Discrete Square Roots Cryptosystems Rabin Cryptosystem

CHAPTER 6: OTHER CRYPTOSYSTEMS and BASIC CRYPTOGRAPHY PRIMITIVES

A large number of interesting and important cryptosystems have already been designed. In this chapter we present several other of them in order to illustrate other principles and techniques that can be used to design cryptosystems.

Part VI At ﬁrst, we present several cryptosystems security of which is based on the fact that computation of square roots and discrete logarithms is in general infeasible in some Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash groups. functions Secondly, we discuss one of the fundamental questions of modern cryptography: when can a cryptosystem be considered as (computationally) perfectly secure?

In order to do that we will: discuss the role randomness play in the cryptography; introduce the very fundamental deﬁnitions of perfect security of cryptosystem present some examples of perfectly secure cryptosystems.

Finally, we discuss in some details such important cryptography primitives as pseudo-random number generators and hash functions prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 2/66

DISCRETE SQUARE ROOTS CRYPTOSYSTEMS RABIN CRYPTOSYSTEM

Let Blum primes p, q are kept secret, and let the Blum integer n = pq be the public key. Encryption: of a plaintext w < n

c = w 2 (mod n)

Decryption: -brieﬂy

It is easy to verify (using Euler’s criterion which says that if c is a quadratic residue (p 1)/2 modulo p, then c − 1 (mod p),) that DISCRETE SQUARE ROOTS CRYPTOSYSTEMS ≡ c(p+1)/4mod p and c(q+1)/4mod q ± ± p+1 p 1 are two square roots of c modulo p and q. (Indeed, 2 = −2 + 1) One can now obtain four square roots of c modulo n using the method of Chinese remainder shown in the Appendix.

In case the plaintext w is a meaningful English text, it should be easy to determine w from the four square roots w1, w2, w3, w4 presented above. However, if w is a random string (say, for a key exchange) it is impossible to determine w from w1, w2, w3, w4.

Rabin did not propose this system as a practical cryptosystem. prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 3/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 4/66 COMPUTATION of SQUARE ROOTS MODULO PRIMES CHINESE REMAINDER THEOREM

Theorem Let m1,..., mt be integers, gcd(mi , mj ) = 1 if i = j, and a1,..., at be integers 6 such that 0 < ai < mi , 1 i t. ≤ ≤ In case of Blum primes p and q and Blum integer n = pq, in order to solve the equation Then the system of congruences x 2 a(mod n), one needs to compute squares of a modulo p and modulo q and then to ≡ x ai (mod mi ), 1 i t use the Chinese remainder theorem to solve the equation x 2 = a (mod pq). ≡ ≤ ≤ has the solution

t Example To solve modular equation x 2 71 (mod 77),one needs to solve modular ≡ x = ai Mi Ni (?) equation i=1 x 2 71 1 (mod 7) to get x 1(mod 7) X ≡ ≡ ≡ ± where and t M 1 to solve also modular equation M = mi , Mi = , Ni = Mi− mod mi mi 2 i=1 x 71 5 (mod 11) to get x 4 (mod 11). Y ≡ ≡ ≡ ± and the solution (?) is unique up to the congruence modulo M. Using the Chinese Remainder Theorem we then get Application Each integer 0 < x < M is uniquely represented by t-tuple: x 15, 29 (mod 77). ≡ ± ± x (mod m1),..., x (mod mt ).

Example If m1 = 2, m2 = 3, m3 = 5, then (1, 0, 2) represents integer 27. Advantage: With such a modular representation addition, subtraction and multiplication can be done component-wise and therefore in parallel time. prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 5/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 6/66

DETAILS and CORRECTNESS of DECRYPTION I DETAILS and CORRECTNESS of DECRYPTION II

Blum primes p, q form a secret key; n = pq is the public key.

Encryption of a plaintext w < n: Since c = w 2 mod n we have c w 2 (mod p) and c w 2 (mod q); ≡ ≡ 2 c = w mod n. (p+1)/4 2 (p+1)/2 (p 1)/2 Since r c , we have r c c − c (mod p), and Fermat theorem ≡ ≡ ≡ Decryption: Compute then implies that r 2 c (mod p); ≡ r = c(p+1)/4 mod p and s = c(q+1)/4 mod q; Similarly, since s c(q+1)/4 we receive s2 c (mod q); Find integers a, b such that ap + bq = 1 and compute ≡ ≡

x = (aps + bqr) mod n, y = (aps bqr) mod n Since x 2 (a2p2s2 + b2q2r 2) (mod n) and ap + bq = 1 we have bq 1 (mod p) − ≡ ≡ and therefore x 2 r 2 (mod p); Four square roots of c modn then are (all modulo n): ≡

x, y, x, y Similarly we get x 2 s2 (mod q) and the Chinese remainder theorem then implies − − ≡ x 2 c (mod n); ≡

In case w is a meaningful English text, it should be easy to determine w from 2 x, y, x, y. Similarly we get y c (mod n). − − ≡

However, this is not the case if w is an arbitrary string.

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 7/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 8/66 GENERALIZED RABIN CRYPTOSYSTEM SECURITY of RABIN CRYPTOSYSTEM

Public key: n, B (0 B < n) We show that any hypothetical decryption algorithm A for Rabin cryptosystem, can be ≤ Trapdoor: Blum primes p, q (n = pq) used, as an oracle, in the following randomized algorithm, to factor an integer n. Encryption: e(x) = x(x + B) mod n Algorithm: B2 B Decryption: d(y) = 4 + y 2 mod n − 1 Choose a random r, 1 r < n; „q « ≤ 2 2 It is easy to verify that if ω is a nontrivial square root of 1 modulo n, then there are four 2 Compute y = (r B /4) mod n; y = ek (r B/2) . decryptions of e(x): − { − } B2 B 3 Call A(y), to obtain a decryption x = + y mod n; x, x, ω x + B B , ω x + B B 4 − 2 − 2 − 2 − 2 − 2 „ « q2 2 Example ` ´ ` ´ 4 Compute x1 = x + B/2; x1 r mod n B B B B B B 2 B 2 B 2 { ≡ } e ω x + 2 2 = ω x + 2 2 ω x + 2 + 2 = ω x + 2 2 = − − − 5 if x1 = r then quit (failure) x 2 + Bx = e(x) ± ` ` ´ ´ ` ` ´ ´ ` ` ´ ´ ` ´ ` ´ else gcd(x1 + r, n) = p or q Decryption of the generalized Rabin cryptosystem can be reduced to the decryption of the original Rabin cryptosystem. Indeed, after Step 4, either x1 = r mod n or x1 = ωr mod n. 2 ± ± Indeed, the equation x + Bx y (mod n) can be transformed, In the second case we have ≡ 2 2 by the substitution x = x1 B/2 , into x1 B /4 + y (mod n) 2 − 2 ≡ n (x1 r)(x1 + r), and, by deﬁning c = B /4 + y, into x1 c (mod n) ≡ | − Decryption can be done by factoringn and solving congruences but n does not divide any of the factors x1 r or x1 + r. − 2 2 Therefore computation of gcd(x1 + r, n) or gcd(x1 r, n) must yield factors of n. x1 c (mod p) x1 c (mod q) − prof. Jozef Gruska IV054 6. Public-key≡ cryptosystems, II. Other cryptosystems,≡ security, PRG, hash functions 9/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 10/66

DISCRETE LOGARITHM CRYPTOSYSTEMS ElGamal CRYPTOSYSTEM

Design: choosea large prime p – (with at least 150 digits). choose two random integers 1 q, x < p – where q is a primitive element of Z ∗p ≤ calculate y = qx mod p. Public key: p, q, y; trapdoor: x Encryption of a plaintext w: choose a random r and compute a = qr mod p, b = y r w mod p Cryptotext: c = (a, b) DISCRETE LOGARITHM CRYPTOSYSTEMS (Cryptotext contains indirectly r and the plaintext is ”masked” by multiplying with y r (and taking modulo p)) b x Decryption: w = ax mod p = ba− mod p. Proof of correctness: ax qrx mod p ≡ b y r w qrx w w(mod p) ax ≡ ax ≡ qrx ≡

Note: Security of the ElGamal cryptosystem is based on infeasibility of the discrete logarithm computation.

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 11/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 12/66 SHANKS’ ALGORITHM for DISCRETE ALGORITHM BIT SECURITY of DISCRETE LOGARITHM

Let us consider problem to compute Li (y) = i-th least signiﬁcant bit of lgqy in Z ∗p.

Let m = √p 1 . The following algorithm computes lg y in Z ∗p. d − e q Result 1 L1(y) can be computed efficiently. mj To show that we use the fact that the set QR(p) has (p 1)/2 elements. 1 Compute q mod p, 0 j m 1. ≤ ≤ − a − mj Let q be a primitive element of Z ∗p. Clearly, q QR(p) if a is even. Since the elements 2 Create list L1 of m pairs (j, q mod p), sorted by the second item. ∈ i 0 2 p 3 3 Compute yq− mod p, 0 i m 1. q mod p, q mod p,..., q − mod p ≤ ≤ − i 4 Create list L2 of pairs (i, yq− mod p) sorted by the second item. are all distinct, we have that 5 Find two pairs, one (j, z) L1 and (i, z) L2 with identical second element ∈ ∈ QR(p) = q2i mod p 0 i (p 3)/2 { | ≤ ≤ − } If such a search is successful, then Consequence: y is a quadratic residue iff lgqy is even, that is iff L1(y) = 0. mj i q mod p = z = yq− mod p (p 1)/2 By Euler’s criterion y is a quadratic residue if y − 1 mod p and as the result ≡ L (y) can therefore be computed as follows: qmj+i y (mod p) 1 ≡ (p 1)/2 On the other hand, for any y we can write L1(y) = 0 if y − 1 mod p; ≡ lgqy = mj + i, L1(y) = 1 otherwise for some 0 i, j < m. Hence the search in the Step 5 of the algorithm has to be ≤ successful. Result 2 Efficient computability of Li (y), i > 1 in Z ∗p would imply efficient computability of the discrete logarithm in Z ∗p.

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 13/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 14/66

GROUP VERSION of ElGamal CRYPTOSYSTEM FEISTEL ENCRYPTION/DECRYPTION SCHEME

A group version of discrete logarithm problem This is a general scheme for design of cryptosystems that Given a group (G, ), α G, β αi i 0 . Find was used at the design of several important ◦ ∈ ∈ { | ≥ } L k cryptosystems, such as Lucifer and DES. 0 R0 log β = k such that α = β that is k = log β α α Its main advantage is that encryption and decryption are K very similar, and even identical in some cases, and then 0 the same hardware can be used for both encryption and GROUP VERSION of ElGamal CRYPTOSYSTEM F decryption. ElGamal cryptosystem can be implemented in any group in which discrete logarithm Let F a be a so-called round function and K0, K1,..., Kn K problem is infeasible. be sub-keys for rounds 0, 1, 2,..., n. 1 Encryption is as follows: Cryptosystem for (G, ) F ◦ Split the plaintext into two equal size parts L0, R0. Public key: α, β k For rounds i 0, 1,..., n compute Trapdoor: k such that α = β ∈ { }

Li+1 = Ri ; Ri+1 = Li F (Ri , ki ) Encryption: of a plaintext w and a random integer k ⊕ k k Kn+1 e(w, k) = (y1, y2) where y1 = α , y2 = w β then the ciphertext is (Rn+1, Ln+1) ◦ Decryption of (Rn+1, Ln+1) is done by computing, for F i = n, n 1,..., 0 − Decryption: of cryptotext (y1, y2): L n+1 Rn+1 Ri = Li+1, Li = Ri+1 F (Li+1, Ki ) k d(y1, y2) = y2 y − ⊕ ◦ 1 and (L0, R0) is the plaintext prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 15/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 16/66 An important special case is that of computation of discrete logarithm in a group of points of an elliptic curve defined over a finite field. WHEN ARE ENCRYPTIONS PERFECTLY SECURE? RANDOMIZED ENCRYPTIONS

From security point of view, public-key cryptography with deterministic encryptions has the following serious drawback:

A cryptanalyst who knows the public encryption function e k and a cryptotext c can try to guess a plaintext w, compute e k (w) and compare it with c. The purpose of randomized encryptions is to encrypt messages, using randomized algorithms, in such a way that one can prove that no feasible computation on the cryptotext can provide any information whatsoever about the corresponding plaintext (except with a negligible probability). WHEN ARE ENCRYPTIONS PERFECTLY SECURE? Formal setting: Given: plaintext-spaceP cryptotext C key-space K random-space R

encryption: e k : P x R C → P decryption: d k : C P or C 2 such that for any p, r: → →

p = dk (ek (p, r)) or p dk (ek (p, r)) ∈

dk and ek should be easy to compute. Given e k , it should be unfeasible to determine d k . prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 17/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 18/66

WHEN is a CRYPTOSYSTEM (perfectly) SECURE? SECURE ENCRYPTIONS – BASIC CONCEPTS I

We now start to discuss a very nontrivial question: when is an encryption scheme First question: Is it enough for perfect security of a cryptosystem that one cannot get a computationally perfectly SECURE? plaintext from a cryptotext? At ﬁrst, we introduce two very basic technical concepts: NO, NO, NO Deﬁnition A function f:N R is a negligible function if for any polynomial p(n) and WHY → for almost all n: For many applications it is crucial that no information about the plaintext could be f (n) 1 obtained. ≤ p(n)

Intuitively, a cryptosystem is (perfectly) secure if one cannot get any (new) Definition – computational distinguishibility Let X = Xn n N and Y = Yn n N be { } ∈ { } ∈ information about the corresponding plaintext from any cryptotext. probability ensembles such that each Xn and Yn ranges over strings of length n. We say It is very nontrivial to define fully precisely when a cryptosystem is (computationally) that X and Y are computationally indistinguishable if for every feasible algorithm A the perfectly secure. difference It has been shown that perfectly secure cryptosystems have to use randomized dA(n) = Pr[A(Xn) = 1] Pr[A(Yn) = 1] encryptions. | − | is a negligible function in n.

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 19/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 20/66 SECURE ENCRYPTION – FIRST DEFINITION SECURE ENCRYPTIONS – SECOND DEFINITION

Deﬁnition – semantic security of encryption A cryptographic system with an encryption function e is semantically secure if for every feasible algorithm A, there exists a feasible algorithm B so that for every two functions

n f , h : 0, 1 ∗ 0, 1 Definition A randomized-encryption cryptosystem is { } → { } n and all probability ensembles X n n N , where X n ranges over 0, 1 polynomial time secure if, for anyc N and sufficiently { } ∈ { } ∈ larges N (security parameter), any randomized Pr[A(e(Xn), h(Xn)) = f (Xn)] < Pr[B(h(Xn)) = f (Xn)] + µ(n), ∈ where µ is a negligible function. polynomial time algorithms that takes as inputs (in unary) and the public key, cannot distinguish between randomized In other words a cryptographic system is encryptions, by that key, of two given messages of length semantically secure if what we can do with c, with the probability larger than 1 + 1 . knowledge of cryptotext we can do also without 2 sc knowledge of cryptotext. It can be shown that any semantically Both definitions are equivalent. secure public-key cryptosystem must use a randomized encryption algorithm. RSA cryptosystem is not secure in the above sense. However, randomized versions of RSA are semantically secure.

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 21/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 22/66

PSEUDORANDOM GENERATORS PSEUDORANDOM GENERATORS STORY

Pseudorandom generators are algorithms that generate pseudorandom (almost random) strings or integers.

Pseudorandom generators is an additional key concept of cryptography and of the design of eﬃcient algorithms. PSEUDORANDOM GENERATORS There is a variety of classical algorithms capable to generate pseudorandomness of diﬀerent quality concerning randomness.

Quantum processes can generate perfect randomness and on this basis quantum (almost perfect) generators of randomness are already commercially available.

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 23/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 24/66 CRYPTOGRAPHICALLY PERFECT PSEUDORANDOM SIMPLE PSEUDORANDOM GENERATORS GENERATORS

One of the most basic questions of perfect security of Informally, a pseudorandom generator is a deterministic polynomial time algorithm which expands short random sequences (called seeds) into longer bit sequences such that encryptions is whether there are cryptographically the resulting probability distribution is in polynomial time indistinguishable from the perfect pseudorandom generators and what such a uniform probability distribution. concept really means. Example. Linear congruential generator

The concept of pseudorandom generators is quite old. An 2 One chooses n-bit numbers m, a, b, X0 and generates an n element sequence interesting example is due to John von Neumann: X1X2 ... Xn2 Take an arbitrary integer x as the ”seed” of n-bit numbers by the iterative process and repeat the following process: Xi+1 = (aXi + b) mod m. compute x 2 and take a sequence of the middle digits of x 2 as a new ”seed” x.

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 25/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 26/66

CRYPTOGRAPHIC PSEUDORANDOM GENERATORS PSEUDORANDOM GENERATORS and ENCRYPTIONS

In cryptography random sequences can usually be replaced by pseudorandom sequences generated by (cryptographically perfect/strong) pseudorandom generators. Definition - pseudorandom generator. Let l(n): N N be such that l(n) > n for all → n.A (computationally indistinguishable) pseudorandom generator with a stretch If two parties share a pseudorandom generator g, function l, is an efficient deterministic algorithm which on the input of a random n-bit seed outputs a l(n)-bit sequence which is computationally indistinguishable from any and exchange (secretly) a short random string - random l(n)-bit sequence. (seed)- s Definition A predicate b is a hard core predicate of the functionf if b is easy to evaluate, but b(x) is hard to predict from f(x). (That is, it is unfeasible, given f(x) where x is uniformly chosen, to predict b(x) substantially better than with the probability 1/2.) then they can generate and use long Conjecture: The least significant bit of x 2 mod n is a hard-core predicate. pseudorandom string g(s) as a key k

Theorem Letf be a one-way function which is length preserving and eﬃciently computable, and b be a hard core predicate off, then for one-time pad for encoding and decoding.

l( s ) 1 G(s) = b(s) b(f (s)) b f | | − (s) · ··· is a (cryptographically perfect) pseudorandom generator“ with stretch” function l(n).

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 27/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 28/66 CRYPTOGRAPHICALLY STRONG (PERFECT) CANDIDATES for CRYPTOGRAPHICALLY STRONG PSEUDO-RANDOM GENERATORS PSEUDO-RANDOM GENERATORS

So far there are only candidates for cryptographically strong pseudo-random generators. Fundamental question: when is a pseudo-random generator good enough for cryptographical purposes? For example, cryptographically strong are all pseudo-random generators that are unpredictable to the left in the sense that a cryptanalyst that knows the generator and Basic concept:A pseudo-random generator is called cryptographically strong if the sees the whole generated sequence except its first bit has no better way to find out this sequence of bits it produces, from a short random seed, is so good for using with first bit than to toss the coin. ONE-TIME PAD cryptosystem, that no polynomial time algorithm allows a cryptanalyst to learn any information about the plaintext from the cryptotext. It has been shown that if integer factoring is intractable, then the so-called BBS pseudo-random generator, discussed below, is unpredictable to the left. A cryptographically strong pseudo-random generator would therefore provide sufficient security in a secret-key cryptosystem if both parties agree on some short seed and never (We make use of the fact that if factoring is unfeasible, then for almost all quadratic use it twice. residues x mod n, coin-tossing is the best possible way to estimate the least significant 2 As discussed later: Cryptographically strong pseudo-random generators could provide bit of x after seeing x mod n.) perfect secrecy also for public-key cryptography. Let n be a Blum integer. Choose a random quadratic residue x0 (modulo n). Problem: Do cryptographically strong pseudo-random generators exist? For i 0 let ≥ 2 Remark: The concept of a cryptographically strong pseudo-random generator is one of xi+1 = xi mod n, bi = the least significant bit of xI the key concepts of the foundations of computing. For each integer i, let BBS n,i (x0) = b0 ... bi 1 Indeed,a cryptographically strong pseudo-random generator exists if and only if a − one-way function exists what is equivalent with P = UP and what implies P = NP. be the first i bits of the pseudo-random sequence generated from the seed x by the BBS 6 6 0 pseudo-random generator. prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 29/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 30/66

PERFECTLY SECURE ENCRYPTION ALGORITHMS - EXAMPLES RANDOMIZED VERSION of RSA-LIKE CRYPTOSYSTEM

The scheme works for any trapdoor function (as in case of RSA), f : D D, D 0, 1 n, → ⊂ { } for any pseudorandom generator G : 0, 1 k 0, 1 l , k << l { } → { } and any hash function h : 0, 1 l 0, 1 k , PERFECTLY SECURE ENCRYPTION ALGORITHMS - EXAMPLES { } → { } wheren=l+k. Given a random seed s 0, 1 k as input, G generates a pseudorandom ∈ { } bit-sequence of length l. Encryption of a message m 0, 1 l is done as follows: ∈ { k } 1 A random string r 0, 1 is chosen. ∈ { } 2 Set x = (m G(r)) (r h(m G(r))). (If x / D go to step 1.) ⊕ k ⊕ ⊕ ∈ 3 Compute encryption c = f(x) – length of x and of c is n. Decryption of a cryptotext c. 1 Compute f − (c) = a b, a = l and b = k. k | | | | Set r = h(a) b and get m = a G(r). ⊕ ⊕ Comment Operation ” ” stands for a concatenation of strings. k prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 31/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 32/66 BLOOM-GOLDWASSER CRYPTOSYSTEM ONCE MORE HASH FUNCTIONS

Private key: Blum primes p and q. Public key: n = pq. Encryption of x 0, 1 m. ∈ { } 1 Randomly choose s0 0, 1,..., n . ∈ { } 2 For I = 1, 2, ... , m + 1 compute 2 si si 1 mod n ← − and σi = lsb(si ). —– lsb – least signiﬁcant bit { } The cryptotext is then (sm+1, y), where y = x σ1σ2 . . . σm. ⊕ Decryption: of the cryptotext (r, y): m Let d = 2− mod φ(n)). HASH FUNCTIONS d Let s1 = r mod n. 2 For i = 1, ... , m, compute σi = lsb(si ) and si+1 s mod n ← i The plaintext x can then be computed as y σ1σ2 . . . σm. ⊕

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 33/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 34/66

HASH FUNCTIONS - PICTURE HASH FUNCTIONS - BASICS

Hash functions are (one-way) functions that map huge A hash function is any function that maps digital data of huge (arbitrary) size to digital data of small fixed size, in such a way that slight differences in input data produce big sets A (randomly and uniformly) into small sets A. differences in output data.

A The values returned by a hash function are called hash values, hash codes, ﬁngerprints, message digests, digests or simply hashes.

A good hash function should map possible inputs as evenly as possible over its output f B range.

In other words, if a hash function maps a set A of n elements into a set B of m << n n elements, then the probability that an element of B is the value of much more than m elements of A should be very small.

Cryptographic hash functions are hash functions that Hash function have a variety applications, especially in the design of eﬃcient algorithms satisfy very well various cryptographic properties. and in cryptography.

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 35/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 36/66 CRYPTOGRAPHIC HASH FUNCTIONS SOME APPLICATIONS

A good cryptographic hash function f is such a hash function that withstand all known To verify integrity of messages. Determining cryptographic attacks. As a minimum, it must have the following properties: whether any changes have been made to a message can

Pre-image resistance: Given a hash h it should be infeasible (difficult) to find any be accomplished by comparing message digests message m such that h = f (m). In such a case it is also said that f should have one-wayness property. calculating before, and after, transmission. Second pre-image resistance: Given a message m1 it should be infeasible (difficult) to Passport verification The idea is to only store hash of find another message m2 such that f (m1) = f (m2). In such a case it is also said that f should be weakly collision resistant. each password. To authenticate a user, the password Collision resistance: It should be infeasible (difficult) to find two messages m1 and m2 presented by the user is hashed and compared with the such that f (m1) = f (m2). In such a case it is also said that f should be strongly collision resistant. stored hash. In cryptographic practice ”difficult” generally means ”almost certainly beyond the reach of any adversary who must be prevented from breaking the system for as long In 2013 a long-term Password Hashing Competition as the security of the system is considered to be very important”. was announced to choose a new, standard algorithm for password hashing.

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 37/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 38/66

EXAMPLES AN ALMOST GOOD HASH FUNCTION

Example 1 For a vector a = (a1,..., ak ) of integers let We show an example of a hash function (so called Discrete Log Hash Function) that seems to have as the only drawback that its computation is quite demanding to be used k in practice: H(a) = ai mod n (p 1) i=0 − Letp be a large prime such that q = 2 is also prime and let α, β be two primitive X a where n is a product of two large primes. roots modulop. Denote a = logα β (that is β = α ). This hash functions does not meet any of the three properties mentioned above. h will map two integers smaller than q to an integer smaller thanp, for Example 2 For a vector a = (a1,..., ak ) of integers let m = x0 + x1q, 0 x0, x1 q 1 as follows, ≤ ≤ − k x0 x1 2 h(x0, x1) = h(m) = α β (mod p). H(a) = ai mod n i=0 To show thath is one-way and collision-free the following fact can be used: X where n is product of two large primes. FACT: If we know diﬀerent messages m1 and m2 such that h(m1) = h(m2), then we can

This function is one-way, but it is not weakly collision-free. compute logα β.

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 39/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 40/66 EXTENDING HASH FUNCTIONS HASH FUNCTIONSh from CRYPTOSYSTEMS

Let h : 0, 1 m 0, 1 t be a strongly collision-free hash function, where m > t + 1. { } → { } We design now a strongly collision-free hash function Let us have computationally secure cryptosystem with plaintexts, keys and cryptotexts being binary strings of a ﬁxed length n and with encryption functions ek . ∞ i t h∗ : 0, 1 0, 1 . { } → { } If i=m [ Let a bit string x, x = n > m, have decomposition x = x1 x2 ... xm | | k k k x = x1 x2 ... xk , is the decomposition of x into substrings of length n, g0 is a random string, and k k where xi = m t 1 if i < k and xk = m t 1 d for some d. gi = f (xi , gi 1) | | − − | | − − − − n (Hence k = .) for i = 1,..., m, where f is a function that “incorporates” encryption functions ek of the (m t 1) cryptosystem, for suitable keys k, then l − − m h(x) = gm . h∗ will be computed as follows: For example such good properties have these two functions: 1 for i=1 to k-1 do yi := xi ; d 2 yk := xk 0 ; yk+1 := binary representation of d ; f (xi , gi 1) = egi 1 (xi ) xi k − − ⊕ t+1 f (xi , gi 1) = eg (xi ) xi gi 1 3 g1 := h(0 y1); − i 1 − k − ⊕ ⊕ 4 for i=1 to k do gi+1 := h(gi 1 yi+1); k k 5 h∗(x) := gk+1.

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 41/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 42/66

PRACTICALLY USED HASH FUNCTIONS NEW DEVELOPMENTS

A variety of hash functions has been constructed. Very often used hash functions are MD4, MD5 (created by Rivest in 1990 and 1991 and producing 128 bit message digest). In February 2005, an attack on SHA-1 was reported that would ﬁnd collision in about 269 hashing operations - rather than the 280 as expected by dictionary attack NSA published, as standards, starting in 1993, SHA-0, SHA-1 (Secure Hash for a 160-bit hash function. In August 2005 another attack on SHA-1 was reported that would ﬁnd collisions in Algorithm) – producing 160 bit message digest – based on similar ideas as 63 MD4 and MD5. 2 operations. Though no collision for SHA-1 was found, it started to be expected that this will One of the most important cryptographic results of the last years was due soon happen and so SHA2 was developed. to the Chinese Wang who has shown that MD4 is not cryptographically In order to ensure long-term robustness of applications that use hash functions a secure. Security of MD5 is also questioned. public competition was announced by NIST to replace SHA-2. On October 2012 Keccak was selected as the winner and a version of this algorithm Observe that every cryptographic hash function is vulnerable to a collision is expected to be a new standard in 2014 under the name SHA-3. attack using so called birthday attack. Due to the birthday problem a hash of n bits can be broken in √2n evaluations of the hash function - much faster than the brute force attack.

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 43/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 44/66 MD5 HOW to FIND COLLISIONS of HASH FUNCTIONS

Often used in practise has been hash function MD5 designed in 1991 by Rivest. It maps any binary message into 128-bit hash.

The input message is broken into 512-bit blocks, divided into 16 words-states (of 32 bits) and padded if needed to have ﬁnal length divisible by 512. Padding consists of a bit 1 followed by so many 0’s as required to have the length up to 64 bits fewer than a multiple of 512. Final 64 bits represent the length of the original message modulo 264.

The main MD5 algorithm operates on 128-bits word HOW to FIND COLLISIONS of HASH FUNCTIONS that is divided into four 32-bits words A, B, C, D ABCD initialized to some ﬁxed constants. The main The most basic method is based on so-called birthday F algorithm then operates on 512 bit message blocks in j paradox related to so-called the birthday problem. turn - each block modifying the state. M i

The precessing of a message consists of four rounds. Ki j-th round is composed of 16 similar operations using non-linear functions Fj and left rotations by sj places where sj varies for each round - see next ﬁgure. Ki s−shift and Mi are 32-bits keys and messages.

ABC D

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 45/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 46/66

BIRTHDAY PROBLEM and its VARIATIONS BASIC DERIVATIONS related to BIRTHDAY PARADOX

It is well known that if there are 23 (29) [40] 57 < 100 > people in one { } For probabilityp ¯(n) that all n < 366 people in a room have birthday in different days, it room, then the probability that two of them have the same birthday is holds more than 50% (70%)[89%] 99% < 99.99997% > — this is called a n 1 n 1 { } − 365 i − (365 i) 365! Birthday paradox. p¯(n) = − = i=0 − = 365 365n 365n(365 n)! i=1 „ « Q − More generally, if we haven objects andr people, each choosing one object Y (so that several people can choose the same object), then if This equation expresses the fact that in order no two persons share a birthday, the second √ person cannot have the same birthday as the first one, third person cannot have the r 1.177√n(r 2nλ), then probability that two people choose the same same birthday as first two,..... object≈ is 50% ((1≈ e λ)%). − − Probability p(n) that at least two person have the same birthday is therefore Another version of the birthday paradox: Let us haven objects and two groups ofr people. If r √λn, then probability that someone from one p(n) = 1 p¯(n) group chooses the same≈ object as someone from the other group is − This probability is larger than 0.5 first time for n = 23. (1 e λ). − −

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 47/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 48/66 FINDING COLLISIONS USING BIRTHDAY PARADOX ALGORITHM

Input: A hash function h onto a domain of size n, a real θ and an empty hash table. Output: A pair (x1, x2) such that x1 = x2 and h(x1) = h(x2) 6 If the hash of a hash function h has size n, then to a given x to find x 0 such that n h(x) = h(x 0) by brute force requires 2 hash computations in average. 1. for θ (n) different x do 2. compute y = h(x) p The idea, based on the birthday paradox, is simple. Given x we iteratively pick a random 3. if there is a (y, x 0) pair in the hash table then n i 1 n x 0 until h(x) = h(x 0). The probability that i-th trial is first to succeed is (1 2− ) − 2− ; 4. yield (x, x 0) and stop − 5. add (y, x) to the hash table The average complexity, in terms of hash function computations is therefore 6.Otherwise search failed

∞ n i 1 n n Theorem If we pick numbers with uniform distribution in 1, 2,..., n θ√n times, then i(1 2− ) − 2− = 2 . { } − we get at least one number twice with probability converging (for n ) to i=1 → ∞ X To ﬁnd collisions, that is two x and x such that h(x ) = h(x ) is easier, thanks to the θ2 1 2 1 2 1 e− 2 birthday paradox and can be done by the following algorithm: −

For n = 365 we get triples: (θ, θ√n, probability) as follows: (0.79, 15, 25%); (1.31, 25, 57%); (2.09, 40, 89%)

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 49/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 50/66

HASH FUNCTION DOMAIN LOWER BOUND APPENDIX

Birthday paradox imposes a lower bound on the sizes of message digests (ﬁngerprints)

For example, a 40-bit hashes would be insecure because a collision could be found with probability 0.5 with just over 4020 random guesses. APPENDIX Minimum acceptable size of hashes seems to be 128 and therefore 160 are used in such important systems as DSS – Digital Signature Schemes (standard).

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 51/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 52/66 UNIVERSAL HASHING SCHEMES WILLIAMS CRYPTOSYSTEM – BASICS

This cryptosystem is similar to RSA, but with number operations performed in a quadratic field. Complexity of the cryptanalysis of the Williams cryptosystem is equivalent to factoring. A universal hashing scheme is a randomized algorithm that selects a hashing function Consider numbers of the form among a family of hashing functions, in such a way that probability of collision of any two distinct keys is 1/n, where n is the number of distinct hashes desired – independently α = a + b√c of the keys. where a, b, c are integers. If c is fixed, α can be viewed as a pair (a, b). Universal hashing ensures - in a probabilistic sense - that the hash function application α + α = (a , b ) + (a , b ) = (a + a , b + b ) will behave as if it were using a random function, for any distribution of the input data. 1 2 1 1 2 2 1 2 1 2 α1α2 = (a1, b1) (a2, b2) = (a1a2+c b1b2, a1b2 + b1a2) r+1 · Theorem The family of functions emH = ha a 0,..., m 1 , defined by the The conjugate α of α of a is defined by { | ∈ { − } formula r α = a b√c − ha(u) = ai ui mod m i i α + α− i=0 Auxiliary functions: X (α) = X i 2 r+1 i i i is a universal family of hash functions mapping 0,..., m 1 into 0,..., m 1. b(α α− ) α α { − } { − Yi (α) = − = − (α α) 2√c Hence − „ « i α = Xi (α) + Yi (α)√c i α = Xi (α) Yi (α)√c − prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 53/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 54/66

This means that exponentiation can be done fast in case computation of functions Xi WILLIAMS CRYPTOSYSTEM – EFFICIENT EXPONENTIATION WILLIAMSand Yi can be done CRYPTOSYSTEM fast. - BASIC LEMMAS

Congruences on numbers of type a + b√c are deﬁned: a1 + b1√c a2 + b2√c( 2 2≡ mod n) a1 a2( mod n), b1 b2( mod n) Instead of a cb = 1 we will consider Assume now ⇔ 2≡ 2 ≡ − 2 2 congruence a cb 1( mod n) a cb = 1 − ≡ 2 2 − Basic Lemma: Let n = p q (both primes) and let a, b, c be such that a cb 1 ( Then αα = 1 and consequently · − ≡ 2 2 mod n). Moreover, let the Jacobi-Legendre symbols XI cYI = 1 − Moreover, for j i εp = (c p), εq = (c q) ≥ | | XI +J = 2XI XJ + XJ 1 − satisfy the congruence YI +J = 2YI XJ + YJ 1 εi i( mod 4) for i p, q . − ≡ − ∈ { } From these and following equations: Assume also that gcd(cb, n) = 1 and (2(a + 1) n) = 1. | XI +J = 2XI XJ +cYI YJ Denote YI +J = 2YI XJ + XI YJ (p εp)(q εq) m = − − we get the recursive formulas: 4 2 2 2 X2i = Xi + cYi = 2Xi 1 and assume that e and d satisfy the congruence − Y2i = 2Xi Yi (m + 1) X2i+1 = 2Xi Yi+1 X1 ed mod m. − ≡ 2 Y2i+1 = 2Xi Yi+1 Y1 − Under these assumptions 2ed Consequences: 1. X and Y can be, given i, computed fast. α α( mod n), i i ≡ ± Remark Since X0 = 1, X1 = a, Xi does not depend on b. where α = a + b√c . prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 55/66 Thisprof. Jozeflemma Gruska plays theIV054 same 6. Public-key role cryptosystems, in showing II. Other correctness cryptosystems, security, of the PRG, Williams hash functions cryptosystem56/66 as Euler’s theorem plays for showing correctness of the RSA cryptosystem. DESIGN of WILLIAMS CRYPTOSYSTEMS DECRYPTION

1 Choose p, q, compute n = pq. Decryption: cryptotext: (E, b1, b2), where E = (Xe (α)Ye (α)− mod n), b2 0, 1 , ∈ { } Choose c such that Jacobi-Legendre symbols εp, εq satisfy congruences of previous depending whether a is even or odd. lemma (c can be chosen by a trial). Decryption: Using E the receiver may compute: Choose (by trial) a number s such that 2e e 2e α α Xe (α) + Ye (α)√c 2 α e e = (s c n) = 1, gcd(n, s) = 1. ≡ (αα¯) ≡ α¯ Xe (α) Ye (α)√c − | − − Let m be as in Basic lemma and d be such that gcd(m, d) = 1 and let e be such that E + √c E 2 + c 2E = + √c( mod n) (m + 1) ≡ E √c E 2 c E 2 c ed mod m. − − − ≡ 2 (The above computation can perform also a cryptanalyst. Trapdoor is needed for the Public key: n, e, c, s next computation.) Secret key: p, q, m, d 2ed 2e 2e α = X2ed (α) + Y2ed (α)√c = Xd (α ) + Yd (α )√c Encryption: A plaintext 0 < w < n will first be encoded as a number αw of the form a + b√c. Now all assumptions of Basic lemma are satisfied and, consequently Denote α2ed α( mod n) b = 0, γ = w + √c if (w 2 c n) = 1 ≡ ± 1 b is then used to determine which of the above signs is correct. − 2| 2 b1 = 1, γ = (w + √c)(s + √c) if (w c n) = 1 − | − w is now obtained as follows: In both cases: Denote: (γγ¯ n) = 1. s √c α0 = αif b1 = 0and − ifb1 = 1 1 γ | s + √c Define: α = γγ¯− = γ¯ w 2+c 2w Then (1) if b1 = 0, then α w 2 c + w 2 c √c ( mod n) w + √c ≡ − − 0 (w 2+c)(s2+c)+4csw 2s(w 2+c)+2w(s2+c) α ( mod n) prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 57/66 prof. Jozef Gruska IV054 6. Public-key cryptosystems,≡ w II. Other√c cryptosystems, security, PRG, hash functions 58/66 (2) if b1 = 1 then α a + b√c where a = (w 2 c)(s2 c) b = (w 2 c)(s2 c) ≡ − − − − − In both cases αα¯ = a2 cb2 1( mod n) and (2(a + 1) n) = 1. and − ≡ | α0 + 1 GLOBAL GOALS of CRYPTOGRAPHY w √c ( mod n) ≡ α 1 0 −

Cryptosystems and encryption/decryption techniques are only one part of modern cryptography. General goal of modern cryptography is construction of schemes which are robust against malicious attempts to make these schemes to deviate from their prescribed functionality. The fact that an adversary can design its attacks after the cryptographic scheme has been speciﬁed, makes design of such cryptographic schemes very diﬃcult – schemes should be secure under all possible attacks. In the next chapters several of such most important basic functionalities and design of secure systems for them will be considered. For example: digital signatures, user and message authentication,... Moreover, also such basic primitives as zero-knowledge proofs, needed to deal with general cryptography problems will be presented and discussed. We will also discuss cryptographic protocols for a variety of important applications. For example for voting, digital cash,...

prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 59/66