The document outlines key concepts in cryptography, focusing on number theory, groups, and various assumptions related to discrete logarithms and factoring. It discusses the properties of finite commutative groups, Euler's theorem, and the hardness of problems like DLog and integer factorization. Additionally, it covers the Naor-Reingold pseudorandom function and its applications in cryptographic systems, emphasizing the efficiency of elliptic curve groups.


COS433/Math 473: Cryptography
Mark Zhandry
Princeton University
Spring 2018
Number Theory
ℤ_N: integers mod N
ℤ_N^*: integers mod N that are relatively prime to N
• x ∈ ℤ_N^* iff x has an "inverse" y s.t. xy mod N = 1
• For prime N, ℤ_N^* = {1, …, N-1}

Φ(N) = |ℤ_N^*|
• For prime p, Φ(p) = p-1; for N = pq with p, q distinct primes, Φ(N) = (p-1)(q-1)

Euler's theorem: for any x ∈ ℤ_N^*, x^{Φ(N)} mod N = 1


Groups
A group is a set G together with a binary operation ⊗ such that:
• g ⊗ h ∈ G (closure)
• ∃ identity 1 s.t. g ⊗ 1 = 1 ⊗ g = g
• f ⊗ (g ⊗ h) = (f ⊗ g) ⊗ h (associativity)
• For all g, ∃ g^{-1} s.t. g ⊗ g^{-1} = g^{-1} ⊗ g = 1

In this class, we will always work with finite commutative groups:
• |G| < ∞
• g ⊗ h = h ⊗ g
Examples of Groups
Additive group ℤ_N
• g ⊗ h = g + h mod N

Multiplicative group ℤ_N^*
• g ⊗ h = g × h mod N
Cyclic Groups
A group G of size N is cyclic if:
∃ g s.t. G = {1, g, g^2, …, g^{N-1}}
(we call such a g a generator)

Examples:
• Additive group ℤ_N (generator? 1 works, and so does any element relatively prime to N)
• Multiplicative group ℤ_p^* for prime p

Non-example: ℤ_15^* (it has 8 elements, but every element has order dividing 4, so no single element generates it)
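The group facts on the slides above, checked by direct computation. This is an added example, not code from the lecture; the function names and the toy moduli 7 and 15 are the example's own choices, and the modular inverse uses Python 3.8+'s `pow(x, -1, n)`.

```python
from math import gcd


def units_mod(n):
    """Z_n^*: residues in {1, ..., n-1} that are relatively prime to n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def phi(n):
    """Euler's Phi(n) = |Z_n^*|, by direct count (fine for toy n)."""
    return len(units_mod(n))


def inverse_mod(x, n):
    """The 'inverse' y with x*y mod n = 1, or None if x is not in Z_n^*."""
    try:
        return pow(x, -1, n)          # Python 3.8+: modular inverse via pow
    except ValueError:
        return None


def euler_theorem_holds(n):
    """Euler's theorem: x^Phi(n) mod n = 1 for every x in Z_n^*."""
    return all(pow(x, phi(n), n) == 1 for x in units_mod(n))


def order(g, n):
    """Multiplicative order of g in Z_n^*: least k >= 1 with g^k mod n = 1."""
    k, acc = 1, g % n
    while acc != 1:
        acc = acc * g % n
        k += 1
    return k


def generators(n):
    """Elements g of Z_n^* with {1, g, g^2, ...} = Z_n^*, i.e. of order Phi(n)."""
    ph = phi(n)
    return [g for g in units_mod(n) if order(g, n) == ph]


def is_cyclic(n):
    """Z_n^* is cyclic iff it has a generator."""
    return len(generators(n)) > 0


def max_order(n):
    """Largest element order; for a non-cyclic group this is strictly less than Phi(n)."""
    return max(order(g, n) for g in units_mod(n))
```

`generators(7)` returns `[3, 5]` and `generators(15)` is empty: the eight elements of ℤ_15^* have orders 1, 2 or 4 only, which is the slide's non-example made concrete.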
Stronger Assumptions
Three problems in a cyclic group, listed from hardest to easiest (so DLog is the weakest assumption and DDH the strongest: an algorithm for DLog breaks CDH, and an algorithm for CDH breaks DDH):

DLog:
• Given (g, g^a), compute a

CDH:
• Given (g, g^a, g^b), compute g^{ab}

DDH:
•  Distinguish (g, g^a, g^b, g^c) from (g, g^a, g^b, g^{ab})
G cyclic, order q

(G,t,ε)-Discrete Log:
For any algorithm A running in time at most t,
Pr[a ← A(g, g^a) : g ← G, a ← ℤ_q] ≤ ε

(G,t,ε)-Computational Diffie-Hellman:
For any algorithm A running in time at most t,
Pr[g^{ab} ← A(g, g^a, g^b) : g ← G, a, b ← ℤ_q] ≤ ε

(G,t,ε)-Decisional Diffie-Hellman:
For any algorithm A running in time at most t,
| Pr[1 ← A(g, g^a, g^b, g^{ab}) : g ← G, a, b ← ℤ_q]
  - Pr[1 ← A(g, g^a, g^b, g^c) : g ← G, a, b, c ← ℤ_q] | ≤ ε
Hardness of DLog
Over ℤ_p^*:
• Brute force: O(p)
• Better algorithms based on the birthday paradox (Pollard's rho; baby-step giant-step reaches the same bound using O(p^{1/2}) memory): O(p^{1/2})
• Even better heuristic algorithms (index calculus, number field sieve):
  exp( C (log p)^{1/3} (log log p)^{2/3} )

• Therefore, plausible assumption:
  (ℤ_p^*, t = 2^{(log p)^{1/3}}, ε = 2^{-(log p)^{1/3}})
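The O(p) and O(p^{1/2}) attacks side by side, as an added example that is not from the slides: brute-force search and Shanks' baby-step giant-step, which reaches the square-root bound with a lookup table of about sqrt(p) entries. The prime 1019 and the base 2 (a generator of ℤ_1019^*) are this example's own choices; `pow(g, -m, p)` needs Python 3.8+.

```python
from math import isqrt


def dlog_bruteforce(g, h, p):
    """Solve g^a = h mod p by stepping through a = 0, 1, 2, ...: O(p) group operations."""
    acc = 1
    for a in range(p - 1):             # a ranges over Z_{p-1}, the exponent group of Z_p^*
        if acc == h % p:
            return a
        acc = acc * g % p
    return None


def dlog_bsgs(g, h, p):
    """Baby-step giant-step (Shanks): O(sqrt(p)) time and memory.
    Write a = i*m + j with m = ceil(sqrt(p-1)) and 0 <= i, j < m.
    Baby steps tabulate g^j; giant steps walk h * g^(-m*i) until it hits the table."""
    n = p - 1                          # order of Z_p^*
    m = isqrt(n) + 1
    baby = {}
    acc = 1
    for j in range(m):
        baby.setdefault(acc, j)        # keep the smallest j for each value
        acc = acc * g % p
    giant_step = pow(g, -m, p)         # g^(-m); negative exponents need Python 3.8+
    gamma = h % p
    for i in range(m):
        if gamma in baby:              # h * g^(-m*i) = g^j  =>  h = g^(i*m + j)
            return i * m + baby[gamma]
        gamma = gamma * giant_step % p
    return None
```

For a 1019-element group the difference is 1018 multiplications versus about 2·33; for a 256-bit p it is the difference between 2^256 and 2^128, which is why the birthday bound drives the choice of q in the parameter-size slide later on.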
Naor-Reingold PRF
Domain: {0,1}^n
Key space: ℤ_q^{n+1}
Range: G (cyclic of order q, with generator g)

F( (a, b_1, b_2, …, b_n), x ) = g^{a · b_1^{x_1} · b_2^{x_2} ··· b_n^{x_n}}

i.e. the exponent is a times the product of those b_i with x_i = 1.

Theorem: If (G,t,ε)-DDH holds, then the Naor-Reingold PRF is (t-t', r, 2rnε)-secure
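The function F above evaluated in a concrete group, as an added example that is not from the slides. G is the order-11 subgroup of ℤ_23^* generated by 2 (the "subgroup of ℤ_p^* of order q" setting of the parameter-size slide further down); the key values used in the checks are this example's own constants. The exponent is reduced mod q because g has order q, so g^e depends only on e mod q.

```python
import secrets


class NaorReingoldPRF:
    """F((a, b_1..b_n), x) = g^(a * prod_{i : x_i = 1} b_i) in a cyclic group G of prime order q."""

    def __init__(self, p, q, g, n):
        # G = <g> is the subgroup of Z_p^* of order q, so we need q | p-1 and g^q = 1, g != 1
        assert (p - 1) % q == 0 and g != 1 and pow(g, q, p) == 1
        self.p, self.q, self.g, self.n = p, q, g, n

    def keygen(self, rng=secrets.randbelow):
        """Key (a, b_1, ..., b_n) uniform in Z_q^{n+1}, as on the slide."""
        return tuple(rng(self.q) for _ in range(self.n + 1))

    def evaluate(self, key, x):
        a, bs = key[0], key[1:]
        assert len(x) == self.n and all(xi in (0, 1) for xi in x)
        e = a % self.q
        for b_i, x_i in zip(bs, x):
            if x_i:                        # b_i^{x_i} is b_i if x_i = 1 and 1 otherwise
                e = e * b_i % self.q       # exponent arithmetic lives in Z_q since g has order q
        return pow(self.g, e, self.p)

    def sibling_pair(self, key, x_prefix):
        """Outputs on x||0 and x||1: (h, h^{b_n}), the DDH-shaped pair the hybrid proof relies on."""
        return self.evaluate(key, x_prefix + (0,)), self.evaluate(key, x_prefix + (1,))
```

`sibling_pair` makes the proof's observation visible: for every prefix the two answers are (h, h^{b_n}) with the same b_n, which is exactly the second distribution in the lemma below with s equal to the number of pairs queried.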
Proof by Hybrids
Hybrid 0:  H(x) = g^{a · b_1^{x_1} · b_2^{x_2} ··· b_n^{x_n}}

Hybrid i:  H(x) = H_i(x[1,i])^{b_{i+1}^{x_{i+1}} ··· b_n^{x_n}}
• H_i is a random function from {0,1}^i → G
• (Hybrid 0 fits this pattern: H_0 is a single random group element, which is what g^a is for random a)

Hybrid n:  H(x) is truly random


Proof
Suppose an adversary can distinguish Hybrid i-1 from Hybrid i for some i

Easy to construct an adversary that distinguishes
  x → H_i(x)   from   x → H_{i-1}(x[1,i-1])^{b_i^{x_i}}
with advantage 2rε
Proof
Suppose the adversary makes 2r queries
• Assume wlog that queries come in pairs x||0, x||1

What does the adversary see?
• Under H_i(x): 2r independent random elements of G
• Under H_{i-1}(x[1,i-1])^{b_i^{x_i}}: r random elements h_1, …, h_r of G (the answers on x||0)
  as well as h_1^b, …, h_r^b (the answers on x||1), where b = b_i
Lemma: Assuming (G,t,ε)-DDH, the following distributions are indistinguishable except with advantage sε:
  (g, g^{x_1}, g^{y_1}, …, g^{x_s}, g^{y_s})   and
  (g, g^{x_1}, g^{b x_1}, …, g^{x_s}, g^{b x_s})

Suffices to finish the proof of NR-PRF (apply it with s = r and h_j = g^{x_j})


Proof of Lemma
Hybrid 0:  (g, g^{x_1}, g^{b x_1}, …, g^{x_s}, g^{b x_s})

Hybrid i:  (g, g^{x_1}, g^{y_1}, …, g^{x_i}, g^{y_i}, g^{x_{i+1}}, g^{b x_{i+1}}, …, g^{x_s}, g^{b x_s})

Hybrid s:  (g, g^{x_1}, g^{y_1}, …, g^{x_s}, g^{y_s})

Proof of Lemma
Suppose an adversary A distinguishes Hybrid i-1 from Hybrid i

Use A to break DDH: the reduction B receives a DDH challenge (g, h, u, v), picks its own x_j, y_j for j < i and x_j for j > i, and runs A on
  (g, g^{x_1}, g^{y_1}, …, g^{x_{i-1}}, g^{y_{i-1}}, u, v, g^{x_{i+1}}, h^{x_{i+1}}, …, g^{x_s}, h^{x_s})
(note h^{x_j} = g^{b x_j} when h = g^b, so the right-hand part is formed correctly without B knowing b)

If (g,h,u,v) = (g, g^b, g^{x_i}, g^{b x_i}), then A sees Hybrid i-1

If (g,h,u,v) = (g, g^b, g^{x_i}, g^{y_i}), then A sees Hybrid i

Therefore, B's advantage against DDH is the same as A's advantage between the two hybrids


Further Applications
From NR-PRF can construct:
• CPA-secure encryption
• Block ciphers
• MACs
• Authenticated encryption
Parameter Size in Practice?
G = subgroup of ℤ_p^* of order q, where q | p-1
• In practice, the best (index calculus / number field sieve) algorithms require p ≥ 2^{1024} or so
• q only has to resist the generic O(q^{1/2}) attacks, so q ≈ 2^{256} suffices for 128-bit security, but every exponentiation still happens mod the large p

• G = "elliptic curve groups"
• For well-chosen curves only the generic O(q^{1/2}) attacks are known
• Can set p ≈ 2^{256} to have security
  ⇒ best attacks run in time 2^{128}

Therefore, elliptic curve groups tend to be much more efficient ⇒ shift to using them in practice
Integer Factorization
Given an integer N, find its prime factors

Studied for centuries, presumed difficult
• Grade school algorithm (trial division): O(N^{1/2})
• Better algorithms using the birthday paradox (Pollard's rho): O(N^{1/4})
• Even better, assuming the Generalized Riemann Hypothesis: O(N^{1/5})
• Still better heuristic algorithms (number field sieve):
  exp( C (log N)^{1/3} (log log N)^{2/3} )
• However, all require super-polynomial time in the bit-length of N

(λ,t,ε)-Factoring Assumption: For any factoring algorithm A running in time at most t,
Pr[(p,q) ← A(N) : N = pq and p, q random λ-bit primes] ≤ ε

Plausible assumption: (λ, t = 2^{λ^{1/3}}, ε = 2^{-λ^{1/3}})

Sampling Random Primes

Prime Number Theorem: a random λ-bit number is prime with probability ≈ 1/λ
(more precisely about 1/(λ ln 2) ≈ 1.44/λ; sampling only odd candidates doubles the hit rate)

Primality Testing: it is possible in polynomial time to decide if an integer is prime (deterministically by AKS, 2002; randomized tests are what is used in practice)

Fermat Primality Test (randomized, some false positives):
• Choose a random integer a ∈ {0, …, N-1}
• Test if a^N = a mod N
• Repeat many times
• Caveat: Carmichael numbers (561 = 3·11·17 is the smallest) satisfy a^N = a mod N for every a, so they pass every round; the Miller-Rabin test, which additionally checks the square roots of 1 met along the way, has no such exceptions and is the test used in practice
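Prime sampling as an added example (this code is not from the lecture): the Fermat test exactly as stated above, the Miller-Rabin test that replaces it in practice, and the rejection-sampling loop that the prime number theorem predicts needs about λ·ln(2)/2 odd candidates. The Carmichael number 561, the witness bases and the 31-bit size used in the checks are the example's own choices; that bases 2, 3, 5, 7 decide primality for every n < 3,215,031,751 is a published result (Jaeschke).

```python
import secrets


def fermat_test(n, rounds=20, rng=secrets.randbelow):
    """The slide's test: accept n if a^n = a mod n for `rounds` random a in {0, ..., n-1}.
    Carmichael numbers (squarefree n with p-1 | n-1 for every prime p | n) pass for EVERY a."""
    if n < 2:
        return False
    return all(pow(a, n, n) == a for a in (rng(n) for _ in range(rounds)))


def _strong_witness(n, a):
    """Miller-Rabin core for odd n > 2: True if base a proves n composite."""
    d, s = n - 1, 0
    while d % 2 == 0:                  # n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True                        # a^(n-1) != 1, or a nontrivial square root of 1 appeared


def miller_rabin(n, rounds=40, rng=secrets.randbelow):
    """Probabilistic: a composite survives each round with probability at most 1/4."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return not any(_strong_witness(n, 2 + rng(n - 3)) for _ in range(rounds))


def is_prime_small(n):
    """Deterministic Miller-Rabin: bases 2, 3, 5, 7 are enough for all n < 3,215,031,751."""
    assert n < 3_215_031_751
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return not any(_strong_witness(n, a) for a in (2, 3, 5, 7) if a % n)


def count_primes_with_bits(bits):
    """Number of primes in [2^(bits-1), 2^bits); the PNT predicts about 2^(bits-1) / (bits * ln 2)."""
    return sum(1 for n in range(1 << (bits - 1), 1 << bits) if is_prime_small(n))


def random_prime(bits, rng=secrets.randbelow):
    """Uniform `bits`-bit prime by rejection sampling over odd candidates with the top bit set."""
    assert bits >= 2
    while True:
        cand = (1 << (bits - 1)) | rng(1 << (bits - 1)) | 1
        if miller_rabin(cand):
            return cand
```

`count_primes_with_bits(10)` returns 75 against the PNT estimate 512/(10·ln 2) ≈ 73.9, and `fermat_test(561)` accepts no matter how many rounds are run, while `is_prime_small(561)` rejects it with the very first base.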
Chinese Remainder Theorem
Let N = pq for distinct primes p, q

Let x ∈ ℤ_p, y ∈ ℤ_q

Then there exists a unique integer z ∈ ℤ_N such that
• x = z mod p, and
• y = z mod q

Proof: z = [ p·y·(p^{-1} mod q) + q·x·(q^{-1} mod p) ] mod N
(the first summand is 0 mod p and y mod q; the second is x mod p and 0 mod q; uniqueness: two solutions differ by a multiple of both p and q, hence of N)


Quadratic Residues
Definition: y is a quadratic residue mod N if there exists an x such that y = x^2 mod N.  x is called a "square root" of y

Ex:
• Let p be a prime, and y ≠ 0 a quadratic residue mod p.  How many square roots of y?
  (Answer: exactly 2, namely ±x, since the polynomial X^2 - y has at most two roots mod a prime)
• Let N = pq be the product of two primes, y a quadratic residue mod N.  Suppose y ≠ 0 mod p and y ≠ 0 mod q.  How many square roots?
  (Answer: 4, by CRT: either of the 2 roots mod p combined with either of the 2 roots mod q)
(λ,t,ε)-QR Assumption: For any algorithm A running in time at most t,
Pr[y^2 = x^2 mod N : y ← A(N, x^2 mod N), N = pq and p, q random λ-bit primes, x ← ℤ_N] ≤ ε
Theorem: If the (λ,t,ε)-factoring assumption holds, then the (λ,t-t',2ε)-QR assumption holds

Proof
To factor N, run the square-root finder A:
• x ← ℤ_N
• y ← A(N, x^2 mod N)
• Output GCD(x-y, N)

Analysis:
• Let {a,b,c,d} be the 4 square roots of x^2 (assuming x is coprime to N; otherwise GCD(x,N) already factors N)
• A has no idea which one you chose: it only sees x^2
• With probability ½, y will not be in {+x, -x}
• In this case, x = y mod p but x = -y mod q (or vice versa), so x-y is divisible by exactly one of p, q and GCD(x-y, N) is a nontrivial factor
Collision Resistance from Factoring
Let N = pq, y a QR mod N
Suppose -1 is not a QR mod N

Hashing key: (N, y)

Domain: {1, …, (N-1)/2} × {0,1}
Range: {1, …, (N-1)/2}

H( (N,y), (x,b) ): Let z = y^b x^2 mod N
• If z ∈ {1, …, (N-1)/2}, output z
• Else, output -z mod N ∈ {1, …, (N-1)/2}

Theorem: If the (λ,t,ε)-factoring assumption holds, H is (t-t',2ε)-collision resistant

Proof:
• A collision means (x_0,b_0) ≠ (x_1,b_1) s.t. y^{b_0} x_0^2 = ± y^{b_1} x_1^2 mod N

• If b_0 = b_1, then x_0 ≠ x_1, but x_0^2 = ± x_1^2 mod N
  • x_0^2 = -x_1^2 mod N not possible.  Why?  (-1 = (x_0/x_1)^2 would be a QR; if x_1 is not invertible, GCD(x_1,N) already factors N)
  • x_0 ≠ -x_1 since x_0, x_1 ∈ {1, …, (N-1)/2}
  • So x_0 and x_1 are square roots of the same value that are not ± each other, and GCD(x_0 - x_1, N) factors N

• If b_0 ≠ b_1, then (x_0/x_1)^2 = ± y^{±1} mod N
  • -y case not possible.  Why?  (y and -y would both be QRs, so their ratio -1 would be a QR)
  • (x_0/x_1) or (x_1/x_0) is a square root of y
  • The key generator chose y = r^2 for a random r; with probability ½ this root is not ±r, and GCD(root - r, N) factors N.  This ½ is where the 2 in 2ε comes from
Choosing N
How to choose N so that -1 is not a QR?

By CRT, it suffices to choose p, q such that -1 is not a QR mod p or mod q (a QR mod N is a QR mod both primes)

Fact: if p = 3 mod 4, then -1 is not a QR mod p

Fact: if p = 1 mod 4, then -1 is a QR mod p

(Both follow from Euler's criterion: (-1)^{(p-1)/2} is -1 when p = 3 mod 4 and +1 when p = 1 mod 4.  Taking p = q = 3 mod 4 makes N a Blum integer.)
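The hash above on a toy modulus, as an added example (not from the slides) serving both the collision-resistance slide and the "choosing N" slide: N = 77 = 7·11 with both primes 3 mod 4, so -1 is a non-residue, and the key holder's secret root r = 3 is this example's own constant. Because N is tiny the whole domain can be enumerated, which makes every collision visible and lets the slide's extraction argument be run on each one, including the unlucky collisions whose extracted root is ±r.

```python
from math import gcd
from itertools import product, combinations


def is_qr_mod_prime(y, p):
    """Euler's criterion: y is a QR mod an odd prime p iff y^((p-1)/2) = 1 mod p."""
    return pow(y % p, (p - 1) // 2, p) == 1


def hash_key(p, q, r):
    """Key (N, y) with y = r^2 a QR mod N; p = q = 3 mod 4 makes -1 a non-residue mod N."""
    assert p % 4 == 3 and q % 4 == 3
    assert not is_qr_mod_prime(-1, p) and not is_qr_mod_prime(-1, q)
    N = p * q
    return N, r * r % N


def H(key, x, b):
    """H((N, y), (x, b)) = ±(y^b x^2 mod N), folded into {1, ..., (N-1)/2}."""
    N, y = key
    assert 1 <= x <= (N - 1) // 2 and b in (0, 1)
    z = pow(y, b, N) * x * x % N
    return z if z <= (N - 1) // 2 else N - z


def find_collisions(key):
    """Toy N only: hash the entire domain and return every colliding pair.
    The domain has N-1 points and the range (N-1)/2, so collisions must exist."""
    N, _ = key
    buckets = {}
    for x, b in product(range(1, (N - 1) // 2 + 1), (0, 1)):
        buckets.setdefault(H(key, x, b), []).append((x, b))
    return [pair for pre in buckets.values() for pair in combinations(pre, 2)]


def factor_from_collision(key, r, collision):
    """The slide's extraction, run by the party that generated y = r^2.
    Returns (p, q) or None when the collision is the unlucky kind (extracted root is ±r)."""
    N, y = key
    (x0, b0), (x1, b1) = collision
    g = gcd(x0 * x1, N)
    if g > 1:                                  # an input sharing a factor with N gives it away
        return g, N // g
    if b0 == b1:
        g = gcd(x0 - x1, N)                    # x0^2 = x1^2 with x0 != ±x1: gcd splits N
    else:
        if b0 == 0:                            # arrange b0 = 1 so that y = (x1/x0)^2
            x0, x1 = x1, x0
        s = x1 * pow(x0, -1, N) % N
        assert s * s % N == y                  # the -y case cannot occur: -1 is a non-residue
        g = gcd(s - r, N)                      # splits N unless s = ±r
    return (g, N // g) if 1 < g < N else None
```

The pair (1,0), (34,0) collides because 34^2 = 1156 = 1 mod 77, and gcd(1 - 34, 77) = 11; the pair (1,1), (3,0) also collides (both hash to y = 9), but its extracted root is r itself and yields nothing, which is the probability-½ loss in the theorem.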
Is Composite N Necessary for Square Roots to be Hard?
Let p be a prime, and suppose p = 3 mod 4

Given a QR x mod p, how to compute a square root?

Hint: recall Fermat: x^{p-1} = 1 mod p for all x ≠ 0

Hint: what is x^{(p+1)/2} mod p?
(x^{(p+1)/2} = x · x^{(p-1)/2} = x, since x^{(p-1)/2} = 1 for a QR by Euler's criterion.  So x^{(p+1)/4}, an integer power exactly because p = 3 mod 4, squares to x: it is a square root, computable with one modular exponentiation)

Solving Quadratic Equations
In general, solving quadratic equations is:
• Easy over prime moduli
• As hard as factoring over composite moduli (of unknown factorization)
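Square roots modulo a prime and modulo a composite, as an added example that is not from the slides. It covers the CRT slide, the p = 3 mod 4 exponentiation trick, and the factoring-from-square-roots reduction: an oracle that knows p and q returns some root of x^2, and the reduction recovers the factors with a gcd. N = 77 = 7·11 is this example's own toy modulus, and the oracle that always returns the smallest root is the example's stand-in for the algorithm A of the slide.

```python
from math import gcd
import secrets


def crt(x, p, y, q):
    """The unique z in Z_N, N = pq, with z = x mod p and z = y mod q (the slide's formula:
    the first summand is 0 mod p and y mod q, the second is x mod p and 0 mod q)."""
    N = p * q
    return (p * y * pow(p, -1, q) + q * x * pow(q, -1, p)) % N


def sqrt_mod_prime_3mod4(y, p):
    """For p = 3 mod 4 and y a QR mod p: y^((p+1)/4) is a square root, because
    y^((p+1)/2) = y * y^((p-1)/2) = y by Euler's criterion (y^((p-1)/2) = 1 for a QR)."""
    assert p % 4 == 3
    r = pow(y, (p + 1) // 4, p)
    if r * r % p != y % p:
        raise ValueError(f"{y} is not a quadratic residue mod {p}")
    return r


def all_sqrt_mod_N(y, p, q):
    """All four square roots of a QR y mod N = pq (y coprime to N): combine ±root mod p
    with ±root mod q via CRT."""
    rp, rq = sqrt_mod_prime_3mod4(y, p), sqrt_mod_prime_3mod4(y, q)
    return sorted({crt(sp, p, sq, q) for sp in (rp, p - rp) for sq in (rq, q - rq)})


def factor_with_sqrt_oracle(N, sqrt_oracle, rng=secrets.randbelow, tries=64):
    """The slide's reduction: pick x, ask the oracle for a root y of x^2 mod N.
    The oracle cannot tell which of the four roots we hold, so with probability 1/2
    y is not ±x, and then gcd(x - y, N) is a nontrivial factor."""
    for _ in range(tries):
        x = 1 + rng(N - 1)
        g = gcd(x, N)
        if g != 1:                          # x already shares a factor with N
            return g, N // g
        y = sqrt_oracle(x * x % N)
        if y not in (x, N - x):
            g = gcd(x - y, N)
            return g, N // g
    return None
```

Over ℤ_7 the root of 2 is 2^2 = 4; over ℤ_77 the value 4 has the four roots 2, 9, 68, 75, and whenever the oracle hands back one of the two that are not ±x the gcd step splits 77 into 7 and 11.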
Other Powers?
What about x → x^4 mod N?  x → x^6 mod N?

The function x → x^3 mod N appears quite different
• Suppose 3 is relatively prime to p-1 and q-1
• Then x → x^3 mod p is injective for x ≠ 0
• Let a be such that 3a = 1 mod p-1
• (x^3)^a = x^{1+k(p-1)} = x (x^{p-1})^k = x mod p
• By CRT, x → x^3 mod N is injective for x ∈ ℤ_N^*

x^3 mod N
What does injectivity mean?

Cannot base hardness on factoring, at least not by the square-root argument.  Try to adapt the algorithm for square roots:
• Choose a random z mod N
• Compute y = z^3 mod N
• Run the inverter on y to get a cube root x
• Let p = GCD(z-x, N), q = N/p
• This fails: since cubing is injective on ℤ_N^*, the only cube root is x = z, so GCD(z-x, N) = N and the inverter tells the reduction nothing it did not already know
RSA Problem
Given
• N = pq,
• e such that GCD(e,p-1) = GCD(e,q-1) = 1,
• y = x^e mod N for a random x

Find x

Injectivity means we cannot base hardness on factoring by the above argument, but the problem is still conjectured to be hard

(e,t,ε)-RSA Assumption (stated here for e = 3): For any algorithm A running in time at most t,
Pr[x ← A(N, x^3 mod N) :
   N = pq and p, q random λ-bit primes s.t. GCD(3,p-1) = GCD(3,q-1) = 1,
   x ← ℤ_N^*] ≤ ε
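The cube map on a toy RSA modulus, as an added example that is not from the slides: it checks injectivity on ℤ_N^* against squaring, inverts cubes with the trapdoor exponent d (the per-prime exponent a of the slide, combined into one exponent mod (p-1)(q-1)), and runs the "adapted square-root reduction" to show that it returns GCD(z-x, N) = N every time. N = 187 = 11·17 is this example's own modulus (3 is coprime to 10 and 16).

```python
from math import gcd


def rsa_setup(p, q, e=3):
    """N = pq and the inverse exponent d with e*d = 1 mod (p-1)(q-1);
    requires gcd(e, p-1) = gcd(e, q-1) = 1, which is exactly when x -> x^e is injective."""
    assert gcd(e, p - 1) == 1 and gcd(e, q - 1) == 1
    N = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return N, d


def power_map_is_injective_on_units(N, e):
    """Brute-force check (toy N): does x -> x^e mod N send distinct units to distinct values?"""
    units = [x for x in range(1, N) if gcd(x, N) == 1]
    return len({pow(x, e, N) for x in units}) == len(units)


def invert_with_trapdoor(y, N, d):
    """(x^e)^d = x^(1 + k(p-1)(q-1)) = x mod N by Euler's theorem (and by CRT for non-units)."""
    return pow(y, d, N)


def adapted_sqrt_reduction(N, inverter, z):
    """The slide's attempt to factor N from a cube-root finder: y = z^3, x = inverter(y),
    output gcd(z - x, N). Since cubing is injective the only root is x = z, so this is N."""
    y = pow(z, 3, N)
    x = inverter(y)
    return gcd(z - x, N)
```

With e = 2 the same brute-force check fails (1 and 186 both square to 1), which is the difference between the square-root reduction that works and the cube-root one that cannot.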
Application: PRGs
Let F(x) = x^3 mod N, h(x) = least significant bit of x

G(x) = ( F(x), h(x) ): F(x) becomes the next state and h(x) the output bit, so iterating (output h(x), replace x by F(x)) stretches a seed to any number of bits

Theorem: If the (e,t,ε)-RSA Assumption holds, then G(x) = ( F(x), h(x) ) is a (t-t',ε')-secure PRG
Crypto from Minimal Assumptions
We've seen many ways to build crypto:
• SPN networks
• LFSRs
• Discrete Log
• Factoring

Questions:
• Can common techniques be abstracted out as theorem statements?
• Can every technique be used to build every application?
One-way Functions
The minimal assumption for crypto

Syntax:
• Domain D
• Range R
• Function F: D → R
No correctness properties other than being deterministic

Security?

Definition (first attempt): F is (t,ε)-One-Way if, for all A running in time at most t,
Pr[x ← A(F(x)) : x ← D] < ε

Trivial example showing this attempt is too weak:
F(x) = parity of x
Given F(x), it is impossible to predict x exactly, yet F is easy to "invert" in the sense that matters: any x' of the right parity is a preimage

Security

Definition: F is (t,ε)-One-Way if, for all A running in time at most t,
Pr[F(x) = F(y) : y ← A(F(x)), x ← D] < ε
Examples
Any PRG

Any collision-resistant hash function (with sufficient compression)

F(p,q) = pq (for primes p, q)

F(g,a) = (g, g^a)

F(N,x) = (N, x^3 mod N) or F(N,x) = (N, x^2 mod N)

What's Known
[Diagram of implications between primitives, arrows lost in extraction: OWF, PRG, PRF, PRP, CRH, MAC, Enc, Com, Authenticated Enc]

So Far
[Diagram of the implications shown in the course so far, arrows lost in extraction: OWF, CRH, PRF, PRP, PRG, Com, MAC, Enc, Authenticated Enc]
Plus arrows from everything to one-way functions

Our Goal: Fill in Remaining Arrows
Hardcore Bits
Let F be a one-way function with domain D, range R

Definition: A function h: D → {0,1} is a (t,ε)-hardcore bit for F if, for any A running in time at most t,
| Pr[1 ← A(F(x), h(x)) : x ← D]
  - Pr[1 ← A(F(x), b) : x ← D, b ← {0,1}] | ≤ ε

In other words, even given F(x), it is hard to guess h(x) noticeably better than a coin flip


Examples of Hardcore Bits
Define lsb(x) as the least significant bit of x

For x ∈ ℤ_N, define Half(x) as 1 iff 0 ≤ x < N/2

Theorem: Let p be a prime, and F: ℤ_p^* → ℤ_p^* be F(x) = g^x mod p, for some generator g
Half is a hardcore bit for F (assuming F is one-way)

Theorem: Let N be a product of two large primes p, q, and F: ℤ_N^* → ℤ_N^* be F(x) = x^e mod N for some e relatively prime to (p-1)(q-1)
lsb and Half are hardcore bits for F (assuming RSA)

Theorem: Let N be a product of two large primes p, q, and F: ℤ_N^* → ℤ_N^* be F(x) = x^2 mod N
lsb and Half are hardcore bits for F (assuming factoring)
Goldreich-Levin Hardcore Bit
Let F be a OWF with domain {0,1}^n and range R

Let F': {0,1}^{2n} → {0,1}^n × R be:
F'(r, x) = (r, F(x))

Define h(r, x) = <r, x> = Σ_i r_i x_i mod 2

Theorem (Goldreich-Levin): If F is (t,ε)-one-way, then h is a ( poly(t,1/ε), poly(ε) )-hardcore bit for F'
Application: PRGs
Suppose F is a permutation (D = R and F is one-to-one)

Let F', h be from Goldreich-Levin

G(r, x) = ( r, F(x), h(r,x) ) outputs one more bit than it reads in; iterating with r fixed (output h(r,x), replace x by F(x)) gives a PRG of any length

Hardcore Bits
A hardcore bit for any OWF

Implies PRG from any one-way permutation
• PRG from DLog (Blum-Micali)
• PRG from RSA
• PRG from Factoring

Actually, can construct a PRG from any OWF (Håstad, Impagliazzo, Levin, Luby)
• Proof beyond scope of course
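The PRG built from a one-way permutation and a hardcore bit, iterated Blum-Micali style, as an added example that is not from the slides. It serves both the RSA-based PRG slide earlier (F(x) = x^3 mod N with lsb) and the Goldreich-Levin construction here (hardcore bit <r, x> with r fixed and public). The permutation is the cube map on the toy modulus N = 667 = 23·29, this example's own choice (3 is coprime to 22 and 28); the seed 2 and r = 3 are likewise the example's constants, and a 10-bit modulus demonstrates the mechanics only, not security.

```python
def rsa_cube_permutation(p, q):
    """x -> x^3 mod N on Z_N^* (a permutation when gcd(3, p-1) = gcd(3, q-1) = 1),
    returned together with the trapdoor map that inverts it."""
    N = p * q
    d = pow(3, -1, (p - 1) * (q - 1))
    return N, (lambda x: pow(x, 3, N)), (lambda y: pow(y, d, N))


def hardcore_lsb(x):
    """The lsb hardcore bit of the RSA slide."""
    return x & 1


def goldreich_levin_bit(r, x):
    """h(r, x) = <r, x> = sum_i r_i x_i mod 2 = parity of the positions where r and x both have a 1."""
    return bin(r & x).count("1") & 1


def prg_iterate(F, h, seed, out_bits):
    """Blum-Micali: s_0 = seed; each round outputs h(s_i) and advances s_{i+1} = F(s_i).
    Returns the output bits and the final state (itself pseudorandom, just as
    G(x) = (F(x), h(x)) hands out F(x) in the clear)."""
    bits, s = [], seed
    for _ in range(out_bits):
        bits.append(h(s))
        s = F(s)
    return bits, s


def prg_with_gl(F, r, seed, out_bits):
    """F'(r, x) = (r, F(x)) with hardcore bit <r, x>: r is part of the public output,
    so the same r is reused every round and only x is iterated."""
    return prg_iterate(F, lambda x: goldreich_levin_bit(r, x), seed, out_bits)


def rewind(F_inv, state, rounds):
    """Sanity check that F is a permutation: inverting `rounds` times recovers the seed."""
    for _ in range(rounds):
        state = F_inv(state)
    return state
```

From seed 2 the state sequence is 2, 8, 512, 653, 591, 577, 31, 443, 193; the lsb generator emits 0,0,0,1,1,1,1,1 and the GL generator with r = 3 emits 1,0,0,1,0,1,0,0, and eight trapdoor inversions from 193 land back on the seed.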
So Far
[Diagram, arrows lost in extraction: the OWF/CRH/PRF/PRP/PRG/Com/MAC/Enc/Authenticated Enc implication graph, updated after the hardcore-bit results]
Plus arrows from everything to one-way functions
Reminders
HW5 due next week

Keep working on project
