Groups for PKE: A Quick Primer Discrete Log and DDH Assumptions, Candidate Trapdoor One-Way Permutations
1 Groups, a primer
2 Groups, a primer
A set G (for us finite, unless otherwise specified)
2 Groups, a primer
A set G (for us finite, unless otherwise specified)
A binary operation *: G×G→G
2 Groups, a primer
A set G (for us finite, unless otherwise specified)
A binary operation *: G×G→G Abuse of notation: G instead of (G,*)
2 Groups, a primer
A set G (for us finite, unless otherwise specified)
A binary operation *: G×G→G Abuse of notation: G instead of (G,*) Sometimes called addition, sometimes called multiplication (depending on the set/operation)
2 Groups, a primer
A set G (for us finite, unless otherwise specified)
A binary operation *: G×G→G Abuse of notation: G instead of (G,*) Sometimes called addition, sometimes called multiplication (depending on the set/operation)
Properties:
2 Groups, a primer
A set G (for us finite, unless otherwise specified)
A binary operation *: G×G→G Abuse of notation: G instead of (G,*) Sometimes called addition, sometimes called multiplication (depending on the set/operation)
Properties: Associativity,
2 Groups, a primer
A set G (for us finite, unless otherwise specified)
A binary operation *: G×G→G Abuse of notation: G instead of (G,*) Sometimes called addition, sometimes called multiplication (depending on the set/operation)
Properties: Associativity, Existence of identity,
2 Groups, a primer
A set G (for us finite, unless otherwise specified)
A binary operation *: G×G→G Abuse of notation: G instead of (G,*) Sometimes called addition, sometimes called multiplication (depending on the set/operation)
Properties: Associativity, Existence of identity, Invertibility
2 Groups, a primer
A set G (for us finite, unless otherwise specified)
A binary operation *: G×G→G Abuse of notation: G instead of (G,*) Sometimes called addition, sometimes called multiplication (depending on the set/operation)
Properties: Associativity, Existence of identity, Invertibility
Also for us (unless specified otherwise) Commutativity
2 Groups, a primer
A set G (for us finite, unless otherwise specified)
A binary operation *: G×G→G Abuse of notation: G instead of (G,*) Sometimes called addition, sometimes called multiplication (depending on the set/operation)
Properties: Associativity, Existence of identity, Invertibility
Also for us (unless specified otherwise) Commutativity
Examples: Z (integers, with addition operation; infinite group), n ZN (integers modulo N), G (G group; coordinate-wise op)
2 Groups, a primer
3 Groups, a primer Computation with groups
3 Groups, a primer Computation with groups For us, finite, but typically large: i.e., exponential in k
3 Groups, a primer Computation with groups For us, finite, but typically large: i.e., exponential in k Some compact representation of the elements (poly(k) bits)
3 Groups, a primer Computation with groups For us, finite, but typically large: i.e., exponential in k Some compact representation of the elements (poly(k) bits) Efficient algorithms for:
3 Groups, a primer Computation with groups For us, finite, but typically large: i.e., exponential in k Some compact representation of the elements (poly(k) bits) Efficient algorithms for: Checking if an element (in standard rep.) is in the group
3 Groups, a primer Computation with groups For us, finite, but typically large: i.e., exponential in k Some compact representation of the elements (poly(k) bits) Efficient algorithms for: Checking if an element (in standard rep.) is in the group Group operation (on elements in standard rep.)
3 Groups, a primer Computation with groups For us, finite, but typically large: i.e., exponential in k Some compact representation of the elements (poly(k) bits) Efficient algorithms for: Checking if an element (in standard rep.) is in the group Group operation (on elements in standard rep.) Inverting
3 Groups, a primer Computation with groups For us, finite, but typically large: i.e., exponential in k Some compact representation of the elements (poly(k) bits) Efficient algorithms for: Checking if an element (in standard rep.) is in the group Group operation (on elements in standard rep.) Inverting Sampling a random element (almost) uniformly
3 Groups, a primer Computation with groups For us, finite, but typically large: i.e., exponential in k Some compact representation of the elements (poly(k) bits) Efficient algorithms for: Checking if an element (in standard rep.) is in the group Group operation (on elements in standard rep.) Inverting Sampling a random element (almost) uniformly Group itself represented by these algorithms
3 Groups, a primer Computation with groups For us, finite, but typically large: i.e., exponential in k Some compact representation of the elements (poly(k) bits) Efficient algorithms for: Checking if an element (in standard rep.) is in the group Group operation (on elements in standard rep.) Inverting Sampling a random element (almost) uniformly Group itself represented by these algorithms For collection of groups: GroupGen, an algorithm to select a group
3 Groups, a primer
4 Groups, a primer Additive notation: X+Y, identity denoted as 0, X+X denoted by 2X
4 Groups, a primer Additive notation: X+Y, identity denoted as 0, X+X denoted by 2X
Multiplicative notation: XY, identity 1, XX denoted as X2
4 Groups, a primer Additive notation: X+Y, identity denoted as 0, X+X denoted by 2X
Multiplicative notation: XY, identity 1, XX denoted as X2
Order of a group G: |G| = number of elements in G
4 Groups, a primer Additive notation: X+Y, identity denoted as 0, X+X denoted by 2X
Multiplicative notation: XY, identity 1, XX denoted as X2
Order of a group G: |G| = number of elements in G
Cyclic group (finite, in multiplicative notation): there is one element g such that G = {g0, g1, g2, ... g|G|-1}
4 Groups, a primer Additive notation: X+Y, identity denoted as 0, X+X denoted by 2X
Multiplicative notation: XY, identity 1, XX denoted as X2
Order of a group G: |G| = number of elements in G
Cyclic group (finite, in multiplicative notation): there is one element g such that G = {g0, g1, g2, ... g|G|-1}
4 Groups, a primer Additive notation: X+Y, identity denoted as 0, X+X denoted by 2X
Multiplicative notation: XY, identity 1, XX denoted as X2
Order of a group G: |G| = number of elements in G
Cyclic group (finite, in multiplicative notation): there is one element g such that G = {g0, g1, g2, ... g|G|-1} g0
4 Groups, a primer Additive notation: X+Y, identity denoted as 0, X+X denoted by 2X
Multiplicative notation: XY, identity 1, XX denoted as X2
Order of a group G: |G| = number of elements in G
Cyclic group (finite, in multiplicative notation): there is one element g such that G = {g0, g1, g2, ... g|G|-1} 0 g g1
4 Groups, a primer Additive notation: X+Y, identity denoted as 0, X+X denoted by 2X
Multiplicative notation: XY, identity 1, XX denoted as X2
Order of a group G: |G| = number of elements in G
Cyclic group (finite, in multiplicative notation): there is one element g such that G = {g0, g1, g2, ... g|G|-1} 0 g g1 g2
4 Groups, a primer Additive notation: X+Y, identity denoted as 0, X+X denoted by 2X
Multiplicative notation: XY, identity 1, XX denoted as X2
Order of a group G: |G| = number of elements in G
Cyclic group (finite, in multiplicative notation): there is one element g such that G = {g0, g1, g2, ... g|G|-1} 0 g g1 g2 g3 . .
4 Groups, a primer Additive notation: X+Y, identity denoted as 0, X+X denoted by 2X
Multiplicative notation: XY, identity 1, XX denoted as X2
Order of a group G: |G| = number of elements in G
Cyclic group (finite, in multiplicative notation): there is one element g such that G = {g0, g1, g2, ... g|G|-1} 0 gN-1 g g1 2 gN-2 g .. g3 .. ..
4 Groups, a primer Additive notation: X+Y, identity denoted as 0, X+X denoted by 2X
Multiplicative notation: XY, identity 1, XX denoted as X2
Order of a group G: |G| = number of elements in G
Cyclic group (finite, in multiplicative notation): there is one element g such that G = {g0, g1, g2, ... g|G|-1} 0 gN-1 g g1 2 gN-2 g e.g. N, with say g=1 (additive group) 3 Z .. g .. ..
4 Groups, a primer Additive notation: X+Y, identity denoted as 0, X+X denoted by 2X
Multiplicative notation: XY, identity 1, XX denoted as X2
Order of a group G: |G| = number of elements in G
Cyclic group (finite, in multiplicative notation): there is one element g such that G = {g0, g1, g2, ... g|G|-1} 0 gN-1 g g1 2 gN-2 g e.g. ZN, with say g=1 (additive group) . g3 . . . or any g s.t. gcd(g,N) = 1 .
4 Groups, a primer Additive notation: X+Y, identity denoted as 0, X+X denoted by 2X
Multiplicative notation: XY, identity 1, XX denoted as X2
Order of a group G: |G| = number of elements in G
Cyclic group (finite, in multiplicative notation): there is one element g such that G = {g0, g1, g2, ... g|G|-1} 0 gN-1 g g1 2 gN-2 g e.g. ZN, with say g=1 (additive group) . g3 . . . or any g s.t. gcd(g,N) = 1 .
Number of generators of ZN =: φ(N)
4 Groups, by examples
0 gN-1 g g1 gN-2 g2 . 3 . g . . . .
5 Groups, by examples
0 gN-1 g g1 gN-2 g2 . 3 . g . . . .
* ZN = (generators of ZN, multiplication mod N)
5 Groups, by examples
0 gN-1 g g1 gN-2 g2 . 3 . g . . . .
* ZN = (generators of ZN, multiplication mod N)
Numbers which have multiplicative inverse mod N
5 Groups, by examples
0 gN-1 g g1 gN-2 g2 . 3 . g . . . .
* ZN = (generators of ZN, multiplication mod N)
Numbers which have multiplicative inverse mod N
* If N is prime, ZN is a cyclic group, of order N-1
5 Groups, by examples
0 gN-1 g g1 gN-2 g2 . 3 . g . . . .
* ZN = (generators of ZN, multiplication mod N)
Numbers which have multiplicative inverse mod N
* If N is prime, ZN is a cyclic group, of order N-1
* e.g. Z5 = {1,2,3,4} is generated by 2 (as {1,2,4,3}), and by 3 (as {1,3,4,2})
5 Groups, by examples
0 gN-1 g g1 gN-2 g2 . 3 . g . . . .
* ZN = (generators of ZN, multiplication mod N)
Numbers which have multiplicative inverse mod N
* If N is prime, ZN is a cyclic group, of order N-1
* e.g. Z5 = {1,2,3,4} is generated by 2 (as {1,2,4,3}), and by 3 (as {1,3,4,2})
(Also cyclic for certain other values of N)
5 Discrete Log
6 Discrete Log
Discrete Log (w.r.t g) in a (multiplicative) group G generated by g: x DLg(X) = unique x such that X = g (x ∈ {0,1,...,|G|-1})
6 Discrete Log
Discrete Log (w.r.t g) in a (multiplicative) group G generated by g: x DLg(X) = unique x such that X = g (x ∈ {0,1,...,|G|-1})
This could be used as a compact representation of elements in G
6 Discrete Log
Discrete Log (w.r.t g) in a (multiplicative) group G generated by g: x DLg(X) = unique x such that X = g (x ∈ {0,1,...,|G|-1})
This could be used as a compact representation of elements in G
Group operation is given by Z|G| operations on the discrete logs
6 Discrete Log
Discrete Log (w.r.t g) in a (multiplicative) group G generated by g: x DLg(X) = unique x such that X = g (x ∈ {0,1,...,|G|-1})
This could be used as a compact representation of elements in G
Group operation is given by Z|G| operations on the discrete logs
But may also consider the group with a different representation * (e.g. natural representation for Zp )
6 Discrete Log
Discrete Log (w.r.t g) in a (multiplicative) group G generated by g: x DLg(X) = unique x such that X = g (x ∈ {0,1,...,|G|-1})
This could be used as a compact representation of elements in G
Group operation is given by Z|G| operations on the discrete logs
But may also consider the group with a different representation * (e.g. natural representation for Zp )
In a computational group, given standard representation of g and x, can efficiently find the standard representation of X=gx (How?)
6 Discrete Log
Discrete Log (w.r.t g) in a (multiplicative) group G generated by g: x DLg(X) = unique x such that X = g (x ∈ {0,1,...,|G|-1})
This could be used as a compact representation of elements in G
Group operation is given by Z|G| operations on the discrete logs
But may also consider the group with a different representation * (e.g. natural representation for Zp )
In a computational group, given standard representation of g and x, can efficiently find the standard representation of X=gx (How?)
But given X and g, may not be easy to find x (depending on G)
6 Discrete Log Assumption
7 Discrete Log Assumption
In several groups, PPT adversaries are assumed to have negligible probability of solving the discrete logarithm problem
7 Discrete Log Assumption
In several groups, PPT adversaries are assumed to have negligible probability of solving the discrete logarithm problem
Probability over choice of the group (from a collection), of a generator, and a random group element X
7 Discrete Log Assumption
In several groups, PPT adversaries are assumed to have negligible probability of solving the discrete logarithm problem
Probability over choice of the group (from a collection), of a generator, and a random group element X
DL Expt: (G,g)←GroupGen; X←G; Adv(G,g,X)→z; gz=X?
7 Discrete Log Assumption
In several groups, PPT adversaries are assumed to have negligible probability of solving the discrete logarithm problem
Probability over choice of the group (from a collection), of a generator, and a random group element X
DL Expt: (G,g)←GroupGen; X←G; Adv(G,g,X)→z; gz=X?
If Eve could solve the discrete logarithm (DL) problem, then Diffie-Hellman key-exchange is no good
7 Discrete Log Assumption
In several groups, PPT adversaries are assumed to have negligible probability of solving the discrete logarithm problem
Probability over choice of the group (from a collection), of a generator, and a random group element X
DL Expt: (G,g)←GroupGen; X←G; Adv(G,g,X)→z; gz=X?
If Eve could solve the discrete logarithm (DL) problem, then Diffie-Hellman key-exchange is no good
Eve gets x, y from gx, gy and can compute gxy herself
7 Discrete Log Assumption
In several groups, PPT adversaries are assumed to have negligible probability of solving the discrete logarithm problem
Probability over choice of the group (from a collection), of a generator, and a random group element X
DL Expt: (G,g)←GroupGen; X←G; Adv(G,g,X)→z; gz=X?
If Eve could solve the discrete logarithm (DL) problem, then Diffie-Hellman key-exchange is no good
Eve gets x, y from gx, gy and can compute gxy herself
A “key-recovery” attack
7 A Candidate DLA Group
8 A Candidate DLA Group
* The cyclic group ZP (P prime)
8 A Candidate DLA Group
* The cyclic group ZP (P prime)
Has N=P-1 elements
8 A Candidate DLA Group
* The cyclic group ZP (P prime)
Has N=P-1 elements
Isomorphic to ZN (Isomorphism: discrete log w.r.t a generator. A different isomorphism for each generator)
8 A Candidate DLA Group 1 8 7 9 5
6 2 * The cyclic group ZP (P prime) 4 3 10 Has N=P-1 elements
Isomorphic to ZN (Isomorphism: discrete log w.r.t a generator. A different isomorphism for each generator)
8 A Candidate DLA Group 1 8 7 9 5
6 2 * The cyclic group ZP (P prime) 4 3 10 Has N=P-1 elements
Isomorphic to ZN (Isomorphism: discrete log w.r.t a generator. A different isomorphism for each generator)
Discrete Logarithm problem (given “std rep.”) considered hard
8 A Candidate DLA Group 1 8 7 9 5
6 2 * The cyclic group ZP (P prime) 4 3 10 Has N=P-1 elements
Isomorphic to ZN (Isomorphism: discrete log w.r.t a generator. A different isomorphism for each generator)
Discrete Logarithm problem (given “std rep.”) considered hard
* i.e., the isomorphism from ZP (in “std rep.”) to ZN is hard to evaluate
8 Decisional Diffie-Hellman (DDH) Assumption
9 Decisional Diffie-Hellman (DDH) Assumption
Assumption that implies CPA security of El Gamal encryption
9 Decisional Diffie-Hellman (DDH) Assumption
Assumption that implies CPA security of El Gamal encryption
x y xy x y r {(g , g , g )}(G,g)←GroupGen; x,y←[|G|] ≈ {(g , g , g )}(G,g)←GroupGen; x,y,r←[|G|]
9 Decisional Diffie-Hellman (DDH) Assumption
Assumption that implies CPA security of El Gamal encryption
x y xy x y r {(g , g , g )}(G,g)←GroupGen; x,y←[|G|] ≈ {(g , g , g )}(G,g)←GroupGen; x,y,r←[|G|] At least as strong as DLA
9 Decisional Diffie-Hellman (DDH) Assumption
Assumption that implies CPA security of El Gamal encryption
x y xy x y r {(g , g , g )}(G,g)←GroupGen; x,y←[|G|] ≈ {(g , g , g )}(G,g)←GroupGen; x,y,r←[|G|] At least as strong as DLA If DDH assumption holds, then DLA holds [Exercise]
9 Decisional Diffie-Hellman (DDH) Assumption
Assumption that implies CPA security of El Gamal encryption
x y xy x y r {(g , g , g )}(G,g)←GroupGen; x,y←[|G|] ≈ {(g , g , g )}(G,g)←GroupGen; x,y,r←[|G|] At least as strong as DLA If DDH assumption holds, then DLA holds [Exercise] But possible that DLA holds and DDH assumption doesn’t
9 Decisional Diffie-Hellman (DDH) Assumption
Assumption that implies CPA security of El Gamal encryption
x y xy x y r {(g , g , g )}(G,g)←GroupGen; x,y←[|G|] ≈ {(g , g , g )}(G,g)←GroupGen; x,y,r←[|G|] At least as strong as DLA If DDH assumption holds, then DLA holds [Exercise] But possible that DLA holds and DDH assumption doesn’t
* e.g.: DLA is widely assumed to hold in Zp (p prime), but DDH assumption doesn’t hold there!
9 A Candidate DDH Group 1 8 7 9 5
6 2 4 3 10
10 A Candidate DDH Group 1 8 7 9 5 Quadratic (QR): “even” elements 6 2 4 3 10
10 A Candidate DDH Group 1 8 7 9 5 Quadratic (QR): “even” elements 6 2 4 3 10
10 A Candidate DDH Group 1 8 7 9 5 Quadratic (QR): “even” elements 6 2 4 3 Does not change with the generator (why?) 10
10 A Candidate DDH Group 1 8 7 9 5 Quadratic (QR): “even” elements 6 2 4 3 Does not change with the generator (why?) 10 Easy to check if an element is a QR or not
10 A Candidate DDH Group 1 8 7 9 5 Quadratic (QR): “even” elements 6 2 4 3 Does not change with the generator (why?) 10 Easy to check if an element is a QR or not
Enough to check if raising to N/2 gives 1 (identity element) (Why?)
10 A Candidate DDH Group 1 8 7 9 5 Quadratic (QR): “even” elements 6 2 4 3 Does not change with the generator (why?) 10 Easy to check if an element is a QR or not
Enough to check if raising to N/2 gives 1 (identity element) (Why?)
* DDH does not hold in ZP
10 A Candidate DDH Group 1 8 7 9 5 Quadratic (QR): “even” elements 6 2 4 3 Does not change with the generator (why?) 10 Easy to check if an element is a QR or not
Enough to check if raising to N/2 gives 1 (identity element) (Why?)
* DDH does not hold in ZP
gxy is a QR w/ prob. 3/4; gz only w/ prob. 1/2.
10 A Candidate DDH Group 1 8 7 9 5 Quadratic (QR): “even” elements 6 2 4 3 Does not change with the generator (why?) 10 Easy to check if an element is a QR or not
Enough to check if raising to N/2 gives 1 (identity element) (Why?)
* DDH does not hold in ZP
gxy is a QR w/ prob. 3/4; gz only w/ prob. 1/2.
* How about in a subgroup of ZP such that all are QRs?
10 A Candidate DDH Group 1 8 7 9 5
6 2 4 3 10
11 A Candidate DDH Group 1 8 7 * * QRP : All QRs in ZP 9 5
6 2 4 3 10
11 A Candidate DDH Group 1 8 7 * * QRP : All QRs in ZP 9 5
Is a (computational) cyclic group of order (P-1)/2 6 2 (Why?) 4 3 10
11 A Candidate DDH Group 1 8 7 * * QRP : All QRs in ZP 9 5
Is a (computational) cyclic group of order (P-1)/2 6 2 (Why?) 4 3 10 DDH potentially hard?
11 A Candidate DDH Group 1 8 7 * * QRP : All QRs in ZP 9 5
Is a (computational) cyclic group of order (P-1)/2 6 2 (Why?) 4 3 10 DDH potentially hard? Could check if cubic residue!
11 A Candidate DDH Group 1 8 7 * * QRP : All QRs in ZP 9 5
Is a (computational) cyclic group of order (P-1)/2 6 2 (Why?) 4 3 10 DDH potentially hard? Could check if cubic residue!
* But if (P-1) is not divisible by 3, all elements in ZP are cubic residues! (Why?)
11 A Candidate DDH Group 1 8 7 * * QRP : All QRs in ZP 9 5
Is a (computational) cyclic group of order (P-1)/2 6 2 (Why?) 4 3 10 DDH potentially hard? Could check if cubic residue!
* But if (P-1) is not divisible by 3, all elements in ZP are cubic residues! (Why?) “Safe” if (P-1)/2 is also prime: P called a safe-prime
11 A Candidate DDH Group 1 8 7 * * QRP : All QRs in ZP 9 5
Is a (computational) cyclic group of order (P-1)/2 6 2 (Why?) 4 3 10 DDH potentially hard? Could check if cubic residue!
* But if (P-1) is not divisible by 3, all elements in ZP are cubic residues! (Why?) “Safe” if (P-1)/2 is also prime: P called a safe-prime DDH Candidate
11 A Candidate DDH Group 1 8 7 * * QRP : All QRs in ZP 9 5
Is a (computational) cyclic group of order (P-1)/2 6 2 (Why?) 4 3 10 DDH potentially hard? Could check if cubic residue!
* But if (P-1) is not divisible by 3, all elements in ZP are cubic residues! (Why?) “Safe” if (P-1)/2 is also prime: P called a safe-prime DDH Candidate
* QRP where P is a “safe prime”
11 To w ar d s Tra p d o o r O W P
12 To w ar d s Tra p d o o r O W P
Two candidates: RSA function and Rabin function
12 To w ar d s Tra p d o o r O W P
Two candidates: RSA function and Rabin function
Over appropriate domains
12 To w ar d s Tra p d o o r O W P
Two candidates: RSA function and Rabin function
Over appropriate domains
Will rely on factorization as the trapdoor
12 To w ar d s Tra p d o o r O W P
Two candidates: RSA function and Rabin function
Over appropriate domains
Will rely on factorization as the trapdoor
Hence one-wayness will rely on hardness of factoring (and more)
12 * ZN
Extended Euclidean algorithm to find (b,d) given (a,N). Used to efficiently invert * elements in ZN
13 * ZN Group operation: “multiplication modulo N”
Extended Euclidean algorithm to find (b,d) given (a,N). Used to efficiently invert * elements in ZN
13 * ZN Group operation: “multiplication modulo N” Has identity, is associative
Extended Euclidean algorithm to find (b,d) given (a,N). Used to efficiently invert * elements in ZN
13 * ZN Group operation: “multiplication modulo N” Has identity, is associative Group elements: all numbers (mod N) which have a multiplicative inverse modulo N
Extended Euclidean algorithm to find (b,d) given (a,N). Used to efficiently invert * elements in ZN
13 * ZN Group operation: “multiplication modulo N” Has identity, is associative Group elements: all numbers (mod N) which have a multiplicative inverse modulo N * * e.g.: Z6 has elements {1,5}, Z7 has {1,2,3,4,5,6}
Extended Euclidean algorithm to find (b,d) given (a,N). Used to efficiently invert * elements in ZN
13 * ZN Group operation: “multiplication modulo N” Has identity, is associative Group elements: all numbers (mod N) which have a multiplicative inverse modulo N * * e.g.: Z6 has elements {1,5}, Z7 has {1,2,3,4,5,6} a has a multiplicative inverse modulo N Extended Euclidean algorithm to find (b,d) given (a,N). Used to efficiently invert * elements in ZN
13 * ZN Group operation: “multiplication modulo N” Has identity, is associative Group elements: all numbers (mod N) which have a multiplicative inverse modulo N * * e.g.: Z6 has elements {1,5}, Z7 has {1,2,3,4,5,6} a has a multiplicative inverse modulo N ⇔ ∃ integers b, c s.t. ab = 1+cN Extended Euclidean algorithm to find (b,d) given (a,N). Used to efficiently invert * elements in ZN
13 * ZN Group operation: “multiplication modulo N” Has identity, is associative Group elements: all numbers (mod N) which have a multiplicative inverse modulo N * * e.g.: Z6 has elements {1,5}, Z7 has {1,2,3,4,5,6} a has a multiplicative inverse modulo N ⇔ ∃ integers b, c s.t. ab = 1+cN Extended Euclidean algorithm to find (b,d) ⇔ gcd(a,N)=1 given (a,N). Used to efficiently invert * elements in ZN
13 * ZN Group operation: “multiplication modulo N” Has identity, is associative Group elements: all numbers (mod N) which have a multiplicative inverse modulo N * * e.g.: Z6 has elements {1,5}, Z7 has {1,2,3,4,5,6} a has a multiplicative inverse modulo N ⇔ ∃ integers b, c s.t. ab = 1+cN Extended Euclidean algorithm to find (b,d) ⇔ gcd(a,N)=1 given (a,N). Used to efficiently invert * (⇒) gcd(a,N) | (ab-cN) elements in ZN
13 * ZN Group operation: “multiplication modulo N” Has identity, is associative Group elements: all numbers (mod N) which have a multiplicative inverse modulo N * * e.g.: Z6 has elements {1,5}, Z7 has {1,2,3,4,5,6} a has a multiplicative inverse modulo N ⇔ ∃ integers b, c s.t. ab = 1+cN Extended Euclidean algorithm to find (b,d) ⇔ gcd(a,N)=1 given (a,N). Used to efficiently invert * (⇒) gcd(a,N) | (ab-cN) elements in ZN (⇐) from Euclid’s algorithm: ∃ b, d s.t. gcd(a,N) = ab+dN
13 * ZN Group operation: “multiplication modulo N” Has identity, is associative Group elements: all numbers (mod N) which have a multiplicative inverse modulo N * * e.g.: Z6 has elements {1,5}, Z7 has {1,2,3,4,5,6} a has a multiplicative inverse modulo N ⇔ ∃ integers b, c s.t. ab = 1+cN Extended Euclidean algorithm to find (b,d) ⇔ gcd(a,N)=1 given (a,N). Used to efficiently invert * (⇒) gcd(a,N) | (ab-cN) elements in ZN (⇐) from Euclid’s algorithm: ∃ b, d s.t. gcd(a,N) = ab+dN * | ZN | = #integers in [1,N-1] co-prime with N = φ(N)
13 * ZP , P prime
14 * ZP , P prime
* Recall ZP
14 * P , P prime 1 Z 8 7 9 5 * 11 * Z Recall ZP 6 2 4 3 10
14 * P , P prime 1 Z 8 7 9 5 * 11 * Z Recall ZP 6 2 4 3 * 10 | ZP | = P-1 (all of them co-prime with P)
14 * P , P prime 1 Z 8 7 9 5 * 11 * Z Recall ZP 6 2 4 3 * 10 | ZP | = P-1 (all of them co-prime with P)
Cyclic: Isomorphic to ZP-1
14 * P , P prime 1 Z 8 7 9 5 * 11 * Z Recall ZP 6 2 4 3 * 10 | ZP | = P-1 (all of them co-prime with P)
Cyclic: Isomorphic to ZP-1
Has φ(P-1) different generators
14 * P , P prime 1 Z 8 7 9 5 * 11 * Z Recall ZP 6 2 4 3 * 10 | ZP | = P-1 (all of them co-prime with P)
Cyclic: Isomorphic to ZP-1
Has φ(P-1) different generators
Discrete Log assumed to be hard
14 * P , P prime 1 Z 8 7 9 5 * 11 * Z Recall ZP 6 2 4 3 * 10 | ZP | = P-1 (all of them co-prime with P)
Cyclic: Isomorphic to ZP-1
Has φ(P-1) different generators
Discrete Log assumed to be hard
* Quadratic Residues form a subgroup QRP
14 * P , P prime 1 Z 8 7 9 5 * 11 * Z Recall ZP 6 2 4 3 * 10 | ZP | = P-1 (all of them co-prime with P)
Cyclic: Isomorphic to ZP-1
Has φ(P-1) different generators
Discrete Log assumed to be hard
* Quadratic Residues form a subgroup QRP
Candidate group for DDH assumption
14 * ZN , N=PQ, two primes
15 * ZN , N=PQ, two primes
* e.g. Z15 = {1,2,4,7,8,11,13,14}
15 * ZN , N=PQ, two primes
* e.g. Z15 = {1,2,4,7,8,11,13,14}
* | ZPQ | = (P-1)(Q-1) (P≠Q, primes)
15 * ZN , N=PQ, two primes
* e.g. Z15 = {1,2,4,7,8,11,13,14}
* | ZPQ | = (P-1)(Q-1) (P≠Q, primes)
Cyclic?
15 * ZN , N=PQ, two primes
* e.g. Z15 = {1,2,4,7,8,11,13,14}
* | ZPQ | = (P-1)(Q-1) (P≠Q, primes)
Cyclic?
* 4 2 4 4 2 4 2 No! In Z15 , 2 = 4 = 7 = 8 = 11 = 13 = 14 = 1 (i.e., each generates at most 4 elements, out of 8)
15 * ZN , N=PQ, two primes
* e.g. Z15 = {1,2,4,7,8,11,13,14}
* | ZPQ | = (P-1)(Q-1) (P≠Q, primes)
Cyclic?
* 4 2 4 4 2 4 2 No! In Z15 , 2 = 4 = 7 = 8 = 11 = 13 = 14 = 1 (i.e., each generates at most 4 elements, out of 8)
* * “Product of two cycles”: Z3 and Z5
15 * ZN , N=PQ, two primes
* e.g. Z15 = {1,2,4,7,8,11,13,14}
* | ZPQ | = (P-1)(Q-1) (P≠Q, primes)
Cyclic?
* 4 2 4 4 2 4 2 No! In Z15 , 2 = 4 = 7 = 8 = 11 = 13 = 14 = 1 (i.e., each generates at most 4 elements, out of 8)
* * “Product of two cycles”: Z3 and Z5
Chinese Remainder Theorem
15 Chinese Remainder Theorem
16 Chinese Remainder Theorem
Consider mapping elements in Z15 (all 15 of them) to Z3 and Z5
16 Chinese Remainder Theorem
Consider mapping elements in Z15 (all 15 of them) to Z3 and Z5 a � (a mod 3, a mod 5)
16 Chinese Remainder Theorem
Z15 Z3 Z5 0 0 0 Consider mapping elements in Z15 (all 15 of them) to Z3 and Z5 a � (a mod 3, a mod 5)
16 Chinese Remainder Theorem
Z15 Z3 Z5 0 0 0 Consider mapping elements in Z15 (all 15 of 1 1 1 them) to Z3 and Z5 a � (a mod 3, a mod 5)
16 Chinese Remainder Theorem
Z15 Z3 Z5 0 0 0 Consider mapping elements in Z15 (all 15 of 1 1 1 them) to Z3 and Z5 a � (a mod 3, a mod 5)
16 Chinese Remainder Theorem
Z15 Z3 Z5 0 0 0 Consider mapping elements in Z15 (all 15 of 1 1 1 2 2 2 them) to Z3 and Z5 3 0 3 a � (a mod 3, a mod 5)
16 Chinese Remainder Theorem
Z15 Z3 Z5 0 0 0 Consider mapping elements in Z15 (all 15 of 1 1 1 2 2 2 them) to Z3 and Z5 3 0 3 a � (a mod 3, a mod 5) 4 1 4 5 2 0 6 0 1 7 1 2 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4
16 Chinese Remainder Theorem
Z15 Z3 Z5 0 0 0 Consider mapping elements in Z15 (all 15 of 1 1 1 2 2 2 them) to Z3 and Z5 3 0 3 a � (a mod 3, a mod 5) 4 1 4 CRT says that the pair (a mod 3, a mod 5) 5 2 0 uniquely determines a (mod 15)! 6 0 1 7 1 2 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4
16 Chinese Remainder Theorem
Z15 Z3 Z5 0 0 0 Consider mapping elements in Z15 (all 15 of 1 1 1 2 2 2 them) to Z3 and Z5 3 0 3 a � (a mod 3, a mod 5) 4 1 4 CRT says that the pair (a mod 3, a mod 5) 5 2 0 uniquely determines a (mod 15)! 6 0 1 7 1 2 All 15 possible pairs occur, once each 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4
16 Chinese Remainder Theorem
Z15 Z3 Z5 0 0 0 Consider mapping elements in Z15 (all 15 of 1 1 1 2 2 2 them) to Z3 and Z5 3 0 3 a � (a mod 3, a mod 5) 4 1 4 CRT says that the pair (a mod 3, a mod 5) 5 2 0 uniquely determines a (mod 15)! 6 0 1 7 1 2 All 15 possible pairs occur, once each 8 2 3 In general for N=PQ (P, Q relatively prime), 9 0 4 a � (a mod P, a mod Q) maps the N 10 1 0 elements to the N distinct pairs 11 2 1 12 0 2 13 1 3 14 2 4
16 Chinese Remainder Theorem
Z15 Z3 Z5 0 0 0 Consider mapping elements in Z15 (all 15 of 1 1 1 2 2 2 them) to Z3 and Z5 3 0 3 a � (a mod 3, a mod 5) 4 1 4 CRT says that the pair (a mod 3, a mod 5) 5 2 0 uniquely determines a (mod 15)! 6 0 1 7 1 2 All 15 possible pairs occur, once each 8 2 3 In general for N=PQ (P, Q relatively prime), 9 0 4 a � (a mod P, a mod Q) maps the N 10 1 0 elements to the N distinct pairs 11 2 1 12 0 2 In fact extends to product of more than 13 1 3 two (relatively prime) numbers 14 2 4
16 Chinese Remainder Theorem
Z15 Z3 Z5 and ZN 0 0 0 1 1 1 2 2 2 3 0 3 4 1 4 5 2 0 6 0 1 7 1 2 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4
17 Chinese Remainder Theorem
Z15 Z3 Z5 and ZN 0 0 0 1 1 1 2 2 2 3 0 3 4 1 4 CRT representation of N: every element of N Z Z 5 2 0 can be written as a unique element of ZP × ZQ 6 0 1 7 1 2 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4
17 Chinese Remainder Theorem
Z15 Z3 Z5 and ZN 0 0 0 1 1 1 2 2 2 3 0 3 4 1 4 CRT representation of N: every element of N Z Z 5 2 0 can be written as a unique element of ZP × ZQ 6 0 1 Addition can be done coordinate-wise 7 1 2 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4
17 Chinese Remainder Theorem
Z15 Z3 Z5 and ZN 0 0 0 1 1 1 2 2 2 3 0 3 4 1 4 CRT representation of N: every element of N Z Z 5 2 0 can be written as a unique element of ZP × ZQ 6 0 1 Addition can be done coordinate-wise 7 1 2 8 2 3 (a,b) +(mod N) (a’,b’) = (a +(mod P) a’,b +(mod Q) b’) 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4
17 Chinese Remainder Theorem
Z15 Z3 Z5 and ZN 0 0 0 1 1 1 2 2 2 3 0 3 4 1 4 CRT representation of N: every element of N Z Z 5 2 0 can be written as a unique element of ZP × ZQ 6 0 1 Addition can be done coordinate-wise 7 1 2 8 2 3 (a,b) +(mod N) (a’,b’) = (a +(mod P) a’,b +(mod Q) b’) 9 0 4 10 1 0 CRT: ZN ≅ ZP × ZQ (group isomorphism) 11 2 1 12 0 2 13 1 3 14 2 4
17 Chinese Remainder Theorem
* Z15 Z3 Z5 and ZN 0 0 0 1 1 1 2 2 2 3 0 3 4 1 4 5 2 0 6 0 1 7 1 2 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4
18 Chinese Remainder Theorem
* Z15 Z3 Z5 and ZN 0 0 0 1 1 1
* 2 2 2 Elements in N Z 3 0 3 4 1 4 5 2 0 6 0 1 7 1 2 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4
18 Chinese Remainder Theorem
* Z15 Z3 Z5 and ZN 0 0 0 1 1 1
* 2 2 2 Elements in N Z 3 0 3 No multiplicative inverse iff (0,x) or (x,0) 4 1 4 5 2 0 6 0 1 7 1 2 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4
18 Chinese Remainder Theorem
* Z15 Z3 Z5 and ZN 0 0 0 1 1 1
* 2 2 2 Elements in N Z 3 0 3 No multiplicative inverse iff (0,x) or (x,0) 4 1 4 5 2 0 Multiplication (and identity, inverse) 6 0 1 also coordinate-wise 7 1 2 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4
18 Chinese Remainder Theorem
* Z15 Z3 Z5 and ZN 0 0 0 1 1 1
* 2 2 2 Elements in N Z 3 0 3 No multiplicative inverse iff (0,x) or (x,0) 4 1 4 5 2 0 Multiplication (and identity, inverse) 6 0 1 also coordinate-wise 7 1 2 * * * Else in ZN : i.e., (x,y) s.t. x∈ ZP , y∈ ZQ 8 2 3 9 0 4 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4
18 Chinese Remainder Theorem
* Z15 Z3 Z5 and ZN 0 0 0 1 1 1
* 2 2 2 Elements in N Z 3 0 3 No multiplicative inverse iff (0,x) or (x,0) 4 1 4 5 2 0 Multiplication (and identity, inverse) 6 0 1 also coordinate-wise 7 1 2 * * * Else in ZN : i.e., (x,y) s.t. x∈ ZP , y∈ ZQ 8 2 3 9 0 4 * * * ZN ≅ ZP × ZQ 10 1 0 11 2 1 12 0 2 13 1 3 14 2 4
18 Chinese Remainder Theorem
* Z15 Z3 Z5 and ZN 0 0 0 1 1 1
* 2 2 2 Elements in N Z 3 0 3 No multiplicative inverse iff (0,x) or (x,0) 4 1 4 5 2 0 Multiplication (and identity, inverse) 6 0 1 also coordinate-wise 7 1 2 * * * Else in ZN : i.e., (x,y) s.t. x∈ ZP , y∈ ZQ 8 2 3 9 0 4 * * * ZN ≅ ZP × ZQ 10 1 0 Easy to compute the isomorphism (in both 11 2 1 directions) if P, Q known [Exercise] 12 0 2 13 1 3 14 2 4
18 RSA Function
19 RSA Function
e fRSA[N,e](x) = x mod N
19 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1
19 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN
19 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN
19 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN fRSA[N,e] is a permutation
19 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN fRSA[N,e] is a permutation
In fact, there exists d s.t. fRSA[N,d] is the inverse of fRSA[N,e]
19 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN fRSA[N,e] is a permutation
In fact, there exists d s.t. fRSA[N,d] is the inverse of fRSA[N,e] d s.t. ed=1 (mod φ(N)), xed = x (mod N)
19 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN fRSA[N,e] is a permutation
In fact, there exists d s.t. fRSA[N,d] is the inverse of fRSA[N,e] d s.t. ed=1 (mod φ(N)), xed = x (mod N) * For ZN because order is φ(N)
19 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN fRSA[N,e] is a permutation
In fact, there exists d s.t. fRSA[N,d] is the inverse of fRSA[N,e] d s.t. ed=1 (mod φ(N)), xed = x (mod N) * For ZN because order is φ(N) For ZN? By CRT, and because multiplication is coordinate-wise ed (and it holds in ZP and ZQ. note: 0 = 0) [Exercise]
19 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN fRSA[N,e] is a permutation with a trapdoor (namely (N,d))
In fact, there exists d s.t. fRSA[N,d] is the inverse of fRSA[N,e] d s.t. ed=1 (mod φ(N)), xed = x (mod N) * For ZN because order is φ(N) For ZN? By CRT, and because multiplication is coordinate-wise ed (and it holds in ZP and ZQ. note: 0 = 0) [Exercise]
19 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN fRSA[N,e] is a permutation with a trapdoor (namely (N,d))
20 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN fRSA[N,e] is a permutation with a trapdoor (namely (N,d))
RSA Assumption: fRSA[N,e] is a OWF collection, when P, Q random k-bit primes and e < N random number s.t. gcd(e,φ(N))=1 (with * inputs uniformly from ZN or ZN )
20 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN fRSA[N,e] is a permutation with a trapdoor (namely (N,d))
RSA Assumption: fRSA[N,e] is a OWF collection, when P, Q random k-bit primes and e < N random number s.t. gcd(e,φ(N))=1 (with * inputs uniformly from ZN or ZN ) Alternate version: e=3, P, Q restricted so that gcd(3,φ(N))=1
20 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN fRSA[N,e] is a permutation with a trapdoor (namely (N,d))
RSA Assumption: fRSA[N,e] is a OWF collection, when P, Q random k-bit primes and e < N random number s.t. gcd(e,φ(N))=1 (with * inputs uniformly from ZN or ZN ) Alternate version: e=3, P, Q restricted so that gcd(3,φ(N))=1 RSA Assumption will be false if one can factorize N
20 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN fRSA[N,e] is a permutation with a trapdoor (namely (N,d))
RSA Assumption: fRSA[N,e] is a OWF collection, when P, Q random k-bit primes and e < N random number s.t. gcd(e,φ(N))=1 (with * inputs uniformly from ZN or ZN ) Alternate version: e=3, P, Q restricted so that gcd(3,φ(N))=1 RSA Assumption will be false if one can factorize N -1 * Then knows φ(N) and can find d=e in Zφ(N)
20 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN fRSA[N,e] is a permutation with a trapdoor (namely (N,d))
RSA Assumption: fRSA[N,e] is a OWF collection, when P, Q random k-bit primes and e < N random number s.t. gcd(e,φ(N))=1 (with * inputs uniformly from ZN or ZN ) Alternate version: e=3, P, Q restricted so that gcd(3,φ(N))=1 RSA Assumption will be false if one can factorize N -1 * Then knows φ(N) and can find d=e in Zφ(N) Converse not known to hold
20 RSA Function
e fRSA[N,e](x) = x mod N Where N=PQ, and gcd(e,φ(N)) = 1 fRSA[N,e]: ZN → ZN * * Alternately, fRSA[N,e]: ZN → ZN fRSA[N,e] is a permutation with a trapdoor (namely (N,d))
RSA Assumption: fRSA[N,e] is a OWF collection, when P, Q random k-bit primes and e < N random number s.t. gcd(e,φ(N))=1 (with * inputs uniformly from ZN or ZN ) Alternate version: e=3, P, Q restricted so that gcd(3,φ(N))=1 RSA Assumption will be false if one can factorize N -1 * Then knows φ(N) and can find d=e in Zφ(N) Converse not known to hold Trapdoor OWP Candidate 20 Rabin Function
21 Rabin Function
2 fRabin[N](x) = x mod N where N=PQ, P,Q primes ≡3 mod 4
21 Rabin Function
2 fRabin[N](x) = x mod N where N=PQ, P,Q primes ≡3 mod 4
Candidate OWF collection (indexed by N)
21 Rabin Function
2 fRabin[N](x) = x mod N where N=PQ, P,Q primes ≡3 mod 4
Candidate OWF collection (indexed by N)
Equivalent to the assumption that fmult is a OWF (for the appropriate distribution)
21 Rabin Function
2 fRabin[N](x) = x mod N where N=PQ, P,Q primes ≡3 mod 4
Candidate OWF collection (indexed by N)
Equivalent to the assumption that fmult is a OWF (for the appropriate distribution) If can factor N, will see how to find square-roots
21 Rabin Function
2 fRabin[N](x) = x mod N where N=PQ, P,Q primes ≡3 mod 4
Candidate OWF collection (indexed by N)
Equivalent to the assumption that fmult is a OWF (for the appropriate distribution) If can factor N, will see how to find square-roots So (P,Q) a trapdoor to “invert”
21 Rabin Function
2 fRabin[N](x) = x mod N where N=PQ, P,Q primes ≡3 mod 4
Candidate OWF collection (indexed by N)
Equivalent to the assumption that fmult is a OWF (for the appropriate distribution) If can factor N, will see how to find square-roots So (P,Q) a trapdoor to “invert” If can take square-root mod N, can factor N [Exercise]
21 Rabin Function
2 fRabin[N](x) = x mod N where N=PQ, P,Q primes ≡3 mod 4
Candidate OWF collection (indexed by N)
Equivalent to the assumption that fmult is a OWF (for the appropriate distribution) If can factor N, will see how to find square-roots So (P,Q) a trapdoor to “invert” If can take square-root mod N, can factor N [Exercise]
* Not a permutation in ZN or ZN [Why?]
21 Rabin Function
2 fRabin[N](x) = x mod N where N=PQ, P,Q primes ≡3 mod 4
Candidate OWF collection (indexed by N)
Equivalent to the assumption that fmult is a OWF (for the appropriate distribution) If can factor N, will see how to find square-roots So (P,Q) a trapdoor to “invert” If can take square-root mod N, can factor N [Exercise]
* Not a permutation in ZN or ZN [Why?]
* How about in QRN ?
21 * Square-roots in ZP
1 8 7 9 5 * Z11 6 2 4 3 10
22 * Square-roots in ZP
1 2 * 8 7 x easy to invert in ZP if (P-1)/2 odd 9 5 * Z11 6 2 4 3 10
22 * Square-roots in ZP
1 2 * 8 7 x easy to invert in ZP if (P-1)/2 odd 9 5 * Let y := (x2) (P+1)/4 to get y2 = x2 Z11 6 2 4 3 10
22 * Square-roots in ZP
1 2 * 8 7 x easy to invert in ZP if (P-1)/2 odd 9 5 * Let y := (x2) (P+1)/4 to get y2 = x2 Z11 6 2 What are the square-roots? 4 3 10
22 * Square-roots in ZP
1 2 * 8 7 x easy to invert in ZP if (P-1)/2 odd 9 5 * Let y := (x2) (P+1)/4 to get y2 = x2 Z11 6 2 What are the square-roots? 4 3 10 √1 = ±1
22 * Square-roots in ZP
1 2 * 8 7 x easy to invert in ZP if (P-1)/2 odd 9 5 * Let y := (x2) (P+1)/4 to get y2 = x2 Z11 6 2 What are the square-roots? 4 3 10 √1 = ±1
x2=1 (mod P) ⇔ (x+1)(x-1) = 0 (mod P) ⇔ (x+1)=0 or (x-1)=0 (mod P) ⇔ x=1 (mod P) or x=-1 (mod P)
22 * Square-roots in ZP
1 2 * 8 7 x easy to invert in ZP if (P-1)/2 odd 9 5 * Let y := (x2) (P+1)/4 to get y2 = x2 Z11 6 2 What are the square-roots? 4 3 10 √1 = ±1
x2=1 (mod P) ⇔ (x+1)(x-1) = 0 (mod P) ⇔ (x+1)=0 or (x-1)=0 (mod P) ⇔ x=1 (mod P) or x=-1 (mod P)
-1 = g(P-1)/2 because (g(P-1)/2)2 = 1 (and g(P-1)/2 ≠ 1, as order(g) = P-1)
22 * Square-roots in ZP
1 2 * 8 7 x easy to invert in ZP if (P-1)/2 odd 9 5 * Let y := (x2) (P+1)/4 to get y2 = x2 Z11 6 2 What are the square-roots? 4 3 10 √1 = ±1
x2=1 (mod P) ⇔ (x+1)(x-1) = 0 (mod P) ⇔ (x+1)=0 or (x-1)=0 (mod P) ⇔ x=1 (mod P) or x=-1 (mod P)
-1 = g(P-1)/2 because (g(P-1)/2)2 = 1 (and g(P-1)/2 ≠ 1, as order(g) = P-1)
2 More generally √(x ) = ±x (i.e., only x and -1*x ) [Why?]
22 * Square-roots in QRP
1 8 7 9 5 * Z11 6 2 4 3 10
23 * Square-roots in QRP
* 2 In ZP √(x ) = ±x 1 8 7 9 5 * Z11 6 2 4 3 10
23 * Square-roots in QRP
* 2 In ZP √(x ) = ±x * 1 How many square-roots stay in QRP ? 8 7 9 5 * Z11 6 2 4 3 10
23 * Square-roots in QRP
* 2 In ZP √(x ) = ±x * 1 How many square-roots stay in QRP ? 8 7 9 5 Depends on P! * Z11 6 2 4 3 10
23 * Square-roots in QRP
* 2 In ZP √(x ) = ±x * 1 How many square-roots stay in QRP ? 8 7 9 5 Depends on P! * * Z11 e.g. QR13 = {±1,±3,±4} 6 2 4 3 10
1 -6 2 -3 4 * -8 Z13 8 -4 3 -2 6 -1
23 * Square-roots in QRP
* 2 In ZP √(x ) = ±x * 1 How many square-roots stay in QRP ? 8 7 9 5 Depends on P! * * Z11 e.g. QR13 = {±1,±3,±4} 6 2 1,3,-4 have 2 square-roots each. But -1,-3,4 4 3 * 10 have none within QR13
1 -6 2 -3 4 * -8 Z13 8 -4 3 -2 6 -1
23 * Square-roots in QRP
* 2 In ZP √(x ) = ±x * 1 How many square-roots stay in QRP ? 8 7 9 5 Depends on P! * * Z11 e.g. QR13 = {±1,±3,±4} 6 2 1,3,-4 have 2 square-roots each. But -1,-3,4 4 3 * 10 have none within QR13 * * * Since -1 ∈ QR13 , x ∈ QR13 ⇒ -x ∈ QR13 1 -6 2 -3 4 * -8 Z13 8 -4 3 -2 6 -1
23 * Square-roots in QRP
* 2 In ZP √(x ) = ±x * 1 How many square-roots stay in QRP ? 8 7 9 5 Depends on P! * * Z11 e.g. QR13 = {±1,±3,±4} 6 2 1,3,-4 have 2 square-roots each. But -1,-3,4 4 3 * 10 have none within QR13 * * * Since -1 ∈ QR13 , x ∈ QR13 ⇒ -x ∈ QR13 1 * -6 2 -1 ∈ P iff (P-1)/2 even QR -3 4 * -8 Z13 8 -4 3 -2 6 -1
23 * Square-roots in QRP
* 2 In ZP √(x ) = ±x * 1 How many square-roots stay in QRP ? 8 7 9 5 Depends on P! * * Z11 e.g. QR13 = {±1,±3,±4} 6 2 1,3,-4 have 2 square-roots each. But -1,-3,4 4 3 * 10 have none within QR13 * * * Since -1 ∈ QR13 , x ∈ QR13 ⇒ -x ∈ QR13 1 * -6 2 -1 ∈ P iff (P-1)/2 even QR -3 4 * -8 13 8 * Z If (P-1)/2 odd, exactly one of ±x in P (for all x) QR -4 3 -2 6 -1
23 * Square-roots in QRP
* 2 In ZP √(x ) = ±x * 1 How many square-roots stay in QRP ? 8 7 9 5 Depends on P! * * Z11 e.g. QR13 = {±1,±3,±4} 6 2 1,3,-4 have 2 square-roots each. But -1,-3,4 4 3 * 10 have none within QR13 * * * Since -1 ∈ QR13 , x ∈ QR13 ⇒ -x ∈ QR13 1 * -6 2 -1 ∈ P iff (P-1)/2 even QR -3 4 * -8 13 8 * Z If (P-1)/2 odd, exactly one of ±x in P (for all x) QR -4 3 -2 6 * Then, squaring is a permutation in QRP -1
23 * Square-roots in QRP
1 8 7 9 5 * Z11 6 2 4 3 10
24 * Square-roots in QRP
1 8 7 * 2 In ZP √(x ) = ±x (i.e., x and -1*x ) 9 5 * Z11 6 2 4 3 10
24 * Square-roots in QRP
1 8 7 * 2 In ZP √(x ) = ±x (i.e., x and -1*x ) 9 5 * Z11 * If (P-1)/2 odd, squaring is a permutation in QRP 6 2 4 3 10
24 * Square-roots in QRP
1 8 7 * 2 In ZP √(x ) = ±x (i.e., x and -1*x ) 9 5 * Z11 * If (P-1)/2 odd, squaring is a permutation in QRP 6 2 4 3 But easy to compute both ways 10
24 * Square-roots in QRP
1 8 7 * 2 In ZP √(x ) = ±x (i.e., x and -1*x ) 9 5 * Z11 * If (P-1)/2 odd, squaring is a permutation in QRP 6 2 4 3 But easy to compute both ways 10
(P+1)/4 * In fact √z = z ∈ QRP (because (P+1)/2 even)
24 * Square-roots in QRP
1 8 7 * 2 In ZP √(x ) = ±x (i.e., x and -1*x ) 9 5 * Z11 * If (P-1)/2 odd, squaring is a permutation in QRP 6 2 4 3 But easy to compute both ways 10
(P+1)/4 * In fact √z = z ∈ QRP (because (P+1)/2 even)
* Rabin function defined in QRN and relies on keeping the factorization of N=PQ hidden
24 * QRN
25 * QRN
* What do elements in QRN look like, for N=PQ?
25 * QRN
* What do elements in QRN look like, for N=PQ? * * * By CRT, can write a ∈ ZN as (x,y) ∈ ZP ×ZQ
25 * QRN
* What do elements in QRN look like, for N=PQ? * * * By CRT, can write a ∈ ZN as (x,y) ∈ ZP ×ZQ 2 2 2 * * CRT representation of a is (x ,y ) ∈ QRP ×QRQ
25 * QRN
* What do elements in QRN look like, for N=PQ? * * * By CRT, can write a ∈ ZN as (x,y) ∈ ZP ×ZQ 2 2 2 * * CRT representation of a is (x ,y ) ∈ QRP ×QRQ * * * QRN ≅ QRP × QRQ
25 * QRN
* What do elements in QRN look like, for N=PQ? * * * By CRT, can write a ∈ ZN as (x,y) ∈ ZP ×ZQ 2 2 2 * * CRT representation of a is (x ,y ) ∈ QRP ×QRQ * * * QRN ≅ QRP × QRQ * If both P,Q≡3 (mod 4), then squaring is a permutation in QRN
25 * QRN
* What do elements in QRN look like, for N=PQ? * * * By CRT, can write a ∈ ZN as (x,y) ∈ ZP ×ZQ 2 2 2 * * CRT representation of a is (x ,y ) ∈ QRP ×QRQ * * * QRN ≅ QRP × QRQ * If both P,Q≡3 (mod 4), then squaring is a permutation in QRN 2 2 * * * * √(x ,y ) = (±x,±y) in ZP ×ZQ but exactly one in QRP ×QRQ
25 * QRN
* What do elements in QRN look like, for N=PQ? * * * By CRT, can write a ∈ ZN as (x,y) ∈ ZP ×ZQ 2 2 2 * * CRT representation of a is (x ,y ) ∈ QRP ×QRQ * * * QRN ≅ QRP × QRQ * If both P,Q≡3 (mod 4), then squaring is a permutation in QRN 2 2 * * * * √(x ,y ) = (±x,±y) in ZP ×ZQ but exactly one in QRP ×QRQ Can efficiently do this, if can compute (and invert) the * * * isomorphism from QRN to QRP ×QRQ
25 * QRN
* What do elements in QRN look like, for N=PQ? * * * By CRT, can write a ∈ ZN as (x,y) ∈ ZP ×ZQ 2 2 2 * * CRT representation of a is (x ,y ) ∈ QRP ×QRQ * * * QRN ≅ QRP × QRQ * If both P,Q≡3 (mod 4), then squaring is a permutation in QRN 2 2 * * * * √(x ,y ) = (±x,±y) in ZP ×ZQ but exactly one in QRP ×QRQ Can efficiently do this, if can compute (and invert) the * * * isomorphism from QRN to QRP ×QRQ (P,Q) is a trapdoor
25 * QRN
* What do elements in QRN look like, for N=PQ? * * * By CRT, can write a ∈ ZN as (x,y) ∈ ZP ×ZQ 2 2 2 * * CRT representation of a is (x ,y ) ∈ QRP ×QRQ * * * QRN ≅ QRP × QRQ * If both P,Q≡3 (mod 4), then squaring is a permutation in QRN 2 2 * * * * √(x ,y ) = (±x,±y) in ZP ×ZQ but exactly one in QRP ×QRQ Can efficiently do this, if can compute (and invert) the * * * isomorphism from QRN to QRP ×QRQ (P,Q) is a trapdoor * th * Without trapdoor, OWF candidate (QRN forms 1/4 of ZN )
25 Rabin Function
26 Rabin Function
2 fRabin[N](x) = x mod N
26 Rabin Function
2 fRabin[N](x) = x mod N Candidate OWF collection, with N=PQ (P,Q random k-bit primes)
26 Rabin Function
2 fRabin[N](x) = x mod N Candidate OWF collection, with N=PQ (P,Q random k-bit primes)
* If P, Q ≡3 (mod 4), then in QRN
26 Rabin Function
2 fRabin[N](x) = x mod N Candidate OWF collection, with N=PQ (P,Q random k-bit primes)
* If P, Q ≡3 (mod 4), then in QRN
A permutation
26 Rabin Function
2 fRabin[N](x) = x mod N Candidate OWF collection, with N=PQ (P,Q random k-bit primes)
* If P, Q ≡3 (mod 4), then in QRN
A permutation
Has a trapdoor for inverting (namely (P,Q))
26 Rabin Function
2 fRabin[N](x) = x mod N Candidate OWF collection, with N=PQ (P,Q random k-bit primes)
* If P, Q ≡3 (mod 4), then in QRN
A permutation
Has a trapdoor for inverting (namely (P,Q))
Candidate Trapdoor OWP
26 Summary
27 Summary
* A DLA candidate: ZP
27 Summary
* A DLA candidate: ZP * A DDH candidate: QRP where P is a safe prime
27 Summary
* A DLA candidate: ZP * A DDH candidate: QRP where P is a safe prime Chinese Remainder Theorem
27 Summary
* A DLA candidate: ZP * A DDH candidate: QRP where P is a safe prime Chinese Remainder Theorem ZN ≅ ZP × ZQ
27 Summary
* A DLA candidate: ZP * A DDH candidate: QRP where P is a safe prime Chinese Remainder Theorem ZN ≅ ZP × ZQ * * * ZN ≅ ZP × ZQ
27 Summary
* A DLA candidate: ZP * A DDH candidate: QRP where P is a safe prime Chinese Remainder Theorem ZN ≅ ZP × ZQ * * * ZN ≅ ZP × ZQ * * * QRN ≅ QRP × QRQ
27 Summary
* A DLA candidate: ZP * A DDH candidate: QRP where P is a safe prime Chinese Remainder Theorem ZN ≅ ZP × ZQ * * * ZN ≅ ZP × ZQ * * * QRN ≅ QRP × QRQ T-OWP candidates:
27 Summary
* A DLA candidate: ZP * A DDH candidate: QRP where P is a safe prime Chinese Remainder Theorem ZN ≅ ZP × ZQ * * * ZN ≅ ZP × ZQ * * * QRN ≅ QRP × QRQ T-OWP candidates: e fRSA[N,e] = x mod N where N=PQ and gcd(e,φ(N))=1
27 Summary
* A DLA candidate: ZP * A DDH candidate: QRP where P is a safe prime Chinese Remainder Theorem ZN ≅ ZP × ZQ * * * ZN ≅ ZP × ZQ * * * QRN ≅ QRP × QRQ T-OWP candidates: e fRSA[N,e] = x mod N where N=PQ and gcd(e,φ(N))=1 -1 * Trapdoor: (P,Q) → φ(N) → d=e in Zφ(N)
27 Summary
* A DLA candidate: ZP * A DDH candidate: QRP where P is a safe prime Chinese Remainder Theorem ZN ≅ ZP × ZQ * * * ZN ≅ ZP × ZQ * * * QRN ≅ QRP × QRQ T-OWP candidates: e fRSA[N,e] = x mod N where N=PQ and gcd(e,φ(N))=1 -1 * Trapdoor: (P,Q) → φ(N) → d=e in Zφ(N) 2 fRabin[N] = x mod N where N=PQ, where P,Q ≡3 (mod 4)
27 Summary
* A DLA candidate: ZP * A DDH candidate: QRP where P is a safe prime Chinese Remainder Theorem ZN ≅ ZP × ZQ * * * ZN ≅ ZP × ZQ * * * QRN ≅ QRP × QRQ T-OWP candidates: e fRSA[N,e] = x mod N where N=PQ and gcd(e,φ(N))=1 -1 * Trapdoor: (P,Q) → φ(N) → d=e in Zφ(N) 2 fRabin[N] = x mod N where N=PQ, where P,Q ≡3 (mod 4) Trapdoor: (P,Q)
27