The last two sections in this chapter discuss variants of knapsack-based cryptosystems, exhibiting various methods to meet cryptanalytic attacks. It has been emphasized already several times that some caution is needed in cryptography as regards arguments based on complexity theory. From a cryptographic point of view it does not prove much if it is shown that the worst instances of some problem are difficult but little or nothing is known about the average complexity of the problem. As regards algorithms running in polynomial time, the degree of the polynomial is important. Even if an expected cryptanalytic attack leads to an NP-complete problem, there might be other attacks that lead to easy problems. This point will now be illustrated using ideas based on knapsacks. The cryptosystem described will be partially public-key in that a knapsack vector $A = (a_1, \ldots, a_n)$ is publicized, whereas there is also a secret key $K = (k_1, \ldots, k_n)$ with $k_i = 0, 1$. The key is used both in encryption and decryption. In cryptanalysis the setup "chosen plaintext" seems to lead to an NP-complete problem, whereas the setup "known plaintext" with a long enough plaintext leads to an easy problem. We use the symbol $\oplus$ to denote bitwise addition. The notation is extended to concern vectors as well. Thus, $1 \oplus 1 = 0$ and $(1, 1, 0, 1, 0) \oplus (1, 1, 1, 0, 0) = (0, 0, 1, 1, 0)$. Denote further
$$t = \left[\log_2 \left(1 + \sum_{i=1}^{n} a_i\right)\right] + 1 .$$
Clearly, any sum of the $a_i$'s, where each individual $a_i$ appears at most once, can be expressed as a binary number with $t$ bits. As already mentioned, $A$ will be public, whereas the bit vector $K$ is secret. For the encryption the plaintext is divided into blocks $P = (p_1, \ldots, p_t)$ of $t$ bits. For
each $P$, a random bit vector $R = (r_1, \ldots, r_n)$ is chosen. The sum
$$A(K \oplus R) = \sum_{i=1}^{n} (k_i \oplus r_i) a_i$$
is formed. (Thus $K \oplus R$ is viewed as a column vector.) Let $S$ be the binary representation of this sum, consisting of $t$ bits with some initial 0's if necessary. The encrypted version of $P$ is now
$$C = (L, R) \qquad \text{where } L = S \oplus P .$$
Thus, an $(n + t)$-bit cryptotext corresponds to a $t$-bit plaintext. Since the $n$ last bits of the cryptotext give $R$, the legal recipient who knows $K$ can immediately compute $S$ and, therefore, the plaintext $P$ from the $t$-bit initial segment $L$ of the cryptotext. A cryptanalyst who knows some pair $(P, C)$, where $P$ may even be chosen by the cryptanalyst, can immediately compute $S$ from $L \oplus P = S \oplus P \oplus P = S$. However, the $S$ thus obtained corresponds to the particular plaintext $P$. Although $R$ is known, the determining of $K$ still leads to the NP-complete knapsack problem. Therefore, the cryptanalyst has not gained much information for decrypting some other cryptotext received later. Assume, however, that the cryptanalyst knows some pair (plaintext, cryptotext), where the plaintext is long enough. More specifically, it should consist of $n$ $t$-bit blocks. This means that the cryptanalyst knows $n$ triples $(P_i, L_i, R_i)$, $i = 1, \ldots, n$. Denote the bitwise multiplication of two $n$-bit vectors $T$ and $U$ by $T * U$. Thus, the $i$-th component in $T * U$ equals 1 iff the $i$-th component equals 1 both in $T$ and $U$. It is easily seen by induction on $n$ that
$$T \oplus U = T + U - 2(T * U) .$$
Indeed, for $n = 1$ this is obvious. Assuming the equation for two $n$-bit vectors, we extend it to two $(n + 1)$-bit vectors by applying the inductive hypothesis to their last $n$ bits (the result is an $n$-bit vector with no carry), after which the matter with the leading bits is the same as for $n = 1$. Of course, $+$ and $-$ above denote ordinary addition and subtraction. For instance,
$$11010 \oplus 10111 = 01101 = 13 = 11010 + 10111 - 2 \cdot 10010 = 26 + 23 - 2 \cdot 18 ,$$
where we have written bit vectors without parentheses and commas. The cryptanalyst now writes the $n$ linear equations
$$S_i = A(K \oplus R_i) = A(K + R_i - 2(K * R_i)), \qquad 1 \leq i \leq n ,$$
for the $n$ unknowns $k_i$. Unless the determinant of the system equals 0, $K$ can be quickly computed. On the other hand, if the system happens to be singular, the knowledge of a few more triples $(P_i, L_i, R_i)$ is very likely to yield a nonsingular system. In fact, if $n + j$ triples are known, the probability of getting a nonsingular system tends very fast to 1 with $j$ growing. As an illustration, consider $A = (2, 3, 4, 5, 6, 7)$, yielding $n = 6$ and $t = 5$. $K = 110011$ is chosen as the secret key. Observe that in this cryptosystem the injectivity of $A$ is not important because the decryption process gives the items of $A$ to be summed up and, hence, the knapsack problem need not be solved at all.
Encrypt the plaintext $P_1 = 01010$ by choosing $R_1 = 101010$. Now $K \oplus R_1 = 011001$, whence $S_1 = 3 + 4 + 7 = 01110$ and $C_1 = 00100101010$. (The index 1 in $S_1$ points out the interconnection with $R_1$.) Knowing $P_1$ and $C_1$, the cryptanalyst may immediately compute $S_1 = 00100 \oplus 01010 = 01110$. But the knapsack problem $(A, 14)$ has to be solved in order to obtain $K \oplus R_1$, from which $K$ results because $K \oplus R_1 \oplus R_1 = K$. $R_1$ is of course immediate from $C_1$. Thus, the knowledge of the pair $(P_1, C_1)$ does not give much information for the decryption of the cryptotexts
$$C_2 = 11110010101, \; C_3 = 01110111101, \; C_4 = 00111011110, \; C_5 = 11110001010, \; C_6 = 00111011011 .$$
Assume, however, that the cryptanalyst knows the six pairs $(P_i, C_i)$, $1 \leq i \leq 6$, where
$$P_2 = 10011, \; P_3 = 00001, \; P_4 = 10101, \; P_5 = 01110, \; P_6 = 00001 .$$
(It is no coincidence that the plaintexts $P_2$ to $P_6$ represent the numerical encoding of SAUNA.) Then a system of 6 linear equations can be written for the unknown $k_i$'s. Consider $i = 1$. As above, we infer that
$$S_1 = 14 = AR_1 + A(K - 2(K * R_1)) ,$$
whence
$$2 = -2k_1 + 3k_2 - 4k_3 + 5k_4 - 6k_5 + 7k_6 ,$$
and similarly from the equations for $S_2$ to $S_6$
$$-2 = 2k_1 - 3k_2 + 4k_3 - 5k_4 + 6k_5 - 7k_6 ,$$
$$-6 = -2k_1 - 3k_2 - 4k_3 - 5k_4 + 6k_5 - 7k_6 ,$$
$$0 = 2k_1 - 3k_2 - 4k_3 - 5k_4 - 6k_5 + 7k_6 ,$$
$$6 = 2k_1 + 3k_2 - 4k_3 + 5k_4 - 6k_5 + 7k_6 ,$$
$$-14 = 2k_1 - 3k_2 - 4k_3 + 5k_4 - 6k_5 - 7k_6 .$$
This system of 6 equations is clearly singular. However, it gives a unique solution for $K$. In fact, the third and fifth equations yield $k_3 = 0$, and the second and fifth equations $k_1 = 1$. The remaining considerations are based on the fact that the $k_i$'s are bits. Parity check shows immediately that exactly one of $k_2, k_4, k_6$ equals 0. The last equation, with the values inserted for $k_1$ and $k_3$, reads
$$-16 = -3k_2 + 5k_4 - 6k_5 - 7k_6 ,$$
which shows that $k_4$ has to be the one equaling 0. This means that the remaining bits must equal 1. As in this example, a unique solution in bits is obtained although there is no unique solution over rational numbers. The cryptanalytic method bears resemblance to the one used in connection with Hill's system in Example 1.2.

Next we'll discuss a notion somewhat weaker than that of $r$-hyper-reachability. The public key will be a knapsack vector obtained by a succession of strong
modular multiplications from some knapsack vector, not necessarily a super-increasing one. The moduli and multipliers constitute the secret trapdoor information. This information is sufficient for the legal recipient to decrypt using a system of linear equations. We now present the details. The cryptosystem designer chooses an arbitrary injective knapsack vector $A_1 = (a_1^1, \ldots, a_n^1)$, a multiplier $t_1$ and a modulus $m_1$ satisfying the conditions of strong modular multiplication, that is,
$$1 \leq t_1 < m_1, \qquad (t_1, m_1) = 1, \qquad m_1 > \sum_{i=1}^{n} a_i^1 .$$
Assume that $A_2 = (a_1^2, \ldots, a_n^2)$ results from $A_1$ by strong modular multiplication with respect to $(m_1, t_1)$. Then $t_2$ and $m_2$ are chosen such that the conditions of strong modular multiplication (for $A_2$) are satisfied. Let $A_3 = (a_1^3, \ldots, a_n^3)$ be the vector resulting from $A_2$ by strong modular multiplication with respect to $(m_2, t_2)$. The procedure is continued until a vector $A_n = (a_1^n, \ldots, a_n^n)$, resulting by strong modular multiplication from $A_{n-1}$ with respect to $(m_{n-1}, t_{n-1})$, is reached. The cryptosystem designer (who is in this case the same as the legal recipient of messages) publicizes the vector $A_n$ as the encryption key but keeps the pairs $(m_i, t_i)$, $1 \leq i \leq n - 1$, as the secret trapdoor. From the secret trapdoor the inverse $u_i$ of $t_i \pmod{m_i}$, $1 \leq i \leq n - 1$, can be immediately computed. After receiving a cryptotext $\alpha_n$, the legal recipient has to find $n$ bits $x_1, \ldots, x_n$ such that
$$(*) \qquad \sum_{i=1}^{n} a_i^n x_i = \alpha_n .$$
By $n - 1$ modular multiplications numbers $\alpha_i$ satisfying
$$\alpha_i = (u_i \alpha_{i+1}, \bmod m_i), \qquad 1 \leq i \leq n - 1 ,$$
are found. These numbers $\alpha_i$ constitute the right sides of the equations obtained from $(*)$ by successive modular multiplications using the inverse multipliers. Originally only congruences (mod $m_i$) are obtained but the congruences reduce to equations by the argument of Lemma 3.1. Thus, the legal recipient obtains the system of $n$ linear equations
$$\sum_{i=1}^{n} a_i^j x_i = \alpha_j, \qquad j = 1, \ldots, n .$$
From this system the unknowns $x_i$ can be computed, with the reservations concerning singularity mentioned above. The reservations are mild because we have the additional knowledge of the $x_i$'s being bits. However, if the start vector $A_1$ is not injective, all ambiguities are preserved by (strong) modular multiplications and, hence, are present in every equation of the system. A cryptanalyst has difficulties in trying to apply algorithms of the types considered in Sections 3.2 and 3.3 because there is no vector, such as a super-increasing one, to look for.
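Both procedures just described, the known-plaintext attack on the $A(K \oplus R)$ system and the legal recipient's decryption in the iterated strong-modular-multiplication system, end in a linear system whose unknowns are bits and which may be singular over the rationals. The following Python is an added example, not the book's code: one solver (Gauss-Jordan elimination over the rationals followed by enumeration of the free unknowns over $\{0, 1\}$) serves both, and the data are the book's own, the key $K = 110011$ with the six $(P_i, C_i)$ pairs above, and the chain $(3, 2, 6) \to (1, 7, 2) \to (2, 3, 4)$ of the illustration that follows. Function names are ours.

```python
# Added example, not from the book: one "solve a linear system in bits" routine
# serving both the known-plaintext attack on the A(K xor R) system and the
# legal decryption of the iterated strong-modular-multiplication system.
from fractions import Fraction
from itertools import product
from math import gcd


def solve_in_bits(rows):
    """rows = [[c_1, ..., c_n, rhs], ...].  Gauss-Jordan over the rationals,
    then each assignment of the free unknowns in {0,1}: returns every 0/1
    solution (none if inconsistent, several if genuinely ambiguous)."""
    M = [[Fraction(v) for v in r] for r in rows]
    n = len(M[0]) - 1
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        M[r] = [v / M[r][c] for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c] != 0:
                f = M[i][c]
                M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(all(v == 0 for v in row[:n]) and row[n] != 0 for row in M[r:]):
        return []                              # inconsistent system
    free = [c for c in range(n) if c not in pivots]
    sols = []
    for choice in product((0, 1), repeat=len(free)):
        x = dict(zip(free, choice))
        for i, p in enumerate(pivots):
            x[p] = M[i][n] - sum(M[i][c] * x[c] for c in free)
        if all(x[c] in (0, 1) for c in range(n)):
            sols.append(tuple(int(x[c]) for c in range(n)))
    return sols

def bits(s):
    """'01010' -> (0, 1, 0, 1, 0)."""
    return tuple(int(ch) for ch in s)

def xor(u, v):
    return tuple(a ^ b for a, b in zip(u, v))

def knapsack(A, v):
    return sum(a for a, b in zip(A, v) if b)

def keystream(A, K, R, t):
    """S = A(K xor R) as a t-bit vector, leading zeros included."""
    s = knapsack(A, xor(K, R))
    return tuple((s >> (t - 1 - i)) & 1 for i in range(t))

def encrypt1(A, K, P, R):
    """C = (L, R) with L = S xor P."""
    return xor(keystream(A, K, R, len(P)), P), R

def decrypt1(A, K, C):
    return xor(keystream(A, K, C[1], len(C[0])), C[0])

def recover_key(A, known):
    """Known-plaintext attack, known = [(P, L, R), ...]: since K xor R =
    K + R - 2 K*R, each triple gives  S - A.R = sum_j a_j (1 - 2 r_j) k_j,
    S = L xor P, which is linear in the unknown bits k_j."""
    rows = []
    for P, L, R in known:
        S = int("".join(map(str, xor(L, P))), 2)
        rows.append([a * (1 - 2 * r) for a, r in zip(A, R)] + [S - knapsack(A, R)])
    return solve_in_bits(rows)

A1 = (2, 3, 4, 5, 6, 7)              # the book's A, n = 6, t = 5
K1 = bits("110011")                  # the book's secret key
KNOWN = [(bits("01010"), bits("00100"), bits("101010")),   # (P_i, L_i, R_i)
         (bits("10011"), bits("11110"), bits("010101")),
         (bits("00001"), bits("01110"), bits("111101")),
         (bits("10101"), bits("00111"), bits("011110")),
         (bits("01110"), bits("11110"), bits("001010")),
         (bits("00001"), bits("00111"), bits("011011"))]

def strong_modmul(A, t, m):
    assert 1 <= t < m and gcd(t, m) == 1 and m > sum(A)
    return tuple(t * a % m for a in A)

def build_chain(A_start, pairs):
    """pairs = [(m_1, t_1), ..., (m_{n-1}, t_{n-1})] -> [A_1, ..., A_n]."""
    chain = [tuple(A_start)]
    for m, t in pairs:
        chain.append(strong_modmul(chain[-1], t, m))
    return chain

def decrypt2(chain, pairs, alpha_n):
    """Legal recipient: alpha_i = u_i alpha_{i+1} mod m_i with u_i = t_i^-1,
    one equation sum_i a_i^j x_i = alpha_j per vector, solved in bits."""
    alphas = [alpha_n]
    for m, t in reversed(pairs):
        alphas.append(pow(t, -1, m) * alphas[-1] % m)
    alphas.reverse()
    return solve_in_bits([list(Aj) + [aj] for Aj, aj in zip(chain, alphas)])

PAIRS = [(19, 13), (11, 2)]          # (m_1, t_1), (m_2, t_2) of the illustration
```

With all six pairs `recover_key` returns the single bit vector $110011$ although the rational system has rank 5; with the first pair alone it returns several candidates, which is the "one pair gives little" situation the text describes.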
As a simple illustration, consider
$$A_1 = (3, 2, 6), \; t_1 = 13, \; m_1 = 19; \qquad A_2 = (1, 7, 2), \; t_2 = 2, \; m_2 = 11; \qquad A_3 = (2, 3, 4) \text{ publicized.}$$
Now $u_1 = 3$ and $u_2 = 6$. The cryptotext 6 leads to the system of equations
$$2x_1 + 3x_2 + 4x_3 = 6, \qquad x_1 + 7x_2 + 2x_3 = 3, \qquad 3x_1 + 2x_2 + 6x_3 = 9 ,$$
from which the unique bit vector 101 is obtained, although the system is singular and possesses the general solution $x_2 = 0$, $x_1 = 3 - 2x_3$. The subsequent knapsack system is suitable for authentication, that is, (electronic) signatures in the sense discussed already in Section 2.3. The two main requirements of cryptography, privacy and signature generation, are somewhat conflicting and, therefore, it is hard to satisfy them both in a really strong fashion by the same system. Most of the variants of knapsack systems are intended to satisfy the requirement of privacy. The following is especially suitable for generating signatures. The emphasis is on speed and simplicity. Both signing and verification can be carried out by performing only additions and subtractions. We need the following modification of the knapsack problem, also easily shown to be NP-complete. Given, for some $n \geq 3$, $n + 2$ positive integers $a_1, \ldots, a_n, \alpha$ and $m$ with the $a_i$ being distinct and $m > \max\{a_i \mid 1 \leq i \leq n\}$, find (if possible) some solution $(c_1, \ldots, c_n)$ for the congruence
from which the unique bit vector 101 is obtained, although the system is singular and possesses the general solution x, = 0, x, = 3 - 2x,. The subsequent knapsack system is suitable for authentication, that is, (electronic) signatures in the sense discussed already in Section 2.3. The two main requirements of cryptography, privacy and signature generation, are somewhat conflicting and, therefore, it is hard to satisfy them both in a really strong fashion by the same system. Most of the variants of knapsack systems are intended to satisfy the requirement of privacy. The following is especially suitable for generating signatures. The emphasis is on speed and simplicity. Both signing and verification can be carried out by performing only additions and subtractions. We need the following modification of the knapsack problem, also easily shown to be NP-complete. Given, for some n 2 3, n + 2 positive integers a,, . . . an,a and rn with a, being distinct and rn > max {ail 1 5 i 5 n}, find (if possible) some solution ( c ~ ., . . ,cn) for the congruence n
(*)
1 aici = a (mod m) , i= 1
where each c, satisfies 0 Ic, I [log, rn] + 1. Thus, we allow the item a, to be used several times in forming the sum. However, the number of times allowed is small and never exceeds the number of bits in the modulus. Before proceeding with the formal details, we discuss in general terms how such a knapsack system can be used to generate signatures. The sender chooses and publicizes a knapsack system determined by A = (a,, . . . , a , ) and rn such that the system leads to apparently difficult knapsack problems but the problems can actually be solved quickly by some secret trapdoor information. The sender signs a message c( by using the trapdoor information to solve (*): the n-tuple (c,, . . . ,c,) constitutes the signature for a. The legal receiver who has received both a and the signature can verify the signature by checking that (*) holds. If the legal receiver or a cryptanalyst wants to forge the sender’s signature for some message a’, he/she has to solve the instance of the knapsack problem determined by the triple (A, m, a’). An additional requirement concerning the choice of the knapsack system is that all conceivable messages a must have a signature, that is, (*) must have a solution for all such a.
We are now ready to present the formal details, as seen from the point of view of the legal sender who in this case is the cryptosystem designer. Consider a prime number $m$ whose binary representation possesses $t$ bits. (Typically, $t = 200$.) Let $H = (h_{ij})$ be a $t \times 2t$ matrix whose entries are randomly chosen bits and $A$ a $2t$-dimensional column vector satisfying the following $t$ congruences:
$$\sum_{j=1}^{2t} h_{ij} a_j \equiv 2^i \pmod m, \qquad 0 \leq i \leq t - 1 .$$
There are only $t$ congruences in $2t$ unknowns, that is, the components of $A$. We may basically choose $t$ components of $A$ at random and compute the remaining components. The computation can be done fast and the probability of getting stuck is minimal because some of the randomly chosen components may be altered whenever necessary. We choose $0 \leq i \leq t - 1$ and $1 \leq j \leq 2t$ as the indices of the rows and columns. The components $a_j$ of $A$ will be random-looking ($t$-bit) integers such that any power of 2 between $2^0$ and $2^{t-1}$ can be expressed as the sum (mod $m$) of some of them. The items $A$ and $m$ are publicized, whereas $H$ is kept as secret trapdoor information. Messages $\alpha$ are numbers in the closed interval $[1, m - 1]$. The signature for $\alpha$ is a vector $C = (c_1, \ldots, c_{2t})$ satisfying $(*)$ where we have $n = 2t$. Signatures can immediately be verified by checking $(*)$. Forging of signatures will be difficult because of reasons explained above. Essentially, one has to solve the NP-complete modular knapsack problem. On the other hand, signing will be easy if we are in the possession of the secret trapdoor information $H$. In order to sign a message $\alpha$, we write $\alpha$ as a sum of powers of 2
$$\alpha = \sum_{i=0}^{t-1} b_i 2^i .$$
Thus, $b_i$ is the $(i + 1)$st bit from the right in the binary representation of $\alpha$. $t$ bits will suffice because of the agreement about the range of $\alpha$. We claim that we can choose
$$c_j = \sum_{i=0}^{t-1} b_i h_{ij}, \qquad 1 \leq j \leq 2t .$$
Then $c_j$ does not exceed the number $t$ of bits of $m$, as required in $(*)$. Moreover,
$$\alpha = \sum_{i=0}^{t-1} b_i 2^i \equiv \sum_{i=0}^{t-1} b_i \sum_{j=1}^{2t} h_{ij} a_j = \sum_{j=1}^{2t} \left(\sum_{i=0}^{t-1} b_i h_{ij}\right) a_j = \sum_{j=1}^{2t} c_j a_j \pmod m .$$
Only addition is needed for generating and verifying signatures.
The above system is not even intended for concealing because messages are sent in plaintext. As regards the security of the signing procedure, an attack based on linear algebra is possible. When sufficiently many message-signature pairs are known, the matrix $H$ can be computed. The situation is the same as in connection with the first system presented in this section, as well as with Hill's system discussed in Example 1.2. This insecurity problem can be solved by randomizing the bits of $\alpha$ before signing it. This can be done, for instance, by subtracting a randomly chosen subset of the $a_j$'s from $\alpha$:
$$\alpha' = \left(\alpha - \sum_{j=1}^{2t} r_j a_j, \bmod m\right) ,$$
where $R = (r_1, \ldots, r_{2t})$ is a random vector of bits. We first find the signature $C'$ for $\alpha'$ by the method described above. Then $C' + R$ can be used to sign $\alpha$ because
$$\alpha \equiv \alpha' + RA \equiv C'A + RA = (C' + R)A \pmod m .$$
The components of the new signature are still within the allowed interval. The random vector $R$ need not be known even to the legal recipient.

Example 3.5. Consider the modulus $m = 29$ expressible in five bits 11101. Hence, $H$ will be a $5 \times 10$ random matrix. Choose
$$H = \begin{pmatrix} 1&0&1&1&0&1&1&1&0&0 \\ 0&1&0&1&1&1&0&0&1&0 \\ 1&1&1&0&0&0&0&1&1&1 \\ 0&0&1&1&0&1&0&0&0&1 \\ 1&1&1&1&1&0&0&0&0&1 \end{pmatrix} .$$
We may take, for instance, $A = (14, 15, 19, 16, 3, 24, 10, 5, 2, 7)$ and the five congruences will be satisfied. The third congruence has the form
$$14 + 15 + 19 + 5 + 2 + 7 = 62 \equiv 4 \pmod{29} .$$
The message $\alpha = 22$ is written in reverse binary notation as 01101, from which the signature $C = 2322210122$ is obtained immediately using $H$. The correctness of the signature is verified by
$$CA = 196 \equiv 22 \pmod{29} .$$
Similarly, the plaintexts 9, 8, 20 and 1 have signatures 1022021101, 0011010001, 2221100112 and 1011011100. The plaintexts may be viewed as numerically encoded letters. This means that the word VIHTA has a signature obtained by writing the five signatures one after the other. No confusion will arise even if boundary markers are not used.
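An added example (ours, not the book's) of the signature scheme with the data of Example 3.5: $H$, $A$ and $m = 29$ as above, `sign()` building $c_j = \sum_i b_i h_{ij}$, `verify()` checking $(*)$ with additions only, and the randomized variant $C' + R$ that the example goes on to compute. `keygen()` is our own construction of a vector $A$ for a given $H$: it fixes $t$ of the $2t$ components at random, solves the $t$ congruences modulo $m$ for the remaining $t$ by Gauss-Jordan elimination, and retries when the chosen columns are singular modulo $m$ or a component repeats; the `seed` parameter and all function names are ours.

```python
# Added example, not from the book: the signature knapsack with the data of
# Example 3.5 (m = 29, the 5 x 10 bit matrix H, the vector A), the randomized
# variant C' + R, and our own keygen() producing a vector A for a given H.
from random import Random

M_EX = 29                                        # prime, t = 5 bits
H_EX = [[1, 0, 1, 1, 0, 1, 1, 1, 0, 0],          # row i: congruence for 2^i
        [0, 1, 0, 1, 1, 1, 0, 0, 1, 0],
        [1, 1, 1, 0, 0, 0, 0, 1, 1, 1],
        [0, 0, 1, 1, 0, 1, 0, 0, 0, 1],
        [1, 1, 1, 1, 1, 0, 0, 0, 0, 1]]
A_EX = (14, 15, 19, 16, 3, 24, 10, 5, 2, 7)      # the book's A (public)


def congruences_hold(H, A, m):
    """sum_j h_ij a_j == 2^i (mod m) for every row i of H."""
    return all(sum(h * a for h, a in zip(row, A)) % m == pow(2, i, m)
               for i, row in enumerate(H))


def sign(alpha, H):
    """c_j = sum_i b_i h_ij, b_i the (i+1)-st bit of alpha from the right."""
    t = len(H)
    b = [(alpha >> i) & 1 for i in range(t)]
    return tuple(sum(b[i] * H[i][j] for i in range(t)) for j in range(2 * t))


def verify(alpha, C, A, m):
    """(*): sum_j c_j a_j == alpha (mod m) with 0 <= c_j <= [log2 m] + 1."""
    bound = m.bit_length()
    return (all(0 <= c <= bound for c in C)
            and sum(c * a for c, a in zip(C, A)) % m == alpha % m)


def sign_randomized(alpha, H, A, m, R):
    """Sign alpha' = alpha - R.A (mod m); then C' + R signs alpha."""
    alpha_p = (alpha - sum(r * a for r, a in zip(R, A))) % m
    return tuple(c + r for c, r in zip(sign(alpha_p, H), R))


def solve_mod_p(M, p):
    """Gauss-Jordan on an augmented n x (n+1) matrix mod prime p; None if singular."""
    M = [[v % p for v in row] for row in M]
    n = len(M)
    for c in range(n):
        piv = next((i for i in range(c, n) if M[i][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, p)
        M[c] = [v * inv % p for v in M[c]]
        for i in range(n):
            if i != c and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[c])]
    return [row[n] for row in M]


def keygen(H, m, seed):
    """Our construction (not the book's): a 2t-vector A of distinct nonzero
    residues with H A == (2^0, ..., 2^(t-1)) mod m.  t components are chosen
    at random, the other t are solved for; retry on a singular choice."""
    rng = Random(seed)
    t, n = len(H), 2 * len(H)
    while True:
        solve_for = rng.sample(range(n), t)
        chosen = {j: rng.randrange(1, m) for j in range(n) if j not in solve_for}
        M = [[H[i][j] for j in solve_for]
             + [(pow(2, i, m) - sum(H[i][j] * v for j, v in chosen.items())) % m]
             for i in range(t)]
        sol = solve_mod_p(M, m)
        if sol is not None:
            chosen.update(zip(solve_for, sol))
            A = tuple(chosen[j] for j in range(n))
            if all(A) and len(set(A)) == n:
                return A
```

Because $\alpha \leq m - 1 < 2^t - 1$, at most $t - 1$ of the bits $b_i$ are set, so every $c_j$ is at most $t - 1$ and adding a bit of $R$ keeps the randomized signature within the bound $[\log_2 m] + 1 = t$ that `verify()` enforces.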
Consider, finally, a randomized signature for a = 22. Choose the ten random bits as follows: R = 1011010000. We obtain a' = (22 − 73, mod 29) = 7. The signature for a' is 2222121221 and, hence, the randomized signature for a is 3233131221. The reader might want to generate randomized signatures for the other plaintext letters I, H, T, A. Observe that the same plaintext has several randomized signatures.

The final cryptosystem presented in this section hides in a very simple way the fact that the start vector A is super-increasing. The hiding is accomplished by adding some random noise to the components of A so that the new components do not form a super-increasing sequence; only some segments of their binary representations do. After scrambling by strong modular multiplication, these segments are not visible any more. We now describe the details.

As usual, let n be the number of components of the knapsack vectors considered. Denote $g = [\log_2 n] + 1$. Consequently, $n < 2^g$. Let $r_1$ and $r_2$ be arbitrary positive integers. Choose random integers $R_i^1$ and $R_i^2$ satisfying $0 \le R_i^j < 2^{r_j}$, $1 \le j \le 2$, $1 \le i \le n$. Define

$$a_i = R_i^1 \cdot 2^{\,n+g+r_2} + 2^{\,g+r_2+i-1} + R_i^2, \quad 1 \le i \le n.$$

The $a_i$'s can be depicted as follows:

Number of bits:   r_1             n                     g        r_2
Bits:             random R_i^1    0...010...0           0...0    random R_i^2
                                  (the 1 at position i,
                                   positions n ... 1)

The purpose of $R_i^1$ is to disguise the fact that the $a_i$'s are super-increasing; the fact becomes immediately visible if each $R_i^1$ equals 0. The contribution of the other random block, $R_i^2$, is buried in the outcome of the strong modular multiplication. The g-block of 0's is a guard zone for the addition of the numbers $R_i^2$: it keeps the sum from overflowing into the n-bit identity block expressing the super-increasing property. Indeed,

$$\sum_{i=1}^{n} R_i^2 < n\,2^{r_2} < 2^{g+r_2}.$$
Let t and m satisfy the conditions of strong modular multiplication for $A = (a_1, \ldots, a_n)$. Then the vector $B = (b_1, \ldots, b_n)$ resulting from A by strong modular multiplication with respect to the pair (t, m) is publicized as the encryption key. The numbers $t, m, r_1, r_2$ constitute the secret trapdoor. (The number g is public because it is defined in terms of n.) Decryption is trivial for the legal recipient who knows the trapdoor. Let u be the inverse of t (mod m). For a cryptotext $\beta$, denote $\alpha = (u\beta, \bmod m)$. Then the plaintext corresponding to $\beta$ is simply the n-bit block in the binary representation of $\alpha$, obtained by omitting the $r_2 + g$ last bits and taking in reverse order the n-bit block from the end of the remaining part. (We could have introduced a guard zone also for the sequences $R_i^1$, but it is not actually needed.) That the legal decryption is simpler than for the basic knapsack system of Section 3.1 is due to the fact that now the super-increasing vector consists of powers of 2 and, consequently, the sum vector gives directly the correct sequence of bits. We have discussed here only the basic variant, where the super-increasing vector is the simplest possible. The general case of an arbitrary super-increasing vector is cumbersome to handle, because then the components require several bits for their representation. An algorithm of the type presented in Section 3.2 does not work for cryptosystems of this kind.
Example 3.6. Choose n = 5, whence g = 3. The public encryption key is

B = (62199, 61327, 13976, 16434, 74879).

The legal recipient knows also the trapdoor m = 75000, u = 22883 (t = 1547), $r_2 = 4$. Assume that the cryptotext 151054 is received. When it is multiplied by 22883 and reduced modulo 75000, the number 43682 results. The binary representation of this number is

43682 = 1010 10101 010 0010,

where the four different blocks are visible. The recipient removes $r_2 + g = 7$ bits from the end. The next five bits give the plaintext 10101. We may still check: 62199 + 13976 + 74879 = 151054. Similarly, modular multiplication applied to the cryptotext 75303 yields 33549 or, in binary notation,

33549 = 1000 00110 000 1101.

The plaintext is now 01100, which shows also that we take, after removing 7 bits, the 5-bit sequence from the end in the reverse order. This is just a technicality caused by the fact that we are reading here the super-increasing part in the wrong order. Thus, now 75303 is the sum of the second and third components of B, as it should be. We still write down the original vector A, together with the binary representations divided into blocks.

                  r_1 = 3   essential   g = 3   r_2 = 4
a_1 = 24717       110       00001       000     1101
a_2 = 20741       101       00010       000     0101
a_3 = 12808       011       00100       000     1000
a_4 =  9222       010       01000       000     0110
a_5 =  6157       001       10000       000     1101

Although $r_1 = 3$, in our examples the initial random segment is of length 4 because of overflow. This means that the binary representations have 16 bits. The maximum length of the initial random segment is 5 in this example. The legal recipient does not even look at this segment, so it is not necessary for him/her to know $r_1$.
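The key construction, strong modular multiplication and bit-extraction decryption described above, as an added example (not the book's code). The noise values, t, m and u reproduce Example 3.6; when no noise is supplied a fresh vector is drawn with `secrets`. The conditions checked for (t, m) are gcd(t, m) = 1 and m > sum of A, which I assume to be the conditions of strong modular multiplication the text refers to.

```python
# Added example (not from the book): the "hidden trapdoor" knapsack of this section.
# n, g, r_1, r_2, t, m, u and the vectors A, B below are the values of Example 3.6.
from math import gcd, log2, floor
from secrets import randbelow

def make_private_vector(n, r1, r2, noise1=None, noise2=None):
    """a_i = R_i^1 * 2^(n+g+r2) + 2^(g+r2+i-1) + R_i^2, g = [log2 n] + 1; random noise unless given."""
    g = floor(log2(n)) + 1
    noise1 = noise1 or [randbelow(2 ** r1) for _ in range(n)]
    noise2 = noise2 or [randbelow(2 ** r2) for _ in range(n)]
    return [noise1[i] * 2 ** (n + g + r2) + 2 ** (g + r2 + i) + noise2[i] for i in range(n)], g

def strong_modular_multiplication(A, t, m):
    """Public vector B = (t * a_i mod m); assumed conditions: gcd(t, m) = 1 and m > sum(A)."""
    assert gcd(t, m) == 1 and m > sum(A)
    return [(t * a) % m for a in A]

def encrypt(B, bits):
    """Knapsack encryption: sum of the public components selected by the plaintext bits."""
    return sum(b for b, x in zip(B, bits) if x)

def decrypt(cryptotext, u, m, n, g, r2):
    """Multiply by u = t^-1 (mod m), drop the r2 + g low bits, read the n-bit identity block backwards."""
    alpha = (u * cryptotext) % m
    block = (alpha >> (r2 + g)) & ((1 << n) - 1)   # the n-bit block after removing r2 + g low bits
    return [(block >> i) & 1 for i in range(n)]     # bit i of the block is plaintext position i

def book_example():
    """Example 3.6: n = 5, r1 = 3, r2 = 4, t = 1547, m = 75000; returns (A, B, g)."""
    A, g = make_private_vector(5, 3, 4, noise1=[6, 5, 3, 2, 1], noise2=[13, 5, 8, 6, 13])
    B = strong_modular_multiplication(A, 1547, 75000)
    return A, B, g

if __name__ == "__main__":
    A, B, g = book_example()
    print(A, B)                                      # [24717, ...] [62199, ...]
    print(decrypt(151054, 22883, 75000, 5, g, 4))    # [1, 0, 1, 0, 1]
    print(decrypt(75303, 22883, 75000, 5, g, 4))     # [0, 1, 1, 0, 0]
```

The guard zone matters for correctness: with r2 = 4 and n = 5 the sum of the selected $R_i^2$ can exceed 15 (it is 34 for the cryptotext 151054), and the three guard bits absorb that carry before it could reach the identity block.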
3.5 Dense Knapsacks

The underlying knapsack in the basic variant of a public-key cryptosystem is of low density, meaning that the components are very scarce in comparison with the number of them. This is not the case as regards the cryptosystem discussed in this section: the underlying knapsack is dense or of high density. A formal definition of these notions will be commented on later.

Earlier in this section we have been using ordinary integer arithmetic or modular arithmetic, where all numbers are reduced with respect to a certain modulus. In this section, the arithmetic used will be based on finite fields or Galois fields. The basic notions of finite fields are contained in Appendix B. We present here in somewhat more detail some notions and a lemma needed in this section.

A finite field always has $p^h$ elements, where p is a prime number and $h \ge 1$. Such a finite field is often denoted $F(p^h)$. We describe a convenient way of representing elements of $F(p^h)$. We may speak of the base field $F(p)$, that is, the subfield of $F(p^h)$ consisting of the elements $0, 1, \ldots, p-1$. In the base field we consider ordinary arithmetic modulo p. Every element $\ne 0$ possesses an inverse. An element $\alpha$ is algebraic of degree h over $F(p)$ iff $\alpha$ satisfies in $F(p)$ a polynomial equation $P(x) = 0$ of degree h but no polynomial equation of a lower degree. (This implies that the polynomial $P(x)$ in question must be irreducible in $F(p)$.) The $p^h$ elements of $F(p^h)$ can be represented in the form

$$c_0 + c_1\alpha + \cdots + c_{h-1}\alpha^{h-1}, \quad c_j \in F(p).$$

In the arithmetic the "coefficients" $c_j$ are reduced modulo p, while any power $\alpha^i$, $i \ge h$, can be replaced by a lower power using the equation $P(\alpha) = 0$. For instance, let p = 3 and $\alpha$ satisfy the equation $x^2 - x - 1 = 0$. The elements of the resulting field $F(p^h) = F(9)$ can be expressed as

$$0,\ 1,\ 2,\ \alpha,\ \alpha+1,\ \alpha+2,\ 2\alpha,\ 2\alpha+1,\ 2\alpha+2.$$

In the arithmetic higher powers of $\alpha$ are reduced by the equation $\alpha^2 = \alpha + 1$. Thus,

$$(\alpha+2)(2\alpha+1) = 2\alpha^2 + 5\alpha + 2 = 2\alpha + 2 + 5\alpha + 2 = \alpha + 1.$$

Given an element $\beta \ne 0$ of $F(p^h)$, we may consider powers $\beta^i$. It is clear that we never have $\beta^i = 0$. However, it might be the case that when i runs through the numbers $i = 1, 2, \ldots, p^h - 1$, then $\beta^i$ runs through the nonzero elements of $F(p^h)$. In such a case $\beta$ is referred to as a generator of $F^*(p^h)$, the set (in fact, the multiplicative group) of nonzero elements of $F(p^h)$. A generator can be viewed as a base for logarithms. To compute a logarithm of an element $\gamma$ of $F(p^h)$ means
computing a number a such that $\beta^a = \gamma$. Logarithms of this kind are often referred to as discrete logarithms. Their computation is believed to be intractable; it is known to be as hard as factorization (see Appendix B). Returning to the example above, we first write down the powers of $\alpha$.

i          1     2       3       4     5     6       7       8
alpha^i    α     α+1     2α+1    2     2α    2α+2    α+2     1

From this table we observe that $\alpha$ is a generator. The table can be arranged also as a table of logarithms, where the elements $\gamma$ of $F(p^h)$ are listed in some easily retrievable (such as alphabetic) order.

γ              1    2    α    α+1    α+2    2α    2α+1    2α+2
log_α γ        8    4    1    2      7      5     3       6

The table of logarithms can be applied to aid multiplication and division in the customary way. The logarithms are reduced modulo $p^h - 1$. For instance,

$$\log((\alpha+2)(2\alpha+1)) = \log(\alpha+2) + \log(2\alpha+1) = 10 \equiv 2,$$

implying $(\alpha+2)(2\alpha+1) = \alpha + 1$. Similarly, $\log((\alpha+1)/(2\alpha+1)) = 2 - 3 \equiv 7$, implying $(\alpha+1)/(2\alpha+1) = \alpha + 2$. Also $2\alpha + 1$ is a generator of $F^*(9)$, with the table of logarithms

γ                  1    2    α    α+1    α+2    2α    2α+1    2α+2
log_{2α+1} γ       8    4    3    6      5      7     1       2

It is easy to verify that also $\alpha + 2$ and $2\alpha$ are generators, but there are no further generators. Clearly, $\beta$ is a generator iff $i = p^h - 1$ is the smallest positive exponent satisfying $\beta^i = 1$. Therefore, the number of generators equals $\varphi(p^h - 1)$, where the Euler function $\varphi(x)$ stands for the number of positive integers $i \le x$ satisfying $(i, x) = 1$. In our example $\varphi(8) = 4$. It is very important to observe that the arithmetic defined above is different from modular arithmetic. The two coincide only if h = 1.

In cryptosystems where the underlying knapsack is super-increasing, decryption is always unique. This follows because super-increasing knapsacks are injective. The following question concerning the existence of sequences with unique h-fold sums was raised already in 1936. Given positive integers n and h, is there a vector $A = (a_1, \ldots, a_n)$ with distinct nonnegative $a_i$'s such that all sums of exactly h components of A, where repetitions are allowed, are distinct? It is easy to construct A's satisfying this condition where the $a_i$'s grow exponentially, for instance, $a_i = h^{i-1}$, $1 \le i \le n$. This corresponds to knapsacks of low density such as the super-increasing ones. But what about the case of high density knapsacks: can one satisfy this condition with the $a_i$'s growing only polynomially in n? Bose and Chowla, [BC], gave a solution which is presented in the following lemma in a form more suitable for the cryptosystem we have in mind. It should be emphasized that
the vectors obtained will not necessarily be injective, because only sums of h components are considered. In fact, the number of components in the sums will be $\le h$ because repetitions of the same component are allowed. Contrary to our customary notation, we denote by p the total number of components in A, to emphasize the primality.

Lemma 3.8. Let p be a prime and $h \ge 2$ an integer. Then there is a knapsack vector $A = (a_1, \ldots, a_p)$ satisfying the following conditions (i) and (ii).

(i) $1 \le a_i \le p^h - 1$ for $1 \le i \le p$.

(ii) Let $x_i$ and $y_i$ be nonnegative integers and consider

$$(*)\qquad (x_1, \ldots, x_p) \ne (y_1, \ldots, y_p) \quad\text{where}\quad \sum_{i=1}^{p} x_i = h \quad\text{and}\quad \sum_{i=1}^{p} y_i = h.$$

Then

$$(**)\qquad \sum_{i=1}^{p} x_i a_i \ne \sum_{i=1}^{p} y_i a_i.$$

Proof. Consider the finite field $F(p^h)$. Let $\alpha$ be an element algebraic of degree h over $F(p)$ and g a generator of $F^*(p^h)$. Define

$$a_i = \log_g(\alpha + i - 1), \quad 1 \le i \le p.$$

It is obvious that (i) is satisfied because it expresses only the range of discrete logarithms. To show that also (ii) is satisfied, assume the contrary: there are $x_i$ and $y_i$ satisfying (*) but, instead of (**), we have

$$(**)'\qquad \sum_{i=1}^{p} x_i a_i = \sum_{i=1}^{p} y_i a_i.$$

Then equality results also when g is raised to the power expressed by each side of (**)'. Taking into account the definition of $a_i$, this equality resulting from (**)' can be written

$$(**)''\qquad (\alpha + 0)^{x_1} \cdots (\alpha + p - 1)^{x_p} = (\alpha + 0)^{y_1} \cdots (\alpha + p - 1)^{y_p}.$$

When both sides of (**)'' are expressed as polynomials of $\alpha$, the highest powers of $\alpha$ must coincide on both sides because of (*). Moreover, also by (*), the exponent in the highest power must be equal to h. When the right side of (**)'' is subtracted from the left side, a nonzero (because of (*)) polynomial in $\alpha$ results whose degree is $\le h - 1$. Hence, $\alpha$ satisfies a polynomial equation with degree $\le h - 1$ and, consequently, cannot be algebraic of degree h. This contradiction shows that (**)' cannot hold. □

The proof is the same if p is a power of a prime. The proof shows also that (**) could be replaced by the stronger condition

$$\sum_{i=1}^{p} x_i a_i \not\equiv \sum_{i=1}^{p} y_i a_i \pmod{p^h - 1}.$$
We still need one auxiliary result before presenting the details of the cryptosystem based on dense knapsacks. According to this cryptosystem, the plaintext consists of p-bit blocks such that there are exactly h bits 1 in each block. Arbitrary binary plaintext cannot be divided into such blocks. However, it is intuitively clear that arbitrary, somewhat shorter blocks can be first encoded as blocks satisfying the required condition. This will be shown in the following lemma. Of the many known constructions, all of them computationally easy, we have chosen the one easiest to describe.

Lemma 3.9. Consider positive integers $n \ge 3$ and $h < n$. Then there is an injective mapping of the set of all $[\log_2 \binom{n}{h}]$-bit sequences into the set of all such n-bit sequences that the number of 1's in each sequence equals h.

Proof. We view the $[\log_2 \binom{n}{h}]$-bit sequences as binary representations of numbers a. Arrange the n-bit sequences containing h 1's each in alphabetic order, where 0 precedes 1. Thus, in the first sequence according to this ordering all the 1's are at the end and, in the last sequence, at the beginning. We map the binary sequence representing the number a into the (a + 1)st sequence in the ordering constructed. This mapping is clearly injective. Moreover, we do not run out of sequences of the latter type because they are $\binom{n}{h}$ in number, and there are altogether $2^x$ x-bit sequences, where $x = [\log_2 \binom{n}{h}]$. In most cases the brackets make the number smaller. □

As an illustration, let n = 5, h = 2. Then

$$\binom{5}{2} = 10, \qquad [\log_2 10] = 3,$$

and, thus, we may encode 3-bit sequences. The encoding used in the above proof is given below. The first column lists the 3-bit sequence, and the second column the corresponding 5-bit sequence with exactly two 1's.

000    00011
001    00101
010    00110
011    01001
100    01010
101    01100
110    10001
111    10010

Observe that there is no use for the sequences 10100 and 11000. Choose next n = 7, h = 2. Using the above technique, we could encode only all 16 4-bit sequences.
However, the 7-bit sequences with exactly two 1's in them are 21 in number. In the following encoding 21 letters of the English alphabet are given a representation.

A  0000011      L  0100001
B  0000101      M  0100010
C  0000110      N  0100100
D  0001001      O  0101000
E  0001010      P  0110000
F  0001100      R  1000001
G  0010001      S  1000010
H  0010010      T  1000100
I  0010100      U  1001000
K  0011000      V  1010000
                W  1100000
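The ranking-based encoding of Lemma 3.9 (the a-th input is mapped to the (a + 1)st n-bit string with h ones in alphabetic order), implemented for general n and h as an added example that is not part of the book. It goes slightly beyond the text in also giving the inverse map and in generating the book's two tables (n = 5, h = 2 and the 21-letter table for n = 7, h = 2); the function names are my own.

```python
# Added example (not from the book): the injective encoding of Lemma 3.9 and its inverse.
from math import comb, floor, log2

def input_bits(n, h):
    """Number of plaintext bits that can be encoded: [log2 C(n,h)]."""
    return floor(log2(comb(n, h)))

def encode(a, n, h):
    """(a+1)-st n-bit string with exactly h ones, in alphabetic order with 0 before 1.
    Walking left to right: writing a 0 here leaves comb(remaining, ones_left) strings that all
    precede every string with a 1 here, so skip past them when a lies beyond that range."""
    assert 0 <= a < comb(n, h), "a must be below C(n,h); Lemma 3.9 only feeds in 2^x <= C(n,h) inputs"
    out, ones_left = [], h
    for pos in range(n):
        remaining = n - pos - 1
        with_zero = comb(remaining, ones_left)   # comb() is 0 when ones_left > remaining: a 1 is forced
        if a < with_zero:
            out.append("0")
        else:
            a -= with_zero
            out.append("1")
            ones_left -= 1
    return "".join(out)

def decode(s, h):
    """Inverse of encode: the rank of s among all strings of its length with h ones."""
    n, a, ones_left = len(s), 0, h
    for pos, ch in enumerate(s):
        if ch == "1":
            a += comb(n - pos - 1, ones_left)
            ones_left -= 1
    return a

def encoding_table(n, h):
    """Full table for all [log2 C(n,h)]-bit inputs, as in the book's n = 5, h = 2 illustration."""
    x = input_bits(n, h)
    return {format(a, f"0{x}b"): encode(a, n, h) for a in range(2 ** x)}

LETTERS = "ABCDEFGHIKLMNOPRSTUVW"   # the 21 letters the book maps onto 7-bit strings with two 1's

def letter_code(letter):
    return encode(LETTERS.index(letter), 7, 2)

if __name__ == "__main__":
    for k, v in encoding_table(5, 2).items():
        print(k, v)
    print(" ".join(f"{c}={letter_code(c)}" for c in LETTERS))
```

Because `encode` ranks strings rather than enumerating them, it also handles parameters where listing all $\binom{n}{h}$ strings would be infeasible, which is the situation for the p-bit blocks the cryptosystem below actually uses.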
We are now ready to describe the cryptosystem. We do it from the point of view of the system designer, who will also be the legal recipient of messages. Make first a judicious choice of p (a prime power) and h < p such that you are able to compute efficiently discrete logarithms in the finite field $F(p^h)$. (This step is somewhat tricky. Some algorithms work well in special cases, for instance, the case where $p^h - 1$ has only small prime factors.) Choose next an element $\alpha$, algebraic of degree h over $F(p)$, as well as a generator g of $F^*(p^h)$. There are many possibilities for the pair $(\alpha, g)$. Of course, $\alpha$ need not be the element used in the definition of $F(p^h)$. In what follows we assume this to be the case, for simplicity. Compute

$$(*)\qquad a_i = \log_g(\alpha + i - 1), \quad 1 \le i \le p.$$

This is the crucial step in the system design. Scramble the numbers $a_i$ by a random permutation $\pi$ of the numbers $1, \ldots, p$, and add (mod $p^h - 1$) a randomly chosen d, $0 \le d \le p^h - 2$, to the result. Let $B = (b_1, \ldots, b_p)$ be the vector thus obtained. (The scrambling by $\pi$ and d is not essential. We have included it in order to make the system coincide with the one presented in [Cho].) The public encryption key consists of B, p and h. The secret trapdoor consists of $\alpha$, g, $\pi$ and d. Let C be a sequence of p bits such that exactly h of them equal 1. C, viewed as a column vector, is encrypted by taking the smallest positive remainder of BC (mod $p^h - 1$). If h is close to p, we may encrypt in the same way p-dimensional vectors C with components summing to h. The uniqueness of decryption due to Lemma 3.8 remains valid.
The decryption by the legal recipient knowing the trapdoor works as follows. Subtract (mod $p^h - 1$) the number hd from the cryptotext x, yielding the number y. Compute in $F(p^h)$ the power $g^y$. It will be a polynomial of degree at most h − 1 in $\alpha$. On the other hand, $\alpha$ satisfies an equation $\alpha^h = r(\alpha)$, where $r(\alpha)$ is a polynomial of degree at most h − 1. The polynomial

$$s(\alpha) = \alpha^h + g^y - r(\alpha)$$

splits into linear factors over $F(p)$ because $s(\alpha)$ is a product of powers of g, each exponent being of the form (*). The subtraction of hd from the cryptotext reverses the effect of adding the random noise d. The linear factors are found by testing through the numbers $0, 1, \ldots, p-1$. Thus, we obtain

$$s(\alpha) = (\alpha + i_1 - 1) \cdots (\alpha + i_h - 1).$$

The correct positions of the 1's in the plaintext vector are found out by applying the inverse permutation $\pi^{-1}$ to the numbers $i_1, \ldots, i_h$. Lemma 3.8 guarantees that the result of the decryption procedure is always unique. A cryptanalyst faces essentially a general (modular) knapsack problem. Algorithms such as the one presented in Section 3.2 do not work because they assume that the underlying knapsack is of low density. It might be possible in this case to develop a reachability theory independent of the density. Cryptanalysis when something is known is discussed in Problem 44. In general, the density of a knapsack vector $A = (a_1, \ldots, a_n)$ is defined by

$$d(A) = n / \log_2 \max A.$$
For a super-increasing A, we have $a_n \ge 2^{n-1}$ and, consequently, $d(A) \le n/(n-1)$. Usually the density is much lower than $n/(n-1)$ in the super-increasing case. Since we have $\max A \ge n$ for every knapsack vector A, we have always $d(A) \le n/\log_2 n$. For instance, for $A = (1, 2, 3, \ldots, 128)$, we have $d(A) = 128/7 = 18.2857$. Although there is an upper bound for d(A) in terms of n, there is no positive lower bound for d(A) in terms of n.

Example 3.7. In the following two illustrations no scrambling using $\pi$ and d is applied. The illustrations are necessarily so small that direct cryptanalysis (that is, solving the knapsack problem) is easy. Without scrambling, the essential idea of cryptosystems based on dense knapsacks becomes more visible. We consider first the example F(9) presented above, where $\alpha$ satisfies the equation $x^2 = x + 1$, irreducible in F(3). We choose the generator $2\alpha + 1$ computed above. Since the logarithms of $\alpha$, $\alpha + 1$ and $\alpha + 2$ are 3, 6 and 5, we obtain the public encryption key A = (3, 6, 5). Plaintexts are 3-dimensional vectors with the components summing to 2. Consider the plaintexts (2, 0, 0) and (0, 1, 1). They are encrypted as the numbers 6 and 3. (Recall that we are working with the modulus $p^h - 1 = 8$.) To decrypt, the legal recipient first computes the powers

$$(2\alpha + 1)^6 = \alpha + 1 \quad\text{and}\quad (2\alpha + 1)^3 = \alpha.$$
(Here it is convenient to use the table of logarithms.) When $\alpha^2 - \alpha - 1$ is added to both of these powers, the resulting polynomials will be

$$\alpha^2 \quad\text{and}\quad \alpha^2 - 1 = (\alpha + 1)(\alpha + 2),$$

yielding immediately the original plaintexts (2, 0, 0) and (0, 1, 1). We remark in passing that it is not possible in Lemma 3.8 to replace in (*) the two equality signs by the sign $\le$. Otherwise, the vector A = (3, 6, 5) constructed exactly as in the lemma and the two vectors (2, 0, 0) and (0, 1, 0) would constitute a counterexample. (Lemma 3.8 appears in this wrong form, for instance, in [Cho].)

Let us still consider the same example but scramble A by the circular permutation $\pi$: 1 → 2, 2 → 3, 3 → 1 and by adding the noise d = 7. The resulting vector is B = (5, 4, 2). The items B, p = 3 and h = 2 constitute the public encryption key, whereas $\pi$, d, the polynomial $x^2 - x - 1$ defining $\alpha$ and the generator $2\alpha + 1$ form the secret trapdoor. The plaintext (0, 1, 1) is encrypted as 6. The legal recipient takes at first care of the noise by computing the smallest positive remainder 8 of 6 − 2·7 (mod 8). He/she then computes

$$\alpha^2 + (2\alpha + 1)^8 - \alpha - 1 = \alpha^2 - \alpha = \alpha(\alpha + 2).$$

This gives the vector (1, 0, 1), from which the original plaintext (0, 1, 1) results by the inverse permutation $\pi^{-1}$: 1 → 3, 2 → 1, 3 → 2.

Our final illustration deals with the finite field $F(64) = F(2^6)$. In order to make the exposition readable, we do not consider the example in its full generality. Thus, p = 2, h = 6. This contradicts our earlier convention h < p but does not invalidate any of the arguments we are using. We could also choose, for instance, p = 8, h = 2. The polynomial $x^6 - x - 1$ is irreducible over F(2). (This follows because neither 0 nor 1 make this polynomial equal to 0.) Thus, $F(2^6)$ can be represented in terms of a root $\alpha$ of this polynomial. More specifically, the 64 elements of $F(2^6)$ can be represented in the form

$$\sum_{i=1}^{6} x_i \alpha^{i-1}, \quad x_i = 0, 1.$$

We represent the elements
simply by the 6-bit sequences of the $x_i$'s. Thus, $\alpha^5 + \alpha^4 + \alpha^3 + \alpha^2 + \alpha + 1$, $\alpha^4 + \alpha^2 + \alpha$ and 1 are represented by 111111, 010110 and 000001, respectively. We choose $\alpha$ also as a generator of $F(2^6)$. Then the table of logarithms looks as follows. We may view each element of $F(2^6)$ also as a binary number, as indicated.

Element       Log   Element       Log   Element       Log   Element       Log
 1 = 000001   63    17 = 010001   24    33 = 100001   62    49 = 110001   61
 2 = 000010    1    18 = 010010   33    34 = 100010   25    50 = 110010   46
 3 = 000011    6    19 = 010011   16    35 = 100011   11    51 = 110011   30
 4 = 000100    2    20 = 010100   14    36 = 100100   34    52 = 110100   50
 5 = 000101   12    21 = 010101   52    37 = 100101   31    53 = 110101   22
 6 = 000110    7    22 = 010110   36    38 = 100110   17    54 = 110110   39
 7 = 000111   26    23 = 010111   54    39 = 100111   47    55 = 110111   43
 8 = 001000    3    24 = 011000    9    40 = 101000   15    56 = 111000   29
 9 = 001001   32    25 = 011001   45    41 = 101001   23    57 = 111001   60
10 = 001010   13    26 = 011010   49    42 = 101010   53    58 = 111010   42
11 = 001011   35    27 = 011011   38    43 = 101011   51    59 = 111011   21
12 = 001100    8    28 = 011100   28    44 = 101100   37    60 = 111100   20
13 = 001101   48    29 = 011101   41    45 = 101101   44    61 = 111101   59
14 = 001110   27    30 = 011110   19    46 = 101110   55    62 = 111110   57
15 = 001111   18    31 = 011111   56    47 = 101111   40    63 = 111111   58
16 = 010000    4    32 = 100000    5    48 = 110000   10
With the noise d = 60 the publicized vector will be B = (61, 3). (This is not, in fact, a knapsack vector because p = 2.) Plaintexts are vectors (x, y) with x + y = 6. Using the public encryption key B, p = 2, h = 6, the plaintext (1, 5) is encrypted as 13. The legal recipient computes the number

$$(13 - 6 \cdot 60, \bmod 63) = 31.$$

The following results are immediate from the table of logarithms:

$$\alpha^{31} = \alpha^5 + \alpha^2 + 1,$$
$$\alpha^6 + \alpha^{31} - \alpha - 1 = \alpha^6 + \alpha^5 + \alpha^2 + \alpha = \alpha(\alpha + 1)^5,$$

from which the plaintext (1, 5) is visible. Similarly, the plaintext (6, 0) is encrypted as 51. By removing the noise the legal recipient obtains the number 6. This yields the polynomial $\alpha^6$, corresponding to the plaintext (6, 0). The reader might want to try other examples, as well as modifications with a different p (for instance, p = 8, h = 2), and consider also some permutation $\pi$.
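The $F(p^h)$ arithmetic and logarithm tables introduced at the start of this section, together with the key generation, encryption and trapdoor decryption of the dense-knapsack system (including the scrambling by $\pi$ and d), as one added example; it is not the book's code. Elements are tuples of h coefficients with the constant term first, the field is given by p and the coefficients of $r$ in $\alpha^h = r(\alpha)$, and the permutation is 0-based (`perm[k]` is the index of the $a_i$ placed at public position k). The values exercised are those of Example 3.7: F(9) with $\alpha^2 = \alpha + 1$, generator $2\alpha + 1$, and F(64) with $\alpha^6 = \alpha + 1$, generator $\alpha$. Function and class names are my own.

```python
# Added example (not from the book): F(p^h) arithmetic, discrete-log tables and the dense knapsack.
from itertools import product

class GF:
    """F(p^h) = F(p)[x] / (x^h - r(x)); elements are h-tuples of coefficients, constant term first."""
    def __init__(self, p, r):
        self.p, self.h, self.r = p, len(r), tuple(c % p for c in r)
        self.one = (1,) + (0,) * (self.h - 1)
        self.alpha = (0, 1) + (0,) * (self.h - 2)

    def const(self, c):
        return (c % self.p,) + (0,) * (self.h - 1)

    def add(self, a, b):
        return tuple((x + y) % self.p for x, y in zip(a, b))

    def mul(self, a, b):
        p, h = self.p, self.h
        prod = [0] * (2 * h - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                prod[i + j] = (prod[i + j] + x * y) % p
        for k in range(2 * h - 2, h - 1, -1):      # replace alpha^k, k >= h, by alpha^(k-h) * r(alpha)
            c, prod[k] = prod[k], 0
            for j, rj in enumerate(self.r):
                prod[k - h + j] = (prod[k - h + j] + c * rj) % p
        return tuple(prod[:h])

    def tables(self, g):
        """(powers, logs): powers[i] = g^i for 1 <= i <= p^h - 1; logs[element] = i (first occurrence)."""
        powers, logs, cur = {}, {}, self.one
        for i in range(1, self.p ** self.h):
            cur = self.mul(cur, g)
            powers[i] = cur
            logs.setdefault(cur, i)
        return powers, logs

    def is_generator(self, g):
        return len(self.tables(g)[1]) == self.p ** self.h - 1

def count_generators(field):
    """Should equal phi(p^h - 1); 4 for F(9)."""
    nonzero = [e for e in product(range(field.p), repeat=field.h) if any(e)]
    return sum(1 for e in nonzero if field.is_generator(e))

def keygen(field, g, perm, d):
    """a_i = log_g(alpha + i - 1); public b_k = a_{perm[k]} + d (mod p^h - 1). Returns (a, B)."""
    _, logs = field.tables(g)
    a = [logs[field.add(field.alpha, field.const(i))] for i in range(field.p)]
    mod = field.p ** field.h - 1
    return a, [(a[perm[k]] + d) % mod for k in range(field.p)]

def encrypt(B, mod, c):
    """Smallest positive remainder of B.c (mod p^h - 1); c has components summing to h."""
    return sum(b * x for b, x in zip(B, c)) % mod or mod

def poly_eval(s, c, p):                       # Horner; coefficients constant term first
    v = 0
    for coef in reversed(s):
        v = (v * c + coef) % p
    return v

def divide_by_root(s, c, p):                  # synthetic division of s(x) by (x - c), c a root
    q, carry = [0] * (len(s) - 1), 0
    for k in range(len(s) - 1, 0, -1):
        carry = (s[k] + carry * c) % p
        q[k - 1] = carry
    return q

def decrypt(field, g, perm, d, x):
    """y = x - h d; s(alpha) = alpha^h + g^y - r(alpha) splits into factors (alpha + i - 1); undo perm."""
    p, h = field.p, field.h
    mod = p ** h - 1
    y = (x - h * d) % mod or mod
    gy = field.tables(g)[0][y]
    s = [(u - v) % p for u, v in zip(gy, field.r)] + [1]   # degree-h monic polynomial
    plain = [0] * p
    for c in range(p):
        while len(s) > 1 and poly_eval(s, c, p) == 0:
            s = divide_by_root(s, c, p)
            plain[perm.index((-c) % p)] += 1   # factor (x - c) = (x + i - 1) with i - 1 = -c (mod p)
    return plain

if __name__ == "__main__":
    F9 = GF(3, [1, 1])                              # alpha^2 = alpha + 1
    a, B = keygen(F9, (1, 2), [1, 2, 0], 7)         # generator 2alpha+1, pi: 1->2, 2->3, 3->1, d = 7
    print(a, B, decrypt(F9, (1, 2), [1, 2, 0], 7, encrypt(B, 8, [0, 1, 1])))
```

Decryption finds each root of $s$ with multiplicity by repeated synthetic division, which is what makes the $p = 2$, $h = 6$ case (plaintext (1, 5) means the factor $\alpha + 1$ appears five times) come out right.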
Chapter 4. RSA
4.1 Legal World The most widely used and tested public-key cryptosystem was originally introduced by Rivest, Shamir and Adleman, and is now referred to as the RSA system. It is based on an amazingly simple number-theoretical (one could even say arithmetical) idea, and yet it has been able to resist all cryptanalytic attacks. The idea is a clever use of the fact that, while it is easy to multiply two large primes, it is extremely difficult to factorize their product. Thus, the product can be publicized and used as the encryption key. The primes themselves cannot be recovered from the product. On the other hand, the primes are needed for decryption. Thus, we have an excellent framework for a public-key cryptosystem. Moreover, the details can be explained very fast - that’s why we called the system “amazingly simple”. This section deals with RSA from the point of view of legal users. We discuss system design, as well as encryption and decryption. Both aspects of usage, privacy and authentication, will also be presented. Section 4.2 is about some simple facts and precautionary measures one should be aware of in system design. The next two sections are concerned with the interconnection between RSA and factorization. Section 4.3 presents, for instance, primality tests. Section 4.4 discusses cryptanalysis without factorization, that is, breaking RSA via some information other than the primes p and q. In Section 4.5 we’ll come to the role of partial information: if we are able to find out certain facts about the plaintext, we are able to break the whole RSA. This means that RSA is as secure as some of its parts. In some sense, all of Sections 4.2-4.5 focus on the interplay between legal and illegal worlds, that is, between the cryptosystem designer and the cryptanalyst. The final Section 4.6 presents some systems related to RSA - the presentation will continue in Chapter 5. 
It should be emphasized already at this point that there is no formal proof whatsoever (i) that factorization is intractable, or is intractable in the special case needed for RSA, and (ii) that factorization is needed for the cryptanalysis of RSA, that is, that there is no cryptanalytic method avoiding factorization. There is lots of empirical evidence for both (i) and (ii).

We now present the details of RSA. Let p and q be two distinct large random primes (typically, having about 100 digits in their decimal representation). Denote

$$n = pq \quad\text{and}\quad \varphi(n) = (p-1)(q-1).$$

(Here $\varphi$ is the Euler function mentioned also in Section 3.5.) Choose a large random number d > 1 such that $(d, \varphi(n)) = 1$ and compute the number e, $1 < e < \varphi(n)$, satisfying the congruence

$$ed \equiv 1 \pmod{\varphi(n)}.$$

The numbers n, e and d are referred to as the modulus, encryption exponent and decryption exponent, respectively. The numbers n and e constitute the public encryption key, whereas the remaining items p, q, $\varphi(n)$ and d form the secret trapdoor. Clearly, the trapdoor information does not consist of four independent items. For instance, the knowledge of p immediately reveals the remaining three items. To encrypt, one raises the plaintext to the power e and reduces modulo n. To decrypt, one raises the cryptotext to the power d and reduces modulo n. More specifically, we assume that the plaintext is encoded as a decimal number. (We can equally well use binary representation if we like.) The number is divided into blocks of suitable size. The blocks are encrypted separately. A suitable size of the blocks is the unique integer i satisfying the inequalities $10^{i-1} < n < 10^i$. In some cases one may choose i − 1 as the block size, or make sure that each block is less than n, if uniqueness of decryption is important. For instance, in Example 4.1 below n = 2773, implying that the block size equals 4. The numbers 1000 + 2773j are encrypted as the same number, for j = 0, 1, 2, 3. However, only the value j = 0 leads to a possible plaintext in Example 4.1. If w is a plaintext block and c the corresponding cryptotext block, then encryption can be expressed in terms of the following equation:

$$c = (w^e, \bmod n).$$
We now show that decryption works as intended.

Lemma 4.1. For w and c defined as above,

$$(*)\qquad w \equiv c^d \pmod n.$$

Hence, if decryption is unique, $w = (c^d, \bmod n)$.

Proof. By the choice of d, there is a positive integer j such that $ed = j\varphi(n) + 1$. Assume first that neither p nor q divides w. By Euler's Theorem (see Appendix B), $w^{\varphi(n)} \equiv 1 \pmod n$, yielding $w^{ed-1} \equiv 1 \pmod n$. Hence,

$$c^d = w^{ed} \equiv w \pmod n.$$

If exactly one of p and q, say p, divides w, then $w^{q-1} \equiv 1 \pmod q$, yielding in succession

$$w^{j\varphi(n)} \equiv 1 \pmod q, \qquad w^{ed} = w^{1+j\varphi(n)} \equiv w \pmod q.$$

Since the last congruence is clearly valid also modulo p, we obtain (*) also in this case. If both p and q divide w, we clearly have $w^{ed} \equiv w \pmod n$, from which (*) follows as before. □
Consider again n = 2773. If we choose the block size 4, it may happen that decryption does not lead back to the original plaintext w, for instance, when w = 3773.

We now discuss the cryptosystem design, that is, how the different items are generated. In general, when we say that a random number is chosen or that we select something randomly, then we are using a random number generator, for instance, a computer program generating a sequence of digits that possesses as many statistical properties of a random sequence as possible. We do not discuss here any details concerning random number generators. To select the two large random primes p and q, one chooses randomly an odd integer r of appropriate size (say 100 digits) and tests it for primality. Primality tests are described in Section 4.3. In case of a negative answer, r + 2 is tested, and so forth. By the prime number theorem, there are approximately

$$\frac{10^{100}}{\ln 10^{100}} - \frac{10^{99}}{\ln 10^{99}}$$

100-digit primes. (Here ln refers to the natural logarithm.) When this number is compared with the number $(10^{100} - 10^{99})/2$ of all 100-digit odd integers, we see that the probability of success for an individual test is approximately .00868. Once p and q have been chosen, candidates for d are tested by Euclid's algorithm. When d satisfies $(d, \varphi(n)) = 1$, the chain of equations obtained from Euclid's algorithm gives immediately also e.

An operation needed for both encryption and decryption is modular exponentiation, that is, computing $(a^r, \bmod n)$. This can be done much faster than by repeatedly multiplying a by itself. The method we are referring to is squaring. After each squaring, reduction modulo n takes place. In this way numbers greater than $n^2$ are never encountered. More specifically, we consider the binary representation of r,

$$r = \sum_{j=0}^{k} x_j 2^j, \quad x_j = 0, 1; \quad k = [\log_2 r] + 1.$$

Provided we know all numbers

$$(*)\qquad (a^{2^j}, \bmod n), \quad 0 \le j \le k,$$

$(a^r, \bmod n)$ can be computed by forming at most k − 1 products and reducing each product modulo n. Thus, it suffices to compute the numbers (*), which involves k modular squarings and, in addition, at most k − 1 modular products. This means computing at most 2k − 1 products with both factors less than n and reducing the products modulo n. If r is large and $\varphi(n)$ is known, then r may first be reduced modulo $\varphi(n)$. For instance, to compute $(7^{83}, \bmod 61)$, we note that $7^{60} \equiv 1 \pmod{61}$. Hence, we may compute $(7^{23}, \bmod 61)$ as well.
By successive squarings, we obtain the powers of 7 where the exponent is a power of 2:

j           0    1    2    3    4
7^(2^j)     7   49   22   57   16

Since 23 = 10111, we obtain the desired result

$$(7^{23}, \bmod 61) = (16 \cdot (22 \cdot (49 \cdot 7)), \bmod 61) = 17.$$

Sometimes one is lucky and finds the result even much faster. This is significant especially if the available computing power is low. For instance, in computing $(191^{239}, \bmod 323)$ one observes first that $191^4 \equiv 1 \pmod{323}$, yielding $191^{236} \equiv 1 \pmod{323}$. Since $(191^3, \bmod 323) = 115$, one concludes that 115 is the answer also to the original question. We have already considered the modulus n = 2773, and will still return to it in Example 4.1. To compute $(1920^{17}, \bmod 2773)$, we consider first the powers of 2 as exponents:

j               0      1      2      3      4
1920^(2^j)   1920   1083   2683   2554    820

We conclude that $(1920^{17}, \bmod 2773) = (1920 \cdot 820, \bmod 2773) = 2109$. Since $17^{-1} \equiv 157 \pmod{2668}$, we may still verify the result by computing similarly $(2109^{157}, \bmod 2773) = 1920$. Observe that 2773 = 47·59 and $\varphi(2773) = 2668$. When we still present a fast stochastic algorithm for primality in Section 4.3, we may conclude that all computations needed in cryptosystem design, as well as in encryption and legal decryption, can be carried out in low polynomial time. Still, the legal operations are roughly 1000 times faster in DES than in RSA.

Example 4.1. We consider three illustrations with the modulus growing in size. All of them should be readable, although even the largest one is unrealistic for practical security. Take first p = 5, q = 11, n = 55, $\varphi(n) = 40$, e = 7, d = 23. Now plaintexts are numbers in the closed interval [1, 54]. Moreover, we want to exclude numbers whose greatest common divisor with 55 exceeds 1, that is, numbers divisible by 5 or 11. In general, if (w, n) > 1 for some plaintext w, then we could factorize n by computing the greatest common divisor of n and the encrypted version of w. Of course, in this example we can factorize n anyway. In general the probability of a plaintext having a common nontrivial factor with n is less than 1/p + 1/q. So the probability is negligible for large p and q.
In the example at hand it is easy enough to write down a complete encryption table.

Plaintext  Cryptotext     Plaintext  Cryptotext
    1          1              28        52
    2         18              29        39
    3         42              31        26
    4         49              32        43
    6         41              34        34
    7         28              36        31
    8          2              37        38
    9          4              38        47
   12         23              39        19
   13          7              41        46
   14          9              42        48
   16         36              43        32
   17          8              46        51
   18         17              47        53
   19         24              48        27
   21         21              49        14
   23         12              51         6
   24         29              52        13
   26         16              53        37
   27          3              54        54

This table can be rearranged to form a complete decryption table.

Cryptotext  Plaintext     Cryptotext  Plaintext
    1           1             28          7
    2           8             29         24
    3          27             31         36
    4           9             32         43
    6          51             34         34
    7          13             36         16
    8          17             37         53
    9          14             38         37
   12          23             39         29
   13          52             41          6
   14          49             42          3
   16          26             43         32
   17          18             46         41
   18           2             47         38
   19          39             48         42
   21          21             49          4
   23          12             51         46
   24          19             52         28
   26          31             53         47
   27          48             54         54
The following important fact is clearly visible from this example. Public-key cryptography never works for small plaintext spaces. A cryptanalyst can construct already at the preprocessing stage a complete decryption table simply by encrypting all possible plaintexts and rearranging the resulting cryptotexts in a convenient alphabetic order.

As a second illustration, consider p = 47, q = 59, n = 2773, φ(n) = 2668, e = 17, d = 157. Now the plaintext, encoded as a sequence of decimal digits, is divided into blocks of four digits. As we saw above, this might lead to a small ambiguity in the decryption process. However, no ambiguities will arise if the original plaintext is written using the 26 letters of the English alphabet, in which case the largest 4-digit number will be 2626. Let us make use of the additional dimension of security of a plaintext written in Finnish and encrypt the text SAUNOIN TAAS (I took a sauna bath again). The numerical encoding with the space getting the value 00 is as follows:

Plaintext block   Encoding
SA                1901
UN                2114
OI                1509
N (space)         1400
TA                2001
AS                0119
The modular exponentiations needed for encryption are carried out by squaring, as seen from the next table.

Plaintext w   w^2    w^4    w^8    w^16   Cryptotext w^17
1901          582    418    25     625    1281
2114          1693   1740   2257   48     1644
1509          448    1048   196    2367   179
1400          2262   459    2706   1716   982
2001          2562   153    1225   432    2029
0119          296    1653   1004   1417   2243
The result can be checked by raising similarly the cryptotext c to the power 157. For instance, if c = 1644, we obtain

c^2 = 1834, c^4 = 2680, c^8 = 330, c^16 = 753, c^32 = 1317, c^64 = 1364, c^128 = 2586,
c^144 = 612, c^152 = 2304, c^156 = 2022, c^157 = 2114.
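The computations of Example 4.1 so far, as an added example that is not code from the book (all parameters are the book's): square-and-multiply with the trace of powers 1920^(2^j) the text tabulates, the numerical encoding of SAUNOIN TAAS and its encryption and decryption under n = 2773, the complete decryption table a cryptanalyst precomputes for n = 55, and a consistency check of the 20-digit key.

```python
"""RSA arithmetic of Example 4.1: square-and-multiply with the trace the text
tabulates, the numerical encoding of text, block encryption, and the complete
decryption table a cryptanalyst precomputes for a small plaintext space.
Added example, not code from the book; all parameters are those of Example 4.1."""
from math import gcd


def modexp(base, exponent, modulus):
    """Right-to-left square-and-multiply.

    Returns (base^exponent mod modulus, trace) with trace[j] = base^(2^j) mod
    modulus for each bit j of the exponent: the row of 'powers of 2 as
    exponents' the text writes down for 1920^17 mod 2773."""
    result, square, trace = 1, base % modulus, []
    while exponent:
        trace.append(square)
        if exponent & 1:
            result = result * square % modulus
        square = square * square % modulus
        exponent >>= 1
    return result, trace


def modinv(a, m):
    """a^-1 mod m by the extended Euclidean algorithm (d = e^-1 mod phi(n))."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError(f"{a} is not invertible modulo {m}")
    return s0 % m


def encode(text):
    """Numerical encoding used in Example 4.1: space -> 00, A -> 01, ..., Z -> 26."""
    return "".join("00" if ch == " " else f"{ord(ch) - 64:02d}" for ch in text.upper())


def decode(digits):
    """Inverse of encode(): two digits per character."""
    pairs = (digits[i:i + 2] for i in range(0, len(digits), 2))
    return "".join(" " if pair == "00" else chr(int(pair) + 64) for pair in pairs)


def encrypt_text(text, n, e, block_digits):
    """Encode, cut into blocks of block_digits digits (the last block padded with
    zeros, as the book does) and raise every block to the power e modulo n."""
    digits = encode(text)
    digits += "0" * (-len(digits) % block_digits)
    blocks = [int(digits[i:i + block_digits]) for i in range(0, len(digits), block_digits)]
    if any(w >= n for w in blocks):
        raise ValueError("a plaintext block is not smaller than the modulus")
    return [modexp(w, e, n)[0] for w in blocks]


def decrypt_text(blocks, n, d, block_digits):
    """Raise every cryptotext block to the power d, restore leading zeros, decode."""
    digits = "".join(f"{modexp(c, d, n)[0]:0{block_digits}d}" for c in blocks)
    return decode(digits)


def decryption_table(n, e):
    """The cryptanalyst's preprocessing for a small plaintext space: encrypt every
    admissible plaintext once and index the result by cryptotext."""
    return {modexp(w, e, n)[0]: w for w in range(1, n) if gcd(w, n) == 1}


def key_is_consistent(p, q, n, e, d):
    """n = p*q and e*d = 1 (mod (p-1)(q-1)): the relations a published key must satisfy."""
    return p * q == n and e * d % ((p - 1) * (q - 1)) == 1


if __name__ == "__main__":
    print(modexp(1920, 17, 2773))                    # (2109, [1920, 1083, 2683, 2554, 820])
    print(modinv(17, 2668))                          # 157
    c = encrypt_text("SAUNOIN TAAS", 2773, 17, 4)
    print(c)                                         # [1281, 1644, 179, 982, 2029, 2243]
    print(decrypt_text(c, 2773, 157, 4))             # SAUNOIN TAAS
    table = decryption_table(55, 7)
    print(len(table), table[12], table[29])          # 40 23 24
    P, Q = 3336670033, 9876543211
    N, E, D = 32954765761773295963, 1031, 31963885304131991
    print(key_is_consistent(P, Q, N, E, D))          # True
    big = encrypt_text("SAUNA STOVES ARE EITHER PREHEA", N, E, 20)
    print(decrypt_text(big, N, D, 20))               # SAUNA STOVES ARE EITHER PREHEA
```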
For our final illustration, we consider the subsequent numbers.

p = 3336670033,
q = 9876543211,
n = 32954765761773295963,
φ(n) = 32954765748560082720,
e = 1031,
d = 31963885304131991.
The plaintext blocks will now consist of 20 digits. No ambiguities will be present if the plaintext blocks are obtained from English text by numerical encoding, which implies that all blocks begin with 0, 1 or 2. Let us encrypt the following plaintext. "Sauna stoves are either preheated or continuously heated. Preheated means that the stove is not heated during the actual bathing. A smoke sauna is a special type of a preheated sauna. There is no chimney but smoke goes out through holes in the walls and roof." Neither punctuation nor lower case letters are present in the encryption on the following page. We indicate also the block division and numerical encoding in the usual fashion.

[Table on the following page: the plaintext in 20-digit blocks, its numerical encoding and the cryptotext; the scan of the table is not legible.]

After completing Example 4.1, we still return to some general matters. Also RSA can be viewed according to the general principles behind the construction of public-key cryptosystems, presented in Section 2.2. The setup is here not so clear as, for instance, in connection with knapsack-based cryptosystems. For a difficult problem P one may choose the factorization of n when n is known to be the product of two primes. An easy subproblem P_easy is P with the additional knowledge of φ(n). The shuffled version of P_easy is simply P itself. Or one may choose as the difficult problem P the solving of the congruence

x^e ≡ c (mod n)

when the triple (e, c, n) consisting of RSA items is known. P_easy is in this case P with the additional knowledge of one of the items φ(n), d, p, q.

Both of the following points (i) and (ii) are rather obvious but have caused many misunderstandings. (i) There is no contradiction between the fact that the compositeness of a given number n can be found out and the fact that n cannot be factorized. The former fact is needed in RSA system design, whereas the factorization of n would break the cryptosystem. Indeed, there are many results of the form "if n is prime then condition C(n) holds." Hence, if we observe that C(n) does not hold, we may conclude that n is composite but still cannot factorize n. (ii) For real-valued functions of real numbers, there is no difference, from the point of view of complexity, between exponentiation and computation of logarithms. In the discrete case modular exponentiation is easy, whereas logarithms constitute an intractable problem. This problem will be dealt with also in Section 4.6.

The problems of authentication and digital signatures were discussed already in Section 2.3. In what follows the subscripts indicate the user. Thus, e_A, d_A, n_A are the encryption and decryption exponents and the modulus used by A. Assume first that only signature but not secrecy is needed in the transmission of messages. Then A sends the pair (w, D_A(w)), where

D_A(w) = (w^(d_A), mod n_A).
The receiver can verify the signature by applying A's public encryption exponent e_A. Since only A is in possession of d_A, no other person could have signed the message w. However, a forger can choose a number c, compute

E_A(c) = (c^(e_A), mod n_A)

and claim successfully that c is the signature by A to the message E_A(c). This method of attack can be used for finding signatures to unpredictable messages only: only A can sign a prechosen message. Such unpredictable messages are not likely to be meaningful if, for instance, the plaintexts are obtained by numerical encoding from some natural language. Then the redundancy in the messages is high, and only a very small portion of blocks of a certain size are numerical encodings of parts of meaningful plaintext.

In addition to the amount of redundancy also the type of redundancy of plaintexts is important. In particular, neither the inverse of a meaningful message nor the product of two meaningful messages should be meaningful. Otherwise, a forger knowing A's signatures s_i to messages w_i, i = 1, 2, can sign, with the correct A's signature, the messages (w_1 w_2, mod n_A) and (w_2^(-1), mod n_A) using (s_1 s_2, mod n_A) and (s_2^(-1), mod n_A). Consider the first illustration in Example 4.1. The signatures for the messages 12 and 29 are 23 and 24, respectively. Clearly, (12·29, mod 55) = 18 and (29^(-1), mod 55) = 19 can then be signed using (23·24, mod 55) = 2 and (24^(-1), mod 55) = 39. Only n_A and the signatures for w_i are needed to construct the new signatures. This method of forging applies to products of more than two factors as well. Since apparently d_A is always odd, we can sign also (−w_1, mod n_A) using (−s_1, mod n_A).

Assume, secondly, that both signature and secure transmission are required. To send a signed message to B, A first signs it using (d_A, n_A) and then encrypts the result using (e_B, n_B). B first decrypts using the decryption exponent d_B, after which the original message can be obtained using the public encryption key e_A. The presence of d_A in the message guarantees that it was sent by A. As before, one has to
be cautious because of the possibility of forging signatures to unpredictable messages. There is also another difficulty caused by the fact that A and B are using different moduli. Assume that n_A > n_B. Then D_A(w) is not necessarily in the interval [1, n_B − 1], and reduction modulo n_B would certainly make the legal decryption more difficult. There are two ways to overcome this difficulty. (i) All users agree upon a common threshold t. Each user A chooses two RSA keys, one for signatures and the other for encryption. The items involved are denoted by superscripts s and e, respectively. Each user A takes care that n_A^s < t < n_A^e. The difficulty described above does not arise if A sends the message w to B in the form E_B^e(D_A^s(w)). (ii) Also the threshold number can be avoided if messages from A to B are sent in the form E_B(D_A(w)) or D_A(E_B(w)), depending on whether n_A < n_B or n_B < n_A.
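Both points just made, as an added example that is not code from the book, using the keys of the first two illustrations of Example 4.1 as users A and B: the signatures of 12 and 29 combine into valid signatures of their product and of 29^(-1), and with n_A < n_B the order E_B(D_A(w)) of variant (ii) round-trips while signing first loses information.

```python
"""Two pitfalls of bare RSA signatures described in the text: the multiplicative
property that lets anyone combine known signatures, and the order of signing and
encrypting when the two users' moduli differ. Added example, not code from the
book; the keys are the first two illustrations of Example 4.1."""

A = {"n": 55, "e": 7, "d": 23}        # user A: p = 5, q = 11
B = {"n": 2773, "e": 17, "d": 157}    # user B: p = 47, q = 59


def sign(w, key):
    """D_A(w) = (w^d_A, mod n_A)."""
    return pow(w, key["d"], key["n"])


def verify(s, key):
    """E_A(s) = (s^e_A, mod n_A); equals the message iff s is A's signature of it."""
    return pow(s, key["e"], key["n"])


def derived_signatures(w1, s1, w2, s2, key):
    """From A's signatures s1, s2 of w1, w2 anyone computes valid signatures of
    (w1*w2, mod n_A) and (w2^-1, mod n_A) without d_A: (message, signature) pairs."""
    n = key["n"]
    return [(w1 * w2 % n, s1 * s2 % n), (pow(w2, -1, n), pow(s2, -1, n))]


def send(w, sender, receiver):
    """Signed and encrypted transmission, variant (ii) of the text: the key with
    the smaller modulus is applied first, so the intermediate value stays below
    the modulus applied next."""
    if sender["n"] < receiver["n"]:
        return pow(sign(w, sender), receiver["e"], receiver["n"])      # E_B(D_A(w))
    return sign(pow(w, receiver["e"], receiver["n"]), sender)          # D_A(E_B(w))


def receive(c, sender, receiver):
    """Undo send(): the receiver's d_B removes the encryption, the sender's public
    e_A checks the signature and exposes w."""
    if sender["n"] < receiver["n"]:
        return verify(pow(c, receiver["d"], receiver["n"]), sender)
    return pow(verify(c, sender), receiver["d"], receiver["n"])


def send_sign_first(w, sender, receiver):
    """Always D_A(E_B(w)), ignoring the moduli: when n_A < n_B the value E_B(w)
    is reduced modulo n_A and information is lost."""
    return sign(pow(w, receiver["e"], receiver["n"]), sender)


def receive_sign_first(c, sender, receiver):
    """The receiver's side of send_sign_first()."""
    return pow(verify(c, sender), receiver["d"], receiver["n"])


if __name__ == "__main__":
    print(sign(12, A), sign(29, A))                              # 23 24
    print(derived_signatures(12, 23, 29, 24, A))                 # [(18, 2), (19, 39)]
    print(receive(send(12, A, B), A, B))                         # 12
    print(receive_sign_first(send_sign_first(12, A, B), A, B))   # not 12
```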
4.2 Attack and Defense

We discussed already in the preceding section how to meet an attack by a forger of signatures. In general, many cryptanalytic attacks have been proposed against RSA cryptosystems. None of these attacks has turned out to be serious. In this section we discuss some typical ones of them and mention also a few other aspects one should be aware of in order to prevent certain rather obvious attacks.

Consider first the choice of p and q. They should be random primes and not, for instance, primes contained in some table of primes. To factorize, one can always check through the table or run through the sequence of primes of the specific form. The two primes should also not be close to one another. If they are close to one another (and p > q), then (p − q)/2 is small and (p + q)/2 is only slightly larger than √n. Moreover,

(p + q)²/4 − n = (p − q)²/4

and, hence, the left side is a perfect square. To factorize n, one tests integers x > √n until one finds one such that x² − n is a perfect square, say y². Then p = x + y and q = x − y. For instance, for n = 97343, we have √n ≈ 311.998. Now 312² − n = 1, which gives directly p = 313, q = 311. In general, it is advisable that the bit representations of p and q differ in length by a few bits.

Also φ(n) should be considered in the choice of p and q. Clearly both p − 1 and q − 1 are even, implying that φ(n) is divisible by 4. Assume that (p − 1, q − 1) is large and, consequently, the least common multiple u of p − 1 and q − 1 is small in comparison with φ(n). Then any inverse of e modulo u will work as a decryption exponent. Since in this case it is much easier to find d simply by testing, p − 1 and q − 1 should have no large common factor. The extreme possibility is that one of p − 1 and q − 1, say q − 1, divides the other. Now it suffices to consider inverses of e modulo p − 1. Take again an
example. Let n = 11041 and e = 4013. Now any inverse of 4013 modulo 180 can be used as the decryption exponent. This follows because the least common multiple of p − 1 and q − 1 happens to be 180. Thus, we obtain d = 17.

The cryptosystem designer should also avoid the situation where φ(n) has only small prime factors. Assume that all prime factors r of φ(n) are less than some integer k. Since [log_r n] is the exponent in the highest power of r that can possibly divide φ(n), it is computationally feasible to construct all candidates u for φ(n) and test the cryptotext raised to the power (u + 1)/e, provided this exponent is an integer. A way to overcome both of the difficulties mentioned as regards φ(n) is to consider "safe" primes only. By definition, a prime p is safe iff also (p − 1)/2 is prime. Examples of safe primes are 83, 107 and 166517. It is obvious that the generation of safe primes p and q in the system design is much harder than the generation of ordinary primes. It is an open problem whether or not there are infinitely many safe primes. There are other properties of p, q and φ(n) that might ease factorization and decryption. An RSA cryptosystem designer has to take such properties, also the ones that might be discovered in the future, into account. Indeed, the most obvious among such properties have been taken into account in existing RSA hardware.

The choice of p and q is also important in view of a possible attack based on iterated encryptions. This means that one begins with the cryptotext c_0 and computes numbers

c_i = (c_(i−1)^e, mod n), i = 1, 2, ...,

until one finds a meaningful c_i. A little reflection will show that the probability for such an attack to succeed is negligible if p − 1 and q − 1 have large prime factors p' and q', and also p' − 1 and q' − 1 have large prime factors. It is also easy to estimate the probability in terms of the sizes of the prime factors mentioned.

Assume that p and q have been chosen, and consider the choice of e and d. Their choice is not independent because one of them determines the other. Especially d should not be so small that it can be found by testing. This is the reason why we fixed d first and then computed e in the cryptosystem design. However, also a small e can be a security risk as shown, for instance, in [Wie]. If the same message is sent to several parties, cryptanalysis might become possible. Assume that A, B, C have all the public encryption exponent 3, whereas the moduli are n_A, n_B, n_C. (We assume also that no two moduli possess a common nontrivial factor.) Thus, the messages

(w³, mod n_i), i = A, B, C,

are transmitted. A cryptanalyst who intercepts these messages can compute the number w_1 = (w³, mod n_A n_B n_C) by the Chinese Remainder Theorem. Since w is less than each of the individual moduli, we must have w³ = w_1. This means that the cryptanalyst can find w by extracting the cubic root of w_1.
If n_A = 517, n_B = 697, n_C = 667 and the three intercepted messages are 131, 614 and 127, then the cryptanalyst computes first the inverses m_i^(-1) (mod n_i), i = A, B, C, where m_i is the product of the two other moduli. In this case the products are 464899, 344839, 360349, and the inverses are 156, 99, 371. Hence, w_1 is obtained from these numbers by the Chinese Remainder Theorem. Since n_A n_B n_C = 240352783, the cryptanalyst concludes that w_1 = w³ = 91125000, from which the plaintext w = 450 is obtained.

Although it is desirable from the point of view of security that both e and d are large, exactly the opposite is the case if encryption or decryption execution time is considered. Small exponents are particularly advantageous when there is a large difference in computing power between the two communicating parties. A typical example is when RSA is used in communications between a smart card and a large computer. Then it is very desirable for the smart card to have a small d and for the large computer to have a small e. In situations like this a compromise between security and available computing power has to be made.

We mention finally as a curiosity that in every RSA cryptosystem some plaintext blocks are encrypted into themselves. In fact, there are at least four plaintext blocks satisfying both of the conditions E(w) = w and (w, n) = 1. Clearly,

(1^e, mod p) = (1^e, mod q) = 1 and ((p − 1)^e, mod p) = p − 1, ((q − 1)^e, mod q) = q − 1,

the latter equations being a consequence of the fact that e is always odd. We obtain by the Chinese Remainder Theorem a simultaneous solution to the congruences x ≡ a (mod p) and x ≡ b (mod q). When we let a and b assume independently the values ±1, we obtain four numbers w satisfying (w^e, mod n) = w. In the first illustration in Example 4.1, the four numbers w are 1, 21, 34, 54. They correspond, in this order, to the pairs (a, b): (1, 1), (1, −1), (−1, 1) and (−1, −1). If the assumption (w, n) = 1 is dropped and also w = 0 is allowed to be a plaintext, then there are at least nine numbers w with E(w) = w. This is seen exactly as before except that now also 0 is a possible value for a and b. In Example 4.1 we get the following five additional values: 0, 45, 10, 11, 44. The discussion above shows that certain plaintexts should be avoided. Also certain encryption exponents e should be avoided. If e − 1 is a multiple of both p − 1 and q − 1, then every w satisfies E(w) = w. This is immediately seen by Euler's Theorem. Thus e = φ(n)/2 + 1 is an especially bad choice, although it lies in the customary range for e.
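The checks and attacks of this section run on the book's own numbers, as an added example that is not code from the book: Fermat's method on n = 97343, the decryption exponent modulo lcm(p − 1, q − 1) for n = 11041 (its factors 61 and 181, which the text does not spell out, are found by trial division here), safe primes, the e = 3 broadcast with moduli 517, 697, 667, and the fixed points of the n = 55 system.

```python
"""Section 4.2 on the book's own numbers: checks on p and q (close primes, a small
lcm(p-1, q-1), safe primes), the attack on a message broadcast under e = 3, and
the plaintexts RSA maps to themselves. Added example, not code from the book."""
from math import isqrt, lcm


def smallest_factor(m):
    """Trial division; returns m itself when m is prime (fine for the sizes used here)."""
    for d in range(2, isqrt(m) + 1):
        if m % d == 0:
            return d
    return m


def is_safe_prime(p):
    """A prime p is safe iff (p - 1)/2 is prime as well."""
    half = (p - 1) // 2
    return p > 3 and smallest_factor(p) == p and smallest_factor(half) == half


def fermat_factor(n, max_steps=1000):
    """When p and q are close, some small x > sqrt(n) has x^2 - n = y^2, and then
    p = x + y, q = x - y. Returns None if no such x is found within max_steps."""
    x = isqrt(n) + 1
    for _ in range(max_steps):
        y = isqrt(x * x - n)
        if y * y == x * x - n:
            return x + y, x - y
        x += 1
    return None


def lcm_decryption_exponent(p, q, e):
    """Any inverse of e modulo u = lcm(p-1, q-1) decrypts, so a small u (a large
    (p-1, q-1)) leaves a much smaller d to find than phi(n) suggests."""
    u = lcm(p - 1, q - 1)
    return u, pow(e, -1, u)


def crt(residues, moduli):
    """The x, 0 <= x < product of the moduli, with x = r_i (mod n_i) for every i
    (moduli pairwise coprime)."""
    total = 1
    for m in moduli:
        total *= m
    x = 0
    for r, m in zip(residues, moduli):
        others = total // m                     # product of the remaining moduli
        x += r * others * pow(others, -1, m)    # = r (mod m), = 0 (mod each other modulus)
    return x % total


def icbrt(x):
    """Exact integer cube root of x >= 0, or None if x is not a cube."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None


def broadcast_attack(cryptotexts, moduli):
    """The same w sent as (w^3, mod n_i) to three parties: CRT yields the integer
    w^3 itself (w^3 is below the product of the moduli), and its cube root is w."""
    w3 = crt(cryptotexts, moduli)
    return icbrt(w3), w3


def fixed_points(p, q, allow_zero=False):
    """Plaintexts w with E(w) = w for every odd e: CRT solutions of x = a (mod p),
    x = b (mod q) with a, b in {1, -1}, and also 0 when w = 0 or (w, n) > 1 is allowed."""
    a_vals = [1, p - 1] + ([0] if allow_zero else [])
    b_vals = [1, q - 1] + ([0] if allow_zero else [])
    return sorted(crt([a, b], [p, q]) for a in a_vals for b in b_vals)


def identity_exponent(e, p, q):
    """True iff e - 1 is a multiple of both p - 1 and q - 1: then E(w) = w for all w."""
    return (e - 1) % (p - 1) == 0 and (e - 1) % (q - 1) == 0


if __name__ == "__main__":
    print(fermat_factor(97343))                                  # (313, 311)
    p = smallest_factor(11041)
    print(p, lcm_decryption_exponent(p, 11041 // p, 4013))       # 61 (180, 17)
    print([r for r in (5, 11, 47, 59, 61) if is_safe_prime(r)])  # [5, 11, 47, 59]
    print(broadcast_attack([131, 614, 127], [517, 697, 667]))    # (450, 91125000)
    print(fixed_points(5, 11), fixed_points(5, 11, True))        # [1, 21, 34, 54] and nine values
    print(identity_exponent(21, 5, 11))                          # True: e = phi(n)/2 + 1
```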
4.3 Primality

This section presents some basic facts concerning primality and factoring, especially from the point of view of RSA. For a more detailed discussion, the reader is referred to [KO] and to the further references mentioned therein. The problem PRIMALITY(n) was mentioned already in Section 2.2. An efficient algorithm for this problem is essential for RSA cryptosystem design. It is not known whether the problem is in P. However, this is not an essential drawback from the point of view of RSA because we have to construct primes of a certain size only and, moreover, stochastic algorithms with a low probability of failure are quite acceptable. Such a stochastic algorithm works in most cases as follows. We consider a compositeness test C(m). If an integer m passes the test, it is definitely composite. If m fails the test, m may be a prime. The likelihood for m being prime increases with the number of compositeness tests it fails. Even if m passes a compositeness test, we still face the very difficult problem of factorizing m. As we have already emphasized, the security of RSA is based on the assumption that it is much easier to find two large primes p and q than it is to recover them if only their product n is known. This assumption is based on empirical evidence only; no theorem of this nature has been proved.

Since an RSA cryptosystem designer has to face the very unlikely possibility that the number p he has constructed is actually composite, let us investigate what such an error might actually mean. If p = p_1 p_2, where p_1, p_2 as well as q are primes, then the designer works with a false φ_1(n) = (p − 1)(q − 1), whereas the correct φ(n) = (p_1 − 1)(p_2 − 1)(q − 1). Let u be the least common multiple of p_1 − 1, p_2 − 1 and q − 1. Assume also that (w, n) = 1. Then the congruences

w^(p_1 − 1) ≡ 1 (mod p_1), w^(p_2 − 1) ≡ 1 (mod p_2), w^(q − 1) ≡ 1 (mod q)

hold by Euler's Theorem and, consequently, w^u ≡ 1 is valid for all three moduli. This implies that w^u ≡ 1 (mod n). Clearly, u divides φ(n). If u divides also φ_1(n), then

w^(φ_1(n) + 1) ≡ w (mod n),

which means that encryption and decryption work as if p were prime. This happens, for instance, if the cryptosystem designer chooses p = 91, q = 41. Now

n = 3731, φ_1(n) = 3600, φ(n) = 2880.

The least common multiple u of 6, 12 and 40 equals 120, a number dividing φ_1(n) = 3600. From this condition it also follows that whenever (d, φ_1(n)) = 1, then also (d, φ(n)) = 1. Thus, one may compute e using the false φ_1 without affecting the validity of D(E(w)) = w. Also no additional safety risks are introduced except that the least common multiple is considerably smaller than φ(n). However, if u does not divide φ_1(n), then in most cases D(E(w)) ≠ w, a fact likely to be noticed also by the cryptosystem designer. Assume that the numbers
p = 391 and q = 281 are chosen without noticing that 391 = 17·23. Now the cryptosystem designer works with

n = 109871 and φ_1(n) = 109200,

whereas actually φ(n) = 98560. In this case u = 6160. Indeed, each of the numbers 16, 22, 280 divides 6160. However, u does not divide φ_1(n), this being due to the fact that 11 divides u but does not divide φ_1(n). The cryptosystem designer might now choose d = 45979 and compute e = 19. For the plaintext w = 8 one obtains

w^(ed − 1) = 8^873600 ≡ 66879 (mod 109871).

For the computation it is useful to observe that 8^11 ≡ 70 (mod n) and keep in mind that 8^6160 ≡ 1 (mod n).

Assume that m is an odd integer and (w, m) = 1. If m is prime then, by Euler's Theorem (also called in this case Fermat's Little Theorem),

(*)   w^(m − 1) ≡ 1 (mod m).

If m is not prime, it is possible but not likely that (*) holds. In such a case m is referred to as a pseudoprime to the base w. This gives immediately the following compositeness test: m passes the test C(m) iff

(*)'   w^(m − 1) ≢ 1 (mod m),

for some w with (w, m) = 1. If m fails the test C(m) for w, that is, (*) holds, then m might still be composite. Take the number m = 91 considered above. Then

2^90 = 2^64 · 2^16 · 2^8 · 2^2 ≡ 16 · 16 · 74 · 4 ≡ 64 (mod 91),

which shows that 91 is composite. On the other hand, 3^90 ≡ 1 (mod 91), which shows that 91 is a pseudoprime to the base 3. One can prove similarly that 341 is a pseudoprime to the base 2 and 217 is a pseudoprime to the base 5. In fact, one can also prove rather easily that the three numbers 341, 91 and 217 are the smallest pseudoprimes to the bases 2, 3 and 5, respectively. Let us call an integer w with (w, m) = 1 and satisfying the congruence (*) a witness for the primality of m. As we have seen, there are also "false witnesses", to which m is a pseudoprime only. A method of showing with high probability that m is prime consists of gathering many witnesses for the primality of m. The next result provides some theoretical background.
Lemma 4.2. Either all or at most half of the integers w with 1 ≤ w < m and (w, m) = 1 are witnesses for the primality of m.

Proof. Assume that w is not a witness (implying that (*)' holds). Let w_i, 1 ≤ i ≤ t, be all the witnesses. Then the numbers

u_i = (w w_i, mod m), 1 ≤ i ≤ t,

are all distinct and satisfy the conditions 1 ≤ u_i < m and (u_i, m) = 1. No number u_i can be a witness because

1 ≡ u_i^(m − 1) ≡ w^(m − 1) w_i^(m − 1) ≡ w^(m − 1) (mod m)
would contradict (*)'. There are as many numbers u_i as there are witnesses altogether. □

The probabilistic algorithm works as follows. Given m, choose a random w with 1 ≤ w < m. The greatest common divisor (w, m) is found by Euclid's algorithm. If (w, m) > 1, we conclude that m is composite. Otherwise, we compute u = (w^(m − 1), mod m) by repeated squaring. If u ≠ 1, we conclude that m is composite. If u = 1, w is a witness for the primality of m, and we have some evidence that m could be prime. The more witnesses we find, the stronger the evidence will be. When we have found k witnesses, by Lemma 4.2 the probability of m being composite is at most 2^(−k), except in the unfortunate case that all numbers w (with (w, m) = 1 and w < m) are witnesses. If m is prime then all numbers are witnesses, and the evidence obtained points toward the right conclusion. However, all numbers can be witnesses without m being prime. Such numbers m are referred to as Carmichael numbers. Thus, by definition, an odd composite number m is a Carmichael number iff (*) holds for all w with (w, m) = 1. It is easy to prove that a Carmichael number is always square-free, and that an odd composite square-free number m is a Carmichael number iff, whenever p is a prime dividing m, then also p − 1 divides m − 1. An immediate consequence of these facts is that a Carmichael number must be the product of at least three distinct primes. For instance, for m = 561 = 3·11·17, each of the three numbers 3 − 1, 11 − 1 and 17 − 1 divides 561 − 1 and, consequently, 561 is a Carmichael number. In fact, it is the smallest Carmichael number. Also 1729, 294409 and 56052361 are Carmichael numbers. They are all of the form (6i + 1)(12i + 1)(18i + 1), where the three factors are primes. (The three numbers are obtained for the values i = 1, 6, 35.) All numbers of this form, where the three factors are primes, are Carmichael numbers. There are also Carmichael numbers not of this form, for instance 2465 and 172081. It is not known whether there are infinitely many Carmichael numbers. The probability estimate 2^(−k) for the algorithm described above is not valid if the number m to be tested happens to be a Carmichael number. By this algorithm, our only chance to find out that m is composite is to hit a number w with (w, m) > 1 in our random choice of numbers w.

We now describe a test, referred to as the Solovay-Strassen primality test. It is very similar to the test described above, except that instead of (*) another condition (**) is used. No analogues of Carmichael numbers exist in connection with the latter condition. Thus, by finding more witnesses we always increase the probability that the tested number is a prime. The reader is referred to Appendix 5 for the definition of the Legendre and Jacobi symbols (w/m).
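The two points of the preceding pages in code, as an added example that is not from the book: a designer who takes p = 91 or p = 391 for a prime (the round trip survives exactly when u divides φ_1(n)), and the compositeness test based on (*), with the smallest pseudoprimes to the bases 2, 3, 5 and the Carmichael numbers characterised as the text does. All numbers are the book's.

```python
"""Two points from the pages above: an RSA setup whose 'prime' p is in fact
composite, and the compositeness test based on (*) with its pseudoprimes and
Carmichael numbers. Added example, not code from the book; the numbers are the book's."""
from math import gcd, isqrt, lcm


def prime_factors(m):
    """Distinct prime factors of m by trial division (small m only)."""
    factors, d = [], 2
    while d * d <= m:
        if m % d == 0:
            factors.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors


def is_composite(m):
    return m > 3 and any(m % d == 0 for d in range(2, isqrt(m) + 1))


def setup_with_false_prime(p, q, e, w):
    """The designer takes p for a prime and works with phi1 = (p-1)(q-1).
    Returns phi1, the correct phi(n), u = lcm of r-1 over the true prime factors
    r of n, the d computed from phi1, and whether D(E(w)) = w; the round trip
    works iff u divides phi1."""
    n = p * q
    phi1 = (p - 1) * (q - 1)
    phi, u = n, 1
    for r in prime_factors(n):
        phi = phi // r * (r - 1)
        u = lcm(u, r - 1)
    d = pow(e, -1, phi1)
    return {"phi1": phi1, "phi": phi, "u": u, "d": d,
            "decrypts": pow(pow(w, e, n), d, n) == w}


def fermat_witness(w, m):
    """w is a witness for the primality of m iff (w, m) = 1 and (*) w^(m-1) = 1 (mod m)."""
    return gcd(w, m) == 1 and pow(w, m - 1, m) == 1


def fermat_test(m, bases):
    """'composite' as soon as some base fails (*) or shares a factor with m; else
    'probably prime', although m may be a pseudoprime to every base tried."""
    return "probably prime" if all(fermat_witness(w, m) for w in bases) else "composite"


def smallest_pseudoprime(base):
    """Smallest odd composite m with (base, m) = 1 that satisfies (*) for this base."""
    m = 9
    while not (is_composite(m) and fermat_witness(base, m)):
        m += 2
    return m


def is_carmichael(m):
    """The characterisation quoted in the text: odd, composite, square-free and
    r - 1 divides m - 1 for every prime r dividing m."""
    if m % 2 == 0 or not is_composite(m):
        return False
    return all(m % (r * r) != 0 and (m - 1) % (r - 1) == 0 for r in prime_factors(m))


if __name__ == "__main__":
    print(setup_with_false_prime(91, 41, 7, 2))            # u = 120 divides 3600: decrypts
    print(setup_with_false_prime(391, 281, 19, 8))         # u = 6160 does not divide 109200
    print(pow(8, 19 * 45979 - 1, 109871))                  # 66879
    print(fermat_test(91, [2]), fermat_test(91, [3]))      # composite probably prime
    print([smallest_pseudoprime(b) for b in (2, 3, 5)])    # [341, 91, 217]
    print([m for m in range(3, 3000, 2) if is_carmichael(m)])  # [561, 1105, 1729, 2465, 2821]
```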
Lemma 4.3. If m is an odd prime then, for all w,

(**)   w^((m − 1)/2) ≡ (w/m) (mod m).

Proof. Clearly, (**) holds if m divides w. Otherwise, by Fermat's Little Theorem, (w^(m − 1), mod m) = 1, yielding (w^((m − 1)/2), mod m) = ±1.
Let g be a generator of F*(m) (see Section 3.3), and let w = g^j. Then (w/m) = 1 iff j is even iff (w^((m − 1)/2), mod m) = 1. Thus, both sides of (**) are congruent to ±1, and are congruent to 1 iff j is even. □

Odd composite numbers m satisfying (**), for some w with (w, m) = 1, are called Euler pseudoprimes to the base w. Because (**) implies (*), an Euler pseudoprime to the base w is also a pseudoprime to the base w. The converse is not true: 91 is a pseudoprime but not an Euler pseudoprime to the base 3 because (*) is satisfied but 3^45 ≡ 27 (mod 91), implying that (**) is not satisfied. 91 is an Euler pseudoprime to the base 10. The following lemma is analogous to Lemma 4.2 but deals with (**) instead of (*).
Lemma 4.4. If m is an odd composite number, then at most half of the integers w with 1 ≤ w < m and (w, m) = 1 satisfy (**).

Proof. We first construct a w' such that (**) is not satisfied (for w = w'). Assume that the square p² of a prime p divides m. Then we choose w' = 1 + m/p. Now (w'/m) = 1 but the left side of (**) is not congruent to 1 (mod m), since p does not divide (m − 1)/2. Assume, secondly, that m is a product of distinct primes and p is one of them. Choose any quadratic nonresidue s modulo p and let w', 1 ≤ w' < m, satisfy the congruences

w' ≡ s (mod p), w' ≡ 1 (mod m/p).

Such a w' is found by the Chinese Remainder Theorem. Then (w'/m) = −1 but (w')^((m − 1)/2) ≡ 1 (mod m/p), yielding (w')^((m − 1)/2) ≢ −1 (mod m).

Having constructed a w' such that (**) is not satisfied, we let w_i, 1 ≤ i ≤ t, be all the integers satisfying (**) (as well as the usual conditions 1 ≤ w_i < m, (w_i, m) = 1). Again the numbers u_i = (w' w_i, mod m), 1 ≤ i ≤ t, are all distinct and satisfy 1 ≤ u_i < m and (u_i, m) = 1. If some u_i satisfies (**), we obtain (**) for u_i = w' w_i in place of w. Since w_i satisfies (**), we deduce further

(w')^((m − 1)/2) ≡ (w'/m) (mod m),

contradicting the fact that w' does not satisfy (**). Hence, none of the numbers u_i satisfies (**). There are as many of them as there are numbers w_i. □
The Solovay-Strassen primality test uses (**) exactly in the same way as our earlier algorithm uses (*). To test the primality of m, we first choose a random number w < m. If (w, m) > 1, m is composite. Otherwise, we test the validity of (**). This is easy from the point of view of complexity because the value of (w/m) can be computed fast by the law of quadratic reciprocity. If (**) is not valid, m is composite. Otherwise, we regard w as a witness for the primality of m, choose another random number < m and repeat the procedure. After finding k witnesses, we may conclude by Lemmas 4.3 and 4.4 that the probability of m being composite is at most 2^(−k). The result is stronger than the one obtained for our previous algorithm because Lemma 4.4 shows that there are no analogues of Carmichael numbers when one works with (**). However, the estimate in Lemma 4.4 cannot be improved. There are numbers m which are Euler pseudoprimes to exactly half of all possible bases. Examples are the earlier mentioned Carmichael numbers 1729 and 56052361.
There is still another modification of the primality test, where the estimate in a lemma corresponding to Lemma 4.4 actually can be improved: at most 25% of the possible numbers are (false) witnesses for a composite number m to be prime. We now describe this test, known as the Miller-Rabin primality test. Some number-theoretic facts will be given without proofs; an interested reader is referred to [KO]. The proofs are somewhat more complicated than in connection with the preceding tests.

Assume that m is a pseudoprime to the base w, that is, (*) holds. The idea is to extract successive square roots of the congruence (*) and check whether the first number ≠ 1 on the right side of the congruences thus obtained is actually equal to −1. If m is prime, the first such number must equal −1 because then ±1 are the only square roots of 1 modulo m. Thus we obtain another compositeness test. If m fails this test, that is, the first number different from 1 equals −1, but m is composite, then m is referred to as a strong pseudoprime to the base w.

We now present the formal details. Assume that m is an odd composite number. Let 2^s be the highest power of 2 dividing m − 1, that is,

m − 1 = 2^s r, where r is odd.

Choose a number w with 1 ≤ w < m and (w, m) = 1. Then m is a strong pseudoprime to the base w iff the following condition is satisfied:

(***)   either w^r ≡ 1 (mod m) or w^(2^s' r) ≡ −1 (mod m), for some s' with 0 ≤ s' < s.

Observe that the formal definition specifies the idea of extracting square roots of the congruence w^(m − 1) = w^(2^s r) ≡ 1 (mod m). No further square roots can be extracted if w^r is reached on the left side. It can be shown that a strong pseudoprime m to the base w is also an Euler pseudoprime to the base w. If m ≡ 3 (mod 4) then also the converse holds true: in this case an Euler pseudoprime m to the base w is also a strong pseudoprime to the base w.
In the Miller-Rabin primality test we first compute m − 1 = 2^s r, where m is the given odd integer and r is odd. The random number w is chosen as before and the validity of (***) is tested. If the test fails, then m is composite. Otherwise, we regard w as a witness for the primality of m (in this case m is prime or a strong pseudoprime to the base w) and repeat the procedure for another w. Having found k witnesses for the primality of m, we may conclude that the probability of m being composite is at most 4^(−k). This is a consequence of the following lemma.

Lemma 4.5. If m is an odd composite integer, then m is a strong pseudoprime to the base w for at most 25% of all w's satisfying 1 ≤ w < m.

It is not necessary to check through a large number of bases w in order to be almost sure that m is a prime if it is a strong pseudoprime to each of these bases. For instance, consider the four bases 2, 3, 5, 7. Only one composite number m < 2.5·10^10, namely m = 3215031751, is a strong pseudoprime to each of these four bases. Even a more general statement can be made, assuming that the "Generalized Riemann Hypothesis" is true. Under this assumption, if m is an odd composite integer then (***) fails to be true for at least one w < 2(ln m)². Thus it suffices to test numbers w up to this bound only. In this way the Miller-Rabin primality test is transformed into a deterministic algorithm that works in polynomial time. (The usual Riemann Hypothesis is the assertion that all complex zeros of the Riemann zeta-function which lie on the "critical strip" (where the real part is between 0 and 1) actually lie on the "critical line" (where the real part equals 1/2). The Generalized Riemann Hypothesis is the same assertion for generalizations of the zeta-function referred to as Dirichlet L-series.)

Assume that n is the modulus of RSA. If one is able to find a w such that n is a pseudoprime but not a strong pseudoprime to the base w, then one is able to factorize n. This follows because in such a case one has found a number u ≢ ±1 (mod n) such that u² ≡ 1 (mod n), which implies that (u + 1, n) is a nontrivial factor of n. A way to guard against this in the cryptosystem design is to make sure that p − 1 and q − 1 do not have a large common divisor. We shall still return to matters dealing with (***) in Section 4.4.

Only the oldest and slowest primality test, the sieve of Eratosthenes, actually produces a prime factor of m at the same time it tells that m is composite. The sieve consists of testing the divisibility of m by prime numbers ≤ √m. All faster primality tests usually only tell that m is composite without saying anything about the factors.
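The Solovay-Strassen and Miller-Rabin tests of this section run on the pseudoprimes the text mentions, as an added example that is not code from the book: the Jacobi symbol by reciprocity, conditions (**) and (***), the deterministic variant with the bases 2, 3, 5, 7 below 2.5·10^10, and the factorisation from a base for which n satisfies (*) but not (***). The Carmichael number 1729 with base 2 is this example's own choice of input for the last point.

```python
"""The Solovay-Strassen and Miller-Rabin tests of this section, run on the
pseudoprimes the text mentions, plus the factorisation obtained from a base for
which n satisfies (*) but not (***). Added example, not code from the book."""
from math import gcd
import random


def jacobi(a, m):
    """Jacobi symbol (a/m) for odd m > 0, computed by the law of quadratic reciprocity."""
    if m <= 0 or m % 2 == 0:
        raise ValueError("m must be a positive odd integer")
    a, result = a % m, 1
    while a:
        while a % 2 == 0:            # (2/m) = -1 exactly when m = 3 or 5 (mod 8)
            a //= 2
            if m % 8 in (3, 5):
                result = -result
        a, m = m, a                  # reciprocity: the sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and m % 4 == 3:
            result = -result
        a %= m
    return result if m == 1 else 0


def euler_witness(w, m):
    """(**): (w, m) = 1 and w^((m-1)/2) = (w/m) (mod m)."""
    return gcd(w, m) == 1 and pow(w, (m - 1) // 2, m) == jacobi(w, m) % m


def strong_witness(w, m):
    """(***): with m - 1 = 2^s r, r odd, (w, m) = 1 and either w^r = 1 or
    w^(2^s' r) = -1 (mod m) for some 0 <= s' < s."""
    if gcd(w, m) != 1:
        return False
    s, r = 0, m - 1
    while r % 2 == 0:
        s, r = s + 1, r // 2
    x = pow(w, r, m)
    if x in (1, m - 1):
        return True
    for _ in range(s - 1):
        x = x * x % m
        if x == m - 1:
            return True
    return False


def probable_prime(m, rounds, witness, seed=None):
    """Random-base test: False on the first base that fails, else True with error
    probability at most 2^-rounds for euler_witness (Lemma 4.4) and 4^-rounds
    for strong_witness (Lemma 4.5)."""
    if m < 4:
        return m in (2, 3)
    if m % 2 == 0:
        return False
    rng = random.Random(seed)
    return all(witness(rng.randrange(2, m - 1), m) for _ in range(rounds))


def is_prime_below_25e9(m):
    """Deterministic for 1 < m < 2.5 * 10^10: strong to the bases 2, 3, 5, 7 and
    not the single composite exception 3215031751 quoted in the text."""
    if not 1 < m < 25_000_000_000:
        raise ValueError("outside the range covered by the four bases")
    if m in (2, 3, 5, 7):
        return True
    if m % 2 == 0 or m == 3215031751:
        return False
    return all(strong_witness(w, m) for w in (2, 3, 5, 7))


def fraction_of_witnesses(m, witness):
    """Share of the bases 1 <= w < m, (w, m) = 1, passing the condition (brute force)."""
    bases = [w for w in range(1, m) if gcd(w, m) == 1]
    return sum(witness(w, m) for w in bases) / len(bases)


def factor_from_square_roots(n, w):
    """If n satisfies (*) for w but not (***), extracting square roots of
    w^(n-1) = 1 reaches u with u^2 = 1 and u != +-1 (mod n); then (u + 1, n) is
    a non-trivial factor of n. Returns that factor, or None."""
    if pow(w, n - 1, n) != 1:
        return None
    s, r = 0, n - 1
    while r % 2 == 0:
        s, r = s + 1, r // 2
    x = pow(w, r, n)
    for _ in range(s):
        y = x * x % n
        if y == 1 and x not in (1, n - 1):
            return gcd(x + 1, n)
        x = y
    return None


if __name__ == "__main__":
    print(euler_witness(3, 91), euler_witness(10, 91))                 # False True
    print(fraction_of_witnesses(1729, euler_witness))                  # 0.5
    print([strong_witness(w, 3215031751) for w in (2, 3, 5, 7, 11)])   # four True, then False
    print(probable_prime(2773, 20, strong_witness, seed=1))            # False
    print(factor_from_square_roots(1729, 2))                           # 13
```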
Many factorization methods are known. We do not discuss them here, since none of them is feasible for the standard RSA with n having approximately 200 digits. So far the asymptotically fastest factorization algorithms are conjectured to run in time
O(e^{a√(ln n ln ln n)}),
where the constant a = 1 + ε for ε arbitrarily small. At the time of this writing, factorization of 100-digit numbers is computationally feasible.
4.4 Cryptanalysis and Factoring
We have already emphasized that there are no formal results to the effect that factoring n is actually needed in the cryptanalysis of RSA. It is conceivable that cryptanalysis can be carried out by entirely different means. However, if such other means disclose some of the secret trapdoor items, then they also lead to fast factoring of n. This will now be shown. The first result is very simple.
Lemma 4.6. Any algorithm for computing φ(n) is applicable, without increase in complexity, for factoring n.
Proof: The factor p can be immediately computed from the equations p + q = n - φ(n) + 1 and p - q = √((p + q)^2 - 4n).
Assume next that we have a method to compute the decryption exponent d. We want to show how this method can be used to factor n. The matter is not so straightforward as in Lemma 4.6. Moreover, the resulting factorization algorithm will be probabilistic. The probability of failure can be made arbitrarily small. The complexity of the new algorithm is not essentially higher than that of the algorithm for computing d. Of course the complexity of the new algorithm depends on the fixed probability but, for any probability, the new algorithm runs in polynomial time, provided the algorithm for computing d does so.
Theorem 4.1. An algorithm for computing d can be converted into a probabilistic algorithm for factoring n.
Proof: The proof is based on similar ideas as the discussion on pseudoprimes and strong pseudoprimes in Section 4.3. We present a proof independent of the latter discussion for two reasons. Instead of a general m, we are dealing here with the special case of an RSA modulus n and, secondly, a reader might want to study Theorem 4.1 without going into primality tests. In the proof we are using numbers w satisfying the conditions 1 ≤ w < n and (w, n) = 1. These conditions are not repeated but should be kept in mind. It is clear that if a random choice of w < n satisfies (w, n) > 1 then we are immediately able to factor n. This holds true also if we have found a nontrivial square root of 1 (mod n), that is, a number u with the properties
u ≢ ±1 (mod n) and u^2 ≡ 1 (mod n).
Then (u + 1)(u - 1) is divisible by n but the factors are not and, consequently, (u + 1, n) equals either p or q. (This was observed already in Section 4.3.) Since the given algorithm computes d, we can immediately obtain ed - 1 in the form
ed - 1 = 2^s r, s ≥ 1, r odd.
Since ed - 1 is a multiple of φ(n), we obtain the congruence
w^{2^s r} ≡ 1 (mod n)
for an arbitrary w. (Recall the additional conditions for w.) Consequently, there is a smallest s' with 0 ≤ s' ≤ s such that the congruence
w^{2^{s'} r} ≡ 1 (mod n)
is valid. If now
(*) s' > 0 and w^{2^{s'-1} r} ≢ -1 (mod n),
we have found a nontrivial square root of 1 (mod n) and, therefore, completed the proof. Assume that (*) is not satisfied, that is,
(*)' w^r ≡ 1 (mod n) or w^{2^t r} ≡ -1 (mod n), for some t, 0 ≤ t < s.
Here the first congruence says that we have been able to reduce s' to 0 without encountering anything incongruent to 1 and, the second, that the value s' - 1 = t actually produces something congruent to -1. We now determine an upper bound for the numbers w satisfying (*)'. Such numbers w are unwanted from the point of view of factorization whereas, as we already observed, numbers w satisfying (*) are wanted. Think of p - 1 and q - 1 written in the form
p - 1 = 2^i a, q - 1 = 2^j b, where a and b are odd.
We assume i ≤ j without loss of generality. Since 2^s r is a multiple of φ(n), also r is a multiple of ab. Hence, if t ≥ i then 2^t r is a multiple of p - 1 and, consequently,
w^{2^t r} ≡ 1 (mod p).
From this we obtain further w^{2^t r} ≢ -1 (mod p), yielding w^{2^t r} ≢ -1 (mod n). This means that (*)' is never satisfied for t ≥ i. Since clearly i < s, we may write (*)' in the equivalent form
(*)'' w^r ≡ 1 (mod n) or w^{2^t r} ≡ -1 (mod n), for some t, 0 ≤ t < i.
We now estimate the number of w's satisfying the first congruence in (*)''. Let g be a generator of F*(p) and assume that w ≡ g^u (mod p). (It should be emphasized that in this proof we talk about numbers we are actually unable to compute. Such numbers are used only to justify the algorithm and do not appear in the execution.) Clearly, each of the congruences
w^r ≡ 1 (mod p) and ur ≡ 0 (mod p - 1)
implies the other. Hence, the congruences have the same number of solutions for the unknowns w and u. The number of solutions for the latter congruence equals (r, p - 1) = a. Therefore, a is also the number of solutions for the former congruence. Exactly in the same way we see that b is the number of solutions for the congruence w^r ≡ 1 (mod q). This implies that ab is the number of solutions for the congruence w^r ≡ 1 (mod n). (Note that every pair of solutions for the p- and q-congruences yields a solution for the n-congruence by the Chinese Remainder Theorem. There are altogether ab such pairs.) We estimate, secondly, the number of w's satisfying the second condition in (*)''. Arguing exactly as before, we infer that the number of solutions w for the congruence
w^{2^{t+1} r} ≡ 1 (mod p) (resp. w^{2^t r} ≡ 1 (mod p))
equals (2^{t+1} r, p - 1) = 2^{t+1} a (resp. (2^t r, p - 1) = 2^t a). This follows because t + 1 ≤ i. Consequently, the number of solutions for the congruence
w^{2^t r} ≡ -1 (mod p)
is at most 2^{t+1} a - 2^t a = 2^t a. In the same way we conclude that the number of solutions for the congruence w^{2^t r} ≡ -1 (mod q) is at most 2^t b. (Here the inequality i ≤ j is needed: t + 1 ≤ i ≤ j.) This implies that the number of solutions w for the congruence w^{2^t r} ≡ -1 (mod n) is at most 2^t a · 2^t b = 2^{2t} ab. We are now ready to give an upper bound for the number of unwanted w's, that is, w's satisfying (*)' or, equivalently, (*)''. Such an upper bound is obtained by adding the numbers of solutions for the first and second congruence in (*)'', the latter number being the sum over the possible values of t:
ab + ab Σ_{t=0}^{i-1} 2^{2t} = ab(1 + Σ_{t=0}^{i-1} 4^t) = ab(1 + (4^i - 1)/3) ≤ 2^{i+j-1} ab = φ(n)/2.
(Here the fact 1 ≤ i ≤ j has been used.) Since φ(n) is the number of all possible w's, at most 50% of all w's are unwanted. This means that, after testing k w's, the probability of not finding a wanted w is at most 2^{-k}, converging rapidly to 0. In the argument above, we may consider also w's with (w, n) > 1 as wanted. Hence, the number of all possible w's is n - 1, of which φ(n)/2 is less than 50%. However, this improvement of the estimate is negligible, since w's with (w, n) > 1 are very rare exceptions. Assuming the Generalized Riemann Hypothesis, one can show that there are very small wanted w's. This implies that Theorem 4.1 can be expressed, for instance, in the form: any deterministic polynomial-time algorithm for computing d can be converted into a deterministic polynomial-time algorithm for factoring n.
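Lemma 4.6 and the algorithm of Theorem 4.1 carried out in code, as an added example that is not part of the book. Both functions are named here (factor_from_phi, factor_from_d); the modulus n = 3233 = 53·61 with e = 17, d = 2753 is a constructed toy key. The practical reading for a defender is the one the text gives: a leaked d (or φ(n)) is a leaked factorization, so the whole key, not just the exponent, must be retired.

```python
import math


def factor_from_phi(n, phi):
    """Lemma 4.6: recover p and q from n and phi(n).

    p + q = n - phi(n) + 1 and p - q = sqrt((p + q)^2 - 4n).
    """
    s = n - phi + 1                          # p + q
    disc = s * s - 4 * n                     # (p - q)^2
    diff = math.isqrt(disc)
    if diff * diff != disc:
        raise ValueError("phi is not phi(n) for a two-prime modulus n")
    p, q = (s + diff) // 2, (s - diff) // 2
    assert p * q == n
    return q, p                              # smaller factor first


def factor_from_d(n, e, d, max_tries=10_000):
    """Theorem 4.1: turn a known decryption exponent into a factorization of n.

    e*d - 1 = 2^s r is a multiple of phi(n), so w^(2^s r) == 1 (mod n) for every w coprime
    to n. Walking w^r, w^(2r), ... until the value 1 appears, the predecessor u is either
    -1 (an 'unwanted' w, condition (*)') or a nontrivial square root of 1, in which case
    gcd(u + 1, n) is p or q. Bases are tried as w = 2, 3, ...; at least half of all bases
    are wanted, so a random choice would do just as well.
    """
    s, r = 0, e * d - 1
    while r % 2 == 0:
        s += 1
        r //= 2
    for w in range(2, 2 + max_tries):
        g = math.gcd(w, n)
        if g > 1:                            # w itself shares a factor with n
            return tuple(sorted((g, n // g)))
        x = pow(w, r, n)
        if x in (1, n - 1):                  # unwanted base: w^r == +-1 already
            continue
        for _ in range(s):
            y = x * x % n
            if y == 1:                       # x is a nontrivial square root of 1 (mod n)
                g = math.gcd(x + 1, n)
                return tuple(sorted((g, n // g)))
            if y == n - 1:                   # met -1 before 1: unwanted base, try the next w
                break
            x = y
    raise RuntimeError("no wanted base among the first max_tries candidates")
```
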
RSA is applicable also to an environment where the moduli, as well as encryption and decryption exponents, are distributed by an agency which all parties involved trust. Assume that the agency publicizes a modulus n common to everybody, as well as the encryption exponents e_A, e_B, ... of the users A, B, ... . In addition, the agency distributes to the users individually the secret decryption exponents d_A, d_B, ... . The primes p and q are known to the agency only. This setup is vulnerable in the sense of the following theorem. The method is similar to that of Theorem 4.1. The result can be viewed as an example of cryptanalysis without factoring n.
Theorem 4.2. In the setup described above any user is able to find in deterministic cubic time another user's secret decryption exponent (without factoring n).
Proof: We show how B can find d_A. For some k,
e_B d_B - 1 = kφ(n).
B does not know k but knows e_B, d_B, e_A and n. Let t be some number dividing e_B d_B - 1 and satisfying
α = (e_B d_B - 1)/t, where (α, e_A) = 1.
We cannot choose t = (e_B d_B - 1, e_A) because, for instance, the square of a factor of e_A may divide e_B d_B - 1. There is, however, a simple deterministic algorithm, running in cubic time, for computing t and α. In fact, denote
e_B d_B - 1 = g_0, (g_0, e_A) = h_0
and define inductively, for i ≥ 1,
g_i = g_{i-1}/h_{i-1}, (g_i, e_A) = h_i.
For h_l = 1, we may choose t = h_0 h_1 ... h_{l-1} and α = g_l. For h_i ≥ 2, we have g_{i+1} ≤ g_i/2. This means that h_l = 1 is found in a linear number of steps. At each step, Euclid's algorithm is called, yielding altogether the cubic time estimate. B now computes by Euclid's algorithm a and b such that
aα + b e_A = 1,
where b is chosen to be positive. Observe that φ(n) divides α because α = kφ(n)/t, where k/t is an integer because (t, φ(n)) = 1. The latter equation follows because (e_A, φ(n)) = 1 and, hence, t is a product of numbers, none of which has a nontrivial factor common with φ(n). The observation implies the congruence
b e_A ≡ 1 (mod φ(n)),
and hence b (reduced modulo n) can be used as d_A.
Although in Theorem 4.2 B constructs d_A without factoring n, Theorem 4.1 can then be used to factor n.
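The computation of Theorem 4.2 as an added example (not the book's code), illustrating why a key-issuing agency must never share one modulus between users. The helper names (egcd, strip_common_factors, recover_other_exponent) are chosen here. The sample key is constructed: n = 3233 with φ(n) = 3120, B holds e_B = 17 and d_B = 8993 (so e_B d_B - 1 = 49·φ(n)), and A's public exponent is e_A = 7, chosen so that the loop over h_i actually has to strip a repeated factor of e_A.

```python
import math


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def strip_common_factors(g0, e_A):
    """The t / alpha computation of the proof.

    Starting from g_0 = e_B d_B - 1, repeatedly divide by h_i = gcd(g_i, e_A) until the
    gcd is 1. Returns (t, alpha) with t = h_0 h_1 ... h_{l-1} and alpha = g_l coprime to e_A.
    """
    t, g = 1, g0
    while True:
        h = math.gcd(g, e_A)
        if h == 1:
            return t, g
        t *= h
        g //= h                      # each step at least halves g, so the loop is short


def recover_other_exponent(e_B, d_B, e_A):
    """What user B can compute about A when both share the modulus n.

    B knows its own pair (e_B, d_B) and A's public e_A. The result b satisfies
    b * e_A == 1 (mod phi(n)) and therefore works as a decryption exponent for A.
    """
    g0 = e_B * d_B - 1               # = k * phi(n) for some k unknown to B
    t, alpha = strip_common_factors(g0, e_A)
    g, a, b = egcd(alpha, e_A)       # a*alpha + b*e_A == 1
    assert g == 1
    if b < 0:
        b += alpha                   # alpha is a multiple of phi(n), so b stays an inverse of e_A
    return b
```

The returned exponent is congruent to d_A modulo φ(n), which is all an exponent needs to be; with the sample values it is exactly 1783, the inverse of 7 modulo 3120.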
4.5 Partial Information on RSA
The general question about partial information is very important in cryptography. Is it possible for the cryptanalyst to obtain some partial information about the plaintext, such as the last bit of the plaintext, although it might be intractable to get the whole plaintext? Sometimes such partial information might be crucially important. There are many results for RSA to the effect that certain parts are as hard as the whole. In general, such results are of the following form. Suppose that we have an algorithm for obtaining about RSA certain partial cryptanalytic information, such as the last bit of the plaintext corresponding to an intercepted cryptotext. The algorithm is supposed to work in every instance of RSA cryptotexts. Then this algorithm can be converted, without too much increase in computational complexity, into a cryptanalytic algorithm that breaks RSA. What this means is that, whenever RSA leaks such partial information, then the security can be entirely broken. If we trust that RSA cannot be broken, we can also be confident that no partial information of the kind dealt with in the results can be obtained. Of course, some partial information is always easily obtainable. For instance, if the last decimal digit of n is 3, then the last decimal digits of p and q are 1 and 3, or 7 and 9. Such partial information is not likely to disclose anything about the plaintext. Are such results to the effect that certain parts are as hard as the whole a token of cryptographic strength or weakness? One can argue in both ways. If one has confidence in the system, security of the parts certainly adds to the confidence. When in doubt, the possibility of breaking the system by partial cryptanalysis makes the situation even more doubtful. A convenient way to present results, where the existence of an algorithm is presupposed without giving any details of the algorithm, is to use an oracle. The oracle gives an answer to any question that the presupposed algorithm is able to settle, for instance, tells the last bit of a plaintext. The algorithm to be constructed, for instance, an algorithm for finding the whole plaintext, may during the computation ask questions of the proper form from the oracle. Such questions may be asked without any cost, that is, they do not affect the complexity. Thus, the complexity of the new algorithm depends on the "additional" steps only, and not on the complexity of the presupposed algorithm. If the latter is known, it is easy to estimate the complexity of the new algorithm, where the oracle is replaced by steps of the presupposed algorithm. The use of oracles is depicted in Fig. 4.1.
Fig. 4.1
We begin with a simple illustration showing how an algorithm telling whether or not a plaintext x is less than n/2 can be used to obtain more information about x. Thus, we have at our disposal the following oracle O(size):
Fig. 4.2
This means that, given an input consisting of a public encryption key and the encrypted version of x, O(size) tells whether or not x < n/2. We now construct an algorithm A telling in which of the intervals (jn/8, (j + 1)n/8), 0 ≤ j ≤ 7, the plaintext x lies. Given the input consisting of e, n and (x^e, mod n), the algorithm only has to compute the numbers
(*) (2^e x^e, mod n) and (4^e x^e, mod n),
and ask three questions from the oracle. Hence, the increase in complexity from any algorithm doing the job of O(size) to the algorithm A is negligible. The three questions asked from the oracle are the one depicted in Fig. 4.2, and the questions where x^e is replaced by (2x)^e and (4x)^e. The latter two questions can be asked because the algorithm A has computed the numbers (*). The position of x depends on the answers to the three questions, posed in the order mentioned, according to the following table.
Answers          Interval
yes, yes, yes    0 < x < n/8
yes, yes, no     n/8 < x < n/4
yes, no, yes     n/4 < x < 3n/8
yes, no, no      3n/8 < x < n/2
no, yes, yes     n/2 < x < 5n/8
no, yes, no      5n/8 < x < 3n/4
no, no, yes      3n/4 < x < 7n/8
no, no, no       7n/8 < x < n
It is easy to verify the results. For instance, assume that O(size) has given the information
x > n/2, (2x, mod n) < n/2, (4x, mod n) < n/2,
that is, the sequence of answers "no, yes, yes". The first two inequalities tell us that n/2 < x < 3n/4, because if x > 3n/4, then (2x, mod n) > n/2 and we would have "no" as the second answer. Combining this information with the last inequality, we obtain n/2 < x < 5n/8, because again 5n/8 < x < 3n/4 would imply (4x, mod n) > n/2. This procedure can be carried out until the intervals become so small that x is uniquely determined by the interval to which it belongs. We will now present the details explicitly. It will be convenient to use also the oracle O(parity) that will tell the parity of x. If we work with binary notation, O(parity) is naturally depicted as follows.
Fig. 4.3: O(parity) takes the input n, e, (x^e, mod n) and outputs 0 if x is even, 1 if x is odd.
Thus, the oracle tells the last bit of x. We will now show how, using O(parity), x can be constructed bit by bit from the right. Denote by N the number of bits in n (where 1 is the leading bit). Thus, N = [log_2 n] + 1. We also use the operators B and M producing from a number > 0 the corresponding binary sequence, and vice versa. For instance, B(91) = 1011011 and M(1011011) = 91. B(x) always begins with 1. The operators B and M are sometimes needed to avoid confusion. For two sequences of bits, t and u, we denote by tu the sequence of bits obtained by writing t and u one after the other. The sequence tu is referred to as the catenation of t and u. As usual, we denote by |t| the length of the sequence t. If M(t) ≥ M(u), we denote by LAST(t - u) the last |u| bits in the sequence B(M(t) - M(u)), where 0's are added to the beginning if |B(M(t) - M(u))| < |u|. In general, if LAST(t - u) = D then |D| = |u| and, for some w, B(M(t) - M(u)) is a suffix of wD. For instance,
LAST(1011011 - 1010111) = 0000100, LAST(1011011 - 111) = 100.
In the first case w is empty and, in the second case, w = 1010. The condition M(t) ≥ M(u) guarantees that LAST(t - u) is always defined. Let K be the inverse of 2^e (mod n), that is,
2^e K ≡ 1 (mod n).
The number K is found rapidly by Euclid's algorithm. Given (x^e, mod n), we now define inductively r(i) and ANS(i), for 1 ≤ i ≤ N. By definition, r(1) = (x^e, mod n) and ANS(1) is the answer given by O(parity) to the input x^e. (We express the input in this short form because the items n and e remain unaltered during the discussion.) Assume that r(i - 1) and ANS(i - 1) have already been defined, for some i ≥ 2. Then
r(i) = (r(i - 1)K, mod n) if ANS(i - 1) = 0,
r(i) = ((n - r(i - 1))K, mod n) if ANS(i - 1) = 1,
and ANS(i) is the oracle's answer to the input r(i). Observe that it follows from the definition that r(i) is of the form (y^e, mod n), for some y. Secondly, we define t(i), N ≥ i ≥ 1, by descending induction. First,
t(N) = ANS(N).
Assume that t(i), i ≥ 2, has already been defined. Then
t(i - 1) = t(i)0 if ANS(i - 1) = 0,
t(i - 1) = LAST(B(n) - t(i)0) if ANS(i - 1) = 1 and M(t(i)0) < n,
t(i - 1) = LAST(t(i)0 - B(n)) if ANS(i - 1) = 1 and M(t(i)0) > n.
Here the separation of ANS(i - 1) = 1 into two subcases is needed to guarantee that LAST is defined. In fact, the latter subcase occurs iff i = 2 and M(t(2)) > n/2. For instance, n = 21, B(n) = 10101 and t(2) = 1101. As an example, take the first illustration in Example 4.1. We have n = 55, e = 7, N = 6 and B(n) = 110111. Euclid's algorithm gives K = 52. Assume that x^e = 49. (We write x^e instead of (x^e, mod n) for simplicity.) We obtain first
r(1) = 49, ANS(1) = 0,
r(2) = (49·52, mod 55) = 18, ANS(2) = 0,
r(3) = (18·52, mod 55) = 1, ANS(3) = 1,
r(4) = (54·52, mod 55) = 3, ANS(4) = 1,
r(5) = (52·52, mod 55) = 9, ANS(5) = 0,
r(6) = (9·52, mod 55) = 28, ANS(6) = 1.
Of course, the values ANS(i) are not computed but obtained from the oracle. In this simple case they can be seen from the table given in Example 4.1. Let us now compute the values t(i). The values t(6) = 1 and t(5) = 10 are immediate by the definition. Since ANS(4) = 1, we obtain t(4) = LAST(110111 - 100) = 011. Similarly, t(3) = LAST(110111 - 0110) = 0001. The remaining values are again obtained by direct catenation: t(2) = 00010 and t(1) = 000100. It can now be immediately verified that t(1) is the binary representation of x in N bits: 4^7 ≡ 49 (mod 55). This is true also in general.
Theorem 4.3. In the notation defined above, M(t(1)) = x.
Before proving Theorem 4.3, we observe that the oracle has to be consulted N times in order to find x. In addition, one application of Euclid's algorithm, as well as at most N - 1 modular multiplications and at most 2N subtractions are needed. Thus, the cryptanalytic algorithm for finding x is very fast if the oracle may be consulted without cost. In this sense a method for finding the last bit of the plaintext yields a method for finding the entire plaintext.
Proof of Theorem 4.3. For 1 ≤ i ≤ N, we denote by u(i) the number satisfying
u(i)^e ≡ r(i) (mod n), 0 < u(i) < n.
Such numbers u(i) exist by the definition of r(i). More specifically, the relation 2^e r(i) ≡ ±r(i - 1) (mod n) shows how the numbers u(i) can be constructed successively. We denote also v(i) = 0^j B(u(i)), where j = N - |B(u(i))|. Then j ≥ 0 because u(i) < n. Thus, v(i) is always a binary sequence of length N. We now claim that, for N ≥ i ≥ 1, there is a w(i), possibly empty, such that
(*) v(i) = w(i)t(i).
Theorem 4.3 follows from (*) where we substitute i = 1. Observe first that |t(1)| = N because |t(N)| = 1 and the length increases by one in every transition from t(i) to t(i - 1). Since |v(1)| = N, (*) implies that w(1) must be empty and that v(1) and t(1) are the same binary sequence. On the other hand, M(v(1)) = x and, consequently, M(t(1)) = x. Our claim (*) is established by descending induction on i. For i = N, (*) holds true because by definition the last bit of v(N) equals the last bit of B(u(N)) which, in turn, equals ANS(N) = t(N). The inductive hypothesis is that (*) holds for the value i. Consider the value i - 1. Assume first that ANS(i - 1) = 0. Then r(i) = (r(i - 1)K, mod n) and, consequently,
r(i - 1) ≡ 2^e r(i) ≡ (2u(i))^e (mod n),
which implies that u(i - 1) = (2u(i), mod n). If B(u(i - 1)) = B(u(i))0 we obtain, by the inductive hypothesis and the definition of t(i - 1),
v(i - 1) = w(i - 1)t(i)0 = w(i - 1)t(i - 1)
and, therefore, (*) holds for the value i - 1 where w(i - 1) is obtained from w(i) by
omitting one 0 from the beginning. On the other hand, B(u(i - 1)) ≠ B(u(i))0 implies that u(i - 1) = 2u(i) - n. (Clearly, 2u(i) < 2n.) Hence, u(i - 1) is odd, which contradicts the assumption ANS(i - 1) = 0. This shows that B(u(i - 1)) = B(u(i))0. Assume, secondly, that ANS(i - 1) = 1. In this case
r(i - 1) ≡ -2^e r(i) ≡ -2^e u(i)^e ≡ (-2u(i))^e (mod n).
Here the last congruence follows because e is odd. This implies that u(i - 1) = (-2u(i), mod n). If n > 2u(i), then
v(i - 1) = w(i - 1)LAST(B(n) - t(i)0) = w(i - 1)t(i - 1).
If n < 2u(i), then
v(i - 1) = w(i - 1)LAST(t(i)0 - B(n)) = w(i - 1)t(i - 1).
The two alternatives correspond to the separation of ANS(i - 1) = 1 into two subcases in the definition of t(i - 1). This completes the inductive step and, consequently, (*) holds. The following Example 4.2 illustrates further various points in the above construction.
Example 4.2. Let us see first how u(i) and v(i) look like in the illustration given just before Theorem 4.3. Here again the table in Example 4.1 is useful. We obtain
u(6) = 7, v(6) = 000111,
u(5) = 14, v(5) = 001110,
u(4) = 27, v(4) = 011011,
u(3) = 1, v(3) = 000001,
u(2) = 2, v(2) = 000010,
u(1) = 4, v(1) = 000100.
Comparing the values v(i) and the previously computed values t(i), we infer that w(1) is empty and
w(2) = 0, w(3) = 00, w(4) = 011, w(5) = 0011, w(6) = 00011.
As a second illustration, consider n = 57, e = 5, (x^e, mod n) = 48. We obtain first N = 6, B(n) = 111001, K = 41, and then the following values.
i   r(i)   ANS(i)   t(i)     u(i)   v(i)
1   48     1        100001   33     100001
2   27     0        01100    12     001100
3   24     0        0110     6      000110
4   15     1        011      3      000011
5   12     1        11       27     011011
6   21     1        1        15     001111
The next illustration is somewhat bigger. Consider n = 8137, e = 517, (x^e, mod n) = 5611. In this case we have N = 13, B(n) = 1111111001001, 2^517 = 2^512 · 32 ≡ 6905·32 ≡ 1261 (mod 8137), whence K = 342. The resulting values of r(i), ANS(i) and t(i) are as follows.
i    r(i)   ANS(i)   t(i)
1    5611   0        0000000010000
2    6767   0        000000001000
3    3406   0        00000000100
4    1261   0        0000000010
5    1      1        000000001
6    7795   0        11100100
7    5091   0        1110010
8    7941   1        111001
9    1936   0        01000
10   3015   0        0100
11   5868   0        010
12   5154   1        01
13   3061   0        0
Consequently, x = M(t(1)) = 16. The table can be filled in fast if the oracle can actually be consulted. However, because we do not have any oracle available, the values in the table have to be computed by some other method. Such a method cannot be tractable computationally or, otherwise, we are able to break RSA! In the computations above x = 16 was known a priori. Then the t- and ANS-columns can be computed top down. Once the ANS-column is known, the computation of the r-column is immediate. In this particular example we have φ(n) = 7956 and d = 277.
Stronger results can be obtained for probabilistic algorithms. Given (x^e, mod n), we are always able to guess the last bit of x with probability 1/2. Suppose, however, that we have a slight advantage in guessing, that is, there is a positive ε such that we are always able to guess the last bit of x with probability 1/2 + ε. Then we are able to break RSA. More explicitly, the following result is shown in [SchA]. Suppose the oracle O(parity, ε) tells the last bit of x with probability ≥ 1/2 + ε, after receiving the input consisting of n, e and (x^e, mod n). If the oracle can be consulted without cost, there is a probabilistic polynomial time algorithm for computing x from the input mentioned. The algorithm is of Las Vegas type because the output can be checked by modular exponentiation.
We have considered an oracle telling the last bit of x. The result can be extended to concern oracles informing some other bit of x as well. In particular, the technique of Theorem 4.3 is almost directly applicable to the case where the oracle tells the jth bit from the end in B(x), and the binary representation of n ends with at least j 1's. In Theorem 4.3 we have j = 1. Instead of O(parity), we may as well use the oracle O(size) in considerations connected with Theorem 4.3. Indeed, for all z with 0 < z < n, we have z < n/2 iff (2z, mod n) is even. Because of this fact, each of the two oracles simulates the other.
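The bit-by-bit reconstruction of Theorem 4.3 and the three-question interval algorithm for O(size), as an added example that is not part of the book. Since no real oracle exists (the text stresses that a tractable one would break RSA), make_oracles builds constructed stand-ins that cheat by decrypting with d; the function names are chosen here. The examples are the book's own: n = 55, e = 7, x^e = 49 (d = 23), n = 57, e = 5, x^e = 48 (d = 29) and n = 8137, e = 517, x^e = 5611 (d = 277). The point for a practitioner is the one the section makes: a padding or implementation that leaks even the parity of the plaintext leaks all of it.

```python
def last_bits(difference, width):
    """LAST(t - u): the last `width` bits of B(M(t) - M(u)), padded with 0's on the left."""
    assert difference >= 0, "LAST is only defined for M(t) >= M(u)"
    return format(difference % (1 << width), f"0{width}b")


def recover_plaintext(n, e, c, parity_oracle):
    """Theorem 4.3: rebuild x from c = (x^e, mod n) with N consultations of O(parity).

    Returns (x, t) where t[i] is the bit string t(i) of the construction (t[0] is unused).
    """
    N = n.bit_length()                      # N = [log2 n] + 1
    K = pow(pow(2, e, n), -1, n)             # 2^e K == 1 (mod n), found by Euclid's algorithm
    r = [None] * (N + 1)
    ans = [None] * (N + 1)
    r[1], ans[1] = c, parity_oracle(c)       # r(1) = x^e, ANS(1) = last bit of x
    for i in range(2, N + 1):                # forward pass: r(i) encrypts +-u(i-1)/2
        r[i] = r[i - 1] * K % n if ans[i - 1] == 0 else (n - r[i - 1]) * K % n
        ans[i] = parity_oracle(r[i])
    t = [None] * (N + 1)
    t[N] = str(ans[N])                       # t(N) = ANS(N)
    for i in range(N, 1, -1):                # backward pass: t(i) -> t(i-1)
        t0 = t[i] + "0"
        m = int(t0, 2)
        if ans[i - 1] == 0:
            t[i - 1] = t0                                    # u(i-1) = 2u(i)
        elif m < n:
            t[i - 1] = last_bits(n - m, len(t0))             # u(i-1) = n - 2u(i)
        else:
            t[i - 1] = last_bits(m - n, N)                   # second subcase, keeps LAST defined
    return int(t[1], 2), t


def interval_index(n, e, c, size_oracle):
    """Three O(size) questions, about x, 2x and 4x, give j with x in (jn/8, (j+1)n/8)."""
    answers = [size_oracle(pow(k, e, n) * c % n) for k in (1, 2, 4)]    # (kx)^e = k^e x^e
    # a "no" to question k+1 sets bit (2-k) of j, exactly as in the answer table above
    return sum((0 if yes else 1) << (2 - k) for k, yes in enumerate(answers))


def make_oracles(n, d):
    """Constructed stand-ins for O(parity) and O(size): they cheat by decrypting with d.

    A real oracle would be some presupposed algorithm that works without d.
    """
    def parity(c):
        return pow(c, d, n) & 1              # last bit of x
    def size(c):
        return 2 * pow(c, d, n) < n          # True iff x < n/2
    return parity, size
```

recover_plaintext consults the oracle exactly N times and does N - 1 modular multiplications, matching the operation count stated before the proof.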
4.6 Discrete Logarithms and Key Exchange
Assume that in RSA only the modulus n is public but the encryption exponent e is kept secret. Assume, further, that the cryptanalyst has intercepted at least one pair (w, w^e) and tries to break the system, that is, to find the decryption exponent d by the "known plaintext" approach. The cryptanalyst then faces the problem of finding the logarithm of w to the base w^e (mod n). This is a special case of computing discrete logarithms. Many cryptosystems, public-key or otherwise, based on discrete logarithms have been proposed. When used as a basis for a cryptosystem, the computation of discrete logarithms is assumed to be intractable. If we consider the equation a^x = y for positive real numbers, the difficulty of determining x from a and y to prescribed accuracy is approximately the same as determining y from a and x. Both problems amount to multiplications, divisions and table look-up dealing with precomputed logarithms to any base. As regards discrete logarithms, the situation is entirely different. Modular exponentiations can be carried out reasonably fast; we already have discussed this and presented numerous examples. The presumable intractability of the inverse operation, taking discrete logarithms, was used already in Section 3.5. The general notion of a discrete logarithm can be formulated as follows. Let g be an element of a finite group G and let y be another element of G. Then any integer x such that g^x = y is called a discrete logarithm of y to the base g. Clearly, every element y of G has a discrete logarithm to the base g iff G is cyclic with the generator g. For instance, in the multiplicative group of positive integers modulo 7 only the numbers 1, 2, 4 have a discrete logarithm to the base 2, whereas all numbers have a discrete logarithm to the base 3 according to the table
Number      1  2  3  4  5  6
Logarithm   6  2  1  4  5  3
Tables of discrete logarithms in simple cases were considered also in Section 3.5. Of course, groups of small cardinality present no computational difficulties. There are also efficient algorithms for computing discrete logarithms in some special cases, such as the algorithm of D. Coppersmith, [Cop], for finite fields F(2^h).
However, in the general case the known algorithms for computing discrete logarithms in groups of order m are roughly of the same complexity in terms of m as the algorithms for factorizing m. Perhaps the best general-purpose algorithm, due to Silver, Pohlig and Hellman, [PoH] and [Odl], works very efficiently if all prime factors of m are small. The algorithm is described in the following example.
Example 4.3. Let F(q), q = r^h, be a finite field. Consider discrete logarithms to the base g, where g is a generator for F*(q). For each prime divisor p of q - 1, we compute the numbers
a(i, p) = (g^{i(q-1)/p}, mod q), 0 ≤ i < p.
If every p dividing q - 1 is small, the size of the precomputed table consisting of the auxiliary numbers a(i, p) is manageable. For instance, consider F(181) and g = 2. (2 is indeed a generator.) Now 180 = 2^2 · 3^2 · 5 and the table of the numbers a(i, p) looks as follows.
p = 2:   a(0, 2) = 1,   a(1, 2) = 180
p = 3:   a(0, 3) = 1,   a(1, 3) = 48,   a(2, 3) = 132
p = 5:   a(0, 5) = 1,   a(1, 5) = 59,   a(2, 5) = 42,   a(3, 5) = 125,   a(4, 5) = 135
Let us now compute the discrete logarithm z of 62 to the base 2. In general, if q - 1 = Π p^a then, to find the discrete logarithm x of y to the base g, it suffices to find (x, mod p^a) for each p in the prime factorization of q - 1. Using the Chinese Remainder Theorem, x is then easily computed from the values (x, mod p^a). To compute (x, mod p^a), we consider the representation of this number to the base p:
(x, mod p^a) = x_0 + x_1 p + ... + x_{a-1} p^{a-1}, 0 ≤ x_i ≤ p - 1.
In the example we consider the factor p^a = 3^2 and write (z, mod 9) = x_0 + 3x_1. To find x_0, we compute the number (y^{(q-1)/p}, mod q) which equals a(i, p), for some i. We choose x_0 = i. In the example (62^{60}, mod 181) = 48 and, hence, x_0 = 1. This works in general because (g^{q-1}, mod q) = 1 and, hence,
y^{(q-1)/p} ≡ g^{x(q-1)/p} ≡ g^{x_0(q-1)/p} ≡ a(x_0, p) (mod q).
To obtain x_1, we compute first the inverse g^{-x_0} of g^{x_0} (mod q) and consider y_1 = yg^{-x_0}. If now
(y_1^{(q-1)/p^2}, mod q) = a(i, p),
then x_1 = i. To obtain x_2, we consider the number y_2 = yg^{-x_0 - x_1 p} and compute (y_2^{(q-1)/p^3}, mod q). The procedure is carried on until (x, mod p^a) is found.
Returning to the example, we find y_1 = 31. This implies that (31^{180/9}, mod 181) = (31^{20}, mod 181) = 1 and, hence, x_1 = 0. Altogether z ≡ 1 (mod 9). Consider next the factor p^a = 2^2. Now we have to determine x_0 + 2x_1. (We use the same x-notation for the unknowns.) Since (62^{90}, mod 181) = 1, we conclude that x_0 = 0. Now y_1 = y = 62 and (62^{45}, mod 181) = 1, whence x_1 = 0 and z ≡ 0 (mod 4). Consider, finally, the factor p^a = 5^1. Now there is only x_0 to be determined. Since (62^{36}, mod 181) = 1, we conclude that x_0 = 0 and z ≡ 0 (mod 5). The three congruences computed for z now yield the value z = 100. Hence, log 62 = 100. The same table can be used to compute the discrete logarithm of any y, instead of the value y = 62. Consider the choice y = 30. Denote log 30 = z. For the factor 2^2, we obtain (30^{90}, mod 181) = 180 and, hence, x_0 = 1. Since further (15^{45}, mod 181) = 1, we obtain x_1 = 0 and, therefore, z ≡ 1 (mod 4). For the factor 3^2, we deduce first x_0 = 0 because (30^{60}, mod 181) = 1. Since (30^{20}, mod 181) = 132, we infer further x_1 = 2 and, consequently, z ≡ 6 (mod 9). Finally, for the factor 5, we conclude that x_0 = 3 and, consequently, z ≡ 3 (mod 5) because (30^{36}, mod 181) = 125. The three congruences yield the result log 30 = 33. The Silver-Pohlig-Hellman algorithm is always efficient, with the possible exception that the construction of the table for the numbers a(i, p) might become intractable if q - 1 has a large prime factor p. An extreme case is F(q), where q is a safe prime (see Section 4.2). To compute the (q - 1)/2 entries in the column for (q - 1)/2 amounts to practically the same computational effort as constructing the entire table of logarithms.
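The Silver-Pohlig-Hellman procedure of Example 4.3 in full generality (any prime q, any prime-power factorization of q - 1, digits x_0, x_1, ... extracted one by one and combined by the Chinese Remainder Theorem), as an added example that is not the book's code. The function names (factorize, build_table, crt, pohlig_hellman) are chosen here; the inputs are the book's F(181), g = 2, y = 62 and y = 30. It also shows, in the way the last paragraph of the example describes, why a group order with only small prime factors is a weak parameter choice: the table and the loop stay tiny no matter how large q is.

```python
def factorize(m):
    """Trial-division factorization of m as {prime: exponent} (adequate for toy-sized q - 1)."""
    factors, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:
        factors[m] = factors.get(m, 0) + 1
    return factors


def build_table(q, g):
    """a(i, p) = g^(i (q-1)/p) mod q for each prime p | q - 1 and 0 <= i < p.

    Stored inverted, {p: {a(i, p): i}}, because the algorithm looks up i from the value.
    """
    return {p: {pow(g, i * (q - 1) // p, q): i for i in range(p)} for p in factorize(q - 1)}


def crt(residues):
    """Chinese Remainder Theorem: residues is a list of (x mod m, m) with pairwise coprime m."""
    x, m = 0, 1
    for r, mod in residues:
        x += m * ((r - x) * pow(m, -1, mod) % mod)
        m *= mod
    return x % m


def pohlig_hellman(q, g, y, table=None):
    """Discrete logarithm x with g^x == y (mod q), q prime and g a generator of F*(q)."""
    table = table or build_table(q, g)
    residues = []
    for p, a in factorize(q - 1).items():
        x_p, y_k = 0, y                      # x_p accumulates x_0 + x_1 p + ... ; y_k = y g^-(x_p)
        for k in range(a):
            # (y_k^((q-1)/p^(k+1)), mod q) equals a(x_k, p); read x_k off the table
            digit = table[p][pow(y_k, (q - 1) // p ** (k + 1), q)]
            x_p += digit * p ** k
            y_k = y_k * pow(g, -digit * p ** k, q) % q
        residues.append((x_p, p ** a))
    return crt(residues)
```
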
Public-key cryptosystems are, in general, considerably slower to use than classical cryptosystems. Key management problems present in the latter can be taken care of by a suitable protocol for key exchange. Two users agree upon a secret key which is, later on, used as a basis for a classical cryptosystem such as DES or PLAYFAIR. By a suitable encoding the key can always be represented as a number. The earliest and also most frequently used key exchange protocols rely on the intractability of the problem of computing discrete logarithms. We now present briefly some such protocols. A prime number q and a generator g of F*(q) are publicized among all users. Each user A_i chooses randomly a number k_i. The users keep the numbers k_i secret but publicize the powers (g^{k_i}, mod q). Thus, the following table is public information.
User    Number
A_1     (g^{k_1}, mod q)
A_2     (g^{k_2}, mod q)
...     ...
A_n     (g^{k_n}, mod q)
The common key between two users A_i and A_j (who have had no previous communication) is now the number (g^{k_i k_j}, mod q). The user A_i can compute this number using the number k_i and the information publicized by A_j. The situation is symmetric from the point of view of A_j. The key can be computed also by a cryptanalyst who is able to compute discrete logarithms and, thus, to find either
ki or k j from the public information. An active eavesdropper A,, who is able to insert in the table the number ( g k m ,modq) to the column for A,, is capable of establishing a communication link with A i who wants to communicate with A,. As an illustration, choose q = 181 and g = 2 (see Example 4.3). Assume that A (resp. A ,) has chosen k , = 100 (resp. k, = 33). Hence, the publicized numbers are 62 and 30, respectively. Now both A and A are able to compute the common key 48: (3O1Oo,mod 181) = (6233,mod 181) = 48 . The described system of key exchange is due to Diffie and Hellman, [DH]. It is the oldest proposed system for eliminating the transfer of secret keys but it is still considered to be one of the most secure public-key schemes. By now it has been tested from various angles. It is also practical from the computational point of view. If q is a prime of 1000 bits, then A ineeds only about 2000 multiplications to compute the common key ( g k i k Jmod , q). On the other hand, an eavesdropper has to compute discrete logarithms. This requires more than 2loo operations if any of the currently known algorithms is used. In the following simple modification of the Diffie-Hellman scheme messages are transmitted directly. Suppose that q, a prime or a power of a prime, is known to all 'users. Each user A selects a secret integer e , such that 0 < eA < q - 1 and (eA* - 1) = 1. Furthermore, A computes the inverse d, of e , (modq - I). The transmission of a message w , 0 < w < q - 1, is carried out in the following three steps. Step I: A sends to B : (we*,modq). Step 2 : B sends to A: (we,'#, modq). Step 3 : A decrypts with d, and sends to B: (wen, modq).
This protocol is, in fact, the basic one in public-key cryptography. We have already met several versions of it. It is vulnerable against an active eavesdropper intercepting the message in Step 1 and masquerading as $B$. In the following modification, due to El Gamal, [ElG], $q$ and a generator $g$ of $F^*(q)$ are known to all users. Each user $A$ selects a secret integer $m_A$, $0 < m_A < q - 1$, and publicizes $g^{m_A}$ (viewed as an element of $F(q)$) as the encryption key. Messages $w$ are sent to $A$ in the form $(g^k, wg^{km_A})$, where $k$ is a random integer chosen by the sender. It suffices for the sender to know $g^{m_A}$, whereas $A$ can recover $w$ by computing first $g^{km_A}$. An eavesdropper faces the problem of computing discrete logarithms.
We present, finally, a general method for key exchange. Basically, the computational complexity will be $O(m)$ for legal users and $O(m^2)$ for eavesdroppers. A key space of cardinality $m^2$, as well as a one-way function $f$, are known to all users. The inverse function is not known to any of the users. User $A$ (resp. $B$) randomly chooses $m$ keys $x_1, \ldots, x_m$ (resp. $y_1, \ldots, y_m$) and computes the values $f(x_1), \ldots, f(x_m)$ (resp. $f(y_1), \ldots, f(y_m)$). $B$ sends to $A$ the values $f(y_i)$, and $A$ answers by sending to $B$ a value $f(x_j)$ that lies among the values sent by $B$. In the unlikely event that no such $f(x_j)$ exists, $A$ computes further values $f(x)$ by choosing new keys $x$, until a match is found. In order to benefit from the situation, an eavesdropper usually has to compute $f(x)$ for roughly $m^2$ values $x$.
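As an added example (not the book's code), the Diffie-Hellman exchange, the three-step direct transmission and the El Gamal encryption just described, over $F_{181}$ with the generator $g = 2$ of Example 4.3; the exponents $e_A = 7$, $e_B = 11$, $k = 100$ and the message 42 are constructed sample values.

```python
# Added example (not the book's code): the three schemes of this section over
# F_q with the book's q = 181 and generator g = 2 (Example 4.3).  pow(x, -1, m)
# (Python 3.8+) is the modular inverse.
Q, G = 181, 2


def dh_public(k, q=Q, g=G):
    """The number a user publicizes in the table: (g^k, mod q)."""
    return pow(g, k, q)


def dh_shared_key(k_own, pub_other, q=Q):
    """A_i raises A_j's public number to k_i; both sides get g^(k_i k_j) mod q."""
    return pow(pub_other, k_own, q)


def three_pass_transmit(w, e_a, e_b, q=Q):
    """The direct-transmission variant (Steps 1-3 above).  Returns the three
    numbers seen on the channel and what B finally recovers with d_B.
    Needs gcd(e_a, q-1) = gcd(e_b, q-1) = 1 so the inverses mod q-1 exist."""
    d_a = pow(e_a, -1, q - 1)
    d_b = pow(e_b, -1, q - 1)
    step1 = pow(w, e_a, q)            # A -> B : w^{e_A}
    step2 = pow(step1, e_b, q)        # B -> A : w^{e_A e_B}
    step3 = pow(step2, d_a, q)        # A -> B : w^{e_B}   (A removes e_A)
    return (step1, step2, step3), pow(step3, d_b, q)   # B removes e_B


def elgamal_encrypt(w, pub_a, k, q=Q, g=G):
    """Sender knows only g^{m_A}; chooses random k and sends (g^k, w g^{k m_A})."""
    return pow(g, k, q), (w * pow(pub_a, k, q)) % q


def elgamal_decrypt(ct, m_a, q=Q):
    """A computes g^{k m_A} from g^k with the secret m_A and divides it out."""
    c1, c2 = ct
    return (c2 * pow(pow(c1, m_a, q), -1, q)) % q


if __name__ == "__main__":
    print(dh_public(100), dh_public(33), dh_shared_key(100, dh_public(33)))  # 62 30 48
    print(three_pass_transmit(42, 7, 11))                # constructed sample values
    print(elgamal_decrypt(elgamal_encrypt(42, dh_public(33), 100), 33))      # 42
```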
Chapter 5. Other Bases of Cryptosystems
5.1 Exponentiation in Quadratic Fields The framework presented in Section 2.2 for the construction of public-key cryptosystems is very general. Indeed, the area or subject matter of the underlying problem is not specified in any way. Any one-way street could be worth a try, and many streets have actually been tried. By now there exist numerous public-key cryptosystems, based on quite diverse concepts. The purpose of this chapter is to give an idea of various types of existing public-key cryptosystems. The presentation is by no means intended to be exhaustive - only a few systems will be discussed. No attempt has been made to select the “best” systems but only to present material that might inspire research towards public-key cryptosystems not dangerously depending on the difficulty of some specific number-theoretic problem. As we have observed in many contexts, one can very seldom obtain mathematical results concerning the quality of a cryptosystem; any notions of security are usually based on experience. Consequently, a comparison between different systems and a selection of some best systems is in most cases futile. Many cryptosystems have been motivated in the literature by simply stating that the cryptanalysis leads to such and such difficult problem. This is not sufficient because the problem might turn out to be easier than expected. In general it is also not known that a solution of the underlying problem is actually needed for cryptanalysis; a clever bypass might be found. In RSA the underlying problem is the factoring of the product of two primes. As we have pointed out, the complexity of this problem is not known. It is also not known whether a bypass exists for cryptanalysis. The following cryptosystem, due to Williams [Wil], seems to possess all the advantages of RSA. Moreover, one can actually prove that any method of breaking the system by preprocessing leads to the factoring of the modulus.
Thus, cryptanalysis by preprocessing is equivalent to factoring. On the other hand, the setup “chosen cryptotext” is always successful in cryptanalysis. If the system is used, this setup should not be possible for an eavesdropper. Encryption and decryption are as fast in the system of Williams as in RSA. On the other hand, the details of the former system are much harder to describe. Instead of ordinary modular exponentiation as in RSA, numbers of the form $a + b\sqrt{c}$ are now raised to powers modulo $n$. Here $a$, $b$ and $c$ are integers but the
square root can be irrational. However, it is not necessary to compute the value of the square root. In what follows, all details will be presented without using the terminology of quadratic fields. Consider numbers of the form
$\alpha = a + b\sqrt{c}$,
where $a$, $b$, $c$ are integers. Here $\sqrt{c}$ is understood formally as a number whose square equals $c$. If $c$ remains fixed then numbers $\alpha$ can be viewed as pairs $(a, b)$, with the following definition of addition and multiplication:
$\alpha_1 + \alpha_2 = (a_1, b_1) + (a_2, b_2) = (a_1 + a_2, b_1 + b_2)$,
$\alpha_1 \alpha_2 = (a_1, b_1)(a_2, b_2) = (a_1 a_2 + c b_1 b_2, a_1 b_2 + b_1 a_2)$.
The conjugate of a number $\alpha$ is defined by $\bar\alpha = a - b\sqrt{c}$.
The functions $X_i$ and $Y_i$, $i = 0, 1, 2, \ldots$, will be useful in the sequel. By definition,
$X_i(\alpha) = X_i(a, b) = (\alpha^i + \bar\alpha^i)/2$,
$Y_i(\alpha) = Y_i(a, b) = b(\alpha^i - \bar\alpha^i)/(\alpha - \bar\alpha) = (\alpha^i - \bar\alpha^i)/2\sqrt{c}$.
(The last expression is intended only to aid intuition. Since the functions are defined for pairs $(a, b)$, $\sqrt{c}$ should not appear.) It follows that powers of $\alpha$ and $\bar\alpha$ can be expressed in terms of the functions:
Clearly the numbers $X_i(\alpha)$ and $Y_i(\alpha)$ are integers. Assume now that the equation
$a^2 - cb^2 = 1$
is satisfied and consider $\alpha$ and $\bar\alpha$ as defined above. Then $\alpha\bar\alpha = 1$ and
$X_i^2 - cY_i^2 = 1$,
where we have omitted the argument $\alpha$. Moreover, for $j \ge i$,
$X_{i+j} = 2X_iX_j - X_{j-i}$, $Y_{i+j} = 2X_iY_j - Y_{j-i}$.
From these equations and the further equations
$X_{i+j} = X_iX_j + cY_iY_j$, $Y_{i+j} = Y_iX_j + X_iY_j$,
we get the recursion formulas
$X_{2i} = X_i^2 + cY_i^2 = 2X_i^2 - 1$, $Y_{2i} = 2X_iY_i$,
$X_{2i+1} = 2X_iX_{i+1} - X_1$, $Y_{2i+1} = 2X_iY_{i+1} - Y_1$.
These formulas lead to a fast evaluation of $X_i$ and $Y_i$ in an obvious fashion. Since $X_0 = 1$ and $X_1 = a$, it also follows that $X_i(\alpha)$ does not depend on $b$. Congruences are defined in the natural way:
$a_1 + b_1\sqrt{c} \equiv a_2 + b_2\sqrt{c} \pmod n$
means that both $a_1 \equiv a_2 \pmod n$ and $b_1 \equiv b_2 \pmod n$. If instead of the equation $a^2 - cb^2 = 1$ we assume that the congruence
$a^2 - cb^2 \equiv 1 \pmod n$ (*)
is valid, then the recursion formulas above must be replaced by the corresponding congruences modulo $n$. The following lemma is fundamental for the cryptosystem. The lemma is the counterpart of Euler's Theorem in RSA and serves the purpose of making encryption and decryption procedures inverses of each other. The proof of the lemma consists of straightforward calculations and is omitted here. An interested reader may consult [Wil].
Lemma 5.1. Assume that $n$ is the product of two odd primes $p$ and $q$, and that $a$, $b$, $c$ are integers satisfying the congruence (*) and, moreover, the Legendre symbols $e_p = \left(\frac{c}{p}\right)$ and $e_q = \left(\frac{c}{q}\right)$ satisfy the congruences
$e_i \equiv -i \pmod 4$ for $i = p$ and $i = q$.
Assume further that $(cb, n) = 1$ and that the Jacobi symbol $\left(\frac{2(a+1)}{n}\right)$ equals 1. Denote
$m = (p - e_p)(q - e_q)/4$
and assume that $e$ and $d$ satisfy the congruence
$ed \equiv (m + 1)/2 \pmod m$.
Under these assumptions
$\alpha^{2ed} \equiv \pm\alpha \pmod n$,
where $\alpha = a + b\sqrt{c}$.
We are now in the position to present the details of the public-key cryptosystem due to Williams. The discussion will consist of three parts: system design, encryption and decryption. An example of Jarkko Kari will be used as an illustration.
System Design. First two large primes $p$ and $q$ are chosen and their product $n$ is computed. Then a number $c$ is chosen such that the Legendre symbols $e_p$ and $e_q$ satisfy the congruences mentioned in Lemma 5.1. Observe that $c$ can be found very rapidly by trial because approximately one number in four satisfies these congruences. Next a number $s$ is determined (by trial) such that the Jacobi symbol satisfies
(and $(s, n) = 1$). The number $m$ is defined as in Lemma 5.1, a number $d$ with $(d, m) = 1$ is chosen, as well as a number $e$ satisfying the congruence in Lemma 5.1. The numbers $n$, $e$, $c$, $s$ are publicized, whereas the numbers $p$, $q$, $m$, $d$ are kept secret. As an example, let $p = 11$ and $q = 13$, implying $n = 143$. Because
$\left(\frac{5}{11}\right) = 1 \equiv -11 \pmod 4$ and $\left(\frac{5}{13}\right) = -1 \equiv -13 \pmod 4$,
we may choose $c = 5$. We may also choose $s = 2$ because
We now obtain $m = 10 \cdot 14/4 = 35$. Because $23 \cdot 16 \equiv 18 \pmod{35}$, we may finally choose the encryption and decryption exponents $e = 23$ and $d = 16$.
Encryption. Plaintexts are numbers $w$ with $0 < w < n$. (If necessary, the plaintext is first divided into blocks such that this condition concerning the size of the plaintext can be met.) Now $w$ is first encoded as a number $\alpha$ of the form considered above and then encrypted by raising $\alpha$ to the power $e$ modulo $n$. We consider first the encoding. We denote
$b_1 = 0$ and $\gamma = w + \sqrt{c}$, or
$b_1 = 1$ and $\gamma = (w + \sqrt{c})(s + \sqrt{c})$,
depending on whether the Jacobi symbol $\left(\frac{w^2 - c}{n}\right)$ has the value $+1$ or $-1$, respectively. (The case of the Jacobi symbol being equal to 0 is so unlikely that we do not consider it.) In both cases
In the first case this is obvious and follows, in the second case, by the choice of $s$. Arithmetic will be carried out modulo $n$. As before, the inverse $x^{-1}$ denotes an integer satisfying the congruence $xx^{-1} \equiv 1 \pmod n$. This notation is used also if $x$ is of the form $a + b\sqrt{c}$; then $x^{-1}$ is of the same form. For convenience we sometimes write $x/y$ instead of $xy^{-1}$. The notation $(x, \bmod n)$ is extended to concern numbers of the form $x = a + b\sqrt{c}$. Thus,
$(a + b\sqrt{c}, \bmod n) = (a, \bmod n) + (b, \bmod n)\sqrt{c}$.
The encoding is completed by defining $\alpha = \gamma/\bar\gamma$. Thus, writing $\alpha$ in the form $a + b\sqrt{c}$, we have in the first case (where $b_1 = 0$)
$\alpha \equiv (w^2 + c)/(w^2 - c) + (2w/(w^2 - c))\sqrt{c} \pmod n$.
In the second case (where $b_1 = 1$) we have $\alpha \equiv a + b\sqrt{c} \pmod n$ with
$a = ((w^2 + c)(s^2 + c) + 4csw)/(w^2 - c)(s^2 - c)$
and
$b = (2s(w^2 + c) + 2w(s^2 + c))/(w^2 - c)(s^2 - c)$.
The definition $\alpha = \gamma/\bar\gamma$ guarantees that in both cases
$\alpha\bar\alpha = a^2 - cb^2 \equiv 1 \pmod n$
and, hence, (*) holds. This can, of course, be verified also by a straightforward calculation. We infer also in both cases that
$2(a + 1) = 2((\alpha + \bar\alpha)/2 + 1) = \gamma/\bar\gamma + \bar\gamma/\gamma + 2 = (\gamma + \bar\gamma)^2/\gamma\bar\gamma \pmod n$,
which means that the Jacobi symbol $\left(\frac{2(a+1)}{n}\right)$ equals 1, as required in Lemma 5.1.
Having encoded the plaintext $w$ as $\alpha = a + b\sqrt{c}$, we now encrypt by raising $\alpha$ to the power $e$ modulo $n$. As seen before, the result can be expressed in terms of $X_e$ and $Y_e$. The latter can be computed rapidly using the recursion formulas. Denote
$E = (X_e(\alpha)Y_e(\alpha)^{-1}, \bmod n)$.
The cryptotext is the triple $(E, b_1, b_2)$, where $b_1$ was defined above and $b_2$ equals 0 or 1, depending on whether $a$ is even or odd. The number $\alpha^{2e}$ would give more direct information for decryption. However, as seen below, it can be immediately computed from the information given. The bits $b_1$ and $b_2$ are needed in order to make the result of the decryption unique. Without them, in general, four different plaintexts would result. Let us go back to our example. Take the plaintext $w = 21$. Because
we have $b_1 = 0$, $\gamma = 21 + \sqrt{5}$ and
$\alpha = 125 + 6\sqrt{5} \pmod{143}$.
The algorithms for computing the Jacobi symbol and $(w^2 - c)^{-1}$ can also be combined into a single algorithm.
Since 125 is odd, we obtain $b_2 = 1$. To compute $X_{23}(\alpha)$ and $Y_{23}(\alpha)$, we now use the recursion formulas, for instance, as follows.
$X_1(\alpha) = 125$, $Y_1(\alpha) = 6$,
$X_2(\alpha) = 75$, $Y_2(\alpha) = 70$,
$X_3(\alpha) = 35$, $Y_3(\alpha) = 48$,
$X_5(\alpha) = 120$, $Y_5(\alpha) = 44$,
$X_6(\alpha) = 18$, $Y_6(\alpha) = 71$,
$X_{11}(\alpha) = 48$, $Y_{11}(\alpha) = 17$,
$X_{12}(\alpha) = 75$, $Y_{12}(\alpha) = 125$,
$X_{23}(\alpha) = 68$, $Y_{23}(\alpha) = 125$.
Hence, we obtain
$E \equiv 68 \cdot 125^{-1} \equiv 68 \cdot 135 \equiv 28 \pmod{143}$.
Consequently, the cryptotext is the triple $(28, 0, 1)$.
Decryption. Using the first component $E$ of the cryptotext, the receiver may compute the number
$\alpha^{2e} = \alpha^{2e}/(\alpha\bar\alpha)^e = \alpha^e/\bar\alpha^e = (X_e(\alpha) + Y_e(\alpha)\sqrt{c})/(X_e(\alpha) - Y_e(\alpha)\sqrt{c}) = (E + \sqrt{c})/(E - \sqrt{c}) = (E^2 + c)/(E^2 - c) + (2E/(E^2 - c))\sqrt{c} \pmod n$.
Observe that this computation can be made also by a cryptanalyst who intercepted the cryptotext. However, trapdoor information is needed in the following computation:
$\alpha^{2ed} = X_{2ed}(\alpha) + Y_{2ed}(\alpha)\sqrt{c} = X_d(\alpha^{2e}) + Y_d(\alpha^{2e})\sqrt{c}$,
where the $X_d$- and $Y_d$-values can be computed by the recursion formulas because $\alpha^{2e}$ is known. Now all assumptions of Lemma 5.1 are satisfied and, consequently,
$\alpha^{2ed} \equiv \pm\alpha \pmod n$.
The last component $b_2$ of the cryptotext tells which of the signs of $\alpha$ is the correct one. Thus, $\alpha$ has been computed and the plaintext $w$ is now obtained from $\alpha$ and $b_1$ (the second component of the cryptotext) as follows. Denote
$\alpha' = \alpha$ if $b_1 = 0$,
$\alpha' = \alpha(s - \sqrt{c})/(s + \sqrt{c})$ if $b_1 = 1$.
Then
$\alpha' \equiv (w + \sqrt{c})/(w - \sqrt{c}) \pmod n$,
implying that
$w \equiv ((\alpha' + 1)/(\alpha' - 1))\sqrt{c} \pmod n$.
Returning again to the numerical example, we use first $E$ to obtain $\alpha^{2e}$:
$\alpha^{2e} = (28^2 + 5)/(28^2 - 5) + (2 \cdot 28/(28^2 - 5))\sqrt{5} = 95 + 126\sqrt{5} \pmod{143}$.
Recall that $d = 16$. Therefore, we compute
$X_1(\alpha^{2e}) = 95$, $Y_1(\alpha^{2e}) = 126$,
$X_2(\alpha^{2e}) = 31$, $Y_2(\alpha^{2e}) = 59$,
$X_4(\alpha^{2e}) = 62$, $Y_4(\alpha^{2e}) = 83$,
$X_8(\alpha^{2e}) = 108$, $Y_8(\alpha^{2e}) = 139$,
$X_{16}(\alpha^{2e}) = 18$, $Y_{16}(\alpha^{2e}) = 137$.
Consequently, $18 + 137\sqrt{5} \equiv \pm\alpha \pmod{143}$. Since $b_2 = 1$, $a$ must be odd and, hence,
$\alpha \equiv -(18 + 137\sqrt{5}) = 125 + 6\sqrt{5} \pmod{143}$.
Using the second component $b_1 = 0$ of the cryptotext, we infer that $\alpha = \alpha'$ and, therefore,
$w \equiv (126 + 6\sqrt{5})(124 + 6\sqrt{5})^{-1}\sqrt{5} = (126 + 6\sqrt{5})(124 - 6\sqrt{5})(124^2 - 5 \cdot 6^2)^{-1}\sqrt{5}$
$\equiv 83 \cdot 38^{-1} \equiv 21 \pmod{143}$.
Thus $w = 21$, which was the original plaintext. A reader who has worked through the details will surely agree that the cryptosystem of Williams is much more difficult to explain than RSA! However, this does not imply that encryption and decryption have greater time complexity than in RSA. We have here also the additional advantage that cryptanalysis by preprocessing is provably equivalent to factoring.
Cryptanalysis Versus Factoring. If we have found $p$ or $q$, we can immediately compute $m$ and $d$. Conversely, assume that a cryptanalyst has somehow found a decryption algorithm. The algorithm can be used to factor $n$ as follows. First a number $x$ with
(**)
is chosen by trial. Then $x$ is encrypted but the process is begun by selecting $b_1 = 0$ and $\gamma = x + \sqrt{c}$. Thus, the false value $+1$ is used for the Jacobi symbol on purpose. Let $(E, 0, b_2)$ be the resulting cryptotext. The cryptanalyst now applies the algorithm to find the corresponding plaintext $w$. However, $w$ is not the same as $x$ because the encryption process started by cheating. In fact, a fairly straightforward calculation shows that $(x - w, n)$ equals $p$ or $q$. (Details can be found in
[Wil].) This means that the cryptanalyst is able to factor $n$. The situation is analogous to knowing two distinct square roots modulo $n$. Let us do this in our example. Choose $x = 138$. Then (**) will be satisfied. Cheat by choosing $b_1 = 0$ and $\gamma = 138 + \sqrt{5}$. Hence,
$\alpha = \gamma/\bar\gamma = 73 + 71\sqrt{5}$.
Since 73 is odd, we obtain $b_2 = 1$. We compute next:
$X_1(\alpha) = 73$, $Y_1(\alpha) = 71$,
$X_2(\alpha) = 75$, $Y_2(\alpha) = 70$,
$X_3(\alpha) = 9$, $Y_3(\alpha) = 139$,
$X_5(\alpha) = 133$, $Y_5(\alpha) = 44$,
$X_6(\alpha) = 18$, $Y_6(\alpha) = 71$,
$X_{11}(\alpha) = 139$, $Y_{11}(\alpha) = 82$,
$X_{12}(\alpha) = 75$, $Y_{12}(\alpha) = 125$,
$X_{23}(\alpha) = 42$, $Y_{23}(\alpha) = 73$.
We infer that
$E \equiv 42 \cdot 73^{-1} \equiv 28 \pmod{143}$,
which yields the cryptotext $(28, 0, 1)$. It was decrypted already above with the result $w = 21$. This leads to the factorization of $n$ because
$(x - w, n) = (117, 143) = 13$.
The discussion shows also that if the cryptanalyst is able to apply the setup “chosen cryptotext” (even for one chosen cryptotext), the system is immediately broken.
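The whole cycle above (encoding, encryption with the $X_i$, $Y_i$ recursion, decryption, and the factoring reduction) with the book's parameters $n = 143$, $c = 5$, $s = 2$, $e = 23$, $d = 16$, as an added example in Python that is not code from the book or from Williams; the function names, the pair representation of $a + b\sqrt{c}$ and the sample plaintext 2 are this example's own.

```python
from functools import lru_cache
from math import gcd

# Added example (not from the book or from Williams).  A number a + b*sqrt(c)
# is the pair (a, b); all arithmetic is modulo n and pow(x, -1, n)
# (Python 3.8+) is the modular inverse.  Parameters are the book's toy ones.
PUB = (143, 23, 5, 2)    # (n, e, c, s) is public
D = 16                   # d (with p = 11, q = 13, m = 35) is secret

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; 0 when gcd(a, n) > 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def qmul(x, y, c, n):
    """(a1 + b1 sqrt c)(a2 + b2 sqrt c) = (a1 a2 + c b1 b2) + (a1 b2 + b1 a2) sqrt c."""
    return ((x[0] * y[0] + c * x[1] * y[1]) % n, (x[0] * y[1] + x[1] * y[0]) % n)

def qinv(x, c, n):
    """1/(a + b sqrt c) = (a - b sqrt c) / (a^2 - c b^2)."""
    k = pow((x[0] * x[0] - c * x[1] * x[1]) % n, -1, n)
    return ((x[0] * k) % n, (-x[1] * k) % n)

def xy(alpha, i, c, n):
    """(X_i(alpha), Y_i(alpha)) mod n by the recursion formulas of the text.
    The formulas need alpha * conj(alpha) = 1 (mod n), i.e. congruence (*)."""
    a, b = alpha

    @lru_cache(maxsize=None)
    def rec(k):
        if k == 0:
            return (1, 0)
        if k == 1:
            return (a % n, b % n)
        xh, yh = rec(k // 2)
        if k % 2 == 0:                    # X_2i = 2 X_i^2 - 1, Y_2i = 2 X_i Y_i
            return ((2 * xh * xh - 1) % n, (2 * xh * yh) % n)
        xh1, yh1 = rec(k // 2 + 1)        # X_2i+1 = 2 X_i X_i+1 - X_1, same for Y
        return ((2 * xh * xh1 - a) % n, (2 * xh * yh1 - b) % n)

    return rec(i)

def encrypt(w, pub=PUB, cheat=False):
    """Encode w as alpha = gamma / conj(gamma) and return (E, b1, b2).
    cheat=True forces b1 = 0 even when ((w^2 - c)/n) = -1: the deliberately
    faulty encryption of the 'cryptanalysis versus factoring' argument."""
    n, e, c, s = pub
    if cheat or jacobi(w * w - c, n) == 1:
        b1, gamma = 0, (w % n, 1)                     # gamma = w + sqrt c
    else:
        b1, gamma = 1, qmul((w, 1), (s, 1), c, n)     # (w + sqrt c)(s + sqrt c)
    alpha = qmul(gamma, qinv((gamma[0], -gamma[1] % n), c, n), c, n)
    xe, ye = xy(alpha, e, c, n)
    return ((xe * pow(ye, -1, n)) % n, b1, alpha[0] % 2)

def decrypt(ct, pub=PUB, d=D):
    """Recover w from (E, b1, b2) with the secret exponent d, as in the text."""
    n, e, c, s = pub
    E, b1, b2 = ct
    k = pow((E * E - c) % n, -1, n)
    alpha_2e = (((E * E + c) * k) % n, (2 * E * k) % n)   # (E + sqrt c)/(E - sqrt c)
    a, b = xy(alpha_2e, d, c, n)                          # = +-alpha by Lemma 5.1
    if a % 2 != b2:                                       # b2 selects the sign
        a, b = -a % n, -b % n
    alpha = (a, b)
    if b1 == 1:                                           # alpha' = alpha (s - sqrt c)/(s + sqrt c)
        alpha = qmul(alpha, qmul((s, n - 1), qinv((s, 1), c, n), c, n), c, n)
    num, den = ((alpha[0] + 1) % n, alpha[1]), ((alpha[0] - 1) % n, alpha[1])
    ratio = qmul(num, qinv(den, c, n), c, n)              # (alpha' + 1)/(alpha' - 1)
    return qmul(ratio, (0, 1), c, n)[0]                   # ... times sqrt c gives w

def factor_from_decryption(x, pub, decryptor):
    """The reduction of the text: feed a mis-encoded x (b1 = 0 although
    ((x^2 - c)/n) = -1) to a working decryptor; gcd(x - w, n) is p or q."""
    n, c = pub[0], pub[2]
    assert jacobi(x * x - c, n) == -1
    w = decryptor(encrypt(x, pub, cheat=True))
    return gcd((x - w) % n, n)

if __name__ == "__main__":
    ct = encrypt(21)
    print("21 ->", ct, "->", decrypt(ct))                   # (28, 0, 1) -> 21
    print("factor of 143:", factor_from_decryption(138, PUB, decrypt))   # 13
```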
5.2 Iteration of Morphisms Many public-key cryptosystems based on the theories of automata and formal languages have been proposed. Some of them will be discussed in this and the next section. As we have emphasized already before, the purpose is rather to give a feeling of the diverse possibilities to construct public-key cryptosystems than to evaluate the resulting systems. Apart from security issues, such an evaluation should take into account also other aspects: ease of legal application, length of cryptotexts, etc. Some of these aspects will be mentioned below. Language-theoretic notions will be explained to the extent they are needed for the understanding of the systems. Some further language theory will be used without detailed explanations, for instance, in cryptanalysis. As regards language theory, the interested reader may consult [Sal].
Let $\Sigma$ and $\Delta$ be alphabets. Recall that $\Sigma^*$ denotes the set of all words over $\Sigma$, including the empty word $\lambda$. In what follows, $\Sigma$ and $\Delta$ may be equal, disjoint or partially overlapping. A mapping $h: \Sigma^* \to \Delta^*$ is termed a morphism iff $h(xy) = h(x)h(y)$ holds for all words $x$ and $y$ over $\Sigma$. It follows that always $h(\lambda) = \lambda$ and that a morphism is completely determined by its values for the letters of $\Sigma$. A finite substitution $\sigma$ is a mapping of $\Sigma^*$ into the set of finite subsets of $\Delta^*$ such that $\sigma(xy) = \sigma(x)\sigma(y)$ holds for all words $x$ and $y$ over $\Sigma$. The two conclusions made for morphisms hold also now. For instance, let $\Sigma = \Delta = \{a, b\}$ and
$\sigma(a) = \{a, ab\}$, $\sigma(b) = \{b, bb\}$.
Then
$\sigma(ab) = \{ab, abb, abbb\}$.
Observe that $\sigma(ab)$ contains only three elements because the word $abb$ is obtained in two different ways. In the sequel it will sometimes be convenient to use the notation $(x)h$ instead of $h(x)$, and similarly for finite substitutions. If $L$ is a language, then $\sigma(L) = \{y \mid y \in \sigma(x)$, for some $x \in L\}$. We now begin the description of the cryptosystem. Consider two morphisms $h_0, h_1: \Sigma^* \to \Sigma^*$, as well as a nonempty word $w$ over $\Sigma$. We say that the quadruple $G = (\Sigma, h_0, h_1, w)$ is backward deterministic iff the condition
$(w)h_{i_1} \cdots h_{i_n} = (w)h_{j_1} \cdots h_{j_m}$
always implies the condition
$i_1 \cdots i_n = j_1 \cdots j_m$.
Here each $i_\nu$ and $j_\nu$ belongs to the set of indices $\{0, 1\}$. Thus, backward determinism means that in an application of a sequence of morphisms, one after the other, the outcome uniquely determines the sequence; it is not possible that two different sequences lead to the same outcome.
Example 5.1. Consider the morphisms defined by
$h_0(a) = ab$, $h_0(b) = b$, $h_1(a) = a$, $h_1(b) = ba$.
If we choose $w = a$, then the resulting quadruple is not backward deterministic because the outcome $a$ is obtained by a sequence of 1's of any length. The same conclusion holds if $w = b$. On the other hand, the quadruple $(\{a, b\}, h_0, h_1, ab)$ is backward deterministic. This follows because the last letter of a word reveals the morphism last applied. Using this principle one can “parse” a word $w'$ back to the initial word, provided $w'$ was obtained by some sequence of morphisms from $w$. □
Backward deterministic quadruples $G$ can be used as classical cryptosystems in the following obvious fashion. A sequence of bits $i_1 \ldots i_n$ is encrypted as the word $(w)h_{i_1} \cdots h_{i_n}$. Backward determinism guarantees that decryption will be unique.
For instance, if $G$ is the quadruple in Example 5.1 with $w = ab$, then some plaintexts are encrypted as follows.
Plaintext    Cryptotext
0            abb
1            aba
00           abbb
01           ababa
10           abbab
11           abaa
011          abaabaa
Of course, $G$ has to be kept secret if it is used as a classical cryptosystem in the sense described. Otherwise, there will be no difference between legal decryption and cryptanalysis. Cryptosystems of this type are referred to as functional. In general, a functional cryptosystem is specified by two functions $f_0$ and $f_1$ and an initial value $x$. A sequence of bits $i_1 \ldots i_n$ is encrypted as the value $(x)f_{i_1} \cdots f_{i_n}$. A condition corresponding to the backward determinism defined above has to be satisfied to guarantee the uniqueness of decryption. More than two functions are needed if plaintexts contain more than two characters. An obvious way to transform a functional cryptosystem into a public-key one is to provide a trapdoor leading from the publicized functions and values to some easily parsable situations. More specifically, we know the initial value $x$ and functions $f_0$, $f_1$, as well as a value $y$ such that
$y = (x)f_{i_1} \cdots f_{i_n}$
for some composition of the functions $f_0$, $f_1$. With this information it is hard to find the sequence of bits $i_1 \ldots i_n$ determining the composition, although we know the sequence is unique. However, with the trapdoor information the equation can be transformed into the form
$y' = (x')g_{i_1} \cdots g_{i_n}$,
where $x'$, $y'$, $g_0$, $g_1$ are known. Moreover, now the sequence of bits (which is the same as the original sequence) can be found easily. Let us see how the trapdoor is constructed when the two functions are morphisms. In fact, the trapdoor will lead to two easily parsable morphisms. The publicized setup uses an alphabet much bigger than $\Sigma$, and two finite substitutions instead of two morphisms. The substitutions and the initial word are defined in such a way that the bit sequence remains unaltered when the trapdoor is used to go from the “public” equation to the easily parsable one. More specifically, let $G = (\Sigma, h_0, h_1, w)$ be backward deterministic. Let $\Delta$ be an alphabet of a much greater cardinality than $\Sigma$. Typically, $\Sigma$ consists of five letters, whereas $\Delta$ consists of 200 letters. Let $g: \Delta^* \to \Sigma^*$ be a morphism mapping every letter to a letter or to the empty word in such a way that $g^{-1}(a)$ is nonempty for all
letters $a$ of $\Sigma$. This means that every letter $d$ of $\Delta$ is either a descendant of some letter in $\Sigma$ or a dummy. The letter $d$ is a descendant of $a$ if $g(d) = a$. The additional condition of $g^{-1}(a)$ being nonempty implies that every letter of $\Sigma$ has at least one descendant. The letter $d$ is a dummy if $g(d) = \lambda$. Consider a quadruple $H = (\Delta, \sigma_0, \sigma_1, u)$, where $\sigma_0$ and $\sigma_1$ are finite substitutions on $\Delta$ defined below and $u$ is a word over $\Delta$ satisfying $g(u) = w$. Equivalently, $u$ belongs to $g^{-1}(w)$. In general, $u$ is not unique because dummies may occur in arbitrary positions and each descendant may also be chosen arbitrarily. Also the finite substitutions $\sigma_0$ and $\sigma_1$ are not unique. For each $d$ in $\Delta$, $\sigma_0(d)$ is a nonempty finite set of words $y$ such that if $h_0$ maps $g(d)$ into $x$ in $\Sigma^*$, then $g(y) = x$. Equivalently, $\sigma_0(d)$ is a finite nonempty subset of $g^{-1}(h_0(g(d)))$. (Customarily we write the arguments of functions on the right as here. It should cause no confusion that we write them on the left while encrypting, in order to preserve the proper order in the bit sequence.) A substitution $\sigma_1$ is defined in the same way, using $h_1$. The quadruple $H = (\Delta, \sigma_0, \sigma_1, u)$ is publicized as the encryption key. A bit sequence $i_1 \ldots i_n$ is encrypted by choosing an arbitrary word $x$ from the finite set
$(u)\sigma_{i_1} \cdots \sigma_{i_n}$.
If the bit sequence is long, it can be divided in an arbitrary fashion into blocks that are encrypted separately. Everything else, that is, $\Sigma$, $h_0$, $h_1$, $w$, $g$ remains as a secret trapdoor. The essential item is the "interpretation" morphism $g$: all other items can be computed from $g$ and the public information. We mention in passing that in the terminology of L-systems $G$ is a DT0L-system and $H$ a T0L-system. L-systems, named after A. Lindenmayer, are mathematical models very suitable for computer simulation of biological growth processes. The reader is referred to [RS] for details. The idea behind the public-key cryptosystem just described is that a cryptanalyst has to parse according to the messy T0L-system $H$, whereas the legal receiver who knows the trapdoor can operate in the simple and easily parsable DT0L-system $G$. More comments will be given below. That the public-key cryptosystem works as intended is a consequence of the next lemma.
Lemma 5.2. Let $G = (\Sigma, h_0, h_1, w)$ be backward deterministic, and let $g$ and $H = (\Delta, \sigma_0, \sigma_1, u)$ be defined as above. Use $G$ and $H$ to encrypt bit sequences in the way described above. Then decryption according to $H$ is unique. Moreover, if the bit sequence $i_1 \ldots i_n$ is encrypted as $y$ according to $H$, then $i_1 \ldots i_n$ is the decryption of $g(y)$ according to $G$.
Proof. Consider the last sentence. Assume that $y$ is a word in the set $(u)\sigma_{i_1} \cdots \sigma_{i_n}$. Then
$g(y) = (g(u))h_{i_1} \cdots h_{i_n} = (w)h_{i_1} \cdots h_{i_n}$.
This follows by the definition of the substitutions and $u$. (An algebraically minded reader will notice that substitutions, as well as morphisms, commute with catenation by their very definition.)
To prove the uniqueness of decryption according to $H$, assume that some $y$ can be decrypted both as the bit sequence $i$ and the bit sequence $j$. By the last sentence, $g(y)$ is decrypted both as $i$ and $j$ according to $G$. Since decryption according to $G$ is unique by backward determinism, we must have $i = j$. □
Continuing Example 5.1, let $\Delta = \{c_1, c_2, c_3, c_4, c_5\}$ and define the interpretation morphism by
$g(c_1) = b$, $g(c_2) = g(c_4) = a$, $g(c_3) = g(c_5) = \lambda$.
Thus, $c_2$ and $c_4$ are descendants of $a$, $c_1$ is the only descendant of $b$, and $c_3$ and $c_5$ are dummies. We choose $u = c_4c_3c_1$, then $g(u) = ab = w$. To construct the substitutions, recall that the morphisms were defined by
$h_0: a \to ab$, $b \to b$; $h_1: a \to a$, $b \to ba$.
We now define $\sigma_0$ and $\sigma_1$ using the same descriptive notation.
$\sigma_0$: $c_1 \to c_1, c_3c_1$; $c_2 \to c_4c_1, c_2c_1c_5$; $c_3 \to c_5, c_3c_3$; $c_4 \to c_4c_1, c_2c_5c_1, c_4c_1c_3$; $c_5 \to c_5, c_3c_5c_3$.
$\sigma_1$: $c_1 \to c_1c_2, c_3c_1c_4$; $c_2 \to c_2, c_3c_5c_4$; $c_3 \to c_3, c_5c_5$; $c_4 \to c_2, c_4c_3$; $c_5 \to c_3, c_5c_3$.
This is a correct definition because when the interpretation morphism $g$ is applied, $\sigma_0$ and $\sigma_1$ reduce to $h_0$ and $h_1$:
$\sigma_0$: $b \to b, b$; $a \to ab, ab$; $\lambda \to \lambda, \lambda$; $a \to ab, ab, ab$; $\lambda \to \lambda, \lambda$.
$\sigma_1$: $b \to ba, ba$; $a \to a, a$; $\lambda \to \lambda, \lambda$; $a \to a, a$; $\lambda \to \lambda, \lambda$.
To encrypt 011 using the public key, we first choose the word $y_1 = c_4c_1c_5c_1$ from $(u)\sigma_0$, then the word $y_2 = c_2c_3c_1c_4c_3c_1c_2$ from $(y_1)\sigma_1$ and, finally, the word
$y = c_2c_5c_5c_1c_2c_2c_3c_1c_2c_2$
from $(y_2)\sigma_1$. The legal receiver may compute
$g(y) = abaabaa$,
from which the plaintext 011 can be immediately recovered using the special property of $h_0$ and $h_1$ mentioned above. □
Not all DT0L-systems, that is, quadruples $G = (\Sigma, h_0, h_1, w)$, are backward deterministic. For instance, if all words $h_i(a)$, where $a$ ranges over letters of $\Sigma$, are powers of the same word $x$, then $G$ cannot be backward deterministic. This follows because it is easy to verify that ( w ) ~ , ~ , ~=,(w)h,h,h,h, ~, .
On the other hand, backward determinism does not guarantee easy parsing. For this purpose, the notion of strong backward determinism is more appropriate. By definition, a quadruple $G = (\Sigma, h_0, h_1, w)$ is strongly backward deterministic iff the condition
$(w)h_{i_1} \cdots h_{i_n} = (x)h_t$
always implies the conditions $t = i_n$ and
$x = (w)h_{i_1} \cdots h_{i_{n-1}}$.
Thus, every word generated by a strongly backward deterministic $G$ has a unique predecessor in $\Sigma^*$, and is derived from this predecessor by a unique morphism. This means that the parsing sequence of a word in a strongly backward deterministic DT0L-system depends only on the word and, consequently, parsing (decryption) can be carried out from right to left without any look-ahead. This is not necessarily true if $G$ is only backward deterministic. In order to find the last bit, one may even have to go back to the axiom.
Example 5.2. Clearly, every strongly backward deterministic DT0L-system is backward deterministic. Consider $G = (\{a, b\}, h_0, h_1, ab)$, where
$h_0: a \to ab$, $b \to bb$; $h_1: a \to bb$, $b \to ab$.
That $G$ is backward deterministic is easy to show by an inductive argument: a counter example immediately leads to a shorter counter example, which is of course impossible. On the other hand, $G$ is not strongly backward deterministic because
$(ab)h_0h_1 = bbababab = (abbb)h_1 = (baaa)h_0$.
One can prove that strong backward determinism is a decidable property, whereas backward determinism is undecidable. □
An issue important in system design is the word length. Cryptotexts should not be too long compared with plaintexts. Fortunately, there are big classes of DT0L-systems with linear growth rate. In the transition to T0L-systems, the growth rate remains essentially the same as regards descendants of letters. The substitutions for the dummies should be defined in such a way that exponential growth is not likely to occur. Besides, block division of the plaintext can always be used to reduce growth. As regards cryptanalysis, preprocessing is not likely to succeed. Consider trapdoor pairs $(G, g)$ such that $G$ is a DT0L-system resulting from $H$ by the interpretation morphism $g$. Given $H$, there may be several such trapdoor pairs. Only one of them, say $(G_1, g_1)$, has been used by the cryptosystem designer. If some other pair $(G_2, g_2)$ giving rise to $H$ is found, it can be used in decryption with the following warning. $G_2$ is not necessarily backward deterministic and, therefore,
a cryptotext may lead to several plaintexts. However, the correct plaintext is always among them. This observation does not make the cryptanalysis by preprocessing essentially easier. It can be shown that it is an NP-complete problem to find any trapdoor pair. (Some other preprocessing method might still exist.) Consequently, also finding the dummy letters is an NP-complete problem. For if the dummies have been found, the construction of a trapdoor pair will be easy. This result means that it does not help much to know that dummies always have to be replaced by words consisting of dummies. Altogether, the cryptosystem seems to be safe against cryptanalysis by preprocessing: trapdoor pairs are not easy to find. A cryptanalytic algorithm running in time $kn^3$, where $n$ is the length of the intercepted cryptotext and the constant $k$ is fairly large, can be constructed using the theory of finite automata, [Kar2]. In the following generalization, finding the dummy symbols is no longer sufficient for successful cryptanalysis. Recall that the interpretation morphism $g$ was supposed above to assume as its values only letters or the empty word. Such a very restrictive definition is not necessary. We now assume that the interpretation morphism is any surjective morphism $g: \Delta^* \to \Sigma^*$. This means that all words of $\Sigma^*$ appear as values of $g$, a condition certainly satisfied by our original definition. Otherwise, the cryptosystem design remains unaltered. However, let us be more specific. As before, assume that $G = (\Sigma, h_0, h_1, w)$ is backward deterministic (preferably: strongly backward deterministic). Choose $\Delta$ to be much bigger than $\Sigma$, and let the morphism $g: \Delta^* \to \Sigma^*$ be surjective. Let $u$ be a word over $\Delta$ such that $g(u) = w$. Such a $u$ exists because $g$ is surjective. For $d$ in $\Delta$, let $\sigma_i(d)$, $i = 0, 1$, be a finite nonempty set of words $x$ with the property
Again, the surjectivity of g is needed to assure that there are such words x . As before, the decryption of a cryptotext y can be carried out by parsing the word g(y) according to G. Lemma 5.2 remains valid also now. Cryptanalysis by preprocessing seems to be more difficult. However, the cubic-time algorithm mentioned above for analyzing intercepted cryptotexts is applicable also to the generalized system.
Example 5.3. Consider $G = (\{a, b\}, h_0, h_1, ba)$, where the morphisms are defined by
$h_0: a \to ab$, $b \to b$; $h_1: a \to ba$, $b \to a$.
Then $G$ is strongly backward deterministic by the obvious reasons: the last letter of a word determines the morphism used, and the predecessor of a word is unique because both morphisms are injective. We choose $\Delta = \{c_1, \ldots, c_{10}\}$ to consist of
ten letters, and define the interpretation morphism by
$g$: $c_1 \to ab$, $c_2 \to b$, $c_3 \to \lambda$, $c_4 \to b$, $c_5 \to a$, $c_6 \to \lambda$, $c_7 \to bab$, $c_8 \to \lambda$, $c_9 \to ba$, $c_{10} \to aa$.
Next we may choose $u = c_9$ because $g(c_9) = ba$. To complete the definition of $H$, we define the substitutions $\sigma_0$ and $\sigma_1$ by
This definition is correct because, for all $i$ and $d$, $\sigma_i(d)$ contains only words $x$ satisfying $g(x) = h_i(g(d))$. For instance, from the first and two last lines we obtain
The plaintext 01101 is encrypted according to the public key $H$, for instance, as follows:
$c_9 \to c_4c_1 \to c_3c_5c_9c_5 \to$ c(jcgcgcgcgcg $\to c_8c_3c_8c_3c_7c_1c_4c_1c_4c_1 \to$ c~c6c~c0c6c0$c_1c_{10}c_4c_{10}c_3c_5c_9c_5c_3c_5c_4c_{10} = y$.
For the legal decryption one first computes
$g(y) = abaabaaabaaabaa$.
By the parsing rule of $G$, one further obtains the equations
$h_1(bababbabbab) = g(y)$,
$h_0(baababa) = bababbabbab$,
$h_1(abaa) = baababa$,
$h_1(bab) = abaa$,
$h_0(ba) = bab$,
where the indices of $h$ give the plaintext 01101. In the generalized version of the cryptosystem, where the interpretation morphism is chosen more freely, dummies are not essential for safety, as they are in the basic version. On the contrary, careless use of dummies may be a security risk. In the illustration above, some cryptanalytic conclusions can be based on the first six characters of the cryptotext $y$. This issue will become clearer if we assume that in the cryptosystem design the choice was $u = c_9c_3$ instead of $u = c_9$. Then one is immediately able to separate the suffix $z$ of any cryptotext, generated by the letter $c_3$ in $u$. This follows because $c_3$ generates only letters $c_3$, $c_6$, $c_8$ and, moreover, the last letter of any word generated by $c_9$ is not among the three mentioned. In $z$ all occurrences of $c_8$ may be ignored, and parsing can be based on the morphisms $s_0$ and $s_1$ determined by $\sigma_0$ and $\sigma_1$:
$s_0$: $c_3 \to c_3c_6$, $c_6 \to c_3$; $s_1$: $c_3 \to c_6$, $c_6 \to c_6c_3$.
For instance, z = c3c3c3c3c6c3c3c3c3c6c3 can be analyzed as follows: ~
O
(
~=
~
s1 ( c 3 c 3 c 6 c J c 3 c 6 c 3 )
s1 ( c 3 c 6 )
s0(c3)
= c6c3c6c3c6 = c6c6c3
= c3c6
~
~
~
~
3
~
= c6c6c6c3c6c6c6c3c6
= c3c3cbc3c3c6c3
s0(c6c3c6c3c6) s1 (‘6‘6‘3)
~
1
1
9
7
.
The plaintext 011010 can be read from the indices of s. In many cases this decryption method might be even easier than legal decryption based on G!
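Both parses described above (the legal one through g and h0, h1, and the parse of the dummy suffix z through s0, s1 alone) carried out by a single backward-parsing routine. This is an added example, not code from the book: g, s0, s1, y and z are taken from the text, while the plaintext morphisms h0: a → ab, b → b and h1: a → ba, b → a are an assumption chosen to satisfy the five parsing equations quoted above.

```python
"""Parsing-based decryption for the iterated-morphism cryptosystem of this
section.  Added example, not code from the book.  g, s0, s1, y and z are
taken from the text; the plaintext morphisms h0: a -> ab, b -> b and
h1: a -> ba, b -> a are an assumption chosen to satisfy the five parsing
equations quoted above (the book defines them in an earlier example)."""


def word(letters):
    """Split a space-separated string such as "c3 c6" into a tuple of letters."""
    return tuple(letters.split())


# Interpretation morphism g (1 = empty word) as a table of images.
G = {"c1": ("a", "b"), "c2": ("b",), "c3": (), "c4": ("b",), "c5": ("a",),
     "c6": (), "c7": ("b", "a", "b"), "c8": (), "c9": ("b", "a"),
     "c10": ("a", "a")}
# Assumed plaintext morphisms h0, h1 over {a, b}.
H = ({"a": ("a", "b"), "b": ("b",)}, {"a": ("b", "a"), "b": ("a",)})
# Morphisms s0, s1 on the dummy letters c3, c6, as given in the text.
S = ({"c3": word("c3 c6"), "c6": word("c3")},
     {"c3": word("c6"), "c6": word("c6 c3")})

U = word("b a")                                  # g(u) = g(c9) = ba
Y = word("c3 c6 c3 c8 c6 c8 c1 c10 c4 c10 c3 c5 c9 c5 c3 c5 c4 c10")  # cryptotext y
Z = word("c3 c3 c3 c3 c6 c3 c3 c3 c3 c6 c3")    # dummy suffix z


def apply_morphism(h, w):
    """Image of the word w under the morphism h (letters map to tuples)."""
    return tuple(x for letter in w for x in h[letter])


def preimages(h, w):
    """All words v with h(v) == w.  Finite here since every image is nonempty."""
    if not w:
        return [()]
    found = []
    for letter, image in h.items():
        if w[:len(image)] == image:
            found.extend((letter,) + rest for rest in preimages(h, w[len(image):]))
    return found


def parse(morphisms, w, start, _seen=None):
    """Bits i1..ik such that h_ik(...h_i1(start)) == w, found by backward
    parsing; None if w is not derivable.  _seen memoises dead ends and
    breaks the cycles caused by single-letter images (e.g. s0(c6) = c3)."""
    seen = set() if _seen is None else _seen
    if w == start:
        return []
    if w in seen:
        return None
    seen.add(w)
    for bit, h in enumerate(morphisms):
        for pred in preimages(h, w):
            bits = parse(morphisms, pred, start, seen)
            if bits is not None:
                return bits + [bit]
    return None


def legal_decrypt(y):
    """Legal decryption: interpret y with g, then parse with h0, h1 from g(u)."""
    return parse(H, apply_morphism(G, y), U)


def parse_dummy_suffix(z):
    """The leak of the careless variant u = c9c3: the suffix generated by c3
    is parsed with s0, s1 alone, without g and without the trapdoor."""
    z_without_c8 = tuple(c for c in z if c != "c8")
    return parse(S, z_without_c8, word("c3"))


if __name__ == "__main__":
    print("g(y) =", "".join(apply_morphism(G, Y)))      # abaabaaabaaabaa
    print("plaintext from y:", legal_decrypt(Y))        # [0, 1, 1, 0, 1]
    print("plaintext from z:", parse_dummy_suffix(Z))   # [0, 1, 1, 0, 1, 0]
```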
5.3 Automata and Language Theory
In the cryptosystem discussed in the preceding section the underlying problem belongs to the theory of formal languages. Cryptanalysis and legal decryption amount to parsing the cryptotext in a certain fashion. Parsing will be essentially easier if the secret trapdoor is known. We have discussed this cryptosystem in some length, since quite a number of details are known about it. The cryptosystems presented in this section are also based on language theory and related areas. However, our discussion will now be more sketchy and brief. Not all details needed from the underlying areas will be explained. Indeed, such an explanation is not necessary for the overview. Quite many of the proposed public-key cryptosystems apply an idea that could be called encryption by coloring. A color is associated to each plaintext letter. Since we again assume that plaintexts are bit sequences, we use only two colors, white (bit 0) and black (bit 1). The public encryption key provides a method of generating arbitrarily many elements colored white, as well as arbitrarily many elements colored black. In the cryptosystems discussed here the elements are words. Bits are encrypted as words colored correspondingly. Of course, for different occurrences of the bit 0 (resp. 1), different words colored white (resp. black) should be chosen. In an ideal situation it is an intractable problem to decide the color of a given word, whereas the knowledge of the trapdoor makes such a decision easy. Clearly, the public encryption key always gives a decision method that may be of unmanageable complexity: generate words of both colors by turns until you meet the one appearing in the cryptotext. All public-key cryptosystems based on encryption by coloring tend to increase word length unacceptably much. The number of words possible for the encryption of each bit has to be large, preferably potentially infinite. Otherwise, a cryptanalyst can generate all encryptions in advance and use a table look-up in order to decrypt. This leads to the somewhat paradoxical situation that to increase security one has to increase the expected ratio between cryptotext length and plaintext length.
A typical public-key cryptosystem based on the idea of encryption by coloring applies the word problem for finitely presented groups, that is, groups with finitely many generators {a1, . . . , am} and finitely many defining relations
wi = 1, i = 1, . . . , n, (*)
where 1 is the identity of the group and each wi is a word over the alphabet {a1, a1^{-1}, . . . , am, am^{-1}}. Two words x and y over this alphabet are termed equivalent iff there is a finite sequence of words
x = x0, x1, . . . , xt = y
such that, for j = 0, . . . , t − 1, x_{j+1} results from x_j by introducing or eliminating an occurrence of wi, wi^{-1}, zz^{-1} or z^{-1}z, where 1 ≤ i ≤ n and z is an arbitrary word. The word problem for a finitely presented group consists of deciding of an arbitrary word whether or not it is equivalent to the identity 1. (Clearly, x and y are equivalent iff xy^{-1} is equivalent to 1.) There are specific groups with an undecidable word problem. Such a group G is used as a basis for a public-key cryptosystem in the following way. Assume that G is determined by (*). The defining relations (*), as well as two nonequivalent words y0 and y1, are publicized as the encryption key. The encryption of a bit i is an arbitrary word equivalent to yi. Thus, to encrypt the bit 0, the sender applies the transformation rules determined by (*) in an arbitrary fashion to y0. This can, of course, be done already in advance: the sender generates a large number of encryptions of both bits and keeps them in a safe deposit box until proper need arises. The decryption leads, at least in principle, to the word problem: one has to decide whether a word is equivalent to y0 or y1. The encryption method guarantees that each word under consideration is equivalent to exactly one of y0 and y1. The secret trapdoor consists of additional defining relations such that the word problem will be easy for the resulting group G' but the words y0 and y1 are still nonequivalent. Thus, G' has the same generators as G but, in addition to (*), some other defining relations. One may always choose y0 and y1 as two generators of G, provided the new defining relations do not identify these generators. The new defining relations may, for instance, introduce some commutativity in order to make the word problem of G' easy. The applicability of the cryptosystem depends on the choice of the defining relations. In particular, the additional relations constituting the trapdoor are essential from the point of view of security. It is important to notice that it is not necessary for the cryptanalyst to find the additional relations actually used by the cryptosystem designer. Any relations such that the resulting group G'' will have an easy word problem and the two public words y0 and y1 are nonequivalent will do. This means that the cryptosystem designer has to be very careful in inserting the trapdoor. For instance, if G has two generators a and b which are also used as the two public words, then the introduction of the additional defining relation bab^{-1}a^{-2} = 1 induces commutativity in the form ba = a^2 b. Depending on the other relations, this might make the word problem essentially easier. Similar cryptosystems can be constructed using defining relations in connection with algebraic structures other than groups.
No specific results, such as the complexity of cryptanalysis by preprocessing (that is, the cryptanalytic setup is the encryption key only), are known. The following public-key cryptosystem is based on hiding regular languages. As for systems based on iterated morphisms, cryptanalysis by preprocessing is provably NP-complete. (Observe the contrast to the basic knapsack system.) The system also uses dummy letters, as well as encryption by coloring. Some basics of automata theory are needed. They will not be explained here; the reader is referred to [Sal]. The language generated by a grammar G (resp. accepted by an automaton A) is denoted by L(G) (resp. L(A)). We present first a simplified version of the cryptosystem. Choose two arbitrary grammars G0 and G1 with the same terminal alphabet Σ, as well as a finite deterministic automaton A0 over the same alphabet Σ. Make all final states of A0 nonfinal, and vice versa. Denote the resulting automaton by A1. Thus, the languages L(A0) and L(A1) are complements of each other. Construct grammars G'_i such that L(G'_i) = L(G_i) ∩ L(A_i), for i = 0, 1. The grammars G'_i are easily obtained from G_i and A_i by the triple construction standard in language theory. The grammars G'_0 and G'_1 are now publicized as the encryption key. Encryption by coloring is used: the bit i is encrypted as an arbitrary word in L(G'_i). The automata A_i are kept as the secret trapdoor. An eavesdropper has to decide membership in L(G'_i), which is an undecidable problem in general. The legal receiver decrypts by solving the easy problem of whether the cryptotext is in L(A0) or L(A1). System design guarantees that decryption is always unique. We are now ready for the full version of the cryptosystem. In fact, the complexity results mentioned below deal with the full version. We first define the morphic image of a grammar. Consider a grammar G, and let h be a morphism mapping each terminal letter of G into a letter (considered to be terminal) or the empty word, and each nonterminal letter of G into a letter (considered to be nonterminal). The morphic image h(G) of G consists of all productions h(α) → h(β), where α → β is a production in G. The start letter of h(G) equals the morphic image of the start letter of G. For grammars G1 and G2, the notation G1 ⊆ G2 means that the set of productions of G1 is a subset of the production set of G2. In the full version of the cryptosystem, A_i and G'_i are defined as above. Let Δ be a much bigger alphabet than Σ, and let G''_i (i = 0, 1) be grammars with the terminal alphabet Δ and h a morphism such that h(G''_i) ⊆ G'_i. The pair (G''_0, G''_1) constitutes the public encryption key. Also now encryption by coloring is used. As before, decryption will always be unique. To decrypt, the legal receiver applies the morphism h to one block of the cryptotext. If x is the resulting word, then the corresponding plaintext bit is 0 iff A0 accepts x. One can show that cryptanalysis by preprocessing is an NP-complete problem in the following sense. Given (G''_0, G''_1), it is NP-complete to find (h, A0) such that the former pair may result from the latter pair and the additional items G0 and G1 by the process described above. The other known public-key cryptosystems whose cryptanalysis by preprocessing is NP-complete are the system considered in Example 2.2 and the system based on iterated morphisms. Of course, this property does not guarantee security: the result says nothing about the complexity of cryptanalysis in general. The system based on hiding regular languages can be strengthened further by replacing the grammars G''_0 and G''_1 with some equivalent grammars. Some specific method of generating equivalent grammars has to be considered. It is not clear whether this will constitute an essential strengthening. Finally, some public-key cryptosystems based on automata theory will be briefly mentioned. A sequential machine M is a finite automaton provided with an output. Thus, M translates an input word into an output word of the same length. The inverse M^{-1} translates the output back to the input. Let k be a positive integer. The inverse M^{-1}(k) with delay k operates in the following fashion. Let y be M's output to the input word x. After receiving as its input the word yu, where u is an arbitrary word of length k, M^{-1}(k) produces the word wx as its output, where w is some word of length k. In the public-key cryptosystem, k and M^{-1}(k) are publicized as the encryption key, whereas M is kept as a secret trapdoor. To encrypt the plaintext y, one chooses an arbitrary word u of length k and applies M^{-1}(k) to the word yu. To decrypt a cryptotext c, the legal receiver ignores the first k letters of c and applies M to the remaining word. In general, it is difficult to compute M from k and M^{-1}(k). No specific complexity estimates are known. Cellular automata CA constitute a promising basis for public-key cryptosystems. The matter is not yet clearly understood. For instance, given a reversible two-dimensional cellular automaton, it is very difficult to find its inverse. In fact, there is no algorithm for finding the inverse within a time complexity bounded by a computable function. The public encryption key consists of a reversible cellular automaton CA and a natural number k. The plaintext is encoded as a configuration of CA and encrypted by applying CA k times to the configuration. The resulting configuration constitutes the cryptotext. The inverse CA^{-1} constitutes the secret trapdoor. The legal receiver applies CA^{-1} k times to the cryptotext.
5.4 Coding Theory
Consider a situation where errors are likely to occur in the transmission of information. Noise in the information channel might be due to technical failures or negligence on the part of the sender or receiver. In coding theory it is assumed that errors occur randomly and independently. It is equally likely for the bit 0 to be incorrectly received as the bit 1, as for the bit 1 to be incorrectly received as the bit 0. In this basic setup there is no malicious adversary acting on purpose. The purpose of coding theory is to introduce redundancy in such a way that even if errors occur in the transmission, the received message can still be correctly interpreted. Of course, some assumption has to be made concerning the number of errors; no amount of redundancy is sufficient to correct unboundedly many errors. More specifically, assume that d errors may occur in the transmission of a word w consisting of n bits. Thus, the received word w' differs from w with respect to at most d bits, but the incorrect bits may occur anywhere in the word. Let C = {α1, . . . , αk} be a set of n-bit words αi such that any two of the α's differ with respect to at least 2d + 1 bits. Then C is referred to as a d-error correcting code. Indeed, αi can be correctly inferred from the received α'i, since αi and α'i differ with respect to at most d bits, whereas α'i differs from any αj, j ≠ i, with respect to at least d + 1 bits. Although decoding, that is, recovering αi from α'i, is always possible in principle, it might still be intractable computationally. In fact, the public-key cryptosystem described below uses the idea that the public key leads to an intractable decoding problem, whereas the trapdoor enables the receiver to decode easily. Thus, coding theory and cryptography have opposite aims. In coding theory one tries to write the message in such a form that reasonably many errors can be tolerated in the transmission. In this sense the clarity of the message is increased. In cryptography, on the other hand, one tries to decrease the clarity in order to make the message incomprehensible for an eavesdropper. Because of these opposite aims it is difficult to combine the two approaches, although it would be very important to translate messages into a form protected both against eavesdroppers and random noise. For this purpose, the message should first be encrypted, after which an error correcting code should be applied to the result. A reverse order of these two operations is not meaningful for obvious reasons. Protection against both noise and an active eavesdropper seems to be impossible. Altogether the details of combining cryptography with coding theory are not yet properly understood. Such a combination is not intended in the public-key cryptosystem described briefly below. The system is due to McEliece and resembles knapsack systems, in particular the ones based on dense knapsacks. The cryptosystem uses d-error correcting Goppa codes. Such a code {α1, . . . , αt} is based on a polynomial of degree d irreducible over the finite field F(2^m). It can be represented in terms of a binary k × n generator matrix M, where n = 2^m. The cryptosystem designer chooses arbitrary binary matrices S and P such that S is a nonsingular k × k matrix and P an n × n permutation matrix. The product M' = SMP is understood as a binary matrix, where all numbers are reduced modulo 2. The crucial fact is that M' at least looks like the generator matrix for an arbitrary linear code. No tractable decoding algorithms are known for linear codes, whereas Goppa codes are easy to handle. The cryptosystem designer publicizes M' as the encryption key but keeps S, M and P as the secret trapdoor. From the trapdoor information also the inverses S^{-1} and P^{-1} can be immediately computed. A plaintext block w consisting of k bits is encrypted as
c = wM' ⊕ b,
where b is an arbitrary binary n-dimensional vector with exactly d components equal to 1 and ⊕ denotes bitwise addition. Vectors b are chosen by the sender separately for each block w. The legal receiver knows that M' = SMP and computes
cP^{-1} = wSM ⊕ bP^{-1}.
Since P is a permutation matrix, exactly d components of bP^{-1} equal 1. Hence, the error vector bP^{-1} can be removed by the decoding technique of Goppa codes, yielding wS. From this w is immediately recovered by multiplying with S^{-1}. An eavesdropper faces the problem of decoding an apparently linear code. Decoding for linear codes is an NP-complete problem. Cryptanalysis by preprocessing appears hopeless if n and d are large enough: there are too many possibilities for M, S and P. For instance, if n = 1024 and d = 50 there are approximately possible polynomials that can be used as a basis for a Goppa code. The parameters are tied by the formula k = 2^m − md = n − md. Assuming that the inversion of a k × k matrix requires k^3 steps, the time complexity of brute force cryptanalysis by preprocessing can be estimated as
For n = 1024 and d = 50, this gives the value 2'O.'. It can be shown that the probability for the existence of more than one trapdoor is negligible.
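The algebra of the McEliece system above (c = wM' ⊕ b on the sender's side, cP^{-1} = wSM ⊕ bP^{-1} followed by decoding and S^{-1} on the receiver's side) carried out on a toy instance. This is an added example, not the book's code: a Hamming (7,4) code, which corrects d = 1 error, stands in for the Goppa code, and S and P are small constructed matrices, so the run illustrates the round trip only and says nothing about secure parameters.

```python
"""Toy McEliece round trip over GF(2).  Added example, not from the book.
A Hamming (7,4) code (k = 4, n = 7, corrects d = 1 error) stands in for the
Goppa code, so M, S and P are tiny constructed matrices: this shows the
algebra c = wM' + b and cP^-1 = wSM + bP^-1, not secure parameters."""


def vec_mat(v, a):
    """Row vector v times matrix a over GF(2)."""
    return [sum(v[i] & a[i][j] for i in range(len(v))) & 1 for j in range(len(a[0]))]


def mat_mul(a, b):
    return [vec_mat(row, b) for row in a]


def transpose(a):
    return [list(col) for col in zip(*a)]


def gf2_inverse(a):
    """Inverse of a square GF(2) matrix by Gauss-Jordan elimination."""
    n = len(a)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("singular matrix")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


# Generator matrix M of the systematic Hamming (7,4) code and its parity
# check matrix; column j of CHECK is the syndrome of a single error in bit j.
M = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
CHECK = [[1, 1, 0, 1, 1, 0, 0],
         [1, 0, 1, 1, 0, 1, 0],
         [0, 1, 1, 1, 0, 0, 1]]
K, N, D = 4, 7, 1


def decode(r):
    """Trapdoor decoding: correct up to D = 1 error in r, return the K message bits."""
    syndrome = vec_mat(r, transpose(CHECK))
    r = r[:]
    if any(syndrome):
        r[transpose(CHECK).index(syndrome)] ^= 1
    return r[:K]                     # systematic code: message = first K bits


# Secret trapdoor: nonsingular S (K x K) and permutation matrix P (N x N),
# both constructed by hand for this example.
S = [[1, 1, 0, 1],
     [0, 1, 1, 0],
     [0, 0, 1, 1],
     [1, 0, 0, 1]]
PERM = [3, 0, 5, 1, 6, 2, 4]
P = [[int(j == PERM[i]) for j in range(N)] for i in range(N)]
M_PUB = mat_mul(mat_mul(S, M), P)             # public key M' = S M P
S_INV, P_INV = gf2_inverse(S), transpose(P)   # P^-1 = P^T for a permutation


def encrypt(w, b):
    """c = w M' + b, where the sender picks b with exactly D ones per block."""
    assert len(w) == K and len(b) == N and sum(b) == D
    return [x ^ y for x, y in zip(vec_mat(w, M_PUB), b)]


def decrypt(c):
    """c P^-1 = (wS) M + b P^-1 still carries a weight-D error: decode, then undo S."""
    return vec_mat(decode(vec_mat(c, P_INV)), S_INV)


def roundtrip_all():
    """Every 4-bit block with every single-bit error position decrypts correctly."""
    for m in range(2 ** K):
        w = [(m >> i) & 1 for i in range(K)]
        for pos in range(N):
            b = [int(j == pos) for j in range(N)]
            if decrypt(encrypt(w, b)) != w:
                return False
    return True


if __name__ == "__main__":
    w, b = [1, 0, 1, 1], [0, 0, 0, 0, 1, 0, 0]
    c = encrypt(w, b)
    print("cryptotext", c, "-> plaintext", decrypt(c))
    print("all blocks round-trip:", roundtrip_all())
```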
Chapter 6. Cryptographic Protocols: Surprising Vistas for Communication
6.1 More than Etiquette
A protocol usually refers to customs and regulations dealing with diplomatic formality, precedence and etiquette. Typically, a protocol determines a map for seating the participants, or the order of speeches. It has happened that an international conference has spent most of its time arguing about the seating protocol. A cryptographic protocol constitutes an algorithm for communications between different parties, adversaries or not. The algorithm applies cryptographic transformations and is usually based on public-key cryptography. However, the goal of the protocol is usually something beyond the simple secrecy of message transmission. The communicating parties might want to share parts of their secrets to achieve a common goal, or to join their forces in order to disclose a secret not known to any of the parties separately. Two parties distant from one another might want to generate together a random sequence. One party might also want to convince another that he/she is in the possession of some information, without disclosing anything of the information itself. Protocols realizing such goals have considerably changed our ideas about what is impossible when several parties, adversaries or not, are communicating with each other. Protocols are designed with a specific goal in mind. Both the security properties of the underlying cryptosystem and those of the protocol itself have to be taken into consideration in the evaluation of the protocol. Intuitively, a protocol is at most as secure as the underlying cryptosystem, but the security of a protocol can be much lower. For instance, consider the following very general task. A private conversation should be established between two individual users of an information system or a communication network. No assumptions are made concerning whether or not the two individual users ever communicated before. The basic idea behind public-key cryptography can be used to solve this problem. The resulting protocol is very simple and consists of the following two steps. First, all users publish their encryption keys. Secondly, messages intended for a user A are encrypted by A's encryption key. In this case the underlying cryptosystem might be secure, but the protocol as such still does not prevent the possibility of impersonation: some user C might pretend to be the user B when sending messages to A. To prevent the occurrence of such situations, some convention of signing messages has to be added to the protocol.
When separating security properties of the underlying cryptosystem from those of the protocol, the possible adversaries should be kept in mind. In most communication protocols, an adversary belongs to one of the following three types.
(1) Communicating parties who try to cheat. We will later meet two types of cheaters, passive and active.
(2) Passive eavesdroppers. They are otherwise harmless but may obtain information not intended for them.
(3) Active eavesdroppers. Besides obtaining secret information, they may mess up the whole protocol.
In the simple protocol above, the user C who tries to impersonate B can be classified as belonging to type (3). For an example of an adversary of type (1), consider the protocol in Example 2.3 for playing poker by telephone. Assume, further, that encryptions and decryptions are carried out by modular exponentiations and by taking discrete logarithms, respectively. (In Example 2.3 the encryption and decryption methods were left unspecified.) More specifically, assume that the players A and B have agreed on a large safe prime p and on the representation of the cards as numbers from the interval [2, p − 1]. Each player chooses privately encryption and decryption exponents satisfying
eA dA ≡ eB dB ≡ 1 (mod p − 1),
after which encryption and decryption are carried out modulo p. However, the property of being a quadratic residue (mod p) is preserved in this encryption. If the dealer notices that the numerical representation of each ace is a quadratic residue, only nonresidues are dealt to the opponent and residues to the dealer. The dealer now knows that the opponent has no aces. It is also clear that not all hands are equally likely. Even in the case of a modulus n such that quadratic residuosity (mod n) is intractable, the dealer can trace the progress of a perfect square (mod n) through the execution of the protocol. Usually it is very difficult to establish mathematical theorems about the security of a protocol as such or with respect to the security of the underlying cryptosystem. One should examine methods by which the security properties of protocols can be defined and established, as well as by which the impossibility of a protocol meeting certain requirements can be proved. The same issues are met also in the analysis of ordinary algorithms. However, cryptographic protocols are different from ordinary algorithms in that each participant has some computational power (that might vary from participant to participant) and is able to make inferences. This means that a participant may combine a priori knowledge and the knowledge acquired so far with the information contained in the messages just received. The new message to be sent depends on this combined knowledge. The following modification of a popular game illustrates these issues. The participants, arbitrarily many, form a chain. The first and last member know their positions. Moreover, each member knows the next member in the chain. During the first phase of the protocol the first member sends the number 2 to the second, and any other member adds 1 to the number received and sends the resulting number further, with the exception of the last member, who does not send anything further. After this phase every member knows his/her ordinal number i. The second phase of the protocol consists of a transmission of a message w consisting of a string of letters over the English alphabet. The message w is originally in the possession of member 1. After receiving a message w', the member i applies CAESAR(i) to the first letter of w', transfers the resulting letter to the end of the word, and sends the new word to the next member. Again, the last member does not send anything. If there are altogether seven members, then the plaintext w = SAUNA is transformed as follows:
SAUNA → AUNAT → UNATC → NATCX → ATCXR → TCXRF → CXRFZ
After receiving the word CXRFZ, the seventh member is immediately able to decrypt, and so are all members. Clearly, this protocol is very vulnerable against adversaries of all three types (1)-(3). A protocol for sending encrypted messages, where the receiver acknowledges the receipt, can be described as follows. The encryption keys EA, EB, . . . have been publicized, whereas each of the decryption keys DA, DB, . . . is known to the appropriate user only. According to the protocol, the sending of a message w from A to B is carried out in two steps.
Step 1: A sends the triple (A, EB(w), B) to B.
Step 2: B decrypts using DB and acknowledges by sending the triple (B, EA(w), A) to A.
An active eavesdropper C may now intercept the triple in Step 1 and forward to B the triple (C, EB(w), B). Without noticing the trick, B sends in Step 2 the triple (B, EC(w), C) to C, after which C is able to decrypt! Even the following version, where also signatures are provided, does not essentially alter the situation.
Step 1: A sends the pair (EB(EB(w)A), B) to B.
Step 2: B uses DB to find A and w and acknowledges by sending the pair (EA(EA(w)B), A) to A.
Here the functions E and D are assumed to operate on numbers. The names A, B, . . . are sequences of digits, and EB(w)A is the sequence of digits obtained by catenating EB(w) and A. An active eavesdropper C may now intercept the pair (EA(EA(w)B), A) in Step 2. Thus, C knows EA(w'), where w' = EA(w)B. C now sends A the pair (EA(EA(w')C), A) and A, thinking that this is Step 1 of the protocol, acknowledges by sending the pair (EC(EC(w')A), C) to C. C now finds out w' and hence also EA(w) by using DC, after which C sends the pair (EA(EA(w)C), A) to A. After A has acknowledged by sending the pair (EC(EC(w)A), C) to C, C is able to compute w. Of course, A may learn about the interception and be more cautious by keeping a detailed record of messages sent and received.
We discuss finally in this section a signature scheme based on the identities i of users in a network. The identity i can be based, for instance, on the user's name and network address. The identity should identify the user and be available to the other users. It serves the purpose of a public encryption key. The scheme assumes also the existence of a trusted agency, whose sole purpose is to give each user a secret number x, based on the user's identity i. This happens when the user joins the network. More specifically, let n, e and d be as in RSA, and f be a one-way function of two variables. The items n, e and f are made public, but d and the factorization of n are known only to the agency. The secret number given by the agency to the user with the identity i is x = (i^d, mod n). The user's signature for a message w is any pair (s, t) such that
s^e ≡ i · t^{f(t,w)} (mod n). (*)
Given a triple (w, s, t), this condition can be verified by the other users because i, n, e and f are public information. On the other hand, a user can generate a signature (s, t) for a message w by choosing a random number r and computing
t = (r^e, mod n) and s = (x · r^{f(t,w)}, mod n).
Since x^e ≡ i (mod n), the verification condition (*) follows. The function f is used for a cryptographic hashing of t and w.
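The identity-based scheme just described, as an added example that is not the book's code: the agency issues x = (i^d, mod n), a user signs with (s, t) as above, and anyone verifies (*) from i, n, e and f. The RSA primes are small constructed values and f(t, w) is taken to be SHA-256 of t and w; both are assumptions about details the text leaves open.

```python
"""Identity-based signatures of this section.  Added example, not the book's
code.  Assumptions: the agency's primes p, q are small constructed values,
and the one-way function f(t, w) is SHA-256 over t and w read as an integer."""
import hashlib
from math import gcd

# Trusted agency's RSA parameters (constructed; far too small for real use).
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # known to the agency only


def f(t, w):
    """One-way function of two variables: SHA-256 of t and w, as an integer."""
    data = str(t).encode() + b"|" + w.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def identity_number(name):
    """Public identity i derived from the user's name; must be coprime to n."""
    i = int.from_bytes(name.encode(), "big") % N
    assert i > 1 and gcd(i, N) == 1
    return i


def agency_issue_secret(i):
    """When the user joins, the agency hands over x = (i^d, mod n)."""
    return pow(i, D, N)


def sign(x, w, r):
    """Signature (s, t) for message w with a fresh random r:
    t = (r^e, mod n) and s = (x * r^f(t, w), mod n)."""
    t = pow(r, E, N)
    s = x * pow(r, f(t, w), N) % N
    return s, t


def verify(i, w, s, t):
    """Condition (*): s^e == i * t^f(t, w) (mod n), using public data only."""
    return pow(s, E, N) == i * pow(t, f(t, w), N) % N


if __name__ == "__main__":
    alice = identity_number("alice")
    x_alice = agency_issue_secret(alice)
    s, t = sign(x_alice, "transfer 10", r=123456789)
    print("valid:", verify(alice, "transfer 10", s, t))
    print("tampered message rejected:", not verify(alice, "transfer 11", s, t))
```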
6.2 Coin Flipping by Telephone. Poker Revisited
In some cryptographic protocols it is required that the parties, perhaps located far apart, generate together a random sequence, without the assistance of a trusted referee. If the number of parties is two, this amounts to flipping a coin by telephone. Clearly, A and B cannot do this in the simple way that one of them tosses a coin and tells the result over the telephone to the other. Absolute honesty would then be required. On the other hand, if one of the parties is accompanied by a trusted referee, coin tossing presents no problems. A well-known illustration of the situation, due to M. Blum, is the following. A(lice) and B(ob) have just divorced and live in different cities. They want to decide who gets the car by flipping a coin. No suitable referee is available. The goal A and B want to achieve can also be depicted using the following model of flipping a coin in a well. A and B stand far apart from each other. B is standing by a deep well with very clear water. When A tosses a coin into the well (hopefully not missing it!) then B knows the outcome of the flip but is unable to change it. On the other hand, A does not know the outcome. Thus, B just tells A what the outcome is. The outcome is possibly used for some purpose. Later on A may come and look into the well to check whether or not the information given by B was correct. Basically it does not matter whether A or B flips the coin into the well. However, the model described above is intended to capture the essence of flipping a coin by telephone. This is hardly feasible if only one of the parties is active. The following protocol shows how A flips a coin to B by telephone. At first only B knows the outcome and tells it to A. (The outcome might determine the instructions for a certain part of a more extensive protocol.) Later on A may check that the information given by B about the outcome was correct.
Step 1: A chooses two large primes p and q and tells their product n = pq to B.
Step 2: B chooses a random number u from the interval (1, n/2) and tells A the square z = (u^2, mod n).
Step 3: A computes ±x and ±y, the four square roots of z (mod n). This is possible because A knows the factorization of n. Let x' be the smaller of the numbers (x, mod n) and (−x, mod n). Let y' be defined similarly from ±y. Observe that u = x' or u = y'.
Step 4: A guesses whether u = x' or u = y'. More specifically, A finds the smallest number i such that the i-th bit of x' differs from the i-th bit of y' and tells B one of the two guesses "the i-th bit in your number u is 0" or "the i-th bit in your number u is 1".
Step 5: B tells A whether the guess was correct (heads) or wrong (tails).
Step 6: Later B lets A come "near the well" by telling the number u.
Step 7: A releases the factorization of n.
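Steps 1 to 6 of this protocol run end to end, with A's check of the disclosed u and the gcd computation that shows why A must reveal only one bit of her guess. This is an added example, not the book's code; it assumes A picks p ≡ q ≡ 3 (mod 4) so that the square roots in Step 3 are a single exponentiation (the text only requires that A knows the factorization), and p, q, u are small constructed values.

```python
"""Blum's coin flip by telephone (Steps 1-7 above) as an added example, not
the book's code.  Assumption: A picks p = q = 3 (mod 4), so square roots
mod p and mod q are one exponentiation (the text only requires that A knows
the factorization).  p, q and u are small constructed values for readability."""
from math import gcd


def sqrt_mod_blum_prime(z, p):
    """Square root of the residue z modulo a prime p = 3 (mod 4)."""
    assert p % 4 == 3
    r = pow(z, (p + 1) // 4, p)
    assert r * r % p == z % p, "z is not a quadratic residue mod p"
    return r


def crt(rp, rq, p, q):
    """The number mod pq that is rp mod p and rq mod q."""
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)


def four_square_roots(z, p, q):
    """Step 3: the four square roots x, -x, y, -y of z (mod n) from the trapdoor."""
    n = p * q
    a, b = sqrt_mod_blum_prime(z, p), sqrt_mod_blum_prime(z, q)
    x = crt(a, b, p, q)
    y = crt(a, (-b) % q, p, q)
    return x, (-x) % n, y, (-y) % n


def first_differing_bit(x1, y1):
    """Step 4: smallest i such that bit i of x' and y' differ (bit 0 is lowest)."""
    i = 0
    while (x1 >> i) & 1 == (y1 >> i) & 1:
        i += 1
    return i


def flip(p, q, u, guess):
    """Run Steps 1-5; `guess` is the bit value A announces in Step 4.
    Returns (heads, x', y', i) so that B's later disclosure can be checked."""
    n = p * q                                # Step 1: A tells B n = pq
    assert 1 < u < n / 2 and gcd(u, n) == 1  # Step 2: B's secret u
    z = u * u % n                            # B tells A z = u^2 mod n
    x, minus_x, y, minus_y = four_square_roots(z, p, q)   # Step 3
    x1, y1 = min(x, minus_x), min(y, minus_y)
    assert u in (x1, y1)                     # u < n/2 is the smaller root of its pair
    i = first_differing_bit(x1, y1)          # Step 4: A's one-bit guess
    heads = ((u >> i) & 1) == guess          # Step 5: B says correct (heads) or wrong
    return heads, x1, y1, i


def check_disclosure(u, z, n, i, guess, heads):
    """Step 6: A verifies that the disclosed u matches z and B's Step-5 answer."""
    return u * u % n == z and (((u >> i) & 1) == guess) == heads


def factor_from_roots(x1, y1, n):
    """Why A reveals only one bit: with both x' and y', gcd(x' - y', n) splits n."""
    return gcd(x1 - y1, n)


if __name__ == "__main__":
    p, q, u = 11, 19, 37
    heads, x1, y1, i = flip(p, q, u, guess=1)
    print("x' =", x1, "y' =", y1, "bit", i, "heads" if heads else "tails")
    print("with both roots B could factor n:", factor_from_roots(x1, y1, p * q))
```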
Clearly, A has no way of knowing u and, hence, the guess is a real one. If B could cheat by changing the number u after A's guess, then he would be in the possession of both x' and y' and, hence, could factorize n by computing the greatest common divisor of x' − y' and n. Also to avoid this, A tells only one bit of her guess in Step 4, rather than telling the entire x' or y'. The protocol relies on the assumption that factoring is difficult. Indeed, one can say that most of the theory of cryptographic protocols is dangerously dependent on the difficulty of this single problem. Many protocols have been presented for coin flipping by telephone. The following is a general scheme. A and B both know a (supposedly) one-way function f but not the inverse f^{-1}. B chooses a random number x and tells A the value f(x). A makes a guess about some 50-50 property of the number x. (For instance: Is x even or odd?) B tells A whether or not the guess was correct. Later on, B tells A the number x. The following protocol is somewhat different from the protocol above, although it is based on similar ideas and assumptions. It uses some number-theoretic
facts concerning the Jacobi symbol (a/n) (see Appendix B). Assume that n = pq as before. Consider numbers a such that 0 < a < n and (a, n) = 1. Exactly half of such numbers a satisfy (a/n) = 1 and, again, exactly half of the numbers satisfying the latter condition are quadratic residues (mod n). The value of the Jacobi symbol is easily computable. Whether or not a is a quadratic residue (mod n) can be easily computed only if p and q are known. The protocol runs as follows. B chooses p and q and tells A their product n, as well as a random number a such that (a/n) = 1. A guesses whether or not a is a quadratic residue (mod n). B tells A whether or not the guess was correct. Later on, B lets A "come near the well" by disclosing p and q. Here it is essential that A checks that the disclosed p and q are indeed primes. (This observation is due to Juha Honkala.) Otherwise, B could cheat as follows. To start with, B chooses three primes p1, p2, q1 and a number a such that (a/p1) = (a/p2) = −1 and (a/q1) = +1. Assume that A's right guess is interpreted as "heads" and her wrong guess as "tails". If B wants "heads", he proceeds as follows. If A says "residue", B discloses p = p1p2 and q = q1. If A says "nonresidue", B discloses p = p1 and q = p2q1. If B wants "tails", he proceeds as follows. If A says "residue", B discloses p = p1, q = p2q1. If A says "nonresidue", B discloses p = p1p2, q = q1. Coin flipping can be naturally extended to the case where A flips a number x to B. This means flipping x bit by bit. After the process B knows x but A knows only the number of bits in x. The idea of flipping a number can be applied to obtain a safer protocol, [GM], for playing poker by telephone. The 52 cards are represented as 6-bit numbers. Any polynomial-time algorithm for guessing with at least 51% probability a specific bit of the opponent's card can be rewritten as a random polynomial-time algorithm for factoring n = pq. The protocol makes use of the number-theoretic fact that (a/n) = −(b/n) whenever a and b are different square roots of the same number (mod n) and, moreover, p ≡ q ≡ 3 (mod 4). ("Different" means here that a ≢ ±b (mod n).) We now give a brief description of the protocol. For i = 1, . . . , 52, A chooses two large primes pi and qi satisfying pi ≡ qi ≡ 3 (mod 4) and computes their product ni = piqi. She shuffles her pack and associates the number ni to the i-th card in the shuffled pack. The i-th card is represented as a 6-tuple (t1, t2, . . . , t6), where each tj is a random number with (tj/ni) = 1 and, moreover, tj is a quadratic residue (mod ni) exactly in case the j-th bit in the binary representation of the i-th card equals 1. A tells B all of the 52 6-tuples together with the numbers ni (but does not tell pi and qi).
B shuffles his pack, constructs and tells A an analogous representation of his cards, using large primes $r_i$ and $s_i$ and their products $m_i$, for i = 1, ..., 52. To deal one card to B, A flips 52 numbers $x_i$ to B. Thus, B knows $x_i$ for i = 1, ..., 52, but A does not know any of the numbers $x_i$ at the moment. B tells A the numbers $(x_i^2, \bmod n_i)$ together with $\left(\frac{x_i}{n_i}\right)$, except for one particular value i = k. For i = k, B tells A the numbers $(x_k^2, \bmod n_k)$ and $-\left(\frac{x_k}{n_k}\right)$. A can compute square roots because she knows the factorization of $n_i$. A now tells B the particular square root of $x_i^2$ whose Jacobi symbol was given her by B. Observe that A has no way of knowing the particular value i = k. But for this value, B has obtained sufficient information to factor $n_k$. Indeed, B knows two different square roots of the same number (mod $n_k$). Therefore, B can decrypt the k-th card in A’s pack. This will be one of his cards. For values i ≠ k B has received no additional information. Finally, B removes the card dealt to him from his own pack and informs A which card was removed. A is not able to decrypt this information and, thus, cannot tell what the removed card was. B now deals to A one card from his pack following the same procedure. Since there are only 51 cards left in B’s pack, he flips only 51 numbers to A. The procedure is continued until five cards have been dealt to both participants. (The procedure is readily modified to the customary variants of draw poker.) After the game all secret information is released. It is easy to see how eventual cheating will be found out at this stage. For instance, it will be found out if a participant has taken more than one card in one step, although temporarily it is possible to announce more than one exceptional Jacobi symbol. Considering all the details about flipping numbers, working with quadratic residues, etc., the protocol is altogether very complicated.
6.3 How to Share a Secret
This section is an interlude in the sense that actually no protocol will be presented. However, the technique discussed is used also in many cryptographic protocols. We say that t parties $A_i$, i = 1, ..., t, k-share a secret c, 1 < k ≤ t, iff the following conditions (1)-(3) are satisfied.
(1) Each $A_i$ knows some information $a_i$ not known to the parties $A_j$, j ≠ i.
(2) The secret c can be easily computed from any k of the $a_i$’s.
(3) The knowledge of any k − 1 of the $a_i$’s, no matter which ones they are, leaves c undetermined.
A set $\{a_1, \ldots, a_t\}$ satisfying (2)-(3) is referred to as a (k, t) threshold scheme for c. A possible setup for managing c will be discussed in Example 6.1. The practical applicability of threshold schemes is obvious. For instance, c might contain instructions for some crucial action. To initiate this action, the
consensus of at least k parties is needed. On the other hand, any k parties may undertake the action quite independently of whether the other parties agree or disagree. Examples from different areas of mathematics can be given, where an object is determined by k facts from a certain collection of facts, any additional facts being superfluous. Such examples can be used for the construction of threshold schemes. Perhaps the simplest and also very easily presentable example is based on modular arithmetic and the Chinese Remainder Theorem. Let $m_i$, i = 1, ..., t, be integers > 1 such that $(m_i, m_j) = 1$ whenever i ≠ j. Let $a_i$, i = 1, ..., t, be integers with $0 \le a_i < m_i$. (In fact, the $a_i$’s could equally well be arbitrary integers.) Let M be the product of all the $m_i$’s. Denote further $M_i = M/m_i$, and let $N_i$ be the inverse of $M_i$ (mod $m_i$), for i = 1, ..., t. Thus, $M_i N_i \equiv 1 \pmod{m_i}$. The inverse exists and is immediately found by Euclid’s algorithm because $(M_i, m_i) = 1$. The congruences $x \equiv a_i \pmod{m_i}$, i = 1, ..., t, possess a simultaneous solution

$$x = \sum_{i=1}^{t} a_i M_i N_i .$$

Moreover, the solution is unique in the sense that any other solution y satisfies (y, mod M) = (x, mod M).
(Observe that this gives also a proof for the Chinese Remainder Theorem. Clearly, any two solutions must be congruent to each other (mod M). It is obvious that x is a solution because $M_i$ is divisible by every $m_j$ with j ≠ i.) Let now k be fixed, 1 < k ≤ t. Denote by min(k) the smallest product with k distinct factors $m_i$. Thus, $\min(k) = m_1 \cdots m_k$ if the $m_i$’s are in increasing order. Similarly, denote by max(k − 1) the largest product with k − 1 factors $m_i$. We assume that

(*) $\min(k) - \max(k-1) \ge 3 \cdot \max(k-1)$.

(Preferably, the $m_i$’s are chosen in such a way that this difference is large.) Let c be an integer satisfying $\max(k-1) < c < \min(k)$. Define the numbers $a_i$ by $a_i = (c, \bmod m_i)$, i = 1, ..., t.
Theorem 6.1. The set $\{a_1, \ldots, a_t\}$ is a (k, t) threshold scheme for c.
Proof. Assume first that any k of the $a_i$’s, say $a_1, \ldots, a_k$, are known. Denote $M' = m_1 \cdots m_k$, $M_i' = M'/m_i$, i = 1, ..., k, and let $N_i'$ be the inverse of $M_i'$ (mod $m_i$). Defining

$$y = \sum_{i=1}^{k} a_i M_i' N_i' ,$$
we infer by the Chinese Remainder Theorem that $y \equiv c \pmod{M'}$. Since $M' \ge \min(k) > c$, we obtain $c = (y, \bmod M')$, which shows how c can be computed from the numbers $a_1, \ldots, a_k$. Assume, secondly, that only k − 1 of the $a_i$’s, say $a_1, \ldots, a_{k-1}$, are known. We define y as before, this time using only the moduli $m_1, \ldots, m_{k-1}$, and conclude that $y \equiv c \pmod{m_1 \cdots m_{k-1}}$. But now this leaves many possibilities for c, because of (*). Indeed, there are altogether

(**) $\left\lfloor \dfrac{\min(k) - \max(k-1) - 1}{m_1 \cdots m_{k-1}} \right\rfloor$
possibilities, which is a very large number if the $m_i$’s are large and close to one another.
Example 6.1. Choose k = 3, t = 5 and $m_1 = 97$, $m_2 = 98$, $m_3 = 99$, $m_4 = 101$, $m_5 = 103$. Then min(k) = 941094, max(k − 1) = 10403, and (**) ranges between 89 and 97, depending on the choice of the two $m_i$’s. The highest value 97 is obtained for the product $m_1 m_2 = 9506$, and the lowest value 89 for the product 10403. The secret c is a number satisfying 10403 < c < 941094. Assume that a central agency knows c and has given the parties $A_i$ the values $a_1 = 62$, $a_2 = 4$, $a_3 = 50$, $a_4 = 50$, $a_5 = 38$. The moduli $m_i$ can be assumed to be public, or else one can assume that each $m_i$ is known to the party $A_i$ only. In the latter case the central agency who handles the secret c and gives the partial information to the parties $A_i$ has also taken care that the $m_i$’s satisfy the required conditions. Assume now that $A_2$, $A_3$ and $A_4$ want to combine their knowledge to find out c. First they compute $M_2' = 9999$, $M_3' = 9898$, $M_4' = 9702$, $N_2' = 33$, $N_3' = 49$, $N_4' = 17$. Hence, $y = 4 \cdot 9999 \cdot 33 + 50 \cdot 9898 \cdot 49 + 50 \cdot 9702 \cdot 17 = 33816668$ and, consequently, $c = (y, \bmod 98 \cdot 99 \cdot 101) = (y, \bmod 979902) = 500000$.
Similarly, if $A_1$, $A_4$ and $A_5$ want to find out c, they compute $M_1' = 10403$, $M_4' = 9991$, $M_5' = 9797$, $N_1' = 93$, $N_4' = 63$, $N_5' = 43$, $y = 62 \cdot 10403 \cdot 93 + 50 \cdot 9991 \cdot 63 + 38 \cdot 9797 \cdot 43 = 107463646$, $c = (y, \bmod 97 \cdot 101 \cdot 103) = 500000$. On the other hand, $A_2$ and $A_5$ only find out that $y = 4 \cdot 103 \cdot 59 + 38 \cdot 98 \cdot 41 = 176992 \equiv 5394 \equiv c \pmod{10094}$, after which $A_2$ and $A_5$ know only that c is one of the numbers $5394 + i \cdot 10094$, $1 \le i \le 92$, even if they know all the moduli $m_i$. The correct value of i is i = 49. Similarly, if $A_3$ and $A_4$ combine their knowledge, they find out that $y = 50 \cdot 101 \cdot 50 + 50 \cdot 99 \cdot 50 = 500000 \equiv 50 \pmod{9999}$. This tells them, provided they know the moduli $m_i$, that c is one of the numbers $50 + i \cdot 9999$, $2 \le i \le 94$. Of course, they have no way of knowing that they actually hit the correct value of c when computing y! □
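The scheme of Theorem 6.1 with the numbers of Example 6.1, as an added Python example (not code from the book): it hands out the shares $a_i = (c, \bmod m_i)$, reconstructs c from any three of them by the Chinese Remainder Theorem, and lists the candidates (**) that two parties are left with. Moduli, secret and shares are those of Example 6.1; nothing else is assumed.

```python
from itertools import combinations
from math import prod


def crt_combine(shares):
    """shares: list of (a_i, m_i) with pairwise coprime m_i.
    Returns (y, M') with y = sum a_i * M_i' * N_i' reduced mod M' = prod m_i,
    exactly the y of the proof of Theorem 6.1."""
    m_prime = prod(m for _, m in shares)
    y = 0
    for a, m in shares:
        big = m_prime // m            # M_i'
        inv = pow(big, -1, m)         # N_i': inverse of M_i' (mod m_i), exists since gcd = 1
        y += a * big * inv
    return y % m_prime, m_prime


def bounds(moduli, k):
    """min(k) = product of the k smallest moduli, max(k-1) = product of the k-1 largest."""
    ms = sorted(moduli)
    return prod(ms[:k]), prod(ms[-(k - 1):])


def make_shares(secret, moduli, k):
    """Central agency: check max(k-1) < c < min(k) and condition (*), then give
    a_i = (c, mod m_i) to party A_i."""
    min_k, max_k1 = bounds(moduli, k)
    if not max_k1 < secret < min_k:
        raise ValueError("secret must satisfy max(k-1) < c < min(k)")
    if min_k - max_k1 < 3 * max_k1:
        raise ValueError("condition (*) fails: min(k) - max(k-1) is too small")
    return [secret % m for m in moduli]


def recover(shares):
    """Any k parties: c = (y, mod M'), because M' >= min(k) > c."""
    y, _ = crt_combine(shares)
    return y


def candidates(shares, moduli, k):
    """What k-1 parties learn: every c in (max(k-1), min(k)) with c = y (mod m_1 ... m_{k-1}).
    The length of this list is the count (**)."""
    min_k, max_k1 = bounds(moduli, k)
    y, m_part = crt_combine(shares)
    first = max_k1 + 1 + (y - (max_k1 + 1)) % m_part   # smallest candidate above max(k-1)
    return list(range(first, min_k, m_part))


def worst_and_best_case(moduli, k):
    """Range of (**) over all choices of k-1 moduli (89 ... 97 in Example 6.1)."""
    min_k, max_k1 = bounds(moduli, k)
    counts = [(min_k - max_k1 - 1) // prod(c) for c in combinations(moduli, k - 1)]
    return min(counts), max(counts)


if __name__ == "__main__":
    moduli, secret, k = [97, 98, 99, 101, 103], 500000, 3
    print("shares:", make_shares(secret, moduli, k))                 # [62, 4, 50, 50, 38]
    print("A2, A3, A4 recover:", recover([(4, 98), (50, 99), (50, 101)]))
    print("A2, A5 are left with", len(candidates([(4, 98), (38, 103)], moduli, k)), "values")
```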
6.4 Partial Disclosure of Secrets
A rapidly developing area with a wide range of applications consists of problems of the following type. Two or more parties are in the possession of secrets. To achieve a common goal, they want to share some information but not too much. A protocol has to be designed for this purpose. What makes the situation different from the sharing of secrets discussed in Section 6.3 is that in the latter some of the parties wanted to disclose their secrets entirely, in order to achieve the information c. Now all of the parties cooperate but disclose their secrets only partially. (Moreover, we do not assume the existence of a central agency. However, such an agency is not needed in Section 6.3 if the moduli are publicized.) A general setup for partial disclosure of secrets can be defined as follows. The parties $A_1, \ldots, A_t$, t ≥ 2, each know the definition of a function $f(x_1, \ldots, x_t)$. Here each variable ranges over a finite initial segment of the set of natural numbers, and the values of f are natural numbers. Thus, the function f can be defined in terms of a table. Each of the parties $A_i$ knows a specific value $a_i$ belonging to the range of $x_i$, but $A_i$ has no information in regard to the values $a_j$ for j ≠ i. The parties $A_1, \ldots, A_t$ want to compute the function value $f(a_1, \ldots, a_t)$ without giving away any additional information about their own values $a_i$. In other words, a protocol has to be designed such that, after running through the protocol, all the parties $A_i$ know the function value $f(a_1, \ldots, a_t)$ but no party has given away any
additional information about the value $a_i$. Here additional refers to any information not obtainable from the function value $f(a_1, \ldots, a_t)$. Of course, the whole matter becomes trivial if an impartial referee is used. For instance, consider

$$f(x_1, x_2, x_3) = \begin{cases} 1 & \text{if some } x_i \text{ is not prime,} \\ \text{smallest prime among the arguments} & \text{otherwise.} \end{cases}$$

If $a_1 = 19$ and $f(a_1, a_2, a_3) = 17$, then $A_1$ knows that one of $a_2$ and $a_3$ equals 17, and the other is a prime ≥ 17. If $a_1 = 4$ and $f(a_1, a_2, a_3) = 1$, then $A_1$ has no information whatsoever about the numbers $a_2$ and $a_3$. Protocols have been designed for problems of this type. Security issues are difficult to formalize in the general case: in particular, the issue of collective cheating where some parties form a coalition to cheat the others. On the other hand, such protocols open entirely new vistas for confidential communication. For instance, new types of secret votings can be carried out. Some members of a council might have the right of veto. With the new protocols, nobody knows whether a negative decision is based on the majority, or on somebody using the veto-right, or on both! Consider a specific example. The parties $S_1, S_2, P_1, \ldots, P_t$, where t is odd, want to make a yes or no decision. All parties can vote yes or no. In addition, $S_1$ and $S_2$ have the possibility of using “super-votes” S-yes and S-no. It has been agreed in advance that the majority decides if no super-votes are cast. In case of a single or two equivalent super-votes, all ordinary votes are ignored. In case of two contradicting super-votes, the majority of the ordinary votes decides. Such a voting can be visualized as arising in the United Nations, with $S_1$ and $S_2$ having super-votes. For instance, assume that the votes are cast according to the table

$S_1$: S-yes, $S_2$: no, $P_2$: yes, $P_3$: yes, $P_4$: yes, $P_5$: yes (the vote of $P_1$ is not legible in the scan).

After the execution of the protocol, all parties know the result. $S_1$ does not know that the result would have been the same also if they had cast a no vote. $S_2$ does not know that they could not change the result. The parties $P_i$ do not know that their votes did not influence the decision. After the execution of the protocol with the votes

$S_1$: S-yes, $S_2$: S-no, $P_1$: yes, $P_2$: no, $P_3$: yes, $P_4$: no, $P_5$: no,

$S_1$ knows that $S_2$ cast an S-no vote and that the majority of the “ordinary powers” $P_i$ cast a no vote. The problem of secret voting with super-votes can be immediately formulated using the general setup for computing the value of a function, and so can the following problem for which we will also describe a protocol in detail. A (lice) and B (ob) want to find out who is older without learning anything else about each other’s age. How can they carry out a conversation satisfying this requirement?
Let us be more specific. We want to design a protocol for the following conversation. At the beginning A knows the integer i and B knows the integer j, namely, the integers indicating A’s and B’s ages in years. At the end of the conversation, both A and B know whether i ≥ j or i < j, but A and B have obtained no further information about j and i, respectively. The problem we are considering is often stated in the following form. Two millionaires want to know who is richer without obtaining any additional information about each other’s wealth. We assume that the ages are between one and one hundred years, that is, i and j range over the integers from 1 to 100. The following protocol is based on a public-key cryptosystem. Thus, B knows A’s encryption key $E_A$ but not her decryption key $D_A$.
Step 1: B chooses a large random number x and privately computes the value $E_A(x) = k$.
Step 2: B tells A the number k − j.
Step 3: A privately computes the numbers $y_u = D_A(k - j + u)$ for 1 ≤ u ≤ 100. Then A chooses a large random prime p. (The approximate size of p is somewhat smaller than the size of x. The approximate sizes of p and x have been agreed upon in advance.) A privately computes the numbers $z_u = (y_u, \bmod p)$, 1 ≤ u ≤ 100. She verifies that, for all u and all v ≠ u,

(*) $|z_u - z_v| \ge 2$ and $0 < z_u < p - 1$.

If this is not the case, A chooses another prime until she succeeds.
Step 4: A tells B the sequence of numbers (in this order)

(**) $z_1, \ldots, z_i, z_{i+1} + 1, z_{i+2} + 1, \ldots, z_{100} + 1, p$.

Step 5: B checks whether or not the j-th number in the sequence is congruent to x (mod p). If it is, he concludes that i ≥ j. If it is not, he concludes that i < j.
Step 6: B tells A the conclusion.
The conclusion in Step 5 is correct because the j-th number $z_j'$ in (**) satisfies the conditions: i ≥ j implies $z_j' = z_j \equiv y_j \equiv x \pmod p$, and i < j implies $z_j' = z_j + 1 \not\equiv z_j \equiv y_j \equiv x \pmod p$.
The condition (*) guarantees that no number appears twice in the sequence (**). (The addition of 1 does not matter because the positive difference of any two z’s is ≥ 2.) The scrambling of the numbers $y_u$ (mod p) is necessary. If A would simply tell B the sequence $y_1, \ldots, y_i, y_{i+1} + 1, y_{i+2} + 1, \ldots, y_{100} + 1$, then B could find i by applying $E_A$ to this sequence, since B knows the numbers k − j + u, 1 ≤ u ≤ 100.

$y_u = D_A(15 + u)$, 1 ≤ u ≤ 4, and, hence, $y_1 = 26$, $y_2 = 18$, $y_3 = 2$, $y_4 = 39$. Scrambling with the modulus p = 31 yields $z_1 = 26$, $z_2 = 18$, $z_3 = 2$, $z_4 = 8$. (This p is not to be confused with the factor of n.) After observing that the z’s satisfy (*), A tells B in Step 4 the sequence 26, 18, 3, 9, 31. B observes that 9 ≢ 39 = x (mod 31) and concludes that i < j. If the modulus 23 is used for scrambling, then $z_1 = 3$, $z_2 = 18$, $z_3 = 2$, $z_4 = 16$ and, thus, (*) is not satisfied. B receives in Step 4 the sequence 3, 18, 3, 17, 23, and knows that i < 3.
Suppose, secondly, that i = j = 2. If B chooses x = 48 then k − j = 25 and, consequently, $y_1 = 31$, $y_2 = 48$, $y_3 = 7$, $y_4 = 24$. If p = 13, then B receives in Step 4 the sequence 5, 9, 8, 12, 13 and, after computing 9 ≡ 48 = x (mod 13), concludes that i ≥ j. □
The reader might want to consider some other public-key cryptosystem as the basis for the age protocol. It is also easy to become convinced that the protocol cannot be carried out within the framework of classical cryptography, that is, without using a one-way function. The parties have to transmit to each other some exact information in such a form that the information cannot be disclosed from the message.
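The age protocol above, run end to end on the numbers of the worked example, as an added Python example (not code from the book). Assumption: the RSA system of Example 4.1 with n = 55, e = 7, d = 23, which reproduces the values $y_1, \ldots, y_4$ = 26, 18, 2, 39 quoted above; ages are restricted to 1..4 as in the example, and the function leak_without_scrambling is a hypothetical name illustrating the remark on why Step 3 reduces mod p.

```python
N, E, D = 55, 7, 23       # A's public key (N, E) and private exponent D (toy sizes, assumed)
MAX_AGE = 4               # the example's age range 1..MAX_AGE (100 in the real protocol)


def enc(m):               # E_A, known to B
    return pow(m, E, N)


def dec(c):               # D_A, known only to A
    return pow(c, D, N)


def step3_scramble(k_minus_j, p):
    """A's private work: y_u = D_A(k - j + u) and z_u = (y_u, mod p) for 1 <= u <= MAX_AGE,
    plus the check (*): |z_u - z_v| >= 2 for all u != v, and 0 < z_u < p - 1.
    k - j + u is reduced mod N because D_A acts on residues."""
    ys = [dec((k_minus_j + u) % N) for u in range(1, MAX_AGE + 1)]
    zs = [y % p for y in ys]
    separated = all(abs(zs[u] - zs[v]) >= 2 for u in range(len(zs)) for v in range(u))
    in_range = all(0 < z < p - 1 for z in zs)
    return ys, zs, separated and in_range


def step4_sequence(zs, i, p):
    """The sequence (**): z_1, ..., z_i unchanged, then z_{i+1} + 1, ..., z_MAX + 1, then p."""
    return [z if u < i else z + 1 for u, z in enumerate(zs)] + [p]


def step5_conclude(seq, j, x):
    """B's test: is the j-th number congruent to x (mod p)?"""
    p = seq[-1]
    return "i >= j" if seq[j - 1] % p == x % p else "i < j"


def run_protocol(i, j, x, primes):
    """Whole exchange; A tries the scrambling primes in order until (*) holds.
    Returns (B's conclusion, the sequence A sent)."""
    k = enc(x)                                 # Step 1 (B, privately)
    k_minus_j = k - j                          # Step 2 (B tells A)
    for p in primes:                           # Step 3 (A, privately)
        _, zs, ok = step3_scramble(k_minus_j, p)
        if ok:
            break
    else:
        raise RuntimeError("no prime in the list satisfies (*)")
    seq = step4_sequence(zs, i, p)             # Step 4 (A tells B)
    return step5_conclude(seq, j, x), seq      # Steps 5 and 6 (B)


def leak_without_scrambling(k_minus_j, i):
    """Why Step 3 scrambles mod p: if A sent y_1, ..., y_i, y_{i+1} + 1, ... in the clear,
    B could re-encrypt each entry, compare with k - j + u and read off i directly."""
    ys = [dec((k_minus_j + u) % N) for u in range(1, MAX_AGE + 1)]
    sent = [y if u < i else y + 1 for u, y in enumerate(ys)]
    for u, value in enumerate(sent, start=1):
        if enc(value % N) != (k_minus_j + u) % N:
            return u - 1                       # first altered position reveals i
    return MAX_AGE


if __name__ == "__main__":
    print(run_protocol(2, 4, 39, [23, 31]))    # ('i < j', [26, 18, 3, 9, 31])
    print(run_protocol(2, 2, 48, [13]))        # ('i >= j', [5, 9, 8, 12, 13])
```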
6.5 Oblivious Transfer
We now consider another variant of confidential communication. A party A possessing a secret wants to transfer the secret to another party B in such a way that, after the protocol, A does not know whether B got the secret but B knows it. The probability for such an oblivious transfer being successful could be, for instance, 50%. A modified version of oblivious transfer is that A possesses several secrets. She wants to transfer one of them to B in such a way that only B knows which of the secrets was transferred. There are numerous situations where the need for such oblivious transfers might occur. A could be a seller of secrets who has listed a number of questions and offers to sell the answer to any of them at a huge price which we assume to be the same for each of the secrets. The secrets could be of political importance, for instance, concerning the whereabouts of a sought-after person. B wants to buy a secret but does not want to disclose which one. For instance, B might be an agent of a superpower. Disclosing the ignorance of the superpower concerning a specific matter might be delicate or even dangerous. It should be emphasized that all constraints involved in partial disclosure of secrets and oblivious transfer can be easily met with the help of an additional party, namely, a trusted referee. All information is given to the referee who distributes it to the communicating parties according to the constraints. The importance of the protocols lies in the fact that the trusted referee becomes unnecessary. This is the basic issue why protocols based on public-key cryptography open new vistas for communication. In many cases it is impossible to find a referee trusted by all parties. Who would be a referee trusted by the superpowers?
Consider first the case where A wants to transfer obliviously a secret to B. We assume that the secret is the factorization of the product n of two large primes. In
fact, this is no loss of generality because the secret can be anything encrypted using an RSA cryptosystem. Then the knowledge of the factorization opens the secret. The following protocol is rather simple and is based on the fact met before (for instance, in Section 6.2) that the knowledge of two different square roots (mod n) of the same number enables one to factor n.
Step 1: B chooses a number x and tells the number $(x^2, \bmod n)$ to A.
Step 2: A (who knows the factorization n = pq) computes the four square roots ±x, ±y of $x^2$ (mod n) and tells one of them to B. (Observe that A knows only the square and, thus, she has no way of knowing which of the square roots is x.)
Step 3: B checks whether the square root he got in Step 2 is congruent to ±x (mod n). If this is the case, B got no new information. Otherwise, B has two different square roots of the same number (mod n) and, hence, is able to factor n. A has no way of knowing whether or not this is the case.
Obviously, the probability of A hitting a square root correct from B’s point of view equals 1/2. We now present another protocol for oblivious transfer. The setup is more general than before. A has two secrets $s_0$ and $s_1$. She transfers one of them to B but does not know which one B got. The previous setup is obtained by letting $s_1$ be a triviality. Moreover, the new protocol is non-interactive: B sends nothing to A. The transfer can be carried out between any two users A and B of some system. All users of the system know some large prime p, a generator g of $F^*(p)$ and a number c but nobody knows the discrete logarithm of c. In general, we assume that computing discrete logarithms is intractable: one cannot compute $(g^{xy}, \bmod p)$ from $(g^x, \bmod p)$ and $(g^y, \bmod p)$. Since in the following discussion arithmetic is carried out modulo p, we write, for instance, $g^x$ rather than $(g^x, \bmod p)$. A user, say B, computes his public encryption and secret decryption keys as follows. B picks randomly a bit i and a number x, 0 ≤ x ≤ p − 2, and computes

$$\beta_i = g^x \quad \text{and} \quad \beta_{1-i} = c\,(g^x)^{-1} .$$

His public encryption key is now $(\beta_0, \beta_1)$ and his secret decryption key (i, x). Since the discrete logarithm of c is unknown, B cannot know the discrete logarithms of both $\beta_0$ and $\beta_1$. Moreover, the public encryption key does not reveal which of the two discrete logarithms B knows. Before sending B anything, A checks that his public encryption key is correctly formed: the equation $\beta_0 \beta_1 = c$ should hold. For bit sequences $s_1$ and $s_2$ of equal length, $s_1 \,\mathrm{XOR}\, s_2$ is the sequence obtained from $s_1$ and $s_2$ by bitwise addition (without carry). By adding 0’s to the beginning of the shorter sequence, the lengths of two bit sequences can always be made equal. XOR refers to exclusive or: bitwise addition amounts to exclusive disjunction when 0 and 1 are interpreted as truth values. We are now ready for the non-interactive oblivious transfer of either $s_0$ or $s_1$, assumed to be binary integers.
Step 1: A picks randomly $y_0$ and $y_1$ from the interval [0, p − 2] and computes, for j = 0, 1, $\alpha_j = g^{y_j}$, $\gamma_j = \beta_j^{y_j}$, $r_j = s_j \,\mathrm{XOR}\, \gamma_j$. She sends $\alpha_0$, $\alpha_1$, $r_0$ and $r_1$ to B.
Step 2: Using his secret decryption key, B computes

$$\alpha_i^{x} = g^{x y_i} = \beta_i^{y_i} = \gamma_i , \qquad s_i = \gamma_i \,\mathrm{XOR}\, r_i .$$
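The non-interactive oblivious transfer just described, as an added Python example (not code from the book). Assumptions: toy public parameters p = 65537 with generator g = 3 and a fixed constant c = 31337; in a real system c is produced so that nobody knows $\log_g c$, and for a prime this small the logarithm is of course easy, so only the protocol structure and A's well-formedness check are demonstrated. Secrets are integers below $2^{16}$ so that XOR with $\gamma_j$ covers them.

```python
import secrets

P = 65537          # public prime (toy size, assumed)
G = 3              # generator of F*(p); 3 is a primitive root mod 65537
C = 31337          # public constant whose discrete log is supposed to be unknown to everyone


def receiver_keygen(i, x=None):
    """B's keys: beta_i = g^x, beta_{1-i} = c (g^x)^{-1}.
    Public key (beta_0, beta_1), secret key (i, x)."""
    if x is None:
        x = secrets.randbelow(P - 1)           # 0 <= x <= p - 2
    beta = [0, 0]
    beta[i] = pow(G, x, P)
    beta[1 - i] = C * pow(beta[i], -1, P) % P
    return (beta[0], beta[1]), (i, x)


def sender_check(pub):
    """A's well-formedness check: beta_0 * beta_1 = c (mod p)."""
    return pub[0] * pub[1] % P == C


def sender_transfer(pub, s0, s1, ys=None):
    """Step 1: alpha_j = g^{y_j}, gamma_j = beta_j^{y_j}, r_j = s_j XOR gamma_j.
    A sends (alpha_0, alpha_1, r_0, r_1) and learns nothing about which beta_j B can open."""
    if not sender_check(pub):
        raise ValueError("public key is not of the form (beta, c / beta)")
    if ys is None:
        ys = [secrets.randbelow(P - 1), secrets.randbelow(P - 1)]
    alpha = [pow(G, y, P) for y in ys]
    gamma = [pow(b, y, P) for b, y in zip(pub, ys)]
    r = [s ^ g for s, g in zip((s0, s1), gamma)]
    return alpha, r


def receiver_recover(sec, msg):
    """Step 2: alpha_i^x = g^{x y_i} = beta_i^{y_i} = gamma_i, then s_i = gamma_i XOR r_i.
    gamma_{1-i} would need the discrete logarithm of beta_{1-i}, which B does not have."""
    i, x = sec
    alpha, r = msg
    gamma_i = pow(alpha[i], x, P)
    return gamma_i ^ r[i]


def dishonest_keygen(x0, x1):
    """A receiver who picks both betas as powers he knows: beta_0 * beta_1 = g^{x0 + x1},
    which equals c only if he knows log_g(c); A's check rejects the key."""
    return (pow(G, x0, P), pow(G, x1, P)), (0, x0)


if __name__ == "__main__":
    pub, sec = receiver_keygen(1)
    msg = sender_transfer(pub, 0xBEEF, 0xCAFE)
    print(hex(receiver_recover(sec, msg)))     # 0xcafe: B chose i = 1 and gets s_1 only
```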
We have met earlier passive and active eavesdroppers. In formal definitions and proofs concerning the security of protocols it is necessary to distinguish between passive and active cheaters. The former follow the protocol but try to obtain more information than actually intended. A typical example of a passive cheater is the poker player described in Section 6.1 who uses the fact that aces are quadratic residues. An active cheater may do anything and not follow the protocol at all. An example is a person using a false age in the age protocol. It is intuitively clear that there can be very little security in a protocol if most of the parties are active cheaters. On the other hand, a good protocol should exclude the possibility of passive cheating. Let us now go back to oblivious transfers and investigate how A who possesses several secrets can transfer one of them to B in such a way that only B knows which of the secrets was transferred. Assume that we have to take care of passive cheating only. Assume that $s_1, \ldots, s_k$ are A’s secrets, where each $s_j$ is a sequence of bits. Thus, A has publicized the secrets, for instance, as a list of questions, and the sequences $s_j$ provide the answers. The protocol now runs as follows.
Step 1: A tells B a one-way function f but keeps $f^{-1}$ to herself.
Step 2: B has decided to buy the secret $s_i$. He chooses k random values $x_1, \ldots, x_k$ from f’s domain and tells A the k-tuple $(y_1, \ldots, y_k)$, where
Step 3: A computes $z_j = f^{-1}(y_j)$, j = 1, ..., k, and tells B the numbers $z_j \,\mathrm{XOR}\, s_j$, j = 1, ..., k.
Step 4: B knows $z_i = f^{-1}(f(x_i)) = x_i$ and, hence, is able to compute $s_i$.
Observe that B has no information about $z_j$, for j ≠ i, and consequently is not able to compute any $s_j$, j ≠ i. A has no way of distinguishing the exceptional value $y_i$. This concerns passive cheating. Of course, if B is an active cheater and deviates from the protocol, he can learn more secrets by presenting several of the numbers $y_j$ in the form $f(x_j)$. The above protocol uses an abstract one-way function f. Instead, we may assume that the secrets are encrypted using RSA, each secret by a different
RSA-system. Thus, disclosing a secret amounts to factoring the corresponding modulus. The protocol is based on the same idea as the poker protocol discussed in Section 6.2. Thus, A has publicized in advance a list telling what the k secrets are all about.
Step 1: A constructs k RSA-systems such that in each system the two primes $p_j$ and $q_j$ are congruent to 3 (mod 4). (This guarantees that two different square roots modulo $n_j = p_j q_j$ of the same number have different Jacobi symbols.) She tells B the encryption keys $(e_j, n_j)$, j = 1, ..., k, as well as the secrets in the encrypted form $(s_j^{e_j}, \bmod n_j)$, j = 1, ..., k. Numerical encoding and eventual block division of the secrets have been agreed upon in advance.
Step 2: B chooses k numbers $x_1, \ldots, x_k$, computes the Jacobi symbols $\left(\frac{x_j}{n_j}\right)$ and the squares $(x_j^2, \bmod n_j)$, j = 1, ..., k. He tells A the squares and the corresponding Jacobi symbols, with the following exception. If B has chosen to buy the secret $s_i$, he tells A the square $(x_i^2, \bmod n_i)$ and the Jacobi symbol $-\left(\frac{x_i}{n_i}\right)$.
Step 3: In all k cases, A computes the square roots and tells B the square root whose Jacobi symbol she received in Step 2.
Step 4: B has now two different square roots of $x_i^2$ (mod $n_i$) and, consequently, is able to factor $n_i$, find the decryption exponent $d_i$ and the secret $s_i$.
For indices j ≠ i, B received no new information in Step 3 because he only got back the square root he already had. A has no way of distinguishing the specific index i. Under the assumption of RSA being secure, the above remarks concerning passive cheaters are applicable also now. B can cheat actively in Step 2 by choosing several exceptional indices i.
Example 6.3. We refer to Example 4.1. Assume that A wants to transfer obliviously the factorization of n = 2773. Suppose B tells A the number 2562 in Step 1 of the protocol. A then computes the four square roots as follows. Since A knows the factors 47 and 59 of 2773, she computes the numbers (2562, mod 47) = 24 and (2562, mod 59) = 25. The square roots of 24 modulo 47 are ±27. The square roots of 25 modulo 59 are ±5. Since the inverse of 59 (mod 47) equals 4 and the inverse of 47 (mod 59) equals 54, the Chinese Remainder Theorem yields $\pm 27 \cdot 59 \cdot 4 \pm 5 \cdot 47 \cdot 54$ as the four square roots, or 349, 772, 2001 and 2424 after reduction (mod 2773). If B originally had 2001, he gets in Step 2 decisive new information if A returns 349 or 2424, whereas B gets nothing new if A returns 772 or 2001.
Assume next that A sells secrets, encrypted using RSA systems in the way explained in the last protocol above. Assume further that the modulus used in the encryption of some secret s is n = 2773 and that B has chosen in Step 2 the number 2001 and computed the square 2562. B is able to compute the Jacobi symbol $\left(\frac{2001}{2773}\right) = -1$ without factoring. If B wants to buy s, he tells A the pair (2562, 1) and gets back either 349 or 2424 in Step 3. Since 47 (but not 59) divides both 349 + 2001 and 2424 − 2001, B is able to factor n. If B does not want to buy s, he tells A the pair (2562, −1) and obtains no new information in Step 3. The following observation concerns the very simple RSA system with the modulus n = 55, discussed at the beginning of Example 4.1. Assume that B has chosen in Step 2 the number 2, for which (2/55) = 1. If B wants to buy the corresponding secret, he tells A the pair (4, −1). He might then get back in Step 3 the number 53 which is nothing new for him. On the other hand, he might not want to buy the secret and tells A the pair (4, 1) and still gets back in Step 3 the number 13 which enables him to factor n. The reason for these confusions is that one of the factors of n is not congruent to 3 modulo 4, as it should be according to the protocol. □
Let us go back to the secret selling of secrets, where we now assume that also active cheating is possible. Clearly, the situation cannot be under control if both A and B are active cheaters. (In all protocols like this one, it is customary to assume that at most half of the parties are active cheaters.) We assume that B is the eventual active cheater. To prevent active cheating, the protocol is basically modified as follows. B has to commit himself to a specific action, that is to specify which particular one of the secrets he wants to buy. The commitment may be “locked in a box” using a one-way function, but in the course of the protocol B has to convince A that he is acting according to the commitment. This he should do without disclosing any information about the action itself, a typical case of a minimum disclosure or zero-knowledge proof. The latter will be discussed in Sections 6.7 and 6.8. We now give the protocol in a very much simpler form that still makes active cheating highly improbable.
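The square-root computation of Example 6.3, the Jacobi symbol B computes without factoring, and the reason the protocol insists on p ≡ q ≡ 3 (mod 4), as an added Python example (not code from the book). It reproduces the four roots 349, 772, 2001, 2424 of 2562 modulo 2773, A's Step 3 reply, B's factoring in Step 4 and the n = 55 anomaly; the same Jacobi routine is what the coin-flipping and poker protocols of Section 6.2 rely on. All numbers are the page's own; the function names are this example's.

```python
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity; no factoring needed."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                 # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def sqrt_mod_prime_3mod4(a, p):
    """A square root of the residue a modulo a prime p = 3 (mod 4): a^((p+1)/4)."""
    if p % 4 != 3:
        raise ValueError("formula needs p = 3 (mod 4)")
    return pow(a, (p + 1) // 4, p)


def four_roots(a, p, q):
    """All four square roots of a modulo n = pq (p, q = 3 mod 4), glued by the CRT exactly
    as in Example 6.3: +/- r_p * q * (q^-1 mod p) +/- r_q * p * (p^-1 mod q)."""
    n = p * q
    rp, rq = sqrt_mod_prime_3mod4(a % p, p), sqrt_mod_prime_3mod4(a % q, q)
    cp, cq = q * pow(q, -1, p), p * pow(p, -1, q)
    return sorted({(sp * cp + sq * cq) % n for sp in (rp, p - rp) for sq in (rq, q - rq)})


def step2_message(x, n, buy):
    """B's Step 2: the square of x and its Jacobi symbol, negated when he buys this secret."""
    sym = jacobi(x, n)
    return x * x % n, (-sym if buy else sym)


def step3_reply(square, symbol, p, q):
    """A's Step 3: a square root whose Jacobi symbol is the one B sent."""
    n = p * q
    return next(r for r in four_roots(square, p, q) if jacobi(r, n) == symbol)


def step4_factor(n, x, r):
    """B's Step 4: with a root r != +/- x of x^2, gcd(x - r, n) is a proper factor of n;
    returns None when r = +/- x, i.e. when B learned nothing."""
    f = gcd(x - r, n)
    return f if 1 < f < n else None


def negation_keeps_symbol(n):
    """(-1/n) = 1 exactly when n = 1 (mod 4). For n = pq with p = q = 3 (mod 4) this holds,
    so x and -x share a Jacobi symbol and the symbol singles out the other root pair;
    for n = 55 = 5 * 11 it fails, which is the confusion noted in the text."""
    return jacobi(n - 1, n) == 1


if __name__ == "__main__":
    print(four_roots(2562, 47, 59))                  # [349, 772, 2001, 2424]
    square, symbol = step2_message(2001, 2773, buy=True)
    reply = step3_reply(square, symbol, 47, 59)      # 349 (or 2424): symbol +1
    print(square, symbol, reply, step4_factor(2773, 2001, reply))
```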
We use the notion of flipping a number in the same sense as in Section 6.2. As before, $s_1, \ldots, s_k$ are A’s secrets.
Step 1: A flips to B k numbers $x_1, \ldots, x_k$. The number of bits in the x’s has been agreed upon in advance. It may be assumed to coincide with the number of bits in the s’s.
Step 2: A tells B a one-way function f but keeps the inverse $f^{-1}$ to herself.
Step 3: If B has decided to buy the secret $s_i$, he computes $f(x_i)$. Some bits in $f(x_i)$ coincide with the corresponding bits in $x_i$. Let these be the bits in positions $u_1, \ldots, u_t$, counted from the beginning.
Step 4: B tells A the bit in $x_\alpha$ in position $u_\beta$, for all 1 ≤ α ≤ k and 1 ≤ β ≤ t. He does this in such a way that A can verify the information. For instance, if the first coin flipping protocol from Section 6.2 has been followed, B tells in each case his original square root.
Step 5: B tells A the k-tuple $(y_1, \ldots, y_k)$, where
A verifies that the information is in accordance with Step 4.
Step 6: A tells B the numbers $f^{-1}(y_j) \,\mathrm{XOR}\, s_j$, j = 1, ..., k.
The above protocol is based on the fact that the number t in Step 3 is approximately half of the number of bits in $x_i$. (It is assumed that f has a reasonably random behavior.) If B would choose two exceptional $y_j$’s in Step 5, the number of “stable” bits would be too small because B has committed himself to the x’s produced in Step 1 and also has to validate the commitment later on. A may cheat by computing, for each j, the positions of the bits for which $y_j$ and $f^{-1}(y_j)$ coincide. For j = i, the positions are the ones communicated to A in Step 4, whereas for j ≠ i the positions are different with an overwhelming probability. A simple way to overcome this difficulty is to consider two buyers B and C. As before, A has the secrets $s_1, \ldots, s_k$. The parties A, B, C do not form coalitions.
Step 1: A tells B and C individually one-way functions f and g but keeps the inverses to herself.
Step 2: B tells C (resp. C tells B) k random numbers $x_1, \ldots, x_k$ (resp. $x_1', \ldots, x_k'$). The numbers need not be flipped, and they have as many bits as the s’s.
Step 3: B (resp. C) computes $f(x_b)$ (resp. $g(x_c)$) for his chosen index b (resp. c). The function and argument values are compared with respect to “fixed points”, that is, bits remaining invariant in the transition from $x_b$ to $f(x_b)$ (resp. from $x_c$ to $g(x_c)$).
Step 4: B tells C (resp. C tells B) the indices of the fixed points. Call these indices stable for B (resp. for C).
Step 5: B (resp. C) tells A the numbers $y_1, \ldots, y_k$ (resp. $y_1', \ldots, y_k'$), where the y’s result from the x’s by changing every bit, whose index is not stable for C (resp. for B), to its complement.
Step 6: A tells to B (resp. to C) the numbers
f- (yJ)XORsj (resp. g - (yj)XOR sj),
j = 1,
. . . ,k .
Clearly, B and C learn the secret they want. This follows because y_b = f(x_b) and y_c = g(x_c). A does not learn anything about the choices, and neither do B and C learn anything about each other's choices, since they know only their own one-way function. Attempts to choose more than one secret fail with an overwhelming probability because of Step 5, provided the number of bits in the s's is not very small.

In another simple protocol for secret selling of secrets A and B both use their own cryptosystem. The systems may be classical but they should be chosen from a collection where the individual encryptions and decryptions commute.

Step 1: B gives A random bit sequences y_1, ..., y_k (of the same length as the secrets s_i).

Step 2: A gives B the bit sequences z_j = E_A(s_j XOR y_j), j = 1, ..., k.

Step 3: B, having chosen the i-th secret and knowing the order of the z's, gives A the bit sequence x = E_B(z_i).

Step 4: A gives B the bit sequence D_A(x).

Step 5: B computes D_B D_A(x) = s_i XOR y_i, from which he, knowing y_i, learns s_i.
A possible way of cheating for B is to choose some combination of z's instead of z_i in Step 3 and, thus, to try to learn something about several secrets. The possibilities of success depend on the encryption method E_A. The following is a further modification of oblivious transfer, often referred to as combined oblivious transfer. A and B possess secrets a and b, respectively, and g is any previously chosen function. During the protocol, B computes g(a, b), while A has no idea what B has computed. In other words, A obliviously transfers a prescribed combination of her and B's secret to B.
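The five-step protocol with commuting cryptosystems, as an added example that is not the book's code: A's and B's systems are taken to be exponentiation ciphers modulo a prime p (a constructed choice, as are the prime, exponents and sample secrets), and the last function checks the cheating route just mentioned, a combination of z's, against this particular E_A.

```python
"""Secret selling of secrets with commuting cryptosystems (Steps 1-5 above).

Added example, not from the book. A's and B's systems are exponentiation
ciphers modulo a prime p: E(m) = m^e mod p, D(c) = c^d mod p with
e*d = 1 (mod p-1). Because (m^e1)^e2 = (m^e2)^e1, the encryptions and
decryptions of A and B commute, which is all the protocol needs. The prime,
the exponents and the sample secrets are constructed for illustration.
"""
import secrets
from math import gcd

P = 2**31 - 1     # Mersenne prime; secrets and y's are 30-bit, so s XOR y < P
NBITS = 30        # common length of the secrets s_j and of B's sequences y_j


def keygen():
    """An exponent pair (e, d): e coprime to p-1, d its inverse mod p-1."""
    while True:
        e = secrets.randbelow(P - 2) + 2
        if gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)


def enc(m, e):
    return pow(m, e, P)


def dec(c, d):
    return pow(c, d, P)


def sell_secret(secrets_a, i):
    """B buys the i-th secret (0-based). Returns what B learns and A's view."""
    e_a, d_a = keygen()                      # A's cryptosystem
    e_b, d_b = keygen()                      # B's cryptosystem
    # Step 1: B gives A random bit sequences y_1, ..., y_k
    ys = [secrets.randbits(NBITS) for _ in secrets_a]
    # Step 2: A gives B z_j = E_A(s_j XOR y_j)
    zs = [enc(s ^ y, e_a) for s, y in zip(secrets_a, ys)]
    # Step 3: B sends x = E_B(z_i); A sees a random-looking residue only
    x = enc(zs[i], e_b)
    # Step 4: A returns D_A(x) = D_A(E_B(E_A(m))) = E_B(m) by commutativity
    reply = dec(x, d_a)
    # Step 5: B computes D_B(D_A(x)) = s_i XOR y_i and removes his own y_i
    learned = dec(reply, d_b) ^ ys[i]
    return learned, {"ys": ys, "x": x}


def combination_leaks_product(secrets_a):
    """The cheating route the text mentions: B sends a combination of z's.
    For this multiplicative E_A, D_A(z_1 * z_2) = D_A(z_1) * D_A(z_2), so a
    dishonest B would learn the product of two masked secrets. Returns True
    when the leak exists; a non-malleable E_A is needed to make it False."""
    e_a, d_a = keygen()
    ys = [secrets.randbits(NBITS) for _ in secrets_a]
    zs = [enc(s ^ y, e_a) for s, y in zip(secrets_a, ys)]
    combined = dec(zs[0] * zs[1] % P, d_a)
    return combined == dec(zs[0], d_a) * dec(zs[1], d_a) % P
```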
6.6 Applications: Banking and Ballots

Some of the protocols discussed in this chapter seem somewhat artificial or designed for rarely occurring situations. However, similar protocols are needed and to some extent already used for important frequently occurring purposes. Some examples will be outlined in this section. The choice of a particular protocol is always a compromise between various security issues and the complexity in executing the protocol. Nowadays, in cashless payment systems, the amount of transaction data and their computerization drastically increases. This development will continue when
home banking becomes more common. In most cases, such payment systems are completely unacceptable, since the banks and even the computer manufacturers can easily observe who pays what amount to whom and when. Payment systems guaranteeing security against fraud, and also enabling unobservability of clients, are necessary. Measures of jurisdiction alone are insufficient, since infringements can hardly be discovered. For instance, the following requirements are connected with the unobservability of clients. Each payment should be secret from an eavesdropper. Unless the client wishes otherwise, each of his/her actions should be unlinkable to actions that have taken place earlier. The client should be able to do business anonymously: the banks and the client's business partners should not be able to find out his/her identity. One might also require that it is possible for a payer to make off-line payments to arbitrary payees in a way that the latter can verify the payment without using the network. Since a trusted referee is impractical in a big system, such requirements lead to protocol problems similar to the ones considered in this chapter. We do not enter the details. The reader is referred, for instance, to [BuP], for a general model of unobservable payment systems.

Cryptographic protocols can also be utilized in devising the arrangements through which the voters signal their opinions. Arrangements aimed at assuring secrecy are of special importance as regards elections through a network. In secret balloting systems the transmission of messages should be secured against eavesdroppers. Moreover, in some cases also authentication is needed. We assume that these requirements are taken care of and focus the attention on specific issues dealing with balloting. In particular, we consider the following four issues.

(i) Only legitimized voters should cast a vote.
(ii) The ballots should be kept secret.
(iii) Nobody is allowed more than one vote.
(iv) Every voter should be able to verify that his/her vote has been taken into account in the computation of the electoral outcome.

A protocol satisfying (i)-(iv) is effective against at least the most obvious forms of electoral fraud. A straightforward protocol would be based on an agency that checks the legitimization of each voter, and computes and publicizes the electoral outcome. Assume, further, that each voter sends a secret identification number together with the vote and that the outcome is publicized by issuing a list of sets

(*) R_1, ..., R_k,

where R_i, 1 ≤ i ≤ k, is the set of secret identifications of those voters who voted for the i-th candidate or, more generally, adopted the i-th voting strategy. Then the conditions (i)-(iv) are satisfied with the exception that (ii) is violated in the sense that the agency knows how each voter voted. This violation becomes impossible if there are two agencies: one for legitimization (L) and the other for computing and publishing the outcome (C). The agency L sends to the agency C the set N of all identification numbers of voters but there is no further contact between the two agencies. Then the protocol for a voter A is as follows.

Step 1: A sends a message, for instance, "hello I'm A" to L.
Step 2: If A is allowed to vote, L sends an identification number i(A) to A and also removes A from the set of electors. If A is not allowed to vote, L sends a message "reject" to A.

Step 3: A chooses a secret identification s(A) and sends C the triple (i(A), v(A), s(A)), where v(A) is A's vote.

Step 4: C finds out whether or not i(A) is in the set N. If it is, C removes i(A) from N and adds s(A) to the set of electors who voted for v(A). If it is not, C does nothing.

Step 5: At a previously specified time, C computes and publicizes over the network the outcome, as well as the list (*).

To add security, some public-key cryptosystem may be used in Steps 1-3. Messages are sent authenticated and encrypted by the receiver's public encryption key. A person B who is not a legitimized voter may try to cheat by guessing an identification number i(B). Similarly, a legitimized voter A may try to cheat by guessing further identification numbers. Such attempts are not likely to succeed if proper identification numbers are sparse among all conceivable numbers, say, 10^6 identification numbers are distributed among the first integers. If identification numbers are defined to be numbers of the form 10n + i_n, n = 1, 2, ..., where i_n is the n-th decimal in the decimal expansion of π, they are not sparse enough.

The above protocol is vulnerable to the collusion of agencies L and C. Clearly, the combined knowledge of L and C discloses how each voter voted. A much more sophisticated protocol is needed to overcome this difficulty. The protocol is based on the secret selling of secrets discussed in Section 6.5. Since the agencies cheat by cooperating, we assume as well that there is only one agency C which replaces L in the above protocol. The only other difference is that in Step 2 an eligible voter A "buys" secretly from C an identification number. This means that all possible identification numbers are publicized by C in an encrypted form. C then decrypts one of them for A but does not know which one. The probability of two voters buying the same number can be made negligible by choosing many more encrypted numbers than there are voters. On the other hand, even the encrypted numbers should be sparse among the numbers the electors might guess. It is to be added that the agency C is not at all needed if ideas presented in Section 6.4 are used. A more detailed account of secret balloting systems will be given in Section 6.10.
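The two-agency protocol of Steps 1-5 as an added simulation, not the book's code: L hands out sparse identification numbers, C receives only the set N, and each voter checks her own s(A) in the published list (*). Voter names, candidates and the 64-bit identification space are constructed.

```python
"""The two-agency balloting protocol (Steps 1-5 above), as an added simulation
that is not the book's code. L legitimizes voters and issues identification
numbers i(A); C receives only the set N from L, honours each i(A) once and
publishes the lists R_i of secret identifications; every voter then checks
her own s(A) in the published list (*). Names, candidates and the 64-bit
identification space are constructed for the run below."""
import secrets

ID_BITS = 64   # i(A) and s(A) come from 2**64 values: sparse enough against guessing


class AgencyL:
    def __init__(self, electors):
        self.electors = set(electors)
        self.N = set()                        # all identification numbers issued

    def request(self, name):
        """Steps 1 and 2: "hello I'm A" -> i(A), or "reject"; A is then struck
        from the electors so that a second request is refused."""
        if name not in self.electors:
            return "reject"
        self.electors.remove(name)
        ident = secrets.randbits(ID_BITS)
        self.N.add(ident)
        return ident


class AgencyC:
    def __init__(self, N, candidates):
        self.N = set(N)                       # the only message ever received from L
        self.R = {c: set() for c in candidates}   # R_i: secret ids that voted i

    def cast(self, ident, vote, s):
        """Steps 3 and 4: accept (i(A), v(A), s(A)) iff i(A) is still in N."""
        if ident not in self.N or vote not in self.R:
            return False                      # guessed or reused number: C does nothing
        self.N.remove(ident)
        self.R[vote].add(s)
        return True

    def publish(self):
        """Step 5: the outcome together with the list (*) of the sets R_i."""
        return {c: len(ids) for c, ids in self.R.items()}, self.R


def run_election(electors, ballots, candidates):
    """ballots is a list of (voter, vote). Returns the tally, each accepted
    voter's own check of condition (iv), and the rejected attempts."""
    L = AgencyL(electors)
    idents = {}
    for name, _ in ballots:
        if name not in idents:
            idents[name] = L.request(name)
    C = AgencyC(L.N, candidates)              # L -> C: the set N, nothing else
    rejected, own = [], {}
    for name, vote in ballots:
        s = secrets.randbits(ID_BITS)         # A's secret identification s(A)
        if idents[name] == "reject" or not C.cast(idents[name], vote, s):
            rejected.append(name)             # not legitimized, or voting twice
            continue
        own[name] = (vote, s)
    tally, lists = C.publish()
    verified = {name: s in lists[vote] for name, (vote, s) in own.items()}
    return tally, verified, rejected
```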
6.7 Convincing Proofs with No Details

In the next three sections we focus the attention on the following challenging and fascinating problem. Assume that P ("the Prover", Peter) knows some information. It could be a proof of a long-standing conjecture (such as Fermat's Last Theorem), the prime factorization of a large integer, a 3-coloring of a graph,
a password or an identification number. The essential thing is that P's information is verifiable: there is an effective procedure for checking its validity. In connection with a mathematical theorem this implies that the proof is given in some formal system, where every step of the proof can be validated. P would like to convince V ("the Verifier", Vera), beyond any reasonable doubt, that he is in the possession of this information. P could simply disclose this information so that V could do the checking herself. If the information consists of the prime factors p and q of a large integer n, P could tell V the numbers p and q, and V could convince herself that n = pq. This is a maximum disclosure proof, where V actually learns the information and can later on show it to someone else and even claim that she factored n herself. In a minimum disclosure proof P convinces V that he has the information, but this happens in a way that does not reveal a bit of the information and, consequently, does not in any way help V to determine the information. V is almost sure (because the probability of P cheating can be made arbitrarily small) that P has the information, say, the two factors of n. But V has no idea about the factors themselves and cannot tell anything about them to a third party. A very simple minimum disclosure proof about the knowledge of the factors of n is the following.

Step 1: V chooses a random integer x and tells (x^4, mod n) to P.

Step 2: P tells (x^2, mod n) to V.

V obtains no information new to her because she can square x herself. On the other hand, we know that extracting square roots is equivalent to factoring n. In Step 2, P not only has to extract a square root of x^4 but the particular one among the four square roots that is a quadratic residue (mod n). Determining quadratic residuosity is also intractable without knowing the factors of n.
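The two-step proof above, as an added example that is not the book's code: P uses the factors to pick, among the four square roots of x^4, the one that is a quadratic residue, and V compares it with her own x^2. The factors are a constructed choice, two Mersenne primes that are both 3 (mod 4) so that square roots mod each prime are a^((p+1)/4).

```python
"""Minimum disclosure proof of knowing the factors of n = pq (Steps 1 and 2).

Added example, not the book's code. V sends (x^4, mod n); P, knowing p and q,
returns the one square root of x^4 that is itself a quadratic residue mod n,
which must be (x^2, mod n), a value V computes herself. The primes are
constructed: two Mersenne primes, both = 3 (mod 4), so a square root mod a
prime is a^((prime+1)/4) and exactly one of +root, -root is a residue.
"""
import secrets

P_FACTOR = 2**61 - 1
Q_FACTOR = 2**89 - 1


def is_residue(a, prime):
    """Euler's criterion: a is a quadratic residue iff a^((prime-1)/2) = 1."""
    return pow(a, (prime - 1) // 2, prime) == 1


def crt(rp, rq, p, q):
    """The residue mod pq that is rp mod p and rq mod q."""
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)


def residue_root(a, p, q):
    """P's Step 2: of the four square roots of a mod pq, the one that is a
    quadratic residue mod both p and q. This needs the factors."""
    roots = []
    for prime in (p, q):
        r = pow(a, (prime + 1) // 4, prime)      # a square root of a mod prime
        roots.append(r if is_residue(r, prime) else prime - r)
    return crt(roots[0], roots[1], p, q)


def verifier_round(p, q, x):
    """Step 1: V sends x^4 mod n; she accepts iff P's answer is her own x^2."""
    n = p * q
    challenge = pow(x, 4, n)                     # all V reveals about x
    answer = residue_root(challenge, p, q)
    return answer == pow(x, 2, n)


def run_protocol(p, q, rounds=20):
    """Iterate the two steps; each round's x is fresh randomness from V.
    A prover without the factors has to find a residue square root, which
    is as hard as factoring n, so the chance of passing falls per round."""
    n = p * q
    return all(verifier_round(p, q, secrets.randbelow(n - 2) + 2)
               for _ in range(rounds))
```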
Of course, the possibility of P succeeding without knowing the factors of n can be made still smaller by iterating the protocol. Let us repeat our basic requirements. We assume that the information is the proof of a theorem.
(I) The Prover probably cannot cheat the Verifier. If the Prover does not know a proof of the theorem, his chances of convincing the verifier that he knows a proof are negligible.

(II) The Verifier cannot cheat the Prover. She does not get the slightest hint of the proof, apart from the fact that the Prover knows a proof. In particular, the Verifier cannot prove the theorem to anyone else without proving it herself from scratch.
Protocols satisfying (I) and (II) contradict the common belief that one necessarily gains additional insight into a theorem by getting convinced that it holds. Minimum disclosure proofs yield no such insight. Whatever one can learn from the proof, one can learn from the statement of the theorem.
Minimum disclosure proofs are conceivable even if the Prover has no definite proof to start with but only an argument very likely to be true. For instance, P might have found the numbers p and q by one of the primality tests of Section 4.3 and is quite convinced that n = pq is the prime factorization, although it is possible that p or q can be decomposed further. P can transfer his conviction to V in a minimum disclosure manner, which implies that V is unable to convince a third party. The protocol above was constructed in an ad hoc manner, based on the special interconnection between factoring and extracting square roots. Some general ideas are needed if one wants to construct protocols satisfying (I) and (II) for a large class, such as problems in NP. The crucial idea in the construction will be that of a lockable box. The Verifier cannot open it because the Prover has the key. On the other hand, the Prover has to commit himself to the contents of the box, that is, he cannot change the contents when he opens the box. In fact, the Verifier may watch when the Prover opens the box. For the time being we do not discuss how the boxes are constructed but will return later in this section to this issue. Basically, the hardware consisting of boxes can be replaced by public-key cryptography. Locking information in a box means applying a one-way function to it. The Prover knows the inverse function and applies it when opening the box. His commitment to the box can be verified by applying the one-way function to the plaintext information. Certain assumptions have to be made because public-key cryptography is used. If the boxes are constructed using RSA or discrete logarithms, intractability of factoring or taking discrete logarithms is assumed. In most cases it is possible to change the underlying public-key cryptosystem, so it suffices to assume the existence of a one-way function. Boxes are used in the following minimum disclosure proof of the 3-colorability of a graph.
A 3-coloring of a graph consists of providing the nodes with the colors B (blue), R (red) and W (white) in such a way that no two adjacent (that is, connected by an edge) nodes get the same color. 3-colorability is known to be an NP-complete problem. P wants to convince V that he knows a 3-coloring of a graph G with t nodes 1, ..., t. The protocol has k rounds. Each round consists of 4 steps and proceeds as follows.

Step 1: P prepares and presents to V the following locked boxes B_i, B^c_i, 1 ≤ i ≤ 3t, and B_{ij}, 1 ≤ i < j ≤ 3t. Each of the boxes B_i contains one of the nodes, and each of the boxes B^c_i one of the colors in such a way that, for every pair (i_1, c), where 1 ≤ i_1 ≤ t and c = B, R, W, there is an i such that i_1 is in B_i and c is in B^c_i. Moreover, the pairs (i_1, c) appear in the pairs of boxes (B_i, B^c_i) in a random order. Each of the boxes B_{ij} contains either 0 or 1. 1 appears iff both of the following conditions are satisfied. If i_1 and j_1 appear in the boxes B_i and B_j, respectively, then there is an edge between i_1 and j_1 in G. Moreover, in the Prover's 3-coloring, the color assigned to i_1 (resp. j_1) appears in the box B^c_i (resp. B^c_j). The boxes B_i, B^c_i and B_{ij} are referred to as node, color and edge boxes.
Step 2: V flips a coin and tells P the outcome.

Step 3: (a) If the outcome was "heads", P opens all node and edge boxes. (b) If the outcome was "tails", P opens all color boxes and such edge boxes B_{ij} that the nodes contained in B_i and B_j are assigned the same color in P's 3-coloring.

Step 4: (a) V verifies that she got a copy of G and 2t isolated nodes. If so, she accepts, otherwise rejects. The verification is easy because the opened node boxes tell the proper node labels, so no problem concerning graph isomorphism has to be settled. (b) V verifies that all of the opened 3t(t - 1)/2 edge boxes contain 0 and that each color appears t times in the color boxes. If so, she accepts, otherwise rejects.
The following facts are now obvious. The boxes have to be reconstructed for each round of the protocol. Otherwise, V learns everything in two rounds by choosing (a)- and (b)-lines. If the boxes are always reconstructed, V learns nothing about the coloring. If (a)-line is followed, she gets just a copy of G. If (b)-line is followed, she learns only that in P's 3-coloring of G no two adjacent nodes get the same color and, consequently, P's 3-coloring is a correct one. P always passes the test if he knows a 3-coloring of G. Otherwise, he may try to cheat in two ways. (i) He does not lock in the boxes a description of G but rather of some other graph whose 3-coloring he knows. Then he gets caught if (a)-line is followed. (ii) P uses a false 3-coloring. Then he gets caught if (b)-line is followed. Thus, the probability of a false prover passing k rounds is 2^{-k}, and we have established the following result.
Theorem 6.2. The given protocol for 3-coloring satisfies conditions (I) and (II). As regards (I), the probability of the Prover cheating is 2^{-k}, where k is the number of rounds in the protocol.

Example 6.4. Assume that t = 4, the graph G being depicted below. P knows the following 3-coloring.

[Figure: the graph G on the nodes 1, 2, 3, 4, each node labelled with its color: 1, W; 2, B; 4, R; 3, W.]

P prepares the following node and color boxes.

B_1: 2    B^c_1: W
B_2: 1    B^c_2: R
B_3: 1    B^c_3: W
B_4: 4    B^c_4: B
B_5: 2    B^c_5: R
B_6: 4    B^c_6: W
B_7: 3    B^c_7: B
B_8: 3    B^c_8: R
B_9: 4    B^c_9: R
B_10: 1   B^c_10: B
B_11: 2   B^c_11: B
B_12: 3   B^c_12: W

Moreover, P prepares 66 edge boxes B_{ij} such that the 5 boxes

B_{3,11}, B_{3,9}, B_{9,11}, B_{11,12}, B_{9,12}

contain 1, and the remaining 61 boxes contain 0. If (a)-line is followed, V gets the graph

[Figure: the five edges above drawn between the node boxes 3, 11, 12, 9, together with the eight isolated node boxes 1, 2, 4, 5, 6, 7, 8, 10.]

where we use the indices of the node boxes as labels. The opened node boxes tell V that the labels 3, 11, 12, 9 are, in this order, 1, 2, 3, 4. So V gets the original G without colors and 8 isolated nodes. If (b)-line is followed, the 18 edge boxes opened for V are:

B_{1,3}, B_{1,6}, B_{1,12}, B_{3,6}, B_{3,12}, B_{4,7}, B_{5,9}, B_{6,12}, B_{7,10}, B_{2,5}, B_{4,10}, B_{7,11}, B_{2,8}, B_{4,11}, B_{8,9}, B_{2,9}, B_{5,8}, B_{10,11}.

All of these boxes contain 0, as they should. □
The following protocol is different in the sense that lockable boxes are not used, although they are present implicitly. P wants to convince V that he knows an isomorphism g between two given graphs G_1 and G_2. (By definition, an isomorphism between G_1 and G_2 is a 1-to-1 mapping π of the nodes of G_1 onto the nodes of G_2 that is also edge-invariant: any nodes x and y are adjacent in G_1 iff π(x) and π(y) are adjacent in G_2.) The protocol consists of k rounds of the following three steps.

Step 1: P generates and tells V a random isomorphic copy G_3 of G_1.
Step 2: V asks P to tell her an isomorphism between G_β and G_3, where she has chosen β from the indices 1 and 2.

Step 3: P acts as requested.
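The three steps above together with the Verifier's simulator, as an added example that is not the book's code: graphs are edge sets on nodes 0..n-1, an isomorphism is a list perm with perm[u] the image of u, and the sample G_1, G_2 and the secret isomorphism are constructed.

```python
"""The three-step graph-isomorphism protocol above, with the Verifier's
simulator. Added example, not the book's code: graphs are edge sets on nodes
0..n-1, an isomorphism is a list perm with perm[u] the image of u, and the
sample G_1, G_2 and the secret isomorphism pi used in the test are constructed."""
import random


def graph(pairs):
    return frozenset(frozenset(e) for e in pairs)


def apply_iso(edges, perm):
    """Image of an edge set under the node mapping perm."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in map(tuple, edges))


def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return perm


def iso_from_g2(pi, sigma):
    """Given pi: G_1 -> G_2 and sigma: G_1 -> G_3, the isomorphism G_2 -> G_3
    is sigma composed with the inverse of pi (P knows that inverse)."""
    iso = [None] * len(pi)
    for u in range(len(pi)):
        iso[pi[u]] = sigma[u]
    return iso


def prover_round(g1, pi, n, beta, rng):
    """Steps 1 and 3 on P's side for V's choice beta in {1, 2}: the random
    copy G_3 and the isomorphism from G_beta onto it."""
    sigma = random_perm(n, rng)                  # Step 1: G_3 = sigma(G_1)
    g3 = apply_iso(g1, sigma)
    return g3, (sigma if beta == 1 else iso_from_g2(pi, sigma))


def verify(g_beta, g3, iso):
    """V's check of Step 3: the revealed mapping must carry G_beta onto G_3."""
    return apply_iso(g_beta, iso) == g3


def simulate_round(g1, g2, n, beta, rng):
    """V alone, without P: choose beta first, then G_3 as a random copy of
    G_beta. The triple (G_3, beta, iso) has exactly the distribution of a
    real round, which is why V learns nothing from P."""
    tau = random_perm(n, rng)
    return apply_iso(g1 if beta == 1 else g2, tau), tau


def run(g1, g2, pi, n, rounds, seed):
    """k rounds with V's coins drawn from seed; True iff P passed all of them."""
    rng = random.Random(seed)
    for _ in range(rounds):
        beta = rng.choice((1, 2))                # Step 2
        g3, iso = prover_round(g1, pi, n, beta, rng)
        if not verify(g1 if beta == 1 else g2, g3, iso):
            return False
    return True
```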
If P knows an isomorphism between G_1 and G_2, Step 3 will always be easy for him because he knows also the inverse of the isomorphism of G_1 onto G_3. Otherwise, P is in trouble if β = 2. One might think that the Verifier learns something if, for instance, G_3 = G_1 and β = 1. The point is that V does not get any information she could not have obtained without the Prover: she could have hit such a fortunate random copy G_3 herself!

The problem of graph non-isomorphism is in Co-NP but it is not known whether it is in NP. Of course, it is in P-SPACE. Using the following simple protocol, P can convince V that he knows that the graphs G_0 and G_1 are not isomorphic.

Step 1: V generates a random sequence of bits i_1, ..., i_m and random graphs H_{i_1}, ..., H_{i_m} such that always H_{i_j} is isomorphic to G_{i_j}. V tells P the sequence of graphs H_{i_j}.

Step 2: P tells V the sequence of bits i_1, ..., i_m.

Clearly, P has no way of knowing the sequence of bits if the original graphs G_0 and G_1 are isomorphic. In this case, the probability of P getting caught in Step 2 equals 1 - 2^{-m}. If G_0 and G_1 are not isomorphic and P has enough computing power to settle the problem of graph isomorphism, V will be convinced. According to a very recent result of A. Shamir, P-SPACE is the collection of problems possessing such an interactive proof. More specifically, P has unlimited computing power but V works in polynomial time and has to become convinced with arbitrarily high probability. The result is particularly interesting because a proposed solution for a problem in P-SPACE cannot necessarily be checked in polynomial time. Thus, interaction constitutes here the missing link.

Let us now discuss a possible way of constructing lockable boxes. It is no loss of generality to assume that each box contains only one bit. If it is originally supposed to contain more information, it can be replaced by several boxes that are opened simultaneously. The method described below is based on the assumption that the computation of discrete logarithms (mod p) is intractable. First a large prime p and a generator g of F*(p) are publicized. This means either that P and V agree about p and g or, more generally, that p and g can be used by all parties wishing to engage in minimum disclosure proofs. If there is any doubt of p and g actually being a prime and a generator, we may assume that also the factorization of p - 1 is known, whence the facts concerning p and g can be immediately verified. At the beginning V chooses and tells P a random number r, 1 < r < p - 1. P cannot compute the discrete logarithm of r (mod p), that is, an integer e such that g^e ≡ r (mod p). This follows by our assumption concerning the intractability of
computing discrete logarithms (which is not essentially simpler even if the factorization of p - 1 is known). In order to lock a bit b into a box, P chooses a number y randomly and secretly and tells V the "box": x = (r^b g^y, mod p). Clearly, any element of F*(p) is of the form (g^y, mod p), as well as of the form (r g^y, mod p). This implies that x does not reveal anything of the locked bit b. When P wants to open the box for V, he tells V the "key", that is, y. This does not help V in any way to open other boxes. On the other hand, this method forces P to commit himself to the bit b. He cannot open the box both as 0 and 1. Suppose the contrary: P can choose two numbers y and y' such that

(g^y, mod p) = (r g^{y'}, mod p),

and then later announce y or y' as the key to the box, depending on whether he wants 0 or 1 to appear in the box. But now

r ≡ g^{y - y'} (mod p)

and, consequently, P is able to compute the discrete logarithm of r, which contradicts our assumption. This means that, when locking the bit b into the box, P has committed himself to b and cannot later change b.
6.8 Zero-Knowledge Proofs

We now make a further restriction against the verifier. While we required in the previous section in the condition II that V learns nothing from P's proof, we now require that V learns nothing whatsoever. By definition, a protocol is zero-knowledge iff I and II are satisfied and, moreover, V learns nothing from P that she could not learn by herself without P. In other words, V is able to simulate the protocol as if P were participating although he, in fact, is not. In this definition we assume the existence of one-way functions (in order to construct lockable boxes).

Let us consider another NP-complete problem, namely, the construction of a Hamilton cycle in a graph G. By definition, a cycle (that is, a path with the same start and end nodes) in a graph G is a Hamilton cycle iff it passes through all nodes of G exactly once. The Prover, P, wants to convince the Verifier, V, that he knows a Hamilton cycle in a graph G with t nodes 1, ..., t. The protocol has again k rounds. Each round consists of 4 steps and proceeds as follows.

Step 1: P locks the t nodes of G in a random order into t boxes B_1, ..., B_t. Moreover, P prepares t(t - 1)/2 locked boxes B_{ij}, 1 ≤ i < j ≤ t. The box B_{ij} contains the number 1 if there is an edge in G between the nodes locked in boxes B_i and B_j. If there is no edge between these nodes, B_{ij} contains the number 0. P gives all boxes to V.

Step 2: V flips a coin and tells P the outcome.
Step 3: (a) If the outcome was "heads", P opens all the boxes. (b) If the outcome was "tails", P opens t boxes B_{i_1 i_2}, B_{i_2 i_3}, ..., B_{i_t i_1}, where the indices run cyclically and every index appears exactly twice.

Step 4: (a) V verifies that she got a copy of G. The verification will be easy for her because the opened B_i-boxes tell her the isomorphism used. (b) V verifies that all of the opened boxes contain the number 1.
Everything said about the protocol concerning 3-colorability (before Theorem 6.2) is valid also now: the protocol above satisfies the conditions I and II. Let us now show that the protocol is also zero-knowledge. Assume that V has an algorithm A (running in random polynomial time) to extract some information from her conversation with P. In the following way V can use A to extract the same information even in the absence of P. V first plays the role of P. She flips a coin and, according to the outcome, she either applies an isomorphism to G and locks the result in boxes, or else locks an arbitrary t-cycle in boxes and, just for the fun of it, puts some numbers in other boxes to make the total number of boxes correct. Now, having received the boxes, V plays the role of V. She applies her algorithm A to decide the choice between (a)- and (b)-lines. She either gets the same information as in the presence of a true prover P or learns that P is a false prover. V can do everything in polynomial time. The same argument applies also to the protocol concerning 3-coloring. Hence, we obtain the following result.

Theorem 6.3. The given protocols for 3-coloring and Hamilton cycles are zero-knowledge.

Consider the way of locking the boxes presented at the end of Section 6.7. Then V does not gain anything from the way P commits himself to specific bits or opens the boxes. The boxes are simulatable in the sense that V can do everything just by herself without P being available at all. This concerns both locking and opening the boxes. The situation is different if the k rounds of the protocol are run in parallel. This will be discussed later on in this section.

Suppose P knows a positive solution for a problem in NP, for instance, a solution to a knapsack problem. (Here the term "positive" is to be contrasted with "negative": no solution exists. Our technique is straightforward for positive solutions. Zero-knowledge proofs are possible for negative solutions as well. For instance, a proof that a given knapsack problem possesses no solution has to be carried out within a suitable formalism.) Both of the problems discussed in Theorem 6.3 are NP-complete. This means that any instance of a problem in NP, such as an instance of the knapsack problem, can be reduced in polynomial time to either one of them. This reduction can be carried out also by the Verifier. This result will be stated in the following theorem.
Theorem 6.4. Every positive solution for a problem in NP can be given a zero-knowledge proof.
An interesting variation is obtained if all k rounds in the protocols of Theorem 6.3 are carried out in parallel. This means that P prepares at once k sets of locked boxes, and V asks k questions, one for each set. Assume that V uses the k sets of locked boxes to formulate her questions, for instance, by interpreting the k sets as k numbers, applying a one-way k-place function to these numbers, and using the first k bits of the function value to determine the questions. Then it is conceivable that, although the dialogue might contain no information about P's secret, still the dialogue could not be reconstructed without P. In other words, V could convince a third party about the secret's existence, although she could give no details concerning the secret. In fact, in this parallel version V is not able to simulate k rounds in polynomial time. If the zero-knowledge character is to be maintained even in the parallel version of the protocol, then V should be able to open a locked box both as 0 and as 1. This is precisely what P is not able to do, and the situation can be achieved in some cases if V has additional information. More specifically, we say that the locked boxes are (or the method of locking information into the boxes is) chameleon iff V can simulate whatever she would have seen in the process by which P commits himself to bits and, moreover, V can simulate both the process by which P opens a box as a 0 and the process by which he opens it as a 1.

The boxes based on the discrete logarithm, as described at the end of Section 6.7, are not chameleon. If V, instead of P, chooses the number y, she still cannot open the box for both of the bits. This means that the protocol should not be performed in parallel if it is to be zero-knowledge. This can be seen by the following argument. Assume that V gives the number (2g^e, mod p) = r to P, where she has chosen e by herself. This means that a box locked by P looks like

(r^b g^y, mod p) = (g^{(e + β)b + y}, mod p),

where β is the discrete logarithm of 2 (mod p). Now V can use several boxes of this form to compute a function value to determine, for instance, her challenges to P. How would this be possible without P? V could, of course, fix the numbers y by herself but still, in order to open the box both as 0 and 1, she would have to know β. By our assumption concerning discrete logarithms, she does not know β. The more boxes there are, the greater will the influence of P be. Hence, V cannot play the role of P. The only way V could have created the record of the protocol without P is that she knows herself the thing to be proven, or else she knows the discrete logarithm of 2. If we exclude the second alternative, the record of the protocol can be used to convince a third party about the truth of the thing to be proven.

It is possible to add the chameleon property to the locked boxes. Rather than choosing r randomly, V chooses an exponent e randomly and gives P the number r = (g^e, mod p). Now V knows the discrete logarithm of r and can, if necessary, convince P of this fact by a minimum disclosure proof.
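The discrete-logarithm boxes of the end of Section 6.7 (hiding, the key, and the binding argument r = g^{y-y'}) together with the chameleon choice r = g^e just described, as an added example that is not the book's code. The prime, generator and exponents are constructed toy values, small enough that the hiding property can be exhibited by brute force.

```python
"""Lockable bit boxes from discrete logarithms (end of Section 6.7) and the
chameleon variant described above. Added example, not the book's code; p, g
and all exponents are constructed toy values (p = 2q + 1 is a safe prime, so a
generator of F*(p) can be checked from the known factorization of p - 1).
At this size discrete logarithms are found by brute force, which is used only
to show that every box value has a key for 0 and a key for 1 (hiding)."""
import secrets

P, Q = 2039, 1019                       # toy safe prime p = 2q + 1 (constructed)


def is_generator(g):
    """g generates F*(p) iff g^2 != 1 and g^q != 1, since p - 1 = 2q."""
    return pow(g, 2, P) != 1 and pow(g, Q, P) != 1


G = next(g for g in range(2, P) if is_generator(g))


def lock_bit(b, r, y):
    """P's box for bit b with secret key y: x = (r^b g^y, mod p)."""
    return pow(r, b, P) * pow(G, y, P) % P


def opens_as(x, b, r, y):
    """V's check when P reveals the key y: the box opens as b iff x = r^b g^y."""
    return x == lock_bit(b, r, y)


def both_keys(x, r):
    """Hiding: keys y0, y1 with g^y0 = x and r g^y1 = x both exist, so x says
    nothing about b. Brute force, feasible only because p is tiny; at real
    sizes P cannot find the second key, which is what binds him."""
    y0 = next(y for y in range(P - 1) if pow(G, y, P) == x)
    y1 = next(y for y in range(P - 1) if r * pow(G, y, P) % P == x)
    return y0, y1


def log_from_double_opening(y0, y1):
    """Binding: if P could open one box as 0 with y0 and as 1 with y1, then
    g^y0 = r g^y1, hence r = g^(y0 - y1) and log_g r is exposed. For a
    properly sized p this contradicts the intractability assumption."""
    return (y0 - y1) % (P - 1)


def chameleon_r():
    """V's chameleon choice: r = g^e with the exponent e known to V only."""
    e = secrets.randbelow(P - 3) + 2
    return e, pow(G, e, P)


def chameleon_key(e, b, y, b_new):
    """With r = g^e the box r^b g^y equals g^(e*b + y); V can therefore open
    it as b_new using the key y' = e*b + y - e*b_new (mod p - 1)."""
    return (e * b + y - e * b_new) % (P - 1)
```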
We still consider another very basic NP-complete problem, namely, the satisfiability problem for propositional formulas. The problem remains NP-complete even if we assume that the propositional formulas are in 3-conjunctive normal form, that is, conjunctions of disjunctions, where each disjunction consists of 3 literals. A literal is a propositional variable or its negation. For instance,

(X_1 ∨ X_2 ∨ ¬X_4) ∧ (X_2 ∨ ¬X_3 ∨ X_4) ∧ (¬X_1 ∨ X_2 ∨ X_3) ∧ (¬X_1 ∨ ¬X_2 ∨ ¬X_3) ∧ (¬X_1 ∨ X_3 ∨ X_4) ∧ (¬X_2 ∨ X_3 ∨ X_4)

is a propositional formula in 3-conjunctive normal form with four propositional variables and six clauses. The formula is satisfiable iff there is an assignment of truth-values T (true) and F (false) for the variables for which the formula assumes the truth-value T. In this case, such an assignment is

(*) X_1 = X_3 = X_4 = T, X_2 = F.
When Peter wants to convince Vera in a zero-knowledge manner that he knows a satisfiability assignment, he can do so following Theorem 6.4. We present a more direct method, resembling our discussion concerning 3-colorability. Such a more direct approach is more appropriate because the satisfiability problem is basic in the sense that problems in NP can be reduced to it in a straightforward fashion, see [Sal]. Thus, P and V know a propositional formula α in 3-conjunctive normal form. Assume that α has r propositional variables and t clauses. (We could assume that α is arranged in some alphabetic order but this is not important.) P wants to convince V that he knows an assignment of truth-values for the variables making α true. As an illustration, we consider the formula above and the assignment (*). P first prepares 2r boxes B_i and B^{tv}_i, i = 1, ..., 2r, referred to as variable and truth-value boxes, respectively. For each of the 2r pairs (x, y), where x is a propositional variable and y is a truth-value (T or F), there is an i such that x is locked in B_i and y is locked in B^{tv}_i. Moreover, the pairs (x, y) appear in a random order in the pairs of boxes (B_i, B^{tv}_i). In our illustration, there are 8 pairs of boxes, for instance,

B_1: X_4   B^{tv}_1: T
B_2: X_2   B^{tv}_2: F
B_3: X_1   B^{tv}_3: F
B_4: X_4   B^{tv}_4: F
B_5: X_3   B^{tv}_5: T
B_6: X_3   B^{tv}_6: F
B_7: X_1   B^{tv}_7: T
B_8: X_2   B^{tv}_8: T
Moreover, P prepares (4r)^3 boxes B_{i',j',k'}, where the three indices range from 1 to 2r and from \bar{1} to \bar{2r}, and each box contains either 0 or 1. The number 1 appears in the box B_{i',j',k'} exactly in case i' = i or i' = \bar{i}, j' = j or j' = \bar{j}, k' = k or k' = \bar{k}, α contains a clause, where the three variables are the ones appearing in the boxes B_i, B_j, B_k (in this order and negated if this is indicated by i', j', k') and, in addition, the three truth-values P assigns to these three variables (in his specific satisfiability assignment) are the ones appearing in the boxes B^{tv}_i, B^{tv}_j, B^{tv}_k (in this order). The boxes B_{i',j',k'} are referred to as assignment boxes. Thus, t of them contain the number 1. In our illustration, the six assignment boxes containing the number 1 are

B_{7,2,\bar{1}}, B_{2,\bar{5},1}, B_{\bar{7},2,5}, B_{\bar{7},\bar{2},\bar{5}}, B_{\bar{7},5,1}, B_{\bar{2},5,1}.

We have listed the boxes in the same order as the clauses above. The protocol now runs similarly as the protocol for 3-colorability. In each round of the protocol, P prepares and gives V the locked boxes as described above. V has now two options. If V so desires, P opens for her all the boxes except the truth-value boxes. V learns from the assignment boxes containing the number 1 the original propositional formula α. Thus, she learns that P has used the correct α when locking the boxes but she obtains no information whatever about P's truth-value assignment. V may also ask P to open all truth-value boxes. P then opens for her also all those assignment boxes B_{i',j',k'} where each of the indices is of the form x with F in B^{tv}_x, or of the form \bar{x} with T in B^{tv}_x. If the number 0 appears in all of these boxes, then P's truth-value assignment is correct: no clause getting the value F by this assignment appears in α. Thus, all clauses appearing in α get the value T by P's assignment. V will be convinced about this, although she learns nothing about P's assignment. In our illustration, P opens all assignment boxes, where each of the three indices belongs to the set {2, 3, 4, 6, \bar{1}, \bar{5}, \bar{7}, \bar{8}}. The following result is obtained in the same way as Theorem 6.3: the probability of P cheating is multiplied by 1/2 after the completion of each round.
-
- - - -
Theorem 6.5. The protocol given above for satisfiability is zero-knowledge. Any of Theorems 6.3-6.5 can be used to convert any mathematical proof into a zero-knowledge proof. Suppose you know a proof of, say, Fermat's Last Theorem. Suppose, further, that your proof has been formalized within some proof-theoretic system. This means that there is no "hand-waving" involved: a verifier can check that every step in the proof follows by the rules of the system. Assume, finally, that an upper bound for the length of the proof is given. The proof can be found out by a nondeterministic procedure working in polynomial time. The procedure first guesses the proof and then checks its validity step by step. On the other hand, the procedure (say, a nondeterministic Turing machine) can be described in terms of a propositional formula a in 3-conjunctive normal form such that a is satisfiable iff the theorem has a proof whose length does not exceed the given bound. The construction of a is effective in the sense that anybody knowing a proof for the theorem knows also a satisfiability assignment for a. Hence, you are able to convince a verifier that you know a proof for the
theorem without giving away any information about the proof except an upper bound for its length. A few additional comments are in order. In results such as Theorem 6.4 the existence of one-way functions is needed. In fact, in our zero-knowledge protocols one-way functions are used in the construction of lockable boxes. What this means is that the prover reveals his secret to the verifier in an encrypted form. Although the verifier does not gain any on-line information, it is conceivable that she could later on, either by luck or by sufficient computing effort, break the cryptosystem and learn the entire secret. Recall, for instance, that the 3-coloring is given to the verifier in each set of locked boxes. We will not discuss here protocols referred to as perfect zero-knowledge. In such protocols V obtains no information whatsoever about P's secret (beyond its existence), whereas in the zero-knowledge protocols discussed above V obtains no information she could use on-line or in polynomial time. The reader might think about the meaning of zero-knowledge proofs with RSA-locked boxes in case the theorem to be proved is "There is an algorithm for factorization working in linear time". In the protocols discussed above, the probability of P cheating decreases very rapidly with respect to the number of rounds. However, arbitrarily high security is not obtained with a bounded number of rounds. This technique can be modified to combine arbitrarily high security with a constant number of rounds. In some setups even non-interactive zero-knowledge proof systems are possible. The results of [BeG] can be applied in the following scenario. After P and V have generated together a long random sequence, P leaves for a trip around the world. Whenever he discovers a theorem, he writes a postcard to V proving his new theorem in zero-knowledge. This process is necessarily non-interactive because P has no predictable address.
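As an added illustration of the box protocol for satisfiability described in this section, the following simulation runs the two verifier options over a small 3-CNF formula. The code is written for this text and is not the book's own; the formula, its satisfying assignment and all function names are constructed for the example. Locked boxes are modelled simply as values the prover reveals on request, so the simulation shows the bookkeeping of the variable, truth-value and assignment boxes and why an unsatisfying assignment is caught, not the cryptographic locking itself.

```python
# Added simulation of the lockable-box protocol for satisfiability (Section 6.8).
# Illustrative code for this text, not Salomaa's own; the formula and assignment
# below are constructed, not the book's example.
import random

# A literal is (variable, negated); a clause is a triple of literals.
FORMULA = [((1, False), (2, False), (3, True)),    # x1 or x2 or not x3
           ((1, True), (3, False), (4, False)),    # not x1 or x3 or x4
           ((2, True), (3, True), (4, True))]      # not x2 or not x3 or not x4
ASSIGNMENT = {1: True, 2: False, 3: True, 4: False}   # satisfies FORMULA


def prover_commits(formula, assignment, rng=None):
    """Fill the boxes: variable boxes B_i, truth-value boxes B_i^tv and the set of
    assignment boxes B_{i',j',k'} that contain 1 (every other box contains 0)."""
    rng = random.Random() if rng is None else rng
    pairs = [(x, tv) for x in assignment for tv in (True, False)]
    rng.shuffle(pairs)                          # the 2r pairs in random order
    var_box = {i: x for i, (x, _) in enumerate(pairs, 1)}
    tv_box = {i: tv for i, (_, tv) in enumerate(pairs, 1)}

    def signed_index(var, negated):
        # the unique i whose pair is (var, value P assigns to var); sign = polarity
        i = next(i for i in var_box
                 if var_box[i] == var and tv_box[i] == assignment[var])
        return -i if negated else i

    ones = {tuple(signed_index(*lit) for lit in clause) for clause in formula}
    return var_box, tv_box, ones


def verifier_checks_formula(var_box, ones, formula):
    """Option 1: everything except the truth-value boxes is opened and V rebuilds
    alpha from the assignment boxes containing 1."""
    rebuilt = {tuple((var_box[abs(i)], i < 0) for i in key) for key in ones}
    return rebuilt == set(formula)


def verifier_checks_assignment(tv_box, ones):
    """Option 2: the truth-value boxes are opened and P opens every assignment box
    all of whose indices are 'false literals' (i with F in B_i^tv, -i with T in
    B_i^tv). V accepts iff none of those boxes contains 1."""
    false_literal = {(-i if tv else i) for i, tv in tv_box.items()}
    opened_ones = [key for key in ones if all(idx in false_literal for idx in key)]
    return not opened_ones


def run_rounds(formula, assignment, rounds, seed=0):
    """V picks one of her two options at random in each round; True if all pass."""
    rng = random.Random(seed)
    for _ in range(rounds):
        var_box, tv_box, ones = prover_commits(formula, assignment, rng)
        if rng.random() < 0.5:
            ok = verifier_checks_formula(var_box, ones, formula)
        else:
            ok = verifier_checks_assignment(tv_box, ones)
        if not ok:
            return False
    return True
```

A prover who uses an unsatisfying assignment still passes option 1 (the formula is rebuilt correctly) but fails option 2 whenever the falsified clause's box is opened, which is why each round halves his chance of surviving.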
6.9 Zero-Knowledge Proofs of Identity

One of the problems with most of the identification techniques such as ID cards, credit cards and computer passwords is that a party P proves his identity by revealing a word i(P) that is memorized or printed on a card. An adversary cooperating with a dishonest verifier can either get a copy of the card or otherwise learn the word i(P). The adversary can later on use i(P) to pretend to be P and, thus, is granted the access or services implied by i(P). An obvious solution to this problem is to use a zero-knowledge proof to convince the verifier V that the prover P knows i(P) without revealing a single bit about i(P). Such a proof goes one step further than the zero-knowledge proofs considered in the preceding section. Previously P revealed one bit of information to V, namely, that the theorem is true, there is a 3-coloring or a satisfying truth-value assignment, etc. Not a single bit of information is now revealed. This difference can be expressed briefly by saying that, while we previously were talking about
zero-knowledge proofs of theorems, we are now talking about zero-knowledge proofs of knowledge. Of course, the latter types of proofs can be extended to concern proofs of theorems as well. This means, for instance, that P convinces V that he has settled Fermat's Last Theorem without revealing a single bit of his information, not even whether he has established the theorem or found a counterexample! A way to do this is to let i(P) consist of P's information, beginning with the statement of the theorem or its negation and followed by the proof or counterexample.

In the following protocol the existence of a trusted agency is assumed. The only purpose of the agency is to publish a modulus $n$ which equals the product of two large primes $p$ and $q$ but to keep the primes themselves secret. For a technical reason to be explained later, the primes are assumed to be congruent with 3 (mod 4). After publishing $n$, the agency may cease to exist. P's secret identification i(P) consists of $k$ numbers $c_1, \ldots, c_k$ with $1 \le c_j < n$. His public identification pi(P) consists of $k$ numbers $d_1, \ldots, d_k$ with $1 \le d_j < n$, each $d_j$ satisfying one of the congruences

(*) $\quad d_j c_j^2 \equiv \pm 1 \pmod{n}.$

The verifier V knows the public $n$ and pi(P). P wants to convince her that he knows i(P). The following four steps constitute one round of the protocol. Each additional round decreases the probability of P cheating.

Step 1: P chooses a random number $r$, computes the numbers $(\pm r^2, \bmod n)$ and tells one of them, call it $x$, to V.

Step 2: V chooses a subset $S$ of the set $\{1, \ldots, k\}$ and tells it to P.

Step 3: P tells V the number $y = (r T_c, \bmod n)$, where $T_c$ is the product of the numbers $c_j$ such that $j$ belongs to $S$.

Step 4: V verifies the condition $x \equiv \pm y^2 T_d \pmod{n}$, where $T_d$ is the product of the numbers $d_j$ such that $j$ belongs to $S$. If it is not satisfied, V rejects. Otherwise, an eventual new round is begun.

Observe first that the verification condition in Step 4 should hold because

$y^2 T_d \equiv r^2 T_c^2 T_d \equiv \pm r^2 \equiv x \pmod{n},$

the second congruence being a consequence of (*). The use of $r$ is necessary because, otherwise, V would find out any $c_j$ by choosing $S = \{j\}$. The special form of the primes $p$ and $q$ guarantees that the $d$-numbers can range over all integers with the Jacobi symbol $+1 \pmod{n}$. This implies that V can be sure that the $c$-numbers exist. A tacit assumption needed for (*) is that $(c_j, n) = 1$ for all $j$. If this is not the case, then $n$ can be factorized, and the whole world collapses! A minor
technicality useful in practical implementations is to use the inverses of the squares of the $c$-numbers rather than the squares themselves when defining (*). Of course, the whole protocol is based on the intractability of extracting square roots (mod $n$) when the factorization of $n$ is unknown. This implies that V gets no information about the $c$-numbers and, in fact, V can play both the roles of P and V in the protocol. On the other hand, the only way for P to cheat is to guess the set $S$ in advance, and provide $(\pm r^2 T_d, \bmod n)$ as $x$ in Step 1 and $y = r$ in Step 3. The probability for a successful guess is $2^{-k}$ and, hence, $2^{-kt}$ in $t$ rounds. A reason for this rapid convergence is that the $k$ numbers in P's identification invoke an element of parallelism in the protocol. Assuming the intractability of factorization and extraction of square roots (mod $n$), our protocol constitutes a zero-knowledge proof of identity. It follows that not even a crooked Vera can extract any information that could later on be used to convince the true Vera about the knowledge of i(P).

We remark in passing that a rigid formalism is not needed for our purposes in this chapter. In such a formalism P and V would be machines executing algorithms within certain time bounds and having access to common or separate random numbers. In the discussion of many subtleties such a more penetrating formalism is helpful.

Example 6.5. The trusted agency has published the modulus $n = 2773$. P's secret identification i(P) consists of the 6-tuple

$c_1 = 1901, \quad c_2 = 2114, \quad c_3 = 1509, \quad c_4 = 1400, \quad c_5 = 2001, \quad c_6 = 119.$

(See here also Example 4.1.) The squares of these numbers (mod $n$) are, in the same order,

$582, \quad 1693, \quad 448, \quad 2262, \quad 2562, \quad 296.$

P now chooses his public identification pi(P) to consist of the 6-tuple

$d_1 = 81, \quad d_2 = 2678, \quad d_3 = 1207, \quad d_4 = 1183, \quad d_5 = 2681, \quad d_6 = 2595.$

Then the congruences (*) will be satisfied for $j = 1, \ldots, 6$ and, moreover, $+1$ appears on the right side for $j = 1, 3, 4, 5$ and $-1$ appears for $j = 2, 6$. Assume that P chooses $r = 1111$ and tells V the number

$x = (-r^2, \bmod n) = 2437.$

Assume that V chooses $S = \{1, 4, 5, 6\}$ and computes $T_d = 1116$. P computes $T_c = 96$ and tells V the number $y = 1282$. Because

$y^2 T_d \equiv 1282^2 \cdot 1116 \equiv 2437 = x \pmod{n},$

the verification condition holds. Similarly, the choices $r = 1990$, $x = (r^2, \bmod n) = 256$ and $S = \{2, 3, 5\}$ give the values

$T_d = 688, \quad T_c = 1228, \quad y = 707.$

The verification condition $-y^2 T_d \equiv -2517 \equiv 256 = x \pmod{n}$ is satisfied. □
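The following is an added worked run of the square-root identification protocol above, using the numbers of Example 6.5. The code is written for this text and is not the book's own; the function names are constructed. It checks the congruences (*) for the published pi(P), replays both rounds of the example, and shows why a prover who does not know i(P) succeeds only when his advance guess of $S$ happens to match V's choice.

```python
# Added worked run of the identification protocol of Section 6.9 with the numbers
# of Example 6.5. Illustrative code for this text, not Salomaa's own.
from functools import reduce

N = 2773                                        # modulus published by the agency
SECRET_C = [1901, 2114, 1509, 1400, 2001, 119]  # i(P) = (c_1, ..., c_6)
PUBLIC_D = [81, 2678, 1207, 1183, 2681, 2595]   # pi(P) = (d_1, ..., d_6)


def product_mod(values, n):
    return reduce(lambda acc, v: acc * v % n, values, 1)


def signs_of_public_id(c, d, n):
    """Check (*): d_j c_j^2 must be +1 or -1 (mod n); return the list of signs."""
    signs = []
    for cj, dj in zip(c, d):
        v = dj * cj * cj % n
        if v == 1:
            signs.append(+1)
        elif v == n - 1:
            signs.append(-1)
        else:
            raise ValueError("d_j c_j^2 is neither +1 nor -1 (mod n)")
    return signs


def prover_step1(r, sign, n):
    """x = (+r^2 or -r^2, mod n); P may tell either one."""
    return sign * r * r % n


def prover_step3(r, S, c, n):
    """y = r T_c (mod n), T_c the product of c_j over j in S (1-based indices)."""
    return r * product_mod([c[j - 1] for j in S], n) % n


def verifier_step4(x, y, S, d, n):
    """Accept iff x = +y^2 T_d or x = -y^2 T_d (mod n)."""
    v = y * y * product_mod([d[j - 1] for j in S], n) % n
    return x == v or x == (n - v) % n


def honest_round(r, sign, S, c=SECRET_C, d=PUBLIC_D, n=N):
    """One round with an honest prover; returns (x, y, accepted)."""
    x = prover_step1(r, sign, n)
    y = prover_step3(r, S, c, n)
    return x, y, verifier_step4(x, y, S, d, n)


def cheating_round(r, guessed_S, actual_S, d=PUBLIC_D, n=N):
    """Without i(P) the prover can only guess S in advance, sending x = r^2 T_d(guess)
    in Step 1 and y = r in Step 3; V accepts exactly when the guess matches her S."""
    x = r * r * product_mod([d[j - 1] for j in guessed_S], n) % n
    return verifier_step4(x, r, actual_S, d, n)
```

Note that `verifier_step4` accepts either sign, which is what allows P to send whichever of $\pm r^2$ he likes in Step 1 without V learning anything from the choice.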
We observed that not even a crooked verifier can gain any information that could later on be used to convince the true verifier about the knowledge of i(P). Still, some more subtle on-line cheating schemes are conceivable. Assume that a crooked verifier and prover, $V_1$ and $P_1$, collaborate in trying to convince the true verifier V that $P_1$ knows the identification i(P) of the true prover P. Assume, further, that $V_1$ is in the position to test P's knowledge of i(P). For instance, P wants to pay a bill to $V_1$. Then at the same time $P_1$, who can secretly communicate with $V_1$ by radio or telephone, tries to gain access to a top-secret area, the access being granted by V if knowledge of i(P) is shown. Now $P_1$ and $V_1$ can act as communication links and, in fact, the whole protocol will be executed between V and P. V will be convinced of the knowledge of i(P) but gets the wrong idea that $P_1$ knows i(P)!

We now discuss another identification scheme, based on a knapsack-type problem. We present first a simple version of the scheme, and then a bit more involved one. The latter can be further generalized, but it is not yet properly understood to what extent, if any, such generalizations and complications contribute towards the security of the scheme. Let $A = (a_1, \ldots, a_n)$ be a knapsack vector with an even $n$. It is an NP-complete problem to pick half of the components of $A$ in such a way that they sum up to the same number as the remaining half. Hence, also the following problem, being more general, is NP-complete. Given a knapsack vector $A$ and a vector $B = (b_1, \ldots, b_n)$ with integer components, maybe some of them negative, find, if possible, a permutation $B_p$ of the vector $B$ such that $AB_p = 0$. For instance, if

$A = (3, 7, 8, 2, 12, 14), \quad B = (1, 1, 1, -1, -1, -1),$

then the permutation $p$ transposing the 2nd and 5th components but leaving the other components fixed satisfies the condition because $A(1, -1, 1, -1, 1, -1) = 0$. (Here the second vector in the product is understood to be a column vector.)

The setup is now as follows. The trusted agency has published the knapsack vector $A = (a_1, \ldots, a_n)$. ($n$ need not be even.) P's public identification pi(P) is the vector $B = (b_1, \ldots, b_n)$ with integer components. His secret identification i(P) is a permutation $p$ such that $AB_p = 0$. The protocol uses, in addition, a cryptographic hash function $h(x, y)$. We do not define hash functions formally. The points essential for us are that the value $h(x, y)$ can be easily computed from $x$ and $y$, whereas $x$ and $y$ cannot be recovered from the value and, moreover, $h(x, y)$ is not long in comparison with $x$ and $y$. The previously discussed XOR-operator is a simple hash function, if $x$ XOR $y$ does not leak information about $x$ or $y$. The hash function $h(x, y)$ can be published by the agency or agreed upon between P and the verifier V. Of course, it is desirable that not even $h(x, y)$ and one of the arguments gives away the other argument. This condition is clearly not satisfied by the XOR-operator.
Each round in the protocol, where P tries to convince V about his knowledge of i(P), consists of the following steps.

Step 1: P chooses a random vector $R$ and a random permutation $q$ (both having the dimension $n$), and tells V the values $h(q, AR)$ and $h(pq, R_q)$.

Step 2: V chooses a number $d = 0$ or $d = 1$ and asks from P the vector $C = R_q + d B_{pq}$. After receiving $C$, V asks from P either the permutation $q$ or the permutation $pq$.

Step 3: If she asked for $q$, V verifies the condition $h(q, A_q C) = h(q, AR)$. If she asked for $pq$, V verifies the condition $h(pq, C - d B_{pq}) = h(pq, R_q)$.

Observe first that V has all the data needed for the verification in Step 3, either from Steps 1 and 2 or from the public information. The validity of the second verification condition is obvious by the definition of $C$. The validity of the first condition follows because

$A_q C = A_q (R_q + d B_{pq}) = A_q R_q + d A_q B_{pq} = AR.$

(The equation $A_q B_{pq} = 0$ holds because $AB_p = 0$ and, hence, the product equals 0 also if both factors are permuted by the same permutation.) Coming back to the illustration before the protocol, assume that

$R = (15, 1, 5, 9, 2, 6), \quad d = 1 \quad \text{and} \quad q = (1\,2\,3\,4).$

We use here the customary notation for permutations: $q$ is a mapping that permutes the components 1, 2, 3, 4 cyclically and leaves the two other components fixed. Then

$R_q = (9, 15, 1, 5, 2, 6), \quad pq = (1\,2\,5\,3\,4), \quad B_{pq} = (-1, 1, -1, 1, 1, -1),$

$C = (9, 15, 1, 5, 2, 6) + (-1, 1, -1, 1, 1, -1) = (8, 16, 0, 6, 3, 5),$

$A_q = (2, 3, 7, 8, 12, 14), \quad A_q C = 218 = AR.$

Hence, the verification condition will be satisfied. Observe that the number of permutations is huge even for relatively small values of $n$. This is very important from the point of view of security.

In a more sophisticated version of the protocol, $A$ is an $m \times n$ matrix with integer entries, and $A_p$ is the matrix obtained from $A$ by applying the permutation $p$ to the columns of $A$. A small prime $s$ is fixed, typically $s = 251$. $A$ and $s$ are published by the agency, or otherwise agreed upon by all users. As before, P's public identification pi(P) is an $n$-vector $B$. His secret identification i(P) is a permutation $p$ such that

$AB_p \equiv 0 \pmod{s},$
where the right side means an $m$-vector of zeroes. (In our earlier simple version, $m = 1$ and the congruence is an equation.) The protocol is basically the same as before, but also the choice of $d$ will be more general, now $0 \le d < s$. The components of all vectors are reduced modulo $s$ and, moreover, $AR$ and $A_q C$ are now $m$-vectors. Everything else remains the same. Also the validity of the verification conditions follows exactly as before and, hence, an honest prover P always passes the test. It is easy to see that the probability of success for a dishonest prover P (not knowing the permutation $p$) is at most $(s + 1)/2s$. The protocol is zero-knowledge because the individual messages sent by P convey no knowledge. Further generalizations of the scheme are obtained, for instance, by replacing the matrix-vector products with matrix-matrix or even with tensor-tensor products.
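As an added worked run of the simple (m = 1) version of the knapsack identification scheme, the code below replays the illustration above ($A$, $B$, the transposition $p$, and $R$, $q$, $d = 1$) through Steps 1 to 3. It is written for this text and is not the book's own; the text leaves the hash function $h$ open, so SHA-256 over a canonical encoding of the pair is assumed here, and the permutation convention ("the component in position $i$ moves to position $q(i)$") is chosen so that the intermediate vectors match the ones in the text.

```python
# Added worked run of the permutation-based identification scheme of Section 6.9
# with the vectors of the illustration. Illustrative code for this text, not the
# book's own; SHA-256 stands in for the unspecified hash function h(x, y).
from hashlib import sha256

A = (3, 7, 8, 2, 12, 14)        # knapsack vector published by the agency
B = (1, 1, 1, -1, -1, -1)       # P's public identification pi(P)
P_SECRET = {1: 1, 2: 5, 3: 3, 4: 4, 5: 2, 6: 6}   # i(P): p transposes components 2 and 5


def cycle(n, *cyc):
    """Permutation of {1..n} in the text's cycle notation, e.g. cycle(6, 1, 2, 3, 4)."""
    perm = {i: i for i in range(1, n + 1)}
    for a, b in zip(cyc, cyc[1:] + cyc[:1]):
        perm[a] = b
    return perm


def permute(vec, perm):
    """V_perm: the component in position i moves to position perm(i)."""
    out = [None] * len(vec)
    for i, v in enumerate(vec, 1):
        out[perm[i] - 1] = v
    return tuple(out)


def compose(p, q):
    """pq: apply p first, then q, so that B_{pq} = (B_p)_q."""
    return {i: q[p[i]] for i in p}


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def h(perm, value):
    """Commitment h(permutation, vector-or-number); SHA-256 is an assumed choice."""
    data = repr((sorted(perm.items()), value)).encode()
    return sha256(data).hexdigest()


def run_round(R, q, d, asked, p=P_SECRET):
    """One round of the protocol; returns True if V accepts."""
    pq = compose(p, q)
    R_q, B_pq = permute(R, q), permute(B, pq)
    commit_q, commit_pq = h(q, dot(A, R)), h(pq, R_q)          # Step 1: P commits
    C = tuple(r + d * b for r, b in zip(R_q, B_pq))             # Step 2: P reveals C
    if asked == "q":                                            # Step 3, first case
        return h(q, dot(permute(A, q), C)) == commit_q
    # Step 3, second case: V recomputes B_{pq} from the revealed pq and public B
    B_pq_seen = permute(B, pq)
    return h(pq, tuple(c - d * b for c, b in zip(C, B_pq_seen))) == commit_pq
```

The negative check in the test uses the identity permutation in place of $p$: with $d = 1$ and $q$ requested, $A_q C = AR + A B_q \ne AR$, so the first verification condition fails.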
Fig. 6.1
6.10 Secret Balloting Systems Revisited

Balloting systems were already briefly discussed in Section 6.6. This is an area likely to become one of the testing grounds for the techniques of public-key cryptography. How to guarantee secrecy in elections carried out in a computer network? One-way encryption seems desirable from many points of view. One may also want to implement optional features that are not present in current elections. We will now present in a systematic way the theory of secret balloting systems, having in mind mainly elections carried out in a computer network. Our exposition follows mostly [Renv] and [NuSS]. [Schn] is a very comprehensive recent exposition on protocols and cryptographic algorithms in general, with a bibliography of 900 items. The institution of secret ballot is often mentioned as one of the hallmarks of democratic electoral systems. The reason is obvious. Without ballot secrecy the voters can be deterred from revealing their true opinions about the issues to be voted upon. Thus, the very rationale of voting, giving voters the possibility
to express their true opinions without fearing that they will be in some way punished for having them, would be seriously undermined. Secrecy in customary balloting systems relies to a large extent on trusted persons and group work. The counting of votes is done by specific officials. The basic method of securing ballot secrecy is to make sure that the ballots of individual voters are not counted individually but in aggregates. Typically all the ballots cast in a given election locale are counted simultaneously. In this way the link between a voter and his/her (hereafter her) vote is broken. How can the link be broken if there is no election locale but the elections are conducted in a computer network? The fact that voting takes place in specifically designated areas and that all voters are identified before entering the balloting booth makes many forms of electoral fraud very difficult if not impossible. Thus, deliberate errors in vote counting presuppose the cooperation - voluntary or forced - of all officials working at a given voting locale. A plausible conjecture would be that the more persons there are supervising the electoral procedure and the more variegated political views they represent, the less likely one is to encounter electoral fraud of this kind. (Yet fraudulent elections are known to have been conducted!) Mathematically, the protocol of the traditional election system is very simple - see also Figure 6.2. The soundness (only legitimate voters may vote and each of them may vote only once) is guaranteed by identifying each voter and keeping a record of those who already voted. The secrecy is guaranteed by the privacy of the voting booth: nobody is allowed to see how a voter votes. (Nobody is allowed to enter the booth with the voter - we disregard here invalids who need assistance.) The link between the voter and her ballot is broken after the ballot is dropped in the box.
The ballots are counted as an aggregate - so only the connection between the group of voters using the particular election locale and their votes remains. Thus under the system with voting booths, a voter can make promises to certain people, perhaps accepting bribes, or belong to an organization committed to a specific vote, and yet in the privacy of the voting booth she may cast the opposite vote without fearing disclosure, revenge or repercussions. The outcome of the election should reflect the true opinions of the people. However, it is well known that various types of fraud have occurred under this very simple system. The counting of the votes has been dishonest. A more sophisticated type of fraud is possible if the voting system employed allows the voters to list their preferences in any order. Then a dictator behind the scenes, say a feared village boss, can assign each voter a specific permutation of the candidates in such a way that the preferred candidates are always placed favorably. If a particular assigned permutation fails to appear when the votes are counted, then the boss can conclude that the voter in question did not follow the "friendly instructions", and reprisals can be taken. This form of fraud brings about a subtle distinction in the notion of sec­recy. We will return to the issue below. When elections are conducted in computer networks, numerous diverse security and secrecy issues have to be taken into account. The security-related questions in telecommunication in general include, for instance:
Fig. 6.2
Who is out there?
Is she allowed to get this information?
Will the information I send reach the right person?
Has the information been seen by somebody else?
Has the information been changed in transit?
Can a sender deny having sent particular information?
Can a receiver pretend not to have received particular information?

What kind of precautions and safety measures are called for by such security, secrecy and authentication issues depends largely on the communication environment. We shall not dwell upon such precautions but shall rather concentrate on issues directly connected with elections. The main problem of organizing a
secret ballot election in a computer network consists of satisfying simultaneously the requirements of legitimacy and secrecy. At first thought this might seem an impossible task. How can the secrecy of the votes be preserved if one must check at the same time that the voters are legitimate? At some time the voter must be known to election officials. How can the link between the voter and her vote be broken afterwards? Several solutions based on public-key cryptography are known. Let us still summarize the basic requirements.

1. Soundness. Only legitimate voters should be able to cast valid votes, that is, votes contributing to the tally. Each legitimate voter should be able to cast only one vote.

2. Secrecy. Nobody should be able to find out the voting strategy of any legitimate voter, without her own consent. This requirement of privacy concerns the voter's relation both to other voters and to election officials.

3. Verifiability. The published outcome of the election should be verifiable. In particular, each voter should be able to check that her vote has been correctly counted.
We have included the requirement 3 in the basic list, although it is not satisfied by any of the balloting systems currently in use. Indeed, in current systems there is no way for a voter to verify that the tally is correctly computed, let alone that she could check that her own vote was counted for the candidate she intended. However, in elections in a computer network the requirement 3 is easy to satisfy, provided requirements 1 and 2 are taken care of. In fact, in all proposed systems 3 is an almost immediate consequence of 1 and 2. Consequently, we have considered the requirement 3 suitable even for the basic list, especially because it is very likely to increase the motivation of individual voters to vote. Other related requirements, such as the possibility of recasting votes, can also be taken care of without any major difficulties, [NuSS]. We will discuss here two methods to satisfy the requirements 1-3. In the method of eligibility tokens the voters cast their votes anonymously but together with an eligibility token. The token is acquired from the officials of the elections in advance. It should be impossible to recognize a voter from her token. Of course, the voters themselves should not be able to produce valid tokens. In the method of encrypted votes the voters cast their votes publicly but in an encrypted form. Single votes should not be decryptable but, of course, it must be possible to compute the total outcome of the election. In the protocol presented below, this will be accomplished by using certain predetermined and fixed scrambling techniques. It was already pointed out in Section 6.6 that requirements 1 and 2 are easily taken care of if disjoint groups of officials are in charge of legitimization and of the actual voting and computing the result. However, then the cooperation of the two groups is a very obvious source of fraud. Therefore, we assume that all officials in the election constitute only one group, referred to as the government. 
Let us consider first the method of eligibility tokens. First there is a preliminary registration phase. The government has generated a large enough set of
eligibility tokens, for instance, integers with specific properties, and published them in an encrypted form. This constitutes the setup for secret selling of secrets: the tokens are the secrets, whereas the encryptions form the published list of secrets. The government and the voters now follow a protocol for secret selling of secrets. In this way each voter gets a secret (that is, an eligibility token) but the government does not know how the secrets (tokens) are distributed among the voters. Different voters should get different secrets. The government also publishes a large finite set $S$ and a one-way permutation $f$ of $S$. In the actual election the voters cast their ballots anonymously. A ballot is a triple $(u, f(s), e)$, where $u$ is the actual vote, $s \in S$ is a random element chosen by the voter and $e$ is her eligibility token. The government takes into account only ballots having proper eligibility tokens. When the preassigned voting period is over, the government announces the tally of the election. This is done by publishing all the valid ballots, arranged in such a sequence that it is easy for anyone to compute the results, and also easy for each voter to check that her vote has been properly counted. It is clear that the requirements 1-3 are satisfied, provided the protocol for secret selling of secrets has worked properly. Also other related requirements can be satisfied; for instance, recasting of votes is possible without compromising ballot secrecy. Let us see how this can be done. (It can happen within specific periods or continuously.) Assume that a voter whose ballot was $w = (u, y, e)$ changes her opinion from $u$ to $u'$. Then she sends, again anonymously, to the government a quadruple $(w, u', f(s'), s)$, where $s = f^{-1}(y)$ and $s' \in S$ is a new random element chosen by the voter. The government then checks whether or not $f(s) = y$ and, if it is, replaces the old ballot $w$ by the new ballot $(u', f(s'), e)$.
Since $f$ is a one-way function, nobody can compute $s$ from $y$ and, thus, the new ballot must come from the original voter. The recasting of votes can be repeated arbitrarily many times. It is obvious from the above discussion that, as regards the presented method of eligibility tokens, practically everything rests on the reliability of the protocol for secret selling of secrets. Such protocols were discussed in Section 6.5, see also [Renv] and [Schn]. It was observed that it can be viewed as an advantage if there are several buyers. Based on different ideas, several protocols have been constructed for secret selling of secrets. We do not go here into details but mention only one general principle and one particularly simple protocol. After reading Section 6.5, it might seem obvious that oblivious transfer is much simpler than secret selling of secrets, viewed as tasks for constructing cryptographic protocols. However, this is not the case. It has been shown in [Renv] how any protocol for the former can be transformed to a protocol for the latter. The result can be formalized to show that all security requirements are preserved in the transformation. Moreover, several similar cryptographic tasks can be shown equivalent in the sense that a protocol for any one of them can be transformed to a protocol for another. We present, finally, a particularly simple protocol for secret selling of secrets, also due to [Renv]. We follow the setup of Section 6.5. The seller A has $k$ secrets
$s_1, \ldots, s_k$, each of them being a sequence of $t$ bits. The buyer B has decided to buy the secret $s_i$.

Step 1: A gives B a cryptographic one-way function $f$, mapping $t$-bit numbers onto $t$-bit numbers, but keeps the trapdoor and thus also $f^{-1}$ to herself. She also gives B a sequence $x_1, \ldots, x_k$ consisting of $k$ $t$-bit random numbers.

Step 2: B chooses a $t$-bit random number $a$ and computes $f(a)$. He gives A the number $\alpha = x_i \text{ XOR } f(a)$.

Step 3: For $j = 1, \ldots, k$, A computes the number $y_j = s_j \text{ XOR } f^{-1}(\alpha \text{ XOR } x_j)$ and gives the sequence of numbers $y_j$ to B.

Step 4: B learns $s_i$ by computing $y_i \text{ XOR } a$. Indeed,

$y_i \text{ XOR } a = s_i \text{ XOR } f^{-1}(x_i \text{ XOR } f(a) \text{ XOR } x_i) \text{ XOR } a = s_i \text{ XOR } f^{-1}(f(a)) \text{ XOR } a = s_i \text{ XOR } a \text{ XOR } a = s_i.$

It is obvious that the protocol guarantees security for B. The only information B gives to A is the number $\alpha = x_i \text{ XOR } f(a)$. However, because $a$ is randomly chosen, $\alpha$ looks completely random from A's point of view. This means that A cannot learn anything about $i$. It is not so obvious that the protocol is secure for A. After all, A gives all the secrets $s_j$ to B, encrypted as $y_j$. If B has followed the protocol honestly and chosen the number $a$ randomly, then $\alpha \text{ XOR } x_j$ is random, and thus the probability of B learning $f^{-1}(\alpha \text{ XOR } x_j)$ is negligible. Therefore, B cannot learn $s_j$ for $j \ne i$. However, if B is dishonest, he might try to learn two secrets $s_i$ and $s_j$ by finding two numbers $b_1$ and $b_2$ such that $f(b_2) \text{ XOR } f(b_1) = x_j \text{ XOR } x_i$. If he succeeds in finding such numbers $b_1$ and $b_2$, he takes $a = b_1$. B then learns $s_i$ as before but now also
and, consequently, B learns $s_j$ as well. This means that it should not be possible for B to find numbers $b_1$ and $b_2$ as required. The cryptographic function $f$ has to satisfy some additional rather natural requirements. Indeed, the encryption function of an RSA system seems to possess all properties needed, [Renv]. This concludes our discussion about the method of eligibility tokens. The essence of the mathematical problem amounts to constructing a proper protocol for secret selling of secrets. Here "proper" means that the security issues are
taken care of and also that no secret is sold to two buyers. We still mention that in the protocol above the random numbers $x_j$ can be replaced by a second one-way function $g$. The details are left to the reader.

We discuss next a secret balloting system based on the method of encrypted votes. We consider here a network, referred to as the public file. Also persons who are not legal voters might have access to the public file. In the method of encrypted votes, the voters cast their votes publicly but in an encrypted form. Thus, we assume that the government has a way of telling whether or not a message in the public file stems from a legal voter; the legality of voters has to be checked in every election. The officials of the election, referred to also collectively as the government, consist of the control C and scramblers $S_i$, $i = 1, \ldots, k$. According to the protocol, the different parts of the government should follow certain rules. Nothing can be done against such a rotten government, where all parts are dishonest. However, if only one of the scramblers follows the protocol honestly, a fraud of the other parts will be disclosed. An individual voter may feel secure if she trusts one of the scramblers, say, a representative of the voter's own political party. In this sense, one swallow makes the spring! The protocol operates on a certain basic domain, a finite set whose cardinality is much bigger than the total number of voters. Both the encrypted votes and the "plaintext" votes are elements of the basic set. Each of the scramblers commits himself publicly to a scrambling strategy. The latter is a permutation of the basic domain, satisfying certain additional requirements. The protocol is so designed that the election result is unreadable from the set of (encrypted) votes, but it will become readable after each of the scramblers has scrambled the set according to his particular strategy.
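Before turning to the scramblers, here is an added runnable version of the four-step protocol for secret selling of secrets given above, since the eligibility-token method rests on it. The code is written for this text and is not the book's or [Renv]'s own. The trapdoor function $f$ is a toy RSA permutation with constructed, far too small parameters; the text only says that RSA "seems to possess all properties needed", and a real $f$ would be a permutation of $t$-bit strings rather than of $Z_n$, so values are treated as integers and XORed as such. The secrets and the numbers $x_j$ used in the test are constructed sample values.

```python
# Added runnable version of the secret-selling protocol (Steps 1 to 4 above).
# Illustrative code for this text, not the book's own. The trapdoor function f is a
# toy RSA permutation of Z_n with constructed parameters; not for real use.
import secrets

P, Q = 61, 53                 # constructed toy primes
N = P * Q                     # 3233
E, D = 17, 2753               # E * D = 1 (mod lcm(P-1, Q-1) = 780)
T = 11                        # bit length of secrets and random numbers; 2**T < N


def f(v):
    """Public one-way function (RSA encryption); anyone can compute it."""
    return pow(v, E, N)


def f_inverse(v):
    """Trapdoor: only the seller A, who knows D, can invert f."""
    return pow(v, D, N)


def seller_step1(k):
    """A hands B the function f (here: N and E) and k random t-bit numbers x_1..x_k."""
    return [secrets.randbelow(1 << T) for _ in range(k)]


def buyer_step2(xs, i, a):
    """B, wanting secret number i (0-based here), sends alpha = x_i XOR f(a)."""
    return xs[i] ^ f(a)


def seller_step3(secret_list, xs, alpha):
    """A returns y_j = s_j XOR f^{-1}(alpha XOR x_j) for every j."""
    return [s ^ f_inverse(alpha ^ x) for s, x in zip(secret_list, xs)]


def buyer_step4(ys, i, a):
    """B recovers s_i = y_i XOR a."""
    return ys[i] ^ a


def sell(secret_list, i, a=None, xs=None):
    """Run the whole exchange; returns (alpha as seen by A, secret learned by B)."""
    xs = seller_step1(len(secret_list)) if xs is None else xs
    a = secrets.randbelow(1 << T) if a is None else a
    alpha = buyer_step2(xs, i, a)
    ys = seller_step3(secret_list, xs, alpha)
    return alpha, buyer_step4(ys, i, a)
```

The recovery in Step 4 works because $\alpha$ XOR $x_i$ is exactly $f(a)$, so the seller's trapdoor returns $a$ for that one index; for every other $j$ she inverts an unrelated value, and $y_j$ tells the buyer nothing without $f^{-1}$.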
The original set of encrypted votes is a subset of the basic domain, and so is the set after the work of each scrambler. The tally can be computed from the set after the last scrambler has applied his strategy. Thus, the voters first cast their votes in an encrypted form, giving rise to a list $X_0$ of elements of the basic domain. For $i = 1, \ldots, k$, the scrambler $S_i$ applies his strategy to the list $X_{i-1}$, producing another list $X_i$ of elements of the basic domain. The election result can be computed from the list $X_k$. The link between a voter and the element she contributed to the list $X_0$ is known to C. However, the link is broken at the latest after the work of the honest scrambler.

We have now described how everything is supposed to work. Let us go into details. The basic domain will be the set $F^*(q)$ of nonzero elements of a finite field $F(q)$, $q = p^h$, where p is a large prime. Our overall cryptographic assumption will be that discrete logarithm is intractable. Let g be a generator of the set $F^*(q)$. The numbers g and q are public knowledge. Consider a scrambler S. His scrambling strategy will be a number a, indicating that S will replace each element t of $F^*(q)$ by $t^a$. S discloses his commitment to the strategy by publicizing the number $g^a$. By our assumption about the intractability of the discrete logarithm, the commitment does not disclose the scrambling strategy itself. On the other hand, publishing $g^a$ is a commitment for S: S cannot later scramble t to $t^b$, $b \neq a$, because $g^a \neq g^b$.
6.10 Secret Balloting Systems Revisited
An important property of the scrambling strategies thus defined is commutativity: it is immaterial in which order the scramblers apply their strategies. This is an immediate consequence of the commutativity of exponentiation: $(t^a)^b = (t^b)^a$. In fact, we could take a more general approach and consider an arbitrary basic domain rather than $F^*(q)$. Then, in view of the voting protocol, the requirements concerning scrambling strategies would be that all strategies come from a commutative pool and commitments do not give away the strategies.

We still have to tell how the "plaintext" votes (elements of the set $X_k$, according to the notation above) are associated with the candidates. Plaintext votes are elements of the basic domain T which is a huge set. We define a mapping $\varphi$ of T onto the set of the candidates. The definition of $\varphi$ should be as simple as possible, and it will be publicized before the actual election. For instance, if there are 8 candidates, we can define

$$\varphi(w'wx) = w, \qquad |w'| = 4,\ |w| = 3;\quad w', w, x \in \{0, 1\}^*,$$

indicating that bits 5-7, viewed as a binary integer, tell the number of the candidate who gets the vote. All other bits in the representation of an element of T are irrelevant. Thus, each of the following (plaintext) votes
11011101011011, 001011000011101101, 0111110111111101101, 0001110001001101101
goes to the 6th candidate, because in each of them the bits 5-7 spell out the number 110. As in this example, the basic domain should be divided evenly between the candidates.

We are now ready to present an election protocol, based on the method of encrypted votes. Steps 1-5 can be viewed as system construction. The actual voting takes place in Step 6, whereas the remaining steps contribute towards the computation of the result. The protocol presupposes an authentication procedure, that is, when a message beginning with a name, say (C, . . .), floats in the public file, then at least the persons to whom the message is intended can verify its authenticity.

Step 1: The control C chooses a large enough basic domain $T = F^*(q)$, its generator g, as well as a mapping $\varphi$ of T onto the set of candidates. C publicizes the items mentioned by writing the quadruple $(C, q, g, \varphi)$ in the public file.

Step 2: Each scrambler $S_i$, $i = 1, \ldots, k$, chooses privately a random number $a_i$ having no common factors with $q - 1$. (The latter condition is to guarantee that the scrambling strategy will be a permutation of T.) $S_i$ then computes $g^{a_i}$ and writes the pair $(S_i, g^{a_i})$ in the public file. The mapping $f_i$ of T into itself, defined by $f_i(x) = x^{a_i}$, is referred to as $S_i$'s scrambling strategy.

Step 3: Denote $z_0 = g$. For $i = 1, \ldots, k$, the scrambler $S_i$ applies his strategy to $z_{i-1}$, yielding $f_i(z_{i-1}) = z_i$, and writes the triple $(S_i, z_{i-1}, z_i)$ in the public file.
Step 4: Each $S_i$ convinces C in zero-knowledge that he performed Step 3 honestly. (Details of a zero-knowledge proof can be found in [Renv].)

Step 5: C writes the triple $(C, g = z_0, z_k)$ in the public file.

Step 6: Suppose KIM is the chosen candidate of a voter $V_j$. Then $V_j$ considers $z_k$ and $\varphi$, and tests random numbers b until she finds an exponent $b_j$ such that

(Approximately as many tests as there are candidates will suffice. Observe that we are here avoiding the computation of the discrete logarithm!) Then $u_j = g^{b_j}$ is $V_j$'s vote in an encrypted form. $V_j$ writes the pair $(V_j, u_j)$ in the public file. Similarly all voters cast their votes within a preassigned voting period.

Step 7: C goes through the pairs $(V_j, u_j)$ in the file, removing illegitimate pairs. In other words, C removes a pair if $V_j$ is not a legitimate voter or $V_j$ appears in more than one pair. (Observe that we need here our general assumption about authentication: pairs having $V_j$ as their first component come from $V_j$.)

Step 8: C collects the remaining pairs $(V_j, u_j)$ and produces a list $X_0 = (x_{01}, x_{02}, \ldots)$, where the elements $x_{0j}$ are the encrypted ballots $u_j$, written in the increasing order of magnitude. C writes the pair $(C, X_0)$ in the public file. (It is extremely unlikely that a repetition occurs in the list $X_0$. This happens when two voters who have chosen the same candidate hit the same random number. In such a case C will know that the two voters voted for the same candidate. Also the identity of the candidate will eventually be disclosed, since scrambling does not remove repetitions. By choosing a large enough q, the probability of such a coincidence can be made arbitrarily small.)

Step 9: For $i = 1, \ldots, k$, the scrambler $S_i$ applies his scrambling strategy to the elements of the list $X_{i-1}$. He writes the resulting elements in the increasing order of magnitude, obtaining a list $X_i = (x_{i1}, x_{i2}, \ldots)$. $S_i$ writes the pair $(S_i, X_i)$ in the public file.

Step 10: C computes, for each candidate CAND, the number of elements $x_{kj}$ in the list $X_k$ with the property $\varphi(x_{kj}) = \mathrm{CAND}$. The result R of the election is the list of candidates, each candidate together with the number of his/her votes. C writes the pair (C, R) in the public file.
Let us now analyze the above protocol, having in mind in particular the requirements 1-3 of soundness, secrecy and verifiability. As regards soundness, the very construction of the protocol guarantees legality. Since voters act openly, C can immediately verify the legality. It is also a matter of soundness that the encrypted votes go to the candidates intended. This is seen as follows. When a voter $V_j$ chooses the exponent $b_j$ and writes the
pair $(V_j, g^{b_j})$ in the public file, she commits herself to the scrambling strategy $h_j$ which maps each x to $x^{b_j}$. Moreover, $h_j$ maps $z_k$ to a number $z_{KIM}$ which brings a vote to KIM. Altogether, g goes to $z_{KIM}$ in a succession of scramblings as follows:

$$g = z_0 \xrightarrow{S_1} z_1 \xrightarrow{S_2} z_2 \longrightarrow \cdots \longrightarrow z_k \xrightarrow{V_j} z_{KIM}.$$

The following succession of scramblings takes place in Steps 6 and 9 of the election protocol:

$$g \xrightarrow{V_j} u_j \xrightarrow{S_1} \cdots \xrightarrow{S_k} y_k.$$

In the two successions, the same scrambling strategies have been applied to g, although in a different order. However, the order of application is immaterial and, consequently, the resulting numbers must be the same: $y_k = z_{KIM}$.
Thus, $V_j$'s encrypted vote goes to the candidate she intended. This happens if C and the scramblers act honestly. If C or some $S_i$ makes an error or tries to cheat with respect to her vote, then $V_j$ can immediately notice it. This is a consequence of the fact that $V_j$ can follow the passage of her encrypted vote through the scrambling process. $V_j$ only needs to check that $u_j$ is in the list $X_0$, $z_1^{b_j}$ is in the list $X_1$, $z_2^{b_j}$ is in the list $X_2$, and so on. Thus, the requirements of soundness and verifiability are satisfied. Of course, a more detailed protocol should include also instructions for the case that C or some $S_i$ is caught cheating.

We still have to consider the requirement 2 of secrecy. If all scramblers are dishonest, they can find out the voting strategy of any single voter. There is clearly very little one can do against such a totally rotten government. However, the total conspiracy of all scramblers is needed to find out the voting strategy of an individual voter; one honest scrambler $S_i$ is enough to prevent this. By our cryptographic assumption concerning the intractability of discrete logarithm, only $S_i$ knows the scrambling strategy $f_i$ (or equivalently the number $a_i$), although $S_i$'s commitment $g^{a_i}$ is public knowledge. In fact, $f_i$ could be referred to as a zero-way function because neither $f_i(x)$ nor $f_i^{-1}(x)$ is computationally tractable. Even if one knows the commitment $g^{a_i}$, it is intractable to compute $f_i(x)$ or $f_i^{-1}(x)$, and it is also intractable to verify whether or not $f_i(x) = y$, for given x and y. Considering the lists $X_{i-1}$ and $X_i$ and an element $x \in X_{i-1}$, it is impossible to know which element $y \in X_i$ satisfies $f_i(x) = y$. Thus, an honest scrambler necessarily breaks the link between a voter and her vote. From the point of view of the voters, it suffices to select the scramblers in such a way that each voter trusts at least one scrambler. It is not even necessary for the voter to tell which of the scramblers she trusts!
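As an added example (not from the book), the following Python run carries Steps 1-10 through on a toy field and then performs the voter's check described above, that $u_j$ lies in $X_0$, $z_1^{b_j}$ in $X_1$, and so on. The modulus Q, the candidate mapping phi and all function names are this example's own assumptions.

```python
"""Toy run of the encrypted-votes election (Steps 1-10) and the voter's check that
her vote passed honestly through every scrambler.

Added example, not from the book.  The basic domain is F*(Q) for a small prime Q
(h = 1), so discrete logarithms are trivial here: only the mechanics are shown.
"""
import math
import random
from collections import Counter

Q = 65537   # prime modulus, constructed for the example; a real system needs a huge q
K = 3       # number of scramblers S_1, ..., S_k


def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for a toy q)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def is_generator(g, q):
    """g generates F*(q) iff g^((q-1)/p) != 1 for every prime p dividing q-1."""
    return all(pow(g, (q - 1) // p, q) != 1 for p in prime_factors(q - 1))


def phi(t):
    """The book's mapping onto 8 candidates: bits 5-7 of the binary representation
    of t, read as a binary integer; every other bit is irrelevant."""
    bits = format(t, "b").rjust(7, "0")   # pad so tiny elements still get a candidate
    return int(bits[4:7], 2)


def pick_strategy(rng, q):
    """Step 2: random exponent a with gcd(a, q-1) = 1, so x -> x^a permutes F*(q)."""
    while True:
        a = rng.randrange(2, q - 1)
        if math.gcd(a, q - 1) == 1:
            return a


def run_election(intended, legal_voters, rng, q=Q, k=K):
    """intended: dict voter -> candidate (0..7).  Returns (tally, exponents, transcript);
    the transcript holds the public values g, z_i, g^{a_i} and the lists X_0..X_k."""
    g = next(x for x in range(2, q) if is_generator(x, q))          # Step 1
    strategies = [pick_strategy(rng, q) for _ in range(k)]           # Step 2, private a_i
    commitments = [pow(g, a, q) for a in strategies]                 # Step 2, public g^{a_i}
    z = [g]                                                          # Step 3: z_0 = g
    for a in strategies:
        z.append(pow(z[-1], a, q))                                   # z_i = f_i(z_{i-1})
    exponents, public_file = {}, []
    for voter, cand in intended.items():                             # Step 6
        while True:                                                  # about 8 tries on average
            b = rng.randrange(1, q - 1)
            if phi(pow(z[-1], b, q)) == cand:
                break
        exponents[voter] = b
        public_file.append((voter, pow(g, b, q)))                    # (V_j, u_j), u_j = g^{b_j}
    seen = Counter(v for v, _ in public_file)
    ballots = [u for v, u in public_file if v in legal_voters and seen[v] == 1]   # Step 7
    lists = [sorted(ballots)]                                        # Step 8: X_0
    for a in strategies:                                             # Step 9
        lists.append(sorted(pow(x, a, q) for x in lists[-1]))        # X_i, sorted again
    tally = Counter(phi(x) for x in lists[-1])                       # Step 10
    return tally, exponents, {"g": g, "z": z, "commitments": commitments, "lists": lists}


def voter_can_verify(b_j, transcript, q=Q):
    """The check from the analysis: u_j in X_0, z_1^{b_j} in X_1, ..., z_k^{b_j} in X_k.
    By commutativity u_j^{a_1 ... a_i} = z_i^{b_j}, and the voter knows every z_i."""
    z, lists = transcript["z"], transcript["lists"]
    return all(pow(z[i], b_j, q) in lists[i] for i in range(len(lists)))


if __name__ == "__main__":
    votes = {"V1": 6, "V2": 6, "V3": 3, "V4": 0, "V5": 7}
    tally, exps, tr = run_election(votes, set(votes), random.Random(7))
    print(dict(tally), all(voter_can_verify(b, tr) for b in exps.values()))
```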
Recasting of votes presents no problem in this protocol. The voters who wish to recast their votes just do so in public but in an encrypted form as before, within a preassigned period, after which the government does all the work. First C replaces the old votes of those voters who voted for the second time by
their new votes, but leaves the (encrypted) votes of the other voters untouched. This produces a new version of the list $X_0$, after which the scramblers work as before. After a few repetitions of this procedure (provided one wants to recast votes several times) also the scrambling strategies have to be changed because, otherwise, it will become more likely that some accidental or partial information about them will be disclosed.

Observe that the above protocol also provides the following interesting possibility of casting a "random vote", a possibility certainly not present in current electoral systems. The voter $V_j$ just chooses in Step 6 a random number $b_j$ (without experimenting in any way with the function $\varphi$), computes $u_j = g^{b_j}$ and writes the pair $(V_j, u_j)$ in the public file. If she so desires, $V_j$ may later find out for whom she actually voted! Such a possibility could be interesting for voters who want to prove that they are not inactive politically but who do not care a bit about any of the candidates. If the voter $V_j$ writes in the public file the pair $(V_j, w_j)$, where $w_j$ is just a random element of the basic domain, she cannot even herself find out for whom she actually voted. Only the total conspiracy of all the scramblers can reveal the lucky candidate!

In the rest of this section we address the rather important issue of selling and buying votes or, more generally, of forcing or persuading somebody to vote against her own free will. The election protocol presented above possesses the following property that can be considered either desirable or undesirable, depending on the point of view. Apart from allowing a voter to conceal her vote, it also allows the voter to carry away a receipt telling how she actually voted. In case of our protocol the receipt consists of the number $b_j$. The voter $V_j$ may use this receipt to prove to somebody else that a particular candidate got her vote. It is even possible for $V_j$ to let somebody else cast the vote instead of herself!
The possibility of carrying away a receipt leads to the following distinction, subtle and seemingly irrelevant at a first sight but very important from certain points of view. In the traditional election protocol, the voting booth does more than permit a voter to keep her vote private; it forces the votes to remain secret. In the world of an individual voter this means that the voter can make promises to unreasonable employers, bad dictators, dictator-like family heads or compelling spouses, accept bribes, or belong to an organization committed to a particular vote. Yet in the privacy of the voting booth the voter can cast a quite different, maybe opposite vote. She can do it in a happy mood, perhaps with a broad grin on her face, because nobody can accompany her to the voting booth (we disregard again the invalid voters). This means that the voter can cast a vote according to her true opinions, without any fear of repercussions or recrimination, even if her vote is against her previous promises. Even if she wanted to, the voter cannot prove to a bad boss how she actually voted; the voting booth forces the vote to remain secret. Things are drastically different in our election protocol presented above. A compelling spouse knows that the voter $V_j$ carries the receipt $b_j$ and may want to see it. The protocol leaves the secrecy to the discretion of the voter; it does not force secrecy.
Fig. 6.3
It is of course an additional incentive for selling votes if the buyer can get a proof that the service was actually rendered. Protocols, where a voter can get a receipt about how she actually voted, might increase drastically political pressure inside certain groups of people. On the other hand, at a first glance, getting a receipt seems to be a property inherent in every verifiable election scheme. But public-key cryptography is often counterintuitive. We outline now a protocol, where it is impossible for a voter to prove afterwards how she voted, but still the requirements 1-3 of soundness, secrecy and verifiability are satisfied. The protocol is due to [NieR]; another method has been presented in [BenT]. The protocol we are going to outline is a modification of the method of eligibility tokens. Each voter will be convinced that her token is a valid one (that is, of a required form) but she is not able to transfer this confidence to anyone else. This means that she is given a token, and the validity of the token is shown to her by a zero-knowledge proof.

In this setup the most important part is the zero-knowledge proof of the equation $f(x) = y$, where f is defined as the scrambling strategies above. (Thus, we consider a generator g of $F^*(q)$, g and q being public. The function f in $F^*(q)$ is defined by $f(x) = x^a$. It is intractable to verify the equation $f(x) = y$, although the commitment $g^a$, g and q are known.) Let us see how a prover P (who knows a and, thus, is able to compute f) can convince a verifier V of the validity of the equation $f(x) = y$ in a zero-knowledge fashion. V knows P's commitment $g^a$. P and V repeat the following protocol sufficiently many times.
Step 1: V randomly chooses two numbers i and j, computes $m_1 = x^i g^j$, and gives $m_1$ to P.

Step 2: P randomly chooses a number l, computes $m_2 = m_1 g^l$ and $m_3 = f(m_2)$ and, finally, gives V the pair $(m_2, m_3)$.

Step 3: V gives P the pair (i, j).

Step 4: After checking that $m_1 = x^i g^j$, P gives l to V.

Step 5: V checks that $m_2 = m_1 g^l$ and $m_3 = y^i g^{a(j+l)}$. If not, then V rejects.

It is fairly easy to analyze this protocol and show that it is zero-knowledge. If $f(x) = y$, then

$$m_3 = f(m_2) = f(x^i g^j g^l) = (f(x))^i (f(g))^{j+l} = y^i (g^a)^{j+l},$$
as it should be. On the other hand, if a cheating P is going to pass the protocol, he should be able to compute $y^i g^{aj}$ from $m_1 = x^i g^j$. But i and j cannot be extracted from $m_1$. (The low probability of success can be computed, and this gives an estimate of the number of rounds of the protocol needed for any preassigned degree of confidence.) It is obvious that the protocol is zero-knowledge. V learns nothing because, before she gets anything from P, she has to prove that she already knew it! In the actual voting protocol, the above zero-knowledge proof has to be generalized as follows: one proves in zero-knowledge that two lists $x_1, \ldots, x_t$ and $y_1, \ldots, y_t$ correspond to each other by the relations $f(x_i) = y_{\sigma(i)}$, $1 \le i \le t$, where $\sigma$ is a permutation of the index set $\{1, 2, \ldots, t\}$. A protocol similar to the one presented above can be given for this generalization, although a complication is caused by the fact that the permutation $\sigma$ is not to be disclosed.

In the following description of a protocol for receipt-free elections we try to make the setup similar to the election protocol presented above. Thus, we speak of the control C and scramblers $S_i$, $i = 1, \ldots, k$. The work of the latter is different from what it was before; the scramblers do not scramble encrypted votes but eligibility tokens. The protocol we are going to describe might seem computationally very complicated. However, a more detailed analysis shows that it is effective in any reasonable setting. Moreover, no time-consuming computations are needed in the actual voting phase. The whole procedure can be divided into phases in such a way that, as regards both time and space, practical requirements can be taken care of. This will become more apparent below. In the description of the protocol, we do not go to the level of individual steps. We only describe the general phases
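The five-step proof above, as an added example that is not part of the book: an honest prover passes every round, a wrong claim fails the Step 5 check, and the prover refuses Step 4 when the verifier cannot show she knew (i, j). The small modulus and the class and function names are assumptions of this example.

```python
"""The zero-knowledge proof (Steps 1-5 above) that f(x) = y for a scrambling
strategy f(x) = x^a, given only the commitment g^a, run for several rounds.

Added example, not from the book.  The modulus is a small prime, so this shows the
message flow and the checks, not real security.
"""
import random

Q = 65537   # Fermat prime, used as the modulus of F*(Q); constructed for the example
G = 3       # a generator of F*(Q): every quadratic non-residue generates mod a Fermat prime


class Prover:
    """P knows the secret exponent a and has published the commitment g^a."""

    def __init__(self, a, rng):
        self.a, self.rng = a, rng
        self.commitment = pow(G, a, Q)
        self.m1 = self.l = None

    def f(self, t):
        return pow(t, self.a, Q)

    def step2(self, m1):
        """Receive m1, pick a random l, answer with m2 = m1 g^l and m3 = f(m2)."""
        self.m1 = m1
        self.l = self.rng.randrange(1, Q - 1)
        m2 = m1 * pow(G, self.l, Q) % Q
        return m2, self.f(m2)

    def step4(self, x, i, j):
        """Release l only after V has shown that she already knew m1 = x^i g^j."""
        if pow(x, i, Q) * pow(G, j, Q) % Q != self.m1:
            raise ValueError("verifier did not know i and j")
        return self.l


def verify_round(x, y, commitment, prover, rng):
    """One round from V's side.  Returns True iff P's answers fit f(x) = y."""
    i, j = rng.randrange(1, Q - 1), rng.randrange(1, Q - 1)
    m1 = pow(x, i, Q) * pow(G, j, Q) % Q                          # Step 1
    m2, m3 = prover.step2(m1)                                     # Step 2
    l = prover.step4(x, i, j)                                     # Steps 3 and 4
    ok_m2 = m2 == m1 * pow(G, l, Q) % Q                           # Step 5, first check
    ok_m3 = m3 == pow(y, i, Q) * pow(commitment, j + l, Q) % Q    # m3 = y^i (g^a)^{j+l}
    return ok_m2 and ok_m3


def zk_verify(x, y, commitment, prover, rounds=20, seed=1):
    """Repeat the round; a cheating P survives each round only with low probability."""
    rng = random.Random(seed)
    return all(verify_round(x, y, commitment, prover, rng) for _ in range(rounds))


if __name__ == "__main__":
    p = Prover(12345, random.Random(2))               # a must be coprime to Q-1, i.e. odd
    x = 1234
    y = p.f(x)
    print(zk_verify(x, y, p.commitment, p))           # honest claim f(x) = y
    print(zk_verify(x, y * G % Q, p.commitment, p))   # false claim: y*g is not f(x)
```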
of the protocol: preliminaries, registration, voting and counting. Some phases can be repeated (and their results reused) in several elections. However, we do not discuss here the matters to be taken care of in such a case. Our somewhat informal exposition gives us also an opportunity for on-line explanations.

In the preliminary phase of the protocol C first publicizes q and a generator g of $F^*(q)$. Then each of the scramblers $S_i$ chooses a secret exponent $a_i$ and commits himself to it by making $g^{a_i}$ public. The product $a = a_1 \cdots a_k$ is the secret key for the permutation $f(x) = x^a$. Moreover, f is the composition $f_1 \cdots f_k$ of the scrambling strategies of the individual scramblers. The order of the factors $f_i$ in this composition is immaterial. All of the scramblers must cooperate in the computation of the function value f(x). Indeed, f can be viewed as a "collective zero-way permutation". Next C publishes a set of valid eligibility tokens $x_{1,0}, x_{2,0}, \ldots, x_{t,0}$. The set should be much larger than the number of legal voters. Each scrambler $S_i$, in turn, applies his scrambling strategy to the set $\{x_{1,i-1}, \ldots, x_{t,i-1}\}$ and proves to C in zero-knowledge (using the protocol outlined above) that the resulting set is obtained honestly. In other words, $S_i$ proves that the numbers $\{x_{1,i}, \ldots, x_{t,i}\}$ that he has produced are the numbers $\{x_{1,i-1}^{a_i}, \ldots, x_{t,i-1}^{a_i}\}$ in some permuted order, without disclosing the permutation. Now the numbers $y_j = x_{j,k}$, $j = 1, \ldots, t$, are the numbers $f(x_{j,0})$, $j = 1, \ldots, t$, in some order which is not known by anybody, provided that at least one scrambler is honest in the sense that he keeps his secret. (Similarly as before, we have also here the situation where one swallow makes the spring!)
Thus, the numbers $y_j$ are the original eligibility tokens, first permuted in a way that can be known only if all scramblers cooperate and then encrypted by the collective zero-way permutation f. The numbers $y_j$ are referred to as encrypted tokens. C allocates one encrypted token to each legal voter. After this, C of course knows which encrypted token each voter gets. However, these tokens are not yet the ones the voters will actually use. (Additional precautions are needed to prevent the unlikely event that a voter tries to proceed with somebody else's encrypted token, not using her own one at all, and thus can nullify both votes in the final count.) To end the preliminary phase, the scramblers generate collectively another one-way function E. The voters will encrypt their votes using E. The encryption key E will be made public. (It is largely irrelevant and does not affect the other parts of the protocol which public-key cryptosystem is used here. Because the setup of q and g is already present, an El Gamal system is very suitable, see Section 4.6. This means that each scrambler $S_i$ commits himself to another number $b_i$ by publishing $g^{b_i}$.)

We describe next the registration phase of the protocol. In this phase a voter communicates with each scrambler, one after the other. As a result of the communication, the voter knows her voting token, the token she is going to use in the actual election. But she can never prove to anyone, not even the scramblers, let alone some family head or organization boss, which token she has obtained. In this registration phase it is important that the voter actually proves that she is a legal voter. (In the preliminary phase this is not important;
it does no harm if C distributes encrypted tokens also to some false voters.) One way to handle this situation is that the voter is first identified (perhaps in some office), after which she gets a private line to each of the scramblers. The registration phase might seem quite complicated. Observe, however, that it can be completed long before the actual election. Perhaps the same registration phase can also be used for several elections.

In the registration phase, the voter $V_j$ with the encrypted token $y_j$ learns $z_j = f(y_j)$. This $z_j$ will be her voting token, the token $V_j$ is going to use in the actual election. Thus, a valid voting token z results from one of the original eligibility tokens chosen by C, say x, by applying twice the collective zero-way permutation f: $z = f(f(x))$. By the definition of f, because the scrambling strategies commute, we can also say that z results from x when each of the scramblers applies his strategy twice. It is essential that the registration phase is carried out in such a way that $V_j$ cannot convince anyone about the validity of her voting token. The voter $V_j$ has the encrypted token $y_j$ from the preliminary phase. She learns $z_j = f(y_j)$ by asking first for $y_j' = f_1(y_j)$ from $S_1$, then $f_2(y_j')$ from $S_2$, and so forth, all the time using the private lines. Thus, the voter $V_j$ approaches each of the scramblers $S_i$ and asks for the result of $S_i$'s secret scrambling strategy when applied to the particular number $V_j$ gives to $S_i$. The scrambler tells her the result and, moreover, proves in zero-knowledge, referring to his commitment, that the result he gives the voter is the correct one. This is done by the zero-knowledge proof protocol presented above. After communicating with the last scrambler, the voter is convinced that she has a valid voting token but cannot transfer her conviction about $z_j$ being a valid voting token to anyone else. However, there is the following obvious problem in this procedure.
The voter approaches the last scrambler $S_k$ with some number, say $\bar y$, and so the last scrambler will know the number $f_k(\bar y)$ he gives to the voter. But the number $f_k(\bar y) = z_j$ is the voter's valid voting token and, thus, it should not be known by anybody. This cannot be remedied by simply letting the voter approach the scramblers in a secret order because even then the probability of a correct guess will be unacceptably high. But the following slight modification of the idea will work. It is used with all scramblers to take care of the possibility that some of the last scramblers are in conspiracy. Suppose $V_j$ has so far learned the number x when she approaches the scrambler $S_i$. Thus, she must learn $f_i(x)$. The voter $V_j$ does not give $S_i$ the number x but picks randomly a number n and gives $S_i$ the number $xg^n$. Then $S_i$ tells $V_j$ the value $f_i(xg^n)$ and, moreover, convinces $V_j$ in zero-knowledge about the correctness of this value. The voter $V_j$ now learns $f_i(x)$ because

$$f_i(x) = f_i(xg^n)\,(g^{a_i})^{-n}$$

and $V_j$ knows the commitment $g^{a_i}$. On the other hand, $S_i$ learns nothing about x from the number $xg^n$.
The actual voting phase is extremely simple. Consider again a voter $V_j$. Let $u_j$ be her voting strategy. By now she also has her voting token $z_j$. The voter sends to a public file the pair $(u_j, z_j)$, encrypted with the one-way function E publicized in the preliminary phase. She makes sure that $E(u_j, z_j)$ appears in the public file by sending it again if necessary. The votes float in the public file in an encrypted form; otherwise, strategic manoeuvres based on the current count would be possible. If further desired, a method of an anonymous channel, [PIK], can be used to prevent the item $E(u_j, z_j)$ being traced back to $V_j$. No identity check of the senders is in use. False votes floating in the public file can do no harm.

The counting phase begins when the preassigned voting period is over. First the scramblers, supervised by C, decrypt the pairs $(u_j, z_j)$ from the items $E(u_j, z_j)$ floating in the public file. Then C collects, for each voting strategy u, in one list all tokens associated to u. At this stage valid tokens can in no way be distinguished from false tokens or junk. The scramblers will now decrypt the tokens, seeing whether one of the original eligibility tokens x results. The procedure is the one used in the preliminary phase, only now $f_i$ is replaced by $f_i^{-1} f_i^{-1}$. Indeed, each scrambler $S_i$ has to "unlock" his scrambling strategy twice because he applied his strategy twice before: once in the preliminary phase in the process of changing an eligibility token to an encrypted token and, for the second time, in the registration phase when the encrypted token was changed to a voting token. Each scrambler convinces C in zero-knowledge about the correctness of his actions. After each scrambler has done the unlocking, C counts how many of the original eligibility tokens $x_j$ are associated with each voting strategy, and publishes the tally. Observe that the order of inverse scramblings is quite different from the original order of scramblings. The former is $f_1^{-1} f_1^{-1} \cdots f_k^{-1} f_k^{-1}$, whereas the latter is $f_1 \cdots f_k f_1 \cdots f_k$. Thus, there are no matches in the various intermediate data, and no partial information can leak out in this way.

This concludes our description of an election protocol, due to [NieR], having the properties of soundness, secrecy, verifiability and receipt-freeness. There are no trusted parties, votes remain secret, correctness of the results may be checked by anyone and yet selling of votes is impossible. Computations are mainly based on modular exponentiations. The protocol can be easily implemented because there exist many kinds of hardware for modular exponentiation and, moreover, the most time-consuming computations are needed in the preliminary and counting phases. At least in the former, time is not at all critical. Since the whole setup is rather complicated, we have not presented many minor details. Some parts can also be simplified. For instance, the role of C is unimportant; C only acts as a manager for the scramblers.
6.11 Cryptographic Protocols Without Computers

We started this book from early cryptography, the history of secret writing. In the early days the methods were certainly developed quite independently of computers - there were none around. Early translations from plaintext to ciphertext were carried out using (hopefully!) ingenious methods. However, the methods never involved very complicated computations. The view is different for practically all of public-key cryptography. Indeed, the whole idea of a one-way function is difficult to visualize in practice without referring to computing devices. Although we have presented in this book mostly small "toy examples" for which computers are not actually needed, this has happened only because of readability. Any real use of the presented methods of public-key cryptography is intended to take place within the environment of computers. Now in this final section of the book, we will complete the circle and come back to a setup without computers by discussing cryptographic protocols where computers are not used.

Consider a typical cryptographical task, for instance, the cryptanalysis of an RSA cryptotext when the public key is known. In principle we can factorize the modulus by trying all factors up to the square root of the modulus and, thus, everything is possible, given enough time and patience. The important thing is that this "enough" is much too much. The whole world would have during the time required changed so much that, whatever message the cryptotext originally had, it would have become completely irrelevant. The same observation can be made about cryptography in general. "Impossible tasks" are not impossible from the point of view of classical mathematics. On the contrary, in principle everything is possible, even trivial. However, solutions lose their meaning and significance if they take too long. Proper solutions in cryptography are always tied with complexity.
If your method takes unreasonably long, you might as well forget it. But you can also have in mind the seriousness of the situation and the resources of the opponent. Smaller safety measures could be adequate if the opponent has little time or resources. For most of the topics in this book, we have had a rather heavy apparatus in mind, moduli 200 digits long and so forth. What about cryptographic protocols? Some of the situations we have described are quite “harmless”, for instance, flipping a coin by telephone to settle some modest dispute. In such cases the methods suggested give the impression of killing a fly with heavy artillery - you just are not likely to do things that way. If Alice and Bob flip a coin by telephone, they certainly do not start talking about quadratic residues with respect to huge moduli! Similarly, the setup in a zero-knowledge proof becomes quite different if the Prover and/or Verifier can somehow observe the computing resources of the other. It is certainly possible to design cryptographic protocols, that is, protocols applying ideas of cryptography, for situations where computing resources are limited or nonexistent. Very little work has so far been done in this direction, although the approach is also interesting from the general mathematical point of view.
This final section of the book contains some cryptographic protocols, where computers are neither used nor needed. Most of the techniques are from m ie m ]. [CrK] uses similar ideas for different purposes. Although our considerations can be viewed as initial ones in a new area, some theoretically very significant issues are involved. Of these the non-interactive zero-knowledge proofs should be especially mentioned. There are obvious reasons for investigating cryptographic protocols, where computers are not used. Nonavailability, nonportability, unreliability, mistrust or dislike of computers are certainly among such reasons. Sometimes a protocol without computers is simply better or more natural than one with computers. For instance, assume that a relatively small group of people gathered together want to take a secret vote about some important matter. Who would in such a situation consider anything such as the balloting protocols described above - even if a network of computers were available? It is much easier and more efficient to take ballots (pieces of paper or cards) and a box. The "cryptographic element" in this protocol will be shuffling. When the ballots are shuffled, the group loses the link between the person and the ballot, although the link could perhaps be observed earlier. It is essential for secrecy that the link is broken before the votes are disclosed. This very simple protocol serves its purpose better than any other one could think of.

Let us go back to flipping a coin by telephone. Alice and Bob cannot agree about what they are going to do in the evening. Bob would like to go to the opera but Alice likes to see basketball. Alice realizes that it is not good for their relation if they go to different places. Bob would hate to sit in a crowded sports arena, thinking that he missed "Lulu", his favorite opera.
So Bob tells Alice over the phone that they should flip a coin but complains that the cryptographic methods for the task are overly complicated. Neither one of them is going to compute quadratic residues or square roots with respect to a large modulus. But then Alice gets a brilliant idea. Both of them have next to the phone the same telephone directory. They can flip a coin according to the following protocol.
Step 1: Bob picks a number in the directory (say, 7340309) and asks whether the number immediately following it in the directory is even or odd.
Step 2: Alice makes a guess (say, “odd”). It is indeed a guess because she has to react immediately and, thus, can in no way find Bob’s number.
Step 3: Bob tells the result of the guess (here “wrong”). At this stage they can interrupt the protocol and do whatever the result implies. (In our example they go to see “Lulu”.)
Step 4: Bob proves to Alice that he was honest in telling the result. (He tells her that the number 7340309 belongs to Sebastian Mahler. Alice checks that the next number, 7175914, belonging to Ibrahim Mahmud, is even. So her guess was indeed wrong, and it was only fair that she had to suffer through the incomprehensible music!)
Fig. 6.4
Observe that, in designing the above protocol, Alice made use of a function f, mapping each number in the directory to the number immediately following. This function f can be viewed as a zero-way function, at least for simple practical purposes such as the one considered above. In such a setup, computing f(x) or f^{-1}(x) is clearly intractable: given a number x, one can find neither the number immediately preceding it nor the number immediately following it. Also the verification of an equation f(x) = y is intractable. In all of these tasks we assume that the “commitment” (the telephone directory) is also given. Only the additional knowledge of the “trapdoor” (the inverse directory, ordered according to increasing numbers) makes these computations tractable. It should be emphasized that these observations are valid only relative to the simple setup we had in mind. For more demanding tasks the function f is not zero-way. We consider next the computation of propositional formulas (Boolean functions). A propositional formula with n variables is given. Each of the n participating parties knows the truth-value of a particular variable. How can they find out the truth-value of the whole formula without disclosing their own secret truth-value? We want to devise a protocol, as simple as possible and not using computers, for this task. In some cases the truth-value of the whole formula discloses the individual truth-values. For instance, if the truth-value of a disjunction is “false”, then each party learns the secret truth-value of every other party. This obvious exception must of course be granted in our considerations. We view truth-values as bits, 0 being “false” and 1 being “true”. Take first the computation of conjunction. Alice has a secret bit a and Bob has a secret bit b. They want to learn a ∧ b without revealing their secret bits,
unless necessary. This means that if a = 0 (resp. b = 0) then Alice (resp. Bob) should learn nothing. If a = 1, then Alice actually learns b. There are numerous situations where such a demand for learning the conjunction arises. Alice and Bob could be just at the beginning of their relationship. They want to find mutual interests. But being very shy, they refuse to show interest in something unless they know that the other one is also interested. If they are able to compute conjunction in the way described above, they can find out possible common interests, for instance, in the following:
- bird watching,
- classical music,
- fitness training,
- long hikes,
- watching sports,
- religious activities.
If they have a simple protocol available, they can go further after they have found a common interest. Such a further exploration is necessary if they have a common interest in religious activities. But it is very helpful also in other cases. If they are both interested in classical music, they can find out much more by indicating their acceptance or nonacceptance of the following controversial statements:
- Even-numbered Beethoven symphonies are actually better than the odd-numbered ones.
- “Parsifal” is the greatest Wagner opera.
- Glenn Gould has set an absolute standard on how to play a Bach toccata or partita.
- Mahler’s Third is among the handful of greatest symphonies ever written.
- Most of Italian opera is actually operetta.
Secret computing of conjunction is needed also in more serious situations. Such a demand might arise amidst hectic negotiations between a labor union and an employers’ organization. Both sides are willing to bargain, but only as much as is necessarily needed to get a contract or to avoid a strike. Sometimes a neutral third party, often representing the government, takes part in the negotiations. A rather modern idea is that such a third party should no longer make an intermediate proposition but should accept as such one of the bids of the two parties. This encourages both of the parties to bargain as much as possible in their last bid, because in this way they have a better chance of getting their own bid finally accepted. This holds of course only in case both negotiating parties trust the neutral third party. Otherwise, they might test the mutual acceptance or nonacceptance of packages such as
- two-year contract, salary freeze but 10% increase in overtime bonus,
- one-year contract, terms as above,
- no specific contract period, 3% salary increase.
Thus, if one of the parties (workers or employers) does not accept a package, it does not learn the other party’s eventual willingness, but if it accepts, it learns the other party’s attitude. Having discussed at length the background of the problem of computing conjunctions secretly, we now describe a simple protocol where a deck of five cards will be used. This “five-card trick” is due to [Bo]. The cryptographic element in this and other protocols described below will be a random cut of the deck. As usual, a cut of the deck means that some number of topmost cards is moved, without changing their order, to the bottom. An important observation is that the effect of several cuts, made after each other, can always be achieved by one cut. If so many cuts are made in succession that every participant in the protocol has lost the possibility of keeping track of the cutting position, we speak of a random cut. Thus, a random cut is a sequence of cuts, viewed as one cut. The unchanged deck also constitutes a cut, being one possibility for a random cut. Our overall cryptographic assumption will be that it is possible to make a random cut. The assumption will be made for any number ≥ 1 of participants in the protocol and any number ≥ 2 of cards in the deck. There are two kinds of cards, white and black. Cards of the same color are indistinguishable. As usual, the back side of each card is identical. White cards are denoted by the bit 0 and black cards by the bit 1. A deck of cards can be represented in this way as a word over the alphabet {0, 1}, using the convention that the leftmost letter represents the topmost card. Thus, the word 01011 stands for a deck with two white and three black cards, where the topmost and third cards are white. We will also have to make a distinction whether the cards are face (white or black) down or face up. A commitment to the bit 0 (resp. 1) is the deck 10 (resp. 01), cards face down.
Thus, a commitment is made using one card of each color, the bottom card telling the bit committed to. It will become apparent below why it is better to use two cards for a commitment, rather than simply a card 0 or 1. We speak also of negations of bits, ¬0 = 1 and ¬1 = 0. We are now ready to define the protocol.
Setup: Alice and Bob both have a white card and a black card. An additional black card is put on the table, face down.
Step 1: Alice makes a commitment to her secret bit. Bob makes a commitment to the negation of his secret bit.
Step 2: Alice’s commitment is put on top of the card on the table, Bob’s commitment below it. After this there is a deck of five cards on the table, all cards face down.
Step 3: A random cut is made on the deck.
Step 4: The cards are shown. The conjunction has the value “true” exactly in case the two white cards are next to each other, where also the top and bottom cards are considered to be next to each other. (Thus, we view the deck cyclically, every card having two neighbors. We could require equivalently that the three black cards are next to each other.)
Let us now analyze the validity of the protocol, namely, that the outcome is the correct one and that the secrecy requirement will be satisfied. This happens conveniently in terms of a case analysis (a is Alice’s secret bit, b is Bob’s; each column lists the commitment deck of Step 2 and its four proper cuts):

Secret bits        a = 0, b = 0   a = 0, b = 1   a = 1, b = 0   a = 1, b = 1
Commitment deck    10101          10110          01101          01110
Cuts               01011          01101          11010          11100
                   10110          11010          10101          11001
                   01101          10101          01011          10011
                   11010          01011          10110          00111
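A simulation of the five-card trick, added here and not part of the book, that enumerates every cut of the four commitment decks in the table above and checks both claims the case analysis rests on: the value read in Step 4 is a ∧ b whatever the cut, and the three decks with a ∧ b = 0 have one and the same set of cuts. Function names are my own.

```python
from itertools import product

def commit(bit):
    # Two-card commitment, face down: 10 stands for 0, 01 for 1 (bottom card = bit).
    return "01" if bit else "10"

def build_deck(a, b):
    # Step 2 of the trick: Alice's commitment on top, then the black card on the
    # table, then Bob's commitment to the negation of his bit.
    return commit(a) + "1" + commit(1 - b)

def cut(deck, k):
    # Move the k topmost cards to the bottom without changing their order.
    return deck[k:] + deck[:k]

def all_cuts(deck):
    # Every cut, the unchanged deck (k = 0) included.
    return {cut(deck, k) for k in range(len(deck))}

def whites_adjacent(deck):
    # Step 4: two white cards next to each other, the deck viewed cyclically.
    n = len(deck)
    return any(deck[i] == "0" and deck[(i + 1) % n] == "0" for i in range(n))

def five_card_trick(a, b, k):
    # k plays the role of the random cut; returns (deck shown, value read off it).
    shown = cut(build_deck(a, b), k)
    return shown, int(whites_adjacent(shown))

def cut_sets():
    # The four columns of the case analysis: all cuts of each commitment deck.
    return {(a, b): frozenset(all_cuts(build_deck(a, b)))
            for a, b in product((0, 1), repeat=2)}

def correctness_check():
    # Whatever the cut, the value read in Step 4 is a AND b.
    return all(five_card_trick(a, b, k)[1] == (a & b)
               for a, b in product((0, 1), repeat=2) for k in range(5))

def secrecy_check():
    # The three cases with a AND b = 0 give one and the same set of cuts, and
    # that set is disjoint from the cuts of the a = b = 1 deck.
    sets = cut_sets()
    zero_cases = [sets[p] for p in ((0, 0), (0, 1), (1, 0))]
    return len(set(zero_cases)) == 1 and sets[(1, 1)].isdisjoint(zero_cases[0])
```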
The correctness of the conclusion in Step 4 is immediate. If both A and B have the secret bit 1, then all cuts have two adjacent 0s, whereas none of the cuts in any other case has this property. Each of the three other cases leads to the same total set of cuts. Thus, it is impossible to tell the initial conditions from a random cut. If one of the parties is committed to the bit 1, then the black card in the commitment will be placed next to the black card on the table. So if there are no three adjacent black cards in the final cut, the other party must have placed a white card next to the black card on the table. The first party knows that 0 is the secret bit of the other party. However, a party committed to 0 learns nothing, because we are then dealing with two of the three indistinguishable sets of cuts. Clearly, disjunction can be computed in a very similar way. Now a party committed to 1 learns nothing. However, we want to take one step further. We want to compute conjunctions in such a way that the outcome remains in encrypted form. More specifically, we are given two bits x and y, in the form of commitments as described above. We want to compute the bit z = x ∧ y, also as a commitment. Thus, to start with we have four cards face down, two of them being a commitment for x, the other two for y. We want to devise a protocol, which now will be a game of solitaire, producing two cards face down representing a commitment for z. Possibly some auxiliary cards will be needed in the protocol. But the player of the solitaire does not know or learn later the original bits x and y, and also not the resulting bit z! The idea is that z can be used as an input for other protocols. Note that such a solitaire is obvious for negation. Given a commitment for the bit x, we get a commitment for ¬x just by switching the order of cards. (Of course, we should not look at the cards!) This would perhaps not at all be
possible if we had defined a commitment to be one card, face down. Another reason for defining a commitment in terms of two cards is that one is then able to copy a commitment without learning the bit. Such a capability is very useful in many protocols. The following protocol and the subsequent protocol for conjunction follow […]. The protocol is presented in the form of a game of solitaire. The only participant is called Verifier, Vera, V. This reflects our final aim of presenting a non-interactive zero-knowledge proof. The Verifier is of course not supposed to cheat. In particular, we assume that she (i) makes true random cuts when the protocol so requires and (ii) displays cards only if the protocol allows her to do so.
Setup: Vera is given two cards face down, defining a commitment ¬x x. (Thus, the deck equals 01 or 10. Vera knows that one of these alternatives holds but does not know which one.) In addition, she is given a deck (01)^{k+1} of 2k + 2 cards, for some k ≥ 2. Also these cards are face down but she may check that they form indeed the deck (01)^{k+1}.
Step 1: Vera makes a random cut of the deck (01)^{k+1}. She is no longer allowed to look at any card of the resulting deck, but she knows that the deck is of the form (¬y y)^{k+1}, where y = 0 or y = 1.
Step 2: Vera takes the two topmost cards of the deck (¬y y)^{k+1}. She joins these cards to the commitment ¬x x, getting the deck ¬x x ¬y y = Y_4. She still has also the deck (¬y y)^k = Y_{2k}.
Step 3: Vera makes a random cut of the deck Y_4, after which she looks at the four cards. If they are 0101 or 1010, then she outputs Y_{2k} (face down). If they are 0011, 0110, 1100 or 1001, then she outputs (y ¬y)^k, obtained from Y_{2k} by moving the topmost card to the bottom (without looking at it).
Step 4: Vera concludes that her output equals (¬x x)^k and, thus, consists of k copies of the original commitment.
It is easy to get convinced about the correctness of the conclusion in Step 4. If x = y, then Y_4 = 0101 or Y_4 = 1010. If x ≠ y, then Y_4 = 0110 or Y_4 = 1001, and there are the two further possibilities 0011 and 1100 for random cuts. In both cases Vera's output, formed according to Step 3, will be (¬x x)^k. On the other hand, Vera learns something only in Step 3. But she learns only whether or not x = y and this will tell her nothing because y is completely random. Vera gets k copies of the original commitment by taking pairs of cards (preserving the order and not looking at the cards) from her output deck of 2k cards. We are now ready to describe a protocol for computing conjunctions in such a way that the outcome remains in encrypted form. Copying of commitments is needed in this protocol. So is a certain modification of making random cuts,
where we force the topmost card to be the one we want. The protocol below can be viewed as a “doubling variant” of the five-card trick presented before: the deck in Step 2 below is obtained by doubling the deck constructed in Step 2 of the protocol for the five-card trick.
Setup: Vera is given two decks of cards, face down, defining two commitments ¬x x and ¬y y. (Thus, both of the decks contain a white and a black card. Vera knows this but nothing more about the decks. The decks may or may not be identical.) In addition, Vera is given openly four white and four black cards. (They are needed in copying commitments.)
Step 1: Vera makes two copies of the commitment ¬x x and two copies of the commitment ¬y y. (Her white and black cards suffice for making the copies according to the preceding protocol. She first needs three cards of both colors to make two copies of ¬x x. But in this construction four cards become free, so Vera again has the six cards needed for making two copies of ¬y y. This copying leaves her again four displayed cards, two of them white and two black, for possible use later.)
Step 2: Vera builds the deck of ten cards, face down,
Y_{10} = ¬x x 1 y ¬y ¬x x 1 y ¬y,
out of the cards she has from Step 1. The two decks y ¬y are obtained from the two decks ¬y y by changing the order of cards. Vera is not allowed to look at any of the face-down cards. (Thus, Vera knows the third and eighth card of the deck Y_{10} but none of the other cards explicitly. She has some implicit information based on her overall knowledge of Y_{10}, for instance, that the two topmost cards are of different colors but the fifth card is of the same color as the bottom card. Besides the deck Y_{10}, Vera still has also two displayed white cards.)
Step 3: Vera makes a random cut of the deck Y_{10} and looks at the topmost card of the resulting deck. If it is black, she puts it back, face down, in the topmost position, takes another random cut and looks at the topmost card. She continues in this way until the topmost card is white. Then she removes the topmost card from the deck, which leaves her a deck of nine cards y_9 = y2 y3 y4 y5 y6 y7 y8 y9 y10. (Thus, Y'_{10} = 0 y_9 is a cut of Y_{10}.)
Step 4: Vera makes a random cut of the deck y2 y3 and looks at the cards. If they are both black, she outputs the deck y10 y9, without looking at the cards. If one of them is white and the other black, she outputs (face down) the deck y7 y8. (The cards y2 and y3 cannot both be white because there are no three consecutive 0s in the original deck Y_{10}.)
Step 5: Vera concludes that her output is a commitment for the conjunction (that is, the output equals ¬(x ∧ y) (x ∧ y)).
Since the outputs in Step 4 may sound a bit mystical, let us have a closer look at the protocol. In regard to the five-card trick, some kind of doubling of the deck is needed: Vera has to get some information in order to output the correct commitment but, on the other hand, she must learn nothing about x, y or the output. This means that some cards must be shown to her (recall that white and black cards are associated to the bits 0 and 1, respectively) but enough cards must remain under cover to determine the output correctly. If the protocol above is used as a subprotocol in some more comprehensive task, then the following requirement is essential. Vera gets initially 12 cards but her output requires only 2 cards. Thus, 10 cards are “saved”. Of these 10 cards 3 white ones are disclosed to Vera, whereas the remaining 7 remain secret: Vera is not allowed to look at the y_i-cards left over. (She knows something about them, for instance, that exactly 2 of them are white and that the y_i-deck contains no adjacent white cards.) The 10 cards might be needed at some later stages of the comprehensive task. (We might have an unlimited supply of cards available but, on the other hand, the number of cards needed is a good complexity measure for such protocols.) An essential requirement is that the secret left-over cards are shuffled before any further use. Perhaps the clearest way of proving the validity of the above protocol (that is, the correctness of the conclusion and the secrecy of the hidden bits) is by case analysis. Depending on the values of x and y, we have the following four alternatives for the deck Y_{10}:
A1 = 0111001110, x = 1, y = 1;
A2 = 0110101101, x = 1, y = 0;
A3 = 1011010110, x = 0, y = 1;
A4 = 1010110101, x = 0, y = 0.
The conjunction should assume the value 1 (that is, be the commitment 01) only if we are dealing with the alternative A1. We now investigate all possible cuts of A1 where the topmost card is 0. There will be four cases, depending on the position of this 0 in A1. However, the four cases can be joined into two pairs, because the first and second halves of A1 are identical. (This holds true for A2-A4 as well.) The items important in the protocol are given in the following table:

Occurrence of 0    y_9          y2 and y3      output         value
First, Third       111001110    both black     y10 y9 = 01    true
Second, Fourth     011100111    black-white    y7 y8 = 01     true
The corresponding tables for the alternatives A2-A4 are, accordingly:
      Occurrence of 0    y_9          y2 and y3      value
A2    First, Third       110101101    both black     false
      Second, Fourth     101101011    black-white    false
A3    First, Third       110101101    both black     false
      Second, Fourth     101101011    black-white    false
A4    First, Third       101101011    black-white    false
      Second, Fourth     110101101    both black     false
These tables tell immediately that Vera’s conclusion in Step 5 is always correct. We have shown before that she learns nothing in copying the commitments. She also learns nothing in making the special random cut in Step 3. Although she sees some cards, she only learns that the deck contains white and black cards, which she knows anyway. Vera also learns the unordered pair {y2, y3}. (Observe that making a random cut renders an ordered pair unordered!) But she still learns nothing because all truth-value combinations are present for both of the outcomes “black-white” and “both black”, as is immediately seen from the tables. It is also seen from the tables that it is necessary to make a random cut before looking at y2 and y3: if she could distinguish between 01 and 10, Vera would also know the difference between “true” and “false” in the final commitment! Thus, the validity of the protocol follows. Vera learns nothing if she does not cheat. But it is very easy for her to cheat - she can look at any commitment she wants to! The possibility for cheating lies in the nature of every solitaire. We are now ready for the final step. We can present a simple non-interactive zero-knowledge proof for the satisfiability of propositional formulas. (See Appendix A for a discussion about the universality of this problem.) A propositional formula F with variables x1, ..., xn is given. Since every propositional connective can be expressed in terms of conjunction and negation, we assume that these two are the only connectives occurring in F. The Prover, Peter, knows an assignment for the variables making F true. He wants to convince the Verifier, Vera, of his knowledge without revealing to her any details of the assignment. The protocol will be simply the following. Peter gives Vera his assignment in the form of n commitments, 2n cards, as described above. In addition, Vera is given a sufficient supply of auxiliary cards, needed in copying the commitments.
(Estimates, based on F, for the number of auxiliary cards needed can be given.) Vera now plays the solitaire, applying the protocols for conjunction and negation. She looks at the final outcome, the commitment for the whole formula F, and accepts iff the commitment is 01. Only one round is needed in this non-interactive protocol. Vera’s eventual cheating can be prevented if Peter or a person trusted by him stands by, watching Vera’s play. One could also imagine a technical device that would have the same effects as card play and would report any wrongdoings of the operator. Finally,
the only way for Peter to cheat is to give pairs 00 or 11 in place of some commitments. But he would be caught immediately because cards assigned to a variable will be disclosed as an unordered pair whenever the variable takes part in a conjunction. If she gets two cards of the same color when the colors should be different, Vera will stop the game.
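The three solitaire operations (negation by switching the cards, copying by random cuts, and the doubling variant of the five-card trick for conjunction), composed into Vera's evaluation of a whole formula as in the non-interactive proof, as an added simulation that is not the book's code. Each random cut is modelled by an explicit cutting position so that every possible outcome can be enumerated; the tuple encoding of formulas, the function names and the example formula (x1 ∨ x2) ∧ x1 written with ¬ and ∧ are my own assumptions.

```python
from itertools import product
import random

def commit(bit):
    # Commitment ¬x x: the deck 10 for x = 0 and 01 for x = 1 (bottom card = bit).
    return "01" if bit else "10"

def decode(pair):
    # Opening a commitment at the very end: the bottom card tells the bit.
    return int(pair[1])

def cut(deck, k):
    # Move the k topmost cards to the bottom without changing their order.
    return deck[k:] + deck[:k]

def negate(pair):
    # Negation needs no cut: switch the two cards without looking at them.
    return pair[::-1]

def copy_commitment(pair, k, cut1, cut2):
    """Copying protocol (Steps 1-4) for k copies; cut1 and cut2 are the positions
    of its two random cuts. Returns (2k output cards, the 4 cards Vera saw)."""
    deck = cut("01" * (k + 1), cut1)          # Step 1: (¬y y)^{k+1}, y random
    y4 = pair + deck[:2]                      # Step 2: Y_4 = ¬x x ¬y y
    y2k = deck[2:]                            #         Y_{2k} = (¬y y)^k
    seen = cut(y4, cut2)                      # Step 3: random cut, then look
    out = y2k if seen in ("0101", "1010") else cut(y2k, 1)
    return out, seen                          # Step 4: out is (¬x x)^k

def conjunction(px, py, which_white):
    """Conjunction protocol (Steps 2-5) on commitments px = ¬x x, py = ¬y y.
    which_white (0..3) says which white card the Step 3 cut brings to the top.
    Returns (output commitment, y2 y3 as dealt, y2 y3 after the random cut)."""
    half = px + "1" + negate(py)              # ¬x x 1 y ¬y
    y10 = half + half                         # Step 2: the doubled deck Y_10
    whites = [i for i, c in enumerate(y10) if c == "0"]
    y = "_" + cut(y10, whites[which_white])   # Step 3; y[i] is the i-th card
    dealt = y[2] + y[3]                       # Step 4: y2 y3 ...
    learned = "".join(sorted(dealt))          # ... seen only after a random cut
    out = y[10] + y[9] if learned == "11" else y[7] + y[8]
    return out, dealt, learned

def evaluate(formula, store, rng):
    """Vera's solitaire for the non-interactive proof. formula is ('var', i),
    ('not', f) or ('and', f, g); store maps each variable to its commitment and
    is refreshed by copying, so a variable may occur several times."""
    kind = formula[0]
    if kind == "var":
        copies, _ = copy_commitment(store[formula[1]], 2,
                                    rng.randrange(6), rng.randrange(4))
        store[formula[1]] = copies[:2]        # keep one copy, spend the other
        return copies[2:]
    if kind == "not":
        return negate(evaluate(formula[1], store, rng))
    px = evaluate(formula[1], store, rng)
    py = evaluate(formula[2], store, rng)
    return conjunction(px, py, rng.randrange(4))[0]

# Constructed example: ¬(¬x1 ∧ ¬x2) ∧ x1, i.e. (x1 ∨ x2) ∧ x1, which equals x1.
EXAMPLE = ("and", ("not", ("and", ("not", ("var", 1)), ("not", ("var", 2)))),
           ("var", 1))

def check_copying(k=2):
    # Every run yields k copies, and the shown cards are distributed identically
    # for x = 0 and x = 1 (they reveal only whether x = y, and y is random).
    views = {0: set(), 1: set()}
    for x, cut1, cut2 in product((0, 1), range(2 * k + 2), range(4)):
        out, seen = copy_commitment(commit(x), k, cut1, cut2)
        if out != commit(x) * k:
            return False
        views[x].add(seen)
    return views[0] == views[1]

def check_conjunction():
    # The output decodes to x ∧ y in all 16 cases; the unordered pair {y2, y3}
    # takes the same values for every (x, y), whereas the ordered pair would not.
    dealt, learned = {}, {}
    for x, y in product((0, 1), repeat=2):
        dealt[(x, y)], learned[(x, y)] = set(), set()
        for w in range(4):
            out, d, l = conjunction(commit(x), commit(y), w)
            if decode(out) != (x & y):
                return False
            dealt[(x, y)].add(d)
            learned[(x, y)].add(l)
    same_view = len({frozenset(v) for v in learned.values()}) == 1
    return same_view and dealt[(1, 1)] != dealt[(0, 0)]

def check_proof(formula, n, expected, seed=1):
    # Run Vera's solitaire on every assignment of the n variables: she must
    # accept (final commitment 01) exactly when expected(bits) is True.
    rng = random.Random(seed)
    for bits in product((0, 1), repeat=n):
        store = {i + 1: commit(b) for i, b in enumerate(bits)}
        accepted = decode(evaluate(formula, store, rng)) == 1
        if accepted != expected(bits):
            return False
    return True
```

The `dealt` sets differ between the x = y = 1 case and the others, which is exactly the leak the text warns about if Vera could look at y2 y3 before cutting them.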
Fig. 6.5
Appendix A. Tutorial in Complexity Theory
The subsequent two appendices are brief introductions to only those areas of complexity and number theory that are used in this book. There are many good general introductions to both complexity and number theory. From the point of view of classical mathematics, problems in cryptography are trivial in the sense that they can be solved by finitely many trials. However, reduction to finitely many cases does not make much sense if the number of cases is unmanageable. If we are not able to decrypt a message within a certain time limit, we might as well forget the whole thing because, as time passes by, the situation might change entirely. The time complexity of an algorithm is a function of the length of the input. An algorithm is of time complexity f(n) iff, for all n and all inputs of length n, the execution of the algorithm takes at most f(n) steps. If n is an integer, its length is the number of digits or bits in n. Of course, there might be slow and fast algorithms for the same problem. In some cases an unlimited speed-up is possible. It is difficult to establish lower bounds for complexity, that is, to show, for instance, that every algorithm for a certain problem is of at least quadratic time complexity. Clearly, time complexity depends on the model for algorithms we have in mind. The number of steps becomes smaller if more work can be included in one step. However, fundamental notions such as polynomial time complexity are largely independent of the model. Of course, this concerns only models chosen with good taste. For instance, an abstract subroutine for testing the primality of a given number should not be included in one step! To be more specific, we choose a Turing machine as our model for algorithms. A Turing machine operates in discrete time. At each moment of time, it is in a specific internal (memory) state, the number of all possible states being finite. A read-write head scans letters written on a tape one at a time.
Every pair (q, a) determines a triple (q1, a1, m), where the q’s are states, a’s are letters and m (“move”) assumes one of the three values “left”, “right” or “no move”. This means that, after scanning the letter a in state q, the machine goes to the state q1, writes a1 in place of a (possibly a1 = a) and moves the read-write head according to m. If the read-write head is about to “fall off” the tape, that is, a left move is instructed when the machine is scanning the leftmost square of the tape, then a new blank square is added to the tape. The same holds true with respect to the right end of the tape. This capability of indefinitely extending the external memory can be viewed as a built-in hardware feature of every Turing machine.
The tape can be viewed both as a potentially infinite memory and as an input and output channel. The input-output format is specified as follows. The machine begins its computation by scanning the leftmost letter of a given input word in a specific initial state. The computation ends if and when the machine reaches a specific final state. Then the machine halts and the word appearing on the tape constitutes the output. When reading the output some auxiliary letters can be ignored. The reader is referred to [Sal] for more formal definitions, as well as for a discussion concerning the generality of the model. Now it is clear what a step means. We can define the time complexity function associated with a Turing machine A by
f_A(n) = max {m | A halts after m steps for an input w with |w| = n}.
We assume for simplicity that A halts, that is, reaches the final state for all inputs. Of course, this is not the case with respect to an arbitrary Turing machine. A Turing machine A is polynomially bounded iff there is a polynomial p(n) such that f_A(n) ≤ p(n) holds for all n. The notation P is used for all problems that can be solved using a polynomially bounded Turing machine. A problem is referred to as (computationally) intractable (sometimes also impossible) if it is not in P. Tractable problems (that is, problems in P) have several subclasses whose definition should be obvious: problems with linear, quadratic, cubic, etc. time complexity. The informal reference to a problem as easy means that the values of the polynomial are small, at least within the range considered. The Turing machine considered above is deterministic: the scanned letter and the internal state determine the behavior uniquely. To emphasize that a deterministic Turing machine is involved, we often speak of deterministic time complexity. A nondeterministic Turing machine may have several possibilities for its behavior when scanning a specific letter in a specific state. Consequently, specific inputs give rise to several computations. This can be visualized as the machine making guesses or using an arbitrary number of parallel processors. For each input w, the shortest successful computation s(w) (that is, a computation leading to the final state) is considered. The time complexity function of a nondeterministic Turing machine A is now defined by
f_A(n) = max {1, m | s(w) has m steps for w with |w| = n}.
The pair (1, m) is considered because, for some n, possibly no inputs of length n lead to successful computations. The notions of a polynomially bounded nondeterministic Turing machine and the corresponding class of problems, NP, are now defined exactly as in the deterministic case. Problems in P are tractable, whereas the problems in NP have the property that it is tractable to check whether or not a good guess for the solution of the problem is correct. A time bound for a nondeterministic Turing machine can be visualized as a time bound for checking whether or not a good guess for the solution is correct. It is not known whether the factorization of an integer is in P but it certainly is in NP: one just guesses the decomposition and verifies the guess by computing the product.
By definition, P is included in NP but it is a celebrated open problem whether or not P = NP. However, there are many NP-complete problems. A specific problem is NP-complete iff it is in NP and, moreover, it is NP-hard, that is, every problem in NP can be reduced in polynomial time to this specific problem. It follows that P = NP iff an NP-complete problem is in P. In such a case an arbitrary problem in NP can be settled in deterministic polynomial time because it can first be reduced in polynomial time to the specific NP-complete problem which, in turn, can be settled in polynomial time. Clearly, the composition of two polynomials is again a polynomial. It is generally believed that P ≠ NP. Therefore, NP-complete problems are considered to be intractable. Besides NP, the terms “hard” and “complete” are used in a similar manner in connection with other classes of problems as well. A specific problem is shown to be NP-hard by proving that some problem previously known to be NP-hard can be reduced in polynomial time to the specific problem in question. If we want to show that the specific problem is NP-complete, we have to show also that it is in NP. However, we need something to start with: a problem whose NP-completeness can be established by a direct argument, without any reductions. A problem very suitable for this purpose is the satisfiability problem for well-formed formulas of the propositional calculus, abbreviated wffpc’s. Such a formula is obtained from variables by using the operations conjunction ∧, disjunction ∨ and negation ¬ in a well-formed manner. We omit the obvious recursive definition. A truth-value assignment for a wffpc α is a mapping of the set of variables occurring in α into the set {true, false}. The truth-value of α can be computed for any truth-value assignment using the truth-tables of conjunction, disjunction and negation. Two wffpc’s are equivalent iff they assume the same truth-value for all truth-value assignments.
A wffpc α is satisfiable iff it assumes the value “true” for some truth-value assignment. For instance, the wffpc
(x1 ∨ ¬x2 ∨ x3) ∧ (x2 ∨ x3) ∧ (¬x1 ∨ x3) ∧ ¬x3
is not satisfiable. Indeed, the last clause forces the assignment x3 = false. Hence by the third clause, x1 = false, and by the second clause x2 = true. But this assignment contradicts the first clause. The wffpc considered is in conjunctive normal form: a conjunction of disjunctions, where the terms of each disjunction are literals, that is, variables or negated variables. Moreover, it is in 3-conjunctive normal form: each conjunctive clause contains at most three literals. The satisfiability problem for wffpc’s can be shown to be NP-complete by a direct argument. Indeed, the computation of a given Turing machine with a given input being successful is equivalent to a certain wffpc being satisfiable. The details can be found, for instance, in [Sal]. The result remains valid if attention is restricted to wffpc’s in 3-conjunctive normal form. Satisfiability can, of course, be found out by checking through all possible truth-value assignments. This, however, leads to exponential time complexity. Space complexity is defined analogously. If a Turing machine receives an input of length n, then originally n tape squares are occupied. New squares may be needed during the computation; their number indicates the space complexity.
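The unsatisfiability argument for the wffpc above, carried out mechanically as an added example that is not from the book: unit propagation reproduces the clause-by-clause reasoning of the text, exhaustive search over all 2^n assignments confirms it, and beside them stands the one-pass check of a guessed assignment that makes the problem a member of NP. The clause encoding (literal i for x_i, -i for ¬x_i) and the function names are my own.

```python
from itertools import product

# The formula from the text as clauses: literal i is x_i, literal -i is ¬x_i
# (constructed encoding).
FORMULA = [[1, -2, 3], [2, 3], [-1, 3], [-3]]

def satisfied(literal, assignment):
    # assignment maps a variable index to its truth-value.
    value = assignment[abs(literal)]
    return value if literal > 0 else not value

def check_assignment(clauses, assignment):
    """The verifier of a 'good guess': one pass over the clauses, linear in the
    size of the formula, tells whether the assignment satisfies it."""
    return all(any(satisfied(l, assignment) for l in clause) for clause in clauses)

def variables(clauses):
    return sorted({abs(l) for clause in clauses for l in clause})

def brute_force_sat(clauses):
    """Exhaustive search over all 2^n assignments (exponential time).
    Returns a satisfying assignment, or None when there is none."""
    vs = variables(clauses)
    for bits in product((False, True), repeat=len(vs)):
        assignment = dict(zip(vs, bits))
        if check_assignment(clauses, assignment):
            return assignment
    return None

def unit_propagate(clauses):
    """The text's argument, mechanised: a clause with exactly one literal left
    undecided forces that variable. Returns (assignment, trace), or
    (None, trace) when a clause has become false, i.e. the formula is contradictory."""
    assignment, trace = {}, []
    changed = True
    while changed:
        changed = False
        for clause in reversed(clauses):      # from the last clause, as in the text
            if any(abs(l) in assignment and satisfied(l, assignment) for l in clause):
                continue                      # clause already true
            undecided = [l for l in clause if abs(l) not in assignment]
            if not undecided:
                trace.append(f"clause {clause} is false under {assignment}")
                return None, trace
            if len(undecided) == 1:
                l = undecided[0]
                assignment[abs(l)] = l > 0
                trace.append(f"clause {clause} forces x{abs(l)} = {l > 0}")
                changed = True
    return assignment, trace
```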
Polynomial bounds can be considered also now. This gives rise to the classes P-SPACE and NP-SPACE. Clearly, a time class is included in the corresponding space class because one time unit is needed to extend the tape by one square. For space classes one can actually prove that P-SPACE = NP-SPACE. Consequently, we have the following chain of inclusions
$$\mathrm{P} \subseteq \mathrm{NP} \subseteq \text{P-SPACE} = \text{NP-SPACE}.$$
Whether or not the two inclusions are proper is a celebrated open problem.

The class Co-NP consists of problems whose “complement” is in NP. For instance, the complement of the problem “Is a given integer prime?” is “Is a given integer composite?” A formal definition can be given by considering problems as languages. It is clear that if a problem is in P, then also its complement is in P: the same algorithm works for the complement as well. This does not hold true in the nondeterministic case. In fact, the interrelation between NP and Co-NP is unknown but it is generally believed that NP ≠ Co-NP. It is easy to see that if the complement of some NP-complete problem is in NP, then NP = Co-NP.

There are some caveats to be kept in mind when complexity theory is applied to cryptography. When considering polynomial time complexity, the degree of the polynomial is certainly significant. For instance, $n^{1000}$ grows ultimately slower than $n^{\log\log n}$ but is still likely to be a much worse upper bound for the values under consideration. In cryptography average complexity is more important than worst case complexity. Suppose a user chooses at random the encryption key in a public-key cryptosystem. It is then insignificant if computing the corresponding decryption key is intractable in some rarely occurring cases but easy in most cases.

Probabilistic or stochastic algorithms are often used in cryptography. Intuitively this means that random choices are made (that is, a random number generator can be called) at certain stages during the execution of the algorithm. The terminology introduced above is extended to concern the stochastic case. Thus, we may speak of algorithms running in random polynomial time. The corresponding class of problems is often denoted by BPP. It is generally believed that BPP ≠ NP. Stochastic algorithms may fail but the probability of failure can be made arbitrarily small. Usually the time complexity increases when the probability of failure becomes smaller. The failure is due to the stochastic element. The following terminology is used to indicate different types of failure. A Monte Carlo algorithm might give a wrong answer in some cases. A Las Vegas algorithm always gives a correct answer, but it might end up with the answer “I don’t know” in some cases.

We mention finally that, when talking about time complexity, we usually do not consider the computation steps of a Turing machine but rather some other elementary operation such as bit multiplication. The classes P and NP are invariant under such changes but, for instance, the degree and/or coefficients of the polynomial involved may change.
Appendix B. Tutorial in Number Theory
This appendix consists of an overview of the number theoretic results used in this book. Most of the proofs are very easy and can be found, for instance, in [Ko].

An integer a divides another integer b, in symbols $a \mid b$, iff b = da holds for some integer d. Then a is called a divisor or factor of b. Let a be an integer greater than 1. Then a is prime if its only positive divisors are 1 and a, otherwise a is composite. Every integer n > 1 can be represented uniquely, disregarding the order of factors, as a product of primes. The essential fact from the point of view of cryptography is that no tractable factorization algorithms are known although, on the other hand, no nontrivial lower bounds for the time complexity of factorization have been established. No tractable methods are known even for the simple case, where two primes p and q have to be recovered from their product n = pq.

The greatest common divisor of a and b, in symbols g.c.d.(a, b) or briefly (a, b), is the largest integer dividing both a and b. Equivalently, (a, b) is the only positive integer that divides a and b and is divisible by any integer dividing both a and b. Similarly, the least common multiple l.c.m.(a, b) is the smallest positive integer divisible by both a and b.

The greatest common divisor can be computed by Euclid’s algorithm. It consists of the following chain of equations:
$$\begin{aligned}
a &= b q_1 + r_1, & 0 < r_1 < b, \\
b &= r_1 q_2 + r_2, & 0 < r_2 < r_1, \\
r_1 &= r_2 q_3 + r_3, & 0 < r_3 < r_2, \\
&\;\;\vdots \\
r_{k-2} &= r_{k-1} q_k + r_k, & 0 < r_k < r_{k-1}, \\
r_{k-1} &= r_k q_{k+1}.
\end{aligned}$$
Termination is guaranteed because the remainders $r_i$ form a strictly decreasing sequence. It is immediate from the chain that $r_k$ is a common divisor of a and b and, moreover, that any common divisor of a and b divides $r_k$. Hence, $r_k = (a, b)$. We estimate now the time complexity of the algorithm. It is easy to see that the ordinary division algorithm runs in quadratic time. We could still have altogether exponential time complexity if we would have only $r_{i+1} < r_i$. Fortunately, it is easy to see that $r_{i+2} < r_i/2$ holds for all i. This gives the upper bound $2\log_2 a$ for the number of equations. Thus, the time complexity is altogether at most cubic.
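Euclid’s chain of equations above, as an added Python example that is not from the book: it builds the chain, checks the remainder bound $r_{i+2} < r_i/2$ and the $2\log_2 a$ bound on the number of equations, and reads the chain bottom up to obtain x, y with xa + yb = (a, b), from which the inverse $a^{-1} \pmod m$ and the solution of $az \equiv b \pmod m$ follow. The inputs (1071, 462 and so on) are constructed.

```python
from math import log2


def euclid_chain(a, b):
    """Run Euclid's algorithm on a > b > 0 and return the chain of equations
    as tuples (dividend, divisor, quotient, remainder):
        a = b*q1 + r1,  b = r1*q2 + r2,  ...,  r_{k-1} = r_k*q_{k+1} + 0.
    The last tuple always has remainder 0."""
    if not (a > b > 0):
        raise ValueError("need a > b > 0")
    chain = []
    x, y = a, b
    while y != 0:
        q, r = divmod(x, y)
        chain.append((x, y, q, r))
        x, y = y, r
    return chain


def gcd_from_chain(chain):
    """(a, b) = r_k, i.e. the divisor in the final equation (remainder 0)."""
    return chain[-1][1]


def remainders_halve(chain):
    """Check r_{i+2} < r_i / 2 along the sequence b, r_1, ..., r_k.
    This observation is what bounds the number of equations by 2 log2 a."""
    seq = [chain[0][1]] + [r for (_, _, _, r) in chain if r != 0]
    return all(seq[i + 2] < seq[i] / 2 for i in range(len(seq) - 2))


def equation_count_within_bound(a, b):
    """True iff the number of equations does not exceed 2 log2 a."""
    return len(euclid_chain(a, b)) <= 2 * log2(a)


def bezout_from_chain(chain):
    """Read the chain bottom up and return (x, y) with x*a + y*b = (a, b).
    Start from r_k = 1*r_{k-2} - q_k*r_{k-1}.  Going one equation up,
    r_i = r_{i-2} - q_i*r_{i-1} is substituted, so the coefficient pair (x, y)
    on the current (dividend, divisor) becomes (y, x - q*y) on the previous one."""
    eqs = [e for e in chain if e[3] != 0]
    if not eqs:                      # b divides a: (a, b) = b = 0*a + 1*b
        return 0, 1
    x, y = 1, -eqs[-1][2]
    for (_, _, q, _) in reversed(eqs[:-1]):
        x, y = y, x - q * y
    return x, y


def inverse_mod(a, m):
    """a^{-1} (mod m) for 0 < a < m with (a, m) = 1, via the chain for (m, a)."""
    chain = euclid_chain(m, a)
    if gcd_from_chain(chain) != 1:
        raise ValueError("a and m are not relatively prime")
    x, y = bezout_from_chain(chain)  # x*m + y*a = 1
    return y % m


def solve_linear_congruence(a, b, m):
    """The unique z with a*z ≡ b (mod m) when (a, m) = 1: z = a^{-1} * b."""
    return (inverse_mod(a % m, m) * b) % m


if __name__ == "__main__":
    chain = euclid_chain(1071, 462)
    for dividend, divisor, q, r in chain:
        print(f"{dividend} = {divisor}*{q} + {r}")
    x, y = bezout_from_chain(chain)
    print("gcd =", gcd_from_chain(chain), " x, y =", x, y)
    print("17^-1 mod 3120 =", inverse_mod(17, 3120))
```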
Reading the chain of equations bottom up we find, altogether in cubic time, integers x and y such that
$$(a, b) = xa + yb.$$
Two integers a and b are relatively prime iff (a, b) = 1. The Euler phi-function $\varphi(n)$, $n \geq 1$, is defined to be the number of nonnegative integers a < n such that a and n are relatively prime. It follows that $\varphi(1) = 1$ and $\varphi(p^b) = p^b - p^{b-1}$, where p is prime and $b \geq 1$. It is also easy to see that $\varphi(mn) = \varphi(m)\varphi(n)$ if m and n are relatively prime. By these facts $\varphi(n)$ can be computed for any n. The computation will be easy if the factorization of n is known.

We say that a is congruent to b modulo m, written
$$a \equiv b \pmod m,$$
iff m divides the difference a − b. The number m is called the modulus. We assume that $m \geq 2$. For every integer x, exactly one of the integers 0, 1, ..., m − 1 is congruent to x modulo m. This particular integer is called the least nonnegative remainder of x modulo m and denoted by (x, mod m). This notation appears frequently in this book in different contexts. Denote further by [x] the integer part of x, that is, the greatest integer ≤ x. It follows that
$$(x, \bmod m) = x - [x/m] \cdot m.$$
We have seen that if a and m are relatively prime, then there are integers x and y such that 1 = xa + ym. Hence, $xa \equiv 1 \pmod m$. The integer x is referred to as the inverse of a modulo m and denoted by $a^{-1} \pmod m$. The inverse is unique when congruent integers are considered to be equal. The time complexity of finding the inverse is roughly the same as that of Euclid’s algorithm. This implies that also the congruence
$$az \equiv b \pmod m, \quad (a, m) = 1,$$
can be solved in cubic time. To find z, one first computes $a^{-1} \pmod m$ and multiplies it by b.

If (a, m) = 1 then, according to Euler’s Theorem,
$$a^{\varphi(m)} \equiv 1 \pmod m.$$
If m is a prime not dividing a, this result takes the form
$$a^{m-1} \equiv 1 \pmod m$$
and is referred to as Fermat’s Little Theorem.

If the moduli $m_i$ are pairwise relatively prime then the system of congruences
$$x \equiv a_i \pmod{m_i}, \quad i = 1, \ldots, k,$$
possesses a solution x unique up to congruence modulo $M = m_1 \cdots m_k$. This result, known as the Chinese Remainder Theorem, is established in Section 6.3.

A field F is a set together with the operations of addition and multiplication that satisfy the familiar requirements: associativity, commutativity, distributive
law, existence of an additive identity 0 and a multiplicative identity 1, additive inverses and multiplicative inverses for all elements except 0. Both the rational numbers and the real numbers constitute a field. Finite fields F(q) with q elements are important in cryptography. It is easy to see that always $q = p^h$, for some prime p and $h \geq 1$. A convenient way of representing the elements of F(q) is discussed in Section 3.5. Denote by F*(q) the set of nonzero elements of F(q). An element g of F*(q) is termed a generator of F*(q) iff, for every a in F*(q), there is an integer x such that $g^x = a$ holds in F*(q). There are altogether $\varphi(q - 1)$ generators g. The integer x is referred to as the discrete logarithm of a to the base g. It is known that the computing of discrete logarithms (when g, a and q are known) is roughly as hard as factorization.

Consider a prime p > 2. If an element a of F*(p) is a square, that is $a = x^2$ for some x, a is called a quadratic residue modulo p. Otherwise, a is called a quadratic nonresidue modulo p. Clearly, a with $1 \leq a \leq p - 1$ is a quadratic residue modulo p iff the congruence $x^2 \equiv a \pmod p$ has a solution x. Then necessarily also −x is a solution, that is, a has two square roots modulo p. All quadratic residues are found by computing the squares of the elements 1, ..., (p − 1)/2. Thus, there are (p − 1)/2 quadratic residues and nonresidues. The Legendre symbol for an integer a and prime p > 2 is defined by
$$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } p \text{ divides } a, \\ 1 & \text{if } a \text{ is a quadratic residue modulo } p, \\ -1 & \text{if } a \text{ is a quadratic nonresidue modulo } p. \end{cases}$$
Clearly, a can be replaced by any integer congruent to a (mod p) without changing the value of the Legendre symbol. The basic result concerning the Legendre symbol is
The Jacobi symbol is a generalization of the Legendre symbol. Consider an integer a and an odd number n > 2. Further, let $n = p_1^{k_1} \cdots p_r^{k_r}$ be the prime factorization of n. Then the Jacobi symbol is defined to be the product of the corresponding Legendre symbols:
$$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right)^{k_1} \cdots \left(\frac{a}{p_r}\right)^{k_r}.$$
Clearly, also now a can be replaced by a number congruent to a (mod n) without changing the Jacobi symbol. The multiplicative property
$$\left(\frac{ab}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{b}{n}\right)$$
follows easily from (*). Consequently,
(G)(;) =
.
For special values of a the Jacobi symbol can be computed as follows:
Basic reductions in the computation of the Jacobi symbol are carried out using the Law of Quadratic Reciprocity:
where m and n are odd numbers greater than 2. Equivalently,
$$\left(\frac{m}{n}\right) = \left(\frac{n}{m}\right) \quad \text{unless } m \equiv n \equiv 3 \pmod 4, \text{ in which case } \left(\frac{m}{n}\right) = -\left(\frac{n}{m}\right).$$
The value of $\left(\frac{m}{n}\right)$ can now be computed, without factoring any numbers (apart from taking out powers of 2), as follows. If necessary, m is replaced by (m, mod n); a similar replacement is made also at later stages of the procedure. The Law of Quadratic Reciprocity is applied to reduce the “denominator” in $\left(\frac{m}{n}\right)$. As in case of Euclid’s algorithm, the reduction can be small in one reduction step; however, two consecutive steps reduce the denominator at least by a factor of 2. Altogether this yields roughly the same time complexity estimate for computing $\left(\frac{m}{n}\right)$ as we have for Euclid’s algorithm. An example of a computation is given in Section 6.5.

If p is prime, the described method constitutes also a fast algorithm for determining whether a is a quadratic residue or nonresidue modulo p. No such fast algorithm is known if, instead of a prime p, we are dealing with an arbitrary n.

Let us consider in more detail the cryptographically important case, where n is the product of two odd primes, n = pq. As we noticed above, half of the numbers 1, ..., p − 1 are quadratic residues modulo p, the other half being nonresidues. Of course the analogous statement holds for q. On the other hand, a number a is a quadratic residue modulo n, that is $x^2 \equiv a \pmod n$ holds for some x, iff a is a quadratic residue both modulo p and modulo q. Altogether this means that exactly half of the numbers a with 0 < a < n and (a, n) = 1 satisfy $\left(\frac{a}{n}\right) = +1$, and $\left(\frac{a}{n}\right) = -1$ holds for the other half. Moreover, half of the numbers a satisfying $\left(\frac{a}{n}\right) = +1$ are quadratic residues modulo n, namely, those for which
$$\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = +1.$$
The other half, namely, those for which
$$\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = -1,$$
are nonresidues. There seems to be no way of finding out which of the two cases occurs, unless one is able to factor n.

Assume that we know that a, 0 < a < n, is a quadratic residue modulo n. Hence, for some x, $x^2 \equiv a \pmod n$. Finding x, that is, extracting square roots modulo n is a very important task in cryptography. Let us again consider the case n = pq. By our assumption, a is a quadratic residue both modulo p and modulo q. This implies the existence of numbers y and z such that
$$(\pm y)^2 \equiv a \pmod p \quad \text{and} \quad (\pm z)^2 \equiv a \pmod q.$$
Moreover, y and z can be found in polynomial time (where the degree of the polynomial is at most 4), provided that p and q are known. The details of such an algorithm are given, for instance, in [Ko]. It is assumed in the algorithm that a nonresidue modulo p is known, as well as a nonresidue modulo q. However, such nonresidues can be found fast by a stochastic algorithm. From the congruences
$$x \equiv \pm y \pmod p \quad \text{and} \quad x \equiv \pm z \pmod q$$
we now get, by the Chinese Remainder Theorem, four square roots x of a modulo n. The square roots can be expressed as ±u and ±w, where $u \not\equiv \pm w \pmod n$. Such u and w are referred to as different square roots. The following two facts are important in cryptography.

The knowledge of two different square roots enables one to factor n. In fact
$$u^2 - w^2 = (u + w)(u - w) \equiv 0 \pmod n.$$
This means that n divides (u + w)(u − w). However, by the choice of u and w, n divides neither u + w nor u − w. This implies that the greatest common divisor of u + w and n (obtained quickly by Euclid’s algorithm) is either p or q.

The second important fact is that, whenever $p \equiv q \equiv 3 \pmod 4$, then two different square roots u and w of the same number a modulo n possess different Jacobi symbols:
$$\left(\frac{u}{n}\right) = -\left(\frac{w}{n}\right).$$
This follows because, as seen above, either
$$u \equiv w \pmod p \quad \text{and} \quad u \equiv -w \pmod q,$$
or else
$$u \equiv -w \pmod p \quad \text{and} \quad u \equiv w \pmod q,$$
and by the assumption concerning p and q
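The Jacobi-symbol reduction, the four square roots modulo n = pq obtained through the Chinese Remainder Theorem, the factorization of n from two different roots and the opposite Jacobi symbols of such roots, as an added Python example that is not from the book. It assumes $p \equiv q \equiv 3 \pmod 4$ throughout, so that a root modulo a prime can be taken as $a^{(p+1)/4}$; this shortcut replaces the general [Ko] algorithm the text refers to. The primes p = 47, q = 59 are the book’s recurring choice, a = 144 is a constructed input, and the (2/n) rule used for powers of 2 is the standard one.

```python
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for a positive odd n, by the reduction procedure
    described above: reduce a modulo n, take out powers of 2, and apply the
    Law of Quadratic Reciprocity to swap "numerator" and "denominator".
    Nothing is factored.  For a prime n this is the Legendre symbol."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        # (2/n) = -1 exactly when n ≡ ±3 (mod 8); pull out every factor 2.
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        # Reciprocity: (a/n) = (n/a) unless a ≡ n ≡ 3 (mod 4).
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # n > 1 here means (a, n) > 1


def sqrt_mod_prime(a, p):
    """A square root of the quadratic residue a modulo a prime p ≡ 3 (mod 4).
    For such primes a^((p+1)/4) is a root (assumption of this example)."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p ≡ 3 (mod 4)")
    y = pow(a, (p + 1) // 4, p)
    if (y * y - a) % p != 0:
        raise ValueError("a is not a quadratic residue modulo p")
    return y


def square_roots_mod_pq(a, p, q):
    """All four square roots ±u, ±w of a modulo n = pq, combined from the roots
    ±y (mod p) and ±z (mod q) by the Chinese Remainder Theorem."""
    n = p * q
    y, z = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
    inv_q_mod_p = pow(q, -1, p)      # inverses come from Euclid's algorithm
    inv_p_mod_q = pow(p, -1, q)

    def crt(s, t):                   # the x with x ≡ s (mod p), x ≡ t (mod q)
        return (s * q * inv_q_mod_p + t * p * inv_p_mod_q) % n

    return sorted({crt(s, t) for s in (y, p - y) for t in (z, q - z)})


def different_roots(roots, n):
    """Pick u, w among the four roots with u ≢ ±w (mod n)."""
    u = roots[0]
    w = next(r for r in roots if r != u and r != n - u)
    return u, w


def factor_from_roots(u, w, n):
    """Two different square roots of one number reveal a factor: n divides
    (u+w)(u-w) but neither factor, so gcd(u+w, n) is p or q."""
    return gcd(u + w, n)


def residue_counts(p, q):
    """Count the units a modulo n = pq, those with (a/n) = +1, and those that
    are genuine quadratic residues ((a/p) = (a/q) = +1): the 'half of half' fact."""
    n = p * q
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    plus_one = [a for a in units if jacobi(a, n) == 1]
    residues = [a for a in plus_one if jacobi(a, p) == 1 and jacobi(a, q) == 1]
    return len(units), len(plus_one), len(residues)


if __name__ == "__main__":
    p, q = 47, 59                    # the book's often used basic choice
    n = p * q
    roots = square_roots_mod_pq(144, p, q)
    u, w = different_roots(roots, n)
    print("square roots of 144 mod", n, ":", roots)
    print("gcd(u + w, n) =", factor_from_roots(u, w, n))
    print("Jacobi symbols of u and w:", jacobi(u, n), jacobi(w, n))
    print("units, (a/n) = +1, residues:", residue_counts(p, q))
```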
Problems
1. Encrypt the plaintext DONOTGOTOSAUNASOONAFTEREATING using KEYWORD-CAESAR with the keyword SUPERDOG and number 9.
2. The plaintext SAUNA is encrypted as TAKE BACK VAT OR BONDS. Describe the cryptosystem used.
3. The plaintext SAUNAANDLIFE is encrypted as RMEMHCZZTCEZTZKKDA. Describe the cryptosystem used.
4. Encrypt according to Hill’s cryptosystem (see Example 1.2) the plaintext PAYMOREMONEY when the matrix used is
5. The matrix is now
Encrypt STOPPAYMENTX.
6. Establish a necessary and sufficient condition for a matrix M to be invertible when arithmetic is carried out modulo 26. (This is required in Hill’s cryptosystem.) Find the inverses of a few 2-dimensional matrices.
7. Hill’s cryptosystem with a 2-dimensional matrix is used. The most frequent digrams in the cryptotext are RH and NI, whereas they are TH and HE in the plaintext language. What matrix can be computed from this information?
8. To encrypt one uses first the matrix [matrix not legible in the scan] and to the resulting text the matrix [matrix not legible in the scan]. Construct a single matrix with the same effect.
9. As Problem 8 but now the matrices are (in this order) [matrix not legible in the scan] and
$$\begin{pmatrix} 1 & 1 & 0 \\ 1 & 0 & 1 \\ 0 & 1 & 1 \end{pmatrix}.$$
10. In general, if the original matrices are m- and n-dimensional, how big a matrix suffices for the combined effect?
11. A cryptosystem is closed under composition iff, for every two encryption keys, there is a single encryption key having the effect of the two keys applied consecutively. Closure under composition means that the consecutive application of two keys does not add security. The preceding problems show that Hill’s cryptosystem is closed under composition. Study this property with respect to some cryptosystems discussed in this book.
12. In simple cryptosystems every encryption key can be represented as a composition of a few generator keys. In CAESAR such a generator is $E_1$, the key mapping every letter to the next one. The affine system maps a letter x, $0 \leq x \leq 25$, into the letter (ax + b, mod 26), where (a, 26) = 1. Show that no single key can be a generator for the affine system, whereas two keys suffice.
13. Decrypt the following cryptotext given to the participants of EUROCRYPT88 in Davos:
EXVITL YEKDAV 01 E U S M S I XMTA
AMSYMX OSINAL GPLKSM I DAVOS
EAKSSI PVITHE ADAVOS
KIRZMS RRJMLO LULRVK
14. Which city with four letters is in encrypted form BHFLYPBT when the following encryption method is used. First an arbitrary garbage letter is added after each plaintext letter. (Thus, in the resulting word the 2nd, 4th, 6th and 8th letters are insignificant.) Then Hill’s system with a 2-dimensional matrix encrypting the word AIDS into the word AIDS is used.
15. The plaintext alphabet is {A, B, C, D}. The monoalphabetic system is used, where the individual letters are encrypted as follows: A → BB, B → AAB, C → BAB, D → A. For instance, the word ABDA is encrypted as BBAABABB. Show that decryption is always unique. Show that it is not unique if the individual letters are encrypted: A → AB, B → BA, C → A, D → C.
16. The complement $\bar{x}$ of a bit x is defined in the natural way: $\bar{0} = 1$ and $\bar{1} = 0$. Prove that if in DES every bit in the plaintext and in the key is replaced by its complement, then also in the cryptotext every bit will change to its complement.
17. Any word over the alphabet {A, B} can appear as plaintext. The first monoalphabetic encryption key is defined by A → CCD, B → C and the second by A → C, B → DCC. Which words over {A, B} are encrypted as the same word over {C, D} according to both keys?
18. The most frequent trigrams in the cryptotext are LME, WRI and ZYC, whereas they are THE, AND and THA in the plaintext language. What is the matrix used in Hill’s cryptosystem?
19. Each letter x, $0 \leq x \leq 25$, is encrypted as (f(x), mod 26), where f(x) is a quadratic polynomial. Compute the polynomial when the three most frequent letters in the cryptotext are Z, V, B (in this order), whereas they are E, T, N in the plaintext language.
20. Consider the very weak variant of ONE-TIME PAD discussed at the end of Section 1.3. However, now the basic book is this book. For instance, the key 12345 means the fifth letter of the fourth word in the third paragraph of Section 1.2. Encrypt the plaintext RACCOONDOGANDSAUNA using the key 43333.
21. Both the keyword and plaintext can be read in different ways from the Vigenère and Beaufort squares. Write arithmetical expressions for some of the mappings obtained.
22. A simple cryptosystem can be based on permutations as follows. The plaintext is divided into blocks of n characters each. A fixed permutation on the numbers {1, ..., n} is applied to each block. For instance, SAUNA becomes UNSAA if n = 5 and the permutation interchanges the first and third as well as the second and fourth letters but leaves the fifth letter unchanged. Show that the same effect can always be reached by a suitable Hill’s cryptosystem.
23. A cryptosystem induces a language theoretic mapping from the set of plaintext words to the set of cryptotext words. In general, only little is known about such mappings but, for instance, the mapping induced by CAESAR is easy to characterize. Consider various cryptosystems and answer the question: is the induced mapping length preserving?
24. Give necessary and/or sufficient conditions for a mapping to be realizable by a PLAYFAIR square. The results enable you to construct “meaningful translations” such as the one presented in the text.
25. Explain the differences (apart from different alphabet sizes) between mappings realizable by a PLAYFAIR square and a 3 × 9 PLAYFAIR rectangle.
26. Same as Problem 24 but now for the Jefferson wheel. Observe especially the importance of the distance between the plaintext and cryptotext rows.
27. What is the period obtained from the lug matrix and step figure presented in the text?
28. Construct a lug matrix and a step figure giving rise to the period 17 (resp. 1921).
29. Construct a lug matrix and a step figure giving rise to the maximal period. ([BeP] may be consulted.)
30. Show that the 10-tuple A' studied in Section 2.1 is injective, that is, there is no α such that the knapsack problem (A', α) would have two solutions.
31. Let $A = (a_1, \ldots, a_n)$ be a knapsack vector, that is, the $a_i$’s are distinct positive integers. A positive integer α is represented by A iff α can be expressed as a sum of the $a_i$’s, where no $a_i$ appears twice. If A is injective, then clearly $2^n - 1$ integers are represented by A. This is the greatest possible number. What is the least possible number in terms of n?
32. Given a knapsack problem (A, k), you have to find all solutions. Show that this problem is not even in NP.
33. Why is 2047 a bad choice for the modulus in RSA, apart from its being too small?
34. Show that encryption and decryption exponents must coincide if 35 is the modulus in RSA.
35. Some plaintext blocks remain unchanged when encrypted according to RSA. Show that their number is
$$(1 + (e - 1, p - 1))(1 + (e - 1, q - 1)).$$
36. Construct examples of Shamir’s algorithm, where at least two disjoint intervals for u/m are found. Can you say something general about the number of disjoint intervals? Is it possible that an interval reduces to a point?
37. Prove that the vector (i, i − 1, i − 2, ..., i − j), i − j ≥ 1, is super-reachable exactly in case both j = 2 and i ≥ 4.
38. The vector (7, 3, 2) is ((7, 15, 38), 73, 84)-super-reachable. Apply the technique of Lemma 3.5 to get a small enough multiplier.
39. Prove that every injective $(b_1, b_2, b_3)$ is permutation-super-reachable.
40. Describe an algorithm for finding the smallest modulus m such that a given super-reachable vector is (A, t, m)-super-reachable.
41. Consider all knapsack vectors whose components are ≤ 4. Prove that exactly the following ones are super-reachable: (2, 4, 3), (4, 3, 2), (1, 2, 4), (2, 4, 1), (4, 1, 2).
42. Prove that (5, 3, 4) and (5, 4, 3) are the only super-reachable ones among vectors with components 3, 4, 5.
43. Represent the elements of F(27) in terms of the root of a polynomial irreducible over F(3). Find a generator and compute the table of logarithms.
44. Study the cryptanalysis of the cryptosystem based on dense knapsacks, when some of the trapdoor items are known. (Here [Cho] should be consulted.)
45. Consider the first illustration (n = 55) in Example 4.1. Send a signed message to a user whose public encryption exponent is 13. (You have e = 7, d = 23.)
46. Show that the number 3215031751 is composite and a strong pseudoprime to each of the bases 2, 3, 5, 7.
47. Consider the general method for key exchange presented at the very end of Chapter 4 in case of some specific function f. Can you improve the ratio $m/m^2$ between the work done by the legal user and the work done by the cryptanalyst?
48. Assume that you have an algorithm for computing one of SQUAREFREENESS(n) (see Section 2.2) and $\varphi(n)$. Can you reduce this to an algorithm for computing the other?
49. The initial value is 3 in a functional cryptosystem, the functions being $f_0(x) = 3x$ and $f_1(x) = 3x + 1$. Thus, 011 is encrypted as
$$3 f_0 f_1 f_1 = 85.$$
What is a very simple way to decrypt a cryptotext written as a decimal number? Which numbers can appear as cryptotexts?
50. Show that the knapsack vector (2106, 880, 1320, 974, 2388, 1617, 1568, 2523, 48, 897) is super-reachable.
51. Give an example of a knapsack problem (A(i), α(i)) having exactly i solutions, i = 1, 2, ... .
52. Analogously to Example 3.5, let the publicized items be A = (1, 2, 3, 0, 0, 4) (A is viewed as a column vector) and m = 7. The secret matrix is H = [matrix not legible in the scan]. What is the signature for the plaintext 3 (i) by the direct method, (ii) using the randomizing vector (1, 0, 0, 0, 1, 1)?
53. It is clear that a dual theory can be based on decreasing and super-decreasing vectors, defined in the same way as increasing and super-increasing vectors. In particular, the notion of super-d-reachability refers to super-decreasing vectors. Give examples of injective vectors that are neither super-reachable nor super-d-reachable.
54. Construct a protocol for throwing a dice by telephone. Be not satisfied with the following obvious solution. Flip a coin three times. If the outcome is heads-heads-heads or tails-tails-tails, repeat the procedure until some other outcome is obtained.
55. Assume that the primes p and q in RSA have 100 digits, the first digit being ≠ 0. Estimate the number of possibilities for n.
56. YJCVKUVJGJGCTVQHUCWPC? UVQXG.
57. Prove that the remainders in Euclid’s algorithm satisfy the inequality $r_{j+2} < r_j/2$, for all j. Construct a variant of the algorithm, by allowing negative remainders, where a slightly better convergence $r_{j+2} \leq r_{j+1}/2$ is obtained.
58. Decrypt
KOKOOKOKOONKOKOKOKKOKOKOKOKKOKOKOKOKOKKO and
Both are actually statements or conversations in a well-known natural language. Certainly the plaintext language is of some importance!
59. Consider the plaintext of length 47, discussed in connection with the C-36 encryption. If YES is added to the end of the plaintext, how does the cryptotext continue?
60. Assume that (a, m) = 1. Show that $a^{\varphi(m)/2} \equiv 1 \pmod m$, provided m is not one of the numbers 1, 2, 4, $p^k$ and $2p^k$, where p is an odd prime and $k \geq 1$.
61. Prove that $(a^m - 1, a^n - 1) = a^{(m, n)} - 1$. It is assumed that a > 1.
62. There are always in RSA encryption exponents such that every plaintext is encrypted as itself. More explicitly, prove the following assertion. For every choice of p and q, e can be chosen in such a way that $w^e \equiv w \pmod n$ holds for all w. (The trivial choices e = 1 and e = φ(n) + 1 are not allowed.)
63. The following encryption method is classical and was illustrated in Fig. 2.4. A large prime p is known to all users. Each user chooses and keeps secret encryption and decryption exponents e and d such that $ed \equiv 1 \pmod{p - 1}$. Thus, A encrypts a plaintext w by
$$E_A(w) = (w^{e_A}, \bmod p).$$
First A sends the cryptotext $E_A(w) = c$ to B. B responds by sending $E_B(c) = c_1$ to A. Finally, A sends $D_A(c_1)$ to B. Show that B is able to decrypt and discuss the security issues involved.
64. Give necessary and sufficient conditions for p and t to the effect that every element ≠ 0, 1 in the field $F(p^t)$ is (i) a generator, (ii) the square of a generator.
65. Assume that the encryption exponent e in RSA is small. Assume that an oracle always tells you E(x + r), given E(x) and r. (Clearly, no oracle is needed to tell E(xr), given E(x) and r.) How are you able to decrypt?
66. Factor n = 4386607 given φ(n) = 4382136.
67. Consider the modification of RSA, where the modulus n is the product of three large primes p, q and r. Also now $ed \equiv 1 \pmod{\varphi(n)}$ holds for encryption and decryption exponents. Discuss the advantages and disadvantages of the modification in comparison with the ordinary RSA.
68. Let f(x) and g(x) be one-way functions. Give a heuristic argument to show that none of the functions f(x) + g(x), f(x) − g(x) and f(g(x)) is necessarily one-way.
69. Show that the following problem is in the intersection of NP and Co-NP for every public-key cryptosystem. Given a cryptotext, you have to decide whether or not SUVI appears as a subword in the corresponding plaintext.
70. Consider the last illustration in Example 4.2, where n = 8137. Compute the table for r(i), ANS(i) and t(i) when x = 20. Read the remarks at the end of the example.
71. In DES each S-box translates a 6-bit input into a 4-bit output. Prove that changing one input bit always results in changing at least two output bits.
72. When you fix two input bits, each S-box defines a mapping of 4-bit sequences into 4-bit sequences. Which bits have to be fixed in order to get a bijection in all eight cases? Give an example of a mapping that is not a bijection.
73. Prove that there are infinitely many pairs of primes (p, q) such that $p \equiv q \equiv 3 \pmod 4$ but $p \not\equiv q \pmod 8$. Use Dirichlet’s Theorem to the effect that there are infinitely many primes in the sequence ia + b, i = 1, 2, ..., provided a and b are positive integers with (a, b) = 1.
74. Consider the knapsack vector $A = (a_1, \ldots, a_n)$, where $a_i = P/p_i$, i = 1, ..., n, and the $p_i$ are distinct primes whose product is P. Give a simple algorithm for solving the knapsack problem (A, α).
75. Design a cryptosystem of Williams for the basic choice p = 47, q = 59 often discussed in the text. Encrypt 1991. See Section 5.1.
76. Assume that in RSA we have p = 127 and q = 131. How many messages are encrypted into themselves by both of the encryption exponents 29 and 31?
77. Consider the Diffie-Hellman key exchange system (Section 4.6) with q = 4079 and g = 1709 and secret numbers $k_1 = 2344$ and $k_2 = 3420$. What numbers are publicized and what is the common key shared by the users $A_1$ and $A_2$?
78. Find all square roots of 64 modulo 105.
79. In the El Gamal scheme discussed at the end of Section 4.6 a prime q and a generator g of F*(q) are publicized. What is the effect on encryption and decryption if, in fact, g is not a generator?
80. The hexadecimal representation of 4-bit sequences 0000, 0001, ..., 1111 uses the characters 0, 1, 2, ..., 9, A, B, C, D, E, F, in the order indicated. Assume that the DES key is 0123456789ABCDEF. Encrypt the plaintexts $5^{16}$ and $6^{16}$.
81. Study the cryptographic significance of the initial permutation in DES.
82. List all quadratic residues modulo 29 and those modulo 31. Prove that, for an odd prime p, −3 is a quadratic residue modulo p iff $p \equiv 1 \pmod 3$.
83. Let n be as in RSA. Prove that the problem of listing all quadratic residues modulo n is not even in NP.
84. Consider the identification scheme as in Example 6.5 but now n = 2491. P’s secret identification consists of the triple $c_1 = 143$, $c_2 = 32$, $c_3 = 2261$. Describe one round of the protocol, where the further choices r = 61 and S = {1, 3} are made.
85. Prove Lemma 5.1.
86. Consider the system based on iterated morphisms, where the underlying morphisms are $h_0$: a → ac, b → ba, c → ca, and $h_1$: a → aa, b → bc, c → cb, the initial word being c. Show that the legal receiver can decrypt as follows. First the interpretation morphism is applied to the cryptotext to get a word w over the alphabet {a, b, c}. A word u is constructed such that the i-th letter of u is the (2i + 1)-th letter of w. The word u is read from right to left, and a and b are replaced by 0 and 1, respectively. (u will contain no c’s.)
87. Show that finding a trapdoor pair for the cryptosystem based on iterated morphisms is an NP-complete problem. Consult [Kar3].
88. Give reasons why decoding is essentially simpler for Goppa codes than for linear codes.
89. Consider the protocol for playing poker by phone, discussed at the end of Section 6.2. What are the possibilities for cheating if some of the chosen numbers $p_i$ and $q_i$ are actually not primes? (See the discussion about flipping a coin by telephone.)
90. Devise a method for sharing a secret, based on some other idea than the Chinese Remainder Theorem.
91. Devise a voting protocol as in Section 6.4 for the case, where there are two superpowers and five ordinary powers. 92. A possesses 8 secrets and wants to transfer exactly one of them to B in such a way that only B knows which of the secrets was transferred. However, B cannot choose which secret he wants. Devise a protocol. 93. Give an explicit numerical example of the 7-step protocol described after Example 6.3. Discuss the possibilities of active cheating in your protocol. 94. Describe explicitly a protocol discussed in Section 6.6 for thirteen voters and two voting Strategies (i) with two agencies C and L, (ii) with only one agency L.
95. Devise a protocol for proving in a zero-knowledge manner that you know a solution to a given knapsack problem. Preferably use the idea of lockable boxes. 96. Consider the travelling salesperson problem in the form that, given a map indicating all the distances and a number k, you have to find a route through all cities on the map with length 2 k. Devise a zero-knowledge protocol for convincing a verifier that you know a solution. 97. Consider some axiom system for the propositional calculus and a simple theorem whose proof consists of, say, five steps. Devise a zero-knowledge proof for the theorem. Discuss whether or not your ideas carry over to any proof in any formal system. 98. Use RSA to obtain a method for constructing lockable boxes. 99. Consider the wffpc (xl v xz v x3) A (xz v x3) A ( x, v x3) A x3. Explain why you get caught if you try to prove in a zero-knowledge manner that you know a satisfiability assignment. 100. Give a numerical example of the second protocol presented in Section 6.9 in its full form where A is a matrix. Consult [ShS] for generalizations of the protocol and study the security issues involved.
Historical and Bibliographical Remarks
Since some ideas in cryptography are several thousands of years old, it does not make sense to try to trace the original sources for matters discussed in Chapter 1. [Ka] is an excellent over-all reference. [Ga] discusses cryptanalytic methods before the age of computers. The cryptosystem of Example 1.2 was introduced in [Hil]. [Kon] and [BeP] discuss various cryptanalytic methods for classical systems. [Zim] could be mentioned as an example of the numerous books on cryptography before the era of public keys. Public keys were introduced in [DH]. The basic knapsack system discussed in Chapter 2 is from [MeH], and complexity issues from [Br1] and [Kar1]. Poker by telephone, coin flipping by telephone and oblivious transfer are due to [ShRA], [Bl1] and [Rab2], respectively. The theory presented in Sections 3.2 and 3.3 is from [Sh2], [Sa3] and [Sa4]. See also [Adl]. The cryptosystems in Section 3.4 are (in this order) from [EvY], [Sh3], [Sh1] and due to Graham and Shamir. [Cho] is the basic reference for dense knapsacks. The theory presented in Chapter 4 was initiated in [RSA]. [Rab1] is an early contribution. See [Ko] for the original references for Section 4.3. Section 4.4 uses ideas from [Mil] and [Del]. Theorem 4.3 is from [GMT]. See also [SchA]. [Odl] is a comprehensive treatment about discrete logarithm, and [Ang] a good summary on the complexity of number theoretic problems. The material in Section 5.1 is from [Wil] and that in Section 5.2 from [Sa2], [SaY], [Kar2] and [Kar3]. The cryptosystems based on group theory and hiding regular languages are due to [WaM] and [Nie], respectively. [SiS] is also a cryptosystem based on language theory, and the system based on sequential machines is due to [Ren]. The cryptosystem of Section 5.4 was introduced in [McE]. The signature scheme at the end of Section 6.1 is due to [Sh4], and the material in Section 6.2 to [Bl1] and [GM]. The method of sharing a secret given in Section 6.3 was presented in [Mig].
The age protocol of Section 6.4 is from [Yao]. The notion of oblivious transfer is due to [Rab2]. Section 6.5 presents a simple protocol for the secret selling of secrets; more sophisticated techniques are contained in [BCR]. Section 6.6 follows [BuP] and [NUS]. The subject matter has been treated in numerous other papers; for instance, [Ben] is a comprehensive treatment with somewhat different aims. [GMR] and [GMW] are basic papers concerning zero-knowledge proofs. The first protocol in Section 6.7 is from [Dam]. Ideas from [Bl2] are used in the proofs of Theorems 6.2 and 6.3. A protocol for the satisfiability problem different from the one of Theorem 6.5 is given in [BCC], where the gates of the corresponding logical circuit are considered. [DMP] and [BeG] deal with non-interactive zero-knowledge proof systems. The two proof methods presented in Section 6.9 are from [FFS] (see also [FiS]) and [Sh5]. Cheating schemes are discussed in [DGB]. The information theoretic viewpoint, [Shan], is not discussed in this book. The following list of references contains only works referred to in this book. Further bibliographical details are contained, for instance, in [Fl], [SP], [Br2], [Kra], [Til] and [Wel]. Cryptologia and Journal of Cryptology are periodicals devoted to cryptography. Also other journals have papers and entire issues (for instance, the May 1988 issue of Proceedings of IEEE) about cryptography. CRYPTO and EUROCRYPT are annual conferences whose proceedings are usually published in Springer Lecture Notes in Computer Science. Also the standard annual conferences on theoretical computer science (STOC, FOCS, ICALP, etc.) contain many papers dealing with cryptography.
References

L. Adleman: On breaking the iterated Merkle-Hellman public key cryptosystem. Proceedings 15th ACM Symposium on the Theory of Computing, 1983, pp. 402-412
D. Angluin: Lecture Notes on the Complexity of Some Problems in Number Theory. Yale University, Computer Science Department, Technical Report 243, 1982
H. Beker and F. Piper: Cipher systems. Northwood Books, London 1982
M. Bellare and S. Goldwasser: New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. CRYPTO-89 Abstracts, University of California, Santa Barbara 1989, pp. 189-204
J.D.C. Benaloh: Verifiable secret-ballot elections. Yale University, Computer Science Department, Technical Report 561, 1987
J.D.C. Benaloh and D. Tuinstra: Receipt-free secret-ballot elections. Proceedings STOC-94 (1994) 544-553
M. Blum: Coin flipping by telephone. A protocol for solving impossible problems. SIGACT News, 1981, pp. 23-27
M. Blum: How to prove a theorem so no one else can claim it. Proceedings International Congress of Mathematicians, 1987, pp. 1444-1451
B. den Boer: More efficient match-making and satisfiability; the five card trick. Proceedings EUROCRYPT-89, Lecture Notes in Computer Science, vol. 434. Springer, Berlin 1990, pp. 208-217
R.C. Bose and S. Chowla: Theorems in the additive theory of numbers. Comment. Math. Helvet. 37 (1962) 141-147
G. Brassard: A note on the complexity of cryptography. IEEE Transactions on Information Theory IT-25 (1979) 232-233
G. Brassard: Modern cryptology. Lecture Notes in Computer Science, vol. 325. Springer, Berlin 1988
G. Brassard, D. Chaum and C. Crepeau: An introduction to minimum disclosure. Amsterdam CWI Quarterly 1 (1988) 3-17
G. Brassard, C. Crepeau and J.-M. Robert: All-or-nothing disclosure of secrets. Lecture Notes in Computer Science, vol. 263. Springer, Berlin 1987, pp. 234-238
H. Burk and A. Pfitzmann: Digital payment systems enabling security and unobservability. Computers and Security 9 (1989) 399-416
B.-Z. Chor: Two issues in public key cryptography. MIT Press, Cambridge, Mass. 1986
D. Coppersmith: Fast evaluation of logarithms in fields of characteristic two. IEEE Transactions on Information Theory IT-30 (1984) 587-594
C. Crepeau and J. Kilian: Discreet solitary games. Proceedings CRYPTO-93, Lecture Notes in Computer Science, vol. 773. Springer, Berlin 1994, pp. 319-330
I.B. Damgaard: On the existence of bit commitment schemes and zero-knowledge proofs. CRYPTO-89 Abstracts, University of California, Santa Barbara 1989, pp. 15-23
J.M. Delaurentis: A further weakness in the common modulus protocol for the RSA cryptoalgorithm. Cryptologia 8 (1984) 253-259
D.E. Denning: Cryptography and data security. Addison-Wesley, Reading, Mass. 1982
A. De Santis, S. Micali and G. Persiano: Non-interactive zero-knowledge proof systems. Lecture Notes in Computer Science, vol. 293. Springer, Berlin 1987, pp. 52-72
Y. Desmedt, C. Goutier and S. Bengio: Special uses and abuses of the Fiat-Shamir passport protocol. Lecture Notes in Computer Science, vol. 293. Springer, Berlin 1987, pp. 21-39
W. Diffie and M. Hellman: New directions in cryptography. IEEE Transactions on Information Theory IT-22 (1976) 644-654
T. El Gamal: A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory IT-31 (1985) 469-473
S. Even and Y. Yacobi: Cryptosystems which are NP-hard to break. Technion, Computer Science Department, Technical Report 1979
U. Feige, A. Fiat and A. Shamir: Zero knowledge proofs of identity. Journal of Cryptology 1 (1988) 77-94
A. Fiat and A. Shamir: How to prove yourself: practical solutions to identification and signature problems. Lecture Notes in Computer Science, vol. 263. Springer, Berlin 1987, pp. 186-194
D. Floyd: Annotated bibliography in conventional and public key cryptography. Cryptologia 7 (1983) 12-24
H.F. Gaines: Cryptoanalysis. Dover Publications, New York 1939
O. Goldreich, S. Micali and A. Wigderson: How to prove all NP-statements in zero-knowledge, and a methodology of cryptographic protocol design. Lecture Notes in Computer Science, vol. 263. Springer, Berlin 1987, pp. 171-185
S. Goldwasser and S. Micali: Probabilistic encryption. Journal of Computer and Systems Sciences 28 (1984) 270-299
S. Goldwasser, S. Micali and C. Rackoff: The knowledge complexity of interactive proof systems. Proceedings 17th ACM Symposium on the Theory of Computing, 1985, pp. 291-304
S. Goldwasser, S. Micali and P. Tong: Why and how to establish a private code on a public network. Proceedings 23rd FOCS Symposium, 1982, pp. 134-144
L.S. Hill: Cryptography in an algebraic alphabet. American Mathematical Monthly 36 (1929) 306-312
D. Kahn: The codebreakers: the story of secret writing. Macmillan, New York 1967
J. Kari: A cryptosystem based on propositional logic. Lecture Notes in Computer Science, vol. 381. Springer, Berlin 1989, pp. 210-219
J. Kari: A cryptanalytic observation concerning systems based on language theory. Discrete Applied Mathematics 21 (1988) 265-268
J. Kari: Observations concerning a public-key cryptosystem based on iterated morphisms. Theoretical Computer Science 66 (1989) 45-53
N. Koblitz: A course in number theory and cryptography. Springer, Berlin 1987
A. Konheim: Cryptography: a primer. Wiley and Sons, New York 1982
E. Kranakis: Primality and cryptography. Wiley-Teubner, Chichester New York Stuttgart 1986
R.J. McEliece: A public-key cryptosystem based on algebraic coding theory. Deep Space Network Progress Report. Jet Propulsion Labs, Pasadena 42-44 (1978) 114-116
R. Merkle and M. Hellman: Hiding information and signatures in trapdoor knapsacks. IEEE Transactions on Information Theory IT-24 (1978) 525-530
M. Mignotte: How to share a secret. Lecture Notes in Computer Science, vol. 149. Springer, Berlin 1983, pp. 371-375
G.L. Miller: Riemann's hypothesis and tests for primality. Journal of Computer and System Sciences 13 (1976) 300-317
V. Niemi: Hiding regular languages: a public-key cryptosystem. Manuscript 1989
V. Niemi and A. Renvall: Efficient voting with no selling of votes. Manuscript 1995, submitted for publication
V. Niemi and A. Renvall: Secure multiparty computations without computers. Theoretical Computer Science, to appear
H. Nurmi and A. Salomaa: On the cryptography of secret ballot. Behavioral Science 36 (1991) 34-40
H. Nurmi, A. Salomaa and L. Santean: Secret-ballot elections in computer networks. Computers and Security 10 (1991) 553-560
A.M. Odlyzko: Discrete logarithms in finite fields and their cryptographic significance. Lecture Notes in Computer Science, vol. 209. Springer, Berlin 1985, pp. 224-314
S.C. Pohlig and M. Hellman: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transactions on Information Theory IT-24 (1978) 106-110
C. Park, K. Itoh and K. Kurosawa: Efficient anonymous channel and all/nothing election scheme. Proceedings EUROCRYPT-93, Lecture Notes in Computer Science, vol. 765. Springer, Berlin 1994, pp. 248-259
M.O. Rabin: Digitalized signatures and public key functions as intractable as factorization. MIT, Laboratory for Computer Science, Technical Report 212, 1979
M.O. Rabin: How to exchange secrets by oblivious transfer. Aiken Computation Laboratory, Harvard University, Technical Report TR-81, 1981
Tao Renji: Some results on the structure of feedforward inverses. Scientia Sinica, Ser. A 27 (1984) 157-162
A. Renvall: Cryptographic protocols and techniques for communication. Dissertation, Univ. of Turku 1994
R. Rivest, A. Shamir and L. Adleman: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21 (1978) 120-126
G. Rozenberg and A. Salomaa: The mathematical theory of L systems. Academic Press, New York 1980
A. Salomaa: Computation and automata. Cambridge University Press, Cambridge 1985. Available also in French and Japanese
A. Salomaa: A public-key cryptosystem based on language theory. Computers and Security 7 (1988) 83-87
A. Salomaa: A deterministic algorithm for modular knapsack problems. Theoretical Computer Science 88 (1991) 127-138
A. Salomaa: Decision problems arising from knapsack transformations. Acta Cybernetica 9 (1990) 419-440
A. Salomaa and S. Yu: On a public-key cryptosystem based on iterated morphisms and substitutions. Theoretical Computer Science 48 (1986) 283-296
C.P. Schnorr and W. Alexi: RSA-bits are 0.5 + ε secure. Lecture Notes in Computer Science, vol. 209. Springer, Berlin 1985, pp. 113-126
B. Schneier: Applied Cryptography. John Wiley, New York 1993, 2nd ed. 1995
J. Seberry and J. Pieprzyk: Cryptography: an introduction to computer security. Prentice Hall, New York 1989
A. Shamir: A fast signature scheme. MIT, Laboratory for Computer Science, Technical Report 1978
A. Shamir: A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. Proceedings 23rd FOCS Symposium, 1982, pp. 145-152
A. Shamir: Embedding cryptographic trapdoors in arbitrary knapsack systems. MIT, Laboratory for Computer Science, Technical Report 230, 1982
A. Shamir: Identity based cryptosystems and signature schemes. Lecture Notes in Computer Science, vol. 196. Springer, Berlin 1985, pp. 47-53
A. Shamir: An efficient identification scheme based on permuted kernels. Weizmann Institute, Department of Applied Mathematics, Technical Report 1989
A. Shamir, R. Rivest and L. Adleman: Mental poker. In D.A. Klarner (ed.), The mathematical gardener. Wadsworth International, Belmont 1981, pp. 37-43
C.E. Shannon: Communication theory of secrecy systems. Bell System Technical Journal 28 (1949) 656-715
R. Siromoney and G. Siromoney: A public key cryptosystem that defies cryptanalysis. EATCS Bulletin 28 (1986) 37-43
H.C.A. Van Tilborg: An introduction to cryptology. Kluwer Academic Publishers, Boston 1988
N.R. Wagner and M.R. Magyarik: A public key cryptosystem based on the word problem. Lecture Notes in Computer Science, vol. 196. Springer, Berlin 1985, pp. 19-37
D. Welsh: Codes and cryptography. Oxford University Press, Oxford 1988
M.J. Wiener: Cryptanalysis of short RSA secret exponents. Proceedings EUROCRYPT-89, Lecture Notes in Computer Science, vol. 434. Springer, Berlin 1990, p. 372. Full paper: IEEE Transactions on Information Theory IT-36 (1990) 553-558
[Wil] H.C. Williams: Some public-key crypto-functions as intractable as factorization. Cryptologia 9 (1985) 223-237
[Yao] A.C. Yao: Protocols for secure computations. Proceedings 23rd FOCS Symposium, 1982, pp. 160-164
[Zim] H.S. Zim: Codes and secret writing. Scholastic Book Services, New York 1948
Index
alphabet 3 authentication 72 avalanche effect 54 backward deterministic 167 strongly 171 Bacon requirements 4 balloting system 219 Beaufort square 30 CAESAR 5 Carmichael number 139 chameleon 210 Chinese Remainder Theorem 188 classical cryptosystem 10 CODEBOOK 37 coin flipping by telephone 184 commutative cryptosystem 65 complexity theory 245 compositeness tests 137 congruence 250 conjunctive normal form 247 CO-NP 248 cryptanalysis 6 initial setups for 7 cryptographic hashing 216 cryptographic machines 39 C-36 44 Jefferson wheel 39 M-209 Converter 44 cryptographic protocol 181 age problem 191 banking 200 coin flipping by telephone 184 elections 200, 219 flipping numbers 186 interaction versus P-SPACE 207 minimum disclosure proof 203 non-interactive 195 oblivious transfer 194 partial disclosure of secrets 190 poker by telephone 74, 186 secret selling of secrets 196 sharing secrets 187 types of adversaries 182
without computers 234 zero-knowledge proof 208 cryptography 2 public-key 55 cryptology 2 cryptosystem 3 affine 14 AUTOCLAVE 35 automata-based 177 CAESAR 5 classical 10 CODEBOOK 37 coding-theory-based 178 commutative 5, 65 dense knapsack 121 DES 49 El Gamal 157 functional 168 Hill 8 HOMOPHONES 22 KEYWORD-CAESAR 20 knapsack 77 language-theory-based 174 McEliece 179 monoalphabetic 11 nonsymmetric 10 ONE-TIME PAD 38 one-way 10 periodic 31 PLAYFAIR 23 polyalphabetic 12 polynomial 19 public-key 6 RICHELIEU 11 RSA 125 substitution 11 symmetric 10 transposition 11 two-way 10 VIGENERE 29 Williams 159 cryptotext 2 space 3 data encryption standard 49
decoding 4 decryption 2 exponent (RSA) 126 density of knapsack vector 122 DES 49 digital signature 72 digram 25 diminishing sequence 98 discrete logarithm 118, 154, 251 eavesdropper 66 active 66 passive 66 elections 74, 191, 201, 219 encoding 4 encryption 2 by coloring 175 exponent (RSA) 26 error correcting code 78 Goppa 179 linear 179 Euclid's algorithm 249 complexity of 249 Euler phi-function 250 Euler pseudoprime 140 Euler's Theorem 250 Fermat's Little Theorem 250 finite field 117, 251 algebraic over 117 generator of 117, 251 square roots in 251 flipping numbers 186 garbage-in-between 10 goal 98 growing sequence 97 handshaking 74 hash function 216 hit number 46 identification 213 zero-knowledge proof of 213 interactive proof 207 for graph non-isomorphism 207 intractable 246
Jacobi symbol 251 complexity of computation 252 Jefferson wheel 39
Kasiski's method 31 key exchange 156 key management 13, 71 key space 3
knapsack-based cryptosystem 77 cryptanalysis 87, 96 signatures by 112 knapsack problem 58 instance of 77 knapsack vector 59, 77 dense 117 density of 122 hyper-reachable 96 increasing 78 injective 78 of low density 117 permutation-super-reachable 108 super-increasing 61, 78 super-reachable 96, 101 language 3 Las Vegas 248 least nonnegative remainder 78, 250 Legendre symbol 251 letter 3 descendant 169 dummy 169 literal 247 lockable box 204, 207 assignment 212 truth-value 211 variable 211 L-system 169 DTOL 169 TOL 169 lug cage 45 lug matrix 45 Miller-Rabin test 141 minimum disclosure proof 203 graph isomorphism 206 three-coloring 205 modular exponentiation 127 modular multiplication 79 modulus 250 monoalphabetic cryptosystems 10 Monte Carlo 248 morphism 167 iteration of 166
NP 246 NP-complete 247 NP-hard 247 numerical encoding 13
oblivious transfer 194 combined 200 ONE-TIME PAD 38 one-way function 57 cryptographic 57 oracles 147
P 246 partial disclosure of secrets 190 password 71 plaintext 2 space 3 PLAYFAIR 23 periodic 37 poker by telephone 74, 186 polyalphabetic cryptosystems 22 Polybios checkerboard 14 polynomially bounded 246 polynomial time 246 deterministic 246 nondeterministic 246 random 248 preprocessing 10 primality 137 probabilistic algorithm 248 protocol 73, 181 see cryptographic protocol pseudoprime 138 strong 141 P-SPACE 248 public-key cryptosystem 6, 66 quadratic reciprocity 252 quadratic residue 251 nonresidue 251 random polynomial time 248 rescuer 99, 100 rotors 39 RSA 125 cryptanalysis versus factoring 143, 165 digital signatures 133 partial information in 147 security of 134 satisfiability problem 211, 247 S-boxes 51 scrambling strategy 224 secrecy of protocol 221 secret selling of secrets 196 selling of votes 228
sharing secrets 187 sieve of Eratosthenes 142 Solovay-Strassen test 139 soundness of protocol 221 space complexity 247 steganography 14 step figure 46 stochastic algorithm 248 substitution 5 finite 167 threshold scheme 187 time complexity 245 deterministic 246 function 246 tractable 246 transposed version 101 trapdoor 56 pair 171 Turing machine 245 deterministic 246 nondeterministic 246 polynomially bounded 246 verifiability of protocol 221 VIGENERE 29 square 29 violation point 97 w@c 221 witness for primality 138 word 3 empty 3 length of 3 word problem 175
XOR 195 zero-knowledge proof 208 Hamilton cycle 208 non-interactive 213, 243 of identity 213 of knowledge 214 of theorems 214 parallel version 210 perfect 213 satisfiability 211, 243