1:
% ACM Computing Surveys layout: class acmtrans2m with the acmcsur option.
2: \documentclass[acmcsur]{acmtrans2m}
3:
4: %
5: %
6: %
7: %
8:
% Running heads (author / short title); must precede \maketitle.
9: \markboth{J\"{o}rg Rothe}{Some Facets of Complexity Theory and Cryptography}
10:
11: \title{Some Facets of Complexity Theory and Cryptography:
12: A Five-Lectures Tutorial}
13:
% Accented characters are written as TeX escapes, so the title block does
% not depend on the input encoding selected further down.
14: \author{
15: J\"{O}RG ROTHE \\
16: Heinrich-Heine-Universit\"at D\"usseldorf
17: }
18:
19: %
20:
% Drawing packages. eepic extends epic, so the conventional order is epic
% first; NOTE(review): this line loads eepic before epic -- confirm that eepic
% pulls in epic on its own, otherwise swap the two.
21: \usepackage{eepic,epic}
22: %
% Symbol and math support (latexsym for the old LaTeX symbols, AMS fonts,
% amsmath environments, amssymb for e.g. \nleq used in the reduction macros).
23: \usepackage{latexsym}
24: \usepackage{amsfonts}
25: \usepackage{amsmath}
26: \usepackage{amssymb}
27:
% The source is Latin-1; the accented names in the title block use TeX
% escapes anyway, so only raw 8-bit characters in the body depend on this.
28: \usepackage[latin1]{inputenc}
% psfig is obsolete (graphicx is the modern replacement); it is kept because
% \setgheine further down calls \psfig directly.
29: \usepackage{psfig}
30:
31:
32: %
33: %
34: %
35: %
36: %
37:
38: %
39: %
40: %
41: %
42:
43:
44:
% Keep a copy of the kernel \ensuremath under a second name; \upa and
% \sparses below call \ensuremathTEMP instead of \ensuremath.
45: \let\ensuremathTEMP\ensuremath
46: \newcommand{\oldimplies}{\:\Rightarrow\:}
% Quantifier-style big operators: \Band{x}{range}{term} prints
% (\bigwedge x : range : term), likewise \Bor and \SUM.
47: \newcommand{\band}{\bigwedge}
48: \newcommand{\Band}[3]{(\bigwedge#1\!\!:\,#2\!\!:\,#3)}
49: \newcommand{\bor}{\bigvee}
50: \newcommand{\Bor}[3]{(\bigvee#1\!\!:\,#2\!\!:\,#3)}
% \def performs no "already defined" check; \newcommand would report a clash.
51: \def\union{\,\bigcup}
52: \def\inter{\,\bigcap}
53: \newcommand{\true}{\mbox{\it true}}
54: \newcommand{\false}{\mbox{\it false}}
55: \newcommand{\SUM}[3]{ (\sum #1 \!\! : \, #2 \!\!:\, #3) }
% Program-notation keywords, set in bold: if/fi, do/od, skip, cobegin/coend.
% \IF, \GC, \BB and \DO append the guard arrow after their argument.
56: \newcommand{\IFS}{\mbox{\bf if}}
57: \newcommand{\IF}[1]{ \mbox{\bf if} \, #1 \, \rightarrow \, }
58: \newcommand{\GC}[2]{ #1 \, \rightarrow \, #2 }
% Width of the printed keyword "fi"; f{}i suppresses the fi ligature so the
% measured width matches what \FI prints.
59: \newlength{\filength}
60: \settowidth{\filength}{\mbox{\bf f{}i}}
% An empty framed box exactly as wide as "fi", used by \BB as the separator
% in front of a guard.
61: \newsavebox{\gcbox}
62: \sbox{\gcbox}{\framebox[\filength]{\rule{0ex}{2ex}}}
63: \newcommand{\BB}[1]{\usebox{\gcbox}\; #1 \, \rightarrow \, }
64: \newcommand{\FI}{\; \mbox{\bf f{}i}}
65: \newcommand{\Skip}{ \mbox{\bf skip} }
66: \newcommand{\DOS}{\mbox{\bf do}}
67: \newcommand{\DO}[1]{\mbox{\bf do} \, #1 \, \rightarrow \,}
68: \newcommand{\OD}{\mbox{\bf od}}
69: \newcommand{\cobegin}{{\bf cobegin}\,}
% Overrides the kernel \| (double vertical bar) with a "//" separator.
70: \renewcommand{\|}{\, // \,}
71: \newcommand{\coend}{\,{\bf coend}}
72: \newcommand{\Set}[1]{ \hbox{\bf\{} #1 \hbox{\bf\}}}
73: \newcommand{\Bag}[1]{ \{\!| #1 |\!\}}
% Hoare triple {pre} stmt {post}.
74: \newcommand{\hoare}[3]{\{{#1}\}\:{#2}\:\{{#3}\}}
% Overrides the kernel \wp (Weierstrass p) with a two-argument wp(.,.)
% (presumably weakest precondition); the original symbol is lost.
75: \renewcommand{\wp}[2]{ {\it wp}({#1},{#2})}
76: \newcommand{\assert}[1]{\!\{#1\}}
77: \newcommand{\atom}[1]{\langle\,{#1}\,\rangle}
78: \newcommand{\lbl}[1]{{#1 \!:\;\,}}
79: \newcommand{\pre}[1]{ {\it pre}({#1})}
80: \newcommand{\post}[1]{ {\it post}({#1}) }
81: \newcommand{\NI}[2]{ {\it NI}({#1},{#2}) }
% E_{#1}^{#2}(#3) and R_{#1}^{#2}(#3): equivalence / reducibility classes
% indexed by reduction type (#1) and resource (#2).
82: \newcommand{\equi}[3]{ { {\rm E}_{#1}^{#2}({#3}) } }
83: \newcommand{\red}[3]{ { {\rm R}_{#1}^{#2}({#3}) } }
84: \newcommand{\sparse}{{{\rm SPARSE}}}
85: \newcommand{\tally}{{{\rm TALLY}}}
% Inference-rule layout: premise over conclusion, top-aligned.
86: \newcommand{\inferfrom}[2]{\begin{array}[t]{c}\displaystyle
87: \frac{#1}{#2}\end{array}}
88: %
89: %
% Theorem-like environments. All of them share the "theorem" counter, which
% is numbered within sections.
90: \newtheorem{theorem}{Theorem}[section]
91: \newtheorem{corollary}[theorem]{Corollary}
92: \newtheorem{claim}[theorem]{Claim}
93: \newtheorem{method}[theorem]{Method}
94: \newtheorem{openquestion}[theorem]{Open Question}
95: \newtheorem{pausetoponder}[theorem]{Pause to Ponder}
96: %
97: %
98: %
99: %
100: %
101: %
102: %
103: %
104: %
% End-of-proof marks. \qedblob is a filled rectangle; \literalqed pushes it
% to the right margin without allowing a line break in front of it.
105: \newcommand{\qedblob}{\mbox{\rule[-1.5pt]{5pt}{10.5pt}}}
106: \def\literalqed{{\ \nolinebreak\hfill\mbox{\qedblob\quad}}}
107: \def\qedcareful{\literalqed}
% \def silently replaces any \qed a class or package may already provide.
108: \def\qed{\literalqed}
% Decorative variant: a large open box with a heart superscript.
109: \def\trueloveqed{{\ \nolinebreak\hfill\mbox{\boldmath
110: \Huge$ \Box$}\nolinebreak\mbox{$\!\!\!\!\!\!
111: {}^{\normalsize\heartsuit}$}}}
112: %
113: %
114: \newtheorem{lemma}[theorem]{Lemma}
115: \newtheorem{observation}[theorem]{Observation}
116: \newtheorem{fact}[theorem]{Fact}
117: \newtheorem{proposition}[theorem]{Proposition}
% \newdef is not a kernel command; presumably supplied by acmtrans2m as the
% upright-body counterpart of \newtheorem -- confirm.
118: \newdef{definition}[theorem]{Definition}
119: \newdef{remark}[theorem]{Remark}
120: \newdef{example}[theorem]{Example}
121: %
% Hyphenation exceptions. Entries written without a hyphen (theory, theorem,
% circuit, threshold, ...) tell TeX never to break those words; the hyphenated
% entries fix the break points for author names and technical terms.
122: \hyphenation{theory theoretical area areas theorem theorems}
123: \hyphenation{par-allel par-allelize par-allelized threshold}
124: \hyphenation{circuits circuit}
125: \hyphenation{Hema-chan-dra Hema-spaan-dra}
126: \hyphenation{area areas}
127: \hyphenation{ent-schei-dungs-prob-lem}
128: \hyphenation{Wa-ta-na-be Ogi-ha-ra Mi-tsu-no-ri Thierauf}
129:
130:
131:
132:
133: %
134:
135: %
136: %
137: %
138: %
% Local patch of the kernel's \@citex. Keys of a multi-key \cite are
% separated by ",\linebreak[0]" (a comma followed by a permitted break point)
% so that long citation lists can wrap; an undefined key prints a bold "?"
% and raises a warning naming the key and page. Being in the preamble, this
% overrides whatever citation code acmtrans2m installs -- confirm that is
% intended.
139: \makeatletter
140: \def\@citex[#1]#2{\if@filesw\immediate\write\@auxout{\string\citation{#2}}\fi
141: \def\@citea{}\@cite{\@for\@citeb:=#2\do
142: {\@citea\def\@citea{,\linebreak[0]}\@ifundefined
143: {b@\@citeb}{{\bf ?}\@warning
144: {Citation `\@citeb' on page \thepage \space undefined}}%
145: \hbox{\csname b@\@citeb\endcsname}}}{#1}}
146: \makeatother
147:
148: %
149:
150: %
151: %
152: %
153: %
154: %
155: %
156:
157: %
158: %
% Sets of natural numbers (blackboard bold N, with optional lower bound).
159: \newcommand{\naturalnumber}{\ensuremath{{ \mathbb{N} }}}
160: %
161: \newcommand{\naturalnumberpositive}{\ensuremath{{ \mathbb{N}^+ }}}
162: %
163: \newcommand{\naturalfromtwo}{\ensuremath{{ \mathbb{N}^{\geq 2} }}}
164: \newcommand{\naturalfromthree}{\ensuremath{{ \mathbb{N}^{\geq 3} }}}
% Equations are printed as section.number. NOTE(review): nothing here resets
% the equation counter at a new section (amsmath's
% \numberwithin{equation}{section} would); unless the class does it, the
% running number keeps growing across sections. \makeatletter is not needed
% for this \renewcommand but is harmless.
165: \makeatletter %
166: \renewcommand{\theequation}{\thesection.\arabic{equation}}
167: %
168: \makeatother
% Complexity-class names and related notation, set upright. Several names
% exist twice (\e/\E, \NE/\ne, \NP/\np); the \mbox variants are usable in
% text, the {\rm ...} variants only in math mode.
169: \newcommand{\sharpp}{{\rm \#P}}
170: \newcommand{\sharpsat}{{\rm \#SAT}}
171: \newcommand{\sat}{{\rm SAT}}
172: \newcommand{\qbf}{{\rm QBF}}
173: \newcommand{\parityp}{{\rm \oplus P}}
174: \newcommand{\up}{\mbox{\rm UP}}
175: \newcommand{\us}{{\rm US}}
176: \newcommand{\fewnp}{{\rm FewNP}}
177: \newcommand{\fewp}{{\rm FewP}}
178: \newcommand{\coup}{\mbox{\rm coUP}}
179: \newcommand{\e}{{\rm E}}
180: \newcommand{\E}{{\rm E}}
% Overrides the kernel math operator \exp (exponential function): from here
% on \exp typesets the class EXP.
181: \renewcommand{\exp}{{\rm EXP}}
182: \newcommand{\NE}{{\rm NE}}
% Overrides the kernel relation \ne (not-equal) with the class NE; the
% document therefore spells not-equal as \neq (see \pisnotnp below).
183: \renewcommand{\ne}{{\rm NE}}
184: \newcommand{\nexp}{{\rm NEXP}}
185: \newcommand{\p}{\mbox{\rm P}}
186: \newcommand{\littlep}{{\rm p}}
187: \newcommand{\NP}{{\rm NP}}
188: \newcommand{\ssf}{{\rm SSF}}
189: \newcommand{\np}{\mbox{\rm NP}}
190: \newcommand{\scriptnp}{\mbox{\protect\scriptsize\rm NP}}
191: \newcommand{\ip}{\mbox{\rm IP}}
192: \newcommand{\lh}{{\rm LH}}
193: \newcommand{\elh}{{\rm ELH}}
194: \newcommand{\hh}{{\rm HH}}
195: \newcommand{\nt}{{\rm NT}}
196: \newcommand{\nnt}{{\rm NNT}}
197: \newcommand{\parityoptp}{{\rm \oplus{}OptP}}
198: \newcommand{\optp}{{\rm OptP}}
199: \newcommand{\diffp}{{\rm D^P}}
200: \newcommand{\pp}{{\rm PP}}
201: \newcommand{\bpp}{\mbox{\rm BPP}}
202: \newcommand{\zpp}{\mbox{\rm ZPP}}
203: \newcommand{\rp}{\mbox{\rm R}}
204: \newcommand{\cor}{\mbox{\rm coR}}
% Text-mode macro: "NP-complete" with a discretionary hyphen.
205: \newcommand{\npc}{$\np$-com\-plete}
206: \newcommand{\conp}{\mbox{\rm coNP}}
207: \newcommand{\pspace}{\mbox{\rm PSPACE}}
208: \newcommand{\eespace}{{\rm EESPACE}}
209: \newcommand{\dspace}{{\rm DSPACE}}
210: \newcommand{\co}{\ensuremath{ {\rm co}}}
211: \newcommand{\psp}{\ensuremath{\pspace}}
% Relativized classes: base class with the oracle class as superscript.
212: \newcommand{\pnexp}{\ensuremath{\p^\nexp}}
213: \newcommand{\npnexp}{\ensuremath{\np^\nexp}}
214: \newcommand{\nenp}{\ensuremath{\ne^\np}}
215: \newcommand{\enp}{\ensuremath{\e^\np}}
216: \newcommand{\pnp}{\ensuremath{\p^\np}}
217: \newcommand{\pnplog}{\ensuremath{\p^{\np[\log ]}}}
218: \newcommand{\nexpnp}{\ensuremath{\nexp^\np}}
219: \newcommand{\coNP}{\ensuremath{{\rm coNP}}}
220: \newcommand{\cone}{\ensuremath{{\rm coNE}}}
221: \newcommand{\pitwozero}{\ensuremath{\Pi_2^0}}
222: \newcommand{\pithreezero}{\ensuremath{\Pi_3^0}}
223: \newcommand{\sigmathreezero}{\ensuremath{\Sigma_3^0}}
% Lowness / highness notation: L_{C}, EL_{C}, H_{C} for a class C given as
% argument, plus fixed instances for P, NP and the polynomial hierarchy
% levels Sigma_k^p, Theta_k^p, Delta_k^p (optionally relative to an oracle W).
224: \newcommand{\low}[1]{\ensuremath{{\rm L}_{{#1}}}}
225: \newcommand{\comp}[1]{\ensuremath{{\overline{{#1}}}}}
226: \newcommand{\lowORACLEW}[1]{\ensuremath{{\rm L}^W_{{#1}}}}
227: \newcommand{\lowp}{\ensuremath{{\rm L}_{\p}}}
228: \newcommand{\lownp}{\ensuremath{{\rm L}_{\np}}}
229: \newcommand{\lowsigma}[1]{\ensuremath{{\rm L}_{\Sigma_{{#1}}^p}}}
230: \newcommand{\lowtheta}[1]{\ensuremath{{\rm L}_{\Theta_{{#1}}^p}}}
231: \newcommand{\lowdelta}[1]{\ensuremath{{\rm L}_{\Delta_{{#1}}^p}}}
232: \newcommand{\lowORACLEWdelta}[1]{\ensuremath{{\rm L}^W_{\Delta_{{#1}}^p}}}
233: \newcommand{\extlowsigma}[1]{\ensuremath{{\rm EL}_{\Sigma_{{#1}}^p}}}
234: \newcommand{\extlowtheta}[1]{\ensuremath{{\rm EL}_{\Theta_{{#1}}^p}}}
235: \newcommand{\extlowdelta}[1]{\ensuremath{{\rm EL}_{\Delta_{{#1}}^p}}}
236: \newcommand{\extlowORACLEWdelta}[1]{\ensuremath{{\rm EL}^W_{\Delta_{{#1}}^p}}}
237: \newcommand{\high}[1]{\ensuremath{{\rm H}_{{#1}}}}
238: \newcommand{\highp}{\ensuremath{{\rm H}_{\p}}}
239: \newcommand{\highnp}{\ensuremath{{\rm H}_{\np}}}
240: \newcommand{\highsigma}[1]{\ensuremath{{\rm H}_{\Sigma_{{#1}}^p}}}
% Polynomial-hierarchy levels with a fixed index k (or 0, 2); the ",A"
% variants are relativized to an oracle A.
241: \newcommand{\sigmak}{\ensuremath{\Sigma_k^p}}
242: \newcommand{\sigmaka}{\ensuremath{\Sigma_k^{p,A}}}
243: \newcommand{\deltaka}{\ensuremath{\Delta_k^{p,A}}}
244: \newcommand{\deltazero}{\ensuremath{\Delta_0^{p}}}
245: \newcommand{\deltazeroa}{\ensuremath{\Delta_0^{p,A}}}
246: \newcommand{\thetazero}{\ensuremath{\Theta_0^{p}}}
247: \newcommand{\thetazeroa}{\ensuremath{\Theta_0^{p,A}}}
248: \newcommand{\deltakaW}{\ensuremath{\Delta_k^{p,A \oplus W}}}
249: \newcommand{\deltak}{\ensuremath{\Delta_k^{p}}}
250: \newcommand{\thetaka}{\ensuremath{\Theta_k^{p,A}}}
251: \newcommand{\pitwo}{\ensuremath{\Pi_2^p}}
252: \newcommand{\thetatwo}{\ensuremath{\Theta_2^p}}
253: \newcommand{\deltatwo}{\ensuremath{\Delta_2^p}}
254: \newcommand{\poly}{\ensuremath{{\rm poly}}}
255: \newcommand{\linear}{\ensuremath{{\rm linear}}}
256: \newcommand{\quadratic}{\ensuremath{{\rm quadratic}}}
257: \newcommand{\ph}{\ensuremath{\mbox{\rm PH}}}
258: \newcommand{\few}{{\ensuremath{\rm Few}}}
259: \newcommand{\const}{{\ensuremath{\rm Const}}}
260: \newcommand{\littleconst}{{\ensuremath{\rm const}}}
261: \newcommand{\fewch}{\ensuremath{{\rm FewCH}}}
262: \newcommand{\eh}{\ensuremath{{\rm EH}}}
% Proof openers ("Proof", "Proof of <name>") and a closer that right-aligns
% the \qed mark followed by a label.
263: \newcommand{\startofproof}{\noindent{\bf Proof}\quad}
264: \newcommand{\sproof}{\noindent{\bf Proof}\quad}
265: \newcommand{\startofproofof}[1]{\noindent{\bf Proof of {#1}}\quad}
266: \newcommand{\sproofof}[1]{\noindent{\bf Proof of {#1}}\quad}
267: \newcommand{\eproofof}[1]{\noindent{\hspace*{0.1in} \hfil \hfill \mbox{\qed{} {#1}}}\quad}
% Cross-reference helpers; the tie (~) keeps the word and the number on one
% line.
268: \newcommand{\chapterref}[1]{Chapter~\ref{#1}}
269: \newcommand{\sectionref}[1]{Section~\ref{#1}}
270: \newcommand{\equationref}[1]{Equation~\ref{#1}}
271: %
272: %
% Small square bullet drawn with a rule.
273: \def\bull{\vrule height .9ex width .8ex depth -.1ex }
274: %
275: %
276: %
277: %
278: %
279: %
% \blob is byte-for-byte the same box as \qedblob above.
280: \newcommand{\blob}{\mbox{\rule[-1.5pt]{5pt}{10.5pt}}}
281: \newcommand{\lindent}{\qquad}
282: \newcommand{\magicnum}{{ n^{\frac{1-\epsilon}{\epsilon}+\delta}}}
% The subscripts "super" and "reduced" are multi-letter labels; in math mode
% they are typeset as products of italic letters (\mathrm would be the
% conventional choice for word subscripts).
283: \newcommand{\fsup}{{\,f_{super}\,}}
284: \newcommand{\fred}{{\,f_{reduced}\,}}
% \ne here is the class NE (redefined above), not the not-equal relation.
285: \newcommand{\pne}{\ensuremath{\p^\ne}}
286: \newcommand{\npne}{\ensuremath{\np^\ne}}
% N_{17}^{NE_{21}} variants; \nxx and \nexx are defined a few lines below,
% which is fine because expansion happens at use time.
287: \newcommand{\nnexarg}{\ensuremath{\nxx^\nexx (x) }}
288: \newcommand{\nnexx}{\ensuremath{\nxx^\nexx }}
289: \newcommand{\nnex}{\ensuremath{\nxx^\nexx }}
290: \newcommand{\expnp}{\ensuremath{\exp^\np }}
291: \newcommand{\dtime}{\ensuremath{{\rm DTIME}}}
292: \newcommand{\nxx}{\ensuremath{{\rm N_{17}}}}
293: \newcommand{\nexx}{\ensuremath{{\rm NE_{21}}}}
294: \newcommand{\seh}{\ensuremath{{\rm SEH}}}
295: \newcommand{\ppoly}{\ensuremath{\p/\poly}}
296: \newcommand{\sexph}{\ensuremath{{\rm SEXPH}}}
297: \newcommand{\pstar}{\ensuremath{\p_\star}}
298: \newcommand{\mstar}{\ensuremath{M^\star}}
299: \newcommand{\nestar}{\ensuremath{\ne_{\,\star}}}
300: %
% Proper superset / subset: the relation symbol stacked over a struck-out
% equality. Both reference \superset, which is defined further down.
301: \newcommand{\supersetproper}{ \stackrel{\scriptscriptstyle\superset}{\scriptscriptstyle\not-}}
302: \newcommand{\subsetproper}{ \stackrel{\scriptscriptstyle\subset}{\scriptscriptstyle\not-}}
303: %
304: %
305: %
306: %
307: %
308: %
309: %
310: \newcommand{\superset}{\supset}
311: \newcommand{\superseteq}{\supseteq}
312:
% Inline-sized unions indexed by c and by k.
313: \def\unionfromc{\,\textstyle\bigcup_{\scriptstyle c}\,}
314: \def\unionfromk{\,\textstyle\bigcup_{\scriptstyle k}\,}
315:
316:
317:
318:
319:
320:
321:
322:
323:
324: %
325: %
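% Thin framed empty box (6pt wide, 9pt tall, .7pt rule, no inner padding).
% The two \setlength calls are wrapped in a group so they only affect this
% box; the original left \fboxsep=0pt and \fboxrule=.7pt in force for every
% later \fbox/\framebox in the same scope.
326: \newcommand{\newlozenge}{{\setlength{\fboxsep}{0pt}\setlength{\fboxrule}{.7pt}\framebox[6pt]{\rule{0pt}{9pt}}}}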
327:
328:
329: %
% Cardinality with double bars; \mathopen/\mathclose give the bars the
% spacing of opening and closing delimiters.
330: \newcommand{\card}[1]{{ \mathopen\parallel {#1} \mathclose\parallel }}
% Ceiling and floor brackets.
331: \newcommand{\ceiling}[1]{{{\lceil {#1} \rceil}}}
332: \newcommand{\floor}[1]{{{\lfloor {#1} \rfloor}}}
333:
334: %
335: %
336: %
337: %
338: %
339: %
% Angle-bracket pairing; \pairs and \pair are identical.
340: \newcommand{\pairs}[1]{\mathopen\langle{#1}\mathclose\rangle}
341: \newcommand{\pair}[1]{\mathopen\langle{#1}\mathclose\rangle}
342: %
343: \newcommand{\piso}{\ensuremath{\p-{\rm isomorphic}}}
% Reducibility relations: \leq with the reduction type as subscript (m, T,
% tt, ptt, c, b, d, pos, ...) and the resource bound (p) as superscript.
% The \, on both sides pad the relation symbol. \nleq needs amssymb.
344: \newcommand{\manyonea}{\ensuremath{\,\leq_{m}^{{\littlep},\,A}\,}}
345: \newcommand{\manyone}{\ensuremath{\,\leq_{\rm m}^{{\littlep}}\,}}
346: \newcommand{\manyonered}{\ensuremath{\,\leq_{m}^{{\littlep}}\,}}
347: \newcommand{\turingred}{\ensuremath{\,\leq_{T}^{{\littlep}}\,}}
348: \newcommand{\snred}{\ensuremath{\,\leq_{T}^{{sn}}\,}}
349: \newcommand{\ttred}{\ensuremath{\,\leq_{tt}^{{\littlep}}\,}}
350: \newcommand{\pttred}{\ensuremath{\,\leq_{ptt}^{{\littlep}}\,}}
351: \newcommand{\postt}{\ensuremath{\,\leq_{ptt}^{{\littlep}}\,}}
352: \newcommand{\cred}{\ensuremath{\,\leq_{c}^{{\littlep}}\,}}
353: \newcommand{\bred}{\ensuremath{\,\leq_{b}^{{\littlep}}\,}}
354: \newcommand{\dred}{\ensuremath{\,\leq_{d}^{{\littlep}}\,}}
355: \newcommand{\notpttred}{\ensuremath{\,\nleq_{ptt}^{{\littlep}}\,}}
356: \newcommand{\pos}{\ensuremath{\,\leq_{pos}^{{\littlep}}\,}}
357: \newcommand{\posred}{\ensuremath{\,\leq_{pos}^{{\littlep}}\,}}
358: \newcommand{\locallyposred}{\ensuremath{\,\leq_{\widehat{pos}}^{{\littlep}}\,}}
359: \newcommand{\notposred}{\ensuremath{\,\nleq_{pos}^{{\littlep}}\,}}
360: \newcommand{\abred}{\ensuremath{\,\leq_{a}^{{b}}\,}}
361:
% Linear-time Turing reduction and the corresponding R-class of \psel.
362: \newcommand{\linearturingsubscript}{\ensuremath{{\bigo(n)\hbox{-}T}}}
363: \newcommand{\linearturingred}{\ensuremath{\,\leq_{\linearturingsubscript}^{{\littlep}}\,}}
364: \newcommand{\redlinearturingpsel}{\ensuremath{{\red{\linearturingsubscript}{p}{\psel}}}}
365:
% NOTE(review): \paiso, \pisoam and \pisom put $...$ inside \ensuremath.
% In text that yields an empty formula followed by \p^A outside math mode,
% in math it closes the surrounding formula; presumably the $ were meant to
% go and these are plain text macros -- confirm whether they are used.
366: \newcommand{\paiso}{\ensuremath{$\p^A$-iso\-mor\-phic}}
367: \newcommand{\pisoa}{\paiso}
368: \newcommand{\pisoam}{\ensuremath{$\p^A$\hbox{-isomorphism}}}
% \xspace requires the xspace package, which none of the \usepackage lines
% above loads; NOTE(review): confirm acmtrans2m provides it.
369: \newcommand{\ndet}{nondeterministic\xspace}
370: \newcommand{\pisom}{\ensuremath{$\p$\hbox{-isomorphism}}}
371: %
372: %
% Selectivity vocabulary. \npsv, \npsvt, \npmv and \npmvt are referenced
% here but not defined in this part of the file.
373: \newcommand{\calfselector}{\calf\hbox{-}selector\xspace}
374: \newcommand{\npsvselector}{\npsv\hbox{-}selector\xspace}
375: \newcommand{\npsvtselector}{\npsvt\hbox{-}selector\xspace}
376: \newcommand{\npmvselector}{\npmv\hbox{-}selector\xspace}
377: \newcommand{\npmvtselector}{\npmvt\hbox{-}selector\xspace}
378: \newcommand{\calfselectivity}{\calf\hbox{-}selectivity\xspace}
379: \newcommand{\npsvselective}{\npsv\hbox{-}selective\xspace}
380: \newcommand{\npsvtselective}{\npsvt\hbox{-}selective\xspace}
381: \newcommand{\npmvselective}{\npmv\hbox{-}selective\xspace}
382: \newcommand{\npmvtselective}{\npmvt\hbox{-}selective\xspace}
383: \newcommand{\npsvselectivity}{\npsv\hbox{-}selectivity\xspace}
% NOTE(review): "\!@,@,@,@,@," looks like a mangled spacing sequence; in
% math mode "@" and "," are printable characters, so \psel would typeset
% them literally. Compare with the original source before relying on it.
384: \newcommand{\psel}{\ensuremath{{\rm P\!@,@,@,@,@,\hbox{-}sel}}}
385: \newcommand{\calfsel}{\ensuremath{{\calf\hbox{-}\rm{}sel}}}
386: \newcommand{\dashsel}{\ensuremath{{\rm\hbox{-}sel}}}
387: \newcommand{\pwsel}{\ensuremath{{{\rm P}^W\rm{}\!\hbox{-}sel}}}
388: \newcommand{\calfselective}{\calf\hbox{-}selective\xspace}
389: \newcommand{\pclose}{\ensuremath{{\rm P\hbox{-}close}}}
390: \newcommand{\apt}{\ensuremath{{\rm APT}}}
391: \newcommand{\itleft}{\ensuremath{{\mathit{left}}}}
392: \newcommand{\quasip}{\ensuremath{{\rm qP}}}
393: \newcommand{\semirecursive}{\ensuremath{{\rm SEMIRECURSIVE}}}
394: \newcommand{\sigmastar}{\ensuremath{\Sigma^\ast}}
% P = NP and P != NP; not-equal is spelled \neq because \ne was redefined.
395: \newcommand{\pisnp}{\ensuremath{\p=\np}}
396: \newcommand{\usuba}{\ensuremath{U_A}}
397: \newcommand{\univsuba}{\ensuremath{Univ_A}}
398: \newcommand{\pisnotnp}{\ensuremath{\p\neq\np}}
399: \newcommand{\lb}{\ensuremath{\{}}
400: \newcommand{\rb}{\ensuremath{\}}}
401: %
402: \newcommand{\equivclassslash}{\ensuremath{\wr}}
403: \newcommand{\equivclass}[1]{\ensuremath{cl({#1})}}
% Oracle-relativized classes and calligraphic class names.
404: \newcommand{\pa}{\ensuremath{\p^A}}
405: \newcommand{\calf}{\ensuremath{{\cal F}}}
406: \newcommand{\calc}{\ensuremath{{\cal C}}}
407: \newcommand{\npa}{\ensuremath{\np^A}}
408: \newcommand{\fpa}{\ensuremath{\fp^A}}
409: \newcommand{\npw}{\ensuremath{\np^W}}
410: \newcommand{\conpa}{\ensuremath{\conp^A}}
411:
412:
% These two use the saved \ensuremathTEMP (the kernel \ensuremath copied at
% the top of the preamble) rather than \ensuremath itself.
413: \newcommand{\upa}{\ensuremathTEMP{\up^A}}
414: \newcommand{\sparses}{\ensuremathTEMP{{\rm sparse} S\,}}
415: %
% Big-O in calligraphic O; \protect makes it safe in moving arguments.
416: \newcommand{\bigo}{{\protect\cal O}}
417: \newcommand{\bigoh}{{\protect\cal O}}
418:
419:
% \nottoobig{D} produces the delimiter D sized to 1.111 strut heights: an
% \hbox holding a \left D ... \right. pair around an empty \vcenter. It uses
% the kernel internal \n@space, hence the \makeatletter/\makeatother pair.
420: \makeatletter%
421: \def\nottoobig#1{{\hbox{$\left#1\vcenter to1.111\ht\strutbox{}\right.\n@space$}}}
422: \makeatother%
423:
% Vertical bar with a thin space before and a medium space after; presumably
% the "such that" bar in set-builder notation.
424: \newcommand{\condition}{\,\nottoobig{|}\:}
425: %
426:
% Overrides the kernel \land (logical and) with a version padded by thick
% spaces; \def does so without a redefinition check.
427: \def\land{{\; \wedge \;}}
428: %
429: %
430: %
431: %
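% Revision marker: \change{text} attaches a footnote "CHANGED! The change is:
% text" (bold lead-in). The argument count belongs after the macro name;
% \newcommand{\change[1]} does not define a one-argument \change.
432: \newcommand{\change}[1]{\protect\footnote{{\bf CHANGED! The change is:} {#1}}}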
% Integers (blackboard bold Z) and a short alias.
433: \newcommand\integers{{\mathbb{Z}}}
434: \def\Z{\integers}
435: \newcommand{\counting}{\mbox{\tt Counting}}
436: \newcommand{\seq}{\subseteq}
437: \newcommand{\spp}{\mbox{\rm SPP}}
438: \newcommand{\fp}{\mbox{\rm FP}}
% Alias for \naturalnumber (defined above).
439: \def\nats{\naturalnumber}
440: \newcommand{\bh}{{\rm BH}}
% CP_{{#1}}: the argument is printed inside set braces in the subscript.
441: \newcommand{\cp}[1]{{{\rm CP}_{\{{#1}\}}}}
442:
% Arrows padded with a control space on each side (\Lora alone uses a thin
% space on the left -- an inconsistency, kept as is).
443: \newcommand\la{\ \leftarrow \ }
444: \newcommand\ra{\ \rightarrow \ }
445: \newcommand\lra{\ \leftrightarrow \ }
446: \newcommand\La{\ \Leftarrow \ }
447: \newcommand\Ra{\ \Rightarrow \ }
448: \newcommand\Lra{\ \Leftrightarrow \ }
449: \newcommand\lola{\ \longleftarrow \ }
450: \newcommand\lora{\ \longrightarrow \ }
451: \newcommand\lolra{\ \longleftrightarrow \ }
452: \newcommand\Lola{\ \Longleftarrow \ }
453: \newcommand\Lora{\, \Longrightarrow \ }
454: \newcommand\Lolra{\ \Longleftrightarrow \ }
% "Defined as equivalent to": a colon in front of the double arrow.
455: \newcommand\Lolradef{\ :\Longleftrightarrow \ }
456: %
457: %
% Definitional equality is currently plain "="; kept as macros so the symbol
% can be changed in one place.
458: \def\equalsdef{=}
459: \def\equalsdeffootnote{=}
% "A^w OWF" (text-mode macros, hence the $...$ around the superscript), with
% size variants for footnotes and plural forms; presumably "weak associative
% one-way function" as used in the last lecture.
460: \newcommand{\weakaowf}{A$^{\!\!\mbox{\protect\scriptsize w}\!}$OWF}
461: \newcommand{\weakaowfmath}{A$^{\!\mbox{\protect\scriptsize w}\!}$OWF}
462: \newcommand{\weakaowfs}{A$^{\!\!\mbox{\protect\scriptsize w}\!}$OWFs}
463: \newcommand{\weakaowfsmath}{A$^{\!\mbox{\protect\scriptsize w}\!}$OWFs}
464: \newcommand{\weakaowffootnote}{A$^{\!\!\mbox{\protect\tiny w}\!}$OWF}
465: \newcommand{\weakaowfsfootnote}{A$^{\!\!\mbox{\protect\tiny w}\!}$OWFs}
466:
% Upright "image"/"domain" and italic "id"; the {} after \rm / \it stops the
% font switch from swallowing the following space.
467: \newcommand{\image}{\mbox{\rm{}image}}
468: \newcommand{\domain}{\mbox{\rm{}domain}}
% sigma with a tiny \bot stacked on top; \sigmabots adds an argument in
% parentheses.
469: \newcommand{\sigmabot}{\stackrel{\mbox{\tiny $\bot$}}{\sigma}}
470: \newcommand{\sigmabots}[1]{\stackrel{\mbox{\tiny $\bot$}}{\sigma}\!\!(#1)}
471: \newcommand{\id}{\mbox{\it{}id}}
472:
% Problem names in typewriter font; \mbox{-} keeps the hyphen from becoming
% a minus sign in math mode.
473: \newcommand{\certificate}[2]{{\tt Certificates}_{#1}({#2})}
474: \newcommand{\graphiso}{{\tt Graph\mbox{-}Isomorphism}}
475: \newcommand{\threecolor}{{\tt Graph\mbox{-}Three\mbox{-}Colorability}}
476:
477: %
478:
% German letterhead macros (Heinrich-Heine-Universitaet Duesseldorf),
% presumably carried over from a shared personal macro file; nothing in the
% visible article body uses them.
%
% \brief starts a letter page. It calls \setxxkopf, which is only defined
% by \setxkopf, so a \setxkopf caller such as \setjoerg must run first.
479: \newcommand{\brief}
480: {
481: \setcounter{page}{1}
482: \pagestyle{plain}
483: \setxxkopf%
484: }
485:
% Fills in the sender's details and installs the letterhead. Personal contact
% data (phone extension, room, e-mail) are hard-coded here and ship with the
% source.
486: \newcommand{\setjoerg}
487: {\def\setxname{Prof.\ Dr.\ J. Rothe}
488: \def\setxtel{12188}
489: \def\setxfaxt{11823}
490: \def\setxbuilding{25.13}
491: \def\setxfloor{02}
492: \def\setxroom{39}
493: \def\setxemail{\mbox{rothe@cs.uni-duesseldorf.de}}
494: \def\setxuntertext{Prof.\ Dr.\ J. Rothe}
495: \def\setauntertext{gez.\ Prof.\ Dr.\ J. Rothe}
496: \setxkopf}
497:
% Defaults for the remaining letter fields (date, closing, enclosures,
% dialing prefix, field labels).
498: \def\setxdatum{\today}
499: \def\setxendefl{Mit freundlichen Gr\"u\ss en}
500: \def\setxanltext{Anlage(n)}
501: \def\setxvor{+49~211~81}
502: \def\setxtelt{Tel.:}
503: %
504: \def\setxfax{Fax: }
505: \def\setxkopiet{Verteiler:}
506: \def\setxbuildingt{Geb\"aude: }
507: \def\setxfloort{Ebene: }
508: \def\setxroomt{Raum: }
509:
% University logo. NOTE(review): the absolute path is specific to one
% machine's texmf tree, so this only compiles where that file exists; a
% relative path (or a copy next to the source) would be portable.
510: \newcommand{\setgheine}{\raisebox{-12mm}{
511: \psfig{file=/usr/share/texmf/tex/latex/heine/heine.ps,height=2.3cm}}}
512:
513:
% Defines \setxxkopf, the letterhead itself: a new page carrying the
% institute block (left minipage), the logo, and the address/phone/e-mail
% block with the date (right minipage). The negative \\ offsets and the
% trailing \strut lines are manual vertical adjustments.
514: \newcommand{\setxkopf}
515: {\def\setxxkopf
516: {\newpage
517: \strut\\[-2.5cm]\strut
518: \begin{center}
519: \begin{minipage}[t]{5cm}
520: \begin{center}
521: \sf
522: Mathematisches Institut\\[.1cm]
523: Abteilung f{\"u}r Informatik\\[.1cm]
524: \small\sf
525: \setxname\\%
526: \end{center}
527: \end{minipage}
528: \hfill\setgheine
529: \hfill\begin{minipage}[t]{6.3cm}
530: {\small\sf Universit{\"a}tsstr.~1,
531: D-40225 D{\"u}sseldorf\\}
532: \scriptsize\sf
533: \makebox[2.1em][l]{\setxbuildingt \setxbuilding,
534: \setxfloort \setxfloor, \setxroomt \setxroom}\\[-.1cm]
535: %
536: \makebox[3em][l]{\setxtelt} \setxvor~\setxtel,%
537: \ \setxfax \setxvor~\setxfaxt \\[-.1cm]
538: %
539: \makebox[3em][l]{e-mail:} \setxemail\\%[-0.5cm]
540: \strut\normalsize
541: \setxdatum\\[-6mm]
542: \end{minipage}\end{center}
543: }} %
544:
545: %
546:
547: %
548:
549: %
550: %
551: %
552:
553:
554: %
555: %
556: %
557: %
558: %
559: %
560: %
561: %
562: %
563: %
564: %
565: %
566: %
567: %
568: %
569: %
570: %
571: %
572: %
573: %
574: %
575: %
576: %
577:
578:
% construction = a block surrounded by \bigbreak; block is a tight list with
% hanging indentation (itemindent -1em) and no vertical item spacing.
% construction refers to block before block is defined, which is fine since
% environment bodies expand at use time.
579: \newenvironment{construction}{\bigbreak\begin{block}}{\end{block}
580: \bigbreak}
581:
582: \newenvironment{block}{\begin{list}{\hbox{}}{\leftmargin 1em
583: \itemindent -1em \topsep 0pt \itemsep 0pt \partopsep 0pt}}{\end{list}}
584:
585:
586: %
587: %
588: %
589: %
590: %
591: %
592: %
593: %
594:
% Indentation state for lblock: \dimen15 is the current left margin,
% \dimen16 the increment added per nesting level. NOTE(review): these are
% fixed register numbers, not \newdimen allocations, so they may collide
% with registers that \newlength (see \filength above) or packages allocate
% -- confirm before relying on them.
595: \dimen15=0.75em
596: \dimen16=0.75em
597:
% Label printed flush left, overlapping into the margin.
598: \newcommand{\lblocklabel}[1]{\rlap{#1}\hss}
599:
% lblock: like block, but each entry advances \dimen15 by \dimen16 and uses
% that as the left margin, so nested lblocks indent progressively; labels go
% through \lblocklabel.
600: \newenvironment{lblock}{\begin{list}{}{\advance\dimen15 by \dimen16
601: \leftmargin \dimen15
602: \itemindent -1em
603: \topsep 0pt
604: \labelwidth 0pt
605: \labelsep \leftmargin
606: \itemsep 0pt
607: \let\makelabel\lblocklabel
608: \partopsep 0pt}}{\end{list}}
609:
610:
611: %
612: %
% lconstruction{margin}{step}: resets the two dimens, then behaves like
% construction.
614: \newenvironment{lconstruction}[2]{\dimen15=#1 \dimen16=#2
615: \bigbreak\begin{block}}{\end{block}\bigbreak}
616:
617:
% Slanted parenthesized remark.
618: \newcommand{\Comment}[1]{{\sl (\ #1\ )}}
619:
620:
621: %
622: %
623: %
624:
% Numbered "Step n." list. The counter is created after the environment,
% which works because \usecounter runs only when the environment is used.
% The name "algorithm" would clash with the algorithm package's environment
% if that package were ever loaded.
625: \newenvironment{algorithm}{\begin{list}
626: {{\bf Step~\arabic{alg}}.}
627: {\usecounter{alg}}}{\end{list}}
628: \newcounter{alg}
629:
630: %
631:
632: %
633: %
634: %
635: %
636: %
637: %
638: %
639: %
640: %
641: %
642: %
643: %
644: %
645: %
646: %
647: %
648: %
649: %
650: %
651: %
652: %
653: %
654: %
655: %
656: %
657: %
658: %
659: %
660: %
661:
662:
663: \begin{abstract}
664: In this tutorial, selected topics of cryptology and of
665: computational complexity theory are presented. We give a brief overview
666: of the history and the foundations of classical cryptography, and then
667: move on to modern public-key cryptography. Particular attention is
668: paid to cryptographic protocols and the problem of constructing key
669: components of protocols such as one-way functions. A function is
670: one-way if it is easy to compute, but hard to invert. We discuss
671: the notion of one-way functions both in a cryptographic and in a
672: complexity-theoretic setting. We also consider interactive proof systems
673: and present some interesting zero-knowledge protocols. In a
674: zero-knowledge protocol one party can convince the other party of
675: knowing some secret information without disclosing any bit of this
676: information. Motivated by these protocols, we survey some
677: complexity-theoretic results on interactive proof systems and related
678: complexity classes.
679: \end{abstract}
680:
681:
682: \category{E.3}{Data Encryption}{Public-key Cryptosystems}
683:
684: \category{F.1.3}{Computation by Abstract Devices}{Complexity Measures and
685: Classes}[Complexity hierarchies \and Relations among complexity classes]
686:
687: \category{F.2.2}{Analysis of Algorithms and Problem Complexity}{Nonnumerical
688: Algorithms and Problems}[Computations on discrete structures]
689:
690: \terms{Theory, Security, Algorithms}
691:
692: \keywords{complexity theory, public-key cryptography, secret-key agreement,
693: digital signatures, interactive proof systems, zero-knowledge protocols,
694: one-way functions}
695:
696: \begin{document}
697:
698: \begin{bottomstuff}
699: Author's address: J. Rothe, Institut f\"ur Informatik,
700: Heinrich-Heine-Universit\"at D\"usseldorf, 40225 D\"usseldorf, Germany.
701: Email address: ${\tt rothe@cs.uni\mbox{-}duesseldorf.de}$. \newline
702: This version, which revises earlier versions of this tutorial, appears
703: in {\em ACM Computing Surveys}, vol.~34, no.~4, December 2002. \newline
704: This work was supported in part by grant
705: NSF-INT-9815095/DAAD-315-PPP-g\"{u}-ab.
706: \end{bottomstuff}
707:
708: \maketitle
709:
% Document-wide \sloppy: looser interword spacing in exchange for fewer
% overfull lines. A local sloppypar (or microtype) would confine the effect.
710: \sloppy
711:
712:
713: \clearpage
714:
715: \tableofcontents
716:
717: %
718:
719: \section*{Outline of the Tutorial}
720: \addcontentsline{toc}{section}{Outline of the Tutorial}
721:
722: This tutorial consists of five lectures on cryptography, based on the lecture
723: notes for a course on this subject given by the author in August, 2001, at the
724: 11th Jyv\"askyl\"a Summer School in Jyv\"askyl\"a, Finland. As the title
725: suggests, a particular focus of this tutorial is to emphasize the close
726: relationship between cryptography and complexity theory. The material
727: presented here is not meant to be a comprehensive study or a complete survey
728: of (the intersection of) these fields. Rather, five vivid topics from those
729: fields are chosen for exposition, and from each topic chosen, some gems---some
730: particularly important, central, beautiful results---are presented. Needless
731: to say, the choice of topics and of results selected for exposition is
732: based on the author's personal tastes and biases.
733:
734: The first lecture sketches the history and the classical foundations of
735: cryptography, introduces a number of classical, symmetric cryptosystems, and
736: briefly discusses by example the main objectives of the two opposing parts of
737: cryptology: cryptography, which aims at designing secure ways of encryption,
738: versus cryptanalysis, which aims at breaking existing cryptosystems. Then, we
739: introduce the notion of perfect secrecy for cryptosystems, which dates back
740: to Claude Shannon's pioneering work~\cite{sha:j:secrecy} on coding and
741: information theory.
742:
743: The second lecture presents the public-key cryptosystem RSA,
744: which was invented by Rivest, Shamir, and Adleman~\cite{riv-sha-adl:j:rsa}.
745: RSA is the first public-key cryptosystem developed in the
746: public sector. To describe RSA, some background from number
747: theory is provided in as short a way as possible but to the extent necessary to
748: understand the underlying mathematics. In contrast to the
749: information-theoretical approach of perfect secrecy, the security of RSA is
750: based on the assumption that certain problems from number theory are
751: computationally intractable. Potential attacks on the RSA cryptosystem as
752: well as appropriate countermeasures against them are discussed.
753:
754: The third lecture introduces a number of cryptographic protocols, including
755: the secret-key agreement protocols of Diffie and
756: Hellman~\cite{dif-hel:j:diffie-hellman} and of Rivest and Sherman
757: (see~\cite{rab-she:t-no-URL:aowf,rab-she:j:aowf}),
758: ElGamal's public-key cryptosystem~\cite{gam:j:public-key}, Shamir's no-key
759: protocol, and the digital signature schemes of Rivest, Shamir, and
760: Adleman~\cite{riv-sha-adl:j:rsa}, ElGamal~\cite{gam:j:public-key}, and Rabi
761: and Sherman~\cite{rab-she:t-no-URL:aowf,rab-she:j:aowf}, respectively. Again,
762: the underlying mathematics and, relatedly, security issues of these protocols
763: are briefly discussed.
764:
765: A remark is in order here. The protocols presented here are among the most
766: central and important cryptographic protocols, with perhaps two exceptions:
767: the Rivest--Sherman and the Rabi--Sherman protocols.
768: While the secret-key agreement protocol of Diffie and
769: Hellman~\cite{dif-hel:j:diffie-hellman} is widely used in practice, that of
770: Rivest and Sherman (see~\cite{rab-she:t-no-URL:aowf,rab-she:j:aowf}) is not
771: (yet) used in applications and, thus, might appear somewhat exotic at first
772: glance. An analogous comment applies to
773: the Rabi--Sherman digital signature protocol.
774: However, from our point of view, there is some hope that this fact,
775: though currently true, might change in the near future. In
776: Section~\ref{sec:discussion}, we will discuss the state of the art on
777: the Diffie--Hellman protocol and the Rivest--Sherman protocol,
778: and we will argue that recent progress of
779: results in complexity theory may lead to a significant
780: increase in the cryptographic security and the applicability of the
781: Rivest--Sherman protocol. One line of complexity-theoretic research
782: that is relevant here is presented in Section~\ref{sec:aowf};
783: another line of research is
784: Ajtai's breakthrough result~\cite{ajt:c:hard-instances-in-lattices}
785: on the complexity of the shortest lattice vector problem (SVP, for short),
786: which is informally stated
787: %
788: in Section~\ref{sec:discussion}.
789:
790: The fourth lecture introduces interactive proof systems and zero-knowledge
791: protocols. This area has rapidly developed and flourished in complexity
792: theory and has yielded a number of powerful results.
793: For example, Shamir's famous
794: %
795: result~\cite{sha:j:ip} characterizes the power of interactive proof systems
796: in terms of classical complexity classes: Interactive proof systems precisely
797: capture the class of problems solvable in polynomial space.
798: Also, the study of interactive proof systems is related to
799: probabilistically checkable proofs, which has yielded novel
800: nonapproximability results for hard
801: optimization problems; see the survey~\cite{gol:b:taxonomy-of-proof-systems}.
802: Other results about interactive proof systems and the related zero-knowledge
803: protocols have direct applications in cryptography.
804: In particular, zero-knowledge protocols enable one party to
805: convince another party of knowledge of
806: some secret information without conveying
807: any bit of this information. Thus, they are ideal technical tools for
808: authentication purposes. We present two of the classic zero-knowledge
809: protocols: the Goldreich--Micali--Wigderson protocol for graph
810: isomorphism~\cite{gol-mic-wid:c:nothing,gol-mic-wid:j:nothing} and the
811: Fiat--Shamir protocol~\cite{fia-sha:c:fiat-shamir-zero-knowledge}, which is based
812: on a number-theoretical problem. For an in-depth treatment of zero-knowledge
813: protocols and many more technical details, the reader is referred to Chapter~4
814: of Goldreich's book~\cite{gol:b:foundations}.
815:
816: The fifth lecture gives an overview of the progress of results that was
817: recently obtained by Hemaspaandra, Pasanen, and this
818: author~\cite{hem-rot:j:aowf,hem-pas-rot:c:strong-noninvertibility}. Their
819: work, which is motivated by the Rivest--Sherman and the Rabi--Sherman protocols,
820: studies properties of functions that are used in building these two
821: cryptographic protocols. It is results about these functions that
822: may be useful in quantifying the security of these protocols.
823: In particular, the key building block of the Rivest--Sherman protocol is a
824: strongly noninvertible,
825: %
826: associative one-way function.
827: Section~\ref{sec:aowf} presents the
828: %
829: result~\cite{hem-rot:j:aowf} on how to construct such a function
830: from the assumption that $\p \neq \np$.
831: In addition, recent
832: results on strong
833: noninvertibility are surveyed, including the perhaps somewhat surprising
834: result that if $\p \neq \np$ then there exist strongly noninvertible functions
835: that in fact are invertible~\cite{hem-pas-rot:c:strong-noninvertibility}.
836: These results are obtained in the {\em worst-case\/} complexity model,
837: which is relevant and interesting in a
838: complexity-theoretic setting, but useless in applied cryptography. For
839: cryptographic applications, one would need to construct such functions based
840: on the {\em average-case\/} complexity model, under plausible assumptions.
841: Hence, the most challenging open research question
842: %
843: related to strongly noninvertible, associative
844: one-way functions is to find some evidence that they exist even in the
845: average-case model. As noted above, our hope
846: of obtaining such a result is based on recent progress on the shortest
847: lattice vector problem accomplished
848: by~Ajtai~\cite{ajt:c:hard-instances-in-lattices}. Roughly speaking, Ajtai
849: proved that this problem is as hard in the average-case model as it is in the
850: worst-case model.
851: Based on this result, Ajtai and
852: Dwork~\cite{ajt-dwo:c:public-key-system-worst-average-equivalence}
853: designed a public-key
854: cryptosystem whose security is based merely on worst-case assumptions.
855: Ajtai's breakthrough results, his techniques, and their
856: cryptographic applications are not covered in this tutorial.
857: We refer to the nice surveys by Cai~\cite{cai:c:lattice-problems-survey} and,
858: more recently, by Kumar and Sivakumar~\cite{kum-siv:j:svp-survey}
859: and Nguyen and Stern~\cite{ngu-ste:c:two-faces-of-lattices} on the
860: complexity of~SVP and the use of lattices in cryptography.
861:
862: The tutorial is suitable for graduate students with some background in
863: computer science and mathematics and may also be accessible to interested
864: undergraduate students. Since it is organized in five essentially
865: independent, self-contained lectures, it is also possible to present only a
866: proper subset of these lectures. The only dependencies occurring between
867: lectures are that some of the number-theoretical background given in
868: Section~\ref{sec:rsa-system} is also used in Section~\ref{sec:protocols}, and
869: that the Rivest--Sherman secret-key agreement protocol and the
870: Rabi--Sherman digital signature protocol presented in
871: Section~\ref{sec:protocols} motivate the investigations in
872: Section~\ref{sec:aowf}.
873: This last section contains perhaps the technically most challenging material,
874: which in part is presented on an expert level with the intention of
875: %
876: %
877: guiding the reader towards an active field of current research.
878:
879:
880: There are a number of textbooks and monographs on cryptography that
881: cover various parts of the field in varying depth, such as the
882: books by
883: %
884: Goldreich~\cite{gol:b:modern-cryptography,gol:b:foundations},
885: Salomaa~\cite{sal:b:public-key-cryptography},
886: Stinson~\cite{sti:b:cryptography}, and Welsh~\cite{wel:b:codes}. Schneier's
887: book~\cite{sch:b:applied-cryptography} provides a very comprehensive
888: collection of literally all notions and concepts known in cryptography, which
889: naturally means that the single notions and concepts cannot be treated in
890: mathematical detail there, but the interested reader is referred to an
891: extraordinarily large bibliography for such an in-depth treatment.
892: Singh~\cite{sin:b:code-book} wrote a very charming, easy-to-read, interesting
893: book about the history of cryptography from its ancient roots to its modern
894: and even futuristic branches such as quantum cryptography. An older but still
895: valuable source is Kahn's book~\cite{kah:b:codebreakers}.
896: We conclude this
897: list, without claiming it to be complete, with the books by
898: Bauer~\cite{bau:b:decrypted-secrets},
899: Beutelspacher et al.~\cite{beu-sch-wol:b:kryptographie,beu:b:cryptology},
900: and Buchmann~\cite{buc:b:kryptographie}.
901:
902:
903: %
904:
905: \section{Cryptosystems and Perfect Secrecy}
906: \label{sec:classical-cryptography}
907:
908: \subsection{Classical Cryptosystems}
909:
910: The notion of a cryptosystem is formally defined as follows.
911:
912: \begin{definition}[Cryptosystem]~
913: \label{def:cryptosystem}
914: \begin{itemize}
915: \item A {\em cryptosystem\/} is a quintuple $(\mathcal{P}, \mathcal{C},
916: \mathcal{K}, \mathcal{E}, \mathcal{D})$ such that:
917: \begin{enumerate}
918: \item $\mathcal{P}$, $\mathcal{C}$, and $\mathcal{K}$ are finite sets, where
919:
920: \begin{tabular}{rl}
921: \centering
922: $\mathcal{P}$ & is
923: %
924: the {\em plain text space\/} or {\em clear text space\/};\\
925: $\mathcal{C}$ & is the {\em cipher text space\/};\\
926: $\mathcal{K}$ & is the {\em key space}.
927: \end{tabular}
928:
929: Elements of $\mathcal{P}$ are referred to as plain text (or clear text), and
930: elements of $\mathcal{C}$ are referred to as cipher text. A {\em message\/}
931: is a string of plain text symbols.
932:
933: \item $\mathcal{E} = \{E_k \condition k \in \mathcal{K}\}$ is a family of
934: functions $E_k : \mathcal{P} \rightarrow \mathcal{C}$ that are used for
935: encryption, and $\mathcal{D} = \{D_k \condition k \in \mathcal{K}\}$ is a
936: family of functions $D_k : \mathcal{C} \rightarrow \mathcal{P}$ that are
937: used for decryption.
938:
939:
940: \item For each key $e \in \mathcal{K}$, there exists a key $d \in \mathcal{K}$
941: such that for each $p \in \mathcal{P}$:
942: \begin{equation}
943: \label{equ:correctness}
944: D_d (E_e (p)) = p .
945: \end{equation}
946: \end{enumerate}
947:
948: \item A {\em cryptosystem\/} is called {\em symmetric\/} (or {\em
949: ``private-key''\/}) if $d = e$, or if $d$ can at least be ``easily''
950: computed from~$e$.
951:
952: \item A {\em cryptosystem\/} is called {\em asymmetric\/} (or {\em
953: ``public-key''\/}) if $d \neq e$, and it is ``computationally infeasible
954: in practice'' to compute $d$ from~$e$. Here, $d$ is the {\em private key},
955: and $e$ is the {\em public key}.
956:
957: \end{itemize}
958: \end{definition}
959:
960: At times, different key spaces are used for encryption and for decryption,
961: which results in a slight modification of the above definition.
962:
963: We now present and discuss some examples of classical cryptosystems. Consider
964: the English alphabet $\Sigma = \{\mbox{\rm{}A}, \mbox{\rm{}B}, \ldots ,
965: \mbox{\rm{}Z}\}$. To carry out the arithmetic modulo $26$ with letters as if
966: they were numbers, we identify $\Sigma$ with $\integers_{26} = \{0, 1, \ldots
967: , 25\}$; thus, $0$ represents \mbox{\rm{}A} and $1$ represents~\mbox{\rm{}B},
968: and so on. This encoding of the plain text alphabet by integers and the
969: decoding of $\integers_{26}$ back to $\Sigma$ is not part of the actual
970: encryption and decryption, respectively. It will be used for the next three
971: examples. Note that messages are elements of~$\sigmastar$, where $\sigmastar$
972: denotes the set of strings over~$\Sigma$.
973:
974: \begin{example}[Caesar cipher, a monoalphabetic symmetric cryptosystem]~
975:
976: Let $\mathcal{K} = \integers_{26}$, and let $\mathcal{P} = \mathcal{C} =
977: \Sigma$. The {\em Caesar cipher\/} encrypts messages by shifting (modulo
978: $26$) each character of the plain text by the same number $k$ of letters in
979: the alphabet, where $k$ is the key. Shifting each character of the cipher
980: text back using the same key $k$ reveals the original message:
981: \begin{itemize}
982: \item For each $e \in \integers_{26}$, define the encryption function $E_e :
983: \Sigma \rightarrow \Sigma$ by
984: \[
985: E_e (p) = (p + e) \mod 26,
986: \]
987: where addition with $e$ modulo $26$ is carried out character-wise, i.e., each
988: character $m_i \in \Sigma$ of a message $m \in \sigmastar$ is shifted by $e$
989: positions to $m_i + e \mod 26$. For example, using the key $e = 11 =
990: \mbox{\rm{}L}$, the message {\rm{}``SUMMER''} will be encrypted as
991: {\rm{}``DFXXPC.''}
992:
993: \item For each $d \in \integers_{26}$, define the decryption function $D_d :
994: \Sigma \rightarrow \Sigma$ by
995: \[
996: D_d (c) = (c - d) \mod 26,
997: \]
998: where subtraction by $e$ modulo $26$ again is carried out character-wise.
999: Hence, $d=e$. For example, decrypting the cipher text {\rm{}``DNSZZW''} with
1000: the key $d = 11$ reveals the plain text {\rm{}``SCHOOL.''}
1001: \end{itemize}
1002: \end{example}
1003:
1004: Since the key space is very small, breaking the Caesar cipher is very easy.
1005: It is vulnerable even to {\em ``cipher-text-only attacks,''} i.e., an attacker
1006: given enough cipher text $c$ can easily check the $26$ possible keys to
1007: see which one yields a meaningful plain text. Note that the given cipher text
1008: should contain enough letters to enable a unique decryption.
1009:
1010: The Caesar cipher is a monoalphabetic cryptosystem, since
1011: it replaces each given
1012: plain text letter, wherever in the message it occurs, by the same letter of
1013: the cipher text alphabet. In contrast, the French cryptographer and diplomat
1014: Blaise de Vigen\`{e}re (1523--1596) proposed a polyalphabetic cryptosystem,
1015: which is much harder to break. Vigen\`{e}re's system builds on earlier work
1016: by the Italian mathematician Leon Battista Alberti (born in 1404), the German
1017: abbot Johannes Trithemius (born in 1492), and the Italian scientist Giovanni
1018: Porta (born in 1535), see~\cite{sin:b:code-book}. It works like the Caesar
1019: cipher, except that the cipher text letter encrypting any given plain text
1020: letter X varies with the position of X in the plain text.
1021:
1022: More precisely, one uses for encryption and decryption a {\em Vigen\`{e}re
1023: square}, which consists of 26 rows with 26 columns each. Every row contains
1024: the 26 letters of the alphabet, shifted by one from row to row, i.e., the rows
1025: and columns may be viewed as a Caesar encryption of the English alphabet with
1026: keys $0$, $1$, $\ldots$,~$25$. Given a message~$m \in \sigmastar$, one first
1027: chooses a key $k \in \sigmastar$, which is written above the message~$m$,
1028: symbol by symbol, possibly repeating $k$ if $k$ is shorter than~$m$ until
1029: every character of $m$ has a symbol above it.
1030: Denoting the $i$th letter of any string
1031: $w$ by~$w_i$, each letter $m_i$ of $m$ is then encrypted as in the Caesar
1032: cipher, using the row of the Vigen\`{e}re square that starts with~$k_i$, where
1033: $k_i$ is the key letter right above~$m_i$. Below, we describe the
1034: Vigen\`{e}re system formally and give an example of a concrete encryption.
1035:
1036: \begin{example}[Vigen\`{e}re cipher, a polyalphabetic symmetric cryptosystem]~
1037:
1038: For fixed~$n \in \nats$, let $\mathcal{K} = \mathcal{P} = \mathcal{C} =
1039: \integers_{26}^{n}$. Messages $m \in \sigmastar$, where $\Sigma$ again is
1040: the English alphabet, are split into blocks of length $n$ and are encrypted
1041: block-wise. The {\em Vigen\`{e}re cipher\/} is defined as follows.
1042: \begin{itemize}
1043: \item For each $e \in \integers_{26}^{n}$, define the encryption function $E_e
1044: : \integers_{26}^{n} \rightarrow \integers_{26}^{n}$ by
1045: \[
1046: E_e (p) = (p + e) \mod 26,
1047: \]
1048: where addition with $e$ modulo~$26$ is carried out character-wise, i.e., each
1049: character $p_i \in \Sigma$ of a plain text $p \in \mathcal{P}$ is shifted by
1050: $e_i$ positions to $p_i + e_i \mod 26$.
1051:
1052: \item For each $d \in \integers_{26}^{n}$, define the decryption function $D_d
1053: : \integers_{26}^{n} \rightarrow \integers_{26}^{n}$ by
1054: \[
1055: D_d (c) = (c - d) \mod 26,
1056: \]
1057: where subtraction modulo~$26$ again is carried out character-wise. As in the
1058: Caesar cipher, $d = e$.
1059: \end{itemize}
1060: For example, choose the word $k =$~{\rm{}ENGLISH} to be the key. Suppose we
1061: want to encrypt the message
1062: $m=$~{\rm{}FINNISHISALLGREEKTOGERMANS,}\footnote{From this example we not only
1063: learn how the Vigen\`{e}re cipher works, but also that using a language
1064: such as Finnish, which is not widely used, often makes illegal decryption
1065: harder, and thus results in a higher level of security. This is not a
1066: purely theoretical observation. During World War~II, the US Navy
1067: transmitted important messages using the language of the Navajos, a Native
1068: American tribe. The ``Navajo Code''
1069: %
1070: was never broken by the Japanese code-breakers, see~\cite{sin:b:code-book}.
1071: } %
1072: omitting the spaces between words. Table~\ref{tab:vigenere} shows how each
1073: plain text letter is encrypted, yielding the cipher text~$c$. For instance,
1074: the first letter of the message, {\rm{}``F,''} corresponds to the first letter
1075: of the key, {\rm{}``E.''}~~Hence, the intersection of the {\rm{}``F''}-column
1076: with the {\rm{}``E''}-row of the Vigen\`{e}re square gives the first letter,
1077: {\rm{}``J,''} of the cipher text.
1078: \begin{table}[ht]
1079: \centering
1080: \rm\small
1081: \begin{tabular}{|l|cccccccccccccccccccccccccc|}
1082: \hline
1083: $k$ & E &\hspace{-4mm} N &\hspace{-4mm} G &\hspace{-4mm} L
1084: &\hspace{-4mm} I &\hspace{-4mm} S &\hspace{-4mm} H &\hspace{-4mm} E
1085: &\hspace{-4mm} N &\hspace{-4mm} G &\hspace{-4mm} L &\hspace{-4mm} I
1086: &\hspace{-4mm} S &\hspace{-4mm} H &\hspace{-4mm} E &\hspace{-4mm} N
1087: &\hspace{-4mm} G &\hspace{-4mm} L &\hspace{-4mm} I &\hspace{-4mm} S
1088: &\hspace{-4mm} H &\hspace{-4mm} E &\hspace{-4mm} N &\hspace{-4mm} G
1089: &\hspace{-4mm} L &\hspace{-4mm} I \\\hline
1090: $m$ & F &\hspace{-4mm} I &\hspace{-4mm} N &\hspace{-4mm} N
1091: &\hspace{-4mm} I &\hspace{-4mm} S &\hspace{-4mm} H &\hspace{-4mm} I
1092: &\hspace{-4mm} S &\hspace{-4mm} A &\hspace{-4mm} L &\hspace{-4mm} L
1093: &\hspace{-4mm} G &\hspace{-4mm} R &\hspace{-4mm} E &\hspace{-4mm} E
1094: &\hspace{-4mm} K &\hspace{-4mm} T &\hspace{-4mm} O &\hspace{-4mm} G
1095: &\hspace{-4mm} E &\hspace{-4mm} R &\hspace{-4mm} M &\hspace{-4mm} A
1096: &\hspace{-4mm} N &\hspace{-4mm} S \\\hline
1097: $c$ & J &\hspace{-4mm} V &\hspace{-4mm} T &\hspace{-4mm} Y
1098: &\hspace{-4mm} Q &\hspace{-4mm} K &\hspace{-4mm} O &\hspace{-4mm} M
1099: &\hspace{-4mm} F &\hspace{-4mm} G &\hspace{-4mm} W &\hspace{-4mm} T
1100: &\hspace{-4mm} Y &\hspace{-4mm} Y &\hspace{-4mm} I &\hspace{-4mm} R
1101: &\hspace{-4mm} Q &\hspace{-4mm} E &\hspace{-4mm} W &\hspace{-4mm} Y
1102: &\hspace{-4mm} L &\hspace{-4mm} V &\hspace{-4mm} Z &\hspace{-4mm} G
1103: &\hspace{-4mm} Y &\hspace{-4mm} A\\
1104: \hline
1105: \end{tabular}
1106: \caption{An example of encryption by the Vigen\`{e}re cipher.
1107: \label{tab:vigenere}
1108: }
1109: \end{table}
1110: \end{example}
1111:
1112: Our last example of a classical, historically important cryptosystem is the
1113: Hill cipher, which was invented by Lester Hill in 1929. It is based on
1114: linear algebra and, like the Vigen\`{e}re cipher, is an affine linear block
1115: cipher.
1116:
1117: \begin{example}[Hill cipher, a symmetric cryptosystem and a
1118: linear block cipher]~
1119:
1120: For fixed~$n \in \nats$, the key space $\mathcal{K}$ is the set of all
1121: invertible $n \times n$ matrices in $\integers_{26}^{n \times n}$.
1122: %
1123: Again, $\mathcal{P} = \mathcal{C} =
1124: \integers_{26}^{n}$ and messages $m \in \sigmastar$ are split into blocks of
1125: length $n$ and are encrypted block-wise. All arithmetic operations are
1126: carried out modulo~$26$.
1127:
1128: The {\em Hill cipher\/} is defined as follows.
1129: \begin{itemize}
1130: \item For each $K \in \mathcal{K}$, define the encryption function $E_K
1131: : \integers_{26}^{n} \rightarrow \integers_{26}^{n}$ by
1132: \[
1133: E_K (p) = K \cdot p \mod 26,
1134: \]
1135: where $\cdot$ denotes matrix multiplication modulo~$26$.
1136:
1137: \item Letting $K^{-1}$ denote the inverse matrix of~$K$, the decryption
1138: function $D_{K^{-1}} : \integers_{26}^{n} \rightarrow \integers_{26}^{n}$ is
1139: defined by
1140: \[
1141: D_{K^{-1}} (c) = K^{-1} \cdot c \mod 26.
1142: \]
1143: Since $K^{-1}$ can easily be computed from~$K$, the Hill cipher is a
1144: symmetric cryptosystem. It is also the most general linear block cipher.
1145:
1146: Concrete examples of messages encrypted by the Hill cipher can be found in,
1147: e.g.,~{\rm{}\cite{sal:b:public-key-cryptography}}.
1148: \end{itemize}
1149: \end{example}
1150:
1151: Affine linear block ciphers are easy to break by ``{\em known-plain-text
1152: attacks},'' i.e., for an attacker who knows some sample plain texts with the
1153: corresponding encryptions, it is not too hard to find the key used to encrypt
1154: these plain texts, since enough such pairs determine the affine linear
1155: relation between plain text and cipher text. They are even more vulnerable to
1156: ``{\em chosen-plain-text attacks},'' where the attacker can choose some pairs of
1157: corresponding plain texts and encryptions, which may be useful if there are
reasonable conjectures about the key used.
1158:
1159: The method of frequency counts is often useful for decrypting messages. It
1160: exploits the redundancy of the natural language used for plain text messages.
1161: For example, in many languages the letter ``E'' occurs most frequently by a
1162: statistically significant margin,
1163: with a percentage of $12.31\%$ in English, of $15.87\%$ in
1164: French, and even of $18.46\%$ in German,
1165: see~\cite{sal:b:public-key-cryptography}. Some languages have other letters
1166: that occur with the highest frequency; for example, ``A'' is the most frequent
1167: letter in average Finnish texts, with a percentage of
1168: $12.06\%$~\cite{sal:b:public-key-cryptography}.
1169:
1170: In 1863, the German cryptanalyst
1171: Friedrich Wilhelm Kasiski found a method to break the Vigen\`{e}re
1172: cipher.
1173: %
1174: Singh~\cite{sin:b:code-book} attributes this achievement
1175: also to an unpublished work, done probably around~1854, by the British
1176: genius and eccentric Charles Babbage.
1177: %
1178: The books by Salomaa~\cite{sal:b:public-key-cryptography} and
1179: Singh~\cite{sin:b:code-book} describe Kasiski's and Babbage's method.
1180: It marks a
1181: breakthrough in the history of cryptanalysis, because previously the
1182: Vigen\`{e}re cipher was considered unbreakable. In particular, like similar
1183: periodic cryptosystems with an unknown period, the Vigen\`{e}re cipher
1184: appeared to resist cryptanalysis by counting and analysing the frequency
1185: of letters in the cipher text. Kasiski showed how to determine the period
1186: from repetitions of the same substring in the cipher text.
1187:
1188: In light of Kasiski's and Babbage's achievement, it is natural to ask
1189: whether there exist any cryptosystems that guarantee {\em perfect secrecy}.
1190: We turn to this question in the next section that describes some of the
1191: pioneering work of Claude Shannon~\cite{sha:j:secrecy}, who laid the
1192: foundations of modern coding and information theory.
1193:
1194: \subsection{Conditional Probability and Bayes's Theorem}
1195:
1196: To discuss perfect secrecy of cryptosystems in mathematical terms, we first
1197: need some preliminaries from elementary probability theory.
1198:
1199: \begin{definition}
1200: Let $A$ and $B$ be events with $\mbox{\rm Pr}(B) > 0$.
1201: \begin{itemize}
1202: \item The {\em probability that $A$ occurs under the condition that $B$
1203: occurs\/} is defined by
1204: \[
1205: \mbox{\rm Pr}(A \, |\, B) = \frac{\mbox{\rm Pr}(A \cap B)}{\mbox{\rm Pr}(B)}.
1206: \]
1207: \item $A$ and $B$ are {\em independent\/} if $\mbox{\rm Pr}(A \cap B) =
1208: \mbox{\rm Pr}(A) \; \mbox{\rm Pr}(B)$ (equivalently, if $\mbox{\rm Pr}(A \,
1209: |\, B) = \mbox{\rm Pr}(A)$).
1210: \end{itemize}
1211: \end{definition}
1212:
1213: \begin{lemma}[Bayes's Theorem]
1214: Let $A$ and $B$ be events with $\mbox{\rm Pr}(A) > 0$ and $\mbox{\rm Pr}(B)
1215: > 0$. Then,
1216: \[
1217: \mbox{\rm Pr}(B) \; \mbox{\rm Pr}(A \, |\, B) = \mbox{\rm Pr}(A) \; \mbox{\rm
1218: Pr}(B \, |\, A).
1219: \]
1220: \end{lemma}
1221:
1222: \begin{proof}
1223: By definition,
1224: \[
1225: \mbox{\rm Pr}(B) \; \mbox{\rm Pr}(A \, |\, B) = \mbox{\rm Pr}(A \cap B) =
1226: \mbox{\rm Pr}(B \cap A) = \mbox{\rm Pr}(A) \; \mbox{\rm Pr}(B \, |\, A).
1227: \]
1228: \end{proof}
1229:
1230: \subsection{Perfect Secrecy: Shannon's Theorem}
1231:
1232: Consider the following scenario:
1233:
1234: \[
1235: \begin{array}{ccc}
1236: & \psfig{file=mielke.ps,height=2cm} & \\
1237: & \mbox{{\bf\large Erich}} & \\[.2cm]
1238: \psfig{file=alice.ps,height=2cm} &
1239: \psfig{file=channel.eps,width=2cm} &
1240: \psfig{file=bob.ps,height=2cm}
1241: \end{array}
1242: \]
1243:
1244:
1245: Using a cryptosystem $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E},
1246: \mathcal{D})$, Alice and Bob are communicating over an insecure channel in the
1247: presence of eavesdropper Erich. Recall that $\mathcal{P}$, $\mathcal{C}$, and
1248: $\mathcal{K}$ are finite sets. Erich reads a cipher text,~$c \in
1249: \mathcal{C}$, and tries to get some information about the corresponding plain
1250: text,~$p \in \mathcal{P}$. The plain texts are distributed on $\mathcal{P}$
1251: according to a probability distribution $\mbox{\rm Pr}_{\mathcal{P}}$ that may
1252: depend on the language used. For each new plain text, Alice chooses a new key
1253: from $\mathcal{K}$ that is independent of the plain text to be encrypted. The
1254: keys are distributed according to a probability distribution $\mbox{\rm
1255: Pr}_{\mathcal{K}}$ on~$\mathcal{K}$. The distributions $\mbox{\rm
1256: Pr}_{\mathcal{P}}$ and $\mbox{\rm Pr}_{\mathcal{K}}$ induce a probability
1257: distribution $\mbox{\rm Pr} = \mbox{\rm Pr}_{\mathcal{P} \times \mathcal{K}}$
1258: on $\mathcal{P} \times \mathcal{K}$. Thus, for each plain text $p$ and each
1259: key~$k$,
1260: \[
1261: \mbox{\rm Pr}(p, k) = \mbox{\rm Pr}_{\mathcal{P}}(p) \; \mbox{\rm
1262: Pr}_{\mathcal{K}}(k)
1263: \]
1264: is the probability that the plain text $p$ is encrypted with the key~$k$,
1265: where $p$ and $k$ are independent.
1266:
1267: %
1268: %
1269: $\mbox{\rm Pr}(p) = \mbox{\rm Pr}_{\mathcal{P}}(p)$ is the probability that
1270: the plain text $p$ will be encrypted.
1271: %
1272: %
1273: Similarly, $\mbox{\rm Pr}(k) = \mbox{\rm Pr}_{\mathcal{K}}(k)$ is the
1274: probability that the key $k$ will be used.
1275: %
1276: %
1277: Let $c$ be another random variable whose distribution is determined by the
1278: system used. Then, $\mbox{\rm Pr}(p \, |\, c)$ is the probability that
1279: $p$ is encrypted under the condition that $c$ is received.
1280: Erich knows the cipher text $c$, and he knows the probability
1281: distribution~$\mbox{\rm Pr}_{\mathcal{P}}$, since he knows the language used
1282: by Alice and Bob.
1283:
1284: \begin{definition}
1285: A cryptosystem $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E},
1286: \mathcal{D})$ provides {\em perfect secrecy\/} if and only if
1287: \[
1288: (\forall p \in \mathcal{P})\, (\forall c \in \mathcal{C})\, [\mbox{\rm Pr}(p
1289: \, |\, c) = \mbox{\rm Pr}(p)].
1290: \]
1291: \end{definition}
1292:
1293: That is, a cryptosystem achieves perfect secrecy if the event that some
1294: plain text $p$ is encrypted and the event that some cipher text $c$ is received
1295: are independent: Erich learns nothing about $p$ from knowing~$c$. The
1296: following example of a cryptosystem that does not provide perfect secrecy is due
1297: to Buchmann~\cite{buc:b:kryptographie}.
1298:
1299: \begin{example}[Perfect secrecy]
1300:
1301: Let $\mathcal{P}$, $\mathcal{C}$, and $\mathcal{K}$ be given such that:
1302: \begin{itemize}
1303: \item $\mathcal{P} = \{0,1\}$, where $\mbox{\rm Pr}(0) = \frac{1}{4}$ and
1304: $\mbox{\rm Pr}(1) = \frac{3}{4}$;
1305:
1306: \item $\mathcal{K} = \{A,B\}$, where $\mbox{\rm Pr}(A) = \frac{1}{4}$ and
1307: $\mbox{\rm Pr}(B) = \frac{3}{4}$;
1308:
1309: \item $\mathcal{C} = \{a,b\}$.
1310: \end{itemize}
1311:
1312: It follows that, for example, the probability that a ``$1$'' occurs and is
1313: encrypted with the key $B$ is:
1314: \[
1315: \mbox{\rm Pr}(1,B) = \mbox{\rm Pr}(1) \cdot \mbox{\rm Pr}(B) = \frac{3}{4}
1316: \cdot \frac{3}{4} = \frac{9}{16}.
1317: \]
1318: Let the encryption functions be given by:
1319: \[
1320: \begin{array}{cccc}
1321: E_A(0) = a; & E_A(1) = b; & E_B(0) = b; & E_B(1) = a.
1322: \end{array}
1323: \]
1324: Hence, the probability that the cipher text $a$ occurs is:
1325: \[
1326: \mbox{\rm Pr}(a) = \mbox{\rm Pr}(0,A) + \mbox{\rm Pr}(1,B) = \frac{1}{16} +
1327: \frac{9}{16} = \frac{5}{8}.
1328: \]
1329: Similarly, the probability that the cipher text $b$ occurs is:
1330: \[
1331: \mbox{\rm Pr}(b) = \mbox{\rm Pr}(1,A) + \mbox{\rm Pr}(0,B) = \frac{3}{16} +
1332: \frac{3}{16} = \frac{3}{8}.
1333: \]
1334: Then, for each pair $(p, c) \in \mathcal{P} \times \mathcal{C}$, the
1335: conditional probability $\mbox{\rm Pr}(p \, |\, c)$ is:
1336: \begin{eqnarray*}
1337: \mbox{\rm Pr}(0 \, |\, a) = \frac{\mbox{\rm Pr}(0,A)}{\mbox{\rm Pr}(a)} =
1338: \frac{\frac{1}{16}}{\frac{5}{8}} =
1339: \frac{1}{10} ; & \hspace*{1cm} &
1340: \mbox{\rm Pr}(0 \, |\, b) = \frac{\mbox{\rm Pr}(0,B)}{\mbox{\rm Pr}(b)} =
1341: \frac{\frac{3}{16}}{\frac{3}{8}} =
1342: \frac{1}{2} ;\\
1343: \mbox{\rm Pr}(1 \, |\, a) = \frac{\mbox{\rm Pr}(1,B)}{\mbox{\rm Pr}(a)} =
1344: \frac{\frac{9}{16}}{\frac{5}{8}} =
1345: \frac{9}{10} ; & \hspace*{1cm} &
1346: \mbox{\rm Pr}(1 \, |\, b) = \frac{\mbox{\rm Pr}(1,A)}{\mbox{\rm Pr}(b)} =
1347: \frac{\frac{3}{16}}{\frac{3}{8}} =
1348: \frac{1}{2} .
1349: \end{eqnarray*}
1350: In particular, it follows that
1351: \[
1352: \mbox{\rm Pr}(0) = \frac{1}{4} \neq \frac{1}{10} = \mbox{\rm Pr}(0 \, |\, a) ,
1353: \]
1354: and thus the given cryptosystem does not provide perfect secrecy: If Erich
1355: sees the cipher text~$a$, he can be pretty sure that the encrypted plain text
1356: was a~``$1$.''
1357: \end{example}
1358:
1359: \begin{theorem}[Shannon~\cite{sha:j:secrecy}]
1360: Let $S = (\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$
1361: be a cryptosystem with $||\mathcal{C}|| = ||\mathcal{K}||$ and $\mbox{\rm
1362: Pr}(p) > 0$ for each $p \in \mathcal{P}$. Then, $S$ provides perfect
1363: secrecy if and only if
1364: \begin{enumerate}
1365: \item[{\rm{}(1)}] $\mbox{\rm Pr}_{\mathcal{K}}$ is the uniform distribution,
1366: and
1367: \item[{\rm{}(2)}] for each $p \in \mathcal{P}$ and for each $c \in
1368: \mathcal{C}$, there exists a unique key $k \in \mathcal{K}$ with $E_k(p) =
1369: c$.
1370: \end{enumerate}
1371: \end{theorem}
1372:
1373: \begin{proof}
1374: Assume that $S$ provides perfect secrecy. We show that the conditions~(1)
1375: and~(2) hold.
1376:
1377: Condition~(2): Fix a plain text $p \in \mathcal{P}$. Suppose that there is a
1378: cipher text $c \in \mathcal{C}$ such that for all $k \in \mathcal{K}$, it
1379: holds that $E_k(p) \neq c$. Thus,
1380: \[
1381: \mbox{\rm Pr}(p) \neq 0 = \mbox{\rm Pr}(p \, |\, c),
1382: \]
1383: which implies that $S$ does not provide perfect secrecy, a contradiction.
1384: Hence,
1385: \[
1386: (\forall c \in \mathcal{C})\, (\exists k \in \mathcal{K})\, [E_k(p) = c] .
1387: \]
1388: Now, $||\mathcal{C}|| = ||\mathcal{K}||$ implies that each cipher text $c \in
1389: \mathcal{C}$ has a unique key $k$ with $E_k(p) = c$, since a surjection
between finite sets of the same size is a bijection.
1390:
1391: Condition~(1): Fix a cipher text $c \in \mathcal{C}$. For $p \in
1392: \mathcal{P}$, let $k(p)$ be the unique key $k$ with $E_k(p) = c$. By
1393: Bayes's theorem, for each $p \in \mathcal{P}$, we have:
1394: \begin{equation}
1395: \label{equ:bayes}
1396: \mbox{\rm Pr}(p \, |\, c) = \frac{\mbox{\rm Pr}(c \, |\, p ) \;
1397: \mbox{\rm Pr}(p)}{\mbox{\rm Pr}(c)}
1398: = \frac{\mbox{\rm Pr}(k(p)) \; \mbox{\rm Pr}(p)}{\mbox{\rm Pr}(c)} .
1399: \end{equation}
1400: Since $S$ provides perfect secrecy, we have $\mbox{\rm Pr}(p \, |\, c) =
1401: \mbox{\rm Pr}(p)$. By Equation~(\ref{equ:bayes}), this implies $\mbox{\rm
1402: Pr}(k(p)) = \mbox{\rm Pr}(c)$, and this equality holds independently of~$p$.
1403:
1404: Hence, the probabilities $\mbox{\rm Pr}(k)$ are equal for all $k \in
1405: \mathcal{K}$, which implies $\mbox{\rm Pr}(k) = \frac{1}{||\mathcal{K}||}$.
1406: Thus, $\mbox{\rm Pr}_{\mathcal{K}}$ is the uniform distribution.
1407:
1408: Conversely, suppose that conditions~(1) and~(2) hold. We show that $S$
1409: provides perfect secrecy. Let $k = k(p, c)$ be the unique key $k$ with $E_k(p)
1410: = c$. By Bayes's theorem, it follows that
1411: \begin{eqnarray}
1412: \label{equ:cond}
1413: \mbox{\rm Pr}(p \, |\, c) & = &
1414: \frac{\mbox{\rm Pr}(p) \; \mbox{\rm Pr}(c \, |\, p )}{\mbox{\rm Pr}(c)}
1415: \nonumber \\
1416: & = &
1417: \frac{\mbox{\rm Pr}(p) \; \mbox{\rm Pr}(k(p, c))}
1418: {\sum_{q \in \mathcal{P}} \mbox{\rm Pr}(q) \; \mbox{\rm Pr}(k(q, c))} .
1419: \end{eqnarray}
1420: Since all keys are uniformly distributed, it follows that
1421: \[
1422: \mbox{\rm Pr}(k(p, c)) = \frac{1}{||\mathcal{K}||} .
1423: \]
1424: Moreover, we have that
1425: \[
1426: {\sum_{q \in \mathcal{P}} \mbox{\rm Pr}(q) \; \mbox{\rm Pr}(k(q, c))}
1427: = \frac{\sum_{q \in \mathcal{P}} \mbox{\rm Pr}(q)}{||\mathcal{K}||}
1428: = \frac{1}{||\mathcal{K}||} .
1429: \]
1430: Substituting this equality in Equation~(\ref{equ:cond}) gives:
1431: \[
1432: \mbox{\rm Pr}(p \, |\, c) = \mbox{\rm Pr}(p) .
1433: \]
1434: Hence, $S$ provides perfect secrecy.
1435: \end{proof}
1436:
1437: \subsection{Vernam's One-Time Pad}
1438:
1439: The Vernam one-time pad is a symmetric cryptosystem that does provide perfect
1440: secrecy. It was invented by Gilbert Vernam in 1917,\footnote{Slightly
1441: differing from the system described here, Vernam's actual invention was a
1442: system with a finite period and hence did not provide perfect secrecy; see
1443: Kahn~\cite{kah:b:codebreakers} on this point.
1444: }
1445: and is defined as
1446: follows. Let $\mathcal{P} = \mathcal{C} = \mathcal{K} = \{0,1\}^n$ for some
1447: $n \in \nats$. For $k \in \{0,1\}^n$, define
1448: \begin{itemize}
1449: \item the encryption function $E_k : \{0,1\}^n \rightarrow \{0,1\}^n$ by
1450: \[
1451: E_k (p) = p \oplus k \mod 2\; \mbox{, and}
1452: \]
1453:
1454: \item the decryption function $D_k : \{0,1\}^n \rightarrow \{0,1\}^n$ by
1455: \[
1456: D_k (c) = c \oplus k \mod 2,
1457: \]
1458: \end{itemize}
1459: where $\oplus$ denotes bit-wise addition modulo~$2$. The keys are uniformly
1460: distributed on $\{0,1\}^n$. Note that for each plain text $p$ a new key $k$
1461: is chosen from~$\{0,1\}^n$.
1462:
1463: By Shannon's Theorem, the one-time pad provides perfect secrecy: its keys are
1464: uniformly distributed on $\mathcal{K} = \mathcal{C} = \{0,1\}^n$, and for each
1465: plain text $p \in \mathcal{P}$ and for each cipher text $c \in \mathcal{C}$,
1466: there exists a unique key $k \in \mathcal{K}$ with $c = p \oplus k$, namely
the string $k = c \oplus p$.
1467:
1468: However, the one-time pad has major disadvantages that make it impractical to
1469: use in most concrete scenarios: To obtain perfect secrecy, every key can be
1470: used only once, and it must be at least as long as the plain text to be
1471: transmitted. Indeed, since for every communication a new secret key at least
1472: as long as the plain text must itself be exchanged securely, this results in a
1473: vicious circle. Despite these drawbacks, for the perfect secrecy it provides, the
1474: one-time pad has been used in real-world applications such as, allegedly, the
1475: hotline between Moscow and Washington,
1476: see~\cite[p.~316]{sim:j:symmetric-asymmetric-encryption}.
1477:
1478: %
1479: %
1480: %
1481:
1482: \section{RSA Cryptosystem}
1483: \label{sec:rsa-system}
1484:
1485: The RSA cryptosystem, named after its inventors Ron Rivest, Adi Shamir, and
1486: Leonard Adleman, is the first public-key
1487: cryptosystem~\cite{riv-sha-adl:j:rsa}. It is still widely used in
1488: cryptographic applications today. Again, the scenario is that Alice and Bob
1489: want to exchange messages over an insecure channel on which Erich is an
1490: eavesdropper:
1491:
1492: \[
1493: \begin{array}{ccc}
1494: & \psfig{file=mielke.ps,height=2cm} & \\
1495: & \mbox{{\bf\large Erich}} & \\[.2cm]
1496: \psfig{file=alice.ps,height=2cm} &
1497: \psfig{file=channel.eps,width=2cm} &
1498: \psfig{file=bob.ps,height=2cm}
1499: \end{array}
1500: \]
1501:
1502: In order to describe how the RSA cryptosystem works, we first need some
1503: preliminaries from elementary number theory.
1504:
1505: \subsection{Euler and Fermat's Theorems}
1506:
1507: The {\em greatest common divisor\/} of two integers $a$ and $b$ is denoted by
1508: $\mbox{gcd}(a,b)$. For $n \in \nats$, define the set
1509: \[
1510: \integers_{n}^{\ast} = \{ i \condition 1 \leq i \leq n-1 \mbox{ and }
1511: \mbox{gcd}(i,n) = 1\} .
1512: \]
1513:
1514: The {\em Euler function\/} $\phi$ is defined by $\phi(n) = ||
1515: \integers_{n}^{\ast} ||$. Note that $\integers_{n}^{\ast}$ is a group (with
1516: respect to multiplication) of order~$\phi(n)$. The following useful
1517: properties of $\phi$ follow from the definition:
1518: \begin{itemize}
1519: \item $\phi(m \cdot n) = \phi(m) \cdot \phi(n)$ for all $m, n \in \nats$ with
1520: $\mbox{gcd}(m,n) = 1$, and
1521:
1522: \item $\phi(p) = p - 1$ for all primes~$p$.
1523: \end{itemize}
1524: We will specifically use that $\phi(n) = (p-1)(q-1)$, where $p$ and $q$ are
1525: primes and $n = pq$.
1526:
1527: Euler's Theorem below is a special case (for the group~$\integers_{n}^{\ast}$)
1528: of Lagrange's Theorem, which states that for each element $g$ of a finite
1529: multiplicative group $G$ having order $|G|$ and the neutral element~$1$, it
1530: holds that $g^{|G|} = 1$.
1531:
1532: \begin{theorem}[Euler]
1533: For each $a \in \integers_{n}^{\ast}$, $a^{\phi(n)} \equiv 1 \mod n$.
1534: \end{theorem}
1535:
1536: The special case of Euler's Theorem with $n$ being a prime not dividing $a$ is
1537: known as Fermat's Little Theorem.
1538:
1539: \begin{theorem}[Fermat's Little Theorem]
1540: \label{thm:fermat}
1541: If $p$ is a prime and $a \in \integers_{p}^{\ast}$, then $a^{p-1} \equiv 1
1542: \mod p$.
1543: \end{theorem}
1544:
1545: \subsection{RSA}
1546: \label{sec:rsa}
1547:
1548: \noindent
1549: {\bf (1) Key generation:}
1550: \begin{enumerate}
1551: \item Bob chooses randomly two large primes $p$ and $q$ with $p \neq q$, and
1552: computes their product $n = pq$.
1553:
1554: \item Bob chooses a number $e \in \nats$ with
1555: \begin{eqnarray}
1556: \label{equ:e}
1557: 1 < e < \phi(n) = (p-1)(q-1) & \mbox{ and } & \mbox{gcd}(e, \phi(n)) = 1 .
1558: \end{eqnarray}
1559:
1560: \item Bob computes the unique number $d$ satisfying
1561: \begin{eqnarray}
1562: \label{equ:d}
1563: 1 < d < \phi(n) & \mbox{ and } & e \cdot d \equiv 1 \mod \phi(n) .
1564: \end{eqnarray}
1565: That is, $d$ is the inverse of $e$ modulo~$\phi(n)$.
1566:
1567: \item The pair $(n,e)$ is Bob's {\em public key}, and $d$ is Bob's {\em
1568: private key}.
1569: \end{enumerate}
1570:
1571: \begin{figure}[!ht]
1572: \centering
1573: \fbox{
1574: \begin{minipage}{4.5in}
1575: %
1576: \begin{construction}
1577: \item {\bf Euclid's Algorithm (extended)}
1578: \begin{block}
1579: \item {\bf Input:} Two integers, $b_0$ and~$b_1$.
1580: \item {\bf begin} $x_0 := 1$; $y_0 := 0$; $x_1 := 0$; $y_1 := 1$;
1581: $i:= 1$;
1582: \begin{block}
1583: \item {\bf while} $b_i$ does not divide $b_{i-1}$ {\bf do}
1584: \begin{block}
1585: \item {\bf begin}
1586: \begin{block}
1587: \item $q_i := \left\lfloor \frac{b_{i-1}}{b_i} \right\rfloor$;
1588: \item $b_{i+1} := b_{i-1} - q_i \cdot b_i$;
1589: \item $x_{i+1} := x_{i-1} - q_i \cdot x_i$;
1590: \item $y_{i+1} := y_{i-1} - q_i \cdot y_i$;
1591: \item $i := i+1$
1592: \end{block}
1593: \item {\bf end}
1594: \end{block}
1595: \item {\bf begin output}
1596: \begin{block}
1597: \item $b := b_i$;
1598: \hfill $(\ast$ $b = \mbox{gcd}(b_0, b_1) = 1$ $\ast)$
1599: \item $x := x_i$;
1600: \item $y := y_i$
1601: \hfill $(\ast$ $y$ is the inverse of $b_1 \mod b_0$
1602: $\ast)$
1603: \end{block}
1604: \item {\bf end output}
1605: \end{block}
1606: \item {\bf end}
1607: \end{block}
1608: %
1609: \end{construction}
1610: %
1611: \end{minipage}}
1612: \caption{The extended algorithm of Euclid.
1613: \label{fig:euklid}
1614: }
1615: \end{figure}
1616:
1617: In order to generate two large primes (e.g., primes with 80 digits each)
1618: efficiently, one can choose large numbers at random and test them for
1619: primality.
1620: Since by the Prime Number Theorem, the number of primes not exceeding $N$ is
1621: approximately $\frac{N}{\ln N}$, the odds of hitting a prime are good after a
1622: reasonably small number of trials. To verify the primality of
1623: the number picked, one usually
1624: makes use of a randomized polynomial-time primality test such as the Monte
1625: Carlo\footnote{A Monte Carlo algorithm is a randomized algorithm whose ``yes''
1626: answers are reliable, while its ``no'' answers may be erroneous with a
1627: certain error probability, or vice versa. The corresponding complexity
1628: classes are called R and coR, respectively,
1629: see~\cite{gil:j:probabilistic-tms}. In contrast, a Las Vegas algorithm may
1630: for certain sequences of coin flips halt without giving an answer at all,
1631: but whenever it gives an answer, this answer is correct. The corresponding
1632: class, $\zpp = \rp \cap \cor$, was also defined by
1633: Gill~\cite{gil:j:probabilistic-tms}.}
1634: algorithm of Rabin~\cite{rab:j:probabilistic-algorithms-for-primality} that is
1635: related to a deterministic algorithm due to
1636: Miller~\cite{mil:j:riemann-primes}; their primality test is known as the
1637: Miller--Rabin test. An alternative, though less popular, Monte Carlo algorithm
1638: was proposed by Solovay and
1639: Strassen~\cite{sol-str:j:monte-carlo-for-primality}. The reason why the
1640: Solovay--Strassen test is less popular than the Miller--Rabin test is that
1641: it is less efficient and less accurate.
1642: These two primality
1643: tests, along with a careful complexity analysis and the required
1644: number-theoretical background, can be found in, e.g., the books by
1645: Stinson~\cite{sti:b:cryptography} and
1646: Salomaa~\cite{sal:b:public-key-cryptography}. Additional primality tests are
1647: contained in~\cite{gol:b:foundations,buc:b:kryptographie}.
1648:
1649: \begin{quote}
1650: {\em Note Added in Proof\/}: Quite recently, Agrawal et
1651: al.~\cite{agr-kay-sax:m:primes-in-p} designed a deterministic
1652: polynomial-time algorithm for primality. Their breakthrough result is a
1653: milestone in complexity theory and solves a long-standing open problem. It
1654: is unlikely, though, that this algorithm will have immediate consequences
1655: for cryptographic applications, since Agrawal et
1656: al.~\cite{agr-kay-sax:m:primes-in-p} note that their algorithm has a running
1657: time of roughly $n^{12}$ and thus is much less efficient than the
1658: probabilistic primality tests currently in use.
1659: \end{quote}
1660:
1661: We now argue that the keys can be computed efficiently. In particular, the
1662: inverse $d$ of $e$ modulo~$\phi(n)$ can be computed efficiently via the
1663: extended algorithm of Euclid; see Figure~\ref{fig:euklid}.
1664:
1665: \begin{lemma}
1666: \label{lem:euklid}
1667: On input $b_0 = \phi(n)$ and~$b_1 = e$, the extended algorithm of Euclid
1668: computes in polynomial time integers $x$ and $y$ such that
1669: \[
1670: x \cdot \phi(n) + y \cdot e \equiv 1 \mod \phi(n) .
1671: \]
1672: Thus, $y$ is the inverse of $e$ modulo~$\phi(n)$, and Bob chooses
1673: $d \equiv y \mod \phi(n)$ as his private key.
1674: \end{lemma}
1675:
1676: \begin{example}
1677: Bob chooses the primes $p = 11$ and $q = 23$, and computes their product $n
1678: = 253$ and $\phi(253) = 10 \cdot 22 = 220$. The smallest possible $e$
1679: satisfying Equation~{\rm{}(\ref{equ:e})} is $e = 3$. The extended algorithm
1680: of Euclid yields the following sequence of $b_i$, $x_i$, and~$y_i$:
1681: \[
1682: \begin{array}{|r||r|r|r|r|}
1683: \hline\hline
1684: i & b_i & x_i & y_i & q_i \\
1685: \hline
1686: 0 & 220 & 1 & 0 & \mbox{--} \\
1687: 1 & 3 & 0 & 1 & 73 \\
1688: 2 & 1 & \mbox{\boldmath $1$} & \mbox{\boldmath $- 73$} & \mbox{--} \\
1689: \hline\hline
1690: \end{array}
1691: \]
1692: Since $1 \cdot 220 + (- 73) \cdot 3 = 220 - 219 \equiv 1 \mod 220$, the unique
1693: value $d = -73 + 220 = 147$ computed by Bob satisfies
1694: Equation~{\rm{}(\ref{equ:d})} and is the inverse of $e = 3$ modulo~$220$.
1695: \end{example}
1696:
1697: \medskip
1698: \noindent
1699: {\bf (2) Encryption:} We assume that messages over some alphabet $\Sigma$ are
1700: block-wise encoded as positive integers with a fixed block length. Suppose
1701: that~$m < n$ is the message Alice wants to send to Bob.
1702: Alice knows Bob's public key $(n, e)$ and computes the encryption $c =
1703: E_{(n,e)}(m)$ of~$m$, where the encryption function is defined by
1704: \[
1705: E_{(n,e)}(m) = m^e \mod n .
1706: \]
1707:
1708: Performed naively, this computation may require a large number of
1709: multiplications, depending on the choice of~$e$. To ensure efficient
1710: encryption, we will employ a ``fast exponentiation'' algorithm called
1711: ``square-and-multiply,'' see Figure~\ref{fig:square-and-multiply} below.
1712:
1713: \begin{figure}[!ht]
1714: \centering
1715: \fbox{
1716: \begin{minipage}{4.5in}
1717: %
1718: \noindent
1719: {\bf Square-and-Multiply Algorithm}
1720: \begin{algorithm}
1721: \item[{\bf Input}:] $m, n, e \in \nats$, where $m < n$.
1722: \item Let the binary expansion of the exponent $e$ be given by
1723: \[
1724: e = \sum_{i = 0}^{k} e_i 2^{i} , \quad \mbox{where $e_i \in \{0,1\}$.}
1725: \]
1726: \item Successively compute $m^{2^i}$, where $0 \leq i \leq k$, using the
1727: equality
1728: \[
1729: m^{2^{i+1}} = \left( m^{2^i}\right)^{2}.
1730: \]
1731: It is not necessary to store the intermediate values of~$m^{2^i}$.
1732:
1733: \item In the arithmetic modulo~$n$, compute
1734: \begin{equation}
1735: \label{equ:square-and-multiply}
1736: m^e = \prod_{\stackrel{\mbox{\protect\scriptsize $i = 0$}}{e_i = 1}}^{k}
1737: m^{2^i}.
1738: \end{equation}
1739: \label{item:square-and-multiply:3}
1740:
1741: \item[{\bf Output}:] $m^e$.
1742: \end{algorithm}
1743: %
1744: \end{minipage}}
1745: \caption{The square-and-multiply algorithm.
1746: \label{fig:square-and-multiply}
1747: }
1748: \end{figure}
1749:
1750: Equation~{\rm{}(\ref{equ:square-and-multiply})} in
1751: Step~\ref{item:square-and-multiply:3} of Figure~\ref{fig:square-and-multiply}
1752: is correct, since
1753: \[
1754: m^e = m^{\sum_{i = 0}^{k} e_i 2^{i}} =
1755: \prod_{i = 0}^{k} \left( m^{2^i}\right)^{e_i} =
1756: \prod_{\stackrel{\mbox{\protect\scriptsize $i = 0$}}{e_i = 1}}^{k} m^{2^i} .
1757: \]
1758:
1759:
1760: Hence, instead of $e$ multiplications, Alice needs to compute no more than $2
1761: \log e$ multiplications. Thus, the square-and-multiply method speeds up the
1762: encryption exponentially.
1763:
1764: \begin{example}
1765: Suppose Alice wants to compute $c = 6^{17} \mod 100$. The binary expansion of
1766: the exponent is $17 = 1 + 16 = 2^0 + 2^4$.
1767: \begin{enumerate}
1768: \item Alice successively computes:
1769: \[
1770: \begin{array}{lclcl}
1771: 6^{2^0} & = & 6^1 & = & 6 ;\\
1772: 6^{2^1} & = & 6^2 & = & 36 ;\\
1773: 6^{2^2} & = & 36^2 & \equiv & -4 \mod 100 ; \\
1774: 6^{2^3} & \equiv & (-4)^2 \mod 100 & \equiv & 16 \mod 100 ; \\
1775: 6^{2^4} & \equiv & 16^2 \mod 100 & \equiv & 56 \mod 100 .
1776: \end{array}
1777: \]
1778:
1779: \item Alice computes her cipher text
1780: \[
1781: \begin{array}{lclcl}
1782: c & = & 6^{17} \mod 100 & \equiv & 6 \cdot 6^{2^4} \mod 100 \\
1783: & & & \equiv & 6 \cdot 56 \mod 100 \\
1784: & & & \equiv & 36 \mod 100 .
1785: \end{array}
1786: \]
1787: Note that only four squarings and one multiplication are needed for her to
1788: compute the cipher text.
1789: \end{enumerate}
1790: \end{example}
1791:
1792: \medskip
1793: \noindent
1794: {\bf (3) Decryption:} Let $c$, $0 \leq c < n$, be the cipher text sent to Bob;
1795: $c$ is subject to eavesdropping by Erich. Bob decrypts $c$ using his
1796: private key $d$ and the following decryption function:
1797: \[
1798: D_d (c) = c^d \mod n .
1799: \]
1800: Again, the fast exponentiation algorithm described in
1801: Figure~\ref{fig:square-and-multiply} ensures that the legal recipient Bob can
1802: decrypt the cipher text efficiently. Thus, the RSA protocol is feasible. To
1803: prove that it is correct, we show that Equation~{\rm{}(\ref{equ:correctness})}
1804: is satisfied.
1805:
1806: \begin{figure}[!htb]
1807: \centering
1808: \begin{tabular}{||c||c|c|c||}
1809: \hline\hline
1810: \parbox[t]{.5cm}{\bf Step} &
1811: \psfig{file=alice.ps,height=2cm} &
1812: \psfig{file=mielke.ps,height=2cm} &
1813: %
1814: %
1815: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
1816: {\bf 1} & & & \parbox[t]{5.5cm}
1817: {chooses large primes $p$, $q$ at random, computes $n = pq$
1818: and $\phi(n) = (p-1)(q-1)$, his public key $(n, e)$
1819: with $e$ satisfying Eq.~{\rm{}(\ref{equ:e})}, and
1820: his private key $d$ satisfying Eq.~{\rm{}(\ref{equ:d})}} \\ \hline
1821: {\bf 2} & &
1822: \mbox{\huge $\stackrel{\mbox{\normalsize $(n, e)$}}{\Leftarrow}$} & \\ \hline
1823: {\bf 3} & \parbox[t]{3cm}
1824: {encrypts message $m$ by computing
1825: \[
1826: c = m^e \mod n
1827: \]
1828: }
1829: & & \\ \hline
1830: {\bf 4} & &
1831: \mbox{\huge $\stackrel{\mbox{\normalsize $c$}}{\Rightarrow}$} & \\ \hline
1832: {\bf 5} &
1833: & & \parbox[t]{5.5cm}
1834: {decrypts cipher text $c$ by computing
1835: \[
1836: m = c^d = \left(m^e\right)^d \mod n
1837: \]
1838: }
1839: \\ \hline\hline
1840: \end{tabular}
1841: \caption{The RSA protocol.
1842: \label{fig:rsa}
1843: }
1844: \end{figure}
1845:
1846: Figure~\ref{fig:rsa} summarizes the individual steps of the RSA protocol and
1847: displays the information communicated by Alice and Bob that is subject to
1848: eavesdropping by Erich.
1849:
1850: \begin{theorem}
1851: Let $(n, e)$ and $d$ be Bob's public and private keys in the RSA
1852: protocol. Then, for each message $m$ with $0 \leq m < n$,
1853: \[
1854: m = \left( m^e \right)^d \mod n .
1855: \]
1856: That is, RSA is a public-key cryptosystem.
1857: \end{theorem}
1858:
1859: \begin{proof}
1860: Since $e \cdot d \equiv 1 \mod \phi(n)$ by Equation~{\rm{}(\ref{equ:d})},
1861: there exists an integer $t$ such that
1862: \[
1863: e \cdot d = 1 + t(p-1)(q-1) ,
1864: \]
1865: where $n = pq$. It follows that
1866: \[
1867: \begin{array}{lclcl}
1868: \left( m^e \right)^d & = & m^{e \cdot d}& = & m^{1 + t(p-1)(q-1)} \\
1869: & & & = & m \left(m^{t(p-1)(q-1)}\right) \\
1870: & & & = & m \left(m^{p-1}\right)^{t(q-1)}.
1871: \end{array}
1872: \]
1873: Hence, we have
1874: \begin{equation}
1875: \label{equ:mmodp}
1876: \left( m^e \right)^d \equiv m \mod p ,
1877: \end{equation}
1878: since if $p$ divides $m$ then both sides of Equation~{\rm{}(\ref{equ:mmodp})}
1879: are $0 \mod p$, and if $p$ does not divide $m$ (i.e., $\mbox{gcd}(p,m) = 1$)
1880: then by Fermat's Little Theorem, we have
1881: \[
1882: m^{p-1} \equiv 1 \mod p .
1883: \]
1884: By a symmetric argument, it holds that
1885: \[
1886: \left( m^e \right)^d \equiv m \mod q .
1887: \]
1888: Since $p$ and $q$ are primes with $p \neq q$, it follows from the Chinese
1889: Remainder Theorem (see, e.g., \cite{knu:b2:2} or~\cite{sti:b:cryptography})
1890: that
1891: \[
1892: \left( m^e \right)^d \equiv m \mod n.
1893: \]
1894: Since $m < n$, the claim follows.
1895: \end{proof}
1896:
1897: \subsection{RSA Digital Signature Protocol}
1898: \label{sec:digital-sign-rsa}
1899:
1900: \begin{figure}[!htb]
1901: \centering
1902: \begin{tabular}{||c||c|c|c||}
1903: \hline\hline
1904: \parbox[t]{.5cm}{\bf Step} &
1905: \psfig{file=alice.ps,height=2cm} &
1906: \psfig{file=mielke.ps,height=2cm} &
1907: %
1908: %
1909: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
1910: {\bf 1} & \parbox[t]{4cm}
1911: {chooses $n = pq$, her public key $(n, e)$, and her private key $d$ as in
1912: the RSA protocol, see Section~\ref{sec:rsa}} & & \\ \hline
1913: {\bf 2} & \parbox[t]{4cm}
1914: {computes her signature
1915: \[
1916: \mbox{sig}_A (m) = m^d \mod n
1917: \]
1918: for the message~$m$}
1919: & & \\ \hline
1920: {\bf 3} & &
1921: \mbox{\huge $\stackrel{\mbox{\normalsize $m, \mbox{sig}_A (m)$}}{\Rightarrow}$} & \\ \hline
1922: {\bf 4} &
1923: & & \parbox[t]{4cm}
1924: {verifies Alice's signature by checking the congruence
1925: \[
1926: m \equiv \left(\mbox{sig}_A (m)\right)^e \mod n
1927: \]}
1928: \\ \hline\hline
1929: \end{tabular}
1930: \caption{The RSA digital signature protocol.
1931: \label{fig:rsa-digital-signature}
1932: }
1933: \end{figure}
1934:
1935: %
1936: %
1937: The RSA public-key cryptosystem described in
1938: Section~\ref{sec:rsa} can be modified so as to yield a digital signature
1939: protocol. Figure~\ref{fig:rsa-digital-signature} shows how the RSA digital
1940: signature protocol works. A chosen-plain-text attack on the RSA digital
1941: signature scheme, and countermeasures to avoid it, are described in
1942: Section~\ref{sec:security-rsa}.
1943:
1944: \subsection{Security of RSA and Possible Attacks on RSA}
1945: \label{sec:security-rsa}
1946:
1947: The security of the RSA cryptosystem strongly depends on whether factoring
1948: large integers is intractable. It is widely believed that there is no
1949: efficient factoring algorithm, since no such algorithm has been found as
1950: yet, despite considerable efforts in the past. However, it is not known
1951: whether the problem of factoring large integers is as hard as the problem of
1952: cracking the RSA system.
1953:
1954: Here is a list of potential attacks on the RSA system. To preclude these
1955: direct attacks, some care must be taken in choosing the primes $p$ and~$q$,
1956: the modulus~$n$, the exponent~$e$, and the private key~$d$. For further
1957: background on the security of the RSA system and on proposed attacks to break
1958: it, the reader is referred
1959: to~\cite{bon:j:rsa-attacks,sha:j:rsa-for-paranoids,kal-rob:j:secure-use-rsa,moo:b:protocol-failures}.
1960: For each attack on RSA that has been proposed in the literature to date, some
1961: practical countermeasures are known, rules of thumb that prevent the success
1962: of those attacks or, at least, that make their likelihood of success
1963: negligibly small.
1964:
1965: \begin{description}
1966: \item[Factoring attacks:] The aim of the attacker Erich is to use the
1967: public key $(n, e)$ to recover the private key $d$ by factoring~$n$, i.e.,
1968: by computing the primes $p$ and $q$ with $n = pq$. Knowing $p$ and~$q$, he
1969: can just like Bob compute $\phi(n) = (p-1)(q-1)$ and thus the inverse $d$ of
1970: $e$ modulo~$\phi(n)$, using the extended algorithm of Euclid; see
1971: Figure~\ref{fig:euklid} and Lemma~\ref{lem:euklid}. There are various ways
1972: in which Erich might mount this type of attack on RSA\@.
1973: \begin{itemize}
1974: \item {\em Brute-force attack\/}: Erich might try to factor the modulus $n$
1975: simply by exhaustive search of the complete key space. Choosing $n$
1976: sufficiently large will prevent this type of attack. Currently, it is
1977: recommended to use moduli $n$ with at least 768 bits, i.e., the size of 512
1978: bits formerly in use no longer provides adequate protection today. Of
1979: course, the time complexity of modular exponentiation grows rapidly with the
1980: modulus size, and thus there is a tradeoff between increasing the security
1981: of RSA and decreasing its efficiency.
1982:
1983: It is also generally accepted that those moduli $n$ consisting of prime
1984: factors $p$ and $q$ of roughly the same size are the hardest to factor.
1985:
1986: \item {\em General-purpose factoring methods\/}: Examples of such general
1987: factoring algorithms are the {\em general number field sieve\/} (see,
1988: e.g.,~\cite{len-len:b:number-field-sieve}) or the older {\em quadratic
1989: sieve} (see, e.g.,~\cite{buc:b:kryptographie,sti:b:cryptography}). They
1990: are based on the following simple idea. Suppose $n$ is the number to be
1991: factored. Using the respective ``sieve,'' one determines integers $a$ and
1992: $b$ such that
1993: \begin{eqnarray}
1994: \label{equ:sieve}
1995: a^2 \equiv b^2 \mod n & \mbox{and} & a \not\equiv \pm b \mod n .
1996: \end{eqnarray}
1997: Thus, $n$ divides $a^2 - b^2 = (a-b)(a+b)$, but neither $a-b$ nor $a+b$.
1998: Hence, $\mbox{gcd}(a-b,n)$ is a nontrivial factor of~$n$. The general number
1999: field sieve and the quadratic sieve differ in the specific way the integers
2000: $a$ and $b$ satisfying Equation~(\ref{equ:sieve}) are found.
2001:
2002: \item {\em Special-purpose factoring methods\/}: Depending on the form of
2003: the primes $p$ and~$q$, it might be argued that using special-purpose
2004: factoring methods such as Pollard's ``$p-1$
2005: method''~\cite{pol:j:factorization} may be more effective and more
2006: successful than using general-purpose factoring methods. This
2007: potential threat led to the introduction of {\em strong primes\/} that
2008: resist such special-purpose factoring methods. A strong prime $p$ is
2009: required to satisfy certain conditions such as that $p-1$ has a large
2010: factor~$r$ and $r-1$, in turn, has a large factor, etc.
2011:
2012: \item {\em Elliptic curve method\/}: This factoring method was introduced
2013: by Lenstra~\cite{len:j:elliptic-curves}, and it has some success probability
2014: regardless of the form of the primes chosen. Consequently, the most
2015: effective countermeasure against the elliptic curve method is to use primes
2016: of very large size. This countermeasure simultaneously provides, with a
2017: very high probability, protection against all known types of special-purpose
2018: factoring methods. In short, randomly chosen large primes are more
2019: important than strong primes. Note that weak primes are believed to be
2020: rare; Pomerance and Sorenson~\cite{pom-sor:j:weak-primes} study the density
2021: of weak primes.
2022:
2023: \item {\em Factoring on a quantum computer\/}: Last, we mention that Shor's
2024: algorithm for factoring large numbers on a quantum
2025: computer~\cite{shor:j:factoring-on-quantum-computer} poses a potential
2026: threat to the security of RSA and other cryptosystems whose security relies
2027: on the hardness of the factoring problem. More precisely, Shor's efficient
2028: quantum algorithm determines the order of a given group element, a problem
2029: closely related to the factoring problem. Using Miller's randomized
2030: reduction~\cite{mil:j:riemann-primes}, if one can efficiently compute the
2031: order of group elements, then one can efficiently solve the factoring
2032: problem. However, the quantum computer is a theoretical construct
2033: currently. Whether or not Shor's quantum factoring algorithm will be a
2034: practical threat remains to be seen in the future.
2035: \end{itemize}
2036:
2037:
2038: \item[Superencryption:] Early on, Simmons and
2039: Norris~\cite{sim-nor:j:comments-on-rsa} proposed an attack on RSA called
2040: superencryption. This attack is based on the observation that a sufficient
2041: number of repeated encryptions will eventually recover the original message, since
2042: the RSA encryption function is an injective mapping of a finite set onto itself (i.e., a permutation), which
2043: makes the graph of the function a union of disjoint cycles. This attack is
2044: a threat to the security of RSA, provided that the number of encryptions
2045: required is small. Luckily, superencryption is not a practical attack if
2046: the primes are large and are chosen at random.
2047:
2048: \item[Wiener's attack:] Wiener~\cite{wie:j:cryptanalysis-of-rsa} proposed an
2049: attack on the RSA system by a continued fraction approximation, using the
2050: public key $(n, e)$ to provide sufficient information to recover the private
2051: key~$d$. More precisely, Wiener proved that if the keys in the RSA system
2052: are chosen such that $n = pq$, where $q < p < 2q$, and $d < \frac{1}{3}
2053: \sqrt[4]{n}$, then given the public key $(n, e)$ with $ed \equiv 1 \mod
2054: \phi(n)$ the private key $d$ can be computed in linear time.
2055:
2056: Here is a proof sketch of Wiener's result (see~\cite{bon:j:rsa-attacks}).
2057: Since $ed \equiv 1 \mod \phi(n)$, there exists a $k$ such that $ed - k
2058: \phi(n) = 1$, which implies that $\frac{k}{d}$ is an approximation of
2059: $\frac{e}{\phi(n)}$:
2060: \begin{eqnarray}
2061: \label{equ:wiener}
2062: \left| \frac{e}{\phi(n)} - \frac{k}{d} \right| & = &
2063: \left| \frac{1}{d \phi(n)} \right| .
2064: \end{eqnarray}
2065: Erich does not know~$\phi(n)$, but he can use $n$ in place of~$\phi(n)$.
2066: Using $ed - k \phi(n) = 1$ and the easily verified fact that $|n - \phi(n)| <
2067: 3 \sqrt{n}$, in place of Equation~(\ref{equ:wiener}) we now have
2068: \[
2069: \left| \frac{e}{n} - \frac{k}{d} \right|
2070: = \left| \frac{1 - k(n - \phi(n))}{d n} \right|
2071: \leq \left| \frac{3k\sqrt{n}}{d n} \right|
2072: = \frac{3k}{d \sqrt{n}}.
2073: \]
2074: Since $k \phi(n) = ed -1 < ed$ and $e < \phi(n)$, we have $k < d < \frac{1}{3}
2075: \sqrt[4]{n}$. Hence,
2076: \[
2077: \left| \frac{e}{n} - \frac{k}{d} \right|
2078: < \frac{1}{d\sqrt[4]{n}}
2079: < \frac{1}{2d^2}.
2080: \]
2081: There are at most $\log n$ fractions $\frac{k}{d}$ with $d < n$ approximating
2082: $\frac{e}{n}$ so tightly, and they can be obtained by computing the $\log n$
2083: convergents of the continued fraction expansion of $\frac{e}{n}$
2084: (see~\cite[Thm.~177]{har-wri:b:number}). Since $ed - k \phi(n) = 1$, we have
2085: $\mbox{gcd}(k, d) = 1$, so $\frac{k}{d}$ is a reduced fraction.
2086:
2087: Note that this attack is efficient and practical, and thus is a concern, only
2088: if the private key $d$ is chosen to be small relative to~$n$. For example, if
2089: $n$ is a 1024-bit number, then $d$ must be at least 256 bits long in order to
2090: prevent Wiener's attack. A small value of~$d$, however, enables fast
2091: decryption and in particular is desirable for low-power devices such as
2092: ``smartcards.'' Therefore, Wiener proposed certain techniques that avoid his
2093: attack.
2094:
2095: The first technique is to use a large encryption exponent,
2096: say~$\tilde{e} = e + \ell \phi(n)$ for some large~$\ell$. For a large
2097: enough~$\tilde{e}$, the factor $k$ in the above proof is so large that
2098: Wiener's attack cannot be mounted, regardless of how small $d$ is.
2099:
2100: The second technique uses the Chinese Remainder Theorem to speed up
2101: decryption, even if $d$ is not small. Let $d$ be a large decryption exponent
2102: such that both $d_p \equiv d \mod p-1$ and $d_q \equiv d \mod q-1$ are small.
2103: Then, one can decrypt a given cipher text $c$ as follows. Compute $m_p =
2104: c^{d_p} \mod p$ and $m_q = c^{d_q} \mod q$, and use the Chinese Remainder
2105: Theorem to obtain the unique solution $m$ modulo $n = pq$ of the two equations
2106: $m = m_p \mod p$ and $m = m_q \mod q$. The point is that although $d_p$ and
2107: $d_q$ are small, $d$ can be chosen large enough to resist Wiener's attack.
2108:
2109: Boneh and Durfee~\cite{bon-dur:j:improving-wiener-attack} recently improved
2110: Wiener's result: Erich can efficiently compute $d$ from $(n, e)$ provided that
2111: $d < n^{0.292}$.
2112:
2113:
2114: \item[Small-message attack:] RSA encryption is not effective if both the
2115: message $m$ to be encrypted and the exponent $e$ to be used for encryption
2116: are small relative to the modulus~$n$. In particular, if $c = m^e < n$ is
2117: the cipher text (so that no modular reduction takes place), then $m$ can be
2118: recovered from $c$ by ordinary root extraction. Thus, either the public exponent should be large or the
2119: messages should always be large. It is this latter suggestion that is more
2120: useful, for a small public exponent is often preferred in order to speed up
2121: the encryption and to preclude Wiener's attack.
2122:
2123: \item[Low-exponent attack:] One should take precautions, though, not to choose
2124: the public exponent too small. A preferred value of $e$ that has been used
2125: often in the past is $e = 3$. However, if three parties participating in
2126: the same system encrypt the same message $m$ using the same public
2127: exponent~$3$, although perhaps different moduli $n_1$, $n_2$, and~$n_3$,
2128: then one can easily compute $m$ from the three cipher texts:
2129: \begin{eqnarray*}
2130: c_1 & = & m^3 \mod n_1 \\
2131: c_2 & = & m^3 \mod n_2 \\
2132: c_3 & = & m^3 \mod n_3 .
2133: \end{eqnarray*}
2134: In particular, the message $m$ must be smaller than the moduli, and so $m^3$
2135: will be smaller than $n_1 n_2 n_3$. Using the Chinese Remainder Theorem (see,
2136: e.g., \cite{knu:b2:2,sti:b:cryptography}), which applies provided the three moduli are pairwise coprime (otherwise a gcd computation would already reveal a nontrivial factor of one of them), one can compute the unique solution
2137: \[
2138: c = m^3 \mod n_1 n_2 n_3 = m^3 .
2139: \]
2140: Hence, one can compute $m$ from $c$ by ordinary root extraction.
2141:
2142: More generally, suppose that $k$ related plain texts are encrypted with the
2143: same exponent~$e$:
2144: \begin{eqnarray*}
2145: c_1 & = & (a_1 m + b_1)^e \mod n_1 \\
2146: c_2 & = & (a_2 m + b_2)^e \mod n_2 \\
2147: & \vdots & \\
2148: c_k & = & (a_k m + b_k)^e \mod n_k ,
2149: \end{eqnarray*}
2150: where $a_i$ and $b_i$, $1 \leq i \leq k$, are known and $k > \frac{e(e+1)}{2}$
2151: and $\min(n_i) > 2^{e^2}$. Then, an attacker can solve for $m$ in polynomial
2152: time using lattice reduction techniques. This observation is due to Johan
2153: H{\aa}stad~\cite{has:j:solving-low-degree-equations}, and his ``broadcast
2154: attack'' has been strengthened by Don
2155: Coppersmith~\cite{cop:j:low-exponent-rsa-attacks}. This attack is a
2156: concern if the messages are related in a known way. Padding the messages with
2157: pseudorandom strings prior to encryption prevents mounting this attack in
2158: practice, see, e.g.,~\cite{kal-rob:j:secure-use-rsa}. If the messages are
2159: related in a known way, they should not be encrypted with many RSA keys.
2160:
2161: A recommended value of $e$ that is commonly used today is $e = 2^{16} +1$.
2162: One advantage of this value for $e$ is that its binary expansion has only two
2163: ones, which implies that the square-and-multiply algorithm of
2164: Figure~\ref{fig:square-and-multiply} requires very few
2165: operations,\footnote{How many exactly?}
2166: and so is very efficient.
2167:
2168: \item[Forging RSA signatures:] This attack is based on the fact that the RSA
2169: encryption function is a homomorphism: if $(n, e)$ is the public key and
2170: $m_1$ and $m_2$ are two messages then
2171: \begin{equation}
2172: \label{equ:homomorph-rsa}
2173: m_{1}^{e} \cdot m_{2}^{e} \equiv \left(m_{1} \cdot m_{2}\right)^{e} \mod n .
2174: \end{equation}
2175: Another identity that can easily be verified is:
2176: \begin{equation}
2177: \label{equ:identity-rsa}
2178: \left( m \cdot r^e \right)^d \equiv m^d \cdot r \mod n .
2179: \end{equation}
2180: In particular, these identities can be used to mount an attack on the digital
2181: signature scheme based on the RSA algorithm, see
2182: Figure~\ref{fig:rsa-digital-signature} and Section~\ref{sec:digital-sign-rsa}.
2183: Given previous message-signature pairs $(m_1 , \mbox{sig}_A (m_1)), \ldots ,
2184: (m_k , \mbox{sig}_A (m_k))$, Erich can use the
2185: congruences~(\ref{equ:homomorph-rsa}) and~(\ref{equ:identity-rsa}) to compute
2186: a new message-signature pair $(m, \mbox{sig}_A (m))$ by
2187: \begin{eqnarray*}
2188: m & = & r^e \prod_{i = 1}^{k} m_i^{e_i} \mod n ; \\
2189: \mbox{sig}_A (m) & = &
2190: r \prod_{i = 1}^{k} \left(\mbox{sig}_A (m_i) \right)^{e_i} \mod n ,
2191: \end{eqnarray*}
2192: where $r$ and the $e_i$ are arbitrary. Hence, Erich can forge Alice's
2193: signature without knowing her private key, and Bob will not detect the
2194: forgery, since $m \equiv \left(\mbox{sig}_A (m)\right)^e \mod n$. Note that,
2195: in Equation~(\ref{equ:homomorph-rsa}), even if $m_{1}$ and~$m_{2}$ are
2196: meaningful plain texts, $m_{1} \cdot m_{2}$ usually is not. Thus, Erich can
2197: forge Alice's signature only for messages that may or may not be useful.
2198: However, he might choose the messages $m_i$ so as to generate a meaningful
2199: message $m$ with a forged digital signature. This {\em chosen-plain-text
2200: attack\/} can again be avoided by pseudorandom padding techniques that
2201: destroy the algebraic relations between messages. Pseudorandom padding is
2202: also a useful countermeasure against the following {\em chosen-cipher-text
2203: attack\/}: Erich intercepts some cipher text~$c$, chooses $r \in \nats$ at
2204: random, and computes $c \cdot r^e \mod n$, which he sends to the legitimate
2205: receiver Bob. By Equation~(\ref{equ:identity-rsa}), Bob will decrypt the
2206: string $\hat{c} = c^d \cdot r \mod n$, which is likely to look like a random
2207: string. Erich, however, if he were to get his hands on~$\hat{c}$, could
2208: obtain the original message $m$ by multiplying by~$r^{-1}$, the inverse of $r$
2209: modulo~$n$, i.e., by computing $m = r^{-1} \cdot c^d \cdot r \mod n$.
2210: \end{description}
2211:
2212: %
2213: %
2214: %
2215:
2216: \section{Protocols for Secret-Key Agreement, Public-Key Encryption, and
2217: Digital Signatures}
2218: \label{sec:protocols}
2219:
2220: Consider again a scenario where Alice and Bob want to exchange messages over
2221: an insecure channel such as a public telephone line, and where Erich is an
2222: eavesdropper:
2223:
2224: \[
2225: \begin{array}{ccc}
2226: & \psfig{file=mielke.ps,height=2cm} & \\
2227: & \mbox{{\bf\large Erich}} & \\[.2cm]
2228: \psfig{file=alice.ps,height=2cm} &
2229: \psfig{file=channel.eps,width=2cm} &
2230: \psfig{file=bob.ps,height=2cm}
2231: \end{array}
2232: \]
2233: This is why Alice and Bob want to encrypt their messages. For efficiency
2234: purposes, they decide to use a symmetric cryptosystem in which they both
2235: possess the same key for encryption and for decryption; recall
2236: Definition~\ref{def:cryptosystem}. But then, how can they agree on a joint
2237: secret key when they can communicate only over an insecure channel? If they
2238: were to send an encrypted message containing the key to be used in subsequent
2239: communications, which key should they use to encrypt {\em this\/} message?
2240:
2241: This paradoxical situation is known as the {\em secret-key agreement\/}
2242: problem, and it was considered to be unsolvable since the beginning of
2243: cryptography. It was quite a surprise when in 1976 Whitfield Diffie and
2244: Martin Hellman~\cite{dif-hel:j:diffie-hellman} did solve this long-standing,
2245: seemingly paradoxical problem by proposing the first secret-key agreement
2246: protocol. We describe their protocol in Section~\ref{sec:diffie-hellman}.
2247: Interestingly, it was the Diffie--Hellman protocol that inspired Rivest,
2248: Shamir, and Adleman to invent the RSA system. That is, Diffie and Hellman's
2249: key idea to solve the secret-key agreement problem opened the door to modern
2250: public-key cryptography, which no longer requires sending secret keys over
2251: insecure channels.
2252:
2253: Strangely enough, the reverse happened in the nonpublic sector. The
2254: Communications Electronics Security Group (CESG) of the
2255: %
British Government Communications Headquarters (GCHQ) claims to have invented
2257: the RSA public-key cryptosystem prior to Rivest, Shamir, and Adleman and the
2258: Diffie--Hellman secret-key agreement scheme independently of Diffie and
Hellman. And they did so in reverse order. James Ellis first discovered the
possibility, in principle, of public-key cryptography in the late sixties. In
2261: 1973, Clifford Cocks developed the mathematics necessary to realize Ellis's
2262: ideas and formulated what four years later became known as the RSA system.
2263: Soon thereafter, inspired by Ellis's and Cocks's work, Malcolm Williamson
2264: invented what became known as the Diffie--Hellman secret-key agreement scheme,
2265: around the same time Diffie and Hellman succeeded. None of the results of
2266: Ellis, Cocks, and Williamson became known to the public then. The full
2267: story---or what of it is publicly known by now---is told in Singh's
2268: book~\cite{sin:b:code-book}.
2269:
2270: Section~\ref{sec:elgamal} shows how to modify the Diffie--Hellman protocol in
2271: order to obtain a public-key cryptosystem. This protocol is due to Taher
2272: ElGamal~\cite{gam:j:public-key}. Just like the Diffie--Hellman protocol,
2273: ElGamal's cryptosystem is based on the difficulty of computing discrete
2274: logarithms.
2275:
2276: Section~\ref{sec:no-key} gives an interesting protocol due to an unpublished
2277: work of Adi Shamir. In this protocol, keys do not need to be agreed upon
2278: prior to exchanging encrypted messages.
2279:
2280:
Another cryptographic task is the generation of {\em digital signatures\/}:
Alice wants to sign her encrypted messages to Bob in a way that allows Bob to
verify that Alice was indeed the sender of the message and that the message
he received is the one she signed. Digital signature protocols are used for
the authentication of documents such as email messages. The goal is to
preclude Erich from forging Alice's messages and her signature, and from
altering a signed message without the alteration being detected.
2286: Digital signature protocols are described in
2287: Section~\ref{sec:digital-sign-rsa} (RSA digital signatures), in
2288: Section~\ref{sec:elgamal} (ElGamal digital signatures) and in
2289: Section~\ref{sec:riv-rab-she} (Rabi and Sherman digital signatures).
2290:
2291: \subsection{Diffie and Hellman's Secret-Key Agreement Protocol}
2292: \label{sec:diffie-hellman}
2293:
2294: \begin{figure}[!htb]
2295: \centering
2296: \begin{tabular}{||c||c|c|c||}
2297: \hline\hline
2298: \parbox[t]{.5cm}{\bf Step} &
2299: \psfig{file=alice.ps,height=2cm} &
2300: \psfig{file=mielke.ps,height=2cm} &
2301: %
2302: %
2303: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
2304: {\bf 1} & \multicolumn{3}{c||}
2305: {Alice and Bob agree upon a large prime~$p$ and a primitive root
2306: $g$ of~$p$;} \\
2307: & \multicolumn{3}{c||}
2308: {$p$ and $g$ are public} \\ \hline
2309: {\bf 2} & \parbox[t]{4cm}
{chooses a large number $a$ at random, keeps $a$ secret, and computes $\alpha = g^a \mod p$}
2311: & & \parbox[t]{4cm}
{chooses a large number $b$ at random, keeps $b$ secret, and computes $\beta = g^b \mod p$}
2313: \\ \hline
2314: {\bf 3} & &
2315: \mbox{\huge $\stackrel{\mbox{\normalsize $\alpha$}}{\Rightarrow}$} & \\
2316: & &
2317: \mbox{\huge $\stackrel{\mbox{\normalsize $\beta$}}{\Leftarrow}$} & \\ \hline
2318: {\bf 4} & \parbox[t]{4cm}
2319: {computes her key
2320: \[
2321: k_A = \beta^a \mod p
2322: \]
2323: }
2324: & & \parbox[t]{4cm}
2325: {computes his key
2326: \[
2327: k_B = \alpha^b \mod p
2328: \]
2329: } \\ \hline\hline
2330: \end{tabular}
2331: \caption{The Diffie--Hellman secret-key agreement protocol.
2332: \label{fig:diffie-hellman}
2333: }
2334: \end{figure}
2335:
2336: Figure~\ref{fig:diffie-hellman} shows how the Diffie--Hellman secret-key
2337: agreement protocol works. It is based on the modular exponential function
2338: with base $g$ and modulus~$p$, where $p$ is a prime and $g$ is a primitive
root of $p$ in~$\integers_{p}^{\ast}$, the cyclic multiplicative group of
the residues modulo~$p$ that are coprime with~$p$; recall that
$\integers_{p}^{\ast}$ has order $\phi(p) = p-1$.
2341: The formal definition is as follows.
2342:
2343: \begin{definition}
2344: %
2345: %
2346: \begin{itemize}
2347: \item For $n \in \nats$, a {\em primitive root of~$n$\/} is any element $a \in
2348: \integers_{n}^{\ast}$ satisfying that, for each $d$ with $1 \leq d <
2349: \phi(n)$, it holds that
2350: \[
2351: a^d \not\equiv 1 \mod n .
2352: \]
2353: Equivalently, a primitive root of $n$ is a generator of~$\integers_{n}^{\ast}$.
2354:
2355: \item Let $p$ be a prime, and let $g$ be a primitive root of~$p$.
2356: %
2357: The function
2358: $\alpha_{(g, p)} : \integers_{p-1} \rightarrow \integers_{p}^{\ast}$
2359: that is defined by
2360: \[
2361: \alpha_{(g, p)}(a) = g^a \mod p .
2362: \]
2363: is called the {\em modular exponential function with base $g$ and
2364: modulus~$p$}. Its inverse function, which for fixed $p$ and $g$ maps
2365: $\alpha_{(g, p)}(a)$ to~$a = \log_g \alpha \mod p$, is called the {\em
2366: discrete logarithm}.
2367: \end{itemize}
2368: \end{definition}
2369:
2370: As noted above, every primitive root of $p$ generates the
2371: entire group~$\integers_{p}^{\ast}$. Moreover,
2372: $\integers_{p}^{\ast}$ has precisely
2373: $\phi(p-1)$ primitive roots. For example, $\integers_{5}^{\ast} = \{1, 2, 3,
2374: 4\}$ and $\integers_{4}^{\ast} = \{1, 3\}$, so $\phi(4) = 2$, and the two
2375: primitive roots of~$5$ in $\integers_{5}^{\ast}$ are $2$ and~$3$, since
2376: \[
2377: \begin{array}{llll}
2378: 2^1 = 2;\ & 2^2 = 4;\ & 2^3 \equiv 3 \mod 5;\ & 2^4 \equiv 1 \mod 5;\ \\
2379: 3^1 = 3;\ & 3^2 \equiv 4 \mod 5;\ & 3^3 \equiv 2 \mod 5;\
2380: & 3^4 \equiv 1 \mod 5 .\
2381: \end{array}
2382: \]
2383: Not every integer has a primitive root: $8$ is the smallest such example. It
2384: is known from elementary number theory that an integer $n$ has a primitive
2385: root if and only if $n$ is $1$ or $2$ or~$4$, or is of the form $q^k$ or
2386: $2q^k$ for some odd prime~$q$.
2387:
The protocol from Figure~\ref{fig:diffie-hellman} works, since
\[
k_A \equiv \beta^a \equiv g^{ba} = g^{ab} \equiv \alpha^b \equiv k_B \mod p .
\]
2392: Thus, the keys computed by Alice and Bob indeed are the same.
2393:
Computing discrete logarithms is considered to be a very hard problem: no
efficient algorithms are known for solving it in general, although its
actual difficulty depends on the choice of~$p$ (see the remarks on the
choice of $p$ in Section~\ref{sec:elgamal}). In contrast, the modular
2396: exponential function can be computed efficiently, using the fast
2397: exponentiation algorithm ``square-and-multiply'' described as
2398: Figure~\ref{fig:square-and-multiply}. That is why modular exponentiation is
2399: considered to be a candidate for a
2400: ``one-way function,'' i.e., a function that is easy to
2401: compute but hard to invert. Things are bad. It is currently not known
2402: whether or not one-way functions exist. Things are worse. Although they are
2403: not known to exist, one-way functions play a key role in cryptography, and the
2404: security of many cryptosystems is based on the assumption that one-way
2405: functions do exist. We will discuss the notion of one-way functions in more
2406: detail in Section~\ref{sec:aowf}.
2407:
2408: If Erich is listening carefully to Alice and Bob's communication in the
2409: Diffie--Hellman protocol (see Figure~\ref{fig:diffie-hellman}), he knows $p$,
2410: $g$, $\alpha$, and~$\beta$. He wants to compute their joint secret key, $k_A
2411: = k_B$. This problem is known as the {\em Diffie--Hellman problem}. If Erich
2412: could solve the discrete logarithm problem efficiently, he could easily
2413: compute $a = \log_g \alpha \mod p$ and $b = \log_g \beta \mod p$ and, thus,
2414: $k_A = \beta^a \mod p$ and $k_B = \alpha^b \mod p$. That is, the
2415: Diffie--Hellman problem is no more difficult than the discrete logarithm
2416: problem. The converse question---of whether the Diffie--Hellman problem is as
2417: hard as the discrete logarithm problem---is still an unproven conjecture.
Fortunately, as noted above, the discrete logarithm problem is viewed as being
intractable for suitably chosen parameters, so this attack is very unlikely
to be a practical threat provided that $p$ is large enough and $p-1$ has a
large prime factor (see Section~\ref{sec:elgamal}). On the
other hand, it is the only known attack for computing the keys directly from
$\alpha$ and $\beta$ in the Diffie--Hellman protocol. Note, however, that no
proof of security for this protocol has been established to date.
2423:
Note also that computing the keys $k_A = k_B$ directly from $\alpha$ and
$\beta$ is not the only possible attack on the Diffie--Hellman protocol. For
example, it is vulnerable to the {\em Man-in-the-middle attack}. Unlike
passive attacks against the underlying mathematics of a
cryptosystem, in which an eavesdropper tries to gain information without
affecting the protocol, the Man-in-the-middle attack is an active attack, in
which the adversary attempts to alter the protocol to his own advantage.
That is, Erich, as the ``man in the middle,'' might
pretend to be Alice when communicating with Bob, and he might pretend to be
Bob when communicating with Alice. He could intercept $\alpha = g^a \mod p$
that Alice sends to Bob and he could also intercept $\beta = g^b \mod p$ that
Bob sends to Alice, passing on his own values $\alpha_E$ in place of $\alpha$
to Bob and $\beta_E$ in place of $\beta$ to Alice. That way Erich could
compute two (possibly distinct) keys, one for communicating with Alice, the
other one for communicating with Bob, without them having any clue that they
in fact are communicating with him. Erich can then decrypt every message
with one key, read or modify it, and re-encrypt it with the other key before
forwarding it. Note that this attack does not require solving any hard
mathematical problem; it exploits the fact that nothing in the protocol ties
$\alpha$ and $\beta$ to their senders.
Thus, Alice and Bob cannot be certain of the authenticity of their respective
partners in the communication. A standard remedy is to authenticate the
exchanged values, e.g., by having Alice and Bob sign $\alpha$ and $\beta$
with a digital signature scheme such as those of
Sections~\ref{sec:digital-sign-rsa} and~\ref{sec:elgamal}, which in turn
presupposes that they already possess each other's authentic verification
keys. In Section~\ref{sec:zero-knowledge}, we
will introduce {\em zero-knowledge protocols}, which can be used to ensure
proper authentication.
2444:
2445: \begin{figure}[!htp]
2446: \centering
2447: \begin{tabular}{||c||c|c|c||}
2448: \hline\hline
2449: \parbox[t]{.5cm}{\bf Step} &
2450: \psfig{file=alice.ps,height=2cm} &
2451: \psfig{file=mielke.ps,height=2cm} &
2452: %
2453: %
2454: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
2455: {\bf 1} & \multicolumn{3}{c||}
2456: {Alice and Bob agree upon a large prime~$p$ and a primitive root
2457: $g$ of~$p$;} \\
2458: & \multicolumn{3}{c||}
2459: {$p$ and $g$ are public} \\ \hline
2460: {\bf 2} & & & \parbox[t]{4cm}
2461: {chooses a large number $b$ at random as his private key
2462: and computes $\beta = g^b \mod p$}
2463: \\ \hline
2464: {\bf 3} & &
2465: \mbox{\huge $\stackrel{\mbox{\normalsize $\beta$}}{\Leftarrow}$} & \\ \hline
2466: {\bf 4} & \parbox[t]{4cm}
2467: {chooses a large number $a$ at random, computes $\alpha = g^a \mod p$, the
2468: key $k = \beta^a \mod p$, and the cipher text $c = E_k(m)$, where $m$ is
2469: the message to be sent} & & \\ \hline
2470: {\bf 5} & &
2471: \mbox{\huge $\stackrel{\mbox{\normalsize $\alpha$, $c$}}{\Rightarrow}$} & \\ \hline
2472: {\bf 6} & & & \parbox[t]{4cm}
2473: {computes $k = \alpha^b \mod p$ and
2474: $m = D_k(c)$} \\ \hline\hline
2475: \end{tabular}
2476: \caption{A public-key cryptosystem based on the Diffie--Hellman protocol, which
2477: uses the encryption and decryption algorithms $E_k$ and $D_k$ of a given
2478: symmetric cryptosystem.
2479: \label{fig:diffie-hellman-public-key}
2480: }
2481: \end{figure}
2482:
2483: By slightly modifying the Diffie--Hellman protocol, it is possible to obtain a
2484: public-key cryptosystem. The variant of the Diffie--Hellman protocol
2485: presented here
2486: %
2487: in fact is a ``hybrid cryptosystem,'' a public-key cryptosystem making use of
2488: a given symmetric cryptosystem. Such hybrid systems are often useful in
2489: practice, for they combine the advantages of asymmetric and symmetric
2490: cryptosystems. Symmetric systems are usually more efficient than public-key
2491: systems.
2492:
2493: The protocol works as follows. Alice and Bob agree on a large prime~$p$ and a
2494: primitive root $g$ of~$p$, which are public. They also agree on some
2495: symmetric cryptosystem $S = (\mathcal{P}, \mathcal{C}, \mathcal{K},
2496: \mathcal{E}, \mathcal{D})$ with encryption functions $\mathcal{E} = \{E_k
2497: \condition k \in \mathcal{K}\}$ and decryption functions $\mathcal{D} = \{D_k
2498: \condition k \in \mathcal{K}\}$. The subsequent steps of the protocol are
shown in Figure~\ref{fig:diffie-hellman-public-key}. The message to be sent
is encrypted using the symmetric system~$S$, and the symmetric key $k$ used in
this encryption is established in a Diffie--Hellman-like fashion: only
$\alpha$ (together with the cipher text~$c$) is transmitted, never $k$
itself, and Bob derives $k$ from $\alpha$ and his private~$b$. This
modification of the original Diffie--Hellman protocol is the standard usage of
Diffie--Hellman.
2504:
2505: The system in Figure~\ref{fig:diffie-hellman-public-key}
2506: modifies the original Diffie--Hellman protocol in the following way.
2507: While in the Diffie--Hellman scheme Alice and Bob {\em simultaneously\/}
2508: compute and send their ``partial keys'' $\alpha$ and~$\beta$, respectively,
2509: they do so {\em sequentially\/} in the protocol in
2510: Figure~\ref{fig:diffie-hellman-public-key}. That is, Alice must
2511: wait for Bob's value~$\beta$, his public key,
2512: to be able to compute the key $k$ with which she
2513: then encrypts her message~$m$ via the symmetric cryptosystem~$S$.
Moreover,
%
%
Bob generates, once and for all, his public $\beta$
for possibly several communications with Alice, and also for possibly several
users other than Alice who might want to communicate with him. In contrast,
Alice has to generate her $\alpha$ anew again and again every time she
communicates with Bob, just like in the original Diffie--Hellman protocol.
Note that Bob's long-term secret $b$ thereby becomes a single point of
failure: anyone who learns $b$ later can compute $k = \alpha^b \mod p$ for
every recorded $\alpha$ and thus decrypt all past messages sent to Bob,
whereas in the original protocol of Figure~\ref{fig:diffie-hellman} both
exponents are fresh and can be discarded after use.
2522: This modification of Diffie--Hellman is usually
2523: referred to as Predistributed Diffie--Hellman. In a {\em key
2524: distribution scheme}, one party chooses a key and then transmits it to
2525: another party or parties over an insecure channel. In contrast, in a {\em
2526: secret-key agreement scheme\/} such as the original Diffie--Hellman protocol
2527: from Figure~\ref{fig:diffie-hellman}, two or more parties jointly compute, by
2528: communicating over an insecure channel, a shared secret key, which depends on
2529: inputs from both or all parties.
2530:
2531: \subsection{ElGamal's Public-Key Cryptosystem and Digital Signature Protocol}
2532: \label{sec:elgamal}
2533:
2534: Taher ElGamal~\cite{gam:j:public-key} developed a public-key cryptosystem and
2535: a digital signature protocol that are based on the Diffie--Hellman protocol.
2536: In fact, the variant of Diffie--Hellman presented in
2537: Figure~\ref{fig:diffie-hellman-public-key} is somewhat reminiscent of the
2538: original ElGamal public-key cryptosystem, which we will now describe.
2539:
2540: \begin{figure}[!htp]
2541: \centering
2542: \begin{tabular}{||c||c|c|c||}
2543: \hline\hline
2544: \parbox[t]{.7cm}{\bf Step} &
2545: \psfig{file=alice.ps,height=2cm} &
2546: \psfig{file=mielke.ps,height=2cm} &
2547: %
2548: %
2549: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
2550: {\bf 1} & \multicolumn{3}{c||}
2551: {Alice and Bob agree upon a large prime~$p$ and a primitive root
2552: $g$ of~$p$;} \\
2553: & \multicolumn{3}{c||}
2554: {$p$ and $g$ are public} \\ \hline
2555: {\bf 2} & & & \parbox[t]{4cm}
2556: {chooses $b \in \integers^{\ast}_{p-1}$ at random and computes $\beta = g^b
2557: \mod p$; \\ $b$ is private and $\beta$ is public}
2558: \\ \hline
2559: {\bf 3} & &
2560: \mbox{\huge $\stackrel{\mbox{\normalsize $\beta$}}{\Leftarrow}$} & \\ \hline
2561: {\bf 4} & \parbox[t]{4cm}
2562: {picks a secret $a \in \integers^{\ast}_{p-1}$ at random,
2563: computes $\alpha = g^a \mod p$ and $c = m \beta^a \mod p$,
2564: where $m$ is the message to be sent
2565: } & & \\ \hline
2566: {\bf 5} & &
2567: \mbox{\huge $\stackrel{\mbox{\normalsize $\alpha$, $c$}}{\Rightarrow}$} & \\
2568: \hline
2569: {\bf 6} & & & \parbox[t]{4cm}
2570: {computes $x = p - 1 - b$ and decrypts by computing
2571: \[
2572: m = c \alpha^x \mod p
2573: \]
2574: } \\ \hline\hline
2575: \end{tabular}
2576: \caption{The ElGamal public-key cryptosystem.
2577: \label{fig:ElGamal}
2578: }
2579: \end{figure}
2580:
2581: Figure~\ref{fig:ElGamal} shows ElGamal's public-key cryptosystem. After Alice
2582: and Bob have agreed on a prime $p$ and a primitive root $g$ of~$p$, Bob picks
2583: a random value $b \in \integers^{\ast}_{p-1}$ and computes his public key
2584: $\beta = g^b \mod p$. If Alice wants to send him a message $m \in
2585: \integers^{\ast}_{p}$, she looks up $\beta$ and ``disguises'' $m$ by
2586: multiplying it with $\beta^a$ modulo~$p$, where $a \in \integers^{\ast}_{p-1}$
2587: is a random number she has picked. This yields the first part $c$ of the
2588: cipher text, the second part is $\alpha = g^a \mod p$. She sends both $c$ and
$\alpha$ to Bob. To decrypt, Bob first computes $x = p - 1 - b$. Since $1
\leq b \leq p-2$, it follows that $1 \leq x \leq p-2$. Bob then can recover
the original plain text $m$ by computing (using Fermat's Little Theorem,
$g^{p-1} \equiv 1 \mod p$, in the last step):
2592: \[
2593: c \alpha^x \equiv
2594: m \beta^a g^{a(p - 1 - b)} \equiv
2595: m g^{ba + a(p-1) - ab} \equiv
2596: m \left(g^{p-1}\right)^a \equiv
2597: m \mod p .
2598: \]
2599:
Just as in the Diffie--Hellman protocol, the security of the ElGamal protocol
is based on the difficulty of computing discrete logarithms. Although it is
not known whether breaking the ElGamal protocol is as hard as solving the
discrete logarithm problem, it can be shown that breaking the ElGamal protocol
is precisely as hard as solving the Diffie--Hellman problem. To prevent known
attacks on the ElGamal cryptosystem, the prime $p$ should be chosen large
enough (at least 150 decimal digits at the time of writing; the required
size grows as discrete-logarithm algorithms and hardware improve) and such
that $p-1$ has at least one large prime factor. Moreover, Alice must pick a
fresh random $a$ for every message: if the same $a$ were used to encrypt two
messages $m_1$ and $m_2$ as $c_1 = m_1 \beta^a \mod p$ and $c_2 = m_2
\beta^a \mod p$, then $c_1 c_2^{-1} \equiv m_1 m_2^{-1} \mod p$, so Erich
could recover $m_2$ from $m_1$ without knowing $b$. Note also that, as with
unpadded RSA, the cipher text is malleable: multiplying $c$ by some $t \in
\integers_{p}^{\ast}$ yields a valid encryption of $t \cdot m$ under the same
$\alpha$.
2608:
2609: \begin{figure}[!htp]
2610: \centering
2611: \begin{tabular}{||c||c|c|c||}
2612: \hline\hline
2613: \parbox[t]{.5cm}{\bf Step} &
2614: \psfig{file=alice.ps,height=2cm} &
2615: \psfig{file=mielke.ps,height=2cm} &
2616: %
2617: %
2618: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
2619: {\bf 1} & \multicolumn{3}{c||}
2620: {Alice and Bob agree upon a large prime~$p$ and a primitive root
2621: $g$ of~$p$;} \\
2622: & \multicolumn{3}{c||}
2623: {$p$ and $g$ are public} \\ \hline
2624: {\bf 2} & & & \parbox[t]{4cm}
2625: {chooses $b$ and $\beta = g^b \mod p$ as in Fig.~\ref{fig:ElGamal};
2626: chooses a number $r$ with $\mbox{gcd}(r, p-1) = 1$,
2627: computes $\rho = g^r \mod p$ and $s$ according to
2628: Eq.~{\rm{}(\ref{equ:elgamal-digital-signature})} and his signature
2629: \[
2630: \mbox{sig}_B (m) = (\rho, s)
2631: \]
2632: }
2633: \\ \hline
2634: {\bf 3} & &
2635: \mbox{\huge $\stackrel{\mbox{\normalsize $\beta$, $m$,
2636: $\mbox{sig}_B (m)
2637: %
2638: $}}{\Leftarrow}$} & \\ \hline
2639: {\bf 4} & \parbox[t]{4cm}
2640: {verifies Bob's signature by checking that
2641: Eq.~(\ref{equ:elgamal-dig-dig-check}) holds:
2642: \[
2643: g^m \equiv \beta^{\rho} \cdot \rho^s \mod p .
2644: \]
2645: } & & \\ \hline\hline
2646: \end{tabular}
2647: \caption{The ElGamal digital signature protocol.
2648: \label{fig:ElGamal-digital-signature}
2649: }
2650: \end{figure}
2651:
2652: ElGamal's system can be modified so as to yield a digital signature protocol.
2653: A particularly efficient variant of this protocol that is due to an idea of
2654: Schnorr~\cite{sch:c:signature} is now the United States ``Digital Signature
2655: Standard''~\cite{NIST:1991:DSS,NIST:1992:DSS}.
2656:
2657: The ElGamal digital signature protocol is presented in
2658: Figure~\ref{fig:ElGamal-digital-signature}. Suppose that Bob wants to send a
2659: message $m$ to Alice. To prove that he indeed is the sender, he wants to sign
2660: the message in a way that Alice can verify.
2661: Let a large prime $p$ and a primitive root $g$ of $p$
2662: be given as in the ElGamal public-key cryptosystem, see
2663: Figure~\ref{fig:ElGamal}. As in that protocol, Bob chooses his private $b$
and computes $\beta = g^b \mod p$. In addition, he now chooses a number $r$
at random, coprime with $p-1$, and he computes $\rho = g^r \mod p$ and a
solution $s$ to the congruence
\begin{equation}
\label{equ:elgamal-digital-signature}
b \cdot \rho + r \cdot s \equiv m \mod p-1
\end{equation}
namely $s = r^{-1} (m - b \cdot \rho) \mod p-1$, where the inverse $r^{-1}$
of $r$ modulo $p-1$ exists because $\mbox{gcd}(r, p-1) = 1$ and is found
using the extended algorithm of Euclid, see Figure~\ref{fig:euklid} and
Lemma~\ref{lem:euklid}. (Here $m$ is taken modulo $p-1$; in practice, $m$
stands for a short hash value of the message rather than for the message
itself.)
2673:
2674: Bob keeps $b$ and $r$ secret, and he sends along with his message $m$ his
2675: digital signature $\mbox{sig}_B (m) = (\rho, s)$ and the value $\beta$ to
2676: Alice.
2677:
2678: Alice checks the validity of the signature by verifying the congruence
2679: \begin{equation}
2680: \label{equ:elgamal-dig-dig-check}
2681: g^m \equiv \beta^{\rho} \cdot \rho^s \mod p .
2682: \end{equation}
2683: The protocol is correct, since by Fermat's Little Theorem (see
2684: Theorem~\ref{thm:fermat}) and by
2685: Equation~(\ref{equ:elgamal-digital-signature}), it holds that
2686: \[
2687: g^m \equiv g^{b \cdot \rho + r \cdot s} \equiv
2688: \beta^{\rho} \cdot \rho^s \mod p .
2689: \]
Note that the public verification key, which consists of the values $p$, $g$,
and~$\beta$, is computed just once and can be used to verify any message that
is signed with $p$, $g$, $b$, and~$\beta$. However, a new random value of $r$
must be chosen every time a message is signed, and $r$ must be kept secret.
Both requirements are essential: if Bob signed two different messages $m_1$
and $m_2$ with the same $r$ (and hence the same~$\rho$), obtaining signatures
$(\rho, s_1)$ and $(\rho, s_2)$, then subtracting the two instances of
Equation~(\ref{equ:elgamal-digital-signature}) gives $r (s_1 - s_2) \equiv
m_1 - m_2 \mod p-1$, from which Erich can compute $r$ whenever $s_1 - s_2$
is invertible modulo $p-1$, and then Bob's private key $b$ from
Equation~(\ref{equ:elgamal-digital-signature}) (provided $\rho$ is invertible
modulo $p-1$). Likewise, anyone who learns $r$ for a single signature can
solve that equation for~$b$.
2694:
2695:
2696: \subsection{Shamir's No-Key Protocol}
2697: \label{sec:no-key}
2698:
2699: \begin{figure}[!htp]
2700: \centering
2701: \begin{tabular}{||c||c|c|c||}
2702: \hline\hline
2703: \parbox[t]{.5cm}{\bf Step} &
2704: \psfig{file=alice.ps,height=2cm} &
2705: \psfig{file=mielke.ps,height=2cm} &
2706: %
2707: %
2708: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
2709: {\bf 1} & \multicolumn{3}{c||}
2710: {Alice and Bob agree upon a large prime~$p$, which is public} \\ \hline
2711: {\bf 2} & \parbox[t]{4cm}
2712: {computes $x = m^a \mod p$, \\
2713: where $m$ is the message} & & \\ \hline
2714: {\bf 3} & &
2715: \mbox{\huge $\stackrel{\mbox{\normalsize $x$}}{\Rightarrow}$} & \\ \hline
2716: {\bf 4} &
2717: & & \parbox[t]{4cm}
2718: {computes $y = x^b \mod p$} \\ \hline
2719: {\bf 5} & &
2720: \mbox{\huge $\stackrel{\mbox{\normalsize $y$}}{\Leftarrow}$} & \\ \hline
2721: {\bf 6} & \parbox[t]{4cm}
2722: {computes $z = y^{a^{-1}} \mod p$} & & \\ \hline
2723: {\bf 7} & &
2724: \mbox{\huge $\stackrel{\mbox{\normalsize $z$}}{\Rightarrow}$} & \\ \hline
2725: {\bf 8} &
2726: & & \parbox[t]{4cm}
2727: {computes $m = z^{b^{-1}} \mod p$} \\ \hline\hline
2728: \end{tabular}
2729: \caption{Shamir's no-key protocol.
2730: \label{fig:shamir-no-keys}
2731: }
2732: \end{figure}
2733:
2734: Adi Shamir proposed a
2735: %
2736: cryptosystem by which Alice and Bob can
2737: exchange messages that are encrypted by Alice's and Bob's individual secret
2738: keys, yet in which there is no need for Alice and Bob to previously agree on a
2739: {\em joint\/} secret key. This clever idea is described in an unpublished
2740: paper of Shamir, and it is again based on the modular exponentiation function
2741: and the difficulty of efficiently computing discrete logarithms that was
2742: useful for the Diffie--Hellman secret-key agreement protocol described in
2743: Section~\ref{sec:diffie-hellman}.
The Shamir protocol is often called Massey--Omura in the literature.
2745: Both inventors were preceded by Malcolm Williamson from GCHQ who developed the
2746: same protocol in the nonpublic sector around 1974.
2747:
2748: Figure~\ref{fig:shamir-no-keys} shows how Shamir's no-key protocol works. In
2749: this protocol, let
2750: $m$ be the message that Alice wants to send to Bob. First, Alice and Bob
2751: agree on a large prime~$p$. Alice generates a pair $(a,a^{-1})$ satisfying
2752: \[
2753: a a^{-1} \equiv 1 \mod p-1,
2754: \]
where $a^{-1}$ is the inverse of $a$ modulo $p-1$; for this inverse to
exist, $a$ must be chosen coprime with $p-1$, i.e., $a \in
\integers_{p-1}^{\ast}$. Recall from
Section~\ref{sec:rsa} that, given a prime $p$ and an integer $a$ with
$\mbox{gcd}(a, p-1) = 1$, the inverse $a^{-1}$ of $a$ modulo $p-1$ can easily
be computed. Alice keeps both $a$ and $a^{-1}$ secret. Similarly, Bob
generates a pair $(b,b^{-1})$ satisfying
2759: \[
2760: b b^{-1} \equiv 1 \mod p-1,
2761: \]
2762: where $b^{-1}$ is the inverse of $b$ modulo $p-1$. See
2763: Figure~\ref{fig:shamir-no-keys} for the rest of the steps.
2764:
The protocol is correct, since, by Fermat's Little Theorem (see
Theorem~\ref{thm:fermat}) and $a a^{-1} \equiv b b^{-1} \equiv 1 \mod p-1$,
for all messages $m$, $1 \leq m \leq p-1$, it holds that:
2767: \begin{eqnarray*}
2768: m \equiv m^{a a^{-1}} \mod p & \mbox{ and } & m \equiv m^{b b^{-1}} \mod p .
2769: \end{eqnarray*}
2770: Hence, looking at Figure~\ref{fig:shamir-no-keys}, we obtain
2771: \[
2772: z^{b^{-1}} \equiv y^{a^{-1} b^{-1}} \equiv x^{b a^{-1} b^{-1}} \equiv
2773: m^{a b a^{-1} b^{-1}} \equiv m \mod p ,
2774: \]
2775: so Step~8 of Figure~\ref{fig:shamir-no-keys} is correct.
2776:
2777: Note that modular exponentiation is used here
2778: %
2779: both for encryption and decryption.
2780: %
The key property for this protocol to work is that modular
exponentiation is symmetric in the exponents, i.e., for all $a$ and $b$, it
holds that
\[
\alpha_{(g, p)}(a \cdot b) \equiv g^{a \cdot b} \equiv g^{b \cdot a}
\mod p .
\]
Note that this protocol, like the Diffie--Hellman protocol, provides no
authentication of the parties: the same exponent symmetry lets Erich mount
the Man-in-the-middle attack of Section~\ref{sec:diffie-hellman}. If Erich
intercepts $x = m^a \mod p$ and answers Alice himself with $y_E = x^{e} \mod
p$ for an exponent $e$ of his own (coprime with $p-1$), Alice will reply with
$z_E = y_E^{a^{-1}} \equiv m^{e} \mod p$, from which Erich obtains $m =
z_E^{e^{-1}} \mod p$---and he can then run the protocol with Bob in Alice's
name. Also, $a$ and $a^{-1}$, and likewise $b$ and~$b^{-1}$, must remain
secret; the values $x$, $y$, and $z$ exchanged over the channel are, as
noted above, protected only by the difficulty of computing discrete
logarithms.
2788:
2789: \subsection{Rivest, Rabi, and Sherman's Secret-Key Agreement and
2790: Digital Signature Protocols}
2791: \label{sec:riv-rab-she}
2792:
2793: Ron Rivest, Muhammad Rabi, and Alan Sherman developed secret-key agreement and
2794: digital signature protocols. The secret-key agreement protocol from
2795: Figure~\ref{fig:rivest-sherman-secret-key} is attributed to Rivest and Sherman
2796: in~\cite{rab-she:t-no-URL:aowf,rab-she:j:aowf}. The digital signature
2797: protocol from Figure~\ref{fig:rabi-sherman-digital-signature} is due to Rabi
2798: and Sherman~\cite{rab-she:t-no-URL:aowf,rab-she:j:aowf}.
2799:
2800: Here is a brief, intuitive explanation of how these protocols work. The key
2801: building block of both protocols is a {\em total, strongly noninvertible,
2802: associative one-way function}. As mentioned earlier, one-way functions are
2803: theoretical constructs not known to exist. However, there are plausible
2804: assumptions under which one-way functions of various types can be constructed.
2805: In Section~\ref{sec:aowf}, under a quite plausible complexity-theoretic
2806: assumption, we will see how to construct a concrete candidate for a total,
2807: strongly noninvertible, associative one-way function. For now, assume that
2808: $\sigma$ {\em is\/} such a function. That is, $\sigma$ is a total two-ary
2809: (i.e., two-argument) function mapping pairs of positive integers to positive
2810: integers such that:
2811: \begin{itemize}
2812: \item $\sigma$ is {\em associative}, i.e., the equation $\sigma(x,\sigma(y,z))
2813: = \sigma(\sigma(x,y),z)$ holds for all $x, y, z \in \nats$.
2814:
2815: \item $\sigma$ is {\em strongly noninvertible}, i.e., $\sigma$ is hard to
2816: invert even if in addition to the function value one of the arguments is
2817: given.
2818: \end{itemize}
2819:
2820: Look at Rivest and Sherman's secret-key agreement protocol in
2821: Figure~\ref{fig:rivest-sherman-secret-key}. Since $\sigma$ is associative,
2822: we have:
2823: \[
2824: k_A = \sigma(x,\sigma(y,z)) = \sigma(\sigma(x,y),z) = k_B ,
2825: \]
2826: and thus the keys computed by Alice and Bob indeed are the same. On the other
2827: hand, if Erich was listening carefully, he knows not only two function values,
2828: $\sigma(x,y)$ and $\sigma(y,z)$, but he also knows~$y$, the first argument of
2829: $\sigma(y,z)$ and the second argument of $\sigma(x,y)$. That is why $\sigma$
2830: must be strongly noninvertible, in order to prevent the direct attack that
2831: Erich computes Alice's secret number $x$ from $\sigma(x,y)$ and $y$ or Bob's
2832: secret number $z$ from $\sigma(y,z)$ and~$y$, in which case he could easily
obtain their joint secret key, $k_A = k_B$. Note that this rules out only
the direct attack; as with the Diffie--Hellman problem, computing $k_A$ from
$y$, $\sigma(x,y)$, and $\sigma(y,z)$ without recovering $x$ or $z$ is a
separate problem, whose hardness is an additional assumption. Analogous
comments apply to Rabi and Sherman's digital signature protocol presented in
Figure~\ref{fig:rabi-sherman-digital-signature}: there, Erich sees $y_A$,
$\sigma(x_A, y_A)$, $m$, and $\mbox{sig}_A(m) = \sigma(m, x_A)$, and strong
noninvertibility is what keeps him from recovering $x_A$. Observe, however,
that associativity alone makes signatures malleable in the same way as
unpadded RSA signatures: for any $m'$, Erich can compute $\sigma(m',
\mbox{sig}_A(m)) = \sigma(\sigma(m', m), x_A) = \mbox{sig}_A(\sigma(m', m))$,
a valid signature on the (possibly meaningless) message $\sigma(m', m)$,
without knowing~$x_A$.
2836:
2837:
2838: \begin{figure}[!htp]
2839: \centering
2840: \begin{tabular}{||c||c|c|c||}
2841: \hline\hline
2842: \parbox[t]{.5cm}{\bf Step} &
2843: \psfig{file=alice.ps,height=2cm} &
2844: \psfig{file=mielke.ps,height=2cm} &
2845: %
2846: %
2847: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
2848: {\bf 1} & \parbox[t]{4cm}
2849: {chooses two large numbers $x$ and $y$ at random, keeps $x$ secret, and
2850: computes $\sigma(x,y)$} & & \\ \hline
2851: {\bf 2} & &
2852: \mbox{\huge
2853: $\stackrel{\mbox{\normalsize $y$, $\sigma(x,y)$}}{\Rightarrow}$} & \\ \hline
2854: {\bf 3} &
2855: & & \parbox[t]{4cm}
2856: {chooses a large number $z$ at random, keeps $z$ secret and computes
2857: $\sigma(y,z)$}
2858: \\ \hline
2859: {\bf 4} & &
2860: \mbox{\huge
2861: $\stackrel{\mbox{\normalsize $\sigma(y,z)$}}{\Leftarrow}$}
2862: & \\ \hline
2863: {\bf 5} & \parbox[t]{4cm}
2864: {computes her key
2865: \[
2866: k_A = \sigma(x,\sigma(y,z))
2867: \]
2868: } & & \parbox[t]{4cm}
2869: {computes his key
2870: \[
2871: k_B = \sigma(\sigma(x,y),z)
2872: \]
2873: } \\ \hline\hline
2874: \end{tabular}
2875: \caption{The Rivest--Sherman secret-key agreement protocol, which uses
2876: a strongly noninvertible, associative one-way function~$\sigma$.
2877: \label{fig:rivest-sherman-secret-key}
2878: }
2879: \end{figure}
2880:
2881: \begin{figure}[!htp]
2882: \centering
2883: \begin{tabular}{||c||c|c|c||}
2884: \hline\hline
2885: \parbox[t]{.5cm}{\bf Step} &
2886: \psfig{file=alice.ps,height=2cm} &
2887: \psfig{file=mielke.ps,height=2cm} &
2888: %
2889: %
2890: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
2891: {\bf 1} & \parbox[t]{4cm}
2892: {chooses two large numbers $x_A$ and $y_A$ at random, keeps $x_A$ secret, and
2893: computes $\sigma(x_A, y_A)$} & & \\ \hline
2894: {\bf 2} & &
2895: \mbox{\huge
2896: $\stackrel{\mbox{\normalsize
2897: $y_A$, $\sigma(x_A, y_A)$}}{\Rightarrow}$} & \\ \hline
2898: {\bf 3} &
2899: \parbox[t]{4cm}
2900: {computes her signature
2901: \[
2902: \mbox{sig}_A (m) = \sigma(m, x_A)
2903: \]
2904: for the message $m$}
2905: & & \\ \hline
2906: {\bf 4} & &
2907: \mbox{\huge
2908: $\stackrel{\mbox{\normalsize
2909: $m$, $\mbox{sig}_A (m)$}}{\Rightarrow}$} & \\ \hline
2910: {\bf 5} & & & \parbox[t]{4cm}
2911: {verifies Alice's signature by checking whether
2912: $\sigma(m, \sigma(x_A, y_A))$ equals $\sigma(\sigma(m, x_A), y_A)$
2913: } \\ \hline\hline
2914: \end{tabular}
2915: \caption{The Rabi--Sherman digital signature protocol, which uses a strongly
2916: noninvertible, associative one-way function~$\sigma$.
2917: \label{fig:rabi-sherman-digital-signature}
2918: }
2919: \end{figure}
2920:
2921:
2922: \subsection{Discussion of Diffie--Hellman versus Rivest--Sherman}
2923: \label{sec:discussion}
2924:
2925: While the secret-key agreement protocol of Diffie and
2926: Hellman~\cite{dif-hel:j:diffie-hellman} is widely used in practice, that of
2927: Rivest and Sherman (see~\cite{rab-she:t-no-URL:aowf,rab-she:j:aowf}) is not
2928: (yet) used in applications and, thus, might appear somewhat exotic at first
2929: glance. Note, however, that neither the Diffie--Hellman nor the Rivest--Sherman
2930: protocol has a proof of security to date. So, let us digress for a moment
2931: to compare the state of the art on these two protocols.
2932:
2933: \begin{itemize}
2934: \item While the Diffie--Hellman protocol uses a concrete function, the
2935: Rivest--Sherman protocol is based on an unspecified, ``abstract'' function
2936: that is described only by listing the properties it should satisfy. That is
2937: not to say that Rivest--Sherman is an abstract version of Diffie--Hellman.
2938: Rather, the Rivest--Sherman protocol may be seen as an alternative to the
2939: Diffie--Hellman protocol. The advantage of Rivest and Sherman's approach is
2940: that it is more flexible, as it does not depend on a single function.
2941:
2942: \item The security of the Diffie--Hellman scheme is based on the (unproven, yet
2943: plausible) assumption that computing discrete logarithms is a
2944: computationally intractable task.
2945:
2946: In contrast, the Rivest--Sherman scheme uses a candidate for a strongly
2947: noninvertible, associative one-way function (see
2948: Section~\ref{sec:definitions} for the formal definition) as its key building
2949: block. Although it is not known whether such functions exist, it has been
2950: shown recently by Hemaspaandra and this author~\cite{hem-rot:j:aowf} that
2951: they do exist in the worst-case model under the (unproven, yet plausible)
2952: assumption that $\p \neq \np$, where P denotes the class of polynomial-time
2953: solvable problems, and NP denotes the class of problems that can be solved
2954: nondeterministically in polynomial time. Section~\ref{sec:aowf} presents
2955: this result and a sketch of its proof.
2956:
2957: \item Breaking Diffie--Hellman is not even known to be as hard as computing
2958: discrete logarithms, even though some nice progress in this direction has
2959: been made recently by Maurer and
2960: Wolf~\cite{mau-wol:j:breaking-diffie-hellman-and-discrete-log}, who
2961: established conditions for relating the hardness of breaking Diffie--Hellman
2962: to that of computing discrete logarithms. Again, their results rest on
2963: unproven, yet plausible assumptions. In particular, let $\nu(p)$ denote the
2964: minimum, taken over all numbers $d$ in the interval $[p - 2 \sqrt{p} + 1 ,\,
2965: p + 2 \sqrt{p} + 1]$, of the largest prime factors of~$d$. The
2966: ``smoothness assumption'' says that $\nu(p)$ is polynomial in $\log p$.
2967: Why is this assumption plausible? The idea is that numbers in the
2968: Hasse-Weil interval (which are sizes of elliptic curves) are smooth with the
2969: same probability as random numbers of the same length, and these
2970: probabilities are independent. Under this smoothness assumption, Maurer and
2971: Wolf~\cite{mau-wol:j:breaking-diffie-hellman-and-discrete-log} proved that
2972: breaking Diffie--Hellman and computing the discrete logarithm are
2973: polynomial-time equivalent tasks in the underlying cyclic group, where
2974: the equivalence is nonuniform.
2975:
2976:
2977: Similarly, even if strongly noninvertible, associative one-way functions
2978: were known to exist, one could not conclude that the Rivest--Sherman protocol
2979: is secure; rather, strong noninvertibility merely precludes certain types of
2980: direct attacks~\cite{rab-she:j:aowf,hem-rot:j:aowf}. Moreover, strongly
2981: noninvertible, associative one-way functions could be constructed so far
2982: only in the {\em worst-case\/} complexity model, assuming $\p \neq \np$.
2983: Although this result is relevant and interesting in a complexity-theoretic
2984: setting, it has no direct implications in applied cryptography.
2985: For cryptographic
2986: applications, one would need to construct such functions based on the {\em
2987: average-case\/} complexity model, under plausible assumptions.
2988: \end{itemize}
2989:
2990:
2991: As noted in the outline of the tutorial, there is some hope for obtaining such
2992: a strong result by combining Hemaspaandra and Rothe's~\cite{hem-rot:j:aowf}
2993: technique on constructing strongly noninvertible, associative one-way functions
2994: in the worst case with Ajtai's~\cite{ajt:c:hard-instances-in-lattices}
2995: techniques on constructing hard instances of lattice problems.
2996: The shortest lattice vector problem, denoted by~SVP, is the problem of
2997: finding a shortest lattice vector in the lattice generated by a given
2998: lattice basis. Roughly speaking,
2999: Ajtai~\cite{ajt:c:hard-instances-in-lattices} proved that the problem SVP is
3000: as hard in the average-case as it is in the worst-case complexity model.
3001:
3002: More precisely, Ajtai constructed an infinite family $\{\Lambda_n\}_{n \geq
3003: 1}$ of lattices, where each $\Lambda_n$ is represented by a basis as an
3004: instance of SVP, and he showed the following result: Suppose one can compute
3005: in polynomial time, for each~$n$, an approximately shortest vector in a
3006: lattice $\Lambda_i$ {\em randomly\/} chosen from $\{\Lambda_n\}_{n \geq 1}$,
3007: with non-negligible probability. Then, the length of a shortest vector in
3008: {\em every\/} lattice from $\{\Lambda_n\}_{n \geq 1}$ can be estimated to
3009: within a fixed polynomial factor in polynomial time with probability close to
3010: one. However, since the best approximation factor known to be achieved by
3011: polynomial-time algorithms is essentially exponential, and since the best
3012: algorithms known to achieve polynomial-factor approximations run in
3013: exponential time, it follows that, as mentioned above, ``SVP is as hard in the
3014: average-case as it is in the worst-case model.''~~In this regard, the SVP is a
3015: unique problem; for no other problem in NP that is believed to be outside P
3016: is such a strong connection known to hold.
3017:
3018: Based on the worst-case/average-case equivalence of SVP, Ajtai and
3019: Dwork~\cite{ajt-dwo:c:public-key-system-worst-average-equivalence} designed a
3020: public-key cryptosystem whose cryptographic security depends only on
3021: worst-case complexity assumptions. However, the worst-case hardness of SVP
3022: (in the Euclidean norm) had remained an open problem for a long time. Solving
3023: this problem, Ajtai~\cite{ajt:c:worst-case-hardness-of-svp} established the
3024: NP-hardness of SVP under randomized reductions. His result was strengthened
3025: by Micciancio~\cite{mic:j:svp-is-np-hard-to-approximate}, who also simplified
3026: Ajtai's proof. Since the construction of strongly noninvertible, associative
3027: one-way functions in~\cite{hem-rot:j:aowf} is based on the assumption $\p \neq
3028: \np$, it seems reasonable to consider the NP-hard problem SVP to be a good
3029: candidate for achieving strongly noninvertible, associative one-way functions
3030: even in the technically more demanding average-case model.
3031:
3032: The complexity of~SVP and the use of lattices in cryptography are covered in
3033: the surveys by Cai~\cite{cai:c:lattice-problems-survey}, Kumar and
3034: Sivakumar~\cite{kum-siv:j:svp-survey}, and Nguyen and
3035: Stern~\cite{ngu-ste:c:two-faces-of-lattices}. Interestingly, lattices are
3036: useful both in breaking existing cryptosystems like RSA (e.g., the
3037: low-exponent attacks of H{\aa}stad~\cite{has:j:solving-low-degree-equations}
3038: and Coppersmith~\cite{cop:j:low-exponent-rsa-attacks}; see
3039: Section~\ref{sec:security-rsa}) and in designing secure cryptosystems (e.g.,
3040: the Ajtai--Dwork public-key cryptosystem).
3041:
3042: %
3043: %
3044: %
3045:
3046: \section{Interactive Proof Systems and Zero-Knowledge Protocols}
3047: \label{sec:zero-knowledge}
3048:
3049: In Section~\ref{sec:diffie-hellman}, we mentioned the Man-in-the-middle
3050: attack on the Diffie--Hellman secret-key agreement protocol. Imagine that Bob
3051: has just agreed with his partner on a joint secret key via a public telephone
3052: line. Of course, he assumes it was Alice he was talking to. Bob was clever
3053: enough to use the Diffie--Hellman protocol, and so he thinks that Erich does
3054: not have a clue about what secret key they have chosen:
3055: \[
3056: \begin{array}{ccc}
3057: & \mbox{\bf ???} & \\
3058: & \psfig{file=mielke.ps,height=2cm} & \\
3059: & \mbox{{\bf\large Erich}} & \\[.2cm]
3060: \psfig{file=alice.ps,height=2cm} &
3061: \psfig{file=channel.eps,width=2cm} &
3062: \psfig{file=bob.ps,height=2cm}
3063: \end{array}
3064: \]
3065:
3066: But Erich was even smarter. Here is what really happened:
3067: \[
3068: \begin{array}{ccc}
3069: \psfig{file=mielke.ps,height=2cm} \ \
3070: \mbox{{\bf\large Erich}} &
3071: \psfig{file=channel-no-blitz.eps,width=2cm} &
3072: \psfig{file=bob.ps,height=2cm}
3073: \end{array}
3074: \]
3075:
3076: This situation raises the issue of {\em authentication\/}: How can Bob be
3077: certain that it in fact was Alice he was communicating with, and not Erich
3078: pretending to be Alice? In other words, how can Alice prove her identity to
3079: Bob beyond any doubt?
3080:
3081: In Section~\ref{sec:protocols}, we have seen how to use digital signatures for
3082: the authentication of documents such as email messages. In this section, our
3083: goal is to achieve authentication of an {\em individual\/} rather than a
3084: document. One way to achieve this goal is to assign to Alice's identity some
3085: secret information such as her PIN (``{\em P\/}ersonal {\em I\/}dentification
3086: {\em N\/}umber'') or any other private information that nobody else knows. We
3087: refer to the information proving Alice's identity as Alice's {\em secret}.
3088:
3089: But here's another catch. Alice would like to convince Bob of her identity by
3090: proving that she knows her secret. Ideally, however, she should not disclose
3091: her secret because then it wouldn't be a secret anymore: If Bob, for example,
3092: knew Alice's secret, he could pretend to be Alice when communicating with
3093: somebody else. So the question is:
3094: \begin{quote}
3095: {\em How can one prove the knowledge of a secret without telling the
3096: secret?\/}
3097: \end{quote}
3098: That is precisely what zero-knowledge protocols are all about.
3099:
3100:
3101: \subsection{Interactive Proof Systems}
3102:
3103: Zero-knowledge protocols are a special form of interactive proof systems,
3104: which we will describe first. Interactive proof systems were introduced by
3105: Shafi Goldwasser, Silvio Micali, and Charles
3106: Rackoff~\cite{gol-mic-rac:c:interactive-proof-systems,gol-mic-rac:j:interactive-proof-systems}.
3107: Independently, Babai and
3108: Moran~\cite{bab-mor:j:arthur-merlin,bab:c:trading} developed the essentially
3109: equivalent notion of Arthur-Merlin games.
3110:
3111: As in the previous protocols, we consider the communication between two
3112: parties, the ``prover'' Alice and the ``verifier'' Bob:
3113: \[
3114: \begin{array}{ccc}
3115: \mbox{\bf Prover} & & \mbox{\bf Verifier} \\
3116: \psfig{file=alice.ps,height=2cm} &
3117: \psfig{file=channel-no-blitz.eps,width=2cm} &
3118: \psfig{file=bob.ps,height=2cm}
3119: \end{array}
3120: \]
3121: For now, we are not interested in the security aspects that may arise when the
3122: communication is eavesdropped; rather, we are concerned with the following
3123: communication problem: Alice and Bob want to jointly solve a given
3124: problem~$L$, i.e., they want to decide whether or not any given instance
3125: belongs to~$L$. For concreteness, consider the graph isomorphism problem.
3126:
3127: \begin{definition}
3128: The vertex set of any graph $G$ is denoted by~$V(G)$, and the edge set of
3129: $G$ is denoted by~$E(G)$. Let $G$ and $H$ be undirected, simple graphs,
3130: i.e., graphs with no reflexive or multiple edges.
3131:
3132: An {\em isomorphism\/} between $G$ and $H$ is a bijective mapping $\pi$
3133: from $V(G)$ onto $V(H)$ such that, for all $i,j \in V(G)$,
3134: \[
3135: \{i,j\} \in E(G) \,\Longleftrightarrow\, \{\pi(i),\pi(j)\} \in E(H).
3136: \]
3137: %
3138: $\graphiso$ denotes the set of all pairs of isomorphic graphs.
3139: \end{definition}
3140:
3141: The graph isomorphism problem is to determine whether or not any two given
3142: graphs are isomorphic. This problem belongs to NP, and since there is no
3143: efficient algorithm known for solving it, it is widely considered to be a
3144: hard, intractable problem. However, it is not known to be complete
3145: for~NP, i.e., it is not known whether this problem belongs to the hardest NP
3146: problems. In fact, due to its ``lowness'' properties, it is doubted that the
3147: graph isomorphism problem is NP-complete. A set $A$ is low for a complexity
3148: class~$\mathcal{C}$ if it does not yield any additional computational power
3149: when used as an oracle by the machines representing the class~$\mathcal{C}$,
3150: i.e., if $\mathcal{C}^{A} = \mathcal{C}$. Sch\"{o}ning~\cite{sch:j:gi} showed
3151: that $\graphiso$ is in the second level of the low hierarchy within~NP, i.e.,
3152: it is low for $\np^{\scriptnp}$, the second level of the polynomial hierarchy.
3153: It follows that if $\graphiso$ were NP-complete then the polynomial hierarchy
3154: would collapse, which is considered unlikely. Moreover, K\"{o}bler et
3155: al.~\cite{koe-sch-tor:j:pplow} proved $\graphiso$ low for~PP, probabilistic
3156: polynomial time.
3157:
3158: Therefore, it is conjectured that the graph isomorphism problem might be
3159: neither in P nor NP-complete, and this is what makes this problem so
3160: interesting for complexity theoreticians. Of course, proving this conjecture
3161: would immediately prove P different from NP; so, such a proof seems beyond
3162: current techniques. For more complexity-theoretic background on the graph
3163: isomorphism problem, we refer to the book by K\"{o}bler, Sch\"{o}ning, and
3164: Tor\'{a}n~\cite{koe-sch-tor:b:graph-iso}.
3165:
3166: We mention in passing that (language versions of) the factoring problem and
3167: the discrete logarithm problem are not known to be NP-complete either. Unlike
3168: the graph isomorphism problem, however, no lowness properties are known for
3169: these two problems. Grollmann and Selman~\cite{gro-sel:j:complexity-measures}
3170: have shown that a language version of the discrete logarithm problem is
3171: contained in~UP, which denotes Valiant's class ``unambiguous polynomial
3172: time''~\cite{val:j:checking}. NP-complete problems are very unlikely to
3173: belong to UP, so this result gives some evidence against the NP-completeness
3174: of the discrete logarithm problem.
3175:
3176: Returning to Alice and Bob's communication problem, their task is to decide
3177: whether or not any given pair $(G, H)$ of graphs is isomorphic. Alice, the
3178: prover, tries to {\em prove\/} them isomorphic by providing Bob with an
3179: isomorphism $\pi$ between $G$ and~$H$. She intends to convince Bob {\em no
3180: matter whether or not $G$ and $H$ in fact are isomorphic}. But Bob is
3181: impatient. To accept the input, he wants to be convinced with overwhelming
3182: probability that the proof provided by Alice indeed is correct. Even worse,
3183: he is convinced only if {\em every potential prover strategy\/} Alice might
3184: come up with yields an overwhelming success probability. If Alice can
3185: accomplish this then Bob accepts the input, otherwise he rejects it.
3186:
3187: To formalize this intuition, imagine Alice and Bob to be Turing machines.
3188: Alice, the prover, is an all-powerful Turing machine with no computational
3189: limitation whatsoever. Bob, the verifier, is a randomized Turing machine
3190: working in polynomial time, but capable of making random moves by flipping an
3191: unbiased coin. In Definition~\ref{def:interactive-proof-system} below, in
3192: case of acceptance, it is enough that Alice finds one sufficient strategy to
3193: convince Bob. In case of rejection, however, rather than considering every
3194: potential prover strategy of Alice, it is useful to quantify over all
3195: possible provers that may replace Alice.
3196:
3197: For the definition of randomized Turing machines, we refer to any textbook on
3198: complexity theory such
3199: as~\cite{bal-dia-gab:b:sctI:95,bov-cre:b:complexity,hem-ogi:b:companion,pap:b:complexity}.
3200: Essentially, every nondeterministic Turing machine can be viewed as a
3201: randomized Turing machine by defining a suitable probability measure on the
3202: computation trees of the machine.
3203:
3204: \begin{definition}[Interactive Proof System]
3205: {\rm{}\cite{gol-mic-rac:c:interactive-proof-systems,gol-mic-rac:j:interactive-proof-systems}}
3206: \label{def:interactive-proof-system}
3207: \begin{enumerate}
3208: \item An {\em interactive proof system\/} (or ``{\em IP protocol\/}'') $(A,B)$
3209: is a protocol between Alice, the prover, and Bob, the verifier. Alice runs
3210: a Turing machine $A$ with no limit on its resources, while Bob runs a
3211: polynomial-time randomized Turing machine~$B$. Both access the same input
3212: on a joint input tape, and they are equipped with private work tapes for
3213: internal computations. They also share a read-write communication tape to
3214: exchange messages. Alice does not see Bob's random choices. Let $\mbox{\rm
3215: Pr}((A, B)(x) = 1)$ denote the probability (according to the random
3216: choices made in the communication) that Bob accepts the input~$x$; i.e., for
3217: a particular sequence of random bits, ``$(A, B)(x) = 1$'' denotes the event
3218: that Bob is convinced by Alice's proof for $x$ and accepts.
3219:
3220: \item An {\em interactive proof system $(A, B)$ accepts a set $L$\/} if and
3221: only if for each~$x$:
3222: \begin{eqnarray}
3223: x \in L & \Lora & (\exists A)\,
3224: [\mbox{\rm Pr}((A, B)(x) = 1) \geq \frac{3}{4}];
3225: \label{eq:ip-acceptance}
3226: \\
3227: x \not\in L & \Lora & (\forall \widehat{A})\,
3228: [\mbox{\rm Pr}((\widehat{A}, B)(x) = 1) \leq \frac{1}{4}],
3229: \label{eq:ip-rejection}
3230: \end{eqnarray}
3231: where in {\rm{}(\ref{eq:ip-acceptance})} we quantify over the prover
3232: strategies (or ``proofs'') for $x$ of the prescribed Turing machine~$A$,
3233: whereas in {\rm{}(\ref{eq:ip-rejection})} we quantify over the proofs
3234: $\widehat{A}$ for $x$ of any prover (i.e., any Turing machine of unlimited
3235: computational power) that may replace the fixed Turing machine~$A$.
3236:
3237: \item $\ip$ denotes the class of all sets that can be accepted by an
3238: interactive proof system.
3239: \end{enumerate}
3240: \end{definition}
3241:
3242: Note that the acceptance probabilities of at least $\frac{3}{4}$ if $x \in L$
3243: (respectively, of at most $\frac{1}{4}$ if $x \not\in L$) are chosen at will.
3244: By probability amplification
3245: techniques~\cite{pap:b:complexity,bal-dia-gab:b:sctI:95,bov-cre:b:complexity},
3246: one can use any constants
3247: $\frac{1}{2} + \epsilon$ and $\frac{1}{2} - \epsilon$, respectively, where
3248: $\epsilon > 0$. It is even possible to make the error probability as small as
3249: $2^{-p(|x|)}$, for any fixed polynomial~$p$. Better yet, Goldreich, Mansour,
3250: and Sipser~\cite{gol-man-sip:c:provers-that-never-fail} have shown that one
3251: can even require the acceptance probability of exactly~$1$ if $x \in L$,
3252: without changing the class~$\ip$.
3253:
3254: In the literature, verifier and prover are sometimes referred to as {\em
3255: Arthur\/} and {\em Merlin}. In fact, the Arthur-Merlin games introduced by
3256: Babai and Moran~\cite{bab-mor:j:arthur-merlin,bab:c:trading} are
3257: nothing else than the interactive proof systems of Goldwasser et
3258: al.~\cite{gol-mic-rac:c:interactive-proof-systems,gol-mic-rac:j:interactive-proof-systems}.
3259: One difference between Definition~\ref{def:interactive-proof-system} and the
3260: definition of Arthur-Merlin games is that the random bits chosen by Arthur are
3261: public (i.e., they are known to Merlin), while they are private to Bob in
3262: Definition~\ref{def:interactive-proof-system}. However, Goldwasser and
3263: Sipser~\cite{gol-sip:j:private} have shown that the privacy of the verifier's
3264: random bits does not matter: Arthur-Merlin games are equivalent to interactive
3265: proof systems.
3266:
3267: What if Bob has run out of coins? That is, what if he behaves
3268: deterministically when verifying Alice's proof for ``$x \in L$''? Due to her
3269: unlimited computational power, Alice can provide proofs of unlimited length,
3270: i.e., of length not bounded by any function in the length of~$x$. However,
3271: since Bob is a polynomial-time Turing machine, it is clear that he can check
3272: only proofs of length polynomial in~$|x|$. It follows that IP, when
3273: restricted to deterministic polynomial-time verifiers, is just a cumbersome
3274: way of defining the class~$\np$. Hence, since $\graphiso$ belongs to~NP, it
3275: must also belong to the (unrestricted) class~$\ip$. We omit presenting an
3276: explicit IP protocol for $\graphiso$ here, but we refer to
3277: Section~\ref{sec:graphiso}, where in
3278: Figure~\ref{fig:goldreich-micali-wigderson} an IP protocol for $\graphiso$
3279: with an additional property is given: it is a zero-knowledge protocol.
3280:
3281: But what about the complement of $\graphiso$? Does there exist an interactive
3282: proof system that decides whether or not two given graphs are {\em
3283: non\/}-isomorphic? Note that even though Alice is all-powerful
3284: computationally, she may run into difficulties when she is trying to prove
3285: that the graphs are non-isomorphic. Consider, for example, two non-isomorphic
3286: graphs with 1000 vertices each. A proof of that fact seems to require Alice
3287: to show that none of the $1000!$ possible permutations is an isomorphism
3288: between the graphs. Not only would it be impossible for Bob to check such a
3289: long proof in polynomial time; it would also be literally impossible for Alice
3290: to write this proof down. After all, $1000!$ is approximately $4 \cdot
3291: 10^{2567}$. This number exceeds the number of atoms in the entire visible
3292: universe,\footnote{Dark matter excluded.} which is
3293: currently estimated to be around $10^{77}$, by a truly astronomical factor.
3294:
3295: That is why the following result of Goldreich, Micali, and
3296: Wigderson~\cite{gol-mic-wid:c:nothing,gol-mic-wid:j:nothing} was a bit of a
3297: surprise.
3298:
3299: \begin{theorem}
3300: {\rm{}\cite{gol-mic-wid:c:nothing,gol-mic-wid:j:nothing}} \quad
3301: \label{thm:non-gi-proof-system}
3302: $\overline{\graphiso}$ is in~$\ip$.
3303: \end{theorem}
3304:
3305: \begin{proof}
3306: Figure~\ref{fig:goldreich-micali-wigderson-graphnoniso} shows the
3307: interactive proof system for the graph non-isomorphism problem.
3308:
3309: \begin{figure}[!htb]
3310: \centering
3311: \begin{tabular}{||c||c|c|c||}
3312: \hline\hline
3313: \parbox[t]{.5cm}{\bf Step} &
3314: \psfig{file=alice.ps,height=2cm} &
3315: \psfig{file=mielke.ps,height=2cm} &
3316: %
3317: %
3318: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
3319: & \multicolumn{3}{c||}
3320: {{\bf Input}: Two graphs $G_1$ and $G_2$} \\ \hline
3321: {\bf 1} & & & \parbox[t]{4cm}
3322: {randomly chooses a permutation $\pi$ on $V(G_1)$ and a bit
3323: $b \in \{1,2\}$, and computes $H = \pi(G_b)$} \\ \hline
3324: {\bf 2} & &
3325: \mbox{\huge
3326: $\stackrel{\mbox{\normalsize $H$}}{\Leftarrow}$} & \\ \hline
3327: {\bf 3} &
3328: \parbox[t]{4cm}
3329: {determines $a \in \{1,2\}$ such that $G_a$ and $H$ are isomorphic} & &
3330: \\ \hline
3331: {\bf 4} & &
3332: \mbox{\huge
3333: $\stackrel{\mbox{\normalsize $a$}}{\Rightarrow}$} & \\ \hline
3334: {\bf 5} & & & \parbox[t]{4cm}
3335: {accepts if and only if $a = b$} \\ \hline\hline
3336: \end{tabular}
3337: \caption{The Goldreich-Micali-Wigderson IP protocol
3338: for $\overline{\graphiso}$.
3339: \label{fig:goldreich-micali-wigderson-graphnoniso}
3340: }
3341: \end{figure}
3342:
3343: Let us check that the implications (\ref{eq:ip-acceptance}) and
3344: (\ref{eq:ip-rejection}) from Definition~\ref{def:interactive-proof-system} do
3345: hold. Suppose that $G_1$ and $G_2$ are non-isomorphic. Then, it is easy for
3346: Alice to determine the graph $G_b$, $b \in \{1,2\}$, to which $H$ is
3347: isomorphic. So she sends $a = b$, and Bob accepts with probability~$1$. That
3348: is,
3349: \begin{eqnarray*}
3350: (G_1, G_2) \in \overline{\graphiso} & \Lora &
3351: (\exists A)\, [\mbox{\rm Pr}((A, B)(G_1, G_2) = 1) = 1].
3352: \end{eqnarray*}
3353:
3354: Now suppose that $G_1$ and $G_2$ are isomorphic. Then, no matter what clever
3355: strategy Alice applies, her chance of answering correctly (i.e., with $a=b$)
3356: is no better than~$\frac{1}{2}$ because, $G_1$ and $G_2$ being isomorphic, the graph $H$ is distributed identically for $b=1$ and $b=2$; thus $H$ reveals nothing about Bob's random bit $b$,
3357: which she does not see, and so she can do no better than guessing. That is,
3358: \begin{eqnarray*}
3359: (G_1, G_2) \not\in \overline{\graphiso} & \Lora &
3360: (\forall \widehat{A})\, [\mbox{\rm Pr}((\widehat{A}, B)(G_1, G_2) = 1)
3361: \leq \frac{1}{2}].
3362: \end{eqnarray*}
3363: Note that the acceptance probability of $\leq \frac{1}{2}$ above is not yet
3364: the acceptance probability of $\leq \frac{1}{4}$ required in
3365: (\ref{eq:ip-rejection}) of Definition~\ref{def:interactive-proof-system}.
3366: However, as mentioned above, standard probability amplification
3367: techniques yield an error probability as close to zero as one desires. We
3368: leave the details to the reader.
3369: \end{proof}
3370:
3371: By definition, IP contains all of~$\np$. The above result shows that
3372: IP also contains a problem from coNP, the class of complements of NP problems,
3373: which is unlikely to be contained in~$\np$.
3374: So, the question arises of how big the
3375: class IP actually is. A famous result of Adi Shamir~\cite{sha:j:ip} settled
3376: this question: IP equals PSPACE, the class of problems that can be decided in
3377: polynomial space.
3378:
3379: \subsection{Zero-Knowledge Protocols}
3380: \label{sec:zero}
3381:
3382: Recalling the issue of authentication mentioned at the beginning of this
3383: section, we are now ready to define zero-knowledge protocols.
3384:
3385: As mentioned above, $\graphiso$ is in~$\ip$. To prove that the two given
3386: graphs are isomorphic, Alice simply sends an isomorphism $\pi$ to Bob, which
3387: he then checks deterministically in polynomial time. Suppose, however, that
3388: Alice wants to keep the isomorphism $\pi$ secret. On the one hand, she does
3389: not want to disclose her secret; on the other hand, she wants to prove to Bob
3390: that she knows it. What she needs is a very special IP protocol that conveys
3391: nothing about her secret isomorphism, and yet proves that the graphs are
3392: isomorphic. The next section will present such a zero-knowledge protocol for
3393: $\graphiso$.
3394:
3395: But what is a zero-knowledge protocol and how can one formalize it? The
3396: intuition is this. Imagine that Alice has a twin sister named Malice who
3397: looks just like her. However, Malice does not know Alice's secret. Moreover,
3398: Malice does not have Alice's unlimited computational power; rather, just as
3399: the verifier Bob, she only operates like a randomized polynomial-time Turing
3400: machine. Still, she tries to simulate Alice's communication with Bob. An IP
3401: protocol has the {\em zero-knowledge property\/} if the information
3402: communicated in Malice's simulated protocol cannot be distinguished from the
3403: information communicated in Alice's original protocol. Malice, not knowing
3404: the secret, cannot put any information about the secret into her simulated
3405: protocol, and yet she is able to generate that clone of the original protocol
3406: that looks just like the original to an independent observer. Consequently,
3407: the verifier Bob (or any other party such as Erich) cannot extract any
3408: information from the original protocol. In short, if there's nothing in
3409: there, you can't get anything out of it.
3410:
3411: \begin{definition}[Zero-Knowledge Protocols]
3412: {\rm{}\cite{gol-mic-rac:c:interactive-proof-systems,gol-mic-rac:j:interactive-proof-systems}} \quad
3413: \label{def:zero-knowledge}
3414: Let $(A,B)$ be an interactive proof system accepting a problem~$L$. We say
3415: $(A,B)$ is a {\em zero-knowledge protocol for $L$\/} if and only if there
3416: exists a simulator Malice such that the following holds:
3417: \begin{itemize}
3418: \item Malice runs a randomized polynomial-time Turing machine $M$ to simulate
3419: the prover Alice in her communication with Bob, thus yielding a simulated
3420: protocol $(M,B)$;
3421: \item for each~$x \in L$, the tuples $(a_1, a_2, \ldots , a_k)$ and $(m_1,
3422: m_2, \ldots , m_k)$ representing the communication in $(A,B)$ and
3423: in~$(M,B)$, respectively, are identically distributed over the coin tosses
3424: of $A$ and $B$ in $(A,B)$ and of $M$ and $B$ in~$(M,B)$, respectively.
3425: \end{itemize}
3426: \end{definition}
3427:
3428: The above definition is called ``honest-verifier perfect zero-knowledge''
3429: in the literature. That is, (a)~one assumes that the verifier is {\em honest},
3430: and (b)~one requires that the information communicated in the simulated
3431: protocol {\em perfectly\/}
3432: coincides with the information communicated in the original protocol.
3433:
3434: Assumption~(a) is not quite realistic for most cryptographic applications.
3435: A dishonest verifier might alter the protocol to his own advantage.
3436: Therefore, one should modify the definition above to require that for {\em
3437: each\/} verifier $B^{\ast}$ there exists a simulator $M^{\ast}$ generating
3438: a simulated protocol not distinguishable from the original one.
3439: However, honest-verifier zero-knowledge protocols with public random bits can
3440: always be transformed to protocols that have the zero-knowledge property
3441: also in the presence of dishonest verifiers.
3442:
3443: Regarding assumption~(b), there are several other notions of zero-knowledge
3444: that are weaker than perfect zero-knowledge, such as ``statistical
3445: zero-knowledge'' and ``computational zero-knowledge.''~~In a {\em statistical
3446: zero-knowledge protocol\/} (also known as {\em almost-perfect zero-knowledge
3447: protocol\/}), one requires that the information communicated in the original
3448: and in the simulated protocol be indistinguishable by certain statistical
3449: tests. In a {\em computational zero-knowledge protocol}, one merely requires
3450: that the information communicated in the original and in the simulated
3451: protocol be computationally indistinguishable, i.e., for each randomized
3452: polynomial-time Turing machine, the probability of detecting differences in
3453: the corresponding distributions is negligibly small.
3454:
3455: In the latter model, Goldreich, Micali, and
3456: Wigderson~\cite{gol-mic-wid:c:nothing,gol-mic-wid:j:nothing} showed what is
3457: considered by far the most important result on zero-knowledge: Every problem
3458: in NP has a computational zero-knowledge protocol under the plausible
3459: assumption that there exist cryptographically secure bit-commitment schemes.
3460: The key idea is a computational zero-knowledge protocol for $\threecolor$, a
3461: well-known NP-complete problem. In contrast, it seems
3462: unlikely~\cite{bra-cre:c:sorting-out-zero-knowledge} that such a strong claim
3463: can be proven for the perfect zero-knowledge model presented in
3464: Definition~\ref{def:zero-knowledge}.
3465:
3466: For more information about interactive proof systems and zero-knowledge, we
3467: refer to the books by
Goldreich~\cite[Chapter~4]{gol:b:foundations}, K\"{o}bler
3469: et al.~\cite[Chapter~2]{koe-sch-tor:b:graph-iso},
3470: Papadimitriou~\cite[Chapter~12.2]{pap:b:complexity}, Balc\'{a}zar et
3471: al.~\cite[Chapter~11]{bal-dia-gab:b:sctII}, and Bovet et
3472: al.~\cite[Chapter~10]{bov-cre:b:complexity} and to the surveys by Oded
3473: Goldreich~\cite{gol:j:zero-knowledge-survey}, Shafi
3474: Goldwasser~\cite{gol:c:interactive-proof-systems}, and Joan
3475: Feigenbaum~\cite{fei:j:interactive-proof-systems}.
3476:
3477: \subsection{Zero-Knowledge Protocol for the Graph Isomorphism Problem}
3478: \label{sec:graphiso}
3479:
3480: Oded Goldreich, Silvio Micali, and Avi
3481: Wigderson~\cite{gol-mic-wid:c:nothing,gol-mic-wid:j:nothing} proposed a
3482: zero-knowledge protocol for the graph isomorphism problem. This result was
3483: quite a surprise, since previously zero-knowledge protocols were known only
for problems contained both in NP and coNP\@. It is considered to be
unlikely that NP equals coNP, and $\graphiso$ is not known to be in
coNP\@.
3487:
3488: \begin{theorem}
3489: {\rm{}\cite{gol-mic-wid:c:nothing,gol-mic-wid:j:nothing}} \quad
3490: \label{thm:gi-is-zero-knowledge}
3491: $\graphiso$ has a zero-knowledge protocol.
3492: \end{theorem}
3493:
3494: \begin{proof}
3495: Figure~\ref{fig:goldreich-micali-wigderson} shows the
3496: Goldreich-Micali-Wigderson protocol. One difference to the protocol for the
3497: graph non-isomorphism problem in
3498: Figure~\ref{fig:goldreich-micali-wigderson-graphnoniso} is that now Alice
3499: too makes random choices.
3500:
3501: Alice's secret is the isomorphism $\pi$ she has chosen. The protocol is
3502: correct, since Alice knows her secret $\pi$ and also her random
3503: permutation~$\rho$. Hence, she can easily compute the
3504: isomorphism $\sigma$ with $\sigma(G_b) = H$ to prove her identity to Bob.
3505: When doing so, she does not have to disclose her secret $\pi$ to Bob in
3506: order to convince him of her identity. In particular,
3507: \begin{eqnarray*}
3508: (G_1, G_2) \in \graphiso & \Lora &
3509: (\exists A)\, [\mbox{\rm Pr}((A, B)(G_1, G_2) = 1) = 1],
3510: \end{eqnarray*}
3511: so the implication~(\ref{eq:ip-acceptance}) from
3512: Definition~\ref{def:interactive-proof-system} holds. Since Alice herself has
3513: chosen two isomorphic graphs, the case $(G_1, G_2) \not\in \graphiso$ does not
3514: occur, so the implication~(\ref{eq:ip-rejection}) from
3515: Definition~\ref{def:interactive-proof-system} trivially holds if the protocol
3516: is implemented properly. Thus, the protocol is an interactive proof system
3517: for $\graphiso$.
3518:
3519: Recall that Alice wants to prove her identity via this protocol. Suppose that
3520: Erich or Malice want to cheat by pretending to be Alice. They do not know her
3521: secret isomorphism~$\pi$, but they do know the public isomorphic graphs $G_1$
3522: and~$G_2$. They want to convince Bob that they know Alice's secret, which
3523: corresponds to~$(G_1,G_2)$. If, by coincidence, Bob's bit $b$ equals their
previously chosen bit~$a$, they win. However, if $b \neq a$, computing
$\sigma = \rho \circ \pi$ or $\sigma = \rho \circ \pi^{-1}$ requires knowledge
of~$\pi$. Indeed, were they able to answer both possible challenges for the
same~$H$, say with $\sigma_1(G_1) = H$ and $\sigma_2(G_2) = H$, then
$\sigma_{2}^{-1} \circ \sigma_1$ would be an isomorphism between $G_1$
and~$G_2$, i.e., they would have recovered a secret equivalent to~$\pi$.
Without knowing~$\pi$, computing such an isomorphism from the public graphs
$G_1$ and $G_2$ is assumed to be infeasible for them, since $\graphiso$ is
believed to be a hard problem, too hard even for randomized polynomial-time
Turing machines. Thus, they will fail provided that the graphs are chosen
large enough and from a class of graphs on which no efficient isomorphism
test is known.
3530:
3531: \begin{figure}[!htb]
3532: \centering
3533: \begin{tabular}{||c||c|c|c||}
3534: \hline\hline
3535: \parbox[t]{.5cm}{\bf Step} &
3536: \psfig{file=alice.ps,height=2cm} &
3537: \psfig{file=mielke.ps,height=2cm} &
3538: %
3539: %
3540: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
3541: & \multicolumn{3}{c||}
3542: {{\bf Generation of isomorphic graphs and a secret isomorphism}} \\ \hline
3543: {\bf 1} & \parbox[t]{4cm}
3544: {chooses a large graph $G_1$, a random permutation $\pi$ on
3545: $G_1$'s vertices, and computes the graph $G_2 = \pi(G_1)$; \\
3546: $(G_1, G_2)$ are public, $\pi$ is private} & & \\ \hline
3547: & \multicolumn{3}{c||}
3548: {{\bf Protocol}} \\ \hline
3549: {\bf 2} &
3550: \parbox[t]{4cm}
3551: {randomly chooses a permutation $\rho$ on $V(G_1)$ and a bit
3552: $a \in \{1,2\}$, computes $H = \rho(G_a)$} & & \\ \hline
3553: {\bf 3} & &
3554: \mbox{\huge
3555: $\stackrel{\mbox{\normalsize $H$}}{\Rightarrow}$} & \\ \hline
3556: {\bf 4} & & &
3557: \parbox[t]{4cm}
3558: {chooses a bit $b \in \{1,2\}$ at random and wants to see an isomorphism
3559: between $G_b$ and $H$}
3560: \\ \hline
3561: {\bf 5} & &
3562: \mbox{\huge
3563: $\stackrel{\mbox{\normalsize $b$}}{\Leftarrow}$} & \\ \hline
3564: {\bf 6} & \parbox[t]{4cm}
3565: {computes the permutation
3566: \[
3567: \sigma = \left\{
3568: \begin{array}{ll}
3569: \rho & \mbox{if $b = a$} \\
3570: \rho \circ \pi & \mbox{if $1 = b \neq a = 2$} \\
3571: \rho \circ \pi^{-1} & \mbox{if $2 = b \neq a = 1$}
3572: \end{array}
3573: \right.
3574: \]
3575: satisfying $\sigma(G_b) = H$} & & \\ \hline
3576: {\bf 7} & &
3577: \mbox{\huge
3578: $\stackrel{\mbox{\normalsize $\sigma$}}{\Rightarrow}$} & \\ \hline
3579: {\bf 8} & & &
3580: \parbox[t]{4cm}
3581: {verifies that indeed
3582: \[
3583: \sigma(G_b) = H
3584: \]
3585: and accepts accordingly} \\ \hline\hline
3586: \end{tabular}
3587: \caption{The Goldreich-Micali-Wigderson zero-knowledge protocol
3588: for graph isomorphism.
3589: \label{fig:goldreich-micali-wigderson}
3590: }
3591: \end{figure}
3592:
3593: Since they cannot do better than guessing the bit~$b$, they can cheat with
3594: probability at most~$\frac{1}{2}$. Of course, they can always guess the
3595: bit~$b$, which implies that their chance of cheating successfully is
3596: exactly~$\frac{1}{2}$. Hence, if Bob demands, say, $k$ independent rounds
3597: of the protocol to be executed, he can make the cheating probability as small
as~$2^{-k}$, and thus is very likely to detect any cheater. Note that after
only 20 rounds the odds of malicious Malice getting away with it undetected are
less than one in a million. Hence, the protocol is correct.
3601:
3602: \begin{figure}[!htb]
3603: \centering
3604: \begin{tabular}{||c||c|c|c||}
3605: \hline\hline
3606: \parbox[t]{.5cm}{\bf Step} &
3607: \psfig{file=malice.ps,height=2cm} \hspace*{-1.2cm}
3608: \mbox{\bf\large Malice} &
3609: \psfig{file=mielke.ps,height=2cm} &
3610: %
3611: %
3612: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
3613: & \multicolumn{3}{c||}
3614: {{\bf Simulated generation of isomorphic graphs}} \\ \hline
3615: {\bf 1} & \parbox[t]{4cm}
3616: {knows the public pair $(G_1, G_2)$ of isomorphic graphs, does not know
3617: Alice's secret~$\pi$} & & \\ \hline
3618: & \multicolumn{3}{c||}
3619: {{\bf Simulated Protocol}} \\ \hline
3620: {\bf 2} &
3621: \parbox[t]{4cm}
3622: {randomly chooses a permutation $\rho$ on $V(G_1)$ and a bit
3623: $a \in \{1,2\}$, computes $H = \rho(G_a)$} & & \\ \hline
3624: {\bf 3} & &
3625: \mbox{\huge
3626: $\stackrel{\mbox{\normalsize $H$}}{\Rightarrow}$} & \\ \hline
3627: {\bf 4} & & &
3628: \parbox[t]{4cm}
3629: {chooses a bit $b \in \{1,2\}$ at random and wants to see an isomorphism
3630: between $G_b$ and $H$}
3631: \\ \hline
3632: {\bf 5} & &
3633: \mbox{\huge
3634: $\stackrel{\mbox{\normalsize $b$}}{\Leftarrow}$} & \\ \hline
3635: {\bf 6} &\parbox[t]{4cm}
3636: {if $b \neq a$ then $M$ deletes all messages transmitted in this round and
3637: repeats; \\
3638: if $b = a$ then $M$ sends $\sigma = \rho$} & & \\ \hline
3639: {\bf 7} & &
3640: \mbox{\huge
3641: $\stackrel{\mbox{\normalsize $\sigma$}}{\Rightarrow}$} & \\ \hline
3642: {\bf 8} & & &
3643: \parbox[t]{4cm}
3644: {$b = a$ implies that indeed
3645: \[
3646: \sigma(G_b) = H ,
3647: \]
3648: so Bob accepts ``Alice's'' identity} \\ \hline\hline
3649: \end{tabular}
3650: \caption{How to simulate the Goldreich-Micali-Wigderson protocol
3651: without knowing the secret~$\pi$.
3652: \label{fig:goldreich-micali-wigderson-simulator}
3653: }
3654: \end{figure}
3655:
3656: It remains to show that the protocol in
3657: Figure~\ref{fig:goldreich-micali-wigderson} is zero-knowledge.
3658: Figure~\ref{fig:goldreich-micali-wigderson-simulator} shows a simulated
3659: protocol with Malice, who does not know the secret~$\pi$, replacing Alice.
3660: The information communicated in one round of the protocol is given by a triple
3661: of the form $(H, b, \sigma)$. Whenever Malice chooses a bit $a$ with $a =
3662: b$, she simply sends $\sigma = \rho$ and wins: Bob, or any independent
3663: observer, will not detect that she in fact is Malice. Otherwise, whenever $a
\neq b$, Malice fails. However, that's no problem at all: She simply deletes
this round from the simulated protocol and repeats. Note that $H = \rho(G_a)$
is a uniformly distributed graph isomorphic to~$G_1$ regardless of the value
of~$a$, since $\rho$ is a random permutation and $G_1$ and $G_2$ are
isomorphic; hence Bob's bit~$b$ cannot depend on~$a$, each attempt succeeds
with probability~$\frac{1}{2}$ (so the simulation runs in expected
polynomial time), and discarding the failed attempts does not skew the
distribution of the rounds that are kept. Thus, she can produce a sequence
of triples of the form $(H, b, \sigma)$ that is distributed identically to
the corresponding sequence of triples in the original protocol between
Alice and Bob. It follows that the Goldreich-Micali-Wigderson protocol is
zero-knowledge.
3670: \end{proof}
3671:
3672:
3673: \subsection{Fiat and Shamir's Zero-Knowledge Protocol}
3674:
3675: Based on a similar protocol by Goldwasser, Micali and
3676: Rackoff~\cite{gol-mic-rac:j:interactive-proof-systems},
3677: Amos Fiat and Adi Shamir~\cite{fia-sha:c:fiat-shamir-zero-knowledge} proposed
3678: a zero-knowledge protocol for a number-theoretical problem. It is based on
the assumption that computing square roots in $\integers_{n}^{\ast}$ is
infeasible in practice as long as the factorization of~$n$ is unknown
(which is why the prime factors of $n$ are kept secret in
Figure~\ref{fig:fiat-shamir}). Due to its properties, the Fiat-Shamir protocol is
3681: particularly suitable for authentication of individuals in large computer
3682: networks. It is a public-key protocol, it is more efficient than other
3683: public-key protocols such as the RSA algorithm, it can be implemented on a
3684: chip card, and it is zero-knowledge. These advantages resulted in a rapid
3685: deployment of the protocol in practical applications. The Fiat-Shamir
3686: protocol is integrated in the ``Videocrypt'' Pay-TV
3687: system~\cite{coh-has:p:controlling-access-broadcast}.
3688: The original Fiat-Shamir identification scheme has later been improved
by Feige, Fiat and
3690: Shamir~\cite{fei-fia-sha:j:zero-knowledge-proof-of-identity}
3691: to a zero-knowledge protocol in which not only the secret square roots
3692: modulo~$n$ are not revealed, but also the information of whether or not
3693: there {\em exists\/} a square root modulo~$n$ is not leaked.
3694:
3695: The theory of zero-knowledge may also become important in future internet
3696: technologies. To prevent confusion, we note that Zero-Knowledge Systems,
3697: Inc., a Montr\'{e}al-based company that was founded in 1997 and provides
3698: products and services enabling users to protect their privacy on-line on the
3699: world wide web, is not a commercial fielding of zero-knowledge
3700: protocols~\cite{gol:perscomm:nov01}.
3701:
3702: \begin{figure}[!htb]
3703: \centering
3704: \begin{tabular}{||c||c|c|c||}
3705: \hline\hline
3706: \parbox[t]{.5cm}{\bf Step} &
3707: \psfig{file=alice.ps,height=2cm} &
3708: \psfig{file=mielke.ps,height=2cm} &
3709: %
3710: %
3711: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
3712: & \multicolumn{3}{c||}
3713: {{\bf Key generation}} \\ \hline
3714: {\bf 1} & \parbox[t]{4cm}
3715: {chooses two large primes $p$ and $q$ and a secret
3716: $s \in \integers_{n}^{\ast}$, $n = pq$,
3717: and computes $v = s^2 \mod n$; \\
3718: $p$, $q$, and $s$ are kept secret, \\
3719: whereas $n$ and $v$ are public} & & \\ \hline
3720: & \multicolumn{3}{c||}
3721: {{\bf Protocol}} \\ \hline
3722: {\bf 2} &
3723: \parbox[t]{4cm}
3724: {chooses $r \in \integers_{n}^{\ast}$ at random and computes $x = r^2 \mod n$} & & \\ \hline
3725: {\bf 3} & &
3726: \mbox{\huge
3727: $\stackrel{\mbox{\normalsize $x$}}{\Rightarrow}$} & \\ \hline
3728: {\bf 4} & & &
3729: \parbox[t]{4cm}
3730: {chooses a bit $b \in \{0,1\}$ at random}
3731: \\ \hline
3732: {\bf 5} & &
3733: \mbox{\huge
3734: $\stackrel{\mbox{\normalsize $b$}}{\Leftarrow}$} & \\ \hline
3735: {\bf 6} &\parbox[t]{4cm}
3736: {computes $y = r \cdot s^b \mod n$} & & \\ \hline
3737: {\bf 7} & &
3738: \mbox{\huge
3739: $\stackrel{\mbox{\normalsize $y$}}{\Rightarrow}$} & \\ \hline
3740: {\bf 8} & & &
3741: \parbox[t]{4cm}
3742: {verifies that indeed
3743: \[
3744: y^2 \equiv x \cdot v^b \mod n
3745: \]
3746: and accepts accordingly} \\ \hline\hline
3747: \end{tabular}
3748: \caption{The Fiat-Shamir zero-knowledge protocol.
3749: \label{fig:fiat-shamir}
3750: }
3751: \end{figure}
3752:
3753: \begin{figure}[!htb]
3754: \centering
3755: \begin{tabular}{||c||c|c|c||}
3756: \hline\hline
3757: \parbox[t]{.5cm}{\bf Step} &
3758: \psfig{file=malice.ps,height=2cm} \hspace*{-1.2cm}
3759: \mbox{\bf\large Malice} &
3760: \psfig{file=mielke.ps,height=2cm} &
3761: %
3762: %
3763: \psfig{file=bob.ps,height=2cm} \\ \hline\hline
3764: & \multicolumn{3}{c||}
3765: {{\bf Simulated key generation}} \\ \hline
3766: {\bf 1} & \parbox[t]{4cm}
3767: {knows the public $n = pq$ and \\ $v = s^2 \mod n$; \\
3768: does not know the private primes $p$ and $q$ and Alice's secret $s$}
3769: & & \\ \hline
3770: & \multicolumn{3}{c||}
3771: {{\bf Simulated Protocol}} \\ \hline
3772: {\bf 2} &
3773: \parbox[t]{4cm}
3774: {randomly chooses $r \in \integers_{n}^{\ast}$ and a bit $c \in \{0,1\}$, \\
3775: computes $x = r^2 \cdot v^{-c} \mod n$} & & \\ \hline
3776: {\bf 3} & &
3777: \mbox{\huge
3778: $\stackrel{\mbox{\normalsize $x$}}{\Rightarrow}$} & \\ \hline
3779: {\bf 4} & & &
3780: \parbox[t]{4cm}
3781: {chooses a bit $b \in \{0,1\}$ at random}
3782: \\ \hline
3783: {\bf 5} & &
3784: \mbox{\huge
3785: $\stackrel{\mbox{\normalsize $b$}}{\Leftarrow}$} & \\ \hline
3786: {\bf 6} &\parbox[t]{4cm}
3787: {if $b \neq c$ then $M$ deletes all messages transmitted in this round and
3788: repeats; \\
3789: if $b = c$ then $M$ sends $y = r$} & & \\ \hline
3790: {\bf 7} & &
3791: \mbox{\huge
3792: $\stackrel{\mbox{\normalsize $y$}}{\Rightarrow}$} & \\ \hline
3793: {\bf 8} & & &
3794: \parbox[t]{4cm}
3795: {$b = c$ implies that indeed
3796: \begin{eqnarray*}
3797: y^2 & = & r^2 \ \; = \ \; r^2 v^{-c} v^{b} \\
3798: & \equiv & x \cdot v^b \mod n,
3799: \end{eqnarray*}
3800: so Bob accepts ``Alice's'' identity} \\ \hline\hline
3801: \end{tabular}
3802: \caption{How to simulate the Fiat-Shamir protocol without knowing
3803: the secret~$s$.
3804: \label{fig:fiat-shamir-simulator}
3805: }
3806: \end{figure}
3807:
3808: \begin{theorem}
3809: {\rm{}\cite{fia-sha:c:fiat-shamir-zero-knowledge}} \quad
3810: \label{thm:fiat-shamir-zero-knowledge}
3811: The Fiat-Shamir procedure given in Figure~\ref{fig:fiat-shamir}
3812: is a zero-knowledge protocol.
3813: \end{theorem}
3814:
3815: \begin{proof}
3816: Look at Figure~\ref{fig:fiat-shamir}. The protocol is correct, since
3817: Alice knows the secret $s \in \integers_{n}^{\ast}$ that she has chosen, and
3818: thus she can compute~$y = r \cdot s^b$, where $b$ is the bit that Bob has
3819: chosen at random. Hence, it holds in $\integers_{n}^{\ast}$ that
3820: \[
3821: y^2 \equiv (r \cdot s^b)^2 \equiv r^2 \cdot s^{2b} \equiv r^2 \cdot v^b \equiv
3822: x \cdot v^b \mod n,
3823: \]
3824: so Bob accepts Alice's identity.
3825:
3826: Suppose now that Erich or Malice want to cheat by pretending to be Alice.
3827: They do not know her secret~$s$, nor do they know the primes $p$ and~$q$, but
3828: they do know the public $n = pq$ and $v = s^2 \mod n$. They want to convince
3829: Bob that they know Alice's secret~$s$, the square root of $v$ modulo~$n$. If,
3830: by coincidence, Bob's bit $b$ equals zero then $y = r \cdot s^0 = r$ and they
3831: win. However, if $b = 1$, computing a $y$ that satisfies $y^2 \equiv x \cdot
3832: v^b \mod n$ requires knowledge of the secret~$s$, assuming that computing
3833: square roots modulo $n$ is hard. Without knowing~$s$, if Malice or Erich were
3834: able to compute the correct answer for both $b = 0$ and $b = 1$, say $y_b$
3835: with $y_{b}^{2} \equiv x \cdot v^b \mod n$, they could efficiently compute
3836: square roots modulo~$n$ as follows: $y_{0}^{2} \equiv x \mod n$ and $y_{1}^{2}
3837: \equiv x \cdot v \mod n$ implies $(\frac{y_1}{y_0})^2 \equiv v \mod n$; hence,
3838: $\frac{y_1}{y_0}$ is a square root of $v$ modulo~$n$.
3839:
3840: It follows that they can cheat with probability at most~$\frac{1}{2}$. Of
3841: course, they can always guess the bit~$b$ in advance and prepare the answer
3842: accordingly. Choosing $x = r^2 \cdot v^{-b} \mod n$ and $y = r$ implies that
3843: \begin{equation}
3844: \label{eq:cheat-fiat-shamir}
3845: y^2 \equiv r^2 \equiv r^2 \cdot v^{-b} \cdot v^{b} \equiv x \cdot v^{b} \mod n.
3846: \end{equation}
3847: Thus, Bob will not detect any irregularities and will accept. Hence, their
chance to cheat successfully is exactly~$\frac{1}{2}$. Again, if Bob
demands, say, $k$ independent rounds of the protocol to be executed, he can
make the cheating probability as small as~$2^{-k}$, i.e., as small as
desired, and is very likely to detect any cheater.
3852:
3853: It remains to show that the Fiat-Shamir protocol in
3854: Figure~\ref{fig:fiat-shamir} is zero-knowledge.
3855: Figure~\ref{fig:fiat-shamir-simulator} shows a simulated protocol with Malice,
3856: who does not know the secret~$s$, replacing Alice. The information
3857: communicated in one round of the protocol is given by a triple of the form
3858: $(x, b, y)$. In addition to the randomly chosen $r \in \integers_{n}^{\ast}$,
3859: Malice guesses a bit $c \in \{0,1\}$ and computes $x = r^2 \cdot v^{-c} \mod
3860: n$, which she sends to Bob. Whenever $c$ happens to be equal to Bob's
3861: bit~$b$, Malice simply sends $y = r$ and wins. By an argument analogous to
3862: Equation~(\ref{eq:cheat-fiat-shamir}) above, neither Bob nor any independent
3863: observer will detect that she actually is Malice:
3864: \[
3865: y^2 \equiv r^2 \equiv r^2 \cdot v^{-c} \cdot v^{b} \equiv x \cdot v^{b} \mod n.
3866: \]
Otherwise, whenever $c \neq b$, Malice fails. However, that's no problem at
all: She simply deletes this round from the simulated protocol and repeats.
Note that $x = r^2 \cdot v^{-c} \mod n$ is a uniformly distributed quadratic
residue modulo~$n$ regardless of the value of~$c$, since $r^2$ is a uniformly
distributed quadratic residue for random $r \in \integers_{n}^{\ast}$ and
$v^{-c}$ is itself a quadratic residue ($v = s^2$); hence Bob's bit~$b$
cannot depend on~$c$, each attempt succeeds with probability~$\frac{1}{2}$,
and discarding the failed attempts does not skew the distribution of the
rounds that are kept. Thus, she can produce a sequence of triples of the
form $(x, b, y)$ that is distributed identically to the corresponding
sequence of triples in the original protocol between Alice and Bob. It
follows that the Fiat-Shamir protocol is zero-knowledge.
3873: \end{proof}
3874:
3875: We have chosen to give here the original Fiat-Shamir identification scheme as
3876: presented in most books (see, e.g.,
3877: \cite{gol:b:foundations,beu-sch-wol:b:kryptographie}). Note, however, that
3878: quite a number of modifications and improvements of the Fiat-Shamir protocol
3879: have been proposed, including the ``zero-knowledge proof of knowledge''
protocol of Feige, Fiat and
3881: Shamir~\cite{fei-fia-sha:j:zero-knowledge-proof-of-identity}. We also note in
3882: passing that we omitted many formal details in our arguments in this section.
3883: A rigid formalism (see~\cite{gol:b:foundations}) is helpful in discussing many
subtleties that can arise in zero-knowledge protocols. For example, looking
at Figure~\ref{fig:fiat-shamir}, Alice could be impersonated by anyone who
picks the value $r = 0$ without Bob detecting this fraud: sending $x = 0$ in
step~3 and $y = 0$ in step~7 satisfies Bob's check $y^2 \equiv x \cdot v^b
\mod n$ for either value of~$b$, because that check does not verify that $x$
and $y$ actually lie in $\integers_{n}^{\ast}$ as step~2 prescribes. An
implementation of the verifier must therefore reject $x = 0$ (more
generally, any $x$ or $y$ not coprime to~$n$; note that the extraction
argument above divides by~$y_0$ and thus also needs $y_0$ to be invertible
modulo~$n$). We refer to
3887: Burmester and Desmedt~\cite{bur-des:j:remarks-soundness-of-proofs} for
3888: appropriate modifications of the scheme. Moreover, Burmester et
3889: al.~\cite{bur-des-pip-wal:c:general-zero-knowledge,bur-des-bet:j:zero-knowledge-identification}
3890: proposed efficient zero-knowledge protocols in a general algebraic setting.
3891:
3892:
3893: %
3894: %
3895: %
3896:
3897: \section{Strongly Noninvertible Associative One-Way Functions}
3898: \label{sec:aowf}
3899:
3900: Recall Rivest and Sherman's secret-key agreement protocol
3901: (Figure~\ref{fig:rivest-sherman-secret-key}) and Rabi and Sherman's digital
3902: signature protocol (Figure~\ref{fig:rabi-sherman-digital-signature}) presented
3903: in Section~\ref{sec:riv-rab-she}. Both of these protocols use a candidate for
3904: a strongly noninvertible, associative one-way function. Are these protocols
3905: secure? This question has two aspects: (1)~Are they secure under the
3906: assumption that strongly noninvertible, associative one-way functions indeed
3907: exist? (2)~What evidence do we have for the existence of such functions?
3908:
3909: The first question is an open problem. Security here depends on
3910: precisely how ``strong noninvertibility'' is defined, and in which model.
3911: Traditional complexity theory is concerned with the worst-case model and has
3912: identified a large number of problems that are hard in the worst case.
3913: Cryptographic applications, however, require the more demanding average-case
3914: model (see, e.g.,
3915: \cite{gol:b:foundations,gol:b:modern-cryptography,lub:b:pseudorandom}) for
3916: which much less is known. As noted by Rabi and Sherman~\cite{rab-she:j:aowf},
3917: no proof of security for the Rivest--Sherman and Rabi--Sherman protocols is
3918: currently known, and even assuming the existence of associative one-way
3919: functions that are strongly noninvertible in the weaker worst-case model would
3920: not
3921: %
3922: imply that the protocols are secure. In that regard,
3923: however, the Rivest--Sherman and Rabi--Sherman protocols are just like many
3924: other protocols currently used in practical applications. For example,
3925: neither the Diffie--Hellman protocol nor the RSA protocol currently has a proof
3926: of security. There are merely heuristic, intuitive arguments about how to
3927: avoid certain direct attacks. The ``security'' of the Diffie--Hellman protocol
3928: draws on the assumption that computing discrete logarithms is hard, and the
3929: ``security'' of the RSA protocol draws on the assumption that factoring large
3930: integers is hard. Breaking Diffie--Hellman is not even known to be as hard as
3931: the discrete logarithm problem, and breaking RSA is not even known to be as
3932: hard as the factoring problem. In a similar vein, Rabi and
3933: Sherman~\cite{rab-she:t-no-URL:aowf,rab-she:j:aowf} only give intuitive
3934: arguments for the security of their protocols, explaining how to employ the
3935: strong noninvertibility of associative one-way functions to preclude certain
3936: direct attacks.
3937:
3938: Turning to the second question raised above: What evidence do we have
3939: that strongly noninvertible, associative one-way functions exist? Assuming $\p
3940: \neq \np$, we will show how to construct total, strongly noninvertible,
3941: commutative,\footnote{Commutativity is needed to extend the Rivest--Sherman
3942: and Rabi--Sherman protocols from two parties to $m > 2$ parties. }
3943: associative one-way functions~\cite{hem-rot:j:aowf}. The question of whether
3944: or not P equals NP is perhaps the most important question in theoretical
3945: computer science. It is widely believed that P differs from NP, although this
3946: question has remained open for more than thirty years now. For more
3947: background on complexity theory, we refer
3948: to the textbooks~\cite{bal-dia-gab:b:sctI:95,bov-cre:b:complexity,hem-ogi:b:companion,pap:b:complexity}.
3949:
3950:
3951: \subsection{Definitions and Progress of Results}
3952: \label{sec:definitions}
3953:
3954: From now on, we adopt the worst-case notion of one-way functions that is due
3955: to Grollmann and Selman~\cite{gro-sel:j:complexity-measures}, see also the
3956: papers by Ko~\cite{ko:j:operators}, Berman~\cite{ber:thesis:iso}, and
3957: Allender~\cite{all:thesis:invertible,all:coutdatedExceptForPUNCstuff:complexity-sparse},
3958: and the surveys~\cite{sel:j:one-way,bey-hem-hom-rot:j:aowf-survey}.
3959: %
3960: %
3961: %
3962: %
3963: %
3964: %
3965: %
3966: %
3967: Recall that one-way functions are easy to compute but hard to invert.
3968: To prevent the notion of noninvertibility from being trivialized, one-way
3969: functions are required to be ``honest,'' i.e., to not shrink their inputs too
3970: much. Formal definitions of
3971: various types of honesty can be found
3972: in~\cite{gro-sel:j:complexity-measures,hem-rot-wec:c:easy-one-way-permutations,hem-rot:j:one-way,rot-hem:j:one-way,hem-pas-rot:c:strong-noninvertibility,hom:t:low-ambiguity-aowf,hom-tha:c:one-way-permutations}.
3973:
3974: One-way functions are often considered to be one-argument functions.
3975: Since the protocols from Section~\ref{sec:riv-rab-she} require two-argument
3976: functions, the original definition is here tailored to the case of two-ary
3977: functions. Let $\rho : \nats \times \nats \rightarrow \nats$ be any two-ary
3978: function; $\rho$ may be nontotal and it may be many-to-one.
3979: %
3980: %
3981: %
3982: %
3983: %
3984: %
3985: %
3986: %
3987: %
3988: We say that $\rho$ is {\em (polynomial-time) invertible\/} if there exists a
3989: polynomial-time computable function $g$ such that for all $z \in
3990: \image(\rho)$, it holds that $\rho(g(z)) = z$; otherwise, we call $\rho$
3991: {\em not polynomial-time invertible}, or {\em noninvertible} for short.
3992: %
3993: We say that $\rho$ is a {\em one-way function\/} if and only if $\rho$ is
3994: honest, polynomial-time computable, and noninvertible.
3995: %
3996: %
3997: One-argument one-way functions are well-known to exist if and only if $\p \neq
3998: \np$; see, e.g.,~\cite{sel:j:one-way,bal-dia-gab:b:sctI:95}. It is easy to
3999: prove the analogous result for two-argument one-way functions,
4000: see~\cite{hem-rot:j:aowf,rab-she:j:aowf}.
4001:
4002: We now define strong noninvertibility (strongness, for short).
4003: %
4004: %
4005: %
4006: %
4007: %
4008: %
4009: %
4010: %
4011: %
4012: As with noninvertibility, strongness requires an appropriate notion of honesty
4013: so as to not be trivial. This notion is called ``s-honesty''
4014: in~\cite{hem-pas-rot:c:strong-noninvertibility}, and since it is merely a
4015: technical requirement, we omit a formal definition here. Intuitively,
4016: ``s-honesty'' fits the notion of strong noninvertibility in that it is
4017: measured not only in the length of the function value but also in the length
4018: of the corresponding given argument.
4019:
4020: \begin{definition}
4021: {\rm{}(see~\cite{rab-she:j:aowf,hem-rot:j:aowf})} \quad
4022: \label{d:strong-oneway}
4023: Let $\sigma : \nats \times \nats \rightarrow \nats$ be any two-ary function;
4024: $\sigma$ may be nontotal and it may be many-to-one.
4025: Let $\pair{\cdot, \cdot} : \nats \times \nats \rightarrow\, \nats$ be some
4026: standard pairing function.
4027: \begin{enumerate}
4028: %
4029: %
4030: %
4031: %
4032: %
4033: %
4034: %
4035: %
4036: %
4037: \item We say that $\sigma$ is {\em (polynomial-time) invertible with respect
4038: to its first argument\/} if and only if there exists a polynomial-time
4039: computable function $g_1$ such that for all $z \in \image(\sigma)$ and for
4040: all $a$ and $b$ with $(a,b) \in \domain(\sigma)$ and $\sigma(a,b) = z$, it
4041: holds that $\sigma(a, g_1(\pair{a,z})) = z$.
4042:
4043: \item We say that $\sigma$ is {\em (polynomial-time) invertible with respect
4044: to its second argument\/} if and only if there exists a polynomial-time
computable function $g_2$ such that for all $z \in \image(\sigma)$ and for
4046: all $a$ and $b$ with $(a,b) \in \domain(\sigma)$ and $\sigma(a,b) = z$, it
4047: holds that $\sigma(g_2(\pair{b,z}), b) = z$.
4048:
4049: \item We say that $\sigma$ is {\em strongly noninvertible\/} if and only if
4050: $\sigma$ is neither invertible with respect to its first argument nor
4051: invertible with respect to its second argument.
4052:
4053: \item We say that $\sigma$ is a {\em strong one-way function\/} if and only if
4054: $\sigma$ is s-honest, polynomial-time computable, and strongly
4055: noninvertible.
4056: \end{enumerate}
4057: \end{definition}
4058:
4059: Below, we define Rabi and Sherman's notion of associativity, which henceforth
4060: will be called ``weak associativity.''
4061:
4062: \begin{definition}
4063: {\rm{}\cite{rab-she:t-no-URL:aowf,rab-she:j:aowf}} \quad
4064: \label{def:rs-associative}
4065: A two-ary function $\sigma : \nats \times \nats \rightarrow\, \nats$ is said
4066: to be {\em weakly associative\/} if and only if $\sigma(a, \sigma(b, c)) =
4067: \sigma(\sigma(a, b), c)$ holds for all $a,b,c \in \nats$ for which each of
4068: $(a,b)$, $(b,c)$, $(a, \sigma(b, c))$, and $(\sigma(a, b), c)$ belongs to the
4069: domain of~$\sigma$.
4070: \end{definition}
4071:
4072: Although this notion is suitable for total functions, weak associativity does
4073: not adequately fit the nontotal function case. More precisely, weak
4074: associativity fails to preclude, for nontotal functions, equations from having
4075: a defined value to the left, while being undefined to the right of their
4076: equality sign. Therefore, we present in Definition~\ref{def:associative}
4077: below another notion of associativity for two-ary functions that is suitable
4078: both for total and for nontotal two-ary functions. This definition is due to
4079: Hemaspaandra and Rothe~\cite{hem-rot:j:aowf}
4080: %
4081: who note that the two notions of
associativity are provably distinct (see~Proposition~\ref{prop:ass}), and this
4083: distinction can be explained (see~\cite{hem-rot:j:aowf}) via Kleene's careful
4084: discussion~\cite[pp.~327--328]{kle:b:metamathematics} of two distinct notions
4085: of equality for partial functions in recursion theory: ``Weak equality''
4086: between two partial functions explicitly allows ``specific, defined function
4087: values being equal to undefined'' as long as the functions take the same
4088: values on their joint domain. In contrast, ``complete equality'' precludes
4089: this unnatural behavior by additionally requiring that two given partial
4090: functions be equal only if their domains coincide; i.e., whenever one is
4091: undefined, so is the other. Weak associativity from
4092: Definition~\ref{def:rs-associative} is based on Kleene's weak equality between
4093: partial functions, whereas associativity from Definition~\ref{def:associative}
4094: is based on Kleene's complete equality.
4095:
4096: \begin{definition}
4097: {\rm{}\cite{hem-rot:j:aowf}} \quad
4098: \label{def:associative}
4099: Let $\sigma : \nats \times \nats \rightarrow\, \nats$ be any two-ary function;
4100: $\sigma$ may be nontotal. Define $\nats_{\bot} \equalsdef \nats \cup
4101: \{\bot\}$, and define an extension $\sigmabot : \nats_{\bot}
4102: \times \nats_{\bot} \rightarrow\, \nats_{\bot}$ of $\sigma$ as follows:
4103: \[
4104: \sigmabots{a,b} \equalsdef \left\{
4105: \begin{array}{ll} \sigma(a,b) &
4106: \mbox{if $a \neq \bot$ and $b \neq \bot$ and $(a,b) \in \mbox{\rm
4107: domain}(\sigma)$} \\
4108: \bot & \mbox{otherwise.}
4109: \end{array}
4110: \right.
4111: \]
4112:
4113: We say that $\sigma$ is {\em associative\/} if and only if, for all $a,b,c \in
4114: \nats$, it holds that
4115: \begin{eqnarray*}
4116: \sigmabots{\sigmabots{a,b},c} & = & \sigmabots{a,\sigmabots{b,c}}.
4117: \end{eqnarray*}
4118:
4119: We say that $\sigma$ is {\em commutative\/} if and only if, for all $a,b \in
4120: \nats$, it holds that
4121: \begin{eqnarray*}
4122: \sigmabots{a,b} & = & \sigmabots{b,a}.
4123: \end{eqnarray*}
4124: \end{definition}
4125:
4126: The following proposition explores the relation between the two associativity
4127: notions presented respectively in Definition~\ref{def:rs-associative} and in
4128: Definition~\ref{def:associative}. In particular, these are indeed
4129: different notions.
4130:
4131: \begin{proposition}
4132: {\rm{}\cite{hem-rot:j:aowf}} \quad ~
4133: \label{prop:ass}
4134: \begin{enumerate}
4135: \item Every associative two-ary function is weakly associative.
4136:
4137: \item Every total two-ary function is associative exactly if it is weakly
4138: associative.
4139:
4140: \item There exist two-ary functions that are weakly associative, yet not
4141: associative.
4142: \end{enumerate}
4143: \end{proposition}
4144:
4145: Rabi and Sherman~\cite{rab-she:t-no-URL:aowf,rab-she:j:aowf} showed that $\p
4146: \neq \np$ if and only if commutative, weakly associative one-way functions
4147: exist. However, they did not achieve strong noninvertibility. They did not
4148: achieve totality of their weakly associative one-way functions, although they
4149: presented a construction that they claimed achieves totality of any weakly
4150: associative one-way function. Hemaspaandra and Rothe~\cite{hem-rot:j:aowf}
4151: showed that Rabi and Sherman's claim is unlikely to be true: Any proof of this
4152: claim would imply that $\np = \up$, which is considered to be unlikely.
4153: Intuitively, the reason that Rabi and Sherman's construction is unlikely to
4154: work is that the functions constructed
4155: in~\cite{rab-she:t-no-URL:aowf,rab-she:j:aowf} are not associative in the
4156: sense of Definition~\ref{def:associative}. In contrast, the Rabi--Sherman
4157: construction indeed is useful to achieve totality of the associative, strongly
4158: noninvertible one-way functions constructed in~\cite{hem-rot:j:aowf}.
4159:
4160: Thus, Rabi and Sherman~\cite{rab-she:t-no-URL:aowf,rab-she:j:aowf} left open
4161: the question of whether there are plausible complexity-theoretic conditions
4162: sufficient to ensure the existence of total, strongly noninvertible,
4163: commutative, associative one-way functions. They also asked whether such
4164: functions could be {\em constructed\/} from any given one-way function.
4165: Section~\ref{sec:creating} presents the answers to these questions.
4166:
4167: \subsection{Creating Strongly Noninvertible, Total, Commutative, Associative
4168: One-Way Functions from Any One-Way Function}
4169: \label{sec:creating}
4170:
4171: Theorem~\ref{thm:aowf-equ} below is the main result of this section. Since
4172: $\p \neq \np$ is equivalent to the existence of one-way functions with no
4173: additional properties required, the converse of the implication stated in
4174: Theorem~\ref{thm:aowf-equ} is clearly also true. However, we focus on
4175: only the interesting implication directions in
4176: Theorem~\ref{thm:aowf-equ} and in the upcoming Theorem~\ref{thm:c} and
4177: Theorem~\ref{thm:d}.
4178:
4179: \begin{theorem}
4180: {\rm{}\cite{hem-rot:j:aowf}}
4181: \quad
4182: \label{thm:aowf-equ}
4183: If $\p \neq \np$ then there exist total, strongly noninvertible, commutative,
4184: associative one-way functions.
4185: \end{theorem}
4186:
4187: A detailed proof of Theorem~\ref{thm:aowf-equ} can be found
4188: in~\cite{hem-rot:j:aowf}, see also the
4189: survey~\cite{bey-hem-hom-rot:j:aowf-survey}.
4190: Here, we briefly sketch the proof idea.
4191:
4192: Assume $\p \neq \np$. Let $A$ be a set in $\np - \p$, and let $M$ be a fixed
4193: NP machine accepting~$A$. Let $x \in A$ be an input accepted by~$M$ in
4194: time~$p(|x|)$, where $p$ is some polynomial. A useful property of NP sets is
4195: that they have polynomial-time checkable certificates.\footnote{Other common
4196: names for ``certificate'' are ``witness'' and ``proof'' and ``solution.''
4197: }
4198: %
4199: %
4200: %
4201: %
4202: That is, for each certificate $z$ for ``$x \in A$,'' it holds that: (a)~the
4203: length of $z$ is polynomially bounded in the length of~$x$, and (b)~$z$
4204: certifies membership of $x$ in $A$ in a way that can be verified
4205: deterministically in polynomial time. $\certificate{M}{x}$ denotes the set of
4206: all certificates of $M$ on input~$x$. Note that $\certificate{M}{x}$ is
4207: nonempty exactly if $x \in A$.
4208:
4209: \begin{figure}[ht!]
4210: \begin{center}
4211: \psfig{figure=dreif.eps,width=12cm}
4212: \end{center}
4213: \caption{\label{fig:dreif} The three-coloring $\psi$ of graph~$G$.}
4214: \end{figure}
4215:
4216: \begin{example}
4217: For concreteness, consider $\threecolor$, a well-known $\np$-complete
4218: problem that asks whether the vertices of a given graph can be colored with
4219: three colors such that no two adjacent vertices receive the same color.
4220: Such a coloring is called a legal three-coloring. In other words, a legal
4221: three-coloring is a mapping $\psi$ from the vertex set of $G$ to the set of
4222: colors (\mbox{\rm RED}, \mbox{\rm GREEN}, \mbox{\rm BLUE}) such that the
4223: resulting color classes are independent sets. Figure~\ref{fig:dreif} gives
4224: an example.
4225:
4226: The standard $\np$ machine for $\threecolor$ works as follows: Given a
4227: graph~$G$, nondeterministically guess a three-coloring $\psi$ of~$G$ (i.e.,
4228: a partition of the vertex set of $G$ into three color classes) and check
4229: deterministically whether $\psi$ is legal.
4230:
4231: Any legal three-coloring of~$G$ is a {\em certificate\/} for the
4232: three-colorability of $G$ (with respect to the above $\np$ machine). For
4233: the specific graph from Figure~\ref{fig:dreif}, one certificate $\psi$
4234: %
4235: is specified by the three color classes $\psi^{-1}(\mbox{\rm GREEN}) = \{ a
4236: , g \}$, $\psi^{-1}(\mbox{\rm RED}) = \{ c , f , h \}$, and
4237: $\psi^{-1}(\mbox{\rm BLUE}) = \{ b , d , e \}$.
4238:
4239: As is standard, graphs as well as three-colorings can be encoded as binary
4240: strings that represent nonnegative integers.
4241: \end{example}
4242:
4243: Suppose that for each $x \in A$ and for each certificate $z$ for ``$x \in
4244: A$,'' it holds that $|z| = p(|x|) > |x|$.
4245: %
4246: This is only a technical requirement that makes it easy to tell input strings
4247: apart from their certificates. For any integers $u, v, w \in \nats$, let
4248: $\min(u,v)$ denote the minimum of $u$ and~$v$, and let $\min(u,v,w)$ denote
4249: the minimum of $u$, $v$, and~$w$. Define a two-ary function $\sigma : \nats
4250: \times \nats \rightarrow\, \nats$ as follows:
4251: \begin{itemize}
4252: \item If $a = \pair{x,z_1}$ and $b = \pair{x,z_2}$ for some $x \in A$ with
4253: certificates $z_1,z_2 \in \certificate{M}{x}$ (where, possibly, $z_1 =
4254: z_2$), then define $\sigma(a,b) = \pair{x,\min(z_1,z_2)}$;
4255:
4256: \item if there exists some $x \in A$ with certificate $z \in
4257: \certificate{M}{x}$ such that either $a = \pair{x,x}$ and $b = \pair{x,z}$,
4258: or $a = \pair{x,z}$ and $b = \pair{x,x}$, then define $\sigma(a,b) =
4259: \pair{x,x}$;
4260:
4261: \item otherwise, $\sigma(a,b)$ is undefined.
4262: \end{itemize}
4263:
4264: What is the intuition behind the definition of~$\sigma$? The number of
4265: certificates contained in the arguments of $\sigma$ is decreased by one in a
4266: way that ensures the associativity of~$\sigma$. Moreover, $\sigma$ is
noninvertible, and it is also strongly noninvertible. Why? The intuition
here is that, regardless of whether none or just one of its arguments is
given in addition to $\sigma$'s function value, inverting~$\sigma$
requires information about the certificates for elements of~$A$. However, our
assumption that $A \not\in \p$ guarantees that this information cannot be
extracted efficiently.
4273:
4274: One can show that $\sigma$ is a commutative, associative one-way function that
4275: is strongly noninvertible. We will show associativity and strongness below.
4276: Note that $\sigma$ is not a total function. However, $\sigma$ can be extended
4277: to a total function without losing any of its other properties already
4278: established~\cite{hem-rot:j:aowf}.
4279: %
4280: %
4281: %
4282: %
4283: %
4284: %
4285: %
4286: %
4287: %
4288: %
4289: %
4290: %
4291: %
4292: %
4293: %
4294: %
4295: %
4296: %
4297: %
4298: %
4299: %
4300: %
4301: %
4302: %
4303: %
4304: %
4305: %
4306: %
4307: %
4308:
4309: We now show that $\sigma$ is strongly noninvertible. For a contradiction,
4310: suppose there is a polynomial-time computable inverter, $g_2$, for a fixed
4311: second argument. Hence, for each $w \in \image(\sigma)$ and for each second
4312: argument $b$ for which there is an $a \in \nats$ with $\sigma(a,b) = w$, it
4313: holds that
4314: \[
4315: \sigma(g_2(\pair{b,w}), b) = w.
4316: \]
4317: Then, contradicting our assumption that $A \not\in \p$, one could decide $A$
4318: in polynomial time as follows:
4319: \begin{quote} On input~$x$, compute $g_2 (\pair{\pair{x,x},\pair{x,x}})$,
4320: compute the integers $d$ and $e$ for which $\pair{d,e}$ equals $g_2
4321: (\pair{\pair{x,x},\pair{x,x}})$, and accept $x$ if and only if $d = x$ and
4322: $e \in \certificate{M}{x}$.
4323: \end{quote}
Note that the final certificate check is essential: if $x \not\in A$, then
$\pair{x,x}$ has no preimage under $\sigma$ with second argument
$\pair{x,x}$, so nothing constrains the output of $g_2$ on such inputs and it
must not be trusted. The check itself runs in polynomial time, since
certificates of $M$ can be verified deterministically in polynomial time, and
it rejects exactly the inputs $x \not\in A$. Hence, $\sigma$ is not
invertible with respect to its second argument. An analogous argument shows
that $\sigma$ is not invertible with respect to its first argument. Thus,
$\sigma$ is strongly noninvertible.
4327:
4328: Next, we prove that $\sigma$ is associative. Let $\sigmabot$ be
4329: the total extension of $\sigma$ as in Definition~\ref{def:associative}. Fix
4330: any three elements of~$\nats$, say $a = \pair{a_1, a_2}$, $b = \pair{b_1,
4331: b_2}$, and $c = \pair{c_1, c_2}$. To show that
4332: \begin{eqnarray}
4333: \label{equ:ass}
4334: \sigmabots{\sigmabots{a, b}, c} & = & \sigmabots{a, \sigmabots{b, c}}
4335: \end{eqnarray}
4336: holds, distinguish two cases.
4337:
4338: \begin{description}
4339: \item[Case~1:] $a_1 = b_1 = c_1$ and $\{a_2, b_2, c_2 \} \seq \{a_1\} \cup
4340: \certificate{M}{a_1}$.
4341:
4342: Let $x, y \in \{a, b, c\}$ be any two fixed arguments of~$\sigma$. As noted
4343: above, if $x$ and $y$ together contain $i$ certificates for ``$a_1\in A$,''
4344: where $i \in \{1, 2\}$, then $\sigma(x,y)$---and thus also
4345: $\sigmabots{x,y}$---contains exactly $\max\{0, i-1\}$
4346: certificates for ``$a_1\in A$.''~~In particular,
4347: $\sigmabots{x,y}$ preserves the minimum certificate if both $x$
4348: and $y$ contain a certificate for ``$a_1\in A$.''
4349:
4350: If exactly one of $x$ and $y$ contains a certificate for ``$a_1\in A$,''
4351: then $\sigmabots{x,y} = \pair{a_1, a_1}$.
4352:
4353: If none of $x$ and $y$ contains a certificate for ``$a_1\in A$,'' then
4354: $\sigma(x,y)$ is undefined, so $\sigmabots{x,y} = \bot$.
4355:
4356: Let $k\leq 3$ be a number telling us how many of $a_2$, $b_2$, and~$c_2$
4357: belong to $\certificate{M}{a_1}$. For example, if $a_2 = b_2 = c_2 \in
4358: \certificate{M}{a_1}$ then $k = 3$. Consequently:
4359: \begin{itemize}
\item If $k \leq 1$ then both $\sigmabots{\sigmabots{a,b},c}$ and
$\sigmabots{a,\sigmabots{b,c}}$ equal~$\bot$.

\item If $k=2$ then both $\sigmabots{\sigmabots{a,b},c}$ and
$\sigmabots{a,\sigmabots{b,c}}$ equal~$\pair{a_1, a_1}$.

\item If $k=3$ then both $\sigmabots{\sigmabots{a,b},c}$ and
$\sigmabots{a,\sigmabots{b,c}}$ equal~$\pair{a_1, \min(a_2, b_2, c_2)}$.
4368: \end{itemize}
4369: In each of these three cases, Equation~(\ref{equ:ass}) is satisfied.
4370:
4371: \item[Case~2:] Suppose Case~1 is not true.
4372:
4373: Then, either it holds that $a_1 \neq b_1$ or $a_1 \neq c_1$ or $b_1 \neq
4374: c_1$, or it holds that $a_1 = b_1 = c_1$ and $\{a_2, b_2, c_2 \}$ is not
4375: contained in $\{a_1\} \cup \certificate{M}{a_1}$. By the definition
4376: of~$\sigma$, in both cases it follows that
4377: \[
4378: \begin{array}{rcccl}
4379: \sigmabots{\sigmabots{a,b},c}
4380: & = & \bot & = &
4381: \sigmabots{a,\sigmabots{b,c}} ,
4382: \end{array}
4383: \]
4384: which satisfies Equation~(\ref{equ:ass}) and concludes the proof that $\sigma$
4385: is associative.
4386: \end{description}
4387:
4388: %
4389: %
4390: %
4391: %
4392: %
4393: %
4394: %
4395: %
4396: %
4397: %
4398: %
4399: %
4400: %
4401: %
4402: %
4403: %
4404: %
4405: %
4406: %
4407: %
4408: %
4409: %
4410: %
4411: %
4412: %
4413: %
4414: %
4415: %
4416: %
4417: %
4418: %
4419: %
4420: %
4421: %
4422: %
4423: %
4424: %
4425: %
4426: %
4427: %
4428: %
4429: %
4430:
4431: Finally, we mention some related results of Chris
4432: Homan~\cite{hom:t:low-ambiguity-aowf} who studied upper and lower bounds on
4433: the ambiguity of associative one-way functions. In particular, extending Rabi
4434: and Sherman's~\cite{rab-she:j:aowf} result that no total, associative one-way
4435: function is injective, he proved that no total, associative one-way function
4436: can be constant-to-one. He also showed that, under the plausible assumption
4437: that $\p \neq \up$, there exist linear-to-one, total, strongly noninvertible,
4438: associative one-way functions.
4439:
4440: On a slightly less related note, Homan and
4441: Thakur~\cite{hom-tha:c:one-way-permutations} recently proved that one-way
4442: permutations (i.e., one-way functions that are total, one-to-one, and onto)
4443: exist if and only if $\p \neq \up \cap \coup$. This result gives a
4444: characterization of one-way permutations in terms of a complexity class
4445: separation, and thus the ultimate answer to a question studied
4446: in~\cite{gro-sel:j:complexity-measures,hem-rot-wec:c:easy-one-way-permutations,hem-rot:j:one-way,rot-hem:j:one-way}.
4447:
4448: \subsection{If P $\neq$ NP then Some Strongly Noninvertible Functions are
4449: Invertible}
4450: \label{sec:fct}
4451:
4452: Is every strongly noninvertible function noninvertible? Hemaspaandra,
4453: Pasanen, and Rothe~\cite{hem-pas-rot:c:strong-noninvertibility} obtained the
4454: surprising result that if $\p \neq \np$ then this is not necessarily the case.
4455: This result shows that the term ``strong noninvertibility'' introduced
4456: in~\cite{rab-she:t-no-URL:aowf,rab-she:j:aowf} actually is a misnomer, since
4457: it seems to suggest that strong noninvertibility always implies
4458: noninvertibility, which is not true.
4459:
4460: \begin{theorem}
4461: {\rm{}\cite{hem-pas-rot:c:strong-noninvertibility}} \quad
4462: \label{thm:c}
4463: If $\p \neq \np$ then there exists a total, honest two-ary function that is
4464: strongly one-way but not a one-way function.
4465: \end{theorem}
4466:
4467: We give a brief sketch of the proof. Assume $\p \neq \np$. Then, there
4468: exists a total two-ary one-way function, call it~$\rho$. For any integer $n
4469: \in \nats$, define the notation
4470: \begin{eqnarray*}
4471: \mbox{odd}(n) = 2n + 1 & \mbox{ and } &
4472: \mbox{even}(n) = 2n .
4473: \end{eqnarray*}
4474: Define a function $\sigma : \nats \times \nats \rightarrow
4475: \nats$ as follows. Let $a, b \in \nats$ be any two arguments of~$\sigma$.
4476: \begin{itemize}
4477: \item If $a \neq 0 \neq b$, $a = \pair{x,y}$ is odd, and $b$ is even, then
4478: define $\sigma(a,b) = \mbox{even}(\rho(x,y))$.
4479:
4480: \item If $a \neq 0 \neq b$, $a$ is even, and $b = \pair{x,y}$ is odd, then
4481: define $\sigma(a,b) = \mbox{even}(\rho(x,y))$.
4482:
4483: \item If $a \neq 0 \neq b$, and $a$ is odd if and only if $b$ is odd, then
4484: define $\sigma(a,b) = \mbox{odd}(a+b)$.
4485:
4486: \item If $a=0$ or $b=0$, then define $\sigma(a,b) = a+b$.
4487: \end{itemize}
4488:
4489: %
4490: %
4491: %
4492: %
4493: %
4494: %
4495: %
4496: %
4497: %
4498: %
4499: %
4500: %
4501: %
4502: %
4503: %
4504: %
4505:
4506: %
4507: %
4508: %
4509:
4510: We claim that $\sigma$ is strongly noninvertible.
4511: For a contradiction, suppose $\sigma$ were invertible with respect to its
4512: first argument via an inverter, $g_1$. By the definition of~$\sigma$,
4513: for any $z \in \image(\rho)$ with $z \neq 0$, the function $g_1$ on input
4514: $\pair{2,\mbox{even}(z)}$ yields an odd integer $b$ from which we can read the
4515: pair $\pair{x,y}$ with $\rho(x,y) = z$.
4516: %
4517: %
4518: %
4519: %
4520: Hence, using~$g_1$, one could invert $\rho$ in polynomial time, a
4521: contradiction. Thus, $\sigma$ is not invertible with respect to its first
4522: argument. Analogously, one can show that $\sigma$ is not invertible with
4523: respect to its second argument. So, $\sigma$ indeed is strongly
4524: noninvertible.
4525:
4526: But $\sigma$ is invertible! By the fourth line in the definition of~$\sigma$,
4527: every $z$ in the image of $\sigma$ has a preimage of the form $(0,z)$.
4528: Thus, the function $g$ defined by $g(z) = (0, z)$ inverts $\sigma$ in
4529: polynomial time. Hence, $\sigma$ is not a one-way function.
4530: %
4531:
4532: Why don't we use a different notion of strongness that automatically implies
4533: noninvertibility? Here is an attempt to redefine the notion of strongness
4534: accordingly, which yields a new notion that we will call ``overstrongness.''
4535:
4536: \begin{definition}
4537: {\rm{}\cite{hem-pas-rot:c:strong-noninvertibility}} \quad
4538: \label{d:c-strong}
4539: Let $\sigma : \nats \times \nats \rightarrow \nats$ be any two-ary function;
4540: $\sigma$ may be nontotal and it may be many-to-one. We say that $\sigma$ is
4541: {\em overstrong\/} if and only if no polynomial-time computable function $f$
4542: with $f : \{1,2\} \times \nats \times \nats \rightarrow \nats \times \nats$
4543: satisfies that for each $i \in \{1,2\}$ and for each $z, a \in \nats$:
4544: \[
4545: ((\exists b \in \nats) [(\sigma(a,b) = z \land i = 1) \lor
4546: (\sigma(b,a) = z \land i = 2)]) \Lora \sigma(f(i,z,a)) = z .
4547: \]
4548: \end{definition}
4549:
4550: Note that overstrongness implies both noninvertibility and strong
4551: noninvertibility. However, the problem with this new definition is that it
4552: completely loses the core of why strongness precludes direct attacks on the
Rivest--Sherman and Rabi--Sherman protocols. To see why, look at
4554: Figure~\ref{fig:rivest-sherman-secret-key} and
4555: Figure~\ref{fig:rabi-sherman-digital-signature}, which give the protocols of
4556: Rabi, Rivest, and Sherman. In contrast to overstrongness, Rabi, Rivest, and
4557: Sherman's original definition of strong noninvertibility (see
4558: Definition~\ref{d:strong-oneway}) {\em respects the argument given}. It is
4559: this feature that precludes Erich from being able to compute Alice's secret
4560: $x$ from the transmitted values $\sigma(x,y)$ and~$y$, which he knows. In
4561: short, overstrongness is {\em not well-motivated\/} by the protocols of Rabi,
4562: Rivest, and Sherman.
4563:
4564: We mention without proof some further results of Hemaspaandra, Pasanen, and
4565: Rothe~\cite{hem-pas-rot:c:strong-noninvertibility}.
4566: %
4567: %
4568:
4569: \begin{theorem}
4570: {\rm{}\cite{hem-pas-rot:c:strong-noninvertibility}} \quad
4571: \label{thm:d}
4572: \begin{enumerate}
4573: \item If $\p \neq \np$ then there exists a total, honest, s-honest, two-ary
4574: overstrong function. Consequently, if $\p \neq \np$ then there exists a
4575: total two-ary function that is both one-way and strongly one-way.
4576:
4577: \item If $\p \neq \np$ then there exists a total, s-honest two-ary one-way
4578: function $\sigma$ such that $\sigma$ is invertible with respect to its first
4579: argument and $\sigma$ is invertible with respect to its second argument.
4580:
\item If $\p \neq \np$ then there exists a total, s-honest two-ary one-way
function that is invertible with respect to one of its arguments (and thus
is not strongly one-way), yet that is not invertible with respect to the
other argument.
4585:
4586: \item \label{thm:d4} If $\p \neq \np$ then there exists a total, honest,
4587: s-honest two-ary function that is noninvertible and strongly noninvertible
4588: but that is not overstrong.
4589: \end{enumerate}
4590: \end{theorem}
4591:
4592:
4593:
4594: %
4595: %
4596: %
4597: %
4598: %
4599: %
4600: %
4601: %
4602: %
4603: %
4604: %
4605: %
4606: %
4607: %
4608: %
4609: %
4610: %
4611: %
4612: %
4613: %
4614: %
4615: %
4616: %
4617: %
4618: %
4619: %
4620: %
4621: %
4622: %
4623: %
4624: %
4625: %
4626: %
4627: %
4628: %
4629: %
4630: %
4631: %
4632: %
4633: %
4634: %
4635: %
4636: %
4637: %
4638: %
4639: %
4640: %
4641: %
4642: %
4643: %
4644: %
4645: %
4646: %
4647: %
4648: %
4649: %
4650: %
4651: %
4652: %
4653: %
4654: %
4655: %
4656: %
4657: %
4658: %
4659: %
4660: %
4661: %
4662: %
4663: %
4664: %
4665: %
4666:
4667: \begin{acks}
4668: I am grateful to Pekka Orponen for inviting me to
4669: be a lecturer of the 11th Jyv\"askyl\"a Summer School that was held in August,
4670: 2001, at the University of Jyv\"askyl\"a. I thank Kari Pasanen for being a
4671: great tutor of this tutorial, for carefully proofreading a preliminary draft
4672: of this paper, and in particular for subletting his summer house on an island
4673: of scenic Lake Keitele to me and my family during the summer school. I am
4674: grateful to Pekka and Kari for their hospitality, and I thank my 33 summer
4675: school students from 16 countries for making this course so much fun and
4676: pleasure. I also thank Eric Allender, Godmar Back, Harald Baier, Lane
4677: Hemaspaandra, Eike Kiltz, Alan Selman, Holger Spakowski, Gerd Wechsung, and
4678: Peter Widmayer for their insightful advice and helpful comments and for their
4679: interest in this paper. Last but not least, I thank the anonymous ACM
4680: Computing Surveys referees whose detailed comments very much helped to fix
4681: errors in an earlier version and to improve the presentation, and the editor,
4682: Paul Purdom, for his guidance during the editorial process.
4683: \end{acks}
4684:
4685:
4686: %
4687: %
4688: \bibliographystyle{alpha}
4689:
4690: %
4691: %
4692: \bibliography{/home/inf1/rothe/BIGBIB/joergbib}
4693: %
4694:
4695: \begin{received}
4696: Received Month Year;
4697: revised Month Year; accepted Month Year
4698: \end{received}
4699:
4700: \end{document}
4701:
4702: %
4703: %
4704: %
4705: %
4706:
4707:
4708:
4709:
4710: