Shamir 1981

Download Shamir 1981

Post on 13-Oct-2015




0 download

Embed Size (px)


<ul><li><p>5/23/2018 Shamir 1981</p><p> 1/7</p><p>ON THE GENERATION OF CRYPTOGRAPHICALLYSTRONG PSEUDO-RANDOM SEQUENCES</p><p>Adi ShamirDepartment of Applied MathematicsThe Weizmann Institute of Science</p><p>Rehovot, Israel</p><p>Abstract</p><p>In this paper we show how to generate from a short rando m seed S a long se-quence of pseudo-random numbers R i in which the problem of computing one more R ivalue giv en an arbitrarily large subset of the other values is provably equivalen t tothe cryptanalysis of the associated Rivest-Shamir-Adleman encryption function.</p><p>I Introduction</p><p>The simplest and safest cryptosystem is undoubtedly the one-time pad, inventedby G. S. Vern am in 1917. Its secret key is a long sequence of randomly chosen bits.A cleartext is encry pted by XOR'ing its bits with an initial segment of the key, andthe resultant cypher text is decrypt ed by XOR'ing its bits again with the same seg-ment. Each segment is deleted afte r a single use, so that the key is graduallyconsumed (see Fig. I). It is easy to show that with out kn owing the relevant segmentof the key, a cryptana lyst cannot de termin e the cleartext, and thus the sys tem issecure in theory as well as in practice.</p><p>i 2cleartexts: i i 0 0 1 0 0 0 1 1 ...</p><p>key: 0 1 0 0 1 0 1 1 0 1 0 ...</p><p>cyphertexts: 0 0 1 0 1 1 1 1 0 0 1 ...i 2</p><p>Fig. i</p></li><li><p>5/23/2018 Shamir 1981</p><p> 2/7</p><p>~</p><p>The main drawback of one-time pads is the huge key which has to be generated,distributed and stored by the communicating parties in complete secrecy. In practice~this truly random key is replaced by a pseudo-random running key derived during theencryption/decryption process from an initial seed by a sequence generator such as ashift register with non-linear feedbacks. The seed (which is a relatively shortrandomly chosen number describing the initial state of the sequence generator) is theonly secret element in this scheme, and it can be used in the encryption of an almostunbounded number of cleartexts.</p><p>In order to be cryptographically strong, the pseudo-random running key must beunpredictable. The main problem is to guarantee that even when the cryptanalystobtains long segments of the running key (by XOR'ing together known cleartext/cypher-text pairs) he should have no knowledge whatsoever about any other segment. Note thatthe long running key is deterministically generated from the short seed, and thuspure information-theoretic ambiguity arguments become inapplicable once the crypt-analyst obtains enough segments.</p><p>The notion of cryptographic knowledge is notoriously slippery, and it can bedefined in any one of the following forms:</p><p>(i) The classical notion: the ability to retrieve the desired value frommemory.</p><p>(ii) The complexity-theoretic notion: The ability to compute the desired valuewithin certain time and space complexity bounds.</p><p>(iii) The information-theoretic notion: the ability to sharpen the a-prioriprobability distribution of candidate values.</p><p>The analysis of pseudo-random sequences in this paper is based on definition (ii).Consequently, we do not analyse the statistical biases and autocorrelations of oursequences, and we do not consider the possibilXty of obtaining partial informationabout some sequence elements (e.g., that their sum is always even). This is admitted-ly a simplified version of reality, but it is the only one about which we were ableto get concrete results. One of the most challenging open problems of cryptographyis to develop a unified theory of knowledge that analyses the information/complexitytradeoffs of cryptographic systems - how much information can be gained by investinga given amount of computational resources.</p><p>While one can argue heuristically that almost any sequence generated by a com-plicated multipass randomizing procedure is likely to be cryptographically secureunder definition (ii), the challenge is to generate a sequence which is provablysecure. At this stage, complexity theory lacks tools for proving the absolutedifficulty of computational tasks, and thus a more realistic goal is to developpseudo-rando m sequence generators which are secure modulo some plausible but unprovedassumption (such as NP # P , the existence of one-way functions, or the difficulty</p></li><li><p>5/23/2018 Shamir 1981</p><p> 3/7</p><p>5 6</p><p>of factoring integers). By clearly indentifying the fundamental sources of securityand insecurity, such an analysis can put cryptocompl exity on a firmer theoretica lbasis even when the underl ying assumptions are not known to be true.</p><p>II. Schemes Based on One-Wa y Functions.</p><p>The purpose of this section is to illustrate the trickiness of formal proofs ofsecurity by analysing some simple schemes ba sed on the notio n of one-way functions.To simplif y the analysis, we axiom atica lly assume that these functions are permuta -tions on some finite univers e U , that they are everywh ere easy to compute, and thatthey are everywhere difficult to invert (more details on this axiomatic approach canbe found in Shamir [1980]).</p><p>Given a one-way function f , we can generat e a long pseud o-ran dom sequen ce ofelements in U by apply ing f to some standa rd sequenc e of arguments derived fromthe initial s eed S . This sequence can be as simple as</p><p>S , S+I , S+2 , ...and the crypta nalys t is assume d to kno w f and the general nature of the sequence,but not S . The values of f(S+i) are consid ered as indivisi ble objects rather thanas bit strings, since we want to avoid problems of partia l knowled ge about them. Notethat unli ke the output of shift registers w ith feedbacks, these sequences do not sufferfrom error propagation problems, since each element is computed separately from itsindex and the seed.</p><p>The difficul ty of extrac ting S from a sin ~ e value of f(S+i) is guarant eedby the one-way nature of f . However, withou t further assumption on f one cannotformally prove that S cannot be extrac ted fr om pairs of values (such asf(S), f(S+l)) Furthermor e, f may be degene rate in the sense that some of itsvalues may be directly computable from other values without computing S first. Asimple example which shows that good one-way functions can be misused as sequencegenerators is suppli ed by the RSA encry ption function (Rivest, Sh amir and Adlem an[1978]):</p><p>EK(M) = ~ (rood N)This function is believed to be one-way with repsect to the key K when the messageM and the modulus N ~re known, but its application to the standard sequence</p><p>M = 2, 3, 4, 5, 6, ...generates the sequence</p><p>2K(mod N) , 3K(mod N) , 4K( mod N) , whi ch the third element is just the squar e (mod N) of the first element, thefifth element is just the produ ct (mod N) of the first two ~lements, etc. Thismultiplicati ve degeneracy makes the sequence insecure even though the secret seed Kremains unknown.</p></li><li><p>5/23/2018 Shamir 1981</p><p> 4/7</p><p>5 7</p><p>A variant of this scheme avoids the problem of multiplicati ve degeneracy byusing the sequence of primes as the standard sequence:</p><p>M = 2, 3, 5, 7, ii, ...Is the generated sequence secure? We conjecture that it is, but without knowing allthe potential degeneracies of the RSA function, we are unable to prove any formalequiv alen ce betw een the diffi culty of comp uting K from 2 (mod N) and (e.g.) thediffic ulty of compu ting 5 (mod N) from 2 (mod N) and 3 (mod N) .</p><p>Anothe r way (proposed by Rivest [1980]) in which long sequences may be generatedfrom one-way functions is to iterate their application to the secret seed S . Theresultant sequence:</p><p>f(s) , f2(S) = f(f(S)), f3(S) = f(f(f(S))) .. easy to extend in the forward direction (by applying f), but hard to extend back-ward s (by appS ying f-l) . If we pick two secret seeds R and T , generate the twosequences fi(R) and fi(T) and XOR pairs of their elements in opposite directions:</p><p>fl(R) O fn(r) , f2(R) ~ fn-l(T) ,... ,fn(R) @ fl(T) ,we get a sequence which seems to be hard to extend either forwards or backwards. Thiscan be formally proved in the following special case:Lemma I: If f is a one-way function, t hen a new element of the seque nce cannot becomputed from a single known element.Proof: By contradiction. Ass ume that for some i j , fi(R) @ fn-i(T) can be com-puted from fJ(R) fn-J(T) for all choices of the unkno wn seeds R and T . Ourgoal is to show that given an arbit rary S , f-l(s) can be easily computed, andthus f is not a one-w ay function.</p><p>With out loss of generality, we assume that i &lt; j . We pick a rando m T , andcomput e S fn-J(T) . Since f is invertible, there is some (hard to compute) Rsuch that S = fJ(R) . By assu mption, from S ~ fn-J(T) = fJ(R) fn-J(T) we cancomp ute fi(R) ~ fn-i(T) = fi-J(s) fn-i(T) . Knowi ng T , we can compute fn-i(T)and thus isola te fi-J(s) . Since j-i is positive, we can easily apply f j-i-itimes to fi-J(s) to get:</p><p>fJ-i-l(fi -J(s)) = f-l(s )and this is the desir ed result.</p><p>Q.E.D.Unfortunately, the XOR operator which scrambles the two sequences together makes</p><p>it impossible to prove any formal result in more complicated cases. For example, wedo not kno w how to prove that f2(R) @ f2(T) cannot be computed from fl(R) ~ f3(T)and f3(R) fl(T) if we only assum e that f is hard to invert.</p><p>In view of these difficulties, it is quite remarkable that for one particularpseudo-r andom sequence generator based on the RSA function, we can formally prove thatno matter how many sequence elements the cryptanalyst gathers, the task of computingone more element~:remains just as diffiuclt. The scheme and its proof are descr ibed</p></li><li><p>5/23/2018 Shamir 1981</p><p> 5/7</p><p>548</p><p>in the next section.</p><p>III. T he Pr op os ed Scheme.</p><p>The RSA public-key encryption function with modulus N maps the secret cleartextM under the public ly know n key K to ~ (mod N) . The correspo nding dec ryptionfunction recove rs th e clearte xt by taking the K-th root of the cypher text (mod N) .The cryptographic security of the RSA cryptosys tem is thus equivalent by definitionto the difficul ty of taking roots mod N . When N is a large compos ite numbe r withunknown factorization, this root problem is believed to be very difficult, but whenthe factor izatio n of N (or Euler' s totient function ~(N)) is know n and K isrelatively prime to ~(N) , there is a fast algo rith m for solvin g it.</p><p>Each pseudo-rand om sequence generator consists of a modulus N and some standardeasy-t o-gen erate seque nce of keys KI,K2, ... such that ~(N) and all the Ki'sare pairwi se re lativel y prime. As far as we know, the difficulty of the root probl emis deter mined by the choice of N but not by the choice of the K.'s and thusIalmost any segment of odd primes (e.g., 3,5,7,11, ...) can be used as the standar dsequence.</p><p>To actually generate a pseudo-random sequence of values RI ,~ , .~. , the twoparties choose a rando m seed S and use their knowle dge of ~(N) to compute thesequence of roots:</p><p>I/K I/K 2h = S (mod N) , ~ = S (mod N) .. .. .</p><p>The security of this scheme depends only on the secrecy of the factor izatio n of N ,and thus we can assume that every one (including the cryptanalyst) knows N , S andall the Ki's . Our goal is to prove that the complexi ty of the root prob lem remainsuncha nged even when some of the other roots of the same S (mod N) are given forfree. With out loss of generality, it is enough to consi der the following pair ofproblems:</p><p>(i) Give n N and S , comp ute R I (ii) Give n N, S, R2, ... R% , comput e R I </p><p>(The sequen ce of Ki's and the value of ~ are assumed to be fixedparamete rs in these problems).</p><p>Since the difficul ty of the root problem s fluctuates wildl y as N goes from Ito infinity, we would like to establish the equivalence between the security of theRSA cryptosystem and the complexity of our pseudo-random sequences for each value ofN rather than asymptotically. To deal with these finite problems, we have to con-sider their boolea n circuit complexities. Unfortunately, for each partic ular Nthere exists a small circuit that stores the factori zation of N and uses it tosolve all the root problems mod N efficiently. To overcom e this difficulty, we lump</p></li><li><p>5/23/2018 Shamir 1981</p><p> 6/7</p><p>5 9</p><p>togeth er all the modu li N of the same binar y size n and claim:</p><p>Theo rem 2: There is a fixed polyno mial P(i,n) such that for any number Z of know nroots, for any size n of the modulu s, and for any circuit CZ, thatsolves all the instances of prob lem (ii) of size n , there exists anoth er circuit</p><p>of size at most IC~,nl + P(,n) that solves all the instances of pro ble m (i) ofCsize n .</p><p>The peculiar property of the RSA encryption function that makes the proof of thistheorem possible is:</p><p>Lemma 3: There is a polyn omial size circuit t hat computes from N , A 1 ,..., A ,~l(mo d .. ~ AS N) ,. , S mod N) the value of S (mod N) wh ere Ao = gcd(A ,..., A)</p><p>Proof:that</p><p>A = AIB I +. .+ ABConsequently, A ( )BI /A \ B</p><p>S o = sAI '' kS J (mod N) ,and these exponentiations can be carried out efficiently by the method of repeatedsquarings.</p><p>By Euclid's algorithm, there are (easy to compute) integers B 1 .... , B such</p><p>Corollary: If the Ao'S are relatively prime, theni powers by a circuit of polynomial size.S itself can be computed from its</p><p>Proof of Theorem 2:the K. , we definelequal topowers of</p><p>i/K(2) T1 K~</p><p>TWe show how to construct CT = SK~2 K(mod N) . S in ce n</p><p>KIK 2 ... K~R 1 (mod N) . The follo wing Z-IS :</p><p>from C~, n Given N,S and allR I = S I/KI (mod N) , T is als onumbers can be easily computed as</p><p>KIK3...K ~.K%= R I = S 3 (mo d N)</p><p>KIK2 ---K ~_ 1 --K~_ I= R I = S 2 (mod N)The values of N,T and (2)...() can be fed into C, nof the seed S) , and the output of this circuit is:</p><p>I/K 1 K2... K (i) T = R 1 (mod N) o</p><p>(with T play ing the role</p></li><li><p>5/23/2018 Shamir 1981</p><p> 7/7</p><p>55</p><p>Since the Ki's are pairw ise relat ively prime, t he gcd of the ~ exponents of R 1 in(i) .,. (~) is 1 , and thus by the corollary of Lem ma 3 we can easil y compute R 1i~self. All the computations of powers in (2) ... (~) and the final extraction ofR 1 can be done by a circuit whose size is some polynomial in ~ and n , and thusthe size of C does not exceed [C,n[ + P(,n)</p><p>Q.E.D.Practical cryptographic systems must be almost everywhere difficult to break,</p><p>since the existence of an efficient cryptanalytic algorithm which for one percent ofthe keys can decypher one percent of the messag es is enough to make the system useless.Theo rem 2 is not strong e nough in the context of cryptocom plexity, since it does notrule out the possib ility that the RSA function is almost ever ywhere secure while ourpseud o-ran dom se quence gen erator is sometimes (i.e., for many S) breakable. To showthat this situation is impossible, we have to consid er circuits C~, n which are notperfect. For each N of size n , we define g(N) to be the f~action of seeds Sfor whic h C%, n computes the correct v alue of R I . This success rate depends onthe circuit, and its v~lue is typically I for easily fac torable N . We can nowuse (for the first time) the randomness of S in order to prove:</p><p>Theor em 4: There is a fixed polyno mial P(,n) such that for any circuit C, nthat solves some of the instances of probl em (ii) of size n with success rate g(N),there exist s another circuit C'n of size at...</p></li></ul>