🌑

Hi Folks.
Home Explore About
Explore / Study / Computer Science / Cryptography 1.5k words | 9 minutes

§13 One-way Functions, Cyclic Groups, Discrete Log and Diffie-Hellman Problems

  1. One-Way Functions
    1. One-Way Functions: Definition
    2. A One-Way Function based on the Factoring Assumption
  2. Cyclic Groups
    1. Order of a Group Element
    2. Cyclic Groups
    3. Cyclic Groups: Groups of Prime Order
    4. Cyclic Groups: Zp∗\mathbb{Z}^*_pZp∗​
  3. Discrete Log and Diffie-Hellman Problems
    1. Discrete-Logarithm problem
    2. Discrete-Logarithm Experiment DLog⁡A,G(n)\operatorname{DLog}_{\mathscr{A},\mathscr{G}}(n)DLogA,G​(n)
    3. Discrete-Logarithm problem: Security
    4. Diffie-Hellman Problems: Computational Diffie-Hellman (CDH)
    5. Diffie-Hellman Problems: Decisional Diffie-Hellman (DDH)
    6. DDH problem (Formal)

One-Way Functions

One-Way Functions: Definition

  • Definition. The inverting experiment InvertA,f(n)\operatorname{Invert}_{\mathscr{A}, f}(n):
    1. Choose uniform x{0,1}nx \in \{0,1\}^n, and compute y:=f(x)y := f(x).
    2. Adversary A\mathscr{A} is given 1n1^n and yy as inputs. A\mathscr A outputs xx'.
    3. A\mathscr A succeeds and the experiment evaluates to 11 if and only if f(x)=yf(x') = y.
  • Definition. A function f:{0,1}{0,1}f : \{0,1\}^* \rightarrow \{0,1\}^* is one-way if the following two conditions hold:

    1. (Easy to compute): There is a polynomial-time algorithm that on input xx outputs f(x)f(x).

    2. (Hard to invert): For all PPT algorithms A\mathscr A there is a negligible function ϵ(n)\epsilon(n) such that:

      Pr[InvertA,f(n)=1]ϵ(n)\Pr [\operatorname{Invert}_{\mathscr{A}, f}(n) = 1] \le \epsilon(n)

A One-Way Function based on the Factoring Assumption

  • Given 1n1^n and GenModulusGenModulus, define the (deterministic) function fGenf_{Gen} as follows:
    • Input: String xx of length nn.
    • Output: Integer NN.
    • compute (N,p,q):=GenModulus(1n;x)(N, p, q) := GenModulus(1^n; x), i.e., run Gen(1n)Gen(1^n) using random tape xx.
    • return NN.
  • Theorem. If the Factoring problem is hard relative to GenModulusGenModulus, then fGenf_{Gen} is a one-way function.

Cyclic Groups

Order of a Group Element

  • Definition. Let G\mathbb{G} be a finite group of order mm. Let gGg \in \mathbb{G} be an arbitrary element. The order of gg is the smallest positive integer ii such that gi=1g^i = 1.
    • Let G\mathbb{G} be a finite group of order mm. Let gGg \in \mathbb{G} be an arbitrary element.
    • Consider the set g:={g0,g1,}\langle g \rangle := \{g_0, g_1, \ldots \}. By Fermat’s Little Theorem, we know that gm=1g^m = 1.
    • Let imi \le m be the smallest positive integer for which gi=1(=g0)g^i = 1 ( = g^0). g={g0,,gi1}\langle g \rangle = \{g^0, \ldots, g^{i-1}\}.
    • g\langle g \rangle contains exactly ii elements. Furthermore, g\langle g \rangle is a subgroup of G\mathbb{G} for any gg.

Cyclic Groups

  • Definition. If an element gGg \in \mathbb{G} has order G=m| \mathbb{G} | = m, then g=G\langle g \rangle = \mathbb{G}.

    In this case, we call G\mathbb{G} a Cyclic Group and say that gg is a Generator of G\mathbb{G}.

Cyclic Groups: Groups of Prime Order

  • Theorem: If G\mathbb{G} is a group of prime order pp, then G\mathbb{G} is cyclic.

    Furthermore, all elements of G\mathbb{G} except the identity element are generators of G\mathbb{G}.

Cyclic Groups: Zp\mathbb{Z}^*_p

  • Theorem: If pp is prime, then Zp\mathbb{Z}^*_p is cyclic (of order p1p - 1).

Discrete Log and Diffie-Hellman Problems

Discrete-Logarithm problem

  • Fix a cyclic group G\mathbb{G} of order qq, and generator gGg \in \mathbb{G}.

    We know that: {g0,g1,,gq1}=G\{g_0, g_1, \ldots, g_{q-1}\} = \mathbb{G}.

    Equivalently, for every hGh \in \mathbb{G}, there is a unique xZqx \in \mathbb{Z}_q, such that gx=hg^x = h.

  • Define loggh\log_g h to be this xx. This is the discrete logarithm of hh with respect to gg (in the group G\mathbb{G}).

    Discrete Logarithm problem in G\mathbb{G}: Given gGg \in \mathbb{G}, and uniform hGh \in \mathbb{G}, compute loggh\log_g h.

  • Discrete Logarithms obey same rules as standard logs:

    logg1=0log_g 1 = 0

    logghr=[rlogghmodq]log_g h^r = [r \cdot log_g h \bmod q]

    logg(h1h2)=[(loggh1+loggh2)modq]log_g (h_1 h_2) = [(\log_g h_1 + \log_g h_2) \bmod q]

Discrete-Logarithm Experiment DLogA,G(n)\operatorname{DLog}_{\mathscr{A},\mathscr{G}}(n)

  • For a group generation algorithm G\mathscr{G}, algorithm A\mathscr{A}, and parameter nn, define the experiment DLogA,G(n)\operatorname{DLog}_{\mathscr{A},\mathscr{G}}(n):
    1. Run G(1n)\mathscr{G}(1^n) to obtain (G,q,g)(\mathbb{G}, q, g), i.e., (G,q,g)G(1n)(\mathbb{G}, q, g) \leftarrow \mathscr{G}(1^n).
    2. Choose uniform hGh \in \mathbb{G}.
    3. A\mathscr A is given (G,q,g,h)(\mathbb{G}, q, g, h), and outputs xZqx \in \mathbb{Z}_q.
    4. A\mathscr{A} succeeds and the experiment evaluates to 11 if and only if gx=hg^x = h, and 00 otherwise.

Discrete-Logarithm problem: Security

  • Definition. The Discrete Logarithm problem is hard relative to G\mathscr{G} if for all probabilistic polynomial time algorithms A\mathscr{A}, there exists a negligible function ϵ(n)\epsilon(n) such that:

    Pr[DLogA,G(n)=1]ϵ(n)\Pr [\operatorname{DLog}_{\mathscr{A},\mathscr{G}}(n) = 1] \le \epsilon(n)

Diffie-Hellman Problems: Computational Diffie-Hellman (CDH)

  • Fix cyclic group G\mathbb{G} of order qq, and generator gGg \in \mathbb{G}.

    Given elements h1,h2Gh_1, h_2 \in \mathbb{G}, define DHg(h1,h2):=gloggh1loggh2\operatorname{DH}_g (h_1, h_2) := g^{\log_g h_1 \cdot \log_g h_2}.

    That is, if h1=gx1h_1 = g^{x_1}, h2=gx2h_2 = g^{x_2}, then DHg(h1,h2)=gx1x2=h1x2=h2x1\operatorname{DH}_g (h_1, h_2) = g^{x_1 \cdot x_2} = h^{x_2}_1 = h^{x_1}_2.

  • CDH problem in G\mathbb{G} (Informal): Given gGg \in \mathbb{G}, and uniform h1,h2Gh_1, h_2 \in \mathbb{G}, compute DHg(h1,h2)\operatorname{DH}_g (h_1, h_2).

Diffie-Hellman Problems: Decisional Diffie-Hellman (DDH)

  • Fix cyclic group G\mathbb{G} of order qq, and generator gGg \in \mathbb{G}.

    Given elements h1,h2Gh_1, h_2 \in \mathbb{G}, define DHg(h1,h2):=gloggh1loggh2\operatorname{DH}_g (h_1, h_2) := g^{\log_g h_1 \cdot \log_g h_2}.

    That is, if h1=gx1h_1 = g^{x_1}, h2=gx2h_2 = g^{x_2}, then DHg(h1,h2)=gx1x2=h1x2=h2x1\operatorname{DH}_g (h_1, h_2) = g^{x_1 \cdot x_2} = h^{x_2}_1 = h^{x_1}_2.

  • DDH problem in G\mathbb{G} (Informal): Given gGg \in \mathbb{G}, and uniform h1,h2Gh_1, h_2 \in \mathbb{G}, distinguish DHg(h1,h2)\operatorname{DH}_g (h_1, h_2) from a uniform group element in G\mathbb{G}.

DDH problem (Formal)

  • Let G\mathscr{G} be a group-generation algorithm. On input 1n1^n, G\mathscr{G} outputs a cyclic group G\mathbb{G}, its order qq, (with bit length q=n\|q\| = n), and a generator gg.

  • Definition. The DDH problem is hard relative to G\mathscr G if for all PPT algorithms A\mathscr{A}, there is a negligible function ϵ(n)\epsilon(n) such that:

    Pr[A(G,q,g,gx,gy,gz)=1]Pr[A(G,q,g,gx,gy,gxy)=1]ϵ(n)\left|\operatorname{Pr}\left[\mathscr{A}\left(\mathbb{G}, q, g, g^{x}, g^{y}, g^{z}\right)=1\right]-\operatorname{Pr}\left[\mathscr{A}\left(\mathbb{G}, q, g, g^{x}, g^{y}, g^{x \cdot y}\right)=1\right]\right| \leq \epsilon(n)

    where the probabilities are taken over the experiment in which G(1n)\mathscr{G}(1^n) outputs (G,q,g)(\mathbb{G}, q, g) and then uniform x,y,zZqx, y, z \in \mathbb{Z}_q are chosen.

— Mar 21, 2023

Related: ,
Creative Commons License
§13 One-way Functions, Cyclic Groups, Discrete Log and Diffie-Hellman Problems by Lu Meng is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Permissions beyond the scope of this license may be available at About.

Made with ❤ at Earth.

Buy me a coffee GitHub LinkedIn Instagram Bilibili