Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download 2011 - Verimag
Document related concepts
History of randomness wikipedia , lookup
Ars Conjectandi wikipedia , lookup
Inductive probability wikipedia , lookup
Birthday problem wikipedia , lookup
Infinite monkey theorem wikipedia , lookup
Probability interpretations wikipedia , lookup
Law of large numbers wikipedia , lookup
Transcript
Security models
1st Semester 2011/2012
P. Lafourcade
H. Siswantoro, S. Ziad
Lecture Note IV
Date: 03.10.2011
Contents
1 Introduction
1
2 Computational Indistinguishability
2.1 Probability Ensembles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.2 Relation to Statistical Closeness . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2
2
4
3 Hybrid Technique
3.1 Indistinguishability by Repeated Sampling . . . . . . . . . . . . . . . . . . . . . . .
3.2 Hybrid Technique . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5
5
5
4 Pseudorandom Generators
4.1 Pseudorandom Ensembles and Generators . . . . . . . . . . . . . . . . . . . . . . .
4.2 Increasing the Expansion Factor . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7
7
8
5 An example of Pseudorandom Generator: Blum-Blum-Shub
5.1 Description of the Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.2 Security of the generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11
11
11
6 Cramer-Shoup cryptosystem
6.1 Introduction . . . . . . . . .
6.2 Presentation of the scheme
6.3 Proof of security . . . . . .
6.4 Conclusion . . . . . . . . .
11
11
12
13
13
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
7 Exercise
13
References
14
1
Introduction
In the second half of the XXth century, three theories of randomness have been proposed. The
first theory, proposed by Shannon (cf. [3]), is based on probability theory and is focused on
distributions which are not perfectly random. Shannon’s Information Theory characterizes perfect
randomness as the extreme case in which the entropy is maximized: this happens only with a
unique distribution, the uniform one. Then, one cannot generate perfect random strings from
shorter random strings.
The second theory (cf. [11, 13]), due to Solomonov, Kolmogorov, and Chaitin, is based on
computability theory (especially the notion of a universal language). It measures the complexity
of objects in terms of the shortest program that generates the object. However, like the latter
theory, Kolmogorov Complexity is quantitative and perfect random objects appears as an extreme
case.
1
Then the third theory (cf. [2, 9, 16]), initiated by Blum, Goldwasser, Micali and Yao is based
on complexity theory and is the subject of this lecture. The interesting approach consists now
to provide a notion of perfect randomness that nevertheless allows to efficiently generate perfect
random strings: we view objects as equal if they cannot be told apart from any efficient procedure.
In these notes, we first introduce some definitions mainly based on [8] (probability ensembles,
polynomial-time indistinguishability, and efficiently constructible ensembles) which lead us to talk
about pseudorandom generators. Then, we will briefly present a pseudorandom generator: BlumBlum-Shub (Section 5).
Moreover, these notes emphasize the notion of hybrid technique, used to prove some theorems
and the security of Cramer-Shoup cryptosystem (Section 6).
2
Computational Indistinguishability
2.1
Probability Ensembles
Intuitively, two objects are said computationally indistinguishable if they cannot be distinguished
by any efficient procedure. In complexity theory, we often consider the running time of an algorithm in term of the size of its input, and study its asymptotic comportment. Thus, the objects
we consider are infinite sequences of distributions, where each distribution has a finite support.
The latter discussion extends naturally to probability. In this subsection, we will first define the
notion of probability ensemble, and then present computational indistinguishability.
Definition 1 (probability ensemble). [8] Let I be a countable set. A probability ensemble indexed
by I is a sequence of random variables indexed by I. Namely, any X = {Xi }i∈I where each Xi ,
i ∈ I is a random variable, is a probability ensemble indexed by I.
In the following, we will denote by X = {Xn }n∈N a probability ensemble having each Xn
ranging over strings of length poly(n). Since we can convert any natural number in the binary
numeral system, we can consider a natural number n as a word w ∈ {0, 1}∗ . Thus, we will
denote by X = {Xw }w∈{0,1}∗ a probability ensemble having each Xw ranging over string of length
poly(|w|). In the rest of this lecture, we will deal only with ensembles indexed by N.
Let us now define properly the notion of computational indistinguishability.
Definition 2 (computational indistinguishability). Two probability ensembles {Xn }n∈N and
{Yn }n∈N are called computationally indistinguishable (or indistinguishable in polynomial-time)
if, for any probabilistic polynomial-time algorithm D, any positive polynomial p, and for all sufficiently large n’s
1
.
|Pr[D(Xn , 1n ) = 1] − Pr[D(Yn , 1n ) = 1]| <
p(n)
By replacing n by |w| in the polynomial p, we easily adapt this definition to any probability
ensembles {Xw }w∈{0,1}∗ and {Yw }w∈{0,1}∗ . This definition leads us to two comments. First,
we have allowed the algorithm D (called a distinguisher ) to be probabilistic: the requirement is
stronger but it is mandatory by the approach on the subject. Secondly, the definition give that
events occur with a negligible probability (in the sense of Lecture I), so that they also occur with
negligible probability if the experiment is repeated for poly(n)-many times.
Let us give a simple example (but not so easy).
Example 3. Let b be a string generated by flipping a “fair” coin until head appears (head = 1).
Let X be a random variable which represents the size of b. Define random variables B1 , B2 , . . .
where Bi represents the value of the bit assigned to b in the ith flip, if X ≥ i, and ? otherwise.
The following simple probabilistic algorithm corresponds this example:
repeat
2
b ←R {0, 1}
until b = 1
Note that exactly one Bi will take the value 1, in which case X will be equal to i. Thus, we
have the following equalities:
Pr[Bi = 0|X ≥ i] =
1
2
and
Pr[Bi = 1|X ≥ i] =
1
.
2
Indeed, if X ≥ i, we have Bk = 0 for all 1 ≤ j ≤ i − 1 and the ith flip is such that Bi is uniformly
distributed over {0, 1}. Moreover, it is clear that
Pr[Bi = ?|X < i] = 1,
and that means that we do not flip the coin a ith time since we obtained head before this flip.
1
. It is obvious for i = 1: we will flip the
Let us show by induction on i that Pr[X ≥ i] = 2i−1
coin at least one time. Then, for i = 2, we need to have B1 = 0 and we get
Pr[X ≥ 2] = Pr[B1 = 0|X ≥ 1] Pr[X ≥ 1] =
1
.
2
At step i ≥ 2, we need Bi−1 = 0 and as before
Pr[X ≥ i] = Pr[Bi−1 = 0|X ≥ i − 1] Pr[X ≥ i − 1] =
1
1
1
× i−2 = i−1 .
2 2
2
Thus, X has a geometric distribution with success 21 .
We give two easy exercises to test your comprehension of this notion:
Exercise 1. Consider the algorithm D which flips a “fair” coin and outputs its outcome (0 or 1).
Verify that
|Pr[D(X) = 1] − Pr[D(Y ) = 1]| ,
where X is the event “obtain 1” and Y “obtain 0”, is negligible.
Exercise 2. Consider the algorithm D that outputs 1 if on only if the input string contains more
zeros than ones. If D can be implemented in polynomial time, then prove that X and Y are
polynomial-time indistinguishable.
We finish this subsection by proving the transitivity of indistinguishability for three ensembles.
Proposition 4. The relation of computational indistinguishability is an equivalence relation over
the probability ensembles.
Proof. It is clear that this relation is reflexive (i.e., X and X are computationally indistinguishable)
and symmetric (by definition). Let X = {Xn }n∈N , Y = {Yn }n∈N and Z = {Zn }n∈N be three
probability ensembles such that X and Y are indistinguishable in polynomial time and Y and Z
are indistinguishable in polynomial time. Then let D be a probabilistic polynomial-time algorithm
and p be a positive polynomial. Since 2p is also a positive polynomial, we know that for n large
enough,
1
,
|Pr[D(Xn , 1n ) = 1] − Pr[D(Yn , 1n ) = 1]| <
2p(n)
and
|Pr[D(Yn , 1n ) = 1] − Pr[D(Zn , 1n ) = 1]| <
3
1
.
2p(n)
Let us show that X and Z are computationally indistinguishable:
|Pr[D(Xn , 1n ) = 1] − Pr[D(Zn , 1n ) = 1]| ≤ |Pr[D(Xn , 1n ) = 1] − Pr[D(Yn , 1n ) = 1]|
+ |Pr[D(Yn , 1n ) = 1] − Pr[D(Zn , 1n ) = 1]|
(by the triangular inequality)
1
1
≤
+
2p(n) 2p(n)
1
≤
p(n)
for all sufficiently large n’s. This allows us to conclude.
2.2
Relation to Statistical Closeness
We can relate computational indistinguishability with a traditional notion from probability theory.
Two ensembles X = {Xn }n∈N et Y = {Yn }n∈N are said to be statistically close if, for every
positive polynomial p and all sufficiently large n’s, we have
1X
1
.
∆(n) =
|Pr[Xn = α] − Pr[Yn = α]| <
2 α
p(n)
In other words, the statistical difference of X and Y is negligible.
We have the following proposition:
Proposition 5. If two ensembles X and Y are statistically close, then they are also polynomialtime indistinguishable.
Proof. We prove the contrapositive. Suppose X and Y are not indistinguishable in polynomial
time. Then there exist a probabilistic polynomial-time algorithm D and a positive polynomial p
such that form many n’s, it holds
|P [D(Xn ) = 1] − Pr[D(Yn ) = 1)| ≥
1
.
p(n)
For α a string of length n, let q(α) be defined as
q(α) = Pr[D(α) = 1].
Then, we have
Pr[D(Xn ) = 1] =
X
q(α) Pr[Xn = α],
α
and
Pr[D(Yn ) = 1] =
X
q(α) Pr[Yn = α].
α
Replacing these equalities in (1) gives
X
X
1
≤
q(α) Pr[Xn = α] −
q(α) Pr[Yn = α]
p(n) α
α
X
≤
q(α) (Pr[Xn = α] − Pr[Yn = α])
α
X
≤
q(α) |Pr[Xn = α] − Pr[Yn = α]|
α
≤
X
|Pr[Xn = α] − Pr[Yn = α]|
α
≤ 2∆(n).
Thus, ∆(n) is not negligible, so X and Y are not statistically close.
4
(1)
However, the converse of this latter proposition is not true. In particular, we have
Proposition 6. There exists an ensemble X = {Xn }n∈N such that X is not statistically close
to the uniform ensemble U = {Un }n∈N whereas X and U are computationally indistinguishable.
Furthermore, Xn assigns all probability mass to a set Sn consisting of at most 2n/2 strings of
length n.
Sketch of the proof. We construct the ensemble X = {Xn }n∈N by choosing for each n a set Sn ⊂
{0, 1}n of cardinality N = 2n/2 , and letting Xn be uniformly distributed on Sn . Thus, Pr[Xn =
/ Sn .
α] = N1 for α ∈ Sn , and Pr[X = α] = 0 for α ∈
The fact that X, U are not statistically close is immediate from the above. The main point is
now how to choose the set Sn . It is chosen such that Xn is indistinguishable from Un by polynomial
size circuit C. More details are available in [8].
3
3.1
Hybrid Technique
Indistinguishability by Repeated Sampling
By Definition 2, we know that two ensembles are considered computationally indistinguishable
if no efficient procedure can tell them apart based on a single sample. We will generalize this
definition by providing D with multiple samples (as long as the number of samples is bounded by
a polynomial m(n)): if the difference in output probabilities is a negligible function, X and Y will
be indistinguishable by multiple samples.
Definition 7 (indistinguishability by repeated sampling). [8] Two ensembles, X = {Xn }n∈N
and Y = {Yn }n∈N , are indistinguishable by polynomial-time sampling if, for every probabilistic
polynomial-time algorithm D, every positive polynomials m and p, and all sufficiently large n’s,
1
,
Pr[D(Xn1 , ..., Xnm(n) ) = 1] − Pr[D(Yn1 , ..., Ynm(n) ) = 1] <
p(n)
m(n)
m(n)
and Yn1 through Yn
where Xn1 through Xn
i
identical to Xn and Yn identical to Yn .
are independent random variables, with each Xni
By considering Example 3, the main idea is now to flip several coins at the same time until
head appears for each coin.
Now, we define the notion of efficiently constructible ensemble.
Definition 8 (efficiently constructible ensemble). [8] An ensemble X = {Xn }n∈N is said to be
polynomial-time-constructible if there exists a probabilistic polynomial-time algorithm S such that
for every n, the random variables S(1n ) and Xn are identically distributed.
3.2
Hybrid Technique
We now show that for efficiently constructible ensembles, computational indistinguishability (on
one sample) implies computational indistinguishability by repeated sampling. The proof of this
result will use a trick called the hybrid technique. The main idea is to cut the problem in pieces
in order to solve easier small problems.
Theorem 9. [8] Let X = {Xn }n∈N and Y = {Yn }n∈N be two polynomial-time-constructible
ensembles, and suppose that X and Y are indistinguishable in polynomial-time (as in Definition 2).
Then X and Y are indistinguishable by polynomial-time sampling (as in Definition 7).
In other words, playing several copies of the same thing at the same time does not change
anything. We will do a proof by contradiction. Indeed, if it is not the case, we can prove that the
existence of an efficient algorithm that distinguishes X and Y using several samples implies the
existence of an efficient algorithm which distinguishes the ensembles X and Y .
5
Proof. Suppose the contrary. Then there exist a polynomial-time algorithm and two positive
polynomials m and p such that for many n’s, we have
∆(n) = Pr[D(Xn1 , ..., Xnm ) = 1] − Pr[D(Yn1 , ..., Ynm ) = 1] >
1
,
p(n)
(2)
where m = m(n), and the Xni and Yni are defined by repeated sampling.
The goal is now to find a probabilistic polynomial-time algorithm D0 that distinguishes X and
Y.
For every 0 ≤ k ≤ m, we define the hybrid random variable
Hnk = (Xn1 , ..., Xn(k) , Ynk+1 , ..., Ynm ),
m(n)
m(n)
where Xn1 through Xn
and Yn1 through Yn
are independent random variables, with each Xni
i
identical to Xn and Yn identical to Yn . The index k will represent the place in the tuple where it
switches from Xn to Yn . Clearly, we have
Hnm = (Xn1 , ..., Xnm ),
and
Hn0 = (Yn1 , ..., Ynm ).
Thus, we will be able to go from the former one to the latter one using the Hnk .
By hypothesis, D can distinguish Hn0 and Hnm . The idea is now to use D in order to build a
probabilistic polynomial-time algorithm D0 that distinguishes X and Y . This algorithm proceeds
as follow:
1. D0 selects k uniformly in the set {0, 1, ..., m − 1},
2. D0 generates k independent samples of Xn denoted x1 , ..., xk (since X is an efficiently constructible ensemble),
3. D0 generates m − k − 1 independent samples of Yn denoted y k+2 , ..., y m (since Y is an
efficiently constructible ensemble),
4. D0 invokes D with the input α and halts with the output
D0 (α) = D(x1 , ..., xk , α, y k+2 , ..., y m ).
If is clear that D0 can be implemented in polynomial-time. Let us prove and use the following
claims:
Claim 10. By construction of D0 , we have
Pr[D0 (Xn ) = 1] =
m−1
1 X
Pr[D(Hn`+1 ) = 1],
m
`=0
and
Pr[D0 (Yn ) = 1] =
m−1
1 X
Pr[D(Hn` ) = 1].
m
`=0
Proof. By construction of the algorithm D0 , for a random k in {0, . . . , m − 1}, we have
Pr[D0 (Xn ) = 1] =
m−1
X
Pr[k = l] Pr[D(Xn1 , . . . , Xnk , Xn` , Ynk+2 , . . . , Ynm ) = 1].
`=0
Now, Pr[k = `] =
follows.
1
m
and by using the definition of the hybrid random variables Hnk , the claim
6
We can remark that, in the former equality, we do the sum on all Hni except Hn0 = (Yn1 , . . . , Ynm ),
and that in the latter one, we do the sum on all Hni except Hnm = (Xn1 , . . . , Xnm ).
Claim 11. For ∆(n) as in Equation 2, we have
|Pr[D0 (Xn ) = 1] − Pr[D0 (Yn ) = 1]| =
∆(n)
.
m(n)
Proof. Using Claim 10, we get
m−1
m−1
X
1 X
`+1
`
Pr[D(Hn ) = 1] −
|Pr[D (Xn ) = 1] − Pr[D (Yn ) = 1]| =
Pr[D(Hn ) = 1]
m
`=0
`=0
1 =
Pr[D(Hnm ) = 1] − Pr[D(Hn0 ) = 1]
m
∆(n)
=
.
m
0
0
Note that there are canceling between the first and the second lines: it is a telescopic sum.
1
, it follows from Claim 11 that for many n’s, the probabilisticSince by hypothesis ∆(n) > p(n)
time algorithm D0 distinguishes X and Y , which is in contradiction with the hypothesis of the
theorem.
Let us highlight the special trick used in the proof: the hybrid technique. It constitutes a
special type of “reducibility argument”: to prove the indistinguishability of complex ensembles,
we use the indistinguishability of basic ensembles. Let us emphasize properties of the construction
of the hybrid random variables which are important for the argument:
Extreme hybrids collide the complex ensembles. Indeed, we want to prove the indistinguishability of the complex ensembles and it relates to the complex ensembles.
Neighboring hybrids are easily related to the basic ensembles. Indeed, we know the indistinguishability of the basic ensembles and it relates to the basic ensembles.
Number of hybrid is “small” (i.e., polynomial). It is an important property since we want
to deduce computational indistinguishability of extreme hybrid random variables from the
computational indistinguishability of each pair of neighboring hybrid random variables.
4
Pseudorandom Generators
In this section, we will discuss pseudorandom generators. Informally, these are efficient deterministic algorithms that produce a “pseudorandom” bit sequence. Of course, we will ask this sequence
to be computationally indistinguishable from a truly random sequence. By definition, these pseudorandom generators produce sequences that look random to any efficient observer. Thus, their
outputs can be used in any application requiring random sequences. Then, no efficient adversary
will be able to differentiate truly random sequences from pseudorandom ones.
This section is an application of the hybrid technique: we will use it in the proof of Theorem 14.
4.1
Pseudorandom Ensembles and Generators
It is an important case of computationally indistinguishable pair of ensembles, where one of them
is uniform.
Definition 12. [8] The ensemble X = {Xn }n∈N is called pseudorandom ensemble if there exists
a uniform ensemble U = {U`(n) }n∈N such that X and U are indistinguishable in polynomial time.
7
Notice that |Xn | is not necessarily n whereas |Um | = m. Actually, for polynomial-timecomputable function ` : N → N and ensemble X as in the latter definition, we have that with very
high probability |Xn | = `(n).
A pseudorandom ensemble can be used instead of a uniform ensemble in any efficient program
with very few degradation of performance. This replacement is interesting in the case where generating pseudorandom ensembles costs less than generating the corresponding uniform ensemble.
In particular, in cryptography, we want to generate pseudorandom ensembles using as little true
randomness as possible. This leads us to the following definition.
Definition 13 (pseudorandom generator). A pseudorandom generator is a deterministic polynomialtime algorithm G satisfying:
• Expansion: there exists a function ` : N → N such that `(n) > n for all n ∈ N and
|G(s)| = `(|s|) for all s ∈ {0, 1}∗ .
• Pseudorandomness: the ensemble {G(Un )}n∈N is pseudorandom.
The function ` is called the expansion factor of G.
The input s of the pseudorandom generator is called its seed.
4.2
Increasing the Expansion Factor
Pseudorandom generators as defined above are actually only required to stretch their input a
bit. Indeed, given a pseudorandom generator G with expansion function `(n) = n + 1, we construct a pseudorandom generator G0 with arbitrary polynomial expansion factor. Let us give this
construction (represented on Figure 1):
Construction: Let G be a pseudorandom generator with expansion function `(n) = n + 1,
and let p be a positive polynomial. Define
G0 (s) = σ1 σ2 · · · σp(|s|) ,
where s0 = s, the bit σi is the first bit of G(si−1 ), and si is the |s|-bit-long suffix of G(si−1 ) for
every 1 ≤ i ≤ p(|s|).
We can give the corresponding algorithm:
s0 ← s
n ← |s|
for i = 1 to p(n) do
σi si ← G(si−1 ) {where σi ∈ {0, 1} and |si | = |si−1 |}
end for
Output σ1 σ2 ...σp(n)
G0
s0
G
s1
σ1
G
s2
G
...
sp(s)
σp(n)
σ2
Figure 1: Representation of the construction of the new pseudorandom generator
Let us prove that G0 is really a pseudorandom generator:
8
Theorem 14. Let G, p and G0 be defined as in the previous construction such that p(n) > n for
every n. If G is a pseudorandom generator, then G0 is also a pseudorandom generator.
The proof will use an hybrid technique. Intuitively, we can see that each application of G can
be replaced by a random process. The indistinguishability of each application of G implies that
polynomially many applications of G are indistinguishable from a random process.
Proof. Suppose that G0 is not a pseudorandom generator. Then, {G0 (Un )}n∈N and {Up(n) }n∈N
are distinguishable, i.e., there exist a probabilistic polynomial-time algorithm D and a positive
polynomial q such that, for many n’s, it holds that
∆(n) = |Pr[D(G0 (Un )) = 1] − Pr[D(Up(n) ) = 1]| >
1
.
q(n)
For each 0 ≤ k ≤ p(n), we consider the distribution
Hnk = Uk1 · prefp(n)−k (G0 (Un2 )),
where Uk1 and Un2 are independent uniform distributions (over {0, 1}k and {0, 1}n , respectively),
and prefj (G0 (x)) denotes the j-bit long prefix of G0 (x). In other words, Hnk is the concatenation
of a uniformly chosen k-bit-long string and the (p(n) − k)-bit-long prefix of G0 (Un ). We clearly
have
Hn0 = G0 (Un )
and
Hnp(n) = Up(n) .
A different way of viewing Hkn is represented in Figure 2. We pick the σ1 , . . . , σk randomly in
{0, 1}, and sk uniformly in {0, 1}n , and for i = k + 1, . . . , p(n), we apply the construction and
obtain si σi = G(si−1 ).
Hnk
sk
σk
...
σ1
G
sk+1
G
...
σk+1
sp(s)
σp(n)
σk−1
Figure 2: Hybrid Hnk as a modification of the construction.
It follows that if an algorithm D can distinguish extreme hybrid random variables, it can
distinguish two neighboring hybrid random variables. Another piece of notation: we denote by
suffj (x) the j-bit-long suffix of the string x. Then, we have1 the following equality for every
x ∈ {0, 1}n :
prefj+1 (G0 (x)) = pref1 (G(x)) · prefj (G0 (suffn (G(x)))).
For easier notation, let us define
fp(n)−k (x) = pref1 (x) · prefp(n)−k−1 (G0 (suffn (x))) ∈ {0, 1}p(n)−k .
Thus, with this piece of notation and by construction of G0 , we have
Hnk = Uk1 · prefp(n)−k (G0 (Un2 ))
= Uk1 · pref1 (G(Un2 )) · prefp(n)−k−1 (G0 (suffn (G(Un2 )))))
= Uk1 · fp(n)−k (G(Un2 )),
1 Convince
yourself!
9
and
1
Hnk+1 = Uk+1
· prefp(n)−(k+1) (G0 (Un2 ))
0
00
0
2
= Uk1 · U11 · pref(p(n)−k−1) (G0 (suffn (Un+1
))
0
0
0
2
2
= Uk1 · pref1 (Un+1
) · pref(p(n)−k−1) (G0 (suffn (Un+1
))
0
0
2
= Uk1 · fp(n)−k (Un+1
),
where the Uj` uniform random variables are independent.
By hypothesis, D can distinguish Hn0 and Hnm . The idea is now to use D in order to build a
probabilistic polynomial-time algorithm D0 that distinguishes G(Un ) and Un+1 . This algorithm
proceeds as follow:
1. D0 selects k uniformly in the set {0, 1, ..., p(n) − 1},
2. D0 selects β ∈ {0, 1}k uniformly,
3. D0 invokes D with the input α and halts with the output
D0 (α) = D(β · fp(n)−k (α)).
If is clear that D0 can be implemented in polynomial-time. Let us prove and use the following
claim:
Claim 15. By construction of D0 , we have
Pr[D0 (G(Un )) = 1] =
p(n)−1
X
1
Pr[D(Hn` ) = 1],
p(n)
`=0
and
p(n)−1
X
1
Pr[D(Hn`+1 ) = 1].
Pr[D (Un+1 ) = 1] =
p(n)
0
`=0
0
Proof. By construction of D , we get, for every α ∈ {0, 1}n+1 ,
p(n)−1
X
1
Pr[D (α) = 1] =
Pr[D(Uk .fp(n)−` (α)) = 1].
p(n)
0
`=0
We use the latter equalities to conclude.
Finally, we have
p(n)−1
p(n)−1
X
X
1 0
0
`
`+1
|Pr[D (G(Un )) = 1] − Pr[D (Un+1 ) = 1]| =
Pr[D(Hn ) = 1] −
Pr[D(Hn ) = 1]
p(n) `=0
`=0
1 Pr[D(G0 (Un ) = 1] − Pr[D(Up(n) ) = 1]
=
p(n)
∆(n)
1
=
>
.
p(n)
q(n)p(n)
This is a contradiction with the fact that G is a pseudorandom generator.
10
5
An example of Pseudorandom Generator: Blum-BlumShub
The Blum-Blum-Shub Pseudorandom Bit Generator is described in [1]. It is based on the difficulty
to solve the quadratic residuosity problem. This generator is provably secure but is very slow.
5.1
Description of the Algorithm
We say that a prime number p such that p ≡ 3 (mod 4) is a Blum prime number. We introduce
a piece of notation: if x is a number, then parity(x) = x mod 2.
Let us describe the algorithm:
•
•
•
•
•
•
Generate p and q, two large Blum prime numbers.
Compute n = pq.
Choose s ∈ [1, n − 1], the random seed2 .
Compute x0 = s2 (mod n).
Define the sequence xi = x2i−1 (mod n) and zi = parity(xi ).
The output is the bit sequence zi = z1 , z2 , . . ..
For example, let p = 71 and q = 83, then n = pq = 71 × 83 = 5893 and we choose s = 1000.
We obtain:
x0 = 1000000 (mod 5893) = 4083
⇒ z0 = 1
x1 = 16670889 (mod 5893) = 5485 ⇒ z1 = 1 .
x2 = 30085225 (mod 5893) = 1460 ⇒ z2 = 0
The output will be (1, 0).
5.2
Security of the generator
The proof of security relies on the quadratic residuosity assumption. First, the authors show how
an advantage in guessing the parity of an element can be converted in an advantage for determining
quadratic residuosity in polynomial time. Then, they show the relation between their generator
and the quadratic residuosity assumption using a result introduced by Goldwasser and Micali in
[10].
We can add that if we can solve the integer factorization, then we can solve the quadratic
residuosity problem. Indeed, knowing how to solve the factorization in polynomial time allows us
to solve the quadratic residuosity problem in polynomial time too. However, we do not know how to
solve this problem in polynomial time without using a polynomial-time oracle for the factorization.
Notice that this problem is often used in cryptography, such as in RSA cryptosystem.
6
Cramer-Shoup cryptosystem
6.1
Introduction
In 1998, Ronald Cramer and Victor Shoup proposed a public key cryptosystem. This cryptosystem
is the first efficient scheme proven to be IND-CCA2 in standard model. The Cramer-Shoup system
is presented and analyzed in [4]. Its security is based on the Diffie-Hellman problem, i.e., let g be
a generator element of some group (typically the multiplicative group of a finite field or an elliptic
curve group) and let x and y be randomly chosen integers. Knowing g x and g y , can we compute
the value of g xy ? It is assumed that the Diffie-Hellman decision problem is hard. And now it
is proved that solve the Diffie-Hellman decision problem involves solving the discrete logarithm
problem, i.e., given g and g x , can we compute the value of x. The Cramer-Shoup scheme is
2 random
seeds are often generated from the state of the computer system such as the time
11
an extension of the basic ElGamal encryption scheme published in [7]. But the difference with
ElGamal, is that the Cramer-Shoup scheme is secure against adaptive chosen ciphertext attack
and it also requires a universal one-way hash function.
We recall some notions:
• IND-CCA2: This notion of security was defined by C. Rackoff and D. Simon in [15]. The
adversary can use the decryption oracle before and after the challenge. The cryptosystem is
IND-CCA2 secure if the advantage of any polynomial-time adversary is negligible.
• The Diffie-Hellman decision problem: Knowing g x and g y , it should be hard for any adversary
to distinguish between g xy and g r for some random value r.
• ElGamal: This cryptosystem is malleable and so is not IND-CCA2 secure. For example,
given an encryption (c1 , c2 ) of a message m, we can feed to the decryption oracle with a
valid encryption (c1 , g · c2 ) and we get g · m.
• The universal one-way hash function: A collision-resistant hash function is a function H
for which is infeasible for any adversary to find two different inputs x and y such that
H(x) = H(y). A universal one-way hash function is a function H for which is infeasible for
any adversary, having an input x, to compute H(x) and to find a different input y such that
H(x) = H(y).
In [14], Naor and Yung introduced the first scheme provably secure against lunchtime attacks
(CCA1). Then others were proposed and proved to be CCA2 but they were impractical like in
[15]. However in [6], [17] or in [12], practical schemes are proposed but they were not proved to
be secure against CCA2 and even sometimes they were broken. The importance of the CramerShoup scheme is due to the fact that it is the first cryptosystem both provably secure (CCA2) and
possible to implement.
6.2
Presentation of the scheme
Let G be a cyclic group of order q, where q is prime and large.
Key Generation. Random generators g1 , g2 ∈ G are chosen. Random elements x1 , x2 , y1 , y2 , z ∈
Zq are also chosen. Then we compute c = g1x1 g2x2 , d = g1y1 g2y2 , and h = g1z . Next, we choose a
hash function H from the family of universal one-way hash functions. We obtain the public
key (g1 , g2 , c, d, h, H) and the private key (x1 , x2 , y1 , y2 , z).
Encryption. Let m ∈ G be a message. We choose r ∈ Zq at random and we compute
u1 = g1r ,
u2 = g2r ,
e = hr m,
α = H(u1 , u2 , e),
and v = cr drα . The resulting ciphertext is (u1 , u2 , e, v).
Decryption. First, we compute α = H(u1 , u2 , e) and verify if
ux1 1 +y1 α u2x2 +y2 α = v.
If this condition is not verified, the decryption algorithm outputs “reject”; otherwise, it
computes m = uez .
1
Now, we verify that this encryption scheme works correctly. We have ux1 1 ux2 2 = g1rx1 g2rx2 = cr ,
r
likewise, uy11 uy22 = dr , thus ux1 1 +y1 α ux2 2 +y2 α = cr drα = v. The output is obtained by uez = hgrzm =
hr m
hr
1
= m.
12
1
6.3
Proof of security
The goal is to prove the following theorem:
Theorem 16. The Cramer-Shoup cryptosystem is secure against adaptive chosen ciphertext attack
assuming that:
1. The hash function H is chosen from a universal one-way family.
2. The Diffie-Hellman decision problem is hard in the group G.
This proof is developed in [4], so we give an overview of the method which uses a hybrid
technique. First they assume that an adversary can break the cryptosystem and show how to use
this adversary to construct a statistical test. They give (g1 , g2 , u1 , u2 ) coming from a distribution
R or D. Then, they build a simulator that simulates the joint distribution consisting of adversary’s
view in its attack on the cryptosystem, and the hidden bit b generated by the oracle. Authors
prove the two following lemmas: When the simulator’s input comes from D, the distribution of the
adversary’s view and the hidden bit b is statistically indistinguishable; and when the simulator’s
input comes from R, the distribution of the hidden bit b is (essentially) independent from the
adversary’s view. The heart of the proof is to show that the decryption oracle will reject all invalid
ciphertexts, except with negligible probability because it is verified, then the distribution of the
hidden bit b is independent of the adversary’s view. To show this, they consider three different
cases with (u1 , u2 , e, v), the output of the simulator, a legitimate ciphertext and (u01 , u02 , e0 , v 0 ),
an invalid ciphertext submitted by the adversary. In these three cases, the decryption oracle
rejects the invalid ciphertexts according to the assumption on the hash function and a negligible
probability.
6.4
Conclusion
In [4], Ronald Cramer and Victor Shoup propose several implementations of their scheme. This
cryptosystem is secure against adaptive chosen ciphertext attack using standard cryptographic
assumptions. The security proved is the strongest, i.e., IND-CCA2. In contrast to Elgamal,
Cramer-Shoup adds additional elements to ensure non-malleability even against a resourceful
attacker. For that, the scheme uses a collision-resistant hash function and additional computations.
Moreover Ronald Cramer and Victor Shoup still use a hybrid technique to prove the security of
a scheme in [5]. They show that the existence of an efficient adaptive chosen ciphertext attack
with non-negligible advantage implies the existence of an efficient distinguishing algorithm that
contradicts the hardness assumption for a hard problem.
7
Exercise
Problem: we define the n-IND-CPA game as follows: Given an encryption scheme S = (K, E,
D), an n-IND-CPA adversary is a tuple A = (A1 , A2 , ..., An+1 ) of probabilistic polynomial-time
algorithms. For b ∈ {0, 1}, define the following game. n-INDb -CPA:
• Generate (pk, sk) ← K(η)
• (s1 , m1,0 , m1,1 ) ← A1 (η, pk)
• (s2 , m2,0 , m2,1 ) ← A1 (η, pk, s1 , E(pk, m1,b ))
• ...
• b0 ← An+1 (η, pk, sn , E(pk, mn,b ))
• return b0
n−IN D−CP A
Define AdvS,A
= P r[b0 ← n-IND1 -CPA : b0 = 1] − P r[b0 ← n-IND0 -CPA : b0 = 1]. Show
that an encryption scheme is n-IND-CPA secure if and only if it is IND-CPA secure.
13
Solution: we want to prove that if the encryption scheme is IND-CPA secure then it is n-INDCPA secure. n-IND-CPA adversary is a tuple A = (A1 , A2 , ..., An+1 ) of probabilistic polynomialtime algorithms.
Game 0: run A1 , A2 , ..., An+1 ciphering mi,0
Game 1: run A1 , A2 , ..., An+1 ciphering mi,0 then mi,1 with i > 1
...
Game n+1: return b0
We consider the adversary B = (B1 , B2 )
B1 → i, 1 < i < n + 1
for the first i − 1: we run A1 , A2 , ..., Ai−1
Input: run A1 with pk
Output: m1,0 and m1,1
For 2 ≤ j ≤ i − 1 : (Sj , mj,0 ; mj,1 ) ← Aj (Sj−1 , E(pk, mj−1,0 ))
So the output of B1 is: (Si−1 , mi−1,0 , mi−1,1 )
B2 takes (Si−1 , c)
We run Ai with Si−1 and c returning (Si , mi,0 , mi,1 )
for i + 1 ≤ j ≤ n : (Sj , mj,0 ; mj,1 ) ← Aj (Sj−1 , E(pk, mj−1,1 ))
An+1 → b0 , output of B2 is b0
The advantage between Ai and Ai+1 is negligible. That means it exists a polynom p such that:
n−IN D−CP A
Adv(A
<
i ,Ai+1 )
n−IN D−CP A
AdvS,A
<
n
X
1
p
n−IN D−CP A
Adv(A
= n.
i ,Ai+1 )
i=1
1
p
so the advantage of A1 , A2 , ..., Ai−1 is negligible.
Now we want to prove that the encryption scheme is n-IND-CPA secure ⇒ IND-CPA secure.
By contradiction:
So if the adversary C = (C1 , C2 ) could find b0 then the adversary A = (A1 , A2 , ..., An+1 )
• Generate (pk, sk) ← K(η)
• (s1 , m1,0 , m1,1 ) ← A1 (η, pk)
• (s2 , m2,0 , m2,1 ) ← A1 (η, pk, s1 , E(pk, m1,b ))
• ...
• b0 ← An+1 (η, pk, sn , E(pk, mn,b ))
• return b0
C1 : Input: run A1 with pk
output: (Sn , mn,0 , mn,1 )
C2 : run An+1 (η, pk, Sn , E(pk, mn,b ))
return b0
If IND-CPA is not secure that means the adversary C finds b0 , which is the same output of An+1 ,
so n-IND-CPA is not secure.
References
[1] L Blum, M Blum, and M Shub. A simple unpredictable pseudo random number generator.
SIAM J. Comput., 15(2):364–383, 1986.
14
[2] M. Blum, S. Micali, Massachusetts Institute of Technology. Laboratory for Computer Science,
and Massachusetts Institute of Technology. Industrial Liaison Program. How to generate
cryptographically strong sequences of pseudo-random bits. SIAM J. Comput., 13(4):850–864,
1984.
[3] T.M. Cover, J.A. Thomas, and J. Wiley. Elements of information theory. Wiley Online
Library, 1991.
[4] Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure
against adaptive chosen ciphertext attack. pages 13–25. Springer-Verlag, 1998.
[5] Ronald Cramer and Victor Shoup. Universal hash proofs and a paradigm for adaptive chosen
ciphertext secure public-key encryption. pages 45–64. Springer-Verlag, 2001.
[6] Ivan Damgard. Towards practical public key systems secure against chosen ciphertext attacks.
Advances in Cryptology – CRYPTO ’91, pages 445–456, 1991.
[7] T. El Gamal. A public key cryptosystem and signature scheme based on discrete logarithms.
IEEE Trans. Inform. Theory, pages 469 – 472, 1985.
[8] O. Goldreich. Foundations of cryptography: Basic applications. Cambridge Univ Pr, 2004.
[9] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of computer and system
sciences, 28(2):270–299, 1984.
[10] Shafi Goldwasser and Silvio Micali. Probabilistic encryption & how to play mental poker
keeping secret all partial information. In STOC ’82: Proceedings of the fourteenth annual
ACM symposium on Theory of computing, pages 365–377, New York, NY, USA, 1982. ACM.
[11] L.A. Levin. Randomness conservation inequalities; information and independence in mathematical theories*. Information and Control, 61(1):15–37, 1984.
[12] Chae Hoon Lim and Pil Joong Lee. Another method for attaining security against adaptively
chosen ciphertext attacks. In In Advances in Cryptology – CRYPTO ’93, pages 420–434.
SpringerVerlag, 1993.
[13] L. Ming and P. Vitanyi. An introduction to Kolmogorov complexity and its applications.
Springer, 1997.
[14] M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen ciphertext
attacks. 22nd Annual ACM Symposium on Theory of Computing, pages 427–437, 1990.
[15] Charles Rackoff and Daniel R. Simon. Non-interactive zero-knowledge proof of knowledge
and chosen ciphertext attack. Advances in Cryptology – CRYPTO ’91, pages 433–444, 1991.
[16] A.C. Yao. Theory and application of trapdoor functions. In 23rd Annual Symposium on
Foundations of Computer Science, pages 80–91. IEEE, 1982.
[17] Yuliang Zheng and Jennifer Seberry. Practical approaches to attaining security against adaptively chosen ciphertext attacks. In Advances in Cryptology – CRYPTO ’92, pages 292–304.
Springer-Verlag, 1992.
15
