Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security CPSC 367: Cryptography and Security Michael J. Fischer Lecture 21 April 11, 2019 CPSC 367, Lecture 21 1/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Quadratic Residues Revisited Euler criterion Distinguishing Residues from Non-Residues Encryption Based on Quadratic Residues Summary Secure Random Sequence Generators Pseudorandom sequence generators Looking random BBS Pseudorandom Sequence Generator Appendix: Finding Square Roots Square roots modulo special primes Square roots modulo general odd primes Appendix: Similarity of Probability Distributions Cryptographically secure PRSG Indistinguishability CPSC 367, Lecture 21 2/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Appendix: The Legendre and Jacobi Symbols The Legendre symbol Jacobi symbol Computing the Jacobi symbol Appendix: Security of BBS CPSC 367, Lecture 21 3/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Quadratic Residues Revisited CPSC 367, Lecture 21 4/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security QR reprise Quadratic residues play a key role in the Feige-Fiat-Shamir zero knowledge authentication protocol. They can also be used to produce a secure probabilistic cryptosystem and a cryptographically strong pseudorandom bit generator. Before we can proceed to these protocols, we need some more number-theoretic properties of quadratic residues. CPSC 367, Lecture 21 5/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Euler criterion Euler criterion The Euler criterion gives a feasible method for testing membership in QRp when p is an odd prime. Theorem (Euler Criterion) An integer a is a non-trivial1 quadratic residue modulo an odd prime p iff a(p−1)=2 ≡ 1 (mod p): 1A non-trivial quadratic residue is one that is not equivalent to 0 (mod p). CPSC 367, Lecture 21 6/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Euler criterion Proof of Euler Criterion Proof in forward direction. Let a ≡ b2 (mod p) for some b 6≡ 0 (mod p). Then a(p−1)=2 ≡ (b2)(p−1)=2 ≡ bp−1 ≡ 1 (mod p) by Euler's theorem, as desired. CPSC 367, Lecture 21 7/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Euler criterion Proof of Euler Criterion (continued) Proof in reverse direction. Suppose a(p−1)=2 ≡ 1 (mod p). Clearly a 6≡ 0 (mod p). We find a square root b of a modulo p. Let g be a primitive root of p. Choose k so that a ≡ g k (mod p), and let ` = (p − 1)k=2. Then g ` ≡ g (p−1)k=2 ≡ (g k )(p−1)=2 ≡ a(p−1)=2 ≡ 1 (mod p): Since g is a primitive root and g ` ≡ 1 (mod p), then φ(p)j`. Hence, `/φ(p) = `=(p − 1) = k=2 is an integer. Let b = g k=2. Then b2 ≡ g k ≡ a (mod p), so b is a non-trivial square root of a modulo p, as desired. CPSC 367, Lecture 21 8/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Distinguishing Residues from Non-Residues A hard problem associated with quadratic residues Let n = pq, where p and q are distinct odd primes. Recall that each a 2 QRn has 4 square roots, and 1=4 of the ∗ elements in Zn are quadratic residues. ∗ Some elements of Zn are easily recognized as non-residues, but 00 there is a subset of non-residues (which we denote by Qn ) that are hard to distinguish from quadratic residues without knowing p and q. CPSC 367, Lecture 21 9/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Distinguishing Residues from Non-Residues Quadratic residues modulo n = pq Let n = pq, p, q distinct odd primes. ∗ We divide the numbers in Zn into four classes depending on their 2 membership in QRp and QRq. 11 ∗ I Let Qn = fa 2 Zn j a 2 QRp \ QRqg. 10 ∗ I Let Qn = fa 2 Zn j a 2 QRp \ QNRqg. 01 ∗ I Let Qn = fa 2 Zn j a 2 QNRp \ QRqg. 00 ∗ I Let Qn = fa 2 Zn j a 2 QNRp \ QNRqg. Under these definitions, 11 QRn = Qn 00 01 10 QNRn = Qn [ Qn [ Qn 2 ∗ To be strictly formal, we classify a 2 Zn according to whether or not (a mod p) 2 QRp and whether or not (a mod q) 2 QRq. CPSC 367, Lecture 21 10/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Distinguishing Residues from Non-Residues Quadratic residuosity problem Definition (Quadratic residuosity problem) The quadratic residuosity problem is to decide, given 00 11 11 a 2 Qn [ Qn , whether or not a 2 Qn . Fact There is no known feasible algorithm for solving the quadratic residuosity problem that gives the correct answer significantly more 00 11 than 1/2 the time for uniformly distributed random a 2 Qn [ Qn , unless the factorization of n is known. The quadratic residuosity assumption is that there is not feasible algorithm for solving the quadradic residuosity problem that gives the correct answer with probability significantly better than 1/2. CPSC 367, Lecture 21 11/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Encryption Based on Quadratic Residues CPSC 367, Lecture 21 12/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Securely encrypting single bits Goldwasser and Micali devised a probabilistic public key cryptosystem based on the assumed hardness of the quadratic residuosity problem that allows one to securely encrypt single bits. The idea is to encrypt a \0" by a random residue of QRn and a 00 \1" by a random non-residue in Qn . Any ability to decrypt the bit is tantamount to solving the quadratic residuosity problem. CPSC 367, Lecture 21 13/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Goldwasser-Micali probabilistic cryptosystem Key Generation The public key consists of a pair e = (n; y), where n = pq for 00 distinct odd primes p, q, and y is any member of Qn . The private key consists of the triple d = (n; y; p). The message space is M = f0; 1g. (Single bits!) 00 11 The ciphertext space is C = Qn [ Qn . CPSC 367, Lecture 21 14/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Goldwasser-Micali probabilistic cryptosystem (cont.) Encryption ∗ To encrypt m 2 M, Alice chooses a random r 2 Zn and sets 2 11 a = r mod n. The result a is a random element of QRn = Qn . 11 If m = 0, set c = a (which is in Qn ). 00 If m = 1, set c = ay mod n (which is in Qn ). Decryption Bob, knowing the private key p, can use the Euler Criterion to quickly determine whether or not c 2 QRp and hence whether 11 00 c 2 Qn or c 2 Qn , thereby determining m. CPSC 367, Lecture 21 15/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Goldwasser-Micali probabilistic cryptosystem (cont.) Security Eve's problem of finding m given c is equivalent to the problem of 11 00 11 testing if c 2 Qn , given that c 2 Qn [ Qn . This is just the quadratic residuosity problem, assuming the ciphertexts are uniformly distributed. One can show: 11 I Every element of Qn is equally likely to be chosen as the ciphertext c in case m = 0; 00 I Every element of Qn is equally likely to be chosen as the ciphertext c in case m = 1. If the messages are also uniformly distributed, then any element of 00 11 Qn [ Qn is equally likely to be the ciphertext. CPSC 367, Lecture 21 16/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Summary Important facts about quadratic residues 1. If p is odd prime, then jQR j = jZ∗j=2, and for each p p p a 2 QRp, j aj = 2. 2. If n = pq, p 6= q odd primes, then jQR j = jZ∗j=4, and for p n n each a 2 QRn, j aj = 4. (p−1)=2 3. Euler criterion: a 2 QRp iff a ≡ 1 (mod p), p odd prime. p 4. If p is odd prime, a 2 QRp, can feasibly find y 2 a. (See appendix.) 00 5. If n = pq, p 6= q odd primes, then distinguishing Qn from Q11 is believed to be infeasible. Hence, infeasible to find n p y 2 a. Why? p If not, one could attempt to find y 2 a, check that y 2 ≡ a (mod n), and conclude that a 2 Q11 if successful. CPSC 367, Lecture 21 17/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Secure Random Sequence Generators CPSC 367, Lecture 21 18/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Pseudorandom sequence generators Pseudorandom sequence generators A pseudorandom sequence generator (PRSG) is a function that maps a short seed to a long \random-looking" output sequence. The seed typically has length between 32 and a few thousand bits. The output is typically much longer, ranging from thousands or millions of bits or more, but polynomially related to the seed length.