Public-Key Cryptography [2nd ed.] 978-3-642-08254-2, 978-3-662-03269-5

Cryptography, secret writing, is enjoying a scientific renaissance following the seminal discovery in 1977 of public-key

152 89 24MB

English Pages 282 Year 1996

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
Front Matter....Pages I-X
Classical Two-Way Cryptography....Pages 1-54
The Idea of Public Keys....Pages 55-76
Knapsack Systems....Pages 77-124
RSA....Pages 125-157
Other Bases of Cryptosystems....Pages 159-179
Cryptographic Protocols: Surprising Vistas for Communication....Pages 181-244
Back Matter....Pages 245-275
Recommend Papers

Public-Key Cryptography [2nd ed.]
 978-3-642-08254-2, 978-3-662-03269-5

  • Commentary
  • 600 dpi, pages have an extra grey layer
  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

Texts in Theoretical Computer Science An EATCS Series Editors: W. Brauer G. Rozenberg A. Salomaa Advisory Board: G. Ausiello M. Broy S. Even J. Hartmanis N. Jones T. Leighton M. Nivat C. Papadimitriou D. Scott

Springer-Verlag Berlin Heidelberg GmbH

Arto Salomaa

Public-Key Cryptography Second, Enlarged Edition With 22 Figures

'Springer

Author Prof. Dr. Arto Salomaa Data City Turku Centre for Computer Studies FIN-20520 Turku, Finland

Series Editors Prof. Dr. Wilfried Brauer Institut fiir Informatik, Technische Universitat Mtinchen Arcisstrasse 21, D-80333 Mtinchen, Germany Prof. Dr. Grzegorz Rozenberg Institute of Applied Mathematics and Computer Science University of Leiden, Niels-Bohr-Weg 1, P.O. Box 9512 2300 RA Leiden, The Netherlands Prof. Dr. Arto Salomaa (see above)

Library of Congress Cataloging-in-Publication Data Sa l omaa. Arto. Public-key cryptography 1 Arto Salomaa. --2nd. enl . ed . p.

em . --

L a;

for j

= 2, ... , n .

i= I

Exhaustive search is not needed to solve the corresponding knapsack problem - it suffices to ·scan through A once from righ to left. Given k (the size of the knapsack), we first find out whether or not k セ。ョN@ If the answer is "no", an cannot belong to the sum we are looking for. If the answer is "yes", an must belong to the sum. This follows because all of the remaining a/s cannot sum up to k. We define k = { k if k < an , I k - an if k セ@ an

and carry out the same procedure fork 1 and an_ 1 . We are through when we reach a 1 . The algorithm shows also that, for any k, the knapsack problem has at most one solution, provided A is superincreasing. If we publicize a superincreasing A as the basis of our cryptosystem, then decryption will be equally easy for both the cryptanalyst and the legal receiver. In order to avoid this, we "scramble" A in such a way that the resulting B is not any more superincreasing but rather looks as an arbitrary knapsack vector. In fact, it only looks like one because very few knapsack vectors can be obtained in this fashion: the scrambling we use is modular multiplication. Indeed, we used modular arithmetic many times already in Chapter 1. A reader unfamiliar with the congruence notation should consult Appendix B. An integer m > La; is chosen. Since A is superincreasing, m is large in comparison with all numbers in A. Another integer t, with no common factors with m, is chosen. m and t are referred to as the modulus and the multiplier. The choice of l (mod m). The t guarantees that there exists another integer t- 1 such that tt- 1 integer t - t can be regarded as the inverse oft. It can be easily computed from t and m. We now form the products ta;, i = l, . . . , n, and reduce them modulo m: let b; be the least positive remainder of ta; modulo m. The resulting vector

=

B

= (b 1 , b2 ,

• .. ,

bn)

is publicized as the encryption key. The encryption method for blocks of plaintext consisting of n bits each is the one described above. The items t, t- 1 and m are kept as the secret trapdoor. Before comparing the situation from the point of view of the cryptanalyst and the legal receiver, let us return to our previous numerical illustration. It is easy to see that our previous tO-tuple (now denoted by B)

= (43, 129,215,473,903, 302,561, 1165,697, 1523) by modular multiplication with m = 1590 and t = 43 from B

is obtained increasing knapsack vector

A= (1, 3, 5, 11, 21, 44, 87, 175,349, 701) . Let us verify this in detail.

the super-

2.1 Some Streets Are One-Way

63

The first five numbers in B are obtained from the corresponding numbers in A by a direct multiplication with 43- no reduction with respect to the modulus is needed. (In a real-life situation not even the first numbers should be too small because then the multiplier can be easily detected.) The following calculations yield the remaining five numbers in B.

= 1892 = 1590 + 302' 43·87 = 3741 = 2·1590 + 561' 43 · 175 = 7525 = 4·1590 + 1165' 43 . 349 = 15007 = 9 . 1590 + 697 ' 43 . 701 = 30143 = 18. 1590 + 1523 . 43 · 44

We observe further that t and m have no common factors. In fact, 43 · 37 = 1591 Hence,

t-

1

= 37.

=1

(mod 1590).

Let us now find out an easy decryption method for the legal receiver. Consider first the general case, where A is a superincreasing vector and B is obtained from A by multiplying each number in A with t (mod m). Since the legal receiver knows t- 1 and m, he/she is able to find A from the public key B. After receiving a cryptotext block c', which is an integer, the legal receiver computes t - 1 c' and its smallest positive remainder c (mod m). To decrypt, he/she solves the easy knapsack problem defined by A and c. The solution is a unique sequence p of n bits. It is also a correct block of the plaintext because any solution p' of the knapsack problem defined by B and c' must equal p. Indeed,

c = t- 1 c'

= t- 1 Bp' = t- 1 tAp' = Ap'

(mod m).

Observe now that Ap' < m because m > a 1 + a 2 + . . . +a" . This implies that the above congruence can be reduced to the equation c = Ap'. Since the knapsack problem defined by A and c cannot have several solutions, we must have p' = p. Thus, how should the legal receiver handle the cryptotext (2942,3584,903, 3326,215, 2817,2629,819) obtained earlier? Multiplying by t - 1 = 37 he/she obtains first 37 · 2942 = 108854

= 68 · 1590 + 734 =734

(mod 1590) .

Continuing in the same way, he/she gets the 8-tuple (734,638,21,632,5,879, 283,93) . The number 734 and the superincreasing A yield the 10-bit sequence 1001100001. Indeed, since 734 > 701, the last bit must be 1. The numbers in A are now compared with the difference 734 - 701 = 33. The first number, from right to left, smaller than 33 is 21. The next number 11 is smaller than the difference 33 - 21 = 12. Finally, the first number 1 equals the difference 12- 11. The positions of 1, 11, 21 and 701 in A are 1, 4, 5 and 10, respectively.

64

2. The Idea of Public Keys

The numbers 638, ... , 93 yield in the same way the other seven 10-bit sequences listed above. By decoding all eight sequences the legal receiver obtains the plaintext SAUNA AND HEALTH. D The above Example 2.1 constitutes the main part of this section. The general principles for the construction of public-key cryptosystems will be stated explicitly in the next section. The cryptosystem based on superincreasing knapsack vectors serves as a simple and yet detailed illustration of these principles. On the other hand, the cryptosystem as such is not very reliable: a polynomial-time algorithm for breaking it will be discussed in Chapter 3. The algorithm is based on the fact that it is not necessary for the cryptanalyst to find the correct multiplier t and modulus m, that is, the ones actually used by the cryptosystem designer. It suffices to find any t' and m' such that the multiplication of the publicized vector by t'- 1 (mod m') yields a superincreasing vector. Thus, the cryptanalyst may actually break the system by preprocessing, that is, after the encryption key has been publicized. Since the public encryption keys are used for some time, there is often plenty of time for preprocessing, whereas the cryptanalyst is in a hurry after intercepting important encrypted messages. One-way streets- that's what public-key cryptography is all about. The reader might think of examples of one-way streets within different realms of life. Here is one very typical example. The device depicted in Fig. 2.3 is a trap used for fishing, especially in the nordic countries.

Fig. 2.3

It is very easy for a fish to enter the cage. The shape of the entrance guides the fish in - for further encouragement there might be some small fish in the cage as a bait. On the other hand, it is very hard for a fish to find its way out, although in principle an escape is possible. The legal receiver, that is the fisherman, takes the fish out by opening the trapdoor on top of the cage.

2.2 How to Realize the Idea This section will contain some general principles about the construction of publickey cryptosystems. The knowledge of the encryption key Ek should not give away

2.2 How to Realize the Idea

65

the decryption key Dk. More specifically, the computation of Dk from Ek should be intractable, at least for almost all keys k. The following mechanical analog depicts the difference between classical and public-key cryptosystems. Assume the information is sent in a box with clasp rings. Then, encryption according to a classical cryptosystem corresponds to the locking of the box with a padlock and sending the key via some absolutely secure channel, such as using an agent in the James Bond class. Key management is always an essential issue, and often constitutes a difficult problem, when one uses classical cryptosystems. Public-key cryptography corresponds to having open padlocks, provided with your name, freely available in places such as post offices. A person who wants to send a message to you closes a box with your padlock and sends it to you. Only you have a key for opening the padlock.

Fig. 2.4

The following modification of the basic public-key procedure is suitable for classical cryptosystems as well. Denote by EA., EB, .. . the encryption procedures used by A, B, .... Denote the decryption procedures similarly by D A• DB, ..•. Assume further that the cryptosystem is commutative: in any composition of E A, EB, D A• DB, ... the order of the factors is immaterial. If A wants to send a message w to B, then the following protocol is used: (i) (ii) (iii) (iv)

A B A B

sends EA(w) to B. sends EB(EA(w)) to A. sends DA(EB(EA(w))) = DA(EA(EB(w))) decrypts DB(EB(w)) = w .

= EB(w) to B.

66

2. The Idea of Public Keys

Coming back to our illustration with padlocks, open padlocks need not be distributed in advance if this protocol is followed. First, A sends the box to B, locked with A's padlock. Then, B sends the box back to A, now locked also with B's padlock. Next, A opens the padlock E A and sends the box back to B. Now B can open it. Thus, the box is always protected by at least one padlock. There is no problem in the key management: the keys are not distributed at all. See Fig. 2.4. The protocol described above is secure against passive eavesdroppers. However, an active eavesdropper C might masquerade him/her as B. Then A has no way of knowing who the other party actually is. By a passive eavesdropper we mean a cryptanalyst who tries only to obtain all possible information in order to decipher important messages. An active eavesdropper masquerades him/her as the intended receiver of a message and returns information to the original sender accordingly. We are now ready to list the general principles behind the construction of public-key cryptosystems.

Step 1: Start with a difficult problem P. P should be intractable according to complexity theory: there is no algorithm that solves all instances of Pin polynomial time with regard to the size of the instance. Preferably, not only the "worstinstance" complexity but also the average complexity of P is high. Step 2: Pick up an easy subproblem preferably in linear time.

P easy

of P.

Peasy

should be in polynomial time,

Step 3: "Shuffle or scramble" Peasy in such a way that the resulting problem does not resemble the problem P easy any more. The problem Pshuffle should at least look like the original intractable problem P. P shuffle

Step 4: Publicize Pshuffle• describing how it should be used as an encryption key. The information concerning how P easy can be recovered from Pshuffle is kept as a secret trapdoor.

Step 5: Construct the details of the cryptosystem in such a way that decryption will be essentially different for the cryptanalyst and the legal receiver. While the former has to solve P shuffle (looking like the intractable P), the latter may use the trapdoor and solve only Peasy·

Of course, our description of the Steps 1-5 is still on a very abstract level. The quality of the resulting public-key cryptosystem depends on how the details can be filled in. There are many questions to be answered. How is Pshuffle used as a basis for encryption? How easy is P easy? What constitutes the trapdoor? In particular, is it possible for the cryptanalyst to find the trapdoor by preprocessing? Can an instance of Pshuffle be easy to crack just accidentally? And so forth. We will return below to the theoretical problems involved. Let us now recall Example 2.1 from the preceding section. It serves as a very typical illustration of Steps 1-5. The knapsack problem is NP-complete - so it is a very suitable choice for the basic intractable problem. The superincreasing

2.2 How to Realize the Idea

67

knapsack problem is an easy enough subproblem of P. Modular multiplication constitutes a reasonable way of shuffling. We still return in Chapter 3 to the problem of how reasonable it actually is. This discussion will also deal with the possibilities of the cryptanalyst, as well as with some modified cryptosystems. In general, knapsack vectors form a natural and useful method for encryption. What is very interesting about the basic Steps 1-5 of public-key cryptography has something to do with their universality: the subject matter or the area of the problems is not specified in any way. In principle, the problems can be almost about anything. Examples will be seen in later chapters. However, so far the problems most suitable as a basis for a public-key cryptosystem have dealt with number theory. We have already seen an example: the knapsack problem. So far the most widely studied public-key cryptosystem, RSA, is also based on number theory. The product of two large prime numbers can be publicized without giving away the primes themselves. The one-way function, or the trapdoor, can be formulated in these terms. Details will be presented in Chapter 4. It is maybe intrinsic in the nature of public-key cryptography that very little or nothing is known about the underlying problems. Thus, RSA has been very successful although the complexity of the underlying problem, factorization, has not been adequately characterized. On the other hand, some public-key cryptosystems based on provably intractable problems (N P-complete, etc.) have turned out to be failures. For future reference, we now list some very fundamental number-theoretic problems that have so far defied all attempts to classify their complexities. Indeed, none of the subsequent problems is known either to possess a deterministic polynomial time algorithm, or to be complete for any natural complexity class. The problems have turned out to be very useful for many aspects of public-key cryptography. Some mutual reductions among the problems are also known: which of them are "easier" and which are "harder". F ACTOR(n). Find the factorization of n. PRIMALITY(n). Decide whether or not n is prime. FIND-PRIME(> n). Find a prime number >n. SQUAREFREENESS(n). Decide whether or not a square of a prime divides n. QUAD-RESIDUE(a,n). Decide whether or not x 2 =a (mod n) holds for some x. SQUAREROOT(a,n). Find, if possible, an x such that x 2 a (mod n). DISCRETE-LOG(a,b,n). Find, if possible, an x such that ax = b (mod n).

=

A number-theory minded reader might want to think of some natural reductions among the problems mentioned. For instance, if we are able to factor n, we are also able to tell whether or not n is prime. In fact, the primality problem is essentially simpler than factorization because there are many easily computable criteria to the following effect: if n is prime then a certain condition A (for instance, a congruence) is satisfied. Hence, if A is not satisfied then we are able to conclude that n is composite, without being able to factorize n.

68

2. The Idea of Public Keys

From the theoretical point of view it would be desirable to be able to formally establish some lower bounds for the amount of work the cryptanalyst has to do in order to break a public-key cryptosystem. Unfortunately, no such theoretical lower bounds are known for the most widely used public-key cryptosystems. For instance, F ACTOR(n) might be in low polynomial time, which would mean that RSA and related systems would collapse. On the other hand, it is not likely that F ACTOR(n) is in low polynomial time. After all, people have investigated F ACTOR(n) (more or less intensely) already for more than two thousand years. We will now discuss some issues of complexity theory that shed some light on the state of affairs: there are no provable lower bounds for the amount of work of a cryptanalyst analyzing a public-key cryptosystem. In fact, our previous Golden rule can be extended to concern public-key cryptosystems as follows. Golden Rule for Designers of Public-Key Cryptosystems. Test your system in practice from various points of view. Do not expect to prove remarkable results concerning the security of your system. Again, a reader not familiar with the basics of complexity theory should consult Appendix A. It is generally believed that P =I= N P. This implies that N P-complete problems are intractable. Hence, if we can show that the cryptanalysis of a publickey cryptosystem is N P-complete, we would have established its intractability. However, the following argument shows that this is not likely to be the case. The encryption key is public. Combine this fact with the requirement posed for any cryptosystem, classical and public-key alike: the encryption is easy once the encryption key and the plaintext are known. (Otherwise, the cryptosystem would be very cumbersome to use!) It follows that in any reasonable public-key cryptosystem the cryptanalysis problem is in N P. Given a cryptotext, the cryptanalyst first guesses the plaintext and then encrypts it, finding out whether it leads to the given cryptotext. Even if the publicized encryption method is nondeterministic, the whole procedure is still clearly in N P. The cryptanalysis problem is also in Co-N P. If the encryption method is deterministic, then this is obvious because one can proceed exactly as before: find out that the given plaintext-candidate does not yield the given cryptotext. In the general case, independently of whether the encryption method is deterministic, we argue as follows. We are given a triple (w, k, c),

where w is a candidate for the plaintext, k is the public encryption key and c is the cryptotext. We are supposed to accept the triple exactly in case w is not the plaintext giving rise to c. Clearly there is only one such plaintext; otherwise, decryption would be ambiguous. Our algorithm first guesses the plaintext p, then finds out (in nondeterministic polynomial time) whether p gives rise to c according to k. Only in case of a positive answer the algorithm continues, comparing p and w letter by letter. If a difference is found, the algorithm accepts. We are viewing the cryptanalysis problem in the obvious fashion: find the plaintext when the cryptotext and the public key are known. Along similar lines

2.2 How to Realize the Idea

69

one can show that several analogous problems are in the intersection NP n Co-NP, for instance, the following ones. In each case we assume that the public encryption key and the cryptotext are given. (i) Does a given word appear as a prefix (resp. a suffix) in the plaintext? (ii) Does a given word appear as a subword in the plaintext? (iii) Is a given word obtained by considering only the letters in the positions 5, 10, 15, ... in the plaintext? Thus, the cryptanalysis problem for a public-key cryptosystem is in the intersection N P n Co-N P. Hence, if the cryptanalysis problem C would be N P-complete, we would have NP = Co-NP. This is seen by the following simple argument. Consider any L in N P. Since C is N P-complete, L is polynomial time reducible to C Consequently, also the complement of L is polynomial time reducible to the complement of セ@ which is in NP, by our assumption. This implies that L is in Co-NP and, hence, NP is included in Co-NP. By this inclusion, the reverse inclusion is obvious. Take any Lin Co-NP. The complement of Lis in NP and, consequently, in Co-NP. This implies that Lis in NP. We have shown that if the cryptanalysis problem for a public-key cryptosystem is NP-complete, then NP = Co-NP. This implies that it is highly unlikely that the cryptanalysis problem for a public-key cryptosystem is N P-complete or higher up in the complexity hierarchy. We can look for examples optimal from the point of view of complexity theory.

Example 2.2. (Due to [Kar 1].) Consider wffpc's (see Appendix A) with variables in X u Y, where X and Yare disjoint. Every such wffpc is built from variables using propositional connectives v , " and "' . We allow also the truth-values T and F to appear in a wffpc. Let IX be an assignment of truth-values for the variables in X, and p0 and p 1 two wffpc's such that p0 assumes the truth-value T and p 1 the value F (or vice versa) for every assignment of truth-values for variables in Xu Y that uses IX for the variables in X. Thus, if IX is used for X, the truth-values of p0 and p 1 are independent of the truth-values assigned for the variables in Y. The pair (p 0 , pd constitutes the public encryption key, whereas IX is the secret trapdoor. As an illustration, consider X= {xpx 2 } andY= {ypy 2 }. Define IX by

1X(xd = F

and

1X(x 2 ) = T .

One can then choose

Po= "'Yt " Yz " Xz " (Yt v X1 v ("' Yz Pt = (Yz v Xz)

1\

(Yt v X1 v ("' Yt

1\

1\

Xz)),

Xz)) ·

It is easy to see that, independently of the values for y 1 and y 2 , p0 assumes the value F and p 1 the value T for IX. To encrypt a particular occurrence of the bit i in the plaintext, one assigns in P; truth-values for the variables in Yin an arbitrary fashion and shuffles the resulting wffpc (with variables in X) randomly according to the standard rules of the propositional calculus (introduction and elimination of T and F, associativity,

70

2. The Idea of Public Keys

commutativity, distributivity, idem potence). If we assign the values F and T for y 1 and y 2 in our illustration, Po reads

"' F " T" x 2

"

(F v x 1 v ("' T" x 2 ))

.

This can be shuffled to x 2 " x 1 . Consequently, x 2 " x 1 is one possible encryption for the bit 0. Legal decryption is immediate because a is known. Using the N P-completeness of the satisfiability problem, the following result can be obtained. Assume that we may consult an oracle who, given the public key and a cryptotext, tells us the bit the cryptotext is obtained from. (Oracles will be discussed in more detail in Chapter 4.) Then for every language in the intersection of NP and Co-NP, there is a deterministic polynomial time algorithm using the oracle for determining whether or not a given word is in the language. The result means that the cryptanalysis of any public-key cryptosystem can be reduced to the cryptanalysis of the system described above. Thus, the system is optimal in the sense that any cryptanalytic method to break it can be used to break any other public-key cryptosystem as well. Unfortunately, the same result can be obtained for the following degenerate system. In the public key (p 0, p 1 }, exactly one of the p's, say pk, is satisfiable. The index k constitutes the secret trapdoor. An occurrence of the bit i is encrypted by first assigning truth-values for the variables in Pi in an arbitrary fashion. If the resulting truth-value for Pi is T, i is encrypted as #, otherwise i is encrypted as i itself. In the legal decryption one simply maps # to k and leaves 0 and 1 unchanged. On the other hand, a cryptanalyst can find out the meaning of # by generating assignments until either Po or p 1 becomes true. If Pk is rarely true, then # occurs rarely in the cryptotext. Thus, the degenerate system is intuitively very weak. The paradox of the system being optimal is explained by the fact that we have considered worst case rather than average complexities. 0 In the discussion above the setup for cryptanalysis has been: given cryptotext and public encryption key. For the setup "encryption key only" the cryptanalysis problem is still in N P for any public-key cryptosystem. Interestingly enough, the system given in Example 2.2 is optimal also as regards the cryptanalytic setup "encryption key only": the cryptanalysis problem is NP-complete. It is obvious that no similar upper bounds for cryptanalytic complexity can be given for classical cryptosystems. Essentially, this due to the fact that because everything is kept secret then the easyness of the encryption and decryption for legal users cannot lead to any consequences as regards the world of the cryptanalyst. A final rather strange observation can be made from the point of view of complexity theory. A public-key cryptosystem can always be viewed as a sequence of pairs (Ei, Di), i = 1, 2, ... , where Ei is an encryption key and Di the corresponding decryption key. Both keys are completely determined by i: they can be given by some verbal description. Preprocessing proceeds now as follows. After an encryption key Ek has been publicized, the sequence (Ei, DJ is generated, until the correct EJ = the one verbally coinciding with Ek) is found. This may involve a huge

2.3 Obvious Advantages of Public Keys

71

(computationally intractable) amount of work. But still: this amount is a constant independent of the length of the cryptotext. From this point of view, the complexity of the cryptanalytic setup "cryptotext and encryption key" is n + c, where c is a constant! Of course, from a practical point of view, this does not say much because c is huge.

2.3 Obvious Advantages of Public Keys The advantages of public-key cryptography are tremendous, provided the idea can be realized without any too harmful side-effects. The most far-reaching innovation due to public keys concerns key management: how to handle and send keys. Consider any classical (that is, symmetric) cryptosystem. The encryption key gives away the decryption key and, hence, the former cannot be publicized. This means that the two legal parties (sender and receiver) have to agree in advance upon the encryption method. This can happen either in a meeting between the two parties, or else by sending the encryption key via some absolutely secure channel. If a public-key cryptosystem is used, the two parties do not have to meet - they do not even have to know each other or be in any kind of previous communication! This is a huge advantage, for instance, in the case of a big data bank, where there are numerous users and some user wants to communicate only with a specific another user. Then he/she can do so just by applying the information in the data bank itself. One can compare classical and public-key cryptosystems also as regards the length of a key. Since every key has to be described somehow, the description being a sequence of letters of some alphabet (that is, a word), it is natural to talk about the length of a key. There is a remarkable difference between classical and public-key cryptosystems. Consider first a classical cryptosystem. If the key is longer than the plaintext, nothing has really been achieved. Since the key has to be transmitted securely, one could transmit the plaintext instead of the key via this secure channel. Of course, in some situations the key is transmitted earlier to wait for the crucial moment. Consider next a public-key cryptosystem. The length of the encryption key is largely irrelevant. The key is publicized anyway. This means that also the length of the decryption key is largely irrelevant: the receiver only has to store it in a secure place. The easiness of key management can justly be regarded as the chief advantage of public-key cryptography. Let us now consider some other advantages. The central issues raised will be discussed also later on. One of a computer system's central strongholds is the password file. The following might be an entry in such a file. login: JOHNSON

password: KILLER

If the password file is exposed- accidentally or otherwise - to an inspection by an intruder, then the intruder will have free access, for instance, to Mr. Johnson's

72

2. The Idea of Public Keys

electronic mail. We assume here that the mail is not encrypted and, thus, security is provided only by the passwords. Suppose now that one-way functions fare used in connection with the password file. The entry mentioned above is now as follows. login: JOHNSON

password: KILLER function:

f1

Here f 1 is a description of a one-way function. The idea is that KILLER is Mr. Johnson's "public" password, whereas only Mr. Johnson knows his "secret" password PURR such that /APURR) =KILLER . In fact, he "publicized" the password KILLER after computing iJ (PURR). Mr. Johnson types in the secret password PURR, after which the computer checks whether or not f 1 applied to PURR gives the correct result KILLER. The computer does not store PURR in any way. The password file may now be inspected by an intruder without loss of security because the functionf1 cannot be inverted. The one-way functions f need not be cryptographic: a trapdoor for inverting them is useless in this case. It is even possible to have the same function for all users. The reader might suggest in what respect such a common function is weaker than individual functions. Authentication is an important issue. How do we know that a message planted in a communication channel or information system is authentic? How do we generate such an electronic or digital signature? Let us first state more explicitly what we want. Consider two parties A and B, possibly with conflicting interests. Typically, the parties could be a bank and its customer, or the two superpowers. When A sends a message to B, the message should be signed in such a way that the parties get the following two kinds of protection. (i) Both A and B should be protected against messages addressed to B but fed in the information system by a third party C, who pretends to be A. (ii) A should be protected against messages forged by B, who claims to have received them from A, properly signed. Of course, if B sends a message to A then A and B should be interchanged in (ii). One may visualize (i) and (ii) by thinking Bas an American agent in Moscow, A as his/her boss in Washington, and Cas a Russian agent. The importance of (i) should be obvious. (ii) is required, for instance, in case B initiates some operation without any authorization from A. The operation turns out to be a failure. However, B claims to have acted according to the instructions given by A in a properly signed message! Conditions (i) and (ii) are somewhat contradictory and, therefore, hard to satisfy simultaneously. According to (i), B should know something about A's signature. According to (ii), B should not know too much about A's signature. It is to be emphasized that electronic signatures usually change the whole text, rather than just being an addition to the end of the text.

2.3 Obvious Advantages of Public Keys

73

If a good classical cryptosystem is used, then requirement (i) can be satisfied in a reasonable fashion: A and B agree upon an encryption key known only to them. A message is signed by encrypting it according to the key. The key and preferably also the cryptosystem have to be changed reasonably often. Once C finds out the key, he/she can start sending properly signed messages. Requirement (ii) is apparently more difficult to satisfy because, as we already pointed out, B should know something about the way A generates the signature, and yet it should be impossible forB to generate A's signature. Observe also that if we are dealing with a big network of communicating parties (such as a network of mail users) then it is impractical to use a distinct secret method of signing for every pair of users. If a public-key cryptosystem is used, then both (i) and (ii) can be satisfied, at least in principle. As before, we denote by E A, E8 , . . . (resp. DA, D8 , . . . ) the encryption (resp. decryption) key used by A, B, .... First, A sends the message w to Bin the form E 8 (D A( w)). Then, B can recover D A(w) by his/her secret decryption key D 8 . From DA(w), B can recover w by the publicly known EA. Observe that EA and D A are inverses. Now both (i) and (ii) are satisfied. Only A knows D A and, hence, neither C nor B can forge A's signature. This is the case at least if plaintexts are meaningful passages of some natural language. Then the probability is negligible that some text not obtained by D A from a meaningful plaintext would translate into something meaningful. By this reason, A can also not deny sending the message to B. If only signature (but not the encryption of the message) is important, then it suffices that A sends B the pair (w, D A(w)). Requirements (i) and (ii) are satisfied as before. The basic procedures of authentication described above are vulnerable, especially as regards attacks by active eavesdroppers. The seriousness of attacks depends on the details, in particular, on the possibilities of the eavesdropper to plant false messages in the system. The basic procedures can be strengthened by applying a protocol. This means that A's sending a message to B consists of several communication steps between A and B. A first communicates something to B. Depending on the contents of this communication, B communicates something back to A. And so forth . In general, a protocol involves a sequence of message exchanges. The number of communicating parties may be also greater than two. A specific, usually public-key, cryptosystem is used. The security of a protocol usually means protection against a passive or an active eavesdropper but often also protection against cheating by some of the parties. In the latter case a protocol may provide for arbitration procedures if the parties happen to disagree about their adherence to the protocol. Protocols are no more secure than the cryptosystem applied. It is difficult to prove that a specific cryptosystem possesses certain security properties. It is also difficult to prove that if the underlying cryptosystem satisfies certain security conditions then the protocol possesses certain security properties. Many of the issues involved will be dealt with in the sequel, especially in Chapter 6. Here we briefly mention some examples of problems and tasks for which protocols have been successfully applied.

74

2. The Idea of Public Keys

Handshaking is in general slightly more complicated than authentication. The problem is that A and B want to establish a secure communications channel in a certain communications environment without any prior exchange of information. In our previous example the American agent in Moscow and the boss in Washington had to agree beforehand at least about something: how in principle signatures are generated and where the public keys are available. (We assume that they used the basic procedure described above.) This is not actually much and can be included in the common instructions provided for the users of an information system. Hence, the situation is very close to handshaking. Very often handshaking is understood to imply that the parties trust each other. Thus requirement (ii) becomes unnecessary. Suppose elections are held over a computer network. A protocol should make it impossible for non-registered voters to vote although they might be legal users of the network. Furthermore, ballots should be kept secret and the publicized outcome of the elections should be fair. Also some new types of secret votings can be carried out using appropriate protocols. Such protocols seem to open new vistas for confidential communication. Some members of a council might have the right of veto. When an appropriate protocol is followed, nobody knows whether a negative decision is based on the majority, or somebody using the veto-right, or on both! Let us consider a specific example. The parties A, B, C 1 , . •. , c. want to make a yes or no decision. All parties can vote yes or no. Moreover, A and B have two additional votes, super-yes and super-no. Such a voting may be visualized as arising in the United Nations, with A and B being the two superpowers. If no supervotes are cast, the majority decides. If at least one supervote is cast, then the ordinary votes have no significance. The decision is yes in case of a draw. After the voting all parties know the decision but nobody knows why the decision was made. Was it due to a supervote, majority, or to both? Of course, it is possible to construct a voting machine to satisfy the requirements. But nobody would trust such a machine: it could be tampered to leak information and/or announce a false outcome for the voting. In the next example a specific protocol is suggested. Example 2.3. Two persons A and B want to play poker by telephone without any

third party acting as an impartial judge. We consider the basic variant of the game, where five cards are dealt. As regards most of the other variants, the protocol is essentially the same. It is obviously necessary for A and B to exchange information in encrypted form in order to "deal" cards in a proper way. A proper deal should satisfy the following requirements. (i) All hands (sets of five cards) are equally likely. (ii) The hands of A and B are disjoint. (iii) Both players know their own hand but have no information about the opponent's hand. (iv) It is possible for each of the players to find out the eventual cheating of the other player.

2.3 Obvious Advantages of Public Keys

75

We now propose a protocol. A cryptosystem, classical or public-key, is used. However, neither the encryption methods EA and EB nor the decryption methods D A and DB are publicized. Moreover, commutativity is assumed: in any composition of E's and D's the mutual order is immaterial. Before the actual play, A and B agree on the names w 1 , . . . , w52 of the 52 cards. The names are chosen in such a way that the cryptosystem is applicable in the sense needed in the sequel. For instance, if EA and EB operate on integers within a certain range then each wi should be an integer within this range. We are now ready to describe the protocol. A acts as the dealer but the roles of A and B can be interchanged. The protocol consists of the following four steps. Step 1: B shuffles the cards, encrypts them using EB, and tells the result to A. This means that B tells A the items EB(w 1 ), ••. , EB(w 52 ) in a randomly chosen order. Step 2: A chooses five of the items EB(w;) and tells them to B. These items are

B's cards. Step 3: A chooses another five of the items E B( wi ), encrypts them by E A, and tells the result to B. Step 4: After receiving five items of the form EA(EB(w;)) in Step 3, B applies DB to them and tells the result to A. These five items represent A's cards.

Let us now see how the requirements (i)-(iv) are satisfied. Clearly both players know their own cards. In particular, A receives in Step 4 five items of the form DB(EA(EB(w;))). Because of commutativity, DB(EA(EB(wi))) = EA(DB(EB(wi))) = EA(wi),

and hence A has only to use D A. The hands will also be disjoint: B can immediately check that the items given in Step 3 differ from those given in Step 2. No conclusive evidence can be presented as regards the other requirements (i) - (iv). The matter depends largely on how truly one-way functions the E's actually are. For instance, it might be impossible to find wi on the basis of EB(wi) but, still, some partial information about wi could be found. For instance, if wi is a sequence of bits, the last bit could be found from EB(wJ Such partial information could tell A that all aces are within a certain proper subset of EB(w 1 ), • . . , EB(w 52 ). Then A would surely deal B only cards outside this subset and for himself/herself only cards from this subset. In this case (i) and the second part of (iii) would be violated. The cryptosystem cannot be public-key in the normal sense. A could simply compute all the values E 8 (w;) and deal the cards accordingly: a good hand forB but slightly better for himself/herself! Some of the issues in this example are of general nature and will be discussed also later. In fact, a public-key cryptosystem can never have a small plaintext space, such as only 52 plain texts. Then all of them can be encrypted using the public key, and decryption amounts to a search through all resulting cryptotexts.

76

2. The Idea of Public Keys

The possibility of obtaining partial information is also one of the central issues in public-key cryptography. For some cryptosystems, such as RSA, it has been shown that if partial information can be obtained then the whole system can be broken. This means that if you are convinced about the security of the cryptosystem, then you also know that the system does not leak partial information. 0 We conclude this chapter by mentioning three problems that require cryptographic protocols for their solution. The protocols devised for these problems are often used as a part of a protocol for a more complicated problem. Thus, the protocol given in [GM] for the problem of Example 2.3 uses coin flipping. A and B want to .flip a coin by telephone without any impartial judge. As always, both parties should at some later stage be able to check that the other party did not cheat. This may happen after the result of the coin flipping has been used for some other purpose. An oblivious transfer allows A to transfer a secret to B with probability!. After the completion of the protocol, B knows whether or not the secret was transferred successfully, but A does not know. Two or more parties want to share a part of their secrets but do not want to give away their secrets entirely. For instance, two people want to find out who is older without learning anything else about each other's age. After going through the protocol both know who is older but neither one knows how much older.

Chapter 3. Knapsack Systems

3.1 A Trapdoor is Built Public-key cryptosystems based on the knapsack problem were already briefly discussed in Example 2.1 in Chapter 2. It was also pointed out that knapsack systems are very suitable for illustrating all basic ideas behind public-key cryptography. The setup is also versatile enough to produce new variants to avoid cryptographic weaknesses. Mathematical techniques will be used in this and later chapters to a larger extent than in Chapters 1 and 2. All the necessary tools will be summarized in the appendices. Fundamentals of the theory can also be understood without entering the mathematical developments. This section presents the basic knapsack system in more details than Example 2.1. Shamir's cryptanalytic attack is described in Section 3.2. Section 3.3 deals with a general theory of reachability, applicable to both simple and composite knapsacks. Interesting variants of knapsack systems will be presented in Section 3.4. The final Section 3.5 deals with systems based on dense knapsacks. We are now ready to go into definitions. A knapsack vector A = (a 1 , •.• , a") is an ordered n-tuple, n;;::: 3, of distinct positive integers a;. An instance of the knapsack problem is a pair (A, ex), where A is a knapsack vector and ex is a positive integer. A solution to (A, ex) is a subset of A whose elements sum up to ex. (Since we are talking about a subset, each a; appears in the sum at most once.) Knapsack problems are sometimes called also subset sum problems. The most common variant of the knapsack problem is to tell whether or not a given instance (A, ex) possesses a solution. A variant used in cryptography is to produce a solution for a given instance (A, ex) when it is known that a solution exists. Both of these variants are N P-complete. There are also variants that are not even in NP. A knapsack vector A is used to encrypt a block C of n bits by summing up such components of A that 1 appears in the corresponding position in C. If the sum is denoted by ex, then decryption amounts to finding C from ex, or from A and ex if we are dealing with a public-key cryptosystem. The latter possibility is just the cryptographic variant of the knapsack problem. Equivalently, we may view C as a column vector of bits. Then ex equals the product AC.

78

3. Knapsack Systems

As an illustration, assume that n = 6 and A = (3,41,5, 1,21, 10). Then (1, 1,0,0, 1,0) and (1,0, 1, 1,0, 1) are encrypted as 65 and 19, respectively. For this A, all cryptotexts a are numbers :s; 81. At most one plaintext corresponds to each cryptotext. For A= (14, 28, 56, 82, 90, 132, 197,284, 341, 455), the cryptotext a= 515 has exactly three corresponding plaintexts (1, 1,0,0,0, 1,0,0, 1,0),

(0, 1, 1,0, 1,0,0,0, 1,0),

(1,0,0, 1, 1, 1, 1,0,0,0) .

This is seen immediately by reading A from right to left, for instance, 455 cannot appear in the solution because it is not possible to express 60 = 515- 455 as a sum. Similarly, the cryptotext a= 516 has no corresponding plaintext. Now it is easy to see that none of the last four numbers in A can appear in the sum, whereas the sum of the remaining numbers is too small. For a = 517, the only corresponding plaintext is (1, 1, 1,0, 1, 1, 1,0,0,0). Examples like this illustrate the obvious fact that cryptanalysis arising from some instances of the knapsack problem can be easy. Since uniqueness of decryption is desirable, the knapsacks vectors A should have the property that, for every a, all instances (A, a) possess at most one solution. Such knapsack vectors A are referred to as injective in the sequel. This terminology is very natural because the injectivity of A means that the function induced by A, defined in Example 2.1, is injective. Of the two A's considered above the first is injective, whereas the second is not. For some vectors A, all instances (A, a) are easy to solve. We have already seen in Example 2.1 that super-increasing vectors possess this property. A two-way cryptosystem can be based on such vectors in an obvious fashion: both the sender and receiver know the vector A . On the other hand, if a vector B is publicized as an encryption key, then the legal receiver must have some secret trapdoor information for transforming B and the cryptotext into an easy instance of the knapsack problem. We already indicated in Example 2.1 how this can be done using super-increasing vectors. The construction will now be given in a somewhat more detailed form . A knapsack vector A = (a 1 , . . . , an) is increasing (resp. super-increasing) iff

holds for all j = 2, ... , n. Clearly, every super-increasing vector is increasing. For a knapsack vector A we define max A= max(ail1 :s;j :s; n) . Let x be a nonnegative number. We denote by [x] the integer part of x, that is, the greatest integer :s; x. For integers x and m セ@ 2, we denote by (x, mod m) the least nonnegative remainder of x modulo m. It is easy to see that (x, modm)

= x- [x/m] · m .

3.1 A Trapdoor is Built

79

This equation will be often, especially in Section 3.3, written in the form x = (x, modm)

+ [x/m]·m.

We now define two variants of the notion of modular multiplication. Consider a knapsack vector A, an integer m > max A and a positive integer t < m such that the greatest common divisor (t, m) = 1. If B = (b 1 , . . . , bn) is a vector such that bi = (tai, modm),

fori= 1, ... , n,

we say that B results from A by modular multiplication with respect to the modulus m and multiplier t or, briefly, with respect to the pair (m, t). The condition (t, m) = 1 guarantees the existence of an inverse t- 1 = u such that tu

= 1 (modm)

and 1 ::::;; u < m. This implies that also conversely A results from B by modular multiplication with respect to m and u. (Clearly m > max B because every bi is reduced modulo m.) If above the condition m > max A is replaced by the stronger condition n

m>

L ai,

we say that B results from A by strong modular multiplication with

i= I

respect to m and t. Observe that now we cannot conclude that A results from B by strong modular multiplication with respect to m and u because the inequality n

m>

L bi

does not necessarily hold. Of course, A results from B by modular

i= I

multiplication with respect to m and u. A cryptosystem designer now chooses A, t, m, B such that A is super-increasing and B results from A by strong modular multiplication with respect to m and t. B is publicized as the encryption key, and n-bit blocks are sent to the designer as numbers p obtained from Bin the way described above. An eavesdropper has to solve the instance (B, p) of the knapsack problem. The designer computes a= (u/3, mod m) and solves the instance (A, a). Why this works is summarized in the following lemma.

Lemma 3.1. Assume that A = (a 1 , . • . , an) is super-increasing and B results from A by strong modular multiplication with respect to m and t. Assume further that u = t -! (mod m), p is arbitrary and r:x. = (up, mod m). Then the following assertions hold true. (i) The knapsack problem (A, r:x.) is solvable in linear time. If a solution exists, it is unique. (ii) The knapsack problem (B, /3) has at most one solution. (iii) If a solution to (B, /3) exists, it equals the unique solution to (A, r:x.). Proof (i) It was shown in Example 2.1 that every knapsack problem with a superincreasing A can be solved in linear time by reading through A once from right to left. The method shows that there can be at most one solution. (ii) and (iii) Assume

80

3. Knapsack Systems

that an n-bit vector D is a solution to (B, p), that is, BD = p. Consequently, a= up= uBD

=u(tA)D =AD (modm).

Since m exceeds the sum of the components of A, we must have AD < m. Since also a< m, by the definition of a, we conclude that a= AD. Thus, D equals the unique solution to (A, a). This shows (iii). Since we started with an arbitrary solution to (B, {3) and showed that it equals the unique solution to (A, a), we have established

D セP@

In our cryptographic application of Lemma 3.1 we know that (B, {3) has a solution: f3 was computed in a way to guarantee this. Example 3.1. Our first illustration is still manageable with a pocket calculator. Let

n = 10 and consider the super-increasing vector

A =(103, 107,211,430,863,1718,3449,6907, 13807,27610). Choose the modulus m = 55207 which is greater (by two) than the sum of the components of A. Choose further the multiplier t = 25236. Then (t, m) = 1 and t- 1 = u = 1061. Indeed, 1061.25236- 1 = 485.55207 . As a result of the strong modular multiplication we now get B=(4579,50316,24924, 30908,27110, 17953,32732, 16553,22075,53620). For instance,

+ 47 · 55207 and 1061 · 4579 = 103 + 88 · 55207 , 25236 · 1718 = 17953 + 785 • 55207 and 1061 ·17953 = 1718 + 345 · 55207 , 25236 · 27610 = 53620 + 12620 · 55207 and 1061 · 53620 = 27610 + 1030 · 55207 .

25236 · 103 = 4579

The vector B is the public encryption key, whereas the items A, t, u, m constitute the secret trapdoor. Of course, the knowledge of m and either t or u enables one to compute the other items immediately. Let us now use the public key B and encrypt the plaintext IN FINLAND CHILDREN USED TO BE BORN IN SAUNA EVEN TODAY INFANT MORTALITY IS IN FINLAND LOWEST IN THE WORLD. We use first the numerical encoding, where the space between words gets the value 0 and the letters A-Z the values 1-26. The numerical encoding is expressed in bits. In fact, a complete list of the bit values was given in Example 2.1. Since B can be used to encrypt blocks of ten bits, our plaintext has to be divided into blocks consisting of two characters each. In what follows, we give first a plaintext block, then the numerical encoding and, finally, the encryption of the block as a decimal number. The cryptotext consists of the 53 numbers thus obtained, written one after the other so that individual numbers are distinguishable.

3.1 A Trapdoor is Built

IN F IN LA ND

01001 00000

01001 01100 01110

c

00000

HI LD RE N

01000 01100 10010 01110 10101 00101

us ED T 0

BE B OR N IN

00000

01111 00010 00000

01111 01110 01001

s

00000

AU NA E VE N TO DA

00001 01110

y

IN FA NT

00000

10110 01110 10100 00100 11001 01001 00110 01110

M

00000

OR TA LI TY I

01111 10100 01100 10100

s IN

00000

10011 01001

01110 00110 01110 00001 00100 00011 01001 00100 00101 00000

10011 00100 10100 00000

00101 00010 10010 00000

01110 10011 10101 00001 00101 00101 ()()()()()

01111 00001 00000

01110 00001 10100 01101 10010 00001 01001 11001 01001 00000

01110

148786 38628 148786 128860 122701 75695 136668 91793 105660 106148 150261 68587 34506 133258 101081 22075 173286 106148 148786 93648 115236 159768 70173 130584 106148 154483 78544 82005 148786 109452 140654 102905 173286 83123 161592 133808 86352 62597 148786

81

82

3. Knapsack Systems

F

()()()()()

IN LA ND L

01001 01100 01110

ow

01111 00101 10100 01001

ES T IN T HE

w OR LD

()()()()()

()()()()()

01000 ()()()()()

01111 01100

00110 01110 00001 00100 01100 10111 10011 ()()()()()

01110 10100 00101 10111 10010 00100

38628 148786 128860 122701 49285 243459 145682 29503 148786 34506 120489 110201 173286 91793

We decrypt the first number 148786. Note first that 1061·148786 = 2859·55207

+ 25133.

Consider the knapsack problem (A, 25133). The solution is obtained by scanning A once from right to left. Whenever the number at hand is at least the currently scanned component of A, we get the bit 1 and the new number is obtained by subtracting the component from the number previously at hand. Otherwise, we get the bit 0 and the number at hand remains unaltered. The result can be expressed as follows. Number 25133 25133 11326 4419 970 970 107 107 107 0

Component of A 27610 13807 6907 3449 1718 863 430 211 107 103

Bit 0 1 1 1 0 1 0 0 1 0

The original bit vector, from which the plaintext IN results, can be read from the last column bottom up. In the decryption of the second number 38628 we obtain first 20714 which is treated similarly, and so forth . A further remark is in order. Assume that we try to proceed in the reverse order. Consider the plaintext block OR appearing three times. Encrypt it first with A,

3.1 A Trapdoor is Built

83

yielding 17136. Apply strong modular multiplication with respect to 55207 and 25236, yielding 7665. But (B, 7665) clearly possesses no solution. The simple explanation is that we cannot deduce an equation from a congruence (as in the proof of Lemma 3.1) because m is smaller than the sum of the components of B. Indeed, 7665 = 173286 (mod 55207) , and we should operate with 173286. Our second illustration is too big for a pocket calculator but still too small for real encryption. Realistic examples are very likely to become completely unreadable. The computations here, as well as in the final illustration in Example 4.1, are due to Kimmo Kari. Let now n = 20. Choose the modulus and multiplier

m = 53939986 and t = 54377 , yielding

t-

1

= u = 17521047. The super-increasing A is defined by: al az = a3 a4

as a6 a? as a9 a1o = a 11 = a12 = a13 = a14 = a1s = a16 = a17 = a1s = a19 = a 20 =

101 102 206 412 823 1647 3292 6584 13169 26337 52676 105352 210703 421407 842812 1685624 3371249 6742497 13484996 26969992

Strong modular multiplication gives now the following publicized vector B:

bi bz b3 b4 bs

= 5492077 = 5546454 = 11201662 = 22403324 =44752271

84

3. Knapsack Systems

b6 = 35618933 b7 = 17189126 b 8 = 34378252 b9 = 14870895 b10 = 29687413 b,, = 5543594 b 12 = 11087188 bl3 = 22119999 b,4 = 44294375 b 15 = 34540010 b,6 = 15140034 b,7 = 30334445 b 18 = 6674527 b,9 = 13457808 b 20 = 26915616 Let us encrypt the following plaintext about sauna: IF YOUR FEET CARRY YOU TO SAUNA THEY SURELY CARRY YOU BACK HOME IF SAUNA ALCOHOL AND TAR DO NOT CURE YOUR DISEASE IT MUST BE FATAL. As before, empty space is encoded as 0, and the letters A-Z get the numbers 1- 26. Five bits per number are required in binary notation. Since n = 20, four plaintext characters are encrypted at the same time. The encoding, divided into sequences of 20 bits, looks as follows. IF Y OUR FEET CAR RY Y OU T 0 SA UNA THEY SUR ELY CARR Y YO U BA CK H OME

I F

S

01001 01111 00110 00000 10010 01111 01111 10101 10100 00000 00101 00011 11001 10101 00011 01111 01001

00110 10101 00101 00011 11001 10101 00000 01110 01000 10011 01100 00001 00000 00000 01011 01101 00110

00000 10010 00101 00001 00000 00000 10011 00001 00101 10101 11001 10010 11001 00010 00000 00101 00000

11001 00000 10100 10010 11001 10100 00001 00000 11001 10010 00000 10010 01111 00001 01000 00000 10011

3.1 A Trapdoor is Built

AUNA ALC OHOL AND TAR DO NOT CURE YOU R DI SEAS E IT MUS T BE FAT AL

00001 00000 01111 00000 00000 00000 01110 00011 00000 10010 10011 00101 00000 10100 00000 00001

10101 00001 01000 00001 10100 00100 01111 10101 11001 00000 00101 00000 01101 00000 00110 01100

01110 01100 01111 01110 00001 01111 10100 10010 01111 00100 00001 01001 10101 00010 00001 00000

85

00001 00011 01100 00100 10010 00000 00000 00101 10101 01001 10011 10100 10011 00101 10100 00000

The cryptotext consists now of the following numbers (see the remark below at the end of Example 3.1):

1 3 4 4 5 2 7 0 1

174 6 8 190 6 2 1 0 2 5 4 214 27 1 8 3 7 1 5 3 5 16 18 220 5 2 0 1 1

69 56 368 3 8 4 4 0

5 7 1 6 4 3 5 9 4 3 6 5 0 6 7

2

0 3 2 29 375 5 4 1 1 5

16 840 6 176 1 4 8 1 9 3 3 3 7

180 334 2 16 71411380

1288 2 0 7 5 1 1 7 5 1492

0 2960 6 1 9 6 7 9 5 8 3 1

73987

6 5 8 3 1 2 7 2 24 5 56 3 3 8 1

86

3. Knapsack Systems

8 3 18 3 5 2 9 1 4 2 5 7 7 6 6 7

12 4 17 7 20 5 1 9 7 5 7 7 6 0 1

17 124 8 3 6 0 2 4 7 8 8 1 19 5 1 1 9 5 2 3 7 1 4

19 146 34 2 3 1 2 8 2 5 8 3 2 2 2 2 7 4 3 3 3 6 8 6 7 4 7 3 0 0 8

12 4 780 0 5 3 8 1 5 5 4 4 0 8

The legal recipient multiplies these numbers by u (mod m), and goes back to the super-increasing A. For instance, the multiplication of the first number gives 15488011. When solving this with respect to A, we get similarly as in our first illustration:

Number

Component of A

Bit

15488011 15488011 2003015 2003015 2003015 317391 317391 317391 106688 1336 1336 1336 1336 1336 1336 1336 513 101 101 101

26969992 13484996 6742497 3371249 1685624 842812 421407 210703 105352 52676 26337 13169 6584 3292 1647 823 412 206 102 101

0 1 0 0 1 0 0 1 1 0 0 0 0 0 0 1 1 0 0 1

3.2 How to Find the Trapdoor

87

Our encryption procedure in this second illustration was exceptional: the order of the components of B was reversed before encryption. Thus, to get the first encrypted number 134452701 we formed the sum b 19 + b 16 + b 13 + b 12 + b 5 + b4 + b 1 • This procedure follows the analysis of A from right to left in the table above. However, the procedure will not be repeated in the sequel because it is unnatural from the point of view of vector multiplication. 0

3.2 How to Find the Trapdoor We face the following cryptanalytic task. A knapsack vector B = (b 1 , • •• , b") is known to us. B is used as a public encryption key in the manner described above. We also know that B is obtained by strong modular multiplication from a superincreasing vector A, with respect to a modulus m and multiplier t. All of the items A, m and tare unknown to us. We want to find them. What interests us most directly is to find m and t- 1 = u (mod m). Knowing m and u we can immediately compute A and decrypt any cryptotext. The computation of u from t, or vice versa, amounts to one application of Euclid's algorithm and can be done fast. The cryptanalytic setup here is encryption key only. Often this means that more time is available because the analysis of the system can be carried out before important cryptotexts have been sent. This section discusses A. Shamir"s cryptanalytic approach. The resulting algorithm runs in polynomial time. However, it is to be emphasized that a classification of cryptosystems into bad and good is overly simplified if it focuses only on the condition whether or not a polynomial time algorithm for the cryptanalysis is known. The degree of the polynomial is very important in cryptography. Moreover, as we have already emphasized, knapsack systems are very versatile for producing modifications to overcome known cryptanalytic attacks. When we say that an algorithm runs in polynomial time, we have to be careful in defining the size of an instance B, the algorithm being polynomial with respect to the size. We have to consider a family of knapsack vectors B whose sizes grow to infinity. There are two parameters contributing to the size of a vector B: the number n of the components and the sizes of the individual components b;. If either one of the parameters is kept bounded from above, the resulting knapsack problems can be solved trivially in polynomial time. Indeed, if each b; in every vector considered is less than some constant C, the total number of vectors is finite and, hence, there is some fixed time bound such that every knapsack problem considered can be solved within this time bound. On the other hand, if always n < C then every knapsack problem considered can be solved in linear time, where the coefficient is the constant 2c. It is customary to choose the number n of components as the size and to give bounds for the components in terms of n. It is to be emphasized that all such bounds for the components are artificial from a mathematical point of view and restrict the generality of the problem because only a very small number of

88

3. Knapsack Systems

instances fall within the bounds. This is apparent also in view of the general theory of Section 3.3. In [Sh2], the bounds are given as follows. A proportionality constant d > 1 is fixed. Then the modulus m consists of dn bits. The component a;, 1 セ@ i セ@ n, of the super-increasing vector A consists of dn - 1 - n + i bits. If dis not an integer, dn is replaced by· [dn]. The leading bit is 1 in every number. This guarantees that A is always super-increasing and that one can choose m to exceed the sum of the components of A. In the original paper, [MeH], the choices n = 100 and d = 2 were recommended. This means that m consists of 200 bits and the components a 1 , . •• , a 100 grow in size from 100 to 199 bits. In constructing the algorithm the initial observation is that it is not necessary to find the inverse multiplier u and modulus m actually used by the designer of the cryptosystem. Any pair (u, m) will do, provided u and m satisfy the conditions of modular multiplication as regards B, the result A of such a modular multiplication is super-increasing and m exceeds the sum of the components of A. (This implies that B results from A by strong modular multiplication with respect to m and u- 1 = t.) Such pairs (u, m) are referred to as trapdoor pairs. Once we have found a trapdoor pair, Lemma 3.1 becomes available, and we may decrypt using the resulting super-increasing vector. This is quite independent of whether or not our trapdoor pair and the resulting super-increasing vector are the ones actually used by the cryptosystem designer. On the other hand, the existence of at least one trapdoor pair is guaranteed by the fact that cryptosystem designer made use of such a pair. (Using the terminology of Section 3.3, we know a priori that the given knapsack vector B is super-reachable.) To find a trapdoor pair (u, m), we first consider the graphs of the functions b;u (mod m) for all values i = 1, ... , n. The graph of b;u (mod m) consists of straight line segments, where the values u = pm/b;, p = 1, 2, ... , are discontinuation points of the function. Thus, the graph of the function b;u (mod m) has the sawtooth form of Fig. 3.1. This sawtooth curve is considered for each i = 1, . .. , n.

m

m Fig. 3.1

Recall that (b 1 u, mod m) = a 1 , where u is not a variable but the actual inverse multiplier we are looking for. Since a 1 is the first component in a super-increasing vector and m exceeds the sum of all components, a 1 must be very small in

3.2 How to Find the Trapdoor

89

comparison with m. This implies that the trapdoor pair value of u must be close to some minimum of the b1 -graph. An explicit estimate concerning how close it must be presupposes some conventions (such as those indicated above) about the sizes of a 1 and m, as well as about the expected value of b 1 . Usually bJai is very large for small values of i. However, the cryptosystem designer may take care of that bJai < 1 for some values of i. Then some distances will be much larger than expected, which causes serious difficulties for the cryptanalyst. Similarly we see that the trapdoor pair value of u must be close to some minimum of the b 2 -graph. This implies (by the triangular inequality) that the two minima of the b 1- and b2 -graphs must be close to one another. One can proceed in the same way and consider more sawtooth curves. The fact that the trapdoor pair value of u is close to a minimum on each curve implies that all these minima are close to one another. Thus, instead of trying to find u itself, we may try to find "accumulation points" of the minima of our sawtooth curves. This amounts to constructing a small interval containing a minimum of each sawtooth curve. From this interval we also find a trapdoor pair value of u. By heuristic calculations (see [Sh2]) one can show that, for the value d = 2 of the proportionality constant, it suffices to analyze only four sawtooth curves to get a manageable (not too big) set of accumulation points for their minima. Any accumulation point of minima of all curves is among the accumulation points constructed for the minima of the four curves mentioned. We now come to the problem of how to express these ideas in terms of inequalities. The first obstacle is that we do not know any value of a modulus m appearing in a trapdoor pair. This obstacle is easily overcome. We reduce the size of the picture so that m becomes 1. In other words, the lengths are divided by m. This operation does not affect the location of the accumulation points in which we are interested. For instance, if there was a bcminimum near the seventh b 3 minimum before the size reduction, the same certainly holds true after the size reduction. The algorithm for finding a trapdoor pair consists of two parts. In the first part, we find candidates for an integer p such that the pth minimum of the b 1 -curve is an accumulation point we are looking for. The second part of the algorithm tests the candidates one by one. One of the tests has to succeed because the trapdoor pair value of u used by the cryptosystem designer determines one accumulation point. A specific precaution has to be taken. The first part of the algorithm might produce too many (in comparison with the size of the problem) candidates for p. Therefore, we fix in advance a parameter r indicating the maximum number of candidates allowed. If the first part of the algorithm produces r + 1 candidates for p, the algorithm terminates and reports failure. The algorithm is stochastic with a negligible probability of failure. On the other hand, we do not have to consider all components b 2 , •.. , b" in the first part of the algorithm, but may fix in advance the value of another parameter s s are not considered at all in the first part of the algorithm, and it is very likely that

90

3. Knapsack Systems

entirely wrong values of p are produced. However, the second part of the algorithm checks through all values of i, 2 ::; i ::; n. A candidate p is rejected if, for some i, there is no minimum of the b;-curve near the pth minimum of the b 1-curve. We already pointed out that s = 4 is in many cases a reasonable choice. Consider the first part of the algorithm in more detail. The u-coordinate of the pth minimum of the b 1-curve is p/b 1 • (Recall that we reduced the picture in such a way that the modulus equals 1.) Hence, the condition that some minimum of the b2 -curve lies near the pth minimum of the b 1-curve can be expressed as p

q

- e < - - - < e, b1 b2

1 ::; p ::; b 1 - 1,

1 ::; q ::; b2

-

1.

Multiplying by the product b 1b2 we obtain

- b < b2p - b1 q < b, 1 ::::;; p ::::;; b1 - 1,

1 ::; q ::::;; b2 - 1 .

We write s- 1 inequalities of this latter form, one for each of the components • • • , b•. How small the number b has to be chosen will be commented upon later. The first part of the algorithm finally outputs all integers p for which there are integers q, . . . such that all of the s - 1 inequalities are satisfied. We now describe the second part of the algorithm. It tests numbers p produced by the first part until it is successful. Consider a fixed p. All discontinuity points of all n curves lying in the closed interval [p/b 1, (p + 1)/b 1] are sorted into increasing order. Let xi and xi+ 1 be two consecutive points in the sorted list of points. Then in the interval [xi, xi+ 1] each of the b;-curves is just a line segment, expressible in the form b;u- c{, where cf is a constant depending on i and j (and, of course, also on p). The solution of the following system of linear inequalities in u is a (possibly empty) open subinterval of [xi , xi+ 1]: b2 ,

n

L (b;u -

cf) < 1 ,

i= I

A necessary and sufficient condition for two numbers u and m to constitute a trapdoor pair is the membership of uj m in a subinterval thus constructed, for some p and j. Indeed, the last inequalities express the super-increasing condition, and the inequality preceding the last the condition for the modulus being sufficiently large. Thus, the second part of the algorithm investigates successively through pairs (p, j), where pis a candidate produced by the first part andj is an index of a point in the sorted list corresponding top. The investigation is carried out until a nonempty interval is found. At least the trapdoor pair actually used by the cryptosystem designer corresponds to a nonempty interval. The second part of the algorithm amounts to finding a rational number ujm from some nonempty interval we are considering. This is a problem in Diophantine

3.2 How to Find the Trapdoor

91

approximation. The first part amounts to producing candidates p worth a further study, which is a problem of integer programming. Both techniques require only polynomial time. Recall also that the algorithm reports failure if more than r candidates pare generated in the first part. In the inequalities of the first part also then a bound{> is considered. It is estimated in [Sh2] that if we choose{>< the probability for the algorithm to fail is at most (2/r)'- 1 . The degree of the polynomial expressing the running time of the algorithm is hard to estimate, as is the interrelation between the degree, the failure probability and the values of the three chosen constants 1>, r and s. From the point of view of decryption it does not make much difference if we do not obtain a super-increasing vector but rather a permutation of a super-increasing vector. The permuted version can be quickly sorted into increasing order. While we cannot analyze in polynomial time all n! permutations of the given vector B, we can reduce the number of permutations by using the fact that a super-increasing vector is also an increasing one. This is done by making the intervals [xi, xi+ 1 ] smaller by including also the intersection points between pairs of curves (in addition to the discontinuity points of all curves). This increases the expected number of intervals from O(n) to O(n 2 ). Within each new interval there is a specific vertical ordering of all curves. This ordering gives the only possible permutation of the accomponents, provided the interval in question leads to success. The inequalities have to be modified because the super-increasing condition is not any more required.

JbJi,

Example 3.2. Our first illustration of the algorithm is very simple. The publicized vector is B = (7, 3, 2). Of course, it is very easy to handle this vector directly; it is even super-increasing in reverse order. However, in case of this vector all computations can be presented in great detail. This means that many details of the algorithm can be further clarified. Consider the first part of the algorithm. There are two double inequalities - {>

< 3p- 7q < 1>,

-

{>

< 2p- 7r
,

where 1 :::;; p :::;; 6, 1 :::;; q :::;; 2, r = 1. We are looking for values of p such that the inequalities are satisfied, for some q and r in their respective ranges. We still have to fix the value of the constant b. The choice {> = = .j7ii = 1.87 was recommended above. This choice produces no values of p. Indeed, in small examples any asymptotic result might be wrong. We intend to check through all values of pin the second part of the algorithm. The following table lists for each p the smallest value of() such that the above inequalities, where < is replaced by :::;; , have a solution for some q and r. (7 r can of course be replaced by 7 because r = 1 is the only possible value.)

JbJi

pl123456 (j

5 3 2 2 3 5

It will be seen below that even if we choose

(j

= 2, we miss the correct p-value.

92

3. Knapsack Systems

Thus, for the second part of the algorithm, we accept all p-values as candidates. This means that we divide the entire interval (0, 1) into subintervals

such that all of the three hi-curves are line segments biu- c{ in each subinterval. (As before, the superscript j indicates the interval.) We consider here open rather than closed intervals because no discontinuation point of some bccurve can give a trapdoor pair. The inequalities to be considered, for each subinterval, in the second part of the algorithm are (7u- i') + (3u- i") + (2u- i'") < 1 , 7u- i' < 3u- i", (7u- i')

+ (3u-

i") < 2u- i'",

where the constants range over the values 0 セ@ i' セ@ 6, 0 セ@ i" セ@ 2, 0 セ@ i"' depending on the subinterval. The inequalities can be written in the form

セ@

1,

12u < i, 4u ,

1215p- 43rl

セ@

f>,

l473p- 43sl

セ@

{).

Since the numbers 129, 215 and 473 happen to be multiples of 43, we get p = 1 as a candidate even if we choose{) = 0. We do not investigate other candidates and, thus, we are interested in the interval (1/43, 2/43). Consider discontinuation points of other curves in this interval. The one closest to the left end point of the interval is 36/1523. It is not necessary that the closest point is obtained using the greatest bcnumber but for this B it happens to be the case. Our interval is now (1/43, 36/1523). In this interval the b;-curves are

43u- 1, 302u- 7,

129u- 3, 215u- 5, 473u- 11, 903u- 21 , 561 u- 13,

1165u- 27, 697u- 16,

1523u- 35.

The inequality expressing the size of the modulus is 6011 u - 139 < 1, yielding u < 140/6011 . Since 140/6011 < 36/1523, we get the new interval (1/43, 140/6011). We now list the inequalities expressing the super-increasing condition. The left column gives the inequality and the right column the solution. 129u- 3 > 43u- 1 , 215u - 5 > 172u - 4 , 473u- 11 > 387u- 9 , 903u- 21 > 860u- 20, 302u-7> 1763u-41, 561u- 13 > 2065u- 48, 1165u- 27 > 2626u- 61, 697u- 16 > 3791u- 88, 1523u- 35 > 4488u- 104,

u > 1/43' u > 1/43' u > 1/43' u > 1/43' u < 34/1461' u < 35/1504' u < 34/1461' u < 72/3094' u < 69/2965.

94

3. Knapsack Systems

The first four inequalities are satisfied in the whole interval, whereas the remaining five restrict the right end point of the interval. The smallest among the upper bounds obtained for u is 72/3094 = 36/1547. Thus, we obtain finally the interval (1/43, 36/1547). Choosing the number 37/1590 from this interval, we obtain the super-increasing vector of the cryptosystem designer mentioned in Example 2.1. Choosing the number 72/3095, we get the super-increasing vector (1, 3, 5, 11, 21, 79, 157, 315,664, 1331). The reader might want to compute the super-increasing vector obtained by choosing the number 720/30949 from our final interval. Our next illustration is the first publicized vector B = (4579, 50316, 24924, 30908,27110, 17953,32732, 16553,22075,53620)

considered in Example 3.1. This is much trickier than the vector B from Example 2.1 considered above. We do not go into any details of the first part of the algorithm. We only mention that p = 88 is a candidate generated. This leads to the interval (88/4579, 89/4579). The three leftmost discontinuation points of our curves are in increasing order of magnitude 594/30908, 479/24924 and

967/50316.

In the interval (88/4579, 594/30908) the curves have the form

4579u- 88, 50316u- 966, 24924u- 478, 30908u- 593, 27110u- 521, 16553u- 318,

17953u- 345,

22075u- 424,

32732u- 629,

53620u- 1030.

The sum of these expressions should be less than 1. This leads to the inequality 280770u < 5393 , which is not satisfied for any u in the interval. We have to consider next the subintervals (594/30908, 479/24924) and

(479/24924, 967/50316).

The right side of the inequality above is in these subintervals 5394 and 5395, respectively. (This is due to the fact that the constant in the 30908- and 24924curves is increased by 1.) But still the inequality is not satisfied by any u in the subinterval. We proceed to study the interval (967/50316, 1031/53620)

3.2 How to Find the Trapdoor

95

whose right end point is the next discontinuation point. In this interval the above inequality expressing the size requirement of the modulus gets the form

280770u < 5396,

yielding u < 2698/ 140385 .

This leads to the new interval (967/ 50316, 2698/ 140385) . We now write the inequalities expressing the super-increasing condition. As before, the left column gives the inequality and the right column the solution

50316u- 967 > 4579u- 88, 24924u - 479 > 54895u- 1055 , 30908u- 594 > 79819u- 1534, 27110u- 521 > 110727u- 2128, 17953u- 345 > 137837u- 2649, 32732u- 629 > 155790u - 2994, 16553u- 318 > 188522u- 3623, 22075u- 424 > 205075u- 3941 , 53620u- 1030 > 227150u- 4365,

u > 879/45737 ' u < 576/29971 ' u < 940/48911 ' u < 1607/83617' u < 2304/ 119884 ' u < 2365/ 123058 ' u < 3305/ 171969' u < 3517/ 183000' u < 3335/ 173530 .

Only the first inequality has influence on the end points of our interval. Hence, our final subinterval will be (879/45737, 2698/ 140385) . The interval is very tight: the end points differ by 1 on the 9th decimal only. The number 1061/55207 corresponding to the trapdoor pair of the cryptosystem designer lies in this interval. It is interesting to note also that neither one of the end points of the final interval is a discontinuation point and that the left end point lies quite far from our original left end point 88/4579. Our final illustration deals with the second publicized vector B of Example 3.1. Without going into any details, we mention that the following interval is obtained: (

410868073108917982154 1264891196933908912166'

410868073109349502042 ) 1264891196933908912166 .

The original ujm lies in this interval, and so does

u' m'

410868073109000000000 1264891196933908912166

We reduce the quotient u' /m' and obtain the super-increasing vector A' with 。セ@

a2 = a3 a4 a5 a(; a?

450448325606142 454908210018084 918736188860052 1837472377720104 3670484871028266 26182899405826276 71194348822186470

96

3. Knapsack Systems

a8 a9 a} 0

a1 1 a1 2 a} 3

a}4 a} 5

a} 6

a1 7

a} 8

a} 9

a2 0

142388697644372940 303619324952515624 607234190020619306 = = 1233314769589420298 = 2466629539178840596 = 4933254618473269250 = 9866513696830950442 = 19751855943672434802 = 39522549357124227406 = 79045103174132866754 = 158109039358160679368 = 316218087636090182620 = 632436175272180365240 .

3.3 Theory of Reachability Does a given knapsack vector B result from some super-increasing vector by strong modular multiplication or perhaps by a sequence of strong modular multiplications? If it does, we would like to know such a super-increasing vector, as well as the multipliers and moduli involved. These are the issues investigated in this section. The setup will be quite general. There will be no restrictions concerning the sizes of the components with respect to n. The algorithms will be deterministic. The complexity depends on how the size of the input is defined. It is to be emphasized that the problems mentioned above are quite different from the knapsack problem itself. For instance, the problems do not become easy if the number of the components of B is bounded by a constant k. For these problems, it is still not sufficient to make 2k experiments. In general, if the problems above have been settled, the corresponding knapsack problems will be easy. By definition, a knapsack vector B is super-reachable iff there is a superincreasing A such that B results from A by strong modular multiplication. For r セ@ 1, the vector B is r-hyper-reachable iff there is a sequence of vectors A 0 , A 1 , . . . , A, = B such that A 0 is super-increasing and, for each i = 0, ... , r - 1, Ai+ 1 results from Ai by strong modular multiplication. Clearly, the notions of super-reachability and 1-hyper-reachability coincide. A vector may be defined in a way showing it to be r-hyper-reachable, r > 1, but the vector may still be super-reachable. For instance, in the fundamental paper [MeH] about knapsack-based cryptosystems, the vector B = (25, 87, 33) is obtained from the super-increasing vector A = (5, 10, 20) by two strong modular multiplications, with respect to the modulus-multiplier pairs (47, 17) and (89, 3). It is also shown that B cannot be obtained from A by one strong modular multiplication. However, B is super-reachable because it is obtained from (2, 3, 66) by strong modular multiplication with respect to the pair (99, 62).

3.3 Theory of Reachability

97

We require strong modular multiplication because then Lemma 3.1 becomes available. If we have only modular multiplication, it is not guaranteed that a solution of (B, p) equals the only solution of (A, a), where a results from Pby the corresponding inverse modular multiplications. This conclusion can be made if the original multiplications are strong, even if there are several of them. The following result is a basic tool in constructing examples of vectors that are not r-hyper-reachable.

Theorem 3.1. Every r-hyper-reachable vector is injective. Hence, every super-reachable vector is injective. Proof The theorem is a consequence of the following facts (i) and (ii).

(i) Every super-increasing vector is injective. Indeed, the algorithm described in Example 2.1 shows that any knapsack problem (A, a), where A is super-increasing, possesses at most one solution. (ii) Strong modular multiplication preserves injectivity. Assume that B results from A by strong modular multiplication with respect to the pair (m, t). Assume, further, that BC = BC' for some bit vectors C and C'. Clearly, A results from B by modular multiplication (m, u), where u is the inverse of t. Because we have uBC = uBC' by assumption, we have also AC AC' (mod m). Since m exceeds the sum of the components of A, this congruence must be an equation: AC = AC'. By 0 (i) we conclude that C = C' and, hence, B is injective.

=

For instance, if some component in a vector equals the sum of some other components, the vector cannot be r-hyper-reachable. Consider a knapsack vector A = (a 1 , . • . , an), an integer m > max A and a positive integer t < m such that (t, m) = 1. The growing sequence associated with the triple (A, t, m) is the sequence of triples (A(k), t, m + kt), k = 0, 1, 2, ... , where A(k) = (a 1

+ k · [tadm] , . .. , an+ k · [tan fm]).

Thus, the growing sequence begins with (A, t, m). The terms multiplier and modulus refer also to the number t and m + kt in the triple (A(k), t, m + kt). For instance, if A = (1, 2, 3), t = 4, m = 5, then the growing sequence begins with the triples ((1, 2, 3), 4, 5), ((1, 3, 5), 4, 9) and ((1, 4, 7), 4, 13) . If A

= (1, 4, 7), t = 3, m = 8, then the growing sequence is ((1, 4 + k, 7 + 2k), 3, 8 + 3k), k = 0, 1, 2, .. .

A number i, 2 s; i s; n, is termed a violation point in a knapsack vector A iff i-1

ai

s;

L aj .

j= 1

Thus, the i-th component of A violates the requirement of A being super-increasing. If A is increasing, every violation point i in A satisfies i セ@ 3.

98

3. Knapsack Systems

The goal of a triple (A, t, m) is the first triple (A(k), t, m + kt) in the growing sequence such that A(k) is super-increasing and m + kt is greater than the sum of the components of A(k), provided such triples exist. Clearly, a triple can be its own goal and some triples have no goal. In particular, if A is not increasing, then (A, t, m) cannot possess a goal. This follows because ai > ai+l implies that [taJm] セ@ [tai+ dm] and consequently, for all k, ai

+ k·[taJm] > ai+l + k·[tai+dm].

Returning to the two examples considered above, i = 3 is a violation point in the initial vector of the first sequence. The third triple is the goal of the sequence. The second sequence possesses no goal because the modulus will never become big enough. Next we define a notion in some sense dual to that of a growing sequence. Let (A, t, m) be a triple defined as in connection with growing sequences. The diminishing sequence associated with the triple (A, t, m) is the sequence of triples (A(- k), t, m- kt), k = 0, 1, 2, ... , where the vectors A(- k) are defined by descending induction as follows. A(- 0) = A. Assume that A(- k) = (d 1 , . . • , dn) has been defined and that we still have m- kt >max A(- k). (The inequality holds for k = 0, by the choice of the original triple.) Then A(- k- 1) = (d 1

-

[td 1 /(m- kt)], ... , dn- [tdn/(m- kt)]).

Diminishing sequences are always finite, whereas growing sequences are infinite. However, in the sequel only finite initial segments of growing sequences will be of interest. We will now develop the technical tools needed for the algorithms. We begin with properties of growing sequences. In Lemmas 3.2-3.4, the notation A, t, m, A(k) is the same as in the definition of a growing sequence.

Lemma 3.2. If A is increasing or super-increasing, then each vector in the growing sequence associated with (A, t, m) is increasing or super-increasing, respectively. Proof The inequality ai-l < ai implies the inequality [tai- dm] if A is increasing then so is every A(k). Assume, next, that

:$;

[taJm]. Hence,

i-1

L ai < ai.

j=l

Consequently,

This implies that, whenever A is super-increasing, then so is every A(k).

0

Lemma 3.3. If B = (b 10 ••. , bn) results from A by modular multiplication with respect to (m, t), then B results also from every A(k) by modular multiplication with respect to (m + kt, t). This holds true also if"modular multiplication" is replaced by "strong modular multiplication".

3.3 Theory of Reachability

99

Proof We infer by the assumption: b;

= (ta;, modm), for l セ@

i セ@

n.

= l. For all k, t(a; + k • [ta J m]) = b; + [taJ m] • m + [taJm] · kt = b; + [taJm] (m + kt) .

Clearly, (t, m + kt)

Since b; < m + kt, we conclude that (t(a;

+ k • [taJm]), mod (m + kt)) = b; .

This means that B results from A(k) by modular multiplication with respect to + kt, t). Assume that B results from A by strong modular multiplication with respect to (m, t). This implies that (m

n

L a; max B. Consequently, (ta;, mod m) = b;, for 1 セ@ i セ@ n. This implies that

t.,. [ta;/m]

=b; - ta; =b; (mod t) .

102

3. Knapsack Systems

Since b; :=: ; max B < t, we may write further (t 1 [ta;/m], mod t)

= b; ,

which shows that B results from A 1 by modular multiplication with respect to (m 1 , t 1 ). Also the claim concerning strong modular multiplication follows because n

if m >

L a;, then i= I n

n

i= I

i= I

L ta;/m セ@ L

t>

[taJ m] .

To prove the last sentence of Lemma 3.5, it suffices to show that if A is super-increasing then so is A 1 . The assumption of A being super-increasing implies, for 2 :=: ; i :=::;; n, i-1

L

ta)m < ta;/m.

j= I

Hence, i- 1

(*)

L

[ta)m] :=: ; [ta;/m] .

j= I

Assume that we have equality in (*). Then i-1

L m[taj/m] = m[ta;/m]

j = I

and consequently, i- 1

L (taj- bj) = ta;- b; ,

j= I

which can be written in the form b; -

i-1

L bj = t

(

i-1

a;- セ@

j = l

)

aj .

j= l

Since the coefficient of t is positive, we infer i-1

t :=: ; b;-

L bj < b; :=::;;max B.

j= I

Since this contradicts the assumption t > max B, we must have strict inequality in (*). Since i was arbitrary, we conclude that A 1 is super-increasing. D As an illustration, we observe that the vector B = (46, 45, 40, 30) is ((4, 5, 10, 20), 49, 50)-super-reachable. By Lemma 3.5, it is also super-reachable from each of the triples ((3, 4, 9, 19), 48, 49),

((2, 3, 8, 18), 47, 48)

In the last triple the multiplier is :=: ; max B. We now discuss diminishing sequences.

and

((1, 2, 7, 17), 46, 47).

3.3 Theory of Reachability

103

Lemma 3.6. Assume that B results from A by modular multiplication with respect to (m, t) and that, furthermore, m > 2 max B and t セ@ max B. Then B results also from A(- 1) by modular multiplication with respect to (m - t, t). Moreover, if A is increasing then so is A ( - 1). Proof We use our customary notation A = A(- 0) = (a 1 , B = (b 1 , • . . , bn). Then the i-th component of A( - 1), 1 セ@ i セ@ n, is

.•• ,

an)

and

ai- [taJm].

Multiplying this by t and using our assumption we obtain

= bi + m[taJm] - t[taJm]

tai- t[taJm] = bi

+ (m

- t) [taJm]

= bi (mod (m -

Because by our assumptions m - t > max B セ@

t)) .

bi, we obtain

(t(ai- [taJm]), mod(m- t))

= bi.

Observe that m > 2 t,

(*)

yielding m - t > t ,

and clearly (t, m - t) = 1. The first assertion now follows if the new modulus is big enough. Assume the contrary: ai- [taJm] セ@ m- t, for some i. We multiply this by t, use the above expression for tai and the assumption m > 2 max B, obtaining t(m- t) セ@

bi

+ (m-

t)[taJm]
(m- t)(t- [taJm]),

contradicting(*) because t > [taJm]. To prove the second assertion, we denote A( - 1) arbitrary, 1 セ@ i セ@ n- 1. Since A( - 0) is increasing, aj + 1

= ai + a

for some a

セ@

= (e 1 , . . . , en).

Let i be

1.

Assume first that a > 1. Then ei+ 1

= ai +a- [t(ai + a)jm] セ@ ai +a- (1 + [taJm] + [tajm]) = ei +(a - 1)- [tajm]

> ei .

Here the first inequality follows because always [x + y] second because by(*) [tajm] セ@ tajm < a/2 . Assume, secondly, that a= 1. In this case [tajm] [t(ai

セ@

= 0. If

+ 1)/m] = [tajjm]

,

[x]

+ [y] + 1, and the

104

3. Knapsack Systems

we obtain e;+ 1 > e;. Hence, suppose that (**)

[t(a;

+ 1)/m] = [taJm] + 1 .

Clearly, there are no other possibilities. (**)would imply that e; + 1 right side of(**) by P+ 1. Hence,

mP:::;; ta; < m(p Assume that ta; < m(P

+ 1):::;; t(a; + 1) .

+

-n Hence by(*),

セI@

+ t = m(P +

ta; + t < m(P +

a contradiction. Hence, ta; セ@ m(P

b;

= e;. Denote the

1)

+ t- m/2 < m(p +

1),

+ 1). But now

= ta; - Pm セ@ m/2 .

This implies that m :::;; 2b;:::;; 2 max B, contradicting our assumption. This shows that(**) cannot hold. 0 Lemma 3.6 will be applied in the sequel to the triples of the diminishing sequence as long as we still have m- kt > 2 max B. In this way the modulus will be forced to become :::;; 2 max B. It is important to note that certain properties preserved by the growing sequences are not preserved by the diminishing sequences. A may be superincreasing although the other vectors in the diminishing sequence are not. For instance, choose A = (1 , 14, 23, 66, 105), t = 87, m = 374 , implying that B = (87, 96, 131,132, 159) and, hence, t:::;; maxB and m > 2maxB. Now A(- 1) = (1, 11, 18, 51, 81), which is not super-increasing. Similarly, we see that (4, 3, 2) results from (1, 4, 7) by strong modular multiplication with respect to (13, 4) but when we go to the first triple in the diminishing sequence, we observe that (4, 3, 2) does not result from (1, 3, 5) by strong modular multiplication with respect to (9, 4) (although it results by modular multiplication as it should by Lemma 3.6). Such negative results are natural in view of our last lemma, Lemma 3.7, and reflect the fact that some properties are rescued from a certain point on in the growing sequence. The same properties are lost at this point in the diminishing sequence. The second assertion in Lemma 3.6 shows a property preserved by diminishing sequences. This assertion is not needed in the proof of our main result.

Lemma 3.7. Consider A, B, m and t satisfying the assumption of Lemma 3.6. Consider the growing sequence associated with (A(- 1), t, m- t). Let (C, t, m), C = (c 1 , . . . , en) be the first triple in this sequence. Then C =A. Proof As in Lemma 3.6, we denote A(- 1) = (e 1 , •. . , en). We consider an arbitrary i, 1 :::;; i :::;; n, and denote the components a;, c; , e; simply by a, c, e. By the

3.3 Theory of Reachability

105

definition of growing and diminishing sequences, we have c = e + [tej(m - t)] and e = a - [tajm] . To prove that a= c (and hence also Lemma 3.7), we have to show that

[te/(m - t)]

(*)

= [ta/m] .

By Lemmas 3.3 and 3.6, we know that

ta

=tc (mod m),

yielding a

=c (mod m) .

This implies that (**)

[te/(m- t)]

= [tajm] (mod m) .

(**) can hold without (*) holding only in case that the absolute value of the difference between the two bracket expressions is a positive multiple of m. We prove that this is impossible by showing that both of the bracket expressions (which clearly are nonnegative) are less than m. Since m- t > max A(- 1) セ@ e, we obtain

[tej(m- t)] < t < m . The bracket expression on the right side of(**) is estimated by denoting t/m = x and using the principle [y] セ@ y. Therefore,

[tajm]

= x(e + [tajm]) セ@ x(e + x(e + [tajm])) セ@ x(e + x(e + x(e + [ta/m]))) セ@ e(x + x 2 + ... + xP) + xP[tajm] セ@ e/ (1 - x) + xP[tajm] = mej(m- t) + xP[ta/m] < m + xP[tajm] . セ@

xa

This holds for arbitrarily large p, which means that the term xP[ta/m] can be made 0 arbitrarily small. Consequently, [ta/m] < m. Lemma 3.7 can be used inductively in the same sense as Lemma 3.6. We may generate the diminishing sequence as long as the modulus satisfies the inequality m - kt > 2 max B. Once we have reached a values with m - st セ@ 2 max B, we may increase the modulus again by considering the growing sequence. Lemma 3.7 then tells us that the growing sequence coincides with the original diminishing sequence. The following main result is now fairly obvious in view of the technical tools developed.

Theorem 3.2. A knapsack vector B is super-reachable iff, for some A, t :::; max B and m セ@ 2 max B, B results from A by modular multiplication with respect to (m, t) and the triple (A, t, m) possesses a goal. Proof The "if"-part follows by Lemma 3.3 and the definition of a goal. Lemma 3.4 gives a simple method for deciding whether or not a given triple possesses a goal. For the "only if"-part, assume that B is super-reachable. By Lemma 3.5, B is (A, t, m)-super-reachable with t セ@ max B. If m セ@ 2 max B, we are finished. Other-

106

3. Knapsack Systems

wise, we form the diminishing sequence (A(- k), t, m - kt),

0::;; k ::;; s,

where sis the smallest integer such that m - st ::;; 2 max B. By Lemma 3.6, B results from A(- s) by modular multiplication with respect to (m - st, t). By Lemma 3.7, the triple (A(- s), t, m- st) possesses a goal. 0 The algorithm due to Theorem 3.2 can be described as follows. Given B, choose m satisfying max B < m ::;; 2 max B and u < m with (u, m) = 1. Check whether the vector A resulting from B by modular multiplication with respect to (m, u) is increasing and u- 1 = t ::;; max B. If not, choose another pair (u, m). Else check by Lemma 3.4 whether the triple (A, t, m) possesses a goal. If it does, B is superreachable and the goal also gives a super-increasing vector, multiplier and modulus showing this. If (A, t, m) possesses no goal, another pair (u, m) is tried. When all possible pairs (u, m) have been tried without success, the algorithm terminates with the conclusion that B is not super-reachable. Various shortcuts can be made in the choice of the pairs (u, m). The algorithm is deterministic and works for all instances, independently of any conventions concerning the size of the components of the vectors. Thus, also cheating which uses non-super-reachable vectors can be found out. As will be mentioned below, similar algorithms can be used to many other problems as well.

Example 3.4. We give some illustrations of the algorithm. Consider first B = (4, 1, 6). The following table lists all pairs (u, m), where m::;; 2 max B, u < m, (u, m) = 1, u - 1 ::;; max B and the resulting A is increasing. Abbreviations are the

same as in Example 3.3.

u, m

3, 11 9, 11 5, 8 2, 7

t

= u- 1 4 5 5 4

A

(1, (3, (4, (1,

3, 7) 9, 10) 5, 6) 2, 5)

Goal

k = 1, (1, 4, 9), 4, 15 NR(i = 3), NR(m) NR(i = 3), NR(m) k = 2, (1, 4, 9), 4, 15

Thus, (4, 1, 6) is super-reachable. It is interesting to note that in both cases leading to success we obtain the same goal. It follows that, whenever (4, 1, 6) is (A, t, m)-super-reachable, then t セ@ 4 and m セ@ 15. Thus, it does not suffice to investigate moduli m セ@ 2 max B without considering growing sequences. Of course, m can be arbitrarily large in the growing sequence. Also t can be made larger by applying an argument similar to that used in Lemma 3.5 in the reverse order. The vector B = (1, 10, 8) is 2-hyper-reachable because it results from (1, 2, 4) by two strong modular multiplications, first with respect to (8, 5) and then with respect to (12, 5). The following table shows that B is not super-reachable.

3.3 Theory of Reachability

u,m

t = u- 1

A

7,20 9,20 2, 17 6,17 5, 14 3, 13 4, 11 5, 11

3 9 9 3 3 9 3 9

(7, 10, 16) (9, 10, 12) (2, 3, 16) (6, 9, 14) (5, 8, 12) (3, 4, 11) (4, 7, 10) (5, 6, 7)

107

Goal NR(i = NR(i = NR(m) NR(i = NR(i = NR(m) NR(i = NR(i =

3), NR(m) 3), NR(m) 3), NR(m) 3), NR(m) 3), NR(m) 3), NR(m)

Of knapsack vectors with all components :::;; 4 exactly the following ones are super-reachable: (2, 4, 3), (4, 3, 2), (1, 2, 4), (2, 4, 1), (4, 1, 2) . The study of (4, 3, 2) is interesting because it shows that one cannot reject noninjective candidates A in spite of Theorem 3.l.This is due to the fact that injectivity can be gained later on in the growing sequence. We now return to Example 3.2 and show how some of the results can be obtained by the method of Theorem 3.2. Consider B = (7, 3, 2). We saw that the number 61 /84 is in the interval obtained. Since 73 is the inverse of 61, we conclude that B is ((7, 15, 38), 73, 84)-superreachable. Here the multiplier is too big. Lemma 3.5 yields, in succession, the triples ((6, 13, 33), 62, 73)'

((5, 11, 28), 51, 62)'

((4, 9, 23), 40, 51)'

((3, 7, 18), 29, 40) '

((2, 5, 13), 18, 29) '

((1, 3, 8), 7, 18) .

In the last triple the multiplier t = 7 satisfies t :::;; max B, and we cannot apply Lemma 3.5 further. However, we still have m > 2 max B. But taking one step in the diminishing sequence we obtain the triple ((1, 2, 5), 7, 11). Consider, finally, the vector B=(43, 129,215,473,903,302,561,1165,697, 1523). We computed in Example 3.2 the interval (1 /43, 36/ 1547). Choosing the number ujm = 72/3095 from this interval, we get the super-increasing vector A= (1, 3, 5, 11, 21, 79, 157,315,664, 1331) . Now t = 43 < max B but m > 2 max B. When we go two steps back in the diminishing sequence, we obtain the triple ((1, 3, 5, 11, 21, 77, 153, 307, 646, 1295), 43, 3009) . Now also m is within the size limits.

0

108

3. Knapsack Systems

We call a vector B permutation-super-reachable iff some permutation of B is super-reachable. Cryptanalytic significance of permutation-super-reachable vectors was discussed earlier. As in Theorem 3.1 we can show that every permutationsuper-reachable vector is injective. Conversely, by our theory it is easy to see that every injective (b 1 , b2 , b3 ) is permutation-super-reachable. Assume that B is super-reachable. Theorem 3.2 gives a method of finding the smallest m such that B is (A, t, m)-super-reachable, for some A and t. The multiplier t can be similarly minimized. By estimating the maximal number of steps in the growing sequence before the goal is reached, one can also compute an upper bound M, depending on B, such that B is super-reachable iff it is (A, t, m)-super-reachable with m :s; M. Using our lemmas one can also decide of a given pair (B, r) whether or not B is r-hyper-reachable and, if the answer is positive, produce the corresponding super-increasing vector, multipliers and moduli. More details about all of these matters are given in [Sa 4]. It will be seen in the next section how one can choose an arbitrary starting vector if one uses sufficiently many strong modular multiplications to get the publicized vector.

3.4 Trying to Hide the Trapdoor Again The last two sections in this chapter discuss variants of knapsack-based cryptosystems, exhibiting various methods to meet cryptanalytic attacks. It has been emphasized already several times that some caution is needed in cryptography as regards arguments based on complexity theory. From a cryptographic point of view it does not prove much if it is shown that the worst instances of some problem are difficult but little or nothing is known about the average complexity of the problem. As regards algorithms running in polynomial time, the degree of the polynomial is important. Even if an expected cryptanalytic attack leads to an NP-complete problem, there might be other attacks that lead to easy problems. This point will now be illustrated using ideas based on knapsacks. The cryptosystem described will be partially public-key in that a knapsack vector A = (a 1 , ••• , an) is publicized, whereas there is also a secret key K = (k 1 , • .• , kn) with k; = 0, 1. The key is used both in encryption and decryption. In cryptanalysis the setup "chosen plaintext" seems to lead to an N P-complete problem, whereas the setup "known plaintext" with a long enough plaintext leads to an easy problem. We use the symbol E9 to denote bitwise addition. The notation is extended to concern vectors as well. Thus, 1 E9 1 = 0 and (1, 1, 0, 1, 0) E9 (1, 1, 1, 0, 0) = (0, 0, 1, 1, 0). Denote further t

= [log 2 ( 1 +itt

a)J+

1.

Clearly, any sum of the a;'s, where each individual a; appears at most once, can be expressed as a binary number with t bits. As already mentioned, A will be public, whereas the bit vector K is secret. For the encryption the plaintext is divided into blocks P = (p 1 , ••• ,p,) oft bits. For

3.4 Trying to Hide the Trapdoor Again

each P, a random bit vector R = (r 1 ,

••• ,

109

r ") is chosen. The sum

n

A(K EB R)

=

L

(k; EB r;)a;

i= 1

is formed. (Thus K EB R is viewed as a column vector.) Let S be the binary representation of this sum, consisting oft bits with some initial O's if necessary. The encrypted version of P is now

C

= (L, R)

where L

= S EB P .

Thus, an (n + t)-bit cryptotext corresponds to a t-bit plaintext. Since the n last bits of the cryptotext giveR, the legal recipient who knows K can immediately compute S and, therefore, the plaintext P from the t-bit initial segment L of the cryptotext. A cryptanalyst who knows some pair (P, C), where P may even be chosen by the cryptanalyst, can immediately compute S from L EB P = S EB P EB P = S. However, the S thus obtained corresponds to the particular plaintext P. Although R is known, the determining of K still leads to the N P-complete knapsack problem. Therefore, the cryptanalyst has not gained much information for decrypting some other cryptotext received later. Assume, however, that the cryptanalyst knows some pair (plaintext, cryptotext), where the plaintext is long enough. More specifically, it should consist of n t-bit blocks. This means that the cryptanalyst knows n triples (P;, L;, R;), i = 1, ... ,n. Denote the bitwise multiplication of two n-bit vectors T and U by T * U. Thus, the i-th component in T• U equals 1 iff the i-th component equals 1 both in Tand U. It is easily seen by induction on n that TEBU= T+ U-2(T•U) .

Indeed, for n = 1 this is obvious. Assuming the equation for two n-bit vectors, we extend it to two (n + 1)-bit vectors by applying the inductive hypothesis to their last n bits (the result is ann-bit vector with no carry), after which the matter with the leading bits is the same as for n = 1. Of course, + and - above denote ordinary addition and subtraction. For instance, 11010 EB 10111 = 01101 = 13 = 11010 + 10111- 2·10010 = 26

+ 23- 2·18,

where we have written bit vectors without parentheses and commas. The cryptanalyst now writes the n linear equations

S; = A(K EB R;)

= A(K + R; - 2(K * R;)), QセゥョL@

for the n unknowns k;. Unless the determinant of the system equals 0, K can be quickly computed. On the other hand, if the system happens to be singular, the knowledge of a few more triples (P;, L;, R;) is very likely to yield a nonsingular system. In fact, if n + j triples are known, the probability of getting a nonsingular system tends very fast to 1 with j growing. As an illustration, consider A = (2, 3, 4, 5, 6, 7), yielding n = 6 and t = 5. K = 110011 is chosen as the secret key. Observe that in this cryptosystem the injectivity of A is not important because the decryption process gives the items of A to be summed up and, hence, the knapsack problem need not be solved at all.

3. Knapsack Systems

110

Encrypt the plaintext P 1 = 01010 by choosing R 1 = 101010. Now K EB R 1 = 011001, whence S 1 = 3 + 4 + 7 = 01110 and C 1 = 00100101010. (The index 1 in S 1 points out the interconnection with R 1 .) Knowing P 1 and C 1 , the cryptanalyst may immediately compute S 1 = 00100 EB 01010 = 01110. But the knapsack problem (A, 14) has to be solved in order to obtain K EB R 1 from which K results because K EB R 1 EB R 1 = K. R 1 is of course immediate from C 1 . Thus, the knowledge of the pair ( P 1 , C 1 ) does not give much information for the decryption of the cryptotexts

C4 = 00111011110,

C 3 = 01110111101,

C 2 = 11110010101.

C 5 = 11110001010,

C 6 = 00111011011.

Assume, however, that the cryptanalyst knows the six pairs (P;, C;), 1 セ@ where

i セ@ 6,

P 5 =01110, P 6 =00001.

P 2 =10011, P 3 =00001, P 4 =10101,

(It is no coincidence that the plain texts P2 - P 6 represent the numerical encoding of SAUNA.) Then a system of 6 linear equations can be written for the unknown k;'s . Consider i = 1. As above, we infer that

+ A(K- 2(K •R 1 )),

S 1 = 14 = AR 1 whence 2

=-

2k 1 + 3k 2

4k 3 + 5k4

-

and similarly from the equations for

-

6k 5

+ 7k 6

,

s2 - s6

+ 6k 5 - 7k 6 , - 6 = - 2k 1 - 3k 2 - 4k 3 - 5k4 + 6k 5 - 7k 6 0 = 2k 1 - 3k 2 - 4k 3 - 5k4 - 6k 5 + 7 k 6 , 6 = 2k 1 + 3k 2 - 4k 3 + 5k4 - 6k 5 + 7 k 6 , - 14 = 2k 1 - 3k 2 - 4k 3 + 5k4 - 6k 5 - 7 k 6 • -2 = 2k 1

-

3k 2

+ 4k 3

5k4

-

,

This system of 6 equations is clearly singular. However, it gives a unique solution for K. In fact, the third and fifth equations yield k 3 = 0, and the second and fifth equations k 1 = 1. The remaining considerations are based on the fact that the k;'s are bits. Parity check shows immediately that exactly one of k 2 , k4 , k 6 equals 0. The last equation, with the values inserted for k 1 and k 3 , reads

- 16 = - 3k 2

+ 5k4

-

6k 5

-

7k 6

,

which shows that k4 has to be the one equaling 0. This means that the remaining bits must equal 1. As in this example, a unique solution in bits is obtained although there is no unique solution over rational numbers. The cryptanalytic method bears resemblance to the one used in connection with Hill's system in Example 1.2. Next we'll discuss a notion somewhat weaker than that of r-hyper-reachability. The public key will be a knapsack vector obtained by a succession of strong

3.4 Trying to Hide the Trapdoor Again

Ill

modular multiplications from some knapsack vector, not necessarily a superincreasing one. The moduli and multipliers constitute the secret trapdoor information. This information is sufficient for the legal recipient to decrypt using a system of linear equations. We now present the details. The cryptosystem designer chooses an arbitrary injective knapsack vector A1 = (aL .. . , 。セIL@ a multiplier t 1 and a modulus m1 satisfying the conditions of strong modular multiplication, that is, n

1 セエ

Q@

i; 1

Assume that A 2 = (ai, ... , a;) results from A1 by strong modular multiplication with respect to (m 1 , t 1 ) . Then t 2 and m 2 are chosen such that the conditions of strong modular multiplication (for A2 ) are satisfied. Let A3 ]H。セL@ . .. , a:) be the vector resulting from A 2 by strong modular multiplication with respect to (m 2 , t 2 ) . The procedure is continued until a vector An = (aj, ... , 。セIL@ resulting by strong modular multiplication from An_ 1 with respect to (mn _ 1 , tn _I), is reached. The cryptosystem designer (who is in this case the same as the legal recipient of messages) publicizes the vector An as the encryption key but keeps the pairs (mi, tJ, 1 セ@ i セ@ n - 1, as the secret trapdoor. From the secret trapdoor the inverse ui of ti (mod mJ, 1 セ@ i セ@ n - 1, can be immediately computed. After receiving a cryptotext an , the legal recipient has to find n bits x 1 , . . . , xn such that n

L:

(*)

a? xi= an .

i; 1

By n - 1 modular multiplications numbers ai satisfying ai

= (uiai+ 1o mod mJ, 1 セ@

i セ@

n- 1,

are found. These numbers ai constitute the right sides of the equations obtained from (*) by successive modular multiplications using the inverse multipliers. Originally only congruences (mod mJ are obtained but the congruences reduce to equations by the argument of Lemma 3.1 . Thus, the legal recipient obtains the system of n linear equations n

L:

a{ xi = ai, j = 1, . . . , n .

i; 1

From this system the unknowns xi can be computed, with the reservations concerning singularity mentioned above. The reservations are mild because we have the additional knowledge of the x/s being bits. However, if the start vector A 1 is not injective, all ambiguities are preserved by (strong) modular multiplications and, hence, are present in every equation of the system. A cryptanalyst has difficulties in trying to apply algorithms of the types considered in Sections 3.2 and 3.3 because there is no vector, such as a super-increasing one, to look for.

112

3. Knapsack Systems

As a simple illustration, consider A 1 =(3,2,6),

t 1 = 13,

A2 =(1,7,2),

t2

A3 Now u 2

= 6 and

u1

= (2, 3, 4),

=2,

m1 = 19, m2 =11,

publicized .

= 3. The cryptotext

6 leads to the system of equations

2x 1 + 3x 2 + 4x 3 = 6, x 1 + 7x 2 + 2x 3 = 3, 3x 1

+ 2x 2 + 6x 3

= 9,

from which the unique bit vector 101 is obtained, although the system is singular and possesses the general solution x 2 = 0, x 1 = 3 - 2x 3 . The subsequent knapsack system is suitable for authentication, that is, (electronic) signatures in the sense discussed already in Section 2.3. The two main requirements of cryptography, privacy and signature generation, are somewhat conflicting and, therefore, it is hard to satisfy them both in a really strong fashion by the same system. Most of the variants of knapsack systems are intended to satisfy the requirement of privacy. The following is especially suitable for generating signatures. The emphasis is on speed and simplicity. Both signing and verification can be carried out by performing only additions and subtractions. We need the following modification of the knapsack problem, also easily shown to be NP-complete. Given, for some n セ@ 3, n + 2 positive integers a 1 , ••• a,, a and m with a; being distinct and m > max {a; 11 :::;; i :::;; n }, find (if possible) some solution (c 1 , . . . , c,.) for the congruence II

(*)

L a;ci =a (modm), i= 1

where each ci satisfies 0 :::;; ci :::;; [ Iog 2 m] + 1. Thus, we allow the item ai to be used several times in forming the sum. However, the number of times allowed is small and never exceeds the number of bits in the modulus. Before proceeding with the formal details, we discuss in general terms how such a knapsack system can be used to generate signatures. The sender chooses and publicizes a knapsack system determined by A = (a 1 , •• . , a,.) and m such that the system leads to apparently difficult knapsack problems but the problems can actually be solved quickly by some secret trapdoor information. The sender signs a message a by using the trapdoor information to solve ( * ): the n-tuple (c 1 , • . • , c,.) constitutes the signature for a. The legal receiver who has received both a and the signature can verify the signature by checking that(*) holds. If the legal receiver or a cryptanalyst wants to forge the sender's signature for some message a.', he/she has to solve the instance of the knapsack problem determined by the triple (A, m, a'). An additional requirement concerning the choice of the knapsack system is that all conceivable messages a must have a signature, that is,(*) must have a solution for all such a..

3.4 Trying to Hide the Trapdoor Again

113

We are now ready to present the formal details, as seen from the point of view of the legal sender who in this case is the cryptosystem designer. Consider a prime number m whose binary representation possesses t bits. (Typically, t = 200.) Let H = (h;) be a t x 2t matrix whose entries are randomly chosen bits and A a 2tdimensional column vector satisfying the following t congruences:

HA

= ( ;: )

(mod m) .

2t-1

There are only t congruences in 2t unknowns, that is, the components of A. We may basically choose t components of A at random and compute the remaining components. The computation can be done fast and the probability of getting stuck is minimal because some of the randomly chosen components may be altered whenever necessary. We choose 0 :::;; i :::;; t - 1 and 1 :::;; j :::;; 2t as the indices of the rows and columns. The components a; of A will be random-looking (t-bit) integers such that any power of 2 between 2° and 2'- 1 can be expressed as the sum (mod m) of some of them. The items A and m are publicized, whereas H is kept as a secret trapdoor information. Messages a are numbers in the closed interval [1, . . . ,m- 1]. The signature for a is a vector C = (cp . .. , c 2,) satisfying(*) where we haven= 2t. Signatures can immediately be verified by checking(*). Forging of signatures will be difficult because of reasons explained above. Essentially, one has to solve the N P-complete modular knapsack problem. On the other hand, signing will be easy if we are in the possession of the secret trapdoor information H. In order to sign a message a, we write a as a sum of powers of 2: t-1

a=

I

b;2i .

i=O

Thus, b; is the (i + 1)st bit from the right in the binary representation of a. t bits will suffice because of the agreement about the range of a. We claim that we can choose t-1

ci =

L

1 :::;; j :::;; 2t .

b;h;i'

i=O

Then ci does not exceed the number t of bits of m, as required in(*). Moreover, r-1

a=

:L

i=O

r-·1

b;2i=

Jcエセ@ 1

I

i=O

2t

b;

I

ajhij

j= I

b; hii) ai =

it

1

ciai

(mod m) .

Only addition is needed for generating and verifying signatures.

114

3. Knapsack Systems

The above system is not even intended for concealing because messages are sent in plaintext. As regards the security of the signing procedure, an attack based on linear algebra is possible. When sufficiently many message-signature pairs are known, the matrix H can be computed. The situation is the same as in connection with the first system presented in this section, as well as with Hill's system discussed in Example 1.2. This insecurity problem can be solved by randomizing the bits of IX before signing IX. This can be done, for instance, by subtracting a randomly chosen subset of the a/s from IX:

where R = (r 1 , . . . , r 2 ,) is a random vector of bits. We first find the signature C' for by the method described above. Then C' + R can be used to sign IX because

IX'

IX

=

IX'

+ RA

=C' A + RA = (C' + R)A

(mod m) .

The components of the new signature are still within the allowed interval. The random vector R need not be known even for the legal recipient.

Example 3.5. Consider the modulus m = 29 expressible in five bits 11101. Hence, H will be a 5 x 10 random matrix. Choose 1011011100) 0 10 1 1 1 0 0 10 ( H= 0000111. 0 0 1 0 1 0 0 0 1 1100001 We may take, for instance, A= (14, 15, 19, 16, 3, 24, 10, 5, 2, 7) and the five congruences will be satisfied. The third congruence has the form 14

+ 15 + 19 + 5 + 2 + 7 =

62

=4

(mod 29).

The message IX = 22 is written in reverse binary notation as 01101, from which the signature C = 2322210122 is obtained immediately using H. The correctness of the signature is verified by CA

= 196

=22

(mod 29).

Similarly, the plaintexts, 9, 8, 20 and 1 have signatures 1022021101, 0011010001,

2221100112

and

1011011100 .

The plaintexts may be viewed as numerically encoded letters. This means that the word VIHT A has a signature obtained by writing the five signatures one after the other. No confusion will arise even if boundary markers are not used.

3.4 Trying to Hide the Trapdoor Again

115

Consider, finally, a randomized signature for a = 22. Choose the ten random bits as follows: R = 101101()()()(). We obtain a'= (22-73, mod 29) = 7. The signature for a' is 2222121221 and, hence, the randomized signature for a is 3233131221. The reader might want to generate randomized signatures for the other plaintext letters I, H, T, A. Observe that the same plaintext has several randomized signatures. D The final cryptosystem presented in this section hides in a very simple way the fact that the start vector A is super-increasing. The hiding is accomplished by adding some random noise to the components of A so that the new components do not form a super-increasing sequence, only some segments of their binary representations do. After scrambling by strong modular multiplication, these segments are not any more visible. We now describe the details. As usual, let n be the number of components of the knapsack vectors considered. Denote g = [ log 2 n] + 1. Consequently, n < 29 • Let r 1 and r 2 be arbitrary positive integers. Choose random integers Ri1 and rセ@ satisfyセ@ 2, 1 セ@ i セ@ n. Define ing 0 セ@ R} < 2'i, 1 セェ@

The a;'s can be depicted as follows, I

セ@

i セ@

n.

Number of bits Bits

random Ri1 0 ... 010 ... 0 n . . . i ... 1

0 .. . 0

random rセ@

The purpose of Ri1 is to disguise the fact that the a;'s are super-increasing- the fact becomes immediately visible if each Ri1 equals 0. The contribution of the other random block, rセL@ is buried in the outcome of the strong modular multiplication. The g-block of O's is a guard zone for the addition of the numbers rセZ@ it keeps the sum from overflowing into the n-bit identity block expressing the superincreasing property. Indeed, n

L rセ@

< n2'2 < 2g+r2 .

i=l

Let t and m satisfy the conditions of strong modular multiplication for ••• , an). Then the vector B = (b 1 , ••• , bn) resulting from A by strong modular multiplication with respect to the pair (t, m) is publicized as the encryption key. The numbers t, m, r 1 , r2 constitute the secret trapdoor. (The number g is public because it is defined in terms of n). Decryption is trivial for the legal recipient who knows the trapdoor. Let u be the inverse oft (mod m). For a cryptotext {3, denote A

= (a 1 ,

a= (u{J,modm).

Then the plaintext corresponding to f3 is simply the n-bit block in the binary representation of a, obtained by omitting the r 2 + g last bits and taking in reverse

116

3. Knapsack Systems

order the n-bit block from the end of the remammg part. (We could have introduced a guard zone also for the sequences rセ@ but it is not actually needed.) That the legal decryption is simpler than for the basic knapsack system of Section 3.1 is due to the fact that now the super-increasing vector consists of powers of 2 and, consequently, the sum vector gives directly the correct sequence of bits. We have discussed here only the basic variant, where the super-increasing vector is the simplest possible. The general case of an arbitrary super-increasing vector is cumbersome to handle with because then the components require several bits for their representation. An algorithm of the type presented in Section 3.2 does not work for cryptosystems of this kind.

Example 3.6. Choose n = 5, whence g = 3. The public encryption key is B = (62199, 61327, 13976, 16434, 74879).

The legal recipient knows also the trapdoor

m = 75000, u = 22883 (t = 1547), r2 = 4. Assume that the cryptotext 151054 is received. When it is multiplied by 22883 and reduced modulo 75000, the number 43682 results. The binary representation of this number is 43682 = 1010 10101 010 0010 . where the four different blocks are visible. The recipient removes r 2 + g = 7 bits from the end. The next five bits give the plaintext 10101. We may still check: 62199 + 13976 + 74879 = 151054. Similarly, modular multiplication applied to the cryptotext 75303 yields 33549 or, in binary notation, 33549 = 1000 00110 000

1101 .

The plaintext is now 01100, which shows also that we take, after removing 7 bits, the 5-bit sequence from the end in the reverse order. This is just a technicality caused by the fact that we are reading here the super-increasing part in the wrong order. Thus, now 75303 is the sum of the second and third components of Bas it should be. We still write down the original vector A, together with the binary representations divided into blocks.

a1 a2 a3 a4 a5

=24717 = 20741 = 12808 = 9222 = 6157

r1 = 3

essential

g=3

r2 = 4

110 101 011 010 001

00001 00010 00100 01000 10000

000 000 000 000 000

1101 0101 1000 0110 1101

3.5 Dense Knapsacks

117

Although r 1 = 3, in our examples the initial random segment is of length 4 because of overflow. This means that the binary representations have 16 bits. The maximum length of the initial random segment is S in this example. The legal recipient does not even look at this segment, so it is not necessary for him/ her to know r 1 .

3.5 Dense Knapsacks The underlying knapsack in the basic variant of a public-key cryptosystem is of low density, meaning that the components are very scarce in comparison with the number of them. This is not the case as regards the cryptosystem discussed in this section: the underlying knapsack is dense or of high density. A formal definition of these notions will be commented on later. Earlier in this section we have been using ordinary integer arithmetic or modular arithmetic, where all numbers are reduced with respect to certain modulus. In this section, the arithmetic used will be based on finite fields or Galois fields. The basic notions of finite fields are contained in Appendix B. We present here in somewhat more details some notions and a lemma needed in this section. A finite field has always ph elements, where pis a prime number and h セ@ 1. Such a finite field is often denoted F(ph). We describe a convenient way of representing elements of F(ph). We may speak of the base field F(p), that is, the subfield of F(ph) consisting of the elements 0, 1, ... , p - 1. In the base field we consider ordinary arithmetic modulo p. Every element =I 0 possesses an inverse. An element a is algebraic of degree hover F(p) iff a satisfies in F(p) a polynomial equation P(x) = 0 of degree h but no polynomial equation of a lower degree. (This implies that the polynomial P(x) in question must be irreducible in F(p).) The ph elements of F(ph) can be represented in the form

LCiai, oセ

」 ゥセー



QL@

oセゥィMQN@

In the arithmetic the "coefficients" ci are reduced modulo p, while any power ai, i セ@ h, can be replaced by a lower power using the equation P(a) = 0. For instance, let p = 3 and a satisfy the equation x 2 - x - 1 = 0. The elements of the resulting field F(ph) = F (9) can be expressed as

0, 1, 2, a, a

+ 1, a + 2, 2a, 2a + 1, 2a + 2 .

In the arithmetic higher powers of a are reduced by the equation a 2 = a

+ 1. Thus,

+ 2) (2a + 1) = 2a 2 + Sa + 2 = 2a + 2 + Sa + 2 = a + 1 . Given an element fJ =I 0 of F(ph), we may consider powers pi. It is clear that we have never fJi = 0. However, it might be the case that when i runs through the numbers i = 1, 2, ... ,ph- 1, then pi runs through the nonzero elements of F(ph). In such a case fJ is referred to as a generator of F* (ph), the set (in fact, the (a

multiplicative group) of nonzero elements of F(ph). A generator can be viewed as a base for logarithms. To compute a logarithm of an element y of F(ph) means

118

3. Knapsack Systems

computing a number a such that pa = y. Logarithms of this kind are often referred to as discrete logarithms. Their computation is believed to be intractable. It is known to be as hard as factorization (see Appendix B). Returning to the example above, we first write down the powers of rx. i

rx;

1

2

3

45

6

7

8

I rx rx + 1 2rx + 1 2 2rx 2rx + 2 rx + 2 1

From this table we observe that rx is a generator. The table can be arranged also as a table of logarithms, where the elements y of F(ph) are listed in some easily retrievable (such as alphabetic) order. Y 11 2 rx rx+ 1 rx+2 2rx 2rx+ 1 2rx+2 log«y 8 4 1 2 7 5 3 6

The table of logarithms can be applied to aid multiplication and division in the customary way. The logarithms are reduced modulo ph- 1. For instance, log(rx + 2) (2rx + 1) =log (rx + 2) +log (2rx + 1) = 10 = 2 , implying (rx + 2) (2rx + 1) = rx + 1. Similarly, log((rx + 1)/(2rx + 1)) = 2- 3 = 7, implying (rx + 1)/(2rx + 1) = rx + 2. Also 2rx + l is a generator of F*(9), with the table of logarithms

Y 11 2 rx rx + 1 rx + 2 2rx 2rx + 1 2rx + 2 log2a + 1 y 8 4 3 6 5 7 1 2 It is easy to verify that also rx + 2 and 2rx are generators but there are no further generators. Clearly, pis a generator iff i =ph - 1 is the smallest positive exponent satisfying pi= 1. Therefore, the number of generators equals cp(ph - 1), where the Euler function cp(x) stands for the number of positive integers i セ@ x satisfying (i, x) = l. In our example cp(8) = 4. It is very important to observe that the arithmetics defined above is different from modular arithmetics. The two coincide only if h = 1. In cryptosystems, where the underlying knapsack is super-increasing, decryption is always unique. This follows because super-increasing knapsacks are injective. The following question concerning the existence of sequences with unique h-fold sums was raised already in 1936. Given positive integers n and h, is there a vector A = (a 1 , . . . , an) with distinct nonnegative a;'s such that all sums of exactly h components of A , where repetitions are allowed, are distinct. It is easy to construct A's satisfying this condition, where the a;'s grow exponentially, for instance, a; = h; - 1 , l セ@ i セ@ n. This corresponds to knapsacks of low density such as the super-increasing ones. But what about the case of high density knapsacks: can one satisfy this condition with the a;'s growing only polynomially in n. Bose and Chowla, [BC], gave a solution which is presented in the following lemma in a form more suitable for the cryptosystem we have in mind. It should be emphasized that

3.5 Dense Knapsacks

119

the vectors obtained will not necessarily be injective because only sums of h components are considered. In fact, the number of components in the sums will be s; h because repetitions of the same component are allowed. Contrary to our customary notation, we denote by p the total number of components in A, to emphasize the primality.

Lemma 3.8. Let p be a prime and h セ@ 2 an integer. Then there is a knapsack vector A = (a 1 , ••• , ap) satisfying the following conditions (i) and (ii). (i) l s; ai s; ph - l for l s; i s; p. (ii) Let xi and Yi be nonnegative integers and consider p

(*)

(xp ... ,xp)"#(y 1 ,

• ••

L

,yp) where

p

xi=h and

i= 1

L

Yi=h.

i= 1

Then p

p

i= 1

i= 1

L xiai "# L Yiai ·

(**)

Proof Consider the finite field F(ph). Let rx be an element algebraic of degree hover F(p) and g a generator of F*(ph). Define ai

= log9 ( rx + i - l ), l s; i s; p .

It is obvious that (i) is satisfied because it expresses only the range of discrete logarithms. To show that also (ii) is satisfied, assume the contrary: there are xi and Yi satisfying(*) but, instead of(**) we have p

p

L xiai = i=L1 Yiai · i= 1

(**)'

Then equality results also when g is raised to the power expressed by each side of (**)'.Taking into account the definition of ai, this equality resulting from(**)' can be written (**)"

(rx

+ 0)"'' ... (rx + p - Wp =

(rx

+ O)Y1

... (rx

+p-

l)Yp .

When both sides of ( ** )" are expressed as polynomials of rx, the highest powers of rx must coincide on both sides because of(*). Moreover, also by(*), the exponent in the highest power must be equal to h. When the right side of(**)" is subtracted from the left side, a nonzero (because of(*)) polynomial in rx results whose degree is s; h - l. Hence, rx satisfies a polynomial equation with degree s; h - 1 and, consequently, cannot be algebraic of degree h. This contradiction shows that(**)' cannot hold. D The proof is the same if pis a power of a prime. The proof shows also that(**) could be replaced by the stronger condition p

p

i= 1

i= 1

L xiai I= L yiai

(mod ph - 1) .

120

3. Knapsack Systems

We still need one auxilliary result before presenting the details of the cryptosystem based on dense knapsacks. According to this cryptosystem, the plaintext consists of p-bit blocks such that there are exactly h bits 1 in each block. Arbitrary binary plaintext cannot be divided into such blocks. However, it is intuitively clear that arbitrary, somewhat shorter blocks can be first encoded as blocks satisfying the required condition. This will be shown in the following lemma. Of the many known constructions, all of them computationally easy, we have chosen the one easiest to describe.

Lemma 3.9. Consider positive integers n セ@ 3 and h < n. Then there is an injective mapping of the set of all [log 2 G:)]-bit sequences into the set ofall such n-bit sequences that the number of 1's in each sequence equals h. Proof. We view the [log 2 HセI}M「ゥエ@

sequences as binary representations of numbers a. Arrange the n-bit sequences, containing h 1's each, in alphabetic order where 0 precedes 1. Thus, in the first sequence according to this ordering all the 1's are at the end and, in the last sequence, at the beginning. We map the binary sequence representing the number a into the (a+ 1)st sequence in the ordering constructed. This mapping is clearly injective. Moreover, we do not run out of sequences of the in number, and there are altogether 2x x-bit latter type because they are 0 sequences. In most cases the brackets make the number smaller.

m

As an illustration, let n = 5, h

= 2. Then [Iog 2

:>:'

セ@

N

w

4.1 Legal World

133

hold, we may conclude that n is composite but still cannot factorize n. (ii) For real-valued functions of real numbers, there is no difference, from the point of view of complexity, between exponentiation and computation of logarithms. In the discrete case modular exponentiation is easy, whereas logarithms constitute an intractable problem. This problem will be dealt with also in Section 4.6. The problems of authentication and digital signatures were discussed already in Section 2.3. In what follows the subscripts indicate the user. Thus, eA, d A, nA are the encryption and decryption exponents and the modulus used by A. Assume first that only signature but not secrecy is needed in the transmission of messages. Then A sends the pair (w, D A(w)), where

DA(w) = (wdA, mod nA). The receiver can verify the signature by applying A's public encryption exponent eA. Since only A is in possession of d A, no other person could have signed the message w. However, a forger can choose a number c, compute EA(c) = (c'A, modnA) and claim successfully that c is the signature by A to the message EA(c). This method of attack can be used for finding signatures to unpredictable messages only: only A can sign a prechosen message. Such unpredictable messages are not likely to be meaningful if, for instance, the plaintexts are obtained by numerical encoding from some natural language. Then the redundancy in the messages is high, and only a very small portion of blocks of a certain size are numerical encodings of parts of meaningful plaintext. In addition to the amount of redundancy also the type of redundancy of plaintexts is important. In particular, neither the inverse of a meaningful message nor the product of two meaningful messages should be meaningful. Otherwise, a forger knowing A's signatures s; to messages wi, i = 1, 2, can sign, with the correct A's signature, the messages (w 1 w2 , mod nA) and (w1 1 , mod nA) using (s 1 s 2 , mod nA) and (s1 1 ,modnA). Consider the first illustration in Example 4.1. The signatures for the messages 12 and 29 are 23 and 24, respectively. Clearly, (l2·29,mod55)= 18 and

(29- 1,mod55)= 19

can then be signed using (23 • 24, mod 55)= 2 and (24 -•, mod 55)= 39 . Only nA and the signatures for wi are needed to construct the new signatures. This method of forging applies to products of more than two factors as well. Since apparently dAis always odd, we can sign also (- w1 , modnA) using (- s., modnA). Assume, secondly, t!tat both signature and secure transmission are requied. To send a signed message to B, A first signs it using (dA, nA) and then encrypts the result using (e 8 , n8 ). B first decrypts using the decryption exponent d8 , after which the original message can be obtained using the public encyption key eA. The presence of dA in the message guarantees that it was sent by A. As before, one has to

134

4. RSA

be cautious because of the possibility of forging signatures to unpredictable messages. There is also another difficulty caused by the fact that A and B are using different moduli. Assume that nA > n8 . Then D A(w) is not necessarily in the interval [1, n8 - 1], and reduction modulo n8 would certainly make the legal decryption more difficult. There are two ways to overcome this difficulty. (i) All users agree upon a common threshold t. Each user A chooses two RSA keys, one for signatures and the other for encryption. The items involved are denoted by superscripts s and e, respectively. Each user A takes care of that ョセ@ < t < nA. The difficulty described above does not arise if A sends the message w to B in the form emdセHキIN@

(ii) Also the threshold number can be avoided if messages from A to Bare sent in the form E 8(D A(w)) or D A(E8(w)), depending on whether nA < n8 or n8 < nA .

4.2 Attack and Defense We discussed already in the preceding section how to meet an attack by a forger of signatures. In general, many cryptanalytic attacks have been proposed against RSA cryptosystems. None of these attacks has turned out to be serious. In this section we discuss some typical ones of them and mention also a few other aspects one should be aware of in order to prevent certain rather obvious attacks. Consider first the choice of p and q. They should be random primes and not, for instance, primes contained in some table of primes. To factorize, one can always check through the table or run through the sequence of primes of the specific form. The two primes should also not be close to one another. If they are close to one another (and p > q), then (p- q)/2 is small and (p + q)/2 is only slightly larger than Moreover, (p + q) 2 /4- n = (p- q) 2 /4

Jn.

Jn,

and, hence, the left side is a perfect square. To factorize n, one tests integers x > until one finds one such that x 2 - n is a perfect square, say y 2 • Then p = x + y and q = X - y. For instance, for n = 97343, we have = 311.998. Now 312 2 - n = 1, which gives directly p = 313, q = 311. In general, it is advisable that the bit representations of p and q differ in length by a few bits. Also q>(n) should be considered in the choice of p and q. Clearly both p- 1 and q - l are even, implying that cp(n) is divisible by 4. Assume that (p- 1, q- 1) is large and, consequently, the least common multiple u of p- 1 and q- 1 is small in comparison with q>(n). Then any inverse of e modulo u will work as a decryption exponent. Since in this case it is much easier to find d simply by testing, p - 1 and q - 1 should have no large common factor. The extreme possibility is that one of p- 1 and q- 1, say q - 1, divides the other. Now it suffices to consider inverses of e modulo p - 1. Take again an

Jn

4.2 Attack and Defense

135

example. Let n = 11041 and e = 4013. Now any inverse of 4013 modulo 180 can be used as the decryption exponent. This follows because the least common multiple of p- 1 and q- 1 happens to be 180. Thus, we obtain d = 17. The cryptosystem designer should also avoid the situation where (mod n) ,

implying that

w = ((rx'

+ 1)/(rx' -

1))Jc (mod n) .

5.1 Exponentiation in Quadratic Fields

165

Returning again to the numerical example, we use first E to obtain oc 2e: oc 2e =: (28 2 + 5)/(28 2 - 5)

+ (2 • 28/(28 2 - 5))j5

=95 + 126}5 (mod 143) . Recall that d

= 16. Therefore, we compute X 1 (oc 2 e)

= 95,

Y1 (oc 2 e)

=31 , (oc e) =62, (oc e) =108 ,

X 2 (oc 2 e) X4 X8

2

2

X 16(oc2e) = 18 ' Consequently, 18 hence, oc

= 126 ,

=59, Y (oc e) =83 , Y (oc e) =139 , Y16(oc2e) =137 . Y2 (oc 2 e) 4

2

8

2

=± oc (mod 143). Since b = 1, a must be odd and, = - (18 + 137 .j5) =125 + 6j5 (mod 143). + 137 J5

2

Using the second component b 1 = 0 of the cryptotext, we infer that oc = oc' and, therefore,

w

=(126 + 6j5)(124 + 6}5)- J5 1

= (126 + 6}5)(124- 6}5)(124 2 - 5. 6 2 )- 1 J5

= 83 • 38- 1 = 21

(mod 143) .

Thus w = 21, which was the original plaintext. A reader who has worked through the details will surely agree that the cryptosystem of Williams is much more difficult to explain than RSA! However, this does not imply that encryption and decryption have greater time complexity than in RSA. We have here also the additional advantage that cryptanalysis by preprocessing is provably equivalent to factoring.

Cryptanalysis Versus Factoring. If we have found p or q, we can immediately compute m and d. Conversely, assume that a cryptanalyst has somehow found a decryption algorithm. The algorithm can be used to factor n as follows. First a number x with

(x c)=_ 1

(**)

2

;

is chosen by trial. Then xis encrypted but the process is begun by selecting b 1 = 0 Thus, the false value + 1 is used for the Jacobi symbol on and y = x + purpose. Let (E, 0, b2 ) be the resulting cryptotext. The cryptanalyst now applies the algorithm to find the corresponding plaintext w. However, w is not the same as x because the encryption process started by cheating. In fact, a fairly straightforward calculation shows that (x - w, n) equals p or q. (Details can be found in

Jc.

166

5. Other Bases of Cryptosystems

[Wil].) This means that the cryptanalyst is able to factor n. The situation is analogous to knowing two distinct square roots modulo n. Let us do this in our example. Choose x = 138. Then (* *) will be satisfied. Cheat by choosing b 1 = 0 andy= 138 + Hence,

Js.

IX=

yjy = 73

+ 71Js.

Since 73 is odd, we obtain b 2 = 1. We compute next: X 1 (rx) = 73,

Y1 (rx) = 71 ,

X 2 (rx)=:75,

Y2 (rx) = 70,

X 3 (rx)=:9,

Y3 (rx) = 139,

X 5 (rx)=133,

Y5 (rx)

X 6 (rx)=18,

Y6 (rx) = 71 ,

X 11 (rx) = 139,

Y11 (rx) = 82,

X 12 (rx) = 75,

Yu(rx) = 125,

X 23 (rx) = 42,

Y23 (rx) = 73 .

We infer that

E = 42·73- 1

=44,

=28 (mod 143),

which yields the cryptotext (28, 0, 1). It was decrypted already above with the result w = 21. This leads to the factorization of n because

(x- w, n)

= (117, 143) =

13.

The discussion shows also that if the cryptanalyst is able to apply the setup "chosen cryptotext" (even for one chosen cryptotext), the system is immediately broken.

5.2 Iteration of Morphisms Many public-key cryptosystems based on the theories of automata and formal languages have been proposed. Some of them will be discussed in this and the next section. As we have emphasized already before, the purpose is rather to give a feeling of the diverse possibilities to construct public-key cryptosystems than to evaluate the resulting systems. Apart from security issues, such an evaluation should take into account also other aspects: ease of legal application, length of cryptotexts, etc. Some of these aspects will be mentioned below. Languagetheoretic notions will be explained to the extent they are needed for the understanding of the systems. Some further language theory will be used without detailed explanations, for instance, in cryptanalysis. As regards language theory, the interested reader may consult [Sal].

5.2 Iteration of Morphisms

167

Let r and Ll be alphabets. Recall that r• denotes the set of all words over r, including the empty word A.. In what follows, r and Ll may be equal, disjoint or partially overlapping. A mapping h: r• -+ Ll * is termed a morphism iff h(xy) = h(x)h(y) holds for all words x and y over r. It follows that always h(A.) = A. and that a morphism is completely determined by its values for the letters of r. A.finite substitution a is a mapping of r* into the set of finite subsets of Ll* such that a(xy) = a(x)a(y) holds for all words x andy over r. The two conclusions made for morphisms hold also now. For instance, let r = Ll = {a, b} and a(a) = {a, ab},

a(b) = {b, bb} .

Then a(ab)

= {ab, abb, abbb} .

Observe that a(ab) contains only three elements because the word abb is obtained in two different ways. In the sequel it will sometimes be convenient to use the notation (x)h instead of h(x), and similarly for finite substitutions. If Lis a language, then a(L) = {yly E a(x), for some x E L} . We now begin the description of the cryptosystem. Consider two morphisms h0 , h 1 : r•-+ r•, as well as a nonempty word w over r. We say that the quadruple G = (r, h0 , h 1 , w) is backward deterministic iff the condition

always implies the condition

Here each i 1 andj, belongs to the set of indices {0, 1}. Thus, backward determinism means that in an application of a sequence of morphisms, one after the other, the outcome uniquely determines the sequence; it is not possible that two different sequences lead to the same outcome. Example 5.1. Consider the morphisms defined by

h0 (a) = ab,

h0 (b) = b, h 1 (a)= a,

h 1 (b)= ba .

If we choose w = a, then the resulting quadruple is not backward deterministic because the outcome a is obtained by a sequence of 1's of any length. The same conclusion holds if w =b. On the other hand, the quadruple ({a, b}, h0 , h 1 , ab) is backward deterministic. This follows because the last letter of a word reveals the morphism last applied. Using this principle one can "parse" a word w' back to the initial word, provided w' was obtained by some sequence of morphisms from w. D Backward deterministic quadruples G can be used as classical cryptosystems in the following obvious fashion. A sequence of bits i 1 ••• in is encrypted as the word (w)hi, ... hi"· Backward determinism guarantees that decryption will be unique.

168

5. Other Bases of Cryptosystems

For instance, if G is the quadruple in Example 5.1 with w = ab, then some plaintexts are encrypted as follows. Plaintext 0 1

00 01 10 11

011

Cryptotext

abb aba abbb ababa abbab abaa abaabaa

Of course, G has to be kept secret if it used as a classical cryptosystem in the sense described. Otherwise, there will be no difference between legal decryption and cryptanalysis. Cryptosystems of this type are referred to as functional. In general, afUnctional cryptosystem is specified by two functions fo and ft and an initial value x. A sequence of bits i 1 • • . in is encrypted as the value (x).t;, ... J;•. A condition corresponding to the backward determinism defined above has to be satisfied to guarantee the uniqueness of decryption. More than two functions are needed if plaintexts contain more than two characters. An obvious way to transform a functional cryptosystem into a public-key one is to provide a trapdoor leading from the publicized functions and values to some easily parsable situations. More specifically, we know the initial value x and functions fo, ft, as well as a value y such that

= (x).t;, ... J;. ' for some composition of the functions fo, ft. With this information it is hard to find y

the sequence of bits i 1 . • . in determining the composition, although we know the sequence is unique. However, with the trapdoor information the equation can be transformed into the form y' = (x')gi, · · · gi" • where x', y', g 0 , g 1 are known. Moreover, now the sequence of bits (which is the same as the original sequence) can be found easily. Let us see how the trapdoor is constructed when the two functions are morphisms. In fact, the trapdoor will lead to two easily parsable morphisms. The publicized setup uses an alphabet much bigger than 1:, and two finite substitutions instead of two morphisms. The substitutions and the initial word are defined in such a way that the bit sequence remains unaltered when the trapdoor is used to go from the "public" equation to the easily parsable one. More specifically, let G = (1:, h0 , h 1 , w) be backward deterministic. Let L1 be an alphabet of a much greater cardinality than 1:. Typically, 1: consists of five letters, whereas L1 consists of 200 letters. Let g:L1*-+ 1:* be a morphism mapping every letter to a letter or to the empty word in such a way that g- 1 (a) is nonempty for all

5.2 Iteration of Morphisms

169

letters a of I:. This means that every letter d of Ll is either a descendant of some letter in I: or a dummy. The letter d is a descendant of a if g(d) =a. The additional condition of g- 1 (a) being nonempty implies that every letter of I; has at least one descendant. The letter dis a dummy if g(d) =X Consider a quadruple H = (LI, a 0, a 1, u), where a 0 and a 1 are finite substitutions on Ll defined below and u is a word over Ll satisfying g(u) = w. Equivalently, u belongs to g- 1 (w). In general, u is not unique because dummies may occur in arbitrary positions and each descendant may also be chosen arbitrarily. Also the finite substitutions a 0 and a 1 are not unique. For each din Ll, a 0 (d) is a nonempty finite set of words y such that if h0 maps g(d) into x in I:*, then g(y) = x. Equivalently, a 0 (d) is a finite nonempty subset of g- 1 (h 0 (g(d))). (Customarily we write the arguments of functions on the right as here. It should cause no confusion that we write them on the left while encrypting, in order to preserve the proper order in the bit sequence.) A substitution a 1 is defined in the same way, using h 1 . The quadruple H = (LI, a 0 , a 1 , u) is publicized as the encryption key. A bit sequence i 1 . . . in is encrypted by choosing an arbitrary word x from the finite set (u)a;, . . . a;" . If the bit sequence is long, it can be divided in an arbitrary fashion into blocks that are encrypted separately. Everything else, that is, I:, h0 , h 1 , w, g remains as a secret trapdoor. The essential item is the "interpretation" morphism g: all other items can be computed from g and the public information. We mention in passing that in the terminology of L-systems G is a DTOL-system and H a TOL-system. L-systems, named after A. Lindenmayer, are mathematical models very suitable for computer simulation of biological growth processes. The reader is referred to [RS] for details. The idea behind the public-key cryptosystem just described is that a cryptanalyst has to parse according to the messy TOL-system H, whereas the legal receiver who knows the trapdoor can operate in the simple and easily parsable DTOL-system G. More comments will be given below. That the public-key cryptosystem works as intended is a consequence of the next lemma. Lemma 5.2. Let G =(I:, h 0 , h 1 , w) be backward deterministic, and let g and H = (LI, a 0 , a 1 , u) be defined as above. Use G and H to encrypt bit sequences in the way described above. Then decryption according to His unique. Moreover, if the bit sequence i 1 . . . in is encrypted as y according to H , then i 1 . . . in is the decryption of g(y) according to G. Proof Consider the last sentence. Assume that y is a word in the set (u)cr;, . . .

CT;" ·

Then g(y)

= (g(u))h;,

. .. h;n

= (w)h;,

... hin'

This follows by the definition of the substitutions and u. (An algebraically minded reader will notice that substitutions, as well as morphisms, commute with catenation by their very definition.)

170

5. Other Bases of Cryptosystems

To prove the uniqueness of decryption according to H, assume that some y can be decrypted both as the bit sequence i and the bit sequence j. By the last sentence, g(y) is decrypted both as i and j according to G. Since decryption according to G is unique by backward determinism, we must have i = j. 0 Continuing Example 5.1, let L1 tion morphism by g(c 1) = b,

= {c 1, c2 , c 3, c4, c 5} and define the interpreta-

g(c 2) = g(c 4)

=a, g(c 3) = g(c 5) =A..

Thus, c2 and c 4 are descendants of a, c 1 is the only descendant of b, and c 3 and c 5 are dummies. We choose u = c4c 3c 1, then g(u) = ab = w. To construct the substitutions, recall that the morphisms were defined by h 1: a --+ a,

b --+ ba .

We now define u 0 and u 1 using the same descriptive notation. u1: c1--+ c1c2, c3c1c4 c2--+ c2, c3csc4 c3--+ c3, CsCs c4--+ c2, c4c3 Cs--+ c3, CsC3

Uo: c1--+ c1' c3c1

c 2 --+ c 4cp c 2c 1c 5 c3--+ Cs, c3c3 c 4 --+ c4cp c 2c 5c 1, c4c 1c 3 Cs--+ Cs, C3CsC3

This is a correct definition because when the interpretation morphism g is applied, u 0 and u 1 reduce to h0 and h 1 : Uo: b--+ b, b

(11:

a--+ ab, ab A. --+ A., A. a --+ ab, ab, ab A. --+ A., A.

b--+ ba, ba a--+ a, a A. --+ A., A. a--+ a, a A. --+ A., A.

To encrypt 011 using the public-key, we first choose the word y 1 = c4c 1c 5c 1 from (u)u 0 , then the word y 2 = c 2c 3c 1c4c 3c 1c 2 from (y 1)u 1 and, finally, the word

from (y 2 )u 1 . The legal receiver may compute g(y) = abaabaa ,

from which the plaintext 011 can be immediately recovered using the special property of h0 and h 1 mentioned above. 0 Not all DTOL-systems, that is, quadruples G = (!', h0 , hp w) are backward deterministic. For instance, if all words h0 (a), where a ranges over letters of .r, are powers of the same word x, then G cannot be backward deterministic. This follows because it is easy to verify that (w)h 0 h1 h0 h0 = (w)h 0 h0 h1 h0



5.2 Iteration of Morphisms

171

On the other hand, backward determinism does not guarantee easy parsing. For this purpose, the notion of strong backward determinism is more appropriate. By definition, a quadruple G = (L', h0 , h 1 , w) is strongly backward deterministic iff the condition

always implies the conditions t

= in and

X

= (w)h;. . ..

hin-t .

Thus, every word generated by a strongly backward deterministic G has a unique predecessor in !'*, and is derived from this predecessor by a unique morphism. This means that the parsing sequence of a word in a strongly backward deterministic DTOL-system depends only on the word and, consequently, parsing (decryption) can be carried out from right to left without any look-ahead. This is not necessarily true if G is only backward deterministic. In order to find the last bit, one may even have to go back to the axiom. Example 5.2. Clearly, every strongly backward deterministic DTOL-system is backward deterministic. Consider G =({a, b}, h0 , hp ab), where h1 : a _. bb, b --. ab .

That G is backward deterministic is easy to show by an inductive argument: a counter example immediately leads to a shorter counter example, which is of course impossible. On the other hand, G is not strongly backward deterministic because (ab)h 0 h 1 = bbababab = (abbb)h 1 = (baaa)h 0



One can prove that strong backward determinism is a decidable property, whereas backward determinism is undecidable. 0 An issue important in system design is the word length. Cryptotexts should not be too long compared with plaintexts. Fortunately, there are big classes of DTOLsystems with linear growth rate. In the transition to TOL-systems, the growth rate remains essentially the same as regards descendants ofletters. The substitutions for the dummies should be defined in such a way that exponential growth is not likely to occur. Besides, block division of the plaintext can always be used to reduce growth. As regards cryptanalysis, preprocessing is not likely to succeed. Consider trapdoor pairs (G, g) such that G is a DTOL-system resulting from H by the interpretation morphism g. Given H, there may be several such trapdoor pairs. Only one of them, say (G 1 , g 1), has been used by the cryptosystem designer. Ifsome other pair (G 2 , g 2 ) giving rise to His found, it can be used in decryption with the following warning. G2 is not necessarily backward deterministic and, therefore,

172

5. Other Bases of Cryptosystems

a cryptotext may lead to several plaintexts. However, the correct plaintext is always among them. This observation does not make the cryptanalysis by preprocessing essentially easier. It can be shown that it is anNP-complete problem to find any trapdoor pair. (Some other preprocessing method might still exist.) Consequently, also finding the dummy letters is an NP-complete problem. For if the dummies have been found, the construction of a trapdoor pair will be easy. This result means that it does not help much to know that dummies always have to be replaced by words consisting of dummies. Altogether, the cryptosystem seems to be safe against cryptanalysis by preprocessing: trapdoor pairs are not easy to be found. A cryptanalytic algorithm running in time kn 3 , where n is the length of the intercepted cryptotext and the constant k is fairly large, can be constructed using the theory of finite automata, [Kar2]. In the following generalization, finding the dummy symbols is no longer sufficient for successful cryptanalysis. Recall that the interpretation morphism g was supposed above to assume as its values only letters or the empty word. Such a very restrictive definition is not necessary. We now assume that the interpretation morphism is any surjective morphism g: A*-+ 1:*. This means that all words of 1:* appear as values of g, a condition certainly satisfied by our original definition. Otherwise, the cryptosystem design remains unaltered. However, let us be more specific. As before, assume that G = (1:, h0 , h 1 , w) is backward deterministic (preferably: strongly backward deterministic). Choose A to be much bigger than 1:, and let the morphism g: A*-+ 1:* be surjective. Let u be a word over A such that g(u) = w. Such a u exists because g is surjective. For d in A, let o";(d), i = 0, 1, be a finite nonempty set of words x with the property g(x) = h;(g(d)) .

Again, the surjectivity of g is needed to assure that there are such words x. As before, the decryption of a cryptotext y can be carried out by parsing the word g(y) according to G. Lemma 5.2 remains valid also now. Cryptanalysis by preprocessing seems to be more difficult. However, the cubic-time algorithm mentioned above for analyzing intercepted cryptotexts is applicable also to the generalized system.

Example 5.3. Consider G = ({a, b}, h0 , h1 , ba), where the morphisms are defined by

Then G is strongly backward deterministic by the obvious reasons: the last letter of a word determines the morphism used, and the predecessor of a word is unique because both morphisms are injective. We choose A = {c 1 , • . . , c 10 } to consist of

5.2 Iteration of Morphisms

173

ten letters, and define the interpretation morphism by g: c 1 -+ ab

c6-+ A.

c 2 -+ b

c 7 -+ bab

c3 -+A.

Cs -+A.

c 4 -+ b

c 9 -+

c 5 -+

a

Next we may choose u = c9 because g(c 9 ) define the substitutions u 0 and cr 1 by

ba

c 10 -+ aa

= ba. To complete the definition of H, we CTl: C1-+ C4C1o• C9Cs

cro: c1-+clc4 c2-+ c6c2

c2-+ CsCs

c3-+ c3c6

c3-+ c6cs

c4-+ c2' c3c4

c4-+ c3cs

C5 -+ Cp c 5 c 2

Cs-+ c9, c2cs

c6-+ CsC3

c6-+ c6c3

C7-+ C7CsC4

C7-+C1C10

Cs-+ Cs

Cs-+ Cs

c9-+ c3c7, c4c1

c9-+ cl c6cs, CsC9

C10 -+ C5 C7 , C1c 5 c 2

Clo-+ c9c9, c7cs

This definition is correct because, for all i and d, cr;(d) contains only words x satisfying g(x) = h;(g(d)). For instance, from the first and two last lines we obtain g(c 4 C10 )

= g(c 9c 5) =baa= h 1 (ab) = h 1(g(c 1)),

g(c 3c 7) = g(c 4 c 1) = bab = h0 (ba) = h0(g(c 9)), g(c 5c 7) = g(c 1c 5c 2) = abab = h0 (aa) = h0 (g(c 10 )).

The plaintext 01101 is encrypted according to the public key H, for instance, as follows:

For the legal decryption one first computes g(y)

= abaabaaabaaabaa .

174

5. Other Bases of Cryptosystems

By the parsing rule of G, one further obtains the equations h 1 (bababbabbab) h0 (baababa)

= g(y) ,

= bababbabbab ,

h 1 (abaa) = baababa ,

= abaa , = bab ,

h 1 (bab) h 0 (ba)

where the indices of h give the plaintext 01101. In the generalized version of the cryptosystem, where the interpretation morphism is chosen more freely, dummies are not essential for safety, as they are in the basic version. On the contrary, careless use of dummies may be a security risk. In the illustration above, some cryptanalytic conclusions can be based on the first six characters of the cryptotext y. This issue will become clearer if we assume that in the cryptosystem design the choice was u = c 9c 3 instead of u = c 9 . Then one is immediately to separate the suffix z of any cryptotext, generated by the letter c3 in u. This follows because c 3 generates only letters c 3, c 6, c 8 and, moreover, the last letter of any word generated by c9 is not among the three mentioned. In z all occurrences of c8 may be ignored, and parsing can be based on the morphisms s0 and s 1 determined by u 0 and u 1 .

For instance, z = c 3c 3c 3c 3c 6c 3c 3c 3c 3c6c3 can be analyzed as follows: s 0 (c 6c 6c 6c 3c 6c 6c 6c 3c 6) = z , s 1(c 3c 3c 6c 3c 3c 6c 3) = c 6c 6c 6c 3c 6c 6c 6c 3c 6 s 0(c 6c 3c 6c 3c 6) = c 3c 3c 6c 3c 3c 6c 3 , s 1(c 6c 6c 3) = c 6c 3c 6c 3c 6 , sl (c3c6) = c6c6c3 ' so(c3) = c3c6 .

The plaintext 011010 can be read from the indices of s. In many cases this decryption method might be even easier than legal decryption based on G!

5.3 Automata and Language Theory In the cryptosystem discussed in the preceding section the underlying problem belongs to the theory of formal languages. Cryptanalysis and legal decryption amount to parsing the cryptotext in a certain fashion. Parsing will be essentially easier if the secret trapdoor is known. We have discussed this cryptosystem in some

5.2 Automata and Language Theory

175

length, since quite a number of details are known about it. The cryptosystems presented in this section are based also on language theory and related areas. However, our discussion will now be more sketchy and brief. All details needed from the underlying areas will not be explained. Indeed, such an explanation is not necessary-for the overview. Quite many of the proposed public-key cryptosystems apply an idea that could be called encryption by coloring. A color is associated to each plaintext letter. Since we again assume that plaintexts are bit sequences, we use only two colors white (bit 0) and black (bit I). The public encryption key provides a method of generating arbitrarily many elements colored white, as well as arbitrarily many elements colored black. In the cryptosystems discussed here the elements are words. Bits are encrypted as words colored correspondingly. Of course, for different occurrences of the bit 0 (resp. l), different words colored white (resp. black) should be chosen. In an ideal situation it is an intractable problem to decide the color of a given word, whereas the knowledge of the trapdoor makes such a decision easy. Clearly, the public encryption key always gives a decision method that may be of unmanageable complexity: generate words of both colors by turns until you meet the one appearing in the cryptotext. All public-key cryptosystems based on encryption by coloring tend to increase word length unacceptably much. The number of words possible for the encryption of each bit has to be large, preferably potentially infinite. Otherwise, a cryptanalyst can generate all encryptions in advance and use a table look-up in order to encrypt. This leads to the somewhat paradoxical situation that to increase security one has to increase the expected ratio between cryptotext length and plaintext length. A typical public-key cryptosystem based on the idea of encryption by coloring applies the word problem for finitely presented groups, that is, groups with finitely many generators {a 1 , • . . , am} and finitely many defining relations wi =A.,

i

=

l, ... , n ,

where A. is the identity of the group and each wi is a word over the alphabet {a 1 ,a1 1 , . . . , am,a,;; 1 }. Two words x andy over this alphabet are termed equivalent iff there is a finite sequence of words X=

x0 ,

X 1, ... , X 1

= y

such that, for j = 0, ... , t - l, xi+ 1 results from xi by introducing or eliminating an occurrence ofwi, wi-t, zz- 1 or z- 1 z, where l :s; i :s; nand z is an arbitrary word. The word problem for a finitely presented group consists of deciding of an arbitrary word whether or not it is equivalent to the identity A.. (Clearly, x and y are equivalent iff xy- 1 is equivalent to A..) There are specific groups with an undecidable word problem. Such a group G is used as a basis for a public-key cryptosystem in the following way. Assume that G is determined by(*). The defining relations(*), as well as two nonequivalent words y0 and y 1 , are publicized as the encryption key. The encryption of a bit i is an arbitrary word equivalent to Yi- Thus, to encrypt the bit 0, the sender applies the transformation rules determined by(*) in an arbitrary fashion to y0 . This can, of course, be done already in advance: the sender generates a large

176

5. Other Bases of Cryptosystems

number of encryptions of both bits and keeps them in a safe deposit box until proper need arises. The decryption leads, at least in principle, to the word problem: one has to decide whether a word is equivalent to y0 or y 1 . The encryption method guarantees that each word under consideration is equivalent to exactly one of y 0 and y 1 . The secret trapdoor consists of additional defining relations such that the word problem will be easy for the resulting group G' but the words y 0 and y 1 are still nonequivalent. Thus, G' has the same generators as G but, in addition to(*), some other defining relations. One may always choose y 0 and y 1 as two generators of G, provided the new defining relations do not identify these generators. The new defining relations may, for instance, introduce some commutativity in order to make the word problem of G' easy. The applicability of the cryptosystem depends on the choice of the defining relations. In particular, the additional relations constituting the trapdoor are essential from the point of view of security. It is important to notice that it is not necessary for the cryptanalyst to find the additional relations actually used by the cryptosystem designer. Any relations such that the resulting group G" will have an ea.sy word problem and the two public words y 0 and y 1 are nonequivalent will do. This means that the cryptosystem designer has to be very careful in inserting the trapdoor. For instance, if G bas two generators a and b which are also used as the two public words, then the introduction of the additional defining relation bab- 1a- 2 =.A. induces commutativity in the form ba = a 2 b. Depending on the other relations, this might make the word problem essentially easier. Similar cryptosystems can be constructed using defining relations in connection with algebraic structures other than groups. No specific results, such as the complexity of cryptanalysis by preprocessing (that is, cryptanalytic setup is encryption key only) are known. The following public-key cryptosystem is based on hiding regular languages. As for systems based on iterated morphisms, cryptanalysis by preprocessing is provably N P-complete. (Observe the contrast to the basic knapsack system.) The system uses also dummy letters, as well as encryption by coloring. Some basics of automata theory are needed. They will not be explained here; the reader is referred to [Sal]. The language generated by a grammar G (resp. accepted by an automaton A) is denoted by L(G) (resp. L(A)). We present first a simplified version of the cryptosystem. Choose two arbitrary grammars G0 and G1 with the same terminal alphabet 1:, as well as a finite deterministic automaton A 0 over the same alphabet 1:. Make all final states of A 0 into nonfinal, and vice versa. Denote the resulting automaton by A 1 . Thus, the languages L(A 0 ) and L(A 1 ) are complements of each other. Construct grammars Gi such that L(Gi) = L(G;) n L(A;), for i = 0, 1 . The grammars Gi are easily obtained from G; and A; by the triple construction standard in language theory. The grammars G0 and G'1 are now publicized as the encryption key. Encryption by coloring is used: the bit i is encrypted as an arbitrary word in L(Gi). The

5.2 Automata and Language Theory

177

automata A; are kept as the secret trapdoor. An eavesdropper has to decide membership in L(Gi), which is an undecidable problem in general. The legal receiver decrypts by solving the easy problem concerning whether the cryptotext is in L(A 0 ) or L(A 1 ). System design guarantees that decryption is always unique. We are now ready for the full version of the cryptosystem. In fact, the complexity results mentioned below deal with the full version. We first define the morphic image of a grammar. Consider a grammar G, and let h be a morphism mapping each terminal letter of G into a letter (considered to be terminal) or the empty word, and each nonterminal letter of G into a letter (considered to be nonterminal). The morphic image h(G) of G consists of all productions h(rJ.)-+ h(p), where rJ.-+ pis a production in G. The start letter of h(G) equals the morphic image of the start letter of G. For grammars G 1 and G 2 , the notation G 1 s G 2 means that the set of productions of G 1 is a subset of the production set of G 2 • In the full version of the cryptosystem, A; and Gi are defined as above. Let Ll be a much bigger alphabet than 1:, and let G'( (i = 0, 1) be gammars with the terminal alphabet 1: and h a morphism such that h(Gi')

s

Gi .

The pair (G 0, G'{) constitutes the public encryption key. Also now encryption by coloring is used. As before, decryption will always be unique. To decrypt, the legal receiver applies the morphism h to one block of the cryptotext. If x is the resulting word, then the corresponding plaintext bit is 0 iff A 0 accepts x. One can show that cryptanalysis by preprocessing is an N P-complete problem in the following sense. Given (G0, G'{), it is N P-complete to find (h, A 0 ) such that the former pair may result from the latter pair and the additional items G0 and G 1 by the process described above. The other known public-key cryptosystems whose cryptanalysis by preprocessing is N P-complete are the system considered in Example 2.2 and the system based on iterated morphisms. Of course, this property does not guarantee security: the result says nothing about the complexity of cryptanalysis in general. The system based on hiding regular languages can be strengthened further by replacing the grammars G0 and G'{ with some equivalent grammars. Some specific method of generating equivalent grammars has to be considered. It is not clear whether this will constitute an essential strengthening. Finally, some public-key cryptosystems based on automata theory will be briefly mentioned. A sequential machine M is a finite automaton provided with an output. Thus, M translates an input word into an output word of the same length. The inverse M- 1 translates the output back to the input. Let k be a positive integer. The inverse M - 1 (k) with delay k operates in the following fashion. Let y be M's output to the input word x. After receiving as its input the word yu, where u is an arbitrary word of length k, M- 1 (k) produces the word wx as its output, where w is some word of length k. In the public-key cryptosystem, k and M- 1 (k) are publicized as the encryption key, whereas M is kept as a secret trapdoor. To encrypt the plaintext y, one chooses an arbitrary word u oflength k and applies M - 1 (k) to the word yu. To decrypt a c, the legal receiver ignores the first k letters of c and

178

5. Other Bases of Cryptosystems

applies M to the remaining word. In general, it is difficult to compute M from k and M- 1 (k). No specific complexity estimates are known. Cellular automata CA constitute a promising basis for public-key cryptosystems. The matter is not yet clearly understood. For instance, given a reversible two-dimensional cellular automaton, it is very difficult to find its inverse. In fact, there is no algorithm for finding the inverse within a time complexity bounded by a computable function. The public encryption key consists of a reversible cellular automaton CA and a natural number k. The plaintext is encoded as a configuration of CA and encrypted by applying CA k times to the configuration. The resulting configuration constitutes the cryptotext. The inverse CA- 1 constitutes the secret trapdoor. The legal receiver applies CA - 1 k times to the cryptotext.

5.4 Coding Theory Consider a situation where errors are likely to occur in the transmtsston of information. Noise in the information channel might be due to technical failures or negligence on the part of the sender or receiver. In coding theory it is assumed that errors occur randomly and independently. It is equally likely for the bit 0 to be incorrectly received as the bit 1, as for the bit 1 to be incorrectly received as the bit 0. In this basic setup there is no malicious adversary acting on purpose. The purpose of coding theory is to introduce redundance in such a way that even if errors occur in the transmission, the received message can still be correctly interpreted. Of course, some assumption has to be made concerning the number of errors; no amount of redundancy is sufficient to correct unboundedly many errors. More specifically, assume that d errors may occur in the transmission of a word w consisting of n bits. Thus, the received word w' differs from w with respect to at most d bits but the incorrect bits may occur anywhere in the word. Let C = {a 1 , . . . , ak} be a set of n-bit words ai such that any two of the a's differ with respect to at least 2d + 1 bits. Then C is referred to as a d-error correcting code. Indeed, ai can be correctly inferred from the received a;, since ai and a; differ with respect to at most d bits, whereas a; differs from any ai.j # i, with respect to at least d + 1 bits. Although decoding, that is recovering ai from a;, is always possible in principle, it might still be intractable computationally. In fact, the public-key cryptosystem described below uses the idea that the public-key leads to an intractable decoding problem, whereas the trapdoor enables the receiver to decode easily. Thus, coding theory and cryptography have opposite aims. In coding theory one tries to write the message in such a form that reasonably many errors can be tolerated in the transmission. In this sense the clarity of the message is increased. In cryptography, on the other hand, one tries to decrease the clarity in order to make the message incomprehensible for an eavesdropper. Because of these opposite aims it is difficult to combine the two approaches, although it would be very important to translate messages into a form protected both against eavesdroppers and random noise. For this purpose, the message should first be encrypted, after which

5.4 Coding Theory

179

an error correcting code should be applied to the result. A reverse order of these two operations is not meaningful for obvious reasons. Protection against both noise and an active eavesdropper seems to be impossible. Altogether the details of combining cryptography with coding theory are not yet properly understood. Such a combination is not intended in the public-key cryptosystem described briefly below. The system is due to McEliece and resembles knapsack systems, in particular, the ones based on dense knapsacks. The cryptosystem uses d-error correcting Goppa codes. Such a code {a 1 , . . . , ak} is based on a polynomial of degree d irreducible over the finite field F (2m). It can be represented in terms of a binary k x n generator matrix M, where n =2m. The cryptosystem designer chooses arbitrary binary matrices Sand P such that Sis a nonsingular k x k matrix and Pan n x n permutation matrix. The product M ' = SMP is understood as a binary matrix, where all numbers are reduced modulo 2. The crucial fact is that M' at least looks like the generator matrix for an arbitrary linear code. No tractable decoding algorithms are known for linear codes, whereas Gappa codes are easy to handle. The cryptosystem designer publicizes M' as the encryption key but keeps S, M and P as the secret trapdoor. From the trapdoor information also the inverses s- 1 and p - 1 can be immediately computed. A plaintext block w consisting of k bits is encrypted as c = wM'(dJb,

where b is an arbitrary binary n-dimensional vector with exactly d components equal to 1 and tB denotes bitwise addition. Vectors b are chosen by the sender separately for each block w. The legal receiver knows that M ' = SM P and computes cP- 1

= wSM tB bP- 1 •

Since Pis a permutation matrix, exactly d components of bP- 1 equall. Hence, the error vector bP- 1 can be removed by the decoding technique of Gappa codes, yielding wS. From this w is immediately recovered by multiplying with s- 1 • An eavesdropper faces the problem of decoding an apparently linear code. Decoding for linear codes is an N P-complete problem. Cryptanalysis by preprocessing appears hopeless if n and d are large enough: there are too many possibilities for M, S and P. For instance, if n = 1024 and d = 50 there are approximately 10149 possible polynomials that can be used as a basis for a Gappa code. The parameters are tied by the formula k = 2m - md = n - md. Assuming that the inversion of a k x k matrix requires k3 steps, the time complexity of brute force cryptanalysis by preprocessing can be estimated as

For n = 1024 and d =50, this gives the value 280 · 7 . It can be shown that the probability for the existence of more than one trapdoor is negligible.

Chapter 6. Cryptographic Protocols: Surprising Vistas for Communication

6.1 More than Etiquette A protocol usually refers to customs and regulations dealing with diplomatic formality, precedence and etiquette. Typically, a protocol determines a map for seating the participants, or the order of speeches. It has happened that an international conference has spent most of the time while arguing about the seating protocol. A cryptographic protocol constitutes an algorithm for communications between different parties, adversaries or not. The algorithm applies cryptographic transformations and is usually based on public-key cryptography. However, the goal of the protocol is usually something beyond the simple secrecy of message transmission. The communicating parties might want to share parts of their secrets to achieve a common goal, or to join their forces in order to disclose a secret not known to any of the parties separately. Two parties distant from one another might want to generate together a random sequence. One party might also want to convince another that he/she is in the possession of some information, without disclosing anything of the information itself. Protocols realizing such goals have considerably changed our ideas about what is impossible when several parties, adversaries or not, are communicating with each other. Protocols are designed with a specific goal in mind. Both the security properties of the underlying cryptosystem and those of the protocol itself have to be taken into consideration in the evaluation of the protocol. Intuitively, a protocol is at most as secure as the underlying cryptosystem but the security of a protocol can be much lower. For instance, consider the following very general task. A private conversation should be established between two individual users of an information system or a communication network. No assumptions are made concerning whether or not the two individual users ever communicated before. The basic idea behind publickey cryptography can be used to solve this problem. The resulting protocol is very simple and consists of the following two steps. First, all users publish their encryption key. Secondly, messages intended for a user A are encrypted by A's encryption key. In this case the underlying cryptosystem might be secure but the protocol as such still does not prevent the possibility of impersonating: Some user C might pretend to be the user B when sending messages to A. To prevent the occurrence of such situations, some convention of signing messages has to be added to the protocol.

182

6. Cryptographic Protocols: Surprising Vistas for Communication

When separating security properties of the underlying cryptosystem from those of the protocol, the possible adversaries should be kept in mind. In most communication protocols, an adversary belongs to one of the following three types. (1) Communicating parties who try to cheat. We will meet later two types of cheaters, passive and active. (2) Passive eavesdroppers. They are otherwise harmless but may obtain information not intended for them. (3) Active eavesdroppers. Besides obtaining secret information, they may mess up the whole protocol. In the simple protocol above, the user C who tries to impersonate B can be classified to belong to the type (3). For an example of an adversary of the type (1), consider the protocol in Example 2.3 for playing poker by telephone. Assume, further, that encryptions and decryptions are carried out by modular exponentiations and taking discrete logarithms, respectively. (In Example 2.3 the encryption and decryption methods were left unspecified.) More specifically, assume that the players A and B have agreed on a large safe prime p and on the representation of the cards as numbers from the interval [2, p- 1]. Each player chooses privately encryption and decryption exponents satisfying

e,,.d,4

=e d =1 (modp- 1), 8 8

after which encryption and decryption are carried out modulo p. However, the property of being a quadratic residue (mod p) is preserved in this encryption. If the dealer notices that the numerical representation of each ace is a quadratic residue, only nonresidues are dealt to the opponent and residues to the dealer. The dealer now knows that the opponent has no aces. It is also clear that all hands are not equally likely. Even in the case of a modulus n such that quadratic residuosity (mod n) is intractable, the dealer can trace the progress of a perfect square (mod n) through the execution of the protocol. Usually it is very difficult to establish mathematical theorems about the security of a protocol as such or with respect to the security of the underlying cryptosystem. One should examine methods by which the security properties of protocols can be defined and established, as well as by which the impossibility of a protocol meeting certain requirements can be proved. The same issues are met also in the analysis of ordinary algorithms. However, cryptographic protocols are different from ordinary algorithms in that each participant has some computational power (that might vary from participant to participant) and is able to make inferences. This means that a participant may combine a priori knowledge and the knowledge acquired so far with the information contained in the messages just received. The new message to be sent depends on this combined knowledge. The following modification of a popular game illustrates these issues. The participants, arbitrarily many, form a chain. The first and last member know their positions. Moreover, each member knows the next member in the chain. During the first phase of the protocol the first member sends the number 2 to the second, and any other member adds 1 to the number received and sends the resulting number further, with the exception of the last member who does not send anything

6.1 More than Etiquette

183

further. After this phase every member knows his/her ordinal number i. The second phase of the protocol consists of a transmission of a message w consisting of a string of letters over the English alphabet. The message w is originally in the possession of member 1. After receiving a message w', the member i applies CAESAR(i) to the first letter of w', transfers the resulting letter to the end of the word, and sends the new word to the next member. Again, the last member does not send anything. If there are altogether seven members, then the plaintext w =SAUNA is transformed as follows: SAUNA-+ AUNAT-+ UNATC-+ NATCX-+ ATCXR-+ TCXRF-+ CXRFZ After receiving the word CXRFZ, the seventh member is immediately able to decrypt, and so are all members. Clearly, this protocol is very vulnerable against adversaries of all of the three types (l)-(3). A protocol for sending encrypted messages, where the receiver acknowledges the receipt, can be described as follows. The encryption keys EA, EB, . . . have been publicized, whereas each of the decryption keys D A• DB, ... is known to the appropriate user only. According to the protocol, the sending of a message w from A to B is carried out in two steps. Step 1: A sends the triple (A, E8 (w), B) to B. Step 2: B decrypts using DB and acknowledges by sending the triple (B, EA(w), A)

to A. An active eavesdropper C may now intercept the triple in Step l and forward to B the triple (C, EB(w), B). Without noticing the trick, B sends in Step 2 the triple

(B, Ec(w), C) to C, after which C is able to decrypt! Even the following version,

where also signatures are provided, does not essentially alter the situation. Step 1: A sends the pair (EB(EB(w)A), B) to B. Step 2: B uses DB to find A and w and acknowledges by sending the pair (EA(EA(w)B), A) to A.

Here the functions E and D are assumed to operate on numbers. The names A, B, ... are sequences of digits, and EB(w)A is the sequence of digits obtained by catenating EB(w) and A. An active eavesdropper C may now intercept the pair (EA(EA(w)B), A) in Step 2. Thus, C knows EA(w'), where w' = EA(w)B. C now sends A the pair (EA(EA(w')C), A) and A, thinking that this is Step l of the protocol, acknowledges by sending the pair (Ec(Ec(w')A), C) to C. C now finds out w' and hence also EA(w) by using De, after which C sends the pair (EA(EA(w)C), A) to A. After A has acknowledged by sending the pair (Ec(Ec(w)A), C) to C, Cis able to compute w. Of course, A may learn about the interception and be more cautious by keeping

a detailed record of messages sent and received.

184

6. Cryptographic Protocols: Surprising Vistas for Communication

We discuss finally in this section a signature scheme based on the identities i of users in a network. The identity i can be based, for instance, on the user's name and network address. The identity should identify the user and be available to the other users. It serves the purpose of a public encryption key. The scheme assumes also the existence of a trusted agency, whose sole purpose is to give each user a secret number x, based on the user's identity i. This happens when the user joins the network. More specifically, let n, e and d be as in RSA, and f be a one-way function of two variables. The items n, e and f are made public, but d and the factorization of n are known only to the agency. The secret number given by the agency to the user with the identity i is x = (id, modn). The user's signature for a message w is any pair (s, t) such that (*)

Given a triple (w, s, t), this condition can be verified by the other users because i, n, e and fare public information. On the other hand, a user can generate a signature (s, t) for a message w by choosing a random number r and computing t = (re, mod n)

and

s = (xrf

B2.s• B4,11• Bs,9•

B2,9• Bs,s• B1o, 11 ·

All of these boxes contain 0, as they should.

0

The following protocol is different in the sense that lockable boxes are not used, although they are present implicitly. P wants to convince V that he knows an isomorphism g between two given graphs G1 and G2 . (By definition, an isomorphism between G1 and G2 is a 1-to-1 mapping n of the nodes of G1 onto the nodes of G2 that is also edge-invariant: any nodes x and y are adjacent in G1 iff n(x) and n(y) are adjacent in G2 .) The protocol consists of k rounds of the following three steps. Step 1: P generates and tells V a random isomorphic copy G11 of G 1 •

6.7 Convincing Proofs with No Details

207

Step 2: V asks P to tell her an isomorphism between G" and Gp, where she has chosen P from the indices 1 and 2. Step 3: P acts as requested. If P knows an isomorphism between G1 and G2 , Step 3 will always be easy for him because he knows also the inverse of the isomorphism of G1 onto gセN@ Otherwise, P is in trouble if p = 2. One might think that the Verifier learns something if, for instance, G" = G2 and P= 1. The point is that V does not get any information she could not have obtained without the Prover: she could have hit such a fortunate random copy G" herself! The problem of graph non-isomorphism is in Co-NP but it is not known whether it is in NP. Of course, it is in P-SPACE. Using the following simple protocol, P can convince V that he knows that the graphs G0 and G1 are not isomorphic. Step 1: V generates a random sequences of bits i 1 , • . . , ik and random graphs Hit' .. . , Hik such that always Hi 1 is isomorphic to Gi1 • V tells P the sequence of graphs Hv Step 2: P tells V the sequence of bits i 1 ,

•.. ,

ik.

Clearly, P has no way of knowing the sequence of bits if the original graphs G0 and G1 are isomorphic. In this case, the probability of P getting caught in Step 2 equals 1 - 2-k. If G0 and G1 are not isomorphic and P has enough computing power to settle the problem of graph isomorphism, V will be convinced. According to a very recent result of A. Shamir, P-SPACE is the collection of problems possessing such an interactive proof. More specifically, P has unlimited computing power but V works in polynomial time and has to become convinced with arbitrarily high probability. The result is particularly interesting because a proposed solution for a problem in P-SPACE cannot necessarily be checked in polynomial time. Thus, interaction constitutes here the missing link. Let us now discuss a possible way of constructing lockable boxes. It is no loss of generality to assume that each box contains only one bit. If it is originally supposed to contain more information, it can be replaced by several boxes that are opened simultaneously. The method described below is based on the assumption that the computation of discrete logarithms (mod p) is intractable. First a large prime p and a generator g of F*(p) are publicized. This means either that P and V agree about p and g or, more generally, that p and g can be used by all parties wishing to engage in minimum disclosure proofs. If there is any doubt of p and g actually being a prime and a generator, we may assume that also the factorization of p - 1 is known, whence the facts concerning p and g can be immediately verified. At the beginning V chooses and tells P a random number r, 1 < r < p - 1. P cannot compute the discrete logarithm of r (mod p), that is, an integer e such that g" = r (mod p). This follows by our assumption concerning the intractability of

208

6. Cryptographic Protocols: Surprising Vistas for Communication

computing discrete logarithms (which is not essentially simpler even if the factorization of p - 1 is known). In order to lock a bit b into a box, P chooses a number y randomly and secretly and tells Vthe "box": x = (rbgY, mod p). Clearly, any element ofF *(p) is of the form (gY, mod p), as well as of the form (rgY, mod p). This implies that x does not reveal anything of the locked bit b. When P wants to open the box for V, he tells V the "key", that is, y. This does not help V in any way to open other boxes. On the other hand, this method forces P to commit himself to the bit b. He cannot open the box both as 0 and 1. Suppose the contrary: P can choose two numbers y and y' such that (gY, mod p) = (rgY', mod p) ,

and then later announce y or y' as the key to the box, depending on whether he wants 0 or 1 to appear in the box. But now r

=gy - y' (modp)

and, consequently, P is able to compute the discrete logarithm of r, which contradicts our assumption. This means that, when locking the bit b into the box, P has committed himself to b and cannot later change b.

6.8 Zero-Knowledge Proofs We now make a further restriction against the verifier. While we required in the previous section in the condition II that V learns nothing from P's proof, we now require that V learns nothing whatsoever. By definition, a protocol is zeroknowledge iff I and II are satisfied and, moreover, V learns nothing from P that she could not learn by herself without P. In other words, V is able to simulate the protocol as if P were participating although he, in fact, is not. In this definition we assume the existence of one-way functions (in order to construct lockable boxes). Let us consider another N P-complete problem, namely, the construction of a Hamilton cycle in a graph G. By definition, a cycle (that is, a path with the same start and end nodes) in a graph G is a Hamilton cycle iff it passes through all nodes of G exactly once. The Prover, P, wants to convince the Verifier, V, that he knows a Hamilton cycle in a graph G with t nodes 1, . . . , t. The protocol has again k rounds. Each round consists of 4 steps and proceeds as follows. Step 1: P locks the t nodes of G in a random order into t boxes B 1 ,

Moreover, P prepares (

セI@

•• . ,

B,.

locked boxes Bii• 1 :::;; i < j :::;; t. The box Bii contains the

number 1 if there is an edge in G between the nodes locked in boxes Bi and Bi. If there is no edge between these nodes, Bii contains the number 0. P gives all boxes to V. Step 2: V flips a coin and tells P the outcome.

6.8 Zero-Knowledge Proofs

209

Step 3: (a) If the outcome was "heads", P opens all the boxes. (b) If the outcome was "tails", P opens t boxes Bhi 2 , Bi 2 h, .. . , Bi,h• where the indices run cyclically and every index appears exactly twice. Step 4: (a) V verifies that she got a copy of G. The verification will be easy for her

because the opened Bi-boxes tell her the isomorphism used. (b) Vverifies that all of the opened boxes contain the number 1. Everything said about the protocol concerning 3-colorability (before Theorem 6.2) is valid also now: the protocol above satisfies the conditions I and II. Let us now show that the protocol is also zero-knowledge. Assume that V has an algorithm A (running in random polynomial time) to extract some information from her conversation with P. In the following way V can use A to extract the same information even in the absence of P. V first plays the role of P. She flips a coin and, according to the outcome, she either applies an isomorphism to G and locks the result in boxes, or else locks an arbitrary t-cycle in boxes and, just for the fun of it, puts some numbers in other boxes to make the total number of boxes correct. Now, having received the boxes, V plays the role ofV. She applies her algorithm A to decide the choice between (a)- and (b)-lines. She either gets the same information as in the presence of a true prover P or learns that P is a false prover. V can do everything in polynomial time. The same argument applies also to the protocol concerning 3-coloring. Hence, we obtain the following result.

Theorem 6.3. The given protocols for 3-coloring and Hamilton cycles are zeroknowledge.

Consider the way of locking the boxes presented at the end of Section 6. 7. Then V does not gain anything from the way P commits himself to specific bits or opens the boxes. The boxes are simulatable in the sense that V can do everything just by herself without P being available at all. This concerns both locking and opening the

boxes. The situation is different if the k rounds of the protocol are run in parallel. This will be discussed later on in this section. Suppose P knows a positive solution for a problem in N P, for instance, a solution to a knapsack problem. (Here the term "positive" is to be contrasted with "negative": no solution exists. Our technique is straightforward for positive solutions. Zero-knowledge proofs are possible for negative solutions as well. For instance, a proof that a given knapsack problem possesses no solution has to be carried out within a suitable formalism.) Both of the problems discussed in Theorem 6.3 are N P-complete. This means that any instance of a problem in N P, such as an instance of the knapsack problem, can be reduced in polynomial time to either one of them. This reduction can be carried out also by the Verifier. This result will be stated in the following theorem.

210

6. Cryptographic Protocols: Surprising Vistas for Communication

Theorem 6.4. Every positive solution for a problem in N P can be given a zeroknowledge proof

An interesting variation is obtained if all k rounds in the protocols of Theorem 6.3 are carried out in parallel. This means that P prepares at once k sets of locked boxes, and V asks k questions, one for each set. Assume that V uses the k sets of locked boxes to formulate her questions, for instance, by interpreting the k sets as k numbers, applying a one-way k-place function to these numbers, and using the first k bits of the function value to determine the questions. Then it is conceivable that, although the dialogue might contain no information about P's secret, still the dialogue could not be reconstructed without P. In other words, V could convince a third party about the secret's existence, although she could give no details concerning the secret. In fact, in this parallel version V is not able to simulate k rounds in polynomial time. If the zero-knowledge character is to be maintained even in the parallel version of the protocol, then V should be able to open a locked box both as 0 and as 1. This is precisely what Pis not able to do, and the situation can be achieved in some cases if V has additional information. More specifically, we say that the locked boxes are (or the method of locking information into the boxes is) chameleon iff V can simulate whatever she would have seen in the process by which P commits himself to bits and, moreover, V can simulate both the process by which P opens a box as a 0 and the process by which he opens it as a 1. The boxes based on the discrete logarithm, as described at the end of Section 6.7, are not chameleon. If V, instead of P, chooses the number y, she still cannot open the box for both of the bits. This means that the protocol should not be performed in parallel if it is to be zero-knowledge. This can be seen by the following argument. Assume that V gives the number (2ge, mod p) = r toP, where she has chosen e by herself. This means that a box locked by P looks like (rbgY, mod p) = (g each of them being a sequence oft bits. The buyer B has decided to buy the secret s;.

s1,

Step 1: A gives B a cryptographic one-way function f, mapping t-bit numbers onto t-bit numbers, but keeps the trapdoor and thus also f- 1 to herself. She also gives B a sequence x 1, ••• , xk consisting of k t-bit random numbers. Step 2: B chooses at-bit random number a and computes f(a) . He gives A the number a =X; XOR f(a). Step 3: For j = 1, ... , k, A computes the number

yj =sjXORj- 1(aXORxj) and gives the sequence of numbers yj to B . Step 4: B learns s; by computing y; XORa. Indeed,

y; XORa = s; XOR f- 1(x; XORJ(a) XORx;) XORa =s;XORf- 1(/(a))XORa =s;XORaXORa =s;. It is obvious that the protocol guarantees security for B. The only information B gives to A is the number a= X; XOR j(a). However, because a is randomly chosen, a looks completely random from A's point of view. This means that A cannot learn anything about i . It is not so obvious that the protocol is secure for A. After all, A gives all the secrets sj to B , encrypted as yj. If B has followed the protocol honestly and chosen the number a randomly, then a XORxj is random, and thus the probability of B learning f- 1(a XORxj) is negligible. Therefore, B cannot learn Sj for j =fo i. However, if B is dishonest, he might try to learn two secrets s; and Sj by finding two numbers b 1 and b2 such that

f(bz) XOR j(bt) = Xj XORx;. If he succeeds in finding such numbers b 1 and b2, he takes a = b 1• B then learns s; as before but now also

f- 1(aXORxj) = f- 1(j(b 1)XORx;XORxj) = f- 1(/(bt)XORJ(bz)XORJ(bt)) = bz and, consequently, B learns Sj as well. This means that it should not be possible for B to find numbers b 1 and b2 as required. The cryptographic function f has to satisfy some additional rather natural requirements. Indeed, the encryption function of an RSA system seems to possess all properties needed, [Renv]. This concludes our discussion about the method of eligibility tokens. The essence of the mathematical problem amounts to constructing a proper protocol for secret selling of secrets. Here "proper" means that the security issues are

224

6. Cryptographic Protocols: Surprising Vistas for Communication

taken care of and also that no secret is sold to two buyers. We still mention that in the protocol above the random numbers Xj can be replaced by a second one-way function g. The details are left to the reader. We discuss next a secret balloting system based on the method of encrypted votes. We consider here a network, referred to as the public file. Also persons who are not legal voters might have access to the public file. In the method of encrypted votes, the voters cast their votes publicly but in an encrypted form. Thus, we assume that the government has a way of telling whether or not a message in the public file stems from a legal voter; the legality of voters has to be checked in every election. The officials of the election, referred to also collectively as the government, consist of the control C and scramblers S;, i = 1, ... , k. According to the protocol, the different parts of the government should follow certain rules. Nothing can be done against such a rotten government, where all parts are dishonest. However, if only one of the scramblers follows the protocol honestly, a fraud of the other parts will be disclosed. An individual voter may feel secure if she trusts one of the scramblers, say, a representative of the voter's own political party. In this sense, one swallow makes the spring! The protocol operates on a certain basic domain, a finite set whose cardinality is much bigger than the total number of voters. Both the encrypted votes and the "plaintext" votes are elements of the basic set. Each of the scramblers commits himself publicly to a scrambling strategy. The latter is a permutation of the basic domain, satisfying certain additional requirements. The protocol is so designed that the election result is unreadable from the set of (encrypted) votes, but it will become readable after each of the scramblers has scrambled the set according to his particular strategy. The original set of encrypted votes is a subset of the basic domain, and so is the set after the work of each scrambler. The tally can be computed from the set after the last scrambler has applied his strategy. Thus, the voters first cast their votes in an encrypted form, giving rise to a list X0 of elements of the basic domain. For i = 1, ... , k, the scrambler S; applies his strategy to the list X;-I. producing another list X; of elements of the basic domain. The election result can be computed from the list Xk. The link between a voter and the element she contributed to the list X0 is known to C. However, the link is broken latest after the work of the honest scrambler. We have now described how everything is supposed to work. Let us go into details. The basic domain will be the set F* (q) of nonzero elements of a finite field F(q), q =ph, where p is a large prime. Our overall cryptographic assumption will be that discrete logarithm is intractable. Let g be a generator of the set F*(q). The numbers g and q are public knowledge. Consider a scrambler S. His scrambling strategy will be a number a, indicating that S will replace each element t of F* (q) by ta. S discloses his commitment to the strategy by publicizing the number ga. By our assumption about the intractability of the discrete logarithm, the commitment does not disclose the scrambling strategy itself. On the other hand, publishing ga is a commitment for S: S cannot later scramble t to tb, b =/= a, because ga =/= gh .

6.10 Secret Balloting Systems Revisited

225

An important property of the scrambling strategies thus defined is commutativity: it is immaterial in which order the scramblers apply their strategies. This is an immediate consequence of the commutativity of exponentiation: (ta)b = (tb)a. In fact, we could take a more general approach and consider an arbitrary basic domain rather than F*(q). Then, in view of the voting protocol, the requirements concerning scrambling strategies would be that all strategies come from a commutative pool and commitments do not give away the strategies. We still have to tell how the "plaintext" votes (elements of the set Xk> according to the notation above) are associated with the candidates. Plaintext votes are elements of the basic domain T which is a huge set. We define a mapping